#modules
today has been very productive. hopefully I will get the next couple sections done tomorrow morning
I got two whole sections done today which is fabulous
ok good night yall
what was the updated tool for crackmapexec
netexec
yu
why won't my hydra work for smb in password attacks med lab
[ERROR] target smb://10.129.202.221:445/ does not support SMBv1
Hi Pedant,
It's still not working for me.
I waited more than 10 minutes after spawning the target before doing anything
Then when I started the lab I still got the same error.
I'll reach out to you privately to explain step-by-step exactly what I'm doing
Looking forward to checking this one out. Did you also do the Game Hacking Fundamentals module?
use -smb2support
on your impacket-smbserver whatnot
This is a hydra error
it basically means "hydra can only crack passwords on old smb versions, this server uses a newer version, please use a different tool"
when bruteforcing rdp should i use netexec or hydra and is there any special option
in password attacks hard lab is it Johanna or johanna
hard lab
ah thought this was the offline attack thingy
this shit taking so long frfr this aint bussin
I am facing connection issues on hard lab had to reset target multiple times
It took forever to copy a file from hard lab to local machine, iykyk
Hurray
Anyone have issues with the revshell on Active Directory Skills Assessment 1? It's not working with any of the powershell revshells.
What network interfaces does the victim have? Is it in a different network than you?
what does the layout look like
Module : Pivoting, Tunneling, and Port Forwarding (Skill-Assessment)
Question : Any optional command here that might help me generate an lsass.dmp file using powershell? cuz mine don't work
command : rundll32.exe C:\windows\system32\comsvcs.dll, MiniDump <lsass PID> C:\lsass.dmp full
I really don't want to generate it using task manager cuz rdp is so laggy
i believe you can use impacket-secretsdump and crackmapexec for this also
oh boy do i have a tool for you 
https://github.com/Xre0uS/MultiDump
secretsdump doesn't do lsass iirc
might have an extra comma there, try
rundll32.exe C:\Windows\System32\comsvcs.dll MiniDump (Get-Process lsass).id lsass.dmp full
@next bronze damn, sweet tool you made. Does windows detect the tool upon download or?
nope, fully undetected
alrighty I'll try this first then my last resort would be ur heavenly tool
thanks thanks
damn. Awesome!
can confirm, Defender doesn't make a peep, @next bronze did great work
thank you sir
Hi! Actually yes, since i've completed all modules below tier 3 i did have some spare cubes. I personally think that 500 cubes are a bit much for the Fundamentals one. If you have some familiarity with Cheat engine you can skip it
this tool of yours lookin hella fine, awesome job man
thanks! 
HTTP Attacks modules from the CWEE path
Log Injection
Have tried multiple different payloads, encoding methods, etc. and I can't seem to get it
||name=NAME%0d%0a1PAYLOAD&email=EMAIL%40EMAIL.COM&phone=NUMBER&message=MESSAGE'%0d%0a2PAYLOAD||
this machine makes me wanna cry. its so slow
im in attacking common applications module - thick client application section. the first task i have to do is taking away the delete permissions from the user cybervaca so i can get the .tmp and .bat file that the .exe app creates but even tho i do delete permissions, the files still get deleted. help would be appreciated. thanks
follow a walkthrough for the PivotAPI box
i dont really wanna follow a walkthrough. the thing is, i believe im doing everything right in this step because its so simple. making a mistake is highly unlikely. but thanks. imma retry and if i did not succeed i will seek a hint or something
It made almost all of us cry
any help why this is not working?
its the same command used in the example
no I did not do that. I do not think its in the section but let me check again
yeah don't do that, are you logged in as the right user
yes I am in htb-student in the windows host
I don't remember what user you're supposed to use, try resetting if it still doesn't work
I did try
this one is from the morning
you need to use the adunn user no?
yes
I have used adunn from linux host
guys i need help with the documentation & report module. i've found some users & password combination and the ip i have to use to connect in rdp is 172.16.5.5 but every try results in error. some hints or help?
well I don't remember much but from the error it seems that your user doesn't have dcsync rights
not specifically to that module but rdp is not the only way you can gain access, given that the creds are correct
i know but in this case rdp is used to gain access because some document in the module i think say to me to use rdp
if i show u in dm can u help me?
you can just say what you've done here, put it in spoiler tags
how can i put these tags?
||spoiler||
||spoiler||
Can anyone recommend some modules to complete before starting CWEE path?
Cross Site Scripting, File Inclusion, Command Injection
ATTACKING WEB APPLICATIONS WITH FFUF
Skill assessment
Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
I've found three subdomains, none of them is the correct answer. Anyone a hint?
checked my notes, you don't need to rdp, there are a number of other ways you can get access
tell me some hints
i thought to use ||rdp because the module gives me dc01 uses rdp connections||
huh when did the module give you creds for the lab? the rdp creds is to access the WriteHat instance on the attack box
I tried resetting both target and vm again. From linux host I am using ||adunn:SyncMaster757|| I am still getting the error
|| the module gives me in form of precedent pentesting some credentials. ||
oh right those, that doesn't mean you can access DC rightaway, you're supposed to work your way through the lab with the final goal being gaining DA
I hope you have completed all the previous modules in the path before this
yes but im stuck which module do you think i should see again to do this ?
For the labs using shared computers and the like, specifically AD Enumeration & Attacks - Skills Assessment Part II, when someone bricks one of the systems, how can you reset it? I was able to xfreerdp into it last night and this morning its erroring out, I reset my jump box, but how can the systems inside lab be reset? Or do I have to wait it out
the labs are private
Even the shared Domain computers on the private network?
maybe Credentialed Enumeration from the AD module
all academy labs are private
Good to know, then I bricked it and cant connect to it now lol , same issue but I am to blame
you can just respawn it
I also was clueless at the beginning. The hint that many people wrote on htb forums and helped me as well is to look through your obsidian report sample and try to find something for each page in the findings section (for example, kerberoasting). Don't forget to keep enumerating with each credentials you'll encounter during your way
i dont have this module in the ones provided by my work
my command: ||ffuf -w /opt/useful/SecLists/Usernames/xato-net-10-million-usernames.txt:FUZZ -u http://faculty.academy.htb:37835/courses/linux-security.php7 -X POST -d 'username=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded'||
The results are all code 200 and scrambled in the terminal. What did i do wrong?
I'm referring to the Active Directory Enumeration & Attacks module, you should have that yeah?
oh what? the documentation and reporting module assumes you have done the previous modules in the pentester path
https://academy.hackthebox.com/paths/jobrole
no they gave me a personalized playlist of modules
so i'm not stupid i only dont have some informations ahahah
yeah no, that's a strange decision to only make some modules available
The overview of a module will tell you which modules/concepts would be pre-requisite
The higher the module tier, the more likely there's gonna be assumed knowledge
So that the module can focus on teaching what it should be
yes i lost all day in trying doing this without knowing i need this
Any hints for the ADVANCED XSS AND CSRF EXPLOITATION skills assessment? Been stuck here for a while now, would be nice to get some direction. ||I have found a way to upload javascript with upload form but that CSP is ruining my attempts and I have not found bypasses for it. Only payload I managed to load is this <html> <body> <form method="GET" action="http://vulnerablesite.htb:41264/users.php"> <input type="hidden" name="userid" value="3" /> <input type="submit" value="Submit request" /> </form> <meta http-equiv="refresh" content="0;url=http://vulnerablesite.htb:41264/users.php?userid=3"> </body> </html> and when I run it I get redirected and message that only mods and admins can promote users. So either that payload has some issues or admin/mod is not running that payload when they visit that file. I'm pretty sure that I have to leverage that upload functionality to get myself to moderator and then task management to get myself to admin. ||
Nothing wrong, your terminal is just too small, can you make it bigger ?
can dm
Sure
Hey, do you still need help? Once you used that payload you posted here, what could you see on the log.php endpoint?
I do yes, just the data I had put in without the %0d%0a
no extra spaces or new lines formed
dm with a screenshot , also I recommend using Burp to see the log.php endpoint
Hey everyone, can anyone give me a nudge for Password Attacks Lab - Hard? I've found all the services, trying to bruteforce them with provided password list for user Johanna but no luck.
did you try adding a flag like --local-auth
Tried that, but it still takes way too long
Alright mutha fuckas let's get our streaks caught up!
no
Let me know if you've found something that solved your issue. Currently my only issue with htb or HTBA is deciding what wordlist to use or figuring out the best way to create one.
what wordlist for lab hard and is it johanna or Johanna
try other wordlists: start with mutated, then regular, then rockyou
password attacks
Will do, just finishing some work, give me 1h
it takes really long
They do
yea but is it joanna or Johanna
Good evening. Who may help me with this module (SESSION SECURITY) please.
about (the new private window for firefox) isn't work but without (private mode) it's work
it's a windows box so it shouldn't matter
it dont work i tried with netexec and it went for hours
where are the things in hackthebox
my bad, but i really need
need help stuck on ad enum and attack skill 1 question 4 ive managed to get a meterpreter shell on the webserver grabbed svcs pass but am unsure how to connect to ms01
any suggestions on what tools i should upload to the webserver anyone here an ad pro
guys im doing a hard lab how do i use the pwnbox to use the resource material
by webserver I assume you mean the foothold webshell, once you have domain creds you don't need the webshell anymore, operate from your attack box
guys how do i use the resource files on my pwnbox
you should be able to download and use them like you would from a vm
i am just starting out. When i click Modules i get this: javascript: void(0);
idk what you're really asking ¯\_(ツ)_/¯
like the password list its on module but i am using pwnbox
you can right click, copy url
how do i get the password
hello guys need little help
When i click HTB academy modules or path
i just get javascript: void(0);
This massage. what do i do
if you're experiencing technical issues with the website: contact support
if you mean when you hover over the button it says the url is that: that's normal
no when i click modules or path
make sure you have adblock disabled
either way contacting support should be your first step
@next bronze I take it I have to tunnel my traffic through the webshell? this part is lost to me the pivoting and tunneling module was completely busted when i completed it
not discord
Thanks alot it was adblocker
(it's normally always adblocker)
some stuff on the site for w/e reason gets blocked by adblocker
idk what you mean by the module was busted but yes pivot
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-6k7z1oybsy]─[~/Desktop]
└──╼ [★]$ crackmapexec rdp 10.129.202.222 -u johanna -p mutatedpas --local-auth
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-6k7z1oybsy]─[~/Desktop]
why dont this work it just enters and makes a new shell cmd nothing happens
where is the general channel
you need to verify your acc to see it
when using pwnbox do i have to connect to the vpn
no
no, it has it already implemented
the pwnbox is automagically connected to the vpn
also how can i copy and paste from my orig to the pwnbox it dont let me
sometimes cme is dumb
ALSO if you're running the vpn at all on any other system while trying to use the pwnbox you will encounter issues
i c ok thanks and also how do i copy and paste on it
there's a clipboard
but you should be able to ctrl+shift+v to paste in terminal
which is the default
your browser may ask you if you want to share the clipboard
no it doesnt let me paste
the other is right click and paste
yeah pwnbox is really dumb a lot of the time
try to maximize it and on the tab theres a clipboard you can paste into
oh yes i c danke
or use a different browser
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-l0c4tmhlfz]─[~/Desktop]
└──╼ [★]$ crackmapexec rdp 10.129.202.222 -u johanna -p mutated --local-auth
[] First time use detected
[] Creating home directory structure
[] Creating default workspace
[] Initializing FTP protocol database
[] Initializing MSSQL protocol database
[] Initializing WINRM protocol database
[] Initializing LDAP protocol database
[] Initializing RDP protocol database
[] Initializing SSH protocol database
[] Initializing SMB protocol database
[] Copying default configuration file
[] Generating SSL certificate
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-l0c4tmhlfz]─[~/Desktop]
└──╼ [★]$ crackmapexec rdp 10.129.202.222 -u johanna -p mutated --local-auth
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-l0c4tmhlfz]─[~/Desktop]
└──╼ [★]$ sudo crackmapexec rdp 10.129.202.222 -u johanna -p mutated --local-auth
┌─[us-academy-1]─[10.10.14.241]─[htb-ac-911632@htb-l0c4tmhlfz]─[~/Desktop]
└──╼ [★]$

can anyone help it dont work
@next bronze should I use rpivot or chisel to pivot
ligolo-ng
this channel isn't for starting-point boxes
Ah, sorry. I thought the one under multi-machine labs was like for a "networked boxes" version of Starting Point
there are no "networked boxes" in starting point
the starting-point machines are their own machines separate from labs
should i use -t4 with netexec rdp
idk what changing the threads to a lower count would do ¯\_(ツ)_/¯
RDP 10.129.202.222 3389 WINSRV [-] WINSRV\johanna:1234569 (STATUS_LOGON_FAILURE)
RDP 10.129.202.222 3389 WINSRV [-] WINSRV\johanna:1234569
RDP 10.129.202.222 3389 WINSRV [-] WINSRV\johanna:1234569
RDP 10.129.202.222 3389 WINSRV [-]
it stopped saying the error msg
Yeah which is why I was confused as it was under Multi-Machine Labs, and all the stuff there are the networked labs
because technically they are under the same network; as each prolab listed there is on their own network requiring a separate vpn
I see
I did the dcsync attack with mimikatz but I am still having an issue doing it with secretsdump.py
secretsdump.py -outputfile hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5 -use-vss
Impacket v0.9.24.dev1+20211013.152215.3fe2d73a - Copyright 2021 SecureAuth Corporation
Password:
[-] RemoteOperations failed: DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Searching for NTDS.dit
[-] 'NoneType' object has no attribute 'request'
[*] Cleaning up...
I used the same credentials I used in mimikatz ||adunn|SyncMaster757||
crackmapexec winrm 10.129.X.X -u johanna -p mut_password.list
with --local-auth or without
you want to use local-auth when you want to attack local accounts
so is that no?
depends on the task which one are you doing?
password attacks hard lab
do it without it
WINRM 10.129.202.222 5985 WINSRV [-] WINSRV\johanna:12345604!
if it doesnt say error it still works right
dude spoilers
how its not the password
and I think its not the answer
no i was just wondering if it doesnt say error is it still working
try without mutating the list
yea but does it need to have an error message
no
I'm working on login brute forcing and I'm currently on login form attack, I believe I have the key but it's not working as the answer
I've identified the password and user and I've gotten to the page that says "Welcome back Mr bill gates" and I see what appears to be a flag at the bottom but it's not working in HTB
made sure theres no extra spaces or anything like that?
can someone give the beginning letter for password attack hard lab
Help please. Noobie here
I'm doing the Web Enumeration.
The question is:
Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.
This gobuster command is taking an age to run and the box is likely to time out before it gets to completion. gobuster dir -u http://10.10.10.121/ -w /usr/share/dirb/wordlists/common.txt
Am I looking in the right place as I can't find a solution using the other methods.
Good evening,
In your opinion, what is the best way to validate an OSCP certification: what are the modules to know and the sites that can also help us with this.
Sincerely
Can you search for text in this discord conversation? I want to ask a question but I'd rather see if it were asked before.
the cpts path right here
a ok thanks
I am doing the footprinting smb but 3rd question they are asking for password
you meant to prepare for oscp right? doing the cpts path is very good prep
ctrl f
do you mean that the cpts is a certification too?
yes
thanks
the VM is very slow
choose the pwnbox server closest to you
I'm on Mobile. Good to know I could do it if I was on PC though lol
I understand basic computer literacy just not discord. Haha. Guess mobile can't do it.
Mobile can search
I don't understand how. I can only see doing it by date and by people.
I even tried searching "Mobile can search" and nothing lol
Can I search for words in messages within the channel? That's what I'm trying to do. And I'm sorry btw I really am not great at using discord.
Yes
I just don't know all of its caveats
Okay it works. For some reason the messages option wasn't appearing.
Also mind you my mobile search feature seems to look very different from yours.
can someone help with the beginning letter of htb password attacks hard lab? i use mutated password and crackmap winrm
It not let me search members and media when I was first trying
with --local-auth
Because there is no "messages" option lol its just "search string that matches these filters"
Try with and without --local-auth
I found it. Its pretty obvious when I went back through the module content..
We don't need to argue
Just attack it
Stop asking, you're spending what feels like a lot of time asking, instead of doing
There's a reason you're being ignored with your request
do domain policies / user priv affect the number of logged-in users I can see during enumeration using cme's --loggedon-users
i am doing ive been cracking it for an hour
On the exam: you won't be able to ask for hints. You'll need to figure it out on your own, you've been given enough info to move forward
fo sho
Did you reset the target to attack a fresh one?
no
that's why
because sometimes the hosts die without actually telling you
or the services stop working
it's dumb
oh i c danke
someone can buy me vip plz
just sanity checked @sleek moss the password is in-fact in the mutated wordlist
no
Yeah so I'm glad I got the search feature figured out on here.
Guys, you can try using that feature before you ask questions
Getting straight dogged on
As another nudge hint on this one. You can try using the echo command to view the files and the while command to read the flag file..
also to add on @sleek moss i checked multiple services; they all return the password after a minute or two; CME doesn't have an RDP module, hydra does though
ye
crackmapexec winrm 10.129.155.35 -u johanna -p mutated --local-auth
hashcat --stdout -r custom.rule password.list > mut
do u c anything wrong there
you need to add | sort -u before feeding it to the mutated list
bruh
otherwise the wordlist is like much larger
ty
yeye
i thought something was off from the cheatsheet
which doesn't have the sort -u
been waiting for the target on windows priv esc to spawn for over an hour now.
change vpn regions: it seems us-academy-3 is working fine for now
yesterday I changed to 1 because of the same issue.
i installed parrot os with htb edition is it normal to have this in shell when u first begin it automatically ]\342\224\214\342\224\200$([[ $? != 0 ]] && echo "[[]\342\234\227[]]\342\224\200")[$(if [[ ${EUID} == 0 ]]; then
echo '[]root[]@[]\h';
else
echo '[]\u[]@[]\h';
fi)[]]\342\224\200[[]\w[]]
[]\342\224\224\342\224\200\342\224\200\342\225\274 [][]$[]" - Parrot Terminal]\342\224\214\342\224\200$([[ $? != 0 ]] && echo "[[]\342\234\227[]]\342\224\200")[$(if [[ ${EUID} == 0 ]]; then
echo '[]root[]@[]\h';
else
echo '[]\u[]@[]\h';
fi)[]]\342\224\200[[]\w[]]
[]\342\224\224\342\224\200\342\224\200\342\225\274 [][]$[]" - Parrot Terminalββ[sam@parrot]β[~]
or is there something wrong with my os
it's a weird thing in the bash.bashrc file
just comment out the line with trap i forget what line it's on
i c its normal tho right and ok ty
ok ty
'We droppin shellcode
runs the revshell on my own machine by accident
what is better parrotos with htb edition or just kali linux
Hey in the module File Upload Attacks on the assessment I got very stuck and read a walk through. I was kinda doing too much, but thats okay. Question, where in the world is the location of the file that is uploaded
hi anyone would please tell me im using linux tails but it is showing no wifi driver can anyone help me ?
@everyone
@wraith seal I believe there is another channel on this server for this question I'm not sure.
smb: > get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: > getting file \Backup.vhd of size 136315392 as Backup.vhd SMBecho failed (NT_STATUS_CONNECTION_DISCONNECTED). The connection is disconnected now
why does smbclient say this
This isn't a tech support channel, also @ everyone is disabled.
It seems the connection timed out
why wont hashcat crack this /spoiler $bitlocker$0$16$asd$1048576$12$80b20a04341fd80103000000$60$asd
look at smbclient manual for -t
hashcat -m 22100 backup.hash mut -o backup.cracked
should crack, also wrap the hash with double pipes like: ||hash||: ||spoiler||
wdym
you didn't spoiler the comment
/spoiler needs to go at the beginning of the message but also: it's likely there's not a hashcat mode for it: try with john (as you likely used bitlocker2john)
mode should be fine, probably just doesnt have the intended password in mut or something of that sort
probably the more technical modules like AD enum
why
because it requires you to use more of your brain
password attacks is just a waiting game
nothing technically complex about it
Well most of these modules aren't hard, the password one made me curse a lot though, not because it was hard, but because of the amount of gotchas it has.
the assessment at the end is very cool and nice though i still remember it
i c that hard lab where u use the bitlocker and mount it wont be on cpts right
or oscp
you bet your sweet bums it's prolly gonna be on the test.
:dead:
dont worry it's a breeze just keep calm and read
virtually everything covered in the modules will be on the exam
don't know about OSCP; the CPTS prep materials are for CPTS - you'd have to look at the OSCP domains to know what's on it
OSCP from what I've heard is mostly a CVE test, ensuring your ability to understand how to use them to pentest. they use metasploit for pretty much everything, they don't do most of the stuff we do on HTB.
you can't use metasploit on OSCP
*well you can, but only for one lab - and that's it
You can't? oh bummer, at least their metasploit unleashed course is free.
metasploit would literally trivialize the OSCP exam if it's mostly CVEs
you can still use searchsploit :> and just pass commands manually build payloads with msfvenom
and yet people will stoll like 7x in row 
lol though i'd rather go with HTB personally.
@sleek moss just a tip, i wish someone told me this when doing the first assessment for the password attacks module, you gotta know how to read/write files using (i think it was) mysql statements. Apparently it's something you can do. Also the mysterious password database thing they have in one of the assessments is a file that can be cracked by one of the tools you learn about.
Hello
tbf the read write thing in mysql was covered in a previous module
the course modules assume you have knowledge from prior modules
or at the very least basic knowledge of the services you can interact with
htb
yes this is htb
congratulations on being able to join a discord server. this is truly the height of your technical acumen
That was their version of a syn packet, and you hit them with the ack! I'm gonna grab the popcorn and wait in suspense for the beloved syn/ack!
Nessus Skills Assessment lab - I cant get nessus to run
It says that the VM has nessus pre installed
yes: just go to the https://ip:nessusport

note it says "Authenticate to" not "ssh to"
all i am going to say is thank god for questions like "Submit the NT hash of the administrator user"
if not i would have to redo all the steps from the first module in attacking enterprise networks
the module isn't part of the path it was a requirement for the path tho it's one of the intro ones.
writing to a file is covered in attacking common services i believe
is it a known issue that pwnbox seems to run out of memory using hashcat?
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 65 MB
happened to me yesterday too
hashcat -m mode file.hash password.list
you always do the hashfile first before the password list
what's your hashcat command?
sudo hashcat -m 1000 2b391dfc6690cc38547d74b8bd8a5b49 /usr/share/wordlists/rockyou.txt
but the hash into a file first and see if that makes a difference
alright let me try that
but i don't think i've had an issue like that
anyone else have issues with impacket-getuserspns with Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
im guessing the timestamp difference is too great, but how can i fix this to make it work?
it was covered in a previous module in the path. not a pre-req
you sync your time to the DC
just ran this: and it didn't error out for me
also: are you sure that's the right wordlist
what module are you working on?
so i set the fake spn on the ip of 172.16.8.20, and the dc-ip is on 172.16.8.3. I dont really have access to the DC( i think ). So how would i find the time and sync it?
strange, the file thing didnt work either. Im not 100 on the wordlist i havent tried others... also im on attacking active directory & ntds.dit
I dunno, id tunnel to the DC and sync it lul
ntlmv2 and that sounds like password attacks module?
yeah Module is password attacks: section name is Attacking Active Directory & ntds.dit
yeah pw attacks module.. just tried another wordlist and got the answer
thanks thought it was a memory issue, error was misleading
for the record: most of the sections after the mutations section uses the mutated wordlist
noted
always start with the list(s) provided by the module, then check others
usually it's either in the provided list OR in rockyou if it's password related
nmap has a clock-skew script you can try to execute to retrieve the deviation
i ended up doing it locally on the host i have access to with rubeus
ah yeah i see it on my notes.
ftr you dont need password to the dc
you just need a route and your preferred time application
DCs have built in ntp functionality
you can sync without creds because devices need to match DC time to auth in the first place
Imagine getting KRB_AP_ERR_SKEW because you couldn't sync time to fix KRB_AP_ERR_SKEW
Dunno if you got this since your question is old. Either way for others there are multiple binaries in the list. You just have to get the right one for the flag.
Peace everyone, I'm doing the "Network enumeration with NMAP" and I'm on the question about host discovery. It's asking me based on the last result find out which operating system it belongs to. It gives the hint to look at TTL, I've tried both TTLs but to no avail. Any suggestions?
i would hope they got this question from 3 months ago
the TTL isn't gonna be the OS
most OS have a standard TTL they'll send back with pings
You need to find out what the OS name is relative to the TTL given.
Can't remember if HTB was case sensitive. Might be as I've been Reeeee on quite a few lol
attacking common applications module - exploiting web vulnerabilities in thick client application section . so the very first step is capturing and analyzing the network traffic of the .jar file in wireshark but it just wont show no matter how much i interact with the .jar client.
I was more of giving an update for the Discord search and anyone else coming along. As there are times I will use it when stuck.
We often encounter large and complex networks during our assessments. We must be comfortable approaching an internal or external network, regardless of the size, and be able to work through each phase of the penetration testing process to reach our goal. This module will guide students through a simulated penetration testing engagement, from sta...
finally
now i have a new appreciation for ligolo-ng
@placid edge awesome
Just 40% remaining, I will soon be there
how much time it took you to complete the whole path ?
Im not done yet
I just needed a little break from ad module
So i hopped on the smaller ones
But currently at 97%
It has been a major headache I only have 3 topics left in the module before the assessment. Then I can rest in peace. I wish AD wasn't so complex. Kinda makes you wonder about the design thought process asking "what was going on in their heads when they made this?"
For me I skipped AD module to hop on web attacks due to spawning issue, going to resume it today.
yeah that was a thing last week
Connectivity has been an issue for me as well. Makes some courses way longer but yeah
I feel you. Its starting to make more sense as you go. The hardest part seems to be «where do i begin» lol
Taking some time off and learning each thing more indepth has helped me. Like with kerberos and ACL
Watching a lot of youtube videos. ippsec.rocks and you can search for like DCSync and etc
Tell me about it
Today I was almost crying in front of the screen because of connectivity lol
I am currently doing AD enumeration module I am confused can you confirm this
Our attack host MS01 is a host we have access to but it is not domain joined (not part of AD), but it is part of the network and through it we are able to access machines that are part of AD ?
Active Directory Skills Assessment 1, I have the kerberoasted account name and password. Stuck on the fourth question: Submit the contents of the flag.txt file on the Administrator desktop on MS01. How am I supposed to access MS01?
wdym, what have you tried
I tried getting the Administrator desktop flag, but I was still on the first machine, because it was the same as the first question. I don't know how to log in to MS01.
wdym you dont know how to log into ms01, what have you tried to access it with
RDP was the only thing I could think of, it failed.
okay, try the other access methods used throughout the module
ssh failed
what about psexec or winrm
I'm on the kerberoasting section, I am still trying to find other methods.
SSH server (service) is not something that is enabled by default on windows
if I'm just blind guessing to log into a windows machine I usually go psexec->winrm->rdp
though relevant to remember that psexec and winrm usually require some form of privileged credentials by default
Tried:
python3 psexec.py inlanefreight.local/<user>:'<password>'@<ip>
and tried python3 psexec.py SQL01.inlanefreight.local/<user>:'<password>'@<ip>
what's the difference between SQL01 and MS01?
Is my syntax correct?
the first one would be the syntax for trying a domain account
Is MS01 a domain account?
technically? yes
but Im pretty sure the challenge has nothing to do with that
in this case MS01 is just a machine name
So is my command syntax correct?
this error is basically just saying the creds are valid but either the user isn't an admin for the box or psexec has been mitigated
Understand if there are multiple network adapters on the machines, if that's the case then you must do dynamic port forwarding
I used the command: Enter-PSSession -ComputerName MS01 -Credential $cred
after setting up the cred and password variables
I feel like this shouldn't be so complicated. I have the creds, it's just that none of the methods are working.
wmiexec.py did not work either
Was that for me?
Are there any other methods to authenticate? I have the user and password, not sure why nothing is working.
Every time I try something new I get the same administrator flag
So I think I figured it out. I have to use the Enter-PSSession module, however every time I attempt it, it does not work. The output is blank.
I have set up the password and cred variables correctly.
Anyone have similar issues?
Ok
Has anyone used Enter-PSSession to get MS01?!
I feel like it should work, it's just not giving me a session.
I used the command:
Enter-PSSession -ComputerName MS01 -Credential $cred
after I had set up the cred and password variables.
I saw something in the forum about using chisel, but if I remember correctly that's a port forwarding tool, not an AD tool.
Guys I'm trying to run a python payload for the achat buffer overflow (chatterbox machine) but keep getting errors with the script when trying to run python [payload].py
I read all the walkthroughs and videos on this box and at some point they use the python command to run the payload, any ideas? Or is the payload just off with the new python3?
Who can help me with this question: "Find what attack the Enterprise Admins group can execute over the Domain object.", in "ACTIVE DIRECTORY BLOODHOUND - Analyzing BloodHound Data"? I don't know what I did wrong. I can't find the so-called domain object and I don't know what the correct answer format is. If anyone would like to help I would be grateful. This is the direct link: https://academy.hackthebox.com/module/69/section/2080
If you verify your account in #welcome you get access to other channels (like the boxes channel for old boxes) where people might be able to help. That being said, if you run a python2 script with python3 it usually won't work
I'm new and what does "Submit root flags" mean on the first course?
solved it
I wanted to ask the community or those who maybe have taken the cpts... or know more of it than myself... other than maybe Dante what other pro lab or labs are good to prepare for it? Like zephyr and Rasta? Or offshore and zephyr or just offshore. Can anyone help me during my learning path?
hello, I'm new here and don't know where to start in terms of labs to build my skillset in hackthebox. can I get some advice please?
dm
if you still haven't solved this question
Some say it is not a good idea to do the prolabs, as they require things that are not covered in the CPTS path, so when you do the exam you might overthink solutions. Others say all practice is good. Dante and Zephyr are usually what people recommend, Dante gives some easy wins and allows you to practice pivoting but had little AD, zephyr is full of AD. Offshore has AV evasion and stuff, that's way out of scope for CPTS, so probably not good for practicing
Cool. That's good to know. Thank you.
you can look around
oh i see thats a website
Teaching Cybersecurity
great. i wanna learn something new
You can go to the shooting range, it's on the hackthebox website, it's very friendly to novices
does modules mean chapters?
modules are the specific topics, they are combined to make the paths
Hello Folks,
I see that the password attacks module, Attacking Active Directory & NTDS.dit section does not tell us what to do with the extracted ntds.dit file, other than using CME to extract the domain user hashes from the ntds.dit file existing on the remote target. Am I missing something?
Kindly help
cme is dcsync, you can also save ntds locally and extract hashes from it, two different methods
Yes, I want to know how to extract the hashes from the fetched ntds.dit file, I don't see it covered in the section in question.
secretsdump
yeah you need to save the system reg hive too, the key to decrypt is in there
Okay, Thank you
Would OSCP be the same kind of network that cpts has? Or is it more "attack these hosts" rather than enumerating internal networks and such
the oscp layout is known, you have 3 standalone hosts and 3 networked hosts in the AD set
do anyone want to do https://academy.hackthebox.com/module/details/208 for fun with me? it's not part of any path but is just cool
Alr. I just watched the machine Active and it gave me way too much confidence lol. I know it's ranked easy but that was insane
Should probably go watch some hard ranked ones to knock my confidence level down to normal again lol
its in my to-do list
me too lol
im finishing binary exploitation
did you do the 1st one?
ok
you don't need to be able to do hard for oscp haha
Ye idk lol
oscp is easy
don't worry. if u can do htb u can do oscp but u have to be good at understanding tunnels in case they break something on purpose to make u try harder
i think this year they replaced pwnkit with dirtypipe for the linux boxes, wow right?
I remember in my job interview they asked me if i wanted to take the oscp and was shocked when i said yes. Because only one of them had passed it @next bronze . They looked at me like i was insane lol. Didn't care about the cpts plans tho, so idk how much they really know
Ligolo-ng is babe
haha idk what to feel about that
it's not difficult but the materials are bad
Idk. They also liked to specify how much younger i was than the youngest guys that worked there (15 years). So i guess they didn't take me seriously at all either way so
hihi guys, i am currently at "Dynamic Port Forwarding with SSH and SOCKS Tunneling". can anyone help me check if my understanding of proxychains and socks is correct?
It is. Proxychains defaults to socks4 on port 9050
I mean age doesn't determine skill, get that cert to prove them wrong
thanks! i was afraid i got the concept wrong.
So if it's set up correctly in the /etc/proxychains4.conf file you can ssh in with the -D option and use proxychains before your tools
Or the cli
in this case, the proxychains is the socks client right since the localhost:9050 is the socks server
hello guys i am in attacking common applications skill assessment 2 and trying to get the shell , any hint on finding admin password will help
it's more of a proxy than a server but yes
yea so it is just like a server in the middle which has an ssh connection with the ssh server.
the proxy will make things look like any command used with proxychains comes from the ssh server itself.
i guess this is how it works?
kind of, if you want a more actual explanation, there is extra information in the SOCKS connection such as traffic type, destination address and port etc, and it is used together with the SSH tunnel
https://gokhnayisigi.medium.com/what-is-socks-protocol-socket-secure-4ce77b463e59
but roughly knowing how it works will be good enough for most situations
thanks, i will read about it
Hello everyone, I am in the lateral movement section of the attacking enterprise networks module. I am following the exact steps that are mentioned for the Priv Esc but the exploit does not work. If anyone can help I would be really glad because I have been trying it for 3 hours now and I am going crazy
Having an issue in the SMTP section of the HTTP Attacks module - can't seem to access the vHost after adding it to the /etc/hosts
@rustic sage
?
This server has nothing to do with w/e wz3 is
@fathom pendant have you had this happen to you? Super odd stuff, have reset the machine 3x
I haven't done the http attacks module
Congrats but this channel is for academy
Perhaps you were looking for #1203399100918140948 or #1080884182336675872
oh mb
Hello I have a problem with this exercise, can you help me please:
Attacking Common Applications osTicket
im sorry
You should install the fake_useragent python module to resolve the error
But this python tool is not needed for this section
This cleared up how to find the information. However I'm still having trouble with getting the correct answer. Based on the question it gave me 2 TTLs (a sent and a received one), one was 255 and the other was 128. I tried brute-forcing it and trying both ||Solaris|| and ||Windows XP|| but to no avail. Am I missing something?
Does anyone know about google dorks?
HTB took my $8 today. That marks my first month. Taking it slow and steady with the modules. Even with lots of previous experience, I have to say it's been worth it so far. I have learned new things still and I greatly appreciate the perspective HTB teaches us from.
(first month in academy) I've used HTB far before academy ever existed!
I'm using VM instead of workstation instance..
And I have some problems when connecting VPN...
Is that ok to do some module exercise without using vpn
Hello everyone, I want to start studying cybersecurity, can you recommend useful sources?
you can offer even basic things, I will be grateful
The top 3 I can think of:
- Fundamental modules of the HTB academy
- Google Cybersecurity Certificate (beginner friendly)
- Comptia Security+ content (tons of resources online, professor messer, etc..)
Okay okay how to do this? I need it but I am not registered on the API
You don't need this tool to complete the os Ticket section
question. When you have a lot of shares. What are your goto tools to download all the files?
smbget?
smbmap is good option
smbmap (which never works for me), netexec has the --spider and -M spider_plus, but usually just look through them manually with smbclient.py
i have the following access rn
Department Shares READ ONLY
IPC$ READ ONLY Remote IPC
NETLOGON READ ONLY Logon server share
SYSVOL READ ONLY Logon server share
User Shares READ ONLY
ZZZ_archive READ, WRITE
And I am trying to download all the files in each share to have locally
tho, i want to use responder in the ZZZ_archive
but still dont want to miss anything
sometimes I mount shares so you have a gui to easily select and open files locally to check whats relevant
Hi there, 1 silly question for y'all related to Print Operators | Windows PrivEsc, did you download and compile the EnableSeLoadDriverPrivilege code or directly use the files left in C:\Tools?
Hi guys, got a reply redirecting me here from this message https://discordapp.com/channels/473760315293696010/1204480070136107080/1204480070136107080
How to find the password then ?
https://academy.hackthebox.com/achievement/873508/162
Another one bites the dust
Proper documentation is paramount during any engagement. The end goal of a technical assessment is the report deliverable which will often be presented to a broad audience within the target organization. We must take detailed notes and be very organized in our documentation, which will help us in the event of an incident during the assessment. T...
woo
hi folks can anyone drop a hint on the last question for the ad enum and attack skill assessment 1
do the attack
Hey everyone
@next bronze tried with the admin hash, didn't work, believe it was a null hash. gonna go over the learning for said attack, see if that gets me anywhere. been on this module for a couple weeks so might have forgotten some things
admin hash? use the credentials of the user in the 5th question to perform the attack in the 7th question
unless you've already done that
i got ts pass but it wont connect with evil winrm
there's more than one way of doing that attack, you don't need to get a local shell, read the section again
im lookin for the flag on admins desktop should i target smb or try for a shell
ok ill try with the others creds from previous question or try and crack one of the others from the massive hash dump i did
use the credentials of the user in the 5th and 6th question to perform the attack in the 7th question
I've a problem in this exercise i tried many times and I couldn't find the solution
Exercise 2: Try adding a rule that automatically adds ;ls; when we click on Ping, by matching and replace the request body of the Ping request.
I don't know what should I set in the match and replace rules
im confused if i have 5s creds why would i need to get more creds with said attack
anyone to willing to give me a hand with UACMe/Akagi64.exe into Print Operator | WinPrivEsc section/module....
what? I'm saying to use the credentials of the user you already have from the 5th and 6th question
my attempts at connecting to DC01 with 5's creds didn't work, I don't think he had permissions. I'll try again and see if it'll work. I remember I could list shares with cme but smbclient wouldn't connect, maybe I did it wrong. I was thinking winrm to get a shell but that wouldn't connect
maybe because I'm tunneling
maybe show some syntax ?
Man?
who may help me with the module (session security)? I'm at: there is an error in (incognito mode) but (without incognito it works)
currently in the Linux introduction.
i got everything done in the "system information" part, yet can't seem to find the answer to "What is the path to the htb-student's mail?"
i tried both using ls and dir yet neither showed any directories, how do i find a list of all the directories available on the user?
if you found the mail do pwd
"print" "working" "directory"
and "ls" has some parameters, do "man ls"
weird to answer my message that was written in July 2023 :P, thanks anyway
Hi, I need help with assembly language, working on the unconditional module using jmp (unconditionals). I literally place the jmp between every line and it's either exiting normally or it's giving me the hex rbx value of 0x1000000 which is not correct.
global _start
section .text
_start:
mov rbx, 2
mov rcx, 5
loop:
imul rbx, rbx
jmp func
loop loop
func:
mov rax, 60
mov rdi, 0
syscall
this is what I have. Now my question is, am I overthinking this or am I missing a step? also I need the hex of rbx
what's the question
Try to jump to "func" before "loop loop". What is the hex value of "rbx" at the end?
just do what the question asked, jump to func before the line loop loop and get the value of rbx
your code looks correct, just get the right value from the right register
smbclient \\172.16.6.3\SYSVOL -U tpetty don't know how to get to admin desktop, haven't permissions to view C or ADMIN share
because the user is not an admin, do the attack
by attack you mean dcsync i thought that was for dumping hashes or should i make a golden ticket
golden ticket is just for persistence
you rarely get a golden ticket before youve already compromised the domain
im not sure how to proceed
what do you mean? dcsync as I've hinted many times, you don't need to get a local shell to dcsync
DCSync is a technique for stealing the Active Directory password database
correct
im so confused
do you have a BH dump?
you don't need bh for this, the question already hinted at this, it's the answer for the second last question
i need the flag on DC01 admin desktop so i have to use a different account to get it?
runas?
problem: you don't have access to a domain admin
solution: get access to domain admin credentials
what kind of attack get you that?
its getting dangerous here: 96.88%
what are you confused about? Hes told you exactly what you need to try
have you tried it?
oh jesus.. thanks i got!! i did over think it
Hi everyone, I am doing the module Privilege Escalation and have it all figured out up to the point where you have to ssh into root using the id_rsa. I created a vim file called id_rsa and pasted the whole key into it, and now I am running "ssh root@ip -p port -i id_rsa" but it just throws an error: Warning: Identity file id_rsa not accessible: No such file or directory.
"No such file or directory."
make sure id_rsa is in the local directory and has the correct permissions
cant you use impacket-secretdump for dcsync?
or am i trippin
I did run it through chmod 600 but I don't know if it worked since it doesn't have a callback (I hope :D)
and what did you mean by the local directory?
did you accidentally move it to a different directory?
do ls. see if you can see the file
the directory you're running the command from
I am running it from root
we didnt ask about the user
I wish I had enough cubes for the PowerView module
did you remember to actually save the file you wrote?
[] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[] Using the DRSUAPI method to get NTDS.DIT secrets
Administrator:500:aad3b435b5
now i pth with evilwinrm and it doesnt work
dont use evil-winrm
did you use the right hash, and is winrm even enabled
use rdp
check what is actually open on the server
idk if rdp is open. i havent gotten that far
nope, how do you save it? never worked with vim before
ok so. nano might be easier then
":w"
idk I use nano not vim
better ":wq!"
there is no nano
its simple, quick, and installed on everything
haha right
nano is a myth
"True random value does not exist" - give someone new access to Vim console and ask them to quit it
I've never seen a linux machine that didn't have nano
I've been on embedded Linux systems that still had nano
Alpine OS
E212: Can't open file for writing: permission denied
can you do this in the /tmp directory
I am doing the Module: Getting Started, Section: Privilege Escalation. The 2nd task is to "Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'. " I have access to user2, which has read privileges on /root/.ssh/id_rsa. I tried to copy-paste the content of the id_rsa on my local machine, and then tried to login as root, but it asks for a password. Any idea what I'm doing wrong?
just restart everything
question : why do priv esc if there are no linux basics ?
https://vim-adventures.com/ Have some fun
chmod 600 id_rsa
I've considered learning vim but I just have so many other things of higher priority on my learn list
vimtutor
or chmod 777 id_rsa
just fire it up
vim is usable for me, but I prefer nano. Also I use a basic terminal and not tmux.
Fair. Vim to me is like regex - it doesn't take a while to learn it, but once you do, it's actually useful
tmux is weird on my keyboard because i live in a different country lol
you should see our seniors use vim
both don't work "Permissions 0777 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
"
Hah, kids. I use DOS for pentesting
chmod 600
chmod 600 id_rsa
if not do sudo chmod 600 id_rsa
^ in that case, also change the ownership of the file
You can also get the answer If you just google this error.
where is the fun in that :/
Uh..
and please learn how to crawl before learning how to run
Crawl what?
linux basics
google op
is there a difference asking for help and googling? at least then you will get better at enumerating
Im literally googling a problem right now
Just write it here.
Google bad
it will probably end up to stackoverflow :>
no need, I googled and clicked on the first link and it had the exact solution to my issue with examples
I already tried it before still not working, am I doing something incorrect? This is supposed to be the ssh private key of the root user. Then I run: ssh root@94.237.53.58 -p 47371 -i id_rsa
ls -l id_rsa
you might need a password, yes. If there isn't anything you can do to bypass it you can try a longshot with ssh2john and see if you can crack the password
saying things aren't working isn't useful, provide errors when troubleshooting new steps
-rw------- 1 htb-ac-32439 htb-ac-32439 2603 Feb 6 20:34 id_rsa
I'm not able to connect to SMB1. Please help me
What happens when you run the ssh command then?
you failed to copy it over
Incomplete/corrupted private key, repeat the process
invalid format means its a bad copy yeah
@astral inlet ty for the help, I figured it out and when I finish the module ill be sure to check out linux basics
maybe missed some "---" or so ?
Also that can be googled like this https://serverfault.com/questions/854208/ssh-suddenly-returning-invalid-format
and you can ask chat gpt, it does google for you
I remember my old days of struggling to connect with openvpn.
Everybody did, it's the process of learning
same. i struggled for 2 hours with /etc/host cause i didnt know what it was
How far we've all come.
the key point is how to learn to help yourself ...
Remember my old days of struggling with gobuster, and this was a year ago, and in a few weeks im gonna have the cpts lmaooo
Yes, learning to Google stuff was a new thing I learned back then.
02hero
i am on my way to cpts too
You'll do great. It's been a whole year.
I have CRTP next month.
All the best man, crush it XD
working as a junior PT since december 2023
let's pray for all to pass cpts
Haha, will do. AD is totally new for me but I am enjoying the learning curve. It feels like being back in the old days of learning about Linux.
yes and after it oscp is on the menu
except for some reason this is weirdly more fun lmaooo
You'll be under my radar. I'll keep watching.
I'm kinda frustrated sometimes not understanding a topic, but whatever lol.
AD ?
Yes, CRTP bootcamp.
with nikhil
Yes. Started 2 days ago .
whenever I dont understand something, I perplexity.ai my way out then consult some pro's blog haha
I read as much as I could about AD. Academy modules, Microsoft Learn docs, PowerView docs, labs etc.
And I have a pretty fine amount of knowledge considering the time I started.
if you need some resources dm me @lapis pelican
Resources!! Why not??
got it guys thanks for the help
what was the issue / solution ?
hi everyone! could anyone possibly advise me on the NTLM Relay skills assesment?
I'm pretty sure I've found the correct path... I'm getting access denied for some reason though when using impacket
the previous hash i got for admin was wrong redid the dump and was able to execute type C:\Users\Administrator\Desktop\flag.txt
you may check it with nxc or cme before
which question and what have you got?
i originally dumped it with katz on ms01, this time used secretsdump with the dc01 ip and creds gathered
π
not gonna lie that was a tough module to get through
new fortinet breach, anyways what are some challenging modules? any genre.
yes HTB does not take you fully through it you have to think much
finally it worked, it was a bad copy, thought everything was fine but some additional "~" were at the bottom, that was the issue.. silly me xD.. ty all for help @astral inlet @low crescent @placid edge @thorn urchin
np. Good job!
there were a lot of rabbit holes i had to dive headfirst into
im on the 2nd
you're welcome and tbh the most you will do is troubleshoot
can I dm you?
and learn to fix things
It's not a rabbit hole if it leads somewhere
no offence
go ahead
that doesnt make any sense
Rabbit holes by colloquial definition lead nowhere
something that leads somewhere and can or will lead to another place repeatedly is technically a rabbit hole
they lead me to the rabbit who had the carrot
a rabbit hole being what seems like an infinite cycle of repetition between discovery is quite literally it
like some SOG or Mamamax videos where they cover disturbing sites (usually darknet) that all interconnect to each other and seem to have no end to redirections
thats a rabbit hole
this module should've been put lower on the list imo
I need help with login brute forcing skills assessment, can someone help me with the parameters?
sure
tell us your syntax
hydra -l user -P /home/kali/Downloads/rockyou.txt -f 83.136.249.57 -s 35205 http-post-form "/admin_login.php: user=^USER^&pass=^PASS^:F=<form name='log-in'"
-1
Yeah no it's -l, I had to take a picture of my script and copy paste it from the picture
You can't copy/paste to discord? Or are you running baremetal and don't have discord installed
I donβt have discord installed, company computer
I'm really not sure where I'm missing something, I've re-read the module multiple times and I can't seem to figure out what is wrong with my parameters
did you check with burp ?
thats correct
What happens when you run the command? Does it instantly say successful?
Yes, it's giving me user:12345 as the username password
Then the "failure detection" part is wrong, that's the part after F=
is user meant to be a name or a text file ?
Basically it tells hydra to look for a part in the result html and if it finds what's after F= it didn't log in correctly
I assume your page does not contain <form name='log-in' on a failed login
Maybe the form is named differently or you can find another unique string
better use the correct error message
Might be a dumb question but, is it case sensitive?
Ahhh I needed to use "Login" not "login"
nice
great
Greetings and salutations bb10
So uh guys I did not get it, I thought I did and I did not
I'm looking at the curl rn and it says form name="log-in"
Where to start how to start give me some tips guys
do you have linux skills ?
Yeah some
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
-f exit after the first found login/password pair (per host if -M)
-F exit after the first found login/password pair for any host (for usage with -M)
man hydra
you sure its rockyou maybe a custom wordlist been awhile since Ive done it
Is there an easier fail string? Like a proper "incorrect password"?
No, it just brings you right back to the login page
This is the html on the page <form class="form" name="log-in"
Maybe make sure you are using the right quotation marks? Single vs double etc
example :
sudo hydra -l atlas -P ~/rockyou.txt 10.10.11.218 http-post-form "/login:username=^USER^&password=^PASS^:F=Invalid credentials"
which assessment and which question
just an example
Module: AD Attacks and Enumeration, Section: Living Off the Land -> I believe I found the user I need via the ldap queries and UAC bit values but when I query info on the user themselves it responds with user does not exist. Plz point in right direction
Could also try just looking for log-in without all the html markup
I am on Exploiting XSS Via WebSockets. I am sooo stuck for close to three hours now. I have tried xss payloads that will call out to a script I am hosting but cant seem to make any progress. If anyone has completed this please feel free to ping or DM me for more details on what I have tried. I would be grateful for a push in the right direction. Thank you!
Ok I'm in footprinting medium and have admin privs... I see the NTUSER.DAT in file explorer. How can I view its contents?
why do you need that file?
I thought maybe the user creds im looking for could be in it
nope; you can find the creds in 2 ways; either exploring what shares your user has access to - or enumerating other services
oh wait
you have admin
why not ||SQL||
Rgr I'll dive in
it's literally like the one thing on the desktop when you RDP
I'm not familiar with the software lol. Digging for my creds
i mean you have the admin creds no? so you just launch it as admin
Found it! I was scrolling the DB
there's some commands that they teach you in Attacking Common Services that would speed it up 1000%
I'll go back in the lesson next time, good call. Had to do quite a bit of note checking to do this box. Learned a lot in that one.
nah the footprinting module doesn't give you any sql navigation commands
to do from a command line/query
how ;-;
why doesn't 10.129.89.51 inlanefreight.htb work?
i put that in my hosts but when i go visit http://inlanefreight.htb it doesn't work, why
i did and then used dig NS inlanefreight.htb but it doesn't work
im on
Information Gathering - Web Edition
Page 7
Active Subdomain Enumeration
Active Subdomain Enumeration and i cant find the ns
doing nslookup you still need to specify an ip to lookup with, nslookup -type=NS inlanefreight.htb target_ip
oh i c, thanks
i got the nameserver, do i have to add it to my /etc/hosts?
$ nslookup -type=any -query=AXFR 10.129.65.204 ns.inlanefreight.htb
nslookup -type=any -query=AXFR inlanefreight.htb 10.129.65.204 ns.inlanefreight.htb
doesn't work
if you add it to the /etc/hosts file you don't need to specify multiple nameservers
i didnt add the nameserver yet
also it's likely breaking because you're trying to specify multiple things
should i add the nameserver to the hosts
if you want to, it's not necessary: the ip is just as good
there is no need to do that
(if the nameserver said something like 127.0.0.1 don't use that)
$ nslookup -type=NS inlanefreight.htb 10.129.65.204
Server: 10.129.65.204
Address: 10.129.65.204#53
inlanefreight.htb nameserver = ns.inlanefreight.htb.
the nameserver is just the ip address?
nslookup -type=any -query=AXFR 10.129.65.20 10.129.65.204#53
no
you're misunderstanding the information presented
the #53 is just a representation of the port that's relaying information (port 53 is known as the DNS port btw)
nslookup -type=any -query=axfr inlanefreight.htb target_ip
i'm gonna be honest dude, you need to read the sections more carefully
oh i c, thanks
hi everyone! just wondering if anyone had done the first set of exercises in the NTLM relay module. They're keeping me from completing the module and I don't know what is going wrong. The first question asks for information about a 172.16.117.50 on responder, but after waiting an hour I still dont have any traffic from 172.16.117.50. I'm not sure if something is wrong with the lab or I'm doing something incredibly dumb lol
i take it you're connected to a jump host on the 10.129.x.x network?
also responder doesn't do anything, it listens for things
are you connected to a host that has access to that internal network?
with sudo python3 responder.py -I ens192 -A from the host on the internal network
it is capturing a lot of traffic from the dc, 172.16.117.3
but nothing from 172.16.117.50 like the question asks
what is the question asking for specifically
it asks for the hostname that 172.16.117.50 requests via nbt-ns or llmnr
hmm idk then
yeah its weird lol
make sure you didn't skip a step from the section
sometimes it's dumb like that, you miss one step
whoa found it
it was a needle in a haystack lol
also had to leave responder running for ~ 15mins
Are the AD labs down again? I can't seem to get connected to the AD skills assessment 1
Switched VPNs, UDP, TCP, all of that.
Been staring at this for way too long.
When this finally does work I will have a question. Is there a way to run chisel on Windows AD?
I didn't think about that option yesterday since it only showed linux as an option in the section that covered it.
doesn't the pivoting module literally show you how to?
there is a chisel.exe ¯\_(ツ)_/¯
but i mean ligolo-ng is better
if a subdomain has a subdomain that subdomain is a zone?
or + 1 Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. i would do this by checking if the nameserver is the same right
no
it's a shockingly low number
i c
that a right way to do it?
No, just shows the syntax for linux
Doesn't mention windows in the module at all.
i mean there's also likely documentation on the chisel repo
just do, don't ask
Nothing regarding windows in there.
i c any other way to check if they are zone?
this resource might help you better understand the concept of dns / dns zones
https://www.cloudflare.com/learning/dns/glossary/dns-zone/
What would be a good alternative. Someone told me I need to tunnel to the MS01 machine in the AD Assessment 1.
Saw someone in the forums that used chisel, but there was no clarification as to how that worked.
Are there cyber security sims
Okay, apparently there is, it's just not mentioned on the github repo for some reason
literally said it earlier: ligolo-ng
Are there cyber security sims
repeating your question doesn't make us understand it any better
Are there cyber security sims
but it was shown in the pivoting module, like @fathom pendant said, try ligolo;
its a better alternative
what do you mean by cyber security sims?
I play flight sim
ah
this channel isn't for that kind of conversation. Closest I've seen uses some typescript/javascript stuff - Bitburner
but there's not really a "cyber security sim"
besides you can likely google or search steam and find the answer
fuck
Very smooth
Yeah, they just showed ssh. I am trying to use the tools from the module first, I will for sure try ligolo second.