To prepare for the eCPPTv2 test, I decided to do the Dante Pro Lab on Hack The Box. I had previously completed the Wreath network and the Throwback network on TryHackMe after taking time off. Dante consists of 14 machines and 26 flags and has both Windows and Linux machines. There are also Windows and Linux buffer overflows in the network, but that is not the only way to exploit the machines that they are on. The lab is described as beginner level, but if someone has little to no experience it would be a challenge for them to complete. There are no hints, and if you are stuck the only help is joining the Discord channel. I found this enjoyable and the people there were helpful. There are pivots, lots and lots of glorious pivots. I used about every pivot tool, including sshuttle, Chisel, SSH and even the Metasploit SOCKS proxy module.
I did have one problem in the lab with the machine the Windows buffer overflow was on. I got a shell on the machine as a low-level user. I found the executable for the buffer overflow and created the exploit, and I could get a remote shell as the low-level user if I started the program. The problem was that there was no high-level user running the program. I verified with the HTB Discord admins that there should be a port open running the program. I was told to wait until the morning because the machines reset every night. I had the same problem the next day, and I spent about four days messing with this machine, thinking I must be doing something wrong. I even rebooted the machine, thinking someone had crashed it before I got on it again. I gave up getting SYSTEM using the buffer overflow and decided to get SYSTEM another way. I cracked the administrator hash and then used the password to RDP into the machine as the administrator. The program started running on the desktop and was listening on the designated port. I was then able to get a reverse shell using my exploit as SYSTEM. My guess is that something in the config was broken, and the administrator was not auto-logging into the machine after the resets.
The lab took me about 2 months to complete, doing it at lunch, after work and on the weekend. I found the experience with Dante enjoyable and well worth the money spent.
