HTB Pro Labs - Offshore: A Review

I wanted to share my thoughts after completing one of HackTheBox's Pro Labs - Offshore. I was going through a sequence of penetration tests which didn't involve much Active Directory testing. Offshore was a great supplement - giving me an opportunity to stay fresh and even augment some of my skills around an Active Directory Penetration Test. Below are my thoughts - pros, cons, and a quick intro for those unfamiliar.

Pro Labs Background

For those unfamiliar - HacktheBox Pro Labs are a separate subscription offering from HackTheBox, intended to better emulate a "real world enterprise". Rather than attempting to exploit one standalone system in your traditional HTB challenge - it involves multiple flags across multiple systems. Many of the systems have information or credentials which are needed to access other systems within the challenge. There can be simulated users which are needed to obtain some of the flags. And lastly - the Pro labs are marketed as having realistic scenarios using the latest TTPs.

HackTheBox has 11 different pro lab scenarios in total and counting. They seem to be making a conscious effort to creating more as well, so keep an eye out. If you complete the entirety of a Pro Labs (i.e. get all the flags) - you are given a Certificate of Completion, which you can submit for CEUs for various certifications (check it below!!!).

Offshore Primer

Offshore is one of the "Intermediate" ranking Pro Labs. It consists of 21 systems, and 38 flags across a DMZ and 4 domains. The scenario sets you as an "agent tasked with exposing money laundering operations in an offshore international bank". I quickly forgot that was my role, and viewed it more as an Active Directory penetration test/red team engagement.

You're given a VPN profile which is effectively giving you access to the external perimeter of the bank. That's it - from there you're on your own to enumerate, get a foothold, and start collecting flags. Some systems have 1 flag (root/SYSTEM) other systems have 2+ flags. Your objective should be getting administrative access on every system in the lab.

All in all it took me around < 3 months and ~70-90 hours to complete. YMMV on timing. It's certainly something you could get done a little bit every day. I found I was most successful when I could allocated a few hours at a time to the lab.

The... Pros (Pun Intended)

Great Experience - The flags involved using exploits and attack paths that spanned Windows, web, Active Directory, network, and other thick client vulnerabilities. The lab is obviously predominantly AD focused, but you still get to use a lot of modern attack vectors. You will use Bloodhound A LOT - and more than on a typical pentest. You'll also become more familiar with the interfaces. I can safely say I've effectively gone from clicking random buttons hoping an attack chain appears (joking) to understanding the layout, and how to use the tool effectively. Not only Bloodhound, but NXE/CME, PowerView/PowerUp, and impacket will be your friend. You'll abuse ACLs, pass hashes, DCSyncs, Raise Children (not as intense as is sounds, and I'm not talking real humans either), and more!

Real World Experience! The scenarios throughout the lab seemed pretty realistic. Some attack vectors I've seen in the wild, others I've wished to come across. The exploits/vulnerabilities are also relatively modern, so it would feel relatively realistic to finding in a real enterprise. Sadly though, not as much password reuse as I was anticipating (but that was just a bias of mine 😁).

Lots of Reps - I realistically wouldn't have done 21 separate boxes and gotten 38 flags on HTB (or any other training site) under normal circumstances. The Pro Labs format has an addictive - albeit healthy - quality to making you want to keep moving within the domain. The environment is conducive to fast lateral movement, as it's online 24/7. No time waiting for HTB to spin up/down boxes. Pro Labs make it easy to implement the Seinfeld Effect.

Awesome Community - I couldn't have completed the course without help from the Discord Channel and a friend who helped give me nudges, or even an opportunity to rubber ducky through the various pain points of the test. It's a very collaborative Discord Channel, where the desire to help is contagious. I found myself "passing it on" - and more than just hashes - once I solved a box.

Note: personal preference thing, but I would say it's a widely shared sentiment within the cyber community - If you're looking for help on the Discord channel don't just say "I'm stuck and need help". Give an overview of what you've attempted, where your thought process is about the attack path when you're asking for help. Also don't get mad at the person helping you for giving you a nudge in the right direction rather than the exact answer. Alright, I'll get off my soapbox.

Cons

Lil' Buggy - There were a few boxes which the intended attack paths didn't work. It was likely a result of working within a shared environment. While they typically do a refresh of the environment daily (or sometimes the most targeted systems) - it can still be hit and miss. It's not the end of the world - because it's actually a good representation of the real world. With pentesting/red teaming - you often have to work within the constraints you're given, not the ones you want.

No Regular HTB Stats - A small annoyance, and realistically not something that should stop you from doing Offshore - but your machine/user/system owns in Pro Labs don't count towards your HTB Profile stats. There is a separate "Pro Labs Progress" within a user profile that you can use to show your progress. I'm sure this has something to do with Pro labs being separate from the regular HTB, and technically how your regular HTB Rank is relative to the number of active Machines & Challenges, but still frustrating nonetheless.

Lessons Learned

I think if I did it again, I'd do a few things differently.

Don't Rush - I was trying to save some $$ - and instead of buying an annual subscription - I paid monthly. I was rushing to get the lab done before I got to month 4 of my subscription. Alternatively, I should've just been okay with spending another $50 for the month... but I wasn't really seeing the big picture.

(C2) Experimentation - I dabbled with the idea of using Covenant, but ran into issues with my old Kali VM with compiling it. I toyed around with sliver a little bit but quickly switched to using chisel since you really only needed to proxy the traffic. If I did it again, I would've been a bit more adventurous and experimented a bit more with C2s, or even other tunnels (other folks raved about ligolo). You likely don't need to leverage the beacon capabilities of C2s, but moreso sessions. Seems like a good opportunity to experiment with various C2s and expand the overall experience and exposure you're getting.

Take Good Notes - I kinda "did it live" when it came to note taking. What I would recommend - is an adaptation of the ippsec methodology of providing a numerical prefix for organization purposes. I developed this method about ~1/2 way through, so some of my notes are really organized.

  • 1 note per flag - typically with a syntax of [Flag#]-[Box Count]- Domain - Box - [User/Service/System] Flag. Maybe the "Box Count" isn't needed, but I also wanted to make sure I was closing in on the 21 system count that is provided from the start. It helps you identify if you missed another flag on a box you already have, vs needing to enumerate the networks for another system. Then have any enumeration notes go in a note with a numerical prefix starting at 40. So It'd look something like:
    • 01-01 - DMZ - OFFSHORE-LAB-SRV01 - User Flag
    • 02-01 - DMZ - OFFSHORE-LAB-SRV01 - FTP Flag
    • ...
    • 05-02 - CORP.LOCAL - MS01 - SYSTEM Flag
    • ...
    • 40 - DMZ - Nmap Scan
    • 41 - DMZ - Service Version Enumeration
  • Put the Flag Name in the Note - I didn't pay attention to this from the start, and it made it a bit confusing when I was going back trying to determine which systems I needed to target for the flags I missed after pwning all 4 domains. Avoid replicating my pain, when you submit a flag, note which flag name/question that HTB marks as completed, and paste that name into your note. This also helps when you're looking to help others in the Discord.
  • Obsidian Links Are Your Friends - In order to stay organized, I used a lot of Obsidian links - both internal links, and embedded files. I probably could've gotten away with just internal links, and flowed between Enumeration and Flag notes, but the embedded files is a cool feature I wanted to try out. I would use it within a Flag note, and embed the sections of my enumeration notes before I was certain of the specific attack vector.

Conclusion

I often joke around that there's so much good training material for pentesters/red teamers that I'd need a night person (or five) to study all the awesome material. However, until that becomes a reality - I'll have to filter down my training methods to the most effective and impactful trainings possible. It's safe to say HTB Pro Labs ranks in the upper echelon of content, and I plan to do more in the future.

Swanky cert I totally hung on the fridge to make Mom proud