#modules
hello who know you to reverse engineer an private api ? (i use mitm) i need help thx
Hi
Can someone please help me here... I am trying to do the last exercise on AD Enumeration, which is Privilege Access. This one is the MSSQL question, getting the flag from DB01.
I keep getting an error when running this: Get-SQLQuery -Verbose -Instance "172.16.5.150,1433" -Username "contoso\joe" -Password "Password123!" -Query "EXEC xp_cmdshell 'powershell -c Get-Content c:\flag.txt'"
I edited a bit to avoid spoilers. But I do not understand why it fails.
I get a connection success, then connection failed
I am very very close.... to uploading ligolo and using commands from Kali, but I am trying not to deviate from the exercise's main goal. I just do not understand why this keeps failing. By the way, RDP is painfully slow; I've tried remmina, rdesktop, xfreerdp, regenerating the VPN, you name it.
you can use the parrot instance that spawns alongside the windows targets
Connect to it using the internal IP (subnet) address
Thanks for reply. That's what I am trying to avoid. Regardless, I use it and that command still failed.
Ohhhhhh
I know what it is.
Formatting issues, when copy pasting those single and double quotes
its always quotes
love this module
Hey! I got stuck on the last section of the Getting Started module in the CPTS roadmap.
I got a reverse shell, but I am attempting to write a bash script in order to root the machine.
I have ALL : ALL (NOPASSWD) perms to /usr/bin/php
/usr/bin/php is a soft symlink that points to /etc/alternatives/php
/etc/alternatives/php is another symlink that points to /usr/bin/php7.4 which I do not have write access to.
I have tried to make the symlink point to my own script file using ln -sf, but I have no permissions to do that, and running that command with sudo requests password input.
did you try
https://gtfobins.github.io/gtfobins/php/#shell
php is a command?
Wouldn’t it still run as root?
yes /usr/bin/php is a binary/program/command
I didn't know php was a command.
Thanks guys ❤️
Any clue why it's not grabbing the CMD var?
You supposed to start looking for a date from a specific timeframe mentioned in the example
CMD is an env variable for www-data but isnt going to be part of root's env.
its unnecessary though, just put the command you want directly into the system call
sometimes GTFObins recommends some unnecessary extra steps, gotta use your brain sometimes to prune em for the situation
Ahhh gotchuu. Inserting the command didn't work either ;|
Yeah I was changing it I just wanted to know the reason you know
Can I use php to just run a .php file?
u removed the ;
Dang you guys are sharp.
it literally tells syntax error 😄
You're right 😂
reading is OP, trust
Now it froze my shell
its the meta strat
Yeah you're right guys I'm just after a few hours on this module so becoming a bit less effective
Where’s the $
taking a quick walk is always helpful too
It's because my target expired
Yeah I just really had the urge to get this done you right
This is the second time the target expired lol
staring at my screen for a while now my eyes are squares now ;D
using windapsearch.py I get this error, just want to confirm its with the server and not me:
[!] {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 107, 'ctrls': [], 'info': 'Transport endpoint is not connected'}
Thanks guys ❤️ @buoyant escarp @thorn urchin
yeah
Type shi
annoying, had 3 server resets but I can never connect
might have to leave it for a bit
I just got new glasses that have blue tint filters on them and its really pleasant for those longer screen sessions lol
Hello, when I'm trying to kerberoast, i keep getting this error.
Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
I tried using faketime and still same error, does anyone have any quick fix they do generally to combat this?
i dont have glasses, but they rly help a lot?
they do for me, less eye strain
they make non-corrective glasses that help too but you will look like a dork wearing them
it means faketime isnt working properly, VMs sometimes automatically sync themselves back to your host so you might have to disable your setting
would be op to use apples ar glasses for hacking lol
how can i do that?
no lol would probably be a huge headache
I dont remember tbh, and depends on what software you use
If anyone has any quick or easy fix for this please let me know.
hi which previous sections of Password Attacks Module should I reread before reattempting the Pass the Ticket from Linux Section?
I have done several of the question in the Linux Pass the Ticket section I just think I need to make sure I understand the material
have you tried just sitting down and seeing what you remembered? what about your section notes?
those are the only sections where thats talked about
why didnt they think of that earlier
Ive known queuemark for a long time. theres a legitimate chance they haven't
you got anything better to do than pester me? never see you answering questions
you're not above giving useful advice
ill just block now. youre useless
cool
you can renew the target timer
@sacred gull Have you done DACL II module?
No, just started yesterday properly so only up to the BloodHound module
I have been stuck on DACL 2 last question for couple days now
im planning on starting that one tonight after work
if you are able to finish the skill assessment ping me please
I set a reminder
hi
hi
Hi
they left
How to run hack the box in my computer
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
ABUSING HTTP MISCONFIGURATIONS : Skills Assessment - Hard
Hey guys!
Currently working on the hard skills assessment, but unfortunately couldn’t find any solution at the moment.
Can I DM for a nudge please?
hi
yo
wazzup
hi
hi
Active Directory Enumeration & Attacks > Miscellaneous Misconfigurations
Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer.
i found another user that start with letter (m) and i cracked his pass (start with W) and its not accepting my answer
sounds like wrong user
answer does not start with W
there are two users; in the first Q the user starts with y, and in the second Q it said (find another user)
Q1 Find another user with the passwd_notreqd field set. Submit the samaccountname as your answer. The samaccountname starts with the letter "y"
Q2 Find another user with the "Do not require Kerberos pre-authentication setting" enabled. Perform an ASREPRoasting attack against this user, crack the hash, and submit their cleartext password as your answer.
Im aware I checked my own answer
the answer does not begin with the letter W, you found the wrong user or performed the wrong attack
okay, i will try
thanks, i found it
np
Hello guys, I have a question. In AD Enum and Attacks, I tried recreating enumeration and attack techniques using a Linux host, where the module suggests that I must SSH into a Linux host and do the activity there. But I want to exercise my pivoting skills and want to do it from my Kali box through pivoting. I used dynamic port forwarding with SSH and Chisel, but I don't seem to be able to access the DC and other hosts in the internal domain environment. Is this because of a network restriction in the module labs themselves, like in some Bounty Hunter modules where you can't establish a reverse shell because of restrictions, or am I missing something?
Explain what you've done so far and we might be able to pinpoint the issue
worked fine when i did it
not with chisel tho
I did but the timestamp didn’t show any correct date, anyway I just tried the date from which the example started collecting events and it worked but I still don’t see how it’s the answer!?
NVM, understood what I have been doing wrong
I tried dynamic port forwarding using SSH, so the provided linux box that is connected to the internal network with the DC serves as a proxy to forward my packets. But when trying proxychains nmap -A -Pn 172.16.5.5 (dc-ip), no ports are open.
Nice. What did you use?
Try adding -sT in nmap, additionally, if it still doesn't establish the connection through the socks proxy use sudo proxychains.. (if using the workstation)
ligolo
but ssh and proxychains should work just fine
Yep, this worked. Thank you. I totally forgot about this. An oversight on my part.
Nice. I'll also try to learn this.
@pearl token hi can I dm pls
Anyone doing the crackmapexec Module currently by Chance or has already done it?
ask your question
With pleasure! It touched the Sliver C2 Framework, is there any other resource where this gets covered maybe a little more in depth?
Maybe your timestamp field was set to monthly? Play around with the interval and see how they work differently, eventually you will see the majority of the rows pointed out to the answer
Ok I’ll try, thank you
hello everyone , can anyone help me with
module : bloodhound
section : bloodhound for blue teams
question : Using BlueHound custom dashboard. What percentage of users have a path to Domain Admins? (Do not include %)
i found that the total of users is 31 and the number of users that have a path to domain admins is 4
but my answer is wrong , can anyone help me
AM I too slow to be on Red TeAm
The dashboard will provide you with the correct number
i have the number of the total users and the number of the users that have a path to domain admins
31/4 , but still my answer is wrong
how do i use a vpn connection file? it seems like some stuff wont work unless i connect my VM to the connection file
or am i understanding it wrong
sudo openvpn academy.ovpn
I had the same problem, use the number from the dashboard
thanks
hello , can i send u a dm ?
how long does it take to connect using ssh, does it usually take very long?
no
no
for some reason when i do it its just a blank line that i can type in, if i put a command in there it does absolutely nothing
sure
did nothing
try to ping the host
Sorry but relaunch target! and wait 5 minutes. Always wait five
then Attempt
If you want to avoid problems
alright
didnt do anything
oh wait nvm
it worked, thanks!
i have the same problem with Xorsearch and scdebug.exe in the skills assessment
hello i have a problem in server side attack skill assessment anyone guide me plz this is the req
POST / HTTP/1.1
Host: 83.136.251.210:32887
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://83.136.251.210:32887
Connection: keep-alive
Referer: http://83.136.251.210:32887/
what are you trying to do
Lets take it to dm to avoid spoilers please
okzz
Oh I meant you two. I’m unavailable atm (not at my pc, gonna be at least 2 hours)
ohh okz
Happy to help if you’re still stuck then 🙂
i am stuck i dont know what to do i did many things, didn't work
pwd, ls, id: these cmds work, but a cmd with a space is not working, like ls -al or ls /
So I did that common thing where you post a question after hours of frustration and then 20 min later find the answer. In my defense, the solution is very silly and, in my opinion, doesn’t really test you on the module’s content. It feels more like a low grade CTF problem. For anyone else stuck, I would point you to the .js file with the nondesc...
thank you
Hello, yea sure
In kali Linux
cd/usr/share/worldlist
Zsh : no such file or directory
How to solve this
what is your command
check spaces and spelling
I've tried putting the whole thing in a .txt file and it didn't work. I tried removing admin, didn't work, tried just the first part didn't work and tried just the second part didn't work
I don't see a password here
None of these outputs is the correct answer
crackstation also doesn't recognise the hashtype
what's the module name?
Fingerprinting ipmi section
Ok apparently the syntax for john is totally different with IPMI?
You need to get metasploit to output a file for john. Then run `john --fork=8 --incremental:alpha --format=rakp <name of whatever metasploit output file>`
This gets the password without even using a wordlist which is weird.
check what "incremental" means
What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain? (One number)
This is from AD.
I have tried ldapsearch, smb null logins, rpc null logins, and enum4linux, none gave me any info on Password Policy.
Any nudges?
try resetting the lab, I'm pretty sure I got the info
I just took a look at the forum thread and apparently there was a bug in the SA for Server-Side Attacks that made it way too easy. I just pushed a fix. Just want to mention it here in the channel in case anyone is wondering why the solution discussed in the thread no longer works.
Now I know why people have been complaining that the module is too easy 
The secret's out 
got it, thanks!
haha, there were also a lot of people that complained the skills assessment didnt reflect the things taught in the module
Anyone who has done intro to purple team module. I need little help with Zabbix CVE section
The Attacking Enterprises module for cpts is like a fever dream
It's fun blind
I'm having trouble with it at the moment
I for some reason cant reach the page for the pivoted machine on firefox
firefox gives me the proxy server is not accepting requests message
OH
gotta use -D with ssh
there we go
Can anyone confirm if the ssh is working ? Like the section after DCSync you're supposed to rdp into windows host and from there ssh to a Linux host
well to be fair from what I've seen so far I don't feel that I need a blind run, it's just that I don't see how each attack fits the web attacks part. Like I wouldn't guess "AHA! XXE attack here!" in something.inlanefreight.local for instance
It's still good to do the rest blind, as it's the closest to a mock CPTS you'll get
Morning / evening guys
Hey guys little question about burpsuite (module web proxies). i'm doing the skills assignment and the question is that a button on the page is disabled; i need to enable it to see the flag, so i did a matching rule disabled to enabled in the response body but it still stays on disabled, any idea?
Need some advice. I've been really frustrated with the AD modules. RDP is extremely laggy. Besides using the in-browser Kali, any other suggestion?
Maybe play with the MTU?
What error are you getting ?
you are overcomplicating it
right click inspect and replace disabled with enabled then you can click on it
already did
i got the flag once and tried again to understand what i did but idk i can't do it again
and when i click on it after it refreshes and sets it again to disabled
@compact matrix a thing that i also don't understand is that in the response it is set to enabled but when i go check in the http history its set to disabled
Nobody on Discord can help @queen birch . Please contact support on the site. Discord isn't monitored by support
Need some help? Learn how to reach the support team on Academy.
I contacted them via the AI Chat Bot but my conversation is locked
There's an email customerops@hackthebox.com - best to e-mail them 🙂
@timber bluff - if you wanna run commands, go to #bot-commands please
hey guys other question about burp so the thing that i want to do is to add a char at the end of the cookie, and after that encode the whole cookie first in base64 and then hex, i know i'm doing something wrong
remove the variable and add it again
is it to me?
yes
i don't understand what you mean it gives me the same?
the thing is that the payload position is disabled i cant change it to
payload position is a burp pro feature
ow oke so i guess i need to use zap
Try using Add Prefix instead of Hash MD5
that is the question in case Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
i understand the assignment and what i need to do this is my conf
is it not suffix its the last char?
i also tried that but i cant use a file here for suffix
So if I add the given 31 character hash to Add Prefix, Burp Intruder, will build the payload using that prefix and the Payload within the Payload Settings, so essentially it is adding the 1,2,3,4 to end of the prefix, then Base64 encoding it, Encoding as ASCII Hex, then testing it against the selected parameter from the Payload Positions. Does that make sense?
I don't recall the tier of this module, but if you'd like to see an example you can DM.
tricky one thanks i understand it now im gonna try it 🙂
do you also have an idea for this one @gray yacht i found the flag but idk how i tried again to understand it but can't find it anymore
Yeah
If you already got the flag you can DM.
plss teach me somthin
guess i'm not the only new one here lol
Hello,
I am having trouble on page 9 of Security Monitoring & SIEM Fundamentals. It's not taking the date in Elastic. Am I reading this task wrong or could this be an error in the module?
it's ok, i went to the thread for that section and found another method. they should fix this very annoying lab
can someone tell me what that is? <!-- partial:index.partial.html -->
this is of File inclusion part one
If i remember you need to decode it until its md5, add this as prefix, then encode the whole as asciihex and then base64 or so
hello , does anyone finished bloodhound module ? i have a question in the BloodHound for BlueTeams section
Can anyone help me with the syntax for uploading lazagne.exe via xfreerdp for the Credential Hunting section in the Password Attacks module. I'm having difficulty getting it uploaded to the target host. Tried smb server and it didn't work
Something like this didn't work? xfreerdp /v:IP /u:username /p:password /dynamic-resolution /drive:linux,/home/kali /cert-ignore
did u try http server ?
you can copy the file to clipboard and paste it in somewhere in the desktop on the rdp session
I have not tried that yet, but im going to try multiple ways
I was doing /v: /u: /:p /drive:, but ill try this as well
mgr_brute.py
I've used this too +drive:smbfolder,/home/kali/
Figured it all out thank you @gray yacht , @minor sonnet and @sonic plume
Module: Active Directory enumeration and attacks
Section: LLMNR/NBT-NS poisoning - windows
I am having trouble connecting to the windows machine I keep getting error
"[12:14:35:029] [14037:14038] [WARN][com.freerdp.crypto] - Certificate verification failure 'self-signed certificate (18)' at stack position 0
[12:14:35:029] [14037:14038] [WARN][com.freerdp.crypto] - CN = ACADEMY-EA-MS01.INLANEFREIGHT.LOCAL
[12:14:44:044] [14037:14038] [ERROR][com.freerdp.core.connection] - Timeout waiting for activation
[12:14:44:047] [14037:14037] [ERROR][com.freerdp.core] - freerdp_abort_connect:freerdp_set_last_error_ex ERRCONNECT_CONNECT_CANCELLED [0x0002000B"
/cert-ignore to ur xfreerdp
thank you
now its saying timeout waiting for activation then aborts
show me
prolly resetting would help tho
worked idk why it didn't work last time weird thanks
I'm trying to access Splunk in Attacking Common Applications module but it keeps telling me Connection was reset
why am i not able to access it?
Here's the question
I did an nmap scan on the IP and it showed me that splunk is working at port 8089
Did you identify any other open ports?
yes, I can access other ports like 80 and 8080
What about 8000?
same, though I just reset the target so I'll give it some time maybe the service did not have the chance to start yet
Shoot me a DM if you can't get it to load.
DM'd
Hey guys, having some issues with the Start-Dnscat2 cmd. Having imported the ps1 module on the target successfully, the target is still unable to recognize the start cmdlet. I'm in the same directory and my dnscat2 server is properly configured on the attack box. Any ideas?
anyone here done HTTPs/TLS Attacks that i can dm?
Modify the time interval
Password Attacks -> Attacking LSASS
Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)
shouldn't the command netexec smb 10.129.166.200 --local-auth -u htb-student -p HTB_@cademy_stdnt! --lsa work beside the technique discussed above ?
Https?
You'd need a valid admin account to dump
anyone done intro to deserialization skills 2 that i can dm?
I'm going to go to sleep now. If you don't get any more help, send me a DM. I will answer it tomorrow.
Hi i have a question on the last question of the skills assessment from the pivoting module, the share you know, i have to have access to it if im in the last machine right?
If it is too much of a spoiler just tell me and i will delete the message and ask in private
Yes
Ok, ty
Dm
Hi everyone, I’m new here. I have a small issue where I can’t submit an answer for the /module/54/section/511 | Skills Assessment - Web Fuzzing | Q3 (question_id = 157). The question asks: 'One of the pages you will identify should say, "You don't have access!". What is the full page URL?' I have the answer after using ffuf, but it’s not being accepted and shows the error: 'Incorrect answer'.
I’m not sure how much I can post in the chat or what the rules are for providing answers. I’m just seeking some help as I might be missing something.
It might be the port number. You can DM what you are trying.
Hi Guys, Who got the way? I have stuck for weeks.
Hello everyone!
Could someone help with me
Shells & Payloads
I am stuck at Infiltrating Windows >
Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:\
i have setup the Rhost Lhost SMBshare and used ms17_010; when running the exploit it does not complete
make sure you're using the correct exploit, I too got confused when doing that section
Thank you friend! i got it! 😄
Module: SOCKS5 Tunneling with Chisel
Anyone know why this is occurring, using Kali Linux and it does not work
sounds like the binary is for the wrong architecture
Shells & Payloads
Laudanum, One Webshell to Rule Them All
Establish a web shell session with the target using the concepts covered in this section. Submit the full path of the directory you land in. (Format: c:\path\you\land\in)
i did the etc file
can access the site and upload a file
but cant access it with \files\filename, i get an error
i think its in the aspx file wrong ip maybe ? does someone know
so you uploaded shell.aspx ? did you modify the file to match your IP?
it was my ip indeed sorry and thank you!
Lol this was exactly the issue, it's weird that it did not just redirect me.
Hi, I am stuck on the Documentation & Reporting Practice Lab module. can anyone help me with some hints?
Because it's not set up to auto-upgrade insecure requests
Can't help you if you don't provide info with what you're stuck on dude
Oh, sure. I am stuck on the first question. I am confused about how to start enumerating DC01.
Well you should have learned your enumeration strategies from the previous modules
Assuming you're doing the cpts path
The other thing is you're given an incomplete report in the resources
I got some info from Nmap and reports from Obsidian but can't find my way to start
Start with the basics, are there open shares, ftp, anything you can use to break in
By this point, if you're doing the cpts path, you should have a decent methodology, or at least notes from the previous modules, to try
I will try with your hints. is it possible to ping you again if still stuck? thank you very much
No. You should be well equipped to figure it out on your own tbh
thank you
hello everyone, i am stuck on the third question of the "Credentials in Object Properties" section from the Windows Attack and Defense Module of the SOC Analyst path, i do everything required for the event with ID 4771 to appear but it does not show up, and the answer for that question is the TargetSid of a user, which should be present in the event
Did you try connecting to DC01 or the IP, you get two different event types
i first connected to the target, then performed the RDP logon to DC1 using the "bonni" username and a wrong password, and then i connected to DC1 with the correct provided credentials (htb-student:HTB_@cademy_stdnt!)
Is it DC1 or DC01 (genuinely don't recall)
in the section it is referred to as DC1, this is the exact question if it helps "Connect to DC1 as 'htb-student:HTB_@cademy_stdnt!' and look at the logs in Event Viewer. What is the TargetSid of the bonni user?"
i am almost sure i am not doing anything wrong, but for some reason, the event with id 4771 that should be generated after the failed logon attempt does not show up in the Event viewer of the DC1
Try resetting the target or changing vpn region
ok i am gonna try to change the vpn region, as i have already reset the target multiple times
still no luck
where are you looking? i just did this and found it right away
Anyone who has completed Intro to purple Team Modules Zabbix CVE exploitation section!
I need a little help with moving forward after getting a shell as Zabbix
Then surely there is something i am doing wrong --> Here are my steps again: Connect to the target using xfreerdp, then do the RDP logon to DC1 with the "bonni" username and a wrong password, then connect to DC1 with the provided correct credentials 'htb-student:HTB_@cademy_stdnt!', then open the Event Viewer tool and filter for events with ID 4771. what can i be doing wrong?
which channel in the event viewer
Security
should be there, maybe rdp with the wrong pass a couple times try different passwords
yeah i have already done that, i used a wrong password like 3 times
The username is htb-student and password is HTB_@cademy_stndt!, not bonni..
There's part of the section that has you do a failed login to the DC
That would then answer the question number 2: Using the password discovered in the previous question, try to authenticate to DC1 as the bonni user. Is the password valid?
For this question it is specified the username and password
i think there is a misunderstanding, the answer for the second question is just "No", because it is a wrong password, but then i need to connect to DC1 using the credentials they are providing me (htb-student:HTB_@cademy_stdnt!) and then use the Event Viewer to retrieve some information from the event with ID 4771 that should have been generated after performing the failed login to DC1 using the bonni username
It's not "no" bc it's the wrong password
From the rdp session are you authenticating to the internal DC1 server, the host you're connecting to initially isn't DC1
Also don't share discovered passwords
I may have misunderstood it, so you can’t generate 4771 event id, and this is the problem correct?
I just went through the ExtraSids attack again (AD enum & attacks module, attacking domain trusts child->parent from windows), and I'm still struggling to understand the feature we are abusing. Can't trust chatgpt's explanation anymore after it hallucinated a bit trying to agree with me.
We are abusing the SID history attribute by adding the sid of a privileged group in the parent domain, and through that gain access to the parent domain after compromising the child domain. But I simply don't understand the design of the feature we are abusing. If I understand the content (and a few other sources I checked to see who was right) correctly,
- User 'dude' has SID X in child domain;
- We establish a trust between child domain and parent domain, and 'dude' in parent domain gets SID Y;
- Since we still need 'dude' to access things in child domain, we add SID X to dude's SID history, and child domain will check SID history henceforth.
So far so good. But when we abuse this we are abusing the parent domain. We add say Enterprise Admins' SID to SID history, and the parent domain says "Oh hey Enterprise Admin, come on in." Why is the parent domain checking SID history at all, if it's meant to preserve rights in child domain? Shouldn't it just check the "current" SID?
its ok mate, and yes, that is the problem
sorry i dont understand what you mean by that
and also sorry, i did not know that
The spawned target isnt dc1
i think i got what you are saying here. and yes, i am aware that the target is not DC1
yes, i know the target is just a machine from the environment that was compromised (according to the section)
I don't doubt that I'm overcomplicating it, but how so ?
there are previous questions (from the same module) similar to this one, and the required/expected events always show up in the Event Viewer, i dont know what the problem is in this case
"If a user in one domain is migrated to another domain, a new account is created in the second domain. The original user's SID will be added to the new user's SID history attribute, ensuring that the user can still access resources in the original domain." is precisely the scenario described in the content and every other resource I've found
thank you, reading
that in itself is not confusing. What is confusing to me is why the parent domain itself checks the sid history, if it's meant to preserve access on the child domain
For any person who is well rounded in xpath syntax and conditionals:
In a xpath injection scenario, why cant we use > and < to search for the correct character at a particular index :
substring(name(/*[1]),1,1) > 'a' and '1'='1'] --> only = sign works here
I'll re-read this carefully, thank you for taking the time. Just one note, I should generalise because indeed I don't think it matters that the trust here is parent-child
Hi there someone knows if is there any problem with the Vaccine lab in the tier 2 challenges? When running sqlmap as per the writeup the database which is supposed to be vulnerable to stacked queries for the --os-shell flag to work, is saying this: [CRITICAL] unable to prompt for an interactive operating system shell via the back-end DBMS because stacked queries SQL injection is not supported
Is this perhaps a misconfiguration on my side? I am trying to hack it by using metasploit but I need to crack the password which is md52d58e0637ec1e94cdfba3d1c26b67d01 but I had no luck cracking it 😅 ... Can anyone guide me through please
ask in #starting-point
xD thanks
Sorry - I misdirected you @hasty flume
dont worry thanks anyway 🙏
I'm sorry, I still don't get why it's designed like this. I must be missing something fundamental. Maybe it's easier to explain what I'm struggling with with pseudocode. So what it sounds like a domain is doing when checking rights is:
checkRightsInThisDomain(object) {
    if (ACL.allows(object.SID) or ACL.allowsAnyIn(object.SIDHistory))
        OK
    else
        Permission denied
}
If I understand correctly, a SID is particular to a domain. Why isn't the check written like this instead (as in, why wouldn't that achieve the same requirements while being more secure):
checkRightsInThisDomain(object) {
    if (isInThisDomain(object.SID) and ACL.allows(object.SID))
        return OK
    for each SID in object.SIDHistory
        if (isInThisDomain(SID) and ACL.allows(SID))
            return OK
    return Permission denied
}
if you guys think we're being too verbose I'm happy to dm
In the "Linux File Transfer Methods" module it says "There are also situations such as binary exploitation and packet capture analysis, where we must upload files from our target machine onto our attack host". Shouldn't it be the other way around?
Isn't uploading taking a file from my attacking machine and uploading it to the target?
I'm specifically referring to the bit where it says "from our target machine onto our attack host" - shouldn't it read "from our attack host onto our target machine"?
Reset the target and redo it in order, logon to bonni first then DC1. Nothing will show after you logon to DC1, I just tested it and it worked if you do it correctly in order
And it had to be the first time
I understand the attack (I think), and I think I could move on just like that, but I usually understand why something is designed the way it is and why it would need some kind of separate mitigation because a redesign would be costly. But in this case I don't see why it's not easy to patch, which tells me I am missing something about the feature itself
Maybe I'm misunderstanding. I would appreciate any guidance or help here.
"Such as binex and capture analysis"
Sometimes you want to harvest files from the target
It seems like SID filtering (https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/55fc19f2-55ba-4251-8a6a-103dd7c66280) can do exactly this, so indeed I'm missing something about why we need a more generic design than that. That's ok, I can live with that. If anyone knows why though, I'd still be interested :)
You mean: From target do the failed login to DC1 with bonni, and then the correct one. right?
Wouldn't that be "downloading files" as opposed to uploading? Which is what this part of the module is dealing with as this part's title is "Upload Operations"
Right
Hi guys, can anyone help with the Windows Privilege Escalation module, section 'SeTakeOwnership' lab? When I do whoami /priv, the htb-student user is a standard user without any privileges assigned and the user is only a member of Remote Desktop Users. Can anyone tell me how the lab is done?
that is what I've been doing mate, I am gonna try once again
You are uploading them from the target to your machine via a service i.e. you upload to a webserver you have running
Failed attempt got to be done before the first successful rdp, good luck
You can take over the ownership of the flag
think that was it
I'm stuck in "Advanced XSS and CSRF Exploitation - XSS Filter Bypasses", can anyone help? I am able to bypass the XSS filter and get logs as the admin, but cannot get it to work.
Yes, I have understood that. But in order to take ownership of the file, the user has to have that privilege, right? But here the user only has "SeChangeNotifyPrivilege & SeIncreaseWorkingSetPrivilege". And when I check the ownership of the file with "cmd /c dir /q C:\TakeOwn", it is owned by an SCCM service account. Also I have tried the "takeown" functionality, but the "action is denied", since the user does not have the SeTakeOwnership privilege.
does it actually say that the privilege is enabled?
No, but if it is disabled we can enable it with the script given in the tools directory ("EnableAllTokens.ps1"). Here in the user privileges section there is a quote of "SeOwnershipPrivilege": PS C:\Users\htb-student> whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Users\htb-student>
are you sure you have set read access to print the file?
icacls 'C:\Department Shares\Private\IT\cred.txt' /grant htb-student:F (example)
even though you are the owner you might still not be able to read the file unless that command has been run
you can also verify that the owner has changed with
Get-ChildItem -Path 'C:\Department Shares\Private\IT\cred.txt' | select name,directory, @{Name="Owner";Expression={(Get-ACL $_.Fullname).Owner}}
Yes, I have tried. I got the denied message: "PS C:\Users\htb-student> icacls "C:\TakeOwn\flag.txt" /grant htb-student:F
C:\TakeOwn\flag.txt: Access is denied.
Successfully processed 0 files; Failed processing 1 files"
have you tried running cmd as administrator?
or powershell
just test it and see if it asks for a password
or try to supply your own
still nothing, I really don't know what else to do, I am pretty sure I am doing everything correctly (as it is a simple process)
yes, I have tried... "permission denied"
@placid edge mind if I dm?
go ahead
Thanks bro... after restarting the machine, I tried running PowerShell as administrator and got access. PS C:\Windows\system32> whoami
winlpe-srv01\htb-student
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ======================================== ========
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\Windows\system32> C:\tools\EnableAllTokenPrivs.ps1
PS C:\Windows\system32> whoami /priv
PRIVILEGES INFORMATION
Privilege Name Description State
============================= ======================================== =======
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
glad you got it 🙂
🙂
Is there any way to report to HTB that a particular module may be broken? I'm doing the FTP page in the footprinting module and the FTP server just doesn't seem to work. ls times out no matter what, and you can't get the flag by any method listed on the page. wget just times out as well, get flag.txt doesn't seem to do anything.
Did you open the event viewer from DC1 machine?
Yes, after the failed login I log in to DC1 and open the event viewer
That’s odd, the process is correct though
try pwnbox and restart the target
yea mate, and it's so annoying because I have wasted so much time on this already, and I know I've been doing it correctly since the start
Did you document your process? You can send me screenshots on dm maybe I can check on it
document in what way? I take notes and also elaborate a "guide" that explains how I answered every question, but all the info I pretty much already sent here
kerbrute passwordspray -d inlanefreight.local --dc 172.16.5.5 justusers.txt Welcome1 -v
I'm trying password spraying using a valid username list with 56 entries. However,
2024/12/13 06:20:16 > Done! Tested 25 logins (0 successes) in 0.031 seconds
it's not really going through the whole list, and the number of attempts keeps changing.
It's the Active Directory
module
The username is present in the list, however, it won't iterate up to that username and there are no errors in verbose either
Welcome1!
?
Also there's multiple AD modules
Like a walkthrough with images, but never mind
Was just trying to help with the details
Yeah ik, but it's more of a general question. I wanna know why kerbrute behaves like that. Why is it making a variable number of authentication attempts and not going through the whole list?
I'm stuck in "Advanced XSS and CSRF Exploitation - XSS Filter Bypasses", can anyone help?
I am able to bypass the XSS filter and get logs back, but I cannot fetch /home
Good evening. It's not directly about modules, but I don't know where else to ask. My Parrot OS machine on VirtualBox isn't launching, it just loads infinitely without any animation or crashes instantly with "RPC_S_SERVER_UNAVAILABLE" and I don't know what that means and how to fix it. Hyper-V is disabled (if it actually affects anything). It was working fine before. I tried reinstalling it completely.
guys, this is not making sense to me:
┌─[htb-student@ea-attack01]─[~]
└──╼ $cat justusers.txt | grep sgage
sgage
┌─[htb-student@ea-attack01]─[~]
└──╼ $netexec
-bash: netexec: command not found
┌─[✗]─[htb-student@ea-attack01]─[~]
└──╼ $sudo crackmapexec smb 172.16.5.5 -u sgage -p Welcome1 | grep +
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\sgage:Welcome1
┌─[htb-student@ea-attack01]─[~]
└──╼ $sudo crackmapexec smb 172.16.5.5 -u justusers.txt -p Welcome1 | grep +
SMB 172.16.5.5 445 ACADEMY-EA-DC01 [+] INLANEFREIGHT.LOCAL\tjohnson:Welcome1
Does it stop on the first valid match?
Yes, you need to provide the flag --continue-on-success
Amazing, thank you!
Hello everybody, I am stuck in the Skills Assessment for the Attacking Authentication Mechanisms. Can I ping someone for a nudge? Thank you
Trying to spawn the machine for HTB lab Dev and it's saying "Switch to VIP Server", not sure how to do that. I spawned the open box and tried a bunch of different VPNs
Nevermind, just figured out I need to switch to EU VIP
Is anyone having problems with file transfer with ligolo-ng?
You have to setup a listener on the correct interface to transfer files with ligolo. I can DM a YT video that covers this and rev shell connections.
So?
I set up a listener, and after many tries I managed to upload it, but only after many tries 😀
So then you're good?
yes thanks
Sure you can send a DM.
hey, has anyone finished the server side attacks module after the update in 2024?? I have an issue with it, can I get help??
Hi, I have a question.
I'm trying to do this exercise:
Perform an analysis of C:\Apps\Restart-OracleService.exe and identify the credentials hidden within its source code. Submit the answer using the format username:password.
But when I drag the .bin file on top of de4dot file I get this error. Can someone guide me?
Ok this might be a dumb question, but is there any reason why the footprinting easy lab has you using up time running dig and dnsenum and finding an ftp dns to find an ftp server when you can just find it by using nmap on the main IP of the box in one step?
In fact the first thing it asks you to do in the walkthrough is run nmap. So you already have the info you need to get the flag. Why spend time enumerating the dns stuff?
anyone know this one Find the output of the following command using one of the techniques you learned in this section: find /usr/share/ | grep root | grep mysql | tail -n 1
i made this command but it doesn't work 127.0.0.1%0abash<<<$(base64${IFS}-d<<<ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE=)
Module Command INjections Advanced Command Obfuscation
hi
when I try building the agent and proxy from ligolo-ng it gives me
zsh: illegal hardware instruction go build -o agent cmd/agent/main.go
Does this work?
127.0.0.1%0aecho${IFS}"ZmluZCAvdXNyL3NoYXJlLyB8IGdyZXAgcm9vdCB8IGdyZXAgbXlzcWwgfCB0YWlsIC1uIDE="|base64$IFS-d|bash
You grabbed the wrong version. ARM vs x86_64/AMD architecture
Any reason my nfs nmap scripts just never complete?
How does more time get added to ETA that doesn't even make sense
I am working on ADCS Attacks module. I have complete all sections except ESC5, ESC8, and ESC11. I can't complete them because on the last step of abuse I get the following error Got error while trying to request TGT: Kerberos SessionError: KDC_ERR_PADATA_TYPE_NOSUPP(KDC has no support for padata type). Does anyone know a workaround?
hey remember me ?
oh sorry wrong account i am burny with the burpsuite issue
i solved it ,
instead of removing the entire cookie then replacing it with the $$ stuff, you add the damn $cookie hash$ like this
which is sO dAmN dumb but it works I guess
Does anyone have the command syntax to upload a directory for ssh? I'm trying to download LaZagne.py to kira's ssh in Cred Hunting in Linux and when I ran the script. It threw back "at line 17 you need..... this file"
tried using scp -r and wget on ssh
Thanks @urban elk
sure thing
learning purposes
nvm, figured it out
guys, could anyone please point out where the mistake is?
The question:
Given the capture file at /tmp/capture.pcap, what tcpdump command will enable you to read from the capture and show the output contents in Hex and ASCII? (Please use best practices when using switches)(https://academy.hackthebox.com/module/81/section/774)
My answer: sudo tcpdump -Xr ~/tmp/capture.pcap
Has anyone successfully used CME in "Using CrackMapExec" instead of just figuring something out with PowerShell without CME? It seems like for whatever reason chisel / pivoting just does not work on the target machine.
Hello guys!! Recently I started the "Malicious Document Analysis" module, I am having big problems to complete the "Analysis of Malicious RTF Files" section, I have problems with the "XORSearch.exe -W c:\temp\agenttesla_rtf.sc" output command of the example
try using cmd over powershell
the ~ is wrong
thank you very much
man thank you very much. But why did that work in cmd and not in PowerShell?
I've been told the > is weird in pwsh.
so weird, thank you very much
Is there an option to reset job role path?
I can send you screenshots of my steps if it helps
Do any of u know how to reverse a Windows installation and retrieve all the files back?
thanks, that was bothering me. Do you have any idea why that worked when my local ftp seemed to fail?
No
Nope
rip
Anyone else having issues dumping the table from sqlmap essentials
because i sure as hell am
Use the --dump flag
What section?
Just finished yesterday
Second question, SMTP module, using the provided resource and nmap enumeration, I cannot find the existing user. Any assistance is appreciated.
adjust the wait time
Why what?
i want to rank up
So work on some of the active boxes and challenges to do that
You're welcome
Is that for me?
Indeed
Thank you. I’ll tinker some more
I'm having trouble with this question in the Pass the Ticket from Linux section of Password Attacks Module:
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
I get this far but I don't get further than this:
svc_workstations@inlanefreight.htb@linux01:/tmp$ sudo su
root@linux01:/tmp# cd ~
root@linux01:~# klist
Ticket cache: FILE:/tmp/krb5cc_647401109_ruz7E5
Default principal: svc_workstations@INLANEFREIGHT.HTB
Valid starting Expires Service principal
12/13/2024 22:41:16 12/14/2024 08:41:16 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 12/14/2024 22:41:16
root@linux01:~# cp /tmp/krb5cc_647401109_ruz7E5 .
root@linux01:~# export KRB5CCNAME=/tmp/krb5cc_647401109_ruz7E5
root@linux01:~# klist
Ticket cache: FILE:/tmp/krb5cc_647401109_ruz7E5
Default principal: svc_workstations@INLANEFREIGHT.HTB
Valid starting Expires Service principal
12/13/2024 22:41:16 12/14/2024 08:41:16 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 12/14/2024 22:41:16
root@linux01:~# smbclient //dc01/julio-k -c ls -no-pass
Enter svc_workstations@INLANEFREIGHT.HTB's password:
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@linux01:~# smbclient //dc01/julio -k -c ls -no-pass
NT_STATUS_ACCESS_DENIED listing *
root@linux01:~# smbclient //dc01/julio.txt -k -c type -no-pass
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
root@linux01:~# smbclient //dc01/juliot -k -c ls -no-pass
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
can someone help me out?
Sorry I know I'm not in the context but which terminal are you using?
I'm root user on the remote linux box. I actually managed to get an smb connection but I still am not able to get it to list the contents of julio.txt
Did you ask ChatGPT? When I'm stuck it helps me a lot to troubleshoot
hi
ChatGPT doesn't work on this module
because it's not free tier so ChatGPT won't allow it
not tier 0 or 1, it's tier 2
Which module is it ?
Password Attacks
the section is Pass the Ticket from Linux
I managed to get an smbclient connection
why can't I type in general?
but I cannot get it to print julio.txt contents
me too, I can't
root@linux01:~# smbclient //dc01/julio/ -k -c
Try "help" to get a list of possible commands.
smb: \> help
? allinfo altname archive backup
blocksize cancel case_sensitive cd chmod
chown close del deltree dir
du echo exit get getfacl
geteas hardlink help history iosize
lcd link lock lowercase ls
l mask md mget mkdir
more mput newer notify open
posix posix_encrypt posix_open posix_mkdir posix_rmdir
posix_unlink posix_whoami print prompt put
pwd q queue quit readlink
rd recurse reget rename reput
rm rmdir showacls setea setmode
scopy stat symlink tar tarmode
timeout translate unlock volume vuid
wdel logon listconnect showconnect tcon
tdis tid utimes logoff ..
!
smb: \> l
NT_STATUS_ACCESS_DENIED listing \*
smb: \> print julio.txt
NT_STATUS_ACCESS_DENIED opening remote file julio.txt
smb: \> ls
NT_STATUS_ACCESS_DENIED listing \*
smb: \> dir
NT_STATUS_ACCESS_DENIED listing \*
Sorry I can't help you, but I hope someone can help you to get rid of it
yeah go to #welcome u need to verify your account
oh thanks for the tip
i got an error when i'm trying to verify my account did you have this problem too ?
nah it worked first try
currently in Shells & Payloads, Page 13, Laudanum, One Webshell to Rule Them All
I've uploaded the shell.aspx (or demo.aspx) file multiple times, even renaming it and uploading without any changes made (not sure if uploading the same file name overwrites the initial file uploaded) at times, removing the ASCII art and comments from the file as suggested in the module as well as leaving them in. I've quadruple checked the IP addresses are all in the proper places but I keep getting "Server Error in '/' Application."
thoughts?
I will try another time
you spelled the share name wrong and you don't have Julio's ticket imported, so it wouldn't work even if you connected
Hello newish to connect the bot anyone able to assist me with a small problem with it?
I know it has something to do with no file or directory. But I don't know how to fix it if it is the problem
If someone is able to help plz just reach out. Ty
you didnt explain the problem
ya but I have connected now
hold on
I'm having some trouble with the command injection module where I can't really figure out how to substitute the | any nudge or hint?
||=127.0.0.1%0a'f'in'd'${IFS}${PATH:0:1}usr${PATH:0:1}share${PATH:0:1}${IFS}||
Long story short I thought it wanted me to put cat /etc/issue but I just did not read it well enough
Advanced Command Obfuscation
oh and this is the section
I'm extremely new so I wish I could help Vader
here the file is not showing up and the name of the file I know I'm supposed to read:
NT_STATUS_NO_SUCH_FILE listing \julio\julio.txt
I also go into julio.txt and find flag.txt. When I use more on flag.txt I get some sort of flag but when I enter the contents of flag.txt in as the answer HTBA says wrong answer.
I'm on this question
Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio.
this is for Pass the Ticket from Linux section of Password Attacks
if someone could help me with this that would be great
can someone help me with this?
try input redirector
What do you mean
<<<
so like this ||%0a%09{ta"i"l,-n,1}<<<$(g"re"p%09mysql)<<<$(g"re"p%09r"oo"t)<<<%09$(f"in"d%09${PATH:0:1}u"s"r${PATH:0:1}s"ha"re${PATH:0:1}||
hard to read but <<< can substitute as a pipe
they show it on the reverse commands part too
have you imported julios ticket?
yes but I don't think that is issue anyways
i see
i just did it
ok cool that's good too
looking at your klist command it says that you are svc_workstations not julio
ok
so log in as julio and connect from there?
yes I can get to julio user on linux box
but when I smbclient into dc01 no matter who I connect as it won't work
ok
in the /tmp folder
ya I tried that using the keytabextract.py script
its not a keytab file, so no need to extract anything
just set the KRB5CCNAME variable
so input redirector aint working
julio@inlanefreight.htb@linux01:/home/svc_workstations@inlanefreight.htb$ klist
klist: Credentials cache permissions incorrect (filename: /tmp/krb5cc_647401109_VLi7AQ)
hold on
ok its still not working
wait a minute
where is the right cache file
just base64 encode/decode it tbh 
way simpler
check who owns it
127.0.0.1%0a'f'in'd'${IFS}${PATH:0:1}usr${PATH:0:1}share${PATH:0:1}${IFS}bash<<<$(base64-d<<<Z3JlcCByb290IHwgZ3JlcCAzMw==)
So like this?
actually
i have a better idea
you can make it a lot shorter
what if i just encoded it in base64 and feed it to bash
Add the IP address of your VM machine (attacking machine) to accepted IP address
I also got stuck on that when I did the module. Don't need to remove anything else
having an issue Shells & Payloads, Page 15, PHP Web Shells
I'm uploading the webshell.php with Burp Suite as my proxy, I change the content type the website expects to image/gif but every time I navigate to the file it opens the git page
you mean in /etc/hosts?
it's just closing out a valid query
the cn part is unimportant
yeah because it's closing out a valid query to filter out extra stuff
play around with the application without injecting it and see how its intended to work
don't use SQLi. Don't enter anything into the search box and hit search. You'll see this returns all the results in the database. After that, you can see the port code column. Try searching for one of those like "cn sha", it'll then only bring up that entry. If you enter "cn" it'll bring up any port code starting with "cn". madf0x is right, you're closing out a valid query and then injecting your own code afterwards. If you remove the cn and just input the injection it'll show you all the results and then your injection happens afterwards.
In the aspx file
Ok thank you. I jumped to the next page and I’m getting owned there too lol
If you have issues with Land you can DM me
I was wondering if I could get a tip with the "Intro to C2 Operations with Sliver" module. I'm at the final question of the skills assessment. I had SYSTEM on DC02, I have earlier done the Active Directory module and I'm confident in how this should look but I cannot make it work. I've gotten to the point where I've ruled out a Sliver skills issue by using RDP as the Domain Admin to get on this server. I've noted that even commands like Get-DomainTrust when run as Domain Admin throw errors about servers not being operational, leaving me wondering if something deeper is going on. I've tried both methods in the "Whole forest takeover" section without any luck.
Any tip on how to bypass the filter to execute command on advanced deserialization attack SA?
Not sure
<@&861185840277487616>
<@&861185840277487616>
How do I not have permission to access a folder I made on my own system and I'm using sudo?
footprinting medium lab, am I just barking up the wrong tree? Are you not meant to mount the NFS?
Show us the permissions of those
apparently you can't cd with sudo
Still trying to get into the folder to look at them
drwx------ 2 nobody nobody 65536 Nov 11 2021 NFS
Where tf does nobody come from and why is it this weird file size
Interesting that I can sudo ls -la /NFS but cannot cd NFS
su root and go there
strange
I guess that means file permissions are not determined by your local machine
Asking again, in SOC Analyst Path, Windows attack and defense module. Where is the passwords.txt file used in the practicals located or does it even exist (there is no resources tab for this module)
it should be on the kali host
Are there any plans to add malware analysts to HTB Academy job paths?
Nothing official, but after CBBH and CPTS got advanced certs people expect CDSA to be next. They already added two defensive modules for that recently, and one is about analyzing malicious documents (PDF, Word, etc.). I assume it is going to continue in that direction
hi, in Server-side Attacks Skills Assessment I found SSRF but file:/// is not working, it says Error (1): Protocol "file" not supported or disabled in libcurl. But then I searched in Chrome and someone did the same thing I did and it worked for him. Can u help me?
Thx for the reply, I guess I'll just wait till the path comes out, since I thought there's too little stuff about RE/Mal
Yea I’m hyped for that too. Reversing is great fun imo
Anyone know why zsh is erroring out like this?
zsh: event not found: mD
put password in ' ' single quotes
nice, thanks
hi guys
can't seem to connect to the mysql server
mysql -u root -h 94.237.49.127
mysql -u root -h 94.237.49.127:47899
even tried that
ahh got the correct command as follows if anyone also faces the same problem
mysql -u root -h 94.237.49.127 -P 47899 -p
I ran into the same problem.. any clue? Seems the DC does not have the trusted root installed or it is expired?
Can someone help me with "Exploiting SSRF" exercise
what you need help with
Exploit the SSRF vulnerability to identify an additional endpoint. Access that endpoint to obtain the flag.
This is the question. I tried enumerating ports and directories but didn't find anything useful
what does your command look like
For directory scanning
ffuf -w /opt/useful/secLists/Discovery/Web-Content/raft-small-words.txt -u http://10.129.176.152/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://10.129.176.152/FUZZ.php&date=2024-01-01" -fr "Not Found"
For port scanning
ffuf -w ./ports.txt -u http://10.129.144.252/index.php -X POST -H "Content-Type: application/x-www-form-urlencoded" -d "dateserver=http://127.0.0.1:FUZZ/&date=2024-01-01" -fr "Failed to connect to"
I also tried using gopherus as port 3306 was open. I used the admin username and the show databases; query and didn't get anything
yeah I read that in the forum also but I gave it a try as this was my only option
okay tyt
In the ADCS module, I am stuck on an error KDC_ERR_PADATA_TYPE_NOSUPP for more than a week. Microsoft explanation is : "Smart card logon is being attempted and the proper certificate cannot be located. This problem can happen because the wrong certification authority (CA) is being queried or the proper CA cannot be contacted in order to get Domain Controller or Domain Controller Authentication certificates for the domain controller. It can also happen when a domain controller doesn't have a certificate installed for smart cards (Domain Controller or Domain Controller Authentication templates)." I see more people with the same problem, but nobody with a solution, can it be that the lab is broken ?
so you only found port 3306 open?
yeah
I tried enumerating all ports also
got two more ports at around the 40k range but I couldn't reach them
you can dm me
sent you a message
Guys, need an answer as for some reason I am not allowed to post in the general chat channel - I am on question 1 of https://tryhackme.com/r/room/cyberkillchainzmt - the answers are correct, I checked them AFTER entering and even tested variants of the answers factoring in British and American English and swapping out & for 'and' in each variant...... Anyone know why the room will not accept the answers?
this isn't TryHackMe, so we can't help you with that
this channel is for HTB Academy modules
Hello anyone doing LDAP injections ?
Why does this payload work: username=*)(description=*&password=*
But this DOESN'T: username=*)(d*=*&password=*
Specifically when I prepend the * with a pattern that I know exists like d* (description), the application returns a negative result
Same goes for this payload:
This returns true : username=htb-stdnt&password=*
While this returns FALSE, when I know that the first letter of the password is A: username=htb-stdnt&password=A*
This CSS looks ugly, probably unintended? It's supposed to have a tickbox next to the text or somewhere inside the container, not below it.
I'm in AD Enum & Attacks > Assessment #2
When ||password spraying with kerbrute|| I get "Can't talk to KDC. Aborting..." but I consistently get that "error" upon discovering valid credentials. Is this a quirk of the situation or am I missing a flag or something?
I think I had skewed results using kerbrute and switched to using a different technique on a compromised host.
Something went wrong
Error Code: 520
Our engineers have been notified and are working to resolve the issue.
Ray ID: ::RAY_ID::
what is wrong guys
am I the only one with this issue?
Can anyone help me on Advanced SQL Injections | Error-Based SQL Injection (https://academy.hackthebox.com/module/188/section/1998)
I have the final URL, however I think my computed hash is wrong somehow?
did you manage to figure it out?
or you ❤️
id:email:hash
||DigestUtils.md5DigestAsHex(("" + user.getId() + ":" + user.getId() + ":" + user.getEmail()).getBytes());
isn't it id:id:email||
Nope, you have the same issue as I had
Did you use jd-gui?
ye
Bruh, how the hell on the footprinting lab hard are you supposed to know there's a MySQL database running on the target? It doesn't show up on nmap and even the walkthrough is literally like "Ok now connect to the MySQL database" having mentioned it zero times before then.
There’s a sql file
What is the name of the security standard for credit card payments that a company must adhere to? (Answer Format: acronym)
Does anyone know what the right answer for this is? I tried PCI and it's incorrect.
Module and section
Module : Penetration Testing Process
Section : Post-Exploitation
Where? And the walkthrough makes no mention of any file. It's literally like 1. Connect via SSH. 2. Connect to the mysql database. It doesn't say anything about finding a file.
It's in the root directory
But you can also see it running if you run netstat -tulpen I assume
Am I misunderstanding what a walkthrough is supposed to be? I thought it's supposed to teach stuff. Instead it just provides the answers without showing any of the process or methodology.
I don’t have access to walkthroughs so couldn’t tell you
I DMed you my code. It still doesn't seem to want to work for me for some reason
not sure what the issue is now
thanks for the help ❤️
Can someone help?
Nvm I got it
When we need to scan udp ports, is there any method that can do it faster?
Connection always gets refused when I attempt to ssh to the target IP "ssh kali@[target ip]" so I haven't been able to connect to the kali host, idk if I am missing something important
hi, could I get a hint on Kerberos Attacks - skills assessment question 3? I can't find a way to enumerate the user that has admin privileges on the machine that has unconstrained delegation, most solutions require Rubeus, but I don't have access to a Windows machine
hello
I am doing the Using CrackMapExec module - Skills Assessment
And I am stuck on the first question
I use
crackmapexec smb 10.129.199.120 -u '' -p '' --rid-brute
SMB 10.129.199.120 445 SQL01 [*] Windows 10 / Server 2019 Build 17763 x64 (name:SQL01) (domain:INLANEFREIGHT.LOCAL) (signing:False) (SMBv1:False)
SMB 10.129.199.120 445 SQL01 [-] INLANEFREIGHT.LOCAL: STATUS_ACCESS_DENIED
SMB 10.129.199.120 445 SQL01 [-] Error creating DCERPC connection: SMB SessionError: code: 0xc0000022 - STATUS_ACCESS_DENIED - {Access Denied} A process has requested access to an object but has not been granted those access rights.
I can't get usernames with --rid-brute
have u tried with netexec?
Hi guys, I'm stuck on this thing, it's very basic but I keep messing up
cd+cat+flag.txt
yes no luck
I'm using a web shell and need to go back a directory and print the flag.txt
sorry, I wasn't much help. Seems the pros are taking a break rn lol, hopefully someone will be with us soon
yeah, i guess so.
dude I just asked my question on #general maybe try asking there
don't have permission to post
go to #welcome and follow the instructions to link your HTB account & discord
If you know the directory, why not just cat that directory? Like cat+/the/path/flag.txt
Genuinely don’t need to url encode here
You can just use phpbash or just print the absolute path of the directory
Thanks ill try that
Thanks
Thank u bro 😂
thanks bro, did that
Hey, just finished the skills assessment for the Shells & Payloads module and I don't understand
In host 1 and 2, how could we get the creds?
Got both creds from the hints..
anyone pls
<@&861185840277487616>
he can/>?
no ofc not 
yes delete the msg
can't be reached
idk why it doesn't work
go here
ty
@wooden mist am sorry for breaking the rule
I'll make sure it won't happen again
Taken care of
🫡
Module (ACL Abuse Tactics): anyone have a hint for me to get this working? Changing syntax, etc. just is not working. I've checked that damundsen is in AD also. There is another password I tried for un w*** also, but nothing works. Even what I'm seeing in the suggestions in archives.
Hi, I've been working through the skills assessment for the injection attacks module which is part of the senior web tester path, I was hoping someone could help me out. I don't want to give too much away but I'm able to access the target system and have identified what the vulnerability is but can't seem to get anything to work with exploiting it, I must have read the data exfil section about 5 times but the app just isn't responding how I'm expecting. I'm happy to drop anyone a PM with more info etc
Hi guys, I'm on the SQLi skills assessment and could use some tips
Hard to help you with little info my guy
its okay, I dm'd vader they helped me
for now
This is a bad habit I see you have. You ask for help with very little context/what you may have tried. Asking in a better way will get people more likely to respond.
sorry, I'll keep that in mind going forward. Thank you for letting me know 🙂
I have several links in my bio about asking better questions and such if you wanna take the time to read them
I'll check them out once I'm a little more free.
SOLVED ISSUE now it really makes sense what is happening...
anyone plzzz
if the question doesn't say to SSH/RDP to kali, then you don't have access to kali
Hello anyone doing LDAP injections ?
Why does this payload work: username=*)(description=*&password=*
But this DOESN'T : username=*)(d*=*&password=*
Specifically when I prepend the * with a pattern that I know exists like d* (description), the application returns a negative result
Same goes for this payload:
This returns true : username=htb-stdnt&password=*
While this returns FALSE, when I know that the first letter of the password is A: username=htb-stdnt&password=A*
Because you can't wildcard a variable name
Also you can't partially wildcard
okay this makes sense, but what about the password ? In the module it is instructed : We can now brute-force the password character-by-character by injecting substring search filters. We can start with the first character by setting the password to a*
Ah
A* and a* are different, case sensitivity
Different fields can define how sub string search works on them or if it works on them at all
And yea I don’t think wildcard works on field names?
It shouldn't afaik
okay thx @fathom pendant @tranquil axle much appreciated
No thats not it I ran it through a script on all printable ascii
and tried it manually as well
You sure the field is called password then? Sounds like you are doing the right thing
Is your & valid syntax?
That's the payload from the module : (&(uid=htb-stdnt)(password=p@*)) there is no field required, it's a direct injection into the password parameter
username=admin&password=a*
Shouldn’t it be &(username=admin)(password=a*)?
No look, I'll send a pic of what I mean
It's as simple as this, but it's not working in my case, the password is given and I tried it manually
Ah, okay you pass it via url Parameters
The problem is when I use an * alone it works, however when I prepend it with the first password characters it returns false. So I guess this will stay a mystery
hi. I'm new on HTB and I'm trying to get into a windows machine through the online HTB parrot os machine. if I navigate to the link they provide I end up in the elastic web, how do I get the windows machine?
in Attacking Common Applications - Skills Assessment I
this url works
/url/path/to/*somefile.some_extension*?&dir+C:\Users\Administrator\Desktop\flag.txt
and displays that the file exists, however if I simply change dir to type it doesn't display anything.
Well, is the task to mess with elastic or to do something else. Rdp may work for the ip
did you try rdp for the ip
I don't know how to rdp bc I'm new on htb 😦
Then you should start with fundamentals
^^ preach sistah
It's nothing to do with being "new on htb"
There's a windows fundamentals course on htb academy, maybe do that first
i'll check it then
There's also the "introduction to academy" module i believe
my main pc is using linux, i assume that has nothing to do with rdp on the academy machine right?
Correct
hi all
Module - Using Web Proxies
Task - Intercepting Responses
My Problem -> I turned on the setting he mentioned through the application, but I cannot view the source code.
I can't see the response page
Hi guys, I'm currently on the 'Information Gathering - Web Edition'
I'm stuck on the question - Which domain is returned when querying the PTR record for 134.209.24.248?
When I use 'dig PTR <IP ADDRESS>' in the kali terminal, it doesn't show the domain that is returned. I've used a DNS query in a google search which has given me the answer I need. Has anyone had issues where the domain doesn't show in the terminal?
Try dig -x <IP>, or nslookup <IP>
nslookup works but the question specifically says to query the PTR record
so is dig PTR <IP> not the answer?
That's what the -x flag is for.
nslookup worked for me as well so I included it too.
Good evening, I wanted to know if someone can help me with the file transfer module, file transfer with Windows, I'm with the base64 part that explains examples and other things with the terminal, but I don't know if I have to download something or I don't know how to be able to execute and so on.
you don't download anything. you are converting the file into a base64 string, then you can simply copy the string to your clipboard and paste it into the other machine, and then decode it there
On "Attacking Active Directory & NTDS.dit" with the question :
On an engagement you have gone on several social media sites and found the Inlanefreight employee names: John Marston IT Director, Carol Johnson Financial Controller and Jennifer Stapleton Logistics Manager. You decide to use these names to conduct your password attacks against the target domain controller. Submit John Marston's credentials as the answer. (Format: username:password, Case-Sensitive)
I have created a user.list using the provided firstname/lastname with the tool username-anarchy
i used ||crackmapexec smb 10.129.202.85 -u user.txt -p password.list||
and i got nothing, any help ?
Hi, I'm on the File module of the CPTS (penetration path). Everything is working correctly except for the WebDAV part. It's rare, but I have no clue why.
Did you try the mutated password list?
try the wordlist https://github.com/drtychai/wordlists/blob/master/fasttrack.txt
Do a Test-NetConnection -Port 80 10.10.15.98
Also try pip upgrading to see if an upgrade is available, unless you just installed it
Yeah, I know I can access the webserver. Therefore, I don't see the problem.
🤷♂️
I would try googling at this point
honestly for RDP, do xfreerdp3 ... +drive:share,./
sorry
it's because you are running the server on port 80. when you do the dir command it connects over SMB which doesn't run on port 80 by default.
you can see it if you access the IP in a browser instead of using SMB
So in theory I paste it on a clipboard?
yes
In any case, is there anything to be installed or used in that module to keep in mind?
you encode the file to base64, copy the base64 code into your clipboard, then paste it somewhere else, then decode it with base64 decoding
not really i believe both windows and kali/parrot have built-in commands that can decode/encode base64
Oh well, I understand. I'll keep an eye on it as I go along, because I'm new and all that, so I'm just starting out.
So, I'm supposed to launch the server on port 445? I'm doing this, but still no result. I can see the webserver, but the exercise is to use SMB over http with webdav. I truly have the impression I'm not understanding this protocol and there isn't much info on the web about WebDAV.
From what I understood, Windows is supposed to use http to transmit the file over SMB.
Linux Privilege Escalation
Logrotate
So I did chmod on the logrotten and payload files, transferred them via scp and so on.
Problem came when I tried to run the logrotten and I got this error.
htb-student@ubuntu:~$ ./logrotten -p ./payload /tmp/tmp.log
./logrotten: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by ./logrotten)
I tried to transfer via scp an ubuntu libc package like: libc6_2.40-1ubuntu3_amd64.deb
Problem is that I can't dpkg it, as it requires superuser privs.
Any hints?
look for another way
well, the section explains that it will first attempt on the smb protocol and if that doesn't work it'll try over http, and webdav is running http. webdav won't work on smb, has to be http. i'm not really sure why it's not working (it doesn't work for me either), you'd probably have to open up wireshark and see if it's even attempting to connect over port 80 after smb fails. idk if the module is wrong or i just don't know enough about it to tell you why it doesn't work.
anyway I will pass, thx. Yeah, maybe it's just not trying to connect to http after failing on SMB.
chatgpt says it doesn't inherently try http if smb fails, it must explicitly be set up. but idk if that's accurate at all.
hi, I'm new, I wanna ask how can I keep the data when I boot my VM on VirtualBox, it keeps losing so every time that I reboot I cannot set up
Remove the install media, that's more than likely the culprit.
are you using a live version of kali?
yep
that's why
do we have ASP.net core webshells?
cuz from what I see, aspx shells don't work
the install media in the VM or in my kali? like, it's like a loop, I boot my VM, install parrot (which was combined in version HTB) and when it's done, I reboot and I lost all
Are you running Kali native?
Also yes the install media in vm
yep
You said the "issue" was virtualbox so yes I'm referring to the vbox 'media' it's due to a boot issue order
ok, thanks, I'm gonna try rn
is it not vulnerable to file inclusion?
hi I'm on the last question of PTT from Linux section of Password Attacks Module
I ran linikatz
and tried exporting this file as KRB5CCNAME variable
That's not a ccache
KRB5CCNAME; Kerberos 5 CCache Name
Don't post spoilers
I've been having trouble spawning targets throughout the AD enum & attacks academy module. I either click on it, it buffers and doesn't do anything, or says spawning targets... then snaps back to its original state saying 'click here'
Shells & Payloads, Page 16, The Live Engagement: I've spent a few hours trying to use credentials I found trying to gain a shell and answer question 2. I finally peeked at the walkthrough and it doesn't explain how I could've gotten the password, rather it refers to the hint that provided the username and password. My question is, could the password have been found/cracked without looking at the hint ever?
was it not in the home folder of your user?
I don't quite understand, my brain is a bit fried, I'm very new at all of this. I am currently in the provided foothold linux machine, are you saying there may be credentials in the foothold?
htb-student@skills-foothold]─[/home]
└──╼ $ls -ls
total 0
0 drwxr-xr-x 1 administrator administrator 462 Oct 28 2022 administrator
0 drwxr-xr-x 1 htb-student htb-student 796 Dec 14 19:00 htb-student
if you're asking about when i'm in smb using tomcat without a password, if i navigate to the Public or Default folders, there is no home folder
/home is where all users' main directories sit (where your pictures, documents, downloads, etc. live), tlattice was suggesting you check the one specifically for the user you're on the system as, /home/htb-student, similar to when you're on windows and you want to check your home directory c:\users\jsp0511\
is that what i pasted above?
no, you're looking at /home not /home/htb-student/
use cd ~
[htb-student@skills-foothold]─[~]
└──╼ $ls
combined_creds.txt Downloads Music thinclient_drives
core hydra_creds.txt Pictures usernames.txt
Desktop hydra.restore Public Videos
Documents hydra_results.txt Templates
none of those txt files were there when i started
i've been in this folder much of the time
It's on the desktop
lmao i think i need to go for a walk. they were right there on the desktop the entire time
Yep
If you search the discord you'll see plenty of similar questions on it
Expensive??
Lol
yea just a lot of time wasted wow lol
Lol ok
my brain can't decipher when the modules are going to go easy on me
thank you, i'm glad i asked i just couldn't fathom why the walkthrough would be like "yea so in the hint". there are no hints on the exam, i assume
Nope
The walkthrough isn't really there to explain anything
It's just to show you a path to the goal
it typically does enough to help me understand where i went wrong or if i was warm
It's assuming you read the hints from the section before you went to the walkthrough
i'm really trying not to read the hints lol
Well... if you're digging into the walkthrough
cshtml?
I tried it, but doesn't seem to work
¯\_(ツ)_/¯
i googled asp webshell and it was on the first hit
core?
not framework?
not antak?
idk but does asp core even allow non registered views to be rendered? the thing doesn't even have a 404 error page lol
Hi guys, I'm trying to do an idor fuzz on the following website, is the following correct? As I'm always getting status 200 and the same size
doesn't look right, you're not iterating through different endpoints with your get request, i'm guessing that's what you want to do
@pine dune what module is that?
after the "/data" there is the number where I added the numbers
its not a module but the box is related to idor i believe
#boxes is where to ask
ok I'll ask there
For an hour now this has been happening, buffer then snap back to "Click here to spawn the target system!"
press ctrl + shift + r and try again
Same thing, I've refreshed the page numerous times
you refreshed it the way i described?
Yes
try another browser or reach out to support on the site probably
Not even chrome is working...
this is also happening to me, i reached out to support but could be a while before it gets resolved because its the weekend
It appears to only affect the active directory enumeration and attacks module
Haha, classic! Yea I've tried everything: restarting, dif browsers, refreshing. At least I now know it's on their end. I opened a ticket as well
Did you try a different vpn?
Good suggestion, but unfortunately still doesn't work :/
facing same issue.
The module is indeed down, so there's nothing else to do but wait.
same
Hello, I was doing the Command Injection Skill Assessment module and when I tried to inject a command I managed to arrive here (cf image).
Just wondering is that normal to be able to read the config.php file for this module ?
apache can be configured to see directory listings, so yeah they probably set that option
also cannot re-set my target
interestingly I can't get any windows VM to spawn, but linux seems to be working fine
looks like module machines are down
guess this means i have no choice but to play vidya 😦
I have started the "Introduction to Windows Evasion Techniques" module and the introduction talks about 2 VMs, evasion-dev and evasion-target. I spun up evasion-dev in the introduction section but when I spun up the target on the second or third section it closed evasion-dev. Is that how it is supposed to be? How can I run evasion-dev and evasion-target at the same time, since starting one closes the other?
I can't start the target system for this module section
https://academy.hackthebox.com/module/158/section/1434
oh everyone is having the same problem..
Yes confirmed, I'm having a dig in to logs and we have alerted the team
Yeah you basically have to use the dev machine to create payloads, move them to your VM, terminate dev, spin up the target, and then check your payloads on target. If they don't work start over with dev again. Or you can work stuff on a personal dev vm.
in the skills assessment 2 of attacking common applications, I got a reverse shell but cannot find a "flag.txt" file anywhere.
even when I run find / -type f -name "flag.txt" 2>/dev/null -exec cat {} \;
my shell is meterpreter so I even tried search -f "flag.txt" and still nothing.
never mind found it.
I had to privesc which they did not mention anywhere lol.
Hello, In the Skill Assessment of the SQLMap Essentials module, dumping any kind of data from the DB is quite slow. Is it something inherent to time-based sqli? Or is there a way to dump faster?
That’s inherent to time based attacks and amplified by a slow/bad connection. Try to dump exactly what you need instead of dumping everything
OK thanks :). Thankfully htb tells where to find the flag so I didn't have to wait half a day to complete the SA
I think another problem is that sqlmap searches for time based vulns before it does some of the others
So there might be a fast path but sqlmap gets stuck on the slow one
Idk if that applies to this case though
I don't think it does but it is good to know. I will try without time based, just in case
Thank you for replying to my queries, but then I am back to square one where there is no passwords.txt in the kali vm, so I am unable to find the answer
what is the section name and question you are trying to answer?
Module: Windows Attack & Defense, Section: Kerberoasting, Question: Connect to the target and perform a Kerberoasting attack. What is the password for the svc-iam user? The walkthrough is simple enough, the only issue I am having is the passwords.txt/rockyou.txt file not existing in the machine, so I am unable to crack the password
probably will have to crack the hash on your own VM
no, just on your own VM since password cracking is offline
maybe you can RDP to kali from WS001
but easiest way is to copy the ticket and just crack it offline with hashcat on your own VM
Is there any compensation for an annual gold subscription purchased recently before the offer announcement? Like a three month extension. It would be good if so.
file upload - white list bypass
Each character has a specific use case that may trick the web application to misinterpret the file extension. For example, (shell.php%00.jpg) works with PHP servers with version 5.X or earlier, as it causes the PHP web server to end the file name after the (%00), and store it as (shell.php), while still passing the whitelist. The same may be used with web applications hosted on a Windows server by injecting a colon (:) before the allowed file extension (e.g. shell.aspx:.jpg), which should also write the file as (shell.aspx). Similarly, each of the other characters has a use case that may allow us to upload a PHP script while bypassing the type validation test.
tried the windows one, it saved it as .jpg
If you have purchased a gold annual subscription shortly before the announcement, please contact support. Perhaps they can do something for you.
Where are you looking for the file mate? I recently did that section and it was in the home directory
I've got this trying to do kerberoasting:
[-] CCache file is not found. Skipping…
[-] Kerberos SessionError: KRB_AP_ERR_SKEW(Clock skew too great)
it's like I cannot do kerberoasting, I don't understand.
The time from your machine and the time from the DC are not the same.
Did you spawn the Kali Linux Target from the "Coercing Attacks & Unconstrained Delegation" section of the same module to connect by RDP?
I understand, but the thing is, to be able to complete that section (and the next one I think) you need to access the Kali Linux Target too, aside from the WS01 Windows one. The problem is that in that section there is no option to spawn the kali linux target, only the windows one, so you need to spawn it from that section
Thanks
no problem, let me know how it went
great, most of the times i get stuck is for things like that, its annoying tbh
facing this problem since yesterday. tried another vpn file. refreshed the target 3 times, still ....
Try password in single quotes
And you don’t need sudo for rdp
am i the only one still facing machine problem?
https://academy.hackthebox.com/module/158/section/1434 the machine becomes unresponsive once I transfer a file or ssh in
Still same issue @analog dock
Gg
ya we have the same issue here
I managed to rdp in but got disconnected after a sec
its slow ....
I'm doing the network attacks section of the password attacks module, question about SMB. I've found the users for all of the other questions but crackmapexec has been running for ~2 hours now and it's still not even halfway to finishing, is there something different required for the last one? or do I just need to wait a few more hours
The password list shouldn’t take 2 hours
man, did you solve the question? I am stuck on that