#modules
Try resetting the box and trying again
you should be able to find it fine with the VPN, I just double checked.
Also run -p- with no other additional scan types like -sV or -sC
I can hit it with -sC -sV still but like MarcieLee said they are not needed in this case.
Hi guys sorry totally unrelated qn but idk where to ask… what do numbers mean in the openvpn servers selection for pro labs? The more the merrier or more crowded? Thank u!!
https://discord.com/channels/473760315293696010/1024429874246590575 You can ask these questions here.
what exactly is not working?
Anyone knows why i get the following error when i try to connect by ssh in footprinting lab-easy? "Permission denied (publickey)"
tbh, my understanding of how to start on this specific task. the others i was fine with, this one kind of intimidated me, ive been impatient with it so i am only asking if anyone did it, but i dont want the help for it is all .if this makes any sense
because you need a key file for authentication
Try to apply what was described in the module. If you need help, just ask for it again
ye, i know like i said i just get impatient. but yeah im going to be rereading thru it
thanks, i just needed a brain breather and just wanted to see who did it is all
I tried to use credentials to access by ftp but there is nothing in ftp. I have the credentials. The hint says that the public key for ssh is in a forum but i don't know what i have to do.
The module was completed by over 2800 people
very nice thank you
Take a good look at all ports. Really all ports
as for "Attack Tuning" section, you need to run the sqlmap a few times. As, it's a blind payload, the results are not always the same.
definitely noticed this for sure
thank you for your input
typos
xD fixed
I found port ||2121|| but there is nothing interesting here
Are you sure?
Curious, is it possible to download a file from an ftp?
)
Good day, how long did CPTS take to you?
2x 10 days
Hmm, i got only 30 percent in 3 months...
I meant the path
Oh, you mean the course?
Yeah
I can't say that for sure. I had a silver subscription and just did everything I could.
Around 4-5 months?
12 months for CBBH and CPTS
But not all modules were published at the beginning. This was done little by little
Ow
Got you
That's why I really can't tell you how long it took
Learn the content properly. Time should not play a role
For sure
How do i verify the command doesnt work
read the instructions again
it says it takes 43 days for the CPTS but I think that's like without sleeping, eating, or taking breaks. I've been going since february almost everyday and I'm only around 35% done
Same
I heard that it's 41 * 8
Not 24
Yep thats very true
But i am not a robot or stoic or emotional intelligent person, and for me it's almost impossible to study 8 hours every day 🥲
just take your time with it and learn the content, don't rush yourself
and now that im actually taking notes I can learn from I had to increase study time just to maintain pace
Yeah
notes are soooo important
I am taking them in obsidian now
yeah I have to revisit alot
And have git backup
I use one note
i literally copy the whole module in a digital notebook
Wow
I do a report for every machine
I am just copying the stuff which i think very important
its searchable so i can go back and refer to something if i need to
Doing only for skills assessments
Curious, maybe i will try
Now at the password attacks
Starting PTH
Ahaha
well if yall get stuck feel free to dm me i've saved notes on the attack chains for the labs haha
Cool
ok
I was stuck today, but forums with payload bunny are helpful
What about you? In which module are you?
just finished the hard lab at the end of password attacks
Great
im excited for that lab will take it one sunday
It's the most frustrating module for now
it was really fun but yeah completely agree its a frustrating module
i was stuck for a while using rockyou.txt like an idiot
lol
I hated the parts when you have to brute force 3-4 hours
hahaha
Do you like batman?)))
that module got everybody I think
I brute forced it about 3 hours
The lab creator must be a troll
Eventually solved this one, hint: url encode your payload and test all headers.
And also, do you have any idea how to get the credentials without hint in credential hunting in Linux section?
What about the credential hunting in Linux?
aside from the provided password.list idk
the hints imo are pretty required reading lol
No, i was checking with grep
There weren't these credentials
In most cases you can't do anything without them
You can't solve the questions without the hints mostly
In my case i am trying to do something
But when i notice that i am hitting my head against wall
Reading them
Yeah, that's the problem
yeah stuff like that should be more included in the question than a hint imo but what can you do
Try to report i guess in erratum
true
yoo I have to redo credential hunting today hahaha
I was so lost the whole time but managed to finish it
Try to do it without hint)))))
Attacking Common Services
Attacking FTP
Is it normal that I cannot download the password list? I've restarted the machine twice but it results in the same behavior...
maybe reset openvpn?
Tried that as well. Sadly doesn't change anything. I'm able to download the users file without any issues.
Can anyone guide me on "Find the valid username for the web application based at subdirectory /question2/." of brute forcing usernames section on broken authentication modules please 🥲
I have seen this issue before but so far the only fix I found is reconnecting to FTP a bunch of times and sometimes it works, sometimes it doesn't. Really not sure what's going on there
SQLMAP skills assessment: is it expected behaviour for the final table contents to be empty? i managed to get the correct commands to enumerate but the contents are empty after
heyy, maybe switch to passive mode?
no it shouldn't be empty. I think it's incredibly slow, so you might have to give it some time, but certainly not empty
guess ill restart the instance
ya do that
if that doesn't work feel free to dm me. Maybe I can spot something
i feel its a instance thing because i can actually enumerate the db
DM me, I will help you out SQLmap module @willow sonnet
Didn't work either. Thanks for the suggestion.
what about if you try using the workstation (pwnbox) is the experience the same
how about the bulk download wget -m --no-passive ftp://$USER:$PASS@$IP?
nvrm i see it printing
Same issue.
Try it like this
||ftp 10.10.10.10 1234||
its been a while I did this module, but from what I see I think its the file privileges, i dont think thats the correct user, would you like to dm? I just re did it now
quick question for y'all: Which tool did you use for Attacking Common Services, section Attacking SMB? I did some testing and it looks like only the smb_login module from MSF works, but CME and Hydra don't. Did anyone run into similar issues?
weird CME worked pretty fine for me
well, not for me:
It was the right user. After restarting the machine 20 times or so, it worked
^
alright
well what do you need help with?
like i dont understand any thing
well start with basics then. for example, if you never worked with Linux, try getting to know that a bit: https://academy.hackthebox.com/module/details/18
i have three cubes or boxes
well nothing is truly free in life 🤷
i know
As soon as you complete modules, you get cubes back
VPS hardening setting point
Im at this
plus the question is hard
what does the acronym Linux PAM stand for?
can anyone help me with the answer
well google it
thanks
you're the best
What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.
@lament mango You will use google a lot to get a deeper understanding of topic also each module has the information to answer the question
I googled it
Interactive Section
but it told me the answer is wrong
anyone
pls
what exactly is the question?
What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.
Academy consists of a bunch of modules, each being divided into sections. You're currently working on one of the modules, which again has multiple sections. the first one of these is your answer
Read the chapter once again
You want to do a restore, not a backup, right?
was able to create a restore, but the files contain nothing: restic.exe -r E:\restic2\ restore b0b6f4bb --target C:\File
b0b6f4bb -> id of C:\Windows\System32\config
although I am using 'Password' for $env:RESTIC_PASSWORD, it says wrong password when I use Super*******
There is more than one snapshot
fml, sorry for bothering you, had to be more perspicacious...
thanks
okay, another issue what am I supposed to do here, like I am lost
are student subscription modules permanent in htb academy?
You keep the modules that you completed
how bout started but not completed?
Not sure on these
ok, thanks for the info.
how did you get the hashes?
there is something that you can poke around even if it was in the past
also, not the first entry in the list would yield you with the appropriate ones
Why does my shell revert to bash, when I'm trying to launch pwsh in pwnbox
Restart to solve issue?
I've restarted once
Anyone with a nudge for me on the attacking common services easy lab? I found a username but I am not having any luck getting access to any services.
Attacking Common Services
Attacking Common Services - Hard
|| I extracted all the credentials from SMB and ran scans on all mssql and rdp with the 3 usernames found. Nothing seems to pop up. ||
DM
What about smb?
^
to scriptie:
Is smb really that common in real situations?
Ah, but why are we not getting a powershell session?
Oh boy. Yes. Since one of the 3 found users doesn't exist on SMB with null auth, it returned valid for every password, so my SMB scan never got to the correct user. That's an error on my part. Cheers for helping!
You mean like a proper powershell terminal?
Yeah
Well, that is the shell (terminal) to be honest
I'm outdated on pwsh on linux I guess lol. I was expecting the PS > sign.
Noted
I did actually think that too. I tried do ipconfig and it didn't work either, but I guess linux pwsh doesn't have everything?
I'm not aware what kind of constraints the linux one has
Thanks for clearing stuff up
Attacking Common Services
Attacking Common Services - Hard
Is this expected?
@admin
I want to invite someone and I need to have invitation code
yes, you are looking at the wrong server
You've just copy pasted the command from the modules
also, you can get an RDP session and to utilize the syntax highlighting from the provided software
Ah! I messed up in reading that. I figured 0 for isremote meant that it is this current database, which is not the case, it's the linked one. Woah my brain is clearly rattled, need a break after this. Thanks for bearing with me.
Hey! I'm having the same problem. It's broken or you solved it?
Ok so I just solved using: ||curl -i -s -X OPTIONS "http://134.209.176.83:31280/admin/reset.php?"|| but I don't know if is the intended way
If some one else did this part of the "Web attacks" module, please let me know if it's the intended way and why works
Hi, I found user ||alex|| in footprinting medium-lab but i don't find the password for ||RDP||. I need to ||brute force rdp with user alex||?
Use Remmina, not xfreerdp
Hello. Quick question: im doing the htb web enumeration module and there is a question where I have to use the learnt web enumeration technique on a given machine. I cannot connect to the machine that is given. Can't even ping it. I guess im supposed to download a VPN but I don't see an option to do so.
Section: Pillaging
Module: Windows Privilege Escalation
last question does not accept the ntlm hash, what should I do?
If you've got a username and nothing else, then yeah.
crazy how many ways there are for pivoting damn
After almost 2 hours brute forcing, i did not find anything
🥲
Xd
I'm using remmina but i don't have the password
Let me check that section rq.
Alex password is really in plain text ; perhaps you should check and see if there's some sort of share
Ah
Thanks
Just as I got to my notes lol
Ah cool
nvm wtf
Yeah lol
Yeah I'm trolling
How much should I focus on smb shares? I'm a beginner and I skipped it as it's a pain to set up on macOS
Like how common is it in irl situations / higher level machines
Very common in irl situations.
You can just use pwnbox or setup a VM to play with SMB shares if it's a pain in macOS
Ya I've got vip so it's not a problem but I usually prefer to play around in my terminal with tmux
I meant I have it on academy
Ah so you're referring to the silver/gold/ subscription on academy
Hello.
I'm working through a few modules on privilege escalation and lateral movement. Using wget or curl to import resources from GitHub results in a "could not resolve host" error.
What do I need to investigate?
I'm stuck at medium-lab footprinting in ||mssql management||. I don't find user ||HTB||
I have ||Administrator|| credentials and i can access to ||mssql|| by ||rdp||
Anyone can help me please?
Two options: GUI and CMD line
machines on academy usually don't have access to the internet. so you'd need to copy it over from your machine instead
If you're going CMD line you'll need to research, the attacking common services module goes over actual commands
The MSSQL section of footprint just shows and goes over GUI briefly
Thank you.
np
But in the GUI you can at least look at the tree on the left, I'd start looking through databases
@paper rivet Take a read on the hint
someone know how to fix this?
```
PS C:\Users\htb-student\Downloads\dnscat2-powershell\dnscat2-powershell> Import-Module .\dnscat2.ps1
Import-Module : File C:\Users\htb-student\Downloads\dnscat2-powershell\dnscat2-powershell\dnscat2.ps1 cannot be
loaded. The file C:\Users\htb-student\Downloads\dnscat2-powershell\dnscat2-powershell\dnscat2.ps1 is not digitally
signed. You cannot run this script on the current system. For more information about running scripts and setting
execution policy, see about_Execution_Policies at https:/go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ Import-Module .\dnscat2.ps1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Import-Module], PSSecurityException
    + FullyQualifiedErrorId : UnauthorizedAccess,Microsoft.PowerShell.Commands.ImportModuleCommand
```
i downloaded the dnscat2-powershell in the rdp but i cannot import the module
powershell -ep bypass?
nah nah, just execute the command I sent first and importing again
is not digitally signed. meaning that you gotta open powershell with exec policy bypass.
C:\Users\htb-student>-ep bypass
'-ep' is not recognized as an internal or external command,
operable program or batch file.
i tried the command in cmd and powershell
you're missing the powershell before -ep
it's an argument to the PowerShell command lol
```
PS C:\> powershell -ep bypass
PS C:\> Import-Module .\dnscat2.ps1
```
Any idea about what query use to view several columns of an user in mssql? (I'm searching for the password of an user)
I wrote the query ||select * from dbo.accounts|| but there is nothing
aren't you supposed to use nvm.. in mssql?
it doesnt work
Look into set-executionpolicy
am trying this Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass
it worked with this
This one 'PS C:\Tools> Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid}' supposed to take a while to run on challenge questions
Actually yes, it takes quite a while.
Try hitting enter every 5 minutes, I remember waiting too long and hitting an enter dropped the ACL I was looking for
I've hit 70
hi, when doing the Password Attack module, I now launch every attack from the Pwnbox since it's about 10 times faster (2ms vs 20+ms latency).
Do you think it is "normal" to have to use the pwn box to crack pass in a reasonable time or maybe I am not choosing the best / fastest method ?
Im currently at the Getting Started module at Basic Tools and trying to do the optional challenge. I am not able to netcat or nmap the server. Can someone help me with this?
2ms vs 20 ms on what lol?
latency (ping)
Yeah but between which 2 boxes
UH
offline cracking - use your own vm, for services related brute-forcing use pwnbox
What are you nmapping from?
no, the latency measures from the pwnbox to a Target and my attackbox over the VPN to the Target
thanks, you are comforting me. Do you think such thing might be needed during the exam ?
"my attackbox" is your kali vm?
am only talking about doing a ping lol.
yes my attack vm
(over vpn)
both
Any password cracking would definitely be faster if you can use a vm that utilizes more cores / your gpu
And yes that latency would be expected lol
I am talking about service bruteforcing (using hydra or cme mainly) of course offline cracking is not related to the latency between the attackbox and the target
I'm not sure what they got in the exam.
Maybe I'm simply just misunderstanding, but It shouldn't have much of a difference lol
unless CME waits until response comes back before initiating second query
if that's the case then yes you'd be looking at a 36ms different per crack attempt
But I believe HTB would have something in place like asking us to use a certain wordlist, so you don't have to worry too much about the latency.
@misty current we're at like 10mins lol
well, try to cme smb with a password list against an SMB service, one time using your personal VM with the VPN, you will see lines scrolling gently each time a new password is tried. Do this again using the attack box and you will see Pages scrolling (not lines)
tried hitting the enter?
Interesting, Will do
Yes lol
Trying to pipe to csv now I reset environment once already
They do mention in the module "In our lab environment, it should take 2-3 minutes" but not the case.
Oh thank goodness
It finally came through
Yup
I'll help and not be influenced by you trolling me other 
Question?
Is that the one with 50k passwords lol
Ah, Yeah so basically based on recommendations here and on forums is remove some of the passwords and reformat the stuff
I'd check the forums and look for their advice, I spent like 2 hours and basically cheated bc it was bs
Basically, they have you shorten the list
Or you could ctrl f in here it's probably in the discord too
Oh and still no work?
Try with 48 threads
Yup
Anyone around for some help with the flow control - loops module in Introduction to Bash Scripting? I'm not sure if I'm misunderstanding but I'm having trouble decrypting the flag and I keep getting bad decrypts and errors just wanted to show someone what I've got and see what I'm misunderstanding.
are you talking about the mutated password list in password attack module ?
Can I get some help with SQLMAP Essentials: Attack Tuning Case #7? I have used all kinds of requests but I have been failing
@slender shoal are you on this question ?
you don't need any cheat, this is doable in 20 minute
ok
u targeted ftp service ? from you VM or from the pwnbox ?
I started with SSH too lol but even using FTP was not that fast from me, until I try to attack from the pwnbox which is kind of, into the local network (low latency)
I'm actually going to have a stroke "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)" Scriptie come back
Can I DM someone about the Attacking Common Services Hard lab? I am mad lost after getting access to MSSQL
Did you get the ACLs for forend?
I did
I literally cannot figure this out command's been hanging for 30minutes lol
Tried brute-forcing options still can't get it lol
I have been working on this blasted SQLMAP Essentials Case 7 for waaay too long! Any help would be appreciated
So, you're still waiting for the ACL which forend has over the GPO management group huh?
uh yes
$itgroupsid = Convert-NameToSid "Information Technology"; $aclEntries = Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid}; $gpManagementRights = $aclEntries | ? {$_.ObjectDN -like "GPO Management"}; $firstRight = $gpManagementRights | Select-Object -First 1; $firstRight.ObjectAceType
I think this is the one I'm using rn
Also tried : Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $itgroupsid} -Verbose
This one timed out Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
This is the error I keep getting, I'm echoing my salt value to check that it's being properly assigned. I've tried running the loop as 0..28 and 1..28. I'm supposed to be taking the # of chars in the 28th iteration of base 64 encoding the var 9M right? I must be missing something simple or overthinking this right?
this is the for loop I've got
I could suggest you to get the answer from bloodhound but, it doesn't accurately tell (or maybe I don't know how to properly look it up) ObjectAceType.
Resolving it manually or with Powerview was the only way I could get the answer to the question. So you gotta wait for those ACLs
bloodhound uses the common name for it while the question wants the under the hood specific answer for it
^
also the proper method takes forever, people constantly quit out thinking it stalled/timed out but it hasnt
True, better let it run while you read other sections. @gentle root
I am stuck on Password Attacks > Credential Hunting in Linux :
the question is
Examine the target and find out the password of the user Will. Then, submit the password as the answer.
From the sequence's module, I don't understand how I could get that info.
I don't see any vulnerable service, SMB enumeration offers me shares that are not readables
I have tried to bruteforce user wil against the ftp service using different wordlist (the mutated password list, the simple password list and rockyou)...
Since all this, do not relate to "Credential Hunting" I wonder "did I miss something ?"
talking about the hint being required info?
yeah its just bullshit
complain in erratum and maybe itll finally get changed
lol, thank you... I never think about clicking on the hint button...
ye its still bullshit lol
For the time being, think of hints as a necessity that needs to be viewed lol
it does stop though
I think that's the last question I remember where the hint was necessary
add one to your salt
had the same issue as well
lol, at least, that did makes me try almost all I knew and consider dig deeper (look for default passwords, etc.)
Can I get any love on the SQLMAP Essentials: Case 7?
What's the section name? @native parrot
SQLMap Essentials
Attack Tuning
Attack Tuning ah
That section has beating my tail
where you at so far? without spoilers
Like, what you've tried and where you're stuck
trying to get an output to show the number of columns but failing at that
I have been trying to do the union-from flag7
failing to get the number of columns? It literally shows you the number of column just by visiting the case 7 page
I tried 5 still failed to produce an answer
ok I am new to discord. how do you do that
can u put the question?
hide
why just BEU?
weirddd do you know the reasoning behind it?
||sqlmap -u http://206.189.120.154:32221/case7.php?id=1 --technique=BEU --level=5 --risk=3 --union-cols=5 -T flag7||
ok success
xd
it is a union request so only need the U
why beu?
newline, discussed here (#858470491676737536 message)
is it this question ? Contents of table flag5?
better remove technique and run with default
level 3 and risk 2-3 should be enough.
but yeah let it run, also
once you get a hit and sql-map tells you what kind of SQL injection it did, you can add technique to narrow it down when you run it next time
i literally just had ||sqlmap -u 'target' --level=5 --risk=3 --dump||
tried that and never got anything back
lucky you
I spent 2 days on case 6 because my computer would not decode the flag correctly
what did u put in target?
you guys aren't using --batch?
||ip:port/case7.php?id=1||
it's the most useful argument in sqlmap
whoops not on this command I usually do along with --threads 6
Freaking new lines, thanks so much for pointing me in the right direction!
I have no idea how that relates with --batch
gives it more than one thread to run
btw that scan just came back with no injectable points
hello.
can someone give me an explanation? I'm already giving up.+ 1 User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them.
||sqlmap -u 'http://206.189.120.154:32221/case7.php?id=1*' --level=3 --risk=3 --union-cols=5 --batch|| @native parrot try this? I don't remember exactly how I did but
What module is that?
it prolly playing around with the risk and level
also better run in pwnbox, it's faster
Yeah I tried but I think im almost there. I am not sure what to run to finish off the lesson.
INTRODUCTION TO WINDOWS COMMAND LINE -
going to try that I have not found much luck with the pwnbox
INTRODUCTION TO WINDOWS COMMAND LINE --- there is a flag hidden in a file in the documents directory. All the commands they use return only empty files. I already looked here in the forum and in the htb forum, but I didn't find help.
I do not know why the * mattered but thanks
worked?
it did
* just specifies where to hit everything at
But, I did not expect it to be the reason to make it work hmmm
I just inserted it in cuz of habit
there was something to specify as well
if i remember well
--data='id=1'
i think was
I mean that completely changes the request
That's for POST request
what tools can i use to unzip in the target machine?
if they havent unzip command
i also tried jar xf and 7z
whats the target machine
did you try the type command? like, "type note.txt"
linux
i couldnt unzip it so i just used rpivot instead of chisel
idk why with the scp -r chisel i was missing some files in the target machine
Message me for any hacking services
tar
<@&861185840277487616>
Shells & Payloads - Page 13: Laudanum, One Webshell to rule them all- First question.
Is it just me or I'm not able to access the file I uploaded, even tho I'm following the exact way the module tells me to do
||Uploaded Configuration File Name: C:\inetpub\wwwroot\status.inlanefreight.local\files\shell.aspx||
I'm wondering why you need to add a // but that doesn't matter I think it has something to do with naming or something very basic
Have you tried to upload other stuff?
it's application specific.
I just did and yeah, I'm able to view images hmmm.
Did you make the proper changes beforehand
if you dont you just get served the 404 page as part of laud's stealth stuff
Ahhh
did u add ur ip to the script?
basically what im referring to
remove the useless things as well
^ Totally forgot about this part, I was thinking in usual web shell logic
like the art and that shits
yep
||Add your IP address to the allowedIps variable on line 59. Make any other changes you wish. It can be prudent to remove the ASCII art and comments from the file. These items in a payload are often signatured on and can alert the defenders/AV to what you are doing.||
it whitelists on purpose so that people that aren't the attacker cant just mass scan and pop forgotten laud shells
which is also good just cause in general is bad form in the real world to leave a payload that opens up your client to being more vulnerable to other threats
1 question
Does rpivot create a tunnel as well?
i.e you would never actually upload the classic php webshell that just executes a get unless there was some extreme space constraints involved, and youd aim for minimum a unique parameter name to take the command.
Totally, Thanks for pulling that info out
Got it @misty current - ran command - showered - came back
man wth is the last section of pivoting my machine is gonna explode
rdp to a target to pivot to other rdp to pivot to other rdp lol
i dont get it work and i followed all
I think there was an issue with the tool they tell you to use
but its been a hot minute
transfer your favorite proxy using rdp and use that to hop to the next connection instead
I dont use rpivot so idk ¯\_(ツ)_/¯
same when I did it
hey im doing Ad enum and attacks module
kerberoasting on linux section
im trynna run the impacket tool
well time to sleep i dont get it work thanks
but i never got provided with any password or domain joined user
they used GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend in the examples
but i never got any forend password or anything lol
nvm i found the pw like 3 sections before for forend
yeah for that module I highly recommend keeping a separate credential list
because certain users and their passwords get reused a LOT in that module and youre expected to remember them
so you can kerberoast the account
kerberoasting requires a spn to be set, but the spn doesnt have to be an actually useful one to work
can you give me a hint on this "What powerful local group on the Domain Controller is the SAPService user a member of?"
what do i use for this?
Yeah but shouldn't it already have an SPN set...?
why would it?
not every account has a spn
Id use bloodhound or ldapsearch personally
might be some powershell stuff you could do instead
so do i do this for every new user i compromise?
Oh so you can only kerberoast accounts that have an SPN but service accounts typically have SPNs not usually user accounts ? -- Then what else really is the SPN used for?
Basically yes and I have no idea, Id have to google around to figure out what the legitimate usage of spns are for
Gotcha, thanks beast!
You could, but generally id just refer to the bloodhound results
Nice about me lol
gotchya, thank ya sir
just keep in mind bloodbound doesnt necessarily collect ALL information
and Ive seen it miss routes that are obvious just by looking at things, so apply brain
well rn i dont have rdp to it soo do i use like um
forgot the name of the tool that gives me interactive powershell from linux

evil winrm
oh forgot about that one
i meant on the other one but
ig that one works too
Ive not heard of another one
but then i need to use tunneling right?
depending on the env yeah
psexec is what i meant when i sad
said different tool..
ah yeah thats just for getting a shell not necessarily powershell
read that wrong
hello can I ask some questions regarding user7 stage of WINDOWS COMMANDLINE MODULE?
I'm having trouble ssh'ing into user7 at the given ip address specifically.
i wanted to post this in help, but cant. is there a better way to get started? im new to all of this info and im getting hung up on the intro to Linux. lol i know its sad. ive got the directory question done but when i get to the password, i simply dont know what to do
never mind, i got it
<@&861185840277487616>
i thought this was google
Did anyone else had trouble with ICMP tool ptunnel-ng with autogen.sh ? in the pivoting section ?
need help on "attacking SMB" section. Trying to figure out Jason's password. Every tool i use to bruteforce his password seems to not work or have a bunch of false positives. hydra does not work due to some issue with it not being SMBv1. Metasploit and CrackMapExec arent working because they are giving me a ton of false positives. Could use a nudge
Crackmapexec --local-auth
thanks. Why does that work?
Because you're authenticating...locally to the machine
I remember this one, The problem is most of us think we need to pivot to the last machine. Not the case
Might be wrong but it's because you want to use a local user
Yes actually. It's basically set up where: if you're not local authenticated then it just lets you look at it but not actually read anything
other way to think of it is that cme defaults to assuming youre referring to a domain based accounts
Anyone ever get an answer for this one?
Did you run privilege::debug?
more details.
PS C:\Tools\mimikatz\x64> .\mimikatz.exe
mimikatz # privilege::debug
Privilege '20' OK
mimikatz
Try DCSync now?
^
mimikatz # privilege::debug
Privilege '20' OK
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\adunn
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\adunn' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
mimikatz # c
Unless I'm losing my mind I thought this was what I was supposed to do lol
I'm trying to setup chisel proxy to use secretdumps, just doesn't make sense why mimikatz is working
Ah it's an issue with the adunn user I think. It's a fairly common thing that happens
People have fixed it in this channel iirc
I couldn't decode everyone else's
I meant user privs
It's okay I'll SOCKS proxy it
Oh
It says he has privs when I checked
with the command it gave to check DCSync rights
I guess he is, or else privilege::debug would have thrown something back
¯\_(ツ)_/¯
That's what I'm saying lmfao
You did everything from the section yeah?
Try logging out and back into the user?
^ I'm guessing it's a user priv issue too.
which user are you executing mimikatz as?
adunn it looks like
Ah right. I'm checking if I still have the bloodhound from this module.
adunn, but I guess I'm logged in as administrator since powershell even though I'm htb-student
This is the DCSync Section, right?
have you tried DCSync with secretsdump.py?
You can still do it.
So I figured windows easier, I'm trying to get my SOCKS proxy setup but I'm not exactly sure how to secretdump through it and specify the correct IP
How so?
it's python so platform would be irrelevant
Ah wait, the section doesn't give you a linux host.
For this section, do you need to have creds for adunn from a previous place?
true, but installing dependencies would be a pain without internet
Yeah I think so previous module
Okay, I hate that part :S I just picked up the DCsync module after some weeks break
And I can't remember where I got Adunns creds
Can you point me to what module they are found in ?
I think you are overthinking it here. You have a linux attack box in the network
The one right before DCSync
Why don't you just use secretsdump from it
And you have 5.225 parrot
10.10.15.57
Top section of the module
You are told to SSH
into a parrot box in the same network
grsdfafgdsugibj
What the
Mods feel free to erase past 30 minutes of this conversation
Glad I could help
Appreciate it, you too scriptie
Sorry I'm blind apparently
Ah, just remembered secretsdump.exe exists too
I haven't seen a single module include another IP I need at the very top lol
Tbh. I spend a lot of time goofing around in these modules : <
But I blame HTB for not communicating properly, much easier to deflect
I was confused as well, I remember not pivoting or using mimikatz for the DCSync session.
I mean as Marcie always say, reading is key lol
I still need to practice DCSync with mimikatz oof, lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\adunn adunn is the specific user you're targeting to perform DCSync on right?
With this command
He would be the one with the replicate rights
Which is kinda the kicker in this scenario
Ah, definitely need to play around with mimikatz on this one.
Going to cry
inlanefreight.local\feliter:3359:aad3b435b51404eeaad3b435b51404ee:26a3b8164ec4d5a8149f82f43012c8aa:::
[-] [Errno 104] Connection reset by peer
[] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[] Cleaning up...
Did you succeed in the DCSync part? what are you doing next?
It synced, but it is timing out or disconnecting me it appears
Using resume file
just target a specific user then
I think the AD Env is huge
-just-dc-user
I'm able to DCSync with mimikatz
No way
Actually, were you running it as an administrator shell?
yes?
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\adunn the command does DCSync on the user adunn, not as the adunn user.
Your shell defines which user you're running as, which means you were running as a local Administrator which has no DCSync right on anything
Then how did you get yours?
You don't need administrator shell for this one, just a shell from our girl adunn
That's interesting
OH MY GOSH it completed all by itself
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn:'XXXXXXXXXXXXXXXXXX'@172.16.5.5
I did nothing different besides running it multiple times
Holy smokes what a section
If anyone has some hints on windows command line final assessments, I would rlly appreciate it
where exactly
For "Shells and Payloads - Skill Assessment / The Live Engagement", is there any one know the reason ||why in MSF, only PSEXEC exploit with MS17-010 || will work, other || MS17-010 exploit in MSF ||won't? I'm really curious about the root cause. I know it's Windows Server 2016 1607.
you can increase the verbosity when running the exploit, this will allow you to see where it stops
Maybe a good idea.
just simply groom and trigger free of buffer failed. weird.
^ I had the same question in my mind
there are a few version of the thing you are looking at
you mean ntlm hash? but it doesnt accept it
poke around you will find out
User 7 stage
I am having trouble doing ssh user7@172….
if you are doing that from your machine, then it will not work
you using proxychain or smth?
I am using the htb academy pwnbox
If you are on machine A and that machine can only communicate to machine B, and you need to go to machine C which communicates only with machine B then you must use machine B
it wont work that way, if you see it is completely another network
if tun0 starts with 10..... whereas yours starts with 172..
look around
hah
Can someone please point me in the right direction for Password Attacks Easy lab Examine the first target and submit the root password as the answer.
i got credentials for ||m***|| but I cannot elevate to root
I need a hint, desperately...
Attacking Common Services - Medium: is 5 services enough? I scanned the target several times
What was the thing called, where it stored the commands you've already ran
I read that there should be more services, target does only spawn 5
what do you mean? it doesnt accept neither way like I am using secretsdump still no hit

If you are providing the whole line of the output from secretsdump, it won't be accepted
Again, there is more than one version of the file you are looking at
of course not, only nt part
on my life, academy will kill me some day with its own tricks
hi guys, im doing "Active Directory Enumeration & Attacks" module and i dont have answer on this question "Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?". can anyone give me a hint?
nvm, 5 is not enough (for my desperate buddys from the future), but this time my target spawned correctly
there are a few hints in the section of the module
is it related to SPN?
🤷
Everything you seek is in the section itself.
thanks, i answered
Hi Dpgg, I am stuck on Medium Password Attacks
I have found login for|| J****|| logged in but not finding headway
I believe there is a hint in the files you have already obtained. If those don't help, then general enumeration of the host you got onto will do the trick too
Cheers
still stuck found the database creds cannot determine who has admin/root
Hi, At "Attacking Common Services - Easy" I have gained necessary creds and also did the reverse shell upload however i am not able to execute it . Can someone guide how to execute the revshel.
Look into where you're uploading to, / directions are important
when i upload via web , its suppose to be in /xampp/htdocs/ as this is the root dir.
is it correct?
So maybe you just need to navigate to that webpage ;)
yeah thats what i am doing as hxxp://dollerip/xampp/htdocs/a.php but it says no such file or dir
htdocs
Dm me if you want
Why are you going that far if webroot is htdocs?
Cool trick here is that you can use || SQLMap to do the upload for you I believe. Try it out. SQLMap will even check for you if it's uploaded correctly! ||
Sqlmap isn't taught
It's a lot simpler
I know it isn't taught, it's still something cool to experiment with!
Wait that's a thing? I'll have to look into that
but it's honestly a very simple thing
Give me like 15 minutes and I'll check my notes
Ok let me try that one. Although i tried it before but let me give it another try.
|| sqlmap -d mysql://$user:$pass@$target:3306/$db --file-write $file --file-dest $dest ||
Awesome, tyvm
The 'Host-1 hint' from 'Shells & Payload - The Live Engagement' is also a necessity? 
I don't think I would have guessed those credentials, neither would you get them from a normal "default credentials T*" google search
yeah. But not into doing SQL stuff. Just need do it module way.
My struggle with this one was misspelling htdocs (and having the / be facing correctly)
i was able to see xampp dir its browsable however htdocs isn't
i can see that however i think its very little minor problem i am into from last night.
can you see if i am doing it right?
Brother
Yes. I am not going SQL way. I have not studied it yet.
Did they teach this in any of the modules?
Probably the sqlmap specific module but don't think that's in CPTS path
No they don't teach it anywhere in the academy. Just a neat trick. If I find Mysql credentials, I often don't bother with manually enumerating it, but I just use SQLMap to dump the entire database. Much more efficient.
The only specific module for sqlmap is the SQLMap essentials so far as I know, but yeah I didn't come across this.
SQLMap really has a lot of features huh
Yes
Thanks for sharing that, I'm adding this to my notes
Which is why OSCP disallows it xD
SQLMap too? I thought it was just Metasploit with 1 usage lol
Thanks for the tip, I will definitely try it out !
Does it require FILE/super_priv to use ?
It requires the same privileges as your manual approach does
It's nothing too fancy, just automates everything you'd otherwise have to do manually
Thanks for the clarification!
Hello! In module of "Attacking web applications with ffuf" in Filtering results, I don't understand… because I was filtering for Fs 900 and mc 200, and script return a lot of subdomains, but later I put "subdomain.academy.htb" to answers and tell me that is wrong. What is that ask me in this question?? The question is: "try running a VHost fuzzing scan on 'academy.htb' and see what other vhosts you get. What other vhost did you get?"
what kind of answer this question need? "What privileges does the user damundsen have over the Help Desk Level 1 group? " from bloodhound i found out that DAMUNDSEN have GenericWrite permission. is it wrong?
Are you sure that the command you are using is the one
I'm not sure at all, but the problem that I see is that the question is not clear, because I put vhost, I extract like… 20 subdomain of this vhost with response 200 (for example) but nothing is answer
which module/section is that?
kinda adjust the filters each time, if there are too many 200 response code, then filter that out. Find what's unique, understand the request and response for a valid vhost.
Active Directory Enumeration & Attacks | ACL Enumeration section
Ok! I try it this, but I don't understand why questions said: there are a lot of subdomains, put one, if I need a specific one, or I don't understand or the questions is confused
make sure you're not having spaces in the end or at the beginning of the answer
The question says what other vhosts you get, so maybe that's referring to the vhosts aside from what the module has unraveled so far @marsh veldt
i tried every possible form of answer with spaces, without spaces, with lowercase ,with uppercase & etc
this one right here definitely works
Try typing manually once exactly the way it's shown in bloodhound.
You probably just have some phantom space either at the start or at the end of the word/answer
It could be a false positive
Thanks all for help! I guess that i try filter and list of subdomains, searching vhosts and recursive vhost and I will try all answer
Pivoting, Tunneling, and Port Forwarding
Skills Assessment
How do I chain multiple tunnels?
Like this scenario is simple:
Me --> Ubuntu --> WinUser
But how do I do
Me --> Ubuntu --> WinUser --> AnotherMachine
I've been trying to do this with Chisel for hours, but can't seem to figure it out.
I personally hate the options they give in the course. This script helped me a ton:
Thanks @proud pine, I'll give it a whirl
there is also this tool which may come up handy to use:
https://github.com/nicocha30/ligolo-ng
Section: RDP and SOCKS Tunneling with SocksOverRDP
Is there someone who got this tool to work?
|| Am connecting via rdp to the first target --> I upload the proxifier and the SocksOverRDP and I start it --> I'm doing RDP to the next target --> I setup the server in that machine --> In the client machine I use the the proxifer and I try to RDP to the last target ||
oh could be that i think i didnt open the server as admin
the windows defenders were off
it is not working I dont know why
m doing buffer overflow on windows module last skill assessment where we have to debug a application so m using windows with x32dbg as i attach application the eip is 72..... but as soon as i run my python script for remote fuzzing it changes to 67..... but in walkthrough it shows that 500bytes can crash the application but on 0 bytes my eip changes to this 67... idk why can someone help pls ,, right one is before and left one is after fuzzing with 0 bytes
well yea u can use / as well
Thank you
cannot help im so bad in buffer overflow
the only thing i have done about buffer overflow was the 0xDiablo challenge
Pivoting, Tunneling, and Port Forwarding
Skills Assessment
Could I get any hints on the very last step to go to DC? I know the DC's IP.
you don't necessarily need to get to the DC to get its flag. however you can get it that way. smbclient would be your tool of choice then
Hi, I am new to hacking / pentesting, had HTB academy subscription for a while can someone help me or be partner in learning?
Thank you! I finally did it!
"Everyone" here will help you if you have specific questions about a module.
Being a learning partner is a bit more difficult as everyone is learning at their own pace
Hello pepoles
im doing ad module
and i start the machine
but when i rdp
its all black
restarted it like 50 times
Just hit enter when the black screen shows up
fr?
Yup
It's just the disclaimer page that's being black, you usually click the 'OK' button, but since you can't see it, hitting enter will click that 'Ok' by default.
.... this is happening like 1000 times through this module
Hello Everyone, I'm Thorsten who likes Hack.
and i always restarted the machines like 50 times
until the disclaimer page pops up
thanks man
Ah, well now you know the trick.
saved me hella time lol
does anyone know a webstore i can buy hidden cameras
im getting a hashcat hash from powerview in this format
and i can not copy it...
what do i do
not the right place for these questions 
where would i ask
doesnt say where i should post
do it with rubeus with /nowrap
or just pipe it to Export-Csv .\ilfreight_tgs.csv -NoTypeInformation and cat the csv for a copy pastable hash
no..
it says hosts 1-3 will be targets
so all of them are in scope for vulns
ah alright, ty
not necessarily, but they've just narrowed it down
you could check with crackmapexec's winrm module?
any hint in skill assessment pivoting, tunneling and port forwarding?
Awesome
Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
i found a lot of IPs but no of them is correct
i remember that
for me it did not work
it never showed that host
🤷
i tried uploading the archives to create a tunnel i cannot either
Hi
How do I find the order of the modules to do??
for i in $(seq 1 254); do (ping -c 1 172.16.5.$i | grep "bytes from" &); done
check this
ty it worked
Depends what your goals are. But in general, do fundamentals first (Linux, Windows, Network), then either CBBH or CPTS paths are both good options
I have stuck in footprinting module, Oracle database part
When I run
odat all -s 10.129.***.**
it show something like this
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
Try running as sudo privilege
Any hint for pivoting, tunneling and port forwarding skills assessment am trying to dump the lsass
but i cannot transfer the archive to anywhere
you done that module?
yes
I am not sure whether this will work or not, but it takes me a half hour
PM
even u can use sqlplus to interact with the database ( with the given creds) take much less time
You can dump locally
how i havent any tool
Transfer mimikatz over
.
If you're using xfreerdp you can do /drive:path/to/tools, or just drag and drop
nvm i got it
can someone pls help me with bufferoverflow on windows module pls m stuck at last skill assessment
i was trying to transfer it using the wrong NIC
can someone pls help me with bufferoverflow on windows module pls m stuck at last skill assessment
@zinc marsh i checked the walkthrough the guy did the same things m doing but idk whats the issue have u done the module ?
no
@acoustic owl if i pay the subscription now for 7 euros until when will the subscription be until July 3 or until the end of the month
july 3
@zinc marsh So from number to number
any hint in pivoting skill assessment? i got the password for the user vf* but i am not able to login
yes
nvm
i was writing something wrong in the password i think
Perform Ping Sweep twice in a row. Then you should be able to find the host and log in with the found user
Oh -.- i logged it as vfrank in the same pc
Is there a way to use my work station thru a vpn connection and a vm so that you don't have limited time?
Yes, this is possible
How can I do this?
Just download the VPN File
https://academy.hackthebox.com/vpn
Thank U
someone who completed the pivoting skill assessment to ask about the flag of the last question?
i think i got it but it says is wrong
Check the flag again.
Check for spaces at the beginning and end and check that you have copied the entire flag.
Need some help on the attacking drupal section in Attacking Common Applications.
I found a way to upload a new account to drupal-qa and am trying to upload a backdoored module, but can't find where I can upload modules.
Also… the metasploit module for drupageddon at the end of this section doesn't exist…
Could someone give me a nudge?
Hi, all. Can someone help me on Password Attacks Medium lab? i got user D. But stuck here, hints says history file. When i read i dont know how to abuse it. Also cracked d priv key.
Perhaps if his key is locked it can be used for someone else
does anyone have a second to help me on the nmap enum module. I think im looking at it wrong
Thank you,done rn. But how to know that?
Sometimes leaps of logic are required
Command Injection Skill Assessment was something else lol
I've completed it for now, but I'm curious, has anyone completed this utilizing the OR operator?
hey guys Im stuck on Q 8 Password Attacks "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). " any help?
There's a daemon that runs the realm
ok lets check thx
Please speak in English
Sorry
Hi, I don't know English, I'm using a translator.
Is very important to Know English, my English is bad, but always try to understand the conversations
Yes, but hey, I'm also trying to learn English and you're from
I am from Argentina
From Argentina I am also from Argentina, what part of Argentina are you from?
We can speak on #general room it is not the best place
can anyone please help with Introduction to Deserialization Attacks module, Skills Assessment I. I can get it to ping but cant get shell
Not the place for this question, look here to see where to ask this https://discord.com/channels/473760315293696010/477042232109826048
Inb4 "can't see those channels"
Hi, may I request for some pointers for Whitebox Pentesting 101 Skills Assessment?
I asked for some help but I am still stuck. It seems that the ||/ping|| route is the entry point for the command execution. I understand that what I needed to do was to read a file on the remote server and write it to a file as stated in the hint.
For the following curl command, I am using whoami as an example to check if my understanding is correct for the payload? Also, if I were to use burpsuite repeater, do I need to change the Content-Type to "Content-Type: application/json" as well?
||curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"; const { exec } = require("child_process"); exec("touch test");};//"}' -H "Content-Type: application/json" ||
It seems like|| execFile()|| will only execute the ||ping ||command in the server side code and not possible to chain any other commands?
However, it also seems like the|| eval()|| function is using ||back ticks `|| and the|| eval()|| function treats the template literal expression as JavaScript code and will executes it?
Or will this curl work?
||curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"}; const { exec } = require("child_process"); exec("whoami");//"}' -H "Content-Type: application/json"||
Any kind help will be appreciated.
It's hard to get help for Tier3+ modules, huh. I see most of them go unanswered here.
its very hard
Ahh, makes me want to get them. They look so interesting. But, I'm out of cubes for the month and resolved to the CPTS path.
hey you up
These modules have been completed by only a few people so far. Therefore it is more difficult to get help for them
True, btw how do you view the number of people that have acquired a particular badge? It only shows for the badge which you've acquired but the only thing it shows for me are sharing options.
You have to share the badge. At the bottom you will get a link. When you open it, your badge will be displayed, along with the number of people who have also received it.
Hello all, if you are stuck on Firewall and IDS/IPS Evasion - Medium Lab from the "NETWORK ENUMERATION WITH NMAP" module and you believe your command or approach is correct, try it from the attack machine provided by HTB as I think it's an issue with the local machine connecting to the lab environment (not sure tho but this is what I think), I was stuck for 1 hour then tried doing the same thing from the attack machine provided by HTB and it worked immediately.
You don't need to add NTLM authentication to establish a session tho.
Use the normal client.py --server-ip <IP> --server-port <PORT>
Unless you're testing out the feature, that's a different case.
How does Hashcat (or any hash cracker) know it's found the correct password when it's attempting to find the password used to encrypt a TGS ticket?
page doesn't load? what are you trying to do again?
So you're trying to visit the page on the DC?
Using the normal command, you do get the Connection Established confirmation right?
are you making sure that you're running the browser with proxychains?
can you show me the error when you try to visit the page
These tools are designed to automatically guess/confirm the hash type, because most hashes have a unique set of characteristics to them. It compares those characteristics to find the hash type.
But when attempting to find the password that was used to encrypt a TGS ticket, we give Hashcat the hash representation of the TGS ticket and tell it what hash type it is (13100). So it isn't trying to find the hash type, but find the password used to encrypt the TGS ticket?
Ah, my bad. I read your question wrong. I need my coffee 
can you show me the proxychains output? when you're running the command proxychains firefox-esr <IP>
Yeah, can you open it and see if the socks port is mapped correctly?
Guys do anyone know how to jailbreak ChatGPT
can you also try to run proxychains with sudo?
Are you sure you're using the right proxychains config? Like are you editing /etc/proxychains.conf or /etc/proxychains4.conf?
Any hint here would be nice.
|| I know that there used to be a flag1.txt in /var/www/html and I know there's a mysql ||
Yup
.
Can you show what you did on the pivot host?
Just for debug purposes can you do proxychains nmap -sT -p80 <DC_IP>
and paste output along with the proxychain logs
proxychains are working fine I guess.
Can you do a curl with proxychains?
Did you have any firefox windows open while executing it?
Close all of them and try again
Yup
But, I'm curious about why firefox wasn't working lol
You don't have any socks configured in firefox right?
Thanks, just found it.
Did it work when closing all firefox windows?
Because I think that's what messes it up
you had a running firefox process that wasnt started with proxychains
When you try to open another tab with proxychains it opens it as a child process so technically its still not being routed with proxychains
Are you able to see a page now?
close your running browser and do it again
That looks better, it's actually spawning firefox