#modules
I was just amused. Was imagining that Rick and Morty scene with pizza, telephones and couches.
He said it so it must be right
If a tree falls in a forest, and nobody is around to hear it, are you still wrong?
Lmao
Just as you quoted the title of an article from 6 years ago
I'm a hacker, and I say you're wrong
Wdym?
The guy that is a pentester, who said that pentesting is a QA process... who you just called a hacker... isn't a hacker?
Mental gymnastics there
WHA i thought this was general
Lol
Wow, his code is so clean, he must be a cleaner, then
Wow he’s such a hacker
You have a narrow view on what a hacker is.
A hacker is a person skilled in information technology who uses their technical knowledge to achieve a goal or overcome an obstacle, within a computerized system by non-standard means.
Nothing there about requiring exploit development.
I think it's best to just block him, my dudes. He does nothing but complain about modules all day, and ask for help. He's likely struggling with the idea that he won't ever pass the exam, and won't make it in the industry.
Nah, it's easy for him, just make it a bit more straightforward because that's what pentesters do
There’s no challenge
I'm sure pentesting is just running Nessus scan, and then reporting findings.... right?
You're not even passing the assessments. =/
Easily
Easily, I'm sure, just make it a bit more straightforward
Anyone, ignoring the trolly commentary.... anyone completed Injection Attacks? I could use a pointer on where to go next with Xpath injection.
I have literally seen you give up 30 seconds after getting to a question.
Lol
More than once.
Hello guys, can you help me with this question? I'm stuck
We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
You give up in the way that you ask for the answer
SQL injection module (reading files)
I'm a native speaker and I didn't have any issue understanding
There are non native english speakers who have better grammar than native level speakers
While I have seen some slightly odd English in about one module, it was still perfectly understandable.
Indeed
Honestly, I'm less offended by you calling it QA and more offended by you calling it 'not hacking'
What have you tried? Check the file that's being called/imported from the code that you're able to read.
You can just stop using it if you don't like it
I like how this is still going XD
Also, I always thought QA was for products given to customers
OK, I'll try
If you said that to Chris Kirsch, he would probably laugh you out of the room
On **ACTIVE DIRECTORY ENUMERATION & ATTACKS** > Kerberoasting - from Linux > "What powerful local group on the Domain Controller is the SAPService user a member of?": I don't see any Linux solution to directly enumerate group membership with the provided tools (I guess I could try ldapsearch but I haven't learned how to use it yet). Did I miss some explanation within the course, or am I supposed to try to connect to the DC using the freshly cracked SAPService credentials?
You can get it using the tool from the question above
I got the answer from the same command I used from question #1.
You can also build LDAP queries to solve it
I totally missed the fact that I had this info directly on my screen, thanks both
Indeed, but at this step of the course I have only "learned" LDAP queries using the Windows dsquery tool and not ldapsearch, which requires some parameters I haven't read about yet (or did I miss something else?)
It's in the AD LDAP module
Is it in the pentester job role path?
If you've got creds, you can use crackmapexec to get down group information from linux.
Well, I only know how to list "all" users or "all" groups, not a "specific" user's group membership, using CME
@thorn urchin I used mimikatz to dump the LSA, I found the user t*** but his password is not in cleartext, is that normal?
Is this possible using a specific module?
Try other tools
Are you perhaps using a more recent version of the provided CME?
Nope, I just made a suggestion based on the crackmapexec usage doc
You are making the same kind of assumptions ChatGPT does when I ask it such questions lol, it told me rpcclient could do it too when I asked hehe
Lol
AD Enumeration & Attacks - Skills Assessment Part II:
"Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host." I connected to SQL01 and have a rev shell, but I'm not sure how to transfer files over
Kind of depends what you used to get shell.
I just had a feeling that CME might have something like that. I kinda still feel like it might. It's all just assumption tho
Maybe oh maybe
Connected to the reverse shell with netcat
yelo
Well, you could fire up a simple HTTP server on your attack machine, and then use something like Invoke-WebRequest if you can launch PowerShell from your nc session
Can I still do this through proxychains?
What module did you use?
It's an MSSQL server, which you got the creds for in the last question. Just search for modules that involve MSSQL and you can set a meterpreter payload 🙂
I'm trying to use the windows/mssql/mssql_payload module, which I think should work. It uploads the payload, then says "Exploit completed, but no session was created."
Can you please provide more information?
Hello all
AD Enumeration & Attacks - Skills Assessment Part II
Q6
Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
I realize, since there are no easy wins (Kerberoasting etc.), that now the right action is to use BloodHound
PowerView is not working on the AB920 user machine
Ran BloodHound on my htb-student machine
Was not able to find anything
Am I missing something?
Think of other ways to find passwords and give them a try
I am not able to connect to the SQL machine yet to look for the file
Read the question again, does it say you need to be connected?
Module- Attacking Common Applications
Section- Attacking WordPress
question 4 - Following the steps in this section, obtain code execution on the host and submit the contents of the flag.txt file in the webroot.
I have a PHP reverse shell on the target and used the "find" command to search the entire file system for "flag.txt". I can only find 1 flag, but it's for the previous module section. I see no other "flag.txt". Anyone who finished this section, can you give me some direction on this?
Perhaps it is not named flag.txt
Maybe you're right, but damn, the question says "contents of flag.txt". I got the machine fully compromised and have been searching around for a while now, haven't found anything yet
It does say "in the webroot", did you look at what files are there?
Like madf0x suggested, check the webroot. You could also do something like find / -name flag*.txt, at least I think that would work
"webroot" is kind of an imprecise term, usually that's /var/www/ right? Or what is the "webroot"?
Depends on the application's configuration
^
But generally I'd start in something like /var/www first, yeah
That's a good place to start most times
If you know what the underlying application is you can Google "application webroot"
OK
If I'm not sure, sometimes I'll just check the Apache/nginx/whatever configs
If I gained RCE through a web app, very frequently the working dir it drops you into will be the webroot or only one or two levels below as well
Proceed to do
ls -la
cd ..
ls -la
cd ..
ls -la
haha
OK, yeah, found the flag like you said by backtracking directories one by one, and yeah, the name of the flag file was obfuscated some, so you can't just search for it.
Actually this may have worked too
When I've gotten really desperate I'll just grep the entire filesystem for the flag format lul
Sounds like a legitimate strategy
It's really slow
Can someone help me out with finding the right exploit in Metasploit? I have tried so many different ones, but none of them are working
Would someone mind pointing me in the right direction please. I am on the Footprinting Medium lab, in the MSSQL server. I have been clicking + and - for way too long lol. What am I missing here?
Make sure you are launching it with the appropriate privileges
I believe I have logged in as the right user.. I found that there was more than one. Logged out as the initial user and logged back in as a 'upgraded' user.
I mean the application
The server app?
DM if you'd like, I think I know where you're stuck but not 100%, and don't wanna spoil
Just curious, does anyone know like the average time it would take to finish the whole Pentester path?
It seems the average is around 3 months.
But it depends entirely on how much time you put into it, and how much you already know.
I'm currently working and have a family... I had 0 knowledge in hacking when I started and it took me more than a year to complete it! 😂
Could you elaborate on that
That message is from over a month ago lol
Also, anyone free to DM for Attacking Common Services - Attacking RDP? Solved it, but the hint makes me think there was an alternate way that I should probably write down
Could just be me being very sleepy, though, impacting my ability to read
Can anyone help me with Attacking Common Services??
I'm trying to solve the challenge of Attacking DNS, I think I have all the information needed to answer but I don't know how to respond.
What is the syntax of the flag?
You can send me a DM, then I can show you my way
Like so
HTB{………}
Can I send you a DM?
sure
Any clues as to how to start the Footprinting hard lab?
I performed all of the scans and then did a -sV -sC on the open ports and I still have nothing. I saw something about SNMP in the forums, but there was nothing on those ports.
I'm confused
DM me, I don't want to spoil in this chat, and I can only say this one way
Try POP3 ports
And don’t forget there are two protocols
When scanning with nmap
I think there are some leftover artifacts from testing on Attacking Common Services - Easy. The C:\Windows\System32\Drivers\etc\hosts file is overwritten with something from a PoC. Not too big of a deal to report in #858470491676737536 imo, but thought I'd mention it.
Also I am a bit surprised at how involved the easy skills assessment is for that one, but it's good stuff
Nah, it was cool
Definitely tricky if you're new to this stuff, which is why it makes for a good assessment
There are ways to figure this out 😉
Sometimes spite drives us to just be better 😆
I think you have accessed the "website" on port 443 (https).
This is an FTP server in this lab 😉
You're right, thanks for that
In the file you found, you saw two paths.
Also, a scan with Nmap shows you what is running on which port.
Not everything is always as you would expect it to be.
You should use hashcat -m 1800 hash.txt mut_password.list and ensure your password list and hash files are correctly formatted with appropriate read permissions.
Still the same - shows no hashes loaded
Shall I DM you?
Hello to all. I am trying to understand this part of the sqlmap module:
User-agent Blacklisting Bypass for SQLmap
"In case of immediate problems (e.g., HTTP error code 5XX from the start) while running SQLMap, one of the first things we should think of is the potential blacklisting of the default user-agent used by SQLMap (e.g. User-agent: sqlmap/1.4.9 (http://sqlmap.org))." --> How can I check if the normal User-Agent is giving a 5XX error?
The Burp request is well received when trying to tamper with the id parameter. Do I have to check this with curl? I can't seem to find any message from sqlmap that indicates we got a 5xx error prior to using --random-agent. Is it because my verbosity is too low?
You could try setting the User-Agent in Burp to sqlmap/1.4.9 and see if it returns 5xx
Same can ofc be done with curl. I would assume sqlmap would warn you if it's instantly 5xx, but I am not sure, and you may be right that you'll have to mess with the verbosity setting (even though this sounds like an error that sqlmap should print even on the lowest verbosity setting)
Hi, did anyone manage to use firefox_decrypt in the Password Attacks module (Credentials in Linux)?
I managed to SSH through and now I am stuck as the Python version is 3.8
Are you sure? Did you run whereis?
Is there anyone who uses the WriteHat report tool? Because I have some issues
I would avoid it. It's beyond buggy, and without being pre-populated, it will only slow you down.
Can you suggest some reporting tool?
I tried a few of them, but none of the free options have a populated database. Without that, they don't offer much benefit.
Is APTRS OK?
I don't know, perhaps we should probably discuss this somewhere else
Private message?
sure
Hi, can anyone give me a helping hand with the Nmap firewall and IDS evasion lab?
Quick question, anyone know why I'm getting these errors?
I'm doing Linux Fundamentals > Containerization, and it happens once I type the second "sudo apt update -y", after that nothing works.
This happens on both Pwnbox and my VM.
This is the entire script
Which question are you stuck on?
the medium lab can get the unfiltered version of port 53
What commands have you tried thus far?
Currently trying: sudo nmap -sS <box ip> -p 53 -Pn -n --disable-arp-ping -D RND:20 --source-port 53 -sC -sV
Try with -T 2 as well
Try dropping the source-port from your command
No luck, still filtered
What happens when you use --max-retries 0?
Maybe drop the -sC as well
Just check that you are not locked out for the 5 minutes after generating too many alerts
Okay, will do, just waiting for a -T0 to run and I'm at 17/100 requests at the minute
Still filtered 😦
Try with this sudo nmap -sS -sV -p 53 -T 2 --reason --max-retries 0 --disable-arp-ping -Pn <ip>
Got filtered domain no response
Weird. That worked for me when I was doing the lab
Hi guys, I have been stuck on the Passwd, Shadow & Opasswd module for a while. Is anyone free to help me in a private chat, so as not to spoil any answers?
Yeah, very annoying, no luck
Nvm, I finally did it!!
What went wrong?
I was trying to unshadow the ||.baks|| when the hash was inside the ||shadow.bak||. I was doing what the module said
windapsearch is a cool alternative (the Go version): you could use the members module with the --group switch, if you know the DN of the group you are enumerating, to get the group membership. I haven't tried it out yet tho
You can also unshadow by hand if it's only 1 or 2 like in the module
Has anyone done Whitebox Attacks? I'm having an issue with the Remote Command Execution chapter, where I can't make it do the described 2nd injection. Any ideas why the JSON proto injection isn't working?
Ah, nevermind. I understand how to do it now. It was simply how the JSON was constructed that was the problem. Good link for this module: https://book.hacktricks.xyz/pentesting-web/deserialization/nodejs-proto-prototype-pollution/prototype-pollution-to-rce
Probably not
I do: smbclient //DC01/ -U julio
But I get no output. I am user julio@inlanefreight.htb
I have one last question to answer for this section, which is: "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio."
It's the Pass the Ticket from Linux module
What should I do here?
I already found the ccache file and used it to switch from root to julio
Because it's not utilizing the impersonated Kerberos ccache file. Use -k to use Kerberos auth and the --no-pass switch, I think, to force it to use the ticket.
Weird, added those and it still gives me zero output
Apologies, checked my notes, it is -no-pass
Hmm, not working, still no output. I am going to run an errand. Be back later
Okay, try this too: smbclient //dc01/C$ -k -c ls -no-pass
gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
brb
I'm doing the CPTS path, and so far, everything is going great. However, I'm kinda stuck at the "Password Attacks - Pass the Ticket (PtT) from Windows" section. I'm having a really hard time understanding the concepts in this section. Does anyone suggest external resources that will help cement the information discussed in this section better?
Am I the only one that is/has been experiencing RDP connection failures? I'm trying to do Password Attacks: Pass the Ticket and can't connect with the provided credentials, from either the Pwnbox or my own VM.
The creds provided on the question
Put the pass in single quotes
$$ is a variable call; single quotes tell bash to interpret the input as text and not a variable or anything else
Makes sense, I got this response.
Is the lab still up? Reset it and try again
Whenever this happens to me, I disconnect then connect to the lab VPN again.
AD Enumeration & Attacks Skills Assessment 2: can someone help me with obtaining credentials for CT###??? I'm trying Inveigh but it isn't working
How can you set the connection to tcp?
^
It works, can't believe it was that simple
:p Lab probably timed out while you were figuring it out
When using evil-winrm, Inveigh doesn't listen and I'm not sure why. Can anyone help?
Guys, I have trouble with Pwnbox: after I spawned it I can't connect to the target machine by SSH, and the same issue occurs after resetting the machine. Has anybody run into it?
For the Footprinting module, for SMTP, what's the intended method to enumerate the users in the list provided? I tried passing the list as an argument to the Nmap SMTP user enumeration script and also used the VRFY method, and ran it with packet trace on, and it shows as only hitting the first user in the list, but when switching the method to RCPT it hits everyone. Regardless, when I manually enumerated everyone to get the answer, the user that I found still returned a status code of 252, so I'm not sure it'd even return a result if the Nmap script did run as I intended it to.
Evil-WinRM is not an interactive shell, meaning you won't be able to work with any "live output"
You can actually still use Inveigh (kind of) from winrm, but it’s very scuffed and you should just use RDP if possible
Below is the Nmap script I tried using: ||sudo nmap -p25 10.129.42.195 --script smtp-enum-users --script-args userdb='/home/htb-ac-474810/plaintext.txt',smtp-enum-users.methods={VRFY} --packet-trace||
I'm working on AD Enumeration & Attacks Skills Assessment 2. I'm doing pass-the-hash and RDP doesn't let me use the hash.
Just use the smtp-user-enum.py script
Not the Nmap subscript
Because Nmap scripting is scuffed af
Thanks! Yeah it does seem pretty scuffed lol!
The error you are facing can be bypassed
Any help for "Where is the SAM database located in the Windows registry? (Format: ****\****)"?!
Can anyone explain SQLMAP ESSENTIALS > Attack Tuning to me?
Case 5 please
Time-based attack, UNION... took time and was slow
This error can be bypassed?
Account restrictions are preventing this user from signing in. For example: blank passwords aren't allowed, sign-in times are limited, or a policy restriction has been enforced.
Nevermind, I just got it
Thanks for your help
I tried tuning as best as I could, but how can I know I got the right tuning?
So I found a flag in the JS Deobfuscation module, but I don't understand what that "%" at the end of the flag is, can somebody tell me?
Probably just some URL encoding things going on, you can probably ignore it
In Password Attacks, Pass the Ticket from Linux, I am user "julio", but when I do: smbclient //DC01/C$ -k -c ls -no-pass I get: gensec_spnego_client_negTokenInit_step: Could not find a suitable mechtype in NEG_TOKEN_INIT
session setup failed: NT_STATUS_INVALID_PARAMETER
There were 2 tickets for julio if I'm not wrong
BTW that module is a bit...frustrating 😂
AD Enumeration & Attacks Skills Assessment 2. How do I connect to DC01?
I'm stuck on the Linux buffer overflow skills assessment; when I try to run my exploit I just get "Illegal instruction (core dumped)". Does anyone know what the reason could be?
I'm stuck as user julio
I should not have switched from root, now I've got to backtrack a bunch haha
"Password Attacks - Credential Hunting in Linux." The question is: "Examine the target and find out the password of the user Will. Then, submit the password as the answer."
[★]$ hydra -I -l Kira -P mut.pass.list ftp://10.129.202.64 -f -V
[ATTEMPT] target 10.129.202.64 - login "Kira" - pass "Willi@m99!" - 93972 of 93973 [child 4] (0/0)
[ATTEMPT] target 10.129.202.64 - login "Kira" - pass "Willi@m99!" - 93973 of 93973 [child 4] (0/0)
1 of 1 target completed, 0 valid password found
I have tried many times with hydra, but I can't crack the password. Anyone, please help me?
This module in particular, I mean, the module makes the job a lot easier by providing a passlist, but generally speaking I hate doing bruteforce on services and waiting
Luckily I've finished it today. Gonna crash into a wall again for the AD part for sure
Can anyone help?
Hi guys, I'm doing the skills assessment for Hacking WordPress. I have all the flags except one and can't find the bloody file I'm supposed to download with the flag from one of the plugins, any chance of a nudge in the right direction?
The hint will give you a password.
With this you have to create your own password list.
||evil-winrm|| is a good option
You log in with the CT user, correct?
No, with Administrator
It might be worth revisiting and rereading a lot of the material from the module, you’ve asked questions almost every step of the way for the skills assessment. I also think that it’s a tricky assessment, but definitely important to get a better grasp of these things instead of completing it as quickly as possible.
Search for the plugin and the vulnerability. I am sure Google or any other search engine of your choice will lead you to the right place.
I got it in the meantime, thank you. I got everything without having to go near the vulnerability DB, then I realised it was what I needed to do to figure it out
BOOM, bug hunter path now complete
😄
Congrats 🎉
174 CBBH certificates have been issued so far. You can join the top 200
Yeah, I am going to reread it. I'm required to finish the module by August 1
Hi everyone, I'm in the AD module skills assessment and I've been looking for the password for t**** for hours now. I've used mimikatz and I can't crack the hash, I've used LaZagne and nothing. Please, I need a clue or an indication to continue.
And I tried PtH also
If it's been running for a certain amount of hours, you might lose connection
Hi to all. I was able to find the last flag of the sqlmap module by copying the HTTP request and passing it to sqlmap with a time-based technique. When I try to do this manually, without a txt file, I can't seem to get the same results. In both cases I also have a tamper setting. Do you maybe know why this is? I could post the two lines here, but that would give the exact answer to the module.
Hello, could someone help me with MSSQL (https://academy.hackthebox.com/module/116/section/1169)? The thing is that I tried to log in with the available credentials but it did not work for me, I tried in MSSQL and SQL as well, any hint? mssqlclient.py htbduser@10.129.67.252 -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
┌─[root@htb-dzql6elch2]─[/home/htb-ac-395388]
Holy shit, I thought it was way more than that
Thank you kindly
I'm going to buy a voucher today and see what the cric is
Good luck 🍀
craic
Can someone please help me :C?
Thanks again
Pls, can someone help me?
For that reason I used this flag, "-windows-auth", am I missing something?
I was using sudo
Checking
Which SA? I or II? For which question?
Nope `mssqlclient.py htbduser@10.129.67.252 -local-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug]
[-show] [-file FILE] [-hashes LMHASH:NTHASH] [-no-pass]
[-k] [-aesKey hex key] [-dc-ip ip address]
target
mssqlclient.py: error: unrecognized arguments: -local-auth
`
Sorry, I was checking
Oh sorry, the first one, and the question: "Submit this user's cleartext password."
Thanks
locate impacket-mssqlclient
locate: warning: database ‘/var/cache/locate/locatedb’ is more than 8 days old (actual age is 79.6 days)
/usr/bin/impacket-mssqlclient
It exists, I am using the HTB instance
Checking with the full path command
The path isn't the issue
Try CrackMapExec
Mimikatz apparently causes problems in the newer versions and does not find the password
I'll try this
/usr/bin/impacket-mssqlclient htbduser@10.129.67.252 -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
┌─[root@htb-dzql6elch2]─[/home/htb-ac-395388]
Nope
@thorn urchin so what could be the problem? I am typing and copy-pasting the password
So the password is not the problem
the '
Your username is wrong
lol
Would someone mind giving me a DM. I am on the Footprinting Lab - Hard. I am trying to log into the MySQL server and keep getting an ERROR 2002 (HY000) error. What am I doing wrong? Any help would be super appreciated.
You're right
xD
hahaha
`/usr/bin/impacket-mssqlclient htbdbuser@10.129.67.252 -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
┌─[root@htb-dzql6elch2]─[/home/htb-ac-395388]
`
Nope, seems that's not the problem
I copied the one that @rustic sage sent us
hahaha
Relax bro
It's understandable
xD
english only, before a mod sees
It doesn't work even with CME, I used it before, I use it with local-auth
Check out the option ||Local Security Authority||
Is it necessary? I mean, I checked, but I was copy-pasting
And I tried manually by typing and I checked as well
Look
"htbdbuser" and password "MSSQLAccess01!" || /usr/bin/impacket-mssqlclient htbdbuser@10.129.67.252 -windows-auth >> password MSSQLAccess01! >> output: [*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
Nope, it's not what I am typing or the copy-paste method
Checking
I can't make it work locally? I have to dump LSASS and then use it on my attack host?
Did not work xD, let me show you the output
tmr
I cannot send it
xD
I mean I could not
I don't know. I solved it with Mimikatz at that time. But with an old version.
A few days ago another student showed me the way with CME.
I think I used secretsdump but idr for sure
OK so with Local Security... I can't do anything because I can't use mimikatz
Mimikatz def isn't the only thing that can touch LSA
Yes
Ahah okay, I'll test secretsdump right now
OK, I'll send it to you now
LaZagne had indeed solved it already 😉
Hello. I'm working on the Documentation & Reporting Practice Lab. I'm on question 1 and stuck, can I get a nudge?
All of the answers are explicitly written in the section for that one
Having a lot of trouble with the File Transfers module, first section: "Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run 'hasher upload_win.txt' from the command line. Submit the generated hash as your answer." Anyone have any advice on uploading the file to the Windows target?
Well, the entire idea is to pick a method of your choice to upload it
So utilize the lessons of the module
john --wordlist=mut_pass2.list ~/notes.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00 DONE (2023-07-22 16:30) 0g/s 1995p/s 1995c/s 1995C/s L0vey0u1..LoveYou199!
Session completed
Why does this process end so soon? It's like it didn't even start
This is the zip2john section of Password Attacks, Protected Archives
@rustic sage This is the hash here: Notes.zip/notes.txt:$pkzip2$1220261ad0ced23b043026d0ce7ef8b154046595e5f738ad20bd1cda08958a8814bd6c6153218183c0496d728da36461c0c7b77e1c$/pkzip2$:notes.txt:Notes.zip::Notes.zip
haha lol
Hmm OK
It's doing the same thing
Notes.zip/notes.txt:$pkzip2$1220261ad0ced23b043026d0ce7ef8b154046595e5f738ad20bd1cda08958a8814bd6c6153218183c0496d728da36461c0c7b77e1c$/pkzip2$
@thorn urchin PM me if you've got the time, I'm so stuck
You're better off just asking your question here
I'm at work atm and can only offer limited help
Ah, I see you did ask your question
What file transfer method are you attempting that you're stuck with?
@rustic sage And I removed everything after the third $, so it's Notes.zip/notes.txt:$pkzip2$1220261ad0ced23b043026d0ce7ef8b154046595e5f738ad20bd1cda08958a8814bd6c6153218183c0496d728da36461c0c7b77e1c
But that returns "No password hashes loaded"
I'll keep playing with the format until something works
Yes
@rustic sage 🥹
It didn't end soon, it finished real quick
It's so fast it can do all of rockyou in <1s
Which means you need to use a different wordlist
@tranquil axle hmm, yeah, rockyou finishes in 2 seconds lol
Has anyone completed Whitebox Attacks? I've got a few questions on a couple chapters and would like to chat about it 🙂
This was by far the most difficult module I had ever done, if anyone needs help with AD enumeration & attacks, feel free to reach out.
Congrats! I agree, it's probably the most difficult. There's a few tier3/4 ones that come close though. 🙂
Yep, it's definitely worth re-doing again to understand better. I am gonna head towards windows privilege escalation now.
I'd recommend doing Active Directory LDAP/Active Directory PowerView as a follow on from AD Enum (when you're ready for it ofc). Fleshes out some extra bits of specific knowledge.
Thanks, will do.
The high tier modules that focus on web and sql attacks are also quite tricky 🙂
The only thing I'd caution about diving into higher tier modules is that the exam only covers what the modules in the path cover
I've witnessed multiple highly experienced people fail because they wasted time trying to do advanced stuff not covered by the course
I wasted a whole day trying for something more advanced than what the course covers
💀
Hence my exam advice: when in doubt, think dumber
I didn't have much difficulty with the web modules. I didn't follow the order, so now I am at AD > Windows > Reporting > Enterprise Networks
Everyone's got different skill sets, strengths, and weaknesses. But some of the modules like Advanced SQL Injection, Injection Attacks, HTTP Attacks, etc I found to be pretty challenging... and sadly because fewer people have done them, there's less help available for them.
I think those modules are part of CBBH, in CPTS we have SQL injection attacks but it doesn't go too deep
I'm doing the modules for the modules, not for the exams themselves 🙂
I may do the exams later on
Right on, you will be ahead of most people
78/81 modules. 🙂
You are so close!
Wow, you're doing all of them?
That's the goal
That's cool
Then smash through a bunch of boxes
Whitebox Attacks, Working with IDS/IPS, Game Hacking Fundamentals
Whitebox Attacks is frustrating the crap out of me atm :3
Yeah, I can understand the feeling
I think you've got most of the modules needed to do the boxes, but I can understand the greed for the modules 😂
It's coming up to a year since I started on the modules, so I wanted to get them done before the anniversary 😄
I'm working on the Documentation & Reporting Practice Lab. I'm on question 1 and stuck, can I get a nudge/DM? Thanks
Hello
AD Enumeration & Attacks - Skills Assessment Part II
Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
guys i think am facing a problem with my account
when i ssh to the ip spawned in AD Enumeration & Attacks - Skills Assessment Part II
it shows me as the htb-student@skills-part01
not a helpful answer
hello, I am in the RFI section of the File Inclusion module and for some reason the spawned IP doesn't have a port and I can't access the site I should try RFI on. Am I missing something?
spawned the right section (Part II) but when I connect to the spawned IP it shows me as htb-student@skills-part01
please if anyone can direct me to support team
that would be helpful
did you reset the lab
Green bubble on the bottom right of your screen
u can contact support from the site itself bottom right corner
Need to speak to a person? Learn how to reach our support via the Main Platform.
I'm working on Documentation & Reporting Practice Lab. I'm on question 1. I cracked the ipmi hash but I can't find where to use it. Any nudges?
this started happening like since two days ago
thank you so much
Thanks a lot
have you tried resetting the lab yet
yes did that
mmkay
Any advice or tips for academy beginner?
Take notes
pretty much this ^
password attacks, Lab - Medium. Question, I don't know how to proceed. I got 'J' credential, logged in. I tried doing a privilege escalation, but couldn't find anything to grasp. There is no history in the account and I kept looking at mysql's folder for any possible credentials, however, I only found 'mysql' user, but not password. I tried logging into mysql with blank password, 'j' credentials, and even tried all default credentials but all fail. The command I tried was 'mysql -u mysql' inside my logged session. I am not sure if that is the correct command. I also notice the other user, 'w', but I don't have access to any of his files. I will try to brute force ssh for this user, but that is my last resort, it takes forever. Any hints?
What about it?
Try without any parameters
i thought I tried that, but let me try.
This can only be done from the shell
So logged in as j*
you mean the python tty shell?
I mean however you logged in with j* to the system
Like ssh
you mean 'mysql -u jason -p <password>' I tried that before and got the same error. But let me check again.
I got it. I feel stupid: spent a whole day researching it and just realized I was inserting a space in '-p<password>'. It seems it doesn't like it.
Ye
thanks, I blame it on spending too much time in front of the screen looking at the same problem over and over.
I usually do mysql -u root -p -h IP myself, and then enter the password at the prompt
That stuff happens unfortunately. All you can do is learn from your mistakes
Sometimes those mistakes are the best teachers.
Fight DNS?
can I dm? I'm stuck at around the same place...
You mean you don't automatically edit your hosts file every time you're working with AD? 😄
sure
but the order of the stuff in your hosts file matters too, depending on the tool
Never had that problem, in any module.
just talking AD in general 🤷‍♂️
Mmm, can't think of a situation where that would be the case, except multiple DCs.
I also can't because it's been a while since it's happened to me but it definitely has happened to me before and/or I've read about it
and found an example: https://0xdf.gitlab.io/2023/05/27/htb-absolute.html#without-cme
Absolute is a much easier box to solve today than it was when it first released in September 2022. At that time, many of the tools necessary to solve the box didn’t support Kerberos authentication, forcing the place to figure out ways to make things work. Still, even today, it’s a maze of Windows enumeration and exploitation that starts with som...
Ah I see. I've always done it in that order. lol
I do not understand this. Can anyone send a video explaining it?
I don't think there are any vids related to that module to explain it, but what is the thing that you are struggling to understand? Maybe we can try to explain it with other words
what u don't understand?
it seems like copying the http request burpsuite? and pasting it to the console
What is JSON? And should I know it?
I am doing the basic Linux module and it says that I need to authenticate when I try to use systemctl enable ssh but I don't know what the password is. What password would it be?
should i study it?
wdym
if u don't know what something is, just search for it and learn what it is
In my honest opinion the issue is not even what you didn't understand rather what you asked for, a video, as many of those people who can't focus enough on reading things and understanding them. I would be able to provide you with a very good book about web requests that will explain in detail what you said to not understand, would you be willing to accept that?
he is just doing a get request if I am right no?
ok thanks
yes
I have sent you a dm
hey guys is there any place i can post to ask for help with a question in a module.
JSON put very simply is a file format, like PDF which you've probably heard of before.. JSON is primarily used in web development and has some strict rules regarding its content, that must be composed of pairs of keys and values (which together compose a JSON element) and the value can be a JS object, an array, a string, an integer, a string and so on
You should definitely know it, most web requests you will encounter are in the JSON format and if you continue with your hacking journey you will soon be asked to edit or forge your own web requests
You already are in the correct channel for that 
hello all
Im working on Documentation & Reporting Practice Lab. Im on question 1. I crack the ipmi hash but I cant find where to use it. any nudges?
The objective of qn1 is to connect to DC01, first find the address of it from the files left behind by the penetration tester
which is 172.16.5.5 correct?
yup. If the cracked ipmi hash doesn't work, try different credentials you can find
if you're still stuck send me a dm
@worthy pagoda and @onyx rapids Did you guys find out how to bypass the "LOG INJECTION" module's WAF? I can't get < or > to return. I've tried the common bypasses but no luck.
Anyone reading this, did anyone solve this?
can anyone help me with this question? Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials. Play around with the tool and practice adding findings to the database to get a feel for the reporting tools available to us. Remember that all data will be lost once the target resets, so save any practice findings locally! Next, complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host.
I already managed to RDP to DC01 successfully, but now I can't find any flag.txt file. Anyone know what to do, please?
thank you!
FOOTPRINTING HARD LAB: Enumerated all of the TCP ports and UDP. From what I'm seeing on the forums it's all about UDP, but I'm not finding anything based on the scans in the lessons.
braa, onesixtyone, snmpwalk
snmpwalk is returning: "Timeout: No Response: <IP>"
What command did you use for onesixtyone?
If you're administrator, you should be able to find it under C:\Users\Administrator\Desktop\flag.txt
I don't understand
I thought it was just a banner at first when I did it lol
Especially removing the screenshot, I redacted the IP for a reason
@heavy marsh it's showing you the connection string in your screenshot
Your issue isn’t in the command, it’s you not understanding the output
NIXHARD, yeah tried that
The first word in the screenshot you posted is the snmp community string….
So you can do the next command which is failing
So… you were doing everything right 🙂
braa command doesn't return anything using NIXHARD
That’s not the first word
Sometimes it’s staring you in the face. 🙂
The connection string is in the brackets here
The first word is the brute forced community string. The second word is not
For sure
Found the TASTY BURGER!
I’ve had moments like that. Where I’ve misread what the output was showing me. Always good to check that you understand what the output a tool is meant to show
Yeah, I was stuck on the prompt from the lab that talked about "HTB"
The rest of that question is pretty logical to follow from there. Easier than medium, heh
Thanks @pine dagger
You’ll need HTB at the end when you get to the sql server 😉
Good to know. I'm making my own writeup of these challenges. Details are hard, but they help later.
Oh you definitely should. I didn’t take proper notes until I did password attacks. I regret it a lot
I'm an administrator but there's no file in it
I was very diligent about it when I was doing TryHackMe, but that's proved to be unreliable.
Someone yesterday told me to do a UDP scan and I was just thinking of that as an alien concept
Due to THM garbage.
Definitely takes a minute to find a style/method of writing notes that works for you
if UDP is a new concept for you, you should definitely review the networking basics.
In the module UDP was used in several places 😉
Are u sure u are on DC01?
my bad, I was on DEV01 turns out lol
No, it was more complacency, I had to add an -sU scan to my cheatsheet
I understand UDP though
Teaching moment for you there! Always get the host name!
yeah lol
Anyone figure out how to bypass the WAF on Log Injection (https://academy.hackthebox.com/module/191/section/2055).
how did you figure the way to crack the hash?
Stuck on FOOTPRINTING HARD, did UDP scan and have no information to further enumerate
tried the tom and password for SSH and it didn't work
at this point I'm just guessing based on the lesson material
anyone know how to crack ipmi hash from documentation and reporting module?
this is the hash 5768797002000000e05179a2382122e7500df7c9949a89f08a1987132dd0f48fe2e1d37238c7448fa123456789abcdefa123456789abcdef140541444d494e:a60c216003306640422c8855b290c32c53319e5a
please tell me the steps if you know, thank you
Thought this was going to be useful but it wasn't. Where do I go from here!
look into john the ripper
Probably delete that image, I think it's a spoiler
DM me
I'm not sure it's a spoiler
As it contains creds, its a spoiler
Actually I'm pretty sure it's not
It is
Those creds did not work
As someone that's completed the module
They are spoilers, you're sure you've tried everything? Are you sure you're copying the password correctly and there's no weird paste issue adding new line characters
ok thx
When you get credentials, you want to try them against any service that requires authentication
Credentials that work against one may not work against another
yeah, SSH is frozen
there's more than just SSH out there
Try to find out what triggers the WAF and what data is stored in the logfile
?
I'm trying to SSH and I can't even input a password
Port 22 is open based on my NMAP scan
AWESOME!
oh you shouldn't be getting a timeout error, you should be getting a different error lmao
There are other open ports
I noticed that it removes or filters < and >. I've been using encoding and double encode but to no avail. I need to trigger php rce
I hate to say it, but haven't tried enough 🤷‍♂️
I talked to you last night, did everything but UDP
now I've done UDP
what's left?
DM me, I don't want to spoil more about the skills assessment here
Look at what data is logged at all and look at when exactly it is logged.
Enumerated all of the services on FOOTPRINTING HARD, no logins are working
MX
Are you sure you did a scan for all ports?
That password works for a service
What are 995,993
I've already scanned everything I'm stuck
I even DMed @trail leaf
He helped me
openssl s_client -connect <IP>:pop3
just hangs
Sorry, typo, still hanging
You could also just use a mail client 😉
I'm just trying to figure out if this is my commands or if it should be in erratum?
So far I'm thinking erratum
I dont have wifi to check
Try it with a Mailclient
No worries, I might check tomorrow to see if the servers are responding properly
You got a step so the servers are fine
The password you received appears to be correct
I am loading up my vm to double check you
Well then what's the issue?
I have the password saved
apologies for ghosting, had something I had to tend to immediately because of a storm
no worries
That password is correct
Switch udp/tcp vpn connection or restart the lab instance
thanks!
You can also try it with the PwnBox
Does anyone else have issues connecting to the windows xfreerdp on the windows event log module?
I just keep getting errors failed to connect, but when i first used the command it connected then disconnected and continues to give me that error
~~Attacking Common Services - Easy
Can anyone help me to find the password of f**** ?
I'm wondering if I should do bruteforce with huge list.
Any suggestions would be greatly appreciated.~~
I've got password.
Try using remmina
That was the first one I used actually and it did a similar thing
connected first time then didn't but let me try again
Try using tcp instead of udp connection
Reset the lab and try the new ip it gives you
works
I don't understand
the logfile stores only certain data, not all.
The logfile only saves data when an error occurs
@heavy marsh I don't recall if I got the answer with pop3 but imap
I generally hate pop3(s)
Doing Introduction to Windows Command Line: Skills Assessment *Q4: User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them. *
Find a way to combine commands to read multiple files
I performed tree /F C:\Users\user4\Documents | ?? and i know i should pipe it to a command to read all of the flags to find the answer, i have tried many things but nothing seems to be working
IMAP works
Pop3 is just ass
What is the windows equivalent to cat
a linux equivalent is tree <path> | cat * but what is the powershell equivalent, any help is appreciated
What is wrong here
protocol
You used the terminal or remmina to connect?
xfreerdp
Read the message I pinged you in
Ffs
if you keep posting the picture with the user and his password, I'll keep deleting it
You followed me over from erratum?
Pinged
I just want help!
he's a moderator
Read
I've followed you over and gave you an answer to your problem, and how you can resolve it
^
If you disregard it, then ¯\_(ツ)_/¯
Always remember, the exercises are based on the section/module, but they require you to adapt a little bit and not to copy paste commands - that's not the point
I also pinged with an answer way earlier
where do I see the ping?
this?
Warmer
imap?!
Yes
So how do I know which one to use?
But also: if one isn't working, try the other
You also got this hint once today.
When you find new creds, test them against ALL services
hi, i'm currently doing the web requests module for post
my cookie is correct, the authentication is correct, headers are all correct, and i'm not getting any issues other than there isn't data returned for the flag
like for example, when i search for london, the data i get is ["London (UK)"]
but when i search for flag, the data is []
i also tried to make sure there weren't any issues with double quotes in my json by using escapes before the quotes, and i still get [] for flag
actually hm, i just realized any search i've been trying other than london has returned []
EDIT: ok never mind about this, i refreshed the machine and got the flag
Stuck on FOOTPRINTING HARD
What is the next logical step?
Apparently I'm supposed to find a password for a username "HTB"
"fetch 1 all" doesn't actually do what you think it does, it does not retrieve the email body
I've linked an article a few times in here about different imap commands
Not using the command line for this? 🤷🏻‍♂️
1 FETCH <ID> ALL
what's ID
Id is just message id starting at 1
THIS is what I have to go on for now
Last time I put in some arbitrary command it was not easy to get back in.
Utilize discord's search feature, as I've linked to a couple useful blogs related to imap commands
the problem is using "all" when there are other options that show you more info than "all"
Okay, but where do I find all of this info?
Do you know how discord's search feature works?
How am I supposed to access a local website on this box? There is no web browser and i need to locate a website lol
firefox
Respectfully, I'm not trying to read blogs, I'm trying to read HackTheBox
gives me like 12 different articles with tons of examples
You need to discard this notion
Then you're stuck, unless you use an email client
you are expected to apply outside research as well
It isn't installed
you cannot pass the exam if you cannot do this
In the Terminal
I literally could not have found this without using outside research
I pay for this service, I'm expecting a certain level of professionalism
Aaaaaa lol
Respectfully, we're being as professional as we can
you need to have research skills or the exam is not passable
We're leading you to how to find the answers in multiple sources
No it's not you guys, you are being helpful for sure!
the point is that the modules leave out some things on purpose to force you to explore and engage in research to find the answers.
this is one of those situations
we have offered you several solutions. But you don't want to go one of these ways and now you are scolding that HTB is not professional?
Some of it just does not function properly, you guys are being very helpful and I appreciate it.
We are aware
That's why we're trying to steer you in the right direction
Sometimes module is just dumb and shows a bad/worse way
I really encourage you to re-read my last couple of messages. This is important.
This is you are wasting money and will throw $200 on exam voucher in the gutter important.
and I do not want to see that happen to you
And other times as madf0x said: they want you to develop research skills when you run into a wall
I tend to come here for help when I've exhausted reading the sections over again, and googling
same here!
Apparently not, since one of the suggestions was literally "Google the thing"
Actually you currently have two options
Either you look for the article that Marcie posted here some time ago, or you use a mail client such as Evolution / Thunderbird etc.
First time I ran the module i used an email client, second time i stuck to command line
(I got stuck at the NILNILNILNIL part for a bit too)
It's not "cheating" to use gui clients
Especially when they just work™️
Then there's a few options
- utilize discord search feature
- install and use mail client
All will yield results to lead to the answer
I mean this was already extremely close to the answer
you just need to do that tiny bit of extra research to actually retrieve what you want
Yep
It's a case of you hit a wall and you've been given options to go over, under, and through it. And it's just not clicking
So what is wrong with openssl?
Nothing is wrong
Am I supposed to be using a tool that wasn't mentioned in the module?!
This issue is all user related
Which user?!
🪞
youre the user
But I have no user privileges yet
I had a user "tom"
I refer you back to this statement
that didn't work out
And this
And this
I think it might be good time for bed my friend. Its late in our timezone and youre starting to regress from the progress you had already made.
Review it with fresh eyes in the morning.
I'm having a problem submitting a flag in the File Upload module, in the whitelist upload section. Has anyone had the same problem?
Ensure a clean copy/paste, no "invisible" weird characters at start or end
I'll check ty
You’re searching for something else in there. Not the HTB account. Look for interesting things that can let you go further
The Penetration Tester Job Role Path is for newcomers to information security who aspire to become professional penetration testers. This path covers core security assessment concepts and provides a deep understanding of the specialized tools, attack tactics, and methodology used during penetration testing. Armed with the necessary theoretical b...
Interesting stuff!
Congrats 🎉
Hey can anyone help me in the Footprinting Lab -Easy
What I have done
nmap -sC -sV -Pn <ip> gives ftp 21, 2121 open, 22 ssh open
Logged in with the ftp server with the creds given in the module. Found nothing
Downloaded all files using wget -m --nopassive ftp://:@<ip>
Found a folder with a hidden file '.listing'
cat .listing gives nothing useful
Almost spent 2 days with it. Please help!
There's something on the ftp server that you can use. It's a file that allows you to login to things, such as ssh.
is the best method to mount a bitlocker encrypted vhd really just using windows? I'm trying guestmount but I'm just failing from one error to the next
which module was that from?
Password Attacks Hard Skill Assessment
Sorry, my notes aren't good from that module 😦 However, I noted down this link, so may help you: https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Thanks I’ll take a look!
that worked perfectly! thank you so much, I'll make sure to save that link
Can you please hint the command for that.
I have tried all possible commands for the ftp server but found no id_rsa or similar
when we finish a module it recommends labs/boxes on regular HTB; is it advised to go and do these or complete the course & then do the labs/boxes on regular HTB?
most of the boxes on HTB expect you to have knowledge of several modules. If you just finished your first few modules those boxes might still be too hard. Most boxes are set up in a way that you have to find the vulnerabilities yourself and if you don't know yet what kind of vulnerabilities can exist in e.g. webapps then you might get stuck quickly
I finished the cbbh modules first before attempting any boxes personally
Can anyone give me a hint on "Passwd, Shadow & Opasswd"
I am currently stuck on the question: "Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer."
I have already unhashed passwd and shadow file, but my hashcat command is not working:
hashcat -m 1800 -a 0 ./unshadowed.hashes ./password.list -o ./unshadowed.cracked
the root hash which I am passing through looks like this:
root:$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.:0:0:root:/root:/bin/bash
if you have a subscription, you can access those retired boxes.
It's good for practice and there's a walkthrough too, but you're not forced to do so.
whats the error of the hashcat command
try a different wordlist
offline cracking is often so fast that you can afford to use bigger wordlists, the one you used got fully processed in 2 seconds
I tried rockyou, which isn't ideal, and also the common word list
try using what the module provided and what it taught you in the previous sections
I read through the forums and a lot of people used the one given by HTB and it worked, I am just wondering what I am doing wrong
HTB provides you with three files, a passwordlist, a userlist and a third file
maybe that third one can help you
LEGEND!
I had to use the ruleset with hashcat, which was provided by HTB
thanks
hello
yea the module is kinda mean in the way that they switch around which wordlists you need to use
I am doing the skill assessment in the Shells and Payloads module, I have tried to upload a .php file and use Burp to change the "Content-Type" to ||application/octet-stream||, but it still says I need to upload a .war file and it can't be anything else. What am I supposed to do?
look up what a war file is and maybe you can use that information so you don't end up needing a php shell
ok
im in a module , and i need to upload a reverse shell to a website
but I can't access the website
it is already in hosts
forget it, I only restarted the IP address
I ended up making a ||.war shell|| but I can't seem to execute it on the website
I think after uploading it it appeared in the list on top and can be executed, no? ||Otherwise there's also a msf module for it||
Should I work through htb modules or go to boxes?
I'm currently almost done with Jr Penetration Tester on THM and planning to finish Penetration Tester before moving over to HTB.
I'll be buying premium on both so disregard free/pay considerations
maybe try resetting the box once? lol
I did
No
Wait
Let me try resetting it again
If it doesn't work after resetting the box
Rip me
Still doesn't work
:I
mh can you try setting the other ip as LHOST
the internal one, not the one you connect to
Then I get 2 errors
Try ifconfig in terminal on the machine you are connected to
There should be an IP starting with 172
That's the one you need, the machine you are attacking can't reach IPs on the 10. subnet
Still doesn't work
isn't this that ||facebook|| styled blog?
I am so stuck
And I have no clue what to do
manual payloads dont work either
crafted with msfvenom
Maybe that's not the way
Did you check other services running on the host?
It specifically tells me to ||login to the website, the hint tells me to upload a file here and execute it||, but it doesn't work
And i checked online, and it works for other people
for live engagement of shells & payloads, I followed the same path of .war payload and then realized there is another service
and for that other service, ||I think you need to read the exploit code and reproduce it manually|| because ||you may not be able to add an exploit to msf|| lol
Hi everyone I have a question about SA AD part 2
I'm at question 4 and I managed to guess the password for question 5. However, when I try to do a password spraying on the DC using kerbrute and cme the password doesn't match any user.
I thought I had got the user names wrong so I tried two formats 'user' and 'user@inlanefreight.local'.
I have 57 users in my two lists but none of them work.
Could someone explain why?
#Update# I succeeded
But it says it has to be on port 8080 so is it a ||website hosted on the tomcat thing?||
I did this just a few days ago, I remember struggling a bit (didn't realize firefox was installed on the machine) and ended up setting up a ssh tunnel to even access the website. But I'm pretty sure I just uploaded my war file and got a call back on nc
oh, okay, after uploading the rev shell, "starting" it wasn't enough, I had to click the "/revshell" url in tomcat
Guys I want to learn Active Directory privilege escalation\lateral movement attacks, any recommendations?
btw I finished the Active Directory Enumeration & Attacks module so I want to go deeper
try the tier3 AD
or tier4 idk
I was thinking of setting up a ssh tunnel but idk how lol, but i guess ill follow your footsteps
the format of the usernames is similar to the answer in qn1
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
I just tried it again and it works without ssh tunnel, I used msfvenom on the machine to create a rev shell war and used a simple nc listener on the machine, just need to make sure to use the 172. ip address as lhost and to browse onto the /revshell url to execute it after uploading
I have tried to use PowerView & importing the Active Directory module to enumerate but it is producing errors..... I figured to use BloodHound but I'm only able to run it on the 172.16.7.240 and not on the Windows machine... and when I ran it I'm not able to find anything interesting..... appreciate any hints that would point me in the right direction
Ok, I'll try that, thanks
hint: smb
can you share the link please ?
You have the windows attacks and defense module(Tier II), the kerberos module(tier III), Bloodhound(Tier III) etc... search with the search bar in the module section you have a lot of modules on windows and AD
can't get the hash though, already tried john --wordlist=/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt --format=Raw-SHA1 ipmi.txt
what should I try?
OMAH, I used the wrong IP, lol thanks
hah no problem, yea that can be confusing
in the Documentation and Reporting module, why did I fail when RDPing to DC01? Is it because I got the hash wrong?
Got the flag
Feels like crying 😭
HTB test students from ❌ground❌
underground ☑️
You can try a larger wordlist, or use a different tool like hashcat
Sorry I wasn’t able to reply to your earlier message. I was out patting Donkeys! Congrats on solving!
It's okay 😉
Glad that now I can move to the next 😭
It’s a good feeling. Although it sometimes feels like “ugh so many modules to go!”
Hi everyone
I am stuck on Module: ATTACKING COMMON SERVICES, Section: Attacking DNS, Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
I ran dig axfr @10.129.203.6 inlanefreight.htb but nothing of interest there. Then I ran dnsenum --dnsserver 10.129.203.6 --enum -p 0 -s 0 -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt inlanefreight.htb with some other wordlists as well and found two subdomains ||h... and c..||, but I am not able to continue from here.
Any help much appreciated.
Hi everyone I have a question about SA AD part 2
I'm at question 7 (Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host) I managed to get a reverse shell, but I don't see any folder in c:\users\administrator
Should I escalate my privileges? If so, how, as printnightmare doesn't seem to be working?
Why doesn't the msf exploit I imported work?
Find all zones and list all entries
I tried JuicyPotato also
did u try establishing a meterpreter session?
No i'll try
but it's the same no ? i'll not have admin priv ?
theres a module called incognito that u can see for token impersonation
what msf exploit is it
Its one called ||"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE)"||
Make sure you set all options appropriately
Sometimes it does require closing and opening msfconsole again
It can be touchy
Ty i love meterpreter
meterpreter is too convenient ngl.
And I recently noticed a lot of hacking interviews/documentaries online will show metasploit being used lol
I don't think there's any issues with using meterpreter... as long as you are also able to carry out attacks without it.
one thing that I don't understand is why they ask where's something in the pwnbox in the modules
like I can only use it 1 per day, and I only use it when I have some bug on my machine
so if I do it one time and I close it, I can't make the module any more on the day
Once you have purchased Cubes/Modules with Cubes, you should be able to use the PwnBox indefinitely.
Hi everyone, I have a question about SA AD part 2
I'm on the second to last question and I really have no idea how I can access DC01. I saw that WinRM and RDP are not open on it. I've also looked at shares but I don't really have any idea...
Could I have a clue so that I can get rid of this crazy module? 
Hi is anyone able to help me with footprinting smb section please?
don't ask to ask, tell us what problem you're having with supporting screenshots
I have tried so many different payloads but all of them get deleted, what am I supposed to do? (Normal files dont get deleted, but PHP and war ones gets deleted)
And i know that the last user i found have the genericall
what ive noticed is its giving me the same flag i got from completing the ftp section previously, could i somehow be connecting to my own machine?
try a get flag.txt then catting it
thats solved the issue thank you
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
mssqlclient.py is not working
and sqsh is not working
Are there any replacements for mssql that would work?
Try Meterpreter.
Please, can someone help? I'm still stuck.
Hello, I'm doing the module 'STACK-BASED BUFFER OVERFLOWS ON LINUX X86' and I'm stuck at this Q: How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes) - I've tried viewing information with 'info proc mapping' in gdb, but can't find any clue. Can someone point me in the right direction please?
You have full control over an object; it should be straightforward from now on.
What do I put in the "use" command in msfconsole?
I know I have full control over an object, but when I want to add a user I can't.
impacket-mssqlclient worked for me
I'm currently connected with c*** on MS01.
Maybe you can do something with an existing object.
Have you tried using BloodHound?
It tells you the commands you can run to abuse GenericAll.
For question two of the section of this module (https://academy.hackthebox.com/module/22/section/150)
I don't see why my command is an invalid argument.
Command I used:
Get-ADUser -Filter * -SearchBase "OU=Pentest,DC=yourdomain,DC=com"
Oh nm. I see I haven't updated my DOMAIN name yet for DC
Actually still getting an issue even with the updated DC
Hey, I'm on https://academy.hackthebox.com/module/115/section/1139 Shells and Payloads, Live Engagement. I'm using Remmina to RDP into the host, but the display is a borderline unusable size. Dynamic resolution is greyed out. Does anyone know how to fix this?
I think that's after I gain the connection to the SQL host.
I have not gained any access to the SQL host due to an error while running mssqlclient.py.
And looking back at the chat history, a lot of people faced the same issue.
Google says that error comes when you have a typo in your OU; is Pentest correct?
Or it could be CN=Pentest if it's a Container and not an OU.
Yes
With which host do you use mssqlclient?
did not work for me
I will try that
172.16.7.240, the attack host
That didn't work for me
What is the error msg you have?
I am new to HackTheBox; how basic is the start of Linux Fundamentals? Is it good for someone who knows little about Linux, or is it really the fundamentals?
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
[*] Encryption required, switching to TLS
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
Can you paste your command between spoiler tags?
How do I do that spoiler tag? I'm new to Discord.
@rustic sage answered you
||mssqlclient.py -windows-auth INLANEFREIGHT/netdb:'D@ta_bAse_adm1n!'@172.16.7.60||
there we go :)
thanks:)
Still getting a similar error
Get-ADUser -Filter * -SearchBase "OU=Pentest , DC=INLANEFREIGHT , DC=LOCAL"
Hmmmm, it was not mentioned in the section; however, I am interested to learn what proxychains is and how I can use it in my command.
You mean this? + 1 Submit the contents of the C:\flag.txt file on MS01.
||Nah, evil-winrm||
Thanks!
Thanks appreciated.
I kinda skipped this module.
You really shouldn't lol
And tbh it's not that terrible
Those skills are extremely useful. And skipping the module only shoots you in the foot.
Not to mention that one is by far the most copy/paste module out of all of them
I'm doing it after AD Enumeration & Attacks.
You really shouldn't skip
It's really useful, please don't skip it.
source: needed it to complete multiple linux boxes
Please help me with this 😦
I will make it my next module. Thank you guys, I appreciate it 🙂
I have a couple of questions left to complete it; I'm at the last section 😅
The AD one, of course.
Web Proxies and Intercepting Web Requests. Any idea where the 2nd flag is? I have looked in several places, but I'm not seeing it. Question: Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
Just remove Windows auth.
All of us hate that, ahahah
Is there someone who could help me with configuring the krb5 realms?
