#modules
what Marcie said
ok sorry
hi can anyone help me with the attacking common services dns part?
What have you tried
and then its just doing the fallback thing
Okay! Thank you, I tried that, however it didn't work
It's still doing the same thing with the fallback
Yeah, I tried that too but I'm still getting the same result
Only thing needed in resolvers.txt is the IP
Don't forget to change the command from inlanefreight.com to inlanefreight.htb
Thank you for your help, it's been trial and error haha but yeah I'm still getting the same result, it's probably something stupid that I'm doing. I'll show you my output
What is your command and please put a ` in front and behind the command
Since you're not verified, if you try to post a multi-line code example, the bot will yeet it
it helps readability
That's a quote
Not a backtick
But anyway, did you copy/paste that from your terminal?
yes
Put a space after the flags
I'd suggest deleting your messages after because they are spoilers
and thank you, i will
Okay haha thank you so much for your help, I really appreciate it a ton, I've been stuck on this module for like a week
And no I'm not, do I need to be?
you mean the ip?
If you do ip a do you have a tun0 ip
I'm connected to the IP using the pwnbox
Oh OK you're using the pwnbox
Good
OK just did sanity check: and if you're doing it correctly: there should be no errors with nameservers
I did the same exact command you did (with my spawned ip)
You'll get the warning, that's normal
And you did not edit the names.txt yeah?
Yeah no even doing your command syntax it all worked fine for me
Hahaha yeah, otherwise there'd be no shot of me getting any level of connection, and thank you so much, I just figured out the issue. I'd been working on it so long it became disconnected from the IP address I had it under omg. But the other issues were just because I didn't have the IP address in the right spot before you corrected me. Yeah, I didn't edit anything, I can't thank you enough for your help. Now I think I just have to do the dig commands through each address that it finds and I should find the flag somewhere in there
Yeah once it spits out the subdomains at you you can start digging :)
No problem
Expect to run into failures on dig commands until you hit the right one btw
Hi all, I am stuck on Abusing HTTP Misconfigurations - advanced cache poisoning attacks. If anyone is able to help with this in their free time, just let me know. Thanks
for the attacking common services dns
Dig axfr subdomain.inlanefreight.htb @ip
That's the error I'm getting, I'm not too sure what that's about
...
Replace subdomain with one that popped up when you did the subbrute
Subbrute takes a few minutes to spit out some subdomains
I'm being abstract on purpose so as to not give away the answer. So don't take things as literal as I type them
But congrats on the answer
Yeah thank you so much for your help, I was being a little stupid on this one
Can someone help me with a hashcat error?
at module Password Attacks, at Passwd, Shadow & Opasswd section
I downloaded the resource zip and mutated the passwords to brute-force the unshadowed file and I got this error
Can anyone help me with the command injection skill assessment plz?
I don't know where to put the payload
The error is with the hashes not your password list
hashcat is extremely picky with its hashes input
Currently on Common Attack Services / SQL > what syntax are you supposed to use when connected with mssqlclient.py? Have tried the normal SQL syntax, but it doesn't seem to work
I can use the hash file with rockyou
MSSQL has a slightly different syntax from the one you are using (mysql)
Hey so uh, rdp with like a < 1Mb connection via tethering kinda sucks
I'm getting 10 frames per minute over here
rough
I managed though to successfully do the first host on shells & payloads, I realized I never took notes on this skills assessment
I tried on pwnbox, maybe it's something from my machine
Garfield, the cable is out
If you don't get the reference f0x I'll gladly dm it to you lol
I refer to it in these trying times
Hashcat is picky about the hashes
That's all it is
So your unshadow process may have been a bit borked
omg this is a pain. Can't locate the syntax at all
any pointers? The content on academy doesn't show too much on how to list DBs etc
the command to list databases in MSSQL is in the section
I must be blind
I can only connect also via mssqlclient.py not via sqsh..
is that by design or something i also do wrong?
Sqsh is broken with parrot but either way
Syntax would be the same if you used either
Mysql is not mssql
You need to use the MSSQL syntax
I mean if you just read the section you're on
It literally tells you the commands

It gives both the mysql syntax AND the mssql syntax for enumeration
Start from the top and move down slowly enumerating
First find database names, then select database, then find tables
If you wanna do something extra you can even find the column_name from a table : so you can just select the relevant columns from a table instead of *
But academy dbs are just like a few columns wide
My brother in christ
Read the section
You're also meant to do something else first
Hint it involves hashes
Also you'll probably need a certain flag to authenticate with windows
If you're still stuck in 30 minutes you can dm me.
I just reran it and had to re-remember how I did the second part to see the flag
Good morning all, I am not stuck but I am wondering if there is another way to get the answer to this question in the WordPress skills assessment: "Identify the only non-admin WordPress user. (Format: <first-name> <last-name>)". The way I got it feels kinda cheap.
Hi! I got stuck on the module Shells and Payloads - The Live Engagement. I'm on the first host trying to find an exploit for the Apache Tomcat. And as I gathered I should find somewhere some login creds for the Tomcat manager, but I can't see any Tomcat manager in the nmap output. Can someone help me? Thank you in advance
||WPScan|| is your friend
Thanks, ended up moving on because I already had the answer. But, while you're here, do you mind if I DM you about a later question in that section?
sure
hey there guys, hope you're doing fine
I'm having syntax problems with the CLI, meaning:
I'm unable to understand command syntax at some points, I mean really, I don't get it.
e.g. can I use both
a. '-sV -sC' and
b. '-sVC and could I also add
c. '-sVCA'
or each option needs to be stand alone.
For ls it's ok to type e.g. ls -lah,
same goes for every command?
Where could I find a very dumb-proof guide to CLI syntax?
or maybe it's a man page notation knowledge thing I have to get through before starting to comprehend stuff?
Okay, so you can't add those commands together
if you type man nmap into the terminal you will get the manual
and you can then look at all the different switches
also there is no hard and fast rule
for CLI syntax, there are conventions but sometimes applications use different conventions
@naive wadi Conventions seems to be a legit explanation to my problem.
I mean slight differentiations among cmds should be what gets me.
I guess thoroughly reading each command and searching for paradigms of use is the way to go.
I was just wondering if maybe I'm just not getting it for some reason.
Thnx btw
Most programs will use arguments and switches in the same way e.g. -p password -u username but it's just a case of getting used to each program
Most of them are the same and then one dev will decide to use some obtuse way to do something that you have to remember or take notes of
just a case of repetition repetition
@naive wadi this I get. Also I understand that both '-U' & '--username' are exactly the same yes?
correct
Powershell actually has a pretty good standard as outlined here - https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_command_syntax?view=powershell-7.3
@naive wadi this is eyeopening, thnx
no worries, people hate on powershell but it's usually a skill issue, it's actually really powerful and well implemented with good standards
also to answer your original question here
a. '-sV -sC' these are separate switches and invoke different functionality.
b. '-sVC and could I also add (this would not work)
c. '-sVCA' (again this would not work)
the actual command would be -sV -sC -A
Hi everyone!
Currently on windows PE Part 1.
Added new user with PrintNightmare, but can't RDP or evil-winrm to it
@naive wadi Are there cases where separating switches wouldn't work?
not literally for 'ls' but for understanding's sake e.g.:
ls -lah (works but)
ls -l -a -h (wouldn't work)
I'm probably pushing it too far lol
Yeah, because if -l -a -h is not a recognized function it won't call anything. So if a program has a function that corresponds to -lah it has no way of inferring your meaning unless explicitly programmed to (which is a waste of programming time)
@naive wadi The way is paved with trial & error I reckon... Off I go
Thnx again
literally the best approach to have, just play and see what happens
I just enrolled in the "Detecting Windows Attacks With Splunk" course. I am a Splunk Professional Services Consultant and have worked with Splunk for many years. I just wanted to point out some issues with the SPL being used in this module. First off, the index is set to main. In most cases a customer's or your org's Windows data will not be and should not be contained in the "main" index; this index is usually reserved for data that is onboarded with an unconfigured index. Second, this search implies that XML is enabled for Windows Event Logs. 99.9% of organizations will have XML disabled for Windows logs, especially if me or any other consultant has been involved in the building of the environment. Why? Because compared to how Splunk visualizes events, XML is messy and terrible to look at. It also implies that Sysmon is being used by the customer, which is typically not the case. You will not be able to see any of the switches used for a command without Sysmon being used in normal Windows event logs.
Can you Share a Screenshot?
Please share your feedback in #858470491676737536
Ok I will, thank you!
You're sure that is the password and username you were given when executing the PrintNightmare script?
https://github.com/calebstewart/CVE-2021-1675
I used this one
can you share the command you used
Import-Module .\exp.ps1
Invoke-Nightmare
By default , it gives those creds
Might be missing context further up, but -sCV for example is definitely valid
Hm, I just tried it and it is working for me

It clearly says your credentials are not valid from the error
can you try to create a new user with the script and use that to login
It also didn't work actually :D
Maybe I have some problem with my shell, but I'm not sure
May I please get any help for Skills Assessment - File Upload Attacks? I guess I have everything I need to know. I found the upload path and how pictures are saved by reading the file. But when I upload just a normal picture and browse to ||http://83.136.252.24:48352/contact/user_feedback_submissions/20231011_clean.jpeg|| I get a "Not Found" error.
What am I missing here?
Bit stuck on the proxychains module, the section is "Web server pivoting with rpivot". I set everything up correctly, however when I try to use the command "proxychains firefox-esr 172.16.5.129:80" it just sits loading. My proxychains.conf file is set up correctly as well, so the only thing I can think of is maybe the IP or port of the webserver is wrong, but idk what else it could be
Can someone please help me with ACTIVE DIRECTORY ENUMERATION & ATTACKS > ACL Enumeration's last question: What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word). I see many (too many) people are struggling with those stupid and nonsense questions. Also the command needed to get the results has been stuck for about 1 hour. Can anyone give me the answer? thx
replace the * with group name, by default the command checks all the objects in the domain
check your file name again, its not in the right format
did you look at the hint? status.inlanefreight.local
google: php date function
you dont have everything
Yep, it was strange, but I had problems with my shell.
Thank you!
Hi guys I'm in "Command Injections" ==>> "Skills Assessment"
I put ||/index.php?to=tmp&from=51459716.txt%26bash<<<$(base64%09-d<<<Y2F0IC9mbGFnLnR4dAo=)&finish=1&move=1||
but I get error:
|| Error while moving: mv: missing destination file operand after '/var/www/html/files/51459716.txt' ||
||Try 'mv --help' for more information.||
|| /var/www/html/files/tmp: /var/www/html/files/tmp: Is a directory||
does anyone have any idea what am I missing?
Interesting
try injecting your payload at the end of the mv command, not in the middle.
can someone please help
Is there any free certification offering from HTB or THM?
Dude don't judge me I have anxiety
it still doesn't give me ....
hmmm what am I missing?
nvm I forgot to do a ping sweep
My life is a lie
can I DM ??
it just saves the second it takes to type out the full thing, no big deal
change your payload, start first with something more basic, don't go for the flag immediately.
It's possible it's not in that directory
Looking for the actual spelling/syntax of an answer question for DACL Attacks I. I know the answer but unsure how it's actually to be entered? The question - RIGHT_WRITE_OWNER allows modifying what attribute of an object?
The answer should be ||Security Descriptor's Owner||
well at least that's what the page alludes to it being.
Stuck on "web server pivoting with rpivot" section in the port forwarding module. I've done everything right, no errors. I try to connect to the webserver using proxychains firefox-esr 172.16.5.135:80 and it doesn't load, please help https://academy.hackthebox.com/module/158/section/1434
what have you set your proxy and server ports to?
proxychains.conf is socks4 127.0.0.1 9050 on server.py proxy port is 9050 and server port is 9999
I need tech master's help
I really need to use the tplmap tool to complete the SSTI room. However I can't fix this problem. I tried to install pip mapping, collections. I tried to run it with python3 and python 2.7 and it still failed. However, when I tried to run it from the HTB box that problem didn't happen
I'm missing something cause no command is working & it only shows me if it moved or not ...
just to double check, is the IP of 172.16.5.135 the actual IP of the host that has spawned? Because often the IP in the examples is different from what is spawned in the lab
Even though I finished the room, I couldn't fix that problem
Sounds like a dependency issue on your own machine? If it works on the pwnbox but not yours then that's an issue on your install.
I ran a ping sweep, there's only 2: 172.16.5.129, this is the ubuntu machine you ssh to, then 172.16.5.135, this should be the webserver as I ran nmap and port 80 is open
Yeah I know it's some issue from my PC, I couldn't find the real issue
I tried connecting to 172.16.5.129 as well, obviously still doesn't work
it will be in whatever errors are output to the terminal?
Only that error
Module collections has no attribute Mapping
Does anyone know why HTB won't take my answer for "What role ensures the objects in a domain are not assigned the same SID? (Full name)"
I've tried submitting Relative ID (RID) Master and every other variation fathomable, and it will not take the answer, am I answering it wrong? Yes I've checked for proper spacing, and have tried all the case sensitive variations as well
what happens if you try to execute it with python2?
It says yaml not installed I tried to install yaml2 but another error
So i think I have to install fresh linux to vm
bro! I googled that error and it's an open issue on github....? Did you google it....? https://github.com/epinna/tplmap/issues/104
It's literally the first hit
without seeing the exact things you've posted it's hard to diagnose
Screenshot commands
yeah hang on
and I know you've said what you did do, but that doesn't mean you didn't mistype something you know?
I've searched for different terms all over the module page and I'm 99.9% sure it's RID Master
which section of a module is this? AD?
Active Directory Functionality section
In the intro to AD module
It should be the very last question
Even the hint is telling me it's relative and still won't take my answer
remove the (...) from the answer
wow
I did that
but i must've spelt it wrong
thanks
I was losing my mind over that question, thanks a lot!
I've sent them in DM if you don't mind, it's not allowing me to send them here
How far into the academy are you @fiery berry
finished the CPTS path some time ago but I can't do the exam due to a full agenda
Dang! That's sick, how hard would you say the material starts to get once you get past the fundamentals?
let's take this on dm
Whenever you decide to take the exam, would you have to start completely over, or would you just have to touch up on some things
ok
try following the methodology in the module, test on a local bash environment. You are injecting in some mv <from> <to> <here>, so first you have to add a new line, comma, redirector | , && , etc. Something to escape the mv syntax and also doesn't fail
Hello, did u find the answer?
Hello everyone, Module bloodhound section nodes question Which non-default Group Policy affects all users?
if anyone got any hint I'd appreciate it, I can't seem to find the answer. I can see the default GPO but I didn't get how to enumerate the non-default ones
I found the answer, as a hint for anyone struggling, check the GPO link in the section, under the Users section, there's sth about GPOs, check it out :D
I'm on the Common Services > DNS. Is there anything special you need to do with the pwnbox to get this to work? Cause I can't get the zone transfer to work no matter how I try
Perhaps the zone is configured to allow zone transfer only from certain servers.
is this correct?
that would indeed brute some subdomains, but that's not a zone transfer if that's what you're meant to do
yeah, my problem is when i do the dig axfr , it gets me nowhere
got it
holy hell that was not my module
Web Attacks - Skills Assessment
Was anyone able to get XXEInjector to work for this skills assessment? I've already completed it manually but was just curious. Spent a bit of time tinkering with it to no avail.
I'm starting to feel Deja Vu with the DNS questions
Hi! Does anyone know how I can find the Tomcat creds on Shells and Payloads Host 1?
If we told you it'd ruin the challenge
maybe a hint then?
Tbh it's more obvious than you think
I don't do hints, but if there's something you're attempting and having issues with then I could possibly help with that more
I keep having problems with the ffuf skills assessment
Im using this command:
sudo ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:32896/ -H 'Host: FUZZ.academy.htb' -fs 985
For this question:
Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
I get 0 output. I changed the /etc/hosts file too. Am I doing something wrong?
They're in plain sight on the user's desktop
How many people have all 3 certificates as of today? Is there a way to check how many people have htb certs?
Well it'd be hard to have all 3
whys that
Considering cdsa just launched
The only way to know how many have the certs individually is to get the cert yourself
But combined don't know
They tell you once you've completed the certification? Interesting
Well you get a badge in academy
Which tells you how many have it
But publicly they haven't disclosed I don't think
Nice, do you have it yet? If you don't mind me asking
Understandable, how long does it usually take someone to complete the certificate in general? Starting from scratch in terms of HTB material
ssh with root isn't possible
spoiler btw
yeah you're right, sorry
Depends on familiarity with topics it can take a couple months or longer , the exams themselves are roughly a week long each and feedback takes up to 20 business days
but I got on a better track, found where to use the creds I found for root
let's see where it leads me
Hello!
I have problem in Introduction
When I open Firefox it can't open any pages
I see - The connection has timed out
check if your FoxyProxy is on bro
No proxy in my settings
are you inside a vm?
Oh
The pwnbox has limited internet access
Try opening the webpage in your normal browser
But i use link for task
Yes
Which is located just above the questions
How i can send you screenshot?
Can I write to you in person or call you?
send them a letter in the mail
Must i use HTB VPN for that?
No, that's why its a public address
I recommend tackling some computer fundamentals and coming back to HTB in a month or so
You've already been told the answer though
Open it in your personal browser, not the machine
Yeah, it helped me
Thank you very much!
Spawn your target!
Spawn My Workstation if you haven't done so.
From your workstation, open Firefox and browse to the target URL.
Answer the question below.
It's point from this task
Can someone help me lol... I dumped all the NTLM hashes with impacket-secretsdump, and I'm running "sudo hashcat -m 1000 domain_hashes.ntds /usr/share/wordlists/rockyou.txt" but it only cracks like 3 passwords and stops after 2-3 mins... There are 3,000+ hashes in there, no way it's finishing that quick
Also your screenshot is spoilers
I don't think the module asks you to crack all of the hashes anyway
But if you want to use https://github.com/clr2of8/DPAT and make a good report you need to lol
I've tried some of them in SecLists as well same thing
runs for like 3mins (not even) and only cracks those 3
It could also be that the internal ones are getting escaped by the backslash
Also the hashes are good as passwords 99% of the time. Cracking the ntds.dit is mostly just for providing the client password analysis
plus if you want to try cracking 3000+ hashes, you wouldn't do that in a VM, you'd use a nice cracking rig
Most remote software allows you to use hashes in a pth method
It still shouldn't stop... I was monitoring usage and it came nowhere close to maxing
Not my goal... already completed the lab just trying to work on reporting
is hashcat giving you an error when it stops
^
try it on your host
it could just be either processing still or just done lol
Or is it just saying "exhausted"
This
It is saying "Status...........: Exhausted" but the usage doesn't even spike...
that means its done
I can try bringing it to my host, but for reporting on the exam what would you do
congrats
Means it's done
hashcat has a cache iirc so it's probably skipping once it already finished
having only 3 accounts use easily guessable passwords is also report worthy
I find it hard to believe they only made 3 weak passwords
For these labs? I believe it
^
remember, by your own admission you're doing extra lol
ok got nowhere
Have any of you done Attacking Enterprise Network and tried cracking them all?
The 3 weak passwords are the intended passwords to get
side note but machine account hashes can also sometimes be better than user hashes
Or did you all just skip that lol
I skipped
And if you get the system account then gg ez
If you really want to try more: hashcat -m <mode> /usr/share/wordlists/*
a machine account hash IS the system account effectively
Just throw all the wordlists at it
Will impacket-secretsdump also dump the machine account hashes?
yes
I need help at the password attacks module medium lab. Found a root password in a docx but I can't figure out where to use it, I might need a nugget pls help me
you dont need to know machine account hash stuff for CPTS though
"WEB-0008$:1599:???:???:::" these?
ye
remember in active directory machines are users too
WEB-008$ is also a domain user
DC01$ is also a domain user
Domain admin even
I dont recall a root password in the docx
Ahh so I know you say it's not important for CPTS, but why is a machine hash more valuable than say the domain admin's hashes?
sometimes more valuable
I can't say much but I recently had a situation where I skipped some things because they didn't realize you could dump the DC machine hash
in the zip is a docx
so went from basic user to DA in one jump
I said specifically root
but the DC built in admin was disabled so the local user hash was worthless
can't disable the machine hash though
Okay I understand
persistence too
What else is there besides the password?
Nah the point is its not root password unless htb changed it
Welp I finished... guess I should redo some of the AD stuff before the exam
A company that gets compromised might have the forethought to reset everyone's passwords, but if they didn't reset the machine account hashes, then having the machine account hashes is a backdoor for Compromised 2: Electric Boogaloo
I mean the document says Root Password, so their question isn't incorrect, but it's still clear what it is
how are you guys able to send screenshots and I am not?
because we read #welcome
Does it? I'll have to recheck my docx to see if it's different
Unless I'm thinking different doc
Thanks for explaining! So on the exam and in future tests if I can't crack the hashes either it's no big deal? I can say I was able to and since PtH exists I can just log in as anyone and demonstrate that?
if you can't crack the hash then don't say you were able to
yeah getting ntds.dit is GG for that domain
Oh, I ignored the root password because of the format it gave me
I just rechecked it
yeah, same
So this DPAT just make the report look nicer
it's just extra information you can deliver
like that's it, you've won, take a victory lap. Unless there are further subnets/sibling domains/non-domain joined computers then you're king.
yeah providing password analysis for the client
which they may not even request
In report you can say "I was unsuccessful in cracking user passwords, however I did get several high level system accounts"
Okay!
Thanks for explaining everyone
I thought like you'd HAVE to crack more hashes and it was required..
Nope
I don't have the money to afford a good cracking station yet
You cracked the important ones
in real life you'd probably be working for a company that has their own 40k cracking rig
^
must be nice..
Export or do whatever SOP would be needed to crack it
hand write a couple hashes down on paper so you can see if you get an instant win on a second engagement
(dont do this)
also also even if they went through the herculean effort to stop PtH attacks, if you have the krbtgt account hash you can just forge kerberos tickets and use those instead for persistence
Thanks
congrats you finally did it
HAHA

Harder than hacking itself
Me expecting this double pivot to be a little complicated to understand on ligolo-ng and then this guy just does it with one listener
Especially when you have your 2 braincells competing for 3rd place
this is sooo cool!
I'm used to my two powerful hacks ctrl + c and ctrl + v
easiest shit in the world. Second agent just connects to the server -> make sure you have a route for the new subnet added -> start and you're good to go.
If you don't have outbound then just listener_add to forward a port to your ligolo server and then connect the second agent to the opened port.
That don't work in terminal and you get confused
double pivoting is when I knew for sure that ligolo btfos other pivot methods
I know, TRUST ME I'VE TRIED
ctrl+shift+C/V
Yep
Oh, just refresh
This happens occasionally
Hey I found the hash in the footprinting module Oracle TNS. I know it's not needed but just to practice I wanted to try and unhash the value but for some reason I can't figure it out.
This works
echo "stealth:d776dd32d662b8efbdf853837269bd725203c579" > crack.txt
john --single --format=raw-sha1 crack.txt
This doesn't
echo "DBSNMP:E066D214D5421CCC" > hash.txt
john --single --format=raw-sha1 hash.txt
wow... I'm getting off for the day
Try not specifying the format
hard to imagine using anything else, double, triple, quadruple pivots, you can stack them all day long
Also adding a wordlist
yup, the first time you do it you're like surely switching the session and starting it will kill the chain and ruin the pivot, because it would for literally any other tool. And instead it's like magic and you teleported to the new subnet
ok got it thanks
Anyone here good with evil-winrm? I sometimes start it within like /home/linty/project/random/here and when I try to do "upload /opt/toolname" it'll say it doesn't exist and I have to "upload ../../../../../opt/toolname" Is there any easy way to get around this? I guess I could just start evil-winrm in ~ or / but...
it does feel like magic, glad I jumped on the ligolo-ng hype train when I did
Because if you're incorrect on the format, John doesn't correct you
for the file upload attacks skills assessment, is it possible to change the mime type to jpg (not content-type, but the actual file content through injecting magic bytes)
evil-winrm works best when you specify full path name for both source and destination
Start from /opt/toolname
sometimes its just ass
makes sense I just assumed the tutorial I read was giving me the right format
but we dont have anything better
But yeah
I always just specify full paths, never had any issues
No one has bothered to make a better tool
anyone wants a security tool dev project: make a better version of evil-winrm
what are y'all waiting for, make one
Lazy
skill issue for me
I just might if I actually had the time
I do "upload /opt/toolname" but it says the path "/home/linty/htb/academy/attacking-enterprice-networks/opt/toolname" doesn't exist lol
idk doesnt do that for me
yeah, because it adds on to the path you're currently in
It's dumb
i've found the source code and everything, just having a hard time to bypass the type check specially mime type
Is there any way to fix that? or am I just going to have to remember to start in "/" or "~"?
Has anyone actually considered the job postings that HTB offers? How legitimate are they
Just get good
Might do well to Uninstall and reinstall it
@thorn urchin can I dm you about ligolo since it really isn't module related
You can but im at work so may slow to respond
they should definitely add it to the modules
I even took the time to write a blog post about it (as if everyone isn't doing that already)
does it take long to crack the password in footprinting module IPMI?
Im sure itll be an update eventually
pretty quickly
idr exactly how fast but negligible
ain't waiting 10-15 mins or anything like that
What command are you using?
I think I will try to figure it on my own rn
man they really put you in the dark for this one. Chaining IDOR Vulnerabilities.
K
I mean you're creating a script based off of what you did manually
Hi
did it
Nice
The last script I wrote was a couple pages ago and it was for downloading contracts
I think I know what its asking
It's asking to find all the roles, so I can get the correct role for the "admin", right?
Then I would be able to find the uuid?
I haven't done this module so I couldn't tell you exactly
really simple with bash
for i in $(seq X Y); do curl ...; done
also you can grep and filter for the desired result
you can do it with Python and with Intruder if u like
for this type of stuff i suggest bash scripting + curl
way easier and cleaner result to look at
also you can work with threads on bash using xargs
Hi there, for GAME HACKING FUNDAMENTALS, skill assessment question 2, does someone have a hint? I have identified two memory values related to the Score. All modifications change back to the original even if I try changing both. Any help? Thanks in advance
hello, in the ffuf module there is a question, I found all sub-domains, but what do I need to type for this? There are 3 sub-domains, can anyone help?
only the subdomain
what does that mean? there is 3 sub-domains
section?
Skills Assessment
oh ok, thanks
any time
thank U
the <from><to><here> hint did the trick
my location at the end of the URL was the problem
I must say that this assessment is nothing like the whole module...
thanx again
hey guys, under Initial Enumeration of the Domain from AD enum & attack module, do you have only 3 hosts alive, including the attack host?
cuz the module says 9 including the attack host
Pivoting
I was stuck on upload attack skill assessment for 2 days and turns out the server date is different than my date, such a stupid mistake
Mood
?
what is your time zone? lol
yea in US its still October 11th
what a tragedy
US. But the file name was always a day off
not always
Good lesson learned though. I'll always check server response time now
yea
or just move to where the server is located
I'm currently working on the Python3 module and I've been working on this question for an hour but still can't get the answer. If someone who has completed this module could help me that would be great
Does the module/section not go over loops?
This section doesn't go over loops but it briefly did in the previous section. I use the lines of code from within the module but I keep getting errors. Can coding in Python3 only be done in Terminal?
No
You can use a text editor iirc parrot also has vscode installed with python modules to code with
How do I open the text editor in parrot OS?
Hi - I'm doing the windows attack and defend module - I'm struggling to connect from the RDP using xfreerdp from parrot terminal error:[03:35:48:593] [3054:3055] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[03:35:48:593] [3054:3055] [ERROR][com.freerdp.core] - failed to connect to 172.16.18.25
Which VPN do I have to connect? inside the parrot terminal? or the ovpn file from the academy? your response is really appreciated . TIA
Well I'm assuming they give you an attack host to first rdp into
For the last question of the 'Live and Engagement' section for the 'Shells and Payload' module, if I am using msfconsole to execute the 'eternalblue' payload, do I set the 'RHOSTS' to the IP address of HOST 3 and isn't the LHOST the IP address that I 'xfreerdp' into? I tried establishing a session but failed .
The academy one is correct, usually when you see a 172.16.x.x ip you're expected to first rdp into a jump host: then to the target
Nope you had a similar issue with a different target if I recall, you need to use the ip that's on the same network
Same concept applies here
it says , you need to connect to the vpn, I am not sure if the .ovpn file from the academy or an ovpn file from the parrot terminal - but it appears no ovpn file from the VM
Oh yeah you are right, so I need to change the localhost
The pwnbox is natively connected, if you're referring to the in-browser vm
Step 1) use pwnbox or connect to vpn from your own virtual machine.
Step 2) connect to the spawned ip
Step 3) further connect to the internal target
LHOST stands for listening host
L for listen R for receive
wow that web attacks skill assessment beginning enumeration
nothing to do with the module
not there yet, but it's fair game if it involves anything from previous modules, since they're meant to be done in order
[04:42:54:793] [7411:7412] [WARN][com.freerdp.crypto] - Certificate verification failure 'self signed certificate (18)' at stack position 0
got a new error
what enumeration? you do not use anything outside of the module for that assessment
it literally gives credentials for the application and from there you have everything you need
but how was I supposed to find the hidden directory?
you dont have to find any hidden directory
the assessment goes over IDOR enum into Verb tampering for password change and one special user has an extra function which is vulnerable to XXE
just all of what the module teaches but in a more "complex" environment
yeah it was easy after getting to the special user
see how you didnt need hard enumeration
my burp suite didnt show any of the good stuff
huh?
it didnt even show "token" "uuid" things like that
but only for the skills assessment
weird
maybe I shouldve reset it
just use curl + bash scripting as i told you earlier
i changed all passwords with 1 click
nice
way better than burp for this type of stuff
In the Introduction to Bash Scripting Module
Chapter: Flow Control - Loops
Can anyone confirm that the task script is solvable?
Because im really stuck
the task script is solvable
great ...
and the only thing i have to do, is encode the variable with a for loop and assign the length of that variable to the salt?
ok but lets say i did on a "permitted" target and get these results, what do i do now? like why's there a bipolarity in the results?
yes the number of characters of the 28th iteration
after the*
also im doing this section:
https://academy.hackthebox.com/module/19/section/103
it says
"One disadvantage to Nmap's presented results is that the automatic scan can miss some information because sometimes Nmap does not know how to handle it. Let us look at an example of this."
they then basically try to show how nmap can sometimes overlook some information (like the service) but if we use netcat & tcpdump we can see that. (but they're onto nothing)
check if its open 
interact with the port
everything shown in the nmap section is for local scanning only (not public stuff) and even if you have permission to, scanning the domain youtube.com doesn't point to a 1 single ip plus they probably have a shit ton of protection in place so just using a tools like nmap won't get you anything much
also your ISP isn't going to be happy that you scan some random public server without permission through their stuff
so do you manually check each port separately? i mean, the command i ran earlier nmap youtube.com -Pn --reason --top-ports=12 is legit but still i got a wrong answer.
alright i got the part that i've to be in the legal bounds but all im asking is how is netcat here (paired with tcpdump) said to be giving a better scan than nmap while both gave literally the same output?
From where are you scanning that target?
from my college ethernet cable
In the Attacking Common Services in Attacking SQL Databases, I can not connect to the MSSQL server at all.
These do not work:
sqsh -S 10.129.203.130 -U htbdbuser -P 'MSSQLAccess01!'
mysql -u htbdbuser -pMSSQLAccess01! -h 10.129.203.130
This does work but I don't need it:
mssqlclient.py -p 1433 htbdbuser@10.129.203.130
Furthermore in the Attacking FTP, I have scanned all TCP and UDP ports and there is no FTP port open. I think that one is broken
I just did that one, don't use 'sqsh'. use mssqlclient.py
also the box seems a bit unstable, had to respawn it a couple of times
I am very lost in the Attacking SQL Databases section.
I have checked:
-No linked MSSQL servers found
-No users that I can impersonate
-Don't have permission to xp_cmdshell
Attacking common services yeah?
Yeah, now that I looked again, I think I know
Have you tried stealing something
It is always like that, as soon I ask for help then I realize what i missed
Thanks though
Aha ok, thank you
I take it you answered the first question or no?
No
Thanks again
Yeah that's my only gripe about this section us that you don't really explore too many of the other options
They come in handy in the skill assessment so be ready for that
In the Password Attacks - Attacking Sam
I am able to save the hklm* file, but when I try to move it it says 'access denied' and I'm already running as administrator, is there anything I did wrong?
INTRODUCTION TO BASH SCRIPTING | Flow Control - Loops
im lost and appreciate help
im pretty sure i did what was asked, but i get an error
||bad decrypt
140488265971008:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:612:||
i don't think thats what the question was asking to do
"Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer." this is the question I was working on, am I using the wrong method?
iirc there are other concepts taught in that section
and you were provided valid credentials
alr thx
Hi guy, can someone help me please in "Skills Assessment - File Upload Attacks"
I got most of the puzzle but I can't get it together...
- found the black & white list
- got the Content-Type
but I can't get it 2 work...
Hi, Is it possible to run responder to capture hashes through proxychains on my Kali machine? I can't see my target's dual NICs, and I cannot run as root on my target to run responder. It sounds dumb but I thought I'd ask
Question on academy labs. Is there a problem with my VPN connection or are some labs intended to be done solely via pwnbox? I had issues receiving output (other than host online) in the nmap labs last night.
No issues via pwnbox, to be clear.
Does what is underlined imply that this facebook exploit can be used in 'msfconsole'?
Yes and remove the image as it's spoiler
You could have blocked out the name and everything, because this is part of the skill assessment
responder works on layer 2 of the OSI stack, in case you land on a Windows machine you can use Inveigh
Module: Broken Authentication
Section: Brute Forcing Cookies
Question: Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?
||I changed the user role to super like this user:htbuser;role:super;time:1697111842 but I'm not getting any results||
hello everyone, in Hydra module, Skills Assessment - Website, im trying to attack with hydra but it just sends me the first password in my wordlist, it is because of a wrong Failed statement flag, but how to fix this? i have done the same thing on other sections and it worked, but here it is not working.
hydra -l admin -P /usr/share/wordlists/rockyou.txt -f 94.237.62.195 -s 38287 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='login'"
can anyone help please?
|| are you sure admin is the right username? ||
i've done every lab on my own VM (via VPN). what are you having issues with?
well maybe it is not admin, but my output like this:
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-10-12 15:20:35
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://94.237.62.195:38287/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='login'
[38287][http-post-form] host: 94.237.62.195 login: admin password: 123456
[STATUS] attack finished for 94.237.62.195 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-10-12 15:20:36
it says that it found a password for the admin username
i'd have to look at the lab again to verify but...
|| 1) don't just assume the user as admin, this isn't very stealthy either. Find the right user, use the hint if necessary ||
|| 2) i don't believe the login form uses user and pass which may be another issue. in other words hydra is injecting into a field that isn't there||
|| 3) verify <form name='login' is actually on the web page and won't be on the authenticated user dashboard either ||
|| my guess is it's not working because of point two. you're injecting into nothing and maybe you're being redirected to another page that <form name-'login' isn't actually on, hence hydra thinks it works ||
haven't done it yet sorry @thorn ingot
no worries
check and see if there is a way to verify that you're actually a super user
hmm okay i will check it again, but point 2 is really like this, this is from burp: user=test&pass=test, but thank you
i'll launch up the lab right now and double check
ok, thank you very much
nvm stupid question lol let me bypass the first part first
hey still struggling at the password attacking module medium lab, found a root password in a docx but i cant figure out where to use it, i might need a nugget pls help me pls
the docx talks about build your own inlane installation
||there is a local sql database running on that host||
read the .docx carefully it hints at something
but therefore i need access to a machine via ssh right?
https://academy.hackthebox.com/module/147/section/1657
The 'extract keytab' section has a different font
Then it's convenient you're given a username:password
if your reporting an issue go to #858470491676737536
don't you already have access?
via smb yeh
No they just have smb
first part is ||login:user pass:password ||
and he got a ||user|| and ||pass|| from there
He hasn't realized that part and is only focused that the line in the doc says "root password is"
but it doesnt work for ssh
It should
you need to
Hint: the user isn't root
user J and D let me check on that again sry for bothering you guys
I mean the line that gives you the password tells you which user
Remember the format username:password
okay i see what burp is doing now, || you want to follow what the HTML is doing / what the login form says, not the parameters being passed ||, so you need to || 1) use the correct user, 2) use the correct fields (switch to username and password) and finally reread the source code, because it's not <form name='login'||
oh damn i might have just checked for the D user
Me staring at the doc
Take one quick step back: look at what it's given you
And thats literally all you needed this whole time to get in
Like I said it very much tells you which user the password is for
yes i see thank you very much Sir im now logged into ssh
oh yeah, form name was incorrect, thanks for ur help
Now just poke around and you'll get there
How many disks exist in our Pwnbox? (Format: 0) i cant solve this for the life of me i tried lsblk, sudo fdisk -l both while disconnected from the ssh server
it's from the linux fundamentals
lsblk -d
i still dont get it, how do i type the answer. idk what's a format 0
with the specified format
The specified format is a number
sorry i still dont get it, i put the command and it listed 2 disks but the answer isnt 2
is it from Linux Fundamentals - File System Management?
yes
did they update this section
i have no clue
this is the question
i know the question lol, but my answer doesn't work with the current environment anymore
and i know "how" i got my answer and it wasn't from listing how many disks exist
so i'm wondering if the question itself changed
lol i still dont understand what they're looking for
the listed disk is less than 10 i believe
you want to dm and we can try working it out without spoiling?
yes please this is the one thing im so stumped at and the internet doesnt help
i tried so many list disk commands
maybe the module is screwed?
yeah i went through a few things with them and none of the numbers worked lol
mine was 160
the current space is 50 and that also doesn't work
nope doesnt work
i already did lmao
they did lol
aah i already did that too
wow i should get my money back
unlucky
i would report in #858470491676737536 and probably use the support button on the website
oh yeah
the cargo website seems to be dead, i had to get my answer off the internet for that part
guys in hydra module, in Skills Assessment - Service, i have done everything(trying to brute-force ssh) and it brute-forcing at least a 30 min already, i dont think that must take so long
try harder
you should not have more than 3000-4000 passwords and less than 10 users
then use -u flag for hydra to loop over users not passwords
it tells you what user to use doesn't it?
or is this the one you have to generate your own username list
own username list
there is user, i generated with username-anarchy, and password list with cupp, sed it to password policy, then started a brute force,
well without -u flag this wont work? bcs i think hydra will try all users and all passwords too
it will work
damn linux has so much to remember but i think the --help will make things easier lol
it will just take way longer
" As you now have the name of an employee from the previous skills assessment question, try to gather basic information about them, and generate a custom password wordlist that meets the password policy."
hint: || you don't need to provide all the information cupp wants you to give it just use what was given ||
understood, i didnt know it
thank you
yeah i did it already, thank u2
hello there, can i ask for a bit of help, i'm doing the footprinting module and now i'm in the DNS section, but the last question asking for the FQDN of the IP that ends in 203 has me stuck, ive been digging for the last 2 days through all the subdomains in the normal zone and in the transferred zone like an exemplary dwarf, i also tried the route of brute forcing with dnsrecon and dnsenum but nothing, the only thing i found is one subdomain that ends in 200 after one zone transfer
maybe you aren't using the right wordlist
Subdomains of Subdomains
Remember that not every zone allows a zone transfer from everyone.
Aka this question has been asked so many times
Someday I'll write a DNS module lol
Write one that uses ips in the example and not just name server fqdn
that means i need to mask the request some how?
i already tried to zone transfer to subdomains of subdomains but all i get is transfer failed
you're on the right track with dnsenum
No, if a zonetransfer is not allowed, then you have to query the zone manually. You can use automated tools for this.
ok it looks like i will need to try each list in seclist
@opal dagger you should also follow this hint
You can use dnsenum with the same syntax just change it to {subdomain}.inlanefreight.htb
honestly doing Hacking WordPress, my new pet peeve is people doing curl -X GET ...
https://enterprise.hackthebox.com/storage/modules/80/scripts/timing_py.txt does this link work for anyone? It simply redirects me to the dashboard
That's an enterprise link, so not very likely someone here can confirm either way
damn it, I can't progress without having their resources...
As arthos said, it's EP so no user will see it unless given reasons
yeah I get it, just sucks I can't progress because their site isn't working as intended - Ill use another method, but my intention was to use their stuff instead of mine
hi there, doing a SQLMap module, Attack Tuning Section, dumped a database with sqlmap, and found a flag, but flag is incomplete, can someone help?
||Database: testdb
Table: flag5
[1 entry]
+----+-------------------------+
| id | content |
+----+-------------------------+
| 1 | HTB{700_much_r15k_bu7_x |
+----+-------------------------+
||
is this using blind sql?
well i think that is not, its "OR" statement, ||sqlmap -u http://94.237.56.76:30080/case5.php?id=1 --dump --dbs -T flag5 --level 5 --risk 3 || here what i used
information gathering / vhosts ... it says look for a flag but im supposed to curl the results of the fuzz? and look at all of the lines?
using ffuf
yes but when i curl the result i found nothing
i got 6 vhosts
I remember those cases being extremely unreliable and needing to run the attacks a few times to get the proper flag
iirc my fourth attempt printed the proper flag
despite running the same command
lul im just d** i was doing the curl wrong
it's possible the user doesn't have rdp/winrm access, double check the lab is still up or trying running commands as them in a powershell window
although it's not the complete flag, you should remove it.
read the hint @tame ivy might help
im trying to check if i have rdp or remote management
but i have no results with my cmd
Get-NetLocalGroupMember -ComputerName MS01 -GroupName "Remote Desktop Users"
no results
oh it worked, thanks
thank you2
Module Name: Login Brute Forcing
Section: Service Authentication Brute Forcing
Module ID?: module/57/section/491
VPN: EU Academy 1
Task Precursor text:
SSH to 94.237.53.115 with user "b.gates" and password ""
The task is to brute force the password of the user b.gates, but it doesn't look like the SSH allows for password authentication at all?
[DATA] attacking ssh://94.237.53.115:22/
[ERROR] target ssh://94.237.53.115:22/ does not support password authentication (method reply 4).
Either I'm missing something, or it's configured incorrectly right now?
you could try restarting the box, i think you also need to lower your thread count - try -t 4
hard to say without knowing what you're executing
if the above doesn't work, let me know and i'll redo the lab for you
I've tried resetting the box a couple times to no avail. Just tried swapping VPNs as well in case there are different labs on each one, but that didn't help. o.o
Here's what I'm executing and my result:
> hydra -l b.gates -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-10.txt -u -f -t 4 ssh://94.237.53.115
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-10-12 11:52:24
[DATA] max 4 tasks per 1 server, overall 4 tasks, 92 login tries (l:1/p:92), ~23 tries per task
[DATA] attacking ssh://94.237.53.115:22/
[ERROR] target ssh://94.237.53.115:22/ does not support password authentication (method reply 4).
let me redo this section and get back to you
Thank you!
Hi Jeremys556, I'm having some trouble regarding the ||SNMP, which is v3 for me, so it requires authentication afaik.||
How did you manage?
Running the snmp tools worked fine for me
Oh. Uh.. It was a fairly rookie mistake. x) It was because the port needed to be the box port rather than 22.
If I run v 2 it doesn't respond, while on v3 it requires auth, what am I missing?
So problem solved! I should've checked that first. But I really appreciate trying to help.
The correct command would be:
hydra -l b.gates -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-10.txt -u -f -t 4 ssh://94.237.53.115:50341
Or whatever port the box is generated with.
that was the first thing i noticed, but i was waiting for my hydra scan to complete lol
secondly, || you might want to use cupp -i and use that wordlist ||
Think about all the tools taught in the snmp section
Okay ^,^ Thank you!
just follow how the module creates the password list and you should be golden
Oh I see, I didn't think about one I could've tried without creds.
Thanks for helping me through
Hopefully, it's gonna work.
thanks to everyone for the help in the DNS question i finally got the FQDN, now just a simple DNS theory question, when you create a domain entry in a zone is the reverse dns created automatically or you can have domains that wont reply to a reverse dns query because the record was not created?
Nevermind, nothing worked.
creating an entry in a zone does not automatically create a reverse dns entry
Sorry to bother you again, but I don't see a solution here.
||- snmpbulkwalk needs authentication.
- I have tried onesixtyone with several community strings, plus the default wordlists and a custom wordlist but nothing hits.
- Gave braa a go with some common community strings and again no hits.||
have you tried ||bruteforcing community strings||?
yeah, that's what ||onesixtyone is for. Default lists don't hit, nor did my custom one (using hostname + 3 digits)||
then you're doing something wrong iirc ||onesixtyone should output the right community string||
Guess I'll reset the instance then, maybe something broke
follow the exact syntax for ||onesixtyone|| used in the module
Syntax was just fine, instance was not.
Resetting worked. FML.
is there a way to know the ip address of this instance ComputerName : SQL01.inlanefreight.local
Instance : SQL01.inlanefreight.local,1433
DomainAccountSid : 150000052100015021581135153197131788620723312701800
DomainAccount : svc_sql
DomainAccountCn : svc_sql
Service : MSSQLSvc
Spn : MSSQLSvc/SQL01.inlanefreight.local:1433
LastLogon : 4/11/2022 7:51 PM
Description :
Well if you're on the computer: ipconfig
another instance running on the network
hello guys, in XSS module, Phishing Section, this js code is not working for me, it is not deleting a urlform,
document.getElementById('urlform').remove();
i tried a lot of times, document.write func is working, but not this
not the same computer
try using crackmapexec, crackmapexec smb 172.16.8.0/23
i don't know the ip range being used on that box though
i dont know what to do anymore to connect to SQL01.inlanefreight.local, i tried everything i know so far
what happened when you did crackmapexec on the internal ip range?
did you name the file correctly, do you have the right contents, did you enter your IP correctly, did you access the share you put the malicious scf file in to trigger it?
you have to give more than, "it didn't work"
found 3 hosts
tried to look for which host have 1433 port open
but none has
if you run crackmapexec it should be able to identify SQL01.inlanefreight.local assuming it's on the same network
I have a question about the AD module DCSync. I have DCSynced the DC, however in the result I don't see the user that can rm into DC. Is it possible to perform DCSync and have some users missing?
use grep
assuming that the right ip/network then sql01 doesn't exist on that network. check the other hostnames there and see if they have an sql server or maybe the sql server is on a different subnet
i'm also not aware of what module and section you're on so it's possible you need to restart and wait like ten minutes for the lab to fully boot up
ComputerName : SQL01.inlanefreight.local
Instance : SQL01.inlanefreight.local,1433
DomainAccountSid : 150000052100015021581135153197131788620723312701800
DomainAccount : svc_sql
DomainAccountCn : svc_sql
Service : MSSQLSvc
Spn : MSSQLSvc/SQL01.inlanefreight.local:1433
LastLogon : 4/11/2022 7:51 PM
Thanks for the reply I did use grep. I am able to complete the questions, it is just that I am playing around and in bloodhound I see a user called BDAVIS that has rights to rm into DC and I grep the DCSync result and can't find his hash.
So I am just wondering, when we perform DCSync are we dumping everything or is it possible for some user to not be on that DC.
does nslookup work?
for anyone who did the AD Enumeration & Attacks - Skills Assessment Part I i need his help
what portion are you stuck on
okay
right
so i tried to connect to ms01 using those cred enter ps session
it didnt work
wait ill send the screen shot
i tried to use this Get-SQLQuery to query the database
you should remove that it leaks credentials
whenever you obtain credentials, you can use crackmapexec to see if they work anywhere else
with this situation theres no need to check anywhere else
they have sql01 creds, they need to use em on sql01
there is no sql01 lol
Yes there is
i can see the instance of sql01
wait is this assessment 1 or 2
it's one
oh, nvm I actually dont have any notes on that one
are you following the questions? They hint at what to do next
it never asks you to connect to SQL01 it just asks to kerberoast that user, which you did
do this
ok ill try
they work somewhere else and then you can use a technique you learned in an earlier module to escalate privileges
which box are you doing this from
this is my attack box
ah gotcha
i got a reverse shell to my machine
cuz that web shell is unstable
now i need to pivot
to try crackmap
So yeah. you're at the question where it asks you to get the flag on ms01 desktop
yes yes
welp, then thats what you need to go after
no need for SQL01
good opportunity to learn ligolo, shill shill
yup I had it in my head that it was assessment 2 lol
if you need help feel free to dm
thank you
is there any option on crackmapexec to try the creds on all the protocols and return the working ones
|| crackmapexec smb 172.16.6.0/24 -u user -p password ||
i'm debating right now do i want to unlock crackmapexec or bloodhound first
XDDDDDDDDDD
u know what guys i need to take a break now and start tomorrow cuz my brain is kinda fkd up XD and im not thinking properly
missing alot of things
thank you to everyone who helped me guys
i agree but like bloodhound is so useful
like there is a lot of things to learn about
blood hound
I like bloodhound a lot but people over rely on it too
Guys I am curious...I performed a DCSync and in the result I find some users missing. In bloodhound I see a user BDAVIS that can winrm to DC, same domain, but in the DCSync result I don't see that BDAVIS user. Is it possible to have a user, but not show up in a DCSync?
if that's the user you're looking for, use impacket and only dump the hash for that user || -just-dc-user ||
could be a removed user, could be you just missed the hash
in the future it's helpful to just say the name of the module and section... no one memorizes it by the number.
did you use the correct hashcat mode?
your last screenshot literally has the cracked password in it
btw remove cause spoilers
hello guys I want a training vm for account takeover and I'm absolute beginner and need an instructor
ok deleted
not only does your request make no sense, but this isnt the server to ask things like that
mb i assumed a link would be easier. hashcat doesn't work. i looked it up and it's an error relating to POCL
so where should I ask my question?
idk and idc
this channel is for module discussion only
you already found the answer though
are you trying to make it work with hashcat for the sake of doing it with hashcat?
Hello guys, im doing the live assessment of the module "Shells & Payloads". When i RDP to the initial foothold machine, i can login to it but i dont have any browser, is it normal?
no it turns out im just blind im sorry
np happens
there is a module called account takeover. I can't access It because of lack of cube so I decided to get help from somebody and give a good instruction, If you don't know then at least give me some other hacking community like IRC servers or discord servers. thx by the way
if you cant afford the module then tough luck
i exclusively use hashcat and i believe that section even taught you to use hashcat so it does work
sorry i didnt mean hashcat doesnt work. i meant it doesnt work on my pwnbox. i followed the error i got and it seemed others had the same issue https://github.com/hashcat/hashcat/issues/2689
Am I the only one to have problems with rdp?
Like I have my RDP for 3 minutes and then it's dead
I need to relaunch my vpn connection each time
It seems to be resolved by redownloading the vpn file
I'm on buffer overflow actually
I'll tell you in few minutes if it's a "fix"
Active ?
Only one
It seems to be ok, I deleted all my config files and took a new one, and it's been like 5 minutes without problems
Perhaps, nevermind thanks for your answer
Hello! I'm having trouble with completing the second question to the session security skills assessment. After downloading the .pcap file from the browser, I'm unable to open the file in Wireshark. Is this normal?
# Module: Password Attacks
# Section: Password Attacks Lab - Medium
I solved the lab. I had to use a hint for the root part. But how can one leap from a history to the answer? Can anybody explain?
Edit: If this is too much information or violates any rules, please ping me to have it removed.
If anyone is seeking an explanation, here's how you might have PrivEscd from user D to root. This might not be entirely accurate, so feel free to correct me. This is simply my understanding of the process.
||You've likely attempted to SSH as root, so you're aware that a private key is required. You've found user D and successfully SSHed as D using the credentials. However, you've also discovered an encrypted private key. While it's common to find encrypted keys, you don't need a private key to log in as user D. So, why encrypt an SSH key?
You might think to use the passphrase from the encrypted key to switch user (su) to root, but that doesn't work. So, what's next? You need a private key to log in as root and you have an encrypted private key for user D.
At this point, it's not commonly known (at least I don't know) that you can use the same pair of keys with different users. Therefore, it might not occur to you to use user D's private key with root. However, that's the solution in this case.||
No matter what kind of credential it is, always consider reuse
guys, power doesn't need high privs, right?
whose power
powerview
||Yes, but isn't it a bit weird? We already have a password for the user. Why would anyone want to crack the private key? There's no point, right? The only reason I cracked it in the first place was just to see what passphrase they used.||
I don't have notes on that assessment so I can't speak too much to the specific scenario, but remember users can always have multiple passwords and may even share passwords amongst each other. Expanding your range of acquired credentials is never a wrong move.
Yup, that is the first thing I usually try, but here the privesc came out of the syllabus. Anyways, thanks for the explanation.
guys, does anyone know why this error is appearing?
btw I have admin rights on the machine locally
sounds like a double hop problem
why is it a double hop problem, cred?
I'm giving my creds
idk man, I'm not psychic sitting next to your computer
I'm trying to execute a command on the same machine
just saying the error lines up with a double hop fault
i see
the link I sent explains it and tells you how to fix it
read it and see if its applicable
thx tho
usually my preferred workflow dodges the double hop problem altogether, so I don't think about it too much
how XD
I prefer impacket and linux based tools over powershell/running commands on the host as much as possible
sometimes I cant avoid it, but oh well
Good evening mates, how have y'all been?
Does anyone else feel like the material covered on HTB makes college classes feel almost outdated?
I've noticed the material covered in class doesn't come anywhere near as in depth or as complex as the material covered in HTB. Not to mention one 3 hour session only covers about 10% of what can be learned in a 3 hour session on HTB.
college classes are notoriously outdated against pretty much any training platform in this industry
the whole meme is a Master's in cybersecurity that doesn't know what nmap is
(because it happens)
true
hello there, I'm trying to connect to a Windows machine with xfreerdp, but there is an error. Does anyone know a solution?
[01:49:29:981] [862578:862579] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[01:49:29:981] [862578:862579] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[01:49:29:981] [862578:862579] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[01:49:29:981] [862578:862579] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
cyber security is all about learning by yourself
btw, anyone know why I cannot get a TGT with the user I want to analyze with BloodHound? It's kind of not working
Logon failure. Your creds are no good.