
# Offshore

## <mark style="color:$danger;">Certification of Completion</mark>

<figure><img src="/files/FG6AAndpHHs44LHngGVF" alt=""><figcaption></figcaption></figure>

Offshore is probably one of the **most complete Pro Labs on Hack The Box** in terms of technical variety. Unlike labs focused exclusively on Active Directory or Windows environments, here you face a heterogeneous infrastructure where Linux and Windows systems coexist, along with web applications, databases, corporate services, and multiple domains interconnected through trust relationships.

What sets Offshore apart from other Pro Labs is its **scale and diversity**: it’s not just AD. You will encounter Linux machines running services such as Splunk, PostgreSQL, GLPI, or custom PHP applications. At any moment, you can go from exploiting a web application to performing a Golden Ticket attack.

### <mark style="color:$primary;">Approximate Topology</mark>

You start from an external position with no privileged access to the internal network, and from there you must chain compromises, credentials, and pivots until you reach the most protected environments. There are a couple of standalone (non-domain joined) machines that make the environment feel much more realistic and alive.

The topology is gradually discovered. There is no full map at the beginning, meaning each compromised machine reveals new subnets and hosts. Having **Ligolo-ng** properly configured with multiple interfaces from the start is key.\
You will encounter an environment with up to 7 pivoting points, making this one of the largest environments on the platform.

<figure><img src="/files/uMCPZO7Ymi3jskE540aB" alt=""><figcaption><p>All computers to be compromised</p></figcaption></figure>

The lab is designed to simulate a large organization, so the challenge does not only lie in exploiting specific vulnerabilities, but also in managing a significant amount of information, credentials, access, and movement paths.

There are 38 flags spread throughout the environment. Some are straightforward, while others require chaining multiple techniques and revisiting previously compromised systems with new information.

At times, this can feel a bit tedious, since it is not just about compromising systems, but squeezing them from different angles and alternative paths, which adds complexity and sometimes a sense of “digging back” into already explored areas.

Still, it aligns well with the lab’s philosophy, as it heavily reinforces enumeration, information correlation, and the need to avoid considering a system “finished” after initial access. In reality, progress is non-linear, and that is part of the challenge.

<figure><img src="/files/bXGBRh0wfjOuukPHdeer" alt=""><figcaption><p>Laboratory Infrastructure</p></figcaption></figure>

***

### <mark style="color:$primary;">Fields You Should Master Before Attempting It</mark>

Throughout the lab, you constantly switch between Active Directory enumeration, web exploitation, lateral movement, pivoting, post-exploitation, and credential extraction. Tools such as **BloodHound**, **NetExec**, **PowerView**, **bloodyAD**, **Impacket**, or **Ligolo-ng** appear continuously and become part of your daily workflow.

It is also highly recommended to <mark style="color:$primary;">prepare a small offline repository with common binaries and dependencies</mark>. There are segments where downloading tools or installing packages is inconvenient or even impossible, so having utilities ready for Kerberos, DPAPI, post-exploitation, and local enumeration can save a lot of time.

Personally, there were several tools I ended up using far more than expected. **Seatbelt** and **SharpHound** were extremely helpful during internal reconnaissance; **SharpDPAPI** and **DonPAPI** were especially useful for extracting value from already compromised systems; while **Ligolo-ng** became a critical component for managing the large number of tunnels and routes required as the environment expanded.

***

### <mark style="color:$primary;">Predominant Techniques</mark>

**Enumeration** has an enormous weight throughout the entire lab. This includes not only Active Directory, but also network reconnaissance, host discovery, SMB enumeration, LDAP, databases, web applications, and traffic capture.

It is important to consider that this is a large-scale infrastructure with multiple domains and interconnected systems, where traffic between services is constant. Because of this, <mark style="color:$primary;">network analysis</mark> becomes especially relevant at certain points: not just as a supporting task, but as a direct source of credentials, access paths, or hints that allow you to progress when you get stuck.

The <mark style="color:$primary;">web component</mark> also plays a **significant role**. You will encounter corporate applications, admin panels, and internal services where exploitation relies on identifying misconfigurations, classic vulnerabilities, or features that allow code execution once privileged access is obtained.

Among the most common are **SQL Injection**, **XXE in SOAP services**, **PHP injections**, malicious file uploads, authentication bypasses, improper **JWT handling** in internal APIs, and exploitation of known **CVEs**. It is not a web-focused Pro Lab, but it is enough to constantly force you out of the Active Directory context.

Of course, **Active Directory** remains one of the core pillars of the lab. Techniques such as Kerberoasting, AS-REP Roasting, delegation abuse, ACL exploitation, gMSA accounts, and cross-domain trust relationships appear frequently, along with various forms of lateral movement.

Another particularly relevant aspect is the presence of <mark style="color:$primary;">Linux systems</mark> with a much greater weight than in other AD-focused Pro Labs. In many cases, they are not just entry points, but intermediate systems or even final objectives. This requires comfort with privilege escalation, service analysis, insecure configurations, scheduled tasks, and bypass techniques in restricted shells or filtered network environments.

Finally, Offshore strongly emphasizes <mark style="color:$primary;">**post-exploitation**</mark> and <mark style="color:$primary;">**data exfiltration**</mark>. Gaining access to a machine is rarely the final goal. The real objective is to fully exploit each system: stored credentials, DPAPI secrets, configurations, databases, Kerberos tickets, active sessions, GPOs, hardcoded credentials in scripts or config files, mounts, or even virtual disks. In fact, a significant portion of the flags are hidden in exactly these kinds of artifacts, so thorough post-exploitation enumeration is essential; otherwise, you will very likely have to backtrack later.

***

### <mark style="color:$primary;">Lessons Learned</mark>

Personally, one of the key takeaways—and likely the main goal of the Pro Lab—is learning to <mark style="color:$primary;">feel comfortable constantly switching contexts</mark> between technologies, applications, operating systems, and services. You move from web to Active Directory, Linux to Windows, exploitation to pivoting, and back again to deep enumeration. There is no linear flow, but rather a fully iterative one, where each discovery reshapes what makes sense to do next.

Finally, the value of **post-exploitation in a realistic environment** becomes very clear. In this case, gaining high privileges is not enough: the lab forces you to thoroughly inspect each system and look for alternative exploitation or escalation paths, since a significant portion of progress depends on information that is not immediately visible after initial compromise.

<figure><img src="/files/7n15c8CYusPq7HqLxLw2" alt=""><figcaption></figcaption></figure>
