
NOTE: This is not a walkthrough nor will there be spoilers regarding this HackTheBox Pro Lab. I will speak about the use of tools and methods in a general context that can be applied to any lab environment.
Information on this HTB cyber range and others can be found here:
https://www.hackthebox.com/hacker/pro-labs
Background
The HTB Dante Pro Lab is a cyber range, a network of machines on the HackTheBox platform that allows offensive security professionals to learn new skills and test out new tools in a safe environment that can easily be rebooted back to its default state. There are 13 machines and 26 flags to collect in order to obtain the HTB Dante Pro Lab Certificate. The machines have a variety of different vulnerabilities that will require extensive research and range from easy to hard in difficulty. It is considered an “intermediate” level in difficulty.
My Experience
This was a very fun but challenging cyber range from HTB that was primarily focused on web vulnerabilities, local privilege escalation, exploit development, pivoting and Active Directory attacks. It took me roughly 4 weeks, close to a month, to compromise the entire environment, and I did a lot of research in order to properly get a foothold and privesc on all 13 machines in the network.
The cyber range is heavy on pivoting, and requires good networking knowledge in order to move laterally across the network between segments and firewalls. If you are studying for any penetration testing certifications involving Active Directory such as the PNPT, eCPPT or OSCP, this lab IMO will definitely help you practice your pivoting and network hacking skills.
I also noticed that there were multiple paths to compromise a target, and I will say that everyone’s experience may be different in this cyber range lab.
Tips and Tricks
Enumeration
To properly enumerate the machines, I recommend using the following tools to help you expedite your information gathering process and gain a foothold:
- Rustscan: You can quickly scan through all the ports and get information faster than running nmap alone, which will help you expedite your penetration testing process. In a lot of CTF scenarios, developers will usually hide vulnerable services on uncommon ports, so scanning the full port range matters.
- Nuclei: Scanning your target with nuclei can sometimes give you a hit in terms of finding targets that have CVEs with publicly known exploit scripts. It also helps to run your nuclei scans with additional templates in order to find more vulnerabilities.
- Gobuster and Raft Wordlists: Gobuster is incredibly fast and can easily perform directory busting to find hidden files or routes. The raft wordlists that come by default with SecLists are also good wordlists to use on the cyber range.
- CrackMapExec (NetExec): CrackMapExec is an invaluable tool in an Active Directory environment. Once you obtain valid credentials, it is important to spray them across the network in order to check for password reuse and access to other assets. This is crucial when you obtain valid admin creds, as they can be used to gain access to domain controllers. Additionally, it can help you list SMB shares containing valuable loot or creds.
Privilege Escalation
The following are my go-to local host enumeration tools to quickly find potential privesc paths once a foothold has been obtained:
- linPEAS/winPEAS: The PEAS family of host enumeration tools is very valuable, and I recommend making sure that you upload the most recent version of the tool to the target, as it is updated often. An older version of linPEAS may not detect newer vulnerabilities whose checks have since been added.
- Wes-ng: Windows Exploit Suggester Next Generation is an updated version of Windows Exploit Suggester, and I recommend using it as it can check for newer vulnerabilities, especially on newer Windows Server versions.
- Linux Exploit Suggester: For privesc on Linux machines, sometimes there may be a path to exploit and elevate from the kernel level, or you may be required to compile a binary on the system. This tool can potentially help you find those paths, so I recommend running it on machines that use Linux.
- Pspy: This is a good tool for finding processes that may be running with root privileges without needing root yourself. If you find something that is running with root privs, it is possible to replace the script/file in its designated path, and once the root user runs it on schedule, you can potentially get a shell back and gain elevated access to the machine.
Pivoting
Chisel
There were multiple ways I was able to pivot around the network, but I found that using Chisel was the easiest way to do it. In some engagements, it is possible that one pivoting method may cause some “weird” things to happen on a machine that you are trying to access. I am trying not to spoil anything here, but sometimes, if for some reason you can't access a machine you know exists in the internal network, you can change the method you are using to pivot, and suddenly you have access to that machine or are able to “ping” it.
Remote and Local Port Forwarding
Knowing how to do this is crucial in engagements where a firewall may be blocking you from gaining deeper access into the network. Chisel, as I mentioned above, has that capability and, with proper use, can help you move deeper into the network across multiple network segments and potential firewalls.
Conclusion
I highly recommend anyone who wants to further develop or maintain their network hacking skills in Active Directory to try this cyber range. I thought that the scenarios were very realistic and could easily apply to a real-life scenario on the job. Overall, this pro lab will test your skills, and all of the vulns that you'll encounter can be found with enough research online, combined with being able to “piece together” different clues and information on the machines.
