#modules
where is that a default in this case? you did 200 but either way even 612 in this case is wrong
-fs means filter by response size
Which means that a response size of 200 isn't the correct size to filter by
ok do you know what size here at this example is default page you dont wanna see?
Yeah, you filter out what you don't want to see, so the errors essentially
mb okay :).
Or the "not found" sizes
Thanks.
Or you find the size of pages that succeed and you filter those in. I worded that wrong
but in this case easier to just filter everything out with the exact Size since the flags have diff size
I really hate this SQLMap Essentials module
Thanks guys :).
im still far away
Hey! Im doing the module "WINDOWS EVENT LOGS & FINDING EVIL".
I have really tried many times, and searched a lot, but i dont know how to do it...
Im at the "Detection Example 1: Detecting DLL Hijacking", where it says:
Let's attempt the hijack using "calc.exe" and "WININET.dll" as an example. To simplify the process, we can utilize Stephen Fewer's "hello world" reflective DLL. It should be noted that DLL hijacking does not require reflective DLLs.
By following the required steps, which involve renaming reflective_dll.x64.dll to WININET.dll, moving calc.exe from C:\Windows\System32 along with WININET.dll to a writable directory (such as the Desktop folder), and executing calc.exe, we achieve success. Instead of the Calculator application, a MessageBox is displayed.
Is there a video or somebody who can help me? Please! Big thanks!
When you run calc from the same folder does it show you results?
are they in the same folder? or do i have to move it?
You said it in the question
The module is showing you that for it to work the calc.exe needs to reference that DLL, which would be considered an altered/"evil" DLL
i just posted what they are saying. but i dont understand how they want me to do it.
do you say it is already done in the lab they have?
DMs
I dont understand... would you maybe hit me up on discord (private) and tell me?
hello guys, i need help
Module: Password Attack
Task: Credential Hunting in Windows
Question : What is the default password of every newly created Inlanefreight Domain user account? (Format: Case-Sensitive)
I've searched everywhere but I can't find it, I found everything else, I can't find this.
Did you run lazagne?
yes but no cred for AD
Can you DM me your lazagne output?
output cred
gitlab cred
ssh cred
you dont need lazagne for this
what happens when you search something like AD or ADUser?
It says that user bob leaves interesting scenarios around, but I couldn't find such a scenario.
i dont remember where but it is in a ||folder|| so you can start looking from C:
I've been trying since last night going to crazy -_-
did you try the search item above?
no bcs this machine not server so i didnt try but now i try
wdym?
I'm just saying use the windows search
oo I tried it
follow the instructions in the module exactly, copy calc.exe to the same folder as the renamed dll. that will give you the correct result when running calc.exe
then find the hash for the dll
Thanks!
the module is on windows event logs so you can take a look at the events when doing it
i think maybe i dumped hash ntds or sam and use the hashcat?
Did you look through all the files from C:/ onward
As well as stuff that was in the faves/quicklinks
I checked them all, I don't know what I'm missing.
if it's asking for what the default password is, NTDS/LSA/LSASS won't give you the answer
as active accounts aren't likely to have the default, in many cases a default password is marked as "Change on login"
not much more than what everyone else has told you
just look around the system for any files that might contain a password
I think the section goes over how to make that search faster but it's been a minute
what are you trying to do, search for a file on a computer?
yes
What is the default password of every newly created Inlanefreight Domain user account
this file
cd C:\ & findstr /SI /M "password" *.xml *.ini *.txt
should be *.xml, *.ini, *.txt, or whatever you want
stupid discord
adding a backtick before and after your message makes it not format
like this ******
also the findstr command is detailed in the section
to include a bunch more file extensions
Hey, i dont get this section to work; To showcase unmanaged PowerShell injection, we can inject an unmanaged PowerShell-like DLL into a random process, such as spoolsv.exe. We can do that by utilizing the PSInject project in the following manner.
Analyzing Evil With
Sysmon & Event Logs
powershell -ep bypass
Import-Module .\Invoke-PSInject.ps1
Invoke-PSInject -ProcId [Process ID of spoolsv.exe] -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"
how do i do it?
directly from the module
lol
didnt work 
it's even funnier that it's under the subheading "using findstr" which is right after the LaZagne section
Hello! I am currently stuck on Question 4 in the Malware Analysis - Skills Assessment section: "Examine the communication patterns of the malware and provide the domain it interacts with as your answer. Answer format: .._"
I have used Procmon and Noriben (as in the "Dynamic Analysis" section) to analyze apple.exe. I could however not find a domain name that the malware is connecting to, neither in Procmon nor in the .txt file created by Noriben.
I have also investigated the file in IDA. While I found some interesting function calls (InternetOpenA, InternetSetOptionA, InternetConnectA, HttpOpenRequestA, HttpSendRequestA, HttpQueryInfoA), I could not find a domain name here either.
Could anyone please give me a hint regarding which tool should be used for this question and possibly some general idea where to look for the domain name?
Hi everyone.
in the Module: PASSWORD ATTACKS > Section: Pass the Hash (PtH)
I am a bit confused as to why I am not able to run mimikatz after i remote into the machine as david or administrator?
32bit vs 64bit i think
^
are you using the one in C:\Tools\Mimikatz\x64\mimikatz.exe?
no.
I was using C:\tools\mimikatz.exe
Hi @fathom pendant , I am at windows priv esc Assessment Lab 1 and I am stuck at doing priv esclation via jusicy potato , the command gets execute without issue but no rev shell is captured . Any help on this please
iirc there's a whole subfolder with mimikatz in the C:/tools folder
hmmm. Interesting.
I was able to get the flag using the same cmd a few mins ago, but it won't let me run the cmd a second time.
¯\_(ツ)_/¯
yeah.
i used mimikatz.exe from that subfolder.
try the 32bit one
Anyone familiar with the SQLMap essentials module that can give me a nudge in the direction of the foothold for the skills assessment?
i am assuming we will have to transfer it to the remote machine from our attack machine?
i can only find one version of mimikatz in the remote machine.
there should be another folder under C:\Tools\Mimikatz
yeah.
that is the only one i can see here.
sure, transfer, or just copy the powershell script over with copy/paste
ah
you could also try compatibility mode
i don't recall having compatibility issues
and they said it just worked a minute ago
restart it then
yes.
I was able to get the flag.
Just wanted to play around with it to see what else we can find.
there's really not much else you can find
but also is it possible, on the other end, that the other command you're trying to run isn't working
the screenshot you showed was cutoff
and was showing /run:c
which is odd
it would be too easy if you were provided all the information
i am intentionally trying not to post entire screenshots.
is it okay to do it here?
Just an FYI: I did run the exact same cmd used to authenticate to david's share which was giving the error as well.
might just be the lab being dumb ¯\_(ツ)_/¯
and no; if the screenshot contains the user hash - don't add it without hiding/redacting the hash
as it's something you need to dig for
gotcha. thanks.
one of the reasons I am bringing this up is to know if this might be an issue during the actual exam.
would it be okay to rest the machines once we start the exam?
yes
if resetting the lab doesn't help in the exam: you contact support
there's no reason that you shouldn't be able to reset the environment if you feel that something should be working, and it's not
Hey, i dont get this section to work. please help;
To showcase unmanaged PowerShell injection, we can inject an unmanaged PowerShell-like DLL into a random process, such as spoolsv.exe. We can do that by utilizing the PSInject project in the following manner.
Analyzing Evil With
Sysmon & Event Logs
powershell -ep bypass
Import-Module .\Invoke-PSInject.ps1
Invoke-PSInject -ProcId [Process ID of spoolsv.exe] -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"
ok. ok. thanks
i thought that might not be a possibility... and also not sure about all the other caveats related to resetting machines during the exam.
Hi! Im on into network traffic analysis and there is this question which command will enable you to read from the capture and show the output in hex ascii? Isn't it tcpdump -Xr file.pcap ?
refer to the Debugging section
i've heard this question is stupid and wants you to provide the flags in a specific order
for some reason the color doesn't update in Process Hacker, but it definitely becomes a managed process
Do i need to give the whole command or just the flags?
try closing and reopening process hacker
i think it's the whole command
i haven't done it but you can likely search this channel to find the answer
The question is more about: I have no idea even how to do what they are saying i should do
what is the question
labs are very slow today -_-
Thank you for the tip
how do i do the injection?
you just follow the steps outlined in the section
they dont work. everything is just red text coming back
when i copy paste what they say, then it tells it doesn't exist
send a screenshot of your commands
did you replace [Process ID of spoolsv.exe] with the PID of spoolsv.exe?
kinda rude
weeeird
e
nice scare bro
oh please i already know my own ip address
wow nice
there's a cube talk today ?
ye
nice
30m
10
they do the cube talks during class though..
just skip class
if i skip my grade goes down a letter so no
? you come here for help or just to be a skid?
exciting
just underflow your grade so it loops back around
holy shit genius idea
just drop ur school xD
my bare minimum requirements for me not getting booted from my school is keeping a 2.0 GPA, fuckin EZ
Lol. can paste a picture...
i'm one semester away from graduating though
you can verify your account in #welcome
in order to send screenshots/images you need to follow #welcome
then you can afford a letter grade drop
why is your battery so low 🙂
Cool, behave or your permission to speak or use this server will be revoked
You can't just copy/paste that command. You need to replace the text [Process ID of spoolsv.exe] with the PID.
Domain Expansion: Shut the Fuck up
@clear iron We gonna have a problem?
yo, HTB Certified Discord Member
welp
No u
RIP skid
you are about to be free
thats a big ban
Just so we're clear what nonsense behavior gets you when interrupting people trying to learn.
and jobless xD
bro....
no offense , JK
no it's true tho lol
wish u all the best
thanks
can someone help on this please?
i haven't done this btw
it didn't import the process inject
you need to locate the module you're importing
ohh. No worries. Is there someone else who has done Win priv escalation
your first error shows that it didn't import; the fully qualified error "Module not found"
.\ implies to powershell (and most shells) that you're importing it from the current directory
i forgot where the tools are on this module's target
likely C:\Tools
i would check either the root directory or your Downloads folder
as that's the most often place for them in the Windows machines
i think for this module it was in C:\Users\Administrator\Downloads but you can always just check both
Thank you, I found it now! 🙂
try having a look at PSInject
yep the PSInject is a directory
yes now import the module!
So i do the commands from here?
yep
you can also do Import-Module C:\path\to\module.ps1
using the full path to the module you're importing
and we agree that this is the process number?
i just changed magic bytes with hexeditor and worked
idk why it didnt by adding directly the file signature
that looks correct for you, yes
FFUF Attacking Web Applications with FFUF - Module: Directory Fuzzing
Guys im not a pro at linux but I understand that this following cmd line guide in this module is giving a directory that I can't access?
jojoB@htb[/htb]$ ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ
Output:
Encountered error(s): 1 errors occured.
* -u flag or -request flag is required
It's asking for a target URL but this part of the guide doesn't explicitly say what the target is?
Or is that the part I'm supposed to figure out, just give a random URL?... That's really ambiguous
you need to provide a url
usually that's gonna be the target spawned in the module
it should specify that then.
if you need a target, the target should be spawned at the bottom of the section
no part of the guide says "give a url"
just saying , again. Ambiguous to newcomers
either a public_ip:port or a 10.129.x.x
i'm pretty sure the command output given in the section specifies an example URL
the URL is gonna be whatever you're gonna be scanning
probably, they don't do wordwrap so commands can go on for miles beyond what's just in the window
true
thanks though guys
now i just restart the spoolsv.exe?
the directory mentioned is just the SecLists directory; if you don't have the SecLists repository downloaded then you'll just have to download it from github
pay attention to the time when it happened, use the example from the topic
so if you don't have that specific directory you'll have to find out either: A) where it is or B) download and just put it there
if you injected the code into the process, then you've completed the exploit. the process should turn green in Process Hacker. if it doesn't, that's fine, just refresh or restart Process Hacker and it should become green. What matters here the most though is the event logs; if you have Sysmon configured to log event ID 7, you should see spoolsv.exe load clr.dll and clrjit.dll in the Sysmon event logs
i do what it says. but it did not turn: "spoolsv.exe" transitions from an unmanaged to a managed state.
like i said, that's fine. if you want to see it turn into a managed process, refresh or restart Process Hacker
however, you should see Sysmon Event ID 7 events being logged if you have it configured to do so
what module is this?
this
Google Windows KBs
IIRC KBs are kernel updates
eh
i don't remember tho
they're more like minor patches
i see
KB specifically refers to the Knowledge Base article on Windows regarding the update
https://www.catalog.update.microsoft.com/Search.aspx?q=KB here you can see a bunch of them
thanks man
weird
but there's commands to see what specific ones are installed
i think my file signature was wrong
since when i added the magic bytes and viewed the file signature it was slightly different idk
i have done that. but it is not right still.. im at the event 7 and have the process id in front of me. but it is the wrong process
filter for the process
or if you know the time you did the PowerShell injection, you can look around that time instead
how do i do that? set the process number instead of event number?
This one looks right. but it is not that..
- remember the exact time you performed the PowerShell injection. search the logs around that time.
- check the process ID in the logs. it should be the same as
spoolsv.exe
i forgot that filtering is taught later in the module
Guys, to finish the module Password attacks section pass the ticket on Linux, I need to complete all sections and despite many days I couldn’t figure out how to solve the part on Pass the Ticket Linux page . I didn’t receive help in that particular section so I’m writing here - maybe some of you could be kind enough to give me some hint. The task was:
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)
I transferred linikatz and ran it from svc_workstations where I was root and couldn’t find any ticket that would grant me access to dc01/linux01. What am I missing? Maaaaaany thanks in advance!
There's definitely a ticket you'll find that gives you linux01$
look through the ccache files it finds
I tried them all and get ‘no credentials found’ message
The example image also shows a place where they're stored
Is there a way to make linikatz check different places than default ones?
It's in a default location
And it should be done from svc _workstations account where I have root,right?
Thanks!
It can be done from there
I think it's under some /var/lib/ directory
I manually dug around to find it when I did it, so the tool cuts the time down a lot
How were you searching for that manually?
Lots of digging around with ls and find and pain
I would not recommend
Linikatz should find what you need
Ok. Thank you very much MarcieLee. Will give it another try this late evening. Have a great day
Hey looking for someone who can assist me. I’m having trouble with whitelist file upload attacks section. I’ve been trying to upload the phpbash script but I can’t get the webshell to appear just a grey page with an error
**Module: Attacking Common Services, Section: Easy Lab** Question: My friend said if i enumerate the smtp i would be able to find a valid user using the provided users list at Resources, but i couldnt find any valid users, might need a nudge.
```
smtp-user-enum -M RCPT -U /home/htb-ac-1065982/Desktop/usernames.list -D inlanefreight.htb -t 10.129.203.7
```
You just need to find right extension
If you already bypassed blacklist and whitelist
I’m doing exactly what I did before but not getting the shell
Good Day,
I have returned to the Introduction to Brute Forcing module and I'm currently on the Website Skills Assessment. I am not sure if there is something wrong with my fail string but the login creds that hydra is providing is not working. Going to try uploading a screenshot now
How did you bypass the whitelist filter
Ig he's getting an error in the page when he tries to execute commands, this error saying: image couldn't be displayed or smth
I used php:.jpg before but now it’s not working for for white list
Apparently the web doesn’t recognize the php code with the extensions you put so you need to try multiple extensions that works
Yep you may have passed the whitelist
But the php code doesn’t get executed , try different allowed php extensions
I guess I don't know how to find my account identifier despite linking my HTB acct and HTB Academy acct.
Read #welcome
Yes one sec
There are instructions on how to find your identifier
I did and when I try going to apps.hackthebox.com it redirects me to HTB Academy login
And unless I'm misunderstanding, I'm not sure if I can obtain my acct identifier from HTB Academy profile settings
choose HTB Labs
Dang HTB really isn't liking me. Tried resetting my p/w and the reset link still hasn't hit my inbox or spam lol
HTB Academy and HTB Labs do not use the same account
might want to restart your machine ... being bored on a friday i just fired it up and got the username ... only difference is that i don't explicitly call my file I just run my command from wherever my user list was at ... might want to revert and try again
dir
I got it nvrmnd
Can someone help me on the CORS Misconfigurations module in advanced xss and csrf exploitation? I'm lost on how to get the flag I reread all my notes and material.
I am using the following command
hydra -L /opt/useful/SecLists/Usernames/top-usernames-shortlist.txt -P /opt/useful/SecLists/Passwords/darkweb2017-top100.txt -f 94.237.57.59 -s 38019 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"
The creds Hydra produced were root:password
The login page doesn't seem to like these creds. Is there something wrong with my failure string?
Alternatively if I specify the user as root in the below command
hydra -l root -P /opt/useful/SecLists/Passwords/darkweb2017-top100.txt -f 94.237.57.59 -s 38019 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='login'"
Hydra comes up with root:123456 for creds
i'm not sure about that module, but your command looks a bit off to me, specifically the last part. is the fail message of the app "<=form name='login'? because that seems like a strange fail message
generally it's going to say something like "login failed" or "error" or "not found" or something you know?
just search for mimikatz in the host machine and copy paste the path.
can you give me a hint how to solve command and control question?
DM me bro
There isn't a formal failed password message. User and pass fields clear and you aren't re-prompted to enter correct creds. The user is just left to assume they are incorrect because they haven't been logged in. I'm a lil flustered since I had success with the first question which is very similar but I know I'm overlooking smt
It's been stuck like this for several minutes lol. One day I'll finish this module.
yep i resetted the target and managed to get the user and retrieve the flag, thanks man!
There are some issues with your http-post-form
Any hints would be much appreciated
While working this same one I found that if you remove the username and password from the POST it will give you a HTB{} in the body of the message you just have to hunt through each try.
That looks like a GET request, not a POST
I can't test it since I don't have the wordlists anymore
Instead of http-post-form use http-get and see if that works. It's not a post form. Assuming you're on the Skills Assessment: Website one
That part is correct
You're going to have to look at the code to see what you did wrong
Which one are you looking at? I managed to brute force it with http-get, but I might be on the wrong one.
Isn't it an http-post since I, the user, am doing an HTTP POST by entering creds?
The second question
Oh, right. I'm looking at the first question.
But that's what I am not understanding. Is it in my fail string?
Look at each part of your whole string and look at the source
You can use the section Login Form Attacks to reference the code there and see what the difference is there
https://academy.hackthebox.com/module/113/section/1108
on the first question im having a hard time getting the first flag i got all the remaining flag including RCE can anyone lead me to the right direction?
Hello, I'd like to know if it's normal for the module's windows machines to be extremely slow. It takes me a few seconds to see what I'm writing in the powershell, it's unbearable and unusable. I use xfreerdp to connect.
Use the tcp vpn
I will try
yeahhh its slow TCP vpn will make it a bit better
Thanks for the moment it's much better
how'd you get all the other ffufing answers and not that one?
well i just do ffuf and i got some vhost looked at the gitlabs proj use msfconsole to enumerate the app and got 2 interesting exploit and one of them works
I'm not seeing it. Maybe I've spent too many hours looking at this
i got a wp site but the question is not taking my answer ;?
there are 3 specific things that are different about your string that are different in the source. take a step away and look at it with fresh eyes
it requires the full http url.....
got it i was putting / at the end and didn't notice it
thanksss for the assistance!
Hello man can you help me plz for this : https://academy.hackthebox.com/module/67/section/637
I search login ldapadmin but since 6 hours I don't find
Okay so I think the login field is <form name='log-in'
Username field is no longer username= but user= and pass= respectively. Am I on the right track?
@shut quest @minor stag I finally got it... I appreciate the assist lads
Hello can someone help me with https://academy.hackthebox.com/module/211/section/2276
anybody have done CPTS windows priv escalation assessment lab I?
Yep! What are you stuck on?
tried multiple times and it keeps saying wrong
for active directory enumeration & attacks skills assessment part 2, are there supposed to be problems with using mssqlclient to connect and you have to do it the windows way, or is mssqlclient still a possibility and I'm just using it wrong? (I'm getting untrusted domain errors)
I had this exact issue earlier today. I had to run it 4-5 times and got slightly different flags each time until eventually I got the right flag.
The third word of the flag kept changing and eventually came out correctly
this is the right line tho, no? its driving me nuts lol
Yes, it's the right line. Just keep trying until it comes out correctly.
i gots a silly question. when im in the manual for a tool and you use "/" to search.. how do you move to the next find?
legit ran it 10+ times lol
Is it returning that same result really quickly?
You may need to add --flush-session so it runs it again from scratch
hello i make the introduction to c# and i'm stuck on this question (Write a piece of code that performs and assigns the modulus of 10 divided by 3 to an integer named remainder.) i have tried like this:
```
int a = 10;
int b = 3;
int div = a / b;       // integer quotient is 3
int remainder = a % b; // remainder is 1
```
if anyone can help me thanks
There's literally only one incorrect character in that flag too, so hopefully it rights itself after a session flush.
usually n
I think the A needs to be a _
Please delete the screenshot though, as flags should not be shared
That's correct, yeah. It's just a matter of these time-based sql injections giving weird results.
Eventually they come out correctly.
FINALLY!!! thank you! lol
question on sqlmap essentials, for table flag6. i got the right answer but im confused on why this got the wrong answer:
vs
also, without the hint letting you know of the prefix needed, how would one know to use the prefix parameter ?
in the service attack module, in dns part. what we need to put in /etc/hosts file. i had put ip with domain inlanefreight.htb and ip with *.inlanefreight.htb . how i can get the associated NS with it to put in resolvers.txt file (under subbrute directory) . if i lookup with dig it shows NS inlanefreight.htb but that produces the error since there is only 1 NS. am i putting wrong NS value in resolvers file or some value missing in
What question are you on? If you're using the resolvers.txt you don't need to put anything in your /etc/hosts
trying to understand how subbrute works. lemme check without adding into host file
subbrute will simply brute force subdomains. it will use a wordlist you point it to.
yeah i got that. but with inlanefreight.htb I am confused and unable to make it work. what to add in resolvers.txt. the resolvers.txt file ideally should contain dns servers. in context of inlanefreight.htb which dns server should be added?
you're correct. in this case, the box you spawn will act as the DNS server for you, so instead of your computer calling out to the real DNS servers from your ISP, it will use htb's private name server (the box you spawn) to resolve the hosts, this way you can resolve hosts that are on the internal network (inlanefreight.htb) that aren't accessible by your public DNS servers from your ISP
long story short, spawn the box and the only thing in resolvers.txt should be that IP of the box you spawn for the module, that way it forces subbrute to use that name server only
Please remove the commands, its not fair to others that do not want to know the answer. As for the quotes you can read this:
https://www.gnu.org/software/bash/manual/html_node/Double-Quotes.html
and this
https://www.gnu.org/software/bash/manual/html_node/Single-Quotes.html
how did you solve this error bro?
i will but it confusing that HTB doesnt break this down really. just doing random trial and error
@fathom pendant I still can't find it, Jesus sorry
Just look carefully at the output
I thought you were on the linux ptt?
Hello can you help me plz on this exercise ?
Can't answer questions you don't ask
I don't transfer tools, I don't find creds either... I am blocked since 9 hours on this exercise
I'm asking what module and section you're working on
Password Attack - Windows Local Password Attacks - Credential Hunting in Windows
Mmm ok someone was asking about linux prev
What is the default password of every newly created Inlanefreight Domain user account?
Read the part titled "using findstr"
Actually I've been reading and using it for 2 days. 😄
Well then I suggest copy/pasting that command exactly. Iirc I didn't have to change anything about the given command
Digging manually would take ages, even given the hint
I'll let you figure out the other parts but the command is wget not nwget, and you'll want to add a -O whatEverFileNameYouWant
Poor documentation from HTB seriously. still unable to figure out. All i understood is ip that is given is nameserver. since subbrute doesnt recognise ip, we need to find associate domain or create one, by editing the host file and adding ns1.domain in it. Now adding this ns in resolvers.txt too . all steps followed, still its showing some error
apologies if this is a spoiler in any way, please I need a nudge on this, any advice would be appreciated, I get the wrong value from my script in the "Intro to Bash Scripting" Module section - Comparison Operators
Just add the ip to the resolvers.txt
Already do
Oh damn, figured it out, apologies this is a spoiler, gonna edit now, thanks!
Asking the question often gets the gears working to the answer :D
Is that a O or a 0
actually 🤣 I checked the hint and apparently, the answer is supposed to be 19 chars not 20, wasted so much time on that 
hello everybody
Looks like a 0 in your command line, which is incorrect
-O as in OutFile
no information is provided for the skill assessment part 1 of the attack password module do i need to do a hydra on the ftp service? i've changed the passwords but still nothing.
for some reason it is giving same "list out of index" error
Well then you fucked something up lol
Remove references to ns and inlanefreight.htb in the resolvers.txt
i did reset the whole box as well as the target.
it worked fine for me ¯\_(ツ)_/¯
they could have just really put some instructions on this inlane domain.
noob me, i guess
I mean really what worked for me was using the ip in the resolver file
Other than that idk
Maybe run specifically with python3?
doesn't look like its version error. trying it lets see. same error. even with dig command, it is showing timeout. the command I am using dig inlanefreight.htb @10.129.203.7
yes
Then it's not dead
it is showing timeout, nameserver are somehow not working
Eh
dns server*
communications error to 10.129.203.7#53: timed out
I'd like to know if I'm on the right track because I've tried without password mutated and with but nothing 😦
Right track for which section?
New error this time lol. Connection to 10.129.203.7#53(10.129.203.7) for inlanefreight.htb failed: timed out.
Just always enumerate the target and look around
Don't always jump to attacking, always check if a service has anonymous login enabled
For instance *
it's true that the module is called password attacking for me it was probably brute force directly fucked ... thank you. 🙂
i think i got the error, so basically port 53 is not open on the ip. so all connections to that port are timed out. dont know what to do now
also 64 threads might be too much, try 48 or removing the flag
@fathom pendant
Well if the port isn't open nothing you can do
I don't have magic ts for you to do except terminate machine, start it again, wait ~5 minutes try again
yeahhh. Thanks a lot brother.
all I can say is right track ¯\_(ツ)_/¯
hi, im trying to do the ADVANCED XSS AND CSRF EXPLOITATION but in the Lab warmup module asks to add these domains to the /etc/hosts
vHosts needed for these questions:
exfiltrate.htb
exploitserver.htb
xss.vulnerablesite.htb
csrf.vulnerablesite.htb
but when i add them like
<targetIP> exfiltrate.htb exploitserver.htb xss.vulnerablesite.htb csrf.vulnerablesite.htb
it does not show anything, any one could help me?
Thanks
im solved really :))
It was in a very simple place.
Hello! I have a question about the Whitelist Filters Section at 'File Upload Attacks'
I did the bash script thing and I've got all this extensions with 'File successfully uploaded'
My question is: Is there a way that one can see if the script uploaded was successfully executed without doing a click 1 by 1 > send to Repeater > refresh the page > go to that link on EVERY SINGLE payload on the intruder?
Every payload with Length 230 gives me a 'File successfully uploaded', but not all of these payloads execute the php script
Because imagine if you are on an assessment or bug bounty and this will take you at least 1 hour to test manually every payload 
hi
I bought a CPTS exam certificate ticket by mistake, it was on my card, how can I cancel it, now it's done.
The exam voucher is good for 1 year, but you'll have to contact support
Do you have an e-mail address and e-mail address?
Reach out to our support team on https://help.hackthebox.com (bottom right, chat bubble). They will be able to assist you.
Hack The Box Help Center
Isn't there a relevant e-mail address? We couldn't find it here.
The best thing is to raise a request via the site above, it'll go through to our support department. If you were to email in, it'd likely be direct to the above link.
Just open the chat with the icon in the bottom right, and as it states, type "Connect to an agent".
Someone will get in touch with you as soon as they can, but do take in to account the time and day. We'll get you sorted out, don't worry 🙂
Just leave a message detailing your concern, and you'll get a response as soon as possible
i also sent an e-mail with the receipt in a click editme
Ok, but that email will not go to the support team. Sit tight, someone will assist you as soon as possible
seriously, a worried click has gone
i have sent a message to the support page so far, but if I close the page, will it be a problem if I fall asleep
No, the message will still be received by the team, and they will reach out.
my friend, thank you very much, good work, good hacks
can any one help me with this one, Command injection module Bypassing Blacklisted Commands section
Use what you learned in this section find the content of flag.txt in the home folder of the user you previously found.
i tried obfuscating the cat command
but it doesnt work
is good 😉
first time using burp suite for php web shells module, im trying to click "open browser" on burp and its not working. watched a video and they didnt have the same problem
you don't need to use that, just use firefox with foxy proxy and set the proxy port to burp's
@next bronze yeaahhh watched another video w/ foxy proxy. got it all good now
Anyone done intro to python3 - Continuously Improving The Code? I'm not really seeing how the code relates to the question/answer at the end
hi i am doing WINDOWS EVENT LOGS & FINDING EVIL skill assessment, in question 3 it asks about the process that injected calculator.exe to do unmanaged code execution. in my part i checked event id 8 'CreateRemoteThread' BUT i am very curious to know if there is another way to go about it.
spoilers
Sorry if this isn't the right place to ask about this. I'm confused about the point of cubes. The silver/gold subscription gives you access to the modules anyways so why would one bother with the cubes..?
just different models, silver gives tier 2 and below access, gold give tier 3 and below, you can use cubes on any modules
So if you wanted to complete modules above level 3 you'd need to use cubes, but otherwise you can just get the subscription? I'm really only interested in the cpts cert so I assume the cheapest way to go is the annual silver subscription?
i would only get the gold subscription if you're planning on taking the CWEE
Even then 6 months Plat covers it for less
Give or take
awesome
if you're planning to do only 1 path, getting the montly cubes subscription is far cheaper
I only recommend the annual plans if you plan on doing a lot of the content
And even then, only for one year
After a year the value proposition dies hard
the only issue would be that you're just limited to two modules a month on plat (which might actually be fine)
Well I'd assume the t3 modules are tough enough and dense enough for a months worth
you can also start your plat sub early and accumulate the cubes
I have couple thousand cubes sitting around
Oh I see. So the silver monthly plan wouldn't unlock everything right away, but rather give me 200 cubes to unlock modules throughout the month. But because the modules take time to complete, 200/mo should be satisfactory?
2 months of plat covers a whole path (outside of cwee), you can then cancel the plan while still having enough cubes to unlock the modules
And I retain access to my cubes and modules even after cancelling the subscription after those two months have passed? That's a very good strategy. 2 Months of platinum + the test voucher is significantly cheaper than an annual silver subscription.
yes, modules unlocked with cubes are permanent
you also get 20% of cubes back when you complete the module so technically 1 month of plat + 1 month of gold is enough for cpts
You sir, are a legend. Thank you for helping me understand the pricing model lol. I miss the days when I could just type in my card info rather than sifting through subscriptions, tiers, and alternate currencies 😭
to be fair the pricing model on academy is a bit weird
I've heard they're looking into it
I've mentioned a fair few times to g0blin the value proposition of the annual subs falls off hard after the first year
does gold monthly unlock tier3?
gold monthly gets you 500 cubes, you can unlock whatever you want with it
except Tier IV modules, you need 1000 cubes for those (2 months)
anyone having a difficult time spawning their target?
me
it took like 10 minute but spawned at the end
same here too, it seems to be taking way longer than usual
do we agree that in skillassessment2 there is no domain?
There can still be a local domain
Also its taking username.list as a user, not a list from what I'm seeing
according to the cheatsheet, this is how you specify a list
I'm just going off the visible error
i'm lost 😦 i enumerate the users with msf and at last I have my wordlist but when i do hydra or crackmapexec nothing ...
try typing the name of the browser you want to run into the terminal
@dim wolf ty! im going to delete so ppl dont see that LOL
I had been in academy recently and I realized that I'm not fully understand in each 4 topics here
From what I understanding,I think this 4 topics to be 2x2 table
Offensive- penetrating / exploit
Defensive- Defense / bug finding
guys im not able to redeem hack the box academy code :c , can anyone help me?
Am I understood it right?
when i go to the page to try to see if my shell worked, it just loads indefinitely, does that mean i did something wrong?
Module: Attacking Common Services, Section: Assessment Lab - Hard, Question: How do i get the Administrator creds, might need a nudge for example which part should i enumerate more.
Current creds that I have:
s*****
f****
j***
I was able to login to all 3 users on smb.
I was able to rdp using f**** creds.
Interesting file: unattended2.xml, which had a administrator password, but could not use for any services hosted on target
Is that the last question?
Yes it is
you don't need to find the admin creds for this
what other services can you use the creds you have to authenticate with?
There’s rpc,smb,mssql,rdp on target, however I only found the creds for smb (but none with admin privs), for rdp (only f*****). For mssql, I didn’t manage to get any credential.
From one of the shares you found in the smb shares, you get some information on how escalate privileges.
Yes I rmb to impersonate someone
great so that shows the service you need to attack
after impersonating that user, enumerate further
Oh ok, I’ll explore that area further 🫡
you are so close. just open that (service) section of the module and try the other techniques and you're golden.
Ok thanks m8
@soft cedar I got the mssql password for user f*, but i was unable to login using sqsh using the below command:
```
sqsh -S <ip> -U .\f**** -P '<password>' -h
```
Error message:
```
Open Client Message
Layer 6, Origin 8, Severity 5, Number 3
ct_connect(): directory service layer: internal directory control layer error: Requested server name not found.
```
did you try with impacket ?
impacket-mssqlclient -p 1433 f****:'<Password>'@IP -windows-auth
i tried mssqlclient.py -p 1433 f****@ip
you need to add -windows-auth, since you are auth to windows
bro thanks
i managed to log in yay
so let's say if we need to auth to windows for mssql, is there any flag we need to put when we bruteforcing with hydra or other tools
nope
ok thats cool
can i dm something regarding the impersonation process, because i might be leaking the users if i post the ss here
ok go ahead
in which part of the crackmapexec result shows that the user is local admin?
Pwn3d! and the fact that it's a single \ shows it is local
valid user will be a green [+]
no if its just a valid user it displays +
icic thanks a lot!
In footprinting DNS module, can’t seem to find the x.x.x..203 IP.
Are you just trying how file download works by downloading something from your own machine?
What happens when you open the browser and browse the url and port? Do you see the file listing?
that’s not very specific
You have to find all Zones
Hello everyone - is crt.sh down for anybody else or is it just my internet being a potato?
Yes No prob
If you try to download from localhost, where do you think it tries to download from?
im doing AD fundamentals rn, isnt a leaf basically just objects like users, computers, etc?
yes, a leaf is an individual object that resides inside of a branch
a user, computer, group, printer, etc
alright thanks
in my experience they provided the creds
idk about that specific module though
you could try the default for the neo4j database, neo4j:neo4j
It’s different from the one provided by htb.
yeah i figured, i remember it being different
But it’s in the module somewhere
does anyone have a list of yes and no variations that i can try on this question ? the correct answer is Yes but ti does not take it, neither takes no soo i wanna give it list of variations lol
hey , guys i am stuck in the last question of pillaging section of windows privilege escalation , i have SAM , SYSTEM , SECURITY files on kali machine but by using secretsdump.py on those files it is showing an error "can't find root key " , any hints ?
It's not asking a yes or no question
that's what it sounds like to me 🤦 were numbers used ? yes or not
lol i can see it being read that way
and this is the hint 🙂 Are absolute sequence numbers easily understandable?
yes or no...
can't see any other answer
i believe it's asking you if it's a or b, not if either were used
thanks...
it makes sense now
ook another one now.... for real why are them questions so tricky...
-r to read a file, -X to output in hex and ASCII .. why it doesn't work ?
i didn't do that module so idk, but it looks like it wants the whole command not just the flags
tried... nothing works..
also tried -rX and path to file, tried -r pathtofile -X .. also tried double X
thanks for the yesterday help
i complete it
In "stacking the deck" how to setup lab for the Bleeding edge vulnerabilities. According to scenario at the top of section when i open parrot os from the end and spawn the machine then i ssh to this machine and when i run another rdp by spawning the machine the previous one is closed
@next bronze
Can you show us the command you ran? Did you use Local?
hi
did you completed the AD enum & attack module?
yees
I am noob not senior
yeaah
In "stacking the deck" how to setup lab for the Bleeding edge vulnerabilities. According to scenario at the top of section when i open parrot os from the end and spawn the machine then i ssh to this machine and when i run another rdp by spawning the machine the previous one is closed
you can't spawn two machines in the same time
so how I can solve it?
it's not necessary to spawn both of them at once
where i can practice the other ones. there is lots of tools
and techniques
you can finish the techniques on the windows machine then spawn the linux machine and use it to practice other techniques
in windows i can open multiple cmd prompt but when i open ssh to a attack01 host i cant open multiple terminals to run multiple tools like nopac
printnightmare
idk man , I used my vm with vpn to solve this
ok
am using also
but i really appreciate your help thanks a lot🙂
iirc , I have done the windows part , then go back to the previous section and spawn the linux part
I also use pivoting sometimes , so I can rely on my VM only
talking about the 2 question
nah someone posted a question but they deleted it
so i responded to him but its gone
hmm
https://academy.hackthebox.com/module/144/section/1311
Well I tried a lot of tools like dig, sublist3r and I looked at "hint" and they are saying to use crt.sh, but...
Well I found a tool but why I have no access to crt.sh ?
I think its down
Doesnt work for me either
And it worked when i was doing this
It’s working for me.
Try searching something
yeah its broken.
RIP
Heyyyy
Well xd, I found alternatives tools so it's okay I hope it will come back soon :(.
Just with sublist3r why I had this msg and it was stopping, I looked at the forum and some people were saying it was working to find the solution.
Can someone tell me that they can hack Instagram?
#rules keep it legal :D
No, this is not legally possible
However, you can always contact Instagram support if you have problems with your login.
No my account got hacked 😭😭😭 that's why i am sayinggggg
Contact the Instagram support team
They aren't moving their lazy ass what they can do?
EH don't hackback :).
XD
If you are not patient, leave internet bro.
Leave this world.
Bro did smooth Reply
The web is not a location where you have an answer in 5min.
My account was famous and it got banned
Wow insane. no
So what ? I am not here to learn Calculus
this is not the place. we can't solve your issues
Nobody called you bro💀🙌🏻
you got told that by two other people man. at some point, it's gotta get in your head
we're not instagram
Hmm
There will be a reason why you were banned,
There is nothing we can do for you here.
Please return to the topic of this channel
I have 2 questions about this section: https://academy.hackthebox.com/module/103/section/1008
Which ip address do I need to use in the xss payload? the ip of my localhost? private ip address? public ip?
Secondly it is mentioned to start a php server but the code for the index.php is not given. So is it the same server as the last section?
OUR_IP = Your PwnBox / VPN IP
You have to write the index.php yourself
Alright, thanks a lot
hi guys, in the skill assessment of SECURITY MONITORING & SIEM FUNDAMENTALS, the 2nd question with #1 failed login of a disabled account, is it that critical to escalate?. The account is disabled, only single login, and it failed. Couldn't we assume the user mistakenly used old credentials?
disabled
that's the key word here
usually "old credentials" means old password
and an account wouldn't be disabled if the username was changed
an account being disabled means the user is no longer in the org and the account was disabled -- prior to whatever the next step would be in their Security Process
(if it ever gets cleaned up)
most of these questions are not black or white, it can be seen as a "someone tried to log into our honeypot" and therefore would be "escalate this!". But you asking this question and thinking about it already shows you know there's a nuance to this and you passed the test
Makes sense, thanks (to both of you guys) for clarification 🙂
np
it's always about looking at the wider net
sure this is one isolated user
but that one isolated user could have been a previously compromised user, or had their credentials compromised at some point
need some assistance with type filters on the file upload attacks module is someone available to assist
i get this " cannot be displayed because it contains errors
Gif8.phar.png is what im using as a filename
well it sounds like your payload contains errors
i also have GIF8 in the top of the payload php script
to trick it into thinking its a different filetype
but is that what it's loading the file extension as?
also when i remove gif8 from the payload script it fails when trying to upload
try switching the extension
png.phar
it's not every allowed extension that can execute PHP code.
anyone can help me with Skill Assessment - Broken Authentication? I got the session id persistent cookie but I couldn't figure out how to decode it on cyber chef, (url decode/encode, base64, md5, magic) tried everything but rabbit hole gets deeper and losing my mind. thank you.
also i noticed the session persistent id looks like a not normal cookie so i dont know if that's a factor too. example:
Set-Cookie: htb_sessid=YjNiOGI1Y2Y0MjFkM2Y5NmY2NDY5ZmE2MThhNmJiN2Y6NDM0OTkwYzhhMjVkMmJlOTQ4NjM1NjFhZTk4YmQ2ODI=
Set-Cookie: htb_sessid_persistent=ab9ffc18bdb04af3e26491495979dd7713cc7691
thank you for anyone who's going to help me!
well as it's a skill assessment, take a step back and review the other sections of the module to figure it out
did not work
can you send a ss of the burp repeater
that's why i use cyberchef because i went back. but still couldn't figure out. thanks tho
i guess no one will help. thanks anyway
just be patient dude
just because you didn't get an answer you were expecting doesn't mean no one is gonna help
easy for you to say. been stuck here for 3 days
ss?
then it sounds like you might be overlooking something
people can't share screenshots in here unless they read and follow #welcome
already stepped out, touched grass, went back, and still couldn't figure out
gotcha
still cant get it is someone available to assist
https://academy.hackthebox.com/module/103/section/1008 : I have an issue in this section. I can not get the loading remote script. I have a php server up and running. I have tested the link on my browser and it was able to receive an http request. The problem is that when I submit the payloads in the form I get nothing. Have tried all payloads mentioned none worked
Sure dm
Hi All,
Sorry clumsy finger... I have a question about the Infiltrating Unix/Linux (page 10) in the Shells & Payloads. I wasn't able to make the metasploit module for the rconfig web service work.
I solved it with a different solution but I'm still curious about how I should fix it?
idk. i just know the answers
my only memories come from certain modules (like game modding and reversing and thick client applications)
i dont really take notes because i'm not taking the cert
unless i win one in a ctf then i will get it for my collection but outside of that i would rather spend the voucher money on good food and good times.
i don't think rconfig was vulnerable for this instance
oh wait it is
i'm thinking something else
i mean if you answered q1 it shouldn't take much to get q2
it's just setting the right things in msfconsole
RHOST, LHOST things like that
the rconfig_vendors_auth_file_upload_rce was working and properly uploaded the php payload but wasn't able to establish the reverse shell. I did solve it using a webshell
did you set the LHOST properly?
I did set LHOST to my vpn IP indeed
a shortcut in-case you mistyped is using set LHOST tun0 and it will pull your tun0 ip
instead of you manually typing it
that's a wonderful tip thanks!
if there aren't other parameters to set could it be that I was the problem 😓 .
thanks a lot!
module DETECTING WINDOWS ATTACKS WITH SPLUNK
iam doing Detecting Golden Tickets/Silver Tickets
had stuck at the question : For which "service" did the user named Barbi generate a silver ticket?
i had try query from silver ticket in the module and find through username Barbi
have 4 events
but none of them have category Service
i just checked, and idk if you rechecked as well, but I changed nothing but the RHOSTS and LHOST variable and it worked just fine for me
so likely you mistyped your LHOST IP
which happens
i've definitely been guilty of stuff like 10.10.14..15
I will try it again double checking my ip so thank a lot
but you can literally type set LHOST tun0 and it'll pull that ip
no need to retype it
👍
I solved it. The problem was the configuration between the vpn and the target. I recommend using the pawnbox when it comes to setting up servers and networking
pwnbox uses the same vpn
I know. But I executed the same commands on my machine but it did not work unlike the pawnbox. Could be a cache problem on my network or so
prob the second. As I have a few set up on my private network
:< no one in modules DETECTING WINDOWS ATTACKS WITH SPLUNK now
anyone know this one hash from hashcat module ? the only thing i've not done in that module ... things i tried:
```
sudo hashcat -a 6 -m 0 hash /usr/share/wordlists/rockyou.txt -1 ?1?d?d?d?d?d?d
hashcat hash -m 0 -r /usr/share/hashcat/rules/rockyou-30000.rule /usr/share/wordlists/rockyou.txt
hashcat hash -m 0 -r /usr/share/hashcat/rules/best64.rule /usr/share/wordlists/rockyou.txt
```
yep
just from target machine and resource given you can complete that sections bro
that for me , even i spend 2-3 days to do that and understand 🙂
but figure it out is much more interesting
That guy helped others but didn’t help me. Such is life
:v what do you mean bro
Anyone can help me that would be so great. Thanks
🙂 oh damm i did not get into module about attack yet
Talking about that marcielee person but that’s okay
Its okay! 😊
it's not like people have to help you.. and he is not htb staff either so again he doesnt have to 🙂 btw have you tried base64 decoding ?
may not be helpful as i've not done the module yet but looks like a base64 🙂
do you need more help ?
perhaps i haven't done that module and can only offer mild speculation
🙂 oh man whatdahell i get this
🙂 so now understand it
I don't know all the fun tricks they showed in that module to maybe getting the answer you expect
Will try to look again when i get back. Thanks
Exactly, why did you reply like that in the first place. Thanks anyway
Because I was offering some insight that maybe you looked over something, i.e. the session being b64
You provided barebones info and what you have/haven't tried
with minimal info I'm gonna tell you to re-read the module and refer to the different sections to pass it ¯\_(ツ)_/¯
now i'm triggered like i feel i wanna solve that authentication module lol
done everything in the hashcat module besides the one hash i can't crack lol ...
I have a strange issue or lack of knowledge with hashcat. I have a as-rep ticket that starts with $krb5asrep$18$, this is for the Kerberos Attacks course on HTB Academy, I am fairly certain the only way forward is to get the password out of this hash (I saw a post on the Academy Forum that said that). My problem is when I try to run hashcat on my host machine I always get an error say the separator is unmatched. I can run the same command on my VM and it works fine but does not give me a password back. I often have hashcat not crack things using the VM which I why I want to run it on the host. This is the command:
```
hashcat -m 18200 dw.hash /usr/share/wordlists/rockyou.txt
```
I dont think that's the right mode
I could be wrong though
im not novice and have all the tools i just want to ask about addressing the address
so if i cat proc pid maps
it has addresses in
then i use dd to write to proc pid mem
Asrep$23$ is 18200
but what address do i write to
This has nothing to do with an htb academy module and likely something you can Google
I'm not seeing a hashcat mode that matches asrep$18$
I'm seeing krb5pa$18$ and tgs$18$
Thank you for the help! Yeah I was just looking through there as well, I don't see it either, at least that makes some sense as to what I am seeing, maybe there is another approach for this one, it is the skills assessment on Kerberos attacks, if anyone can help that would be wonderful!
I'm working on the question in CPTS ptunnel-ng module. I have installed autoreconf and added "-static -lssl -lcrypto" under the "LDFLAGS =" section of the Makefiles ( root and src directories). After running " sudo ./autogen.sh" and scp-ing the folder to the ubuntu box, when i run ~/ptunnel-ng/src/ptunnel-ng i get an error while loading shared libraries: libcrypto.so.3 no such file or directory. I ran a sudo find / -name libcrypto.so.3 2>/dev/null to find the missing library thinking I could just update the LD_LIBRARY_PATH, but nothing was found. I'm running a local kali instance instead of the in browser parrot vm. Anybody encounter this issue and found a resolution for this ?
I will try those two as well then.
https://github.com/hashcat/hashcat/issues/3926
Might help, not sure if still in beta or pushed and your version of hashcat is out of date?
Just going off the hashcat doku
I did the same and did more digging
You can also try not specifying the mode and seeing if it finds it
could try john as well
John to the rescue
there is $krb5tgs$18$ , it's 19700
I did try that as well, kinda my go to first thing
But that's not $krb5asrep$18$
yeah that doesn't exist
Anyone manage to compile ptunnel-ng on kali and get it to work on the ubuntu machine?
Hello, I'm still having connection problems with my Windows box, it's really starting to be a pain. I'm fine with the VPN in TCP and for the last 1-2 hours the connection has been weakening. Now I get this error :
It's becoming unbearable, impossible to finish a module properly ....
add this: /timeout:10000000
It doesn't solve the problem, the machines are extremely slow, impossible to do anything on them.
solves the error you're getting
it feels like it's been like that for months, you just have to deal with it, keep changing vpn and whatever
them being slow is a different problem
If you're based in Africa or the surrounding region: the undersea cables there have been getting damaged
no i'm in France
This morning it worked very well
you can leverage something else to figure out how files are created
Well there's you're problem, you're French (kidding) I'd make sure your isp isn't having issues. And if you suspect issues with connectivity you can try pinging the box to see the response times
For a bit I had issues with 1k+ ping no matter the vpn
try checking the event logs
If you have these issues no matter the vpn, Message support
guys am stuck at this question and cant find a solution for it and tried all possible directories ( its in the SMB Footprinting section )
What is the full system path of that specific share? (format: "/directory/names")
the hint wont help too cuz i already know its a linux based server
I have a problem with the module Introduction to Malware Analysis in the section Code Analysis. I tried to move the zip to the Windows VM but I dont know whats wrong. I hope someone can help me.
I think I'll do that
use one of the tools in the section
there is a specific event ID for file creation events
i did rpcclient
smbclient
even enum4linux
none of the results appear to be useful
You need to specify the output location in windows/powershell
specify an output location?
you need to append a -O filename.zip or when using xfreerdp you can use /drive:/path/to/wherever and just copy it that way as a remote drive
Are those the only tools you tried?
The windows location looks off, don't you think?
i tried nmap and tried enumeration thru ftp
Hint
Remember that Linux-based operating systems do not have a "C:" drive.
When you enum you found a C:\home\user file
exactly
ftp is a different protocol. there's another tool in the SMB section.. one that might help you map the locations.
Critical thinking
but i found the same flag file in there as the smb lol
If the answer expects /../..
huh
And the hint tells you something
yeah that's a good point. imagine the folder structure on a linux box
That doesn't look like a windows directory
wut do they mean by the specific share
?
is it the one i found the flag in ?
What's the question?
What is the full system path of that specific share? (format: "/directory/names")
Hint
Remember that Linux-based operating systems do not have a "C:" drive.
The share is the file location being shared
Whatever your enum told you with C:\
so ?
Just flip it to linux
OHHH
Thanks I thought that it would automatically drop in my current location
Hence: critical thinking
am too sleepy sorry thats why 
Apply the singular braincell you borrowed for the day
Then take a break and come back refreshed, it's a marathon- not a sprint
Careful at the gym while sleepy
do you guys use burp or zap
Most use burp
both
google file creation event id
for a refresher, review the Windows Event Logs & Finding Evil module
which is better tho
they have their pros and cons.
Many will say burp is better, I haven't used zap enough to say the differences
i c ok danke
The caveat with burp community is it’s throttling in speed compared to the Professional Edition
And you don't pay for pro, you get a key from your company
That’s when people usually switch to Zap for that task or fuzzing.
Because it's a bit expensive
A bit?
you're looking at the wrong logs. check sysmon
$449 just checked
Yeah I mean it as a joke lol.
Oh yeah no, I was already looking it up
That's honestly not that expensive for a tool
I mean it depends
is it a one time purchase
Yes
i'd buy it
Oh wait no
I gave zap an honest go but for one of the Web Attack sections zap did not work and I did the exact same thing with burp and it worked
It's a subscription
wtf
yeah that's a yearly cost lol
Different opinions I guess.
Cobalt strike....
Just looked at the pricing
I get what you mean but I haven’t seen anyone purchased that with their own money before.
hey guys, can anyone help out with sherlock nubilum2 ? I am almost certain to have found the correct answer to task2 (What was the time, filename, and Account ID of the first recorded s3 object accessed by the TA?) but somehow the format seems to be not recognized by HTB. Would be nice to chat with someone who already solved this
not the right channel, see #welcome and you'll have access to #sherlocks
Cs or burp? Because burp people definitely buy on their own
export the event logs to a csv and open it in Timeline Explorer. it'll be much easier that way
Yeah that’s not really aimed at individuals
You defn don’t need the pro to be a good bug hunter or web app pentester.
So imho I don’t think it’s worth the money unless a company is paying for it.
fo sho.
I was only stating that there are more expensive tools and that in the grand scheme of things burp is cheap and yes apples/oranges in comparison
Yeah john seems to work but the password does not 🤦♂️ I did notice this just now, I was using kerbrute to get that hash, I did it again and I got a different hash. Do you know of a better way to acquire the hash? Thanks!
Praying
LOL
Source: it came to me in a dream
Getnpusers
^
wanted to ask if you used kerbrute, the hashes from it doesn't always work
yeah either GetNPUsers or netexec
ok on it! thank you all
can I use GetUserSPN without a password?
what stops you from trying ?
I found it in my notes... it now gave me a $krb5asrep$23$ hash!
Let's goooooo
that worked so fast! Thank you all for the help!!!
Skill issue (actually beyond your control)
what exactly are you searching for
why not search for event id 11
that depends on what exactly that time is
is it a modified time? an accessed time? a created time?
hello, any luck with service name did user barbi generated silver ticket, i been working on it for an hour and i tried all service names also and still nothing right,
hello, for this section: https://academy.hackthebox.com/module/147/section/1335 I found the document, but when I decipher it with the key found there, there are always special characters
understand the steps of the silver ticket attack. you'll need to search outside of Sysmon logs to find the answer
Somebody please help. I am unable to complete the Linux PrivEsc > Logrotate lab. Here is what I have done:
```
echo 'touch /tmp/ran.txt' > payload
./logrotten -p ./payload /home/htb-student/backups/access.log
```
In another window I trigger the exploit:
```
echo "b" >> backups/access.log
```
The exploit fires, but nothing happens. I have reset the machine three times. I have tried all types of payloads and triggers but I can't seem to get the right combination to work.
Thanks for the help in advance.
You should learn more about that file extension and find out a tool that can read it
You can dm for me bro
thanks so much for this. finally solved it.
silly question... any way to speed the xfreerdp vm up for the skills assessment?
it is just so unbelievably slow and i gotta shell 3 diff hosts
or did everyone just suffer and have to do it very slowly
Try a different vpn, and tcp
It's also just painful
@fathom pendant - Did you do this one: #modules message ?
No
Dang.
Hello everyone
I’m new here
so I don't want to type it again because of how slow it is, but I typed status.inlanefreight.local//files/lol.aspx in the browser. how come it fails to load that page? status.inlanefreight.local is in my /etc/hosts with the correct IP. the .aspx file already had this foothold machine's IP in the allowed IPs. is there something I'm doing wrong?
You must first find out when the log file is rotated. Then use this knowledge to trigger your payload
I know when the log is rotated and am triggering it manually.
I trigger it with the last line of the code I posted
yeah im just going to do this one when i finish the rest of the course. that is so painfully slow
Please do not post complete solutions
you're comparing the timestamps from the $STANDARD_INFORMATION attribute and the $FILE_NAME attribute.
ok, but for that I would only need the powershell output, right?
I must not compare the powershell output with the MFT explorer output?
ok, thanks. that has confused me. for me it was written in the module as if i would have to compare the mft to the powershell.
thanks
Can anyone help with the skill assessment question about searching for unmanaged powershell code execution for the Windows Event Logs & Finding Evil module?