Hack The Box — Beginner Mistakes
“Hi, I am new to HTB!”, “How can I start hacking?”, “What the hack?”
If you are asking the questions in the subtitle, welcome, you have come to the right place! I am an experienced system integrator who is passionate about information security. I hope this helps you hunt.
Hack The Box is a mature online lab environment for those who want to learn hacking and penetration testing (https://www.hackthebox.eu/). It provides intentionally vulnerable boxes for testers to test their skills and sharpen their tools.
The HTB community is willing to help. We are a passionate community that wants you to succeed in rooting the box yourself. But we will never tell you how to root the box.
The most fun part of “hacking” is making it work yourself. It is a joy to get into something without someone’s permission (technically, as a security enthusiast doing some tests; as a professional I always ask for consent in the workplace). It enriches your knowledge and your sense of IT security.
If you have just started with penetration testing, the following resources are recommended:
- IppSec https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA. IppSec’s videos are the best. They show how a pen-tester thinks while hacking a system and the skills needed to execute those ideas. However, they demand a certain level of knowledge in this field. Please don’t misunderstand: it is the BEST free resource ever for studying penetration testing. But you had better do some research on the topics he mentions.
- GTFOBins https://gtfobins.github.io/. A website that summarizes the common ways Linux commands can be abused. Or, you could say, it is an extensive list of “things you should not allow via sudo”. It is our friend on easy boxes, especially when you have no idea what to do next.
- Stack Overflow https://stackoverflow.com/. Technically, most Google results come from here.
- Kali Linux in a virtual machine. You need those tools to do penetration tests, right?
- Another virtual machine for self-training. Unless you are already familiar with the Linux environment, you want your own lab environment to practise installing Apache/MySQL/PHP, etc., and to study how those components work.
If you have already started playing with the boxes, the following are some common misconceptions and mistakes I made while rooting them.
You may want to check whether you are making the same mistakes I made.
Mistake #1: Enumeration = “nmap”, “dirbuster”, “ls”
Enumeration is the first step in everything. Thorough enumeration makes your life easier. When I first learned about enumeration, my idea was simply to list everything without any plan: list it all first, then guess! Common commands like “nmap -sV -A”, “searchsploit”, “msfconsole” and “dirbuster” are easy. Once I ran them, I knew the port and the version. Then I googled the version and looked for a CVE in SSH to exploit.
Obviously, I failed to “exploit” SSH in the end.
The idea of enumeration is to get familiar with the system and find its weaknesses. You had better know how it works normally before making it behave abnormally.
This is what I understand at this stage: try HARDER to learn the system and work out how it functions. It is always worth spending time studying how a command or system works instead of spending a lot of time on meaningless googling.
An obvious change is that you will no longer blindly search for “Exploit Apache 2.4.27” but for “Virtual host ownership”, “Common configuration file location of Apache in Ubuntu”, “Heartbleed”, etc. You will use “grep”, “find” and “locate” more during your game.
Hence, this is one reason you had better hide the version information of your applications and containers such as Tomcat, Apache or PHP. Especially if you must run an old Tomcat/PHP because a public login application has no separate admin entrance, you never want to expose the version file.
Mistake #2: Metasploit Will Take Care of Everything
“I exploited a Remote Code Execution vulnerability but I cannot change directory, even though the command executed.” I believe you might be encountering this problem, so you put it into Google. AND Google brought you here. Hi friend!
In some vulnerabilities, Remote Code Execution lets you make a request with a command embedded in it. Since it is not an interactive shell, each command runs on its own, so it will not let you do anything stateful such as “cd” or “su”. All you can do is run “ls”, “cat” or “grep” to enumerate further and look for the next weakness in the system.
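To see the statelessness described above, here is an added example (not from the article) that models such a command sink as a fresh /bin/sh per request: a cd or export in one request has vanished by the next. It assumes a POSIX /bin/sh; the sink function is a hypothetical stand-in, not any real endpoint.

```python
import os
import subprocess


def run_injected(cmd: str) -> str:
    """Model of a stateless command sink: every "request" gets a fresh /bin/sh.

    Hypothetical stand-in for an RCE endpoint; it only illustrates process
    semantics and assumes a POSIX /bin/sh is available.
    """
    result = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return result.stdout.strip()


def state_persists() -> dict:
    """Check whether the working directory or environment survive between requests."""
    start = os.path.realpath(os.getcwd())
    run_injected("cd /")                                    # request 1: change directory
    after_cd = os.path.realpath(run_injected("pwd"))        # request 2: where are we now?
    run_injected("export HTB_DEMO=1")                       # request 3: set a variable
    after_export = run_injected('printf "%s" "$HTB_DEMO"')  # request 4: is it still set?
    return {"cwd_changed": after_cd != start, "env_kept": after_export == "1"}


if __name__ == "__main__":
    # Both values are False: nothing carries over from one request to the next.
    print(state_persists())
```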
Please try hard to understand how the exploit works if you want a good start. If you are interested in security, the most important concept is “risk and damage estimation and control”. If you take this seriously, you never want to induce side effects during your exploitation.
If you are in it for fun, well, you don’t want to find out that you spent 2 hours because of a mistake you made about 10 steps before you sudo something, right?
From another point of view, it can be a source of abnormal request patterns. If you find those kinds of requests in the workplace, you had better check whether a security assessment is being performed on your system.
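As an added example (not from the article) of turning that observation into a detection: a small filter over constructed Apache access-log lines that flags parameter values carrying shell separators or the enumeration commands mentioned above (ls, cat, grep, id). The log lines, paths and IP addresses are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
10.10.14.2 - - [12/Mar/2020:10:01:11 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Mar/2020:10:01:19 +0000] "GET /index.php?page=;id HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.10.14.2 - - [12/Mar/2020:10:01:25 +0000] "GET /index.php?cmd=ls%20-la%20/var/www HTTP/1.1" 200 1337 "-" "curl/7.68.0"
10.10.14.3 - - [12/Mar/2020:10:02:02 +0000] "GET /search?q=list+items HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.2 - - [12/Mar/2020:10:02:40 +0000] "GET /index.php?page=%7C%7C%20cat%20/etc/hostname HTTP/1.1" 200 32 "-" "curl/7.68.0"
"""

# Apache combined log: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
META_RE = re.compile(r"[;|&`$]")  # separators that chain a second command onto a parameter
# Enumeration commands from the article, matched as whole words at a token boundary.
CMD_RE = re.compile(r"(?:^|[;|&`\s])(?:ls|cat|grep|id|whoami|uname|find)(?:\s|$)")


def param_values(query: str) -> list:
    """Decode the value of each key=value pair; '+' and %XX become literal characters."""
    return [unquote_plus(pair.split("=", 1)[1]) for pair in query.split("&") if "=" in pair]


def suspicious_requests(log_text: str) -> list:
    """Return (ip, timestamp, decoded value) for parameters that look like injected commands."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or "?" not in m.group("path"):
            continue
        for value in param_values(m.group("path").split("?", 1)[1]):
            if META_RE.search(value) or CMD_RE.search(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


def offenders(log_text: str) -> dict:
    """Count flagged requests per source IP so one noisy client stands out."""
    counts = {}
    for ip, _, _ in suspicious_requests(log_text):
        counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    for ip, ts, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {value!r}")
    print(offenders(SAMPLE_LOG))  # {'10.10.14.2': 3}
```

The word list is a heuristic: a search box that legitimately receives “cat food” will trip it, so tune the list to what your application's parameters normally carry and use the per-IP count rather than a single hit to decide whether to investigate.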
Mistake #3: Reverse Shell Does Not Work
Beware of “reverse shell” and “tty” if you are a beginner. In the Metasploit console, we can easily set a few parameters and spawn a shell. You will have a “shell” but not know what is going on. In most cases, it is spawning a shell on the target or setting up netcat on the remote side as a backdoor for you to access.
For reference, the tutorial “Hacking with Netcat part 2: Bind and reverse shells” from Hacking Tutorials shows how to set up a backdoor using nc; it builds on the Netcat basics covered in part 1 of that series.
After you get a reverse shell, the next thing you want is a proper terminal for input/output. Without this, you will run into trouble with vi/nano/less/more:
I hope this helps you find the foothold and the flags.
Good luck hunting.