#modules
Is anyone having issues with the academy this last week?
not particularly, no
targets have been spawning and responsive
¯\_(ツ)_/¯
I have not had issues either.
Question
Hey guys, I've been trying to run mimikatz in an evil-winrm session but it doesn't seem to work and just starts spamming these ####
```
Evil-WinRM PS C:\Users\svc_sql.INLANEFREIGHT\Documents> cd mimikatz
Evil-WinRM PS C:\Users\svc_sql.INLANEFREIGHT\Documents\mimikatz> cd x64
Evil-WinRM PS C:\Users\svc_sql.INLANEFREIGHT\Documents\mimikatz\x64> .\mimikatz.exe

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
```
hahahaha
Completely wrong server for such questions
mentioned this earlier
Hey, this is referring to the NFS section in the Footprinting module. Can somebody explain to me what the solution to the problem raised here is? I don't know if my English is just trash, but I can't understand what they're explaining here.
```
./mimikatz.exe "<command>" "exit"
```
Can I specify 2 commands?
your system's users and groups might be different from the fileshare system's users and groups
you can specify any number of commands, commands and their arguments are delimited by ""
so:
```
"<command1> [args]" "<command2> [args]" "exit"
```
it's very important that you add the "exit" at the end
otherwise you get the repeated prompt loop
What do you do in that case? In the paragraph there it raises that problem and says "This is why we use this authentication method", which, I don't know if I'm missing something, but I can't understand how it makes sense.
thanks again, how do you know all this 😆
btw, congrats on Community Contributor, I appreciate you helping
trial and error, it was also showcased in one of the modules that used it
also a lot of the cheatsheet stuff that uses mimikatz will highlight that syntax
alr sick thanks
.
Me too bro I'm genuinely angry it's been 2 days now
Quick question, I've done AD assessment 1, but I couldn't load powerview modules or use them during the assessment, is that intentional? Or was I doing something wrong?
Try setting execution policy to bypass when you launch powershell
it just wouldn't recognize the cmdlet modules lol
I managed to pass it though, but it would have been nice to have been able to use it to enumerate the users etc...
because you need to load it in a different way; it's running a different version of windows and such
but everything is doable without it
sorry not powerview
but activedirectory
but import-module should work if you bring in the ps1 file for powerview
iirc
Maybe I wasn't in the right directory when importing it 🤔
it just doesn't work well in a webshell
I used msfvenom and gained a regular shell with that
The meterpreter shell wouldn't work
¯\_(ツ)_/¯
meterpreter is interesting
after finding credentials from q1/2 i just used a pivot to do the rest
ligolo was my go to
I used netsh to gain RDP, then I used it again to gain a WinRM session
chisel wouldn't work for some reason 😮
chisel is dumb ¯\_(ツ)_/¯
I'll have to give that ligolo a go
also remember, because it's a webshell, infinite loading (when a command would result in either no output or loading until cancelled) means it's working
i.e. it doesn't print output / it is a polling output
Hi, can an admin see what's going on with the module ATTACKING ENTERPRISE NETWORKS? I'm trying to finish the module from the pwnbox but I have a lot of connection problems with the target.
message support
this contains a spoiler
different types of password dumps exist
every time I try they answer me like 10 hours later, I still don't know how it works for yearly members in these cases
even still if it's an issue with the module; message support
Hey guys, I need help with getting the user t***** on the AD skills assessment. I don't seem to get anything when dumping on MS**:
```
Evil-WinRM PS C:\Users\svc_l.INLANEFREIGHT\Documents\mimikatz\x64> .\mimikatz.exe "privilege::debug" "sekurlsa::logonpass**" "exit"

  .#####.   mimikatz 2.2.0 (x64) #18362 Feb 29 2020 11:13:36
 .## ^ ##.  "A La Vie, A L'Amour" - (oe.eo)
 ## / \ ##  /*** Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )
 ## \ / ##       > http://blog.gentilkiwi.com/mimikatz
 '## v ##'       Vincent LE TOUX             ( vincent.letoux@gmail.com )
  '#####'        > http://pingcastle.com / http://mysmartlogon.com ***/

mimikatz(commandline) #
Privilege '20' OK

mimikatz(commandline) #

Authentication Id : 0 ; 230195 (00000000:00038333)
Session           : Interactive from 1
User Name         : t***
Domain            : INLANEFREIGHT
Logon Server      : DC01
Logon Time        : 5/8/2024 10:30:06 AM
SID               : S-1-5-21-2270287766-1317258649-2146029398-4607
        msv :
         [00000003] Primary
         * Username : t****
         * Domain   : INLANEFREIGHT
         * NTLM     : fd37b6fec5704cadabb319ceb****
         * SHA1     : 38afea42a5e28220474839558f073979645a1192
         * DPAPI    : da2ec07551ab1602b7468db08b41e3b2
        tspkg :
        wdigest :
         * Username : t***
         * Domain   : INLANEFREIGHT
         * Password : (null)
        kerberos :
         * Username : t****
         * Domain   : INLANEFREIGHT.LOCAL
         * Password : (null)
```
admins/staff really can't do much without a ticket open
and even then, not all admins are staff - support staff doesn't necessarily monitor the discord
try using netexec to dump it, I can't recall exactly which mimikatz submodule I used
lsass and lsa are different, so they may contain different results
Ight lemme check it out
.
Hi guys, I'm doing "Attacking Authentication Mechanisms". I'm at the "Algorithm Confusion" part of JWT, but after I run jwt_forgery.py, get the public key and generate the new JWT with CyberChef, I cannot solve the assessment at the end of the section because the server always replies with "Token is invalid".
Did someone solve it?
I feel so dumb
On the first section of the Web Requests module, I was trying to use the cURL command as:
```
curl -o /download.php (IP here)
```
instead of:
```
curl (IP here)/download.php
```
I spent half an hour trying to find out what was wrong 🤣
been there before
also get used to them sometimes throwing in webroot to mean http://ip:port/
I got confused by them saying you can use -o to select the file name to be downloaded
Well, I'm brand new to all of this
Setting up a VM for doing the challenges was already quite a ride lol
Sorry, I've lost track. Which module are you talking about?
This one?
What is the password for the htb-stdnt user?
If yes, you should answer this question with the output from a tool from the first question
Try it with the ||Database||
I did everything the module asked me to but I cannot find the flag
How do I find the IP of my pwnbox? ifconfig is bringing up a 192 address and a 127 address. On my OpenVPN Connect, it says "Your Private IP (IPv4)", but when I try to ping the machine from a target machine it doesn't work. I set up an HTTP server and it's not connecting via that private IP 10.10.xx.xxx
the IP will be the tun0 address
also by pwnbox do you mean the in-browser vm or your own
my own
since you mention OpenVPN Connect
I have no tun0 address
are you running the vpn in your vm or on your host
host
you should be running the vpn in your vm
Oh man, the last module is the worst of all the pentesting labs, such a waste of time trying to finish with such intermittence
it's likely due to the Host firewall rules
👍 Thank you
it just exhausts the list
hi guys, in the Practical Digital Forensics Scenario, first question: I am unable to decode the second b64, only getting rubbish data out of decoding it?
i don't believe you are required to decode that
What's the error you're getting from winrm?
Also what module and section are you on?
AD Enumeration & Attacks - Skills Assessment Part II
- 1 Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I'm on the SQL server, I used meterpreter and dumped memory and found the admin hash
now I try to connect to MS01 with the hash
WinRMAuthorizationError usually means the creds are wrong or the user is not allowed to winrm
where'd you even get the admin hash from
Perhaps this is not the way
Likely mimikatz
Intro to Whitebox Pentesting / help:
I did this command:
```
curl -s -X POST -H "Content-Type: application/json" -d '{"email": "test@test.com"}' http://localhost:5000/api/auth/authenticate
```
It generates me a token but the token doesn't work.
I tried with this command:
```
curl -s -X POST -H "Content-Type: application/json" -H "Authorization: Bearer <token>" -d '{"text": "this is a test"}' http://localhost:5000/api/service/generate
```
Maybe one of the privs you have on the sql host can lead to a juicy exploit, or maybe spoofed answers
from the sql server
Yes
I'm already meterpreter NT AUTHORITY\SYSTEM
Ah right mimikatz is the way
Maybe you used the wrong submodule
Because one of the password related ones definitely outputs in plaintext
Alternatively nxc/netexec can also get it
It can't be cracked because it's not in the wordlist
Also the user you're looking for isn't necessarily "Administrator"
Perhaps
hmm, any insights how to solve it? I have extracted the handles and DLLs related to the PID, but nothing worthwhile
i don't know what the question is so i couldn't tell you
I am going through the Intro to AD. The Kerberos auth process seems to be incorrect. The user's NTLM is never used to encrypt the TGT (which is supposed to be encrypted with the KDC secret key), yet the article in the module states this: "1. The user logs on, and their password is converted to an NTLM hash, which is used to encrypt the TGT ticket. This decouples the user's credentials from requests to resources."
what's wrong about that statement?
In x64dbg when I click run for my shell.exe for INTRODUCTION TO MALWARE ANALYSIS - Debugging, I am not getting any pop-ups. I put the proper breakpoints toggled, I changed the code, and I have INetSim functional. Any idea why I am not getting the pop-up for "This is the INetSim default binary" / "Connection sent to C2"?
I am not getting any of these checks or any pop-up after clicking the "run" button in x64dbg.
The user's NTLM is never used to encrypt the TGT (which is supposed to be encrypted with the KDC secret key)
How does this server work? What is its purpose?
this is the official community Discord server for Hack The Box
Yes, but what is the purpose?
I'm a little uninformed
Learning cybersecurity, both defense and offense.
I liked
What? The user's hash is absolutely used to encrypt the ticket.
People help each other in this one channel
it's pretty much the central hub for the HTB community
whether it's the main platform, CTF, or academy
i think enterprise as well
https://youtu.be/5N242XcKAsM?t=432 <- have a look at this. The hash is used to encrypt the session key, NOT the TGT ticket. The TGT ticket is encrypted by the KDC secret key.
If a user's NTLM wasn't involved, then why is part of the TGT/TGS ticket the LMhash:NThash (which is the format of NTLM)?
Part of krb auth is the ntlm hash
Otherwise it wouldn't be tied back to the user
Ok? What's that got to do with the statement you said was wrong?
There has to be some form of identification that the user in the ticket is the one being authed
the NTLM hash is inside the TGT
^
if it wasn't, Kerberoasting wouldn't exist
It's nested in it
at least in its current form
I swear we have this convo at least once a month lol
The NTLM hash itself is not contained within any tickets.
It is different from the explanation in the video shown in 'Kerberos deep dive', which makes more sense. Just have a look. Also, the client's NTLM encrypting the TGT kind of defeats the purpose, as the client can simply decrypt the TGT.
That contains the authentication (password/credential) info
The NTLM hash is only ever used locally, not transmitted with the ticket. The ticket keys are derived from the NTLM hash of the user.
but it is USED to encrypt the ticket
so the statement is correct
i am incorrect yes it is not actually inside the TGT
BUT it is definitely used to encrypt the TGT
yes, exactly
it's used with a timestamp to derive a key
The KDC already knows the hash
I'm on the Footprinting MSSQL module
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
sqlcmd and Metasploit are both saying this is the wrong user:pass
try impacket
thank you
Short answer, it's dumb
Long answer, it's very dumb
makes no sense why that works but native tools such as sqlcmd didn't
way to ruin 30 minutes of my time
when hackers write better tools than Microsoft with their own software
The statement talks NOT about how the TGT ticket is derived, but that NTLM is used to decrypt the TGT ticket. I am not even sure you understand my question. If you don't, I am happy to elaborate. Below is the response from ChatGPT: "The statement contains a misunderstanding of the Kerberos authentication process. The obvious mistake is that Kerberos does not use NTLM hashes to encrypt TGT tickets. Instead, during the authentication process, the user's password is used to generate a Ticket Granting Ticket (TGT), which is encrypted with a symmetric key derived from the user's password and stored on the Key Distribution Center (KDC). This TGT is then used to request service tickets for accessing specific resources. So, the use of NTLM hashes and the claim that they encrypt the TGT ticket is inaccurate. Additionally, Kerberos authentication does not entirely decouple the user's credentials from resource requests, as the TGT is still used to obtain service tickets for accessing resources."
oof, automod
I'm on AD Enumeration & Attacks - Skills Assessment Part II. How the frick do I get the BloodHound GUI to open up on the attack device?
you need to setup bloodhound on your host
there are instructions to do so
You can rdp to the attack host
I believe it's mentioned in the engagement statement for the skill assessment that you can either/or
Or both
http://localhost:7474/browser/
guys, I don't see the upload button
Have an ssh and an rdp session
Brother you have to launch bloodhound to upload
AD Enumeration & Attacks - Skills Assessment Part I:
Already got every Question except the "Cleartext one for t...y".
What I already tried to find the password:
Overall lookaround on MS01
Dumped LSA/SAM with lsassy and mimikatz
Lookup with LaZagne
Cracking the NTLM hash
But no cleartext password for the user.
Any hints?
I have the .json files
Try other dump methods
Lsass != lsa
Yes. Which you upload via bloodhound gui
Alternatively transfer the files back to your host and run the bh gui on your host
ohh I see, danke
thank you, you are the best, I mixed up LSA and LSASS
How long did it take you to get the CDSA certification?
two months in between college coursework
more like 3 months to actually get the cert though
```
PS C:\Users\mssqlsvc\Desktop> runas /user:CT059 "powershell"
Enter the password for CT059:
Attempting to start powershell as user "MS01\CT059" ...
RUNAS ERROR: Unable to run - powershell
1326: The user name or password is incorrect.
PS C:\Users\mssqlsvc\Desktop>
```
BRUH, I put in the password ||charlie1|| but it does not work, why?
AD Enumeration & Attacks - Skills Assessment Part II
Is it a local user to MS01 or a domain user?
domain
well, there is your problem then.
danke
bitte
bite
Hey, hope everyone is doing well. Having issues and don't know if it's a mistake by me or an issue with the exercise. Today, working through the Nmap module on the CPTS training, the port I was told to scan using Nmap scripts is coming back filtered any time I scan the specific port, regardless of triggers used. If I scan all ports (-p-) it comes back open. Can using your own virtual machine running Kali Linux cause issues connecting to the target IP? Should I be using the HTB instance instead? Same issue when using nc on a specific port, like when doing tcpdump. Been stuck for a minute so just curious if it's a tech issue or am I messing up and just need to try harder lol!?
You can use either one you like, if you're connected properly via kali and the vpn you won't have issues connecting to the target
you need to `sudo openvpn` the VPN
@cloud urchin @sini12349 thanks for the info, I'm connected to the VPN, it's showing the new IP in the network tab on the top right in my VM
can you ping the target
```
PS C:\> Set-DomainObject -Identity "DC01.INLANEFREIGHT.LOCAL" -SET @{userAccountControl=4096} -Verbose
VERBOSE: [Get-DomainObject] Get-DomainObject filter string:
(|(|(samAccountName=DC01.INLANEFREIGHT.LOCAL)(name=DC01.INLANEFREIGHT.LOCAL)(dnshostname=DC01.INLANEFREIGHT.LOCAL)))
VERBOSE: [Get-DomainSearcher] search base: LDAP://DC=INLANEFREIGHT,DC=LOCAL
VERBOSE: [Invoke-LDAPQuery] filter string:
(&(|(|(samAccountName=DC01.INLANEFREIGHT.LOCAL)(name=DC01.INLANEFREIGHT.LOCAL)(dnshostname=DC01.INLANEFREIGHT.LOCAL))))
VERBOSE: [Get-DomainObject] Error disposing of the Results object: Method invocation failed because
[System.DirectoryServices.SearchResult] does not contain a method named 'dispose'.
VERBOSE: [Set-DomainObject] Setting 'userAccountControl' to '4096' for object 'DC01$'
```
why can't I enable RDP on the DC? I am administrator
No, I get a message back that it's down @cloud urchin
Make sure you don't have pwnbox turned on at the same time while being connected to the vpn
Yes it’s off @cloud urchin
if you're connected to the correct vpn, the pwnbox isn't spawned, and the victim host is up, you should be able to connect without issue. if you hammer the victim it may die, or maybe for some other reason, you may need to restart the victim box
beyond that, run a traceroute to see where the connection issue is, or reach out to support
You should ask in a platform channel and not in an academy channel.
do you have the link?
I want to change the settings to allow RDP on the domain controller from my device. Is it possible to change the DC settings?
yes if you have admin privs
- 1 Submit the contents of the flag.txt file on the Administrator desktop on the DC01 host.
AD Enumeration & Attacks - Skills Assessment Part II
I changed the admin password and can use the admin pass, but I can't RDP or connect to the DC because it's not enabled. How do I enable it?
there's a CrackMapExec module for it, you can enable RDP via a registry key, and you can disable NLA if needed via a registry key as well
You sure you want to do all of that, and work around any firewall issues? Way easier to just use something like psexec.py
there might be GPOs that block it too, you'd have to disable those somehow
smb is not open?
no
Hi, I am in the Linux Privilege Escalation module, Shared Libraries section, and on the given target the /development directory has write privilege for my user as shown in the section, but the library present there is write-protected, so how in the world can I replace it with a malicious binary?
hello?
the question says to use LD_PRELOAD, go over that section again
use sudo -l to see what you can do with root privileges is step 1
yea, I did the LD_PRELOAD section, and the one I am talking about is different
and it is kind of my fault, I forgot to mention hijacking, in shared library hijacking
it was not necessary to follow the section to get the answer, just had to do a version check and there was the answer
but according to the section it was supposed to work by swapping the shared library binary in the runpath with a malicious one
the runpath would be rwx for the current user
but the shared library was not.
I checked the code for payroll.c and found that it was using the dbquery.h header and thought maybe I had to put a dbquery.h header file in the runpath. But as soon as I compiled the malicious file in the runpath and executed the binary, the libshared.so read-only binary mysteriously vanished
and then I did the usual and got my way
any idea as to why this happened?
you should delete those, I think it's against the rules
it's not an issue because they do not have the answer nor the method of getting the answer, and what I showed is directly what's written in the section
I was hoping someone might be able to shed some light on this
but regardless the task was done
yeah but it's taking pics of the content of the module and posting it in a public forum
just delete the msgs
any idea why I am getting a password prompt when it's NOPASSWD?
~~Hi, I am doing the PHP Web Shells portion of the Shells & Payloads module on HTB Enterprise. The module is asking me to Use BurpSuite to bypass file type restrictions on rConfig and it wants me to configure proxy settings in BurpSuite.
The exact wording is "Start Burp Suite, navigate to the browser's network settings menu and fill out the proxy settings. 127.0.0.1 will go in the IP address field and 8080 will go in the port field to ensure all requests pass through Burp."
I cannot for the life of me find where exactly these are configured. I cannot find such a config menu in BurpSuite nor the Chromium Browser built into BurpSuite. Any insight?~~
Edit: Disregard, the module was referring to the pwnbox's browser. Not BurpSuite's built in Chromium browser.
I believe you also need to specify the full path of mem_status.py
anytime 🙂
I got the same errors, how did you fix this? For Zeek, running this command:
```
/usr/local/zeek/bin/zeek -C -r /home/htb-student/pcaps/revilkaseya.pcap
```
gm
@cloud urchin thanks for help!! Support got back to me, and after switching redownloading my vpn for a new region the target is responding!
is there any way I can download a .vhd file from pwnbox?
Ended up using tcpdump... Zeek wasn't running that command -_-
No
Parrot Security website
parrotsec htb edition is close though
use this filter -fl
@mortal basin sorry for the ping, I'm working through the new Windows Evasion module rn, and in the section Microsoft Defender Antivirus the spawned VM (and also the VM from the previous section) does not contain a threat with the ID asked for in the questions. Is the wrong image being spun up here, or is it me?
Folks, I'm on the Hard lab at the end of the Footprinting module and I'm getting a bit frustrated with trying to find my way to any valid credentials. I've found the SNMP string with 161 and braa gives me ||Admin tech@inlanefreight.com|| but that's it. Any pointers? - NVM, I switched regions and it all came through
Reach out to support
DM me
in the headless lab
please do not post spoilers of active content
if you are talking about the Headless box, go to #boxes
on top of that, this is not the channel
sorry, didn't know, I tried to spoiler tag it, my bad ❤️
as soon as I have my hands on a computer I will buy it
anyone else having issues spawning victim boxes?
can I get help regarding Skills Assessment I in the AD Attacks module? stuck at getting the "t" user's password
shoot me a dm if you still need help with that (due to spoiler)
jesus christ, the new module looks nice 🔥
I'm too busy to do the module
Dont we have holiday today
Did you get a solution for this?
for that section the questions got adjusted, the ID is now available
Okay ill try restarting box
hello guys, I'm stuck at the Session Security skills assessment
I was able to gain the admin's cookie but every time I use it I get (noaouth), can someone give me a hint?
maybe try it in a private window or another browser
Hi
Finally finished the AD Trust Attacks Module. It honestly felt more like a ProLab than a regular course. Great content though!
thanks so much, that worked
@tranquil axle Did you have any problems in the section Static Analysis?
```
[05/09/2024 05:28:13] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
[05/09/2024 05:29:11] Checking...
[05/09/2024 05:29:11] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
[05/09/2024 05:30:11] Checking...
[05/09/2024 05:30:12] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
```
Checks already ran many times and it was undetected but flag.txt is not spawning
Hey is anyone working on the box Corporate
The new one?
yeah, I haven't even finished trust attacks
hi wolfie
anyone did the WordPress module?
I need a bit of help
can't find that anywhere
nor do I know which file to download
Yea, I'm having a few issues with the check scripts. For Static Analysis I ended up compiling it with Visual Studio and then publishing it into a single exe file. Since publishing didn't work on the RDP machine I used my own computer for it. That exe file then passed all checks and gave me the flag.
How come some modules are still tagged as "updated" even if I solved all updated content?
Sometimes it's just a wording change
Sometimes they don't log wording changes
Considering how often those likely happen
@remote latch which question ?
I literally have a smart shell and can't find shit
try to download the file from the website
the main one without wordpress?
then see which directory you are looking for
i can just search
Your ss has spoilers for 1 and 2, holy 1983 camera batman
MAN ITS MY PHONE
Shitty aaa phone camera having ass
deleted photo
can't find any flag
maybe `cat * | grep "HTB"`
and stop sending those pictures
which
.
sorry
Imagine the flag is the md5 hash and not HTB{..}
That one's fine
no, it's HTB, I checked
Those are standard wp stuff
INFORMATION GATHERING - WEB EDITION > Active Infrastructure Identification
What Apache version is running on app.inlanefreight.local? (Format: 0.0.0)
can someone give me a hint on this?
I tried this command but it does not give me any suitable result:
```
whatweb -a 3 10.10.14.167 -H "Host: app.inlanefreight.local" -v
```
Getting some connection issues with RDP.
Total no of VMs for this module are same as Rastalabs 
That's not how that works
The vhost is running on the target web server
Specifically in that section, the vhosts dev.inlanefreight.local and app.inlanefreight.local are running on that server
In your command you're using your ip
Not the target ip
It's also best to put the vhosts in your /etc/hosts
As ip vhost1 vhost2
That worked
got it, thanks. I did put the following in /etc/hosts
any tips for understanding linPEAS and winPEAS results better?
yea, my problem is that if you get to Dynamic Analysis this method no longer properly executes the rev shell? I think the module would profit from a small section explaining what the check scripts actually check, or how they expect you to build the .exe files on the provided VM
Those tools often give a bunch of extra, useless, data
If it's not a simple path, ignore it
Yeah, instructions are kind of unclear. I might wait a few days or a week if we get a statement/update about it
i felt this too
What exactly is unclear?
I developed the walkthrough for the entire module (will be published today) without needing any clarifications from the module author...
hi, can anyone please help me with setoolkit?
I have created a PDF payload but I can't find it, where can I find it?
kali linux
The sections use Visual Studio not something else.
Your task is to bypass AV not to understand how the labs are built if I am not mistaken
what settings to use to compile? When I used the provided VM, neither the Debug nor Release settings created a single .exe file, and putting the .exe, .dll and .json files from the release/debug folder into the Static folder to get checked did not work. Only when I used the publish feature to make it into a single .exe did the check script "pass all tests". But publishing doesn't work on the development machine, so ???
For example, this from Static Analysis:
```
[05/09/2024 05:28:13] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
[05/09/2024 05:29:11] Checking...
[05/09/2024 05:29:11] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
[05/09/2024 05:30:11] Checking...
[05/09/2024 05:30:12] C:\Alpha\Static\ConsoleApp1.exe - OK - Undetected by Microsoft Defender Antivirus
```
Checks already ran many times and it was undetected, but flag.txt is not spawning. After I published it as a single exe file it worked.
Payload itself worked fine on dev machine
What do you mean "Publish" it as a single file
well yea, the script says AV successfully bypassed, and when I run the .exe manually on the dev machine it also does what I want it to (including rev shell and everything), yet the script says undetected but doesn't provide the flag. And I don't know what is wrong, so I have no way to fix it
if you press Build Solution in Visual Studio you get a .exe, a .dll and a .json
if you publish via Visual Studio you can tell it to pack these into a single .exe
If you get the flag, you solved the question. Nothing else matters.
If you dont get it then you need to retry.
Why are you publishing
because if I don't, it doesn't accept the file?
that's my problem with the module, I don't know what the script is checking for, so I can't even tell you why the published standalone one works but the other one with .exe, .dll and .json doesn't
You are not supposed to know. You are supposed to do what it wants to get the flag.
We are not teaching how to build labs nor sharing such material
hello guys, I am currently stuck
I am trying to spawn a target and I do not know how to do so
I think you are misunderstanding me. I bypass AV and get the rev shell to work if I execute it. The script says it bypasses av. But unless I pack it into a single .exe it does not give me the flag
"Click here to spawn target!" Text
OK lets go to DMs this is getting confusing
Can you add me to groupdm?
Sure
Hi
INFORMATION GATHERING - WEB EDITION > Active Infrastructure Identification
Which CMS is used on app.inlanefreight.local? (Format: word)
I ran this but I can't seem to find any CMS-related info:
```
whatweb -a 3 XXX -H "Host: XXX" -v
```
If the vhosts are in your /etc/hosts you don't need to specify host header
Just specify it as the site
Also look for the word 'management'
Or something like 'content'
Read the output, basically
that medium Footprinting lab machine is crashing (disconnecting the RDP) always after 30 sec to 2 min when I work on it via RDP. Is there a way to work around it? It feels super slow.
Hello, can someone help with skill assessments for password attacks module?
I finished the material a month back and have started after a break. I need a little help please.
Use tcp vpn. Set /timeout:100000
Or change vpn servers
It's worked fine for me
it's pwnbox
Vpn servers are different from pwnbox servers
k will try to change
I am trying to brute-force FTP but failing, as per a forum post
Vpn = target
Pwnbox = pwnbox region
Hey, in this example we have the SOA record containing inlanefreight.htb. in the place you'd expect to see the primary NS; however, we see a couple of lines down that the NS record points to ns.inlanefreight.htb. My question is, are the 2 domains CNAMEs of each other? Or are they two different NSes?
ah ok i see
Scan all ports
sorry if this comes off as a spoiler but this is what I tried
or is ns.inlanefreight.htb. the secondary?
use hydra
Ns is primary
I don't suggest changing cme threads tbh
tried, didn't work. May I attach a screenshot? I most likely messed up
so shouldn't the SOA record show ns.inlanefreight.htb. before root.inlanefreight.htb. (which I assume is the admin email)?
No
SOA shows the domain
it didn't work anyway lol
In this case the domain, is the ns
Hydra works
¯\_(ツ)_/¯
A nameserver doesn't always have to have ns.
But anyway
is this the correct syntax?
I suggest 48 threads for ftp in hydra, but yeah
I generally don't do -v though
I ain't touching threads
It clogs the screen
It shows the domain at the beginning but should also show the primary name server, I think. For example, here is one of the previous examples they've used in this section
okay
Again, it doesn't always
ah, it worked. thanks. I was scared because it would work with cme
Either way, you're overthinking it
In this instance it's a private server, so it doesn't need to follow public convention
solved. thanks
Oh, it's like a convention to put it there but not required?
So only ones that conform to the IETF standard, thanks!
Yep, since example.com is a public website, it has to conform
Not to mention, since the NS record is defined separately, it doesn't need to be in SOA
What module?
Oh wait nvm
In future separate with a dash between the module and section name
I will tell you, all services have their own user
Then what tool is giving you the error?
As that's a python related error
Also what is your syntax [omitting usernames and passwords]
No one pinged you bro
I just realized I wasn't using type and full path... how embarrassing. Haha. Thank you.
Is it supposed to take this long?
is there an issue with spawning targets in modules currently? been waiting for a while, usually it's pretty fast
I was just going to comment the exact opposite, spun up my victim box and RDP service was up instantly...yesterday it was rather slow.
it's just stuck forever in Target is spawning...
oof yeah, terminate and try again, grab a fresh cup of coffee
i logged out, refreshed the page, and it's still stuck in "Target is spawning...", is there some trick or work-around?
it takes long
still showing 2 hours lol
Not that I am aware of
great if only the platform was half as good as the content..... I thought the ssh performance was bad enough, then there is this
so I found this trick on reddit which seemed to work. I spawned a target from a different module, which worked, came back to the original module and spawning there worked too
l
I am doing the assembly module, specifically the stack section. In this section a hex immediate value is loaded into a register and then pushed onto the stack. This operation is done multiple times. Finally a flag will form after combining all values. But what I am observing is: after the first part is pushed to the stack, the second part is pushed to the stack. Now rsp should point to this second part only, but rsp points to the concatenated value of first part + second part. As per my stack understanding, how is that possible? Shouldn't rsp be pointing to only the last value pushed? Any help would be appreciated and sorry if this is dumb. But I checked with my test code pushing values 1,2,3 onto the stack and in that case it doesn't concatenate, as expected.
partial assembly code
damn i just spent all my 500 cubes and they release this?! 
is there any way i can sell a module 😅
it's just how gdb displays strings; it actually contains 8 bytes per line only
Thank you.
just finished the AD attack and enum module. Before that i didn't know it is impossible for a user to have MORE privilege on the same host when using a different protocol, like winRM vs RDP. learned a lot these few days.
hey, I'm doing the java deobfuscation module. and at the http request section I'm curling the /secret.php page. but i get a 404 page
are you curling the http://ip:port/secret.php?
i don't see where it's saying secret.php on the page?
i'm seeing it mention serial.php
hackthebox version of OSEP coming?!
and it specifically says to do a post request to /serial.php
you were likely thinking of secret.js
yes
from previous sections
i didn't mean for the whole day
just take a break for like a little bit
even just a half hour away
it's a marathon, not a sprint ¯\_(ツ)_/¯
got u 😉
some modules make you feel crazy, spending lots of time on goofy shit
until you realize syntax error
and your life is ruined 
ye, the fuzzing one bruh, i was getting so many errors.
man i put the ip:port in /etc/hosts, not just the ip, which resulted in errors while fuzzing
yep
you never put the port in /etc/hosts
can someone help me on web attacks skill assessment
I might be able to. What are you having trouble with?
For Linux Privilege Escalation: Environment Enumeration, I found the flag after escalating privileges to lab_adm. I found the flag, yet when submitting it doesn't take it. Are there other flags that I need to find?
it helps others help you if you explain what you're having issues with, try not to be too specific;
Having trouble with skill assessment on [Module Name] - I tried doing [specific method] on the /(redacted) page but it's not working
so just avoid spoilers if possible
in the first part of it I have a lot of usernames and tokens, I just don't know where to use them
Module name is web attack
section is skill assessment
Check out the Mass IDOR Enumeration section. Use Burp Intruder/Repeater. Try to guide your search by asking yourself questions like: what kind of user am I looking for? What's the role/privilege of the user I'm looking for? What token do I have, is it mine or is it another user's? What user? Do I have a sessionID? Can I get someone else's? What kind of HTTP request am I using, can I try others? Etc.
^
ok ya I got more than 80 users and tokens I know which one is mine thank you
perhaps running a request where you check tokens against users, and etc - or maybe something about the token might identify which user it could belong to
Oh I know who they belong to, just need to figure out how to use them. I think I have an idea tho
haha I looked through the users and found a user I need now to get into their account
Great job! Keep going!
Nice I just finished that skill assessment was a fun one
you're on the right track
@atomic stream here
hey
i have a question on module 3 on cdsa section 2
can someone help me ?
Replicate the Unmanaged PowerShell attack described in this section and provide the SHA256 hash of clrjit.dll that spoolsv.exe will load as your answer. "C:\Tools\Sysmon" and "C:\Tools\PSInject" on the spawned target contain everything you need.
this question
after i did the injection i could not see an event related to this question
even tho everything worked fine
is it me or is the pwnbox not available?
ya I really enjoyed it
module and section numbers don't help, better to say module name and section name to get help
yea yea for next time
also do you have sysmon running to catch the inject?
thanks anyways, i solved it
¯\_(ツ)_/¯
yes
well even still it helps people in future utilize discord search feature to help them find answers
the problem was the sysmon didn't log event id 7 for spoolsv
the reason was i didn't configure it before the injection, so i realized that, then i configured it and tried to inject again but it didn't cause an event, so i restarted the machine and it worked
yeah sometimes with those labs restarting the machine makes it work
general tip with the windows related labs, wait a few minutes before connecting and doing the thing ¯\_(ツ)_/¯
Okay I finally got the password and username for Password attacks module - easy skill assessment
got id_rsa, id_rsa.pub and authorized_keys files.
tried to
ssh root@IP -i id_rsa
but it asks for passphrase
what am I doing wrong
this is the SS for reference
because that rsa isn't for root
maybe you should take a lesson in history
also general suggestion, make a separate folder for doing academy stuff
that way you don't clutter your home directory with a bunch of stuff
Thanks but I have taken a machine snapshot ima revert back to when I am done.
Hello guys, I'm new here and I need someone to learn and practice together
secondary note, ffuf can be installed on parrot with apt
i only snapshot when i feel i'm about to do something stupid ¯\_(ツ)_/¯
Oh okay. I will try this in the morning. Thanks a lot. I tried it for the user I got from ftp and it didn't work.
ok let me rephrase; you have login for a user - check their history
from there it's really only like... maybe one or two steps
Lol I think it didn't work for me. Like even after installing it said ffuf command not found so I got it from github
¯\_(ツ)_/¯
Uh stupid question but login to ssh from the ftp creds I found?
Same user as ftp right?
ssh user@ip -i id_rsa as per my enumeration
and yes if a user exists on ftp; it's likely they exist to ssh with
I did this using the id_rsa I found from ftp on the same user as well, instead of root.
from my notes directly
In the other tab its open if u zoom in a little
so it's asking for the passphrase to the rsa file (which you need to chmod to 600)
Did that
What does password protected here mean?
So how do you crack it. SshtoJohn?
meaning that you need to provide a passphrase/word when using the id_rsa
2john*
but yes ssh2john
Uh crack sorry
Then crack the hash to find the password?
I see
always check reuse before going to cracking
I will try this in the morning. Thanks for your help. It's 2:30 am for me.
How long have you been doing this? It's been barely 3-4 months for me with a gap in between, managing with college.
my steps
- get ftp user:pass
- check with ssh
- log in to ftp, extract files
- check with RSA file
Thanks. Will keep this in mind.
i started like 6-7 months ago, had a solid month or so break due to life circumstances
actually it was more like 3 months i wanna say
For just 6-7 months your knowledge level is pretty high. Do you already have a network/programming background?
actually scratch that it was more than that
more like 18 months
6-7 actual months of working on it
nope
More than a year you've been doing this on and off then...
I know some programming things, but that's not helpful to this particular course
Cool.
and I knew some basic networking things
but as far as what the course expects you to know (which is basic level networking, networking 101 stuff)
I learnt the basics last sem for networking.
Alright. I must sleep gn.
For the File Upload Attacks skills assessments I got stuck on the last part. My payload was giving "only images are allowed", but when I checked the writeup I had the same payload, just some XML code I had used previously in front of it.
I don't see a reason for the code to be there, since I have the payload in there
And I already used that XML payload for its purpose to get to where I was at
I figured it out eventually, just wondering what the reason for that XML code is, it wasn't covered in the module except for source code discovery, not being part of a final payload
I don't remember using any xml in that module.
are you talking about the walkthroughs you get with the annual sub?
likely, yes
oh ok imma shut up then
Yes
There was some XML code I couldn't get it to work without
meh the writeups take a big assumption of knowledge in most cases
Yeah, I just didn't see that method in the module
They used that for source code discovery, not prepending it to a legitimate payload
it's likely the way it interacts that it has to be there
¯\_(ツ)_/¯
the writeups don't really explain much of anything
It was explained in the "Limited File Uploads" section under XXE, but that was for reading source code of php pages, it did not cover appending a payload to that portion, so I am confused. Is there another way to do this?
To me <?php system($_REQUEST['cmd']); ?> is a PHP payload
Not
<?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE svg [ <!ENTITY xxe SYSTEM "SPOILER"> ]> <svg>&xxe;</svg> <?php system($_REQUEST['cmd']); ?>
Spoiler removed
¯\_(ツ)_/¯
haven't done this module so couldn't tell you ¯\_(ツ)_/¯
I think I figured it out, XXE is covered in Web Attacks
i felt like that module was straightforward, the xxe portion is literally just copy/paste from what i remember
Which is after the next module
There was a proof of concept
it walks you through exactly how to do it within the file upload module itself
Then how to check source code
yep, that's all you need for this
Nothing about appending a PHP script to the end of an XML script
i didn't do that to complete the module
i don't really want to give the steps away for completing a skills assessment i can dm you
pretty much exactly as the module outlines
Yes please
@cloud urchin cleared it up, writeup gives incorrect information
Thanks!
Or alternate info
ya there are multiple ways to complete it
I believe @kind turret does a pretty good job at giving the right commands, one of my only complaints is they use msf/meterpreter 🙄 but the theory behind them remains the same. They pull from either the module itself or the prescribed pre-req modules.
I should clarify, they give you a weird method that was not explained in the modules. The real solution was WAY more simple.
¯\_(ツ)_/¯
I can't load the dll file; every time I run the command, it deletes automatically. I don't know why, but on the training course it looks so easy. I thought that the manipulation had to be done on the victim but it's just the server that has to be transferred.
https://academy.hackthebox.com/module/158/section/1439
Real-time protection is running
is not to set out this term in the course 😦
It's a basics of Windows thing
Just because Defender isn't running, doesn't mean there isn't some protection running
I was able to bypass the real time protection but when I want to access my remote server via the proxy server on 172.16.5.19 it gives me this error message
did you apply the RDP performance configurations section's suggestions?
I cannot sudo
yes i was able to succeed by executing rdp on 172.16.5.19, idk if that's how it should be done but it works
A
Any news on when the next batch of CDSA results are coming out?🤔
if someone can help me please with the skills assessment for tunneling and port forwarding
i found the ip but idk how to get access to it. i use brute forcing via port forwarding, using port 9050 for proxychains. I read the text which tells me to use the account mlefay, i tried mutating it and brute-forcing rdp and ssh but nothing
We need answers
Bruteforce not required
I am having a walk in the park on my last and final module. It's a blast and almost serene trying to remember everything--all the days I've spent.
The closest I can compare to is like, mayhem the entire way. And then coming to understand, yeah, x was the time that y .
Still quickly working on my D&R framework and how I'd want to standardize my Reports with my notes, but it's looking like time will only be my issue approaching the engagement exam.
Actually, the last module feels a lot more like that moment of being wrung out for the last 6 months and then looking into the light only to hear "It's not your time yet, finish the job" like a sweet nothing, to then be thrown back down into the pits of shit's about to get real except--in a better place than before lmao
Feel free to modify this how you'd like for better effect. Learning a lot, basically.
Hiboox, you should:
- Establish your pivoting and forwarding; ensure that it works.
- Ensure you're using proper syntax and the right proxy tool (again, follow syntax and understand your tools)
- Once you've confirmed that everything works in your environment, then attempt the tool that you think you need to test with.
- Also, Good luck with either rdp or ssh. I cannot remember which one that takes forever. Try another then come back around if the tree doesn't fall.
- I am impressed you're mutating passwords, but consider your list and complexity as required.
I'm off for the night. Later guys.
ahah it's nice to see someone see the light at the end of the tunnel, good luck with the exam. As for me, I'm always in the dark trying to figure out any strategy I can think of, and sometimes I go too far, but I figure if you try nothing, you'll never get anything.
Hi!
I have a query in Command Injections Module in Identifying Filters Section.
The question is "Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application? "
I got the answer, it is the new line operator, but I am not able to submit that answer. I even tried the URL encoded version of that string.
Any help on how the format is to submit the answer for that particular question?
Sorry got the answer.
I need to write "new-line" as the answer instead of "\n".
i put the right password and user, it gives me this error, i really can't understand its problem at rdp
Thanks 🐸
says in your error message 'unable to connect to ldap, verify your credentials'
Thanks mate. I might have overlooked it. It's working now
friendly note that many people do AEN blind; so be careful with asking questions here, especially since AEN itself is the walkthrough
got it I'll be careful.
man that was fun completed web attacks thanks for the help
I think I have the right password and user but still nothing.
timeout waiting for activation; sounds like it couldn't connect
yeah that's why i always do a high timeout just in case
especially if you're in an area like SG or something; the latency makes other additional settings necessary
Still on easy skill assessment in password attacks module. used id_rsa to login as the same user as ftp and also used same passphrase for ssh.
Any hint as to how I can get root?
Check ||history||
Dming you fren
Is anybody else not able to search for modules on HTB academy on firefox? It shows me that there are no results regardless of what I type in
also the billing page doesn't work
disable adblock
It's disabled
then there are other things messing with it
I disabled all extensions and the firefox shield
still doesn't work
Maybe its because im using user.js
there shouldn't be anything from firefox that's blocking it, I have the enhanced shield turned on and it still works
Hey ! I've got a problem on the new module "Introduction to Windows Evasion Techniques" in the Static Analysis section. I managed to recreate all steps on the DEV machine, i uploaded the EXE in the static folder of the TARGET machine. Got "OK - Undetected by Microsoft Defender Antivirus" in the log but the flag isn't spawning. Am I missing something?
Hi guys...I am currently doing "Firewall and IDS/IPS Evasion - Medium Lab" on academy from the "Network Enumeration with Nmap " module...what I am struggling with is the question
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
I'd suggest going back to the page where they talk about evading IDS/IPS and trying out some techniques from there
okay I'll give it a look, thank you
if you're not taking notes; I heavily suggest to do so as you go through a module
Honestly I did this module a month ago and didn't complete it...I'm scared that I want to complete as much modules as possible with my monthly subscription but I think I should just start this module again and do what u say and take notes...as I haven't actually taken notes on this module 😅
is there a way to reset the whole module? so that I can have another go at it?
no
ahh
you can just click on other sections and re-read the content though
ahh okay
also sprinting through content is not smart
as you're just infodumping your brain
actually sprinting is fine as long as you reread
lol no
It depends on what you mean by "sprinting"
i find it super hard to understand the first time
i mean barely reading the content and just copy/pasting commands or looking up walkthroughs for a module
Rushing to the end of a module is not beneficial imo, but you could definitely allocate a lot of time for studying per day and accomplish a lot in 1 day
so i only see what i understand, then visit later after i get some experience
I don't get the point of doing that, if you're paying for the academy you're here to learn so learn to the fullest
there's a difference between understanding what the module is teaching you now and revisiting after gaining some experience, VERSUS just trying to COMPLETE modules as fast as possible without actually reading
hmm
I end up googling everything I don't understand to try and gain a better understanding but maybe it becomes harder in more advanced modules
it's a marathon not a sprint, the end goal isn't changing or getting further away if you spend 5 minutes on a module vs 5 hours
I'm a bit of both 😅 I try to complete it quickly but also want to understand it
some things, depending on what you're looking up, can actually be explained by chatGPT (chatGPT shouldn't replace your brain)
these things can contradict
Yeah I end up using chat GPT as a last resort if I can't get stuff by searching myself well
also utilizing quotes in a google search is helpful
if you utilize quotes you are telling google i want to include exactly this
also it gets around some other google search things i.e. +/- so "-P" for instance will show you results with "-P"
Yeah I've done some online OSINT courses so I learned it there
Hello, i'm trying to do a module exercise, i need to rdp to a machine, but i have a black screen, and nothing happens when i'm reaching the windows VM. i did it on the web parrot OS and reset the VM i need to reach 2 times
did anyone have the same problem?
Press enter
ok... it's working... tf is this xD : thx
it's the enterprise welcome screen
Lmao
yh, but why a blackscreen xD
"You acknowledge that you are only using this device for it's intended purpose"
because it's initialized before the login; when the machine starts up
and so it doesn't properly draw or get sent in an rdp session
resizing the screen gets it to show
ok, it appears on the first login, so i thought smth went wrong after
it also just depends
sometimes it does and sometimes it doesn't show up
the main reason though is that it's the screensaver
when you initiate a login it doesn't fully wake up the screen sometimes
that post is from 2 years ago btw
Just in case, anyone looking for solution.
i mean the solution could be derived in many ways
also it can be considered a spoiler
¯\_(ツ)_/¯
If anyone's struggling with wordlist.
everything is available in the module ¯\_(ツ)_/¯
they provide a direct namelist to generally use
👍 Thank you.
if you're struggling with a namelist you likely weren't paying attention much
(not to mention the other questions actually prep you to get that last Q)
spoiler tags don't do shit btw
i suggest renaming it to "parameter"
as the parameter is part of the answer to another question
ok
better?
eh
mostly
but the best would be to just not have posted it, as someone should naturally have derived that
as the subdomain/vhost is also part of another answer
should i delete it?
¯\_(ツ)_/¯
yeah a lot of that command is including stuff that is related to other answers
nope, not even close
Done, happy?
and what server is this?
idk why you're being snarky about it
read #welcome to understand what the server is about
ok
i was just trying help.
pluh
There's a difference between helping and straight up providing the answer
No #rules
<@&861185840277487616> i fear a dumbass raid is upon us
Brother that's illegal
No, it's not
please keep the channel on topic
how can I remove my paypal account from my academy account
I want to add a fresh card instead of paypal
message support, afaik Update Payment method should work in the Billing page
sure!
Should I use this tool to hack into an ssh server rather than hydra? https://github.com/pwnesia/ssb
I need help at the Attacking Common Apps - osTicket module. I can't seem to find out the credentials of the agent. dehashed.py has been updated so the instructions won't work anymore. https://academy.hackthebox.com/module/113/section/1214
dehashed is just an example on what you can use for public websites, try the creds given in the module
in general, you shouldn't brute ssh unless you have to; i forget how it works with needing a username list
One of the questions for this module requires me to bruteforce the ssh server https://academy.hackthebox.com/module/57/section/516
Can't get the flag
ah; well hydra doesn't take that long, especially if you use the -u feature
thanks
Can't get the flag
https://academy.hackthebox.com/module/35/section/227
I can't find the corresponding keytab
perhaps it's a script running in crontab
First, try to update any city's name to be 'flag'. Then, delete any city. Once done, search for a city named 'flag' to get the flag.
for the skills assessment in pivoting tunneling and port forwarding, do i need to scan the entire subnet to find the other active host
I believe so yes
yeah, ping sweep a couple of times more hosts appear once the ARP cache is built
Hello anyone for question 2 on module "Active Directory Trust Attacks" ?
Why is there no corresponding keytab for searching from the / directory?
? the point is to check the crontab for an executable which may be used to set the keytab of the user
Files with the original kt suffix can also be extracted.
yes
but again; that's not the point
check crontab -l --> check what it reveals --> basic code reading
This AES doesn't seem to crack out
it should give you an NTLM hash
it's for annual only
the write-up shouldn't replace your learning ¯\_(ツ)_/¯
I personally use it to verify that i'm on the right path as I wait for stuff to go, like a ffuf scan or something
the new module already giving me trip
What is the full value of the CmdLine which triggered a detection?
copying out the full line and it doesn't accept it
is it intended to fuck people over really?
with copy paste?:D
don't forget the '_'
i know but why
🤷♂️
how can i show the ProcMon accessing file path? It doesn't show them at my setup. in the guide it shows that it accesses \temp... but i only see some non useful details at my procmon
use the filter, 6th icon next to delete
delete this as that's a spoiler
and the answer isn't necessarily garbled; the question tells you where to start
Yes, there's a hint.
Do I have to do all the Optional Exercises or can I skip them?
If I want to pass the cpts
they are optional, so don't get too frustrated if you can't do them.
they just showcase other ways to do things
I can't run the monta.ps1 script using powershell, an error shows up "The type initializer for 'System.Management.Automation.Runspaces.InitialSessionState' threw an exception."
Module: https://academy.hackthebox.com/module/113/section/2139
Nvm fixed it by running powershell with admin mode
So all skill assessment modules in the pentesting path now have the step by step solution feature enable button now?
only for annual subscribers
the new module is RDP usage heavy, and the eu lab getting worse accessing from sea
can relate, absolutely laggy
I swear it was 150-200ms last time, heck I passed CPTS on eu server with 200ms
People there's a serious problem
yup, thanks it's doable now
Can i ask you important question
I can't find the "Dump Memory to file" when right clicking on the address in x64dbg. How else can I dump the memory? https://academy.hackthebox.com/module/113/section/2139
do you know why are socks5 proxies getting kicked and not working
they're working but not working
Instead of just tagging the last person that commented here, write out your question and provide the module and section you are working on and show some steps you tried without spoilers.
yeah annual will renew automatically
cancel it, you'll still keep your sub until it ends
no
not downgrade, just cancel
then you should be good, check with support if you want to make sure
I guess they are launching an advanced pentest path for gold
too many releases of new stuff that I cannot access with student
is there any kind of checklist before giving the exam??
like a list of boxes to capture to ensure good luck?
aight so basically i want to exploit something
but the server is kicking/banning the proxies
and i'm getting really angry about it
are you doing any module?
no
this guy high af
Nope we don't. Read #welcome and register your account, post in the correct channel.
Hello guys, I have problem here at Passwords Attack module, Pass the Ticket from windows
RDP doesn’t work, I can’t connect to the target
did you go through the module??
hello everyone, you mentioned earlier a problem with the timeout but I added it in my xfreerdp command, it doesn't work and I'm sure I have the right information to connect to the remote machine.
and what kind of error are you getting
whats the command u using?
why would you need a timeout what module are you doing?
i can't display login information because of htb rules i respect
yea no issue can you tell me which task? the number will do
I do not think I needed a timeout
On the skills assessment of intro to digital forensics in SOC path, are we supposed to not use tools like registry explorer and timeline explorer? They were on all the previous machines but now all I've been doing is going through what I get from velociraptor manually
i'm at question 4 i need to connect to rdp through the port forwarding i created in ssh
my error :
before we go ahead did you try ligolo for pivoting?
connection is refused
you mean connect with ssh on the target ip found thanks to ping sweep? with the connection information found and then make the pivot?
the ping works
can i send a private message?
mp?
i think they mean pm
try enum on the target to make sure rdp is available and see more attack service
yea sure
yeah is available i use nmap for that with proxychains
so try it if rdp is not working
try getting more info on the target
AI prevents me from sending it, saying: don't send the same message over and over again
what are you trying to send?
The error
whats the gist of the error?
for this problem i watched a youtube video on the skills assessment, I did the same as the guy, and when we get to the rdp part it works for him and not for me.
"Dump the NTDS file and perform offline password cracking. Submit the password of the svc_reporting user as your answer." I have domain admin, have dumped NTDS & LSA and I cannot find this user. Did anyone else have this issue? If anyone reads this in the future, just dump the NTDS with CME again, it will eventually work, just takes time. It failed 3 times for me before working.
it's detecting the message as spam, as it does with large blocks of text; if you want to avoid the bot deleting it, read and follow #welcome
is it from ad enum?
[17:15:05:920] [4456:4457] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[17:15:05:920] [4456:4457] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[17:15:05:920] [4456:4457] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
sorry, nah it's from the report writing section
not that far yet
Logon failure
sounds like bad creds
likely password
any hints on this?
spoilers
wrap the password in single quotes
$$ is a variable call to get the PID of the current shell
so it's basically calling <password><PID>
Sorry, didn't know this is considered a spoiler 😥. i mean the credentials were written by HTB in the question, it wasn't something you needed to find out or crack to get it
then I guess it does not fall under spoiler
but try putting it under quotes
single quotes
like marcie said
yes not double cuz they parse $ as command
"pa$$word" is interpreted as a complex string; which will eval the variable
Some Google will go a long way on the funny bit in that screenshot
RDP to 10.129.67.54 with user "Administrator" and password "AnotherC0mpl3xP4$$"
Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect?
ok
read above
considering you may have just finally RDP to the target, i suggest doing the techniques shown in the section before asking about them
The techniques shown in the section are all after connecting with RDP
xfreerdp /v:ip /u:'username' /p:'password' [other options]
yes
and we told you how to get connected with RDP
and why it's failing; as it's a common question
alias xfreerdp='nohup >& /dev/null xfreerdp /w:1600 /h:900 /timeout:100000 /cert-ignore /drive:home,"/home/vigneswar/Temporary" +auto-reconnect' i use this its very convenient
meh
i often use different mount locations depending on my needs
also /dynamic-resolution
Alright it worked now, somehow
anyway rdp is shitty lag
single quotes is why
true
single quotes tells bash that you are using a literal string
nowadays ssh is giving a lot of lag
is it me or is windows harder to understand than linux, so many things happen in windows under the hood
not really
try ssh with udp vpn
¯\_(ツ)_/¯
i use pwnbox
even wsl drains storage i got my kali to 80 gb
i've had little issues with rdp using virtualbox ¯\_(ツ)_/¯
like flash on steroids and other enhancements
i've heard many people have complaints with wsl2
i have to reinstall it every month