Overview
HackTheBox (HTB) is a well-known and challenging platform for developing and honing cybersecurity skills. Breaking into HackTheBox is a difficult, but overall rewarding challenge. Thankfully, over the years it has become somewhat more accessible. Today, we will be discussing the strategies you can use to maximize the time you have and begin to develop your capture-the-flag skill set, and ultimately how to start HackTheBox.
Before You Start HackTheBox
1) Setting Up a Stable Hacking Environment
We need an environment that we can use to install tools, test payloads, build scripts, and participate in capture-the-flag. This machine is also going to be connected to a hostile environment via a VPN, so using a virtual machine is ideal. There are a few different options for virtualization software, as well as pentesting distributions like Kali and Parrot to choose from. Personally, I prefer Kali over Parrot as generally it’s more stable and easier to work with.
For a full step-by-step guide on setting up a Kali Virtual Machine, you can check out Heath’s video here.
2) Efficient Note-Taking
Next up, we need to discuss keeping good notes. I recommend you choose one place to keep all your notes, and make sure you can easily back it up and refer back to it. The actual software you use to keep notes is less important than the process of actually doing it, so find an application that you like and stick with it. Personally, I use Obsidian, and I sync the notes to a private repository on GitHub.
3) Developing a Methodology
Over time we’ll need to develop a methodology. Even though HackTheBox and CTFs in general are a good way to develop penetration testing skills, the methodologies used between the two are quite different. In the next section as we look to set out a study plan, we’ll discuss more about how our methodology will improve over time. For now, we want to start with key tools and resources that we can utilize to keep moving forward.
- Learn about scanning and enumeration
- Make use of key resources (Writeups, PayloadsAllTheThings, HackTricks, etc)
- Follow a circular pattern
  - Scanning and enumeration of the target (or service)
  - Google and research
  - Try to understand what you’re looking at
  - Try to find out if it’s exploitable
  - Repeat this cycle
Building Your Skills
Progressing at the beginning with HackTheBox doesn’t have to take a huge amount of time. Some structured learning can go a long way. It’s worth mentioning at this point that there are other methods available, such as using the starting point path and guided writeups. I’ve not used either of these as they were not available, and I’m a big believer in self-guided learning as it supports understanding, retention, and troubleshooting skills (all key things you’ll need), but I encourage you to explore them as alternatives.
Practice Efficiently
Try to dedicate at least an hour daily to HackTheBox. Initially, follow IppSec’s walkthroughs for your first five boxes, aiming to complete one box per day. This will introduce you to essential tools and strategies, and you’ll notice patterns to follow and gain ideas from IppSec’s commentary. You should take good notes along the way, and try to watch a short section and then repeat it yourself rather than trying to keep up in real time.
The first five boxes I recommend are:
Once you’ve completed these, it’s time to turn up the difficulty slightly with 10 more boxes. For each hour you’ll be aiming to complete a single flag, but not entirely alone. I recommend you set a timer for 30-40 minutes, attempt the box yourself, and after that follow the writeup to get the flag. Once again, take notes and compare IppSec’s thoughts and commentary to the things that you considered or looked at. Don’t worry if you don’t manage to get any of the flags solo; 30 minutes is not much time, but it’s going to help you start developing the skills you’ll need to take on live machines.
Your schedule should look something like this:
- Day 1: User flag on box 1
- Day 2: Root flag on box 1
- Day 3: User flag on box 2
- Day 4: Root flag on box 2
- Etc
The next ten boxes for this challenge are:
Learn From Others
There’s no reason to take on these challenges alone and I encourage you to engage with the wider cybersecurity community. Joining study groups on security-focused Discord servers can be a real motivator. Networking is also a good way to boost your chances of landing a role in the industry and it’s worth starting as early as you can.
Maintain Consistency
Regular, shorter sessions are more effective than sporadic, long ones. Of course you should figure out a schedule that works for you, but if you can, prioritize doing an hour a day over seven hours on the weekend. You won’t notice any real changes overnight but over time, you’ll notice significant improvements in your ability to tackle challenges.
Once you’ve cracked the recommended machines, you have some choices:
- Continue with this methodology if it’s working for you and start to throw in Medium boxes too
- Start to tackle Easy boxes from the live pool
For more study tips, check out our post on healthy study habits.
Creating a Game Plan
A strategic approach is crucial for success. It’s recommended that you develop a checklist or a mind map to ensure that you are thorough when working on boxes. This will help you avoid common pitfalls and rabbit holes, and over time will help you understand where your strengths and weaknesses are with certain topics or targets. Keep your notes and checklists up to date and they will serve you well for many years to come, as you find common patterns and techniques in slightly different packages.
Conclusion
Embarking on your HackTheBox journey is an adventure that requires dedication and the right mindset. By setting up a solid foundation, building your skills through practice and sticking to a well-thought-out game plan, you’ll find yourself navigating the challenges with increasing confidence.
Enjoy the process, learn from each experience, and don’t forget to celebrate your progress along the way.
About the Author: Alex Olsen
Alex is a Web Application Security specialist with experience working across multiple sectors, from single-developer applications all the way up to enterprise web apps with tens of millions of users. He enjoys building applications almost as much as breaking them and has spent many years supporting the shift-left movement by teaching developers, infrastructure engineers, architects, and anyone who would listen about cybersecurity.
Alex holds a Master’s Degree in Computing, as well as the PNPT, CEH, and OSCP certifications.
About TCM Security
TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.