#modules
No. sorry. You should go through Instagram Support if you need an account taken down. It would be extremely unethical for anyone to help you even if you had a valid reason. If there's a valid reason to need an account taken down, Instagram Support is the place to go
nvm
hey im sorry, i was sleeping
Hi everyone, I'm stuck on broken authentication module skills assessment, I was able to enumerate 2 users through the message board, I know how to decode the cookie and I know what the password policy is. I tried to brute force to find the credentials of some user but this one blocks me on the 5th attempt. Any hints or recommendations please?
Hi all
i am in MSSQL section and stuck in 2nd question. Actually i know the way and open it but stuck with sql commands. So please let me know.
Thanks
The module teaches you all the commands you'll need to figure it out
hello everyone !!!!
i have recently joined htb nd discord hope we will make great discussions on htb
Expect your support guys!!!!!
@fathom pendant i get the commands but not working. so that's why i am not sure is my commands wrong or some problem with in the box
90% of the time you're doing something wrong. There's very rarely a problem with the box
may someone bit help me please.
with?
Login Brute Forcing - Login Forms Attack
I should be using this hydra payload from my understanding in order to attack the /login.php form with admin user
||hydra -l admin -P /usr/share/payloads/SecLists/Passwords/Leaked-Databases/rockyou.txt -f <IP> -s <PORT> http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='login' "|| Why would this payload not be working for this?
what's the F=<form about? that doesn't look correct
That seems right, it's the syntax for Hydra's http-post-form module.
@low vine are you sure you have the right username/password field names? And does the form name match what you see in the HTML source code?
let me triple check that might be where i messed up
still up? i'm still in the VC
<form is not a valid html tag <form> is
you probably just want to use the actual name of the form or so
probably the name='...'?
just gonna keep playing around with it ty for the tips
Gonna go read back on that section as well and take good notes so I can have this down
@high sentinel it needs the actual HTML snippet, so <form name='xyz' is correct.
really? well i was wrong then
Yeah, the power just came back on. I can jump back in.
this is new
I wish they had a junior pentest cert for beginners
wouldn't that be htb cpts?
i thought it said, "intermediate"
it says intermediate but the course content is geared towards beginners (or anyone of any skill level really)
true; I guess you're right.
CBBH feels pretty good towards junior lvl
Hi I'm new here
Anyone can help with the Password Attacks Lab - HARD I have been stuck for couple days with bruteforcing user johanna. I have tried mutated list using custom rules from resources as well as best64 rules, also tried the unmodified password.list. I have used both hydra and crackmapexec targeting rdp.
Try attacking || WinRM || instead of RDP
Thanks, will give it a shot, I think I may have tried with one of the lists already but will make sure
Hey guys! So I'm working through the OSINT: Corporate recon module and stuck on the first questions x_x
It asks for the GPS coords for cities where the company HQ is, I found the cities no problem, but the issue is that I can't get the answer to validate.
I'm supposing the GPS coords are off by a few 1 meters which makes it really hard to get. Also the hint doesn't seem to show the same results as my google :/
Has anyone else done this module and struggled with it? Would love to know!
Login Brute Forcing - Question #1
Driving me absolutely fucking insane. I'm there I'm in the spot and its giving me the same as the #2 flag? So confused.....
mind rephrasing your question? You are on this questions right?:
Using the technique you learned in this section, try attacking the IP shown above. What are the credentials used?
Thank you, this is the best tip for this question in this Discord. I'm serious, it was pain
I don't think CPTS is for beginners. CryptoCat failed it first time around.
CPTS is approximately the same level as OSCP.
I think, CPTS is not a beginner level
Hello everyone! Anyone working on the Attacking FTP module! A little help would be appreciate it!
thats a section ig
The module is attacking common services and I'm in the ftp section!
specifically where are you stuck at?
the last question... Im trying medusa, hydra, crackmap against ftp and ssh but I cant get the password of the user r.....
I'm using the pwd list provided but no luck so far!
password.list should work
how are you trying to attack the ftp server?
dont forget theres a ftp proxy server available
enum the host
you'll know it
and kindly reply back with a ping if you need further help
Will there be a course on C2 usage and extension? I never was into C2s, but I can appreciate their usefulness in large and complex networks. Havoc looks like a promising, free alternative. Any thoughts on this?
Thanks!! I gotta go now. Ive been stuck for a couple of hours... when I come back I will keep trying!! thanks!!!
okay... hint: ||theres a ftp proxy server running on diff port||
I'm dying here. What's the best way to do host discovery from a windows box over a double-pivot? I have a meterpreter session, socks proxy, and autoroute configured. I've tried a ping sweep, which took forever and returned nothing, and my arp_ping doesn't return anything but the compromised machine itself... If it helps, this is for the Pivoting, Tunneling, and Port Forwarding skills assessment.
Clearly, all I needed to do was type out that message/vent. Nmap finally came through with the goods. I've found the other host.
Guys Should I choose ejpt or CEH? Which one more better?
what is your goal? also we have #careers-and-certs for these questions
I want to become like a (Red team)penetration tester
red team != pentester
Ah yes
hmm ok, I'll try my best to make it short,
firstly red team != pentester even if (arguably) pentesting is under the red team umbrella
secondly, none of these certs will help for that, maybe ejpt a little.
and finally, look at job offers and see what certifications are often asked for, for entry level jobs and more advanced roles.
Personally I don't think you should pay for certifications though, your employer should. But I'm aware that it's not that easy and a famous cert will open lots of doors.
Ahhhh thank you
And I want to ask if cyber security and computer science majors are the same?
is there many infosec majors? from my understanding unis mainly do CS and you can get a master geared towards infosec
also I do suggest you identify with our bot and come to #careers-and-certs to ask all your questions
you'll get more answers, and also we don't want to go off topic in our channels
Ah ok, thanks
I'm an infosec major and I can tell you it's absolutely a waste of time. At least as a CS major you'll learn some somewhat practical things. Infosec degrees are very very very theory heavy. There's a good chance that most of your professors don't actually know what they're talking about. I'm half way through my second year and I've had a grand total of 1 good professor.
Infosec is 100% self study. The stuff you learn in college is very rarely practical or useful
if it's a good college you basically learn the oscp and how to do secure architecture
why am I encouraging off topic convos
yea basically. It's all stuff you can learn on your own for a lot less than what college will cost you
Ah thanks bro!!!
Np. That being said, this is definitely the wrong channel for this conversation. If you ask the same thing in #careers-and-certs there's a good chance you'll get several replies. You'll be able to hear more than a few different perspectives which will likely be very beneficial
AH OK
$(rev<<<'imaohw') is the coolest thing ive seen in my entire life. how good is the command injection module lol
Bruh that's genius lol. I'll get to the command injection module eventually
it's cool
s92bjBycpBSZt9GZ5Vmc reverse this one and decode it
||wholesome||
For anyone that has been having trouble with predictable reset token, question 2, shoot me a message. I felt like such a noodle when i figured out how simple it is.
Hello world, in **AD Enumeration & Attacks - Skills Assessment Part I** To connect to MS01, do I need use web01 as Pivot ?
I tried Enter-PSSession but no success
People have said they've done that entire section without pivoting. I did not. Pivoting makes that section so much easier
Hey guys, sorry to bump but I'm still stuck on this one, anyone got a clue?
Thanks guys!
I haven't done that module. Sorry
Thanks regardless!
Thank you, I did it with chisel, but nmap doesn't seem to work with it?
Remember that you can't send ICMP packets through a socks tunnel. You need the -Pn flag with nmap. You also can't do syn scans so you'll likely need the -sT flag too
Thanks
Anyone for small assistance for Attacking Common Services module ?
which section
final assessment hard, last question
you are taking into consideration the files you have previously discovered
Yes
once you know that there isn't only one service/server, you will have to tweak a bit the settings to execute commands
the command is not enabled by default
Attacking Common Services - easy I know what to do just ran out of time, but I got to thinking, could you create a php script for file upload with a web interface for the sql file upload. Then just edit the script with credentials and file location. Also could you use sqlmap to execute your payload as an alternative for this challenge. I'm just brainstorming other ways to do things and trying to make scripts for the exam.
As you already know the service and supposedly how to include something from yourself, trying crafting a something that will allow you to execute commands
Hi! I'm honestly not sure what I'm doing wrong, I'm trying to solve flag8(Case #8) from the SQLMAP ESSENTIALS. This is the command I'm using:
||sqlmap -u "http://161.35.169.118:30557/case8.php" --data="id=1&t0ken=wZfhGHZouwbPBukWrbI06G6yH25Me1ASxQzjBHyC2qA" --csrf-token="t0ken" --batch||
The only thing I get returned is 4 injection points, no flag. Appreciate it
Im back! Yeah, I got the port now but still didnt find any password!!
Solved it!
Anyone working in the attacking common services module?!?!
What's your question
Hi, sorry if this is the wrong channel to ask this but does anyone know how i can link my academy account to discord? im supposed to be able to find the option here: https://academy.hackthebox.com/settings but I can't seem to find it anywhere. is this a bug or am i doing something wrong? (Trying to get the Academy User role)
How do you use the ftp command if you want to connect to a different port other than 21
Im trying and searching but I cant find how to connect to a specific port different than 21
Stealth scan won't work through a proxy - you have to switch to a TCP scan, for that.
Howdy
man ftp
Have you done the attacking ftp section?
try attacking that port
I tried but get no valid password for user r....
In the forum they mention that you can access anonymously... but can't find it how!
did you get the password.list from the ftp server?
yeah... I'm using the password list from the resources...
just finished HYDRA and got 0 valid passwords...
How do you I access the ftp server without the password...
not the resources
u need to grab it from the ftp server
anonymous and random password
||anonymous:slfksfsfs||
I get login incorrect
I'm trying to copy my screen!
how do you make a cut of what's being shown in your screen?!?! hahaha
if windows use win+shift+s
try screen and snip
if linux use (right shift + printscreen)
yeah yeah! I'm on it
If anonymous login is allowed...
anonymous login is enabled on that target
How did you figure it out? that it was allowed?!?!
i did that target using anonymous user
^
Finally solved the Phishing XSS question... i just had to URL encode it
But the weird thing is when I tried to URLencode through JS with encodeURIComponent("string...") it didn't work, but when i copied it from the url it auto URL encoded it and it worked
Does anyone know what might have caused the issue?
just put the user anonymous and random chars as pass
Or any pass
That's what I did... in the screenshot I sent... it says login failed... maybe I should use another command
random keys
should work
now it works... I shouldn't write the user=
btw
that target is kinda buggy
ftp proxy server needs some time to run
so try enum to check if the proxy server is up or down
it's running
then the command should work
Hey people. Quick question
Is there any way of knowing whether a site was hacked (along with all the services)?
Oh, you put user= that's why it looked off
yeah, I'm not very familiar with all these tools...
if the website is popular enough
It's Payoneer
i would recommend you to complete fundamental labs first
Thanks
I want to report a bug that's present in ALL tebex based minecraft server stores, this is a high severity problem. The problem is that I want to get a reward for my work, but tebex closed its public bug bounty program some time ago, and the server owners wont even listen to me, they just dont care, or in one case, I told them the bug, then they blocked me and stole the bug from me. What should I do?
Generally you only need the user="name" syntax when inputting the command however for ftp and correct me if I'm wrong @brisk geode , is ftp "username"@IP Port
It's been a minute since I attacked ftp
i did
ftp {ip} {port}
then {user}
then {pass}
it worked for me
got it!
thanks a lot!!!!
how did you find out it was allowed the anonymous login in the ftp server?!?!?!?!
just trying out by using the username anonymous or you can check that by inspecting config files if you have access to the whole machine
If you do a -sC scan iirc it tells you
that also works
Because -sC for nmap tells it to run scripts for the services it finds
btw would u mind if i dm u? im gonna do that module next
How do you know the anonymous login is enable... ?!?!?
i just use that manual method which is kinda risky too might also log errors
You don't on this one. Nmap ftp scripts break when ftp is running on a nonstandard port. Just try it out
ohhh ok...since in this lab in 2121 it wont show it...
ohhhhhhhhhh!!! ok ok!!!
I should do that everytime!
not every time
depends on the situation
waf could pop up
ohhhh i see!!
Min rate 10000 could crash older machines if you aren't careful
Thanks to everyone!!! I keep learning!!
Hello mates!
anybody else stuck on the vulnerability module? the machine for the nessus exercise keeps crashing every time I access the nessus ui
I say crashing because I can't ping it at all and I get a "trying to reconnect" pop up
I tried with 4 different machines, all the same results
oh sorry
Hi there! Can somebody help me with dns fuzzing module? I can't find the fqdn of x.x.x.203. I try multiple wordlists
Remember you can have subdomains of subdomains
Hi
How are you guys
I need to ask you about app
If i install it in my phone it's give the access to my phone and i can open microphone using another phone
The amount of people who dont read server rules will never cease to amaze me
hi guys. im at the footprinting hard lab. i ve logged in to ssh. ive found a mysql server (?) on there. Since i cant connect regularily to the mysql server (its local) am i right to assume that I have to somehow tunnel the connection through SSH? and if thats the case, how the hell am i doing that. i tried with googling but i cant get a connection to work.
Can someone give me a little nudge?
History is your friend ;)
WordPress Hacking Module, Skills Assessment.
which Plugin should i throw an eye on for an unauthenticated file download?
looked through wpscan but im not sure
You answered yourself in how to use exploit searching to search for it. Sometimes the best way to know is just use it and see
i just find vulns like LFI, SQLI and so on, but not 'Unauthenticated File Download'
Can't you use sql to download a file?
um via file write to create a webshell?
Command Injection - Bypassing Blacklisted commands
This is what i've come to that still works and bypasses what seems to be a block on ||cat||
||ip=127.0.0.1${LS_COLORS:10:1}%0ac'a't${IFS}${PATH:0:1}home${PATH:0:1}flag.txt||
I dont want the answer but would like a small nudge in what I might be missing and understanding. I've attempted to use the single and double quotes through the command but it seems that cat is the only 1 thats blocked from what I see.
It runs but it doesnt execute as intended I guess?
Hum ok, but I tried many way and found nothing
have you tried echoing it in a terminal to confirm that the resulting output is what you intended?
Zone transferring
I dont quite understand how id do that just tried
This is the answer of the previous question no?
echo "${LS_COLORS:10:1}%0ac$@at${IFS}${PATH:0:1}home${PATH:0:1}flag.txt"
echo 'YOUR PAYLOAD HERE'
yea doesnt work for me
what output do you get
As was stated, you can transfer to some zones, yes? So what's stopping you from going a level deeper?
try with double quotes and without anyquotes, theres one of em idr that parses it properly and another that doesnt
Internal zone?
what shell are you using?
fish
One of the tools you are taught allows automation of this
dnsenum?
New line is before "cat" now im more confused lol
well that may be why your payload is failing
Yea I understand that but looking at the payload it should be
cat(space)/home/flag.txt
I dont understand why its showing different
I think reverse it gonna work
gunna have to review your notes then
Thats the sad part i have for 30 minutes and I cant figure it out ><
let me read through again
and might come cry in 20 minutes
yes but now you know how to debug your payload
Yup i was having trouble with that
ty
also I could totally be misremembering wrong but I didnt think the flag location was /home/flag.txt
but memory could be faulty, just make sure youre confident on that
I also just reread the question and its of a previous user lol
so that could also be a problem
Need some help here: https://academy.hackthebox.com/module/163/section/1551
Struggling with the reverse shell over the forwarded port 1234 on dmz01: dc01 -> dmz01 1234 <-portfwrd (msf) -> 10.10.14.19 (my attacker machine)
root@dmz01:~# tcpdump -i ens192 dst port 1234
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
20:59:41.186007 IP 172.16.8.3.64889 > 172.16.8.120.1234: Flags [R.], seq 3696198686, ack 2750044908, win 0, length 0
20:59:41.186109 IP 172.16.8.3.64902 > 172.16.8.120.1234: Flags [R.], seq 3586340546, ack 2592359372, win 0, length 0
20:59:41.186123 IP 172.16.8.3.64928 > 172.16.8.120.1234: Flags [R.], seq 478348283, ack 262965734, win 0, length 0
20:59:41.186136 IP 172.16.8.3.64914 > 172.16.8.120.1234: Flags [R.], seq 2264802788, ack 1072586443, win 0, length 0
20:59:41.186157 IP 172.16.8.3.64940 > 172.16.8.120.1234: Flags [R.], seq 2265080408, ack 3020844998, win 0, length 0
21:00:27.796403 IP 172.16.8.3.64946 > 172.16.8.120.1234: Flags [SEW], seq 3203670305, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
21:00:27.796828 IP 172.16.8.3.64946 > 172.16.8.120.1234: Flags [.], ack 4081947409, win 8212, length 0
Is my monitoring wrong?
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
20:59:41.186230 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 2012863926:2012864054, ack 3152730324, win 4721, options [nop,nop,TS val 1279633583 ecr 1367410628], length 128
20:59:41.213762 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 128:640, ack 1, win 4721, options [nop,nop,TS val 1279633611 ecr 1367436449], length 512
20:59:41.306868 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 640:800, ack 129, win 4721, options [nop,nop,TS val 1279633704 ecr 1367436541], length 160
20:59:41.431617 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 800:960, ack 257, win 4721, options [nop,nop,TS val 1279633829 ecr 1367436666], length 160
20:59:41.603322 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 960:1120, ack 385, win 4721, options [nop,nop,TS val 1279634000 ecr 1367436838], length 160
20:59:41.706566 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 1120:1280, ack 513, win 4721, options [nop,nop,TS val 1279634103 ecr 1367436941], length 160
20:59:41.813586 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 1280:1440, ack 641, win 4721, options [nop,nop,TS val 1279634211 ecr 1367437048], length 160
21:00:27.797014 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 1440:1664, ack 641, win 4721, options [nop,nop,TS val 1279680194 ecr 1367437079], length 224
21:01:27.962619 IP 10.129.203.114.56830 > 10.10.14.19.https: Flags [P.], seq 1664:1808, ack 769, win 4721, options [nop,nop,TS val 1279740360 ecr 1367543248], length 144
The portforward is setup like this:
Revshell from dmz01 to kali on port 443
Updated first tcpdump, copypaste fail
Updated again, you can see the timestamps that the packages arriving on 1234 go out to 443 (https) to my machine
But metasploit doesn't catch the shell
Have you tried not using metasploit? I've heard people have had issues with metasploit on this one
aaand it died cause the 2h were over
No, haven't, it's quite a bit of portbending etc going on, so I tried to go as easy as possible
Guess I'll try again another day
@thorn urchin I've read back through the 3 sections and I'm just not understanding where the error is with it
could i pm you?
Not atm, im at work so dont have time to spin up an instance and test things/verify.
np appreciate the help either way. I'm not far off just maybe need to walk away and look at it in 30 minute
Anyone like me stuck in the Windows Privilege Escalation Print Operation Module, I cannot compile it
hello everyone, attacking common services module - Attacking DNS. I added machine to /etc/hosts with inlanefreight.htb. Also added ns1.inlanefreight.htb to resolvers.txt. But I am getting this error from subbrute
any ideas why? Hint suggests to use subbrute
Did you add the IP of the target?
Hi everyone. I'm doing the Intro to AD module and had to create a GPO using the following command
Copy-GPO -SourceName "Logon Banner" -TargetName "Security Analysts Control"
To later link it to the OU "Security Analysts"
Set-GPLink -Name "Security Analysts Control" -Target "ou=Security Analysts,ou=IT,OU=HQ-NYC,OU=Employees,OU=Corp,dc=INLANEFREIGHT,dc=LOCAL" -LinkEnabled Yes
The problem is that I'm having this error
if you mean add to the /etc/hosts. yes I did
Hey All!
I am working or rather stuck on "Password Attacks: Password Reuse/Default Passwords"
I am on the machine with the creds obtained from the previous task, and the question asks to discover the credentials for MySQL.
I scrolled through some of the previous posts here, and it seems like I went in the same direction as everyone else, with a particular online list of default creds.
However, none of them seem to work. Tried all the passwords related to MySQL and even put the previously discovered password in the list with some variations, with all the users on the machine, and nothing.
Any nudges would be greatly appreciated.
which part specifically // sorry I bit tired I guess
I could be wrong entirely but testing for the default or reused password in Password Attacks: Password Reuse / Default Passwords
Q: Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)
I am logged in and attempted to discover creds for mysql
my notes are a bit messy. I suggest you to check every server for creds
every port I mean
Ill try that out now! Thank you.
I assumed you use ssh or sth right? check other services
yeah i ssh'd into the box
yeah its not there as you know
yup hahah
just trying to figure out the mysql part, i figured it would be a default, but yeah ha
it is default actually
but the list on the module doesnt have that one
you still need to find it I guess
got ya, google to the rescue hopefully lol
Theres a very useful link to a github repo with a list of default creds provided to you in that section
the Default list on github?
Ive been trying from there but still havent found the right one. Doesn't like me i guess
Yes. The one they give you a link for
I will def. keep poking at it
I mean, search the list for mysql. There are only 4 sets of creds lol
yeah for sure. I did lol. they just didnt work. Used good old ctrl +f, found the 4 you are referring to. Ill try and reset this machine again.
Greetings everyone, might anyone assist me with some confusion I'm having with "credential hunting in linux" from the "Password attacks" module? I've read the community forum but using and mutating the password from the hint does not grant me a successful authentication (either with CME or Hydra). I understand the idea of mutating passwords, even discovered passwords, but this lab has left me confused
Make sure youre typing them correctly
Tried them all again after resetting, got it! Thanks, everyone. You all are awesome.
Theres more than one service to attack. Also iirc you need to read the hint for that one
Thanks for the nudge, I guess there's more than ssh, ftp and smb on the box. I'm gonna shut down and come back to it. I appreciate that, Man in the Purple Tux
no those are the 3. Just remember you can attack all 3 of them. (SMB will almost always be the fastest to bruteforce)
Thank you, I'll take another crack at it in a little while. Thanks again
np. Feel free to dm me if you need more help with it
Shameless boast - After three days of researching, reviewing past sections in the Footprinting Module, and without querying this thread, I finally got the Footprinting - Hard Lab!
hi guys! you look like smart people so im going to ask a question
nevermind have a good life
Congrats, no shame in ones accomplishment!
Thanks!
Congrats! Always celebrate the small wins. The more small wins you achieve the bigger those "small" wins will become.
Thank you! That one definitely felt good to take down. I feel like I'm progressing as I slowly tic off the modules in this path.
This path is amazing
Sorry - this = the Penetration Tester path, to be specific.
Yes! It is.
Can someone help me to find the right value of the --kdcHost of the domain which correspond to the DC FQDN? I tried nmap as suggested by @solid python , but no success. connecting to the domain.
Module: Crackmapexec
Section: Working with Modules
Is anyone whos good at subdomain brute force able to tell me why the tool subbrute and gobuster are consistently returning different subdomains? I spent way too many hours because gobuster didnt return whats required...
are you doing common services - dns section / if you are can I send you a DM I am a bit stuck
Yep! Just solved it go for it
I also tried my own instance of cme, but does not seem to work either. Any idea?
Subrute is not finished in that image (unless you just cut that out of the image in which case i have no idea why that happens)
@graceful rampart Finished that section I was working on, wanted to say thanks for taking the time to help out.
np!
Am I crazy or did the mods delete the discussion about making this channel verified only?
Dosent really matter since we got vetoed on that
which discussion? I still see my complaints in erratum
Oh shit I got this channel mixed up with #858470491676737536
I thought it was this channel haha
Oops lol
This just in: yaoi can't read
Lol. This is true
Do you need help with a module/section?
Yeah np!
What do you need help with?
which module?
cause surely youve read the server rules and understand what this chat is for

where do I ask for specific retired machine assistance
#boxes ; you'll need to verify your acct in #bot-commands
which one?
Ima start screen shotting all these
How do I get more access to other channels. Just got the flag but was curious
Read my comment above his
^
Huge NPC energy
Thank you lol. I was once the best player now saved as an NPC for memories
On chatterbox I'm system shell through impacket-psexec but can't type root.txt?
never seen this
what kind of error are you getting?
Access denied
Hi! I want to ask about Skills Assessment - Broken Authentication i have found 10 usernames in the websites and then i tried to create a password list based on the password policy using this command ||grep -E '^[A-Z]' /usr/share/wordlists/rockyou.txt | grep '[0-9]$' | grep '[^A-Za-z0-9]' | awk 'length >= 20 && length <= 29'|| but until today i can't find correct password for each user. Is my password list is wrong?
Time based SQL Injections are the worst lmao
That just sounds painful
Even with sqlmap, its so slowwww
This is almost as bad as some of the bruteforce in password attacks
Im terrified to do that module
ohh noo, nothing get close to bruteforce in password attacks lol. At least you get some reaction with time-based. With bruteforce you might get nothing lmao
fair, but i mean, im just sitting and waiting only to find out i need another flag in my command. Repeat that 5 times and its a pretty long and annoying wait
Module - active directory enumeration and attacks
section - bleeding edge vulnerabilities
question 2 - "Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop. "
Not sure how to even start the exercise seems you cant ssh or rdp as the forend user. Can ssh as the htb-user but cant find nopac tool on that box and cant gitclone tools into the box cause it doesn't seem to have internet access. If anyone done this section
pivoting will make your life easier. ALso, you should have creds from previous sections
umm can I dm you?
Sure. I don't have notes on that exercise which means I found it to be very straight forward.
ez
Your PFP encapsulates the true level of disgust
Thanks for the ping.
So many crazy unverified people here haha
Academy didn't have a verification system until very recently. So unless the Academy channels were open, users would have had to create an account on the main platform. However, it has one now though so I'll bring that up at the next staff meeting.
ah, ok. Thanks
jared in erratum said this exact topic was discussed and it was decided not to be implemented. We definitely appreciate it being brought up again.
can someone plz help me to hack a snapchat acc
sorry
this is not the place
and hacking someone's acc depends on how dumb the victim is
ohk
It's not like you can do an account takeover willy-nilly
lmao
This convo is over. @rustic sage This is a verbal warning.
Please read and follow the rules
Hey guys, sorry for the repost but still struggling for the location questions (1st ones) of the OSINT: Corporate Recon module. Has anyone done it?
Hey all,
I am trying to perform ADCS Relay + PetitPotam attack but I am getting error "[-] Error obtaining certificate!"
Did anyone else faced this error and why is happening ?
Thanks in advance
Hi i'm stuck with Active Directory - Skill assesment 1 to find ||tpetty|| credentials I tried lazagne and mimikatz but nothing
try more with mimikatz...
I found NTLM hash but no cleartext password
hashcat is your friend
https://blog.codyrichardson.io/2020/06/hashcat-cracking-md5-and-ntlm-hashes.html
Yeah I tried to crack with rockyou but no success
Try with resources provided in the module
Hello, Im doing the Remote/Reverse Port Forwarding with SSH and the Meterpreter Tunneling & Port Forwarding Module, but im not able to run a function reverse shell in msfconsole if im follow the steps describe in the sections. I got some errors messages:
man Bill Gates had a pretty good password going in the brute forcing module 
or Segmentation fault (core dumped)
Hack The Box churns out modules faster than I can learn
@leaden quail the payload is causing that problem
i just finished the login brute forcing module and i now need a very stiff drink....
i am facing ngrok context deadline exceeded error... anyone knows how to fix?
after running an ssh command i never get prompted for a password?
yeah, it's not reaching it, but every time i try restarting the target i get the same results
it was working fine 5 minutes ago
wtf
couldnt ping it or connect to ssh
ran an nmap again on it and it detected it
and now i can ssh again
wtf HTB servers
Can somebody help me out with information gathering web edition? I am stuck on question 3
Q. find and submit the contents of the txt record as answer?
I am using dig and its giving error
try to get txt record with another dns tool
module: Password Attacks Lab - Hard can I DM you Mr.Tom? or anyone. I try hydra rdp, wordlist is mut_password.list with user john but it's not working. Thanks
nevermind...
Still getting:
This module sucks, or I am exhausted. Or both. Circling back later.
If anyone has any useful tips for RDP and SOCKS Tunneling with SocksOverRDP, I'm all ears though. Otherwise, backing away slowly...
If you wanna dm me feel free. I'm not at my pc right now but when I get a chance I'll pull up my notes and take a look
I'm wondering, can someone make safe exam browser bypass?
Nobody cares
Sorry
huh
Not sure exactly what you're asking
They want to bypass exam proctoring software I think
Also please don't spam every channel with the same question
There's no proctoring for CPTS or CBBH
Yeah, but they aren't asking about CPTS or CBBH
Well then. They're asking in the wrong server lol.
Why would ask about an exam that has nothing to do with HTB in the HTB server?
It isn't uncommon for unverified people to ask stupid stuff like to "hack someone's tiktok"
I know
But like, asking about a specific exam? I feel like people should have a little common sense lmao
Ngl a lot of the time it's easier to just study than cheat lol
I'm sure if you put the time and effort you could probably find some sort of bypass, but it seems easier to me to just study haha
Lol. Most of these things are like invasive malware. Very hard to bypass usually, especially if they've been around for a while
(Also we're getting off topic)
Module: CrackMapExec
Section: MSSQL Enumeration and Attacks.
Wondering why I am able to fetch the database name, but no result is displayed when fetching the table name from the core_app database. Any idea?
can i dm you too? i need help on Password Attacks Lab - Hard
sure
Hello I got an issue with a simple instruction: "Navigate to the web interface at the end of this section and log in with the provided credentials." This is regarding Nessus Skills Assessment. I've started the instance, it provided me with an IP, but when I'm trying to go to the web panel via pwnbox it's "Unable to connect Firefox can't establish a connection to the server at IP." There are no additional instructions. Has anyone experienced something similar?
I might be mistaken but I dont believe pwnbox has internet access.
well I can ping the target
what module is that
VULNERABILITY ASSESSMENT
either its something really simple or I don't know wtf
I've tried via vpn first with no result so I thought I'll use a pwnbox as it should see the thing
dm me
i just did
Hey, I've been stuck on the module firewall and ids/ips evasion hard lab for a while now and I was wondering if anyone could guide me in the right direction?
Syn scans are your friend
I've been using that option but still can't get the version to display for me with the state being filtered.
What has the module taught you about that then?
If anyone else runs into this on this module. After turning off "real-time" protections, make sure you are running regsvr32.exe in an elevated powershell session. that should have been obvious, which is why I guess it wasn't covered in the course material...
Source porting it with netcat?
Check your notes and try.
Which part of the module should I focus more on?
If you have notes/things to try, try them :)
this is fixed XD
I'm still running into a road block
Not sure if I'm doing something wrong or not!
Try resetting the box and redoing the steps
Ok. I'll try resetting the box again. And just to make sure, you're referring to the steps for source porting with netcat?
Weird! I've tried that before but it never worked for some reason!?? Until now!
Yep resetting sometimes kicks the gears on
Exactly what is the reason for -p 50000 though? That part is still unclear to me!
When you did the -sS -p- it should have revealed that port
So I tried running it again how you said:
sudo nmap <target IP> -sS -p-
Just like that and the results didn't include port: 50000 just ports: 22 & 80
I'm trying to remember the syntax but basically that port is discoverable
Is there another option that needed to be set in order to display all filtered ports along with the open ports?
I've had this conversation with someone recently; went over chat logs , you added the suppress ping yeah?
-Pn
No I didn't add that to the cmd
Sometimes though you have to manipulate the commands provided to get info
I'm going to try that again and see if it discovers it this time
Could someone explain to me what exactly this command does (this will be 2 posts of single lines)
CMD="bin/sh"
php -r "system('$CMD');"
So
CMD sets a variable named "CMD" to be "bin/sh"
Also that looks incorrect? Shouldn't it be /bin/sh?
yeyeyey /bin my bad
The $CMD indicates to PHP that you want to run the variable, not the text "CMD"
For the php portion look up PHP documentation for what 'system()' is
php -r is just the syntax to run the following using php
thx u
Much like python -m
this entire conversation i am copying and pasting and sending in my notes xD
I just finished running that command with -Pn added to it and it still didn't discover port: 50000
Hmm
Hello all... Just started a module and I'm at the question portion. How do I use my own Kali instance? I've downloaded the academy VPN file and connected. However, the only option that I have is to start their virtual instance.
So for the starting point modules you are expected to answer those using their pwnbox
There is no need to use a VPN to connect for any of the CA Challenges, they are all accessible via the public IP's given when started. Not all challenges have an HTTP server however, some you need to connect via nc.
Nm... I just refreshed the webpage and the option to spawn the target just appeared
sometimes it's weird ¯\_(ツ)_/¯
I really need help from support doing the DCSync section in AD module, impacket-secretsdump does not work and I cannot complete the exercises with other tools... Please, just a hand on it
I am stuck here for a while
secretsdump worked for me when I last did it
just saw your picture in erratum, your domain is wrong
its not inlanefreight.local/adunn
its INLANEFREIGHT/adunn
^
@rustic sage respond in here to not clutter erratum channel.
whats the screenshot of your command and output when using the right domain?
can I DM anyone for attacking common services easy, I am stuck on the SQL part and i must be just missing one little thing.
Hi guys! I'm on the Brute Forcing Passwords on the Broken Auth module.
Stuck on this question
Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account?
Need help because some of the concepts aren't really clear
Hi guys, Im also stuck on a question and my question is related to using the correct User.list or Pass.list on:
Network Services
Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
I cannot find the correct list to crack it
It's possible crackmapexec won't see the correct creds bruteforcing the winrm service...it happened to me. Run your scans against smb and winrm first since they should run faster
The username and password lists given in the resources section of the module are the correct ones to use
The credentials for winrm should still work for listing smb shares which is a capability of crackmapexec
the same
tried everything, it also does not work from ea-attack01
why are you at 10.129.217.89? that doesnt look like the DC to me
awesome thank you for your response
hi there, I am at the nmap hardlab, I found the missing port and I am trying to get the version, but had no luck so far. I also tried with netcat, but could not connect. Someone any more hints on this one?
Hello, could someone DM me the answers for the Session Security - Skills Assessment. I completed it in the past, but for some reason it shows incompleted, I remember it being pain in the ass and don't feel like redoing it hahah
no
against the rules for obvious reasons
Additionally, I uploaded php reverse shells through FTP and moved them to the proper directory and I have the ability to download the files, but not execute them.
Stupid question. Attacking Common Services - Attacking SQL Databases , What am I doing wrong with my sqsh command?
enjoyed this path
try using mssqlclient.py
i'm getting the same error with the sqsh tool.
i do not suspect user error at this moment
Can anyone help me take down child p server
please keep discussion to HTB Academy modules thank you
Sorry I could not find any other channel
Your command is absolutely correct. This is from my notes
Can I at least have a bit of assistance connecting with impacket mssqlclient.py then. The module doesn't talk about the command usage, there aren't many resources online, and impacket doesn't have manpages.
I thought one of the early modules talked about mssqlclient
mssqlclient.py -p 1433 htbdbuser@10.129.203.7
But I'm also bad at remembering rn as it feels like my head is in a vice grip
The good ole "reset it and it just works" technique
cause 1. you havnt read the welcome channel and 2. this isnt the server for that at all. 3. report it to the fbi
Update Jared Dm'd me about some stuff. Issue is resolved for now.
I have been banging my head for so many hours lmao
people've been saying sqsh has had issues for awhile now
User error?
I'm not from USA
so? they work internationally and will accept reports from anyone
^
Didn't know that ty
Probably just the new sqsh version I think. I just got impacket to work.
Hi! I have some difficulties with the module ACTIVE DIRECTORY ENUMERATION & ATTACKS (Especially for the section AD Enumeration & Attacks - Skills Assessment Part I)
Someone for a PM?
For Attacking Common Services - medium is there a wrong and right box? I have reset the box a few times and have gotten different NMAP results
it is the "public" IP of the DC, I can connect from this IP. Anyway, via internal server ea-attack01 is also impossible
thats not how it works
I feel like for Attacking Common Services half the box is missing. I found his SSH key in his inbox but don't know a way to retrieve them from pop, but I got the flag another way.
thats the foothold of the Network, unless that IP is running the DC services it is not the DC and wont connect to the controller that is on the 172. network
Its not gunna magically forward the requests for you
ok, so still does not work from internal machine...
are you sure .5.25 is the DC though?
i am totally idiot... thanks anyway, solved
np! itd certainly be nice if impacket gave some clearer errors in these scenarios
even a "so and so IP address doesnt appear to be a DC" message would be nice
also Id recommend taking the time to setup a tunnel on the foothold host and trying again from your own machine routing through the tunnel.
The module doesnt tell you to do this, but itll be extremely useful for the assessment, and this section is one of the perfect labs to practice it and verify you have it working.
sorry my english is bad.. but I need help with privilege escalation (the final part of getting started) I'm stuck.... thanks
what part of the priv esc are you stuck on? what have you tried?
where you have to have the file that is in the root
yes, so you need to become root. What have you tried when it comes to looking for ways to become root.
try using sudo /usr/bin/php system("bin/sh"); since I can run the bin/php as root but it didn't work for me
Loading the LinEnum.sh file and adding a php line to it to run a rever shell as root but it didn't work
okay so right idea there with running php as sudo, no idea where you got adding php to linenum from.
the issue is you have the syntax for running php wrong
I recommend searching for php on the gtfobins site
Ok thanks
Yea this helps a lot… even with machines
I finished it, thanks men
congrats
is the server down? I can't connect to the website
Yup, it's down.

yup main and academy. time to go outside and touch grass
I went outside once, the graphics are good, but the gameplay is sh*t.
i was on a roll lol
lol
guys i'm 96 percent done. took 150-160 hours
yep
just read chat
im kinda stuck on the blind sql module
I don't know the query to extract the length of a column entry
i'll help
thx
sent a dm
well youre on mandatory break mode now sooo
It would be ironic if HTB got hacked,,, I want my server back
The HTB central server holds the golden flag. The one flag to rule them all.
i was thinking that would suck if they got hacked
guys what does the label top 25, 50 etc mean is that just for htb or htb academy or both
I think just HTB
yay sites back up!
ehh how do I get in touch with a tutor
i thought i would be prompted after answering a question wrong 3 times
hehe
Bottom right should be a chat bubble thing
whoever is making the module artwork is doing a really good job
i can't stop looking at it
Hey folks, awhile back I went through a module that demonstrated some of the basics of enumerating web sites and then exploiting them with metasploit, but now I can't find it. I suspect it was retired. Does anyone have a suggestion for a current module I can reference for website enumeration, lateral movement, exploits, etc? I want to put on a demo for my university cybersecurity club.
alternatively, is there somewhere I can reference retired content for HTB Academy?
is this supposed to be general
this channel is for discussing the modules on HTB Academy
i think you need to verify your htb account if you want to get access to the other channels including #general
Getting Started might be what you're looking for
I'm trying to do Enter-PSSession -ComputerName ||MSSQLSvc/SQL01.inlanefreight.local:1433 -Credential INLANEFREIGHT\svc_sql|| however when i hit enter it prints a blank new line and nothing happens am i entering this command wrong?
Hey yall is this where general discussion occurs?
Hi, can anyone help me with the "Type Filters" section in File Upload Attacks, I am stuck. Let's DM.
general discussion for HTB Academy Modules yes π
oh
Because you entered a single '\' do a double '\\'
no it just does that automatically on discord haha let me double check tho and thanks for replying
ya it doesn't work i've tried the command literally prob 50 times in different ways, i appreciate you trying to help tho
@fathom pendant
Figured it out! 
hi everyone, has anyone done the blindsql injection module?
It asks for the admin password, but there is no non-default database to dump
was wondering if this was intended
I would love to use this tutor feature I heard about in the announcements
I haven't done the blind SQL injection module yet, so I can't help you there. But as for the HTB tutor feature, I believe you can only use it if you're on the silver annual plan. Are you on that?
Yeah. it's limited right now to silver annual
I'm sure someone else here can help you who's also done that module, this channel gets more active later in the day.
ok awesome
I will get silver annual once I get my finances in order
saving up for a move hehe
kinda broke atm lol
Good luck with the move!
++verify
Please see your DMs for instructions on how to verify your HTB account.
Hi everyone, I'm stuck on the Nmap module IDS/IPS Evasion - Hard Lab. I tried to use different options like decoys, source IP address etc... but couldn't find the right service and its version. Can you guys please give me some idea ? I'm definitely missing something.
Hello, I'm new to Hack The Box and I'm very bad at hacking and would like to get started. only I did not manage to pass the "appointment" challenges of the easy level. Can you help me please ? thanks in advance for the answer.
This is for Academy.hackthebox.com not the boxes , #boxes for the machines
Should probably start at academy to learn the basics of penetration
hey guys i have a question maybe you could help me out, so here it goes; not wanting to pay for any subscriptions until just yet after signing up, does htb offer a lot of free rooms/modules ect like thm or more subscription based?
the academy is based on subscription levels - read the website
If you're a college student, the student sub is hard to beat. The modules are more difficult than the THM rooms, but they go more in depth and have great exercises.
thanks
yup, thanks
@gusty hornet
Hi
Hello everyone, I am in need of assistance with the LFI module on hackthebox. Specifically, I am currently stuck on the task of automating the scanning process for exposed parameters and attempting to exploit them using LFI wordlists to read the /flag.txt file. I have already attempted to fuzz the web application and find the parameter, as well as the webroot, but have not been successful in finding the flag.txt file. I have also attempted to view the /var/log/apache2/error|access.log using path traversal techniques in order to poison the logs, but have not been able to access them, suggesting that Apache logs are only readable by users with high privileges such as the root or adm groups. Can anyone provide guidance or assistance in this matter?
how can I contact support if the support chat is not responding?
yo Team, can somebody help me on Attacking Common Services : Attacking SQL Databases
be patient it is the weekend nonetheless
I know but I've been waiting for over 10 hours
¯\_(ツ)_/¯
The weekend lasts from Friday evening until Monday morning. You will have to be patient
You can DM me
require_once $_REQUEST['ajax_path'];
}
when trying to load /etc/passwd, it works, but when i try /var/log/apache2/access.log it throws an error, is a .log not a regular file defined in is_file ?
In principle, yes, but maybe you don't have the rights to read the file?
yes it could be, no way to check by error msg
from which module is this?
WordPress Hacking Assessment
Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
trying to poison log and make an web shell
there are many vulnerable plugins tho, i personally like LFI most of them all listed
Ah okay
You need to find a plugin that has a corresponding vulnerability.
would be a great help if you could tell me which plugin/vuln
all of them are like sqli, lfi but none of them 'unauthenticated file download'
DM
yo Team, can somebody help me on Attacking Common Services : Attacking SQL Databases. Im stuck at the begining
where exactly, what did you do?
I connect to the mssql service with htdbuser, but nothing interesting, only that another user exists ||sa||, but cannot do anything with it, im trying to bruteforce this user creds but nothing and also trying to bruteforce creds for the user of question one for mssql and rdp but nothing
stuck here hahaha
can I DM?
well I dont remeber and my notes are empty at that part
to mssql
my notes start from there lol
haha
you should connect somewhere with given creds
maybe restart the machine
sure
Does the latest version of cURL (now installed on the new pwnbox) require user confirmation before finishing? Is there a flag to suppress that behavior?
Edit: nvm - user error (put your URL in quotes)
Can anybody help me out please. I am doing the footprinting module, and I am stuck on the last question of the DNS section. The question is "what is the fqdn of the host where the last octet ends with .203?" I can't find it, it's driving me up the wall
I've read numerous posts about using a certain word list etc but I'm still having no luck
I have not done the module but it sounds like you need to do a reverse lookup?
You need to find all zones
I've done a zone transfer on internal.inlinefreight.htb and a lot more show up. When I try and do a dig axfr on any of those I get nothing
Transfer failed
DM
Hey guys, I'm doing the RDP and SOCKS Tunneling with SocksOverRDP, but I'm stuck on running the listener 127.0.0.1:1080 on the Pivot Host. When I'm executing SocksOverRDP-Server.exe on 172.16.5.19 with Admin privileges and I'm looking at "netstat -antp" on the Pivot Host, there are no active connections. Any hints?
how to elevate the privileges user so you can do what ever to the system but you have to get the authorization code it's like a API Keys but its more encrypted and powerfull and it can only use once ?
can someone check, if you get the same blank page when loading assessment 1 from nosql?
Did you add the ip into etc/hosts ?
yup
yes but there is no domain name
Name of the box .htb
What is the name of the box ?
Introduction to NoSQL Injection
Assessment 1
Hi guys I m trying to use the command "nc -lnvp 4444" in the parrot os provided by HTB but it always listens on 0.0.0.0 and I am unable to get a reverse shell. Can anyone help me?
0.0.0.0 means that all incoming IPs are accepted
I will have a look to see, maybe check if you have the local host as the proxy on the browser, happened to me before
every other box i spawn works for me
just assessment 1 doesnt
no proxy, no burp is running
Are you using openvpn?
yes
check out "Capture MSSQL Service Hash" from the Module
Maybe change the location as some days is very slow in some regions, do you have VIP ?
i already switched, tried that out, i can launch all every modules, just this one dont work for me
Sorry just thinking about all scenarios
Hi all anyone knows why crackmapexec is giving me like this?
SMB 10.129.202.136 5985 WINSRV [] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
HTTP 10.129.202.136 5985 WINSRV [] http://10.129.202.136:5985/wsman
WINRM 10.129.202.136 5985 WINSRV [-] WINSRV\username.list:password.list
im using the list from the resources module
can i dm you about #module Attacking Common Services, #sesion:FTP?
That was it! Thank you. I don't know why I thought it would have had a more specific or elegant name.
thank you for the help.. I got it
Im doing the password attack module and I cannot crack any of the users
Can someone point me in the right direction please? I am using the credentials that the resources have on the module
use the provided lists, eventually you might also need to craft one with the one provided
Hmm I did use the provided list
But it does not seem to work either
Hello everyone - on hard lab // attacking common services. I ve got the flag but there is a question " Once logged in, what other user can we compromise to gain admin privileges? " which I cant figure out
I dont understand which users - there are 2 users I can impersonate when I enter the db as f* user. But I tried those with every combination. I also tried other users I found with possible combinations
never mind how on earth I was reading the question. It is asking for the user. only one and only one of them works indeed
writing here sometimes you will realize whats wrong hahh
too bad mine no
I did crack the SSH though hehe
yep made me read the question again haha
by the way my cme wasnt working last time I used
I did whatever I needed to do with meta
msfconsole
then choose what you want with
use
you can use it like
search "service name"
ur welcome
was trying to avoid metsploit but if cme wont work than yeaaa
well mine doesnt. tried to fix it without any luck
Meta is a shortcut usually, but if you can't find a good POC then it works
cracking ssh i managed to get the users so it should be easier to enumerate now
hi anyone rooted new Stocker machine?
please keep discussion to HTB Academy modules thank you
#1063841252061229096 as it's an active box not much discussion around it
At least privesc
Which module?
Hello
In the file upload attacks module in the whitelist filters section.
I find several payloads that work to send my file, I have a code 200 with the mention 'File successfully uploaded' but when I go to the page where I uploaded the file I have an error 404.
They are updating pwnbox rn I think. Sqsh wasn't working for me
Last time I checked they were doing maintenance so if you are able to complete this section lmk
Hi all Im having issues trying to connect to an SMB
I have got the credentials but not sure about the sharename
how can I confirm the sharename of the smb
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
smbclient -N -L ///ip/
to check available shares
smbclient //ip/sharename
to check share and if you have priv to read
I see let mee seee
How can I add credentials to:
smbclient -N -L ///ip/
I got this error message:
session setup failed: NT_STATUS_ACCESS_DENIED
i think i know how
-N I believe doesn't ask for the sign in
So remove that
I also believe -U is the user flag
still didnt work π¦
Hello, im doing the Pivoting, Tunneling, and Port Forwarding Skill Assessment im trying to ssh with mlefay. Just get "Permission denied". Any hint?
reset the machine
I gottt ittt
└──╼ $smbclient -L //10.129.212.99/ -U cassie -W WINSRV
ChatGPT got me the answer
There's probably something in the module that told you to do that
ask chatgpt haha?
i wonder if you could ask ChatGPT how to pwn offshore?
No. How to connect
ohh yea it did say how to connect too hahah
wohoo got all 4 flags !!
only took me 1 day 
Hi! I am using CrackMapExec in a Docker container, but my proxychains is on my localhost machine. Can someone know how I can use crackmapexec running in a container through proxychains?
I have the same issue. Any solution?
Hi i have problem with crackmapexec when i try to install it poetry install
Traceback (most recent call last):
  File "/usr/bin/poetry", line 5, in <module>
    from poetry.console.application import main
  File "/usr/lib/python3/dist-packages/poetry/console/application.py", line 15, in <module>
    from cleo.exceptions import CleoError
ImportError: cannot import name 'CleoError' from 'cleo.exceptions' (/usr/lib/python3/dist-packages/cleo/exceptions/__init__.py)
ChatGPT obviously does not want to help
But I am sure, in the channel https://discord.com/channels/473760315293696010/569167103077122058 you will be helped
yep it kinda did but offshore is just so ficking long 
I have only made 1/4 so far
also because the discount on december was so big i can't resist but buy 2 pro lab so now i still for the aptlabs
that's still progress but i've ben stuck at aground 50% for like 1 week now
my enum is just super slow also just have to note everything down is driving me crazy
Oh, you have a lot planned
I have now completed CPTS, waiting for the result.
Doing Offshore and all the new modules in the Academy. They are killing me. They're throwing out new content faster than I can learn it
I also write everything down. That helps me to understand things better
same with the academy also congratz on completing CPTS
Thanks
same and that's driving me crazy
Did you also take the exam?
not yet i need to finished offshore
I have two modules left to do
i may take the exam after offshore then the aptlabs
then gunna do dante
but there go my first half of 2023
Cool, so you're taking the exam?
after dante yeah
Dante is a great Lab
yes but not worth the money
ye, plan is to write up a mock report as if it were a real assessment for extra report writing practice
I got it on the discount as well
on nice then it's worth it
Why? I had a lot of fun with Dante. From my point of view it was worth the money
I think hes just saying prolabs are pricey lol
Yes, they're expensive, but there's also a lot of work that goes into a lab like this.
oh yep for the fun of it then yes but a bunch of a bunch of easy box chained together to me isn't worth 122 USD
Side note Im pleased to find that learning tmux is part of the documentation module because its been on my to-learn list. Very convenient that its in the module for me.
i did talk to some one who done dante in like a few day and it's 122$
Well, it's certainly not for everyone. But for me it was a good lab to practice again things that I will probably need in CPTS.
It definitely helped me prepare and feel better for the exam.
for the exam then yep and looking back i should just go for dante and the exam because offshore is kicking me in the nut right now also mrb3n did say offshore it's over kill just for the exam so there is a chance that most of the thing i learn so far isn't even in the exam
In a video, mrb3n mentioned that the exam is between Dante and Offshore.
offshore has seemed more like the lab you do when you wanna start practicing some c2 stuff
oh yeah i think i get my info on the exam and offshore from that live stream
yes but the lab reset daily so that's kinda suck
i did see some mod talk about us lab get reset daily but so far i got the same on eu
Also check out the videos from bmdyy and CryptoCat. They contain good tips.
yeah watched those already
same and the 90+ page report scared me 
I think all labs are reset every day.
They let you and me into one of those labs. Something can get broken there
But many pages of them are printscreens
yeah i know but still 90+ page
This sounds like more than it actually is
at one point i see there is like 100+ people in dante so it make sense for that lab to be reset daily and offshore is a more advanced lab so people of course are going to test stuff that may break the lab but still can't use c2 is kinda suck
Yes, I know what you mean. Nevertheless, I think it is necessary. Things break when you try things and that's what this lab is for.
Of course, it would be cool if everyone got their own lab. So he can restart it when something is broken.
I wouldn't mind if there was a price increased option to have private instances for the lab
yes, something like that would be really cool
Hello everyone, i posted this earlier, I am in need of assistance with the LFI module on hackthebox. Specifically, I am currently stuck on the task of automating the scanning process for exposed parameters and attempting to exploit them using LFI wordlists to read the /flag.txt file. I have already attempted to fuzz the web application and find the parameter, as well as the webroot, but have not been successful in finding the flag.txt file. I have also attempted to view the /var/log/apache2/error|access.log using path traversal techniques in order to poison the logs, but have not been able to access them, suggesting that Apache logs are only readable by users with high privileges such as the root or adm groups. Can anyone provide guidance or assistance in this matter?
which section?
Automated scanning
@west canopy Can you forward this suggestion internally to the right place?
it gives you the location of flag.txt in the question
i have spent considerable amount of time on the question, i have made progress on finding the parameter, and the exploits from the wordlist to find the webroot, but i still cant find the flag.txt
DM
sure
like I said, the question gives you the location, its in root, not webroot
From my point of view, Dante was really cool. But AD is not included much. You might have to train that somewhere else. Offshore perhaps?
But everything else you can train in it. I would definitely recommend Dante as an exam preparation.
Personally the AD module clicked pretty well with me so I'm not too worried about that section. 90% of the issues I had was just me being stubborn about my preferred tools and methods.
Otherwise I'd say pretty confidently I nailed the assessments.
Haha, yes I know what you mean
I'm not too worried about AD considering I did both those skills assessments back to back in a little under 8 hours.
Any AD practice I can do in my lab
It's everything else I need to practice
setting up a private AD lab is on my todo list
Then practice Dante
Lots of fun ways to do it. I'd highly advise scripting out a lot of the setup. Being able to setup an entire new domain with 1 or 2 scripts is amazing
Maybe I should also build an AD Lab
If you enjoy AD it's a lot of fun
But first I'm doing Offshore now and all the new modules here at the Academy. They're killing me. They're putting out modules faster than I can learn them.
i feel the same way
Lmao. Yea. There's so much to learn
I had a massive todo list before I started academy. Now it just keeps growing
@mild mango eats me for breakfast
i can't open myd files how can i open this file
There are definitely some modules I have on my list I wanna do after CPTS, but gotta save up for OSCP after first.
what module is this in regards to?
is there anything else i need to learn outside of the penetration tester path to complete dante
i was looking at the reviews and some say that they did buffer overflow exploits
There are two modules for BOF in the Academy. However, I was able to solve Dante without BOF.
alright good to know. will probably do dante before cpts then
yeah usually Dante is recommended as prep for CPTS not the other way around. We were actually just discussing it for exactly that reason a little earlier lol
But I am happy about the new modules. They make me poor, but the content is certainly cool.
So I spend my money for further education
Has anyone done the "WINDOWS PRIVILEGE ESCALATION - Pillaging"?
I may need a hint
Where exactly are you stuck?
"Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer."
I restored a backup containing SAM and SYSTEM Files
I retrieved the hashes with samdump2 but it wont accept the answer
there's a specific part of the hash they want
I think it's the nt hash part but Idr
The hash starts with bac9d....
I tried every combination
Are you sure you don't have any spaces at the end?
after a second look on the hashes from all accounts - they are mostly the same.
Never use samdump2, use secretsdump
Funnily enough I just told that to someone else who was struggling with the password attacks module
nvm
sorry, I guess I was a little bit late. You can message it in private if you want
it wasn't me
did you get the hash?
yea
then everything's good
Yea I know. Was just pointing out that it's funny
Hey guys, can anyone help me on Module AD Enumeration & Attacks - Skills Assessment Part I and 3 answer "Crack the account's password. Submit the cleartext value."? I'm stuck :(... I have logged in to MS01 and WEB01 and found a flag.txt but have not found a password for svc_sql
Hey guys i need help
How to install the von
Vpn
I have problems to install the ovpn
What's your OS, what did you try, what's the error message
Have problems with the terminal install
you need to supply more information than that or else nobody can help you
shoot me a dm
ok found hash and crack
What are the issues specifically? Openvpn tends to be pretty straightforward
can someone tell if you have connection to this machine
So now the next question is, what are you having trouble with? If you're trying to nmap it, don't
no i just didn't have connection to it
Not sure then
Good luck with your answers
Hi guys! Any help on Predictable Reset Token? Kinda lost to be honest, script doesn't seem to work and idk why
Hi!
New Member to the Academy. I'm working on Public Exploits (Page 9) of the Pentesting Basics. I'm trying to answer the question, but neither the instance nor my Kali with an active VPN tunnel can hit the box. Trying to do a Nmap to find out what services are running. They both get the same error: it can't reach the machine's IP. Any help is appreciated. I've reset the target and instance multiple times. Current target is: 178.128.37.153:30664
That's a docker machine. You can't ping it. Usually you're not supposed to nmap them either. Don't remember that module but it's likely hosting a website (or some other service that you're told about in the exercise description)
@graceful rampart Thanks for the quick reply. The lesson is an introduction to Metasploit. The question is "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)" So was thinking enumeration with nmap to find out software versions. Will poke further. Thanks!
Np
@graceful rampart Yep you were right. Website.
