#modules
Whenever I answer any of these five questions do I always have to use the same username and password given above the first question of the section of this module when using ldapsearch-ap or windapsearch? (https://academy.hackthebox.com/module/22/section/290)
I only see the student ID, it's not 60 characters long
I think to verify you need an account on main platform hackthebox.com.
hashcat doesn't work on my virtual machine so i ran it on my pc. The mut_pssword.list file it created doesn't have sam's password. I ran hydra. I don't know if the size of the file hashcat gave is too small. If i try the pwnbox I don't know how to download the resources, it bugs out if you go to HTB pages that load the pwnbox
Hey everyone
I am stuck in one task in ATTACKING COMMON SERVICES of Attacking SQL Databases.
I try to connect to mssql by using sqsh and mssqlclient.py with credentials but I am getting the login error.
I have been working on the second question of the section of module (https://academy.hackthebox.com/module/22/section/290) for about an hour or so and I am stuck. I typed out this command (python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.42.188 -u inlanefreight\james.cross -U --full --output "final_output.txt"), it listed all 12 users on that domain and saved the output of the result of the command to a file. When I typed C+F and typed "SMARTCARD_REQUIRED" I could not find that term in the file I created anywhere.
The question:
What user account requires a smart card for interactive logon (SMARTCARD_REQUIRED)?
you need to include a UAC for SMARTCARD_REQUIRED in your query.
how do I find the UAC with the windapsearch tool?
Well... I don't remember! LOL, I will look at the section again and see if I can remember where I came up with it.
Go back over the prior section, Leveraging Search Filters, it is in there, I really struggled to understand that portion TBH. But it is there.
can someone help me on the bash introduction
I googled the UAC value for SMART_REQUIRED flag and I still could not find it in the output of my result...which would be userAccountControl
i created a script but it doesnt work i think the key is wrong but i dont know how to fix it
you need to use an LDAP search that includes OID and UAC
Object Identifiers (OIDs), like I said it is in the prior section
I just got into Academy and I have a question. It says I pay 10 cubes for free modules and I get 10 cubes from them. Do I get extra cubes for solving the individual questions inside them? Like can I make cubes just by solving free modules?
Here is what I typed out:
"python3 /opt/windapsearch/windapsearch.py --dc-ip 10.129.42.188 -u inlanefreight\james.cross -m custom --filter '(&(objectClass=person)(userAccountControl:1.2.840.113556.1.4.803:=262144))' --attrs"
Thats much closer!
Hello, anyone can help me on the AD assessment - Part 1 ? I have all flags except the cleartext password of one user and I think it might be broken
which question?
Submit this user's cleartext password.
Modified the command a little.
Sent you a DM
I found that by doing question 5, assuming you're asking about 6. If you have a question on it I might be able to help
I need help with Password Attacks/Credential Hunting in Linux: I tried using Hydra to bruteforce ssh into the target with the username Kira and a mutation list of the password given in the hint. Unfortunately this didn't work. Can anyone give me a hint?
hello all am always facing issues with kirbi2john.py
it never worked for me cracking the TGS
Can someone help me with Active Directory BloodHound: Skills Assessment, last question: "Find the percentage of users with a path to GLOBAL ADMINISTRATOR"? I used my query and when I put my answer it says wrong. I'm sure that my query is ok
did you use "upload data" to upload your docs in the bloodhound?
can someone please help me in "Attacking Common Services - Easy" i just gained access but idk how to enumerate the Windows env, i tried dir and go back with cd .. and i tried to enumerate using dir and i tried a reverse shell as well but i couldn't
Try using an encoded powershell reverse shell
Or the IEX one with a powershell script hosted on your own webserver
Question on Linux Privilege Escalation -> Python Library Hijacking. The examples show the commands using sudo multiple times, but the htb-student doesnt have the ability to sudo there... what am I missing from completing the examples?
Hey guys, how are you doing? I'm having a little trouble with the mutation part of password attacks. I know it takes a lot of time to crack a password, but it's gonna take like 14 hours.
It's been like an hour so far and nothing came up. It's like this?
If it's for the hashcat module none of them should take that long
I think the longest one took for me was about 5-10 mins
If you enumerate it might help the wait, wait, wait...
Well, target systems are only 6hs max. Hope to get lucky 😂
Ah. You have to write the full path.
Module: Attacking Common Applications
Section: Attacking Common Applications - Skills Assessment I
Hello, I've completed this section but via msfconsole. Any hints to solve it in right way?
I can only run &dir command. Already tried to use type and more command with encoded path but no luck to view the flag.
nah but protip. If you have access to a university email you can sign up for a student account and have access to nearly all modules for just $8.00 a month thats the best deal. Messing around buying cubes is fail
That’ll do it. I opt to do full paths with sudo every time to avoid that issue.
I'm working on the "Attacking Common Applications" Module and Exploiting Thick-Client Applications. I made the new fatty-client.jar file with changed port and MANIFEST, removed both hashfiles, and rebuilt it successfully. It runs and I can login, BUT... I can't open any of the files the course content says I should be able to. There's not an "Open" button in the lower part of the window. Any advice/tips?
The back half of the attacking common applications module is so weird
Mass Assignment and LDAP injection just come out of nowhere
that module is the random grab bag of the course
I don't hate the Thick Client section but also why is there another rev related thing like 5 sections later, feels like it makes more sense to keep all of that together
Any tips for why I’m not seeing the “Open” button that will allow me to read even the basic files?
Could I get some help with the Broken Authentication Predictable Reset Token question? Thanks in advance.
Having some issues with the vhosts lab in information gathering. I was able to get one of the flags last night, flag #3 by choosing one of the subdomains I got with ffuf. Today when I went to get the rest I had to rewrite my /etc/hosts file from scratch using what I was able to find online for a default. I'm running a live boot persistent kali usb drive, but there was nothing I could find that had a default /etc/hosts file nor a way to automatically generate a default so I am stuck. The flag for flag #3 still works, and by the same method none of the other subdomains are giving me a flag when I curl the subdomain. I am using the same method of inputting the subdomain and ip into the /etc/hosts file as I did with the flag #3 last night.
Doesn't make any sense
default etc hosts is just 127.0.0.1 and localhost
some distros may add some random stuff but theyre rarely truly mandatory
I don't know why your etc/hosts would be so borked you had to rewrite from scratch though
it just deleted everything except for the vhosts I was using at the time for the questions
I must have deleted it somehow
odd, wouldnt think itd break anything though
hosts is checked first but its not checked last
This is what it looks like, I just put a window over the subdomains to hide them as spoilers
It's what I found with ffuf
the only one that works with the curl command is the one that I used last night
Hi guys, I'm in the getting setup module. It wants us to set up a windows 10 VM in which it points us to a link for windows 10 VM, but it is bringing me to windows 11 VM. Will this be an issue going forward with the different scripts and chocolatey manager we are to setup?
"Setting up" module
I don't think it actually matters but fwiw I always just put all my vhosts on the same line
try cutting the first 17000 password of
For Windows Priv Esc Part 2, how should I find the iamtheadministrator creds? I've been searching for xml, config and txt files but nothing so far
Thanks bro, gonna try tomorrow.
gotcha
still not sure why the rest of the domains arent working
I'm doing the exact same thing I was doing yesterday with the 3rd flag
hint you can still other command but it's just there are no output beside for a couple of command and for me i just the flag that way or if you google around there should be some exploit for this that can give you a shell
hi, I have a problem with the academy vm instance, I already turn it on but there's just blank screen and later disconnected, already switch from using vpn or non vpn but nothing work, anyone know what's wrong?
feel free to shoot me a dm if you still need help with that
Would be highly appreciated if any hints can be given :]
give me a sec my note suck ass on that one part for some reason but basically yes that's what you have to find
the pwnbox?
yea
if both your vpn and the pwnbox are on at the same time then both will try to kick each other off the network and that's your issue
It's like finding a needle in a haystack
i would recommend turning off both and waiting a few min before using either one
so I should only use one?
yep and one only
ok thx
still happen
Looks like my /etc/hosts was good, I reset the target IP on the academy page and now they're working with the new IP
I said vhosts, I meant /etc/hosts, modified the above comment
After some more time I finally got it. My script was wrong.
In the footprinting module, DNS section, I am currently having trouble finding the FQDN whose octet ends in x.x.x.203. If anyone is able to help, I can share what I have tried so far in DMs.
did you find the zones?
I was able to use dig axfr internal.inlanefreight.htb @[target-IP] and dig axfr inlanefreight.htb @[target-IP], but I don't know where to go from there. I tried using dnsenum, but I could only get it to work on inlanefreight.htb, not on any of the subdomains. I'm not sure if I'm just using dnsenum wrong or if my methodology is wrong.
dig is more than enough ... if you find the zones then you answer will be there
Okay, I will try to use dig some more to see if I can find the answer. Thanks for your help!
hi I completed most of the getting started module and completed all privesc except for last thing from Nibbles box. I got help a couple of weeks ago and I think I understand the material I'm just having loads of frustrating typos at this point. I did MOST of the privesc in the module. Will it hurt to look at walkthrough of module? I mean the part of the module I'm stuck on is just a walkthrough of Nibbles box.
It seems and feels like its been three or four weeks and I want to progress and I have done most of module.
is looking at a walkthrough and taking notes for getting started module a bad idea?
Isn't the privesc only like 1 step? And the module also walks you through it?
yes
but I keep having typos
lot to type in
and its getting frustrating
so at this point I think I understand it
and I know there will be privesc in future modules right?
Using the walkthrough at that point is perfectly fine.
If you have typos, just take this as an opportunity to practice not making those errors
I agree but I have been doing that.
Ok cool. That sounds like a fairly honest answer.
Unless you mean the assessment portion
If you mean the actual walkthrough part, and you were trying to do it without using what they were showing you
They absolutely expected you to follow along at that part
yes that's what I mean
Ok ya but I am doing that and its taking forever and I understand it but I keep running into typos and I think I understand the privesc and what reverse and bind shells are
I was doing what they showed me
but I think if I watched a video walkthrough of module and took notes that would be ideal at this point
do you agree?
Getting Started was more of a brief introduction, and getting you to a feel of what the process is like.
this is what I think too
If you're planning to use external stuff, that's probably iffy. There's no way to know how much of it is good information, or bad.
I can vouch for the quality of the material in the course itself, but if you're looking at some random youtube video, it could be some guy who knows nothing.
no the official youtube
The ippsec walkthrough?
yes
Yes, anything ippsec is good.
Though, that video is ancient, and his processes have changed a lot since then lol
ok cool
I think there's other walk throughs that are official tho no?
alright thanks
Anyone ever had a WebDriver error when running eyewitness?
Had wrong selenium version
I figured it out! I thought I was at a dead end because dnsenum wouldn't show anything for any domain except inlanefreight.htb and dig axfr wouldn't work for anything except internal.inlanefreight.htb, but it turns out I was using the wrong list. I found the answer very quickly once I figured out the correct list to use with dnsenum.
For burp suite I'm receiving a No route to host for dev.inlanefreight.local, have added to /etc/hosts
Fixed it, had one too many IPs pointing to same host in hosts
I'm on the cracking with hashcat module, I tried to activate the pwnbox but it says connected to undefined, it's active but no screen is shown
anyone know what's wrong?
Try to reload the page
it solved the 'connected to undefined' thx, but not with screen
now it says disconnected
Can someone help me on the second question for File Inclusion - File Inclusion Prevention? The question is: "Edit the php.ini file to block system(), then try to execute PHP Code that uses system. Read the /var/log/apache2/error.log file and fill in the blank: system() has been disabled for ________ reasons." The hint says to put a PHP file in the /var/www/html directory, but I have to be root to do that. I also cannot edit the php.ini file without being root. Any hints? Thanks!
list your sudo permission
I am not able to do sudo -l...it asks for a password
Actually, I can...here it is:
```
Matching Defaults entries for htb-student on lfi-harden:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User htb-student may run the following commands on lfi-harden:
    (ALL : ALL) ALL
```
then try to modify the file you couldn't do
Okay, I think I got it...I was able to create the PHP file in /var/www/html....I feel like such a newb for forgetting about sudo -l....Thanks @fiery berry !
Hello, I have question on Pivot and Tunneling Skill ASSESSMENT
Submit the credentials found in the user's home directory. (Format: user:password)
Plain Human work! ohh i get it... weird for normalpassword to have space
I am stuck on Oopsie Task 2: What is the path to the directory on the webserver that returns a login page? I put /cdn-cgi/login and I get network error.
I tried asking on pwnbox but I do not have access to writing in the chat fields.
have you verified your account? https://discord.com/channels/473760315293696010/477042232109826048
yes
My main problem is that I can not enter the correct answer to task 2
Burp gives me the link /cdn-cgi/login on the target tab
I'll dm you to see why you can't access the "pwnbox" channel, here is for the "academy" modules
My name on hackthebox is noobie79
if that isn't on the academy read #welcome and #rules after that use /verify at #bot-commands and ask that at the appropriate channel
Hi guys
I'm currently working on password attacks - hard lab.
I have runas to david cmd - found backup.vhd file. unable to download because of file size.
I'm stuck on mounting the backup.vhd file from windows to linux.
can anyone help me with this?
Hi, can you help me with this question pls ? I'm also trying to do dnsenum for inlanefreight.htb and I tried it with all wordlists in ../SecLists/../DNS/, but I still don't get this xxx.xxx.xxx.203 ip
Hello, does someone know why the following command does not retrieve the allowed HTTP verbs?
```shell
curl -i -X OPTIONS http://SERVER_IP:PORT/
```
as it is supposed to, as explained in the web attack module
You need to find all zones
can you post a screenshot of the output? I did a random curl and I can see an "allow" header. In case just use "--head" instead of "-i"
NVM. I have downloaded the .vhd file.
Thanks
```shell
┌──(honeypot㉿kali)-[~]
└─$ curl -i -L -X OPTIONS http://94.237.59.206:48113/
HTTP/1.1 200 OK
Date: Wed, 26 Jul 2023 09:20:20 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1108
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>File Manager</title>
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.3/css/bootstrap-theme.min.css">
<link rel="stylesheet" href="//netdna.bootstrapcdn.com/bootstrap/3.0.3/css/bootstrap.min.css">
<script src="//netdna.bootstrapcdn.com/bootstrap/3.0.3/js/bootstrap.min.js"></script>
<script src='https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.3/jquery.min.js'></script>
<link rel="stylesheet" href="./style.css">
</head>
<body>
<div class="form-group">
<h1>File Manager</h1>
<form role="form" action="index.php" method="GET">
<input type="text" class="form-control" placeholder="New File Name" name="filename">
</form>
<form action="admin/reset.php" method="GET">
<input type="submit" value="Reset" class="btn btn-danger" />
</form>
</div>
</body>
</body>
</html>
<div></div><ul class="list-unstyled" id="file"><div><h3>Available Files:<h3></div><ul><li><h4><a href='notes.txt'>notes.txt</a></h4></li></ul></ul>
```
And with --head instead of -i:
```shell
┌──(honeypot㉿kali)-[~]
└─$ curl --head -L -X OPTIONS http://94.237.59.206:48113/
HTTP/1.1 200 OK
Date: Wed, 26 Jul 2023 09:21:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 1108
Content-Type: text/html; charset=UTF-8
```
module and section?
Web attacks section 3 but the command is explained in section 2
Try to give an endpoint to the request
exit
worked thx 🙂
Can anyone help me? I got stuck for the following question on the module
https://academy.hackthebox.com/module/18/section/75
I try to use the "ls -al /etc" command to list out all files in the /etc folder. Use vim to find the line number that contains the file "sudoers". It's line 177. I try to submit 177 or 176 but both failed. Can someone help me?
Thx, I understand now.
solved, all I had to do is logout and login again, takes half day to solve this lmao 💀
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
```shell
curl -s https://www.inlanefreight.com | grep -oiE "www.inlanefreight.com/*[^'\"\ \?\\t\%]+/" | sort -u
www.inlanefreight.com/index.php/
www.inlanefreight.com/index.php/career/
www.inlanefreight.com/index.php/feed/
www.inlanefreight.com/index.php/news/
www.inlanefreight.com/index.php/offices/
www.inlanefreight.com/index.php/wp-json/
www.inlanefreight.com/index.php/wp-json/oembed/1.0/
www.inlanefreight.com/index.php/wp-json/wp/v2/pages/
www.inlanefreight.com/wp-includes/
www.inlanefreight.com/wp-includes/css/
www.inlanefreight.com/wp-includes/js/
www.inlanefreight.com/wp-includes/js/jquery/
```
Tried 12, and 11 as answers and it says it is wrong, idk what else can I do.
Been a while since I did that module, but I think the root domain also counts as 1.
It says 13 is also wrong, this thing gives me a headache.
There are a few more.
Try to list all URLs and then sort away the ones that appear twice
Can a kind soul please explain or speak to how the script, user.sh, reads the html header and executes code. I understand that the payload works because of a vulnerable version of bash. What I don’t understand is how would you be able to tell that the script will take the html headers and execute it. This is for the Shocker box.
You better ask this question in #boxes
Could you possibly direct me on how to get access to that channel?
read and follow #welcome
I went through the verification process, still no luck
Once your user is verified, you will have access to more channels here, including #boxes
thanks, apparently my approach wasn't systematic enough :/
any tip on :Web Enumeration
mod : GETTING STARTED
q :Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.
Do I need to learn Splunk if I am only interested in Cissp GRC roles
ik it's some curl flags e.g **curl -IL** but anyways it would be a great help if u help w this
Try ||gobuster||
New certs!!!
HTB CDSA
I guess it is something like advanced
or maybe a blue team cert
SOC Analyst is blue for sure, sounds interesting, I wonder what a lab for that would look like
ah lol hadn't seen soc analyst
I just read CDSA and I had thought advanced or analyst lol
I'm having trouble on the linux privesc logrotate module, I can't get the exploit from github to resolve from the target box. I'm in the /home/htb-student directory where ssh drops me when I try cloning the repo. I tried cloning it on my machine and it worked just fine, so I compiled it on my machine and used wget to send it over. But when I try running it, it says permission denied. Is that because I compiled on my machine? or because of the directory I'm executing it in? UPDATE: I moved just the logrotten.c to the target machine and compiled which seemed to work.
Attack Enterprise Networks // Post-exploitation. I'm having trouble getting dc_shell.exe to work. I can't get connection with msfconsole.
Someone can help me?
Certified Defense Security Analyst
Its already set
The / is the root working directory of the webapp
big brain

please help. In the Password cracking module I try to copy the shadow of NTDS but I get an error. I can't send a screenshot for some reason but here's my terminal output:
```
Evil-WinRM PS C:\Users\jmarston\Documents> vssadmin CREATE SHADOW /For=C:
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.
Successfully created shadow copy for 'C:'
Shadow Copy ID: {12194c91-d2e0-42c7-a68b-723626288aaf}
Shadow Copy Volume Name: \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Evil-WinRM PS C:\Users\jmarston\Documents> cmd.exe /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
cmd.exe : The system cannot find the path specified.
+ CategoryInfo : NotSpecified: (The system cann...path specified.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
0 file(s) copied.
```
on **ACTIVE DIRECTORY ENUMERATION & ATTACKS** > Bleeding Edge Vulnerabilities, when trying Petit Potam, I am always getting this message (under Windows using rubeus: [X] KRB-ERROR (62) : KDC_ERR_CLIENT_NOT_TRUSTED) or (Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)" under linux).
I have tried respawning the lab multiple times (I already needed this at the beginning to retrieve the b64 cert).
Do some of you have an idea of what may be wrong?
🥱 and slapped by automod.
I have problems with module Broken Authentication Predictable Reset Token
i tried a lot, finally i am at this point
i use a php script to check the timestamp at which the given token was generated, and generated a token with the user htbadmin.
```php
<?php
// Token is md5(username . timestamp in milliseconds).
function generate_reset_token($username, $timestep)
{
    $token = md5($username . $timestep);
    return $token;
}

// Walk the 2200 ms after $timestep and print the value that reproduces the known token.
function timerange($username, $timestep)
{
    for ($i = $timestep; $i <= $timestep + 2200; $i++) {
        if (generate_reset_token($username, $i) === "2f14f4ab65d13240fa0992494ccb7756") { // given token for htbuser
            echo "timestep: " . $i . " " . "hash: " . generate_reset_token($username, $i) . "<br/>";
            echo generate_reset_token("htbadmin", $i) . "<br/>";
        }
    }
}

timerange("htbuser", 1690384826000); // timestamp
?>
```
what is your problem ?
i don't get it even when i hash the htbadmin with every timestep in milliseconds around the and brute force it.
your screenshot doesn't provide specific details (at least for my eyes...) please, ask what you need, explain where you are stuck and what you have done...
haven't done that specific module yet but you may be sure of the timestamp by checking the time from HTTP server responses (in the header)
does anyone know roughly how long the brute force attack last for on the login brute force skills assessment - website Q2 please? I'm using the rockyou.txt wl. thank you
yes i get it from there but this doesn't work
it doesn't work for me either. first, rockyou.txt is extremely big
i recommend a smaller version like rockyou-10.txt, it is used later in the module
this need work
but it's the exact same answer as Q1
how do you check that the token is invalid ?do you feed your generated tokens to ffuf or another tool ?
i get no results from rockyou-10.txt
i check it now admin is not in rockyou-10.txt
it is first in rockyou-60.txt
grep -n "admin" rockyou.txt
burp. i translate the timestamp into the right format with a website
i get a token. this token is the md5 hash from "htbuser" + timestamp millisecond
i get the right timestamp to generate the same md5 hash
the question says it generates at the same time a token for the htbadmin user in the same way
i test every md5 hash with the timestamp around the one that is the right one but it doesn't work
Did anyone else encounter the below error when performing the Petit Potam exploit in the Bleeding Edge Vulnerabilities section of the Active Directory Enumeration and Attacks module? I ended up getting past it by performing a RBCD attack, but the provided instructions didn't seem to work the way the author described and I'm wondering if it was intentional. If not, I may broach the issue in erratum to make them aware. Thanks!
```shell
┌─[htb-student@ea-attack01]─[~]
└──╼ $ python3 /opt/PKINITtools/gettgtpkinit.py 'INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01$' -pfx-base64 "$(cat dc01.pfx.b64 | tr -d '\n')" dc01.ccache
minikerberos INFO Loading certificate and key from file
minikerberos INFO Requesting TGT
...KerberosError: Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"
```
@digital pewter
I think Alh4zr3d had a tweet about these errors on HTB a few days ago related to AD CS
I think it’s applicable here considering I was able to do it a week or two ago while helping someone else with a different error
wow thanks, ... I could have taken many times continuing to try to find a fix for this !
I have a few ways to attempt get around it when doing some of the abuses outlined in Certified Pre-Owned, but I haven’t played with PetitPotam enough to see if there’s a potential workaround here
you could change DCs date time I guess ?
Didn’t think about that as an option but its worth a try
but that mean you must already be able to have admin right on the domain
Oh true
it might also be needed to disable some service that may be used to timesync the VM Lab with the "real world" host server (ESX server or whatever else)
Do you have to be an admin to do that? It would make sense but I’ve never had to do it not as an admin.
you need to be admin to change date time, and in an AD domain, you need to change the DC's time because all other devices are syncing their time with it (it's defined within GPOs)
I am on Attacking DNS. Trying fierce I get: fierce --domain inlanefreight.htb
NS: failure
SOA: failure
Failed to lookup NS/SOA, Domain does not exist
And Ive added the domain and IP to my /etc/hosts
Also subfinder finds nothing while subbrute has a bunch of errors
The challenge is: "Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. "
htb is not an official TLD. Thus, you must always specify a NameServer that can handle the resolution.
In this case it is the target server.
yo guys having a bit of trouble with the footprinting oracle tns question where you have to get the password hash for the stated user, im logged into the db as sysdba but can not seem to find the hash when running SELECT username FROM dba_users WHERE username = 'DBSNMP';
Its looking like it may not be intended so I may go ahead and bring it up in #858470491676737536. This resource helped me get around the issue in case you may find it helpful:
https://offsec.almond.consulting/authenticating-with-certificates-when-pkinit-is-not-supported.html
Hi guys, I’m having trouble finding a way forward in the Password Attacks Hard Lab. I’ve got J and D’s creds and I have the B file but know that I need admin rights on the win box to read it. I’m struggling to find a way to get admin. I want to try and get the SAM but I don’t think I can get that without being Admin first and I’ve run out of ideas. Would anyone be able to give me a nudge please?
if I recall you have to use keepass2john , are you at that part or passed it?
@thick juniper theres also bitlocker2john
the B file is bitlocker
Would it be alright if I DM'd you?
you don't need to open the B file on the windows attack machine, you can mount it on your attackbox or another windows machine that you own
sure
Hey guys, I'm trying to figure out how to get the root flag but I'm having no luck.
I’ve cracked the password for the B…..V.. file, I just can’t open it because I don’t have admin on the Win target
open it on your own system
How would you go about doing that on my attack box? I’ve looked around and found a vdhi viewer but I didn’t quite get it to work. So am I at the last step to get admin creds?
As in the Pwnbox or a separate Win system?
I don’t have a win system to hand sadly, if there’s a way to open it up in the Pwnbox that would probably be my route
yo, anyone here willing to help with the automated scanning section in file inclusion module? kinda lost here
I’ll have a dig, thank you all
I had a lot of issues finding something that would work on my attackbox, someone gave me this link here and it worked really well https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
hello all
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
when doing the command setspn.exe -Q /
i enumerate service account
let's say i managed to get the password
how do i know which service account to login with the password i obtained
That’s great, thank you!
Learn how to add a user to domain group from Windows command prompt. Domain admins can use this command to add multiple user accounts to domain groups.
none of the spn accounts i enumerated was able to logon to
appreciate any help or hint
ty I didn't know adding the user to domain admins I could login anywhere
@everyone
<@&861185840277487616>
Like we are stupid enough to allow everyone to use the everyone ping 😂
to sell a different course content that could be pirated for free no less

it is a guy called everyone I think
Has anyone also had problems with the OSINT module, in the coordinates part ?
In the Attacking Common Applications module, the Attacking Applications Connecting to Services chapter, I'm getting different mem addresses compared to the ones in the screens from the course. What could be the cause? I used all the exact same commands
hi I completed Nibbles on Getting Started Module
now I just gotta do the last section which I will do later
but I'm glad I actually am getting through this
I assume in the example they left out the part where they started running the program. Binaries can have a protection known as PIE (position independent executable), meaning that everything is set at a specific offset, but every time you run the file, the base address changes.
The example likely already ran the binary in the debugger and then printed out the disassembly, which means the base address has already been decided.
I must say... anyone who's considering Whitebox Attacks... be prepared for pain. A fantastic module, but it definitely is challenging. lol
Why do I get this error?
that binary isnt compatible with your setup
do u have the wordlists there?
So i need to use another shell then?
I made one
It should show like this when the wordlist is in that directory for kali
what happen if u do it with ./wordlist
its nothing to do with the wordlists
illegal hardware instruction means the actual CPU received a bad asm op code
that comes from not having a compatible binary for your environment, not wrong argument usage
yes you can use chatgpt
How do i make it compatible?
grab the correct binary for your system or build it from scratch
Build hydra from scratch?
try running it as root
Update Drivers: Ensure that you have the latest drivers installed for your GPU. Outdated or incompatible drivers can cause issues with GPU-based applications like Hashcat. Visit the GPU manufacturer's website (NVIDIA or AMD) to download and install the latest drivers for your GPU.
Check OpenCL Support: Verify that your GPU supports OpenCL and that it is enabled in the GPU settings. Hashcat requires OpenCL to access the GPU's processing capabilities.
Check System Requirements: Make sure your system meets the minimum requirements for running Hashcat. Check the Hashcat documentation or website for the system requirements and recommendations.
Check Dependencies: Ensure that all the required dependencies for Hashcat are installed on your system. For example, Hashcat might require certain runtime libraries or additional packages to function correctly.
Run as Administrator or with Sudo: If you are using Hashcat on a Linux system, make sure you are running it with appropriate privileges. Use sudo to run Hashcat with root/administrator privileges.
Use the Correct Hashcat Binary: If you have multiple versions of Hashcat installed, ensure that you are using the correct binary for your system.
Check Your Hashcat Command: Review your Hashcat command and options for any errors or typos.
Seek Community Support: If the problem persists, seek help from the Hashcat community or forums. Other users may have encountered similar issues and could offer insights or solutions.
Ok
I don't know I just sent what chat-gpt told lol
I don't know hardware error seems like not cpu,ram... enough given to the box
Yeh, it didnt help
Lol
then remove hashcat and try reinstalling it maybe
My brother in quality assurance
its an illegal instruction error
or check if u have different versions installed
As I said, that means the binary youre using isnt built for the cpu youre using
eg x64 bit on 32 bit system, intel on arm, arm on intel, etc
No, you should just install the version correct for your system
Can i do that using CLI?
- apt remove hashcat
- apt install hashcat
I don't recommend using the --force flag, pretty sure that's not part of the issue here, but it's mostly there as an option for devs when they're working on it iirc
it is shown in the module I think
to use --force
I don't think using that flag changes anything 🤷♂️
I could totally be wrong on why the flag shouldn't be used, but all I know is that I've seen core hashcat devs (mainly chick3nman) actively tell people not to use it, and they know better than I do.
idr if its necessary to force hashcat to generate the resulting wordlist or not
cause youre not actually cracking a hash
I think thats why its used but I could be wrong.
neat, thanks for checking
#forensics-cryptography message chick3nman is the hashcat dev
Deleted hashcat, got confused on how to install it
Died
sounds like a good erratum
on it
word from the dev that it shouldnt be used, and you have proof its not necessary for the intended results
👍
https://academy.hackthebox.com/module/18/section/2095
can anyone help with the autosynch with rsync and cron
what can i do if the remote user of the backup server has pw enabled
i always get Permission denied (even with sudo)
Permission denied, please try again.
htb-sho@1: Permission denied (publickey,password).
rsync: connection unexpectedly closed (0 bytes received so far) [sender]
rsync error: error in rsync protocol data stream (code 12) at io.c(231) [sender=3.2.7]
rsync -avz -e ssh /path/to/mydirectory user@backup_server:/path/to/backup/directory
crontab:
nvm just use keypairs and it's working gucci
talking about keypairs, do you usually set seedphrases?
Hey guys, I'm stuck on Credential Hunting in windows https://academy.hackthebox.com/module/147/section/1318. Lazagne gets me what it says is the username and password for WinSCP but that doesn't work? The hint says to use the tool described and that Lazagne
what am I missing?
Might need to look a little bit harder. You're probably doing it right, but just reading the output too fast and missing what the actual credentials are
--force just ignores errors
Speaking from experience
@trail leaf can I dm you a screenshot of the answer I've got?
go ahead
I am stuck on the AD Enumeration and Attacks skills assessment part 2 question 7 I know what i need to do but i am having trouble figuring out how to get the exploit onto the server with the shell i currently have.
I was originally using a nc shell but switched to a msfconsole session shell because i was hoping i could make it a meterpreter shell. However, I get the error "Target is running Windows on an unsupported architecture such as Windows ARM!" which im pretty sure isnt the case but okay.
I have also attempted to make the MS01 a httpserver so that i could pull the file from there
any help would be appreciated
I like pwncat-cs for windows shells. It can listen for any standard shell callback, and upgrade to a better one. It also has upload/download functionality and such.
ahh i shall try that thank you
If you need any help messing with it, you can DM me.
will do
when in doubt if your shell sucks upload a better shell 😉
Looking for someone who has completed the javascript deobfuscation skill assessment. I have answered all questions and stepped through the entire process including finding the final flag. however, the 2 questions prior can only have one answer along that progression and the module will not accept either as an answer. I know the answers but potentially HTB wants them in a string or given format that is unspecified? anyone that can help it would be appreciated.
I unlocked that module and loaded up the skill assessment. The two questions are working for me
feel free to DM what answers you attempted
Hi guys, i'm doing the Setup module -- it is sending us to link to download windows 10 VM, but the link now actually leads to windows 11. Will this matter later on when actually using the window system?
a
For Windows Privilege Escalation Skills Assessment Part 2, When running a program named Sharp*.exe I am getting a message to install .NET framework 3.5. Am I using the wrong tool? I also can't run CVE-2020-.
lazagne
lazagne can find some application specific loot that mimikatz doesnt look for
Probably not, there really haven’t been extremely huge differences between the operating systems for anything you would be using it for
You can probably google for the .NET error and add “ctf” or “hackthebox” and you’ll probably find people with similar problems on various boxes
Regardless, there’s a reason the module shows you more than one tool for a lot of the different sections. I don’t want to say anything else about that skill assessment before I spoil something.
its always worth rechecking things with different tools even if you think they cover the exact same info
it sounds dumb, but experience will teach you it isnt
Tools can and will lie to you
Are you still stuck? I know I'm late, but I don't spend much time on Discord.
Guys am i dumb or it is normal that i get off topic tasks in Linux module? Eg. I am studying how to filter files and it asks me to work with servers and IP addresses. How am i supposed to know that.
Elaborate on what you're referring to
Like what section specifically
I think I know (I'm doing Linux fundamentals right now)
Filter Contents is my guess as to which section they mean
I'm pretty sure the tasks are asking you to use commands seen earlier on in linux fundamentals, though, combined with some filters.
^
I did struggle with the last one, granted, but the first two are definitely doable
It's a bit if you don't know the basic filtering commands for sure
I've been having trouble all day trying to download packages to a Pwnbox while following along in the section Package Management (Linux Fundamentals). I've tried resetting the Pwnbox to no avail. It seems to be a connection issue, but I'm certainly not having any internet problems right now (and I'm not sure that'd matter on a Pwnbox?). Does anyone know what I might be missing here?
I don't think pwnbox has internet access
You're getting net unreachable errors so yeah
I think it does if you're subscribed
wouldn't know ¯_(ツ)_/¯
but yeah, free doesn't for sure
Always read your errors people lol
I mean, I read them
I just didn't realize the free Pwnbox didn't have internet access
I was under the assumption it would if it needed it. The section implies I should be able to follow along regardless.
I believe it's installed by default
But also I think the tool itself can be reached I believe it's a very tight whitelist for what can and can't be downloaded
It's less about having the tool and more about installing it (the focus of the entire section is becoming familiar with installing packages), but thanks regardless.
Is there anyone here interested in unlocking my phone?
will probably take credit for it
no that sounds illegal
illegal?
illegal means against the law
sure if you can prove the phone is yours and don't mind getting scammed
or your info stolen
ok please keep the channel on topic, this is for help on academy modules
Who did pwn sau i kinda stuck on PE
Can someone help me on File Inclusion - Skill Assessment? Right now I am trying to find the php.ini file using base 64 (from this section of the training: https://academy.hackthebox.com/module/23/section/253) - specifically, the ||php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"|| command. I have found the website uses ||nginx|| and is running ||PHP 7.3|| I've tried the following command: ||curl "http://83.136.252.24:52595/index.php?page=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.3/fpm/php.ini"|| Is this what I am supposed to do? I've been reading through the chat and others have said to ||get the index.php file|| but I haven't been able to do that either.
In one of the first sections of the module you are shown how a web app might be handling extensions
Should I try those methods with the php:// command?
Only one way to find out 🙂
Haha, thanks for the nudge!
I just got it! You rock!
I did it, but thanks anyway
Hey guys, in the module "Shells & Payloads" > "Laudanum, One Webshell to Rule Them All" > Question 2: "Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)"
Can someone confirm the question is either out of date or broken? I did a find on the entire box and no answer seems to fit the question 🤷♂️
One of the code blocks in the lesson has the path in it, I just used that one
it doesn't seem to work for me :/
same issue with the antak question on the next module :/
The answer is there bud
disregard.... you have to include the damn file name 🤦♂️
hehe
I hate these low-level confusing questions...
I don't mind getting stuck on something for a few hours, but that...
yeah, I got stuck on the first part of the Password Attacks Hard assessment for a few days trying to brute force the username and password. Only to see that a username is given in the little blurb at the top 🤦. Felt like such an idiot.
Thats the first thing I usually do, but in this case I just didn't read the scenario and went straight to the question. Learned a lesson there.
hello guys i have a question
i am curious about this module
because i solve it but they mentioned they have 2 ways to do the foothold
what is your question exactly?
yes i am sorry
hey somebody had done the password attacks module
the question is, there exist a way to solve it using a password cracker or something like that ? , because in the course of this module if i am not wrong they mentioned a way to try with some information that you can search in path
i solved using metasploit
but i am curious about the password cracker i never used one before
i assume i can use the information obtained in the path and then use it to try it in the login
i just i am curious about that
i solved it in this case using metasploit
do you know is possible ?
How can I make the command just "hashcat"?
I cant install it using sudo apt install hashcat cuz i get this error, then when i try to update apt it says its updated
update the distro and see if it solves the problem
how?
google or just check the linux fundamentals module
I have already completed that lol
ok
brb
but its already updated
what
can you update the repository with: sudo apt update -y?
I cant install anything
I dont see how that would help, and it didnt
Literally nothing works on my machine lol
then try to install hashcat one more time
maybe its missing the right repository
But
How come
the tutorial tells me to download update-manager
but i cant download it
(I need hashcat to do a module, but I cant install it, the binaries work but then it wont update on its own and i dont know how to make the file path i need to specify short)
Before you download it, type apt update first
I have done that
you can download an already compiled binary and move it to "/usr/local/bin", another way is to download a prebuilt image from the kali website, third troubleshoot by googling the error message you have
try to update the archive-keyring as root: wget -q -O - https://archive.kali.org/archive-key.asc | apt-key add
I have tried downloading the binary, but the issue is then that I have to run /usr/bin/hashcat/hashcat.bin
Ah
now it works
you should not be doing updates on kali like this. It will almost certainly break a ton of things.
like what ?
It broke a lot of things
A lot of programs stopped working
And hashcat doesn't work
Lol
This sucks
And i got the error from yesterday, when i downloaded the binary it didnt but i had to specify the whole path
Complete the PW attacks Hard Lab, thanks for the pointers guys 👌 as a side, one of the commands “modprobe ndb” worked for me, but when I reset the machine to try it again to make sure I had it, it failed and came up with a fatal error. Anyone have an idea why it worked once and not the second time?
I'm in the linux fundamentals and for the love of god trying to find the What is the path to the htb-student's mail? under the system section
im the only one who cant connect to the VPN in EU 1 or 2?
@solar smelt Hint, the full path does not exist yet, but you can know what it would be
have tried home folder. if it's under /usr that a needle in a haystack
Do I have to 'google' the userAccountControl bitmask for NORMAL_ACCOUNT and ENCRYPTED_TEXT_PWD_ALLOWED?
no VPN on academy work on my side WTF
what platform are you on
platform? i tried all the EU and US VPN
linux, mac or win? and what is the error message?
linux, arch
i tried all 5 VPN servers, and this message appears after a few minutes and cant connect to labs in academy
Mails are not located in the home folder, what folder might contain these kind of files?
Currently working through the credential hunting in windows section of the password attacks module. The question is wanting me to use lazagne (I'm assuming the .exe version as python is not installed on the target machine) to find credentials for a file server that the user accesses via WinSCP. However, if I try to run the .exe via GUI I receive the "This app can't run on your PC" error. Trying to run from command line gives the same pop up, along with "access denied" output whether I run as admin or not. Parsed around the system manually, couldn't find the creds so I'm really wanting to use lazagne. Thoughts?
found it with some forensics🔎 😄
@eager merlin thank you
You make me curious😀
also tried finding it with the findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml *.git *.ps1 *.yml command, but nothing seems to be there either.
I am having trouble with this question from this module: (https://academy.hackthebox.com/module/22/section/290)
Question: What is the userAccountControl bitmask for NORMAL_ACCOUNT and ENCRYPTED_TEXT_PWD_ALLOWED? (decimal value)
Attempted solution:
I typed out 'python3 /opt/ldapsearch-ad /ldapsearch-ad.py -l 10.129.42.188 -u 'james.cross' -p 'Academy_Student!' -t search -s "(userAccountControl:1.2.840.113556.1.4.803:=128 & userAccountControl:1.2.840.113556.1.4.803:=512 )" -d inlanefreight.local’
And here were my results
if i have an ipmi account, does it also allow me to maybe ssh with said account?
maybe ipmi account = local account or something like that?
Another 🔥
Well, pentest/ctf machines are supposed to be volatile because of these things. Ippsec has a pretty good tutorial in his channel to automate real machines using ansible, however that can be a bit tricky depending on your experience with Linux. Another way to go is over virtual machines, I recommend virtualbox because you have snapshots for free and so you can create/restore one always you like. For cracking hashes specifically it's best to have it in your local machine (prefer build your local versions from source or to use a standalone binary) but you have the option to use a docker container leveraging of your graphical card (GPU) as well if you want flexibility. At extreme cases you can use cloud solutions using GPU for the hard work. So, always keep an updated version of the kali and you will avoid a lot of these issues.
Guys, you're making modules faster than I can learn.
Rip to that one guy that finished almost all modules a few days ago
You mean satelite?
He has already completed this module 🤣
The modules are definitely worth it.
All the modules I have done so far I would definitely do again.
There are a few I was disappointed in but others are really really good
Really? Which one disappointed you?
OSINT was maybe the module I expected a little more from, but even that module was cool.
Mh i have to recheck if you want a real list but I remember in the cbbh path one of the last modules was web services and api attacks
Did you contact the author in each case and tell him what bothered you?
I mean, an author can only do better if he knows what was not good.
And it mainly showed very small examples and referred to the other modules for more in depth
Oh no I didn’t wanna be the guy to tell someone I didn’t like the course
I just remember being confused that as one of the final courses in the path it wouldnt go into more detail but just refer to the other modules again
Honestly, if I were writing a module, I would want people to tell me that was good and that wasn't good.
But then it is important to say why you didn't like it.
An author can't do anything with the statement, that was crap.
But if you say, that was shit, because this and that was missing, then the author knows what it's about and he has the chance to make it better.
A good critique has never hurt.
but I can say I generally agree that the material seems very high quality. I'm currently doing the AD Enumeration and Attacks Module and I really enjoy the content and how it is presented
and I remember how great it felt to finish the assessment in upload vulnerabilities or so where I had to combine all methods learned in the module to finally upload a php shell disguised as another file
Don't worry, they are still on my ToDo list
At the latest when the exam is online, I think many will jump on it.
I am using a VM and downloading a new version rn
lol
but
thanks
Anyone got any hints on the last question in using metasploit, sessions. Exploiting an old version of sudo. I have found two poc and compiled them using make then moved them onto the target but get the error: libc.so.6: version 'GLIBC_2.34' not found. How am I meant to compile the exploits if I don't have gcc or make installed on the box?
why cant things just work lmao, the VM isnt installing
Updated VirtualBox, works now, ill stop complaining xd
Isn’t the whole idea to use metasploit for it?
Powerview and LDAP modules are also great expansion modules / refreshers
Yes you are right. I have completed it now thanks
Hey all, not sure I'm posting in the right place but here it goes
Im working on a OSINT challange
This led me to a blog site where I need to download a CV and look in the metaData of the file.
The blog is actually down. https://dylonellwood.blogspot.com/
What should I do in this case?
Hello everyone!! So, I've been at the footprinting module for the pentest path, stuck on the dns one. I've read the forums but when I dig it isn't showing me any other domains, zone transfer fails. I tried with a VPN connection and the pwn box. If anyone is available for hints or help my sanity would appreciate it!
It does thank you! I can't find a way to download it tho 😦
curl?
In the "Password attacks" module I have been running into issues with transferring files from the windows to the pwnbox. The instructions say to create a share using smbserver.py on the pwnbox, and I should be able to just go to the windows cmd line and type move <file> \<IP><Share> and it should move the file but all I get is "Access Denied". How am I supposed to move the file? It does not seem to matter if I made the file or not.
The domain uses a TLD (.htb) that is not publicly available.
This means that you must always specify a name server that can handle the resolution.
Good thing it looks like they're releasing a defensive based cert
OOOOOOOOoooooOOOo, duhh. I am cooking now, thank you!!
dig axfr domain @ip
{@IP} is a simplification of @nameserver
I have the same issue. Were you able to figure it out?
Be mindful of timestamps when you reply to another user's post lol
That was a few days ago
I forget the syntax they suggest
I am aware it was a few days ago. More likely we have the same exact issue. Am I not supposed to ask questions?
I'm just saying it's just as likely they forgot. You can just ask the question yourself instead of waiting for the specific user to reply back. That's all really
I have also asked the question. Then searched for it afterwards, and saw theirs
thanks for the link, I will try to make it work on the lab
Has anyone done the "Intro to assembly"?? I'm stuck in the final assessment #1. Will appreciate your hints. If yes kindly @ me or DM me for further discussion 😄
You betcha. If you get hung up, let me know and I'll share the commands. Its actually a really fun exploit path.
I guess ill be done in 14 hours💀
ngl, I would've left at that point
I did
There must be another way (The module told me to bruteforce it so idk if there is)
Try enumerating the target, there might be a service that’s easier to brute force
Oke
Ftp
They need to reword that question
I feel stupid, I'm on Attacking Common Services - Easy rn, do you absolutely need to upload a shell on this one to get the flag? Or should I just search the MySQL databases until I find it?
Yea the XAMPP site
Ok
thx again @rustic sage
AAA i tried Smb and ssh xd
Yes, but i thought i just had to make a bigger list with hashcat lol
You can also use awk to modify the file. You may not need passwords that are on the shorter side
Anyone?
what are you struggling with?
Hi! someone good with regex that can help me understanding a grep command? (web attacks --> Massive IDOR Enumeration)
Is it a grep tag/syntax question?
anybody can help me in password attack medium assessment
I mean unless you ask what you're struggling with
can dm you
Can you ask the question here without spoiling details?
Note you can give vague enough user info by doing like j* and a*
i found the creds in document
ssh into it
in ssh service found 2 users
The document talks about an internal service if memory serves correct
Which can be used to get info for user2
d*** user have ssh hidden folder i can't cd into it
Correct because you can't cd into another user's protected folders, permissions won't allow it
i am stucking here only
Read the document over again, you'll find out that there is a certain internal service
give me hint
its a skill assessment
I dont recall if the history shows anything helpful on it
The information you need to move forward is there that's all you need to know tbh
tbh??
yes
Providing hints sabotages the purpose of the skill assessments.
Personally I don't mind troubleshooting a particular method and helping that way. But if you dont even know the path forward you must seek it on your own
Tbh: to be honest
nothing found on docs related any service
Yes
It'll pop in like 20-30 tbh @pulsar needle
Have you looked up the man pages for grep and are still confused?
Yes i swear i did
Aaa oke
i've been struggling all the afternoon to understand it
Password attacks; medium right?
yes
My notes reflect that "according to documentation, service should be running"
that j**** user
It's the same documentation you get that info
So it's all in that same document
That tells you where to look next after ssh in
I have the same problem
ok i read it again
Note: it may not say it directly
But you can probably guess that it should be running
got it thanks miss
HI I'm in password attacks. my mut_password.list file is showing as an unknown application and is causing crackmapexec to throw up UnicodeDecodeError: 'utf-8' codec can't decode byte 0xff in position 0: invalid start byte. I tried changing it to a .txt and then it shows as a text file but crack still throws the same error. Anything I can do to fix this?
.txt
which page
I know the hint gives a username but I'm trying to get hydra/crack to run with my mut_password file
it runs fine with password.list
mutated one more password list
for https://academy.hackthebox.com/module/147/section/1391 I gave up on getting my own to work and used the Pwn box but at some point I'll need to have it work on my own machine
@analog pewter what do you mean?
Am i supposed to run a hydra brute force through my ssh connection? (Password Reuse - Password attacks)|| The default mysql credentials dont work||
Brute force is not necessary. Check history if I'm remembering correctly
@pulsar needle make sure you try the list they link to with the defaults
Did you generate it using the provided command?
@fathom pendant yeh found D*** creds then id_rsa into hash then decrypt another cred i got log into ssh with id_rsa but not getting root
Think abstract. Why would he need to password protect his own rsa
They also give you a resource to look for default credentials in the module
its too confusing
Just take a step outside the box for a second and think
You're literally almost there
Ah yes I forgot this one was also the default password section
It's in the provided linked resource
Aaaa, I thought i used it but i clicked on the wrong thing lmao
finally done Thank 😄
These words help me a lot
Sometimes it takes critical thinking
Like "huh ... why is it this way"
Even though, when you think about it, it would certainly make sense to pw protect your rsa keys
it is
so have you done CBBH
Nope
Currently without wifi/internet (using mobile data)
So my academy progress has been halted
what are you doing cbbh or cpts
Cpts path
Marcie is def gunna pass though
Marcie has spent so much time on the front lines of this chat that I would be shocked if they didn't pass on their first go

Me when I find some new shit
Hello
Read the #rules dumbass
Can anyone can help me to ban my acc from instagram
no
No
get lost
@fathom pendant I didn't gen using provided commands because I had to run hashcat on windows and the -u caused issues. I xfered it over and am having issues with the file type/permissions or something windows gave it
Ah
Your mistake is using windows

hahah
Just download it to your vm/pwnbox and create a new one
my virtual box with parrot won't run hashcat

I haven't had issues
That was the original issue
Can I get. Some sort of information from here
It says Illegal action. I asked on the hashcat discord and they said don't use a VB
Like can I learn anything here?
Ah illegal instructions, its trying to do an arm instruction on amd or vice versa
Nothing that will help you with anything illegal
For example
Yeah I have read it

hanabi hanabi
I've seen some badges shared here, where you can see how many people have it, where can I see that?
hanabi hanabi
Anyone around to tell me what Im doing wrong in Shells and Payloads - Live Engagement - Host3?
Redoing some stuff and its not working this time around
hmmm today we dive bros... and... sisters...
Hello! Could I please get assistance on answering this question on the Linux directory: "What is the name of the last modified file in the "/var/backups" directory?"
Ive tried searching it this way: tree /var/backups and I pull up a directory and the last file is shadow.bak but thats not the answer. Am I looking in the wrong place?
That's because that's not the last modified file, they are looking for the file with the most recent timestamp
@mortal narwhal continuing help here
If you read the syntaxes and everything from examples, you'll see that you can specify directories in commands like ls @mortal narwhal
Ls= list stuff
-l gives you it in a neater list format
-a gives you all info (and also shows hidden files/directories)
Combining flags gets you ls -la
I'm still stick on this

hello friends hope you are all having a great day i am new in the cybersecurity field all want to ask is can HTB academy make me able to pass the OSCP test or i need more resources ?
everything you need to pass the OSCP is in the materials that offsec gives you, but htb academy also has good stuff
ok got it
first when i was creating my account i choose some interests can i modify them or add more in the future or even do my choices affect my learning resources
it does not matter
thanks mate ❤️
Hey I'm currently on web proxies assessment and I was trying to do it using zap because to get accustomed to both. how do i fuzz with and encode / decode
There’s a page in the module that will walk you through fuzzing with Zap.
thanks, I realise that. The part that is confusing me is I'm able to decode and encode with the zap decoder/encoder but i can't do it in fuzz which is the problem. I don't get the same answer
*stuck
Hello anyone who has made Password Attack Module | PtT From Linux section....
I'm having some issues to find tgt for the svc_workstations
any hint?
The section almost identically walks through what to do
Just have to do a little bit of additional searching
You dont need to do any tgt exploits. Just use the tool they talk about in the chapter..
ty @trail leaf & @pine dagger but, how suppose do I get the credentials to be able to connect via ssh?
using the tools described in the module, I can obtain the AES_256 hash not the NTLM
I'm overthinking or misreading something
unless I have not to connect via ssh to read the svc user flag
^
that's the almost bit. Take a closer look at the supposed location of these credential files.
LoL a little direction of what the searching do I have to do, would be awesome....!!!
unfortunately I don't get it / follow
You followed the section and found a file in a location, but only got the AES 256 hash. I'm saying look closer at that location.
Improve your skills in JavaScript, HTML, and CSS by building a social media dashboard with a dark/light theme. Jess, who runs the popular Coder Coder YouTube channel, will guide you through a beginner Frontend Mentor challenge.
✏️ Course created by @TheCoderCoder
Resources:
🔗 Responsive Design for Beginners! https://coder-coder.com/responsive...
i must do it?
It's only a recommendation to build a simple site, it's not a requirement to do so
ok thanks
was hoping for a nudge in the right direction on the skills assessment part 2 for AD enumeration im on question 8 looking for a way to escalate myself on MS01 im currently system on SQL01 and have tried just about all i can think of to find creds to escalate myself with on MS01
Hello, I am looking for programmers who know about twitch, if you know about that, contact me privately
Any help with the Web Proxy module and Zap Scanner question?
You're basically there, look back at some of the post exploitation steps they recommend throughout the module and that should give you an idea.
Won't say more since it's a skill assessment
appreciate the help
If I remember correctly run both spider methods then use the web scanner
I found the vulns but I am not sure how to exploit them using Zap
I requested help through HTB but that was yesterday, just trying to see if anyone can provide a nudge
have you requested the url the vuln gives you?
Like in a reg browser or in Zap?
either should work
Well the browser is just a blank page
hmm one sec im gonna try on my machine
I see the vuln that allows me to read files from the server but nothing I do works to read anything else lol
have you been able to read /etc/hosts?
the link the vuln shows is already set up to read that file
have you tried running other commands?
sometimes you may have to reset the machine.
I completed the Hardware module yesterday, but I have not got this badge 😢 for my collection!
I'm working on the following section of the Active Directory Enumeration & Attacks module: Attacking Domain Trusts - Child -> Parent Trusts - from Windows
I can't get the initial mimikatz command to run. It keeps throwing errors.
Anyone else have this issue?
@astral elm
Any reason why I can't upload screenshots here?
Go to the last page of the module again and finish it with the Finish button.
Read and follow #welcome
Thanks.
You completed the module too quickly. There is no badge for this 🤣
because this topic is old for me
not sure what I'm missing here or why it seems the user account doesn't have the privileges required to complete the tasks.
You're admin?
The module provides you an admin login to rdp into.
try to escalate the token, before privilege::debug
token::elevate
No change.
Did you start the PowerShell as administrator?
I figured it out and I hate that, that of all things was the issue.
Took me literally hours. I'm going to bed. Thanks folks.
Nope
Hydra and cme are really gonna be the best for now
Also ~threading~
[-t]
Most of the ports respond decently well to -t 48
already tried
CME and hydra are still great, some people use Medusa
whats about crowbar??
Which is just a similar tool to hydra
Haven't touched it or seen anyone recommend it
let's try cme
Password attacks module is mostly a waiting game, 30 minutes at most for bruting
Iirc a flag like --local-auth or -local-auth is needed
Fwiw
ok well i try with both
Hello there, could anyone help on Intro to Assembly Language, Skill Assessment Task 1, i have tried a lot of different shellcodes but nothing works, I have the code to xor all the data pushed to the stack with a loop and all of that, but when i dump the decoded shellcode it didn't do anything
I’m at work rn so I can’t check my notes, but if you send me your decoded shell codes I can tell you if the right one is there
i am not able to download a file from smbclient
parallel_read returned NT_STATUS_IO_TIMEOUT
this error
i copied the bash code from the site and it also gives me this weird problem?
The UDPv4 error is where I have loaded the terminal with the VPN. And the other error is in the terminal where I try to connect to the box...
And i can't upload images in this Channel i don't know why
Because it's expecting an argument
Because you haven't verified your main htb account here (#welcome )
@fathom pendant if we have only read permission on smb we can not download any file
That is indeed how read only works
parallel_read returned NT_STATUS_IO_TIMEOUT
Try copy and paste
this error
which module?
password attacks
section?
skill assessment hard one
what are you trying to install?
getting a file from smb
okay, i had the same trouble
it's because of internet connection issues
you can try to install it in pwnbox
and crack it there
gl
Switching from udp to tcp may also work
yeah, but it didn't in my case ahahah
Looking at my notes smb is the correct second step
Did you switch vpn servers back and forth to regenerate your vpn keys?
pwnbox is very slow
yeah, but it was 2 months ago
it's also because of internet connection
¯_(ツ)_/¯
probably you're in US servers
Sometimes they don't like us servers and eu works better
yeah
is there a script or existing tool which lists recursively all smb shares and looks for subdir where we have write access?
And sometimes it's the other way around
smbmap?
Probably some stuff you can do with smbmap lol
or smbclient -N -L
it list only dir but not write access to subdir
-_-
chatgpt would answer
How can I open a new message in htb support?
wdym?
Need to speak to a person? Learn how to reach our support via the Main Platform.
ok so you dont know lmao xD
Don't be an ass
since when is it being an ass to say that... stop your judgement
well well
We gave a reasonable answer and there very well might be a way to do it in smbmap
it isnt because we didnt have the same pov the other day that you must start with statement like this
OK?
no ,there isnt

and we cant joke?
wtf
OK then start with saying "I've already tried smbmap"
You're acting like I'm actually big mad at you
if you are still upset from the last time go outside and take a walk
stop it
I really don't lmao
so when people answer go chatgpt and you answer him "so you dont know lmao" is being an ass? and answering go chatgpt isnt?
yeah for sure not remember last time xD
have a nice day

I mean when people are actively talking out of their ass
Googling only leads me to smbmap with the options -R or -r and --dir-only
cool and i used smbmap and google and it didnt list writable subdir on a share
it list subdir
So you're looking for it to tell you it's writeable
and that's different to answer like you did than go chatgpt lmao
--no-write-check Skip check to see if drive grants WRITE access.
-q Quiet verbose output. Only shows shares you have READ or WRITE on, and suppresses file listing when performing a search (-A).
--depth DEPTH Traverse a directory tree to a specific depth. Default is 5.
¯_(ツ)_/¯
#!/bin/bash
# List every disk share on the target, then recursively list each share.
function enumerate_share() {
    smbclient -L "$1" -U "$2%$3" | grep Disk | while read -r line; do
        # The share name is the first column of "smbclient -L" output; the second is the type (Disk).
        share_name=$(echo "$line" | awk '{print $1}')
        smbclient "//${1}/${share_name}" -U "$2%$3" -c "recurse;ls" 2>/dev/null | grep -E '^\s+D|^/|^\|^$' | awk '{print $NF}'
    done
}
if [[ $# -ne 3 ]]; then
    echo "Usage: $0 <target_ip> <username> <password>"
    exit 1
fi
target_ip=$1
username=$2
password=$3
enumerate_share "$target_ip" "$username" "$password"
then ./enumerate_smb.sh 192.168.1.100 john pass123
cool thank you, i was asking if there was an existing tool if not i will do the job myself 😉
Have fun
gl
gl
chatgpt stuff for sure xD
i mean more it doesnt work well and doesnt do what i asked xD
it is weird there isnt an already existing tool that does it
#!/bin/bash
# Recursively list a single share: <target_ip> <share_name> <username> <password>
function enumerate_share() {
    smbclient "//${1}/${2}" -U "$3%$4" -c "recurse;ls" 2>/dev/null | grep -v "NT_STATUS_" | grep -v "DenyMode" | awk -F "|" '{print $2}' | sed 's/^[ \t]*//'
}
# The script takes four arguments, so check for four (the original check was for three).
if [[ $# -ne 4 ]]; then
    echo "Usage: $0 <target_ip> <share_name> <username> <password>"
    exit 1
fi
target_ip=$1
share_name=$2
username=$3
password=$4
enumerate_share "$target_ip" "$share_name" "$username" "$password"
tools just list subdir without checking if there is an other permission on one of the subdir
./enumerate_smb.sh 192.168.1.100 shared_folder john pass123
mb there is some github repos
Whew, that is some really awful code.
I mean for the most part it's not really necessary to need to recursively check write access as it's mostly inherited ACLS ¯_(ツ)_/¯
And most modules AFAIK only go maybe 1-2 layers deep
look at the lab https://academy.hackthebox.com/module/67/section/630
chatgpt be like-_-
enum from linux for example is very boring if you must check manually
I don't know what all this fuss has been, when smbmap exists
OK they probably showed you a way to do it. I don't have that module unlocked
no they dont
It doesn't do what they want it to
if that was the case i didnt searched for it xD
Sounds like he wants to do the wrong thing, then.
straight to erratum?)
x,y problem ¯_(ツ)_/¯
Probably not necessary as it seems no other users have reported having similar issues
was that section available when you were doing windows PE?
not really a "problem" from the module itself, it is just a case where enumeration is boring
or maybe i dont do it the good way
Module hasn't changed since 2022
that's why a walkthrough when completed the module can be useful 😛
the best way))))
i did and they dont talk about enumeration of writable sub dir on smb share

@acoustic owl