#modules

(also try adding -Pn) as the message suggests

getting started

public exploits

ah ok

the section you linked btw was the service scanning section

btw

but anyway; point still stands

-_-

the webpage holds all the info you'll need

:)

its ok with -Pn

gonna take a look what Pn means

disable icmp ping

nmap uses an ICMP echo request to see if a host is up, generally these public docker containers are set to discard/not reply to ICMP requests

oh okej so with -Pn i only do a port scanning?

but if the host was really down then the port scanning will not be succesfull right?

correct

okej thanks 🙂

Looking to someone can help me with this Module. I'm currently on the "Using Web Proxies section" and im stuck on the "Repeating Requests sub-section". Trying to find the other flag and the hint says it's not in the same directory, but when I edit the request to change, i don't change directories.

you can't cd in a webshell

a common place to find files is in the filesystem root / , or in the root home dir /root/

ls command can look in other specified dirs if you tell it to

ah okay, I was thinking I could cd. Thank you

webshells will always execute in the current directory and can't cd, it's a limitation

if you wanna be extra special about it you can do ls ../../../../../

Just got the other flag, thank you

👍

hey guys , can someone help me around with the SSRF sections in the Module of server side attacks

if im not mistaken u can "cd" but you wont "stay" there. i mean if its just cd by itself then its pointless...

That look like a whole lotta stuffy stuff

is it just me or the SSRF section in server side attacks in insufferable

just you

cd just doesn't really work much at all, at least in the sense most people would want to use it as

true, its kinda pointless.

youd have to chain it, with other commands. like cd /;cat xyz.txt. and if thats the case why not just cat /xyz.txt

it is quite pointless cuz then youd have to chain it

Bingo

🔥 💯

And who's to say that ; isn't blacklisted or otherwise not allowed

man i wanna bash thee computer

Hey everyone, is there a list of boxes that we can do before the exam to prepare it ?

Which exam?

sorry CPTS*

do AEN blind, it's going to mimic the exam best

There's also Ippsec's unofficial CPTS prep playlist on YouTube, but AEN is what's recommended

Anyone have issues with WordPress - Discovery & Enumeration - Attacking Common Applications? I can't get the vhost working. I've got it in my hosts file, I've tried to curl -H "Host: blog.inlanefreight.local" http://10.129.79.232 which should give me the vhost even if it's not in my hosts file. I have tried just curl on http://blog.inlanfreight.local. I have reset the instance a number of times. Just going to the IP I get ```<html>
<head>
<title>Testing Default Vhosts</title>
</head>
<body>
<p>This is the inlanefreight.local default vhost</p>
</body>
</html>

I got stuck on the following last question in the Kerberos Attacks module.
What's the content of the file: \\DC01\Secret Share\flag.txt?

I need a hint.
I monitored with Rubeus and got TGTs for ||SERVER01|| and ||jake.kirk||, but none of them seem to have access to dc01.

how can i found the specific information from the target in this module

https://academy.hackthebox.com/module/57/section/516

i have already generated the username,but for the password wordlist i cannot find it

with cupp -i i didn't the specific information

Read the hint again

think simple

done

That one is easy to over-think or over-do. Do what the hint says and you should get it.

I just started Selinux and could not find information how to configure it, so I asked chatGPT to help. After that user still can access the file. This is what he wrote to me. I think user can read and open file with these permisions isn't?
module mydenyuser 1.0; require { type user_t; type user_home_t; class file { read open }; } neverallow user_t user_home_t:file { read open };

https://academy.hackthebox.com/achievement/667914/23 woooo

bruh i feel so dumb... gotta think outside the box lmao

in this case... it's well within the box

so within the box, it's a basic command

why this is take a long time

Am just careless … it’s just never came up in my mind. When I wanted to change directories, the box was not allowing me too. I never thought of using the ls with a path

But thx though

because ssh sucks to bruteforce

shouldn't take more than like 10-15 minutes though

it has been more than 15minutes

then something is wrong with what you're doing :)

also make sure to have it cycle through usernames first instead of passwords

it'll be significantly better

i have already checked the write up and i do the same like they did

expect for cupp -i

you should probably use cupp to make the password

¯_(ツ)_/¯

yes

i do that

also make sure you trim the list

your wordlist looks far too big to have been trimmed

you have 3 rules you can use to trim with sed (note the sed commands they give will be fine with no modifications)

i already used sed

like I said your wordlist is looking too big from your screenshot

too much info

you don't need partner or child name in there

oh mb

Did you read the hint?

It tells you exactly what to do

anyone know the link to learn more about SELinux?

I'm actually stuck here

i mean the other thing being; trimming the wordlist

you don't need to set it up

is the short answer

yes the hint said just fill the information i get

Yeah, but the hint tells you ||start with their name, then if you don't get it, go larger||

yeah

basic info first

then trim according to the rules

¯_(ツ)_/¯

Try going as simple as possible with cupp.

@bright pivot deleting the screenshots as they're spoilers for the skill assessment

but i've given you more than enough info to get there, i literally just genned a list on my own system, and ran it

I need some assistance with the intro to forensics module, been stuck on a question for sometime

and it literally instantly popped

just ask your question

we can't read your mind to know where you're stuck or what you might be doing wrong

Also, if anyone is having problems with the wordpress section, It took me 7-10 resets before I could actually access the site.... yay

after I import the csv into the timeline explorer, I cant figure out how to filter by zone.identifier to obtain more info on the uninstall.exe file

as stated in the other channel you asked in, reach out to support

the section should guide you through how to do so

you literally JUST asked it

ofc no one answered within 10 seconds of you asking

thanks for help sir

thanks but I read the section several times and it doesnt help so if anyone can give a bit more indepth guidance, would be appreciated

you should just be able to search for uninstall.exe from what i understand; i believe you need to load both csvs but I could be wrong

i have a question i found origin ip Can I get a bounty.any one experience

this isn't the channel for that question

read and follow #welcome to access more of the server

but the short answer is it depends either way you should reach out to the site owner

i parsed the $MFT into a csv and imported that, but what would be the other csv you refer to?

the $J file

i see thank you

this is the subsection where you'd read about it

hey guys, i am going the skill assessment 1 for windows priv esc, what ever i do i cannot reach the target (like i tried pinging it and nmap), i tried resseting it, i tried changing the VPN but it doesnt work, the weird thing that when i try spawning the target for other excerses it works

could someone please tell what am i doing wrong

And you can't connect via the intended method shown?

there is no method shown, it just gives you the IP

I take it with nmap you added -Pn to be sure it wasn't just blocking ICMP probes

let me try that

Lol btw nmap even says "if you're sure it's up, try adding -Pn"

i didnt payed attention

but thanks @fathom pendant

always there to help

😄 it's enough of an issue the nmap devs were nice enough to tell you to do that

i even messaged support 😆

can i delete thos?

Nope

Gonna have to wait for support to close it

Just tell them nevermind, solved and they'll close it when they get to it

it says all 1000 ports are in ingorned state

Now that doesn't seem right

you know marcielee, i think i know why the ssrf drives me nuts

Because you were doing it wrong?

since i already did it pre-update, and i think they changed the questions since i did the module

Maybe

¯_(ツ)_/¯

so the questions have changed but my answers since then stayed

so i cant recreate my answers

i mean if i wouldve done it badly iwouldnt of passed the module i guess

¯_(ツ)_/¯

Hello,

need some help with the second question of DACL Attacks II.

I have connected to the RD09 machine but i cannot escalae privilages. I have crated a gpo and linked it with the OU of the RD09, but cannot add the rights toe scalate provilatges. I get an access denied.

Any tips?

need a help in Command Injections

just ask the question

solved

hi, i need some help with windows priv esc part 1

i have exploited the commant injection vunreability and got a shell, but i dont know what to afterwards

Escalate

¯_(ツ)_/¯

thats where i am stuck

Enumerate and stuff then escalate

Everything is taught in the module

every priv is disabled

i found seImporsonate but its disabled

a bit of help would be appreciated

Haven't done this module so don't have a way to guide you aside from try everything

I doubt every priv is disabled

Credential harvesting worth looking into as well, keys in registry etc, I have not gotten yet to the module just what I remember from windows boxes

yep sorry

the priveelge was enabled

the output was f up because i was using nc

how many ovpn files do i need to download for this to work on my vm, ive downloaded at least over 50 now and i keep getting no route to host even while using openvpn

You only need the one

then tell me after fucking 50 different tries then it now worked

¯_(ツ)_/¯

i havent been able to do any work cause of this bullshit

Don't need to be so hostile dude

well its frustrating when this has been stopping me for 3 days

Could be a whole host of backend issues that caused it

But imo if it wasn't working after the first few dl then go support for it

I need some help again, I am still in the Web Proxies module and I am attempting to do the ZAP Fuzzer section. I've used the cookie that you get when you make a request using the manual scan on zap. However, when I attempt to fuzz either the /skills/ or the cookie itself I come back will all 404 or 200 messages for all the users in the list i'm suppose to use

nvm I figured it out

RE: validating findings in web fuzzing.

I have found the hidden directory and referenced gzip archive. I got its headers with curl, and am trying to enter it; however the answer isn’t accepted. I’m looking to see if I’m just wrong or if this is a syntax issue.

Filtering goes a long way

I’m having trouble with Preigntion and Appointment. Both of them are similar problems, where I keep getting error and no such file exists messages when typing in commands for gobuster

Module - Footprinting

Footprinting Lab 1

I have a most likely very dumb question but I haven't been able to work this out myself with Google etc.

I tried using tools to find the domain name but every attempt of this for me has failed so far. Are we just meant to assume the domain is the same as it has been throughout the module? I'm not stuck, I just want to understand how I would go about doing this for real - I hope this makes sense?

I|| was playing around with dig, nslookup, nmap (with scripts), tried navigating to the IP directly etc. but I haven't "found" the domain myself. If I use the domain used previously in this module, I get results/information but I want to understand this part first before moving on.||

Many thanks for your time

Hello

#starting-point , read and follow #welcome to access

This is genuinely doable without digging

But for most intents and purposes, yes assume inlanefreight.htb as the default

Unless specified, that's generally the default

Otherwise it's .local or some other variation

If you scan all ports you'll find something interesting on non-default ports

Perfect, thank you! 😄

no this is not a dumb question, i had years of experience and this eluded me, so long as we're talking about the same thing... im not sure totally how it works (as it doesnt ALWAYS work 100% anyways) but try adding nmap -vv to your list for ns lookups... particularly as they relate to htb boxes... you start off with an ip, and if you visit the site you might get reidrected, but you might not, nmap isnt perfect at this but when it does catch something it puts it in http-title column in output

we are talking about hostname resolution on boxes right?

Anyone can help with the following from SOC Module

Need help with Detecting DCSync/DCShadow section from DETECTING WINDOWS ATTACKS WITH SPLUNK

Modify the last Splunk search in this section by replacing the two hidden characters (XX) to align the results with those shown in the screenshot. Enter the correct characters as your answer.

index=main earliest=1690623888 latest=1690623890 EventCode=4742
| rex field=Message "(?P<gcspn>XX/[a-zA-Z0-9.-/]+)"
| table _time, ComputerName, Security_ID, Account_Name, user, gcspn
| search gcspn=*

Is 2 weeks a normal amount of time to complete a 17 section module?

Depends on difficulty and how much you put on

can someone help me at ctf problem 🙂

This channel isn't for ctf help

getting started module, privilege escalation.

It doesn't create the session for me im using the correct vpn etc

Ohhh okeeii

You need to browse to that uploaded file

In order for a webshell to execute it needs to get loaded

Also make sure your shell was written with the right ip and port

Oh yeah i know i did that, but metasploit shoulda done it for me anyways

Why should it have done it?

Ah nvm I see you're trying to do the metasploit way instead of manual

Honestly idk what all the proper settings for metasploit would be since I never bothered with it

The manual way worked fine for me

can anyone nudge on the advanced deserialization skills assessment? I think Ive found a vulnerability but am having trouble reversing the authentication mechanism to get to that point in code

Ask ChatGPT. He can help build a script

ok Ill give it a shot

not really sure what Im looking at when I looked at dnspy

and the crypto stuff

i got a new openvpn config and got a new ip it's still being dodgy with me

shells dont execute, Metasploit wont give a session, target is unreachable

i genuinely dont know what to do at this rate and the pwnbox is really slow for me

i'll restart my vm and try ag ain

would you mind if I DM you? I think I've generated a token properly, but am still having some issues. I'd be forever in your debt if you could sanity check me 🙂

is it a windows box or one unresponsive to ping? do an nmap -p- scan

not sure tbh but i restartted my vm and stuff and it gave a response

going to attempt this question again

Sure. Not at my computer but i can try to help

OMG YES IT WORKED

i restarted my vm everything went fine

completed the getting started

Module Footprinting. Section IMAP/POP. Question: What is the admin email address? Im stuck on this part. anyone can share some tips

there's a tool that can help you to discover the email off the domain, you can also try enumerating the site to see if u can see an email somewhere maybe

still not found. may be i missed something.

take a minute break come back and read carefully refresh ur mind

yeah , i just skip for now . thanks

Hi, I have a problem with the Windows Lateral Movement Module specifically the WSUS section, I created the update and approved it as in the guide and I got the error related to downloading the file, I solved it like the content by getting the path from the related event-id and copy the binary for PsExec.exe, still, my update keeps on 0% in the WSUS dashboard. I also used the pervious VNC access to DC01 and opened the windows update to pull the malicious update. but DC01 does not see any new updates.

after you've placed the binary and the path, you can create a few similar tasks to speed up the process, I had to wait for ~10 mins

i already tried "Retry to download" and also created new updates. but still same issue

and also i opened DC01 and start to search for updates isn't this should speed the process as mentioned in the module

you don't need to access the dc, just have to wait a bit

i will give it another try now, but i am sure i waited enough when i was solving it

I need help. Im stuck at API Attack lab 2 i need to brute the OTP i have use BURP but it's too slow im using FFUF but i couldn't get any response

I am stuggeling to log into the ssh, i need help pls

I think it is trying to explain how but i dont understand

make sure the url is correct and the target is up, all the requests return errors

the url is correct

then the request itself is wrong since they're all returning errors

i'm using this request

any help? getting frustrated lol

you should find out why it's erroring out in the first place

run ffuf through burp so that you can see the response

Hello everyone, I've got a doubt about wireless hardening, does disabling SSID broadcast increase the security of a WAP?

no, even if SSID is hidden it can still easily be sniffed. not to mention that the client will need to constantly check if the the hidden APs have the SSID that it wants to connect to so the name is basically broadcasted still

Got some problem on the medium lab footprinting, im not sure what to start off with because it's only smb showing on ports, nothing else for me to use however if i try to connect to the smbclient it denies my access

How to know that information is usefull?

Okay so why is it included in wireless hardening in the Introduction to Networking module

Also, is this accurate? I thought WEP 104 has a 104 bit secret key?

wep is obsolete anyways

Attacking common Application
Attacking SQL Databases

Are we suppose to crack the mssqlsvc users hash? i ran through the provided list + rockyou and someothers but nothing was found. i have not yet tried anything with relaying tho

Anyone who's done the "Intro to C2 Operations with Sliver" module or just knows Sliver who could point me to what I'm doing wrong?

I'm trying to follow to the Privilege Escalation section, but for example, the alias for sharpup executes without output, running it with execute-assembly also executes without output until I add the -i flag to execute it in process. and trying to execute GodPotato does nothing period.

Note that I believe my main mistake was compiling from source instead of using the easy install from the first section, for example generate stager isn't a thing anymore, I got over that by just generating things directly with mfsvenom. So maybe something's different here as well.

yeah you can crack it with rockyou

reran the command 3x 4x times and the status went from Status...........: Exhausted
to Cracked......

I tried the other method in the section too just in case that works, but Rubeus executes with the following errors, which suggest ERROR_FILE_NOT_FOUND, which makes zero sense

execute-assembly -i /root/HTB/academy/sliver-c2/SharpCollection/NetFramework_4.0_Any/Rubeus.exe createnetonly /program:C:\\windows\\system32\\notepad.exe

[*] Action: Create Process (/netonly)


[*] Using random username and password.

[*] Showing process : False
[*] Username        : SSGO6VZA
[*] Domain          : 3PE1EFWE
[*] Password        : 94AX2SWM
[X] CreateProcessWithLogonW error: 2

the MethodInfo::Invoke_3 method returned an error:
The system cannot find the file specified.

sessions also die in about 30 minutes, I thought Sliver was fairly stable, so I'm probably doing something gravely wrong

Hi I am doing the Password Attacks module and have reached Password Reuse / Default Passwords

The challenge seems a bit off topic for the section I am on.

I have to find the credentials for the MySQL user, using the information I have already gathered.

The problem is that the port for MySQL is not exposed, so I can only interact with the service from my ssh-session, and hydra is not installed on the target system.

Can someone give me a hint 🙂

i need to bit help on AD Enumeration & Attacks - Skills Assessment Part I on getting the users clear text pass

which user, what have you tried

Windows Event Logs & Finding Evil
Analyzing Evil With Sysmon & Event Logs

I downloaded sysmos to my downloads folder, then tried the command provided.
There is no Tools folder within my C: folder so... thats probably something to do with it...
If windows doesn't have a tools folder within C: then why did HTB put this command in the unit?

you don't need hydra, the module mentions a link to check for default creds

read it again

what if the mysql service isnt exposed to the outside?

Not to be disrespectful, but this is a prime example of my experience with HTB, I swear HTB is riddled with stuff like this, where the obstacles are not 'difficult thing to learn', but the units just not working themselves for whatever reason.

I'm going to edit the command so it checks the downloads folder for sysmon instead.
I don't know if that will work but that's all I can think of.

Does anyone else have the same experience or is it just me?

ah nwm im blind but yea you dont need hydra for you to access the mysql service

default credentials are always good to try

ah! I see. I didn't try with a different user, i tried the default credentials with just sam. THX!

yea you need to change the username too. many services have different usernames aswell like scrutremote:admin exampple for Sctrucinize (mysql)

good day everyone please am new to this and am stuck on the sections menu(interactive session ) of the intro to hack the box academy please in need of guidence

why i cannot bruteforce this ssh?

Feedback: Having an option of adding profile picture in academy will be cool

The port seems closed try resetting it

Hi guys... I'm trying "Windows Privilege Escalation Skills Assessment - Part I"... But the target is not spawing... The string "Target(s) are spawning..." is on since 15 minutes... What can I do? Thanks

change vpn server or start the target in another section

after i run command get flag.txt in FTP where can i see that file?

i already searched in my download directory but i cannot find it

It's in the directory you launched ftp from

which directory?

Exit ftp

Amd do ls

You should know what directory you run your command in

after exit and then do ls?

Yes

after i do exit i am in ssh

and then do exit again?

Did you run ftp from the ssh session?

yes

Then it won't be in your system

It will be on the system you ssh to

cat flag.txt

I want to buy the student subscription on htb academy but everytime i click on subscribe, the screen becomes grey. ( knowing that i already added my payment method via visa card). Is there something that Im forgetting ?

ftp doesn't magically send files to another host

Disable adblock?

Also reach out to support

Oh yea im using brave (adblock integrated by default)

Thanks i ll try it in a bit and let u know

hey

Why did the contents of the flag.txt file change after using get on FTP compared to its contents before using get on SSH

could anyone help me with Attacking Thick Client Applications (module Attacking Common Application)

??????

You likely overrode an existing flag.txt file

but get do a download?

i have finished everything and now i am on AEN but i am only stuck with that

get downloads to the machine running the command

Look up the guide for 'fatty'

no its for the other one nbot for the jar

like its not for exploting web vunreabilities

This Question "Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password."

oh that's pivotAPI

yeah i also tried the walkthrough for that

that one shouldn't be too bad, just follow the steps in the module

how does connecting to the windows target work ? i tried everything and it keep saying failed

Are you connected to the vpn?

how do i check ?

yes yes im connected to the vpn from the htb servers

Are you using the in-browser vm?

It also helps to know the error

"It fails" isn't descriptive of anything

yes im in the browser vm

And the module and section you're on

xfreerdp seems broken on pwnbox, use rdesktop or remmina instead

so i must use another ip or another computer to try it out right ?

i use VMware

and also what does /u:htb-studet mean ?

No

the same ip they give it to me right ?

Wdym? The target ip should be 10.129.x.x

oh ok ok i got it

Also
/u: <- user
/v: <- visit remote system
/p: <- password (make a habit of wrapping the password in single quotes 'pa$$w0rd'
/dynamic-resolution <- lets you change screen size

ok now i tried the same 10.129xxx and the same user then i put my password, then it appeared to me that the connection failed to 10.129.xx.xx

Well I assume you're using the actual ip given above the questions

"Click here to spawn target"

yes im actually using the same ip they gave me haha

Had to make sure

What is the error habibi

We can't troubleshoot without error

Shouldn't the output for these two commands be the same, considering both are https and I'm just requesting the ip address instead of the domain name?

python3 ReconSpider.py https://inlanefreight.com

python3 ReconSpider.py https://134.209.24.248

nope, the host header will be different

An SSL certificate cannot be issued to an IP, only to a domain

an IP can have multiple web servers running

i cant even take a ss

Just copy/paste

You need to link your htb account following #welcome to post images

mee6 bot is mad lol

?

Your name got changed bc #rules

i didnt break the rule lol

But if you're trying to copy/paste the whole output, the automod gets mad

Name must be readable in English

oh ok

Rule 10

But I digress

Only important thing is the last few lines

Not the whole thing

Hi friends,

I am currently attempting Attacking Common Services > Attacking SQL Databases

I am using VPN, running the command mysql -u htbdbuser -pMSSQLAccess01! -h 10.129.231.145 seems to hang with no connection made.

Persists after restarting the target.

Any ideas?

Edit: Receiving this error: ERROR 2002 (HY000): Can't connect to server on '10.129.231.145' (115)

Try wrapping the pw in quotes

Maybe mysql isn't running?

Double or single quotes?

Maybe it's mssql

Issue persists after running sudo service mysqld start

That won't matter for connecting to a remote db

Maybe. It's a different. Db

I'll try sqsh

Actually just read the first question

It should give you a hint as to what db is running lol

Also the password

It's in the password too

https://tenor.com/view/ryo-yamada-ryo-i-may-be-stupid-bocchi-the-rock-haybo-real-gif-8495031349478581936

Okay I think im in? But im doing SHOW DATABASES; and nothings happening

just gives me 2>, im not familiar with sqsh, is there something else I gotta do to have my command execute?

sqsh you need to send go

I'd suggest to just use mssqlclient.py

Im not using the pwnbox so I dont believe I have that, do you know where I could find this script?

probably impacket-mssqlclient

Ty

Not sure if I understand why that will make a difference..?

@fathom pendant

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Host
you'll be served different content depending on the request. imagine if you run a number of websites and you have to use a different unique ip for each domain, not a realistic case

username or password is incorrect

ok thanks now it works

Windows Event Logs & Finding Evil
Analyzing Evil With Sysmon & Event Logs

I downloaded sysmon to my downloads folder, then tried the command provided but it does not work, see image of my cmd.exe.
There is no Tools folder within my C: folder so... thats probably something to do with it...
If windows doesn't have a tools folder within C: then why did HTB put this command in the unit?
Why is following the instructions on HTB not working?

I have also tried changing the path so it is to my downloads folder, but that doesnt work either

because that's not how windows command line works

C:\Tools\Sysmon> denotes the current directory, sysmon.exe calls a program in that directory

omg

i get it

i just get rid of the path part, right?

you can but you'll need to cd to that dir first

cool haha

thanks

I got through that section by tweaking things in various ways, but I still don't understand why the things shown in the section don't work as described, if anyone has an idea, I'd love to hear it

unfortunately I don't use sliver enough to know, maybe check the logs or try the beacon in your own vm?

I have sql_svc and Administrator but looking for tpetty clear text pass

Hi, what is the problem? I've tried everything

sudo python3 ReconSpider.py http://inlanefreight.com
Traceback (most recent call last):
  File "/home/htb-ac-620586/.local/bin/ReconSpider.py", line 1, in <module>
    import scrapy
ModuleNotFoundError: No module named 'scrapy'

spoilers but dump everything

did you install scrapy?

yes

well yes but how did you install it

also why run as sudo

pip3 install scrapy

i gotta say, the new skill assessment for the ssrf module is wayy to easy

don't run reconspider with sudo

Yeah, good idea, should test with my own VMs, if doesn't work there either, that would be troublesome, doesn't help that my only other C2 experience is CS

How do i go about this

Hey where do I generally talk?

#general

What tools can dump things

Well that helped thanks

Not allowed to?

Read and follow #welcome

if you can't figure it out lmk I can check with someone who's more familiar with it

Things like ?

Secrets, passwords, hashes

tried mimikatz - found the hash - can't crack

Thanks, I'll do some testing and see what's up

What did you run with mimikatz

Not enough information

you mean sekurlsa::logonPasswords ?

Yes, that should give the plaintext as well

didn't see any

I don't think it's in lsass

there are other things mimi can dump

It's what I've got in my notes at least, been a long time since I finished that module though

sam ?

lsadump

Hey guys, i am currently working through metasploit framework module, and i am in "Meterpreter" section. The problem is when i run te exploit it shows

[-] Exploit aborted due to failure: unexpected-reply: Failed to execute the payload: Connection reset by 
[*] Exploit completed, but no session was created.```
I am connected to the htb academy vpn, and i can ping machine, so i don't know what is the problem. Can anyone help me?

Hello I am working on Information disclosure with a twist of SQLI
https://academy.hackthebox.com/module/160/section/1474

But the IP cannot be reached. I reset it and still not working. I nmap it to not find anything. I fuzz for parameters in case there is a different paramater than what it says which is ID but there isnt anything. Any help would be appreciated

is anyone else having serious issues with attack targets today? every single one ive accessed today is hanging/lagging, disconnecting me. cant get 2 minutes of solid connectivity in any target today. pwnboxes working fine, ive tried resetting target. this is happening over multiple modules in the pentesting job path (shells & payloads, file transfers)

In the protected files section, are they referencing an old password here? what section was it in?
"Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer."

I can't connect to my target even after reset

yeah somethings up, hopefully theyre working on it

got the same exact issue with a local VM as well, at least it tells me I can't blame HTB

anything in the logs?

Can I speak to someone that has completed the 'Attacking Common Applications' Skills assessment I ?

I've completed the module and assessments now but I I'd be interested to hear how others did this as I think I ended up doing some janky method.

nothing that tells me anything useful I can act upon at least

lsadump::secrets
did it - thanks

uhh I'm not sure what's wrong then

have someone done web archives part of information gathering web edition?

Hackthebox didn't always use .com

nah i have question about wikipedia part

Well we're not mind readers

We don't know your question unless you ask

so they ask you to "according to wikipedia.com snapshot taken in March 2001, how many pages did they have over?"
I've taken that snapshot for Jul 28 2001, because thats one only accessible in that period of time and they state something like that

so i try type in 6000 and it doesnt work so im not sure whether there is another source of that information on webpage or what is my mistake

I also tried 7000, 8000 but it doesnt work neither

6,000

Also it might be based off the reading

nope, I've got the answer and it was 3000

I tried it just now, but I wonder how should I gain that information

Are you sure there wasn't a snapshot for mar2001? Otherwise that question wouldn't be doable

https://web.archive.org/web/20010331173908/http://www.wikipedia.com/

What was your search?

http://www.wikipedia.org/

.com

It literally says it in the question

i see it now, but the issue was redirection

Worked fine for me

It's because .org is newer

So any recent results will redirect to .org, historical results may be on .com

Before they acquired the .org tld

Yeah, I've just assumed redirection won't change anything and that's part of process

thanks for help!

any fix on this with Whisker?

i thinking this is a typo

shouldn't disallow LM hash be processed last ? and therefore override any GPO

How come no machines are working for me?

If I change my Academy Subscription do I have to change my VPN too?

Doing the web fuzzing module. On Validating Findings, I have found the referenced directory and gzip archive. I cannot seem to get the answer accepted. I'm looking for either confirmation that I'm in the right place and entering the answer wrong, or a nudge to let me know I'm looking at the wrong thing.

||used ferox to find <machine>/ur-hiddenmemeber/backup.tar.gz curl -I on the archive returns Content-Length: 210. This answer is not accepted. Am I wrong, or is this a syntax issue||

Highest Link Order Number Last: A GPO with a higher link order number (e.g., 3) is processed after those with lower link order numbers (e.g., 1 and 2). This allows the settings in GPOs with higher link order numbers to potentially override those in GPOs with lower link order numbers.

This doesnt make sense that means the default GPO overrides everything

using module info "When more than one GPO is linked to an OU, they are processed based on the Link Order. The GPO with the lowest Link Order is processed last, or the GPO with link order 1 has the highest precedence, then 2, and 3, and so on." this again means Default GPO is proccessed last and therefore overrides everything?

so either im losing my mind or HTB made a mistake

I have just spent 90 minutes trying to bypass a login page, that the question gave me credentials for . I guess reading is important.

lowest number has the highest precedence and is processed last

Omg I had the biggest brain fart and couldn't understand basic English

Guess I'm tilted and need a break

Intro to Digital Forensics - Skill Assessment:
Using VAD analysis, pinpoint the suspicious process and enter its name as your answer. Answer format: _.exe

Does anyone how exactly how to approach this

I have been analyzing Windows.System.VAD artifacts file that has a bunch of events about processes and commandline arguments related to them

but no clue as I can't exactly find the malicious process

You would have done the example ffuf in the section earlier try to do that way by updating the json request n response

guys, im doing a file upload exploit lab and i have bypassed the server with the extension like file.php.png now how i can execute command now? i have tried http:/.../uploads/file.php.png?cmd=dir but it's not work

Which section?

hmm im just doing a lab made by myself...

Ah thought it was module related mb

#web would be better since it's not academy related, sorry

alright thanks you!

yo whats the difference between local and physical attack vectors in the cvss reorts?

i mean both require to be PHYSICALLY there. so :D?

Sort of

so whats the differnce ??

https://www.balbix.com/insights/base-cvss-scores/

checking it now

Physical means you physically need to interact with the system, being in the same room

but so does the local no?

Wheras local is more same network

Local (L): Attackers can exploit this vulnerability only by accessing the target system locally (e.g., keyboard, terminal, etc.) or remotely (e.g., SSH) or through user interaction.

like companies computer

and for Physical ? the server itself?

Local encompasses the network as a whole

I.e. interaction with a machine remotely without the need for physical intervention

A lot of the attacks performed in academy would be classified as Local

As you are accessing machines on the local network

And you don't need to physically interact

they would be considered adjacent as i am in the company vpn

.... same physical or logical network (secure VPN included).

Physical is exclusively physical interaction

like inside the server room?

Yes

LMAO for real?

As in hands on the keyboard of the machine

i mean if im in the server room well. i can technically say "Gotcha b***" basically you can do whatever u want . well almost

Sort of

But the major point is

Physical = literally touching the computer you're exploiting

i wonder how many "Exploits" are tagged as Local. i mean if u are local its essentially privescing i guess

Heya, is it okay to take a break from pentesting and try the soc analyst path?

¯_(ツ)_/¯

Up2you

Awesome, i'll try this path out to see how I like it

so far so good to me

finally it's good wheather and I can return to modules

Hey I'm trying to rdp using a hash and in the previous step I set the DisableRestrictedAdmin key using evilwinrm however rdp keeps timing out now? This is the password attacks pass the hash module. Am I missing something?

if its timing, then check the host

ping it, reload it on htb page

if it doesn't help come back again

Respawned host twice and I can still ping

Guess the connection was just acting up, its working now

👍

lets say for shells and payloads module

I have completed 8 sections of shells and payloads in like 9 days so far

maybe in 8 days so like on average a section per day

There is a "estimated" time for completion that they put in module's page

Could take less... Could take more.... Depends on how much your baggage is and how much you put on

ok

Generally... The time they set as a estimation, is an ok one.
But don't throw yourself down if it takes more

Everyone is different and it's ok to slow down sometimes

ok thanks

That's good advice. I will follow it. I would rather learn slow and know material well than learn quick and forget all of it

hi how long should i usually wait for "Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.". Brute forcing sam's password. || (also doing it on ftp since ssh slow asf)||

Every module has a couple of lab's boxes for you to practice on as well to reinforce the knowledge

Server Side Attacks
Exploiting SSRF

Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag.

My payload in ffuf shows LICENSE, '.', index

what do I miss?

nvm, I didn't realize dateserver is internal domain

I know I already am doing those.

try using fuff with the same wordlist and see if it still happens, also the -timeout flag may cause it?

@strange pivot ok I'll try ffuf and report back. The timeout flag was added after I treid it with the default several times with no success.

Hi, who know how can i cancel my subcription?

I did yeah

I'm trying again with subbrute

?

@upper bear please provide the full seed phrase to your bitcoin wallet and we'll get you squared away

hahahahha

only 16,985,421 sats to cancel

its been about 5 mins and subbrute is either really slow or not working. I never got it to finish earlier after several attempts.

because the guide said use seclists. really should not matter because this is the same list I used with gobuster and it found some subdomains, just not the hr one that is in the wordlist

My main issue is why does gobuster not find a subdomain that is clearly listed in the wordlist.

anyone knows why the root.txt file in editorial isnt showing?

i got the correct logins and stuff but the file is just not anywhere

Use the wordlist with the tool

Don't use seclists

#boxes

oh oops

currently on intro Malware analysis in code analysis I'm prompted to "Download additional_samples.zip from this module's resources (available at the upper right corner) and transfer the .zip file to this section's target". How do I transfer the zip to pwnbox ?

right click to copy download link and paste it in the pwnbox

@crystal kayak please refrain from spoiling content

As you're meant to find the sudomain via bruteforce, stating the subdomain is spoiling

sorry, everyone was telling me the wordlist was the problem when it wasn't. just trying to prove that something is f'd with the tools, or so it seems.

Alongside showing walkthrough content, which is paid

The tool shown in the section worked, so it's likely something with gobuster you're misunderstanding

I put the screenshot of gobuster being used. it not some complicated tool. if ppl here smarter than me are looking at the screenshot and still saying oh maybe you don't know to use the tool then man, I guess I should not come back to discord for help

or maybe its the wrong wordlist. I mean come on guys. This is not buffer overflow we're talking about

I'm more saying gobuster isn't likely doing the same thing the showcased tool is doing

could i get a little nudge for the command injection skill assestment? Any little direction would be helpful || i was searching for a POST req, but found only one and is not vulnerable i think. most other things i try on the page gives me an "302 Found" code. ||

Im having a lot of trouble with Introduction to Windows Command Line, the final skills assessment seems to have broken passwords. It says to use password "" but trying to just hit enter at the prompt gets permission denied so I cant ssh into the target

Im stuck for what Im supposed to do here

Use the previous answer as the password

It's the same throughout this assessment

that could probably have been noted a little clearer on the question but that worked! thank you so much

I believe it's meant to be inferred from the previous questions how it'll work

I thought for sure it meant that there was no password, thats definitely what it seems like its communicating to me at least. probably better not to leave instructions up for inference in any case tho

It might be a limitation of the backend on how it handles that pw above the question

But you can use /feedback in the discord or chat with support on the website to provide the feedback

What have you done so far and identified? If you don't want to post spoilers you can DM if you would like.

the windows fundamnetals module sections has by far been the most annoying buggy module ive ever dealt with

a bit ironic from someone whos done 2 modules only but yes

Use the tcp vpn download, that's gonna be way more stable than the udp

Yo can anyone help with the phishing submodule in the xss module in the cbbh part?..
I got the xss payload to be 'onerror=alert.window();' later when I had to create a fake login page and inject it, I tried using the payload they gave itself(with some minor tweaks), but it only shows password for somw reason and the image url box stays there itself so I tried chatgpt-ing it and got a proper payload which shows both the username and apssword fields and also removes the url box also. But it shows Invalid url in both the cases.

add <!-- to the end of your payload to inject the html comment at the end

yep tried that too

also don't use onerror for this

also phishing is the section** not submodule

oh mb 😅

Is there some otherway too ?? Thanks for the tip, I'll take a look

did you include the document.getElementByID('<element here>').remove()

you don't need onerror

that's all i'll say

the provided code should work

with obvious modifications to change to your ip:port/index.php

yesss

I've done all the modifications

dm me your payload

oh yea I thing

since it'd be a spoiler

Hello

Hi

hola

Hello, could someone help me with the Introduction to Assembly Module? I'm currently in the Skills Assement. On question 2 I need to optimize a code to be able to generate a shellcode less than 50 bytes. I currently have this code and its generating a shellcode of 62 bytes. global _start

section .text
_start:
; push './flg.txt\x00'
xor rax, rax
push rax ; push NULL string terminator
mov rdi, '/flg.txt' ; rest of file name
push rdi ; push to stack

; open('rsp', 'O_RDONLY')
xor rax, rax
mov al, 2          ; open syscall number
mov rdi, rsp        ; move pointer to filename
xor rsi, rsi
;mov sil, 0          ; set O_RDONLY flag
syscall

; read file
lea rsi, [rdi]      ; pointer to opened file
mov dil, al        ; set fd to rax from open syscall
xor rax, rax
;mov al, 0          ; read syscall number
xor rdx, rdx
mov dl, 24         ; size to read
syscall

; write output
xor rax, rax
mov al, 1          ; write syscall
xor rdi, rdi
mov dil, 1          ; set fd to stdout
xor rdx, rdx
mov dl, 24         ; size to read
syscall

I'm not sure what else can I do to make it smaller

Sry for the text wall, cant share screenshots

I feel like I'm crazy. Working on the Linux Fundamentals module and the only question I'm stuck on is what is the path to the htb-student's mail? For some stupid reason, I'm not finding any mail directories in there anywhere. There is /var/mail but that's not what they are looking for. Am I just missing something? Anyone got a cryptic hint maybe please?

Nevermind, I was overthinking it lol

right on you'll soon run into the find cmd and be sure to drill that cmd until you know it forwards and backwards you'll be able to find everything you need

Hey, did you work this one out?

Now I got no errors but no subdomain either..

hey, what do you mean? I reviewed the conversation there. I would guess the target was the issue, not the method

Yeah I just ran the command again and it worked but didn't find any subdomains.

you have to add --append-domain

when in doubt about fuzzing, I think it is important to take the time to send the tool through burp suite and see what are the actual requests we are sending

Alright will try - wondering whether to use gobuster in DNS or vhost mode?

Yeah I saw that you were doing something like that in the previous convo. Makes sence to do.

in this case, we are facing vhosts

and yeah about proxying ffuf or gobuster, just a few request to figure out, no need to keep fuzzing through it for the whole wordlist

Now it won't even start..

Will try to increase delay and cut threading to half

Have you entered the domain in your hosts file?

#modules message Yes

i will check from here if i have the same issue

it seems to run ok on a fresh target,

try with ffuf
ffuf -u http://inlanefreight.htb:port -w <wordlist> -H "HOST: FUZZ.inlanefreight.htb" -ac

@stark lark ok i retract my previous message, it errors at about half of the wordlist

try vhosts

@fathom pendant beat me to it

i've never gotten vhosts to work on gobuster

ffuf for vhosts, also for ignoring status and size errors

i think even ippsec does it that way, i wanna say on one of his uploads he used gobuster and had to switch to ffuf for quickly running the same search but ignoring a particular 203 page output size to filter output to just "real" pages and not auto redirects

it works with gobuster here, but somehow it errors at one point with the long wordlist. I tried to use a wordlist only a few words and it finds it
it works as well with the other syntax and /etc/host file

strange

you're getting output but im not sure that its "working" ... there's no header to fuzz there.

i checked that already with burp both ffuf and gobuster send the same requests when vhost fuzzing

#1269878800586506360 message @sharp epoch ; filter by size

see the most common size value being output, and filter that out

can you show us a proxied request that makes use of the Host: header? im genuinely curious and would appreciate it

yeah i'd have to rerun it as i dont have the screenshots anymore

set burp to proxy traffic on the entire address 127.0.0.1

Thank you

turn off interceptor

so it doesnt get in the way of your request out

gobuster with gobuster vhost -u http://<ip>:<port> -w subd.list --append-domain --domain <domain-name>

ffuf

interesting, learned something today thx. was very curious whether or not it actually worked as most info i read online always suggested to just use ffuf for vhost

and gobuster with the ip in /etc/hosts and the syntax from the course

Appreciate your help! It found web.....inlanefreight.htb for me, so I hope that's all

Hey guys! I don't know where I should post this question, so I'll post it here. So basically, in the Footprinting module, the Hard Lab machine has been loading for like 30 minutes now. Refreshing didn't help. What should I do?

did you try refreshing htb?

Yes, I also tried loading it from my laptop

you're welcome and yes that would be my go-to as well usually, but since gobuster has the option, i just thought i should figure it out. It seems however those little target gets really messed up quickly, and I can't figure out the issue

did you try switching vpn servers?

Does that influence the target machine?

Yeah that would probably explain it.. Maybe gobuster for subdomain enumeration is a no-go..

idk how HTB's backend works so probably

it does

vpn servers control which node that your targets will spawn on, and ofc the node you connect to to be able to reach the target

It works now, thanks!!

Ohhh, I see. Thank you!

for vhosts.. but it works as well so..

gobuster should work

likely target is dumb ¯_(ツ)_/¯

yeah can't figure out the difference but I see in ffuf requests the host header do not contains the port

FFUF is an oddball

still if i wireshark both the requests look the same

iirc when it was going through the 403 it was being dumb

like i'd specify port in -u, but the header was trying 80

and if i manually make a request to the webpage and intercept it, the port is in the host header

that's just a quirk of standard requests

what do you mean?

if the whole box has gone pear shaped (died/403 spam) then it falls back to 80

it's a weird one

yeah... i thought i was over it then i'm rabbit holing this thing again... it has to stop.
it is weird, period...

trust me it's a whole lotta nothing in that hole

I was trying to do LFI on HACKING WPS Module and then this happen

yeah but that's a bit disappointing... and also not really reassuring to not figure if it is a tool issue or a box issue which has just to be respawned and that's not possible IRL, that could lead to another sort of rabbit hole

and also it would be nice if an admin or someone with access to the backend could tell us what is actually going on with those boxes

if the page loading takes too long that could happen

Fixed i change the network, My Company Firewall block this type of connection

hello i am having trouble on the new web fuzzing module (tier 0) (link: https://academy.hackthebox.com/module/details/280) i dont know if i am doing something wrong or something else. the issue i am encountering is the questions state to "Answer using the full Content-Length header, eg "Content-Length: 1337"" which i am doing "Content-Length: 210" but the module wont accept it. here is the full instruction for the question:
Fuzz the target system using directory-list-2.3-medium.txt, looking for a hidden directory. Once you have found the hidden directory, responsibly determine the validity of the vulnerability by analyzing the gzip file in the directory. Answer using the full Content-Length header, eg "Content-Length: 1337"

I think this is an bug in the module. See also:
#1269212022919397410 message

Okay ill check it. Thank you!

i love how intuitive they made the filter sections in file upload attacks (the only negative being you can't follow 1::1, but that's where the fun is)

Hey in the fuzzing module there is a question try using vhost fuzzing scan on accademy.htb and see ehat v hosts u get i tries adding the target ip and admin.accademy.htb to etc hosts and ran ffuf command but i dont get any valid result

the ffuf module?

or the new fuzzing module

Yes

ok what section are you on?

also academy.htb, not accademy.htb

you got an extra c in there for some reason

Fuzzing module filtering results

also with ffuf you'll need to calibrate your results

as stated by the section you're reading

note the filter from the example WON'T be the same as what you'll need for the question

I didnt get the whole vhost thing also what does it to if public dns doesnt have the ip

put it in your /etc/hosts

ip academy.htb then ffuf -u http://academy.htb:port -H "HOST:FUZZ.academy.htb" -w <wordlist>

you can stop it after the first handful of 200s

Hi everyone,

I’m having trouble with an exercise that involves using the Metasploit Framework to exploit a target with the EternalRomance exploit. The goal is to locate the flag.txt file on the Administrator's desktop and submit its contents.

Here’s what I’ve done so far:

I’m following a similar approach to the example for exploiting with the ms17_010_psexec module.
I’ve set the RHOSTS parameter to the target’s IP address (10.10.10.40).
However, I’m encountering an issue where a session cannot be established. Can anyone help me understand what might be going wrong and how to resolve it?

Thanks in advance!

and analyze the common thread between them all

that's not the target IP

target IPs for private hosts in HTB start with 10.129

what is this? --> msf6 exploit(windows/smb/ms17_010_psexec) > set RHOSTS 10.10.10.40

RHOSTS => 10.10.10.40

looks like you're trying to blindly follow the example

above the questions should be "click here to spawn target system"

rarely will the target ever match the examples

yes i thought i must foolow the example

you should be able to use your brain to adjust to what you need for

RHOSTS is remote host, the example host is never gonna be live

*note unless it's a live website like inlanefreight.com

but otherwise, the targets don't spawn until you tell them to

but as a note, don't blindly follow examples, it can easily get you tripped up

Anyone what exactly is a vhost i didnt get that part

"I thought I was following the example with the same parameters. Since you say that's not the case, which IP should I target? Does this platform provide alternatives?"

this

any section that has a target will have this above the questions

and just above the first question or any question that needs a baseline credential, will be given the connection method and credentials if required otherwise assume creds aren't needed or are meant to be attained via knowledge from the module

i also heavily suggest, if you aren't already, taking notes as you go through the modules. Helps with "oh yeah i remember running into this before" moments

zero spawns left for today

well... that's not the target

that's the in-browser vm/pwnbox

you can spawn as many targets as you want in a day

heck sometimes the machines are goofed on spawn and you need to respawn them to fix

Thank you for the answers!! But you should know that even before it worked(spawn the target), I couldn’t find any information about the target, such as which IP to target. As a beginner, I thought I should strictly follow the example and gradually increase the difficulty.

?

wdym?

when it spawns you get either a 10.129.x.x or a public-ip:port

you should follow the example, however you shouldn't be following it blindly

Maybe I didn’t pay enough attention, and I missed it.

there's a difference between doing what the module says, and doing exactly what the module says

👍

also the Intro to Academy course teaches you how academy works

👍

anyway GL :)

ip academy.htb then ffuf -u http://academy.htb:port -H "HOST:FUZZ.academy.htb" -w <wordlist>
Exactly gow does this command work ?

they are separate things

you put the spawned IP and the domain academy.htb in /etc/hosts

then you run that ffuf command

note; you don't include the port in the hosts file

I reviewed the Intro Academy again and noticed that the example shows the target IP after you click 'Spawn the Target.' And again thanks!!

thnx for help man, it worked in firefox, no idea why cookies not sent from chrome

probably some "security" features in chrome 🗿

because that's just how vhost works especially on a non-routed domain

also spoiler for the skill assessment

but iirc that's how the module teaches you how to do it now

yeah, that's why I tagged it

it's something to do with host headers and all that

spoiler tags do nothing

the best bet is to redact the answer

as an exampple, i redacted this info as i was showing someone earlier about html paramter ? vs & and how you can't do xyz.php&cmd=<command>

when I looked up that command on one of Ippsec's video I hadn't seen that one, but that's always something new to learn

it's either --append-domain for gobuster or -H "HOST: FUZZ.domain" for ffuf

also as a little extra for gobuster, you can specify the domain with --domain

What is the use of show solution button? I did not find even one solution written

hi everyone, I'm really struggling with skill assessment for Attacking Authentication Mechanisms module for a quite some time now. I'm trying with ||Exploiting jwk, generating new key pairs and signing new token with various payloads. I've tried changing 'accountType': 'admin' (and Admin, administrator), with and without adding "isAdmin": True, with deleting accountType, leaving only isAdmin. Changing username, user id etc. || Since none of that worked, I've tried with other methods, like ||signing with None, without signature, algorithm confusion attack||. I've went through the course again but I got no new inspiration. People on the official forum are recommending strange methods, like "If you tried a method one time, try it a couple more times and it should work." Well, tried that but still nothing.

I'm clearly missing something and would really appreciate a hint or a direction to what else I should try or what direction to take. I guess official htb discord is the best place to ask for help (inb4 "Try smarter" is not what I'm looking for here)

Can someone help with Service side attacks skill assessment.
||Tried to pass differnt payloads encoded for ssi/ssrf/xslt attacks in ID parameter but all of them are failed to get RCE||

Are u guys having trouble accessing the academy platform now?

Yes

yes

ok thks

https://status.hackthebox.com

need help with soc analyst module anyone?

https://dontasktoask.com

2 things for success: stating what the name of the module you're working on, and the section you're on

guys hello, i am in AD Enumeration & Attacks - Skills Assessment Part I, i have an active winrm session with the creds i found for the user on MS01 and now i am trying to trasfer a file from the WEB-WIN01 to the MS01 but when am trying
copy \WEB-WIN01\c$\Users\Public\file.exe C:\Users\svc_sql.INLANEFREIGHT\file.exe
but i get access is denied. Can someone give me a hint to trafer the file?

Somebody can give me some tips? I have a annoying bug in the Attacking Enterprise Networks - Web Enumeration & Exploitation module

Despite I already added the subdomains (and main domain) of inlanefreight.local gobuster (and firefox) keeps giving me the error of "unable to connect to ..."

And yes, the VPN is working flawlessly and the IP address answers my pings.

im doing linux fundamentals and some of the questions do not make any sense. Filter contents for example, more/less etc and at the end Questions are not even close to the topic covered, am i missing something? why is that ?

im still on the intro to digital forensics module trying to determine what uninstall has been renamed to. I have imported the J.csv and also the mft.csv into timeline explorer but still cannot determine from there how to see what the file has been renamed to.

accessing the c$ require admin privs, why not just transfer it to your own host

i want think to do it with mimikatz, i found reg is already installed on the system

hmm? reg is a native windows command to interact with the registry

~~Anyone that can give a hint on 'Linux Privilege Escalation - Environment Enumeration' ?

I'm Getting skill issued here.

Rooted the box
Checked a million things
Searched the full system multiple times for different keywords
Searched by users, groups, file extensions.

Re-read the module and still cant find the flag.~~

Found it 10 mins after posting this.

I am trying around, since i found reg is on the system i made a sam,system,security save and now i will try to trasfer them and dump the secrets out, i am not sure if it is the right path, i found a secretsdump.exe that i trasfered from my machien to the WEB-WIN01 but is not running gives me an error, this would have made my life much easiser if there was not error with it

just transfer it to your own host and use secretsdump.py

Hello there, can anyone help me undrstand what am I doing wrong? I'm currently working on "Intro to assembly language"

I'm in section "Functions"

I'm asked to download a file and : "Try to fix the Stack Alignment in "print", so it does not crash, and prints "Its Aligned!". How much boundary was needed to be added? "write a number""

when I get to link the functions.o I get an error message : undefined reference to "printf"

are u talking about transfering the sam,system,security files on my own machine and using secretsdump.py to dump them?

or remoteply dumping the secrets using secretsdump.py from my own machine

if anyone has done this and can guide me please let me know. thanks

The Active Directory Enumeration & Attacks is being so overwhelming. Did any of you finished recently? I feel like, even though I´m taking my time and taking quite a lot of notes, I´m not going to be able to do everything that is shown in the module by my own. For example, the Bleeding Edge Vulnerabilities section. I tried to understand how to detect the vulnerabilities presented but I feel like I have a big gap of knowledge to understand what´s going on. If anybody wants to comment on how did you approach the entire module or how did you feel after finishing it, I would like to hear it because it´s being quite a hard time!

idk what access you have but if you have admin creds remote dump also works

practice more, the bleeding edge vulnerabilites as the name suggests is more complex, you'll get the hang of it once you mess with AD more

now i have purchased htb subscription, and i have completed a module 100% , will it be available after the subscription ends

Anybody on that has finished the Modern Web Exploitation Skill Assessment? I need a nudge on the DNS Rebind part of it

Introduction to digital forensics - Skills assessment

Determine the folder that contains all Mimikatz-related files and enter the full path as your answer.

can someone give me a hint on this questions .... im clueless on where to exactly look for

I've looked at all the collected artifacts from velociraptor within the desktop that are provided to us

but im unsure what to do next ... which velociraptor collections to use too

Module : Cracking Passwords with Hascat
Section : Skills Assesment
Last Qeustion
can anyone tell me everytime i run Hashcat on NTDS file i got exhausted and cannot solve the last question only
Any idea??

have you already cracked them? use --show

yeah i have tried it

Question is :
After cracking the NTLM password hashes contained in the NTDS.dit file, perform an analysis of the results and find out the MOST common password in the INLANEFREIGHT.LOCAL domain.

you're supposed to provide the most common password

check the hint too

yeah i have check this

but the answer is not that showing

looks like you need to crack more then

run it through hashcat

hmm

but it exhaust in mid 😦

*rockyou

yes

rockyou.txt

your cracked list shouldn't be this short to begin with

are you using the proper rockyou

yeah

/usr/share/wordlists/rockyou.txt

still same results

well the file name doesn't mean anything, make sure it's the right size

yeah it is 133.4 mb

are you using the tools suggested in the hint?

if you're just using hashcat output without --username it will only show the hash once of course

yeah buddy i have used it, lemme have send an ss here

I just ran through it and got the right answer

^

can you please tell me the command that you have used or correct my command that i have used:

hashcat -a 0 -m 1000 '/home/kali/Desktop/hash.ntds' /usr/share/wordlists/rockyou.txt --username

your output doesn't contain the username so it will not show multiple user with the same hash, it will only show the hash once

i have wrote this here

here is the command

I'm telling you what's wrong with your output

when i am using --username i am getting output in this format:

Session..........: hashcat
Status...........: Exhausted
Hash.Mode........: 1000 (NTLM)
Hash.Target......: /home/kali/Desktop/DC01.inlanefreight.local.ntds
Time.Started.....: Mon Aug  5 12:45:43 2024 (5 secs)
Time.Estimated...: Mon Aug  5 12:45:48 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  2942.3 kH/s (0.13ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 468/895 (52.29%) Digests (total), 0/895 (0.00%) Digests (new)
Progress.........: 14344385/14344385 (100.00%)
Rejected.........: 0/14344385 (0.00%)
Restore.Point....: 14344385/14344385 (100.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: $HEX[212173657879616e67656c2121] -> $HEX[042a0337c2a156616d6f732103]
Hardware.Mon.#1..: Util: 34%

Started: Mon Aug  5 12:45:43 2024
Stopped: Mon Aug  5 12:45:49 2024

Mate can you please tell me is there any mistake i am making in Command? or I am wrong at any other place.

are you trying to crack an ntds file?

I have explore some blogs, i got the asnwer but i don't want to pass the hurdle without sufring it

yes

has it been parsed correctly

i have use this command :

hashcat -a 0 -m 1000 '/home/kali/Desktop/hash.ntds' /usr/share/wordlists/rockyou.txt --username

Output is this

i am getting in HEX Format

that's not the output, that's just hashcat showing the status

you need to get a list of cracked hashes

so how can i do this.

https://hashcat.net/wiki/doku.php?id=hashcat

or again you can use one of the tools mentioned in the hint

Alright, lemme try

ummh i still didn't find any solution..

☹️

what's the flag that saves the output?

i am not getting anything in mind..

My brain is just becoming a crap... Learning from Morning 5AM and now it is 10:05 PM ... i am not getting anything in mind.

If you can please tell me that i am wrong at command.. and i need to correct my command

then you should take a break and come back later, if I just give you the command outright you won't learn anything

Completed every questionbut stuck there

sigh

-o, --outfile | File | Define outfile for recovered hash | -o outfile.txt

means i have to generate a file from hashcat right?

hmm true, i think i have to take some rest and then come back.
Have a good day buddy.

it writes the cracked hash to a file, per the description in the wiki

For Intro to Splunk & SPL module and section I'm struggling with "get SPL search against all 4624 events the account name that made the most login attempts within a span of 10 minutes." Best query so far is EventCode=4624
| bucket _time span=10m
| stats count by Account_Name

when i try to install parrot, it reports:Command <i>/usr/sbin/sources-media-unmount</i> failed to finish in 600 seconds.
There was no output from the command.😭

does anyone know why

i use the 6.1 .iso file, on VMware pro 17

Hey! I'm struggling with the easy lab of Attacking common services: I've managed to push a reverse shell into the FTP server but when I go to the website to execute it, it propose me to download it instead.
Same thing if I cURL it. It just shows me the code

Someone could help me?

Hello can someone help I am unable to link the target IP with the vHost that it has:
94.237.50.175:37677 inlanefreight.htb
I put that into /etc/hosts but it doesnt resolve.

• When entering the IP, I can see the web page just fine, but not when I enter the name inlanefreight.htb
• I can't perform the necessary whois command on neither the IP or the inlanefreight.htb

Any help would be appreciated