#modules
You need to find all zones
so if a zone fails i need to brute force it ?
for example:
dig axfr @10.129.42.195 mail1.inlanefreight.htb
; <<>> DiG 9.18.12-1-Debian <<>> axfr @10.129.42.195 mail1.inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
@acoustic owl
Not every zone allows a zone transfer, that is correct
yeah ive tried that ive tried bruteforcing no luck what wordlist u prefer?
Take the smallest one from SecLists
If you can't find the host with this, then use the next larger list.
The list with 5000 entries is too big
keeps giving me app.inlanefreight.htb NS record query failed: NOERROR
thanks for the help anyway
A DNS zone is a specific portion of the DNS namespace in the Domain Name System (DNS), which is managed by a specific organization or administrator. A DNS zone is an administrative space that allows for more granular control of the DNS components, such as authoritative nameserver. The DNS is broken up into many different zones, which are distinc...
no i got that still bruteforcing no luck
Hi, any advice to module "AD Enumeration & Attacks - Skills Assessment Part II", I have some trouble with the next questions "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What this user's account name?"
I think i have to spoof, but im not sure
yes, because you are trying to query a host and not a zone
|| BloodHound || is your friend
Read the chapter about DNS zones again.
anybody have tips on public exploit section of getting started
google is your best friend
to find the exploit
if you're doing the lab
@halcyon grove i tried
what are you stuck on
are you doing nibbles ?
go buster isn't showing anything
no public exploits
its the metasploit primer
only thing that shows stuff is curl -IL
and whatweb
hint: look at the wordpress version
wordpress version is 5.6.1
now think of possible exploits
then i do search exploit on msfconsole
theres like 80 exploits
how do i know which one
i wish it would explain this stuff
how do i find that?
whats the plugin name lets start of with that
2.7.1 or 5.6.1???
read again what's the name of the plugin it gives you the name in the wordpress website
starts with an s
simple backup
i do searchsploit and it says multiple vulnerabilities, whats that mean?
i wish i could post screen shots but this sub is restricted
simple backup _______
ur missing sumthing
after u find the missing part if searchsploit gives you no result google it
Hint: exploit ends with read
@agile rapids
Hi
And who is the site administrator here, who can I talk to about paying for a subscription?
I'm just asked to pay for my subscription with a card or PayPal, and I don't have it in the USA
left corner start a new chat
Khaotic#5059 He can help, can't he?
If it's not difficult for anyone to tell him, let him answer me in PM
just pay for it on the site???
@halcyon grove should i use ncat for listener
Yes, I want to pay for the subscription, but I can't do it, I wanted to ask if I could pay in another way
all the available payment options are listed there is no custom payment
^
Well, if I don't have paypal and USA card
are you in the US?
Maybe you can pay for crypto
US shouldn't matter anyway since HTB is based in UK
No
The only currently known payment processing issue is if you're in India
but you don't need a US card...
just a card
Well, I want to pay, but I don't know how to do it
I can't even pay with a European card
sounds like a skill issue
I'm working on the Pivoting, Tunneling and Port Forwarding module and there appears to be a step or instructions missing for the Meterpreter Tunneling and Port Forwarding section. It mentions configuring and starting the multi/handler after creating your payload, but there is absolutely no mention of how to copy that payload over to the ubuntu pivot target. Is that something you're just supposed to know or is there something missing from this section of the module?
I don't have more than one payment method that I'm offered, I can't do it physically, and here's my skill
@red current Nothing that is missing in the module
Got it. So I'm just missing something and need to figure it out myself.
@red current what problem are you facing
If you are following the CPTS course the File Transfers module is listed before Pivoting & Tunneling, so it's assumed knowledge.
https://academy.hackthebox.com/course/preview/file-transfers
Clarification on mimikatz / passtheticket -- ||When I use "mimikatz # kerberos::ptt "C:\tools[0;53834]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi"
- File: 'C:\tools[0;53834]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi': OK
mimikatz # exit
Bye!
C:\tools>dir \DC01.inlanefreight.htb\john" --------- Am I being granted the rights of John for the next command I type ||
anyone have the solution for this i am about to rip my head out:
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I'm not seeing how they want us to transfer the file over to the ubuntu pivot host. I struggled a lot with the file transfers module and I don't think I really understood it. I'll go back over it.
Dig more on all domains.
i fucking tried
Try Harder -- Jk
@red current use wget and python server
Oh shoot that's right. Yeah there's a brute force on a subdomain IIRC
ahhhh ?
Will do. Thank you!
not exactly sure what you mean DM me more with what you're actually trying to do... because I don't really see anything where it's forcing you to do anything with a specific country thing.
1 sec
explain 😭
Which question module is this on?
PMing
subdomains of subdomains. first get a list of all subdomains > then try and bruteforce those subdomains i.e. a.b.inlanefreight.htb
^^
I am from Russia
@halcyon grove auxiliary/scanner/http/wp_simple_backup_file_read still doesn't help
don't know what to tell you brother you can make a post in #1024429874246590575 and you may get assistance from a mod there ¯_(ツ)_/¯
make sure you use the right FILEPATH
wink
I should have thought about that one a little harder. It wasn't nearly as difficult as I was making it out to be. Thanks again!
@red current you are welcome
@fathom pendant filepath is correct i think it has something to do with my ports and lhost
fun fact if you do lhost tun0 it will automatically configure it to your vpn IP
i did tun0 says did you mean vhost?
thats the exploit
this module doesn't use openvpn its on clear net
also always pay attention to errors when things fail; they tend to give you a clue as to where you fucked up
so the first octets aren't 10.129.x.x or 10.x.x.x?
what's the module for this one?
@fathom pendant getting started public exploits section
oh yeah this one is on the docker container
your lhost should be your IP though just to be sure
@fathom pendant you mean i should put my external IP or lan ip?
i use both instance and vm for different results
when you do ip a whatever that IP is
I am working on "Password mutations" lab from "Password attacks" module and I am stuck on bruteforcing SSH. I have created a mutated password list and I tried using hydra and crackmapexec for cracking but the process is very slow. The time usually runs out before I finish the list, any tips to improve?
I’m very stuck on the last part of the LFI skills assessment, anyone available to talk to?
@agile rapids make sure you set the RHOST and RPORT properly; the only options needed to change are FILEPATH; RHOST; RPORT that's it
did you create the mutated list using the provided password.list and rules.list from the resource files?
Yeah, I used the exact command too
give me a moment to sanity check this
dm
So I was thinking that my first scan with hydra worked on 8k passwords, I could split the wordlist into chunks of 8k each and run it from there but I think there should be another easier solution. Each scan can do 8k password attempts before machine dies.
shouldn't be necessary
Okay, what do you have in mind?
like I said I'm sanity checking on my VM
alrighty
@fathom pendant filepath should be my filepath?
Filepath is the filepath that the file you're looking for is at (hint look at the phrasing of the question for this one) by default it's /etc/passwd
@fathom pendant thanks finally... sorry for bugging you guys just really wanted to solve this one
you're fine, you're asking fairly easy questions and easy to trip up questions - you were on the right path just needed the nudge :) hint for future when looking for specific files:: they will generally be located in the filepath shown in the question
try bruteforcing a different service that's running
Got it.
also in hydra you can increase the threads with -t (though if you use too many threads you can miss the password too, it's a delicate balance)
don't forget there is an "extend instance lifetime" button under the refresh instance button
so if it's gonna take a bit of time :)
I just discovered this button today :/
thanks
it's a relatively new button
Howdy! I am rather new, and am in the Getting Started module, specifically am in Knowledge Check. Amidst my logging into the admin website management site, I can't upload any files into the Upload Files section. I also tried searching for exploits with SearchSploit for the HTTP version, and the listed exploit scripts unfortunately don't work.
If I may ask, may someone please help me amidst my predicament? Link to the module/section below. Thanks for reading, and I hope y'all have a grand day!
Yeah that one's a bit tricky. It's easier to just run the metasploit exploit for it
Rather than try and do the uploads
Delete the first 17,000 lines
that's for a different section wolfiej
Module : Active Directory Enumeration & Attacks
Section: Kerberoasting - from Linux
I logged in using ssh but Im getting this error when i used this password "HTB_@cademy_stdnt!" , Same password i used to ssh in
Any idea why crackmapexec does not start bruteforcing the username/password here? It's from the Password Attacks module
Ah. My notes on that module weren’t as thorough. But none of the other questions require you to extend the session life.
yeah most shouldn't it's just an option just in case it's necessary
You’re passing the file names as username and password
you have any clue about this @fathom pendant
I haven't done this yet
I think you need capital u and p
so weird.. why would it do it lol
Hrm
My one note isn’t opening to check my notes. Sigh
that works thanks ❤️
CME/crackmap is a bit finicky tbh
Ah. I had the command pulling them from downloads so never hit that issue. 🙂
@acoustic owl you have any clue about this?
Sometimes for me the " @ " symbol isn't working try typing it into the console without a password prompt to see if it is working correctly
Maybe also try copying the password then pasting it when prompted
maybe a char is somehow broken
just when you are prompted press ctrl+shift+v
it will paste the password then if it is copied
it did copy it.. but not working
I see someone had the same issue as me.. not sure how they solved it
From my notes on kerb for Linux, I didn’t use that account
I mean I can ssh in.. so it should be the same password
Try using ||dbranch|| login
can i dm you @pine dagger
Sorry, not atm. Tomorrow morning. Am in bed 🙂
its all good man. Thanks for trying
The account I referred to you should have the password for from the earlier chapter Internal Password Spraying from Windows
you mean using that in impacket?
inlanefreight.local/adunn ?
Click the black block in my earlier answer to see the name of the account
I just looked for password for that user.. I didn't find any from previous section.. going blind maybe lol
The username is the answer to question 2 of that section. You spray the password to get the username
So you must have the password 🙂
Getspn working now?
Anyone in future having problem with logging in Kerberoasting - from Linux , Use the user Internal Password Spraying - from Windows
yes sir
I did this and it's still not returning anything
cracking takes forever
Which chapter is it?
try upping the threads to like 48
this is password mutations from password attacks but anyways, I am trying to run this again
thanks
can anyone give me a hint on the command injection skills assessment? I've tried several approaches, I know where I need to inject, I just can't seem to bypass the thing
@surreal rain
Hi, for AD Enumeration & Attacks - Skills Assessment Part II Qn 11, I am trying dcsync method but it does not seems to work? Can advise if I am on the right path?
xfreerdp
@rustic sage rdesktop
It is not working with me!
@rustic sage did you install it
Yes
Question 11 shouldn’t require a dcsync. That’s more for question 12.
Hello, i'm a noob and I need help (The course is https://academy.hackthebox.com/module/35/section/224)
When I type curl -X POST -d '{"search":"london"}' -b 'PHPSESSID=brlcb2hci2588m60fs1id1ofs5' -H 'Content-Type: application/json' http://144.126.192.55:30392/search.php
This returns Received content contained invalid JSON!
I can't pass this exercise 😭
hmm do the task by copy and pasting from the example code and replacing the ip and Sessioncookie with yours; it's probably something stupid-simple you are missing, which is totally normal, i still have the same problems with other modules today
hey guys can someone help me with the metasploit framework modules
@lost rivet where are you stuck
Use post modules
sorry but can u explain more
@lost rivet if you are trying to steal passwords or dump passwords you can use post modules
@lost rivet can you dm
anyone nudge for module "Attacking Common Applications" ?
i have done 1,2,3 assessment
but I'm stuck on Thick Client app
Can I get a nudge for default password section in password attacks module?
I have|| logged into ssh|| and I am stuck
in the skills assessment section of the module "shells & payload" you're given access to a foothold box and ip addresses and ports of 3 more boxes. one of these is accessed at port 8080 but the foothold box seems to be missing a browser and it can't connect to the internet to fetch one either. is this intentional?
You can launch firefox by typing it on terminal
Had the same problem myself
thanks @rustic sage, that worked 🙂
happy hunting
@everyone Hello Guys , I would like to ask for help from anyone who is quite comfortable with reverse engineering. That would be very helpful
hello guys, I do reverse shell and I get an error: WARNING: Failed to daemonise. This is quite common and not fatal. No route to host (113) . Can someone help me ?
give more context....
What rev shell r u using
i use php reverse shell
i also get error on other platform like tryhackme
are you using a vpn
yes
What box are you using the rev shell on, and what is the php rev shell
three in tier 1 and pentestmonkey/php-reverse-shell
Currently doing the medium lab for Password Attacks. Have ssh access and found that there is a second user starting with d. Tried everything from the Linux Credential Hunting segment. Anyone open for a chat on how to proceed?
Never mind. I figured out my issue with rpivot. It helps to be in the correct directory. However, when I try running proxychains (yes, I configured it properly) the web page times out, so I'm not able to get the flag. I tried using the option of connecting via Web Server using HTTP-Proxy & NTLM Auth as mentioned in the section and I get a strange syntax error. Has anyone else run into this?
I'm looking it up now. Give me a minute
There should be a database that you can sign into with the credentials you already found. In that database will be the user name of d. You can DM me if you're still stuck.
Thanks! I will have a look
dm'ed you
hi all, hit a wall with:
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: AD Enumeration & Attacks - Skills Assessment Part I
Q:6 ||tpetty's|| cleartext password
I've tried Mimikatz and Lazagne (and impacket-secretsdump) both with admin privileges, I'm only getting a SHA and NTLM hash for ||tpetty||, no passwords at all, but I cannot crack that hash, I've tried multiple wordlists (rockyou as well).
Any idea / nudges on this?
Oracle TNS hack the box i need help cant get the password
./odat.py all -s 10.129.205.19
[+] Checking if target 10.129.205.19:1521 is well configured for a connection...
[-] Impossible to establish a TCP connection to 10.129.205.19:1521. This target is SKIPPED
hi everyone
i need help with active subdomain enumeration
i dont understand this room and i cant solve the questions
i tried looking up hints and nothing was helpful
footprinting What is the FQDN of the host where the last octet ends with "x.x.x.203"? I made a script that went through all the wordlist but didnt find any x.x.x.203 ip address what am I missing?
The answer
is there any module that explains this more?
was that aimed at me tcp?
You must DIG all domains
ok will try that out
DM me if you get stuck. Just finished it like 2 minutes ago
Subdomains of subdomains
What exactly is giving you an issue/confusing
Can anyone lend a nudge on command injection skills assessment? I'm leading out with || or %27%27, and I've tried b64 encoding and double url encoding, and using rev and all kinds of stuff and I've been stuck for a while
||Bypassing one of the operators won't return an error||
I've caught an error with everything I've tried it just says malicious request denied
One of them will work
Ok I'll just try harder
If you're still stuck, you can dm me
Hashes you've previously cracked are stored in hashcat.potfile
I'm running into an issue in the Port Forwarding with Windows Netsh section of the Pivoting, Tunneling and Port Forwarding module. I can't seem to get the RDP session to start using the provided username and password, even though I confirmed that the listener is running on the Windows pivot host. Has anyone else run into that?
Try adding the --show option
<@&861185840277487616>
Having handled
Thank you 👍 He posted the same message on all academy channels.
@warped cape Did you ever find the right answer to that last question in the Bloodhound module? I know how many users and how many have a path to GLOBAL ADMINISTRATOR, but the math doesn't seem to work out.
@fossil crescent Did you ever find the answer to my above query?
I mean, are you supposed to count service accounts, and the one duplicate "extension" account?
anyone know how i can get into the ssh server footprinting lab 1
ome/kali/FootPrint_LAB1/10.129.42.195:2121/key.txt' ceil@10.129.42.195
Load key "/home/kali/FootPrint_LAB1/10.129.42.195:2121/key.txt": error in libcrypto
ceil@10.129.42.195: Permission denied (publickey).
sup
Yes -- I have some notes stored away but feel free to dm if needed
whoever is doing the footprinting lab i figured it out
find the ssh keys on port 2121
its hidden with a firewall
hint:decoy method
use msfconsole to determine the password of the ftp user
download ssh keys
login with the ssh key
you will find flag .txt
you're welcome
Can someone help me with Login Brute Forcing - Skills Assessment - Website? dm me pls
Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)
It doesnt take this as answer
|| [Ctrl] + [B] + [Shift] + ["] ||
Good evening! Have you managed to unwind Advanced sqli:Common Character Bypasses:union-based SQL injection?('//union//select/**/$$1$$,$$2$$,$$3$$--)
If you need help, feel free to DM me
Hey people,
I have a question on MACOS FUNDAMENTALS -> https://academy.hackthebox.com/module/details/157
They say ( To complete this module, you must have access to a macOS machine ) but when I start the instance it's not MACOS, what can I do and how connect to MACOS?
@copper haven I had to finish the module without connecting to macos
"To complete this module, you must have access to a macOS machine"
Please Guys
How do i get HTTP headers, in JSON format ?
@summer lava use jq
Ok thank you
@copper haven You are welcome
thanks
Hey All, Just wondering if the Skill Assessment for "File Inclusion" is broken or breaks? I can read via LFI and write into the user-agent field. When I use a basic PHP webshell the log stops being written to and webshell commands don't work. Anyone else experience the same? Restarted the box multiple times
Look at the quotation marks.
You must use || single quotes.||
||With double quotes you break the log ||
hey guys...another one stuck on command injection skills assessment... i've managed to get this error message..can anyone give me any pointers at all?
never mind, got the flag.
Ok I'm on the command injection assessment I figured out what connection command bypasses the filter but now everything I put in after bypasses the filter, or I think it is, I just get the same output as if I had only searched for the file. I guess I'm just a little lost on where I'm going wrong I've tried different obfuscation methods and just writing the command to the server, its the same output
OMG! It was that all along...... @acoustic owl will you have my babies?? Thank you
can anyone help me with getting started "privilege esc " portion .
which question?
All I can recommend is:
- url encode
- watch out for spaces
- remember to modify some comm'and's
- Variables $PATH or $PWD can be your friends
Ok I guess my only question is am I just continuing to stab in the dark or are there indicators I'm not noticing bc as I said I've tried different things and I'm just getting the same results at least a failed attempt on the request would tell me something
hi please I want to know about this offer,
I can get all modules from tier 0 to tier 2 with it ?
to winsrv
any support for htb academic here ?
Yes, exactly. If you are a student and have a corresponding email, you can take advantage of this offer.
https://academy.hackthebox.com/faq
okay but what if my mail is not accepted ? do you know the list of accepted mails domains ?
thankss
hi all,
i try to complete the module File Upload Attacks but im stuck on the skill assessment section.
I guess we have to use an XXE on the image in the contact page but impossible to trigger anything.
i tried to fuzz black/white list extension but i always get a success and nothing happens...
I can't find what i'm missing out. If someone can help me it will be very appreciated.
Thanks all have a good day
[Ctrl] + [B] + [%]
this is also giving error
The Answer format: [key] + [key] + [key]
While I need 4 key according to the section?
yea
[Ctrl] + [B] + ["] this right ?
bro.. its crazy sometimes how forgetful I can be. using tmux this whole time but answering the question wrong -.-
Also for someone in future the format is
[key] + [key] + [key] + [key]
it happens
@foggy light So you mean the answer is the format
In the question it says
Answer format: [key] + [key] + [key]
But the true format is [key] + [key] + [key] + [key]
@foggy light Thanks
post it in #858470491676737536
i rich to fuzz and find .svg extension is allowed but if i tried to change the content type for image/svg+xml or/and remove the png type in the content i get an internal error 500
please no one can help me ?🙏
So I just finished Network Enumeration with Nmap
Here’s my fucking problem… why the labs have answers and no answers at the same time XD
Maybe I’m just dumb because I forgot to do the <target>/status.php but holy shit XD that was a lot.
Like one lab I had to use --script=dns-nsid… WHERE DOES THAT SAY THAT
I READ EVERYTHING AND STILL AINT FIND IT XD
Hello, i'm on starting point and i'm stuck in Tier 1 - Machine called Three. I'm stuck at the step Then, we can upload this PHP shell to the thetoppers.htb S3 bucket using the following command.
I managed to do all the actions, my cmd tells me that the file has been uploaded but I am left with a 404 Not Found
The requested URL was not found on this server.
Also, when you do this command aws --endpoint=http://s3.thetoppers.htb s3 ls s3://thetoppers.htb it returns 2 files (In walkthrough) while I see 15
Check out the walkthrough
That's what i do
I write it in my last message
AD Skills Assessment II 'get flag.txt on MS01 host as Admin'. I ran mimikatz, have hashes, successfully logged in with a password. what next?
Did you resolve this? Can I DM you? I have issues on this topic too
Someone can help me ?
When I type nc -nvlp 1337, my terminal returns listening on [any] 1337 instead of listening on 0.0.0.0:1337
@spare condor I still need help with it myself.
i Think it fails on the Success/FAIL string but im not sure
fy
@red current where are you stuck
@placid quest I'm actually at work right now. I'll try to message you back when I get off in about 4 hours if you're still available.
@red current no problem
Hello! I'm having trouble with the Linux Fundamentals System Information questions "What is the path to the htb-student's mail?" & "Which shell is specified for the htb-student user?" I thought the mail path would be "/var/mail/" and the shell is either "unprivileged" or "bash" but none of those are being accepted
So now I'm not sure if I'm understanding the questions correctly
Just a question regarding netcat, when connecting to a service and waiting for a reply is there any reason the response takes so long to come back? for example Firewall IDS/IPS Hard lab. when I test netcat on x port connection succeeds but response 200 takes 30 seconds to come back (using the HTB vnc web browser client no vpn)
I think you're not allowed to post this
<@&861185840277487616>
thanks
💀
I don't know if i can @mention, thanks ! I do it next time..
Anyone else having issues with spawned targets right now?
Module: Documentation & Reporting Practice Lab
can someone help with the assessment? not sure what im doing here. collected all the password I can and logged into rdp but none of them have domain admin level access
you can get DA creds in the first 5 minutes of doing the lab
just cause the partial pentest says the former guy did something, doesnt mean they were properly thorough
can i dm you?
sure
Hello everyone, I have a very big doubt regarding a topic: How to study hacking, more specifically the modules for CPTS etc? What should I focus on to understand and remember the material?
In my experience I read the module count and take notes, and I try to use flash cards, but I feel that I am not being very efficient and effective.
I want to hear your study techniques on how to study hacking better!
write good notes, dont skip out on practicing whats taught
not much more than that. everything else is just experience and aptitude
Can you be more specific about taking good notes ?
if you have a weak background thatll be difficult
not really, good notes vary from person to person
I did the junior penetration path on tryhackme
thats pretty much next to nothing
What in your opinion would be a good background ?
lot of experience with fundamentals, knowing Linux and windows pretty well, understanding of networking, some coding/scripting knowledge helpful as well
Can you show me one of your notes ?
no
Okay
Good evening, could anyone give me a hint on the Active Directory BloodHound -> Analyzing BloodHound Data question 3? Its " Find what attack the Enterprise Admins group can execute over the Domain object.". I can see what level of control they have, but I can't seem to figure out what the correct answer is.
Nevermind. Its a syntax thing. (- -)
anyone complete the Attacking Applications Connecting to Services yet? When I am running this command to set the break points its not really working like its shown in the module.
gdb-peda$ set disassembly-flavor intel
gdb-peda$ disas main
0x00000000000015fa <+420>: mov ecx,0xfffffffd
0x00000000000015ff <+425>: mov esi,0x0
0x0000000000001604 <+430>: mov rdi,rax
0x0000000000001607 <+433>: call 0x11b0 <SQLDriverConnect@plt>
0x000000000000160c <+438>: add rsp,0x10
0x0000000000001610 <+442>: mov WORD PTR [rbp-0x4b4],ax
gdb-peda$ b *0x11b0
Breakpoint 1 at 0x11b0
gdb-peda$ run
Starting program: /home/htb-student/octopus_checker
Warning:
Cannot insert breakpoint 1.
Cannot access memory at address 0x11b0
run it first
thanks that worked
np, that one irritated me as well.
have you done the exploiting web vulnerabilities in thick-client applications yet?
Yes.
ok, i need help with that one, let me finish this module real fast if you dont mind
Its pretty much a case of following the steps. You just need to modify a different Java file, and then copy that in instead of the ClientGUI. The modified code is detailed towards the end of the instructions.
They just don't provide the steps for importing it.
did you run wireshark from your kali box or from the Windows box?
Huh?
for the fat client one
You would run it on the Windows box. But you dont need to do that, because the notes in the folder detail the port
ok, thats where i gave up on that one, was because the wireshark wasn't working.
ok cool going to work it now
hey all, in Password Attack module, and Attacking SAM section, I copied the three hives from the target, and when I tried to dump the hashes using secretsdump.py, I receive this message, Can someone help?
I'd check the size of your .save files
all had the size of 64.0 KiB
that seems too small for a good transfer
them all being identical is also suspicious
I got it, Thanks all, I'll try another way to transfer them
Footprinting Lab - Hard
any hints i found all ports just don't know where to start from
snmpwalk -v2c -c public 10.129.202.20 i tried this,but no response from target. i enumerated what should be next step?
@pine dagger on the fat client one, I made the changes to the port, deleted the 1.RSA, 1.SF, and all of the hashes in manifest.mf, ran
jar -cmf .\META-INF\MANIFEST.MF ..\fatty-client-new.jar *
and still getting connection error
NEVERMIND....
I am a dumb dumb... realized it creates a new .jar in the directory outside of the one i am working in 🙂
Anything I can do to fix this? Need it for the MSSQL chapter in the footprinting module.
enumerate the snmp community strings may be a good start, not all time "public" would be the case!
Thanks I'll look I to it
onesixtyone -c '/home/kali/SecLists/Discovery/SNMP/snmp.txt' 10.129.2.14
Scanning 1 hosts, 3219 communities
10.129.2.14 [backup] Linux NIXHARD 5.4.0-90-generic #101-Ubuntu SMP Fri Oct 15 20:00:55 UTC 2021 x86_64
no luck with onesixtyone
any hint ?
@versed frost
Well, I can see that there is a community string you found in your message here, try using it with snmpwalk to find if there is any important info from the snmp service. Recall that the SNMP service on the target is actually version 1
anyone familiar with turing machines wanna dm me $$$
communities ?
can you dm me so I can explain it without spoiling it for others?
I'm working through the Windows Command Line Basics module, and are currently on scheduling tasks under cmd.txt
I've tried setting up the following on the target it gives me:
schtasks /create /sc minute /tn "Task" /tr "echo test > C:\Users\htb-student\Desktop\testing.txt"
however the task never runs, nor does it run if I manually do schtasks /run /tn "Task"
if I manually copy and paste the task command it works so i know the command is valid
does anyone have any ideas how to fix this?
after 10+ minutes there still isnt the testing.txt file
anybody here to help
Try:
schtasks /create /sc minute /mo 1 /tn "Task" /tr "echo test > C:\Users\htb-student\Desktop\testing.txt"?
nothing - even if i manually run it with schtasks /run /tn "Task"
it doesnt work if i do it on my local machine either
so its not just vm-centred
@pine dagger mind DMin me I am stuck on the Fat Client one trying to get it to create the file on my desktop right now
I'm literally heading to bed right now
ok no problem
Try writing the echo command to a batch file, and running the batch file instead. I think if you check task scheduler, you'll find that it will say something like "cannot find the specified resource". Most likely because "echo" isn't an executable that can be run outside of command prompt/powershell.
this module is a nightmare lol
sadly still didn't work - i ran the .bat file by its own to confirm its working itself and its working fine, its just not being ran through schtasks
I tested it and it worked fine.
How weird, all the same commands?
I guess I’ll just move on and know my notes are correct, just can’t test it out for whatever reason
I’m logging off for the night now anyway but I’ll play around tomorrow to see if I can debug it at all
You don’t have the /mo to identify how many minutes
Okay, that's really weird
out of my curiosity I just booted up a laptop of mine and its working perfectly fine?
the only difference is its running a older version of windows 10, instead of windows 11
thanks for all your help!
Hello not sure where I should ask this question so I’m typing it here
I am having issues trying to set up my kali Linux vm while connecting it to hack the box through the vpn
If anyone could help me out it would be much appreciated

Hi there!!
In the Attacking DNS section of the Attacking Common Services module, I am having troubles getting the flag as a DNS record. Using subbrute and the IP in the resolvers file, I have not yet been able to find a name server allowing me to find the flag when using dig axfr
this was unread
@foggy light can u help me with LFI
Nvm got it
Can anyone help me lfi final assessment, I got lfi but I'm not able to get an rce. I think I'm missing something.
can someone help me with Footprinting Lab - Medium i can't connect with the database despite have a right cred.
credential reuse, and try running as an administrator.
Thank you so much
Did anyone answer this? I have the same question. The instructions aren't very clear what state you want to find the address of the base pointer.
Got it. You're supposed to use the python input from the previous example. Wish they specified that, but if anyone has this issue, add the python input. I think it's not intuitive to do this, because the program segfaults on itself, and doesn't even provide input before it breaks. On my own, I would have used my input of AAAABBBB..., and would have been wrong. Maybe add what input will get the correct address on EBP after it faults.
Attacking Common Services Easy, I need help uploading my reverse shell. Have uploaded using ftp but not able to access it via the browser?
Nvm using sql I got it :)
Q) Enumerate the custom script that is running on the system and submit its output as the answer.
snmpwalk -v2c -c $IP 10.129.14.128, nothing seems like a custom script am i missing anything?
How did you find the right reverse shell?
I0m getting sql syntax error
I'm*
Revisit the sql section in the module, make sure u change the path to that of Windows, look in the config file of the web page to find the default location, this is where u save the shell. Make sure its a webshell, then u can run a command to get urself a Rev shell
g
AD Skills Assessment II 'get flag.txt on MS01 host as Admin'. I ran mimikatz, have hashes, logged in with a password as a m...svc user. what next?
Someone finish the Crackmapexec module ? I need help plz
can anyone guide me in knowledge check portion of "getting started" module .
I am stuck and not able to figure out how to upload the payload on GetSimple cms
have you checked if there is a module about the vulnerability you are poking within metasploit?
then search for blog posts of the vulnerability
usually, people explain how they go to X, Y and Z
okay thanks for responding @autumn pilot
Hello guys, I need a bit help in HTB Academy, in Network Enumeration with Nmap
But its not working
Any ideas why?
I am working on 'Active Directory Enumeration & Attacks' and cannot get some of the examples to work. How do I use the 'net' command. the 'accounts' option net accounts does not appear to be an option in net. I get the message:
PS /home/htb-student> net accounts
Invalid command: net accounts
Usage:
...
in the usage list accounts is not a valid option
net users?
i am really unclear what is it asking me to do. it gave me an ip for a linux machine for which to ssh to... then it asks for information on windows policies but i don't know what windows machine i am supposed to be looking at.
Questions
Answer the question(s) below to complete this Section and earn cubes!
Target: 10.129.155.176
Life Left: 79 minutes
SSH to 10.129.155.176 with user "htb-student" and password "HTB_@cademy_stdnt!"
+ 0 What is the default Minimum password length when a new domain is created? (One number)
so the net command i can get to is the linux one...
the linux based query command requires a windows computer to 'look at'
for what new domain?
Congo is better
attacking common services - DNS, I got the flag but for some reason says is wrong, no space at beginning or end, flag-format HTB{s3c3r3t}
Attacking Thick Client Applications Dumping the File to Memory.
in the Module it says "The specific map's size is 0000000000003000, and if we double-click on it, we will see the magic bytes MZ in the ASCII .." if i double click on the one with that size, the magic byte MZ is not there.
the only way i get that Magic Byte is on the "...401000" Address.
my problem now is no matter which of those i dump to memory and run strings on, neither gives me an output.
i only get "no matching files were found" when i use strings.
if someone could lend me a hand that would be greatly appreciated.
have you tried strings -el?
Possibly through the section there was a Window System which was used for examples.. try it out
and / or maybe you can scan the network on the tunX interface to find the ip address and try using Nmap or other tools to determine the system
in my experience, memory addresses/sizes aren't always going to be 1:1. there is another important step you're missing that is explained in the section. you should go off of that, not the memory address/size.
you're most likely supposed to use that Linux box as a jump host to the Windows box. but I could be mistaken🤷♂️
please remove that screenshot you're spoiling the lab.
1) Check for leading/trailing whitespaces.
2) If there is none, and you're sure you're copying/pasting right, you most likely found a flag for a previous/future question
Aight, deleted
Apparently the linux machine is not needed at all. not sure why it was there but it threw me off and made the questions very confusing.
And.. yea.. I will try to restart it, but not sure about that, there are no previous boxes
there are previous and future sections.. sometimes they use the same box for the entire module. what I mean is you found a flag, but not the flag
you maybe need the linux for jump host either you ssh to it or you can tunnel to it to be able to access the Windows Host
Ah, yea, you are right! I found flag that was answer to something different 😄 Thx for help!
okay. i guess you are talking about the ASCII Banner. Thats what i did. Just so i understand the instructions of the Module right: I Inspect the Addresses then double click on the Address check if its an executable then go back to the memory map right click on the single address and select "dump memory to file". Is that the right way?
you need to dump the correct memory address. you cannot just dump any memory address
yeah i figured that. I just wanted to make sure i understand the process. Thanks I'll tinker on. It cant be that hard to find the correct one 🙃
read the instructions.. it tells you which one to dump
yes ive read the instructions and i know what it tells me to dump. The problem is no matter if i dump the map with the file size 0000003000 or the one where i see the magic byte MZ, neither is giving me the correct output if i use strings, nor contains a .net executable.
i mean either im completely blind rn or i need to restart the instance. but ill take a short break. Thanks for your help
Hi, Im looking for help with the password attacks - pass the hash - final question. Please let me know if you can help and ill provide more details. Thanks ❤️
sure, dm me
How do people go about unlocking modules? I’m seeing some for 500-1000 cubes. Unless I’m dropping 100s of dollars how do I get access to these modules?
By winning either a CTF that HTB has sponsored or a giveaway
anyone who did AD enum&Attack skills assessment 1 ??
I am unable to Import the PowerView, I've had enough I need a psychologist....
just completed that one yesterday. feel free to dm me
Nah I have been stuck on the same part too- they have re-written this section multiple times recently, but seems like I still get messed up here everytime Edit* I did get it finally if you are still stuck DM
I'm using Pwnbox in the file transfer lab and am seeing the RDP is unstable. I've reset the target but continually get a dropped connection and can't work through the exercise. Any suggestions? Honestly I just need the quick answer and am happy to move on. I know what to do the machine is just unstable
sometimes I have had to reset boxes like 15 times to get the proper ports/results even after waiting multiple mins on each reset. I pretty much only use ovpn now as pwnbox kept messing up
ive reset the pwn box several times and the labs 😦
and am now getting incorrect password after trying rdesktop instead of remmina or xfree
So I am on the last question of the Active Subdomain Enumeration module and I feel like I am in the right place to get the answer for the, Submit the number of all "A" records from all zones as the answer. But it is coming back incorrect. I have used the dig AXFR inlanefreight.htb @rustic sageIP to bring up all A records. Am I missing something?
Do I need to do this for all of the zones that appear on this list? A little confusing probably haven't quite grasped it yet.
Hello everyone, I am a new member, it is nice to meet all of you and I hope to become friends with you.
@pulsar spade welcome to the club
I am from Ukraine now living in the United States, where are you from?
in Using the Metasploit Framework
Which version of Metasploit is free and can be used only through a CLI?
Can anyone give me a hint how to find which version?
they don't mean a version like v5 or v6.2. instead they're looking for the command you'll be using most of the time
exactly. do it for all zones, add up the A entries, that's your answer
Hi, Im looking for help with the password attacks - pass the hash - final question. Please let me know if you can help and ill provide more details. Thanks ❤️
someone can give me a hand with dns enumeration im a bit lost
oh thx! i get it now
So I ended up finding the answer. Using gobuster, still don't quite understand how I did it
nslookup was not giving me the output I wanted but I'm sure I'm just dumb lol
Tried using dig as well and it kept coming back connection refused on the other subdomains etc
I believe there was one where dig should work. The others indeed don't work because they aren't zones.
Working on the XSS module and having trouble with the Phishing section. Whenever I try to set up a listener - either netcat or PHP - it comes back complaining that 0.0.0.0:80 is already in use on my PwnBox instance. Any ideas?
Also tried using the tun0 address with port 80 and it too comes back that it's in use.
you can use a different port
Got it working, thank you.
@idle cargo where are you stuck
@idle cargo If you want some information about sql injection you can visit this web site https://portswigger.net/web-security
Anyone able to give me a hint for AD Enum & Attacks skill assessment part two? feel free to dm me, I'll share more details where I currently am
how can i learn to hack
Anybody has discount code for the prolabs?
how can i learn to hack
hello all I am about to finish the whole Bug Bounty Hunter path but a i have 2-3 sections/questions to finish, any help will appreciated 😉
Broken Authentication: Predictable Reset Token and Server-side Attacks: Nginx Reverse Proxy & AJP
I'm in the SOCKS5 Tunneling with Chisel section in Pivoting, Tunneling and Port Forwarding and I'm running into an issue with the final command. I've been able to get everything else to work and confirm that it's working up to this point. However, when I run the $ proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123 I get a failed to connect to 172.16.5.19. Has anyone else come across this? Everything up to this has connected and I'm getting the successfully completed messages and my listeners are running. Never mind. It helps to have your proxychains4.conf file properly configured!
geez the new attacking thick client applications exercise is madness....
my f8 key is worn out lol
Congrats for making it so far!
Hey all, in Password Attacks Module, Attacking Active Directory & NTDS.dit Section, when I got through the target and obtained the ntds.dit file, moved it to my machine, how can I dump the hashes of it? I solved the question with the cme method, however, I did not know how to get a valuable info out of this file. Though I tried secretsdump.py but it needs SYSTEM hive or bootkey which I don't have
thank you very much, all I have to do is finish the path
check out Password Attacks - Attacking NTDS
For attacking common services medium I have found the 2nd ftp server but unable to run an Nmap scan with ftp-* scripts to enum it further. What am I missing?
someone who completed footprinting please
Nvm had to restart vm and reset instance 3 times
Can I dm someone about skills assessment - medium lab in password attacks module?
DM me
Ok thanks
Sure, dm
can i dm someone about **Broken Authentication: Predictable Reset Token** (only question 1)
?
hi im having trouble doing ssh keys on the getting started module
did you try chmod 400 id_rsa ?
@sleek urchin i tried chmod 600 , i thought that was the lowest
600 is technically fine
as that just translates to rw-;---;--- access to the file
400 is r--;---;---
aka readonly
*tho if you have control of the file it will always be rw to you
i figured what i should do is cp the key file to user 2 then do ssh root@10.10.10.10 -i keyfile
or are root
@fathom pendant or am i missing something with the pubkeys
what error (if any) are you getting when you do it
pubkey won't do anything you need the private key
aka the id_rsa
you must use private key not the public one
hmmm ok
wait
nevermind
I found your error
you said root@10.10.10.10
is that the actual ip of the target?
10.10.10.10 is just example
Anyone able to help with Attacking Common Services Hard? Able to RDP with user f.. from there am trying to use sqlcmd with no luck
weird though i do it over and over all i get is hanging terminal
il try couple more times
reset docker etc..
anyone wanna do binexp/RE challenges w me
pls do point me in the right direction oh gracious discord mod
you should be very careful when copying the key, otherwise you will face such problem
@sleek urchin yeh thats what i did
😭
i just did ''' cp /root/.ssh/id_rsa .ssh/id_rsa '''
you're copying it to where though?
:)
if you don't copy it to YOUR machine how can you use it?
the reason it's hanging is because it's trying to ssh to itself
if you're user2@system and attempting to do this then yeah
that's why it's hanging
you use 'cat ' {somefile.txt} to view the contents of the file/text, then copy its contents to another file/text into your **machine/working space**
also that's not how you code block you use ` and ```
you can
@fathom pendant hmmm yeh thats the case im user2... so your saying i should copy it to user1 or directlly to my machine?
directly to your system
@fathom pendant ok i understand, thats just strange to me i can't just do it from user2
either by doing python -m http.server then on your system in a different terminal window wget http://ip/id_rsa
because of what ssh is
that's safer, i agree
ssh is a secure shell protocol to remote into a system... but you're already interacting with that system through ssh
meaning it's trying to call that protocol on itself while it's already in use
ssh is NOT meant to be a privilege escalation technique from within the shell
@fathom pendant i guess its just an ssh thing, cause ive done this lots with netcat
netcat is a different protocol/tool entirely
netcat is generally used with reverse shells
ssh is its own dedicated service
netcat reverse/bind shells are temporary they are not the same
Anyone 
@fathom pendant interesting thanks, i try the otherway then
@fathom pendant ohh now i remember the problem
i did this before
it keeps asking me for keyfile
sorry not keyfile password to login as root
on my system
yes because it didn't recognize the keyfile you're using as a privatekey
so it defaults to the next auth system
@fathom pendant ok i guess i need to get the exact file through wget
yes
the PRIVATE key is unique to that individual user
it cannot be YOUR private key
so now im trying to do wget problem is i can't because i have no access to user2
so im wondering how do i download a file i have no ssh access to because user 2 was only accomplished through lateral movement?
ssh user1; lateral to user2
start the http server as user2
you use wget from YOUR system
to the target IP
I keep getting an error trying to "Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer." ---- ──╼ [★]$ ssh2john.py id_rsa > hashes.txt
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
I thought this was exactly what I was supposed to be doing, am I doing something wrong here?
it's because base64.decodestring() is deprecated in python3, you'd need to install an older version of python (2.7) for it to work
or more accurately; the function was renamed/changed
You're a wizard
i ran into that issue too
the only other way would be to edit that line to the new call function in python 3.x
I forget what it is though
You taking CPTS ?
I'm doing the path yeah
How's progress?
had to take a break on progress life stuff happening
Sounds awesome, you're going to kill it 🙂
Anyone able to help with Attacking Common Services Hard? Able to RDP with user f.. from there am trying to use sqlcmd with no luck
Have also attempted sqsh from my kali VM with no success
AD Enumeration & Attacks - Skills Assessment Part I
Q3 Crack the account's password. Submit the cleartext value.
Hoping for a nudge. I've tried to upload PowerView but can't Import Module [Error - doesn't exist]. I can't get Rubeus to work and Mimikatz is hanging when I try to run it. any direction would be appreciated
SOLVED: || I used https://www.revshells.com/ to generate a PowerShell #3 (Base64) Reverse Shell and connected to my Kali netcat listener. This gave me a more stable shell than the webshell. From here I used PowerView that I had previously uploaded and it worked without issue. ||
anyone please ? because I am getting really frustrated and I'm gonna break something, hopefully not my skull
So enumerating over a box I managed to figure the username from a file... But I would have never thought about using the email as a password. I'm kinda afraid I should have known better?
Take a step away from the module for a bit and then come back to it after a break. If you're at this point of frustration just step back
honestly I want to finish the path as soon as i can because I have some big responsibility in the upcoming days, and I won't be free for more than week
plus I really want to see the full path complete
then you're rushing yourself and probably overlooking something simple. Take a break like an hour or two, let your mind reset and reapproach the question
thanks for the advice !
(Predictable Reset Token) I'd assume means that it's probably something simple in the section/module that you've overlooked
for now i will stick to your advice, and look at the task later
i forget if that one is mssql and not mysql ;) idk if that makes a difference...
I figured it out, I didn't even need to use a login
Because when u think abt it u are already windows authenticated when u RDP in
ive underestimated the difficulty level of the documentation and reporting lab
any1 had to crack a md5 joomla hash before struggling
Looking for help with pass the hash, been stuck on it for days, any help guidance would be massively helpful
which step
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer. Im struggling here. How do i search for the user bross
if you have answered the previous two questions, you can combine the answers into the command for the 3rd question
i cant find the user bross
what if you don't need that user, but something else
i got the ticket but im not able to secretdump the dc01 for credentials/ntlm hashes
Submit this hash as your answer.
yeah i know but i cant find the hash of said user bross
my bad, was looking at the wrong exercise
so, basically what I did is to use some of the "ACL Abuse Tactics", and then since I already control a users password I can simply dump hashes and grep for the username, since there are quite the number of users in the environment
This doesn't work for me...it then complains that it can't get the certificate from the server...
i didnt do it like that but thanks anyway as always
Hi all
I am working on password attack hard lab and I am stuck at cracking the ||encrypted VHD file||. Can I dm anyone?
I don't know what I am supposed to do with this file at all, cracking was the first thing that came to mind after playing with it but still don't know.
@autumn pilot you saved my life
I just noticed that john has it
thanks mate
One more sanity check @autumn pilot
Is the file supposed to be corrupted or my file was corrupted somewhere between transfers?
it could be between transfer
Right, cause the file command has thrown errors
The file is rather big, which affects the transfer, e.g. it might not transfer the whole file but a portion which won't work
I will work around it
ZUP HUD working unstable. Any similar experiences?
anyone around who has done the Thick Client Web Vuln assessment? I've managed to download fatty-server but it isnt running. I can extract contents and all looks ok, but would be good to discuss with someone who has done it
guys if i subscribe in the Platinum Subscription do i get tier 2 modules or just the cubes ?
can u help me 1 sec?
cannot find 1 answer in the SNMP part in Footprinting
i found the flag and the dev mail
ive shut down my vm sorry mate, time for bed, if no one has helped you by tomorrow my time i will have a look
but the version idk why is the wrong answer
k
bruh now idk why was wrong
i must have been using a space or something
been there many times
stuck at medium passwd attack i got user jason and ssh into him but i cant seem to find out where to go from there
I been working on password attack hard lab for a few hours now, ||I finally managed to mount the disk only to find out there is nothing inside||. I need to dm someone about this, is anyone available?
||look back at the document maybe there is a hint to move forward :)||
||did you mount it properly?|| did you use the proper credentials?
let me know if that's correct so I delete it
Can someone please help me with Module: Web Attacks. Section: Bypassing Encoded References?
yes that's right you can delete it. let me look into this article you used
do you have a Windows host? I have in my notes that I mounted to a Windows VM
no 😦 I even used a cli tool called guestfish that is standard across linux environments
I am so close to admin
I'm not online yet so I cannot try to replicate on linux, if possible get a Windows VM and try mounting it from there
ty, I will probably look for other linux based solutions around here
I am seriously struggling with and feeling like I am burning out with Attacking common services - easy. Anyone care to toss me a lifeline in DMs?
btw @rustic sage, does the file system show corrupted to you?
i am working on Active Directory Enumeration & Attacks : Kerberoasting - from Linux and when i try to run the example command GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend it requires a password which i can not find given to me. is this something i am supposed to get by other means or did i miss it in the text of the lesson?
that module was so long ago I honestly can't remember.
no worries, I have left it out for now, I will do it later
write down every username:password credential pair they give you.. the module will move on in future sections and only give the username and assume you know the password.
good days .. i have a problem
'Exploiting Web Vulnerabilities in Thick-Client Applications'
After I edit the xml file and manifest I compile the app again but it gives me error at startup, anyone for nudges?
ok thanks
you'll need to give more info on where you're stuck without spoiling the lab
ok sorry but I didn't mess up the lab because the lab tells it what to do step by step, but unfortunately recompiling and running it gives me error
I'm stuck 😦
I've already done the three assessments as well
I don't believe you need to edit the XML file unless the instructions have since changed..
in the instructions it says exactly how to change it, but I don't want to do spoilers
nothing much just a different tcp port
english only read #rules
it looks like they've updated the lab and I've not completed the updated version so I won't be able to help you
in the dns enumeration with python module i tried running the script and none of my imports are recognized but when i do pip install dnspython it says its already satisfied. Im cornfused as to what im missing
It’s way way complicated sometimes, Especially on a mobile phone. I understand what are you trying to do though
im stuck in the last question of SMB that says "What is the full system path of that specific share?"
I found the path, but it doesn't say correct. Somebody mentioned this question has a format issue with the answer. can somebody help?
anyone complete the Exploiting Web Vulnerabilities in Thick-Client Applications yet, i have been stuck on this for days
which module, which section?
footprinting module SMB section
oh boy, finally getting to the AD modules, feel like they are going to put up a fight
Remember the differences between Linux and Windows ;)
thanks, got it
<@&861185840277487616> ^
thanks
you should mention where you're stuck.. it's a heavy section with a lot of steps. narrowing down where you're stuck will allow us to better understand where you're stuck and how to help you
I am getting an error trying to make the .jar file to my desktop
that's still pretty open-ended... you mentioned desktop? are you talking about obtaining fatty-server.jar? or are you having trouble recompiling fatty-client.jar?
WHAT IS fatty-client.jar
someone who completed the module footprinting can help me with oracle?
right now I am at the part where you edit the code and rebuild the jar
where are you stuck?
WHAT IS fatty-client.jar
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
they changed this module a bit since I did it so I can try to assist but no promises😅 do the errors point to anything interesting when trying to recompile?
not that i can see 😦
It is a java executable that's part of an academy module
can you send me this
dm me
you can dm me with a screenshot and we can try to diagnose the issue.. like I said though I haven't had a chance to do the updated section sooo
ok thanks
how long should Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} take to run... i have been waiting more than a few minutes for it to return ...
I believe this one takes some time.. what section and module?
what apps do I need to start hacking
depend if u start from zero in IT or not
ik a little python
so from zero
i would go to tryhackme first and complete all the paths there
then move to hackthebox academy and app.hackthebox when u are done
ok i joined
acl enumeration in AD attacks. it still has not come back i am thinking it is broken i guess i should try to reset?
if you're doing the last question then yes this takes time... from what I've read in this Discord's past messages most people just guess
interesting ok thanks
i am actually trying to do the second to last question is there a faster way to acquire the ActiveDirectoryRights that the user forend has over the user dpayne i thought that one command was going to spam out the answer to both and my task was digging through the output. i dont really see an alternative given ... the bloodhound solution seems equally long-returning
I'm on the first box for Attacking Enterprise Networks and noticed some services seem to be failing, after getting a shell I saw this:
df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv 14G 14G 0 100% /
That's not intended right?
i modified the foreach command into something that returned
is there any way to get ipmi credentials without using msfconsole
if it's related to an academy module just ask; if it's about an account being hacked and looking for someone to help with that - please read the #rules
wait a sec i will send what's my problem
Module: attacking web applications with ffuf
Skills Assessment last question.
Could someone please help me with the wordlist selection to get the value of the parameter?
You can DM me too
@rustic sage Were you able to find the parameters?
If you did there should be a wordlist in the SecList try them
@native comet I think your comment was meant for me. I've tried MANY lists in there. None are returning any results
i am trying to send a msg it is not showing up on my screen and when i tried to send it again i got a warning about duplication. is this normal?
bru i dmed 8
u
can someone answer some questions about secretsdump.py getting a reset by peer issue for the dsync module
Use mimikatz
the mimikatz example from the module does not work on the administrator account as it is suggested it should i get the following error ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439) when i google this error i get limited information .. from what i gather user being used is not privileged enough to execute... i am still just trying to follow the examples given on the page did i miss a step?
I'm fairly sure I did it using secretsdump.py. have you tried that again?
thanks secretsdump eventually did complete and i was able to pull the NTLM from it. the answer wanted the format given by mimikatz so i am pretty sure i was supposed to use that ( i had to remove the 'extra' bits of the hash from the secretsdump.py).. i never did figure out how to get mimikatz to work.
I ran cmd as admin and it worked for me
@vital adder Are you available by chance? I see you helped a few people on a question that i am currently on. XSS Phishing
need help with public keys
?
If you still need help with XSS, send me a DM
i ran it as admin and non-admin from a powershell and it never works: i always get this message ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
sure drop me a dm with some details
does someone here know lua?
what is that?
A guide on asking better questions on the internet
instead of looking for someone who know lua
as well as channels you should read as I strongly suspect your question has nothing to do with modules channel
The attacks used to generate the example files used in this section will be covered in a wireless attacks module in HTB Academy.🤔 🤔
sorry can i ask u again
Hey ! Can someone give me a hint about the XSS Skill Assessment (or at least, confirming me that I do wrong) pls ? ^^
It's about choosing the good payload cause I tried a lot but nothing looks promising
Where exactly are you getting stuck?
Getting a request back at my webserver ^^'
I found the vulnerable form, tried a lot of payload, my webserver is OK and the scripts are too (tested them with another window), but I can't seem to find a working payload to get a request to my webserver since my PHP webserv show nothing
Send me your payload via dm, then I'll take a look at it
Can I DM ?
sure
anyone that have done Exploiting Web Vulnerabilities in Thick-Client Applications? im stuck on the very last part and need help
Anyone here that finished the footprinting easy lab and did not use the hint? I want to see how you got the credentials... I used a method that was not discussed in the modules yet, so I want to know if there is any other way that I missed. Dm's are open. (I got the flag)
I have sent you a DM
what?
how did u get it without the hint?
can u dm please. I completed it but with the hint
someone pls 🥲
Can someone please help me with Module: Web Attacks. Section: Bypassing Encoded References. Can someone please dm me?
can i dm someone about the file inclusion (LFI) assessment
Trying to poison the panel.
dm
Hello, I got the answer for the skills assessment for the module Web Service & API Attacks by using SOAPAction spoofing, not SQLi as instructed. I'd really like to know how to do it using SQLi if anyone solved it using that method
I need help with root on Busqueda
Hey guys, I’m at password attack hard lab skill assessment. I’ve tried the mut and normal password file to attack Johannas password, with crackmapexec, hydra and crowbar, but there seems to be something wrong, any clue to go further?
I have question:
When I use kerberos on a linux system, why do I need to append the realm after each username? E.g.
carlos@inlanefreight.htb
or svc_workstations@inlanefreight.htb ?
ok haha
I am currently on the password attacks module (PtT from Linux) I am stuck on the optional exercises.
I don't know how I can figure out the ip of the DC01 to add it to the hosts file. Everything else is working just that one piece missing
I installed proxychains. Configured it. I downloaded chisel and started it. I used the correct ccname file export. I edit the hosts file for ms01 but don't know what to add for dc01. I also installed the kerberos authentication package and configured it. At last I started chisel on ms01
I might have figured it out though it was a bit of a hacky solution imo
Working on x86 buffer overflow for linux. I sent my exploit through gdb, but there's a bunch of 0xc2 or what I believe are RET instructions between each NOP. I'm unsure why this is happening. And the rest of my shellcode isn't appearing next to my NOP slide. Any resources would be appreciated. Thanks
Hi folks
I am stuck at "attacking sql databases" from attacking common services module.
||I have tried everything mentioned on the module including dumping databases, impersonation, file load, command execution. Nothing works||, any help will be highly appreciated.
yes I think so
I think the ports are wrong. Try out the ports given in the Linux Pass The Ticket section of the module
this might fix it
also did you setup your hosts file ?
Hello, I am trying to pass one of the initial htb machines, and I am using john but it tells me no such file or directory, and I did it as the guide, any help pls?
dm me
Would doing the CRT path prepare me for OSCP?
who knows maybe you should ask that in a relevant channel
Ok
hi,
I think there is some issue with LFI module. Its giving me errors
and sometimes its giving 500 sc
500 SC
reset twice
that's pretty normal if your payload is bad
@quartz quest change the apache2 to nginx
Hey everyone, I need a bit of direction with footprinting lab medium if anyone could help? ||I have found a nfs share which I mounted and got alex creds, then found what appears to be creds in smb share devshare for user sa. I have tried to use both creds to remote connect to the machine but its not going anywhere. When I have tried using xfreerdp on the pwnbox it is giving an error of DISPLAY not being set properly. I found on the internet that this env variable should be set to host:0.0 but im still getting the error. Does anyone know if this is the correct setting for x11 DISPLAY env variable on the in-browser pwnbox? || Thanks in advance.
Hey
Do you still need help?
I do yes, I have also tried to connect to it with a kali vm but it hasn't worked either on rdp?
Let me check my notes real quick...
try using remmina for RDP; but also think about what types of accounts are on Windows Systems and what "sa" could stand for
Yeah this was my issue, literally using 'sa' lol, I have completed the lab now thanks
glad you were able to solve it :)
someone can help me with this error
Please check that the $DISPLAY environment variable is properly set.
when i try to use xfreerdp
im stuck on ad skill assesment 2 first question how do i get the hash or user ? i just need a tip from there im good
look back at the earlier sections of that module and you’ll have your answer. I don’t know good to give a hint for that
only thing to help is by just making sure your vm is updated
but like where im lost
Does anyone know how to get the FQDN of the host where the last octet ends with "x.x.x.203" DNS question on htb academy.
I've used the axfr zone transfer internal and also brute forced using the fierce list, but nothing
hello
you need to find all the zones
I don't think I can really say anything else without giving you the answer.. look back at the earlier sections and the techniques taught.
dnsenum
and try different wordlists
can you support me with:
module: Password attacks
section: Protected files
i registered under kira, found id_rsa, but... this is a stupid question.. i can't figure out how to work with this file, because john is not on kira, the locate command gives a warning 8 days error, and ssh2john.py just won't run
i tried to transfer rs_id via ssh, i tried to transfer ssh2john from my machine, but i always get permission denied
what do you mean by it won't run
ssh2john.py: command not found
maybe you should install it 🙂
subdomains of subdomains
ssh2john needs python2.7 it doesn't work with python 3
when I tried to do something i got "kira is not in the sudoers file"
why don't you transfer the file to your system to work with it
why not through something like python -m http.server or along those lines
I would definitely go over file transfer module before continuing
because this module requires a lot of back and forth
@thorn shale download the file to your attacking machine
I understand it but I cant 😄
@thorn shale use pwncat-cs
hi, in HTB academy, MASS IDOR Enumeration. I put some echo commands in the second for loop but those echo commands dont get executed. doesnt the second for loop get executed?
dm if someone need help
that works, i got id_rsa on my AM
forgot about pwncat, thanks !
@thorn shale no problem
Dear, It is there. Use the FETCH command. As per the question, this must be in the body of the email.
Hi everyone, on https://academy.hackthebox.com/module/113/section/2139 (ATTACKING COMMON APPLICATIONS - Attacking Thick Client Applications) I have done everything and found the password, but it doesn't work to validate the question
Hi everyone, do you have any hints for the last question for the POP3/IMAP module?
Be mindful when you reply to comments about the timestamp they were posted
What's the question ?
Hey, Sorry, I did that a month ago lol.
Has anyone done the TE.TE section in HTTP attacks? I'm having trouble. I can't even get a 405. I've tried all of the payloads mentioned in the section (spaces, vertical, horizontal tabs) as well as the payloads from payloadallthethings. Nothing
Thanks Marcie 🙂
You'd be surprised how much that actually happens
Yeah, I mean... with how quickly this chat fills up if you have to scroll back that far over 2 weeks they've definitely figured it out
||Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})||
Not sure how you're confused, the module explains how to connect to the IMAP server
I actually already logged into the server with the credentials of a minimal account (the one beginning with "r"). I am not sure if I understand the question correctly because I think it is related to the previous question where I found the admin's email
