#modules
I found the question very confusing
It's basically asking for after you install the submodule
What command would you run
Access to the subnet through the provided machine(foothold) and not through your openvpn
Using npm is just telling you "with npm, find a way to start a simple http server"
Ohhhhh
I suppose using npx I could run the command without first using npm, and after installing with npm I don't technically need to use npx. I see your point
Gotcha. Thanks
Yeah
It's one of the more silly questions
Is this the flavor of trick-question with a match-or-fail design I can expect during certification exams?
Can't tell you what's on the exam
But the exam is flag based
So I doubt it's a "what command is used" and more "submit flag on machine x"
I just saw, crackmapexec is down?
It's been dead
It's been forked to netexec
that's good to hear and answers my question, thanks
There's a whole discussion thread on the cme github as to why
Also the exam isn't leading questions
that's especially good to hear
It's tough but fair from those that have taken it
The exam will only have stuff from it's required path (plus fundamentals)
So you're not expected to know all the ADCS techniques or Custom Exploits in CPTS
nice
Didn't we talk about " Sticky Notes" !
You are answering messages from February.
Hey, guys please tell me where to start to get better in cybersecurity. Anyone?
Depends on your currents skills. Think where you have gaps and try to fill them.
I just started the course
I like to know and practice
Any website on YouTube to watch or practice
Awesome thank you
@fading comet I can recommend darknetdiaries, they have their own podcast site or you can find them on youtube. It's a lot of interviews with hackers and cybersec specialists. A lot of the time people will talk about how they got started in the industry and there are a lot of useful insights.
You can also query your preferred AI chatbot with a properly engineered prompt. For example:
"I have the following experiences/education with computers/networking/programming:
[...]
I would like to get acquainted with fundamental cybersecurity principles. Could you create a roadmap for me showcasing the different areas I should research and add sub-points for specific technologies and practices I should look into?"
Then you can use that roadmap as a starting-off point for your research.
I am currently taking the HTB Academy Cybersecurity Fundamentals path and can recommend it as a good starting point if you want to get more familiar with Linux, Windows, Networking, etc.
Perfect I appreciate your help
my pleasure
Good evening everyone, I have this kind of problem today. I can't ping or reach any target machine from academy. I tried both my own machine with VPN and Pwnbox
Can I DM you regarding this? I thought I was on the right track but I'm still lost
are you sure you are using the correct ovpn certificate? Does the vpn connection work but you can't ping the machine once you are on the network?
if so, did you remember to spawn the target machine?
i tried to change vpn connection (no result), Pwnbox on a different server, respawn target. not working for me
any ideas why the LFI skill assessment on the ||log poisoning|| part is basically impossible to do through default burp install / settings?
I had to curl my way through it
idk why, but it started to work again. Guess admin buff xD
haha
once I SSH into a target machine on my Parrot VM, the terminal gets so slow, I can basically brew myself a tea while I wait for a command I typed in to appear. Maybe there's just a lot of server load lately.
I rdped onto a target, lasted for a few secs then it closed itself and now I can no longer rdp into it....very weird, not sure what to do sometimes I am spending more time debugging these issues than on the contents of the materials themselves....
mb mb, ty for response
sure, no worries
and again I get access for 30 seconds almost get to run a command and it closes itself again
write it in mousepad and ctrl+v it in
will take as long to type in as it would one letter
That is an excellent idea
yea, get used to it. Lotta latency on them targets sadly
ISDN era problems require ISDN era solutions
I will pretend that I got the reference LOL
latency is one thing but losing access to the machine intermittently is another
You don't have much to do... just patience...
well, it's the type of dial-up connection you had before DSL
oh yeah try the uhm
it wasn't fast
/bpp:8 /compression -auto-reconnect -wallpaper +f -clipboard
flags to xfreerdp
use ctrl+alt+enter to leave fullscreen
it's shit and it will be shit. had to go through the same process. In one module in particular I basically had to cheat past one creds step because that's the only way I could finish the exercise without using RDP
interesting, thanks for the settings, I guess this is where I should have thought outside the box
cool ? I guess? I mean now that you explained it it is kinda funny
no not really that's a quality issue : p
I mean RDP will always have more latency than remote shells
but this is unacceptable. Whenever I had an issue like that I wondered "would an employee working in such an environment be able to get anything done" great way to discern quality issue from your own skill issue
KEKW. I had a german friend lately explain to me what it means to be a "german potato" or some shit like that. With the lawbook and industrial standard thingy and stuff. almost spilled my coffee that time
BUT, do research on other tools than HTB suggests. There are some hidden pearls out there : p
you mean like more stable RDP clients ?
no that's just RDP being RDP and latency being what it is. Oh also increase the timeout using a flag I forget what's it called exactly just go xfreerdp --help | grep time and set that to 100000
well, excessively exact standards and regulations often sound silly in isolation, but then again, it makes the supply chain more resilient against greed the same way standards and regulations in development can make applications more robust and secure in production. There are some really funny ones though, the EU in large has them too
good catch on the timeout flag
np, one of the community moderators taught me that flag combination
okay, Im off to play some apex to chill after that LFI BS I had to go through
hf
happy hacking and good luck. Feel free to dm me anytime if you've got any questions greenhorn.
I appreciate that
I'm pretty sure a malicious IP just attacked the Pwnbox I was in while I was working on the skills assessment for AD. I have some screenshots. Where do I report it? The IP came back as a known malicious IP in VirusTotal. I don't even know if this is the right section in Discord XD
Probably just send an explanation of the incident to HTB Support
I'm just curious, how did you find that it was attacked?
Was in the middle of skills assessment with python3 -m http.server on the generated IP. Then, a random out of scope IP started downloading and sending requests to the box.
That's weird as hell
Yeah it was rather strange so I took a screenshot of the 5 requests that were made in a second, terminated box/session. Thought I'd report it.
Wait but wasn't that ip internal then? Like 10.x?
how did you think that you can access pwnbox, if there is no connection with "the outside world"?
Web
well, I mean if he is hosting a webserver on it
at the very least I thought someone could tell me I was wrong and at least tell me why otherwise could be useful information?
Can I share screenshot on this thread? Maybe someone can illuminate me, if I'm dumb or not.
i would love to see it ngl
When you host an http server on a machine with a real ip address, it'll try to expose a port on that IP address to the internet for web-access. So, your Pwnbox may have been web-accessible at that point. Does look like it from the screenshot.
There are bots that will scan far and wide for accessible ips on all sorts of ports to try and find vulnerabilities. If you expose a service with default authentication credentials, that becomes a potential attack vector for turning the machine into a botnet bot. It's kind of what the labs challenges are about.
||wrong channel mb||
rly? but that made sense, it could have been a crawler lol Not all bots mapping accessible ips also do attacks, some just map the internet
That's actually good information. Learned something new then. Do y'all think this should be reported or nah? IP in VirusTotal shows malicious
While it may very well have been a malicious IP, I doubt it would have found anything interesting. Since it only made GET requests and a PRI request and didn't get anything, it should be fine.
had to look up PRI requests, actually, so I learned something too lol
On the servers I manage, requests like this and worse come in constantly. It's a real barrage. They try to go right for the juicy stuff too.
I just definitely wasn't ready to see that in the environment so I thought I'd say something just in case xD.
Seems like a solid procedure. And now we both learned something, net benefit all around
Yeah forreal. I'll take that!
Hi guys, can someone help me to understand a problem in the module Stack-Based Overflow with Windows x86? I have written a post in the forum with the details https://forum.hackthebox.com/t/stack-based-buffer-overflows-on-windows-x86-jmp-esp/282719/5?u=thor.elveneyes
maybe vt said it's malicious because it's some automatic tool that is scanning the internet all the time. There are a lot of people, who don't have really good intentions, who are using automatic scanning tools to find "interesting things"... imagine that an admin is exposing on the internet an insecure server for like one hour. Finding something like that is pure gold..
yeah, that stuff can happen very easily.
Would y'all recommend a different method of file transferring? I was moving mimikatz and printspoofer. Or just use a different default port?
remmina is stupid easy
what's the scope? Are you transferring on the same machine, between machines on the same network or over the internet?
10.129.x.x to 172.16.7.x on Skills Assessment 2 - AD. So, different networks. Using SSH to get from one to another. RDP port not open for remmina though that's typically what I use for RDP sessions.
@pseudo birch is SFTP or RSync an option? I can't really assist on this one, I'm not that experienced with network stuff on windows yet Gotta get into that Windows Fundamentals Module first xD
You can dm me
since SFTP should use SSH it would probably be a question of whether the service is available or installable
Negative unfortunately. I could see if I could upload SMB and go that route. Python3 -m http.server is just super quick. Because I'm having to xfer from host to attack machine to sql machine then onto DC
sometimes you can enable rdp
i haven't done that module though so i don't know specifically about that
might be worth a try. See if you have enough privileges to enable/install stuff
honestly downloading through a remmina copy/paste is going to be just about as fast or slower than using the command line to grab it from the python webserver you have
establish the ssh connection in vs-code, having vs-code install the vs-code server package on the target machine, then see if you can get into the explorer and download/upload stuff via the editor
I doubt that'll work, but if it does, I'd say it'd probably be up there with the worst possible solutions.
i use smb or python or evil-winrm to transfer files
or meterpreter ; p
Honestly one of 3 reasons I use it
outside of that, if you've got a fancier keyboard / mouse, set up a macro to paste a command template to fill out
Hello all, I have a question about setting up the HTB Parrot OS on VMware in the Setting Up module. Every time I close the VM and turn it back on, it asks me to install Try/Install. Will it always do this? Am I setting it up incorrectly? Do I have to do the Parrot OS installation on the desktop every time I power it on?
Change boot order/dismount the iso
It's booting from the cd first
Which is the install iso, and not the vhd you installed
Thanks for the quick response, I will try this
can someone give me a oneliner for powershell to upload a file over ftp to my kali?
lost all my notes, my vm crashed, had to setup a new one
I am stuck at snmp footprinting. snmpwalk and snmp-check both are giving "SNMP request timeout". applied delay too. sometimes the query is working, sometimes it doesn't work. It's the same query. is it some kind of glitch or is it meant that way?
Whats the timeout you set?
If you don't set a long enough timeout the script will just go over the users too fast and it won't get a response from the server yet, meaning it will drop the user
The sweet spot I'd say was 15-20s
Around that
are the certificates unstable?
25
Got the problem. The target ip is getting offline. smh
rip. But for me it was smoothly enum users without any glitches. So yea make sure your target stable
been happening from 2 days. target ip goes offline in between.
:/ i haven't worked on the path in a few days since i got ill, if you want you can send the command you used and i'll check if it's correct
Do you have openvpn running in multiple places? Do you see multiple instances from ps aux | grep openvpn?
If you do, each client will fight each other for the connection, resulting in your lab connection going up and down frequently
Just spawned mine, works fine for me avg 8ms on a ping. And did some scanning had no interruptions
"works fine"
yeah that might be it
killall openvpn, or just reboot and give it another go. Hope it helps!
using pwnbox now
Note on Pwnbox it connects to the VPN automatically on your selected lab, so you don't need to run the openvpn command yourself
is vpn not working rn
snmpwalk -t25 -v2c -c public 10.129.185.100 . is it right? I'm getting timeout issues
Ah snmp check?? Wait i thought you were the guy with the smtp question before
Fk my bad
On the snmp section you don't need any timeouts
So yea your command without the t25
yeah same guy. just different module now
Timeout: No Response from 10.129.185.100
Yea sorry smtp and snmp if you check fast are very similar.
Have you tried changing vpn servers?
237ms is the minimum. F
I just ran the command and i got all the info instantly
What about eu academy to 2?
using pwnbox
Well I'm pretty sure that matters as well which server since pwnbox is based on it
Pwnbox connects to it automatically
- has the location
yeah checking out different servers now. dk wtf is going on
--- 10.129.185.100 ping statistics ---
161 packets transmitted, 5 received, 96.8944% packet loss, time 162083ms
rtt min/avg/max/mdev = 99.232/7383.196/33356.948/13006.885 ms, pipe 33
wtf seriously
5 received is wild
missing those days, when ping response used to be fast.
look at dat packet loss xD
i wish i got those marks in school. lol
That's a pretty mental loss / latency. Which lab server / target?
(on Pwnbox I think you said?)
snmp footprinting. academy module. UK server.
Got a link to the module / section please?
wish to be done with footprinting module. done with snmp finally
i have the full output of the snmpwalk in a file, i could send it here for him, its just the output, he still needs to find the correct stuff in there, and his command above was correct
can i report anywhere, son of a gun. target goes offline midway
I guess its just real time practice. Unintentional real time frustration
first i thought it's 96% received which well still not optimal but nothing WOW. then double looked
something wrong with servers? my target keeps dying on windows priv esc
finally someone going through same
yes when i try to connect with xfreerdp
i have to keep doing ping to check if target is up, then run the command
yea same but it wont come back up this time
I am on a different module bud. but going through the same
--- 10.129.3.53 ping statistics ---
88 packets transmitted, 0 received, 100% packet loss, time 88149ms
well well well
PING 10.129.43.44 (10.129.43.44) 56(84) bytes of data.
^C
--- 10.129.43.44 ping statistics ---
137 packets transmitted, 0 received, 100% packet loss, time 137816ms
they lied to me... should have been 1k
I did face some issues - I've reset the Pwnbox a couple of times and it's now come up fine and can access the target. Unsure what's going on there - might be an issue with one of the nodes hosting Pwnboxes.
Could you try terminating / starting the Pwnbox again, and when it's up check if you've got tun0 in ifconfig?
i think i tried about 15 different targets now
problem is target dying midway.
ohh just noticed you are the staff member
academy-eu-1, yes?
Connect to Pwnbox: Your own web-based Parrot Linux instance to play our labs. Pwnbox Location: UK (170ms). Terminate Pwnbox to switch location
I'm getting the following error from evil-winrm with credentials I picked up from nxc:
Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
got tun0. still target is down.
been like this for hours
Mind if I DM?
sure
Does anyone have any ideas regarding my evil-winrm error? Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Okay, it is working through pwnbox...but now none of the commands work.
Except for cd
switch to eu-academy-2 vpn. eu-academy-1 is having some problems
@valid viper
The issues on eu-academy-1 should be resolved now
Our sincere apologies for any inconvenience caused
This still isn't working for me.
I'm connected via PowerShell over pwnbox, but the commands are timing out.
And then it's disconnecting.
Can you DM me your VPN IP and target IP please?
Thanks for your post!
if you do http://127.0.0.1:3002, connection stays open and for port 2222 it errors. I would assume this is POC.
||[*] Exploit completed, but no session was created.
msf6 exploit(unix/webapp/get_simple_cms_upload_exec) > options

Module options (exploit/unix/webapp/get_simple_cms_upload_exec):

   Name       Current Setting  Required  Description
   PASSWORD   admin            yes       The right password for the provided username
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  admin            yes       The full URI path to GetSimplecms
   USERNAME   admin            yes       The username that will be used for authentication process
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   0   Generic (PHP Payload)

View the full module info with the info, or info -d command.||
im on getting started lab i found the username and password ||admin:admin|| the login page is at ||/admin ||but idk what to set for targetURI
Might want to look up what a URI is, that should give you the answer
its the full url but in the prev example they just put down the nibbleblog and not full url
Can't say, not sure where my notes went for that, I'm missing half the module including the lab. If I had to guess it should just be the IP, if that fails just add the rest.
I don't recall needing to change the uri but it's been a minute
I used a regular poc for that instead of metasploit
Hello. I got a flag while solving the nmap problem, but I wonder what the solution is.
BloodHound is making me very confused. While looking at the data I collected while in a domain-joined machine, it clearly states that the user X has no admin or RDP privileges on machine Y. But I just found out that user X can in fact RDP to X and run admin commands. What gives? SharpHound is compatible with my version of BloodHound.
|| just scanned udp ports ||
Just look into the folders you got!
That was from a couple months ago dude lol
I'd hope they got it by now
If you scroll down too you'll see they figured it out
Hey guys was doing the Learning Process module, but couldn't understand a part where it's being defined what is a question:
Let us, therefore, create a situation with a question to test this statement. Let us assume we see host A and host B. To do this, we can ask the following question, which we will also ask during our penetration tests:
How is Host A connected to Host B?Our goal was to obtain or acquire information with the help of the question posed. Did we obtain or acquire any information from this question? - No. Regardless of the form of the questions asked, strictly speaking, the official definition of the question also missed the point.
Context: The module is debating how the official definition of question doesn't always apply and gives the example of the question above: How is Host A connected to Host B? and then says that we do not acquire any information from this question, however don't we? For example Host A could be connected to Host B with a copper wire, so that's the information we obtain after posing the question.
I know this a weird question, but I wanted to see what point the creators are trying to convey that I'm failing to understand, if anyone could answer that'd be great!
They are looking for the NT part of hash only!
Thanks. Then there's a case where tcp opens with -D RND so I can get a flag and I'm so curious if this is just a bug.
what did your command look like?
-D RND from what i remember is used to specify a decoy scan
Always be thinking about things, basically
The other thing is more of a networking question than physically how it's connected
Hello everyone. I'm quite stuck on a module and it has been 3 days with no response from my HTB academy support request. I was hoping one of you may be able to help/clear something up for me.
Module: Using Web Proxies
Section: Proxying Tools
[RESOLVED] Issue: the section mentions editing proxychains.conf but I don't have the permissions in the VM to save the advised changes to get proxychains working.
[RESOLVED] Question/Concern: wtf am I supposed to be looking for/doing to pass the section question? I have started burp and metasploit. I've set the "use auxiliary/scanner/http/http_put" but when sending the "run" command while monitoring via burp I get "error: file doesn't seem to exist. the upload probably failed"
I'm not sure what I'm supposed to be looking for/doing at this point as this module just feels all bugged out.
EDIT for anyone looking for an actual answer:
How-to: edit proxychains.conf:
open MATE terminal
enter command: sudo vi /etc/proxychains.conf
to enter insert mode- hit the letter "i". you will see -insert- at the bottom.
move to where you want to insert the "http 127.0.0.1" and/or go to remove the # from the #quitemode line.
hit esc/escape to exit insert mode and enter back to "command mode"
type :w or :wq , :wq saves and quits the editor. :w only saves.
note: looks like sudo vi lets you modify as root whereas sudoedit will only save the modified version under var/temp/
Use sudo to edit it then
good idea but still no dice. cant save over the file in its base directory. root/etc/.
Sudo works for me to edit files I might not be able to write to as user
is that a generic statement or is this the process you used to modify the proxychains.conf file when you were doing the module?
When I've needed to edit, yes
is the optional exercise necessary?
it's optional but recommended
but I'm lazy, don't want to write 500 words
It says at most
that's fine
Not at min
Alrighty ty!
ok
It was sometimes on tcp ports through the command below. I was wondering why it was on tcp.
*nmap -T4 -p53 -A -v {ip} -D RND:5
*nmap -T4 -p53 -v {ip} --source-port 21
No clue then lol. Both commands scan tcp ports.
I don't remember getting anything useful from the tcp ports
Dns runs on both tcp/udp
Yea but the flag im pretty sure is || only seen from the udp one ||
¯\_(ツ)_/¯
Footprinting medium lab. He apparently got it somehow differently
doesnt ring a bell for me
Hey guys, stupid question but I need to make sure. Once I complete the modules, they are mine correct? If I don't finish the module, then I have to pay for it again right?
once you complete it, it's yours forever
If I miss one little portion of the module, then it can't be re-looked at right
Let's say I do it all but forget the final assessment etc etc
then you won't have access to the module once your subscription expires
if you unlock a module with cubes, then i think you keep it forever regardless of completion
OK, so the entire module needs to be 100% completed not a single question missed
yes
I will be done with the modules by August for all three of the exams. I'm doing that to save money.
Then test later
Done with bug 75% for pen, tester and half done with SOC
i really want to do the senior web pentester path..
Examine the communication patterns of the malware and provide the domain it interacts with as your answer. Answer format: .._ https://academy.hackthebox.com/module/227/section/2498. I've run Noriben and strings already with no success, also have taken a look at x64dbg
I don't think it's worth the cost
we can't really know until we do it ourselves or enough people give their reviews about its contents
i'm already torso-deep in academy content anyway
Can someone help me i get this in the session hijacking xss module bug bounty
is your script.js in your current directory
Which directory exactly should i put the script in
Hey, does anyone know how to deal with this RDP error ? I see it quite often and cant manage to solve it
[17:00:16:425] [136556:136557] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 0: Succès
[17:00:16:425] [136556:136557] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
Its now in the home directory
To the directory in which you started the server
the directory you start your server in has to contain your script.js
No way on earth you goated
Yeah thanks mate
i don't have my notes atm but
try checking the Debugging section again
iirc there's something there that can potentially help
my last attempt would be to use inetsim let me try that
@dim wolf little confused on what to do here
set it to your vm IP, not target IP
actually you cant use inetsim here if you don't know the domain name it's connecting to
yeah thats the problem i thought about
you will just have to try and use wireshark
I think I used IDA to solve that one. Inetsim was only used on orange
alr ill use wireshark
Possible that it was x64dbg
for wireshark do i just start a capture, run the exe, and start looking?
If you're asking that then you should go over the traffic analysis module again
A question asks about the serial number of a windows system, this should be it right ? it does not seem to accept it
i spawned another machine, got a different serial number, still not accepting it....
apparently it's a different command for vm
where do i start?
I just send a question once, and the bot sent me a warning about not sending the message again and again
Be mindful of the #rules
I did not break any rules
automod doesn't like large messages for unlinked accounts ¯\_(ツ)_/¯
Same reason as to why you can't post images
https://academy.hackthebox.com/module/143/section/1489
i was able to DCsync ||khartsfield|| however im not getting results using ||"hashcat -m 1000 <khartsfield NTLM> /usr/share/wordlists/rockyou.txt"||
am I using the wrong wordlist?
Trying to connect to RDP for the Password attack labs Pass the Ticket (PtT) from Windows and receiving this SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server. How can i be able to solve this https://academy.hackthebox.com/module/147/section/1639
Read the question one word at a time
Can try adding /sec:tls to the end of xfreerdp command to see if that works. Wouldn't know any more than that
https://academy.hackthebox.com/module/134/section/1207
I'm on blind XXE trying to use XXEinjector I've followed all the steps and I'm getting this error:
[-] Wrong HTTP file format.
did they change how the tool works or what?
(SOLVED)
Thanks works
Going to need more info, like module / section, maybe the question...
win fundamentals > windows security, Find the SID of the bob.smith user.
Out of curiosity what do you mean by unlinked accounts?
Make sure you have no white space, in your image you have a space.
yeah, made sure there is nothing behind S, still no luck
Your image and spoiler do not match, your image is correct. Also be sure to remove both spoilers as they provide the answer
Thanks
lmao I typed it manually and it worked, how can copy pasta copy something different ?
That's on you to figure out
Whitespaces exist. Be it in front or at the start.
Annoying
i dont think it was, deleted the last character and retyped it to be sure, my theory is something with powershell ASCII formatting, but who knows, first time i encountered something like this in the modules
password attacks lab - easy : ive been trying to ssh2john these to try to get the root password. but i just cant. ssh doesnt work for mike. is there more files i need to try?
Not sure why you're trying to do that in that directory. If ssh2john isn't in your path just call the full path
I know this was asked many times with no resolution but is there a way to change to light mode on HTB academy without using an extension?
Correct
so, I have two separate accounts, one for htb and one for academy, I have a subscription for academy but obviously it is not showing when doing the identify command, what could I possibly do here? or plz direct me to somewhere I can ask this question
can someone give me a hint on the advanced xss / csrf skills assessment, I can already extract all 5 pieces of data i can find but there is no flag in there?
Discord only uses the main platform for the identify command. What's the issue since your account is already verified?
I thought there was an academy role, but maybe I am good
There is just for cert holders at the academy.
if I get a cert, how would that be verified?
It's pinned at least in the CPTS chan
got it, thanks!
what tool do you use to enter the password into a .img (bitlocker) so that you can mount afterwards
hi guys. is available a specific module on htb where to learn how to build malware from scratch?
or where to find it? thank you
vpn is not working since yesterday what can i do
Download a new VPN file
Then reach out to support
k
thank you. Is this one the best website?
can i start from scratch there?
yeah one of the best and well you need to know how to program in C they will go over C but not as in depth but sure u can
There were ppl having like 96% packet loss yesterday on eu academy 1 vpn. They fixed it but maybe they're still struggling. You tried changing that too? If not support best chance
anyone know how to access Kibana on the pwnbox or is this something I have to set up myself? Trying to do the SOC Analyst path and I am on "Introduction To The Elastic Stack", can't seem to find anything on pwnbox to do the task
Password Attacks Hard Lab
i got the password from one of the .img that were inside of the B......vhd
now i try to use dislocker to decrypt the .img but i cant get it to work, does it mean the password is wrong?
intermediate level of C programming is enough to start the course?
and should I also learn assembly x86 before starting?
that is good enough maybe more than good enough
Guys grep '^re.*\.exe$' example.txt is this the correct way to filter out word that starts with "re" and ends with ".exe" in a .txt file?
i never used eu 1 , the problem was in my vmware NAT setting
u dont need to i believe
Yea It filters lines in example.txt that start with "re" and end with ".exe".
I usually always make a dummy file. Put some stuff in and test if it works. There is always a chance that you/someone else looking at a regex misses something
ok thank you. When assembly x86 should be learnt? only for malware analysis jobs?
i am not sure about that but im sure you will learn more about it along the way in maldevacademy and their discord channel which will help you a lot
Thxx
Colleagues I have a question, I'm in the ssh tom but I can't find a way to find the HTB user, what I see is a script reovery.sh module Footprinting --> hard lab
maybe you can look at what commands tom used before
I see several strings like changing the password for Tom @fringe urchin
anyone not able to get vpn working? just went down for me in the middle of a section 5 minutes ago
chpasswd: (user tom) pam_chauthtok() failed, error: @fringe urchin
Yea i guess it failed. Any other thing that looks interesting? Maybe he tried to login to a service or something
I see that you are generally changing your password but you have not been able to make the change
@fringe urchin I see that you are generally changing your password but you have not been able to make the change
history can often be useful
There is a mysql service in bash_history you would have to log in on this side to be able to log in
I'm having an issue with the ACTIVE DIRECTORY ENUMERATION & ATTACKS module. I'm trying to exploit the PrintNightmare vulnerability with CVE-2021-1675.py exploit. I followed the lab instructions but I keep getting an error when I try to use the exploit
Yep
It shows you how he logged in
Please is there anyone that can assist me with this. I'm trying to send an screenshot of the error but it's not working
Hello
Bash history is what i was referring to
Sorry that it confused you
thats on me
I see that I have to access a mysql service but what I can't find is the password for that service @fathom pendant @fringe urchin
You have it
bash history
Don't overthink
What I can deduce from the strings is that I couldn't change the password, and the history shows the mysql service, but I'm trying to log in with the password and it won't let you access @fathom pendant
You have tom's password from before
^
Hi all, I'm working on "Attacking Web Applications with ffuf" on the "recursive fuzzing" sub-module. Attempting to answer the question "use what you've learned so far to find the flag". What I've done so far is: 1) fuzz index for possible file extensions 2) after confirming the file extension, I start a recursive "scan". but I'm not finding any new directories. 3) back to step one, I'm currently performing another directory scan to verify that I've not missed any directories. Is there something obvious I'm missing from the content?
I dont remember from where the password change is but its not important in this context. The only info you get from it is, the password failed to be changed and its still the same as before
So try to internally login like its shown in bash history
Shit is that I have a problem starting the mysql service from my local machine, sorry for the inconvenience @fringe urchin @fathom pendant
You don't need to start it
No. You dont login to the msql via your machine
But via the ssh tom session
'Cause I never thought about it
Well if you see commands from bash history it means they were run on that shell, so most of the time these kinds of commands you can run too, that applies to mysql as well.
Did you manage to do it?
I'm performing the queries in the database
I've made it thanks to @fringe urchin
congratz! Btw which file is it where it says he failed the password change. I sadly dont have the name in my poorly written writeup
Or is it in bash history?(I dont have the full bash copied)
I've found it through snmpwalk where the strings indicate that the passwords could not be changed @fringe urchin
Ah snmpwalk. Ty for the answer. I started doing proper writeups at shells and payloads
During the walk
Are modules ever broken? I'm doing the Skill Assessment of the Command Injection Module. I'm literally sitting here for a full 6 hrs and I am as far as I was when I started. I read through the entire module 2 times and I am not even sure if I am working with the correct field. It never says anything unless I put in less than 3 characters
That module is not broken
ty
feel free to DM me if you need some tips
yea just checked. Have only the password from the walk
glad i do em better now
omg this module is so big, finally i can head to the next module phew
What's the error... What did you try?
RPRN Session error: code 0x2 - ERROR_FILE_NOT_FOUND - The system cannot find the file specified
You're going to need to provide more than that. Your question and response is that of telling a doctor over the phone your leg hurts and expecting them to know everything.
What did you try? Also you said a lab, which one?
It would be easier if I can send screenshots but I don't know why I can't send images on here. Is it alright if we solve this in the DM?
No, read #welcome to verify your account, you'll be able to add images then. Also no because someone else may have a similar issue and it could help them down the road. And lastly no cause I come and go and between me disappearing someone else may chime in to offer as well.
What section?
What command(s) did you use?
Not saying any of that to be mean, but to help.
You also need to be at least the rank of Hacker in order to post images AFAIK
Not in the academy chans as far as I'm aware
Aha
nvm. got it.
That's only in #general
use -v for verbose mode
--verbose - the option is shown right there
omg
If in doubt, run man <command>, e.g. man crackmapexec to read the documentation
is smb runing on remote server
--verbose needs to come before smb
@onyx halo i think so, it just has port 22, 139, 445
it doesnt look like its attempting brute forcing
It really doesn't... you have a tun0 up in ifconfig?
Might be a dumb question but you still connected to the VPN?
yes to both
tun0 is up / vpn is still running and connected
im on password attacks medium lab if that helps
DM me the VPN server you're connected to, your tun0 IP and the target IP
smbmap -H <host> -r ?
so i got connected again, found \myaccount share. but dont have a username yet. can you maybe help point me in the right direction? should i try hydra on ssh?
maybe add more slashes
////10.129.75.79//myaccount
maybe you have to escape the slashes in the name.
Other slashes, I think
\\\\<ip>\\<account>
Also check man smbclient for usage examples
I gotta go, good luck
Yeah, re-read the material @novel hinge
There are examples there of how to use smbclient
he is correct it's smbclient //<fqdn/ip>/<share>
but his error says nt bad network name
so there's something going on there
That's not what the module documentation states
The attacking common services / smb section will provide info
Could be that's under Powershell?
They're running under a bash shell
Anyway, the module documentation in the Password Attacks > Network Services has the information you need to use smbclient
nn
Get some sleep
which module is this? i did most of the ones with smbclient but i don't have notes on /myaccount
HTB{$(cat flag.txt)}
hi i am stuck on footprinting easy lab. when trying to connect to ftp proxy nc -nv 10.129.54.11 2121 the server just hangs after sending the banner
type ls
im not logged in so it returns nothing
nevermind, resetting the lab fixed it
still interested to know if the ftp proxy is supposed to hang when connecting
Sometimes that lab just breaks, or I've never been patient with it
not sure if this is another error on the lab's part, but i copied .ssh/id_rsa to my home folder w/ perms 600 and its denying it when using -i id_rsa
Using correct username?
chmod, correct path to id_rsa?
Your command is correct
yep, id_rsa is in the same directory that im running SSH
Check the id_rsa file to see if it is correct?
i re downloaded and its the exact same size
i even b64 encoded it and compared the first and 2nd download and theyre the same
Like make sure no extra new line in file
i guess? ¯\_(ツ)_/¯
Ok I feel kinda dumb for having to ask this.. in the Using CrackMapExec module, Basic SMB Reconnaissance section, the last question is What's the OS version? This should be simple from what I can see, but no matter what I try to put in for the answer, it says incorrect...
did u run a nmap -sV?
yeah
show the screenshot
just running crackmap smb give me the OS as well...
it's tier III so probs not super easy
of the answer or the command?
I don't have that module but if you try to connect it should just spit out the os on the first line
in xss and file inclusion php payload are used , should i be expert in php or should i know enough what the code is doing
ohh its not CPTS.
Anyone can help me?
Module: Password Attacks
Section: Lab hard
I get the kdbx file, so I try guess the pass but, I'm waiting for hours, is this a rabbit hole? I get the first user, just J...
Just enough to write really dangerous code
You should be able to crack it - if it helps afterwards is a different question.
thats mean i have be expert
Only if there was a tool to use to help extract a hash, alas I wouldn't know...
there will be like js , php , python and low level lang
you can dm me
bruhhhhhhhhhhh
No
where can i learn about php , rn i was using w3school
or anyother coding lang
Ok, i'll wait jajaj
As a rule of thumb: It never should take more than maximum 10 minutes to crack something with HTB - more like 5.
lol
lol, what?
lol waht u said
Unless a module is about brute forcing you generally don't need to use brute force, and should avoid it.
I check my notes, maybe I do something wrong
you can DM if you need help on that part
¯\_(ツ)_/¯
the password cracking module can take more than 10 min
I'm not sure where to ask, but I'm trying to work on the new box Usage...
And I can't ping the box. I tried re-downloading the VPN.
too slow @tulip dragon
'You do not have access to this link.'
Okay well...
I also can't get retired boxes to spin up either.
Is HTB just FUBAR at the moment?
So the machines that I can get to won't spin up, and machines that I can't get to will spin up.
fine for me, what vpn are you using? not academy still right
No, I'm using the right VPN.
Machine is spawning, please stand by...
This is what I'm getting for retired boxes.
well, I am using the vip boxes, someone else just reported an issue in #cpts so maybe the free ones are overloaded
pretty sure its site-wide
my academy lab isnt launching either
It's not just the labs, but the boxes
And for some reason it's defaulting to EU instead of the US.
Alright, well I guess HTB is done for a while.
appears to be back @valid viper
Thanks man. Yeah I'll check it tomorrow, hopefully it'll still be up
why academy guided lab machine are so slow.
Is there anyone else having issues connecting to the target machines via the modules?
hey! im struggling on just one question on the Windows Attacks & Defense module, in the Print Spooler & NTLM Relaying section, is this the right place to ask for advice?
Are you trying to exploit PrintNightmare?
no its the question dealing with preventing the PrinterBug attack. The question specifically is:
After performing the previous attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and make the appropriate change to the registry to prevent the PrinterBug attack. Then, restart DC1 and try the same attack again. What is the error message seen when running dementor.py?
i feel like im for sure missing something simple, i was able to do the question before it with no issues but am stuck here...
I'm not familiar with the PrinterDebug attack
Yea just keep trying, I'm sure you'll figure it out
no worries! if anyone has any suggestions, please feel free to @ or dm me! :))
Hello, i am on the nmap module and looking into ids/ips evasion. I am trying the technique with the ACK scan (-sA) combined with a 5 ips decoy and it just runs soooo sloow. I know -sA runs slower than the syn scan but it barely goes 1% in about 20min. Is that to be expected?
https://academy.hackthebox.com/module/163/section/1554 Hey guys. I have a problem. I can't find the sql console page described by the module. I don't know if it is an environment problem.
The SQL console as explained in the section can be found in the Settings
@autumn pilot Hey man, can I ask you a private message?
you can ask here
The problem I'm currently having is that the PersonaBar is not loading
PersonaBar?
Hey guys! Anyone encountered this issue on the module Windows Event Logs & Finding Evil - Tapping Into ETW: After I started capturing ETW events I created the cmd command process from spoolsv.exe but I cannot find any process id info in the etw.json file. No log info about this spoolsv.exe.
Hi everyone, I'm on the Windows privesc module from cpts path. I'm playing with permissive registry ACLs in attacking the os/weak permissions section. I was able to complete it with other privesc in the section but this particular method seems like a dead end from htb-student user perspective. The course example is to use accesschk.exe with 'mrb3n' as user. That dumps a lot of 'KEY_ALL_ACCESS'.
With htb-student, we got some permission like CREATE_SUB_KEY in BTAGService, so ok i write a setting and link the setting IMAGEPATH to a netcat command. But first the BTAGService is a bluetooth thing, i guess it is just disabled in the vm, I can't restart it, it does not start after reboot and then I don't know if a setting I own in a service will trigger the command. I tried the technique in my home lab where i was able, as admin, to create a service and give a low priv user KEY_ALL_ACCESS, so i know it works. Am I missing something here or the course was just stating 'this technique exists'? I'm asking because I can't think straight about it anymore... Thanks!
I don't think you can do that with this module. I think it's just saying if you have permissions over the registry key you can abuse it.
Thanks!
how can I get access to this channel?
Read and follow #welcome
thanks
hi
Right lads need someone to point out where I'm being stupid here, currently doing the ARP spoofing and abnormality detection and have wireshark filters set to "arp.code == 1 && eth.src == 08:00:27:53:0c:ba" should filter out correctly if I'm not mistaken, what am I missing here? Just a nudge would be appreciated
hello, have you done web service api attacks? because i have a problem with this question (Exploit the command injection vulnerability of the target to execute an "id" command. Submit the privileges under which the server is running as your answer. Answer options (without quotation marks): "user", "www-data", "root"). i have tried like this: curl http://10.129.202.133:3003/ping-server.php/system/id
What's the issue?
i dont know what i make wrong
did you curl the url?
yes
dm me
Hey guys can anyone help me with usage room
#1228763236409802814 read and follow #welcome to access it
ok
Bro it says No Access
Read my message fully
Okay
Hey can i do academy modules on vip+ instance?
you don't. vip+ is on the other platform. academy is its own platform.
Hello, I'm on "SeImpersonate and SeAssignPrimaryToken" page of "WINDOWS PRIVILEGE ESCALATION" module.
The page says ' Attackers often abuse this privilege in the "Potato style" privescs - where a service account can SeImpersonate, but not obtain full SYSTEM level privileges.'
What is the reason why it is called "potato style"?
The original exploit was called "Hot Potato" and there have been several modifications, such as "Juicy Potato," "Rotten Potato," "God Potato," etc, so they've become known as potato attacks
ah thank you, it's not related to real potato
https://academy.hackthebox.com/module/163/section/1554 Hey guys, after logging in to the backend using relevant credentials, the relevant resources cannot be loaded normally. Did I miss something?
The current situation encountered is that after logging in, the relevant Setting button is not displayed.
Command exec!
help with windows attacks and defence
it seems like everyone is getting this error with impacket-ntlmrelayx
screw rdp its slow as tortoise
Hey
anyone done with Print Spooler & NTLM Relaying section?
in windows attacks and defence
nice idea but not there yet
i've performed that exploit but not that module
i keep getting errors from ntlmrelay
well that's not good
why do we even need rdp for kali :( its so slow, if i type it appears after like 30 seconds
i think you can also ssh
i think they have a firewall blocking ssh
nvm i got ssh now
wow the exploit worked with ssh
screw rdp again, ssh ftw
samAccountName != UPN
Yup, got it.
lol
i found the error and submitted it but it doesnt accept (i dont understand the format)
I assume this isn't the pentester path.
when you connect via winrm it doesn't pass your tickets, so when you use sharphound to gather data it is as if you were unauthenticated, that is also the last error message in your screenshot
check the hint
after few minutes i got a different error and it was accepted
hi everyone
I'm trying to complete the exercise to find a flag in one of the services by using the nse and it's scripts
so far I have :
ran nmap with --script all against various services
tried running various scripts targeted to the service running on the port
Without you telling us the module and section you're stuck on we have a hard time giving help
ah yes
My message seems to not have sent. So I am on the nmap enumeration module
Network Enumeration with Nmap
section nmap scripting engine
The 80 port could be interesting
Hello. Do you know if the skills assessments of the modules can be solved independently? Or should I grab information from the easy ones to solve the hard ones? Thanks.
thanks schainy
i have a question... does nmap select scripts based on the service detected running on the port if combined with sV?
so nmap -sV --script all -p80 <target>
will that result in only scripts that are relevant to the service running on the port 80?
setup what?
so sV will try and detect the service and version of the one running on the open port, and with --script all it will select from the Nmap Scripting Engine (NSE) those that are relevant to that service.
most of them can be solved separately, but i wouldnt be surprised if deeper into the module you would need to use the creds from before, but most likely it will be written in the description of the challenge
to get the flag you need to visit the website as well and check if the vuln/ or any other stuff can give you more info. just looking at nmap for detail wont help you in a lot of cases. (Dont overthink hard)
The skill assessments tend to be independent
FIX: Update visual studio, if that doesnt work try reinstalling.
Advanced Deserialization attacks, Section: Example 1: JSON
I'm getting following error on visual studio: CS0234: The type or namespace name 'Data' does not exist in the namespace 'System.Windows' (are you missing an assembly reference?)
Just using the same code as in example. I'm using own windows machine. I tried adding reference to PresentationFramework but did not help. Not familiar with visual studio.
using System.Windows.Data;

namespace RememberMeExploit
{
    internal class Program
    {
        static void Main(string[] args)
        {
            ObjectDataProvider odp = new ObjectDataProvider();
            odp.ObjectType = typeof(System.Diagnostics.Process);
            odp.MethodParameters.Add("C:\\Windows\\System32\\cmd.exe");
            odp.MethodParameters.Add("/c calc.exe");
            odp.MethodName = "Start";
        }
    }
}
isnt the using system windows data used for GUIs programs and yours is a console application? i mean thats the only thing that has data in?
I don't know. Picture said to use console application.
Then we come to another problem: There will be an error regarding ObjectDataProvider. Visual Studio will not reference the necessary namespace by itself for this class, so it is necessary to hover over it, select Show potential fixes and then select using System.Windows.Data; (from PresentationFramework)
I have to use that to fix another error
was it shown to use framework? or core?
It only says this: With Visual Studio installed, we can open it and create a new Console App (.NET Framework).
https://stackoverflow.com/questions/37789584/type-or-namespace-name-data-does-not-exist-in-the-namespace-system
maybe try ths?
I'm trying to build my first ASP.NET Web Forms project but I'm facing some serious problem.
I created two project files in my project named: BLL and DAL.
I created classes named class.cs and class1...
Can't get it to work now. Im going to try this with pwnbox tomorrow, even though it was recommend to try on own machine.
pwnbox isnt windows is it?
I don't think most of the stuff for advanced deser will work under linux
There was a windows lab setup where I can rdp, not really a pwn box
Basically instead of exercise box you can spawn yourself a windows machine which has those tools installed
I don know that for two packages you have to add them in vis studio in that course
like you create a .Net app but also you have to do something in the vis studio itself to modify what libs you include to get that to work
Hey guys, stuck on Linux Pass the hash module getting the flag for the \DC01\linux01 have gotten root access to the machine any hints on the ticket would be appreciated https://academy.hackthebox.com/module/147/section/1657
Find the machine ticket that allows the system to connect to the domain
Is there a recommended method for dealing with the stack trace that results from installing powerview.py and running as described in the ADCS Certifried module? I've tried copying msada_guids.py to the directory that contains dacledit.py and removing "impacket" from the line that's sourcing it, but that doesn't seem to help either.
why rdp are always to sloooow 
hey could someone help me with attacking common services "DNS Attacks" Section?
Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.
I have run the ||Windows.Search.FileFinder|| artifact, is this not the right one?
Is this is not the related path ? ||C:/Users/j0seph/AppData/Local/mimik/x64/mimikatz.exe||
can anyone that has done the NTLM RELAY ATTACKS skills assessment give me a hint for the second question: Compromise BACKUP01 and then submit the flag located at 'C:\Users\Administrator\Desktop\flag.txt'
anyone know how to copy a file from rdp to my machine using the /drive , I get access denied
should be \\tsclient\<shareName>
yes but when I move the file from the windows to \tsclient\share , I got access denied
even that I am local admin
Hey a question regarding the starting labs. can i ask here?
reset the rdp I guess
sad
do you have access to that folder?
Hello guys, any good gui apps to interact with imap and pop3 ?
|| xfreerdp /u:derek.walker /p:"h4cknd0c0zwhYN07:)" /v:10.129.105.105 /dynamic-resolution /port:23389 /drive:linux,/opt +clipboard||
yes I'm asking if you have access to the dir that you're sharing
check esc
do you mean ntlmrelayx.py -t ldap://172.16.117.3 -smb2support --escalate-user 'plaintext$' --no-dump -debug?
yes , I can see the files , copy from the share to the windows machine ,
but not vice versa asking if there's a way to copy from the windows to my machine
never seen that happen, you can use other ways, smb, upload server, etc
esc as in adcs
oh okay
i figured that was the step for the later questions x.x
i can see bytes becoz so slow ;/
the rdp is exposed on a specific port behind another machine so it's kind of a pain
lol , I just need to run xfreerdp as sudo
that's why I've asked you if you have access to the dir that you're sharing
the kali user doesn't have write perms to opt
Has anyone done AD Enumeration & Attacks - Skills Assessment Part 1 recently that could help me figure out why I can't get chisel to work on the compromised host [Question 4]? I'm sure I'm doing something wrong, potentially my proxychains.conf or how I'm moving the chisel.exe to the compromised host. (I know there are a handful of ways to handle the question, I chose chisel because of the PF/Tunneling Module) Will take any advice.
does medium lab for footprinting require hash cracking? is there cryptography involved?
I don't know where to begin. Which sections from the footprinting module should I review to get started?
I wanna get my brain into gear
Scan the ports and start there
ok thanks
Also the footprinting skill assessments do fairly well at giving you an overview of what to expect
I was stupid
Can someone help with this question? the only persistence I found related to the malware was ||HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\reverse|| is this not the one?
can someone explain to me how the --prefix and --suffix work in sqlmap. been trying to understand but I can't
that's the value. the question asks for the key
not value per se but it's not the key itself
Hi! Someone could give me a hand with Web Attacks > Advanced File Disclosure > Error Based XXE please?
I've been trying to get the /etc/passwd of the machine but it seems that the technique doesn't work
This is what I've done so far:
And this is what I've got
Let's go only 2 to go, this one was a fun module
i'm still working on the enumeration with nmap module. Trying to find the flag in the nse scripts section. What format is the flag supposed to be in?
HTB{..}
I do have a question about something that came up in one of the Windows privesc assessments, without spoiling anything I was wondering why I would get more hashes when I use secretsdump.py vs dumping lsass and using mimikatz directly on the target machine? I was trying to get the hashes using mimikatz but was having no luck and secretsdump.py took the same lsass.dmp and got all the hashes I needed
Lsa and lsass are different things. I doubt it used the same lsass.dmp file
I remember i used --script vuln
And one of those many "vulns" was the correct one
hmmm i want to be more selective with the scripts i run against the service as it takes a long time
ah right okay that's a great point I always conflate the two in my mind because of the similar letters
sudo nmap -Pn -v -p80 --script "(not dos and not fuzzer) and http-*" 10.129.2.49 -oA http_scripts_port80
The more time you spend being selective, ironically the more time you spend not getting the answer
But my question remains, is there a way to get similar output from Mimikatz that I was getting from secretsdump.py? The relevant module section outlined dumping lsass using procdump and then suggested some mimikatz commands to dump the hashes, which is what I was doing but not getting any of the hashes that secretsdump got
Just doing --script vuln should be fine
I don't believe so
It's one of those quirk things
Gotcha appreciate the answer
I got the hostname of the device and operating system for medium lab of footprinting module. I have the username because they gave it. so how do I get the password?
i'm running sudo nmap -v -p80 --script "vuln" 10.129.2.49 -oA http_scripts_port80
Use the many techniques mentioned in the module
i could be a bit more precise with -n and -Pn etc. but should still yield more output I think....
Having an issue with access : RDP to 10.129.225.217 with user "svc_backup" and password "HTB_@cademy_stdnt!". It keep's saying password incorrect. This is on the Windows Built-in Groups part of the Windows Escalation module.
Why you want more? Im pretty sure the list is long enough
You don't need quotes for vuln
same result.... with or without. The quotes are just to stop shell interpreting characters like spaces i guess?
Also sometimes just exploring can help. You might see a certain txt file
Nvm, xfreerdp worked for some reason
@zealous rune
Just because they gave you the "HTB" username, doesnt mean its in the path. Its more of what username you need to find at the end to get the correct flag
Since its in the question
You do need a password
ok
And there's a wordlist you can bruteforce with
you will find about that in the end, there is many steps between you and HTB. you need a password but not for HTB user
wait its footprinting medium, there is no need to bruteforce
then why won't it let me log into RDP as HTB user
ah ceil, yea ceil is easy lab, ehm the a*** is the medium one
Yeah I just meant that's the one I was thinking
cuz there doesnt exist a HTB user where RDP is running
ok thanks
Read carefully: htb user is the last step. You don't need to do anything after getting his pw as I believe that's the answer to the skill assessment question
well I can't RDP in just with domain or IP address
No. But there's ways to enumerate a user
Look at the open ports and techniques to enumerate them
then you missing something, you didnt enumerate enough
Ty tho now I recall the steps
ok I will keep enumerating
Look at all the sections and see which ones match up to what you see
ok i see
although in practice i would likely have used gobuster and web enum scripts to get there....
All in perspective
well its one of the first pages pentesters usually visit.
This is showing how to get there from nmap first
although this is a good lesson in paying attention to detail
you will get enough of that lesson 
i guess in "my process" i would say that once i identify http server, i'm noting this and to further enumerate the web service i would go to whatweb and gobuster and other specialised tools/scripts for webserver enumeration
NTLM RELAY ATTACKS skills assessment question 2:
i have used ntlmrelayx.py ||-t ldap://172.16.117.3 -smb2support --no-da --no-acl --lootdir ldap_dump|| to enumerate the domain and get usernames
||dob mozhar sqladm Administrator Guest krbtgt||
from reading other questions it looks like i need to use the cleartext password taken from the sql_ftp_test account with responder?
however no combo of those account names and the password seems to work. Anyone do this before that can point me in the right direction?
has anyone had problems with xfreerdp not loading recently
Have you tried pressing enter after it pops up?
Did you put the password in single quotes?
Download a new vpn pack for your account
Don't forget to close and delete the old vpn
Nope
Done that, ser
The difference, if any, would be negligible
You don't need domain
Did you copy/paste the pw?
Did you also copy/paste?
Nah
what does certificate got to do with it
Sure sure
Don't matter, if it works, no touchy
I love how it says logon failure but it still lets me in 
fair point
let's not forget this manz request
maybe at the end the 013 was changed to a newer one 
I am running into this very problem. DId you find out what's wrong?
if you use impacket tools try -debug
btw on AEN the priv esc does not trigger
and its slow AF
i am so fed up
the path is so good, the technical part is so fucked up
I am stuck at the command injection section Bypassing Other Blacklisted Characters, i am stuck i tried this ls%09${HOME:0:1}home but nothing shows up
nvm solved
what a pain
was it worth it?
from learning perspective , yes
Is anyone available to help with Active Directory Enumeration and Attacks Skills Assessment II? I am having trouble figuring out how to access MS01 as administrator.
do youhave the creds ?
Not any that give admin permissions
Skills Assessment - Intro to Whitebox Pentesting
Has anyone successfully uncommented the ||// router.post("/cat", cat);|| on the live server and gotten it to work? I can do it when I run my own Node server, but it doesn't work on the live one. I'm guessing because my changes are not being made while the server is up and I have no way to force the server to reload my code. I find this absolutely insane that I spent hours developing a payload that can do this, but in the end that's not how you solve the lab. Why would they have that line commented out? To drive me insane?
It's possible it's not the intended path
Not sure, haven't done that module, but in reality commented code can hang around.
congrats
thx
Thanks, managed to access the server
@ocean night look at the official aws website and check the website url
Ah, I see.. hm
time to sue amazon ? HAHAHAH
Hah, I don't think so
it's a fairly generic design ¯\_(ツ)_/¯
It's not like the htb logo is heavily artistic imho
Just a cube that's outlined green and filled black
yeh almost similar to hack the box
GameCube frfr
Yep
I was scared one of those gifs are the horny ones
You can never tell
woot! Just AEN left. Going to start it blind tomorrow.
Gl
Anyone know what the CVE needed for Kernel exploits in the Linux privesc module (https://academy.hackthebox.com/module/51/section/467) is?
I tried all of the 2021 that exploit suggester suggests, and none of them work.
Also, when I tried a standard privesc with common vulnerabilities, it doesn't work and doesn't escalate the privilege to root; never seen that happen before
Does anyone know why I am getting prompted for a password when running the following command in Kerberoasting - from Linux section
was that not allowed? My bad, if so
Better to keep questions generic, and avoid posting specific details.
Sounds good, can I post the error message?
Hard to tell if I don't know what it is
oh yeah, good point lol. Can I DM you?
Yeah I guess
Which did exploit suggester suggest? (DM).. can at least say if the intended is in the list or not
Does anyone know why I am getting this error: Error in bindRequest -> invalidCredentials: 8009030C: LdapErr: DSID-0C090690, comment: AcceptSecurityContext error, data 775, v4563 when trying to run Impacket for the Linux kerberoasting lab? I am unable to pull TGS tickets
Because you need a valid domain account to roast with
I believe the examples show a Password: prompt
ohhh okay, thank you!
MODULE: Introduction to Deserialization Attacks
SECTION: Skills Assessment II
Could I request a nudge on attaining RCE?
Any help on this one mate ?
why
Spoilers
Still a spoiler
Who would know more about my question? I am genuinely confused
If you want to ask for advice or assistance, please do it without posting such specifics as your screenshot did
yeah give me one question
how would i rephrase it?
second
The flag I got is incorrect; I can figure out what it's supposed to be from context clues, but it's still the wrong answer
After performing the ESC1 attack, connect to PKI (172.16.18.15) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs. On what date was the very first certificate requested and issued? This one
something happened within sqlmap and i am trying to figure out why before i move on to the next exercise
Just the message without the image would've done I reckon. If anyone is able to give you a nudge they will
Table: flag5
[1 entry]
+----+-------------------------------------+
| id | content |
+----+-------------------------------------+
| 1 | HTB{***_****_****_***_\x02A0r7h_17} |
+----+-------------------------------------+
The asterisks are censored because they contain the flag, but the end of the flag is incorrect and it's what sqlmap outputted... why did it do this?
I don't understand why it gave back \x02a
Tfw I'm trying all other systems for the smb except the DC 
\x means binary, and 02 in binary is 42 in ASCII, and that is an asterisk, but it's supposed to be a w if you're reading the leeted flag... what causes sqlmap to do this?
I mean I take it you tried the whole thing itself as the answer
And not trying to reverse engineer the flag
Shouldn't have to interpret the flag further though tbh
Wanna DM me the command you're using?
okay
That wasn't a DM
I'm so sorry, I'm having a long day
@fading matrix are you here
yes sir I am
can you tell me what you did already
did as the modules
oh thats correct, think about formatting it differently
tell me when you get it right
Can I curse @runic depot
u wanna say a bad word
Yes sir.
about this @wanton idol
just trolling XD
I wrote it right but the format is pain in my ass
but idk i think u can since its not towards anyone
This happened to me so many times, it's not like I'm putting wrong answers, it's wrong format with right answers, Motherf**k*r
Anyway I'm learning well, THANKS for all the help from the members
no problem
that answer should really be changed, why is the HTB answer different than how the answer on the vm has it
is anyone else having trouble with targets spawning?
Alright I think they are UP ^
will Documentation & Reporting be on the CPTS?
i c ok thanks
lsass.dmp takes like 2 billion years to dump at this point
Wut?