#modules
ls /path/to/dir worked but what if I didn't know the path and wanted to move up a directory
ls ..
oh i didnt know you could do that got ya
You can use the pwd command to get the working directory
is it possible to string together commands though
"can't get anything to work" can you scan it with nmap -Pn
yea just get the url-encoded value of |
or there may be something else there in the module
also do you have multiple vpn configs running? ip a and ps aux | grep openvpn to look for multiple instances
im guessing both of these are wrong?
I have up to tun4
then sudo killall openvpn
you have multiple instances of openvpn running, causing the target to not know where to send it back to
Did you copy the hash manually or did msf write it down into a file?
usually username:hash is the format for hashcat to crack ipmi
also running as root might cause issues
I see you're running as root user by the # in front of the command
@fringe urchin copy and pasted into file then added : admin
@dim wolf so I could do %26command%7Ccommand%26 and that would string together the commands?
how many lines in your file?
thanks man, I guess it was cos i was connected to too many vpns...its working now 🙂
yeah that's the issue
you don't add :admin at the end
Yea dont do that! Stuff needs proper order! Let msf write it into a file
maybe, i don't remember exactly
hashcat expects a certain order to the hashes you present to it
the module i think explains it
And like marcie said running it as sudo can cause problems like it happened to someone else last time
if URL encoding doesn't work, there are other methods
not the current one im on :/
okay let me try reg user and copy from msf without adding anything
they were getting the completely wrong pw somehow
is there anytime I would be stringing together commands anyways or would I normally just issue a command then go from there?
No clue why sudo would break lol. I havent personally tried it yet
stopped using sudo and boom: right pw
something something wizards in the machine
Just let msf do the work and dont touch the file. Safest way
you string commands together for a reverse shell
so it is useful to know
of course
Sometimes whitespace could get copied with or maybe a wrong character since you copied too much etc

i think most of the time URL encoding works
ill give that a try and see if it works by url encoding |
i think in the footprinting module when someone copied the email for the rsa key it gave them CRLF encoding: causing it to break when passing with -i for ssh

i was trying to put another & sign into the url and that didnt seem to do anything
another fun wizard trick i noticed: someone downloaded (clicked the download button) for an exploit from exploitdb, it wasn't working, copied/wget from the raw page - worked fine
wanna know the issue? CRLF encoding
so literally if you did a diff -y on it: they looked IDENTICAL but diff will say they're different
im so lost guys im so sorry
does the ipmi have a second : in it?
I think crlf encoding is the problem
i genuinely don't recall
indeed it is
bash doesn't like CRLF
Hi guys, why isnt it showing me the OS of the IP?
Threw some weird stuff out on google
yes it does
following this
latest version of NMAP some things are broken
-O
Im pretty sure thats not how my file looked like
thanks @fathom pendant
also smb-os discovery only works if SMB is running
smb isn't running on the host
it doesn't look like it is in your case
running that script won't do anything
and whatever guide you're following for whatever reason it was
Show me msf command
ahh I see, but the guide I was following is for this specific room and module and this is what the person used, so im confused
that looks like the right mode
you should generally stick to the module not some guide you found on the internet
okay
Yes but not the hash output format
thanks
try with --username also you need to add -a 0
Otherwise you end up in a situation like this: where you had all the answers but not necessarily understanding how it fully works
which in the long-run is a detriment
Or does the file look weird just because the size of the notepad.
Ok now do it with --username and -a 3
-a 3?
put all the options in front
and just have ipmi.txt and the wordlist after
(also you'll have faster luck using the provided module wordlist)
let me change to footprinting wordlist but still giving error
Yea -a 3 worked for me.
3 is for masks, they're using a wordlist
just paste the hash here lmao
okay trying now w/ hash pasted and -a 0
hey @fathom pendant I used the "-O" flag but this is the result it gave
it worked for me
(yea even sudo)
i mean; doing it the down and dirty way; i just literally viewed the available webpage
and made an educated guess
ahh haha let me see if I can do it then
idk how u can tell the OS by viewing a web page tho
yea im just reading it now. lol hmmm my bad 
does this look right? and should it take awhile now?
it should take a few minutes
takes around a minute or two
considering you have an i9 13900: a few minutes is a highball estimate
no it wouldn't work, you're using stdin mode, it's expecting the wordlist to be fed via stdin
i'm running Intel(R) Core(TM) i5-7200U
oh wait it didn't read the input
i didn't peep that lol
I meant for you to send the hash here in discord, not paste it in the command
ohhhh
admin:013ebf2082000000efd8dc9e4ebeaf35089da6daffc1c044d97d8d1b551102506d7a60cd9e58426ba123456789abcdefa123456789abcdef140561646d696e:2775fff47dd69521ab1f9ce009bc306ae4207af0
and was the password in that specific wordlist?
i personally didnt use it so i dont know
yes it's in rockyou
cracked for me
it's not
i just downloaded and checked
ok ty
but if my i5 can crack with rockyou in like half a second his i9 should be able to do it in a nanosecond
not i'm only using 2/4 cores in my vm for it
@novel hinge use rockyou, not footprinting one
so it's not even in full turbo mode
my parrot has screen tearing 
skill issue
ugh not all my files copied from my old parrot vm, good thing i didn't completely nuke it yet
my fault, thank you guys so much for your help today. i really do appreciate you guys helping here 
had to reinstall due to some weird issue with ruby not recognizing i have openssl
but i'm fine it's all fine
its fineee everyone gets stuck somewhere thanks to god we have marcie and Xreous here 
also the fact that the http:// source for gems no longer works because it's a force upgrade to secure: it didn't like that
always one thing breaks
oh it automatically redirects you to https:?
yep
yea i fixed it last time. clearing cookies and history helped as well
found that out by doing a debug and seeing that it's a 301
cookies and history don't help since it's from the command line
oooh command line. yea i thought from firefox. mine went automatically to https. on some sites since he saved those entries
it's literally a 301 redirect

i'm referring specifically to ruby/gems and how it sources them

error tells me to "use http/insecure source"
switches to 'insecure'
Still errors out telling me to switch to insecure
mfw:
positive things i've received out of it: nxc instead of cme
just dont be insecure
literally what it was telling me
it was a weird error with the openssl config in ruby
always a blast searching for a solution
hey what codes do i need know to code a website like reddit
i mean there is react what i use
probably react, or swift, or something
isnt reddit written in pylons framework?
idk exactly what reddit uses on its backend
i was watching youtube people were clone it with next13.js
and the new one does not have the pages folder
python apparently
but also this is straying off topic from the channel
any idea
i dont have access
if only i included a thing that tells you how to access more of the server
that sounds messy
that was 2 years ago. no clue if that applies to current one
what is with next13.js
either way; straying far off topic
it does not have anymore pages folder
this channel is for assistance with academy modules
not random questions re: what a website's framework runs on
if you want to know what HTB Academy is you can sign up and find out
why cant i write in general
.
did anyone end up getting this question?
Im a bit confused about how zone information (which from my understanding is file origin, can show a rename)
I have the USN journal open and from my understanding of the logs show the file wasn't renamed? ||(rename old name was uninstall.exe, rename new name is uninstall.exe?)||
I’m on openvas scanning in vulnerability module. I use https://target:8080 get brought to greenbone login page. Use username htb-student pass HTB_@cademy_student! And it says login failed invalid username or password. Why is this I am copy pasting so I know it’s right
is that the right creds it tells you?
shitty ahhh mobile phone photo
reset the target; wait a minute; then try and log in
Ok
sometimes it can take a few minutes to initialize
but you don't/shouldn't need to ssh in to config anything
Now I’m getting this message instead
it just doesn't like you 
give it a few more minutes and try again maybe?
also as an fyi; there's pre-populated scans so you don't have to run one (they can take a LONG time)
Yes I’ll just use those because it’s saying time out and I just reset it I don’t have time
thanks I’m going to do the same
after editing i was able to get evil-winrm to work on the module i was doing it stopped yelling at me about the digest
Ahah I told you that it worked half for the rpc4 🙂 but thank you for sharing the solution
yeah the issue is that newer versions of openSSL don't support some things so you gotta tell it to support it again
but now you can have an updated openssl and ruby
:D
😂😂😂 after 2 hours of research to learn how to compile a downgrading of openssl 😭 well at least I would know how to do it now
you found something that worked for you
and now you know: you didn't need to
such is the life of Cyber
Lool 🥳🥳 Exactly in all the it is important to find various ways to make a program work
hey all, stuck here https://academy.hackthebox.com/module/144/section/1256 it can't find the server when i run nslookup. the correct ip and inlanefrieght.htb are in my /etc/hosts file. Not sure what I am doing wrong here
hello, im on sql injection fundamentals skill assessement, can anyone give me a hint on how to find which directory we have right to write in it?
wish I knew lol
nslookup reaches out to your resolvers in resolv.conf to try and resolve a hostname into an ip address. putting the hostname and ip address in /etc/hosts makes it so your computer can resolve that address, so you do not need to use nslookup with it.
i don't really even understand the hint given lol
the module doesn't tell you how to enumerate that?
actually no
the hint is : Try to read files you know to find a location you can write to.
then why do you want to do it
because i wanna get rce
did you read all the files?
and i can only write files in a specific directory which is the one im looking for
yes
the question seems to hint that the location is hidden in one of those files you can read
like, maybe off a txt file you read to find the location idk
hmm i'll try some of the location i can read into it
i didn't do that module but if you want to just find permissions for a database i'd use crackmapexec
Take a look at the url
crackmapexec mssql <ip> -u <user> -p <password> --local-auth -q "your sql statements here"
i tried to use that directory but i get error :
||Can't create/write to file '/dashboard/shells.php' (Errcode: 2 "No such file or directory")||
can you explain a little further, I understand what you are saying about the hosts file. But why is nslookup doing this?
simon@osboxes:~$ nslookup -type=NS inlanefreight.htb
Server: 192.168.178.1
Address: 192.168.178.1#53
** server can't find inlanefreight.htb: NXDOMAIN
That directory is in the web root directory 
dammn
you're right i forgot it was in web root dir
i'll try now
yes, i explained this. nslookup reaches out to your DNS servers to resolve the hostname into an IP address. your computer is reaching out to your ISP to try and resolve inlanefreight.htb, which it can't , because it's not a public address it's a private address hosted within htb's virtual infrastructure. your computer will be unable to resolve that with the public resolvers, which is why you add the ip/hostname into /etc/hosts, doing that will tell your computer which ip to resolve the hostname (inlanefreight.htb) into. adding that entry to /etc/hosts makes it so you don't need to resolve the host via nslookup.
thanks man ! worked perfectly fine, im stupid for forgetting such small details
try it with a real address and it will work, like nslookup google.com
awesome, thanks, I will try this
how can help with this question " How many files exist on the system that have the ".log" file extension?" and " How many total packages are installed on the target system?" here is the modules URL : https://academy.hackthebox.com/module/18/section/79
help with the command and the answer input so i can learn please ...
i'm sure the module went over how to find files, you should re-read that section
i did
i don't have that module unlocked but i can see in the syllabus there's a whole section about finding files and directories
also filter contents and regular expressions
i have one last question, by looking at the url how did you know that we had write access in that directory?
I added the ip of the machine to the resolv file, ie nameserver <targetIP>
still the same result, I must be confusing what you mean
Yes... but a number of commands and I try to input my answer but it seems wrong
would be more useful to tell us what you have tried so that we can give better help
{ locate *.log | wc -l }
i tried this command and few more
did the section go through locate?
nope ... and the input was 24 .. i guess i was wrong
right, so use find
Any other commands it taught you to find files on Linux?
as it is in the section
find gave me 0 and the input is wrong also
i know of { find , locate }
and what's the command
please provide more information instead of "not working"
Also: big importance, are you connected to the target
I commented out the other entries in the /etc/resolv.conf file and added nameserver with the target machine IP. I am getting different output now but not what i need
simon@osboxes:~$ nslookup inlanefreight.htb
Server: 10.129.204.198
Address: 10.129.204.198#53
*** Can't find inlanefreight.htb: No answer
find -name *.log | wc -l
You need to specify an ip
not the right syntax, read the section again
nslookup domain ip/nameserver
I did in the .conf file nameserver <targetmachine IP>
That's not how it works
It's still trying to pull other records to resolve
i have so many time for two days now
It has 0 idea how to resolve inlanefreight.htb
Generally local name resolutions are done in /etc/hosts
HTB learning process is so goddamn good
just use the IP
this is what someone told me to do here
yes, i explained this. nslookup reaches out to your DNS servers to resolve the hostname into an IP address. your computer is reaching out to your ISP to try and resolve inlanefreight.htb, which it can't , because it's not a public address it's a private address hosted within htb's virtual infrastructure. your computer will be unable to resolve that with the public resolvers, which is why you add the ip/hostname into /etc/hosts, doing that will tell your computer which ip to resolve the hostname (inlanefreight.htb) into. adding that entry to /etc/hosts makes it so you don't need to resolve the host via nslookup.
Again: not how it works
sdlevy what's your goal here? why are you editing your resolv.conf file when you already have the ip/host added to /etc/hosts?
Yes nslookup uses stuff from resolv.conf to try and find info: but inherently there's some flaws. For instance it doesn't understand that the domain you're trying to reach is also the same as what you're specifying as the nameserver
Info gathering web module. Instructed to use nslookup to find various bits of info
trying to get the fqdn for inlanefreight.htb
Why the module doesn't use dig is beyond me but eh, it is what it is
For the nameserver of inlanefreight.htb
yes
It's important to not leave out important parts of the question
nslookup inlanefreight.htb ip
Do that and see if you get a different answer
thanks ,...let's read, maybe it will help
If you aren't connected to the target, you're gonna get the wrong answer every time btw
simon@osboxes:~$ nslookup inlanefreight.htb 10.129.204.198
Server: 10.129.204.198
Address: 10.129.204.198#53
*** Can't find inlanefreight.htb: No answer
Now, remove the entry from your hosts file
same
and revert any changes you made to resolv.conf
That too
I have done both, deleted the nameserver ip from resolv.conf and removed the ip from /etc/hosts
same result
||nslookup -type=NS inlanefreight.htb 10.129.109.136||
was about to say it
Nowhere in the section displays just using nslookup without a type query
let me try that
Even in the public zone.transfer.me example
yeah he probably forgot to add -type flag
yep
Given the copy/pasted terminal output: yes
thanks
This is a heavy case of: read the material
It literally shows you multiple examples
None of which are missing -type
You only don't need -type if you specify -query
its really easy to say that. When people are learning and trying to understand content that is new to them they are going to miss things. It is unreasonable to hand someone that much information and have them fully understand everything without missing things or having questions
I prefer dig for the cleaner output
It's easy to say because i did ctrl-f to see where nslookup was mentioned and the example commands
yes, but I am assuming you have more time in than my 6 months of learning, and understand more fully what these things mean already. i am attacking this content every single day and trying to learn, but some things are just not going to make sense
I barely understood what it was when I first went through it
I am telling you as someone whose journey started with CPTS and minimal linux knowledge
that's what I am trying to say. I am trying very hard to learn this. It just gets under my skin when people say it's right there in the content you should know it
sorry, I will get off my soap box now
Well then read the content more and try and understand it better
not helpful
learning involves a network and a community
saying just learn better isn't helpful
I'd understand if it was an issue like with Footprinting/email where they give you the fetch <id> all command
Where the command just doesn't give the needed info
But it's pretty much shown how it works in the section
I'm not saying "learn better" I'm saying "read carefully"
i think what she wanna say is to be mindful of commands you write and why you write them to not miss small details that are keys to the answer
Missing something happens, but I begin to doubt you re-read the material once you hit a wall
I re-read once I hit a wall. I try and make sure that before I ask the question it's not as simple as "oh I missed this argument" and if it is: then I accept that I was dumb and remember for next time. It's what makes me effective at helping people
I failed, messed up, and learned
Heck the only question I asked for the AD skill assessment was "is x on these machines," but I trusted that I had all the info given by the module
And/or from a module it expected me to already have gone through and understood
I value the struggle as a part of learning.
It irks me when people assume things about other people. I do re read, because this material is taught in a non interactive way with people who can explain why you are struggling with something. Being able to ask questions of others is extremely helpful. I fully accept and understand that i know nothing. sometimes I need people to explain things to me in a way that is different to the content
And asking questions isn't inherently negative.
Why not work along with what's being taught
the examples used public websites ¯_(ツ)_/¯
I was a university professor for four years. I know a bit about the educational process
And even in some other modules where it might be related to using a private ip, just spin up the ip and work alongside what's being taught
And before you know it you already have the answers for the questions
I'm making an observation based on past behavior, I say I begin to doubt because it doesn't feel that way to me. However i can concede that it could be a misunderstanding of material (which can happen)
I was just talking to someone today about how helpful this community is
Sometimes even the process of asking the question actually gets you the answer
It's why I volunteer my time here. I just also dislike seeing certain patterns of behavior, some more egregious than others. I'm not accusing you of this behavior
Kerberoasting for windows attack second question must I RDP into this account ?
Some people do just not fully read the provided material and expect someone to answer them
I’m having trouble RDP into it
Module?
Windows attack kerberoasting
I don't expect answers, just help understanding. Otherwise it's not learning
Also if the question says "authenticate" then rdp may not be the only way
Winrm is also a popular windows remote tool
Can you give a specific error?
You have to RDP to DC01 within the target Windows machine, you can use the windows RDP app
Usually if rdp isn't enabled for a user there's a message that says it when it authenticates or something along those lines
Ah the double bounce
My favorite part of networked windows
You are one of the most helpful people for me. You really make me think.
I apologize for offending you in any way
Or HTB misleads you
Is English your first language?
Sometimes
Fuckin still fresh in my mind about that shit in AD enum
65% my fault the rest is awful wording of questions
"Authenticate to"
I was probably just frustrated and grumpy. No worries
Found it. They should have said connect via RDP via the original RDP connection to Bob
💩
It’s those kinds of things that get on my nerves
is english your first language? I don't think the instructions are anything too confusing
Meh usually not but sometimes you can tell the person isn’t super fluent
It’s not that it’s wrong it’s just sometimes written awkwardly
I missed that too, I just couldn't wrap myself around RDPing within an RDP session
Glad it’s not me
Would have been nice to clarify within the host and not inside
Outside *
Before I start this box do I have to buy minecraft?
I assume its a very popular exploit to do with logging and really don't want to purchase minecraft just for that...
Hi
Hello
to be fair, if it's not something you're used to: it's not gonna be an instinctual thought
wrong channel and no
fair. having a bit of networking knowledge would have helped I guess, the second target is in a different subnet
oh @next bronze wanna know what else tripped me up on the first AD assessment: for like the first 10 minutes I couldn't ping DC01
so it confused me as to why, but more importantly how
what was the problem 
Any hint for the event viewer I am filtered in 4769 looking for anything web mentioned or a new servicesid
Question two of windows attack, and defense kerberoasting
👋
I am searching all 4769 I’m lost
Since the question is asking for the webservice user, you can use the find function to find the relevant log
the instructions involved in Windows Attacks & Defense are a bit misleading; the overview section makes it seem like you can RDP to both WS001 and kali from your VM when in reality it's just one or the other depending on the section. of course, you can always RDP from WS001 to kali and vice versa if you know the internal IP addresses of each, but i don't think that's inherent knowledge that you can have if you're simply doing the path in order
I am past that
Now I am in it and searching 4769 and now I’m lost I search web webservice
Can you try bob? Honestly I don't remember if I searched something or just went one by one until I found it. I don't think I had to click that many before I found the webservice log
I’m supposed to be on HTB student for this portion
which section
I backed out of that particular event now I’m searching wider
Second question windows attack and defense kerberoasting
I have RDP into the RDP from the RDP now looking at the event log
fair
you can just filter for any instance of webservice
idk i could eventually ping it
and doing an fping revealed all the connected servers
i just couldn't for w/e reason ping it from the rdp session for a bit
which seriously confused me for a bit
weird
tip: use netexec to sweep the subnet in an ad environment, it will almost always find all the windows machines
i was like "i gotta get to DC01.... but where are you" (i was making the educated guess it was the first ip in the fping)
I used the load_file priv (read permissions) to read the Apache configs at /etc/apache2/apache2.conf and found out that the web root directory was allowed but upon writing the web shell to that directory, it returned as not having permissions so I had to look for the next sub directory hence the url
Hope that clarifies it.
Looked at this no one helped him lol it’s the same issue I’m having I’m searching 4769 I see nothing but junk
can you show a screencap of an event 4769
I’m on a work computer I can’t screen I RDP to the second questions host and searched event log > security > 4769 now I’m searching it all I tried to “find” web or webservice and got nothing
what's the command you're using
There’s no command its event viewer filtered on include 4769
oh man.. you're using that?
Yes per the directions
it's a whole lot easier if you use Get-WinEvent
Hmm
can you just say what you think the ServiceSid is in a spoiler
or at least the last 4
well no
Yeah hold on
ok you're definitely on the right path then
try your hand at using Get-WinEvent
it makes it a lot easier to search and filter logs
Can I get a syntax for it it’s not working
And even the event log filtered on 4769 all the service sid are all the same
The lesson doesn’t even go through any of this
Nothing on forum about this nothing on chat about this . Nothing
how do i know my target system , please help
Module: Password Attacks, Section: Password Attacks Lab - Hard, Question: I have been figuring how to dump the LSASS files, have tried pd64.exe or using the Task Manager, but i have realised that I need administrator privileges, so im stuck here and might need a nudge :/
Get-WinEvent -LogName "logname" -FilterXPath "your-filter"
Thanks, getting some sleep maybe my brain will work tomorrow
going over my notes not sure why you're trying to dump lsass for that lab
i think my thought process was firstly, i saw a Keepass database, but i couldn't login with J creds, so i was trying to dump lsass and see if i could crack the dump using pypykatz to get creds to unlock the Keepass file. Please do correct me if i am straying from the intended path haha
If only there was a convenient tool for this
You can try to crack the keepass file?
anything else you can do with keepass?
KeePass is definitely the right direction though
This lab is a bunch of back and forth
It's a fun assessment imo
there's one section in that lab i didn't like
yeah no doubt
no, a couple of steps right before that bitlkOpen...
You mean cracking or? I think we're thinking the same step. I don't really consider the final extraction as a separate thing
I guess you can call it the final part
But if you mean the whole "how do I even" bit was the only tedious thing
I think my first go around I just did it on my host then transferred to my vm

I very much did the lazier way my first go around in some modules
I.e. using an email client for the imap/pop3 stuff
I hear what you're saying, but I couldn't do it that way 😂
Not running that host? Or just running your setup baremetal? Or some other restrictions
Former
Perhaps can convert it to a format for John to crack it hmm
if you're not sure, you can always go back to the module and try to look for a keepass section
This command was placed in the section without any description or explanation. Can someone explain it to me please?
XP_SUBDIRS Hash Stealing with impacket
Attacking SQL Databases
```
sudo impacket-smbserver share ./ -smb2support
Impacket v0.9.22 - Copyright 2020 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.129.203.7,49728)
[*] AUTHENTICATE_MESSAGE (WINSRV02\mssqlsvc,WINSRV02)
[*] User WINSRV02\mssqlsvc authenticated successfully
[*] demouser::WIN7BOX:5e3ab1c4380b94a
[*] Closing down connection (10.129.203.7,49728)
[*] Remaining connections []
```
It's for capturing hashes. This is the explanation from the hackthebox section: In the Attacking SMB section, we discussed that we could create a fake SMB server to steal a hash and abuse some default implementation within a Windows operating system. We can also steal the MSSQL service account hash using xp_subdirs or xp_dirtree undocumented stored procedures, which use the SMB protocol to retrieve a list of child directories under a specified parent directory from the file system. When we use one of these stored procedures and point it to our SMB server, the directory listening functionality will force the server to authenticate and send the NTLMv2 hash of the service account that is running the SQL Server.
any guidance on this crackmapexec skill assessment? stuck trying to get into the ccache share. i have dev01 compromised, ||got the password from keepass|| but i can't see where to use it or how to get into that share.
does htb academy cover nessus at all? i’ve always wanted to learn it
oh it’s in vulnerability assessment
also do they teach about the individual tools you use or do they teach you the general idea and then you have to figure out how to use the tools?
Hello can anyone help me enumerate mssql
That’s vague, what do you want to do?
For pwnbox: a very smol question: how do i fix the error "There are no available instance." I have tried refreshing the page but to no success.
I am just trying to see the databases, tables, and their data.
This is my commands:
SELECT name FROM master.dbo.sysdatabases
SELECT * FROM master.dbo.sysdatabases
SELECT name FROM sys.databases;
SELECT *FROM sys.databases;
Nothing of these work. I tried a bunch of other commands, but likewise the response is just empty
What module / section ?
Attacking SQL Databases
https://academy.hackthebox.com/module/116/section/1169
I used mssqlclient.py and sqsh to connect
is someone available to help me with Logrotate?
Did you use windows authentication to connect ?
I just used the creds provided:
Authenticate to 10.129.203.12 with user "htbdbuser" and password "MSSQLAccess01!"
Are you on question 1 or two?
1
The question is asking you for a password of a user:
What part of the section talks about stealing hashes?
You need to try one of the techniques shown there. No need to “enumerate” the DB
"There are no available instances please try again later"
Thanks for this. Can u offer me a hint regarding the technique I should use
It is in the section of the module
^ it should be easy to find xd
do you know how to troubleshoot this issue?
nah i think it's an issue with the platform
dang it, i was so close to discovering more creds on the lab
Hi all, I'm currently doing the skills assessment in Pivot, tunneling and port forwarding. I got some issues with RDP to vfrank. I got his credentials but I don't seem to have the right IP to RDP to. I've tried to ping sweep 172.16.6.x and 172.16.5.x. I've attached an image of the IPs I've found. Can anyone nudge me in the right direction?
Nope
i mean.. on the same hand i've seen other staff mention short downtimes etc, i was just asking
wasn't sure if it was me or the platform, since a while earlier the platform was actually down
asking the community was my initial idea before pinging support for help.
but uh. ok?
Password: Password Attacks, Section: Password Labs -Hard, Question: I have trouble transferring the .vhd file from target to attack machine, i think it was probably too big but i might need a nudge
You are on the right path of considering the size of the file, knowing that you can approach SMB differently and the share, you can approach it like a NFS share
Obtain remote code execution on the http://web01.inlanefreight.local:8180 Tomcat instance. Find and submit the contents of tomcat_flag.txt
on https://academy.hackthebox.com/module/113/section/1211
I already got the RCE but i cant see the tomcat_flag.txt file
thank you
I have tried to mount but this error persists:
```
┌─[eu-academy-2]─[10.10.14.58]─[htb-ac-1065982@htb-hqgz4lmrqd]─[~]
└──╼ [★]$ sudo mount -t nfs 10.10.14.58:/mnt/nfs_share /home/htb-ac-1065982/Desktop
mount.nfs: requested NFS version or transport protocol is not supported
```
i'm still stuck on CME skill assessment if anyone could push me in the right direction. i need to access the ccache share and don't have users who can. i have dev01 pwned and got the ||keepass password|| but it doesn't work anywhere that i can see
Introduction to Digital Forensics > skill assessment
can someone hint me on this.
Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe
i tried to do a collection on Windows.KapeFiles.Targets under san triage, but no clue.
Password: Password Attacks, Section: Password Labs -Hard, Question: I am still stuck on trying to download the Backup.vhd, it might relate to mounting the target share locally but i have no clue how to start on it
Does it teach doing that in the module?
have you tried setting up a web server with python?
python and python3 are unavailable on target machine
you have to set it up on your attack machine
and then on the target machine use powershell to upload the file
use smbclient from impacket
yea i did this, but the file was too big to transfer and it timedout
yeah smb works too
is it different from just using the normal smbclient?
yes
ohh ok i will try it out now
Mine didn't work with normal smbclient
but with impacket it worked
Had the same issue as you
Hi all, I'll try again to see if anyone here has the answers
I'm on the second last question in PIVOTING, TUNNELING, AND PORT FORWARDING skill assessment.
I have the credentials for vfrank. I've found two IP's with ping sweep 172.16.6.45 and 172.16.6.35. But I can't RDP to either of them. Would appreciate any kind of help.
are they both windows?
Based on the TTL I would guess .45 is Linux and .35 is Windows
[SOLVED]
DOCUMENTATION & REPORTING > Notetaking & Organization > Q1: What tool mentioned in this section can make logging a session easier?
Hey guys, So I'm stuck on the stupidest thing ever. See the question above; i read through the thing, know the answer (as it clearly stated in the question below) but can't find the exact formatting used. Would someone be able to help me out? (I can put my answer as a spoiler if you want, it's nothing critical lol )
edit: disregard, Was being way too specific :/ it's the tool, not the plugin to the tool....
i'm not at this module yet but is it possible RDP run on a hidden port?
```
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Type help for list of commands
# use david
# ls
drw-rw-rw- 0 Fri Feb 11 10:43:03 2022 .
drw-rw-rw- 0 Fri Feb 11 10:43:03 2022 ..
-rw-rw-rw- 136315392 Fri Feb 11 12:16:12 2022 Backup.vhd
# get Backup.vhd
[-] The NETBIOS connection with the remote host timed out.
```
Did you encounter this before?
No, don't recognize that
Hello,
I have a problem validating the first exercise of the "INTRODUCTION TO BASH SCRIPTING" module, could someone help me to understand what I did wrong ?
ohhh but the syntax of the command u sent just now didnt work
have you tried to download directly with smbmap?
smbmap -H <IP> --download "notes\note.txt"
```
[!] 445 not open on 10.129.203.131....
```
this was the error
is the target machine still up?
now its up again, and i could see the shares listed.
ok good so try with the --download flag
i dont think this is the correct syntax to download the files right
smbmap -H 10.129.202.222 -u david -p xxxxxx --download "david\Backups.vhd"
and if you try with impacket maybe? I did a quick search and this is the syntax I have:
impacket-smbclient -H 192.168.1.100 -U user%password -R Documents/important_document.txt -o important_document.txt
ok let me try it
└──╼ [★]$ /usr/share/doc/python3-impacket/examples/smbclient.py david:******@10.129.202.222
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
Type help for list of commands
# ls
[-] No share selected
# use david
# ls
drw-rw-rw- 0 Fri Feb 11 10:43:03 2022 .
drw-rw-rw- 0 Fri Feb 11 10:43:03 2022 ..
-rw-rw-rw- 136315392 Fri Feb 11 12:16:12 2022 Backup.vhd
# get Backup.vhd
[-] The NETBIOS connection with the remote host timed out.
still doesn't work
try with this syntax
impacket-smbclient -H 192.168.1.100 -U user%password -R Documents/important_document.txt -o important_document.txt
with the -U and the -R flag
like this: impacket-smbclient -H 10.129.202.222 -U david%****** -R david/Backup.vhd -o Backup.vhd
@languid fjord Hello; I have a question, how come Academy is running so super insanely slow but HTB Labs is fine?
i cant even connect to a server
htb down
Ohhh Labs is working academy isn't though i think, although i didn't try HTB Labs machines I just just logged in
the -U flag is not recognised
i second this too
the target ip for academy has been timing out on and off despite resetting it many times over 2 hours
:L
yep i will take a break
major headache now
Yeah I'll wait it out like you guys, I may try HTB Labs, it seemed not to be slow at all
yeah haha
Hey guys! First time here nice to meet you all. If I found a problem or missing data on of the modules, where would I go to report it? 😉
@sick shale thanks for the extensive help though
#858470491676737536 i guess
Perfect, cheers!
my pleasure hope you'll get it !!
Ima test HTB Labs to see if it's working or it's just Academy
Yeah must be system wide
Labs isn't working either :L
I guess I'll do Try Hack me or Over The Wire studies tonight hahaha
Reach out to support
hello guys, i need help
Module-> Password Attacks
Task-> Remote password attacks - Password Mutations
my problem-> I created a word list and tried brute force, it took hours but I couldn't succeed.
my command-> hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
https://academy.hackthebox.com/module/147/section/1391
solved 🙂
Wrong protocol?
password list 😐
Well if you used the provided one from the resources button, that wouldn't be the case
The end result should be 94044 words long
Either way: brute forcing ssh should be a last ditch effort if you were doing that
I used that list but it took too long
Don't bruteforce ssh, and this module is an exercise in patience
With the right threads and protocol: it takes ~30 minutes
48 is the sweet spot for many
true
why do i get different numbers from locate *.log | wc -l and find / -name "*.log" 2>/dev/null | wc -l?
The fastest bits of this module come from hash cracking
Because locate pulls from a different source and may be outdated
Find searches the system
I.e. if you just uninstalled something, locate may still see it
Locate is basically a database search
stupid question, in an AD environment the goal is to compromise the Domain Controller. I now have the admin credentials and logged into the system as NT Authority System. Does that means its compromised?
That system, maybe
You have local administrator. 🙂
the goal depends on what is agreed upon at the start of an engagement. but if you have gotten DA, it's safe to say the domain is compromised
But to pwn a domain, you need specifically "domain admin"
Windows attacks and defense - kerberoasting- second question. I have RDP into the HTB student account. I have visited event viewer and filtered all that is event 4769. I have tried to use xml to filter webservice user. It results with no findings. If I take the xml off for webservice. I get an ocean of 4769 logs with nothing webservice related . I tried to filter more for web and nothing. All the accounts from this point have often the same servicesid so this is very confusing and frustrating. If anyone has a tip from this point please let me know.
This question has me sweating like R Kelly in prison
I looked at the questions on the forum, zilch. The only questions were people not knowing to RDP into the HTB student rdp, and didn’t know they needed to do that from the first account. Nothing in regards to post event viewer searching for the proper SID. Looked at the chats looked at the forum, not a single tip
hello, im in the sqlmap essentials module stuck on case6 , i used the hint and executed the command : ||sqlmap -r req.txt --dbms=mysql --prefix="')" --level=3 --risk=3 --batch --dump|| but still failed to get the flag, maybe something wrong with my command?
nvm got it
If anyone can help please let me know I’ve tried everything
can i see your Message filter
whats cheapest way to study for OSCP?
For those that struggle for this question in the future, when you do the attack, make sure you get the time of the attack right away on power shell write it down so you can hone in on when this occurred in the event logs. If you copy this servicenumber and it doesn’t refresh the page that was my issue
Cpts
link? whats that?
Omg
i have THM and HTB Free now
If you can’t do a basic Google search you are a goner
For OSCP you have to buy the course, you can't not buy only the exam
Htb academy offers a cert course called Certified Penetration Testing Specialist https://referral.hackthebox.com/mz7OtZW
I recommend you do the EJPT first before you touch this stuff you’re going to get crushed if you don’t
bought the course, tried exam once and failed it
is it free? LMAO
No
I said FREE

: Insert this is Sparta kick into the well:
Well if you want free, just Google the course topics
first thing to learn if you want to be a hacker: how to google
And read articles upon articles of content
Use Google, bro don’t be an oxygen thief
For the most part, the stuff on academy is well put together
And worth the cost for learning it
im just doing free boxes now
w.e Idgaf
Free boxes won't really prep you for OSCP
were you using event viewer?
at all?
They help you develop methodology, sure
I already have the course material from before
I figured it out. I was not refreshing the Academy page and it wasn’t registering the question.
But there's a portion of oscp that's focused a bit on AD
Which boxes won't really prep you for
the fuck?
yeah im just looking for a study routine with the proper material
dont wanna waste time with bs
CPTS material goes over most, if not all, the material of OSCP and some more
should I have my old course notes out?
mine are from when I last tried in 2020
Well I think AD is relatively recent
Since CPTS dropped, OSCP updated their material
Buffer Overflow isn't on it anymore
hey guys, in sqlmap chapter4, I got the flag of case1, but the web hit me: it's a mistake
what the correct type of case2 flag?
wym by chapter 4
LOL i remember that
im in that module can u specify section
wonder how expensive CPTS is
someone said do the labs on HTB
its really cheap compared to oscp
they're like 49/mo tho
if you want AD practice do the Offshore Pro Lab
Just the course like $140
Its much cheaper than oscp
And if you are a student you can pay 8€ a month for t0 up to t2 courses.
If that
So like "free"
it's basically free i'm riding that student subscription
Same
I'm riding my not rigged silver annual sub I got from the giveaway
nah offshore is overkill
especially for oscp
so if i can complete cpts course in one month its gonna cost me only 10$
oh ur right
Yea
i forgot OSCP has like a 3 box AD set
you can technically get cpts for $218
who can do that though
Can you just start every module as a student and then end sub?
LMAO at thinking 200 bucks to study is "cheap"
210 bucks is the exam voucher
Any module you don't complete when your sub ends, you lose access to
Oscp costs 1500- 2500
8 dollars/month for all the modules
Oooh ok ty
yes its quite affordable and goated given the material given
Honestly with how many people had "issues" with ad skill assessment 1, my only major issue was figuring out the right tool
you can do the whole thing with like 5 nxc commands
literally the easier one
its probably the cheapest cert you can get in the market with the materials given :3
Nxc was being dumb for me or I wasn't doing something right
probably the latter 
i already got the CEH
Ok? I'm still saying multiple people had had issues with it
Probably didn't like me trying to nxc through a pivot
No worries the next one will be better 👀 much more fun
shouldn't be a problem, I do that all the time
The hardest part for me was fixing evil-winrm
Why don’t you go to oSCP and pay 2500?
This is 400 bucks and it’s better harder stuff. What’s the issue?
Im getting my oSCP after cpts. I’m doing this way so I can prove to my team I wont fail it
That’s what my boss wants. Don’t waste corporate money on oSCP, do cpts and if you pass then you can have the fancy title.
And this is coming from a top company everyone sees daily but I can’t tell you due to privacy
Source me, a junior pentester
We should be lucky HTB offers all this shit for 400 it’s worth way way more. Sure the wording sucks sometimes but we are in an international community. Not everyone has the queens English. It’s a trade off that’s worth it in the end price and knowledge wise
compared to everything else, yeah of course 218-480 bucks isn't cheap, but HTB Academy is one of the cheapest options around in cybersecurity education
and for the quality you get, i'd say it's well worth it
Go do pnpt they are 200 300 but you have to download an ovpn and its a pain in the ass at least HTB has in house vms
You can still interact with htb with a vpn and your own vm
Yes but it’s an option pnpt isn’t
Fair
the issue is that the pipeline into this field is completley and utterly fucked. it's like a giant abortion. there's no linear pathway and most don't know their asses from their elbows
Pnpt has you doing ad and setting it all up which is awful if you have a slow computer
is there any way to solve Password Mutations? i ve been hydra-ing for 2 hours but only 4088 tries.... still got 8999 left to go AHHAHAHA
HTB its served right on a dinner plate. What’s there not to love?
Don't attack ssh
No it’s not why don’t you network
yeah it is LMAO
Gotta know people to network
just applying for jobs is confusing enough
It took me a year after I graduated to find a job how did I get it? I looked at pentesters at X Corp, and reached out!
And we all know that leaving the house is game over for hackers
How can you be a pentester if you can’t Google or even do that like damn homie
took you a year to find a job. great field
Yeah because that’s life
your an idiot LOL
No one will give you shit you have to take it
You sound like a soft male that hates your own weakness
You're*
your probably a woman
Let's not get into personal attacks
cringe kid
Why don’t you cowboy the fuck up and look for a job by ANY means necessary
Pentesters make due with shit they have if you can’t do that work tech support
I dont wanna have to call in the eagle 500kg
If you can’t OSINT people on LinkedIn and tear down the barrier you can’t do it on an assessment
^
This field is all about research
So why don’t you just sit in your moms basement and cry your own problems you caused to someone else
Beta male behaviors
If you can't do bare minimum research, then the field isn't for you
Let the democracy handle that 
ok got it
Go be tech support and make 15 an hour
Alpha, as in software Dev - an alpha version isn't ready for the general public
isnt that how it works? i created a mutated wordlist but still is 90k
The wordlist is right. Just attack a different protocol
aaaaaa they got me
This has 0 to do with modules, and the reason for not being able to post in #general is quite literally skill issue
Coming in and attacking everyone that is articulating counter points by name calling is a poor reflection upon yourself. This channel is about htb academy modules. Might want to take your attitude to a different channel before the mods come in.
Need to be hacker rank+ to post images in general chat
I didn't know this. Sorry
Also I don't think anyone monitors the hackthebox discord account
actually why attacking ssh is longer than other protocol?
Because ssh is a slow protocol and often heavily limited on the amount of parallel threads/connection attempts
If you look at the hydra output you will see that it drops to like 4 threads
yes hahahah
thanks for the knowledge
which protocol is the fastest to bruteforce? rdp, ftp, smb
ftp/smb
Also you can manually adjust threads with -t
yes ive put it as -t 64 ahahahaha
64 can be too many
im doing it on ftp but still 668 tries per sec
if you can access ldap or kerberos those are even faster
A good amount of people have luck with 48
maybe thats normal
Hmm can you use braa without the oid? Found the community string and I think a user with snmpwalk using the community string. Trying to use braa to doublecheck but I get a invalid syntax when I use the community string braa <community string>@ipaddress
Do I look British to you?
You can use the basic syntax given by the module
The .1.*
okay bet, wasn't for sure if that would work
Try with given resources first, ask when it breaks
that's what I do
Then realize I made a minor spelling mistake
noted
Inlanefreight.htb instead of inlanefreight.local
I'll probably tackle the second ad enum lab later
its a giant joke ive tried everything. i will probably be able to get into this field as a hobby but the pipeline is totally broken. the best I can get is a data entry job. had a IT Helpdesk job but got fired because I was "to slow". that was 3 years ago. couldn't get a new job since. now im not taking it seriously at all but still pursuing it because I love it. I tried LinkedIn, cold emailing, cold calling, applying, applying to different countries. nothing
its a giant joke
Not really the right place to ask this but in reference to what you guys were talking about earlier @fathom pendant are you working as a pentester now and if so could you maybe dm the steps you took?
If you got fired from IT helpdesk for being too slow, then you really must have been slow af
Part of your training generally includes SLA for handling incidents
different companies have different definitions I guess
Bare minimum standards to follow
Truly. I could spend an hour on a call (actively doing troubleshooting/fixes) and not be considered slow
I had great CSATs
Only one dickweed every now and then that doesn't understand "we can't do that"
Proper training/actively following training keeps you out of trouble
Shit part of training before full prod they had us making sure we had a good workflow
Mind you, OEM support but still
~5 cph if the issues were simple
usually was ¯_(ツ)_/¯
Occasionally it was slightly out of scope questions that didn't take more than a few searches within the KB to fix
Not really
People get frustrated with AI telling them to do things
would love to see an AI do a pentest
Goes out of scope
Chuckles we are in danger
Your attitude is weak. It’s repulsive. Not many people will say this straight out but everyone hates a weak man. Stop acting soft.
most don't know their asses from their elbows
from this conversation and what you've said, I don't think the problem is with "most"
best to leave some important things to humans... like pentests
I agree the job market sucks right now, but there are other things you can do
Ahh the classic when everyone is the problem......
Im fresh out of college. Had a year of exp as a pentester moving now to a diff country, got denied by others since i dont have any certs(worked as a student in that job we didnt get certs paid), saw that certs are needed to show skills, doing cpts in the meantime while searching for a job
There is always things you can improve/work on to help your future you
anyone here to have taken successfully the PJPT exam?
I was an accountant for 7 years. Got a masters in IT. No one wanted to hire me. Networked and found a person plus I fluffed up my resume. Got an It audit job, did that 9 months, got another job making 12k more doing third party risk assessments, did that 4 months, switched took a 10K pay cut as a junior pen. Been doing that for a year now I’m going to be getting hopefully 25K raise here soon
Also I worked at Pizza Hut up until a year ago so I could meet ends meat.
All while I had a divorce/custody battle that emptied my 401K
working on the footprinting lab hard and I've gained ssh access but am unsure of what I'm looking for now in reference to HTB or if I did something wrong with my ssh?
nevermind
Still need a nudge? Or found it
found it I believe

I was definitely confused on why I didn't see any sql ports open in my nmap scan in reference to the question but the ssh has confirmed my suspicions
Some boxes same as the medium lab have em open only internal.

Tracking tracking, I'm getting a can't connect to server error now wondering if its just the target machine needs to be refreshed however I can still ping it
If you were connected to it before then yea most likely a machine issue
restarted the target machine and can't connect to the server still?
if I just try mysql -u username -p then enter the password I get access denied
You try that in the ssh session?
ahh shit no I did not
Mysql isnt accessible from outside
In hard lab, im pretty sure
Now to easy modules and back to medium
I'm going in order
I'm assuming you're not lol?
Oooooh you were talking about modules as a whole
yea im going in order too
I thought you were going back to easy footprint lab and then medium
Nah information gathering vulnerability assessment then file transfers continued by death by the rest of the medium killers
Hello everyone, I hope you are well.
I'm in the 'Web Server Pivoting with Rpivot' module
following all the steps expressed in the form, that is:
from my attack host: python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
then from the ubuntu server: python2.7 client.py --server-ip -here I entered my ip- --server-port 9999
finally I give the command: proxychains firefox-esr 172.16.5.135:80
but the apache page comes up, could you give me some suggestions?
In what sense?
Attacking Common Services - DNS:
I don't know what I am doing wrong i added it to /etc/hosts.
cat /etc/hosts
<SNIP>
10.129.235.249 inlanefreight.com ns1.inlanefreight.com
Tried domain transfer for all domains found:
dig axfr @inlanefreight.com cu<SNIP>.inlanefreight.com
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> axfr @inlanefreight.com cu<SNIP>.inlanefreight.com
; (1 server found)
;; global options: +cmd
; Transfer failed.
Tried it on all found sub-domains but no results
Dig axfr inlanefreight.com @<IP>
Try that. If not i have to go get my notes
Or instead of inlanefreight.com whatever subdomain you want but @<IP> at the end
Ofc some subdomains arent for zones!
Tried all SUB domains but transfer failed yaar! 
┌─[eu-academy-2]─[10.10.14.75]─[htb-ac-189143@htb-je3dfbeyrg]─[~/subbrute]
└──╼ [★]$ dig axfr <SUB>.inlanefreight.com @10.129.235.249
; <<>> DiG 9.18.16-1~deb12u1~bpo11+1-Debian <<>> axfr <SUB>.inlanefreight.com @10.129.235.249
;; global options: +cmd
; Transfer failed.
that's not the right subdomain
i can tell you by your snipped output
let subbrute work for a few minutes
I already did its been 10 mins and its still running also ran fierce and these are the ones i found
||
inlanefreight.com
w<SNIP>.inlanefreight.com
b<SNIP>.inlanefreight.com
m<SNIP>.inlanefreight.com
s<SNIP>.inlanefreight.com
n<SNIP>.inlanefreight.com
c<SNIP>.inlanefreight.com
ns3.inlanefreight.com
ns2.inlanefreight.com
||
none of those look correct let me double check
Okay!
you should be using the provided list that comes with subbrute
Oh okay
i believe unless i'm thinking a different tool
but it comes with a resolvers file yeah?
if not then the issue is that you didn't find all the right subdomains in your initial enumeration
nope it's the one i'm thinking
I think im using the name.txt that comes with it only changed resolver
||./subbrute.py inlanefreight.com -s names.txt -r resolvers.txt
Warning: Fewer than 16 resolvers per process, consider adding more nameservers to resolvers.txt.
Warning: No nameservers found, trying fallback list.
inlanefreight.com
w<SNIP>.inlanefreight.com
b<SNIP>.inlanefreight.com
m<SNIP>.inlanefreight.com
s<SNIP>.inlanefreight.com
n<SNIP>.inlanefreight.com
c<SNIP>.inlanefreight.com
ns2.inlanefreight.com
ns3.inlanefreight.com
||
you're attacking the wrong thing
you're meant to attack inlanefreight.htb
👍 Inlanefreight.com is a functioning (fake) website used by HTB for several modules
took me a second of looking back over your output to realize this
question: "Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer."
Oh Okay sorry ! 🥹
always read the question
I noticed the debate about oscp earlier on, can someone explain what the deal is with oscp or what it is
it's an industry standard pentesting cert
you can easily google and find details regarding it
It's OffSec's PEN-200 course and is notorious for being heavily restricted in tools and fairly difficult (due to a mostly lack of prep from the purchased course)
Hello does htb academy silver sub (monthly) give access to tier 3 modules?
No only to tier 2
But you can earn cubes from the tier 2 modules and then use them to unlock tier 3
a bit of a lengthy progress but it's possible
Oh my bad
thanks
This is spot on. CPTS path goes much further in depth.
I'm seeing something kind of strange and I wanted to get some feed back to see if I'm just missing something. I just finished up with the 'Introduction to Web Applications' module. All of the sections within the Module have a green ✅ next to them, however the 'Progress Bar isn't filled suggesting I'm missing something. Is that correct?
what I'm seeing on my end.
Did you click "finish" at the end
I thought i did, but let me verify that.
Yeah, I completed all the challenges and clicked 'finished' at the end.
From the first section, scroll to the bottom and click "complete and next"
Repeat for all sections to be sure
Hey guys can anyone point me in the direction of where I might find out how to make /etc/hosts editable to add vhosts
Yep, I must have missed one, that solved my issue
Currently doing Information Gathering - Web edition on Active Infrastructure Identification
edit using a text editor with sudo
I have tried sudo nano /etc/hosts and i still get the unwritable error when trying to use ctrl + X then Y to save
Job recruiters will do everything, but give you the expected salary expectation range
FML nvm im a dumbass
you were right lol thank you
I misspelt sudo in my attempt lol
Actually is there any way to proceed without using that tool
so im on footprinting lab hard, trying to get community string. but snmpwalk and onesixtyone arent yielding any results. is there another tool to try?
Onesixtyone does work
I used seclists/discovery/snmp/snmp.txt
so i couldnt get onesixtyone to work, but i got snmp brute to work!
i think when i was using onesixtyone i wasnt using right wordlists but i yielded now, probably going to get stuck again soon but happy i got that one
if you remember, do i need to do anything w/ public/private keys to ssh? i have toms password i think from the community string. but cant ssh
Yes
There’s more ports open
okay let me try some things thank you!
is there a way to see when my sub is ending??
For those struggling, it works on the pwnbox system htb provides
Perhaps try updating your system, I had some issues today as well and update and upgrading solved it for me
Not sure about that module though, haven’t done it
Sounds like a good suggestion. Thank you!
Let me know if it does it👍🏼
Can anyone provide a push in the right direction? CrackMapExec skill assessment - Read the flag from the shared folder Ccache, I've obtained system access on DEV01 but cannot find any user who has access to this share. I also grabbed the ||master keepass password|| but I don't see anywhere to use it as it doesn't work to open the vault nor is it re-used on any account that I have.
hey, was able to ssh. could you push me in the right direction on what i should be looking for? should i be trying to priv escalate?
I used the key to ssh to root personally, and then just did ls when I got access
ohhhhhh
Hey guys I’m new here.
Currently stuck on the “Redeemer” very easy starting point CTF.
I’m trying to find the open ports - Sudo nmap -p -sV ‘IP’
And it’s just… going…
I peeked at the solution and that’s what it says to do too. Using a pwnbox… tried using the performance options
ask in #starting-point
to access, verify your account in #welcome
check the output of the || keepass module || carefully
so i did tom@<target ip> when i ssh'd. when you get a private key youre able to use it to ssh as any user?
i also got the flag btw, thank you for help. just curious on how that works
Yes, as long the key is authorized
Don’t thanks
Cool! thank you again for your help 😄
On LLMNR/NBT-NS Poisoning - from Windows did anyone have trouble loading up the rdp? It just comes up with a black screen for me for a few mins. Not sure if i should keep waiting or if it is not working for me
I'll look again. When I did ||the keepass module in the training section, it showed several different passwords. I assume because the user mistyped the first password because it was very close to the 2nd password, which worked. However, in the skill assessment I only see the 1 password.|| should there be more than 1 or do I just need to look at the whole file ||without looking specifically for the protectinmemory line||?
you'll see whatever is in the db
i got it, thanks Xre0us you're a legend.
Can someone help in attacking smb module? I tried null session it doesn’t allow me to download the file. Enumerated and got 2 username (without password). Its a local machine . Now have no idea what to do. According to some hints, there is password file somewhere in resource and I am unable to find it
Got it.
👍
Htb put the file in resources section 😭
Yeah
That's generally how these modules work
Always check if there's a resources tab
<@&861185840277487616>
I need help with Using CrackMapExec Skill Assessment, I'm stuck at the third question, the one about DEV01. Send private message if you could give me a hand real quick. 🙂
hello, can i get help with SSH login on the Linux Fundamentals module. I'm not sure what commands to use to find the target machine hardware name
uname
Again with personal attacks kid
after I've connected, I'm still in my directory
The section details using a command to find this info out
The command being uname
cringe kid's back 

I'm not following the order of the commands and where I should be... i only receive my name.. thanks tho
man uname
thanks tho
It will give you details on what the command does
I'm purposely not giving you the flag so that you can do the final bits of the legwork and get the answer yourself
we're done
This field is all about taking base info and learning all you need from it

