Noob question about the "Rules" @HTB

Hi there,

I've recently joined and successfully rooted my first box within a few days (0bscura) - Yeppee!

On my next box (Traverxec) I'm a bit stuck right now but no worries. However by accident I came across multiple files on Traverxec that I suppose where left by other user. Essentially I could complete the box now with the help of those files. But I'm here to learn! I'll take my time to solve the complete path myself, I've got the hint from the forums that after the initial RCE it's about exploiting j*****.d*** - and after that I know already what's coming through the mentioned files.

Still I wanted to know if it's against the rules to do so, to use what others left behind? I ask because I made an online course about the topic and the tutor essentially stated that it's "best practice" to look for & utilize holes that potential other "hackers" left for you.

Like to hear your's oppinion.

Cheereo, Mike.

Hack The Box

Comments

  • i dont know
  • edited December 2019
    Well these usually are not "real life" servers but puzzles. It is basically up to you if you want to use the files. I usually stash them to see later what others do. Sometimes it is hard to know if a file is there by purpose or left from someone elses exploit. For example once i ran into a php file which had a file traversal vuln which i used to enum. After a reset, the file was gone.

    Blaudoom
    Discord: Blaudoom#1254

  • Type your comment> @blaudoom said:

    Well these usually are not "real life" servers but puzzles. It is basically up to you if you want to use the files. I usually stash them to see later what others do. Sometimes it is hard to know if a file is there by purpose or left from someone elses exploit. For example once i ran into a php file which had a file traversal vuln which i used to enum. After a reset, the file was gone.

    I usually check the last modification date of the file before trying to open it.

    bumika

  • If you wan't to hack honestly just revert the box ..
    U will not find any files leftover by other people
    Or..
    Just take what u get .. consider it as ur lucky day :)

  • So the consensus here is that:

    • There's no rule that I cannot use other's files
    • It's also morally accepted
    • IRL this probably won't happen - but then again IRL I would definitely use it (as my Tutor once stated) if it's to my advantage
    • I'm responsible myself to have a good learning experience and should reset the box beforehand to provide that to myself
    • Nobody cares :D

    Thanks guys for sharing.

    Hack The Box

  • edited December 2019

    @sparkla As per the official rules, what you described is not prohibited. But:

    • don't forget that those are just intended vulnerable machines, which means that after devoting some time you'll probably be able to root the machine. But rooting is not the goal here, the goal is you to learn something new that you can actually use in real world scenarios. However some might say that again you'll learn but using a shortcut - but in real life hacking the difficult part usually is not the exploit itself but to identify the vulnerability in the first place.
    • Also in bounty-hunting or OSCP like certifications you'll be your own, having to deal with a complete unexplored territory, so the most time you've spent in the past dealing with situations like this the better for you. Ok in bounty-hunting you are probably not the only one attempting to find a bug, but other hackers are usually pretty cautious about what they left behind.
    • With so many frameworks and resources out there, nowadays the difficult part is mostly the effective enumeration process than the exploitation itself.
    • Finally the:

    "best practice" to look for & utilize holes that potential other "hackers" left for you"

    has a risk that those other "hackers" are the blue team and the holes are simply a honeypot, so always proceed with caution :)

    game0ver

    • "IRL this probably won't happen..."
      Says who? You don't think you'll ever do a pentest where a malicious hacker has gotten in first?

    I like to retrace my steps to see what others are doing. e.g. if web-app allows uploading a reverse shell, i'll check the uploads folder to see what others have done once I've gotten in myself. Usually a lot of failed attempts and prepackaged scripts, but there has been a couple cases that I've learned a new trick from someone else's methods.

  • Type your comment> @bumika said:
    > Type your comment> @blaudoom said:
    >
    > (Quote)
    > I usually check the last modification date of the file before trying to open it.

    Sure, if you have a shell. But if you find them fuzzing a www-dir. The name is the only hint.

    Blaudoom
    Discord: Blaudoom#1254

  • True with the trick part, also checking timestamp when i don't want it served but sometimes the payload is the filename :)

  • @game0ver said:

    "best practice" to look for & utilize holes that potential other "hackers" left for you"

    has a risk that those other "hackers" are the blue team and the holes are simply a honeypot, so always proceed with caution :)

    I'm a blue team developer. This is absolutely true, and with the arms race nature of security there are constantly new methods being developed.

    There are files used to determine if there are threats based on access, fake services, and a whole lot of other things that we do to pick of IOC. Just because something looks juicy doesn't mean you should take a bite. It may be a legit way of gaining access, but it could also be there to make sure your access gets shut down.

    Not sure how much of that is used in HTB machines, but it's definitely something to be aware of.

  • I'm also working in the open field for a long time, as admin not as a pentester. My servers are constantly under all sorts of attacks, all automated. I can't say I ever considered laying honeypots, there's not really a chance getting these guys, if their country's law basically allows hacking foreign servers.

    Albeit I only protect webservers and not company internals, but In everyday work it feels more like fighting bugs (in the meaning of an exterminator) and not like in the movies.

    Hack The Box

Sign In to comment.