#modules


cloud urchin
#

i'm not staff i can't answer those questions. bottom line is it's a company, don't sign up if you don't like the terms.

jovial wolf
#

it's incredible how much they HATE capitalism... to the point of doing that.

#

but it's beyond me how they do it, without any remorse

#

do i have to go to school to learn?

#

i mean to use your services?

#

i never stepped in a school again since elementary

#

and i will never do, those are just churches of statism. and it's ok to not agree with me, but to ask my FULL name, in a hacking purpose community

#

is beyond me, why is that? explain

acoustic owl
#

I have already warned you once today.
Please go back to the topic in this channel

jovial wolf
#

this message...

#

it hurts my heart

#

Fullname is required

#

it hurts me...

warm crater
jovial wolf
#

seems i will never find real people in this city, not anymore

cloud urchin
#

every day something new here lol

jovial wolf
#

even the homeless i met are more into society than me

jovial wolf
#

and a hacker community should be against that

#

there is no hope into becoming a hacker nowadays

#

Join thousands of hackers.
Fullname is required

#

im still stuck there

#

and the worst part, is that all seems too beautiful and well done.
why the smartest people hate Crypto or hyper-capitalism?

#

why the smartest devs, are this WOKE

jovial wolf
jovial wolf
#

im here to learn like yall

#

im just not WOKE is that wrong?

next bronze
#

yeah you're not woke, you're cringe

acoustic owl
jovial wolf
#

i just want to learn,

#

im trying to understand

#

Step 2: Copy your Account Identifier

acoustic owl
# jovial wolf i just want to learn,

Then sign up for the Academy and learn with the modules. Or you could sign up on the main platform and learn there, for example with the Starting Point

jovial wolf
#

does this mean some sort of KYC ? cause i wouldn't be surprised

#

this: Step 2: Copy your Account Identifier

#

Login to your HTB Account

#

i made the account...

acoustic owl
next bronze
#

<@&861185840277487616>

#

holy cringe

severe moon
#

ok

cloud urchin
#

been a wild night

steel gorge
#

I'm trying this with the simplest possible request (a single GET XMLHttpRequest to http://exfiltrate.htb/?didthiswork=yes )
I can't get the Delivery to work. Has anyone gotten this to work? A Discord search reveals confused people posting the exploit directly into the guestbook but I want to make sure this is actually possible.
Can someone please confirm it's possible?
Edit: I'm on the "Introduction to XSS Exploitation" section
Edit: Solved. For me the lab setup did contribute a bit to my confusion.
When you test it for yourself by visiting /exploit directly, it just shows you javascript code unless you wrap it in <script></script> tags.
But if you leave them in there, the delivery mechanism doesn't work.
Leaving this here so it hopefully helps someone else.

steel gorge
# snow ridge put right port into url

Seriously? Why the note saying not to do that? 🤔 (I'm referring to your message above).
Here's what I've done:

  • XSS in guestbook - both with port and without port
  • exploit script - with port and without port.

That said, there's always a chance I've missed something so I'll give it another go. Thanks for your help 🙂
snow ridge
steel gorge
steel gorge
# snow ridge Oh I read it wrong, my bad. DON'T use port. Some exercises you had to use but thi...

I've been taking laborious notes throughout this whole process and even with a fresh machine, I can't make even a simple exploit work such that the admin hits the endpoint. I got through the CSRF stuff ok 🤔
I'm not sure how to launch an official request for help from the HTB team on this. I don't want to go around this by pasting the exploit directly into the guestbook, because I want to learn what's going on, but I don't have the visibility into it.

#

So I tried again with no port in the XSS (as instructed)
and with no port in the exploit. Still nothing. I'm not sure what to do now, I can't really make it simpler. 🤷
I guess unless anyone has any better ideas, I'll do the direct workaround.
Very grateful for your help and engagement on this @snow ridge 🙇

cloud urchin
#

what are you trying to do

dreamy yew
#

Module: Pivoting, Tunnelling, port forwarding. Section: Skills Assessment. Question: I am currently trying to do it using ligolo-ng, I was able to set up the agent (on the pivot host), and proxy (on attack machine). Afterwards, I added the subnet (for internal network) to my attack machine using ip route add. However, I am stuck on enumerating further internal hosts when I run nmap -sn <internal subnet> on my attack machine.

next bronze
#

need more info like the subnets and commands you used

#

also if you're using -sn you might as well just do a ping sweep

dreamy yew
#

@next bronze these are the commands i have ran in the form of screenshots

next bronze
#

did you run ifconfig in ligolo to check what subnet you should be adding?

dreamy yew
#

oh no i didn't

next bronze
#

well before you pivot, you must know what subnet you want access to

dreamy yew
#

based on this, I'm assuming I am supposed to access 172.16.0.0/16

#

if this is the case, i would have added to my attack machine via ip route add

next bronze
#

you just need to add /24

neat shore
#

Skills Assessment - File Upload Attacks

When sending the file, the form does so with the GET method instead of POST. Is this part of the exercise or is it an error in the form?

dreamy yew
next bronze
#

/16 consists of 65536 addresses, you should start with the immediate subnets before moving to a range this big

dreamy yew
#

ohh yes /24 has only 255 possible addr to scan

next bronze
#

check group managed accounts

latent frigate
#

thks, but for all targets i get the result "are u sure it is running ldap?"

cme ldap FQDN user pas -gmsa

next bronze
#

you need to target the dc of course

upper haven
steel gorge
#

Thank you, DM'd

real blade
#

Hello guys
Is the cpts exam voucher has expiration date?

next bronze
#

who tf pinged me angryping

fringe urchin
#

sorry @next bronze

next bronze
fringe urchin
latent frigate
next bronze
#

what? I said to use it against the dc, there's no need to use --kdchost

latent frigate
#

yes got it, but all possible combinations to dc, or IP of dc, give me this result: are u sure ldap running

next bronze
#

what's the ip of dc?

latent frigate
#

172.16.15.3 : DC01
172.16.15.15: DEV01
172.16.15.20: SQL01

next bronze
#

works for me

latent frigate
#

yes. same command, different output.
Chisel is working here, i can scan smb. so connection is not a problem

/etc/hosts: DC01 DEV01 SQL01.INLAINEFREIGHT.LOCAL and for all addresses

#

└─$ proxychains4 -q crackmapexec ldap 172.16.15.3 -u j.... -p '0......'
SMB 172.16.15.3 445 DC01 [*] Windows 10.0 Build 17763 x64 (name:DC01) (domain:INLANEFREIGHT.LOCAL) (signing:True) (SMBv1:False)
LDAP 172.16.15.3 445 DC01 [-] INLANEFREIGHT.LOCAL\j......s:0........ Error connecting to the domain, are you sure LDAP service is running on the target ?

next bronze
#

what is the entry for dc in your hosts file

#

did you add the domain and fqdn?

rustic sage
#

Happy Easter

latent frigate
#

yes for all of them
SQL01.INLANE...LOCAL
DEV01.INLANE...LOCAL
SQL01.INLANE...LOCAL

next bronze
#

the whole line please

latent frigate
#

I tried to send it and i got an automatic message: don't send the same message again and again

next bronze
#

just the entry for dc, not the other hosts

latent frigate
#

172.16.15.3 DC01 DC01.INLANEFREIGHT.LOCAL

next bronze
#

add the domain

#

if it still doesn't work restart the lab

latent frigate
#

ok i did it before. I just sent a message to support. I'll wait for them. Thks for the help

#

terminate, wait, start && restart

tulip dragon
#

what does this do

fathom pendant
real blade
pale stirrup
covert trail
#

Can anyone help me out with Password Attacks Module (Password Attacks Lab - Hard)? I've been trying to bruteforce the user with CME for over 3 hours and nothing yet...

covert trail
# shut quest What word list you using?

I'm using the custom wordlist generated using the resources provided for the module using this code here: hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

rustic sage
#

Check svc_workstations sudo privs > pass the ticket > password attacks > cpts. I got the flag from the previous question, I have found an aes 256 for svc, I can't use sudo -l at all. I do not know where to go nor where to look. Hint is not useful. Can anyone help

#

What do you mean?

#

Are you saying I should switch back to David?

covert trail
#

Oops sorry, replied to the wrong person..

rustic sage
#

That doesn't work, sudo -l doesn't work for David either

rustic sage
gaunt linden
#

@low crescent Did you solve the CSRF Lab component of Advanced XSS in Academy?

rustic sage
#

I’m on Carlos

next bronze
#

are you able to get svc_workstation?

rustic sage
#

I have to step away for an hour or so are you comfortable with me pming you later? If not that’s cool

next bronze
#

look for keytabs

shut quest
covert trail
radiant eagle
#

Hello, I have had a problem since yesterday with an IP address of the skill assessment of pivoting. I had entered the machine before with proxychains but then it froze and stopped working, and since then I haven't been able to continue the lab. I'm on a silver plan and don't know why I don't get a Discord answer when I press the button for help.

radiant eagle
gaunt linden
#

In Academy: Advanced XSS it states: "Web browsers typically add the Origin header to cross-origin requests to indicate the target origin where the request originated from. An attacker cannot control this behavior." Is this true? I thought with proxies you could change the Origin header?

shut quest
slate halo
#

I'm doing Pass the Ticket (PtT) from Linux and I'm trying to understand the part where HTB is exporting: export KRB5CCNAME=/root/krb5cc_647401106_I8I133. Whose ccache file are we exporting? I'm asking because I'm trying to import Julio's ticket.

next bronze
#

you can use klist

radiant eagle
limber river
radiant eagle
tough tiger
radiant eagle
dreamy yew
#

Module: Pivoting, Tunnelling and Forwarding, Section: Skills Assessment, Question: I used LaZagne and got vfrank creds (in the form of nthash and shahash) but it did not seem to be crackable, any nudge?

celest scaffold
#

If anyone would like to join my fortnite group please dm me and I’ll catch up to you later

fathom pendant
#

Are you meant to crack it?

dreamy yew
#

however it has no indication the output was for which user

fathom pendant
#

It definitely does tell you, if you look closely lol

dreamy yew
#

it just looks like a hex dump and its decrypted contents haha, is it ok if i pm u

#

idw spoil

fathom pendant
#

Also it won't be a hexdump

#

If it's a full hash then it'll be a large string but an ntlm hash consists partly of the lm:nt hash and some other data

dreamy yew
#

umm i notice 2 accounts SC_DHCPServer and SC_SCardSvr having "Im w u_"

fathom pendant
#

I don't recall it being that complicated

dreamy yew
#

hmm i just used Lazagne output thats all

#

or perhaps i did not use the -v option for more

fathom pendant
#

Also the examples won't always match, and will often omit things that would reveal an answer

dreamy yew
#

examples as in?

fathom pendant
#

The example outputs from the module

#

Sometimes though things may be in plaintext

dreamy yew
#

ahh ok

fathom pendant
#

Always carefully look at outputs

severe matrix
#

I had the same issue when I did that module. Chased cracking hashes and such. Reading is hard!

tame scroll
#

Hi friends, since yesterday I have been having problems with the IP TARGET, it never establishes a connection, does anyone have the same problem?
I ping and all the packets are lost.

snow ridge
#

Did you figure this out and can I dm you?

amber ore
unreal prairie
#

Hi guys... Anyone can help me with DNS part of Footprinting module for CPTS path? I don't understand why the response of a DNS query type=SOA for a domain is empty but when I do DNS Zone transfer for that domain, there is the DNS record type=SOA... Thanks so much

hot grove
#

need help with Vuln-assessment - Nessus Skills Assessment... I've scanned the IP provided WITH Nessus and I am not presented with any info that answers the asked questions. It tells me to authenticate a scan under a user (which I did over 5x) and it fails. It's supposed to be a Windows system but the scan says it's Linux. please help

rustic sage
#

(Look at the Kira from the older modules) I'm so surprised they asked to pull a random password for the protected files lab like wtffff. So left field. Thank god I wrote it all in notion

rustic sage
#

I mean I get it attention to detail but it took me aback

fathom pendant
#

The whole module is all about grabbing and saving passwords

rustic sage
#

See if you’re skipping around I get the reason

fathom pendant
#

You shouldn't be skipping around a module

rustic sage
#

Yeah I mean but it was way back

#

I agree which is why they prob did that

fathom pendant
rustic sage
#

How do I do that

fathom pendant
#

Delete the message

rustic sage
#

Ok

#

Done

fathom pendant
#

The Linux labs and Windows labs are connected throughout the module

rustic sage
#

I get the reason

#

Usually, they start kind of fresh

fathom pendant
#

Which is why I tend to advise that once you get in, to check the C:/users or /home/ directory

rustic sage
#

They really keep us on our toes

fathom pendant
#

The ad module is the same

#

The labs are connected

rustic sage
#

Good tip

#

Oh ok. Now I see nvm

fathom pendant
#

So you can use creds from way early on in the ad enum module way later on

rustic sage
#

That’s actually a wise move

#

I stand corrected

fathom pendant
#

it's expected in the module ¯\_(ツ)_/¯

cedar yew
#

Hello guys i need help

module - Password Attack
Section - pth attack
Question - Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.

i use the command but not working

cedar yew
#

my hash powershell3 base64

#

my hash conf

#

yes i use the nc other window

#

im try 1.5 and 1.10 but not working

#

yup im waiting other window

#

PS C:\tools> .\nc.exe -lvnp 8001
listening on [any] 8001 ...

#

nope not working

scenic plover
#

Hey, for the Server-Side Attacks module in SSTI Exploitation Example 2 and SSTI Exploitation Example 3, is there a way to get a reverse shell in these scenarios? I've gone through each section twice using both the pwnbox, and my own VM with the same results. I've used the payload provided and attempted a base64 encoded command to make sure the special characters weren't causing trouble. The page hangs like it's attempting to connect, but then just sits for a minute before rendering again. I tried the payload with python and python3 as well. I'm just trying to figure out if I'm still doing something wrong, or if this is not possible on these exercises due to network restrictions. I can get command execution fine, but I can't catch the reverse shell at all.

cedar yew
#

where am i doing wrong

radiant eagle
cedar yew
#

can i send dm bro

crystal steeple
#

"If we add . to the path by issuing the command PATH=.:$PATH and then export PATH, we will be able to run binaries located in our current working directory by just typing the name of the file (i.e. just typing ls will call the malicious script named ls in the current working directory instead of the binary located at /bin/ls)."

#

how would this benefit in linux PE? since we can just call the script directly in our directory?

#

i didnt understand this part of linux PE well, can someone elaborate , thanks in advance !

cloud urchin
cedar yew
#

so I will look some more

crystal steeple
#

what does that mean, isn't it useless to do so if we can call binaries already from whatever directory we're in just by adding them to the PATH env var

cloud urchin
crystal steeple
#

yes i do understand that, but let's say we can change the PATH env var and we added . to it so now, we can call any binaries in our current directory right?

cloud urchin
#

no

crystal steeple
#

so what does they mean by this phrase : "If we add . to the path by issuing the command PATH=.:$PATH and then export PATH, we will be able to run binaries located in our current working directory by just typing the name of the file (i.e. just typing ls will call the malicious script named ls in the current working directory instead of the binary located at /bin/ls)"

radiant eagle
fathom pendant
cedar yew
#

yes

fathom pendant
#

does the export command take the . ?

#

i thought it would have to be ./

cloud urchin
#

i don't think so

#

but i could be wrong

#

chatgpt says i'm right

#

now i'm questioning it lol

#

i guess test it out?

fathom pendant
# cedar yew yes

so when you type ipconfig /all it shows you that one of your interfaces is 172.16.1.5

crystal steeple
#

i think i understand now what they mean , basically after doing that ,we can call whatever binaries located in our current directory from whatever directory we in

cloud urchin
crystal steeple
cloud urchin
fathom pendant
cedar yew
#

yes

cloud urchin
# crystal steeple thanks man for the clarification !

Even more info: take your 'whoami' command. it's in /usr/bin. if /usr/bin was not in your PATH env, then you would have to type "/usr/bin/whoami" to call to the command. due to the '/usr/bin' folder being in your PATH env, you can call to that command anywhere in the terminal.

crystal steeple
fathom pendant
#

because it starts in current directory, then looks to path

crystal steeple
crystal steeple
fathom pendant
cloud urchin
#

ok i think i'm wrong about this

#

chatgpt says this: When you type PATH=.:$PATH in the terminal while you're in the directory /home/dir, it will input PATH=.:$PATH into the environment, not PATH=/home/dir:$PATH.

crystal steeple
#

its shown in section too

cloud urchin
#

i think it's probably right

#

ahh yeah there you go

#

that's kinda dangerous though ngl

crystal steeple
cloud urchin
#

convenience is always in balance with security

crystal steeple
#

to see it in action

fathom pendant
#

oh

#

It's likely using it to bypass any restrictions

#

i.e. it calls your current path at the front of the PATH variable instead of the end

crystal steeple
scenic plover
# cloud urchin Generally yeah. If you have command execution you can create a rev shell.

Have you completed those sections and got a reverse shell? If you have, or know someone who has, then I definitely want to go back and try something else. I can "make" a shell like using a python script to automate sending the request with the template injection, but no matter the reverse shell I run, whether it be a python or bash I can't seem to get it to work. I've tried the "echo "base64_encoded_command_here" | base64 -d | /bin/bash" as well as attempting to run the reverse shell directly in the injection, but it'll hang for a while without me receiving a connection at all, so I'm leaning towards it is a network rule that's not allowing it to make the call out. Figured pwnbox would work because of it being a part of their network, but I get the same behavior there as well.

fathom pendant
#

as they both use the same vpn connection

cloud urchin
#

i imagine you could catch a reverse bash shell with nc or something

scenic plover
hollow pewter
#

Hello Guys, I hope all are doing well. can anyone help me with the following task please: CROSS-SITE SCRIPTING (XSS) Skills Assessment

scenic plover
crystal steeple
cloud urchin
scenic plover
hollow pewter
#

I set all requirements that were needed, I reached the comment page, and I started my port listener, but I can't get anything

crystal steeple
#

if you followed the steps in session hijacking, you should be able to finish it, only thing that you need to find out is the vuln xss field

hollow pewter
crystal steeple
fathom pendant
#

this sounds like it'll push into spoiler territory

hollow pewter
#

the field in the comment

crystal steeple
#

i don't think it was in comment :3

hollow pewter
#

I will double check

quasi summit
#

Hi all, I'm stuck on the "using the stack section" of intro into assembly language. The task is telling me to debug the attached binary to find the flag being pushed to the stack. I have downloaded the zip file like normal and tried to extract but where normally you would get a text file with instructions I cannot seem to open it. I don't know what I'm doing wrong :( Pluma (on parrot OS) says it can't detect the character encoding.

crimson moon
#

Thanks

next bronze
inner geyser
#

long story short I finished a module that I'm still not certain I did the 'best' way. I was given one target IP and two vHosts for the questions. I was able to get the answer just by editing /etc/hosts and using the same IP but associated to 2 different vHosts/subdomains when the question called for it. However, that doesn't seem like the way this should be done. If i'm given one target IP and need to gather info/enumerate on 2 vHosts....was there a better way to go about this? I'm sure I'm missing something extremely simple here with what needs to be added to /etc/hosts

vital wren
#

Hey, has anyone around here done the "Whitebox Attacks" by @upper haven .. Working on Prototype Pollution and I cannot get the "Exploitation of prototype pollution to execute code" through constructor.prototype property on the skill check. 🤔 Feel like my JSON request is a tad off somewhere but unsure.

fathom pendant
inner geyser
#

Thanks @fathom pendant but is it as simple as just changing the subdomain in /etc/hosts with the same IP address being used?

fathom pendant
#

An IP can host multiple subdomains

#

In this instance it's hosting both those subdomains

inner geyser
#

yeah that's why i was more/less thinking about having the IP associated to the top-level domain instead of editing to match specific subdomains

#

but thank you for answering!

fathom pendant
#

That's not always how it works

#

Also it wouldn't be the tld you associate it with rather the domain

#

subdomain.domain.tld

inner geyser
#

oh, right. thanks again

fathom pendant
#

www.google.com
www would be the subdomain
Google is the domain
Com is the tld

quasi summit
next bronze
#

yep

quasi summit
# next bronze yep

i've been trying to do that but when I type gdb ./stack into the terminal i get: Reading symbols from ./stack...
(No debugging symbols found in ./stack)

next bronze
#

you did unzip the folder? run file fileName, it should tell you it's an ELF executable

quasi summit
#

yes i did. i ran ./stack
bash: ./stack: cannot execute binary file: Exec format error

next bronze
#

run file stack

#

also maybe download it again

quasi summit
#

Did both of those

#

I’m thinking I missed something in the instructions

#

But this file doesn’t seem to be behaving like the ones I have previously worked with in the module

#

Which is super frustrating

#

I was thinking if I try to do the same process on another distribution

next bronze
quasi summit
#

I’ll come back to it soon. My son is back home. Thank you for your help so far

potent ermine
#

I'm in the Pivoting module, Double Pivot section. I'm trying to do the exercise using ligolo-ng. I'm running the agent on the first pivot host, established the connection. My understanding is that to access the 172.16.6.155 host, I have to start a listener and then run the agent on the 2nd host. I'm getting this error when I try to connect the agent from the DC01 host, even after adding the listener. Am I missing a step?

next bronze
#

you'll need to connect to the internal ip of the pivot host

fathom pendant
#

You also need to set your routing table to use that second ip

#

Hop 1 -> hop 2 -> end

potent ermine
potent ermine
next bronze
potent ermine
next bronze
#

yeah so, the second pivot will need to connect to that 172 ip

potent ermine
#

Thanks, I got the connection now! 🙂

grand sundial
#

I am on the password attack module. I need some advice with the crackmapexec command. When I run it on the parrot vm it works fine, but when I run it on my kali linux, it throws a ton of exception errors.

grand sundial
tame scroll
#

trying but cant find the answer some hint please MODULE:SHELLS & PAYLOADS --Infiltrating Windows, questions: Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\

#

I've tried many ways the eternal blue but it almost certainly isn't, unless I'm missing something.

next bronze
tame scroll
next bronze
#

nope, it's your tun0 ip, it needs to be in the same subnet as the target

jade latch
next bronze
#

there's some drama when the fork was created and it's still very new

jade latch
#
tame scroll
cloud urchin
#

does anyone know how to convert a guid into the group name? the powerview module says to use get-gpo but that cmdlet doesn't seem to exist

dull cove
#

:p

quasi summit
next bronze
#

wat

quasi summit
#

i did it without the run command and just typed in file stack and got the same output as you did.

#

apologies

next bronze
#

yeah so run it through gdb

quasi summit
#

ran it through gdb and got this: Starting program: /home/fred/Desktop/stack
/bin/bash: line 1: /home/fred/Desktop/stack: cannot execute binary file: Exec format error
/bin/bash: line 1: /home/fred/Desktop/stack: Success
During startup program exited with code 126.

next bronze
#

download it again and unzip it, check if the hash is the same

#

md5sum stack
90b443ce5fb71650b9b99f1277933642  stack
quasi summit
#

Will do thanks

verbal moth
#

Has anybody finished the NoSQL injection? Assessment 2. I have the injection, and have been progressing manually, but the data I am extracting is 60 characters long... can anybody help me script this?

burnt sluice
#

hello, does anyone know if you can launch a skill assessment after your subscription has ended? I've been trying to launch one and it doesn't seem to launch

#

nvm, it just spawned

latent glen
#

Hello everyone, quick question. Lately I've been having issues with running secretsdump.py
I get the same output every time

Impacket v0.11.0 - Copyright 2023 Fortra

[-] unpack requires a buffer of 4 bytes
[*] Cleaning up...

#

Could anyone please help with this ?

#

The method I used to exfiltrate the SAM, SECURITY, SYSTEM files was a nc method, but I double checked and the files are transferred completely

#

I'm currently trying to exploit HiveNightmare.exe in the Windows Privesc Module

next bronze
#

something is wrong with the files that you transferred out, make sure they're not corrupted or no data is lost

#

also run it with -debug

latent glen
#

ooh the -debug is useful

#

thank you, okay I will try exfiltrate using a different method

#

As usual, @next bronze you are incredibly helpful. There was indeed something wrong with the way I did a nc transfer, I'll have to revisit that. Exfiltrating using powershell to an upload server proved to work better

#

the thing is, the victim host doesn't always allow exfiltration through smbserver so I had to find another way

next bronze
#

I like to use http servers, haven't failed me yet

latent glen
#

how would you upload from cmd.exe to that ?

#

curl ?

next bronze
latent glen
#

uuuuuuuuuuuuuuuuuuuuuh.... NOW we talking

latent glen
#

yes so I just used that PSUpload

next bronze
#

yep that's what I usually use, easy and always works

latent glen
#

Damn, I'm looking at Multidump and wow.. Well done you for writing that! very very very amazing. Let me play a bit with it, but if it works as well as I think it does, that is being added to the arsenal RIGHT AWAY

#

okay, I guess I can no longer avoid it. I never really saw how to build a binary like yours for example using visual studio. I don't know how I've lasted till now without doing it but I always found a compiled binary somewhere. Now I'm forced to do it.

next bronze
#

it's a good thing to learn and very straightforward with VS

latent glen
#

yep.. on it

#

aaaaaaaaaaaaaaaaaaaah I see

#

wow, a whole new world of projects (without binaries available) has just opened up

#

hahah

next bronze
#

yeah literally just double click the sln file and build 4Head

latent glen
#

hahaha

#

yes

cedar yew
#

I'm going crazy, I use a different tool, different port, why is it not working

#

i want to go dc01 from ms01

latent glen
next bronze
#

it does both if you use remote mode

latent glen
#

say I have this situation in windows

-a---- 4/1/2024 12:32 AM 65536 SAM-2021-08-07
-a---- 4/1/2024 12:32 AM 32768 SECURITY-2021-08-07
-a---- 4/1/2024 12:32 AM 12582912 SYSTEM-2021-08-07

How do I exfiltrate those using MultiDump?

next bronze
#

the main purpose is to dump lsass without being detected, then I added functions to exfiltrate the data and also dumps the registry

cloud urchin
# cedar yew I'm going crazy, I use a different tool, different port, why is it not working

I'm not familiar enough with SMBExec to know if it decodes that, but it looks to me like you're sending a system command encoded in base64 with 'powershell -e'. powershell -e isn't a native command, so that doesn't do anything (unless smbexec somehow gives it that capability). you'd probably need to run powershell -encodedcommand is my guess.

next bronze
soft cedar
latent glen
#

aaaah that's what I meant. Yes because using the HiveNightmare attack doesn't necessarily require you to have admin privileges. That's what I mean. But you need those to extract with your tool I take it

upper haven
slate halo
#

I'm doing the last flag for the LINUX01, I have found it but it's not working, am I allowed to paste it here?

cloud urchin
#

@upper haven can you give me a push on advanced xss & csrf skills assessment? i can read bits of the api but can't find a place for sqli, is that the right next step?

latent glen
#

let me try pass the hash, get the creds, then play with your tool to get familiar with it

next bronze
cedar yew
soft cedar
next bronze
cedar yew
soft cedar
cedar yew
#

Actually the command works but the shell does not give

latent glen
slate halo
#

I'm doing the last flag for the LINUX01 kerberos ticket, I have found it but it's not working, am I allowed to paste it here to check if it's right or if the box is just glitched?

soft cedar
#

change it none.

slate halo
soft cedar
#

It is already bs64 encoded, you are just encoding it again.

next bronze
slate halo
#

I mean the first letter is missing only

#

its really strange

next bronze
#

maybe read it again then

cedar yew
#

It was a really weird module.

#

thx @soft cedar

next bronze
#

yeah as in read it again to make sure it's printed correctly

fickle bison
#

Hi guys, I have a question regarding the trickbot.pcap Suricata rule question. I tried both JA3 hashes, but it seems that both work when checking the pcap file via Suricata. I wonder why the other one is the correct answer when it should be both.

next bronze
#

huh? there's no space anywhere, also not in the hint

astral inlet
#

Hi there 🙂, performance issues again for EU?

shadow current
#

Doing the Attacking Enterprise Networks question "Steal an admin's session cookie and gain access to the support ticketing queue. Submit the flag value for the "John" user as your answer." I already got a cookie, but it doesn't log me in even if I set the cookie.

#

got ittt already

next bronze
#

<@&861185840277487616> in other channels too

#

piss off scammer

astral inlet
#

probably a bot

patent oak
#

Guys, you know when attacking a thick client with x64dbg? I caught the 3000 RW thing, but where do I right-click to dump it as an executable?

#

It says right-click the address, but there's no dump option.

soft cedar
#

and then right click on the address.

patent oak
#

sadglas it was moving so fast

#

It never moved the first time

patent oak
#

The memory map isn't paused. It says it's paused and exited, but it's still dancing. I had to lie in wait to click the right one when it appeared.

soft cedar
#

lol

#

I didn't experience that, though.

patent oak
#

I don't think I'll have time for a right click but if this is what it takes

#

Okay so, if you click the column header to sort by type, they dance and you can't catch them to click.

#

If you leave it as it is when you load the file, they stay still. 🤷‍♂️

#

Thanks for the tip!

#

Weird section steve_10

olive slate
#

Is anyone having problems with 'Active Directory Enumeration & Attacks'? The sections that require RDP just don't work for me, from my own VM and from the attack box.

olive slate
# silver iris What do you mean by don't work? Do you get any error message? I had connection is...

Sometimes it connects but I get a black screen on xfreerdp; sometimes it does not connect at all, with a connection refused error message. For me it is almost luck-based, as I'll have to keep restarting the lab and trying again until it works. But even when it eventually works, it sometimes disconnects and doesn't let me connect again, and I have to keep restarting and trying again. I'm almost at the end of the module doing it this way, but it is a very frustrating experience.

autumn pilot
#

Have you tried reaching out to support?

fathom pendant
#

Sometimes the agreement screen doesn't show up

#

You can also resize the screen and it usually comes up

olive slate
#

Thanks guys for the tips. This will definitely help me get through the last few modules

astral inlet
#

3 to go

raven lagoon
#

What's HackThebread?

astral inlet
#

good question

#

the cube is orange now

marble spire
#

Hey, when I run evil-winrm through proxychains I'm getting this error:

Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error

I didn't find any workaround. Does someone know what the problem is here?

rough pecan
#

Hello, I just completed the HTML section of Introduction to Web Applications, and your question asks for the tag for an image. The only correct answer allowed is <img>, when technically <img /> isn't wrong either. I still got the cubes for it, but just a little thing: is there a way to make both answers correct for students?

#

So it can be broken by the src info... 🤔 I hadn't thought of that, to be honest... I know the order technically doesn't matter, but had always been taught src followed by alt, not alt followed by src... Now I see how it could be an issue. 🤔 😱

tawdry comet
#

I have enough cubes for an additional module after finishing the CPTS path. Which one do you think would be more beneficial, PowerView or ADCS?

half stag
#

Hey guys, I am stuck on the module "Password Attacks", the section "Attacking LSASS". The question asks "Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)". I dumped the lsass.dmp file and moved it to my attack host, but I am stuck on pypykatz saying "parsing file"; it has been stuck there for quite a while now.

half stag
#

Thanks, I will try.

cedar yew
#

Pass the Ticket from windows

#

password attack module

half stag
#

It's still stuck.

cloud chasm
#

Module: NTLM Relay Attacks
Skills Assessment
I have a problem with the second question. I have compromised BACKUP01, but when I try the same commands I can't get a shell. Can anyone help?

cedar yew
#

and command

cedar yew
#

pypykatz latest version?

soft cedar
#

The directory lists from SecLists are not bad.

cedar yew
#

Maybe you try /home/user/lsass.dmp; I'm using this command.

soft cedar
#

The small/medium is fine.

#

It usually works.

fringe urchin
#

It's starting.

#

💀

cedar yew
#

I can connect to the machine with Remmina, which I cannot connect to with xfreerdp. How is this possible?

wise vault
#

Hi everyone.

#

I am just stuck on the medium lab of the Footprinting module. I just mounted a share to my host and found some tickets*.txt files. What to do next?

wise vault
#

Hi, did you solve it?

wise vault
#

Hi, I am just stuck.

wise vault
#

100+

soft cedar
#

Then look at the file sizes

fringe urchin
#

There is definitely one of them that's different in size than the others.

wise vault
#

ok

soft cedar
#

You can also cat * since the rest are empty afaik.

#

And scroll through until you find the right one.

patent oak
#

😒

soft cedar
#

Definitely one of the worst sections.

patent oak
#

It says to edit the one in fatty client new.jar.src

#

I was thinking it threw me a curve ball

#

Nevermind

wise vault
#

thinking about it

soft cedar
#

so look somewhere else.

wise vault
#

ok

toxic apex
#

can someone give me a hint for the prototype pollution part of the whitebox attacks module? I have finished everything in the module except that one question.

hallow dagger
#

I don't know how to formulate the answer in module Introduction to MSSQL/SQL Server
Is there anyone who solved it?
I got the answer but don't know how to formulate it

cedar yew
#

Hello guys, I have a question. I'm learning the Kerberos protocol; is this base64 key output equal to a .kirbi file?

patent oak
#

@soft cedar Dude kek I'm lucky to be a software engineer but that seems like it would slay anyone who wasn't

#

Onto the SQL part

tulip dragon
#

Is this code wrong, or does this need sudo privileges to work?

#

Because I can't get the clipboard content.

wise vault
#

Is there anything I am missing?

wise vault
#

What should the server name be?

soft cedar
#

When authenticating, choose Windows authentication.

timber hatch
#

why or how can we see that: "From the output above, we can see that only administrators have full access to the LSASS process, as expected."

dim wolf
#

because they have the FILE_ALL_ACCESS permission, which no other group has

timber hatch
#

Now that you mention it... yes 😆

#

thanks 😉

oblique spoke
#

Hi, I got stuck at this question. I used the premade board as well as my own. This is bullshit..... The question is: Navigate to http://[Target IP]:5601, click on the side navigation toggle, and click on "Dashboard". Extend the visualization we created or the "User added or removed from a local group" visualization, if it is available, and enter the common date on which all returned events took place as your answer. Answer format: 20XX-0X-0X
I am using "last 15 years" with timestamp, event.created, event.ingested.

#

what am i missing?

hallow dagger
#

I don't know how to formulate the answer in module Introduction to MSSQL/SQL Server
Is there anyone who solved it?
I got the answer but don't know how to formulate it

#

?

rustic sage
#

Guys, tf is with the server logo? Pleaseee, I have OCD, damnnn 😂

regal lantern
#

Hi guys, I'm new here. What are the best modules to start with? I have no knowledge of Linux etc.
Thank you.
Sorry if my English isn't perfect; I'm from Italy.

regal lantern
#

ty

dim wolf
#

if you're looking for more blue-team oriented content, check out the SOC Analyst Prerequisites skill path

regal lantern
#

Right now I'm doing the Learning Process module.

rustic sage
#

Hello, I'm pretty much a beginner. Is there any fellow noob here interested in doing pwnboxes together? I'm currently at Starting Point. Also, I'm downloading the Parrot ISO and setting it up with QEMU, so I don't have enough time to complete any boxes today. But perhaps in the near future; if anyone is interested, send me a message. I think it is more fun together.

fathom pendant
#

Pwnbox refers to the in-browser VM.

rustic sage
#

Password Attacks lab, easy. Used the custom rule for a mutated password, running it on FTP since it's faster against the given username list. I have a feeling it's one of those wait-and-see ones. Thoughts? I don't want to waste my time.

#

Hydra l username list mutated list ftp ip on t4

fathom pendant
#

Always analyze and examine to make sure you're attacking it properly. Make sure no ports are allowing "anonymous" login

#

Don't lower threads my dude

#

-T 48 is the most stable and fastest thread count

rustic sage
#

I meant 48 sorry typo, we spoke about this a few weeks ago

fathom pendant
#

Also -t is a different thing than -T

rustic sage
#

I’m on my phone

fathom pendant
#

Just making sure for clarity

rustic sage
#

Sorry for the short hand

#

I'm assuming: use the given username list and mutate, on FTP, basically.

fathom pendant
#

Perhaps

fathom pendant
#

I'll have to double check my notes on it

modest isle
#

Hello

rustic sage
#

Ok I’ll just wait it’s only been 5 minutes

rustic sage
#

yes

#

These labs are a pain because of the waiting

rustic sage
#

mmm ok

rustic sage
#

Doh

#

:Simpson voice

fathom pendant
#

There may be a somewhat faster answer in there

#

I genuinely forget this lab though

hasty solar
#

Can I DM anyone at the ADVANCED DESERIALIZATION ATTACKS Skills Assessment? Thanks in advance.

junior oxide
#

I have a stupid problem in the Mass IDOR Enumeration section of the Web Attacks module.

#

I found the UID and a .txt file for the flag.

#

But when I go for it, I get a web page opened with no interesting content in it.

rustic sage
#

These labs got me sweating like Justin beiber at puff daddy’s house sometimes I swear

rustic sage
#

Amen

dusky loom
#

I'm doing Sherlock: Recollection. I unzipped the file and there's a file called recollection.bin that I have no idea what to do with. Anyone?

lucid mountain
#

I've been stuck on this question from the SOC path for a couple hours

Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the port that one of the two C2 callback server IPs used to connect to one of the compromised machines. Enter it as your answer.

I've been looking for the SourcePorts with the DestIp of the two in previous answers to no avail

shell ore
#

Hey, quick question about PowerShell.

#

```powershell
Get-ObjectAcl "DC=inlanefreight,DC=local" -ResolveGUIDs | ? { ($_.ObjectAceType -match 'Replication-Get')} | ?{$_.SecurityIdentifier -match $sid}
```
#

After the first pipe we used () inside the { }, but not the second time. Why? 😅

shell ore
#

aha

#

thank you :).

lucid mountain
#

Thank Claude. Maybe you should ask AI for questions like that next time. Can someone help me with my question that AI can't help me with?

visual dock
#

lolll

tacit frigate
#

I'm new to cybersecurity and coding.

#

What is the main discussion room?

tacit frigate
#

Do you know the name of the site that teaches bash hacking skills through those "leetcode"-like exercises?

#

I had it bookmarked but lost it; I thought it could be useful.

dim wolf
#

if it's a C2, it's most likely sending commands from the C2 IP to the target IP

lucid mountain
#

Makes sense. Completely overlooked that

hasty dust
#

Anyone else feel like the Introduction to Networking module (at least the first section) talks about and mentions way too many concepts that people who are new to networking will not be able to understand or learn as a first introduction to it?

timber hatch
#

WINDOWS PRIVILEGE ESCALATION, great module so far, but the Windows host is lagging very much...

#

RDP connection goes down a lot...

timber hatch
#

It's worth a shot... but I've already chosen the best one...

topaz sable
#

Why can't I access baking general? It says done reading check out #modules

shell ore
#

Any idea why these creds aren't working? AD attacks, DCSync section.

shell ore
#

You mean?
ssh htb-student:HTB_@cademy_stdnt!@172.16.5.225 ?

next bronze
#

yes

shell ore
#

Didn't work.

next bronze
#

don't specify the password, it will ask for it later

shell ore
#

also tried that

#

I'm literally copy-pasting 🙂 💔

next bronze
#

What do you mean "didn't work"?

#

what's the error

cedar yew
#

Why is it not working? I don't understand.

cedar yew
#

works πŸ˜„ thanks

crystal sorrel
#

Can I delete the download for Kali Linux?

shell ore
#

what 😂

crystal sorrel
#

Can you delete the download for Kali? IDK.

dim wolf
#

I'm not sure what that's supposed to mean... do you mean the Kali VM on your computer?

shell ore
#

I just wanna finish this section, man 😭

crystal steeple
#

And ssh directly with proxychains

next bronze
#

the creds work, probably a layer 8 issue

#

Are you following the instructions correctly?

autumn pilot
#

@shell ore feel free to dm me the issue that you are having

barren root
#

try resetting the lab and resetting the VPN

#

Sometimes it works; dunno why or how it "just" works.

barren root
#

Imma see if it works for me

shell ore
#

it worked, @autumn pilot, appreciate it prayge

barren root
#

And you seem pretty active hence me asking

barren root
#

the πŸ‘ŒπŸ» = okay to DM you or "ok good luck"? Just wanna make sure πŸ˜…

crystal sorrel
#

Kali-Linux-2024.1-VMware-amd64

dim wolf
#

you want to remove a download... from the Kali website

thorny edge
#

Can anyone help me with USING WEB PROXIES, on the ZAP Fuzzer?

dim wolf
#

not to mention that it's most likely illegal

somber geyser
#

Guys, I have a small question regarding an exercise on the CPTS path, can someone help me?

thorny edge
#

Guys, I'm really stuck.

#

this module is just pain

somber geyser
#

In Linux Privilege Escalation, specifically in Shared Object Hijacking. I have a doubt regarding the answer I have to give, because I have already done the process that HTB tells us and I am root.

The question in question is:

Follow the examples in this section to escalate privileges, recreate all examples (don't just run the payroll binary). Practice using ldd and readelf. Submit the version of glibc (i.e. 2.30) in use to move on to the next section.

#

When validating with ldd and readelf, I do not find this information.

dim wolf
#

is glibc a binary?

heavy edge
#

Does the MySQL section take a while for the DB to connect, on Attacking Common Services?

cedar yew
#

solved but thanks

sour dust
#

is there a problem with the vpn servers or is it just me? I have terrible connection issues

next bronze
#

oh wait you're asking someone else kekw

heavy edge
#

So I found some MSSQL hashes, but what do I use to crack them with? John and hashcat do not crack them.

#

Common services lab, btw.

heavy edge
#

The MySQL skills assessment, yes.

#

Not the actual end-of-module assessment.

soft cedar
#

It should be crackable. Attacking SQL DB, right?

heavy edge
#

yes sir

soft cedar
#

make sure you copy the whole hash.

heavy edge
#

this is the hash no?

#

or is the thicc one underneath

#

wot

soft cedar
#

copy everything. starting from ms**

heavy edge
#

oh

#

i love you

heavy edge
#

dont be jealous chef lucas

#

also that was very interesting

heavy edge
#

Did you nmap the IP? Also, did you take the previous module labeled Password Attacks?

north bramble
#

I am using hydra right now, though. I have used hydra and crackmapexec before.

heavy edge
#

I would do the entire password module, as this brings some of it with you.

#

also make sure you run -sC

#

youll see some info

heavy edge
#

one second

north bramble
#

@heavy edge I ran the hydra command and it says 1 password found. Ran with userlist and password list.
There were 26000 of these; how do I find the valid one? 😅

#

sorry for this newbie question

heavy edge
#

I'm scanning the IP right now, one sec.

north bramble
#

oh okay

heavy edge
#

okay so

#

I just scanned the IP with the -sC flag.

#

and you should read the first half of the section

heavy edge
#

I'd read the first half of the FTP section, and from there you'll find what you need.

#

there is always something you try before you do anything else post ftp nmap scan

north bramble
#

Okay, wait, it's scanning.

heavy edge
#

read the first half of the article

north bramble
#

should I paste the scan result here?

heavy edge
#

no

#

Yash, have you attacked FTP in the previous modules?

heavy edge
#

okay

#

so what is the first thing you do before you try to bruteforce

north bramble
#

see when I try

ftp <IP> 2121

instead of prompting for username it goes straight into root

heavy edge
#

ftp ip -p 2121

north bramble
#

what am I missing? if I remember correctly it should ask for a username right?

heavy edge
#

if you are using a nonstandard port for ftp it is

dim wolf
#

iirc if FTP runs on a non-standard port, it's required

heavy edge
#

^

#

what i said but cooler

north bramble
#

kek

#

ftp 10.129.40.164 -p 2121
usage: ftp host-name [port]
ftp> username: anonymous
?Invalid command

heavy edge
#

worked for me fingerguns

north bramble
#

Not working for me.
Can't even post a screenshot here, but:

┌─[eu-academy-1]─[10.10.14.243]─[htb-ac-883403@htb-plsvlrjuxd]─[~]
└──╼ [★]$ ftp 10.129.40.164 -p 2121
usage: ftp host-name [port]
ftp>

heavy edge
#

dont just mash enter

#

wait till the username comes up

#

then go. the box takes a bit to load

north bramble
#

Uh, what do you mean?

heavy edge
#

when it loads theres a bit of waiting time. you can type anonymous and then enter when its a blank screen

north bramble
#

nah its instant for me

heavy edge
#

it will bring up a pw box

dim wolf
#

I wonder what FTP is running on the Pwnbox...

heavy edge
#

I was thinking the same thing.

north bramble
#

Guys, thanks for the help, but I'll do this tomorrow; it's 3 am already.

I gotta sleep.

Thanks again for trying. If I cannot figure it out, I'll be here again tomorrow. GN frens.

spiral lotus
#

yo

#

whats good

#

new here someone to show me around

fathom pendant
#

You literally just add the port after

fathom pendant
#

You don't need to*

#

But also wait for it to load

#

Wait for it to ask you to put in a name

north bramble
#

Okay
I'll retry tomorrow. Almost 3:30 am

tight hedge
#

Hi guys! Could anyone give a hint on the third question of "Credentials in Object Properties"? I have been stuck here for a while :C

merry agate
#

Does someone know any cmd commands that can make me admin on my computer? I got locked out 😦

dim wolf
#

this chat is for HTB Academy modules. see #welcome to verify your account

cloud urchin
#

ask in the baking channel

dim wolf
#

are there even account lockout bypasses?

old vector
#

genius

#

I forgot all about that; there were some other characters that have done that to me before too.

grizzled cobalt
#

I'm working through Shells & Payloads: The Live Engagement, and I think the version of msf that is on the foothold machine is incomplete. I can't find the necessary exploit to throw, and I can't run an update to try to get it onto the foothold box because it doesn't appear to be connected to the actual internet. Any suggestions?

#

This is for Host-02

fathom pendant
#

use (exploit name)

sonic ridge
#

Can someone help me understand how to find the zones in active subdomain enumeration

sonic ridge
#

I did the nslookup "any" and the AXFR zone transfer test, and it returned some subdomains, but I'm not sure how to identify a zone. Or am I going in the wrong direction?

onyx halo
#

Did anyone find the TE.CL section lab from the HTTP Attacks module a bit contradictory? First the TE smuggle is shown, then you force the WAF to fall back to CL. I'm not sure how the second GET request to admin is not blocked by the WAF, since CL stops the body block after 27\r\n (from the example).

fathom pendant
#

The number of zones is small

#

You have exactly what you can transfer to as the zones

sonic ridge
#

@fathom pendant I know the answer already, but I'm not sure how to get there, as I don't understand how to identify the actual zones. Am I at least using the right command to identify the zones?

sonic ridge
#

Ok so then the dns server is holding the records correct?

fathom pendant
#

Sort of, but yes

sonic ridge
#

So that would be considered one zone

#

Would the other zone be root.inlanefreight.htb?

sonic ridge
#

Oh man, I'm really off, lol.

#

Well, I found the DNS, which is ns.inlanefreight.htb.

fathom pendant
#

It's literally the other zone you transfer to

#

The i*.inlanefreight.htb and the inlanefreight.htb domains

outer urchin
#

I cannot for the life of me crack the administrator hash for the hard Password Attacks lab.

#

Dumped the SAM backup and got the hashes, but John and hashcat aren't working.

sonic ridge
#

@fathom pendant now im really confused. So why is it those two?

fathom pendant
#

Also hashes can have multiple uses

#

You don't always need to crack it

sonic ridge
#

@fathom pendant Wouldn't inlanefreight.htb have that localhost?

outer urchin
#

I mounted the share to Linux and got this.
Tried mutated, and rockyou. Hashcat said cracked but didn't show a password, and now I keep getting "All hashes found as potfile and/or empty entries! Use --show to display them." Even with the --potfile-disable flag.

fathom pendant
sonic ridge
#

@fathom pendant ok that one i understand

outer urchin
#

Already deleted it. I'm just going to restart the VM

fathom pendant
#

So relative to the inlanefreight.htb server, the other subdomain is on the same host

sonic ridge
#

@fathom pendant and that would be i*.inlanefreight.htb?

fathom pendant
#

Yes

outer urchin
#

This lab makes me want to pull my hair out, every step is like 45 minutes of troubleshooting

sonic ridge
#

@fathom pendant and I can tell that they are on the same host by using nslookup correct?

gaunt dagger
#

Hey, I'm stuck in the RFI section of the File Inclusion module. The target's IP is not working.

sonic ridge
#

@fathom pendant how is that though?

fathom pendant
#

127.0.0.1 is a reserved ip to refer to localhost

sonic ridge
#

@fathom pendant well i know that

fathom pendant
#

(Similar to ::1 for ipv6)

sonic ridge
#

@fathom pendant thats the loopback address

fathom pendant
#

Point still stands

#

The entry shows that, according to the records you see: the other zone you transfer to is on the same host

sonic ridge
#

@fathom pendant So then how would I identify zones using a website like Facebook as an example?

fathom pendant
#

It's hard to determine because you don't quite know what their infra is like

#

And you generally never need to dig into them

sonic ridge
#

@fathom pendant so then how is identifying zones useful?

fathom pendant
#

Because you might find subdomains that you otherwise couldn't see

#

But again: that goes beyond the scope, and you'd need to refer to whatever company you're trying to sniff at's bug bounty program

#

Sometimes those extra domains are outside the scope of the bounty program, and can lead you to legal trouble

sonic ridge
#

@fathom pendant but if i were to identify the zones on facebook then can I expect them to be on the same host?

fathom pendant
#

Maybe

#

It depends how Facebook has it structured

#

Zones are an administrative dns tool

#

I linked a cloudflare article earlier

#

The point of the question is "don't overthink"

sonic ridge
#

@fathom pendant Yeah, I'm going to read it. I don't think I fully grasp it, to be honest with you, but I'm trying.

fathom pendant
#

And you're focusing too hard on it

sonic ridge
#

Should I just move onto the next set of problems then?

fathom pendant
#

Zones can be useful or useless, it all just depends on scope. As shown in the section, text records might reveal things they shouldn't

#

I.e. what if the flag was actually credentials

sonic ridge
#

Ok, will do. Thank you again, you're always so helpful.

outer urchin
#

this is so scuffed

outer urchin
#

Probably a good idea

fathom pendant
#

I will tell you, everything you need to know has been taught to you up to this point

#

Check if those creds work on other services

fathom pendant
#

Or you're looking in the wrong places to upload it

arctic topaz
#

Sorry, but I can't message in the general channel. I haven't messaged in this server ever, so I don't have a ban. Can someone help me out here?

shell ore
#

Hey, who's up?

#

The auth problem is back again, pepehands.

sinful drift
#

I reloaded the page, the VPN and it keeps loading my IP, does anyone know how to get out of this?

fringe sand
#

Anyone else having issues spawning instances for modules?

#

Target: Target is spawning... forever. Sadge.

fringe sand
#

rip

shell ore
#

I can't authenticate to any host, even after responding.

woven zenith
#

Server Side Attacks: SSRF Exploitation Example
I'm like right there but can't find this damn flag. I have a shell and can see what's in root (internal.py, internal_local.py, start.sh) and have cat'd all of them, but I see nothing. Any help would be awesome!

gaunt dagger
#

Hey, I accessed flag.txt in the exercise directory but don't know how to view the contents of flag.txt.

Here's the url
http://<target ip>/index.php?language=http://<my ip>:<port>/shell.php&cmd=ls /exercise

gaunt dagger
#

Ok thanks

gaunt dagger
#

I reached the flag I used cat /exercise/flag.txt

fathom pendant
#

👍

crisp meteor
#

In Meow I'm having an error executing OpenVPN. Any advice?

outer urchin
#

I really need advice for getting the right hash for the Password Attacks hard lab.

#

samdump on the VHD gives null hashes, and every technique the module goes through for a Windows machine requires elevated privileges.

#

Can't find anything online.

fathom pendant
#

You used both the SAM/SECURITY that were in the VHD, yeah?

outer urchin
#

yes

#

I will try transferring the vhd again

cursive gull
#

Active Directory Skills Assessment I
Has anyone else encountered this issue? I'm unable to RDP to MS01. I've restarted the lab, tried with both Remmina and xfreerdp. The credentials are correct and I do have connectivity; I'm able to run nmap scans on it. I've also tried adding the /ignore-cert flag and still no luck. Any help would be appreciated.

fathom pendant
#

I didn't have issues myself with it though

#

Did you try INLANEFREIGHT/<username> ?

cursive gull
#

I did.

fathom pendant
#

Try putting your path for the drive mount in single quotes

#

Also try doing it without mounting the drive and see if it goes through

cursive gull
#

Still nothing, I haven't had this issue on any other lab.

fathom pendant
#

Try resetting the lab and trying again or try using a different pivot?

cursive gull
#

I've done all those things, tried both ligolo and chisel.

fathom pendant
#

I used ligolo with no issues

#

¯\_(ツ)_/¯

#

The error also shows logon failure

cursive gull
#

Yeah, which is weird because those are the correct credentials.

fathom pendant
#

Hey.

#

It's not

#

Check your answer to q1

#

And check your screenshot

#

Then check again

cursive gull
#

omg...

#

Thanks lol

fathom pendant
#

I had to check my answers because I was like "something feels off".

#

I didn't do assessment 2 yet

tight hedge
#

Guys! I'm a little stuck on this question, as I can't generate the right event.

I need a hint to solve this, please. I've been working on this with no solution 😦

Do I need to change the settings of the user on the server? Someone, a hint please.

#

This is from the "Credentials in objects properties" module

rustic sage
#

Does silver/monthly subscription allow you to access silver/gold modules/path or only annual?

wise vault
#

hi

#

@soft cedar sa:???
These creds are not working, with Windows auth selected and also with server auth.

#

ok

soft cedar
#

or you can log in as admin via rdp with those creds and open mssql, that also works.

soft cedar
# wise vault

That is SQL injection, not Windows. Click on the drop-down arrow.

soft cedar
#

yes that's because you are not admin.

wise vault
#

In the ticket file I just got normal user creds.

#

Do you mean I have to use that password as admin?

soft cedar
#

sa in windows is Administrator

#

I mean when logging in you will have to modify the creds a bit. 👆

wise vault
#

logged in

rustic sage
#

Does silver/monthly subscription allow you to access silver/gold modules/path or only annual?

soft cedar
# wise vault logged in

Okay, so now you can enumerate the DB. If you have a problem with the interface, you can always use the Linux impacket / sqlcmd.

rustic sage
#

guys

next bronze
#

it does, you can use cubes to buy modules

rustic sage
#

damn that sucks

#

so much cheaper to be a student

wise vault
#

got full access to CPTS path

#

upto Tier 2

rustic sage
#

I've got to pay £53+ to get the same access you do.

wise vault
#

also you can

rustic sage
#

gay af

wise vault
#

You need a student email ID.

rustic sage
#

Don't start uni for 6 months.

wise vault
#

Without a student email you can't subscribe.

rustic sage
#

big sad

#

Does any student email work?

#

Or only specific ones?

autumn pilot
#

Use the help page that I sent you to find such information

rustic sage
#

On your site it says that I can use a student email, but somewhere else it says it's only the listed educational organisations

#

which is it

next bronze
#

what's the "somewhere else"

autumn pilot
#

Carefully read what it says there

#

...If the student plan remains unavailable after changing the email on your account to be your academic email, or if you do not have an academic email, please contact support.

rustic sage
#

DM'd you the image.

#

"If the student plan remains unavailable after changing the email on your account to be your academic email, or if you do not have an academic email, please contact support." This suggests it can be any educational email

#

The other piece of information suggests it's limited to whitelisted educational emails

autumn pilot
#

Reach out to support, please; they will be able to assist you.

wise vault
#

🤦🏻‍♂️

proper pelican
#

Hi all, I'm struggling with the hard lab from the Attacking Common Services module. It seems that even though I may have impersonated john, he's not in the sysadmin group, so I can't enable xp_cmdshell nor do any other operation to access the flag. I followed the instructions from the Academy on impersonation. Did it both from the cmd window (after RDPing) and mssqlclient.py. I even found one Metasploit module and it said that neither john nor simon are sysadmins. Any clue what I've been missing here? Many thanks.

soft cedar
#

have you checked for linked servers?

proper pelican
#

Yes. I found 2 servers, one seems to be linked.

#

Im just a bit confused because one of the questions suggests I should be impersonating john

soft cedar
#

and you have done that but you can exec commands or do anything.

rustic sage
#

has anyone hacked hackthebox before

soft cedar
proper pelican
soft cedar
#

your end goal is to escalate your privileges.

soft cedar
proper pelican
#

Any specific way you could recommend to move laterally here?

soft cedar
#

kindly refer to the module.

proper pelican
#

I will try again, thanks. It’s just I can’t seem to be able to use any of the mentioned commands, such as bulk, openrowset etc. due to lack of privileges

#

Like a vicious circle 😁

proper pelican
#

Im executing them from john impersonated account (allegedly). Should I execute them from linked server or at least make it look like that?

soft cedar
proper pelican
#

Ok. Thanks for the very useful tip. I’ll be fighting with this case the upcoming evening.

strange spindle
#

for the What is the flag value located at \\dc1\c$\scripts? question on WINDOWS ATTACKS & DEFENSE: PKI - ESC1, im trying to run the openssl command after importing the cert.pem file to the kali machine from the Windows one. i've been trying every combination i can think of and keep getting this error:

003448604A7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:../crypto/encode_decode/decoder_lib.c:101:No supported data to decode. Input type: PEM

any clues as to what im doing wrong?

#

my cert.pem file might not have the right formatting... these are the (shortened) file contents

-----BEGIN PRIVATE KEY-----
MIIEpAIBAAKCAQEA5j33yZbsQEuxABp6jot1MKfjSRLOkTaDehbYbDjSRY2zUX3h
0WWHez3KOb5ql/tlGe4PZ9KTQLlyL9ksTKG2hcZ4Qe8CeZITEsZfqDFFYnIhZCMu
...
wEllkmxW7uR1JAIfLG7WMS/O3zGLW4D1WmEUMP7IzeuKKn28+M+vuel9G7w7kt8o
0gV1JdIDQDYnGcYUQO2HdAIZVaYeH3C7CMokFXxpYI3nInxwEq/9yw==
-----END PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
MIIGLzCCBRegAwIBAgITFgAAADqZoTLtUlWdCAAAAAAAOjANBgkqhkiG9w0BAQsF
ADBFMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFTATBgoJkiaJk/IsZAEZFgVlYWds
...
htMH/mWNKf7JvA5Oi+jQQ/3PnVmBwCgKfhz/kjYL/ZYDQ/MCrF/uonR1qYYbMJCy
PuKQ
-----END CERTIFICATE-----