Secure setup before connecting to the labs

Hello guys,

I’m a freshman here and I cannot wait to hack my first box! Before I start, I want to make sure I take the necessary steps to secure myself from other lab users. Rule #6 in the rules section states:

“We strongly recommend not to use your production PC to connect to the HTB Network. Build a VM or physical system just for this purpose. HTB Network is filled with security enthusiasts that have the skills and toolsets to hack systems and no matter how hard we try to secure you, we are likely to fail :stuck_out_tongue: We do not hold any responsibility for any damage, theft or loss of personal data although in such event, we will cooperate fully with the authorities.”

I don’t see how I can secure myself effectively using a VM or physical machine with no production data. Right now I’m using a Kali VM hosted on my production PC. The production PC is connected to a router and the router is connected to the internet. If an attacker manages to get remote access to that Kali VM he will have a machine in the same network as my production PC, right? In VMware Workstation I can choose between different network adapter options but from my understanding, an attacker will always share a network with the host PC assuming he has access to the VM. If this happens to be the case, I don’t grasp how this setup is more secure than connecting with the production PC itself to the labs. Am I missing something here? Any tips and/or resources are greatly appreciated.

Really you are questioning the very heart of security itself. Can you, can anyone, effectively 100% secure their IT?

It was once said that if you wanted to avoid being hacked, take your computers out into the garden, dig a hole in the ground and bury them.

The answer to the question above is “no”. A dedicated attacker, hellbent on accessing your systems, will eventually get there. Truth is, you would have to be of supremely high value, either financially or emotionally, to be worthy of such status.

The vast majority of people here will not hack you, just like the majority of people at a Jiujitsu club will not snap your ulna. You have to trust your training partners to some extent.

Of course, the other side of that argument says that there will always be one or two ■■■-hats who will have a go. In that sense rule #6 is a disclaimer, but one very much rooted in reality.

Do your due diligence. After a bunch of reconnaissance, an exploit and a payload, a dedicated attacker could potentially have access to your machine which is connected to a VPN, and not necessarily access to the whole internet or your network. A lot of other stuff goes into securing a system beyond the system itself.

Dual boot with FDE. Or disable your alternate hard drive in the BIOS. Or set rules that isolate the VM. Don’t run anything you don’t need. I could go on and on. It depends on your OpSec and how much you are willing to trust that the folks here want the points over your files.

(And how paranoid you are. Paranoia doesn’t hurt, but it definitely doesn’t help beyond a certain point.)

Anyway, take the disclaimer seriously whilst understanding what it is there for.
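One way to implement the “rules that isolate the VM” suggested above, as an added example that is not part of this thread: an nftables ruleset for the Kali lab VM that lets only the VPN handshake leave through the physical adapter and forces everything else through the tunnel, so a compromised VM cannot reach the host’s LAN. The interface names, the endpoint 203.0.113.10 and UDP port 1337 are assumptions; take the real values from your own .ovpn file.

```shell
#!/bin/sh
# Added example (not from the thread): nftables "kill switch" for a lab VM.
# Only the VPN endpoint is reachable on the uplink; lab traffic must use the
# tunnel; the host's RFC1918 LAN is refused. Interface names and the VPN
# endpoint/port passed in as arguments are assumptions for illustration.
set -eu

# Render the ruleset as text so it can be reviewed (and tested) before loading.
# Args: uplink interface, VPN endpoint IP, VPN UDP port, tunnel interface
build_isolation_rules() {
    uplink="$1"; vpn_ip="$2"; vpn_port="$3"; tun="$4"
    cat <<EOF
flush ruleset
table inet labvm {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # DHCP offers from the VMware NAT/host-only adapter are broadcast,
        # so conntrack does not match them; allow them explicitly.
        iifname "$uplink" udp sport 67 udp dport 68 accept
        # Nothing on the physical side may initiate connections to the VM.
        iifname "$tun" accept
    }
    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # Only the VPN handshake/tunnel may leave via the uplink.
        oifname "$uplink" ip daddr $vpn_ip udp dport $vpn_port accept
        # DHCP request so the virtual adapter can still hand out a lease.
        oifname "$uplink" udp sport 68 udp dport 67 accept
        # The host's LAN (any RFC1918 range on the uplink) is refused outright.
        oifname "$uplink" ip daddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } drop
        # Everything else (the lab targets) must go through the tunnel.
        oifname "$tun" accept
    }
}
EOF
}

# Load the rules (needs root and nft).
# Usage: sh labvm-fw.sh apply eth0 203.0.113.10 1337 tun0
if [ "${1:-}" = "apply" ]; then
    build_isolation_rules "$2" "$3" "$4" "$5" | nft -f -
fi
```

Run `build_isolation_rules eth0 203.0.113.10 1337 tun0` without `apply` first to inspect the generated ruleset; once loaded, everything except the VPN handshake and DHCP is dropped on the uplink.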

I wasn’t questioning the very heart of security itself, I’m aware that I have to accept risk to some extent. My question was more about what (inexpensive) steps I could take to mitigate the risk. Effective was probably the wrong word. You gave me some pointers to the right direction and a new view on the matter, so I’m very thankful for your answer.

They made the VPN waterproof, normally.