#modules
is there a way to do that?>
You might want to try https://github.com/noraj/haiti to identify hashes, it's pretty good at identifying hashes and give you the JohnTheRipper and hashcat codes so you don't have to search them on internet
okay
If you look at the output when you capture the hash, you'll see it's specified there that it's an NTLMv2 hash.
thanks
don't use this, these are never reliable, either check hashcat examples or how you have acquired the hash is the best way to figure out the hash type
it's the first time it gave multiple types, quite bizarre. Looks like my fault for not supplying the complete hash
Isn't never reliable a bit much? I think haiti gives me the correct result >90% of the time, hash-identifier not so much though
I'm pretty sure Xre0uS was referring to hashid.
https://hashcat.net/wiki/doku.php?id=example_hashes
why use the tool when you can confirm them yourself
It's mostly to win time, especially since it gives you the JtR and hashcat codes. But yes before I was checking this page for hashcat
so for Q2, I am supposed to login as the other user to get flag fromflagdb right?
unable to login, or do I have to do it another way?
not sure about sqlcmd, try with mssqlclient from impacket with windows auth
||impacket-mssqlclient mssqlsvc@$IPTA -windows-auth||
oh
I don't understand why we need windows-auth, because the host mssql db is running on windows?
let's not just straight up give the answer yeah 🙂 especially when it contains the password
wdym by it will login as local account?
Yes maybe it was a bit much, but it doesn't contain the password (you get the password from cracking the netntlmv2 hash, and you still have to enter it after this command)
But yes yashfren the exercises at the end of the module will be harder so you'll probably have to work harder/take more time to understand the lessons I think
Earlier today someone told me that the -windows-auth option tells it to login as local account, so which is it?
The help for mssqlclient.py just states "whether or not to use windows authentication." I'm guessing this means when we don't specify it uses the SQL server login, whereas when we specify it uses Windows authentication (domain & non-domain joined)?
If I'm wrong, someone please correct me. Thanks 😅
https://github.com/fortra/impacket/blob/15eff8805116007cfb59332a64194a5b9c8bcf25/impacket/tds.py#L909
windows-auth uses NTLM/kerberos which allows local/domain login, without it it will use mssql account login, I was referring to the local mssql account oops
yeah this is correct
Thanks a lot for clarifying. Much appreciated.
I read somewhere on the forums that sqsh is outdated or something, that's why it doesn't work properly? So it's recommended to use mssqlclient.py. Thought I'd let you know.
Thanks, yes I saw that the version is 2.X and it's 3.X on the pwnbox, that makes sense. Apparently ParrotOS tends to have more up-to-date packages than kali
what am I doing wrong? Windows Priv escalation / Citrix Breakout
What version are you referring to?
The sqsh versions, 2.5.16.1 for kali and 3.0 for ParrotOS (currently)
Think of the Pivoting module, what are the limitations certain machines in X, Y and Z environment can have
my thought was also... how are my linux machine and the citrix machine connected...
can you give a bit more specific hint?
Hello amigos. I hope that everybody is OK and enjoying their challenges :D. I just started the module Server-Side attacks. I am on the first chapters and I am having difficulty in setting up the nginx server to work as an nginx reverse proxy. Would it be possible to request some assistance regarding this?
I have successfully installed docker, nginx and the AJP module. Have successfully connected nginx with the AJP module and have edited the nginx.conf file. Maybe my edit of the nginx.conf file is not correct, that's why I get this error or strange behaviour.
When I try to run
sudo nginx I get this message: 0.0.0.0:80 failed (98 Address already in use).
edit: I have never instructed nginx to connect to 0.0.0.0 - I am instructing it to connect to the IP of the target system.
Port 98 is already in use
So first stop the service running on this port or use another
How is it possible it asks for port 98? I never told it to go there. Is it automatic? I have asked it to connect to port 80 and check the target IP with the port given from the HTB website for the target.
Can you show me SS
I changed the port from 80 to 8080. When I try to curl 127.0.0.1:8080 I get 502 Bad Gateway and when I try to run nginx again I get these messages:
What's your nginx conf?
Were you able to figure out why?
Try mssqlclient.py directly instead?
Nginx conf incoming -
everything else is commented out except the last bracket } to close the http section
Looks fine to me. You stop then start nginx?
after logging in with the given credentials, I can't open the flagdb
Hint: you don't have the required privilege.
I get this behaviour when i try to stop and restart nginx
I thought so, and tried looking for additional data I can get in other DBs, but didn't find anything
any hint from here what to do?
Attempt to get the hash of the service account.
Instead of listen 8080, choose a different port
I went and changed to 8082 and now I got this running
In Active Directory Enumeration module (https://academy.hackthebox.com/module/143/section/1265) there is a very nice section on different set ups. I am however not able to understand what exactly is happening here in terms of network connections "A penetration testing distro (typically Linux) as a virtual machine in their internal infrastructure that calls back to a jump host we control over VPN, and we can SSH into." Does it mean that for example, the pen testing team has a VPN server such as OpenVPN that the Kali/ParrotOS vm from the customer's network is connecting to as VPN client?
yes, if it's an internal pentest you'd have a attack host that can reach the internal network
I did it for 127.0.0.1:8082 Now need to do it for the target system
That is the target system
isn't it the IP given at the bottom of the exercise?
You have nginx setup as a proxy with the target as the upstream. Hitting 8082 locally is hitting the 94.xxx
or i'm missing context and this is the module that has you proxy local
AHH
ok then yeah it's working as intended
and if the target upstream is apache then
nothing wrong ¯\_(ツ)_/¯
No way 😄
I see. When we launch nginx successfully it's like we are a proxy for the target IP we have put. Thus 127 goes to that target. OUAOU
I need advanced notes for this 😄
Maybe I misunderstood -- you said hitting 8082 locally will hit the 93. Meaning that we locally hit 8082, which is instructed to go fetch the info from 93, due to nginx? I thought that nginx was supposed to be a server but we are using it to connect to a server which has the AJP module (Apache Tomcat). I am a little confused lol
nginx can be used as a web server, or as a proxy.
In your conf you have the upstream setup for the server you want to access. In the server section you have ajp_pass telling nginx to use the tomcat's upstream config.
Anyone needs help with GIAC exam?
||answer wisely||
also GIAC has nothing to do with htb academy
Yes but got the certificate now learning from here and is Amazing how much you can learn
i need help with GIAC exam. please buy it for me
Also helping others that are actively taking the exam is a quick way to get your exam and the other person's exam revoked
Only hints my friend not taking for them or me
even hints for the exam can get your cert revoked you goon
sup everyone i need help on ADVANCED XSS AND CSRF EXPLOITATION-->CORS Misconfigurations
I have found the vuln page, but when I set the origin to the exploit server nothing seems to happen. I tried almost every exploit explained in this section, yet none of them worked
I'm glad for any help
What kind of hints do you need for the exam? Those are open book...
Guys, please how do I learn web hacking for bug bounty hunting?
Ever since I started my hacking career, I have just been learning stuff that hasn't been making me money or anything. I'm starting to need money more, and the more I need money, the more I'm tempted to let go of hacking and find something else to pay my bills. Any ideas???
Ask in #careers-and-certs
bug bounty isn't a reliable income source
what specifically to look at on a target
I would assume that those are randomly picked from a pool (at least that's the case for the blue team practical labs).
Did not really take him seriously since only the GIAC exam was mentioned like there are not hundreds 😅
I don't have access...
Then what exactly is because it feels like I might just keep learning everyday without benefiting from it...
I still don't have access...
Hey everyone, I am stuck at wordpress enumeration, I am able to upload an image file but the reverse-shell is not working. Is there anything else I should be looking for?
did you actually follow the steps from #welcome
Thanks Man
Hey, is there someone who can help me with the footprinting SMTP module? I am kind of stuck, I found the user but can't seem to find the flag
I may be able to help you. I just finished that section of the module.
i will dm you
Hello, could anyone give me a hand with the Linux privilege escalation... I've been stuck for a while in the logrotate module...
Here is a screenshot... somehow it keeps rotating
Hello, I have been doing Linux Fundamentals. In System Information part there are these 2 questions:
- What is the path to the htb-student's mail?
- Which shell is specified for the htb-student user?
I managed to get an SSH connection and did other tasks but I could not manage to answer these 2 tasks. Can someone explain these tasks to me?
if u managed to ssh into the user
u can run echo $SHELL to see the shell
someone done the windows evasion module? I would have a question at the section Static Analysis, if I could send the C# code and ask a question. PM?
Why is this under the title anonymous authentication? This is the Attacking Common Network Services module in the Attacking SMB section
because if u dont know user and pass u can still connect to it as anonymous
so guest is called anonymous as in the one with no pass or username
Yeah but this doesn't have anything to do with anonymous login since it works with credentials or without kinda. that's all that's written under the anonymous login title
and for the mail part search google on what mail path works on linux
so anonymous means without creds
it says u will be anonymous by default
unless u find creds
moreover smbclient into it, u will understand
and if u think this is confusing feel free to make a #1234357888114364508
I mean its not that big of a deal
same
There's a bunch of obviously misplaced stuff there that has a higher priority
u know what to do mate
Thanks so much for help
Hi everyone, I was doing the "Firewall and IDS/IPS evasion - Easy Lab" in the network enumeration with nmap, the task is basically to determine OS of the system.
I spawned the target and entered the following command to remain quiet, determine whether a firewall is stateful, and to differentiate between filtered and unfiltered ports.
sudo nmap 10.129.189.79 -p- -sA -Pn -n --disable-arp-ping --packet-trace --min-rate 1000
but the issue is, it's not showing me any ports at all... if I don't know what the ports are, how will I move forward?
Please let me know if I have missed something or if there is an issue with my concepts.
Does it not say right there that it found 970 filtered ports?
or am I misunderstanding that
Damn I actually did not focus on that line, my bad, but with only this info how will I know which port no. I should target to determine OS....
It's a bit easy to miss so I don't blame you
I mean do you need specific port numbers to determine OS version?
somebody good a C#?
I'm alright at C#
I personally thought it would give me some sort of list like in this example
hmmm I dont know what to say 🥲
Well perhaps you need to be more evaise
evasive
try going back and reading previous sections a bit to see if you find some ideas there
alright I'll check it out again
can i dm you something?
You can send it here
the code is a shellcode loader written in C#, which uses common WinAPI functions to execute meterpreter/reverse_http shellcode. I did set up the http reverse handler and executed the code. I should obtain a meterpreter session, but the console just closes and no meterpreter session...
dump?
mb but still wrong lol
sudo tcpdump -n -v -X -c 100
already tried, here is the hint but its what we just did
Not sure why your answer is wrong then
as in change order
no nvXc is correct
i see
i need to respect the order of the question
remove sudo maybe?
already did but still not good
what module
INTRO TO NETWORK TRAFFIC ANALYSIS
tried to search on the web but there is nothing on the forums
I know I also believe that its the right one but visible not the correct order or something
"what are the switches used"
so the answer should be the switches
delete that shit bruh
and this
and this
and this
so mean 😦
can't be spoiling content
mb
good job
hi guys
I need help with this question (Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.) I created a mutated password list using this command ( hashcat --force password.list -r custom.rule --stdout | sort -u > mutationPassword.list ) and then tried to brute force SSH using metasploit, crackmapexec and hydra, each tool for at least 10 min, and I couldn't get anything! Any help?
its password cracking module btw
SSH is painfully slow. You should almost never attack it. There is another service open: FTP. It's using the same accounts.
I did what you said and brute forced the FTP using hydra, it's past 10 min rn and got nothing + tried to brute force with crackmapexec but it runs so fast and gives me a logging error then stops for some reason
Cme would be slower than hydra. Did you try adding -t 48 to your hydra command?
No i didnt
[STATUS] 251.20 tries/min, 3768 tries in 00:15h, 90276 to do in 05:60h, 16 active ) Should I stop the scan and add the -t 48 to it?
Iirc default is 4 threads, so yeah?
I am about to pull my hair out. I am working on SQL injection fundamentals and I am stuck on "writing files". It seems I was able to inject the webshell, but when I try and navigate to the page I created I just get a blank screen. What am I missing?
You putting the file in the correct path?
Oh I guess if white page prolly is correct
Basic webshells aren't fully interactive
I'll keep trying. I have read the module 5 times now and there is nothing that explains the leap in logic. I followed the module fine, but I can't get anything other than a blank screen. I feel like they are expecting some extra knowledge that I just don't have.
Likely knowledge picked up in the shells and payloads module
What does the php file look like
I am not able to ssh to 172.16.5.225 from ms01
Try switching to EU vpn and trying again
k
The US ones have been shaky on that module
this is the entire injection that the module says to use.
cn' union select "",'<?php system($_REQUEST[0]); ?>', "", "" into outfile '/var/www/html/shell.php'-- -
you mean after I input this in the vulnerable field and go back to navigate to : http://SERVER_IP:PORT/shell.php?0=id.... thats what the module suggested
oh i see
ok
😉
@fathom pendant how much cpts completed?
it is confusing because even using ?0=id it should show something other than a blank screen
Like 60% been busy
Then you likely did something wrong
but u completed AD i think
Yes, a while back
well damn.... I don't know what I could be doing wrong
Restart the target and try again
I have, 5 times now. When I inject the code it responds as the module says it should for a successful injection, but navigating to it just shows a white page.
yep... just a white screen again. I don't get it. I even broke down and read a spoiler. Everything I input is correct. Still nothing
I tried reading the page source thinking maybe the info is not displayed... nothing
Check page source
i did
its a zero. still nothing
this is demoralizing. I felt bad breaking down and reading a spoiler and it didn't even matter. I still can't get the damn answer
I'm not cut out for this
i tried both
Replace it with "cmd"
And see if you can pop it that way
By it I mean your into outfile command
just a blank white screen
Also are you using enough spacers
i tried so many different combinations
Replace the "" with numbers
tried it
weird if you're getting nothing ¯\_(ツ)_/¯
I have been stuck on this for 7 hours now.
if I have to just take the answer from the spoiler to move on then I am clearly not cut out for this. I think I am putting this down for a while. I will subscribe again when I feel like I know what I am doing. This is pointless
This is a sign to take a break
Come back after a bit
And checking the guide is fine if you're 100% sure you're doing it right
how can I be sure of that though. I am doing exactly what the spoiler says and still can't get the result.
There's times where I try to take a simpler approach, just write a file that says "hi mom" for basic sanity check, also walking away for an hour or day helps too.
Are you ending your injection with -- -
yes. the ending is the two dashes followed by a space
Are you using the htb-student password?
HTB_@cademy_stdnt!
Copy/pasted?
yes
From the section that gives creds on it?
I forget if that host has a diff password
Are you doing ctrl-v?
tried both ctrl-v and right click
doing that was part of the module. I had no problem until the end. I created a .txt file no problem
vpn was not the issue
Did you try a blank copy/paste into the terminal to see if it's on the clipboard
its working
It's been a long while since I've done the module.
but not ssh
Weird
A lot of stuff uses the internal linux host
maybe it's a common mistake I can't see, but I will try later, rn I can't see that mistake
I'll spin this up in a bit and see
by all accounts the result I am getting should not happen. I just don't get it
this module was going so well too. I was starting to feel like I understood.
I can't at the moment but some time later today or tomorrow (depending upon timezones) I can chat with you if you'd like. See if we can get it resolved.
right on. I appreciate that. I just input the answer from the spoiler because I am 90% sure I was doing things correctly, but I would love to chat and see if we can figure it out. No rush at all and I appreciate you.
Kk, I'll let you know when I'm available.
Typing it out worked fine for me, and doing the right-click paste worked
Weird ctrl-v doesn't
Oh
Thx
Did you type this out in the search or copy/paste
Because I just did it with no issues
i typed it and copy and paste
Note if you tried typing, then tried the copy/paste, you'll have to change the filename at the end
For instance if you already have a shell.php, shell2.php
I must have typed it wrong once and then tried again in the same instance. I can now get the expected response to ?0=id. I just need to solve the problem now. I at least have something happening
Yep just use other *nix commands to find it
@jolly cradle hi
Hello
took me a while to figure out how to cat the file, but I got it...... thank you so much for the help.
I finally figured it out.
Gg
Any time i have an RDP session on a windows target, i will open Notepad. Then copy paste into notepad, then copy paste from notepad into cmd/powershell/whatever
Hey everyone, I'm stuck at the footprinting (DNS) module on the question:
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
I've tried all subdomain lists in SecLists
plus zone transfers as well
Also used DNSenum
Did you do a zone transfer to the base domain to get a basic list of subdomains you can start with
dnsenum isn't limited to just example.com
It could bruteforce hacked.example.com and give a result such as
got.hacked.example.com
Is anyone available to talk about the Footprinting > MSSQL questions? I am having a heck of a time connecting to the MSSQL service with the given credentials with mssqlclient.py, nmap's mssql scripts and even sqsh.
oop... ok... got it maybe?
yup, nvm. Got it. The instance is being glitchy. 😒
Having trouble spawning machines in both eu and us regions..
Been trying for 30 mins. Can't spawn anything anywhere!
Nice
Yes I’ve tried
I got basic list
Internal, dev, app, mail1, ns
Applied zone transfer with all these
can anyone explain
why this payload is working
" II true II ""=="
and not this
" || ""=="
That’s done now. Thanks
You need to provide more detail like which module and section, the rest of the payload. Wrapping code in back ticks will make it easier to read.
`.... || true || ""==" ....`
Nosql Injection
server side javascript injection
Does any one know why this doesn't work?
I'm studying the module footprinting, currently in the section IPMI. I want to get the password hash for the admin using metasploit (ipmi_dumphashes aux). Now, when I use metasploit's default ipmi_password it gives me the hash but not the cleartext password; when I change the pass_file to the rockyou list it takes about 5m and then kills the whole process, where metasploit prints "Killed" and crashes.
I used rockyou with hashcat and it worked.
Also I don't think it's a problem with my machine, the same thing happened with the Pwnbox.
hi
in the easy lab of attacking common services, how to use curl for getting a shell? I tried the way from docs.txt which I downloaded from FTP. I found the flag with mysql, but want to learn the second method.
anyone?
but curl is mentioned in docs.txt and the cmd from exploit-db is not writing the test.php file
you will never get the cleartext password. you have to crack it with hashcat or with other tools
I am stuck on NoSQL skill assessment II
can anyone help me?
You just upload a php file with a php function that will execute system code on the target, instead of a txt file, eg
<?php echo '<br><pre>' . shell_exec($_GET['cmd']) . '</pre><br>'; ?>
then
file.php?cmd=<your command>
will try thank you
why can't I chat in general
I read that I can get a cleartext if I change the pass_file in metasploit, looks like that person was mistaken.
Thanks
hmm maybe
ok
windows privilege escalation / Interacting with Users, I have a question about the screenshot. The script, what do I have to save it as, a ps1 file? On my linux machine?
How do I resolve this when RDP'ing into WS001 in module "Windows Attack and Defense"? I've respawned the VMs and waited 20+ minutes multiple times, with still no luck RDP'ing in as bob:
I believe that machine has a weird bug. Respawn it until it lets you log in. It took me 2-4 times respawning as I recall. This is also mentioned as a solution on the forum.
Ahh... unbelievable. But ok, thanks
Yeah it's a weird one.
Yeah, it worked now. I literally have been at this for hours and it worked on the 5th or 6th respawn. Frustrating
The labs can be frustrating at times especially from a latency perspective but I have grown more to appreciate how well they pair the learning material with seriously testing our comprehension. They really always go the extra mile to grind your comprehension. I guess a little latency and jankyness can be forgiven considering.
Hey! Could someone help me please? I'm having a hard time with that nmap exercise:
Thanks! Yeah, that's a good perspective
There is a script you need to use with your scan. If you've done it right the output of the nmap will contain the flag.
The script in question is discussed in the module's content. If you don't know what you need to do you need to re-read it.
Got it, I confused 2 arguments, thank you
No problem 🙂
Reset it
who has your laptop
??
What
sercret
ok well you're never going to know
like put in admin's password
this is also wrong channel
RLLY????????
SORRY
Ask whoever is “controlling” your laptop
My brain hurts when I see these posts
seems pretty illegal to me so i'm not gonna help you
Maybe someone set parental lock 😂
How to get access to the off htb off-topic channel
welcome @analog dock
Anybody has a clue why bloodhound doesn't want my ingest?
Been trying for hours now with netexec bloodhound ingestor, bloodhound.py, sharphound exe,sharphound ps, v1, v2
I am running Bloodhound CE through Docker Desktop on a windows machine but it has worked before. So I am really confused
windows priv escalation / interacting with users, shouldn't I be able to save the .scf file within the department shares?
Can this guy get banned how useless are those responses? talking about @night bear
What module are you doing, what command have you tried etc
Right now your question is as bad as his response
Firewall and IDS/IPS Evasion. Find OS name. Can't find it. I tried: -D RND:5, -S 10.129.2.200 -e tun0, --source-port 53
The hint says neighbouring sub is blocked.
All the different version of "-c All"
What module
0x56 you an offsec neutron, also working here now?
AEN
I’m not an offsec neutron, and I’m not working here
I do not
keep it up lmaooo
I’m a community companion there, I do not work there
so go there
What’s your problem lmao
advising people that only pen100 and pen200 is sufficient to pass the oscp whilst you study the cpts lmaooo
Wtf are you talking about
I literally recommend everyone there to do the cpts path before starting oscp, just like I did
Maybe keep it on topic ?
thats illegal and you can lose your job for that
false advertising
you guys are sooooo dumb its unbelievable
The only dumb one here is you
Agreed
chill
I have no fucking clue why you’re even coming at me out of the blue
I don’t even know you
where's your oscp smart guy 
Could I get some help with the verify bot? I deleted my old verified discord
now you know who i am
workin on it loser
Oh dear fucking lord, not you again
oh yes
Well my bloodhound is working I think saying the fix spoils part of AEN so if you want to know DM me
Ban evading?
quit yapping and go study then
lolll
He has learn unlimited, instead of using the resources he got he prefers to act smart to others while failing his exams
And is extremely arrogant
Anyways I’m glad you got it sorted
Well even if he gets his OSCP any normal job opportunity will see right through him and not hire
Probably has wasted half his sub already, if not more 😂
if only there are other courses that can help 
could I get some advice pls?
Sure after the way you act all the time I’m so happy to help you
He tried to add me xD
Yes cuz you have to send a friend request
?
I don't know you, I know people that behave like you.
I would recommend an adjustment in behavior, especially since you’re in need of help so often. There’s many smart people here and in the offsec server, but if you continue to behave in a toxic manner no one will want to help you
Ahh I see what Offsec is doing. All the students that failed the OSCP recently have gone to the CPTS. And to make it appear there are some overlaps between the two companies, so as not to lose customers, they send the same employees to the competition.
I will contact HTB about this and ask if this is acceptable, messing up customers from a different platform.
is it acceptable to be attacked when asking a question by the competition in the chat of the course where I pay for?
I can see that you attacked him after he asked the module you are working on
I have issues with this shill from offsec and they try to bring it here
Worse, I wasn’t even asking him what module he was working on, just got attacked out of the blue
I do not prefer to be helped by offsec employees at htb
Nor am I an employee for offsec
Move on @fading spoke , and don't bring arguments/fights from other servers
Nor am I a shill
agreed, if you can guarantee this person will leave me alone
If anything I’m a shill for cpts, as I recommend everyone to take cpts before starting oscp
You’re the one attacking me???? I didn’t even know this was you
Take the timeout as a break for you to cool off
0x56 leave him alone and don't bother
Will do👍🏼
Yo
I don't want to be helped by Capricorns.
Get CBBH from HTB Academy and do some CTFs!
watch some nahamsec/xssrat and stuff!
why?
Hey guys, I was redoing the "AD Enumeration & Attacks - Skills Assessment Part I". On questions 5 and 6 I was able to get the answers using crackmapexec with the --lsa flag. However, I remembered the first time I did this, I achieved the same results using mimikatz on an RDP session in MS01. But I couldn't for the life of me recreate the result using mimikatz. I used lsadump::secrets and found the cleartext password, but the output does not explicitly tie it to the tp**** user. Does anybody know how I can solve this just using mimikatz?
if anyone did the kerberos module Pass-the-Ticket section, can someone tell why am I not getting the ticket while dumping the luid?
.\Rubeus.exe dump /luid:<0xdeadbeef> /service:krbtgt /nowrap ?
it's supposed to print out the ticket, but rather it just imports it to the current session, I can see it when I am checking with the klist command
my bad, appears it's not even importing to klist...
iirc /ptt
to add it to the klist
no, that should not be the case. In fact, I don't need to just import it to klist, it's just confirmation that I imported the ticket. I need to renew it anyway, so it has to display the ticket
I just checked my notes, the command is correct, just make sure the luid is correct
try triage again
only 2, and none of it is working
I guess the lab is broken
weird should dump the ticket
yeah, maybe I might report it somehow to the support, is there any ticket that I can raise?
message support if it seems like a technical error
if you can get it some other way then #1234357888114364508
try reset the target first
btw, let me try to change the vpn, maybe that will help)
just re-spawn it
did it few times already
just for check try to dump other user TGT
so there's problem in the previous ticket
¯\_(ツ)_/¯
I will stop it right here, will check it later or tomorrow have some work to do, thanks for the help!
as has been stated a bunch of times
AEN is done blind; as the module itself is the walkthrough
if you're truly stuck, then keep trying
most use AEN as a practice exam
also FAIL parameters are tricky
you want to use something unique to the body, as stated in the brute forcing module
perhaps inspecting the actual login form itself using browser tools will help
Hi All
is qwinsta.exe removed from Win11 ? for some reason I am not able to find it in C:\windows\System32
what module does this relate to?
doing a quick google
sorry I missed that,
its AD Enum and Attacks,
afaik none of the hosts are windows 11
thanks @fathom pendant , I thought it was something stupid, I did the google but missed this part,
again you're already revealing a lot for what you're on
as stated AEN is done blind by many
so even posting your hydra command spoils it for many
and no, spoiler text doesn't do anything
people can just as easily click it
well if you tried with hydra and you failed to, then make an assumption on your own
:) if you already checked and the method used was manual, move on
Module: Attacking Common Services
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
I'll be honest, I'm completely lost when it comes to DNS. I understand what the queries are but don't know how to use them properly.
I've managed to solve DNS in the modules before, it's just that I've forgotten. I tried going back but... it didn't help.
If someone could point me in the right direction to start with I'd greatly appreciate it.
I know I have to add the target IP address and the domain inlanefreight.htb to the /etc/hosts file but just don't get why.
when you visit a website, like google.com, you're not really going to a website. you're going to an IP address. your computer will reach out to a DNS server to resolve the hostname and turn it into an IP address for you. the reason you need to add the hostname and associate the IP in your hosts file is because it's a private network and the public DNS servers your computer calls to won't know what it resolves to because it's not on the internet.
Sorry, and thanks a lot, but before y'all continue, I get how DNS works. I completely understand all the theory behind it.
It's the practical aspect I'm struggling with.
i think supernuts explained it well, what are you struggling with?
I also understand the purpose of the /etc/hosts file.
Well, in the question they've given me the IP address, which I'm told is the DNS Server? And I've been given a domain.
Let's assume they didn't give me the domain though, is there a way to obtain it?
Would it be using this command?
`nslookup -query=PTR <ip_addr>`
if its not public, i think not
thats why you need to add it yourself to the /etc/hosts file
so your /etc/host file is the dns
i think
But why? Don't I have to query for inlanefreight.htb on the target DNS server?
So wouldn't the command be:
`dig any inlanefreight.htb @<target_ip>`
I know this is wrong cuz I ain't getting any output.
when you use dig, the @ indicates that's what it will use as the nameserver
dig any inlanefreight.htb (the host you want to dig) @<name server>
The host I want to dig?? I thought there were only two params: the nameserver and the thing you want to query, which in this case would be inlanefreight.htb
This part, how to use the dig command is confusing me. Is the target IP given to me the nameserver?
you could simply dig any inlanefreight.htb, because that's a private address your DNS server won't resolve it. That's where the @<name server> comes in, that tells dig to use a specific name server, ie. the nameserver on the private network
correct
In that case, why doesn't the command from this earlier message return any records?
i mean i don't know for that particular module, but for the modules that call for you to use @<ip of the vm you spawn on htb> then yeah it's probably a nameserver
Nvm, I'm so sorry, it does, I missed the @
From what i remember dig needs the @ and nslookup doesn't
Alright, the only thing I don't understand now is why I need to add the target IP to the /etc/hosts file?
you don't
only to being able to resolve it by name
Also, when I ran the command, I got this output. The IP addr for ns.inlanefreight.com says it's 127.0.0.1, so it's the localhost, as in the target IP or my attack host?
Yeah, I understood, so since the A record points to the localhost IP, it's referring to the server itself? So the target IP in this case aka the nameserver?
i'm not sure what you mean by target ip. it's the address record of the host displayed in your picture, ns.inlanefreight.htb
By target IP I'm referring to this IP
i believe that IP acts as inlanefreight.htb and is also ns.inlanefreight.htb, so yes
What I'm asking is if 127.0.0.1 here means my attack host or the nameserver.
Oh ok
The hint tells me to use subbrute, so I need to add inlanefreight.htb to the hosts file for that, right?
hashcat should work. you do not need to use the mask given by the module, but the mode is correct
127.0.0.1 is relative to the record
nope
So this?
just specify the ip in the resolvers.txt file
Resolvers.txt file?
I actually downloaded the binary for it.
didn't realize it had a binary
I wasn't able to install it properly on the pwnbox using the cli.
?
Got it under releases on GitHub.
it's just git clone --> cd to subbrute --> run tool from there
I couldn't find the file when I downloaded the repo
In which dir is it?
Oh damn, my bad.
Sry, brain dead already.
there's even a direct link in the module/section
So I just add the same records I added in the host file to the resolvers?
nope
The resolvers.txt file seems to be filled with IP addresses? There doesn't seem to be any domains in there.
Alrighty, but why does the example in the section show them appending a domain name to the file?
the example is using a .com domain
Ahh, it's appending the dns server my bad.
so it has a public name server
so it can use the fqdn with no issues
also it's not appending
it's just basically rewriting the .txt to only have that in it
> replace
>> append
So once I get the subdomains I just perform an axfr query on them to find the flag?
Btw do you have any idea how the subbrute script is able to find these subdomains?
it's likely just bruteforcing the names and returning the positive results
You sure about that cuz the section says it can be used on hosts that don't have access to the internet?
i mean you can likely just `for name in $(cat names.txt); do dig axfr $name.inlanefreight.htb @ip; done`
Maybe cuz it only uses the dns server on the lan.
and it's not using the internet
So it's only using the local dns server?
well more specifically
it's using the servers you specify in resolvers.txt
it's likely running a handful of for loops
unsure if it does for x in names.txt and for y in resolvers or the reverse
¯\_(ツ)_/¯
Hey i am stuck at footprinting the service IPMI at the last question 'What is the account's cleartext password?'
i have found the hash, made a txt but couldn't get the pw with the metasploit console and hashcat, can someone give me a nudge?
Any idea how long this script takes to run?
it can take a few minutes
Do I just perform axfr queries while waiting for more results?
i gave you a nudge earlier
yep just try any results you get while you wait
iirc the names.txt is like 100k words long
so if you're waiting for it to finish...
hashcat should work
Also, correct me if I'm wrong, hopefully I've finally got this DNS thing down but the command will be:
||
dig axfr <subdomain>.inlanefreight.htb @<nameserver_ip>
||
that is correct
since you have it in your /etc/hosts you can also do @ns.inlanefreight.htb
¯\_(ツ)_/¯
Ahh okay, nice. I think I finally get the whole command syntax thing.
i do not see anything 😮
i have been trying, no success :/
I was just over-complicating things in my head 🤦♂️
well you deleted your previous question
what is your hashcat command, i likely know what you're doing wrong
you're likely adding the mask (which isn't correct for this scenario)
the metasploit module uses a small wordlist to try and crack the pw; if not it will output the hash as username:hash
the mask given is only for very specific scenarios that the exercise doesn't fall under
you can use the given wordlist i believe for this, or rockyou
`hashcat -m 100 hash.txt /usr/share/wordlists/rockyou.txt`
in the hash.txt i put the hash2 after the admin(hash1):(hash2)
wrong mode
i have tried 0 and 5300 too
those are also wrong modes
😦
it's the same mode as the mask one
as it's IPMI
just using a wordlist instead of a mask
idk where you got 0, 5300, or 100 from lmao
i went to the htb forums
well those people were wrong
do a search here for IPMI
now go crack it
first place to look when unsure is RTFM
and thank goodness hashcat has a whole list
I believe you can just do hashcat hash.txt and it tries to auto identify it
also 0 and 5300 are both MD5 related
Hey I'm in the WORKING WITH IDS/IPS room, Suricata Rule Development Part 1 page
What is the minimum offset value that can be set to trigger an alert?
I searched for the first content and I found that it is at offset 0x500, but when I submitted that value it didn't work, even though it generates a log (I found the correct answer to the question but I don't understand why). Can someone help me with that?
is it expecting 0x<hex> or just the <hex>
it takes both
is it higher or lower than you expect
when i use 7300 i get "separator unmatched, no hashes loaded", but with 100 i get exhausted
it was way lower than 0x500
did you do admin:hash in your hash
and did you test with that offset?
yup
¯\_(ツ)_/¯
bought the oscp 2 days ago but it starts in july instead. Just started on the attacking common applications module. 🤣 a bit worried about passing oscp 🤣
OSCP is cake comparatively
the biggest thing is avoiding msfconsole modules if you wanna prep for OSCP as well
Anyone knows how does OSCP AD exam compare with htb AD module skills assessment?
i may do oscp for the resume cred tbh
Is it easier or harder?
i've heard it's fairly simple
but the exacts can't be discussed, obviously
like that's the only reason i see forking up 1650
Just for the cert 🤣😂 but knowledge wise is still CPTS ftw
thats what im saying
id only do it for the resume bufff
then never again lmao
I got the urge to do oscp immediately after completing windows privilege escalation WITHOUT doing any boxes beforehand🤣 but it is a huge gamble
GOAD?
i just finished Goad-Lite and gonna do the full next then the nHA
its an AD lab that, when i did the LITE edition, was kinda based off the CPTS course
i used the hash identifier complete with admin:hash1:hash2
gave me a not found
with just hash2 i got that its sha1
there was ALOT that i found from cpts course
weird
there shouldn't be a hash1:hash2 from what i recall
just username:hash
(the example hash the first hash is the username)
It’s easy after cpts path
is it ? sorry :/
and yes i did that
but i'd delete the hash you posted
i deleted the message
yeah considering it's part of the module and reveals information
but anyway
i literally just did this
`hashcat -m 7300 ipmi.txt /usr/share/wordlists/rockyou.txt` - my hash had the username: removed
you copied the whole thing yeah?
i was mistaken when i didn't see the other : for the pw
aaaahh
i finally got it thank you so much!
i was so stuck not copying the whole thing because the identifier did not give me anything
yeah the identifier can be hit or miss
especially if there's no specific signature like $b5$<hash>
i'm having a problem on Citrix Breakout (Windows priv esc)
i can't download the default desktop after logging in to the site for rdp
it keep saying " An error occurred while making the requested connection. " when i click the default desktop
i tried this, but it says permission denied
`sudo fdisk -l` then
`lsblk` is the right one since `fdisk -l` says permission denied, ty
permission denied = try with sudo
how can I make that green bubble pop up, I don't have any extension that blocks it
ad-block
if you have a dns adblock like a pi-hole then it could block it
for w/e reason adblocks don't like intercom
no, I don't have any installed extensions except vpn (and I have not enabled it)
the issue I was talking about earlier still remains, so I wanted to let them know
just email them then
might be, but I don't think that chrome blocks it
try going to it in incognito mode and see
Hello anyone for a question about dacls attacks 2 skill assessments ?
Just ask your question as long as it doesn't spoil it
If it might spoil, redact usernames with first initial* i.e. f*
Guys, i need some help. in footprinting IMAP/POP3 i am connecting to imap using openssl and then i am trying to list all the directories using the `LIST "" *`, i tried multiple approaches but nothing seems to be working, i always get "Error in IMAP command received by server"
`A1 LIST "" *`
`A1 BAD Error in IMAP command received by server.`
A1 List "" * iirc is the command
spacing is important
also it's backticks/grave to mark code
`like this`
`A1 List "" *`
`A1 BAD Error in IMAP command received by server.`
i still get the following result
What does this attack have to do with time...?
i am trying to login but i get Authentication failed, i tried with user:pass, username:password, user:p4ssw0rd and nothing
brother the syntax
`A1 LOGIN user pass` this is how i am trying to login
and you're given a username and password to boot
A1 Login <username here> <password here>
read the last paragraph of the section, it gives you a user:pass to login with
Looking for help on sherlock ultimatum stack without a clue
wrong channel; #sherlocks; read and follow #welcome to access it
Unless I'm missing something, I think the LDAP service is broken on Attacking Enterprise Networks. I can't run SharpHound because it throws an error regarding LDAP authentication (despite the walkthrough doing so without issues). Also, I can't Kerberoast because NetExec also throws an error regarding LDAP.
Would really appreciate if someone could verify if they are also having these issues. I want to finish this module ASAP so I can take the exam
try changing VPN regions
Will do
that should be one of your first steps if you suspect issues
if changing VPN regions doesn't work, just reach out to support
it's literally their job to deal with technical issues
Will a student subscription unlock me all the Penetration Tester Job Role Path modules ?
Yes
Yes, it will unlock all tier 2 and below, the pentest job role path is at most tier 2
sounds good, that's the path that prepares you for CPTS right?
Correct
I need to finish it in a month
Best of luck? Hopefully you have already started it. I'm not personally aware of anyone completing it in less than three months. I think most take about half a year.
Huh? doesn't it say the following
That's 8 hours a day / not getting stuck anywhere
And you need to understand the material as well and not just rush through it
It does say that, but like I said I'm not aware of anyone completing it that quickly. You get stuck, you have a life, and grinding that hard can cause burn out.
People who complete it that quickly are already in the field, that timer is meant more for businesses not individuals
This is also dependent on you understanding the fundamentals
You can buy plat and gold and you get enough cubes to unlock all modules, or you have the student sub which is 8 per month. I haven't done any modules in a month or two and still don't feel like it's a waste of money. Life came in the way
I have no doubt there are people here that can and have, but for those it's a refresher not really learning material.
I am glad I asked here, thank you all for saving me from a bit of shock.
Comparing to other people's timelines is cringe anyway
Go at a pace that's comfortable to you
^
Some ppl have knowledge already in some areas and will have it much easier than someone with a fresh start.
And burnout can happen as well
Or life events rearranging priorities
Anyhow everyone is saying to set a realistic timeline for yourself. If you're completely new to the field there's a lot to learn, soak it in, don't speed run it. Keep yourself happy.
And I was thinking that I was going at a slow pace since there's no way I'm completing it in 43 days lol
Some modules that say 8 hours took me a week to complete since I went in depth into anything mentioned there
Unexpected issues happen, especially between keyboard and chair
Update: I'm getting timeouts when leveraging transfer tools with files above 10K.
Progress: Have SQL01 NTLM hash, but exhausted with xato and rockyou
May I have a nudge? I thought it could be a pivot issue, perhaps I also didn't enumerate the db, certutil certainly wants to work, and it hits the http server, but I'm missing something... very interesting
Change vpn regions?
hmmm i've not got to that module but i had a similar issue on another module and switching vpn locations helped
🙂
I have
I'm thinking about using ms01 to access sql01, but I'm wondering if that is the intended way
Otherwise, I'm about to hammer down on some offline cracking lmao
sigh
that is true
I've recently discovered that the end of module screen contains a list of machines recommended. I find some of the machines a bit "strange." for example end of footprinting module it suggests Sekhmet and a few other Insane machines
That doesn't seem to correspond with the content in the module.
or am i missing something
Because footprinting is the building block for all machines
Me moving to a diff country and not bringing my computer with me, so I have to do it on my phone till it arrives
Recommended just means the box in some form has something to do with what you learned, even if only a fraction
Anyone having issues with targets not spawning?
ah ok so not expected to "root" the machines
Well footprinting is gonna be used to get a foothold on many machines. And yea you usually can't get root with it since it gives the initial access to it. Maybe some easy machines have some root flags in SMTP or Samba etc but it's not common
ok thx
Some windows machine tends to take a while to spawn
Finally 💪🏽 
Almost at the end of SQLMap Essentials and I just have a side question: is it common for "modern" DBMSs to ship without the FILE privilege enabled on users? Am I understanding that correctly?
Generally it's default unless specified sorta thing
@fathom pendant so typically on by default or typically off by default?
That makes more sense from a security standpoint
of course
Sec standpoint and default standpoint often are misaligned
Default AD is insecure
@fathom pendant there's a certain section of the population that would argue that AD is the vulnerability.
I am wondering why the Windows Privesc needs around 12 times more time than the Linux Privesc?
More to do in Windows
Also not 12x
Just 4x
1 day in context is 8 hours
But as said previously, ignore the timers
true, takes me 4x of whatever they say. 3 months in and done barely 50% of a path that's supposed to take 1.5 months
You also have brain damage /s
Is anyone facing issues with connecting to the Internal machines on the Attacking Enterprise Networks module? There is a lot of delay in my case when accessing those webservers. I don't have any problems with proxies and stuff. I previously did the same module with no issues like this. I'm not doing anything different this time.
had the similar issue while working on Exploiting Web Vulnerabilities in Thick-Client Applications.
I was using tcp and I tried to use udp vpn. Still no luck.
might as well try different servers.
but I'm worried that it might increase the latency
It would be negligible
still no change. Can I DM you? I don't want to spoil the lab for others?
oh. No problem. Thank you.
im getting this error while doing the sudo 0-day section in linux priv esc:
`./sudo-hax-me-a-sandwich: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./sudo-hax-me-a-sandwich)`
i tried compiling on the target machine but it doesn't have gcc installed
does glibc 2.34 exist on the box?
Well you need to compile statically likely
how do i do that
Hello everyone, I keep getting this error when trying to run the smbclient command in the Introduction to Windows module.
`do_connect: Connection to 10.129.163.52 failed (Error NT_STATUS_IO_TIMEOUT)`
I made a connection when I xfreerdp'd to the windows host, and I created the new file and did the share they asked for and then it wanted me to use smbclient for a list, and that is when I get the above error message. I have been working on this for two days now. May I please get a little hint on what I might be doing wrong. Thank you in advance.
Timeout means it's taking too long to respond
What is your ping to the lab?
32 packets transmitted, 0 received, 100% packet loss, time 31421ms
Try 1) resetting target
2) changing VPN region
thank you I will try those thank you thank you thank you will let you know what happens
I reset the target and this now happened
```
ping 10.129.163.52
PING 10.129.163.52 (10.129.163.52) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=10 Destination Host Unreachable
From 10.10.14.1 icmp_seq=11 Destination Host Unreachable
From 10.10.14.1 icmp_seq=12 Destination Host Unreachable
From 10.10.14.1 icmp_seq=13 Destination Host Unreachable
From 10.10.14.1 icmp_seq=14 Destination Host Unreachable
From 10.10.14.1 icmp_seq=15 Destination Host Unreachable
From 10.10.14.1 icmp_seq=16 Destination Host Unreachable
^C
--- 10.129.163.52 ping statistics ---
17 packets transmitted, 0 received, +7 errors, 100% packet loss, time 16208ms
pipe 4
```
that worked, thanks
Eh that doesn't generally mean much tbqh
Try walking through the steps again
okay thank you
Since it's windows, it could just be blocking the pings
could be thank you
okay reset target and changed the VPN
walked back through the steps and coming up with the same error when I try to use the smbclient command
it lets me do the xfreerdp command and create the new folder and apply the share settings to the folder.
but then it will not let me do the smbclient command unless I am using the command wrong.
`smbclient -L 10.129.201.57 -U htb-student` is the command I am using
Hey, could someone help me understand output from this command? I struggle to get my head around AD section
```
PS C:\Tools> Get-ADDomainController -Filter *
ComputerObjectDN : CN=ACADEMY-EA-DC02,OU=Domain Controllers,DC=LOGISTICS,DC=INLANEFREIGHT,DC=LOCAL
DefaultPartition : DC=LOGISTICS,DC=INLANEFREIGHT,DC=LOCAL
Domain : LOGISTICS.INLANEFREIGHT.LOCAL
Enabled : True
Forest : INLANEFREIGHT.LOCAL
HostName : ACADEMY-EA-DC02.LOGISTICS.INLANEFREIGHT.LOCAL
```
I'm looking for a DC name and I got it in the "Domain" row but I don't know what are all those DC entries in "ComputerObjectDN" and "DefaultPartition". I mean I know those are AD objects but what is their purpose, why do they spell out the DC name section by section?
`smbclient -L //ip/ -U "user"`
Or `smbclient -L \\\\ip\\ -U "user"`
Update, xp_cmdshell has become nc powershell
Anything (file transfer) bigger than a set size (let's arbitrarily say 1k) hangs the connection, so now it's about grabbing the file whether into memory or copy... all PE files... are too big... or maybe I'm still misunderstanding something
Small progress and small win tbh which I'll take
Any ideas?
I had no issues downloading and running files
¯\_(ツ)_/¯
Though for sql01 admin you'll want to print something or maybe think about potatoes
Ye I'm like looking at file sizes for all of those xD
Beats me, but I press on no less
Should I just be extra extra patient perhaps? (Thinking about all those 30 mins I've sat around)
(Making humor)
for this one I get the same error
`do_connect: Connection to 10.129.201.57 failed (Error NT_STATUS_IO_TIMEOUT)`
I forget the timeout flag for smbclient
But change vpn regions and respawn the target
Hey guys, does someone know how to enroll in the "Information Security Foundations" path?? I tried to see in the path section, but I don't find it...
sorry for wasting your time if I would have continued to read instead of trying to make it work, I would have noticed that the windows firewall is blocking access due to me using Linux and it being on a different workgroup. 🤦♂️
If you click on paths then skill paths you will see it and can click on the enroll button
I am at module Password Attacks / Pass the Ticket on Linux / question 7: "Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio". I have obtained a valid ccache for julio, and used it according to the instructions in the module. But when I try to list julio's shared directory, I keep getting the error message:
```
gse_get_client_auth_token: gss_init_sec_context failed with Miscellaneous failure (see text): encryption type 0 not supported
gensec_spnego_client_negTokenInit_step: gse_krb5: creating NEG_TOKEN_INIT for cifs/dc01 failed (next[(null)]): NT_STATUS_LOGON_FAILURE
```
Could someone give me an idea what I am doing wrong?
what steps did you take?
I found the ccache files for julio in /tmp after getting root from svc_workstations.
there were two ccache files. from klist, one expired in 2022 and one expires in 2070 - same as svc_workstations one
I exported the valid one to the KBR5CCNAME variable and checked with klist - it succeeded and the principal is now julio
I tried to list julios share files using the smbclient command with kerberos authentication, no password,
I keep getting the same error
what exactly did you type in?
`smbclient //dc01/julio -k -c ls --no-pass`
what happens if you do it without the -c ls ?
don't know. will try
well darn. the pwnbox closed out while I was here. hang on a minute please, going to have to reconnect
S---T! the whole connection to the VM closed out.
Gotta love htb academy VPN
Really only an issue with the browser pwnbox
Yeah if pwnbox runs out of time it fully closes
Still had 68 minutes according to the timer
Eh the timer can "freeze up" on the page and not be accurate
At least for pwnbox
Also pwnbox timer and target timer are different
Anyway, I opened a new pwnbox and a new VM and I am logging in as svc_workstations --> root again
gotta get those reps in ;'D
this is why I use my own vm ¯\_(ツ)_/¯
command history and saving scripts is worth it alone
The problem is that with the VPN I am using - student - it freezes up constantly and takes forever. the real price of being too cheap to get premium
So pwnbox is less likely to freeze up on me
Paying doesn't change anything
The vpn regions are all the same regardless of subscription tier
The freezing is more likely due to misconfigured vm settings rather than vm
Unless you're in Asia/not close to vpn servers and have to use like the SG pwnbox
Nope. in USA
Then it's likely misconfigured vm
Ok, back in business. I am now back to being root and have exported the valid ccache to the KBRCCNAME variable
KRB5CCNAME
let me try gubarz's suggestion first and just use smbclient without the -c ls
Make sure it's the right variable
yes, that last was a typo. It is in the KRB5CCNAME variable
what does klist say
```
root@linux01:~# klist
Ticket cache: FILE:/root/krb5cc_647401106_kkpsKh
Default principal: julio@INLANEFREIGHT.HTB
Valid starting       Expires              Service principal
01/01/70 00:00:00    01/01/70 00:00:00    krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
```
that's not the right ticket
well, that would explain it. I thought that was the problem, but logging out and logging back in after a long while (a fix for getting the correct ticket to appear in /tmp found in the forums) only produced the two tickets I tried. This one has a valid ending date, but I see the starting date is also in 2070. did I say S--T already?
any suggestions for getting the right ticket to appear?
or is this a matter of searching for it in unlikely places that it would never appear in the real world?
you're looking in the right area, but you're looking for valid starting and expiring dates
@clear bison use the EU vpn
Nah it's an issue with the target spawn
The correct ticket in this instance is being spawned with an invalid date, defaulting to 0 epoch
Aka 01/01/1970
The properly invalid ticket is like 10/20/2022 or something
there are only two ccache files in /tmp for julio. I have tried both of them, and one is obviously expired. This one has a valid expire date but doesn't work. So what to do?
. This
Switch to EU vpn and reset your pwnbox and target
Not EU pwnbox
And yes it makes a difference
Even when using pwnbox
OK. Will do. I love repeating stuff. Lets me do it without thinking
But yes, you're looking in the right spot
"target is spawning"
and......"target is spawning"
using eu-academy1 VPN for target
Well, I am getting worse freezing with the eu VPN than I did with the US one. Can't even get the pwnbox instance to remain stable for more than 30 seconds or so before it terminates.
No wait, that doesn't make sense, the pwnbox isn't on the eu VPN. Sorry.
Switching the Pwnbox VPN to UK - shortest lag listed
Well, packing it in for the day. Now I can't even get the pwnbox to initiate. keep getting "Request validation failed"
Just have patience bro lmao, not everything is immediate validation
but I'm American! It has to be NOW! NOW! NOW!
of course it's a skill issue, don't pop an eye out
That's why I'm here. To learn skills. Try to remember in your distant past what it was like to be a padawan, master Obi-Wan
And you are very funny. Really, I'm not being sensitive, just trying to also tell a joke.
Always my go-to solution for many of life's frustrations. I'm glad we see eye to eye on that
Smoke a fat doink and take a nap
Doinks are denied me, da--it. Medical reasons. partly why I believe we are all already in hell, or at least me. So, whenever I can once again get to the target box, should I just keep logging in until I get the correct ccache to appear in /tmp?
Spin up box, wait a few minutes, connect, pray
The EU ones have been more reliable with it
you fill me with confidence and inspiration. I shall go forth and spin up boxes... uhm, whatever
Anyone have a moment to chat about the SQLMap Essentials final assessment?
Found a page that makes a POST request, I just wanted to verify that I'm on the right track.
Try and see
I'm getting some results, but it keeps coming back with [CRITICAL] all tested parameters do not appear to be injectable.
Sqlmap uses * as the injection point
@fathom pendant yep, got that in there. 🫤
🥲