Hi everyone, I hope this message finds you well. I’m a Software Engineer with 5 years of experience but zero experience with hacking.
I joined Hack The Box 2 months ago, and I’ve been working through the academy modules. I can confidently say that I have learned a lot so far, and there’s still much more for me to learn.
Up to this point, I have covered the following content from the Pentester path:
Introduction
- Penetration Testing Process
- Getting Started
Reconnaissance, Enumeration & Attack Planning
- Network Enumeration with Nmap
- Footprinting
- Information Gathering - Web Edition
- Vulnerability Assessment
- File Transfers
- Shells & Payloads
- Using the Metasploit Framework
In addition, I’ve been participating in Capture The Flag (CTF) challenges on RootMe, which I enjoy because they provide resources in the challenge descriptions. These resources include RFCs, papers explaining specific vulnerabilities, and more. The challenges range from easy to hard, and I appreciate the learning process they offer. However, I’ve also attempted some machines on Hack The Box, and the experience is different. Unlike RootMe, the HTB machines don’t have readily available resources to explore and utilize for completion. In RootMe, I have a clear direction, although I understand this might not mirror real-world scenarios. Still, I can learn about vulnerabilities, conduct research, and develop my own scripts to exploit them. In contrast, with HTB, I often find myself unsure of where to begin.
So far, I’ve only tackled the starting point machines on HTB, which come with guided mode (though I usually aim to avoid hints). I distinctly remember working on the “Responder” challenge. Given my limited knowledge of Windows security, I struggled to imagine the necessary steps to complete the challenge. How could I figure out the required actions if I lack understanding of Windows systems?
I am aware of the resources available through the HTB academy, but I’m uncertain about the best approach to the platform. Should I complete all of the academy modules before diving into the machines, challenges, labs, fortresses, etc.?
I find myself a bit confused about how to effectively utilize Hack The Box and extract the maximum benefit from it. I understand that this journey takes time (similar to how it took me years to achieve a solid level of proficiency in software development) and involves a different mindset. Nevertheless, I believe in my ability to develop this new skillset.
If anyone could share their experiences, I would greatly appreciate it. Hearing about your journeys would provide me with valuable insights on how to approach both the academy and the platform on Hack The Box.
Warm regards!