#modules

yeah also tried to use import-module for like powerview and that doesn't work also

You don't need to import it in powershell the binary is enough

can u explain ?

I explained it here

yes this i get i thought you talking about importing powerview

I said you didn't need to import it into Powershell

And the binary on its own is enough

.\powerview.ps1 "Get-Domain" like this ?

Are you still talking about mimikatz or that you can't import powerview?

forget about mimikatz i mean using powerview

i think i need sharpview

You import powerview and that will give you access to methods like Set-DomainObjectAcl

You only import it once after that you don't need to invoke the script again

yeah this is what i'm mean importing its not working for somereason

after importing when i use like get-module i can't see it there

make sure that your copy of powerview is good

it worked now thanks maybe bad transfer thanks

@potent lotus Please, ask for permission here before DM'ing as per #rules nr. 8 and include the reason.

im on a diff module but currently using powerview, after import there doesnt appear to be a way to get it to return the included commands, get-module has an empty exported-commands (or w/e its called) and the get-command -module powerview.ps1 also returns empty, do you just refer to a readme on the github for the full list of uses?

or is there a better way?

im checking for a man page, perhaps but my target is respawning

not holding my breath, however

get-command works
https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/get-command?view=powershell-7.4

there are also a lot of docs on powerview functions

i get this error with powerview commands
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.

Sorry

what are you trying to do

Get-DomainUser -SPN -Properties samaccountname,ServicePrincipalName

you're getting all domain usres and their spn, probably just timing out because there are a lot of users

there are better ways to kerberoast if that's what you're trying to do

i tried mimikatz and rubeus both didn't work

mimikatz doesn't do kerberoast

I'd recommend reviewing the kerberoasting section if you're having trouble

i used it for listing didn't find anything

huh? mimikatz straight up does not have the ability to do kerberoasting

i understand now i can use it after running setspn.exe which will loaded it to memory , i tried to run setspn.exe its not working

kerberoasting with rubeus is just 1 command

i tried Rubeus.exe kerberoast i get this error LDAP query failed, try specifying more domain information or specific SPNs.

Problem solved; turns out the word "PORT" in the hint was for submission, not for fuzzing. Hint should make that distinction more clear.

have you considered maybe there's nothing to kerberoast?

the hint has never instructed you to fuzz the port, you've already been provided one

yeah you'll see that in the modules PORT <PORT> IP, etc... be aware of another http://STMIP:STMPO/... i forget what the acronym means totally but its something like Target machine IP and target machine PORT

Hi there, I'm having an issue with module: Information Gathering - web edition - Creepy crawlies; reconspider.py is giving an error; scrappy module not imported

did you install it according to the steps in the module

yup.. want me to send a screen shot?

yes

any errors

how is your pip broken on kali too 💀

try this #modules message

i think it was already install from apt

but thanks i'll try this

uninstall the apt version then

kk

i'm trying to locate it

no luck

meaning?

i think i found the package

hey guys, i recently completed the AD enum & attacks modules but it gave me some trouble when trying to import powerview

bingo! thanks

now that i've done it i figured i could ask if anybody else is going thru the same

i mean the assessments are perfectly doable without powerview, but i wonder what was wrong with the lab that no matter what i did after doing Import-Module .\powerview.ps1, i just couldn't use any PowerView command (Get-DomainUser for example)

other tools where usable (not going to say which ones since that could spoil something)

did you make sure your installation was good?

get-module, is the module actually imported after you did import module ?

if I had a penny for every person with this problem today I'd have 3 pennies

lol

millionaire

so it's not just me then haha

i don't really remember

the previous two have problems with the file, make sure you've downloaded the correct one and transferrd properly

i did it from a evil-winrm shell tho if that has anything to do about it

nope

unrelated

well you can always go back and check

i tried various .ps1 files from different github repos, https://github.com/PowerShellEmpire/PowerTools/blob/master/PowerView/powerview.ps1 and https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/PowerView.ps1

i also tried different transfer methods and checked the hash sum to verify it didn't get corrupted or smthin

did you download the raw file

uhh yea(?)

i recall doing that yes

will do later

hmm recheck the steps, it should work

i mean the module is already done but i was wondering why that happened

hello, anyone have experience with the module Windows Lateral Movement -> WinRM? I'm stuck on the last question and was hoping for clarification on a couple things

AD skill assessment i'm stuck i got access to ms01 but i couldn't find anything there the question says weak creds so i did some enum on the password policy and found that the minimum password length is * so i thought of password spray but what could be the pasword i could use ?

I'm working on the session hijacking module with blind xss and I've been hitting my head up against a wall for awhile now... I found the injectable field, crafted the .js file and .php file to run on my local server. I get back cookies but none of them work for the login.php form on the server. One of the cookies I get back looks like a flag but that doesn't work as the answer to the exercise. Any help is much appreciated!

try with commonly used wordlists aaand be patient

there are some in the passsword spray module you could use

just ask

Okay I have a PSRemote session on SRV02 as Leonvqz, I understand there is a kerberos doublehop issue here but when creating a new ticket with rubeus its still not letting me run Invoke-Command. I know we can also use ps-credential objects but we only have the RC4 hash for the user Leonvqz and it doesnt crack so I dont think you can create a new credential object for that user.

Inside SRV02:

[SRV02.inlanefreight.local]: PS C:\Tools> .\Rubeus.exe asktgt /user:Leonvqz /rc4:A35289033D176ABAAF6BEAA0AA681400 /ptt
...
[SRV02.inlanefreight.local]: PS C:\Tools> klist

Current LogonId is 0:0x54447

Cached Tickets: (1)

#0>     Client: Leonvqz @ INLANEFREIGHT.LOCAL
        Server: krbtgt/inlanefreight.local @ INLANEFREIGHT.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
...
[SRV02.inlanefreight.local]: PS C:\Tools> Invoke-Command -ComputerName DC01 -ScriptBlock { whoami } -Authentication Negotiate
[DC01] Connecting to remote server DC01 failed with the following error message : Access is denied. For more
information, see the about_Remote_Troubleshooting Help topic.
    + CategoryInfo          : OpenError: (DC01:String) [], PSRemotingTransportException
    + FullyQualifiedErrorId : AccessDenied,PSSessionStateBroken
[SRV02.inlanefreight.local]: PS C:\Tools> Invoke-Command -ComputerName DC01 -ScriptBlock { whoami } -Authentication Kerberos
[DC01] Connecting to remote server DC01 failed with the following error message : WinRM cannot process the request.
The following error with errorcode 0x8009030e occurred while using Kerberos authentication: A specified logon session
does not exist. It may already have been terminated.

We have creds for helen and helen can authenticate but flag is under Leonvqz's directory (question also states to authenticate to DC01 as Leonvqz).

[SRV02.inlanefreight.local]: PS C:\Tools> $SecPassword = ConvertTo-SecureString 'RedRiot88' -AsPlainText -Force
[SRV02.inlanefreight.local]: PS C:\Tools> $Cred = New-Object System.Management.Automation.PSCredential('inlanefreight\helen', $SecPassword)
[SRV02.inlanefreight.local]: PS C:\Tools> Invoke-Command -ComputerName dc01.inlanefreight.local -Credential $Cred -ScriptBlock { cat C:\Users\Leonvqz\Desktop\flag.txt }
Access is denied
    + CategoryInfo          : PermissionDenied: (C:\Users\Leonvqz\Desktop\flag.txt:String) [Get-Content], Unauthorized
   AccessException

well i just checked:

*Evil-WinRM* PS C:\Users\user\Documents> ls


    Directory: C:\Users\user\Documents


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        10/1/2024  11:05 AM         770279 PowerView.ps1


*Evil-WinRM* PS C:\Users\user\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\user\Documents> Get-Module

ModuleType Version    Name                                ExportedCommands
---------- -------    ----                                ----------------
Manifest   3.1.0.0    Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest   3.1.0.0    Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script     0.0        PowerView


*Evil-WinRM* PS C:\Users\user\Documents> Get-DomainUser
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\Users\user\Documents\PowerView.ps1:5253 char:20
+             else { $Results = $UserSearcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException
*Evil-WinRM* PS C:\Users\user\Documents>

get-executionpolicy, just in case ?

seems to imported right

there's nothing about wordlist there

if I remember right for that part you do need to use a credential object

that's a different problem, probably timing out because you're querying all the users, try a simpler command

there are common password examples there you can use

*Evil-WinRM* PS C:\Users\user\Documents> Get-ExecutionPolicy
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
RemoteSigned

it should be bypass, try to set it with set-executionpolicy bypass -scope process

how do you get PScredential object for Leonvqz with only the rc4 hash?

also shouldn't you just be able to ptt with rubeus? I'm not sure why that would fail but pscredential object would work

why don't you pth with rdp then Enter-PSSession

I was under assumption that you could use WinRM for all steps involved 😭

Maybe I'm trying the wrong login page to use the cookie on? Trying wp-login.php and also tried a login.php under a different directory from the injection.

*Evil-WinRM* PS C:\Users\no_spoilers\Documents> set-executionpolicy bypass -scope process
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
*Evil-WinRM* PS C:\Users\no_spoilers\Documents> Get-ExecutionPolicy
Bypass
*Evil-WinRM* PS C:\Users\no_spoilers\Documents> Get-DomainUser
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\Users\no_spoilers\Documents\PowerView.ps1:5253 char:20
+             else { $Results = $UserSearcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException

which command do u suggest i try?

*Evil-WinRM* PS C:\Users\no_spoilers\Documents> Get-DomainTrust
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
Exception calling "FindOne" with "0" argument(s): "An operations error occurred.
"
At C:\Users\no_spoilers\Documents\PowerView.ps1:6330 char:50
+ ... $PSBoundParameters['FindOne']) { $Results = $CompSearcher.FindOne() }
+                                      ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\Users\no_spoilers\Documents\PowerView.ps1:19691 char:24
+                 else { $Results = $TrustSearcher.FindAll() }
+                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException
*Evil-WinRM* PS C:\Users\no_spoilers\Documents> Get-DomainGroup -UserName "no_spoilers"
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
Exception calling "FindAll" with "0" argument(s): "An operations error occurred.
"
At C:\Users\no_spoilers\Documents\PowerView.ps1:6663 char:20
+             else { $Results = $ObjectSearcher.FindAll() }
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : DirectoryServicesCOMException
*Evil-WinRM* PS C:\Users\no_spoilers\Documents>

ptt with rubeus should also work, but I might need to open a netonly session since it'll conflict with other tickets in kerberos

If I am thinking this right, you might be facing the double hop problem. Like you try to request information from the DC, but there is no credentials cached for evil-winrm to use; try creating a $cred object then provide it to the -credential argument with powerview commands

huh how is that a double hop? the winrm host can reach the DC directly

which host is this

hmmm, could be been a while since I did this, but I usually just throw fixes at it until one sticks

damn that worked

*Evil-WinRM* PS C:\Users\spoil_user\Documents> $SecPassword = ConvertTo-SecureString 'spoil_pass' -AsPlainText -Force
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
*Evil-WinRM* PS C:\Users\spoil_user\Documents> $Cred = New-Object System.Management.Automation.PSCredential('INLANEFREIGHT\spoil_user', $SecPassword)
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
[proxychains] Strict chain  ...  127.0.0.1:9050  ...  172.16.7.50:5985  ...  OK
*Evil-WinRM* PS C:\Users\spoil_user\Documents> Get-DomainUser -Credential $Cred


logoncount             : 40
badpasswordtime        : 4/21/2022 4:29:52 PM
description            : Built-in account for administering the computer/domain
distinguishedname      : CN=Administrator,CN=Users,DC=INLANEFREIGHT,DC=LOCAL
<SNIP>

so it was a evil-winrm issue then?

which lab and machine is this

this is AD Enumeration & Attacks skills assesment 2

i'm trying now with MS01 but i was facing this from other hosts of the environment as well

Basically windows is complex when it comes with authentication. For example lets say you authenticate to that machine using psexec or RDP. Your credentials are getting cached on the Windows target. When you try to query the DC from that machine, windows will use the cached credentials in memory and provide them to DC to complete the request. With powershell remoting (evil-winrm), when you authenticate to a windows machine, the windows machine does not cache the credentials, so when you try to query the DC the windows machine has no credentials to present to it.

But like Xre0uS said, if your machine is directly connected to the DC, the problem is not there. The problem appears when you winrm into a windows machine, and from that windows machine you try to do actions that require credentials.

alright

i'll add that to my notes to remember it whenever i use winrm

thank you guys

this was bugging me throughout the assesment even tho i managed to do it in other ways

im not going to wait what is the answer: + 2 After successfully brute-forcing the PIN, what is the full flag the script returns?

no one is giving you the answer

im not going to wait

Yeah that plan won't work

you telling me i have to wait 40 minutes for a simple task flag? are you seriously?

hacking is not instant gratification. do not expect answers to be handed out on a whim. not to mention it is also against the rules and ToS

If you'd explain your problem a bit more people are more likely to help you

Which module/section are you working on?

Login Brute Forcing

Brute Force Attacks

im just waiting for a succesfull pin but omg just too much time

I know but a proof of concept should be less time consuming

It doesn't take 40 minutes nor 10 minutes

It is around 3-5 minutes at the worst case scenario

Just re-posting this if anyone is available to help w/ the blind xss / session hijacking module. Thanks!

I'm working on the session hijacking module with blind xss and I've been hitting my head up against a wall for awhile now... I found the injectable field, crafted the .js file and .php file to run on my local server. I get back cookies but none of them work for the login.php form on the server. One of the cookies I get back looks like a flag but that doesn't work as the answer to the exercise. Any help is much appreciated!

I don't think it will take that long.

i created a list with kerbrute and i used all the passwords in the module using crackmapexec nothing worked

I'm on my 3905th attempt, so they confirm that something is wrong and I should try again before restarting?

what userlist are you using

jsmith.txt

why are you using jsmth?

you can get a list of all the domain users

nope

I did the exercise and I know how much it takes

then you know you are wrong is more than 3-5 minutes as you say

¯_(ツ)_/¯

I don't recall that being in the module, so it was likely updated. I would switch things up, i.e., vpn, reset the machine, etc.

I already finished it, everything was correct, but it takes about 10-15 minutes

ohhhhh bro i forget about that but even if i got the user and i got the password how i'm supposed to get the password like in a real test or exam ?

DM me

Guys I'm new can anyone be my teacher and teach me how to begin with it

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

can't tell you what's in exams but doesn't hurt to try spraying one or two passwords in the background while you work on other things

@raven obsidian Don't send me DMs again without prior permission, this will be the last time, I'm not reporting you because you're new but so you keep it in mind

very few teach others. you are better off teaching yourself: #modules message

and also please read #rules

Oh sorry guy

Thanks for ur replays btw

Hey guys, am I allowed to ask for help here if I'm stuck on a part in the CPTS path (Academy)?

Yes

"After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer."

Now I'm using --script dns-nsid and have tried lots of possibilites. I've googled the answer and the command that gave him the answer doesn't do the same for me, I'd like to somehow figure out where and what I'm doing wrong, considering I tried the exact same command someone else did to get the answer

hey qq I got the flag for question one In the "Sqlmap Essentals - Attack Tuning" section but, its saying that its wrong.

this is one of the few times where you should use pwnbox

The command used: sudo nmap -sSU -p 53 -v --script dns-nsid 10.129.83.209
Response:

53/tcp open  domain
53/udp open  domain

NSE: Script Post-scanning.
Initiating NSE at 12:38
Completed NSE at 12:38, 0.00s elapsed

Oh for real is that my issue? I'm on kali

yeah try pwnbox for this module

Ugh if that works I'll be quite annoyed. Spent 6+ hours just on this question alone.

But, thanks so much dude.

run it again, time based sqli ccan be inaccurate sometimes

Yep.. that worked. 😦

nice 😄

I think I see the problem the answer in the table has extra caraters that are not in the retrieved field

Hopefully someone on HTB sees this and might make a note to use PwnBox, that would save others from wasting time for sure.

nope still saying wrong

I use pwnbox as default then use VPN incase pwnbox fails me. But that rarely happens

Idk what to do here it the only answer I'm getting for Case#5 can I share the answer I'm getting I'll mark it as spolier

I have a question about 'Using Crackmapexec' module Skills assessments - throughout the module i used 'Ligolo' instead of chisel+proxychains because the proxychains doesn't work on the pwnbox. now on skills assessments it seems i have to use chisel+proxychains. is there a way i can bypass it instead of using my own attacking box +VPN?

Yeah I like using pwnbox, but the specs and hardware of my laptop overpower the speed of pwnbox so I like to use my kali

no for the beginning part you'll need to use chisel, you can switch to ligolo once you get a shell

proxychains does work on pwnbox though. you can use your own attack box but you'll still have to use chisel

Well for me it doesn't works. I've never figured why so i just went to 'Ligolo'

underscore instead of \x03!

it def works, plenty of people are using proxychains no pwnbox

again you can use your own vm if you want

Thanks

Can I DM you with screenshots? maybe you can help me troubleshooting?

I'm hopping off soon, you can just send them here, someone else will come around

read #welcome to get verified so that you can send screenshots

Hey. Im in Login brute-forcing / Custom wordlist and have some problem with the task with grep: i use: sudo grep -E '^.{6,}$' jane.txt | grep -E '[A-Z]' | grep -E '[a-z]' | grep -E '[0-9]' | grep -E '([!@#$%^&].){2,}' > jane-filtered.txt but get : zsh: permission denied: jane-filtered.txt

Jull.

You aren't supposed to use Jane's info.

Read the start of the section again.

• hydra gives out false positives, might wanna try out medusa.

chmod ugo+rwx

Btw

Hi marcie

The > at the end

Is only for the last command

Which isn't being run with sudo

Piping commands doesn't inherit permission level

Lemme note that down.

Than. it was The > at the end

well the right terminal is the relay initiation, and the left is /etc/proxychains.conf

Can you help me out if you complete the section, cuz I tried hydra yesterday with Thomas Edison's info and got a lot of false positives.

Try with sudo

i let you know

Ty, man.

Gotta finish attacks on common applications and go onto Linux priv esc.

I am so slow, didn't think it would take a year to complete the path.

Is inlanefreight.com down right now?

It works. Thank you

Is anyone else having problems spawning targets in HTB Academy?

mine is working

Get the same error like you..

hey will i ever have to re-enumerate previous labs from the same section for something like credentials
like credentials you can find in the first lab but aren't used until the second lab
is that a thing in academy

Wdym?

You mean for skill assessments? Or overall

The answer to both is it depends

yeah for skill assessments

shit

You should always save credentials found

But the skill assessments are generally independent

yeah i'm saving the ones i've used so far and none of them work

because i found a list of like 200 credentials in the last lab

I.e. you won't need credential info from the module sections for their skill assessments

? What module

footprinting
second lab enumerating an mssql server and found a giant list of credentials, only one of which i actually needed
third lab enumerating an MX server, none of the credentials i've used work

Yeah they won't

You'll need to start each as a blank slate

ok that's a relief

There's more on the server than mail

.. someone is trolling

yeah i know there's a few other services running

Iirc that one also relies on a udp service

?

snmp is running but i got no luck with that yet

came into the vc heard someone use troll soundboard

Did you run the enumeration tools?

X_X

Reach out to admins

I'm not a mod/admin so I can't do shit

Nah, it's good, wasn't harmful, but made me jump out of my chair.

Waiting for a guy to join the Vc so we can comment the custom wordlist section.

hi marcielee

For which module?

yeah i need to read more about snmp because i still have almost no idea what it actually is

Login Bruteforcing? I am pretty sure it's that one.

All the tools you need to enumerate are given to you

yeah i know

What's your exact issue?

Don't overlook your outputs

skill issue

You can get the community string

Hydra giving out false positives on Thomas edison's creds. Tried the pwnbox which gave no results instead of a false positive. I might try and use the long list of passwords.

if you are not sure if is false positive you can try it manual

Ah it's part of the new content, haven't touched that yet

I tried it manually, that's how I confirmed it's FP.

False positive on a web page means your fail string is incorrect

Fail string?

If it's an http post form

Oh..right.

I don't know Medusa syntax, I generally use hydra

That's the false positive.

if you rerun it still getting that FP?

Gives out different passwords.

None of which are correct.

space in the password, probably messed up the request and triggered a different response

You are saying that in the wordlist there might be a space?

You're missing the :F btw

Yeah it was on the other module but not here.

I also wonder if they changed it to no longer show the sed syntax in the module

isn't that a space in the password

Nope.

Module: Windows Privilege Escalation
Section: SeImpersonate and SeAssignPrimaryToken
Link to section: https://academy.hackthebox.com/module/67/section/607

The following statement is taken from the section. What file transfer method would be ideal here (if you're connected using msssqlclient.py)?

let's first download the JuicyPotato.exe binary and upload this and nc.exe to the target server.

in windows attack & defenses after SSH to kali and trying to RDP to WS001 I get 14:03:39:776] [968:968] [ERROR][com.freerdp.client.x11] - failed to open display:
[14:03:39:776] [968:968] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.

what am i doing wrong lol

Help them out, ima try different things.

don't run as root

Try rdesktop or remmina.

^

either http or smb is fine, xp_cmdshell is still a shell

Nah their issue is running around as root

i havent used sudo at all.. it seems unsual to be root as default

welcome back

wait, you're trying to rdp in ssh?

how'd you expect to see anything

perhaps you've switched to the root user

i mean idk lol

switch back to a normal user and try again

it says to ssh to kali and rdp to ws001

to connect ssh just type man ssh

im just trying to learn i didnt make these modules

you can ssh with X11 forwarding and then RDP to WS001

should pop open a RDP window on your machine

you're probably more familar with that module, but isn't ws001 directly accessible with another ip?

By HTTP you mean like IEX / Invoke-WebRequest? And I'm guessing SMB would be using the copy command?

it depends on the section, sometimes it is and sometimes it isn't

I see

yep

step by step if you dont understant some topic start first by those explaining what you dont understand well yet

as slow as it is, you're probably better off just RDPing to Kali then RDP to WS001

sometimes you dont know what you dont understand

yea i will just go back to doing that

or you can try X11 forwarding. i didn't do that when i did the module; maybe it's better

thanks

Weeb spotted

🙌 ya got me

how is that weeb acitivities

Btw, marcie, the 'F' thing appears to be working, cuz I ain' got results yet, so I hope it gives out smth. Weirdly enough they missed the F in this section, but on the login forms is there.

OH I FOUND MYSELF SOME CREDENTIALS

i think i was really tired when i was taking notes on snmp so i just reread the academy page about it and i found what i was missing

Probably a typo then, #1234357888114364508

Yup

hydra defaults to fail string if F: is not spcified tho

does anyone know if there's any language i can use for code blocks in obsidian to make my nmap outputs look nicer because right now it's all just one color

no language for Nmap

yeah i know, i just meant an alternative that might make it look less gray

i'll try a few, i know there are some languages that highlight numbers

you could try bash

lmao instantly deleted

bash looks pretty alright

unfortunately no, bash is best tbh but unless you look into plug-ins, natively it's not the best for outputs

bash looks pretty ok

you can output to html it looks great

still gray with html :(

change the color lol

hey anyone been having issues with vmware lately? drag and drop and bidirectional clipboard haven't been working for the past few weeks and i can't seem to update vmware either

like virt-clipboard?

yeah

can't copy and paste from vm to host anymore

someone here to give me a bump on the Skill assessment - Injection attacks CWEE path?
found the internal page and insertion point, but i can't get the data right 😦

have installed virt-clipbord on both?

yeah

it worked when i first installed and it appears to have stopped working

i would uninstall and reinstall vmware but i don't want to break anything with my kali vm

i doubt it would happen but just in case

you can try reinstalling open vmware tools in kali

yep tried that

it's pretty low on my priority list rn tbh, i'll put more effort into it another time

python http.server and nc work fine as a temporary replacement for drag and drop and clipboard, respectively

only takes a few extra seconds

i honestly think i just need to update vmware workstation but for some reason i can't update vmware workstation

i prefer virtualbox

or qemu

Bc there's the new 'free' pro version

yeah that’s what i’m using now

Someone recently got a remote shell on my system because I had outdated software.

Hi everyone Am new Here
My name is kryb

If there is something you cannot update, it is best to reinstall it until you can do it, security updates are really important

This isn't a gen chat, if you need help with an academy module ask, otherwise read #rules and #welcome

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

on a virtual machine or your host machine?

nvm got it 🙂

Let's limit the off-topic talk if we can

host 😦

wow

antivirus just detect it but anyways i wouldnt expecting that

alright i guess i'll uninstall and reinstall vmware later and just export and re-import the vm and hope nothing gets lost

i don't really have anything important on my kali vm anyway

Take it to DMs guys this channel is reserved for academy module questions. @loud dagger @uneven cairn

anyone have trouble using openssl to convert cert.pem to cert.pfx? I get "could not read prive key from -in file from cert.pem. When I Cat the file two hidden characters are at the beginning of the private key and i think theyre preventing openssl from reading the key but im not sure how to remove.

Greetings guys
Am new here

��-----BEGIN RSA PRIVATE KEY-----

like this

didn't someone just tell you to move to a different chat

I just did exactly that to move to the pro version and it was very smooth.
I see some perf improvements too

welcome but please, as Marcie said, not gen chat. Please read #welcome and #rules

#general

@sudden wind you were just told to read the rules, you can't send me FR without prior permission

No one told me

they did actually

Yes, they did #modules message

Please can you tell me the chat to move to?

dude

Huh

anyways i got a really stupid question, when imap and pop3 are both running on a remote host, they're both connected to the same email server, just accessed with different protocols, right?

i'm gonna go ahead and take that as a yes

yes i mean they send request to your smtp server

So am accepted to join you guys right?

ok i just wanted to make sure because i don't feel like enumerating imap and pop3

Hi

dude just stop

#general

Yeah that's true
Please pardon me

why don't you go ahead and pardon yourself to #general then bud

Please am trying to be nice

go be nice in #general then

I just want to be friends with you Guys

go make friends in #general

not with me go to #general if you want friends

this server is full of assholes anyway you're not going to make many friends here

What happened making friends here

yea this dude is deff a scammer or something. Just sent me a friend request. Its not normal to join a chat and immediately start friend requesting everyone,

yeah it is i see idiots do it all the time

<@&861185840277487616>

me too

it may be normal in the sense it happens a lot but its not normal in the sense normal people do it. Scamming is very normal in the sense it happens frequently

hanlon's razor

@sudden wind Please read the #rules

i guarantee it's not a scammer and it's just a kid who for some reason can't read and/or has no respect for anyone else

You are not allowed to simply dm another people

i'm not defending him, i'm just saying it's almost definitely not a scammer

i saw the exact same thing in the kali discord

idiots who come in here with no respect or patience

Hello

i especially got a TON of unsolicited friend requests, way more than anyone else there, presumably because i'm a woman

actually people who are new to cyber/IT are perfect victims as they are savvy enough to walk through a scammers steps but still easily tricked. Especially in chats like these where someone could be "helping" you by walking you through steps that screw you. However lets get back to important topics

could anyone help me with the last section in windows attacks/defenses

sometimes i would accept the request and give the person the benefit of the doubt and 99% of the time it was either "i just want to get to know you" or just a dick pic immediately

please all going to #general here only to specific modules question please

Aight enough discord for today

yeah that's why i'm not being nice to him
ok i'm done

Does anyone experience that 10.129.42.253 is down? I am trying to conduct an Nmap enumeration. Module: Getting Started; Section: Pen Testing basics

Am sorry
Guys

I won't try it again
I just went to read the rules

that is a private address

Please you all forgive me 🙏

jesus christ this channel today

10.129.42.253

???

From the PwnBox or from your VM?

PwnBox

The best thing you can do is to drop it and move on

yeah i'm closing discord anyway because my productivity tanks by roughly 90% when i have it open

If anyone can help me out in the Response Splitting section of the HTTP Attacks module, I'd appreciate.

restart the target and wait a few minutes. Then try again

I'm able to see my crafted XSS payload and make a request to my HTTP server, but when I change the payload to make it locally it doesn't trigger by setting it to the admin to check

NVM!

So it's not XSS reflected but blind?

how to fix the trust relationship between this worksation and the primary domain failed?

i have reset all machines and its still not trusted

Bump

I don't think its the module because others have obviously completed it but I get [10/01/2024 14:06:21] C:\Alpha\Static\app.exe - OK - Undetected by Microsoft Defender Antivirus but no flag.txt

Contact support

Had the same problem

Support told me they dont deal with issues for modules lmao

Another user who have contacted me on the forum also had it

But I will again

Haha Nice HTB!

For me they've told me they couldn't test it because they had problems with their RDP at the time

ahh ofc

And resolved it in a not usual way

How is the malware analysis module here? Does it prep for real world malware analysis?

#1234357888114364508

Yeah idk if its actually a module issue or if its me

hehe

is everything you need to know for the knowledge checks stuff you’ve already learned in academy? or is there a point where you need to start doing research

because i’m at a complete loss right now

specifically the end-of-module labs

i don’t remember if i’ve had to do that before

95% of the time, skill assessments can be completed with just the module content

what module you talking about

anyone who did the attacking common applications online?

i wan't to discuss the tomcat section

🙋‍♂️

can i dm you?

ye

Might be worth... I thought what the hell right!? Might try! Got the issue as well

Yeah okay support is offline so I'll bring it up when they come back lmao

I'm new when it comes to Linux and with that said I'm trying to go through the Linux Fundamentals but there are questions that the end of the section that wasn't even covered on how to do and the cheat sheet doesn't help much from a beginners perspective. Is it supposed to be this complicated?

yes the gaps are on purpose. You have to research and trial/error

some things are broken not on purpose but as a newbie you wont be able to tell. Thats kind of part of the learning. dealing with the constant frustrations

Ok I thought I was missing a portion of the training materials and that was the issue.

the hackthebox forums have been very helpful for me. Just look up the module youre on and id bet someone has discussed the same issue

Hello everyone

how are you obfuscating the payload?

It's a custom C# code.

ok did you try the code from the module?

I've finished the module, but I've had issues with this section as well.
And no, not using the AES encryption code they have for that section.

i was able to do it with what the module provided

But it shouldn't be an issue nevertheless as it is just a static analysis of the code

Also another user has contacted me on the forum about the same issue

not sure what your custom code contains, but the code from the section worked for me so maybe try that. i'm not exactly sure how it's detecting the code, it may not even be defender really doing it but something else they made.

I think not. I could get some of the scripts after gaining the shell, but since this one is only static and would not execute, I wasn't able to get the automation behind
And this module was pretty tight! Every exercise had one user account to execute it!

I guess @sacred gull code is the same as the module anyways

Yeah mine is the same as the module, only part changed is shell code

🤷‍♂️

did you also add to the code to allocate memory, copy the shellcode into the allocated space, make it executable, and then execute it?

@cloud urchin

Same custom C# code as the Dynamic Analysis section but passing the IP and Port directly

yeah that doesn't mean much to me, plenty of people struggle with plenty of different modules

i had some difficulty with this one too, but i got it working

Just telling you, man.... More people having the same problem 🤷‍♂️

Anyways... Best is to contact support....

https://forum.hackthebox.com/t/introduction-to-windows-evasion-techniques/322348

well that guy definitely didn't read the instructions

you can remote to the dev machine to build the project and then transfer it to the evasion machine

Not what this discord is about

then go to the police

Please teach me

Its too expensive

police cost money in your country?

No

ok then go to the police

I mean yes, like 1000 dollars

well sorry no one here can help you, only the authorities can

Because when I call 911 it cosrs 1000

911 doesn't cost 1k, it doesn't cost anything

It does man.

sure it is, you're asking people to commit federal crimes and risk prison for you

go to the police, that's your only recourse

I will try man, thanks.

Just did it again, no issue

Just make sure you're following it exactly like the module says, with the correct project settings etc

I'm retrying at the moment

Hi guys, Im on the password attack module, specifically the Password mutation section and Im having a little trouble understanding it

which part are you struggling to understand

there are a few parts Im having a little difficulty, I am given to understand that password mutation is basically using tools to generate mutated passwords

but in this case Im having trouble understanding the question in this sense because for example cewl, it has a "-d" flag, now if I was to use this flag, what would be the minimum length of letters I'd need for ssh, I could enter -d 11 but the password could be of 8 character lengths long

that's not what -d is for, -d is for depth

-m is for minimum length

what is depth? and yea the same basically applies to "-m" right?

no they are two totally different parameters. just like the module says -d will set the depth cewl searches on the website. for example blah.com/depth1/depth2/depth3/

oh so like the subdirectories you mean?

yeah depth in how far it goes into the website

its' the depth to spider to

Anyone for advanced xss and csrf exploitation - xss filter bypasses ? Able to bypass the filter, struggling with data exfil

data exfil code is pretty much going to be the same code used through the module

thank you, could u pls clear up my doubts on the "-m" flag 😅

-m is the minimum length of the words it looks for to use

Any other information? Using the same payload as the rest of the modules of double xml request. Getting stopped by cors

try man cewl

ok thanks

I don't think there are any special protections here since the section is focusing on XSS filter bypassing

does the password mutation task take a while to do? ive been on it for the past 5 mins and no success

like the command to mutate the password list itself? no i think it only takes a few seconds.

nah the enumeration

you mean the brute force?

yea sorry brute force

yeah it can take a while, but should be less than 20~30 mins

did it take u that long?

it's been a while since i did it but i think it was under 20 mins or so

because usually htb doesnt make it so long

ahh ok

htb staff has stated they don't want people just sitting there for 30+ mins etc, so it should be less time than that for sure

ill share the command i used

right exactly

no need really, just make sure you have a good amount of threads (48)

48 is the sweet spot

i didnt put threads

how do I add threads without interrupting the process 😅

don't think you can

ahh damn

Yeah, with the AES encryption worked.
It runs MpCmdRun.exe in the file with a custom scan.

yup

I've got to be close....Ahhhhh

A lot going on there. Looks like your lhost isn't set to your vpn adapter. also that rhost looks wrong. on top of this, your run command and exploit commands are both wrong.

Okay thanks..... So I need to figure out proper syntax I'm thinking

you can use the command ip a to find your VPN's IP, or just use 0.0.0.0 and it will listen on all adapters

make sure rhost is the target spawned, and to launch the metasploit module just use run or exploit and nothing else is needed

ohhhhhh I see now that I am Re entering the path...wow

I'm over complicating...lol

exploit

so I am not using vpn... I have been using my own machine just for HTB... Maybe I need to restart and spawn HTB Instance???

not all modules need the vpn, you didn't say which module you were on so i just assumed

I'm just getting started module

so tun0 isn't valid, as you can see. is 94.237.54.201 the target IP you spawned for that module?

try set lhost 0.0.0.0 instead, that listens on all

also type options, itll show you other settings like the port. you may need to change that too.

guys i'm doing the AD skill assessment and i'm stuck at "Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? " i found the creds for BR--- and his passwords but i can't do anything with it i tried winrm but thats didn't work i tried also to use snaffler to find the config file and also findstr from password attack modules to hunt for it and didn't find anything , i saw the hint for question but i can't use BR--- to login

Thanks friend... I'm pretty sure it has something to do with using HTB vpn... it's actually part of the mod.... about 4 hours in... bedtime for my old a$$ lol..... Thanks again , it helps to get my mind shifted...lol

the rhost ip you targeted is public, you wouldn't access it via the vpn

use the creds to enum, not necessarily to login

just curious about SQLMap skill assessment -
I have the injection point and have successfully enumerated the database, but ultimately having issues actually --dumping the table. curious if anyone has any nudges. the time-based technique might be the problem but changing techniques results in sqlmap believing the parameter isn't injectable

Close yet so far

I need to finish

These pages

can someone help me understand the robocopy command?

im confused on my it was written twice in the modle

Quick question on the fuff module, in the skills assessment.
1st and 2nd question, they ask for subdomains and then extensions, but they don't specify how the answer should be given.

I found 2 extensions, and somehow spacing them or putting a comma in between doesn't work...

Can someone help with the format of the answer?

Just the letters

But there’s more

Yeah I don't know why I excluded the one giving a 403 answer

All good thanks

Great job

👏

Hello can we make the emulator like our own real phone that have camera?

How to access the camera on emulator :)) also

For which Academy module?

Noo dont have module here but I just wanna know I think possible but idk how to access the camera back and forward from out laptop / screen cam

when looking at modules i see option for , threat spotlight and targeted cyber ops

and they dont show anything when i press on em, do i just unlock them after i finish more modules or they empty for now

Ohh we cant scan / do anything hum

I hope #moderators get some psychological support, must be a tough job sometimes 😅

this discord is all about the hackthebox platform, and this channel specifically is their academy (educational resource), no one in this channel can help you with what you're asking for

Okeeii sorry

wait so i would eventually have to pay for cubes?

yes

for password attacks module, should i use pwnbox or my own machine? i heard its dependent on gpu, better gpu = fast cracking

Is it better to finish Cracking Passwords with Hashcat module before going to password attacks module ?

hello everyoone can someone help me pls

Attacking Common Applications : other applications

Enumerate the application for vulnerabilities. Gain remote code execution and submit the contents of the flag.txt file on the administrator desktop.

I found cve and payload but how I don't know how to use

in payload :
exploit.py [victim ip] [victim port] [path to ysoserial] [JRMPListener ip] [JRMPListener port] [JRMPClient]

I dont understand what is ysoserial and JRMPClient

it's not necessary, but it will give you a better grasp of hashcat's capabilities

Hello guys,
I installed htb edition of parrot os and now i came to know that anonsurf is not installed. Can some one tell me how to install anonsurf for parrot os (htb edition)

https://parrotsec.org/docs/tools/anonsurf/

Hi All, I have stuck on one of the questions on the academy can anyone help me with it?

just ask your question

I have tried it now but the third command which is

cd anonsurf/

make build

make install

Is not working.
I dont know why

It throws error messages most likely

If you verify your account you can post pics

What is the FQDN of the host where the last octet ends with x.x.x.203?
On the footprint course
I tried to use
for sub in $(cat /home/xman/Desktop/HackTools/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt);do dig $sub.inlanefreight.htb @10.129.24.49 | grep -v ';|SOA' | sed -r '/^\s*$/d' | grep $sub | tee -a subdomains.txt;done
But it does not work

did you dig around the server?

except for the bash script

Yes I did,
It show me a lot of ips but no one end with 203

it does, try all the techniques that the module have taught you up till now

The answer it the provided example on the module?

In*

no. try the methods you were taught

I see some people says that I should change the world list
But I use all the world lists for the dns in seclist file

OK thanks

try a fierecer list

I would like some assistence in 'Using Crackmapexec' skills assessments first question? I've obtained the usernames, but it seems it doesnt works when i attempt to asperoat. any idea how to proceed?

I'm solving some task and there is ssh connection. username and password is given but it is throughing an error.

user1@94.237.51.124: Permission denied (publickey).

Machine is pinging correctly.

did you use the correct port?

My command is this;

sudo ssh user1@94.237.51.124 52027

yeah thats not right you need -p

let me try

Done. thanks man @storm elk

Now I would like some assistence please (if missed due to recent conversation)

havent done that module, sorry

that's ok. Anyone who had done the 'Using Crackmapexec' module?

Exploiting XSS via WebSockets
Can some body help me with this section in the Modern Web Exploitation Techniques module?

The hint says The admin uses a firewall that prevents you from exfiltrating the cookie directly.
So it can't access my local or on the internet listener to exfiltrate the admin user cookies (from the XSS vuln), I tried exfiltrating back to the WebSocket but it doesn't seem to be working 😦

@astral gyro please do not post random links

hello everyone

i am currently doing the enumeration module and running into some trouble with the odat tool

is it normal that it takes a lot of time to enumerate the SID and username/password

?

Hello, i'm on Attacking Common Services
Attacking SQL Databases
The flag is not displaying well

hi can anyone give a hint on skill assessment for Advanced XSS and CSRF Exploitation modules, i get that there is an misconfiguration in "header" but cannot manage to bypass it for the admin.

module: password attack:
network services section

Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.

upon using netexec, even tried crackmapsec in pwnbox, the bruteforce is taking just time, idk if its the proper way or not.

Which wordlist are you using? Did you download the one provided in "Resources"?

I dont remember how much time it takes, but it works if you use the correct user and password lists

username.list and password.list, provided by module resources.

im using correct ones, i guess it was provided from the modules resources.

those are the correst lists.

can you check from your end? i think htb might be messing up, it had happened to be once, i wanna confirm.

Not at the moment I'm afraid.

okay.

just use the lists and crackmapexec on winrm and you should be fine.

hi i've a small problem, i wanna use my kali vm to do a module but when i ping the ip provided it's not working, but i've no problem on the pwnbox, any solution ? thank you !

are you connected to htb ovpn?

yknow, your kali machine.

that's probably this, i need to go now but i'll for sure check later, thank you for your time !

attack common services easy lab is not so easy after all, but I finally found both ways to get the flag. this sure is exciting and gained amazing knowledge

yeah easy is a relative term. if you're new to security and have no schema in broader tech you're prob gonna struggle a bit, but the security fundamentals does help to remediate that quite a bit.

yeah, had some issues chaining some attacks. Besides the attacking, HTB machine had problems, because I had to respawn the machine 4 times. Only then I successfully enumerate the user with the exact same command that I ran the previous 3 times 🤣

yeah definitely remember to do that first, reset, it happesn quite often invariably.

im having some trouble with nmap IPS lab medium

trying to get the dns service version

like i know what service is running and the fact that it's running on udp port

but cant get the version number, my nmap flags were sudo nmap 10.129.45.204 -p 53 --script banner -sV -v -D RND:6 -sU -Pn, i also tried several scripts like, dns-discovery, dns-nsid

Completed Service scan at 14:17, 0.07s elapsed (1 service on 1 host)
NSE: Script scanning 10.129.45.204.
Initiating NSE at 14:17
Completed NSE at 14:17, 0.00s elapsed
Initiating NSE at 14:17
Completed NSE at 14:17, 0.00s elapsed
Nmap scan report for 10.129.45.204
Host is up (0.72s latency).

PORT   STATE SERVICE VERSION
53/udp open  domain  NLnet Labs NSD
 

Hey guys i stuck here can anyone help? i tried username bruteforce to find a user name with enum4linux and crackmapexec and i got nothing

also tried to bruteforce winrm with random creds but also nothing

what module is this?

H

On what do password recovery functionalities provided by web applications typically rely to allow users to recover their accounts?

its a theoretical question not practical from broken authentication section CBBH need help

Password Attacks

network services seciotn

i had to use pwnbox to get the flag, vpn is cooked.

i just finished exploit pdf generation vulns, and wondering if its possible to do this with fetch instead of xhr

<script>
x = new XMLHttpRequest();
x.onload = function(){
document.write(this.responseText)
};
x.open("GET", "file:///etc/passwd");
x.send();
</script>

also did this but i receive an error but PASSWORD is not required in options

use crackmapexec with the provided lists in resource. I used that and got the answer

you may need to respawn the target machine multiple times, like I did in a different module. I ran the exact same command multiple times, only succeeding on the 4th respawn

list fro; seclist you maen

no, from the module resources.

Hey guys. I managed to get the flag for Server-Side Attacks - Skills Assessment - https://academy.hackthebox.com/module/145/section/1346 - However I am confused as to why the payload works.

Basically you can use file:// to get LFI through SSRF, but the URL absolutely must end with "&" which indicates start of new query param i.e. - api=file:///flag.txt&

I cant understand why that is...

do you know what the custom.rule is?

cd i

i need help with nmap hard

i found an unusual port starting with 5, trying nc ip + port

with nlv nothing :/

is this the right port?

Think about what types of public-facing services process large amounts of data, as the hint suggests. -p 1000-9999 should suffice for this.

hi there, i'm learning linux fundamentals, and I can't manage to find out how to get to htb-student's path to mail

Might be /var/mail

incorrect unfortunately :) , also I can't seem to find where I should be supposed to read about that in the section

/var/mail/htb-student?

oh

Usually mail is /var/mail/username

Also a simple Google search would've given the answer to this

thank you, but what's mail's purpose in Linux ?

I prefer asking rather than googling and finding a wrong answer

https://www.hackthebox.com/blog/when-easy-isnt-easy

I mean googling is also asking. But whatever floats your boat I guess

thank you for your help either ways

To that I don't have a answer

anyone able to point me in the right direction for 2nd question in NTLM relay skills assessment? - BACKUP01

hey guys im still stuck at the same question haha

i used the lists from the resources, also used other lists from seclist but nothing

Module Information Gathering - Web Edition, Virtual Hosts. added the ip with the domain without the port in etc/host file and ran gobuster still no hit

When domain name is used in the command instead of IP its working

Just seeking clarification, I knows in theory it can be done on any machine in the right circumstances but for: File Transfers - Miscellaneous File Transfer Methods, optional exercise is the ide to use the pwnbox to mount the drive or use our own vm or does it not really matter?

J

are you following the same thing as your screenshot above?

nvm got it, feel free to DM me if you get stuck

need to see the command

does not matter

yeah I gathered its just a poc of how you would use those methods in an assesment isn't it? as most quick wins are pretty locked down

I need to remember LOLBAS better

yeah

hey guys im locked here, the flag should be here but i only have acces to IPC$ and there is nothing in there

What module and section?

password attacks

network services section

Good evening all my friends, I am at the last question of the second AD skills lab, the question says: Submit the NTLM hash for the KRBTGT account for the target domain after achieving domain compromise.

now from my kali I managed to load mimikatz.exe
but as soon as I start it, it gives me this error,
.\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"
why?
Any help?

what error?

C:\Users\CT059\Documents> .\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"
Program 'mimikatz.exe' failed to run: The specified executable is not a valid application for this OS platform.At line:1 char:1

• .\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"

At line:1 char:1

• .\mimikatz.exe "lsadump::dcsync /user:inlanefreight\krbtgt" "exit"

•   + CategoryInfo          : ResourceUnavailable: (:) [], ApplicationFailedException
    + FullyQualifiedErrorId : NativeCommandFailed

ur connecting over evil-winrm?

USUALLY i find a hard time running mimikatz w it tbh

if ur DA, and have a hash/password, try to do it remotely

yes, with evil

with xfree?

no no, secretsdump

now i try

@shell ore what should i do?

dont run

can someone help me please????

hey back, had to go, delete the pics please, they contain spoilers

to avoid more spoilers, DM me please

@vital zephyr

this one too

can anybody help me

gitlab? attacking common application?

yes buddy

ok delete the message cuz it have somewhat of a spoiler 😅

sorry

it my fualt

its okay, so you solved the first question

now for the second, i dont beleive u need a password

lemme see rq

okay

yes u dont need

then how you rce

it is taught in the module

it authenticated right ?

the || username enumeration || you did was through the || register || page, so use that

yeah i dumb as fuck

sorry i have not reading it proper

some time little details get missed

its okay

uhm, <@&861185840277487616> idk if applicable or not tbh 😂

That's a mute

his message still there, idk it should be reported or not, i did anyway

I got muted for a day for something like that

huh smth like what

Seriousrulebreak

well u see his message bro, what should i do 😭

Idk 🤷‍♂️

Anyone for advanced xss and csrf exploitation - xss filter bypasses ? Able to bypass the filter, still getting stuck on cors policy. Using 2 step xhr payload. Can’t get withCredentials to get a valid response

when i tried to download files from rsync it says "connected to machine". but i can't get any. sometimes i eve can't list what's inside. can someone tell me what's the issue and how to resolve it?

Need help withe PhT question on the "Attacking RDP" - Common Services module.

The question asks to connect via Admin (RDP) with the hash. But I am not able to dump the hash using || crackmapexec||

That command is not even explained there but I tried anyway.

I also tried to RDP as || lewen with his hash || and it did not work either.

why do u need to dump the hash?

because I don't have it

have u tried using rdp first

but "htb-user" is local admin

I am able to RDP yes. But this is for Q#3

do they not have the hash on the desktop?

The third question is for RDP, but as Admin with its hash

I do not see it, let me RDP again

Jesus Christ

where did u get that name from

Hit me with a pan

what name

htb-user

is provided

let me try what you said initially

has anyone had done 'Using Crackmapexec' skills assessments question 3? i am stuck after obtaining 'j***' credentials.

What is the API key in the hidden admin directory that you have discovered on the target system? Im stuck here completed other questiones (Skill assesment) can i dm anyone?

Currently doing the login bruteforce module...

After letting the first script run for 20 min not realising that I wasn't on the VPN (thanks for not throwing any timeout error 😄 ) I started it again, I'm currently in the 7.2k and still no answer...

Whyyyyy isn't the module over a 1000 range rather than 10k, the concept is identical haha

Can someone tell me if I already passed the right PIN and something is wrong?

what section exactly?

Brute Force Attacks / Brute Force attacks

I thought its not allowed for modules above tier 0?

Giving you straight the answer isn't allowed. But we need the command to know what you've potentially done wrong

Can i dm you regarding the skill assessment if that okay?

shit, this is the new section after updating the module 😅 lemme test it rq to check whats happening

Yeah it's also pretty slow to run on my box somehow

dm me it

Omg it concluded hahaha

Whyyyyy do they put the pin so effin far hahaha

still going for me lol

Yeah it took 30+min for me

💀

Which leads to another question: Can you open another section and spawn the next section's instance at the same time or not?

I hate not being able to pipeline these kind of things

yeah if its a public ip machine

i was searching for a way to see if i can speed it up somehow

wrong reply, lol

I was this close to ffuf-ing it to be honest haha

ACTUALLY

thats a good idea! wait 1 minute 😂

I know, I just want to do things the way the author meant them, because I also write education manuals hahahaha

Let me know how fast doest ffuf make it

I cannot believe I missed that. Thanks

I resend due to recent conversation. (So the message will not dissappear).

And then the script with the dictionnary didn't work (the file wasn't being transferred through github somehow) so had to download the file and get the script to pull from my own http server...

Weird

i have not done that module unfourently

Newbie here. Trying to get through Q3 under Service Scanning in PenTester role - List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file. Followed all guidance but can't get bob's password. Any suggestions plse ??

Mention module name, and section name if you want help

Without looking at the module:

• Was bob password used earlier in the module? Some modules reuse creds
• Do you need bob's password? There might be an option to connect without it

OK Thnx. Thot module was pentester and section was Service Scanning. Will go check

hello

Thnx HaTxx. Will go see

Please read #welcome and #rules it will explain how to get verified

ok, i was looking for that

Hello everyone, I'm working on https://academy.hackthebox.com/module/143/section/1275 now.
I spent quite a long time figuring out the ACADEMY-EA-ATTACK01 machine's credential for ssh login...
I think it's missing in the module page. I managed to find the credential here tho.