
After using Kali 2019.4 for almost 2 years, I finally upgraded my Kali to 2021.2. I wanted to try Parrot or build a weaponized version of Ubuntu, but because I like simplicity, I decided to use Kali again 😄 //slap.
In this post, I’d like to share my Kali Linux setup for playing HackTheBox. I think it is applicable for TryHackMe, VulnHub or other boot2root platform, too.
Display IP Address in Prompt
Adding IP address in your prompt would be really helpful as it lets you copy the IP faster for reverse shell. To do so, we’ll need to modify the .zshrc
file. But, before performing any modification, consider to make a backup of your original file using the following command:
$ cp ~/.zshrc{,.bak}
Also, I usually put any customization at the top of the .zshrc
file wrapped between two comments, for example:
# START CUSTOM
...[custom script here]
# END CUSTOM
If all set, add the following function to your .zshrc
file.
function get_ip(){
# It can be thm or htb IP
tunnel_ip=`ifconfig tun0 2>/dev/null | grep netmask | awk '{print $2}'`
# Use eth0 as default IP,
default_ip=`ifconfig eth0 2>/dev/null | grep netmask | awk '{print $2}'`
if [[ $tunnel_ip == *"10."* ]]; then
echo $tunnel_ip
else
echo $default_ip
fi
}
Then, find the following lines:
...
case "$PROMPT_ALTERNATIVE" in
twoline)
...
Under these lines, replace the entire PROMPT
variable with the following line:
PROMPT=$'%F{%(#.blue.green)}┌──${debian_chroot:+($debian_chroot)─}${VIRTUAL_ENV:+($(basename $VIRTUAL_ENV))─}(%B%F{%(#.red.blue)}%n$prompt_symbol%m%b%F{%(#.blue.green)})-[%B%F{reset}%(6~.%-1~/…/%4~.%5~)%b%F{%(#.blue.green)}]-%B%F{152}[`get_ip`]%b%f%F{%(#.blue.green)}\n└─%B%(#.%F{red}#.%F{blue}$)%b%F{reset} '
Reopen your terminal or type one of the following commands in the terminal.
$ zsh
$ source ~/.zshrc
And done.

OpenVPN Connection
For VPN, it’s tiring when you have to type $ openvpn /path/to/config/file.ovpn
each time you want to connect to the HTB/THM network. To make thing easier, we can create a folder called .ovpnconfig
in the home directory.
$ mkdir -p ~/.ovpnconfig
Then put all of your OpenVPN configuration files into this .ovpnconfig
folder.

Finally, add some aliases into your .zshrc
.
alias htbon='openvpn ~/ovpnconfig/htb-sg.ovpn 1>/dev/null &'
alias htbfort='openvpn ~/ovpnconfig/htb-fortress.ovpn 1>/dev/null &'
alias htbrel='openvpn ~/ovpnconfig/htb-release.ovpn 1>/dev/null &'
alias thmon='openvpn ~/ovpnconfig/thm.ovpn 1>/dev/null &'
alias thmwreath='openvpn ~/ovpnconfig/thm-wreath.ovpn 1>/dev/null &'
alias kvpn='pkill openvpn'
Now we can type $ htbon
or $ thmon
in the command prompt to connect to the VPN. Want to turn off the VPN? Simply type $ kvpn
!
Sudo with Alias
In the newer Kali Linux (non-root login), the only problem is that openvpn
must be executed with sudo
. Therefore, you’ve to add the following sudo
alias.
# Source: https://askubuntu.com/questions/750419/how-do-i-run-a-sudo-command-needing-password-input-in-the-background
alias sudo='sudo -v; [ $? ] && sudo '
sudo -v
will authenticate the user first.[ $? ] && sudo
will check if the previous command (separated by semi-colon) return with success (value of 0), if yes runsudo
again.
This time, we can run sudo command with aliases.
$ sudo <alias-command>
$ sudo htbon
$ sudo thmon
$ sudo kvpn
An alternative for sudo to work with alias is using sudo with no passwd.
$ sudo visudo /etc/sudoers.d/kali
Then add the following line.
kali ALL=NOPASSWD: ALL
After that, change the previous sudo alias to this one
alias sudo='sudo '
Tools Transfer
Just like the OpenVPN files, I like to keep the essential tools to be centralized in one folder and so it can be hosted immediately. Again, we can create a folder called tools
.
$ mkdir -p ~/tools
Put your tools inside the folder. The following are some of the tools that I think to be essential (including web-shell).

Next, add another alias to host these tools immediately with one command, feel free to create alias for yourself. Mine called hostit
.
alias hostit='python3 -m http.server -d ~/tools 8000'
If you watch ippsec, he prefers keeping the tools with the associated pwned machines (in www
directory). So it’s up to you.
Note Template
My current note template is available on GitHub. I’m using the following function to recreate the directory structure:
function mknote(){
mkdir nmap gobuster loot logs exploits ssh-keys post-exploits
}
-
nmap: each nmap scan goes here.
-
gobuster: each gobuster scan goes here.
-
loot: each interesting file for further analysis goes here.
-
logs: If you like to log your activity with
$ script
, put them here. -
exploits: exploit script goes here.
-
ssh-keys: obtained ssh-key goes here, not loot.
-
post-exploits: post-compromise loot goes here.
Usage is simple:
$ cd htb-machine-folder/
$ mknote
$ tree
.
├── exploits
├── gobuster
├── logs
├── loot
├── nmap
├── post-exploits
└── ssh-keys
SSH Configuration
I have always use a separate SSH keys for CTF. My SSH key for CTF is using ed25519. You can create one using the following command:
$ ssh-keygen -a 100 -t ed25519 -f ~/.ssh/ctf_ssh
After that, register your private key to SSH agent.
$ eval "$(ssh-agent -s)"
$ ssh-add ~/.ssh/ctf_ssh
Since HackTheBox machine starts with IP address of 10.10.*
, add these lines to your SSH config (~/.ssh/config
). Create one if you don’t have it.
Host 10.10.*
IdentityFile ~/.ssh/ctf_ssh
With the config above, whenever I injected my public key (/.ssh/ctf_ssh.pub
) to HackTheBox machine for persistence access, I can login by simply typing $ ssh machine-name@hostname
or $ ssh machine-name@ip
. I don’t have to specify -i /path/to/ssh/private/key
anymore.
QTerminal Configuration
Unfortunately I’m not a tmux user here. Tmux is rich in features, but I’m not comfortable with its prefix key. So far, I’ve always used the default QTerminal application and leveraged its shortcut feature to ‘navigate’ a slightly faster in terminal.
If you’re a Windows Terminal user, you’ll familiar with some of these shortcuts:
ALT + Arrows
: Move cursor in subterminalCTRL + TAB
: Navigate between tabsCTRL + Arrow Left
: Previous tabCTRL + Arrow Right
: Next tabCTRL + N
: New terminal tabCTRL + SHIFT + W
: Close current subterminalCTRL + SHIFT + =
: Split terminal verticallyCTRL + SHIFT + -
: Split terminal horizontallyCTRL + SHIFT + F
: Open search bar in terminalCTRL + =
: Zoom inCTRL + -
: Zoom out
For me, the only limitation here is that there is no shortcut for resizing a subterminal.
All in One with Oh My Zsh Plugin
If you’re a Oh My Zsh user like me, we can add these configurations (excluding SSH and QTerminal configurations) into a custom plugin.
Save the following script to /home/<username>/.oh-my-zsh/custom/plugins/ctf/ctf.plugin.zsh
.
#!/bin/bash
function get_ip(){
# It can be thm or htb IP
tunnel_ip=`ifconfig tun0 2>/dev/null | grep netmask | awk '{print $2}'`
# Use eth0 as default IP,
default_ip=`ifconfig eth0 2>/dev/null | grep netmask | awk '{print $2}'`
if [[ $tunnel_ip == *"10."* ]]; then
echo $tunnel_ip
else
echo $default_ip
fi
}
function mknote(){
mkdir nmap gobuster loot logs exploits ssh-keys dump post-exploits
}
# https://askubuntu.com/questions/750419/how-do-i-run-a-sudo-command-needing-password-input-in-the-background
alias sudo='sudo -v; [ $? ] && sudo '
alias htbon='openvpn ~/ovpnconfig/htb-sg.ovpn 1>/dev/null &'
alias htbfort='openvpn ~/ovpnconfig/htb-fortress.ovpn 1>/dev/null &'
alias htbrel='openvpn ~/ovpnconfig/htb-release.ovpn 1>/dev/null &'
alias thmon='openvpn ~/ovpnconfig/thm.ovpn 1>/dev/null &'
alias thmwreath='openvpn ~/ovpnconfig/thm-wreath.ovpn 1>/dev/null &'
alias kvpn='pkill openvpn'
alias hostit='python3 -m http.server -d ~/tools 8000'
If you want to include my note template as well, I’ve prepared this one with note template embedded in
mknote
function.
The next step depends on your theme. I use a theme called robbyrussell
.
I created a copy of the theme in /home/kali/.oh-my-zsh/custom/themes/robbyrussell.zsh-theme
and modified the theme to display IP address and use two lines prompt.
NEWLINE=$'\n$'
PROMPT='%(?:%{$fg_bold[green]%}→:%{$fg_bold[red]%}→)'
PROMPT+=' %F{4}%n@%m %{$fg[cyan]%}«%c»%{$reset_color%}'
PROMPT+=' %B%F{152}«$(get_ip)»%f%b $(git_prompt_info)'
PROMPT+="%F{31}${NEWLINE} %f"
ZSH_THEME_GIT_PROMPT_PREFIX="%{$fg_bold[blue]%}git:(%{$fg[red]%}"
ZSH_THEME_GIT_PROMPT_SUFFIX="%{$reset_color%} "
ZSH_THEME_GIT_PROMPT_DIRTY="%{$fg[blue]%}) %{$fg[yellow]%}✗"
ZSH_THEME_GIT_PROMPT_CLEAN="%{$fg[blue]%})"
Finally, load the ctf
plugin we created in .zshrc
file.
...[SNIP]...
# Which plugins would you like to load?
# Standard plugins can be found in $ZSH/plugins/
# Custom plugins may be added to $ZSH_CUSTOM/plugins/
# Example format: plugins=(rails git textmate ruby lighthouse)
# Add wisely, as too many plugins slow down shell startup.
plugins=(git ctf)
...[SNIP]...
Restart your terminal and we’re done.

And that’s all for this post!