Mastering: Hack The Box - Dante
After completing the OSCP exam and participating in several different CTFs, I wanted to take on another challenge. I chose 'Dante' from Hack The Box Pro Labs as it covers some interesting topics that filled knowledge gaps from the (older) OSCP exam.
This blog article will illustrate my experience with the Hack The Box Pro Lab named 'Dante'. I'll share the lessons I've learned and some valuable tricks. Obviously, I can't go into too much detail as it would violate Hack The Box's policies.
Without a methodical approach and a sense of thoroughness, this challenge becomes unmanageable. It's important to keep this in mind.
Here are my tips for anyone aiming to succeed in this hacking lab.
Preparation
- Create folders for each host to store exploits and scripts. This proves handy when reproducing attacks or simply pivoting.
- Create a 'loot' directory within each of the previously created host directories. In this CTF lab, many hosts are interdependent. Gathering loot is crucial for making progress, so ensure all interesting files are stored locally on the attacker's box.
- In Dante, all 14 machines are part of multiple subnets, with one acting as a bastion host. Given this setup, it's crucial to familiarize yourself with tools like Chisel and ProxyChains as long as you don't have a premium C2 framework in place. The following blog provides a detailed guide on using Chisel effectively in Dante: Pivoting with Chisel
Annotation: Initially, I considered using the Covenant C2 framework until realizing it lacked Linux implants. Havoc, another open-source C2 framework, seems to offer this feature. While I didn't pursue this path and continued using Chisel, it might be useful to explore: Havoc Framework.
- The specific attacker's OS doesn't matter as long as it's Linux-based. However, I highly recommend Kali Linux because it comes preinstalled with many useful tools.
- Join the official Hack The Box Discord server: Hack The Box Discord. This server hosts various channels dedicated to all the Pro Labs and beyond. Whenever I've stood in front of a wall not knowing what to do next, I've always found someone willing to offer a hint within a reasonable time.
Notes
Taking notes is an essential task. With dependencies between hosts and lateral movement involved, storing a significant amount of information becomes crucial.
- I kept all my notes in a structured .txt file open in Vim within a Tmux pane throughout the entire process. While this approach might work for a small number of machines, it wasn't suitable for this lab. Eventually, I switched back to using CherryTree. Each host became a 'cherry' on the tree, containing all corresponding notes, aligning the CherryTree hierarchy with the network hierarchy.
- Document all scanned TCP/UDP ports to determine which services to enumerate next.
- Always record the complete path of exploitation. This information can prove valuable, as mentioned earlier.
- Assigning each discovered flag to the attacked host and noting its location on that host is crucial. Towards the end, some flags remained undiscovered. Having a clear overview was particularly helpful in this case.
- Make sure to document the loot gathered from boxes and store it in the loot directory within the host folder. Everything collected holds significance for a reason.
- Mark the loot as used or unused to maintain an overview.
Other useful tips
- Since you'll be connecting to the lab multiple times, consider creating a pivot script. This script will automate the steps required to connect to the different subnets of Dante.
- In CTFs, owning 'root' typically signifies completion of the box. However, in Dante, due to interdependencies between the boxes, achieving 'root' doesn't conclude the task. Post-exploitation becomes necessary to harvest user data or uncover interesting files.
- The Chisel reverse tunnel doesn't always function as expected. If you encounter unusual connection issues, such as constant loading, consider using Dynamic Port Forwarding over SSH instead.
- Due to the lab's occasional instability in connectivity, I recommend scanning the networks multiple times at different intervals. Otherwise, there's a high chance of missing entire machines. This happened to me twice.
- Utilize ChatGPT when enumeration becomes challenging. Note that many administrative tools are deactivated on the Windows boxes.
Overall, Hack The Box 'Dante' offered an engaging and educational lab experience that I highly recommend. It enriched my understanding, bridging gaps from the older OSCP exam and confirming the value of my choice. The only drawback I encountered was the lab's connectivity issues, which did consume some time. This might be a common issue across Hack The Box pro labs.