How to stay safe on HTB - checklist

In HTB rules
pt 5 says
“The network is built in such a way that direct communication between two member systems is prohibited.”
pt 6 says
“HTB Network is filled with security enthusiasts that have the skills and toolsets to hack systems and no matter how hard we try to secure you, we are likely to fail :P”

Despite pt 5, if you think about it, its actually trivial to start attacking other members. That made me think of what one should do to limit the attack surface.

My current suggestions would be :

1. If you are using VM to connect to HTB, change default user password and disable ssh login (if not required) or set to key based login only
2. If you are using VM, keep your VM software up to date. There are some that have ‘escape to host’ vulnerabilities
3. If your router supports multiple networks (i.e. guest WIFI) - create separate for HTB and use that
4. Keep you router firmware up to date and disable unneeded services (i.e. DNSMasq on by default in DD-WRT. patch or disable now !)
5. Try to hack your own lab machine. See what else you can find can be abused

I’m interested to hear other suggestions.

I agree with most parts apart from securing the router on the specific context.
The only IP that could be discovered by another member would be your private VPN IP (10.10.14.x) therefore they could not attack your router (since they will not know your public IP.

To add on your list, I would also say “Do not hold any personal data on the VM you use to play on HTB.”

Finally I believe it is not needed to say that you should not route traffic from HTB VPN to your home/business network.

The reason I mention router and having separate network is that despite you best efforts your VM can become compromised. Surely you have active connection to your router from VM as you must have internet somehow. If you don’t create separate network, it also opens all the other devices on the network as potential victims and these can be attacked. NAS, rpi lying somehwere, wifes old Win XP Laptop, TV ?
Unless I’m missing something. How should you configure you network interface for VMs ?From all the options I’d think its NAT, no ?

trade your XP wife for a OpenBSD one.

You have a point Also, upgrade your wife’s laptop!

Hey guys, I’m a complete noob who just heard about this and wanted bragging rights that I’d gotten in. I didn’t realize you needed a VM and all to stay safe here. I want to ask if I’m safe on the dashboard at least. I don’t want to buy a VM right now as we just bought a house and are a bit low on cash. I’m not that interested in the hacking as I need to learn it first, so I just want to know if the dashboard is safe. Would appreciate an answer!

@ChancellorCeti said:

Hey guys, I’m a complete noob who just heard about this and wanted bragging rights that I’d gotten in.

Welcome.

I didn’t realize you needed a VM and all to stay safe here. I want to ask if I’m safe on the dashboard at least.

The dashboard is a website. You are as safe on that as anything else on the internet.

I don’t want to buy a VM right now

VMs are free.

as we just bought a house and are a bit low on cash. I’m not that interested in the hacking as I need to learn it first,

Ok, you might want to read through other threads rather than this very, very old one.

so I just want to know if the dashboard is safe. Would appreciate an answer!

The dashboard is as safe as anything on the internet. HTB is largely as safe as anything on the internet. If an attacker can get to you over the HTB VPN, they can get to you anyway

Thanks for the tips, I’ll look through some other threads. I really got scared by this, so this was really helpful.

Type your comment> @sajkox said:

In HTB rules
pt 5 says
“The network is built in such a way that direct communication between two member systems is prohibited.”
pt 6 says
“HTB Network is filled with security enthusiasts that have the skills and toolsets to hack systems and no matter how hard we try to secure you, we are likely to fail :P”

Despite pt 5, if you think about it, its actually trivial to start attacking other members. That made me think of what one should do to limit the attack surface.

My current suggestions would be :

1. If you are using VM to connect to HTB, change default user password and disable ssh login (if not required) or set to key based login only
2. If you are using VM, keep your VM software up to date. There are some that have ‘escape to host’ vulnerabilities
3. If your router supports multiple networks (i.e. guest WIFI) - create separate for HTB and use that
4. Keep you router firmware up to date and disable unneeded services (i.e. DNSMasq on by default in DD-WRT. patch or disable now !)
5. Try to hack your own lab machine. See what else you can find can be abused

I’m interested to hear other suggestions.

Great suggestions.

For a start, run linpeas on your own machine. I routinely do that, and routinely display a window with netstat showing me the connections on my machine.

Hey. I’m using a VM with Kali. But I don’t know how to configure my VM (VirtualBox Settings) to keep my host-system safe.

Is it possible, that an attacker can break out of my VM to compromise my host?
I’m reading about different Network-Settings in VirtualBox, but no one has properities like ‘The VM has ONLY access to the internet’. The reason for this sounds trivial: the gateway lies in the LAN, so the guest needs a connection to the LAN. Something like a ‘tunnel’ between guest and LAN-Gateway can’t exist, can it?
I can ping my host and other devices in hosts LAN from my VM. Pinging back isn’t possible (depends on VirtualBox Network Settings). For a noob like me, it sounds like an attacker CAN compromise my guest respectively the LAN.

@tXxc said:

Hey. I’m using a VM with Kali. But I don’t know how to configure my VM (VirtualBox Settings) to keep my host-system safe.

Is it possible, that an attacker can break out of my VM to compromise my host?

Questions like this are difficult to honestly answer. Information security is full of vague situations.

Is it possible - the answer has to be “yes it is theoretically possible” but that might not be what you are really asking.

For example, if a nation-state has developed a way to escape Virtual Box sandboxing to attack the host, that isn’t the same as some random internet attacker looking to get a coinminer running.

In technology, most things are possible, (Stuxnet demonstrated an attack which can jump air gaps in 2009), even the ones we think are impossible are just down to no one having achieved it yet.

The better way to think is to focus on “Is this likely”.

The more steps an attacker has to get through, the less likely it is they will work.

I’m reading about different Network-Settings in VirtualBox, but no one has properities like ‘The VM has ONLY access to the internet’. The reason for this sounds trivial: the gateway lies in the LAN, so the guest needs a connection to the LAN. Something like a ‘tunnel’ between guest and LAN-Gateway can’t exist, can it?

Well, it feels like you are describing a VPN tunnel but I’m not sure where this is going.

I can ping my host and other devices in hosts LAN from my VM. Pinging back isn’t possible (depends on VirtualBox Network Settings). For a noob like me, it sounds like an attacker CAN compromise my guest respectively the LAN.

The simple answer is that it is possible. But that is an oversimplification.

As a counter question - why are you asking this? Is it a generally theoretical question about VM escaping? Or (based on the threat title) are you asking about an attacker getting access to your host via the HTB connection on Kali?

If it is the latter, turn it around. If you were going to attack someone identical to you, would you do it that way?

Or would you just attack the host directly?

For the HTB attack you need:

• to be on the HTB network itself which means you have no anonymity to the HTB staff (who can track the VPN connection you’ve used and associate that with an account if nothing else)
• to be on the same part of the HTB network (for example EU server, US server, VIP server etc), which may increase the knowledge HTB have about you.
• to find the IP address of the victim which, while it can repeat, is not guaranteed between connections.
• mount an attack while the VPN is open or have an esoteric way of attacking over HTB but using a direct internet connection as C2 (rather than just attacking over the internet in the first place)
• find a way to compromise your Kali machine. This is harder than you might think as even if you have things like SSH open, it doesn’t provide the foothold people might think it does.
• establish a foothold on your machine and break out of the VM before the OpenVPN session is terminated
• find a vulnerability in the Host which allows the escaped attacker access from what was the Kali host.

Now all of this is possible but there are much, much easier attack paths for pretty much every attack.

At the most basic level, the attacker moving from Kali to Host is effectively the same as attacking the host directly. (yes there are some caveats around network segmentation but unless your host is on Windows XP, home networking is fairly robust now as well).

All the attacker has done here is to add some incredibly complex steps when they would be better off sending a phishing email, spoofing a legitimate site or attacking your networking hardware.

For me, the key point to remember is that if you think there is a significant risk from the VM to HTB connection, you might not want to connect your computer to the internet.

For me, using HTB is probably one of the lowest risk activities I do on the internet. The need to regularly pull new git repos, pip packages etc from the internet means you are never going to fully isolate your environment.

However, attacks from the HTB network are going to be orders of magnitude less than attacks from the internet in general. It feels that sometimes the threat models become a bit distorted here.

It is true that a sufficiently resourced and motivated attacker targeting a specific individual may have the time/capability to make an attack over HTB. Even in this very rare case, I believe there would be hundreds if not thousands of easier routes they could take.

Obviously, this is very generalised, but if you have hardened your host OS sufficiently that an internet-based attack is minimised, a lot of this will also defend against a VM breakout attack. If VM breakout is a legitimate attack, you really need to make sure every device (router, TV, PlayStation etc) is suitably hardened as well - attacking them is still a LOT easier than getting an attack from HTB into Kali then doing a VM breakout.

Type your comment> @TazWake said:

@tXxc said:

Hey. I’m using a VM with Kali. But I don’t know how to configure my VM (VirtualBox Settings) to keep my host-system safe.

Is it possible, that an attacker can break out of my VM to compromise my host?

Questions like this are difficult to honestly answer. Information security is full of vague situations.

Is it possible - the answer has to be “yes it is theoretically possible” but that might not be what you are really asking.

For example, if a nation-state has developed a way to escape Virtual Box sandboxing to attack the host, that isn’t the same as some random internet attacker looking to get a coinminer running.

In technology, most things are possible, (Stuxnet demonstrated an attack which can jump air gaps in 2009), even the ones we think are impossible are just down to no one having achieved it yet.

The better way to think is to focus on “Is this likely”.

The more steps an attacker has to get through, the less likely it is they will work.

I’m reading about different Network-Settings in VirtualBox, but no one has properities like ‘The VM has ONLY access to the internet’. The reason for this sounds trivial: the gateway lies in the LAN, so the guest needs a connection to the LAN. Something like a ‘tunnel’ between guest and LAN-Gateway can’t exist, can it?

Well, it feels like you are describing a VPN tunnel but I’m not sure where this is going.

Yeah it could be a VPN between the Virtual Network Interface (on my host) and a VPN-Gateway/Router. The reason for this is to keep host and LAN safe, IF an attacker (from the HTB network) manged to hack into my guest system (Kali). It’s like I said, I am a noob, but I think via the VPN-Connection to the HTB-network, skilled people can access to my guest. And after this step, they got a network-connection to my host/LAN. Or do I overlook an essential aspect?

I can ping my host and other devices in hosts LAN from my VM. Pinging back isn’t possible (depends on VirtualBox Network Settings). For a noob like me, it sounds like an attacker CAN compromise my guest respectively the LAN.

The simple answer is that it is possible. But that is an oversimplification.

As a counter question - why are you asking this? Is it a generally theoretical question about VM escaping? Or (based on the threat title) are you asking about an attacker getting access to your host via the HTB connection on Kali?

It is the second sentence You are right.

If it is the latter, turn it around. If you were going to attack someone identical to you, would you do it that way?

Hmmm… theoretically I would do a portscan against my victim to find flaws. Or is this step not even possible? Via the VPN-connection to the HTB-network this could be possible…
After that I would try to hide a backdoor on the victims guest, which I just can use, if the VPN-connection to HTB is active. But it could be question of the settings of the backdoor.
If I could manage to get permantent connection to the victim, I can access his host/LAN (if he is using a VM) via the standard network connection between guest and host/LAN.

Or would you just attack the host directly?

For the HTB attack you need:

• to be on the HTB network itself which means you have no anonymity to the HTB staff (who can track the VPN connection you’ve used and associate that with an account if nothing else)
• to be on the same part of the HTB network (for example EU server, US server, VIP server etc), which may increase the knowledge HTB have about you.
• to find the IP address of the victim which, while it can repeat, is not guaranteed between connections.
• mount an attack while the VPN is open or have an esoteric way of attacking over HTB but using a direct internet connection as C2 (rather than just attacking over the internet in the first place)
• find a way to compromise your Kali machine. This is harder than you might think as even if you have things like SSH open, it doesn’t provide the foothold people might think it does.
• establish a foothold on your machine and break out of the VM before the OpenVPN session is terminated
• find a vulnerability in the Host which allows the escaped attacker access from what was the Kali host.

Now all of this is possible but there are much, much easier attack paths for pretty much every attack.

Okay. I think I just summed up your description in my answer above

At the most basic level, the attacker moving from Kali to Host is effectively the same as attacking the host directly. (yes there are some caveats around network segmentation but unless your host is on Windows XP, home networking is fairly robust now as well).

All the attacker has done here is to add some incredibly complex steps when they would be better off sending a phishing email, spoofing a legitimate site or attacking your networking hardware.

I think I am missing some basic steps… I can use nmap for example to scan my host/LAN from the guest. so… an attacker could do this step to (after he establishs a foothold on my guest). Thats the reason, why I am asking

For me, the key point to remember is that if you think there is a significant risk from the VM to HTB connection, you might not want to connect your computer to the internet.

@tXxc said:

Yeah it could be a VPN between the Virtual Network Interface (on my host) and a VPN-Gateway/Router. The reason for this is to keep host and LAN safe, IF an attacker (from the HTB network) manged to hack into my guest system (Kali). It’s like I said, I am a noob, but I think via the VPN-Connection to the HTB-network, skilled people can access to my guest.

How?

As a term “can” is too broad to be useful when it comes to working out risks in Information Security. Skilled people can also break into your house and steal your computer. Skilled people can kidnap your family and demand information.

The range of things which can happen is often unbounded.

There isn’t anything people can do over the HTB VPN that they cant do over any other internet connection to either your VM or your host OS.

In 2017 when this thread started, if you installed a default Kali with root/toor as the username/password, enabled SSH and turned off your firewall, it is possible for an attacker to SSH into your machine if they know your IP address.

Even then, the attack required you took active measures to expose things.

If you have an even slightly more recent build of Kali, or simply haven’t opened the SSH server, that attack no longer works and they’d need to find something else.

Simply having a machine on the network doesn’t make it vulnerable.

And after this step, they got a network-connection to my host/LAN. Or do I overlook an essential aspect?

Sort of, but mostly you may be thinking that possible = likely/probable.

If they are capable of getting a foothold on your Kali machine they still need compromise your host OS.

The only advantage they get from this attack is that you might have configured your host OS to expose vulnerable services on connections it thinks are “internal.”

If you haven’t done this, the attack is still the same as if they were on the internet.

Hmmm… theoretically I would do a portscan against my victim to find flaws. Or is this step not even possible? Via the VPN-connection to the HTB-network this could be possible…

You are oversimplifying the attacks. Try to think how you would actually do any of this.

So to do a portscan against the host OS, ask yourself how many other things you have had to do first.

You cant, on your kali instance connected to the HTB VPN, run a portscan against my Host OS while I am connected to the HTB VPN.

For even this portscan to work you’d need to:

• find my IP
• be able to access it (are you on the same VPN connection as me?)
• find a vulnerability in my Kali machine
• find a way to exploit that vulnerability
• successfully exploit the vulnerability
• get a foothold which allows you to portscan (probably root)
• run the portscan without triggering any host based protection I have on my host OS

At this point, for most builds, it is going to be beyond the effort needed for an insane box here - simply because we dont tend to build our machines with an attack path in mind.

After that I would try to hide a backdoor on the victims guest, which I just can use,

That’s some leap from portscan to backdoor. You need to exploit the host. Chances are you aren’t running Joomla/Wordpress to serve an unpatched system to internal devices.

If you have an old, unpatched, windows OS as the host, ETERNAL BLUE might work but then you’d be pwnd from the internet every 10 seconds.

Beyond that, what services are you exposing which an attacker can target like this?

if the VPN-connection to HTB is active. But it could be question of the settings of the backdoor.

Your tunnel only works while the victim is connected. The next time they connect you may not know what their IP address is. If they have AV or HIPS you have to defeat this (and good luck getting this past Windows 10 Defender).

If I could manage to get permantent connection to the victim,

How? If you can get a permanent connection via an internet attack you wouldn’t need to do this at all.

The problem with “if” statements in this is that every one makes the attack harder and less likely.

The attack path is now looking like if a and if b and if c and if d and if e and if f - each step is a new hurdle. In mathematical terms, assuming each “if” has a massive 10% chance of being successful you’d be looking at 0.0001% chance of success.

Instead, the attacker could just attack your host over the internet.

I can access his host/LAN (if he is using a VM) via the standard network connection between guest and host/LAN.

So my point here is you need to determine what (if any) advantage this gives an attacker.

If there is one, you need to disconnect or harden everything on your network because an attacker will pop an IOT device a lot faster than they will get into Kali via a HTB VPN.

I think I am missing some basic steps… I can use nmap for example to scan my host/LAN from the guest. so… an attacker could do this step to (after he establishs a foothold on my guest). Thats the reason, why I am asking

Yes. If an attacker can find a way to compromise your Kali VM, they can use nmap to scan your network.

An nmap scan is not the same as compromising a device (as you will see on most HTB boxes).

They dont need to compromise your Kali VM to run nmap against your host but I assume you are thinking more about the different firewall postures meaning an “internal” nmap will be different from an external nmap. This is true.

If you are running from a home network, your ISP may be providing a firewall but your host probably has HIPS/Host Based Firewall as well. This can be surprisingly effective. If your home network has any other device on it (printers, alexa, TV, speakers, IoT devices etc), then these are significantly easier to compromise.

Rather than think “evil will sneak across HTB and attack”, it is orders of magnitude more likely that evil will pwn something else and attack.

The simplest answer is run HIPS on your host and dont host vulnerable services internally or externally.

Do either of them and you’ve pretty much eliminated the attack vectors.

If you dont do either of them, internet-based attackers are a million times greater risk than an HTB attacker.

@sparkla said:

One thing I need to bring to the table though is the possibility of social engineering.

Totally agree. This is a much easier approach for an attacker but isn’t limited to HTB forums.

Just a reminder: The forums aren’t the HTB network. Anybody can register afaik. And that can go through VPNs or TOR, meaning HTB staff knows jack about those accounts.

Again I totally agree. However, this is, I feel, a separate discussion.

Yes, anyone can register a forum account and use this to socially engineer a victim into something and HTB have no insight into who they are. But that has nothing at all to do with the HTB network or VPN.

It is one of the reasons why I dont think it’s worth worrying about attacks coming over the wire from the HTB network. There are so many easier ways which allow the attacker to remain anonymous and dont require nation-state skill sets.

Hello guys, I am new here. I am 30 years old and I work as network engineer. I was always interested in hacking area and now I decided to learn it and maybe change job in future. Hopefully it is not too late.

I don´t use VM, instead I use kali live cd with persistency on my 128GB USB that is booted on my desktop computer as I want to use full power of it and especially I do not want to be disturbed by regular stuff during my learning/hacking sessions.

In this topic main discussion was about security from VM point of view. What about kali live CD point of view? Should I be worried? Is it good way or better to prepare dedicated laptop for hacking purposes?

In Kali live cd I have accessible SSD and HDD with personal stuff. Should I somehow unmount these disks for security reasons?

And one more question. When it comes to pentest there are many topics how to do it, tools, etc. but I did not find a topic how to secure own attacking machine. I guess there are more things to do than install Kali. Is there any resource/guide that explain how to secure attacker machine?

As I am new in this field, my information resource database is small so I am looking for your recommendation.

Thank you in advance.

I used to run everything on bare metal Windows/WSL, but have recently move to HyperV/Kali for anything CTF related. Still find VMs to be a hassle to deal with, particularly the back and forth between host and VM when you are working on academy stuff. I very much prefer to access everything from within the VM, including access to various personal accounts (Google, Discord etc).
Curious to hear what you consider best practises. Do you access your personal stuff from within your VM instances or is this considered a big no-no?