#modules
But that might be me overanalyzing it
let me give one more try then
if you don't grab anything suspicious within like.. idk 5 minutes, maybe restart the target
sure... let me grab those
ok i'm gonna stop slacking now
Me every other hour
no i'm slacking again
Hey don't discount yourself. You've been an angel to me. I thank you for taking time out of your day to help all of us.
my brother if only you knew the insanity that goes on
Insanity with what in particular ?
For the future: Anyone needing some help on the noSQL injection Skills Assessment II, can DM me! Glad to help
Academy down? can't access the dashboard. I can visit academy.hackthebox.com but not /dashboard
i ate the API
same here
Sounds yummy
Yes I cannot login to my dashboard neither
I really didn't read the link you sent me with the "contact form" but I started solving the puzzle. At least I think it's a puzzle since I've gotten pretty far not even knowing what I was signing up for
?
uhh... are you uh
yesterday was like that too, I thought the problem was here
there's no "puzzle" to be solved
Like I could explain what I've done but spoilers?
just reading comprehension

wdym what you've done? there's nothing to do on the contact htb help page
no I mean. the shit's just a png, the clues are in the headers. Modifying the headers you can get more images or returns which contain a secret
you then request the page with the secret and it throws you a real page with javascript
what are you yappin about my dude
among other things
Idk what is up with academy servers. It's insane how often it's down
https://help.hackthebox.com/en/articles/5986762-contacting-htb-support <-- this page right here is literally just a help center article regarding how to contact htb support
Need to speak to a person? Learn how to reach our support via HTB Labs.
well that's what's up. If you don't find the secret and try to use the contact thingy it will just return a still image and some text that you're not worthy
so i really don't understand what you're yappin on about
the text says I'm not allowed to share it but I could show you the start
i'm just fuckin confused my dude
because nothing about that article has anything to do with any sort of challenge
so this is what you get if you click on the connect to agent
yes, that's the chat agent
that's used to connect to a support staff
i really don't see what the fuck you're yappin on about
its the whole page
maybe it's because of the Cyber Apocalypse 2024
unrelated, separate platforms
this has 0 to do with anything
you're literally chasing nothing
Something went wrong
Error Code: 504
Our engineers have been notified and are working to resolve the issue.
Ray ID: 862c86d0b88790a1 ????
be patient
it's a known thing atm
what time it could take???
took like 10 min friday
Aren't we supposed to ssh to kali from the htb machine ?
from bob; the 172 address is an internal address on the network
depends on how fast they resolve the issue
10-20 minutes or maybe more, it's a weekday so engineers are probably all working
anyone having problems with academy not loading ?
@pastel lava i discussed above
lol im not even getting an error code just sitting loading lmao
it'll load until it errors out
how bro? Lmao it's a sitewide issue
surely there's nothing u can do lmao
they need to fix it
swear this happened the other day
working now
Got it. but it's a complete mess for me to understand the lab setup. lol
Academy dashboard got back! o/
this is nothing to do with lab setup and all to do with networking
to be fair, the lab setup is a bit weird, and it's only for the first section of the module that you have this SSH problem
the kali box is on a separate internal network that bob's machine has access to - it's not on the 10.129.x.x network in which you'd normally interact with
all the other sections you can do entirely in WS001
it's on the 172.16.x.x network
in which your machine can't access (without pivoting)
pivoting is not a requirement for the module
We all suffer inside our minds.
Hack the box is my only salvation from the dark world of reality
In the previous section, it's laid out so it seems like you can access both WS001 and kali simultaneously from your own box, but that's not the case, so the confusion is understandable
either you RDP into WS001 then SSH into kali from there, or you RDP into WS001, get the hash you need, and crack it on your own machine (which is what i did)
the rest of the sections, you either do entirely within WS001 or kali, and you'll know which one to use based on the target you spawn
it would've been great if each module chat was isolated.
That would be a lot of chats
Hey everyone, i have been stuck on Password Attacks > Password Mutation running the mutated wordlist to brute force the user sam for hours, can anyone give me a nudge (i think the hints from 2023 and later are no longer valid)
there was an idea floating around to make modules chat into a forum like #1024429874246590575 ; which I somewhat agree with, it would make searching for your issue a LOT easier. and it wouldn't get drowned out as easy
don't attack ssh
i was attacking ftp
48 threads is the sweet spot for most
hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
yes that will generate the correct list
Yeah that's true. But I don't wanna sift through 30 channels to see if I can help someone out. But yes, it would make sense if you were looking for something specific.
and i use hydra -l sam -P mut_password.list ssh://ip -t 48
and it keeps crashing
i mean
ftp*
it's right there that your command is bruteforcing ssh
but it should only take ~ 20 minutes with the full list
or you can cut the first 17k lines and get it like way faster
¯\_(ツ)_/¯
the hints should still be viable as I don't believe they've changed any conditions to the lab
i think they changed the dc hero, and more
no
did it last week and everything seemed normal
also idk what you mean by "dc hero" that has nothing to do with this module
hydra -l sam -P mut_password.list ftp://10.129.35.67 -t 48
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-11 15:44:16
[DATA] max 48 tasks per 1 server, overall 48 tasks, 55711 login tries (l:1/p:55711), ~1161 tries per task
[DATA] attacking ftp://10.129.35.67:21/
1 of 1 target completed, 0 valid password found
[WARNING] Writing restore file because 13 final worker threads did not complete until end.
[ERROR] 13 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-03-11 15:45:12
i keep receiving this error when i tried -t 48 or -t 64
that looks like you might need to lower your threads then
it sounds like for w/e reason your system can't handle that many threads so they're getting discarded
also that pw list looks awfully small
the full list should be 94k words
hmmm if the threads keep getting discarded, does it help if i restart pwnbox?
probably
or change vpn regions and see if it's the box being unstable
either way; it doesn't look like your pw list is correct
and in fact if you cut out more than the first 17k lines then you missed the right password by a mile
w/out cut it's like 94,044; with cut it's like 77,044
hmm ok ill try the methods u stated
<@&861185840277487616>
sry
@mint canopy Read the rules of the server.
Thanks Marcie
also make sure to use the provided rules and pw list from the resources section
yes i did used them fyi
also don't do --force
ah i used --force
[DATA] max 48 tasks per 1 server, overall 48 tasks, 55711 login tries (l:1/p:55711), ~1161 tries per task < this indicates that your pw list is much shorter than the intended list
55711 pws in your mut_password.list
which is completely incorrect
you should generate a wordlist that's 94k words long with the provided list/rules
yes i just generated on with the length, 94044
im testing it with hydra and -t 48 after resetting pwnbox
i would also suggest restarting the lab
the full list w/ -t48 (if no other issues prevent it) takes ~20 minutes to grab the pw

figured i'd give you that heads up if you wanted to step away and take a break while it runs
:) since it doesn't need supervision
i think the break is needed fr, getting a lil tunnel vision
this is everyone's reminder that if you've been staring at your screen for 4 or more hours to get up and go take a break and hydrate
or even if you're getting more irritable at silly mistakes, take a break
This may be a stupid question, but if I'm trying to bruteforce RDP, is port 3389 the only viable option?
wisdom 
Please let me be scammed by u!
ty
gotta get up pretty early to catch me lackin on a scam
XD
I sniff em out like a pig finds truffles
People, is the DCSync section in the AD Attacks module broken? I've reset the machine multiple times already, checked that adunn has replication rights (it can carry out the attack) and double checked for typos. Still, following the steps outlined in the module, mimikatz returns:
ERROR kull_m_rpc_drsr_getDCBind ; RPC Exception 0x00000005 (5)
EDIT: If you are logged in as htb-student then very likely there's something wrong going on with the runas command. Try logging via RDP as the user with replication rights whose password you found in the previous section and you will be able to carry out the attack.
Searching for this string here in discord returns 4 people with the same problem but the answer/explanation for what is happening is not found.
Alright let's see if that helps
also try setting a pivot and use secretsdump
Found the problem
Gonna edit main comment. Thanks for telling me about the access denied thing!
ah okay, yeah usually logging in directly will be more reliable
i don't think i've ever used runas when i've had creds for a user
make sure you put 0x at the beginning of the answer
ok.. that's as far as i can help w/o notes
can i see the question?
and you added the appropriate instruction i'm guessing
are you looking at the right place? the value will be the same at the same instruction
I believe so, so I watch this value, start in $rsp and go to the $rax register. It's just that the question doesn't seem to like my answer sadly.
if I did it right, would the value of RSP change? Or would RAX just take on that value when it gets the mov instruction? (Sorry everyone)
You are moving the value of rsp to rax
send a screenshot of your gdb
Don't apologize, you're asking valid questions about something you're likely misunderstanding
You just need to link your app.hackthebox.com account to the discord (following #welcome)
It's not
Otherwise you'd have your htb rank
can you show the upper part of this output?
yeah none of what's in the screenshot shows rax
Your gdb instructions show you moved rax to rsp
I'm stuck on whitebox 101 skills assessment, trying this payload but doesn't seem to work ||curl http://94.237.58.211:36265/ping -X POST -d '{"debug":true, "ip":"\"; const { exec } = require(\"child_process\"); exec(\"ls / > source.zip\")}; //"}' -H "Content-Type: application/json"||
quite sure this is what i should be doing though
0x40100d instruction
so I have it backwards?
the values of each register are in the upper part of the output you didn't put in your screencap
@pine dagger could you perhaps help?
This too ^
Am I wrong in thinking the 0x40100d instruction is backwards?
I'm not too familiar with assembly to be certain
mov rax, 1 -> rax = 1
Ok I'm just thinking wrong, ty
that is correct, that copies the value at rsp to rax
gdb outputs more than that, scroll up to find the register values
as for what info registers is displaying, i'm not sure
so this is supposed to give you the register values, but it's not working for some reason
see the label where it says stack
show the output of what's above that
I see what you guys are saying, under legend?
@next bronze become a white box pro and help me
yeah maybe next year 
it's only 15 modules
Hey Xre0Us, doing any path currently ?
not atm, probably won't for a bit
iirc they're doing maldev
yeah finished that
oh
gonna wrap up my current job and prep for the pentester offer
you have the answer right there
now i understand, you were submitting the pointer to the value at rsp as the answer
Can anyone please tell me how can i up my Reversing game? till now i've only been solving picoCTF gym, and i want to get better in this domain. I am a little restricted when it comes to buying subscriptions and stuff. your advice will be highly appreciated. (please ping me when you respond)
yeah as I said, look at the right place
Oh that one. Heh. that's definitely a tricky one. You are on the correct line. But I did it using ||"ip":'"'"'); const||, you may want to copy that out so you can see the difference between ||' and "||
All the best!
How would you make that work though? As that does interfere with the single quotes around it
curl http://127.0.0.1:21440/ping -X POST -d '{"debug":true, "ip":'"'"'); const { exec } = require(\"child_process\"); exec(\"ping -c 5 127.0.0.1\"); //"}' -H "Content-Type: application/json" gives errors
it was one of the methods discussed in one of the modules I did. yours should work as well...
It does not
I'll dm you my notes
Thanks a lot
Hi guys, could use a little help
I get this error when trying to download a file from smbclient. Any recommendation to alternative ways or maybe why it's failing?
try restarting the machine
it looks like the box is being buggy
yeah, ill give it a shot!
NT_STATUS_[ANYTHING] is a windows related error
smb: > getting file \Backup.vhd of size 136315392 as Backup.vhd SMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now
Also giving me this
exit smb, restart the lab, try again
Sounds like a plan 
this is generally an error on the box end
unless for w/e reason your connection is unstable
Nice to know. I'll keep that in mind.
yeah, I think there's one closer to me but it's like 5ms difference
i'll try it out
i'm not referring to pwnbox
pwnbox != vpn
they are completely different
oh yeah so like changing from eu1 to eu2?
ye
pwnbox region strictly dictates where the pwnbox spawns
vpn region dictates where the target spawns
I see. Thanks for the clarification. Didn't give it much thought
Is there a big difference between running it UDP or TCP?
if you're using the pwnbox? no
if you're using the vpn and your own machine: UDP is faster, TCP is more stable
Ah okay, yeah I think I prefer stable
i.e. having issues with rdp? use TCP
DACL attacks - this question says Lilia is the owner of the "Managers" group, and to abuse that to gain access to chap's account, however it doesn't seem to be the case that Lilia an owner of the group.. what am I missing?
Sorry, last question. How long should I wait to respawn my machine?
Module: Kerberos attacks, does anyone know a tip for how to easily copy hashes from PowerView's output? Because it contains line breaks and spaces so I can't just paste it into hashcat, I have to fix that first
Run the command with /nowrap at the end
^
i mean generally i'd wait a few minutes after spawning the machine to interact with it
group owner != in the group
PS C:\Tools> import-module .\PowerView.ps1
PS C:\Tools> Invoke-Kerberoast /nowrap
PS C:\Tools> get-module
Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 0.0 PowerView
Script 2.0.0 PSReadline
Not getting any output now
why not use rubeus for the kerberoasting?
because I wanted to try this out
well powershell natively truncates outputs a fair bit of the time
Well, rubeus it is then because it gives cleaner output
i mean another alternative is using sed to remove all the newlines
how'd you do the previous question then
you can use a text editor, then search and replace \n with nothing, removing all the new line characters
/nowrap is for Rubeus, for PowerView you are in the world of powershell and can use "general powershell methods" to format the output the way you want. try Invoke-Kerberoast -OutputFormat hashcat | % {$_.Hash} "%" means "for each object", and in the script block the $_ represents each object, from where we extract the "Hash" field. This should output it in a format more to your liking
sry i had to leave before explaining the I.Img. but kts cool ill do in right channel some day
I get this error when trying to get a file with SMB. I've tried to switch VPN and restart the machine. Anyone know what it could be?
do you need an output?
what do u mean?
there's a chance i'm wrong here but don't you need to tell it the name and/or path of where it's getting downloaded to?
get Backup.vhd Backup.vhd
I'll try it
not required
Yeah, I get the same error
looks like a connection problem
^
are you able to ping the target?
you can try the impacket version, smbclient.py
Thanks, will try this
yup, full connection
that is the impacket version
I'll try it out
on parrot it's aliased to not require the .py
I'm on my own vpn
that's the samba version, impacket version uses a different syntax
huh TIL
looks like smbclient.py did the job
curious what the difference is lol
yeah, it's a bit odd
hey guys stuck on "ICMP Tunneling with SOCKS" with the first few steps. I'm using a VM with Kali (idk if that matters much over ParrotOS) and I clone "ptunnel-ng.git" to my machine. then I try to run "sudo ./autogen.sh" but it errors out stating line 10 - 14,19 not found.
I can't seem to add screenshots on here for some reason
looks like i was able to fix it by installing autoreconf
btw you can't send images because you've not verified your account yet
i thought i had.. let me double check
you def haven't or you wouldn't be a white name lol
Module: Password Attacks
Section: Password Attacks Lab - Hard
Question: I'm trying to mount a .vhd drive. I've cracked the password and everything. But now I can see that I have to get the admin password to mount it, which makes sense. I've looked everywhere but I'm kinda lost on where to look. Can anyone give me a nudge?
prolly a really dumb question but why am i not able to load the /robots.txt page (or any listed in the nmap scan)? the actual page itself without any sub directories works fine
same results, the page itself still loads fine but no sub directories. i was able to run feroxbuster against it and access the sub directories it found, just find it weird that nmap found a robots page but i can't access it.
You can transfer vhd disk over to your attacker machine; and mount it there
So I mount it remote?
Yup
but won't i still need to have the permissions to mount it remotely?
You can use smbserver to get it to your Vm and mount it there or transfer to a windows box /machine
Yes but you have admin permission on your windows machine / box and "sudo" privs on Linux
But I don't have admin perm on the windows machine
**Module: WINDOWS PRIVILEGE ESCALATION**
Section: Citrix Breakout
https://academy.hackthebox.com/module/67/section/2502
RDP is not working. It's just blank. Tried both **rdesktop** & xfreerdp. All the other sections have worked fine.
does anyone have a kali linux with all the essential tools i can download? or a list?
No, on any remote windows machine (in this case prolly your windows machine )
Ah okay, I get you now. Thanks!
^ spin up a vm
you're right, i remember i didn't link because i only had an academy acct and there was no way to link it. looks like they added an account manager to tie all your accounts together
I wouldn't mount random vdisks on my own pc
My own Windows VM is slower than HTB RDP machines
you can use windows server, those take way less resources than windows home
Did it yesterday. Saved the last question for today. Maybe I need to go perform the steps in the previous questions for her to get ownership, but I believe the module says she should be owner by default. She was owner yesterday I remember seeing it in BH, today after multiple restarts on the box she isn't.
True but sadly, I ran everything from there. I was running out of space
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Found this guide. Worked like a charm.
I mean bh also isn't the only tool you can use
yeah something is wrong here, bh doesn't even show the relationship between luna and inlanefreight. i'll go through the page again.
yesterday i'm pretty sure she was an owner, and now she isn't. i never had to do anything to make her owner, she just was by default.
Not sure how to proceed here. Lilia is not an owner as the question states...
Just in the module Burp Intruder from "Using Web Proxies", I started the exercise and I have been waiting for a long time, is it normal?
how to fix ftp> ls
229 Entering Extended Passive Mode (|||58428|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>
ran sharphound on the host and then uploaded the zip from there to bh, works now and i can see the edges.
need a bit of help with "ICMP Tunneling with SOCKS".. getting this error "version `GLIBC_2.36' not found". i'm on 2.37.. is there a way to roll back? or will that mess up my VM?
anyone have any advice on footprinting easy lab
enumeration is key:
i did, i enumerated the dns servers
idk how to get thru the ftp stuff, it's stuck in passive mode
run a full tcp scan and take a close look at the open ports provided by nmap
Working on the Vulnerability Assessment module, under the Nessus Skills Assessment Section. I logged into Nessus, but when i try to access the scan it says API Disabled. Nessus has detected that API access on this scanner is disabled. If you believe this is an error, please try the following. -- I've already cleared my browser's cache and still get the same message any suggestions?
there's port 21 and port 2121
bingo
yes but i can't go on either of the ports, it just says ftp> dir
229 Entering Extended Passive Mode (|||58519|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>
disregard, i think it wants me to create my own scan
how did you connect to the second one?
ftp -p 10.129.68.16 2121
ftp <IP> -p 2121
i c ok thanks
ftp> dir
229 Entering Extended Passive Mode (|||14073|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
ftp>
dir -a
oohhhh thank u
always check for hidden files. you can also use ls -la
how can u do that on ftp server
By typing that exact command
type help to see all commands
ok thank u
np G
which is longer to digest: Introduction to Malware Analysis's "Code Analysis" or Introduction to Digital Forensics's "Rapid Triage Examination & Analysis Tools"
morning all, I am stuck here, on the second part, I have the password hash but I am struggling to get the clear text of the password. I have tried john the ripper, it's been running for 14 hours to no success yet. I have tried hashcat with wordlists to no success and the brute forcing of it through hashcat says it will take 10 years. I know I am missing something just not sure what https://academy.hackthebox.com/module/112/section/1245
10 years? what wordlist are you using and what's the command?
no wordlist to bruteforce. to crack the salt using a wordlist i tried rockyou, i tried the wordlist inside the cracked hashes directory and xato
what's the hashcat command
hashcat -m 100 -a 0 /usr/share/metasploit-framework/ipmi_hash.hash /usr/share/wordlists/rockyou.txt
hashcat -m 100 -a 3 8a3997093c278242ad2d1736f36e318766a97fe5 ?a?a?a?a?a?a?a?a
wrong hash mode, it's 7300 which is given in the module, and use a wordlist instead of masks
Trying to use burp intruder but I have no status? why? I have only "errors" checked.
https://academy.hackthebox.com/module/110/section/1054
Don't click on images if you don't want to get spoiled.
Can anyone give me a hint on " Use the Managers group privileges to abuse the company's CEO's account chap, and gain access to the shared folder \DC01\CEO, without changing the CEO's password. Submit the contents of flag.txt as the answer. " with DACL attacks? I'm able to take ownership of the chap account and change the password, but I can't figure out how to get access to the folder without changing the password.
probably setspn and kerberoast, but the module didn't go through an even better method for some reason: shadow credentials. there are a few ways to do it, but with certipy shadow auto you can just grab the hash
any method works as long as you're not changing the password
alright thanks
I think you're right about the targeted kerberoasting, that seems to be the only way to do it all from within the module. unfortunately no matter what i do i cannot get the clock skew to sync. i just went ahead and used his hash with smbclient to grab it.
Can someone answer my message in general
#general message
i'm on footprinting med and i found SA and the password but it doesn't let me log onto the MSSQL database, saying login failed
run as admin
I just finished the Linux credential harvesting challenge and for some reason lazagne wouldn't pick up the cred but the firefox tool did. Is this normal or was I using lazagne incorrectly
idk but the intended method is with the firefox tool
not every tool will pull the same info
ok cool, I saw some other stuff online mentioning lazagne so I gave it a go as well
hey folks, stuck here now https://academy.hackthebox.com/module/112/section/1078 I have found the user's public key, fetched it from the telnet server, given it the necessary permissions, but when i try to ssh in I am being told the user password is incorrect, though it's the one given in the prompt. I'm confused
if you have the key; why are you using a password
also: it could be giving you the error that it's not accepting a password and only using publickey auth
also idr telnet being a part of this
when i attempt to connect ssh @<user><ip> the next prompt it asks is password
sorry, that's what i had been using
second the answer won't be using the given credentials to sign in to ssh
this is what happens when you attempt to ssh with the given user
i pulled those keys down onto my system
why are you using telnet to connect to ftp
also spoilers as that port isn't known
sorry, I said telnet, I meant ssh
no argh sorry im frustrated
I mean ftp
not telnet at all
yes, this is what I am getting
so I guess some of my confusion is that I have ceil's ssh key but I am not supposed to log in as ceil?
by using the ssh key
just ssh @ the ip?
you need to provide an argument that tells ssh you're identifying with the ssh key
as in the path
thanks
and you'll see what i mean
thanks
still fighting
simon@osboxes:~/Ceil$ ssh -i /home/simon/Ceil/id_rsa.pub ceill@10.129.234.38
ceill@10.129.234.38's password:
Permission denied, please try again.
ceill@10.129.234.38's password:
clearly i don't understand
DACL Skill Assessment "What's the password of the account that Carlos can perform a targeted Kerberoasting attack against?" I'm unable to crack this password on any of the accounts I can grab a hash for. Hint?
are u using public id_rsa?
or private key?
i have tried with id_rsa.pub and also id_rsa
id_rsa should work with the right permissions
i fetched all three files from the server
maybe I have the permissions wrong still, let me go confirm that
You added an extra l
Also you don't use the pub key
You use the private id_rsa [no extensions]
I just did it and the intended pathway works
simon@osboxes:~/Ceil$ chmod 600 /home/simon/Ceil/id_rsa
simon@osboxes:~/Ceil$ ssh -i /home/simon/Ciel/id_rsa 10.129.234.38
Warning: Identity file /home/simon/Ciel/id_rsa not accessible: No such file or directory.
simon@10.129.234.38's password:
Like this?
maybe i should go back to building in the theater lol
ssh -i <path to id_rsa> <username>@<IP>
Well it looks like your file path is incorrect
yep typo. but it still prompts for my password
It shouldn't if you do it right
simon@osboxes:~/Ceil$ ssh -i /home/simon/Ceil/id_rsa 10.129.234.38
simon@10.129.234.38's password:
Permission denied, please try again.
simon@10.129.234.38's password:
It's prompting for pw because you're not specifying the username
You still need to specify the username otherwise it's assuming you're using your username to connect
thanks
Now just to remember your history
fingers crossed
Can i have an assist on the login brute force skills assessment question 2
here is my syntax|| hydra -l user -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou-50.txt -t 64 -f 94.237.60.170 -s 40782 http-post-form "/admin_login.php:user=^USER^&pass=^PASS^:F=log-in='submit'"||
thank you
Am I not supposed to crack this or something? The module says nothing about targeted kerberoasting beyond cracking it.
Well it's asking for the password, so I'd assume cracking it is part of it
yeah but it's not crackable it seems
i got outside resources to obtain the nt hash but can't log into the computer with it or anything. i thought maybe the plaintext password was on the desktop or something.
omg
i just tried hashcat again and insta-cracked it. not sure what i did wrong before.
You applied more skill
anyone having issues connecting to VPN?
wdym issues connecting; i.e. it errors out or?
common issue is not running it with sudo
How do I install and get a working VPN on linux? I'm a beginner and I don't trust YouTube tutorials to install things on my pc
is this related to using the HTB vpn to access the labs?
or just a vpn in general; in which case your query isn't for this channel
also - if you don't trust a random YT tutorial then how are you gonna trust a rando person
i think openvpn is pre-installed on kali, just type openvpn <o.vpn file>
Did you ever figure out the final part of this? I'm stuck at the very end of it
hello guys, need help on AD module Kerberoasting - from Linux: Section
when we request TGS ticket its asking password, but how we get it ?
you need to have a valid user that can do the roasting
read the section carefully, it's also likely expecting you to use a password you previously compromised to do so
oh yea Winter2021!
always read the section carefully for the instructions on what to do/how to do it
on the public exploit module I need a shove in the right direction. I found the exploit to use, I know it's wordpress, yet when I run the exploit no dice :c
does any of this look wrong per se
your rhost and rport look weird
it'd be port 22 though right?
i mean it can be any port, generally 22 is ssh
As long as you have RHOST and RPORT set correctly. LPORT should be your machine. I believe I left TARGETURI as just "/"
yes I believe so. It's been a bit, but that sounds right
hm
I found wordpress using gobuster, didn't get port 80 from anything
the 83.136 is the target ip
if it's wordpress it almost certainly wouldn't be port 22
yep
maybe im mentally ill
how did you find which vuln to use
wordpress is a web app. it'll be hosted on the port the http is being served on.
yeah but how did you know what to search for
I found wordpress in gobuster so I looked for it in metasploit
RPORT should be the web server
then I figured I would just need to be able to read the files
so the one I picked seemed right
so port 80 then
I feel a little silly now
and what's the address you put in the url?
i would read over the page carefully, generally you're not going to be able to just use searchsploit and pick one to exploit the target
so what's the port?
ah lol
yknow it makes more sense now
that's also a public IP address -- is this from a htb module?
now that I've said it out loud
yes it's a docker container
ahh ok
correct
or is 80 the port
ah ok
yep now I think I got it
or well I atleast got something
yeah, good job! now you just gotta read it
on this DACL module -- am i supposed to be able to use GMSAPasswordReader? I believe this is the next step to obtain jose's NTLM, but the program isn't working. the module didn't teach rubeus at all, but I think I can get it from there because I see a ticket from him, but that's not the intended method...
boingo bango now I gotta add this to the notes
also it appears to be using LDAP, and the whole time this module is calling to use ldap, but ldap does not work in this lab.
ldap will have to work, else the whole domain is broken
yeah i think it's busted
hasn't worked the whole time
oh you mean in general. yeah idk. but this thing is failing to make ldap calls along with cme, etc
the whole module gives you cme commands via ldap, which straight up do not work. smb works fine.
you need to add the hostname and fqdn to /etc/hosts for ldap
this is on the windows machine inside the domain, ws01$
you run cme on a windows machine?
no, i did it before with my kali box
i mean, is gmsapw reader supposed to work? because it's not working and i'm pretty positive this is the intended path
-- supplied credential is invalid
correct
meaning you did something wrong :)
you don't supply it creds, just the username.
this is what's instructed in the module, and this is what worked in the learning path up to this skill assessment
for some reason rubeus is in there, despite not using it once in the entire module, it does say you can use the tools in c:\tools, but i don't think that's intended
how are you so sure that it's the intended path 
because rubeus wasn't in the module
and they specifically taught to use gmsapasswordreader
by module do you mean section?
no. the entire dacl module does not use rubeus at all.
it's not rubeus but post exploit routine still applies, the scenario given is a pentest after all
wait didn't I tell you the same thing for the adcs module
i know, but i want to do it the intended way
i mean let's think about this. the module doesn't cover rubeus. it covers gmsapasswordreader.exe specifically, and shows you how to grab the ntlm with it
but what you think is intended doesn't work, does it?
it teaches you to use this specific tool.
it doesn't even mention the other one once
is it possible that it's assuming you are in a post-exploit scenario?
i highly doubt you're 'supposed' to use rubeus
so basically, you don't know why this isn't working either is what you're saying?
that's not what he's saying at all
but just saying, gmsa stands for group managed service accounts, does the account "jose" appear to be a service account?
I don't but XreOuS has completed more of the AD modules than me
so I trust him to have done his due diligence in understanding the tools at play
you don't have to use rubeus, do your post exploit routine, gmsa comes later
that's as much as i can say without giving the steps
alright thanks
for the privilege escalation module in the getting started module I cannot ssh in
It keeps refusing my publickey
am I meant to break into it?
There is no port specified above and it gives me the login and password
yes there is
it'll specifically be after the ip
it's given as ip:port
look where you clicked to spawn the target
I thought it would be somewhere else lol my bad
generally when given a public IP you're also given a port to attack
as opposed to the private IP where you're expected to scan and recon
this is explicitly telling you what connection protocol to use and even how to specify the port :)
which makes that the easy part
scp will be your transfer tool here
scp source destination
so: scp [local filepath on your attack machine] [destination on target]
it'll be the format user@ip:~/ for their home directory and i believe it uses -p for port
also wdym by "the python stuff?"
trying the diff enumeration scripts
ah fair
I'm really not understanding what I'm looking at rn or what I've read and I think it's because I'm tired
tbh you should always start with seeing what your user can sudo
so I'm gonna try to power through and then try it again tomorrow
the enum scripts can throw a bunch of info at you
and a lot of the info is useless
some basic stuff you can do without scripts is checking sudo perms and history
well to break down what that means
it means user1 can run /bin/bash in the context of user2 with sudo
kernel version is irrelevant
there is no exploit or anything that's complex like that
ahh
check sudo -h to see what all you can do with sudo
the page I read said to check for stuff like that
reminder: this is a getting-started section
there's nothing that's gonna be uber complex
kernel exploits would be considered complex
I'm kinda braindead at the moment, that means with context earlier it's a no password too?
so I basically just get a free terminal
correct: meaning it doesn't require a password to perform this
well yes if you just do sudo /bin/bash you're not gonna get there
yeah fair
without a user argument, it's assumed to be root
but sudo can do more than root
as stated earlier: read the help/man page for the tool
i think you might be missing an argument
hm
with this I ran /bin/bash again but now it wants a password for user2
this is progress
oh good point
tbh i'd revisit this after you sleep
yeah
since doing any type of learning while tired will likely lead to a loss of information
this is also only the 4th day I've been working with linux
before this I hadn't touched it
either way
yeah
now you just need to get to this user's home directory
there's a handful of ways, usually just cd will drop you to the user's home
or cd ~
otherwise cd /home/user/<username> works
they may have no privs, but you need to get to root, so maybe looking at all of the info in /root/ can help you move forward
look closely at the files/directories in /root/
read over the portion that talks about SSH Keys for that part also.
that comes in later
hm
not much later
if you escalate privileges you can get the flag.
but finding the right place to look helps
in the rot
well yea that's kinda the point of this one
yes and the floor is made of floor; great contribution
look at the file perms ( -la will list all attributes)
you might notice something interesting about all the directories there that make them different from the root flag.txt
yee I can read everything except flag.txt
i'll wait for it to click
well all but one are in the same group
ahh I thought that was for later
not much later
my point was you needed to find the right place to look first
before worrying about ssh keys
ahh I thought when you said that earlier you were saying save that for a later assignment
no these assignments are independent of each other
check the fail string.
i mean good ole ctrl+shift+c and paste into a text editor works fine
that's fair
then just adjusting the permissions
yes
remember you need the id_rsa file
not the .pub or other files in that directory
and it needs to have the
----BEGIN
----END
lines
:D
gg :D
now to try and turn that into notes lol
I think all this will be easier once im more used to how linux works
i wouldn't worry too much about it with the getting-started stuff as they're showcasing different methods
right as I hit completed
Try to analyze the deobfuscated JavaScript code, and understand its main functionality. Once you do, try to replicate what it's doing to get a secret key. What is the key? I am giving the right answer to this but it always gives me the message wrong answer
the key might be further obfuscated with +
but I try it with key=answer, it gives me the right answer and it was submitted as correct
you don't need the key= part
just the key itself
unless i'm misunderstanding what you're meaning
this is the javascript deobfuscation module, what section?
in future it helps when you include the module name and section name you're working on
you have the key as 415... yeah? (obviously don't say the whole thing)
you're applying all the skills from the module here
you need to analyze what the JS code is doing in order to move forward
that key is encoded in some form
yes I have the key and use it further to retrieve the last flag but the last 2 are not working
the DECODED_KEY is the value of the previous question decoded
I put that but incorrect answer
man i just don't know what i'm missing with this dacl thing
@fathom pendant thanks it resolves
np i just reran it to be sure and yep all techniques from the module is shown
Any feedback for OSINT: Corporate Recon? Is it worth to buy or subscribe for 1000 box?
whats the point of doing the intro to different languages modules
PHP and javascript will seriously benefit you in the pentesting modules.
actually I probably would just suggest a whole course on web development before going into pentesting
the windows command line module which is new should also be a must for it
intro is usually data types and syntax. Different in all
damn the intro to assembly skill assessment is really hard
On Getting Started module : Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)
I cannot identify which service is vulnerable lmao
Hi, looking for some help on the HTTP Splitting attack module, please
Completed that one???
phew finally got dacl attacks done. took me longer than i liked but that was a fun one.
not yet , one solved , and one still working on it
module name: xss, section name: phishing. I am stuck here to give the url to the victim, but when I test it it all looks well and I also get the credentials that I input. any tip?
hi wolfie, i think ur rlly cute uwu :3 ^-^
Uh
did bash scripting intro, mfs asked me to do hella advanced shit, not even covered in the module
doing C# intro and its quite easy but ONLY because i learned it before
I'm still stuck at the beginning of intro to C# (first questions) but intro to bash was quite ok for me, before these two I've only scripted in python.
it just mostly depends on the person
some people have an easier time with some languages than others
Still stuck at FILE UPLOAD ATTACKS --> blacklist.
I've enumerated the file extensions and picked .php6 , uploaded it, error. Made the file with double extensions, same result. What am i missing to make this work?
Error: image cannot be displayed <url> because it contains errors.
whats the first question on C#
Is there some trick to this? I can ping the spawned box lol
it's cuz you're using brave instead of firefox
(jk, im just firefox enjoyer)
that's not the only error
htb academy doesnt require vpn no more
Declare a byte variable aByte and assign it the maximum value that a byte can hold.
Submit your answer here...
Declare a nullable integer named itemsCount and assign it the null value.
at least for me
you're meant to rdp to the box first; then visit the url
so fucking easy
Well that explains it lol
meanwhile bash is hard as fuck
haha I think the opposite about it
we should work together on shit
with our opposites combined we can be great team
Maybe I need coffee before I start studying
btw im also script kiddie
i never tried coffee (I'm 15)
drink 3 redbulls before you start
i guarantee that you will do Excellent on exercises
I just wanted something easier before I got back on the Active Directory Enum & Attacks grind and I'm still messing up minor things
can relate up to a point
Anyone a nudge? Guess its very simple but i keep missing it.
did you set the magic bytes?
find a write up
most post only answers, i want to learn how to come to the result.
there is this site called medium
No... didnt note anything about that in this module.
there you can find write up for almost anything
In "Windows Attack and Defense | PKI - ESC1" and I'm being asked to RDP to Kali then WS001. I can get into Kali just fine but connecting to WS001 just tells me that the login failed. I'm using the same IP for both (don't know if that's an issue), any help would be great
also re: the C# question maybe this will help https://learn.microsoft.com/en-us/dotnet/csharp/language-reference/builtin-types/integral-numeric-types
Ah thanks! Thought you were talking about file upload attacks. But no, I did not do that in that module. Thanks for the extra help
file upload attacks i was referring to magic bytes for the image extension
which is why it's not loading
Sorry for misunderstanding.
Okay so problem is the IP seems to only resemble a Kali VM, so I can't rdp to a windows machine. Is there another IP i'm missing?
You will have to use the kali as a bastion host to reach/rdp into the WS001
Or you can set up socks proxy where you will be able to use your VM as the initial host through proxyhign
???
Module:Windows Event Logs & Finding Evil
Question:Replicate the DLL hijacking attack described in this section and provide the SHA256 hash of the malicious WININET.dll as your answer. "C:\Tools\Sysmon" and "C:\Tools\Reflective DLLInjection" on the spawned target contain everything you need.
Just wanted to say that replication of image loading was successful, but sysmon didn't generate an event with ID 7. Used certutil in the end.
Hey, I'm with the same problem, don't know what it's expected @acoustic owl
Hi, I'm still stuck in this module PASSWORDS ATTACKS, page 15 on the last question "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." I don't understand, what to do. I've answered the other questions correctly, but I have a problem with this one. What to do ? Please give me a beginning or a method... Thanks
Send me a DM
hey, did you figured it out? I'm with the same problem
Step 1: find the linux01$ keytab or ccache
I have these in the .ker... folder, but after I can't use it because there are julio or david or other but not with root (sorry I'm not native english/american)
You absolutely can use the ccache files for linux01$, use one of the tools shown in the section
im in section child-parent attack from linux : Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
i got the shell session after executing the attack , but i can't transfer the sam files to my attack host to get the hashes
Transfer files -> the median host then to your attack host
Are you using the right network pathing?
I.e. from DC -> median host won't be 10.129.x.x
ph
K, well, I use another user and after I : Impersonating a User with a keytab, but is there any linux01 user ?
It'll be a 172 address
Linux01$ is the machine account
There is a tool that enumerates all directories to find ccache and keytab files
Ok, thanks @fathom pendant I'll re-try harder :), the response is on the page, I know it. I don't necessarily have to use hashcat or other to find creds?
Pls anyone help
This isn't a troubleshooting channel. Maybe ask in #1024429874246590575 with details of your issue
im in ergen
im stuck , cant transfer the files tried everything
either access denied or doesn't work
is there any method to get that hash without transferring the sam files?
a windows tool or so
have you already gotten DA?
why do you need to dump reg hives for the extrasid attack
yes
you have the DA's hash?
of the parent domain?
whichever domain you want to target
idk , the extrasid attack let you get just the krbtgt hash to perform the attack and get the golden ticket
im not sure i understand
and does it work?
then just dcsync
thanks man
i did dcsync with || secretsdump using adunn creds that were obtained via ACL Abuse||
i don't think i used that golden ticket in this dcsync no?
my problem is that i can't transfer mimikatz
oh no wait
let me check my notes
Hi, is it correct to say that a local administrator (in an AD environment) has ALMOST the rights of an AD user?
i don't think this was covered in modules? not in dcsync section
it's just dcsync but with a ticket, it's not that different than with ntlm
the same syntax you used for psexec will probably work
yep
thank you!
0
a password prompt popped
just to make sure the syntax should be || secretsdump.py LOGISTICS.INLANEFREIGHT.LOCAL/hacker@academy-ea-dc01.inlanefreight.local -k -no-pass -just-dc-user bross ||
nvm its worked
thanks man , the syntax was in the first thing the section started with lol but without the -k -no-pass flags
I might need a nudge on this, Module: Password Attacks, Section: Attacking SAM. I have copied the sam.save, security.save, system.save to my attack machine. I have called python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -system system.save LOCAL, but it gave me the error of "read length must be non-negative or -1"
the target you connect to first is the target you spawn
if you want to connect to the other instance, you need to RDP from the target to that machine
you will need the internal IP address of that machine in order to do so
Don't forget the security.save
the same error persists though
Hi for who already did the Vulnerability Assessment. I don't understand, in the Nessus Skill Assessment -> Requirements part where I can find the pre-populated scan data?
I checked the spawned box but I don't see any nessusd service running
The logs: python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] read length must be non-negative or -1
[*] Cleaning up...
Do a checksum to make sure the files didn't get corrupted in transit
ok ill do it now
It's not impossible
Another way is if you have rdp access, xfreerdp has the /drive: option so you don't have to mess too much with setting up python http.server and stuff
Right now, I am following the HTB materials, for me to reg.exe hklm\sam C:\sam.save then I move it to the smbserver set up on the attacker machine
Hey I'm stuck on enumerating the FQDN. I tried a dig ns inlanefreight.htb @ipaddress but I'm getting a communication error and no servers could be reached. Am I just using the wrong dig options or would it be better to just use dnsenum?
ya i followed it haha, but i did managed to have sam.save, security.save, system.save
are the file sizes > 0?
yes all of them are
and yes do checksum on windows and after being transferred out
Try with dig axfr
Alternatively nslookup domain nameserver/ip
I'm going through my notes and I think the issue is my lack of understanding what a FQDN is and what I'm looking for in the outputs, it doesn't explain it a lot in the module
FQDN is fully qualified domain name i.e. www.google.com would be the FQDN for google.com; anything after like www.google.com/search?query=whatever would be considered the URI
or translate.google.com is the FQDN of the google translate service
the other dumb question would be: are you connected to the vpn
installing odat took me ages
Connected to the openvpn and using kali also thank you for the explanation
it's.... a tool, that's for sure
i've seen sometimes where it's the simple thing of not being connected/having the tun0 ip
some libs were broken. had to install most alone and check which one is acting weird. got it to work but seems like i fk up on the $PATH somewhere so i have problems calling it outside
Module kerberos attacks, section Unconstrained Delegation - Users.
I managed to complete it, but I'm not sure if I did it the intended way. In the examples htb used a given hash to retrieve the kerberos ticket but they provided the user's password in the exercise. I couldn't do it with the password so I converted it to an NT hash, then I got the ticket. And the only way I managed to read the flag was to use smbexec, is there a more convenient or better way to do that? I DCsynced admin but couldn't connect with evil-winrm, it's probably closed.
I'll be more wary of that now for sure
eh even the module shows running it from the directory
so it might just be how ODAT is set up that it doesn't like being called from outside the house
i mean I'm in the directory but can't call python scripts. so i would need to recheck.
well its there
very helpful
- is it executable?
yep
it looks like it's trying to run it with bash instead of python
which is generally the case when you do ./
it tries running it as a bash script, what happens if you just do odat.py -h
ill just keep it alone and run with python3
just run it with python3 and move on ig ¯\_(ツ)_/¯
if it works dont touch it 
no sense in fucking with it if it's working - Sun Tzu, probably
@fathom pendant I checked all the MD5 hashes, turns out that my system.save file was corrupted. So I went to reg.exe save to generate system.save and tried to "move system.save \ip\dir". However, it keeps saying "Unexpected network error occurred" on the target machine although my attacking machine's smb server shows a connection.
is it a pwnbox issue zzz
i have tried a good 10 times
ahhh ok I will try it now
Can anyone explain to me what this option means? Let's say all the .save files are in C:\ (target machine) and I executed xfreerdp with this: /drive:home,/home/user. Does it mean the files in C:\ (target machine) would be accessible at /home/user (attacking machine)?
No, it means you can access the share you set up on rdp
then you can copy files from the windows host to your share
^
so does it mean i still need to use move sam.save \ip\dir (on attacker)
if you have rdp access, just drag and drop the files into the share
if you open up the file explorer -> this computer
you'll see that the linux drive is mapped there
then you can either copy the drive path from the top or drag and drop
yup trying it now
hello there, I'm doing the linux privesc module, now I'm in the Escaping Restricted Shells section. I spent like 2 h looking into the commands I'm allowed to run in that rbash shell and searching GTFOBins for ways to escape but so far no luck, I would appreciate a little bone to point me in the right direction.
I'm checked out fr, the system.save seems too big for it to finish pasting into the attacker's share, which caused the xfreerdp connection to keep crashing
pwnbox needs to do btr for SEA region
try compressing the files into a zip file then moving them all
https://support.microsoft.com/en-us/windows/zip-and-unzip-files-8d28fa72-f2f9-712f-67df-f80cf89fd4e5
that's how to do it from the GUI
and I was happy I was done with Oracle. then I saw they used another tool, sqlplus
the sqlplus part isn't bad
i just installed it from geeks
i mean there's literally the official sqlplus installation from oracle
worked for me except the PATH
so again i have to call it from the opt/oracle/instantclient
what's oracle?
yea i installed that when installing odat
but nope
- rpm
rpm -i
I think a lot of the stuff is assuming you're working on a debian based machine rpm is redhat
so yeah you gotta do a little bit of extra work if you're doing this from a redhat linux system
as most people do pentesting from Kali or Parrot which are both Debian based
im doing it from my parrot
then why do you have rpm files idr needing to do any rpm stuff
i changed from rpm to deb
with the command
-deb*
sudo alien --to-deb
i followed the github installation
i don't see anywhere where the script has you download the .zip and nowhere does it use alien or anything like that
https://github.com/quentinhardy/odat
the script in HTB didnt work
so i manually installed it
it worked fine for me
it didn't for me. i had a bunch of broken packages. some of them didn't even work, like the crypto
so i installed the other one that someone in here mentioned in the erratum
if packages are broken try doing --fix-broken in your apt update command
hey marcie, appreciate the hour-long help while the pwnbox was being laggy, i have managed to transfer everything from target to attacker using a zip file and managed to solve the flags. U da mvp
no problem
if file too big > shrink it
and good thing there's built-in ways to do that with windows
this is why knowing multiple file transfer methods is good in case plan A fails
yup makes sense
it's also why the modules go over multiple methods of doing the same thing
the ad enum&attacks module goes over using powerview, rubeus, and mimikatz
to perform, essentially, the same functions
oh i see, i am still far from it on the CPTS path but point taken
no response