#modules
again
quit/exit msfconsole
restart it
rerun the first exploit
rerun the post-exploit
alternatively (or as well) reset the target
I had 0.11
yeah same here but it is installed via apt on parrot, i'll check on a kali box
same on kali, installed via apt and this is 0.12.0.dev1
what i do with python, i dont know if this is a good way, i first check via apt if a package is available and not too outdated. If not in apt i use pipx and install the dependencies via apt if possible (python3-packagename).. if not i use a pyenv for a local directory and install via pip
reading this, i think this is kinda messed up but it works...
apt may not have the packages as well (usually it may)
apt is usually a version or so ahead of pip(x)
but it's also usually on the dev branch
Im starting to think i might save myself some grief just to run parrot os while i do the modules
try changing vpn regions
aight
also this is revealing spoilers so i suggest deleting
what are you running? should be ok on any debian based stuff
worked fine for me
ubuntu, but i'm starting to see it isn't the best idea. has been a hassle for the most part, and very heavy on resources
yeah ubuntu really wasn't made as a hacking distro (you can install tools on it)
did you set payload to x64?
rookie mistake
i didn't have to, msf set it for me
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
I literally get that same message too when using the x86, but the only reason im required to change is for post/exploit
which breaks x64 exploit
for unknown reasons
going to try something new
throwing yourself out the window? wouldn't advise that
if i just get stock debian and install my own tools would that do the trick?
they might not all be in the stock debian repos
kali and parrot are both Debian derivatives
anything works, depends on if you want to install everything you might need
and come with a fair bit preinstalled
also you're never gonna have "all the tools" there's always some new tool or something to find that does a thing you want
I like the idea of starting with a blank slate and building my own custom os sorta thing
Achievement Unlocked: God Speed
have fun spending hours finding and installing the tools you want/need and troubleshooting
no I went and changed from TCP to UDP and vice versa for the vpn
that didnt work either
god speed sp0derman
i could always get parrot and customize that instead, for the sake of saving time. thx for the advice guys
did you try restarting your vm/machine altogether?
as a note: for exploit 1; set RHOSTS and LHOST
exploit 2: LHOST and Session
yeah i can understand that, i feel like parrot is awful visually out of the box. But it could be a side project to build your own distro. if you are on the cpts path, you may want to focus on that and not on this
great advice. project for later.
i had fun building out my own PS1 for terminal
essentially i already know what i'm doing to get the flag but my sessions are dumbaf can somone just pass the flag (dm) because im just burning a hole in my brain
:D
I would advise looking into shells and wrappers for them if you're looking for cosmetics or functionality
otherwise parrotos is great
nah i just wanted to do something silly
out of curiosity what's your msfconsole -V output?
yeah me too! it switches the ip if i got a vpn or local networks... i was quite proud of my bash scripting prowess
nice
ah your version is ahead of mine
im on arch
that tracks (parrot opts to be slower to be on latest version for stability)
kill your vpn and try with pwnbox
i would hate to be like "just reinstall msfconsole" but it might come down to it man
o7 worst case is reinstalling whole OS
hmmmm usually the arch repo is good about releasing stable packages, and im using the stable repo compared to their testing repos
lmfao i already did
this is my main lol thats why im frustrated
yeah
this is why it's recommended to do this shit in a vm lol
easier to scrap and start over a VM
just backup files to Host and then fuck off :D
true but when i can spin up a vm on the spot my main patches the timeframe and i just got bored between im free hours
timeshift?
but yea this is fucky. cant because F2FS doesnt support timeshift or something about it
man running bare metal arch but metasploit fails.... on parrot script kiddie it works... that's a good morning irony : D
tho it might not be os related, what changed since your last working msf reverse shell?
did some of the modules go up in price? theres one I wanted to buy that i swear was 500 cubes but is now 1000. unless im misremembering lol
only if it changed tiers for whatever reason
but the overall module prices haven't changed
nah, same tier. i must have been thinking about another 1 then. (I have a few wishlisted.)
what's the fastest way to get cubes (FREE methods)
all modules of the same tier are the same price
git gud
compete in the CTFs
yea i want to eventually get the OSINT module which is tier4. it hasnt changed tiers.
yeah t4 has always been 1k
I find the modules more than fairly priced for the content.
that's HTB's main mission statement, they haven't even adjusted for inflation since they released certs
the subs and cert prices have been the same
its a great price for all of it tbh
glad to be here
ill eventually get my OSCP but the cost for OffSec is crazy...
g0blin has said they don't plan on changing that any time soon
thats good. ive recommended it to a lot of ppl as its good content especially for the price
you might also want to debut it before reinstalling everything
https://docs.metasploit.com/docs/using-metasploit/advanced/meterpreter/meterpreter-debugging-meterpreter-sessions.html
debug*
thank you, that recent keyboard is a mess of sensitivity
CME works fine, but Hydra is throwing errors. What could cause this?
hey does anybody know why my hints won't pop-up it just resizes the screen?
could be smbv2 issues
iirc hydra doesn't like it
adblock/pop-up blocker?
Using what you learned in this section, try attacking the '/login.php' page to identify the password for the 'admin' user. Once you login, you should find a flag. Submit the flag as the answer.
yeah well, i'll let that there, we never know
might be a long shot, but did you try using the techniques taught in the section to attack the /login.php page
Thanks. Finally got that module complete. The hint on the API key led me off a false trail trying to do things with the hash.
yeah ReconSpider kinda stronk (for simple things)
props to PandaSt0rm for the simple things :)
Thats what I was thinking but it has worked before I will try messing with that thank you
it was set to allow this time I whitelisted hackthebox too
same result.. Is there a way I can bring it up by inspecting the page?
I can see it activating when click the button but won't show on the page
message support
Hello everyone
ok
hello
Did you solve it? I only came as far as that part yesterday. I think I have an idea of a potential avenue though.
After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.
Am not getting any answer for this
I have used : python3 ReconSpider.py http://inlanefreight.com
is your results.json file empty? do you get errors when using the tool?
is there anything in the error messages that can help you figure out what might be the issue?
I send u on dm
Hey guys
I can’t open this files after download
hello guys
I'm stuck in INFORMATION GATHERING - WEB EDITION - Skill assessment
i found the path of admin but can't access this
any hints?
did someone solve the scraping part from Information Gathering -> Web Edition
Hey guys
I can’t open REPORT EXAMPLE files after download
which one?
this one
Maybe you should try another method of enumeration
you should remove the directory name, because it spoils it for others
Like subdomain enumeration, vhost enumeration
okay
did you update your /etc/hosts file with the newly discovered directories?
no
you are nearly there if you got the directory and the correct subdomain. try to see if there is anything you can add to the address that would signal it is a directory you are looking for
If you still can't find the answer
DM
@karmic girder you're looking to find other subdomains, you will want to enumerate to find those and work from there. Basically, find subdomain, crawl the path, and work from there. If you've done enough to find something after crawling the inlanefreight.htb base domain and nothing is there, chances are there may not be something there. So look to discover new subdomains and repeat the process
another one from w.... ?
XD
👍
Does anyone else have connectivity issues working on labs/exercises? Is it normal for the platform? Like the RDP session keeps dying and I can't even ping the target for a few mins. And nmap scans get ruined when it dynamically adjusts its timeouts to be massive after it keeps not getting responses back
Whats the response time when you ping the spawned target IP?
Atm I'm still not getting any response to ping
And I terminated it and spawned a new one. It worked for a minute and then died again
target might not respond to ping requests. But did you try to change your vpn config file, change location, see if there is one with low load, use tcp, etc
anyone have some suggestions on installing bloodhound on a parrot VM?
It does respond to pings most of the time, but then it dies and I can't ping it, can't connect to services any more, and sometimes it's just super slow/intermittent. Feels like it's been worse over the last few days and wasn't sure if it was common for others.
I'll try using tcp vpn
Thank you for your help
i'm not connected to any box at the moment. Sometimes rdp can be slow, there are ways to reduce traffic from xfreerdp like:
```
xfreerdp /u:anonymous /p:<password> /v:192.168.1.0 /dynamic-resolution /auto-reconnect /cert-ignore /timeout:200000 +clipboard /network:modem /compression -themes -wallpaper /audio-mode:1
```
there is a version in apt repos, and there is the community edition directly from specterops.
they are not quite the same last time i checked
If you're using your own VM, download a different VPN connection file and choose TCP instead of UDP for the connection. See if that helps
i was trying to install the python version and kept going in circles. apt for the main GUI repo worked
you are speaking about the collector from a linux host
yea
one of the supporting modules throws a python version error. unsure how to install it using my pyenv that has 2.7
you can set any version of python with pyenv
yea i get that, but how do i do that with "pip install bloodhound" ?
I used pipx to install it and i think, if I remember correctly, installing the dependencies using apt python3-<packagename>
you can set pyenv local <pythonversion> when you are in the folder
is pyenv local only for that specific folder youre in?
yes
i tried setting it to 2.7 and still get errors for python version lol
i think so
you dont want 2.7 for bloodhound-python
the 3.11, i guess is ok, must be the one you got in your system
yeah like a charm usually
the thing is when you use normal pip after that, it might say: no i dont want to install because you use an externally-managed-environment
ah, good to know
on another note, bloodhound looks pretty cool. i thought i was going to have to use draw.io . this looks much better haha
yeah, it is really cool, just looking at those edges, then all the commands to exploit a path, it is really well done
yea definitely. pretty good for FOSS as well
im sure the enterprise version is just a nicer gui haha
with gold handles... i found there were fewer options in the latest CE than the one in the parrot/kali repos, but maybe i'm mistaken and i've not checked it in a few weeks
interesting
it could be the case
is the skills assessment for AD Attacks a long one?
i'm really not the good person to answer that question as i'm always taking way more time than what was announced on the module : )
Thank you
👍 thank you
Working better now?
i hate doing anything rdp due to the connections. if you can, try using evil-winrm. i much prefer a cli lol
Yes I was using the Pwnbox VM they provide but seems much more reliable when I use my own
fyi, i will sometimes switch. sometimes the pwnbox is better, othertimes my own VM
cool 👍
for the cpts exam if that's what you do, it is better to have your own vm with all the stuff installed
thats why im trying to use my VM as much as possible
so i dont have to troubleshoot missing tools/stuff missing.
well, that is post training i'd like to have a VM to actually do things lol
yeah and in pwnbox i had to switch wallpaper and colors... that can also take some time : D and then there is the tmux conf and so on
hahaha whys that? didnt like the scheme?
haha i havent seen it in a long time but it was quite flashy if i remember correctly, green on black or something, and yellows
yea. i actually thought it was alright. but each to their own i guess haha
yeah totally! it's not that i found it ugly or whatever, it is just that so much screentime was killing me at the beginning of this cyberstuff journey. Now it is fine tho
ahhh, yea that makes sense. im used to all the screentime so it doesnt worry me tbh
Hi guys. Just a short question on the Navigation (Linux Fundamentals) Module. I’m stuck at the first question (it says “what is the name of the hidden history file in the htb users home directory?”) probably I’m just too dumb but I did:
SSH (successfully)
Found the file (it’s .bash_history, right?)
Tried to cat it (gave an output but was a wrong answer)
And I tried to ls it (but there wasn’t any name there)
hello : ) maybe re-read the question, or your message. It seems to me you already got your answer
ls -la
Yep already tried that
what is the name of the file you found?
Dude I just sat here for half an hour 
i didnt get it at first too when you mentioned catting that out
I thought I would need something different than the file name 
Genius incoming
and they say when you formulate a question you might click on what you are missing.... haha
it should be pinned
Pin it
As I said. Genius incoming 
yeah on my wall for the sad winter days... lol
that's your first question ever on the academy?
That’s me 
Nah. But I think like something around the fifth
but i feel you, the simplest question may be hard to answer because i would think: it could not be that answer, it is too simple
no please, thank you for the good moment : D
this : #modules message
@next bronze Hey dude you around?
sup
last question?
yeah the fabricorp DC
dump things in the previous dc and check for gpo
dump things?
yeah, when you get admin on a host, dump the usual stuff and look for creds
ty
Ahoyhoy, I am pretty new to this stuff but having fun with the Linux fundamentals. But there is a point where I try some stuff while SSH'd to HTB and the command line becomes stuck? It vanishes and there is only a blinking cursor. Tried Ctrl Z, Ctrl C and \ but nothing helps. I feel quite dumb xD
you are still able to type?
no nothing
i have not really experienced that, but i would think that the ssh connection died. Is there particular stuff you were trying before it happens?
last thing I tried was: htb-student@nixfund:~$ more /etc/passwd | sort
and it happened a lot when I tried ls -la in large folders
and all that happens is a blinking cursor on the far left without anything (like the htb-student stuff)
you probably have a bad connection, choose a closer vpn server and use tcp
also ~.<enter> will close the ssh connection if you're stuck
I will try, thank you all
why isnt this working
is your vhost added in /etc/hosts?
yes you did. so maybe it works like that, i don't know mate
Hey I have a question on the metasploit module in the Evasion section (Firewall and IDS/IPS evasion). In the end it talks about archiving payloads and stuff. But if I archive it and manage to transfer it to a windows machine. I will need to unzip it on the windows machine and execute it? Im kind of lost here. I dont get what is the point of bypassing av just to transfer the file if it is going to get detected when you want to execute it... Unless if executing the archive would exec the payload. PLS help thanks...
server side attack skill assessment isn't as fun as the module lol
it's just to keep it undetected in storage
If i am running an Ubuntu host off of a persistent usb drive and then from there run a parrot os vm to do my modules, am I asking for trouble or will this technically go smoothly?
yes
it will likely be messy
USB is already a shaky thing to use as a storage media for your OS
as it's not meant for constant R/W and often has a lower R/W than SSD/HDD
thx for the feedback. was trying to find a shortcut, but looks like im starting from scratch
just another quick question. do I need a windows install handy to do the modules or can it all be done from linux? Thinking of maybe ditching windows and be done with the nonsense
most of the stuff is done from linux
but i wouldn't recommend doing it on your host system
doing pentesting from your host is a recipe for trouble
I'd highly recommend having a windows vm available, makes it much easier to test things
just want to set this up properly, sorry to bother with noob stuff
use windows servers btw, those consume way less resources
what do you have at the moment?
i was running ubuntu off a usb drive and it was going great installing my own tools but yesterday i got stuck trying to run mssqlclient, tried everything. so now i figure might as well just run parrot and save myself trouble with tool installs
so you have a windows host? why not a vm?
i thought running off a usb was safer, but maybe I'm wrong?
Although it will be detected once unarchived right?
so its only useful for file transferring malware
yes
Alright. It's kinda pointless then 😦
I need to do the new module windows AV evasion 0_0
looks so nice :p
I was worried about someone trying to escape the vm into my host, thus running off usb
yeah for what we do, like ethical hacking stuff, a vm is safe enough i guess
running off usb would be way easier to move to the host compared to a vm
geez, looks like i was dead wrong then huh
i thought it would containerize it
stuff in the usb are just regular files, stuff in the vm are contained
^
really appreciate it guys, gonna act accordingly
bah we may read to run tails on usb stick and move places every day... but... it is not for the same purpose
hello, is an admin here please ? can i dm ?
Why?
if you mean staff --> message support
well if you're downloading a file onto your host instead of in the vm lots of things will trigger alerts
heuristics btw
i'm not, i only try to go on the page
well whitelist academy
there's nothing inherently malicious on webpages
it's likely detecting a code block on the page as a backdoor code
meaning it's doing technically what it's supposed to
it's just a standard powershell payload, the AV scans the website for potential threats and alerted you
if you whitelist *.hackthebox.com/ on kaspersky you're fine
but discord admins aren't staff
is it possible your AV is reading the page content?
yes, it is
it's a similar thing to taking notes and your AV detecting your notes as having malicious code
it's detecting the text itself as malicious code
which is funny
ok i will, thanks !
i cant find any subdomains or pages
are you using ip:port?
or inlanefreight.htb:port?
what does your /etc/hosts look like
ip:port
try adding the ip to your /etc/hosts
then do -u 'http://inlanefreight.htb:port'
is the port in your hosts file, if so don't
I also suggest re-doing (at least for mental sake) the other questions
since they have changed
that's in the first subdomain you find
i used the subdomains 110000 file to find it
from DNS or from ffuf ?
from ffuf
lemme try dns jhadix
you don't need to use any tools besides what's shown in the module
@candid lily just spun up a host and got the subdomain
see if it finds anything if not use a diff wordlist
i used the subdomains-top1million-110000.txt as shown multiple times throughout the module
im trying that now
i think the wordlist you showed was the 20000 list or a different smaller one
dns jaddhix has 200k
not all wordlists are created equal
the word that's in the one list might not be in it
ran a quick grep on jhaddix, and the word is not in there
yeah only 2 wordlists contain it, and the other wordlist that has it is 600k words long
also don't forget about subdomains of subdomains that may exist
I will say ReconSpider is super helpful
as you can cat results.json and read the key values with jq
jq -r '.[key]' so jq -r '.links' for links
at this point you might as well give the answers : D
*the one from the Creepy Crawlies section
nah just to avoid repeating questions
If i wanted to give answers i'd just tell explicitly what to look for
¯\_(ツ)_/¯
damn thanks never would've expected
how does some questions give cubes still
no complaints here
is it extra cubes or they changed from tier1 to tier 2
tier 3 modules should be reduced to 250 cubes, even with platinum sub its like just 2 modules per month
it's just the additions to the module itself
they didn't change the tier afaik
i don't think it was tier 1 previously
Tbh. I think 1000 isn’t too high. The content is great. Especially the cwee ones
Maybe if we compare to other training platforms it is not that expensive.
500 is t3, 1000 is t4
if i can give tips, don't use windows rdp, it's laggy and inconsistent. you can actually do everything from your linux host and if you need some file from a host, just dld them to your box and do it from there
first section on windows event viewer where you are tasked with drilling down into logs to gain info. xfreerdp /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.205.123 /dynamic-resolution and it would error, not connecting
it would attempt to I just closed my VM I will try again after
and the vms from htb usually work fine, so if you can't connect try to reset the box
maybe a syntax, does the password contain characters such as !@$?
try to '' everything
put the /v: first
single quotes tell bash to interpret as a literal string
she has the pw in single quotes
i was trying to say 'string' everything
nah it only matters in the pw
right
the whole password is wrapped in singlequotes
Bro is playing a game not even in chat to read the support messages 😭
which is fine
they literally said they'll come back to it later
xfreerdp /u:Administrator /p:'HTB_@cad3my_lab_W1n10_r00t!@0' /v:10.129.205.123 /dynamic-resolution so it's easier to see @muted jacinth
my only other thing would be asking if you were connected to the vpn
(if using pwnbox, don't worry)
did not see that when i wrote my message
generally, wait at least 5-10 minutes after asking a question before AFKing
that way you can test feedback before giving up and doing something else
otherwise people will be waiting for you to try the thing and seeing if it worked
or at least tell people "thanks i'll do these later"
otherwise most assumption is you tried the feedback and it worked and problem solved
or you end up re-asking the question that others had already spent time to answer
just 2 cents, rdp can be sluggish but if you have to wait like 5 minutes there is another issue
i can't even wait for 2 minutes tbh
sometimes it's just backend
HTB recommends to wait a few minutes for the environment to fully spin up
thanks, I was mostly asking if others had an issue with the RDP I terminated the box to try again after I also have more than one device with VMs on so I can be working as well, but it's cool ignore the question lol
he wasn't ignoring the question lol
just adding onto things with his own thoughts
friday troubleshooting, not much other thing to do... haha
no I am saying I retract my question
since no other meaningful attribution aside from what's already been said
Ah ok
¯\_(ツ)_/¯
you want help? you got help lol
no need to delete though, in the event someone else asks the same question
overwhelming help
no not overwhelming help I am aware this is a busy forum and didn't want to keep it busy with something as noted is not being addressed by me right now
as long as you come back to it it's fine ¯\_(ツ)_/¯
you posed a question and said that you won't be working on it right now
you set expectations that any help offered wasn't going to be immediately addressed
it's not like you posed the question. went AFK for 3 hours. Came back and reasked the question
(which does happen)
yeah I am fully aware questions get asked again without any intent on trying it out for themselves, I deleted it so it didn't crowd the busy forum
but thanks @fathom pendant I will try moving v:/ to the front of my syntax when I try it later
again you don't need to delete
This got way too complicated for no reason
people are free to ask questions whenever, you shouldn't be afraid to "Crowd" the place ¯\_(ツ)_/¯
that's literally what this channel is for, helping people
ikr
this is the problem when you unleash a few weirdos with odd connected brains on a helping channel... but i try to not add anything to this
Weirdos?
is ptunnel-ng sometimes unstable for anyone else ? like works for a while then suddenly drops and you have to reconnect it ?
Which modules in the SOC Analyst paths have practicals (i.e use of workstation) as opposed to pure theory?
maybe it's me but ive done everything in the new info gathering module but i cant find any subdomains. i used ffuf, gobuster, and AutoRecon and its not giving me anything
can or cant
also it depends which wordlist u use
can't... sorry
i am using the sub...top1million-110000.txt
and what is the command u are running with ffuf
if you scroll a bit up, you got all the answers
or do that 😂
not very far away
Yeah
very not not far away
i did lol
What's your ffuf command
so what is the command u running
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://94.237.51.241:48481/' -H "Host: FUZZ.inlanefreight.htb"
do you get any errors?
and dont forget to filter size
if you got errors, likely the server crashed
if no errors
you add ip to /etc/hosts?
^
the best thing to solve this is asking yourself: "What would ippsec do?
i do
lol
yeah yeah you lolz and all but.... i know i know
maybe check your spaces?
make sure your hosts file u didnt include the port number
It's not required to add the ip to hosts when using ffuf
Just ran it against his target from my pwnbox and it worked just fine
- and gobuster
gobuster is better to add to /etc/hosts
hey team,
before posting this question i did attempt to scrub thru discord. also some chatgpt action. when running nmap scan, i only get "1000 scanned ports are in ignored states" " 1000 filtered tcp ports (no response)". i tested turning off my host firewall, then tested with enabling icmp echo requests in the firewall. stuck on what else to try.
What academy module are you working on?
what would ippsec do?
If it's not an academy module, read and follow #welcome to access more of the server
I take it you're using pwnbox?
Because it all works fine on my end
so unsure what's going wrong ¯\_(ツ)_/¯
isn't pwnbox file structure dif?
errors, maybe ffuf got 9503 errors
i am using the pwnbox
I'm using my pwnbox so any issues should be replicable
Make sure to run ffuf in full-screen or with -s
Ffuf doesn't like non-fullscreen
@wild sinew did you try capitalizing HOST?
Just the first starting point meow exercise.
There's a #starting-point channel
I haven't used it in awhile, thought I saw some modules with a diff file structure and some with /Seclists/ instead of /seclists/
Default is SecLists, but ig pwnbox is normalized to lowercase
nope
screenshot your ffuf output
I've had brainlet moments of inlanfreight, inlanefright
They can't share screenshots unless they verify/link account
Following #welcome
if you have set a -fs flag, not the 110000 lines
I heard there is a software with algorithmic predictions about the future, can I get information about it, I want to learn
the middle part of inlanefreight is typing in a satisfactory manner
i just messaged you @wraith pelican
mh hard to say what's real brother
This isn't the channel
i can do the same thing i predict in 100 years from now we all are gonna be five feet under
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u 'http://94.237.51.241:48481/' -H "Host: FUZZ.inlanefreight.htb" -fs 120
try with fs 120
@wanton idol Here we have two and a half meters 😂
I'd rather explain why the filter size
it should work
because he sent me a screenshot
does that exclude all that includes the size of 120?
I meant the reason as to why we are using that size filter
fs means you are getting rid of all responses that match that size
understood! thats the switch i was looking for
which will only show other file size that will be your answer
It's not gone over in the module because this module uses gobuster
so when you see ffuf output all the same kind of line, you should look at what is common between those lines. Here we see the size is 120, so we may want to filter the ffuf output. Thus we are applying the -fs 120 size filter to our command
used to use gobuster alot but then once i learned ffuf i have never turned back since 😂
we might also add the flag -ac, for auto calibration, so ffuf filters out all by itself. But that's not a silver bullet, sometimes it might filter things we want
@wild sinew ffuf --help will give you the help output that explains a lot of the flags
So you don't have to rely on others to read the manual for you
man <tool>, <tool> -h/--help are 2 commands you should get familiar with to help explain tool functions
thank you for the assistance
did it work?
sure did
you got the command right in the first place though, the -fs 120 doesnt change anything but the output we see
^
You just weren't providing enough info for us to push in the right direction
Don't forget to add any found subdomains to your /etc/hosts
and then refuzz for any sub-subdomains
the first thing i did
👍
No, you provided minimal info
If you had said "I got a bunch of results, but none are right"
That points to where to help you
Even without a screenshot
I guess it is more a repetition thing, i've just been active on this discord for a few days and it is all the same questions about the same module. All the answers are there, a bit of a scroll up, somewhere, a search away. It is kinda astonishing, for me anyway, I barely used discord during the cpts path, and i find it really curious.
Well most people don't know about/utilize discord search feature
it's me again, so I re-tried the rdp (I downloaded a new vpn config and as academy 2 was really busy I moved to academy 4). I changed the syntax, it worked and I connected via RDP, now it is timing out. ill attach the screenshot
Make sure you only have one vpn running
yeah I do, I had the session running was about to open event viewer and then connection dropped so I just tried to pick it up again
Reset the target
ok will give it a run, thank you
guys, I try to do the modules (CPTS) without using PwnBox but my own VM through VPN (academy vpn)
but I cant ping the target
The target can be pinged, I did earlier when I was doing the module through PwnBox
Is the pwnbox still running?
yes, it is (115mins left)
you can try to sudo killall openvpn, then reconnect
you also can try to add some flags to your command, some might be useful
xfreerdp /u:<user> /p:<password> /v:192.168.1.0 /dynamic-resolution /auto-reconnect /cert-ignore /timeout:200000 +clipboard /network:modem /compression -themes -wallpaper /audio-mode:1
and my tun0 interface has IP from the VPN
Terminate the pwnbox
on kali VM
Tried it once, will try again
You do not need the pwnbox running to use the vpn
no, the pwnbox is not running, the target is
thanks I will pop that in my notepad file
worked after 3rd spawn
the try harder thing wasnt so stupid in the end
it seems like a normal record to me
The way I overcomplicated the updated Web Recon Assessment question smh ... at least I got to dig through ReconSpider tool
Yep
Comments are great
I recently redid it (all the questions, not just the last one)
When you do a 'get .profile' in a remote share while forgetting to switch directory from ~... 😅
Imagine IF the module's author were evil 🏴☠️
it was a good reminder for me to just do the simple stuff
K.I.S.S. method never fails
most of the sections, if you follow along the examples you got the answer
sometimes with a twist but really reasonable
"Hah it wasn't my fault"
2 seconds later
"It was my fault"
As long as you understand the underlying material
i guess sometimes answering the questions obscures the material
When trying to outsmart the question ends up outsmarting yourself
hi
yeah maybe, for me it is more like an embarrassing thing to answer and when it is done there is room to try to figure out stuff
hello
if I had to work helpdesk they would be afraid to have me on the phone lol
Yeah you'd be fired day 1 "have you even tried restarting it"
i think I would help them so much it would be awkward
Most help center call times are 10-15 minute calls (give or take what's being supported)
from what i can gather, it is likely to be "add it to /etc/hosts", i could be super efficient perhaps
It depends
ffuf doesn't require it to be in the hosts file as it's pulling the header from the supplied -H flag
lol you are telling me this!! we debated about it! :D
I even tried both ffuf and gobuster through burp and wireshark to prove to myself i was right
Either way. We're derailing the channel
ha
Lol lucky
Hi can anyone please help with running mssqlclient.py in the "Footprinting MSSQL" module of "Pentester" job path? I keep getting the same error and some Googling shows that it likely requires a reinstall of Impacket, but whenever I try to add or remove the existing Impacket on my Parrot it just says that it's an "externally-managed-environment". I'd appreciate any help!
anyone have experience fixing this issue?
For reference, here's what I keep seeing:
You don't need to specify python3 and the filepath btw
sudo pip3 uninstall impacket --break-system-packages && sudo pip3 install impacket --break-system-packages
if you're on parrot just try to run impacket-mssqlclient, no python whatsoever
That's just msfconsole saying you don't have a db connected
That works for the apt installed version
tracking on that - I've run through the troubleshooting stuff in the module for MSF Databases to no avail
This worked for me. Thank you!
You also don't need a db to use msfconsole (unless you're planning to use its db-related features)
yeah but its not connected - its module Meterpreter from Using the MSF section on CPTS academy path
Can you run msf commands?
This is going to probably be a very simple answer. So I have investigated the event and I get to the XML view, but the only executable is services.exe; there isn't much else. Am I in the right place? Any hints would be great
Do the same investigation tactics as shown in the section
those still use python btw, they're just installed with apt
Hint: it deals with the Logon ID
i mean no need for python3 before the command and no need to break packages
I mean it's already installed in pwnbox to not need the path either
should use pipx to install impacket, that's the recommended way
they will set up the venv for you
Don't think pipx is on the pwnbox
And going with least troubleshoot effort
it is on pwnbox
this is what I get when I run a db cmd
is it ok if i ask for feedback on my setup again?
on parrot it is installed with apt and their command wasn't right
Before launching msfconsole did you run sudo msfdb init?
yes & re-init
I'm saying impacket should be installed with pipx and that is on pwnbox
maybe this:
systemctl start postgresql
systemctl enable postgresql
msfdb init
do they have the rights to do this on pwnbox?
still not connecting to the db
yeah, you have root perms on pwnbox, it's just a vm after all
i'd rather try to use the correct command and then re-install if that doesn't work, but that's just me
yes, it worked initially but after starting a new instance after stepping away for a few it won't work anymore
I'd just use my vm tbh, even if you fix it now you'd have to do it again every time you spawn it
inside msfconsole:
db_status
db_rebuild_cache
well i would bc i prefer Kali, but I'm also unable to connect to the VPN (have a whole other ticket submitted for that lol)
Are you using sudo?
could try anything on a vm, why is it msf5 though
no clue lol its pwnbox
is anyone experiencing any errors when using ReconSpider.py? it doesn't give me an output file when completed
No results.json?
nope
worked fine for me ¯_(ツ)_/¯
It's either results or Results.json
I forget if it's capital or not
like they said earlier, maybe just restart the box as you will not be able to upgrade it
It's likely a message meaning that as of msf 5 it's deprecated
It's using msf6
this shit makes me want to drink lol
ok
i mean is there a way to run that without connecting to the db and you can still go on with whatever task you are doing
for sure, i'm just trying to follow the material so i can use it later - im taking copious notes
not a bad idea to finish the module & move on
could it be done with an nmap --script?
the weirdest thing to me is it was working fine until I launched a new instance lol
stupid work meetings lol
i got all the same result except "Database not connected" lol
manual nmap is almost done I'll probably just take your suggestion & finish this one the boring way lol
and a dumb: nmap localhost, do you see a postgresql port?
so what is this telling me?
seems like something is just really broken
hahaha yeah no doubt
I submitted a correct answer but I'm not sure why it's correct - or if I even reached it the "correct" way. It's obviously spoilers so I won't write it here, but would anyone be willing to please go over a quick thing with me regarding the Footprinting module in private?
when you google search for the issue it appears quite a bit. there are solutions or things to try
what module?
this is what i get when i run ReconSpider.py
bro
it means you can't write to the directory you're in
It's the Footprinting module
thanks, ill play around with those - do any catch your eye?
yeah the one answer is indeed, not a default MSSQL database
i would try anything that seems to make some sense
this is always more or less about the database, depending on what you can do on that box
read the subsection: MSSQL databases to see what the default ones are
I know what the answer is, I just have no idea if I got it the "right" way or why it didn't show up when I used other methods
that's literally all the question is asking: "of the listed databases, which one isn't there by default"
wdym "right way"
there's multiple ways to enum
mssqlclient.py comes with some built in tooling
but the method shown in the module also works
select name from sys.databases
if you got the answer, it's a way to do it
there's no 1 exact perfect way
the only wrong ways are the ways that don't get you answers
So I was trying to use the method they showed us during the module but I got no responses from the server (I'm not sure why) as you can see in the screenshot.
Eventually I went through every command in "help". I tried using enum_db but got no response, then I used enum_users and got kicked out repeatedly (both of which I have no idea why)
Finally I used enum_impersonate which changed "master" to the answer but I'm not sure what that did or why that matters
that's just mssqlclient being dumb
this may be a dumb question but what do i do if the local host is refusing connections on the port?
pipx uninstall impacket && pipx install impacket
Meaning what? I just don't get why none of the methods I tried first worked, or why the random thing I ended up doing DID work. Like I answered the question but I feel I've learned nil
mssqlclient can be broken maybe
basically sometimes mssqlclient/impacket breaks
if it's not giving you any output
and reinstalling generally fixes
it breaks when you install it with break-system-packages :D
that's why you use pipx
that's why i use it yeah
So using "SELECT * FROM master.dbo.databases" SHOULD have worked if mssqlclient.py wasn't lame?
but no, impacket is apt installed
on parrot it is iirc
generally yes
but you'd want to use name instead of *
Yeah, that's what they said too. Is it because using * would just output everything stored on master.dbo.databases and not just the database names?
you should post the entire command you use to call impacket etc
i know the course says to use mssqlclient.py but it is likely you could have to use: impacket-mssqlclient
also master.dbo.databases isn't an object
try with sys.databases
usually it would send the error and tell you it's not an object
just did it with the quick reinstall of impacket with pip and it works fine for me
¯_(ツ)_/¯
i can't figure out why reinstalling stuff that would be installed and working out of the box
it's an error that likely happened when pwnbox was updated
are there any good resources out there for building XML queries? I have answered both questions for the sub section of Windows Event Logs & Finding Evil but I stupidly terminated the box before re-tracing my steps. I will go through it again tomorrow but wanted some material to help understand how they are built to read/watch before bed
I believe there is an error in the new Information Gathering - Web Edition inside the Web Recon - Skills Assessment section
Can anyone confirm? Can't even ping the vHost
I got parrot os installed and I am on the footprinting Oracle TNS module and section. I was asked to run a script to install odat, which I did. I then went into the odat folder and added the execute permission to the file with chmod +x and ran the command specified in the section to test the install. I get the result output in the picture
here's a microsoft article
did you add the vhost to your /etc/hosts?
is odat.py in that directory? is the simple question
yes you can even see it listed in the pic i provided at the top
i had run ls right above the screenshot
Yeah I read through a lot of them around the event viewer, the first part made sense once I knew what I was looking for, but the second question where you use the previous event to build the XML query to find the desired event is a bit hazy. You suggest the Microsoft documentation is the best point of call?
ok so following the section, they use the unique Logon ID to filter the query which is drilled down through the EventData tag
i did the chmod prior to the result i posted and even verified to make sure it is indeed executable by owner
the way that the Event Viewer xml files are named it's under Event Data --> Data Name; since multiple sections have a "Data Name" Tag we use @ to specify which Data Name we want
import cx_Oracle
Sorry if I am taking up time, I am going through cancer treatment so sometimes I get mind tired and ask dumb questions. I have read your below comment as well and I will put that in my notes and I will try a re-run tomorrow. I need to sleep, it's GMT+1 here, thank you
pip3 install cx_Oracle
it wants to force me into a venv
odat is installed by default on parrot, i think. what if you type just:
odat
no problem just think of it this way [Tag1[Tag2[@Name='Text tag']='filter']]
at least i got the mssqlclient to run... baby step..
This part describes how to install instantclient, CX_Oracle and some other python libraries on Ubuntu in order to have the ODAT development version. Don't forget that an ODAT standalone version exists at https://github.com/quentinhardy/odat/releases/: It is not required to install something to use the standalone version
at this point we need human sacrifices
works!
i believe they added it to the repos relatively recently
Thank you
thanks. but fr i just followed instructions in the module exactly, so not sure if this should be modified to just run sudo apt install odat instead of that script
much appreciated
the module was created before it was added to repos
fair enough
but it could also not be in all distros
¯_(ツ)_/¯
installing from script also worked just fine for me
user error i suppose, although i did check and triple check before coming here
hello guys,
AD attack enum module
ACL attack enum
i don't understand this explanation
So, to recap, we started with the user wley and now have control over the user damundsen via the User-Force-Change-Password extended right. Let's use Powerview to hunt for where, if anywhere, control over the damundsen account could take us.
i have the permission for damundsen but i don't change the passwd
how to check ACL controls with the damundsen account because we don't take this account
convert their samaccountname to sid, then use powerview to filter for that sid
I don't quite understand how it works in the background
i believe that section shows you how to do it
you don't need to worry about how it works too much in the background
This section shows that we have privileges over the user, but I don't understand how we can perform queries with their privileges without changing their password.
oky
oky
in short though: it looks up the Object then sees what SIDs are attached to it
you are not querying with their privileges. you can query what privileges they have
understand
Hi
I need help with the "Attacking Domain Trusts - Child -> Parent Trusts - from Linux" section of my lab. I've been stuck here for quite some time and am unsure if my approach is correct.
I'm attempting to extract the NTLM hash for the user bross using secretsdump.py. Here is the command I'm using:
secretsdump.py INLANEFREIGHT.LOCAL/htb-student_adm@172.16.5.5 -just-dc-user bross
I need to know if this is the correct way to obtain the hash for the user bross from the parent domain (172.16.5.5 INLANEFREIGHT.LOCAL)
follow the steps in the section
^
Yeah, that is what I did for the last two days. This is pretty much the last step to get it, but I have not been able to get the hash. That is why I need to know if this is the correct way to do it. Because there is no mimikatz in PS of the machine I get the SYSTEM shell
start with a child; then use the administrator
the raise child gives you some interesting things
But how to get the hash of bross from administrator System shell
look at the output of raiseChild
it's right there
you're not using the admin shell
you're using the admin hash
you got shell on the parent domain?
it's what raiseChild.py does
I mean there are multiple ways of dumping domain hashes then
you don't have to use mimi
the official guide tm shows using raiseChild to grab the admin hash, then using that with secretsdump to grab the hash for bross
yeah that's one way to do it
I understand now. Thank you very much, Marcie and Xre0uS. I appreciate it. I got the hash now
i mean is the other method you're thinking extracting SAM/SECURITY/SYSTEM hives?
since... admin?
I did that, and I received a lot of output, but I did not get any hashes of bross.
or extract ntds
that's the one
ntds
the method they want you to use is secretsdump
but many ways to crack an egg
this could work, machine hash is in security and use that to dcsync, but that's extra steps since you would already have admin hash
yeah the main point that's focused on is the DCSYNC aspect
anyone good with DSQuery and ldap filters? lol
i've tried a few i thought would give me my answer but i'm not getting any returns
All the LDAP filters you need brother https://ldapwiki.com/wiki/
found a cheatsheet recently; bless up
thanks team
im still struggling to get the answer i need
I need to find the flag hidden in the description field of a disabled account, with admin privileges
chatgpt is great for creating ldap filters
that's what she said
lol
Can I please get an admin or someone who works for hackthebox for assistance
need to change emails on my account as I'm locked out, if that's possible
no one in this particular channel will be able to help you with that
i'd suggest using the support option on the site, and submit a ticket
I'm working on the IPMI section of the Footprinting module and am struggling with obtaining the cleartext password. I did the ipmi_dumphashes and hashcat wants to take days to complete. I am using mode 7300 as the IPMI section speaks to and just waited almost an hour and a half with no results, then hashcat decided to keep running with an end time of Sunday. I used hashcat -m 7300 <fileName> -a 3 -S -w 3 -O. Where am I going wrong?
Hey guys how should I start Bug Bounty ?
what wordlist?
you did something wrong, probably wrong wordlist. i cracked it in 1 second.
for training
don't use -a or -S or -w, just -m and -O
I hadn't used one, but I've used rockyou in the past. Any recommendations?
Okay
rockyou is pretty standard, try that
Okay, I'll give that a go tomorrow. Thank you for the help, hashcat is clearly not my strength
brute forcing is going to take forever, just use a wordlist like rockyou
have you enrolled in the CBBH path?
i heard portswigger academy is also great (and free)
message support
yea i found early parts of the pathway to be difficult using it too. but its been getting easier
Need to speak to a person? Learn how to reach our support via HTB Labs.
No, I will not register with CBBH
ok. but if you want to do bug bounty, then wouldnt the bug bounty path be the right way to go?
Yes, it is
the path is good for base foundations
#cwes message: this message explains what CBBH is and what the path is
this channel is for help with the HTB academy learning modules; if you want to access more channels -- read and follow #welcome
I get that, I first used hashcat in a bootcamp back in 2020 and haven't used it much since. I have some rust to shake off.
there's a whole module and the sections that involve using hashcat generally detail what to do
also if you read hashcat -h you'll see what all the different options are
Yes, but I don't know where to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
you start with the basics
that's why the path is good. it gives you a layout.
you don't have to take the cert to have gained knowledge
starting with the skill paths is also good.
exactly. you can do the training and not take the cert. the cert is just a standardised way to represent a certain (presumed) level of knowledge
or at least for an interview
i agree that you should get a cert. i've always been a proponent of getting that piece of paper. though not everyone wants to bother.
I feel like Cyber Security is just knowing about computers as much as possible, unlike other IT related fields where you just get better at your particular field.
It's just so vast
yea theres a lot of that i think. i thought i knew a decent amount, though i was shocked by how much i learned doing this pathway
most ppl i know are more on the management side as well though, not the technical. more the CISM/CISA side of the house.
Cybersecurity is a broad field
very. my sister asked me how to get into the field, for a career change. was a hard question... it's enormous.
Hi All,
I'm stuck on the SQLMap module > Attack Tuning labs
I got the flag5 flag but the htb form is not accepting it (weird, already restarted the machine)
was not able to get flag7, trying this: $sqlmap -u 'http://94.237.63.201:53409/case7.php?id=1' -T flag7 -D testdb --batch --dump --level=5 --risk=3 --union-cols=12 --technique=U
one of the flags outputs weirdly from what I recall
it's l337sp34k so you can likely guess what it's meant to be
that's a lot of columns
idk why you have that many
did you even look at the case7 page?
yes, columns aren't the characters total for a field? or just the total columns on the table (5)?
just the total number of columns
since when has columns been for the total characters for a field?
especially in relation to SQL
I might be thinking too much about terminal columns 🙂
yeah, remember you're dealing with SQL where columns and rows are data fields
even the reading for the section reminds you of this
assignment complete, needed to run the command a couple times for flag5, and after rebooting the target I got flag7. Thanks!
yeah sometimes it breaks
Module : Footprinting
Section: SMB
URL : https://academy.hackthebox.com/module/112/section/1067
Question : What is the full system path of that specific share?
Does SMB protocol provide a way to know the local path of a network share ? 🤔
yeah
May I ask for a hint toward the command or SMB function to use?
I see .profile and .bashrc files in the remote share so I would guess the path is /home/XXXX but I don't know the user name
Review the RPCclient section
hey i am in the cpts FOOTPRINTING medium task, i am already in the mysql as admin but can't find the HTB pass
hi everyone! Anyone for a nudge on the Advanced SQL injection skills assessment? I think I've found a vulnerable api point
not sure how to proceed - I'm only able to get past some of the filter
sorry guys, i suck at SQL ... wish i could help
you'll get better! the sqli modules in academy are great
I think the hurdle I'm having to overcome is java
im definitely going back over them. i struggled so far in the CPTS path
I'm unsure how I'll go with java lol
i just had a look at the module reviews. only 3 but all very positive about it
the other sql modules are really good too
yea ill get there. i see its part of the senior web pentest route.
I thought the blind sqli module was neat
it teaches how to write python scripts to dump the database, like sqlmap does
im not rushing there. but i do plan on buying a few modules once im done with the CPTS
based on boolean/timebased stuff
oh nice, i gotta do better with my python
yeah python is neat!
I've learned it on and off over the years but never had a project to dedicate time to
ippsec videos are great for learning 🙂
so never really consolidated anything
there is a DNS enumeration with python module that is also in my crosshairs.
I havent tried that module yet
the last 2 modules i've done have been dacl 2 and windows evasion I think
oh nice. t3 modules. above me right now 😉
😄
academy is awesome! I love that there is just so much good content
im an academy addict lol
yea been doing it every day for 2 weeks now
43% of the way through CPTS. its great content
thats awesome!
thats the DNS + python module
yea i did briefly see that!
I cant wait for more windows binexp modules
maybe one day we'll see windows kernel stuff 😄
im actually interested in more wifi based stuff, and possible phones. unsure if they have modules for that stuff
there is a hardware attacks mini-module that discusses things like bluetooth attacks
when i can, I'll be going on a buying spree at hak5 haha
and I think there is a module that talks about ssl stripping
which is a pretty common wifi attack
yea i did see that briefly. didnt look like a lot
I think it's the https/tls attacks module
there are also some good traffic analysis modules
which honestly I need to do
well improving my wireshark is on my list
my wireshark skills are awful lol
i can read well enough to pass my JNCIA but thats it lol
lol you're probably ahead of me
there are some neat things you can do with wireshark though
meh, read outputs. i am lost looking at a pcap
like decrypting some traffic, or dumping raw output as hex
so you can replay it on the wire with modifications
yea so ive heard. i was looking through my homelab and saw a docker container for wireshark. i downloaded it but havent used it yet.
nice
yea that stuff seems pretty good. keen to learn about it eventually
i understand why HTB doesn't really have it though. doesn't fit into their ecosystem too well, i.e. their labs
yeah I think there is some stuff that the labs can't host
hahahaha it is. though that's dangerous for me as i have the urge to finish it all. and who has that time lol
like MITM6 attacks... really cool stuff, but I think it's hard to replicate a test environment
Hi, I'm facing a problem with the Web Attack module (Blind OOB XXE). I have followed all the steps exactly as in the module, but I couldn't get the request to my PHP server. can someone help me?
well i am super keen to try my hand at a machine but i still don't know enough to do that yet. i tried the free 2mil machine and its mostly web based vectors and i haven't got there yet. lol
I can try but I haven't done the module in a while
yea exactly!
you can msg me if u want
@solar zodiac have you gone through any other certs? I'm wondering if completing the CPTS path and then trying another cert as practice is a good idea. I've heard the CPTS pathway is more in-depth than other vendors