
Hack the Box – Pentesting Labs for Free - Fake4d
https://www.hackthebox.eu
======
Maven911
Asking the Hive Mind who might play with HTB, vulnhub and other labs (OSCP
paid one):

1\. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well
known tools - what other tools are often used by pen testers?

2\. How is MFA beaten in today's enterprises?

3\. Do most engagements assume one is already in the network? If not, how
does one scan (basic OSINT towards their externally facing website, but let's
assume that is very secure)?

4\. How well do pen testers know the defense side and the amalgamation of so many
defensive tools - how do they learn what to beat? Is it really as simple as
trying to fingerprint and then looking for known vulnerabilities on msf? Or do pen
testers not care if xyz enterprise is using this version of Palo Alto or a
Carbon Black EDR, etc.?

e.g. Alphabet soup of products in a large enterprise for defensive solutions -
NGAV, EDR, SIEM, honeypots etc. etc.

5\. How do you keep up, aside from Reddit?

6\. Any advice to future job seekers working their way into learning more
infosec?

~~~
001spartan
1\. Dozens (if not hundreds) of tools are used. It's all about personal
preference, and what you're used to. Personally, I don't often use most of the
tools you mentioned except Mimikatz; I use a commercial framework paired with
many open source or private PowerShell scripts and .NET tools.

2\. Something like evilginx2 can provide man-in-the-middle functionality for
stealing MFA tokens, or I try to find endpoints that have misconfigured or
absent MFA.

3\. It depends on the engagement. We like assumed breach scenarios because
they're more effective for the time and money involved, but clients want
entirely black-box engagements fairly often as well. Otherwise, I'll focus on
using OSINT to develop a phishing target list, assuming I do basic scans
against the organization's external network footprint and don't find anything
egregious.

4\. It's all about experience. You have to come up against the tools, and then
see what works. It's really a lot of trial and error, though a lot of common
bypass techniques will work against multiple products. There's no
one-size-fits-all bypass.

5\. Twitter, public Slack channels, and research performed by myself and my
coworkers.

6\. Learn soft skills. It's easy to teach someone how to do the technical part
of the job, but you have to be able to communicate it to stakeholders.
Technically, you should focus on the areas that interest you, but ensure that
it's something used by the types of clients you're doing work for. It doesn't
help to know the latest and greatest Linux attacks if none of your clients
even know what Linux is. It doesn't help to be a badass web application
pentester if you're expected to be able to move through a large Active
Directory environment. Personally, I focus on Windows and Active Directory
environments.

~~~
Maven911
Thanks for the detailed response!

------
tptacek
JFYI: There's a rule on HN that "Show HN's" can't just be sign-up pages or
require invite codes; people have to be able to actually interact with
whatever you're "Showing".

~~~
bwbw223
I mean you're kinda supposed to hack your way into getting an invite code...

~~~
elvecinodeabajo
True. The invite code is a first hacking test. There is this message on the
website: "Feel free to hack your way in :)".

No invitation needed, it's just the first puzzle.

------
Kurtz79
For those that have been using the service and have actual pentesting
experience, how applicable are the challenges to the real world?

Similar challenges I took in the past seemed like fun games, but still games.

~~~
CyberBank
YMMV, but in my experience the biggest difference between these platforms and
the "real world" is the amount of data available (generally). At big companies, if
you were to run a red team exercise or pen test, most of the probing and data
gathering you do is on confluence, open git repos, and other places of
documentation. Not running nmap or sitting in the middle of two services and
inspecting packets. That's not to say that more advanced testers don't employ
those methods, but the reality is, the most effective way is to expose
yourself to the data available in front of you.

Disclosure: I run Vulnerability Management and Assessments globally for one of
the largest companies in the world.

~~~
Maven911
I've been trying to learn infosec for a few years now with the eventual goal
of either an offense or defense role. I plan to work on my OSCP next.

I have a few basic questions please:

1\. Aside from: linux cmds, nmap, metasploit, sqlmap, mimikatz, kali's well
known tools - what other tools are often used by pen testers?

2\. How is MFA beaten in today's enterprises?

3\. Do most engagements assume one is already in the network? If not, how
does one scan (basic OSINT towards their externally facing website, but let's
assume that is very secure)?

4\. How well do pen testers know the defense side and the amalgamation of so many
defensive tools - how do they learn what to beat? Is it really as simple as
trying to fingerprint and then looking for known vulnerabilities on msf? Or do pen
testers not care if xyz enterprise is using this version of Palo Alto or a
Carbon Black EDR, etc.?

e.g. Alphabet soup of products in a large enterprise for defensive solutions -
NGAV, EDR, SIEM, honeypots etc. etc.

5\. How do you keep up, aside from Reddit?

6\. Any advice to future job seekers working their way into learning more
infosec?

~~~
CyberBank
I've replied to your thread level comment, but please do feel free to reach
out to me if you want any advice or discussion: i@willcode.it

~~~
mdaniel
Foremost, I'd also like to say thank you for providing such a detailed reply
to the top level comment.

But I also wanted to extend my admiration of that very crafty email address.
I'm sorry I didn't think of it first.

------
Peyphour
I've been on HTB for 4 months. If you want to get into pentesting this is a
very good resource. If you reach the "Pro Hacker" level you should be able to
pass OSCP first try.

~~~
bitcoinmoney
What is OSCP about? What's the salary range for this type of job?

------
rishabhd
Nice!

Also recommended are pentestit.ru, Pentester Academy and boxes hosted on
vulnhub. Apart from the Offensive Security labs, of course.

~~~
ifoundthetao
100% agreed

I love Pentester Academy. I've had a subscription to it for the last year or
so.

And OffSec is nice, too. I've got OSWP, OSCP, OSCE, and I'm in the Black Hat
training this year for OSEE. So we'll see how that goes. I haven't tried their
On-Prem labs though, but I think they'd be pretty fun.

~~~
sogubsys
I've browsed the assembler courses on Pentester Academy a few times. I'm not
sure I'm up for being a pentester, but I do like the particulars of assembler
and CPUs.

Would you recommend those courses in particular (looking at the amd64 and arm
ones)?

~~~
ifoundthetao
Yep, they're great courses. Make sure you actually do it.

Vivek is an excellent instructor, and he goes from nothing to getting you up
to speed pretty quickly.

The first parts might be a bit dry, because it's a lot of architecture and
theoretical stuff. But after you get through that, and start doing things,
you'll find that it's awesome.

Also, if you don't want to be a pentester, you might find a particular
affinity for exploit development. And that's a niche field that pays well.
That's where I'm going with my training, research, job. Not easy, at all, but
it's deep, and fun.

~~~
rishabhd
Absolutely agree! Vivek's ASM tuts are amazing. Additionally, Nikhil's red
team lab is highly recommended.

~~~
sogubsys
Will check that one out. I only have a rough idea of what a red team is
(abstract, some books, etc), but no practical experience with it.

------
bawana
I don't get it. Why not put a PC on your LAN and try to hack that? What is the
benefit to me here? How do I know that the 'labs' I am participating in are
safe? Are they honeypots? Or perhaps I am just being used in a covert plan to
crowdsource an attack on a vic?

~~~
rc_hadoken
Yeah, you don't get it. Have you even read the website? Like... why are you
jumping onto the fear bandwagon before understanding what hackthebox is about?
When you fill your car with gas, do you worry about an oil tanker spill?

------
FrankSansC
This first challenge seems to be able to generate an invite code.

~~~
afterparty
Yea, I was hoping to sign up too, to try it out!

~~~
stedaniels
The clue is on the page... "Feel free to hack your way in :)" It should take you
a moment or two if that's your mindset, a little longer if you need to brush
up on your JavaScript, or a little quicker if you Google a walkthrough :-)

~~~
sucrose
I tried to do a SQL injection on the invite code form and they blocked my IP
for 15 min. I guess some techniques aren't allowed.

EDIT: Switched my target to the front-end and was able to get in pretty
easily.

------
unixhero
It's so much fun. With the exception of losing hard earned points when a box
is retired.

------
KangLi
I need an invite code. Please help :)

~~~
chronal
As the other comment said, go around with/in JavaScript.

------
dod9er
What does VIP cost?

~~~
ifoundthetao
I had it last year, I think it was $150 USD when I paid for it.

