Hack The Box - Offshore Lab
HackTheBox Offshore review - a mixed experience Posted on May 15, 2021
After significant struggle, I finally finished Offshore, a prolab offered by HackTheBox. I attempted this lab to improve my knowledge of AD, improve my pivoting skills and practice using a C2. I have achieved all the goals I set for myself and more. For the C2, I picked metasploit and it has been a huge time saver after I got used to it. The lab took me about 6 weeks to finish with a full time job, but I’ve done nothing but work and do Offshore for those 6 weeks. My knowledge before attempting offshore was the CRTP certification from Pentester Academy and about a year of web focused pentesting work experience. I had close to no practical experience in pentesting an internal network outside of the OSCP. I paid for offshore out of my own pocket. The Premise You are a super secret agent tasked with breaching into a secure offshore bank and exposing their money laundering practices. The bank has acquired a number of smaller companies and plugged them into their main network as different domains. I like it when CTFs provide a story and hacking into a bank is a pretty good one. Also gives you an idea of the potential layout and security pitfalls of the company.
The Lab
The lab contains 21 machines and 38 flags spread across 4 domains. You will have to pivot at various points. This can occasionally get a bit ridiculous, like being 4 pivots deep and with 3 nested RDP sessions praying that your tools still work, but for the most part is manageable if you do some proper post exploitation. Every box has only one intended path.
The Good
For 90 pounds + 20 pounds/month after, you get a rather sizeable lab with a lot of content in it. The AD related content is good to very good. As a reference, I was able to use my CRTP knowledge as a crutch to get me as far as to the third domain. Once there I had to do some extra research and progress slowed down. Purely for learning and practicing purposes, the lab is good value for the money as long as you don’t go for longer than 5-6 months.
You will get to play with bloodhound a lot, deepen your knowledge of kerberos attack vectors, ACL abuse, pass the hash, DCSync and other AD related attack vectors, as well as a few other challenges that will test your scripting ability.
The Bad
The infamous shared lab experience. You will often encounter other players in the lab, especially until DC03. At peak hours, the lab can slow down considerably. A single box serves as an early pivot to a large part of the lab and can only be accessed via RDP. Expect your shells to drop a lot. Also expect players to leave solutions behind, to change passwords for boxes and to leave some boxes in an unsolvable state until a reset is requested. This can all be immensely frustrating.
Some side quests are also not quite up to par in terms of their design and can end up being frustrating and immensely time consuming. Do not hesitate to ask for sanity checks from the community!
The Great
Ippsec’s box is a lot of fun and felt like a really well paced challenge - although it should be worth way more points. Aside from the lab, the people I got to meet and interact along the way were incredible and I will be forever thankful for their patience. This is an instance of the whole being greater than the sum of its parts. The people made this experience great, as they were my teachers and helped when I got stuck, and all for free. Don’t be afraid to look like a fool and ask questions on the discord channel. Often enough I found the solution while trying to word a question.
Prerequisites
The Offshore Path from hackthebox is a good intro. Also use ippsec.rocks to check other AD related boxes from HTB. CRTP knowledge will also get you reasonably far. If you’re not familiar with the HTB discord, also consider lurking in the offshore channel for a bit.
Conclusion
Offshore can be a very enjoyable experience if you purely focus on the learning aspect and not on the certificate itself, earning it a 4.5/5. It also works as a bridge between something like CRTP, and something more difficult such as OSEP or CRTE. The overall lab track needs some polish and redesign around some of the pivots and side challenges, but getting to practice in a 15+ boxes lab environment for $120 is a really good deal if you can avoid peak times. A lukewarm recommendation if you want to go for the full cert, which I’d personally rate as more of a 3.5/5.
Should you do offshore? If you want to purely use it to learn and practice AD, and you can stomach the grind to DC1, and about $120 is not much money to you, then yes, the path to DC4 is interesting and outside of the 2nd pivot, not too frustrating from a technical point of view. You will still encounter the shared labs pitfalls.
As for the cert, I’m a bit more on the fence here. Many flags feel like padding and some are hidden in really annoying places that don’t serve to teach anything. Having to redo your pivots every day is also somewhat annoying especially in the later domains. The hints for some side quests are also really vague if you’re not used to CTF content, but by far the biggest culprit is the shared labs experience. Which brings me to a new section of the review, the worst.
The Worst
The shared labs experience can be absolutely infuriating. Some examples I’ve personally encountered:
People using the broadcast on the first pivot box function to spoil the solutions for other boxes as well as yell some obscenities.
Someone kicking me off an RDP session and closing all the stuff I had open. We ended up wasting half an hour just kicking each other from the RDP session.
Furthermore, the shared labs will lead to something I’ve coined as “Offshore dementiaâ€. As an example, the hashes and vectors you used today might not work tomorrow because people changed them. The hashes you get tomorrow might not work the next day for the same reason. Which ones were the right ones? Who knows! Your best bet is to log in early into the morning and see which ones work.
Your shells and pivots will also drop constantly. Once you get to DC3 or DC4, I’d recommend doing your pivots from there, they will be significantly more stable. Otherwise consider using 2 shells per box if it’s a pivot box to have one as a backup.
There are two particular quests that are absolutely infuriating. The first one is MGMT01, which has a really wonky vector. Once you identify it, I’d suggest you script it because it can take an ungodly amount of attempts to get it running. It took me about 40, but I’ve heard people reach close to 100. Although I have also heard of people say not to script it because that can also lead to failure. Offshore dementia.
The other one is the Joe-LPTP sidequest, including the stuff that comes after it. Joe-LPTP itself has only about 1 GB of space left with auto updates on so it tends to brick itself one the HDD fills up. The box after Joe-LPTP also requires multiple attempts and restores. So again, kind of a mix between poor design and what feels like padding. Do not hesitate to ask for sanity checks on the discord channel.
There’s also a box on the path between DC3 and DC4 with a rotating hash. It is a bit annoying to have to redo the process every day if you’re stuck for multiple days.
The pricicing scheme is also a bit ridiculous. 70 pounds to generate an OpenVPN file and allocate an user to a pool is taking the piss. Having to pay 70 pounds again if you want to take a break from the lab and start again is taking oceanic amounts of piss. 20/month is good value, I’d reckon that even up to 30/m would be good value. If you are able to get it on sale for 35 pounds, then the value proposition is significantly better. I just hope they will reconsider the part where you have to pay the full sum if you take a break.
Discord
Most of the people on the channel are great. Some are even fantastic. But the moment you ask for help, you will start getting random DMs from people asking directly for help. Personally I just ignore them and I don’t report them, because that would be silly. Please do not be afraid to ask questions on the public channel instead of random DMs, nobody will think less of you if you do.
Final Thoughts
Offshore is an experience, and once you’ve experienced it once, you’ll never want to experience it again.It’s good, but it could be great. I think the lab also suffers a bit from bloated design, which is a double edged sword. On one hand, more content. On the other hand, some of this content is not good. I’ve heard similar issues about Rastalabs, although I have also heard that the harder labs are much better. I will be taking a break from HTB pro labs for the foreseeable future as I want to focus on OSEP, but maybe I will attempt those harder ones in the future.