I've been quite active in the HTB discord, helping people out. And I've come across quite common problems that are not directly HTB related, but instead about common computer knowledge. I have listed here some of the stuff I get asked help on often. This page has no sources (other than my head, and thats not proper) and the information might be "about right", but it works for me and for HTB.
This stuff can be learned from OTW Bandit or Pentesterlab few first badges.
SSH is a basic encrypted remote terminal connection mostly used in unix systems, but also in other platforms.
In HTB, you will notice ssh service being on almost every linux box. I have not come accross a single box where ssh would be the service to exploit.
In SSH, most common authentication methods are username/password or username / and rsa-key. In the case of an rsa-key.
If you are authenticating with a password. you are connecting like:
ssh user@server.htbThe ssh client will ask you for the login password of the user.
ssh -i id_rsa user@server.htbwhere id_rsa is the private key. The ssh client might ask for a password here too. Please see the password prompt if it is asking for the password for the key id_rsa or for the users logon password. If the prompt asks for the id_rsa password, the key is ecnrypted and you need to find the password, or crack it. If the client prompts for the user's password, the key is either not accepted on server or there was some error. The error is usually presented.
USUALLY the id_rsa resides in /home/[USER]/.ssh , but it does not have to be there. This is the default location where most linux SSH servers and clients look for it. This can be changed in configurations. When not using the -i param in ssh command, the id_rsa here is tried first, if the configs are not changed. The id_rsa needs to have strict permissions.
chmod 700 id_rsaSo only the owner of the file can read it. Otherwise you cannot use it.
Also one interesting thing is that because people do not know how to use SSH -keys, I often get the question "I got this SSH key, but I cannot decrypt it. How do I decrypt it?"
I have yet to come across a case where I would need to decrypt and SSH key. And truth be told, I have never tried, so I would not know how.
Sudo is a tool on many (but not all) Linux distributions, which allows you to run commands as another user, commonly root. There is a lot of documentation on sudo online, for example:
So, I'm not going to go through a whole sudo tutorial here, but a few selected commands usually needed in CTF.sudo -l lists the sudo privileges the current user has. If you have anything you can sudo without a password, this command does not require a password either. (Tell me if I'm wrong) (ALL) NOPASSWD: /bin/ls. This would mean that the command ls is executable as any other user without a password. There is an URL like megacorp.htb, but my browser can't find it.
Usually URLs are resolved with a DNS server. Your system has a DNS-server configured. When you ask for an url like google.com, your system will ask the set DNS-server for an IP address to find google.com in.
HTB-addresses are not hosted on any DNS-server, so you need to map them manually. The hosts-file maps HOSTS to IP-Adresses. This is the place where it is told where localhost is for example.
In unix systems, the file is usually /etc/hosts
In windows, usually: c:\windows\system32\drivers\etc\hosts
The format is a host per line. For example
127.0.0.1 localhost
or
10.10.10.197 multimaster.htb
After adding that line, you can connect to multimaster.htb with any network software that uses domain names, like a browser.
In HTB as well as in real life, you will come across services that do not use http protocol. Many of these services have their own clients, for example: as mentioned SSH, also FTP, DNS, DS, SMB, WinRM ... the list is long.
So, before you fall into despair on these services, that "Why wont my firefox open this?". Try to google or check kali (or whatever system you are using) or the protocols documentation on a client or an scanner / exploitation tool for the protocol.
If such a tool or client cannot be found, or the service is unregognized by the scanner or you, try netcat (usually nc on linux or nc.exe on windows) or telnet for connecting to the service.
NOTE! scanners like nmap, can usually try to identify the service in question. In nmap the parameter is -sV for service detection
When you run into a login page, and you dont have the credentials for it, as tempting as letting the computer do all the work, thats not usually the right action. Hackthebox is meant to be a gamified teaching platform. By bruteforcing a password, you are learning quite little. Maybe the one command. Sure, in some places bruteforce will work, as HTB quite often uses simple passwords. But if you bruteforce the login page, you are most likely missing the point of the exercise and making it hard for anyone else to do it correctly either. As a load towards the server, bruteforcing is basically a denial of service (DOS) from a single point. If there are several people, like on public servers, it becomes DDOS ( distributed denial of service) and then the box will go stuck and everyone will complain. So please do not bruteforce.
So why did I wrote never like never? So that we can draw a fine line. Spamming a online login form with a password list or symbol by symbol can be considered bruteforcing. Cracking a hash or a ssh-key with john or hashcat, is not bruteforcing
as far as what we are talking about here. Those actions could also be considered bruteforcing, but they are not disruptive.
Other actions someone might consider bruteforcing (but I dont):
FUZZING (params, param values, directories, subdomains).
DIRBUSTING (files, directories)
I'm trying to run this and that from my smb server but it disconnects as soon as it connects
If you are trying to run a reverse-shell or a another piece of software remotely by accessing your samba-share from the victim windows host, do not use the impacket's smb-server.
The smb-server in inmpacket seems to work well for trasferring files, but not so well for running files. My guess is, that it does not handle open pipes well, just a guess.
My go-to solution is to use the actual samba-server from package manager (apt in kali).