Lately I’ve been doing a quite a lot of playing around on HackTheBox. I just love the “competitive mode/season” thing they are trying out, as it just gives you a target for the week. It does add a nice incentive to play around there and makes it harder to forget, as who doesn’t like getting higher on the “leader board”.

But what I’ve noticed over the past few weeks there is that there are some decoy hints on the machines. So if you seem stuck for a while and are quite sure you are doing the right thing.. Just take a step back and go through your notes again. The last decoy I found my self stuck on for a while was an app returning “username” in the header. Of course that was the value for username I used in all the following exploitation steps instead of my own username that I used to register. Wasted a bit of time because of that. It was there purely to throw people off! But hey lesson learned!

Also although nmap might say that some software version is vulnerable then usually that’s not the way in. It still tends to be some web application vulnerability that gives you the initial foothold not “vulnerable ssh daemon” (don’t waste time guessing usernames for scp exploitation). Most likely there is either a path traversal issue which allows you to see get access to something you shouldn’t or SQL injection.

Oh and before I forget, -p- flag for scanning is quite a good idea, as there have been quite a few hosts there where the actually vulnerable service doesn’t show up in the default port selection. And if you feel stuck then surely visit HackTheBox forums/discord servers to get a nudge/do a sanity check on your progress. Really nice and active community there with quite a few people willing to share ideas with out actually spoiling the challenge.