htb

1. Information Security Foundations

1.1. Intro to Academy

“Great things are not done by impulse, but by a series of small things brought together.” Vincent Van Gogh

How are Modules Completed?

To complete a module, you need to solve all of its exercises and mark all sections as “completed”. Once that’s done, you will usually face the module’s Skills Assessment, which represents a real-world scenario of the topic the module covered, and tests your understanding of most/all of the skills shown within it.

What is a Section

A section is the smallest building block in the HTB Academy structure. Each section covers a specific area in the larger module topic, and is designed to be completed in one sitting.

For example, in this Intro to Academy module, this Sections section discusses sections! section-ception

What Types of Sections are there

There are two types of sections: Theory Sections and Interactive Sections.

Theory sections do not contain any practical elements. Instead, they build the foundational knowledge that is necessary to understand any upcoming practical/interactive lessons, and establish the basics for the entire module.

On the other hand, interactive sections, which are denoted with a small green box, form the majority of sections within HTB Academy. This is where you will learn through practical examples and demos.

Start your workstation, then use the integrated terminal to find the Linux OS flavor by running the following command: cat /etc/issue

parrot

What is an Exercise

In addition to the examples and demos demonstrated within interactive sections, most also end with exercises to test that knowledge.

An exercise will usually have an accompanying Docker target or VM target(s). A target can be started by clicking on Click here to spawn the target system!, which will be populated with its access details, in the format http://:. It may also provide authentication details, in the form of a username and password.

Start the above target, copy the shown IP:PORT by clicking on them, and then paste them in your browser. What’s the proof shown in the page?

t4rg3ts

What is a Path

Paths are a collection of modules that share a broader topic. Certain paths lead to an HTB Certification after completing their corresponding exam. A single module may show up in multiple paths if its topic matches the path’s topic.

Types of Paths

There are two types of paths in HTB Academy: Skill Paths and Job-Role Paths. You can enroll in any path by clicking on the Enroll button, which will make it easier to track your progress in the path and see the upcoming modules in it through the Dashboard page.

Note: Enrolling in a path does not unlock all of the modules within it. Hence, enrolling in a path does not cost any cubes.

A Skill Path groups modules with a specific popular skill that students may want to learn.

Tip: You can estimate how long a path will take to complete by checking the duration mentioned underneath the path’s title. This represents the sum of the estimated time for completion of each module in the path “in 8-hour work days”.

What is a Certification

An HTB Certification is the key achievement students should target within HTB Academy.

By the time you obtain an HTB certification, you will have completed hundreds of sections and exercises, tens of modules and skills assessments, and have passed a real-world multi-day practical exam. So, you will be market-ready for the specified job role.

Note: Completing a path also unlocks a new badge, and so does obtaining a certificate.

1.2. Learning Process

Since we are dealing with frustration here, the diagram shows that, in this case, we are missing some resources, and that lack is what frustrates us. In information security and pentesting, these resources will often be information that we have to work with. Perhaps we have already read several times that “Enumeration is key”. If not, that is fine; we will come across it soon enough.

Since we are dealing with the offensive aspects of information security, it is essential that we can get the information by ourselves. This is a skill that must be continuously trained. We will have to deal with different services, sources, and technologies to find out how to get the information we need. The feeling of frustration with a lack of resources depends on our skill. If we do not have the necessary skills, we will feel anxiety, which brings us back to the topic of comfort and comfort zone. We should also understand the connections between the individual topics better to get back to the frustration tolerance level.

To train our frustration tolerance adequately, we need to place ourselves, consciously but in a controlled way, in situations where a particular frustration can be expected. It is important to note that this must be done in a controlled and conscious way: it must be our own conscious decision to deal with the upcoming situation.

To make it a little clearer, pay attention to our feelings for the following example:

Imagine that you have to catch a train. To catch it in time, we are forced to run about 2 miles quickly. For this example, we take all excuses and changes out of the situation (“Think Outside the Box”) and determine that you have no other choice. We will be sweaty, maybe even a bit dirty and out of breath, and maybe we will even miss the train because, for once, it came early. Now let us change the situation a little and imagine that you consciously decide to leave the house too late and run fast to catch the train.

Even if we do not catch that train, our frustration level will be much lower than in the first example. We will no longer pay attention to the external factors we blame for not getting the train, but we will find ourselves analyzing our reactions.

Do not forget that this feeling of frustration is temporary. This means that when we feel frustrated, it will pass. Most people get scared and panicky at such a feeling, which leads to the fact that such people sometimes even react aggressively. They are not aware that it is a temporary feeling. Therefore, we do not need to be afraid to venture into such situations.

1.3. Setting Up

1.4. Introduction to Windows Command Line

Module Sections

CMD

PowerShell

Finish Strong

1.5. Introduction to Bash Scripting

Module Sections

1.6. Introduction to Networking

1.7. Intro to Network Traffic Analysis

1.8. Introduction to Active Directory

1.9. Introduction to Web Applications

1.10. Web Requests

The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what request it sends when we search, then use cURL to search for ‘flag’ and obtain the flag.

HTB{curl_g3773r}

Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to ‘/search.php’

HTB{p0$t_r3p34t3r}

First, try to update any city’s name to be ‘flag’. Then, delete any city. Once done, search for a city named ‘flag’ to get the flag.

HTB{crud_4p!_m4n!pul4t0r}

2. Operating System Fundamentals

2.1. Linux Fundamentals

2.2. Windows Fundamentals

2.3. MacOS Fundamentals

2.4. Android Fundamentals

3. SOC Analyst (Skill Path)

3.1. Penetration Testing Process

3.2. Network Enumeration with Nmap

3.3. Introduction to Assembly Language

Module Sections

Architecture

Assembling & Debugging

Download the attached file and disassemble it to find the flag

HBT{d154553m811n9_81n42135_2_f1nd_53c2375}

Download the attached file, and find the hex value in ‘rax’ when we reach the instruction at <_start+16>?

0x21796d6564637708

Module Project

Basic Instructions

Add an instruction at the end of the attached code to move the value in “rsp” to “rax”. What is the hex value of “rax” at the end of program execution?

0x400

Add an instruction to the end of the attached code to “xor” “rbx” with “15”. What is the hex value of ‘rbx’ at the end?

0x0

Control Instructions

Edit the attached assembly code to loop the “loop” label 5 times. What is the hex value of “rax” by the end?

Try to jump to “func” before “loop loop”. What is the hex value of “rbx” at the end?

The attached assembly code loops forever. Try to modify (mov rax, 5) to make it not loop. What hex value prevents the loop?

Functions

Shellcoding

Skills Assessment

4. SOC Analyst (Job Path)

4.1. Incident Handling Process

4.2. Security Monitoring & SIEM Fundamentals

4.3. Windows Event Logs & Finding Evil

4.4. Introduction to Threat Hunting & Hunting with Elastic

4.5. Understanding Log Sources & Investigating with Splunk

4.6. Windows Attacks & Defense

DCs:

Authentication

Network Ports

Weaknesses

  1. Complexity
  2. Allows remote CodeExec by design (via GPOs pulled from SYSVOL)
  3. Legacy, not secure by default. E.g.: DNS-like protocols (NetBIOS, LLMNR) broadcast user credentials on the wire

Windows Attacks

Kerberoasting

AS-REProasting

GPP Passwords

Misconfigured GPO permissions

Credentials in Network Shares

Credentials in User Attributes

Kerberos Constrained Delegation

PrintSpooler & NTLM Relaying

Coercing attacks & Kerberos Unconstrained Delegation

Object ACLs

PKI Misconfigurations

(2022) Certified Pre-Owned: “Abusing Active Directory Certificate Services”

PKI Architecture Flaws:

ESC1: Misconfigured Certificate Templates
ESC8: NTLM Relay to AD CS HTTP Endpoints

Skills Assessment

Replicate the attack described in this section and view the related 4886 and 4887 logs. Enter the name shown in the Requester field as your answer. (Format: EAGLE.…)

EAGLE\DC2$

4.7. Intermediate Network Traffic Analysis

4.8. Working with IDS/IPS

4.9. Introduction to Malware Analysis

4.10. JavaScript Deobfuscation

4.11. YARA & Sigma for SOC Analyst

4.12. Introduction to Digital Forensics

4.13. Detecting Windows Attacks with Splunk

4.14. Security Incident Reporting