#modules


cerulean hinge
#

Hello, not sure if it is the right channel to discuss this but it's about something explained in the Active Directory Enumerations & Attacks module. If not, let me know and I will delete my message.

It is said in the module that a kerbrute attempt will log only 4768 events (due to only pre-authentication being performed) while a password spray for example will log a 4768 & a 4625 (auth failure). Is that always true?
Shouldn't it be event 4771 for the pre-authentication?
In Microsoft documentation it is said for event 4768: This event generates every time Key Distribution Center issues a Kerberos Ticket Granting Ticket (TGT).
Then it should mean that we did more than the pre-authentication, right?

red juniper
#

congrats bro

marsh echo
#

thx 🙂 but I haven't realized it yet ahah, Coming soon 😉

fathom pendant
cerulean hinge
#

Ok thanks for the links. I understand it better now.

red juniper
#

i just had to remove beans.xml hash lol

fathom pendant
red juniper
fathom pendant
#

Yeah when it said all hashes it meant all hashes kek

red juniper
#

how did you do it?

#

you removed all the hashes?

fathom pendant
#

Yes

#

As you're making modifications and changes to files, the hashes won't match

red juniper
#

aha

#

let's try it as well, trial and error. i have some spare time on me right now lol

#

this section is going over my head though 😛

clear rover
fathom pendant
#

Unless you mean the john marston

#

Then no it's not a spray

#

The hint mentions fasttrack

rough comet
#

Hi

#

I am on Windows Lateral Movement - SMB

#

Trying to solve this question: Use any tool to get a shell on SRV02 using the service Application Layer Gateway Service (ALG) and read the flag located at C:\Flags\serviceflag.txt:

#

I am able to get a PS shell using SharpNoPSExec

#

but not able to run any command

#

I can just list content. Can someone please lead me in the right direction?

clear rover
clear rover
#

ohhhhh

rough comet
#

Hi, did you solve this question? I managed to get a shell but cannot read the flag.

fathom pendant
#

It seems like your revshell isn't sending stdout

#

Try a different shell

trim frost
#

nevermind, I am the problem 🤣

red juniper
rough comet
#

more? to list the file?

red juniper
fathom pendant
#

The command more

#

Wait

fathom pendant
#

Flag.txt doesn't exist

#

Anyways

red juniper
#

lol i didn't notice that

rough comet
fathom pendant
#

Yeah mb

#

But yeah don't share images from the target. Even with a spoiler tag

#

Spoiler tag does nothing

red juniper
#

try this "more serviceflag.txt"

fathom pendant
#

Can you try transferring the flag?

rough comet
rough comet
rough comet
smoky marten
#

okay i’m so lost rn

i’m on File upload attacks - Skill Assessment, and when I try to repeat the request through burp it always works once and then gives “Only images are allowed” for subsequent identical requests; no idea what’s causing this

I don’t see any form of duplicate prevention that i’m familiar with (no cookies or extra params), and i’d assume it’s not that since the module didn’t cover any form of anti csrf, and the same request does work two times (the initial rq and one from repeater)

i’ve no clue what’s causing this

rough comet
red juniper
#

try this one

rough comet
#

1 sec

rough comet
#

how did you obtain the shell? using || SharpNoPSExec || ?

quiet trout
#

also be sure to note the different errors you get they change depending on what filter is blocking what

smoky marten
#

the same exact request is getting different responses, is my problem. I’m not even checking filters yet and it’s blocking its own request when I re-send it

quiet trout
#

feel free to DM me with where you're at if you feel the need

red juniper
#

it should work though

rough comet
#

it does not.

#

Now I am grabbing the shell from Windows itself, SRV01

#

same issue I had when I was grabbing it from Kali

#

I can get a shell but it is useless

#

cannot run any command at all

smoky marten
rough comet
#

commands work if I use || psexec, from serv01 || but I get access denied. I cannot open that as || Helen or SYSTEM || I cannot use icacls either.

quiet trout
red juniper
#

might help you

rough comet
#

I also reset the box. I will try again.

red juniper
smoky marten
quiet trout
#

right on. i think you'll be on your way then

karmic gulch
#

Ohio

safe star
#

only in ohio 😹 😹 😝

#

...

rough comet
#

I used icacls, changed to SYSTEM... even after that, can't open the file, so annoying

#

I used findstr, more, type, cat, Get-Content, nothing works

solid quarry
#

Did someone finish the SCCM, Exchange and SQL skills assessment? Just want to be sure if the endpoint /AdminService/wmi/ is intended to not work

sand rose
#

Hello guys. I need help with this: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

I tried running: sudo nmap --script smtp-enum-users <ip address> -p25

I got a list of users, but none of the ones there was correct. Through some digging, I saw that some people had to use metasploit, but considering I hadn't gotten to that module, and assuming there's a way to find it with what the SMTP footprinting module taught me, I'm curious if anyone can give me guidance.

safe star
#

i think u need smtp user enum

#

not sure why the module didn't go over it tbh

quiet trout
sand rose
#

@safe star I did. In my post, you'll see the scan I ran

#

the result didn't give me the answer (I tried each one it enumerated).

safe star
#

are u able to supply a wordlist and domain to it?

#

if not then u will need smtp user enum or metasploit

sand rose
#

Does smtp-enum-users need one? (There isn't anything in the module about it, so I'm not entirely sure how it works... I had to cheat a bit and look on reddit/forums and was trying to get as few spoilers as needed).

safe star
#

just have to give the arguments

sand rose
#

Is it a default nmap script?

safe star
#

the one you used

sand rose
#

When I did the initial scan yesterday I ran default scripts, and don't remember the result off the top of my head.

smtp-enum-users is a default script when I use -sC?

safe star
#

not sure

#

google smtp-user-enum nmap it and it will show the arguments it has

#

u can give it a wordlist and domain

sand rose
#

Dumb question: What is a domain in this context? When I think of domain I think web servers.

safe star
#

the name after @ in an email

sand rose
#

I feel so stupid

safe star
#

i suggest the smtp-user-enum tool instead ngl

sand rose
#

The one I used above?

#

the scan I used was:

clear rover
#

Hey guys, I'm doing: https://academy.hackthebox.com/module/147/section/1320; I tried using the custom rule on Kira's password and brute forcing, I tried bruteforcing with password.list on both Will and Kira. Am I missing something? My only hunch now is to use custom.rule on all of password.list or making a custom rule based on Kira's password and applying it to passwords.list then spraying that? Can I get a hint here?

sand rose
#

sudo nmap --script smtp-enum-users <ip address>

Or is that a different command?

#

(they look similar, so just clarifying).

safe star
#

oh wait nvm, i read that wrong

clear rover
#

yeah im using the hint already

safe star
#

ur last hunch might work

clear rover
#

yeah thank you 🙂

sand rose
#

Ty, I'll try it out. Thanks @safe star

safe star
safe star
solid quarry
clear rover
#

i wanna blow my brains out rn

hushed sail
fathom pendant
#

At least suck to work with

fathom pendant
clear rover
#

yeah such a simple mistake

fathom pendant
#

Generally go with the more restricted set if unsure

fathom pendant
cloud urchin
#

^ lol probably the best tip you'll get through the whole course right there

clear rover
rustic spire
#

for windows event log and finding evil i got all the questions correct in the skills assessment but i don't quite understand exactly why the answer for the last question is correct

#

can someone explain it to me

fathom pendant
#

LFG!!!!

storm elk
fathom pendant
#

i actually broke it down too into alternate ways aside from the revshell

#

like adding to group :)

#

imo i like the skill assessments with a few questions and like maybe a lead or two to go off of (aside from the mission brief)

#

skill assessment 1 was fine but too many leading questions kek

storm elk
#

Nice! 👌

fathom pendant
#

then after I checked the walkthrough...never heard of the tool they mentioned (it was likely gone over in the module i just forgor)

storm elk
#

So many tools 😄

#

I have to pick up academy soon

fathom pendant
#

before I start AEN i'm gonna need to go and hoover up the various bits and pieces of tools, and organize them

#

i have a ~/htb/resources directory that i mount with xfreerdp

#

or if needed do python3 -m http.server 8080 --bind tun0-ip

#

depending what's called for

idle sigil
#

Hey, so I am working on the AD lab 2. I am having trouble importing PowerView even when I'm logged in as 1 of the admins. I have even redownloaded the module but I'm still getting the same error msgs. 😦

misty current
#

Recheck the URL you downloaded it from perhaps or the command you used to fetch the file

idle sigil
#

I've been using this without issue on other boxes tho T_T

misty current
#

You probably messed up your command, which ended up fetching the file in some kind of HTTP response format, I guess

#

You can even view your PowerView.ps1 file and the raw link which I shared with you

#

To see that they are different

idle sigil
#

omg it works now!

#

mind0blwn!

#

that was so weird lol. but thanks for ur help 🙂

fleet plaza
#

I joined from the internet, I was searching for a hack for a game loll 😆😆 sorry

fathom pendant
misty current
#

That works best lol

fathom pendant
#

just gotta make sure to run the Get-Filehash -Algorithm MD5 file1 file2 file3 ...

#

but i've found if you have an xfreerdp session going, /drive: is fairly reliable

misty current
#

Unless it's first time, it's always handy to have all the tools/scripts in a folder and mount it with that^ command

fathom pendant
#

ye

#

i have my handy dandy ~/htb/resources (though xfreerdp doesn't like ~ so i gotta either specify the relative or absolute)

#

also useful to run in-memory stuff to prevent writing to disk (if possible)

#

i.e. importing a module for powershell

#

i can just do import-module \\tsclient\tools\path\to\tool.ps1

#

avoiding web calls as well

cold star
#

what account is it referring to crack?
I am in Kerberoasting From Windows

#

I have tried adding the SPNACCOUNT1 Password, didn't work

fathom pendant
cold star
fathom pendant
#

ad enum module?

cold star
fathom pendant
#

the sv* user

cold star
#

can I share a video?

fathom pendant
#

pw is ...1

fathom pendant
cold star
#

Mine ends with $

fathom pendant
#

it shouldn't

cold star
fathom pendant
#

i already told you

cold star
#

aaaah

fathom pendant
#

the answer to the prev question is the user

cold star
#

got it got it

fathom pendant
#

you should be able to roast and crack their pw

cold star
#

sorry sorry, I am really dumb sorry

cold star
fathom pendant
#

in the hashcat output above where it says cracked it'll print the hash....:password

#

the info under where it says cracked is just info of where it was at when it cracked the pw

cold star
#

yea gotcha

fathom pendant
#

you likely are looking at the wrong hash

#

or you're doing something very wrong

cold star
#

Yep IK that's just an example i shared

fathom pendant
#

ye

#

but also refrain from sharing images :) as you never know if a hash you showed will come back at a later time and is a spoiler for later

cold star
#

I am going to crack the new user hash now

fathom pendant
#

if you also want to be sure; you can add -o cracked.hash and it will make a file to put the output to

#

then cat the file and badabing badaboom, it's there

#

:)

cold star
idle sigil
#

Completing AD lab 2 (which took me almost a week) only granted 0.2% to my path lol T_T

safe star
#

What path u taking?😭

#

Oh I thought u meant the whole module

idle sigil
#

im taking cpts

#

the whole AD module is HUUUUGE tooo

safe star
#

Yeah fr, took me like 5 days

#

Still don’t understand the skill assessment 2 ending

idle sigil
#

It's a very good and thorough AD module and the skill assessments really tested me - but i still hate AD X_X lol

safe star
idle sigil
#

why questionable?

rustic sage
#

timeout issues again on xfreerdp, added timeout for 99999

#

still unable to interact with it on my vm

safe star
#

Doing 2 llmnr poisonings doesn’t make sense, unless you’re targeting specific machines

#

But that’s not how llmnr works

#

1 poison attack would make sense cause I don’t know if it’s targeting my machine or not

fathom pendant
rustic sage
idle sigil
fathom pendant
#

No idea I don't recall multiple

#

But the idea may be different requests caught on different interfaces

idle sigil
fathom pendant
#

¯\_(ツ)_/¯

#

Genuinely don't recall

safe star
#

they're all on the same network, but its whatever catHiss

idle sigil
#

but on ms01, u r local admin tho. perhaps that gave u more results?

safe star
#

i should be able to get the same hash on the linux machine on the same network but its targeted towards the windows one

#

"The kicker here is that when LLMNR/NBT-NS are used for name resolution, ANY host on the network can reply"

#

this is what he said

cold star
idle sigil
#

yea, i know what u mean. i didn't notice the 2 llmnr thing until u mentioned it. I've also gone back to re-read my notes and what u said is right. I dunno why we couldn't get C's hash from the 1st LLMNR poison. D:

safe star
#

i needed a hint for that part, no way i was gonna guess that

cold star
cold star
#

safe star yeah

Oh man that's Some Dedication It will take me 20 days for Active Directory Enumeration & Attacks

idle sigil
safe star
#

ive been going through the path pretty fast

cold star
safe star
#

67% started last month

cold star
#

I just started An ACE in the Hole Section

idle sigil
safe star
cold star
#

I have also been creating notes on the side

cold star
safe star
#

i think its suggested to do pass attacks before

wicked apex
#

Yeah
would be better to follow the job path or something
cuz a lot of those modules require knowledge from previous modules

naive sage
woeful shore
#

Hey there
I'm currently on the INFORMATION GATHERING - WEB EDITION module, on the Skill Assessment lab

I've solved all questions but here's what I'm struggling with:

(What is the API key in the hidden admin directory that you have discovered on the target system?)
I've tried everything i know and still, help

shut quest
cold star
midnight galleon
#

is there a quick way to turn an evil-winrm into meterpreter

errant spoke
#

hi all! i have been trying the 1st module for 3 days, but i'm getting mad, i'm really stuck.

i must answer this question: Within the "webfuzzing_hidden_path" path on the target system (ie http://IP:PORT/webfuzzing_hidden_path/), fuzz for folders and then files to find the flag.

i tried so many commands on the terminal, but i'm not able to find the flag.
Garo95 — today at 12:01
#

i use this command on ffuf: ffuf -u http://94.237.59.63:54494/webfuzzing_hidden_path/FUZZ -w /usr/share/sqlmap/data/txt/wordlist.txt

naive sage
#

I don't think evil-winrm has something built in like that.

wicked apex
shut quest
naive sage
#

mhm ^^^

midnight galleon
#

Yeah IK but I thought there is some script around that automated this process kek

shut quest
midnight galleon
#

Pentest is not a lazy job prayge

errant spoke
wicked apex
#

You can always take lazy/efficient approaches

strange pivot
#

I know you can use kerberos authentication with mssqlclient.py, but can you pass the hash with it?

woeful shore
summer flame
#

i'm new to cyber security, any tips? (want to focus on pentesting)

pliant wharf
#

Hi, can anyone help please?
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.

I tried smtp-user-enum + I downloaded the given wordlist, still I can't find anything

compact patrolBOT
eager ledge
fathom light
#

Hi i am in malware analysis module

#

Noriben cannot real file. Please help

fiery berry
eager ledge
fiery berry
fiery berry
hushed sail
misty current
hushed sail
#

with meterpreter

#

are you trying to use something meterpreter specific? like portfwd or something?

fathom light
#

Q

vocal bridge
#

I want to report a possible problem with case 10 from SQLMap module, bypassing section. I should have used a tamper script or something to bypass the denying of my request but it worked anyway

fathom light
#

Is it possible to learn SOC analyst without Java, C++ or assembly

fathom light
#

I don't like coding but i want to get into cybersecurity

eager ledge
oblique urchin
#

I had an easier time with the enumeration module than with the web module - the collection of lol DNS information and all its little hidden side drives me crazy 🤯. It should at least be reclassified as average....

stark lark
#

Does anyone know why I can copy & paste from Kali VM into RDP session desktop but not vice-versa?

fathom light
oblique urchin
#

Guest additions

#

Because its working for me

fathom pendant
#

They're like referring to rdp to a target rather than from host <--> vm

oblique urchin
#

Remote desktop ?

fathom pendant
fathom pendant
oblique urchin
#

Yes true things i put this final command

forest gust
forest gust
raven quail
raven quail
vocal bridge
#

case 11 of SQLMap module, Bypassing Web Application Protections section gave me the database but not the flag

topaz dagger
#

anyone have issues RDPing into windows boxes on us vpn (tcp or udp)

vocal bridge
quiet trout
#

can you link me the section?

raven quail
topaz dagger
#

yeah ill try remmina

quiet trout
analog verge
#

Can anyone tell how can purchase cube using PayPal?

topaz dagger
vocal bridge
quiet trout
#

if i remember correctly it only dumped the wrong db for me without the -T flag

vocal bridge
raven quail
quiet trout
faint acorn
vocal bridge
quiet trout
#

thx, i love my darling son yoshikage!

clear rover
#

Hey guys, I'm not allowed to upload images here, am I missing some permission?

quiet trout
#

yes

#

hacker rank

vocal bridge
quiet trout
#

yeah you gotta grind active boxes.

#

maybe retired, i dont have access to that

analog verge
#

Can anyone help I cannot find the PayPal option anymore while purchasing the cube

topaz dagger
#

remmina is working, odd, haven't run into the issue of xfreerdp not working on htb windows boxes

storm elk
storm elk
quiet trout
analog verge
storm elk
#

I see. Contact support. That’s the best option. 🙂

compact patrolBOT
quiet trout
#

if you wanna go that route while support helps you sort it

#

six of one half a dozen the other

analog verge
#

I should check it later

faint acorn
quiet trout
#

what have you tried?

#

oh im sorry i misunderstood your question im not familiar with that module, someone else might be along shortly that can help tho

faint acorn
#

ok ty. i tried to grab the banner with nc, tcpdump. I tried the -sV option from nmap. i tried some scripts too

#

I was stuck in this machine for 1 hour. I restarted the machine and did what i previously did and worked. I got the flag. Probably some machine connection problem 🥲

rose abyss
rustic sage
#

AD Enum Module
Can anyone explain why I get different number of users?
┌─[htb-ac-956179@htb-zp8joehlqi]─[~]
└──╼ $ldapsearch -H ldap://172.16.5.5 -x -b "DC=INLANEFREIGHT,DC=LOCAL" -s sub "(&(objectclass=user))" | grep sAMAccountName: | cut -f2 -d" " | wc -l
1000
┌─[htb-ac-956179@htb-zp8joehlqi]─[~]
└──╼ $windapsearch -m users --dc 172.16.5.5 -u "" -U | grep sAMAccountName | sort -u | cut -d " " -f 2 | wc -l
2921

With rpcclient it's like 500. (There's 3500 users according to rpcclient)

vocal bridge
#

it might sound lazy but can someone give me a pointer on what the attack vector on the final assessment on SQLMap module might be? I can't figure out what it could be and i checked the catalogue for an id but i got only a # symbol and the rest of the site features don't have functionality. Trying to crawl with zap and try an attack to check in depth crashes my pc. Even a small pointer helps thx

quiet trout
vocal bridge
#

tried looking into stuff like contact forms but they dont seem to have functionality

quiet trout
#

oh right, ok have you explored the whole page?

#

the whole site*

vocal bridge
#

crawled through all the pages and looked at each i think

#

even looked at the checkout one

quiet trout
#

ok so in addition to the contact forms you've found what else about the site might be issuing requests to a database?

#

hint: its the purpose of the site. pretend you were actually using the site and what you would want to do, as a normal user if you were visiting the site

vocal bridge
quiet trout
#

why would someone reach the site, to begin with

muted jacinth
#

Hey, in the wsus section of the windows lateral movement, there seems to be a problem with wsus.
I'm getting the following error every time i run sharpwsus
"[*] Action: Inspect WSUS Server
Something went wrong, unable to detect SQL details from registry.
Something went wrong, unable to detect SQL details from registry.

[!] Unhandled SharpWSUS exception:

System.NullReferenceException: Object reference not set to an instance of an object.
at Connect.FsqlConnection()
at SharpWSUS.Commands.Inspect.Execute(Dictionary2 arguments) at SharpWSUS.Args.CommandCollection.ExecuteCommand(String commandName, Dictionary2 arguments)
at SharpWSUS.Program.MainExecute(String commandName, Dictionary`2 parsedArgs)"

#

anyone had that problem?

quiet trout
vocal bridge
#

hold on I am looking at the shop page maybe i'll figure it out

#

seems like i have a price range input maybe i can do smth

vocal bridge
quiet trout
#

you're on the right track

quiet trout
vocal bridge
#

too bad cart and checkout dont work

#

could've been a lead i think

quiet trout
#

dont pass up the e-shopping system just yet, think about how you would structure this database

vocal bridge
#

looking at it. price range is the only thing that does smth

#

i mean it doesnt change anything on the page

quiet trout
#

look at this chatgpt code snip of an e-cart sql database, how are items organized:

```sql
-- Create the database
CREATE DATABASE e_cart;

-- Use the newly created database
USE e_cart;

-- Create a table for belts
CREATE TABLE belts (
    belt_id INT AUTO_INCREMENT PRIMARY KEY, -- Primary key column
    belt_name VARCHAR(255) NOT NULL,
    belt_price DECIMAL(10, 2) NOT NULL,
    belt_description TEXT
);

-- Insert some sample data into the belts table
INSERT INTO belts (belt_name, belt_price, belt_description) VALUES
    ('Leather Belt', 29.99, 'A high-quality leather belt with a classic buckle.'),
    ('Canvas Belt', 15.49, 'A casual canvas belt with a simple metal buckle.'),
    ('Braided Belt', 22.99, 'A stylish braided belt made from durable synthetic material.');

-- Query to check the data in the belts table
SELECT * FROM belts;
```

#

this isnt a very /awesome/ example, but consider the keys that make each key unique, how would you go about retrieving them?

#

unique in the sql database sense, not unique in the common sense of whether they are equivalent or not

vocal bridge
#

thing is I can't see any special get/post requests

quiet trout
#

are you using burp or watching the dev console network tab?

vocal bridge
#

this would have proved they are stored somewhere and not just for show

vocal bridge
#

but mostly network tab

quiet trout
#

what happens when you add an item to your cart?

#

show me your network tab when you add an item to your cart

#

refresh the page first to clear requests

vocal bridge
#

oh i see

quiet trout
#

and remember to scroll to bottom for newest request i think the old ones stay on top

vocal bridge
#

how did i not press that button until now

#

only tried buy now

quiet trout
#

right on

vocal bridge
#

finally got it

#

took my time to optimise it to only get the flag so i dont have to scroll through all that. thx for the hint

fathom pendant
eager ruin
#

I have problems with this module Cross-Site Scripting (XSS) /Session Hijacking

eager ruin
cerulean hinge
#

Hello, I'm on the Skill Assessment II of the Active Directory Enumeration & Attacks module and I'm facing an issue.
I managed to get a foothold and connect to MS01. I currently have a powershell session. However I can't run BloodHound, nor enumerate with PowerView. I always get a few errors, it's like I don't have the right to do it, but I have a shell in a domain user context, it should be enough, right?

For bloodhound I get: "ERROR|Unable to connect to LDAP, verify your credentials"

With PowerView I can run commands but I don't get any result most of the time, even with the most basic commands such as Get-DomainController

PS: I managed to run bloodhound with the python version from the parrot machine and the account I compromised first but just wonder why I couldn't from the MS01 machine

smoky tapir
#

Having some issues in Directory and File Fuzzing for the cubes. When i specify my target "-u" with ffuf against http://IP:PORT/webfuzzing_hidden_path/ I get no indication that the tool is running. I get the following, what is this an indication of?

rogress: [1/1] :: Job [1/1] :: 0 req/sec :: Duration: [0:00:00] :: Errors: 0 ::

#

I got it to work.

#

Nvm, I forgot to put /FUZZ at the end

midnight galleon
#

Attacking common application - osTicket
Is it me or does this attack seem wayyy unrealistic?

fathom pendant
#

It's realistic tbh

hexed lintel
#

when i run mimikatz it continously does this

#

what is happening here

dim wolf
#

you need to run your mimikatz commands from the command line instead of using interactive mode

rocky estuary
#

guys i'm at the bind shell part and it doesn't work, every time i create a shell it gets stuck

#

i'm running this command from my side "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f"

safe star
#

Wdym my side

rocky estuary
#

i tried to run it in the target machine i get this error msg "cannot assign requested address"

safe star
#

Did u change the ip when u copied it?

rocky estuary
#

yes i used my ip

safe star
#

It’s supposed to be the target ip

rocky estuary
#

let me try it

safe star
#

-l flag for netcat means listen

rocky estuary
rocky estuary
#

i'm used to using reverse shells all the time, i was going mad

safe star
#

That’s the ip it’s listening on not looking for

rustic sage
#

I have a question regarding pivoting module / remote reverse forwarding, and how to download the payload on the Windows host, also we did not connect to Windows still

rocky estuary
rustic sage
safe star
#

Did you make a remote port forward to local port so you can use an http server

safe star
#

or u can just put the file on the pivot host then transfer it

rustic sage
safe star
#

yeah just scp it on the ubuntu machine then use python http server on it

#

no port forwarding needed

rustic sage
#

Okay I will do this now

midnight galleon
#

How is this even possible

#

Why would they even make an email address for every ticket
Like, anyone would just make a support@domain.xyz and call it a day

#

And I think most people just buy mailboxes instead of configuring one, but this is beside the point

shut vapor
#

It's possible with a catchall where literally anything you email @example.com is processed and at least delivered to a default mailbox. You could do this to tie messages received to a ticket. I've never seen it like that -- typically a ticket number would be parsed out of the headers or subject. People do weird stuff with computers all the time though, so... in that way, I'd agree it's realistic. 😬

fathom pendant
#

in some ticketing systems as well they're tagged with a UID within the email (which is why you should always reply to the email of the support ticket, and not email directly) so it routes to the correct case and doesn't bounce

midnight galleon
midnight galleon
fathom pendant
#

at my old job the email was routed through [support@company.com] with the subject line containing a unique value related to the ticket, alongside it being in the email iirc; such that when the customer replied to the email, instead of it getting sent to everyone @ support, (we had our own internal emails) it pushes the updated email/conversation to the support case

midnight galleon
fathom pendant
#

it relates tangentially; in this case the way that it's set up is that xxxxx@domain is just a generic thing that routes to a ticketing system

#

generally this may be an INTERNAL thing rather than EXTERNAL case

#

as stated at the beginning of that module; you are placed in the position of all the targets being internal/intranet sites

#

not so much external sites

midnight galleon
#

Hmmmm

#

I think I understand but that doesn't answer my question as to why would the IT guy setup the helpdesk to display obviously internal data ig?

cloud urchin
#

they don't the devs of the ticketing system made it that way

midnight galleon
#

I will go and reread the section again and come and read this again

midnight galleon
cloud urchin
#

exactly, it's all up to the devs

fathom pendant
#

it's up to the dev maintaining the actual settings

#

not the IT guy

#

the IT guy isn't the person who sets up the ticketer

cloud urchin
#

no, the module covers how to do it

#

what i mean is, the module covers what's needed to complete the skill assessment

cerulean hinge
#

Hello,
Do you have any idea of the difficulty of the Skill Assessments of the AD enumeration & attacks?
I mean compared to the machines in the HTB lab.

Also at the end of the pentest learning path we should be able to do what kind of machine? Is it a good preparation also for the Pro Labs?

fathom pendant
#

the end of the pentest path preps you for entry level pentest work; but in terms of labs and machines it's generally easy/med

#

and as far as prolabs, you'll often need to go beyond what's taught in the path for prolabs

#

pika_sip got bored for Doc&Reporting module, decided to try and work out through pivoting; worked just fine

cloud urchin
#

my opinion is the ad enum and attacks module is a very solid module to learn how to attack ad for beginner level. the htb machines are hard to judge it against because they can be much more difficult and they serve different purposes. the ad attack module is here to give you the foundations of attacking AD and also to pass the exam while some boxes go into more intermediate/advanced level attacking methods. generally pro labs aren't recommended as there are many things out of scope from the exam, and the cpts path itself is the best learning resource to prepare for the cpts exam.

cerulean hinge
#

Ok thank you

static locust
#

@fathom pendant thank you so much i was off by 1 line the whole time.....

fathom pendant
#

Always evaluate output if you're unsure of why it's wrong, such as with head or tail to see if there's some output being appended to the top or bottom

misty summit
#

I'm installing VirtualBox htb on my pc. I got it up, now I'm about to install Parrot. I'm on the partitions portion of the installation. If i select erase disk, will it affect my pc or just my HTB

cloud urchin
#

are you selecting the disk you created within virtualbox?

glass ravine
fathom pendant
misty summit
fickle thicket
#

anyone knows the password for the PDF inside the resources ( Documentation & Reporting - Sample Report ) from Documentation & Reporting module

fathom pendant
#

hackthebox

fathom pendant
fickle thicket
#

ah thanks i found it. went back to doing that module after 2 months of hiatus.

fathom pendant
#

best to just treat it as going in blind

#

rather than other stuff messing with your perception

fickle thicket
#

I already did the skill assessment using netexec but I suck at report writing.

#

It's possible to fail with a lousy report, right?

fathom pendant
#

save writing a report for attempting AEN blind TBH

rustic sage
#

In the "Web Server Pivoting with Rpivot" section in the Pivoting module,
I have run the server on the attack machine, and the client on the pivot target, and got a successful log "New connection from host 10.129.xx.xx, source port 35226"...
but when running Firefox through proxychains ("proxychains firefox-esr 172.16.5.135:80"), it gives this error in the logs:

fathom pendant
#

as that will be a more full experience

#

since with the Doc&Reporting you really only need to target one server

fathom pendant
rustic sage
fathom pendant
#

it shouldn't take long to load

fickle thicket
#

@fathom pendant do you know the estimated time for completing AEN blind?

rustic sage
fathom pendant
#

AEN blind is a way to not only test your knowledge but your methodology

#

how well can you unstuck yourself from a situation

#

it's also good to identify where your weak point may be to brush up on it

#

but 99% of AEN is doable from just the coursework knowledge (the other 1% isn't relevant to getting DA)

crimson moon
#

In "Attacking SAM" I'm trying to copy from Windows to Pwnbox using smbserver.py, but while copying I get the error "network name not found". I tried pinging; it's fine. Do I need to do anything on the Windows host, as I'm only using the IP of the Pwnbox?

crimson moon
#

Yes

fathom pendant
#

/drive:<path here>,name   replace <path here> with the absolute or relative path to where you want to mount

#

it'll mount on the windows host as \\tsclient\name and you can copy that way

#

nothing really more you'd need to do if you're still trying to do the smbserver transfer though

rustic sage
fathom pendant
#

just copy filename \\tun0ip\sharename\

fathom pendant
#

try refreshing the page now that you have firefox open anyway

fathom pendant
#

otherwise standard troubleshooting applies:

  • check to make sure that the other lines in the proxychains config are commented out around it
  • change vpn regions
  • tcp instead of udp
#

alternatively

#

instead of launching firefox with proxychains, you can just manually set the proxy in the firefox settings

rustic sage
#

i see, ok, will do that

fathom pendant
#

about:settings then search "proxy"

rustic sage
crimson moon
fickle thicket
fathom pendant
clear rover
lunar torrent
#

After Windows Security blocks the file you can unblock it and run it with: Windows Security -> Virus & Threat Protection -> Current Threats -> Protection History -> Find the relevant Threat Blocked -> Restore

fathom pendant
unique ether
#

Easy modules ease my soul

safe star
#

Fr, the web half of the cpts feels a lot and shorter imo

#

Can get through them in a day

serene scroll
#

Hey everyone, a newbie here. Where could I find discussions about season boxes like the recent Sightless? Thanks

maiden jay
#

Hello, I am planning to start learning Python. Which online course is good for newbie and explained well?

dry cloud
storm elk
#

Please read #welcome and #rules 🙂 it will explain how to get verified

storm elk
dry cloud
maiden jay
#

What you guys think about Coursera course Python for Everybody?

cloud urchin
#

Never did it. I like Python Crash Course by Eric Matthes myself, but it depends on where you're at in programming. HTB has an intro to Python module but I haven't done it.

storm elk
cloud urchin
#

it's a book

#

It's a great hands-on way to learn python

storm elk
#

Oh Nice!

rustic sage
#

Does anyone know how to switch Pwnbox to Windows?

rustic sage
limber river
rustic sage
cloud urchin
#

what are you talking about? you don't need Pwnbox "to be Windows", it works for the whole course

limber river
#

there's no reason to use Windows

rustic sage
limber river
#

and you can do the task using Linux

rustic sage
#

What if I don't have Windows? I know I can use Linux instead

#

But I was trying to do plink.exe to test myself

limber river
night crypt
#

Hello everyone, quick Q on the Attacking LDAP module: am I right in understanding that in the first example (username = *, password = whatever) you'll log in to the application as whatever the 'first' user is in the database, and in the second example you'd be able to target a user (e.g. with the name "dummy") and gain access to that target user with any password?

cloud urchin
#

yeah that's right

wintry iris
#

I am working on the first XSS task

#

but the payloads don't work at all

night crypt
wintry iris
#

<script>alert("xss");</script>
<script>print();</script>
neither of them works

cloud urchin
wintry iris
cloud urchin
wintry iris
#

nono, not that part yet

#

the payload is not working at all

#

I mean alert() but no pop up at all

#

I checked the request with Burp Suite

#

the script was not submitted at all

limber river
#

try other payloads Kappa

wintry iris
#

Even when I modified the request, it still doesn't work

drowsy jasper
#

Hello guys, I recently started my cybersecurity career... I am confused about which certification I should consider, CCNA or Security+? Please answer with respect to the Indian environment.

wintry iris
#

Even when I follow the solution

#

I can see the flag in the cookie

#

but the issue is the page doesn't work as designed

#

I saw the cookie in the response data in Burp Suite

#

just not getting any pop up at all

cloud urchin
#

it works for me

wintry iris
#

ok, maybe a buggy design

cloud urchin
#

nah its not

#

works great

#

are you pressing enter or clicking on the reset button?

#

I even used your code; they both work copy-pasted. But you have to press enter

night crypt
#

Question about ELF executable examination this time: the first time I ran the disassembly it showed the address 0x11b0, then running it a second time it showed what seems to be the 'real' address. What's the cause of this?

storm elk
#

He’s gone

wintry iris
cloud urchin
#

the module does mention how to 'debug' in a way, to find what isn't working. start with only the first character of your payload, see if it works, if it does move to the 2nd, see if it works, etc.

#

that should immediately tell you what you can and can't use

regal sigil
#

Hi, I am trying to do this question, "Retrieve the TGS ticket for the SAPService account. Crack the ticket offline and submit the password as your answer.", in the Attacking Active Directory module (Kerberoasting in Linux).
But whenever I try to run GetUserSPNs.py my SSH connection freezes every time. Can anyone help with this?

cloud urchin
#

I gave you an answer on this, also delete the pic as it shows contents of the module

cloud urchin
vocal bridge
safe star
hexed lintel
#

Running SharpHound from evil-winrm gives the above error,
but running it through RDP works fine

#

can anyone help me

safe star
#

I think it’s the double hop problem

cloud urchin
#

RDP is an interactive session while WinRM is a remote management session which could have reduced privs. Could also be because it's a non-interactive session.

safe star
#

Bloodhound-python should work fine though

regal sigil
#

I managed to solve it by just running it on Pwnbox; I still do not understand the issue

sweet jewel
sweet jewel
safe star
#

I just put a ligolo agent and ran everything from my machine for those

sweet jewel
#

I suspect that the connection timeout is due to either your /etc/hosts not being populated properly, or you being unable to reach the domain controller from your Linux host (firewall/internal subnet)

limber river
solid moth
#

Module: Kerberos Attacks - Unconstrained Delegation - Users
"callum.dixon:C@lluMDIXON has Unconstrained Delegation set and carole.rose:jasmine has GenericWrite over callum.dixon. Using this information, try to compromise the domain and read the content of C:\flag.txt on DC01."
I followed the steps and got the TGT, but I can't perform a DCSync attack. Can somebody tell me why?

limber river
solid moth
#

ccache file

#

i should export it first

limber river
#

yeah ofc

#

if you didn't export it, then you are not using it

solid moth
#

why is it not working?

limber river
#

whose TGT did you get?

solid moth
#

dc01$

limber river
#

use env | grep KRB5CCNAME to check that ticket is properly imported

#

you might need to use the absolute path

solid moth
#

KRB5CCNAME=/home/kali/krbrelayx/DC01$@INLANEFREIGHT.LOCAL_krbtgt@INLANEFREIGHT.LOCAL.ccache
not working - -

limber river
#

screenshot of the error would help

stuck igloo
#

Hello everybody I am just joining the community
I have zero knowledge about hacking or cyber security
I need a breakdown on how to go about.
Thank you

compact patrolBOT
solid moth
#

impacket-secretsdump -k -no-pass ACADEMY-KERBATTCK-2-DC01.inlanefreight.local
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[-] Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user
[*] Cleaning up...

solid moth
#

I don't know how to send a picture

limber river
#

you should verify yourself

limber river
#

that will not work if your /etc/hosts is set properly

solid moth
#

this is my /etc/hosts

limber river
solid moth
#

still not working ...

limber river
#

and send screenshot

sweet jewel
solid moth
#

python dnstool.py -u INLANEFREIGHT.LOCAL\carole.rose -p jasmine -r roguecomputer.INLANEFREIGHT.LOCAL -d 10.10.16.2 --action add 10.129.23.164
python addspn.py -u inlanefreight.local\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local ACADEMY-KERBATTCK-2-DC01.inlanefreight.local
sudo python krbrelayx.py -hashes :3E7C48255206470A13543B27B7AF18DE

limber river
#

it said spn not found in CACHE

#

use DC01.inlanefreight.local

solid moth
#

the hostname is above the question

limber river
#

@solid moth

solid moth
#

yes

#

you are right

#

Thank you. I changed the name and it worked

vapid summit
#

Hi, I am stuck at this question, can anyone help? "What is the API key in the hidden admin directory that you have discovered on the target system?" It is the question from the skill assessment of Information Gathering - Web Edition.
I have done everything, but when I do the nslookup it shows "** server can't find inlanefreight.htb: NXDOMAIN"

acoustic owl
vapid summit
#

What should I do?

acoustic owl
#

Apply all the techniques shown in the module to all domains and subdomains. Then you should find what you are looking for

vapid summit
#

I have done everything but I have not found any hidden directory

acoustic owl
#

Then you didn't try everything shown 😉

#

Take another look at the module

wild oriole
#

Hey, I have a question about running SQLMap.
You know it takes too much time to get a result; how can we decide what the best options would be, like levels, risks, tampers and so on? Is there any methodology for that?

vocal bridge
#

Command Injection module, Bypassing Blacklisted Characters section. Can someone help me understand what I'm doing wrong? I tried looking inside /home and not even the "staff" username worked

vocal bridge
vocal bridge
wild oriole
wild oriole
#

Does that work for CBBH exam as well?

vocal bridge
#

being an exam, I suppose time is most important, so try to fine-tune your commands

hexed lintel
vocal bridge
#

yup

hexed lintel
#

Can you DM me an unblurred screenshot?

safe star
smoky marten
vocal bridge
smoky marten
#

i.e. /home/USER

twilit wharf
#

Sliver Module -> Kerberos Delegation
After getting a TGS as explained in the module using constrained delegation against srv02, the module claims we have direct access to the server using ls //srv02.child.htb.local/c$

But this makes no sense. The ticket was never imported, and obviously running the above command does not return the contents of C: because without importing the TGS we have no access. Clearly the step concerning importing the requested TGS is missing there.

vocal bridge
#

it should be the same

smoky marten
#

Dude, your screenshots have the answer in them, you're just entering the wrong thing

safe star
pliant coyote
#

When I search through sensitive documents, I encounter a large volume of content, causing me to miss a lot of information. What should I do? Do you have any good suggestions?

vocal bridge
#

what module is this btw?

pliant coyote
pliant coyote
#

I am looking for sensitive files, not the specific information within a file.

limber river
#

transfer the file to your machine, and play with it as you like

digital crown
#

Module: Windows Privilege Escalation
Section: Windows Built in groups
I did everything as it's shown so I'm not sure what is wrong, is it the case mentioned "It's worth noting that if a folder or file has an explicit deny entry for our current user or a group they belong to, this will prevent us from accessing it, even if the FILE_FLAG_BACKUP_SEMANTICS flag is specified." or did i mess something up

placid edge
#

open powershell as administrator

pliant coyote
#

The internet is so lousy right now.

storm elk
#

Helps me sometime 🤣

pseudo kiln
vivid nexus
#

hi

rustic sage
#

Helloh

fiery berry
pseudo kiln
#

when I source it with . .\psgetsys.ps1, it throws a bunch of syntax errors saying the script is wrong

#

but I got it work, by copy pasting the script in notepad

#

and then sourcing it

pseudo kiln
# fiery berry command used? (The syntax, in case copy and paste)

Sorry for the ping, but when you were at this section, did you figure out how to use the PoC to add a user to the local admins group?
I try it like this and it does not work: ImpersonateFromParentPid -ppid 612 -command "net user hacker hacker /add"
However, if I just do ImpersonateFromParentPid -ppid 612 -command "cmd.exe" it spawns a new cmd session as SYSTEM just fine, but I am trying to cover the situation where you do not have an RDP session with the target

median gale
#

Once you complete a module with a student subscription, can you retake it when the subscription is over?

fiery berry
safe star
wicked apex
#

Web Proxies skill assessment
Does anyone know how to actually import the HTML hex encode script and have it work in the ZAP fuzzing payload processor?
I imported it, but still nothing shows up there

quiet trout
#

If you're using ZAP I feel for you. I just couldn't commit any time to using it, especially when Burp is basically the de facto standard in the industry and ZAP is ... kinda barely hanging on by a thread

#

I'm not saying cheese it like I did, but I'm also saying not to waste precious brain energy committing ZAP stuff to memory

wicked apex
#

sike
Maybe I should manually encode it and import as a file
or just choose the more sensible option and use burp instead

quiet trout
#

if you're already set up and running I would go ahead and manually encode, then process

#

and failing that I would go Burp @wicked apex

#

to be or not to be, and all that jazz.

karmic orbit
#

Can anyone help me with the Footprinting Lab - Easy? I need to 'Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer. ' There are credentials ceil:qwer1234, and I can use username ceil to attempt to connect to the SSH service. However, I need to use Public Key Authentication and I don't know how to find the private key.

#

The hint is 'Remember that SSH keys need to have specific permissions set before they can be used.'

quiet trout
#

can you link us to the section?

karmic orbit
quiet trout
#

ok have you found the private key yet?

#

sorry im looking at this a little blind here i dont have access to that module

karmic orbit
rustic sage
wicked apex
quiet trout
#

@karmic orbit but I've run across this in boxes: basically when you're enumerating a box and you gain a foothold for a user, you go and check for PGP keys either in their typically known locations, ~/.ssh (I think), or with a find / -type f -name "id_rsa" 2>/dev/null type cmd

fiery berry
karmic orbit
#

Sorry if I'm just being really dumb but I can't log in because it requires public key authentication, and I don't have the private key for it.

karmic orbit
quiet trout
#

ok so where are you exactly? a web login?

hoary gull
#

Hi guys, I'm using ligolo-ng right now for pivoting, and even for some file transferring from a Windows host to a Windows host (with which I've had some difficulties), and it's just phenomenal how much easier it is to do it with it.
I wasn't so sure about this tool since it was not on the CPTS path, but really, it is worth the try

karmic orbit
hexed lintel
#

there is an FTP server
search there

#

you will get everything you want

quiet trout
#

he will certainly need to chmod it once he encounters it, I believe

karmic orbit
pseudo kiln
quiet trout
# hexed lintel there is ftp server search there

Ok so this is a good point: when you're given (or obtain) credentials, be sure to reuse them on as many services as you can... I had a box like this (an easy one, even!) and I chased my tail for at least 2 hours trying to move laterally, not realizing that the password from a web app also worked with the SSH login or something like that... I thought SURELY they wouldn't reuse a password.

deft topaz
#

Any chance the "Using CrackMapExec" module could receive an update? CME has been deprecated since Dec '23 and its successor (NetExec) has undergone tons of updates since then.

stark lark
#

How come I sometimes can't RDP anymore (service doesn't respond)?

Quite annoying that the lab has to be reset due to this..

safe star
#

is that the skills assessment?

silent sleet
#

Windows Lateral Movement Skills assessment is kind of buggy

pliant coyote
#

He's lagging all the time.

tacit relic
#

Good evening everyone, I'm trying to complete the "Introduction to C#" module and I'm not finding a way to run the C# files. (I'm using Pwnbox.) First I downloaded the C# and C# Dev Kit extensions in VS Code. Then I installed dotnet on the CLI. In the module different commands are specified; I've even tried to create some new projects. Can someone explain what I'm doing wrong and how to run the C# compiler? Thank you for your kind help

rustic sage
#

Hi, I'm doing the SQLMap Essentials module. I am in the Attack Tuning section with the question "What is the content of the flag5 table? (Case #5)"
I got two different flags and both don't work.
What am I doing wrong?

fallen garden
#

So I'm doing some academy modules, and I'm finding that the questions database seems to be out of sync with the content on the page. The questions are 1 to 2 pages ahead of the content. Maybe some pages were added at some point. But I'm wondering what the protocol for reporting issues like that is. I searched FAQs but don't see any mention of whether to contact the creator or the chat help for the site.

fathom pendant
#

It's the nature of the attack being done (timing)

rustic sage
#

ok ty

tender nimbus
#

Hi guys, do you know why the command where I look for Otto doesn't work?

fathom pendant
#

Your first command is where the end is like Lang, the second is where the end is like Otto

#

Think of % as the * wildcard

#

But it's a tiny bit more strict

tender nimbus
#

oooh yes i remember

fathom pendant
#

It's generally best practice to do %query%

tender nimbus
#

its %Otto%

#

SQL is far away in my head haha, thanks 🙂

sly field
#

Hello guys! I just started with HTB Academy, I have some web dev and software engineering experience, but man I'm freaking out, I'm so god damn overwhelmed😵. Any advice for a nooby? 🥲

tender nimbus
fathom pendant
#

Think of it as (^|.*)query($|.*) if you know how regex OR works

tender nimbus
#

yeah but i'm not an expert in it i still have to make my own research

fathom pendant
#

It's a marathon not a sprint

fathom pendant
#

And TAKE NOTES

sly field
fathom pendant
fathom pendant
#

The modules provide plenty of chances to practice what you just read

#

And don't be afraid to fuck around with the targets

#

As the 10.129.x.x targets are isolated

#

So only you can mess with it

#

So if you accidentally break it, you're not fucking over other people

sly field
#

Thank you so much for all of this!

fathom pendant
#

HTB provides a well contained environment

#

There's generally not gonna be an unintended way

#

Also always follow the K.I.S.S. method, do the simple stuff first

sly field
shell carbon
#

In the Intro to Python 3 module, a URL for use in the project is written as http://target:port, but that is not the real URL, right?

fathom pendant
fathom pendant
#

As it appears when you spawn the target

#

It also depends* is target and port defined elsewhere in the code?

#

Or is it just in the text reading

shell carbon
#

It is in the code listing when I read the module. Does this assume I should be running the Pwnbox and connecting to it with the IP/port given?

#

>>> r = requests.get('http://target:port/missing.html') literally this

fathom pendant
#

I'm sure it's explained but when you see
>>> that's in an interactive terminal

#

And datacamp teaches python in relation to data analysis

#

(But it's not free)

shell carbon
#

Yeah, but it's a weird assumption that I would understand to replace it with the address of the Pwnbox 🤔

fathom pendant
#

Automate the boring stuff basically goes through each topic individually instead of throwing 20 concepts at you all at once and trying to have you cobble them together

fathom pendant
#

They can't populate the reading with the spawn ip, lots of backend code that goes into it

#

And if you don't have the target spawned it'd be blank

#

So they use placeholders

shell carbon
#

Yeah, but they could have mentioned that somewhere. Maybe they did in one of the intro sections

fathom pendant
#

Probably

#

It's been a min since I tackled this one tbh

shell carbon
#

But that book looks very interesting. I don't usually use Python for automating boring tasks. I prefer bash-ing my head against the wall

full patio
#

Got a question about the HTB Academy modules. I'm going through the Pentester Path and I was of the understanding that there are specific boxes that are advised for further practice with each module, but so far I've done four modules and haven't come across any recommendations. Any ideas if this will change as I continue through the path? 🤷

hollow furnace
#

It does change

#

I've done quite a few

full patio
fathom pendant
#

It's very much a guided learning to understand python concepts

#

With mini projects

vocal bridge
#

On the final assessment of the Command Injection module I can't figure out which injection operator to use. I tried every single one on the cheat sheet in hex and only got a 302 error

#

if someone could maybe give me a clue?

fathom pendant
#

And of course figure out where to inject

vocal bridge
vocal bridge
fathom pendant
#

I mean, a simple thing is just the id command

vocal bridge
#

I used ls until now, or whoami with " " and reversal

#

but I'll try the injection symbol and id

fathom pendant
#

Don't forget about URL encoding

shut vapor
#

You can't have more than one entry in the proxychains config that aren't... chained together. 🤦

vocal bridge
#

like changing \n to %0a

fathom pendant
#

That's not \n

fathom pendant
signal sluice
#

Hello, where do I ask for career advice?

shut vapor
fathom pendant
signal sluice
#

Is cybersecurity for people who already have IT experience in any field, or for non-tech starters?

ember karma
#

Hello

fathom pendant
#

You can ignore the host auth message (type yes) btw

#

You need to actually fully be connected

median gale
#

Edited proxychains4.conf also

fathom pendant
fathom pendant
#

You can likely rm the regular proxychains file and it should pull the proxychains4 conf

median gale
#

Should i copy contents of proxychains4.conf to proxychains.conf? The ...4.conf looks more like a proxychains conf file

fathom pendant
#

I mean that works too

safe star
#

can't you just use the proxychains4 command

#

or is that the same

fathom pendant
safe star
#

yeah

fathom pendant
#

It's likely something in the binary that grabs the first proxychains*.conf file

#

Unless it's an environment variable somewhere

cloud urchin
shut vapor
fathom pendant
#

Because proxychains gets mad

clear rover
#

Hey guys, I'm doing https://academy.hackthebox.com/module/23/section/513. I found the source code and figured out that it's appending .php to all the files. Null bytes don't work with this PHP version. I can't read any files that aren't PHP. Is the method here to bypass this control or to try another method? It seems the other PHP wrappers are disabled. Can anyone give me a small tip here?

fading steppe
#

Hi everyone, I am currently completing the Nibbles box on the HTB Academy Penetration Tester path, and for some reason I am not able to establish a reverse shell using nc -lvnp. Everything seems to match the HTB walkthrough, but the terminal says "listening on port" and that's it. Could anyone help with what the cause could be?

hard matrix
#

need some more info on how you're trying to send a revshell back to yourself

safe star
#

the module also said this

#

look closely at the source code again

clear rover
#

ah i see my error

#

a closer look at source code

#

thank you good sir

static locust
#

So, me being a complete noob, this whole thing has taught me a lot. But the questions are killing me!! lol please help. I've gotten 3 possible answers and still nada. I've gotten 4, 6, 14 unique paths but none are correct.

junior birch
#

Hello

rustic sage
#

Hi

sacred jacinth
#

you are basically just going through the navbar/footer only

static locust
sacred jacinth
sacred jacinth
fading steppe
sacred jacinth
sacred jacinth
fading steppe
#

Lemme try again

latent meteor
#

Question about Password Attacks Lab - Hard: I got creds to RDP via hydra, but when trying to connect with xfreerdp I get an invalid logon. I initially had the cert error but added cert ignore. Still a bit puzzled. Any hint please? Thanks

hard matrix
latent meteor
#

I get SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server

#

I got a warning on the cert, I just turned on /cert-ignore..

#

running: xfreerdp /v:10.129.152.164 /u:..a /p:B...

placid edge
#

might be causing issues if it includes special characters

#

try putting the password as a string instead like /p:'test123!'

#

or you can try escaping those special characters using /p:test123\! @latent meteor

rustic sage
#

I'm just getting into HTB and cranking through some of the starter modules. Is nmap -p- -sV on the Redis module supposed to take 10 minutes to run? If I run nmap without the -p- flag it will run through the first 1000 ports and come back and tell me everything is closed.

#

the nmap without the port flag took ~40 seconds to run

#

disregard - I didn't wait to find out. Reran it with -p 6000-7000 to hunt for the Redis port and it ran as expected.

tender nimbus
#

Hey guys, I'm stuck, I can't find the non-default DB?

tulip wharf
#

Got a /etc/passwd file from the PDFy challenge, but no flag found. Any hint?

tender nimbus
placid edge
tender nimbus
placid edge
#

ah nvr mind, you got it

tender nimbus
cloud urchin
tender nimbus
#

It worked via Metasploit but not the normal CLI, idk why

cloud urchin
#

because your syntax is wrong

tender nimbus
#

the syntax is the same

placid edge
#

looks like an issue you have on your tool tbh

#

none of the other commands you are using are displaying output either

cloud urchin
#

yeah, what tool are you using?

tender nimbus
#

same on both ^^

placid edge
#

he is using mssqlclient but check the versions

tender nimbus
#

left with metasploit and right just with cli

cloud urchin
#

what command did you use to connect?

tender nimbus
#

with cli

#

metasploit

cloud urchin
#

maybe restart the target

tender nimbus
#

Okay, but I also have this hint

#

Oh, I can't show it anymore...

tender nimbus
#

Is the problem not something with this Windows authentication?

cloud urchin
#

what if you type SELECT @@VERSION;

placid edge
#

looks like an issue with your shell

tender nimbus
placid edge
#

can you replicate the issue on your own machine and not Pwnbox?

tender nimbus
#

It's my own machine ^^

#

the parrot one

placid edge
#

ok, then try on Pwnbox

#

don't you have a binary for impacket-mssqlclient?

tender nimbus
tender nimbus
placid edge
#

check if Pwnbox has it

tender nimbus
tender nimbus
#

How can I find it?

placid edge
#

just type in impacket-mssqlclient

tender nimbus
#

On my machine I have it, but not on Pwnbox

placid edge
#

do pip3 install impacket

#

and run again

tender nimbus
#

Still the same error

placid edge
tender nimbus
#

^yes

placid edge
#

yeah alr, i mean

tender nimbus
#

just weird

placid edge
#

you got the module answer right.

tender nimbus
#

jup

placid edge
#

prob some weird thing with impacket

tender nimbus
#

but it's frustrating that I don't know why haha

#

Okay, thanks for your effort 🙂

placid edge
#

you can try to reinstall impacket, but you need to update and install the requirements file with pip

#

take a look here if you want to

tender nimbus
#

Yeah, I'm gonna try it tomorrow. Just weird that I can connect but the SQL commands only work through msfconsole

placid edge
#

but my bet is that it's going to work. It's just some weird thing with your shell and/or output type

#

or a faulty version of impacket who knows

#

it worked for me when I was running just pure Kali

#

so it might be a Parrot issue, idk

ruby badger
#

Yo, if someone got my IP address using Grabify, can he penetrate my network?

round lagoon
#

What module should I start with if I have almost no background except for some knowledge of networking?

twilit cipher
#

Leaving this here for future reference. If anyone needs help on the Windows Lateral Movement - Skills Assessment module, let me know. It was a doozy, and I needed help myself, so I'd like to pay it forward.

round lagoon
cloud urchin
# ruby badger Anyone?

Probably better to ask in general discussion or something, this channel is about the HTB Academy modules.

ruby badger
#

That's the only channel I have access to

cloud urchin
#

you have to read and follow the instructions in #welcome first

oak lance
#

In the CME module, Vulnerability Scan Modules section, I keep getting auth errors on the jump host using the provided credentials. Are these the right credentials?

┌──(kali㉿kali)-[~/Academy]
└─$ netexec smb 10.129.141.4 -u Administrator -p 'IpreferanewP@$$'                                                        
SMB         10.129.141.4    445    WS01             [*] Windows Server 2016 Standard 14393 x64 (name:WS01) (domain:INLANEFREIGHT.HTB) (signing:False) (SMBv1:True)
SMB         10.129.141.4    445    WS01             [-] INLANEFREIGHT.HTB\Administrator:IpreferanewP@$$ STATUS_LOGON_FAILURE 

#

I've tried resetting the server

cloud urchin
#

logon failure

#

authentication issue

oak lance
#

I've literally copied and pasted the credentials from the lab guide, hence me asking if those are the correct credentials that have been provided.

limber river
#

weird

cloud urchin
#

yeah the username and password is correct, but it's an authentication issue.

limber river
#

contact support

#

or reset the target

cloud urchin
#

not a support issue

#

resetting won't help. as i said. it's a problem with the authentication. so if you have the u/p correct, think what else could it be?

limber river
#

maybe try other protocols

cloud urchin
#

no

oak lance
#

I thought about other protocols, but the example is to upload a file using SMB

#

Ahh - I have a thought

oak lance
limber river
oak lance
#

I was authenticating against the domain

limber river
#

aaah i get it now

pseudo kiln
#

Guys, just double checking, but to dump NTDS.dit offline you also need a copy of the SYSTEM registry hive, correct?

unique ether
#

Hi, I just recently finished the Information Gathering - Web module. I wanted to ask: subdomains are more related to DNS records, and vhosts are more related to web servers and can have totally different domains running on the same server, correct?

#

Just want to clarify

cloud urchin
#

subdomains are domains that are part of a larger parent domain. vhosts is a configuration concept for web servers to host multiple websites on a single server or IP address.

plain trellis
#

I'm doing the Password Attacks module -> Network Services section. Is it normal that I don't have access to the NFS share even after accessing it as root?

cloud urchin
#

none of the questions in that section say to find a password on the NFS share

plain trellis
cloud urchin
#

are you on the ssh question?

plain trellis
#

I did get a valid user from the first question, but using the same user for SSH doesn't work

plain trellis