Transcript for:
Cyber Security and Ethical Hacking Insights

What is up, everybody? I'm Bob. I'm an IT and cyber security educator and content creator, and welcome to a beginner's guide to cyber security and ethical hacking. I want to make this video and this, you know, these lessons because I believe that a lot of people are intimidated by Hack The Box, by ethical hacking and cyber security in general, and I sort of want to help more beginners start to learn this stuff. And I believe, you know, you've gotta start somewhere, and there's so many different places and options and things out there that, you know, you can get caught up in going down paths that maybe aren't the best paths. I'm not saying the one that I'm going to share is the absolute best, but I personally believe it's fantastic. I have a bias towards it.

Before we get into the actual technical aspect of this, where I will show you some skills and help you develop some skills, I do want to talk a little bit about a platform, if you haven't heard about it, called Hack The Box. Hack The Box, I will say honestly, is one of the only companies I can genuinely say, when I hear about it, when I talk to people there, when I interact with, I genuinely have love in my heart for this company. I have done work with them before, actually on the Academy platform, and I'm a regular player, a huge fan of the platform and pretty much everything they do. I see them as sort of the Apple, Steve Jobs era, of cyber security training. I think what they're doing is revolutionary, not just from a cyber security training perspective but from an education perspective. I'll show you. And I am biased towards it because I've benefited greatly from using it in my career professionally and just personally, through people I've met, friendships I've made, fun times I've had, and the learning that has happened on this platform and continues to happen with me all the time. You know, I can't say I use it every day, but I would say maybe every three days I'm back on here nowadays, especially in the summertime,
I've got to say. So, first of all, Hack The Box is a cyber security training company. They use gamification and a bunch of different things, innovation, to create engaging cyber security training, specifically within the realm of ethical hacking. You will see more defensive content as they've released, they're releasing more defensive content regularly. So overall they're just a cyber security training company. On their website you can see a lot about their culture and about who they are and who founded them in their history. They've got several products they've come out with over the years, and big-time money going into the company, you know, millions and millions of dollars that are getting invested in, because I'm not the only one that believes in this company, in this product. There's, you know, businesses all around the world believe in them, investors believe in them, lots of people believe in them because of what's happening, and I'll explain it.

These are the founders: James Hooker, I call him Goblin, Haris Pylarinos, ch4p, Aries or as Zeke, I believe. Awesome folks. You know, these are very accessible individuals. In the Discord some of them are even there, you know, and the Discord's free. Very community-focused organization. They really care about people and about making, you know, this very highly technical and specialized discipline that was once reserved for only a select few elite people, when I say that I mean like pen test, penetration testing, ethical hacking, and just cyber security as a discipline, it hasn't been this accessible, just because of how difficult it is. And I believe in many ways Hack The Box does make it more accessible and does make it, I'll say, I'll use this word sparingly, easier than it has been historically. Let me explain that a little bit. I think before your Hack The Boxes, you didn't have many, like, pathways per se, or easy ways to learn these skills. You really had to be cut from a different cloth, if you will, and you had to
have some serious technical skills, and you still need that. However, I believe what's happening with Hack The Box is there's getting more of a, you know, there's more training pathways. When I think about education in general, I believe, you know, always when there's a new innovation, there's a new field, usually learning institutions like colleges, they take a little while to get to a point where they have formalized textbooks, you know, content and courses and degrees to actually pave a way into that particular discipline. At first it just starts, usually, like grassroots. There's only so, like, few that know about it because it's brand new. Hack The Box is really interesting because it's not really paywalled. There's free tiers, yes, there is paid subscriptions, and there's more pathways here and tracks that you can take now to start learning these skills.

The reason I say earlier I'm using the word easy sparingly, or easier, because cyber security in general is not an easy field, just because of the nature of it. It's more, and I've explained this before in this way, it's like a sport, right? I mean, you do have to understand the underlying technology and the way it's used in order to secure it, or let's say actively secure it, because in my perspective, in my experience as an IT and cyber security professional, I don't think cyber security is a permanent state, and I don't know that you'll hear a lot of cyber security professionals declare that it is. It is an actively changing state. So, you know, let's say at one point in time you can declare your environment secure. You're like, hey, this environment right here that I've built for this company or organization or person is secured. It's not going to stay that way, right, and by itself, right? You have to actively keep an eye out for the latest tactics, techniques and procedures, the things that hackers are using, the vulnerabilities that are coming out in libraries and open source projects that are hard to catch day one, right? So technology in
general is not just easy to secure. When you look at any piece of tech, you're going to see that it's usually made up of multiple different pieces of tech, a stack if you will. A lot of software is built on open source and a lot of software is proprietary, and both, they have vulnerabilities that come up. People make mistakes, or hackers get crafty. Sometimes these malicious hackers, they're just crafty and smart, and they've figured out a way to bypass a security control, and that gets discovered, and, you know, that's time to response is really important, and we'll talk about some of those things.

But I just want to explain now that, why hacking, it's kind of controversial. Depending on who you're talking to, they may tell you, you know, you may tell them you're a hacker and they'll tell you, "Ah, you know, I'm scared of that." You know, I'm not saying they'll scream like that, but they might gasp, or some might say, "Wow, that's awesome, that's so cool. What do you do? Like, what is hacking?" But I think still there's a stigma against hackers that's like every hacker's bad, and that hacking is just, you know, if you, you can't do it, that's not the way to do cyber security. And I've grown recently in my career to believe that hacking perspective is the way to do it. It's the way to do security, starting with that perspective and understanding the hacker. Like, not everyone's going to be a full-time penetration tester. What I'm saying is, if, but if you have the mindset of a hacker and you know some of the tools and the techniques and you're always trying to stay up to date on what's happening in that area, you will have better defenses to guard against it, right? You know, the one way I can think about this is, if, you know, let's say you get a bulletproof vest, right? You buy it for whatever reason, and you're buying that bulletproof vest because you expect that that's gonna probably protect you from bullets, right, if it's, someone shot at you. But you would hope somebody tested that, right, before
you bought it. So when I think about a computer network, when I think about a system, that's how I think about it too. You know, I'm hoping, yeah, okay, we've set it up, we believe we set it, like, even myself, I believe I've set this thing up securely based on having some, you know, hardening guides from respected organizations and, you know, having professionals on my team that know defense and things like that, and expertise around me. But I don't really truly know if what I've set up is absolutely secure until I try to hack it. If I try to come in behind myself, or someone else, a third party that didn't set it up, with a new perspective comes in and tries to hack it, they might find something because they're approaching it from a different perspective. I might find something because when I come in to try to pen test something or hack it, especially when you look at like Hack The Box, I'm gonna see vulnerabilities in a different light when I'm in the hacking mindset. So it's like something you can flick on like a switch as you develop it, and one thing that is big on the platform that I really agree with is developing the hacker mindset.

But I do want you to know that I'm advocating for the ethical use of it, the legal use of these skills on systems that you have been given explicit written permission to do. You know, the skills you might learn in turn in the ethical hacking realm or just pen testing realm in general, you actively try to exploit a system that you haven't been given permission to, on some random website on the internet, you can probably get in trouble, maybe even get thrown in jail, because it's illegal in a lot of countries. At least in America we have computer crime laws. You can't just go do this on anything. And that's where one of the big values of Hack The Box comes in too, is you can do ethical hacking and you can do pen testing on vulnerable machines, intentionally vulnerable machines that are realistic, and you do that for as much as you
want, legally, because it's all on Hack The Box's lab environment. So this is very revolutionary platform, in my opinion, in what they're doing.

So let me break it down a little bit. I'll break down some of my motivations of using Hack The Box, why I still use it to this day even as someone who has a job in the field, who can pivot to companies because of my contacts and because of my skills, and who continues to learn from the platform. But I will also explain how to use it from a beginner perspective. That's the main thing that I really want to get across, is to beginners, because I believe that that audience, and that if you're in that realm and you consider yourself a beginner, you're in the right place, because I really love to teach beginners, because I feel like I can relate to them. I'm a teacher full-time. I teach beginners all the time at a community college. They come in normally with zero IT knowledge, so I've had a unique experience with it, which is why I really address it. But I do think if you're a seasoned IT professional, you can also benefit from, you know, the lessons I'm teaching here and the lessons that you'll learn on Hack The Box.

I will ask you, if you're not too comfortable on the couch or wherever you're watching me from, if you have a laptop or a desktop computer, go and create a Hack The Box account. So you can go to hackthebox.com, create an account real quick, go through the first little walkthrough of the tour of the platform. You know, you can pause this video if you want, or, you know, go on the stream right now. You can always record the stream back. This will be on YouTube. And then come and catch up, because when we get to the technical part, what I want you to do is follow along and maybe even put comments and questions in the comments below that can add to the conversation, or maybe even add context or perspective. That's the biggest way, if you're more experienced, that you can add to these lessons, is add context. You know, share what your
experience is with the platform or with the tools or with, in the industry, and, you know, all that.

What are my motivations with Hack The Box? Why do I use it? There's a bunch of different motivations. I've been on Hack The Box for over a year, just as a player, I'll say, and with an account and stuff. I've found that there's a few different ways you can use it, and all of them are pretty awesome. Lately the way that I've been using Hack The Box is because I want to rise in rank. And this is Hack The Box, the main platform. There's also Academy, which is like more guided course format, which I'll show, I'll show that later on. But for now, know that there's a leaderboard and there's a ranking platform and there's a Hall of Fame, and this is, in my opinion, if you're a competitive, and you start to feel the, you get the skills and you start to feel, and maybe even if you don't have the skills but you just have a competitive drive, I think the ranking aspect of it can really motivate you. You know, because there are people I've met in the Hack The Box Discord who say, you know, they don't hack as a profession, they do something else. Why do they hack then? They hack because they like it. They think it's fun, they think it's mentally stimulating, and when they get on Hack The Box they just free their mind and try to break out of the box a little bit as they try to find vulnerabilities in the system, and in the meantime they're developing some killer IT skills, I'm telling you, and we'll explain, I'll explain what kind of skills and just even IT foundations you can build. That brings some people.

Me, I've recently come to this point where I'm like, I kind of want to be in the top 100 in the world, and I'm not there yet. I've just reached Hacker rank recently. I was a Noob, or I think it's, that's Noob, Noob or Script Kiddie, or one of the lower level ranks that you have, and I was on Noob for like half a year because I wasn't, I was hardly ever working on content that would earn you points, because there are
pieces of content on Hack The Box that earn you points, called active machines and active challenges, and I'll show you that. But let's say you just come in here, you just want to rank up, and you can see they've got graphs and they have a point system and they have this whole thing that you can follow to rank up on the platform, and it's really cool. You can see people who are Hall of Fame around the world. You can see team rankings, like you see these teams here. Hall of Fame is like individuals. I would like to get to the top 100 before I talk about getting any further than that. I think you get a badge too, which is like another gamification element they've added, and that's one of the cool things, is it feels like a game. As you start to use it, you're like, okay, I can kind of see the vision of how this is a video game.

And, you know, I think about any hard video game that you've ever played, you could think about it and it's like, you did have to grind to actually get good at it. You had to figure out the controls, you know, you had to figure out the controls. For the typical person that's not a gamer, think about this, this is not an easy thing to get used to, controlling a character on the screen, as funny as that sounds, right? Like, you know, we take that for granted. I remember I recently got a Nintendo Switch, you know, it's 2023, I just got one, and the controls to me were weird to learn. I was like, what in the world, how come A is where, why is X right there, you know what I mean, it should be Y. And it's like, so my brain was not used to that controller, so a lot of the games I've been learned playing, like I've been playing Legend of Zelda: Breath of the Wild, is hard. It's kind of hard to play because it's like you're learning these mechanics, you're learning the Switch controls on top of the mechanics of the game, which are, you know, initially complicated. So many menus, and I sound old when I'm talking about it, but it's like, if you think about any modern game, it can get,
it's pretty complicated when you first start to learn it, especially if it's a new game to you, and you put in the time, right, you put in the effort, and sometimes it's not that fun, right? Like, you just want to get good at it so it can be fun. And that's one of the things that I really like about Hack The Box too. And when I make the correlation between video games, like actual video games, and then Hack The Box as a video game, they are very similar in the way that, if you don't give up and you keep learning the mechanics, the tools and the techniques and all that, you'll learn it, you'll get good. You can only get better if you keep trying, right?

So when you think about the intimidation factor of Hack The Box, because it is intimidating, this field of cyber security is intimidating, the more you spend time trying to get better at it, the only option is to get better, even if it's just slow and incremental. And it's gonna be, it's, I'll say this: growth really never feels like growth until you look back at where you came from. In the midst of it you're going to feel the growing pains, and to be honest with you, ethical hacking and the nature of penetration testing is usually just confusion, confusion, until you learn the concepts that you didn't know before, and then all of a sudden it makes sense, right? You know, it's like, but it's called, it's a constant humbling. I feel that when, any time I'm doing a box, even if the box is like an easy rank box, you know, I'm gonna get humbled in some way, and that's awesome. You know, I love that, because it means that there's always something new to learn, and that's one of the cool things about Hack The Box.

So when we talk about the rankings and that gamification element, if you're competitive, this is awesome, right? So my goal by August, this is the start of June, it's really the end of May but going into June of 2023, I want to get to the top 100 global ranking by August. I don't know if it's possible, but I need to get active and
working towards that more diligently. I challenge you as well: make a goal for yourself on the Hack The Box platform to get to a certain rank or to a certain leaderboard level. Let's see how far you can go. That's it, if you care about ranks, but that, it doesn't have to be all about ranks.

Last thing about the ranking thing: you know, it may feel like a gamification thing that only matters on Hack The Box, but I do know, I've seen the Discord, I've also seen out on LinkedIn and job posts, that there are companies that actually, if you're on Hack The Box, they will actually consider your rank. Now, is your rank going to disqualify you? Probably not. But if you have a higher rank, you know, Hacker, Pro Hacker, above, they are impressed by that, because it shows you put in significant effort on learning this stuff on your downtime. I know there's even organizations that build some Hack The Box content into their hiring processes, so you can bypass certain checks, resume check or something like that, which is really profound, and that's like a, that's revolutionary.

And on that note, let me show you another reason you may want to use Hack The Box to learn. This is a reason I really think it's kind of going to change the landscape a little bit. This is revolutionary. As more companies start to understand the value of Hack The Box and platforms like it, I do think they're gonna start doing this. This is some thought leadership. So Hack The Box has a job board, which is cool, right? And let's look at how the gamification is added. Notice this job, right, that this company called SECFORCE, it was posted 16 days ago through Hack The Box, so meaning that company and Hack The Box worked together to make sure that this job posting was here, right, for people that use Hack The Box. Let's say I'm like, you know, I want a job, I'm looking for a job as a pen tester or in cyber security realm, let me check the job board on Hack The Box. Let's say I thought this was a good one. Look, as I hover
over it: Pro Hacker rank required. Oh, you know what that does to me, if I'm looking for a job? Personally, right now I'm pretty happy with what I'm doing, but if I'm getting on here to look for a position and I see that, wait, hold on, Pro Hacker rank, I can't apply for that one, I'm gonna try to go get Pro Hacker. You know, I'm also going to look for others. Look, I'm eligible for this one. I think this one's Hacker, limited to Hacker rank. You know, this one's Pro Hacker. You know, Hacker rank, I can apply for this, right? And this is, of course, Hack The Box eating their own dog food, meaning, you know, hey, look, if we're gonna ask other companies to use our job board, we're going to use our own job board as well. You better believe some of these companies are probably going to really pay special attention to the applicants coming through Hack The Box, because if you think about it, it's new, it's innovative way to kind of get talent. It's a different pipeline. I'm not saying it's the only one. It's not gatekeeping. I don't think that's what Hack The Box's goal is. If I could speak to their goals, if I know anything about Hack The Box in the time I've been connected with Hack The Box and known about the platform and met people through the Discord and met people there and made friends, I can say they're not trying to gatekeep cyber security, but I could say they're building a different type of pathway, or series of pathways and opportunities in, and I think that's been really innovative approach to learning, because now I have a bigger reason to use Hack The Box than to just say, oh, my rank is this and I'm feeling fancy and, you know, I can hack on Hack The Box and not, you know, I'm cool. But now it's like, okay, I can get on Hack The Box and it can be some life-changing opportunities through using it, by getting jobs and all types of stuff. So this is just another reason to use it.

I want to show you here is sort of how they break up their machines and their challenges. Simply put, there's active
machines and there's retired machines. Active machines, if you do these, they're going to count towards your rank. You cannot stream these, you know, you cannot publish write-ups. You're violating the terms of service if you create content based on an active machine and you publish it while that machine is active, or that challenge, because they do have challenges you can download, you know, Android apps, forensics challenges, you know, other things that are not, a whole VM is not needed for, because these are VMs that get spawned, like these are real machines that get spawned up on Hack The Box environment, and I'll show you that too. So retired machines are not going to earn you points, so if you do these, you're not getting points on the platform or towards your rank, but you are going to learn.

So here's the thing: I think for the first half a year that I was using Hack The Box to learn ethical hacking skills, or penetration testing skills, I did not move past that first rank. I just did retired machines, and I live streamed several of them. One of my big drives of using Hack The Box really was to stream, just as a creator, to stream Hack The Box machines, retired machines. I would get on here, I would pick a box randomly, start it up, and then start my stream, and I would learn on live stream, and talk about a humbling experience it is, because you're running into problems, you know, on a live stream. You would hope you could just breeze through and look just perfect, right, ideally, you know. But I think in the smaller settings and like the groups that I would have, you know, it would go from five to ten to fifty, I would get more than that at some points, just working on a box with me live, it was like a meetup. I had an online live meetup, and it was cool because you were learning in a community environment, so if you hit a problem, you might get somebody in the chat saying, "Hey, try this, I just tried it, got me a little bit further," and boom, you're there. And here's a cool thing about Hack Box: Hack
The Box is very creator-friendly. So in their terms of service, and they document this, Google like "can I live stream Hack The Box", you can Google that and it'll come up with the very specifics about what you can live stream. I know retired machines have retired Michelle challenges, retired content in general, you can live stream and you can create content based off of, right, like videos and write-ups and things, and publish that. And I think that's great, because for your career, especially if you're trying to break in, a lot of these people that are going to be interviewing you, they want to look for more than a resume. They want to see what have you done, what kind of experience have you had. You know, you hear this thing as like, breaking into cyber security is hard because entry level roles in cyber security, you know, require this many years of experience or whatever. To accelerate past through some of those requirements, if you can have things like blog posts, you can show you're pretty active and you're different. You're not just coming in expecting a job because you have a degree or because you want it. You're showing them, okay, I've got some content I've produced, I've got some contributions that I've provided, this is my writing ability, this is in my skills. Right, now you're giving that hiring manager more to work with than just, you know, here's a resume and I have a degree and I have some of this. You're giving them more, because you think about, if you have other candidates going in with the same thing but they don't have Hack The Box and write-ups and they don't have all these blog posts like you, then you have a unique advantage, right? I think can provide a unique advantage for people out there in the job market.

Let's poke into one of these retired machines. I'll show you the machine page. You know, it's pretty self-explanatory. It tells you what you can do: you can add it to a to-do list, review it once you're done, there's threads for them in a forum. But the biggest thing
for me that was driving me and still drives me to do retired machines, I don't do retired machines as much as I did, I'm on that active machine life because of the ranking now. Right now, for example, like what we're going to do in this video is going to be through a Starting Point machine, a free machine, doesn't earn points. You know, you could do the same with a retired machine. I can do that because it doesn't violate the terms of service, but it also gives you an awesome learning opportunity, and here's why. Let's say you're doing one of these machines, you're learning, and you hit a wall. You can go to this Walkthroughs tab and you can look at a walkthrough. Now, there's no shame in looking at that walkthrough. You just have to be careful not to get so reliant on walkthroughs that, you know, that's your mindset on every single box you do, because you do want to ultimately build a skill set where you can do some of this stuff off the top of your head, or using various, you know, articles, or building a command cheat sheet or a playbook of commands that you typically run when you're going against a machine. I'd say that because when you do this in the real world, you won't always come across walkthroughs for those problems. I always encourage you to look up things and Google things, but when it comes to the boxes on Hack The Box, there's walkthroughs, use them. I'll read a walkthrough even if I didn't need it during the box, like even if I didn't go through the box in reference to walkthrough during and I just got through it by myself, I will still read the walkthrough, because it shows different ways of doing things and you learn different commands and different pro tips from different people. Like, the way they did things might have been better than the way you did it or the way I did it. It's really cool to do that and build a skill set that way.

I've got to talk about two awesome creators that are Hack The Box creators: ipsec, or IppSec, who makes YouTube videos for every retired
machine. As soon as it retires, IppSec is posting his video on YouTube, faithfully, very persistently and very, with high quality, and it's a lot to learn. You're going to learn a lot when you watch a walkthrough from IppSec. 0xdf is great. He does write-ups. I believe he also has a YouTube channel, but most of his content is in written form on his blog. It's "0xdf hacks stuff", you could Google that. I'll put some of this in the comments below or in the description below too. So those are great go-to resources.

Here's the cool thing, right, and oh, by the way, this is 0xdf right here, he has a write-up for this box. The other thing is, check this out, this is user-submitted walkthroughs. If you're going to be doing a write-up, you're taking notes during the box and you turn the notes into something a little bit more and it becomes an educational walkthrough of some kind, you can click this button, which is behind my head, I'll just show you the results of me hitting the button, Submit Walkthrough, and you can add the URL, you'll submit it, and what will happen is people at Hack The Box will QA that, and they will say, is this appropriate, does this work, you know, is this good, does it look good, and if it's good enough, it's up to par there, they'll add it to the platform. And that's something, if I were you, I would put on your resume, you know, because in a way you'd contributed supplementary learning material via user submission form on Hack The Box to such and such machine that covered, and you could talk about like various technologies that you talked about, and link to that in your resume or on your LinkedIn or whatever platform you're using to look for work or to look for different opportunities, whatever it is. I'm just saying, like, that right there, you can use that as a career resource, a professional development resource too, and even just as a challenge.

I'll show you on my blog just an idea of how I would do a walkthrough, is this one. This was a retired machine called Netmon, and as I
was doing the box I was just adding notes to this GitBook I have. GitBook's free. You can go to GitBook right now and you can create a free website and you don't have to pay for it. You can host your web page there, and you don't have to write in HTML, you don't have to worry about all that if you don't want to. And, you know, I would put screenshots up here, and as I'm going I'll type what's in the screenshot, and I'm almost entering in like a reflection as I'm doing it. I'm trying to understand what I'm learning and I'm also explaining it too. I'm an educator, but I also, when I'm learning, I try to format what I'm learning into something that I can teach, if that makes sense. I call that "learn to teach", as a sort of a methodology, a learning methodology. If you can do that, I believe you start to better understand what you're learning, because then you're looking at everything as a teacher. You wanna understand it at a deep enough level that you can explain it in a way that would make sense to someone, and that's going to force you to try to seek for a deeper understanding of it. Even if you're not planning on being an educator, teacher, creator, I do still think that that is very helpful, because what else does that show? If you're trying to be a penetration tester, for example, or I would argue any position in cyber security, whether it's on the defensive or the offensive side, there's a tremendous need for the ability to write well. If you can do this, you're working on your writing skills, and I know I'm not perfect, but that's a skill that I'm actively building and one that you can actively try to build through doing boxes and challenges on Hack The Box. That's another drive and motivator for me.

You've got tracks here, which are like pathways. They're just like curated, you know, lists of machines and challenges that have a theme. Hack The Box does these CTFs, which are really cool, where it's like a theme and a storyline, and they happen for a certain period of
time, and they're challenges. If you don't know what a CTF is, basically, I'll put it this way: a CTF-like challenge is, you're trying to find vulnerability in a system to get access to that system, and then you're gonna find a flag, and that flag essentially verifies that you are able to exploit the vulnerability. With Hack The Box, there's typically on a box two flags, when we're talking about just machines: there's a user, and then there's a root, or system level if you're Windows, which is like the ultimate admin of a Windows machine. You usually get the skill of getting the initial access, yes, whether it's through like a web application or some vulnerable service, and then there's how can you escalate your privileges to a higher level of administrative privileges on that system, and so you'll get flags for both of those things.

Now, I do know that they have, I could talk about this another time, I do have other videos on my channel, I did do a review on one of their Pro Labs that's called Dante, which was amazing, and it's essentially an environment that's completely, it's a completely vulnerable environment. So it's not just one box, it's multiple. Like, you can see Dante has 14 machines. Those are Windows boxes, Linux boxes, Windows Server, Windows clients. Offshore's like big in Active Directory, and they're always coming out with new Pro Labs, and these are really cool. I will say these are my favorite personal products, I will call them innovations, on Hack The Box, are the Pro Labs, because they're so real. It's a whole environment you're attacking, and you have to chain attacks, and you have to be sort of strategic about the way you move further into an environment. You may be able to individually exploit a vulnerability on one machine, but depending on how you do it, that particular way of exploiting vulnerability may not allow you to use that machine to pivot to another machine. So you have to think, how should I exploit this so I can maintain persistence and move further? That's
where the Pro Labs are really cool. I love me some Pro Labs, for sure. I'm working on Offshore. As you can see, I've made much progress. I'm working on it. It's fun, learning a lot. There's Endgames. Some of them are retired. They're like mini Pro Labs, so there's like, you know, four or three machines, and so it does feel still like more of a network environment than like an individual machine does. These retired Endgames you could stream, which is really cool. Fortresses, I've never done one, but I know that companies make them. So look, these are big names that make these Fortresses, and I believe if you finish one of these, you unlock something specific to that company. I think about the concept of this Fortress idea, is it makes sense for companies to say, okay, we need more web app pen testers, what does that skill set look like, and then they build like a lab, host, or work with Hack The Box to build a specific lab to, like for example, whatever AWS wants, whoever finishes it seems like a pretty good candidate, you know what I mean? So that's kind of a unique way to recruit too. You could use these as recruitment tools. You could use these in the hiring process. Maybe one phase is like a technical challenge and you have them use your Fortress, as an employer, you have them use your Hack The Box Fortress to create a penetration testing report of this Fortress, and that determines where they are as a candidate. You know, maybe you don't expect to get through the whole thing, but, you know, as far as they can get, and then that's how you assess candidates and technical proficiency. But that's just an idea. I'm sure some companies have thought of that.

As a beginner, I wouldn't start on any of these. I wouldn't start on Endgames, Pro Labs, Fortresses, or Battlegrounds. I would start at Starting Point, and that's where we're going to start. I hope that you'll join me in that in the next video.