specifically, the skill section says to "Enumerate the host and find a flag.txt file in an accessible directory." I can't find it and I want to check my reading of the statement/question. Are they saying there's a folder location accessible without using an LFI vuln to see? Or are we expected to leverage the LFI? I looked through all the folders by downloading the website with wget and used tree to view the structure. I can't find the flag.txt
did you get help on that one? I have a hint on it. I need help on the first question in that section.
I've done that and thats why I feel like an idiot as nothing I put in comes out as the right answer
I'm honestly at a total loss I was able to get the answers for the other questions and am working on the last one now which you look for the subdomain matching the right ip
so it's a type of subdomain and you can find that subdomain with the command show in that part
for what you can just use dirsearch or gobuster
I'll give that a try, thanks
thanks, ill make a note of this
Try doing ||dig SOA for every A subdomain and check if any of them has an output with an ANSWER section ||
If that happens then ||you have found a zone in which you can try zone transfer or most likely “fierce” bruteforcing||
Hey, any nudge for the footprinting hard lab? I must be missing something, but cannot find a foothold :/ Especially that before in the exercises there always was some kind of name available
Question on the IMAP/Pop3 section in the Footprinting module. For question 4 (What is the customized version of the pop3 server) I'm not sure what more of an answer this question is looking for. I found ||InFreight v9.188\x0d\x0a via metasploit||, but multiple variations of that answer are still not working as well. Any nudge in the right direction?
I'm about to lose my mind on the IDS evasion: Hard module
Nevermind, apparently 'POP3' needs to be included. That's dumb lol
Could you mark the message as spoiler?
done boss
Thank you 🙂
Is it the nmap module? HMU if you are still losing your mind
I got it, was just annoying. Thanks tho
anyone can help me on ATTACKING ENTERPRISE NETWORKS ?
can someone remind me how to do the spoiler thing
Dm me if you still need help 😊
Text in between ||
|| sjdbddj ||
Start with ||
Put the text in between and finish with ||
I'm working on extension fuzzing for the assessment at the end of the ffuf module. I found the two extensions but it's telling me that's wrong
Can anyone help
there are 3
Ok I'll figure out the third tonight then
Thanks, is there a better word list than the web-extensions.txt from seclists?
I used seclists/Discovery/Web-Content/raft-medium-extensions.txt for that module
Still only 2
Can someone help me find the .ovpn file? The online instance keeps crashing.
"/spoiler {{ message }} "
|| message ||
I used SecLists/Discovery/Web-Content/web-extensions.txt
ty
👍
You can download it here
https://academy.hackthebox.com/vpn/key
yoo lifesaving, thanks!
Can I have some help on the broken authentication module: Brute forcing cookies section question 2?
@raven cairn what wordlist are you using?
Can anyone help with the "tamper the rememberme token" question for Broken Auth Module? Can get the decoding right..
Am I supposed to be using a wordlist for the second question?
Day 3 Right Now - Day 4 2nite! Get an Urge, Call Anyone or Join a Discord Audio Video Group and Find more people to work with & talk to, Get Clubhouse, ETC Especially!!!
Go somewhere else for your crypto scam buddy
I'm just trying to work on my cyberskills. Don't distract me SMH.
im not sure if i understood snmp right but i tried the commands given in the module, tried enumerating different community strings using onesixtyone with different lists but i can't find that custom script
can anyone give me a hint?
Footprinting SNMP
Has anyone finished the password attacks module?
Yes
Hi guys, i'm stuck at AD Enumeration & Attacks - Skills Assessment Part I, i've solved the first 3 questions (found the flag and the spn and cracked it), but i can't reach the SQL01 or MS01 machine and get admin privs, could i get some hint on it? Thanks
yep
walk it out
I'm having trouble with enumerating the smtp server for the footprint module. I'm able to telnet in but it hardly responds and constantly times out. I've been giving commands like || VRFY ryan || but I don't even get a response back at all. I've also tried using || metasploit and smtp-user-enum with the provided file || but it's not getting any response either. Is this an issue with the VM?
dm me
Dm me if you still need help
Anyone able to help on the last question of the Metasploit module, last question of the Sessions & Jobs section? Has to deal with escalating privileges on a box using metasploit.
Yeah. What do you need help with?
@raven cairn I am able to run the local exploit suggester module on the box. I then try to use the 3 exploits it shows to work/potentially work. I run the exploits, they complete yet no session is established. I make sure to switch the ports to not be the same as the original section. A bit stumped at the moment.
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
...wow after 2h i found out that i have to be patient and wait till my big wordlist finds the result...
dm me if you still need help
I’ll take a look at it when I have a sec
any help with this? https://discord.com/channels/473760315293696010/1024786198213963846
is anyone skilled with sqlmap and some of the http error codes you can get when running it? i came across one im unfamiliar with and would like to know what it could indicate
#starting-point Would be more helpful. We mostly do Hackthebox academy here
Post it here and I can try to help out
its error code 510
I got it, eff the permissions. This is an open linux box, download FileZilla and side load LOL
|| Just FYI you can make it faster if you use dnsenum --threads 90 or some other high number to speed it up! ||
What interface do I listen on for rev shell using the hackthebox machine?
there are like 3 interfaces
Tun0
Thank you
you need to configure ||autoroute|| then run a ||ping sweep scan|| you'll discover ||2 new host|| on the internal network, ||rdp through proxychains on one of two with the creds you've ||
Having trouble with the final question on Service Scanning in the Getting Started module. The hint says ||bob uses weak passwords||, but I've tried a bunch of them and I can't get in. Tried using metasploit's smb_login, but it doesn't want to connect. The anonymous ftp server has a file that I don't have the rights to. Not sure where to go from here.
having some fun with the burp intruder section of using web proxies, there's no indication what list should be used to fuzz, and with it being soooo slow without professional, any nudges to the right one?
“We will select /opt/useful/Seclists/Discovery/Web-Content/common.txt as our wordlist”
doh, missed SecLists in the path (https://github.com/danielmiessler/SecLists??)
Thanks Yaoi
I make mistakes like this all the time lol
Did you try ‘Welcome1’ as the password? If that doesnt work I can check
I read that path at least 3 times, and it didnt click till you pasted it here lol
are password reset emails not working?
It worked, where does Welcome1 come from?
Should be I believe. Check spam folder probably.
“Let us try again using credentials for the user bob (bob:Welcome1)”
Ah wow
does anyone that can check if their password reset systems are bugging out
idle in discord?
Mine works fine
that is so weird
Can I have help with this
confused on the instructions
I have been able to decode the reset token pretty easily
but how am i supposed to "forge a valid temp password to login?"
hello guys, im a new member, i need help for use a app in my virtual box
Hey everyone, I am trying to find the custom script on the server for the Footprinting - SNMP section, can someone give me a hint. I am not sure what I am looking for is the problem
I can help. DM me
I got some help, it was a dumb HTB flag not actually a script so....
but thanks @pearl island
sure, Dm if you like
Can someone help me with the Attacking Common Services Skills Assessment Hard? I can login in the RDP but i dont know what to do with the mssql.
100% sure there is a bug in skills assessment file upload
any admin available to talk?
Can anyone point me in the right direction on the footprinting/imap+pop3. Cant find the admin email address and the final flag
I can help. DM me
sure, dm me
Anybody else getting the same error on pwnbox?
If yes, how did you circumvent it/ fix it?
use pip3
hey, i am on module Attacking Common Applications section Tomcat Attacking. can't find the flag, tried find / -name tomcat_flag.txt and even manually, but nothing
try find / -name tomcat_flag.txt 2>/dev/null
doesn't work too(
that's weird mind if i send you a dm about that?
which section?
I am currently doing: Web Attacks - Skills Assessment | I already completed the first part a few months back, where I changed the password of the admin account and logged in; however, now when I'm trying to do the same I'm getting Access Denied. Can someone remind me what I am missing to change the password again, so I can start working on the part where I left off to get the flag.txt from the backend servers, thanks!
for that you need 2 main thing the ||uid|| and ||token||
Got them both!
oh then a hint for that ||request type||
SUPER! Thanks, forgot you need to change it through burp not manually 🙂
Any idea why in the next part I'm able to read base64 encoded index.php but not flag.php, it's giving me nothing
the flag is at /
Brilliant! Got it, thank you so much, was stuck in this for so long
Ok, I think this is the place to go with this question. If someone wanted to go from zero experience to “ready for the battlegrounds” the most efficiently, which path(s) would that person take?
You are dealing with MSSQL, right?... Just use the appropriate tools... 😉
heyy
What is the FQDN of .203? tired of wasting time on it
Hey guys can someone help me ? I'm stuck for about 1 day on this question I have upload the webshell to the target but I don't understand how to access the wp-user directory ?
I didn't find any infos on the forum or here.
MODULE : WORDPRESS
Thanks @west rampart @autumn pilot
@craggy rapids No
thanks
Anytime
this is not cool man I'm really stuck 😦
random ping is also not cool
use curl
sorry about that
I used it just but I don't understand how to access the directory
how would you access a directory on your vm?
basically you need to find the subdomain that have the ip end with .203
I'm like here but I don't understand what should be my next step
guys can you help send me the python download link my browsers and cmd not working
I know what I need to do. I've done it. I have also read the previous questions in this forum and performed those as well
@tranquil sierra May I DM you the link?
yes thank you
so what's the issue?
dm me
Does anyone know of a good web hash cracker that will work for the IPMI hash that was dumped by metasploit for the IPMI module in Footprinting.....If i use hashcat it says like 7 days
Try John
rockyou + john
ok let me check thanks
John is such a nice guy
can use hashcat with -m 7300 as well
oh that hash isn't going to take long to crack if you use rockyou
yea using the rockyou.txt took like seconds lol, thanks all. I was trying to use what was in the example on the training
@rustic sage thanks managed to do IT!
Not sure where to ask, i can't ping my target machine, it was working just fine recently, i restarted openvpn a couple of times, tried different configs
I play through parrot os vm
you use sudo or root correct?
anyone can give a little help on Active Directory skills I?
is your pwnbox on?
Make sure your pwnbox is not on if you are using your own vm and sometimes ill just do a sudo su - and log in as root
Ok thanks
dm if you still need help
Hello, I'm stuck on question #1 of the Predictable Reset Token module, this is my script, could anyone give me some hint?
I think you need to add epoch time to your script
I can send you the script I used, it is pretty similar
@vast geyser https://www.epochconverter.com/ I also found this resource to be super helpful
Does anyone know the word list needed for the ffuf assessment recursion scan ive tried a variety and am not getting any type of a hit
HELLO
HI
Having difficulty with the broken authentication skills assessment. This skills assessment is pretty huge haha.
Been able to decode cookies
Enumerated the password policy
I think I might have to brute force the password. Doing this requires filtering rockyou.txt with regex, and I suck at that
if you was able to decode cookies you can just change it to the admin and skip the rest if you want you just need to find the admin user
which question?
Third question in the assessment, I used the syntax from the cheatsheet and followed the hint and keep getting nothing
oh yeah i also have an issue with this question try restart the target a few time and try again
i did note down 4 time work for me
Ok thank you I'll give it a try after work
Do I find admin user by fuzzing with burp intruder?
i mean you can but if you know the format you can just guess it
oh and btw if you still want to use grep for the filtering rockyou part try this https://quickref.me/grep
@vital adder Can i dm?
sure
the answer for HTB is very precise/picky
can anyone let me know if they are able to use wireshark on pwnbox and successfully capture traffic on Tun0?
sorry Jared, I can't say that I have tried
all good just wondering if this is a pwnbox issue or personal issue lol
I have just never had much luck with pwnbox.
Ok... what am I missing in the Footprinting Easy lab
Nothing on port ||2121|| is allowing me to connect
Module: Footprinting
Section: SMTP
HTB Question: Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
My tries:
perl smtp-user-enum.pl -M VRFY -U footprinting-wordlist.txt -t <IP>
sudo nmap <IP> -p25 --script smtp-enum-users -v
msfconsole: smtp_enum
My Question: This did not bring any Results, any hints?
I got pissed off and just started enumerating the service manually with the wordlist
Wow, its in the hint, FML
😆
Enumerate the hostname of your target and submit it as the answer. (case-sensitive) Can anyone help with this
anyone for the command injection module?
Hello guys
I just installed the Linux 20.04 and I have some issues with sound
Can someone please help me with that 😃
which module and section?
ask this in #613049811481919508
solved it 😉
Network enumeration with Nmap
and the section name?
yeah i'm double checking some stuff in my note i use -A and that's given issue right now but try that
sudo nmap 10.129.2.49 -A like so
i use it on the ||highest port||
your message is blank
it's a spoiler tag just click it
Did anyone ever get an issue with the SQL server on Footprinting - Med?
the hard lab?
I dont know what you mean on highest port
google a tool called smtp-user-enum
i solved it. But thanks 🙂
right on
i didnt mess with an sql server on that one
I've gotten the creds for ||sa and alex|| but it keeps erroring about named pipe issues when trying to use ||sa|| in SQL Manager
dm me
Anyone mind assisting with the Special Permissions section of the Linux Privileges Escalation
or think about what sa might stand for
nope i'm having some issue with the command in my note right now so try this
sudo nmap 10.129.2.49 -A -p 22
tried this
nothing
oh that section is kinda dumb, they give you 2 example commands, run both of them and compare the output with the example and you've got your answer
hey! did you solve the question?
@vital adder Yeah the wording was messing with me. So just run the two commands and compare the output, got it.
I found ports 22 80 110 139 143 445 and 31337 open
pls put a spoiler tag on that or remove that, you don't need to send that, just run the scan
run a scan on all those ports
yes
I can help you with that
@vital adder May I DM you?
sure
sudo nmap 10.129.2.49 -A -p 22 80 110 139 143 445 31337
ran this scan nothing
Can I DM you
sure
Ok... What table is the HTB user in? Digging through all of this is ridiculous
nevermind.
Module: Footprinting
Section: IMAP / POP3
I'm a little embarrassed, but I'm struggling with this question:
Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer
i mean i did a nmap scan with -sC -sV, that gives me "organizationName=Inlanefreight".
but this doesn't work...
hint an organization name need to have some stuff at the end of their name
Here is a hint for you theres more than one way to pull it down, try googling other ways to get surface information
hello, someone can give me a nudge on Guessable Answers. i can not find the right question/wordlist
I just picked the question about favorite color and kept guessing
just what i did but using seclists i can not find the answer
never did get the script working
mmm... ok, i'll try the hard way then
Authentication is probably the most straightforward and prevalent measure used to secure access to resources, and it's the first line of defense against unauthorized access. Broken authentication is currently listed as #7 on the 2021 OWASP Top 10 Web Application Security Risks, falling under the broader category of Identification and Authenticat...
I can't believe I actually finished this module!
Brutal haha
cheers mate
struggled a lot with it but at the end saw the light
I really enjoyed it but damn, it has some tricky questions
need help sqlmap final_flag cannot find vulnerable page. I tend to overthink things...
I was completing a final part of a module and my target box crashed, every time i spawn a new target or local host i am getting a series of xfreerdp errors. Any ideas?
hey, can someone help with enumerating the users of gitlab on module Attacking Common Application? Im running script and that all i get
to followup on this, I have tried on a different laptop, turning VPNs on for different continents and now gone through 11 new target hosts.
finished the Footprinting Medium took me a while but it was really fun anyone who need some hints feel free to dm
@polar crag The academy footprinting module?
Can i dm u @polar crag?
sure
how long to create an operating system
anyone know how to get around Error 32 Broken pipe when trying to make a connection with xfreerdp?
@rustic sage 2 days
@sharp elm i use remmina, got way to many issues with xfreerdp
can you give me the syntax? I am doing this for school and just want to get it done
sudo apt-get install remmina
egh still cant rdp to the target box
Having issues with the HTML Injection section of the "Introduction to web applications" module. The answer seems so obvious but it's apparently not correct. Anyone have advice?
hi
Hey for the for the nessus module it says to authenticate to an IP and gives username and password. Auth via what RDP? (didnt work)
can someone please help me with the password attacks - network services. i'm running this command "sudo crackmapexec winrm 10.129.202.136 -u user.list -p password.list" and not getting a user output
i've also tried with taking sudo out, it doesn't make a difference
@charred gyro Can you post the question pls
Having issues with the HTML Injection section of the "Introduction to web applications" module. The answer seems so obvious (it appears to be "Click Me") but it's apparently not correct. Anyone have advice?
Oh sorry
The question:
What text would be displayed on the page if we use the following payload as our input: <a href="http://www.hackthebox.com">Click Me</a>
What section?
HTML Injection, in Module "Introduction to Web applications"
So as you do academy you will learn that it is very picky with answers
Make sure to include everything
Should be _______ Click Me
You need to put in the full answer
I see now lol. Thanks!
Documentation and reporting: practice lab - question 1 ... this question is just out of left field and to even consider answering it seems out of place. Why is this included in the module?
Welcome to documentation and reporting ......
"complete the in-progress penetration test. Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
.... what?
Could use a little help with the Footprinting Lab - Medium. I have some credentials and have access to a service but not sure where to go next
Day 5 Right Now - Day 6 2nite! Get an Urge, Call Anyone or Join a Discord Audio Video Group and Find more people to work with & talk to, Get Clubhouse, ETC Especially!!!
So I'm working on the Skills Assessment I for AD Enumeration and Attacks and I can get a ||reverse shell||. When I upload ||mimikatz.exe|| and try and run it, though, it hangs. Is that normal? Am I going down the wrong path for trying to Kerberoast the MSSQLSvc Account? Nvm. Found a better way
found the || sa user||, but not sure where to look next
what role does sa have?
would appreciate some help on "document and reporting - Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
I’m not sure, could I DM you?
yes
@sharp elm try using the remmina installation on the pwnbox. It worked for me
@wind gust try using the pwnbox, it worked for me too
@rustic sage it depends on the size of the team i guess. It is so difficult that anyone does it anymore, nowadays they just take a linux core as a base and build it from there.
@heady nymph i explored the site with burp/zap first and i found a "hidden" post method somewhere in the shop
nope that cred is for nessus
try with ||cirt-default-usernames||
can someone help me with this How many files exist on the system that have the ".log" file extension? i type: find / -type f -name *.log and it wont work
?
this is the right command and i think crackmapexec winrm don't have the stop on success so you need to look out for the right cred or you can grep
try find / -name '*.log' -type f 2>/dev/null
nvm
Can I get some help on footprinting IMAP/POP3? Stuck on the flag for Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
I opened the email, but it seems to be blank
Hi
yeah the section doesn't show what command you need to use try this from the top down https://donsutherland.org/crib/imap
Anyone for the broken auth module in academy? Think something's wrong. Dm
Feel free to DM me
not working
did you use ||49821.sh|| from exploit-db?
yep
https://academy.hackthebox.com/achievement/499031/58
the flag is a little insulting lol....... took me couple of days.........
oh that's weird shoot me a dm i'll help you troubleshoot
@fierce sparrow hello, I am new here
Feel free to DM me
Attacking Common Services - Attacking email services . which dictionary for bruteforcing? I'm trying with userslist from module resources against smtp (smtp-user-enum) but no user.... thanks
Remember that a server needs a certain amount of time to respond. Not all of them are equally fast.
would appreciate some help on "document and reporting - Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
thanks, i had to revert my pwnbox actually... then everything worked fine!
Anyone have a nudge for initial foothold on Footprint - Hard
@cosmic dock what is the problem
If anyone has completed the document and reporting module I’d be interested in talking. I’m stuck.
The last questions imo make no sense and are out of place.
Looking for a nudge on the initial foothold on Footprinting - Hard
dm me if you still need help with that
Try a ||UDP scan ||
hi, anyone can give a nudge, active directory skills II on question Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?, i have enumerted filesystem but can't find a mssql config file, thanks
Remember that the file could also be on another share
Hi, I got the same problem 😬
dm
Anybody free to give me some tips on web proxies module
the last part about metasploit
I find it really weird why we have to use metasploit in this module and without any training before 😐 .
I used it a bit in the past but forgot about it
I found a medium article which helped me so problem is solved
I was having issues with that module last night, for some reason all my nmap scans were coming back filtered. Tried again today and it scanned without issues and I got the answers in about two mins. 🤷‍♂️
any tips on footprinting hard lab?
|| was able to scan udp using nmap and found snmp running, but having trouble getting a community string using crunch and onesixtyone tools. ||
Feel free to DM me
ugh, I figured it out. I appreciate offering to help though, thanks!
Day 5 Right Now - Day 6 2nite! Get an Urge, Call Anyone or Join a Discord Audio Video Group and Find more people to work with & talk to, Get Clubhouse, ETC Especially!!!
anyone here can help me?
in footprinting module SMB section, the 3rd question is to see inside the flag.txt which is located in share list, but i have no access to the share list i just can see the list, i've tried every possible way to enumerate the SMB, but i couldn't know how to get that flag.txt, i need help
Hey Mrtom thank you for the help yesterday sorry thought that was a hard lab
im putting the password for the nomachine and it wont take it. Man WTF is this frustrating lab setups
Hi
I'm very beginner in this field
How can I become pentester, please can you help me?
How can i start?
What should I study???
Try the Junior Pentester program here I am doing it and I am studying for the CEH exam
CEH is the Certified Ethical Hacker exam by EC Council and it has its own hacking labs
The Junior Pentester program here is entry level, I am doing it to further understand Penetration testing
Oh , I understand you
Start from the beginning learn the method then work the labs
yes it takes steps to become one
Kkk thx , bro 🥰
@solid wedge May the Lord protect you
I'm from Egypt
And trying to learn the language and learning this track
I believe the ones gone are now more guardian angels and are on my side
Sure
I believe in there is a higher power
I think that too
Yes I believe God does exist
or what ever name he is called but still there is something there
anyway hope this helps
Please keep the conversations topic related.
@west rampart
Ok , bro
ok sorry
19
yes sir hail to the almighty technology
🤣
No I mean a good tutorial for Nmap
I got you homie
https://youtu.be/5MTZdN9TEO4 Hackersploit has tons of videos on Nmap
And the Nmap module is really good also
did anyone figure out the sudo version - https://github.com/CptGibbon/CVE-2021-3156 doesnt work
oh cool thank you
I know your ip address 😈😈😈
Watch out
127.0.0.1
not even sure why this challenge is here. its just out of place lol
So I am not at a computer right now. Dont remember my login
its metasploit module section sessions
im currently www-data
Weird
Are you using metasploit for cve 2021-3156?
Are you backgrounding your session?
Promise you this is the CVE i used on the section
And I promise it worked for me
Yes. Use metasploit
Np
would appreciate some help on "document and reporting - Once you achieve Domain Admin level access, submit the contents of the flag.txt file on the Administrator Desktop on the DC01 host."
Doing the shells and payload module skill assessment host #2 and having the exact same problem as you were. Working on host #2, can't get 50064 exploit to work. set RHOSTS and RHOST to target I.P, set TARGET URI and VHOST to blogs url address. But not working for me. If there's anyone that's done this module, throw me a tip.
did you set the vhost to subdomain?
ill DM you
sure
anyone can help with Service Authentication Brute Forcing
not sure how long this should take but its taking a long time
can anyone tell me the best one liner to ping sweep on windows
the ones im using are unreliable
if you are in the Pivoting module i recommend a gui tool call wnetwatcher and ping sweep only work half of the time for me
hi which module and section is this?
login brute force
.
yeah that shouldn't take long for both question
oh and for the first question you need to use a custom wordlist make from the previous section
I copied it over but still not finding anything
idk if it scans both networks or just the one
nvm it scanned both
and you are on the Skills Assessment right?
nice
Hello, everybody! I need some help, I just finished the first skill assessment on the Active directory attacks course, and I feel like I did it incorrectly and missed the point of some of the sections. Would anybody who has finished the course mind chatting about our solutions?
By "Incorrect," I mean that even though I was able to finish the module, I utilized a couple techniques that were not covered, and they were critical to my success.
On the AD Enumeration and Attacks Skills Assessment I, I'm not sure I'm understanding the next to last question, "What attack can this user perform?"
I mean - this module is about nmap ... why is it diverting from the primary module purpose so much? Seems so strange.
If anyone wants to use wpscan on Pwnbox and gets a missing gem issue, please run the following command:
sudo gem install nokogiri
Hey guys, I am stuck at Password Attacks - Credential Hunting in Windows. I found the first three password but now I couldn't find the default password of every newly created Inlanefreight Domain user account.
Hello guys how are you
I'm about to go to horny jail
oh thanks this is way quicker than re-installing wpscan
hint the answer is in ||a script|| somewhere
Just to make sure the script is on the windows machine right? I did find the credential for "DC via RDP" but unsure how to use it
yep i think so all of the answer for this section is in 1 windows machine
solved. thx
Have you tried contacting the FBI?
@rustic sage FBI may help you with your work
Ok
How to communicate with FBI?
I can't deal with them😂
Is anyone here a hacker?
🙋‍♂️
@plain coral why not sudo jail
Day 6 Right Now - Day 7 2nite! Get an Urge, Call Anyone or Join a Discord Audio Video Group and Find more people to work with & talk to, Get Clubhouse, ETC Especially!!!
?
really can i john?plss
My command for SQLmap essentials skills assessment, is running for 15 min now, should it be like this ?
@chrome thistle patient
@placid quest ok ...but not my strength 🙂
@chrome thistle sometimes waiting is not useless
@placid quest wise words.... properly im on the right track then.
@chrome thistle yeap
or just cancel sqlmap and have a look at the log file 🙂
it will take some time but it shouldn't take that long
took 30min, so i canceled it and looked at the log file
yeah that's way too long
nevertheless got the flag 🙂
Hello can anyone help me with that Active Subdomain Enumeration module 🙂
I didn't know how to access the site
I put the ip and host in /etc/hosts
if you mean the Information Gathering - Web Edition module and Active Subdomain Enumeration section then there is no site that's a dns server
Yep that is the one
I saw this guy did it ?
I ran dig axfr inlanefreight.htb <ipadress> and it returned a bunch of dns and none of them is the answer
first why are you pinging that guy? and what question are you on?
also most if all of the ip you found is dead
You should try to find a zone in the subdomains
Or as many zones you can find better said
and then ?
Which question are you in?
The first one
Then ||dig ns||
is nslookup good ?
I looked at the cheat sheet
dig any $TARGET @<nameserver/IP>
for example here i put the nameserver as the $TARGET and the put it again in the command ?
no idea if nslookup will work or not just use dig
nope do a ||dns zone transfer||
with nslookup i suppose
a bit confused but thanks
I really mean it
You've been helping so many peeps out there
I don't understand
After I do the dig
It gives me one answer a.root**** and so on
So now with what should i do the dig ?
Unfortunately since my vacation ended, I am not getting much time to devote on Academy, but eventually
oh and because jarednexgent said i did a great job of helping and i also get confused but when i check my chat history then i realized i send over 1000 dm most of them to for helping and this is the 1069 (nice)
As @vital adder says you should try a zone transfer with dig
Indeed, we appreciate you a lot
Jared is og ❤️
ok i will do the zone transfer cmd from the cheat sheet
Hii all together
Module: Footprinting
Section: IMAP / POP3
Question:
What is the admin email address?
and
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
Currently i logged in to the pop3 service and tried some commands...
but at the moment i find nothing that really helps...any tips for a next step?
i hate to break my 1069 dm but here https://donsutherland.org/crib/imap the section doesn't show what command you need to use try this from the top down
guys i did this with the inlanefreight.htb and it gave me that ninja domains
thanks 🙂
Explore ||FETCH||
Why don’t you use ||dig axfr||
it gives me a connection refused
all of the ip is either dead or you can only access it local so you can't use any online tool
and my ip expired so i need to change the etc hosts
Maybe that’s why you can’t access
well it expired now but i am stuck for hours now on this module
I don’t think you need to edit your hosts file
Once the ip responds and using the domain you should be fine
well everybody edited the hosts file
nothing works : )))
i will switch to the pwnbox
yeah i just try a dns zone transfer work fine without putting anything in /etc/hosts but just for sure put it in anyway
Right now I don’t remember doing it but try both options just in case
I believe the issue is more related to finding the zones
yeah.. without putting anything in /etc/hosts i can still get the all of the answer for that section
That’s what I recall too
ok now it works
now i am stuck
i really tried everything
how should i do a zone transfer ?
with the zonetransfer.me ?
nope
try dig axfr domain @ip
@vital adder hard to understand maybe share with him a screen shot or example using different domain
ok i searched the internet and one guy had the same results
so what did it give you when you try to do a zone transfer with dig?
that's right
yep because like i said all of the ip is dead
but the dns record is still there and that's the answer you need so try to dump that base on each question
so you say all the answers are in here ?
hint not all of is in there but you can get the rest with the same method
ok i got a flag
got another one
omg I bloody did it
I don't know man
is this the best way to learn things ?
i submitted the answer with that dot at the end and that is why i always got the wrong answer
Thank you for help 🙏 🤝
nice and np
Can someone help me with Attacking Common Services - Easy, got credentials > found ||two files in ftp server|| > managed to upload the file but can't seem to be able to launch it
Hey im doing the linux priv es module skills assessment, I managed to get flag 2,3,4,5 (including root flag) but can't get flag1 (supposedly the easiest one). ||When i do a find command as root for the flag. no such file named flag1.txt appears||. Any ideas here? I can see where I think it's supposed to be based on what we learn in the module. But it's just not there.
(Edited: added skills assessment, and more details)
if you do update it through the ||ftp|| then it can't run normal and i end up have to use a php payload with powershell
hint that flag is in ||the given user home directory||
@vital adder is that hint in your last message to me?
yep
So when i look at ||.bash_history|| it points to ||var/www/html/flag1.txt|| but no such file exists at that location. Can you confirm that this is not the correct hint?
nope the flag is in somewhere in the ||home directory|| and yes it isn't ||.bash_history||
You are a legend. I am an absolute moron. TY
"Password Reuse / Default Passwords" in the password attacks module. I'm stuck at ". What exactly do I need to do here. Priv esc ?
I am still working on the last two questions in the Footprinting module IMAP /POP3.
I'm logged in and in the dev.department mailbox, but I can't get any further.
Can someone spoil the next step for me ;)?
Once you ||SELECT the mailbox it appears the number of mails on it right?||
Now you just need to ||FETCH the content of the mail || to get the answers
Try using ||FETCH 1 RFC822|| if I remember well
But make sure in the mailbox you are, there are emails
in the Windows Fundamentals module there is a part which asks you to use smbclient to connect to a share you just made, im getting an error in smbclient - "Error NT_STATUS_IO_TIMEOUT", what am i doing wrong nevermind
nope the answer is in ||one of the link||
the password for that is a bit over 17000 word in so if it's taking too long cut the first 1700 word off
Is anyone able to help me out on the Active Directory Bloodhound - Skills Assessment. The last question is asking for the percentage of users with a path to Domain Admin. I have the query, but apparently, the Cypher query language for that function is deprecated, and I cannot for the life of me figure out how to solve the query.
Cypher Query from hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
"MATCH (totalUsers:User {domain:'DOMAIN.GR'}) MATCH p=shortestPath((UsersWithPath:User {domain:'DOMAIN.GR'})-[r*1..]->(g:Group {name:'DOMAIN ADMINS@DOMAIN.GR'})) WITH COUNT(DISTINCT(totalUsers)) as totalUsers, COUNT(DISTINCT(UsersWithPath)) as UsersWithPath RETURN 100.0 * UsersWithPath / totalUsers AS percentUsersToDA"
Error message from Neo4j (see attached screenshot)
I have tried older versions of neo4j, tried running the queries inside of the provided pwnbox -- and nada -- any help would be greatly appreciated.
I solved it in exactly the same way. But with the right domain 😉
OMG I am an idiot --- I should have walked away -- I feel silly
hey, can someone help me with Linux Privileges Escalation flag4?
Feel free to DM me
need some help with AD skills assessment I last question "Take over the domain and submit the contents of the flag.txt file on the Administrator Desktop on DC01"
once you have ||tpetty|| creds you can ||dump the hashes|| with ||secretsdump|| and use ||admin hash with wmiexec|| to connect to the DC
solved ty
Day 6 Right Now - Day 7 2nite! Get an Urge, Call Anyone or Join a Discord Audio Video Group and Find more people to work with & talk to, Get Clubhouse, ETC Especially!!!
^^^ Bot?

how come I am able to login on my brave browser but not on my chrome browser?
can someone point me in the direction where i can find out how to answer the first question in the Windows Fundamentals module section "Windows Security" its hinting that i should be using the get-wmiobject cmdlet to get the SID but i dont see how google is your friend
hello
Hello, someone speak french, i need help for where i fail in the module "Started"
why is crackmapexec not installed on the PWNBOX
omg
it wont even download it
smh
use pip3
i don't speak french but what's the issue?
we need a tchat vocal, i show u with the stream
my english isn't good for explain.. :/
ok so, i need to "grabbing banner" but when i write netcat ..
i don't have the grabbing
first which section are you on? and you need to use netcat on linux use nc to get the banner
section : basic tool,
with the vm on the site, linux, i open the terminal and write netcat "ip"
you can just run the following command for a quick install
python3 -m pip install pipx
pipx ensurepath
pipx install crackmapexec
dm me i'll help you with this
yeah the new pwnbox is ass it work for me the last time
sad
oh wait try this but run this as the root user #modules message
with the new one once you open a terminal make sure to move out of the /root with cd ~
Hi
On the INFORMATION GATHERING - WEB EDITION module
at the Virtual Hosts page https://academy.hackthebox.com/module/144/section/1257
Is there a way to filter your results to find the vHosts required more quickly ?
-fw <nr of words>
grep should work
@knotty crag sudo openvpn (filename), each section has this:
anyone know how to access the nessus scan stuff for the Vulnerability Assessment module, nessus scan section of the JPT path?
the nessus is on the target machine you can access it via port 8843 and https
I ssh'ed into the target machine, however I tried to access the web interface by entering https://(IP):8443 and it doesn't allow connection.
oh that's weird i didn't do any port scan on that target machine so i'm not sure about the ssh thing but try restart the target machine
Forgive me for my folly, but I am confused on how to access the target machine and the scan data. I don't see it anywhere in the previous section showing how to.
the only section that you can access nessus is the Nessus Skills Assessment section and in that section nessus is install on the target machine and you can access with just going there on port 8843
oh wait you have a typo it's 8843 not 8443
That typo was here, i entered it correctly on the machine and no connection. Not sure why this is difficult for me to understand but I cant figure a way to access the machines scan data. everytime I try to connect says connect refused.
oh shit my bad it's on port 8834 not 8843
It worked, I just dont understand where that was stated in the module. how you figure that out?
the answer is in section Getting Started with Nessus
@vital adder well, sorry for my blindness lol. If it was a snake it would've bit me. Thank you for your help!
New problem: I can't seem to get the smbclient to connect to list the shares.
I'm using the academy vpn instead of pwnbox.
~~I can ping the server,~~ I can rdp into the server, and when I try to list the shares I get a connection that prompts for a password ... and then it just fails with a "Error NT_STATUS_NOT_FOUND"
I've been beating my head on this for hours now, and seemingly no permutation of the command seems to be doing anything.
the only difference being an attempt with -L gives me a timeout, an attempt with -L -I gives me the status not found
nevermind, i apparently cant ping the server, so that's a whole new issue lol
hello im stuck on this question "Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer." ive tried to go to http://sourceip:port/robots.txt and it doesnt work any help please?
Doing the windows fundamentals module skills assessment, where in the module does it explain how to make security groups? Once again, google is your friend ._.
So ... am I just not able to complete modules using the openvpn? Am I required to use a pwnbox?
🙏
you can use any OS you want as long as you connect to the VPN.
you can use either. in the modules that require the connection they give you the openvpn file you need for it
itll be called like 'academy.opvn'
Alright, well, I am connecting to it and it doesn't seem to be allowing me connect to the target machine.
which module
Windows Fundamentals. lol
See above, I am able to rdp into the target no problem, but when try to list the shares I just get an error from smbclient.
Either TIMEOUT (obvious) or NO STATUS
ah, i was getting the same thing, you actually dont need to do so to complete the questions
I need to be able to mount the drive tho, don't I?
is it the Shares and NTFS section?
correct
Yes
guys im stuck at file inclusions can someone help
i know they are talking you through how to do so but the actual questions at the end of that section dont require you to do it
i s e e
--it may or may not be broken-- everything working as intended KAPPA
LOL
Well, fortunately for me this isn't my first time using smbclient (it's, like, my second xDDD) so at least I'm not losing much.
yeah same, i think just do some homework or something by doing a box that has SMB involved with it
look into ippsec.rocks to find boxes that do so
im required to fuzz for php scripts and read the conf files
which section
Fuzz the web application for other php scripts, and then read one of the configuration files and submit the database password as the answer
this is the question
i just need
direction
Alright, well, on to the next section then. xD
read through the entire section and pay close attention to the examples they provide and their methods for doing so
Glad I was beating my head on this for a few hours for no reason. xDD
yeah i asked a similar question earlier and then read the questions
and was like 'oh nvm'
i talked with ryan and did what he said but never got what was supposed to be gotten
pm me
just dont get too frustrated later in that module, i definitely did lol
ok
np
A really dumb question, in the module Shells & Payloads I can not write the @ symbol in the login prompt, any way around this? I've tried screen keyboard, nmap to verify ssh and only port 4000 seems to be open
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer. can anyone help with this Nmap lab
I just now realized that all the mount was doing is letting me make cmd arguments from my own terminal.
... Which I don't need at all, I have successfully rdp'd into the machine. lol
Can someone help with the Nmap Service Enumeration lab
which module is that a part of?
Network Enumeration with Nmap
I have tried so many scans but no luck getting the flag
which lab? easy/medium/hard?
Its in the section Host discovery and the Service enumeration box its that lab
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
this question?
yes
alright give me a moment to see what kind of output you get
let me pm you and ask you what youve tried
k
Hey all, need some hint on the Password Attacks hard assessment. Just need to confirm something.
Hello all,
Can anyone help me on "File Upload Attacks"->Type Filters ?
how to become a hacker enjoy?
I pass the filters, but I can't execute my php code in the browser
That is my error message in the navigator:
The image “http://<IP>:<PORT>/profile_images/<IMG_NAME>||.phar.jpeg||?cmd=id” cannot be displayed because it contains errors.
Could I have some help with Web Attacks: Advanced File Disclosure. I followed the instructions exactly, yet I am confused on why I am not getting the flag.
I am trying to do the Advanced Exfiltration with CDATA method
Alright. One down, ten million to go. lol
It's work for me
Just got the flag with error method.
I think you forget a '/' for
FILE:///
probably haha
Does your request give you the flag?
Got flag with error method but haven't tried CDATA again.
Okay, Have you finished the "File Upload Attacks" module ?
Yes
My favorite module haha
File Upload attacks are fun and sneaky
Soooo many ways to bypass filtering lol
Can I help me in DM on "Type Filters" ?
Sure, but probably a better idea to post here. I don't really have notes on how to complete this one, so if I can't figure it out somebody smarter can.
There are lots of filters on this question, so you gotta make sure you are properly bypassing each one
Would someone who finished the AD Enum and Attacks Skill Assessment I mind giving me a quick DM?
Need help 🙂
**Path**: Penetration Tester
Module: ATTACKING COMMON SERVICES
Question: What is the password for the username "jason"?
Tried brute forcing SMB using crackmapexec and metasploit (smb_logon) via passwords.list (acquired from ftp server). No luck.
I am definitely struggling more with the AD Enum and Attacks Skills Assessment I than I expected. So I still am not sure how to identify what attack ||tpetty|| can perform. Also, I've managed to dump the hashes from ||172.16.6.3|| using ||proxychains secretsdump.py|| but Hashcat exhausts when trying to checking it against rockyou.txt and I'm not getting any cleartext passwords out of it, so I can't figure out how to get into DC01. Any help would be greatly appreciated.
thanks, I tried the "Whitelist Filters" page again to create a solid wordlist and then created a script to filter the results
try ||passing the hash||
With which protocol, though? It doesn't seem like RDP is an option and when I try with SMB it times out.
i was able to connect with ||proxychains smbclient||
Hmm. Okay. I'll try it. Also, how am I supposed to figure out what attack the user can do? I've tried pretty much every answer I plausibly thought could be right, but with no luck.
have you ran bloodhound?
I ran SharpHound on it, but I was struggling with getting the zip from MS01 back to my attack box.
you can collect bloodhound data remotely with bloodhound-python
if you have a user you can authenticate with
Oh dang. I forgot about bloodhound-python. Thanks.
Will i run it through ||proxychains|| as well, I assume?
Right on
same place its hosting the antak webshell
Thanks again. I've been struggling with this Assessment for a few days now. It's been driving me nuts
Is anyone on that is willing to give me a hand with the command Injection skills assessment
guyds
guys
how do i connect to vpn
and use firefox
i am having trouble
using firefox for testing my proxychains that i had set up
anyone familiar with the Information Gathering - Web Edition module? just finished the assessment and the last question I wasn't able to find the answer with the suggested tool, a google search did help me out but wondering if sublist3r needed a specific setting to find it or if question may need updating? dns has no record of the answer
anyone
?
i would find it helpful if anyone could help me with the open vpn stuff
anyone?
Hi, what is the issue you are having exactly?
I used sublist3r installing as it comes and it worked fine
Hello, I'm stuck on question#1 of the Predictable Reset Token module, this is my script, could anyone give me some hint?
I have no idea.
Weird i did the search and brute force nothing
I have solved it
use //
Module: NETWORK ENUMERATION WITH NMAP
Section: Firewall and IDS/IPS Evasion - Hard Lab
Question: Now our client wants to know if it is possible to find out the version of the running services. Submit the version of the service our client was talking about as the answer.
isn't it ||ibm-db2||?
oh no the version is the flag you need that not the service name
in the module Getting Started section Connecting Using VPN should have everything you need
Module: windows fundamentals
section: NTFS vs. Share Permissions
question: I have to make a shared folder which i can connect to using a linux computer. I managed to setup windows defender to allow the connection, I can connect to the SMB using SMBclient, however within 5 secs I get a disconnect with the message: Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.175.17 failed (Error NT_STATUS_IO_TIMEOUT)
Unable to connect with SMB1 -- no workgroup available
Which setting should i change to prevent this from happening?
i assume you mean the github question and i'm not 100% sure on this but i think that subdomain is recently removed and i haven't got any luck with sublist3r yet but that tool maybe can still find it but me and some other people use a subdomain finding tool call c99 but if you use that tool too scan it now you properly won't find that right subdomain but after the scan scroll down a bit and you can find some scan history at "More scans of" and the answer should be in there
so what's your issue? that section don't require you to setup anything or are you having a connection issue?
Hi, i got the flag for the final assesment of the sqlmap module, yet when i try to submit it incorrect answer appaears, there are no extra spaces or any other stuff did someone experienced something similiar?
yeh I found it in some historical scans via google but wanted to check before flagging it with staff as incorrect answer
i didn't have that issue but i did help someone that does dm me the flag that you found
I am trying to progress towards the mounting part, however I cannot make one,
Therefore i thought i might have done something wrong in the previous part. So i tried to make a full connection to the share by smbclient -N and get a nt_status_logon_failure. So really I am trying to find what i am doing wrong and how i can solve this 😄
first i don't think you can connect smb share like that try "\\\\IP\\share name" and you can't mount a share drive on your desktop mount it somewhere like at /mnt/
ask that in #613049811481919508 this is for htb academy module
ok
Hello
got it working, failed to setup the firewall in both directions, used the wrong string to connect to SMB. And didn't understand the mount command in linux. thx for your pokes in the right direction and helping to restart my thinking process!! much appreciated
how long does it take for a programming language from scratch
Hi everybody
In the getting started module at this part: List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
I see the flag.txt but when I do get flag.txt it doesn’t work
||cat flag.txt||
Can anyone help me with Attacking Common Services - Hard? Found the ||linked server ||and been trying to get commands that way without success
Greetings! Having connectivity/login issues in Module 33: SQL INJECTION FUNDAMENTALS. I was able to log into the target via mysql a couple days ago in my studies but now it's not working. I went into earlier parts of the module to confirm the correct credentials were being used. I'm using format -h [ip address] -P [port #] but getting this error in output. I've attempted using multiple pwnbox instances and respun multiple target instances. Unsure how I should move forward. any assist?
^ issue occurs with personal VPN on or off
hi this is pre-write thing so if you don't understand any shoot me a dm
for example the EXECUTE command if you run 1 command like EXECUTE('select @@servername') AT [LOCAL.TEST.LINKED.SRV] you only need to use 1 single quote but if you need to run 2 command (which is how you get the flag) like EXECUTE('xp_cmdshell ''dir''') AT [LOCAL.TEST.LINKED.SRV] you need to use 2 single quote
so EXECUTE('xp_cmdshell ''dir''') instead of EXECUTE('xp_cmdshell 'dir'')
your pwnbox and vpn can't be on at the same time so if you have both on and you turn your vpn off try giving it a bit before login to mysql in the pwnbox
gotcha, will leave some time with VPN off and make a bagel. thanks 
Thank you, just got the flag, those servers are quite hard to understand at first imo
lfi module skill assessment hint? I already have the source code, struggling to bypass extension
I am right now at the USING THE METASPLOIT FRAMEWORK module on the module part, but I have some problems. I am trying to exploit the target system on the pwnbox with the windows/smb/ms17_010_psexec module. I set the RHOSTS with the target machine's IP and I entered run to start the exploit. This is my result:
check the lhost and set it to tun0
what extension?
@vital adder Allright that worked thank you
issue persisted with vpn off and can be repro'd in a VM 
and also which section are you in?
Using Comments --- checking to see if it replicates in another session
oh oop
hi I have "The connection was reset" error with target on academy htb
fixed 😭
Module: JAVASCRIPT DEOBFUSCATION
section: Decoding
Question: I have a solution to request however it is not accepted when I put it in the box at the bottom, can someone pls verify that I have found the right flag?
Shells & Payloads - Anatomy of a Shell tells you to use pwnbox to find powershell version and submit as answer but pwnbox doesn't match the screenshots
yeah this because of the pwnbox but it's been reported #858470491676737536 message
oh it's the ||PSEdition||
never mind, reading is key...
HELP - AD Skills Assessment II Question6 - Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
Is there any way to turn the Academy background colour into white instead of black?
They updated pwn box recently. Made changes and hola I've watched a couple of your youtube vids very helpful gracias
hey, I'm not sure where I need to write it but I need help.
I'm doing the Windows Fundamentals and after making the folder and giving the permissions, I couldn't connect to it with smbclient and can't install cifs-utils either.
there is anything I can do to solve it?
did you setup windows defender?
check the ||shared folder|| ||Department Shares|| with ||crackmapexec -M spider_plus||
Do you mean to deactivate it?
But still, I think I don't have a connection because I can't use apt install and the windows machine doesn't have an internet connection.
one more thing that I could not use the smbclient.
the device has connection to a network, which you can join by either vpn or by using the provided machine.
When you setup the smb rules for public network in defender you can then use the smbclient to make a connection
I'm using htb workstation and the target machine, but when I try to install the cifs-utils it says the connection timed out.
ah i don't know if they are installed on the htb machine, i use my own kali machine..
So I'm doing the AD Enum and Attacks Skills Assessment II and on the first question, Obtaining the password hash for a domain user account, I'm not having much luck. Additionally, using ||responder|| on the internal IP shows me the domain ||INLANEFRIGHT.LOCAL|| which seems odd since it is usually ||INLANEFREIGHT.LOCAL|| and I'm not sure how to proceed.
this is what i wanted to do but it didn't work for me i'll try it again maybe i did something wrong.
you download the vpn file connect to it and from the kali you connect with xfreerdp and ssh?
Hello
yes, for xfreerdp and and no for ssh.
worked for me once i connected to ||the internal attack host via ssh|| and ||run responder|| the domain still ||inlanefreight.local|| though
It looks like using the ||-A flag|| was messing me up. Does ||responder|| output hashes to a file automatically or do I need to tell it to output somewhere?
how did you manage to run openvpn? i downloaded the file moved the file to my kali and try to use openvpn like it says but it not giving me to connect and i can't find any information in the vpn settings
i just used the ||-I flag|| then checked ||/usr/share/responder/logs|| that's where the hashes captured are stored, after you got some hit
Ah awesome, thanks!
ohhh lol ok my bad... thanks guys
Thank you!
Anyone available for a hint for the "Web Attacks" skill assessment?
Lol also doing this
wait didn't work i tried cat and it say command not found
i can see bobs flag but out of reach so long 😭
when i do get it says error opening local file
I know everyone's IP, but itz a hacking server sooooooo...
jk lmao
hai! I'm new
I bet ur hungry
New* Not nu as in c/lambda
if i use a nord vpn does that make my ip safe from heckers? 🧐
I have to be honest the PWNBOX in hackthebox is not prepared at all for the student unlike tryhackme their attack box has everything you need installed
but i do like HTB content more
help question
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
Pwnbox is good but new one sucks
Foxyproxy not on by default
I am currently at the USING THE METASPLOIT FRAMEWORK on the payload part and I am trying to exploit the apache druid HTTP vulnerability, but it seems that it doesn't work. When I start the exploit and the meterpreter interface appears and I look around a bit I realise that I am still on my local machine and not on the target machine. My log output from msfconsole looks like in the picture. The payload was preset and is a reverse_tcp for linux from meterpreter linux/x64/meterpreter/reverse_tcp. My settings are on the second picture. Has anyone any idea why I am still on my local machine when i launch the exploit?
im doing the smbclient but not work
It won't work in what way?
i havent seen the old ones. the one that is used rn is terrible
Are you connected as user bob?
4062912 blocks of size 1024. 944764 blocks available
smb: \bob> get passwords.txt
Error opening local file passwords.txt
smb: \bob> cat passwords.txt
cat: command not found
i think so but maybe i didnt do it the right way
@charred pawn @charred pawn what command did you use
When you first connect with smbclient you can supply a username after --user I believe. You may be in a directory you can't write to if you're not running as sudo but I'm not sure that'd be the issue. It might help to give the get command a local name and see what happens.
smbclient -N -L \\10.129.181.148
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
users Disk
IPC$ IPC IPC Service (gs-svcscan server (Samba, Ubuntu))
SMB1 disabled -- no workgroup available
@charred pawn Use smbclient -U bob -L ip address
smbclient -U bob \\10.129.181.148\users
Enter WORKGROUP\bob's password:
Try "help" to get a list of possible commands.
smb: > ls
@charred pawn the command is correct so what is the problem
still not working for me it says error
What says error?
it worked finally i wasnt in root privilages before
Ya though I think a lot of inbuilt security features in firefox and many other browsers interfere with burp suite analysis or make it more cumbersome. I've run into this so started just using the inbuilt browser in burpsuite. It has no security overhead allowing you to breeze through web browser and application testing without interference.
interesting. Good to know
Can I have some help on the web attacks skills assessment? Know how to change user passwords but don't know what else to do.
I can't seem to find the user HTB in the database on the Footprinting - medium lab, anyone have any ideas
Disregard, I had to step away and reassess and found it
I am stuck Password Attacks - Hard Lab. How do I download the ||backup.vhd|| file to my machine. This is big.
@mystic perch use smbmap
i tried :(
i used the ||smbclient //IP//david -U david|| worked for me
[!] Error: (<class 'BrokenPipeError'>, 'smbmap', 1337)
@mystic perch use smbmap -H ip address -u name -p password --download directory/backup.vhd
im trying this command now
dont work
Hi I'm starting the Information Security Fundamentals Path
With the annual payment does that mean you can get all the courses vip and non-vip for free?
You don’t have to pay cubes?
Hi, im stuck in footprinting medium lab can someone give me a hint?
where are u stuck?
I have sa credentials, i logged in at the server via rdp
but i cant login into the mssql
with sa credentials
use the same ||password|| but as ||Administrator||
can i dm u?
Hello everyone 💯
NoMachine software 👎
Agreed. I had to use PwnBox for anything that required the use of NoMachine
took me about 20 mins to get installed on VM and then 10 mins to get the password entered.. so laggy + password didn't match my keyboard language ("@")
So tedious
On the AD Enum and Attacks Skills Assessment II, I can connect to SQL01, but I can't figure out how to snag the flag file on the Admin Desktop.
Any nudge would be helpful
I think my real question is do I need to connect via mssqlclient.py or autoroute and RDP in?
use ||mssqlclient over proxychains|| with the creds you got from previous question, then you can use ||enable_xp_cmdshell|| to be able to run commands and retrieve the flag, ||PrintSpoofer exploit|| will be useful for privesc.
Microsoft or Apple or Google?
Can someone help me about Nmap IDS evasion part
Mind if I DM real quick?
Hi, I was doing the IDS/IPS Evasion Lab - Easy. I was not able to find the OS through Nmap but saw that ||port 80|| was open. When going to ||the webpage|| I was able to see what the OS was. Can anyone show what the correct methodology was supposed to be through Nmap?
Lol I did the same thing
No one completed NMAP bypass ips/ids medium and easy one ?
NoMachine doesn't like VPNs or proxies. I usually have to disable those to get it to work smoothly. Could try turning off VPN firewalls too
yes I think the easy one all you need to do is set the fragment option for your scan -f
Hi, I have a problem with Attacking Common Apps / Attacking Tomcat. I was able to gain RCE but I have searched everywhere for tomcat_flag. Can someone please narrow the scope of where to look? Really appreciated.
I can help. DM me
try this find / -name tomcat_flag.txt 2>/dev/null
hint check under ||SCAN TECHNIQUES||
Thank you very much man. I used a webshell to find it at first but it took like forever lol. So I turned to an msfvenom session, worked like a charm =).
Hi guys, I need some help with Hacking Wordpress: Submit the contents of the flag file in the directory with directory listing enabled.
I tried the following directories: ||/, /wp-includes/, /wp-content/||, but I can't find the flag file
Edit: working on skills assessment
Edit2: hint: ||make a list of the directories you want to search and skim through them manually||. The flag will be obvious if you have the right dir.
Hello. Me again.
I am stuck with XSS Phishing as part of the XSS module.
I have my script to use with the vulnerable parameter but I am doing something wrong.
I can't post it here without giving away too much....
Can I DM someone please?
hint: one of the directories you listed is right
sure shoot me a dm with your payload
thank you my dude!
Is it under one of the plugin directories then?
||yep||
working on 0xDiablos and I couldn't get anywhere without a walkthrough. In following a walkthrough, I don't understand how the return address from a function is found. I put a breakpoint in before the function executes, and a breakpoint after. Stopped at the first BP, the walkthrough uses the gdb cmd "x/60x $esp" which I think is the cmd to show the contents of 60 addresses from the current stack pointer. It then says "we can see the return address" of the function in these 60 addresses... I don't understand how they determine which of the 60 outputs is the return address... EDIT: it seems if I type "info frame" into gdb, it gives me the address the walkthrough says is the return address listed as "saved eip" relative to the function's name...
oh this is for htb academy try ask this in #challenges
Still can't find it. I even ||used a crawler|| on ||the plugins found by wpscan: email-subscribers, site-editor and the-events-calendar||
Hi, can anyone help with the PASSWORD ATTACKS > Passwd, Shadow & Opasswd module? I have been stuck on this for days. How to get the root password with user will's access?
were you replying to me or paddon?
yep
try the directory shown in the example
Oh, there's a misunderstanding there. I solved that one, I'm working on the skills assessment one. My bad, I completely forgot to mention it
i don't have this part in my note for some reason but can find any shadow file?
ohhh
that one is way easier give me a sec
If you use pwnbox you are gonna find the answer.. If you haven't already found it!
so directory listing enabled means you can access all of the files in that directory, and yes, it's still in one of the directories originally mentioned. A directory scan in there should show you the right place that has the flag
also dirsearch worked for me on that
Is it called flag.txt?
i think so

