#modules
You can rm that externally managed file. And with apt you need to run with sudo
not sure what you mean by remove the externally managed file? it says my environment is externally managed and doesn't mention a file as far as I can see
maybe I'm missing something
can't send an image lol it won't let me
it's a file in the python install
find / -name "EXTERNALLY-MANAGED" 2> /dev/null
thanks, I'm assuming that won't break anything? some stackoverflow threads said installing stuff could break the system
suggested installing them in a venv instead
it shouldn't
and a fair bit of tools now use pipx for their installs
which creates a venv for them to run in
U still on this?
@safe star yeah on my kali machine. I switched to the pwnbox to move along but I still want to figure out the error
I'll try it real quick to see if it lets me
same error
I'll work on it when I get back from getting my kids from school
What module?
Footprinting the Mysql section
it works in the pwnbox but yeah just wanna figure it out on my local machine
Oh alr
In Module Pivoting, Tunneling, and Port Forwarding Section Web Server Pivoting with Rpivot Question 3
I get an error when trying to run rpivot client.py from the PivotMachine
python2.7 client.py --server-ip <IP> --server-port 9999
Traceback (most recent call last):
File "client.py", line 12, in <module>
import relay
ImportError: No module named relay
Why is that? I mean I understand the error but why is the PivotMachine not configured to run the tool?
Does anyone know why I'm getting this error, I'm using ligolo to reach the DC IP
$ bloodhound-python -d inlanefreight.local -c All -u DOMAINUSERNAME -p PASS -ns DCIP --kerberos
LDAP port is open
Yeah I did. The syntax I used was "mysql -u robin -p -h <spawnedIP>", it prompted me, then I gave the password robin and got the same error
bottom of the error > Invalid server address
try the FQDN of the DC01, not the IP
also make sure it's in your /etc/hosts as DC01 DC01.inlanefreight.local
Nvm figured it out. Didn't transfer the whole folder
-ns only works with IP, but specifying the domain now, was in /etc/hosts
kerberos is picky about it
yeah, netexec with BH doesn't even use kerberos
but that also gives me an LDAP socket error
I can windapsearch though, so it's not on the server
¯\_(ツ)_/¯
I contacted support
the only thing you can do is run sharphound, but even then that doesn't get the computers
if you're lucky enough to get that upload half working
@rustic sage have a look at this video
https://www.youtube.com/watch?v=4ydjpSSKQ8g
Source: https://github.com/fox-it/bloodhound.py
Usage:
- PIP: pip3 install bloodhound
- Docker
- docker build -t bloodhound .
- docker run -v ${PWD}:/bloodhound-data ...
When I was prepping for OSCP this helped me fix the problem
GOATED
But it's a messy solution
I gave up on it and just went the SharpHound route
it doesn't upload to bloodhound though
my tunnel using chisel is set up and I want to do a ping sweep
here is proof it works but why isn't fping working?
I know I can use a port sweep module in msfconsole and it'll work that way, also if I do a tunnel with ligolo it works, but why not this?
Chisel Reverse Pivot was done
I forgot, does chisel even support ping traffic?
my this is it
Chisel is a TCP/UDP-based tunneling tool written in Go that uses HTTP to transport data that is secured using SSH.
It should
I don't think it supports icmp echo requests
I really don't understand why I can't submit the correct flag to this Rpivot exercise. It is driving me insane
Make sure no extra spaces or whitespace characters at either end
Cleaned it over and over without luck. There was another poster here with the same problem but he mentioned restarting the host worked for him. Did it twice and still not working
The flag is I_..ns
yup that's the one with a lot of leet chars
sometimes I had to copy to notepad, and then to question input
no luck..
hmm, let me check what I answered on it
Maybe it's the fact that I curl instead of doing it from the firefox GUI, but the browser times out
That shouldn't matter tbh
have you tried refreshing the page ? that helped me sometimes
yeah well this is currently unsolvable so fml
Yeah sometimes refreshing the page helps
Yeah no luck. Marcielee can I dm you the flag to at least verify I am not under the sea level IQ dumb
you can dm me
Ye
If anyone else has the problem with rpivot and submitting the flag..just manually type it
how can I send a photo here
@wild harbor I didn't consent to dms
thank you
@fathom pendant completed the module, but I have a question
How can you infer, from a registry-run key, if an application is disabled?
Windows fundamentals, Windows security
apologise Bro
did you get the computers.JSON when you ran sharphound
sorry, I am not sure what we are talking about rn
you said you went the sharphound route, I got everything uploaded (after 4 tries) except the computer data
oh weird, I didn't do that exercise specifically, just mentioned I gave up using bloodhound.py and used SharpHound instead wherever I could
did the dnschef not help?
back again cause I finally got my vm set up. is there a way to connect to the vpn from my virtual machine while htb is open on the host machine? I'd like to have the htb window open on my main machine but be running all my commands from the virtual machine. when I drag and drop the file into the vm and run the command it doesn't seem to want to connect
seems to hang on "Protocol options: explicit-exit-notify 1"
think i got it, never mind
hi
looking for a small hint on the module 77 knowledge check. I managed to get a foothold using metasploit with the outdated version on the website. found the user flag. I'm working through privilege escalation now and found the sudo passwordless information... apparently this user doesn't have any write permission so I can't wget linenum, can't create files, and can't edit the file that I have permission to run with sudo. any tips?
can't tee either...
"Module 77" means nothing
Always check where you are
And if it's the thing I'm thinking, wget won't be helpful anyway
sorry - last module of the "getting started" path
Last section* getting started module*
👍
Learning paths are broken down into modules, which are broken down into sections
gotcha makes sense
The knowledge check section?
that's the one. I'm going through my privesc notes and trying to check each thing out, I think I might have an idea but I'm not 100% sure on how to execute it
let me try this and see if it works
When you switch to the other user make sure you're in the right directory to write files
thanks ;) managed to get wget working and ran linenum
I think I know what it's gonna tell me (sudo exploitation stuff) and I've been trying to run a shell related to that but I keep getting a "failed to parse" error when I try to run it
No sudo exploitation
Trust me. Once you find it out. It's so dumb
thanks for this lol I can't believe I didn't do that at first
yeah I was using that at first to try and do reverse shell stuff but realized I was way overcomplicating and could just access the filesystem on the target machine
just had to scroll down half a page on gtfobins and not get too locked in to the first result haha
thanks again
Can someone please point out what's going on with this little bash scripting encryption exercise. As far as I'm aware, the script should be fine. The prompt is:
Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable.
And this is my script:
#!/bin/bash
#provided by HTB
function decrypt {
MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}
#provided by HTB
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# my portion
for counter in {1..28}
do
result=$(echo $var | base64)
if [ $counter -eq 28 ]
then
salt="${#result}"
echo "fuck yeah?"
fi
done
#provided by HTB
if [[ ! -z "$salt" ]]
then
decrypt
echo $flag
echo "yeah?"
else
exit 1
fi
The output is:
fuck yeah?
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
4057C913DF7E0000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:129:
yeah?
The "yeah" stuff was just for debugging to make sure it's apparently doing what it's supposed to. I'm new to encryption so I can't quite diagnose what's the problem.
Your padding broke
Aka for some reason, the key to decrypt is looking for ABC, but your block is CBA
It's not an error correcting algorithm
Echo your counter so you know where it's at too
You also don't need to include the if statement in your for loop
Also you're not continuously encoding var
You can use var = instead of result =
Right.
Sorry for not replying faster. I kept reediting my message to account for every new thing you said haha.
I'm rewriting my portion right now.
hello, is there any purple team path in HTB?
Like characters in the hash, before they get counted and assigned to salt?
In the salt
Not really no
oh okay, is there any video on YouTube that shows how a blue team, red team, bug bounty hunter and pentester work?
Because I'm pretty well learning but I'm learning not knowing what I want to do
Maybe if you do the research yourself
I did
I could not find anything about red team and blue team
just bug bounty hunter
Blue team = defensive work, red team = offensive simulation
Bug bounty is finding a needle in a haystack
Pentester: hired red team.
Bug bounty: "hobbyist" red team.
And pentesting is telling a company how vulnerable certain aspects of their network are
That's very much reducing the value of red team
really?
Yes
Then get a job
In what way?
yes, at 15 yo
Red team is far more than just pentesting
Google is your friend. If you can't find it on Google, then you aren't asking the right way
Most red-teams have their own dedicated malware developer
Ah. Apologies. I merely meant to define pentester. Not insinuate that the only difference between red team and pentester is their contract agreement.
As off-the-shelf exploits will get detected
You shouldn't define either pentester or bounty hunter in terms of red team
Ok
not google, copilot is.
here's the new code:
#!/bin/bash
# Decrypt function
function decrypt {
MzSaas7k=$(echo $hash | sed 's/988sn1/83unasa/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4d298d/9999/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/3i8dqos82/873h4d/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/4n9Ls/20X/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/912oijs01/i7gg/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/k32jx0aa/n391s/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/nI72n/YzF1/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/82ns71n/2d49/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/JGcms1a/zIm12/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/MS9/4SIs/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/Ymxj00Ims/Uso18/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/sSi8Lm/Mit/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/9su2n/43n92ka/g')
Mzns7293sk=$(echo $MzSaas7k | sed 's/ggf3iunds/dn3i8/g')
MzSaas7k=$(echo $Mzns7293sk | sed 's/uBz/TT0K/g')
flag=$(echo $MzSaas7k | base64 -d | openssl enc -aes-128-cbc -a -d -salt -pass pass:$salt)
}
# Variables
var="9M"
salt=""
hash="VTJGc2RHVmtYMTl2ZnYyNTdUeERVRnBtQWVGNmFWWVUySG1wTXNmRi9rQT0K"
# Base64 Encoding Example:
# $ echo "Some Text" | base64
# <- For-Loop here
for counter in {1..28}
do
echo $counter
var=$(echo $var | base64)
done
echo "{$counter}th hash character number getting assigned to salt..."
echo "This is the current var: $var"
salt=${#var}
# Check if $salt is empty
if [[ ! -z "$salt" ]]
then
decrypt
echo "Salt: $salt"
echo "Flag: $flag"
else
exit 1
fi
The output is very large, due to the var value I printed. But it's effectively: 1 2 3 4 . . . 28 {28}th hash character number getting assigned to salt... This is the current var: Vm0wd2QyUXlVWGxWV0d4Vm0wd2QyUXlVWGxWV...wNk1EbERaejA5Q2c9PQo=
The rest of the output is:
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
40870EDBAF720000:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:124:
Salt: 34070
Flag:
Thank you, by the way, for offering to help.
¯\_(ツ)_/¯
I'm not all that familiar with bash
I don't really mind it ultimately. But it technically won't count as a finished module if I don't answer all the prompts haha.
I might've misunderstood the assignment. The characters in the hash it was gets assigned, not var. Supposedly, at least.
But how does var correlate to the hash.
Try instead echo $var | wc -c | tr -d ' '
The var is ultimately used for the salt
For assigning salt
Likely some slight difference then
It also works without using the space delimiter. Do you reckon I should stay away from using "${#variable}" next time to count and stick to wc?
might be a weird edge case ¯\_(ツ)_/¯
Probably, yeah.
Curious what the length difference is
Oh my god. It totally was the newline.
I mean, it might've been. Used "was" but I don't know how to confirm that.
I don't think using tr -d '\n' would do it
It's the most likely culprit
Yeah
Hey guys can someone help me with the nmap module?
do you know why it takes this much time?
like sometimes it takes 15s and then other times it shows this? What I also don't understand is when I do a scan without -p- sometimes it says that all the scanned ports are in ignored states? What does that mean? Thanks for your help 🙂
Module: Shells and Payloads
Section: Laudanum, one webshell to rule them all
I gained the webshell access ofc, I did "cd ../../" in the input box and it didn't send me back to any directories, other directories are locked for access
I also did the "cd .."
well the backwards slash too since it's windows
same issue
not working for me which is odd
for xfreerdp you can add a drive by using /drive:etc.. but the thing is I'm able to move stuff out of the folder to the machine (rdp'd machine) but can't move stuff into the folder from the rdp'd machine
any commands or tips?
trying to get sharphound result out
Guys I'm in the pentest path, in the footprinting module in MySQL footprinting. In the second question where it asks you to find the email of Otto Lang it seems like the MySQL server has massive performance problems. I had to use ssh with robin:robin to connect to the localhost and then connect to the MySQL server but any command I use on the server doesn't respond, like I can type random letters all day and I can't even see them on the terminal
I already reset the server and vpn multiple times also changing its location
And now even just after I ssh into it I can't see anything that I type
Even on the pwnbox same thing
fixed
Now it worked but I had to do copy paste for every command otherwise it would keep lagging for every letter I typed. Is there a way to avoid this? Any settings?
to update. I tried ligolo again, and the second pivot just worked. I'm still not sure why. maybe re-setting my VM and a new target instance helped reset whatever issues I had.
what I did do differently was I kept the ligolo dev the same, as opposed to the tutorial which created another tun dev just for the second pivot. so when I did ip route add 172.x.x.x/23 dev ligolo it added this new subnet to the already existing dev that had the first subnet/network.
this doesn't make any sense for why it worked this time, when I tried it for many hours over and over last night. so dunno why it worked. but when it does work, it is far less complicated than msf (though msf has benefits beyond a simple tunnel so sometimes it can be preferred)
I'd have to check my notes to verify how I normally setup double pivots. I agree MSF pivoting can have benefits outside of a pivot and honestly it's great to just have a few different methods ready to go in case one fails. Nice work!
Hello guys I'm in need of little help with a question in htb Linux module.
Q: what is the name of the latest modified file in the "/var/backups" directory?
I did "ls -lt /var/backups | head -n 2 | tail -n 1"
The file I got was " 0 AUG 13 dpkg.arch.0"
However it was incorrect answer
yea, I agree. having a few different ways is good. I found the pivoting module relatively easy but I do have a background in networking.
and the failing double pivot was annoying me because there was 0 logic to it failing .... I still don't know why. I got further with msf, though today msf was failing lol!
good thing about ligolo is that I was able to scp my exploit files across the double pivot, to the target system, without trying to figure out some complicated way. was just the normal scp command and it routed it as per normal ... lol
On this module now and keep getting errors like FETCH: Invalid Arguments whenever I try these payloads. Is there something missing?
Also, A1 LIST INBOX * returns absolutely nothing. Yes I am and yes I am authenticated using the compromised user (i.e. the a1 login robin robin) command
Exactly how I connected.
Won't even let you log in as the compromised user without SSL, so again, already did that.
in the shells and payloads module for the live engagement skills assessment, is the only way to complete these tasks to RDP into the host and then foothold from that host? as living in Australia this RDP machine is just unusable and the vm is just so out of date
Again, already done. The 1 login robin robin command would have thrown an error saying "log in using OpenSSL first" if that wasn't the way I logged in.
can you login with telnet?
connect with telnet
then use, USER (Username)
and PASS (password)
then type: LIST
and RETR 1
I get BAD[ALERT] Plaintext authentication not allowed without SSL/TLS, but your client did it anyway when I try that.
As already stated before.
ok what does openssl do when you do it?
Actually allows me to log in as the compromised user, while Telnet doesn't.
try these three commands once youve authenticated in openssl
A1 LIST "" *
A1 LIST INBOX *
A1 LIST "Archive" *
in openssl you login like this as well: A1 LOGIN "username" "password"
All of those return "A1 OK List completed" but don't return any data.
try just LOGIN "username" "password" without the A1 😛
what page are you on? I'll go to it and try it
Was RDP supposed to work during the pivoting skill assessment?
I had to do so much with winrm, netsh, and proxychains
yes Tlattice
Returns login BAD First parameter in line is IMAP's command tag, not the command name. Add that before the command, like: a login user pass
🙃
so this is what worked for me, openssl s_client -connect 10.10.10.10:imaps
"1 login user pass"
1 LIST "" *
1 FETCH 1 ALL
1 FETCH 1 BODY[]
that was from my notes
if that doesn't work for you 😛 I'll try it now, see if I can find out
freaky ahh emojis
1 FETCH 1 ALL returns 1 BAD Error in IMAP Command FETCH: Invalid messageset
Well I've just done exactly what I've just written
and it's working for me 😄
1 LIST "" *
- LIST (\Noselect \HasChildren) "." DEV
- LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
- LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
- LIST (\HasNoChildren) "." INBOX
1 OK List completed (0.010 + 0.000 + 0.009 secs).
I gotta go sleep now, hope you work it out, good luck 😛
trying to get the flag?
I think, DEV and DEV.Department have contents so try list them 😛
which question are you on?
^
1 FETCH <ID> all
Second-to-last
ah the email address
yeah I'm def learning that
1 select Dev.Dep...
just wanted to learn how pivoting worked first
If you want lattice i can help you set it up?
nah im good for rn
ok, I got a perfect script to set it up for when I take the exam 😛
that module burned me out for a lil
on github?
honestly, ligolo makes it like a cake walk 😄
it's like laughable how easy it is with ligolo haha
and yes, I'll post it there now
I'll message you my github
alr
Okay, figured out what the problem was. Needed to put "DEV.DEPARTMENT.INT" in double quotes because otherwise, I'm guessing, the '.' was seen as an invalid character and messing up the syntax.
I'm doing the attacking common apps module and I'm having trouble getting joomlabrute to work. has anyone had this problem
nvm, got it to work with a different script
https://academy.hackthebox.com/module/113/section/2139 Why don't I have this?
why is the target taking so long to boot?
the pwnbox boots just fine. this makes no sense. is there a lot of traffic right now with the targets?
normally it doesn't take this long so it's really weird. this is for the PHP web shells section of the shells and payloads module
wait it loaded never mind
who can help me
Can someone help me understand this? its not clicking...
Remote Access VPN This involves the client's computer creating a virtual interface that behaves as if it is on a client's network. Hack The Box utilizes OpenVPN, which makes a TUN Adapter letting us access the labs. When analyzing these VPNs, an important piece to consider is the routing table that is created when joining the VPN. If the VPN only creates routes for specific networks (ex: 10.10.10.0/24), this is called a Split-Tunnel VPN, meaning the Internet connection is not going out of the VPN. This is great for Hack The Box because it provides access to the Lab without the privacy concern of monitoring your internet connection. However, for a company, split-tunnel VPN's are typically not ideal because if the machine is infected with malware, network-based detection methods will most likely not work as that traffic goes out the Internet.
specifically the last few lines:
for a company, split-tunnel VPN's are typically not ideal because if the machine is infected with malware, network-based detection methods will most likely not work as that traffic goes out the Internet.
wait maybe I got it, the internet connection does not route out of the vpn, but rather on the host machine?
that seems unclear, and makes it sound like there is no internet access
ah nvm
gap in threat detection... exfil from a target machine to the local then pass it along from there via the internet (if needed)
I'm trying to do the skill assessment of XSS (cbbh path), but I'm not able to go the /assessment directory. I've even connected to the vpn. But I'm able to connect to that using pwnbox, any Idea why this is happening ?
I think the VPN is only used when routing to addresses in some specific ranges; the rest of the internet you surf is without the VPN.
Correct me If i'm wrong
think about it this one. a vpn can be set up in a couple different ways. one is that it allows you to access a private network, so other devices on the same vlan. the other forces all your traffic to be funneled through the vpn connection (which also lets you access other devices on the vlan)
something I'm doing wrong with chisel here? I have proxychains.conf with socks4 127.0.0.1 1080, but I can't reach any hosts. CME - skills assessment. feeling kind of dumb not even being able to do the setup
all the tier 0 modules are a good choice, other than buffer overflows
try with sudo
PwnBox has been stuck on "Instance is starting" for 5 minutes now — has anyone else had this problem?
@autumn pilot do you know what could cause PwnBox to just hang instead of starting properly?
try in an incognito tab
is there a way to do this with .pngs or .jpgs?
Not doing anything. It's still stuck on "Instance is starting…" for what seems like forever. It's also taking forever to spawn the targets, something that didn't happen in a non-incognito environment.
reach out to support
Why don't I have a 0000000000003000 sized
You can do that with a ton of different file formats: https://en.wikipedia.org/wiki/List_of_file_signatures
Has anyone done this? Can anyone help me?
i think that is the one based on fatty insane box right ?
if I am correct, take a peak at IPsec walkthrough for fatty to unstuck yourself
I solved one problem and then another one came up
Why don't I have an open button?
Hi everyone. I wanted to hear your opinion. Let's say, I finished the cbbh track. Can I take the exam right away? or do you recommend going through everything again? What are your thoughts on this? Thanks.
I tried this with the PNG thing, with GIFs you just put "GIF8" at the top. I put "‰PNG␍␊␚␊" like this page you linked suggests and it doesn't recognize it as a png after that.
Do I have to use some hexadecimal editor for file types other than GIF??
You need to use a hex editor unless the magic bytes are in plain ASCII
Gotcha, thanks man
Guys, when you are making the penetration tester process module, do you make the submodules together? For example, read a topic and do Linux fundamentals, Windows fundamentals, networking, read a part and do the modules that are mentioned?
I personally just did the entire infosec fundamentals path entirely prior to starting the cpts path
What is one prominent issue with passwords? (Broken Authentication: Brute-Forcing Passwords)
I can't seem to get answer for this question.
Read the module again. You should find the answer there
thanks got it :3
Having Issues with the academy atm, anyone else? spawned a machine but can't ping, scan or connect via SSH which is required for the module. connected to the VPN and have restarted my VM and the target machine multiple times. anyone else having issues or just me? module is from the pivoting module specifically "Web Server Pivoting with Rpivot" but I have tried a few other lessons and getting the same issues
Edit: must be my VPN, pwnbox is working fine
I'm having issues in using ReconSpider.py. Tried everything. Installed scrapy and the python required.
(Please disregard: All good.)
stupid question but are you accidentally using a different VPN (like starting point or one for other boxes)?
I know I've accidentally done that before
can I ask what the issue was? /nf
The script needs to update from (from scrapy.downloadermiddlewares.offsite import) to ( from scrapy.spidermiddlewares.offsite import OffsiteMiddleware). Reinstalled scrapy using python3-scrapy (pipx was my default)
ah, mkay
tbh when I tried that one it kept saying things were deprecated (I made sure I had the current version (the one you're describing)) so I figured I'd just make a spider and probably learn a lot more that way
Cool.
If you do pip3 install scrapy it works fine
hello there
in the password attacks module, PtT Windows section, when I try to rdp it just fails
these are the creds from invoking the instance
Try putting the password in quotation marks
Single quotes disable handling of special characters like $
In Introduction to active directory Module's guided lab part 1 section. if i rdp into that given windows server target its showing a black screen and after sometime showing the error shown in the ss. Any help please ?
alright, lol same. now it works after adding single quote.
use the search feature
it's because bash takes anything in single quotes as a literal string
it has been explained numerous times and it is trivial
hey @autumn pilot i was just on the Drupal section and decided to refactor the python2.7 exploit...only in the next sentence it gives your updated python3 version 
Hey need help with this.. Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
I tried using this cmd ffuf -u http://94.237.53.113:56313/webfuzzing_hidden_path/FUZZ -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/web-extensions.txt:FUZZ -c and got .ic as output but I get 403 forbidden when I visit the website.
help anyone?
you have to fuzz by files and not by file extensions
can someone help me with this one? I tried again yesterday on my pwnbox instead of vpn and it worked?
I have seclists, can you tell me what wordlist I should use and what the command should be?
What do you need help with if it worked?
because in the real world I don't have a pwnbox ^^
just want to know why it didn't with the vpn setup
Look in the module. It explains which lists are suitable
aight a sec
Is it the question with the DNS port?
It's probably the VPN's fault that it's not working
were you able to solve it?
Nope I wasn't and my subscription has ended while I was stuck on that lab
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
Can you help me with this question from the course? I've imported ccache file but I don't know how to use it to connect to the share? (Password Attacks - Pass the Ticket (PtT) from Linux)
i believe the module/section explains how to use it
iirc it's as simple as using -k with smbclient
but it should be explained in the reading
I guess I'm just having trouble understanding the explanation, then.
got the list figured out. but I'm confused about the command: ffuf -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://94.237.53.113:56313/FUZZ should it be this one or this >> ffuf -w /usr/share/wordlists/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://94.237.53.113:56313/webfuzzing_hidden_path/FUZZ
this is the module question Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.
Need help. stuck on Module: Broken Authentication
Brute-Forcing Password Reset Tokens
I have tried so many times on GET + POST reqs but in vain. Pls help.
the second one
it's literally telling you to start @ webfuzzing_hidden_path
and what about the wordlist
Can you ping me if you manage to solve it?
the wordlist you're using is fine
will sure do.
okay..
just have patience
ya
the module suggests this one /usr/share/seclists/Discovery/Web-Content/common.txt
maybe that's why I'm complicating it..
what does your second command look like?
hhahaha, sometimes I don't think one way, it's unbelievable. I think this certification is helping me discover who I really am.
Can anyone help me with this please?
make sure your tokens have leading 0s
so instead of 1; 00001 (or however many to meet the length)
yes they are leading with zeroes.
second question; are they the right length?
the question before asked the combinations of 6 digit OTP. so 6 digits. however, I've also tried 4.
I haven't done this module so I can't provide more insight
it says this is the flag directory
there's no flag
what wordlist for files should work?
you can use the same
or use the other list mentioned in the reading
alongside the -e [.extension,.list,.here]
trying that..
the reading is pretty helpful in telling you what to try
i am following it
and this time it responded with an index.html page
which says the same as the flag dir
weird i'm in the middle of another module atm so i can't troubleshoot this for you
Which section
did you find any other files?
beyond index.html?
Brute-Forcing Password Reset Tokens.
and you used all the extensions from the reading? and using common.txt?
can send u the active machine ip
i'm doing a completely different module brother
so i can't TS this for you
yes like .php, .jav
did you use the whole list shown?
its fine
yes
ffuf -w /usr/share/wfuzz/wordlist/general/common.txt -u http://94.237.53.113:56313/webfuzzing_hidden_path/flag/FUZZ -v -c -e .php,.html,.txt,.bak,.js
got the response from this.
solved it. @stone elk
can someone help?
what?
this is correct but change the wordlist
which one.
it is given
got seclists,
in section
a sec this one is given bro
then what are you looking for
you already got it @vapid forge
used 4 digits + instead of GET, used POST req to change the password and embedded the password in the req. logged in with the new password and there is the flag on the front page.
Guys, is being a cyber security engineer worth it nowadays??
no flag
I'm currently a student but I don't know which field I must choose, like to be an android developer, backend developer, etc.
that .html extension is the flag
just visit
did
DM me
thank you
you should delete it from here
@vapid forge are you including .html in your fuzzing extensions?
the wordlist is fine
it's not on index
it's a different filename that's .html
i did include it. didnt work, now am using the previous wordlist
STOP SPOILING THE FUCKING ANSWER
mistake
sorry sorry
Anyone know of a color wordlist for a security question field? Tested a few short ones (~150 lines) like html-colors. None seem to work.
For API attacks skills assessment
Any idea why I would be getting this error on a pre-built hack the box server???
does your common.txt have the word flag?
yes it is in updated wordlist but pls edit your msg to remove that word
Indeed
Next time don't highlight prior to screenshot, holy shit that hurt my eyes to parse
sorry that's the snipping tool
I've used windows snip a ton, never had it highlight unwantedly
something like this project? Color names are in files with hex values, you can easily extract them or find a ready-made wordlist based on the project. There are multiple sources in there you can check. I don't know if that works for your API skill assessment though.
https://github.com/meodai/color-names
tfw a manual exploit works but the msfconsole exploit fails 
ama check it out🔝
W wordlist
hi guys, i have a problem with the machine at hacking wordpress module. I need the last flag, but the vulnerable machine is too slow and i cant upload my payload.
it lags, and sometimes it gives me "this site can't be reached" then after some minutes it comes back up. I have edited the hosts file and all, but nothing. I have also tried to change vpn but it's still slow.
Progress: module/112/section/1245
Attempt:
```
msfconsole
use auxiliary/scanner/ipmi/ipmi_dumphashes
<SNIP>
set OUTPUT_HASHCAT_FILE /home/<username>/Desktop/ipmi-hashcat-pwn.txt
exploit
exit
hashcat -m 7300 -a 0 Desktop/ipmi-hashcat-pwn.txt /usr/share/wordlists/rockyou.txt
```
Result: Hashfile 'ipmi-hashcat-pwn.txt' on line 1 (<SNIP>): Token length exception
Why is the OUTPUT_HASHCAT_FILE generated by Metasploit specifically for Hashcat not being recognized as valid by Hashcat and how does one tweak the file so it actually gets properly recognized?
module name and section name are more helpful than the endpoint
take out the -a0 that's not required
Still giving the token length exception error
There has to be something buggy with the way Metasploit is exporting the OUTPUT_HASHCAT_FILE. Question is, how do I edit the formatting of the hash so that Hashcat sees it as valid input?
just take the raw output from the msfmodule
don't take the file it outputs
i don't recall needing to edit it or do anything crazy
should be <username>:hash iirc
Yeah, Metasploit is outputting it as username:long_hash:short_hash. Which of those 2 hashes do I use?
Because if I copy the whole line and paste it, I'm still getting the token length exception error.
It's been a minute but like I said you shouldn't need to modify it
Okay, it works if I snip the username out.
im having xfreerdp RDP issues, where it doesn't connect properly, crashes every time
Connection timed out; Network disconnect
sounds like connection issues
try adding /timeout:99999
Hi
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -v -u http://94.237.49.212:57542/recursive_fuzz/FUZZ -e .html -recursion -recursion-depth 2 -rate 500 -c -v
Hi everyone, Detection Example 3: Detecting Credential Dumping Q3) Replicate the Credential Dumping attack described in this section and provide the NTLM hash of the Administrator user as your answer. “C:\Tools\Sysmon” and “C:\Tools\Mimikatz” on the spawned target contain everything you need.
I tried Mimikatz with the file AgentEXE.exe and ran this file with the same command line and password; it works, but when I go to Event Viewer there is no event ID 10. I tried finding it by the name AgentEXE.exe and didn't find any ID 10.
I did the Sysmon step as well to double check, but it's the same thing, no event ID 10 found.
how can i find it
Analyzing Evil With Sysmon & Event Logs Windows Event Logs & Finding Evil
don't limit the recursion depth
its taking soo long
and it will bc that list is pretty big, you also don't need to rate limit
but the cheat sheet says so
idgaf what the cheatsheet says
marcielee can u spoil the answer in dm ?
i'm telling you from experience
same thing when i try it
sir yes sir
i don't give answers
am dying from patience
No do not do this to yourself it wont help u learn
its already like 41-50 minutes
then help me some other way
sometimes it's okay to know just understand why they got that answer
yo in the SQLi fundamentals module
We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
I'm not able to figure out how to get the name of the other page. Can someone give me a hint?
<you made that up yourself>
just select it
include a space after
> text here
text here
that shall maketh it i guess.
pro
😿 tf yall ignoring me ?
i know, i dont even wanna think at this point @fathom pendant
i didnt, i read your question but i cant help
not ignoring you
chill
was looking it up
lets talk about life... how are you doing my friend 
yessir thanks very much
this isn't a gen chat channel
rn? bruh this web fuzzing module
oh yea mb I had sent that satirically tho
marcielee for mod
what section specifically
reading files section
bc i can't be asked to dig through every section
I can send the code here itself
don't
yea right mb I should've specified it in the beginning
It's given in the question !
anyway; the source code is your friend
once you get the source code for A you can then find the source code for B
as described by the module btw, viewing the source code
btw you sure it will work for me?
yes
just be patient you little fucker
yoo the source code is the one they had given in the above image
go grab a coffee and relax
can i dm i found something
i tried reviewing it and understanding with the help of chatgpt
i'm not in much of a mood for "and next"
i did but not working
not able to find anything
well no; the source code specifically that you'd load is something different
won't be exactly as the example
and it will lead you to the next crumb
:) don't always trust the examples; they will either be different or omit the next crumb
think for yourself, don't try and be a copy/paste warrior
thanks for the help... I just glanced through the source code on burp, thought they were the same so then I thought we had to invoke an error and it would show something because of the die function (idk php, asked gpt to explain the code a bit).
Thanks tho
yessir I try to understand as much as possible
die is just the "quit connection" function for php
you wanted me to remove something from the command
what was it?
I am unable to install PowerShellGet on the Target Host and on running Get-PSRepository I get the following warning:
WARNING: Unable to find module repositories.
I have tried to implement solutions from google but to no avail.
Is anyone else experiencing slow connection / dropped connections on "Attacking Common Applications" ? I can imagine the hosts having low resources and running many services putting load on servers.
Is there someone that can shed a bit of light for me about the second part of the assessment challenge for "Advanced SQL injections" module
yeah it's actually a decent combination of techniques that makes you think
it's up there with the hard assessment for password attacks for me tbh
I did it in a few hours, wasn't the hardest but probably the coolest
oh yeah not saying difficulty wise, i'm more referring to the use of techniques
made me think I am a real investigator for a moment
Hello there.
I'm at the very end of the ADCS module and I'm stuck on the last question of the skills Assessment.
got the DEV01 with Machine Template.
Found Jimmy
Found a local cache credential for domain admin but unable to crack.
Tried ESC8 and ESC11 with coercer and petitpotam but each time got RPC error.
Only DEV01 allows me to coerce and potam ... then I have no clue to get the domain admin privilege.
Thank you very much
I think what really gets you is the fact that you swear you tried everything
and then you try one of the other techniques you swear you did
and it falls apart

hahahah fr
The way they displayed the file first made me think it doesn't make sense, if it weren't a challenge I would've thought it wasn't exploitable
I hope what's coming up in web would be as cool
What's the OS version?
Windows 10 / Server 2019 Build 17763 x64
what do I have to write
how to do it right
Try Windows 10; Try Windows Server 2019
In the detecting windows attacks with Splunk i have no logs when I try to run the query for detecting kerberoasting. I only have two events in the whole kerberoast index. Should that be that way or is something wrong with the instance? I tried restarting it
did anybody pass Skills Assessment of module 280, Web Fuzzing?
some have completed it yes
admin/panel.php with message "Invalid parameter, please ensure accessID is set correctly", I tried to fuzz that parameter in different ways with post and get requests but unsuccessful and actually stuck on it. Just want to know that it's correct
fuzz the parameter=FUZZ
it will be in common.txt
:)
i did
it 100% is in common.txt; i believe i used get requests
make sure your spelling is correct as well
Why does ls <mounted NFS> take forever to run in the case of module/112/section/1079? Tried the following and it just hangs:
```bash
mkdir Desktop/NFSPwn
sudo mount -t nfs <target IP>:/TechSupport Desktop/NFSPwn
ls Desktop/NFSPwn
```
The `ls` just hangs for 2 minutes, then throws `Permission denied` after keeping me waiting.
try running ls with sudo
:)
Hangs in that case too. Why the slow performance?
I also get cp: cannot stat <SNIP>: Input/output error when I try to copy the files.
Never mind, copying files seems to be working on the second attempt.
doing the new api module @fathom pendant htb has taken the affirmative approach
https://gyazo.com/e5d1d76f3cd6b2e559f17a13d7718038
Update: the I/O error happened again. Can anyone explain why this is?
I think all of the servers are loaded right now.
if your using pwnbox like I am its an issue
I was about to do skills assessment for the module I'm finishing but I'm gonna wait until later for this reason
Using US-WEST-6 which is allegedly a low load — and it's also closer to where I'm located (California)
you're basically mounting a remote fileshare, so you're subject to the whims of network issue
the VPN server might still work I'm just used to pwnbox and I have other things I am working on
and then what about the target?
try sudo cat <snip>/ticket<snip>.txt
I'm too lazy to use VPN connection even tho I know how because I don't want to actually install ParrotOS VM and use it yet. For my next computer, which I may get soon, I will probably use VPN connection because host OS will be Parrot OS but for now my OS is Kubuntu. Technically I have a Kali VM I'm just lazy so I use Pwnbox.
i mean you can use any VM
Looping through all of them; will see what information they contain.
I know I could use Kali but I'm lazy so Pwnbox is easier
if you do -size +0 i believe it'll trim out the empty ones
because its right there in the browser
Module: Hacking Wordpress
Section: RCE via Theme Editor
I am having trouble with the 404.php it tells me Uncaught Error: Call to undefined function get_header() in /usr/src/wordpress/wp-content/themes/twentyseventeen/404.php:13 does anyone know how to fix this?
the -size thing is taught btw in the Linux Fundamentals module 😉
look at line 13 in that code; did you end your RCE statement (presumably system($_GET['cmd'])) with a semicolon?
as a note whenever you see; file:N that N is the line number that's throwing the error
I didn't add the RCE statement in there yet
¯\_(ツ)_/¯
😦
then it looks like it either gets the function from somewhere else, or it's just an oops
ya thats what I was thinking
i wouldn't worry about the generated errors, just throw in your RCE, call it, and see if it works
:)
ok
btw in some of the modules they encourage you to use a random/obfuscated command so instead of 'cmd' you'd use like, the md5sum of the word 'cmd' (dcfdd5e021a869fcc6dfaef8bf31377e)
so that in the event some rando rogue hacker is also testing, you're not incidentally creating an easier path for them
so when you call it you do ?dcfdd5e021a869fcc6dfaef8bf31377e=<insert+command+here>
also don't forget with spaces either %20 or +
it still brings up the error. if I was to delete the entire php and put in the RCE statement would it work
¯\_(ツ)_/¯
it's generally discouraged though to completely erase a customer's file
also just genuinely asking, you're referring to the error happening in the editor, or the page itself
when I try to render the page in the browser it shows the error
👍 just wanted to see what the error was
but i mean you likely can scrap the code; but in a real engagement you can't just go "so i scrapped your 404 page, and didn't back it up... soooorrrryyyy"
i know haha
can you check the other theme's 404 page? just out of curiosity
transportex works
then i'd say use that tbh
no sense in debugging something when you can just use something else
the other ones that aren't active do the same thing would that be the problem
I'll do that because I just tested it and doesn't work
Well it returned some SMTP credentials but SMTP isn't open on the target and using the IP address in the ticket shows the port as filtered.
Well what other things run alongside smtp think about what the [m] stands for
Don't worry about the ip in the ticket, worry about the given target ip
it didn't work you think I should contact support?
well when you called the new shell did you specify the other theme?
hii
yes in the url I can call any theme I want
hi
i'm saying are you calling the theme you added the cmd to?
There're having hacker, right?
this channel is for discussion of HTB Academy modules
Okay
Hi. I'm doing the first DACL attacks module.
I don't understand the difference or relation between ActiveDirectoryRights and Access Mask.
user A has GenericWrite right over user B
and the access mask is ReadControl, WriteProperties, Self
My understanding is that Generic Write and Write Properties are different rights.
Anyone can shed a light on the difference between those properties please ?
access mask, a 32-bit value specifying the object's granted rights.
Why is it different from the ActiveDirectoryRights
So GenericWrite doesn't mean I can write what I want to the object ? So in some cases I can't write to some property for example ? And it's the mask that specifies exactly what I can write. Is my understanding correct ?
basically yes
write = specific, genericwrite = broad
think of it like a generic access key to a building; you have a key to get into the apartment complex (genericwrite) then you have a key to get into your specific apartment (write)
Thank you !
PRTG is giving me a headache as it's not doing the thing REEEE
Update on this: || so I was able to use XFreeRDP to gain full GUI access to the victim machine.|| So what now, given that accessing C:\Users on the machine || that I've RDP'd into|| still doesn't include any mention of any username called HTB? Unless there's some other service that needs to be enumerated to escalate privileges, this is strange.
there's other services running
snoop around for anything interesting
HTB user isn't gonna be a user on the system
he's ||in a database||
Hey there lads,
I'm currently doing Pivoting, Tunneling, and Port Forwarding
Do you guys have any recommended videos/articles for getting more knowledge on this matter? Would appreciate it!
I haven't read it but hacktricks is usually really good for hands-on material
https://book.hacktricks.xyz/generic-methodologies-and-resources/tunneling-and-port-forwarding
could i get a little nudge in dm for file upload sa?
try each method from front-end bypass to blacklist one at a time
Well the credentials in the text of support ticket don't work on the SQL Server Manager, unless I'm missing something.
In the DACL Attacks, why does this work robocopy /b P:\Windows\ntds\ C:\Users\Public\ ntds.dit
but cp P:\Windows\ntds\ntds.dit C:\Users\Public\ not
snooping around will help you find the next step
because under the hood robocopy and cp/copy do different things
Could you please elaborate. Like how can I robocopy then read a file that I don't have the right to read in the first place.
https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/robocopy read what this does
search on the page for /b
hi,
Service Authentication Brute Forcing
don't take the mr bill home flag....if it's correct
||HTB{n3---d5!}||
/b Copies files in backup mode. In backup mode, robocopy overrides file and folder permission settings (ACLs), which might otherwise block access.
refresh the page, make sure no whitespace in the answer field
yup
i'll give it a minute to kick in as to why that's an important distinction
This is crazy! Or I misunderstand something. What if I use it on any file I don't have access to: robocopy it, then read it. Where's the catch?
Thanks!
😅 thank you
it does exactly what it says on the tin
which is why proper rights management is important
Which rights do you need to be able to robocopy a file ?
Do you need SeBackupPrivilege ?
Thank you ! This is confusing to me. I don't have access to the file. But I can robocopy it.
What if I use it access files of Administrator or sth
¯\_(ツ)_/¯
||important.txt|| is no help either:
Maybe those credentials are reused for a higher power
hey everyone, in the information gathering module skill assessment i put the host in the /etc/hosts file but it doesnt resolve
how did you put it in there?
if you put the ip:port in there; that's incorrect
😄
and in your browser are you calling it by http://inlanefreight.htb:port
did you also try visiting the http://inlanefreight.htb:port/robots.txt ?
yep
then restart the machine, make sure you replace the ip in your hosts file
if it continues happening, reach out to support
it shouldn't matter being connected to the vpn
but eh
weird shit happens
whatever it works now
what exactly is your problem
this module is messed up for me
i solved it before and my old answers show up in the new questions lmao
the name server is the ip i think
dig axfr inlanefreight.htb @machine_ip
not sure tho
dig axfr inlanefreight.htb @ip
if you don't know the nameserver then you need to specify the IP
since .htb isn't a publicly routed tld
np
when in doubt use the IP
also not rooms; sections
modules are broken down into sections
rooms is THM lingo, and we don't do that here, we're better than that 
Okay, I left for a while
but a question is still there
Using CrackMapExec
Basic SMB Reconnaissance
What's the OS version?
Windows 10 / Server 2019 Build 17763 x64
Windows 10
Server 2019
Windows Server 2019
doesn't work
windows 10?
Windows 10
Server 2019 - doesn't work
Windows Server 2019
which section?
Basic SMB Reconnaissance
hi so for the first question for the assessment section of shells and payloads module I'm trying to get the hostname of host 1. I have tried different things in Nmap and it's still not showing up:
$sudo nmap -sC -sV 172.16.1.11 --script=banner.nse
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-14 17:58 EDT
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 0.00% done
Stats: 0:00:32 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 63.64% done; ETC: 17:59 (0:00:18 remaining)
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.044s latency).
Not shown: 989 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds Microsoft Windows Server 2008 R2 - 2012 microsoft-ds
515/tcp open printer
1801/tcp open msmq?
2103/tcp open msrpc Microsoft Windows RPC
2105/tcp open msrpc Microsoft Windows RPC
2107/tcp open msrpc Microsoft Windows RPC
3389/tcp open ms-wbt-server Microsoft Terminal Services
8080/tcp open http Apache Tomcat 10.0.11
MAC Address: 00:50:56:B0:12:E4 (VMware)
Service Info: OSs: Windows, Windows Server 2008 R2 - 2012; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 75.25 seconds
┌─[htb-student@skills-foothold]─[~]
└──╼ $ping 172.16.1.11
PING 172.16.1.11 (172.16.1.11) 56(84) bytes of data.
64 bytes from 172.16.1.11: icmp_seq=1 ttl=128 time=0.572 ms
64 bytes from 172.16.1.11: icmp_seq=2 ttl=128 time=0.523 ms
64 bytes from 172.16.1.11: icmp_seq=3 ttl=128 time=0.586 ms
64 bytes from 172.16.1.11: icmp_seq=4 ttl=128 time=1.69 ms
64 bytes from 172.16.1.11: icmp_seq=5 ttl=128 time=0.631 ms
^C
--- 172.16.1.11 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4076ms
rtt min/avg/max/mdev = 0.523/0.800/1.690/0.446 ms
┌─[htb-student@skills-foothold]─[~]
└──╼ $sudo nmap -v -sP 172.16.1.11
Warning: The -sP option is deprecated. Please use -sn
Starting Nmap 7.92 ( https://nmap.org ) at 2024-08-14 18:04 EDT
Initiating ARP Ping Scan at 18:04
Scanning 172.16.1.11 [1 port]
Completed ARP Ping Scan at 18:04, 0.01s elapsed (1 total hosts)
Nmap scan report for status.inlanefreight.local (172.16.1.11)
Host is up (0.00011s latency).
MAC Address: 00:50:56:B0:12:E4 (VMware)
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.10 seconds
Raw packets sent: 1 (28B) | Rcvd: 1 (28B)
┌─[htb-student@skills-foothold]─[~]
└──╼ $
I entered status.inlanefreight.local and it didn't work as host name.
but it should be no?
Well status wouldn't be the hostname
That's the vhost. But not the hostname
ok hold on
Hostname = computer name
Like how the hostname for the foothold is skills-foothold
Looks like 8080 is open
Tomcat is a vulnerable service yknow
I suggest using firefox and hope you're RDP'd into the host
Yes it is
why doesn't it show up under Internet?
Try typing firefox in terminal
¯\_(ツ)_/¯
ok thanks
wait I found it without opening firefox but ya opening firefox in terminal worked
ok great. thanks for the hint it will be helpful when I get to the web shells section
Also credentials are given on the desktop for services
I opened the page in firefox and I did a failed login attempt then it gave me the username and password. I tried entering in the username and password to login again (this is for question 2) and it won't let me login as manager in GUI even with manager username and password.
Can someone help point me in the right direction here?
it says I need to add creds to this file but how do I do that?
Look at the desktop
ok got it
There's your credentials 
please, help 
CrackMapExec
Basic SMB Reconnaissance
you owe me 500 cubes for this

not joking
take out / server 2019 and the rest is kosher
it's that simple
it's a combination you likely didn't even think to do
I have cubes too if you can solve my problem with hacking wordpress 😛
doesn't work
make sure no extra spaces
Alright, moved onto module/112/section/1080 now. Nmap scan of all ports showed that the POP3 and IMAP ports were open for both SSL and cleartext, yet the instant I initiated a script scan on the discovered ports directly, they suddenly went from open to filtered. Is there some IDS on the victim machine that the module description isn't telling us about?
dude
use the module and section name
not the endpoint
the endpoint is useless to me
yes there is
try 10.0
thanks
@gilded radish i'm deleting your messages considering it's a t3 module
and you've basically been spoiling it
(narrator: it will happen again)

but yeah it's likely some version changes and such caused the difference
I will delete myself then
"Footprinting Lab — Hard"
👍
gonna see if nxc gives the expected output or if it should be thrown in #1234357888114364508
ahhhh ha I finally got it I think it was how I spaced out the RCE statement
thank you for help
pinged ya in #1234357888114364508 so you can see if there's a fix or if it's gonna forever haunt everyone
👍
one of the few instances where i won't fault for spoiling
*stupid bullshit nxc/cme
@fathom pendant it also runs with the error too
if i recall correctly, the breakin for that section uses an interesting port, did you do a UDP scan? 😉
¯\_(ツ)_/¯
i only have enough braincells to spare for a minute before cracking away at my own problems... like not being able to read 
Would you recommend -T5 too or not? Seeing as UDP scans take forever to scan all ports.
i would not
but you shouldn't need to scan all ports
it's a common port
ubiquitous enough to have a tool named after it
Ah, yes. Alright then.
if you want more hints just read the mission brief for the lab
-p top-1000-ports or whatever the arg is
Isn't that the default?
Top 1000 is default I believe
And -F is top 100
maybe the arg is top-10000-... ? i can never remember it, they shouldve made it 10k or 1k or whatever... something with... less zeroes?
Also it's like --top-ports N
well you could use -p 0-10000
that just scans ports 0-10k
appears the option is actually --top-ports X
Nope that's different
yeah and top 10k port scan is that
No, it's not :)
isn't it?
Nope
"top" as in, most commonly used. not the top ports from 0-10k ascending
hmm, dont think i knew that
oh
yeah, missed this in port class.
Hi!
I would appreciate it if anyone could help me. I don't understand something about Nmap with UDP and TCP scans.
In a TCP scan, Nmap receives an ICMP unreachable message and considers the port to be filtered (possibly by a firewall). In a UDP scan, Nmap receives the same response and considers the port to be closed.
So, my question is: Why does Nmap consider the port state differently with the same response? Is it because of how UDP and TCP work? (I know that TCP uses SYN/SYN-ACK/ACK).
Because udp doesn't do a full handshake
Hi
can i get help with this question from password attacks?
Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
So if it's dropped, the assumption is that it's closed, not filtered
Since UDP isn't expecting an ACK response
$5
to solve this i have to do the whole chisel thing ?
No
i am broke
You need to find the Linux01$ machine ticket
The tool given in the section can enumerate it
with linikatz?
Yeppers
Though I think gh is down rn
But the example output shows a valid directory
Look at the output for /var/ that will be your hint in these dire times
found it
👍
In a TCP scan, receiving an ICMP unreachable message suggests that the packet was blocked before reaching the target port, likely by a firewall, hence the "filtered" status. This is because under normal circumstances, an open TCP port would respond with a SYN-ACK, and a closed port would respond with a RST.
On the other hand, an open UDP port typically doesn't respond at all.
maybe it's the $, escape it as \$
AAAAAAAAAAAAA
i hate this thing
but I don't think so, it works normally ig with c$
Thanks @rustic sage and @fathom pendant. 😀 It was just how I was thinking. It is because of how TCP and UDP work!
Ye
still bad name
And btw many systems are configured to send ICMP unreachable messages for closed UDP ports as a way of conserving resources
oh it is unnecessary at all
LINUX01 just works
Well the share doesn't have a $ at the end
If you look at the question :)
How is sending ICMP unreachable messages (instead of just ignoring the message) supposed to conserve resources? Is it because it tries to prevent external hosts from continuing to send UDP messages?
Yes, if a system simply ignores incoming UDP packets, the sender might keep sending them, leading to unnecessary network traffic
instead of allowing continued checks, the system just says "fuck off it's closed" so (normally) a service doesn't keep asking, or in the case of a scanner, it goes to the next one
when i follow along with the module this is the output i get
any idea what i can do to get the answer ?
visit the page itself and see
also don't run around your system as root, it makes you look like a skid
js
if you need root to do something, sudo it
DM
to escape the full screen of rdesktop?
inside a VM
CTRL+ALT+RETURN don't work
black screen
restart 🫤
When you extract keys with mimikatz, why are all the rc4_* hashes the same?
And can I get aes256_hmac from an lsass dump; I get the rc4_hmac with pypykatz but not aes256_hmac
Mine says open|filtered for whatever reason but still displays all that info — normal?
what does this look like on tshark or when sniffing or w/e? can we verify that in some tangible way by viewing the traffic? this is also something i wasn't aware of... conferring a port closed/filtered based on response (or lack of). edit: if we're expecting an ACK or RST, we can assume that a lack of either of those two must mean the port is filtered? is that what's going on behind the scenes?
tfw i don't notice the "agent login" button for a minute 
Never mind, fixed by removing the -T5
yeah -T5 isn't really advised
because rc4 is just the encryption mechanism, and they are all the same mechanism
that rc4 is the LM hash from what I recall
rc4 is extremely insecure :)
Interestingly, though, ||snmp-brute.nse|| also changes the port status from open to open|filtered — any idea why that could be?
Thank you... naturally my next question is about what I think is the hash function (e.g. hmac vs md4). A different hash function should result in a different hash by my thinking.
You're right it is the LM hash (or NTLM hash, I'm a little fuzzy on the distinctions between all these still) and it matches output I get when extracting hashes from an lsass dump with pypykatz... but I don't get the aes256_hmac hash with pypykatz.
no idea; i suggest though using dedicated tools for it
you're right; sort of
what you're seeing is the base of what would be fed to those algorithms basically
it's specifically the LM part of the NTLM hash
in most cases with LM:NT (that's the ordering) what's cracked first is LM which is then mutated to crack the NT
since LM hashes have a significantly reduced character space
iirc only lowercase/numbers/special characters
Oooh ok. Thanks. There's a lot of weird nuance with Windows auth that I'm afraid is going to take me quite a few attempts at meandering into the docs and tools to really grok. I think I've got most of what I need for now, but without fully putting all the detail together.
i mean all you need to know is that hashes, for all intents and purposes, are as good as passwords when doing pth
Sure, I get that pretty much. I spent quite a number of years programming and as a result get somewhat fixated on the details 😅
Also this is the first area with which I had zero prior experience.
no. my notes actually say "there is not a whole lot to using onesixty"
if you're gonna use the integrated terminal just pull up the actual in-browser vm
Then what black hole are the scan results going into?
sometimes the integrated terminal is dumb
Yeah, noticed.
i just grepped for the [word] in the snmp.txt file, and it's definitely in there
so i'm chalking it up to the Integrated terminal being dumb
Most people do AEN blind, please refrain from posting spoilers about that module
the module itself should be the walkthrough, if you're struggling then idk what to tell you
Yeah for TCP, no response or an ICMP unreachable suggests interference, probably by a firewall. However, open UDP ports often don't respond at all to empty packets. This is why Nmap interprets an ICMP unreachable message as "filtered" for TCP but "closed" for UDP. You can verify this behavior by capturing network traffic during Nmap scans which will show these different response patterns for TCP and UDP ports in various states.
@ashen dagger as stated just above; most people do it blind; please refrain from spoiling the module. If you can't do it with the steps laid out in front of you, please reread the section or previous sections that may have gotten you to that point
often for a user to get added to a group you need to log out/in for it to take effect