#modules

Getting the same error over and over

https://www.exploit-db.com/exploits/49211

https://academy.hackthebox.com/module/67/section/910

For those who stuck in Vulnerable Services, I directly download this ps1 code from exploitdb, and modify it, and add htb-student to administrator group, that's it. NO NEED TO USE STUPID REVERSE SHELL

DON"T WASTE YOUR F******** TIME

don't use caps

sorry, my name already is

lmao

if you haven't added the required line at the end of the reverse shell, of course it wont work

regarding JP, you need to find a working CLSID

their script GetCLSID's didn't run on the box and the I've tried the first 10 from the Github list

So very fustrating

hello, i am currently on Attacking Enterprise Networks - Lateral Movement. When trying to add the ilfserveradm user to the local admin group, my bat file being executed by sysaxschedscp doesn't seem to be working, and i am confused why. I read the log file and this is the error i got:

C:\Windows\system32>þn
'þn' is not recognized as an internal or external command,
operable program or batch file.

but the command that i typed into the bat file isn't even remotely close to whats being executed... whats going on?

Anyone at all done / on the Skill Assessment for Whitebox Pentesting 101? I just cant get the last piece of this to work to achieve command injection, and would love to chat with someone and get a nudge/bounce ideas off. 🙂

note, that not only JP can exploit the privilege

Yeah thanks, I might try other iterations. I just really wanna get this stage done been here for a few hours and have all tools and connections set up : - D

bro

@silent scarab

come to dm for a sec 😂

I made a XSS payload, but it wont change the text to test, why?

<p id="msg">text bla bla</p>
<script>document.getElementByID("msg").value="test";</script>

which module, and where are you injecting this?

Cross site scripting - Stored XSS

I just want to make it so that I can see my own cookie in the list, its not part of the module but I want to see if its possible xd

Giving it a rest for now, i know my Shell works and ive tried just about every combination of calling the exploit and CLSID’s

<p id="msg">text bla bla</p>
<script>document.getElementById("msg").innerHTML = "test";</script>

value property is used for form elements like input fields, not for changing the text content of HTML elements like paragraphs

Aaaa

True

Thanks

It works now

👍

dm you

Hey there,
I'm working on Attacking Common Applications section Attacking Applications Connecting to Services.
I have solved the question but ran into an issue which I hope someone can explain to me:
When I run gdb on the binary, I get different addresses than shown in the example. I'm aware gdb has countless options but I'm not sure what I'd need to change. my best guess would be endianness but that doesn't seem to change anything. Here's what I'm getting:

SO every time the url adds a # in front it is a dom based script?

hello can anyone help regarding this Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.

module: AD enumeration and attacks

section: Attacking Domain Trusts - Child -> Parent Trusts - from Linux

If you mean to ask if every time you see a # in the url that webpage is vulnerable to a dom based XSS, the answer is no because it's not granted that the sink function is not sanitized correctly.. and if it is, you can't do any dom based XSS attack on that parameter
If you mean to ask if there can only be a dom based XSS vulnerability if an url has #, the answer is again no, as it could be vulnerable also to other types of XSS attacks with different parameters

Oh finally! Wow that whitebox pentesting skill assessment took me way longer than it should have! Tricky thing!

you need to escape

'><script>document.getElementByID("msg").value="test";</script>

or ">

Aaa, oke, thanks

.

This input worked

Idk if both work xd

oh no

i didnt read your payload properly

you are using value

as the value you want to get from that id

but innerHTML sets that value and is correct

Yeah, thanks for taking your time to try and help (Even though i got the answer above hehe)

Hello

Hello, I have two questions regarding Login Brute Forcing - Service Authentication Brute Forcing. The exercise asks to brute force a password and get the flag. Since I just finished the nmap module I thought it would be interesting to scan the target machine. While during this I couldn't find the 22 tcp port opened, it was always filtered or open|filtered. I tried -sS, sA, sT, sF and sN, changed the source port to 53 and 88, decoys, and --data-length 30. My questions are: Am I supposed to find port 22 open? Is this obsession good or am I just wasting time?

The ssh service on that host machine is not running on port 22

You are given a target which is composed of IP and PORT.. that is the port you have to attack, not 22

Ok, thank you.

sorry someone knows if we have a spanish comunnity in hackthebox discord?? or someone speak spanish im really noob

i have noob problems with module 23, bypass LFI?? someone can help me please? or say me where i can search in discord channels? im noob

I am not aware of any Spanish HTB community, however if you manage to explain your issue in english someway, you could get help here

@hasty solar Can you perhaps help him?

Couldnt you just translate with chatgpt?

Hey Wiz!
I speak Spanish and can offer my assistance for sure! Although, right now I am far from my PC so will not be able to guide you correctly at this precise moment

thanks i can explain in english but i want to know if i am the one from spain in this comunity

thanks

i go with that

No, I think there are people here from all over the world.
Spanish is spoken in many countries, so there is a good chance to find people who can speak Spanish.

And you are certainly not the only person here from Spain

'"

Btw I didn't know Wiz Khalifa was Spanish and isn't that confident in his english.. now that's a news for me

I'm doing module 23, section 1491, LFI Bypass. When I enter the commands in the URL as described in the exercise, the page's response doesn't display the characters next to the image, like in the image shown in the description on HTB Academy. I've tried it on Ubuntu and also on Windows, using Chrome and Firefox, but I'm not getting the expected response. In the first exercise, I have to change: http://159.65.52.96:32032/index.php?language=languages/es.php to: http://159.65.52.96:32032/index.php?language=languages/etc/passwd. The expected result should give me the characters as a response, but in my browser, they don't appear, and the page remains blank. However, in the previous exercise, I managed to reach the flag, but it also didn't display the other characters. In other words, I receive a response, but not all the complete characters as shown in the example image on Academy. I apologize for the lengthy explanation.

hello everyone. i am attempting the AD Enumeration and attacks skill assessment part ii and i would like some hint on question 10. For the user CT***. anyone?

Crack this user's password hash and submit the cleartext password as your answer.
someone to help me out please

just a im a fan of wizkalifa

your emoji is a spanish celebrity: "El Risitas"

Hi,
Could someone help me with the "Working with the Registry" section of the "INTRODUCTION TO WINDOWS COMMAND LINE" module. I'm stuck at the question "A registry entry is made up of two pieces, a 'Key' and ' ' . What is the second piece?"

I don't really know how someone could help without giving you the answer.. I can tell you that it starts with the letter 'v' if that helps
If you just read the text you will find the answer

I actually knew that he is Spanish, that's why I used it

Thanks for ypur help
I've read the text many times but I'm confused because the answer isn't "values"

Try to reload the page and make sure that you have no spaces at the beginning or end of the string.

Ok thanks

I am pretty sure that you are not supposed to write that word plural with the final 's'

As neither the word "key" is plural

Scusate c’è qualcuno che parla Italiano?

I have reload the page and it's work, thank's a lot !

Wait, was it plural with the final s?

Yes it was with "s"

Oh

Ok

Yeh I'm also surprise

Anyone else have trouble with the TE.CL question in HTTP ATTACKS? I can't even produce a "400 Bad Request" response with these two requests:

POST / HTTP/1.1\r\n
Host: tecl.htb\r\n
Content-Length: 3\r\n
Transfer-Encoding: chunked\r\n
\r\n
5\r\n
HELLO\r\n
0\r\n
\r\n

GET / HTTP/1.1\r\n
Host: tecl.htb\r\n
\r\n

questino about sqlmap section, so in this lab there is --prefix option, when do i know what prefix i need to use?

like below they gave me the source code but what when its black box and i have no idea like whats running behind

hello. I have a question about "Security Monitoring & SIEM Fundamentals" assessment, I don't really understand why the last two questions are not the same answers.

Of course tell him to dm me

Hello, is there a way to keep the web vnc as full screen ? Each time I go to the next section it goes in a "window" mode ?

just refresh the page of the vnc

no way to keep it that ways without having to refresh each time I presume ? Thx anyway

It only does that if the new section you change to also has a docker instance.. if the section you change into is not a section with where the instance is required it will not rescale the window

And I don't think there is anything you can do to prevent it from rescaling

I think it has to do with the way the webpage of the new section you visit requests that instance on the screen, each time you refresh or visit a new section where the docker instance is present, the page has to request the instance to be scaled to the resolution of the box and this affects the other full page too.. as they are virtually the same instance

that's what i taught, it's ok it is just a minor inconvenience thx for the explanation

someone to help out please..

@south sentinel

How did you get the foothold? Anyway the hint provided should help a lot

Hello, I am really new to this stuff and I need some help setting up my vm and vpn. Could somebody please help me. Thank you !

Check out this Module

https://academy.hackthebox.com/module/details/87

Try a different HTTP method

need some help with attacking dns

ive already got a list of subdomains

but whenever i try dig any of them i get nothing back

Which module?

attacking common services

okay, what exactly did you try?

i used subbrute and got a list of subdomains

i then did dig axfr @subdomain inlanefreight.htb

Keep in mind that htb is not an official TLD, so you always have to specify a name server.

so do i need the inlanefreight to end in .com?

no, the TLD htb is correct

but you have to specify a name server

dig AXFR domain.tld @targetip
```

ah

i will try that now and let u know

For Web Skills Assessment - What method do we use to determine how to reset user password? I don't see anything in the module but I could be overlooking something

I should have thought of that

Wait I'm an idiot

you actually helped

with that completely useless answer

I spent like 1.5 hours yesterday and today without reading the username and password was given to me

Thanks

got it now thanks

Anyone around for a sanity check on Windows priv esc: Pillaging. I've restored the files, || dump the sams|| found the hashes but all attempts to submit are failing. NT, NTL, LM not sure but none are working for me. Wanting to confirm steps taken are accurate.
https://academy.hackthebox.com/module/67/section/1637

do'nt use samdump, use the other one

I used impacket for it, can someone validate my findings

You probably got the wrong data

Ok, think maybe one overwrote prior restore. Thanks!

Spot on, thanks!

Hey ya'll, currently taking Pentest Path, in Footprinting module.

stuck at Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer?

Not sure what to do next.. ran every single cmd in the module.

Any tips?

||rpcclient|| is your friend

Thanks @acoustic owl I'll dive a bit deeper.

Will previous modules apply as I navigate thru these boxes? Or will the information mentioned in the module be suffice to solve questions?

Also getting NT_STATUS_IO_TIMEOUT or connection disconnected .. is this normal? Sometimes occurs for cmds I've previously ran, am I querying too aggressively or is it part of realistic behavior?

Also getting NT_STATUS_IO_TIMEOUT or connection disconnected .. is this normal? Sometimes occurs for cmds I've previously ran, am I querying too aggressively or is it part of realistic behavior?

Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.

You are looking for another plugin here. Check the wpScan Output. Scan with a Token

Tried this on the ms01 as user ab** and also as user br** but I am not getting any hashes

n00b question about meterpreter shells, can you not see the output of running something like linpeas.sh inside of them? Do you need to drop into a regular shell first?

You should be able to see the output just fine.

Really? Shit. Should you need to use the execute command for that? This is kind of a retrospective question, but I definitely feel like I messed something up, haha.

I'd have to see what you were doing to really know what you mean.

ACL section in the AD Attacks and Enumeration module, can someone help me with the correct query? The one I am running never populates anything? "What is the ObjectAceType of the first right that the forend user has over the GPO Management group?"

Fair enough, I probably should have taken some screenshots or something. Effectively just used upload to throw linpeas.sh onto the machine I was in and then tried running it, all I was getting was a process started response, or something along those lines 🤷

If you want to DM me and show me some screenshots, I can work through it with you.

Appreciate that, like I mentioned before, this is more of a question in retrospect than something I actively have rolling at the moment - but I'll take you up on that offer and recreate the circumstances later 🙂

Thank you!

Anyone else run into this issue in the Windows Priv Esc module where in the Pillaging section you add the d cookie for the slack.com website, refresh the page and nothing happens?

"Introduction to Academy"

Is this not an introduction? I have just spent 15 minutes searching the the archive here and seen not a single response to anyone asking about the non functional internet on the workstation. I'll go one further, and probably show how dumb I am with this but...

WHAT TARGET WEBSITE? Didn't it open the VM I'm supposed to attack from? I have no concept of what the scope is, there's nothing on my desktop that indicates anything other than a blank parrot instance. I have no target.

Not understanding anything additional I terminated my instance thinking I'd done something wrong, and now it turns out I absolutley have

It took me 20 minutes to shut myself out of the system.

I'm completely at a loss as to what I was supposed to do with the VM

I am going to be honest, if you're struggling to follow that simple exercise, then you may be into a hard time. The intro module is the easiest it comes, and the later challenges can get pretty tough. What you have to do is literally explained in the text, and is the basis for doing pretty much ever exercise later on.

To explain what's needed, you click to spawn a target. Then when the IP address appears, you click the IP address to copy, and then paste it into a web browser inside the pwnbox (or your own VM). If its pwnbox, the firefox browser is a shortcut on the top bar.

Yeah but I think he's claiming that he didn't knew the IP addr is linked to a web server, so he didn't knew he had to put it in the browser

Yeah... except the target link literally says "http://<ip>". If they're unaware that it should go into a browser, there's going to be a very steep learning curve.

Which, is... somewhat fair given that in the whole section nobody mentions that procedure.. but I mean, you can pretty easily deduce that the target IP is linked to a website from the question itself: What is the proof text displayed in the Target website you browsed? it says "target website you browser".. it should be obvious what you have to do with that target IP addr.. you have to browse it

Oh, is it with the http in front?

Nah it's not

I just checked

It's a normal IP address

True, but scroll up

In the text, under Docker Target

That text is straight up wrong.. should be modified.. the image also is wrong, as it shows the target with the "http://" in front, which it does not have.. even though also the text says the target is in the form of: http://<ip>:<port>
Which again is wrong

There is no direct indication that says the IP should be put in a browser.. nobody spoon fed him that info, but as I said, I think from the question, it should be logical

It's not 'wrong' - it's just not hand-holding someone who would have zero experience.

Well

Actually

It is wrong.. it says and I quote the instance will take the form of http://<ip>:<port> after spawning, i.e. http://157.245.40.149:30655
And it also shows a bs image below where the target is spawn the http:// in front of the ip
So there is no denial it is indeed wrong

But I agree on the spoon feeding part

Instructions on the page are:

1. Spawn your target!
2. Spawn My Workstation if you haven't done so.
   3. From your workstation, open Firefox and browse to the target URL.
3. Answer the question below.

Literally does say (- -)

You're trying to read into it in a way that it doesn't mean. For anyone with even the slightest bit of knowledge, they would understand it.

This just sounds like concern trolling.

Is it possible that Slack patched the vulnerability that allowed you to use a stolen cookie to get a list of credentials? It looks to me like the Pillaging section of the Windows Priv Esc module will need to be updated. This exploit doesn't appear to work anymore.

I believe its noted in the text

It's not about knowledge.. the image is lying.. I don't really know how they got that screenshot to show the http:// in front of the IP address, but it NEVER happened in any module I've taken.. they have either made that image up, with inspect element to prove the point lol OR there was a previous version of HTB Academy where the targets actually looked like that

No IP address ever appeared for me

Btw, if you want some help with starting and all you can DM me

Well, I don't see it mentioned and you're supposed to use this exploit to get the next password to complete the other challenges in this section.

I never received a prompt providing an IP address to review.

Nonono! I made the same mistake. Its not Slack you are connecting to. There's a dummy site faking slack.

The only IP address listed on the page is labeled as an example.

What's the address for the dummy site?

You click to spawn it

Wait... did you try to exploit actual slack? That's uhh... a crime.

Clicked that. Saw no IP

I just assumed that HTB had set up a bunch of fake users on their site to extract their creds from.

You're onWindows Privilege Escalation -> Pillaging right? Question 3 about Grace?

I'm sure I'm not the only person who made this mistake.

It's slacktestapp.com

Yes, that's where I'm stuck.

There was a sub interface with links that allowed me to open the VM in another window

Its in the question:
Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag.

But I saw no IP addresses anywhere

Someone provided me with that URL as well and it doesn't work.

Open in another window, terminate, or restart

those were my options

Made sure to disable my Ublock

Its in the question section under the pwnbox

Try a different browser

I can't now, I made the dumb mistake of terminating my instance

¯_(ツ)_/¯

You dont need the pwnbox to spawn the targets

And I have an IP from my host sstem.

thank you

This thing? That's what you are meant to steal the cookie for. You need to get Grace's cookies for it. 🙂

Whenever I navigate to that site, I get an error that it's having trouble finding that site.

Well.... that site, is the end goal, not the start

Have you added it to your local hosts file?

You need to access it inside the RDP as well

Okay, I'm rdp'd in and the cookie editor isn't installed on Firefox and you can't install it. The page just spins when you attempt to search for it.

This entire section referring to using the cookie editor needs to be removed from this section. It's not available anymore.

You're right. Looks like the VM got updated. But you don't need the cookie editor really. It just makes it nice and easy. Just press F12, goto the storage tab, cookies, sitename and edit the cookie manually.

Yep, I'm with you, but it won't let you edit cookies here either. That's not an option.

It does

I literally just did it

Just double click on the value field.

The d cookie already exists

You should also try base64 decoding the cookie (not for the exercise, but for the lulz)

I really don't get it. I can't edit the value no matter what I try and the d cookie doesn't appear on my end at all.

Anything else I can try?

Nevermind. I don't know what happened but it suddenly let me edit it and paste in the cookie! Thank you!

Do you know of any hints for the next one? I've tried following the lesson and I get to the point where I create the Restore folder and when open it, there's just a FileToBackup.txt that appears to just be a sample file. Never mind. It's the administrator password I can't seem to get for this one. The previous one was right on the desktop.

Would anyone know how to exploit CVE-2016-9565 nagois

why are you asking if anyone knows?

Because I’m having trouble on htb’s inject machine and wondering if someone could give me pointers

for "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer. " on the Footprinting SMTP lesson, where in the lesson does it show me how to get the answer.

Do I use the VRFY command for each user listed in the wordlist one by one?

because that does not seem right

everywhere I've searched it's either been people saying to use nmap, which only gives root, admin, administrator, etc as usernames, or to use metasploit.

The smpt-user-enum standalone script isn't working either

So correct me if I'm wrong, based on my research, it looks like the only way to get the answer is to manually brute force telnet with the usernames in that list, or use metasploit

Even though metasploit has not been covered so far in any of the lessons in this learning path.

So I just confirmed, the only thing in the lesson that shows you how to find it would be manually entering every username into the telnet with the VRFY command to find it. smtp-user-enum script does not work. The nmap script does not work. Metasploit DOES work, but if you avoid Metasploit that doesn't help.

Has anyone found a different way of doing this?

Is the skills assessment for the shells & payloads module broken? There's not a web browser in the vm that you can use to browse to the page

It's hidden, but you can still access it

Which browser is it? because I'm not seeing one. Only one I see is the link to the tor browser and that's broken because it's not downloading it

How would you run something if you didn't have access to a GUI?

I found firefox installed but it won't launch lol. Wtf. Is getting a browser up part of the skills assessment or something.

Because if so that's pretty silly

You can launch firefox by literally typing its name in your terminal

Does anyone know the differentiation between the run and exploit commands within msfconsole?

Same thing

Tell me again how you can launch it from the command line

Hmm, I've actually had success with using run rather than exploit using the same exploit

They're aliases, they both execute the exploit

Try restarting your instance

Ah

Let's see. Hopefully that fixes it

It was driving me nuts lol

You could also open chromium from burpsuite xD, i believe it's installed

I didn't see it. Maybe I'm just way too tired to really be doing this lol. My ADHD meds wore off hours ago

Do you get a proof or some type of unofficial 'cert' for completing the Job role paths? (Pentest or bug bounty)

For imap/pop3 footprinting on the question"What is the customized version of the POP3 server?" Dovecot pop3d is not working.

That's all nmap gives and there is no information when using openssl

Is this another case of stuff not being in the lesson and I have to search for it or am I missing something?

Your close... Missing the full version

Yeah, there's no full version showing in nmap

or the openssl command

or the commands you can run from the openssl prompt

even with -vvv nothing

Module - Sql Injection
Section - Union Clause

Question -
Connect to the above MySQL server with the 'mysql' tool, and find the number of records returned when doing a 'Union' of all records in the 'employees' table and all records in the 'departments' table.

why is this not giving me the right answer :
select * from employees UNION SELECT null,null,null,null,null,null from departments;

Check a few more tools PNW.

Found it, I had to put all of the leading info, not just "vX.XXX"

Check what happens when you connect you're definitely overlooking it

haha

Lol just as I was nudging

I did the version, then with POP3, then I gave up and started going down the rabbit hole.

Thanks guys

Where do I even start for the admin email address?

I linked a site to useful imap commands a while back

I'm using the ones on the lesson mainly

Yeah but you're not gonna get all the info

How do I even know I should use imaps and not pop3

?

Neither imaps or pop3 are showing any messages

Like I said the commands they give you aren't going to give you everything

So is the fact that there are 0 emails normal?

#modules message

No

You're not in the right email folder if that's the case

I see

I didn't realize there were multiple folders

That's why the list command exists

Thanks for all of the help. I wish the lessons linked to more resources.

Are there walkthroughs of the lessons for those of us that don't want to bother the helpful folks at discord every time documentation is lacking?

I've complained in #858470491676737536 about it

I would complain but 96.5% of the time I'm being an idiot and/or missing something obvious.

I feel that, it's happened to me more than I care to admit

Still, when you spend 3 hours troubleshooting with the documentation given only to find out you needed to go to hacktricks or pentestmonkey it kind of makes you doubt the platform more.

tbf like 96.5% of the complaints I see in erratum that arent like grammar/spelling corrections do tend to be people just being dumb and not doing the lesson properly.

But the very few times it isnt is basically, "Oh yeah everyone whose been on academy for awhile knows this. its been broken for 7 months"

What about missing information and lack of walkthroughs

Usually the person being dumb about the lesson. A couple of notable exceptions however.

Being dumb might be too harsh, lacking required prerequisites is more typical

For example IMAP/POP3 footprinting: I'm trying to figure out how the lesson and information given would lead me to an admin email address

and access to emails/flag

The rule of thumb here is that you have to be comfortable searching documentation of a web application service youve never seen in order to discover how it can be leveraged properly.

Anything within that realm or approximate equivalent can be pretty fair game to me.

I understand, but I don't see where that is outlined in the curriculum

It isnt. thats the point.

If I were to take a course in "The Afterlife" I would expect the teacher to have me read "Dante's Inferno" if it was part of his curriculum

This isnt english literature, this is hacking

You have to have that spark of curiosity in you

Or at least hint that the material was included

no course can teach that, it can only encourage such behavior

I mean the module did. It provided some information about the service, with some hints about how to interact with it and then instructed you to figure out how to interact with it more on your own. and submitted flags as proof of this accomplishment

No madf0x, bring me my silver plate now!

I totally understand the frustration of tackling a technology youre unfamiliar with and trying to get it to do what you want it to do. But the stubbornness and curiosity to make it happen and the enjoyment of it finally working is the very heart and soul of hacking.

If that sensation and frustration bothers you or doesnt feel worth it, then perhaps there are other aspects of security or something youd be more suited for.

No, I'm determined, just expected a more comprehensive and detailed curriculum for the price I pay. That being said I appreciate the help I've received here so far.

Came here with a decent background and having completed THM Offensive Pentesting, just looking for the next step.

I mean the short answer is using an email client

So anyway for IMAP/POP3 "What is the admin email address? " question, if I've tried all commands, what's next?

one reference is asking me to "tag <command>" where HTB is asking me to "1 <command>"

Do you mean all commands from the module?

Or what I linked

and the links provided

besides logout

Im just saying sometimes the entire intent and lesson behind a section is to have you go off and explore new stuff on your own. Handing that to you directly inside the section would defeat the point.

Well if you read the email you'll get all the relevant info

I haven't read the email yet.

I can't even access an email

Just curious, how many active boxes do i have to pawned to get to hacker rank?

Then start with getting to the right email folder lol

Not relevant

Read #rules and #welcome

Start with the command to list all folders

yeah, did that, got 4 results

Alright then start there

Like you're complaining about a trivial issue

no matter what inbox I go to there are no emails or anything

Then you're doing something wrong

Lmao

so what would you reccomend?

Note there are no emails on the pop3 service

There's a reason I'm saying imap

yeah, I'm working only in imap

pop3 made that clear pretty quick

otherwise I would have been way further down the rabbit hole

so I tried to fetch headers

fetch messages

Double check that all branches you're looking at are empty

pretty much went through every command in the two links and the HTB lesson

?

You can't fetch a header for an email that doesn't exist

Are you actually selecting the folder

Like I said there has to be something you're doing wrong lol

show terminal output of your attempt to list emails from each of the folders you found.

alright starting from scratch

Cause I think were in devil in the details territory

and if were not. details will at least reveal where the misconception is

LOGIN ***** *****

with username password, not showing them for spoilers

then
1 LIST "" *

use triple backticks at the beginning and end to wrap your terminal output

so it looks like this

test```

nope

didn't work

test

there we go

my bad

okay so

1 LIST "" *

then

1 SELECT DEV.DEPARTMENT.INT

I've tried all of the tag STATUS INBOX (MESSAGES)

and those types of commands with no luck

You realize the status inbox is only showing status of the inbox folder, not the folder you're in

I also wanted to see direct terminal output of exactly what you typed in AND the response you got back.

Ctrl-C Ctrl-V

I have no idea what's going on past the module to be honest. I kind of grasp the extra resources you've given me, but other than that I am lost

They aren't verified so the bot may yeet it

You guys have been trying for 90+ minutes now. I don't think it's going to work out lol

then they should verify their account

hey now Ive only tried for like 10 minutes and 8 of that was ranting about hacking ethos

Its fairly obvious you're lost. Because you're blind copy/paste without understanding what you're trying to achieve

And without knowing what the command you're utilizing is doing

I can't copy the screenshot in

dont need a screenshot

It's like watching sisyphus.

just copy paste your terminal and wrap it in backticks

Your pfp is wildly fitting and it's slightly sending me

hit 2000 character limit

Do it one command at a time

cut it down to the relevant parts where you try to list emails

yeah bot yeet

verify your account

Verify?

#welcome

so you dont have the boring white name

I am signed up already

yeah but youre not verified here on the discord

so you have restricted permissions n stuff

Did that not come with the year long membership?

Bro you have to verify your account

read #welcome

Okay

Discord doesnt magically know who you are

I'm used to forums

this is the second time I've used Discord

or at least the second community

No worries, basically theres no way for HTB to auto link your discord and your HTB accounts

^

so you gotta follow some instructions from the bot to do so

It helps mitigate spammers n such

word

I need to take a break

At this point bro should just contact support

Clearly there is a severe misunderstanding somewhere

Hed have to verify his account for that

^

Layer 8 OSI issue.

It's how they offer the discord tutoring

Nah layer 10

Im trying to be nicer to a fellow PNW peep

Double it and give it to the next person

What's PNW

Pacific Northwest

Ah

Washington/Idaho/Oregon

I might hit up support, we'll see

though we only grudgingly accept Idaho

Yeah no worries, tho ur still not verified XD

inb4 he says hes from idaho

Bro from Ohio

if an ohio person is using the PNW tag we about to throw hands

I don't consider Idaho in the PNW

They're like a border to Montana for Washington

Idaho is Idaho

For real!

yeah but 'officially' theyre PNW too

True, but they don't throw hands, they throw potatoes.

Enterprise Academy doesn't sync with regular academy hmmm 😟

I verified my account

dm you

test

Test SAT

noice just made hacker

Congrats!

thank you kindly

Know anything about IMAP footprinting?

Are you on the footprinting lab - hard?

no, IMAP/POP3

question is "What is the admin email address?"

how far did you get

I'm authenticated and have found the directories with * LIST

other than that, none of the directories have any emails

I was trying to use the command :1 FETCH <ID> all Retrieves data associated with a message in the mailbox.

but there's no <ID>

Someone gave me a link to some other resources and none of those commands work either.

https://www.atmail.com/blog/imap-commands/

https://www.funoracleapps.com/2022/01/how-to-access-imap-server-from-command.html

once you authenticate to the imap server, you use the credentials provided to actually interact with the IMAP services. From there give this a read.

https://donsutherland.org/crib/imap

These commands do work

Why is it prepending everything with A1 instead of 1 like the lesson shows

Does it matter or does it have to be homogenous among each session?

I'm interested in that answer as well. I just know it works for me.

I pulled those last two questions just now.

Cool, thanks, will work more

This is what I got

'''tag FETCH 1 RFC822'''

Why that command?

if I can find a link to it I'll post. Should have found that first...

no worries

Though I would save it. I've used it a few times already.

Weird, that works for the question in the last section of the module, but the one before that I still can't get

"TAG" is an identifier for the command sent from the client to the server. It can be any string but it should be unique for every command within a single connection. The server will use the same tag in its response to indicate which command it's responding to.

"FETCH" is the command itself. It tells the server to retrieve specific parts of specific messages.

"1" is the message sequence number of the email message that you want to retrieve. So in this case, it's the first message in the mailbox.

"RFC822" is a message data item identifier. When used in a FETCH command, it tells the server to return the full, raw source of the email message, including the header, body, and any attachments, in the format specified by RFC 822 (a standard for the format of ARPA Internet text messages).

you don't get a "from: CTO" in your output?

Best documentation and help I've got in a while! I appreciate you!

Very informative!

It's almost like that should have been in the module!

So how was I supposed to find the admin email?

you don't get a "from: CTO" in your output?

No. I got it!

Thank you!

Can you tell me please how you came to this conclusion?!

If you read this properly you would’ve found it too 😅

I struggled here as well and kinda just frankensteined a bunch of stuff together.

Trial by fire..

That's how it looks like it's going.

Same here. Signed up for a comprehensive, detailed curriculum. Sorry you had to frankenstein. Thank you for the assist, I appreciate it!

I still don't understand those commands though

I see what you're saying, but there's no syntax

I would just use Evolution, it's good to learn the CLI, but I've yet to encounter a situation were I've been forced to use it.

evolution?

GUI for imap

oh nice

Why am I using "tag"

Try it without tag and use anything else

F FETCH 1 RFC822

That’s the easiest option yeah

blueteamTHIS got me through that

I still don't know why

just that it works

Did you try it?

yeah, I cleared the lesson with blueteamTHIS's help

This

the commands are just not clear

yeah?

They are very clear

Actually read what he says

"TAG" is an identifier for the command sent from the client to the server. It can be any string but it should be unique for every command within a single connection.

Basically it's just placing a label on the command you're about to use. (FETCH)

For client/server communication

It doesn't have to be "tag". It could be "yomam" FETCH

Got it, just having trouble reconciling that with the lesson material

It wasn't anywhere in the module

Correct, but you had the links already

Trying to find where I missed the mark

Well when the links didn't work I went back

I agree that they should provide those links or better explanation in the section

So if I find myself lost again I should seek outside assistance from resources other than the module?

Or past modules?

Googling never hurts

And you’ll find that they refer back to past modules sometimes yeah

Having a chatgpt tab open doesn't hurt either.

Just frustrating, I like getting quality instruction when I pay for it

Going back to footprinting module sometimes for syntax

You guys are top notch though

HTB should be paying you

maybe 0x56 but naaah I'm around the same level as you lol

They provide quality instructions, especially for the price you pay. Some modules could be made a bit better though I agree

We'll get there blueteamTHIS

But they’re constantly updating

I noticed that.

Pretty cool to see.

Yeah, much better than tryhackme

so far

I still have the ptp course from elearnsecurity, that’s the course for eCPPTv2, which was like 1500$. The explanation and detail in academy is better than that course imo

That’s what I mean with “especially for the price you pay”

It’s 8$ a month for a student and like 100$ to unlock all modules for others, that’s insanely cheap for the information provided

Well thanks for being helpful, transparent, honest, and not condescending.

You’re welcome👍🏼

The struggle is what helps me learn personally, so try to embrace it instead of getting frustrated

jesus christ 1.5K for that course???

For sure! Embrace the suck!

Was somewhere around that price yes, course + cert

do you at least get a cer attempt with the course?

Ive yet to take the exam though

even with the cer 1.5K is not worth it (a sans cer is way better with that kind price)

You won’t get a sans cert at that price though

Id recommend getting an offsec cert instead though

And I wouldn’t recommend elearn courses to anyone anymore

INE ruined that

wait really? last time i check it's some where around that price

I believe it’s more expensive, at least if you want training as well

i mean offsec "cer" is worth it but the course isn't

GPEN was 9k for just the course

Courses are getting better there as well, at least I’ve seen multiple positive reviews about the upgraded oscp material

$8275*

Yeah that sounds more like it

oh yea the oscp did finally get a good update

i miss remember the cer price 🤣

i did look into getting GPEN without the course and just with the academy content

but not sure if i want to yeeted about 1K out of the windows that way

and yeet you will

lol

hope not but probably will 🤣

haha I've been doing the course work and haven't bought the cert yet either cause I'm scuured

err the voucher.

hi everyone, i'm new in cybersecurity and i'm blocked at "linux fundamentals" in the section "System information", i can't login to the machine with SSH i don't know why

when it asks me to type the password i type it and it says "permission denied"

vpn

okay thanks but how do i connect to the vpn ?

okay it's good i found !

@scenic oar download the VPN and use sudo openvpn file name

thank you !

Hello colleagues I want to ask if this for loop is structured for this question. module BashScripting

Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.

for i in {0..27}
do
var=$(echo $var | base64)
done
salt=$(echo $var | wc -c)

It would be of great help if you could indicate to me this structured in the way you are indicating in the question but I see that I am missing something because I have found the flag.

And can you recommend me a bashScripting course if someone can tell me where I can get it to go deeper into this topic that is of utmost importance.

Has anyone done the new Linux privilege escalation module yet? I’m struggling with the escape restricted shell bit

For report writing, do we have to record every command? Like even for file transfers, what to run on target and attack machine

https://book.hacktricks.xyz/linux-hardening/privilege-escalation/escaping-from-limited-bash

Just discovered the tracert tool, and I'm curious why my packets go through 3 private IPs before entering the internet. The first one is my router, but not sure what the others are

What exactly don't you understand about this For loop?

It takes the value in the variable var and encodes it with base64and writes the new value back into the variable var
It does that 28x (0-27)

You can find programming courses either on Youtube or on Udemy, there mostly even in your native language.

Its a Restore folder. As in, Backups get Restored to it.

Hi who can Help me in pivoting module in meterpreter tunneling and port forwarding I have Syntax error .. when write run autoroute -p Ive got 3 IP address so how can write it in solve box I tried ||172.16.5.0/172.16.4.0|| but nothing worked

can you paste the command in spoiler tags for the network address you are trying to add?

otherwise you can dm me

Hey guys I'm on the medium assessment for password attacks and I'm trying to password spray smb for some creds but crackmap is saying all passwords are good. Dose anyone know how to fix this, thinks its some sort of bug saw it is the escape video ipp done recently.

Good day everyone, am new year. I am also new to Cyber Security and heard about harkthebox. I have followed the instructions and have 3 active connections, my machine is online and gave an IP address but when I ping the machine it's says not reachable, I have repeated the process over 10x, shut down and reported by system several times, delete files and reinstalled vpn, I still cannot get a feedback from the machine when I ping it. Please can someone assist me. Thank you in advance

hint try different enum on the smb and there is a reason why cme and other tool and showing all cred are good

which module and section are you on?

Okay thank you will try something else

Cheers mate

The first module Meow

yeah that isn't a hackthebox academy module it's a box on HTB main platform, read #welcome and #rules after that use /verify at #bot-commands and ask that at #starting-point

Ok thanks

Hi Guys! Can you help me with the Linux Priv esc Dirty Cow section? (Escalate privileges using the same Kernel exploit. Submit the contents of the flag.txt file in the /root/kernel_exploit directory.) I ran the exploit but the user firefart was not created and I could not escalate. Thanks!!

DM?

Please 🙂

ayo

am so stuck here

Leverage SeDebugPrivilege rights and obtain the NTLM password hash for the sccm_svc account.

they want me to assign privs to this user(Debug programs)

Hi, i think here is a dead link in the Footprinting Module > Linux Remote Management Protocols > Pluggable Authentication Modules (PAM)

but i dont have privs to even open Local Policies\User Rights Assignment

@acoustic owl

tried the Remote Code Execution as SYSTEM method?

i haven't

used the procdump.exe?

opening an elevated shell?

C:\Tools\Procdump> procdump.exe -accepteula -ma lsass.exe lsass.dmp

ProcDump v10.0 - Sysinternals process dump utility
Copyright (C) 2009-2020 Mark Russinovich and Andrew Richards
Sysinternals - www.sysinternals.com

Error opening lsass.exe (696):
Access is denied. (0x00000005, 5)

ayo

i cant find this file .\psgetsys.ps1

Hi! Im stuck on the Footprinting Laboratory - Easy on the Footprinting Module. Any help?

In Pivoting, Tunneling, and Port Forwarding in Web Server Pivoting with Rpivot
I wrote python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 in my kali
& python2.7 client.py --server-ip 10.10.14.237 --server-port 9999 in ubuntu
and I got connection
when I write proxychains firefox-esr 172.16.5.135:80
to acces in internal web server I dont have any connection !?

ayo idk why but its not giving me cmd admin shell

PS C:\Users\jordan\Desktop> .\psgetsys.ps1; lsass.exe :: CreateProcessFromParent((Get-Process lsass).Id,"cmd.exe")
PS C:\Users\jordan\Desktop>

kill/close the running browser instance and try again.

.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")

just still loading page without show anything

PS C:\Users\jordan\Desktop> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(640,"c:\Windows\System32\cmd.exe","")
Cannot find an overload for "CreateProcessFromParent" and the argument count: "3".
At line:1 char:17

• ... getsys.ps1; [MyProcess]::CreateProcessFromParent(640,"c:\Windows\Syst ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodException
  • FullyQualifiedErrorId : MethodCountCouldNotFindBest

lol

tasklist to find winlogon.exe PID>?

thanks and sorry lol

.\psgetsys.ps1; winlogon.exe ::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")

still not giving me shell lol

🥲 7

PS C:\Users\jordan\Desktop> .\psgetsys.ps1; winlogon.exe ::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")
PS C:\Users\jordan\Desktop>

Check the command I posted vrs urs

Ignoring the pop shell bit

PS C:\Users\jordan\Desktop> .\psgetsys.ps1; winlogon.exe ::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")popshell
PS C:\Users\jordan\Desktop> .\psgetsys.ps1; winlogon.exe ::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")popshell
PS C:\Users\jordan\Desktop>

.\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","")

PS C:\Users\jordan\Desktop> .\psgetsys.ps1; [MyProcess]::CreateProcessFromParent(644,"c:\Windows\System32\cmd.exe","
Exception calling "CreateProcessFromParent" with "3" argument(s): "Not all privileges or groups referenced are
assigned to the caller"
At line:1 char:17

• ... getsys.ps1; [MyProcess]::CreateProcessFromParent(644,"c:\Windows\Syst ...

•             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  

  • CategoryInfo : NotSpecified: (:) [], MethodInvocationException
  • FullyQualifiedErrorId : Win32Exception

PS C:\Users\jordan\Desktop>

ion have privs ?

oh

Maybe a reread of the second is in order

got it

thansk

*thanks 🎉 👍

Sweet 🥳

I tried with pwnbox but nothing happened 🙃

Please, help in the easy lab of the Footprinting module. Im stuck in the ftp ||passive|| step, cause I don't find anything

Nvm, I just found the solution

Pivoting, Tunneling, and Port Forwarding: Skills Assessment
If anyone could give me a nudge, it would be greatly appreciated.
My DM is open, thanks 🙂

Dm

if you have a call back from your client on the ubuntu machine to your server could do a sanity check by just port scan the site or use curl? or do you have 0 connection to the 172.16.5.135 machine?

which case in this?

its for case 4.

if you copy the post request burp and run sqlmap with that request it should be straight forward

You can share this in #resources-tools

thanks!

actually I wrote sudo chown root /run/user/1000/gdm/Xauthority and wait a lot of time now its work

you should assign the length of var to the salt variable during the 28th iteration. Keep in mind that when counting programmatically, we begin from 0 😉

if (( i == 27 )); then
salt=${#var}
fi

oh what did i miss?

Nothing much he just shared bunch of free labs resources in module section

not sure about this but in my note for this section i actually kinda auto automated it a bit and i got no idea why but if you want i can send you that to see if it's will work

Great I’m waiting u .. and I appreciate ur help🌹

oh the most recent message in #resources-tools? and those lab are not free

sure give me a sec

Yess

pls I need help in smb question 5 I don't get it "Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer. "

Footprinting module

||rpcclient|| is your friend

thanks man

guys

i am study linux module fundmentals and i see this text "Terminal emulation is software that emulates the function of a terminal. It allows the use of text-based programs within a graphical user interface (GUI). There are also so-called command-line interfaces (CLI) that run as additional terminals in one terminal. In short, a terminal serves as an interface to the shell interpreter.

Terminal emulators and multiplexers are beneficial extensions for the terminal. They provide us with different methods and functions to work with the terminal, such as splitting the terminal into one window, working in multiple directories, creating different workspaces, and much more. An example of the use of such a multiplexer called Tmux could look something like this:"

what is mean multiplixer

Multiple on one screen

Tmux is a good example of a terminal multiplexer.

in fact i think tmux literally stands for terminal multiplexer.

multiple screen (in this case panes), tabs (in this case windows)

Guys I am doing the RDP and SOCKS Tunneling with SocksOverRDP in Pivoting, Tunneling, and Port Forwarding module (module/158/section/1439) I downloaded SocksOverRDP on the target and tried to load the dll file but I keep getting this error. Did anyone else face this issue and how do you resolve this?

You probably did not open cmd as administrator

nope, I opened it as Administrator

In powershell as administrator do "Set-MpPreference -DisableRealtimeMonitoring $true" To disable real time montoring

ok that worked

thank you

Thanks mate

Administrator:500:aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54

which part of the hash I needed to use for pth?

The second half.

and when I had this

was I able to activate pth without being admin?

If remote Administrator login is explicitly disabled, pth won't get around it

You could probably psexec instead

Or PTH winrm, and enable RDP

did you disable Restricted Admin Mode? (the given reg command)

The section tells you how to get around this

No

Yes it does lol iirc the section gives you that exact scenario in the example

hello guys, anyone knows which is the best command line with nmap. I usually use nmap -sV {ip} but i saw lot of videos which they write lot of stuff in terminal

It depends

Generally you're gonna be more specific with your scan if you know the ports you're attacking

anyone know the isssue here?

I got the privesc with other vuln

It looks like the module isn't loaded, if it's a power view module may need to load it by going to C:\tools

Doesn't seem to be erroring on the module, but just the parameter.

Did you grab the latest powerview?

i just used what they have instsalled on the machine

It's potential that -TrustedToAuth isn't on this

I'd try to grab the latest version, just in case. It looks like -trustedtoauth is a valid parameter for get-domainuser - get-netuser is just an alias for it.

From google: https://github.com/fortra/impacket/issues/320

Just to be clear, on password mutations in the Password Attacks module, all we are doing is using the supplied resources and using the supplied command to generate a wordlist and then bruteforce SSH? If so it has failed twice for me. Or am I off?

Bruteforce a different running service

Ssh is slow and the box will timeout

thank you

Yeah it was timing out

hello y'all, I'm stuck with shell & payloads skill assesssment, any hint

cuz I'm not sure if I'm over thinking

Has anyone here actually done the escaping restricted shells bit in the Linux privilege escalation module?

If you don't explain what question you're stuck with and what have you done to try solve it, there is not much we can do to give you a hint

Yes

LoL you're completely right, sorry about that

well I'm stuck with the question No 1, so far I tried to bypass the .zip & tar.gz files restrictions thru the content-type with no success {didn't find the right application/xxx} to be able to upload a webshell, also tried to upload the webshell via tomcat war files but, I really don't know where they are saved

hello all

please help me if you can

AD Enumeration & Attacks - Skills Assessment Part II

Submit the contents of the C:\flag.txt file on MS01.

am not able to connect to MS01

it seems rdp is disabled

Bummer

sounds like you should look for a different way

and evil-winrm is not working aswell

also telnet

yup

sounds like youve not found what you need yet

its a skill assessment so good luck : 👍

How can I send multiple commands using Invoke-Mimikatz like:

Invoke-Mimikatz -Command @"
privilege::debug
token::elevate
base64 /out:true
kerberos::list /export
"@

I need to send commands that use "/" like base64 /out:true, and it separates in multiple lines. I have also tried:

Invoke-Mimikatz -Command "privilege::debug token::elevate base64 /out:true kerberos::list /export"

Just got through this one, and it was a lot of fun but I have a question that would be a spoiler here in the chat. Can I dm someone who has completed this as well?

hey guys, doing the footprinting/smb module currently and I'm running into an issue with one of the questions, is there anyone I can DM?

one of the questions has me connect to a share and find a flag.txt, but it doesn't seem to accept the flag.txt I provide despite the share being correct

https://academy.hackthebox.com/module/67/section/640 Windows Privilege Escalation -- Credential Hunting -- Search the file system for a file containing a password. Submit the password as your answer.

someone who completed it to ask? I have found some passwords but no of them is the answer

never mind, solved this one -- had to actually retrieve it from the share to my local device rather than simply reading it from within the share

sure

Already clarified, but thanks anyway!

Wassup?

Hi , I am trying to solve the Network Enumeration with nmap , Section - Firewall and IDS/IPS Evasion - Hard Lab

Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.

It is not clearly mentioned what service , and there are only two services running

I tried the nmap --script dns-version and it is not working , it is returning back with an error

Check out the DNS Proxying section of the IDS/IPS evasion lesson. Read the clue in the question and then what that paragraph says about large data transfers.

That's all I remember from doing that one. I think it was one of the scans below that section that worked. It will be a bit of trial and error to find the right scan.

Much Appreciated

I think it was a SYN-Scan from DNS port IIRC.

Either way I'm pretty sure the scan you need is in that lesson.

Thank you very much

I will try it

hello everyone ! Anyone got the answer on Footprinting module for ORACLE TNS?

it seems odat.py doesn't want to work in pwnbox after installation

Hi

the intro networking module started off well, but the last 6 chapters... i had no clue what i was reading 💀

Module - sql injection
Section - reading files

We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.

I cant find where the include is - I can see the php code for search.php .. but no include. Can anyone give me a nudge on this?

If you used the command from the module, you can check the source code of the page. In that source code you will find the .php which you need to use instead of search

is the other php page referenced in search.php ?

Use the command under “another example”

Then view source

And you’ll find the .php you need

hum yeah thats what ive done but im not seeing any other php files in the source

wait

its there

You got it?

yep

tyty

You’re welcome 👍🏼

Hello everyone

I got stucked with the snmp enumeration part of the Footprinting Lab Hard. Any hints?:)

You need to be more clear on your question if you want help😄 we will need to know what you tried and what you’re stuck on

I have enumerated the server and found the 161/udp open. After further enumeration ive found that is running snmp v3. Tried snmpwalk, onesixtyone but couldnt find anything.

In the academy course there is nothing mentioned about snmpv3 enumeration. 🙂

Should i bruteforce?

Is 161 the only port that’s open?

Imap,imaps,pop3,ssh,pop3s

So enumerate those

There’s a section imap /pop3 in the module

Yeah i tried them as well.

I am missing something... i will figure it out

The answer is in those ports

The final skills assessment in the sql injection module - is there some trick to the inital payload for sql injection? After completing the module I cant get sql injection to trigger

that one was confusing to me as well , one hint is to not trust nmap identification of snmp, and use many wordlists

Going to restart the server - none of the sqli discovery payloads are triggering anything

maybe its a lab deployment issue

nothing, strange

Figured it out 🙂 the community string was in front of my eyes. Misunderstood the output of onesixtyone

Thank you guys

Mind if I ask how you fixed yoru issue with [-] [('SSL routines', '', 'no protocols available')] ...?

module - sql injection
section - final skills assessment

is the user credentials intended to be cracked (hash) ?

can i get help with smbclient and how to get the password.
i type in

"smbclient -U bob \ip\users

I Entered workgroup\bob's password: which is bob:Welcome1
i tried with capital letter in B and it did not work
then what do i do next
If I press enter:
[5:46 PM]
"session setup failed:NT_status_logon_failure

are you sure it's the default workgroup for the login?

anyone got a quick second for a question, not a nudge, on sql injection final assessment? I have what I think is the pathway, but I think I may need to scan the ip address of the machine to proceed and I want to check if im going down the wrong path

solved

I have a question regarding the Windows Priv Esc module. It's the Pillaging section. I was able to get into the config folder finally but I can't seem to figure out which files in here that I need to transfer over to my VM for extraction of their hashes? Can someone help me out here? Never mind, it's the SAM and SYSTEM files. I should have remembered that.

You can DM me. I'll be able to assist you with that.

I believe that's the 'erratum' that you're looking for.

the credentials stored in cmdkey

are used to be able to login to another service without needing the password right?

Did you ever manage to resolve your issue with the SSL routines error..?

Nope, if you scan the network, you can find the parrot box and sign in with the htb-student creds, and use the mssqlclient.py that is on that box

that's what I did to deal with it

mate, I am on this module and almost finishing it off but I get this error after I load the dll successfully and when i try to connect with mstsc.exe i also get the pluggin enabled message.

but when I proceed with the connection I get the error you see. Is there a step I am missing? What I understood is once we connect we then transfer the SocksOverRDP-Sever.exe

Your resume doesn't bode well, if you can't read the description of the channel that you're posting in.

<@&861185840277487616>

My man tried to tag everyone with his spam

🙏 thanks to whoever deleted it

Are you sure the dll is getting loaded

yes, i got the same message as shown in the module

I made two terminals on my local machine and used each one to SSH into the linux machine HTB gives you in the module. On one machine, I got into the Windows machine using psexec and the methods from the module. On the other machine, I did "locate mimikatz.exe" then copied the mimikatz.exe file to the home folder. Then I set up a python http server. From the Windows shell I had on my other terminal window, I used a command starting with "Invoke-Webrequest" (you should see it in the Windows Transfer section of the File Transfer module other people have sent you). Make sure you do "ip addr" on the linux host to find out the ip address you need to use in the Invoke-Webrequest command on Windows. I was able to transfer mimikatz.exe, but I am still stuck.

What u stuck w

And pls yall send screenshots omfg

C:\Tools>reg query \10.129.19.166\HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters
ERROR: Access is denied.

but :Administrator netadm

net group "Domain Admins" /dom
Group name Domain Admins
Comment Designated administrators of the domain

Members

Administrator netadm

module :WINDOWS PRIVILEGE ESCALATION

Table of Contents :DnsAdmins

Did you open cmd.exe as administrator?

yos

anyone ?

Wait, in the DnsAdmins section you don't need a reg query....

Hey Guys, I need some help with the rpivot part of the port forwarding module, I am doing everything it says to do in the section, just cant seem to get it to work

where are you stuck ? if its porxychains firefox ect, try proxychains curl or closing existing windows

wdym ?

oh ok

hello, i am unable to connect via RDP into the windows machines, trying to complete the Attacking common services RDP section. Getting network disconnect error. VPN connection is stable

Hello guys, I have a question regarding a tool used on the server side attacks (SSTI sections). They explain us to use Tlpmap to automate the engine identification unfortunately this tool is not supported by python 3 and I am not able to use python 2 for the packages installations do you have any solutions ?

This is for academy modules, not for your self promo.

please help in active subdomain enumeration section in Information gathering web edition module question 2 " Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. "

Provide more details of your problem: what have you tried and what exactly are you stuck on?

Does somebody know why?
https://discord.com/channels/473760315293696010/1125746763295371314

I tried this command nslookup -type=any -query=AXFR zonetransfer.me ns.inlanefreight.htb

it's possible to get python2 in a venv, but honestly you can find alternative tools for SSTI, or just fuzz manually (which is way more fun imho).

Hacktricks has a great guide on detecting the SSTI engine.

Thx, I followed the hacktricks tuto but by using the seclist and the payloadallthethings wordlist but still unable to discover the correct engine 😦

help

htb is not an official TLD. You must specify a nameserver so that it can do the resolution

still confused

I don't know any nameservers

dns@ip

ns.inlanefreight.htb@ip

You specify the nameserver ns.inlanefreight.htb. Your PC can't resolve the address because htb is not an official TLD.

do I need to edit my etc/conf

or sudo nano /etc/hosts

hosts

ip ns.inlanefreight.htb

can it be NS.xxxx IP?

No, you can simply specify the IP address

dig AXFR example.com @10.10.10.10

yeah, i typed about it earlier)

10.129.144.123 ns.inlanefreight.htb is inmy etc hosts now and I tried nslookup -type=any -query=AXFR zonetransfer.me ns.inlanefreight.htb command and it didn't work

The specified NameServer almost certainly does not know the domain zonetransfer.me

nslookup -type=any -query=AXFR ns.inlanefreight.htb didn't work either

Take another good look at the whole DNS topic. What you try here can not work

please can someone explain in dm i'm dumb

try dig

tried dig axfr ns.inlanefreight.htb @ip and it not working

What ip are you using

I know i was trying to prove that you need to read the content again

You are missing a very important step

^

the one in the question i clicked to start

https://www.cloudflare.com/learning/dns/what-is-dns/

Is there a way to maximize the window screen for the first lesson in the 'Windows Fundamentals' module? I can't see the bottom.

Use the /dynamic-resolution flag when using xfreerdp to be able to resize the window how you want

I'm currently having trouble on the skills assessment of the "Hacking WordPress" module. When I spawn the target, the website works but I can't find any sign of it using Wordpress. Even WPScan gives an error that the site isn't running WordPress. Is this normal?

Thanks , that worked

hello im new and have no idea what to do any advice?

hello everyone ! Anyone got the answer on Footprinting module for ORACLE TNS?

its the olny answer i have to provide in order to complete module and odit.py doesn't work at all after 2 installations

you mean you dont know from where to start?

i saw the discord and thought "wow that is super cool i know little to nothing but , how bad can it be" and joined

and yea im completely clueless

linux and windows fundamenttals > crack into htb > basic toolset > any path you choose

ATTACKING COMMON APPLICATIONS --> WordPress - Discovery & Enumeration --> the hosts dont seem to run WordPress according the enumeration results. What did i do wrong?