#modules
ye mean through the web manager or on the host?
thru the manager
have you completed the hacking wordpress module?
check out Remote Code Execution (RCE) via the Theme Editor
you can get a shell that way and find flag4
No, was finishing up this module to finish through and start back in a linear manner completing the CPTS path
Curious, I did this before on a past box where I had to upload the war file to get a shell, is this not possible on this box? Just wanting to make sure I am not missing something. But I will look at what you suggested
I have done the same but I do not know if it will work or not in this module. I used the theme editor method and never went back
I guess the trick is to discover the upload directory
i found it on the host, it allows me access to other resources via the web manager but not the one I uploaded
on windows privilege escalation, looks like I need Sysinternals but it is not installed
can people recommend some modules that talk about 'living off the land'? i know the file transfers module talks about it a bit, does the linux/windows priv esc modules talk about it as well?
ty sir
see: GTFOBins, LOLBAS, and WADComs
actually not WADComs
Hi everyone, looking to copy a file from target to HTB Pwnbox - I might be missing something.
The command i use on target connected via ssh is
scp file htb-userNumber@htb-host:~/Desktop
in which it cannot DNS-resolve the host part.
Anyone know how I could fix my command to make it work?
Without any DNS, using the IP, I would do something like
scp file myUser@myIP:~/home/user
yeah I'm familiar with GTFOBins and LOLBAS. was helping someone else and wanted to point them in the right direction to find more information on them and some examples in modules
you're specifying something that doesn't exist; ~ is already the command-line shortcut for /home/user/, so you're putting in /home/user/home/user. If you want to specify the home directory without the ~, it'd be in the form :/home/user
Right, thanks for this. I don't think the problem is coming from here tho, it has to do with the way I'm writing the Pwnbox IP in the scp command I think
I wish I could post the screen but basically I get "ssh could not resolve hostname htb-host : temporary failure in name resolution". Of course the "htb-host" string is replaced by my Pwnbox information.
I'm in the Getting Started module and I was trying to scp the id_rsa key instead of copy/pasting the text.
Write the host and IP in /etc/hosts on your attacking machine. Example:
10.10.10.10 htb-host.htb
EDIT: Don't have permission to modify this, I believe I just don't write the Pwnbox IP properly, with the tunneling and the VPN it's out of my skill scope right now
sudo vi /etc/hosts?
on Pwnbox it works no problem, but I want to send from target to Pwnbox
and on target i can't do that, i don't have root access at that point of the box - just access to one user
NANO PLEASE
what the heck is nano?

Can someone help me with this on using Hydra, I have never seen this happen to me before. I am working on the Login Brute Force - Username Brute Force Module.
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/rockyou.txt -u -f 134.122.105.9 -s 31710 http-get / -vv -t 64 -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-16 11:41:33
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 64 tasks per 1 server, overall 64 tasks, 145982948623 login tries (l:10177/p:14344399), ~2280983573 tries per task
[DATA] attacking http-get://134.122.105.9:31710/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Retrying connection for child 31
[VERBOSE] Retrying connection for child 20
[VERBOSE] Retrying connection for child 41
[VERBOSE] Retrying connection for child 33
[VERBOSE] Retrying connection for child 10
[VERBOSE] Retrying connection for child 58
[VERBOSE] Retrying connection for child 62
[VERBOSE] Retrying connection for child 7
[VERBOSE] Retrying connection for child 24
[VERBOSE] Retrying connection for child 50
[VERBOSE] Retrying connection for child 18
[VERBOSE] Retrying connection for child 49
[VERBOSE] Retrying connection for child 19
[VERBOSE] Retrying connection for child 30
[VERBOSE] Retrying connection for child 44
[VERBOSE] Retrying connection for child 6
[VERBOSE] Retrying connection for child 29
[VERBOSE] Retrying connection for child 59
[STATUS] 921.00 tries/min, 921 tries in 00:01h, 145982947702 to do in 2641747:10h, 64 active
macro installed
@autumn pilot linux! It's the target in "GETTING STARTED Privilege Escalation" - basically they ask to copy the content of a file on the target to my Pwnbox VM (won't spoil the exercise tho). Instead of copying/pasting I would like to send the file with scp, but I can't write the Pwnbox IP properly it seems -> scp file htb-user@<IP>:~/Desktop I believe the IP is not standard since it's a VM on a HTB cluster, I thought it was htb-Numbers (what I can read on the terminal in the Pwnbox) but it seems that I'm wrong
was there not a provided username list in resources?
not that i can see, this is the command they highlight in the example.
hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 178.35.49.134 -s 32901 http-get /
so if you look on the right-hand side or bottom of the page there is not a "resources" button?
that's what I'm asking
tun0 -> grep IP
i'm not caring about the example; the example is just an example
Let me try this, obviously ๐ Thanks
I can get the creds if I just run it when looking for either the user name or the password by itself but not like this
have you tried lowering the thread count just to see if it's trying to run too many threads at a time?
also ran it with default thread count
are you sure you need http-get and not something else
following the module, since it's Basic HTTP Authentication it's using the Request Method
also, have you checked the target if it's working
yeah because I was able to get it with just the user
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -p admin -u -f 144.126.206.114 -s 31299 http-get / -vv -T 64 -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-16 11:57:16
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 10177 login tries (l:10177/p:1), ~637 tries per task
[DATA] attacking http-get://144.126.206.114:31299/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[31299][http-get] host: 144.126.206.114 login: admin password: admin
[STATUS] attack finished for 144.126.206.114 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-02-16 11:57:19
okay, so what is the problem
the module calls for you to use a password list and a user name list
yes?
hydra -L /usr/share/wordlists/seclists/Usernames/Names/names.txt -P /usr/share/wordlists/seclists/Passwords/darkweb2017-top100.txt -u -f 144.126.206.114 -s 31299 http-get / -vv -I
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-16 11:58:13
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1007523 login tries (l:10177/p:99), ~62971 tries per task
[DATA] attacking http-get://144.126.206.114:31299/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[STATUS] 781.00 tries/min, 781 tries in 00:01h, 1006742 to do in 21:30h, 16 active
[VERBOSE] Retrying connection for child 12
[VERBOSE] Retrying connection for child 9
that is the results when running a username and password list
sounds like you need a better list
I don't see any issues. Looks like it's retrying requests, but just turn off verbose
Unless it's failing all requests
maybe with the 64 threads that you've used before you could have DoS'ed the target
^
I'll reset and try that, the darkweb list was me just seeing if I would get a different result than using rockyou because admin isn't in the darkweb
Anyone mind nudging, still stuck on trying to get the shell to work.
Someone could help with this question?
Password Attacks - Pass the Ticket (PtP) from Linux
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
I've been stuck here a long, long time.
trying to find the LINUX01$ ticket?
think: there is a service that runs the connection to the Kerberos server - so there must be a filepath that relates to that service
must i connect with root account?
do you have the root password? remember you're only impersonating their KERBEROS information NOT their USER information
hello did anyone do the "Attacking LSASS" ?
hint for finding the filepath to look into; it relates to Securing System Services
svc_workstations is root
@novel matrix
well yes but that wasn't really the core of my hint
I got the hash only for the htb-student from the lsass.dmp file..
also svc_workstations can switch to root; but is not inherently root
im not sure what the question is looking for..
please change your name so you don't get whacked by mods with a name like "Andy McVerify"
damn that is so confusing
I did this module recently. You are going to need to be someone else besides david, and find where the Kerberos tickets are located on the host.
Thank you!
think about it this way; even as your user in your linux terminal you still need to use SUDO to do things
if you have an account on http://hackthebox.com you can also verify that account in #bot-commands by typing in ++verify there
@graceful mortar Look at the note under Identifying keytab files in cronjobs
As well the output of: realm list to see what groups can connect.. and what users you can impersonate that might have what you need
oh man...I had the flag 60min ago...it always said it is not correct... search for another... then I thought okay..it has to be that..refreshed the page...said not correct...then I searched again...nothing else found...
I logged out...logged in again, tried the same flag...said nope...really no joke..I searched again...found nothing...tried again the same flag and the id says it is CORRECT?!?
so this is really annoying.....
people are more willing to help if you provide more information in your question btw; just "i need help, or can anyone help" is broad. As I've finished the module/section it's best to ask more pointed questions such as I am in as {user} but can't seem to get {function} to work
extra spaces can be a bitch I always go to the start hit backspace a few times, and end hit del a few times to be sure
i am really 99% sure i have checked blanks also from the beginning.......
again even if you don't see a blank doesn't mean one can't be there
i know
Can i get assistance on windows privilege escalation for the creds of bob_adm
This question?
Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system
is it the one in stuff.txt?
what?
What section and question are you in? What do you need help with?
windows priv esc module. section is 'other files'. question is what is the plaintext password for bob_adm. I'm trying to replicate the steps in the section but I can't figure out the password
Where do users like to store passwords? A solution was discussed in the module.
in places that make sysadmins mad :)
hello, I'm trying to practice the section DNS Tunneling with Dnscat2 in module PIVOTING, TUNNELING, AND PORT FORWARDING. But when I try to run dnscat2.ps1 on the target I get: Import-Module : File C:\users\htb-student\Downloads\dnscat2.ps1 cannot be loaded. The file
C:\users\htb-student\Downloads\dnscat2.ps1 is not digitally signed. You cannot run this script on the current system.
I've tried both cmd and powershells as admin
Set-ExecutionPolicy Bypass -Scope Process
hi guys
thanks, that fixed it. I didn't see that covered in the section
LLPE - Skill Assessment: Is it possible to || priv esc via the tomcat manager that is hosting on port 8080? What about the user mrb3n, is it possible to find their creds as well? ||
i don't know if it was mentioned in the module.
Here you can read more about execution policies
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_execution_policies?view=powershell-5.1
thanks
disable real-time protection also works
Linux Local Privilege Escalation - Skills Assessment: I pwned the box, but I don't think I went the route that the module was trying to make you do. Found another exploit and got root. Didn't utilize the vulnerable external services.
Yes, || Polkit || works. But there is nothing to prevent you from trying the other way.
anyone knows how can I connect to the target in Attacking SQL database module? So confusing.
I was successful in trying the other way or actual route the module wanted you to go. || Up until the point of executing the war reverse shell file I uploaded via the tomcat manager. For some reason it wouldn't allow me access to the directory where the file I uploaded was but would allow me access to the other directories. Not sure if it is some configuration issue that I have to solve. ||
Which section?
I'm trying to answer the first question, password for the mssqlsvc, but I don't know how I can connect to the target. Should I first connect to the IP with RDP or what?
sometimes I feel the direction is not clear, or maybe it's me
No
For accessing the database, do you know what kind it is? Mysql or mssql? @compact raft
Yes and I did that and keep getting error
How you access it depends on which one, and how to access it you'll find in the information at the/near the top of the page
What ye try?
First MySQL and sqsh and impacket. Nothing working for me
I see port 1433 is open but nothing is working.
Have you tried mssqlclient.py?
Yup
Have you tried --windows-auth flag with it?
Check the syntax on that flag tho
Away from computer rn
Let me try that
does JuicyPotato not work anymore? I'm trying it for the skills assessment for the Windows priv esc module
Yes, it works, but you need the right CLSID
https://github.com/ohpe/juicy-potato/tree/master/Test
I am stuck Password Attacks - Hard Lab. How do I download the .vhd file to my machine. Attempted smbclient and received a timeout error and also with crackmapexec utilizing module spiderplus to no avail.
Thank you. I will try
That's how I did it
In section RDP and SOCKS Tunneling with SocksOverRDP of Tunneling mod, is there a reason why the Windows host is deleting dlls?
cause I'm trying to copy over the SocksOverRDP binaries
very frustrating
very broad question haha
are you wanting to learn?
if so you are in the right place
So I personally would recommend picking a domain that you are interested in first
Then I would highly recommend certs. You can technically learn everything for free but IMHO a cert is the most efficient way to learn. You don't need to compile your resources or find out what you don't know that you don't know. You also usually get labs for certs.
After that start using said knowledge from that cert
For example there are many entry level certs like OSCP, CPTS, PNPT, Etc that will help with some of the basics. Which one is right for you depends because everyone is different
So for example if your interest was learning web exploitation you could pick a cert, get said cert, and then practice BBs
This 'killchain' is how you would learn a certain domain.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@stoic swift This is also a good resource
Also fundamental IT knowledge like Linux, Windows, Web Applications, AD could be helpful for what you are interested in
that's not really a getting started subject lol
even trashy basic rootkits that get caught by AV and EDR are still pretty advanced subjects
also out of the scope of this channel, this is for discussing academy modules

For the life of me, I can't get the module Public Exploits to work. I keep retrying it every couple days, and have not gotten it to work. It always spawns on some weird port that just will not version check
any ideas ?
i can try to help
thanks! I checked erratum. I know what is supposed to happen, I just cant do it
what module and section???
I run the nmap scan on both the ip, and the ip + port. Nothing for both. One of the first ones, Public Exploits
is this on getting started?
yes
Can i see the nmap error?
No error, just no response.
```
nmap -sV -Pn -p 31423 $ip1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-16 20:06 EST
Nmap scan report for 134.209.17.36
Host is up.
PORT STATE SERVICE VERSION
31423/tcp filtered unknown
```
or just
```
nmap -sV $ip1
Starting Nmap 7.92 ( https://nmap.org ) at 2023-02-16 20:05 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.42 seconds
```
it's been a long time since I have done the module.
have you tried full port scan?
you are just scanning 1 port
it's just a good blogpost on getting started
I have, Yeah. it was a while ago when I did that. Why would it give me a port?
one sec. I am going to try doing the section really quick on my machine
I have also tried the bash one liner and nmap ping sweep
Yes and no.
bruh the website is for this discord server lol
have you tried looking at the ip and port in your browser?
I have, I know what its supposed to do. Even knowing that, I have no luck. Did you get it to work?
well you should find the exploit for what is running
no you are close lol. If you need more help just dm
also new puss in boots is great
use searchsploit or google
you should quite literally see many results for the exploit if you google it
then run said exploit in msfconsole and you are golden
I am confused lol. Defs overthinking. Help would be appreciated.
Such a hard module.
Nm. Issue has been resolved
I don't know how i was supposed to know how to use that network tho lol
you should clog chat for records so people can use the search function
Bruh that's from months ago
Really? I think this is one of the easier ones
Thanks for rubbing it in jerk.
love you
the easiest module is password attacks
I'm working through academy from the pwnbox and none of the ip addresses are pinging. When I run the nmap scan it says host is down. What can I do?
hi i need help -.-
can i see the exact error? You might need to specify -Pn ?
in German pls ^^
Welcome! I don't know german haha. Have you read the #rules ?
hey ty @raven cairn yeah I had but my English is soooo bad and it's so much to tell ^^
when I run -Pn
I don't know if there are many german speakers here tbh
It's not allowing me to ping any target. I even changed modules
I'm sorry but I can't get rid of my hacker -.- are there any commands for cmd? register cleaning or remove github?
not the server for that
use Grammarly as well as google translate.
em okay do you really mean it? I would like to post a job but when u say that's not the right server for me... then I found anyone else who made it ... I can't start my iphone or else I must pay 8k € it's so f:::: SH!! -.- sorry if I'm wrong, it's okay ... but anyone interested in catching the hacker, contact me pls .. it's been going on about 7 months and now I've had enough .. I hope u all can understand it -.- I can not work .. I'm at home and then so much money wasted ,... sorry but that's my last chance
nono i must learn it again ^^
On the Windows Privilege Escalation Skills Assessment - Part I Question #2: Find the password for the ldapadmin account somewhere on the system. After I escalated myself to nt authority\system, I am trying to run ||findstr /SIM /C:"ldapadmin" *.txt *.ini *.cfg *.config *.xml ||However, I get a memory error when trying to do this. Is there another way I should be doing this?
The only port that is open is 53; and although that is valid, I feel like its not the direction it wants me to go
this isn't tech support and this is literally against the rules, so fuck off.
its okay i say sorry
i dont need support ^^
anyone who can help in IDS/IPS evasion medium level , job-role path
which module? the footprinting?
ok yea this one
i DMd you
starting the AD enumeration and attack module, wish my mental health good luck
All the best. I am at the ending of the module, I think today will be the last day for me at the AD Enum and Attack module.
How did you find it ?
Fun
Very interesting
Frustrated
All in one
@dim cosmos just be consistent
Did you figure this out?
Good luck! The skills assessments are challenging but fun.
Hi @here, can anyone help me with FILE UPLOAD ATTACKS Whitelist Filters?
Hello, does anyone know the answer to this question? I guess it's not SQL injection.
What is the 2021 OWASP Top 10 classification for this vulnerability?
I keep seeing Broken Access Control at the top of the list.
A03:2021-Injection
depends
port forwarding and tunneling, part with netsh.
could somebody explain this. I don't get it
Is it just the port forwarding aspect you don't get?
They use this command in the explanation: Using Netsh.exe to Port Forward ==> C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25
and after that they verify: netsh.exe interface portproxy show v4tov4 and the output is this:
the verifying part does not match with the specified ips above, right?
those are examples
the point is that your spawned target can communicate internally on a different network with another machine (windows server)
not sure if my diagram is understandable, but at least it gives a somewhat friendlier look
thanks a lot!
i did this:
but it did not work. do I totally not understand it...? or a small error?
never mind...had a typo...
Hi, did you find a way for privesc ? Could you give me a hint ?
Hi, in SQLMap essentials: Running SQLMap on an HTTP Request
I've run SQLMap to get all the DB entries, which display in my shell.
The question is: What's the contents of table flag2? (Case #2)
What does HTB mean by this?
@sudden galleon ssh with root
I see the entire table (which I'm assuming is flag2?). Do I need to enter a flag? Cause I can't find any. I tried the table name, but I don't see any other input I could give (besides guessing what the type of data would be, like credentials, users, etc.)
That feeling when you do Attacking Common Services - Easy for hours, and then you do Attacking Common Services - Medium in 5 minutes
The flag is an actual row in one of the columns of that table.
I got the flag! Thanks a lot!
@sudden galleon no problem
I must be doing something wrong then. I don't see any flag. Is it the HTB{Randommumbojumo} format?
Yes
If you did things right and there was no data in the table, try resetting your target. It's weird though.
There is data in the table (32 rows). It's just.. all "normal" user data. There is a random string at the bottom but I tried that, that's not the flag either
If I remember correctly, there should only be 1 row in that table.
In firefox I did CTRL+F '{' but it returned nothing
DM me what you tried and the result. I'll reply to it in a bit, making lunch :p
Thankss!
Module :Password-Attacks
Section :Protected-Archives:
i am unable to crack Kira's file Notes.zip.
I tried Hashcat, John, didn't work. Any hint?
Module : Footprinting
Section : Easy lab
I need Help with this please!
which wordlist are you using? Use the one given in the htb. You will get the password by using John.
what do you need help with?
oooh, I was using rockyou
I will try! thanks evil man
it's the same password.
You have to use zip2john first > file.txt then crack with john or use fcrackzip
Aha ok i will try thanks
Yes i did but i think i will use the mut.list and try again, thanks
that suggestion was for a different person, can you tell me where you got stuck?
yeah I notice that, I am still trying. there's only one question
It's not a huge password, so don't waste time by waiting for a long time. It will give you immediately or else you are doing something wrong.
all the best, if you have any doubts ping me.
but do I have to get a hash then use john? I used ssh-audit.py
they gave me ssh credentials in the hint
I'm confused now, are you talking about the footprinting one or the password attacks module
the footprinting, the easy lab
for this, download all the files from ftp 2121
change the permissions of the file
search for the flag after login.
Hope this should help.
Hi,
On the Footprinting module, IPMI section.
At the last question we need to enter the password.
I have dumped the hash with metasploit.
I use hashcat with the command in the course, it has been running for a while without result.
Metasploit didn't decrypt it either and I can't find any way to decrypt it.
that help a lot! I will try, thanks
it all depends on the wordlist you use.
I think you have to use rockyou
or another wordlist
but not the default one metasploit gives you
Oh yes i understand my error it's good, thanks !
well I tried nc, telnet, openssl, ftp and I couldn't find anything
Are you sure? Did you scan with nmap and check what services were running?
well nmap -sV gave me this:
21/tcp open ftp?
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
53/tcp open domain ISC BIND 9.16.1 (Ubuntu Linux)
2121/tcp open ftp ProFTPD
did you brute force the ftp service
you mean with the nmap script ftp-brute ?
No, there is a wordlist given in the resources, use it and bruteforce the ftp service using hydra or any brute force tool.
..
I can't find the resources
the footprinting module the easy lab
maaaaan
there I found it
sorry I didn't see it
When you open the htb footprinting module, check at the right side of your screen there will be an option called "Resources". Download from there.
no worries, mate.
thanks
Anyone on this one?
what..?
Module : Footprinting, Section : DNS
Hello, the first question of this section is: Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
I don't know what exactly they are asking for. Is there any FQDN like HTB{xxxx}?
tks
FQDN (fully qualified domain name)
Module Footprinting Section SMTP:
Question:
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
This is what i have tried
telnet <IP> 25
Tried with VRFY different Username
Do i have to use smtp-user-enum??
i got the same result 0 cracked, i might be doing smth wrong )
can you send me the command you used
Hi, I'm in the "Shells and Payloads" module in the Live engagement and idk what to do with host 1, I tried all the upload exploits with different configurations with the correct interface IP and nothing.. Any hint please?
did you try the onesixtyone tool
i know about the lhost part but it's an Apache server, it doesn't have smb
There are 2 ways, DM for specifics
ok
No not yet. The hint was:On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response times.
what happened when you tried to upload the war file?
So I used a couple of name text files in /opt/useful/SecLists/Usernames/Names/ none of them returned results
you should use the lists that are present in the resources. If you open the module, and check at the top right corner you will find resources click on it and download the files and use them.
IM STUPID THANKS
Hi, have you found a way to mount it? I tried with 'guestmount' but I received some errors after entering the BitLocker password
so im on the command line injection module for bug bounty training, no matter what i do i cant seem to be able to pull up the target page in my browser
nvm I used the power of restart instance and it fixed it
try this https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Yes, after try hard a little i opened vhd on windows box and got files. Thanks anyway
ook bye
??
#Module Password Attacks
Section Pass the Ticket (PtT) from Linux
Question : Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
The flag retrieved isn't accepted.
Can someone help me with this part?
get the file and cat it on your attack box
Anyone stuck on the "Footprinting Lab - Hard" ? I could discover the SNMP-Server running on v3. As far as I know, v3 does not support/allow any community-strings, right?
Everything I read about the lab was about finding the right community-string, but it seems impossible to me in this case. Could nmap give me a wrong version of the snmp-server?
of course yes but error appears
JuL1()_xxx_xxxx
iirc one of those domain share files has garbled text in it and i don't remember if it was that one or not
if it's not accepting the flag just make sure there are no trailing whitespaces
I've tried all of that, with spaces and without spaces and it doesn't work
i'm not sure then
i never did a version scan but you might want to try anyway
Ik the answer to this but HTB is saying its wrong
like ive used burp and Ik which operator isnt blacklisted but putting it in says incorrect
like i feel bad cause i had to hit the discord request help button but this is like 100% something simple i must be missing
I'm pretty sure it's v3 after doing some more research.
can't hurt to try and find the string anyway, right?
when i open an instance it turns blank does anyone know how to solve this?
Yeah I had this same question, because v3 uses username/authentication not community strings but I just treated it like I would a v2c and it worked lol
lol, tried the same with onesixtyone but wasn't successful
try again look closely at the results, both snmp dictionaries from seclists actually work. XD
how fast do you have onesixtyone running?
just tried another snmp-dictionary... it worked!
Still confused, why this works with v3
snmpwalk works with the -v2c flag tho. Nmap might have tricked us
Guys related to cybersecurity certs how often should i get one?
you might want to ask that in #careers-and-certs
No channel like this
Yes there is nothing related
yeah
you need to verify yourself to see the rest of the channels
it might be ok to ask in #cpts but it's probably safer to ask in the other channel
this is only applicable if i'd want to connect with my own computer instead of an instance right?
Yep, you will use that file to connect to vpn
any idea why instances just blank out the whole time?
im using chrome dont know if thats the issue
resources? not sure. its better practice to use your own VM
i don't think so
What did wrong?
i'm not sure..
Hi,
Anyone have a hint for me for the Footprinting Lab - Medium
I'm connected with the RDP but I can't find any clues to get the database username and password.
There is an ||"important"|| file
Yes, thank you, I've looked around and I don't see which file it is.
It is certainly very stupid but I can't find it.
DM
Where's Kira's cracked password in Password Attacks module: Protected Files?
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I didn't understand this question
ssh key are normally located here:
~/.ssh
@acoustic owl ok but how do I connect to the SSH?
ssh user@ip
lol
I don't have the target password
The question doesn't give me Kira's cracked password
You cracked the password in a previous lesson, right?
thats a module where you really want to be logging that sort of thing lul
I transfer the chisel binary to a host, and then when I do: ./chisel server -v -p 1234 --socks5
this comes up:
what am I doing wrong?
Have a look at the section Credential Hunting in Linux
Question on SQL Map - I am finding the flag, but I can't seem to find out the why. For example Case #6 hint. I have looked through burp and inspected the page and can not find out what would have lead to me that hint.
@acoustic owl lol, I need to do this lesson again to get Kira's password?
If you have not noted the creds, then yes
Hi, anyone for HttpMisconfiguration Skills Hard ? Payload locally works I'm not sure admin bot working
Write down each command you use and the corresponding output. You might need these things again.
im crying now
The pass attacks module you will bounce back and forth between the same sets of users
has anybody done the Pivoting, Tunneling module part SOCKS5 tunneling with chisel and knows why this error occurs when I transfer the chisel binary to the Ubuntu host?
./chisel: error while loading shared libraries: libgo.so.21: cannot open shared object file: No such file or directory
this error occurs after I do: ./chisel server -v -p 1234 --socks5
might be a bug in that module...
Have you tried to re-download Chisel?
yes
and at my own host the command is working fine
I think it is already reported
Try to download an older version of Chisel.
The module was released on 3 June 22. Take a version of Chisel from that time.
Maybe 1.7.7 will work
https://github.com/jpillora/chisel/releases/tag/v1.7.7
thanks i will try
yeah, try an older version
this version did not work
Same error?
Did you compile yourself or did you download the binaries?
If you have compiled yourself, try downloading the binaries and see if the error still exists.
compiled myself. will try that. thanks
I've spent the last hour trying to get pypykatz to run on the Pwnbox. It's still not working. Anyone know of an alternative I can try to dump hashes from an lsass.dmp file? Preferably something that is not Python
could I DM you? I have a question regarding the precompiled file
For future reference, this works for me (if you do it before you break it):
pip3 install --upgrade pyopenssl==22.1.0
pip3 install pypykatz
pip3 install --upgrade minikerberos==0.3.5
Hello hackers, I'm finishing the "Doc.. & Report..." module and I found this "error" about the DISPLAY var
I used export to change it but nothing happened; I searched the internet but I don't know if I should change the Pwnbox config
Sorry for my English hahaha
SQLMAP Essentials Case#7 can I get a sanity check on my syntax for my SQLMAP
sqlmap --flush-session -u 'http://178.62.20.33:32615/case7.php?id=1' --level=5 --risk=3 --union-cols=1-5 --technique=U --dump
You're missing some details in your command. Take a look at the request when you try it on the browser. What else should you add?
What's case 7? I can't remember the details
DM me with a screenshot of the regular request from a browser and I'll try to guide you
yeah your missing one important thing look at what you received over burp
yeah case 7
now i got it and all i did was remove batch
yup the answer is staring at you in the face
no..
"/login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"
look at this
also, i wouldn't use the entire rockyou
I'm working through AD Enumeration & Attacks, and I have a question about the Internal Password Spraying from Linux section. When I run enum4linux and rpcclient, I get the same user list - about 500 users. When I run CME, I get a much larger list - about 2000 users. I've reloaded the box and this result reproduces on the second load. Does anyone know why the difference exists across tools?
theres faster ways to do rockyou which they cover in the module
unless you want to just run it and leave
What's the question on the page for case 7? That's what I can't remember
you just have to get the flag from using SQL Map i ended up getting it
i honestly have no clue why my commands didn't work though. if i identified -T flag7 it would fail and if I batched it would fail. Then when I ran it without those like in the example that i gave it worked on the second time
must be a gremlin
Its friday friday. Gonna get down on friday
In the module "Windows Privilege Escalation" , section "Credential Hunting", it's asking for a plaintext password as the answer. I have tried every password from "findstr", web.config, and the powershell history (all have passwords in cleartext) but none of them are accepted as the correct answer. The section also suggested looking for Unattend.xml (but it doesn't exist). Has anyone found the correct answer? Any help is appreciated. Thanks!
for what it's worth, i searched the chat history and 2 other people have found the same issue but no solutions seem to have been provided
have you looked for any application specific passwords?
maybe it's a bug
not a bug
these look to be the only 2 hits for application specific passwords
that passwords.txt file is full of passwords (too many to try w/o losing my mind)
using the syntax from the module, it suggests using the following: findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
there's a "stuff.txt" file that looks interesting but it doesn't like it
hint suggests start at C:\Users
tons of output to look through, will see what i can come up with - thanks
keep in mind the findstr commands starts looking from the directory youre currently in
this section is kinda annoying cause there are a couple diff cleartext passwords to find
yes, there are more than a few :/
but I did just verify that the box is still working
this let me specify c:\users : findstr /SIM /C:"password" "c:\users*"
never tried findstr like that
there's a "slash" not showing up in that command after users but before the asterisk - fwiw - discord is truncating it
ye, still never used findstr trying to specify a full path with wildcard
I'll trust ya if you say it works like that, just saying it's not how I managed to complete the section.
this SQLMAP Module is making my head hurt for case 8 how does this look
```
sqlmap --flush-session -u "http://178.62.20.33:31952/case8.php" --data="id=1&t0ken=CEoRAX8CzzsOp8GL1CvNJro0nSW8s8dbw56hryqcOP0" --csrf-token="t0ken" --batch --dump
```
Burp Intercept
```
POST /case8.php HTTP/1.1
Host: 178.62.20.33:31952
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 54
Origin: http://178.62.20.33:31952
Connection: close
Referer: http://178.62.20.33:31952/case8.php
Cookie: PHPSESSID=nqpms2o435bn3e6olfghd9lhqq
Upgrade-Insecure-Requests: 1
id=1&t0ken=CEoRAX8CzzsOp8GL1CvNJro0nSW8s8dbw56hryqcOP0
```
end of my results
```
[16:33:08] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[16:33:14] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[16:33:19] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[16:33:25] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[16:33:30] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK - comment)'
[16:33:33] [INFO] testing 'MySQL < 5.0.12 stacked queries (BENCHMARK)'
[16:33:35] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[16:33:41] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[16:33:46] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[16:33:52] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[16:34:52] [CRITICAL] anti-CSRF token 't0ken' can't be found at 'http://178.62.20.33:31952/case8.php'. You can try to rerun by providing a valid value for option '--csrf-url'
```
Need help in the last flag "crackmapexec skill assessment"
btw, this is really helpful to ignore error lines
i got it! thanks again @thorn urchin
np
Not sure what you mean by 'does not work as intended', but it should definitely work.
I encountered no bugs with this module. You might want to go over everything again, and make sure all of your parameters are correct.
guys I'm stuck at the "find flag at / directory" part of File Inclusion RCE, help pls
Hi, I have a problem with module footprinting -> dns -> What is the FQDN of the host where the last octet ends with "x.x.x.203"? I have tried everything but I can't find this last question can someone help me?
Subdomains of subdomains
That's just in the inlanefreight axfr you can go deeper. Try zone transferring to any of the other subdomains
ok I re try thx
Help pls
hi everyone
I am stuck on Password Attacks - Hard Lab. I've been attempting to mount the .vhd file to my machine. May I DM someone on the steps I'm using to mount the .vhd file?
Hello everyone! I'm trying to get this answer from the Command Prompt Basic. The question is: In what directory can the cmd executable be found? (just the folder name as answer) Hint: there are 32 flavors of files and folders in this directory located at "C:\Windows". I have been stuck on this thing for two days now. If anyone can lead me in the right direction that will be great.
Try googling command prompt location in Windows
@magic valve I will do that. Thanks for the info
No problem
Hi, any idea how to do an automatic process migration as soon as a reverse shell is open? something like a script or something
Have you found any interesting files that may help you with rce?
DM if still stuck
if you have a meterpreter shell you can use migrate for that
You can use session startup scripts in metasploit
@late wave what if the answer is Syst--32
can we connect to the modules through vpn
or can we only solve through pwnbox
could someone send a guide if possible
There are instructions in the "Getting Started" module, it is probably also in one of the FAQ's.
tried those didnt work
So you followed the official guide and now you are looking for another guide? Perhaps you should be describing the problem you are having instead?
ok so i can connect to the vpn with the ovpn file
but i cant access the spawned target
You are connecting to the vpn within your Linux box and are getting your tun0 adapter?
yes i connect to the vpn through my virtual machine
You are seeing your tun0 adapter? It should just work unless you have a weird networking setup on your side, or you have connected to multiple VPN's or connected multiple times.
Hi, I'm stuck on getting initial creds in the Password Attacks Medium lab, can someone help?
Hi, Anyone for HTTPMisconfiguration Skills assessment 2 ? Just one problem to ask
@lyric inlet what is the question?
@shadow verge I have a working payload, I have a doubt if the admin bot connect to the vulnerable webpage
@I can mp you ?
okay
You can try a traceroute to the target IP and make sure it is passing through the tun0 gateway. Other than that, can't really help you mate. Nobody knows what setup you have except you and attempting to obtain one piece of information at a time takes way too long.
ohk thanks for your help
Still haven't received an answer on this one. Anyone?
anybody know why I got this error using crackmapexec in Pwnbox? In my Kali Linux it works....
are you sure that this is the name of the file
need --local-auth?
nope, as he is passing a file which actually is not a file
therefore it gets considered as a password
@graceful mortar use the absolute path for your password file (/home/htb-/mut_password.list)
Can anyone give me a hint on Case 5 of Attacktuning of SQLMap essentials?
Increase the || level and risk ||
Ah i'll give that a try! Thank you
The version on pwnbox is a bit wonky and doesn't handle file resolution very well. As ccjell suggested, use the absolute path or since you are in your home directory you can also use ~/mut_password.list
makes sense
anyone have a rough idea how long the Get-DomainObjectACL command takes to run in the AD enumeration module?
not sure if its borked and i need to reset
Were you using the wildcard identity?
If so, it can take a LOT of time.
I would recommend setting it to a variable, without any parsing, in case you need to check multiple times. Something like
$variable = Get-DomainObjectACL -Identity *
yes wildcard identity
That way, you can always just pipe from the variable instead.
oic, nice tip, many thanks
If you change anything, obviously the variable won't reflect that. However, I'd always set up a baseline variable with it, since waiting 5-10 minutes for it to finish each time is not great.
i actually just changed it from wildcard to the specific CN i was interested in
didn't realise the wildcard would make it such a long wait
That works if you want to know what has an ACL over the specific entity, but not if you want to know what the entity has over others.
yeh the question just asks for objectacetype a user has over a named group
"What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
@novel matrix
Buddy, did you finally get out ahead of it?
yes thanks you
would you have any hints for me? it's been 2 days that I can't get through it
you try to find a subdomain of a subdomain but don't dwell on internal it leads to nothing
and i have a question, how did you get the "academy user "on discord rank?
using #bot-commands i think from memory
Booted
shame, i was looking forward to 47k per day
I found it there too. I think it's supposed to be like this. Tried to rdp on the ip 172.16.10.5 - i thought this is the one of the DC but never mind.
yea but i have no api key on my accounts academy.hackthebox
Yes I gained access to a command shell and when I did ls it showed me root files with akshakhdjansbpdhdkahsnd.txt. I thought it was the flag but it's not, I'm stuck there
Heya, I'm new in this world, I want to get more skills and start working in cyber security. What can you recommend as a first module or path for a beginner?
some tips to Password Attacks Hard lab?
Is it a recommendation?
In this lab you try to hack a password?
im trying
crack johanna
failing miserably
There should be only one file in the root directory like /flagYadayadayada.txt
Feel free to DM
Login Brute Forcing - Skills Assessment - Service Login, first part: I'm at the end of my wits here, getting 25 attempts/minute and looking at 24 hours of brute forcing a container that is reset every 90 minutes or so. If I had enemies, this is the challenge I would send them. Anyone, please? DM ok.
(I know the employee name, I have used both anarchy and cupp to create my lists, and I know how to use hydra)
should i use rockyou to crack johanna account in password attacks lab -hard?
the password of that user is quite simple
Did you remove all entries discussed in previous sections?
And I hoped you used the hint "first start only with first name"
Hello guys, for the "Hunting Credentials in Linux" section, the hint gave me a username and password which is Kira and LoveYou1, but when I ssh with the given username and password it says the password is wrong. Am I doing something wrong here?
:(...
I have done my sed's.. I did start with just the first name, but I then added another name.. and then set a couple of the yes/no params.. and now I'm having a bad day
It's been a while but I am 90% sure you need only the first name to generate the correct password
not even the y/n stuff? i did read the forum after a while, and there was a hint that this might be required
i just had to reset and am getting a blistering 580 requests/minute right now, so maybe this will work
I would suggest you run the brute forcing in pwnbox instead of openvpn as well , I had some problems getting the correct passwords in brute forcing module via openvpn
@dull zinc first name with all the yes/no options
thing is, the password list is not that long, but combined with the userlist it becomes .. well .. difficult
If SMTP is open, you may be able to verify users first that way
docker instance, not a vm, unfortunately
i seem to remember another brute forcing thing from another module where there was an ftp port open also that could be used, but ssh is horrible
hey, I'm on the module "Network Enumeration with Nmap", section "Host and Port Scanning". Seems like no matter what arguments I supply nmap with, I can't get it to divulge the hostname of my target?
DM me one of your outputs
You also may want to closely look at the Packet - trace results
thanks, that's one argument that I haven't tried actually. I'll have a look
tried to grep the results but I'm not entirely sure what to grep. I
I've scrolled through the results, about 2000 lines and still can't find it
Double check the commands given in that section
I ran another command in parallel that I found through some googling and eventually found the hostname. Reading up on specific options now to see which one of them was the responsible. Thanks a lot for the help
Did you try the -A switch?
I mean before the googling
I don't believe so. Also I just found out that the -sV switch alone didn't reveal the hostname. what I found by googling was ||nmap -PR -sS -sU -sV -O -T4 IP||. It worked but took 20 minutes. I'll try to experiment a bit more, and add the -A switch
Yeah I'm not getting a response at all now it seems, haha
The reason it took so long is because -sV does a version scan, -O is another scan that runs after to attempt to discover the OS
The weird thing is I did -O by itself before but it didn't reveal the hostname, neither did -sV by itself. But yeah, I might've accidentally abused the target a bit so currently respawning it
..Yeah, -A was quick and got me the info from a fresh target. Not sure why the hostname was truncated by 1 character in parts of the result but it worked. Thanks all, on to the next section
finally
Congrats!
thanks, now that weird looking man with the cigar can finally stop kicking me in my nut
also, should I write a test report for this? (and maybe send it to mrb3n for grading) After this I will say goodbye to society for a week for the exam and maybe a few days after that for emotional recovery if I fail, but I've got 162 note files in Obsidian so the reporting is going to be fun
I know that
Every time you think you're close, he stands there and hits you with the spoon.
Good luck with the exam
yeah this is actually kinda true for Offshore
Attacking DNS room: how long does subbrute take to complete?
awesome work Tom!!!
How to enable VT-x in Kali Linux
I'm running into stability issues with the target machine for module 103 (XSS). The target machine frequently hangs and stops replying to pings & http requests. I've tried resetting the machine, but that doesn't seem to help much.
This is an absurd joke, working through a module, terminate the instance cause I had some things to do and didn't want the time to run out, came back to continue through module later in the day, needed to spawn it again, but unless you pay for a plan vs buying cubes you can only spawn it once a day. scam.
can someone help me with the Directory Indexing - HACKING WP module?
Hi, I'm currently on the Intro to Python 3 module in the "Continuously Improving The Code" section and I can't reveal the answer (also I can't see the hints in any modules). Is that normal?
Hi everybody. I am working in the Skills Assessment -Web Fuzzing (Attacking Web Applications with FFUF). I cannot get the right answer the following question:
Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?
My answer: php, phps
But it is marked as wrong. I have the following identified vhosts: test, archive,faculty. I couldn't find any subdomain :(. I am not sure what I am doing wrong
I need help! Thanks
There is another extension.. search in faculty... (write the answer without ,)
for those doing Enumerating & Footprinting Services module which is part of CPTS, i have created this map which can help. just note many commands are out of what have been mentioned in the module. https://github.com/Osiris-OM/Cheat-sheet
hopefully it will be of help to someone
@timid osprey
anyone solve COMMAND INJECTIONS - Skills Assessment ?
Did you ever figure it out?
Yeap
For password attacks, can I get someone's hash of the mutated wordlist?
Mine seems to be incorrect
dang, i have new respect for Metasploit...this module is pretty fun
Can anyone help me on file inclusion assessment? I found hidden page and i know i need to exploit server log poisoning but the payloads dont work
You have to mutate that password and also lowercase
If you created the mutated list using the custom.rule and password.list from the resources you should be fine
hi guys
When I run the created list against the root user in Passwd, Shadow & Opasswd, I get no hits
Maybe my hashcat invocation is wrong?
I cant even recover Kira's password which I was able to bruteforce with hydra with the mutated wordlist
Did you do the unshadow; not to mention cutting the list down to just the users you need that cuts the time significantly
I'm doing abusing ACL's. I can change the damundsen password if I start a powershell session as wley but if i stick in the htb-user powershell and do the $secpassword and $cred objects I get errors when I try to do the Set-DomainUserPassword command with these credentials .... any ideas why?
I exhaust the password list before finding matching password, even for the Kira user, and yes, I unshadowed
Try rockyou then
Did that as well, unfortunately
I have to have screwed something up but I don't know what
Then idk what to tell you bro try recreating the wordlist with the rule and password and try again
working now, i must have made a typo or something
May I have some assistance with Password Attacks - Hard Lab. I cracked the hash for the .vhd file. I'm unable to mount it with guestmount. Looks like it is all processing correctly and asks for the passphrase and I input it and it continues to process with no errors it seems. When I navigate to the directory where I mounted it nothing is there.
If you're on a windows main system just mount it on your system
or use a windows vm
Or that
Oh okay. I was attempting through my Kali vm
nah needs windows
Gotcha. Thank you @dim cosmos and @fathom pendant
Can anyone help me on file inclusion assessment? I found hidden page and i know i need to exploit server log poisoning but the payloads dont work
Need some help on Linux Privilege Escalation/Special Permissions... I am not understanding the questions being asked to answer. What are they looking for?
need help with the SQLMap Essentials skill assessment, I already found the injectable parameter
it is missing the password parameter
for hydra you need both, a username and a password
if i remember correctly, there is a hint in the login of the page, in the question before
you need to create a dictionary for username and other for passwords
try mounting using the disk management tool
then it lets you do the thing
or just click empty space in the disk management tool
@magic valve
maybe I'm very stupid but I don't understand how to get these answers, can someone help or share some link where it's explained?
Submit the decimal representation of the subnet mask from the following CIDR: 10.200.20.0/27 | Submit the broadcast address of the following CIDR: 10.200.20.0/27 | Split the network 10.200.20.0/27 into 4 subnets and submit the network address of the 3rd subnet as the answer.
For SQLMAP Case#11 it talks about: Filtering of characters '<', '>' and with the hint I did pick the right tamper script because of the > but I am confused about the < part of it.
I was literally trying to filter those characters for a while. Can someone explain to me a bit more if I am missing something, because I feel like I just got lucky and guessed the right tamper script.
Metasploit Framework - Assessment: Looking for a hint, but if I put info here not sure if it will be a spoiler
can I throw someone a dm
Classless Inter-Domain Routing (CIDR ) is a method for allocating IP addresses and for IP routing. The Internet Engineering Task Force introduced CIDR in 1993 to replace the previous classful network addressing architecture on the Internet. Its goal was to slow the growth of routing tables on routers across the Internet, and to help slow the rap...
PetitPotam hurts my brain!
Anyone around that has completed the SQLMap assessment? I am still struggling with the Tamper-Scripts. I am pretty sure I am close to getting the flag but honestly still guessing.
Can someone help me with the filter contents module of the workflow section in linux fundamentals?
Nevermind, I found the command, it was ||ps aux||
Now I need help with the last question of the Linux fundamentals module.
ugh the pivoting module skill assessment not sure how to even take the first step ugh
anyone is doing the white box pentesting 101 module
This SQL MAP is really starting to troll me.....
Database: production
Table: final_flag
[1 entry]
+---------+---------+
| id | content |
+---------+---------+
| <blank> | <blank> |
+---------+---------+
I sat here letting it go very slow to finally get the table to dump and this is what I get? Am I missing a completely different area to look?
Pivoting; Tunneling; Port Forwarding Skills Assessment ugh not sure how to do this if there was a section that talked about this i don't mind being pointed to it but the section on webshells is not really existent
You figure it out?
yeah
i forgot to set meterpreter to the linux rev tcp :^)
now it's just scanning and setting up the proxies
:D
If you need any further help on the module, you can DM me.
have you done the SQL MAP one?
i'll probably need it tbh
got xfreerdp :^) it helps if i spell m* right xD
ugh i'm just gonna go to bed pivoting makes my brain hurt
can anyone help explain what the main differences between Organizational Units and groups are? I'm still confused even after doing some research myself
hey can anyone give me a nudge on Skills Assessment - File Inclusion?
i got the log file tried to change the user agent to poison the log file but nothing is working
Please, could someone help me? I'm struggling in the [ATTACKING COMMON SERVICES - Attacking SQL Databases] module. I captured the flag but I can't crack it to get the mssqlsvc user password.
My command: hashcat -m 1000 F800D07797C939FBB74663CAB92E9D0B creds/pws.list
Can anyone explain to me where I can get this module?
You have to grab the NTLMv2 hash and crack it.
Can anyone give me a hint here? The question: Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.
I have an interactive OS shell on the remote host, but I can't cd into other directories, I can't use 'find' to search the machine. the hint says ||"the flag is in a common directory"|| but I can't move out of my current directory? Could you point me in the right direction?
@chilly forge look in the root
What about reading the flag.txt@chilly forge
@placid quest at the root or in that specific directory? Cause that was the answer for the previous challenge
@chilly forge how
oh right, ||cat /flag.txt did work somehow. Why can't I use ls or find, but cat is possible?|| That solved it, thank you! Weird question this one
at the module Pivoting, Tunneling and Port Forwarding, at the section RDP and SOCKS Tunneling with SocksOverRDP
there I have a problem to start... am I supposed to transfer the files "SocksOverRDP x64 Binaries" and "Proxifier Portable Binary" with RDP to the Windows host?
yes
then it asks me for the domain name, is that right, do I have to find out the correct domain name?
Make sure to not use double quotes in your user agent payload. That will likely break as the user agent is put into double quotes in the log file.
Feel free to DM
Module name: COMMAND INJECTIONS
Section: Skills Assessment
The question: What is the content of '/flag.txt'?
Can anyone give me a hint here to find injected user input?
Yea. That tripped me up too. Also, if you can't view access.log due to an error, you'll likely be able to view error.log to help diagnose the issue
Http misconfiguration , very good module
footprinting, dns, last question.
I know it has nothing to do with ||internal.inlanefreight.htb||, I tried ||dig axfr <sub.>inlanefreight.htb @target.ip|| for every subdomain I found and I get nothing, I don't know which ones are zones so I'm trying everything, may I please have some help?
transfer failed
i tried with +cmd too
dm me, i passed it yesterday
In the module RDP and SOCKS Tunneling with SocksOverRDP, I have everything setup to the point that all I need to do is connect to 172.16.6.155 as jason, but I don't know what endpoint to connect to with mstsc.exe.
Also, Proxifier isn't noticing any app use the proxy
So I'm doing something wrong, I don't know what it is though
Your first host
Not every DNS server allows zone transfer from everyone.
what port? I'm having a lot of trouble understanding this section
Once it's set up you don't need to change port of anything
Hm, sorry. I had a similar issue in the info gathering module and thats how I solved it
So how do I end up connecting to jason's machine? I don't understand that at all
Just put in his IP and it should connect
Hello, I am very new here. I want to learn website hacking. How can I learn?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
O thank you.
anyone have done the white box pentesting 101 skill assessment ??
do this on the first host, or on the DC 172.16.5.19?
The first host
on the first host, I keep getting an error
This module is all about jumping hosts
That's because you need to still be connected to the DC for it to work
I am, look at my screenshot
That's why the module states "hey you may want to change the connection speed to lower"
Also you dont have the proxifier server set up
yes, it is
If you follow the section it mostly guides you through everything
I don't see a server in your proxifier window
Check what the firewall evasion section says about DNS proxying. Maybe that gives you an idea what you are missing (hint: it's not about using --source-port)
And when you opened mstsc.exe it gave you the notification it was using 127.0.0.1:1080?
no
So with the "second" mstsc.exe instance, I have to set the target to 127.0.0.1:1080? Nothing seemed to happen when I tried that
Sorry I meant when you connected to the 172.16.5.19 one
Hey, can someone tell me what's wrong with Academy's payment? This is my second time having an Academy subscription with the same credit card; previously it didn't throw any error but this time it's saying "no funds", but I'm pretty sure there is no problem with the funds and overseas payment is enabled too. Is there any way to remove the recurring payment method card and re-add the card details and try?
Open a support ticket by clicking the green bubble on the site , also you should be able to remove card details
Ah I didn't try connecting to the same host after setting everything up.
Just to be sure, proxifier needs to be run on the first host, right? Not the DC at 172.16.5.19
When you initially connected to the DC, did you get that popup as shown in the pictures of the section?
Yes
Which popup?
Hello everyone! Any help appreciated! I'm working on the comparison operations section (bash scripting) and I'm stuck with this challenge:
The "socks over RDP plugin is enabled"
Yes
Give me like an hour and I'll sanity check, I'm just waking up
if [[ $var == $value && $var -ge 113450 ]]
Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters.
Ah okay, machine just shutdown for me also, so I'll try again later too. Thanks
Anyone who can provide some guidance in the Bash scripting module?
I'm aware, I just have no clue what to include there, so I tried every sub I found; none of them worked
A DNS server that does not allow you to transfer zones must be forced to hand over the data.
I don't know the module but ${#var} should give you the number of chars in the var variable
yeah, I don't know if that is what I'm missing
At least this is what is not matching in your statement with the question you provided
on the tunneling skills assessment, I'm trying to use sshuttle to scan ||172.16.6.25|| but when I run nmap, every port comes back as open. I'm using nmap with -sT and -Pn. Is sshuttle not compatible with nmap?
I'm pivoting through ||webadmin||
Hi, I'm stuck on the Skills Assessment of Intro to Windows Command Line. I'm trying to connect with ssh as ||"user1"|| and pass ||"previous flag"|| but it won't work, it just gives me permission denied.
Check again if you copied the right flag in the previous exercise. The skills assessment flags are case-insensitive, but the logon passwords are case-sensitive.
Writing it as it is but still permission denied, and I'm sure it is the right pass
Can you send it to me over DM?
Did you have a typo in the IP or something? That's one of the right IPs, just not your next target after the Linux box
I checked and I set it in an env variable to avoid typos. I can get to ||172.16.5.35|| already. But I'm not clear why an nmap scan through sshuttle would show all ports as open
For me, the skill assessment of that module prints the flag character by character; it's super slow and, yep, a bit trolling. Also, if you still need help with that, shoot me a DM
For that I just use the ||dynamic port forward|| thing, so I just add the ||-D|| flag
Anyone able to give some pointers on Broken Authentication - Skill Assessment? I've ||created an account and seen the hints about the support account|| and then ||tried to enumerate different support accounts with various country codes|| and then attempted ||to brute force with a password list made up from rockyou meeting the criteria||, but I don't seem to be getting anywhere.
ok, I'll play around with that. I just found proxychains with nmap to be a little unpredictable
but sshuttle is being unpredictable anyway
I'm stuck on Intro to Windows Command Line, ||"User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them."|| I tried the ||"Type"|| command to try and output all the ||flag.txt|| but it doesn't seem to work. I'm kinda stuck here and not sure how to move on. On section "Skills Assessment"
Unpredictable but fast; not good for pivoting, but OK for scanning
so did you get the support username? or the policy?
Google / research the PowerShell syntax for reading multiple files
I mean, you can use cmd if you want, but PowerShell is better
I've got a list of usernames which I think are likely candidates, but not confirmed.
and the password policy?
Sanity check @ivory dock: I was able to get it to work just fine with my system; the connection can be a bit of a pain sometimes
I believe so, but without stating it, it's hard to confirm if I'm missing the obvious. My cut-down rockyou is 29 passwords.
Seems about right. Did you try brute forcing?
Yeah with a 10 second wait between each try to rate limit
I do 25, but if you didn't get blocked then I think it should be fine
I double checked in Burp, and all the responses show "Invalid creds" rather than "too many tries"
I did that, I think I have the right syntax ||"Get-Content"||, but the problem is every dir has a subfolder with ||flag.txt||, so it's a crazy amount of ||flag.txt|| I need to ||Get-Content||, and it did not work
I use ||Get-ChildItem||
Yes, and within every dir is another dir with flag.txt
I'm using this command ||dnsenum --dnsserver 10.129.42.195 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb||, then I try to run ||dig @10.129.42.195 NS axfr +cmd <sub>.inlanefreight.htb; removing the +cmd has the same results||. I'm using a completely wrong command, aren't I?
Use a more fierce discovery list
I also got the ||sls|| filter at the end; right now I'm not even sure what that is for, but it's for the flag
also you can use dnsenum on subdomains
Get-ChildItem sls ?
A | between the 2 commands, of course
so get-childitem | sls
Tried it, won't work. I'm in dir C:\Users\user4\Documents
I just get an error message
Any suggestions on what I'm missing?
A question on Linux Privilege Escalation Skill Assessment Flag 5:
||How did you manage to stabilize your shell? I get a dumb reverse shell (through uploading the war file to tomcat manager), but I can't stabilize it in order to do the busctl GTFOBin thingy. ||
I tried ||python||, didn't work. I tried ||socat||, didn't work. I tried ||nc with the -e option||, didn't work. Any other suggestions anyone?
I really need to update my notes for this one, but the Get-ChildItem is for finding which file has the flag and the sls is, I think, for reading the flag
https://i.imgur.com/fXFWML4.png Using the command, all the info I get is this
The password part I think you may have gotten right, but just to be sure, shoot me a DM with your username and password list; both of them shouldn't be long, and if that is also right I've got no idea why you don't get a hit
But I used the tree command with cmd and got more than 100 flag.txt within Documents and the other dirs
Like dir "1" has 10 more dirs and so on
And all of them have flag.txt. When I use Get-ChildItem while I'm in c:users\user4\document this is all I get
For the shell I use Metasploit
Hm, should have thought of that. Meterpreter, I presume? Thanks, I'll give it a try.
I did it with Meterpreter, then I did two different shells from inside that
Got you, I still don't get results though for ||sub, nc, dev, root, v,|| may I DM you?
Hello guys, I'm stuck on Host Based Enumeration, DNS part. I have no idea where to find the answer to "Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain." Help plz
You need to enumerate a subdomain of inlanefreight.htb. What have you tried so far?
dig ns inlanefreight.htb @IP ADDRESS GENERATED
Anyone? I'm stuck on Introduction to Windows Command Line; Section: Skills Assessment; Question: user4 has a lot of files and folders in their Documents folder. The flag can be found within one of them. - I have found the correct path, but within this path there are multiple subfolders with the same file name flag.txt, and this is the hint I get: "We want to see a full listing of the files within the hive, and then read the contents of each file. How can we see through this tree?"
Okay thanks again, I'll try it out later. Connect 2 times to the DC, right?
on the tunneling skills assessment, I use ||sshuttle to create a tunnel to get to 172.16.5.35 via the foothold unix box. Then I'm creating a SOCKS tunnel via ssh -D 9050 to 172.16.5.35 in order to get at 172.16.6.25. I can proxychains RDP to 6.25 with the vfrank creds.|| But when I try to proxychains nmap scan|| 6.25||, every port comes back as open. This is with the -sT option
It's another subdomain; it is used as an example in the module
so the order is:
- start the RDP.dll
- Connect to the dc01 with credentials
- Transfer and run the server.exe on the connected host
- back on the foothold server, start Proxifier (may need to run as admin), set 127.0.0.1:1080 - SOCKS5
- connect to final target IP {the x.x.x.155} with creds from question from the foothold connection
You should have the answer then; are you sure you're connected to the network? Also, if you put the IP in your /etc/hosts, that may also f with it
L
Can I DM you?
; <<>> DiG 9.16.33-Debian <<>> ns 10.129.77.77
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 62175
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;10.129.77.77. IN NS
;; AUTHORITY SECTION:
. 86389 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023021900 1800 900 604800 86400
;; Query time: 6 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Feb 19 18:10:14 GMT 2023
;; MSG SIZE rcvd: 116
"Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain."
where?
Hello, can somebody help me with the XSS - Session Hijacking exercise?
I'm working on the ffuf assessment, question 3. I wanted to ask someone if my code is OK but don't want to spoil. Anyone willing to DM me?
let's GOOOOOOOO
Congrats. That was really tough. I wasn't able to finish, so I moved to an easier module.
sup?
If you need some help with it, I got you :D I did this over a few days because wrapping my brain around pivoting hurts ;w;
If I can't get help with a module in this channel, where can I get help?
I appreciate you. Did you do ffuf?
not yet lol I'm trying to do these mostly in order xD
I was until pivot. lol
can you not type C:\Path\to\files\*.txt ?
or type C:\path\to\files\flag*.txt
* is a wildcard character; it means every character up until the next non-wildcard character
No, because within Documents I have other dirs, and in there a lot more dirs with "flag.txt" https://i.imgur.com/M6sagEu.png
Like this, and HTB wants me to read all the files and get the flag
¯\_(ツ)_/¯
Been stuck on this question for 2-3 hours, it's fucking crazy
about to give up on everything rn
Take a break for a bit then, dude :) If you're getting frustrated it's best to step away
You can always start a new module until someone is able to help you. I've spent days on a single question.
Oh dude, I figured out why people keep struggling with the where thing in the Windows CLI module
the ssh shell you're in is in powershell; which requires additional positional arguments
so you need to do the cmd.exe /c <command> to get it to work
Ok I completed the tunneling skills assessment, but have a few questions. All the targets were ||on the 172.16.0.0/16 subnet but each target acted like it was on a /24. I'm assuming the networks were segregated using a firewall? || I still don't understand why nmap scans would show all ports as open when trying to scan the internal hosts ||via sshuttle and proxychains. Is this related to firewalls also?||
If you're doing -Pn it may assume that it's just open; it's best to run the for loop
but I've used -Pn with other scans (full TCP connect scans), and it wouldn't return all ports as open
sometimes it's weird with proxy
what about the network configuration? Is that something that is typical?
that's fairly typical
ok thanks
Can you help me on this one?
I'm on the last flag for the DNS sections of the Footprinting module. I've tried brute forcing the DNS with almost every list, but it's taking hours upon hours and I still can't find the IP with the last octet of 203. Not sure what I'm doing wrong
Did you try to bruteforce the right zone? Take the smallest list of SecLists
now that I think about it, I don't think i was
I'm at the NETWORK ENUMERATION WITH NMAP hard lab. Can anyone help me with this question: "Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer." Thanks
okay tried this, step by step, and still getting an error when trying to connect to .155
losing my mind here
There is 0 traffic going through Proxifier also
Hello
I'm at LINUX FUNDAMENTALS>System Management>User Management
the question is : Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)
I didn't find anything in man or --help so I googled it and found that the answer is --command but I still didn't understand it, could anyone explain it for me, please???
Yeah, can't seem to find the right zone, idk what I'm missing
Can anyone assist me with the Pwnbox question in the Laudanum section of the Shells and Payloads module?
I've put in all 4 paths I found, with and without the filename itself, and it doesn't accept it as an answer. Of course I used my Kali to get the webshell though
I'm currently working on the Login Brute Forcing module and I'm stuck on the Service Authentication Brute Forcing section where it deals with b.gates. When I try to ssh into b.gates, I get nothing, then it says connection timed out. Does anyone know what's going on? The command I use is ssh b.gates@<ip address> -p 22
Change -p 22 to the port of your target
didn't work. Still got the connection timed out error message
<user>@target_IP -p <PORT>
e.g. if your target is 12.34.56.78:4321, the command will be ssh <user>@12.34.56.78 -p 4321
I tried that. This was my command exactly: ssh b.gates@134.209.17.36 -p 31335
I get this message back: ssh: connect to host 134.209.17.36 port 31335: Connection timed out
reset the target
I did. I've been struggling with this for a few days now. Even reached out to support
Try with this target 138.68.YY.YY:XXXX
That one works! Someone in support just gave me the exact same ip address
Tell them that you suspect there are some zombie targets
yeah
They said it's something they're working on
¯\_(ツ)_/¯
Hey, I have a question: if I have the $490 subscription, do I get help with questions on modules?
yes
But you can generally get help here as well; you must learn how to structure your question, though,
based on what you are attempting, what you have attempted, and what you think is the path to achieve the answer
OK, because I have not answered a question correctly, but normally a message pops up asking if I would like help. So that's why I am asking
"Connect to the discovered share and find the flag.txt file. Submit the contents as the answer." Having trouble with this question
Honestly, no idea which module and section that question is from
Footprinting in the SMB section of the Jr Pentester job path
have you tried using the commands in the examples?
Yes
which ones
What exactly have you tried? What exactly is not working?
smbclient //10.129.14.128/notes
If that's the share that you can access, then you should get a connection using SMB
Your shell would become like: smb: \>
OK so no smbclient
And also that is the IP from the examples; you must specify the IP of the target that you have spawned
You have chosen a wrong directory. First list all possible directories.
OK, I see what you mean. I will re-read and try it, so everything is just as in the examples, basically
I am in the wrong directory
If I'm not mistaken, the module explains how to list all available directories.
Have a look at it again.
ok thank you
about to start the AD skills assessments, wish me luck
Good luck
Good luck
If you get stuck, you will surely get help here
I'll need it
Hi all, I would like to ask for some help re 'Credential Hunting in Linux'. For some reason I can't log in via SSH to the victim box with the given creds at all (Kira). Tried brute forcing it with the pw list given within resources, but it did not work either. Any further hints?
You need to create your own list based on the password in the hint
Thanks, I'll try to tweak it with the mutation rule file and see if that gives me the required output
OK, so that did not work. Do I need to mutate all the passwords given from 'Resources' or only the ones related to the hint?
If I mutate all, the list of potential pws will increase dramatically and pw spraying will likely take a few hours
There is a password in the Hint. Unfortunately, there is still a number attached.
Omit the number and then create your own mutated list with this word
Thanks, will try. Funny that accessing the box (preliminary step to complete the actual task) is harder than the task itself
Hi, I've the same issue. Did you figure it out?
@acoustic owl the problem was with the username haha! Had to be lowercase. I think that's enough internet for me today!
That issue took me an embarrassingly long time to figure out, but huge relief when it worked
If I have a reverse shell PowerShell session running in netcat and I run a silly command that will take forever, is there a way to break it without dumping the entire netcat session?
i.e. not Ctrl-C
Has anyone completed the Linux Fundamentals course? I'm having an issue with a Find command that's not searching for a config file.
May I have some assistance/nudge with Password Attacks - Hard Lab? I opened the encrypted BitLocker .vhd but only see SAM and SYSTEM and no SECURITY. Is this correct? I'm having a hard time extracting hashes with multiple tools.
I think that's correct. I think you only need SAM and SYSTEM
See the Attacking SAM section
I looked at that section. Attempted to use secretsdump.py but it didn't work. I tried pwdump.py and it didn't work either
secretsdump dumps the hashes, it doesn't crack them
I'm saying those tools didn't extract the hashes
did you open the files in a text editor?
Anyone able to assist with the live engagement in Shells and Payloads?
what's the question?
Having an issue getting a shell on the first machine. I've found where I can upload the shell and I've attempted to get it to call back using msfconsole and netcat. I can get it uploaded and started but I can't get it to reach back. Ports and IPs are correct
If I remember correctly, I did something simpler. Take another look at the ||Laudanum|| section
I'll take another look. Thank you
Did you see this part of the section?
||Keep in mind that the Foothold host has access to the Internal inlanefreight network (172.16.1.0/23 network) so you may want to pay careful attention to the IP address you pick when starting your listeners.||
I did, but nothing reaches back. And I just tried what cretan told me to try and I'm just getting error 404 when I try to access it
Excuse me, is it right?