#modules
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) Bloodhound shows 2 but none of those are correct
I may be wrong but it has been my experience that people often forget to try the simple steps first. I catch myself overcomplicating problems here frequently. Always try the basic stuff first, work your way into the more complex solutions when those fail.
so like.. who do we ask about things that shouldnt be in modules?
Im doing the Pivoting module. https://academy.hackthebox.com/module/158/section/1439
So i was scratching my brain wondering why i couldnt find the dll file in the unzipped file..........
Windows deletes it as it detects bad code.
You have to go into settings on the box and windows security to restore the dll... which is fine if you know that this is a thing. but if you dont then..... yay?
Is this part of the module as in "expected knowledge"?
Yes. In the real world you will need to consider firewalls & av while on engagements
aye but like "officially" in this htb module.
ignore the real world for now.
Yep its that way on purpose in this module to help prepare people for what can be experienced in the real world
oh ok. thought i had better check. usually small hints are dropped. this module has no break pedal. lololol
pls any help with Windows Fundamentals, NTFS vs. share permissions, first question. Tried everything but nothing gets accepted
pls
lol... i never read the hints....... i read it. says defender might "get in the way"
first question? protocol?
yes
i guarantee you you have done this right. it aint you.
fully refresh your page. try entering it again.
uhhhhhm
yep try a hard refresh
didn't bring anything
yah. i guarantee you did this right.
You need to enter it again after a full refresh of this page
i did
Whoever made the Password attacks module should really cut the list down
like a lot
taking forever
like 17000 less you mean? lolololol
maybe possibly more lol
I did the math
on how long it was taking
before I made a script
that made it a bit faster
it would have taken 5 hours
each service
like god damn
no its not more. its not less. its 17000
i mean taking off
@brazen apex DM me for assistance
you can fix this with a command and then get the answer in roughly 2 minutes.
are you talking about the whole module or one of the sections? because in one of the sections the right password is over 17000 words deep
Got it, thank you!
he got it. no worries my dude.
so... HTB broke?
I am using the correct creds....... I also tried .\
its driving me a little nuts ngl...
its the pivoting module. specifically the RDP and SOCKS Tunneling with SocksOverRDP
I never got that thing to work either
ahhhhhhhhh
@solar granite me too i am still stuck on that
Don't know about that, but there's a workaround. ||Connect with mstsc.exe straight, instead of pivoting||
straight to 155?
i mean.... yeah.... i can try that.. seems like cheese tho.
It is, but since the intended way doesn't work I'm not sure what to call it
i call it cheese lol. but i like a little cheese here and there.
nah. no cheese here. i cant connect to anything. 172.16.6.155 is blocked to me for straight rdp and the intended route via 172.16.5.19 is blocked by a password bug.....
I didn't note the last command I used, but try connecting as both victor and jason to .155, one definitely worked for me
i see. i have no path to it tho.. but i will re-attempt.
nah. i cant get in direct. they must have fixed that cheese.
im at a total loss.
so i can verify the victor machine creds do work fine, but the third jason machine did give me an error
and also for the "password bug" i 100% remember that bug when the module first came out. i forgot which machine had that bug and i'm pretty sure they did fix it at one point, because a while after i did this module i came back and did this section the intended way
guys
anybody down to help me with some hacking
I am completely new to hacking
and yeah
I nearly got hacked 2 times in span of few days
give both of this video a check if you are new to this
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
Introductory video on getting into hacking and cybersecurity.
Sponsor: https://go.intigriti.com/thecybermentor
Blog Post: https://tcm-sec.com/so-you-want-to-be-a-hacker-2022-edition/
Academy: https://academy.tcm-sec.com
Timestamps:
0:00 - Introduction
0:53 - Intigriti Sponsorship
1:55 - Building a Foundation
2:10 - Important Notes
5:37 - Basic IT Skills
8:28 - Networking Skills
12:38 - Linux Skills
17:04 ...
I do have their IP address
How bad is it to leak your IP address? VPN providers want us to believe it is dangerous, but I wanted to share my thoughts on the matter.
Minecraft:HACKED https://www.youtube.com/playlist?list=PLhixgUqwRTjwvBI-hmbZ2rpkAl4lutnJG
OALabs about VPNs: https://www.youtube.com/watch?v=hR5YOV__gGk
Chapters:
00:00 - Intro
01:05 - What are IP Addresses?...
I'm not really a huge liveoverflow fan but this video goes over why leaking an IP isn't that bad.
If you want to start learning there is hackthebox academy, and starting point 😉
||Also my channel|| Shameless plug warning
||shameless plug||
I can delete if mods want me to haha
I don't want to be annoying at the end of the day
just want to help people out
I know, was just joking
No problemo. Just not gonna help you with anything that is stupid.
💀 Ok bad idea lol
4/ 59 but still sus
https://www.virustotal.com/gui/file/becde39db524930de4c7b6c960fba32ddcddbf38e5e325204276620e9fef469f
Good luck on your journey 
Nice little crypto miner 
wait crypto miner? Intezer shows it's ClipBanker and Discord Token Grabber
dunno, just a guess based on what virustotal says it "drops" in the temp folder
but definitely malware 😄
so ty ❤️
It would be great if Java-based deserialization attacks were included in the "Introduction to Deserialization Attacks" module.
@dense ferry
so i just gave the RDP and SOCKS Tunneling with SocksOverRDP section a try and everything seems to be working fine for me now, Paddon and crean (don't want to ping) but if you guys still need help shoot me a dm
Hi guys i'm new to this server
check #welcome for the server and check this for hacking #modules message
oh wow that's a hard topic to learn, the joke came out kinda mean
pretty much everyone here will know what that is Lol
nah i was just asking
hello, I'm at the final part of the shoppy machine
where i have to root the machine
but i can't find any credentials for the master password
#boxes if you can't access that channel use ++verify at #bot-commands
Ok, what am I missing on the Password Attacks - Protected Archived module? I’ve followed the instructions to a T, yet no passwords have been extracted from zip.hash.
Thanks for the offer mate but I'm done with that module. I learned the stuff so I don't feel bad about not doing it the right way lol
same i just do it again for helping other people how to do the "right way" if they want to do it like that
Your help is definitely appreciated
Anyone who has completed AD E&A Skills Assessment Part II with a good memory available?
Did you do anything differently or is it just working now?
i waited like 5 min after i got the target ip for everything to fully boot up and that seemed to fix some of the issues
not good memory but I have some notes, what about it
Can I DM?
sure
Ok, what’s up with the Protected Archived module on Password Attacks?
Hi 🙂
im going though Server side attacks
and when im trying to install tplmap tool i found that This project is no longer maintained
someone have any alternatives?
i found this one, https://github.com/vladko312/SSTImap
it's based on tplmap
so i think it's a good alternative
so for that i did help one guy with a weird issue, but basically he got a ||pkzip|| hash when extracting the hash on his kali and i got a different one on the pwnbox. when i tried it on my kali sure enough i got the same hash as him, but the difference is i can crack it and he can't (we're using the same tool and wordlist). all he did was wait a day and try again and it worked for some reason
if you are having issue with that wait a day and try again or shoot me a dm
So I'm attempting to connect to a box for my first time. I'm connected via OpenVPN to the starting point server and I have an online target machine. My task is to telnet in, I'm using (telnet -l root <IP address> <port 23>). I continue to get a Connection refused. Also, should I be able to ping the server or the target machine (because I cannot)?
Yeah, you should be able to ping the machine. Unless you're doing starting point machines, the academy modules have a different vpn server
Ok I was able to figure it out. I was not running openvpn as su
looks like you're set but if needed, just completed, have some notes.
Alright I remutated the password list provided and that ended up working. Thank you for the assistance!
oh that's weird first time i heard of re-mutated the wordlist for this module
This is cool. I might use this if it is better than TPLmap.
++ Thanks sir
So close to finishing another path : D
(one costs 2k)
D :
Uhhh?
What path is that?
2k cubes ?
Enumeration ^^
It's the last one, at the bottom
Use school email for free modules (from tier0 to tier2)
I do not go to school 💀
You know no one going?
I do but it gives me time to save whilst I'm going over the initial modules again
Stuff like OS fundamentals
Well it's also a way to do it
I don't know what role that is. Did you spell it right?
Read #welcome and verify your account. You will then be able to see #prolabs-dante
and pls verify your account at #bot-commands
I just redid the original mutation to the password list. It was nothing too fancy lol. Not sure why it wasn’t working the first few times I tried it, but it worked when it mattered…. Three hours later….
yeah that module is a slog
The AD enumeration and Attacks is also a slog but its just a crap ton of material to go through. So its a happy slog.
#module: Password Attacks
#Section: Network Services
Man does Crackmapexec just not work I feel like im gonna go insane its gone through the 2 lists 2 times now with no credentials for ssh I need some advice on how to continue because running it a third time I don't think is gonna make it work
What other services are running? Attacking ssh takes a long time, why not try another service
I didnt know you could do that
I thought that it would stop both processes
if I tried "attacking" the target with so many
at a time
I mean you could end up dosing the target if you were going like absolutely ham
alright thanks I'm definitely gonna do that then
can I use crackmapexec or would I have to use
Yeah for that entire module just try other services, rarely should you ever attack ssh directly
If I remember correctly that module has you use hydra and crack map
hydra wont work with smb if I remember correctly but crackmap will
Yeah it does but I guess im asking there wont be any issues
if I lets say used crackmap for 3 different services at a time
like rdp winrm and smb
depends on the device, if it can handle the traffic
Okay gotcha
a server can obviously handle more traffic than an end device
I guess I was wondering if the program would allow it yk
I dont see why not
Hey guys, I need some help on the 'File Transfers' Module. I'm in the first section 'Windows File Transfer Methods'. I'm having trouble with the 2nd question in the assessment. It's asking me to RDP to the box and the credentials have been provided. How can I RDP into the box? I have tried ssh and smbclient and I haven't been successful.
RDP is a Windows protocol so you'd have to access it via port 3389 using an RDP tool. So xfreerdp, or my preferred being Remmina
Thanks for your help!
Dumb question. Why am I not able to authenticate with Impacket.
I know I am missing something super obvious
but I don't know what
I remember that one kinda just working
I remember because I was trying to figure out how to leverage some other user then I realized they kinda give it to you
which page of the module is that
Active Directory Enumeration and Attacks - Privileged Access
This is what the module tells me to do
sup
yup that should just be a connect and follow instructions one, I remember because they have you look up some user who also has PS access or some crap and I thought we had to leverage our way to his account then do the msql stuff
turned out "oh I suck at reading" and was done in 2 mins
looks like youre trying it directly and not from/through the jumpbox
yup that'll do it idk why I didnt see that
jumpbox??
have to remember you're on the 10 network
never heard that term
pivot host if you prefer
Ok
ssh to the 10 ip then attack from that host or set up a pivot
A jump server, jump host or jump box is a system on a network used to access and manage devices in a separate security zone. A jump server is a hardened and monitored device that spans two dissimilar security zones and provides a controlled means of access between them. The most common example is managing a host in a DMZ from trusted networks or...
ironically if you 'tunneled' your vision, youd not have a problem 😛
I figured out why I've wasted hours on the network services portion of password cracking
crackmapexec doesn't always print out Pwn3d on success
and that's what I've been grepping for this whole time 🥲
it only prints Pwn3d if it detects it to be a local admin 🙂
Could I have some more explanation on this 😅
So they tell you to ssh to that 10 ip right?
when you spawn the target the target it gives you is the pivot
thats the attack box they have setup within the target network
you can attack from either that box
usually setup with the tools you already need on there
or just use it as a pivot and proxychain your way in
SO run my tools in the windows machine I've RDP'd to??
theres usually also a linux host for Linux relevant sections
or you create a tunnel
good practice to set up a pivot
I was able to get a netsh pivot working on the machines in this module too
I got it : )
I haven't finished the pivoting, tunneling and port forwarding modules yet
are you just yoloing whatever module you feel like at the time lol?
unironically yes
¯\_(ツ)_/¯
Lol The AD enum module is a slog too
idk if its just me but for what ever reason my remote vm keep on kicking me out
@thorn urchin How far are you in the pathway anyways?
70~%
Are you able to solve easy boxes on htb yet? it still seems to be crazy hard for me
I've solved some in the past, but I haven't tackled any since doing the path, not a priority to me.
most boxes are just X random web vuln, chain to Y random web vuln to get user, then random BS go for root.
yeah the red pandas (recently retired) the user wasn't too bad but after that it was a nightmare. Watching Ippsec's video on it was like how in the hell
Red panda was the most recent one I did, but never got around to root
I dont think the cpts pathway has material that woulda been relevant for the root path on that one tbh
I am about 24% done. It's taking me a lot longer to go through all the modules than I thought, but the material is very good so I'm not complaining.
just finished that broken authentication module...damn that was rough...finishing the skills assessment is a morale booster haha
I am at a loss now for https://academy.hackthebox.com/module/143/section/1508
I can create the ticket without issue but I can't psexec with the created golden ticket
@thorn urchin Did you have any trouble with Attacking Domain Trusts - Child -> Parent Trusts - from Linux ?
no was a pretty straightforward one for me
I figured it out I just said screw it and copied and pasted their commands and it worked. Meaning ive been fat fingering something this entire time
How did you get secretsdump.py to use your ticket?
I've tried -k and -no-pass but it doesnt work
yup
Am I just not doing the command correctly?|| secretsdump.py logistics.inlanefreight.local/paste@172.16.5.5 -just-dc-user INLANEFREIGHT/bross -k ||
looks good to me, noticing my notes for the section doesnt have secretsdump for it though,
How did you get the ntlm hash then?
my notes doesn't actually have the end section assessment so idk lol im loading the module back up now
im banging my head against this atm lol
idk how to get it to dump using the method they want us to use
im starting to wonder if maybe the ticket i generated isnt good after all
Double checked my ticket I can get C drive access I just cant get it to dump
not sure what im missing
@thorn urchin I got it, was not able to get it via the kerberos ticket though
okay just went through it
you need to have your created user @ the FQDN of the dc controller, not just @rustic sage
and secretsdump will get it just fine
so inlanefreight.local?
hmm still failing on me
oh its also still logistics.inlanefreight.local/fakeuser
rip
still not working for me
I was able to get it via the hash method
but not via the ticket
yeah it suddenly stopped working for me even running the exact same working command within the same session
I think its just temperamental
whats the hash method
so using || the raisechild.py it spits out the administrator ntlm you can pass that hash and it will work ||
weird, reset it, now im getting invalid checksum
the manual method worked for me again after I regenerated a new ccache file
also it says you can use a fake user but I cant help but wonder if itd be more stable if you used a real username on the child domain since the error message is about not being able to find the spn
annnd it finally worked
regenerated it and it worked
idk Im done for the night this shit drove me batty
Going to write this down though as im not doing it again in the skills assessment
no spoilers but I wouldnt stress too much about it
but yeah regenning the ccache if its giving you errors is def note worthy
im glad cpts is a week long as i'll end up going through the modules to brainstorm
definitely wont hurt I imagine
Ive considered doing a blind run of all the skills assessment after I finished but that may be too tedious. gunna do the dante prolab though as extra prep for sure.
same that and do a few boxes too
If someone has an answer to this, please @ me so I don't miss your response when I check back in later. **Has anyone had success proxying Metasploit through Burp/Zap?** I tried using msf through proxychains, I tried setting the proxy within metasploit. No matter what I tried it never got intercepted by Burp or Zap.
In previous exercises I did get some things to work through proxychains (like curl), but just never Metasploit. Thanks
Ive not had issues with either method
Thanks. In the /etc/proxychains.conf file, do you add those HTTP and HTTPS lines, for port 8080? Or are you doing anything different
I’m gonna try and do the boxes they recommend that are also on TJ Null’s OSCP prep list (minus BOF). Figured that would aid in prep for both certs. Dante’s Pro Lab is going to be my graduation event before doing the CPTS too. I’d rather over prepare than have to go through another week of the exam.
There’s a lot of overlapping boxes at the end of modules and TJ’s list
anyone done with the Attacking Common Services - medium skill assessment? I'm stuck.
I found the 2nd ftp service got username s---- and tried brute forcing both ftp services and pop3 service using the provided pass list and s---- username and am not getting any hits.
If any one can provide more insight.
Hey, can anybody help with Information Gathering Web Edition - Active Infrastructure Identification? I think I may have a DNS issue.
gotta add the host to your /etc/hosts file
@thorn urchin I've added inlanefreight.local as the IP was provided at the start of the exercise and I can enumerate that host with no issues, I can't work out a way to find the dev.inlanefreight and app.inlanefreight IP addresses though
Did you add dev.inlanefreight.local and app.inlanefreight.local to your /etc/hosts? or just inlanefreight.local
@rustic sage
just inlanefreight.local @rustic sage
Can you give a hint on how to enumerate for the IPs of the subdomains? All methods previously taught don't work
you have to add the subdomain as well to /etc/hosts
^^
you’re trying to enter a domain and your computer has no idea how to resolve it. You have to add subdomains to the /etc/hosts file as well before you can ping/reach them
@thorn urchin @rustic sage I add them under the same IP? This is a learning for me
you can add multiple lines or add them on the same line either works
<ip> inlanefreight.local dev.inlanefreight.local app.inlanefreight.local
OR
<ip> inlanefreight.local
<ip> dev.inlanefreight.local
<ip> app.inlanefreight.local
I always do multiple lines because I find it easier just to echo 'ip domain' | sudo tee -a /etc/hosts
and you will need to do that for every subdomain/VHOST you find or else you won’t be able to reach it
not sure if this is needed, but you should install it through pipx
sudo python3 -m pip install pipx
sudo pipx install crackmapexec
You won't compile it without first installing rust
on the AD Enum course, whats the 'right' way for interacting with the target network?
the attacker linux host provided seems to be missing some stuff, like trying to run kerbrute. is the right way for the lab to just try and install tools/dependencies on the box, or should i be trying to tunnel through?
Hey everyone, I'm blocked in Web Service & API Fundamentals. I don't understand the meaning of the question "If you should think of the operation object in WSDL as a programming concept, which of the following is closer in terms of the provided functionality?" Can someone help me? I'm sorry for my bad English, it's not my native language
bro i like your font color can you tell me the Hex code of your font color
On the ZAP scanner question, i could run the scanner but found no high level vulnerability. Any help please:)
Having an issue with this too
If I can get a prod into the right direction it'd be appreciated!
I am looking for help with the footprinting module for IMAP I am going through the list from hacktricks and not finding any messages.
Hello, I'm on the Htb academy. I'm doing the module: Web Request.
I'm on the GET section. & I was doing the instance, and I tried to do a search for the flag but the new request didn't pop up. Can someone explain to me what I did wrong?
Hi, I'm also on that section. Did you ever find help for that part?
okay hackthebox in my opinion so far after purchasing is honestly terrible. When I read a module, I learn a few things. But then the question it's asking is completely different to what I've just read. I'm currently on "Working with web services" and its asking me to use npm, a command I've never even seen before. How am I supposed to know what to do if I'm not taught anything about what the question is asking?
I don't mean to come off as a being rude or anything, I'm genuinely curious as to how other people do it.
Most people google to get an idea and if they struggle they ask further questions in here
you're not always going to be given the answer that goes for anything... You've been taught to read man pages and to do outside research. If you cannot do that this really isn't the field for you. You will need to always be constantly learning and reading new tools, man pages, and new attacks.
The questions for the modules aren't always "repeat what you learned above." Sometimes they are, but they are also there to challenge you and get you in the mindset for what you'll be doing in this field.
Yeah I googled, but I was getting a ton of different answers and HTB tends to only like specific answers
Say you're doing a pentest for someone and you see some sort of service that you're unfamiliar with. How are you going to figure out how to move forward and test that?
There wont always be a do X. Sometimes we gotta google around and try to figure it out and work from there
that's the pwnbox
for that section the first time i manually found and exploited the vuln, after that i did try to use the zap scan again but i would say it only worked half of the time for me, so try restarting the target machine and scan again
Anyone?
that look like one of the networking module which module and section are you on?
My advice is instead of saying how the platform is awful and doesn't teach you what you're being asked, try telling us what you tried, what went wrong, where you're struggling so you can get a nudge in the right direction @woeful karma. Not just "I'm never taught this, this module is terrible"
I was reading the man pages. npm is a package manager as I'm sure you're aware, but the question was asking to start a HTTP server via npm. Okay now as I'm writing this... I've just realised I didn't even think of googling "npm http server"... wow today is just strange. I'm just not functioning at all for some reason.
Anyway, ty :)
Can you tell me what I did wrong?
hint ||Authorization||
Wait, I don't want an answer to the question. I'm in the Network tab of the inspection. But whenever I search "flag" new requests don't pop up. Is there something wrong w my steps? Did I skip something?
Make sure to always do external research (and that doesn't mean looking at the forums or reddit for the answer), try different solutions and see what you're given. If you're still stuck ask for a nudge in a DM so no spoilers are given. Make sure to tell whoever is helping you what you tried, what you're thinking, and where you're struggling.
i would say the htb academy for a 100% complete beginner you do need some skill, like googling for tools and how some basic stuff works, but a module isn't and can't teach you every single thing about a tool, exploit or attack, so you still have to google a lot of them
yeah someone needs to pin this
Yeah I know. I literally don't even know why I'm asking about this here... I've been doing IT-related things for years but today it's like I've just forgotten everything I've ever learned
if you don't want spoilers then the short answer is yes, you did skip something in the section
Got it thanks!
Had a small typo aha ^^;
Also finishing a module isn't the end. You should go back and make sure you understand the tool, what you were taught, and why the command gave you such output in the first place. I can't express enough how important it is to understand the tool you're using and what it is doing behind the scenes to feed you that output
I'm sorry. You didn't spoil anything for me. I couldn't even read what you sent besides "hint" but I didn't understand your hint. I'm still confused...
oh that hint was just pointing you to the thing you missed
and if you're doing a job path such as the CBBH or CPTS, it's even more important because you really do need notes and need to understand what the tool is doing before you use it actively
anyone on that knows the IMAP, I found the mail folder that i think i should be in and can see that one email exists but can't open it.
never mind got it
I always make little notes on flags and stuff a tool can do
Then I use the hell out of it
And try to test the limits of it
lol i think i found a later flag i wasn't supposed to find yet in this box
module like that one i think use the same target machine for multiple section so there is a chance that will happen
Happens quite a lot. Make a note. You'll probably need it in 10 mins time 😉
Ok, so what did I miss? 😵💫
||header||
i mean on the section
Can I message you what I'm doing?
sure
Why does ssh take so much longer to brute force vs any other network service
It's deliberate. Specifically... for linux boxes at least... PAM imposes a delay on failure to stop you brute-forcing too fast.
... possibly the question should be 'why don't all the other network services enforce an arbitrary delay on password failure?' 😉
hello
hey in Firewall and IDS/IPS Evasion - Hard Lab you have to find the service in UDP or TCP Scan? and which service do you have to find?
the service
run both and see what comes up🤷♂️ enumerate the services found and see what they give you!
I have already done it and when trying to put the answer got the following message: Incorrect answer
remove that so no spoilers are leaked
you can dm me and I'll tell you if you're submitting the right flag or not
ok sorry
you'll probably have more luck asking in #cwes
kk thank you
Send me a DM and a screenshot of where you are stuck
I messaged you already.
what does class 8 mean
give both of this video a check to get started
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
oh okay
k
yeah check out mah boi 0xyaoi
His videos can get you started pretty quick
does your school have its own email
address or whatever
oh thanks
yupp
because you can use that to get a pretty hefty discount on the academy
modules 0-2
for about 8$ a month
i wanted to ask
where we can find his videos
on youtube @vital adder just sent a few
here
oh thanks
yep good luck hacking, feel free to ask questions here when you're stuck, there's plenty of people willing to help
I can help with a few im not that far in tho
Hello people.... how are you today, God bless you!
i will be with god soon so thanks
You alright?
just a little brain damage
no escape for you. i need your hints
The server would definitely collapse without the helpful squirrel
Good luck on your journey 😁
💀
Can anyone help or give me a little hint. I'm on the Password Attacks hard lab. I already have the vhd file but I can't find a way to read it, I already have the password. I tried guestmount, I tried to open it on my Windows host machine (not proud, but I read that it was a way, but no). Almost done with this interesting module hahaha, any help would be appreciated.
Can't guarantee, but this might help https://www.sapien.com/forums/viewtopic.php?t=9805
Please find the unique malware in this windows 10 iso file.
Hi. I'm trying to finish the footprinting medium lab. I got the sa:password from the txt file. I can't seem to get past the sql login. I tried to log in with sa and Administrator but no luck. I also tried to remote in with sa as user as well as Administrator but no luck with that either. All I can do is remote in with Alex. I'd appreciate any help. Thanks.
You're on the right track, || are there any other accounts you can log in to? ||
@hasty temple dont share users and passwords here
Hey thanks for the help
I am targeted by a hacker group. They altered the iso file that I downloaded from microsoft's website.
I am %99 sure that this iso file has a unique undetected RAT malware
@west rampart @languid dawn @sharp cove I think this falls under your purview?
@rustic sage We're not downloading any weird iso files
@rustic sage Please read the rules of the Server. Thanks
Thanks!
@rustic sage also not the right channel for it even if it were allowed. also also, unique undetected malware is actually pretty common. Even basic stuff that's written by amateurs automatically becomes unique and will evade half of AV. Doesn't take a whole lot of effort to make it bypass the rest. Not that special.
Linux Fundamentals, section Working with Web Services, first question - there are multiple http frameworks/servers - which one should i use?
yes but in npm are more than one
I think you're overthinking this
think " I have zero linux knowledge" and go from there
No idea but I just used another method.
🤷♂️
what is what is shown on the page?
answers for 95% of the module questions are listed in the module
the other 5% involve smashing your head on the keyboard
You’re not kidding
just wait till you actually come across a bug in the module its the worst lol
yeah theyre not many but theyre painful
but also working around RL bugs and faulty documentation is true to life
yup, apparently the bug in the pivot module was fixed or at least was working now according to MrTom
Hello there, I'm currently giving the linux fundamentals a go, and I'm at this point where I get this error and I'm not sure why. I'd love to know what I'm doing wrong.
mv: cannot move 'info.txt' to 'Storage/': Not a directory
I thought that the Storage/local/user were directories, do I need to specify the full path to Storage?
is storage in your current directory?
I'm further in the tree of it.
if you're deeper, then you need to move up with ..
the way you currently have it you want it to move into a directory called storage within your current directory
got it. So if I wanted to move it, then I should navigate to storage and execute something like, mv /local/user/info.txt /Storage
If the info.txt is in your current directory you could just do mv ./info.txt /storage
way easier than specifying the entire directory, but if its not then you need to specify the entire path
For example if I wanted user.txt from johns directory and put it in my own home directory id do something like mv /user/john/user.txt ~/
Anyone free for a nudge on Command Injection Skills Assessment?
Anyone finish with the footprinting module. DNS section. I'm having trouble with the last question
could I dm someone about MSSQL?
you can dm me
PassAttack - PtH I'm a little confused. David doesn't seem to have permissions on the SMB share on the Domain Controller, at least according to this but he can authenticate:
You can mount .vhd files in Windows as one option (in Hyper-V), or otherwise extract it with 7zip or other tools
yeah authentication is different from the share permissions
cause you can have permission for some shares but not others, authentication is separate.
So, I have to take it upon myself to "give him permission"?
Can a local Administrator even do that remotely?
maybe I dont remember that section very well
I usually only save notes about the module and the end full skill assessment, I dont often write notes for the section by section tests
@thorn urchin hei i need ur help
busy atm but ask away and maybe ill have something or someone else can chime in
Ok no problem
hello
at the module file inclusion in section automated scanning, should this command work as explained in the example with the spawned webpage?
xy@htb[/htb]$ curl http://<SERVER_IP>:<PORT>/index.php?language=../../../../etc/apache2/apache2.conf
...SNIP...
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
...SNIP...
yo i got root but could u explain to me (in dm if u want) why or how that works
im a bit confused how this privilege escalation works
hey everyone. I am currently doing Bash Scripting, section Flow Control and I am having trouble with my script
if anyone could help id appreciate it
Heya. I've gotta dash... but I got bitten on this module last night. If you're pretty sure you've got it right and it should be working... I think there's a problem in this module. If you're using something like: ${#variable} to get the length to set your salt (as you're taught in the Arithmetic section) ... it won't work. If you use the earlier method (echo $variable | wc -c)... then it'll appear to work. Technically... the latter method is wrong, as it also counts a newline, so it's off by one.
Sorry if that's too cryptic, but I'm outta time. I'll be back around tomorrow at some point if you're still in trouble 😉
somebody knows if there will come azure or aws modules?
can i DM you...would appreciate some help with the file inclusion automated scanning stuff....?
Hi everyone, I need a little nudge for the Password Attacks > Mutations module. I downloaded the resources and created a password list, using the provided rules. Resulting list is 90k+ strings. As expected, bruteforcing SSH is slow (up to 30 tries per minute), which means that either I can have a luck, or wait for tens of hours. Is there anything I might have missed?
its much faster to brute against the ftp service than the ssh service. Yes I know it tells you to do it against the ssh service but its a dumb module
it will still take ages however
Thank you! Indeed, the module is a bit odd.
can someone help me at the nmap scanning module HTB at medium lab i've been stuck over a week
it's so hard lool
for me *
Firewall and IDS/IPS Evasion - Medium Lab
@thorn urchin Can you shoot me a tiny nudge for the AD Skills assessment? I got a meterpreter foothold on the webshell machine and I was able to dump the admin hashes but I cant crack the admin password. I've tried getting Domain spray on it but I cant import the module at all
you can DM me if you want.
the webshell machine? you should already have admin privs for that dont need to dump or anything on it
go back to the basics and what every AD tester's favorite thing to run once on an AD network is.
yep feel free to DM 🙂
Wait you can rdp with the webshell password?
I dont believe so, where ya getting rdp from?
I'm so lost on this module, the most I can get is the initial foothold from the webshell to a reverse shell
cant import active directory
on either a nc shell or metasploit
dont really need to, the webshell is already a shell
For Getting Started: Privilege Escalation
I have made a copy of the file but I am having trouble getting wget to transfer the file:
user2: python3 -m http.server 8000
attacker: wget http://138.68.191.22:8000/file
Helloooo I require some help again, this time I am stuck on Web Information Gathering - Active Subdomain Enumeration. Can anyone please DM?
I have added the host to /etc/hosts and can ping it with it returning the IP address but I can't perform an nslookup on it to complete the first challenge.
you need to select the target as the dns server for nslookup
otherwise its just gunna go off your system dns which isnt going to know anything about the domain
How the heck did you manage to get a set of working credentials then? You cant Kerberoast without valid credentials on the network. I've been trying to figure out how to find a user hash to dump
Administrators failed when I tried rockyou against it
thats not the only possible valid criteria for kerberoasting
you dont need to go after the webhost administrator at all
forget it even exists
Id just like to get a working version of powershell
I figured out what wasnt working with meterpreters for importing modules then it broke when giving output lol
I didnt bother
i know im supposed to enumerate the AD but nothing seems to be working for me on that front lol
I did what I needed to get the kerberoast going, and then switched to a chisel pivot once I had network creds
anyone please?
you sure that youre using the right IP address, and that user2 has the file youre trying to transfer in the same directory youre running the python listener on? what error are you getting?
it will just keep attempting to connect
any output on your listener side?
can you not put screenshots in here?
im using snippet tool and I cant paste it
thats unfortunate
user2@gettingstartedprivesc-500761-74ddd8d999-phxrs:/tmp$ python3 -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
wget http://138.68.191.22:8000/id_rsa
--2022-11-30 23:49:35-- http://138.68.191.22:8000/id_rsa
Connecting to 138.68.191.22:8000...
and youre sure thats the right ip
so i checked ifconfig and I see its a completely diff ip
I changed it and nothing happened still
im so lost... why is the IP that spawns completely different internally?
this should be an easy transfer, use the key and get root
it shouldnt be, I have no idea what rabbit hole youve gone down
could be a firewall block too
I managed to extract the img file from the vhd file; I'm getting the files with and without adding the password on the 7zip command. Is this the right way to get these two files? Thanks
im just gonna start everything from scratch
use the ip for the vpn, probably under tun0 when you ifconfig. I think it should be something like 10.10.x.x
Can you elaborate a bit more? In regards to transferring the file?
in your wget command, use that ip
wait never mind I see you are trying to transfer off the victim machine, not to it. Forget what I said
Correct
also its just an id_rsa key, Id just cat it and copy paste it
What percentage of CBBH path is covered under CPTS path?
Can someone help me out with the Documentation and Reporting lab? Honestly have no clue how to move forward. I found lab_adm hash but haven't been able to crack it and not even sure if I'm on the right path. Thought this was supposed to be an easy module 😩 please help
Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What is this user's account name? tried with responder but I don't think this is the way
More than half. I'm 87% through CPTS and 54% through CBBH
gotta enumerate the acls
Hi all! I am a mathematician who's always had an interest in computers and after doing cryptography in uni I decided cybersec is the pathway I want to go. Can you recommend the first training course I can do to get my feet wet in hacking and start to figure out which field best suits my talents and interests, thanks guys 😄
Different powershell versions maybe?
There are 11 modules that are shared between the two
i checked, they weren't that far apart. Both within v5.x
no clue meng
Last idea, Is there no content in the file lsass.dmp ?
I'll have to check tomorrow but it's likely. Another process (convert.b64) similar returned '0'.
Not sure if 'exit 0' or '0 bytes'
I'm still pretty new to Powershell
Just saying that made me realize...
I must be mentally defective...

why would an error 'exit 0 '? Lol
nvm
Found the user, bloodhound was not working lost 35 minutes fixing, but no way the creds, do I need to change something?
can you help me out with this please? I'm at the same spot and not even sure if it is the correct approach
Can anyone help with the hashcat module question? Crack the following hash: 978078e7845f2fb2e20399d9e80475bc1c275e06 using the mask ?d?s. I have been using the command line hashcat -a 7 -m 190 hybridhash -1 01 '?d?s' /usr/share/wordlists/rockyou.txt I have tested the hashcat modes 100,4500,6000,190 and I keep getting an exhausted error.
have you tried ||running responder?||
My approach was not the correct approach 🙂
I might be able to help, whats up?
sure you can dm me if you still have question but basically some one put the ||root key|| there this is a ctf thing
sorry for not pinging this this was meant for you
did you ever get the script to work that was in the lesson? I went || URLencoded base64 for each parameter|| is that what you did? just want to make sure i didnt go the LONG way...
Wow ok. So then if I do both learning paths the two paths benefit each other and build on each other?
Yeah, but its not a POST request like the module, watch it in BURP. I also got it to work in intruder in BURP
For sure! They recommend CBBH first, either way would benefit the other I would imagine. https://www.youtube.com/watch?v=wwmCHeYd1I4
ahhh...yea you're right....i completed it through burp, but was playing around trying to figure out the script
thanks man
NP, DM me if you need to see the script
Anyone completed the DNS Enumeration Using Python (module 27 section 439)?
It asks me to perform a zone transfer against the target but what I get for dig axfr inlanefreight.htb @10.129.184.188 is "Transfer failed." Any idea how to resolve this?
so I want to run kerbrute against a network, but i dont want to have to constantly rebuild tools for the attack VM in the AD module. is there any reason why i couldnt create an ssh tunnel from my kali VM to the parrot attack box, and run the tool from my own VM?
Good morning from Spain! I've been struggling with the live engagement (shells and payloads), I have the aspx web shell but can't navigate through the directories 😦 😦 any hint would be appreciated!!
@rich vale try to use vpn
semi-related question, but has anyone had issues with kerbrute not actually writing output to a file? creates the file, but file is empty
Hi guys,
I am stuck at the "RDP and SOCKS Tunneling with SocksOverRDP" task. I cannot apply the technique in this task because Jason's machine is on a different IP network: 172.16.6.155
While the pivot point (htb-student) has 2 IP networks: (10.129.42.198 & 172.16.5.155). I also found out there is another machine, 172.16.5.19, and I suppose this machine can connect to Jason's machine
But I am stuck on how to get the credentials of machine 172.16.5.19?
hint: there are ||3|| machines in that lab, the info for the second one is in the section
the creds are in the module brief. if it helps they be green.
good luck getting it to connect to 5.19 tho. lol. i still havent found success.
yes I know there are 3 machines. But I don't know how to get the credentials for the second machine
So how can you finish the lab? Because htb-student is not on the same network as Jason's machine
its written pretty clearly in the module but... you need the 5.19 machine to connect to 6.155. there is another component you must use on the 6.155 machine that connects back to you.
i just tried this on the pwnbox and it's working fine for me, so if you are doing it on your machine you shouldn't have to do this, but try adding that to your hosts file
How can I get the credentials of machine 5.19? Or do I have to reuse the credentials of machine 5.19 from the previous labs?
If this is the one I’m thinking of, you need to dump the creds and find the logonpasswords, then make sure there is a route to the other network from the pivot point.
my dude. read the module. they give them to you. they are green.
wrong module. im doing the same one as him as we speak. he just isnt reading the brief.
oh shiet = = It's like I'm covered by someone... Ok I got it
thank you ^^
Ah. Well, remember that for later lol.
if you are in a web shell you can't change directory but you will still have access to other directories
thank you my dude.
im done. dead easy this one once 5.19 is working.
Stuck also two days with it. Solved by using same method in the first question but changing user and using grep for powershell solves it
Yea but what IP address should i add it in the host file as? Because the assignment makes it seem like the site is different to the target
just use the target ip for that
i didn't have to do that on the pwnbox but just for sure try that
i will try to do that on the pwnbox as you did cause HTB has issues time to time ... thanks a bunch
Hi guys, I need some help with Windows Privilege Escalation - DnsAdmins. I have used the technique to escalate, and I am part of the domain admins group:
Local Group Memberships      *DnsAdmins            *Remote Desktop Users
Global Group memberships     *Domain Admins        *Domain Users
However, I still get an access denied error when trying to read the flag or access the Administrator directory, even from an administrator powershell console.
Edit: solved. Simply log out and log back in.
in that section for me i ended up making the dll payload run a different rev shell file and that gives me authority system, but if you want to do the intended way try restarting the target (with shutdown -l)
Having a little trouble setting up proxy chains
I keep getting this error:
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
error: invalid item in proxylist section: https 127.0.0.1 8080
My understanding is that it wants us using that, but just not quite understanding why its not functioning correctly
🙂
❤️
Guess the module needs to be edited or I just need to read better lol
To use proxychains, we first have to edit /etc/proxychains.conf, comment the final line and add the following two lines at the end of it:
Ty. Solved it.
can anyone that has completed Broken Authentication help me?
sure what's the issue?
i'm clueless in the skill assessment, but i dont want to spoil it, so can i dm you? @vital adder
sure
thanks 🙂
Guys I am new here and I am having trouble connecting to the VPN can anyone help?
Anyone around that's finished the AD Enumeration & Attack module? I've been stuck on final assessment I Q4 for about 10 hours now and while the failing has been useful I'm spinning my wheels a bit here and think I could use a hint.
How do you actually use searchsploit properly? I just got to it in the "Getting Started" Module and I'm supposed to look for "Simple Backup Plugin 2.7.10 for WordPress". Of course, you can find it on google, but the same search doesn't output any results on searchsploit. The help command wasn't very useful either
searchsploit Simple Backup
i have a result.
google ultimately is your best friend tho. exploit-db will likely come up with some code.
What search terms have you tried? Like Baka just said, try using a subset of the string and if you need fewer results narrow it as you go. Once you've found the one you need you can run it with -m to mirror (copy) the exploit to the local directory or -x to examine it in a pager
Wrong one, sadly.
which module is this?
copy uRL of the question youre on.
Well there are no results. This is not a question of finding the right exploit, I found that already and the solution. It's a question of using searchsploit to get to the exploit I'm looking for
try running searchsploit -u to update the local db?
As I said, I have already solved the question, but not through using searchsploit, because it didn't output the result I needed no matter the input
And I kind of wanted to understand if it was a me issue or a searchsploit issue
i think the purpose of this module was simply to teach you to use google. I think i did this using another method.
I see, thank you both then! 😄
could someone help me in the USING WEB PROXIES module - Skill Assessment?
which question tho? its been a WHILE so i might need a minute or 30 to remember.......
meh, dm me if needed. im gonna continue with other stuff til then.
Footprinting Easy - can someone DM me how you would have found the creds without the hint? It says not to brute force, so stuff like medusa and ncrack would be off the table
AD Enumeration & Attacks - Skills Assessment Part II
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Can someone help me?
Just for my sanity...nobody knows all of the terminology in AD off the bat right? Like I'm not the only person who'll still be searching this in the future??^^;
not all, but in https://academy.hackthebox.com/module/complete/74 u learn a lot
I'm on it now, but it's a LOT to take on
Pace yourself. Itll start making more sense as you continue to practice, read and complete challenge questions.
yeah, I have to rego over it anyway
Saving up for the next module gives me time to study
intro to ad section structure last question - what's the answer?
I have a question about the root indicator I don't understand that part in the first machine.
I understand jejjee
ok for Footprinting Easy i figured out where to get the password from without the hint. it just takes a while the way I did it. I would still love for people to DM me how they found it without the hint so I can add that to my notes.
no one is just gonna give you the answer... for nothing else other than youll only be lying to yourself that you "did" it.
Give us the URL for that question set so people can see what youre on about
nvm found it
anyone could give a nudge for deserialization skill assessment 2? thanks.
Still needing helo
Help*
can't connect to intro to ad - ad administration 1
Anyone for footprinting module ?
footprinting is an awful module.
feel free to DM me
Having this issue too, is there a specific format??
can someone help me, i am very new to all of this...... it keeps saying: Firefox is configured to use a proxy server that is refusing connections. so now i cant use firefox and i tried everything already.
Try using another browser-
Chrome/Brave?
yes
no i use the one on the site that runs it for you
And when you press start instance it just comes up with an error?
Find a moderator and send them a recording/screenshot id suggest
suggestion: Dont use your main browser for proxying. Just use the built in browser on burp. easier.
how do i do that?
where can i find that?
i am very very new to all this
Are you using a windows computer?
no macbook
i am learning linux from this guy on youtube ( networkchuck ) and he shows that i need to install all kinds of stuff so i need to use the firefox browser but i cant because it keeps saying the same thing
already did...
does your proxy setting look like this?
no
make it look like that.
Macbook screenshot:
Shift + command + 3
(just for future reference 😄 )
there are problems with the academy labs?
which one?
alright i will try, thank you!
AD Enumeration & Attacks - Skills Assessment Part II
give the box 5 mins to start up.
I usually just fully restart the browser or target when that happens
resetting isnt waiting. IF you hold off for 5 mins on pressing spawn youll likely be able to ping.
more than 5 :/
browser reset also valid.
do what peacekeeper suggested.
check that you havent left a connection open to a previous box too.
i do that ._.
o-o
Hmmmm
i am getting ping responses on that box fyi
/still nothing
let me ask.. . are you connected to the VPN?
What browsers have you tried?
take screenshots to show us whats happening. or we cant help
interesting...... try connecting your physical box to the vpn and send ping. or terminate the pwnbox session and make a new one?
Did any one complete the footprinting Easy lab without the hint? I would like to compare notes to see if we did it the same way
i terminate and open 4 times already
@frigid mica
ill try from my kali laptop
Kali my beloved
yeah i know but i dont know how to send it in here
So it should be saved to your desktop, rename it if you'd like.
Press the plus next to your message input, browse to the image and send it here ^^
i dont have the option send image
In here?
I'll give it a try. Thanks!
you need to verify first use ++verify at #bot-commands
^^^^^
it's "possible" to do that without the hint. i did check that the cred is in some of the wordlists and you can blindly brute force with some random wordlist and if lucky get a hit, but i think the intended way is to do it with the hint
which question? the same one i have before?
hi @frigid mica mind explaining your issue again?
solved. anyone need help, feel free to dm.
That’s what I did I used rock you and then took a shower, then I used a list from seclists and found it in 5 min
I’m curious though how it would be in the exam
oh wait i did only check if the cred was there i didn't check the cred location so it's that fast
also htb always use the ||names.txt|| so a good guess for the username wordlist should be that and of course rock you
If that’s to me, you get the cred from NMAP
Also I’m new to discord how do I black out text
oh that's the spoiler tag you can use ||sus|| to ||sus||
Ok sweet ||Test||
p3ta@kali ~/H/A/footprinting> ||hydra -l ceil -P /usr/share/wordlists/seclists/Passwords/darkweb2017-top10.txt 10.129.74.82 -s 2121 ftp -vv||
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-01 07:07:58
[DATA] max 11 tasks per 1 server, overall 11 tasks, 11 login tries (l:1/p:11), ~1 try per task
[DATA] attacking ftp://10.129.74.82:2121/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[2121][ftp] host: 10.129.74.82 login: ||ceil password: qwer1234||
[STATUS] attack finished for 10.129.74.82 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-12-01 07:08:11
This was how I did it after I found the cred with ||NMAP||
Someone can help with this?
The word list didn’t have it in though I added it to it after I found it in rock you, I forgot to copy my notes and didn’t want to run it again
did you manage to find the plaintext password for admin?
sure
I'm stuck on the pivot to MS01 in the first skills assessment either of you gents willing to DM me a hint?
although spoiler tag pls, don't post any creds. also the shortest password wordlist i can find that has the right password is the ||darkweb2017-top1000.txt|| one. also for the username, if you want to do this completely without the hint (so no username), the only username wordlist i can find that has the right one is ||names.txt||, also in seclists
the pivoting module or the ad module?
AD enum and Attack
oh i haven't done that so can't help
NP, there were two gents just above talking about the second final assessment so hoping to hop in
Enumerate the target and find a vHost that contains flag No. 1. Submit the flag value as your answer (in the format HTB{DATA}). Is the namelist.txt on seclists the right wordlist? No matter how I change the ffuf command I get no results
How can you get mimikatz output from a rev shell?
I got the ticket I want to extract in memory but I can't get my rev shell to run mimikatz or any powerview module
which module and section are you on?
Information Gathering - Web Edition - Virtual Hosts
have you tried redirecting output to a file?
you can use log for that
ooo thats a good idea how do you do that?
If you want I can send you the command on your dm
yep the namelist.txt is the right wordlist and i was able to find all of the subdomains for that section in one gobuster run
ffuf should work the same
sure, i can help you troubleshoot if you still need it, but i got some stuff right now, i think i'll be free in like 30 min
I will send it to you and try here again. If I get something I'll send you another message
mimikatz.exe privilege::debug; log output.txt; sekurlsa::tickets ?
as thats not working for me
Thanks MRtom! I have tried entering the directory of the question but still doesn`t do much 😦
try C:\tools\mimikatz.exe privilege::debug token::elevate "log output.txt" "sekurlsa::tickets" exit
So I got mimikatz to finally work via shell on meterpreter but I guess it dropped the ticket from memory as its unable to find it now
I got it
this has been frustrating as hell but I got it lol
I'm with the live engagement and it seems the laudanum aspx webshell only allows me to see the current directory... I have tried cd \ // and multiple things but no luck yet... any hints!
iirc laudanum doesnt support changing directories, just gotta specify full paths
@thorn urchin laudanum uploads a bat file to execute the commands and then delete it true?
idr
it was something like that, thats why u cant change directories
I write the path provided in the question but I can`t seem to get into the directory to see the files and folders in it
its overall not super uncommon for shells, webshells in particular, to not support directory changing
im on lfi skill assessment. i found the admin log and the access.log but i cant seem to get rce through &cmd=id. i wanna try to change the payload to not need the &cmd=COMMAND and just execute whatever i put into the php script but idk how to write it out
I had a lot of issue with that one using the curl command for you know what. Much easier to use the burp method instead
i dont have burp suite
also just in case, the access.log isnt a real log file, gotta find the real one.
yes you do, community edition is free
i dont really wanna spend time learning burp suite right now, i just wanna get the thing done and move on to another module
well good luck then because I tried exhaustively to bypass the intended route of the module and wasnt able to, so log injection was needed and the curl method kept failing outright.
oh well
only thing I didnt try was one of the automated tools, so you can try that or you can start learning the basics of burp
I imagine zap would work too if youre more familiar with that
Having an issue with AD enumeration and attacks - skills assessment part 1
so should the php code be <?php system("id"); ?> instead of <?php system($_GET["cmd"]); ?>
either
The web server was working and now it isn't
ok i guess ill just learn burp
10/10 hacker over here, crack the users passwords but forget to write down their username.
woopsies
I've restarted it several times
@thorn urchin have u completed ACTIVE DIRECTORY ENUMERATION & ATTACKS?
yeah
I'm so close too
took like 8 hours on the part 2 assessment lol
help me with the 2 assessment
what are you stuck on
im trying to figure out what user have generic all priv on domain admins
Could you try to start 1 and see if the web server comes up for you?
you run bloodhound
Blood hound
i dont like bloodhound :S
-c all
Bloodhound is one of the most powerful tools in AD hacking so unfortunately gotta live with it
||Get-ObjectAcl -ResolveGUIDs | ? {$_.ObjectDN -eq "CN=Domain Admins,CN=Users,DC=INLANEFREIGHT,DC=LOCAL" -and ($_.ActiveDirectoryRights -Like 'GenericAll')}||
i was trying that :S
you could do it manually but takes longer and harder to parse imo
but yes u are right
i love burp
the three way venn diagram of burp users, web app pentesters, and zap users is just two circles barely tapping each other.
I think you can use bloodhound cmd line if youre really good at cypher queries 😛
no im not xAD
lol im on day 2 of the 1st skills assessment in the AD module
graph based attack tools are cool though imo, one of the few things I dont mind having GUIs for, and I imagine theres more untapped potential for graph based tooling.
yesterday was killing my moral
Could someone check ad assessment 1?
I think youre either cursed, or overcomplicating things by trying to run extra uneccessary shells instead of just using the provided one.
The provided one got hung up alot for me
but being cursed is a true statement with me and computers
they actively break around me
@tranquil carbon ill check ty
its why im good at IT because I am constantly fixing my own computer
wait you can? is this cover in the ad module?
Not at all
Lol
well a little bit about cypher queries, but not running cmdline
Do I want to know what a cypher query is or is it some kind of Eldritch truth?
Someone should make a tui for bloodhound
idk if it officially has support for it, but its all neo4j db, so if youre good with cypher queries you could just connect to the db and run the queries manually.
bloodhound is good but it's so goddamn messy multiple step just for some enum
think sql for neo4j
if you mean gui then that's the default sorry i'm dumb
the more I learn in this field the more I feel like im going to run into some dark eldritch god
tui= terminal user interface. think like ncurses
ohhh
My co workers actively think im crazy for working on this cert lol
or at least I assume thats what they mea
should follow alh4zr3d on twitch then 😉 its not a cult, just an enthusiastic club of cephalopod enthusiasts.
But also ironically his content has been a useful companion in following the cert path.
rip my rev shell died while looking up how to setup a netsh pivot lol
embrace chisel
I couldnt get it to play nice from my box to theirs
I have a separate cloned section of my chisel notes in my obsidian root so its easier to swap to for setup, and added a few additional notes about cross compiling
if I used their compiled version it would work
theirs being from pwnbox
if I compiled it on my kali machine it wouldnt run
Who do I talk to about a broken module
does chisel even work on windows machines?
yes
I used it extensively for this module
clone the repo then
```
GOOS=windows GOARCH=amd64 go build -ldflags="-s -w"
```
all one line
itll generate a stripped slightly compact windows executable version of chisel
Can go build to Android?
I doubt it but maybe
@frigid monolith also yeah just checked myself, was working yesterday but seems its broken today
support chat bubble gone too, I think theyre overall having some issues today
And yes, goarch=arm goos=Linux
@thorn urchin I need your notes on chisel lol
Sucky
its basically just the pivot module section with the added line about cross compiling
ill give it another once over once I get past this module
in the meantime Im trying to figure out how to get from my attack host to the msql host
i am brain farting on how to jump to it atm
did you kerberoast the one account yet?
yeah I got the sql admin password
then next id run the mill of the usuals, smbexec, psexec, wmiexec, winrm, etc.
yeah I need to get chisel working then because netsh is just 1 port vs all of them
so for the windows build you just do go build GOOS=windows GOARCH=amd64 go build -ldflags="-s -w ?
minus the first go build there yeah
the temp env vars basically say "I want a windows x64 binary" and then the ldflags is "shave off a few extra MB of file size"
Is it still working for you? I think I'm doing that same module
yall are
yeah hasnt crashed yet
Better hurry lol
lol i'll be lucky if I can get the sql workstation flag in time
I am not fast at this at all
probably
I forgot to take notes on the first section
much better notes for the significantly lengthier part 2 except I derped and forgot to add any of the host names to the notes, so its more of a catalog of random attacks and creds.
Half my goal with this course is improving my note taking skills lol
I have decent non pc involved note taking skills
but so much of this is cmd line I dont write it out
I wonder if you could just use the initial shell for that
i know how to use burp suite now but the burp browser doesnt load the website
and also it works when I send a text but it filters out php
There's a query box
I wouldnt use the initial shell, I used msfvenom and a rev shell for most of it
in lfi skill assessment
idk fox did it
Duck maybe %00
Just native commands for the initial kerberoast, then chisel and proxy the rest of my attacks.
I used power view
you got powerview to work?
Yeah
dunno what youre doing differently, I used the burp browser for the whole assessment
I couldnt get it to display anything
Gotta import and do it all in one shot
Since it spawns cmds in their own processes
do you still remember the php code you used
the basic cmd variant you already posted
I ended up using a weird mix of a rev shell and msfvenom
|| my metasploit shell let me run mimikatz in cmd and my rev shell let me load the ticket into memory in powershell ||
now one hiccup I did have was that by the time I got to that section my earlier attempts had flooded the access log so the response with the php was getting truncated, I had to reset the box.
Yeah I just did powerview and cracked the ticket
im gonna try to reset the box and try my php payload again
that sounds so much easier
%00 didn't get it
not relevant for that section of the assessment, youre not uploading a shell