#modules
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
oh ok
understood
went thru this
thanks a lot!
?
no idea
Ok follow up
I have a number of pivots set up previously using 9050 in my proxy
Now i am setting up this one. I'm using the same 9050 in this new meterpreter one. could that be the issue?
¯\_(ツ)_/¯
lol i think it was
Having trouble completing Footprinting, Section SMTP
Here is what I've been trying: || for i in $(cat ./footprinting-wordlist.txt); do echo "VRFY $i" | nc -w 3 $IP 25 | while read response; do echo "$response"; done; done||
I haven't really made a whole lot of progress because nc seems to skip multiple entries in the wordlist
currently doing a tcpdump to try and figure out why that's the case
any advice can someone please fix my tunnel vision if this is completely the wrong way to enumerate this
side note anyone know of a handy way to grep tcpdump
just use the smtp-user-enum script
I tried using that it seems broken
it's not
by default it scans like 10 users and always finds them
you just need to use the right params
okay
whichever one you're not doing
smtp-user-enum is a script
do smtp-user-enum -h to see what you can do
i meant it's its own command
not just an nmap script
yes
appreciate the help
How did you enumerate the domain?
Well if you read carefully you'll be able to figure it out
I'm on the password attacks lab easy and tried to hydra my way into ssh and ftp but both got no result after 30 min of brute force, anyone got a clue?
woot woot! got past the part I was stuck at on Intro to Assembly last night!! I guess I just needed some sleep and a fresh look at it 😄
use the username & password wordlist given to you for that module
did so:
hydra -L ./username.list -P ./password.list ftp://10.129.202.219
-t 64 😉
How do you enumerate the domain for Module Footprinting, Section SMTP?
did you get the tool?
Yeah I did, it doesn't seem to be working correctly without providing the domain
in tcpdump it's not sending any VRFY commands
use it with the option ||-M VRFY||
i am
and give it a wordlist
did that too
what was the output?
||smtp-user-enum.pl -M VRFY -U footprinting-wordlist.txt -D mail1.infreight.htb -t $IP||
0 results
i don’t think you need the domain
alright I'm gonna try resetting the lab and giving it another go
remember that there are servers that take a little longer to respond
in the password attacks lab - easy i got the root from looking in the ||bash history.|| Was this the intended way ? 😄
I was using the wrong github tool I guess??? Tried downloading another smtp-user-enum tool and tcpdump is capturing VRFY
finally got it
never give up lads no matter how much time it feels like you're wasting
Where would I go if I wanted help trying to solve a box? I was able to ftp into it but when I do ls I get no file and it says html, the http website is the default apache website and idk where to go from here
you'd first read #welcome and follow the instructions to access the rest of the server
Hi, can I DM someone, I need some help with AD Enumeration & Attacks - Skills Assessment Part I
how do i open docx files on the Attackbox? 😄
where are you stuck?
Submit the contents of the flag.txt file on the Administrator desktop on MS01
authenticate to that host with the creds you found
just like you were taught 😉
Thanks
hi
Hi
I am on password attacks lab medium. Got a shell with the jason user but got no clue how to get to root.. Anyone got a hint ?
here's a general tip: always look for what your user has access to
Ty, i had to reboot everything
there’s an ||sql server|| hosted on that machine 😉
Hello, I am studying Bloodhound and I have a question regarding the privilege escalation using the Get-AD* commands available with the RSAT AD PowerShell package: how is an attacker supposed to execute those commands to privesc if he gains access to a basic computer in the AD where RSAT is not installed? It requires elevated privileges to install it. Sometimes exploiting a Bloodhound privesc without using the AD PowerShell commands is impossible, so I don't understand ...
I am on the SocksOverRDP tunnel module. I have successfully copied the two files I will need to complete this section. Not sure what I am doing wrong
I typed this command 'regsvr32.exe SocksOverRDP-Plugin.dll' and the dll file was in the directory I typed that command in
https://academy.hackthebox.com/module/158/section/1439
does anyone know where i can find this powershell module
i found one but its not giving the same results
if anyone can help
ill be grateful
Still have not resolved this. Every time I move the 'SocksOverRDP-Server' folder to the Windows desktop and try to run the command 'regsvr32.exe SocksOverRDP-Plugin.dll' in the SocksOverRDP-Server folder, the 'SocksOverRDP-Plugin.dll' disappears. Strangest thing, and even stranger that they don't mention that plugin disappearing in the module
Have you deactivated real-time protection?
I don't know how I would do that
Settings > Windows Security > Virus & threat protection > Virus & threat protection settings > Real-time protection
I think I have a different issue this time and I turned Real time protection off.
Maybe if I run the command prompt as an administrator it would work .
Yes that worked.
They should have mentioned that you need to change virus protection settings in the module. Would have saved a lot of time
again targets not spawning 🙃
yep same here 
at least for me is a little frustrating
i can understand it happens once or twice but not every day xd
im paying for this
Wow
that's got to be frustrating.
my targets are spawning, i just can't seem to figure out this one.
Anyone 🥲
why do u need that xd
its for the hard skill assessment right
remember before diggin into harder stuff you can try the low hanging fruit strings
You start mstsc.exe on the local machine, not through Proxifier
Yes I tried that ... so would I start 'mstsc.exe' in the folder where the proxifier is?
No, type run or Windows + R, then mstsc.exe and enter the details of the machine you're trying to access
If Proxifier is configured correctly with the SOCKS proxy you should be able to reach the target
Hey guys, anyone know how to use Splunk? I am really stuck, I tried multiple queries, none of em work.
Dw about the answer is wrong
I am banging my head against the wall, please help me before i get a craniocerebral trauma
hey, I really need help in AD Enumeration & Attacks - Skills Assessment Part I question.
can I dm anyone for it.
where are you stuck?
I am stuck on question no 4 I am unable to connect to the MS01
I think I am doing something wrong
strange, are you using valid creds?
yes
then you're not doing anything wrong, you just need to start a New-PSSession with MS01
or simply login using rdp
with valid creds of course
Hi , I need some help regarding footprinting lab - medium exercise. Can I DM someone to enquire on this ?
where are you stuck?
Pmed you on my current progress
I have a question that I'm embarrassed to ask xd, just solved Q4 AD Assessment Part 1 "Submit the contents of the flag.txt file on the Administrator desktop on MS01" by using evil-winrm over proxychains. I was stuck for a long time trying to find a way to connect to MS01. It took me over 1 day, first I got lost and did not know what to do at all! tinkered for some time, referred to help here and found chisel is the way to go. After chisel I did not know how to connect again! spent hours trying with impacket-mssqlclient but it didn't work (used all variations of proxychains impacket-mssqlclient svc_sql@172.16.6.xx ). Searched here and saw someone mentioned evil-winrm and connected using that. Question: how do you guys know you should use evil-winrm in that situation, or how do you get unstuck overall? because no way I could try evil-winrm without the help in discord. Is it normal to feel this way and get stuck? or am I too dumb for this? 😄
yes you're dumb (kidding) but tbh you should always be trying everything
that's how you move forward is by trying things
it's gonna be similar in the exam probably; you might not KNOW what tools are readily available and ports may be accessible internally
so you just kinda gotta fuck around
I'm at the half of AD, but i think there is a way to read the file without connecting... you can try it with the command Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query 'PUT YOUR QUERY HERE'
first you can see where you are there, then you can try to get flag with cat....
right, I think I need f around more :)) and need more practice.
thanks, found the answer. it's on the administrator\desktop directory so it is not in the DB.
you could have confirmed the winrm service is listening by checking the ports 5985,5986
I am having an issue with my nmap scans for the Network Enumeration with Nmap module. I just completed the module, but I thought I'd go back in to repeat the labs and note down my steps taken. However, now when I run my service scan (-sV) on the correct port for the Medium lab, I get no results for version. I then tried with -A which I found online to be a known success (full input is: ||sudo nmap 10.129.61.176 -p53 -D RND:5 -n -Pn -A||), but I get this output:
Starting Nmap 7.94 ( https://nmap.org )
nmap: traceroute.cc:653: virtual unsigned char* ICMPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion `source->ss_family == AF_INET' failed.
Aborted
I've done some googling but I can't find a solution, any ideas on what the issue is?
screenshot
you don't need to do the RND thing btw
the error looks like an ICMP error just from looking at it
really good point. so the first thing to do after jumping onto a new host is to do another ping sweep to see where u are?
which is odd since you have -Pn
yes practice help, but sometimes you can get some clues of what to use from open ports, or you can just simply try everything and see which one is working :))
internal enumeration 👍
strange
@lusty thicket @steady dust Thanks for the tips guys!
Yeah, it worked fine when I first did it and got the flag, so I am super confused because I don't believe I changed anything since then.
Has anyone solved Web thick client? I've been told to see the IppSec video. But my question is, am I doing something wrong that the open button is not showing in the bottom?
nowhere, you're asking to break a game ToS my guy
yeah the shit game banned my 2 ids and i spent so much money there
😭
then take it up with the game's customer support
keep the channel on topic
oh
sorry
i am new in this server
then learn to read
generally the first thing you should do is read a server's welcome and/or rules channels
Anybody
. Attacking Web thick client ?
lots of people have had issues; try starting from step 1 again and make sure you didn't miss anything
as this section was a late addition, most people have had complaints about its addition to that module
I can login but the button in the bottom never shows
I've tried to keep going and updating the Java code on lines 20 and 76 and running the SQL code. But it still fails. I'm just wondering if it maybe has to do with that. Idk. If anybody can help me get thru this.
A DM Would be much appreciated
@wild iron Did you get it?
still not xd
The question is asking what command is being run, not the query.
Answer format: net view /Domain:_.local
Ok maybe I just don't understand the question
I just tried reinstalling nmap from source, still the same issue. I don't understand what the nature of the problem is other than it trying to make an ICMP packet and something failing, any ideas, or thoughts on where else I could find help?
nope
hmm thanks anyway!
Yeah, you'll need to change the query as stated in the question.
I was able to get the answer relatively quick. So i'm sure you can get it. Just make sure you understand what you are being asked to do.
Honestly maybe I understand the question but not the answer format
I am so confused rn
the answer format is asking for a command like "net view /Domain:_.local" you'll need to find this.
OHHHHHHHHHH
so no commandline="net view"
you mean commandline needs to be replaced ?
I'm not going to tell you how to get the answer, you'll need to find that out. But I'm telling you how the answer is formatted as stated in the question.
It relies on basic Windows command line knowledge.
if i find a stupid answer, boutta straight punch into the computer i swear
I believe the question does an adequate job. If I give you any more I'm giving you the answer.
ok ill spend a few more hours before harassing you again
Tech Laci
@slender shoal I AM SO SMART I FOUND THE ANSWER
😭
Hi Legends, AD Assessment 1, after connecting to MS01 via evil-winrm over proxychains, how do I transfer files from the Windows shell machine to MS01? Currently stuck at "Find cleartext credentials for another domain user. Submit the username as your answer." I think I need to transfer mimikatz.
you don’t need to transfer anything
Hmm okay let me try more. Thanks
Maybe you can try Snaffler xD
Check the forums. There’s some useful hints there
https://0xdf.gitlab.io/2020/08/08/htb-fatty.html
https://youtu.be/3bvKLj0akMM
https://forum.hackthebox.com/t/exploiting-web-vulnerabilities-in-thick-client-applications/276823
Yeah, it's not exactly the most fun. I also used Recaf to compile it quickly. It took me a while to get through that section because it is difficult.
https://github.com/Col-E/Recaf
it's asking for 2 servers
yes it does
still stuck here, Any tips on how to proceed/which module or tool to refer to?
use methods from the file transfer module
can someone help me with the Footprinting module, Footprinting Lab - Medium: "Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer."
I have got the user alex and I understand that I should do RDP, but this user is not working. What can I do?
why is it not working?
Because his user has no permissions for sql database
Hello I have a question but I don't want to spoil the exercise
Can someone go private?
USING WEB PROXIES
Skills Assessment - Using Web Proxies
Did you try Snaffler?
if anyone needs help with AD Enumeration & Attacks - Skills Assessment Part I you can DM me.
I am stuck on SECURE CODING 101: JAVASCRIPT at the Dead Code section. It says "Next, we can delete the original content of sendCode.js and replace it with the completely unpacked version from the previous section, which should be still in Prettier." So do I get the code from the Unpacking section or not? Cause I try to collapse all the functions and it doesn't give me much.
I believe I need to get the code like in the image
Also it could be something related to max tokenization length, although i changed it
You'll get it after you recursively unpack all packers in the sendCode.js source.
ok but do i need the code from this section or the previous one ?
I don't think you'll be able to get the completely unpacked version of sendCode.js from previous sections 
They're mostly shown with images or code that is snipped.
I believe there's a lot of corrections to be made to that module, so I'd advise you to read/follow ahead or a module further instead of getting stuck following things there line by line.
Ok thank you
The problem is I could not transfer the file yet 😄
Finally!!
once I type 'mstsc.exe' on the machine where the local Proxifier is configured, I should be prompted with a window asking me to enter the details of the machine I am trying to access?
You have to start the dll file first before mstsc.exe
When I tried entering the IP of the target machine (172.16.6.155) that did not work
looking for a hint on the attacking kerberos module skills assessment final question: I am on ||server01|| and am using Rubeus to monitor at an interval. I have got ||jakes|| tgt and have tried to trigger ||spool poc|| but it won't work. I also tried exporting that ticket and triggering from linux in case. I know I have to use ||unconstrained delegation|| and that ||annettes|| account has an ||spn|| so have that part.
click "show options"
Do I not enter the target address? Because when I did enter some of the credentials of the target address and the target IP address itself, it didn't work.
I am looking for a hint on the last two flags for the Pivoting, Tunneling module in HTB Academy. I found the vfrank creds but I can't connect to the last two machines for their flags. I successfully got a meterpreter shell running on vfrank's desktop. I know the last two IPs but I am stuck. I am not sure how to do a Responder attack through a pivot. I don't even think that will help tho
Are you sure it's the right ip
And right creds
I am using the IP and creds from the question. Was I supposed to do anything else to Proxifier after I configured it?
so I enter Victor's credentials and IP address
Yes
Jason is the last step
Now go back to the foothold machine and try and connect to Jason
If you flow each step properly it should work
I'm not gonna walk you through the section, it already is a walk through
Just make sure you follow the steps line by line
Deleted: wrong section; sorry folks :/
This channel is for academy modules only. Please review #rules and #welcome and you can gain access to #challenges
Tune in everyone for my talk about “Advanced Code Injection” in the Uni CTF stream.
https://www.youtube.com/live/dlu5gvOmvFs
Note: when I say “our recently released path”, I mean “our soon to be released path” 🌚
Okay, but these walkthrough instructions are not good for this module. I had to disable the Windows security settings even though it wasn't in the instructions, because I was having trouble moving the SocksOverRDP folder from host to target machine
Hey, I think something weird is going on, I'm working through the Login Brute Forcing module and I'm struggling with Skills Assessment - Service Login. I'm pretty certain something odd is happening with the spawned target, as the IP I'm given to attack (83.136.254.53:35855) is not listed on the route table:
default via 10.42.0.1 dev eth0 proto dhcp src 10.42.0.116 metric 100
10.10.10.0/23 via 10.10.16.1 dev tun0
10.10.16.0/23 dev tun0 proto kernel scope link src 10.10.16.36
10.42.0.0/24 dev eth0 proto kernel scope link src 10.42.0.116 metric 100
10.129.0.0/16 via 10.10.16.1 dev tun0
This also means that I cannot reach it even though I have the VPN running, and cannot attack or progress
hey can anyone help me in AD Enumeration & Attacks - Skills Assessment Part II question number 7.
I got the shell but its nt service\mssql$sqlexpress
i'm gonna blow your mind: that's a public IP
Then why is HTB providing it?
because it's being hosted on a docker container probably
¯\_(ツ)_/¯
it's not entirely unheard of for them to do that
in the Getting Started Module one of the sections uses a public IP
That I understand, but from what I gather, attacking a public IP without written consent of the authorized people = bad
if it's being given to you
with a specific port
that is authorized
this is likely an IP and container that HTB controls
but stick to the IP:PORT for the attack
Well that's at least a little reassuring, but sadly I still can't progress cause it refuses incoming connections :(
are you specifying the port in your attack?
http defaults to 80, so unless you tell it otherwise, it'll use that
Have you transferred SocksOverRDPx64.zip, or just the SocksOverRDP-Server.exe, to 172.16.5.19 by copying and pasting it? You can then start SocksOverRDP-Server.exe with admin privileges.
Yes, I'll DM you my commands if that's ok
oh my bad then
I'm certain the mistake is on my end, but I've tried many things including checking writeups and I can't figure out why it doesn't work
Configure Proxifier on the foothold. With Proxifier configured and running, you can start mstsc.exe on the foothold and connect to 172.16.6.155 with jason:
This is the command + output
└─$ hydra -L ~/Desktop/Anarchy/username-anarchy/HarryUser.txt -P ~/Desktop/CUPP/harry.txt -f ssh://83.136.254.53:35855 -t 4
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-12-07 08:13:24
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4206 login tries (l:1/p:4206), ~1052 tries per task
[DATA] attacking ssh://83.136.254.53:35855/
[ERROR] could not connect to ssh://83.136.254.53:35855 - Connection refused
All I need to do is configure Proxifier? Do I need to do anything to get it to run?
*All I need to have done
ssh? 😂
So I'm not meant to do exactly what is said in the question, right?
I'm also not trying to bruteforce port 22
Yes you need to run it
did you read it?
ssh to the target
with the credentials obtained
that is weirdly phrased it happened to me also
also that port is likely an alt ssh port
i think
the port given is forwarded to ssh in the container
yeah but I think you have to specify the port a different way with hydra
not just tacking it on at the end
yes with -s iirc
Where are you stuck, what have you done so far?
you mean reusing the credentials from the previous question?
no the :port option works, it can be a little weird sometimes though, using -s is better
Should I run these while SSH'd in?
You need to connect to the pivot machine with victor, then run Proxifier and SocksOverRDP-Server on the PIVOT machine.. then you can connect with Jason
ok I appear to be having a VPN issue
ffs, was that in the end after all I hate it here
so don't go back to the Windows host machine where I set up Proxifier at all. Run the SocksOverRDP-Server.exe file on Victor's machine
If that's the case then I think my issue was with Proxifier not properly running... even though it was configured
iirc you have to run Proxifier from Victor's machine
how the hell are you supposed to crack Notes.zip? lol
which module were you doing
is it through brute forcing the docker ssh?
yea
the wording is really really confusing, as well as the fact i had to use the pwnbox to even be able to reach the target
Module: Attacking Web Apps, Section: Attacking WordPress --- can't update file in WordPress theme editor -- error: "Unable to communicate back with site to check for fatal errors, so the PHP change was reverted. You will need to upload your PHP file change by some other means, such as by using SFTP." ------- tried sftp but no success --- any solution to this problem? thx
Got it -- had to deactivate all plugins
Ok so i am getting frustrated at this point. Two hours on how i am supposed to even begin this module.
I get presented with a jumpbox to the internal network that hosts 3 systems with different vulnerabilities. All of them are web applications. I tried activating ssh on the jumpbox and that worked fine, and then used an ssh proxy to let me access these web applications, but it literally does not work. I've set FoxyProxy to port 1337, and then this command on the ssh jumpbox: ssh -D 1337 ip:port -i id_rsa, and i get connected, but when i try to access these web applications it's stuck loading. Maybe i am missing something, but can someone put me in the right direction so I can begin this Live Engagement? I've tried using SOCKS4 and SOCKS5.
The errors that i receive in ssh:
connect failed: Temporary failure in name resolution
network unreachable
etc.
This is the module for those who want that. https://academy.hackthebox.com/module/115/section/1139
Take a look at the error message.
The name resolution is obviously not working. Are you trying to access a domain? Who or what is doing the name resolution?
you can run sys commands in that server 😉
yea i know, but wouldn't the dns work over the SOCKS5 proxy?
you were given valid rdp creds for the jump host
there is like a jumpbox on ip 10.129.xx.xx and the internal network is something like 179.10.xx.xx something. Wouldn't using a SOCKS5 proxy thru the jumpbox allow me to access the internal network that way?
yes, but it didn't have a web browser on that machine
so i don't see a way to access the web application
maybe with curl but that is a lot more painful
Can anyone help me with this kerberos assessment?
type in firefox in your terminal
my original question is here - looking for a hint on the attacking kerberos module skills assessment final question: I am on ||server01|| and am using Rubeus to monitor at an interval. I have got ||jakes|| tgt and have tried to trigger ||spool poc|| but it won't work. I also tried exporting that ticket and triggering from linux in case. I know I have to use ||unconstrained delegation|| and that ||annettes|| account has an ||spn|| so have that part.
i've searched through previous posts and can see bunny here has given hints but there is something I am not getting
@lusty thicket yes, but also those rdp/pwnbox connections are ungodly slow. Would much rather be able to use my own machine than those for attacking
also i didnt know that firefox was installed lol, thanks
might have mistyped it when i was first trying it
i didn't have issues with the speed on rdp when i ran through it
I'm sure I'm missing something really simple but maybe someone can help me out. In the Kerberoasting module, the first section: I log into the Windows machines to get Rubeus hashes, I then put my hashes in the shared folder. When I try to log into the Kali machine nothing will work. None of the IPs given will allow me to SSH to that machine to use hashcat. Anyone run into this before, or what am i missing?
There are two kerberoasting sections in the AD module.
@slender shoal it would be the first
Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him? (Answer format: [key] + [key] + [key], i.e., fill in the values for "key" and leave the brackets and + signs.)
what does it want
T_T
Kerberoasting from Linux? or Windows? The first one says Linux.
@slender shoal have you got any pointers for the kerberoasting module skills assessment final question?
@slender shoal sorry, should narrow it down. This is through the SOC path, Windows Attacks & Defense, Kerberoasting
I have not done that. Make sure to include module name and exact section name next time. It will help with others trying to assist.
@slender shoal will do
Is this also from the CDSA path?
Yes
it's just the standalone kerberos module
I have not completed that.
no problem.
Tried to set the server as a trusted host as well. That didn't help: " Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value '*' "
klist shows the imported keys
this is hack the box...
if it's any consolation I am also struggling with the delegation issue also hahaha
Nope
you'd need a browser extension
even if you hadn't asked, others have
I haven't looked into it bc I don't use light mode ¯\_(ツ)_/¯
why nervous? ¯\_(ツ)_/¯
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
Anyone got an idea? I mutated the pwd list. Used hydra (still running), crackmapexec showed no (Pwned) -> no right password?
That's Password Mutations Section.
(Currently attacking ftp - already did ssh and smb).
I will try changing the response time and threads.
Attacking ftp is better as ssh is slow
Yeah.
And threads between 48-64
I am using hydra -l sam -P custom.list ftp://10.129.X.X -t 48
Should I re-run and increase to 64?
48 is fine
Alright, keeping it.
And to be sure you used the password and rules from the zip files yeah?
Yep, custom.rule
The list should be ~90k
94044*
This module is a lot about patience
Also: save passwords you find
They do get reused at times
someone, anyone, please give me a nudge on the final question of the kerberos skills assessment. I have ||jakes|| ticket, I have dumped the hash of ||server01||, I am unsure of what else I need to do. I have tried creating silver tickets
I noticed that there's one SSH key for most of the labs.
Bro...I can just.
Yk what.
Let me try the general ssh key.
?????
There's not
There is, same ssh key for a few labs.
In footprinting, metasploit.
File transfer.
I even saved it X_X
That's odd and probably not intended
:)
And you likely didn't learn the intended way
You're shooting yourself in the foot by trying to shortcut
I know, just messing around.
I won't bypass it.
What's the point.
@autumn pilot is there someone that can confirm and potentially fix
I mean...it's quite obvious when I xfreerdp and I find the same id_rsa.
I sometimes ask myself what is required to maintain this whole structure.
The amount of engineering is pure madness.
When I obtain CPTS I am doing an honorable mention for you and a few more people.
¯\_(ツ)_/¯
Hi all,
I have a doubt regarding the Windows Privilege Escalation module, in the Weak Permissions section
Here SharpUp.exe is executed to retrieve 2 exploitation ways: a modifiable service and a modifiable service binary
In the case of the binary one (SecurityService) the text says that the service is also startable by unprivileged users. Why is that? Is it prepared?
How can I see which users are allowed to start one or another service?
I did it!!!! ❤️
Thanks Hippo!
I'm working on Attacking Email Services and I got the username and password, I just can't seem to get the settings correct in Evolution, any hints? I got it using telnet but I wanted to use Evolution
Introduction to Digital Forensics > Evidence Acquisition Techniques & Tools
Question on the exercise. The instructions/module fall short of telling you how to parse the Velociraptor data to find the answer. I did this by ||downloading CSV|| and searching for ||"Windows\\System32\\Tasks\\A"||. Is there a more efficient/better way of finding the answer?
Good day. I’m new here. I’d like to know if purchasing the silver annual subscription is a good thing. I’m enjoying the fundamental module I’m currently doing and got interested in pursuing the cybersecurity path within the Informatics field. As background, I have a graduation in Informatics and I’ve been working as a software developer/web developer for 4 years now.
There should be a Module about VIM on HTB academy
Yes it is good thing and you will enjoy the journey.
If you're only planning on doing one of the job role paths it's not worth it. It's cheaper to do like 2 months of Plat. Someone did the math a while back
I was actually planning to do the three of them
With emphasis on Pentesting
Just a note silver annual only includes one of the exam vouchers
You also need to bear in mind if you're gonna be able to complete it all within a year
Will it prepare me to face the labs with a bit more confidence?
Mostly
It should
A lot of the labs have some sort of gimmick
And the academy modules should prepare you to at least be in the mindset to figure it out
But then I can also learn with the labs, right? But as long as I can get a start and not be stuck on the first minute…
And actually understand what I’m doing instead of just copy-pasting info I found on the web
The starting point machines are decent at teaching some fundamentals
As long as you actually attempt to understand what you're doing
I went through them. But felt the need to understand some more.
This field is all about research
Hi I am new to this server.
Ok then. I guess my mind didn't change and I'll invest the time and money. Thank you all! I'm really liking it and it opens an interesting working possibility.
Module: Attacking Web Apps, Section: Attacking Drupal -- logged in but the editable page doesn't render PHP code! Any solutions? Can't select to be rendered as PHP code as in the section example!
is there a general here to talk
ok I read it.
I have an account ready in this website and I need someone to help me out.
Follow the instructions then
k
Anyone can help me out with the above posted problem?
look again
Got it -- actually i had to add a new article and not a page
I'm on password labs hard. I cracked the BitLocker but can't mount it without admin rights. Anyone got a hint?
You can mount it on a Linux or Windows host
What tool do you use to mount it on Linux?
This is a guide on how to access a BitLocker-encrypted Windows volume from Linux, useful in cases of dual-booting Windows 10, 8 or 7, and a Linux distribution. It covers how to decrypt and mount the BitLocker partition from the command line, as well as how to add it to /etc/fstab, so it's automatically mounted on boot.
ty 🙂
Anybody else have issues with the lab in the Bypassing Security Filters section of Web Attacks? I feel like I tried everything from the sections and cheat sheet, even had help from ChatGPT, and still no resolution lol
where are you stuck?
u can dm me
and tell me what have you done
so far i may help
Just getting the flag. I input the file into Burp Suite like the lab said, I used POST GET TRACE DELETE HEAD, everything 😂 and went into the command line and used curl
With the file; cp /flag.txt ./
what does the question say?
"To get the flag, try to bypass the command injection filter through HTTP verb tampering, while using the following: file; cp /flag.txt ./"
I'm busy with the Documentation and Reporting Skills Assessment, and I'm stuck right at the start. I've gone through the notes on the machine and filled out a few of the findings myself, BUT I can't seem to RDP onto any of the machines with the creds found in the notes.
As a sanity check I've run crackmap to check if the creds for asmith are valid on 172.16.5.5 (which they are) and after that tried to connect with xfreerdp /v:172.16.5.5 /u:asmith /p:Welcome1 but with no success.
Any help would be appreciated.
( I am trying all of this from the Reporting box)
I got in, and got the flag, not using any creds found in the notes 😦
Try out https://malcore.io
???
some guy tried posting a porn server link
eh its normal. large enough servers get swarmed with bots. They just get auto deleted by bots as well
nbd just ignore em
How do you create a security group called HR, for example?
Module: Attacking Web Apps, Section: Attacking Tomcat -- actually I found a valid credential pair, but it's only accepting the username as valid -- is this intentional?
use the instruction on the question
no it’s not intentional
you should have a valid user & pass
i have one
I feel I tried every way possible might just be burned out today thanks bro!
but its not accepting it
you’re really close to the flag
strange
I’ll keep you posted!
can you login with the creds you found?
just tried it nope
Strange, because I got a valid hit: [+] 10.129.214.24:8080 - Login Successful: -- but it's not accepting it
the right port is 8180
yeah just saw it
Any hint which pass file to use? Don't get a hit for the found user with the password list shown in the example, tried rockyou but aborted after a time...
the pass list shown in the example also contains the password
Suddenly it works -- don't know why
awesome!
Need some hints/guidance on:
Password Attacks
Pass the Ticket (PtT) from Linux
https://academy.hackthebox.com/module/147/section/1657
Question:
||Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.||
My process:
||1) I managed to enumerate and got access to root in the target through
ssh -l svc_workstations@inlanefreight.htb -p 2222 and changing to sudo su
2) Thereafter I went to look for ccache files and found Julio's file.
3) I know ccache files can expire, so I copied the one that is still valid.
4) Then I used this command and managed to download flag.txt which contains the flag I got as mentioned previously.
smbclient //dc01/C$ -k -c "cd julio; get flag.txt; ls" -no-pass
However, the flag seems to be wrong, I verified this with support too.||
May I know if there are any hints on what I could be getting wrong? Thank you!
Cross-Site Scripting, section: Stored XSS. I am a little confused with this tip: "Tip: Many modern web applications utilize cross-domain IFrames to handle user input, so that even if the web form is vulnerable to XSS, it would not be a vulnerability on the main web application. This is why we are showing the value of window.origin in the alert box, instead of a static value like 1. In this case, the alert box would reveal the URL it is being executed on, and will confirm which form is the vulnerable one, in case an IFrame was being used." Can I have more explanation, because I created an index.html and set a cookie exampleCookie=value and another iframe.html with a form (XSS vulnerability), and I can get the cookie value set in index.html with <script>alert(document.exampleCookie)</script> in the iframe.html input field
All I wanna know is if the account I need to be on is sol************ for this module
for the practice lab?
Yes sir, I am RDP'd into a system using those credentials solXXXXxxXXXXXX, I just wanna know am I on the right track
or can i PM
my notes don't say anything about a solxxx user... you can dm
I've been working on it this week.
Not sure if this is the right feed for the question but I'm not sure I see a better one. I'm trying to do more HTB machines and challenges in the Labs but I'm trying to find a group to do rooms with on a routine schedule. Curious if people have experience at finding others that are interested in something like this.
Doing individual challenges as a group usually just means everyone isn't learning as much as they could be
You gotta have some sufficient skill already before there's any real benefit from group work
i.e. to the point where people actually have varying degrees of talent in sub fields and those can learn from their weaknesses by leaning on others' strengths. But that only works if you and everyone else in the team actually has something worth contributing
When you're new you're still just figuring everything out and don't even have a methodology worked out yet.
If you have/get a VIP subscription that's really good for learning. Go down the list of easiest retired boxes and reference the walkthrough for hints when you get stuck for too long. And then regardless of whether you solved it on your own or needed a hint, read the entire walkthrough and then watch Ippsec's walkthrough on YouTube. I did that for ~15 boxes starting from the easiest community rated machines before my OSCP exam and found it very helpful. But if you haven't already completed any ethical hacking courses/paths (e.g. CPTS path, THM, PEN-200, PEH) you should start there to get a solid foundation.
So I have a solid foundation and have been doing offensive cyber work for a little over a year and a half. Mostly developing simple artifacts for defensive teams to find like in a purple team scenario. The issue is I work with people that do and are interested in defense so putting together a routine offensive CTF collaboration event is challenging. Just trying to see where other people have had luck finding small groups of people to maybe try and work together to solve some different CTF events or HTB Labs. I did find one group on Meetup so far
@naive cargo @thorn urchin
There isn't an established system to find teams; try doing Seasons and talk to people in the chat, you can discuss with others in DMs, make friends and see how it goes from there
Would the section of this module (https://academy.hackthebox.com/module/158/section/1428)
help me answer question 4 of the skill assessment of this module: "Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer" https://academy.hackthebox.com/module/158/section/1441
Hi.. I am stuck on identifying the command injection. I did all of the other parts. On the Linux machine on port 80 there is an XML file with usernames and password. Tried to use them to ssh into the box or use sftp or even upload a file via scp. But none worked. There is an uploads directory and I was assuming that there is a way to upload a reverse shell. But can't find a way to upload a file. Are there any hints you can share? thanks.
Can someone give me a nudge with which tool to use to crack r****'s password for this question: "Use the discovered username with its password to login via SSH and obtain the flag.txt file. Submit the contents as your answer" - under the Attacking FTP section in Attacking Common Services? I tried hydra/crackmap/medusa all with a mut list/the password list/and rockyou and I get nothing against the FTP or SSH
test the ftp server for ||anonymous login|| 😉
@lusty thicket I keep getting not connected errors
that’s normal reset the machine and try again
@lusty thicket ok
@lusty thicket I am trying this and I still get not connected -|| ftp ftp://anonymous:password@10.129.78.117||
strange
:2121
try
I am not sure this helps you, but start out simple and then do one step after the other. Through the module I never used RDP; I used crackmapexec and evil-winrm; evil-winrm is nice since it gives you a PowerShell prompt. Hackingarticles has very good descriptions of both tools. Overall I like them a lot since they have very detailed articles related to hacking. The way I did it was: (0) run nmap; also do a UDP scan, now you have open ports and IPs, (1) use Responder to catch hashes and then crack them; after 15 minutes there were 5 users with hashes; rockyou.txt cracks 4 of them; (2) then do Kerberoasting; that gives you 5 more users and hashes, rockyou.txt cracks 3 of them, (3) then do AS-REP Roasting; that gives another user and again rockyou.txt cracks the hash, (4) now run bloodhound-python; you can do it with any of the users you already captured previously or with user asmith; BloodHound will also tell you the domain admins; many of the users you get through steps 1, 2, 3 are Domain Admins. This should get you started.
@lusty thicket I am getting this now....ftp ||ftp://anonymous:password@10.129.78.117:2121
ftp: ftp://anonymous:password@10.129.78.117:2121: Name or service not known
ftp> ls
Not connected.
ftp> ||
I have the user name...any other way to get PW to get in via ssh?
reset and try again
@lusty thicket oof - that's my 4th time now lol... something must be up, or some small little detail I am maybe overlooking
@lusty thicket nothing -|| ftp ftp://anonymous:password@10.129.203.6:2121
ftp: ftp://anonymous:password@10.129.203.6:2121: Name or service not known
ftp> ls
Not connected.
ftp> exit||
This is only one of many ways I have tried to sign in with FTP - I changed port/creds/etc. and still nothing
strange
it only took me 7 tries
reset and try again
vpn off ?
I'm finishing off 'Documentation & Reporting Practice Lab', I have administrator on the DC1 host but the flag isn't there
Anyone mind showing me where I could find information on how to do LLMNR poisoning from the internal network? When doing the Pivoting, Tunneling skill assessment, I want to try and do the Responder attack from vfrank to our attacking machine.
If anyone has done some splunk could you help me pls ?
I might be off in the wrong direction tho
the AD Enumeration and Attacks module covers it
Can someone help instead of removing my screenshot
you help me get from 80 to 80 thanks !
Someone, anyone, please give me a nudge on the final question of the Kerberos skills assessment. I have ||jakes|| ticket, I have dumped the hash of ||server01||, I am unsure of what else I need to do. I am 99% sure the attack vector is ||KUD|| but cannot get the ||DC|| to auth with ||SERVER01||. I have tried creating silver tickets
I can't beat that question I have tried them all
Can't you ctrl+f for the known bits of the IP in the thing?
wdym ?
Like, in a text file, you can search for a word. You know what most of the IP will be, search for that. Haven't done the module myself but that's how I would try it.
Dw, I tried with this SPL query: index=* 10.0.0.* sourcetype=*
I got ip close to 10.0.0.1XX
I tried them all none of them work
ikkkk
I have tried all 10.0.0.1* and 10.0.0.* possibilities with the given IPs
Maybe im dumb dumb
I guess the classic "try harder" applies 🤷♂️
I am
I even tried all ips that there is
still none of them work
I also tried to find the IP address in bytes and convert them to a number
no success
(I have also tried with RuleName=Technique_id=T*)
Hey, I wanted just to clarify with Attacking Common Application skill assessment part2, I've answered all other questions but can't seem to find correct URL for WordPress
Anyone else?
hi
Don't understand what specific URL needs to be found, so far have tried wp-* paths, readme.html file, who could hint me a little bit on this?
it's one of the vhosts
I found all three; it doesn't ask for the FQDN as it asks for the third one, so I tried with http:// or https:// but that doesn't seem to be the right answer
make sure there's no spaces at the start or end
jesus christ
Need a little help in Attacking Enterprise Networks, question "Perform vhost discovery. What additional vhost exists?" Enumerated all the subdomains but none of them is correct. Is someone available to help me?
hi, in the documentation and reporting module there is a sample report which prompts for a password
What's the password?
Because I don't find it
guess you gotta figure it out
it's probably given somewhere as many people have been able to get the sample report
It's a sample report for CPTS, but okay
Sometimes wordlists don't contain the same values between lists.
hey guys kinda have an issue with my openvpn :/
[sudo] password for m45faleh:
2023-12-08 12:56:47 WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set.
2023-12-08 12:56:47 Note: '--allow-compression' is not set to 'no', disabling data channel offload.
that's just a general warning
not an actual issue
Do you get "Initialization Sequence Completed" at the end?
no its taking forever
so towards the bottom there's no line that says that?
If you open a new terminal and type in `ip a`, do you have a tun0 interface?
no i dont
interesting, chat with support on the website then
you can try changing to a different vpn region and downloading a new one ¯_(ツ)_/¯
i tried didnt work
then chat website support
👍
thank you
use SPL to craft some arithmetic queries
"analytics driven SPL query"
use the material in the section, additionally you can also use Splunk's documentation
as it is the only source that holds more comprehensive explanations of the queries/commands
The struggle is part of anything you learn in your life; let's take for example walking, it would take you somewhere between 10 and 18 months
Module: Attack Web Apps, Section: Attack Splunk -- don't have an interface like in the section on https://10.129.201.50:8000/en-US/manager/search/apps/local -- I have to upload the tar file somehow -- any hints?
interact with the application and you will eventually find where you can upload the tar file
No, the code from the courseware does not work. You need to edit the name of the parameter we are focusing on.
Hi! I got stuck at Active Directory Enumeration & Attacks - ACL Abuse Tactics. I was unable to Set-DomainUserPassword because it gives me an error: "The username or password is incorrect". And when I tried to Kerberoast it gave me no result as well. Can someone give me a tip?
I got it at the end, something bad with my browser cache.. worked good from incognito mode.
But I'm stuck now on the skill assessment lab, found a way to bypass the js upload but can't promote my user... 🤔
I know the cap blocks external script
hello everyone
I have been stuck on the Footprinting lab - easy
for a couple of hours.
I have seen from hints that people are using wget to download the contents of the FTP proxy running on port 2121, but I'm only getting a hidden .listing file that doesn't contain anything 😕
Could you give me a hint ?
when you ftp in, do `ls -la`
make sure it's on 2121
I feel like a dum dum,
Thank you very much
Any idea what I am doing wrong?
i cross my fingers it works
Module: Attack Web Apps, Section: Attack Splunk -- don't have a login page -- confused
Read the section again. It explains why.
anyone for the answer real quick
Module: ATTACKING COMMON SERVICES
Section: Attacking SMB
Does anyone know how to brute force a specific SMB share for download permissions? ||Anon login is allowed but I can't figure out how to brute force for download permissions.||
I don't think I can use this command 'scp -r ptunnel-ng user@172.16..**:~/' to transfer a payload to that IP address since the '172' in that IP address would indicate that it is a private/internal host, right?
Not always; the 172.16.x.x subnet indicates it is a private one (internal), you need to do the necessary enumeration to conclude that
If you check the NIC and routes on the box you're on, and it has anything in its ARP cache indicating you can, then you can
AD skill assessment 1 took me 3 days.... the conclusion is I don't know shit about AD. But I can learn by practicing I guess. Now I'm burned out and need to rest for today lol. This assessment challenged all my previous knowledge and even the quality of my notes! I think I'm better off throwing away all the notes (I wrote ESSAYS!) and referring to the Academy modules...... :W
my only advice: IF YOU WANT TO BECOME A PENTESTER, DO IT BEFORE YOU HAVE KIDS!
It's been a while since a module has made me want to cry but this one will do it to you
Suuuuuuuuuuuuuuper slow mini screen jumpbox
Yeah, it really made me cry, didn't shave my beard for days! Just looked poor and miserable in front of my PC while impostor syndrome was beating my ass every single minute
TBH I feel so scared to hit the button and move to the Assessment 2.
AD is fun once you get the hang of it, massive attack surface, so many things to break
do you mean the initial webshell?
Yeah, the first thing was to get rid of that webshell; tbh the chisel pivoting saved my life
After pivoting it was all about understanding what the goal is and how to get there.
wondering if real world AD environments are really vulnerable as well, I think it's quite difficult to harden them
anyone know how to get saxonb-xslt for command line on parrot os? can't seem to find it on my parrot os nor in repos, i copied the one from the https://manpages.ubuntu.com/manpages/trusty/man1/saxonb-xslt.1.html but that doesn't work.
I mean there's xsltproc iirc which allows you to use XML files, but I guess that's not what you're wanting?
oh crap nevermind im blind its just on the page lol, skimmed over it
nmap module?
'sudo apt install default-jdk libsaxon-java libsaxonb-java'
this
i meant what module are you working on
https://academy.hackthebox.com/module/145/section/1308 ssti Attacking XSLT
soz will do
Right, like I was going mad before I got tunneling to work
When using hashcat, do you need to use the --show flag to actually see the cracked password? I ran hashcat against one of the training sections for the hashcat module. I thought it failed, but upon re-running I got a message about it being in the potfile. So I ran hashcat <hash> --show and that showed me the hash. Is this the normal workflow?
no; --show is generally for if you already cracked it
because it gets saved into what's known as a .potfile
it doesn't hurt to include it in the command
I mean it cracked it, I'm just wondering does it always go to the potfile without displaying and then you have to run --show?
yes it won't try to crack it if it's already in the potfile
it always goes into the potfile, it will show it only on the first try of cracking it
if you don't do --show
roger that. thanks
https://academy.hackthebox.com/module/145/section/1346, that was too easy/not really relevant to the module
also spelling lol
Can anyone assist me on the Attacking Common Services / Attacking FTP section? Last night and now I am trying to get R's password and even login as ||anonymous||, but nothing seems to be working... even after multiple resets... it just keeps saying not connected.
Lowercase is important
@fathom pendant so I have tried all these and I get nothing on a PW match nor any connection with ftp:
I change the IP after each reset, but these are what I run.....
||medusa -u r**** -P pws.list -h 10.129.75.231 -n 2*** -M ftp
ftp 10.129.78.154
ftp ftp://anonymous:password@10.129.203.6
hydra -l r***** -P ./pws.list ftp://$TARGET:****||
Hey buddy, can I dm you?
Can anyone DM me on the Attacking FTP section? I am really lucking out on how to get the flag... not sure if it is the proxy or something else causing the trouble, but I keep getting not connected and cannot run anything even using anon or anything else
Working on File Upload Attacks, Blacklist Filters. I used Burp to intercept and edit the upload, then sent it to Intruder to check for accepted extensions. I have tried all of them but none of them work. The PHP code keeps getting commented out when I inspect the page. Not sure what to do.
reset the machine and try again
@lusty thicket Tried that multiple times… can I get the PW some other way with other services?
strange, try testing for allowed extensions manually
you can’t
@lusty thicket booo… I've been at it utilizing multiple methods and simple FTP login methods and nothing. The box keeps saying port closed or not connected, etc. I revert and get the port I need, then when trying to get in - nothing. It says not connected. Any other advice?
tried resetting the machine and eventually got it
Hello, I am working on the intermediate network analysis and I am stuck on the first question. Did anyone else have this problem? I followed all of the steps, but it says that the answer is wrong.
Nevermind, I was not looking at the status bar, I was looking at the total number of packets in the window, lol.
this is unrelated to any academy modules
Ok, I have a question on the Cracking Miscellaneous Files and Hashes section of the Cracking Passwords with Hashcat module. I have the Misc_hashes.zip file that isn't encrypted. I extracted it and the underlying file is hashcat.7z. zip2john is doing exactly nothing. Should I install 7z2john? Or is there a flag that I'm missing in running this command?
reset the machine wait 10mins and try again
Module: Attacking Common Services
Section: Attacking SQL Databases
Host Machine: Pwnbox
Using sqsh to connect to the db I get the following error:
```
sqsh -S $ip -U htbdbuser -P 'MSSQLAccess01!' -h
Requested server name not found.
```
I am able to connect using `mssqlclient.py`
```
mssqlclient.py htbdbuser@$ip
```
However, for the next task, I am unable to login as `mssqlsvc`
```
mssqlclient.py mssqlsvc@$ip
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user 'mssqlsvc'.
```
```
mssqlclient.py .\\\mssqlsvc@$ip
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user '.\mssqlsvc'.
```
and as predicted, `sqsh` won't work for me here either.
```
sqsh -S $ip -U mssqlsvc -P '<redacted>' -h
sqsh -S $ip -U .\\\mssqlsvc -P '<redacted>' -h
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error:
Requested server name not found.
```
I used the Discord search history and didn't have much luck either on this matter. Can anyone point out what I might be doing wrong here? I'm using the cracked password from the hash.
Module: ATTACKING COMMON SERVICES
Section: Attacking SMB
Does anyone know how to brute force a specific SMB share for download permissions? ||Anon login is allowed but I can't figure out how to brute force for download permissions.||
-windows-auth
try
Damn, that worked. Feels stupid, thank you!
The section covers the brute forcing you need to do.
Brute Forcing and Password Spray
Guys, University CTF 2023: Brains & Bytes
What is the password of the zip files?
In the medium lab for the Footprinting module, I got access to SSMS as admin and got the password, but it was through guessing. Is there any way to figure out that the database to query is {SPOILER:accounts.dbo.devsacc} without guessing?
I'm stuck at Web Attacks - Skills Assessment on the first step. I have found the vuln, I seem to know how to exploit it, but for some reason it is not working
Somebody available for a quick private chat?
Not needed anymore. Found out that 'Change request method' in Burpsuite is something different than manually change the request method.
If you have access, you can use the database with SQL queries
I know that, but is there a way to narrow down where to search, or is it just a guessing game? When I was searching there were like 10 different choices popping up in the accounts database
great!
So as not to spoil anything, send me a DM with what exactly you mean by guessing.
The name of the database?
In the Web Requests module in the GET section, is the app working correctly? Because the task is talking about the request to `server:port/search.php`, but the browser in the instanced machine doesn't make any such request when searching
the app is working correctly
Having a weird interaction in the second exercise of the Web Attacks module. I've tried all HTTP methods (Bypassing Security Filters) and yet I'm getting denied in all of them. Clues?
Using Burp Suite: ||right click > change request method||
then forward the request
it should work now
Ah fudge, I was doing it manually and doing it wrong. Thank you!!
Is it me, or is there an issue with xfreerdp into Windows for Windows Event Logs? I have been trying for over a month, and I cannot seem to get past the login screen. Sometimes I can, but other times I get something like freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED. When I am able to get in, it only stays connected for a couple of minutes and then just disconnects
Sometimes I get failed to connect to 10.129.205.123
Sometimes I do get the option to trust the certificate, but then I get one of the previous errors or a network disconnect
Yea sure
Hello, I'm Pipo! I'm completely new to not just Linux but to everything in the industry haha. I've been going at HTB Academy and OG HTB to learn but I feel the engine sputtering out lol. Embarrassingly enough, I wanted to come and ask for a point in the right direction. I'm on Tier 0 stuck in the basics and have been doing some of my own searching to figure it out and came up with enough to understand syntax more or less lol. I wanted to ask if anyone has "baby/journalist mode" resources to help understand the fundamentals of Linux?
We don't need your life story for you to ask a question
And there's a linux Fundamentals module, unless you're struggling on that
If so, check all the commands given with man [command] (don't use brackets)
I am not sure what a baby journal is, but I would recommend watching YouTube videos. There is Udemy out there. Freecodecamp.org might have something. The Fundamentals course is pretty straightforward. What are you stuck on?
my bad just wanted to communicate that i didn't know much
Most people don't
And a lot of people don't want to read a wall of unnecessary text just to get to the question
alright dog chill
Just sayin
I also provided some additional help ¯_(ツ)_/¯
You dont need to get defensive over it. Its nbd
this channel gets swarmed by new people being very off topic and not even realizing what this channel is for. Your post verbatim sounded just like that till halfway through the post, thats why you got the heads up.
gotcha
For Hunting Evil with Sigma Splunk Edition:
I ran sigmac on the previous target machine to get the Splunk query, but when I run it, it returns nothing. I've gone through the steps 3 separate times to make sure I wasn't making a mistake; can anyone nudge me towards what I'm missing?
Maricie is one of the top three most prolific module helpers on the discord
I appreciate everyone's input 🙂 thank you for the help
good luck on your journey! its gunna be a wild ride!
I'm abrasive, but I also am blunt - If i'm gonna help I'd rather know what your specific issue is rather than try and decipher what part of your paragraph is a question and what isn't
saying you're new is fine, but going into a whole spiel about it is unnecessary - lots of people are new, and just saying that means that I'll likely reframe how I answer your question
Hey everyone, I'm doing the Windows privesc and on the pillaging I have dumped the admin hash using secretsdump with security, and the hash is still wrong. Not sure what the go is, has anyone else run into this?
for instance instead of "did you try doing this specific thing with tool" I'd phrase it "Well you can do x with this flag of the command you're using"
Hi. I am trying to solve Firewall and IDS/IPS Evasion - Medium Lab. I have a version for the DNS port (as asked) but it isn't taking it as an answer. Not sure what else I am doing wrong.
this is one of those weird ones if I'm recalling, try doing it in pwnbox and see if you get something different
Cheers. Completely different answer from my VPN but I've got it now!
otherwise you'd need to reset the target a few times to get it to work with vpn, this is a jank one
All good! Thanks for the quick help 🙂
does anyone know why my responder is only catching one users hash and not all of them? I'm only getting the hash of the user who enters their credentials. I thought i was supposed to get all?
sudo responder -I tun0 -dwv
Responder is a MITM type deal
it only responds when you connect to it and even then - those connections are generally brief
oh because i watched videos where they're getting all of the users hashes
it just depends
i get the hash for whatever the user enters in for the credentials
what module are you doing?
It depends 100% on the environment. Some envs you don't get anyone's ever 🙂
ah yeah no you're not really gonna get multiple creds from that type of deal
oh ok so the environment has to be set up to give all hashes
sorta
well it's not really set up to DO anything
yeah, just misconfigured
it's more of it's not set up to prevent that
Hard pressed to find a scenario where you'd get everyone's hashes
ok. so generally you're most likely only going to get one hash from the user who enters it
but unless it's some sort of LLMNR cache poisoning or something
eh no to that too lol
oh :think:
Realistically you're most likely to get the hashes of misconfigured service accounts
but if it's just a connection to the service you're gonna only get one cred
and then maybe some real users if you're lucky
ah
so if the sql service is storing hashes and misconfigured then you may get those?
no
this has nothing to do with storing hashes
it's namespace issues
responder literally just responds to authentication requests in order to capture the hash of whoever made the requests.
How and why Responder even SEES this request depends on the environment and layout. It could be services authenticating to that machine specifically, or it could be because the requests aren't being sent to real computers correctly and so get routed around hoping to find the real computer, and Responder is just like "yeah that's totally me bro, send it here"
i see
yeah it gets the ntlmv2 hash by responding to the auth challenge stuff
ntlm is another totally different thing
hes talking about ntlmrelayx
and netntlmv2 are not hashes
calling them hashes is abusing the word
netntlmv2 doesn't map data of arbitrary size to fixed-size
which is the definition of hash function
"In short : NTLM (aka NT) hashes are local users hashes. NTLMv1/v2 (aka Net-NTLMv1/v2) hashes are used for network authentication"
man google goes wild
i know everywhere its called a hash but its not compliant with hash definition
just an abuse of the language here
...
"The NTLM hash is encoded by taking the user's password and converting it into a 16-byte key using an MD4 hash function. This key is divided into two halves of 8 bytes each, which are used as input to three rounds of DES encryption to generate a 16-byte output that represents the NTLM hash."
it's not a hash like mdX sha-X nt or lm
I'm literally using google to disprove you dude
ntlm is not netntlmv2
different things
netntlmv2 is not a hash per hash definition is what i mean
Just take your L and stop
hashes are always same length
you're literally being told by multiple people you're just flat out wrong
One of the authentication protocols Windows machines use to authenticate across the network is a challenge / response / validation called Net-NTLMv2. If I can get a Windows machine to engage my machine with one of these requests, I can perform an offline cracking to attempt to retrieve their password. In some cases, I could also do a relay attack ...
just curious cause you're literally the only person I've seen make this argument
A hash function is any function that can be used to map data of arbitrary size to fixed-size values, though there are some hash functions that support variable length output. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. The values are usually used to index a fixed-size table called a hash...
netntlmv2 is not compliant with hash definition
"Both LMv2 and NTv2 hash the client and server challenge with the NT hash of the user's password and other identifying information. The exact formula is to begin with the NT hash, which is stored in the SAM or AD, and continue to hash in, using HMAC-MD5, the username and domain name. In the box below, X stands for the fixed contents of a formatting field."
again they are called hashes
a hash always has a fixed length (e.g. 32 for md5)
I think you're confusing people saying the netntlmv2 hashes with people saying ntlmv2 itself
ntlmv2 is the short way
ntlmv2 is the protocol, of which includes hashes
prevent brute force
so when people say ntlmv2 hashes they mean the hashes from within the protocol
but a hash always has a fixed length
so?
what we capture with tools, i.e. responder, has variable length
but we call em hashes
which is totally ok
just a language convention
you know what, you don't wanna admit you're wrong
but i think it's important to make the difference between a real hash (md5) and netntlmv2 challenge responses
why
general knowledge
ok
it is a hash for the purposes of cracking; it uses hash algorithms
Thanks for derailing the entire topic from someone that was trying to actually learn
any time !
but on a real note, you're being needlessly pedantic about it
always like to be
when someone was asking in general about something
nah, you're being pedantic
because for general purpose the semantics don't really matter
i think they do
the modules and most other references call it a hash
yes because calling it authentication challenge response was long i guess
xD
then we should call them pseudo-hashes
but we don't
nobody cares
Hi y'all
because at the end, in IT semantics are not that important, and sometimes that makes some stuff more difficult to learn
we rarely need to actually care that it's a challenge response
in Maths it happens the same (I've a BS in Physics and Maths). It kind of frustrates me to be limited somewhat by the language to learn some things.
the only thing that cares is Windows Authentication which uses it
(We don't care about your degrees)
Generalizations happen a lot of the time all over the place
technically speaking gravity differs at different altitudes; but we still use a generalized constant - similar with boiling point - but we don't go around correcting people that "technically where you live you actually need to heat it up to this heat to get it to boil"
topic please
great!
NTLMV2 is a hash for the purposes of Responder; as the modules teach it to you as stealing the hash of the service authenticating to it.
and hashcat calls it a hash for its purposes of cracking it
I agree with Rafajurado! Marcia is wrong on this one
ok bro
congrats on being incorrect
Thanks for that, I was just trying to spread some knowledge but humans usually reject it.
you're just spreading further confusion when the goal is general understanding
Sorry about that 🤷
He's trying to show us a more in-depth way of looking at things, keep sharing your advanced knowledge Rafa!
in order for that knowledge to be of any use; there needs to be a practical need to apply the knowledge not just for the sake of "well it's actually called this"
hi
I have completed the getting started room on the academy and have now come to the starting point boxes on hackthebox. but they seem very easy. can anyone give a little roadmap?
I don't have money either to buy the $14 membership.
just start doing regular academy boxes if you find the starting point boxes easy; you don't need a membership to do content - just a vm
Do you have to upload it as png? It’s been a while but the „hiding it as a different file“ thing is usually used for php webshells, I think here you can just upload the svg directly
hm, no difference if I change file ending to svg
Uploading it as pure svg doesn't work
try not tampering with the content type or filename
I tried that shown in the first screenshot
in first screenshot you changed the file extension
I need to have PNG in the body data otherwise i get server error or "Only images allowed" response
svg files are not allowed
Well I managed to find the flag without svg, Hope I can understand xxe attacks better after next module
Hi, somebody catch this error: linux priv escalation logrotate, 'version GLIBC_2.34 not found (required by ./logrotten)'. I tried to use an old version of logrotten, same result. I didn't get what's wrong
Hi I am on the hashcat course and having trouble running hashcat on my kali and parrot VMs and the attack box is slow. Anyone know a good way to get hashcat working on kali or parrot VMs (virtualbox) (Solved)
don't use hashcat in your vm, there's no gpu pass through so it will fallback to using cpu + vm overhead makes it very slow
your system libc version is likely too new/old and it requires version 2.34. Download glibc 2.34 and appropriate loader (ld.so). Then set e.g. the runpath of the binary you are trying to run to the location where you placed the libc.so.6. Also make sure to run the binary using the downloaded ld.so and not your system one
As @next bronze said, you should avoid using hashcat in a vm generally
Both Kali and parrot can work but really running on an os officially supported by whichever GPU hardware manufacturer you have is best
Or if you are bound to only a CPU, an OS that is supported by intel’s oneapi OpenCL runtime (even on AMD CPUs)
o_O hashcat dev?
🙂
Thx for the great answers! I got it up and running on my kali VM, and have downloaded hashcat on my baremetal OS
hashcat is an awesome tool, thank you for what you do 
anyone can give hint
Windows Privilege Escalation Skills Assessment - Part II question 2 ?
have you solved this?
Hi Guys I am stuck on "Linux Privilege Escalation - Miscellaneous Techniques", I have root privilege but unable to find flag.
Can someone please help
NVM..
Hello everyone. I am currently stuck on the first PtH section. I have got all flags but I cannot for the life of me get the \DC01\David\david.txt flag. Can anybody nudge me in the right direction
either way I try to connect I am either denied or told the share doesn't exist
@latent glen You can try
Go to the 3rd question -> login with CME & Enable RDP and access the RDP. Then use the method Pass the Hash from Windows Using Mimikatz will get the flag
I'm not there yet but often on HTB flags are just in the root directory, you can't grep for them but just cd to it. I could be wrong but try it
Anyone got this error on the WINDOWS ATTACKS & DEFENSE - PKI - ESC1
(Rubeus ASCII banner) v2.0.1
[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=bob, OU=EagleUsers, DC=eagle, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'eagle.local\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
cannot get it to work
keep spawning in ms01\administrator
OH I GOT IT
huh?? thats so weird, how was I not doing exactly this before
thank you anyway
Active directory & Enumeration attacks.
LLMNR/NBT-NS Poisoning - from Windows
Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.
I am trying with both the powershell script and with the executable but I am not getting the NTLMv2 hash from svc_qualys, I'm not getting any hash in fact... What could be the issue?
For Anyone that suffers this issue, this is only happening in US Academy in the EU academy it's working fine.
but the regular boxes (which are retired, cost money). should i do the live boxes?
Module: Attacking Common services
Section: MSSQL
Question: What is the password for the "mssqlsvc" user?
Anyone got a clue in what table i can find the hash for the user?
Yes
Module: Attacking Web Apps Section: Attacking Thick Client Applications ---- don't know exactly what I have to look for -- looked up all map files but no success -- any hint?
Hello guys, question, why is it not ok? please
Any one able to solve the Attacking Common Services Medium Lab ? Any hints ?
Which module? Which section?
What is not working?
Follow the module.
Can I DM you ? I have enumerated the service with port 21xx but I can't find the username
sure
@acoustic owl is it a file from the party:user ?
What?
Does someone or can someone dm me to help with attacking ftp from the attacking common services section? - ran the following and you can see my results...ftp 2*** is not working as it should for this I don't think...resetting box also does not work...any other advice would be helpful...3rd day on this one
ftp 10.129.203.6:2121
ftp: 10.129.203.6:2121: Name or service not known
ftp> ls
Not connected.
ftp> exit
nmap scan - 2121/tcp open ftp
Try it without the colon
ftp <IP> <PORT>
In addition to what PayloadBunny wrote, run ftp --help to see how the command is used. It is a good practice to get into.
that worked...I thought it should need to take the : but I guess not really
thanks - super appreciate it
Do what is explained in the module step by step.
As far as I know I have to find a file with rw privs and it has to have the magic bytes MZ in it?
But I don't understand if it has to be a MAP file
Yes, but how you find it is in the module. You really have to go through it step by step.
Guys, I am doing the hard lab from the PASSWORD ATTACKS module, but I cannot crack a hash neither with John, nor with Hashcat. I am talking about the Logins.kdbx file.
hashcat -m 13400 -a 0 kdbx.hash mut_password.list
john --wordlist=mut_password.list kdbx.hash
The error from hashcat is:
Hashfile 'kdbx.hash' on line 1 (EBF0BA8D52A8B7DF6F900D022AD23CEA): Salt-length exception
No hashes loaded.
I tried on both my Kali machine and the pwnbox
I also updated everything
PS C:\Users\johanna> Get-FileHash "C:\Users\johanna\Documents\Logins.kdbx" -Algorithm MD5 | select Hash
Hash
EBF0BA8D52A8B7DF6F900D022AD23CEA
the kdbx file is a keepass file, you need to convert it to john format in order to use it. take a look at the available binaries in the /usr/bin folder
I used keepass2john
excuse me, I want to ask about Repeating Requests in Using Web Proxies (Module 3): I can't get the other flag, can I get a clue?
┌──(kali㉿kali)-[~]
└─$ /usr/sbin/keepass2john Logins.kdbx > kdbx.hash
! Logins2.kdbx : Unknown format: File signature invalid
can someone help me
What module did you guys find to be the most frustrating module in the pentesting path?
The modules are there to learn new things. This should not frustrate you. Yes, sometimes things don't work straight away, but that shouldn't frustrate you, it should invite you to learn new things.
What have you already tried?
Most of them don't frustrate me... but the pivot tunnel one (the one that I have been working on) has been the most frustrating for me
Despite completing them
most of the sections I mean
Up to now, PASSWORD ATTACKS
Lot of problems
I enjoy them, but at the same time, because of the problems encountered, it takes much more time than expected to complete them
wait until you reach Thick client Application lol
Has anyone completed windows privilege escalation? I need help
not all of it but I am at 24/33
@sly kelp any hint on thick client applications?