Hmm I see

Good evening! Friends, help me figure this out.
Introduction to Digital Forensics:During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer.

For the HTB footprinting medium lab, I’ve gotten the admin password and am into the mssql server. However, I can’t find the user password for the account HTB. I’ve searched high and low and I feel I’m overlooking something. Pointers?

look for a non standard database

thank you! got it!

I heard hack the box doesn't hold hands in teaching is that true

Hey I'm doing the intro to linux and on a practice I have to get a username and a UID and replace the spaces with commas, whenever I get rid of the white space and add commas it'll just print the whole line (cry0l1t3,x,1001,1001,,/home/cry0l1t3,/bin/bash) but I want to get (cry0l1t3,1001) cat /etc/passwd | grep "cry0l1t3" | tr ":" "," | awk '{print $1, $3}' is what I wrote but whenever I do that awk can't pull specifically the 1st and 3rd slot. Can anyone help me with what I'm doing wrong, am I not using a argument I need?

awk by default takes blank as separator

thats what I assumed how would I make it take commas?

awk '{print $1,$3}' FS=','

should do the trick

sweet

what does FS stand for?

im not on the pc and i donnot remember it by head

Field Separator

tell me if it works

its giving me cry0l1t3 1001

no comma between it 🤔

you can skip the tr step and do FS=':'

add the comma after

do this

cat passwd | grep | awk FS | tr ' ' ','

ok lemme try

the final step is TRansform space into a comma

the comma inside awk print is to select different fields

please notice this is a schema 🤣 im being lazy to write 5 AM here

cat /etc/passwd | grep "cry0l1t3" | awk '{print $1, $3}' FS=':' | tr ":" ","

like that? and no worries haha

yeee try

Still giving me this

noo

the tr is ' ' instead of ':'

Do I put fs in the '' awk

ohhh yea I forgot we transformed it to space before

TRansform space into a comma

then we do space to comma

kind of, we took colon as FS

lets gooo!!! thank you for the help

.

any time dude

yea I gotch you, so in the AWK we are using the field separator which seperates it with space

Real quick, how can I verify in this server for roles etc?

and we take space and make it into a comma

we tell awk hey the colon (:) is the field separator

take 1 and 3 by counting colons

and then we want the space to be a comma

ez

yurrr appreciate you homie\

ayeee

shit was confusing me haha

😴 good night

night night bro

happens at the beginning of:)

Verify your user if not already done. Read #welcome

I already figured it out on my own, thanks though. I should learn to read a bit more!

Hello guys

One question

If i have local admin on the DC

can i hunt for golden ticket

To get the domain admin

I was in my bed and i had this idea

Is it possible

No, you need the password hash from krbtgt user

But i have local admin on the dc i can just dump the hashes to get the kbtgt

Thenn forge a golden ticket to go domain admin

I was googling but i didnt find the answer im looking for

I am not sure if this will work.
You can try it

pretty sure it wouldn't work, local admin has nothing to do with active directory (except possibly being an AD user, which isn't going to let you dump the hash unless the user has DCSync rights)

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/golden-ticket

Yeah i found it

Thank you tho

Thank you payload and arthos

you can dump ntds.dit with dc local admin sometimes.

secretsdump can do a lot more than just dcsync

Exploiting web vulnerabilities in thick client apps module is unbelievably frustrating

Thanks

I got engaged on THM it was quite interesting while learning Linux

and on HTB if the virtual machines are of the AttackBox type as in THM?

I'm just from Russia, I apologize for my English 😅

Hi, first message here.
Have someone done the "Intro to Assembly Language" skill assessment? I've been hardstuck for 3 weeks, there is only one thread in the forum and I'm not able to reproduce what other people did to achieve the flag, link to thread is https://forum.hackthebox.com/t/htb-academy-intro-to-assembly-language-skills-assessment-task-1/4164
I've tried everything, I'm already thinking in putting this Skill Assessment apart and continue other paths. Any advice/hint/help would be very much appreciated.
Cheers.

U can get the hash of krbtgt then???

what have you tried so far and where are you stuck?

Can someone tell me I am not going crazy. In DACL Attacks I it says this

"Let us launch a new cmd.exe window as Administrator and use the credentials of Pedro to confirm we have the appropriate access rights/privileges:
Pedro with Backup Operators Privileges"

But then shows this

Surely that means that the user does NOT have the privileges?

if so I will post in erratum just want to make sure I am not missunderstanding something fundamental?

Disabled doesn’t mean he doesn’t have the priv

Really? Thanks.

Is there a term for this so I can look into it more?

You can look on hacktricks “abusing tokens”

thanks

I've done so far:

• Dumped the assembly code and added a label to loop through the stack and xor the rdx register with the key stored in rbx
• Copied every iteration from $rcx = 0xe all the way to $rcx = 0x1, (the 14 iterations) and joining the contents of $rdx, removing the 0x and run the whole thing with the loader.py script. The only result I get is a red dollar prompt that ends whenever I press return. Also echo $? returns 0 so it ran correctly, but I have no clue where the hell is the flag.

Sorry for the 2-hour delay, I went to the supermarket and left the message there lmao

dw, what bytes is your extracted shellcode starting with and what bytes is it ending with? just making sure you concatenated correctly

4831..4bd7

the starting bytes sound good, it should end on f05 and I dont have bd7 anywhere in mine

ok, thanks, I'll keep trying! at least now I know what to look for 😃

How did u guys get through the permissions denied when trying to open the folder mounted during footprinting medium lab

Got good

just got it!!! thank you very much man!!! ❤️

Now, to Task 2, wish me luck! 😃

What options (-o) did you set when mounting

nolock

I think there's like norootsquash or no_root_squash but also you can su to root and browse that way

Ok let me try

Nice it opened thanks

hey guys, quick question about ffuf. Does anyone know if it is possible to filter by response size with greater or smaller than?

Yes

I think

You can do man ffuf or ffuf -h and it tells you all the flag filters

I checked them and I also looked online but it doesnt work. It says I can filter the response time by using >100 or <100 but the same doesn't work for response size

Well you might need to use a backslash to escape the arrows

Because otherwise bash treats it as a redirect

you can work with ranges in the -fs param, so maybe just do 0-100 instead of <101?

^

That's what it is

Also it would be -ms

Because m is to match

f is to filter(out) I thought

yes, that worked perfectly

thanks a lot guys

has anyone done DACL Attacks I mini module? I'm on the addmembers abuse part and for question 1: I have answered it and got the flag, but unsure how... as we are told in the module that to use abuse the ||addmember|| acl we need one of the following privileges ||GenericAll, GenericWrite, Self, AllExtendedRights, or Self-Membership|| but when I enumerate the privileges the user has over the group he has none of them but can still perform the attack?

I know this is a gap in my knowledge.

having the flag is nice and all but is not going to serve me well If I don't understand the mechanism behind it

What privs do you have?

Are you running ps as admin?

||ReadProperty, WriteProperty, ExtendedRight, GenericExecute||

that may be it. I've lost track as following along as I go

Will reset and see if it does the same again

Just removed the user

then relaunched PS without admin creds and could still add the user with the privs listed there

You have extended right priv you say

I thought you needed AllExtendedRights?

Just as that's what it says in module.

I believe certain extended rights can be set, and in this case you have the extended right to fulfill the task

Haven’t done the module myself

Hi guys, I'm new here. Who is willing to guide me through?

literally nobody

sorry dude, but you gotta spend more than 5 seconds

https://tenor.com/view/this-gif-4354544

Common guys, I believe you were all novices at a point

we were indeed, but if you don't care about spending more than 5 seconds reading the pins, the channel description and such, you won't get far

Nope soz. You are by yourself.

Alright, let me check it out

I figured, thanks, appreciate it.

I’m not 100% certain though. Perhaps someone else with more experience can clear things up

you've been here a few months already, how did you find the server if I may ask? just curious

I've been speaking to the writer of the module so will give them a shout too

• he joined the first day of account creation lol

Alright, if you do find out, let me know! Curious as well now

Will do, nothing annoys me more than not understanding why something works. I mean it's great that it does but without actually understanding the underlying mechanism being exploited am I actually learning?

Hey man, why are you DM'ing me? If it's for guidance as you say. Do as @high zinc said and read the pins, channel descriptions etc and read this https://www.hackthebox.com/blog/a-beginners-guide-to-htb-academy

Hello everyone, Module:Linux Priv Esc,Section:Linux Services&Internals Enumuration, that ask which version python is installed, i did python --version and it says 3.8.10, but answer is incorrect, could anyone help please?

Yeah, thanks

This will only show you the currently active Python version.
But you can install several versions side by side.

really stuck on the "RDP and SOCKS Tunneling with SocksOverRDP" section in the port forwarding module my issue is with proxifier its not connecting to 127.0.0.1 on port 1080 but i ran the netstat command it says listening not sure why ive tried running everything as administrator and ive also tried to use both socks4 and socks5 any ideas? maybe a firewall issue or something?

have you ensured that proxifier is listening on localhost:1080 on the RDP server ?

are you getting the dialog box when connecting through mstsc ?

yes just says could not connect to proxy 127.0.0.1 1080

ATTACKING COMMON APPLICATIONS > Attacking Joomla > Leveraging Known Vulnerabilities : I don't understand how to "find" the CVE used in the course. From the enumeration, the server version is 3.10.0. But the course explains that we can use a CVE affecting 3.9.4 and below versions... How am I supposed to guess that I may try versions where this vuln should be fixed ?

can you connect locally using NC.exe ?

where is nc exe located its not on the server

it's not on the server, just upload it

I just says this as a basic troubleshooting exercice :

• check that the service is listening on TCP/1080 (you did it using netstat)
• check that you can connect to it (first locally, next, remotely)
  If previous checks are passing, there should be no reasons for it to not work (except if the SocksOverRDP-Plugin.dll is kind of screwed)

if the command is nc.exe 127.0.0.1 1080 no its not connecting

can you try to listen on 1080 usinc nc perhaps ? and see if it works

just done that still doesnt connect

have you tried restarting the Lab and doing all again ? (IIRC, it's a bit long to play all over again, but that might perhaps solve your problem)

yep i restarted from the beginning making sure i did everything correct been on this for days now

does the "proxy checker exe" confirm that the service is not running ?

hang on ive reset gotta get back to where i was

am currently trying the lab

Module:Linux Priv Esc,Section:Kernel Exploits, i did everything that was written, but there is error, could anyone help me?
./exp1: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./exp1)

did you got the dialog box when you connected using mstsc ?

havn't done this module yet but this seems to mean that you have tried to run a binary grabed from another host and you don't have the same LIBC

oh yeah, i have compiled on my local machine, and trasfered to target, is that a error?

yes

ran the proxy checker says testing failed

ok, i solved it, thank you sir

how did you did it ? using some tool like https://github.com/X0RW3LL/XenSpawn ?

noo, i just compiled it on target host 😅 , maybe not good practice but it worked

@keen compass working now not sure how but it is

I just realized I gave you wrong informations.
Proxifier is not listening on 1080 (it's not listening at all in fact)
When you connect using mstsc after registering the DLL you must have a dialog box that prove the DLL is loaded properly.
Then, when you run the SocksOverRDP-Server.exe the mstscclient starts listening on 1080 (on Client computer, not server).
Finally, starting proxifier on the Client enable your next mstsc client to be forwarded through the local socks proxy and get forwarded through the SocksOverRDP-Server.exe on the server.

If proxify is not run as elevated (UAC), it will not "catch" mstsc.exe traffic (but will not complain).
If you run it "as administrator" it will "catch" mstsc.exe traffic and forward it through the local socks proxy.

One last thing : by default, when closing proxifier, it just minimize. So if you run it as "simple user" first and closed it, check and close it from the tray before running it again "as administrator" or it won't work.

Are there any modules that focus on stealth and leaving no trace of entry?

some modules touch on it for red teaming purposes

Good morning hacksters

Hey guys, for the Reporting module: it can be completed without this, however, one of the unfinished findings is a command injection vulnerability. Can anyone give some tips/hints on where to look for that command injection vuln? I found the other unfinished ones - LFI and password in description field.

anyone has done this module and could tell me why a CVE identified as "affecting Joomla 3.9.4 and below" also work on 3.10 please ?

in PIVOTING module in Web Server Pivoting with Rpivot section
in the last question i should go the the web server and submit a flag yet just the default apache index page is available. what do I miss here?

not on the right host perhaps ?

no way for this, ssh for the correct host is provided

tried restart the instance ?

i did

even escalated privs to find flag in the /root dir, nothing in there

on the rpivot server, you have a "New connection from host xxxx" that appear ?

on the client (victim machine):

on the server (my attack host):

when running firefox, do you see connnection logs from proxychains ?

yeah

how did you got the web server IP ?

take a look here

(sorry to ask, I didn't took any notes since it was very straightforward)

this is not that webserver

the webserver is supposed to be on the internal network

not your bounce host

ok got it

scan for another host from your pivot host then connect to it from your attack box using chisel + ff

got the flag thanks, bad with details today

Hey anyone available for a question on FIle Uploads?

yes

hello everyone. I got a question about module WHOIS second question: What is the admin email contact for tesla.com? is it n.....@n....com

is it?

you would get help faster if you just asked your question

i have it as the answer

but im not sure if they changed the question

does it matter

Basically. I have gotten this much to successfully upload. However, if I insert the shell code it refuses to upload. What can I do?

if you have passed it already go on

spoilers

Should I message u privately?

you're on the right track

keep trying

I have a question

Does the shell code not work ONLY if the Content-Type is not an application type?

@sly dome yes it matters

the content type does not affect to the execution

explain yourself

And how about the MIME type?

mime type is used as filter

But why would I change the mime type if I know that PNG works?

yea why would you?

Then why do they teach u how to change it if it doesn't need to be changed

Is there ever a situation to change it?

it depends on the filter

you will see later when you get RCE

you can do the code review

there are a lot of machines on HTB CTF where u get RCE with mime-type

USING WEB PROXIES --> Repeating Requests --> Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.

I've found flag.txt but this is not the correct answer. Are there more than one to find?

Used payload ||ip=1;cat flag.txt;||

yes the other flag

i have a questions about moduel INFORMATION GATHERING - WEB EDITION section whois: What is the admin email contact for the tesla.com domain? anyone can help

i have n..........@n.....com as the answer but cant figure it out anymore

So if I remove PNG or if I remove the highlighted text, the upload is refused. if I include the shell code, the upload is refused. Is there anything I can do please?

keep trying what more can i tell you

if i tell you the next step i literally give you the solution

use what you learned

Can u give me a gentle nudge

lol so they changed the question

🤷‍♂️

lemme check notes ok

if I insert the shell code at the end, it succeeds the submission. However, it is only outputting an error which the browser shows on the right

😉

think!

Like Jimmy Neutron?

more

wat section was that

Like Albert Einstein

FILE UPLOAD ATTACKS

Type Filters

ya wrong mimetype o.O

Didn't u say that if the MIME type works don't change it?

And I asked u does the MIME type determine if execution will occur

i was thinking on the skill assessment

no the mimetype doesnt affect the execution

Good day, I have a question. I am new and I am currently studying in the academy and noticed when I click a spawned target its saying copied to the clip board, but when I try to paste it in my browser spawned attack machine the paste isnt working. I tried using the CTRL + Shift + v. PS it was working before. Can anyone assist to get it working again?

the web server is expecting an image

and its getting another thing

thats the error

but that is because the final extension is .png

the webserver thinks its a png based on the file extension and tries to render what you submitted as png, which doesn't work

But here in the module they used GIF8 and the web shell still worked

but they didnt upload it as .gif

we're doing your job here

I'm a business student they taught me to delegate work

maybe upload it as the php working extension?

like png.phar

thats your nudge

but it was explained in white filter section

if it uses this regex: if (!preg_match('^.*\.(jpg|jpeg|png|gif)', $fileName)) { it does not matter if it ends on those extensions

only if it contains them

which is this case

you have to work harder if you want to improve

Okay thank u I will try harder

well done

+77053644912

its me

Can I call u

sure

Rafa

yes?

Okay so next time if u dont help me I will give gay people ur number for phone sex

bro 💀

gotta go eat dinner good luck with modules

Thanks for ur help see u later

Module:Attacking Common Services,Section:Attacking SQL, i have obtained a hash for mssql, cracked it, but cannot connect with it to db, for given username htbdbuser, i can login but cannot enumerate a flagDB, do not have permission, could anyone help me pls?

-windows-auth

iirc

Yep

oh, thanks, fucked up 10 minutes of my life

Been there

not long enough

HELLO FAMILYYYYYYYYY

mssqlclient.py -h would have sped you up

well yeah, but too long to connect to mssql

ill try it now, thank you sir

will check out this flag

That's the help flag

No one waved at me

It gives you flags to use

anyways happy to be tere

there

This isn't a casual convo channel

your about me almost made me giggle

lol

Read #welcome and #rules

i said hi like

bro

okay limpejohn

hi back

Do you have a question about an academy module?

Or did you join just to attempt to troll

both?

i just joined the community and wanted to say hello

ok if its not allowed im sorry ig

As I said read the #welcome you clearly skipped over. This server is related to hackthebox content, and the only way to get access to more of the server is to have a hackthebox account

Module:Attacking Common Services,Section:RDP, i set a registry key to Pass-The-Hash, but now that says login as administrator with NTLM, do i need to upload a mimikatz and try to dump it? bcs there is no hashes in this section

Yes you'll need to dump the hash. You'll probably find the tool in C:\tools

oh there is no tools folders, okay i will upload it with via http

did you open the note that was left on the desktop?

😉

ahaha i didnt, got u 😉

😉

always enumeration skill issue

is it okay to ask for help on modules here?

Sure

i can't post screnshot

I thnk you need to verify yourself, instructions should be in #welcome

okay i got verified

any hints on third question?

you should put which course/section your on and what you have tried so far.

It's Linux Fundamentals, module System Information

Delete the image as it contains answers

So the path doesn't actually exist iirc on that system but it's going off of what the default mail path is

So Google that and you'll find it iirx

It could also be in the environment variable

Google "linux default mail path"?

I just remember it not being straightforward

Ye

okay, should this module have told me to google?

no module is going to tell you to Google, you're expected to do your own research

^

This field you have to be prepared to use outside material to the course to problem solve

Like for instance in one of the modules it doesn't tell you how to properly retrieve an email from imap, but doing some research I found a blog that has a bunch of useful imap commands and explanations

That I messed with a bit in that section to further understand

I see. thought the modules would contain everything

That's just not possible, the amount of information in this field is nigh infinite, the courses gives you the methodology and a ton of tools, but research skills is something you must develop for yourself

or at least 'everything' needed to pass those little questions

They contain enough information to give you an idea what to look up

okay, /var/spool/mail/htb-student didn't work

That doesn't look correct

There's a different default

Ye it's close

You just added an extra word

I think if you type env it's there

i did "env | grep MAIL" as suggested by a forum post

It's one of those "It's dumb" type deals

Anyone here can help with HTTP Attacks: Log Injection. In the log.php I am getting back the payload ＜?php system(＄_GET[＇cmd＇]); ?＞; but is not executing the php code. Anyone has a nudge? I was able to encoded with UTF-8 and URL. At the log.php I do ip.addrs/log.php?cmd=ls but nothing.

<@&861185840277487616>

xD sorry

nah it's ok haha

the first 5 chars match the role name lmao

yea

I wonder what the scam entails there

Did u guys ever use a XXE payload in a document

look up "task scam"

Are u still around @sly dome

yes

My kali vm broke for the first time 🥳

huh

this book covers the Linux Fundamentals modules?

or should I start with Linux Bible?

Books take way longer than online modules though

Thanks

@sly dome can you nudge me as to why this SVG file isn't being recognized as an SVG file?

probably the boundary ?

it appears like part of the code

line 26 add a line break

section?

web attacks module?

ah same module limited file uploads

Rafa do u remember that I have ur number?

true

why did you add SVG at the beginning of the body

svg do not have an specific file signature since it is just XML code

browsers can read and execute it

Thanks that's why it wasn't working. I learnt that before u said it cause I downloaded a bunch of svg files from google and they didnt have any signatures

👌

You can download that book free and legal under a CC licence from the book's official website, compliments of the author instead of No Starch https://www.linuxcommand.org/tlcl.php

Dude that author is a beast

I love that he's like "please buy it but like... lol you don't have to"

I like his book automate the boring stuff

Yeah I love when books have a Creative Commons edition or a pre-pub/wip edition from the authors. Even just buying a preorder on No Starch gets you regular updates til the full edition

And then, of course the book comes out in a Humble Bundle a few months later

I think i'll start wit Linux Basics for Hackers by occupytheweb

People often underestimate the importance of fundamentals

not the place to ask, read #welcome and ask in #boxes, it's 100% your script tho, plenty of people have done the box

Are there books that cover the same material as the Windows Fundamental module?

Footprinting Medium, i have the creds for the super user but remmina is not working neither xfreerdp

rdesktop did not try

w8 i have been trolled by smbclient

HTB - gofer error?

is this the right place to ask for guidance in HTB X Academy modules?

Yes, which module are we talking about?

intro to windows CLI > skills assessment > user4. im not sure which cmdlet i should be using as most that i learned in the module are not recognized

This one?
User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them

Once again, not the place to ask, read #welcome and ask in #boxes

Have you read the hint?

I can't give you much more as a hint.

files with information are bigger in size

footprinting module super cool ! but i expected the labs to be more difficult since people ask here bout them A LOT

finished the 3 labs in under 30’minutes

ive been chipping at this module for about 3 weeks now. its disappointing because ive been working in IT for years and i guess i never learned fundamentals or never needed it

intro to win CLI?

yes

i hope you spend less than 10 minutes each day then

coz 3 weeks come on 🤣

also hackers > IT average employee

Yeah, I expected the same, the labs were fairly easy, but the module itself did take a long time to get through

i finished it as expected

if it is marked as 2 days it took me 10-12 hours

at least that is what i’ve been noticing with every 2 days module

And then there's password attacks

8 hours... right

but i knew a lot of the information provided from before

i have +80 retired machines done with a lot of notes and im seeing the concepts in a theoretical way in the modules

the 8 hours ones usually are taking me 5-6 hours, we will see

That one is an exception, you'll see

So far, footprinting and password attacks especially are the modules that took me the longest, I'm guessing attacking common applications will top that

hahaha

why so long password attacks?

I agree if you do Password Attacks blindly without using the forums or Discord search or getting any specific help. It'll take you more than 2 days.

It's designed as a trap lol

It can take multiple hours for some brute forcing to finish running

i would not count that as time for the module tho

you can start with another module in the meantime 🤣

or do the season machine for example or just go touch some grass

Basically it makes you think something is wrong with what you're doing so you go down rabbit holes

It's only a trap if you don't properly enumerate, if you're using hydra to brute ssh, then yeah it takes hours

i prefer to ask if i should let it running to someone who finished it, at least for something like this…

I believe the module even tells you ssh is a slow service

Even ftp with that wordlist can take like 2 hours if you don't narrow it down

I didn't take that long

But I also used more threads with hydra

if you enumerate properly you can get rid of many passwords?

Instead of default 16

No, if you use tools and read documentation you can save yourself time

I had it running for an hour and a half with no result, 48 threads so it doesn't get unstable or miss the answer

im gonna start it tomorrow

That sounds like a network issue tbqh I think the slowest maybe took 15-20 minutes

want to see that

List all files

Could be, don't generally face any network issues tho, it's done now thankfully 😁

I do agree that it's poorly designed in having you make a 98k password list

Forcing you to wait arbitrarily

But I managed it without cutting the list

¯_(ツ)_/¯

Maybe the lesson is that you're gonna be bored waiting for tools to run on the job sometimes lol

Yep, usually in those cases you'd enumerate further if you have a user access

It's also a lesson in "for the love of God save creds you find"

I went through while doing it and wrote which services the creds work for

Yeah, luckily I already had the habit of writing down everything I find

i did. im trying to list out all the contents at once, struggling to do so

Hi guys, I'm working on MODERN WEB EXPLOITATION TECHNIQUES - Final Skills Assessement but I got stuck on q2, can you someone give me a hint ? thanks

i gave you a nice hint

files that have information inside are bigger than 0 bytes

||powershell -command "Get-ChildItem C:\Users\user4\Documents\ -recurse | ?{$_.length -gt 1} | ft fullname, length -auto"||

Tbf they don't really go over powershell in this section i don't think

think twice 🤣

Oh yeah it's the skill assessment

yyy

You can tell I honestly blocked it out

Tbh this module could be better formatted

happened the same to me

im going through the module again, i must have missed a specific cmdlet

but i usually go back to it and check something

are you ignoring me 🤣

Check powershell sections

https://tenor.com/view/what-am-i-chopped-liver-gif-11569208

6:34am here should i sleep or better tomorrow

Who needs sleep

i do, for work in about 4 hours 😪 ill try again next weekend

i gave you the command, and the hint to think it by yourself

so interestingly enough i wanted to sign up to check out the academy

the website is bugged

says invalid captcha, there's no captcha

Refresh the page

:^)

yea but there's no captcha in the first place

almost reminds me of the good ole days when you had to hack your way into HtB in the first place to make an account and get yourself a sign up token

but i don't believe i'm supposed to do that here 😛

Nah

You can try clearing cache and trying again

It could also be an adblocker issue

i killed my adblockers too

-_-

let me try edge

interesting, still nothing

Happened to me b4 it just worked the next day

and that has no blockers of any kind

Hi I am in the footprinting hard lab.
I just did my nmap and only got 1 ssh port and 4 mail ports
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
110/tcp open pop3 syn-ack
143/tcp open imap syn-ack
993/tcp open imaps syn-ack
995/tcp open pop3s syn-ack
I tried connecting with openssl but without creds it was nothing any clues as for what to do next?

did you scan for udp ports?

no I did not I will do that now thanks

gl

so i bypassed the captcha

i had someone invite me and it didn't complain about recaptcha

I have troubles fetching a mail from imap server can someone explain me the fetch syntax please I just did this from a blog

> FETCH 1 (body)                
* 1 FETCH (BODY ("text" "plain" ("charset" "us-ascii") NIL NIL "7bit" 3430 49))
> OK Fetch completed (0.001 + 0.000 secs).

i prefer curl

https://everything.curl.dev/usingcurl/reademail

thanks I thought curl was only good for listing

I will try curl now

https://book.hacktricks.xyz/network-services-pentesting/pentesting-imap#curl

Thanks this link had exactly what I wanted

yes HT is our bible

UID FETCH 1 (BODY[])

try

I will try it

spoiler btw

/INBOX;MAILINDEX=1

i thought it was ok as I did not mention the lab

tried got no return

the normal call returned an ssh key

like this one

i got the ssh with inbox;mailindex=1

Hey guys, for the Reporting module: it can be completed without this, however, one of the unfinished findings is a command injection vulnerability. Can anyone give some tips/hints on where to look for that command injection vuln? I found the other unfinished ones - LFI and password in description field.

you dont need “-X” xd

where u saw that

in the bible there was one for -X fetch

the second last example

you just cant read

It is also possible to use UID (unique id) to access messages, however it is less conveniant as the search command needs to be manually formatted. E.g.

IT IS LESS CONVENIANT

just use 1 2 and 3

you only needed this command

curl imaps://ip/folder;mailindex=ID

yes but it is returning the whole mail I just want the body

what xd

any way to just get the body

why do you need ONLY the body?

to directly store it in a file instead of copying

HAHAHAHAHAA

im done

did you try this command?

I will do it now

any reason to not copy paste the body

also you have grep awk

and stuff like that

just to hone my linux terminal skills

to format stdout

I am learning linux too on the side

you could do grep from the linebreak to the end

grep is very hard I am leaning it real slowly I do not know to get the linebreak

a

then learn how to?

linebreak is just a \n character

yes but how do I select a portion

I can only use it for searching the output

any good material from where I could practice grep?

just do the linux fundamentals module

* 1 FETCH (BODY[] {3661}

pretty sure if you google it you will find in less than 2 minutes

i just found it

and using your mouse to select and copy paste is a good skill

ok I will do it

ippsec does it like 20 times per video

I just thought it might come in handy someday

probably

but as a hacker you just need to know how to find it in your notes or in google

you dont need to know the exact command

but for a simple copy paste why make it difficult

ok I will remember not to complicate it thanks for the advice

any time dude

think that you could hve already ended the module

go rest or keep studying

in this meantime

I still need to find the cred for htb user so lab is still not complete

but I will take some rest after it

that is the easiest

but i let yourself with it

hey there everyone, cheers!,
I 'm working on transferring files with 'wget'
I used a pwnbox machine to set up a python3 http.server and trying to get a file from the directory my listening port is on while on root priviledges on the remote machine.
So..

1. The server is set and listening on 0.0.0.0
2. I 've used 'ip a' and have my ip
3. Fed the wget command using my ip and the port, then hit enter and I get:
   "Connecting to XX.XX.XX.XX:8000..." which times out, never gets there.
   What could I be doing wrong here? Any insights?

(btw I m logged on the last given remote server (target) w escalated (root) priviledges, I mean, it should work right?

If you're not pivoting through that system, there is no way to pass it back through

You said "last given" you'd have to roll it through backwards

finally done

On the target machine, navigate to the specific directory you wish to transfer from. Use the pwd command to determine the current path. Then incorporate that directory path into the wget command. For example wget 192.168.1.0:8000/filetotransfer.txt

Also if it's a windows system you have to specify the -o c:\file\path\to\download\file.ext

Do you see the GET request in your python server?

DM me if you like

@plain coral thnx

@fathom pendant thnx 🙂

Hey guys, has anyone completed all the findings of the unfinished pen test in the Reporting module's skills assessment?

Okay, so found out from the person who wrote the actual module. Turns out the user does have AllExtendedRights over the group, but this was not showing up in my scans using powerview but when using dacledit.py it shows correctly. So appears to be a tooling issue.

I see! Thanks for the information

Do you know if powerview always shows it like that, or this was an odd case?

Gonna retest shortly so will let you know

Will DM outputs

Alright!

Hi guyz !

I'm meeting a small trouble in the pivot/port forward module

In the chapter RDP and SOCKS Tunneling with SocksOverRDP

They ask to send SocksOVerRdp files to windows host

The files are DLL and EXE

I tried sending it by using HTTP, RDP but each time the windows host delete the dll file

Mmh it seems that we have to disable the av scan...

Sorry for disturbing

[MODULE] ACTIVE DIRECTORY ENUMERATION & ATTACKS
[SECTION] Kerberoasting - from Linux
[QUESTION] What powerful local group on the Domain Controller is the SAPService user a member of?

Tried commands from rpcclient, but couldn't find any other group except 1 (user "queryuser <username/rid>" and "queryusergroups <rid>")
How I can found out which groups user are part of?

You can see it in the output from GetUserSPNs or in Bloodhound

Hey guys, anyone doing the reporting module skills assessment?

hello everyone! got a question about module "information gathering - web edition" section "Active Subdomain Enumeration" last question:Submit the number of all "A" records from all zones as the answer is it 2x or just 7

asking because i cant reproduce 27 as the answer anymore. guess they changed something

Make sure you're not like me who can't count

^

Don't forget the other subdomain in the zone

i have all subdomains an now it counts a one digit number. is this wrong

i have the answer already submitted as a two number digit

Your grep or wc is wrong (or your dig command)

so is it still a two digit number

Yes

Yes

like x7

Dude you already said the answer lol no sense trying to be cryptic anymore

ok 😦

Make sure you've found all the zone transfers that can be performed

are there more than 2

Yea

sure .)

Yep just ran the needed commands to make it easier and the right answer is still the right answer

got it thx

Hi All, Grad student here. starting out on CPTS course on student subscription(provides access to all Penetration Tester job-role path modules for a monthly fee) - Could someone clarify, If I will have access to the modules that I have "completed" after I stop the subscription?

Those that you have completed, you will have access to

The student subscription I personally wouldn’t stop, unless you finished everything tier 0-2

The value is great

Yes of course. I believe i would have finished everthing tier 0-2 by the time i complete the Penetration Tester Job role path? @analog dock

No. There’s more modules

Oh okay. I didn't know that. I'm a student graduating in 6 months time. My student email will be disabled by end of my course. But I will definitely need more time to finish everything tier 0-2 and take the exam later. Should I still go for student subscription or Silver annual subscription? please advice @analog dock

You don't need to do all tier0-2 modules for cpts

All modules in cpts are t0-2 though

looks like the mass IDOR enumeration chapter needs some rework for the questions section to make sense again - pretty much everything told above is not like in the machine. there is no /documents.php forward, there is no uid=1 get request and therefore the script wont work... for everybody else stuck in there: try post and modify accordingly

Student subscription is best value till you finish all tier 0-2. After that platinum is best value for the higher tier modules

What does this red minus sign mean

Can HTB academy email be changed to a personal email once my current mailbox access is removed? (So I don't lose access to the finished modules)

It means negative

Yes you can have both

Guys in network enumeration module they put that the -sn disable the port scanning.
Is this right? I thought it was for enabling host discovery scan using ICMP !:

I am not sure why the negative sign is showing up here

It does both

Because the command is taking the input as literal name/password not file

That's good. Thanks.

Thanks 🤜🏻🤛🏻

If you examine the output it will show you

So I don't actually use 'user.list' or 'password.list' as indicated in the example of the section of this module

if the files don't exist in the local directory- then it takes it literally

use the typical ./

It doesn't matter tbh the ./ to indicate current directory, as it's outdated - most codes are optimized to check if it's in the cwd or not

Hi all, has anyone completed all the findings of the unfinished pen test in the Reporting module's lab?

You'll get more people to answer if you actually ask your question, as generally as possible

Just asking if someone completed it initiates a game of tag where responses are waited for

Interested on anyone else’s thoughts on this? I know there is a caveat in the module that says wait 60 seconds after your target has spawned then you’ll be able to see the service on the box. Is it intended behaviour to reset the target 874 times In Attacking Common Services - FTP section? Was using the Pwnbox and inb4 ‘your internets ass’ comments. Completed the section but that was annoying 😂

Yeah, I know but I did that all day yesterday and noone responded.

I also asked on the forum but cricket noises there as usual.

And I am on a tight deadline to do this module so I have no choice

you didnt ask anything

But just in case, my question is whether anyone has found the command injection vulnerability for the optional exercise of the Documentation and Reporting module Lab?

I did, yesterday

this question?

yes sir

then probably those who read it didnt find the vuln

yep, I undestand and will ask more precisely next time

and considering it is optional exercise

you know what i mean

I mean they say its optional but anyone who has done the module knows that its not haha

because the optional exercise is basically to finish the pentest report which the whole module is about

it says its optional but you need it to finish the moduleV

personally im not losing my time with something i can just skip, i would try for some hours but nothing more xd

prefer to invest it in the attacking enterprise module

no, you don't. You can finish it without doing the exercise. But the whole module is about writing a good report and the "mandatory" exercises do not have anything to do with the actual contents of the module. The mandatory exercises are some basic ad stuff. While the optional exercise is about finding 3 more vulnerabilities and then writing them up.

I see what you mean. I will be writing a report for attacking enterpirse module as well. But I would like to start the exam soon after finish that module and I do not want to wait for feedback for the report.

what i meant is here you get answers if someone has done it

yep, I see what you mean. Still worth a shot.

The people have may have done it are those who've finished the path, a lot of them don't hang around here and probably plenty didn't do it if it's optional. Any reason you're in a hurry? Would be valuable if you could wait to get some feedback on a report after attacking enterprise networks.

one of your biggest deals is madf0x he has the CPTS and is considerably active in the chat

good point. I guess I will have to wait to get some feedback on the attacking enterprise module. I just wanted to have as much feedback as possible in order to get the exam on the first try.

thanks, I will be on the lookout for him/her

also PayloadBunny

both of them should’ve found some if not the 3 vulns

in my case im at least 10 days away from that module

and rat has offered to look over reports

I'm at least several weeks away from it

im starting password attcks today

gonna skip others just for the pleasure of it

Have fun 😁

the worst module)))

strange

uuuuh, you're reading the output wrong

Pwn3d is output from the tool, which means the user is both valid and has local admin rights

Ah "john" is the username

The password isn’t pwned and the user isn’t November

Yup!

That november

wait

did he use the password as user?

and the pwned as password

haha that was funny

Ye

They tend to misread the output

I think partially language barrier when learning

the good pwned message from NetExec

guys i have aprobleme with mimikatz i unistall and inmstall again and still the same probleme

Trying to run mimikatz in an evil-winrm session?

did you run it with “exit”

i did that befor

is it going to cuz a probleme

nop

why not xd

All commands have to be on one line in quotation marks and always end with "exit" ^

it can get buggy over remote access like winrm

its a widely documented problem/issue

but again the google search skill

thx'

if you want you can run it in interactive mode

just issuing “mimikatz” without arguments

yeah, it really does not like it.

unless you have to use mimikatz, rubeus is way more stable over unstable remote connections

ah the good old rubeus

nowadays we have a lot of alternatives to mimikatz tho

but modules teach the common tools of course

Anything in particular you prefer?

if i have RDP i would just dump the lsass RAM process

with the task manager

then analyze it and extract hashes and all with volatility

or pypykatz

I try to avoid RDP as much as possible

netexec (old cme) has the lsass module

—lsa iirc

lssasy also a good tool

There's --lsa and -M lsassy

Yeah

yea netexec is huge

i think you only need that tool

at least for common purposes

You could definitely do a whole pentest just with that lmao, but it's a bad idea to rely on one tool too much

but mimikatz is simply the father of all

all hail Delpy

his contributions are just too much

he's always like 10 steps ahead

i think he has C code implemented in his brain

ive review some of his code

cant even understand

🤣

On a side note, this is also amazing by Schroeder and Christensen https://specterops.io/wp-content/uploads/sites/3/2022/06/Certified_Pre-Owned.pdf

he just knows Windows too in depth

years of experience and also a smart person behind

It's hilarious how he's like "I was just playing around to learn C", damn man, wish I could play around like that

Really good stuff for sure

When the quiet kid drops bars

gonna save it for later

Everything ADCS is great basically

https://www.netexec.wiki/smb-protocol/obtaining-credentials/dump-dpapi

—nosystem option is fire

IKR hey here is my project to learn C btw it will be instrumental in offsec moving forward

pretty inspiring honestly

can anyone help with AD skil assessment part 1 I uploaded Rubeus and ran

Rubeus.exe kerberoast /domain:INLANEFREUGHT.LOCAL /user:svc_sql /nowrap

but it says LDAP query failed

idk if i'm missing something

Read #rules

Can someone please help me with the very first question from the Linux Privilege Escalation module? I think I've wasted way too much time on such an easy thing. I think it has to do with the other user but I get permission denied when I grep.

Bye bye

oh sorry

Thanks

Is it actually bash telling you it's grep?

What question exactly are you on?

3

I run a grep command to search the whole filesystem but i get permission denied on two files from the other user

i used powerview actually to get the ticket

This one?
Submit this user's cleartext password

Well, can you be the other user?

In my notes the questions are not numbered, sorry

I can't get rubeus the kerberoast is my issue

no I tried

just finished the module ig ille go do some ad boxes even tho i dont know annything about windows priv esclation

Maybe Rubeus is the wrong tool.
This is exactly why I always ask for Module, Section and Question.
That way I can look in my notes and assess what works or doesn't work.

Need some help for XSS phishing part (https://academy.hackthebox.com/module/103/section/984)
Do I need to submit all the request or something ? (I have the creds but nothing passes the check)

Actiev Directory Skills assessment... https://academy.hackthebox.com/module/143/section/1278

1

yes

dont relay on 1 tool like if one didnt work u can use others

try power view may be

I just assumed mimikatz would require me to have creds to run it I'll try other stuff

go to login.php and use the creds

i didnt use rubeus i just used power view and it worked

so i dk what is the problme with it

every tool that dump stuff need at least local admin privileges

hi

i am new

I'm feeling so dumb, it is written in the exercise
thanks

is not like Rubeus does something very different to Mimikatz

can anyone teach me hacking

pls

read #rules and #welcome

then?

you can learn in the academy site

for free?

keep reading

or paid?

some modules yes

oh ok

paying you get access to more content

All Tier0 Modules are free

every tier 0 is free

ok thx @sly dome

I really dont get what I am missing

Can one of the mods or admins help me? The hackster bot says that i need to contact a admin or mod.

Packet Inception, Dissecting Network Traffic With Wireshark
Which employee is suspected of performing potentially malicious actions in the live environment?

can i ping a mod? 😭

there are certain packet’s where a username is being used

username is not showing

When I run the command:|| grep -r -l 'HTB{' /home | 2>/dev/null|| I get grep: /home/lab_adm/.viminfo: Permission denied

and I cant find the lab_adm password

keep looking for it

does anybody remember this for the module Linux Privilege Escalation?

is there any option i have to enable in order to see hostnames

can i ping a mod?

you just have to look at some unencrypted packets

stop asking that please

WHY

I need help

not the appropriate channel

i dont got the channels thats the whole problem

go over the platform and use the green bubble chat

The bot says i need to contact a mod

I cant believe Ive spent almost 2 hours on this, someone please 😭

you have to escalate privileges to read the flag

not here, in the HTB website

Identification error: please contact an online Moderator or Administrator for help.

Hello guys, I'm stuck at this question "What is the FQDN of the host where the last octet ends with “x.x.x.203”?" In the Footprinting module (DNS)

yes go over HTB website

ugh that shit again, yk what fine

I tried a lot of things but it doesn't seem to work

dnsenum --dnsserver 10.129.64.254 --enum -p 0 -s 0 -o subdomains.txt -f /home/dekryptor/Downloads/fierce-hostlist(1).txt --threads 90 inlanefreight.htb

you didn’t try the correct thing

you’re on the right track with the wordlist

you have more subdomains to test it in

on

maybe it is a subsubdomain

How should i figure it out?

Any hints?

trying?

i gave you the hint

Ayo💀

.

test with subdomains

also with a for loop in bash you can test in all subdomains at once

and grep for 203

when I try I get Sorry, user htb-student is not allowed to execute '/usr/bin/su' as root on ubuntu.

or grep '.203'

Ight, I'll try

the point of privesc is to find a flaw that let you actually escalate privileges

enumerate harder

Ill try I guess

iv e been at it for almost 2 hours though

I feel so stupid

is it a skill assessment?

no its the VERY first quesiton of the whole module

then just do what the section does

I did like twice

tried it but not getting hostname only mac address of network card