Useful things I tend to forget to do when playing HTB

HTB is a great place for anyone to practice their hacking skills. It doesn’t matter if you’re a beginner or a seasoned security professional, it has all sorts of machines to challenge your skills. After spending many hours trying to root as many boxes as possible, I observed that I tend to forget some good practices or certain techniques and commands that would make my life easier, and I thought of making this little article.

OSINT

With that, I mean the general concept of OSINT and looking for clues and solutions.

  • It’s always important to note any user you come across while browsing a website, as it may be useful for later use. A user Carl Smith who wrote an article on that box may have an account with the username csmith or c.smith or cSmith etc. If you come across a password with no username, chances are Mr. Smith is your guy.
  • Do some research on the box’s creator. This may sound like cheating, but(!) see it this way: when you’re doing a pentest and you want to do a spear phishing attack, you have to know your target, right?
    Many creators get into the process of creating a box just because they have an article about a technique to escalate privileges or a CVE under their name. Search for their blogs, their GitHub profiles and maybe even Twitter(?)!

Read .bash_history

Probably 99% of the boxes have it like that: .bash_history > /dev/null. Nevertheless, once you’re in the box, it only takes you half a second to check. In real-world environments .bash_history can contain juicy information, like “accidental passwords typed after unsuccessful sudo” as mentioned in this privilege escalation reference guide - Wiki in 0x00sec. Although I get why .bash_history gets redirected to /dev/null here in HTB. If it wasn’t, I would be getting root just by waiting for someone to enter the commands for me!

$ sudo -l

I really don’t know why, I just forget it. But you shouldn’t!

Enum, enum, enum

I can’t stress that enough. Enumerate as if you’re about to get root.
Yeah, sometimes things are clear as daylight, e.g. having a machine that uses a web server that is vulnerable to RCE. But most of the time it’s not, and HTB wants you to suffer.

Frustration is your enemy

This can be a note to myself for every time I get stuck in a box. No, vict0ni, the box doesn’t want to mess with you. Neither does the creator. Take a step back, review your findings and the situation, and try again. This, of course, is not limited to playing HTB but is a good general tip for hacking and coding.

Don’t avoid Windows boxes

You can’t avoid the inevitable. Windows was, is and will be a big part of the world of computers. Although its boxes don’t always have the most realistic environments, I tend to see HTB as practice for the real world and a very good preparation for OSCP. As I lack knowledge of Windows, I can only get better at it by practicing. As @pry0cc said:

Eat your vegetables!

(If you’re like @Baud, replace the word “Windows” with “Linux”)

Now go hack!

vict0ni

12 Likes
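A worked version of the .bash_history point above, added here as an example and not part of the original post. It scans a history file for the “password typed after sudo” pattern the post mentions and masks whatever it finds, so an admin can audit a host without echoing secrets. The heuristic (a single non-command token right after a sudo/su line) and the sample history are my own assumptions and constructed data.

```python
"""Scan shell history lines for likely passwords typed into the wrong prompt.

Heuristic (an assumption, not from the thread): a line that directly follows
a sudo/su invocation and is one lone token that is not a common command.
"""
import re

# Single-word commands people often run on their own; never flagged.
COMMON_COMMANDS = {
    "ls", "ll", "cd", "pwd", "clear", "exit", "history", "id", "whoami",
    "sudo", "su", "top", "htop", "reboot", "logout", "vim", "vi", "nano",
}
PRIVILEGED_PREFIX = re.compile(r"^(sudo|su)(\s|$)")


def mask(token):
    """Keep only the first character so a report never echoes a secret."""
    return token[0] + "*" * (len(token) - 1) if token else ""


def find_suspect_lines(history):
    """Return (line_no, previous_command, masked_token) for suspect lines."""
    findings = []
    for idx in range(1, len(history)):
        prev, cur = history[idx - 1].strip(), history[idx].strip()
        if not PRIVILEGED_PREFIX.match(prev):
            continue
        # A stray password is one bare token, not a pipeline or a path.
        if not cur or " " in cur or cur.startswith(("./", "/", "~")):
            continue
        if cur.split("/")[0] in COMMON_COMMANDS:
            continue
        findings.append((idx + 1, prev, mask(cur)))
    return findings


# Constructed sample history; not taken from any real machine.
SAMPLE_HISTORY = [
    "ls -la", "sudo apt update", "Winter2024!", "sudo -l",
    "id", "su - backup", "ls", "cat /etc/passwd",
]

if __name__ == "__main__":
    for line_no, cmd, token in find_suspect_lines(SAMPLE_HISTORY):
        print(f"line {line_no}: after '{cmd}' -> {token}")
```

Run it against `~/.bash_history` (with `open(path).read().splitlines()`) on hosts you administer; a hit means the history file should be scrubbed and the credential rotated.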

This is great!

I’ll add one I forgot too many times when I started HTB: specifying port ranges in an nmap command with -p-.

Gotta check all the ports. If you don’t, you might miss something important. And you’ve got plenty of time, so don’t make the mistake of spending hours on a box and not getting an entry point because you didn’t check obscure ports.

5 Likes

cronjob is another thing you don’t wanna miss

3 Likes
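An added example for the cron-job reminder above (my own code, not from the thread). It parses the /etc/crontab format, which has a user field, and flags jobs whose script is writable by group or others; a root job running such a script is the classic finding both an attacker and a hardening audit look for. The crontab text and the scripts are constructed in a temporary directory.

```python
"""Flag system-crontab jobs whose script can be modified by non-owners."""
import os
import stat
import tempfile

FIELDS_BEFORE_COMMAND = 6  # five time fields + the user field


def parse_crontab(text):
    """Yield (user, command) for each real job line in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        # Skip blanks, comments and variable assignments such as SHELL=...
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        parts = line.split(None, FIELDS_BEFORE_COMMAND)
        if len(parts) <= FIELDS_BEFORE_COMMAND:
            continue
        yield parts[5], parts[6]


def writable_by_others(path):
    """True if the group or world write bit is set on an existing path."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit(text):
    """Return [(user, script)] for jobs whose first token is loosely writable."""
    return [(user, cmd.split()[0]) for user, cmd in parse_crontab(text)
            if writable_by_others(cmd.split()[0])]


def demo():
    """Constructed crontab with one safe (0755) and one weak (0777) script."""
    tmp = tempfile.mkdtemp()
    safe = os.path.join(tmp, "backup.sh")
    weak = os.path.join(tmp, "cleanup.sh")
    for path, mode in ((safe, 0o755), (weak, 0o777)):
        open(path, "w").close()
        os.chmod(path, mode)
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"*/5 * * * * root {safe} --quiet\n0 3 * * * root {weak}\n")
    return [(u, os.path.basename(p)) for u, p in audit(crontab)]


if __name__ == "__main__":
    print(demo())
```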

Really felt this one

1 Like

Hey, great post, and as for .bash_history being redirected to /dev/null, it’s so the box creators don’t forget to remove some important confidential information such as potential passwords. Think this is another good reason.

1 Like

True! Sometimes, but rarely, UDP ports too

1 Like

Dang, I also forget that :sweat_smile:

ikr? A necessary evil

I didn’t know that, but ofc it makes sense

1 Like

Hey. I am new to hacking stuff but a basic question. Do I need a virtualbox setup to access hackthebox?

@tsekc
Well, it is recommended. You will access the HTB network via VPN (openvpn). You could connect with your normal system, however it is not recommended. I mean you connect to a network full of hackers, that will totally scan your system.

So to stay safe it is always better to connect inside a VM. Set up Parrot or Kali and you’re good.

Understood. Thanks. But why Parrot or Kali? I know they come with a lot of tools but do we use all of them?

Well, you are totally free to use any distro / system you like.
But yeah Kali/Parrot are nice, because they come with tons of tools preinstalled and it saves you a lot of time, because you can easily kill and respawn the VMs. You could also create your own image with tools you like.

But I would recommend doing this in some automated manner. It is mostly a pain to do all the setup all over again.

TBH, I mostly use only a very small set of tools for HTB.

My goto tools are mostly

  • nmap
  • Burp
  • gobuster
  • ffuf
  • sqlmap
  • SMBmap
  • searchsploit
  • LinPEAS
  • GTFOBins
  • Some note taking app

And then depending on the machine maybe some other tools.

2 Likes