The error they are getting isn't even mounting the remote system

additionally, you turned it into general chat (#858470491676737536) where the purpose of that channel is completely different

yeah, posted to erratum after I verified I had tried everything

I've just tested the exercise and with the command, and it is working as intended

They are getting the "not in host:dir format"

I'm currently trying to get wifi hooked back up but that's gonna be a few weeks

Which I think that error is a user error not a remote host error

you're probably missing a colon

<ip>:/

it worked as root for some reason

read the man page for mount and you will know why, plus if I'm not wrong you can add the option -o noperm which does:

ls -la I literally helped someone with this earlier

It's because you create it with sudo (root)

I'm all for learning, but this was an unnecessary rabbit hole

It's an easy thing and literally has been discussed

In this channel, multiple times

It's okay, I addressed it in erratum, hopefully it will be addressed in the future with changes

Discord does have a search feature yakno

I appreciate the help!

Yeah, I use the search feature extensively

It helps most of the time

Guys, for the MacOS fundamentals there's no actual Mac VM to do the exercises?

Yes on the info page it has a disclaimer that you will need access to a MacOS device

Anyway, now that I'm through that issue, all I have now is a bunch of text files.

.... so just cat xxxxx.txt

ad nauseum?

Is there anything worthwhile in these or is this just another waste of time?

I mean if you ls -la you should see file size

@modern hill

Yeah, just me rushing it and not seeing that.

Thanks.

At least it's fundamental and only 10 cubes

You don't need one.

As it states though you can at least take notes on the content

Yeah, for sure.

Just may not be able to complete the exercises

It's probably the best of the windows/linux/mac trio

Still need a Mac "device"

Only to use the package manager i(brew)

but you can just use https://formulae.brew.sh/ to get the same result

That's why you're smarter than me

Anyone playing Authority?

Windows machine.

#1129834089013330075

If you have no access, read and follow #welcome

Hi payload I see you are picking up the graveyard helpdesk shift OK bye leaves 1000 tickets on desk

yes I take the shift here 😉
Good Night Marcie

Idk not working on my phone.

I've logged in. Still

Have you verified your account?

What font is that my brain isn't braining

What font?

In the screenshot

That’s just a screenshot of the welcome page

You have something different?

Brother I'm talking about the font from the screenshot

As in what language? Or what lol

I guess I’m too stupid to comprehend your question

If language, it’s German

Nevermind

Font: the style that the text is in

Yeah, and I asked if yours is different, this is just the font discord mobile is in for me so I don’t know any better lol

Like I said never-mind

👍🏼

Can someone help with this problem ./logrotten -p ./payload /home/×/× /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34 not found (required by ./logrotten)

if compiling with gcc try to use the -static option, let me know how it goes. Otherwise an already compiled binary solves the problem (I haven't done the updated modules yet, so the solution with gcc provided may not work)

This method solve the problem but didn't get the reverse shell

can you try something simpler rather than a reverse shell? If you could use something like id > /tmp/output.txt and see if something happen. I know, probably a rev shell would have worked just fine but for the sake of removing any "x" variable its worth to give a shot

Doesn't work

you can compile it directly on the target machine (in case you didn't try):

Hi I need help on AD Enumeration & Attacks - Skill Assessment Part II question 10. I have got admin access to MS01, how do I get the password hash for user C****?

read the hint on question 9, go back try the stuff showed in the sections for getting a foothold

Im on windows priv esc Prilaging module, anyone know what part of the hash the answer wants, ive tried the whole thing, NT and LM but cant get it to work

Read the question. It should be defined there what exactly is being asked

Just says the Administrator hash

and none of them work

Then i guess its the NTLM Hash

just got it, there was 2 different backups to restore, i was doing the old one

Yeah i know that, it was another problem

Hello, I'm in the Web Attacks module in Bypassing Encoded References:

I found:
MQ%3D%3D >> 1
c4ca4238a0b923820dcc509a6f75849b.

Any hint please.

Hi guys...
I'm currently grappling with the challenges posed by the Broken Authentication module, specifically in relation to Bruteforcing Cookies. This topic seems completely baffling to me... Is there anyone willing to reach out through direct message and provide instruction? I'm in desperate need of assistance and support.

Look at the source code and consider how you can download the Contracts

This question?

Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?

Yes

This question is really posed in such a way that it often leads to misunderstandings.
||You must assign the role "super" to the user||

Yes, i saw this here on channel, but how do i tamper this role? And i dont know what i need to do after that

If you could teach me on dm how to do this steps i will really appreciate

The module shows you how to decrypt cookies. If you know the content, change it in your favor, encrypt it again and swap it with your existing cookie

I am only online for a very short time.
Later in the evening I can explain to you which steps are necessary.
Just try again. If you can't make it, send me a DM and I'll look at it tonight

soooo linux privesc assessment flag1.txt isnt where its supposed to be any hints?

Ok bud, i'll try it again 🙂 thanks

hint somewhere in the given user ||home|| directory

ooooooof thank you very much I got it

Hello

Question 4 of the using ffuf module

Of the skill assessment

I am running this:
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://faculty.academy.htb:53094/courses/linux-security.php7 -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded'
Any ideas why it doesn't work?

Also I would appreciate it if someone explained when I should fuzz for parameters in practice

I'm not seeing anything wrong at first glance in the command, do you get any ouput?

Well it's saying that every request sends back an error

mmm... can you filter by the size or anything else to remove that errors? Of course make sure the time didn't end up for the target machine and you can reach it

I restarted the target and it worked 😳

Ig I should've done that before askign for help

Thanks anyway though <3

it's fine, it happens

Did anyone finish the INTRO TO ASSEMBLY LANGUAGE? I have a question relating shellcoding tool assessment ... i try to push the shellcode through netcat but end up getting "Failed to run shellcode!" even though they work on my system ... so wanted to figure out what I am doing wrong

Can someone hint me in sudo section linux priv esc when i open the program that i can run with sudo what should i do

I typed some options and nothing happens

Look at the options of this program. One of these options stands out

I tried many of them and nothing work

I'm so pissed off

This thing took me 2 hours

I open the root directory and then can't open the flag file

I really can't tell you any more without telling you the solution than to tell you to look at the features of this program

I got it

Hello! I need help on the Windows Privilege Escalation module.
The question is " Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?"

The module says I need to use Accesschk to get data of the named pipe, but when I try to run it both cmd and Powershell say the command isn't found.

have a look in c:\Tools
I think the program is there

Thank you! Now i'm getting another error: "All pipe instances are busy. No matching objects found."

Honestly, I recommend just playing with the syntax a little bit to understand how to use the tool. It took me a minute to understand it at first but figuring out the syntax yourself will help internalize it.

you can send me what you have. I finished it not too long ago and I should have my working version somewhere, maybe we can figure out together whats wrong with yours

thanks mate... should i dm you?

yea sounds good

I am struggling with this, can somebody help me?

This looks familiar. Would you please specify which module and page you’re working from?

Linux Privilege Escalation, 2.section

Reviewing this now.

Hi guys ! Got a quick question about the footprinting module (DNS part). I saw that we always use the Base_IP + Name_Server in order to dig things. But how do we dig into a subdomain ? Should we keep the Base_IP or use the new IP (from "A "record of our subdomain) ?

I do the following
for sub in $(cat /opt/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.179.179 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
app.inlanefreight.htb. 604800 IN A 10.129.18.15

But to domain bruteforce mail1.inlanefreight.htb will I use 10.129.179.179 or 10.129.18.201 ?

I found it.

You’re looking for a string within a file that contains a known pattern.

yeah I know, but I couldnt find the file

I’ll add that the content within the module is not a guide to the answer.

There’s a way of searching the entire file system for files that contain a particular string. Do some Google-Fu. Anything further and I’d be handing you the answer.

You’ve got this!

where can i get rubeus.exe?

Releases here I beleive. https://github.com/GhostPack/Rubeus

actually i am not sure how to convert it to exe 😅

it's call compiling 🤣 but you can just get the binary here https://github.com/r3motecontrol/Ghostpack-CompiledBinaries

https://github.com/GhostPack/Rubeus#compile-instructions\

Or that yep.

yes it is 😂 i came across of doing it before but not sure where

thank you both 🥰

I found it thank you

but I hate it when the content of the section is useless for the assessment

It's entirely possible to do it using the content from the module. There's just multiple ways to arrive at the same answer

I am doing the footprint module's medium lab and I can't connect to the || SQL Management Studio || .
I need help to understand why it's failing?

Need more context are you trying to use a user/pass combo?

Did you find the important document

Yeah I am using the creds from it .

Switch to local authentication

You can also use the password for a more powerful user

To remote with

Hi guys, I’m doing the AD Enumeration & Attacks - Skills Assessment Part II and I’m stuck at the question “Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host”.
I got a reverse shell from the sql01 but I’m not able to escalate privileges, I tried with the printnightmare but every time it return an error with the driver path and I tried to transfer files from the attack box to it in many ways but nothing worked, someone has any hint?
Thank you!

have u ran || whoami /priv||

Yes and I know what you mean, but how can I use it?

@cinder cobalt refer to your notes about what the information could mean

Alright, thanks!

sent u a dm

If you want further hints/guidance dm me . If you do dm please include everything you've tried

HTTP basic authentication

i am stuck at the lfi with languages/en.php prepended, can someone dm me ?

running out of ideas

Sent

Without knowing what you have already tried, it is very difficult to give you any tips.

yea but i dont wanna post spoilers

can i dm you ?

sure

I don't know if PrintNightmare is necessarily the way, but if it's erroring out, try something else

File transfers is another thing though, it shouldn't be that difficult for you to do it considering both machines are on the same network. My advice is the same, if one method doesn't work, try something else.

anyone here able to give me a hand with file upload module?

https://enterprise.hackthebox.com/academy-lab/2231/3770/modules/136/1290

this is "enterprise" probably I wont be able to see it, what do you need help with?

I've found the available extensions that are accepted along with the content types, although as soon as I make any changes to the content, I get rejected immediately. Screenshots incoming

check the user tokens

is this the skill-assessment?

no

well, could you be more precise?

Type Filters module

what do you addtionally need to see?

Nothing else, did you manage by the way to upload an image without getting any error? I would go from there by fuzzing the extension with a PHP list you can find on PaylaodAllTheThings

the image yes, I've got my list of extensions and content-types that were allowed

anything else I got errors

Nice, so I think you're close

I am, but any change to the file content, poof

i've been on it for a while, and ive brute forced my options to no avail

I've used "GIF89;"

the course doesn't go over changes to the content being an issue, which is suprising, this is out of scope of its contents

even with a clean picture, doesnt chew it up

going to dm you

Thank you mann that did all, never thought someone would do this on his server hahaha.

It's more common than you think

Admins don't care, they just want things done right?

More like managers, security is often dropped for convenience

or to save a dollar or two

hello all

Could someone help me with broken authentication cookies. I'm stuck for a long days in this module... if anyone could dm to give me a guide/help it will be appreciated.

what is wrong here?

python2 get out reeeeeeeeeeeeeee

Probably a different version of python

yea got it thanks

you could use python2 to run it

I changed them for input()

you can also try 2to3

more and more systems these days dont have python2 native installed

or the best way: dont use python2 anything. if something is not in python3 its outdated and end of life. unmaintainable

even python thinks its a bad idea to still run python2

yup thats how tech works

ýea

ty

do u know any other tool like bad-pdf?

no

hi. im new to the academy and pen test in general. Was hacking a box again. This time web enumeration. In the text for the question the just asked me to run some enumeration, that we just learned in the text previously. So i did some enumeration, without any flag. Then i did a whatweb on sub net. You know 0/24 at the end of an ip. And oh lord i got a lot of information, about website and email from people im pretty sure doesn't have anything to do with hack the box. Im a bit freaked out, because i really don't wanna violet anything of anyones private data without permission. Is whatweb a aggresive scan?

Perform the tactics on the provided target

You never need to go into subnets

hi. i did solve the puzzel and got the flag in the end. but i just had that scan in the back of my head. Did i do something stupid now? I godt om information on someone linkedIn and stuff like that

You're overreacting

Chill

Just do the thing and move on.

okay. it was just one of those things in the lector and i was like. "okay let me se if this works"

hehe thanks. this is actually comforting 🙂

Again you're overthinking it

What web only scrapes info

As long as you stay in the HTB network, not much can happen.
Nevertheless, you should only scan subnets if the module specifies this.

okay thanks. That info helps 🙂

If you did a scan on 10.10.x.x/24 or 10.129.x.x/24 you're fine

yeah I dont even see how whateweb woulda even found anyones LinkedIn stuff

even using it wrong

^

but yeah never acan against the lab subnet. If they want you to do a subnet scan of any sort. theyll have you connect to a jump box first for an internal network to scan

yah. ill keep that in mind next time. i was just stuck and did the whatweb sub scan because the talked about it in the article.

Usually a 172.16.x.x format

Or whatever that address schema is

used it on the provided ip, but whit x/24 at the end

Which subnet have you scanned?
Which IP did you use?

it did, some principal from scotland.

There are still Docker containers. You can recognize them by the fact that they always specify a port as well.

For example: 83.136.251.168:50637

i used the provided ip from hack the box.

This IP is also from HTB.

yah someting like that but with the 0/24 at the end

Which IP exactly have you scanned?

well as long as its HTB i good

2 sek. ill have to start linx up

yeah cause its starting to sound like you got a public docker IP which means you did scan a bunch of rando servers that might not have anything to do with HTB

which isnt toooo bad. whatweb is just enumeration, public services wre getting such scans 24/7

^

here is the line: whatweb --no-errors 94.237.56.0/24

yeah that's public

okay, docker

you scanned some random peoples stuff

noooooooo

its fine. I wouldnt lose sleep over it in this instance, just be more careful in the future

If you get an IP with port, then be sure to stick to this IP incl. port.

maybe go learn some networking fundementals so you can recognize stuff like that

at least you werent running anything destructive

^ Just a silly little scraper

Which is most of the active tools

For web enum

true. but i actually thought is was pretty safe using HTB servers

You woulda been, except what you scanned wasnt htb servers lol

Yep

This is why I said specifically 10.10.x.x and 10.129.x.x

As those would be your internal networks

Through the tunnel

@barren salmon your homework today is to go learn networking address ranges and memorize the difference between public address ranges and private address ranges, noting specifically which ranges are private.

There's 4 classes of private and like a handful of ways to differentiate

that fucking sucks. but the server i was provied was 94.237.56.76:54499

yah i guess it is. damn

https://academy.hackthebox.com/module/details/34

You have ip:port

but the class i was on is Getting Started

dont worry, you were going to have to learn it sooner or later. Youre actually lucky in that now you have a first hand experience on why you need to learn it sooner rather than later.

class as in IP class, not academy class

oh my bad

but i assume the information i got from whatweb is just what there is already public

thanks, imma gonna learn that

yup. though sometimes the people behind the service didnt realize it was public

but yeah while it is a mess up you don't want to do again in the future, its not something id lose sleep over

its also why scoping is such an important thing in pentests and bug bounties

theres is so much to learn

no i would do that again

Module: Attacking Common Services
Section: Attacking SMB
https://academy.hackthebox.com/module/116/section/1167

Third challenge: I got RCE using smbclient, but does anyone have any idea why impacket-(at/smb/ps)exec, crackmapexec, and Metasploit psexec won't work?

Edit: yes, I have changed the --exec-method flag on CrackMapExec to every options available to test

the 3rd question asks you to use SSH

what are the best modules for building up to doing easy boxes/ challenges? I only have access to tier 0s and 1 or 2 tier 1s btw

All the fundamentals

And you'll be mostly fine

And doing the starting point boxes with help from uncle Google and the official writeups

I dont recall specifically for that lab, but psexec and the likes I believe require access to some of the special default shares and if those are disabled they wont work even if youve got valid creds.

like the ones with the fundamental/general tag?

I'll shoot you a DM about this

Yes

Tier 0

So if I just do the ones tagged fundamental I should know enough to be able to move on to doing stuff like the hacker bootcamp?

haven't looked at it ¯_(ツ)_/¯

But the fundamentals get you at least started

Ok cool thanks

And Google can take you a long way

yeah im still trying to figure out where these free retired machines are

#1128623304199110796 I think

oops i just rememberd i dont have my hackthebox account connected to this lol

I would say do fundementals then do starting-point machines then move on to the new guided stuff.

idk how good the new guided stuff is yet, but its interesting enough to give a shot.

That seems like it makes sense and wont have me spending ages on academy, thanks bro

just remember that no matter what you do, take a lot of notes. Have a seperate section for general knowledge and cheatsheet notes, and then a new section for when youre working on boxes.

Anytime you get stuck on a box or a challenge and then overcome it(even if you must lookup the answer), take special notice to write notes about the situation in your general knowledge notes.

That way everytime you overcome becoming stuck, it becomes part of your repertoire for every future machine you encounter.

Mhm

Always expect to hit a wall

Im actually slacking right now cause theres a bunch of boxes n stuff I havnt transferred over inti general notes yet

oops i havent taken notes on this hacking stuff like at all... maybe thats why i struggle
no better time to start than now i guess

Yeah my notes from the beginning of academy and the end of academy are drastically different in quality.

Had I kept proper notes I would t have had to relearn so much stuff from my hiatus.

Good note taking is the difference between bad hackers and good hackers. Or even good hackers and great hackers 😉

very few people can get away with little to no notes and theyll often regret it eventually.

I guess im regretting it now and when i look back i think i could have made much more progress with notes.
Might as well start now though lol ive just made a page on notion and used one of their template thingies

dont use notion

why?

notion is cloud only and not encrypted. Which is okay for personal notes, but if you ever get serious in offensive related roles and start doing stuff for clients like pentesting thats not gunna be allowed at all. Like lose your job. So if youre not going to be allowed to use notion for client notes youre gunna have to learn a new tool anyways. Might as well learn a tool you can use for personal notes now and for client work down the line.

ohhh ok that makes sense now that i think about it. what note applications are encrypted?

The hot one everyone is using at the moment is obsidian. Not encrypted by default but its offline so thats fine. You can pay for Sync which is end to end encrypted or use some plugins and git shenanigans to rig your own sync setup with encryption.

ok thanks bro 👍

so yeah obsidian is what I recommend but if you stumble across something better by all means use that instead.

Just specifically a cloud only one like notion is bad if youre going to be in offensive stuff.

Hello boys, i have no clue how to find the flag on the Authentication Module --> Reset Token --> Question 1. I'm might missing something, tried to modify the reset_token_time.py script (https://academy.hackthebox.com/storage/modules/80/scripts/reset_token_time_py.txt) adding the milliseconds converting the time and adding the username but nothing seems to work. Here's what i added --> added a line 12 --> user="htbadmin" | line 16 --> x=str(x*1000) | modified line 17 --> md5_token = md5(str(x + user).encode()).hexdigest() | also, modified the url variable

I found that results were a lot more consistent if I could parse the time stamp that they give you into a base time to work off of, but I don't know if that's how other people did it too

I am on the footprinting module in the DNS section. It asks "What is the IPv4 address of the hostname DC1?". tbh, I don't really know what this question is asking... what is DC1 ?

What have you done so far?

nvm didn't realize it was located when searching the internal subdomain

we good

thanks though

hello if you got stuck in Footprinting Lab Hard, please ping me aside ill help you out, because the time is so valuable to waste it 🙂

hello guys, I have a question regarding the SQLMap Fundamentals module, in the Attack Tuning Section's questions, there is this question What's the contents of table flag6? (Case #6) , My question is how am i supposed to figure out the prefix without refferring to the hint given?

No need to DM. I meant that in the exercise they give you, when you get the token, they give you the exact server time that the token was generated.

You can potentially use that to figure out the correct time instead of brute forcing from your own time

Can't really respond to DMs right now but hopefully that's enough of a tip

Thank you for the tip!

This is a section a lot of people get stuck on, so there's also a lot of stuff from people on the forums

Hey guys im stuck on active subdomain enumeration. I cant figure out how to find the txt file! Any hints?

what module?

Information gathering-web edition

I've done it a while ago so i don't remember the method a 100%

but from what i recall, you try to do a zone transfer with the domain given, you will see a list of subdomains

then you try a zone-transfer on one of them to get the flag

^^

Hey, I'm on Footprinting Lab hard, I've managed to ssh in as one of the users but I don't know how to escalate my privileges/what I'm supposed to do now

my bad I'm in as root

i was just gonna say u gotta search for a different service in order to move on, no need to escalate anything xD

Hey, i'm on the File Inclusion assessment. I've made it a few steps through, but i'm not sure if the method i'm trying is wrong or I'm just doing it wrong lol

Hi

I have completed this one

Where are you having doubts?

i've found address with the log parameter... I think it's supposed to be ||log poisoning|| but I can't get the code execution to work... am I on the wrong path?

It depends, where you are attempting log poisoning, is it on that secret page?

hmmm mind if i dm so I don't post spoilers?

Sure

Hello all, I'm currently working through the AD Enumeration & Attacks - Skills Assessment Part I and have completed the assessment with the exception of retrieving the cleartext password for t*****. I've tried using mimikatz to dump LSA secrets on the MS01 machine but I still can't seem to find the password. Can someone lend a hand?

try other tools such as LaZagne

Thanks for the help!

hello guys, i need some help on the skill assessment of the SQLMap Fundamentals module, i can't seem to find the parameters to test on the website, i have gone through every menu/catalog option, and every form while inspecting each request in the network monitor, any tips would be appreciated.

nvm i found it

Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag? - Brute Forcing Cookies - Broken Authentication

Any tip please?

Hi guys, I'm currently doing Attacking Common Services module. I got stuck in the easy lab. I found out the username to use but not able to crack the password for it. If I'm using rockyou with hydra it is showing an estimated time of 2600 hrs. I also tried mutating the password list given in the module but it didn't work. I will be great if anyone can give me a nudge

hey mate, the f user and rockyou should get you there. I just checked and The password should be within the first 100 lines of rockyou.

Mutated wordlist not needed. As skillet said it's there it shouldn't take long I also believe it to be in the included passwords.list but I could be mistaken

Stuck on the Medium Footprinting lab

so far I have rdp access

and have found the important.txt file

txt password isn't working for the SQL server application

am I wasting time or is this a valid approach

?

try looking to see if there is a native sql application when you rdp

Hello Team, I'm trying SQL injection Fundamentals module but in the SQL statements content, I can't see the development table. Can you help me?

There is

mssql server management studio?

management studio 18

and you cant open it to query the db?

hello can anyone guide me with "attacking common service Lab Medium" i been bruteforcing simon at port 2121 for so long now

the sa password from the "important.txt" file doesn't work

spoilers my dude, you can dm me

not spoilers if they don't work, lol

just showing what I've tried, hoping it will save some time for someone else

try the same username as you used to rdp?

as the login and pw?

i will dm

k

has anyone done the mac os fundementals

did anyone getting trouble with ldapsearch with -h flag ? why the -h flag is asking for help not represented as host/target

-H for host

-H for ldap uri (ldap://ipaddress/

Yes, wasn't that your question?

i mean, the module and a lot of refference i read is using -h to spell a host instead of -H

have you found the anonymous login?

Oh, I haven't done the LDAP module, but there's a short section in Attacking Common Applications where they do use -H

ah i got. nowadays -h is deprecated and changed for -H

your screenshot shows the databases... you should connect to them and then see what tables are in them. I would start with employees, as that is a non-standard database

I finished it

thank you i can see it

there is anonymous login? i can't login anonymous

its on a pretty high port, try expanding your nmap scan

hello, can someone please help me on Footprinting Lab hard i found the .sh file using braa, a mean i found the path and i found this user called xxx but i did not find any password to enumerate IMAPS service or POP3 service

i will dm

thanks @fringe shell

In what order should I do the modules

are you doing a skill path?

I have started Cracking into Hack the Box

then follow the order of the modules for the skill path

Okay do you have any knowledge where i should go onto after that

I'm going into college and studying cyber forensics and security and just wanted to get the fundmentals down and keep learning

thanks

can you teach me nmap what that parameter to avoid being firewalled

Still stuck?

I'm logged in as Admin, thanks, but yeah, stuck on where to go from here

Try logging into the sql database using a different authentication option from the drop down, maybe local

Someone DMed me with some good info and I'm already authenticated as Admin, just trying to work my way back to how I would have found the info myself

Just trying tbh. Also abstracting what sa could mean as well

hiii

Hello I'm in SOCKS5 Tunneling with Chisel (PIVOTING, TUNNELING, AND PORT FORWARDING )
to solve question I write
||./chisel client -v 10.129.175.171:1234 socks || in my parrot
||./chisel server -v -p 1234 --socks5|| in ubuntu
when wrote proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
I get error
why ?

can you paste/screenshot the error you get?

||./chisel client -v 10.129.175.171:1234 socks||
2023/07/18 08:21:33 client: tun: Bound proxies
2023/07/18 08:21:33 client: Handshaking...
2023/07/18 08:21:33 client: Sending config
2023/07/18 08:21:33 client: tun: SSH connected
|| ./chisel server -v -p 1234 --socks5||
2023/07/18 07:11:06 server: Fingerprint qDgBBAANJX0YNDQX0YKqRIQOKv8CIVw6GSFZybgRNWA=
2023/07/18 07:11:06 server: Listening on http://0.0.0.0:1234
2023/07/18 07:21:33 server: session#1: Handshaking with 10.10.15.25:52946...
2023/07/18 07:21:33 server: session#1: Verifying configuration
2023/07/18 07:21:33 server: session#1: tun: Created (SOCKS enabled)
2023/07/18 07:21:33 server: session#1: tun: SSH connected

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain ... 127.0.0.1:9050 ... timeout
[08:27:42:783] [4249:4251] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[08:27:42:783] [4249:4251] [ERROR][com.freerdp.core] - failed to connect to 172.16.5.19

can I see the last lines of proxychains.conf? You are using port 9050 for proxy, make sure to edit the file accordingly or comment the line you don't need

When you run chisel you can see that is attempting to connect using port 1080

now its like :
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
but get this error
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
No protocol specified
[08:56:58:181] [4733:4733] [ERROR][com.freerdp.client.x11] - failed to open display: :1
[08:56:58:181] [4733:4733] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

When I run the above command I get this kind of output. It runs forever. When I run the same command on my kali vm it says "zsh: parse error near '&'.

dm you

Please check that the $DISPLAY environment variable is properly set.

it was set properly, at some point I have advised him to reboot the machine

aaaaa

so do i have to reboot it ?

and it will work properly ?

@fiery berry

probably there was another work around so I'm not saying that rebooting is the best solution, but since he is in control of his machine troubleshooting it myself wouldn't be that "confy"

@fiery berry i was taking about the footPrint module the medium lab xD

Can someone help me out with Attacking Common Applications / Exploiting Web Vulnerabilities in Thick-Client Applications I'm following the guidelines but the newly created .jar file doesn't start...

i receive that message error when i was trying to login

Sorry can you remind me please when I did left a message for you?

:C

ah!

can you please help me ?

xD

of course

some people said that use remmina instead but i dont know how to use it

who can help me this https://academy.hackthebox.com/module/116/section/1512

I've resolved it.

I have noticed that you both with @gaunt monolith are using xfreerdp with the root account, try with the normal user account. I advised SilverSec to do it and for him now it's working (maybe it has to do with some config setting)

helpme https://academy.hackthebox.com/module/116/section/1512

you are right thank you so much for your help, i appreciate it

kindov stuck with Find the password for the ldapadmin account somewhere on the system.

Windows Privilege Escalation Skills Assessment - Part I

tried LaZagne juicepotato

non worked

http://dontasktoask.com/ for someone to be able to do that you kinda have to say what you need help with

hint one of the thing you have tried is the right path and if you haven't already try with multiple different ||CLSID|| (you can get the list on the exploit github)

I just did this today and the machine is wildly inconsistent. I ran the same scan which effectively points you to the solution of the challenge a few times and only had it work maybe 50% of the time - it seems like people are getting stuck on this due to a HTB issue and not a student issue?

I strongly doubt this is a network issue on my side as I've had no issues with any other HTB Labs/Modules or any other networked services at all

wtf?! why are the answers case sensitive in the first place?? is it so hard to add a call to the lower function?!

just wasted another hour on enumerating users

Regex 2 hard

next time it would be more efficient to just brute force the damn answer request (dont do that please)

ATTACKING COMMON APPLICATIONS - PRTG - Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop.

I've found the flag.txt but the flag isnt accepted. Any tips?

https://i.postimg.cc/SxVvs5Fp/htb-prtg-flag.png

reload the page and make sure you have no spaces at the beginning or end of the flag

its the wrong flag

Hello everyone, can anyone help me understand for what is the variable value used here, because when I do the if with the comparison I get what I need but I didn't understand why I have to put the * wildcard to get all values, does this mean that when the programm encodes the var, one of the values of the encode will equal the one in the variable value, or is it just random?

Sorry for the stupid question guys but I just can't figure out that little part

That's to check if value is "contained" anywhere within the string var. value won't necessarily be at start or end of the string var. It can exist anywhere in it.

can you help me

I've got all the credentials, but I'm not going to use evolution

PS C:\users\public> & "C:\users\public\juicyPotato.exe" -p .\node.bat -l 9003 -t * -c "{659cdea7-489e-11d9-a9cd-000d56965251}"
Testing {659cdea7-489e-11d9-a9cd-000d56965251} 9003
COM -> recv failed with error: 10038
PS C:\users\public> ls

In ICMP Tunneling with SOCKS write this command
proxychains nmap -sV -sT 172.16.5.19 -p3389
and 3389 open
now when write proxychains xfreerdp /u:victor /p:pass@123 /v:172.16.5.19:3389
no connection I'm waiting a lot of time its normal or not ?

What do you mean no connection?

nothing happen just this command i show in terminal

[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.14
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.5.19:3389  ...  OK```

anyone done windows priv esc skills assesment 1?

mu juicypotato / printspoofer isnt working

I keep getting this error whenever i try to connect to the rhost. The creds I've used are working (can use them on other occassions without error) but not when i try to connect with MSF. What do i do wrong?

[] Started reverse TCP handler on 10.10.14.236:4444
[-] Exploit aborted due to failure: no-access: Failed to authenticate to the web interface
[] Exploit completed, but no session was created.

ATTACKING COMMON APPLICATIONS - PRTG

use the matrix in the module and look at the services

for that i tested for 500 CLSID

Hi, im with the final exercise of Shells and Payloads module, the live engagement section. In the host number 3 I have uploaded a bind shell and I got the shell but with no administrator privileges. Htb talks about eternalblue but I cant get through in this way, msf or manual way. Any help please?

just got the list of CLSID ill work out which one to use

there is a good few that will work and the rest doesn't

the usually i would recommend when pivot with proxychians is use proxychians4, dynamic chain instead of strict chain

also why do you have the port in the ip??

your questions here before was ok but it's better if you add what did you try and what fail instead of "here is a error that i got, how to fix it?"

so there is multiple way on pwning the third host, if you have a shell and want to PrivEsc you can or if you want to go the eternalblue route you can use the exploit multiple in msf that only let you run 1 command intended of getting a shell

Using the exploit of msf it doesn’t work, using autoblue from github doesn’t work either

I will check with winpeas

which if you are using the exploit that give use a shell that will not work

use the one that let you run a single command

Can we talk by pm?

sure

nvm already solve

anybody have trouble getting through the Metasploit module? I wasted so much time and its so simple. It wont connect to the host.

I changed vpn port from udp to tcp on my end. Its the very first one for eternal blue. https://academy.hackthebox.com/module/39/section/404

Thanks mate. I’ll give it a try

Thank you. I’ll try it.

Try to do introduction to analysing networking traffic first, it teaches how to use wireshark

which question exactly?

Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.

can you show the name of the exploit you are using?

msf6 exploit(windows/smb/ms17_010_eternalblue) >

then I set rhost to the target ip

then enter "run"

have you tried to use an alternative to ms17_010_eternalblue since there are few others?

I tried eternal romance

thats the next module they have you do and it didnt work for me either

try with another ms17_010_* and see how it goes

it fails at this part [*] 10.129.221.7:445 - Triggering free of corrupted buffer.
[-] 10.129.221.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.221.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[-] 10.129.221.7:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

okay

nothing

which one did you use?

all 3

let's move to dm

thanks

last resort I will reboot vm and my computer I guess

anyone around finish the linux priv esc capabilities section?

sure what's the issue?

Im doing Kerberos Attacks Module and I got a issue with dnstool.py, is there someone that has done that?

Not getting the exploit to work, vim.basic is opening in read only, silent mode fails too

which section are you on?

linux priv esc

capabilities

you can force it with !

i do remember having some issue with this part but you can just use the given echo command in the example

someone already checked this?

I just saw it when I opened google

not really the place but that's just google GPT 🤣

Unrelated

try adding an ! after wq

k I sent it to resources

Thank you bro

or sis

thank you

meh I just asked 1 thing about crackmapexec and it didn't work

What exactly is not working?

so worse than GPT-3 🤣

I think it just released. So, it needs to learn.

that seem to fix the issue, Nice catch ❤️

What could I be doing wrong:

┌──(kali㉿kali)-[~/krbrelayx]
└─$ python3 dnstool.py -u INLANEFREIGHT.LOCAL\\callum.dixon -p C@lluMDIXON -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.129.186.191 --action add <kali_ip>
[-] Connecting to host...
[-] Binding to host
Traceback (most recent call last):
  File "/home/kali/krbrelayx/dnstool.py", line 596, in <module>
    main()
  File "/home/kali/krbrelayx/dnstool.py", line 418, in main
    if not c.bind():
           ^^^^^^^^
  File "/usr/lib/python3/dist-packages/ldap3/core/connection.py", line 589, in bind
    self.open(read_server_info=False)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/sync.py", line 57, in open
    BaseStrategy.open(self, reset_usage, read_server_info)
  File "/usr/lib/python3/dist-packages/ldap3/strategy/base.py", line 146, in open
    raise exception_history[0][0]
ldap3.core.exceptions.LDAPSocketOpenError: socket connection error while opening: [Errno 111] Connection refused

Did you add inlanefreight.local dc01 and dc01.inlanefreight.local to your hosts file?

yes sir

can I ask the question about htb of retired machine :Active here?

Read #welcome then go and ask in #boxes

Have you tried the other user?

tried both same output

best user security ever

Oh wait, you have swapped target and your IP
@forest zenith

Hey guys. I just scanned one of the academy servers with nmap for all 65535 ports and i think HTB is using one computer for all exercises LoooooL

https://github.com/dirkjanm/krbrelayx

-d = recorddata = Your Kali IP

lol

That was it

Thank you @acoustic owl

@acoustic owl Now, Im also getting a error while trying to use addsn.py. Is it the right account:

┌──(kali㉿kali)-[~/krbrelayx]
└─$ sudo python3 addspn.py -u inlanefreight.local\\callum.dixon -p C@lluMDIXON --target-type samname -t sqldev -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
[+] Found modification target
[!] Could not modify object, the server reports insufficient rights: 00002098: SecErr: DSID-0315145A, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0

No, check the users again

Hi

Anyone here

I

K

Yes?

hi

im currently completing the metasploit module, payloads. I have no idea how to exploit the druid service. Im not sure if im using the right payload since nothing ive tried has worked...

1. make sure its not a ddos attack
2. make sure you're using the right rport/lport rhost/lhost options as applicable

Hello everyone, it's probably a dumb question but I haven't find the answer for this one. I'm doing Linux fundamentals, file system management part and there is a question "What is the size in GiB of the "/dev/sda" disk in our Pwnbox?". The problem is that there is only one option to start pwnbox is by activating instances which i can't because I've already powered it on (I have only 1 activation per day). Is it possible to somehow connect to pwnbox with, for example, ssh and answer this question without googling it? Thanks in advance

You can only access the PwnBox when it is started.

Oh okay, will wait until tomorrow. Thanks

y0 y0 to all. I need some help on SQL injection fundamental module at the last question. I have this webserver with a login being trying to inject some SQL code for 1 day now and i can't seem to do nothing to the database or login page. I have also BURP setup and can send the request from the repeater to see If i get a response in the body with some type of leak but can't seem to see something. I have also nmap the trarget and found the apache serve version.

How can i found out if the database is affected by SQL injection non of the special characters work?

Hello

I'm working on Starting Point, I barely know anything at all concerning htb, however I do have experience with Linux, and my current machine has WSL enabled
Is it possible to work on the starting point with WSL? Or do I need to create a linux VM?

Hey I'm doing https://academy.hackthebox.com/module/144/section/1256 , Active Subdomain Enumeration. I added inlanefreight.htb to my /etc/hosts and was able to find the FQDN. I added the FQDN to my etc/hosts but that doesn't seem to work, it is the host machine IP that goes with it or am I missing something

best you ask this here #starting-point
If you have no access, read and follow #welcome

oh yes thanks man

Why do you add the domain to the hosts file? This is not necessary.

you shouldn't start with starting point.

Starting point is after HTB Academy.

This channel is for modules under HTB Academy. (which is where you should be going to)

oh ok I understand

there is a module in HTB Academy that sorta eases you into the whole box stuff as well

and setting up a vm is included.

eh I think plenty of content is more advanced then starting-point

overall starting-point just kinda sucks imo lol

I know how to setup a vm, I'm just wondering if it's absolutely necessary, given that my laptop is lacking in storage, and that I already have WSL set up

but I'm not more advanced, that's the issue

lots of people have issues getting WSL to work, I do not recommend

@acoustic owl when i do nslookup without adding it I got error messages is there a way to get results without adding it?

It's just generally more convenient to get ur own VM setup.

You have to specify the target IP as NameServer

if you cant setup a vm yet, then make good use of your pwnbox instances

Oh ok

welp, time to make a vm :(
I'll set up Fedora

just grab kali

unless you feel like doing hard mode

Hard mode is my coffee brand

(I don't drink coffee)

Nah, it's just that I'm more familiar with Fedora

Your poison

Vast majority of guides and tuts and academy content are going to presume youre using kali or parrot. So be prepared to have to fill in a lot of setup gaps yourself

is fedora pre installed with sqlmap? 😛 hahah i dont know really lol

Yeah i know

I'll figure it out when I cross that bridge

help for Where is the SAM database located in the Windows registry? in the Password Attacks Attacking SAM ?

i tried manythings

The module tells you this pretty explicitly. When in doubt, try and copy and paste exactly how it's formatted in the module.

anyone available for a question on Credential Hunting in Linux/

Is there an alternative to PowerView & SharpHound but for Linux?
I am having a hard time finding one

Sure

hey guys I find a way 😄

Hey, I have solved this.

Still stuck? You can dm me.

hello all please help

AD Enumeration & Attacks - Skills Assessment Part II

question 4

AD Enumeration & Attacks - Skills Assessment Part II

Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.

am stuck here for more than a week

a week??

what common methods have you tried

i mean i work so i don't have much time

i have tried password spraying

did you try spraying using their example passwords

yup invoked the ps1 file

imported it first

then used the invoke command

am not sure what pass i have to try other the one mentioned in the "Internal Password Spraying - from Windows" section

then perhaps your user list is bad

yo guys can i discuss ctfs in the server?

you should probably read #rules and #welcome

this channel is for module discussion

yea so i ask if u have some room for ctfs

maybe you should learn to read better

did not use a user list as it was not discussed in the section

yea ur right my en is not that good bro

theres sections about enumerating users

but i will definitely look it up

thanks a lot

what were you spraying if you didnt have a user list? lol

helpful tip

gl 👍

i thought if the user is domain joined then we don't have to use a list 😦

ah tbf, I didnt use whatever ps1 script so perhaps it enums users first

I'm a little bit stuck on the Credentials Hunting in Linux, I have managed to ssh onto the target after reading the hint, and I have found the bash history file for will but I cant open it or read it ||tail: cannot open '/home/will/.bash_history' for reading: Permission denied|| as with the code shown in the module. Can anyone point me in the right direction from here?

this is my first time doing a user list .... do i have to enter the username only or the full email id

depends on the tool

DomainPasswordSpray.ps1

idk I dont use it

no worries thanks

Look for something else

like the .bak files?

something to do with browsers

Cool, When i run the example commands in the browser section I get a failed output, but i'll look a bit deeper

I'm on the protected Files module and I'm stuck I got the id_rsa file but everytime I try to convert it I am faced with this error:(I've also tried on both my personal machine and pawn machine) ERROR: /usr/share/john/ssh2john.py id_rsa > ssh.hash
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'

Im sure youll get it

bash history also could help you but not wills

I think i found the browser things, thanks for the pointers. been at this most of tonight

this password module is pretty insane ngl

yeah, that 8 hour estimate on the overview is deceptive

exactly i would say at least double that

im the dumbest person alive, i sovled it the issue was you cant have the file go from id_rsa to ssh.hash it has to be from id_rsa to id_rsa.hash

Atleast you found the answer.

you still working on the same one?

yeah, cant get firefox_decrypt.py to work

how is it not working

tried copying the file from kira's to my local and use it there byt then the profile does not show up

oh ya dont do that I know exactly the error your running into

Who can help me out with the NMap module? Stuck on the last lab.

Oh and hello of course 🙂

Basically when you transfer the file it adds your whole transfer to that file so instead find a way to copy firefox_decrpyt.py into a file on your target machine and run it from there but if you already transferred the file then restart your target ip machine and this time dont transfer it and just run firefox_decrypt.py on the target machine right away

Makes more sense

well, this might be stupid, but when I try to upload the .py : ftp> put firefox_decrypt.py
local: firefox_decrypt.py remote: firefox_decrypt.py
421 Timeout.
or > Not Connected in a follow up attempt

am I just being stupid?

hope that was retoric. JK.

were you able to solve this?

just a little bit.

which part are you stuck on?

Last lab of NMAP IDS evation. It though/think I tried all. Including trying harder.

reconnected and tried again, what do you know it worked first try

had the exact same thing happen with an earlier module but third try lmao

have you tried using the -T modifier and using -g 53?

Has anyone completed the Windows Event Logs Skills Assessment? im on the first question, and stuck..figured it would be easy to find, but none of the .exe files are matching up

mabe not yet. Thx for the hint.

scrach that...for some reason i wasnt opening the DLL event log

if -g does not work look for a source port modifier

I finally got it. Thans creator

no problem, anytime just ask

hello guys

Need to go all. Pretty late. Have fun. And thanks for the hints.

when i open kali terminal in virtual box this message pop up suddenly in the terminal

what is it?

Looks like not enough rresoureces assigned to the CPU or somcthing.

^

Or SWAP fulll

but what is realtion between watchdog game and this weird message

Lmao

Give your VM a little bit more resources and SWAP space. Seems like you use low-spec computer.

It has nothing to do with the game

exactly

LOL

Anyway. Night night all. _o/

since while i tried to install watch dog in my pc but it cannot launch

The game got its name from this service

It is wholly unrelated

theris service named watch dog?

Yes

It's a system level service that monitors hardware

LOL

:p the service has been around way longer than the game

It's really not something gone over in cpts or cbbh if I'm looking at the curriculum correctly

https://www.infineon.com/cms/en/design-support/tools/sdk/psoc-software/psoc-4-components/software-watchdog-pdl_swwdg/

But here's an article

¯_(ツ)_/¯

You could try some one liners with PowerShell or generating a reverse whell with msfvenom and downloading it to the machine

It ain't that deep

capture request with burp, use an encoded one liner

ok thanks

my goto strat with these tends to be to pull down a shell script and then use a second command to execute it.

But otherwise this is a pretty standard thing youll want to have some comfortable tricks using

I'm currently working on HTTP Attack Module's section TE.TE; can I dm someone about this?

Is it me or do some of the HTB modules "over-talk" some of the topics? I'm reading about DNS and all of a sudden the module throws in CHAOS records out of nowhere

I mean they elaborate alot on certain things and sometimes skip through certain info.

It's at the end of the day rlly up 2 you how you study and learn more.

Hello if you need help in Footprint module easy lab, medium lab, hard lab ping me aside that thing is difficult xD ill try to give you the right direction i just finished them a few seconds ago

Thanks man. I thought I knew my stuff until I began to use dig lol

I spent a good hour trying to figure out what they needed me to find

my pleasure, i would say that the 3 labs are not easy or medium i would say that they just have a different services with different ways to enumerate them and thats it

because from my pov all of them were hard

xD

wait till you get to pivoting and ad 🤯

there's always more to learn

well hello there

can't wait to beat it as well UWU

Im on password attack module and im on the easy assesment. I have got access to M*** account completely through ssh but now ive been going through his bash history and really trying to find a way to get root but im stuck. Can someone point me in the right dirrection

Yeahh dude

For the 2nd problem in Windows File Transfer Methods section under the FILE TRANSFERS module (https://academy.hackthebox.com/module/24/section/160), it says to upload file to the target machine and then RDP into the machine to unzip it.

I am able to upload the file after RDPing into the windows machine and get the flag.

Is the question phrased incorrectly?
If not I would really appreciate it if someone could nudge in the right direction so that I can actually solve the problem in the "proper" way.

what part exactly are you unable to do? Have you uploaded the .zip to the target machine?

I am unable to upload it without rdping into the machine first.

oh I get what your saying, no the question is just phrased strangely

gotcha.
Thanks for the clarification!

Can someone give me a hint?

~~Hello, I've been stuck here. I am bit confused where should I modify this htb/fatty/shared/resources/User.java. I tried to modified and rebuild the JAR file but it didn't work. Appreciate if someone can give me a hint. Thanks

Module: ATTACKING COMMON APPLICATIONS

Section: Exploiting Web Vulnerabilities in Thick-Client Applications

Part: SQL Injection

public User(int uid, String username, String password, String email, Role role) {
    this.uid = uid;
    this.username = username;
    this.password = password;
    this.email = email;
    this.role = role;
}
public void setPassword(String password) {
    this.password = password;
  }

~~
Edit: Solved. Thanks @vital adder for the help.

yea this part is kinda evil but read the question carefully you don't need to get root

feel free to shoot me a dm if you still need help with that

Now I’m so confused I read the question again and it wants root password so I’m assuming that would mean getting root

the thing that you said you have read should have what you need

Okay I’ll keep looking at the bash history

In File Upload Attacks - Limited File Uploads, I'm trying to send through basically the same payload as the section notes... but the server just hangs and doesn't send a response. I can upload a normal SVG of course. Can anyone see anything glaringly wrong from my request?

need to url encode the command. try putting + instead of spaces

if you are on question 1 then that should be right

the target hangs but did the file get uploaded?

Just done it today, Best of luck to you all!!

https://academy.hackthebox.com/achievement/badge/e0d5b79c-25f6-11ee-acfc-bea50ffe6cb4

nah, burp just times out and I don't get a response. Refreshing upload page and viewing source shows the image hasn't been changed either 🤷‍♂️ i'm going to reset the box and see if that works

nah, same deal. If i just put <svg>test</svg> as the payload, it uploads and i can view it in the source code... has to be something with the xxe payload

just give it a quick try and everything seem to be working fine for me

used the same payload (without burp)

URL encode key characters in burp

Have a looked here:
GET /tmpbijqh.php?cmd=python3+-c+'print(100)' HTTP/1.1

Congrats, good luck with your exam.

alright, i just vpn'd out of my network and it worked... maybe my pihole was blocking it? who knows. Cheers for the help

Hey c0nstant. Thank you so much for getting back to me. I was able to by pass the login page. Now trying to see if I can get info from the database. Might come back to you if I can't find something today hehe. thank you so much for your help

Does anyone else have problems with accessing their badges, get's an Unauthorized - Warning, when accessing them?

none on my end

looks OK to me too

Try logout and the login again

https://cdn.discordapp.com/attachments/774040263278592041/1130770219246293023/Screenshot_20230718_105517.png

When I run the above command I get this kind of output. It runs forever. When I run the same command on my kali vm it says "zsh: parse error near '&'.

I've this problem the weekend, so i logged in and out serval times in the meanwhile, but without any change, on the weekend i also had problems to start the pwnbox instance, but thats fine now

Reach out to support (green bubble)

there are multiple & in your url which in linux is sending the command that you are running in the background

add ' to your url

Add quotes around my URL?

yep ('URL')

Thank you! Makes sense.

If there is someone who can talk about AD enumeration and attacks Skill Assesment II, im on the question about the hash of CT059. 2 days im on it and nothing 😦

Anyone know a responder like which Can work well on windows through evil-winrm?

Hey @tall saffron not related to your issue but what module is this in the academy?

you can use Inveight.ps1

It is the AD enumeration and attacks module

I tried but no success

Maybe it was a problem in an other part so

to run it through evil-winrm try load it in memory, or try to get RDP access

I tried too but no result, maybe with new (reset) box

Personally I did it while I was in RDP, from the man page you can see that with evil-winrm there is an option to load a script with the -s even though I haven't tried it myself

I talk about winrm because i searched for hint today and i saw someone in the forum who said it must be done through evil-winrm (weird idk why)

Can i dm you really quick ?

sure

Hello

Koi hai

I did it via evil-winrm and logged as admin there but you could do it in different ways, I believe that you have admin hash for MS01 & SQL01, logging via evil-winrm to one of the compromised domain and run Inveigh.exe {found here:https://github.com/Kevin-Robertson/Inveigh/releases/tag/v2.0.10 } NOT Inveigh.ps1 , waiting a couple of minutes and you get CT user hash

I copied the exe via RDP, but ran it via evil-winrm

in password attacks, they suggest to use the --force with hashcat whilst in the hashcat module they advise NEVER to use this option.

How big is the chance on incorrect results because of the --force flag

when you in evil-winrm, you could use built in functions, one of them is upload

upload /home/kali/your/file or upload /home/kali/your/file C:\file\destination

or I could just drag and drop it via the existing RDP that is already open, and save myself a lot of typing

😄

there is no right or wrong method, as long as it works then go for it

evil-winrm upload doesn't work is a classic and now it's more of a feature then a bug 🤣 so don't be surprise if this doesn't work

Yeeees after 2 diffucult days i was able to find the flag of the sql module. thank you all for your help

i forgot to mention is that my evil-winrm session was through my machine, not through the ssh session with the help of proxychains

proxychains -q evil-winrm -i some.ip -u administrator -H XXXXXXXXXXXXXXXXXXXXXX

through a proxy or not the upload "feature" in evil-winrm work like 20% of the time for me

that why i did it on my machine, ssh dynamic port forwarding

at least it worked for me that time

evil-winrm upload should work fine, as long as you give full paths.

i may mistake the upload with the download but both usually don't work for me

Same goes for download. If you're seeing it 'fake' an upload/download, chances are you just didn't give it a full path.

I used to have problems with it, too.

But then it took an arrow to the knee?

In the FTP section of the Attacking common services module, the FTP service is extremely slow, taking like 10 seconds to respond to a login attempt. Since the task is to bruteforce the username and password, this makes it kinda impossible. I tried resetting the target like 6 times but most of the times the service won't even start. What to do?

what port ftp is running on ?

2121

good, there is no need to brute force, there is section about 'Misconfigurations' try to read it again and understand it

i know i can login with 'anonymous', but i still need credentials for ssh connection

I believe that Hydra will work, and use -t 4 for threads along with rockyou

anyway im pretty sure the target in that section is broken so someone from HTB staff should take a look at that

On Attacking Kerberos Module, on chapter "Unconstrained Delegation - Users" how am I supposed to use powerview?

Since I cant RDP into the machine or get psexec or winrm running

How can I check the users?

The user you are using is wrong

Why do you need credential to log in anonymously.

Yes, but I cant use powerview

you don't need powerview to solve the question

The module provides you with the users. You do not need a powerview

powerview is just an example

this is so annoying

xfreerdp /v:10.129.101.50 /u:htb-student
[05:34:33:504] [25401:25402] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[05:34:33:505] [25401:25402] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]