#modules

I went to sleep mad then it was working normal after

Try terminating it and waiting a few minutes

hahaha

🫡

after cracking easy and medium labs for nmap module, in hard module, I find it really funny lol With our second test's help, our client was able to gain new insights and sent one of its administrators to a training course for IDS/IPS systems.

i'm having an issue at footprinting lab - easy

i should be able to download the id_rsa from the ftp server

but it says permission denied.. i tried even setting chmod 600 and still doesn't work

mget id_rsa gives me cant access id_rsa: permission denied

hey have a general question , where can i get the files that comes with the machines? i mean , i need to use a wordlist from the machine but i want to do it on my vm and dont have the wordlist on my vm

no need to download it. just copy content

you can't download machines, if that's your question

no , i just want the neccesary files that needed to complete the machine on my vm , eg wordlist

usually located at usr/share/wordlists/ just delete wordlists, you should be good.

how?

i can't 'open' it

you can specify your own wordlist without deleting the existing ones.

you can find them on github, typically rockyou.txt and the seclists wordlists are the ones you need

prolly a bug, let me try to reset the machine

which section is it?

thank you thats what i meant , ill check it out

easy test lab

sometimes that works.

it worked first time, but my VM crashed

then i reset my VM and it said permission denied

/usr/share/dirb/wordlists/common.txt
i need that one

which module?

still doesn't work

footprinting

install dirb then

https://github.com/danielmiessler/SecLists this includes everything you might need.

you could use vim or nano to open the id_rsa and then copy the key.

vim and nano are unknown commands

how about cat?

same..

enter shell see if opens better terminal.

nvm it worked

i had another id_rsa on my local

didnt overwrite

alright

thanks ❤️

thank you both @real delta @grand portal , got everything i was needed

Module: Pivoting, Tunneling, and Port Forwarding -> ICMP Tunneling with SOCKS

Hi all, I was having an issue with ptunnel-ng not executing on the pivot host so I did some research and it seems like you need to compile (autogen.sh) with the same version of glibc as the pivot host.

Did anyone find a way around this? Seems like creating a new VM just to compile a single program is overkill.

There was a method shared in the channel on how to statically compile it

Ah cool, thanks. Only just realised there is a search function

Guys is there anyone who completed "INTRO TO C2 OPERATIONS WITH SLIVER" module. I am having difficulties in "Establishing persistence" part.

NetExec / CME have a --local-auth option for authenticating against the local target machine. Is this functionally the same as passing "-d ." or is there more to it?

There's likely more to it

do the streak points do anything atm?

Can anybody help my laptop doesn't just want to connect to my laptop Icon also not showing on desktop

Not tech support channel

Not atm

I've asked in the general group aswell

ah okay in the works atm then im guessing

No you haven't

Hello, why am I getting this error ?
https://academy.hackthebox.com/module/280/section/3132
Gobuster Subdomain Fuzzing

Anyway #1024429874246590575 and create your own post

are you giving it the correct port as it will probs default to port 80 i would guess

Inlanefreight.com is a live website

No ports or /etc/hosts entry needed

why are you fuzzing a live website to start with

Did you add inlanefreight.com to your /etc/hosts? If so, that's why

Because it's a website controlled by htb

And the question asks for it

right didn't know that sorry, pretty cool then

Inlanefreight is a fictional company that's used as a background company that's the basis of most of the modules

You'll see inlanefreight.htb, inlanefreight.local, and even freightlogistics.local

For some of the modules

that's cool tbf, nice to see something outside of the standard vpn box's

¯_(ツ)_/¯

No, I have only done this step before
This is not done in Gobuster Subdomain Fuzzing

Ok good just making sure that you didn't goof

Can you ping inlanefreight.com?

Also don't put 100 threads

You might just be trying too many threads at once

I just ran the gobuster command, and it worked fine for me

nslookup is normal
But ping seems to be stuck

Same as before

Worked for me

I take it you're using pwnbox?

Or your own vm

Could be some misconfiguration in your vm

hello

I have no idea. Can anyone help me?

The credentials should be given to you in the section

find / -name "restic" maybe? 🤣

This is in windows I believe

https://academy.hackthebox.com/module/158/section/1436

why does this break?

I have restored all the backup files

That's not the question

The question is "what's the password for Restic Backup"

Aka you were overthinking the question

after i got this output how to login as selly.jones?

can someone please help?

You'd need to find their password

Did you do the gem install commands?

no, I have never used ruby before. can you tell me what are those?

i get this running monitor.sh on nibbles , and nc -nvpl doesnt get anything
/home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found

Literally the commands just above starting up the dnscat server

where can i get that password?

Did you add the bash one-liner to the monitor.sh file?

What module are you working on?

wait i added the wrong ip adress in it ill rework on it with my monitorbak i made

@fathom pendantHow do I find out?

hacking wordpress

... look at the top of your screenshot

at page 11

Do the techniques shown in the module to find information

yeah it worked now , i get these error on lines that i didnt written i guess its ok and related to the file itself

No, that's all he gave me

RESTIC_PASSWORD =

done

Oh my god

It's asking for the password for the Restic Backup Service/tool

hello ？

What module/section?

https://academy.hackthebox.com/module/67/section/1637

Ok so you're deep in this section

And you found the answer

Put the S* password you found

No, I didn't understand his steps

S* is the result of asking others, I want to learn by myself

I beg you to teach me

😫

Look for configuration files

Configuration files are often low security

I think I've read everything I can about backups

Did you go to the Restic folder?

And look for a conf file there?

what can i do with that output?

I tried to open it

Passwd only shows users

Are you in the "Restic Backup" files?

Also check Desktop

OMG

Wdyk it's on the desktop 😉

Always enumerate what your user can see

It turned out that he had been right in front of me the whole time, and I spent three hours searching for him

thanks

@fathom pendantBoss Why haven't I recovered SAM

I see some questions from the community

why arent the commands running on dnscat?

This is the second time this happened. I restart the session one before.

This is from the next part, using chisel. any way to fix this?

hello am on web fuzzing assesment || i got admin/panel.php i just done both GET and POST commands but found nothing and lost where to go from here ||

me too

@nocturne hedge what did you try

which question you on, asking for parameter name or flag?

|| i got the files from recursive fuzzing admin/panel.php||

Hello, everybody!

I'm on https://academy.hackthebox.com/module/74/section/708

Trying to connect to remote machine via xfreerdp. Opens window with rdp but in contantly has blackscreen. Has tried from VirtualBox Kali and from pwnbox also. The same result in both cases.

Tried setting the access id or whatever but no results

i'm getting same error too

Same

There is a note in the section that will help you

Fuzz parameter values, you're given a parameter - capitalization matters

Hello
I want to find a people who want to learn programming with me and i iwis if we be a team work together in the future
we will learn together and have fun together and i wish if we be a small family in the future
if you want to join send me

could i get some help with this question? " Review the NFS server's export list and find a directory holding a flag." (Miscellaneous Techniques section) linux pe).

Im getting this error; mount.nfs: access denied by server while mounting IP:/tmp, with this command 'sudo mount -t nfs IP:/tmp /mnt'. I've tried do everything which is mentioned in the section; also i've tried restting the box multiply times, change vpn. But really the strange part is, i could do the same command and it worked then but when trying to execute the shell owned by root it gave me a "htb-student@NIX02:/tmp$ ./shell
./shell: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./shell)
htb-student@NIX02:/tmp$".

I've no idea how to fix this or what to do.

#1225791307256168448

url="http://94.237.59.63:45600"

for i in {1..20}; do
        for link in $(curl -s "$url/documents.php?uid=$i" | grep -oP "\/documents/Invoice.*?\.(pdf|txt)"); do
                wget -q $url/$link
        done
done```
hello i have a question in fact i don't understand why the files don't download yet i start in the script base and i modify it to download the useful files with a regex but it doesn't do anything but with the script provided in the course it doesn't do anything.
https://academy.hackthebox.com/module/134/section/1186

Is tmp the name of the share?

yeah, in the config file and it shows on the showmount command

That's not what I asked

Ip:/sharename

oh mb, yea the name is /tmp

Does it require remote authentication to connect

Worked for me

Also, capitalization is important

/var/nfs/general *(rw,no_root_squash)
/tmp *(rw,no_root_squash)

no i guess not, it does not require extern authentication (/etc/exports file)

I really tested everything and restarted the server several times, thinking that maybe that was the problem, but no ...

it's x-y-a paramaters right ?

?

on the Web Fuzzing

I meant idk wtf you're referring to with x-y-a

for paramaters

The parameter that you need to fuzz it's value for is given to you

lol

Idk what you mean by x-y-a

ow

my bad i think i got it

i am currently using wenum

Also once you find the value

Visit the webpage with that parameter=value

I only used ffuf tbh and it worked fine

will try to am used to wenum more

Yes

Whatever works for you

yeah except it didnt work 😅

ig i'll try ffuf

once I got the page extension it worked for me ¯_(ツ)_/¯

I'll spin it up and try wenum to alleviate doubts

alright

But all FUZZ values will be in common.txt

alright

hello
in password mutation section of password attacks , im kinda stuck since the question says to use the password list from the resources of the module and crated a mutated one to brute force the user sam in ssh , i did that but got no results after waiting for too long , any one got the same prob

this is the question : Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the password for the user "sam". Once successful, log in with SSH and submit the contents of the flag.txt file as your answer.

when i looked in the youtube i saw someone using the same thing but the made a list with batman in it and mutated it

when i looked into the mutated file i made from the password list in the zip file there were nothing like batman

any ideas

The mutated list should be about 94k lines long

Did u try cat mutated | grep -i batman

actually thats what i did aftermaking the mutated file i did $ grep -i batman mutated.list

And nothing?

Usually it just takes an unnecessary amount of time to get the right password

Did you make the mutated list like it says in the module using hashcat? resources gives you the custom rule and password list to make it

just found the problem

the problem was that i made my own rule file

this script works for you too? curl -s "http://SERVER_IP:PORT/documents.php?uid=1" | grep "<li class='pure-tree_link'>" because me nothing displayed

which included the rules show in the module

but now when i did it for th 4th time i found when unziping the file i got the rule file

so i was using the wrong one

Yeah

Anyone would care to give a hand in the "Attacking Authentication Mechanisms" - Skills Assessment!?
Just to see if I'm banging my head against a brick wall or if I'm in the right direction

sorry for the inconvenience

Hello

i had to make a quick modification to the script given, since it's a POST request, you need to supply the uid in a -d "uid=$i" and then i just modified the end of the grep to be \.(pdf|txt)

@harsh oak can I help you? I don't do random dms

did anyone have trouble with File Upload Attacks - Type Filters? doing a double reverse method using extension htb.jpg.phar

I even modified the content-type

Are you using a file signature?

Also make sure there's a newline between the Content-type and the signature

yup there is a new line

Looking at my notes I used the gif* example and used a specific image/g* content-type

Wrong image content type

okay cool

image/gif?

Try and see

kk

You should have fuzzed for valid image/[type]

What does your fuzzing reveal

Don't just copy/paste from the walkthrough

okay i'll check my fuzzing

Ik you are copying from the walk-through bc of the php command in your request

cool cool

WTF is going on today on the service?

#starting-point

Try with -Pn as the note suggests, also be sure you're on the right vpn

what's a good image extension wordlist

The section goes over this

It shows creating a wordlist with just image/[type] from the SecLists Content-Type list

oh yes

thanks

I suggest reading the material and stop relying on the walkthrough

You won't have a walkthrough for the exam

it doesn't really show fuzzing content-type

it hints at it

am i sending it to intruder? all content-types are -> Only Images Allowed

When I RDP from Parrot OS terminal to a windows machine, I can not copy text from remote machine. How should I accomplish this task?

yes use intruder

then use the menu at the top to filter it by size

there are some that will work

+clipboard

👍

Hello @everyone, does anyone can help me with the first question of the Module OSINT: Corporate Recon, please?

What have you tried and what doesn't work?

@acoustic owl I wrote coordinates in DD. But it doesn't work.

Have you found the right city? Take a close look at the page
Then it is important that you have set the browser to English. Otherwise you may get different results

Does anyone know if HTB runs through their modules after deployment? How does one get to the kali box if there isn't a start instance button like other instances?
Module: CDSA Path - Windows Att & Def - Kerberoasting

hello! i have a question
how did you make the xss phishing module?
I made the malicious form, I make the listening script to get the credentials when the person fills the form.
i send the link in phishing/send.php
then what ?
because if I test myself filling the form the credentials are not useful when I try to log in /phishing/login.php

what do I have to try?

why i got different output?

you RDP into WS001, not the kali box

i believe you can RDP into the kali box after you've RDPed into WS001

I got it to somehow work. now there is a new issue with the next part

Understood...I tried to ssh from WS001...it wasn't listening. I tried to RDP and it is not listening either. The previous page states that Kali should be at 172.16.18.20. It is not responding to ping as well.

may not be there for that section then

Bummer...going to be hard to perform the Kerberoasting questions without the kali box to perform hashcat

both the kali box and WS001 show up in the later sections IIRC

Alright, I'll just go through the solutions and skip this module

wouldn't recommend that but you do you

I did that

Hi everyone, quick question: Has anyone solved the assignment in the 'Broken Authentication' module, particularly the part on 'Enumerating Users'? I keep getting errors when I try to run the command and can't submit the question

I'm struggling with this question, in CMD vs. PowerShell: " What command string can we use to view the help documentation for the command Get-Location? (full string)" I'm pretty sure the answer is ||Get-Help Get-Location -online|| what am i missing?

I'll fire up my PC shortly

o capital?

Enumerating Users

Enumerating Users

someone please help, this is too frustrating

https://forum.hackthebox.com/t/icmp-tunneling-with-ptunnel-ng/268732/19

I've tested it in my own powershell, and it works but apparently its the wrong answer

I did that too.

I'll be firing up my PC in a few

Nevermind I was reading the question wrong 😬

hello! i have a question
how did you make the xss phishing module on htb?
I made the malicious form, I make the listening script to get the credentials when the person fills the form.
i send the link in phishing/send.php
then what ?
because if I test myself filling the form the credentials are not useful when I try to log in /phishing/login.php

what do I have to try?

I had to search through the solutions...
Apparently we are supposed to know that there are password files located on the parrot desktops. Once I knew this fact, the rest was rather easy.

Thanks, I’m going to test it later, thank you very much

you don't even need those if you already have rockyou

Yes, but you don't have it...unless you know where they are located on the parrot desktop. 😉

i'm not sure i follow

are you using pwnbox or VM

pwnbox...the rockyou*.txt files are in an obscure folder in /opt.

because i just cracked the ticket offline on my own VM

ok that makes sense

Yeah, I've not gone down the rabbit hole of VPN just yet...I'm not sure it is the best solution for this type of user base. Teach them to walk then stand then run.

that's covered in Infosec Foundations path

you should be acquainted with the tools you have in your environment if you're doing Windows Attacks & Defense

Oh I am...it is just when the tools aren't available that I get stuck

I mean they're still available

The update to pwnbox shuffled stuff around and the module text hadn't updated to reflect it

oh they did update pwnbox huh...

Right...so now, take the viewpoint of someone trying this out for the first time...although with 20+ years of IT experience. This isn't supposed to be expert level stuff...yet

i recommend using your own VM then just so you know where all your tools are

^

i forgot that they updated pwnbox so what you're told in the module in regards to pwnbox tools might not necessarily be what you get.. you'd be better off with your own VM

Anyone finished “Attacking Authentication Mechanisms” could care a hand?
Some of these modules feel like a black hole in the forum and in here…

Or find / -name "thing" 2> /dev/null

i also thought of that as well

but if you're struggling to find tools in pwnbox, it'd probably be better just to have your own VM at that point

module: shells and payloads
section: metasploit

I tried the logical thing which was "shell" because it gives u the shell with metasploit if u run that command, seems like it wasnt correct

nevermind figured it

they're pretty much in the same location on vms too 😂

Good afternoon!

some stuff is placed in /opt but that's not the case on a fresh install of Parrot

proxies = {"https": "https://127.0.0.1:8080", "http": "http://127.0.0.1:8080"}
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

def sqlInject(url):
password_ext = ""
for i in range(1, 21):

        r = requests.get(url,proxies=proxies, verify=False, cookies=cookie)

why doesnt this work? it works if i dont do proxies=proxies but if i put in proxies=proxies it doesnt work and the r.status_code doesnt return even tho i have burpsuite set up nd stuff

for sql inject

Ive been trying to solve the thick applications module but I am super stuck... I have tried many ways but after changing the port and deleting the hashes from the MANIFEST.MF file

I tried from the pawnbox and I get errors and when I tried from the windows machine I double click but the java app does not start

now I manage from the pawn box to run the application but when I type the username and password I get error as well...

so i found what images are allowed and what web extension are sort of allowed. but when i put it all together in repeater, it still doesn't work? can i send you a screenshot of it?

make sure the signature matches the type 😉

signature as in .png matches content-type: image/png?

how about my method? should it be get or post?

its' post right now

well to upload it's POST

is in the magic bytes; and for the sake of simplicity they use GIF8 as the GIF signature

I managed to access but now I dont see the lower tab for opening files...

I dont know why I dont see it...

I have tried closing and open and changing the size of the window

.

any ideas...

Try runningbundle install and then sudo bundle exec dnscat2.rb .... The directory already has a Gemfile which defines what other dependencies to install and Gemfile.lock which specifies which specific versions to install. There's also a Dockerfile in there that you could try building.

Can anyone help please? I'm stuck on 'Firewall and IDS/IPS Evasion - Hard Lab' in the 'Network Enumeration With Nmap' module.

The question is 'Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer. '

And the hint is 'Our client also mentioned that they were forced to add a service that plays a vital role for their customer because they require large amounts of data.'

it means you won't be looking at DNS for the answer

you'll need to do a scan of all ports to find a service that may be running

Okay. I used -v and it kept outputtingIncreasing send delay for 10.129.2.47 from 160 to 320 due to 11 out of 12 dropped probes since last increase and now the scan isn't progressing at all.

re we agree that before the .(pdf|txt) I add the file name for example documents/(Invoice|Report).*?.(pdf|txt)

and for the POST i use -X option for designed POST

When I press space bar, it says Stats: 0:05:45 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan SYN Stealth Scan Timing: About 10.15% done; ETC: 21:29 (0:51:04 remaining)

with -d (data) post is assumed

try adding -T4 to the scan command

sometimes SYN can be dumb

Okay. I've done that now. Could you explain what was happening there?

default scan timers often try and readjust when timeouts occur

Thanks!

Warning: xx.xx.xx.xx giving up on port because retransmission cap hit (6).
That happened one time. I googled it and it recommended lowering the timing value.

Hey I've been stuck on the last question of the Information Gathering - Web Edition (Updated)
Q: What is the API key the inlanefreight.htb developers will be changing too?
I found an API key on the vhost but not sure how to use it any tips?

But when it was the default -T3, it didn't work either.

it's pretty dumb you can do --max-retries=2

you don't need to use the found API key

you are just locating it

I've located it, but not sure what to do now.

wdym? the API key is the answer

the question asks for the new API key, nothing more -- nothing less

but if the answer isn't accepted, maybe go another level deeper

bc there's w*.inlanefreight.htb then there's another vhost under w*

so a.b.domain

Would that not make it happen more? Because instead of trying 6 times, it only tries twice?

I'm sorry marcie but i'm lost .. in the courses they says to use -s for a method GET for download all documents and you say me use -d for use method post ...

once max retries happens it will stop trying that port

don't worry about if it hits max retries for a port

manually view the requests being made

don't just blindly follow the module

utilize the knowledge being given to extract and discover info

intercept the request you make on your system to the target

see the type of request being made

and modify/make your script off that

you can't always follow the examples exactly

utilize the information that is surrounding the examples on how you'd discover it for yourself

i see okok

thx

don't complain that "it just doesn't work" because there's generally a reason behind it not working

(and usually it's not bc the lab is broken)

it's also very fresh on my brain bc i just did it

currently doing my process map for the skill assessment

I understand, thank you, I'll follow your advice (I've always followed it and I've always succeeded, so there's no way I won't lol).

back to screenshot and copy/pasting my scripts into my notes

I got 2 open ports and 2172 filtered ones (no response) from the full scan. When I done a service version scan on the two open ones, neither contained the flag.

i found the flag but with intruder 😦 i'mgoing to try the script

maybe you need to think about your source

i'd re-read the text on DNS Proxying in the IDS/IPS Evasion section; it might reveal something to you

also make sure you didn't incidentally trip the IDS

Okay. Is there a way to check if I've tripped the IDS?

if you can still interact with the target, you haven't tripped it

i believe it's also on http://ip/status.php

as given in the first assessment

in a normal engagement you wouldn't have access to this page

Okay. I'm interacting with it so I'm okay.

I found a new open port! (: It was also faster when I changed my source port. Is there a reason for that?

but marcie i think you understand things better than i do but what i don't understand is why the post method is used knowing that get allows you to ask the server for documents based on the user's uid ?

The service is shown as tcpwrapped and there's no version.

It could be the system's firewall is sending you an RST on closed ports when the source port is set (fix spoiler) instead of simply dropping the packet which forces your system to wait until timeout for a response that isn't coming. You'd have to use nmap's packet-trace options if you wanted to quantify it for yourself through, I'm just guessing.

That makes sense

after this what should i do next?

https://academy.hackthebox.com/module/17/section/60

how to acces the target?

You've got command execution, make the computer do anything you want!

so how to go home directory?

so just run the command in my terminal?

like this?

so where should i add wp-user?

so i need to check the wp-content,wp-include,etc?

can you give me some example?

change cmd input

yes but i donot know which one should i change

i think replace cmd=id with other commands than id

that’s a webshell right?

yes

ye if u wanna know the files just do cmd=ls+/home

then it’ll show users then after that u can keep searching

https://academy.hackthebox.com/achievement/667914/134

it's based on a certain configuration in the reading

so when i want to cd just do cmd=cd wp-user?

you can't cd in a webshell

ye but it’s a webshell it doesnt work the same

the webshell is being hosted on a specific directory idk how to explain

at least for the purposes of changing your current working directory

the webshell will always be hosted at the directory it's planted at, so cd does nothing permanent; you'd need to chain together like cd <directory>;<other command>

yee chaining tho

cd..;ls

so what if i want to go wp-user which command should i use?

you can't go to them

you can ls that directory

i mean see that file

or cat that file, if it's a file

oh ok so just do ls../...?

yeah, basically

or you can use the full path

cmd=ls wp-user like this?

if it's in the same directory as your shell, yes

u never used web shells b4 😭?

idk how if he's doing the cbbh path

yes this is 1st time

this cant work cause look at the path in the url

honestly though webshells are like dummy simple

u def cant ls a directory that isnt in the current directory

would probably be faster to just use the path

/var/www/html/wp-users instead of a million ../../../../../../

or wherever the wp-users dir is located on the webroot

that's not how that works

you need to ls it you goon

i was referring to using the filepath + an enumeration command

since you know, you can provide a command like ls, or cat, with a filepath instead of the current directory to enumerate

nearly finished

oh ok

tbh it took me longer to document my steps than it did doing the damn thing

it takes so long to document the attack path, especially for me

is there module about webshell?

it also took me an extra minute because i completely missed the u* endpoint and was trying to attack the t* endpoint

Shells and Payloads should go over web shells

not directly about webshells, but the Shells and Payloads module goes over a bunch of different shell types

webshells being one of them

but like nothing that's crazy in-depth

you're just thinking a webshell is more than what it is

think of a webshell as a website in a way. By itself it only can see where its at, and you have to tell it where to look for your commands

i.e. in a NixOS environment for the webshell; you'd do something like cat /etc/passwd to read the passwd file, but you can't just tell it to cat etc/passwd as there is no etc/passwd file in the webroot (or wherever your shell is located)

you need to give it either a relative or absolute path to reach the destination

if you don't know what either of those are, then you're missing some fundamentals

relative == i am in /home/marcielee and i want to look at home, without changing my directory i can either:
ls ../ (which will tell ls to look one directory back, relative to my current directory) or ls /home/ (tell ls directly where to look)

Two things I've learned with HTB

1. Be patient
2. Pay close attention to detail

Holy crap did I put myself in an unnecessary mess 😤

yup

https://tenor.com/view/running-home-bugs-bunny-jump-hiding-gif-8509983

you're staring at something more complex when the answer was 2 lines up from where you were at

or one of the modules where you dump the SAM/SYSTEM and it's in plaintext...right there...

Did the domain crash on the pwnboxes?
Error: The trust relationship between this workstation and the primary domain failed

I don't think so ¯_(ツ)_/¯

https://status.hackthebox.com

Looks like something just blipped on it

I rebooted all my instances...except the Windows VM...just restarted it and it seems to be ok now

Hello. I am stuck on a module. I am working on File Upload Attacks, and I am on Blacklist Filters. I used burpsuite intruder to fuzz different php extensions. I found a couple that allowed me to get a successful upload in repeater. However now that I have my phpbash shell file uploaded I do not get the usual shell when I visit the page. I get what you see in this picture. Can anyone tell me where I went wrong? https://gyazo.com/f4c766b8c965fb668b26c71d0c27cc67

i just used a standard php webshell ¯_(ツ)_/¯

to me it looks like there was some error in your phpbash script

ill try another webshell

try another extension

oh ok

don't just assume that a successful upload means that you'll get a shell out of it

understood

but using a basic webshell or a simple test like <?php system('id') ?> should be used before trying to troubleshoot a pseudoshell

is there any foss alternative to xfreerdp? sonmehow it keeps on crashing on me

is it a timeout error?

if so /timeout:999999

there's also other tools like rdesktop or remmina

something like

[17:47:23:883] [28787:28788] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 110: Connection timed out
[17:47:23:883] [28787:28788] [ERROR][com.freerdp.core] - transport_read_layer:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[17:47:23:883] [28787:28788] [INFO][com.freerdp.client.common] - Network disconnect!

every module I have to restart the thing multiple times..

thanks will try it out!

system error 110: Connection timed out
<snip>
Network disconnect!

yeah the thing is that I can't even reconnect without restarting the target

will try with the timeout parameter thank you

i'd also suggest changing vpn regions, and using the tcp vpn download, instead of UDP

got it. thank you

👍

OK... I am done beating my head against a wall on this. I am absolutely stuck. Where do I get help with the File Upload Module? NOTHING is executing.

then try a different extension? or combination? what section are you on?

@fathom pendant sorry, working on file upload -> black listed filters.

tried the following wordlists: payloads all the things > extension PHP > extensions.lst

seclists>web extensions

fuzzdb > alt-extensions-php.txt

seclists > file-extensions-lower-case.txt

raft-*-extensions.txt

NOTHING is executing.

Its secure; I hate it.

I've been stuck on it for like 3 weeks. I feel like an idiot.

i just did this one the other day; did you use the php list that's suggested by the module, also: filter by the response size, if you view the responses of the larger files -- it'll be successful (ignore what the reading says about its sizes)

you don't need to use raft or any ext like that

can I dm you real quick? I want to make sure I've got the right file

within the reading they directly reference a php list

gimme a sec to pull it up

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Upload Insecure Files/Extension PHP/extensions.lst this list from the reading

yeah

it's a matter of using burp intruder, waiting for it to finish, then sorting

you'll find a handful of extensions that "uploaded" but only one will actually execute

i believe if you view source it shows the failed payload in an html comment whereas on the success it will execute

The response(s) I'm getting from Burp are all 200 ok, with either 'File successfully uploaded' or 'Extension not allowed'.

alright, I'm going to walk my dog and let this finish.

yes because you're getting one of two messages; either "you can't do that" or "uploaded" if you filter by response size -- you'll see that the successful uploads have one size while the failed have another

Sir I'm a beginner in this field is there any recommended youtube channel from you to start hacking?

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

You can't learn hacking by just watching videos

Helloo .. recently when I was trying to run custom queries on bloodhound it shows no match found for all the queries that I write, even the obv ones

does someone know how to solve this,

@fathom pendant ran through the entire list, sorted by length. found an obvious difference. Tested larger ones, nothing executed.

I HAVE to be doing something wrong...

from what i recall

what is the php code that you're testing?

<?php system('id'); ?> is generally a good test

yeah... I uploaded that

how the hell am I realistically supposed to check all of these in any reasonable lenght of time?

@fathom pendant I found it. Thank you.

I'm so angry at myself right now

:)

who or where can i ask for help on a particular assignment in the academy modules?

you can ask your question here

nobody, read the rules

odds are at least one person has completed the module you're working on

advertising "hack services" is not allowed

doing the common apps module now... good lord is the wp section lorge

im stuck on this question
"Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable. "
its in Introduction to Bash Scripting Flow Control - Loops

well what are you having trouble with?

what have you tried?

i keep getting
"*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40E74883607F0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:…/providers/implementations/ciphers/ciphercommon_block.c:124:"

that module is huge.. have fun with the thick-client section

not sure if my script is correct but no matter what i do i get bad magic number

likely your script; but that doesn't necessarily tell us what you've tried

¯_(ツ)_/¯

bad decrypt generally means the password used to attempt to decrypt was incorrect

Hey guys im stuck here is my awnser close ?

that is correct; the hostname isn't nmap -sn

and your answer is not close

some services, like SMB, report the hostname, generally enumerated via -sC

or scripts

ow okej im gonna give it a try thanks

reading the question generally gives you an idea of what the question wants

yeah I just don't understand why they ask something that they don't show in the module

?? Doesn't that section show using scripts? Or -sV or something??

Click around for other databases

This is in the nmap module yeah? @tender nimbus ?

Yeah found it just didnt know that with a version scan you can actually find the hostname

• databases

Well that's something you figure out here

Using the tools and techniques you learned in that section... it's not like they asked you to do something completely out of pocket like run a whole separate other command

But to be sure, it depends the service that is running right? Cause iit showed the hostname at port 445 but not on the others

something will evenetually yield a database and table you can interact with to find more info, like a table to search under

yes, it depends on the services

some do, some don't

but you don't know unless you try

Yeah i was asking cause im not on my desk anymore i will test it out tommorow thank you

what is it with people and asking about something and not being at their desk to check jfc

also you seem to be looking under security, not the databases list

tbf; the footprinting module is a little light on enumerating the MSSQL GUI

but it's mostly just clicking around

accounts might be interesting

try right-clicking it

:)

also look at -Tables

generally information in an SQL database is gonna be in a table of sorts

:)

you've gone one level too deep

right-click that table

also remember a table is made of columns and rows; so you see the columns there

guys im new to this , currently im doing the ftp modue in academy , and it shows 1/1 spawn , does this mean i only got 1 chance to pass the module , meaning like once i spawn it i have to finish it ?

don't hate yourself dude, see this as a sign to take a little breather

no that spawn is referring to the pwnbox (in-browser vm)

also i don't recall there being an ftp module, do you mean the file transfers module?

ftp is just a protocol; file transfers is the method (of which there are many beyond ftp)

yeah dude, thats the one hahha , really confusing 😫

just take it slow my guy

no need to rush

Ok. Will try in some time

@fathom pendant Can I DM you about that Blacklisted File Upload? I found the answer but I'm still not understanding it.

i.e. I have the flag, but I still have questions.

go ahead i'll prob be slow to respond but i'll do my best to explain

That's fine. I'll probably take a while asking the question 😄

@indigo flax dnscat.rb was fixed, ptunnel is my current issue. help pleasee

#modules message

Is there a way to reset progress on a module we completed a few years prior? I completed a few one off modules in college and now I want to go back through with a fresh start on some of them...

why? Also you can't reset them

Just redo the questions, there's also a nonzero chance that some have been updated so the answers no longer match

thanks, fixed with chatgpt by modifying make files

anyway to fix this?

I ended up not using it, too clunky for me- I used a different method ¯_(ツ)_/¯

okay ima use the different one then, thanks

Finally figured this one out. Follow advice here: #modules message but run sudo make clean and then sudo make. You can always run cat on the autogen.sh file and then manually follow the commands it runs.

What I did was change makefile.am

Got it to work.

Ah nice

like this, credits to chatgpt

I added the dll file, why doesnt this work?

Make sure you're calling to the right machine

the IP seems to be correct?

There's a system in the middle, read the text

oh

wait, I rdp into htbstudent at 10.129.---, now I must connect to jason @ 172.5 right? is there another machine in the middle?

oh i think i got it

Same spot too

These last two sections are a pain 😭

almost done, only skills assessment to go

I got it. so is it important to login to the other machine with username victor to get the SocksOverRDP running then proxifier on htbstudent to login to target with flag?

yeah

that was so SLOW

i had to type the flag in

anyone been thru the first few intro segments (linux) on the intro to security module recently? i forgot to make a note and something they brought up... very simple get request using tcp socket, is bothering the heck out of me and i "NEED" to see the info again, and i cant find it T_T''

it wasnt that slow for me thankfully, I could copy paste

The instructions are given step by step

Well you can always go back to old sections still

yeah im hunting for it now but im having no luck... it was just a simple demo... it was in either the linux fundamentals or some other fundamentals type (mixed) segment where it discussed linux sockets and what im after is the part about tcp sockets and how they issued a get request to a tcp socket /dev/tcp/google.com/80 type deal ... and im trying to make note of that, i thought it was really... cool? dunno never really seen that... chatgpt gives me "something" but i want to re-read it make a note of it and commit it to memory... from htb

i get the concept and i get how to do it... but i just have a irk where i NEED to see it... to be like... "ok"

this problem has plagued me for most of my life... i have several songs in my head that i "NEED" to hear but dont know enough about them to find the artist/title, movie quotes i "NEED" to remember so i can find the name of the movie but cannot remember the actor or movie, just the quote itself... etc. etc... i create these problems for myself... kinda sad

Well it might not have been in intro to linux tbh

Well linux fundamentals

im thinking you're right, now that im halfway thru my second search

it might've been the module prior... i went to the academy and started like... from the intro and just let it pass me along to whatever was "next" so now im having a little trouble back tracking

why didnt i just write it down... :/

Hi guys

https://academy.hackthebox.com/module/67/section/913 (This module requires Python2.7) The PWNbox provided by the official website does not have Py2.7

Do I need to install this manually?

did you check python --version ?

It's not installable (via apt)

I checked it

Latest python is 3.12

pwnbox doesnt installed backdated python? check python2 --version as well, just for grins before installing

2.x has been officially dropped by many distros

oic

It does not

Yes, no Py2

I'm trying to install Py2

But I feel it is very slow

#modules message

curl https://pyenv.run | bash
echo 'export PYENV_ROOT="$HOME/.pyenv"' >> ~/.bashrc
echo 'command -v pyenv >/dev/null || export PATH="$PYENV_ROOT/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(pyenv init -)"' >> ~/.bashrc
source ~/.bashrc
pyenv install 2.7
pyenv shell 2.7
python --version

So cool you guys

Took a min using the discord search feature

man, im so confused ive been thru all my previously completed modules... im wondering if i just made this up? the bit about the get request using /dev/tcp/... ? its kinda nonconsequential but its driving me mad.

this is not friggin cool its gonna keep me up all night

Probably read it on some forum

/dev/{tcp|udp}/remote.address/port

it was so simple so elegant

it was like echo -ne 'GET ....' > /dev/tcp/yahoo.com/80

but i just cant be sure...

yeah its here i think https://academy.hackthebox.com/module/24/section/514

¯_(ツ)_/¯

i ran into that but im not enrolled in it, and never got a badge for it... so im hesitant to get in there

then im not sure

yeah same, just complaining is all

thats the only module i can think of

u know what... i bet you its in the module... i just cant "find" it because its a screenshot

man imma have to go thru this with a fine comb

@fathom pendant I summon thy

Windows fundamentals, Windows security

What 3rd party security application is disabled at startup for the current user? (The answer is case sensitive).

ive already tried to query for security proccesess that arent running and dont have a microsoft vendor, the answers ive tried dont work so far , could I get a hint?

wait, a non running application is not considered a proccess is it?

get-service powershell

Good morning frens
I'm just starting out in cyber sec, going through the setting up module should I install everything I'm learning about? Including them chocolate manager, Subsystems etc

get-service | Select-Object -Property Status then start lookin

yes this is a handy idea

personally i would do it on a windows vm or a custom user account though

bit more than a hint my friend

but thanks

Aiit thanks

you should've been well prepared by the time you reached that question, though. i just went thru that exact module just a few days ago

are you taking notes?

(im clearly not one to speak, just curious... those were in my notes)

Contact support via website. Discord is not the place for this

ok

They’ll get back to you asap 😄 (there is no billing support on discord)

oh ok, thank you

Get-Service | ? {$_.Vendor -NotLike "*MicroSoft*" -and $_.Status -eq "Stopped" -and $_.DisplayName -like "*Security*"}

Is this command wrong?

in this context

I dont see why im not getting the correct answer? A security applicaton would usually have something security related in its displayname, its a proccess thats disabled upon boot, so it would be stopped, and its a third party app

ive been at this for 2 hours, going to go to bed

Hello for Sever Side attack, can I do it lab on my own VM? cuz I can't connect to the target on my VM even I connect to VPN
But when I try on HTB pwnbox it work fine. Anyone know how to fix this

Module: Pivoting, Tunneling, and Port Forwarding -> RDP and SOCKS Tunneling with SocksOverRDP

Hi all, anyone else have issues transferring SocksOverRDP-Server.exe onto 172.16.5.19 from the attack host? I'm able to RDP to the pivot host, install the dll and then RDP from there to the victim host (172.16.5.19) but when I try to move the files (SocksOverRDP-Server.exe) from my attack host to victim host (SMB and HTTP) they are getting blocked or not recognising my attack host IP.

Real time monitoring is on

U can also copy and paste the folder into the rdp window

Yeah I have already turned it off on the pivot host. I tried drag n dropping the files across but it shows that error icon (circle with slash) to show it won't accept it. Not sure if I need to config something to allow for it, I was just about to start looking into that actually.

Are u using xfreerdp

I just run it with /u: /p: /v:

I am using xfreerdp from Attack host (Kali) -> Pivot host (Windows) and then Remote Desktop Connection from Pivot host (Windows)-> Victim (Windows). I wasn't able to directly xfreerdp to the Victim host from Attack host as it's a private network.

Oh I got confused on which was the victim

lol okay, I'm dumb. Drag n drop doesn't work but copy n paste does.

working now

i have a problem at module 144 - information gathering - web edition ❤️

skills assessment

i spawn machine and i'm given vHosts needed for these questions: - inlanefreight.htb

i add this to etc/hosts

i can't whois, can't dig, can't do anything

if i do dig -x on the target ip i get a weird dns

if it's the question aout the IANA its a public domain

omg yes

the question says .com not .htb

yeahhh I did the same thing lol

**AD-Enum Credentialed Enum - Linux: ** Does anyone know why my netexec is hanging when tunneling it via ligolo? (I've also tried with proxychains and with socat redirection. This is through the Attack-01. I relize I could just the pivot host, but I want to be able to do this as on an actual assessment a real target won't have any tools on it and I don't want to install netexec offline. thanks!

here is the verbose ouput

adding to etc/hosts I just have issue with establishing the connection

I can use --shares, maybe it's a network issue?

hlw i cant connect to the htb linux interface with ssh. I have installed server side ssh. says ssh htb-student@10.129.224.248
ssh: connect to host 10.129.224.248 port 22: Connection timed out

can you ping?

i cant send ss.

are you sure its supposed to be port 22

i didnt mention port. I only typed ssh htb-student@10.129.224.248

lol why did you blur the IP address

How should I downgrade PS when 2.0 is not available

what module are you on?

Module: Password Attack
Section: Lab Hard
is netexec generally recommended over hydra (even the compiled one with rdp and smb2 acess?)

I just completed the Firewall and IDS/IPS Evasion - Hard Lab in the Network Enumeration With Nmap module. The task was to find the version of a service, which will contain the flag. Port 50000 was filtered so I changed my source port to 53. Then it was shown as open

When I done a -sV scan, the service was shown as TCPWrapped with no version but when I used netcat instead of Nmap, it gave me the banner. Why did Netcat work but not Nmap?

Networking management from the CLI

Search for all lines that contain a word that starts with Permit.
what is the command for that

i tried
grep "permit"

it's case sensitive

you could also do grep -e '*ermit"

anyone have some experience with double pivoting with Ligolo? i've gone through multiple tutorials (written and on youtube) and i cant see to get the pivot right.

Aight

and what if i want to find with an ending word

• = anything of any size

for instance anything ending in at = *at

so it would find for e.g (cat,bat,sat,etc.)

not specifically an extension

a word

Search for all lines that contain a word ending with Authentication.

like this one

My guess is that nmap's requests are more advanced / suspicious than netcat so they're getting blocked, but netcat is simpler and only tries to do a three way handshake so it doesn't get blocked. Is that correct?

bro can i dm?

Looking into now, you shouldn't need the target to answer the questions though

sure

you need to enter-pssesion

it's a windows box

i want to connect to instance but in my personal windows desktop

i dont wanna use parrot terminal to complete tasks. can you give me any solution

openvpn

Sudo apt install openvpn, dude

Linux: Filter Contents module Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.

how to solve this question

it's a pain (but really teaches you), try to use the various output filtering to make your output easier, for instance, first think what can I use to get be able to get all the links (probably some delimiter), then I need to make sure they're unique. Sometimes you could be off by +-1 so you can spray a little for that too when you think you have the answer

I've used it.

What is right channel to ask about problem related to subscription problem?

whare are you using it for (module & scenario)

last machine needed to complete AEN

spent around 4hrs going through ligolo tutorials on double pivots but nothing has worked lol

How do you use the Burp Suite tool to encode a parameter with a new line?

I tried pressing Ctrl+U and ctrl +shift+U and I don't get the paramater with zero in it:

https://academy.hackthebox.com/module/109/section/1035
127.0.0.1\nwhoami

staff dont man the discord. contacting support will be your best bet. you can email or use the little chat/bubble on the bottom right-hand corner of the module page (may not be there if you have ad-blockers)

in general, support are quick to respond

is thre problem related to this Kerberos authentication across two (or more) hops.

I know you said you read multiple tutorials, but I felt this one provided enough information. https://www.stationx.net/how-to-use-ligolo-ng/

i highlight the text and right-click, then go to the option to encode.

my connection does not seem so terrible, yet using the academy VPN is being so frustrating at the moment https://www.speedtest.net/result/16618088338

Thanks for your reply. I already "talk" with bot, but somehow I hope that stuff is also here and mybe get some help quickly. Thanks.

The VPN servers are not located on the same server you've chosen for your test, meaning that it is not quite accurate

ive seen it on rare occassions, but thats been more luck than anything. ive had good luck with emails tbh.

when using WinRM to authenticate over two or more connections, the user's password is never cached as part of their login.

i mean of course it is not going to be as good

i havent even been able to ping the host. i dont think there is a double hop problem ....

yet typing a command on ssh takes ages

I have about the same speeds as you and today, academy is reaaaaaally slow, every other http request to the wordpress I'm looking at times out

thanks! that does look familiar and im pretty sure ive used that 1. but ill definitely have another look.

ive managed to get the second jump host to connect to the first one, but nothing is reaching the required network. no pings, nmaps, nothing ... i already have the creds but no connection lol

yeah most likely the fact that im in SE asia affects that since they have no servers here

I would verify you have the correct IP addresses in place. I think there is an image in the tutorial that you can use to bounce off the interfaces you have to validate your configuration.

Yeah, that's an explanation at least, I've done 20 modules without issues and I'm not on an overloaded vpn, so thinking that it's maybe the machines that are out of resources or somthing.

yea it does get confusing but i am pretty confident. the subnets are subtle but ive got the right ones.

im struggling so much because im doing the tunneling module and when you have multiple hops seems to get worse and worse

plus meterpreter shells keep dying and have to do everything again

thanks for the help. ive spent too many hours. im gonna just get it done using metasploit and then revisit with ligolo. id much prefer ligolo as its made 1hop's super easy!

I'd say to mess around with different releases as that could be an issue. I know I've run into some issues and just resorted to using other pivoting techniques. I don't remember what I used for AEN.

yea. i did notice some differences on my screen compared to the tutorials. its a relatively young software too

Okay, sounds like you wrap tcp in tcp, see if you can have tcp only on the outmost layer and udp in the internal tunnels, might help

well i can just hope that the exam doesn't rquire too much more than AEN with jump hosts lol

or maybe the other way around 🤔

idk tbh at the moment i cant even get to do the first tunnel, but yeah i read before about tcp in tcp

im mostly using meterpreter tunnels though

In case you wanted to try a different version, I've had success with 0.5.2

i dont know how meterpreter handles it internally but i think it has its own multiplexing mechanism and just sends the data rather then sending the whole tcp segments

good to know!!

What is the API key in the hidden admin directory that you have discovered on the target system? inforamation gathering web edition

can somebody help on this question

Apply all the techniques described in the module. Then you should find what you are looking for

I selected "Convert selected" and selected one of the options and that didn't work:

DM!

Hey, I am aiming to be a web-pentest, and so far, a lot of what i study on HTB seems kinda useless to study currently. Like, most of the Windows stuff seems good for administrator roles, not Pentest. Is there some kind of good path to take within HTB, that someone recommends ? I do know that i need a good grasp of TCP/IP, Linux, Windows, Protocols just for the basics.

HTB offers a specific web pentesting path, I don’t know if you’re taking the normal pentesting path (CPTS) but I imagine you are. The web pentesting path is much more expensive though.

That’s also because CPTS isn’t a web specific pentest certificate or course, it’s tailored towards network pentesting, and the overall gist of it all

Eh I would say CPTS is 50% infra 50% web, the web portion is too big to consider it a network pentesting cert

Is that a path or certification ?

Well both, the cpts path prepares you for the cpts cert

Gotcha! Thanks

#modules message

He already did

Oh sorry I gave it a quick check 😅

Which is a good thing, because web pentesting is the vast majority of what you see in the real world these days.

anyone know why netexec with bloodhound doesn't work on AEN lab

nxc ldap 172.16.8.3 -u 'USER' -p 'PASS' --bloodhound --collection All --dns-server IP -d inlanefreight.local

I can ping the IP and I configured my .nxc/nxc.config

I think I missed something here. Can anyone explain why both shells are the same julio user but see different files?

On the left is a reverse shell on RDP machine. On the right is a shell using evil-winrm

Module: Password Attack
Section: Hard Lab
Any alternative than ||smbclient for transfering large file||?
im getting parallel_read returned NT_STATUS_IO_TIMEOUT even switching from US to EU

its actually smbget

I just finished this section too. I had a really janky reverse shell and, similarly, I couldn't see c:\julio even with "dir /a", but I was able to "type c:\julio\flag.txt". My only guess is it's some kind of synthetic barrier limiting traditional access to force you to use a reverse shell like the question asks of you. Your screen shot adds context so now I'm curious too if this is synthetic or whats going on.

Had this problem on the Getting Started lab myself. I found that switching from the PwnBox DE to the Integrated Terminal (minimized on the web page by default) and using tmux there helped.

hi

Also, try to use PwnBox instead of your home system to access the VPN whenever possible if your personal network isn't extremely high speed; it's got a connection 10x faster than even my Verizon 5G Home Plus on the backend.

what weekly reward are there? I got 6 strike, but no rewards yet :/

None yet

https://academy.hackthebox.com/module/74/section/708

Connect via rdesktop from pwnbox (because xfreerdp does not working, that's separate topic)

aaaaaand ta-daaaaa

Try without the domain

I tried smbget instead it works.
Thanks for the help regardless

no luck

The creds worked fine for me

Did you connect via xfreerdp?

yes, using my own vm

wow, xfreerdp works

figured it out with rdesktop btw, you gotta specify the domain as local (-d .)

or in the login screen .\

@manic bramble 1) don't dm without asking 2) i suggest always following the basic steps the sections take, without copying 1 for 1 the results

my bad

i followed the steps i believe

nevermind then

Hey Guys. Is pwnbox easier and faster to use than using a VM for parrot os?

I am currently using parrot os in a VM at the moment to do all hackthebox modules.

I tried again with "type c:\julio\flag.txt" but could not succeed like you. I must use a reverse shell. I had the same wonder if it makes you do the intended path or something due to different kinds of shells.

okay so I am working through the Active Directory Enumeration & Attacks and enumerating users. This is fine and works but does anyone know a way to extract the output of kerbrute so you just get the valid users in a list without:
2024/08/13 10:38:07 > [+] VALID USERNAME: emercer@inlanefreight.local

So I can just have a user list?

it depends; you can do everything on the pwnbox, but you're also at the mercy of HTB with version control of applications, needing to reinstall apps every time you spin it up etc...

kerbrute has an output option

@fathom pendant Ok thank you, Thats what I was thinking as well. I also like the experience of just using linux as my OS

parrotOS works well enough for me for academy

a few hiccups here and there but those usually get fixed fairly quickly if they're minor things

ok perfect. I am on the Linux fundies so its a good start for me

thankyou

anyone know why netexec with bloodhound doesn't work on AEN lab

nxc ldap 172.16.8.3 -u 'USER' -p 'PASS' --bloodhound --collection All --dns-server IP -d inlanefreight.local

I can ping the IP and I configured my .nxc/nxc.config

Spawn is already almost 10 minutes... How to stop it and restart?

refresh

hard refresh the page [ctrl+shift+R]

No luck

Restart my laptop

Yes but that just outputs the whole line and not just the usernames.

you can also try to start another target which will kill the other one

then just do a little cut; cut -d ":" -f2

Hard Reset, Browser Reopening, Restart laptop, Relogin into the account - did not help. Any other suggestions?

change vpn regions and try respawning target

note changing vpn regions (if using your own vm) you'll need to download a new vpn

How it should help if spawning machine does not depend on VPN? I login into acc and just spawn a target in a module.

I need the VPN to connect to the target. But my target in spawning state and I cannot see the IP to which I should connect.

Machine spawns do depend on VPN

the VPN region dictates where the machine/what endpoint/network is able to connect

it's why some solutions genuinely are "just change vpn regions"

here?

yes

oh yes, it helped. Thanks a lot)

Still need help with that?