#modules
o7 Peepz, I'm having trouble on Skills Assessment 2 of Attacking Common Apps:
When dealing with Nagios
I'm having trouble fingerprinting it for a version, and as far as exploitation goes many of the exploits require auth... so I've been reduced to brute-forcing and hoping for creds, which is most likely the incorrect path to take.
Overall I'm stuck and need a nudge
lol
And you've tried everything from the module?
In what regard?
I meant regarding your issue, you've tried all things taught to you
Nagios is only mentioned once and that's in honorable mentions
I believe so
Been at it for about 3 hours and ran out of ideas
so I'm here looking for help
And you're sure that's the way to go?
There's no other app, service, or plugin running that might be more vulnerable
yes, the question is: What is the admin password to access this application?
Note* I haven't done this module, just making sure you've exhausted all options
Ah @.@
Up to and including just checking default passwords
Checking the source code if it's a webpage
I feel you... and appreciate your reminders. But I'm at the point in an issue where I've tried the fundamental acts of enumerating and have run into a mental block pertaining to the current and specific question.
To restate:
I'm having trouble fingerprinting it for a version, and as far as exploitation goes many of the exploits require auth... so I've been reduced to brute-forcing and hoping for creds, which is most likely the incorrect path to take.
Query to the community of those doing or who have done Attacking Common Applications - Skills Assessment:
How did you get the pass? Was it just brute-forcing or am I missing some other detail?
Also the other reason for my poking was to kinda get others to see that you had in fact tried everything you can think of
About? If it's doc and reporting. No lol I haven't touched it
You're on skills assessment 2? How far have you gotten on it?
They're trying nagios
I've sequentially answered questions 1-4
stuck on 5
ah ok so you're looking for the password for admin then?
you don't need to brute force it. Poke around the gitlab repos/projects etc
you know I saw that, and went back... but I'll look again
thx @fathom pendant & @tidal mango
yea
still trying to dump NTLM hashes of other users in the network
i have domain admin
what part are you on?
the lab
which question?
After achieving Domain Admin, submit the NTLM hash of the KRBTGT account.
ok so you have the service account from Q1 correct?
yea
and question 3 and 4
What if any tool did you use to verify the access with that account?
I cannot upload any tool
Try more with that
but you have its creds, correct?
you can use CME to dump hashes of other accounts, check the flags you can use with it.
which am I supposed to use?
might be worth double checking your AD notes
there are some Impacket script options you could use if you didn't want to use CME
Proper documentation is paramount during any engagement. The end goal of a technical assessment is the report deliverable which will often be presented to a broad audience within the target organization. We must take detailed notes and be very organized in our documentation, which will help us in the event of an incident during the assessment. T...
finally bruh
Nice, I know that feels good to be done with!
all fundamentals and easy modules completed and 5 of medium
For hard password attack module, how do I transfer the Backup to my kali machine
Look at impacket - File Transfers Module
Can't find it, am I blind?
impacket-smbserver
Then how do I use the smb connection I have to upload the files
Review the File Transfers module. Read "Create the SMB Server with a Username and Password"
I'm there but I still need to call cmds from the Windows machine. Can I run these through my SMB?
You need to set up a shared folder on the Windows box.
The one I rdp into?
That's the Windows box, right?
Whatever you want to use.
Use that to access the .vhd and then transfer to my kali?
Set up a share on the Windows box.
What question in the module is this?
ok
So you're saying transfer smbserver to the Windows box, run that to get the file
What does "Create the SMB Server with a Username and Password" say to do?
I don't have the backup on my windows box
Did you set up the shared folder on the Windows box?
Yes I mounted it on the Windows box
What letter was assigned to it?
Drop the file in this folder. Check Kali (where you ran the impacket-smbserver command) to make sure it's transferring
I can't access the file as it's in David's documents
It's asking for admin pass
I have his password
Not admin
I'm doing this box right now, stuck in a different part though. But I can give you a hand
now that you have David's creds, enumerate SMB again with the new creds
let me know if that's enough of a hint
I found the backup
then you should be able to connect to it via smbclient and "get" it
Get gives me an error
it's like a 30sec download, so don't end it too soon
Yea parallel read timeout
If SMB gives you too much error, you can try other file transfer methods.
You could try setting up an upload server with python on your attack host.
and use PS modules or Python (if python is available on the machine) to upload it.
Upload an upload server to the victim?
could someone help me with the "password attack hard lab". I have the vhd on my machine. I have cracked the password. I have tried mounting it via guestmount (ippsec video). No luck. I have tried just moving it to the victim Windows machine and opening it there, no luck.
Check, file transfer with code (iirc) in the file transfer module.
https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 Try this
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
thanks, looking
X.x
You got this
I'm so confused
How do I run code when all I have access to is the smb and no admin priv
I have RDP as another user but it asks me to login as Admin to access
Just a minute, let me point you to the module.
https://academy.hackthebox.com/module/24/section/160 Check powershell web upload section -> this one tells you how to do it with PS Cmdlets
Hello guys, can someone help me with how to start with HTB?
So you're saying use the smb impacketserver on the Windows machine to mount David's share, then access that via my Kali and download it that way? @misty current
Maybe, I haven't gotten the full context yet.
Can you give me a short run to where you are right now?
Ok so
I have RDP access to a Windows machine with one user and I have another user's creds to access their SMB (trying to download from the SMB but timeout errors)
Cuz, the method I'm suggesting assumed that you have direct access to the .vhd file in whichever user that has access to it.
Ah, I remember doing this with direct access to the user. I don't remember exactly how I did it. Let me review this module real quick.
did you try smbmap with David's creds? and then download from there
Yep
Yep both
stupid thought. but disconnect your RDP connection and try?
Hmm I tried smbget and it said permission denied using David's creds?
Closed my RDP, I'll try smbclient
I could be missing a step?
Can you tell me which user you're currently using to take the RDP session?
Johanna, I tried David but it won't work
DM me your creds for David and I can confirm or deny
so he definitely has the correct creds for david
Yup, he wouldn't have been able to see the .vhd otherwise.
true... it's late
So @heady geyser you just smbclient in and download it?
I did, one sec
Yea
sucks
well, I'm going to bed. If you have any luck in mounting the vhd, please shoot me a DM
my brain is fried
Allg gn
Nice, I just found how I did it. I used the runas command to open a shell in context of the david user.
You should have been able to if you followed the blog I sent.
Yup
Let me try that
Sure.
I don't think they teach you that in the module, so it doesn't come to your mind.
Once I got that shell, I used the file transfer methods which I mentioned.
That being run the smb server on the windows host?
Omg I think I got it
You don't depend on SMB in that technique. Everything happens in HTTP.
I am doing a skill assessment against a dual-homed target web-win01, I have a shell with system privileges. It seems that the machine has a different routing table, default route is the internal network. Reverse shells, downloading tools via HTTP like in the content is not working. Is this a problem with the machine or is this on purpose? Thanks
which module is that?
hi
Hi everyone
I'm stuck on DNS Footprinting with the question "What is the FQDN of the host where the last octet ends with "x.x.x.203".
What i have found so far:
Running ||dig axfr inlanefreight.htb @10.129.33.77|| I got a few subdomains ||app. dev. internal.||
I tried getting more with axfr on those subdomains but without success. Now I am trying to bruteforce it like this:
||dnsenum --dnsserver 10.129.33.77 --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt internal.inlanefreight.htb||
But I do get an error saying ||internal.inlanefreight.htb NS record query failed: REFUSED||
Thanks for any help!
Why do you want to bruteforce a zone that allows zonetransfer?
When I try ||dig axfr internal.inlanefreight.htb @10.129.33.77|| I get a timed out error
In the PwnBox or in your VM?
In my VM. I just tried it a few more times and now I got a result. Still no .203 though...
So there must be another zone
You mean even deeper or is it not in ||.internal||?
Have a look at the other subdomains in the main zone.
Which of them could be a separate zone?
Which one would make sense to manage independently?
I checked them all, only ||internal|| allows for a zone transfer to see more subdomains.
Remember that you can configure a zone so that it does not allow a zone transfer from everyone
Ah, I am once again losing my mind, as I encounter ANOTHER DNS subdomain enumeration module (Attacking common services, DNS) and for the love of whatever is holy, why is no shorter wordlist provided?
Can someone please guide me with module/116/section/1512?
I am using subbrute.py as suggested, and using the provided names.txt (as suggested in another comment in this channel) and running it against inlanefreight.htb and the resolver.txt contains (only) the IP of the spawned dns server.
gobuster finds around ||5 subdomains||, one less than mentioned earlier
subbrute takes forever and doesn't return something useful
what I also did so far: tried A and TXT lookup for the subdomains found by gobuster, tried subdomain enum for those found subdomains against the names.txt from subbrute repository and I also reset the target once
Are you digging for the right subdomain
Bottom of my notes for this section say reset box 10 times to make subdomain work
For some reason I've written it in bold, caps and underlined...
Must have been frustrated myself
If you screen me what you have so far I'll nudge along
Hi, I got a gift card and used it in my account. I want to buy the student pack but it doesn't let me buy it with my account money. Now can I use that money only to purchase cubes?
reach out to support
I just got HTB VIP+ subscription for a month and I want to make the most out of it. Is there any suggestions? I've not done anything on HTB before. I have done THM some years ago. Also if this is not the right thread to post, please let me know
Are there any roadmaps or certain boxes to do, like learning paths?
You can use this feature as a reference - https://academy.hackthebox.com/academy-lab-relations
is this a hacking server?
Wow this is so cool. It will definitely help me a lot, cheers x!
I wouldn't say so. It's an educational server
Does anyone know if it's possible to hack through a vc? Cause I think I just got hacked like that
the creds for the win host for 'Living off the land' aren't working...wondering if anyone else is experiencing the same issue?
Do you have any resource like this which will help me explore more of the HTB platform?
I would really appreciate
Hack The Box Help Center
Thank you boss
is it possible to specify which user to dump when attacking ntds via CME?
probably you have tried with grep?
Working on Footprinting Lab - Medium. When I try to login into MS SQL Management Studio I get this error. It seems to take the password. I tried to restart the server and same error.
Perhaps that user can't connect. Maybe a higher privilege user can.
Active Directory Skills Assessment Part I
The machine is also behaving strange, RDP only gives a command prompt
Can you not search "PowerShell"?
what user do you try to connect with?
I was just clicking on the MS SQL Studio icon on desktop and putting in the password and got error. So I just right click on SQL icon and run as administrator then type in the password. It now connects.
MarcieLee was right, higher privs needed to run the app.
run as admin, a classic for sql management studio
Got the flag. Thanks for the hint about higher privs. @fathom pendant
Np, if you want a sanity hint: you can just run sql*** with no arguments passed to it and connect to the server. I tried passing arguments. It didn't like that
Can someone nudge me on the Password Attacks medium lab? I am not sure how to move to the other user or root from this point.
cracked any files?
It requires bouncing back and forth. Do you have j* or d* users?
Also history is a fantastic subject to study at times
yes, I am on the box as the J user. I ran a few tools looking for passwords and other useful info, but nothing yet. I assume I have to move to the D user before root.
Correct
the only history files I can read are my own
Check documentation for how you obtained j* creds, they have some interesting information about certain services that should be running
That may contain creds
I literally just checked my notes for it :) and that's what I noted
Hi, I'm currently learning the Containerization section in the Linux Fundamentals module and I'm trying to do docker run. Is this the right output?
Is docker running? @near hinge
No unfortunately, but why?
wait
:) if docker isn't running xD
Then output is incorrect
If docker is running > correct
Is this running?
ps aux | grep docker
Is this running?
I was able to get root on the Password Attacks medium box, but I have some questions surrounding how it was done. Mind if I DM someone who understands it?
I can try to answer your questions
PayloadBunny based 
feel free to dm me if you want. I can take a look
I am stuck on the last question of Password Attacks - Pass the Ticket from Linux: "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
I am struggling to find the kerberos ticket I need, and I know it is not in the /tmp folder.
I have tried running "find" and not getting any other results either
Hello everyone, I'm new here
"curl: (67) Select failed" Can I get some help on footprinting IMAP/POP3? Stuck on the flag for "Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})"
krb5? Klist ?
@ripe cosmos
Yeah right
Just connect using telnet or openssl if the secure imaps/pop3s is running
The section talks about how to connect using either
Doing Pivoting, Tunneling, and Port Forwarding: SocksOverRDP and got this error, any help >
Are you transferring over the 64bit or 32bit exe
Also your screenshot includes one of the flags
I downloaded * SocksOverRDP-ARM64.ZIP *
That doesn't sound like the right one
good morning, can someone give me a nudge here, I am still having trouble with this question: What is the FQDN of the host where the last octet ends with "x.x.x.203"? Here are some of the wordlists I have run. dnsenum --dnsserver 10.129.60.96 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --threads 90 mail1.inlanefreight.htb
dnsenum --dnsserver 10.129.60.96 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-Jhaddix.txt --90 threads dev.inlanefreight.htb
dnsenum --dnsserver 10.129.60.96 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt --90 threads dev.inlanefreight.htb
You shouldn't need to specify threads
If you're using too many threads it could timeout and break connections
Because one of these (not spoiling which) looks like it's using the right wordlist and subdomain
okay, I think I know which one...
okay thanks, I'll give it a go
I'm just looking at your message
You go from /opt/useful/SecLists to /usr/share/SecLists in the next attempt
It also helps to have those files in those places
okay I appreciate the input, going to go ahead and try running it. Oh and by files in those places what do you mean exactly?? Like downloaded?? That syntax /opt/useful/ or /usr/share/ are file lists?
I'm just stating you are going different filepaths
OH!
Also iirc SecLists should be capitalized like that unless it was saved lowercased
While doing the wordlist filepath, are you doing tab completion to make sure it exists
No I just assumed it all existed lol Now I am going to check
:) don't assume, always check
ATTACKING COMMON APPLICATIONS -> Attacking Tomcat
Can someone tell me what folder the flag is in? Find isn't working and I don't have the patience to manually browse through every folder on the box
If find isn't working, then your syntax is incorrect
Hi!
I also stopped at this task, who should have done it in the end?
I do the same thing, I can't do it, but I use other lists
thanks payload will try that
The right list is quite ferocious
Can someone rewrite this command for a webshell?
find / -name tomcat_flag.txt 2>/dev/null
I thought this would work, but apparently not
find%20/%20-name%20tomcat_flag.txt%202%3E/dev/null
I have only now seen, you have already tried the right list
But I don't understand, is this list located in the Seclists folder?
Yes it's in one of the SecLists folders, since it's attacking DNS, check the DNS ones
Try copying to your machine
the jq tool is good for this.
echo 'whatever you want to encode' | jq -sRr @uri
Thanks for another way to do it. Unfortunately it doesn't work, so my guess is that the find command isn't working through a web shell for whatever reason
It looks like a bunch of other users reported the same issue. I'll try another way to get RCE
Don't forget that the file is a zip
Ok so if I have tried the right list then why am I not seeing the desired FQDN? Is it a problem with the IP I am using or the zone I am trying to brute??
Send me your command per DM
okay
You need to unzip the file to see the contents, also note that you get permission denied when you try to download it
Still working on :What is the FQDN of the host where the last octet ends with "x.x.x.203"?
in DNS enumeration. I believe the answer is in the zone transfer for internal, but I see no subdomains with .203. I tried performing axfr for all other subdomains gotten from dnsenum with no luck.
any more hints I can get? I feel like I am right on the cusp of getting it
no it is not in internal
So there must be another zone
I should write a DNS module. So many people have problems with DNS
Yeah I have seen you answer this question in forums too. DNS really is a discombobulator sometimes which is funny because the concept is simple, but Darn does it discombobulate
I use the command dnsenum --dns server 10.129.51.189 --enum -p 0 -0 subdomains.txt -f /home/name/ubdomains-top1million-110000.txt --streams 90 dev.inlanefreight.htb
What is my mistake?
What exactly is so confusing about DNS?
DNS is actually like a phone book. Distributed over various servers
Wrong List
and I think we have messed up the academy
shubs-subdomains.txt?
Try the smallest list. Then if you find nothing, take the next bigger list
I have reached the final step to connect to the Windows server at 172.16.6.155, but I got this error, any help?
and mstsc.exe doesn't seem to be appearing on Proxifier
Phew! I thought maybe it was just me having issues.
everything is taking forever now. yup academy goes down right when I am having a breakthrough
SOLVED!!
What module is that?
@surreal rain you got to come check the penthouse out bro
No more selling dbs
Wtf wrong with you
Did you figure out what you missed? Wrong host address?
Is the user Kira able to sudo into root?
Like is Kira in the sudoers?
maybe ftp?
alright, having issues with the sql operators question in module SQL Injection Fundamentals.
I've got the query working with select count, from, where, >, and title called out. I keep getting the same number of rows.
Don't wanna give too many hints here. PM me please?
Also using the same queries as other questions asked in this room. I did a search before asking..
nvm, got it. Pay attention to operator precedence along with do not use NOT LIKE. Pay attention to what operator to use in answering this question..
Just sanity checked. Try kira's login on other services.
Yep that's why I sanity checked because I didn't recall finding it there. :)
When they did the locate command it was in the root directory. And can confirm in ssh it shows in the /root/ directory
I don't believe you can find notes.zip in ssh, you can find it in ftp
Because that's a hash
Access the target using any pass the hash method
the section is all about pass the hash
And on the first question you are indirectly asked to authenticate using any of the shown pass the hash methods
Yeah the authenticate to should say use the hash
And hash, not and password
It should be fairly obvious that it's a hash, however as seen. It's apparently not
Either way Remmina and xfreerdp both have ways of using a hash
Or the hint suggests impacket stuff
The RDP part is actually second question
Lol
for the most part this section is super simple if you just read
thank you, PayloadBunny helped me find it, the Notes.zip file was in two directories, and I was looking in the wrong directory
I found it, thank you for your time and help
Yeah
It was weird too because even going directly to that location previously I couldn't find it
Then this time it's there xD
Buggy stuff lol
Edit
User error: I did not in fact go to the right directory for sanity
Hopefully you did error redirect just to be safe xD 'Permission Denied'
Skills Assessment - Using Web Proxies: In Question 3
I solved the question but I couldn't figure out the logic behind the Payload Processing rules
Could someone explain it to me?
For Password Attacks - Pass the ticket from linux, can someone give me a nudge in finding the kerberos ticket for the final question: "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).". I have been struggling all day so far and I am not sure what I am missing at this point.
There's a daemon that runs on Linux that connects you to the realm maybe look in that directory
I think I am in the right place but I don't want to write in here and spoil it
but a lot of it looks to be encrypted...
It's not encrypted
it is a binary blob iirc
It's got a lot of cache though
ye, just pointing out it could easily look encrypted but it isn't
Ye
Splunk - Discovery & Enumeration
Can someone message me the version number? I've restarted the server twice and both times I don't get a Splunk instance. I port scan and it gives me PRTG which is the next section. Don't have time for this HTB nonsense
Hi everyone, I am doing the module "Windows attack and defense" and more precisely the 4th attack that talks about how to attack and abuse bad management of GPOs. The course doesn't really explain how to do it or how to detect which GPOs could be vulnerable. Would someone be ok with explaining to me how to detect them and how to abuse them pls? :3. Ty very much^^
~~Hey I'm in the FILE UPLOAD ATTACKS - Skills Assessments but stuck with the file name. I have access to the upload.php to read the code. I know the directory name (||./user_feedback_submissions/||) but I'm not sure with what name the file is stored. Can someone help me?
||http://178.62.4.125:30411/user_feedback_submissions/230526_img.phar.jpg&cmd=id|| or ||http://178.62.4.125:30411/contact/user_feedback_submissions/230526_img.phar.jpg?cmd=id|| didn't work~~
I don't know what happened but it's working now lol
aint nobody just giving you the answer
not sure if I am diving down the rabbit hole or not
and htb doesn't have a monopoly lol, they're just one of the best ones on the market. And who tf is paying $100 a month
academy doesn't even have an option for $100 a month
Then don't do it
Well my mind doesn't like when things are not complete, it makes me crazy
come back to the question later...
The obsession with wanting to finish this question is certainly a me problem, but the fact that the box won't start the service is a HTB problem
contact support
also that's plat tier, you literally paid for the most expensive option possible
they haven't
you can go to offensive security crest...
elearning security
they're much cheaper I guess
academy is super cheap if you don't throw all your money at once for some reason
Do they have a similar format? Learning material and then labs with questions?
yea everybody is in hackthebox because it's the best quality-price
500 cubes a hit is brutal, allows me to do two modules a month for my 100$
price aside just contact support
Definitely loving the price/quality of HTB academy. Very very good quality content
(especially if you are a student)
Also shit like this happens. And sometimes services don't start until after a few minutes
^
yea they answer fast
good support as well
Weekends are a little slower
Alright, never used support, let's see
But they are still monitoring support
I had to use it one time for a box
never used support
God the amount of people that don't think to use support to see if something is broken
Technically asking people to DM you questions answers are a violation of the terms of agreement and you could have your academy account terminated btw
I couldn't stop the machine and they solved it fast
Or if it's a patience issue
100$ canadian
I mean we can test that theory if you really wanna
tell the flags of any active content 
I don't think it's likely but I would punch a horse in the mouth either
Most of their money is made in enterprise
anyway why do people want to get the answer
¯\_(ツ)_/¯
you're here to learn
Your entitlement to this is super high for someone bitching about the content
Is the kerberos ticket in one of these giant files of information, or am I running down a rabbit hole?
I am currently scanning huge screens of text atm
I think there was a tool to recover tickets
It's very much cached
check rubeus.exe tool
review your section notes on them.
Not my fault, I'm always running into snags like this with their content and it really annoys me that I have to pay that much to waste a lot of time. The content is mostly really good, I've learned a lot, but damn it really pisses me off when I have to waste hours trying to get a flag that won't teach me a thing. They literally just want me to copy and paste the version number after logging in. They provide the creds and everything. It should be a 10 second thing
They're on a Linux system for this the exe won't help
oh okay
https://academy.hackthebox.com/module/112/section/1069 "Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain"
If I run dig any inlanefreight.htb @10.129.166.144 I get a timeout. I even added 10.129.166.144 inlanefreight.htb to /etc/hosts. How should I add it?
klist maybe?
Maybe
that lab isn't a gotcha, just gotta follow the section instructions
Don't add it to /etc/hosts
but I still get a timeout. Should I restart the target?
Remove it from there actually :)
Probably
Also should probably check you're on the vpn
yup
I've seen that happen
btw why not add it to /etc/hosts?
then I could remove the @rustic sage part in dig right?
Because it's not a VHOST...
oh right
Not sure, but the splunk instance loaded after like 2-3 minutes
when should i add a specific nameserver to the dig command?
at zone transfers right?
why always? When I do dig any google.com I get the same results as with the NS added from google right?
damn, I don't understand, I must not be lucky
well, if you show some kind of a log or a screenshot there could be someone that can help you
but why and when should i specify a NS in the dig command?
for most if not all targets in HTB academy
The service just doesn't show up, even after 10 minutes, I'll do port scan, but will only see the PRTG server, I'll try a full reset of everything and give it another 10 minutes
That doesn't mean anything to me without any evidence
and how about in general?
In general you want to first do a ns dig, then specify one of the ns that comes up
vhosts
are you connected to the vpn?
They are getting other services showing up, so yes
weird
Yup, I'm using their box actually since I'm too lazy to turn my VM on today
but why and when does it return different results if the NS is specified?
It's like trying to open a door without a key
Alright, I found it. Thanks for the help, I'm about to step away for a few hours to refresh myself
take a screenshot of the browser to show the error of splunk
I didn't think to use chmod earlier to run linikatz...
Sure it may be open but the name server tells it "hey I'm using this specific name server assigned to you"
It's not Splunk throwing the error, just the browser not finding anything there
What better NS to give you answers than the NS assigned to the subdomain/zone
still, you can take the screenshot if you want any help
Basically we're asking for screenshots to see if it's something super simple that's overlooked
Because that happens
It's there now. It took reset of their VIP box and the server
VIP box?
I forget what it's called, I rarely use it, but the box they provide you if you don't want to use your own VM with VPN
I'm running into an issue with the lateral movement trying to add ilfserveradm to local admin. It says RDP into the .50 as the user once you find the creds, but the box doesn't have RDP, just winrm
ah yea that's it. I think that I'll go back to my own box, the pwnbox used to make me a bit insane and now I remember why
¯\_(ツ)_/¯
I have a question for you all. This is from the skills assessment in the Active Directory Bloodhound module. the Last question is, Find the percentage of users with a path to GLOBAL ADMINISTRATOR. I think I need to write a custom query to get this, but I have hit a wall on it. Can anyone help me out on it? Thank you!
You are on the right track with the custom query, however, be careful what you write in the query as to not hit a wall
Also don't forget A to Z
Module: password attacks - Section: Credential Hunting in Linux. In my notes I have the tool which I used to get it, but now I cannot get it
someone I can DM?
what th-
Lmao infinity box
There's an actual internal timer that will kill it properly on time
the Information Gathering - Web Edition module Active Infrastructure Identification section questions says I need vHosts, I don't follow what that means...
Adding to /etc/hosts
but under what ip?
The spawned ip
same IP for both domains? that's odd isn't it?
Not really
Net use
But also it's just told to you in the question
9x outta 10: the DC will have a share
Net use is a way to use shares
Sorry I misunderstood your question
you literally ran a command enumerating dc01\david
lol
are you just running random commands?
.
@weak zephyr
yeah I just added ilfserveradm to the local admin group but it's not letting me open an admin powershell or read the flag...
i need someone who completed the Module: password attacks - Section: Credential Hunting in Linux
to check one thing
DM it
I'm running through the "Getting Started" module and found the section describing running scripts with nmap. The page suggests using nmap as a vuln scanner with vulners. I've cloned the GitHub repo, copied the scripts and updated the scripts database but I can't seem to get any output from vulners. Has anyone else used this tool and got it working? I'm using the latest nmap and also the -sV flag to output versions. Any help or direction is appreciated.
I've never actually used nmap like that
I thought sV worked without any extra scripts
Hi, trying to go over fuzzing vHosts and I kinda just lost what is what... from https://academy.hackthebox.com/module/144/section/1257 I get that there are 2 ways. IP based(multi nic) and domain based(diff names same host). but I don't get how I go about enumerating that without ANY info about the domain. I have an IP and a domain. but where do I fuzz? the www? after it? before it?
I'm ACTUALLY stuck so any help is welcomed
Typically you would start with fuzzing for vhost subdomains
hello all
hello yall just joined
module: password attacks ... section: lab - medium
i managed to get a file called Docs.zip
but when unzipping the file inside it is not opening or showing any useful information
any tips
welcome
sounds like you need the zip password
already cracked it
after cracking it
i have a docx file
that i don't know what to do with
after unzipping am left with a docx file
did you read the docx file
when i did cat ... it displays bunch of gibberish
???
why would you cat docx?
docx is Windows Word document file
open it up on word on a windows machine or libreoffice/openoffice on Linux
also while im surprised at not recognizing the most common document format on the planet. for future reference when dealing with unknown file types try using the file utility on it. Usually itll give you a bit more info than just the extension alone and you can use that to google an appropriate tool.
password attacks module section lab medium .... i just finished it am just wondering how are we supposed to know about the sql part .... and that there is a database that the current user has access to
Hey guys, I am stuck on the Attacking Common Applications module, the osTicket section. I couldn't find a way to get user credentials to log in to the helpdesk
Is there another vhost except support.inlanefreight.local? By nmap scanning I find port 8081 running GitLab, but I don't know how to exploit it
Is academy acting weird for anyone else? For some reason, the targets that I am getting aren't up even though I've refreshed them a bunch of times. I'm also getting longer than usual "Life Left" times
referring to the SQL Injection module
im currently stuck on the last 2 questions for AD skills assessment part 2. has anyone done these yet?
For j* there's documentation
having some massive issues trying to mass enumerate profiles when pairing IDOR vulnerabilities in the Web Attacks module
chaining IDOR vulnerabilities
if anyone is available for a push in the right direction
So.. dumb question.. aren't ffuf and GoBuster doing the same thing?
i think the difference is ffuf can do parameter fuzzing. that's the big difference i know of.
so ffuf is just better?
Finally finished this! Have a couple of tricks for some of the mods so feel free to DM: https://academy.hackthebox.com/achievement/badge/20354735-fc19-11ed-acfc-bea50ffe6cb4
Yoooo grats! just doing the first steps in Information Gathering - Web Edition
Good morning everyone
I am at shells & payloads live engagement, on the foothold machine i searched everywhere for a browser to interact with the other hosts but i can't find one, can you help me with this?
So in web enum vhosts section am I supposed to do FUZZ.inlanefreight.htb or FUZZ.www.inlanefreight.htb? I'm so confused.
firefox
I'm confused about how I distinguish a diff subdomain from a diff vhost...
like say we have inlanefreight.htb, a subdomain could be subdom.inlanefreight.htb, but at the same time we could also have a vhost.inlanefreight.htb on the same machine. so... what gives?
Pay attention to IP
so if it's the same IP it would be a vhost yes?
well I'm stuck at the section. I think I might be using the wrong list
What section?
oh sorry
Information Gathering - Web Edition Virtual Hosts
the weird thing is that I get responses from || FUZZ.inlanefreight.htb but when I curl them I get nothing. ||
I added the www.inlanefreight.htb with the IP to my etc/hosts
Well what is the content-length of the response? :)
Hint: filtering by content-length helps you filter through bad calls
Don't filter for lines
oh
bad calls will all return the same content-length
you mean words? or size?
Look at the example
oohhh
but where do I see size in the output?
I'm a dummy
is the correct list || namelist.txt || for my section?
Should be able to use the provided list from the section
thats odd isn't it?
Did this ever get answered 
In Internal password spraying from linux, a bunch of these commands are using valid_users.txt but it isn't showing where this list actually came from
We got SMB Null sessions, LDAP, Kerbrute (which we used) and responder etc..
I am not sure how they are getting the usernames actually thrown into a .txt file for brute-forcing / spraying
got it. I should have added what I found to the hosts file.
Oh yeah that is a pain. What I did which is a PITA is copied all the usernames from the output. Then went over to chat gpt and had it code me a shell script to remove everything but what I was looking for. I'm sure you can use regex but I'm not that good. I haven't honestly looked into if those tools will output the correct format
lmfao fuick
but I mean chat gpt was pretty good at it lol.
Figured it out: remove the www. One from your /etc/hosts
but that would make it assume everything under inlanefreight.htb is under the same IP... which might not be the case no?
I just added || app.inlanefreight.htb || to my hosts
correct me if I'm wrong @fathom pendant
that didn't work actually
Ok resolved it now
I solved it tho
I had to rerun it, since my notes are sparse
|| you add the found vhost to the hosts file ||
Even still
ok, I'm listening
I found all expected vhosts by using the f* hostlist (remember the .203 question xD)
I just used || namelist.txt ||
Do you wanna know the purpose of the www one?
It's to give you the right filter parameters
but generally you can figure that from just bombing and seeing what flys and what doesn't no?
Yes
oki
In this case though
ZAP doesn't happen to have a cli/terminal utility does it?
The other thing is that the content length part: is default webpage size
same same no? size would reflect that too no?
yea I thought of that... no real solutionto that tho
I'm stuck at Windows Built-in section (Backup Group) of Windows Privilege Escalation. i cracked the password for administrator and tried to login with cme, evil-winrm, runas. They all say password is incorrect. Can I get some guidance pls?
Ok... in Information Gathering - Web - Skills Assessment the last question has me scratching my head... there is no way to "float" a word during enumeration over the subdomain string. which leads me to believe I need a specific wordlist... using gobuster I get a bit of slow responses (understandably as we are enumerating github...). direction needed
and the tool suggested seems to kinda skip the logic needed to understand the question. so that's why I'm asking
Also || when trying sublist3r I get virus total is probably blocking your requests ||
ye I'm completely stuck again. elp, elp.
oki
my hero
Can anyone help a bit with one of the sections in the HTTP Attacks module
godaim another inf dump... Vulnerability Assessment.
Hi everyone. I am struggling with Footprinting IMAP / POP3 on the last two questions where I have to read the mails.
I use openssl to connect via IMAP and can login using the command
||1 LOGIN robin robin||
I then can list all the mailboxes with
||1 LIST "" *||
and see two mailboxes. But they both seem to be empty. What am I doing wrong here?
@lean jackal https://donsutherland.org/crib/imap
Thank you, I already tried all those commands but don't know where I am wrong
@lean jackal use evolution
Why don't you just use a mail client like Evolution / Thunderbird?
I would like to understand the commands used
@deep yew
Thanks
Allright, I got it with using evolution but I would still like to learn how to do it manually. Can you show me the commands used?
IIRC || 1 fetch <ID> R822 ||. it's not in the section so... yea.
alright, and how do I find the ID?
or how do I even find the admin mail address in the first place?
both can be figured with given info
Can you elaborate a bit more please? I tried all the IMAP and POP3 commands
@lean jackal
I don't remember exactly but it was something like viewing the mailboxes with
||A1 LIST <mailbox> * - list available mailboxes
A1 SELECT INBOX - select the mailbox you want to interact with
A1 FETCH (flags) - list messages, iirc this is where you get the subject / UIDs
A1 UID FETCH (flag) - to read the body of the message||
This involved me looking at supplementary resources, like reading the RFC and an external IMAP cheat sheet
is IMAPS port open?
Dm if u still needed help
hey
i'm really stuck in Predictable Reset Token for Broken Authentication module
anybody can help me?
this question
Create a token on the web application exposed at subdirectory /question1/ using the *Create a reset token for htbuser* button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
<del>
from which section and module is that?
I got it, even though the guide had it in caps and it worked the answer was a lower cap, it was for the CRT prep module
"Predictable Reset Token" for "Broken Authentication" module
help :_)
cannot I filter mimikatz sekurlsa::logonpasswords by username?
i wanted to filter the user david
you can find it manually. I never heard of a filter feature but let me know if there is one, that'd be neat
I've never tried it but maybe you could run mimikatz directly instead of opening an interactive session by supplying the -Command option to execute sekurlsa::logonpasswords and pipe the output to powershell's Select-String command to search for your strings?
you have to calculate your token based on the time on the server, not on the time in your time zone
follow the steps in the exercise, but change the listening port to 443 and generate a powershell reverse shell of the same port
hi all, i need a little help please -> Module: "Attacking Enterprise Networks" Section: "Web Enumeration & Exploitation" After logging in to the wordpress admin panel, I get an Apache error site 502 Proxy Error. how do i resolve it?
Turn off proxy?
The error 502 comes from the server. Possibly a WAF
Several issues can return a 502 Bad Gateway error. These include:
An unresolved domain name. The domain name might not be connecting to the correct IP address. This can happen because you've recently migrated your site to a new host, and the DNS servers haven't yet finished propagating.
An over-sensitive firewall. If your site or your web host is using a firewall, it may be blocking certain internet providers or IP addresses. This happens when the firewall detects a false threat.
Server overload. The origin server may have crashed due to a sudden spike in traffic. This problem is more common if you're on a shared hosting plan and your server has limited resources.
It's worth noting that the 502 Bad Gateway error doesn't always indicate a problem with the server. It can also be caused by a client-side issue, like an outdated browser version or corrupted files in the browser cache.
Refresh the page: Sometimes, a temporary glitch or network hiccup can cause the error. Simply refreshing the page may resolve the issue.
Check the server availability: Ensure that the target server is up and running. You can try accessing the server directly without going through the proxy to see if it responds.
Clear browser cache: Cached data or cookies in your web browser can sometimes interfere with the proxy connection. Clear your browser cache and try accessing the page again.
Disable proxy: If you have control over the proxy settings, try temporarily disabling the proxy or connecting to a different proxy server to see if the error persists.
Verify proxy server configuration: If you are responsible for the proxy server, review its configuration settings. Ensure that it is properly configured to forward requests to the target server and that there are no errors or misconfigurations.
Check network connectivity: Verify that your network connection is stable and that there are no firewall or routing issues preventing the communication between the client, proxy server, and target server.
Contact the website administrator or network administrator: If the issue persists and you are accessing a specific website or service, contact the website administrator or your network administrator for further assistance. They may be able to provide insights or resolve the issue on their end.
I'm kind of confused here is the academy separated from the primary hackthebox platform? Is there supposed to be a relationship between my main htb account and my academy account?
no
same for ctf and forum
sorry, no to the first question or the second question?
just u can use the same 2FA for ur accounts in the different subdomains
i think i had to create a new account in the academy
but i dont remember
but i can use the same 2fa for both
Is it still possible to connect to the academy target boxes from a vm on my local computer or do I have to do everything from the vm hosted in academy?
from ur vm
but u need to download the academy vpn
I've done that and confirmed that the tunnel interface is up but it doesn't seem like I'm able to interact with the target. Nmap thinks the host is down but this is one of the really early modules so I don't think there should be anything that tricky going on. It seems like I've missed a step but I'm not sure where.
did u connect to the academy file?
yes, I downloaded a file called 'academy-regular.ovpn' and ran 'sudo openvpn academy-regular.ovpn' the output leads me to believe I'm connected. Do I need a different ovpn file from somewhere?
no, 100% packet loss
ha, I agree with that
behavior is the same. Maybe I'm getting punked somehow by the inclusion of the port on the target that htb academy is giving me.
I don't really understand where it comes into play.
[*] Started reverse TCP handler on 10.10.14.126:4444
[-] Exploit aborted due to failure: bad-config: Server did not respond correctly to WebDAV request
[*] Exploit completed, but no session was created.
Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
I have this problem in meterpreter section in Msf module
u havent configured the exploit
not good
I dont know how to fix this
All should be in the section explained
U have to do the revshell from MS01
Is it the correct IP?
If u don't get the shell the IP or the port is wrong
Do ipconfig
And check the IP
Are u listening in the Julio cmd
?
Where did you get the payload from btw?
Ummm ;-;
Can Anyone help me? ;-;
And the revshell to log in to dc01
With?
Ahh
I feel like one of my friends is having control of my Insta
And he invited me to this server too
he said people here have my data
;-;
:O...
But I don't think it will get my friend to get out of my account
@Llŷr#4472
I too think you're on the right path, something with the payload is my guess.
That is to execute wmi from ur machine
But if u not listening as Julio u cannot get it
Yea
Can you let me know if that's the case? @rustic sage
If you get a successful connection.
They say it and the examples from the section is like that
someone please help me with https://academy.hackthebox.com/module/39/section/414
@zinc marsh Does it matter which user shell we execute the command from? As long as the Listening address matches with MS01's address and we're listening from that machine. It shouldn't make a difference.
Tyt, I just want to know if that's the case.
oh my fucking hell this fucking this can suck a dickkk its so annoying
Shoot your question?
Gimme a sec
Im so close to breaking my computer
5000/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Ive been trying to find an exploit that works on this mf in msfconsole but none of them work
I even asked fucking chatgpt, stupid mf doesnt know either robot my ass
Pivoting module:Skills assessment section
In this section, is it necessary to upgrade to AUTHORITY\SYSTEM on the pivot host?
What's the actual question tho and module my guy
the password attacks hard lab is crazy difficult
Eh it's just back and forth cracking
Playing pingpong with creds
You don't need to be highly privileged most of the time, unless you want to create tunnels or routes on that machine.
hello, im starting in ethical hacking. I have a question bc im doing this module https://academy.hackthebox.com/module/18/section/70 but im stuck on the first question bc the ssh doesn't connect to the ip. Any solutions?
am now at the backup.vhd cracked the password but don't know what to do next
What is a vhd
are u in ur vm or the pwnbox
Then, why can't I get from mimikats? Do you know?
Iirc you have to do the debug first
im not in vm nor pwnbox. Im doing this with winkex, the linux terminal in windows
I forget the command
^ @sonic seal
privilege::debug
That's... Awful
did u connect to the vpn?
the first question is about connect with ssh like this --> ssh user@ip
but always same error time out
i guess no
why is winkex awful?
Thank you! But...
do the introduction to the academy module first
Are you actually typing user or the username it gives you (usually htb-student)
Ah, one more thing is, you do need to be administrator to run mimikatz
he isnt connected to the vpn i guess
ye ye the user is this htb-student
It's highly recommended to do the modules in a vm that way it's more controlled in case something goes wrong.
Oh, then I will investigate if this is the way. Thank you so much!
try rubeus
Or using the in-browser pwnbox
same error in browser pwnbox
Note: Mimikatz requires administrative rights to perform the Pass the Key/OverPass the Hash attacks, while Rubeus doesn't.
Are you typing the x.x.x.x ip or just typing 'ip'
Good luck
Thanks! I didn't know about Rubeus.
Hi guys.
I'm new here.
Any tips on how to start as a complete beginner or newbie?
If you have both pwnbox running and VPN connected on your system then that can be the issue
@pallid geyser use ur vm or the pwnbox anyway
oh true i will reset all
Just turn off VPN on your system to use pwnbox or turn off pwnbox to use vpn
too dangerous using ur main pc
i can't use a vm bc i have a bad pc
That's what pwnbox is for
use their pwnbox then
It has basically all the tools installed
ye thanks
lol updated
2023
Hello
so many whites today lol
Graduation just happened in a lot of states, and school is letting out for summer
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS - ACL Enumerations
Does Bloodhound show the ObjectAceType GUID for the nodes?
Getting it from PowerView is taking a long time, maybe the ACLs in the lab are huge?
Okay, I am working on the get started module and I'm stuck on service scanning when I need to access the user for bob and enter the password. The password is not working. I have also attempted the commands in the screenshot. I am doin' this wrong and/or don't understand this portion. Can I get some help?
Oh nvm, PowerView just fetched it. Had to hit enter
connect to the vpn
^ the VPN is required if you're using your own vm
@fathom pendant can u help me with pass the ticket using rubeus?
```
(Rubeus banner)
v2.1.2

[*] Action: Import Ticket
[+] Ticket successfully imported!
```
where do i have to go to use the john account after importing the ticket with rubeus?
It's been a minute and honestly my notes on that section is really sparse
Which section is this?
totally forgot about the VPN thanks. Need to install it
PtT from Windows?
im not using my own VM. I dont have an option to connect to the VPN in HTB
If you're using the pwnbox on the site : it's already connected
It's generally not advisable to do the labs on your host system
Mostly due to software/tool incompatibility and the modules focus on Linux Tools
ok so can I get a little guidance on why i cannot get past the user bob password not working. I don't have the ability to screenshot but this is what I have been getting stuck at: $ smbclient -U bob \\10.129.234.251\users
Password for [WORKGROUP\bob]:
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
yes from what I see in the example
I'm talking about from you running it on your system
it does not show my user name it has the htb root user name if thats what you mean
What's the module name again?
getting started
section?
that's what im trying to do. when it asks for the password I enter in the password and when that does not work I have tried the help and nothing
did u learn something about crackmapexec there?
because there isnt any share called users
no
The Welcome1 password given yea?
try smbclient -N -L \\ip
do not know how to do that. it says to bring up the list and then to sign in with the user name bob
I was able to login using -U bob and users share
then read the section again
yes and it didnt work
There's no enum needed for password btw it's given in the section
oh
then just run the command to log in to the share lol
what is the password to try it
Welcome1
yea
this is my outcome:
```
┌[htb-xtgh39ink5@htb-ac-803547]-[18:43-27/05]-[/root]
└──╼$ smbclient -U bob \\10.129.234.251\user
Password for [WORKGROUP\bob]:
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
```
i could login as well to the users share
restart the machine
users not user
and yea is users
ok
So you can verify you're doing the right share
Lol
that is why i told him to read the section again
Because it's literally right above the share enumeration part where it gives creds
Modules : FFUF
Hello, I was wondering about subdomains and Vhosts
When we connect to a vhost we will connect to an ip, then with the "Host" header we will specify the resource such as a subdomain
But when with htb they give us ip and we don't put random names like academy.htb or idk.bth
In which directory do they search for resources if the directory is not predefined
u mean the wordlist to fuzz subdomains?
respawning the machine and restarting it worked i can actually see the files now. Thanks
I got this, is this right: \\10.129.42.254\users: Not enough '\' characters in service
Usage: smbclient [-?EgqBNPkV] [-?|--help] [--usage] [-M|--message=HOST]
[-I|--ip-address=IP] [-E|--stderr] [-L|--list=HOST]
[-T|--tar=<c|x>IXFvgbNan] [-D|--directory=DIR] [-c|--command=STRING]
[-b|--send-buffer=BYTES] [-t|--timeout=SECONDS] [-p|--port=PORT]
[-g|--grepable] [-q|--quiet] [-B|--browse]
[-d|--debuglevel=DEBUGLEVEL] [--debug-stdout]
[-s|--configfile=CONFIGFILE] [--option=name=value]
[-l|--log-basename=LOGFILEBASE] [--leak-report] [--leak-report-full]
[-R|--name-resolve=NAME-RESOLVE-ORDER]
[-O|--socket-options=SOCKETOPTIONS] [-m|--max-protocol=MAXPROTOCOL]
[-n|--netbiosname=NETBIOSNAME] [--netbios-scope=SCOPE]
[-W|--workgroup=WORKGROUP] [--realm=REALM]
[-U|--user=[DOMAIN/]USERNAME[%PASSWORD]] [-N|--no-pass]
[--password=STRING] [--pw-nt-hash] [-A|--authentication-file=FILE]
[-P|--machine-pass] [--simple-bind-dn=DN]
[--use-kerberos=desired|required|off] [--use-krb5-ccache=CCACHE]
[--use-winbind-ccache] [--client-protection=sign|encrypt|off]
[-k|--kerberos] [-V|--version] [OPTIONS] service <password>
Nope, the fact of how the server gives me an answer when I put random names in my /etc/hosts file
I have it, it's the exact command smbclient -U bob \\10.129.42.259\users
I then enter the password. and that is what I get in my output which is the error.
u just add the name that u want to an ip
yes
like if u save the number of ur mother in ur phone as 'dsafsdj'
hello, i'm stuck a bit on the payload for the Web Service & API Attacks Skills Assessment, anyone willing to help?
Hi, can someone give me a hand on the AD enumeration and attacks, privileged access section? I am asked to find what other user in the domain has CanPSRemote rights to a host, but using the provided command and bloodhound, I can only see that the user forend has CanPSRemote rights. I can't find another user. Can I have a hint, please?
It's not the problem I talk about
The file in the web server
When I put ok.google.com
In the server there is a folder name
/google/
/ok.google/
But when we put an random name
There is no
/dsafsdj/
File
With the ip who htb give us
I'm on the File Upload Attacks module and having an issue with the Upload Exploitation section. I keep getting a blank web page with /* on it whenever I try to navigate to the uploads directory and access the php file. Has anyone else come across this?
julio
Sometimes it is weird and doesn't show the correct info so just do a dir C:\
So I just completed the footprinting hard lab in the footprinting module, didn't have any issues really but I like to go through the forums afterwards to see if I missed any thing I could've done differently. Some people on the htb forums mentioned that you needed to access another set of credentials to get the required flag to complete the lab and I didn't need to do that at all, I spent an hour looking everywhere for another password I could use for the other account and I found nothing. Anyone complete this lab recently and know what i'm talking about? I just want to know if I missed something.
What does the window title of the new cmd say?
why my the ctf website is slow
sometimes slow and sometimes fast
That's weird. It should show signs that it's from Julio user.
Which section is this?
you can simply try to list the files
because it is not C:\julio
Having a problem here with the Module 'Intro to Bash Scripting', page 4 'Comparison Operators' Question: https://academy.hackthebox.com/module/21/section/129
Isn't that the question though or am I misreading
This is my script:
```bash
#!/bin/bash
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
for i in {1..40}
do
var="$(echo -n "$var" | base64)"
if [[ "$var" == "$value" && $(echo -en "$var" | wc -c) -gt 113450 ]]
then
echo -e "$var" | tail -c 20
fi
done
```
Because you need to find a way to look for the $value inside $var
Iirc
Any hints as to why its not working? (Besides the obvious echo -n / echo ... issue in all these questions)
I might be wrong, but I think you're just PTH-ing to your own machine.
if you have a "pth session" you can verify it by listing the files on the target (DC), then you can proceed getting a remote command executed followed up by a reverse shell
All you're doing is checking if they are the same. Which realistically doesn't happen
as is $value
So you're executing commands on MS01 in the context of the Julio user on the new cmd. This means you can't read the local file which is on DC01 from the new cmd (which is on MS01), but you can read the shares on DC01 allowed for Julio (as you're julio).
In order to read the local file in DC01, you need to execute commands on DC01. Get a reverse shell or write the content of the C:\julio\flag.txt to the share accessible by julio hosted on the DC01 machine and read it from the share. (Reverse shell is optimal)
@rustic sage
ahh i totally misread this question
The question is asking you to check if the $value exists somewhere in $var. If it does, then check the second condition else loop until you reach that same point
ok tnx
I am having issues with running this command in this module 'Which CMS is used on app.inlanefreight.local'
from the Active Infrastructure Identification
The magic word under Linux is called sudo
The Hosts file is protected. You need root privileges
so 'sudo echo '10.129.172.169 app.inlanefreight.locl' >> /etc/hosts'?
sudo echo '10.129.172.169 app.inlanefreight.local' >> /etc/hosts
Is that still the shell from pth you performed from MS01 machine using Julio's hash? can you execute hostname to confirm the machine?
or just use a Text Editor
^
Fun fact you can add multiple vhosts on the same line if they're on the same IP
Also it's .local not .locl
Just as an FYI before you bash your head in

Source: I'm actually currently redoing this so I can have a canvas for practice and for assisting others. Easy to help others if I have notes on what I did
You're not in DC01. Rather, you're just accessing a share named julio hosted on DC01. accessing \\DC01\julio is not the same as accessing C:\julio\
Iirc don't you need to supply a domain with pth too?
So it can bump you over to DC01?
