2025-01-24 20:41:00
Three weeks ago I mentioned that I'm going for my OSCP certification, again.
Since then I've been working my way through the Hack The Box Academy pentest learning path. On the one hand to refresh what I already know, on the other hand to learn some new tricks... And in general to get back into a regular process loop of research-enumerate-attack-privesc-loot.
Overal the HTB course has been pretty great!
I've recently also taken a look at Try Hack Me (though not as extensively as HTB) and I like the THM interface a lot less than HTB. In almost every aspect (UI, writing, examples and labs) I like HTB a lot more than THM.
There's one module where I feel HTB could've done things differently: Password Attacks. In that module, they could give just a little more guidance in the brute forcing exercises, to ensure students don't have to spend 2+ hours waiting for a test to run.
I know: it's realistic! In real life you could have a cracker like hashcat run for days without results. You could have a brute forcer like Hydra come up dry after six hours. But when you're going through a training and most sections in a module take 30 minutes, it really grinds your pace to a halt when one section takes 2+ hours, just because you're waiting.
When the example files give you 100 users and 200 passwords, even without permutations that gives you 20.000 login attempts to try. Adding the custom permutation rules the HTB lab suggests, you're looking at 94k possible passwords, so nine million login attempts.
For a lab, that just doesn't fly. For the final exam? Sure! But not while you're trying to learn and practice.
kilala.nl tags: studies,
View or add comments (curr. 0)
All content, with exception of "borrowed" blogpost images, or unless otherwise indicated, is copyright of Tess Sluijter. The character Kilala the cat-demon is copyright of Rumiko Takahashi and used here without permission.