
It is Okay to Use Writeups

The path to becoming a self-sufficient learner

ippsec and 0xdf, Feb 11, 2022

There is a big sense of accomplishment when solving a box completely on your own, but when you’re just getting started, that can feel impossible. A great resource for HackTheBox players trying to learn is writeups, both the official writeups available to VIP subscribers and the many written and video writeups developed by the HackTheBox community. 

Some people worry about spoilers and robbing themselves of a potential learning experience, and while there's some logic to this thought process, with over 250 machines available on HackTheBox and new ones published every week, there will always be more boxes to learn from. Ignoring these resources can slow down your success, leaving you demotivated and not learning at all.

The Three Most Important Skillsets

When learning to hack vulnerable machines like on HackTheBox, the necessary skills can be divided into three categories:

  • Technical Foundation - Understanding how services work internally as well as concepts like networking. Having a strong foundation allows people to quickly perform enumeration, which aids in turning a simple proof of concept into a weaponized exploit or efficiently pivoting throughout a network once an initial foothold is gained.
  • Hacking Techniques - Identifying services and knowing the attack paths for each service. This is the “most teachable” skill, as it isn’t hard to know what tools or payloads to try out on a service. However, if you don’t have a strong foundation, then you’ll likely miss small things like Tomcat being hosted through Apache/Nginx or having an SSRF (Server-Side Request Forgery) on a box in the cloud, both of which aren’t immediately apparent from network scans but do have unique attacks.
  • Persistence and Endurance - Knowing how to keep driving into a problem, looking for creative ways to get information out of it. This is a combination of creative thinking and stick-to-itiveness that takes a long time to develop.

Many people focus on Hacking Techniques, which is fine, but without all three skills it will be hard to find success. An easy way to identify if you fall into this category is how much time you spend on a box after getting the root flag. After rooting the box, you should spend time looking at how each service was installed and reading other writeups to identify anything you may have missed.

Improving all three of these skill sets can be really tough, especially if you are not well-rounded already. If you are having trouble solving easy machines, chances are there’s just a small component you are missing. If you follow the steps below, we are sure you’ll find success!

Repetition Guarantees Success

Repetition is the best way to consistently be successful. Not only is it a proven method of memory retention, but as long as you stick with it, you haven’t failed! Solving machines on HackTheBox without any guidance requires a lot of endurance and foundations that no beginners possess. If you burn yourself out trying to solve a machine, it will be tough to stay motivated long enough to reap the benefits of repetition.

Set Small Predictable Goals

It’s always great to see progress. Without write-ups, machines are an open-ended problem, which makes the amount of time you’ll spend solving one very unpredictable. If your goal is two machines per week and your training plan does not involve write-ups, then a machine could take anywhere from 30 minutes to full days. Such an unpredictable time requirement won’t fit into a schedule, which makes consistency difficult.

Treat Writeups as a Virtual Way to Shadow

One of the things I wish I knew when I was younger is that professionals often don’t know what they are doing and learn “on the job”. When people join a tech company, it shouldn’t be expected that they hit the ground running and are immediately successful. Oftentimes new employees will shadow an experienced person and soak up their knowledge. This method is great, but historically it required getting a job first, and shadowing on the job has become less efficient with the major shift to remote work. However, reading write-ups or watching videos provides many of the same benefits as shadowing. The only thing that may be difficult is asking questions, but you’d be surprised how often you’ll get a response when leaving a comment on their media or asking on Twitter.

Create a Training Plan

Knowing the benefits of repetition, goals, and virtual shadowing, you can combine everything and create a training plan, which will help keep you motivated and always learning. Below are two different potential training plans: the first is how ippsec would approach it and the second is 0xdf’s. The purpose of showing both is to demonstrate that there is no one answer. Find what works for you, and make it your own!

The Ippsec Way

  1. Establish Your Methodology: Read writeups or watch videos and work alongside them. Don’t worry about “spoilers” ruining your learning experience; there will always be more boxes.
  2. Validate The Methodology: Watch a video in its entirety, then immediately do the box. If you are short on time, then divide machines into parts, for example watching up to the user flag and then solving the machine.
  3. Work on Memory Retention: Add some time between watching the video and solving the machine. Start off with a break of a few hours between the video and solving the machine. Eventually, graduate up to waiting a day between. Don’t be afraid to go back and watch the video when you are stuck on a part for 20-30 minutes.
  4. Make Hacking Muscle Memory: Watch multiple videos but solve the machine yourself days later. Having watched multiple videos or read writeups before solving the box will really test your skills.

The 0xdf Way

  1. Note taking is key. Writing something down is a great way to lock in information. Create some key sections in a way that works for you. I use markdown files in Typora, but find what works best for you.
  2. When you first start, you are missing a lot of the information needed to complete a machine. Work alongside write-ups / video solutions, but don’t copy and paste. Type commands in, and make sure you understand what they do. Quiz yourself about what would happen if you changed various arguments in the commands, and then check if you are correct. Record the tools and syntax you learned in your notes for future reference.
  3. Once you start being able to predict what the writeup author will do next, start working out ahead of the writeup / video. Try the various techniques from your notes, and you may start to see vectors to explore, and explore them. When you get stuck, go back to the writeup and read/watch up to the point where you’re stuck and get a nudge forward. Make sure to update your notes with the new techniques you’ve learned.
  4. Over time, you’ll find your notes contain more and more of what you need to explore a box. The secret is to find the balance. The more you practice, the less you want to rely on walkthroughs. That said, even the most talented hackers will often work in teams because anyone can get stuck.

Learning is much better with friends. I would highly recommend finding people around the same skill level who also enjoy doing similar things. If you're looking for friends to solve boxes with, our Discord Community is full of people at all skill levels. The best channels for this are under the "HTB: Platform" section, where there are specific places to talk about each type of challenge. Additionally, there are dedicated channels for the latest two boxes. Those dedicated channels are a great place to meet people, as everyone there will be doing the same box as you.
