HackTheBox Offshore review

Rob
May 15, 2021

After significant struggle, I finally finished Offshore, a prolab offered by HackTheBox. I attempted this lab to improve my knowledge of AD, improve my pivoting skills and practice using a C2. I have achieved all the goals I set for myself and more. For the C2, I picked Metasploit and it has been a huge time saver after I got used to it. The lab took me about 6 weeks to finish with a full-time job, but I’ve done nothing but work and do Offshore for those 6 weeks. My knowledge before attempting Offshore was the CRTP certification from Pentester Academy and about a year of web-focused pentesting work experience. I had close to no practical experience in pentesting an internal network outside of the OSCP. I paid for Offshore out of my own pocket.

The Premise

You are a super secret agent tasked with breaching into a secure offshore bank and exposing their money laundering practices. The bank has acquired a number of smaller companies and plugged them into their main network as different domains. I like it when CTFs provide a story and hacking into a bank is a pretty good one. It also gives you an idea of the potential layout and security pitfalls of the company.

The Lab

The lab contains 21 machines and 38 flags spread across 4 domains. You will have to pivot at various points. This can occasionally get a bit ridiculous, like being 4 pivots deep and with 3 nested RDP sessions praying that your tools still work, but for the most part it is manageable if you do some proper post-exploitation. Every box has only one intended path.

The Good

For 90 pounds + 20 pounds/month after, you get a rather sizeable lab with a lot of content in it. The AD-related content is good to very good. As a reference, I was able to use my CRTP knowledge as a crutch to get me as far as the third domain. Once there I had to do some extra research and progress slowed down. Purely for learning and practicing purposes, the lab is good value for the money as long as you don’t go for longer than 5–6 months.

You will get to play with BloodHound a lot, deepen your knowledge of Kerberos attack vectors, ACL abuse, pass-the-hash, DCSync and other AD-related attack vectors, as well as a few other challenges that will test your scripting ability.

The Bad

The infamous shared lab experience. You will often encounter other players in the lab, especially until DC03. At peak hours, the lab can slow down considerably. A single box serves as an early pivot to a large part of the lab and can only be accessed via RDP. Expect your shells to drop a lot. Also expect players to leave solutions behind, to change passwords for boxes and to leave some boxes in an unsolvable state until a reset is requested. This can all be immensely frustrating.

Some side quests are also not quite up to par in terms of their design and can end up being frustrating and immensely time-consuming. Do not hesitate to ask for sanity checks from the community!

The Great

Ippsec’s box is a lot of fun and felt like a really well paced challenge — although it should be worth way more points. Aside from the lab, the people I got to meet and interact with along the way were incredible and I will be forever thankful for their patience. This is an instance of the whole being greater than the sum of its parts. The people made this experience great, as they were my teachers and helped when I got stuck, and all for free. Don’t be afraid to look like a fool and ask questions on the Discord channel. Often enough I found the solution while trying to word a question.

Prerequisites

The Offshore Path from HackTheBox is a good intro. Also use ippsec.rocks to check other AD-related boxes from HTB. CRTP knowledge will also get you reasonably far. If you’re not familiar with the HTB Discord, also consider lurking in the Offshore channel for a bit.

Conclusion

Offshore can be a very enjoyable experience if you purely focus on the learning aspect and not on the certificate itself, earning it a 4.5/5. It also works as a bridge between something like CRTP, and something more difficult such as OSEP or CRTE. The overall lab track needs some polish and redesign around some of the pivots and side challenges, but getting to practice in a 15+ box lab environment for $120 is a really good deal if you can avoid peak times. A lukewarm recommendation if you want to go for the full cert, which I’d personally rate as more of a 3.5/5.

Thanks for reading. If you’ve enjoyed this review, be sure to check out some extra points here: https://robsware.github.io/rants/offshore#extra

Rob

Penetration tester, tinkerer, developer and AI enthusiast.