Useful things I tend to forget to do when playing HTB

vict0ni · April 24, 2020, 9:13pm

HTB is a great place for anyone to practice their hacking skills. It doesn’t matter if you’re a beginner or a seasoned security professional, it has all sorts of machines to challenge your skills. After spending many hours, trying to root as many boxes as possible, I observed that I tend to forget some good practices or certain techniques and commands that would make my life easier and I thought of making this little article.

OSINT

With that, I mean the general concept of OSINT and looking for clues and solutions.

It’s always important to note any user you come across while browsing a website, as it may be useful for later use. A user Carl Smith that wrote an article on that box may have an account with the username csmith or c.smith or cSmith etc. If you come across a password with no username, chances are Mr. Smith is your guy.
Do some research on the box’s creator. This may sound as a cheat, but(!) see it this way: when you’re doing a pentest and you want to do a spear phishing attack, you have to know your target, right?
Many creators get in the process of creating a box just because they have an article about a technique to escalate privileges or a CVE under their name. Search for their blogs, their Github profiles and maybe even Twitter(?)!

Read `.bash_history`

Probably 99% of the boxes have it like that: .bash_history > /dev/null. Nevertheless, once you’re in the box, it only takes you half of a second to check. In real-world environments .bash_history can contain juicy information, like “accidental passwords typed after unsuccessful sudo” as mentioned this privilege escalation reference guide - Wiki in 0x00sec. Although I get it why .bash_history gets redirected to dev/null/ here in HTB. If it wasn’t, I would be getting root just by waiting for someone to enter the commands for me!

$ `sudo -l`

I really don’t know why, I just forget it. But you shouldn’t!

Enum, enum, enum

I can’t stress that enough. Enumerate as if you’re about to get root.
Yeah, sometimes things are clear as daylight, e.g. having a machine that uses a web server that is vulnerable to RCE. But most of the times it’s not and HTB wants you to suffer.

Frustration is your enemy

This can be a note to myself for every time I get stuck in a box. No, vict0ni, the box doesn’t want to mess with you. Neither does the creator. Take a step back, review your findings and the situation, and try again. This, of course, is not limited for playing HTB but it’s a good general tip for hacking and coding.

Don’t avoid Windows boxes

You can’t avoid the inevitable. Windows were, are and will be a big part of the world of computers. Although it’s boxes doesn’t always have the most realistic environments, I tend to see HTB as a practice for the real world and a very good preparation for OSCP. As I lack of knowledge for Windows, I can only get better at it by practicing. As @pry0cc said:

Eat your vegetables!

(If you’re like @Baud, replace the word “Windows” with “Linux”)

Now go hack!

yeezi · April 25, 2020, 12:02am

This is great!

I’ll add one I forgot too many times when I started HTB: specifying port ranges in an nmap command with -p-.

Gotta check all the ports. If you don’t, you might miss something important. And you’ve got plenty of time, so don’t make the mistake of spending hours on a box and not getting an entry point because you didn’t check obscure ports.

messede · April 25, 2020, 6:26am

cronjob is another thing you don’t wanna miss

fr0nk · May 1, 2020, 8:34am

Really felt this one

0xMagomed · May 1, 2020, 10:09am

Hey, great post, and when it comes to .bash_history being redirected to /dev/null is so the box creators don’t forget to remove some important confidential information such as potential passwords. Think this is another good reason.

vict0ni · May 1, 2020, 1:46pm

True! Sometimes, but rarely, UDP ports too

vict0ni · May 1, 2020, 1:47pm

Dang, I also forget that

vict0ni · May 1, 2020, 1:47pm

ikr? A necessary evil

vict0ni · May 1, 2020, 1:48pm

I didn’t know that, but ofc it makes sense

tsekc · June 10, 2020, 2:16am

Hey. I am new to hacking stuff but a basic question. Do I need a virtualbox setup to access hackthebox?

H45uK1mchi · June 10, 2020, 6:25am

@tsekc
Well, it is recommended. You will access the HTB network via VPN (openvpn). You could connect with your normal system, however it is not recommended. I mean you connect to a network full of hackers, that will totally scan your system.

So to stay safe it is always better to connect inside a VM. Setup parrot or kali and you’re good.

tsekc · June 11, 2020, 3:13am

Understood. Thanks. But why parrot or kali? I know they come with lot of tools but do we use all of them?

H45uK1mchi · June 11, 2020, 9:13am

Well, you are totally free to use any distro / system you like.
But yeah Kali/Parrot are nice, because they come with tons of tools preinstalled and it saves you a lot of time, because you can easily kill and respawn the VMs. You could also create your own image with tools you like.

But I would recommend to do this in some automated manner. It is mostly a pain to do all the setup all over again.

TBH, I mostly use only a very small set of tools for HTB.

My goto tools are mostly

nmap
Burp
gobuster
fuff
sqlmap
SMBmap
searchsploit
LinPEAS
GTFOBins
Some note taking app

And then depending on the machine maybe some other tools.

system · August 24, 2020, 1:13pm

This topic was automatically closed after 121 days. New replies are no longer allowed.