#modules
i do believe you can get away with just manual enumeration tbh the auto scripts sometimes output too much info
whats everyone using as their default brute force password list 'rockyou' ?
I am in the Working with Rules exercise i got the SHA1 password, test it and the exercise do not accept as valid
fair fair loool
im sure it is on linenum output but i didnt use it, the first things to try is sudo -l
it is on getting started, the last root?
from what you find with sudo -l you can have a rev shell as root
yeah php with root with no password
ok
so what am i supposed to do? thers no password prompt or anything?
just apply sudo to the equation and you are root
it is for @quasi wave
Linux fundamentals
didnt made this module but are you sure it is on port 22 you are supposed to connect?
when i type the ssh command it just makes my terminal blank
Working on the Password Attack Lab - Medium, and not sure if I am on the right track but I cracked the password on a word doc, but I don't know how to open the word doc itself from the parrot box. All of the things I have googled have proved to not work...
i must takes notes of the solutions i used xD
do a ping to verify and sometimes ping isnt allowed so use nmap with -Pn option on port 22 and see if it is open, just to eliminate network connectivity problem
i pinged it seems up
I am thinking I need to go back to the web app and write different PHP shell? or is it something I can do from the same reverse shell I am already in?
im sorry, im really new to this
thanks ok
in the shell you already have
ok thanks
since it is up when he ping it it must be connected to the vpn ^^
mind joining vc so i can screenshare?
in intruder or spider or an other tab?
fk
Try the command “xdg-open <filename>”
download Libre or wps office
intruder
are you connected to the VPN?
yes
am practicing sql blind injections manually
why no permissions? to stream
but why cant i? too new?
Control C
Already tried that. Sadly didn't work
Now restart ssh
how
libre office doesnt work?
Makes me feel like I am not on the right track as that seems more work than they would give us
Same cmd from your pic
Can't download it
wait is there another way to do it?
i feel like such an idiot
I think word docs are fancy XML files right so you can run strings on it
I know i was saying is there any other way to do a blind sql injection WITHOUT covering your eyes 🤣
I know i enjoyed it and was feeding into it lolol
he understood it the first time...
go on the module and look if the target isnt down due to time limit
its not
I am just trying to get it to ask me for the password and can view the file. Not trying to search it
i have 90 min
reset it
ohhh awkward
I think theres a john module for that
host is up
are you sure you are supposed to connect via ssh?
netcat 4 lyfe ?
Already cracked the password, but I don't know how to open a docx file from a linux terminal. Might be on the wrong track. Was just so proud that I cracked it 🥲
Try restarting the vpn file
what is the exercise you are trying to do?
because that's weird xD
windows VM to the rescue
Linux Fundamentals>The Shell>System Information
i dont have access to this module
ok good night lol
dont give up my duuuude youre at the tail end of it i g2g but best of luck my dude
huh?
he cant connect via ssh
yeah
i really dont know what to say more, if you are connected to the VPN, or trying with your pwnbox instance and cant connect to ssh WTF
sorry i tried 😢
am i doing it wrong?
nope
is it cuz im using a vm?
nope
ugh
you are connected to the VPN, your VM can ping the target, all is good, idk what's the problem
or im too tired it is very late here but that must work normally xD
Did you do your daily upgrade && update
Sudo apt upgrade && update
still nothing
lmk if it works in the last few days, im really curious to know what was the problem, but i think it is a problem on their side
can you do the nmap -p 22?
it looks like this is my downloads
nope, if the vpn file was fucked you cant ping the target
1 ip found
if this ip is always the one you must connect to
send screenshot of the result
at least the problem isnt on the VPN side
Hi, has anyone finished the Attacking Enterprise Networks module? I am stuck with cracking a hash - I am clearly missing something obvious. Could someone assist me?
it shows you cant ping the target
oh
alright. I am stumped. I have ran the psexec version of eternalblue several times. RHOSTS is 172.16.1.13 LHOST is 10.129.204.126.
I remember I have had this issue before, but I am not sure from what. will send the show options
yep the port isnt open for whatever reason
you forgot the -p before 22 xD
nmap -p 22 10.129.183.39 -Pn --reason
but host is running but port 22 is closed wtf
and here are my options on the eternal blue
i only get 1 per day
i cant use it
and im not paying for shit when i have a perfectly fine VM with the same OS lol
whelp imma get on MW2 ill catch ya later thanks for trying
You update your vm
I required the private ip of the foothold. fixed it
Restart your computer and try again
did that too lmao
you already used your VM to make some exercises? because it seems there is no connections between you and the target
nmap say Host is up because we asked no ping
and with the ping it doesnt seems up
that's why you must try, when you will have access, with pwnbox
are you using the TCP ovpn pack? if not switch to that
Hey yall quick question for the assessments on the Vuln Asses section it says the following
'Alternatively, use the pre-populated scan data to answer the questions below without having to wait for the scan to finish but feel free to practice configuring and running it.'
But where idk where the scan data is
any help ?
hey everyone, so i took a break and wen to the gym. and i'm still stuck on this section.
password attacks/password mutation
i used crackmapexec default PW zip file and got john:123456 smb
but he has no access to anything i get access denied
any hints on how to move forward ?
all other service ssh, ldap, ftp, winrm i get no hits
what module and section? I did this one a little while ago and I cant recall tbh
was this the one with a custom.rule you had to apply to make the mutated list ?
yup
this one sucks loool
lol thanks for the heads up
yea I just applied the mutated password split it into a bunch and started hammering away
id try different services
maybe youll get lucky with one
i'm trying smb right now i got a hit with the mut list just waiting for a password
lol can i atleast get a small hint
i used msfconsole
and none of these passwords work
Don't attack ssh, attack a different service first for password
And for some protocols and tools you'll need to add --local-auth
I didn't use msfconsole
it should be attack brute force a service with username 'sam' and the mutated list created from the resources
Crackmapexec
Ahhh so much easier lol
cme is just an alias
ima add that to my rc
I just remember using crackmap and hydra
Because cme has some more useful tooling with it
whats cme stand for ?
This
oh i'm using cme
I dont recall if I attacked smb
But also
Why are you doing a whole list
you're given the username
saw some stuff on the forum saying don't attack ssh you'll find that later after i enumerate another service. i was thinking same went with ssh and i didn't need that name yet
yea i keep getting an error when i try ftp
Is your syntax correct? Iirc hydra uses capital/lowercase for single user and list
I don't recall if cme supports ftp
The -L flag is for a file, you want to use -l for a single username
The error tells you exactly what's wrong
ooooooooooooooooooooooooo, thanks
@trail leaf ur a cybersecurity or criminal ?
is there difference ?
yea
🤣
bro ur just a noob shut up
I am the cybersecurity, thank you for asking
i don't give a ๐
Hi guys, during setup we install a linux GUI on windows 10 app store, did anyone get it working having your VM installed on Vmware?
stay on topic
Hello everyone, I'm currently studying Linux system hardening. Could you kindly provide me with up-to-date resources on this topic? I've encountered sysctl hardening and similar subjects, but the resources I've found are mostly outdated (kernel v2). Any material related to Linux system hardening would be greatly appreciated. Thank you in advance for any guidance.
this channel is for academy module discussion only
sorry 🥲
I'm back at it again now. I'll take a look at the permissions and see if I can figure it out. I'll let you know if I have any questions. Thank you!
Okay, I'll take a look at that if I run into any issues.
I recommend just copying from the module to the exercise which is what i did but lmk if you run into issues
There are multiple ways to privesc, just follow the examples closely
When ssh into the system as htb-student do pwd
anyone willing to give me a hand with Password Attack Module | PtT in Linux..!!!
Does anyone know why Set-VMProcessor is not being recognized as the name of a cmdlet in Windows Powershell?
I'd like to understand if I'm on track with what I'm doing to grab the flag of LINUX01$ at //dc01/linux01
I can't too
Hello, if you don't mind. May I know how did you do this? Already got the flag but via msfconsole. I tried the printspoofer and it didn't work.
Unable to find image 'main_app:latest' locally is the error I get when I try to use the main_app docker image. I have progressed further than before, but I'm not sure why I'm getting this error.
This is the modified command that I'm running because there is no 'app' directory. Docker.sock is in the run directory.
/tmp/docker -H unix:///run/docker.sock run --rm -d --privileged -v /:/hostsystem main_app
I'm having the same problem. Did you solve it? I'm really stuck in the DCSync module. secretsdump.exe is not working
Edit: Ok secretsdump.exe is working now (the problem was that the output is empty when I use the flag -just-dc) but I didn't get the password for the user ||syncron||.
The realm daemon has some interesting stuff in their directory
thanks
@everyone NAZI
@rustic sage We have logs btw
cool
sadly giving up on this password attack module for now, need to rest my eyes
linik*.sh ish.....
I don't got it man, reading realm I can find couple of users but, not sure where to find and use Linux01 Kerberos ticket
@fathom pendant with linikatz.sh could find what I guess is the LINUX01$ kerberos ticket but, I don't know how to use it....
Check the daemon that runs it c*
ps -ax,u mean?
I'm stuck on the Footprinting Lab - Medium and need some help. I was able to find the creds of the user after mounting the NFS but I'm not sure on where to go next
The daemon has a directory it uses to pull its tickets from
sorry man, I'm not following to you.....
When I get home in an hour I'll be able to explain it better
unfortunately I don't understand what you mean
excellent, I'm going to workout and back in an hour and ping you back....
@fathom pendant any advice on what to next for the Footprinting Lab - Medium after getting mounting the NFS and finding the creds in the txt file?
Try using the creds you found against running services that require authentication
@pseudo hill Re: bad IMAP commands
are you including the prefix?
OK so examine the results of realm there should be a daemon running I believe it's c*d in there. Look for that
to not spoiler
I've said similar things in the past and most people have been able to get it from that
realm list ?
Whatever the command is they tell you about
ok., 1 more thing, in which user david?
svc_workstations?
||david@inlanefreight.htb@linux01:~$ realm list inlanefreight.htb type: kerberos realm-name: INLANEFREIGHT.HTB domain-name: inlanefreight.htb configured: kerberos-member server-software: active-directory client-software: sssd required-package: sssd-tools required-package: sssd required-package: libnss-sss required-package: libpam-sss required-package: adcli required-package: samba-common-bin login-formats: %U@inlanefreight.htb login-policy: allow-permitted-logins permitted-logins: david@inlanefreight.htb, julio@inlanefreight.htb permitted-groups: Linux Admins||
ok.
Ohhh
Sorry
My brain lapsed
It's not c*d it's s*d
Also no new line spacing is gross
It took way too long to parse that
Like I said
I had to reparse the info
Because 1) you didn't code block it
2) info dump block
client-software
man, no worries I really don't understand your hints I will be making a research
I'm telling you
because more than solve the question is understand what I'm doing and I'm not understanding what I'm doing
Look for a directory regarding the name of the client software, just drop the d from the end
what directory?
sssd
^
Now go
Root around and find things
ok., I guess I found the user you told me earlier
and guess he has domain privileges
but still haven't the linux01 kerberos ticket..!!!
what do you mean with daemon?
It's what the d stands for
A daemon is a user-agent much like how www-data is usually a web user agent
simplified
It's what helps things run in the background
||I ran ls -la /usr/libexec/sssd/ but can't understand the content of the directory||
Just... look around
where can I read info regarding the content of this directory
I'm telling you. How I figured it out, was simply by looking around
you should be able to cd to that directory
hahaha is not easy to look around when you don't know what exactly you have to look
like I said I found out the fafo method
I just kinda dug around until I found it
Like at any point after this it'd be hand holding
ok., can you share any documentation before continue?
What module is this again
I said before I don't wanna find the flag, I need to understand what I'm doing
password attack | PtT from Linux section
and the information in this section is not very clear or explanatory about your hints
Also
It's not in a sssd location
I said explicitly drop the d from the end
The linikatz example output also shows something
ok., with that I could find if the machine is not part of a domain
ok., now we're talking something different
It's honestly something that was right there, you just didn't know what it was
with linikatz I could find the path of linux01 ticket
like I said you can just use the ccache ¯\_(ツ)_/¯
Also it should have stored the extracted cache stuff in a folder for you
You just didn't know what it was
¯\_(ツ)_/¯
wait a minute
||is Ticket cache: FILE:/tmp/krb5cc_647401106_HRJDux the tgt for LINUX01$@INLANEFREIGHT.HTB||
Maybe maybe not
I'm specifically ignoring tgt
And stuff
I'm telling you
The answer is in the example
to this question : Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
Yes. That's the question
I'm telling you
Look at the example output of linikatz, your output
And apply critical thinking
ok. but, you know when I impersonate linux01 with ccache ticket and try to connect to //dc01/linux01 I got an error....
BUT
can connect to //dc01/C$ but cannot ran any command more than dir
Are you using the right one. Ccache files can expire
yep
root@linux01:/opt/linikatz.5394# klist
Ticket cache: FILE:_tmp_krb5cc_647401106_PDEOyy.13549
Default principal: j xyz@INLANEFREIGHT.HTB
Valid starting Expires Service principal
08/04/23 04:55:02 08/04/23 14:55:02 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 08/05/23 04:55:02
this is the error that I talked
root@linux01:/opt/linikatz.5394# smbclient //dc01/linux01 -k -c ls -no-pass
NT_STATUS_ACCESS_DENIED listing *
That looks like a krbt not Ccache
hmm I'm doing the same what explained in this part of the section
Importing the ccache File into our Current Session
root@linux01:~# klist
klist: No credentials cache found (filename: /tmp/krb5cc_0)
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
Hint: it's not in tmp
Just take a step back
Evaluate the information you're being given
Here's where I'm telling you to apply critical thinking. Maybe change the file you're copying and using as your krb5ccname
I'm using it as krb5ccname
do you know the terminal command in windows to find file?
not sure if what am going to say is an atrocity, I guess linux01 as user there isn't exist
root@linux01:/opt/linikatz.5394# smbclient //dc01/C$ -k -no-pass
Try "help" to get a list of possible commands.
smb: > dir
$Recycle.Bin DHS 0 Wed Oct 6 17:31:14 2021
Config.Msi DHS 0 Wed Oct 6 14:26:27 2021
Documents and Settings DHSrn 0 Wed Oct 6 20:38:04 2021
john D 0 Mon Jul 18 13:19:50 2022
julio D 0 Mon Jul 18 13:54:02 2022
pagefile.sys AHS 738197504 Fri Aug 4 04:13:43 2023
PerfLogs D 0 Fri Feb 25 16:20:48 2022
Program Files DR 0 Wed Oct 6 20:50:50 2021
Program Files (x86) D 0 Mon Jul 18 16:00:35 2022
ProgramData DHn 0 Fri Aug 19 12:18:42 2022
SharedFolder D 0 Thu Oct 6 14:46:20 2022
System Volume Information DHS 0 Wed Jul 13 19:01:52 2022
tools D 0 Thu Sep 22 18:19:04 2022
Users DR 0 Thu Oct 6 11:46:05 2022
Windows D 0 Mon Oct 10 10:48:55 2022
7706623 blocks of size 4096. 4459270 blocks available
smb: > cd users
smb: \users> dir
. DR 0 Thu Oct 6 11:46:05 2022
.. DR 0 Thu Oct 6 11:46:05 2022
Administrator D 0 Wed Jul 13 18:53:11 2022
All Users DHSrn 0 Sat Sep 15 07:28:48 2018
david D 0 Thu Oct 6 11:46:05 2022
Default DHR 0 Wed Oct 6 20:38:04 2021
Default User DHSrn 0 Sat Sep 15 07:28:48 2018
desktop.ini AHS 174 Sat Sep 15 07:16:48 2018
john D 0 Thu Jul 14 16:12:03 2022
julio D 0 Thu Sep 29 18:37:29 2022
Public DR 0 Wed Oct 6 20:46:09 2021
svc_workstations D 0 Thu Jul 14 12:26:47 2022
7706623 blocks of size 4096. 4459270 blocks available

I'm trying to find the flag file with this command
smb: > dir "flag*" /s
NT_STATUS_NO_SUCH_FILE listing \flag*
That's useless
ok., tomorrow is another day....
I'm completely stuck with this question
I'm gonna read the whole section tomorrow to see if I'm jumping some
thank you for your help btw
https://academy.hackthebox.com/module/189/section/2011
Use WCVS to identify an HTTP header vulnerable to web cache poisoning in the provided web application.
should i here provide the header name as Answer or use the header to poison the cache and get the content of the admin page!?? Could you please make such questions more clearer!! @tough fjord
Hello everyone im in the module ATTACKING COMMON APPLICATIONS in section Attacking Thick Client Applications i have to get the flag but is so hard, please can anybody help me?
Anyone else having trouble accessing Splunk in the Attacking Common Applications module? PRTG comes up just fine, but Splunk doesn't.
scan again
if you up a machine you will wait 2-3 mins to everything go up
Yeah, I've waited 10 mins, restarted the instance a few times, tried with the PwnBox...now I'm going to switch VPNs. Odd.
https
https
https
x3 jajajajaja
kkkkkkkk
Hi! Any help in the password attacks module, pass the ticket from linux module?
I'm stuck finding the credentials for the user svc_workstations
LOL. Time for bed. Thx.
I'm using the svc_workstations ticket but smbclient doesn't work
the question if I'm correct is asking you to get credentials to get to authenticate via SSH, read the question one more time
anybody had done cracking passwords with hashcat
And I did, but the only credentials I could get was for the user john
It didnt work for ssh, but it did work for WinRM but it seems like a dead end
so do you have or not the credentials for the user svc_workstation?
the question in saying "Check Carlos' crontab" go from there
have you check the content of "kerberos_script_test.sh"?
Yes
and...
I launch the script and it get stuck
did you went to see in that "folder" what there may be
I create a ticket (in tmp folder) and use to access with smb and get stuck
Yes, I have the ticket
But if I simply open it its encoded
if you have the keytab use keytabextract.py
It works on the ticket?
I was using this app just for .keytab files
I'll try
Nothing… can I talk to you by pm?
sure
and this #modules message and nothing but when i answer "so you dont know the answer lmao" to someone who sent me on chatgpt, staff said: "dont be an ass" and i must stop LOL
@simple falcon so what was your problem yesterday since it seems to work today?
Hello everyone, im in module ATTACKING COMMON APPLICATIONS im trying to get the flag of Exploiting Web Vulnerabilities in Thick-Client Applications but i cant please could somebody help please?
hi im stuck in footprinting lab medium, aleady get cred ||alex|| and ||sa||, but still can't login SQL Server Management Studio.
is there any other user ?
use rdp. xfreerdp, remmina
the connection may not be the best tho
Hackthebox academy vpn not working
reset vpn download a new vpn connection
Is there any way to use VPN for Free in Kali Linux
Tried everything, and did some editing of my own as well, still not working
already use xfreerdp but not work
OpenVPN does not cost a license fee. That means you can connect to a VPN server (e.g. HTP) without additional fees.
Hey, I am doing Getting Started module where I need to find a public exploit. Using msfconsole I am able to find & run the exploit to get the flag but how would I go about doing this on my own following the instructions for "2. File Download" from the found exploit?
Example 1 : Download tools.php source file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=
Example 2 : Download a backup file :
http://127.0.0.1/<WP-path>/wp-admin/tools.php?page=backup_manager&download_backup_file=backup-2016-02-21-111047.tar
But I am not sure how I would go about constructing the URL to be about flag.txt
My attempt was
http://TARGET-IP:TARGET-PORT/flag.txt?page=backup_manager&download_backup_file=
woops nvm already solve
Just finished Attacking Common Services. This was a great one
in the intro to SQL injection fundamentals, module SQL Operators, for the question "In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'? " . i am not able to find the titles table, i can use only employees table when i use the SHOW DATABASES; command in mysql
Hi! Quick question if anyone knows.
Im in lateral movement module. Section rpivot.
I managed to establish the connection to the victim IP
The section is telling me to do ||proxychains firefox-esr 172.16.5.135:80|| which opens FF but doesnt display the webpage which is weird cause
if i do ||proxychains nmap 172.16.5.135|| it works fine and says port 80 is open, also did ||proxychains curl 172.16.5.135|| and works, it returns me the webpage but not with firefox. Any ideas? I just checked in case, burpsuite is close and foxyproxy is disabled
hey
can i send DM about Credential Hunting in Linux to someone?!
yeah
i have insane problems at the logrogate section in linux privesc
i really dont know what to do. I know that it has something to do with the ||backups/access.log.1|| but i cant figure it out. And how its described in the section really doesnt help me
so im trying to use the $tree command to see the last modified file, how can i tell which was the last to be modified?
a tip for that is you can use the Proxies option in msf with burp to log the traffic
Thx, I will take a look at it. I was looking at the exploit source code to better understand what it is doing.
yeah i stuck forever on that
wrong channels bro
i dont know if thats intended
the employees is a database not a table the titles table is in that database
oh wait you mean the logrotate section in the linux privesc module??
im stuck on that forever. thats the last module in the pentest path that i need
feel free to shoot me a dm if you guys need help with that
Oh I see , how to I select that table ??
yes i already performed the select command, couldnt find anything such as titles
Hey guys, I'm stuck in the Footprinting-Hard lab. Here's what I have done so far:
- Enumerated the running services and found IMAP & IMAPS, POP3 & POP3s, SSH, and SNMP.
- Enumerating POP3/IMAP requires credentials to a user's inbox. Hence, I figured to start with SNMP.
- Using snmpwalk gives a Timeout error. (snmpwalk -v2c -c public $IP)
- Tried to bruteforce community strings using onesixtyone, but did not get anything. (onesixtyone -c snmp.txt $IP)
Am I missing something? I'm unable to enumerate SNMP and am unsure of how to proceed further.
oh i got it, thanks
Hello, I would want to understand what i'm doing wrong in the Password Attacks -> Pass the ticket section:
Use john's TGT to perform a Pass the Ticket attack and connect to the DC01 using PowerShell Remoting. Read the flag from C:\john\john.txt
I connected to the DC01 using Powershell remoting, but cannot find the flag in C:\john.
i am working on windows privilege escalation final assessment one and the timer for the target box counts down its 120 minutes in under 5 minutes. Is this a known issue right now?
I shall add that doing hostname gives me DC01
I finally freaking got the enumerator in "getting started" module done

boy was I over thinking
hint the last thing you try is on the right path, use the SNMP wordlist in seclist
the flag is somewhere in \DC01.inlanefreight.htb\john\ so guessing it's in the user folder
In windows privilege escalation skills assessment 1 am i missing something basic? I don't see how to get any login credentials with the information given in the course or on the page. I nmaped and see a very boring web server which i tried to find directories in with a more interesting interface but found nothing and i see an rdp port open.
how can i scan port service version bypass firewall TCPWRAPPED
this could be a gui bug try refresh the page or even a hard refresh
hint the very boring web is the key
Damn, it was right before my eyes. Initially thought the output wasn't important. Thanks.
i still don't see anything interesting about the boring website. I am trying to use a wmap scan in metasploit but that is not been fruitful yet and it is either very slow or locking up.
hint try some basic web exploit
can you guide me to which module in the section might have a hint to this 'basic web exploit'... google is not being very relevant.. tried to feed it some trash such as <?> etc and i get an error page but that is it
i can not find a module in this lesson that prepared me for this task.
hint it's a type of ||injection|| attack but remember there is 0 db
so i am able to get it to echo some stuff back to me but nothing interesting yet
hint you should be able to get ||RCE||
During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?
I GOT THE MAIL FROM SQL TABLE BUT IT DONT WORK
IT IS FROM FOOTPRINTING MYSQL
so far i got the code for the page...i need to stop for the day soon ... when i get back to this i am gonna try to echo something back into the file that might give me a reverse shell
if you still can't get it then it's ||command injection|| and you can just run a shell
Hi, there is a reference to Wireless attack module, but I can not find it, does this module exist?
thanks i will keep looking
There is some stupid bug or idk, I need correct answer
where is the bug
u didn't even send the command
I fetched urls with:
root_paths=$(echo "$curl_output" | grep -oiE "($target)[a-zA-Z0-9/_.?-]+/" | sort -u)
And I also did something similar with python, and with js, and I even did manually count this focking shit and it always says wrong answer.
On USING WEB PROXIES > Intercepting Web Requests : am I the only one to have trouble make ZAP work properly ?
From my kali VM, i managed to make it work but had sometime to refresh stuff, was not able to intercept request and modify them. Had to do it without the HUD.
From the pwnbox, the hud does nothing when I click on buttons (again I can use Zap but the Hud seems to not be stable at all)
From what I have read the HUD can sometime be not stable, but I would have thought the HTB course (more over using the pwnbox) would work properly no ?
doesn't the section teach u that?
anyways to read the source code of a website it is just curl -s <url>
With the commands shown in the section, you should be able to filter the source code accordingly.
I had some problems with zap as well
I remember I skipped what I couldn't use
Hey guys, I'm struggling with RDP and SOCKS Tunneling with SocksOverRDP. Windows security is disabled. Is the box just loading incorrectly? I tried reloading twice and waiting over 5mins.
I don't know how I would disable defender on the 172.16.6.155 computer if I can't access it
this is what I did too but was wondering if this was "normal" or not : the tool seems far more powerful that what I thought, and I would have love to learn how to use it if it can be as good as burp (thanks for the feedback tho)
it hasn't been updated since august 2022
Hi, could I get a quick tip on the Attacking Enterprise Networks module? I am probably using the wrong wordlist for cracking the hash
Hey guys so I'm like very new to coding and stuff, and I wanted to do my own discord bot. I tried doing it on scratch already but it didn't really work. I'm here to ask for help, if anyone can teach me simple things I'd be very grateful.
And I really don't know where to start.
Not the right channel, try googling for a more tech oriented server
this is just a sanity check mostly because its friday and i might just be overthinking
is it fair to confuse a question that says "/ root directory" than just "/root"
Heyy
It can be, usually they do distinguish it with 'the "/" root directory' rather than '/root'
tyty, i wasnt sure if the flag i found was in the wrong place or i misread where it wanted me to look
I still don't know if I'm doing something wrong or if it's the box being buggy
There's also the real-time threat protection running
Which is separate from defender running
ty
To be fair your question has been asked dozens of times
You're going to need to re-download the dll
And re execute it
Literally follow the steps for like 90% of it
any idea how to solve this question, module DOCUMENTATION & REPORTING ? Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.). i have inputted [ctrl] + [b] + [%] as answer but its wrong
Same. Must I rdp redownload and then try? Or must I restart the windows machine
I mean likelihood is that you wouldn't
Also is it 172.16.6.155 and not 172.16.6.15?

u should re-read the section.
Its working fine
i just did it
You are missing things.
I rdp over I turn off real-time and excluded the file, I exclude dll and exe for processes then open cmd as admin xfer over the files. extract them then run regsvr32.exe SocksOverRDP-Plugin.dll. it tells me it succeeded I then open rdp and type in the IP
I didn't even need to add exclusion
It can't make it not work though right?
Too many double negatives
@drowsy swallow did I miss a step?
Anyway read carefully
but that's as far as I get?
no
So start from the top and work your way down
It literally walks you through step-by-step
Pivoting is by far the most hand-hold one
I didn't read the ips
I assumed the question had the ips I needed, didn't think blindly following the module was what to do
Hey!
im at AD Enumeration & Attacks - Skills Assessment Part II - Question: " Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. "
- i have to pivot somehow from the sql01 host to ms01 as admin
- I've got system privileges on sql01 host and try to dump the memory like this:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 664 C:\lsass.dmp full
./mimikatz.exe log "sekurlsa::minidump /lsass.dmp" "sekurlsa::logonpasswords full" exit > dump8.txt
i cant find anything interesting in the dump. Am i missing something?
It's how every other section worked thus far
2 of the port forwarding did not work as explained.
I'd love to help, but I'm good at keeping secrets.
ICMP required to look at erratum and chisel needs the older version dled
muhahahahahah, thanks mate, found it
Hi Guys Has anyone solved Skill the Assessment exercise 2 of Using web proxies?
Has anyone gotten WSL2 and a Linux subsystem installed properly during Setup module?
I can't seem to get Linux subsystem working after installing from windows store, WSL2 gives me error about virtualization not being enabled... when I have checked bios and windows features, everything is enabled -_-
unfortunately the easiest way to solve wsl issues is to give up and install a real VM instead
I am inside the windows 10 VM they suggest we install, in which we install WSL2 and Linux subsystem inside of it
Yes
Yes lol -- i've been following the Setup Module. We create a linux Vm as well as Windows VM
it's been wasting so much of my time
Did you not go through the Setup module on Academy?
Hackthebox confuses me, it gives us all these recommended modules on academy beforehand doing the labs
Did you just start labs?
Thanks for input, maybe I will just skip their windows/linux subsystem VM, focus solely on my linux VM
cause it is very de-motivating when I've spent 2 days trying to resolve this. Lmao
Most (all) modules are done with Linux in mind
Good to know, thank you
Like if windows is needed you're given a host to rdp into
the windows/linux subsystem would've been cool to know but i never planned on pentesting from a windows machine anyways
The suggestion is mostly if you want to do further testing on your own
Fair enough
I honestly just got caught up on it because I didn't want to leave it unsolved. Lol
but i've given up, because at this point I need to start a lab and not stay in setup FOREVER lmao
Good luck
There is a whole windows fundamentals and intro to windows command line
Windows privesc module is 10/10 would recommend
Well yeah but their question was about "fundamentals"
They also explicitly asked about the Windows Privesc module
Can anyone explain the difference between DownloadString and DownloadStringAsync?
Sorry, meant DownloadFile and DownloadFileAsync
They don't explain what it means to "block the calling thread"
From what I have looked at in other resources online it appears DownloadFile will wait until it's downloaded and you can't do anything else in powershell until it's done, and DownloadFileAsync will essentially background the process so you can continue other commands.
Assuming this is about the C# module. When you call DownloadFile, the program does not continue execution until that function has completed. With DownloadFileAsync, you let another thread of execution handle the operation, but need to do some additional handling to know exactly when it's finished downloading, which starts the whole discussion of multithreading/multiprocessing.
yep!
Sorry, more detail needed on my end: This is for the "File Transfers" module
DownloadString:
This is a synchronous method, which means that when you call DownloadString, your program will pause and wait for the entire download operation to complete before proceeding to the next line of code. This can potentially cause your application to become unresponsive if the download takes a long time, especially on the main UI thread
WebClient client = new WebClient();
string content = client.DownloadString("https://example.com");
Console.WriteLine(content);
Thanks!
Thanks!
DownloadStringAsync:
This is an asynchronous method, meaning that it initiates the download operation and returns immediately, allowing your program to continue executing other tasks without waiting for the download to finish. You provide an event handler to this method, which will be called once the download is complete. This approach is preferred when working with user interfaces or applications that need to remain responsive during the download.
You didn't specify at first so I googled for the function names
But both are part of the .NET framework and are pulling from similar things, so the same logic applies
ah so your response was just chatgpt then lmao
yEAH
go to #welcome, verify, then ask about programming and development in #programming
Why
Do you know how to create it
because this is the chat for HTB Academy modules, and talking about that here will clutter up the chat and be annoying to anyone who has a question about Academy modules
I know that but you can in box me one on one and then teach me
nah
nah
I told you what to do if you wanted to learn to program from people here, couldn't even listen to that
@molten zenith pls read #welcome and #rules after that use /verify at #bot-commands if you are on HTB and ask your question in the appropriate channels, this channel is for HTB academy module so pls stay on tops or you may get the ๐ข
why the vpn connection is not stable i am trying to rdp to a machine and it disconnects me every min
" attacking password module "
ohhhhhh
i restore the machine many times and tried different machine and it's the same issue
You know what ..
^%#$%$#
Morning all, the current path I am on is Penetration Tester and I am on the Attacking Common Services section. I am right at the end on the Attacking Common Services - Hard Skills Assessment but I am really stuck! I am stuck on question 1, What file can you retrieve that belongs to the user "simon"? (Format: filename.txt). I have tried the basic / normal nmap enumeration, gone straight for SMB / 445 but cannot get anything to work, cannot get anything useful back. I have read bits of things online and people are saying this is the starting point, could I please ask for a small hint to get me moving, been at it for a couple of hours this morning so it might be brain fog and time to pack in for the day. Thanks
morning mates am a fullstack web developer
if u r looking for any web d project feel free for help...
Cool story bro but read #welcome
Can anyone help me out? ,In the Active Directory LDAP module LDAP Anonymous Bind section -- The last question is "What OU is the user Kevin Gregory part of (one word, case sensitive, i.e. Marketing)? ". I cannot figure out how to get OU information back with an anonymous bind.
Could someone help me with the Pass the Ticket section, please? Particularly the last question, "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)."
I have used linikatz and it provided me with the below
||Ticket cache: FILE:/var/lib/sss/db/ccache_INLANEFREIGHT.HTB
Default principal: LINUX01$@INLANEFREIGHT.HTB||
I then used this ||kinit linux01@INLANEFREIGHT.HTB -k -t /var/lib/sss/db/ccache_INLANEFREIGHT.HTB||
but that just says "kinit: Pre-authentication failed: Unsupported key table format version number while getting initial credentials"
Have I missed something?
Try downloading the tcp version of the vpn, are you also terminating the connection, if you do ip a do you only have 1 tun interface?
Try a different impersonation method
Using windapsearch you can dump the full information
you mean like proxychains ?
but using the same ticket correct?
Considering the type of file it is
I am not confirming or denying. But definitely on the right track
Hi guys, Im stuck on this question... I think I know what I need to do just that I didnt understand the question enough:
"Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt."
Do I need to login as Julios with the hash? and use his account to invoke the hash?
Snoopy
Is a dog
Nop
I mean, yes
damn that was tricky, this module needs to be approached slowly with a lot of focus
I have figured it out and got the flag, thanks a lot @fathom pendant .
Yes. You are told how to handle those types of files but it isn't immediately obvious
I have a question if may DM you about to not spoils anything more in here @fathom pendant
I dont have access to my notes
oh no it's about logical thinking
Ah sure dm
oh! I got it. Thank you!
when I used the tool Linikatz I found the path but after restarting the box and using Linikatz again I found another results so how could I find it manually next time ? or was my whole approach wrong to begin with ?
So look at realm list or whatever the command is
Your approach is correct, especially since it got you the path to the answer
I struggled manually through it
guys how do i enable this? im getting the same thing when installing openssh and apache2
use the start command
It's trying to kill me
"sudo systemctl start openvpn" and then enable it by using "sudo systemctl enable openvpn"
where you are at ? and how can I help without spoilers ?
thanks a lot!
I have done the ssh-mitm and I got the credentials for cbrown but I am unable to get the flag. That's makes me hate myself. I took a lot of time doing it. But no flag
Which question is this ? as I was doing the below
Module: Password Attacks
Chapter: Pass the Ticket (PtT) from Linux
Question: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
God I hate module questions that have you bruteforce for literally half an hour or more
Skill issue
Ok thanks
I stated this earlier, you must have missed it
Guys can you remind me which chapter and question have we done Kira brute force so I can go back to it as I need it in the below
Module: Password Attacks
Chapter: Protected Files
Question: Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I think it was one of the early ones
This is a lesson in remembering to save all creds you find
true
I mean you should still have the mutated wordlist
So just need to recrack the password
KEKW, I was looking at the FQDN thinking "oh that's a funny machine in 2023" then continued running other commands, completely oblivious to what I was actually looking for...........................
OK Alice x3
ALL the root paths found in source: 19
https://www.inlanefreight.com/index.php/about-us/
https://www.inlanefreight.com/index.php/career/
https://www.inlanefreight.com/index.php/comments/feed/
https://www.inlanefreight.com/index.php/contact/
https://www.inlanefreight.com/index.php/feed/
https://www.inlanefreight.com/index.php/news/
https://www.inlanefreight.com/index.php/offices/
https://www.inlanefreight.com/index.php/wp-json/
https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/
https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/
https://www.inlanefreight.com/wp-content/themes/ben_theme/
https://www.inlanefreight.com/wp-content/themes/ben_theme/css/
https://www.inlanefreight.com/wp-content/themes/ben_theme/css/colors/
https://www.inlanefreight.com/wp-content/themes/ben_theme/images/
https://www.inlanefreight.com/wp-content/themes/ben_theme/js/
https://www.inlanefreight.com/wp-includes/
https://www.inlanefreight.com/wp-includes/css/dist/block-library/
https://www.inlanefreight.com/wp-includes/js/
https://www.inlanefreight.com/wp-includes/js/jquery/
And 3 external paths.
//api.w.org/
//fonts.googleapis.com/
//gmpg.org/xfn/
This is all I got, tried all answers in range 18-26 and it says wrong answer. Are you sure that the source hasn't changed?
Edit: Got tired and found the answer via simple js bruteforce, it is a few more, but it doesn't add up with the source imo.

Alice, rabbit holes
Ah. Yes. That and distractions 
Can anyone help with AD Enumeration & Attacks - Skills Assessment Part II - Q8 + 1 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. I have SYSTEM on SQL01, have run mimikatz and tried using the admin hash to connect to MS01 which didn't work. Ran snaffler and no luck. Appreciate any help.
i could help you bc i did solve this but i am afk for the next 4-5 hours or so
i would have to be on my laptop because it was a long time ago and i dont remember this anymore.
i will dm you, just later - ok?
guys does it really matter uppercase or lowercase ssh username or a password ?
in login
On the 2nd injection point (which you've found), you need to do ||an XML injection||. There's multiple ways of doing it. The first involves ||enumerating the XML to find the correct path at which point, by returning the correct order, you will find the answer|| or there's a quick and dirty way which you can use by ||simply sending an XML test search||. The quick and dirty method isn't covered in the module, so you'd have to do your own research on how to do it.
Try a different hash, like for another account you've already used. I used ||evil-winrm over chisel||.
So you used the hash for the local Administrator from the SQL01 account to connect to the MS01 host?
No. Apologies, I checked my notes again, and realised I used a different hash.
Try looking for an account, like for ||a service||.
?????
oh ok yeah, I got the username and password for the mssqlsvc account.
wasnt able to do much more with it but I will take another look
Depends which system you are interacting with. Windows generally doesn't care about case sensitivity on usernames. *nix based operating systems do. Passwords are always case sensitive.
can I dm someone about bash scripting module ?
https://academy.hackthebox.com/module/21/section/128
oh okay thanks
what about mac os ?
just ask
If you do it right, it will show you the right number
MacOS is based off BSD, which is a Unix based OS.
I am stuck at the exercise, I am getting error like this
4007DF79137F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
so mac os cares about case sensitivity because mac os is a unix based operating system right ?
Yes.
okay thanks
Few hours. Depends how fast you read, etc.
Non-native english speakers would probably take a little longer, etc.
Try not to complete the modules as quickly as possible, but in such a way that you learn as much as possible.
Especially fundamental modules
hi, anyone completed the footprinting module - hard? am i supposed to search the mail and maildir dir?
Yes.
hi
Then show me the correct way 
actually guys, do u guys hack the box after completing all the cpts module?
or you can complete one module then do one box?
@slow ruin could you please help me in this point when i use (net use ) i see (There are no entries in the list) , i already dm you if you dont mind
You should do boxes while doing the modules. Academy has an option that shows all boxes related to the module. When I get stuck I do the boxes and watch ippsec videos to learn more about it and get a better understanding
@coral sundial just a random appreciation post the GOAT. Thanks for all you do
hello
What's the contents of table flag5? (Case #5) SQLMap Essentials->Attack Tuning, got the flag but it says incorrect
nope i checked it
maybe but it says flag5
as per the hint used the correct comand
yep did also logged out and logged in again
Make sure no extra weird invisible characters at start/end
Hii
You have to use an option that will give you string output in a clear format.
anybody can help in cracking password with hashcat module
what issue are you experiencing?
Cracking common hashes page i find the hash type but able to identify the rule set to use
Alright, what rule have you tried to use?
most common of hashcat like best64,specific,combinator,leetspeak,dive and more
I will DM you
hi
Hi, I also found the user, could you give me a hint how to get the password? thanks
I am on the Windows PrivEsc module right now . Anyone else had a problem with compiling UACME akagi ? i tried it on both windows and linux with different compilers . i am getting these errors everytime #error ANSI build is not supported ^~~~~ .\Source\Akagi\global.h:25:27: fatal error: shared\libinc.h: No such file or directory #include "shared\libinc.h"
What's the contents of table flag5? (Case #5) also for flag7 (Case #5) SQLMap Essentials->Attack Tuning recommended running it on a pwnbox, turns out indeed the only thing that differentiated me from capturing the flag was me running sqlmap on my VM - classic
The Java application exploitation in Attacking Common Apps is boss. Daaang.
Using rockyou-50.txt as password wordlist and htbuser as the username, find the policy and filter out strings that don't respect it. What is the valid password for the htbuser account? . I have the password policy down to three requirements and grepped the file requested accordingly to get the "respected" passwords. I have five passwords . None of them work. Anyone know if I am on the right track? This is from Broken Authentication module.
im trying to exploit 2.7.10 for WordPress
where is the problem why I can't read flag.txt ?
Module: WINDOWS PRIVILEGE ESCALATION
Section: Windows Privilege Escalation Skills Assessment - Part I
Question: Find the password for the ldapadmin account somewhere on the system.
isn't this question supposed to be after getting the admin shell? Cuz i ran a certain tool before and after the admin shell and it only worked with admin privileges also pretty sure the foothold account doesn't have privileges to read those specific files that has the password.
is there another way that would actually work without admin privs?
?
Is that what you're looking for
Actually, no
There only two ports open for this machine I don't think I can use windapsearch
You are correct.
Feel stuck on nmap enumeration - avoiding ids/ips medium.
I've tried changing source port, source ip, decoys, connecting with ncat, -O version scan, udp scan, --script banner, -T5, can't get it to return anything but filtered for -p53.
Am I missing some specific combination of things to get a result?
The point of avoiding IDS/IPS is not using things like -T5, scripts, etc. You want to make as little noise as possible.
look into how dns works again
Because you're not meant to attack port 53
I have removed my head from my ass yet again! I have found the password that works. I had the requirements wrong for the password policy.
Yes and I can't believe I wasted this much time being an idiot
Actually who am I kidding, this is not the first time. Oh well.
And likely won't be the last
Hi, has anyone done "Active Directory LDAP"? im stuck at this question "What is the password history size of the domain? (How many passwords remembered.)?". Just need to be pointed to the right direction
Do I need find the admin account?
which section are you on?
@vital adder
Credentialed LDAP Enumeration
I'm 77% of the way through with the course. Where is everyone else at?
Hello everyone hope you all are having a great day
I am newbie and still learning from zero experience
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i am literally clueless on this one its in linux fundamentals
sorry for the delay but give this check https://ppn.snovvcrash.rocks/pentest/infrastructure/ad/ldap-ldaps#go-windapsearch
can someone plzz explain to me what should i do with steps cause this question never been explained in the HTB academy or maybe i missed the explanation
I got it the answer. Thank you a lot!
Morning all, anyone able to help me please? I am really stuck, I am poking at SMB with smbclient and smbmap, only getting a list of shares but cannot do anything with the list of shares, I have no creds, although I feel I should have some creds, I am clearly missing something really obvious here, a hint to get me moving would be much appreciated. Thank you.
Hello, Can anyone explain to me what is mean that in practically way. It is from shell& payload module
Quick update for anyone else struggling, SMB is the starting point, no creds are needed but the syntax for smbclient is important, what I will say is, consider the number of back slashes required to correctly connect to the target using smbclient.
But it is port 53
The answer isn't on -p53
Yes, it is.
Go try? The flag is literally from port 53
I dont recall it being on that port
But it's been a minute
I could be thinking of the other lab
Maybe it's changed since you finished, too, but that's where it is
hi, I'm on windows privilege escalation module DNSAdmins sections, I'm following step from this link https://medium.com/@parvezahmad90/windows-privilege-escalation-dns-admin-to-nt-authority-system-step-by-step-945fe2a094dc and it did work except for the reverse shell, can anyone help me with this please?
In this post, will illustrate the process of Escalation the privilege from DNS admin.
They tell you exactly what to do in the section why would you get a random medium post to tell you what to.
doesn't work for me tho, I searched for the same problem in this channel and one of the man who solved this recommend using this post
yea?
Maybe try having the DLL execute a command to put you in Administrators/Domain Admins? Not sure what else to tell you
It can be a little finicky when restarting the DNS service iirc, but that's all I remember with my own troubleshooting when I was doing that one
okay thx dude!
What does this mean?!?!
what is 192.168.49.128? the target or the host?
what are the -v -n -s ??
what does "bye" mean?
This is an example
Bye exits ftp
If you look at the man page for ftp it tells you
Ftp is the user interface to the Internet standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site.
Thanks, I finally found a resource that explained it. I was overthinking it.
Seems kind of cheesy
Why would I echo commands on a target machine to make a command file to then just run that command?
I guess they're just giving us options!
Exactly
Thanks, I thought I was going crazy. If it was for obfuscation, I would understand, but this just seems sloppy in terms of cleanup to avoid detection by digital forensics.
How would I go about reporting someone for posting a walkthrough of a modules skill assessment?
Probably DM staff
in discord?
Aren't writeups only prohibited on the main platform for active machines?
And on any tier 1+ content
I haven't seen anything saying module information is not fair game
As tier0 is considered free
hey what is the answer to task 3 on appointment
So it's a copyright thing?
Basically
#starting-point (read #welcome if you do not have access)
I think that walkthroughs on skill assessments would be beneficial.
If you're stuck and have one detail that you're missing, it's beneficial.
That's what the forums are for
By definition, the assessment is supposed to be a test. All the information you need is in the module.
If you're stuck and you have one detail that you're missing due to an issue with the connection that's beneficial.
I agree, but there is no feedback to tell you what the issue is.
There won't be in the exam, either.
I've spent several hours trying random stuff thinking it was a ME issue, just to reset the machine to find it was a ME not resetting the machine issue, lol
I don't see a problem with walkthroughs if you're only verifying current conditions before moving on.
That's what the guided stuff on the main platform is all about as far as I can tell.
I think the problem is there will be plenty of people who won't just verify current conditions and move on
If you need a sanity check, you can ask in the chat. Though, based on some of the issues you've had, I would say that the issue is more likely a 'you' issue, than a 'module' issue.
On nmap enumeration, how is setting the source IP supposed to work? If I set it to anything but my actual IP, I get an error that a route to the destination can't be found
Guided mode is just questions leading you in the right direction
That's true, but they're only doing themselves a disservice!
I like sanity checks, I've just had long wait times for support at times.
Are you in a mysql command line?
what question are you on?
The module only gives you metasploit and Mssqlclient.py as options.
I would try one of those, forget which one I did.
Maybe see if there is a mssql cheatsheet somewhere
Attacking common services, sql attacks
First question
ooh, sorry, I'm not quite there. I was thinking it might be footprinting. I took some notes on the issues I had with that one.
If you find the provided brief or resources are lacking check out: https://book.hacktricks.xyz/network-services-pentesting/pentesting-mssql-microsoft-sql-server
In general hacktricks has been clutch for me
Aaah oke thanks
No problem! Good luck! You have Silver Annual?
Nope
I used to have platinum
But just for 2 months
And then i could afford the course
Lol
Silver Annual includes "Mentoring"
If you answer wrong multiple times it will get you help in discord with a HTB company mentor
You probably won't get a response same-day, but I've had some good help with it so far.
Nice
Hi guys, I'm on https://academy.hackthebox.com/module/77/section/843 and I need to exploit the server. However, I cannot seem to connect to the server.
My VPN is running (and worked well in the previous modules). However all of a sudden I can't nmap nor can I reach it with msfconsole when I execute check (after entering the target IP address)
Mssql syntax is slightly different
When I go to my browser and visit the address, i can see the wordpress page just fine
ah ok
Mysql requires a ;
Mssql requires go
Yes it is...
sqsh allows batch queries, dunno about mssql-client
There's A LOT more differences btwn mssql and mysql than just go and a semi colon tho
That's just a basic
The actual lessons do go over query syntax
Like reset answers?
No
Is there a particular reason you want/need to?
Seems like targets are not available right now, anybody else having issues?
Has anyone taken the CREST CRT preparation course and passed the exam or was additional training required. I'm interested in hearing your journey if you've taken the CRT, what worked well and what didn't.
Hi, is there anybody on 'Abusing HTTP Misconfigurations'?
What exactly do you want to know?
help on this question: Try to use what you learned in this section to exploit a session puzzling vulnerability due to common session variables and take over the admin account to obtain the flag.
i've reset the admin password but can't bypass the MFA.
https://academy.hackthebox.com/module/189/section/2022
Actually it is the same principle as password reset
yes i think so also but no luck :/
think about what exactly happened to the session when you reset the password.
What would happen if you tried the same thing again with the MFA?
ill try harder!
Perform a zone transfer for the "inlanefreight.htb" domain against your target and determine how many nameservers the company has. Submit the total number of nameservers as the answer.
I cannot get it to work
Hi guys, when starting a workstation on HTB academy I get an issue
hint: nslookup often does not work reliably, use 'dig' instead - had similar issues yesterday
I used dig
That's not true. It works. There's plenty of people that solved it. What you mean is "I am unable to get it to work." I just tested the command. It works fine.
That's a pity
then I don't know what I am doing wrong
Probably you are writing .com
can I dm u? I am restarting the target
no, I am writing inlanefreight.htb
Literally, all you need to do is write:
dig axfr inlanefreight.htb @<ip address>
I already tried setting the vpn multiple times
ok
between the new "medium" machine and this I am gonna die damn
You should have done this in one of the CPTS modules
So, your VPN is your issue
it is not in the cpts path
it is the dns enumeration with python module
You still do a zone transfer in Footprinting or Attacking Common Services (can't remember)
I will restart my vm
Can anyone help me with Command Injection / Other Injection Operators and the question Try using the remaining three injection operators (new-line, &, |), and see how each works and how the output differs. Which of them only shows the output of the injected command? It's really frustrating, I cannot find exactly the answer it waits
When asking questions, you really need to identify the module, chapter, and question you're stuck on, otherwise people will be unlikely to have a clue what you're asking about.
There's literally hundreds of questions in the academy
I edited my previous message, its in the Command Injection module
hello need a help in the BROKEN AUTHENTICATION module the Brute Forcing Cookies room Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag? i could easily decode and encode the cookie but i need the name that will show the flag it says super user but it doesnt work tried admin tried htbadmin as well won't work or there is something i am missing
You're supposed to bruteforce that part and just try words
oh okay will try that hope i can find a list for roles
You literally need to try each of the operators and one will work
Multiple of them are working
Question does not state if they need to be specified encoded
Ok I got it, this question is really terrible to be honest, thanks for the help
i don't think it was bruteforce it was just in the question but the question is very very badly written
the username is "super"
i meant the role "super"
Hlo
Hey, I'm stuck on the last question of the Kerberos Attacks skills assessment. Any hints would be appreciated!
Maybe you should keep an eye on something that happens every few minutes
I wanna ping you if you don't mind
Hey all, I need a nudge in the below if possible
Module: Password Attacks
Chapter: Password Attacks Lab - Medium
Issue: I have got ||d|| user and I think I know the way to root but I already struggled before with ||1.8.31||, am I on the right track ? which ||1.8.31 ||should I use ?
What have you tried
sorry I missed that part but I just updated it
say no more, thanks a lot got it @fathom pendant
SOC Analyst Job Role path. New cert inbound?
Hard
Looks like just one module is listed as hard.
Oh, two, actually - Introduction to Malware Analysis
Currently there are 10 modules in the Path