HackTheBox is a free* CTF-style pen-testing playground that individuals can use to sharpen their skills.

The site provides intentionally vulnerable virtual machines, submitted by the HackTheBox community, that are usually centred around a single technique or exploit.

The objective of each challenge is to retrieve the contents of two text files, each containing a unique hash. These are known as flags.

Each box contains two flags:

  1. A user flag. This is obtained by exploiting a vulnerability on the system (application, operating system, protocol, etc.) and gaining user-level access to the system.
  2. A root flag. Once a foothold has been established, the root flag is obtained by exploiting the system further in order to escalate privileges and gain administrative access to the system.

The two flags serve as validation of completing the challenge. Entering the unique hashes into the website marks the box as owned, and points are awarded depending on the difficulty of exploitation and the age of the machine.

New challenges are released regularly, ensuring that the challenges remain fresh and relevant to today's evolving threat landscape.

Below you'll find write-ups of the challenges I've completed, in which I explain:

  1. The method I used to exploit the system and get the flags
  2. An in-depth explanation of the techniques used
  3. An in-depth explanation of the vulnerabilities that were exploited, how they work, and any notable known public exploitation of those vulnerabilities
  4. Recommendations on how to mitigate the vulnerabilities