#modules
guys i need help i can't deactivate a machine on hack the box
and i am vip, please help me, i can't delete this account
ping is not a reliable way to determine if the machine is online or not, try to port scan it and if the supposed port is closed then reset the target
If it’s still not working then contact support
you got it?
tried and still nothing. i even stopped it, switched vpn, and restarted it. and still nothing
using the pwnbox and it's working but annoying i can't get my own VM to connect... will figure it out another time lol
is there a malware development module coming in the future?
anyone know, for akagi64.exe in UACMe, how to know which number to use?
for example `.\Akagi64.exe 61 powershell.exe`. like how to know which number to use? where can i find out
Wow, finally finished that API key question
ohhh that's not the answer interesting
We continue on then
in the Footprinting easy lab in htb academy how did we get the username (based on the youtube videos on the walkthrough) on port 2121. I did an nmap scan and was not sure how to proceed, seen 2 videos and both log into ftp on port 2121 with the username ceil right after doing an nmap scan
@next bronze https://raw.githubusercontent.com/hfiref0x/UACME/master/README.md is this the list u r referring to?
where did they get that username from
the number which is the key
Hey guys did u notice the updated "Information Gathering - Web Edition" module ?
is it buggy or is it just for me?
oh wait, nvm it is indeed the key
yes
what do you mean by buggy?
What is not working?
it showed my old answers as correct (which makes no sense)
this isn't an integer ....
This is a known problem
that the old answers are considered correct?
The answers are not changed, but the questions are changed. Therefore the answer is no longer correct
also they were out there, all I need to do is submit ...
but if I want to do it now I can't ...
you can do the last question and you'll need most of the other ones to complete it
As far as I know, HTB is looking for a solution to be able to delete the answers, but you will no longer receive cubes when submitting new answers. You already got them the first time
not at all but i'll keep on trying i guess, the worst fucking part is that the labs are so buggy bro i swear the connection keeps on failing and stuff
Hey guys,
i have a question about mimikatz in evil-winrm. When I try to run anything, i get a lot of this:
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
mimikatz #
Anyone know, what this means and how i can use it properly?
don't use interactive mode
Sorry i'm not so used to this, how can i not use it?
.\mimikatz.exe "command" exit
^
I love you guys 🙂
most of the labs can be done using remote tools actually, no need to rdp
if you're still stuck dm me what you have done
bro stole my line 
i think i'll go this way, just it has to do with the Svc_Admins group right?
yes
okay at least i'm going the right way, ty dude i'll stop bother you
yes of course
thanx
not sure what u mean, cause after submitting them I can't do it ...
i just mean you can answer the questions without entering answers in the fields, not much room for errors
is it just me or vms on academy lose connection every 2-3 mins and then connect again?
hey guys in the Footprinting easy lab in htb academy how did we get the username (based on the youtube videos on the walkthrough) on port 2121. I did an nmap scan and was not sure how to proceed, seen 2 videos and both log into ftp on port 2121 with the username ceil right after doing an nmap scan
it says it at the top of the page
"Additionally, our teammates have found the following credentials "ceil:qwer1234", and they pointed out that some of the company's employees were talking about SSH keys on a forum."
Has someone done the new Information Gathering - Web Edition module > Creepy Crawlies section and can give me a bit of a nudge on it ...
not sure what I'm missing...
yeah they are extremely slow, it's pretty annoying
I'm at the Windows PKI - ESC1 module and I had to RDP through 3 machines, I spent hours with this slow connection
@umbral fulcrum same with me I am not understanding that section
what is the issue?
if you installed scrapy properly it should work
what ?!
so I need to run it on some address?
but there's no ip
you dont need the IP you got the domain name
Hello, i'm doing the module privilege escalation for windows and on the part about bypassing UAC, i don't understand how to find the technique which will work on the specified build version?
Like, how on the repo UACME i find the correct technique for my build ?
check the repo, there's a list on it
thanx
Hey guys i need a sanity check.
I'm currently doing the AD Skills Assessment Part 2.
I got a systemshell in multiple ways on SQL01. Also got one as ||user administrator||.
||But i can't get any useful credentials with mimikatz or crackmap.||
I checked and the solutions use an identical approach to the one (of multiple) that i used but i don't get the password i'm supposed to get.
sorry, after escalating privilege i used mimikatz
u will get the mssqlsvc credential
Or can i pth?
yeah solutions got them as well. Was banging my head against the wall about this step for 3 days, since i always don't get the password. And it's not crackable either :/
ok, i will look onward, but the solutions also used this so i assumed it was correct.
I will delete my output, for spoiler reasons.
@low girder yo
use overpass the hash to forge ticket?
I was asked to ping Tejas in the channel, I'm not violating any rules
no for this question specifically just dump other things
Ah ok got it, thanks 🙂
But i still wonder why the solutions didn't work for me
where in the solution did they say to dump lsass tho
shell
mimikatz64.exe
privilege::debug
sekurlsa::logonpasswords
hmm from my notes it's explicitly not in lsass
Yep
Interesting, for me lsadump::secrets worked (just tried it again to make sure)
Yea that's where that password is stored
i have a question from the SIEM Fundamentals module, that is: if it is available, so that it includes failed logon attempt data where the username field contains the keyword "admin" anywhere within it. What should you specify after user.name: in the KQL query? .. Plz give me a hint about this..
i had tried simple admin, wildcard, with bool and event code but idk where i am wrong
Information Gathering Web Edition- The updated Skills Assessment spawns a server pointing to upcloud I’m pretty sure we’re not supposed to attack. Any clarification would be excellent
Hello to all. I am stuck on the skills assessment for the SSRF module. I have reconned the target and it has provided me with so many open ports and services. I went through one by one but couldn't find a target to concentrate on to perform SSRF. Due to this I haven't identified what type of SSRF to perform (normal, blind, ssi or ssti). Any hint on how to find a vulnerable target to concentrate on?
mainly I have found different applications with different technologies. I suppose I have to just continue searching one by one for a potential entry. Any hint is welcome. thank you
In the reporting section, how would we figure out the cvss score for a technique we use? I haven't seen anywhere where it talks about scoring in much detail
..
yeah but our target is ip:port
Yes, it changed from just an ip and the questions don’t match up, just that last new one.
Ah so a different methodology entirely. That’s actually a lot of fun. Thanks for clarifying
that's right, the focus isn't on the same things. There is a message about that from payloadbunny a few messages earlier
Great to know how active this is here and thanks for the proper assistance 🫡
Hey all. I'm on the last question of the last section of Intro to Assembly Language. It says, "The above server simulates a vulnerable server that we can run our shellcodes on." I'm unclear as to what that's referring to. I assume it's the Pwnbox. When I spin that up it's just a vanilla VM. Am I on the right track?
hi, you have a start the target thing and you receive an ip and port, that's the one you want to test your shellcode, not the pwnbox
Thanks for the reply! I don't see a target like you describe. Several other sections had that, but this one doesn't.
in the question section, where it always is, it should be there
Am I allowed to post a screenshot?
Here's the link if you have access to it: https://academy.hackthebox.com/module/85/section/909
And now I see it. smh.
I swear it wasn't there before. Y'all got a wall of shame?
And just like that, I wrapped up a most excellent course. Thanks, @wraith pelican !
you need to verify your htb account to post images, in #welcome. i got that sometimes as well, "the thing wasn't there i swear!!" ... well after playing with assembly the eyes can play tricks...
I have trouble with HTB account linking, which room is right to post such problems?
Support is the right contact in this case
Support is not helping.. The support person disappears for hours
Support does not normally read here. Unfortunately, you have no choice but to open a ticket and wait.
Thanks
nvm solved
I am not thinking straight. lol I have found the solution to this. it was all along in front of me, All these ports found through recon with apps are there to distract you from the real website. Or they are there because there are multiple ways to finish this assessment. Either way i have found a way in. Please dm if you want to learn more.
If you're given a public_ip:port, then the only scope is the port given
nice to know. But there were many funny other apps loool
That doesn't matter
If it's public_ip:port, you're only attacking public_ip:port and ignoring other ports
Those other ports were likely hosting services for other modules that another person may be working on
Hey guys, im stuck at “intro to whitebox” skills assessment, and kinda need a small push, anyone successfully completed this module?
Hello, i need a sanity check on the very last step of the Advanced SQL Injections skills assessment (RCE); is anyone available? I'll show what I have tried so far. Thanks.
I am trying to use https://web.archive.org with hackthebox.com on 8th August 2018. I get redirected to a godaddy page... Trying to find how many labs they had on that date for a module question.
the question asks about hackthebox without telling the domain
try .eu instead
Worked great thank you
Hey, I'm doing the windows attacks & defense modules but some labs when I'm trying to RDP I receive the message "The trust relationship between this workstation and the primary domain failed", anyone know the cause of the problem and how to fix?
i am super confused at Windows Privilege Escalation Skills Assessment - Part I, using ||JuicyPotato|| trying different ||CLSIDs||, according to references i have to use them with the {}, but i keep getting Wrong Argument error, without them i get "COM -> recv failed with error: 10038", i used ||test_clsid.bat|| to validate them
Maybe try spoofing
i'll check to see if the host is running windows 2019 or not, if i remember correctly juicypotato doesn't work on 2019 but the other juicy potato attack does
u mean ||PrintSpoofer||!! i tried it and it didn't work either
let me try again
its 2016
Also make sure you're running it on the right host
This is for the SQL01 admin yeah?
could be the arguments are not in a suitable order for juicy.exe, you got a wrong argument error.
right host!! no its WINLPE-SKILLS1-SRV
i thought so 😂
i thought of this too and tried different things but it didn't work for me
put it in quotes
like XreOuS said, the quotes
now maybe it is not the correct CLSID, i used another one
it worked finally 🥲 thanks so much guys, that was a long day 😂 i hate this ohpe guy, why didn't he just say so
a lot of the tools are down to you to rtfm
congrats! what was the issue?
in the readme it didn't mention the quotes 🙆♂️
It worked now, had to restart the machine a couple of times
you're using powershell, ps and cmd interpret some characters differently
i didn't see that coming 🙆♂️ thank u for this
Currently working on: https://academy.hackthebox.com/module/144/section/1311
The questions seem to suggest looking at the robots.txt file to find the path to a admin page revealing an answer.
I have tried the obvious going to inlanefreight.htb/robots.txt with no luck
I have also used `gobuster vhost -u http://inlanefreight.htb:34968 -w ./SecLists/Discovery/DNS/subdomains-top1million-110000.txt -t 50 --append-domain` which found || web1337.inlanefreight.htb ||
no luck going to /robots.txt from there either.
I have tried crawling both pages with ReconSpider but it returned nothing
anyone have a suggestion?
Any nudge for a foothold on the Attacking common services medium lab?
||So far I've only managed to extract some info from dig which looks like there is an internal ftp server and nfs share based off the domains it found. Checked all the domains and found nothing.
Tried brute force on ssh (zzzzz), pop3/pop3d, ftp with the normal user list and made an @inlanefreight.htb list for pop3. Tried normal pw list and rockyou.
Tried manually checking accs in pop3 (Doesn't work)
Tried ftp bounce but I need auth, I see that it's running on port 2121 and seems to be ccproxy ftp? Seems like there are a couple vulns for it but didn't find anything useful and it seems out of scope for the module.
I did find something running on port 30021 but it's "tcpwrapped" so won't give out any info.||
I feel like I should've found a username or something 
a subdomain can have another subdomain on top
I did actually add it to my hosts file and then use the same gobuster command but with web1337.inlanefreight.htb:34968 but get an unable to connect error.
I'm unable to connect to it in the browser as well..
Read the engagement carefully
you should see the robots.txt from there, but maybe the box crashed, they tend to do that
make sure you did not add the port number in the hosts file
You don't need to bounce @silk anchor
But you can likely guess what service is running on that extra port
Also keep inlanefreight.htb in the hosts file for that entry
I tried with it and then removed to see if it made a difference. no change
Also make sure http://
^
it is there, it just disappears with firefox when you hit enter
I promise you its there
well then restart the box if u say it's using http instead of https
I'll reset it then try again and report back. both http and https not working
Don't forget to update your hosts file with the new ip
also add the inlanefreight.htb to hosts
.
ah
Likely your bruteforcing DoSed it
Interesting. Would it still be trying to answer all the queries or just overloaded and shut down?
Just shut down
A DoSed server can't respond to queries
It'll just respond "unavailable"
from what i tried, for this server not to crash you have to extend the timeout when using ffuf or gobuster
guys i can't text on general chat?
Hey can anyone help me change to the student email in academy, i have an issue cuz i have my account linked in HTB and i have my personal email in the main account and i need to change the academy account's email to my student email for the student subscription and i have no idea what to do
Message support
Thankyou will do
after some try and error, i finally made it
Completed it, Thanks! Now I feel dumb 
||I totally didn't spend 30 mins trying to format the key||
I have robots.txt now but going to the directories of everything it lists on firefox gives 404. I have tried:
||http://sub.inlanefreight.htb:30385/dir http://sub.inlanefreight.htb:30385/dir/index.html http://inlanefreight.htb:30385/dir ||
among many other. The question asks for an api key in this directory. I'm confused where else to check
like i said subdomains can have subdomains on top
Try not to spoil directories and subdomains
Using first letter or replacing [subdomain].inlanefreight.htb works just fine to get your point
And /dir
Okay I haven't used a forum or anything before, my bad
It's basics, try not to spoil anything that could directly lead to answering the questions such as direct usernames/passwords, subdomains, directories. Obfuscate if it's necessary
Username: a*
Password: b*
Subdomain.inlanefreight.htb/hidden_dir
Just basics to avoid spoiling it for others because spoiler text honestly does nothing
I should have re-checked this after resetting the box earlier. Thank you
I am on module 2 and attempting to VPN in from my Kali Laptop.
With:
- TCP 443 Openvpn config file, I get 1000+ ms on ping.
- UDP 1337 I am averaging around 350 ms.
Already verified no other OpenVPN is open. Speedtest with OpenVPN off, I have 413 Mbps down and 235 Mbps up
lmk if u still get stuck
so your issue is just slow connection?
Yes, but it has a secondary problem with nmap enumeration in the module
and whats the problem with that
nmap wont return the correct results compared to pwnbox
well you can always change vpn connection to like EU and try again not really sure what we can do lol
Otherwise message support
sometimes some vpn regions are just slow (traffic is high due to the amount of users) ¯\_(ツ)_/¯
I got a unique problem. I am able to get a meterpreter session but I am not able to get a shell. I think it has something to do with my proxychains configuration
If you get a session you can drop into a shell
just spawn it with shell ?
^
But if you're not getting a session, make sure all variables are set properly
It also helps if you provide the module and section name you're working on. 
Can I dm? I got the other questions but still not the hidden directory one lol
I did type shell and it just hangs
Did you press enter after a minute?
Did you try changing vpn regions and trying again
yeah dm me
Did you pray to God for the answers
u got jokes today XD
I pressed enter, didn't try the VPN regions, why would I pray to myself?
Hi im doing the file inclusions module and on the Log poisoning sessions i have managed to RCE using the PHP session cookie vulnerability, when i run the pwd command the output is not accepted by the exercise
has anyone else run into a similar issue?
I am concerned because looking at the veteran HTB folks in the community the latency was 1 ms under UDP 1337 for regular HTB boxes. Is it normal for HTB academy boxes to return that high of a latency via OpenVPN?
Usually ~ 200 or less depending. The more important thing is stability
The latency is simply the distance from your computer to the server
If it's stable, you can manage, if it's unstable you're gonna have a bad time
its unstable
I.e.
200
200
1600
200
Is abnormal
Then change vpn regions
The problem is conflating latency with performance
The instability is known as jittering (what's colloquially known as lag)
Can someone direct me to a resource for installing an old version of Postgresql? Namely: postgresql-server-dev-13?
I'm having a devil of a time downgrading to such a version.
About 300 ms when I terminated the target machine and restarted it. NMAP came back with stronger results. Thank you
In case you wonder, just resend the PHP cookie, even though it is still the same cookie it is expired and you need to send it again
the fact that the value of the cookie stays the same is a bit confusing
https://academy.hackthebox.com/module/144/section/1311
stuck on "What is the API key in the hidden admin directory that you have discovered on the target system?"
I have solved all other questions but this one.
I have tried many subdomain combinations looking for the hidden directory which I've gotten the name of but have had no luck. I've used FinalRecon on every subdomain looking for the hidden directory but can't find anything. Any nudge is appreciated.
dude were you joking to me about that Svc_admins group. that's a complete dead end isn't it?
it's not, have you checked bloodhound?
absolutely i can't find anything really
no nested groups, nothing with Find-InterestingACL and stuff
rerun your collectors, make sure you captured both domains
okay i'll try harder 😦
think i have it. my bloodhound was just not complete
makes me fart i swear
Still searching for the hidden directory ^^
no way!!
I got everything else
what have you got on that?
what do you mean
what options did you try ?
I have tried many subdomain combinations with the few you get while bruteforcing, looking for the hidden directory that i know the name of. I get a 404 error on every page looking for it. I've used FinalRecon as well on every subdomain looking for the hidden directory but can't find anything.
Does anyone remember in the shell and payloads module reverse shell if they had to use a different shell code then the module provided? All cool if thats the case just having issues with the one they provided
i've tried /[hidden directory name]/index.html on all the pages too idk
Nope
not to be overly simple but when you read the skill assessment brief, i guess there is one thing you have not tried, without brute forcing
interesting okay
are you referring to the name of the hidden directory?
- Using whois
- Analysing robots.txt
- Performing subdomain bruteforcing
- Crawling and analysing results
Just select the payload and don't add any extra encoding
did you analyse it?
If you are asking me if I know the name of the hidden directory then yes. I'm just trying not to spoil it, maybe there is something else im missing?
I thought I did that however I'm getting all sorts of errors with the code, was expecting maybe av issues but not this
Then you likely did something wrong
The payload should start with powershell -e iirc
https://revshells.com/ this is where you generate the payload @upbeat oak
but if you got the name, you got the answer
Thank you and the code in the module definitely doesn't start with that appreciate the assist
well no, the question is asking for the API key. I'm unable to open the directory to view it
Always expect to need to modify something
They provide a direct link to revshells.com to use
I've reset the box a handful of times as well
Oh wait @upbeat oak I misremembered this section
Not sure what channel to post this in but here goes. I have completed all the fundamental modules of the CREST CPSA/CRT path, I am looking to obviously complete it all and then do the exam. What is the best way to do it, buy all the cubes upfront and go through it that way, or is it more cost effective to sign up to a subscription? I am conscious with subs as I already have an HTB subscription for boxes and a THM one, so I am not an endless pot of money and want to gain the most. Any opinions or advice are welcome, many thanks
from what i have in my notes, you just have to type the hidden directory and the server shows a page with the key
can I dm you screenshots
dont wanna spoil here
yea
You need to adjust the 10.10.14.158,443 to your own tun0 ip and port @upbeat oak
You also need to run the command in commandline/cmd not powershell
ahh let me try that because I was using my tun0
Just above the payload it explicitly tells you cmd
boom that was it lol thank you
Reading helps 😉
Lol definitely assumed use powershell
Even the cmd example has the cmd background 😉
wow it definitely does
After 2 hours of trying to find the hidden directory, I just needed to add another / to the end of the url... ffs
if there is a more appropriate channel for this question can someone direct me as I want to start cracking on, I also have a question around the OS Fundamentals path as well, Many Thanks (Trying not to spam but I am on UK time so I want to sort it to continue tomorrow)
I don't know about CREST CPSA/CRT but in my case, for the cpts path, I found it easier to buy a monthly subscription as it would take several months to complete anyway. It is not cheaper and people buy the whole path at once, i guess it depends on if you're willing to drop several hundred in one payment.
I don't suggest buying the cubes outright
The monthly subs are a significant discount to the relative cost of outright buying the cubes
well from what I can see the syllabus covers something very similar to the CPTS and I have been advised to do that after doing the CREST paths (that's a big recruitment tickbox), so which membership makes the most sense? I study pretty much every day and I have already covered things like win priv esc and linux priv esc before so it is more revisiting content specific knowledge
yeah I believe it does, one off topic question and I will stop filling up your time 😂 the OS Fundamentals course, I only have the Mac OS module left, I have used macs in the past but do not have one currently, is there a way to get this as a vm or virtual instance to complete the content? If not no big deal, more just a knowledge refreshing exercise
I agree for the money it's worth it thanks for your advice, really helpful
idk about virtualizing macs, i'm sure you could but it's likely more effort than it's worth
thanks for being honest, I will just come back and fill that gap if I ever get my hands on a mac for a weekend haha
I will stop filling space now and sort my sub out, thanks
most hacking and learning is focused on Windows and Linux, so missing out on Mac isn't really that big of a deal
yeah I know, was more just so the incomplete course wasn't constantly staring at me haha
Shells and Payloads: MS17-010 keeps failing, not sure why. Have reset the host a couple of times. Originally thought it was because I had the listener on port 4444 and dropped it to 999 but still failed. Any ideas would be appreciated
did you use the right exploit, from what I recall there's a few and only one of them is the one that's just a flood attack
the others are actually shells or RCE
Ah, I think that's it, I recall that when doing ||blue|| thanks
Need help: In module Windows Attack & Defense: Print Spooler & NTLM Relaying, q2 of the page requires connection to the kali target spawned and the DC1 at the same time. Although I'm able to both ssh and rdp to the spawned kali, I'm unable to rdp to the DC1, which was provided the address of 172.16.18.3 and using credential htb-student:HTB_@cademy_stdnt! Not sure if I'm doing it right using `xfreerdp /u:eagle\\htb-student /p:HTB@cademy_stdnt! /v:TARGET_IP /dynamic-resolution`, but it doesn't work ;-;
you'll need to RDP to the DC1 FROM the kali machine
172.16.18.3 is an internal IP address that your tun0 ip does not give access to
also wrap commands in backticks `like this`
hey marcie, just tried the other one and that didn't work lol
make sure you set all the settings appropriately
not all of the exploits are created equally
yeah I can't seem to get it to pop
unless it wants me to use doublepulsar, which wouldn't make sense
it does not
make sure that it's one of the exec ones
also sometimes resetting msfconsole gets it to work
well there's code and command, command injection is listed as an auxiliary lol
(quit and open it again)
code injection failed
the one that the section shows is the psexec one
unless it wants me to run the kernel pool corruption first and then do the psexec code execution im lost
I feel like I'm actually going crazy lol - I've done this machine before and I'm so lost why it isn't working lmao
nope - fail lol
just spun it up
make sure you have the lhost and everything set correctly
btw; in msfconsole you can use the interface name instead of IP for LHOST
what port did you use?
i didn't adjust any ports or anything like that
just
set LHOST tun0
set RHOST target_IP
what msfconsole module are you running?
exploit(windows/smb/ms17_010_psexec)
then setting those variables should work
"Exploit completed, but no session was created"
check options and make sure your lhost variable is correct
because I literally just spun the target up for that section and it worked flawlessly
unless you're referring to the host on the skill assessment; in which case make sure the interface matches
exploit completed but no session means (generally) that the exploit did what it was meant to, but your listener isn't set up right
Can someone sanity check the question : https://academy.hackthebox.com/module/239/section/2599
I found the answer, but locally it doesn't work while it should, can someone who has finished it also double check with me in DM ?
can someone share any discount coupon for academy full pass. Need help during crunch times.
there's no discount coupon bro
also wdym "full pass"? you mean one of the annual subs?
i meant the silver annual pass
there's no coupon codes going on for the annual subs atm
just gonna have to suck it up and buy it yourself or settle for one of the monthly subs
The base64 encoded ones?
already resolved
¯\_(ツ)_/¯
lmao
Module: AD Enumeration & Attacks
Section: Kerberos "Double Hop" Problem (https://academy.hackthebox.com/module/143/section/1573)
In other words, the account's TGS Ticket is cached, which has the ability to sign TGTs and grant remote access.
Is there a mistake in the quoted text? Shouldn't it be the other way around? A TGT ticket is the one with the ability to sign TGSs and grant remote access, no?
can someone help with this question in CPTS Footprinting DNS: Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
What are you having trouble with
i am kinda lost about what exactly he wants, i ran the `dig @10.129.42.195 inlanefreight.htb AXFR`
command and it gave me the result
there are 3 TXT records in the result
what exactly does he want
can anyone help me too? how do i fix this error?
You can also zone transfer subdomains
aight
You need to stop the active machine you've got running first.
i do not know where to find it. can someone hop in vc and i will start a stream?
Look near the search at the top, the machine Crafty is running.
it gives me transfer failed
Sure
im redoing the file upload skill assessment for CBBH and i am positive i have the correct upload directory in the url bar, can someone give me insight as to why im still getting 404 error
Try it on every subdomain
so should i do subdomain enumeration
and will it just give me a clear flag
thank you @normal sand 🙏
You should try axfr on every host you see
got it bro thanks
never mind, for anyone else that comes across this, when you get past viewing the upload.php source code, it will show todays date on file name, but just know that depending on the time zone it may be a day ahead. For example it's supposed to be YYMMDD -> 240625 (todays date), but in my case it needed to be 240626 due to time zones...
Yep UTC will do that
need help on the CBBH XSS module. it didn't give me any pop up
you will probably get better help if you say which module, section, and question you're on and what you've tried
hey did you ever solve this.. I'm experiencing the same thing where I have the HTB{} flag but its marking it incorrect (and not the one that is previewed on the webpage) this is one thats been decoded and ran through serial.php again in a POST
or if anyone has done the bug bounty path with java deobfuscation, im speaking of the source code flag
Source code section?
Read the source code of the base web page
It's really that simple
It's hiding in an html comment
its an obfuscated code - it was simple - but the flag I'm trying to submit is saying its wrong
Source code section yeah?
yeah inside the java deobfuscation module
Module: AD Enumeration & Attacks
Section: Kerberos "Double Hop" Problem (https://academy.hackthebox.com/module/143/section/1573)
So only method #1 works from a Linux attack host?
lmao well ill be damned, i must have just solved a flag for another section LOL i guess i helped future me out
You did
A lot of the work you did is gone over in the other sections
lol im cackling at the flag for this section.. of which I DID NOT DO /secret.js was my landing LOL - thank you for giving me a swift kick back @fathom pendant
anyone have any recommendations for SMTP ?
module/103/section/1011
im trying to finish off the Attack Common Services for SMTP. i have the user/pass but im struggling to get into the mail box
the telnet option is shit. its confusing AF
which module, section
Just say the name and section or link if you're gonna do it that way
It depends on what service you're interacting with
Imap you need to prefix commands
I managed to run EHLO inlanefreight.htb, which then gave an output, but then it's just slow AF.
<literally anything> <command> <args>
Lmao I just speedran this after you asked about it
Also be wary of being 2 steps ahead, it can bite you in the exam too
Faaaaar out. It just took a few minutes for the server to respond to my commands....
This is my problem: I either rabbit hole or I skip 2 steps ahead and completely have to backtrack.
It's best not to question why it needs a prefix
The funny bit is one of the flags for the skill assessment for this module calls you out 
Well, I just did 'AUTH LOGIN PLAIN' and got '334 UGFzc3dvcmQ6' in response.
THAT'S WHERE I CACKLED, I was thinking DAMN HTB Y'ALL GOT ME GOOD
I wish HTB would provide something on how to get around in these environments. I can't even find much on Google tbh.
Try doing 1 login <user> <pass>
334 btw is the authentication response code, with the following text being the challenge code (aka it's nothing)
Roger. Will try now.
ahhhh gotcha
When dealing with services via CLI you'll often see a [response code] text
Where the response code generally indicates the type of response
It's not important to memorize all the codes
Btw it's base64 if you want to copy/paste that and decode it
I just want to get into this damn email inbox.
Who would've thought breaking the user/pass would be the easiest part....
I tried:
1 login <user> <pass>
and got
535 auth failure.
so now trying:
1 LOGIN <user>@inlanefreight.htb <pass>
and got
503 bad sequence of commands
Switch <user> and <pass> with username and password
Aka what you found
I put in the actual user/pass. I just didn't put it into chat for spoilers.
Is there another way to connect without CLI?
This is taking forever.... approx 2 mins for responses from CLI.
Also try putting the "user@domain" and "pass"
waiting for a response now
It's been 4 min.
It's not gonna be much better from a gui, it sounds like you have high latency and maybe jitters. Change vpn region and respawn the target
Might have to.
If it's taking this long, assume either target soft died, or your connection is messed up
I've already done that just to crack the password.
If you ping the ip, do you have consistent ping?
Or is it random and extremely high
Nah, consistently 286.
Also might help to change from US --> EU or vice versa
And from AUS that's not bad.
Ah
Yeah many people from the SEA/OCE region said the pwnbox was the most manageable. Even with latency
But it shouldn't take 4 minutes for a response
Well, I switched from my VM to the Pwnbox because sometimes it just didn't work in the VM.
And since you're learning, you're not 100% sure if it's your fault.
Just know it was only partially your fault 
Took me 3 days to finish Password Attacks, long days too, and it turns out the machines were at fault a few times.
hahahah yea thanks
I still find the lack of help for getting around in things like SMTP to be a bit annoying. Googling and looking at YouTube is all the same stuff: log in with telnet (no auth) and write a test email. It's crazy there's no other vids on using SMTP commands lol.
Also I hope it was obvious to not include the brackets with the login attempt
Because it's not smtp commands, it's imap
You generally only interact with mail services via imap or pop3
Ok, the lack of IMAP help is annoying lol.
Well I linked to an article earlier
If you search in the discord from:marcielee has:link in:modules imap I've shared a few imap related articles
Thanks. I see those links.
Terminated my Pwnbox and target.
And now respawning too. Hopefully it helps.
I also suggest just messing with some of the commands to familiarize yourself with them
Also if you're using pwnbox don't forget to turn off the vpn on your vm
And vice versa, they can cause issues with each other
Oh, didn't know that.
Yea, I agree. It's a good way to learn. But if it's taking minutes to get responses it's hard to tell whether what you're doing is working correctly lol.
Just know the general 5xx errors are server errors (with an explanation); 3xx codes are server messages; 2xx are confirmation (if shown)
Also as a general FYI, imap isn't case sensitive
Once you read the email though be prepared to chuckle before you grab the flag
So I do AUTH LOGIN <user> and it gives back "Password:" in base64.
So I send back the password in base64 and it fails.
Put in the password in plaintext
It's just basically saying you didn't input the password for the login
The login command accepts both user and pass on the same line
And you do need to include the @domain for the user
Just checked
Btw it's treating AUTH as your command prefix, you can literally put any string of characters before it lol
I've tried so many commands and it still says failed.
Didn't work.
1 login "(user)@inlanefreight.htb" "password"
(Without brackets)
25
That's why you're getting errors
And it's not accepting the imap commands
Because you're on the smtp port
Damn it.... I used hydra on that port and that's how I got the usr/pwd.
143 is the imap port my guy
Now I'm in ... f m l
Yep always make sure to use the right port
Also with hydra you can specify protocol://ip if it's running default
Yea, I think I specified the protocol at the end.
But I swear it found it through p25.
It's better, structurally, than pop3
I'm in the inbox but I can't even understand how to figure out what's in here.
Or how to read anything. lol
Just prefix <command> <args>
Yea, I get that.
So, you see how there's the *[n] exists
yup
You can do just 1 fetch [id] body[] where id (without brackets) is a number between 1 and n
Or 1:n body[subject] if you're looking for subject lines
Even going through those links that wasn't clear. Thank you!
The body[] is the email itself from the headers to the message
You can even do body[message] to just grab the message without the headers (subject, sender, etc)
Flag submitted .... think it took me 1.5 hrs for this lol.
Speed doesn't matter
Understanding the material is more important
I could easily blitz through the remaining cpts modules using the silver annual walkthroughs, but I wouldn't learn anything
Yea, I get that.
And it'd only end up hurting me
I take plenty of notes to understand and solidify my understanding of content
As well as help out here to additionally cement the knowledge in my brain
Yes, I get that. I have a ton of notes too.
I don't just help out of the altruistic nature of my heart, there's a selfish reason to me assisting others
I didn't see that fetch command referenced anywhere, not even in the links. Flailing around not even knowing how to get around IMAP doesn't really help.
Yea, I also get that too mate.
It's in the footprinting module
Though they give you the fetch ID all command, which doesn't do much
Or at least it only gives data about the structure of the email
Yea. And those links you sent me do the same thing of just referencing a number. I had no idea I could just reference the first 1 and not have to specify anything else other than body[].
I mean
It seems unintuitive until you realize how emails are stored
Then it's like "ohhh"
It fetches the id sequentially based on what's in the inbox
Well, I'm sure ppl who have never used Linux feel the same way.
But not being able to just see what is in there with an 'ls' type command is annoying. Feel super blind using IMAP.
I hope I never have to use that damn thing again.
I suggest, to learn basic linux commands, a terminal based game -- bashcrawl
I'm fine with Linux.
It was just an example. If ppl have only ever used Windows and suddenly need a CLI and Linux I'm sure they feel overwhelmed.
I hope the email from <user> to admin gave you a little chuckle
Lol if you still have the terminal open scroll up
Closed it. Moving on. lol
ah ok
It's in the email with the flag
I already closed it, and I'm definitely not going back in.
Lol
But to answer your question earlier, there is the evolution email client you can use to set up auth to the target with
I opened that and it wouldn't connect at all.
You gotta set it up to connect
Setting the remote server address, smtp, imap, pop3...
Yea, I tried and none of it worked.
That was before I terminated everything and then restarted the Pwnbox and machine. So maybe it would've worked after that.
I found the hidden path and the supposed API key (e96*), but it says incorrect answer. Any hint? @wanton idol did you solve it?
isn't that the first API key?
there's a 2nd api key elsewhere, for the final question
Hello, I am on the PIVOTING, TUNNELING, AND PORT FORWARDING module with the Web Server Pivoting with Rpivot section. I am doing the last question "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." After setting up client.py and server.py and getting a connection, when I go to proxychains firefox <internal IP> I can only see the default Apache page, and I have tried curl as well.
I also tried the method to connect through an HTTP proxy and NTLM auth but all I get is a Caught socket error trying to establish connection to proxy. Code 111. Msg Connection refused
Unable to connect to 172.16.5.129 port: 9999. Caught socket error trying to establish connection with RPIVOT server. Code 111. Msg Connection refused
check the banner in the default page
you getting to a page instead of a "can't connect" message via firefox means it's working
Got it
Thanks.
It was just confusing because I was expecting something else, but now I see it within the source code.
It's kinda right there.
I take it though you were expecting HTB{..}
a fair bit of modules don't use the HTB{..} format for the flags/answers
but chances are if it's l337speak it's the answer
iirc that one is there on the page, in red? I only saved a snippet of the curl output.
indeed
I had to double check myself.
Can anyone help with the Advanced XSS skills assessment? I found the vuln and the exploit works on my side but doesn't work on the bot.
If there is a script.txt file hosted on a server, can I use it in script src?
Oooh, I understand what the problem is.
Hi, I see that you found the solution, can you give me a hint to follow? thx
dm
Hey amigos. Does somebody understand why the last SSRF assessment was done in such a way? We learned all these amazing procedures but none were used to find the flag. It felt that it could have been better implemented. It was just a question of searching correctly rather than using a vulnerability.
Hello, is there a problem with the Crawling section in the Information Gathering - Web Edition module? I can't find the comment for the location of future reports.
Even if I try to read the source code of the website I can't find the comment.
if you try to read the crawling results? there is nothing there?
I do and in comments can find it
Yes, it should be straightforward in the results.
Hmmm, so maybe I have a problem with my ReconSpider? Is that possible?
Run the tool again to generate the results.
Yes, if you run it several times it only saves the last execution.
Ok, I got it, thank you. I had to execute the tool like 3 times 😅
Yeah, I solved it. The domain you found the text on about an API key is not the answer. You need to continue enumerating and finding more subdomains.
Ah I'm late to the party
Finally finished the AD module. What a banger of a module. Especially the Skill Assessments were really great to learn from.
on the road to victory now
good work mate
I just finished Attacking Common Services - Medium, it was waaaay easier than the Easy lab lol.
I don't think I'll do too well on the AD module but I heard HTB is way more in-depth than OffSec for that component. So looking forward to it.
Damn, it's nice when you try something out, something new, and you hit enumerating gold!
How to learn hacking from the start?
Anyone got any idea about this?
#modules message
The module is really well written and will explain a lot of things. You can do it. The Skill Assessment requires a bit of trying things out and doing your own research, but is really rewarding to do.
Yes, one of my friends is doing the course and labs for OSCP and he also did the AD module. He told me that HTB goes more in depth for each concept.
Yea, I'm looking forward to it. Though I find myself feeling more at home on Linux than Windows lol.
And OSCP is also a goal of mine. Though I figured the HTB learning path would be better for the long run.
Unconstrained delegation is a different mechanism from standard Kerberos authentication.
Oh okay, so this is special for unconstrained delegation.
Thanks
@next bronze any idea about this #modules message ?
Yes, that paragraph is specifically referring to unconstrained delegation.
you don't have to worry about double hop if you're authenticating directly from linux
whatever you want to access, just open a new connection to it, it will always be only one hop
And then I can just use method #2 from there, right? (If I'm connecting to another remote host using WinRM)
there's no need to use any methods there if you're connecting directly
Oh, you mean directly from the attack host (linux) to the DC? Instead of via another host in between.
Ah, gotcha, that's why it mentions port forwarding as an alternative method at the bottom. Thanks a lot!
Btw @next bronze, weird question, but would you say the modules after AD Enumeration and Attacks take longer than the modules prior to it?
I only ask cuz I'm tryna plan my time accordingly. Totally understandable if there's no real answer to this tho 😅
Why can't I run the file kernel which has executable permission?
idk, I didn't time myself.
I also didn't do the modules in sequence
Ouhh
Is there a reason? Or were you just doing what modules you wanted and then the Penetration Tester path came out?
nah, I just did the topics I'm more familiar with first
Ahh ok.
Try grepping it.
anyone?
Have you tried sudo?
yes, didn't work
Sorry, user htb-student is not allowed to execute './kernel' as root on NIX02.
might help if you specify what module you are stuck on
Kernel Exploits section from Linux priv esc.
I have anything SQL lol.
I'm working on the Active Directory Enumeration and Attacks module. Specifically the Kerberoasting from Windows section. I tried spawning the machine and it's been stuck on target spawning for about 20 mins now. I've tried refreshing the page and restarting my PC but it's just stuck, any suggestions? https://academy.hackthebox.com/module/143/section/1423
Advanced XSS and CSRF module skills assessment, I suspect the admin bot is not working.
The payload works on my side to enumerate the internal API.
Attacking common services hard done! That was a very cool attack chain
I'd be interested to know if there was a way to ||read the flag directly since I ended up needing to change some settings but I dunno if that is the intended way.||
Anyone care to give me a nudge on the "Broken Authentication Skill assessment?
Is that module updated? I only know the previous one.
Yeah, recently updated it seems : <
I just finished it too! I got through most of it without a nudge, but the last part using SQL was difficult for me .... I'll definitely need to circle back to SQL exploits in the future.
I actually found most of it easier than the easy lab if I'm being honest...
I agree, I had to get a nudge for that one. Knew what I was meant to do but executing it correctly was difficult.
Fun module tho, nice to start chaining stuff together.
Yea, I understood conceptually but how you go about it was crazy imo. I wouldn't have thought of those linked things allowing you to circumvent the way you do
Will probably try it again at the end of the path, or look for a machine with those vectors. I imagine something similar will show up in the exam.
I fully expect everything covered in the modules to be in the exam in some shape
Yea, that's everything I've read.
I heard there is a big risk of overthinking things as everything you need is in the modules.
I wanted to try a retired machine but without a proper subscription it seems that is hard to do ... (I'm using the student sub for Academy)
I've come across that a few times so far with some of the module skill assessments too. Just need to remember to keep it simple and make sure you have tried all the obvious things before you start attempting the wild stuff.
The free retired machine in the lab is all web related stuff and I haven't got to that yet in the learning path 🤣
Yea, sometimes too. Though at times I feel like the answer isn't directly related. I had forgotten about GTFOBins and it was necessary on some previous stuff.
But carefully re-reading the module often helps.
Hello everyone
I am doing Windows Privilege Escalation Skills Assessment - Part 1
I am struggling to get the initial reverse shell, any hints on what I should use?
tried to inject commands to get a shell but had no luck so far
I have almost just been copying and pasting the modules so I can reference back to them easily. I'm planning to go back through them and all my notes from all the questions/skill assessments and make a CPTS cheatsheet for the exam.
Yea, I really only started taking proper notes in Password Attacks. Kinda overdid it though. I need to figure out a way to organise my notes better.
I downloaded Obsidian, which I hope helps. Been using Sublime.
Btw @silk anchor , look at https://docs.sysreptor.com/htb-reporting-with-sysreptor/ for your reporting
I will sign up when it's exam time. They have templates for OSCP as well.
I've been using Notion and formatting it like this. Basically copy most of the module and make detailed notes for every question/assessment. HTB also gives you this template that you linked AFAIK.
notion else matters 😉
I'll have a look at Notion tomorrow 🙂
Hey Anders, I saw in the chat history that you recently did the Broken auth assessment. Mind if I ask you for a nudge in DMs?
sure I will see if I can remember
I find myself going back and forth looking for enum code. Started to have notes by service to help.
Appreciate that, send you a DM.
Will I get a hard copy if I pass HTB Certified Bug Bounty Hunter?
The RDP connection is so slow in the Windows privesc module.
still stuck?
In the Web Fuzzing Skills Assessment, part 3 says:
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
but none of the index.FUZZ results are the answer. Does this mean I am expected to fuzz the pages to find one? I've spent half an hour fuzzing with various wordlists and domains with all of the extensions.
yup
Hello there, if any kind soul has completed the Sliver module: I've been stuck on the SA - first domain compromise. Keep going over the material but it seems like I have skill issues 😞
Did you read the hint?
what's the issue? maybe dm me
yes
I am fuzzing recursively rn.
I find the folder.
But (a) the first scan has another 28 minutes to go and (b) if I cancel it and start another in the subfolder, it finds nothing and (c) I have another 2 subdomains to look at.
so that's like
3 hours on the top end of things
I can't remember it taking so long
do you use this list?
|| /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt ||
In the two previous questions you found subdomains and file extensions. Use this information to get further
I am using all 3 subdomains and extensions
But I shall keep looking ig.
But then you should actually find what you are looking for
perhaps I need to just let it do all 1 million requests
If you get stuck, you can send me a dm. Then I can show you my way. But as far as I can tell, you're doing everything right so far
I found that some modules' progress seems to be rolling back, is it just me?
if they updated content, and added sections/questions then progress will reflect that
Hello, I am completing the Password Attacks Pass the Hash (PtH) task, and can't get to the david.txt file. Firstly I get access to the machine with administrator creds via impacket-psexec, then used mimikatz for PtH as david with ||mimikatz.exe privilege::debug "sekurlsa::pth /user:david /rc4:c39f2beb3d2ec06a62cb887fb391dee0 /domain:inlanefreight.local /run:cmd.exe" exit ||
/run:cmd.exe command. And if I'm trying to type ||\DC01\david\david.txt|| it just shows me Access Denied
I see
index**.**FUZZ > look at your list (might be adding something extra)
unless you're using the -e flag
oh you can filter for text with -fr '<Text/Regex>'
sorry -mr *
match regex
Yea, impacket doesn't "give" david's rights, try another tool.
I also tried CME, netexec and RDP, same shit.
mimikatz?
Can't you smbclient to the DC to access the file?
I'll try this one
I'm having trouble with host 2 in the Shells and Payloads module. It seems like it's a pretty common issue, but I keep getting the exploit to fail because of 'get-cookies'. I'm only being vague because I've already looked through here and it seems like this module causes lots of problems.
I have tried:
ensuring my vhost is set correctly
restarting pwnbox and the target vm
changing servers from US to EU
and using different interface addresses for rhosts
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
^^^
iirc you need to also make sure the LHOST, RHOST, and VHOST are correct.
Hi. When using netexec like so:
nxc smb 10.129.247.105 -u <user> -p mut_password.list --continue-on-success
it seems like it stops when finding out that <user> has guest access:
10.129.247.105 445 NIX01 [+] \<user>: (Guest)
and I'm expecting it to continue trying passwords in the mut_password.list for <user>
iirc it's --local-auth
since for single user it won't just continue on success
ah, I see
the continue on success is to go to the next user
basically
--local-auth switch also stops as soon as it discovers the user can log in as guest
Send a ss of how you set it up. Pretty sure I have a ss of that somewhere in my notes.
LHOST doesn't appear in the output of show options.
Can I put a video within a spoiler here? I can show the process that way
there's only one user? I don't think it makes sense for it to continue once that user is found
yeah it is
do you have a user list?
you should be using the mentioned exploit
the xxxx.rb
(the creds are on the desktop for authentication)
It's weird. I extensively looked up questions about it here before I said anything, after what I was trying wasn't working, and the only solutions outside of that were to restart everything and change servers.
Yeah, I'm using the 50064.rb from msf.
@next bronze I'm trying to get it to try all passwords in the given list for the user specified.
I have a password list.
I have already enumerated users on the system.
Checked for typos and everything. For quick reference before I share the output of my options, should I be using the 10.xx..... or the 172.xxxxx address as the RHOST for the blog site?
set vhost blog.inlanefreight.local
set RHOST <ip>
set username <username>
set password <password>
But a user can only have 1 valid password? Why do you want it to continue once the valid password for that one single user is found?
it's the 172 address
as it's on a separate internal network
That's the only thing I'm fundamentally not sure on. Everything else should be working fine but I've tried with both addresses and nothing.
Okay, finally I think I may have one more variable to share.
I'm using msf from the foothold that I am RDP'd into.
Is this correct or should I be running it from the Pwnbox?
that is correct
okay let me share my output
as you can't reach the 172 directly from the pwnbox/your vm
I figured, but due to these errors I was second guessing haah
if all else fails
close msfconsole, then restart it, and try again
sometimes that legit fixes it
@next bronze because I think it is just telling me that the user has Guest access as opposed to finding the user's actual password.
Of course... all progress is good. Just keep going.
ah okay you can remove the blank line in the password list then
ah
brother this isn't an idle chatter channel
read and follow #welcome to access more channels
see my second sentence
then reach out to an online mod or admin
just have patience
mods and admins also have lives outside of monitoring the discord
some have actual jobs that take priority over answering discord dms
@next bronze thx for the hint. It seems like it tries a password, finds it and is able to log in with guest privileges.
So it basically stops on every line.
SMB 10.129.247.105 445 NIX01 [*] Windows 6.1 Build 0 (name:NIX01) (domain:NIX01) (signing:False) (SMBv1:False)
SMB 10.129.247.105 445 NIX01 [+] NIX01\will:00000 (Guest)
Hmmm, something I'm not understanding here.
I have tried closing msf and restarting it, as well as the VM and switching regional servers! Like I said, these were suggestions I had found before I asked here. So it's like I got to the point where it's like wut... so I asked.
sec
Rhosts doesn't look correct to me
yeah
the RHOSTS isn't correct
the RHOSTS should be the ip of the entry in /etc/hosts for blog.inlanefreight.local
that's why it's failing
LHOSTS is the one that should be your ip
L - Listening/Local
R - Remote
Okay. So I may need to dig the blog site then?
I assumed the blog site was being hosted as a vhost from the device I'm RDP'd into.
I gotcha. And thanks, looking at the hosts file is a lot easier to see what the IP is for the blog.
Hi, CROSS-SITE SCRIPTING (XSS) Module — Skills Assessment. I can't get a callback on my Kali VM with sudo php -S 0.0.0.0:4004, plz help.
maybe change the port to 80
also whenever you're given a hostname, vhost always check the /etc/hosts file for the entry
or change the XSS payload port to 4004 so it can reach your machine
ok, let me try
thanks for the tip
Am I missing anything else? I still am getting the same issue as before while using the IP for the blog site as the RHOST.
.local not .htb
Haha jesus, thanks. I'm sure you know how it feels to be thrown off.
I originally had that before restarting everything.
There we go. All taken care of. Thanks for the good tip moving forward
I can help you. Send me a DM
Can I DM someone for a bit of help on the ffuf module for the filtering section ?
I just tried to do mimikatz from Linux, and psexec, and didn't see that mimi opens a new cmd. So I did the same but with RDP and everything was fine.
Just ask here
I want to avoid spoiling the challenge... it is about the filter option -fs. I don't know if I'm right and I need a bigger wordlist, or if it's a setting issue.
Filter out the common size
Don't use the fs from the example, use what you find through doing
That is what I'm doing
Need a hint on the Password Attacks module section Credential Hunting on Linux. So far I have managed to enumerate users and shares via guest SMB access. I've been trying to brute force the users' passwords using the password lists provided as well as mutated lists generated using the rule list provided. So far I've tried brute forcing the SMB service.
Use the wordlist presented
That's the one with the Firefox tool, yeah?
You need to get a base user first, try cracking ftp. Don't be afraid to look at the hint for the username (make it lowercase)
It's the one that has the Firefox tool and LaZagne.
goddammit
I didn't pay attention to my nmap output.
You're not gonna get will straight away
I was using the three users I found by RID cycling.
Rid isn't a thing on linux
Just checked the hint - had found that user.
But yeah
Well to be more precise
can connect using rpcclient
It's a thing added with samba server
then cycling the uids
But you don't need to necessarily do all that
I use it, I filter on -fs 986, I obtain only test and admin with size 0.
/etc/passwd
Either way. Make sure you save all users and passwords you find
You're going to need to log in as a different user before you're able to access will. That's my only hint
k* is the key
that's plenty good
I was actually bruteforcing the users I found, I overlooked the FTP service like an idiot.
I got fixated on SSH and SMB.
Not all users may have access to smb
I need to focus on enumerating better.
Yes. But I also didn't pay attention to the nmap properly.
Then slow down
good advice
I built the foundation using shaky assumptions.
Your hints helped, investigating new leads 🙂
Be prepared to spend up to 20 minutes on password bruteforcing
Just know hydra has a threads option to increase threads
Yes, I remember optimising hydra runs in another module.
netexec definitely not the fastest
https://academy.hackthebox.com/module/136/section/1288
Trying to fuzz the extension with burp suite
Using the https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst as the wordlist
Added ".php" as the word to replace
Replaced Content-Type with "Image/png"
In Intruder:
POST /upload.php HTTP/1.1
Host: 94.237.59.63:56164
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.59.63:56164/
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------372853939017620031634039361819
Content-Length: 255
Origin: http://94.237.59.63:56164
DNT: 1
Connection: keep-alive
Sec-GPC: 1
-----------------------------372853939017620031634039361819
Content-Disposition: form-data; name="uploadFile"; filename="shell.php"
Content-Type: image/png
<?php
echo "Hello World";
?>
-----------------------------372853939017620031634039361819--
This request works and shows "File uploaded Successfully" but when I forward the same request to Repeater it fails.
I'm on the same exact one. For me I can upload and go to it in the browser, however it doesn't execute, instead it just prints.
I can't even get it to show up.
When you're fuzzing, do you get 193 like in the chapter? Because I get 230 saying upload is successful.
All of the payloads return upload is successful for me
That's one of the weird things.
Something is wrong with your fuzz approach, did you turn off URL encoding in the payloads tab?
I removed . from it
Didn't turn it off entirely
That worked, Thanks.
Yes, confused about what you're asking.
Don't get a status code change, just a response length one.
All are 200
Also .phtml gets "extension not allowed" where in the chapter it's allowed.
I solved it, the solve was admin but it was unreachable with my browser, don't know why...
did your target time out?
Is it in your /etc/hosts?
Note don't put the port in the /etc/hosts file
No.
Just the ip
I saw that marcie 😄
Filtered out the ones which have successfully uploaded, now to see which one executes.
?
nvm, just me that's messed up. I read it as "Just the tip", thought you edited.
Yes, all good, in my /etc/hosts and without port, I reach academy.htb:PORT/
Mine does this.
idk if that's an error with my one-liner or part of the experimenting process.
Did you add the additional subdomain to the file?
You still need to specify port
It's not executing the code
It's part of experimenting
You have to try other ones to see which one can execute code on the server
^
Ah okay thanks, my bad
Instead of just uploading a webshell. Upload one that just runs the id or whoami command
Currently just seeing with this which one can execute code
That's for you to find out
Yeah, just trying manually now from the few choices
Can someone help me with the module Information Gathering - Web Edition? I am stuck on the last part, Skills Assessment question 3 "What is the API key in the hidden admin directory that you have discovered on the target system?". I found the subdomain and the robots.txt but can't seem to access the key.
Found the extension.
I got it!
Nice, I also did. Now uploading a real shell.
nice, thanks for the sanity check
No problem, Thanks for the tip to turn off url encoding also.
did you explore the folders from robots.txt
Yes, but I get 404 on every one except index.html.
did you enumerate through?
What do you mean?
found all subdomains and checked DNS records?
you found the robots.txt file, the API key is in it
You got a disallowed directory, one you would want to know why it's disallowed from search crawlers. Possibly there is interesting information there, right?
Guys, what is the difference between a tool and a script?
dns records?
Tools have a variety of uses; scripts generally only do one thing. And to expand, you generally only write a small script, but a tool is more reliable than just a script.
i.e. if you write a script to run your openvpn command, it's not really a tool... it's just a script to do a simple task
and what is needed to write tools?
i need shellscript for that
a tool can be a compilation of scripts, but a script itself is not a tool
no you don't
but a tool can be written in bash?
you can write a tool in python, C, rust, go
sure if you know what you're doing
A script does a small very niche thing that a tool generally doesn't cover
u have your own tool?
but usually you write a tool for multiple platforms
so you don't really want to restrict it to a shell language
unless you want it to be run on certain platforms only
i.e. compiling .exes for windows, .sh for linux
Thank you for the help, i got what was missing
smart naughty
please stop using those adjectives
so all files that end with .exe are scripts for windows?
yes
but u are smart
@fathom pendant no need to wait 20 mins 🙂
the other adjective
read the hint properly
yep
and it was easy
i was thinking they were executable files
they are
naughty?
once i read it
they are executable files for windows
yes, please stop
but u said they were scripts
i catch u baybe
don't call me baybe either
lol
if you continue i'll just block you and stop helping you
ow relax bro
these are also things you can just google
stay calm !!! chez
sorry the question, u are an AI?
?
i think you ask those questions to know if you are a script kiddie
u and kharaone have the same picture of a sexy daemon
bro is making ppl uncomfy and weird 💀
no idea dude
also not a daemon
Module: server attacks
Section: SSTI Exploitation Example 1
Can someone help me on the section I don't know if I should keep searching for the variables by directory or find a different method for finding the flag
Figured it out. The SCM was timing out the service request causing me to lose my shell
oof
For the updated "Information Gathering - Web Edition" module, is there a way to reset the section questions? Currently they have old answers to the newer questions...
no