I’m having a lot of fun working through the easy boxes, but I want to make sure I’m learning and not just following writeups. I do feel myself getting better but there are some things that I feel I just would not know unless I followed a writeup first.
Things like knowing which directories should stand out, or what files seem interesting, or even picking up on the “hint” implied by the name of some of the boxes. Just knowledge of common exploits that as a beginner I just haven’t heard of.
Should I just keep plugging along, making notes of when I find something new? Or should I be doing more homework first? Just curious how some of you who are more experienced learned and if I can do any more to be more independent when working on boxes. Thanks!
Disclaimer - I am not a pentester.
Keep in mind that the boxes here are CTF boxes. This means they have a way to be exploited and may (often with the easy boxes) be configured in an unusual manner to allow people to find the path to victory.
I’d like to think that in real world pentests, server names don’t give immediate clues to exploitation (although if the name is something like PRODXPSERVER it might).
So to sort of answer the question - an awful lot of it is down to experience which comes from practice and exposure.
If you know Linux inside out, when you search for SUID binaries you can quickly identify the ones which aren’t “normal” - and in a CTF this nearly always means “path to root.” Same with Windows - the more you understand it, the quicker you can spot things like unusual group memberships or privileges.
Other than that, plugging away is critical. When you see a webserver, start with one thing and keep working through things until something works.
When you read a write up - or ask for help - it can seem like everyone else immediately knew how to exploit the box. But this really does hide the fact that people may have tried hundreds or thousands of things which haven’t worked. Don’t let this demoralise you - it is super rare for people to get an exploit the instant they see something.
As an example, there are some boxes where first blood took ~12 hours, but when you follow the walkthrough you can root it in an hour. This is a very good indicator that even the fastest at exploiting the box had to try lots and lots of things.
tl;dr - persistence is everything and the more you persist, the faster you become.
Fair enough, thanks for the thoughtful response. I don’t mind the hard work and trial and error, in fact it’s half the fun, but I do want to learn and get better as well, so I want to make sure I’m taking a productive approach. Your response was very encouraging.
I completely agree that there are plenty of things on HTB machines where you have very little chance of figuring it out unless you’ve encountered it before. But now you’ve encountered it and found out how to deal with it from a walkthrough or a hint etc., so next time you see something similar, well, now you have encountered it before and have some idea what to do.
The first time I came across a machine on HTB that required use of the Impacket GetNPUsers script I had no idea that script even existed and had to ask someone for a hint. But once I knew about it I used it, researched it, and ended up making a video teaching other people about how it works. Now I’ve used it on a few HTB machines without needing to ask for any help with that.
We all want the satisfaction of completing challenges and machines on our own without needing help, but if you really want to learn then I don’t think you should be too strict about that. All that does is waste time with you bashing your head against a brick wall getting nowhere (and probably eventually resorting to asking for help or reading a guide anyway). Once you’ve got enough experience you’ll start to solve “problems” without even realising you would have got stuck there in the past.
In general though I don’t think learning hacking/pentesting can be any different to learning literally anything else: you get better by practising and by learning new techniques.
This applies to pretty much every job or skill… people see someone who is an expert in that area (while they are still a beginner themselves) and they ask them what the secret is to getting that good. 99% of the time the answer is a lot of practice. There’s no shortcut, unfortunately. If there was, then everyone would be an expert.
** Disclaimer **
I am not a professional pentester either.
What I did do is spend a lot of time and money in graduate school studying this. I hope that I can say this without being disrespectful, but I found it to be of very little use.
I was 100% lost when I started HTB. But if you’re taking a break between Netflix shows, or put down the Call of Duty for a second, it’s a great thing to put some music on in the background and start some enumeration. Then you see something odd… which leads you to another something odd… then you get user. It’s also been about 4 hours and you didn’t even notice it.
It’s not so much memorizing things as discovering the techniques and procedures that work for you. Get your method. Assemble the tools you like. Rock it.
Give yourself permission to browse the forums for hints. Ask for help. No one knows everything, but in bunches, you start to get the idea. In most cases you’re closer than you think.
Pretty soon, people start asking you for help. You’ve gotten better and didn’t even realize it.
@MorpheusDark said:
Give yourself permission to browse the forums for hints. Ask for help. No one knows everything, but in bunches, you start to get the idea. In most cases you’re closer than you think. Pretty soon, people start asking you for help. You’ve gotten better and didn’t even realize it.
+1 couldn’t agree more
@MorpheusDark said:
Give yourself permission to browse the forums for hints. Ask for help. No one knows everything, but in bunches, you start to get the idea. In most cases you’re closer than you think.
I think this is critically important and I couldn’t agree more.
There is nothing wrong with asking for assistance or looking things up. It is insane to think you need (or can) know everything about every possible exploit. As long as you learn from the help, asking for it makes absolute sense.
One thing I would add - and this is common to all CTF platforms - is that there is a pressure for unique exploitation paths.
For example (and I am using old boxes here so it isn’t a spoiler) - to root Carrier you had to perform a BGP hijack to intercept traffic. I can’t imagine many people knew how to do that in advance or have done it on any other box here.
This isn’t a bad thing, but it does mean you can feel a bit overwhelmed with the number of topics you feel you need to “learn”.
I appreciate the discussion. It’s encouraging to hear that these things shouldn’t be overwhelmingly obvious to a beginner. Thanks to TazWake’s response before and now with the addition of other responses, I feel much better about not seeing the route right away.
My approach so far has been to just get as far as I can, collect as much interesting info as I can, and then peek at the writeup, even just to see the Skills Required/Skills Learned, and I read up. I slowly work through, take notes, etc. until eventually I can get the flags. As another challenge to myself, I like to not submit any flags unless I can reach them without a walkthrough. Not so much to memorize the steps, but to solidify the things that stand out in a system so that I can recognize them and they can give me a lead in future machines.
Having a lot of fun with it so thanks again for the encouragement!