One month of HTB: Impressions and tips from a noob!

Tutorials Other
,
1

Hello everyone!

So I am here about one month and I am really enjoying my time here, it has been a crazy learning experience and I want to share my thougts and give some tips for peoples that, like me, is new to infosec!

If you are really new I would suggest you to have some particular set of skills before starting cracking some boxes here:

  • Linux: Of course, you need to know your way into linux terminal, how to navigate throught folders, read files, install programs, update lists. If you don’t know these things yet you should check the Linux Fundamentals PDF (http://linux-training.be/linuxfun.pdf) and do the overthewire.org wargame called Bandit. These two, especially the wargame, will give you a solid base knowledge about things that you will use.

  • Programming: You will need to read lots of codes in order to understand what is going on in a page, or to get why your exploit its not working. So, it is important to know how to program. If you dont know yet, try python! Its a great beginner language, really good to use with linux and it is heavly used in security. There is this course that will help you a lot: Think Python 2e – Green Tea Press

  • Basic network: How TCP/IP works, what is a DNS, SMTP, telnet, what is a port an what means when its open, are just a few things that are needed. Here I would suggest you to find a good book and read it. I am not encouraging you to download unautorized PDF of books but its REALLY easy to get them online :stuck_out_tongue:

  • Basic Infosec tools and Expressions: Metasploit? Kali linux? Reverse Shell? Priv esc? These and many other things will be at the forums and discussions around the boxes and you will need to know what they are. You can learn this things on the fly also, but getting a basic book or a online course will help you a lot. Here I dont have any suggestion I learned everything searching the topcs individually.

So you already know some of these things or just are ignoring my suggestions (which is totally fine, I am just a newbie after all), and want to start here on HTB! Great! Here are some things that I learned in this one month that helped me a lot!

0 - @ippsec videos: This guy is a aweasome! He has crazy walkthoughts and great tips for everyone, beginner or experienced people. He recently organized his playlists by difficulty start with easy ones but first, watch his video about tmux! https://www.youtube.com/channel/UCa6eh7gCkpPo5XXUDfygQQA/playlists

1 - Try hard, but also ask for help: Always try to solve the boxes by yourself, even it is really hard when you just started making CTF’s. But if you are really stucked just go to the forum, go to the box discussion and ask for help. Usually people that finished the boxes post there and the ones that are willing to help will say so.

2 - Know how to ask for help: Don’t PM a guy with just "I need help with user/root on box XXXX ". Say what you did so far, what you discovered, what you tried and what worked or not and BE POLITE, nobody likes an a**hole. It will be much easier to the person to help you, and don’t ask for the full answer. A good pm would be something like this: "Hello! I am stucked at the box XXXXX for some time and I was wondering if you could help me. I scanned the box and found port XX running a service and I tried the tool XXXXX to exploit that but it didin’t work. I am on the right path? Thanks for the help!

3 - Acknowledge the ones that helped you: Is always nice to get appreciation when you help someone so, if somebody contribuited with you, ask for his HTB profile and give him a “Respect”. This will encourage him to always help others and everybody wins with that!

4 - Help others: Congratulations, you cracked your first box! Even that you did that all by yourself, go to the forum and tell people to PM you asking for help! I am a teacher and I learn A LOT teaching! It is great when someone cracks a box after you helped them :slight_smile:

5 - Read Writeups: When a box is retired, people make writeups about them. It is a great way to learn and to see how people do things in different ways. Recently the box “Access” got retired and because it was a easy box, there is a lot of different writeups about it. Check them out!

6 - Have fun: My Overwatch account is dead since I started here. It is the most fun I had in a long time doing something, and I am learning like crazy at the same time! I really want to thank everyone that helped me so far, especially @ippsec with his aweasome videos!

Sorry for the long post but I really want to give my impressions of my time here! I love this community more every day I cant wait to learn more and meet new people that share this love!

Thank you for reading and also, share your experiences here! What other tip would you give for someone new? Also sorry for any english mistakes, not my mother language :stuck_out_tongue:

3 Likes
2

3rd day on HtB, I was exactly looking for a post like this and this is exactly the post I need! Many thanks!

4

totally newbie too here. This is a helpful post. I am still bit confused about the very first steps. How to setup my environment. How to know which machines to start with. HTB terminologies.

5

good tips: i would add : configure and learn burpsuite (learn to do the same with curl)
mainly, when you ask for help: box name, step user or priv esc and founds. We cant guess that.
for first machines, read the statistics of owned.
root-me challenges helped me a lot when I started here.
you have very easy machines on labs.wizard-security to train.

6

Type your comment> @peek said:

good tips: i would add : configure and learn burpsuite (learn to do the same with curl)
mainly, when you ask for help: box name, step user or priv esc and founds. We cant guess that.
for first machines, read the statistics of owned.
root-me challenges helped me a lot when I started here.
you have very easy machines on labs.wizard-security to train.

That’s right. You need mention what you’re trying to do for user or root. Among the 20 boxes it’s hard to recollect quickly what you’re talking about.
Some people ask quick hint on root for x box in one line. We can’t guess where you are. Simple ans is cat/type root.txt :slight_smile:

7

Programming is not that important though. Sure you need to know how to read code and write some basic things yourself sometimes but it really isn’t necessary to be a python guru. Maybe for the insane Machines but mostly you got tools for everything.

And yes ippsec’s videos are a really big information source. Just keep watching and you will become a Guru as well :smiley:

8

Good writeup. Love seeing you pop up on the forums. Such a friendly guy :slight_smile:

9

Really good hints and post. Still a beginner myself as I have a lot to learn. Whenever I learn something and I go into a new challenge feeling confident, I hit a brick-wall but ambition is the way to go.

As a guy who always wants to provide help I understand the frustration when it comes to receiving messages like " i need help on box pls help". I need at least some kind of understanding of the path you are taking or the steps you achieved to make. I always strive to give hints in such a way without giving spoilers because learning by trial and error is the best practice (learned that from a good friend around here). So yes please when you write a help message, think about how it sounds to the other person. Be polite be concise and you will be helped.

10

This is good advice! :smiley: w00t

11

Great advice brother!
Your words are quite cool

12

@dcdesmond I been here (off and on) since 2017 and I have infosec certs, and I STILL found your post helpful. Great job taking the time to write and share what all you are thinking and providing a fresh perspective.

13

Good tips man. Appreciate it ?.

14

One thing I’d like to add : Take. A lot. Of notes. Usually when I do a box for the first time, my notes are messy. Sometimes I get so excited (or angry) I don’t even take notes and later on when I have to go back to the box I spend too much time just trying to retrace my steps. So, even though I don’t always do that myself, it’s always good to follow that process : - Do a box, take notes along the way, - Do it again, and this time take clean notes, take your time, now that the puzzle is solved, you can focus on understanding how the pieces fit together, - Do it one more time, and try to look at your notes as little as possible. Bonus point : Write your notes the same way you would if you were trying to explain the box to dump people :slight_smile: One thing I like doing also when I encounter a new concept or technology is going over to other CTF platforms and trying to find similar challenges so I can make sure I understood things by applying them in different environments. Not always possible and very time consuming though.

15

Type your comment> @dragonista said: > > Bonus point : Write your notes the same way you would if you were trying to explain the box to dump people :slight_smile: > This is excellent advice, and is really helpful because the dumb person you are trying to explain it to will most often be future you who has forgotten the details. Never assume “oh, I’ll remember how that works, I don’t need to put that much detail”. I can’t tell you the number of times that past me has really effed over future me by giving him way too much credit, and future me ends up mad at past me for leaving out the details on the technique he came back to read about and try and remember how it works.

16

DLLemphasized textstrong text