Just a small tool I threw together one day to make it easy to work with HTB from the command line. It uses the API wrapper from @kulinacs with a few modifications.
Install
pip install htbcli
Config
After installing the module, configure it with:
# For free users use this command.
# Replace [your_key] with your actual api key from the settings page on HTB.
htb config --lab=free --apiKey=[your_key]
# For VIP users it's the same; just pass vip instead of free to the --lab argument.
htb config --lab=vip --apiKey=[your_key]
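Typing the key after --apiKey, as above, records it in your shell history. The wrapper below is an added example, not part of htbcli (the name htb_config_prompt is hypothetical): it reads the key from a no-echo prompt and then runs the same htb config command. The key is still visible in the process argument list while htb config runs.

```shell
# Added example, not part of htbcli. htb_config_prompt is a hypothetical helper;
# only `htb config --lab=... --apiKey=...` comes from the README.
htb_config_prompt() {
    lab=${1:-}
    case $lab in
        free|vip) ;;
        *) echo "usage: htb_config_prompt free|vip" >&2; return 2 ;;
    esac

    # Turn echo off only when the key is typed at a terminal, and restore
    # the saved terminal state afterwards (also if the prompt is interrupted).
    if [ -t 0 ]; then
        saved_tty=$(stty -g)
        trap 'stty "$saved_tty"' INT TERM
        stty -echo
        printf 'HTB API key: ' >&2
    fi
    IFS= read -r key || true
    if [ -t 0 ]; then
        stty "$saved_tty"
        trap - INT TERM
        printf '\n' >&2
    fi

    # Drop whitespace and carriage returns that come along with a paste.
    key=$(printf '%s' "$key" | tr -d '[:space:]')
    if [ -z "$key" ]; then
        unset key
        echo "no API key read" >&2
        return 1
    fi

    rc=0
    htb config --lab="$lab" --apiKey="$key" || rc=$?
    unset key
    return "$rc"
}
```

Run it as htb_config_prompt free (or vip) after defining the function in your shell.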
List
You can list all the boxes on HTB. Just use the list command.
$ htb list -h
# usage: htb list [-h] [--retired] [--assigned] [--incomplete] [--sort-by field]
# [--reverse] [-s SEPARATOR] [-rs ROW_SEPARATOR] [-q]
# [-f field [field ...]] [-a]
# optional arguments:
# -h, --help show this help message and exit
# --retired Include retired boxes in the output. [NOTE: Retired
# boxes are only available to VIP users and cannot be
# accessed by a free user.]
# --assigned Show what machines are assigned to you. [VIP Only]
# --incomplete Only show incomplete boxes in the output. An
# incomplete box is one where you haven't owned both
# user and root.
# --sort-by field Field to sort by. This will sort the boxes by the
# passed field. You can reverse the order by passing
# --reverse. Certain fields like difficulty will be the
# average value. To sort by the official HTB rank (ie
# easy/medium/hard) sort by the amount of points the box
# is/was assigned.
# --reverse Reverse the order of boxes. This will return the list
# sorted by the sort field in reverse.
# -s SEPARATOR, --separator SEPARATOR
# The separator to use when outputting the fields when
# -q is set
# -rs ROW_SEPARATOR, --row-separator ROW_SEPARATOR
# The separator to use between rows when outputting the
# fields when -q is set
# -q, --quiet Output only the field values without any formatting.
# Useful when parsing the output.
# -f field [field ...], --fields field [field ...]
# Limit the output to only these fields. All fields
# shown when this is omitted.
# -a, --all-fields Output every field on the machines.
$ htb list
# ╒══════╤════════════╤═════════╤══════════╤══════════════╤══════════════╤══════════╕
# │   id │ name       │ os      │   rating │ owned_user   │ owned_root   │ active   │
# ╞══════╪════════════╪═════════╪══════════╪══════════════╪══════════════╪══════════╡
# │  191 │ Smasher2   │ Linux   │      4.4 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  193 │ Chainsaw   │ Linux   │      4.2 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  196 │ Player     │ Linux   │      4.8 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  197 │ Craft      │ Linux   │      4.9 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  198 │ RE         │ Windows │      4.4 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  200 │ Rope       │ Linux   │      4.7 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  201 │ Heist      │ Windows │      4.4 │ True         │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  202 │ Scavenger  │ Linux   │      3.3 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  203 │ Networked  │ Linux   │      3.7 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  204 │ Zetta      │ Linux   │      4.5 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  207 │ Bitlab     │ Linux   │      3.7 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  208 │ Wall       │ Linux   │      2.3 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  209 │ Bankrobber │ Windows │      2.7 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  210 │ Json       │ Windows │      4.1 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  211 │ Sniper     │ Windows │      4.5 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  212 │ Forest     │ Windows │      4.6 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  213 │ Registry   │ Linux   │      4.4 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  214 │ Mango      │ Linux   │      3.8 │ True         │ True         │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  215 │ Postman    │ Linux   │      3.9 │ False        │ False        │ True     │
# ├──────┼────────────┼─────────┼──────────┼──────────────┼──────────────┼──────────┤
# │  216 │ AI         │ Linux   │      2.7 │ False        │ False        │ True     │
# ╘══════╧════════════╧═════════╧══════════╧══════════════╧══════════════╧══════════╛
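The -q, -s and -f options exist so the list can be fed to other tools. The filter below is an added example, not part of htbcli (htb_todo is a hypothetical name): it turns quiet output into a to-do list of boxes that are not fully owned, highest rated first. It assumes quiet mode prints one box per line with the fields in the order given to -f; the sample rows in the comment are constructed from the table above.

```shell
# Added example, not part of htbcli. Assumed input, one box per line:
#   name|os|rating|owned_user|owned_root
# e.g. (constructed from the table above)
#   Heist|Windows|4.4|True|False
#   Mango|Linux|3.8|True|True
# Intended use:
#   htb list -q -s '|' -f name os rating owned_user owned_root | htb_todo Linux
htb_todo() {
    want_os=${1:-}      # optional OS filter, case-insensitive
    tab=$(printf '\t')
    awk -F'|' -v want_os="$want_os" '
        # Rows that do not have the five assumed fields are counted, not guessed at.
        NF != 5 { bad++; next }
        want_os != "" && tolower($2) != tolower(want_os) { next }
        # Both flags owned: nothing left to do on this box.
        $4 == "True" && $5 == "True" { next }
        {
            state = ($4 == "True") ? "root-pending" : "untouched"
            printf "%s\t%s\t%s\n", $3, $1, state
        }
        END {
            if (bad) printf "skipped %d malformed row(s)\n", bad > "/dev/stderr"
        }
    ' | sort -t "$tab" -k1,1nr -k2,2 | cut -f2,3
}
```

The output is tab-separated: box name, then untouched or root-pending.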
Info
You can see data on a single machine with the info command.
$ htb info -h
# usage: htb info [-h] [-s SEPARATOR] [-q] [-f field [field ...]] [-a] BOX
# positional arguments:
# BOX The name of the box you want info for.
# optional arguments:
# -h, --help show this help message and exit
# -s SEPARATOR, --separator SEPARATOR
# The separator to use when outputting the fields when
# -q is set
# -q, --quiet Output only the field values without any formatting.
# Useful when parsing the output.
# -f field [field ...], --fields field [field ...]
# Limit the output to only these fields. All fields
# shown when this is omitted.
# -a, --all-fields Output every field on the machine.
$ htb info lame
# ╒═══════════════╤══════════════════════════════════════════════════════════════════════════════════════╕
# │ id            │ 1                                                                                    │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ name          │ Lame                                                                                 │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ os            │ Linux                                                                                │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ ip            │ 10.10.10.3                                                                           │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ avatar        │ https://www.hackthebox.eu/storage/avatars/fb2d9f98400e3c802a0d7145e125c4ff.png       │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ avatar_thumb  │ https://www.hackthebox.eu/storage/avatars/fb2d9f98400e3c802a0d7145e125c4ff_thumb.png │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ points        │ 20                                                                                   │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ release       │ 2017-03-14 21:54:51                                                                  │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ retired_date  │ 2017-05-26 19:00:00                                                                  │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ maker         │ id: 1                                                                                │
# │               │ name: ch4p                                                                           │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ maker2        │                                                                                      │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ ratings_pro   │ 2331                                                                                 │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ ratings_sucks │ 220                                                                                  │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ user_blood    │ id: 22                                                                               │
# │               │ name: 0x1Nj3cT0R                                                                     │
# │               │ time: 18 days, 22 hours, 55 mins, 25 seconds                                         │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ root_blood    │ id: 22                                                                               │
# │               │ name: 0x1Nj3cT0R                                                                     │
# │               │ time: 18 days, 22 hours, 54 mins, 36 seconds                                         │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ user_owns     │ 9949                                                                                 │
# ├───────────────┼──────────────────────────────────────────────────────────────────────────────────────┤
# │ root_owns     │ 10556                                                                                │
# ╘═══════════════╧══════════════════════════════════════════════════════════════════════════════════════╛
Reset
Of course you can also interact with the boxes. Here is how you request a reset of a box.
$ htb reset -h
# usage: htb reset [-h] BOX
# positional arguments:
# BOX The name of the box to reset. Resetting may take a few minutes
# to take effect and may be cancelled by another user.
# optional arguments:
# -h, --help show this help message and exit
$ htb reset mango
# Attempting to reset Mango. This request often takes ~30 seconds, so be patient please...
# success: 1
# output: Mango will be reset in 2 minutes.
# used: 0
# of : 2 total resets
# total: 2
Own
You can submit flags with the own command.
$ htb own -h
# usage: htb own [-h] -f FLAG -d [1-10] BOX
# positional arguments:
# BOX The name of the box you want to own.
# optional arguments:
# -h, --help show this help message and exit
# -f FLAG, --flag FLAG The flag you want to submit to own the box. user/root
# is automatically determined by the server based on
# what flag you submit.
# -d [1-10], --difficulty [1-10]
# The rating of how difficult you thought it was from
# 1-10.
$ htb own --flag=abcdefghijklmnopqrstuvwxyz123456 --difficulty=5 heist
# Attempting to own Heist with flag: abcdefghijklmnopqrstuvwxyz123456 and rating: 5/9...
# Heist user is now owned.
# 1
Spawn
You can interact with the new VIP interface's on-demand launch capability with the spawn command.
$ htb spawn -h
# usage: htb spawn [-h] BOX
# positional arguments:
# BOX The name of the box to spawn. This will fail if you have another
# box currently spawned. Terminate any spawned boxes and wait
# until it actually shuts down before running this.
# optional arguments:
# -h, --help show this help message and exit
$ htb spawn chainsaw
# Attempting to spawn Chainsaw. This request often takes ~30 seconds, so be patient please...
# success: 1
# status: You have been assigned as an owner of this machine.
Terminate
And once you're done owning a box, just terminate it and move on.
$ htb terminate -h
# usage: htb terminate [-h] BOX
# positional arguments:
# BOX The name of the box to terminate. Termination may take up to a
# few minutes to take effect. Until then you will not be able to
# spawn any new boxes.
# optional arguments:
# -h, --help show this help message and exit
$ htb terminate chainsaw
# Attempting to terminate Chainsaw. This request often takes ~30 seconds, so be patient please...
# success: 1
# status: Machine scheduled for termination.
If anyone has any feature requests, I will gladly hear them out but can't guarantee I will have time to implement them.
I'm @devx00 on HTB, and I am an admin of a Discord server dedicated to helping people get into InfoSec and (ethical) hacking in general. Feel free to message me at either, or on GitHub.
Here's a link to the Discord server for anyone interested: NullzSec Discord