#modules
can't get the zip file to crack into the pwnbox... any advice?
If you complete the path you will enroll in, I believe there will be a "cert" given
Did you change the academy email into the .edu one?
Have you tried uploading it somewhere publicly accessible? Or downloading it straight from the browser?
Thanks 👍
I'm at File Upload Skills Assessment, but guess doing something wrong - have created a list of allowed mime types and file extensions, but using them ends with error 500. Anyone?
Yes but still nothing
Maybe you need to verify it? Or you could contact support. As far as I can remember the process was as easy as changing the email
Yeah makes sense to just log in directly in the PWNbox or open up a python http server and wget it
Either way this module is dumb 😂 don’t take it personally if the author of the module is here but I found the area of hacking I’m not interested in as much as others 😂
Things are dumb if you're not interested in it. Epic
Hi, I just started the Intro to network traffic analysis module and I'm stuck at the second page (Networking primer - Layers 1-4). I answered all the questions but the 4th one, What addressing mechanism is used at the Link Layer of the TCP/IP model? (hint: Its not IP. Write it as singular not plural.): the module, under the section Addressing Mechanisms, states that the addressing mechanism used in the Link Layer is MAC-addressing but I'm having trouble finding the right answer.
Could someone tell me if I'm missing some information or it's just a format problem, thanks in advance.
well, guess that's it because I'm close to toss my PC through the window
well there are other Address Resolution Protocols out there maybe you should search them up and see if that could work
Ok, I'll try, thanks for the help ʕ •ᴥ•ʔ
no problem
i need help with web attacks skill assessment
if you haven't yeeted your PC through the window and still need help with the Skills Assessment dm me
if still you need help shoot me a dm (fat finger)
when you're making a python http server on pwnbox it just says connected on http://0.0.0.0:80/ this is a problem... any help troubleshooting? trying to move a zip file over to crack
Hi, i'm stuck at module Using metasploit framework, Exploit the Apache Druid service and find the flag.txt file. Submit the contents of this file as the answer., i think i'm doing it correctly, setting RHOSTS and LHOST, but says target not exploitable and won't return the shell.
which section is this
if you are trying to move file from target machine to your pwnbox how can make the python http server on your pwnbox do it
yeah i solved it. just logged into academy in the pwnbox
now i'm trying to run the 7z2john.py script and it keeps saying syntax error xD
Section is "payloads"
oh yeah i remember that download a new 7z2john.py or download it to your local vm and extract the hash there
It seems pretty straightforward but i keep getting that the target is not vulnerable
dm me i'll help you troubleshoot
so this one doesn't actually need hashcat at all?
no it still needs hashcat, you just can't extract the hash with the existing 7z2john so download a new one
getting the same problem when i download the script from github
clearly user(me) error
any tips? (this is the 7z2john.py script, i downloaded it from github on my vm)
it's just not named that xD
no not that file extract that file and use the tool to extract the file inside it
that's .zip not .7z
but i also can't extract the .7z file in my kali for some reason so if you also can't try this it work for me https://hashes.com/en/johntheripper/zip2john
Extract hashes from encrypted .zip or .rar or .7z files
this is like what we were talking about earlier
i know what i need to do but some issue with pwnbox is stopping it working properly
derp... got that unzipped. getting same error now with the extracted file

Try the steps here: https://academy.hackthebox.com/vpn for the Academy VPN. Sharing the error message would also help.
ty
oh i mean upload the extracted file to that website to extract the hash
hi man, i'm stuck in "AD Enumeration & Attacks - Skills Assessment Part II" at the question "Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain." , i have a session on MS01 but when i use DomainPasswordSpray.ps1 it doesn't find anything, it is stuck and doesn't run (i have already corrected the powershell script)..... can anyone help me please??
ah yeah
ok i've got that NOW i mess around with it in hashcat xD
Hi I'm the last part of Skills Assessment - File Inclusion
I'm struggling to|| execute the log poisoning on the admin panel, I'm able to inject my user agent and view it through the nginx logs, but once I inject the php shell I can't get it to execute commands like &cmd=id || Any tips?
hello everyone, anyone who had completed XSS room?
dm
You should be able to do a credentialed enumeration to pull a valid user list and then perform your spray from the attack box rather than from the windows host. this can be done using ||kerbrute|| or ||crackmapexec||
Any help on AD Enum and Attacks - Assessment Part II for how to get Administrator flag on MS01? I got into a rabbit hole of trying ||printnightmare|| but couldn't get it working.
hello
i got error using waybackurls command
could anyone help me
bash: waybackurls: command not found
@rapid pine i might be able to help
thank you , solved
Hey everyone, I'm looking for some direction on the xss phishing module.
Issue 1.
Payload: I use the provided JavaScript between <script> tags.
Results in this: HTB phishing https://imgur.com/a/5YCkwbx
Which does not seem correct.
Do I need to find a different payload?
Also when running netcat on port 80, the workstation keeps telling me the port is already in use. Though I have not played around with it much due to wanting to get past the code issue first.
Any guidance would be appreciated
Tried another payload with similar results; JavaScript: document.write....
Hey people I got an issue with the final skill assessment in Using Web Proxies Module. Last task. I've set up a proxy inside the Metasploit (set PROXIES HTTP:127.0.0.1:8080) and yet Burpsuite is not catching the requests sent via auxiliary/scanner/http/coldfusion_locale_traversal. Can someone tell what am I missing?
Ok I got this.
Try to Google setting up metasploit to proxy through burp. I forget exactly what I had to do but the answer wasn't in the module / didn't work. @surreal marsh
I got it 🙂 Let's just say it wasn't a proxy issue. But thanks for help !
Hello! I'm currently working on the privilege escalation problem in the "Getting Started Module". I'm stuck on the second part where the prompt is " Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'." Whenever I try the "chmod 600" command it says "Operation not permitted". I don't know how to get around it. Any help would be greatly appreciated.
Anyone around that could help give me a nudge on the Footprinting Lab - Hard module. Always remember to scan UDP.
does anyone know how to solve this error
downloaded vpn key from info gathering module then tried using openvpn academy.ovpn
Try sudo openvpn other.ovpn
np, glad it helped
@opaque badger try running as sudo maybe
@west canopy Sudo requires the password for the user2 which I don’t have because I acquired shell through a vulnerability under user1. And user1 doesn’t have permission even with sudo
Thanks tho
@opaque badger wait did you copy the id_rsa file to your own machine?
hey
i just finished all the paths in thm
and i would like to know in what order i should take the paths in hackthebox to learn the most out of them
Take a look at this path. To start probably exactly the right thing:
https://academy.hackthebox.com/path/preview/information-security-foundations
ok ty
i want to do specifically pentesting
start with Basic Toolset path imo
does the jr pentesting path cover that or should i take that before jr pentesting
I'm not sure, i think there is some overlap between some of the paths
ok ty
any one finish the academy module foot printing. On the last 2 questions of the IMAP/POP3 section. What is the admin email address? and Try to access the emails on the IMAP server and submit the flag as the answer. Not sure how to find the admin email and could use a tip on finding the flag.
Need a hint on Attacking Common Services - Attacking SQL Databases. Logged in to the mssql server with the given creds but running any command gives me no output
nvm figured it out
Need some hints for question Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host on final assessment 2 in the module Active Directory Enum and Attack .
@white crater did you find the credentials for ||mssqlsvc?||
Yes, can I dm you with what I have currently, i dont want to spoil it for others
sure
thanks
Ok nevermind finally figured it out
Hi! Can I dm someone for the blacklist filters section in the File Upload Attack? I’m running out of ideas, despite of having several not blacklisted extension, I haven’t found any that executes php code
So I could use a little help on the Network Traffic Analysis in Intro to Networking. I'm looking through the pcap file, but I am not finding anything even resembling an employee name.
Thank you mate, I didn't even use hashcat after found this. hash.raw | cut -d ':' -f4 then crackstation
yeah that what i tell that guy to use, i can't even remember what section that was
try ||.phar|| but use a .png extension when you upload and change it in burp
hi! I am working on the hashcat module, trying to pass first question in last section (Wireless cracking) . I used the ./cap2hccapx.bin to get the hash, it looks fine on output. However, I got error when I used hash cat to crack it. I think it somehow went wrong. can anyone help me? thanks !
�b...*1y�J�A�А�c��&O�"s^'��PvB��y): Separator unmatched => i got something like this
read the hash if it look fine then use hashid -jm hash to see what hashcat syntax you need you use of if look F use hcxpcapngtool
yep use hcxpcapngtool (cap file) -o (output hash file)
nice
which section are you in ?
i think he is in the Packet Inception, Dissecting Network Traffic With Wireshark section
use the given cred to login via ssh and use one of the username on that machine to answer the question (pretty that's the wrong way)
Anyone else having VPN issues today? Mine keeps timing out, before anyone says, yes used openvpn before and the connection pack from here before and yes tried downloading a fresh connection pack.
Thanks a lot, I guess I was missing some extensions in my list
if "Packet Inception, Dissecting Network Traffic With Wireshark "is the section you stuck in, I can try to help you. First, wait until a lot of http and ftp packets be captured. Second, try to find out the process that the user try to change the password. Finally, you can find the bad guy.
on "Pivoting, Tunneling, and Port Forwarding" the part "Web Server Pivoting with Rpivot" im stuck on the last question "Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer." i have done it but still cant see the web page i even scanned with nmap and its not open etc... any help?
i solved it
hey guys, anyone manage to get dcsync to work for khartsfield on AD attacks module, probably doing something daft but can't get to work..
@wind plaza @vital adder Part of my issue is that I can't get NoMachine to connect, nor ssh. I keep getting 'No Route to Host' errors. I am connected to the Academy VPN, though. I'm assuming I need fresh packets, not the stuff in the lab resources.
Need a nudge for Attacking Common Services - Attacking SQL Databases. I am logged in as mssqlsvc. Tried impersonating existing users but do not get any users I can impersonate. Also, tried to find communicate with other databases but does not look like there is one to communicate with.
use the method show in ||Capture MSSQL Service Hash||
after you start your target machine try to scan port 22 on that machine if it's open you can login with the given cred but if you can connect for even interact with that target machine at all i think there is an issue with your vpn
Hmm. Okay. I've tried refreshing my VPN several times, though. May be a ticket to support.
oh btw can use check what openvpn version are you using
OpenVPN 2.5.7 x86_64-pc-linux-gnu
oh good there is no issue with this version if there is an issue with your vpn contact support
I need a little help at the File Upload Attack - Skills Assessment module, I found the upload location when I read the code, successfully uploaded the file, but I can't find the file I uploaded, the path is as I understand. then the files will be changed to YMD_filename.extension format and saved in ||/user_feedback_submissions/||
For example: ||http://IP/user_feedback_submissions/20220723_shell.phar.jpeg|| , am I missing something ?
Hi i am new to HTB academy - i am facing problem with the CRACKING PASSWORDS WITH HASHCAT module.
I am having trouble with this question:
Identify the following hash: $S$D34783772bRXEx1aCsvY.bqgaaSu75XmVlKrW9Du8IQlvxHlmzLc.
I have tried Drupal7 but it just wont give me right.
use just the last 2 digits of the year
thank you, i tried and got the flag
try submit the full name that hashid output include the ||>||
jeeze appreciate that a lot.. Thanks 🙏
could anyone help me with this
module=information gathering
section=active subdomain enumeration
question number=4
crackmapexec smb 10.129.32.8 --port 139 -u jason -p pws.list ???
sure that would work
on port 445 not work
@vital adder Okay, I finally got connected and was able to run Wireshark to capture. I found a HTTP Stream for forgot password, but still am struggling to find the employee name. Am I at least looking in the right spot?
there are requests for other pages around that one, one of them contains the right username
Cool, thanks
np
Hi, in the module Stack-Based Buffer Overflows on Windows x86, the section Finding a Return Instruction ask for searching a pattern
The address I found several times doesn't count as an answer, I'm missing something?
wait i forgot don't use the --port
ok, but not work.
dm me your crackmapexec command
what do you need help with?
Hi, i'm doing module "Password Attacks" in section password mutations, doing a mutation from the original wordlist with the rule they provide i get a 93000 password dictionary, i'm not getting any hit with hydra as it is so slow, any recommendation?
@vapid grove i ended up just attacking ||ftp instead of ssh and cranked up the threads in Hydra||
you mean attacking the ftp service with the same user and so?
yep
just because you can put more threads on it or?
Hello everyone,
I need some help on a question from Hacking Wordpress - Skills Assessment.
Got all answers, except one : "Use a vulnerable plugin to download a file containing a flag value via an unauthenticated file download."
Just saying "a file" seems too large for me.
Can someone who already did this module help me ?
Thanks.
Would someone be able to help me with Footprinting Lab-easy? I am struggling to understand how I can find the username and password on my own without using the hint info.
Do a scan with wpscan including token. Then the vulnerabilities will be shown to you.
Scan for all ports and look closely at the output. Is there a port that you didn't expect to see? Take a closer look at it.
You need to find all the zones.
Thank you. Already did that and not managed to find a working vuln for a file download.
got my answer. anyways tnx for the hint mate
Hey, could i DM somebody on SQLMap Essentials on Final Examination.
I have found an injection point but SQLMap is not returning the final_flag in a right format :S
general question about wpscan and wordpress. if you are enumerating a site and you find a readme.txt of a plugin but wpscan says it doesnt find the actual plugin, should you reach the conclusion that the plugin is actually present but the scan doesnt see it? would there be a situation where you would find a readme.txt of a plugin that is not present on the site?
@devout cliff it would depend on if there is anything in the /wp-content/plugins or theme directories
i believe
like for instance if there was /wp-content/plugins/PLUGIN-NAME/readme.txt present could you assume the plugin is there? because i am finding a lot of readmes but for some reason wpscan is saying no plugins are present
im going to run the scan again but its very odd
if there aren't any php files then i wouldn't think its active
present but not active on the website
DM me
Aside from the obvious ones in the CBBH path, what modules have you all done that seemed interesting from a bug bounty point of view?
+ Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
Please any help with this ? i openssl 'ed to the IMAP mail server but i can't login with the credentials HTB provided
Try using a mail client of your choice.
```
└─$ telnet 10.129.166.252 143
Trying 10.129.166.252...
Connected to 10.129.166.252.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ STARTTLS LOGINDISABLED] HTB{roncfbw7iszerd7shni7jr2343zhrj}
LOGIN robin robin
LOGIN BAD First parameter in line is IMAP's command tag, not the command name. Add that before the command, like: a login user pass
```
Do you understand this output
```
LOGIN BAD First parameter in line is IMAP's command tag, not the command name. Add that before the command, like: a login user pass
```
@summer lava try doing ||tag login robin robin||
Hey bro, you just saved my ass ... thank you so much
Bro, just logged but having difficulties in fetching the messages
sec i will DM
Hello guys can someone help me on getting started module section public exploits
I used metasploit but keep saying completed without anything happened can someone help me?
Hopefully someone can assist me
Yes i do
Its a wordpress page with plugin 2.7.10
I get one config file to show up but the file is invalid
answer doesn't accept file
could someone hint me towards the right answer?
@quasi wave What are you trying to do with the file?
I need to find the right file so I can type its name in answer box
but I want to really learn and not just have someone give me the answer
thanks btw
I just wanted to clarify my inquiry
queuemark you already have your answer in that terminal window
yes I know but I type the name of the file in the answer box and it won't accept it
it will say incorrect
Are you typing the path or the file?
🙂
Don’t feel bad bro, I’ve been there a ton myself lol
I know
I know
brainfart
I mean this stuff is going well btw I just am doing TryHackMe and Hack the Box academy concurrently
I think as a combination it goes quite nicely
will the bug bounty learning path be enough for me to learn to make real money doing bug bounties?
I just thought I would ask
That’s a complicated question, but I’d say yes and no.
Yes in that it gives you the tools for sure, but no in the sense that bug bounties, especially public ones, require quite a bit of time to find bugs, even for seasoned hunters. I don’t know everything, for sure, but I’ve got a few bounties and what worked for me was combining THM, HTB-Academy, and not cheating on boxes in the actual HTB.
It does depend on the person for sure. Not to discourage you, though, I think anyone could do it, just takes a lot of work.
is pentesterlab an ideal place to learn after I complete the bug bounty path?
or is it not necessary
I’ve never tried it, but it’s worth a look for sure!
ok
once I complete THM and HTB Academy, aside from the real HTB, where else should I work on my skills?
thanks btw
would you say that doing HTB and Pentesterlab is practical at that point?
I'm looking for learn more advanced skills and get some repetition in
the idea is to get as good as possible in two or three years
etc
You could try an actual public bounty board, like HackerOne or Bugcrowd.
I’d say yeah, that’s the practical stuff you’re looking for. Someone more experienced than me likely can also point you in some good directions too. That’s what I love about this stuff is that you’re always learning, and you can stay humble with the vast amount of stuff there is to know.
I would just be careful on real targets because they will definitely come after you if you accidentally bring a server down, so go nuts on HTB and pen tester lab and learn there. Also look up which tools can cause problems with servers, because that’s the last thing you want is to be on the line for stuff like that.
right
pentesterlab teaches web penetration testing without tools
it teaches basic through mega advanced
it teaches you to do everything manually
lol
Oh that’s neat. Sounds super tedious but I’d be down to learn more about not being so tool reliant
ya
but I think getting through the bug bounty path will be the step I take before pentesterlab
I mean and getting through all the THM paths
because ideally I need to learn as much as possible
I'm just absorbing stuff
It’s great training, for sure. Save the cheat sheets too bc they are good references. I keep them saved so that I don’t have to waste bandwidth trying to remember the ins and outs of every single tool.
I ideally want to be a good bug hunter and/or web penetration tester
but ya good idea
I think that going through multiple trainings is ideal in my case because I want to gain as much skills as possible before I graduate in 2 and a half years
Yeah I feel you dude. You’re def in the right place for a goal like that!
maybe in the next three years ya
Also another tip is don’t shy away from the blue team stuff. I did that starting out and my reports were horrible, but the more I’m learning now the better my reports are becoming. A good report can make the difference in how fast the bug gets fixed and how the interaction with the client goes.
I feel ya
ya I mean I definitely will take cyber defense learning path on THM when I get to it
I for sure should do some defensive security courses
its a good idea
what is a good amount of money to expect to make on a first bounty
let's say I'm starting off
like once I get through bug bounty learning path in HTB Academy
is it possible to complete all of THM learning paths and HTB Academy in 6 months?
if I focus hard on it?
and put in a lot of time and effort?
well i have never used THM but you can definitely get thru the bug bounty path in 6 months
I want to get through bug bounty path and jr pentester path tho am right now I am doing Linux Fundamentals and I need to do prerequisite paths
when I get stuck on HTB Academy for a while I transition to THM and vice versa
so ya
then once I meet this goal I will decide next goal
Oh you can def get through it in 6 months.
sorry for the late response but i think you could complete 7 of the thm path in about 3-4 months (if you are grinding), i didn't complete the last Cyber Defense one so i can't say how long it will be
but don't jump right into the offensive or defensive path do the beginner and fundamentals path first
I know I already completed PreSec and I am doing web fundamentals path
nice
People tell me I will get burnt out but I don’t think that’s the case
I’m aiming to build penetration testing skills quickly
So once I complete THM and HTB Academy I will move onto Pentesterlab and HTB VIP
In order to get more advanced skills
yeah i first started i was think the same as you but after 400 thm room you have to be careful of burnt out
My sincerest apology to you/mods/each and everyone of you who received the invite link or got spammed every section of this server, my account got hacked !
Idk what is happening....its literally getting spammed almost everywhere..i got phished!!
With the same server link , im trying my best to mitigate the issue...it just happened unknowingly.
I strongly suggest not to click join or verify yourself via any method , its a new kind of social engineering or phishing attack named token loggers . Im not the one who created this sh*t ! This is spreading everywhere!!! my friends account are also getting compromised.... I got this sent by one of my friends, if you click join n verify yourself your account will also get hacked n will start to spam everywhere...so Please don’t ! And be aware of it guys. .
The HTB provided a wordlist just beside that cheatsheet
@summer lava Thanks for the reply I solved it a minute ago, the forum had good pointers
Great
Are you following the Junior Penetration Tester
Yeah, I did some loose modules before and now I'm following the path
hey
i wanted to hack an insta account
can someone help?
pls help
imma leave the server
its just useless
lol
i don't think we are supposed to be having this conversation in this channel
yeah true
i don't really understand why you are mad but imma just ignore you np
Do not ask about illegal things.
please read the #rules
and do not start flame wars for no reasons.
You need to find all the zones.
If you are still stuck, feel free to DM me
I started the path earlier this month.. now at the fourth module
Still here can someone help
where can i contact the support for htb academy student subscription?
I still can't get the student subscription with my edu mail
Hi, I'm stuck in the Weak Bruteforce Protections section of the Broken Authentication module. I've tried using the provided python script but I can't get it to run without errors. I've also tried fuzzing the login with Zap using the mentioned CIRT lists for username and password. Lastly, I also tried using Ffuf, similarly without any results. DM me please, thank you!
with htb student I can access only to htb2 module and not htb 3 right? so i'll have to complete all of them to have 1 tier 3?
You will have everything from tier 0 to tier 2
Tier 3 and above will cost u cubes
click the support bubbles and "Start a conversation" and "ACAD: Student Subscription" and fill in some info they need
yea thanks already done
did you set your lhost and rhost correctly
try ||changing your ip to localhost|| if you have some issue with that dm me
How to set it correctly if the website has
202.20.4.6:30157 like thats
The l host is tun0 right?
oh wait yeah you don't need metasploit for this
What do i need
you need jesus and google
If u have a free time look at the section is in module getting started section public exploits
I couldnt find anything useful all of them use metasploit
i just double check search a Public Exploits on ||google|| for that ||Plugin||
@quiet cape no i was wrong metasploit make this way easier
you just need to set rhost and rport and the file path to the flag location
the flag location ||it's in the question||
Wait i'll try now
Can completed modules be revised without paying for them again? Nor retaking them entirely?
Yup!
Hi ,Could anyone give me some hint about "WEB ATTACKS- Mass IDOR Enumeration"?
I am stuck at regexp for ".txt" so I manual find the flag
How can I write the regexp for this ?
Thanks
@vast geyser i solved it using ||burp repeater and just fuzzed for uid's 1-100||
No but if you don't buy any module and unlock everything up to tier 2 you will still be awarded the cubes and you get the free price included in the student subscription
At that point you will have reached 500 cubes i believe
And you will be able to unlock only one tier 3
By purchasing with the cubes earned
Without having to pay those other subscriptions
Silver etc.
Oh ok
I think the cheatsheet for that module is pretty weak. Especially most of users familiar with linux more
i know this is the wrong place to ask, but anyone know what gives with the openvpn issue ? data-ciphers-fallback(2.4.7)
is this an openssl issue ?
before going to the help channel
switch the region and redownload the vpn pack
sudo openvpn the_new_download_vpn
ANSWERED
Working through Getting Started: Public Exploits. I can exploit the plugin on the target website and pull back the backed up file (looks like it's a list of profiles and permissions), but I'm not sure what to do after that. I've tried running some other exploits with msf based on the filenames, but I'm not having any success. Any suggestions would be appreciated.
Comment that line
Worked fine for me
RDP and SOCKS Tunneling with SocksOverRDP super unstable even not practicable
something wrong with instances now? NVM, restart fixed it
Evening, having some issues with the WINDOWS FUNDAMENTALS module in the NTFS vs. Share Permissions section at the "Using smbclient to Connect to the Share" part where I need to use smbclient in which I have and included the Ip addy of the target. But I keep getting "failed (Error NT_STATU_IO_TIMEOUT) and not sure why, could someone help guide me to where I've gone wrong? #WINDOWS FUNDAMENTALS #modules
that one is on pausing for me as well. Good luck!
This one is super annoying. Try to think out of the box and hack in with your own knowledge. Doing it in intended way is too complicated and painful.
@grizzled cobalt where are you stuck
hello can someone help me im on module getting started section nibbles initial foothold i couldnt get a reverse shell what did i do wrong?
I’m good now, someone DM’d me with help. Thank you though.
I'm doing a refresher of Info Gathering - Web edition :: Active Sub Enumeration, and I'm in the section Active sub enumeration, I remember I had trouble getting the FQDN of the nameservers before, been trying dig/nslookup/etc, but cant seem to get it to cooperate. Anyone available? --- edit: found a forum post, nvm 🙂
Use the same way to obtain flags of the skill assessment. It should work like a charm. Just don't forget the last one, Z not C
Hello, I am currently stuck at ACTIVE DIRECTORY Skills Assessment 2: Getting access to Administrator Desktop on MS01. After obtaining an elevated shell on the SQL server, I pulled an INLANEFREIGHT/Administrator hash from the cache. However, any attempt to crack it or doing pass-the-hash was unsuccessful.
Hello, for the Footprinting: DNS module (final question), I'm trying to brute force (dnsenum) various subdomains to identify the host ending with .203 . I did find out a zone transfer on a subdomain but no help.
iirc, pass-the-hash attack was patched for assessment 2. Try use other ways. e.g. rdp .50 by using a plaintext credentials
You mean RDP with pass-the hash?
rdp .50 by using a plaintext credentials
I just received the NT-Hash for admin. No chance to crack it offline...
read mine above again. If you don't trust me then just drop it and believe yourself
I think I'm pretty clear about what can be done and what can not be done
Who is talking about not trusting? If you could just explain me what you mean by RDP .50? There is no need to be defensive about your advise.
no offence, probably should go with neutral words "*believe"
Hi, I'm stuck in the Bruteforcing Usernames section of the Broken Authentication module. I can't get wfuzz to detect any difference in the outputs, even though it is clearly visible upon manual inspection (I brute forced the answer). Using the timing script in order to solve question two likewise doesn't detect any difference. If you have managed to make it work, please DM me. Thank you!
Hi, im stuck at Password Attacks - Credential Hunting in Windows, I find Winscp creds with the method they provide, but in the module response says the credential is wrong..
Edit: solved, format things 😫
I see in the section SERVER-SIDE ATTACKS - Blind SSRF Exploitation Example , the target machine does not seem to match the lesson content, the target machine is repeated with the SSRF Example which should be an example exercise about Blind-SSRF
Footprinting modules boxes were a tough one, though definitely fulfilling to have finished them without looking at any hints or the forum
i find only ||ns, helpdesk, control, root, mail.pornhub, pornhub||
./verify
i don't think the last one is a subdomain ||that's a domain||
Anyone nudges on the Footprinting Easy module
Look closely at the ports. Do you notice any? Look at it more closely
Please check DM I am sending the details
Hi, I'm stuck in the Bruteforcing Usernames section of the Broken Authentication module. I can't get wfuzz to detect any difference in the outputs, even though it is clearly visible upon manual inspection (I brute forced the answer). Using the timing script in order to solve question two likewise doesn't detect any difference in the execution times. Please DM me
Footprinting medium challenge got some creds for smtp in tickets does that help?
There is no flag here. Get back to hacking!
I have the sa credentials for the SQL service but, it doesn't seem to work for me
hi guys, I'm a little stuck on DNS attacking on common services module. Can someone help me? I read that there is some bug on that, but I don't know if it's me or the bug the problem...
DM
why is the pwnbox so laggy? it's beyond usable for me
how can i connect to htb vpn?
Options error: In [CMD-LINE]:1: Error opening configuration file: lab_lob0i.ovpn
Use --help for more information
it says this
Post your command
the error indicates you have an invalid option specified in your command.
has anybody been able to import powerview into powershell on the AD Enumeration and Attacks skills assessment part 2?
@rapid pine i checked my notes and i used PowerView on part1 and not part2... but we should be able to just move over the .ps1 file and then import-module
yeah i tried that on multiple machines... seems to import fine but i can't use any of the commands.... guess i'll have to find a different way
hey guys can yall help resolve this "could not resolve host: github.com" its in kali btw
Need a nudge on Attacking Common Services - Easy. Still looking for any type of creds, tried brute forcing ftp and rdp with no luck
try the ||smtp||
anyone who has completed SQLMAP module, to ask some..!!!
what's the issue?
I'm not able to read the content of a table "flag3" but @lethal atlas gave me a hint, thanks in advance
did you use any ||cookie|| tag in sqlmap?
yep, I tried --cookie
and the ||TESTPARAMETER (-p)||
@tight mesa if you still have some issue with that feel free to dm me
course, ty @vital adder
are you doing --dump -t flag3?
he is now that I pointed him that way. I really think he was just overthinking the problem.
although you can do it without -t flag3
pls be careful with spoilers @karmic vigil
How is ffuf not able to find these files while gobuster is?
Is there a ffuf option that I'm missing, or is there something that gobuster does in the background that ffuf doesn't?
pipe it through a proxy and compare the requests to see
I'm currently using mssqlclient in docker to access a database from the academy but I can't use any of the mysql commands like "show"
Could not find stored procedure 'SHOW'.
I want you to guess Sony's hands. I have a special hand, meaning a small nickname
I ended up solving the exercise but not the way I hope was intended
Hi guys, one question, i have a problem with the section "Network enumeration with nmap" in the module Firewall and IDS/IPS Evasion - Easy Lab
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
i run the command sudo nmap 10.129.140.142 -T2 -p10001 -A, and it detects the OS in linux, but it is not the answer, someone solved that section
😆
could use nudge on the footprinting lab-easy. Have found ssh keys and downloaded them to my attack machine. Though when I try to connect to the target using ssh p 22 command- ssh -i ./id_rsa ceil@<target i.p> keeps saying Connection closed by <target i.P> port 22. I did modify the permissions too for the private key file to chmod 600.
@storm lagoon it wants something a little more specific. Which distribution of linux specifically?
@wheat garden your path is correct, we should be able to ssh in as ceil. Maybe try to restart the target?
the command syntax looks correct? might be networking issues again then
dang so the lab probably glitched/ malfunctioning
maybe try from pwnbox?
Need a nudge on Attacking Common Services - Easy Lab found the username and password and I know the exploit. However, my exploit is not returning any output. Anyone available to help me out?
yep ill try it
It is that it does not ask for anything specific, according to the answer, it is enough to indicate which OS is running, but when I put linux, an error appears
Right but which distribution of linux?
@slow ruin DM me 🙂
I went crazy, I was writing ubunto and it was ubunto haha, thanks my friend love you
you're welcome 🙂
@wheat garden just tested and i can ssh as ceil from pwnbox but not my kali vm
ok ya some kind of networking issue with the vpn I guess is preventing it.
Am I supposed to bruteforce the password of the local Administrator in Footprinting Lab - Medium?
I have gotten the rdp u/p and logged in but I'm stuck there
@unreal patio did you find ||the credentials for the sa user?||
what about ||smb?||
hi, in module "Using the Metasploit Framework: Sessions & Jobs" in the question about "old sudo" i don't find the "relevant" exploit maybe why i dont privileges. Can anyone give me a hint where to go from here? thx
@mossy epoch which exploit did you use
i gain access with "elfinder_archive_cmd_injection"
Is anyone able to give a little hint "AD Enumeration & Attacks - Skills Assessment Part II" - flag for admin on MS01. I got "DefaultPassword" from the SQL01 and have tried running it by my users list - no success. I tried cracking all the hashes I can get near with no luck. Anyone before I might give up.. :/
have you got Administrator hash on SQL01??
Yes I should have. Both DCC2 mscache hash and an ntlm hash
have you tried pass the hash attack on MS01 with Administrator hash found on SQL01??
I get an account restriction that prevents the user from signing in, so that doesn't work
i found the Administrator hash on SQL01 and tested it with crackmapexec for winrm session on MS01 and it worked
Hi!
I am stuck for a few days now, and I don’t know what I’m doing wrong.
The question is:
Enumerate the target and find a vHost that contains flag No. 2. Submit the flag value as your answer (in the format HTB{DATA}).
When I’m doing FFUF on it, and want to go to for example blog.inlanefreight.htb then everything is the same webpage. The webpage from the Ubuntu Apache page.
When i go to HTTP://inlanefreight.htb 1 then I got a flag 1 and that is OK.
I added the findings from FFUF to /etc/hosts/ with the given target-ip.
Can anyone tell me what I’m doing wrong, please?
Thanks. I tried for too long with smb, and that didn't work but winrm did!
Hi! Anyone can help on the last machine of the getting started module?
I got footprint already and trying now to gain privilege escalation to root but stuck a bit
Thanks!
@feral stump did you use like sudo -l to see what happens
Yup
Hello
i need hlp
help*
ATTACKING ENTERPRISE NETWORKS
Web Enumeration & Exploitation
i can't access http://dev.inlanefreight.local
did you add the ip address to your /etc/hosts?
hi , i'm stuck at "AD Enumeration & Attacks - Skills Assessment Part II" on the question "Obtain credentials for a user who has GenericAll rights over the Domain Admins group. What this user's account name?" .... i've tried all methods but i can't obtain this credential ... can anyone help me please??
solved
Hey guys, Im stuck on attacking common services - SQL. I have tried using the commands and looking around for several hours, but im stuck tbh. Is there someone who can help?
Feel free to DM me
hi in Pivoting, Tunneling, and Port Forwarding module i have a problem with chisel i uploaded it tried to run it and with sudo but it give this error "./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by ./chisel)"
solved it thanks bros ❤️
Hi, I'm with the cracking passwords with hashcat module and hashcat always replies that my command is an illegal hardware instruction, I just copy the commands from the module so I don't understand what I'm missing
Damn
anyone got a hint for finding CT059 credentials in AD Enumeration and Attacks Skills assessment Part 2 ?
Oh that’s weird
I second what Jared says. Try it from pwnbox.
i get a weird error whenever i try to run hashcat on my Kali 2019 image that i use for testing occasionally
@west canopy ths, i try
yep, the pwnbox works fine
I think it is some kind of problem with drivers, I tried using hashcat locally and it replied that it needs some drivers from my cpu
But I thought that Kali comes with all the necessary drivers
Hi, i'm stuck in Password attack - credential hunting in Linux, i've tried bruteforcing with the provided resource, not working for will / kira
@vapid grove try using ||a mutated version of the password provided in the hint. It might already exist if you mutated the original password list :)||
I'm stuck on Footprinting [NFS chapter] the /etc/exports directory isnt on my machine. I was able to use nmap but I can't use showmount
NVM I had to download nfs-common I guess 
worked, thanks
Is this place for learning how to use coding or for getting peoples IP cuz I kinda wanna know how to get Ip cuz some kid I know tried to get mine smh and he failed bad
So I wanna get his cuz he thinks I can’t
Lol
If this isn’t a server for that sort of stuff I will leave if the admins or the owner wants me to
This is a place where we discuss academy related stuff. We DO NOT condone hacking without consent. What we learn here we learn for good, not evil.
Ok
If you think I should leave then that is fine I don’t hold a grudge but do you know any servers that does allow that sort of stuff do you mind letting me know
Now that being said, if you want to learn skills that will help you get a career in cybersecurity, this IS the place
a lot, but just enjoy the process no?
No I’m all good @lethal atlas
those of you with these meters full, how long did it take you?
I have been at it over a year,
ty that's what i'm looking for
It depends on how much time you can dedicate to it.
i try to do some every day and even at that for a couple months
some days I can spend most of my day working on modules, the last month I have barely had time to touch it
I have completed the bug bounty path though. I need to tighten up my SSTI and XSS skills before I attempt the exam.
did u get the exam
I havent paid for it yet but plan to.
i wonder if it's hard
I know a couple of guys who have attempted it. Only one that passed.
I hear its challenging which is why I want to beef up my weak spots before I attempt it
Im in top 1% in HTB academy and I gotta say this is impressive
I’ve been working on modules ~4 months and I would say I am 75% done from completing every module.
Pat yourself on the back. Some of the modules are BRUTAL. They can take some time.
Worry more about learning than speed.
i dont get how the meters work
Also this is my best advice for Academy
The meters make no sense.
they really don't
as far as the exam. I would read this https://academy.hackthebox.com/exams/2/certification-steps
Could I get an honest answer. If I completed the BB/Pentest exam do you think employers would find that impressive??
Don’t want to ask staff cuz they might give a biased answer Lol
I want to get an IT job.
I guess that depends on the job and employer. I work in IT for a college now but we don't handle anything like this. We farm all our testing to a 3rd party.
I think the certificate is just too unknown so far to be used for recruiting staff
yeah i think the same. but hackthebox is pretty known i would say in IT so it would not be a bad thing to have in your resume. also the important is not to have your resume full of courses, certs, etc, the important thing is that you can then show you got all that knowledge hands on
thats why I think it's not a good idea to rush modules, instead go slow and learn as much as possible
I think it would be hugely beneficial. Particularly once you get the interview, you could talk about your passion for hacking/security, tell them how you took this exam in your free time because you love to learn. Then show them your report and walk them through each vulnerability you found. It would probably blow most interviewers away.
Going through the Web Proxies module using Burp exclusively but now I'm trying to go back and use ZAP. I'm using the pwnbox but can't seem to turn intercept on in the HUD mode. I click it but nothing happens. I'm sure I'm missing something simple but am a bit sleep deprived 🤣
Hey guys i have a problem finding the TXT in Information Gathering - Web Edition
I was able to find subdomains but i think i'm using the wrong query
Omg i just found the flag
It doesn't work lol
I use a pomodoro page to keep track 
This is my query and the output but the flag doesn't work
||`nslookup -type=TXT inlanefreight.com
;; Got SERVFAIL reply from 200.115.192.28, trying next server
;; Got SERVFAIL reply from 190.55.60.130, trying next server
Server: 181.47.248.145
Address: 181.47.248.145#53
Non-authoritative answer:
inlanefreight.com text = "HTB{XXXXXX}"`||
You are not looking for the TXT entry of inlanefreight.com but .htb
Sorry, i don't understand
You queried inlanefreight.com, but should have queried inlanefreight.htb.
instead of .com use .htb
But if i use .htb the output shows: *** Can't find inlanefreight.htb: No answer
I edited my etc/host
You must specify the target machine as the DNS server.
|| dig TXT domain.tld @rustic sageIP ||
My domain.tld is this:
curl -s https://sonar.omnisint.io/tlds/inlanefreight.htb
Output:
["inlanefreight.com"] right?
So if i do dig TXT inlanefreight.com 10.129.155.149
The output show spoiler ||300 IN TXT "HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}"||
if that flag doesn't work I would check if that's encoded
No, the flag is simply wrong and does not belong to this question.
Have helped him via DM.
ive only been doing the academy modules for about 2 months now. and it already says im in top 1% 🤨 guess alot of people who start the academy dont do that many modules.
done like 18 modules so far
With 500000 Academy users, 5000 users are in the top 1%.
https://twitter.com/hackthebox_eu/status/1529492627661500417?s=21&t=4FPIchZccEHbiBV-7RNcqA
🚨 500K #HTBAcademy members 🚨
Half a million aspiring #hackers have already started their #cybersecurity journey!
Modules for all skill levels, 2 job role paths, and a certification are waiting for you 👇
https://t.co/PS7OKA4szU
But how the ranking is created, I do not know. Number of modules? Number of sections? Number of answered questions?
Hello, I am in the File Transfers module and in the first question it asks me to download the flag.txt file with wget and to put the content. I download it but I do a cat flag.txt to read the content and I get a series of numbers and letters, I paste it in the response and it doesn't give it to me as valid. What is it that escapes me?
Check if you have copied a space at the beginning or at the end.
Exactly, that was the mistake, thanks😅
18 modules is a lot
The bug bounty path is like 20 modules I think?
I think that talking about Hackthebox is amazing for interviews, but in my limited experience HR gives interviews to people who do Comptia certs.
comptia has like the gayest certs ever. Ive got a few of um. And I learned more way more on hack the box abd the academy thatn Ive learned from any of those comptia certs,
The question is always, what certificates are needed to get an interview in the first place?
In my region, these are mainly CEH and OSCP. Sometimes also CompTIA.
Unfortunately, what one has learned in the process is often of secondary importance. That is only relevant at the interview, and yes, then the HTB certificate is certainly helpful.
Why don't you do a CompTIA certificate; if it's helpful in your area?
I think with the knowledge here from the Academy you should be able to do it.
With the CompTIA certificate to the job interview and with the HTB certificate to the job 😉
Depending on what type of job you're applying for, I genuinely question if CEH and/or CompTIA certs will help. Certainly DoD/contract jobs, where it's a checkbox requirement, yes, but aside from that, while many job postings may have CySA or CEH listed, it seems like a massive disconnect from HR to actual hiring manager. Yes, if going for say help desk, no doubt having A+ will help... And having the KNOWLEDGE will certainly help, but at $300+/cert (CompTIA), seemingly many better returns on investment. Even worse for CEH.
Edit: In full disclosure I have a # of CompTIA certs and CEH... live-and-learn.
is there a recommended course guide for newbies?
Finish the information security path
quick question
i'm on the hashcat module skills assessment final question
says what's the most common password
how would i find the most common one?
looks like i've cracked the list
Anyone help me on the Command Injection skills assessment, I have the injection point but something isn't working....
you can write a python script to catch and count the hash
then crack the most common hash
oo that's a smart idea. time to google xD
i've got a list of cracked hashes anyway
nvm it's exhausted not cracked
try dictionary in python
hmm not my wheelhouse. the hint suggests crack it then use NTDSAudit DPAT or grep for the results
the exhausted result suggests i need something else not a straight brute force wordlist
Good luck. I was stuck on the skills assessment for 2 months
thanks, oh man I have tried so many things, hit hard for like a week then took some time and back at it
Thank you! I ended up starting that one
nvm got it lol
has anyone run into an issue with starting point responder where you put in the site after starting responder to get the hash and it prompts you for a username and password? this wasn't in the walkthrough and its very confusing lol
Anyone help me find the flag in task 1 skill assessment Intro to Assembly language.
I've been stuck for 2 weeks
Feel free to DM me
Hello, I'm doing the Getting started module, page 23 Knowledge Check: I managed to exploit the machine and get a meterpreter shell, I also uploaded LinEnum.sh to the machine but I'm not able to run it because i don't have the right permissions. If you have any tips please feel free to DM me. Thanks
is there a good bash tutorial i should check? doing the bash scripting module and only have javascript and python experience so stuck at the first hurdle
try chmod +x linenum.sh
i already tried giving the right permissions to the file, i'll get back to it later and start from the beginning to see if i missed something
Hi i'm doing the Password Attack module and i'm stuck in the password mutations section. I can't find the right creds even though i've created the mutated wordlist. this wordlist is 94000 passwords long and it would take 16 hours to complete the brute forcing attack through hydra. Any hints?
I had that issue, and searched this channel and got a decent suggestion from it. Cut the first 17,000 entries from the mutated list, and use that instead.
tail mut_password.list | head -n +17000 > cut_mut_password.list
do i always try with hydra?
How do you know what % you are in?
Yeah, but for some of the labs, you can use Hydra to scan with FTP rather than SSH, because SSH is slower. Sometimes the creds for FTP and SSH are the same. If you nmap the target, you can see if it has FTP open. 😉
It told me in my transcript. You can download it in your profile page.
I'm targeting ftp but i still get 5.30 hours... and the machine despawnes in 90 mins
Yep. But you should crack it in about 15-30 minutes at worst.
ok i'll wait and i'll let you know. thank you
Hrm... dont see anything like that on my profile page. Sad. Must only show it if you're in that top
oh wait mine also said Ranking: Top 1%
Can you screenshot where it shows you?
Figure for every person that signs up for academy, some large percentage sign up but don't complete ANYTHING (because free to sign up)... From there, another large percentage may only do a module or 2, and another large percentage only do the truly free modules. So you quickly dwindle down to small percentage of folks doing a measurable amount of content... Just shows you are committed far more than most
yeah that makes sense
i still get nothing... can somebody give me a hint?
Hey all good morning from midwestern USA.
I have recently begun the HTB Academy: Web Requests and I notice that the Cheatsheet and Hint options do not work. When I click, the page size changes, however, no window for either pops up. I do have pop up blocker allowing HTB academy through. I have reloaded, closed out - reopened, etc. No avail. Is this normal?
Apologies, I gave you the wrong command.
cat mut_password.list | tail -n +17000 > cut_mut_password.list
Weird. I've no idea where to find that page....
oh on your account click setting and file the download transcript
Ohhhhh
try using the files in the resources on the top-right part of the module
yes i know i had corrected it because it gave me 10 passwords as output but i still get the same result...
just saw that,came back to delete the text 😅
thank you
You should only get one password...
no sorry i wrote it in a bad way i was saying that the output file (cut_mut_password.list) was made up of only ten passwords instead of 77000
but it's 1 hour that hydra is going and i have no passwd found now the machine has expired i don't know how to go on
I have just tested with the same command and it cracked it in less than 5 minutes.
please can you send me the command?
Pivoting, Tunneling and Port Forwarding Module - Skills Assessment Section; I got into the Windows host through the pivot Ubuntu server and I tried to Meterpreter Tunneling and port forwarding to be able to route nmap through windows internal network to enumerate but I dont get the connection back through multi/handler. Also I don’t get how to use the user vfrank. Any help/hint?
i used this: hydra -l sam -P cut_mut_password.list ftp://IP
DM me.
you have to add me as your friend
Did all of tier 0, just finishing off tier 1 before moving onto tier 2. 🙂
Really confused how they calculate that now LOL
Probably most people join and do the tier 0 stuff, or do a module or two for things they are really interested in
And then there's crazy people like me who are working through every module to see if there's anything I can learn 🤣
I think it is probably just sampling bias.
I'm hoping to finish all the modules by October, and then I'll go nuts on cracking boxes ^^
Hi, can i get a nudge on password attacks - lab hard ? I can't find anything on services 😦
Hi
use the given username and brute force the ||rdp||
I’m planning to finish all the modules. Do you want to work together on the things we get stuck on?
Sure, although I think you're a bit ahead of me. I'm currently finishing "Password Attacks" and "Shells & Payloads". But only time I get to work on them is during the weekend. 😦
I have one question for password attacks
can I text you? when you are not busy
Drop the question here first. So others can search it later 😉
not exactly a question, In password attacks Network services I got all the correct user and password, the deal is with SMB the user doesn't have read access so I am not sure how can I proceed with that as it says "NT_STATUS_ACCESS_DENIED"
and for rdp, the connection establishing using xfreerdp fails
Yes.
How do you request flag information? dig txt XXX.inlanefreight.htb @ip-addres?
Oh hrm. Had to go look at the exercise. For the SMB part, the clue is ||in the name of one of the shares||. If you dont follow what I mean, think about how the whole process of a pen test / box cracking is returning to earlier steps once you have more information.
-r without param?
yep
i don't quite understand the goal of the "-r" option
NP. Can I dm?
Yus.
Hi All working on the Active Subdomain Enumeration lab under Information Gathering - Web Edition, I understand how to start a zone transfer but I am lost as to how to identify "zones". "identify how many zones exist on the nameserver" is one of the questions, and I guessed it right ||"2"||, but I have no idea why that is correct. Any help would be greatly appreciated.
I still don't get
DM me.
why can't I connect? Did I miss something?
are u sure it's on port 22
Are you connected to the VPN?
ifconfig tun0
Hi all, someone who finished the API skill assessment can help me out? I am sending the request and receiving an error, I fixed the error but I keep receiving the same message.
well it showed that in the settings but it is turned off automatically somehow
On attacking common services, i can't bruteforce the smtp or pop3 server and can't exec any command, get the error 503: Bad sequence of commands do I need to authenticate ? If so do I need to use GUI tool like thunderbird ?
ur not connected here
wait what?
ur tun0 isn't up
but I imported the academy.ovpn file and turned the button to "on"
what's tun0 if I may ask? I thought its just a different name for a internet access point
u can use the command line : sudo openvpn urFile.ovpn
it's an interface usually used by VPN
do I need to mention the path aswell?
yes
np
thank you guys for helping!
Have you found a valid username?
yup
what's the matter this time?
what do u get with a ps aux | grep vpn ?
kill them all and relaunch ur VPN
However, with this you should be able to bruteforce the access. Which list did you use?
u should have only entries :
1 sudo
1 without sudo
the one from the task and rockyou
like this?
with rockyou i think it block the port bcs i get
now it's clean
Check your DM
not again
maybe try to reboot ur computer
allright
Hi all, Trying to identify other zones on the DNS server. need a nudge
you can use dnsenum
do I need to redownload the .ovpn every time I want to connect to htb or do I only need to do that once?
normally once is enough
okay, thanks!
hey im working on the same module and area you mid if i dm you? i got some questions
no need to download the vpn file every time
why do they even require connecting via vpn to access them?
i dont mind at all
security reason
as you might already know, some of the targets can either be reached through the VPN or without one
so that they are not available on shodan for example
the button in the exercises is put for convenience
so it's basically not more secure, just better hidden from unwanted guests?
has anyone here been charged double the cubes for a module before? i.e. module is 20 cubes and you got hit with 40. Tried looking in FAQ but nothing there regarding this.
not yet XD
bummer, gunna reach out to support then, thanks!
welp, it seems neither the cli nor the gui openvpn clients work, ill resort to google
have done that but get only 3 result
am I doing this wrong?
You still need to specify the DNS server
how?
i looked at the syntax on their forum but the example works
Yes, for a "normal" domain this is true. Any DNS resolver can resolve them.
But if you have domains that not every DNS resolver knows, like .htb or .thm or .local, then you have to specify the DNS resolver explicitly.
dnsenum Usage Example: Don't do a reverse lookup (--noreverse) and save the output to a file (-o mydomain.xml) for the domain example.com:
root@kali:~# dnsenum --noreverse -o mydomain.xml example.com
dnsenum VERSION:1.2.4
----- example.com -----
Host's addresses:
__________________
example.com. 392 IN A 93.184.216.119
Name Servers:
______________
...
even if its in hosts.txt? tried it anyway didnt work
if anyone has any ideas my DMs are open
Use the IP address as name server.
Just use the target IP address.
not yet
if you look at the CheatSheets on the Footprinting Module , you will see that they share a command line for dnsenum ' dnsenum --dnsserver <nameserver> --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list <domain.tld>' , change nameserver, domain.tld and subdomains.list
whoops mistyped, its working.... kinda, doesnt give me any info on zones that I am looking for
also doesnt enumerate nearly as much as dig or nslookup has been
I have a question about a HackTheBox Academy module. For the "Introduction to Bash Scripting" module under Comparison Operators, I got the following answer: U2paTlJYTkxDZz09Cg==
Here is the following code that I used:
var="8dm7KsjU28B7v621Jls"
value="ERmFRMVZ0U2paTlJYTkxDZz09Cg"
for i in {1..40}
do
var=$(echo $var | base64)
length=$(echo $var | wc -c)
if [[ "$var" == *"$value"* ]] && [[ $length -gt 113469 ]]
then
echo ${var: -20}
fi
done
I feel like this is the right answer, but for some reason, I am getting it marked as incorrect. Can anybody explain why?
Hey guys
When attacking common services - DNS
-How long should I expect subbrute to take? 🙂
Hi I’m stuck at in the FOOTPRINTING module DNS... anyone can help me?
What is the FQDN of the host where the last octet ends with “x.x.x.203”?
use gobuster if subbrute are too slow
okay, thanks!
oh sht sorry i miss this message if you still help with that dm me
I got the gobuster working, but i dont seem to get any results. Can DM you? 🙂
sure
Could I get a nudge on the XSS Skills Assessment please?
Sure thing, DM me
your code is just a bit off. DM me and I will help
Question for all those who have completed the XSS module. I am going back thru and in the Phishing section I have never been able to get the code to clean up the page the way they say in the section. Even using the code they provide does not work. Has anyone been able to make the page ONLY show the username and password login boxes?
I don't think i was able to. I recall the page looking all messed up
yeah, I remember you and I talking about that when I first completed this
is there someone for "Attacking common protocols" "Easy" i think i'm near the end but there is a little thing not working
EDIT: Finished Thx @west canopy
@grave dust i might be able to help , feel free to DM me 🙂
If you are still stuck, you can DM me
I was doing the windows box but i can't use xfreerdp, i've also installed it with aptitude but still nothing
I can't ping any of my target machines in HTB academy. My internet and VPN are both connected. I can't ping the target machine from the pwn box too!
Is there a problem with Academy machines?
The target machine can only connect to either your pc or the pwn box iirc. close pwn box and reset target and connect will probably work
or only the pwn box and not vpn ofcourse
Tried both. Couldn't connect through pwn box, then tried from my PC. No luck there too!
Somebody had the same issue before. I don't know if it was resolved. @pine vale
Maybe restarting pc? if you didnt already
Let me try that too!
Getting Started: Privilege Escalation
I can successfully ssh into the target system and I can see the first flag. I can also move laterally into user2's account. Also I can access root's id_rsa file and see the key within it, copy that key, and move it to user2's files. Where this one breaks down for me is in trying to use root's key to ssh into the system as user2. It times out every time I try.
Not sure what I'm doing wrong here. Any help would be appreciated.
Hi all 👋 just joined and looking forward to discussing some of these modules with everyone 😄
We want to use root's id_rsa file to SSH in as root, not as user2 🙂
I've tried that too, and it still times out on me
Does it matter where I execute the ssh command? Like, do I need to be in an entirely new window?
can anyone help me make a virus using node.js
you try it in pwnbox ? sometimes things dont work using your own vm through htbs vpn
The id_rsa file containing root's key doesn't exist on pwnbox
could create one and manually copy it over into it
I swear, I am constantly overthinking this stuff 🤦‍♂️
Let's hope that works.
That timed out as well
are you specifying the port when SSHing?
That's not really the topic of this channel. Is there a specific goal you have in mind?
I was just coming here to say that I left that bit out. Just got in. Thanks guys!
np nice work 🙂
you cant use a premade one off google?
I'm supposed to identify two zones from this
I only see inlanefreight and root.inlanefreight under SOA
But I'm missing a zone to query for the TXT record
Can someone give me a pointer?
@unreal patio try doing a zone transfer against one of the subdomains you found
one or all?
test them all until you get a zone transfer 🙂
Did you solve this? I have the same issue.
I'm stuck on USING THE METASPLOIT FRAMEWORK - Meterpreter. I'm supposed to Retrieve the NTLM password hash for the "htb-student" user, but even though I'm system user when I run the hashdump command in meterpreter I get this error: "[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect." I've tried changing to just about every other running process and I still can't get it to work. Any ideas?
@modest token yes hashdump does not work , i ended up ||using mimikatz :)||
ahh I see, I'll try that then, ty!
I was wondering if anyone could give me a nudge on the Skills Assessment portion of the JavaScript Deobfuscation module. I'm stuck on the next to last question. Nvm. Figured it out.
For windows privilege escalation DnsAdmins use multi/script/web_delivery to generate the cmd line for msfvenom to use. Others won't work, at least for me. And try to switch between cmd and ps if got stuck
yeah, me too
Hey guys, i'm doing the attacking common services - mail services
I got the user, but i don't know where to go now. Could someone give me a nudge please 🙂
Please... to know how to use the FETCH command to read mail... i used it once but forgotten ...
IMAPs server
for me? 🙂
did you try ||pop3||
Yes, i tried to connect to the pop3 server, but i could not login, because i only have the username from the ||smtp user enum|| 🙂
oh then use hydra brute force the password
okay, thanks!
What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)
I'm on "Attacking common services" "Hard" and I don't know why I can't impersonate the user I need to impersonate can I send someone the command I'm using ?
u can use smbmap or smbclient to see the shares
Thanks i will try it
sure shoot me a dm if you still need help with that
Ok
HI I'm having problems in the passwords attack module, in the Credential Hunting in Windows part (What is the default password of every newly created Inlanefreight Domain user account?). I've searched for the word password in almost all the pc but i can't find this password. any hints?
It’s in a script in one of the folders after you’ve cracked one of the accounts and logged on via RDP
Can’t give you more specific advice atm as I’m on a train visiting a customer
Did you get the password to the "Pass mutations" section? How long did it take?
if it's taking too long cut the first 17000 passwords
but in time?
i can't remember i just let it run on pwnbox and go get some food by the time i'm back it was finish
ok, thx
if you cut the first 17000 it takes almost one minute
Thank you as always i tried something far more complicated
What am I missing? xD
Done every other question with no difficulty
"Intro to Network Traffic Analysis"
remove the ||ing||
thanks lol
In the Linux Privileges Escalation module, the special permissions section in this question, I have the path to the file but it says that it is incorrect, I have done the next one, which is more or less the same, without errors, can I send the solution to someone to check if the format is correct?
Okay nevermind, there is more than one file, but the question only allows one
who was?
Anyone up to help me with IPS/IDS and firewall evasion using nmap
Can anyone tell me how to answer the question in “Attacking DNS” question please !? :got it 😍
in common services ?
just finished Command Injection can i dm someone to see if they got another answer ?
Hi! What list did you use to guess the password? From resources-pws.list?
Dm me
hi I'm in the credential hunting in Linux(Password attacks) and I tried every wordlist possible to bruteforce the pw for Kira. I even made mutated passwords from LoveYou1 which is the password hint. can you tell me if i'm doing something wrong. Any hints?
Once you find the username you can use ||rockyou.txt||
Thx
i have the same problem can i dm you?
Ok
ls
Hi guys!
Stuck on the 2nd question of the task - *Predictable Reset Token* from the module - Broken Authentication
Tell me, please, what are my next steps, after I understood the coding algorithm for htbuser.
How to change the password for htbadmin if the token is sent to him by mail?)
I will be grateful for any hint.
Thanks.
Did you understand the logic of the path? in the end, you need to log in to the RDP and find the flag?
on the way to access the mail and perhaps find a hint there?
dm
after you got the password try ||pop3||
HI
Hi!
I'm working on the skill check for the "Web Service & API Attacks" module. The question says "Please note that the service will respond successfully only after submitting the proper SQLi payload, otherwise it will hang or throw an error.". I'm submitting a login request with "admin:admin" for credentials just to have something to work with and I get no response from the server. Indeed it looks like it hung. But what's the point of that? How am I supposed to work out a working SQLi payload if I have to have one in order for the server not to hang? A server that hangs on login requests unless they're exploiting SQLi vulnerabilities... that's so broken... how's this realistic? I'm guessing that I'm supposed to work it out in another fashion but I'm still very confused by this setup. Can anyone clarify why this lab is set up this way?
What is a more realistic output to that input you would expect
A failed login would result in a 403 and/or a message saying something like "invalid credentials" I'd expect, don't you agree?
If the login request has a back end to authenticate against sure
You're saying it doesn't?
I am agreeing but that is not really the point of the learning module
But there has to be a back-end receiving the login request in order for it to be vulnerable to SQLi?
Would I be right to assume that I'm supposed to exploit another flaw, figure out the SQL expression and craft the sought after SQLi payload that way you think?
Yes that more commonly would happen, I guess I am probably missing what is the point of you just logging in?
My idea was to just get a login attempt working and then start doing SQLi tests for the username and password in order to (hopefully) find the SQLi vulnerability.
I mean imagine it is a company admin portal, unless you are a blue team how would you have those creds?
No, the creds don't have to be valid, could be anything, "test:test", "admin:admin". If the function then turns out to be vulnerable to SQLi the validity of the creds typically wouldn't matter.
i believe they provided a handy little script that will get you access
You mean command execution?
I was just about to go work on that. Feeling even more motivated now that you said that 😉
and be prepared to enumerate like no one's business
Awesome! Thanks for the input both of you!
I take it then as the author of the module wants you to work on more than just SQLi then.
Remember the point of modules is to teach that 10% -30%
Doing the practical is where the 50% of your learning comes from
Yeah, I guess it would be a bit too easy if it was just a SQLi and done. Thanks for your input, much appreciated!
how do I black out stuff? I forgot lol
I hate how long it takes to crack passwords on Password attacks. My target times out before hydra can even make it a fraction of the way thru a list.
are you doing password mutation chapter?
yes!!
Drop the first 17000 results from the mutated list and try
right on.. I have been deleting the ones I have gone thru and starting over after a time out.
you saved me a bunch of time. At the rate I was going it would have been 2 more hours before I got that password
Can someone help me with the payload for intro to server side attacks, SSTI Exploitation #2 they give an example of using a tornado payload with a whoami command, but they don't actually show the user. And when I try the same payload with different command (like ls or cat flag.txt) I get the same result as the example but nothing else.
hey bro. I can help
Yay! Finished password attacks. That hard lab was actually fun 😄
congrats!!
Thanks 🙂
I really need to go to sleep now but can someone help me with the Documentation & Reporting practice lab? This was supposed to be an easy lab!
I cannot find any path on how to do things or what I am supposed to do. On top of everything, hashcat always complains with "separator unmatched" when passing the tickets as per section "Components of a Report". I was able to find a certain lab user but I am stuck there since I cannot crack the hash due to the previous error. Uploading a command shell to tomcat led me to nothing, even if I can execute some commands
Goddamnit, so that's what it is. I gave up and moved on long ago. Was planning to get back to that some day. Now I know, thanks for clearing that up for me! 😄
100% the same feeling for me. Requires a lot of time
Has anyone used CertReq.exe as a way to upload and catch with nc like in the Living on the Land lesson? I get the error that -Post is not a valid argument with the LOLBAS syntax
"CertReq.exe -Post -config"
is that like certutil.exe?
Some sort of certificate program
https://lolbas-project.github.io/lolbas/Binaries/Certreq/
I struggle with academy so much because the majority of the time the examples will not work
interesting , I just tried running it now from windows command line
i have never seen this before
Give you an error?
0x80070057
opens a file explorer type window where i can select a file
try it with full syntax CertReq -Post -config https://example.org/ c:\windows\win.ini
Need a nudge on Attacking Common Services - Hard lab. Know about the ||linked server|| but not sure if I am understanding how to send commands to it. Getting a Login failed error
Figured out the login issue
working on the analysing network traffic module and couldn't handle the command line readout of a capture file so jumped ahead to wireshark before actually starting the wireshark section xD
all that info in a command line without any organising is rough on the eyes
Tcpdump sux (joking)
looking for a lil advice. i've been using kali linux to do some of the modules. some of the commands aren't working the same as they would in the workstation.
e.g. ssh doesn't let me log in remotely.
ssh doesn't work on your vm? Is your vpn connected?
active is showing as inactive when checking ssh's status.
ok got it running but still not connecting. imgur.com/VT5jcFB.png
tried reconnecting but it timed out. respawned instance but getting the same issue.
on the wireshark module it gives me a target IP, do i have to connect to that nomachine still like the walkthrough lab does?
i was able to finish the module just using the pcaps in the resources section at the top
first question ||is exporting http objects from a pcap.||
second question ||ssh into the box and look for users in /home directory.||
yeah i get the first question, but where is the pcap?
resources
oh is it that same wireshark-lab-2.zip?
yep
np
how do i see the flag.jpeg through ssh?
where are you seeing flag.jpeg?
there's three users. i'm assuming the image is the clue but i don't know how to view images through ssh as it's text
ah i don't even remember that
i just guessed 🙂
(me too but i was curious about the 'real' answer haha)
could move the flag to your own machine and then view it
or could try running strings on it
yeah no luck moving it with scp
can u start a python web server?
Yes
nope lol
Hey is anyone here in local file inclusion or has done it?
nvm reading about it. you've got to use no machine and that. it's easier just to ssh and guess it's three possible answers rather than the hassle of a VM inside of a VM xD
i couldn't solve it by sniffing packets 😦
yeah forum browsing, looks like there was a bunch of weird stuff happening. maybe the authors need to have a look at it again
kind of detracts from the focus of the module when you have to fiddle with other stuff, but whatever
I assume that's why they added the actual pcap files there now I think about it xD duhh
yeah i just blazed through it with the included pcap file. They should say "HEY if you don't want to go through the hassle of a VM inside of a VM, here's the pcap file you need"
Has anyone completed the OSINT: Corporate Recon - Business Records section? I feel as if I have the correct answer, but it's not allowing me to submit the flag.
@plain coral i might be able to help
Thanks, the question is. Investigate the website www.inlanefreight.com and find out how much EBIT they recorded for the third quarter of 2020 and submit it as the answer. (Format example: GBP 000,000), all I need is a nudge with the formatting, I think.

How do you find the root hash if there is no permission over the etc/shadow file?
Yes but i’m a user
The aim is to find the root hash and then crack the passwd
In the Passwords attack module
you might be able to get root to read the file for you without being root yourself is what I meant
Yes but the problem is that i can neither modify the etc/passwd file in order to become root without the password because I’ve no permissions to modify it. Idk what i’m missing
Hey guys
Im stuck on attacking common services - easy. I have a user on the system, but i dont know what to do now. I have tried different things. Please help 🙂
go to #welcome
Use ++verify in #bot-commands and follow the instructions from the bot in your DMs
there were a lot of problems on this section. Some people found it with subbrute, some with gobuster, and others with dnsenum. when you find the good domain a zone transfer is necessary
Anyone help me out pre-configuring my browser for use with ZAP? having issues
Try ||looking at the files that are available in the user's home folder|| 🙂
hi everyone :)
is htb academy releasing any new modules?
I tried to look on the website, but nothing was listed under upcoming modules
was looking forward to the pillaging and lateral movement modules
Which issues?
It just says the provided browser was not found
but i've got chrome
i'm a in a kali linux VM
I think by default it requires firefox
Have a look at this:
https://www.zaproxy.org/blog/2021-11-26-launching-browsers-with-extensions/
You can now launch your favourite browsers from ZAP with your favourite extensions.
yeah i've got firefox esr i meant not chrome haha
no dice
I need to talk to a real pentester about Active Directory.
First off, I have only little issue when reading stuffs like Networking concepts, security. Watching & taking notes for hours long YT videos on things like reconnaissance, web app pentest, & etc. However, I began to question myself in my pursuit of being a pentester.
It's the active directory. Almost all I saw in the beginner stuffs seem to be completely pointless. They are not hacking at all.
The fundamental to Active Directory module I attempted was so boring. It is nothing more than a dictionary, history lesson, and a manual book.
This can't be what people interested in hacking. I have no problem in being a nerd, hence why I can learn IT. But..... the active directory. HackTheBox. Where are they. When in the world will I ever create more than 1 active directory.

