#modules
Reset the target and do all steps again
Roger 🫡
Make sure to go line by line
anyone?
dm me the whole thing
@elder citrus that's the same as the answer I have, make sure there's no space before and after your answer
sent you a pic
clear cache, refresh page
well, did that. Now for some weird reason, i can't see my data anymore
now i am kind of panicking
If using pwnbox go fullscreen
the answer is correct, it's not being accepted for some reason
Could anyone help me with this question "Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?" in the module "AD Enumeration & Attacks - Skills Assessment Part II". I have tried running Snaffler and a few other tools like Lazagne, but I don't seem to be getting back anything that relates to the question
I believe snaffler should find it
my data looks like it's gone
I thought so too probably a skill issue on my side 😅
Are you running it on the MS01 host?
You also might need to be the B* user
Yeah it was me being a dumbass and not changing to the B user, thanks for the push
wdym your data
Good morning people. I have a question. I just finished the "Penetration Testing Process" module. This module mentions that every time I read two modules, it recommends making machines to practice what I learned. Are there machines designed to practice each module? I see that there are machines but they require knowledge in several modules.
That's not required
There's a list given by htb when you complete a module AFAIK
It's a very loose list
True
The suggested machines only partially have what you just learned
I'm at ground zero. All my progress is gone!!!!
Then get it all again
Restart the target. Do the steps. Get the answer
all your progress like previously submitted answers and modules?
the data is stored on the server side, clearing cache wouldn't remove them
logout and log back in
Message support
yep message support
I have. It's to wait now
Hey!
I want to brute force SMB on the Credential Hunting in Linux section.
Using the auxiliary/scanner/smb/smb_login as shown in another module, this is what I entered:
msf6 > use auxiliary/scanner/smb/smb_login
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser will
SMBUser => will
msf6 auxiliary(scanner/smb/smb_login) > set pass_file mut_password.list
pass_file => mut_password.list
msf6 auxiliary(scanner/smb/smb_login) > set rhosts 10.129.174.90
rhosts => 10.129.174.90
msf6 auxiliary(scanner/smb/smb_login) > run
i get this:
[+] 10.129.174.90:445 - 10.129.174.90:445 - Success: '.\will:!'
The password is most certainly not a dot. What can i do to make it brute force?
is it because it is a samba service instead of a Windows smb service?
you're not gonna get will's password this way
...because this isn't the method
maybe i want to brute force another user... wink wink

i don't care that you "don't care" this method isn't how you'll get it
will's password isn't even in the mutated list
i suggest other services to bruteforce instead of smb
well that doesn't alleviate confusion now does it
but you're not gonna get it through smb
at least with metasploit
haven't tried with other protocols
but smb is set up for guest access
I understand that it is not required, but I would like to test what I have just learned!
so it'll just say any password is good
the module itself is enough practice, as the suggested boxes will go beyond what you just learned and even go deeper
and often require learning/knowing other things
Perfect! Thank you for your answers!
Hello, I'm trying to do Creepy Crawlies within the INFORMATION GATHERING - WEB EDITION module, but when I try to run ReconSpider.py I get the error of ModuleNotFoundError: No module named 'scrapy.downloadermiddlewares.offsite'. I did make sure scrapy was installed (/usr/bin/scrapy). Please help.
install it and use the break flag
install it as described with the break flag, then everything should work fine
I'll try it thank you
thank you again, it worked
in "credential hunting in linux", am i actually supposed to press "hint" ?
i know what to do with the hint....but how did "the colleagues" find that?
you get hints when you are stuck.
yeah but that hint.... that hint in particular... is it intended to be pressed?
first one i pressed
Hi
Is it possible to reset the module's progress?
no
somebody online who did digital forensic?
i would need a hint in the section Evidence Acquisition Techniques & Tools
i've collected the artifacts as described, but i don't know how to look for the process which starts with a and ends with g.
would be nice if somebody could nudge me in the right direction
I'm on the last question of INTRO TO C2 OPERATIONS WITH SLIVER and unable to solve the question. Anyone that has completed the module that can confirm dumping the hashes on the DC is not possible?
where did the "hint" find LoveYou1? am i supposed to find that? or is it intended to press "hint" and get LoveYou1 from the hint?
Went through the whole process again and still getting the password prompt :/
Yes
You still mutate that
That mutated pw is in the big lists
You can safely use 48 threads for most services in this module
oh i got the password... just wanted to know if this was a dirty trick from htb...and yes! dirty trick! don't press the hint = don't get to complete the exercise!
You can get it without the hint
It just takes patience
Don't attack ssh
There's other protocols running
Indeed
but the password is not on the mut_password.list
I also suggest investigating /home/
Will's password isn't
Her password is
You will use pretty much all tools in this section
Hi! Someone done the API Attacks module....Stuck on last assessment. Any suggestions where to begin? Tried the "new" function in so many ways....What am I missing? grrrhhhhh
somebody online who did digital forensic?
i would need a hint in the section Evidence Acquisition Techniques & Tools
i've collected the artifacts as described, but i don't know how to look for the process which starts with a and ends with g.
would be nice if somebody could nudge me in the right direction
should i use tools like timeline explorer? or just in text editor search for the right strings?
but on this host there aren't tools so i think only search in editor for the right strings?
found it lol
lucky punch
greetings, is there some bug with Web Server Pivoting with Rpivot. i successfully got a new connection from the pivot target but when i try to launch firefox with proxychains it can't load the site. it is loading but after 20 secs it says unable to connect. i tried adding the ip address of the target in /etc/hosts but it doesn't matter. anyone had the same issue?
I didn't have that issue
its strange but curl with proxychains goes well
but load on firefox nope
at least i got the flag
try manually putting http:// instead of https://
works for me ¯_(ツ)_/¯
guys been struggling with the linux priv escalation room ..... the one where you gotta get the flag by escaping the restricted bash shell
spent like 3 hours on this .... but i just cant solve it
i tried with this command echo "$(<flag.txt)"
but does not seem like the ideal way
but i still got the flag though
i used one of the methods from this site
alr will check it out thx bro
Got it! Just a matter of wordlist....
File Upload Attacks - Skills Assessment - File Upload Attacks
I was able to find the upload directory and dump the SRC code but it looks like the VM is on a different date. Does anyone know how to get the date of the target vm using an XXE attack?
htb is an eu company, so if you're in the US they're like 1 day ahead
UTC
Look at the timestamp the server sends back via burp
East Coast US is -4, West is -7 iirc
i only was thinking about it bc my weekly streak rolled over at 8PM EST last night
are you hoarding answers to keep your streak going too?
Hi, I am working on the Linux Privilege Escalation module, Environment enumeration section. Stuck on the 'Enumerate the Linux environment and look for interesting files that might contain sensitive data. Submit the flag as the answer.' Used grep, but as user htb-student wasn't able to see the result. How can I escalate the privileges to user lab_adm ?
i mean something tells me env will be useful
That's what doesn't make sense
time on the response is Date: Mon, 08 Jul 2024 20:00:48 GMT
so date(ymd) should == 240708
just do it for tomorrow, at most it can only be 1 day ahead
no
Server is GMT; it's 10PM there, not tomorrow yet
oh ok
2 more hours it will be
then what's the issue
Hi all. I'm having a bit of trouble with one of the modules. Here is my problem: In the footprinting module in the MySQL section, I'm working on the second question where I am trying to log in to the MySQL server but when I use the MySQL command, the terminal says: bash: MySQL: command not found. Anybody have this problem and does anyone have a solution?
sorry i can't read
i lied they're only 4 hours ahead of EST
8 PM; so 4 hours to midnight GMT
Not so much, I have found that non root users can execute on /bin/ncdu, but dont know much how to use this info
there are only two options here
it's either today, or tomorrow, so if one doesn't work try the other
pretty much that simple. if you're not finding the dir like that then you should inspect the source code again
Thank you! I'll give this a go
the php in the source code is date('ymd')
eu has weird ass date formats too
Hello, I had a small doubt if anyone has any idea...
In intro to AD, I can't xfreerdp from my host system to the windows server. It just shows black screen with normal log messages.
From pwnbox it loads normally
did you try pressing a button when you connect, like enter or space
Yup, nothing happens
Okay wait, after logging in from pwnbox, I suddenly got logged in now from host as well without pressing anything this time
sometimes it's just weird I guess
Thank you 😊
make sure you don't run the pwnbox at the same time as being on the vpn
Don't use pwnbox and your own vm at the same time
OMG im retarted lol I forgot to disable noscript and that was preventing uploads.
Let's not use the r word
Even if you can't spell it right
lol told you, sure thing!
Point stands, just avoid using it
@fathom pendant still getting the password prompt, I tried checking the path on the target and the personal directory is actually a zip? Could be the wrong place
You need to unzip it first... then insert your code
As said, by the sections regarding this
It would help if I remembered to do what it says huh
It's why I said to follow the steps exactly as outlined
You skipped a few paragraphs ahead and missed the plot
password attacks lab - hard: I'm attempting to pull a file through SMB & I'm getting this error: parallel_read returned NT_STATUS_IO_TIMEOUT & then it disconnects my session
I have tried this on two reverted machines, my own VPN connected VM & the pwnbox (not simultaneously)
When I dont, I get a black screen again from my host system 🥲
Hey there!
Who could assist me to access DC01 (DACL Attacks I - Skill Assessment - the last question).
I have got Jose's hash but it seems to be uncrackable, and I can't access by this one nowhere.
Yes, from my VM
In terminology the Host is your base OS that's running the virtual software
Why do you need to crack it?
I had read it early just trying to do it at work I lose my place sometimes
Okay to clarify now, my VM on my host system
Anyway. No idea why it won't work on your vm
No problem, I will troubleshoot for a bit. Thank you!
it appears the backend thinks my VPN is still connected, which i manually exited out of - is there a way to reset it instead of waiting for the session to die?
I have tried to access by hash via WinRM and RDP to the DC01 but have failed
Haven't seen vpn tracking in academy related to being connected
not sure i follow what you mean
I haven't seen htb track whether I'm connected to academy vpn or not
oh
well it's a DACL module so check what rights the user has
its been happening occasionally when there is an issue disconnecting my VPN connection to academy & it wont let me start a new one, even after changing regions, getting a new VPN pack (UDP or TCP)
?
I've had no issues like that
Unless you're referring to the pwnbox, which is different
In which case, just refresh the page
no that usually works np, just wonky to use
Ctrl+shift+r to reload the page and clear cache
Hm, good idea, thanks!
I will think about it
Hey guys, anyone here?
Im having a question on the Introduction to Windows Evasion Techniques : Process Injection
i developed something trying to reproduce the lesson but when i upload the file, it seems like it doesn't get executed by the user.
the log doesn't output anything new, is this normal?
[05/07/2024 05:57:00] C:\Alpha\ProcessInjection\AlsoNotMalware.exe - OK - Timeout reached, killing process
[05/07/2024 05:57:14] Checking...
[05/07/2024 05:58:14] Checking...
the log file isn't getting refreshed, even after the uploading of the file, and the previous output (displayed above) seems outdated and are in the log file even before we upload the malware
yeah it's broken
yeah hopefully
okay, ty
restarting my VM this morning, i appear to be able to run nc on port 80 now...though my version of nc doesn't give me any verbose that it's listening which is annoying.
Did you add the -v flag?
nc -lvnp [port] is the format iirc
yea, nc -lvnp 80. im going to run through an exercise that requires it, so hopefully it still listens. but i have a few versions of netcat
Why do you have multiple versions?
because it wouldnt work on my parrot os when i got it, so i went through and tried to install something that would work
and there are multi forks ...
works on my machine ¯_(ツ)_/¯
dunno what to tell you, it didnt on mine.
Iirc netcat is bundled in core-utils if [for some reason] it's not already installed
You can also install ncat [nmap's netcat]
yea thats what i thought.
The one that's common though is netcat-openbsd
just installed ncat, and it is giving me verbose
👍
this makes me happy. i know its listening lol
We just need to wait for mods to wake up
Already reported their shit to discord as well
They were banned
yeah he comes back every so often
waiting for messages to be wiped
They're puppet accounts
yeah
Join date today
what a waste of time
i dunno what the point of all that was
Well I can wipe them but then Discord wont ban them because "MesSaGe WaS DeLeTEd"
Trolls being unoriginal
People don’t have anything better to do 😒
I reported the messages as well when they happened
Iirc those reports are archived
Right, but they have to remain on the server for them to review it otherwise garbage collection
eh yea idc enough for discord to review it
yea very unoriginal. surely it'd take more time to create their troll account than their account would survive to do useless trolling lol
probably just some 12 year old
...yea, probably. lol
good day. I need help with something. module Linux Fundamentals, section Task Scheduling. the question asks about dconf.service, but I don't see this in pwnbox. and there's no target machine. am I expected to install this?
finally found the file on pwnbox 😅
hi for Busqueda box i added searcher.htb with the ip and i can ping it └─$ ping searcher.htb
PING searcher.htb (10.10.11.208) 56(84) bytes of data.
64 bytes from searcher.htb (10.10.11.208): icmp_seq=1 ttl=63 time=108 ms
64 bytes from searcher.htb (10.10.11.208): icmp_seq=2 ttl=63 time=114 ms
64 bytes from searcher.htb (10.10.11.208): icmp_seq=3 ttl=63 time=91.3 ms
but when i go to the website it says Unable to connect
An error occurred during a connection to searcher.htb.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the web.
10.10.11.208 searcher.htb
in my /etc/hosts
i can wget the page
why
is it a module?
quick question on the juicypotato in windows privilege escalation skill assessment: what does -l mean? through a section it says COM server listening port. How do i get that number exactly?
-l is the listening port
so i have to view what ports are open in the machine right?
-l is the parameter juicypotato uses to specify the listening port for the COM server that juicypotato sets up, the port is used internally by juicypotato to interact with the COM service it is exploiting, so you can pick the port yourself. you'd want to pick a port that isn't in use.
ok so i can pick something random that isn't in use got it now
yep
i did it but i keep receiving "COM -> recv failed with error: 10038"
wait i changed what's inside -c and got something
this is weird i don't know why it happened tbh
edit: it gives out without actual results i think i have to edit something with the nc.exe that i uploaded its not working for a reason
Try to create the 'ids.txt' wordlist, identify the accepted value with a fuzzing scan, and then use it in a 'POST' request with 'curl' to collect the flag. What is the content of the flag?
need help with this in ffuf module i don't know why it doesn't work
what section
value fuzzing
where exactly are you stuck
i generate the list even with 10 ids and run the command
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:PORT/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
but with ip and port that is given and no result found
dm me a screenshot of the actual command
ok
is there anyone available to help me understand the doc and reporting section they didn't do a very good job of explaining it or how to do it. you can dm me if you're interested
which part did you not get
im on the assessment and it tells me to do this and that but to be honest the notes are all over the place and im not sure where to start or how to add things to the notes i read the module and i understand it but also like its thrown at me and not sure where to begin ive ran Responder to get some hashes
yeah, the previous pentester did a terrible job, its your job to clean it up
do you mind working with me for a bit over screen share?
it's the second last module of the path, you're expected to be able to complete the pentest yourself
sorry i can't do that
cant really complete if i cant understand what this report is telling me
ignore what they put in the report then, just do it all fresh yourself
there are ips all over and whatnot
use full path
yeah you can see it's trying to download from your cwd
also maybe delete that post because many people try that module blind
check the "info" line -- it shows you're not downloading from the right spot
oh that's AEN, yeah delete that
Got it. Thank you.
last update on that for those who are interested i solved the problem by simply changing the CLSID from the default one into something else and random from this site "https://ohpe.it/juicy-potato/CLSID/Windows_Server_2016_Standard/". However, i honestly have no idea based on what some random CLSID works and others don't if anyone does please let me know.
Hi all. I'm having a bit of trouble with the second question in the Footprinting module in the MSSQL section. When I try to log in using mssqlclient.py backdoor@<target_IP> -windows-auth, it gives me a message saying 'SSL routines, no protocols available'. Has this happened to anyone else and what can I do to fix this?
the clsid is the class id, it's used by juicy potato for exploiting the COM objects. the ones listed on that site are known to be exploitable for priv esc.
try adding -no-ssl
ok but how do i know which one to use? there is a ton of them do i just brute force them until i get a shell?
the website shows you which ones are known
i don't know enough about it to know why some would work and some wouldn't if the target machine matches where you're getting the clsid's. maybe something was updated there or something i have no idea really.
I tried it and it still doesn't work
sudo pip install impacket --upgrade --break-system-packages
it's an error with the impacket installation on the pwnbox
two options are reinstall completely or force an upgrade
i wanna try something alternative to see if it works i'll let you know if it does
staff/engineers are aware of the issues that are going on with the current pwnbox
Okay, I'll give this a try
stinky pip impacket 
some ids are only valid on certain versions
just a weird bug with the install on the pwnbox ¯_(ツ)_/¯
yeah but he's saying the list showing the valid ones for the versions don't all work.
x and y are valid, but only x worked
may have missed over one?
¯_(ツ)_/¯
i think that's what he's saying at least.. unless i misunderstand
idk
it's based on windows version level
he's asking why some from that list work and some don't
he pointed to a specific version list though
so i assume he was targeting that version, maybe not
version level
as in specific install version beyond 2016
i.e. 2016 R2
or some subversion within
I mean sometimes that clsid just isn't being used by whatever registered it
to a degree, yes
there's not always a clean way to do everything ¯_(ツ)_/¯
also ew no background png
i had to download it to show I'm sad
just use the gif selector
Hey guys I am on the assessment section of password attacks and am stuck at the initial enumeration of easy.
PING 10.129.212.177 (10.129.212.177) 56(84) bytes of data.
From 10.10.14.1 icmp_seq=1 Destination Host Unreachable
From 10.10.14.1 icmp_seq=2 Destination Host Unreachable
From 10.10.14.1 icmp_seq=3 Destination Host Unreachable
^C
--- 10.129.212.177 ping statistics ---
4 packets transmitted, 0 received, +3 errors, 100% packet loss, time 3232ms
pipe 3
Try resetting the target or changing vpn regions
I feel I should manipulate the hosts file, but I'm not sure how I should do so. I'm getting a response from whatever sits in front of the box
if you're not getting a ping reply back and can't scan with nmap -Pn then you're not gonna move forward
I reset the target I will try changing region
Well the VPN doesn't seem to be connected at all
hosts file won't help you
it's connected
Yeah try another VPN then
still unreachable using ping. -Pn worked for nmap?
Then ICMP is probably off in the target
-Pn skips host discovery via ICMP
No, PN actually gave no results
Does it show results?
I am still not talking to it
did you download a new vpn file after changing regions? and reset the target?
(yes you need to reset the target when you change regions)
says all tcp ports are in ignored states which i know is incorrect
Terminate --> start, not just the refresh button
Well then it didn't work
ah, I didn't reset the target
yeah it's still spawned on the old region
thanks for responding by the way guys
lol no, still unreachable via nmap and ping. I reset the target, generated and connected using a new vpn file of another region, nada
I'm sure if I do it from the provided attack host it will connect
How do you know you're connected to the VPN?
I see that i am connected to 10.10.15.50 in the top right of my kali instance
i have never had this happen before
ping that
that will tell nothing my guy
it's the same as pinging your own host from any other interface
At least if the connection is actually working
lol yeah i tried it tho
that won't tell anything
I can touch the target from within the parrot os they give
you need to ping another machine to test
Hm
don't run pwnbox and vpn at the same time
sudo killall openvpn then reconnect and try again
ok
Other machine ain't responding
it's up and connectable via pwnbox so something is up
also terminate the pwnbox when you go to use nmap the target
Maybe some kind of firewall issue?
Yeah I mean idrk what's happening here lol
Cross-Site Scripting (XSS) vulnerabilities are among the most common web application vulnerabilities. An XSS vulnerability may allow an attacker to execute arbitrary JavaScript code within the target's browser and result in complete web application compromise if chained together with other vulnerabilities. This module will teach you how to ident...
Hey guys I’m having some issues with one of the modules. Basically it’s asking me to rdp into a windows machine and then either ssh or rdp into a kali machine to answer the questions
I can rdp into the windows machine but I get a connection refused when I ssh into the Kali machine or I get an error when trying to rdp into it. This happens on my vm and in the pwnbox/workstation. Any ideas? I can ping the target, and nmap doesn’t say 22 is open but this doesn’t explain why I can’t rdp to the Kali machine
you need to connect to the Kali machine FROM the target machine
you use it as a jump host/pivot point
@rustic sage @fathom pendant thanks again my fellows. have a good night
y can’t i use general chat
Hmm still says connection refused when I try to ssh from the windows machine I connected to through rdp
that’s so extra
the channel gets spammed
idk i haven't done that module ¯_(ツ)_/¯
then you don't get the talking stick to talk in #general
Hi I want to do bug bounty for business logic flaws, but I wanted to know, do people actually get the things in their cart from intercepting?
it's a server revolving around the HackTheBox website; expect to need an account to have further permissions in the server
no idea; as the goal from the cart thing isn't to actually buy the item
That’s ok thanks for trying
It’s to find the bug?
it's exposing a weakness or flaw with database backends
yes lol
Okay thanks.
for the hard password attack labs I'm having troubles trying to mount the drive since it's asking me for an admin password. david's (which seems to be the local admin if i understand it correctly) doesn't seem to work -- is there a credential I missed (johanna, david, keepass)?
you need to mount on your machine; or a windows machine you have admin on -- d* isn't a local admin
there's plenty of guides if you use the discord search feature that people have shared
solved, thanks for the tip
Linux Fundamentals, section Task Scheduling. the question asks about dconf.service, but could not see the service. Can anyone help me
the file is in pwnbox. you have to find that file first
I found the file but the type of service not found
did you see the contents of the file?
Yes able to see the contents
then you should find the answer in there 🙂
@topaz fossil Ok fine I will try to find it and Thanks @topaz fossil
I completed Windows File Transfers.
now doing linux file transfers starting tomorrow
I was way overthinking it for a while
Good morning colleagues I am stuck on this question module password attacks section Credential Hunting in Linux the question is the following: Examine the target and find out the password of the user Will. Then, submit the password as the answer.
- I'm creating the password policy with hashcat as follows
hashcat --force LoveYou1.txt -r custom.rule --stdout | sort -u > mutPasswd.list
hydra -l Kira -p mutPasswd.list ssh://<host>
But at the time of checking the ssh service it does not get my password, what am I doing wrong?
Might need help, no users pop up
Might need to provide module and section
use enum4linux maybe its easier
footprinting, smb
Delete your screenshot it contains spoilers. What question are you on? Not sure why you're trying to enum users for the section.
I need to look for the filepath
You already have that in the screenshot I said to delete
the share was sambashare right? But then when i try look for it, all i see is "C:" for everything
o really holdon
What's the c:\ equivalent in Linux?
\
-.-'
\\ ?
└─$ hydra -L users.list -P pass.list -s 2121 ftp://10.129.131.49 -t 10
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-07-09 01:03:14
[DATA] max 10 tasks per 1 server, overall 10 tasks, 26307 login tries (l:79/p:333), ~2631 tries per task
[DATA] attacking ftp://10.129.131.49:2121/
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-07-09 01:03:18
What could cause this error? I tried -t 10 to see if it would help from 16.
Other way around buddy
Can someone help me with the question is that I've been stuck for several days and I can't find a solution 😦
1 problem, i've tried those paths and none of it worked
OMG I DID IT
You should try a different service that will be faster with hydra, increase the threads to (iirc) 48
I will check out the services that are available if I find something out there
Is the instance still up?
trying to install tls-breaker
https://academy.hackthebox.com/module/144/section/1257 Didn't pick up anything from my gobuster scan.
Am i doing something wrong?
follow the last example given in the section
am i supposed to keep the inlanefreight.htb part? Or is that meant to be the generated target address
Yes, very much so. You need to use the domain not the IP. Edit your hosts file as well
eee so annoying
the target address is inlanefreight.htb, that's the vhost you need to add to your host file
ok it works if i change java version
Hello I want to do bug bounty, but I had a question. When people intercept prices on sites and try to buy does it work if the website is server side rendered?
Is this formatted incorrectly?
no
yeah don't put the port
Or the protocol

For anybody else on the Windows attack and defense module for the SOC analyst path whos having issues connecting through SSH/RDP to the kali machine, heres the workaround I used
RDP to WS001 and obtain the file using Rubeus
Use SMBClient as guided in the overview page of the module to get the file onto your host machine
When the file is located in your host machine, close the connection with WS001
Establish connection with kali as target generated from Coercing Attack page in this same module
password.txt is located here, so we can retrieve the password.txt to our host using scp
end connection to kali, and execute ripper or hashcat in your local
For the Active Directory Trusts Attacks, I am having difficulties to RDP into the target machine (via the Pwnbox or my own VM). I am using xfreerdp to RDP into it.
```
[01:34:30:908] [11352:11353] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[01:34:30:908] [11352:11353] [WARN][com.freerdp.crypto] - CN = SQL01.inlanefreight.ad
[01:34:39:918] [11352:11353] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[01:34:39:919] [11352:11352] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B]
```
which section?
Mapping Active Directory Trusts
I had also the same issue in the section before
the labs don't look stable to me
just tested, works for me on US4
ok thanks I will try US4 VPN then
What "pane history" mean in tmux?
oh I am already on US4
idk then, it works fine for me, try respawning and wait a couple of minutes
the history of the pane 
I know..😅
yeah so what are you asking? the history just contains the previous commands and output
I tried to respawn but I keep getting disconnected with the machine
use tcp vpn
On password attacks modules
Am I doing something wrong? Did exactly as the module said, create a mutated list with the custom rule they provide
nvm, i didnt capitalise the p 💀
I tried everything, respawn the target, changing VPN areas, restart the VPN.
What is the process for a refund?
I won't be able to complete the lab if the lab is not stable
I’ve had some difficulty with rdp too. Sometimes you just need to wait a bit after the target has spawned. Or I’ve had to try the free rdp command a few times
So in the documentation & reporting module, there's explanation that we can clear the pane history by typing prefix + alt + c.
But nothing happen after I typing that even my pane full of commands and output
The history is not cleared..
did you install the plugin and did you try scrolling back up after clearing?
it clears the scroll buffer, not what's currently shown in the pane
which plugin? In the module I was not shown to install certain plugins to "clear pane history"
I did try scrolling back up but there's many command before
you sure about that? the Notetaking & Organization section walked you through setting up and installing plugins with tpm
oh that one, yes I have it installed
actually same problem
I still don't understand what is "cleared" from the clean pane history feature. like it doesn't have any effect
you will see a message pop up at the status bar and the scroll buffer will be cleared
Does the password attack module actually expect you to wait 6 hours to crack a password
I don't understand scroll buffer mean
no
Hi all... just started my Academy journey... I'm stuck in my box using ZAP Spider. I'm starting ZAP in my cloud instance... then I start the browser and browse to my target... the ZAP HUD appears... YAY... continue to target and when I want to start a spider it tells me the ip is not in the scope... should I add it... YES please... start and nothing 😦 Does anyone have any clues?
Tried to add the IP manually doesn't work... clicking the out scope to add it doesn't work...
hey mate. when you open up ZAP, are you clicking on the firefox icon in ZAP?
yes indeed
awesome (i made that mistake took me a while to figure out ...)
ow... seemed like the way to go 😉
in the initial screen, you should have a list of Sites on the left-hand side, and the ip and/or hostname in a list
yes found them
i click on the IP, right click, then to attack --> then to spider
then the screen comes up with the starting point. it should be loaded. make sure recurse is clicked. then 'start scan'
ok that works.. skipping the HUD completely
i found the HUD is very hit and miss...its been more miss for me, and others in here told me similar.
so i've just avoided it tbh. unsure if thats wise. but i just use the main screen/gui
Thanks... wil try it using the main screen then
im very new myself .... so dont take my process as gospel . very much trial and error (focus on the error haha)
I hoped the cloud instance would reflect the course
I'm using my own VM in most cases. but some modules don't match the content 100%. in their defence, its minor considering the amount of content.
you can post in #1234357888114364508 for errors. that may be a good place to bring up something. i understand they are responsive.
okay you have your local parrot instance
agreed! i think its meant to be 1 day, it took me a lot longer but i got a lot out of it.
that's a great idea
i did a few modules on the cloud instance, but did transition to my own VM. a few times the pwnbox was better, for whatever reason.
thanks for the tips
i recently noticed that some of my stuff wasn't being processed, and figured out it was likely my ISP filtering (or something similar), as it was obvious XSS attacks. no such issues on the pwnbox though.
ow yeah that's nasty... but nice they are kind of 'protecting' you 😉
pivoting, and then AD attacks, are great modules coming up. if you know networking then pivoting will be easier but still great/difficult at times. and AD attacks features heavily in the exam, from what i've been told. and far better teaching than OffSec provide. i enjoyed it.
hahahaha, protecting me from myself ;). tbh, its likely basic filtering to stop script kiddies being a-holes. lol!
what should i do if its stuck in Targets are spawning for a while?
are you using pwnbox or your vpn?
atm pwnbox but i can switch to my linux host and use the VPN if needed
but i dont think that even matters when its the targets that aint spawning
refresh the page, change your region for pwnbox, and then try to re-spawn
targets are spawned based on your region that you are connected to, so it may.
i see
the pwnbox, or your own vpn, are connected to certain servers (your region). so if you spawn a target, it'll be spawned within that network (in that region).
that is my understanding of it all. so i hope it is correct ... i have had targets not spawn for a while though. sometimes there are just a lot of ppl and it doesn't work well.
I have also question with pwnbox because for free version we have access for pwnbox only for 2 hours and with for example starting point on htb is no problem to connect with VPN but how can I connect VPN for htb academy?
quick question, any reason why I wouldn't be able to chat in the off topic chat
it was still stuck, i now tried starting targets from another section so it would stop the other ones and restarting
oh and it started
while you are in a module, or on Academy, you can click your username --> VPN settings.
any idea when the maintenance will be completed?
openvpn academy-regular(2).ovpn it is not working
there it has some instructions. get yourself something to run a VM, I use Oracle VM. download a copy of your VM (I'm using Parrot Security. You can use Kali if you like), then choose a VPN server at the bottom of the page.
its sudo openvpn <file>
VM is definitely the way forward, although pwnbox is good having a VM set up makes life much easier
Yes I am logged as root
have you followed #welcome to verify yourself?
you still have to run as sudo
no idea
cheers
no problem
How To Connect OpenVPN HackTheBox Academy On Virtual Machine Kali | Parrot OS
There's a section to download the academy VPN. Download it, and use openvpn to connect to academy. `sudo openvpn <VPN_file.ovpn>`
Yes but guy in this video in module has an address IP for the VM and in module MacOS I don't see any
I have connect VPN but how can i connect to my VM (parrot os)
YOUR VM?
you connect the VPN in your VM
Do you mean pwnbox?
Pwnbox is a cloud based VM. you don't VPN into it. think of it as a separate computer
Pwnbox is not something you connect via a VPN. You access pwnbox via the browser.
Yes but can I use their system in module via VPN?
the Pwnbox is connect to the HTB intranet. when you look at a target, its in the same network. when you use your VM at home you are connecting that VM to the HTB intranet.
What module are you trying to do?
MacOS fundamental
Hello, anyone have a job in cybersecurity?
why, you recruiting? hahaha
@sterile solstice only ur mom, hahaha
So you want to interact with the target machine, using pwnbox right?
I can’t connect to the target, I changed the VPN to a lesser load on the network and also added single brackets to the password (I found on the forum that this can help if there are special characters in the password)
Using pwnbox is impossible becuase is limit time like 2 hours
Well if you don't have a VPN+ account, you can download your own ovpn file and use it via your machine/VM
which is why you should try your own VM, not pwnbox
But academy module require their VM to explore it and they usually give us address IP
with special characters, i add ' either side of password
when you connect your VM to HTB with VPN, you become part of their network. the supplied IP they give you will connect
I did that too, it didn't help
i found i had to spam RDP on some of them, as my connection kept dropping
But in module MacOS they don't give IP
Just finished playing watch dogs boutta become a hacker
may try switching between UDP or TCP vpn.
Oh so I have to have my own macOS machine
Well I just checked and they don't provide any MacOS VM for you. You should probably have a MacOS device on your own
Oh that explains
¯_(ツ)_/¯
is API attack (new module) is fully web based???
So better use pwnbox for 2 hours that install new machine 😛
Who has a job in cybersecurity
pwnbox is still a Linux machine not MacOS
Yeah sorry, my mistake
Lol
I changed the VPN to tcp, it worked, but the problem now is that after 5 seconds of work the window turns off and I already see some actions in the console, although I didn’t do anything before and just opened
I have another problem becuase this is the question: "Read the zsh configuration shown in the section above to find what command is mapped to 'll'. Submit the command as the answer. " and when I do this command in parrot system: chsh -s /bin/bash it asked me for password and HTB don't give us password for parrot system so what can I do?
I have no control, everything is just frozen
What module is this?
MacOS Fundamental 🙂
Well
-
you can't run MacOS commands in a Linux machine
-
This is designed to be run on YOUR own device, so you would know the password
TCP is slower ... i know you can set response time for xfreerdp to stop it from timing out/disconnecting
but in my limited experience, its just very slow going with rdp on the modules.
But I used their pwnbox, this is prepared machine for this module
And this command worked but i don' know password in pwnbox
What's the section of the module exactly?
MacOS terminal
So what you basically have to do is download a configuration file that they provide to YOUR MacOS device, read it, then answer the questions accordingly
Ok so their pwnbox is in this section useless 😄
Thank you very much for help, I will use my own MacOs device 🙂
LoL pwnbox is Linux. And they do say that you need a MacOS device to follow through this module at the start
And in the summary
Yes, I changed the VPN again, everything seems to be ok, thanks
no problem mate. glad its working.
Ok but it is weird that in all previous sections I used pwnbox and commands and answers was working and been correct
Dude stop @ing people
I haven't looked at it but considering it's API and it's going to be thrown in the cbbh path, I'm gonna say yes
is it against rule?
okay thanks much
oooh
sure I will take care of that
If you do it again I will block you
calm down
its first time i knew that it is not good to @ing
and revert your module progress
?
you can't revert it ig.
but one can always go back and re-read the stuff.
It's just annoying, wanna know how you get an answer? By reading the module overview
yeah sure
I'm going nuts on a side quest in the DFIR module. Trying to use cyber-chef to decode a powershell command that's been encoded and then compressed. I can remove the first layer, but am stuck. Can anyone help me? 🙂
Well MacOS and Linux commands are quite similar, especially at the command line interface level. This is because both macOS and Linux are Unix-like operating systems.
But you should use your own MacOS device as they recommend
Oki thank you 😄
Hi ! I'm working on the "INTRO TO WHITEBOX PENTESTING" module - section Skills Assessment.
I've found one of the RCE method but looking for the second one.
Does anyone can nudge me?
Where i can find a good network course from basic to advanced?
There's no one course that will take you from 0 to hero and it depends
Most of what you need for hacking is basics
If you wanna ask in a more suitable channel read and follow #welcome and look in other channels like #resources-tools or #homelab-sysadm
Very vendor specific. Juniper's JNCIA is free and less vendor specific (due to how the OS works)
Or Network+ for genuine vendor neutral training. In that case, Dion or Prof Messer on YT or Udemy.
Oh, and NetworkChuck on YT for his explanations on subnetting. Honestly the best explanation I've come across.
I don't like network chucks style at all. He doesn't go in much depth. I prefer Jeremy's IT lab. He's the man. Goes very in depth. Though if he helped you understand subnetting, good for you
Again this is all off-topic for the channel, there's other channels this conversation can be had in
I can't say anything in #general
does academy has another payment option except credit card
Read and follow #welcome
Message support ig
Introduction to Windows Evasion Techniques Section Process Injection, I'm stuck on this task because my code isnt being run, so i guess the task is broken
I don't have a htb account so I guess this is the only place I can have conversations
And you'll still be guided to stay on topic, and an htb account takes 5 minutes to create
At most
looking at the logs, the last time a check was done was 2 months ago
Jeez god forbid one must never utter a word that's off topic
When it starts taking over the channel, and it gets filled with unrelated chatter, yes
This channel is specifically for help with academy modules
Oh okay I see
Mods aren't staff, if you believe there's an error in content post to #1234357888114364508
You can also reach out to support to try and resolve issues
thx i will
SOCKS5 Tunneling with Chisel.
- 1 Using the concepts taught in this section, connect to the target and establish a SOCKS5 Tunnel that can be used to RDP into the domain controller (172.16.5.19, victor:pass@123). Submit the contents of C:\Users\victor\Documents\flag.txt as the answer.
xfreerdp wasn't working, so i tried rdesktop. i get the error invalid username / password but i've double checked. any help?
also tried ligolo-ng, socat, reverting didn't solve it
Wrap the password in single quotes
Also make sure your proxychains config is correct (only socks5)
Also put the /v: argument first
try adding /timeout:60000
my man
Thanks
that worked? nice!
Yep
Heyy, while doing the IPS/IDS easy box from the network enumeration with nmap module, I noticed when I open the webpage with the /status.php, the number keeps going up even though i haven't started my scanning, is it due to other people using the same IP?
No
It's just triggering as well off the web requests
Ohhhhh I see, that makes sense
Academy labs on the 10.129.x.x network are independent and not shared
But, btw, it started at like 50 when i first opened it is that normal also?
Yes
That's really nicee
It would defeat the learning experience if others could hijack your box and mess with it
That's what I was thinking, I couldn't do the boxes if other people were constantly getting the max alerts
Btw, this is also due to the web requests?
This narrows issues down to 2 things:
User error (skill issue)
HTB infra issues
And scans
Btw if you trigger the ids/ips just reset the target
Okok, just asking because , I haven't started scanning and it was like 50/100 when I started , so it must have been just web requests I guess
As it locks you out from interacting with it for like 5 minutes
Yeah it's dumb
Okok, ty for the tip
But you can go through the whole easy --> hard without triggering
can someone help, i can’t connect to the VPN i keep getting TLS handshake failed
Thats perfect, thank you for the help once again 🙂
Message support
on the website?
for every section in AD modules, time spent for rdp > time spent on solving question
anyone know how to make connection stable
really spending 1 hour+ for each question cuz keep disconnecting
if im using pwnbox?
Module: Information Gathering Web:Subdomain Bruteforcing
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://FUZZ.inlanefreight.com -H "Host: FUZZ" -fs 915
Am I doing it the right way with ffuf by only filtering size 915? I observed that most response with 915 are all 403s
is it about picking a different wordlist like before?
You're doing this so wrong
It's -u http://domain -H "Host: FUZZ.domain"
If it'd a public ip
You don't put the port in the hosts file, you specify it in the http://domain:port
Also using -ac will let ffuf automatically toss junk responses
by port you meant 80/tcp for the http port?
Read my statement again
if it's a public ip
If it's private, then you don't need to specify
As it's running on 80, http assumes 80 by default
The public_ip:port is the scope of the target if it's given in that format
Does anyone know why this error is occurring? I successfully executed this earlier for root, but accidentally forgot the flag so I executed the attack again later and it's throwing this error:
```
KRB5CCNAME=ticket3.ccache impacket-psexec support.htb/administrator@dc.support.htb -k -no-pass
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
[-] SMB SessionError: code: 0xc0000016 - STATUS_MORE_PROCESSING_REQUIRED - {Still Busy} The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
```
Reset the target
Hello all, I just need some guidance for one of the questions in skills assessment on introduction to windows command line module.
For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host.
This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them.
hint
How can we view loaded modules and their members?
Well, the hint gives you what to at least think about and look for
The Get-InstalledModule cmdlet gets PowerShell modules that are installed on a computer using PowerShellGet. To see all modules installed on the system, use the Get-Module -ListAvailable command. This is a proxy cmdlet for the Get-InstalledPSResource cmdlet in the Microsoft.PowerShell.PSResourceGet. For more information, see Get-InstalledPSResou...
Get-Module in PowerShell to list the modules
Everything you need for the skill assessment has been mentioned in the module
hello guys. I have a strange behaviour regarding a target. The below image is the ip I get. I found it strange that there is a text next to the IP is the first time I see this. When i try to connect to this I get no connection. I tried to download different VPN and I still get the same behaviour. My next step would have been to go to support but maybe is best to check firstly here. Let me know what you think.
the strange this is that i am able to ping it but i dont get a any results on the web browser.
Has anyone done the macos fundamentals. I got the module and I don't have a mac. Anyone willing to send answers to my DM?
you can do the module without a mac, google them
yeah, i did it
In the Linux Fundamentals - User Management section, the question is *"Which option needs to be set to lock a user account using the "usermod" command? (long version of the option)"*
the accepted answer to this is "--lock", however, the man page explicitly says: "Note: if you wish to lock the account (not only access with a password), you should also set the EXPIRE_DATE to 1."
Shouldn't either the question or the expected answer be changed?
use java 11 for installation(don't forget about skip tests), also use it when you will run this app, it wont work on other versions
Hey guys
Module: OSINT: CORPORATE RECON
Section: Public Domain Records
Question asked: What is the name of the registrar of this domain?
What I have done:
- WHois lookup using both ip and domain name
- shodan
- dig
- dnsdumpster
- whois ||-B --sources RIPE,ARIN-GRS digitalocean||
- and hours and hours of searching through different resources
Can any body please help or give me a quick sanity check? Thanks
rubeus no need username and password to do kerberoasting?
with || whois ||you should find what you are looking for.
That's what I supose, but I literally tried everything from all those results, including ||DO-13||
I don't have a terminal available at the moment, but I can find the answer using online tools.
Hi, I have read that when application whitelisting is in place I should use LOLBins and it gives an example of GfxDownloadWrapper.
Is there a way to enumerate LOLBins installed/available? Or do you guys keep a list of common LOLBins to try?
Yes, the results should be the same using online tools, I have tried many as well. I literally already copied and pasted all the values I could find for ||OrgName, OrgId, NetName, NetHandle, Organization,|| etc. Tried variations of each as well. At this point I'm not sure if I misunderstood the question or if I'm looking at the wrong information
I've also done the same when using ||the domain name|| as well, which provide different results, but still no luck
guys i cant find walkthroughs for htb academy modules
y is that? coz i used to find alot for THM rooms
Send me a dm
Walkthrougs are not permitted for modules greater than Tier 0
htb academy
Anyone else not able to access the openVPN services for HTB? (Tried multiple things like restarting, logging out/on. Deleting & redownloading etc etc
nope
turn off n on ur vm
Not a VM. Bare-metal.
Also i have tried restarting my pc
It just started doing this after creating a new account and logging into it in HTB
Happening to another person i know ^^
Yes, no walkthroughs are permitted for the Tier I to IV modules
Should also mention the error i popping up when i try to download the OpenVPN file
Fixed it
INFORMATION GATHERING - WEB EDITION
Skills Assessment
What is the API key in the hidden admin directory that you have discovered on the target system?
I have tried fuzzing, gobuster, and no luck. doing to the endpoint takes me to a permanently removed 301 page... Any help?
Hi everyone,
I am attempting to complete "RDP and SOCKS Tunneling with SocksOverRDP" but when I connect to the final host 172.16.6.155 it claims the host is offline.
I am confident I have carried out the steps correctly but happy to be wrong.
Steps:
RDP to jump host 10.129.x.x
Drop SocksOverRDP and Proxy, turn off AV and run
RDP to second host 172.16.6.19 using mstsc.exe as victor drop Socks....exe run as admin
run mstsc.exe connecting to 172.16.6.155
Any help appreciated greatly 
Im working on the same module, is yours also laggy AF?
hey guys, i have an issue, in the login brute forcing module ,login form attacks section, i found the correct password, try to log in, but i keep being kick back... did you encounter something like that? i'm pretty sure i got the correct password though
Is the correct password conveniently the first one in the list?
Make sure with the login forms your fail string is properly set (for post forms)
"Keeps kicking you back" genuinely unsure what that means btw
it accepts the creds then prompts the login form again as if the creds are wrong
got it
Thank you @fathom pendant 🦾
i was logging in on the wrong page 😂
Yo, im curious on how hackers hack into cameras, do they break in the system and crack the password of cameras?
Struggling with the last two questions on **MS01** (AD Skills Assessment part 2)
After importing, I run Get-Module and it says it successfully loaded but it seems to be getting blocked. I've also tried running PowerShell as admin with Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass but I keep getting the error
The term '...' is not recognized as the name of a cmdlet, function, script file, or operable program.
Any one got an idea what I'm doing wrong?
Wrong channel 😉
i was about to say 
@acoustic owl which channel😉
most cameras aren't pw protected
So they hack in the system
read and follow #welcome and ask in #hardware-iot-ics
Im good lil bro
Read and follow #welcome
then you will see more channels
Im good for now lil bro
you'll have a better chance of getting a real answer if you ask in #hardware-iot-ics
That "Exploiting Web Vulnerabilities in Thick-Client Applications" was violent
@vital ice i don't accept random DMs btw
Legal question regarding osint tool h8mail
Would it be legal to run a check of all emails and password leaks associated with one domain for example facebook.com, like this would be the command to explain better (h8mail -t fcorp.com -q domain -c h8mail_config.ini). These passwords are already leaked on databases all the tool does is search those data bases using api keys. I do not want to accidentally get in trouble so can someone say if this is legal or not?
Every country has its own laws. The best thing to do is to ask a lawyer in your area
Did this fix the error? 😁 I am having the same issue, my understanding is the final host isnt booting up
Technically speaking you're still bruteforcing a website even if the password is "already leaked"
Hmmm I guess this is true in a way but also the info is accessible to everyone on the internet so idk but I'll take your word for it
It would have been interesting to try and find my account
It doesn't matter if it's bruteforcing, if its just a tool to search a static database that isn't actually logging into anything then that's different
Also there's haveibeenpwned
Checks if your email has been exposed in data breaches
Yes it searches a bunch of different databases such as haveibeenpwned when you provide api keys I don't think it actually brute forces the website or servers itself
apologies didn't realise there are several tabs, you are very active in here thank you!
which module to choose after finishing the Kerberos attacks module?
- NTLM Relay Attacks
- ADCS Attacks
- Active Directory Trust Attacks
all of those are s tier
and if you had to choose one ? 
probably ADCS, it's a very common vector
how does Kerberos Attacks hold up to those other three modules
I'd say they're all very close
I'm having some trouble connecting to the VPN using the connection file. Is this the right channel to ask?
it's not vulnerable, there's 0 mention of vulnerabilities in the module
I already checked the KB and the FAQ and found nothing relating to my particular issue
I got the flag doing the same thing ive been doing all day, target host is very slow/temperamental
yeah i just gave up, trying again tomorrow, thing is way to slow
Not vulnerable, just misconfigured to allow inbound connections
Which is?
It's a fatal error. I've posted more details + a screenshot in the community help zone
Run openvpn with sudo
Just above the exit message it says "operation not permitted"
Aka permission denied aka need root perms/sudo
it's technically not even a misconfig, if you disallow that incoming port in fw you pretty much can't use dns 
Oh shit. How did I miss that
I mean it depends on context
Thanks it's working now
Not allowing inbound port 53 connections from external entities
¯_(ツ)_/¯
yes
It's also just a showcase of how you can find info from dns
¯_(ツ)_/¯
You won't always need to
The source port bit is mostly just as a more stealthy approach
It's configured to accept requests from port 53
As it's seen as a DNS server making the request
Because dns default port is 53
Normally when you connect to a port, your system chooses a random port >40000 to establish the connection
It's why if you open a webpage then use netstat you'll see a random port and port 443/80
It's basics of how systems talk to each other on the connection layer, you need to send data as well as receive data
Yes
Like how ssh is 22
Ftp is 21
in using the metasploit framework module I'm trying to set up a postgresql database with metasploit and i'm following exactly the instructions in the module on the pwnbox and its failing . Anyone else have the same issue?
I mean you asked why and you got a general answer, and started acting like a dick
Nah
Either way, you got your answer
keep getting no connection when i do db_status
plenty of people has answered you properly but you refused to listen
I mean, that's what it boils down to
And now you learned, don't ask questions in #general
You don't need to see things at a net admin level lmao
Just basic networking level
Key thing to learn; don't overthink
Sometimes the simplest answer is the most correct
And the nmap module explains why port 53 btw
It's where I got my info for it
yes that is what i said as well
the module explains why you would use something like source port 53
well i'm not the one teaching you. the module is
what makes you think @dim wolf is a newbie
i believe the module gives you an example of when you would specify the source port
that should be adequate enough to answer your question then
if it isnt good enough then ask chatgpt
a sysadm will set up firewall rules to ensure that traffic is routed to proper ports
then cross reference it with google searches
in this case, port 50000 to port 53 (port 53 is likely not blocked by firewall rules)
brother
HTB rank doesn't mean shit
chatGPT can be good at explaining concepts
but anything complex it loses the plot
like asking it a 20 paragraph question is different from asking a one sentence question
small questions yield stronger results
depends what you ask it
¯_(ツ)_/¯
your question basically comes down to critical thinking
let's not dive into this as a hypothetical
whenever you want
no
nmap is just the beginning
nmap and footprinting tell you what you're looking at
most labs are web based as their entry point
lol no
here's the thing; not everything taught in the modules will be reflected in the labs
some require a bit more info than the base of what you're given
sure you can have a strong base of understanding
but you gotta be ready to just say "fuck it, we're sending it"
and research
as active machines are barred from having writeups
so there's no guide to fall back on
It’s totally understandable and my apologies it’s just I wasn’t able to figure it out and was wondering if u can shed some light on the same question.
I will be trying again sometime soon and hopefully I’ll be able to find which module and figure out the damn answer to move on to something new.
Thanks for your suggestions also
everything needed is in the module
you can also google things
The Get-Command cmdlet gets all commands that are installed on the computer, including cmdlets, aliases, functions, filters, scripts, and applications. Get-Command gets the commands from PowerShell modules and commands that were imported from other sessions. To get only commands that have been imported into the current session, use the ListImpor...
I did check everything but not thoroughly but I will again once I sit down again. I also checked and tried google but wasn’t much of a help that’s why I decided to put it in here.
I will try again and if I couldn’t get the answer I will probably pop back here and get some more help
Much appreciated btw 🙏🏼 thank you for your time
my literal google query "get commands of an installed powershell module"
Hi all. I'm having a bit of trouble with the Oracle TNS section in the Footprinting module. I used the script in the lesson to download odat.py but when I try to run it, it gives me an error message saying: File "/home/htb-ac-1123725/odat/./odat.py", line 5, in <module>
from libnmap.parser import NmapParser
ModuleNotFoundError: No module named 'libnmap'
Anyway to resolve this issue?
pip install python-libnmap but you should just do sudo apt install odat and it will take care of the dependencies
Okay, I'll give this a try
Edit: It worked! Thank you!
General question. I'm new here and working through one of the modules. The content is great, but the lab access is horrible. The connection keeps freezing after about a minute, which makes it impossible to complete the exercises. Is this normal with high load times?
working on this same module right now, still getting the error with mssqlclient after running the pip command. tried in my own virtual machine to make sure everything is up to date. i don't get the error, but it just doesn't connect at all. not sure where i can troubleshoot from here
use sudo
for mssqlclient?
no for pip install
Am done with the module,it was right there in front of me but it’s just I thought that would have been easy and it’s not the answer but eventually found out it is! Thanks for your help and have a blessed evening 🌹
yes but that's due to where it's pulling mssqlclient from (The global install) so you need to upgrade it globally
i did run it with sudo tho..
then sudo pip uninstall impacket --break-system-packages && sudo pip install impacket --break-system-packages
to force it to reinstall
aight
but i generally suggest just sticking to your own vm
it'll be an overall better experience ¯_(ツ)_/¯
might do that. going to try reinstalling impacket on my vm and see what happens. if not, i'll move on
use pipx pls
well is your machine connected to the VPN?
yea
did you turn off the pwnbox when testing with your machine?
you're not my dad
no, i just terminated it, i'll try again
also pip is fine for the pwnbox testing
but pipx is better for your own machine
just get "encryption required, switching to tls" and nothing else. i'm coming back to it later, going to work on something else. thank you for your help though, marcie
yeah try upgrading your own impacket install
alright
or reinstalling it
same pip command?
got it
sudo apt install python3-pipx iirc if it's in the repos
has anyone been able to get the skills assessment for the new API ATTACKS module? if so please send me a DM
same thing. again, thank you for your help and patience. i might go and come back, think i need to rest a bit.
It should actually be straightforward.
Where exactly are you stuck?
I was able to get it, just had to have the ai make me a much bigger wordlist lol I swear every single time within minutes of asking for help xD
I was stuck bruteforcing the security question answer 😛
Search for a suitable list
Or have one created by AI
yah thats what i did
bug bounty hunting process module:
Which base metric value of the base score considers that attackers can only exploit a vulnerability if they reside in the same physical or logical network as the target host/application?
I tried all the answer formatting, but still I didn't get it.
Take another look at the descriptions in the text
I tried everything and the answer is very clear
couldn't run mysql in the pwnbox, anyone else have that problem? just did mysql and mysql not found
run apt install mariadb-client then try mysql again
Web Shells: Laudanum
Uploaded the shell, but can't figure out how to find the path. When uploaded the website gives me a path, which brings me to a 404, noticed in the module that the syntax written was "//file/shell" tried that and it did a google search, any nudges?
hint: \
tried \files\shell.aspx, \files\shell.aspx both to no avail, is it the type of shell I'm trying to use?
was user error
figured it out
Hello,
I am doing the SQL Injection Fundamentals section "Intro to MySQL." The Pwnbox does not have MySQL installed. Is this normal?
SOLVED
Update, you need to install it with the following commands:
wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-server_8.0.35-1debian12_amd64.deb-bundle.tar
tar -xf mysql-server_8.0.35-1debian12_amd64.deb-bundle.tar
sudo dpkg -i mysql-{common,community-client-plugins,community-client-core,community-client,client,community-server-core,community-server,server}_*.deb
anyone else having issues with nmap version scan right now?
it's not working on my host machine, my vm, or pwnbox
What's happening?
nmap not working would be a local issue. do you mean it's not working vs a specific target?
okay so i haven't tried it against other targets yet but turns out it only doesn't work with port 21 at least on this particular target. the scan just stops at around 83% and never finishes.
when i specify no ports it finishes the scan, but it doesn't give me the answer i need. i need the FTP server version and all it's giving me is the server name
it's for some reason refusing to enumerate port 21 which is coincidentally the only one i need
the default service for port 21 is FTP. have you tried just ftping into it?
yeah i was able to ftp in and get the flag perfectly fine
i think the nmap thing might have been intentional because i got the correct answer from banner grabbing with netcat
Module: Active Directory Enumeration & Attacks
Section: Skills Assessment Part I
Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433 and submit the account name as your answer
I was gonna Kerberoast using Rubeus, but obviously the Tools folder we've had so far isn't present on the target machine. Do I have to compile Rubeus myself or is there a simpler method to get the Rubeus binary?
.
https://github.com/r3motecontrol/Ghostpack-CompiledBinaries you can transfer the binary on the target machine
Thanks!
suggestion; on any of the other AD targets go to C:/tools and nab all the tools there
I was just thinking of doing that. Thanks 
I'm thinking of committing all the binaries to a git repo for me to clone easily whenever I need it.
just always make sure to checksum them (Get-FileHash -Algorithm md5 C:/path/to/file in powershell)
Will make sure to do this. I often skip this but it's a good habit, saves the trouble of scratching my head when something doesn't work later and it turns out the file wasn't transferred correctly 
copies powerview over
it doesn't import
filesize is 0bytes
wtf?
Howdy gang, currently going through the web-proxies module and used burp to inject the ;cat flag.txt;.
My question is, why do we need the ; ? Or a better question, what 'language' is being used?
the initial ; ends the first command as the command being sent to the server is ping 127.0.0.1; <second command>
It's to end the previous command
This is perfect, thank you!
I believe it should be explained if not; there you go
it's basically as if you're doing
ping 127.0.0.1; cat flag.txt on the host itself
where it's reading the file in the webroot, flag.txt
does it only need 20 points now
it works for me
