#modules

the result is not the same if you pipe the command into base64, bashfuscator does some tricks:

How did you grab the samaccountname 😉

@heady vine lmk if youve got something

Sure thing.

your command was close. You literally just need to add "description" to the -attr flag

thanks marcie

i dont know if you are girl or boy, btw u are king or queen

thanks very much to help me

I am kind of stuck:
this is what i have som far. That i think is right but it says no.
I have tried both of the outputs:
here are the version thing and this to it says is wrong

You need to ssh to the target to answer the questions

Hey guys, I'm in the file upload module whitelisting section and I managed to upload a php file using file.php/.png or file.php.\.png - The thing is I dont know under which filename they get saved. I was guessing they will get saved as file.php but I get a 404. Any ideas?

That does not really tell me much, i started with this today really, i have some knowledge from this from school and own preactices

OK, I need help: Currently working on the File Upload Attack module -> Blacklist Filters. I've run through the following lists: PayloadsAllTheThings/upload insecure files/extension php/extension.lst

seclists/discovery/web-content/raft-*-file-extensions.

not finding anything that is executing. Thoughts? Advice?

now i am in this module:
LLMNR/NBT-NS Poisoning - from Windows

i have to answer this question:
Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.

i found the hash, can you recommend a wordlist that works? because when i go to use rockyou it takes really many hours

The issue could be that your are fuzzing too fast. Try with removing the -t 60 . I had to add --timeout 20s.
Like said before do not grep. You have to see the output and then you filter the results you do not want.

Good tip, thanks. I'll try that in a bit, I'm seeing if I have any luck with wfuzz atm.

one of the accepted extensions is executing, trial and error

am I at least looking in the correct lists?

it is contained in this list

lol well... not sure luck has anything to do with that skills assessment : )

Thanks. I'll go over everything again. I have to have missed something somewhere in the reading. I don't feel like it should be this hard...

yea it is jsut one of those extensions in the list that can run in the server and is also allowed to be uploaded

have you tried the seclist wordlist they advise you to try?

SecLists Web Extensions. Yes.

My intuition at this point is that I missed something either in the reading or in my testing.

good evening again, I am in this module:
LLMNR/NBT-NS Poisoning - from Windows

I have to answer this question:
Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.

I found the hash, can you recommend a wordlist that works? because when I go to use rockyou it takes really many hours

a wordlist that isn't thousands of hours or miles long

there are always smaller rockyou versions in seclists. but the password is not in a smaller version unfortunately

could you tell me which wordlist I should search in?

sorry to say but it is only in rockyou

😢

sad react

are you hashcating from the vm?

yes i use hashcat

above the questions and spawn instance button (at the bottom of the reading) it tells you how to ssh to a server

rockyou should work; also it shouldn't take hours with hashcat

you might want to install hashcat on your host so it can access more ressources, like your GPU if you got one

estimated time != actual time btw

its to loooooong

you don't need to do -a 3 iirc

a 0 ?

no -a

just -m 5600

any luck?

ok thanks quet

Unfortunately. Changing threads and adding timeout didn't change anything 100,000 403s still. I'm still messing around. Not ready to call it quits yet.

i decided to take a little mental break, maybe its something on HTBs end that is going on

will get back to trying in a few mins

Ya could be. I may do the same, but a bit more struggling is still in order on my side.

it would have nothing to do with htb infra as these are docker containers, not private machines

what command are you using at the moment?

unless the endpoint people they use to host/launch also is fucked

does the box work on your end?

gobuster vhost -u http://inlanefreight.htb:54230 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --domain inlanefreight.htb --append-domain -v | tee gobuster_vhost.txt

why do you pipe everything to something? : D

tee lets me save it to a file for easy searching

you dom't need to do that

Yes, but it doesn't affect the output. It just makes it easier to search.

if you are motivated enough, try to send your fuzzing through burpsuite and see what you are actually fuzzing

it will make total sense if you see the actual request

I did think of that and captured them in wireshark. It seemed ok, though I must admit I don't know how gobuster's vhost enumeration works.

Ok, thanks for the tip. let me try it again.

i believe you can blackist a response with -b with gobuster

Nice. I figured there was an option for that somewhere, as wfuzz has it, but ... impatient.

hmm

i do think the whole thing is broken lol

i'm trying the working commands and everything gets 403

nah someone goofed on the backend for the spawns

even the correct subdomain is 403

LOL well honestly that is good to hear. I'm going to keep poking at it, because I am curious at what gobuster sends anyway.

you're not gonna get any valid results

what does that mean?

ALL subdomains and even the main domain is 403

Ya, I'll try it on a valid vhost on my own machine, spawn a docker or something.

do we just let it be for today?

probably for the best

i submitted a help ticket for it

:)

you just lost some life in this...

thanks for trying to support us either way though :D

at worst i'm bugging Tejas to fix it

So for the Attacking Domain Trusts - Child -> Parent Trusts - from Linux - I seem to be at a loss. I've spawned my target, it says to SSH to it, in reality its a windows box. I RDP to it, and its a windows system. I tried using the default parrot VM mentioned in a previous section, its up and I can ssh. However, whenever I try to replicate the steps of running secretsdump as shown in the screeshots - it doesn't work . Any idea what I am doing wrong?

Haha, it happens, and I was all too ready to believe that I was doing it wrong (maybe I still am).

I'll give it a go another day, maybe move onto another module for now.

are you inputting the htb-student password when it asks for password?

haha yeah sorry for thinking you were wrong : )

once is a skill issue, twice is a pattern

three times: neuron activation

indeed - the password provided below the target spawn button

LOL no worries

the one that correlates to "htb-student_adm"

haha yeah i guess I become more biased hanging too much in here... always assuming it is a skill issue and not a tech one : D

not tracking when we collected that password. I was assuming that was the same password as the password for htb-student

so i setup a vm with parrot os and each time i try and ssh into the target i spawn i get connection refused, anyone know why or am i dumb lol

nope

it's somewhere in one of the previous sections

are you connected to the vpn?

(Not an admin) Any errors when running openvpn?

it's given in the previous section

but the password is indeed not the same

as a note; any credentials you should always save

im ngl, i didnt have openvpn running, so imma just cry now as i am dumb, been using the pwnbox and decided to switch to a vm for more practice and i forgot about that

previous section as in the Windows portion of the Child/Parent trusts?

yes

any idea why I keep getting error

I haven't been able to get it to work, is there another guide? I install ParrotOS, shutdown, remove the installation media, turn back on, but files do not save still?

you did the full install thing, going through and selecting the appropriate options?

i do not have a specific link to give you sorry. I could search on google but I trust you are capable as well of finding one that suits you

your creds are incorrect

well first off '<PASSWORD HERE>'

check your first command

you're supposed to change that homie

thanks

bro got out with new clothes and the tags are still on

Hi! Has anyone solved this web proxies exercise? I'm having difficulty, and I would appreciate talking to someone.

Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)

did you use burp repeater?

or zap?

i believe the section goes over how to set a custom thing/prepend a string

In this exercise, I am using two Python scripts to encode and decode. Once I had the 31-character cookie, I created a line for each alphanumeric character. After that, I encoded it in reverse, used all the options, and it was never correct. I have the 88 characters from the hint; maybe I'm doing it wrong.

hint "With payload processing in Burp Intruder, first add the decoded cookie as a prefix to the payload, then encode the entire payload with the same encoding methods you identified earlier (in reverse order). The final payload should be 88 characters long, similar to the one from the previous question.
"

you don't need a python script

and the intruder has an encode function

you basically just do the reverse of how you decoded

Do I just need to use the Intruder?

yes

what section exactly is it?

Skills Assessment - Using Web Proxies

Web Proxies

ah it's the skill assessment

Yes

decode cookie, put that as your prefix for the intruder command

In Attacking Domain Trusts - Child -> Parent Trusts - From Windows Module - what is the DC to target the INLANEFREIGHT.LOCAL. It appears when I'm trying to follow the instructions, my system is pointing to the LOGISTICS.INLANEFREIGHT.LOCAL domain, rather than the parent domain

then, you use the "encode" options to REencode the payload basically back as it's processing

weren't you just on the next section? don't be bouncing around

you told me i had to go back to get what i needed...

read above the questions dude

i'm just following your instructions...

it's that simple

they give you the htb-student_adm creds

youre saying these are the creds from the previous section?

yes

those were the creds i was using

I thought you said you were using the regular htb-student creds

they are literally identical in terms of the password as htb-student

no... they aren't

nevermind...ugh

"htb-student" and password "HTB_@cademy_stdnt!"
"htb-student_adm" and password "HTB_@cademy_stdnt_admin!"

they are in-fact... different

I don't have Burp Pro; can I do this work anyway? I'm doing it right now.

idk why you're getting frustrated lol... i'm telling you the pw are different

you don't need burp pro to do it

frustrated at myself for not reading. Fairly certain I entered the right password, but will retry, cuz its 99% likely user error with these things

i send dm

there was definitely a glitch of somekind, because the first nmap scan is of the system that spawned for me when I ran into issues (note my initial confusion around it not allowing me to SSH and I had to RDP). Second screen shot is of nmap of re-spawned system, after i shut down the old windows system to respawn the previous module, and then coming back to the linux module and spawning it

i don't do dms

all the options you need are in the intruder menu

add → prefix (the 31 character string)
encode → last decode you did
encode → first decode you did

it's that simple

and it should give a handful of hits for the flag

it also helps to look at all the responses, it's not like in some assessments where the result will just be the flag

Thank you, I will see how I can solve it. I'm having some trouble since I have always worked from the console and not with the Intruder. I have used the Repeater more for CTFs, but now I am entering this world of bug bount

Can I give Burp Suite the alphanum-case.txt file from SecLists to append each line at the end and then encode?

just follow the basic steps to send the request to intruder

just let it replace the value for cookie

if you highlight the the value 4d... in the request and then right-click -> send to intruder it'll automatically set it for replacement

if you want to get fancy with it you can use the "grep match" setting too; and add HTB{.*} (and be sure to select the regex option radio button)

Hi,

I was working on the Skills Assessment for the "Information Gathering-Web Edition" module.

When I try to access the page, it says I don't have permission (403 Forbidden) at http://ip:46606.

I've already added the IP to the hosts file and I'm connected to the VPN.

I wanted to ask if anyone else is experiencing the same issue because I searched for an updated walkthrough of the room on YouTube and the person was able to access the page.

You can access the Docker containers without a VPN
If you have entered the IP and the domain in the hosts file, you should be able to access the website via http://domain.tld:<PORT>

I tried too but the same problem 403 Forbidden

How did you enter the ip and domain in your hosts file?

etc/hosts
94.237.49.212 inlanefreight.htb

On browser I put: http://inlanefreight.htb:46606/

And the command
curl -I inlanefreight.htb:46606 gives a 403 error?

If so, restart the lab

yeah give me the same error and I've already restarted the target 3 times and still have the same problem

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>
<h1>Forbidden</h1>
<p>You don't have permission to access this resource.</p>
<hr>
<address>Apache/2.4.61 (Debian) Server at inlanefreight.htb Port 46606</address>
</body></html>

I don’t know what the problem might be. I’ll move on.

Thank you for your time.

Contact the support team. Something doesn't seem to be working properly

I tried to use the Pwnbox too and have the same prob. I will contact the support team

i have a question

Fire away - don't ask to ask

🙂

I'm trying to execute this command in the URL "https://94.237.59.199:38381/ping.php?filename=127.0.0.1" and I need to read the file that is /flag.txt. I added a semicolon and tried to see localhost/flag.txt, but it doesn't let me. Any advice?

anti CSRF-Tokens and CSP header not set

ZAP found 2 medium vulnerabilities: "Anti-CSRF Tokens and CSP header not set."

Which module is this?

Module / section

Using web Proxies / Web Scanner / Zap Scanner

hint in the web "i am trying the ping devtool but it is not working.
I tried the following:
/ping.php?ip=127.0.0.1"

Firstly, that's a tier 2 module, so please don't discuss any potential spoilers (you haven't so far), but rather ask for generic advice - someone may reach out to you to nudge you in the right direction. Secondly, I think perhaps you have missed some details from a previous section - Automatic Modification

I'd advise you go back and re-read and practice what that is teaching 🙂

That should get you on the right path

I understand, I will review and reread the section. Thank you very muc

for the advice as this is my first time on the server

can i get a little guidance to the Windows Event logs and finding evil first question on the skills assessment? it says to examine the directory to determine the process responsible for executing a DLL hijacking attack. am i supposed to imitate the attack and then look at the log ?

no, all you need is to inspect the provided log files

ok ty

Anyone know what is the prerequisite to do a petit potame attack is the ad cs is necessary to able to exploit or we can carry out the attack wothout the ad cs to be present

AD CS is required

petitpotam is not even strictly an attack, it's just a coercion method

it's useless if you can't chain it to something else

Having a hell of a time trying to find some initial foothold on AEN, doing it blind... Learning Web stuff might not be my strong suit right now

Hey, @next bronze can I DM just to confirm it's a issue on the VM / Pwnbox or routing problem and not spoil some of the info on the module?

for those you'll need to check with support, I don't have access to the backend stuff

I also don't use pwnbox

Not this specifically.... I've seen a couple of old messages and just want to confirm the info.
If it's confirmed, I'll know there is some issues in routing or the VM.

On the Windows Lateral movement module

Since there could be some spoiling info

Can anyone help me in the Broken Authentication module for getting the OTP. This is my command:

ffuf -w mixed_otps.txt -u http://83.136.252.57:35419/2fa.php -X POST -H "Host: 83.136.252.57:35419" -H "Content-Length: 5" -H "Cache-Control: max-age=0" -H "Accept-Language: en-US" -H "Upgrade-Insecure-Requests: 1" -H "Origin: http://83.136.252.57:35419" -H "Content-Type: application/x-www-form-urlencoded" -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.6478.57 Safari/537.36" -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7" -H "Referer: http://83.136.252.57:35419/2fa.php" -H "Accept-Encoding: gzip, deflate, br" -H "Cookie: PHPSESSID=ub39g1j86hfu7gpj0mmmkp5ohq" -H "Connection: keep-alive" -d "otp=FUZZ" -fr "Invalid OTP."

Module: XSS
Section: Phishing

My issue is im not obtaining the credentials from the user, however i tested it on myself and it worked, im just stuck when it comes to the php part im not understanding what im supposed to do

What section is this?

Would you be able to help me if possible?

DM me your payload

Which section?

This is the Broken Authentication section (the skills assessment)

@cloud urchin ^

Brute force is the wrong way 😉

I used brute force to find the user, then the password, and then I logged in but there is an OTP, so this is not what you do?

Look in the module. Other techniques are shown how you can bypass something.
You won't get any further here with BruteForce.

This one! I can ping the IPv6 address with 0 loss, but nmap returns all ports filtered or closed
Just to confirm.

Also could only achieve this with ligolo-ng
Proxychains + chisel don’t want to work for anything

I didn't write down notes for that but I was able to scan with nmap through ligolo

need to add the ipv6 route tho

that's all I can remember

hi

h r u all

??

i want to write penetrate in msf

any one help

[;z

I’ve added the IPv6 subnet to the ligolo interface routing table already but still nmap returned nothing.
So you used ligolo and not chisel+proxychains then!?
Saw that you had some issues on the WSUS section that was resolved by switching VPN servers right?

yeah I don't use chisel unless I have to since ligolo is much easier to use

I guess

the WSUS thing was fixed, the rouute wasn't configured properply for US vpns

It’s more reliable and flexible I think

yep

Will try again in a while

Thanks

please any help

Your question makes no sense, what module/section/question are you stuck on?

sorry i want to write exploite and tried multible things to make it done well but without solution

i use msf

If you’re talking about a module of Academy let us know. If it’s just general exploit writing, not something we can help you with here 🙂

do u have knowledge about what i am talking about

metaspolite

kali

Might be just best to check out Academy

check the metasploit docs on kali

dont know Eng very well

and these apps also

but in need for this help

they provide a book with everything about shellcoding, and are you talking about porting exploits?

please

this discord is about the hack the box website and their platforms, this channel is specifically for help with the modules on academy, you probably won't find help with that on this server.

thats very specific 👀

@wary stump huh?

are u interestined in?

we don't do soliciting here, read #rules

are you sending it to /phishing/send.php?

no. soliciting. for. jobs

this is not a hacker for hire server

i suggest you stop asking

I wnat u help me.

We can't help you with what you want.

hey, im having some issues with information gathering virtual hosts. im trying to run the gobuster to solve the exercise at the bottom but don't get any hits on my wordlist

have you added the correct port to your url?

show us your command 🙂

gobuster vhost -u http://83.136.252.57:45218 -w /opt/useful/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain inlanefreight.htb

this is what i have at the moment, when i try with inlanefreight instead i get an error

i am using the htb pwnbox system

you need to add the domain as a separate flag

--domain inlanefreight.htb --append-domain

or add the site to your /etc/hosts and gobuster vhost -u http://inlanefreight.htb:port ...

okay i see, i was just missing --domain. thank you!

working now!

Hi. I need help with the ~~pivoting ~~ Lateral Movement module please. the MeshCentral section. Authenticate to (ACADEMY-LTMOV-SRV01) with user "admin" and password "RemoteManagement01"

• 2 Connect to MeshCentral (https://<IP>. What's the device group name where DC01 belongs to?

I tried to authenticate with rdp, evil-winrm without success. How are we supposed to aauthenticate ?

Thank you !

huh? meshcentral? that's not in the pivoting and port forwarding module

what's the name of the module?

sorry Lateral movement module

I am also facing the same issue, did you get any support?

like 7 hours ago, it was broken somehow. Haven't tried it since.

hey everyone, i am facing an issue

any one help me 🙂

even after entering correct url but still i am getting incorrect

😦

i guess this has to do with the port you specified

oh yes

Thanks buddy,
have a good day

thank you, you too.
Maybe remove the screenshots as they contain spoilers

Guyz hello

they are automatically removed

hy

I want to learn hacking and cybersecurity

Is there who can support me and give good courses

https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

u can learn here how can u learn Cyber Security and its different paths.

That was me 🖐️

hey goblin how are u?

hehe hidden man.

Same old, how're you?

yeah i'm good.

Hey Bunny I have re-done the entire module but I cannot find anything other than what I was doing with the brute forcing, can you get me on the right track?

What is it exactly that you need help with? 🙂 When I get on my computer I am happy to help (feel free to dm me)

I'll be on my computer in about an hour

just tried it like an hour or so ago and it worked

it was just working for me earlier

It is technically impossible to solve the C# module without using vpn connection and only pwnbox.

The directory at the final skills assessment is something with h******s but I don’t have permissions to access it via browser and yes I’m the pwnbox

?

pwnbox naturally uses the vpn but idk what you're talking about

ANNND it's broken again

:( ik it's broken because on a fresh spawn i'm curling with the host header of the subdomain i know works

chatting with support about it now

as a note for anyone doing the Information Gathering Module - Skills Assessment; there is currently an intermittent issue where sometimes the targets spawn but don't let you actually connect to them (403, and scans reveal a load of 403)

note: this does affect the subdomain/vhosts that are correct too, so scanning won't find anything

support said looking into it 👍

I wanna learn ethical hacking from hack the box can anyone please provide the direct link of the module?

there's no one module my guy

search htb academy and click on the first link

https://academy.hackthebox.com/path/preview/information-security-foundations gonna have to start here if you're brand new

learn to walk before you run

You have to download dll files and there is just a button to do that no link for the final skills assessment. Also it’s not possible to access the subdirectories of the target on the browser

that's spoiling the module, most people do it blind

aight. keep your web root to yourself then 😄

i meant your question is revealing a portion of the AEN module

you goon

oops

i should try not reading the questions

found flag!

most people do it Blind

blind = not reading the question and going for full domain compromise

then going back through and answering the questions

hello i am doing Bleeding Edge Vulnerabilities on Active Dir Enumeration and Attacks, i am trying the petitpotam attack, when i am running the PetitPotam.py i am getting an error that looks like this
Trying pipe lsarpc
[-] Connecting to ncacn_np:172.16.5.5[\PIPE\lsarpc]
[+] Connected!
[+] Binding to c681d488-d850-11d0-8c52-00c04fd90f7e
[+] Successfully bound!
[-] Sending EfsRpcOpenFileRaw!
Something went wrong, check error status => The NETBIOS connection with the remote host timed out.

did you run the ntlmrelayx server?

also i didn't do petit for this

for this section i used the exploit referenced in Q1

yes i already running, i did this with nopac, but i heard ADCS vuln are more common so i want to try petitpotam

¯_(ツ)_/¯

hahaha okay

ADCS is a t3 module; so it's not expected for the CPTS exam

Nevermind, the petitpotam crashed but i still got the cerificate on the ntlmrelayx, so i can proceed with the attack, i didnt check the ntlmrelayx beacuse i saw the error on the petitpotam program thinking it didnt work

LOL even the example technically shows an error happen

not the same error though, i mean a nice hardcore python error
Traceback (most recent call last):
File "/usr/local/lib/python3.9/dist-packages/impacket-0.9.24.dev1+20211013.152215.3fe2d73a-py3.9.egg/impacket/nmb.py", line 984, in non_polling_read
received = self._sock.recv(bytes_left)
ConnectionResetError: [Errno 104] Connection reset by peer

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/PetitPotam/PetitPotam.py", line 461, in <module>
main()
File "/opt/PetitPotam/PetitPotam.py", line 457, in main
dce.disconnect()
......

Connection reset == Bad connection

the AD enum module is a bit of a pain sometimes, changing vpn regions can be more stable for the internal network

I am now at section PKI - ESC 1 in Windows attacks and defenses module.
When I RDP to the WS001, I can't login because "The trust relationship between this workstation and the primary domain failed.".

How to fix this issue?

@simple loom

What command r u sending?

xfreerdp /u:bob /p:'Slavi123' /v:172.16.18.25 /dynamic-resolution

wait a couple of mins and try again, if not reset

Hey, im stuck on the skills assesment for information gathering web edition. i am doing curl -I ||http://inlanefreight.htb:32634/admin/|| and only seeing|| apache|| for the server header. this is for the question what http server software is powering the inlanefreight.htb site on the target system?

Try another method of information gathering like vhost enumeration

im using the pwnbox and when i do that with the top subdomain wordlist, i get 200 on every attempt which doesnt seem right

apologies, that was happening without the hidden page, let me try now

Tried following what you explained here but having some trouble working it out. It is for Pivoting Skills Assessment.

I've found two accounts which may be subjective to PtH (ape......... and Adm..........)

doing that i only get context errors

uh it's hard to say why it's not working with just one command, I'd suggest not use msf unless you really have to

try some remote tools like impacke'ts psexec

Just to be sure, essentially I would have to make sure 135/445 is accessible for the DC then, correct?

yes, if you want to access multiple ports, just use a dynamic tunnel

just found this, i think this is my issue

Which option would you go for for the tunneling? According to the ones listed in the module.

I will try with Invoke-TheHash through rdp but not sure whats happening

you'll need to transfer the whole Invoke-TheHash repo to be able to import them
https://github.com/Kevin-Robertson/Invoke-TheHash

I would just set up a pivot and do it from my attack host tbh

hi guys when choosing a vpn what to look for for low ping

Is it possible I can send you a dm to show you the network diagram that I made for the skill assessment? To make sure I'm doing things right :-)

hi

The one closest to your location

https://xre0us.io/etc/htb-academy-latency-script/

unfortunately i don't remember a thing about the SA so can't help there

hi

https://academy.hackthebox.com/module/67/section/607

hi, why does my RDP connection fail

I think you are looking in the wrong place. You also don't need to use msf for any of it.
You can send me your network map if you want and I can compare it to mine.

Because you're supposed to connect to MSSQL, not RDP

Use single quotes on the password

Anyone else having issues spawning targets?
Working now

try now

xfreerdp has been having issues on pwnbox as well, use rdesktop or remmina

Still

I mean you generally aren't scanning ipv6

Most scoped things fall in an ipv4 cidr range

You mean the flags?
If I don't set them it will take forever

hello guys

Also, that ip isn't the right one, I believe you want the fe80 ip to scan

Even if I set a 'nmap -T5 -6 -p' will have to set port ranges for it to work

?

What do you mean?

nah that module has ipv6 targets

Really? Huh

Weird

it worked for me idk

Currently practicing some reverse shell work. Set up a listener nc -lvnp 5454.

When I execute socat with EXEC:bash from the victim host, I get a stable reverse shell that doesn't drop, but if I use EXEC:/bin/bash, it connects and immediately closes the connection. Anyone have an idea? Can't seem to find anything on the internet and ChatGPT isn't helping

Think there is an error in web requests module. On the search.php?search= one where you are supposed to figure out that search.php is used, the script.js throws an error so you never get to that point. Watched a tutorial after struggling and network tab was different to mine with same steps

does this machine Attacking Domain Trusts - Child -> Parent Trusts - from Windows take more than 10 min to spawn?

guyz i need help with androrat

anyone else having trouble with rdp?

[ERROR][com.freerdp.core] - transport_connect_tls:freerdp_set_last_error_ex ERRCONNECT_TLS_CONNECT_FAILED [0x00020008]

ping the host

i can ping yes

try again now myabe it had problem until initalized

nvm

Add ignore cert option

Did you find a way?

They solved it 🙂 we figured it out in dm

hello
for the module Intrusion Detection With Splunk (Real-world Scenario) im struggling on the question Navigate to http://[Target IP]:8000, open the "Search & Reporting" application, and find through SPL searches against all data the method through which the other process dumped lsass. Enter the misused DLL's name as your answer. Answer format: _.dll
im sure that the answer is ntdll.dll but that doesn t work

Run it with -v 6 and look at the actual error.

Hallow

Can you tell me where the error is in my payload?
`throw({message: 'The input ""' + console.log(input[0]); + '"" contains the following invalid characters: [",',;,',"]', statusCode: 403})`

This error, right? Now I see where the ||>|| is.

The error is in the bottom line, you should be able to see the difference between the payload and the error.

Can anyone who has completed the intro to whitebox pentesting module give me a little help with a question?

I don't see the part of the query mentioned in the error message in the payload above it. Is it because the error is for an earlier request?

Look harder

Rerunning it so I can open the file and go through the log properly rn 👍

Its in your screenshot

Read the error, Read the payload. Check the difference. You already know what the issue is from blindly running the script so it should be easy to spot.

I've looked at the screenshot multiple times... the error just doesn't seem to match the payload

There's no 274, 1, 686, 0) at the end of my payload.

I can see there's zfuy but the part before that doesn't match the payload either.

That still doesn't explain where 274, 1, 686, 0) came from.

Oh, the 274, 1, 686, 0) could be the suffix of the original query.

I wanna ask if I understood it right, but certainly doesn't feel like it

Oh, great. What encoding is that?

It's not, afaik

It will be some kind of blacklist/blocklist

I see.

Don't spoil skill assessments answers

I deleted it. Sorry, I tried to avoid as many spoilers as possible when posing my question 😅

By stating what tamper and such you used and the screenshots, it still spoils

Noted

i dont know if it worked,but try to add the password inside '' ,and also add a fixed size for the RDP

Hi everyone, has anybody done the Dynamic Analysis section from Introduction to Windows Evasion Technique Module? I'm running into some issue with the microshell shellcode. I don't receive a call back from the revshell whilst the self-written c# reverse shell give me a call back. If someone else has had the same problem and figured this out please let me know

No

You never go positive in cubes

T0 modules give back all the cubes spent on them, t1 and higher only return 20%

Hello,
any tips for second question DACL Attacks II Skills Assessment?
I have a new user and trying to find the path to next target? It has to do with logonscripts? gpos? I have enumerated multiple ways but without sucess

gpo and scripts, first find the right script path

why the progress bar and errors the same?

This is my first time using ffuf so Im not sure what to expect

you're not going to get any hits for subdomains, you have to fuzz for vhosts instead

so what changes? i get confused between those 2

you need to add the Host header
ffuf -w wordlist.txt -u http://example.htb -H 'Host: FUZZ.example.htb'

Gotcha ok ill try that. if its not to long of an explaination, what does the host part of the command do?

subdomains will not resolve since they use DNS, and there are no DNS records for any of the domains you'll find in HTB machines

^

You'll need to add it to your /etc/hosts file

And if it is a public ip, you don't put the port in the hosts file

you'll need to fuzz for vhosts instead, and you can do that by adding the Host header and fuzzing that

how do i know that?

Does the target give you a port

yes

Then it's public

Ok thank you

10.129.x.x = private
Everything else = public

filter hits by response size, and you'll find your vhosts. add them to your hosts file and you should be able to access them in your browser

-ac is an underrated ffuf flag

what it do, not on pc rn

Autocalibrates

sounds awesome maybe

if it filters automagically

It does

gotta try it out at some point then

I adopted it bc ffuf fuzzing likes to give a bunch of 200s

what size do i filter by to find a vhost? and its just -fs # right?

Look at the common response ffuf spits out

yea, run it once it'll give you a ton of 200s

What is the common size among them

filter by that common size

Does it have to run all the way thrugh before it gives me anything back?

You mean after you set the filter?

I havent set the filter bc i dont see anything being sent back yet

Are you getting errors?

yeah

Your command also needs to have the port in it

... i put the port in the wrong spot

ffuf -u http://inlanefreight.htb:port -H "FUZZ.inlanefreight.htb" -w 'wordlist'

As said earlier, the port does NOT go in the hosts file

I didnt do that ik that. I just put in front for some reason. idk y

Lol

So if this is some of the returns i get, the filter is what? the size is the same so its not fs id assume

Size:

hey sorry but i don't think that is true, if I'm not mistaken there are DNS records in htb machines, just not in that exercise.
It is not because machines use private DNS to resolve the name that there is no DNS records, they are just not in public servers.
When you add an IP and domain to /etc/hosts, it is useful for resolving a domain name locally. Some tools accept you specify a remote resolver and then /etc/hosts entry is not imperatively needed, even though it is a good habit to add entries in that file.
So saying that could be misleading to there is only vhosts in htb and never dig or fuzz for subdomains.

It depends. But http requests will default to public dns servers

So does dig and basic subdomain fuzzing

dig accepts remote resolver

Yes. But that's not the default lol

You're skipping the point lol

i dont think so

The point is; by default you're not gonna get hits with queries unless you manually specify

yea, i meant to say no records in public DNS servers. if there's an HTB box running DNS, you could have some records in there for subdomains (which are actually vhosts) that you can potentially enumerate and access

no the point is saying there is no dns records is misleading

This is a case of distinction of vhost and subdomain

Vhost means that the host is on the same ip

Subdomain just means it belongs to the subdomain

While colloquially, they are interchangeable- they are different

sooo: ffuf -w wordlist.txt -u http://example.htb -H 'Host: FUZZ.example.htb' Size: 200? sorry i feel stupid w ffuf, its been irritating me all morning before i even asked abt it

-fs is the size filter

oh ok

But your results tell you what size to likely filter

which is whats confusing me bc all the hosts are 120

plus the rest of the random stuff

Which means you want to filter it

With ffuf, the filter discards results that are in the filter

The opposing would be the match

OH I thought it was just gonna spit the same stuff. ok thank you

you contradict just for like nothing... lol
subdomains have dns records and vhosts do not

ffuf --help or man ffuf

Vhosts can have dns records, if dns is running

vhosts can most definitely have DNS records

It would be pointed to with 127.0.0.1 on the dns record

ok you are right they can have dns records but it is not obligatory

even if that does not diminish my previous point : D

Major point being, you're not gonna get routed to a .htb tld

Not without manually setting it up

i think the only module that you'll maybe see subdomain fuzzing is Information Gathering and possibly DNS Enumeration Using Python

because the .htb domains you're given simply don't resolve to anything

unless the box has DNS + web server running

Can ANYONE help me find what I'm looking for?

Path: SOC Analyst
Module: Windows Event Logs & Finding Evil
Lab: Analyzing Evil With Sysmon & Event Logs
Detection 2 | Question 2

In the lab, Detection 2 guides to complete Detecting Unmanaged PowerShell/C-Sharp Injection. In the command that is provided, I am unable to find locate how they got -PoshCode.

Command:
Invoke-PSInject -ProcId [Process ID of spoolsv.exe] -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"

also footprinting module for instance, when you enumerate you got subdomains pointing to different IPs all on a 10.0.0.0/8 network. What I just mean is that people might think there is no need to search for that and in my opinion i find it to be an important part of the enumeration process

it's important, you just won't see it very often in the context of HTB boxes

I switch was I was looking for to directories using ffuf, and am getting stuff back but, I need to find a API key. I see that the 'admin' directory exists (whihc is where i need to go) with stuff in it but i dont know how to access that.

did i use this right?

hey, the poshcode is a base64 encoded command

I'm trying to find how they found it in the tutorial.

It's just provided

I'm not sure I'm understanding what you mean. The command in the tutorial is just an benign example, printing Hello, Guru99.
Let say an attacker want a reverse shell. They will write the reverse shell command in plaintext, base64 encode it and then inject the b64 string into a process.

Does that clear things for you or am I just explaining something you obviously already understood? 😄

@next bronze the sections makes multiple mentions of "tickets" without specifying if they r TGT or TGS and stuff are generally confusing there, look at the first mimikatz snippet for example

huh? nowhere in the pass the hash section did they talk about tickets

I get the perspective of your approach. Thank you. But, in this example they showed the example of adding the -PoshCode but I am not sure how they got that. I'm not sure where or how they came up with adding the PoshCode

"mimikatz - export tickets" What tickets??

where in the pass the hash section?

the first cmd snippet

sekurlsa::tickets /export

what is the use of these tickets, are they tgt

??

the first cmd is about passing the hash

That is part of how the module Invoke-PSInject works. You can check the help for that module it will give you more info

yo mb lol i meant the next section

execuse me

oh yeah that's about passing the ticket

completley different thing

exactly

hard stuff

I would suggest to do the Introduction to Active Directory module to get a better understanding of kerberos

i did it

ik the theory stuff, prob

yeah there's a whole section about Kerberos Authentication Process

yea its TGT and TGS, but what is the first mimikatz command supposed to do?

Sorry, I'm just not understanding.

the header of the paragraph explains it

Harvesting Kerberos Tickets from Windows

TGT tickets?

I'm not on that box so i can't print the help. But with a powershell module you can see the help by typing Get-Help <modulename>
you can see the code here or open the module in a text editor
https://github.com/EmpireProject/PSInject/blob/master/Invoke-PSInject.ps1

it does both

As users, are we not able to add images here?

i guess you have to follow the steps at #welcome to post images

Hello, module: web attack/Mass IDOR enumeration, why am i not getting that uid parameter like in the module? i have been struggling on this for few days... please help?

is there a trick to it?

oh mb, thanks

https://academy.hackthebox.com/module/112/section/2117

Module: Footprinting
Section: Oracle TNS

I'm stuck on the last question. Can any provide a hint, thanks.

./odat.py all -s 10.129.165.181 I run this and it doesn't find any logins.

it should work if you press C continue, can take quite some time

not sure to understand.. have you tried to manually type ?uid=1 or 2 etc?

Can ANYONE help me find what I'm looking for?

Path: SOC Analyst
Module: Windows Event Logs & Finding Evil
Lab: Analyzing Evil With Sysmon & Event Logs
Detection 2 | Question 2

In the example, they don't show how they got the -PoshCode as it's only given/provided. For me i'm just curious if anyone would know how or where to find this so i have a reference point to look it up.

Command:
Invoke-PSInject -ProcId [Process ID of spoolsv.exe] -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"

yeah i tried, it goes empty , and i cant carry ou the rest of the attack

HtB provide the -PoshCode. I'm just curious how or where they obtained that

what if you follow the rest of the course and burpintrude other uid numbers?

lol... mate... It comes from the PSInject.ps1 source code, you can see the Parameter there...

just finished doing that , nothing , same response, empty

1 to 100

sorry, i can't help you further. I do not remember it as being that problematic, but I can be wrong. I hope some will help you find a working solution.

any Obsidian wizards around ? I dont get why it is highlighting the first IP octet as purple

when you go into reading mode it will highlight the second one too ;)

Because it's silly like that is all

ah ok, I thought I messed it up somehow still looks better than no color highlighting at all

Ye

lol you are right, very strange

I appreciate you trying , thanks alot🦾

anyone ?

Now I get a problem trying to run sqlplus

Finally found login scott/tiger, same as in example, but now I get a problem when trying to run sqlplus

I'll try to figure out why. I may have to get a non distro package

i'm literally staring at this screen, hoping someone has compassion .... i hate this feeling of being stuck

nice keep going! If you go far enough you'll find a Dropbox with files...

sorry, where can i get help with linux?

hey @storm elk can you please look into this? i also did a parameter fuzz just in case, still didnt find anything

Try to do it via Burp as proxy and check the requests 😉

Hey guys i am stuck in blind xpath injection. if anyone can help please dm me

What do you need help with exactly?

@storm elk i am currently exfiltrating the nodes and it came up as /accounts/acc/acc. now when i am trying to exfiltrate the values in nodes "acc" its string-length value is 0.

The last node is incorrect

If you get string length 0

sorry, how can i ssh into htb-student?

i dont understand this

Best to follow Linux Fundamentals if you don't grasp ssh

i am following

okay did it

🥳

well done

Have you identified how it works, i.e., view source?

yes, got sorted thanks

got it, but all files seem corrupted, nothing shows, and i didnt file that .txt, it's talking about, i changed the extension in the script in hopes of getting it, any hint ?

got it

Sorry was out for a bit. Glad you got it

no worries

Great job!

how do you guys URL encode ? in the bash terminal, i'm stuck at web attacks/IDORs/bypassing encoded reference

Burp Suite has an encoder

curl --data-urlencode

true, but i'm trying to script that, with a loop, that module

https://gist.githubusercontent.com/jaytaylor/5a90c49e0976aadfe0726a847ce58736/raw/c33f972f431071a84cc9104adb9a4be7453a2e3b/url_encode.sh

i'll see how i can make this work

could anyone say if im in the right or "almost there" direction on the "Linux Local Privilege Escalation - Skills Assessment". so i got the hidden creds in || /var/logs with the user that has the permissions for it ||. Tried to spray the common creds on the tomcat login page, spend here a lot of time so i moved on and i tried mysql, and the other users but no luck here...

i want do to this blind, so i dont want hints/nudge. just tell me i am close

Can anyone give me a hint on how i can find a API? I did this hoping to find a directory but im confused and dont even know if im asking the right question

maybe use bigger wordlists?

and if you wanna try finding directories like /api you gotta change the command btw. now youre searching for api subdomains

i did inlanefrieght.FUZZ instead after i saw that

the question asks about the admin directory and thats what I searched after this one but came up with nothing again

did you add the domain in your /etc/hosts file

you tried inlanefreight.fuzz for directory fuzzing?

thats incorrect, it should probably look like inlanefreight.htb/FUZZ (for directories)

In our math example, we must decide where to place the smallest number to make it as easy as possible.

    either we place it on the first open digit
    or we place it on the second.

whats meant by this

20 * ________ + ________ = 65535

from which section/module is that?

ah ok thanks ill try that

infosec

infosec?

basically "learning process"

on "decision making"

`https://academy.hackthebox.com/module/113/section/1209
attacking common services

what encoding is this
<?php system($_GET[fe8edbabc5c5c9b7b764504cd22b17af]);?>

i dont understand where they got it from

and i cant find anything that decodes it

looks like it is a md5 value used for the command execution parameter

Hi, In module Linux privilege escalation in lab environment Enumeration and Linux Services & internals Enumeration it return error when I try submit answer. Can you check it's everything ok?

make sure you don't have any white spaces in the answer

I'm sure it's ok I try multiple times

is it an encoding or is it just a random parameter name?

its supposed to be a php command injection, but im guessing its encoded become not so obvious?

currently on linux fundamentals, im stuck on the question "submit the full path of the "xxd" binary." and i thought the answer was /usr/bin/xxd but i was wrong and now im feelin a little stuck

sometimes clear caches helps

you can use the which command to find the full path to any binary

/user isn't a dir

probably typo

ye, ment usr

Yup I use incognito mode every time.

I just found flag.txt in root dir and can't submit

Second is python version and can't submit too

Others labs not have issues

Hello can I please DM anyone about XXE? I have a question

I'm not looking at the module but IMO it's not encoded, it just looks like a random parameter name. like normally that shell looks like <?php system($_GET["cmd"]); ?> and to use it you use query string?cmd=whoami to pass whoami to system to execute but maybe an IPS or something looks for $_GET["cmd"] to trigger a signature. So in your example they just use a random parameter fe8edbabc5c5c9b7b764504cd22b17af which you would use like ?fe8edbabc5c5c9b7b764504cd22b17af=whoami

(my example isn't very realistic but just using it to illustrate why there could be a random parameter)

cause functionally there'd be no reason to encode the parameter name. (that I can see)

but if i've made an error plz someone come shame me

in the case of a drive-by attacker, they may brute force parameters and find the cmd parameter, which gives them RCE on the server which you don't want

unlikely but possible

that's why they used an md5 hash

could anyone say if im in the right or "almost there" direction on the "Linux Local Privilege Escalation - Skills Assessment". so i got the hidden creds in || /var/logs with the user that has the permissions for it ||. Tried to spray the common creds on the tomcat login page, spend here a lot of time so i moved on and i tried mysql, and the other users but no luck here...

Not knowing what you have enumerated, I cannot really say how close you are or aren't.

i finished "learning process"

Idk what to say because you didn't say what you're going for next. If it can help > ||the next step isn't mysql or brute force/password spraying.|| ||Try enumerating interesting files more||

i have big error when i login in academy how to solve that there is anyone can help me

I think that you probably want support. This is a place for tips on how to solve challenges.

i know i talked to support before 7 hours and not response uptil now

I haven't seen any tech support in this channel.

where supportt channel?

We're regular users just like you.

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

damn

i do that but now response

It may take some time yes, from what I read

fine

that makes sense. i thought it was encoded, but i guess its just a random string instead of cmd to bypass an idp/ips

whats wrong with this? gobuster dir -u http://94.237.55.236:49175 -H "Host: inlanefreight.htb" -w /home/ianworm/directory-names.txt (It says wordlist must be specified but I checked the path and its right, and the it also says domain must be specified and thats whats in the module

gobuster dir -u http://94.237.55.236:49175 -H "Host: inlanefreight.htb" -w /home/ianworm/directory-names.txt
also... check: File exists and is readable:

bash
Copy code
ls -l /home/ianworm/directory-names.txt
This should display the file with appropriate read permissions.

Correct usage of -H option:
The -H option should be used correctly as it is for headers. Ensure there are no extra spaces or incorrect characters.

If the command still fails, you can try running gobuster with minimal options to isolate the issue:

bash
Copy code
gobuster dir -u http://94.237.55.236:49175 -w /home/ianworm/directory-names.txt
If this works, then add the -H option:

bash
Copy code
gobuster dir -u http://94.237.55.236:49175 -H "Host: inlanefreight.htb" -w /home/ianworm/directory-names.txt

Thank you! ill try this

-w first

might be looking for the flags to be in a certain order

Ok

Same thing pops up

should I not be using the ip and be using the 'inlanefreight.htb'?

w the port

i don't use gobuster so this is outside of what i know

but the error messages point to some clues

check to make sure that your wordlist is where you're specifying

i did w -ls

if you're using a vhost, just put http://inlanefreight.htb or inlanefreight.htb

ok

and make sure you made the appropriate entry in your /etc/hosts file

I did that.

I dont put the port there right

don't put the port there

in fact you should probably put http://inlanefreight.htb:49175 if a port number is involved

ok ill try that

what module/section is this

Information Gathering web edition skills assessment

same error

Are you using the vhost argument in your gobuster command?

i'm actually doing this module rn..

I think so?

Which question are you on?

What is the API key in the hidden admin directory that you have discovered on the target system?

ok well mine worked

deleted bc spoilers

Gotcha

ok ill try it again thru the instance

something might be wrong with your install

what is an unkown shorthand flag in 'u' -u

jk got it

Hi all, quick question hopefully, I'm trying to run smbmap for the "Attacking SMB" section of the "Attacking Common Services" module... when I run it in Pwnbox, not problems connecting to the share with 'smbmap -H <target_ip>', when I try and do this using my Kali VM over VPN to the target IP, I'm getting the attached...

I've updated Kali, tried downloading the latest python script and running it directly... and even created a new Kali VM (fresh install) on a 2023 version of Kali, and I'm getting the same issue...

Is this a problem with smbclient? or an issue with trying to use smbclient via the VPN tunnel?

If I recall, that's the list I used...

Cool, I'll let it run through then. I stopped it the first time because I started second guessing myself but I'll see what happens. Thank you!

@fathom pendant btw, the issue with my xfreerdp not working lie with me having a backup vm that may or maynot have also been using the academys vpn

getting rid of the backup fixes the issue

@civic hamlet I was also having issues with RDP not loading and having a black screen and I fixed it by hitting space bar.

Also sometimes I have to wait a couple minutes, or run the command multiple times.

Im glad it worked for you

Are you having similar issues? Also are you attempting to connect from Pwnbox, or from a VM?

from a vm

it worked after I got rid of my backup vm, so everythings good

I'm looking for a hint: I'm doing some fundementals work in academy and am having trouble with the question "How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)"
I've been using netstat -lp and trying various greps to get the count of running interfaces but these answers are wrong so there's something I'm doing wrong.

Yes I was confused too but it's because xfreerdp doesn't draw the very first message and instead displays a blackscreen cf #modules message
You can see the message in question if you connect with remmina first instead

Yep..

Eyy,

Has anyone attempted the Advanced CSRF and XSS module? Specifically the Abusing CORS misconfiguration for CSRF

If I add Origin: any.htb to the request the server responds with Access-Allow-Origin: null

I did use the sandboxed iframe

It is just refusing to send any cookies and the browser says the error is because the cookies are treated as Third Party

nvm I got it

Am I missing something or is the lab just broken?

I respawned the challenge and still same behaviour.

Currently practicing some reverse shell work. Set up a listener nc -lvnp 5454.

When I execute socat with EXEC:bash from the victim host, I get a stable reverse shell that doesn't drop, but if I use EXEC:/bin/bash, it connects and immediately closes the connection. Anyone have an idea? Can't seem to find anything on the internet and ChatGPT isn't helping

If you write exec:"/bin/bash -i", what happens?

Password for [WORKGROUP\htb-student]: 

tree connect failed: NT_STATUS_BAD_NETWORK_NAME```

Why is this happening? ive spent 10-15 minutes trying to look for answers (firewalls, incorrect path to the shared file) This is giving me a headache, I guesss its deserved for not using pwnbox eh?

Did you try smbclient -U htb-student '//10.129.206.249/Company Data'?

I believe you need to escape the \ if I remember correctly or use /

Please

mmh, ye i was going for || user mrb3n or tomcat, think the tomcat page gives user tomcat.. || i got flag 2,3 and so not sure which use i should go for now || (tomcat or mrb3n) ||

||If you're still hesitating you didn't find the correct file yet, maybe try to search for interesting extensions?||

hey! i completed the Pivoting, Tunneling, and Port Forwarding skills assessment with chisel and im wondering if i can replace chisel entirely with ligolo-ng from now on? I had to try many times to get a xfreerdp session with the last machine

i knew i had the right credentials and all... took 3 attempts to connect with proxychains -q xfreerdp

#modules message

nice anology 🤣

what metasploit exploit am I supposed to use for the Automating Payloads and Delivery with Metasploit section of shells and payloads module? I tried eternal blue and two others and its not working. I thought if I tried to attack the SMB port because port 445 is open that I would get a reverse shell.

I also tried exploiting port 139 and it did nothing

am I exploiting the right port? I know if nothing else I'm getting the exploit wrong because I get this error that it won't let me post in this Discord server no matter what port I pick

I think I am getting something right because it won't let me post my output in this Discord.

which means it might partially be a spoiler?

automod blocked your message

did you try the exploit in that section of the module?

my advice is to use another exploit since it says "The target is not vulnerable"

try what the section shows.

another question about ligolo...
if i double hopped, and that new machine im connected on has a local port not detectable with nmap..
in this example port 3306.
Is it possible to use ligolo-ng to make port 3306 appear in my nmap scan and give me access to the local mysql service (if i have the creds for it.)?

aka port forwarding.

ligolo-ng is just a tunneling tool. it doesn't port forward for you.

https://scribe.bus-hit.me/@Thigh_GoD/ligolo-ng-finally-adds-local-port-forwarding-5bf9b19609f9

found this!!

https://tenor.com/view/you-birthday-gif-26304062

https://github.com/nicocha30/ligolo-ng?tab=readme-ov-file#access-to-agents-local-ports-127001

https://tenor.com/view/-gif-4475718

That is also cheese

that's cheese

I need to watch that again 😄

i thought of that extra scene earlier today 🤣

yes

ok got it

@dim wolf

ok I finished section I'm on next section

thanks for the tip bro.

switch \ to /: //10.129.206.249/Company Data

alternatively double the backslashes: \\\\10.129.206.249\\Company Data

\ is treated as an escape character, so you have to specify \\ for one backslash

Am I supposed to know this stuff? Feel like intro to bash scripting should’ve been higher up on the security foundations path

Anyways, thanks

i'd consider the escape character linux fundamentals

funny guy haha

?

Wait that wasn’t satire?

it's not satire, that's basic linux bash shell

I took detailed notes for Linux fundamentals and it never mentioned anything about escape characters

i'm not saying it's in the linux fundamentals module, it's a basic os thing

might’ve been on introduction to operating systems

you should probably delete the pic as it contains module content and spoilers

Leverage SeDebugPrivilege rights and obtain the NTLM password hash for the sccm_svc Account. (https://academy.hackthebox.com/module/67/section/631)
Hey, I'm a little confused about that, but the account given by Case RDP doesn't have permission to dump

How do I get help then?

you simply ask your question

My question is why is my correct command not working.

If I don't provide the command I'm using, how would anyone help me?

because many people have completed the module

Ok I can delete it but can someone please take a look at it and tell me if my command is correct? Or can I DM someone?

your error says timeout

So I need to change the timeout in my proxychains file?

no it means it timed out

you could try that if there's a timeout in there

make sure you can reach the target still

So I don't get an error running CME against 172.16.6.50, but I do get an error when running secretsdump.py against 172.16.6.3. They're on the same subnet and I have the autoroute and SOCKS proxy set up for that subnet.

Oh it's because I needed sudo

i don't really use metasploit so i'm not sure. it's a timeout error not a permission error you had.

I got it to work.

After I prefixed the command with sudo.

It doesn't work for me without sudo

may be something with metasploit then

Interesting. Thanks anyway for the help!

ive been trying to upload a zip file to bloodhound but it just stays at 0% when uploading the data, ik bloodhound is discontinued and I tried uploading the same data to bloodhound CE which worked but isnt too useful for giving the info like the orignal bloodhound does. Do I need to use CE or is there a way to fix the data not uploading?

Leverage SeDebugPrivilege rights and obtain the NTLM password hash for the sccm_svc Account. (https://academy.hackthebox.com/module/67/section/631)
Hey, I'm a little confused about that, but the account given by Case RDP doesn't have permission to dump

ahem didn’t mean to be rude, just letting you know

run as admin

No I don't have access to that

yes you do, right click cmd > run as admin

guys so can someone help me i dont know what's wrong but how to solve this?

Where are the Applications related to the system stored at?

on Macos fundementals module

the password has underscores in it

Hey guys what do you think about the Senior Web Penetration Tester course and cert?

i think its a fun course

Did u do it?

not all of it but the modules i did do are great

Which modules did u do

advanced xss & csrf exploitation, modern web exploitation techniques

i have more unlocked i need to do

I am debating on whether to spend cubes on those advanced web courses OR to spend them on the advanced AD courses

both are good

I'm so confused on this module...there isn't enough time allotted by HTB to complete the required task. You literally have to have your script go through 10 million usernames...I must be missing something.

Anyone able to give me some sort of hint on the Enumerating Users module, by chance? Using the xato-ten-million.txt list doesn't seem to be possible unless I want to sit and wait here for like 6 hours.

which module ?

broken auth ?

Yes

i really not that long in ffuf

and u dont need to go through them all

just use the first one u get i remember its was fast