#modules
Random question, I'm doing the AD module and was wondering is there any issue with using evil-winrm to access the Windows attack host and run tools like Inveigh from evil-winrm? Instead of actually RDPing into the machine
Inveigh sucks on cli stuff tbh
Evil-winrm also is just bad (but currently no alternatives)
But rdp is generally gonna be better for windows related tasks
Got it I tried it with evil-winrm just because RDP connection was absolutely awful, and it was decent but no interactive console on Inveigh like you'd have if you just ran it from the RDP which was annoying
There's also 2 inveighs, the cool exe one and the ps1 script
The exe one is 10/10
yeah I tried the exe one from evil-winrm, but next time I'll just RDP to do it
Also fwiw, if you're not already - use the tcp vpn pack
Hello, I am about to finish the Bug Bounty Hunter path (90%) and then I want to continue on the Senior Web Penetration Tester path. Do you think I should try to get an award on HackerOne before I enter this, or should I finish the Senior Web Penetration Tester path first?
I mean the senior path is mostly an extension of the bb path
how would a h1 award help u pass the test? do they count for flags?
If you want to practice on platforms like h1 no one is gonna stop you, and if that helps you feel validated with your learning then great!
i would suggest doing the senior web penetration path and then trying h1 because you will learn things and get to practice in a nice structured environment before trying it on h1 platform which has been publicly tested in many different ways.
it doesn't appear to me to be an extension of the bug bounty path inasmuch as it looks like htb's version of the burp cert
Even getting 20 hours a week?
dont let any1 dull your sparkle
Go for it if you think you can, but 20 hours a week is actually pretty low for someone wanting to speedrun the course
^
20 hours is what I was putting in when I didnt have much study time and was procrastinating
individuals learn at different rates and don't underestimate passion and curious people who have goals
Not wrong, but people should be realistic about their own abilities
finishing CPTS in a month without prior exp would be a legendary feat
go for it by all means tho
they said they wanted to become intern level. that means you could do both at the same time considering intern level is up to the organization and what types of education and training costs for which they've tolerance.
it's up to your experience @thin parrot. put in the 20 hrs and see what happens.
it's better than 0 hours
I agree with that
20 hours minimum, I’m aiming for 30
But I work 30 hours a week on top of that
Keep in mind I have a cs degree so I’m not entirely out of the loop just some things I’ve never worked with. Linux for example I’ve barely touched till now
also mb. I was reading as finishing cpts in a month, not intern level. Intern level 100% depends on the company like jinn said
interns can vary between total newbs to cutting edge research lmao
Yeah no way I’m finishing that. It’ll take me another 4-6 months to get through nearly everything
i did all of offsec labs + pg in 8 weeks then got oscp from it
it's doable if you're into it.
also that's like 10 hr a day too
where can i get kali linux for virtual machine?
what VM do i use?
I’m not sure what the abbreviations are exactly but I’m doing this to get into pen-testing
Your preference
recommend me some
^ I like vbox personally
google some
oracle virtualbox?
sure try that
Yes, was very straightforward if I remember correctly
Virtualbox is great for getting started with VMs, I've since moved over to fully using VMWare Workstation Pro but I never had issues with Virtualbox
I use VMWare Fusion as I find it works best with my Mac
you definitely want to try either vmware workstation pro (free) or virtualbox, those are very straightforward
oh fuck its the carpet guy
bro you never gave me the price to hack a carpet
😭 ill never learn how much it is to hack carpets
cant pass this phase while running monitor.sh on nibbles:
```
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo monitor.sh
[sudo] password for nibbler:
```
it is asking for password. Any clue?
use the full filepath
Your block is getting deleted because automod is seeing it as spam
If you link your account following #welcome you'll be able to post large code blocks
sorry, i have no clue on how to link my account , can you help please?
Working on the RDP and SOCKS Tunneling with SocksOverRDP section of the pivoting and tunneling module I'm stuck - can anyone assist?
Hey, I am new to hacking and started working on an easy box labeled Bizness. I am doing directory discovery with Gobuster. I have a decent computer and ran a discovery with the wordlist 'directory-list-2.3-medium.txt' It's been around 20 minutes running and the scan is only 23%. When y'all run discoveries, is this wait time normal?
this isnt the channel to ask
Arigato
done, took me some time to figure it out
here is what happens after using the full path
```
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
nc: getaddrinfo: Temporary failure in name resolution
nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
total 16
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4102 Feb  2 20:37 monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$
```
How many modules/sections do people aim to do a day/week?
i will be happy if i can finish one module per week
did you put your tun0 ip in the echo command to monitor.sh; and are you running the second listener
i am not running a second listener
thats a pretty good goal! Thanks for sharing. I've just started so I wanted to look to others to see what their pacing is for the academy.
then you should; reading how the revshell works you need to replace the temporary 10.10.10.10 ip or w/e is in the example to your IP
i have the impression it gets worse
Well im looking forward to the tough stuff tbh
i have the listener in the terminal were i have the shell running on the box, and i have a second running localy listening to port 9443
have the other one listening on 8443 as the bash revshell shows
:)
the error was in name resolution: meaning it couldn't reach the IP from the command
could not finish it today, but will try tomorrow again. thanks for you help. cheers
Anyone having trouble spawning targets ?
Yup, been trying for 3 hours now
Hi, Im doing intro to assembly language and i kid you not been stuck on "debugging with GDB" for a week now, I need guidance...Please and thank you
haven't done that, but may be helpful to straight up say your question and what you need help with
been away from Academy for too long and working back into it... I assume that purchasing say 500 cubes in a one shot is NOT possible. Is that correct?
shit nm
the giant green buttons didn't register
yeah you can... but subscription cheaper
yeah i see that... it would hold my feet to the fire to simply subscribe 🤔
if you're not a student, platinum is the best price...
You could also buy silver annual
i think i would need right around the 500 but i could see myself going into addiction levels within a few months 😄
500 = $50... plat $70 or $60 something for 1000
yeah i think it'd be $70
but the one-shot silver per annum is definitely looking tempting 🤷♂️
$68
i don't need certs or pwn boxes though
i'll figure it out
i have a discipline problem i need to solve before monday 😛
n-hours-per-day / 2
same haha... but for a matrix and linear algebra test
you wanna do htb academy for 12 hours? that's cool
that's probably around the average
i have to code too... there's a project i want to do over the next six months. also another 4 hours per day minimum
try not to chew more than you can hold... that may not help your discipline issue... but I have no qualification to say anything
Anyways, this is a modules channel, we have strayed long enough, although it is kind of related...
bruh i'm actually thinking of drawing up a schedule that starts with 1) make bed 2) shower 3) brush teeth... 😄
whatever works for you... best of luck!!
Weird one here dude and dudettes, rdp session to an internal pivot host keeps dying periodically with this error:
```
[05:11:49:143] [10220:10222] [INFO][com.freerdp.core] - ERRINFO_DISCONNECTED_BY_OTHER_CONNECTION (0x00000005):Another user connected to the server, forcing the disconnection of the current connection.
[05:11:49:143] [10220:10222] [ERROR][com.freerdp.core] - rdp_set_error_info:freerdp_set_last_error_ex ERRINFO_DISCONNECTED_BY_OTHER_CONNECTION [0x00010005]
```
I am not initiating any other connections... are the target boxes shared?
Doing the "Pivoting and tunneling module" btw
When are the active directory labs going to be fixed? Anyone know?
are they not working right now? I'm doing the Active Domain Enumeration & Attacks module right now haven't had a problem yet but I'm guessing you mean the final assessment lab?
that works too
No, I went back to one of the ones further back in the AD section
I'm on "privileged access"
Yeah I tried switching vpns too.
You're a bit ahead of me but so far I haven't had problems connecting to anything, a bit slower than usual on RDP one time I couldnt even connect to the RDP but other than that it seems okay. Hopefully whatever the issue is gets fixed soon
How long have they been broken? Ive been trying to do them all night
"Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" I honestly do not know what I'm doing here. So far I downloaded the file and linked it to the object file and ran the program, but I'm having an extremely hard time understanding debugging in GDB.
If you set a breakpoint at _start and step through the code until you reach _start+16 you should be able to look at the rax register
If you installed gef it should show you where you are in the code and what value each register holds after each step
common name
this server is english only I think
the first CN is common name, the second one is the container the object is in which is users
How can I hack a website
I am a beginner
pls reaply
press control+shift+i and delete everything under elements
thanks bro. what does DC stand for?
yes And then
Domain Controller
congrats u have hacked the website
thanks
🙂
ya, no problem. AD gets confusing fast just a heads up. Everything has it's own concept and I mean everything lol
yup, it's taking me days to finish this intro because i'm constantly rereading everything 😂
but eventually it all makes sense
ya, have you tried messing with AD in python with things like ldap3 and impacket's Kerberos utilities?
nope, haven't reached that point yet
It's definitely a challenge lol.
sounds like one 😂
which path are you following?
I don't do academy lol
damn 🫡
which box is this then?
In the GAME HACKING FUNDAMENTALS module, I downloaded the official Cheat Engine tool and opened it successfully in Windows. However, when I went to load the Hackman process, it could not be loaded, so I am unable to complete the module. Has anyone encountered the same problem? Is it a known issue?
I can't say what boxes require Kerberos cause that might be considered spoilers. I've just been working on a side project that involves AD
spoilers? oh... didn't know it would be possible to spoil a box lol. Don't they give u an intro of what the box contains before u start it?
Module Password Attack - Section :Passwd, Shadow & Opasswd
I tried using mutated list and rockyou.txt both but still couldn't crack it.
Any nudge ?
How are the vpn connections?
For me I am able to spawn and interact with targets vpn-eu2.
Try rock you
I tried that one too waited for three hours couldn't crack it
This password module is the most frustrating one.
should be in the mutated list
Mutated wordlist is the right way
So I am doing a module where I need to go to the subdomain gitlab.inlanefreight.local. Yet when I go there I get redirected to port 8081, which doesn't have anything on it. Anyone that could help me understand why this is happening?
Fixed it by clearing cache.
I don’t think that’s the right hash.
Sanity check
Created this mutated list
.\hashcat.exe .\inputs\Password-Attacks\password.list -r .\inputs\Password-Attacks\custom.rule --stdout -D2 -d1 > .\inputs\Password-Attacks\mut.txt use same to crack another section
word list contain 187775 words
root:$6$XePuRx/4eO0Wuu....<snip> lilUw2EfqhXg.:0:0:root:/root:/bin/bash I got this one
the hash should be right
mutated list should contain 94044 words
try --stdout | sort -u > pass.txt
Let me see the full hash
root:$6$XePuRx/4eO0WuuPS$a0t5vIuIrBDFx1LyxAozOu.cVaww01u.6dSvct8AYVVI6ClJmY8ZZuPDP7IoXRJhYz4U8.DJUlilUw2EfqhXg.:0:0:root:/root:/bin/bash
Trying*
Alright that’s correct, it should work.
you should try saving the hash in a hash.txt file before using it in Hashcat / JtR
I am using txt file as input, as suggested by Xre0uS there is issue with mutated list. after sorting also I am getting 54550 words
your wordlist seems pretty messed up, do head, what do you see
hmm okay try again, you should only see english words for the candidates output in hashcat
I am not sure what am I missing, I am only getting 54550 words
You should follow the section’s command syntax used to create the mutated wordlist.
nah it didn't work for them because of some igpu thing
try mutating the list on linux maybe, since it uses the cpu anyway
.\hashcat.exe .\inputs\Password-Attacks\password.list -r .\inputs\Password-Attacks\custom.rule --stdout -D2 -d1 | sort -u > .\inputs\mut_password.list
-D2 -d1 flags are related to gpu issues and not using --force as suggested by many
I see, makes sense.
try this then.
yeah try in linux then transfer out to crack in windows, you should get 94k words
I cant try that on linux , I have my attack box on VM 😦 not enough memory to allocate to hashcat
I think chick3nman might be able to help
It might be unrelated issue.
anyone else seen this when using ligolo?
```
2024/02/03 11:05:13 [ERR] yamux: Failed to read header: remote error: tls: internal error
ERRO[0000] Connection error: remote error: tls: internal error
FATA[0000] remote error: tls: internal error
```
lmk when you've got it
It didn't even take 30 sec and hashcat cracked the password.
Thanks.
technical issue, unlucky
give your vm a bit more ram if you can
or could've mutated the list in pwnbox I guess
I am not sure what the issue is 😦 , I've been at this for like 4.5 hours
Will try that
I think it might be related libraries and something related to gpu.
yeah maybe, well at least the cracking part works
Something funny going on with my hashcat xD
I found the password in my wordlist too, but for some reason my wordlist is not working.
I hope such issues dont come during exam
So i am trying to make ligolo work with a module here and i keep having issues.
```
┌───────────────────────────────────────────────┐
│ Interface 2                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ ens192                         │
│ Hardware MAC │ 00:50:56:b9:ff:e3              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 172.16.8.120/16                │
│ IPv6 Address │ fe80::250:56ff:feb9:ffe3/64    │
└──────────────┴────────────────────────────────┘
```
And i try to add the network route like: sudo ip route add 172.16.8.0/16 dev ligolo
But i keep getting this issue. Error: Invalid prefix for given prefix length.
this issue comes when you try to give an incorrect CIDR range, try /24
172.16.8.0/24 might work (but I don't have any reasoning why it might work)
you need to give the first ip of the subnet
so if you want /16 it should be 172.16.0.0/16 but that's usually way too wide
/24 is enough as mentioned above
@next bronze can I dm I have one query ?
sure
need some help: "Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)", module SHELLS & PAYLOADS. I have created a war file and uploaded it, but I can't get my reverse shell to the provided pwnbox
is your lhost and port correct
Hello! I'm having a nightmare trying to get ODAT and SQL*Plus running on my Kali VM and was hoping someone could please help. Initially I did a new install of Kali, everything updated, and have all metapackages installed through kali-tweaks, and get the following:
```
sudo apt-get install odat
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Unable to locate package odat
```
I then spent the last night and all of this morning trying to install through the github page for Odat following the install instructions and despite trying several times and following the instructions I now get the following response when I try and run anything.
```
./odat.py all -s <target>
11:53:20 ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: DPI-1047: Cannot locate a 64-bit Oracle Client library: "libclntsh.so: cannot open shared object file: No such file or directory".
```
Could anyone please help guide me through getting this to work properly with library. I’ve trawled google and YouTube and no dice…
Try installing libclntsh.so
@brisk socket Check your dms. I'll try to help quick before i leave.
@paper gust I tried creating the wordlist but it differs from the expected output, tried installing cuda but it was failure, any insight what issue is causing this? (sorry to ping you)
- Even though the word on the wordlist hashcat was not able to crack it .
output.
it's not that
Because I can't enter your hacker box, you tell me an error, Networks
the proper mut wordlist size should be 90k+ words
did you install the oracle packages?
Yes Xre0us helped me with the wordlist. But on my end I am not able to generate the given size it's missing some words , it comes out around 50k
huh. weird
I did, I followed everystep of the installation readme on github
Are you installing it on parrot ?
the section shows a bunch of the oracle-* packages to install using apt
do you get an error with installing those
no, on Kali
No errors on installation or any step of the process. Odat will then fire up on it's own but when you add a target machine to actually use it it errors out with
```
ERROR -: Impossible to load local configuration files in conf/ and to set driver_name: DPI-1047: Cannot locate a 64-bit Oracle Client library: "libclntsh.so: cannot open shared object file: No such file or directory".
```
Did you read the section iirc they give you a command to run if you get that error
I'm sorry can't seem to find that, i just looked again
Took me half a second to find
It's likely a similar/related error to what you're experiencing
how come i am in the administrators group but not allowed to view the administrator folder
Running into some issue with the Password Attack module.
Specifically Remote Password Attacks > Network Services - I have the user and password but get denied when trying to view contents
is anyone getting issues on the PIVOTING, TUNNELING, AND PORT FORWARDING module? the target is not spawning more than an hour already
Sometimes you may have another target still up from another module. If you did previous modules, terminate the target (if you haven't) and try again or close browser, clear cache and try again
i am stuck at this point:
```
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
'unknown': I need something more specific.
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
nc: getaddrinfo: Temporary failure in name resolution
```
any clue on how to pass this point?
i don't have any target running. I just resume my module after 2 days. tried incognito as well, no luck
Hmmm, might be on the HTB side then. I don't work internally so I wouldn't know where to point you. I found that solution doing some research when I had the issue. You can try a different browser as well, but I am sure you tried that too
this is my first month ever using HTB and i gotta say it's been a complete mess trying to use the targets, they don't work half the time
Try running as admin
I'm having issues with the Password Attacks Module > Network Services: I get into smb but when I try to retrieve information about the dir, I get
```
Try "help" to get a list of possible commands.
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \>
```
I have tried the following commands from outside of the smb share
```
smbclient //10.129.202.136/cassie -U <pwnd-user>%<pwnd-pass> -c "ls"
smbclient //10.129.202.136/cassie -U <pwnd-user>%<pwnd-pass> -c "dir"
```
both access denied since yesterday
Here's a hint: the user should be the same as the share
THanks. So the password that was pwnd using crackmapexec was wrong?
Interesting. Had no idea. Have to try a different method. THanks
I believe the question says find the user for x service
And repeat for however many services
Yeah, bad timing, it's been a bad couple of weeks, they've had a bunch of upstream issues with providers, been using HTB for much longer than you and it's smooth sailing most of the time
Hopefully should be improving after the maintenance we did
In module Attacking Authentication Mechanisms, skills assessment. I managed to complete it with this, but I have a question about it: First I created an account with the /register endpoint, then used the /login endpoint to get the token. Bruteforced the weak secret, edited the token's isAdmin to true. Then I went back to the main page / and it asks for a token. So I sent a POST request with the token as JSON in the post data, but it did not work. Then I sent it with a GET request and it works. But how can a GET request take data from the request body? It's kind of a new concept for me, or at least very unusual, and I have not seen it before.
My final payload to complete it:
```
GET / HTTP/1.1
Host: asmt.htb.net
Content-Type: application/json;charset=UTF-8
Content-Length: 279

{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyX2lkIjoiNjViZTU0MjY2YmEyYWQ3YWI1ZjlkYjZmIiwiZW1haWwiOiJhM0BhLmNvbSIsImZpcnN0X25hbWUiOiJhIiwibGFzdF9uYW1lIjoiYSIsImlzQWRtaW4iOnRydWUsImlhdCI6MTcwNjk3MjE5OCwiZXhwIjoxNzA2OTc5Mzk4fQ.W-ZX4q3Sl7WazBUGKLP6c1ARhuIPDbcpJRvZ6pl9r4U"}
```
Sup hackers, I'm in the Java Deobfuscation module. In the first part, "source code", I retrieve the flag but the answer is not accepted. I'm pretty sure I have the right flag, HTB{flag} (to avoid spoilers I'm not pasting the real flag). I already tried cleaning any spaces at the beginning and the end. Any clue what's going on?
Check if you have spaces in start/end of the flag
done my dude there's no spaces in the start/end of the flag
Can you dm me the flag so I will check if its same?
yeah sure
its all a matter of how its programmed, in php for example there are variables for $_GET, $_POST, $_COOKIE and $_REQUEST. REQUEST holds the value of all other 3 combined, so if the handler for the get request uses $_REQUEST instead of specifically $_GET then they will also get stuff from the body
Thanks for your help!
Thanks, for clarifying. Something new learned again.
Doing the intro to assembly module. How come I am able to access the value of RAX with the registers command but not manual inspection?
Actually.. is it attempting to load the content of the RAX as a memory address? How do I reference the register itself?
SOC Analyst Path
Windows Attacks & Defense
PKI - ESC1
I RDP'd into the kali machine and from there RDP's into the WS001 machine.
Trying to replicate the attack scenario but facing an error when executing this command:
```
.\Certify.exe request /ca:PKI.eagle.local\eagle-PKI-CA /template:UserCert /altname:Administrator
```
The error is:
```
[X] Error sending the certificate request: System.Runtime.InteropServices.COMException (0x800706BA): CCertRequest::Submit: The RPC server is unavailable. 0x800706ba (WIN32: 1722 RPC_S_SERVER_UNAVAILABLE)
```
I checked services.msc and RPC service is running
Any help on this would be much appreciated
you can do print /x $rax, I think "x" you used always translates it to an actual address
That happened to me a couple of times. I resolved it by respawning the target a couple of times. I had to try a couple of times before it worked, unfortunately.
Interesting
Thank you for the reply
I'll try doing that now
im doing the nmap module and am trying to nmap an ip with the all-ports flag (-p-) but it is taking forever, what should i do?
anybody interested in studying for the OSCP with me hardcore?
try nmap -T5 -p- <ip> -v | grep 'Discovered open*'
I can help you study
My old oscp training partner hacks for Tesla now. I'm good for it.
Lmk if you want to do some proving grounds boxes sometime
Can confirm this works.
Thanks!
Remote Password Attack (Password Mutation and password reuse):
the command given to mutate the password list in the resources file has over 94K lines once mutated. Instructions say to run mut_...list. Is this list intentionally supposed to be long for cracking the password for "sam" or did I do something wrong? Been running for about 25 minutes. Not sure if this is intentional or maybe I am doing something wrong
Thanks. I'll shoot for that
Dm me
oh not accepting friend requests
yeah message me
I tried it once a couple years ago and failed
but im intent on becoming the best hacker I can be
so I need that cert
Remote Password Attack (Password Mutation and password reuse):
Tried ftp and got login errors with crackmapexec, and hydra dropped out with "disabled, too many errors" - any suggestions
my syntax:
```
hydra -l sam -P mut_password.list ftp://<ip>
crackmapexec ftp <ip> -u sam -p mut_password.list
```
@onyx dust cant send you a friend request
all set
Looks like a rule violation to me
@next bronze I use that next time.
yes please do
Same here lmao
Currently working through password attacks on the following question "Examine the target and find out the password of the user Will. Then, submit the password as the answer." While waiting for my password search to go through I took a look at the hint and saw the SSH login for Kira. I was just wondering was anybody able to get this login using Hydra or through another method because bruteforce takes forever for me currently.
Which sub module is examine the target?
2 things:
lowercase
Mutated
anyone else unable to get their targets to spawn today?
It's the Credential Hunting In Linux submodule.
So I used the same mutation that was given in the earlier section for Remote Password Attacks:
```
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
```
Yes, you reuse that list throughout the module
Also, save passwords you find. They are helpful
SOC Analyst Path
Windows Attacks & Defense
PKI - ESC1
```
   ______        _
  (_____ \      | |
   _____) )_   _| |__  _____ _   _  ___
  |  __  /| | | |  _ \| ___ | | | |/___)
  | |  \ \| |_| | |_) ) ____| |_| |___ |
  |_|   |_|____/|____/|_____)____/(___/

  v2.0.1

[*] Action: Ask TGT
[*] Using PKINIT with etype rc4_hmac and subject: CN=bob, OU=EagleUsers, DC=eagle, DC=local
[*] Building AS-REQ (w/ PKINIT preauth) for: 'eagle.local\Administrator'
[X] KRB-ERROR (16) : KDC_ERR_PADATA_TYPE_NOSUPP
```
Tried manually copying the .pem and .pfx files between linux and windows, tried resetting pwnbox, tried doing it on my own VM (EU server). Nothing worked. I got the .pfx file, copied it from Windows to Kali Linux.
I have been doing that. I was wondering if it's possible to get a response when the mutated list through Hydra to find the SSH creds for the Kira account as I have yet to see anything find the password in a timely manner.
And on top of that the Kali Linux machine is super laggy, unresponsive, disconnects over and over. SUPER frustrating.
Don't use ssh
Use a different available service
Ssh is super slow with hydra/cme
Always scan targets. You're usually given an end-goal, that doesn't mean it's the first step
I had gotten other services, but when looking at the hint, and seeing that I wasn't getting a response I thought I had to refocus strictly for SSH.
I'm struggling with two questions in the Hack The Box Footprinting module. In the SMTP section I have used all wordlists to find which users exist and also the version, but when I submit the answer it is incorrect
If you find tell me I'm on this since yesterday and I have the same problem
trying to escape a string to execute command
said program runs
```
sh -c /usr/bin/sqlite3 /var/www/DoodleGrive/db.sqlite3 -line 'UPDATE accounts_customuser SET is_active=1 WHERE username="test";'
```
user can specify the username which is put in the username field binary is setuid and runs as root
What module is this for?
its for a box actually not a module
I cant ask anywhere else because I do not have access
This channel isn't for help with boxes
Ive tried using the bot to identify but its broken
I know it isnt but if anyone can help just do so instead of "just wait till you can use a propper channel" 💀
"It's broken" did you message a mod/admin to get it sorted?
I have and just did once more
Then just be patient: this channel's explicit purpose is for academy modules. There's channels for #boxes {boxes} and #challenges {challenges} once you're connected
if that is your way of saying you do not know then alrighty
It's my way of saying you're not gonna get answers here
sure
@slender shoal ^ can you help verify this mans
anyone can help me with Attacking Thick Client Applications?
appreciate it
Look up a walk-through for "Fatty" this section revolves around a retired insane machine
@rustic sage dm me
hmmm
I've come this far
but i can't find this
Completed the footprinting hard lab with little to no help at all. Small achievements
Nice man! Well done!
Nice! I did alright on that one just now. Apart from I was looking for a hint towards the end and saw the simple thing I needed to do so kinda cheated ,
Seemed easier than the medium
Hello, idk if im asking this in the correct channel but i just made a HTB account and it says i have to verify my email i didn't get any email and clicked resend and waited a few minutes but still got nothing, is there any way to fix this?
Oh nvm i just got it rn
i am in the introduction sequence and have reached the "interactive part with target", yet when typing in the ip it keeps telling me it took too long to load, what do I do?
If it's a public ip with port: you need to include the port
http://ip:port
it has the port included
the docker target in the instructions I was given, which I assume is the same for everyone, is http://157.245.40.149:30655
Reset the target
thanks that seemed to fix it
Can SeBackupPrivilege be abused to dump the NTDS remotely? Or will you need an active session on the DC?
am i allowed to ask questions about retired boxes here?
You can ask here #boxes
I dont have access to that unfortunately
which pro lab do you recommend to prepare for the CPTS exam?
<@&861185840277487616> slipped through the cracks
Usually the links are auto yeeted by the bot/automod
@slender shoal Hello, Can i dm for a question
Sure
Why would password spraying with rpcclient result in more hits than when I do the exact same user list and password through crackmapexec? I know there's probably a simple reason for this
Enumerate the smtp service and submit the banner, including its version, as the answer. // struggling
Well one way to get a service's banner is with netcat
Another is to just connect to it
Enumerate the smtp service even further and find the username that exists on the system, submit it as the answer // struggling.
Repeating it won't get you an answer faster
I've done this and said my account violated the terms and guidelines of Discord
Use the techniques shown in the section
Let me try and repeat it
Well there's nothing we can do for you here
Thanks.
sorry
This server doesn't do any "account recovery" stuff.
That kind of thing breaches discord ToS as a whole
Is there one that does ???
And anyone who sells you that service is likely scamming you
Contact Discord support. We cannot help you.
Discord support are the only ones able to help.
If Discord said your old acct broke ToS then there's nothing that can be done
But it was unfairly !!
@hot oyster I'm going to ask that you do not continue this. Contact support, as they are the only ones with the ability to help.
Ok? Then appeal and ask for proof. Many people say they're banned unfairly
But aside from that then literally no one can help you.
I'm not skirting around some ToS by telling you: no one can help you
Anyone that offers that help is a scammer
oh ok
There that's discords official support response to this issue, good luck it can be a hassle from what I've heard
Hello everyone, could anyone help me with a window lifting exercise?
Other Files
- find the cleartext password for the bob_adm user on the target system.
I believe it's doing the PSSLite technique, but the Set-ExecutionPolicy Bypass -Scope Process command showing in the session doesn't work, is this the right way to finish, or is it mapping the files in search of the password?
Information Gathering - DNS "What is the first mailserver returned when querying the MX records for paypal.com?"
I'm gathering the MX record and inputting what I'm finding but I'm not sure if the format is correct. It keeps saying incorrect.
what is your MX query? and what answer are you getting?
what question is that?
the command I'm using is ||dig mx paypal.com @192.168.52.2|| and the answer I'm trying to use is ||mx2.paypalcorp.com||
mx1
:^)
nslookup may give you the result in a diff order
It was technically the second BUT i can see why thats the answer lol
critical thinking
do you get diff results without adding the dns resolver?
idk I completed the section and moved onto the next one
always good to double check but if you're satisfied and want to move on go for it ¯\_(ツ)_/¯
youre right
Yes it did. It came up in the correct order
anyone can help me with Exploiting Web Vulnerabilities in Thick-Client Applications? I can't download fatty-server.jar
anyone??
@fickle sparrow your messages are getting yeeted by automod
you'll need to link your htb labs account following #welcome to post textblocks/images
Thank you!! done
also for formatting textblocks
put ``` in front and behind the block
what module is this for
also are you sure you can write to the directory you launched ftp from
usually it gives you a local: permission denied message but idk about Passive mode
you also didn't answer: which academy module is this for
if this is for a starting-point machine then --> #starting-point
thanks
also be wary of posting info from machines: as they can be considered spoilers
it could be that you intentionally can't download that file
Has the spawning targets issue been fixed? I'm doing the updated part on Windows Privilege Escalation - Citrix Breakout and i'm having some troubles spawning the target you're supposed to RDP in
it seems like it's still intermittent; better than before - switch vpn regions
will do, if it doesn't work i'll call it a day and try it again tomorrow, no reason to hurry
i hope everyone becomes a good person and happy
Active subdomain enumeration - I added the IP to the hosts file with the DNS name and used nslookup to get the FQDN but it says unable to connect to server
Can you show your /etc/hosts file?
i'm stuck here for 3 hours
you still need to specify the ns for it
using the IP works fine
what's in the Tools directory
that the lnk points to
||nslookup -type=NS 10.129.28.180|| ||nslookup -type=NS inlanefreight.htb|| both these commands give me the same error
this
i haven't done this module so i can't guide you; also as a sidenote - don't dm without asking
One dumb question but how do you exit xfreerdp full screen 😅
what is this module?
esc?
i never do fullscreen xfreerdp i always do /dynamic-resolution so i can resize
I didnt know you could do xfreerdp full screen
yeah; it's one of the many options
No it doesn't work 😭 I had to terminate session to exit
[Ctrl] + [Alt] + [Enter] try this.. @ruby whale
thought full screen only worked on rdesktop
Stuck on:
ATTACKING COMMON APPLICATIONS: Attacking Thick Client Applications
Question: Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password.
With x64dbg done this as per module.
But when I use strings it says
Can anyone help with this section? It's really something that is weird
like +clipboard to ensure clipboard functionality
VMware goes into full screen mode
@tawdry vapor Have you done the thick client section?
From now onwards using Dynamic resolution
it's likely ctrl or alt is bound to be the host escape key
Would there be any reason I'm suddenly having trouble connecting to any machine via RDP with xfreerdp? I'm currently in the Active Directory Enumeration & Attacks module and I haven't been able to RDP using xfreerdp at all, the authentication happens and then I just get a black screen. Remmina is working perfectly though so I'm wondering if there's some setting in xfreerdp I should be including since the machines I'm trying to connect to are part of an AD environment?
Fixes:
- in case of pwnbox--> reset targets and try again
- in case of VM---> try downloading openvpn file with TCP not UDP. then try connecting
Apart from those in AD there are specific sections where things get really odd.
Anyone ???
Yeah I'm using TCP for the VPN, issues only started when I switched to the EU servers the other day when I was having trouble spawning targets. Maybe I'll try going back to the usual server I would be on
Okay..!
AD Enumeration & Attacks - Skills Assessment Part I Target is not spawning.
Any news on when they are going to fix the AD labs?
Or does anyone know which servers work?
anyone can connect to the pwned machines?
I'm receiving this error message :
[21:32:07:799] [8606:8607] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[21:32:07:799] [8606:8607] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[21:32:07:799] [8606:8607] [ERROR][com.freerdp.core] - freerdp_post_connect failed
what academy module is this for?
Windows PrivEsc
it also just looks like xfreerdp being dumb, sometimes that happens
I tried with remmina same result
idk then reset target ¯\_(ツ)_/¯
LoL I tried from my Kali VM and my host with no success....
maybe today is not my study day, LoL
Attacking common applications
Dm me
AD Skills Assessment Part 1, cd command does not work
what am I supposed to do with this web shell?
you generally can't cd with a webshell
but you sure can dir C:\
<@&861185840277487616>
For future reference in the Scripting AoB section of Game Reversing and Modding the last script doesn't work, and it does not work because the provided pattern on the AOBScanModule is not universal, you need to generate your own, following of course the examples given in the module. It's very important to read the Relative & Absolute Addressing section because without it you won't know how to spot the pattern needed.
Thank you
so what you're saying is you need to read the section and not just copy/paste a script
None of the AD modules in AD Skills Assessment Part 1 webshell are working.
Where do I even start here!?
Looking back at the material I can't find anything about an Antak webshell
Can someone point me to that?
is powerview.ps1 in the C:\ directory?
also why not work to upgrade the shell from a web to a full shell or enabling rdp
I got the first flag by using the type command
ok? that's not what i said though :P
Don't know where to start with this one though.
how?
I can't even CD with the webshell
create a revshell
use like msfvenom or grab one from revshells.org and upload it to the webshell
webshells suck and are very limiting
That's why I am confused. This is very different than the end of module questions thus far
i mean my dude, there was a whole module on shells way earlier on
not to mention there is a way to kerberoast SPNs i forget exactly which section, but there was a whole ass bit regarding SPNs
What would lead me to this conclusion so far?
I've barely just got the first flag!
Yeah, didn't work
"Kerberoast an account with the SPN"
it literally gives you the SPN
but i think first and foremost: getting a better shell is more of a priority
NOPE! lol
for christs sake dude: read the error -> command not found
meaning whatever powershell module that would load the command isn't loaded in/imported
It's literally yelling at you that the command isn't found
reviewed my notes for that module, slow down and read what marcielee is saying, you really should get a reverse shell from that web shell
My first question once I saw where you tried to import the powerview module: is it in the C:\ directory?
just because you didn't see an error doesn't mean there wasn't one: webshells lack a lot of visual clarity for things
normally the error line would be deep red
you can just nab a simple revshell from the revshell site yeah?
Yeah, because it's loaded but I can't cd into C:
that... wasn't... the... question
is ActiveDirectory loaded?
ah you uploaded one
basic powershell
yeah, i've learned a lot, totally would have done it differently now knowing as much as i do now
The Get-InstalledModule cmdlet gets PowerShell modules that are installed on a computer using PowerShellGet. To see all modules installed on the system, use the Get-Module -ListAvailable command. This is a proxy cmdlet for the Get-InstalledPSResource cmdlet in the Microsoft.PowerShell.PSResourceGet. For more information, see Get-InstalledPSResou...
The Get-Module cmdlet lists the PowerShell modules that have been imported, or that can be imported, into a PowerShell session. Without parameters, Get-Module gets modules that have been imported into the current session. The ListAvailable parameter is used to list the modules that are available to be imported from the paths specified in the PSM...
I am not following in any way shape or form.
2 ways of using basic powershell to get the loaded modules :)
but imho step 1 should be just getting a reverse shell instead of working with a clunky web one
I'll try to get a shell first
👍 you can use an msfvenom reverse tcp payload
I wonder if julio.txt has any text
```
root@linux01:~# smbclient //dc01/julio -k -c 'get julio.txt' -no-pass
getting file \julio.txt of size 0 as julio.txt (0.0 KiloBytes/sec) (average -nan KiloBytes/sec
```
Password attack one the most annoying modules :p
My bad I might be missing something
it happens
Doubt - why listing files on share show size 0 ?
maybe by trying what I missed I will be able to access the files, but not sure reasoning behind it
maybe manually connect to it and don't run a command
Yes I figured this out.
But why cant we list it using the commands
No its not
pretty much yes. The question doesn't do a very good job at making this clear, since in that section you're provided a "finished" AOB Injection script, it should be worded more clearly in the sense that you're supposed to make your own. Not just follow blindly the example
I have a question. In the scenario below, was it possible to do a PtT instead, rather than waiting for a successful paswword crack?
Scenario 1 - Waiting On An Admin
During this engagement, I compromised a single host and gained SYSTEM level access. Because this was a domain-joined host, I was able to use this access to enumerate the domain. I went through all of the standard enumeration, but did not find much. There were Service Principal Names (SPNs) present within the environment, and I was able to perform a Kerberoasting attack and retrieve TGS tickets for a few accounts. I attempted to crack these with Hashcat and some of my standard wordlists and rules, but was unsuccessful at first. I ended up leaving a cracking job running overnight with a very large wordlist combined with the d3ad0ne rule that ships with Hashcat. The next morning I had a hit on one ticket and retrieved the cleartext password for a user account. This account did not give me significant access, but it did give me write access on certain file shares. I used this access to drop SCF files around the shares and left Responder going. After a while, I got a single hit, the NetNTLMv2 hash of a user. I checked through the BloodHound output and noticed that this user was actually a domain admin! Easy day from here.
Weird, have you tried resetting the target.
I did try two ways
- updating KRB5CCNAME on svc_workstation as root and get julio.txt
- getting /tmp/krb converting it to julio.krb and then using Rubeus.exe to get same results
Let me try resetting target
You need the TGT for pass the ticket, but in the scenario they only acquired the TGS, that’s only good for cracking
They are both called ticket, so it can be a bit confusing
I don’t think the ccache is expired otherwise it wouldn’t let you impersonate as Julio so reset and redo the steps, btw which PtT/PtH section is this?
Pass the Ticket (PtT) from Linux
Okay, that makes sense
I was playing with ligolo, tried replicating this: proxychains impacket-wmiexec dc01 -k
gives [-] [Errno Connection error (dc01:445)] [Errno -2] Name or service not known
anyone tried to use this with ligolo?
With ligolo, you don’t need proxychains
I didn't use proxychains just impacket-wmiexec dc01 -k it was not able to resolve dc01
did you map dc01 in the /etc/hosts file?
Change your vpn server and spawn the target
switch in between us and eu. and spawn the target.
ok i switched from us 1 to us 3
yes and you would have to re-download new vpn file for that.
i c
Ah yes there was a typo 😔
@soft cedar resetting worked
Finally after going at it for 4 hours + completed the section, resetting does help. 🙂
Guys, on the Active Infrastructure Identification in Info Gathering. Working on VPN. Could grab the header with curl,so it's up. Can ping it but when I try to whatweb I keep getting connection refused for both IP or the .local domains it gives. I could see other people use the same command and get results on forum. I think I'm missing something about the setup here. I think I'm on UDP VPN if it matters. Help please 🥺
Could you share the command and output? before logging off I will try to help
Hang on, i think I'm onto something with the hosts file
Thanks for offering to help. I think I'll try harder for now
@tranquil axle you can. To achieve it you need to dump the NTLM hash with mimikatz, forge a ticket with the NTLM provided, and perform PtT attack.
silver ticket and kerberoasting are two completely different concepts, to be able to get an NTLM hash of a service account you'd generally need system/admin level privilege on a machine
i'm on pass the ticket in password attacks, and how do i get ccache for linux
can someone help
pass the ticket
Yeah, from this scenario there is a system level access.
well @tranquil axle has already answered it, you need a TGS/service ticket to PTT
also, silver ticket doesn't necessarily give you more access, since you need the NTLM hash to be able to forge one, it's more of a stealth/persistence thing
with system access you can run this command to get the NTLM hash.
```
#use Mimikatz to dump all users' Kerberos encryption keys
mimikatz.exe "privilege::debug" "sekurlsa::ekeys"
```
See OverPass-the-hash Attack module
Yes, I know silver ticket doesn't give you more access. I was thinking of other methods
@next bronze thanks tho.
Any updates on the connection issues?
I'm attempting an ssh login on a target, yet when it asks for the password i can no longer type any characters into the console? what do i do?
Does this one liner work for you(you may need to install "sshpass" to make it work) ? :
sshpass -p '<YOUR_PASSWORD>' ssh -o StrictHostKeyChecking=accept-new username@<IP_ADDRESS_OF_THE_MACHINE>
Alternatively try this:
Generate an SSH key pair on your local machine:
ssh-keygen -t rsa -b 4096
Copy the public key to the remote machine:
ssh-copy-id username@<IP_ADDRESS_OF_THE_REMOTE_MACHINE>
After you've copied the public key to the remote machine, you can now SSH into the remote machine without a password:
ssh username@<IP_ADDRESS_OF_THE_REMOTE_MACHINE>
all i get is an error saying missing file specifications
you can't see the password being typed but it's still being entered, it's a security feature. just copy then ctrl shift v to paste
oh right^
does it ever explain that?
completely forgot about that
- copying from my machine into pwnbox isn't working as it never gives me the option to paste
- typing it out manually just tells me permission denied
fullscreen the vm and look in the bottom right corner
It allows you to copy commands over
thank you
No problem 🥳
i'm struggling with finding the way you can have all directory paths displayed as for my device it is dir
am i missing something?
.
Do u mind if I dm you I'm stuck there? In the DNS rebind portion of the lab
sure, i'm leaving now but i'll answer when I have time
use all the tools mentioned in the section
Thx!
Active Directory Bloodhound Skills Assessment Hint
Question: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78).
||MATCH (a:AZUser)
RETURN count(DISTINCT a) AS TotalAzureUsers
Looking up GLOBAL ADMINISTRATOR in Bloodhound and right-clicking 'Shortest Paths to Here' yields n Azure users.
(n/TotalAzureUsers)×100||
hello ive just launched hack the box for the first time yesterday, and im doing one of the easy difficulty machines
anybody have advice or some sort of link to a tutorial i could use?
alright makes sense
Attacking WordPress module.
Problem: I'm attempting to use Metasploit in conjunction with the WordPress admin account to carry out the exploit. However, I'm encountering an error that halts the process. The specific message I receive is: "Exploit aborted due to failure: unexpected-reply: Failed to upload the payload."
Request for Assistance: Has anyone faced a similar issue or does anyone have insights on how to resolve this? Any hints or suggestions on alternative approaches to successfully upload the payload would be greatly appreciated.
how to solve this: harry.potter@94.237.56.188: Permission denied (publickey).
Skill assessment - login brute forcing
Did you setup the correct parameters on Set using metap ? @lapis delta
if i did not, it would not authenticate, no?
RHOST contains RPORT also
yeah, two different ports
Mimikatz allows you only to extract an NT hash from memory, and that would be possible if the account (service account) in this instance was a local account or has had a previous logon onto the machine. From my existing AD knowledge I don't think you can request an NTLM hash of a domain user just because you're SYSTEM on a domain-joined machine (unless of course you have the user's password, then you could get a ticket). You NEED the NT hash of the service account to be able to craft a silver ticket, which is basically still a TGS that allows you to access the service whenever in a stealthy manner. In this scenario the tester kerberoasted with SYSTEM to retrieve a domain account service ticket, that would only be good for cracking, and not in any way passing the ticket. We are really not the tester, and we're not the ones doing the test haha so we wouldn't know other variables to factor in, but the emphasis on the story was the use of custom rules to mutate wordlists and be persistent with cracking I believe.
I want to ask this one...
you found them on the two collection zip file from desktop?
Hey! As far as I can remember, I only ran the VADs collection, rest were on desktop. Although I could be forgetting. I also remember there being useful collections relating to the registry in Velociraptor
Can you help me with advice on where to look in ABUSING HTTP MISCONFIGURATIONS Skills Assessment - Hard? I can't find the cache?
I have the same problem with the svg file upload.
I could trigger XSS but no XXE, I tried everything, even tried remote DTD, checked Hacktricks and PayloadsAllTheThings
I found the images directory by fuzzing so I am triggering it well (hence XSS works)
PIVOTING, TUNNELING, AND PORT FORWARDING-RDP and SOCKS Tunneling with SocksOverRDP
i cant load SocksOverRDP-Plugin.dll because regsvr32.exe is detecting it to be a virus
i can't find the file exclusion list any other solutions beside disabling the windows defender?
im gonna go to bed now, i will work on this tmr
Has anyone run into an error with Julio's flag on the Linux PtT module? Specifically the question "Check the /tmp directory and find Julio's Kerberos ticket...". I have retrieved the flag two different ways now, and the flag is never accepted. I see there was a comment made by another user last February complaining of the same thing.
theres like 3 steps to this if i recall correctly from my notes. you dont just go from svg to shell, you have to check out what file types are filtered on upload. svg could get you the source... but you need to investigate the source to get to the next step. dm if you need.
Yes
I have ensured there are no whitespaces or any other special characters. It is very clearly the flag. The module directs me to \DC01\julio\julio.txt (and i retrieve this file). It is as if the flag changed or is mistyped (or i'm seriously missing something)
Disable the windows defender first before you transfer the binary over to the target and make sure to run PS as administrator before loading the plugin. 👍🏼
Alternatively, download and learn ligolo-ng
Thanks. I had to make a reload after the uploaded svg on the MAIN page and not the /images directory to trigger the XXE, now I can get something with file://
ahhhh i misunderstood the issue. nice work. dm for moral support.
Where can one report typos on the page?
Cheers
#858470491676737536 is for academy modules, there's no fix suggestions channel for starting point machines, read #welcome and follow instructions to access more of the server
BTW it would have been nice to mention in the Upload/SVG/XXE student material somewhere that when we try to get something with php filter look for the result INSIDE THE SOURCE CODE after a reload and not on the screen
#858470491676737536
That messed me up too.
Actually post it in #858470491676737536
"Tagging" #858470491676737536 doesn't do anything
An HTB Academy team member reached out to me regarding this
He tried doing the lab and got the same error
They're looking into it
how to fix armitage exploit "connection with 'host ip' timed out"
I found another way to solve it, I launch a reverse shell in Velociraptor, and use the powershell
Skills Assessment - Introduction to Digital Forensics
this is how to solve without using collections
wow the relaying module is really good
🙂
I wonder if there will be any cloud modules
Perfect keep me updated with this plz
If I have the free version of HTB i can only use the web based parrot linux for 2 hours only and then cant use it again without VIP?
For the main platform yes.
You can also just download/install a vm and use the vpn for unlimited time. This channel isn't for main platform, it's for htb academy - read #welcome
Ahh I see, and my bad
The issue is that i got a chromebook so it's not possible for me to get a vm
You can absolutely install a linux OS on top of one though
Chromium is just a shitty linux
Ahh I see, ima see what I can do
@maiden field @topaz latch Hello guys. I've spoken with our Labs Engineer and he told me everything works fine. You only need to wait 7-10 minutes before requesting any certificates.
He also informed me that he will try to reduce the waiting time by changing the configuration of this lab.
HTTP Attacks from CWEE Path
Log Injection (CRLF)
I'm having trouble with the exercise, can't get the server to accept %0d%0a even though it's supposedly an introductory exercise with a very clear path to solving it. Any clues?
Yo, are there problems with the labs again?
I'm having quite a difficult time with the Advanced Javascript Deobfuscation exercise in capturing the flag. I captured the hidden flag in the code but HTB states my answer is wrong. It has to be right based on the instructions followed in the exercise. Confused?! 🤔
This is a really really interesting module, really makes things going, but it's noticeably different than others. Not harder per se, but requires some knowledge in C#.
Check for trailing spaces maybe
Finding this super odd, have gotten a friend to help and he couldn't figure it out either. Has anyone actually done this module?
I am doing DNS section of footprinting module. I'm on question 2. So my AXFR queries show its possible to get zone transfer but I am having trouble finding the text for the text record. Can someone help me out? Please don't just give me the answer.
you might need to dig an extra level deeper
Hey guys
can someone help with password attacks
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer. idk where kira's password is
Protected Files
you got it from an earlier section of the module
Credential Hunting i believe
take this as a note: always save credentials you find
i cant find it do u have her pw
solved
So I just finished the "Introduction to Windows Command Line" module. It is really really cool, however there is one detail that makes it average. Last skill assessment question is:
" What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account."
There are not that many ID 4625 Events on the host so I used:
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4625} | Format-List -Property *
to check them in detail. I used all user account names that were mentioned in any of the events and none of them worked.
In the end the answer was a user whose user account name does not pop up in any of the Events on the host. 😡
you didn't get her password as an answer
you used her password to do the credential hunting for will
:) easy recrack though if you wanna just throw the mutated wordlist at ftp
ic ok thank
are you running it on the domain controller?
the question explicitly tells you to run check on the domain controller; not on the initial host
I’m stuck in a single question, they said “enumerate the custom script that is running on the system and submit its output as the answer”. How do I know what is the output // that is for SNMP
use the snmp tools provided by the module
you'll see script:: output
basically
script.sh
lines
lines
lines
output
i believe braa might cut out the part where it shows the script being run
and just show
script.sh
output
Nope, it shows me "message cannot be decoded"
now I'm on the last section of DNS
can someone give me a hint? I think I need to find another wordlist
am I wrong?
are you using the community string?
this is for last question of dns section of footprinting
what's the question?
is that the one where it has you use the tool?
Yessss I got it now. Thanks a lot
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
if so: fierce wordlists are your friend
yes; subdomains of subdomains is your other hint
ok thanks
is chatgpt allowed for cpts exam
There is only one host provided for this task, so i assumed that is the Domain Controller. The events with specified ID are there etc. It is just the events that should provide the answer are missing.
But anyways with Get-ADUser -Filter * one gets the list of all potential answers so it is not that bad.
I just write it here, so that the mods will update it someday. And so the peeps struggling with this one can get their answer.
it is not; one of the questions on the Windows CLI skill assessment even gives you an internal host to connect to
There is only one such question. And i can also see a reason why only one.
and it explicitly tells you that it's the Domain Controller in that question (172.x.x.x)
For this one you are asked to connect to the specified host. The host is a part of the AD so you can get domain information from its console. If it was as you say, they would ask again to connect to the X.X.X.X host to do the task.
except it tells you and says explicitly "What account on the Domain Controller"
meaning you need to connect to the DC (Domain Controller)
You are right mister, I just checked it. Thanks for explanation. For my defense, this question should be rewritten ;d
it really doesn't. It explicitly tells you where to look for the answer
just because you misread it. doesn't mean it's written poorly
i am not a native speaker, sorry
I think I have solved the last DNS question I just have to wait for it to finish loading
the answer will be in the format a.b.inlanefreight.htb {a being the one that has the .203, b being the subdomain you bruteforced}
ya I get that part
just waiting for it to show up
I know its taking a while so I'm gonna maybe watch some TV or something while I wait for the thing to load
it shouldn't take more than a few minutes btw
ok what if its taking 20 minutes or 15 minutes
wrong word list?
should I try different word list?
I tried both fierce wordlists and one was taking forever and the other one didn't have the answer
ok thanks
the targets for academy seem to be acting weird
so it might take longer: but tbh if you're going at the wrong subdomain you're gonna get no answers anyway
ok got it well I am trying the for-loop one for the specific IP address
how do I know I got the right subdomain?
dig axfr inlanefreight.htb @ip
do that first
ok
How do I login? Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer. password attacks
do I need to use the IP of subdomain or can I use same IP?
right now I am using the FQDN of a subdomain I think is it. I narrowed it down to 2 subdomains
you have to use the same IP
ok thanks
I mean FTP works, SSH too
and how do I know which word list to use?
is it same wordlist as previous or fierce wordlist?
the fierce wordlist is used for this part
it don't work
ok thanks
"it don't work" isn't an error message that I know of
it says password incorrect
then you copied her password incorrectly
if you just copied it from the hint in the Credential Hunting section: then yes it won't work
no i cracked the new password from the file
it should work then ¯\_(ツ)_/¯
Protected Archives
so you have the .zip and cracked that password?
wait nvm i used the wrong pw
:)
I thought I had to use the cracked password from the prev section smh, thanks
then what would be the point of cracking the zip file?
it's just for the prev section to crack the encrypted file, I thought it was a new pw
2 steps when examining things
- try a pw you already know
- bruteforce
ok thanks
ok solved the DNS section
marcy, u have a good pfp
ty, I commissioned it a while back
I'm working through the Footprinting medium box rn.
Stuck on something, but I think I’m close
Hi guys, I'm stuck on this question for three days. "Examine the target and find out the password of the user Will. Then, submit the password as the answer." ||Sometimes, we will not have any initial credentials available, and as the last step, we will need to bruteforce the credentials to available services to get access. From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". We have already provided a prepared list of passwords in the "Resources" section for simplicity's purpose.|| So far I've tried ||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_pass.list|| and ||hydra -l kira -P mut_pass.list ssh://10.129.202.64 -t 64|| and ||hydra -l kira -P mut_pass.list ssh://10.129.202.64 -t 48|| I still don't get any match. Could someone give me a hint?
I found the NFS share, mounted to my local machine, but when I try to cd into the folder it says access denied
Is it a configuration issue on my end?
No it's not. LoveYou1 won't login.
u need to mutate
move around as root
a specific word, and then maybe try to crack in using a different service
this is one of the few times su to root is actually a thing
Oh ok, I thought it was on my end. Good to see I’m on right track here.
Haven't su'd to root on the HTB Parrot VM. Anything special to do it?
nope
just sudo su
you might get a bunch of strange letters
but that's just a weird thing in the bashrc file
I'll need more context
Thanks @fathom pendant
lowercase kira
also
don't attack ssh; attack another service
services can limit your threads btw
Password Attacks Lab - Easy hint? I just use hydra on ssh using the mutated pass list, right?
Thanks mate. Right now I'm attacking ftp, am I on the right track? ||hydra -l kira -P mut_password.list ftp://10.129.202.64 -t 48||
should get you there in a few minutes
Thank you very much. 😀 I was stuck on this for three days 😂
step 1) enumerate the target
also as a note: you'll want to save any and all credentials you find for this module
Thanks mate I will do that
48 is generally a good bet for ftp threads
also, should I attack the easy lab with mutated passwords or no?
i believe the mutated list should work
I see, ok thanks
so on the Windows Fundamentals module, in "NTFS vs. Share Permissions" it says "Once the proper inbound firewall rules are enabled we will successfully connect to the share." They don't say which ones, so I had to look for them. idk if it was intended that we knew beforehand, but well, I guess it's part of the learning to look for them
maybe I didn't read something
Already did that part only wanted to know
AD Enumeration & Attacks - Skills Assessment Part I
how do I get a shell from the webshell? wget doesn't work
Hey, so I'm having a problem with module 19 section 103, where I have to enumerate the ports and their services, find the service that can't be fully scanned and find the flag. Sometimes the port scan doesn't ever load, but I have found a workaround for that as it sometimes works and I can just write down the port statuses. Hopefully it's a connection issue with me and HTB, or I'm just running too many enumerations and cancelling them when packets drop?
you should only ever need to run one nmap scan at a time
the issue here is that the nc -nv ipaddress port just times out
the 220 htb thing?
I'm trying that again, but a couple days ago I copy-pasted it like 3 different ways and it was wrong
2 things:
Delete the screenshot
the only thing that matters is the HTB{..} bit
make sure you don't have any spaces before and after
no spaces ok. thanks
yep
220 isn't important; that's literally a response code, that generally means "I received your connection"
A 220 code is sent in response to a new user connecting to the FTP server to indicate that the server is ready for the new client.
Hi mate, I waited until it finished, still no match found.
try resetting the target; it's likely your attempts to bruteforce ssh with 64 threads DDoSed it
Thanks mate I will do that
Last Password attack Lab to go , then I will be done with this evil module.
It is satisfying to solve password attacks lab after toiling through the sections.
Hi mate, after resetting the machine I ran it for a while, still not getting the password. Are you sure it's for attacking FTP on this one? Because this is for Credential Hunting in Linux, not Password Mutations, because I remember in Password Mutations I used this method to attack FTP. But this is for the question of Credential Hunting in Linux. So far all the hints talk about attacking SSH: https://forum.hackthebox.com/t/password-attack-academy-credential-hunting-in-linux/267992
Hi everyone, I have been stuck now for a few hours in the “password attacks” academy in the “Credential Hunting in Linux” section. The question asks “Examine the target and find out the password of user Will. Then, submit the password as a response.” In the hints it says: " Sometimes, we will not have any initial credentials available, and as ...
Yes: I'm sure
Hey @celest haven, which section are you working on?
The module has you reuse that mutated wordlist
what section is that?
Yes i did use the same password list from the Password Mutations
For Kira you don't require the whole mutation list, you need the mutation of a specific password.
I'm working on Credential Hunting in Linux under the PASSWORD ATTACKS
It's still included in the whole list
but mutating the given info with the custom.rule from the resources works too ¯\_(ツ)_/¯
I used the same list from the Password Mutations
Yes: and I'm reiterating that her password should be included in that same list of 90k + passwords
If you are trying to use the mutated list, @celest haven, have patience, it will take time.
I mutated the password provided in the hint, using the whole mut.txt takes a lotta time.
and I think you should attack ssh.
Do you mean mutated the LoveYou1 only
Yes
Thanks for hint I got the password instantly this time
You are right, it's SSH
why? ssh is generally slow to attack
Because the wordlist only has one word, LoveYou1, to mutate
yes you're right, but iirc, included in the hint, it stated that Kira had ssh access to the system.
Yes: but the hint also refers to the fact she uses a variation of that password
Much like earlier in the module referring to getting the ssh password for "sam" but it's more efficient/better to attack a different service
In this case it doesn't matter which service, as long as the wordlist is short. It's kind of the same speed, I just tested ftp and ssh, both of them. Almost the same speed.
Also, hitting ssh with a high number of threads isn't generally advisable
-t 48?
normally ssh restricts the number of threads allowed
that's why we mutated it 🤷‍♂️, that was my understanding of the question
Yes but it can be used to attack a more responsive service
Attacking ssh should generally be a last ditch effort
oh yeah^^
Because in the case where ssh is configured to only allow 4 threads: this would take exponentially longer
Or in the worst case: DoS the server
Thanks, so for ssh, -t 4 will be the maximum, right?
||do you still get the flag in ftp?||
Her password is the same
The hint points to her also not being security conscious about her passwords
yeah but i mean for finding the password of will
Hit a responsive service -> get creds -> check for reuse
||ftp comes into play in a different section||
I understand wym^
Yup. It's more that I'm advocating best practices rather than straight up saying not to do it
that's totally understandable
B33n w0rk1ng 0n W3b Pr0x13s l8l7 😉
Soon, I will not be afraid of the 1337 and will accept it. Trauma it shall be no moar.
You'll be seeing b64 in your dreams
That itch I just can't scratch 😂
I am on DCSync in AD Enumeration. I am stuck at dumping LSA using both mimikatz and secretsdump
secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5
heyyyy we on the same question :> waiting on target to spawn tho
great, tell me if it works on yours please
any updates?
I'm trying to use mimikatz instead of SSHing into the Linux machine on the network, I'm too lazy for that.
but for some reason mimikatz is not loading, it gets stuck with no prompt >,< so I guess I'll try the Linux method
or maybe use proxychains... nah, too much work
yep, I'm gonna use proxychains, for some reason I can't SSH into the Linux machine either
hi, where do I find the footprinting wordlist provided as a resource in the SMTP enumeration section of the Footprinting module?
I just need to know that and then I am gonna try to figure out the rest myself
Check under the cheatsheet button.
I just see another button that says "download VPN configuration"
use ligolo-ng
did it work?
nope, but I got mimikatz to work as adunn with cmd
No, look at the top right section on the page. where they list table of contents, it’s on top of that
I was able to get the cleartext pass with mimikatz in cmd
gotta use the user from the first question
powershell for some reason is dodgy
I wanted to try the example ones cuz we found the creds to adunn in the last section
well, adunn is just to do the DCSync
you use the DCSync to get the pass for the user from the first question
but to use secretsdump you need creds for the account you are attacking as
ie inlanefreight/adunn
I don't know how you all are setting it up, but if I'm attacking a DC via any bastion, I tend to opt for chisel.exe and proxychains from my Kali machine.
just tried secretsdump, works great.
yes for secretsdump you were doing it correctly
I used both tools mimikatz and secretsdump
Ligolo is pretty simple to learn and easy to set up
but it said access is denied; my guess is the password you typed was typed wrong
prolly typed it too fast
definitely good. chisel was my first love so it just stuck 😄
I cannot even copy-paste the damn command
how do I use a wordlist to enumerate users in Nmap, or do I not use Nmap?
try the command again and go slow when you type the password.
I googled it and I am getting results like the smb-enum-users script
wordlist for nmap? what are you trying to do?
because it says rpc_access_denied, I figured that only comes from an incorrect user/pass.
I figured so lemme try again
What are you trying to do?
I'm trying to enumerate the SMTP service in order to find the username that exists on the target system
it's for the SMTP section of the Footprinting module, 2nd and last question of the section
Then you’re on the right track with smtp-user-enum script.
what's the question?
ok thanks
k, I got it
still the same
can you try on yours?
I can't SSH into the Linux machine
how
for one reason or another I'm not bothering to find out why lol
you need to use the Windows machine and use ssh like in Linux
I did, or let me try with cmd
instead of PowerShell
ok, I'm in
dammit, my life expired, hang tight, I gotta redo stuff
bruh
increase the lifetime of both
I think I found the answer but there's some silly syntax here I'm not getting:
┌─[us-academy-2]─[10.10.15.70]─[htb-ac-605555@htb-t8infzsaqy]─[~]
└──╼ [★]$ nmap --script smtp-enum-users.nse -p25 -MVRFY -U foorprinting-wordlist.txt -t 10.129.152.249
Argument to -M must be at least 1!
QUITTING!
try using default scripts -sC
ok
Just use smtp-user-enum tool
so... it works, but there is an issue
if you use the -just-dc flag it will spit out all the accounts like it should. But if you use the -just-dc-user flag it doesn't work for some reason
what's the command you're using?
Because they are fundamentally different flags
They serve different purposes
||secretsdump.py -outputfile inlanefreighthashes -just-dc-user syncron INLANEFREIGHT/adunn@172.16.5.5||
sorry it is hard to work with copy/pasting stuff here
ok, I have a list of users. Do I just try each of them until I get it, or is there a methodical way of doing it?
nmap gave me the users
in the form of a list
Nope, the right flags with smtp-user-enum will only spit out one answer
it is resetting my connection, although I think it's because using secretsdump was putting out too much information via ssh
oh no, I got it, sorry. I got it to work using that command from before ^ that I spoilered
oh crap, it's 1:26 AM, I'm going to bed. time flies when you're havin fun
the closest I can get is this:
└──╼ [★]$ nmap -p25 --script smtp-enum-users.nse --script-args smtp-enum-users.methods={VRFY} 10.129.152.249
Starting Nmap 7.93 ( https://nmap.org ) at 2024-02-05 06:33 GMT
Nmap scan report for 10.129.152.249
Host is up (0.0053s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
|_ Couldn't find any accounts
Nmap done: 1 IP address (1 host up) scanned in 10.02 seconds
Now I know that if I use the -U and -t flags for the wordlist and IP address respectively it should work, but it doesn't.
Stop using it with nmap
There's literally a normal tool called smtp-user-enum which works 10x better than nmap
And you don't gotta fight with figuring out script-args
ok thanks
well, now that I started with the smtp-user-enum tool I'm making progress, thank you
I'm gonna give it five or ten minutes to load
the scan yielded 0 results:
└──╼ [★]$ smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t 10.129.152.249
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
----------------------------------------------------------
| Scan Information |
----------------------------------------------------------
Mode ..................... VRFY
Worker Processes ......... 5
Usernames file ........... footprinting-wordlist.txt
Target count ............. 1
Username count ........... 101
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............
######## Scan started at Mon Feb 5 06:41:42 2024 #########
######## Scan completed at Mon Feb 5 06:43:27 2024 #########
0 results.
Might need to adjust the wait variable
Maybe 15-25
ok hold on
10 still didn't do it, I'm gonna try 20
it's taking a while, but that's what you'd expect from a 20-second per username wait time
found it, it worked!
thank you so much
It's because the service is slow to respond
are you still gonna be online in a couple of hours?
Probably not
ok