HackTheBox

HackTheBox is a free* CTF-style pen-testing playground that individuals can use to sharpen their skills. The site provides intentionally vulnerable virtual machines that have been submitted by the HackTheBox community and are usually centred around a single technique or exploit.

The objective of each challenge is to retrieve the contents of two text files, each containing a unique hash. These are known as flags.

Each box contains two flags:

  1. A user flag. This is obtained by exploiting a vulnerability on the system (application, operating system, protocol, etc.) and gaining user-level access to the system.
  2. A root flag. Once a foothold has been established, the root flag is obtained by exploiting the system further in order to escalate privileges and gain administrative access to the system.

The two flags act as proof that the challenge has been completed.

Entering the unique hashes into the website marks the box as owned, and points are awarded depending on the difficulty of exploitation and the age of the machine.

New challenges are released regularly, ensuring that the challenges remain fresh and relevant to today’s evolving threat landscape.

Below you’ll find write-ups of the challenges I’ve completed, in which I explain:

  • The method I used to exploit the system and get the flags
  • An explanation of the techniques used
  • An explanation of the vulnerabilities that were exploited
  • A technical explanation of how the vulnerabilities work to exploit the system
  • Any notable known public weaponization of the vulnerabilities
  • Recommendations on how to mitigate the vulnerabilities

Completed challenges