HTB Lessons Learned (Part One)

Easy Windows Boxes

I recently went back and completed all the ‘Easy’ difficulty Windows boxes on These are the lessons that I learned, specifically the things that had me smashing my face off the keyboard for hours on end and wondering why I subject myself to these trials, and whether or not I’m really cut out for a career in information security.

I hope this will help you in your own journey.

General Things

Read/Watch the Walkthroughs

IppSec is your friend. I have a policy. If I’m stuck for longer than 30-60 minutes on something and I’m sure I’ve tried everything that I can think of, I’ll find IppSec’s video.

It’s very easy to get trapped into thinking that looking at the walkthrough is somehow ‘giving up’. It’s not. It’s a trade-off between learning to be persistent and learning the value of your own time. Smashing your face off a box for two days is a poor use of time in my opinion, when you can try for an hour, get a prompt for the next bit, and then take it from there.

You’ll learn more. You’ll learn faster. And with 350 boxes (or however many there are now) you’re never going to run out. There’s plenty of time once you’ve gone through the back catalogue to smash your face off the active boxes for days. When you’re still learning though, use all the resources available to you and don’t squander your time.

Make Notes

Learned something? Write it down. Keep it secret. Keep it safe. I use Obsidian. I try to keep everything organised as well as I can. I have a section for infrastructure notes that is divided up by OS family, and it contains notes on enumeration, privesc, domain escalation, etc, etc. There’s a separate section on techniques that talks about shells, file transfer methods, proxying, etc, etc. You get the picture.

You’ll figure out your own way of organising things that is in some way analogous to how your brain works. My notes are probably deeply unsettling and frightening to most people for this very reason, and secondary only to my own laziness as the reason why I don’t publish them.


Enumerate all the things. This goes without saying. Remember that you’re on HackTheBox. The solution is there, you just need to know how to find it. If the box really were impossible, as that small part of your brain is screaming at you relentlessly, then nobody would be able to solve it, would they? Chances are, when you see how it’s actually done you will kick yourself. So look at everything.

Some suggestions:

  • PowerShell history.
  • Group membership.
  • Interesting file types you haven’t encountered before.
  • C:/ProgramData. As your homework, see if you can find a list of interesting Windows file locations. Saves me doing it.
Think Forensically

What’s unique on the system? What files have been changed recently? Don’t think of this as cheating. Think of it as learning useful forensic skills. Learn what Alternative Data Streams (ADS) are. Seriously, you’ll thank me.

Remember That It’s 2023

A lot of these boxes are old. You will find unintended paths. That’s okay. Also remember that sometimes newer versions of tools won’t work like they’re supposed to. It can sometimes be handy to have a VM knocking around with an older version of Kali.

Also think about passwords. If the password was Password2019 what might it have been changed to later?

Don’t Make Assumptions

Just because the webapp looks like it was whipped together quickly, it doesn’t mean that the box creator rolled their own. You’ll be surprised by what is actually an honest-to-god application that someone published and actual real people are using in the wild. At least at first. The jaded cynicism comes with time.

Don’t assume that the flags will always be where you expect them to be, either.

Don’t rely on one tool, or one wordlist. If you’re stuck, branch out. Try something new.

Be careful when copying and pasting. Especially with passwords. It might not always work like you expect.

Metasploit Troubleshooting

If the module doesn’t seem to be working, check the following:

  • 64-bit vs 32-bit processes
  • interactive vs non-interactive processes
  • or… maybe it did work. Ctrl-C and check the list of sessions. It might have worked and just not exited gracefully.
Password Reuse

It’s as true on HTB as it is in the real world. Passwords get reused all the time. Dump all the usernames you find into one file and all the passwords you find into another: crackmapexec smb —shares -u users.txt -p passwords.txt. Spray usernames and passwords you find at everything that’s available to you. You never know.

Specific Windows Things (No Spoilers)

  • Alternative Data Streams. I know I’ve already mentioned this, but seriously. I’ve wanted to murder people.
  • Learn what cmdkey /list does.
  • Learn how to work efficiently with SMB. You don’t need to download multi gigabyte files to run your Kali tools against them (mount -t cifs).
  • Windows loves spraying its hashes all over the place. Learn about SCF file attacks and Responder. Understand why it works.
  • Learn how to use BloodHound. Learn about transitive relationships between AD groups.
  • You can dump process memory to disk. Just… remember that. Might come in handy.
  • nc is great, but remember telnet is a thing.
  • Just because you get NT_STATUS_ACCESS_DENIED when you run dir on an SMB share doesn’t mean you can just directly cd to a directory you know is there. Permissions aren’t always passed down from the parent to the child folders, just like I didn’t inherit my parent’s hatred of fun.
  • In PowerShell, sc is aliased to something else. You’ve been warned.
  • SysInternals.
  • Alternative Data Streams. I know. I know. But seriously.

In Conclusion

I love HTB. I think it’s a great resource, and the wealth of write-ups around it make it so much better. Use all the resources available to you and value your own time. You are beautiful. Also, fuck Alternative Data Streams.






Leave a Reply

Your email address will not be published. Required fields are marked *