#modules
You don't get any password from nmap?
Like you're not going to get anything like that from nmap I mean
an encrypted one and then it gives password away in next question
it gives sha2 salt
??
its like a super easy question. I guess this is not password cracking module?
It's not
And again you don't get any sort of encrypted password
I think you're misinterpreting the output
Also the creds it gives you are related to another section you've already done
You're given creds to connect to the service with, just use those to enumerate what's required
Literally just don't overthink it
Save the overthinking for attacking common services
that's just general advice overall: don't overthink, if the module didn't make reference to - or go over how to do it, it's likely not what you're looking for
ya I have issues with overthinking things generally tbh
the exceptions might be in some later modules where you're meant to crack a pw after obtaining the hash (but those are fairly obvious, as the Question will clearly state, what's the cleartext password for x)
ok got it
but the later modules are later in the CPTS queue due to the fact they expect you to have a base level understanding of the stuff before it
Attacking Common Services can be seen as the Sequel to footprinting, as you footprint the available service, then attack it using various methods
ah I see ok thanks
I.E. how are you meant to even know how to look for certain services
or do basic enumeration and recon
well that's a fairly clear explanation
I would say, for your case, as you're learning these techniques - turn them into a checklist of sorts
ok
ya checklist could be good to organize my thinking
on another note I'm still learning but I want to be able to help other people on this server to give back to community but I don't feel I know enough. is there another way I can give back? or should I just try to do my best to help people here?
I.E. a basic checklist for finding a vulnerable service
- Are services that allow Null Sessions/Anonymous login available?
- Is Anonymous/Null Login enabled?
- Check other services for potentially revealing info
ok
i.e. some people might label their running server with their username
ok got it
username's FTP server
ya I can see how that could be a problem
then that lowers exponentially the time it takes to bruteforce
ya
instead of an x by y list, it's a 1 by x list
no I totally get the example you're giving
also something I always encourage for local stuff; check the user directory (/home/ or C:\Users\)
give yourself an idea of the other local accounts on the system to trim from username lists
MarcieLee i can mp you pls ?
help i need a little bone in the linux privesc module the kernel exploit exercise, i already used all the exploits that appear in searchsploit for that kernel version but no luck T.T
Hey Marcie, yesterday you said to pay attention to udp ports, but I am not seeing any open
should be, on the hard lab, might need a less aggressive scan time though - UDP can be tricky
(i'm also assuming you're doing -sU to scan UDP)
nmap -sU -T4 -F <target>
do you know what -F does?
I don’t think i scanned for udp ports on lab hard of footprinting tho
Just do normal scan ig
it helps
i don't believe the one port shows up on tcp
well, two minutes from the UDP scan finishing anyways
do you guys know about a note taking app called obsidian at all? I just started using it
I prefer using notion
But a lot of ppl seems to love obsidian as their note taking app
I like the way it links and shows things in relationship
we will see as I keep using it
I really don’t remember, i checked my note to see if i mentioned smth about that but doesn’t seem the case
problem with notion is that you don't own the data, and it gets slow if you have a lot of stuff
Tcp shows like imaps and pop3s. So i had to scan udp to realize i need to go take a walk
Yes i noticed notion getting slower after taking a lot of notes there , probably gonna switch to obsidian then
Its just i got too comfortable with notion now

I see, so the udp scan was a must in that lab
Yea. Not sure maybe you found about it via another scan?
I really like it so far
Maybe 
im walking but not getting anywhere
You cant walk without a community
lol, i tried walking into the community but it wasn't there
You sure? I hope you didn't miss it like i did and thought that's just a normal response. Wasted an hour because i was legally blind
I am sure that's whats wrong lol. I should have my license revoked
Did you try to get a walk? But you dont have a community string yet?
yes
not sure how to enumerate the string
There is a tool. Reread the module
thanks
they tell you how in one of the sections but I had trouble finding it too at first. Look very carefully at each tool mentioned in module. Should be last three headers discussed in section
so three subsections one for each tool. then think carefully about what your doing
i found it, but I don't have the wordlist they are referring to
so I guess I will just use one of the ones i have
you can download wordlist
and you may already have it. its hard to find on your machine
but if you don't want to look you can download
can you assist? i know what it is, just not where or how to get it
just google the name of the wordlist and look for a github to download. I actually think its on the machine already but kind of you gotta know where to look
but if you can't find it just google to download
there's a github for it I am pretty sure
/usr/share/seclists/Discovery/SNMP/snmp.txt
I think when I found it on Parrot in pwnbox it was in usr share
but if its your local machine just download it you will be fine
I had issues finding it too
You can locate snmp.txt
working
not sure if locate is installed by default on kali
That's true as well. I don't remember either
pretty sure it is
Yes
TIL, so used to installing it
Alternatively:
find / -name "snmp.txt" -type f 2>/dev/null
I guess you could add -exec cp {} . \; as well
For easier usage.
Mobile discord doesn't like \ but it should be in the -exec as well.
so i have walked into the community but it doesn't tell me much about the HTB user. Not sure what I am looking for
If you walked with the correct string there should have been a username and password
Im pretty sure there is only one community string
Not serious: the answer is always 42. You're looking for the question.
hmm. i need to get back up then
i am seeing a failed password change for a user, but not the HTB pass
is it okay to find the answer using google?
What answer
dude this password mutation section is terrible
True
like im reading here and on forums
Not only that section , the whole module
the hints are all over "use force, dont use force, use these threads, "
i was stuck in a module banging my head and after a google search of how to do it I tried the command and it worked and found flag so is it considered cheating or not?
I cant wait to get to this module
I mean its not you can just note it and keep going ,but i doubt you need to search for commands outside what really in the materials
im literally twiddling my thumbs waiting for a success
do i have the syntax right here? am i missing something? snmpwalk -v2c -c <community> <target>
yes
yes exactly
Lmao i read this one where i attacked ftp instead of ssh lmao
Since bruteforcing ftp is faster than ssh
Struggling with the VHosts enumeration with ffuf. I went to the first url in my browser and I can access the flag, but if I use curl it gives a 400 error for the same url.
I am confusion
that's what i found out. but it literally says attack SSH
Yeah if you attacked ssh you gonna wait for eternity there
ftp is already taking forever
Real
Did you add the vhosts to /etc/hosts file?
BREH
I did
Did you specify port in curl?
You do. Check the whole output
just tried that and got a 400
I read through the output several times now. It only seems to mention a failed user password change
Lemme try that im opening my computer in 10min and i will see if it really doesnt work
i hate this
Lemme check the answer so i can give you a hint
Can you paste the output in here?
└─$ curl -s http://10.129.66.163:80 -H "Host: http://inlanefreight.htb/"
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.41 (Ubuntu) Server at localhost Port 80</address>
</body></html>
".sh
It takes about 1-2mins. The dictionary you use is bit arbitrary.
Yea its there
what are you using for it to take 1-2 mins
There is a name and password in there
I am dumb then. I don't see any mention of HTB
yeo i see it too
ive timed out on t 48 3 times
Don't remember but it's a mutation of the password list provided or fasttrack.txt
The file is talking about a user tom that got changed. The HTB user is deeper into the lab
Then don't use t 48
ah, this is just a step on the way
im using the mutation lol its 94k pw's
it needs to be the mutated list, but that looks like a connection problem, reset your vpn or switch server
you can remove the first 14k entries
There's a way to cut down on the number of lines. I honestly don't remember but the clues are in the module. The shitty thing about the module is the dictionary randomly changes without any indication or reason.
that's not how you use curl, you're confusing it with the ffuf syntax, you should curl the vhost that you discovered directly as the url
it doesn't? the mutated list is used throughout
ok I need a sanity check here because this is off the cheatsheet on the module
That’s what i was about to say
What module is that ? I got different cheatsheet lol
I mean your syntax is wrong regardless, there shouldn't be http in the header. and once you've added to the hosts file there's no need to do that anymore
Special Treatment
use it directly in the url or with curl or browser
if i remember the password start with b
Do a mutation of the provided list.
or it was for other question
ive done a mutation ive had it time out 3 times
I'm not home so can't check.
that's a connection problem, nothing to do with the wordlist
Honestly, try using pwnbox.
If it's a match, then you know it's a connection problem.
Do the mutation.
Run the command.
Try without -t
If it's a connection problem going fast only makes it worse.
so now that I have this users creds, i can't ssh or telnet in because i don't have the public key. Not sure where I should focus now
enumeration friend
check your connection
- the password starts with B, reduce your wordlist so it contains only passwords that start with B and run hydra again
should save you some time
am i looking for a dove?
I found the users ssh private key and was able to ssh in
can anyone help me get around this? trying to install odat.py
i tried apt install python3-cx_Oracle and still giving me an error
still cant find how to sort to letter b only reduced it down to 0-c on pwnbox which is 8255
grep -E '^B'
oh
well thank you sir
Just finished the footprinting labs. Thank you everyone who has helped me for the help and the patience with me. I feel like I have learned so much about how to think doing this and thanks to everyone here.
do them 3 more times blind in 1 week
scemmer
I am Noob Here can you suggest me where I need to start in the hack the box
I’m stuck in footprinting section “connect to the mssql instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server”
getting started
Yes
no thats where u start
kinda just skipped over the whole getting started module lol
But what I need to do ..
you need to get started!
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
or your brain
Hahahah
I think the command for that is mssql <ip>
mssql user@ip
does anyone really use mssql these days? I thought everyone ditched nosql and stuck with oracle/mysql/postgres
its somewhat in use for older systems
I run the command, the thing is to list the non-default database present on the server
mutate the list
its been mutated and dwindled down to only B passwords
FROM WHAT I READ on forums. its one of these unless they changed it since december 2023
i know which one it is it's in there
so why isnt PWNBOX picking it up
ive seen people have this issue before both on their own machines and on pwnbox. idk why this happens the last guy this happened to quit htb
if you look at your error, it says 5 targets did not resolve or could not be connected, which indicates it has nothing to do with your list but instead some kind of network problem. i'd double check your IP addresses and the command.
yep, and your command has the wrong ip.
anyone who said it didn't happen to them is lying
i think i was c/p-ing commands as frustration, but really wondering why it wouldnt work earlier on my vm. thanks for the help sorry for the annoyance and frustration
god you are in for quite an infuriating journey my friend.
may the lord of the whales be with you always.
if this was this annoying i can only imagine
its only level 3 of pain you haven't gotten to lvl 20 yet 😄
I think I'm gonna stop using pwnbox and start using my kali vm
i hated the pwnbox and only use my kali vm
it's not that bad
I actually do love the convenience, it's just that I'm paying $18 a month for it.
i dont remember if on a free acc you can extend the time for targets
with your kali vm, it will always be set the way you want it with your tools where you want them and how you are used to your environment
Any ideas why the AD environment in Documentation & Reporting Practice lab seems to have f'ed up LDAP?
None of the tools that I usually use work there. Am I doing something wrong and not recognizing something about the environment or is it just not there?
I m leaning towards the other since AD Webservices aren't set up there either.
Also interestingly enough, the provided report says that ASMITH is AS-REP roastable, however the .zipped bloodhound output from the same report conflicts with that: it doesn't, it's DHAWKINS that's roastable. Doesn't change the fact that either LDAP is not there or I'm too tired to notice my mistake
bro you might wanna change that name
Just server rules shrug
you do you. ||not minimodding just a friendly reminder||
ngl kinda takes you outta the immersion. Shame the lab isn't... properly constructed (?)
Thanks
is it a different subnet 
got it done thanks for the help
for anyone who wants to install volatility 2.6.1 on their own parrot os vm but can't because trying to install python2.7 is a pain, try this: https://github.com/volatilityfoundation/volatility/issues/768
I create this issue to inform the community that a version of Volatility 2.x compatible with Python3.6+ is available here : https://github.com/koromodako/volatility It is not Volatility3 obviously ...
I ran it inside the domain
I also tried proxying impacket through a pivot
so no, it was the right subnet
heck, the "DC" even has DNS on it's 53
and?
same result lol
what's the error
connection error
I m using a dynamic SOCKS proxy with chisel
me - SOCKS -> pivot -> domain
did you try resetting the lab
I don't wanna sound like a dick but I wouldn't be here if I wasn't absolutely sure something is wrong
yes I did
if you did then it's probably not the labs problem
you're getting a connection error, read the error and follow it
no one else ran into it from what I've seen
Is it okay if I explain my "attack path" since it's documented in the mock half-finished report anyway?
Come on dude you seem like you just might be able to either help me or prove I'm right
hm, what user did you run this as*
doesn't matter, any domain user can kerberoast
explains the local part since I was running Rubeus under NT / Service
I must have messed up the proxy
i'm deobfuscating your picture and cracking your hashes right now
but cme works fine through it
well yeah, that can't be used as a domain account
only SYSTEM/local admin can be used to get similar rights as a domain user
Can anyone give me a nudge on the web attacks skill assessment? I feel like I've gotten through the difficult part and elevated privileges, but now I've tried every XXE payload that the modules covered and nothing seems to be working
anybody in IPS/IDS evasion hard lab?
the... DC... seems to be down in my lab... but other hosts are fine...
I solved the issue then... thanks Xre0uS
I need help with the skills assessment for the file upload attacks module I am stuck because I'm not sure how to get upload.php to come out as base64 when uploading. I've tried:
-altering the html
-inserting a fake jpg
-inserting a real jpg with a php filter
-uploading a jpg but in the request adding an XXE payload to read upload.php
if anyone has any hints i'd appreciate it
oap I just got it, looks like there was a typo on my payload
EVASION NMAP HARD LAB:
can anybody point out what's wrong with this command?
nmap <TARGET_IP> -p- -sV -Pn -n --disable-arp-ping --source-port 53 -v
Getting banned before getting full port scan done
I have tried other evading techniques as well to no avail.
I already got the flag (which is of no use if I didn't get it myself) by searching around the web for what the higher port number was, but I wanted to find that port number by myself as well. That's the issue: I'm not getting halfway through the full port scan.
Hello hackers i need some help
I need help
In my Kali Linux home directory there is a folder which is empty and if i remove it, it appears again at the same position on every reboot
Module: Password Attacks, Section: Protected Files, Question: Use the cracked password of the user kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer. I have been trying to use hydra to crack the password of user Kira, either using rockyou.txt, password.list (given in resources) or mut_password.list. Am I off the intended path by a huge difference, or i just need to let hydra run longer?
kira not Kira, lowercase k
yep i used lowercase haha
are you missing the password or the ssh key password?
I am missing the password to Kira
mutate loveyou and bruteforce with the list, I think it was mentioned in a hint of an earlier section
Why does ssh2john.py not work haha. The error: Traceback (most recent call last):
File "/usr/share/john/ssh2john.py", line 193, in <module>
read_private_key(filename)
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
what note tool is that!
obsidian
ty! looks very clean compared to my cherrytree xd

Assuming you're running nmap as an unprivileged user? If you sudo your nmap you'll be able to do a TCP SYN scan vs only doing a TCP connect scan which is lighting your scan up.
use python2/2.7
I managed to run using python2.7, could i ask is it because base64.decodestring is deprecated for other versions of python?
Yes since 3.9

i just installed sqlplus, ran it successfully once but needed to close terminal. now im getting this error when trying to run it
any help?
./sqlplus assuming it's in your current directory?
ahhhhhh brain fart its so late here, thanks man!
no I was running it with root privileges also tried -sS by the way and IDS/IPS picks it up pretty quick.
Hello everyone, I'm stuck at the "Attacking SQL Databases" module. I cracked the first question and got the password for the mssqlsvc user. But when i'm trying to connect to the database with this user i have this error : ERROR(WIN-02\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication. I tried both authentication methods (Mixed and Windows authentication mode) but I always have the same error. Did I miss something here?
It seems that no module involves Redis...
is anyone else not able to download the vpn file for each exercise?
you just need to download the file one time, and use the same file to connect to vpn each time you need to
Hey guys, I'm on part 2 of the active directory enum attack assessment. Question 9 at the minute. I have hash for the Admin account on MS01 and am trying to get an admin shell on it (I think)
The only idea I have now that I think of it is another shot with mimikatz
Hey man how to transfer a file between my windows server and my linux attack machine? I have a cookie.sqlite -> linux plz
On which machine is the file now? To which machine would you like to send it?
it is located on windows (cookies.sqli) and I have to send it to my linux machine (I have already tried scp it does not work port 22 is closed)
Found a way forward 🎉
Do you know about the thing where you right click a folder and go into properties and set up a shared folder over smb
I think 
smb server is going to be the easiest to xfer from windows to linux imo
have you tried setting up a simple.server with python on your linux machine?
then you can upload your file using powershell
or you can setup a smb server as well with python "python3 smbserver.py -smb2support"
you need to set it up on your host machine (I assume it's your linux machine?)
then on the windows machine you need to use powershell to upload it on your linux host
you're at winPE, you should be very familiar with various file transfer methods by now, I suggest revisiting the file transfer module
Need help with ADVANCED SQL INJECTIONS - Skills Assessment - Last flag, trying to do RCE. I'm currently at the moment when the py script launches the CREATE FUNCTION command, but it doesn't work and I can't figure out the reason. I used SELECT lo_put instead of INSERT to upload shellcode to large objects as INSERT didn't work as well.
5 days no result. Has anyone managed to get the last flag? 🙂
I'm stuck in the CL.TE section of the HTTP ATTACK module. I cannot run the CL.TE headers that it gives as an example and it gives an error.
@amber ore Dude, I can't help you, I'm behind, but can you help me?
What kind of error are you getting?
Yes. On which flag are you?
Try to use what you learned in this section to exploit request smuggling to force the admin user to reveal the flag.@amber ore
@acoustic owl I'm trying to create request inconsistency between reverse proxy and web server but I can't do it, both requests go smoothly
I cannot detect the presence of CL.TE.
Did you set up a chunk size?
@amber ore You need to create a ||PostgreSQL extension || and then upload it to the server using the script from the module
@azure fog first request
POST / HTTP/1.1
Host: 94.237.54.170:42716
Content-Length: 13
Content-Type: chunked
0
HELLO
second request
GET / HTTP/1.1
Host: 94.237.54.170:42716
someone know how to resolve this problem? on the pwnbox the command line works but on my virtual machine it doesn't work :/
Probably you are just too late with those requests, if you are on the first CL.TE section, you don't have to create 2 tabs in burp, try to send your first request 2 times in a row
@azure fog the logic you said is correct I sent the request but I got 200 get in both requests
I also used GET method
This is exactly what I'm trying to achieve. But the script doesn't work at the stage of 'CREATE FUNCTION'. I understand it because I put select pg_sleep(6) to freeze for 6 seconds each request and also see it in wireshark, CREATE FUNCTION - doesn't freeze. I feel like there are no rights for CREATE FUNCTION for the user, I tried to give rights but it doesn't work
@azure fog Dude, I tried get and post requests but no result
I just completed skills assessment one in attacking common applications, can I PM someone as my route to the flag seems strange, just wanted to see what other people did
I am facing problem connecting VPN using OpenVPN in windows and as well as in kali
how do i troubleshoot
Send me a DM
redownload and switch from tcp to udp or vice versa
also reduce complexity etc, are you running any other vpns on your host that would be interfering, e.g. vpn in vm & vpn on host
^^
No I am not running any other VPN
redownload and switch from tcp to udp or vice versa
AD Enum & Attacks complete. 🥲
Send me a DM
is this the hardest of the modules?
now you can get back to your pace since the next few modules are far more easier
not the hardest, but probably the longest and you gonna learn so much stuff, you need time and good notes to digest all the information
I haven't done them all yet but it was a big step up for me. I can't say that I did it off my own back as I needed a lot of hints. But I feel like I started to map out AD somewhat now.
i see ... I'm going to shit I'm sure lol
Thank God for that. I need a few chill modules now 
There's just so much new stuff. And then when you have to chain it together its easy to get lost. A good time to build a system and deffo take good notes
i really had the same feeling when completed AD haha
when you say set up a system, do you mean install an ad with services on a virtual machine? and practice on it?
Hello
I was only doing a bit each day so it seemed like it dragged on for weeks
I just mean that you can't just wade in and start throwing attacks at AD. You sorta have to form a process where you know what privs each user you capture has and what they can dump and stuff. It gets quite spaghetti like at times. You need to be organised. I use cherrytree so I can nest my notes and stay on top of things
i can't really use cherrytree i'd have to learn how to use it i use notion for my notes but thanks a lot for the advice I appreciate
Hey man
can you run powershell as admin
(ignore needing admin hash for a moment)
sometimes the provided user they give you for these exercises is an admin
also: i would also advise trying to restore maybe with a directory your user can directly write to rather than at filesystem root
maybe vaguely
but not directly
So should I read learning process module first?
you don't have to
This module is really just a collection of references that may help you in the future
hence: setting up
But does it not have some relation with setting up
ok
don't think too hard about what module relates to what
ok
if they do, they do and it'll be fairly obvious
imo it's mostly a waste of time to ask whether or not two modules relate to each other at this base of a level
hmm
when both of them are just info modules
understood
you wasted time asking the questions rather than just reading through and doing both to make the connections yourself
I was reading btw
- and doing both
I've found a solution for anyone working on a VM to upgrade to a lower version of openssl and ruby.
going to a lower version is called downgrading
also having just reinstalled and upgraded my system: that isn't the full issue
I think to find can you to send a captur in pv ?
as i was able to get evil-winrm to install/work just fine
no i haven't done this module myself
just offering some ideas
thank you I couldn't find the word in english
no problem I have a Hash admin
seriously :0
just remember up is generally higher version down is generally lower :)
ye
thx 🙂
i'd have to double check and spin up a module that has me use win-rm but i had to reinstall anyway because ruby/gems were being stupid overall
I struggled for 2 hours to find the package that pwnbox uses to put it on my VM and get it working.
pwnbox is using a slightly outdated version of parrot anyway
but also it looks like you manually installed evil-winrm
so your situation is different
lol I reinstalled ruby and gem but nothing :/
by manually installed i mean you downloaded the repository and installed it that way
but at least it works now lol
there is the gem install evil-winrm
(though you might need to add sudo at the start)
that way whenever you update your ruby gems (gem update it will also update evil-winrm)
I must to take only nthash?
because it is not okay
that would be the correct hash; by this point in the modules you should be able to identify which parts of the hashes are necessary
This is obviously a rhetorical question, I tested it doesn't work
I'm saying is administrator the right user
I tried both ways firstly with gem install evil-winrm but I'll try to reinstall it with the recent versions, because in fact there was an encryption problem I think openssl takes polus in charge RPC4 that's why I can't reach john david and julio last night with evil-winrm
¯_(ツ)_/¯
I tested too
just to see if you have time you can look on this section if you can reach john here is the command:
remove the hash as it's something you have to dig for
hi im new here can someone recommend module for me to learn?
as that question is optional, i never performed this attack
sry I made a mistake
depends if you are a complete beginner or you already have some experience in the field
you from france?
in programming i have basic but in cyber im new and what is the most cost effective way
no but I mean in general with other users you manage to connect with?
I tested too but it is not okay
yesss lol my english is too bad I'm using a little help from google translation
i assume you managed to get it to work with the other users in this exercise?
in which case the issue wasn't win-rm rather - the hash you were using
yess I succeeded, I just wanted to understand why with the new version of openssl and ruby it works for you and not for me.
a lot recommend the information security foundations module to most ppl who are new to the field as it covers what's you should know to get started
aaahhhhh
you can try after that to enroll in CPTS path imo
can i dm?
but i could be wrong on your issue
yes 🙂
no I tested all the hashes with winrm and it focused what I couldn't do with the new version openssl and ruby but it works with what I've been able to modify
i just check it cost 180 i only have 60 cube
you can get HTB academy for 8.4 EUR/month if you are a student and you get access to all beginner/intermediate modules
Tier 0 modules are free
Anyone else have trouble with the SOC Analyst Elastic path?
I can't seem to get onto any of the boxes to display the webapp, always times out in my browser
Cost 10 but can earn 10 cube
So free..
Really? Where can i access it

Hi do I need to use inetsim in malware analysis to answer this question?
Examine the communication patterns of the malware and provide the domain it interacts with as your answer. Answer format: .._
you need to change the email on your academy account to a student email, and you should be able to access it via the billing page
It turned out i didn't need the inetsim
hi
hello everyone, does anybody know if one of the US regions is on the west coast & if so which one is it?
Is a student account free or does it need payment?
A student email is provided to you by your educational institution i.e [firstinitial][lastname][numbers]@[schoolname].edu
so jdoe42@mit.edu would be an example
the school has to be recognized by HTB (if it's not, you have to submit a support ticket for them to look into and verify the school)
I do have a student account but some websites only offer a discount for learning and not free + special privileges
as the person stated earlier: it's a discounted subscription
$8/month for access to all modules up through and including tier 2
https://academy.hackthebox.com/module/160/section/1500
i cant get this Arbitrary file upload to work on web service & api attacks
I'm 100% sure I'm doing everything right and im getting no output
Is this just broken or what?
so i'd say that's a pretty good deal considering it's (almost) equivalent annual sub is several hundred dollars
is there any appropriate channel to ask for some hints on hackthebox academy SOC path? been stuck on a module for days xD
this channel is appropriate to ask for help with #modules regardless of path
each path is a collection of modules
so just ask your question and someone may help
https://academy.hackthebox.com/module/214/section/2285
question 2:
Stuxbot uploaded and executed mimikatz. Provide the process arguments (what is after .\mimikatz.exe, ...) as your answer.
https://academy.hackthebox.com/module/214/section/2287
In the skills assessment there are also 2 questions I have not figured out.
Hunt 2: Create a KQL query to hunt for "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder". Enter the content of the registry.value field in the document that is related to the first registry-based persistence action as your answer.
here the hint said to use event code 13. I filtered it down and thought I had the correct one. When I didn't find it, I tried every registry.value that is under event.code 13 and still no luck
For Hunt 2, notice it wants registry.value and not registry.key. I got this wrong because I was inputting the key. Another hint is find the event with the key in the boot/startup *\CurrentVersion\Run\* and once you find the correct record, look at the registry.value
thanks, that was actually pretty helpful!
found the other one as well, tried the same answer multiple times, not sure why it worked today!
Sometimes copy/pasting can lead to weird extra spaces/whitespace characters
hello everyone, may I ask what apps you use for taking notes? 🙂
Obsidian
how about the others? 🙂
This is what I use; others use cherry tree, notion, one note and whatnot.
It’s all about personal preference.
50% done of CPTS path. All downhill from here...right?!
I dig cherry tree. Cause it just clicks with me. Super easy. Other peoples notes look pretty though in Obsidian
Not really, there are still some pretty stacked modules like Windows privesc and Attacking Common Applications.
I got stuck in the TE.TE section of the HTTP ATTACKS module. I used all the techniques he mentioned, but I got no results. Where do you think I am making a mistake? Sample code:
GET / HTTP/1.1
Host: 94.237.54.170:48475
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9,ru;q=0.8
Connection: close
Content-Length: 10
Transfer-Encoding: chunked
0
HELLO
I keep sending the request for 15 to 20 seconds but I don't get any 405 error. If I find the right payload I will do the same as before and get the flag.
But you should breeze through the web modules
Yeah the web stuff seems easy. I'm a full stack dev so I guess that helps with the Dom and stuff
GGs then.
this was pure fun
Notepad
I'm currently with Cherry but gonna switch to Obsidian in a couple of days
Is Obsidian worth the change then? I just stuck with cherry tree cause it was so obvious how to work out of the box
I use Obsidian and it's very good, but if you find no reason to change then there's no need to
I'm switching over because of the aesthetic as well. Like I want to have good-looking notes and maybe more things explained with text and colors
But yeah, people use what they're most comfortable with
Obsidian has tons of plugins to make things look nice
and even themes
you can even make your own custom theme with CSS
Yea. Cherry is great and all, but it's plain
Yep. I mean I'm using Cherry Tree still but slowly gonna try to move to another.
That’s completely fine, especially if aesthetic is what you want.
crafty is very annoying, is there any way of doing it without minecraft?
I have an AD question. How can I figure out a password, when I already have the domain name, and the username to access it?
there's a ton of ways you can do it, that isn't very specific
well all I have is the IP, the username and the domain, but in order for me to continue with this step I can't figure out how to crack it, I don't have any hint how to do it.
yes, but also spoilers and ask in #boxes
that is very vague, is it a module? give the module name and section pls
Stuck in the HTTP ATTACKS module (TE.TE)
Can anybody help me?
considering the whole attack type: yes
as the box author had told someone "Just do more research"
Detecting attacker behavior with Splunk based on TTP. The question is asking: find through SPL searches against all the data the password utilized during the activity. Enter it as your answer. I don't understand the answer format and what needs to be provided.
Is it just asking what the password is?
seems like it
though likely it's asking you to perform detection based on the information provided to you so far/section
The answers are sensitive just wanted to clarify. This question is written very awkwardly.
some tend to be that way, some of the authors aren't native English speakers so some translations get mixed up
or wording is more EU centric than US
Is it that obvious I’m a yank lol
I’m a yank from the “ayyyy im walkin here !“ region
nah, i'm from the US as well
I'm also just used to UK/EU grammar/wording so it doesn't throw me off as much
Centre
You just get used to it
Figured it out
Module: Password Attacks, Section: Password Attacks Lab - Medium, I am struggling to find the local mysql after logging in as J (for ssh). I have tried to find all database files, but none of them has info on how to get D creds, might need a nudge here
DM
looking around the db afaik was how i moved forward; my notes explicitly state "Navigated SQL to find creds for user d*"
For those that are having trouble with “open the search and reporting application and find through the SPL search as against all the data the password utilize during the PSEXEC activity”. Translation: find that password used in splunk, they have it in there, so do a search and figure it out .
yes i am trying to find the mysql database files that contains the creds, but to no avail
this was the command I used: @skills-medium:/$ for l in $(echo ".sql .db .*db .db*");do echo -e "\nDB File extension: " $l; find / -name "*$l" 2>/dev/null | grep -vE "doc|lib|headers|share|man";done
Used my north easterner explanation hopefully someone will understand me lmao
that's gonna be incorrect
"navigate" being the keyword here; maybe a look at history will show you how to log in
but you really gotta just log in and look around
hmmm I took a look at the bash history for J and got permission denied on the bash history for D
well according to documentation; there should be a server running
think how you would authenticate to a server
it's likely right in front of you and you're looking over it as something simple
yes, I was trying to figure out if I needed to add the target IP to /etc/hosts because the documentation contains a URL to the mysql
it's running locally; not exposed to the outside
you need to access it via the user you have
thanks for this good nudge, successfully accessed the mysql
👍 the rest should be mostly straightforward: just always keep one of the basic questions in mind: "why?"
okie thanks for the heads up!
until it clicked "wait.. why is.."
This makes absolutely no sense to me. 840 isn't even listed on the chart, neither is 113556. I don't understand where these numbers are coming from.
The explanations aren't really helping either.
they are decimal values. once you convert them to hex, it should make sense
I answered the question that referenced this technique, but I have a feeling that this is gonna take some work to fully use
the number can be added together to represent multiple flags
https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/useraccountcontrol-manipulate-account-properties
I sort of figured that out, but if I want, say, "Normal User Account" at 128, how do I specifically choose one that has "Account is disabled"?
128 + 2
So it's just adding? I line it up with the attribute I'm filtering and then add the values to it?
yea so if you want to represent a normal user account who is disabled, you write 128 + 2 = 130
Okay, that simplifies it quite a bit
I have managed to gain root access, but I'm curious why the id_rsa for user D was the key to access user R. Is it based on password reuse?
I was trying to work out all the numbers in the command "userAccountControl: 1.4.8 etc." when it's just the "=130" at the end that matters
Perhaps D* is an admin
can someone explain why it doesn't work? I mutated it and I tried with the mutated passwords but nothing, I do not understand why freerdp is not working
Single quotes around the password
$$ is a variable call to the PID of your current shell
Single quotes tell bash to interpret it as a literal string, instead of a combined string
Whenever you see a special character, just wrap it in single quotes
I.e. !! runs the last thing in your bash history
![n] runs the nth number in history, and ![-n] runs the nth number from the bottom of history
hey I'm trying to use wget -m --no-passive ftp://ceil:qwer1234@[Target IP]:2121 and it says I downloaded files but I see nothing in the created directory
Why not just manually connect with ftp
ftp ip port
Yeah ls is pulling up nothing
wait hold up both of those acronyms are foreign to me
Tfw = that face when
la are flags with ls
That will show all files and list them
tf lol that wasn't in my notes hold up
Ok a little confused still but i'll google that
Hey, anyone know how to connect to the FTP of the target in the Attacking Common Services module, Attacking FTP section? I try to connect to ftp using ftp ip -p 2121 but it isn't connecting
man ls
Don't use -p
Ftp you just specify the port after the ip
Ohk
ok i'm tracking now
sure got me
I have a question: when doing a union in SQL, it does have to be the same columns, yes (or we can find our ways around it), but should the elements we union have the same data type?
Generally, yes
since in the union section both departments and employees have the same columns, but union select * doesn't work until I union only those that have the same data type
thanks !
but they already have the same columns
really pay attention to how sql unions and joins work.
a union is a horizontal addition, adding more columns.
a join is a vertical addition, adding more rows.
so unioning 2 sets gives you more columns to work with.
BUT to reveal specific columns on your target, generally the types must match because php (or whatever) is trying to extract specific data types out of the db, and convert those to a displayable format.
some data types have what's called implicit conversion, which does the dirty work for you. language and db dependent.
after you have your mass of column names, it's up to you to pick which ones to display, with the right types, and the right NUMBER of columns to fill up whatever data structure is on the backend of the php command.
This AD module is never going to end
got it ! i understand now why the union select * didnt work
thanks man
I'm still lost in this question: "Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server." I did everything and listed the databases, but HTB does not accept any answer
you listed the databases?
Yes
what module is it
footprinting
Footprint
Yes
I just finished that section of footprinting if you listed the databases the answer is there just try all of them
or the one that isn't a normal database kind of like the example in the notes
I tried all of them, but Hack The Box does not accept the answer, or maybe I'm doing something wrong
did you use this select name from sys.databases? @upbeat island
Can you show commands?
Htb is in the database, there are like 5 different databases there, 4 of them are default, and one is the needed one
enum_db
no it's mssql
Ah
Is just a module mssql
get a shell with mssqlclient.py
then simply|| select name from sys.databases;||
That's not the name of the correct database?! I don't even see it as being one of the other ones
That's what I said
There's so much stuff open on my enum for the footprinting medium lab I honestly don't know where to begin
You need a hint?
lol yeah, I'm guessing smb since that's relevant to what we just went over, but I'm unsure where that will tie in next
Hey, I hope this is the right channel for this, but I'm having trouble with the Password Attacks Module (Network Services portion: https://academy.hackthebox.com/module/147/section/1327) and was hoping I could get some guidance.
I'm trying to brute force the winrm username/password using the username.list and password.list files but I keep getting no results.
I've tried multiple times with both crackmapexec and netexec but nothing crops up. Is there another tool I could try? Or a different work list other than the ones provided.
I think smb is needed a bit later. But the stuff can be accessed via other stuff later so you dont even need to touch anything in smb
well shit lol
There is another service running that should pique your interest
⛰️ (-ain)
Yes 100% everything is taken from the modules!
. Maybe a hint
oh I get the hint now lol I'm slow
which section was that
NFS
lol
Okay bet
it's connected
use the mutated list
oh wait nvm
not at that part yet
some of the tools might require you to specify -local-auth or -windows-auth (i forget for nxc/cme)
could anyone help me on this :
so zone.identifier might not change, but I dunno where the file is located for analysis
module Intro to Digital Forensics - Rapid Triage Examination & Analysis Tools
you don't get access to the file itself, but you have access to the USN Journal file that you can parse and then investigate with timelineexplorer
its usually called J$
$J
oh so like parse it to .csv
yep
and then investigate with timelineexplorer
I'll look into this. Thank you!
wait, but I am confused
the file the machine gave is MFT-backup.csv, right?
so could use that
the question asks about the USN journal, so I'd go for that tbh. Could be that this information is also in the mft.csv, but it doesn't sound like the intended path
how do you get around the permission for viewing the nfs share in the medium lab footprinting?
How do I get access to FTP in the Attacking Common Services module, Attacking FTP section? I'm clueless here
Anyone with Command Injection Skills Assessment? Not able to find the vector
In the NFS module it's explained somewhere, make sure to read it! It's like this: if you have the user names or uids or guids, you can create them on your system and you can read. For example, if the files can be accessed with root, then just sudo it
https://academy.hackthebox.com/module/160/section/1500
Can I get some help on this module? I'm doing everything according to the module and I'm getting no output from the python script for some reason
I followed it step by step, I feel like something is broken
so it's normal I can't cd to the directory?
cd is a shell builtin. sudo only works with executables.
You could type sudo su and then cd or just sudo ls ./TechSupp
tracking now
run as sudo
https://academy.hackthebox.com/module/160/section/1500
I'm doing everything right on this module, and when I'm trying to get output from the py script this is the result:
nothing
I DONT GET IT
I'm working through the ACL Abuse exercise in the AD module. I'm following along with the exercise and none of the commands they're running work for me. I can't answer the question because of the last one not working, specifically.
have you checked your creds
I followed the module exactly so I'm not even sure what to change. I'm guessing I should switch the default for my login creds for the RDP
Oh, I see. I was supposed to use credentials from like 8 modules previously
make a habit to keep a list of the creds you have
It's still not working unfortunately
then somewhere along the line you fucked up
Most likely
I don't recall having any issues running through this when I ran it; just set the environment variables as expected
following the examples
I've authenticated as the wley user but when I try to change damundsen's password it tells me the "user name or password is incorrect"
anyone that did CBBH, help me out por favor
is that the right password or creds though
does wley have those perms that you need
The exercise says he does, so I'd assume so
I think this module is actually bugged, at least on the Pwnbox
I cant get it to work
all modules have been tested to work with the pwnbox
Well I'm 100% sure I'm doing everything right, and I already encountered stuff that doesn't work well on the Pwnbox and I had to use my own VM so...
I just can't do it on this one because I don't have OpenVPN on it
This part of the module is just copy and paste, it's not even hard, but it's not working
wdym "don't have openvpn" on it
Isnt it preinstalled?
you can install openvpn with a few clicks, or it is preinstalled with many distros
Nope
Will do i guess
Need another hint, if I was able to find smtp credentials but on my nmap scan I don't see port 25 open can I even do anything with that?
or I suppose the credentials might be able to be used for other protocols
smtp is often used with other protocols
also if you're able to find smtp creds: smtp is running
I'm on OpenVAS scanning in the vulnerability module. I use https://target:8080 and get brought to the Greenbone login page. I use username htb-student, pass HTB_@cademy_student! and it says login failed, invalid username or password. Why is this? I am copy-pasting so I know it's right
It says to use these credentials on getting started with openvas page
Anyone
Restart the instance? You double-checked the script? IPs are correct? Ports are correct? No weird white space anywhere?
Alright, I'm at the end of my rope with the Web Attacks skills assessment. I've tried every single XXE payload that was taught in the entire module and nothing works. I'm able to verify the XXE vulnerability is there if I just put in a random entity with some text, but I can't get it to do anything else that I need to get the flag. Can anyone point me in the right direction?
Tried to restart and everything is right 100%
The output is just blank
And how do you know everything is 100% correct?
Look at the module, it's basically copy and paste
can someone explain to me more in depth why we need to create a fake SPN for a targeted Kerberoasting attack
Then if it's 100% you should be able to send a ping back to yourself and capture it through tcpdump
to request a service ticket, the account must have an SPN set
With wireshark?
so in the case of ttimons, he didn't have one?
Attacking Enterprise Networks Active Directory Compromise
if you have to set a spn, probably not
standard accounts usually will not have a spn, only service accounts do
What entity did you try?
Please guys I'm stuck on the introduction question and answer
well, I created backdoor.php with vim instead of with echo > backdoor.php and it worked now
2 hours of my time gone💀 🤣
Can you help me out on the first introduction question
elaborate.
try harder
bakal have you done command injection skill assessment?
So your script wasn't 100% correct?
I've tried using SYSTEM to either base64 encode the flag and retrieve it, and used SYSTEM to try to read the file. I can read /etc/passwd just fine, but if I try to get the flag I'm just having no luck. I have no clue what I'm doing wrong
I'm dead
You're close, did you try b64 /flag.php?
I tried every variation I could think of including that, and I just realized why nothing was working, I wasn't closing the statement with a >, I can't believe I spent hours getting frustrated over a freaking typo smh
Yup I got the flag now lol
Appreciate the assistance it at least made me look at the code closer and figure out what the issue was
What is the name of the first section of this module? If you are using a translation solution while studying, please disable it temporarily to enter the first section's name in English.
Look at the page and paste the name of the first section in the module
tfw I almost get stuck at AD Enum skills assessment 1 then realize other tools exist
Have you not done it yet?
I'm still stuck 🥹🥹🥹🥹
nope
Try Harder.
On the right side of the page there will be a table of contents listing each section
first figure out what a Section is; and they conveniently tell you what it is
QQ regarding the assessment: I should be able to import the AD module yes? (via the import-module cmdlet?)
before I start runnin around figuring shit out
No
Have input the interactive section but it's still saying incorrect
Is that the first section?
That was the most annoying part of the assessment, I spent so long trying to figure out how to import the AD module
you'd think it'd be included
case sensitivity
so that literally knocks powerview off the table, since it uses AD modules
That was my assumption as well
You'd think but you'd be wrong since they aren't installed
It really made me appreciate how useful Powerview is lol
thank you though for the answer so I'm not thinking the lab is busted
it's just my lack of skill that's the issue LMAO re-reading how to do a certain thing [not saying because it's an answer to a question, and I kinda just guessed bc it made sense]
Use your tools they have been training you with
ye
I just wanted to be a lazy fuck LMAO
(i also mostly only used powerview, which imo - was my fault)
I mean I tried too lol
tries to use powerview
sees it uses an AD cmdlet
cry
just don't use powerview
having to get a local shell is cringe
Even after I figured out I couldn't use powerview I kept trying to import the module out of sheer frustration lol
surely this time it works
oh i already have a pivot going and doing it that way
this is the way
ligolo my beloved
I need to redo the ad enum module, used so many tools and looking back at my notes I would do it so differently.
which module / assessment ?
AD enum Assessment 1
ah ok
lmao it also doesn't help some of these sections i did like several DAYS apart from each other
you couldnt use powerview in the AD Assessment??
nope: because the AD module itself doesn't exist so it can't be loaded
idk if this was an oversight or on purpose: but other tools work
I'm guessing it was intentional
Some powerview commands you can use
not the ones that i was using to get the first few answers or at the very least enumerate with
I dont believe it works like that cause I used it
i likely then missed something or my powerview is messed up
both are plausible
That screen shot is the same as mine
depends on how you get a shell sometimes
I've seen some really weird ass stuff on some Windows shells
brother i'm in a full on RDP session on MS01
you can import with
Install-WindowsFeature RSAT-AD-PowerShell
I have been saying for a while how you import the ad module depends on the os
Including the wallpaper 💀 ??
thank you for this gem
Wtf?
oh shit you guys go through the modules before doing the challenges?
Thanks now I really need to go back through that module.
-_- this user should have the D* rights... but yet mimikatz is yelling at me
i swear to fuck
I have a question in AD Enumeration: let's say you did LLMNR poisoning and cracked an NTLM hash. However, when you try the SMB relay with ntlmrelayx, it fails with the found user for which I cracked the hash and got the password. How can I find the SAM hashes? I tried to run secretsdump, crackmapexec, but to no avail..
skill issues
truly
well this would have been useful to know a month ago 
this makes no sense: if you can crack the hash, why do you need to relay? and whether you can dump the reg hives depends on the privileges of the user, the user must be a local/domain admin
figured it out. just did runas with the user and mimikatz directly
idk if that was the full fix but it surely just worked ™️ for me
Is there a tool that looks at the WSDL file and can convert it to an HTTP request ready for Burp Suite?
well I need to find a way to dump out the SAM hashes of other users, and I only have this user to work with, thats the issue
then you need to find another user who has the rights
WSDL Wizard
it's a Burp suite extension
Thanks
you are welcome
hey doing the medium lab and the credentials I'm using for the password for smbclient and enum4linux are not working and I don't think I'm spelling it wrong
I'm getting a bash "!mD: event not found"?
What does that "username" stand for?
Do single ' instead of "
I'm not using quotations at all at least thats not what the help page for smbclient says
ahh nvm got my question via google
Smb try escaping it via backslash?
thats what google said
I'm pretty sure though that you don't need to log in to smb anymore if you found the creds from Important
Tell me what you tried. Were you RDP'd into alex's machine?
so far got alex username and password for smtp and used enum4linux to get more information
After a frustrating end to the web attacks module here I was hoping the next module is a chill one and I see 3 skill assessments 
Oh, the !mb is alex's password? Yeah, then there is a file somewhere, you can find it via smb with alex apparently, or just by enumerating the computer from alex
correct
okay will try that
what do you mean by enumerating the computer specifically, or is that already too big of a hint?
Well since you have creds for alex you can rdp in right!
Then it's just clicking on files and folders till you find something Important
makes sense, makes sense
Hey, is there any way to reset a module's progress?
nope
I swear there's so many things I have to keep downloading into my parrot machine vs my kali 
for those who have finished the yara/sigma module, did you have trouble getting into the lab machine for the splunk part? there are no credentials to RDP into the host with
of course now I can't connect to xfreerdp lol
I'm trying to test ms17_010_eternalblue on the Blue machine, but it fails. I've set the LHOST to my tun0, but it still fails. Not entirely sure if I'm doing something wrong here, or what's happening. Any tips to check?
sometimes you have to use another exploit (i didn't do that module though)
POG i found the fix to OPENSSL digest error
Ah, sorry about that. Thanks @next bronze
https://github.com/NixOS/nixpkgs/issues/255276#issuecomment-1865838291 I edited my /etc/ssl/openssl.conf to uncomment/add these lines
When you use Remmina do you need to put the server or can you just log in with credentials?
I don't know why the server part is confusing me
and I got through that with minimal hints to get it goin
oof
I've used Remmina a bit, and for the server you do need to include the IP as the server
that's what it means by "server"
it means the server hosting the rdp login service
wow I'm all sorts of stupid today
ty
can't rdp to a device without knowing where it is
anyone familiar w/ hashcat?
I need cubes
I lost 9 streaks
I believe we all are, ask your question
I've been cheesing it for a couple of weeks now
found this hash using msf, how do I incorporate hashcat to get the password? I tried this: hashcat -m 7300 ipmi.txt -a 3 ?1?1?1?1?1?1?1?1 -1 ?d?u which was given in the module. but idk how that relates to that hash. do I need to vi edit ipmi.txt and add that hash?
Im gonna cheese it out too, cheese for me == submit 2 flags to a tier3 module every week for 18 weeks, see how that works
yep I've been doing that
that's the incorrect method to crack that hash
fun fact: hitting "mark as complete & next" counts for that streak
whats the correct way to crack that hash? is it through msf?
that mask (?1?1?1?1?1?1?1) is only for specific IPMI devices
which this is not; the hashcat mode is correct
but you just need to use a wordlist instead of a mask
did the module tell you to use a mask? 8 digits with 36^8 combination is gonna take forever
(there's one provided with resources)
it's from the Footprinting module; IPMI - there's a short subsection that details a specific type of IPMI device and using that due to its default being a random string of 8 digits
source: it tripped me up @ first too
ahhh okay okay, let me give it a shot given what you said. thank you guys
ah okay
Can anyone help with this
The one in module would take around 3days and 12 hours on my machine
also love that most of what I had to do in AD enum 1 was covered in the module (except PTH, but that's something i merely had to refer to the notebook for)
@fathom pendant just to be clear that hash i found using msf im going to need to use right?
You need to crack it yea
Hashcat example
With a wordlist
tried hashcat -h | grep -i 'ipmi' ?
I have a question that's somewhat related to one of the modules I'm doing, with command injection of the operating system. Can someone help me?
:< do I need to do something different with the hash I found? I pasted it into ipmi.txt
the mode, why is it 0 now?
isn't that set for md5?
is it md5?
you're cracking an IPMI hash with md5? the mode is 7300 I believe
ohhh let me try for SHA1
the mode is given in the module, or you know, 
yes
i also said earlier that the mode was indeed correct
the method however was not :p
sorry all, I'm just very confused about this tool. I appreciate all your help, first time using it today
you'll learn a fair bit about the tool and use it alongside johntheripper (aka john) in the Password Attacks module
https://hashcat.net/wiki/doku.php?id=example_hashes is very nice to keep on hand as well
if I inject a command into the url like /ip=127.0.0.1%26cat+%2Fflag.txt%26 how can I inject additional commands into the url. Like if I wanted to first change the directory and then use ls to list the contents of that directory?
you can just do ls [dir]
You don't, but "ls /path/to/dir" is a valid command
also I don't think you can actually cd in a cmd injection
Actually, I guess you can just chain commands normally
As long as they are in the same injection
so by using an additional %26?