#modules
Sec
I mean I'm getting the render tab now... it's not selectable but it's there...
Worked fine for me
After loading page and pressing forward I got the expected html source response
¯\_(ツ)_/¯
I changed no settings
^
I know, but what setting differences do you have compared to mine
I just clicked enable under "response interception rules"
bruh
I didn't select any "or" options
And yes I used the same webpage you're using
Since it's a docker container
confusion
Looks like it
..
brain hurty
bruh
i'm a dumbass omg
I enabled the wrong checkbox
this
is not this
🤦♂️
Thanks @fathom pendant
. you had this here
Hi guys
hola
Try restarting burp and taking it from step 1
ay carumba
All you should have to do is enable request
After that it's just grab request, make quick edits, and boom, ez
all I'm getting is that first page
not the HTML or anything
frustration
I mean the options aren't even saving after I exit burp and reopen it
That looks like your IDE crashed
rip my IDE
O7
https://github.com/the-useless-one/pywerview?tab=readme-ov-file#json-output dacl attacks 2, i can't seem to output to json with pywerview. is there another argument i can use?
works for me ¯\_(ツ)_/¯
I really don't know what you could be doing differently
wtf what am I doing wrong 
when in doubt reboot the box
So I've got a question about module 'Show Solution' documentation...basically wondering if my thought process is correct and if this should be corrected? At some point early in the module, you are able to obtain the Administrator PW. Then, towards the end of the module, one of the goals is to add the 'CT' user to the Domain Admins group.
So the last 2 questions are about obtaining the flag on Administrator's desktop and submitting the KRBTGT hash. It would seem to me the goal of adding CT's user to the Domain Admins group would be so that you can get the flag and krbtgt hash as the CT user. However, the documentation completely pivots from "crack the CT user's hash" to "submit the contents of the flag.txt file on the Administrator desktop on the DC01 host"
Obviously you would have the option to use the Administrator user to get the flag and the hash...but does it make sense to anyone else that the payoff of adding the CT user to Domain Admins would lead to getting them? The 'Show Solution' gives you the Administrator user performing those tasks instead of the CT user.
Open webpage; make sure proxy is enabled; intercept requests and responses enabled; refresh page
Are you hard or soft refreshing? (Ctrl+r vs ctrl+shift+r)
I mean this isn't an issue that needs fixing now because it's not an interactive portion of the lesson, but I can't follow along with the lesson if I can't recreate the steps they're taking to help me learn...
?
I'm just clicking the refresh button
I dunno
If domain admin they can see local admin
Do ctrl+shift+r
Might be some caching in play bypassing the response
As said in the module/section
Yeah, had to edit the end of my question to hopefully make it make more sense? Since CT is an admin you'd think the solution would have you use that account... but the examples in the solution are using the administrator account... instead of the CT account that you just added to the 'Domain Admins' group
Omg I think that was it
What device are you adding the CT user to domain admins from, it's certainly not the DC
Correct, i believe it was MS01
Eh put it in #1234357888114364508 if you want clarity
It's a soft reset (preserve cache) vs hard reset (clear cache)
Think how annoying it'd be for a large webpage to load if it wasn't cached
that probably should've been mentioned in the lesson to be fair. I know it said to do ctrl+shift+r but it could've explained the difference
tis whatever, I understand now, so thanks again @fathom pendant
Np
currently stuck on broken authentication, predictable token, I have a script, it should work, but I don't know why it is not working, need some help
Anyone having issues with NTLM Relay Attacks Skills lab? I completed it not too long ago but I'm going back to practice and the same method I used before leads to a timeout.
is there anywhere to ask questions about the Hackthebox main website
Ty !
Not able to connect through HTB Academy VPN since yesterday. Is there any specific channel to seek help on such issues
try re-downloading the vpn file, and if you've done that try another region
Hi all - I'm doing the Active Directory Enumeration and Attacks module, and I'm up to the page Initial Enumeration of the Domain. I'm trying to use kerbrute to enumerate users with jsmith.txt, but I'm not sure how to get the text file jsmith.txt.
Do I need to do something to connect to the internet on the target computer?
locate jsmith.txt
thanks mate you're the best
Was going down a big rabbit hole trying to figure out if I had to do something to pull it off github
They did provide the github link for the files, so you could have.
How would I go about doing that? I was trying to at first, but I couldn't figure out how to connect to the internet on the target machine to do that
pull it down to your machine then scp/ssh/nc/wget/etc the file over
ah ok thanks - I'll keep that in mind!
Hello all, I have completed the module, UNDERSTANDING LOG SOURCES & INVESTIGATING WITH SPLUNK. I am currently doing the assessment and stuck on the last question for a few days.
What I have Discovered: I have discovered a chain of infection but can't seem to get further or trace back this chain to understand which .exe file is being asked for. So far I have understood that:
10.0.0229:8080(IP from which RandomFile.exe was downloaded by msedge.exe) -> Randomfile.exe -> rundll32.exe -> lsass.exe -> credentials dumped.
Question : What else should I search for in Splunk to find the Infection Source... Any Ideas or Suggestions? The idea is to find some exe that came before "Randomfile.exe"
I have tried so hard that I have lost hope. Who can explain my mistakes to me?
footprinting-dns - Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))?
Did you read the hint?
Did you also try to perform a zone transfer for each zone?
I have done a zone transfer to each other but i don't know if it is the right command
send me a dm with your command
🆗
by waking up the computer
esc, enter space, nothing working
somewhere in the box there's a button, click around
@shut quest Hey. Can I DM you about burnout topic?
i have no idea what you are talking about
I've completed the cybersecurity path and now I don't want to study it anymore cause I forced myself to do it too hard
Maybe you faced the same problem and can give some advice
Not funny at all
step away, relax the brain, do something else
For how much time?
¯\_(ツ)_/¯
eat a bagel and go swing at the park
In CyberSecurity, you will never stop studying. There will always be new technologies and opportunities.
Burnout is a serious problem. You shouldn't take it lightly
menace bunny im burned out on intro to networking im still here 
Take small steps forward. Learn something new every day.
I understand that. I want to study, but my brain doesn't. I've planned to complete the course and exam within 2 months but now I don't know, whether it is possible cause when I see those articles once again I can only think about other things and procrastination. The question is, how much time do I need to relax to overcome this feeling?
play some ranked and go yell at children you'll feel much better trust
That depends on you. Nobody can tell you that.
Wanting to work through the course in two months is a very ambitious goal.
In my opinion, it's wrong to set yourself a time limit here. Do a little every day. But stay on the ball. This is probably much better in the long run, even if it takes longer. As soon as you set yourself a time horizon, you put yourself under additional pressure.
brother its different for everyone its all up to you and how much time you need to relax... you know your potential and how much time you have just be responsible... or be like me and pop that adderall kekw
but in all seriousness, it's healthy to take breaks from learning, it's healthy for repetition as well. No one can tell you how much rest you need. I take breaks from learning this kind of material for months at a time. Then the itch comes back and I go at it for 2-3 months, rinse and repeat.
Sorry for asking maybe stupid questions, I am really confused because of this right now. Thank you.
eat a snickers youre not you when youre hungry
this is not a stupid question, and mental health is important
2 months for the CPTS path is faster than most everyone here. even 3 months is pushing it. it's a lot of material to cover even if you have been in IT for years
I cycle between long periods of study and long periods of playing computer games to decompress. Been doing that for years. Mostly I suggest spending time outdoors and with friends and family. Eventually you will miss nerdy stuff. Watch ippsec videos every now and again to remember how fun it is. Enjoy music. Take good care of yourself. Get good sleep and exercise.
I enjoy switching to studying programming in periods. Learning C is really nerdy. I recommend the book Advanced Programming in the UNIX Environment.
Maybe go swimming in the ocean or lakes. Be in beautiful places. Relax. Have fun.
I find myself with this crazy anxiety to finish what I started learning just to finish it and want to start something else. It's a paradox -____-
Same here.
Listening to music really sparks joy for me. So go to concerts. Listen to loud favorite music. Relax.
Hell, go on a trip. See waterfalls. Go hiking. Stuff like that.
Drop the nerd playlists I need to update my library plz and thank
Was waiting for each edition to drop like the messiah....what an era...
Much love to Daddy Kev
OH RAAAAAASSS
Thank you 3000
Module - password attacks, "Single Crack Mode is one of the most common John modes used when attempting to crack passwords using a single password list. It is a brute-force attack, meaning all passwords on the list are tried, one by one, until the correct one is found". This paragraph is confusing, isn't this considered a dictionary attack?
ask ai
still confusing
Understand that you are only going to really learn how to use john by actually using it, so if these details sound daunting, don't worry, if you can do the exercises and the skill assessment by yourself you're set
Don't think about it too hard, if you want a correction #1234357888114364508
Yo i'm on the same module (again) password attacks
https://academy.hackthebox.com/module/147/section/1327 in this section they introduce crackmapexec
Crackmapexec has been archived in their github repo
yes, it's the up to date fork
Nobody?
hey from the past few days I am unable to connect to the HTB VPN using openvpn. The internet connection is fine on my VM
It stops at establishing TCP connection. I tried changing regions and also the protocol
Reinstall openvpn
I tried that too 😦 no luck
Read and follow #welcome
the vpn works on your main host?
Message support
Thank you so much🙌🏼
nope 😦
what I would do on my machine is to check the routing table and see if you can reach correctly the vpn endpoint.
I am currently checking my firewall to see if I accidentally blocked anything
from the vpn config file you can dump the ips and port where it's trying to connect
you can also check with wireshark if your vpn handshake exits correctly and if you receive any answer
Thanks for the help I will check them
you're welcome 👍
only SYN
hello guys, in the local file inclusion skills assessment... I managed to get RCE a few times however after refreshing the server several times it's still getting frozen when I try to execute commands, can som1 help?
can I dm som1 who has completed this
if you do "ip route get <vpn endpoint ip>" which interface it hits
then if you can't ping it you can try a traceroute to see if there is something in the networks
if so maybe it's a problem with the generation of your certificate and support would be the best option imho
yes the packet just gets timed out. I will reach support
sorry we couldn't land anywhere better eheh
Thanks for the help anyway
in module Attacking Enterprise Networks - Active Directory Compromise, how can i authenticate to the domain controller? Rdp is not listening and i tried winrm but it didn't work. Is there other ways or did i miss something
Wait nevermind, i tried to pass the hash with evil-winrm and it works
i am currently in password attack module, Password mutations section,
hydra -l sam -P mut_password.list ssh://10.129.68.44
it is taking forever to get the correct credential
am i doing something wrong or this is normal
try a different protocol may be there is a password reuse
☝️☝️☝️ and good luck
Hello,
I am in module Linux Fundamentals section "Filter contents".
I have successfully answered this question :
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I used this command to find the answer :
curl https://www.inlanefreight.com | grep -E "https://www.inlanefreight.com\\S+" -o 2> /dev/null | tr \" ' ' | tr \' ' ' | cut -d' ' -f1 | sort | uniq | wc -l
My intuition is that it feels really too complex (for example regular expressions are not supposed to be known yet at this point) so I was wondering if there was a "basic/easy" solution ? 🤔
it's been more than 1hr, using -T 64, still no result
Use 48
64 is often too much and causes packet loss
And you often skip over what the answer would be
It should take roughly 30 minutes give or take
This is intended to be a hard question, I looked at the forums for this one
There's one forum answer that describes the commands they used
I believe I've shared it in this channel before if not it's not too hard to find
OK I was wondering if I had missed anything that would make it very trivial (for example a curl option)
Yeah it doesn't help that RegEx is after this one
The other thing you can do is copy the source code and ask chatGPT
after a few nudges it provides the right answer
But it can't give you a curl command for it
Goofy aaah gpt
That's for a diff module
Once you get to the module my command references you'll see how it makes sense
But yeah I would say that the curl question is the toughest one as it requires knowing how some commands work, as well as knowing html coding (src= and a href=)
Guys how do i install crackmapexec on debian
if you want cme get netexec instead
what is netexec?
thanks, is the syntax same as cme?
Yes
It's a fork of CME as the main people holding up the codebase had some disagreements with the original author (to put it mildly)
Name was changed to avoid confusion
Thank you guys, I've downloaded it
New module with C2 wow
Is it collaboration with LockBit?
Has anyone done the DACL Attacks II skills assessment? I am stuck on the first question. I'll share what I have tried.
I mean the module description and announcement would say if it was
@sinful elbow I don't accept random dms, what do you want
@sinful elbow yeah geez bro smh
Hi guys, I'm stuck on a question in ACL Enumeration.
The question is -
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
Tried lots of things but none seem to work. can somebody give me a hint or something?
my ISP IP probably got blacklisted lmao. I tried connecting with a different connection
get the sid of the user and use the domain object acl command with whatever group you want
If possible, skip the Proton VPN connection. The speed will certainly not be faster this way
hey anyone can give me a hint on sliver skills assessment first flag?
The thing is the original IP is not connecting to HTB. the support asked me to test with an different connection. It's just a test. no way I am gonna use like this
As long as it works, you can use it as it is. But a VPN connection through a VPN connection is usually much slower.
absolutely yes
bros gonna be waiting an hour for a nmap scan to finish 😭
Hey guys, is anyone hiring in 🇩🇪 Germany, into ai/ml? I have someone who is talented enough looking out for opportunities. If you have or know someone kindly let me know. Thanks once again!!
Hey so in the Passwords Attacks module under the Password Mutations section we are asked to create a mutated wordlist and use that to find credentials for SSH, my question is, is that supposed to take a lot of time? I know cracking attacks take time but usually we get a small wordlist / a word early in the wordlist gets chosen so it does not take a lot of time to get the answer to questions.
it will take a very long time
Okay, thanks
You're not gonna get an answer here, read and follow #welcome there's a #careers-and-certs channel as well as #job-postings
Don't attack ssh
Scan the target and see if another protocol would be better to attack
Ssh is an extremely slow protocol for hydra/cme/nxc to crack
Yeah true
I thought about maybe trying to find another service and trying that but I ended up being like "nahh I can wait" but I'll try
48 is the magic number of threads for the service
Also if you're waiting for ssh, it could probably take longer than the target lifetime
You'd have to constantly extend the lifetime until max and pray
The logical thing is;
See ssh would take forever
Think that there must be another way
Scan
It was about to take like 2 hours
So I just extended the lifetime a bit and it was enough
but yeah
Hi, has anybody created an HTB machine on hackthebox and submitted it to them?
Not the channel bro, read and follow #welcome and you should be able to access more channels. Though you might have to just ask in #1024429874246590575
Hey, so I can't really grasp the concept of running a shell in a context of a different user. How does that differ from just using the victim's account? Say I got a NTLM hash. Why does mimikatz start a shell in the context of a user and not just log-in with it to the account?
I know that hash is not a password, but we still use it to authenticate as an account so what is the difference under the hood?
wdym by login? mimi opens a shell as the user, it is logged in as the user
I had the same question. The answer I got was "since you access the contents only that user is allowed, you know you are working on the context of that user"🙄
If I remember correctly, I had tried whoami command on the shell, and it still gave the previous user, not the one on whose context the shell was running. @candid night can you try the command?
Per my notes from the PtH section - after authenticating to a user and executing a cmd.exe with this command
mimikatz.exe privilege::debug "sekurlsa::pth /user:julio /rc4:64F12CDDAA88057E06A81B54E73B949B /domain:inlanefreight.htb /run:cmd.exe" exit
"Now we can use cmd.exe to execute commands in the user's context. For this example, julio can connect to a shared folder named julio on the DC"
And now, when I'm working on kerberoasting the same separation of using a domain account and using a shell in the context of a domain account appears
Anyone who passed the CPTS certification, are the user/pass list from different modules beneficial in the exam?
The NTLM hash is derived from a user's authentication
So it, in essence, is the user's login
Yes rc4 is the same
I'm not in the section about it right now but I tested the same thing that you did and I also had the same results
It's weird visually
The point is, since the command actually ran successfully-- it worked and you're in the cmd prompt as that user
Otherwise mimikatz would throw some error at you
I do agree that the text could be clearer about it
'Aight, so essentially. "running a shell in the context of a user" just means "running a shell as the user". Meaning, when we do a PtH with mimikatz we just get a shell that is the same as we would get if we knew clear text password and just sshed to that user?
Yea you get the perms from the user but it still shows as the prev user. A bit weird. I was confused as well till supernuts explained it
Basically, yes
You basically (for all intents and purposes) are the user you pass the hash with
MimiKatz impersonates the user by using their network token letting you use it for network authentication but when you run whoami, that is not network authentication so it shows your local user on the shell and not the person you are impersonating
Okay, thanks a lot guys. That cleared a lot of confusion for me
That's interesting. Is there any way I can determine which user I am impersonating, maybe some commands?
run "klist" and it shows it edit: only works if u have a kerberos ticket
Thanks!
klist only works if you have a kerberos ticket
if it's ntlm only it won't show
but generally pth is best used from a linux host or a c2
ah ur right, forgot about that
CPTS -> Information Gathering | Web Edition
https://academy.hackthebox.com/module/144/section/1257
I'm trying to automate virtual host discovery but seems like I get all output from the command, for each name, however in the guide it only shows those that are valid.
ffuf -w SecLists/Discovery/DNS/namelist.txt -u http://10.129.254.237 -H "HOST: FUZZ.inlanefreight.htb" -fs 612
why doesn't this work
┌──(sam㉿kali)-[~/Desktop]
└─$ gobuster vhost -u inlanefreight.local -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 50 -k -q
Found: 1 Status: 400 [Size: 436]
Attacking Common Applications - Skills Assessment II
Can you provide some more insights? Also, what is the purpose of vhost in your cmd? Mode?
Have you added the domain to your dns /etc/conf file?
i added it to /etc/hs10.129.78.178 inlanefreight.local
10.129.78.178 inlanefreight.local
to /etc/hosts but none of the vdomains pop up
to get subdomains
i literally copied it from the answer solution
cause ik the freaking answer was in there and it still doesn't work
try adding the --append-domain flag at the end of the command
Don't we all
can you help me with my question about cyber things
why don't you just ask the question
Can i go to the toilet?
idk that's why im askin
Off topic, ability to go to the toilet is not covered in Academy modules, sorry.
💀 ok let me go to oscp and pay 1000€
Do you still need help?
did you copy and paste the command?
Yes but of course - changed the necessary parameters such as IP and domain + wordlist location
but not the length, am I right?
Well, it's the same as the one shown so the answer is not
My cmd:
ffuf -w SecLists/Discovery/DNS/namelist.txt -u http://10.129.254.237/ -H "HOST: FUZZ.inlanefreight.htb" -fs 612
Academy:
ffuf -w ./vhosts -u http://192.168.10.10 -H "HOST: FUZZ.randomtarget.com" -fs 612
I mean maybe the output is correct but I dont think I'm supposed to be spammed completely with requests
No, you didn't get what I said. Could you please check again the response length for a non-existent domain?
Are you completely sure it's the same as shown from the command you copy/pasted?
You are referring to fs 612... correct?
Indeed
Even from the screenshot you pasted I can see something different
Yes, they respond with 200 but from what I know that means it is accepted/open right?
The 200 OK means that the request is successful, it doesn't say that the domain exists.
Can you check the response length of a false positive?
Hmm considering there are so many 200's, they can't all be valid, so could it be false positives?
Sorry I need to repeat myself, the response length not the status code. The option fs in ffuf is to filter response size as the man page says.
Now, are you sure 612 is correct?
Thanks! Got it now. I still get a lot of info, do you know why? Almost if I had verbosity enabled.
remove the screenshot please, it's not needed
Hey I'm fairly new to HTB and pwnbox in general. I'm doing the Detecting Windows Attacks with Splunk module because I'm trying to get as much practice in with Splunk as possible for my BTL1 cert exam and one problem I'm having is that it tells me to:
"Let's now navigate to the bottom of this section and click on "Click here to spawn the target system!". Then, access the Splunk interface at http://[Target IP]:8000 and launch the Search & Reporting Splunk application. The vast majority of searches covered from this point up to end of this section can be replicated inside the target, offering a more comprehensive grasp of the topics presented."
The problem is that I don't see a target ip anywhere in the module. I know that typically I can get to Splunk with 127.0.0.1:8000 but doing that in Mozilla in the Parrot OS lab doesn't seem to work and I'm trying to workout where I'm going wrong and no target ip seems to be listed anywhere in the module...
typing "sudo systemctl start Splunkd" in the parrot terminal doesn't seem to help either as I get a "Unit Splunkd.service not found" error
Pwnbox doesn't have Splunk installed. you need to spawn the target and connect to it
scroll down to the bottom of the section, click on "Click here to spawn the target system"
Yeah I did that
once it's ready, you'll get an IP address and port
connect to that in your browser on the Pwnbox
I'll try it again, must've missed the ip address and port
or connect to it with your own VM
Just one last piece of advice, do not copy and paste blindly 😁.
This should be valid for everyone really.
Ah thanks, I think I realize what I did wrong now, definitely user error as usual hah
I'll dm you about the filtering since I can see only valid subdomains listed.
Remember to filter by size with -fs.
hey chat i have a question
Hey french are here?
?
can i ask a question?
uoi uoi baguette
Just ask it nerd
is name calling your love language
awww you lil silly flirt you
It's how I express frustration
damn 💀
Usually before I actually block 😄
what no we've been through so much 😭
Yeah, and I was nice enough to do it free of charge
Fuckin ask your question I swear to God child
child??? im older than you?? ... i think maybe...
Doubt that
im 20
27
Because IPV6 uses hex
so would all the rules we learned yesterday be the same? (like range and broadcast address)
2 rules of IPv6
You can short any string of 0000:0000:0000 to :: once, and you can omit leading 0s
IPv6 doesn't use broadcast
idk wdym by "::"
Most practical application of subnetting occurs within IPv4
AAAA:0000:0000:0000:0000:0000:0000:BBBB is shortened to AAAA::BBBB
but what about the 1s?
Brother
thing
If you wanna calculate the binary for hex values, be my guest
hey hey the intro lesson says asking the right questions is a sign of wisdom and intelligence
so basically im fuckin Gandhi
Yeah, but you're converting a VERY large number
or einstein
Remember 1111 in a hex system means
1 x 16^3
1 x 16^2
1 x 16^1
1 x 16^0
As you can see, hex numbers get very big
so it uses 4 bits?
Way more
but 16 means 4 octets
16 bits
And nope we aren't in octets anymore
FFFF = 65535 = 1111 1111 1111 1111
where tf did you get F from
That's hex baby
IPv6 is written in hex
It's 8 sets of 16 bits
128 bits total
Compared to 32 bits of IPv4... it's exponentially larger
Hex uses 0-9 then A-F which represent 10-15
ok but why use IPv6 instead of IPv4 whats the difference?
wdym limited? doesnt it have like 4.3 billion combinations??
Lmao and that's not enough
IPv4 was the first stable version of Internet Protocol. IPv6 is the most recent version & is intended to replace IPv4. Currently they are tightly mingled—most engineers run them together.
Consider; how many humans exist
bro menace bunny got all the connections
Or just used google
Google is my friend 😉
Brother
i wanna be a fwb with google ong id be rich fast as fuck
Blocked
THERES A GOOGLE COMMAND THAT IS FIRE
You're fired
you dont mean that
Learn constructive ways of managing it then
and im on 40mg xr daily
nahhh i got a 5head
you sound like my mom rn 😭
Well maybe she got a point
nah she pisses me off
The sooner you learn to manage yourself without meds the better off you'll be
last time i tried to be off of them i got into a car crash and broke ribs so no thx im ok
Such as, not saying everything that comes into your head
I DONT??
Didn't say to quit them headass
I said manage when you're off them
You should never drop prescription meds flat out without consulting your doc
alr gn im going to bed
So I'm at the beginning of the Detecting Windows Attacks with Splunk module and I gotta admit my Splunk skills are coming up short on the same question. It's wanting me to modify the search so that it'll show all process names that made LDAP queries where the filter includes the samAccountType=805306368 so that I can enter the missing process name from a list given in the question.
I've tried adding "AND ProcessName" to the search filter, tried to specify the names of the relevant processes of it and I've also tried adding Event Id 1644 (seeing as Event 1644 is the LDAP performance monitoring log) to the top line of the search query but none of this is working.
I'm not wanting anyone to give me the answer, I'm just wondering if someone could give me a hint that would put me in the right direction for solving it...
I'm definitely not equipped to help with that directly but I would say maybe be quite specific about what you're asking for with it? You're more likely to get responses if it doesn't come off as a "please do my homework for me" type of request if you know what I mean....
it looks like your modifications to the query only make your results more restricted
Yep, the default query has one result and whatever I do it seems to result in zero stat responses so I'm definitely not going about it the right way
look at what the query is, and see what it is that's restricting the results
the obvious freebie is the timeframe but you will need to modify it further
@dim wolf thanks, I think I need to take a small break and look at it again later. At least the more time I spend with Splunk in general the less foreign it'll feel in the BTL1 exam
👍
Probably vm mem management... Not sure why it would jump from 0x0000... to 0x5555...
Just how mem works my dude
i need help on this one: One of the pages you will identify should say 'You don't have access!'. What is the full page URL? Skills assessment web fuzzing. i fuzz with all 3 vhosts i got but i get a ton of pages, not sure how i should find the one i need
I believe you can filter content with ffuf to have that string
Also don't forget the file extensions
why would it operate in so much higher range 0x00005555511b0 and then jump down to much lower range of addresses: 0x00005555555551b0
but how do i know which page to choose from bunch of them i get
¯\_(ツ)_/¯
Brother
There should only be one response from the right subdomain, extension, and response text
If you're getting too many, maybe you're at the wrong spot
Make sure to be recursive
Oh and don't forget the size
Remember with ffuf
f is filter out
m is match
would that mean filter out ones with size: 0 bcs i keep getting those
oh right
I'm meaning flag in the context of running a command, a flag is also known as an argument
you don't have access to
It's case sensitive
But also, show your command where you have the string
Including the -argument
Technically it's matching regex
u mean this one part ? -mr "You don't have access!"
Yep
Try with single quotes instead
Also, you do need to be recursive it's not at http://subdomains.inlanefreight.htb/file.ext
It'll take a minute
Here's another hint, use the subdomain that you found all the extensions for
smart
Your -e is revealing an answer btw
oh bm
Also. Turn on verbosity
Whenever you do recursion, verbosity helps
When you run it btw, are your ffuf requests dropping really low? If so, try changing to bridged networking in your vm
Something with NAT and your router causes issues
i am doing it in their instance
hello everybody
can someone help me with ssh-keygen, a day ago i generated keys and imported them to authorized keys, it worked properly, but when the machine reset it required me to regenerate the keys again to connect back, but this time it's prompting me for the password
what module?
If the machine was reset, you'd need to add your public key to the authorized keys file again. A reset means the machine is restored to a "clean state"
i added my keys again, chmod 600 authorized_keys, still not working
Well chmod 600 authorized keys won't do anything
You need to use the id_rsa to sign in
Ah.. yeah, if using pwnbox the id_rsa would not be there any more..
Question is then, are you using Pwnbox, and if so do you still have the same instance as last time you worked on the machine?
Which port are you listening on?
Oh
You said Kali.. you forwarded the port to an external IP?
Module instances are hosted on public IPs and ports. In order for the module instance to reach your Kali instance you're running locally, you'd need to expose your Kali instance (port 80) to the internet
Hm ok, nevermind then. So the Kali machine is connected to the VPN, and you can reach the target from your Kali VM?
No if the target is on a VPN you shouldn't need to
Perhaps try a different port, like 8080. I'm not fully up to date on firewall rules for those instances, but it's worth a try.
So you'd connect back to your VPN IP from the module instance (which I guess you have a shell on)
I should be in bed, I'm gonna regret this.. hit me up in DMs
First time I've had that reaction
Thank you
No come on, let's do this
One more problem solved before sleep
otherwise it'll tick me off lol
o_0
You sure you're not still on the kali vm lol
Otherwise gg
Sorry, dumb question, but gotta ask them
Noice
nn then 😄
Rubber ducky debugging 🦆
Cheers!
I am doing the Windows Fundamentals course. Is there a plan to update it with info on Win 11 in the future?
windows still works the same between 10 and 11, there's not really much to update for fundamentals
In a business setting for servers, you are mostly going to be dealing with Windows Server, rather than 10/11. Still, even if your scope includes workstations, the content of the CPTS course should be fine for both 10 and 11.
i didn't just chmod authorized_keys, of course i added the keys into it first, then i did
Classic PEBKAC
Well yes but you still don't use the authorized_keys file to ssh with an rsa
You use your private rsa key
Problem exists between...
the thing is i connected to this machine before, i know how to connect by ssh, but the problem is when i use the same technique i cannot connect
Idk how you used the authorized_key file to connect
Also what module are you working on again?
If it's a #starting-point machine or lab #boxes you're in the wrong channel
i generated keys with ssh-keygen, i copied key.pub to authorized_keys on the htb machine
Again though you're not answering my initial question
what module are you working on
it's a box
Then wrong channel
.
If it's a starting point machine: #starting-point
If it's a regular box: #boxes
This channel and the other academy channels are for assistance with HTB Academy. This one in particular is for the academy learning modules
is anyone able to spawn a target machine for this module: INTRODUCTION TO WINDOWS EVASION TECHNIQUES
For Assessment 1 or 2?
In fact, for which specific section?
I was able to spawn now it was just slow.
Yep.. it can take some time for instances to spawn, especially Windows instances
Good hunting 🙂
just wondering, will HTB release more for evasion modules ?
Working on AD Trust Attacks, Trust Account Attack section. It's asking me to proxychain ssh into the DC which I can do without issue, the problem is when combining proxychains with ssh it seems to stop scrolling the screen. so when I run a command like mimikatz it just updates the last line on the screen making it impossible to read. is there a way to make it scroll or do I just need to use tmux and log it all or something?
Hi I am in windows priv escalation module miscellaneous section, I am trying to do CVE-2019-1388 but i cannot get the browser to open as SYSTEM is it patched in this target?
I did right click on hhupd.exe tool and run as admin > clicked on the hyperlink and then tried to view from task manager but the user column was empty
it's not patched
Could someone please explain what this means?
Note: If you are using Impacket tools from a Linux machine connected to the domain, note that some Linux Active Directory implementations use the FILE: prefix in the KRB5CCNAME variable. If this is the case, we need to modify the variable only to include the path to the ccache file.
Module: https://academy.hackthebox.com/module/147/section/1657
The FILE prefix in the env indicates the Kerberos credential cache is stored in a file. Without the FILE prefix the variable directly points to the file path of the credential cache.
I'm afraid I still don't get it 😅
Could you please provide an example?
By FILE prefix, do you mean KRB5CCNAME?
KRB5CCNAME=FILE:/tmp/krb5cc_0 means the credential cache is located at /tmp/krb5cc_0, and the prefix FILE: specifies the storage type.
KRB5CCNAME=/tmp/krb5cc_0 simply specifies the file location without indicating the storage type. Some tools (like impacket) may require the path without the FILE: prefix to function correctly.
I see. Thanks, that was very helpful.
no, KRB5CCNAME is the variable itself
it's the environmental variable
the FILE prefix would be part of the value of that variable
i think you got it though
Got it 👍
Yup, thanks.
Based on title alone I would assume they are
gimme dat edr evasion module
Need help in Advanced SQL Injections skills assessment. Anyone free?
?
Hi, I'm currently going through the pivoting module. At the RDP and SOCKS section you need to transfer the SocksOverRDP binaries to the target. The target identifies the binary as a virus and immediately deletes it. Anyone know how to solve this?
try using ligolo
btw can you send the link to the section so I can look up what u are asking?
are you talking about the dll file for this regsvr32.exe SocksOverRDP-Plugin.dll command??
yeah
I am spawning the machine, wait a sec
I think I accidentally posted my question to the wrong channel earlier:
can someone who has an active Pwnbox give me the PowerShell version number from $PSversiontable? Thanks
is there something preventing you from spawning it
disable the defender
hello, not having access to the pwnbox channels I would ask my questions here if that suits you. I have a problem with my virtual machine and also with that of hackthebox: I cannot manage to clone, I get "fatal: unable to access 'https:// github.com/Hackplayers/evil-winrm.git/': Failed to connect to github.com port 443 after 130180 ms: Couldn't connect to server". how do I resolve this problem? thank you for your understanding. moreover, being French, and to make the task easier for me, reply to me by pressing the arrow above a message to mention it
oh ty i thought its off but the real time was on
go to #welcome and follow the steps
I'm in the process of doing this but can you please help me in the meantime?
is it related to academy or main boxes?
if its academy stuff can you send the link to the module
I try to download evil-things for the optional exercise but I can't do it all the time, errors even with the different download methods
maybe you can remove the whitespace from the address before github?
also check whether you can access any other github page
what is "whitespace"? and how do I find projects with the possibility of downloading them with git clone? thank you for your help, I am just starting out with cyber security and I have never used github
remove the SPACE character from the address
I'll try I'll tell you again
so regarding my problem I fixed it on my personal machine in any case, I just had to generate a github token and that fixed everything
Hi everyone!
Can someone give me a hint? I'm stuck on the DACL Attacks I module - Granting Rights and Ownership.
We have access to the lilia account; she has Owns rights on the Manager group. I tried abusing it with owneredit, but have some issues:
BH shows edges:
And if I check the DACL rights on the chap user, using Managers with lilia's creds, we detect WriteOwner rights:
Task:
Lilia is owner of the Managers group; abuse her privileges to gain access to the shared folder \\DC01\Managers and submit the contents of flag.txt as the answer.
If I remember right, you can be owner of the group but you might not be group member. So check that. I have notes about this but currently not on my computer
Yes, I'm not in the group. I tried to add lilia to the Managers group via net rpc group addmem 'Managers' lilia -U inlanefreight.local/lilia%DACLPass123 -S 10.129.205.81 but got access denied, and I can't add other users to the group either
And via addusertogroup.py I can't add the user either:
I just checked and the owneredit should work
Can you show command?
I just noticed it, your target is wrong
Otherwise its right
Maybe I should just use owneredit with target chap?
Try -smb2support share .
Maybe there are some problems with the impacket packages?
how to find the problem related to impacket packages
hey
could anyone help me with task 3, getting the password of ftpsql, in the NTLM Relay skills assessment?
I have a clear text cred for a local user called sql_ftp_test but I have no access with that account to any share
try to use impacket-smbserver
now working
what was the reason for not working in my screenshot
it seems like this is lib not binary (not sure tho)
Hi everyone. I have a question. I'm currently following the module "Setting up" and I just read the section "Organization", but I'm scared I won't remember all the organization this section talks about. Any advice?
Take notes on the important stuff (applies to all modules).
Anything you're afraid you won't remember and may need in the future, take notes.
Okay thanks !
trying to connect to the host using evil winrm
https://forum.hackthebox.com/t/evil-winrm-error-on-connection-to-host/257342/3
Always check GPT, search engine, Discord, and the HTB forum. When it comes to Academy you'll likely find your answer this way.
In Attacking Common Applications, under the PRTG Network Monitor section, the reverse shell is not executing commands.
Why is the Connection being refused? I am using attackbox to connect to the target.
module is teaching about Pypykatz
now mimikatz is available on linux also,
so is there any resource to learn mimikatz on linux?
does the machine have port 22 opened
I believe it is, because we are required to connect to the kali machine to solve this module
https://academy.hackthebox.com/module/176/section/1778
The target is spawned, I can even rdp to the windows machine, but cannot ssh to the kali one.
If you are going to use the kali machine just to crack the hashes, better use the workstation instead
Makes sense, thanks. I feel kinda dumb now lol
Hi, i think the question in the Identifying Filters section of the Command Injection module has a bug: there are multiple answers to the question, and both (the one from the solution, and the other one) are not accepted.. even though the application seems to be responsive to the provided command injection.
Hi everyone, I have a simple question (I hope this is the correct place to ask it): do you know if it is possible to perform a PtH attack with Remmina, in order to access a machine with RDP?
i think u need to put here #1234357888114364508
idk
will try, thanks Volter
dunno
but you can do it with xfreerdp
ur welcome
Hi guys, I'm on file upload attacks skills assessment but I'm unable to progress. I was able to read the source code of contact/upload.php with SVG/XML payload but when I decode the base64 I don't see anything about where it uploads my file to
make sure you copied entire base64 string, if you just highlighted part of the string it will not decode full code, only part of it... happened to me
#broken_authentication reset token question 1,
I'm using a python script that generates md5 hashes using the username htbadmin and the time, but can't get the matching token... any help?
Can I dm real quick if you don't mind?
sure
check out the source code where it is gonna be uploaded, you will find it there
I did but it's no where to be found in the source code when I decoded the base64 or I just can't interpret it
it is very straightforward so make sure you will get the full source code b64 encoded as suggested above
Just dm'ed you if you don't mind
please reply mine
Without knowing exactly what your script is doing, it will be impossible to help you.
||Your script must be based on the time specified.
Plus minus one second
Create a token per millisecond and send it to the web server||
guys i am stuck at INJECTION ATTACKS --> Exploitation of PDF Generation Vulnerabilities. i think i have multiple working ips and ports but i'm unable to get any file when i send my payload, i just receive the title and the note is just empty. i tried using the xml req and then encoding it with base64 and it didn't work, i don't get it
any help?
Send me your payload via DM.
As soon as I'm home (about 1 hour), I'll take a look at it
Anyone having issues with AD attacks and enumeration - bleeding edge vulnerabilities? the exploits keep failing with "remote host timed out" for both noPac and PrintNightmare
i've sent my code snippets to you... along with my problem... please see DM
guys I want to ask: if I have the "current plan silver" and I want to open the "student plan" before the end of the month, can I do it or should I wait until the "silver" plan ends?
Probably just wait
okey thx
If you go to the "/opt" folder over the pwnbox you can find the "noPac" exploit directly there to use it
So when i try that, it gets hung up on "requesting S4U2self" and then fails with a "connection reset by peer" error
I'm not sure if i'm missing something silly, or if the DC01 box is having issues and needs to be bounced
You may want to remove the screenshots since I don't remember if the passwd for the user is already disclosed by the module. Give me a sec to re-verify everything myself, or possibly you want to restart the target
It's an answer to a question in one of the other sections
my bad
Yeah this module is a grey area since like the entire lab is reused throughout
Hey, for yesterday's task it still doesn't work. I fuzzed now with faculty and .php7 and I get nothing except index.php7
Tried and it works flawlessly
Weird you should find a subfolder that has the expected answer
Interesting. I feel like something in my lab env is screwed up but who knows
You're using the forend user, correct?
Recursion and verbosity helps
Some issue. I put them all in /etc/hosts so it's not that
Probably you can just reset the target and try once more
You don't put the uri in /etc/hosts just the domain/subdomain {a.inlanefreight.htb...} or I think they use .local
And you do still have to specify the port even if it's in your /etc/hosts
Ye i know I put like ****.academy.htb
As you don't specify port in that file
Hey, how's everyone doing!? Quick question about hashcat. Every time I try, I use --force because of a kernel autotune failure but it never finishes. Last night it said an estimate of 1hr, I woke up and it's now saying 25 days. Is this because I'm using a virtual machine or because the host machine's GPU isn't good enough?
use your host machine. not a vm
if you are using hashcat from a virtual machine it's gonna be slow, because it doesn't use the GPU
- why using this --force ?
windows priv escalation module / kernel exploits: why is CVE-2021-1675 a kernel exploit? when i read about it, it is a Windows Print Spooler Remote Code Execution Vulnerability?
because it exploits the kernel, as simple as that
yo im new here, where can i ask about a machine?
If you have no access, read and follow #welcome
It uses the windows spooler service to exploit the kernel
wait, they take away the tutoring service on academy now ?
it's been replaced by step-by-step solutions
im doing C2 with sliver module
and maybe the module still new
so there's nothing on the solution yet
Usually the walk-through for new modules is like a week after release
makes more sense now, i will wait until then
or you can just ask your question and maybe someone can help
Instead of waiting however long
¯\_(ツ)_/¯
module: "INTRO TO C2 OPERATIONS WITH SLIVER "
section: "Probing the Surface"
description: I created ||staged.txt|| and made a payload with msfvenom. But I might be doing something wrong when replacing the payload from ||staged.txt|| into ||sliver.aspx||, because i don't get any sessions returning
Ok thanks for that, used pwnbox and it all worked. When it comes to the exam, is it best to use pwnbox or a virtual machine? Or should i just use both to be prepared @dim wolf
Has anyone done the "Domain Reconnaissance" section in INTRO TO C2 OPERATIONS WITH SLIVER? I'm constantly getting errors like this when I try to run SharpView:
```
[*] Output:
[Get-DomainSearcher] search base: LDAP://DC=child,DC=htb,DC=local
[Get-DomainObject] Get-DomainComputer filter string: (objectClass=*)
An error occurred: 'System.Reflection.TargetInvocationException: Exception has been thrown by the target of an invocation. ---> System.DirectoryServices.DirectoryServicesCOMException: An operations error occurred.
at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
at System.DirectoryServices.DirectoryEntry.Bind()
at System.DirectoryServices.DirectoryEntry.get_AdsObject()
at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
at SharpView.PowerView.Get_DomainObject(Args_Get_DomainObject args)
--- End of inner exception stack trace ---
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at SharpView.Program.Run(String[] args)
at SharpView.Program.Main(String[] args)'
```
It's basically impossible for me to do the exercises. I have already switched to different VPNs, tried both UDP and TCP. RDP is also not working on that module: I can connect once, then I disconnect and then can't connect to it anymore. I even submitted a ticket to htb because machines were not spawning with EU VPNs, but they fixed that today.
If someone knows a fix or how to make the sliver connection better, let me know. My network is fully stable fiber with high speeds so it's not my internet, and this is the only module I have ever had issues like this with.
How exciting!
Not all questions award cubes
¯\_(ツ)_/¯
The sum total of cubes you get from the module will be 20% (or 100% for tier 0) of what you spent
Yea I think I read that somewhere before. Still, it's a funny pop-up
Can you run any other commands?
on skills assessment for web attacks, ive managed to reset the password for all users up to uid 100, but i seem to be stuck at this point
is it worth doing the basic toolset path before i start the cpts path just so i can start getting some ctfs under my belt
Ctfs won't help with cpts
https://academy.hackthebox.com/module/54/section/490 - i ran the recursive scan but i cannot find the admin folder, only blog and forum. i tried to spawn the target again, same results. Can anyone give a clue?
Yes, I think it's some kind of timeout problem but not 100% sure about that. For example this ran successfully:
```
sliver (http-beacon5) > execute-assembly /home/kali/SharpCollection/NetFramework_4.5_Any/SharpView.exe "ConvertTo-SID -Name websec" -t 240 -i -E -M
[*] Output:
S-1-5-21-2749819870-3967162335-1946002573-<SNIP>
```
You should have obtained the admin's creds if you reset all the user passwords up to user # 100
does the admin have their username set to admin
that’s not what i asked
DM me
I don't think it can hurt, most of that path is covered by the Pentester's path (CPTS path) already. The only modules not included in the Pentester's path that are in the Basic Toolset path are: Cracking Passwords with Hashcat and Intro to Network Traffic Analysis.
think i might do that then
i know ctfs won’t help with cpts, i just want to start doing ctfs because they’re fun
intro to network traffic analysis is covered in infosec foundations
yep yep
it's not part of the pentester's path though
i finished it already
infosec foundations is the prerequisite to pentester path
i just finished infosec foundations
I was able to complete just the pentester's path without doing any other path.
that’s cool but i still already finished infosec foundations
yes but it is highly recommended to do so for beginners
sure i agree but the question was specific to the pentester's path
the pentester path assumes you've completed infosec foundations anyway
```
SMB 10.129.205.234 445 WEB01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:WEB01) (domain:child.htb.local) (signing:False) (SMBv1:False)
SMB 10.129.205.234 445 WEB01 [-] Connection Error: The NETBIOS connection with the remote host timed out.
```
I had to run this 3 times before it worked, so I think there are definitely some problems with the machine and not with sliver. But the thing is that I have already restarted it 3 times 😄
add the argument '--smb-timeout 5' to your command
I use 240 second timeout with sliver and commands are still failing, except when the output is only one line
ok but you showed me cme, not sliver
for cme, add that argument and it probably won't time out
I was just testing where the problem might be
Hi
hashcat is not in the pentester path?
no :(
What is this server about
wdym what is this server about why did you join
i think when hashcat comes up they just kinda give you the command, but yeah agree hashcat is pretty crucial lol
My friend invited me
yeah i thought it was weird that hashcat isn’t included in cpts
It's lightly covered in Password Attacks
and you didn’t ask the person who invited you what the server is about?
No😅
Oooo ok
people confuse me
in "Getting Started" section in CPTS path, in bind shell section it says
"Note: we will start a listening connection on port '1234' on the remote host, with IP '0.0.0.0' so that we can connect to it from anywhere.".
can someone explain why no ip address is used in the reverse shell or bash command ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f"),
does it mean we can connect it from any IP address?
Generally yes
However since it's an isolated environment
You can only access it via the vpn connection
i see, thank you
erm why does my parrot say duplicate launchers
i cannot find the file with flag.
what am i missing
tried looking into all the shares
Well because you're not connected to the right share
Also as a note; each service has a different user
IPC$, C$ Are system shares
You need to connect to the actual share broadcasted
smbclient -L -U "user" //ip/
-L will list all shares
Once you know the share that's not a system/default it's just connecting to that
you're either in the wrong share or the user you're using doesn't have permissions to access it.
^
Could be that your password enumeration netted a false positive
Hence flags like -local-auth or --windows-auth are used in some instances
which module is that
and I prefer to use smbmap since it gives better output and cleaner info than smbclient
Password attacks
got it
crackmapexec stopped after getting 1st correct username and password
there were more users
Hi, i was just wondering, is there a way to reset your progress back to the start on HTB Academy? i have been away for a while and would like to start some of the material from the beginning. any help would be appreciated, thanks 🙂
you still use crackmapexec ? try netexec
Hello again. I have a problem with my ParrotOS VM. I use VirtualBox, and during the first installation I allocated 20 GB of space to this VM. I tried to update the OS with this command:
sudo apt update -y && sudo apt full-upgrade -y && sudo apt autoremove -y && sudo apt autoclean -y
but I get the error
insufficient space in /var/cache/apt/archive
I tried to allocate 20 more GB, but I still get the error
I followed the instruction in the module Setting up, section Linux
I used LVM during the installation of the OS
Any advice please ?
i had created a 40 GB Parrot OS VM when i started
when i finished CPTS, it was completely full
so i created a new one and gave it 80 GB of storage
that's overkill imo
on top of that you don't want to run a full upgrade before doing an update
you made a fresh vm instead of just increasing the partition size? 
skill issue
i needed a new one anyway
fair
it was already a year old and i couldn't update sh!t
Okay I will remember to add more space 
you'll need to extend the partition too, it's pretty easy with lvm
you can just increase the partition size
I don't know how to do that. I tried google but I'm lost. It's the first time I use a VM
hmmm
depends on your hypervisor
increase the disk space for your vm (google how), then increase the partition using lvm (also google how)
I already increased the disk space. I will do more search to increase the partition using lvm. Thanks !
i had to do the same thing when my game server ran out of space
at long last i am finally enrolled in CPTS
Just adding more HDD space doesn't automatically grow the OS's space. If you check the disk space with something like lsblk you'll probably see the space is unallocated, and you need to grow the disk to use the free partition. A tool like gparted will probably help.
Okay thanks I will look into that !
https://suwandaru.wordpress.com/2020/07/02/increase-disk-parrot-os/ may help, was my first Google hit.
Thanks !
you don't need to use gparted with lvm
True. But if they're struggling with expanding a disk it'll probably be easier for them to understand. 😄
afaik, its actually lvextend, not lvm though /shrug
well they said that they've configured the system to use lvm and gparted doesn't support directly managing the partition
https://askubuntu.com/questions/277399/how-to-unlock-partition-in-gparted/349677#349677
Well, hopefully they'll have the sense to snapshot before attempting to mess with the disk at all 😄
Otherwise... it'll be a learning experience \o/
or maybe the comment is wrong, either way just use the lvm commands directly lol
take a snapshot before you mess with the disks
Quick question for the Module "Footprinting" - Section "SMTP"
How do I increase the 'wait time' for pentestmonkey's smtp_user_enum perl script?
According to the help file, it should be '-t <seconds>', yet -t is already used to define the target IP - seems odd.
Setting -t twice (first for the IP, second for the wait time) does not seem to work, as I cannot get it to actually find the correct user name (which I already know and am explicitly searching for).
./smtp-user-enum.pl -M VRFY -u ||robin|| -t 10.129.233.90 -t 100
Any idea what I am doing wrong?
It used to be -w
-w is not working, sadly.
"Unknown option: w"
I could try to edit the script and change it to -w, maybe that'll work 😄
lol, I just noticed the -t is in there twice
You could try the ported Python script? https://github.com/cytopia/smtp-user-enum
please what’s the difference between remote port forwarding and a reverse shell.
From what I have gathered, local port forwarding is when traffic from an application/service attached to a port on my local machine is sent to that same application on the same port on another computer through a tunnel. While remote port forwarding allows applications outside your network to connect to an application running on a port within your network/computer
And is port forwarding only possible using ssh, I saw a YT video on how to set up port forwarding within a router. It sounds like remote port forwarding.
Port forwarding is simply forwarding ports from one device to another. For example, incoming traffic on port 80 to your home's connection may be forwarded to a computer you have on your network running a webserver on port 80. This is forwarding the port from your router to the computer. A reverse shell is a binary that connects to a remote server.
chatgpt can break this down more into more granular explanations if you need more details
Awww dammmmmn, they dropped a lmgtfy
Thanks for the suggestion 🙂
Turns out the SMTP server itself doesn't even recognize the user, which the module is looking for.
VRFY ||robin|| returns code 252 (user does not exist).
Not sure what's going on here, but I'll just shrug it off and continue I guess.
Well... the username was correct from my notes 😄
Yeah, it should be correct.
The IMAP / POP3 section also mentions it (which is where I got the answer in the first place) 😛
Feels like something is broken.
Is that file in that folder in your vm?
Are you sure your SecList is in that exact directory?
im using the integrated vm
what module and section is it
LOGIN BRUTE FORCING - login form attacks
If you can't find it, make use of the linux commands to find the file
sudo chmod 777 <filename>
sweet
Just chmod SecLists dir
As I believe it'll recursively chmod
okay
you only need 644 perms
Looks like it. I'd try a different VPN server see if that helps.
attacking common applications - skills assessment. unable to find an initial foothold. what i tried is using ghostcat but it failed too. i have website-backup though, unable to find anything in it. can anyone hint what i should be looking for in it?
easy one. trying to get initial foothold.
1
So you're stuck on q1?
Just to be sure. Do I need to install Python2.7 ? I've seen it reached end of life since 2020
Only if you have some python 2 scripts. I'd avoid it if you can help it.
yeah.
Okay. I just started so no I don't have script. Thanks
You're jumping ahead without doing the basics. Follow the standard methodology:
Recon <--- you are here
Enumerate/Scan
Gain Access <--- you're jumping to here
Priv Escalate
Cleanup/Cover Tracks
Report
Start with the basics, nmap. Find services that are hosted. Dig into them. Then go from there.
Some of the 2john scripts used to extract password hashes from files use python2.7
Python 2 is 😱
Oh okay. I will find a way to install python2.7 just in case. Too bad I can't install it with apt install. I will find a way
@fathom pendant do you know of some way to mount a VHD file in linux ?
parrot uses apt iirc, so should be able to install it with apt install python2, but definitely go with MarcieLee's suggestion of venv's. If you dont know them, learn them first before installing python.
There's plenty of links in this chat
Once you identify the filesystem on the vhd, you'll know what to look for
For password attacks? https://medium.com/@kartik.sharma522/mounting-bit-locker-encrypted-vhd-files-in-linux-4b3f543251f0
Accessing content from Windows BitLocker encrypted partition in a vhd file on Linux
Thanks I will look into that
yup lol
I was encouraging the use of discord's search feature
Since a lot of common questions can be likely answered by a quick search
I always use it lol just this time... I didn't quite understand a blog that was here so I asked lol
The blog is fairly straightforward
I didn't understand how to use dislocker and got an error with losetup
Just read
was not this one
¯\_(ツ)_/¯
Sowwy 😄
well have you tried with sudo? ¯\_(ツ)_/¯
yup
Most half-baked guides assume root
half-baked, haha
i wanna use a -P william.txt file on hydra
but it cant find the file and i cant either
LOGIN BRUTE FORCING - Service Authentication Brute forcing
am i meant to use the william.txt file for my -P flag
got it now
took me quite a bit to understand it lol
You create the file
Following the steps
Either in that section or a previous section
Its in the section right before: https://academy.hackthebox.com/module/57/section/512
In general this module walks you through creating the necessary files or how to for most of the module
And emphasizes using the flag that loops through users first
@proud pine i DM'd you if you don't mind!
Subdomains of subdomains
If it's listening, there's a port #
It doesn't want ipv6
It only wants ipv4 and not localhost btw
so port 80
Ph wait
There's port 80 and ftp
I forgot you were on the brute force one
wdym by chain? so i tried using the rockyou-10.txt file, didn't work
ah
Since it's only listening internally you can only access it internally
so hydra -l m.gates -P /opt/useful/SecLists/Passwords/Leaked-Databases/rockyou-10.txt ftp://94.237.57.173:80
wouldnt work
hi, really struggling with the end of module engagement on shells module
Docker containers are only accessible via one port
I managed to successfully exploit 1 machine
But they can be running stuff on localhost/loopback
If you're looking for creds: check desktop
but the machine with the address 172.16.1.11 I am getting stuck
thanks I got the creds
Blog?
I exploited the blog; on that machine i got a shell, no issue
it's the "first one"
running tomcat service
it's all about enumeration ¯\_(ツ)_/¯
I also investigated smb