#modules
Module:ACTIVE DIRECTORY ENUMERATION & ATTACKS - Credentialed Enumeration - from Linux
I have a weird problem.. Found the user for the first question, but it doesn't accept his name / username as an answer..
Need some help with WEB ATTACKS - Advanced File Disclosure. I've read through everyone else's complaints as well as some that apparently work, and I'm not getting any sort of traction with this one.
I'm set up / it's communicating, but I just have the wrong info getting pulled in, I guess?
(CDATA-based one)
If you have converted the RID to a user, just get the username
and Axiom, please stop deleting your messages with the intent of posting another one only to be the most recent
I delete them because I think I found them
thanks for your input though
err, think I found the answer and then realize I'm a dumbass and still can't do it
so I put it back up
I converted 1700 to hex, and then searched for a user with this number.. found him, but HTB does not accept it.. can I DM you?
sure
Just finished the Linux Privilege Escalation module; if you got stuck, feel free to ask for a hint
Or if you have suggestions for challenging modules you got stuck at, feel free to mention them and I will take a look
@austere osprey Web Attacks - Advanced File Disclosure using CDATA
Yo what up channel? I'm doing RDP and SOCKS Tunneling with SocksOverRDP from the Pivoting, Tunneling, and Port Forwarding module and I have done all the steps, but when I try to connect to 172.16.6.155 as Jason, RDP never loads.. I have changed the RDP settings to 56 kbps Modem and it's now been 20 minutes waiting for it to load.. any ideas how long I should wait for it to load?
I'm absolutely dumb....I got it.....I'm dumb
it loaded after 30+ mins
Never mind... Found it, for those looking for a tip : do not trust your predecessor and do everything by yourself
lol glad to see you found the problem
Starting with windows privilege escalation now, see how it goes xD
I am still having problems with "Packet Inception, Dissecting Network Traffic With Wireshark". I am looking for an image of a 'transformer'; the only image I find after capture is an image of a dog. The dog comes down as ftp-data. I have tried to filter on image-jfif and image-gif and looked through the HTTP for any inline images in the data. I can't see any HTTP traffic that contains images. I am not sure what I am supposed to be seeing. I am left to assume I am not even capturing the correct data. Can someone help?
Hey
can anyone help me with what flags mean?
I'm having problems resolving the HTTP and cURL exercise
HTB{this_IS_a_fl4g}
but do they have any other definition I might not know?
I mean I've downloaded a file from a URL with curl and now I have to find the flag inside the file but I can't
?w
Hey
I'm trying to figure out the solution to the Windows Fundamentals but it seems none of the answers I find are correct
Hi, I've finished the Getting Started tutorial. Can someone check my walkthrough document for the last module step and provide me some corrections?
Hello everybody! Could someone help me? I'm on Active Directory Skills Assessment II and I'm trying to find solutions to connect to ms01 with the mssql user (psexec) :))
DM
@gray blade maybe try with mssqlclient
https://discord.com/channels/473760315293696010/1080492674257273004 please "this is just a redirection to community help"
did you try curling the redirect?
hint - you don't need to actually download it
Hi, I am doing the medium lab of the Password Attacks module. I have passwords for users j***n and d****s (and their SSH key along with the password). When enumerating the machine, I also found user n****y, but I don't have his password. I have been trying for a few days to find something interesting and useful using user d****s. Could I ask for some tips on what to do next?
no and don't ask for such stuff @wind sparrow
why do you have no roles
???
In RDP and SOCKS Tunneling with SocksOverRDP from PIVOTING, TUNNELING, AND PORT FORWARDING, when trying to execute this command C:\Users\htb-student\Desktop\SocksOverRDP-x64> regsvr32.exe SocksOverRDP-Plugin.dll I'm getting the following error
The module SocksOverRDP-Plugin.dll failed to load. Why am I getting this?
Have you deactivated Real Time Protection?
make sure you are running the terminal as an administrator
gonna try that thanks for the help
Hey, do you still need help regarding FI module? if yes, you can DM, if you want
bump
it is something simple that can be overlooked
If everything is configured correctly, a user does not have admin rights. But if he needs some, he often has another account, with which he can then get admin rights.
On a Linux machine, depending on the configuration, a key is needed for root
Yes, I knew that I have to do privesc but really I don't see any attack vector. After running LinPEAS on the target I saw it's vulnerable to CVE-2021-3560 (https://nvd.nist.gov/vuln/detail/CVE-2021-3560), but I know almost 100% that isn't what I'm looking for
You have everything you need. You only need to login.
there is no need to run enumeration scripts or anything else
Oh...
In the Skills Assessment from PIVOTING, TUNNELING, AND PORT FORWARDING, once you discover that user mlefay exists you have to pivot to a Windows host. What dictionary did you use to brute-force the following services: ssh, msrpc, smb and rdp?
@hasty solar why do you need to brute force some services
cause I tried with null sessions and anonymous authentication and didn't find anything on this host 172.16.5.35
@hasty solar but you need to dump the lsass to get the password and username
lsass is a windows process
TTL
ok
I'm working on AD Enum and Attacks: ACL Abuse Tactics. One of the examples mentions using Get-ADGroup from PowerView, but it doesn't look like Get-ADGroup is in PowerView. Thoughts?
are you sure you imported it correctly first?
actually looks like its a builtin, no powerview
ah, ok. Then the problem is that the ActiveDirectory module is not available.
so I guess that still leaves the question, how do I do this?
theres some other ways you could get the group information
idk off the top of my head for powershell but could always just do like bloodhound
In the new Linux Fundamentals, does anyone understand what is intended by the question "What is the type of the service of the "syslog.service"?" I tried systemd: system log, system logging, logging, etc.. I am not sure what is meant by the word type
hmm, ok. I did use bloodhound already. I was trying to follow the example in the section, but I guess that step is not too important
I'm working on the "Initial Enumeration" section in the Windows privesc module. I'm stuck on the "What non-default privilege does the htb-student user have?" question. I ran whoami /all and everything seems standard; what am I missing? The hint says to run cmd as administrator and for some reason I actually can, but why?!
Technically, because the user rights allow it.
what command can i run to see those rights?
I'm sure it works in the section practice section, but I was trying to apply the steps to the skills assessment
Not at all. Start cmd.exe with administrator rights and enter the command you mentioned earlier.
ahhh
Hi all, could I have a sanity check on this? this is my second day stuck here... Module: Attacking Common Applications, Section: Skill Assessment Part I
I don't actually like running PowerShell on the target if I can avoid it, so I didn't use that method
the only thing that changed is now there is the SeTakeOwnership priv but it's set to disabled
Everything done correctly
lol I'm so confused, anything I try to submit to the question answer place it says wrong
oh nevermind i just wrote it wrong the first time
works now
Hello, can someone assist with the File Upload Attacks module? The question hint is "Try to find an extension that is not blacklisted and can execute PHP code on the web server, and use it to read "/flag.txt"". I fuzzed for PHP extensions using SecLists and PayloadsAllTheThings and get a bunch of 200s back. However, none of the extensions will read a simple hello world script or shell. Can someone give me a nudge?
which section are you working on? Blacklist filters?
If you want to DM me, I can try and help, are you using burp intruder? If so, can you show me your payload? and the part you are fuzzing and your script? I will say I got maybe 15-20 things that made it through as a file, but only one of them executes the php script when you call it
Hello, could anyone help me with the Bash Scripting module? I've been stuck in the flow control - loops section for many days.
What exactly is not working?
Could I have some help? I'm working on the "Password Attacks" module. I have copied the NTDS.dit file from the target machine and now I'm trying to share it back to my attack machine. I'm getting an error even though I am using the right share IP. Any suggestions?
are you working on Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jessica Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)
move isn't a command
nah
it's the sudo part
that actually breaks it
because they are remoted into a POWERSHELL
but also yes
try putting quotes around the command portion after /c
Hello, may I get a hint with Attacking Common Services - Easy? I've attempted to get command execution by uploading a PHP cmd file on FTP. Receiving a 404 not found error when attempting to navigate to it through the web browser.
is the ftp port linked to the web service?
they have other attempts without sudo that failed
but I had a light chuckle at that too
i can't read
I see a txt file in the FTP server showing FTP and 443 listed under the FTP server information. Unsure if that's what you mean by linked..
in the ftp server isn't there an additional file that may be worthwhile to look at carefully
ftp is a common method for developers to upload appropriate files to the webserver or other documentation. MarcieLee is asking if theres a logical connection between the contents of the ftp server and the web server itself.
@hollow dagger check what realm the linux user is part of; then look for a folder that may contain that realm information; it has to be saved somewhere locally right?
you are looking for a ccache
Oh I see. Navigated to the correct URL and logged in, but it just downloaded my PHP file once I navigated to the PHP file through the web browser
basically if you are uploading it to the ftp server; where is it going?
To the web server
Could someone help me with the Pass the Ticket section, please? Particularly the last question, "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
I think I understand that I ||need to use a ccache file in /tmp (the ones starting with krb5cc)||, but none seem to let me smb into //dc01/linux01.
I then thought I needed to generate the ccache by running|| kinit linux01@INLANEFREIGHT.HTB -k -t /etc/krb5.keytab||, but that just says there are no suitable keys...
Have I missed something??
@fathom pendant , thanks for your quick response. I had posted it prematurely and have added more detail. Any more advice?
it is not in /tmp/
and you are unable to use that keytab
but there is a place where information about the realm is stored in some sort of variable library
AD Enumeration & Attacks - Skills Assessment Part II:
I'm having trouble with Question 8, wherein I need to obtain the flag.txt from the Administrator's Desktop on machine MS01.
At this point, I've tried running LaZagne.exe, Snaffler.exe, Mimikatz.exe, and Rubeus.exe to unearth assorted credentials from the SQL01 host. I've obtained a cleartext credential for mssqlsvc, but it hasn't seemed applicable. I've likewise pulled a number of hashes, including one for the local Administrator account for SQL01.
I've attempted to Pass-the-Hash with the aforementioned hash using impacket-psexec, crackmapexec, and evil-winrm to no avail. I've also tried various iterations on the password that was discovered. It's unclear to me what my next step is intended to be at this point.
why do you assume that password isn't applicable
hint: it's not a red herring
hint: what does mssql stand for
thanks for jogging my memory on their question; after I re-read it it clicked what I remember doing
have you tried signing into the sql server with creds?
local*
When I initially compromised SQL01, I had sysadmin privileges with my n**** account (and could likewise just become sa if I wanted to); enumerating the databases didn't show me anything beyond the default, so I didn't look further)
i'll have to redo to doublecheck but iirc it's fairly straightforward
are you able to run commands in the sql server?
Sure can
including xp_cmdshell yeah?
Nope. I don't think anyone understands what exactly is being asked for here.
Yeah, I also have SYSTEM on SQL01 as a whole
so why can't you get Administrator desktop?
Admin desktop for MS01
Not SQL01
I'm having trouble with Question 8, wherein I need to obtain the flag.txt from the Administrator's Desktop on machine MS01.
mmm my bad
It's what follows getting Admin on SQL01
Tried performing some pass-the-hash using the admin NTLM I dumped, but no dice
And I haven't been able to crack it yet
*crack the hash
thrown it at SMB and WinRM
Not sure I follow; I have the SQL01 Admin's NTLM hash, but not their plaintext. Or was that not the "admin" you were referring to?
Hello friends
yes reusing this one
Thank you so much. That was such a good hint. Didn't give too much away and helped me realise where the gap in my knowledge was.
I wanted to reset the progress for modules that aren't completed, but thank you
if you want to feel silly relook at some of the examples :)
probably create a support ticket and ask there
Right, that's what I was saying. I don't have the plaintext for the Admin, just the NTLM hash. I've tried using a Pass-the-Hash attack (taking it and aiming the credential at MS01), but to no avail.
F
I misread the module you were doing; I haven't completed this one yet; I was thinking of a diff module, mb, but I'd say take a step back and take a break, especially if you've been working 1-2+ hours on it
sad trombone
you got distracted by MarcieLee's misreading
my hint is still relevant
Why do you think that clear text password isn't relevant?
It's very relevant, yes, FOR MS01
The admin hash for SQL01 would only be useful if the local admin password was the same across multiple machines (which sometimes is the case, especially if LAPS isn't used, but that doesn't apply here)
How can someone see their one?
??
this server isn't Discord tech support, I suggest Google
Hi Family!
@fathom pendant may I have another hint? I'm still lost
Greetings
hint: what is the webserver home directory
I've input the webserver's home in the "INTO OUTFILE" in the cmd.php payload I created
I wasn't sure either but I just googled "service types linux" and tried every one lol. "simple, forking, oneshot, dbus, notify or idle." are the service types, which I didn't even know existed, but yeah.
Would you say labs in medium difficulty modules are equivalent to medium HTB machines?
they're really not 1-1 comparable; as the module teaches a specific thing where machines use a handful of things at times
medium modules just refer to the previous level of knowledge required to work through it smoothly
Ahhh
for instance there's a web HTTPS module that's tier 4/5 I think that you'd be completely lost on if you don't know the basics of SQLi/XSS/XSRF/NoSQLi
Got ya, thanks for the info
no tier 5 modules
listen I couldn't remember what tier it was
I just remember it was a higher tier than 3
Hi guys
Can someone explain the magic that is wildcard abuse (in Linux priv esc)? In the example, commands are written to filenames, which are executed by the cron job, it seems. Is this because the cron job ends with a wildcard *, and the filenames are listed sequentially after the cron job in the directory?
Basically the asterisks denote timing, "when/what time do you want this command to run". Using all asterisks means: for every minute of every hour, every hour of every day, every day of the week, every week of the month and every month of the year, execute whatever command or script is next to the cron entry.
hello everyone
here's something I saved in my notes that could help :
* * * * * command to execute
┬ ┬ ┬ ┬ ┬
│ │ │ │ │
│ │ │ │ │
│ │ │ │ └───── day of week (0 - 7) (0 to 6 are Sunday to Saturday, or use names; 7 is Sunday, the same as 0)
│ │ │ └────────── month (1 - 12)
│ │ └─────────────── day of month (1 - 31)
│ └──────────────────── hour (0 - 23)
└───────────────────────── min (0 - 59)
anyone here looking for a hacking partner?
poor file permissions / use of a relative path on the script/binary to run allows an attacker (you) to manipulate either the path or poison the script with shell one-liners
i understood
hello, is anyone available for a simple question that I have?
it's about ncat
when I am trying to open a server on port 80 using the Pwnbox
it says the port is already in use
I am following the module's instructions so I am unsure how to fix it
Use a different port number
I am supposed to listen on port 80 I think
since it's HTTP
for context
it's the XSS module
phishing part
Hello everyone! Someone could help on Active Directory skill assessment ? I try to find solutions to connect myself to the dc01 :))
Your server can listen on any port. You just have to specify the port in the URL.
and what exactly is not working? Some info would be helpful
Sure! I'm actually on ms01 with CT*** rights and I'm trying to find solutions to connect to dc01. I saw that someone talked about port forwarding but I don't understand why, because we are on the same network 172.16.7.0/23. Maybe I need to find other credentials on ms01 with CT*** rights (with Snaffler) and know which tool I can use to connect to the DC
yep got it to work
tyty
just curious what's using port 80 on the pwnbox
is it the box itself?
You can always take a look yourself
Don't even need to scan lol
Lol or just use a simple command
will do
Feel free to DM me
sudo netstat -tunlp
That will tell you what process is listening on any ports
Python http.server?
I use my own vm so dunno
I don't like using the boxes
I use my own VM too
but i just do it here and there to avoid lunching
just wanted to get a module out for today
whatever boats your float ¯\_(ツ)_/¯
Mood
File Upload Attacks final challenge was really fun. I encourage everyone to give that one a try.
I just don't understand how the cron job is running file names that are in the same directory as if they are lines of code?
same directory? maybe you could include a screenshot to explain what you don't understand, so someone can know what you aren't clear on to help out
hello guys
I've been having a problem with the Linux Fundamentals module, the task scheduling section.
I can't seem to find the answer for this question
What is the type of the service of the "syslog.service"?
I searched the internet for an answer, read the official Linux wiki, tried multiple answers but nothing seems to work
if anyone knows any tips regarding this please tell me
Hello i want to participate in ctf events at ctf.hackthebox.com how can I participate
Just register
I did the registration but I can't join any events; it requests an input key
if you don't have one, you can't join them
How can I get them
if you are part of the entity that has requested the ctf you will have the key, otherwise you can't
Is that the only one available
Also anyone have vacancy in their team for a noob
can someone help me with answering this question : What is the admin email address? in the imap/pop3 module.
i have already got the flag
i have got this already ||* 1 FETCH (ENVELOPE ("Wed, 03 Nov 2021 16:13:27 +0200" "Flag" (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("Robin" NIL "robin" "inlanefreight.htb")) NIL NIL NIL NIL))||
you already have the email, you just need to piece together the information you already have
think about the format of the answer that is being expected
yes i got this but it isnt correct: ||CTO@devadmin.inlanefreight.htb||
because it is incorrect
I found it; tip for anyone who got stuck at it, check the service files
struggling on a php module
when a staff member is free, plz halp; like I know what payload to use, I think I'm just missing something basic
Can I get a different Discord admin member for assistance? I got MitcoSC and every time he has been the one to help me he does not provide good assistance and ghosts me. I've only gotten help from him twice, but so far 100% of the time he is not helpful, whereas every other Discord admin member who assists me is very helpful.
Most "staff" don't really get involved helping you solve things. They are more for technical issues and such. It's usually other members of the community that will offer to help.
Anyone potentially see any errors with this python3 file transfer command? I continuously get "name resolution" errors, even though I can browse to the URL I pass in perfectly fine. python3 -c 'import urllib.request;urllib.request.urlretrieve("https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh", "LinEnum.sh")'
got a different helper and they helped me
I take it you're using the Perk of being a Silver Annual Sub; in which staff will indeed help you
I'm just dumb - the target doesn't have internet access - just needed to run it on my Pwnbox, and then transfer to the target lol
been there done that
Information Gathering, virtual hosts: ||ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.htb" || needs around 18 hours to complete; isn't there any way I can do it faster?
||I added 10.129.42.195 inlanefreight.htb to my /etc/hosts but I cannot curl -s 10.129.42.195 -H "inlanefreight.htb"; there is no output at all||
anytime I run xfreerdp in any capacity, even if it's just --help, I get this error:
```
No protocol specified
[15:23:30:279] [4324:4324] [ERROR][com.freerdp.client.x11] - failed to open display: :0.0
[15:23:30:279] [4324:4324] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
```
even with the default display set, which is 1, I get the same error
using pwnbox
the issue was pwnbox, works on my vm
If anyone is available I could use some assistance on the medium lab in Password Attacks. I was able to get the J account and from the cool document I got, I know there is a MySQL database but I can't seem to access it. I've searched through just about any file I could find and open but nothing is pointing to it. Am I going down a rabbit hole here or is this the right way to go? Any nudges?
Were you trying to run as root?
yeah
Try as the normal user.
I think the issue is just because you're only running commands in a shell as root, but it doesn't have an X session.
So if you still have the problem when not running as root, then I'm not sure.
did you try to use the creds for J's account to log into mysql?
bro what is this magic? I literally retyped the command to sign in that I got an unauthorized message on, so I could show what I got, and it signed me in
but now for some reason it froze. so there's that
voodoo
I have had some issues with Academy lately doing that. I thought it was my Kali VM over an RDP connection causing it but now I'm not so sure
usually after restarting the machine and the terminal that was connected to it I can continue on
Hello everyone, I'm on Windows Privilege Escalation Skills Assessment - Part II; can anyone help me? I tried 16 exploits from windows-exploit-suggester
hello bro, can I DM you about Windows Privilege Escalation Skills Assessment - Part II?
Has anyone that's online dealt with the FTP section of Footprinting?
I got the flag but I hate how unspecific questions are
submit the entire banner
well the banner is pretty fuckin big
and doesn't fit
Does anyone know what part I should copy and paste? It's no longer printing "try being more creative" so I assume I got the answer
the part that is basically the banner
mashed potatoes
not helpful
I mean you need to make the differentiation what is the banner
for example when you visit a page that is non existent it will spit out 404
the banner is this portion yeah
| service blah
|
|
improve your method
wdym improve my method? clearly a banner is something that can be dynamic
so I have to try every command till I get the order of the banner that works for the question
it's not about whether you have tried every command, but about how you consume the information that every command spits out
bro I got the flag already, clearly I'm not bashing my brain at the terminal
I got no clue what this question wants from me
it asks you to grab the banner of the service
nothing more nothing less
it is also shown in the section, e.g. in the material
could you please help me define which part the banner is
and there is an example
I guess, but the examples aren't always perfect man. I mean I haven't seen a single example in HTB that shows how to correctly use the NSE
it would be much more rewarding if you try it by yourself
I have been 100% i already have the answer
there was a module that explained NSE
and if you literally search on the page in the section the word "banner" you will go to the example and the text that explains it
It's training, it should explain concepts and processes to students more clearly
omg
it is explained cretan
this is painful bro my bad
when i think of banner
I think of enumeration with nmap or netcat
I've often found many sections kind of lacking
and they are?
I've been documenting them in the erratum as I've been going through. Also through our facilitator
but the response should never be "do better"
I don't expect answers to be given, but I agree there have been a few times where the syntax isn't explained well for commands
and why that orders used etc
but its not a huge deal
to me
all I can see is that you have two messages there cretan
it might be a pretty stupid question but how do I upload an exploit from exploit-db to msfconsole?
No dumb questions here
most exploit db exploits are to be downloaded and used
Learning but this probably not the best place to ask I'd go to off topic or wherever dpgg suggests
and don't unnecessarily over-exaggerate if you don't mind
ok
what if I have no access to the root?
not necessarily needed
can't find the off-topic channel
if you are working on the live engagement, the exploit is already there
You might need to verify/link your account
but how though pls guide and i will not disappoint you
I can't find it in msfconsole; can you maybe give me a hint about its name? Because I've been trying to look for it and couldn't find it
can't recall the exact name, but it was in the Downloads folder if I'm not mistaken
and it started with numbers
so how can I run it using msfconsole?
use <exploit>
but the Downloads folder isn't connected to msfconsole
done reading it all now sir what do i have to do
if you have actually read it you will know what to do as it is explained step by step
actually I read the rules word by word and the welcome also, but I have a few doubts; can you resolve them pls
is it free to learn
@autumn pilot can you help me find the exploit pls? I've been stuck on this for hours
I know what is the ruby file
ls Downloads/ or use the find command
I found the file
use <exploit>
I get failed to load module error
copy the error and paste in google
How did you figure it out?
hello
I'm really frustrated it won't work, I've been stuck on this for days, can you please try to help me with this? this error doesn't make any sense
What does the error message say?
what module are you working on?
I'm working on Shells & Payloads, the live engagement
I got to the second host and I can't seem to find the exploit in msfconsole even though the file clearly exists on the system
host 2 I presume
yeah
searchsploit -m
copies the file. then once you have msfconsole loaded you have to reload_all
after that you should be able to search for it in msf
thank you so much, it worked!!
On the module Meterpreter Tunneling & Port Forwarding, I was able to complete it on the Hack The Box instance but on my main attack box I can't. Pretty sure something is wrong with proxychains or even the auxiliary/server/socks_proxy module. When I try proxychains nmap 172.16.5.19 -p3389 -sT -v -Pn nothing happens. Just wondering if someone had the same problem and was able to solve it. Thanks
double check your proxychains configuration and etc
everything is ok in the .conf
pretty odd because I was able to do it on the Academy instance
Hi, do you have any tutorial/hints how to mount Bitlocker vhd disk on linux (kali/parrot)? [Password Attacks - Hard Lab]
Can I DM someone about Active Directory Enumeration & Attacks - External Recon and Enumeration Principles? I feel like I'm missing something so simple but I can't find the flag
just ask your question
I just don't know how to find the flag... the hint says ||check DNS records|| but I don't see anything besides the nameservers, mail server, and www no flags. Tried looking at the site and couldn't find anything either. The module used bgp.he.net and I tried that but for some reason the site doesn't load on PwnBox
you can with your Linux if you install a package from apt
sudo apt install gnome-disk-utility or sudo apt install gnome-disk-image-mounter
one of them will work for mounting
Then right click > open with > mount
You can use dnschecker.com -> DNS Lookup
you're supposed to look at the mock DNS server that is used in the lab
external checks won't see an internal VPN lab environment
wdym
inlanefreight is not a real domain
it's just on the VPN
so you can't use public services with it
you gotta use local tools
in this exercise the real domain is used
Tried this, didn't work
I've been mainly using dig and viewdns.info but I couldn't find any flag
@versed lichen If you are trying to mount BitLocker, use this (dislocker with losetup)
sudo apt-get update; sudo apt-get install dislocker -y
sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount
sudo losetup -f -P Backup.vhd
sudo dislocker /dev/loop0p2 -u(password) -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
also here is the unmount command if you are doing this on your machine
umount /media/bitlockermount /media/bitlocker
losetup -d /dev/loop0
the flag is in the mentioned record
sudo dislocker /dev/loop0p2 -u(password) -- /media/bitlocker: the -u password will be the cracked password of the vhd file?
yes
it's asking me for some user password; will it be the password of the user who created this disk?
If you're talking about the TXT record from the module I'm not seeing that via dig
try using the tool that I shared
why doesn't that come up in dig tho?
don't know, maybe dns?
Can anyone help me with the Bypassing Other Blacklisted Characters section in Command Injections?
I'm almost there but i can't seem to get it to work.
DM?
Have you tried the ffuf fuzzing method?
hi InfoSec fundamentals is getting a lot of updates lately. How much is it gonna be expanded? I had completed 78% two days ago but now 2 modules have been expanded extensively. I'm fine with this but just so I can plan my goals a little better, how many sections are getting major updates that will be released soon and how long will it take for these major updates to be completed?
so now I've only completed 70% lol
There are no released update plans
¯\_(ツ)_/¯
but updates tend to be excellent so I welcome them even when briefly inconvenient
Hi all,
I'm in the Active Directory Enumeration & Attacks module, ACL Enumeration section, stuck on the last question regarding the forend user's rights over the GPO Management group. I've tried everything demonstrated in the section, tried my best with Google Dorks and asked ChatGPT for help too, all without luck... Can I get a little help please?
Command Injection Module is a hair puller
have you managed to list files or whatever?
Yes thank you
and you have tried the same method from the whoami example?
I was able to get the flag
nice
I was forgetting the url encoded new line in the beginning.
I didn't realize i needed that to separate the command from the ip
Can you explain this?
echo -n 'cat /etc/passwd | grep 33' | base64
This command.... the | grep 33'
it will find a string let's say that has 33' and then it will base64 encode it
Is telling the base 65 something?
Or is it a part of the etc command
33 characters?
So its saying get me a code that is 33 characters
not 33 characters, but whatever line or string that has 33' in it
Why the 33?
no idea, maybe somewhere in the file there is that piece of string
you can remove the last part of the command, e.g. | base64 and see what exactly is being printed to stdout
open quotes are a bitch
uid 33 is very common for the www web user
remember im daft.
uid 33 what is this?
no worries, dpgg didn't know off the top of their head either.
uid is user id, the ids given to linux users
and the 33 part of that?
root's uid is always 0 for example
that's a common ID number?
and most regular users are 1000 and up
yeah
1-999 are often uids for different services
*often but not always
if you look at an /etc/passwd file you can see all the associated uids for each user
Can i dm someone for the next question? I don't want to give a spoiler. I believe im close
I'm getting the ip to ping back and no invalid input. But the command is not running.
same I didnt write down all the passwords. Missing kira's too LOLOL
at the moment my target goes down all the time... anybody else facing problems?
I'm having trouble logging into the rdp as svc_backup from the windows privesc module: Leverage SeBackupPrivilege rights and obtain the flag located at... I enter the credentials and it just says incorrect username or password, I used user "svc_backup" and password "HTB_@cademy_stdnt!"
sometimes rdp service takes awhile to setup properly and can be like additional 10-15 minutes before it works properly.
I also dont remember that section off the top of my head so I'd also verify that rdp is indeed the intended login method.
WTF....attacking common services, after each attack my target goes down...
yeah rdp is the correct method " RDP to 10.129.11.106 with user "svc_backup" and password "HTB_@cademy_stdnt!" "rdp service is running fine because i can see the login screen, and i just tried it like 30 mins later and still same thing, tried restarting the server few times too
yes, when I say it still takes 10-15 minutes to fully startup, Im still talking about being able to see the login screen
also if you're passing the password via cmd line it's worth trying not to and entering it at the prompt, sometimes bash will interpret the @ or ! weirdly
i escaped the ! with a backslash
also tried entering from the login screen
idk what to do
rdesktop
try xfreerdp
its password prompt is text based
Hello, I'm at the CROSS-SITE SCRIPTING (XSS), Session Hijacking. When the web page reads the src=IP/script injected code it does a Null request instead of GET. Is this an important factor or it doesn't affect the exercises?
May I dm someone to confirm I am barking up the right tree regarding creds and services for Attacking common services - Hard? Been stuck on this for a day.
Anyone happen to finish the Web Attacks assessment? I found an IDOR but currently trying to change a password| Edit: Figured it out
Having issues with Skills Assessment - Using Web Proxies "The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag. " I have the button enable and sent it through repeater and hit about 30 times still don't see the flag.
Hey yall! Im running into this xfreerdp error while trying to access the Password Attacks: Pass the Ticket labs. Anyone have advice on how to correct this?
][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate
Anyone else having issues getting pypykatz to work in the attack passwords / attacking lsass section?
I reinstalled pypykatz and I'm getting an error of ModuleNotFoundError: No module named 'msldap.commons.url' when I try running it. I've looked through the forum and through the chat here and I don't see any good answer for it.
i don't know where to put the creds iamtheadministrator? section Windows Privilege Escalation Skills Assessment - Part II . potato needs SeImpersonatePrivilege. Can anyone help me out?
I must be blind because I can not find the answer to this question. for Linux Priv Escalation.
Find a file with the setuid bit set that was not shown in the section command output (full path to the binary). I can't find anything that isn't shown in the example. I found the setgid no problem.
||/usr/bin/fXXXXX|| u need look more carefully
I tried that, let new try again after dinner
Hello everyone, I have a query, I am making the LFI module and I got to this part where I have to get to the root but I found this code that does not let me go through the routes ../../
Is something going over my head or maybe I should make the deposit in another way?
<?php
if(!isset($_GET['page'])) {
include "main.php";
}
else {
$page = $_GET['page'];
if (strpos($page, "..") !== false) {
include "error.php";
}
else {
include $page . ".php";
}
}
?>
Want to show some love to @light current @safe leaf and @west canopy for the huge help on Command Injections Skills Assessment.
GOD DAMN.
Really puts in perspective... How terrible I am at this.
i need to ask a thing
what programing language should i learn for hacking
like java or python or c++
People are going to say it sort of depends on what you want to do.
pls can you tell
.
Well, if you know nothing about programming you can't really do too bad learning python. There's a million free courses for it and there's a module for everything.
I need help please!
I can't access my Academy account with my email
What can I do to get back my academy account?
contact support
Can't get through to them
then you wait
Don't have access to my account
you can access support without an account
Wait for what?
How then?
By clicking the green chat bubble for support
so what youre saying is, you did not attempt to contact support yet
This is the incorrect channel to reach out for support @modest isle
What's the support channel here?
you also dont need to spam your request to three different channels
there is none
click the green bubble
Buh I really need to get through to my account
Reading comprehension... Wow
you're really bad at reading comprehension, wow
If you can't sign in, you will need to make an account on the CTF platform as all accounts do not sync and aren't cross-platform. Again, this is the wrong channel to be discussing this as well.
If you are stuck, sign in to your HTB account and click the green chat bubble
been said like three times. 1. Go to the website. 2. click the green chat bubble.
The support team ain't responding
Please carry this to #1024429874246590575 otherwise, mutes will be handed out.
This convo stops here unless it is module related topic.
Thanks @novel matrix
np
hey, is this a place where i can learn how to hack
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@subtle escarp ^
I have a question about the Firewall and IDS/IPS Evasion - Medium Lab. Anyone around?
I solved it but I am not sure if I did it the right way.
what defines something as malicious, as in does that just mean hacking to get money and/or hacking to hurt someone in some way
Hello, I am struggling with Windows Exploitation. Can anyone please suggest me great resources to master Windows Exploitation. Thank you
Sure, you can dm me to avoid putting spoilers in chat
I'm having difficulty regarding nexpose. I downloaded and install nexpose but it doesn't show me the "login option" when I navigate to "https://localhost:3780/starting.html".
My bad, read it as win priv esc assessment 1, so my hint would be to start seeking a folder that can store installation, setup or upgrade files. Oh, and wakanda forever
i'm done the module thanks
Can anyone that is good at windows help me a bit to understand why something is not working as expected
Hi,
I'm stuck in password attacks module in Pass the Ticket (PtT) from Linux section at the question :
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
The clue is the following There is a file containing the identification information of Linux machines in Active Directory.
I tried everything in the course with the /etc/krb5.keytab but nothing work ...
When i try Abusing KeyTab Files i have an error :
keytabs contain no suitable key
With keytabextract.py i dump the hash but i can't login with it.
hello, can somebody give me a nudge towards the answer for the following:
Module: Password attacks
Section: Password mutations
Question: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam"
I've tried several methods, but I cannot brute the password before the expiration of the target machine.
Currently trying: hydra -l sam -P cut_mut_password.list ftp://10.129.186.213 -t 64 (I've cut the first 17k lines from the wordlist as suggested here, and also opted for ftp brute forcing rather than ssh with no luck)
Yes there is a problem with this part, impossible to do it in ssh and in ftp it is the same it is too long
Your wordlist starts with which character?
starts with Steven7
The first character is B
hello, can somebody give me a nudge towards the answer for the following:
Module: Using web proxies
Section: Zap Scanner
Question: Find vuln and get /flag.txt
I tried some command injections but I can't get it..
that's question 8 right? try the ||kinit|| tool
thanks, i got it:)
did you or zap found the vuln? also command injections is the right path
my zap on this section for some reason was only able to detect the vuln like half of the time
Yes it's the 8 question.
I tried with kinit but the response is 'keytabs contain no suitable key'
I tried with all the name in /etc/krb5.keytab
I run the active scan many times to get the vuln
yeah for this question i only got 2 command in my note and one of them is the kinit command but pretty sure it's showed in the example
same
well but I can't get the flag. have any hints?
so did you get RCE?
because of spoilers shoot me a dm with what you have tried, because if you got RCE the flag should just be at /
For me it doesn't work
i forgot about this common mistake, for this user only you can use @inlanefreight.htb
a quick ls at /home will show you all of the user that have @inlanefreight.htb at the end
Well yes, that's what I don't understand. It's not really a question of connecting to a particular user, but only to access to \DC01\linux01
There is no linux01 user
the linux01 user is a domain user and (i think) not a local user on this linux machine
Yes it is but then I don't understand how to access to this share folder
As root we can access /etc/krb5.keytab
but impossible to use everything that is in the course with this file.
yea i do remember don't have to use like half of the example showed but goddamn it's be come useful af for offshore
I've been on it since two days, I don't know what can i do for access to this folder
oh this one was a fun one to figure out. i can see you thought the same thing i did
do you still need help with this?. i can tell you youre in the right direction
Oh yes thanks. Just I'm not at home for the moment. I come back in 2/3 hours.
ok. im working from home today but ill still be here working on this passwords hard lab. cant find a thread on it. just know the syntax is right. you need to look at how you're putting the account name in
hello, i need a hint for the session security skill assessment
i need a hint at the password attacks easy lab im bruteforcing ssh and ftp but it needs ages. Is there anything that can speed up that process
mm I remember that for that laboratory I used ftp + hydra and it didn't take me that long
what password list are you using
did you try -t 64? or 128?
i used the -t 50 and it went pretty fast. also ssh takes too long
yeah im trying ftp
and im assuming youre using user list in hydra too correct?
yes
Hello, in attacking common services hard , I'm having problems to find the flag (||I've already activated xp_cmdshell and show advanced options )||, I'm making the following query: ||EXECUTE('SELECT *
FROM OPENROWSET(BULK ''C:\Users\Administrator\Desktop\flag.txt'', SINGLE_CLOB) AS Contents')
AT [LOCAL.TEST.LINKED.SRV]|| , and the error is dsp_desc_bind: memory allocation failure for column #1, any ideas?
I generally try easy and uncomplicated commands. Maybe it helps
nvm, I saw on stackoverflow that these problems are linked to sqsh, I tried with mssqclient.py and got the flag
thanks for answering as well ^^
im on the hard lab for the password attacks and i cant seem to find a way to get that initial hold. i tried bruteforcing johanna's password and have been through the whole mutated list. no hits. both local-auth and normal. any nudges?
sure what's the issue?
hint use the normal one
holy shit how did i suffer from attacking johanna's password for like 3 days , You have to brute force mut_password with user johanna, what tool are you using?
crackmapexec
i guess that would work too but i'm not sure also if you make the mutated wordlist right (with a sort command) the cred for that user isn't going to be that deep
Ok I am assuming you are using the default crackmapexec configuration, you have to put --local-auth to your query
i used my payload to change things / steal cookies etc. and this works for other users but this payload doesn't work for the admin. i used the right submit endpoint.
im already done with the lab but thanks
i did. it went through the entire list with no hits
This helped me to find the password, check your mut_password because the password shouldn't take that long
hmmm....ill try again
so after adding the payload into the given user ||profile|| you have confirmed that it's worked but when you send through the API for the admin user to click it you get nothing back? or just a click request from the admin user but no cookie?
i get nothing back from the admin when i use the api, i also checked the ip and port etc.
but the api shows success
shoot me a dm if the API request that you use to send your payload to the admin user
if you have confirmed that the payload worked but only the sending it to the admin user doesn't work then this is the only issue i can think of right now
hi peeps, so i was doing the module **Password Attacks ** but the 3rd question in the "Attacking Active Directory & NTDS.dit" section is not accepting the answer, am i going nuts or what? pretty sure i have the answer..
Any module recommendations for Cloud pen testing?
maybe im going nuts, cuz the question says to submit username:password of the attacked win machine, i generated a wordlist with the given names using || username-anarchy || and then cracked it using || crackmapexec smb || , i found the user:pass but its not accepting the answer, what am i missing?
oh fuck, solved it
i didnt read well enough the output from the || ntds.dit file || which had the username in lowercase lol
password attacks medium labs i cant escalate privilege or find a pw for ||dennis||
what am i missing
I'm back and I have sent you a DM.
Hi someone can help me pls with BROKEN AUTHENTICATION - Predictable Reset Token ?
you got the J account password right?
yeas
examine the document where you got that info. notice anything you could also use that info for?
im connected through ||ssh||
and i searched everything on that machine
but i cant get what am i not getting
i cant get what am i not getting ~~ Me 2023
official quote of the HTB Academy if ive ever seen one lol. ok go back to the .docx file. and read through to the bottom. what services does it mention?
ive been through the ||mysql configs ||
idk how to do separate spoilers. so its not the configs
||try the database itself||
youre my hero man
no problem, if you need help on the hard one well im stuck on it so itll be a minute before im ready to help anyone with it
bruh now im stuck again
how can I help
what have you found so far?
now im logged in as ||dennis|| but cant find credentials for root
oh yea this one is tricky unless you play around a bit.
what can you find on dennis home page?
i looked through bash history etc. and all that and the ssh key is encrypted but why would i crack that, im already in dennis's account
i mean sometimes the password on an ssh key is different then what the password for the account is
would be a reason to crack it i mean...
Any solution for this openvas error
[>]
[>] You might need to refresh your browser once it opens.
[>]
[>] Web UI (Greenbone Security Assistant): https://127.0.0.1:9392
Job for ospd-openvas.service failed because the control process exited with error code.
See "systemctl status ospd-openvas.service" and "journalctl -xeu ospd-openvas.service" for details.
Job for gvmd.service failed because the control process exited with error code.
See "systemctl status gvmd.service" and "journalctl -xeu gvmd.service" for details.
nah man thats fcked up
lol so you got it?
yes
my mindset should be just crack everything thats encrypted even if it doesnt make sense
Hey I am having some trouble with the CrackMapExec Module.
Question 4 in password spraying section
Is there any other local MSSQL account created with the same username and password as the corresponding Active Directory account?
I am getting:
MSSQL 10.129.204.177 1433 DC01 [-] DC01\jorge:Inlanefreight01! [('SSL routines', '', 'legacy sigalg disallowed or unsupported')]
MSSQL 10.129.204.177 1433 DC01 [-] DC01\jorge:Inlanefreight02! [('SSL routines', '', 'legacy sigalg disallowed or unsupported')]
MSSQL 10.129.204.177 1433 DC01 [-] DC01\jorge:Inlanefreight03! [('SSL routines', '', 'legacy sigalg disallowed or unsupported')]
MSSQL 10.129.204.177 1433 DC01 [-] DC01\jorge:Password@123 [('SSL routines', '', 'legacy sigalg disallowed or unsupported')]
for every user
hmmm, maybe its to do with my cme install
someone here for helping me out on attacking common services easy lab?
what part are you working on?
brute forcing johanna
i rebuilt my mut-passwords
the mut list is the correct one
If you have more than 35k attempts it is because there is something wrong
not sure if it matters but is Johanna capitalized?
i know. i was told it shouldnt be that far into the list. but im now 46k in
she is not
because @opaque niche is correct, it should not take that long
let me reset target
on my hydra command I had it capitalized.
restarting with Johanna on RDP --local-auth
I used ||hydra -l Johanna -P mut_password.list rdp://10.129.202.222||
||crackmapexec + winrm + --local-auth||
If anyone can help with my crackmapexec module question above. it would be appreciated.
Im not familiar with that module sorry.
would you say johannas password is supposed to be within 10k of the mut-password list
let me check
i think so
for sure
ok then let me try hydra because CME just past it
how many passwords are in your mut list?
let me check
187775 after deleting it and rebuilding it from the resources
this list was made from the provided password list correct?
using ||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list||
yes. thats the exact command i used
i can try rebuilding it again
ok after rebuilding 94045
thats closer. try running hydra now on rdp
the password in my list is between 9500 - 10000
running now with rdp
@tough fjord can i ask some?
It's not my day ...
There is a special wordlist for Protected Archives in password attacks ?
I have the hash in good format but when i put the hash file in john there is no password.
I tried with rockyou and many list and the password.list in the ressource but not working.
what about the mut-password.list?
I'm an idiot! !!
I tried all my wordlist, except this one ....
hi
in metasploit module , in sessions and jobs section i am not getting the correct exploit for the older version of sudo please help
Anyone know the working version to ingest files to Bloodhound for the Bloodhound module on ParrotOS ?
hello. I am trying to pass the password attacks module, the Password Mutations section. But I have a really big problem. We have a lot of password variants even after deleting duplicate ones, and it takes around 6 hours. I suppose it's the wrong direction. Maybe somebody can give me a hint, because the other passwords in past sections were found really fast.
for that section delete the first 17000 passwords and scan again.
The last I heard the bloodhound module was outdated and due to be fixed.
for LINUX PRIVILEGE ESCALATION, I am finding that we may not have permissions to run some of the privesc that they demonstrate and the flag is just searching directories. For example in Shared Object HiJacking, I have the flag and completed the module, but I get a permission denied on the exploit and same thing for Miscl Techniques.
Am I just completely missing something?
someone has reset the whole progress on the BloodHound module
apparently I can't see what's updated, since everything stands new in that module (as of now), but I had already done it last year
Active Directory (AD) is widely used by companies across all verticals/sectors, non-profits, government agencies, and educational institutions of all sizes. By its nature, AD is easily misconfigured and has many inherent flaws and widely known vulnerabilities. Due to the sheer number of objects and in AD and complex intertwined relationships tha...
no, the module was completely rewritten
Since all areas have been replaced, the status is now 0% again.
I only skimmed it quickly, but I'm really happy about the update
I am excited about AzureHound
hello guys i got a question
What is the type of the service of the "syslog.service"?
I cant guess this one
on the topic of Bloodhound... I have enough cubes to purchase a Tier III module. Would y'all recommend Bloodhound or CrackMapExec? I do plan on taking both, but I'm curious what y'all recommend
hey im doing "Information Gathering - Web Edition" and the DNS section asks "Which subdomain is returned when querying the PTR record for 173.0.87.51?"
wondering if the answer changed recently :/
ugh nevermind
check this out. https://wiki.debian.org/systemd/Services
Can someone share how they did the Double Pivot in ATTACKING ENTERPRISE NETWORKS Post-Exploitation? because the instructions provided in the module don't appear to work... --Edit --- Anyone who has this question in the future check out this post https://forum.hackthebox.com/t/attacking-enterprise-networks-double-pivot-using-chisel/267043/4 it will solve your problem. ^_^
Tried several configuration in the Lab Environment and finally got a Chisel Double Pivot to work! We are connecting via Kali (10.10.14.227) <<10.10.14.0/24>> DMZ01 (10.129.58.6 | 172.16.8.120) <<192.16.8.0/24>> DC01 (172.16.8.3 | 172.16.9.3) <<172.16.9.0/24>> MGMT01 (172.16.9.25) On our local Kali: ./chisel_linux server --socks5 -p 9001 --re...
I used bloodhound 4.0.3 and this and uploading the module zip file is a no go along with own personal files. neo4j 4.4.12 and java 11.0.8 on the brand new Parrot latest. No love!!!
Did you manage to solve this? I have the same problem.
Module: Attacking Common Services
Section: Attacking FTP
I have logged in to ftp and then used the username and password list to bruteforce ssh. When I try logging in it's giving me an error: Permission denied (publickey).
then i brute forced smb, and couldnt download the id_rsa, so i mounted it and tried again but same error.
Similar problem as @polar aspen and @viscid furnace and @hazy grotto - I can get the meterpreter, run it in the bg, and run what I believe is the correct cve exploit, but I always get "Exploit completed, but no session was created" on the metasploit - sessions - last question. Any hints?
use get to download the id_rsa file
change chmod 600 id_rsa
dm
can i DM you?
sure
CME
Can't say for new BH, but old one definitely needed much volume in terms of improvement
Unfortunately i realized i didn't have good notes for this section. Purple more than likely helped me with this.
Unfortunately I dont take notes on section specific assignments so I couldnt help much either other than just redoing it again.
I won't have time to even look at my notes till tommorow night. So if you still need help then, feel free to dm me. I won't be around before that tho
No worries - thanks for the notes and giving me something else to mess around with
Sounds good - I'll keep messing
Hello guys, In the cbbh -> ATTACKING WEB APPLICATIONS WITH FFUF -> Recursive Fuzzing
I got the flag but it tells me that it is wrong. Can someone verify that the flag I have is the right one?
yeah dm me
I sent you, thank you.
Hello guys
I just noticed that the Linux Fundamentals module has been updated with some newer sections added
I feel that kind of cool
try to avoid just pinging people
but in short; are you having the payload call back to the right IP
Sorry about that - probably my first post on discord - I'll double check the IP but I think it's right - thanks for the help
Hello guys, I'm having a bit of trouble on the Getting Started module, Service Scanning section
Specifically this question
Perform an Nmap scan of the target. What is the version of the service from the Nmap scan running on port 8080?
I've identified it to be Apache Tomcat via nmap, but I'm stuck on what flags I need to set to pull up the version number
Tried things like
-A
--version-all
--script=http-apache-server-status
Also visited the site directly on the browser, got the version on the 404 page as 9.0.31, but that doesn't seem to be the correct answer
What does % mean in
rpcclient -U"%" 10.10.110.17
?
Oh... I was looking hard for the version number but it looks like the question was simply asking for the name of the service on that port. Got the answer now
im working on the part" On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)" "attacking the active directory and NTDS.dit" of the "password attacks " modules
can someone help with this problem i have https://discordapp.com/channels/473760315293696010/774040263278592041/1080615236584865912
username-anarchy
im using the wrong credentials?
probably :) username-anarchy will generate a list of usernames based off of what you give it; that is what can be used to get the info :)
thanks ill try it
its confusing because i thought it had the permissions needed. i sent a photo of the permissions
follow the module closely
I told you last time what you were doing wrong
were you the one who helped with a previous module?
maybe?
I just clicked back to find your original question only to discover I had already answered it and you never replied lol
my apologies. i started using "upload"
still didnt work
winrm builtin upload?
1. need to use download 2. did you specify full paths for both the source file AND destination?
or no, maybe upload is still correct idr
either way the path thing is key
Ive seen pro pentesters trip on that cause its dumb
this is how i used it
yeah thats not correct
before i recreate the wheel does anyone know a way to automate the section for bypassing blacklisted commands? can this be done in burp at all? If not I am thinking of writing a python script to do it for me.
for winrm you dont need to use a share
you just specify the full local path
also stop trying to run sudo on a windows computer lol
im learning lol
Thats why I mention it
this is why i tried to use it
you use the share for using the cmd.exe move command, not for the winrm builtin in, it works differently
so i straight up fileshare and not use this command on the attack machine?
Youd use that command if you wanted to use the cmd route
evil-winrm's upload functionality does file transfer using just the winrm protocol.
the cmd.exe is using windows UNC path handling feature to treat shares as file system objects instead.
totally different mechanisms
either can be viable. but mixing is gunna be a bad time lol
like this
no, you should read your error messages closer
'upload' is not a valid command. And also like I said you DONT use the share at all when using the win rm file transfer method
which is admittedly weird cause it should exist
what output do you get if you enter in just 'menu'
you get this
okay so it does have upload and download properly
and yes you need to use download, not upload
so something like
download C:\NTDS\ntds.dit /home/htb-user-blah-whatever/
it worked this way it seems
hardway but hey if you got the file you got the file
don't trust winrm saying its successful until youve verified the files actually there
Ive seen numerous times where it says successful and its just lied lol
Google your specific errors and the tools/commands youre trying to run more and itll take less time in the future
lmao im checking now and it looks weird
The reason the upload portion failed is because there is no c: on Linux, the upload is expecting
upload /path/to/Linux/file c:\windows\path
Upload is to upload a file from your attack system to the victim computer
like that?
Hey guys I'm currently stuck trying to answer the questions in the footprinting module specifically the part about DNS. Anyone in here able to help a brother figure this out
im doing this now and will do this entire part over again
Good idea
Hey somone can help with fix mssqlclient.py issue?
[-] [('SSL routines', '', 'legacy sigalg disallowed or unsupported')] any ideas?
I'm not sure what I'm doing wrong in those module. First question asks to enumerate the FQDN of the "inlanefreight.htb" domain and I can't even get that. Tried using dig got a few other subdomains but I'm stumped as to my next steps here.
Any more subdomains to those subdomains...?
Thanks that helped me knock out two of the four questions. Still stuck on how to get the FQDN for the inlanefreight.htb domain and for another subdomain
Is there anyone I need to ask something
Just wanted to say this really opened my eyes to way I tend to ask questions and how they may be perceived. So I apologize for all the times I've ever done this in any server and will definitely consider this going forward
hey no worries. People often think im being mean for linking it but no, it's genuinely a pretty good read on how to start asking better questions. Im glad you took the time to process it
Guys I am on the last question of the Linux Privilege Escalation Module and I am trying to find FLAG5 but what I understood is I need to upgrade my reverse shell for the user ||tomcat||, however using ||python -c 'import pty;pty.spawn("/bin/bash")'|| does not do anything. Any hint on how to solve it?
What is a fqdn, that may help direct you better
Yes, just read the error and you'll see why it failed, not that you did anything fully incorrect
Something else that may also sound snarky is "read the error it gives you"
Yeah I figured it out a few minutes ago, the answer was simple I had it all along just didn't know I was looking at it
happens to the best of us
Yeah it's frustrating but on the bright side I was on the right track the whole time so gives me confidence that I understood the module
honestly i need a mentor...
you and me buddy, you and me
Did you end up cracking this hash?
Module:AD Enumeration & Attacks - Skills Assessment Part I
I'm stuck due to this error:
New-Object : Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]: verify that the assembly
containing this type is loaded.
At line:1 char:1
+ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ...
+ CategoryInfo : InvalidType: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
Any insight?
Prior to this I did add the relevant type via PS> Add-Type -AssemblyName System.IdentityModel
To make code/error blocks easier to read, encase them between two sets of "backticks".
It makes it neater.
```
Ah
Probably because you're not verified.
It likes doing that
As it can be seen as "spammy" behavior
Ahh, I see.
Lol, that was like a month ago, always check timestamps xD
Any insight on this though? 0.0 It's been driving me crazy
and I've spent a couple of hours trying to remediate it.
I get no error when adding the System.IdentityModel assembly,
but still get the error that the subsequent object can't be created due to it being invalid... but it shouldn't be.
lol and PowerView throws errors as well.
And... not gonna lie, compiling Rubeus flew over my head (tbh).
Haven't finished AD enum yet, sorry.
Dev said it's in rockyou, but I chose another way.
Dm me if you wanna hear more
Check proxy history
Try browsing and clicking stuff on the website, then see if any API requests happen in the background. They will be in history. If you're stuck, DM.
Lol, I need an adult... Import-Module isn't working(?), in disbelief... maybe I'm just bad... can't Add-Type -AssemblyName System.IdentityModel
I too have failed for the evening, and am out of ideas around all of these errors... I'll be back at it in the AM.
Question more on note taking / keeping. When keeping track of potential injection points when walking a web application, is there any sort of tool we might use, or do we just have to write them all down?
I use Obsidian for note keeping. But some people also like to make mindmaps.. I do think it depends on the person.
Can someone help me to understand something in the Server-Side Attacks module's SSRF exploitation example?
What's the question.
I don't really understand why I'm not able to reach local files through port 80 but I am able to using internal.app.local. I mean, isn't the webserver running on the local machine? I'm not sure if my question is clear.
The internal app isn't listening on port 80. The web server is. The internal app is just that--internal. It's only listening to the local connections. That's why you have to do something like: ||ffuf -w ./ports.txt:PORT -u "http://TARGET>/load?q=http://127.0.0.1:PORT" -fs 30|| to find them.
Hey, I'm new to Hack The Box. Are there any tutorials about networking and Linux before doing any CTF?
Ok thanks. I still have trouble understanding something. What's the difference between these two commands: ||curl http://TARGET/load?q=http://internal.app.local/load?q=http::////127.0.0.1:5000 -i and curl http://TARGET/load?q=http://127.0.0.1:5000 -i||? It's a little bit confusing for me..!
Thanx
The first version goes to two internal apps, the second one just goes to one. For that example, every time you see 'load?q=<something>' it's accessing another page THROUGH the other resource.
hi guys
Hi guys, I'm wondering if someone can help me. I'm in the module about network enumeration with nmap.
sudo nmap 10.129.2.0/24 -sn -oA tnet | grep for | cut -d" " -f5 this command should show the hosts that are up. So I tried it in my Kali on my network (I use my subnet address). (Kali is in a VM in NAT mode.) When I do it, I receive that the whole range has hosts up, when there might be only 4 or 5 hosts that exist.
I'm trying in bridge mode just to see if it makes a difference.
Ok thanks, I'm slowly starting to understand..!
I'm guessing it's my firewall that sends reset-ttl.
I'm in AD Enumeration & Attacks - Skills Assessment Part I
Can someone tell me how to pivot from one interface to another manually or using a tool other than Metasploit? I tried chisel socks + proxychains but it seems there's something broken.
ligolo
Hey guys! When you enroll in a job path, is the way the modules are organized on the dashboard the recommended order to study them? Or should I read them beforehand to know which one is better to follow up next? (Because maybe there's a module that's related to another one... etc.)
Hi, I'm stuck in Password Reuse / Default Passwords from PASSWORD ATTACKS. I SSH in utilizing ||sam||, then I proceed with port forwarding the port ||3306||, and start bruteforcing ||localhost:3306||. I tried 12252 combinations and found nothing. What should I try next? Thanks for the help.
please remove the password
ok
hey all, any hints for the following question, please?
Module: Password attacks
Section: Cred hunting in Linux
Question: Examine the target and find out the password of the user Will..
I've used the hint and mutated the password found in there, tried bruting it with hydra through SSH with the provided custom-rule mutated list, but no luck. Also tried other hashcat rules.
Usually you are on the right track; however, you must check if your mutated password is anywhere around the one given in the hint.
Attack Common Applications - Other Notable Applications
Somewhat stuck and looking for a little nudge.
I have the application we need to exploit and an RCE exploit from ExploitDB. Was able to get it to run, but my connection keeps closing after launching the exploit. Not sure if I am missing something or not. Thanks!
I guess you have found the app on the unusual port?
Yes, and then searched for an RCE exploit and found that. Executed it, but on the listener side I am getting a message after executing saying "Closing Connection".
Try using some verbosity to see why that is.
Double-check your lhost and lport etc.
could someone hack someone for me, he is a pedo that posted a link to chld prn and i want all his online shto be taken down meaning his gmail logins everything. here is his user Jetbump67890#9696
please help, this pedo deservses to go to prison
how could discord hack their googleaccount all they can do is ban their discord
out of the scope of this server
what?
again, reach out to the appropriate authorities
Lhost and Lport are good, and same with remote host. When running the exploit I see it connect to the first listener, but then it goes to sending return with payload, then all I get is closing connection. This is run outside Metasploit.
Not sure, double-check if that is the exploit you have to use.
@quasi tree Everyone can say everyone is a pedo. Plus this Discord is for a cyber security learning platform, not a hacker forum, so if you keep asking for things like that you will get banned from pwning. If that guy is a pedo, just report it and if it's valid they will report it to the right authorities.
The exploit I used worked on the first try.
Went with a different exploit, no issues. Thanks.
Holy shit, finally beat Session Security - Skills Assessment. That was a real tough one, had to do it twice too lol
LOGIN BRUTE FORCING - Skills Assessment website
Been stuck on the second question. Pretty sure I wrote the right command but it's taking too long. Can anyone help please?
||hydra -l user -P /usr/share/wordlists/rockyou.txt 161.35.33.20 -s 30764 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<title>Admin Panel - Login"|| - this is the command I'm using
What makes you sure that this is the user?
The hint.
Also, what makes you sure that the field, e.g. the string, will change upon login?
well I'm not sure about that
If you are not, try something else that could stick out even more.
Thanks! It worked.
Hey! Need some help with a module.
I'm local admin,
not the Administrator,
but part of the Administrators group,
and trying to access C:\Users\Administrator
but getting access denied.
Am I missing something here?
Maybe log out and log back in?
I am netadm.
Logged out and back in.
Nothing, sadly.
I lied, I was "disconnecting" and reconnecting.
Sorry I wasn't more clear. Let's say for example we walk an application and have 150 potential injection points. Are we manually writing them all down, or is there a better way?
Manually clicking the sign out button is what I needed to do.
Figured disconnecting did the same.
Thanks
Ok then, side question: does the same apply for domain admin?
I would use Burp Suite… and pass them through the proxy. When you do that you will have a better picture of the injection points.
If a user is a domain admin, do they get to access any machine's Administrator directory and function essentially as a local administrator?
DA is better than local admin, it is like the cherry on top.
I understand it's all going to be in Burp Suite, I'm looking for a better way to work through them all.
It's all just trying to figure it out.
Second question: the module was the DLL loading through the DNS service. I loaded a cmd that added me to local admin and domain admin. That worked like a charm. However, I tried to run a reverse shell DLL and that failed. Any reason why?
Any DA has administrative control over the domain, i.e. everything in it, if there isn't any configuration/policy that limits it.
makes sense!
The process is not stable.
Use john.
You might need to specify an additional option (flag) to tell john what this block of data is.
Per the instructions for the Footprinting module labs, am I allowed to exploit the hard box? The following snippet is from the description of the easy box, and the same idea of not exploiting isn't in the description of the medium or hard boxes. I'm confused whether the same no-exploitation rule applies:
||We were commissioned by the company Inlanefreight Ltd to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture.
The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production.||
From what I remember there is no need.
Hi guys, I have one question: when using the ffuf command, how do I filter to only show requests with size <some number>?
@jaunty vigil nice photo profile
-fs
thanks boss
Do you have the game for pc ?
Hi guys, I cannot do the last exercise in the Footprinting IMAP/POP3 section. I have accessed email on DEV.DEPARTMENT.INT but do not see any flag there. Can someone give me a hint? I used the robin account. I am thinking maybe I need to find the devadmin pass?
#Introduction to Windows Command Line
#Skills Assessement
#Question 10
Hey, I'm a little lost. Question 10 asks me to connect to the domain controller. How do I connect to it so that I can read the log file? Can anyone help me with this question, please?
How can i become a hacker
I guess hack something
In question 6 or 7, have you already connected to the DC, and are you using SSH?
Nope, on Question 10 where I should read an event log. Further up in Discord it is written as a tip that I should search on the domain controller.
Please, someone help me too with IMAP/POP3.
Yeah, use SSH to connect to the DC
If anyone is available, I need some assistance in the Passwords hard lab. I got the backup file and was able to grab the password for it, but I don't know how to mount it properly to take a look through it.
Wait, hold up. I may have a way. I didn't realize I can do a gpart scan on it, maybe I can dislocker it too.
nvm, gpart didn't give me any useful info.
This the BitLocker drive portion?
yes
The share is mounted. I have a copy of the VHD of course, and I used john to crack the BitLocker.
The module recommends just transferring it to a Windows machine to natively mount it. Otherwise you're kinda on your own for figuring out how to mount it. There are some mount extensions you can install to get it working in Linux, but that's gonna require googling and old-fashioned computer know-how problem solving.