#modules
How Cookies can be Dangerous
Guys I'm new and I'm doing some modules in HTB academy... I'm having problem with the File Inclusion module in the basic bypasses section. The final question of the section asks to find the file /flag.txt
I've tried everything but I'm not able to find it... can someone help me please?
you can just learn how to make a MsgBox in VBS, plenty of tutorials on youtube for that
Yeah I don't know how to get this script to work
This channel is for assistance with academy modules
has anyone used another method than using their script
use guided mode it will help you
forums had a script to get it to work, that took way longer than needed I feel
There's also official documentation on oracle regarding install
guess I didn't dig enough I only found it on the forums and geeksforgeeks
are all the free boxes not good for OSCP?
someone told me the free ones don't prepare you whatsoever
bullshit or legit?
all the free ones isn't enough material, imo
Any hints or guidance on “find through spl searches against all data the two ip addresses of the c2 callback server” for intrusion detection with splunk
so it's totally useless?
dont want to waste my time with anything that's not useful
useless, i wouldnt say that. I think HTB has a ton to offer
im doing academy right now, plan to get my cpts and then oscp right after
but i paid for silver annual plan from the beginning, idk how limited the free version of academy is
find logs indicative of C2 communication, e.g., confirmed malicious files that originate from an unrecognized IP, communication over non-standard ports, etc.
free boxes are just active boxes, new one gets added every week
if you can do the insane active boxes, you're probably ready 
im speaking from my own perspective as a beginner lol
Found some funky Chinese stuff
i know im not ready, i just finished pivoting and port forwarding
I mean there are 20 active boxes at any time so, if you can do those you're ready
whether you want to get vip sub to prep for oscp, that's up to you
ok someone said doing the free ones is useless because they aren't like what's on OSCP
I guess that's just a load of shit though
thanks
cant say, i dont have the oscp. I went for CPTS because, imo its more challenging from what ive gathered. I believe if I can get CPTS then OSCP should be cake.
free htb boxes or htb academy? different things
boxes
this is academy chat.. i was speaking on academy.
C2 servers follow a regular pattern of call and response
My SPL is not finding it but I found 10.0.0.228:8080 doing something
I.e. every n seconds they call back to the c2
Sorry .229
You can likely search splunk resources for detecting a c2 server that uses average times and data like that to help narrow down
do htb academy, best oscp prep 
no one solve this?
All I can find it 10.0.0.172, and 10.0.0.47 that seem odd I can’t find good resources on forums or here to help with a good query
Agreed
Try this video
So I cracked the password hash with hashcat and got the cleartext answer, however it's saying it's wrong (IPMI section). Currently running it through Metasploit to see if I get different results, a little lost
Iirc the answer starts with t
I'd have to pull the page up to say truly
Ye it starts with t
lirc? and dang, what I cracked was completely different, that's interesting
and metasploit crashed lol
IIRC stands for if I recall correctly
Mobile autocapitalizes the first letter
Method: use Metasploit to pull the hash
Use hashcat and proper mode with the wordlist and get answer
I’ve tried this blue coat proxy doesn’t show up anything
Yeah that's the method I used and apparently that's the wrong answer
going to run it again looks like I got a different hash this time?
What's your command syntax? You used mode 7300 yeah?
Yeah mode -m 7300 -a 0
Weird well, try with the new hash and see if that nets the right answer
Yeah still gave me the wrong answer?
Weird
Try restarting the box
I'd get up and sanity check, but the couch is comfy lmao
okay and lol I don't blame you
But looking at the answer I have for that section, at least, ik what it should be
And I doubt it's a weird collision error with the hash
Hey everyone, I have only one section left in the path, the Documentation and Reporting practice lab, but I'm not able to access the RDP. Tried switching VPN, the RDP connection keeps disconnecting. Any solution?
I've got some splunk skills, I can probably help. DM if you need.
Use tcp?
well fuck me sideways even that didn't work I'm going to try to run metasploit again maybe change my wordlist
Tried TCP, it gets stuck.
Try both rockyou and the provided list
rockyou is what I've been using and it cracked it with hashcat but it starts with a j not a t
Will try in the morning when traffic is low.
yeah
Have you tried with the provided Footprinting wordlist?
Cracked it with hashcat as well. Used rockyou and got the t as well
But isn't the hash different since it's salted?
I would need to pull out my notes to check tho.
It shouldn't be salted
if it cracks with a different password isn't the hash straight up different
^
wrong module/section?
I'd say restart the lab and try again
It's not? Then I remember it wrong. Mb
But yea the pass came out with first letter t
Anyone know how to mount the bitlocker file in the password attacks hard lab
I'm stuck at the RDP and SOCKS Tunneling with SocksOverRDP with this error message: "The module SocksOverRDP-Plugin.dll was loaded but the call to DllRegisterServer failed with error code 0x80070005." What am I doing wrong?
Why can’t I talk in the general channel
You can search this chat for mount bitlocker, should come up with something
Did you disable real-time protection?
i swear I'm doing everything you guys did, just getting a different output for some reason. Not running, and Metasploit just crashes when I use rockyou for the pass file
@fathom pendant That's a nice hint. Going to try that. Thank you!
Don't change the pass file
Just let it extract the hash
initially I let it extract, which got me the hash. I didn't change anything, then I used hashcat. Was just thinking if I maybe run the whole thing through Metasploit it will crack the hash that way
I used Metasploit to get that hash. Then used hashcat to crack. Can you provide the whole hashcat command?
sudo hashcat -m 7300 -a 0 ipmi.txt /usr/share/wordlists/rockyou.txt
Btw you don't need to use sudo for hashcat
(That won't change the output, just an fyi)

I just got in the habit of using it good to know
wow that was the issue was running it with sudo
Lmao
holy fuck
ran it without sudo added --show and boom..

It be the simplest things
Gl
spring break would have been perfect to take the exam
Isn't that coming up soon around Easter?
mine already started on monday
Ahh
idk if i can knock out some of my assignments tomorrow i might have enough time
things will be figured out
Hello world
Hi all. Anyone had problems with the skill assessment of the crackmapexec module? I tried multiple times to connect to the internal network with chisel but it didn't work...
iirc it won't tell you that it's connected, it will just be there. Try probing the IP range after you run chisel
HTB Academy - Web Attacks / Bypassing Encoded References
While trying to complete this module, when I try to download a file and intercept it in Burp Suite, I can't find it anywhere. Do you guys know what might be the issue?
Clicking on the file at the spawned IP performs the download, but Burp Suite doesn't catch it so I can't see the POST request
i tried but all my commands act as if the pivot is not working
Finally completed the path. Thanks @fathom pendant @next bronze @soft cedar for all the support. Will be starting exam on 21st.
nice 🎉 good luck!
hmm is your proxychains conf correct? and restart the target. didn't run into issues when I did the module
Trusted Domain will solve this issue?
got it. Looks like it only works with socks5, not 4. Thanks for the help 🙂
hello there, I'm a bit stuck in linux privesc, more specifically the lab for logrotate. I found the log file that the student user has write access to and I tried executing the logrotten exploit on that access.log, but it is stuck at "Waiting for rotating". Does someone know if I'm missing something?
Can someone help me with configuring the /etc/hosts file for advanced XSS and CSRF exploitation? It keeps going to https instead of http when trying to go to the websites.
That's not an /etc/hosts issue, that's your browser "upgrading" the request, you don't put the protocol in the hosts file
You can try manually specifying http://<domain>
Yes I do it keeps on doing it
Then Google "disable upgrade to https <insert browser name here>"
Ok thanks, I'm trying it now. Should I put the port in the /etc/hosts file though?
No
In the case where there's a non-standard port you'd still specify the port via
http://<domain>:port/
Hey, you passed CPTS, right? What boxes did you solve after completing the CPTS path? Any cheatsheets for HTB boxes?
Module: Password Attacks, Section: Pass the Hash, Last question on finding C:\julio\flag.txt, I got a reverse shell as inlanefreight\julio, however my hostname is MS01 instead of DC01. Could anyone point out any error in understanding?
Check if you can use dir, iirc it's not C:\, it's formatted as \\DC01\Julio\flag.txt in the question

Now I'm getting "we're having trouble finding that site"
Make sure you don't have spelling errors
i use dir \DC01\julio but nothing was printed
how do i do it sry
hello guys, i need help
Module: Password Attacks
Section: Remote Password Attacks - Network Service (RDP)
my problem -> I found the RDP credentials but can't connect; when I try to connect
it shows this message (connecting to sesman ip, sending login info to session manager, please wait, login failed for display)
I did season 3 but imo doing boxes wouldn't help with the exams, the most important thing is to be familiar with the course materials. As for cheatsheets, make your own when you're going through the course, the process will help you remember things better
Anyone did this question in the ids/idp Skills Assessment - Suricata module? There is a file named pipekatposhc2.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to WMI execution. Add yet another content keyword right after the msg part of the rule with sid 2024233 within the local.rules file so that an alert is triggered and enter the specified payload as your answer. Answer format: C____e.
I'm kind of lost on how I'm supposed to know what to add
```
here's your code block
```
look for any unique traits that constitute wmi execution
python Invoke-WMIExec -Target 172.16.1.5 -Domain inlanefreight.htb -Username julio -Hash {hash} -Command {payload}
I ain't reading all that
I tried -Target DC01, but no connection was made at the attacker machine, hence no rev shell
In short, i just want to check if the -Target is correct
It's been a minute since I've done this. I just remember lightly following the examples and it just working
Btw, you're meant to have a reverse connection to the Windows box, not your attack machine
you can check if the target is the DC, do a nslookup or probe with cme
As the windows box is the one with the connection to the dc
yup i understand this part
can I dm you
sure
I got it I was because I was putting www
for the reverse shell i am receiving, the hostname is MS01, instead of DC01
does it mean i am just connecting back to myself on the windows box haha
Ye, www is a subdomain
seems like it
ok dang it
Thanks for your help
Sometimes the ps thing is buggy
And shows ms01, but you can connect to the dc01 share
the thing is when i type dir \dc01\julio, nothing was printed out
😐
Each service has a unique user: so if it's a previous user that got the rdp creds, it's wrong
stuck on skills assessment web proxy: Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
i set up the payload and added rules of ||encoding to BASE64+ASCII HEX||
but i don't know what to really fuzz
the whole cookie?
add a character and fuzz it?
Ok I have figured my mistake. First off, the ip i was connecting for revshell was the public ip: 10.129.x.x when i should be using the private ip: 172.16.1.5 (since MS01 and DC01 are in the same subnet). After I changed the ip for revshell payload, I managed to get the rev shell on the windows box, and GOT THE FLAG. Rookie mistake that cost me 2 hours oh wells.
10.129.x.x isn't a public IP
It's still a private IP, specifically the tun0 IP that's used to allow your device (via the VPN) to connect to it
Basically, yeah
ok but does the reason still stand, by the fact that the IP address used should be in the same subnet as DC01?
Correct
is it because MS01 simply just cannot communicate to the tun0 as it is outside of its subnet
MS01 is the initial windows box
DC01 however
Is on a separate subnet to the tun0
oh i see thanks
Alright I've been stuck on Q8 of AD Enumeration & Attacks - Skills Assessment Part II for two days and just cannot figure out what else I can pull from SQL01 box to get admin access to MS01. Can someone give a hint? I've secretsdumped, I've tried everything I can think of dumping in Mimikatz, and nothing is of value to move forward. I've tried passing the local admin hash extracted around the network and nothing is matching up. I've run Inveigh from SQL01 as admin, Inveigh from MS01 as low level user, nada. This CT user ID'd by bloodhound is a total ghost.
Hello, for module 147 section 1320 I don't know if I'm on the right way. I enumerate the service but that doesn't work with user kira and the password provided
I try hydra smb://ip -l Kira -P password.list and it doesn't work
I've got an error: does not support smbv1
you have system level over sql01 ?
yes. Psexec.py'd into it.
did you think about attacking SAM?
I have the SAM dumped.
you should have the admin hash then to log in to ms01
Can't crack any of the users or pass the NT
well if PtH didn't work for RDP, try various remote access methods
how about evil-winrm, did you try it?
Let me try again...CME kept coming back saying no good but I've done this so many times I'm not sure
just to make sure I'm on same page, does MS01 and SQL01 share the same local admin account creds?
nope
you gonna find another hash if i remember well
or maybe yes i really forgot
yes i guess they do share the same local admin creds
yeah because passing the local admin hash of SQL01 to MS01 is failing.
ok.
also I tried connecting on SSH but nothing
lowercase
also it doesn't provide the password
it provides a password that can be mutated
(which this password is in the grander mut_passwords.list from the password mutation section)
I did CPTS module a while back, and I'm now trying to find a certain exercise, maybe someone could quickly remind me where to find it? It was basically about vulnerable web page form fields, and the vulnerable ones needed to be identified by setting up a web server on the attacker host, and different message to each of the victim host web page form fields, to identify which one calls the attacker host. What module was it again?...
aaah but it doesn't say you need to mutate the password 😦
because that would be too direct
it's meant to nudge you in the right direction and engage your brain in critical thinking
mhhhhhhhhhhhm yep You're right
Thank you, that looks familiar
Sekurlsa logonpasswords, you’ll get a user that can login there
CT doesn’t come into play yet
That’s for later questions
Can someone help me with some code that seems not to be working in the Introduction to Bash Scripting?
anyone can help? I am stuck on the OS command injection skill assessment, I found the vulnerable parameter in the GET request, now what should I do??? any hint
I got stuck in Attacking Common Services - SQL section. How do I find the mssqlsvc password?
I tried logging in using the provided creds to the SQL server, found two tables fl*** and hma***, both are unable to access.
Tried crackmapexec using pws.list for "mssqlsvc", didn't work
tried logging in with the provided creds on SMTP, didn't work.
Please provide me hints on how to crack the first question pls!
have you tried to steal the hash?
SMTP has 0 to do with SQL
Oh Okay I'll try it out ❤️
include the module, section and what exactly you need help with
@next bronze anyone can help? I am stuck on the OS command injection skill assessment, I found the vulnerable parameter in the GET request and used ls and p'w'd but it is not showing output on screen
how do you know you have the right injection parameter if you try injecting and it doesn't work
alright, did you obfuscate it?
HTB Staff if you're watching please fix the CME VM so the commands you provide work on it
yes, p'w'd like payloads I used but not getting a response on screen
did you enumerate like the module says, going each character 1 by 1 to see what's stopping it?
yes
did you try obfuscating another way?
i found it and when i use it the response is directory not found or flag.txt permission denied
sounds like you're looking in the wrong spot then
if you get a response saying directory not found it sounds like it's executing the command successfully, but it can't find the dir
can i paste the payload here so i can show you what i am doing???
maybe DM it to me
ok...thank you for pointing me back to this. logonpasswords is always my first command for mimikatz...I had wrongly copied down the kerberos password thinking it was the cleartext password and didn't try the hash. Bingo.

I'm struggling connecting to WS001 in the PKI-ESC1 section of Windows Attacks and Defenses. They don't give an IP address for WS001, only an IP for Kali. I have tried connecting using WS001 as hostname and using the IP address given in the "Overview and Lab Environment" section. If I try to start a target machine that is WS001 under a diff section my Kali target machine disconnects. Any suggestions on what I'm doing wrong?
WS001 is on a different internal network
you pivot to it/attack it from the Kali Machine
they are independent exercises; therefore different environments
"Connect to the Kali host first, then RDP to WS001 as 'bob:Slavi123' and practice the techniques shown in this section. What is the flag value located at \dc1\c$\scripts?"
yes; it's telling you the chain of events to do: Connect to Kali, from Kali RDP to WS001 with the given creds
Yea I get that, they don't give an IP address for WS001 and connecting by hostname isn't working. I tried the IP address from the module overview section. If I try to spawn a WS001 host from a diff section my Kali instance disconnects
What is max streak on htb academy for now?
I cant even ping WS001
I'm trying to do the Linux Fundamentals, but I can't connect to inlanefreight.com with curl in their pwnbox. Anyone else with this issue?
curl: (28) failed to connect to www.inlanefreight.com port 443 after 12936 ms: couldn't connect to server
are you sure? using the ip provided in overview works
It seems that https://academy.hackthebox.com/module/143/section/1422 ACTIVE DIRECTORY ENUMERATION & ATTACKS Internal Password Spraying - from Windows the RDP credentials are broken. I have tried <MACHINE_NAME>\htb-student, INLANE-FREIGHT.local\htb-student, and INLANE-FREIGHT.local\htb-student
I can't upload screenshots for some reason
I believe it's 16
ok I just pinged it yes It may have just taken a long time to load idk
it works ty
how are you connecting to it, if you're using xfreerdp, there's no need to specify the domain
lol
rdesktop
thanks I'll do that
the creds work, just tested
with or without a domain?
I use xfreerdp, there's no need to specify a domain
hello guys, i need help
Module: Password Attacks
Section: Remote Password Attacks - Password Mutations
tried all the brute force with the customizations I learned but it doesn't work. I lost 2 hours in this module 😦
this is referencing a password ive forgotten.. was it like LoveYou or something ?
nvm got lucky and found the mutated file i used to get it and recracked it
@vestal crescent i am stuck at os command injection
Error while moving: mv: cannot stat '/var/www/html/files/605311066.txt': No such file or directory
mv: cannot stat 'cat': No such file or directory
mv: cannot stat '{/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin}home/flag.txt': No such file or directory
do i look like i know what im doing brother
If u haven't figured it out, then i got the password for u
And I also think you had to submit it earlier in the module
i have a tiny question guys
so basically if I wanna do a port scan, why am I going to get back an ICMP request??
I thought ICMP requests and responses are for host discovery (ping sweep)!
because by default nmap scans if a host is up using an ICMP echo request
@fathom pendant each time the host is up there will be an ICMP echo request/response ?
you can DM me
got to say all of the modules on the cbbh are solid but the SESSION SECURITY one is hella confusing
if you're still stuck, can dm me
no; it generally only sends the one echo request at the start
@fathom pendant thanks alot 🙂
I'm stuck on the first question in the Log Injection topic in the HTTP ATTACKS module, can anyone give a clue?
In module 231, Modern Web Exploitation Techniques, in the second order attacks section, could someone write the script to filter the files with IDOR (whitebox)?
@echo forge Hello, I solved that question, thank you. I passed the HTTP Attacks module. But I got stuck in the first question. Maybe I didn't understand it or I couldn't do it, can you help me, I need a hint.
Question: Try to use what you learned in this section to obtain RCE via log poisoning and submit the flag. You can access the log at /log.php
Anyone got a tip of what to do? I'm in the section: ICMP Tunneling with SOCKS. And I've followed the steps in the section and I just get this error when trying to execute ptunnel.
looks like you don't have the required dependencies installed
Yeah, but it doesnt make any sense
It's literally the first step in the guide and it doesn't mention that I have to do anything on the target other than transfer the repo and then run the mentioned command
I'm doing WINDOWS PRIVILEGE ESCALATION - Windows Privilege Escalation Skills Assessment - Part I and I did the first question and got to mess with the website ping a lil. I'm just not sure where to go to get the ldapadmin password or anything else, if someone can push me in the right way that would be much appreciated
Anyone have any issues using the ptunnel-ng binary from Release SeLinux update, pcap improvment · utoni/ptunnel-ng · GitHub? I’m currently on the ‘Pivoting, Tunneling, and Port Forwarding’ Module, section ’ ICMP Tunneling with SOCKS’. I’m able to compile the binary per instructions on my attack host(kali). I can execute the binary on my attack ...
Def not the only one with the issue. Mby its a box issue?
Question: with vim being +eip, why can I do things like read a file like /etc/shadow with it, but any shells I spawn with it are always under the same lower privilege? I would think the shell would have the same privileges as the vim, no?
try downloading an older version
the shared library needed is missing
Of ptunnel?
yeah
I'll give it a shot.
although libcrypto.so should be included in the standard ssl libraries 
could be the path is wrong
they're running an elf
Has anyone solved the first question of the HTTP ATTACKS module?
hey, slightly offtopic but I have the gold annual, where do i get my exam voucher? and the lab exercise guidance?
Has anyone finished module 231 modern web exploitation techniques?
dac_override can overwrite files but not read them, no?
The box is outdated as I can understand on other people in forums. Don't know what to do.
im able to vim /etc/shadow w/o any issue so it def can read
Tyy, but jesus so freaking annoying to do this for a simple tunnel xd
what is making you use ubuntu i thought all the attack boxes were parrotos
so you're ssh'd into an ubuntu box?
tfw i'm likely missing something super obvious about this https://academy.hackthebox.com/module/143/section/1509 Q3 i have the answers to 1 & 2 but like every auth method i've tried said "No lol"
Yup
like i've tried using Enter-PSSession, evil-winrm
i'm this close to a mental breakdown lmao
does CME work? cme would be easiest probably, just use the -x command execution
libcrypto.so is not limited to ubuntu lmao
i know xre0us
does it work if you cat directly through vim without doing /bin/sh first?
i never said it was
negative
I don't think the box being outdated matters since ptunnel also hasn't been updated in a while
any thoughts on my dillema? lol i'm about @ my wits end with this xD
you have the admin pass that works on the DC? is that right? just use CME to read the file
yeah lemme test it
username should be DOMAIN/Administrator yeah?
i think it's just the username
i swear
unless you're on a multi-domain environment? in which case domain1\user domain2\user

oh you meant this
Waiting for him to flip out
ye
you have admin hash?
according to the module, he should have the cleartext password
you said you had the answer for #2. #3 says use the password you got from #2 to read the flag....
so you say you completed #2 but also don't have the password which was required to complete #2?
Has anyone solved the first question of the HTTP attacks module?
right.. they have the password for domain admin lol
so what's the problem, go get that flag

i got it, thanks though
i got the password
crackmapexec smb 10.10.10.10 -u Administrator -p l33t -x 'type C:\flag.txt'
Hi, I didn't easily find this in pinned messages and just need some help: what is the "one-to-one lab exercise tutoring through Discord"? I have a gold annual subscription, and added Discord to my user profile. Is there a channel that's supposed to appear for specific labs?
what's the command that you used

try with psexec
the one I have works, v1.41
Hmm, interesting. Thanks for the insight. I'll note that down. I opt'ed to using the Pwnbox
Works there
My best guess is then that vim doesn't execute the command in a way that keeps the capabilities. The GTFOBins version for vim with capabilities relies on vim being compiled with Python support, because running Python through vim would drop the capabilities otherwise
how does that make a difference? isn't the problem you ran into with the target?
Has anyone solved the first question of the HTTP attacks module? I am stuck on the Log Poisoning question
Yes, the target was the issue. I did the exact same thing on Pwnbox, and it worked there but not on my own Kali.
yeah you said you were ssh'd into the ubuntu box and doing it there
you built it in pwnbox?
Yup
but you were running the program on the ubuntu box, not locally on your kali box
oh my god i was overcomplicating it bc of the fucking dumbass bloodhound thing
lol did you use cme?
no
Okay, hold up. I'm getting confused. I followed the exact same thing as demonstrated in the module.
https://academy.hackthebox.com/module/158/section/1438
ah yeah that's the problem, your vm probably has a later version of the C libraries than the target, if it's dynamically linked and the target doesn't have it it won't work
Yeah, I think you're right.
that makes sense
you'll run into this from time to time, either statically link it or have a few vms with older glibc for compiling
https://academy.hackthebox.com/module/153/section/1458
I'm in session Security Skill Assessment and i don't get how to find the second flag
- 1 Go through the PCAP file residing in the admin's public profile and identify the flag. Answer format: FLAG{string}
I've pressed the flag2 pcap file and caught it with Wireshark but no flag
can i get a hint pretty please?
Aight, I'll make a couple of "older" ones just in case. Thanks for the support!
you can just grab the older ubuntu servers
just to sanity check; I'm not meant to use the pw on Administrator@inlanefreight.local, and that was just a wild goose chase?
yeah just use the user and pass from q1 and 2
fucking christ; the section leading up to it made it seem like i had to do all that
... Anyone know the origin of these attacks?
no
-It's a history lesson.
it be like that sometimes 
it wouldn't be the first time
still no idea m8
Oh come now
We have very little data on what you're referring to my guy
Bloodhound was ex military, shared between the US and Russia. Their dissident brethren became PowerShell Empire.
Still 0 idea what you're comin n here to yap about
ok?
Oh- let me spell it out, it's NOT a history lesson. Because there is no official connection between American and Ukrainian spec-ops teams. It's a myth. A legend retold by script kiddies on Discord.
Easier that way. Right?
I'll have some of what you're on
still 0 fucking clue what made you yap
not really illiterate just fucking confused my dude
idk who said what or anything re: US and Ukrainian Spec Ops
That's not a CnC module? I haven't done the bloodhound one like 6 times> good, ok good.
CnC?
like you're losing me here buddy
this channel is referring to htb academy modules
you mean C2?
: same shit
never really seen C2 put as CnC
my computer in the 90s was faster than some of these machines. It just took over a minute to load notepad sheesh
either way: no the module I'm working on isn't a C2 module
idt any academy modules really refer to using a C2
except potentially in passing
or in the case of the defensive modules: identifying one
Active Directory, god that is kindof sad
that is really sad, yes there use to be a 'C2' mr fancy pants
i don't understand.
bloodhound used to be a C2, but it was malware 'in the wild', now national security put a happy frilly powder blue dog collar on my shit. - used to lead you straight to PowerShell Empire. and right into the dirt.
my brother in christ
i'm talking about htb academy learning modules
not whatever the hell you're yappin about
It's because Anony-moose doesn't want you hacking Russian banks without their trade-marked Guy Faux max.
I'm also- unfortunately for you: talking about HTB
HOW? LMAO no idea how any of this is linked
Doesn't matter
because there's a bloodhound module in htb academy, duh....
Like I'm trying to find the logic links
You're right I'm rambling
but they're stretched so thin not even a spider could walk on them
Has anyone here seen practical application of FHE (Fully Homomorphic Encryption) : of course without Sec Clearance?
I'll wait.
you can ask in #general
Sick
he can't type there
well that's the point really
^not gonna do that
see?
then get ignored or eventually have a mod/admin to tell you to stay on-topic
there's plenty of actually relevant channels to yap and ask questions in
but you need to follow some level of basic instructions first to be able to access them
'yap' the truth is the truth
yeah I'll have some of what you're on 
🍓
there is no such thing as hacking. it's all memes
wtf did i just come back to
skill issues ig
bloodhound has never been a c2, there is literally no c2 functionality associated with it whatsoever
do you even know what a c2 is 😂
I just completed the whitelist filter section of file uploads. I did it with the first method double extension but I am having trouble understanding the concept of character injection. In the section it said that these characters when stored they make the file from shell.php%0a.jpg to shell.php . so what I did was use the list of command injections provided in the section and appended to the shell.${working php ext}.jpg -> shell.${working php ext}${char injection list}.jpg and then used intruder on it. Then I tried to run commands with the url shell.${working php} all returned 404.
anyone around for some help? I am way stuck https://academy.hackthebox.com/module/112/section/1079 I have found a user and pw and then found a file with what looks like creds, but I can't figure out how to log into mssql to use it or to smb to use it
So you have A user
You found an important file that contains some credentials for a higher privileged account.
After many attempts you realize alex can't login to mssql which is on desktop.
Maybe a higher privileged account can login? But you need to run the client as that account
So you either run it as that user or you login as that user with the password you found!
You gonna smash your head against a wall once you find the solution
youre absolutely right i am
i have been trying to get to smb with the important files user, it won't let me in
I havent tried logging in via smb with that creds but i would see it being disabled for that user
hmm, I guess I am confused what service i should be trying to log in maybe rpc?
There are two options. I personally went and saw what other users are reachable via the network tab from alex machine and tried my luck there or you ||run as somethinz || mssql
ok, I am going to go keep banging my head against the wall and see if anything else shakes loose
Look
You found your credentials. The password is correct. But the username is not ||"sa"||
im lost in the the web proxies qst 3
skills assessment ,
idk how i should fuzz in burpsuite the cookie to get the last md5 char
tried to ||encode back to ASCII HEX and BASE64||
but i think im fuzzing something isnt supposed to fuzz
I'm in WEB SERVICE & API ATTACKS
SoapAction Spoofing question I'm curling the target and getting a Failed to connect error am i doing something wrong? or are the targets not working?
make sure you're on the vpn, double check the IP/port
I do not need the vpn if i'm using the htb VM no?
nvm got it
am I still suppose to use the vpn? i never used it till now
if you're using the pwn box, it will be connected to the network and you won't need the vpn
so double check the addresses
often the site tells you how, but you need to look at the actual results yourself based on the enumeration to see what the question is asking
so the site is just an example ip most likely, try it yourself in a real environment and find the answer
https://academy.hackthebox.com/module/160/section/1482
It's pretty straightforward i just need to curl the website
and find the wsdl page but the server is not responding
ok, show the command you used and show the IP address of the VM
smb is not important here btw
I am hardcore riding the struggle bus on this one
as shown at the section
curl http://<TARGET IP>:3002/wsdl?wsdl
FUCK
nope, show the IP of the VM you spawned for the questions
it was the port
and you still need to use the IP of the VM, not the one in the example in the module training
alright cool
the creds you found are ||sa:[password]||
yep
also for future reference: to avoid any issues with us reading your errors: make sure to wrap your command in backticks ` so it formats it like https://example.com so you don't get messed up with discord's formatting
to be fair the question does not specify a port
Exploit the SOAPAction spoofing vulnerability and submit the architecture of the web server as your answer. Answer options (without quotation marks): "x86_64", "x86"
i had to assume that from the example
thats dumb
powerful windows account
||sa refers to systemadministrator i think so basically you may try to run the mysql as administrator and provide the creds||
i thought it was mssql not mysql and i also can't figure out how to connect
a web server can be run on any port that it's configured for
so the question is still accurate
i forgot what it was tbh but the sql management studio you have is where i ran my sql commands to learn them lol
Yea he meant mssql
you can only connect to the mssql server internally
from the target host
that's what I thought
again powerful windows account
this CME module is almost impossible to complete
ok, let me keep at it then. Thanks for the help
what is the most powerful local windows account you can think of
administrator
bingo
let's not confuse the poor boy
he's already struggling hard enough with most of the answer already handed to him
Just finished this...what a nightmare...misleading to say the least, but ok.
?
Any help? Plis
Misleading on HTB's end. "Version"
technically speaking, it's the version output of the scan
It says to try all the methods, the methods provided are Command Injection, Command Substitution, Command Chaining, Environment Variables, and Shell Functions. Did you try each method?
imo as long as you read the engagement and be mindful of UDP ports, it's far easier than the medium
good to know. About to find out
on nmap module the time is increasing gradually I'm using the following command
nmap 10.129.238.171 -p- -sV -Pn -n --stats-every=5s -v --disable-arp-ping
Anyone able to assist with predictable reset token Question 1?
-sT, and -T4
Oh perfect, but how am I supposed to submit the time like do I do a live calculation everytime I do a request?
yeah you'll need to convert to epoch time from the timestamp given by the website
default stealth scan is the culprit and threading? Thanks.
hello i don't understand how to find the flag i'm connected with the hash David but I can't reach the shared network //DC01
do i need to create a shared directory?
maybe try c:\shares, find the directory it's being shared from
and if you don't have permissions to access the shared folder you'll need to get those
that's not what the prompt is saying
i find a way i exploit this
the prompt is telling you; that the shell that you have (through smbexec) can't CD
dir C:\shares should list it
You know where the flag is you dont necessarily need to cd to the its directory
that's how it should work, isn't it?
The DC is going to be sharing from one folder. If you're on the DC on HTB, generally that folder is C:\Shares, which means the file you're looking for would be under C:\Shares\david. You'd only really use \dc01\shares\david\ if you weren't on the DC
then find the folder it's being shared from
and if you look in your search bar in Explorer, why does it say MS01 if you're on DC01?
look in "This PC" not the network
oooooowhh okok sorry
if you're on a computer as david, and david has access to the DC share, try typing \dc01\share\ in explorer and see if it goes there
\\dc01\shares
i guess discord deletes the first slash
my brain is overheating lol
network shares and how to navigate to those shares is going to be very important
That command you invoked appears to be querying the domain controller.
run hostname on this machine
yepp but no access because i'm on MS
well that answers why you couldn't find it on c:\shares
Review your notes, or if you're not taking notes I would suggest making some notes it helps commit things to memory. Plus there's just way too much stuff to know about to operate without notes imo.
I think theres a way
I'm trying to connect but nothing
okok thanks 😉
depends on how the share is setup, generally shares are made to be accessed from other computers lol
lol good luck i tried to help only gets harder from here @marsh echo you'll make it out in one piece
technically i should know this im taking the same test too but my brain right now is stuck on file upload attacks
yesss persistence and be brave I've got it in me lol
you're highly overcomplicating it
weren't you just auth as david? or you were misunderstanding who you were auth as
the issue wasn't that you couldn't access it bc you were on MS01; each of the shares in the scenario is designed to be accessed by their relative user
You successfully authenticated here, you see that?
if i'm authenticated with david i just wanted to test if i could connect directly on the DC01 machine but i understood that it's a file share
yes which is all you need
to get David's file
the fileshare, that shares the file that you're looking for
in cmd or powershell type whoami to confirm
i don't even think I used RDP for this
looks like you don't have permissions
I agree with you
use something else with your smbexec command
in your cmd, just for fun, what if you type "type \\dc01\shares\david\flag.txt" ?
but if i'm david and i don't have access to share it means there's a problem
it wouldn't be under shares
well wherever it is
also wrap it in backticks so discord doesn't keep flubbing it on you
yeah lol i noticed that..
\\like this
annoying
discord uses markdown
and \ is used to escape
so i can do `lol` and not have it do the markdown thing
The important thing is that the command got executed
i know it's probably overkill but what if he just uploads a remote shell.
and conversely \lol\
easiest way is going to be using crackmapexec tbh
but the module wants to reinforce what it taught
you know insert a powershell command that connects back to ms01
that and re-reading how the section wants you to do things
¯\_(ツ)_/¯
i recall the section being fairly detailed on things you can do
or use the uhh...
uh.... PS_remotesession thing
if the user has those permissions
because the type \dc01 thing got executed successfully
ah then that's def a no go
unless he did his enum right idk
ill stick to my original plan of theft just steal the file some how
access denied lol
imo reading the section will be more detailed
(I think) your original approach of using pth with Invokethehash was correct not this, david does not have access to remote into the machine directly.
i've never seen HTB setup their share folder structure like that, with the user just at the root of the share
i think the idea is to fool dc01 into thinking you're signing in with NTLM directly instead of rdp
okok i'm back on invokethehash
web info gathering module vhost section any ide?
I edited my statement
read the section and perform the steps as outlined
that's really all I can say on it
yes dear i did this
the loop gets you a filter to use for ffuf
that is a great observation
mm
/etc/hosts is the file used
i try ffuf tool so many times got error every time
but is not entirely required for this
also the section details creating the vhosts file that you'd use for the fuzzing
it also provides another wordlist to use via SecLists
oh you mean should i add given vhost with target ip
if you read the section, you'll see how they want you to do it
this is honestly a case of "read the instructions"
because it's fairly clear
ok
took me like 2 seconds to find the relevant info on the page you're working on
For the module Documentation & Reporting, the optional question suggests we can submit our report to be evaluated. I have two questions: firstly, the question asks about the inlanefreight.local domain, should the report cover the scenario given in that module that our 'other tester' has started or should it cover the inlanefreight.local scenario from the Attacking Enterprise Networks module (presumably they aren't the same). Second question, what is the process for submitting such a report?
Am a noob hacker
hey again got error what about seclist story
can you explain it
the path they give might not be the same in your machine
then you might need to download the SecLists wordlist
you can search for it and use git clone to copy the repository
ok
can you suggest specific one
i know what exact wordlist
xposting here, minor feedback on CBBH DNS section #cwes message
firewall IDS/IPS evasion module they are using a different source IP for scan does that source IP have to be alive to scan at the first place or is it just a dummy IP?
hey see this command but i cannot see any thing
ffuf -w /usr/share/seclists/Discovery/DNS/namelist.txt -u http://10.129.251.107 -H “HOST: FUZZ.inlanefreight.htb” -fs 10918
my my host did not get from ffuf
?
module says use this
well you're getting errors, we can't help with just 'it doesn't work' we need to see the command you're typing and the full error
you can see at the bottom it says "error", you should expand that and look there for your answer
even if its not cutoff you should show the command used to ffuf
also is the victim box on?
pls send it last 2 messages
yah try that also
again same error
what error though, all i see is 'error' try debug or more verbosity if you don't see it
also you still never showed the command
basic stuff here, getting an error, look at the error message. double check your command.
this is my command
nope
i want to see the command, never trust users lol
people always say that then they show something else
try looking at the command the module teaches
mm
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612
yah i use that also
ok well if you can't provide the info i can't help
yes i can
I have a question about python library hijacking
nano /etc/hosts
no i mean how i edit
host phase
fuzz.randomtarget.com instead what
it should replace with my vhost
what does the module say?
i try this command with these edits
ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.249.109 -H "HOST: www.inlanefreight.htb" -fs 10918
same error any help?
module says use ffuf
As I said, I gave you the exact command to use, I linked you the github page that gives exact directions on what command to use, pointed you to the module you're on which will provide the answer, and I asked you to show a screenshot of the command you input as well as making your VM bigger to see the error it's telling you, or enable verbosity/debugging if you're able to see more details about the errors. I can't help you when you refuse to give me that information.
found it i got reply from target
good job
some words respond with 200 status
let me guess it was the wrong command
no i miss the fuzz before vhost
so.. wrong command
why
because you misinput the command
yeh bro thanks i try to find flags
struggle with curl command now .
why all curl command give same output
do not care about vhosts words give same output
idk, i never did that module, does it say to use curl in the module somewhere? i bet the command is on that page
yah it also there but given same output as target ip
whatever vhost
find out and done that section thanks @fathom pendant @cloud urchin
can someone help me with the last question of "Using Crackmapexec" module?
i haven't completed the module but you should just post your question
Hello how to transfer my cookies.sqlite on my linux machine? please?
scp not available
smb share is my go-to
Try base64 method
I cant find the a way to the Domain Controller i need a little clue
How should I follow the modules if I'm a beginner? Should I take a path like Pentester or complete all tier 0 modules first and then take the path or something like that?
Follow the paths. As a beginner, the Information Security Foundations path is probably the best place to start
hum..
@acoustic owl Are you referring to Basic Toolset?
@acoustic owl Ok! Will get back to you after finishing it.
hello, im working on the pivoting module SocksOverRDP section when i try to load the socksoverrdp.dll using the command "regsvr32.exe SocksOverRDP-Plugin.dll" i get the module socksoverrdp.dll failed to load
can someone help im in FILE UPLOAD ATTACKS blacklist filters and when i upload a php4 webshell it shows the src of the script i tried using other extensions but it either shows the src or it wont let me upload at all
For AD Enumeration & Attacks - Skills Assessment Part I, am I expected to find webshell on the external facing site ? I found pdf file but there's no webshell at all on the uploads folder.
ayo wtf when i just found out the the file .dll isn't uploaded but when i upload it it last for few seconds and disappears for no reason why is that ?
fixed it
almost like there's some sort of protection working in real-time
just turn off real time protection
:D you figured it out as i was typing it LMAO
and add the folder to exceptions
There's a handful of different extensions, make sure you try them all
yeah i found it on the forums and did my job
i consider it a mini-lesson that no Defender =/= no protection
https://academy.hackthebox.com/module/144/section/1257.
regarding this section of the info gathering module. Do I need to provide my own wordlists? Cause I used a few from the internet and I managed to get 2 flags but the 3rd one seems rough. Is there a standard wordlist that should be used?
It's there
there's a wordlist referenced in the section
I have looked at each upload folders. Only images and and pdf can be found.
So basically I should manage to finish the section relying on this wordlist only?
yes: the loop can get you a good idea of what the default response size is - and ffuf can be used (and is faster) to filter out default response sizes from a given wordlist
all the info for this section is provided in it
(you can then further drill down and do another curl loop to enumerate the correct hosts)
you can also do it manually, but that's not fun
Found it
it's a small list of hosts
found it
What do you mean each? The notes at the start of the assessment state /uploads and you only have 1 ip
I solved it with another wordlist online. Apparently the one given in the sections is only enough to get you 1 flag
with this list
i don't recall having issues ¯\_(ツ)_/¯
When did you do the module?
to be clear i'm referring to this wordlist /opt/useful/SecLists/Discovery/DNS/namelist.txt
not the ./vhosts list they have you make
I am using my own machine that's why
im on the last step from the SocksOverRDP section and for some reason rdp isn't working i've checked for the 1080 port and its open and i've set the performance to modem i've also added the username jason and it still doesn't connect
either way; it's the referenced SecLists repository
yeh who needs to read references? I'd rather waste 4 hours like an idiot navigating through subdomains with wrong wordlists
I love myself
Let's spin it to be a learning experience
It really was
you learned that there is a repository with a bunch of wordlists
and you learned more about vHosts that you didn't otherwise think about
Did you do the bug bounty certification?
that's what's app
btw seclist is preinstalled on kali already you don't need to get it from github
i solved it you have 2 rdp from the second machine .5.19 not from the 10.129
Hey I need help
My college provided some CTF challenges for students and I am struggling with a few questions can someone help
1: since it sounds like an active ctf, no
2: this wouldn't be the right channel anyway
ask your colleagues and fellow students
If you have a question about 1 particular concepts I will be glad to help. But I won't look at the challenge.
I use Arch as the linux distro of choice
Thanks mate, they gave us a Saleae Logic capture file and asked to decode it and no one knows how to do it. I checked some tutorials but it doesn't work, you have any clue how to do it?
Its for the students to learn and cybersecurity isn't even our major
it's still not the right channel my dude
I downloaded saleae logic analyzer but it can't decode the file
this channel is regarding htb academy content
Ok, I didn't know that my bad
you can potentially ask in #1024429874246590575 or provide more details in a channel like #web or something: (you'll need to link your HTB Labs account following instructions in #welcome to gain access to more of the server
ah Saleae is a hardware analysis tool
hello guys, i found the website page that says "you dont have access" im in the ffuf module skill assessment
but the answer doesnt seem to be correct
its says to submit full page url
the format should be : ||http://xxxx.academy.htb:[port]/path/to/page|| right?
nvm they wanted to put word PORT not the port number lol
check the hint, you need to use htb:PORT
he's saying
forgot there was hint there sorry i should've checked before asking here
yes thats what worked haha
im stuck in file upload attacks Whitelist Filters after scanning with intruder i manually checked all the files but i always got the file not found error
someone plz help ive been stuck for 2 hours
should i be able to find with hydra the right password for the user i found?
module: attack common services, Attacking Email Services
yes
any tip for the right password list...? my search goes way too long....
hydra -L usersfound.txt -P /opt/useful/SecLists/Passwords/xato-net-10-million-passwords-1000000.txt -f -t 4 smtp://10.129.203.12
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-03-16 12:50:30
[INFO] several providers have implemented cracking protection, check with a small wordlist first - and stay legal!
[DATA] max 4 tasks per 1 server, overall 4 tasks, 1000000 login tries (l:1/p:1000000), ~250000 tries per task
[DATA] attacking smtp://10.129.203.12:25/
[STATUS] 522.00 tries/min, 522 tries in 00:01h, 999478 to do in 31:55h, 4 active
[STATUS] 526.00 tries/min, 1578 tries in 00:03h, 998422 to do in 31:39h, 4 active
[STATUS] 544.57 tries/min, 3812 tries in 00:07h, 996188 to do in 30:30h, 4 active
[STATUS] 537.40 tries/min, 8061 tries in 00:15h, 991939 to do in 30:46h, 4 active
[STATUS] 534.61 tries/min, 16573 tries in 00:31h, 983427 to do in 30:40h, 4 active
[STATUS] 540.26 tries/min, 25392 tries in 00:47h, 974608 to do in 30:04h, 4 active
[STATUS] 541.59 tries/min, 34120 tries in 01:03h, 965880 to do in 29:44h, 4 active
perhaps the one provided by the module?
aaah. thanks. haven't seen that
also there should only be ONE found user
if you found more: your syntax was wrong
found only one...but with a seclist 😉
yes it matched
try adding some other extensions to that example script list, there is a clue at the end right before the exercise
Exercise: Try to add more PHP extensions to the above script to generate more filename permutations, then fuzz the upload functionality with the generated wordlist to see which of the generated file names can be uploaded, and which may execute PHP code after being uploaded.
no match with the provided list
Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.
just did this yesterday; use the account info from questions 1 and 2 to authenticate
literally overthought it because the damn bloodhound part of this section
https://academy.hackthebox.com/module/160/section/1500
cant do the question on this module i've followed the steps and nothing
i uploaded backdoor.php on to the server created a file called web_shell.py with the provided script edited it with the ip and when i try to execute commands $id i get no output
Help please🙏
ive already done that
hello peps
hope everyones doing great
I'm on session Hijacking lesson, XSS module of bbh course, have trouble getting callback to my php server (sudo php -S 0.0.0.0:80 or :8080)
if I try to call my server from browser I get response
if I try to ping from my cli to VMs IP its not possible
and I cant get a callback when I send request with browser
It seems php server never listens
but when I go searching videos and stuff people just do the request and BAM php server listens that door whatever it is (8080, 80, 4444 etc)
What am I doing wrong?
or what do I have misconfigured
Why can't I get a callback on CLI php server?
What is your xss payload? and what is the output of 'ss -antlp' after you start your server?
my payload is <script src="http://target_sistem_IP/username"></script>
I do this to all fields but a bit different in each, I change username to fullname etc so I can figure out where the vuln is
I’m stuck on “vulnerabilities” module. I’ve connected to ssh target . How do I perform a Nessus scan from ssh?
and then I configure a file called index.php
then I start php server or ncat
but never get a callback but If I enable foxyproxy I get info that door opened and close
I'll dm you if its fine, so we don'T spam this channel
fine for me
Just a question out of curiosity, does the windows machine feel laggy when you rdp into it from pwnbox
because i felt that its like that in most of the cases, where scrolling up and down in the powershell/cmd takes eternity
TCP vpn stops that mostly .
but i am using the in-browser pwnbox, not the pwnbox set up using my vm
Will anyone help me with the Nessus scan in vulnerability module. I’ve re read all forward pages once again I’m not seeing anything on how to continue. I’ve ssh to target can see Nessus running now how to aces browser to do it?
tcp won't help with latency, try to pick a server closest to you ig
but that's just how rdp is
ohh so rdp will just make everything slower because of the high latency?
not exactly, latency is more obvious with rdp since it has to stream the gui
it also takes a lot more data
With my setup if I use udp it is so unstable my terminal freezes. TCP allows me to do the most
Has nobody done Nessus over ssh? Nobody is answering
I have re read all beginning pages not understanding what to do once connected to target how do I open the browser over ssh. Terminal tells me it’s read only won’t let me access folders
ya i guess so, thanks!
https://academy.hackthebox.com/module/143/section/1487
i cant rdp here ive tried a lot of flags for xfreerdp still not working im using the command below
xfreerdp /v:10.129.121.194 /u:'htb-student' /p:'Academy_student_AD!' /dynamic-resolution /d:INLANEFREIGHT.LOCAL /cert-ignore
Can I ask someone about Predictable reset token, regarding question 2: Request a reset token for htbuser and find the encoding algorithm, then request a reset token for htbadmin to force a password change and forge a valid temp password to login. What is the flag?
I understand how the reset token for htbuser is encoded, so I can encode a password for htbadmin, but I don't understand how I should find the valid pw
- You don't need to specify domain
- Your system doesn't know how to resolve inlanefreight.local
xfreerdp /v:10.129.121.194 /u:'htb-student' /p:'Academy_student_AD!' /cert-ignore still the same with this command
What exactly happens when you do it?
xfreerdp /v:10.129.121.194 /u:'htb-student' /p:'Academy_student_AD!' /cert-ignore
[12:18:15:697] [419273:419274] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[12:18:15:714] [419273:419273] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
its my first time encountering this a lot of rdp sessions are going through after i add /cert-ignore or /d: flags
Nobody is answering me all morning about Nessus over ssh in the vulnerability module. How to? I've reread all beginning chapters up to this point, connected to target, see Nessus running, cannot access its browser to scan
im on lfi but when i do http://94.237.62.195:32857/index.php?language=../../../usr/share/flags/flag.txt#
The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web. if i try anything else that doesnt work it loads but if its a proper file it just breaks
Local File Inclusion (LFI)
did you try to rdp
Hi everyone, need help with ADCS Attack skill assessment last question. So far this is what I am doing since the attack vector I believe is ESC7. || https://paste.offsec.com/?3a73d47c6a4d0665#td4HISgLvJiuUbEUCVOSpjqbAgt4Vx8D/pVUbgVtadU= || Any hint will be greatly appreciated it.
read the Getting Started with Nessus section, it tells you how to connect
Nessus uses https hth
And yes I tried rdp it simply says cannot connect to rdp server
I have re read that section, it tells you to go to your browser localhost:8834 . This is supposed to be set up on the pwnbox target and IS running already on that machine
replace localhost with the targetip
i'll take my $20 consultancy fee now
RDP is wholly unnecessary for that section
yeah
Thank you
https://academy.hackthebox.com/module/23/section/251 http://94.237.62.195:50495/index.php?language=/etc/passwd can people do that or does it connection broke for them too?
It worked
it didn't tell you to use localhost
is it just me or is it server
you came to the wrong neighbourhood, this isn't offsec 
enumerate exactly which template is vulnerable, and remember that there's 2 types of esc7
Thanks
Module: Password Attacks, Section: Pass the Ticket from Linux. Question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio. For this question, I have managed to access the //dc01/C$ and cd into julio and found a flag.txt rather than a julio.txt
am i missing something
in a kerberos realm how do I find Which group can connect to a machine called LINUX01?
Anyone did the AEN module blind? can you please tell me the section that is not covered by the previous modules so i can avoid thinking "this might be the one that isn't covered" everytime i will be stuck on a problem thanks!
cause some people say that there is one section specifically in AEN that is not covered by the previous modules
WINDOWS ATTACKS & DEFENSE : PKI - ESC1
seems like i can not RDP to the ws001 host after connecting to the kali host. I have waited 15mins for everything to come up and also changed VPNs and terminated hosts and started them again.
rdp using the ip given at the start of the lab
that sort of defeat the purpose doesn't it? it's not necessary to progress and it's less obvious than the intended path
i only see one IP for the kali host... 😕
it's in the lab overview section
yep it is! haha sorry, coming back to this after a week off forgot about the list of servers in the overview
So I did the Skills Assessment for Pivoting, Tunneling, and Port Forwarding. Is the last question intended to be|| found via explorer without any pivoting? ||
you did it in an unintended way
yep i just realised and i have solved it
Is there anyone who finished TE.TE section in the HTTP Attacks module?
I tried all the obfuscation methods but still no luck
**Module: Password Attacks, Section: Pass the Ticket from Linux. Question: Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).** I have managed to get the ccache file for linux01: ccache_INLANEFREIGHT.HTB, and i converted to a kirbi file using Impacket-TicketConverter. Afterwards, I used Rubeus to import the converted ticket, however i ran into this error: [X] Error 1450 running LsaLookupAuthenticationPackage (ProtocalStatus): Insufficient system resources exist to complete the requested service. Can anyone explain to me this error or perhaps is there a problem with my way of approaching this question?
Send me a DM
if it's ptt from linux, you should use the ccache file to authenticate directly, instead of importing into windows
thank you for the clear headed perspective, i think i was being too tunnel vision, finally solved it
im doing the skill assessment in the pivoting module is it normal to get this message while doing nmap scan via proxychains "[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.X:995 <--socket error or timeout!"
also whenever i scan an independent port such as 3389 i always get the result as closed
Tried and tried the "hbs" support thing
but screwed up the cookies somehow and I had to give up. You cant edit these in my developer tools
so you set it wrong once and you're fucked
i'm always blocked on https://academy.hackthebox.com/module/147/section/1638 i really don't know what to do i've tried everything
the user might not have wmi access, try another tool
try adding -Pn
same result
nmap and proxychains don't generally go well together, at least for port scanning
anyone can help i am stuck at os command injection skill assessment i find the right parameter but when i try to inject payload the error returns mv can not state : no such file or directory
Has anyone successfully completed the Hard skill assessment on ABUSING HTTP MISCONFIGURATIONS?
i powered off the machine and the attackbox and tried again somehow it worked with the exact steps
can anyone help i am still here Error while moving: mv: cannot stat '/var/www/html/files/2561732172.txt': No such file or directory
mv: cannot stat 'cat': No such file or directory
mv: cannot stat 'flag.txt': No such file or directory on os command injection
for footprinting module's mysql section, the instructions for question 2 give away password and username to sha2 encrypted password that you get from nmap results in question 1. is that because I'm not expected to crack password?
thank you for coming to my ted talk